Formal methods 1 - introduction
Formal Methods in Software
Lecture 1. Introduction
Vlad Patryshev, SCU, 2014
Content of this course
• FSM, deterministic/non-deterministic; (P/NP); regexp; code sample (the one-liner), problem with the code; P != NP
• Stack machine, context-free languages; general languages; Turing machine; some Turing stuff, examples of Turing machines
• Z specification language
• Pi calculus and its fate
• Monoid, Group, Groupoid, Category, Monomorphisms, Epimorphisms, Isomorphisms, shown on sets and monoids; Scala (Java) category
• terminal object, initial object; products, unions; code samples; equalizers, code samples; notation {x | f(x) == g(x)}; pullbacks, SQL
• functor examples (diagrams; product; exponentiations); currying / Yoneda lemma; example with integers/rationals; monad?
What you have to know
• first-order logic; quantifiers (see COEN260 slides)
• some set theory; binary relationships, currying; injection/surjection/bijection (see COEN260 slides)
• some intro to intuitionistic logic (see COEN260 slides)
• javascript or java or scala
Formal Methods
• Need them in:
  o medical devices
  o space
  o military
  o communications
• Don’t need them in:
  o social networks
  o ads and sales
  o startups
Example of Algorithm Proof
Euclidean Algorithm: Find GCD(a,b), where a and b are two natural numbers.
1. If a < b, use the fact that GCD(a,b)=GCD(b,a)
2. GCD(a,0) = a; done.
3. GCD(a,b) = GCD(a-b,a)
4. Repeat until done.
Proof:
A. Prove that GCD(a,b)=GCD(b,a)
B. Prove that GCD(a,0) = a
C. Prove that GCD(a,b) = GCD(a-b,a)
D. Prove that it takes no more than 2*max(a,b) steps.
You are asked to double a cube
Have a cube of side x, V = x³
Build a cube of volume 2V, using only a divider (compass) and a ruler
Informally: approximate; we only have doubles in Java.
Formally: have to construct ∛2 (the cube root of 2)
The thing is: You Can’t
A similar problem
Need an algorithm to find roots of a 5th degree polynomial
Explanation: the 5 roots are permuted by S₅, the group of all permutations of 5 elements, and S₅ cannot be decomposed into a chain of commutative symmetries (it is not solvable), so no formula in radicals exists.
x⁵ - x + 1 = 0
Gödel’s First Theorem
Meaning, if we have a theory T, we can always come up with a statement in T that cannot be proved.
How?
• enumerate all sentences; then all proofs.
• isProvable(n) ≡ ∃F (n = #(F) ∧ F is provable)
• (diagonal lemma) ∀F ∃p (p ↔ F(#(p)))
• how about p ↔ ¬isProvable(#(p))
A theory that contains arithmetics cannot be at the same time consistent and complete.
Entscheidungsproblem
Is there an algorithm that, given a first-order theory, takes a statement and checks whether the statement is true?
(The essence of the proof of program validity.)
The answer is: NO
Church proved that there is no computable function which decides for two given λ calculus expressions whether they are equivalent or not.
Turing proved that it reduces to the Halting Problem
Halting Problem
Given a program, can we decide if it ever ends?
Answer: NO
http://ro-che.info/ccc/03
Collatz Conjecture
function collatz(n) {
  // prints the trajectory of n; whether this loop always terminates is unknown
  while (n > 1) {
    console.log(n);
    n = n % 2 === 0 ? n / 2 : 3 * n + 1;
  }
}
E.g. 11, 34, 17, 52, 26, 13, 40, 20, 10, 5, 16, 8, 4, 2, 1
Will it ever stop?
Nobody Knows.
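As an added illustration (not from the lecture), the four proof obligations A-D of the GCD proof above turned into executable checks, next to the Collatz loop, where no termination bound is known and the caller has to supply a fuel limit instead; the names gcdEuclid, checkGcdObligations and collatzBounded are mine, and step 3 is implemented as GCD(a-b, b) so that a+b strictly decreases.

```javascript
// Added example (not from the lecture): GCD proof obligations A-D as checks,
// next to a fuel-bounded Collatz run for contrast.

// Reference gcd by remainder, used only as an oracle for the checks.
function gcdRef(a, b) {
  while (b !== 0) { [a, b] = [b, a % b]; }
  return a;
}

// The slide's subtraction algorithm, returning the result and the number
// of rule applications (steps 1 and 3). Step 3 subtracts and keeps b,
// i.e. GCD(a,b) = GCD(a-b,b); the identity GCD(a-b,a) on the slide is
// also true, but keeping a would swap back and forth with step 1 forever.
function gcdEuclid(a, b) {
  let steps = 0;
  for (;;) {
    if (a < b) { [a, b] = [b, a]; steps++; continue; } // step 1: GCD(a,b)=GCD(b,a)
    if (b === 0) return { gcd: a, steps };             // step 2: GCD(a,0)=a
    a -= b; steps++;                                   // step 3: GCD(a,b)=GCD(a-b,b)
  }
}

// Lemmas A-D checked exhaustively for all pairs 0..limit. Returns the first
// failing case, or null when every obligation holds on the range.
function checkGcdObligations(limit) {
  for (let a = 0; a <= limit; a++) {
    for (let b = 0; b <= limit; b++) {
      const r = gcdEuclid(a, b);
      if (r.gcd !== gcdEuclid(b, a).gcd) return { lemma: "A", a, b };      // symmetry
      if (b === 0 && r.gcd !== a) return { lemma: "B", a, b };             // GCD(a,0)=a
      if (a >= b && b > 0 && r.gcd !== gcdRef(a - b, b)) return { lemma: "C", a, b };
      if (r.steps > 2 * Math.max(a, b)) return { lemma: "D", a, b, steps: r.steps };
      if (r.gcd !== gcdRef(a, b)) return { lemma: "result", a, b };
    }
  }
  return null;
}

// Collatz with the same step counter but no proven bound: the caller must
// supply fuel, and null means "did not stop within fuel", not "loops forever".
function collatzBounded(n, fuel) {
  let steps = 0;
  while (n > 1) {
    if (steps >= fuel) return null;
    n = n % 2 === 0 ? n / 2 : 3 * n + 1;
    steps++;
  }
  return steps;
}
```

checkGcdObligations(40) returns null (all obligations hold on that range), while collatzBounded(27, 10) returns null only because the fuel ran out, which is exactly the difference between a proven bound and a time limit.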
So, what can we do?
• limit ourselves by only provable algorithms
• count on the finiteness of the universe (is it finite?)
• count on the finiteness of time (is it finite?)
• write some unit tests and pray (is it a formal method?!)
Unit tests
• You cannot prove the program is right, but you can find errors
• Can cover main and corner cases
• Can check behavior independently from environment
• Can feel safe doing refactorings
Some people tried to formalize unit test creation (agitar.com) (cf. the halting problem)
Question: can you write a unit test for a random number generator?