
i217: Functional Programming
11. Program Verification (1)
FUTATSUGI, Kokichi and OGATA, Kazuhiro

How to Check Correctness of Programs
•  Correctness of programs means that programs conform with their specifications, or satisfy some desired properties.
•  Some ways to check if they satisfy properties
   –  Testing checks if programs produce desired outputs for some concrete inputs.
   –  Model checking exhaustively traverses reachable states of mathematical models of programs in a certain way to check if the models satisfy some desired properties.
   –  Theorem proving proves in a mathematical (and/or logical) sense that mathematical models of programs satisfy some desired properties.
•  Program verification will be discussed based on theorem proving.

Natural Numbers a la Peano (1)
•  Natural numbers are inductively defined as follows
   –  0 is a natural number.
   –  If n is a natural number, so is s(n).
•  0 is the natural number zero.
•  s(n) is n+1.
•  s is called the successor function.
•  0, s(0), s(s(0)), s(s(s(0))), … correspond to 0, 1, 2, 3, …

Natural Numbers a la Peano (2)
•  Module PNAT:
mod! PNAT {
  [Nat]
  op 0 : -> Nat
  op s : Nat -> Nat
  op _+_ : Nat Nat -> Nat {prec: 30}
  op _*_ : Nat Nat -> Nat {prec: 29}
  op _=_ : Nat Nat -> Bool {comm}
  …
}
•  The function _=_ checks if two natural numbers are equal.
•  The built-in function (predicate) _==_ should not be used for verification. Instead, an equivalence function (predicate) such as _=_ should be defined.

Natural Numbers a la Peano (3)
•  Function _+_:
eq 0 + Y = Y .                -- (+1)
eq s(X) + Y = s(X + Y) .      -- (+2)
•  Function _*_:
eq 0 * Y = 0 .                -- (*1)
eq s(X) * Y = Y + (X * Y) .   -- (*2)
•  Function _=_:
eq (X = X) = true .
eq (0 = s(Y)) = false .
eq (s(X) = s(Y)) = (X = Y) .

Associativity of _+_
•  ( 0 + s(0) ) + s(s(0)) equals 0 + ( s(0) + s(s(0)) ).
•  ( s(0) + s(s(0)) ) + s(s(s(0))) equals s(0) + ( s(s(0)) + s(s(s(0))) ).
•  ( s(s(0)) + s(s(s(0))) ) + s(s(s(s(0)))) equals s(s(0)) + ( s(s(s(0))) + s(s(s(s(0)))) ).
•  Generally, (X + Y) + Z equals X + (Y + Z) for all natural numbers.

Proof by Induction on Natural Numbers
•  For a function (predicate) p : Nat -> Bool, the following two formulas are equivalent:
   (1)  p(N) for all N:Nat
   (2)  p(0) and (p(N) implies p(s(N))) for all N:Nat
•  Therefore, to prove (1), it suffices to show
   (i)  p(0)
   (ii)  p(s(n)) assuming p(n) for an arbitrary n:Nat
•  (i) is called the base case, and (ii) the induction case.
•  p(n) is called the induction hypothesis.

Proof of Associativity of _+_
Theorem (X + Y) + Z = X + (Y + Z) for all X,Y,Z:Nat.
Proof By induction on X. Let x,y,z be arbitrary natural numbers.
I.  Base case
All we have to do is to show (0 + y) + z = 0 + (y + z).
   –  LHS → y + z (by +1)
   –  RHS → y + z (by +1)
II.  Induction case
All we have to do is to show (s(x) + y) + z = s(x) + (y + z) assuming the induction hypothesis (x + Y) + Z = x + (Y + Z) for all Y,Z:Nat.
   –  LHS → s(x + y) + z (by +2) → s((x + y) + z) (by +2)
   –  RHS → s(x + (y + z)) (by +2) → s((x + y) + z) (by I.H.)
QED

Formal Proof (Verification) of Associativity of _+_ (1)
•  Module THEOREM-PNAT:
mod THEOREM-PNAT {
  pr(PNAT)
  -- Names of Theorems
  op th1 : Nat Nat Nat -> Bool
  -- CafeOBJ variables
  vars X Y Z : Nat
  -- Theorems
  eq th1(X,Y,Z) = ((X + Y) + Z = X + (Y + Z)) .
}

Formal Proof (Verification) of Associativity of _+_ (2)
Theorem (X + Y) + Z = X + (Y + Z) for all X,Y,Z:Nat.
Proof By induction on X. Let x,y,z be arbitrary natural numbers.
I.  Base case
open THEOREM-PNAT
  ops y z : -> Nat .
  -- check
  red th1(0,y,z) .
close
II.  Induction case
open THEOREM-PNAT
  ops x y z : -> Nat .
  -- check
  red th1(x,y,z) implies th1(s(x),y,z) .
close
QED
th1(x,y,z) is an instance of the induction hypothesis th1(x,Y,Z) for all Y,Z:Nat, obtained by replacing Y and Z with y and z.

Proof Scores
•  Proofs written in CafeOBJ are called proof scores.
•  Proof scores consist of fragments enclosed with open and close.
•  Fragments enclosed with open and close, which constitute proof scores, are called proof passages.
A proof score of th1(X,Y,Z) for all X,Y,Z:Nat consisting of two proof passages:
open THEOREM-PNAT
  ops y z : -> Nat .
  -- check
  red th1(0,y,z) .
close
open THEOREM-PNAT
  ops x y z : -> Nat .
  -- check
  red th1(x,y,z) implies th1(s(x),y,z) .
close
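To see what CafeOBJ's `red` actually does inside the two proof passages above, here is a small innermost term rewriter written for this page (it is an added example, not code from the slides or from CafeOBJ). It encodes the equations of PNAT without the assoc/comm attributes, the arbitrary values x, y, z as 0-ary operators, and just enough propositional simplification to recognise that a term of the form A implies A is true; that boolean step is a simplified stand-in for CafeOBJ's built-in BOOL normalisation and is an assumption of the example. It replays the base case and the induction case of th1, and also shows why the induction passage reduces `th1(x,y,z) implies th1(s(x),y,z)` rather than `th1(s(x),y,z)` alone: the step rewrites back to the unreduced hypothesis, which is stuck by itself.

```python
# Added example (not from the slides): a tiny innermost term rewriter that
# replays the two proof passages of th1 on the PNAT equations WITHOUT the
# assoc/comm attributes.  The `implies` handling is a simplified stand-in
# for CafeOBJ's built-in BOOL normalisation (an assumption of this example).

# A term is a tuple (operator, arg1, arg2, ...).  0-ary operators model both
# the constructor 0 and the arbitrary values x, y, z declared with
# `ops x y z : -> Nat .`; rule variables are tagged ('VAR', name).
ZERO = ('0',)
TRUE, FALSE = ('true',), ('false',)

def var(name): return ('VAR', name)
def const(name): return (name,)
def s(t): return ('s', t)
def plus(a, b): return ('+', a, b)
def times(a, b): return ('*', a, b)
def equals(a, b): return ('=', a, b)
def implies(a, b): return ('implies', a, b)

X, Y = var('X'), var('Y')

# Equations of PNAT oriented left to right; labels as on the slides.
RULES = [
    (plus(ZERO, Y), Y),                         # (+1)
    (plus(s(X), Y), s(plus(X, Y))),             # (+2)
    (times(ZERO, Y), ZERO),                     # (*1)
    (times(s(X), Y), plus(Y, times(X, Y))),     # (*2)
    (equals(X, X), TRUE),                       # (X = X) = true
    (equals(ZERO, s(Y)), FALSE),                # (0 = s(Y)) = false
    (equals(s(Y), ZERO), FALSE),                # the same rule mirrored, for the comm attribute of _=_
    (equals(s(X), s(Y)), equals(X, Y)),         # (s(X) = s(Y)) = (X = Y)
]

def match(pat, term, subst):
    """Syntactic matching; a repeated variable (as in X = X) must bind equal subterms."""
    if pat[0] == 'VAR':
        if pat[1] in subst:
            return subst[pat[1]] == term
        subst[pat[1]] = term
        return True
    if pat[0] != term[0] or len(pat) != len(term):
        return False
    return all(match(p, t, subst) for p, t in zip(pat[1:], term[1:]))

def substitute(t, subst):
    """Instantiate the rule variables of t with the bindings found by match."""
    if t[0] == 'VAR':
        return subst[t[1]]
    return (t[0],) + tuple(substitute(a, subst) for a in t[1:])

def simplify_bool(t):
    """Just enough propositional simplification to close an induction step:
    A implies A, false implies B and A implies true all become true."""
    if t[0] == 'implies':
        a, b = t[1], t[2]
        if a == b or a == FALSE or b == TRUE:
            return TRUE
        if a == TRUE:
            return b
    return t

def red(t):
    """Innermost normalisation, like CafeOBJ's `red`: reduce the arguments,
    then rewrite at the root with the first matching rule, until nothing applies."""
    t = (t[0],) + tuple(red(a) for a in t[1:])
    for lhs, rhs in RULES:
        subst = {}
        if match(lhs, t, subst):
            return red(substitute(rhs, subst))
    return simplify_bool(t)

def th1(a, b, c):
    """th1(X,Y,Z) = ((X + Y) + Z = X + (Y + Z)) from module THEOREM-PNAT."""
    return equals(plus(plus(a, b), c), plus(a, plus(b, c)))

# Arbitrary values standing for the `ops x y z : -> Nat .` of the proof passages.
x, y, z = const('x'), const('y'), const('z')

def base_case():
    """Proof passage I: red th1(0,y,z) ."""
    return red(th1(ZERO, y, z))

def induction_case():
    """Proof passage II: red th1(x,y,z) implies th1(s(x),y,z) ."""
    return red(implies(th1(x, y, z), th1(s(x), y, z)))

def induction_step_alone():
    """What remains if only th1(s(x),y,z) is reduced: (+2) twice on each side and
    the rule (s(X) = s(Y)) = (X = Y) rewrite it back to th1(x,y,z), which is stuck,
    so `red` cannot return true without the hypothesis on the left of `implies`."""
    return red(th1(s(x), y, z))

if __name__ == "__main__":
    print("base case      :", base_case())           # ('true',)
    print("induction case :", induction_case())      # ('true',)
    print("step alone     :", induction_step_alone())
```

Run it as a script to see the three results; `induction_step_alone()` prints the unreduced equation ((x + y) + z = x + (y + z)), which is exactly the term `th1(x,y,z)` that the proof passage supplies as the hypothesis, so `A implies A` collapses to true. Rules with the assoc/comm attributes (as used later for sum1) would need matching modulo associativity and commutativity, which this rewriter deliberately does not implement.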

Attributes of _+_ and _*_
•  It has been proved that _+_ is associative.
•  It is also possible to prove that _+_ is commutative, and _*_ is associative and commutative.
•  Then, attributes assoc and comm are given to _+_ and _*_.
op _+_ : Nat Nat -> Nat {assoc comm prec: 30}
op _*_ : Nat Nat -> Nat {assoc comm prec: 29}

Sum
•  Module SUM1:
mod! SUM1 {
  pr(PNAT)
  op sum1 : Nat -> Nat
  var X : Nat
  -- sum1
  eq sum1(0) = 0 .                   -- (s1-1)
  eq sum1(s(X)) = s(X) + sum1(X) .   -- (s1-2)
}

Proof of a Property of sum1 (1)
Theorem s(s(0)) * sum1(X) = X * (X + s(0)) for all X:Nat.
Proof By induction on X. Let x be an arbitrary natural number.
I.  Base case
All we have to do is to show s(s(0)) * sum1(0) = 0 * (0 + s(0)).
   –  LHS → s(s(0)) * 0 (by s1-1) → 0 (by *1)
   –  RHS → 0 * s(0) (by +1) → 0 (by *1)

Proof of a Property of sum1 (2)
II.  Induction case
All we have to do is to show s(s(0)) * sum1(s(x)) = s(x) * (s(x) + s(0)) assuming the induction hypothesis s(s(0)) * sum1(x) = x * (x + s(0)). The induction hypothesis can be rewritten as sum1(x) + sum1(x) = x + x * x.
   –  LHS → s(s(0)) * (s(x) + sum1(x)) (by s1-2)
          → s(s(0)) * s(x + sum1(x)) (by +2)
          → s(x + sum1(x)) + s(x + sum1(x)) (by *2 & *1)
          → s(s(x + x + sum1(x) + sum1(x))) (by +2)
          → s(s(x + x + x + x * x)) (by I.H.)

Proof of a Property of sum1 (3)
   –  RHS → s(x) * s(s(x)) (by +2 & +1)
          → s(s(x)) + x * s(s(x)) (by *2)
          → s(s(x)) + x + x + x * x (by *2)
          → s(s(x + x + x + x * x)) (by +2)
QED

Formal Proof of the Property (1)
•  Module THEOREM-SUM1:
mod THEOREM-SUM1 {
  pr(SUM)
  -- arbitrary values
  op x : -> Nat .
  -- Names of Theorems
  op th1 : Nat -> Bool
  -- CafeOBJ variables
  var X : Nat
  -- Theorems
  eq th1(X) = (s(s(0)) * sum1(X) = X * (X + s(0))) .
}

Formal Proof of the Property (2)
Theorem s(s(0)) * sum1(X) = X * (X + s(0)) for all X:Nat.
Proof By induction on X.
I.  Base case
open THEOREM-SUM1
  -- check
  red th1(0) .
close
II.  Induction case
open THEOREM-SUM1
  -- check
  red th1(x) implies th1(s(x)) .
close
CafeOBJ does not return true. Then, the case is split into two sub-cases based on sum1(x) + sum1(x) = x + (x * x), which is equivalent to the induction hypothesis th1(x).

Formal Proof of the Property (3)
The two proof passages corresponding to the two sub-cases are as follows:
open THEOREM-SUM1
  -- assumptions
  eq (sum1(x) + sum1(x) = x + (x * x)) = false .
  -- check
  red th1(x) implies th1(s(x)) .
close
open THEOREM-SUM1
  -- assumptions
  eq sum1(x) + sum1(x) = x + (x * x) .
  -- check
  red th1(x) implies th1(s(x)) .
close
QED

Another Implementation of Sum
•  Function sum2:
eq sum2(X) = ss2(X,0) .              -- (s2)
•  Function ss2:
eq ss2(0,Y) = Y .                    -- (ss2-1)
eq ss2(s(X),Y) = ss2(X,s(X) + Y) .   -- (ss2-2)

Proof of Equivalence of sum1 and sum2 (1)
•  First prove another theorem (th3), which is needed for the proof of the equivalence.
Theorem ss2(X,Y + Z) = Y + ss2(X,Z) for all X,Y,Z:Nat.
Proof By induction on X. Let x,y,z be arbitrary natural numbers.
I.  Base case
All we have to do is to show ss2(0,y + z) = y + ss2(0,z).
   –  LHS → y + z (by ss2-1)
   –  RHS → y + z (by ss2-1)

Proof of Equivalence of sum1 and sum2 (2)
II.  Induction case
All we have to do is to show ss2(s(x),y + z) = y + ss2(s(x),z) assuming the induction hypothesis ss2(x,Y + Z) = Y + ss2(x,Z) for all Y,Z:Nat.
   –  LHS → ss2(x,s(x) + y + z) (by ss2-2) → y + ss2(x,s(x) + z) (by I.H.)
   –  RHS → y + ss2(x,s(x) + z) (by ss2-2)
QED

Proof of Equivalence of sum1 and sum2 (3)
Theorem sum1(X) = sum2(X) for all X:Nat.
Proof By induction on X. Let x be an arbitrary natural number.
I.  Base case
All we have to do is to show sum1(0) = sum2(0).
   –  LHS → 0 (by s1-1)
   –  RHS → ss2(0,0) (by s2) → 0 (by ss2-1)

Proof of Equivalence of sum1 and sum2 (4)
II.  Induction case
All we have to do is to show sum1(s(x)) = sum2(s(x)) assuming the induction hypothesis sum1(x) = sum2(x).
   –  LHS → s(x) + sum1(x) (by s1-2) → s(x) + sum2(x) (by I.H.) → s(x) + ss2(x,0) (by s2)
   –  RHS → ss2(s(x),0) (by s2) → ss2(x,s(x) + 0) (by ss2-2) → s(x) + ss2(x,0) (by th3)
QED

Formal Proof of the Equivalence (1)
•  Module THEOREM-SUM2:
mod THEOREM-SUM2 {
  pr(SUM)
  -- arbitrary values
  ops x y z : -> Nat .
  -- Names of Theorems
  op th1 : Nat -> Bool
  op th2 : Nat -> Bool
  op th3 : Nat Nat Nat -> Bool
  -- CafeOBJ variables
  vars X Y Z : Nat
  -- Theorems
  eq th1(X) = (s(s(0)) * sum1(X) = X * (X + s(0))) .
  eq th2(X) = (sum1(X) = sum2(X)) .
  eq th3(X,Y,Z) = (ss2(X,Y + Z) = Y + ss2(X,Z)) .
}

Formal Proof of the Equivalence (2)
Theorem ss2(X,Y + Z) = Y + ss2(X,Z) for all X,Y,Z:Nat.
Proof By induction on X. Let x,y,z be arbitrary natural numbers.
I.  Base case
open THEOREM-SUM2
  -- check
  red th3(0,y,z) .
close
II.  Induction case
open THEOREM-SUM2
  -- check
  red th3(x,y,s(x + z)) implies th3(s(x),y,z) .
close
QED
th3(x,y,s(x + z)) is an instance of the induction hypothesis th3(x,Y,Z) for all Y,Z:Nat, obtained by replacing Y and Z with y and s(x + z).

Formal Proof of the Equivalence (3)
Theorem sum1(X) = sum2(X) for all X:Nat.
Proof By induction on X. Let x be an arbitrary natural number.
I.  Base case
open THEOREM-SUM2
  -- check
  red th2(0) .
close

Formal Proof of the Equivalence (4)
II.  Induction case
open THEOREM-SUM2
  -- assumptions
  eq (sum1(x) = ss2(x,0)) = false .
  -- check
  red th2(x) implies th2(s(x)) .
close
open THEOREM-SUM2
  -- assumptions
  eq sum1(x) = ss2(x,0) .
  -- check
  red (th2(x) and th3(x,s(x),0)) implies th2(s(x)) .
close
QED
In the second proof passage, th3(x,s(x),0) is used as a lemma.

Exercises
1.  For module PNAT in which neither assoc nor comm are given to _+_ and _*_, prove the following formulas:
   (1)  X + 0 = X for all X:Nat
   (2)  X + s(Y) = s(X + Y) for all X,Y:Nat
   (3)  X + Y = Y + X for all X,Y:Nat
   Write in CafeOBJ a proof score of each formula as well.
2.  Prove the equivalence of the following two implementations fact1 and fact2 of factorial:
   eq fact1(0) = s(0) .
   eq fact1(s(X)) = s(X) * fact1(X) .
   eq fact2(X) = sf2(X,s(0)) .
   eq sf2(0,Y) = Y .
   eq sf2(s(X),Y) = sf2(X,s(X) * Y) .
   Use module PNAT in which assoc and comm are given to _+_ and _*_. Write in CafeOBJ a proof score of the equivalence and proof scores of lemmas, if any, as well.