ECE 453 - Software Testing, Quality Assurance, and Maintenance¶

Introduction¶

Testing and Verification¶

Testing: An ad-hoc software validation method that proves the existence of faults.
Verification: A formal software validation method that proves the software satisfies its specifications.
Static Program Verification: The algorithmic discovery of the properties of a program by inspection of its source text.
Formal Methods: The general area of research related to program specification and verification.

Undecidability¶

Undecidability: A problem is undecidable if there does not exists a Turning machine that can solve it.
Rice's Theorem: For any non-trivial property of partial functions, no general and effective method can decide whether an algorithm computes a partial function with that property.

User Effort vs Verification Assurance¶

From Least Effort / Least Assurance to Most Effort / Most Assurance.

Testing
Symbolic Execution: Automated Test-Case Generation
Automated Verification
Deductive Verification

Key Challenges¶

Testing: Coverage
Symbolic Execution and Automated Verification: Scalability
Deductive Verification: Usability
Common Challenges: Specification / Oracle

Fault, Error, and Failure¶

Definitions¶

Fault: A static defect in software.
Error: An incorrect internal state (unobserved).
Failure: An incorrect external behavior with respect to the expected external behavior (observed).

RIP Model¶

Three conditions must be present for an error to be observed: failure.
1. Reachability: The location or locations in the program that contain the fault must be reached.
2. Infection: After execution the location, the state of the program must be incorrect.
3. Propagation: The infected state must propagate to cause some output of the program to be incorrect.

Addressing Faults¶

Fault Avoidance: Better Design, Better Programming Languages, ...
Fault Detection: Testing, Debugging, ...
Fault Tolerance: Redundancy, Isolation, ...

Foundations: Syntax, Semantics, and Graphs¶

WHILE: A Simple Imperative Language¶

Syntatic Entities¶

Terminals¶

Atomic Tokens.

Integers: $n \in Z$
Booleans: $\text{true}, \text{false} \in B$
Locations (Program Variables): $x, y \in L$

Non-Terminals¶

Composition of Tokens.

Atomic Expressions: $e \in Aexp$
Boolean Expressions: $b \in Bexp$
Statements: $c \in Stmt$

Syntax of Arithmetic Expressions¶

$$ \begin{aligned} \text{e } ::= &\; n &\text{ for } n \in Z \\ &\vert -n &\text{ for } n \in Z \\ &\vert x &\text{ for } x \in L \\ &\vert e_1 \text{ aop } e_2 \\ &\vert \text{'('e')'} \\ \text{aop } ::= &\; \text{'*' } \vert \text{ '/' } \vert \text{ '-' } \vert \text{ '+'} \end{aligned} $$

No Declarations
Only Integer Variables.
No Side-Effects.

Syntax of Boolean Expressions¶

$$ \begin{aligned} \text{b } ::= &\; \text{'true'} \\ &\vert \text{'false'} \\ &\vert \text{'not' } b \\ &\vert e_1 \text{ rop } e_2 &\text{ for } e_1, e_2 \in Aexp \\ &\vert e_1 \text{ bop } e_2 &\text{ for } e_1, e_2 \in Bexp \\ &\vert \text{'('b')'} \\ \text{rop } ::= &\; \text{'<' } \vert \text{ '<=' } \vert \text{ '=' } \vert \text{ '>=' } \vert \text{ '>'} \\ \text{bop } ::= &\; \text{'and' } \vert \text{ 'or'} \end{aligned} $$

Syntax of Statements¶

$$ \begin{aligned} \text{s } ::= &\; \text{skip} \\ &\vert x := e \\ &\vert \text{if } b \text{ then } s \;[\text{else } s] \\ &\vert \text{while } b \text{ do } s \\ &\vert \text{'\{' } slist \text{ '\}'} \\ &\vert \text{print_state} \\ &\vert \text{assert } b \\ &\vert \text{assume } b \\ &\vert \text{havoc } v1, ..., vN \\ \text{slist } ::= &\; s (\text{';'} s)* \\ \text{prog } ::= &\; \text{slist} \end{aligned} $$

Abstract Syntax Tree¶

An abstract syntax tree is a tree in which each node represents a syntactic entity.

Visitor Design Pattern¶

An object-oriented design pattern that separates an algorithm from an element on which it operates.
Assignment Notes: In Python, the method handle is used to dynamic dispatch calls: visit_Stmt().

Non-Determinism vs. Randomness¶

A deterministic function always returns the same result on the same input.
A non-deterministic function may return different values on the same input.
A random function may choose a different value with a probability distribution.
A non-deterministic choice cannot be implemented.

Syntax and Semantics¶

Syntax: Determines how things are expressed.
Semantics: Determines how syntax is interpreted to give meaning.

Semantics of Programming Languages¶

Denotational Semantics: The meaning of a program is defined as the mathematical object it computes.
Axiomatic Semantics: The meaning of a program is defined in terms of its effect on the truth of logical assertions.
Operational Semantics: The meaning of a program is defined by formalizing the individual computation steps of the program.

Semantics of WHILE¶

A state $s$ is a function from $L$ to $Z$.
- It assigns a value for every variable.
The set of all states is $Q = L \to Z$.

Notation¶

Empty State: $\left[\right]$
State: $\left[x := 10, y := 15, z := 5\right]$
Substitution: $s\left[x := 10\right]$

Judgement¶

$\langle e, q \rangle \Downarrow n$ states that an expression $e$ in state $q$ has a value $n$.
Note: Evaluate $n$ in a judgement $\langle e, q \rangle \Downarrow n$.

Inference Rules¶

$$ \frac{F_1 ... F_n}{G} \text{ where } H $$

An inference rule defines a relation between judgements $F_1, ..., F_n$ and $G$.
- The judgements $F_1, ..., F_n$ are the premises of the rule.
- The judgements $G$ is the conclusion of the rule.
- The formula $H$ is called the side condition of the rule.
- If $n = 0$, the rule is called an axiom. In this case, the line separating premises and conclusion may be omitted.
A derivation infers new facts from existing facts.

Inference Rules for Aexp¶

Note: Expression would not mutate state; side-effect free.

$$ \begin{aligned} &\frac{}{\langle n, q \rangle \Downarrow n} \\[1em] &\frac{}{\langle x, q \rangle \Downarrow q(x)} \\[1em] &\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} + e_{2}, q \rangle \Downarrow (n_{1} + n_{2})} \\[1em] &\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} - e_{2}, q \rangle \Downarrow (n_{1} - n_{2})} \\[1em] &\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} * e_{2}, q \rangle \Downarrow (n_{1} * n_{2})} \end{aligned} $$

Inference Rules for Bexp¶

Note: Expression would not mutate state; side-effect free.

$$ \begin{aligned} &\frac{}{\langle \text{true}, q \rangle \Downarrow \text{true}} \\[1em] &\frac{}{\langle \text{false}, q \rangle \Downarrow \text{false}} \\[1em] &\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} = e_{2}, q \rangle \Downarrow (n_{1} = n_{2})} \\[1em] &\frac{\langle e_{1}, q \rangle \Downarrow n_{1} \quad \langle e_{2}, q \rangle \Downarrow n_{2}}{\langle e_{1} \le e_{2}, q \rangle \Downarrow (n_{1} \le n_{2})} \\[1em] &\frac{\langle b_{1}, q \rangle \Downarrow t_{1} \quad \langle b_{2}, q \rangle \Downarrow t_{2}}{\langle b_{1} \land b_{2}, q \rangle \Downarrow (t_{1} \land t_{2})} \end{aligned} $$

Semantics of Statements¶

$\langle s, q \rangle \Downarrow q'$
- where $s$ is the Program Statement.
- where $q$ is the Input Program State.
- where $q'$ is the Output Program State.

$$ \begin{aligned} &\frac{}{\langle \text{skip}, q \rangle \Downarrow q} \\[1em] &\frac{}{\langle \text{print_state}, q \rangle \Downarrow q} \\[1em] &\frac{\langle s_{1}, q \rangle \Downarrow q'' \quad \langle s_{2}, q'' \rangle \Downarrow q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \Downarrow q'} \\[1em] &\frac{\langle e, q \rangle \Downarrow n}{\langle x := e, q \rangle \Downarrow q[x := n]} \\[1em] &\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s_{1}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'} \\[1em] &\frac{\langle b, q \rangle \Downarrow \text{false} \quad \langle s_{2}, q \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'} \end{aligned} $$

Derivation $\implies$ Execution¶

Top-Down: Execution.
Bottom-Up: Explanation.

Show that $\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]$.

$$ \cfrac{\cfrac{}{\cfrac{\langle 0, [] \rangle \Downarrow 0}{\langle p := 0, [] \rangle \Downarrow [p := 0]}} \quad \cfrac{}{\cfrac{\langle 1, [p := 0] \rangle \Downarrow 1}{\langle x := 1, [p := 0] \rangle \Downarrow [p := 0, x := 1]}}}{\cfrac{\langle p := 0 \text{ ; } x := 1, [] \rangle \Downarrow [p := 0, x:= 1] \quad \langle n := 2, [p := 0, x := 1] \rangle \Downarrow [p := 0, x := 1, n := 2]}{\langle p := 0 \text{ ; } x := 1 \text{ ; } n := 2, [] \rangle \Downarrow [p := 0, x := 1, n := 2]}} $$

Semantics of Loops¶

Let $T$ be a special state, top, that represents divergence, such as an infinite loop.
Any statement in a divergent state is treated like "skip".

$$ \begin{aligned} &\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q}\\[1em] &\frac{\langle b, q \rangle \Downarrow \text{true} \quad \langle s \text{ ; while } b \text{ do } s, q \rangle \Downarrow q'}{\langle \text{while } b \text{ do } s, q \rangle \Downarrow q'}\\[1em] &\frac{}{\langle \text{while true do } s, q \rangle \Downarrow T}\\[1em] &\frac{}{\langle s, T \rangle \Downarrow T}\\[1em] \end{aligned} $$

Properties of Semantics¶

A semantic is deterministic if every program statement has exactly one possible derivation in any state.
Two statements are semantically equivalent if for every input state they derive the same output state.

Structural Induction¶

To prove a property $P$ on a derivation tree.
1. Base Case: Prove $P$ for all of the axioms.
2. Inductive Hypothesis: Assume $P$ holds before every rule.
3. Induction: Prove that $P$ holds at the end of every rule.
Use structural induction to prove that the semantics are deterministic.

Structural Operational Semantics (Small-Step)¶

Execution of One Statement: $\langle s, q \rangle \implies \langle t, q' \rangle$
- where $s$ is the statement to execute.
- where $q$ is the input state.
- where $t$ is the rest of the program.
- where $q'$ is the output state.

Small-Step Semantics for WHILE¶

$$ \begin{aligned} &\frac{}{\langle \text{skip}, q \rangle \implies q}\\[1em] &\frac{\langle s_{1}, q \rangle \implies q'}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle s_{2}, q' \rangle}\\[1em] &\frac{\langle s_{1}, q \rangle \implies \langle \mathbf{s_{3}}, q' \rangle}{\langle s_{1} \text{ ; } s_{2}, q \rangle \implies \langle \mathbf{s_{3}} \text{ ; } s_{2}, q' \rangle}\\[1em] &\frac{\langle b, q \rangle \Downarrow \text{true}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{1}, q \rangle}\\[1em] &\frac{\langle b, q \rangle \Downarrow \text{false}}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \implies \langle s_{2}, q \rangle}\\[1em] &\frac{}{\langle \text{while } b \text{ do } s, q \rangle \implies \langle \text{if } b \text{ then } (s \text{ ; while } b \text{ do } s) \text{ else skip}, q \rangle} \end{aligned} $$

Properties of Small Step Semantics¶

Small step semantics are a transition system: $TS = (S, R)$.
- where $S$ is a set of states: $\langle s, q \rangle$.
- where $R$ is a transition relation on a pair of states.
  - $(x, y) \in R \iff (x \implies y)$ is a true judgement in small-step semantics.
Derivation Sequence: A path $x_{1}, x_{2}, x_{3}, ....$ in $TS$ corresponds to a program execution.
Properties of small-step semantics are established by induction on the length of the derivation.
A small step semantic is deterministic if there is only one derivation for every configuration.

Programming to Modeling¶

Assertions: assert e - Aborts an execution when $e$ is false, no-op otherwise.
```
void assert(bool b) {
  if (!b)
      error();
}
```
Non-Determinism: havoc x - Assign a variable $x$ a non-deterministic value.
```
void havoc(int &x) {
  int y;
  x = y;
}
```
Assumptions: assume e - Block execution if $e$ is false, no-op otherwise.
```
void assume(bool e) {
  while (!e);
}
```

Safety Specifications as Assertions¶

Correct: If all executions that satisfy all assumptions also satisfy all assertions.
Incorrect: If there exists an execution that satisfies all of the assumptions and violdates at least one assertion.
Assumptions $\implies$ Pre-Conditions.
Assertions $\implies$ Properties.

Graphs, Paths, Cycle¶

A graph, $G = (N, E)$, is an ordered pair consisting of a node set, $N$, and an edge set, $E = \{(n_{i}, n_{j})\}$.
- Directed: If the pairs in $E$ are ordered.
- Undirected: If the pairs in $E$ are unordered.
A path, $P$, through a directed graph $G = (N, E)$ is a sequence of edges $\left( (u_{1}, v_{1}), (u_{2}, v_{}), ... (u_{t}, v_{t}) \right)$ such that the following is true.
- where $v_{k - 1} = u_{k}$ for all $1 < k \le t$.
- where $u_{1}$ is the start node.
- where $u_{t}$ is the end node.
- The length of a path is the number of edges in the path.
A cycle in a graph $G$ is a path whose start node and end node are the same.
A tree is an acyclic, undirected graph.
A directed acyclic graph (DAG) is a directed graph without cycles.
Every tree is isomorphic to a prefix-closed subset of $N^{*}$ for some natural number $N$.

Graphs as Models of Computation¶

A computation tree represents all possible executions of a system.
- Node: The state of the system represented by the valuation of all the variables.
- Problem: For many computations, the trees are too large.
A control flow graph represents the flow of execution in the program $G = (N, E, S, T)$.
- where $N$ is the nodes representing executable instructions.
- where $E$ is the edges representing the potential transfer of control.
- where $S$ is a designated start node.
- where $T$ is a designated terminal node.
An infeasible path is a path that does not correspond with an execution sequence.

Structural Coverage¶

Testing¶

Static Testing $\implies$ Compile Time:
- Static Analysis
- Code Inspection
- Code Walk-Through
Dynamic Testing $\implies$ Run Time:
- Black-Box Testing
- White-Box Testing

Test Case¶

Test Case: Input Values, Expected Results, Prefix Values, Postfix Values, Dependency Values.
Test Set: A Set of Test Cases.
Expected Results: The results that will be produced when executing the test if and only if the program satisfies its intended behavior.

Test Requirement¶

Test Requirement: A specific element of a software artifact that a test case must satisfy or cover.
- Denoted $TR$

Examples¶

Functional (Black Box, Specification-Based)
Structural (White Box)
Model-Based
Fault-Based

Coverage Criterion¶

Coverage Criterion: A rule or collection of rules that impose test requirements on a test set.
- Generates $TR$

Adequacy Criteria¶

Adequacy Criterion: Set of Test Requirements.
A test suite satisfies an adequacy criterion if:
- All the tests succeed.
- Every test requirement in the criterion is satisfied by at least one of the test cases in the test suite.

Coverage Criteria¶

Basic Coverage $\implies$ Advanced Coverage

Line
- Adequacy Criterion: Each source code line must be executed at least once.
- Coverage: The percentage of source code lines executed.
Statement
- Adequacy Criterion: Each statement (or node in the CFG) must be executed at least once.
- Coverage: The percentage of statements executed.
Function
Branch
- Adequacy Criterion: Each branch/decision, (or edge in the CFG) must be executed at least once.
- Coverage: The percentage of edges executed.
- Test Case: $O(n)$, where $n$ is the number of conditions.
Decision/Condition
Modified Decision/Condition
Path
- Adequancy Criterion: Each path in the CFG must be executed at lease once.
- Coverage: The percentage of paths executed.
- Test Case: $O(2^{n})$, where $n$ is the number of conditions.
Loop
Mutation

Coverage Level¶

Given a set of test requirements $TR$,
Given a test set $T$,
The coverage level is the ratio of the number of test requirements satisfied by $T$ to the size of $TR$.

Unit Testing¶

A unit test exercises a unit of functionality to test its behavior.
A unit test framework provides a standard mechanism for....
1. Specifying a Test (Setup, Execution, Expected Result, Teardown).
2. Executing a Test.
3. Generating Test Reports.

Designing for Testing¶

Factor the program into meaningful units.
Each unit should have a well defined specification.
- What are legal inputs?
- What are legal outputs?
- How inputs and outputs are passed around?
Avoid monolithic design that reads standard input and writes standard output.
Additional functionality specifically for testing/debugging purposes.

Subsumption¶

Criteria Subsumption: A test criterion $C_{1}$ subsumes $C_{2}$ if and only if every set of test cases satisfies $C_{1}$ also satisfies $C_{2}$.

Syntactical and Semantic Reachability¶

A node $n$ is syntactically reachable from $m$ if there exists a path from $m$ to $n$.
A node $n$ is semantically reachhable if one of the paths from $n$ to $n$ can be reached on some input.
Syntactic Reachability: Control Flow Graph.
Semantic Reachability: Undecidable.

Reachability¶

Let $reach_{G}(X)$ denote the sub-graph of $G$ that is syntactically reachable from $X$, where $X$ is either a node, an edge, a set of nodes, or a set of edges.

Connect Test Cases and Test Paths¶

A $path_{G}$ is a mapping from test cases to test paths. $$path(T) = \{path(t) \mid t \in T\}$$
A test case has at least one test path.
- Deterministic: One Test Path.
- Nondeterministic: Many Test Paths.

Node, Edge, Edge-Pair Coverage¶

Node Coverage (NC): $TR$ contains each reachable node in $G$.
- ~Statement Coverage.
Edge Coverage (EC): $TR$ contains each reachable path of length up to $1$, inclusive, in $G$.
- ~Branch Coverage.
Edge-Pair Coverage (EPC): $TR$ contains each reachable path of length up to $2$, inclusive, in $G$.

Simple Path¶

A path is simple if no node appears more than once in the path, except that the first and the last nodes may be the same.

Properties¶

No Internal Loops.
Possibly Bounded Length.
Possible Create Any Path = Composition of Simple Paths.
Many Simple Paths Exist.

Prime Path¶

A path is prime if it is simple and does not appear as a proper subpath of any other simple path.
Prime Path Coverage (PPC): $TR$ contains each prime path in $G$.
- Problem: A prime path may be infeasible yet contains feasible simple paths.
Complete Path Coverage (CPC): $TR$ contains all paths in $G$.
Specified Path Coverage (SPC): $TR$ contains a specified set $S$ of paths.

Graph Coverage Criteria Subsumption¶

Complete Path Coverage (CPC) > Prime Path Coverage (PPC) > Edge Coverage (EC) > Node Coverage (NC)
Complete Path Coverage (CPC) > Edge-Pair Coverage (EPC) > Edge Coverage (EC) > Node Coverage (NC)

Logic Coverage¶

Decisions¶

Decisions: A logical expression in a program.
- $P$ is a set of decisions (predicates) of the program.
Conditions: The leaves of a decision.
- $C_{p}$ is a set of conditions (atomic predicates) constructing a predicate $p$.
- $C$ is the set of all conditions in all of the decisions in $P$. $$C_{p} = \{c \mid c \in p\}$$ $$C = \cup_{p \in P} C_{p}$$
Logical Operators: Connect conditions to construct a decision.

Decision, Condition, Combinatorial Coverage¶

Decision Coverage (DC): For each $p \in P$, $TR$ contains two requirements.
1. $p$ evaluates to true.
2. $p$ evaluates to false.
- ~Edge Coverage.
Condition Coverage (CC): For each $c \in C$, $TR$ contains two requirements.
1. $c$ evaluates to true.
2. $c$ evaluates to false.
Combinatorial Coverage (CoC) / Multiple Condition Coverage: For each $p \in P$, $TR$ has test requirements for the conditions in $C_{p}$ to evaluate to each possible combination of truth values.

Active Condition Coverage¶

An active condition focuses on each condition that affects the final decision.
- Active Conditions = Major Conditions.
- Non-Active Conditions = Minor Conditions.
Determination: A major condition determines a decision with certain minor conditions.
Active Condition Coverage (ACC): For each $p \in P$ and making each condition $c_{i} \in C_{p}$ major, choose assignments for minor conditions $c_{j}$, $j \ne i$ such that $c_{i}$ determines $p$.

Automated Test-Case Generation: Address Sanitizer¶

Automated Test-Case Generation¶

Black Box: Random Test Cases.
Grey Box: Coverage Guidance.
White Box: Symbolic Reasoning.

Valgrind¶

An instrumentation framework for dynamic analysis tools that interprets a program using a synthetic CPU.

Memory Access Instrumentation¶

The compiler instruments each STORE and LOAD instruction with a check whether the memory being accessed is accessible.

Memory Mapping and Alignment¶

Virutal Memory $\implies$ Mem + Shadow
- Mem: Normal Application Memory.
- Shadow: Metadata Memory about Main Memory.
Poisoning a byte address of Mem requires writing a special value to its corresponding descriptor in Shadow.
Because most processors align memory using 8 bytes (i.e., QWORDS), AddressSanitizer maps each 8 bytes of Mem into 1 byte of Shadow.
- If all 8 bytes are accessible, $\text{Shadow} = 0$.
- If all 8 bytes are inaccessible, $\text{Shadow} < 0$.
- If the first $k$ bytes are only accessible, $\text{Shadow} = k$.

Redzones¶

Redzones are markers that mark boundaries of allocated memory segments on the heap.

Automated Test-Case Generation: Fuzzing¶

Fuzzing¶

A set of automated testing techniques that tries to identify abnormal program behaviors by evaluation of how the tested program responds to various inputs.

Challenges¶

Inputs: Input Files or Byte Arrays
Detecting Abnormal Behavior: Crashes, User-Defined Assertions, Hang Time, Memory Allocations
Ensuring Progression: Program Counter, Lines of Source Code, Statements, Control Flow Graph, Functions, ....
- i.e., Coverage Feedback
Generating Interesting Inputs: Bit Flips, Byte Flips, Byte Swaps, Byte Rotates, Arithmetic, Known Inputs, Composition, ....
Speed: Fork After Initialization, Use Cheaper Resources, Many Inputs for Single Process, ....

SMT Solver Z3¶

Satisfiability Modulo Theory (SMT)¶

Satisfiability: The problem of determining whether a formula $F$ has a model.
- If $F$ is propositional, a model is a truth assignment to Boolean variables.
- If $F$ is first-order formula, a model assigns values to variables and interpretation to all the function and predicate symbols.
SAT Solvers: Check satisfiability of propositional formulas.
SMT Solvers: Check satisfiability of formulas in a decidable first-order theory.

Symbolic Execution¶

Symbolic Execution High-Level Algorithm¶

Execute Program with Symbolic Inputs.
Fork Execution at Each Branch.
Record Branching Conditions.
Decide Path Feasibility with Constraint Solver.
Generates Test Cases with Constraint Solver.

Symbolic Execution¶

Symbolic Execution: A static analysis of programs by tracking symbolic values.
Symbolic Path Condition: A path condition for a path $P$ is a formula $PC$ such that $PC$ is satisfiable if and only if $P$ is executable.
The forking of the execution at each branch allows constraints to be built that characterize conditions for executing paths, and the effects of the execution on program state.

Symbolic State¶

A symbolic state is a pair $S = (Env, PC)$, where ...
- $Env = L \to E$ is an environment that maps program variables to symbolic expressions (first-order logic terms).
- $PC$ is a path condition that is a first-order logic formula.
A concrete state $M : L \to Z$ satisfies a symbolic state $S = (Env, PC)$ if and only if ... $$M |= (Env, PC) \text{ iff } \left( (\land_{v \in L} M(v) = Env(v)) \land PC \text{ is } SAT \right)$$

Functional Representation of an Executable Component¶

A symbolic execution creates a functional representation of a path in a CFG.
$D[P_{i}]$ is the domain for a path $P_{i}$ that represents the inputs that force the program to take the path.
$C[P_{i}]$ is the computation for a path $P_{i}$ that represents the result of executing the path.
A program $P$ is composed of partial functions representing the executable paths: $P = \{P_{1}, ..., P_{r}\}$ where $P_{i} : X_{i} \to Y$.

Finding Bugs with Symbolic Execution¶

Enumerate Paths with Symbolic Execution.
Translate Any Safety Property to Reachability (Assertions).
Treat Assertions as Error Conditions.

Dynamic Symbolic Execution¶

Execute the program with a concrete state and a symbolic state in parallel.
Generate a new concrete state using a constraint solver.

EXE Algorithm¶

See Slides 6 to 21 in Dynamic Symbolic Execution.

DART Algorithm¶

See Slides 22 to 64 in Dynamic Symbolic Execution.

Semantics of Symbolic Execution¶

Notation¶

$L$ is a set of program variables.
$q$ is a concrete state that maps program variables $L$ to integers $\mathbb{Z}$.
$Q : L \to \mathbb{Z}$ is the set of all states.

Symbolic States and Path Conditions¶

A symbolic state $q$ is a map from program variables to symbolic expressions.
A path condition $pc$ is a formula over symbolic expressions.
A judgment in symbolic execution has the following form. $$\langle s, q, pc \rangle \Downarrow q', pc'$$
- where $s$ is the Program Statement.
- where $q$ is the Input Symbolic Environment.
- where $q'$ is the Output Symbolic Environment.
- where $pc$ is the Input Path Condition.
- where $pc'$ is the Output Path Condition.
A path condition $pc'$ is satisfiable if and only if there is a concrete input state $c$ and concrete output state $c'$ such that $s$ started in state $c$ reaches $c'$, i.e., $\langle s, c \rangle \Downarrow c'$

Symbolic Semantics for WHILE: Expressions¶

$$ \begin{aligned} &\frac{}{\langle n, q \rangle \Downarrow n} n \in \mathbb{Z} \\[1em] &\frac{}{\langle v, q \rangle \Downarrow q(v)} v \in L \\[1em] &\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} + a_{2}, q \rangle \Downarrow \text{Plus}(n_{1}, n_{2})} \\[1em] &\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} * a_{2}, q \rangle \Downarrow \text{Times}(n_{1}, n_{2})} \\[1em] &\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} < a_{2}, q \rangle \Downarrow \text{Lt}(n_{1}, n_{2})} \\[1em] &\frac{\langle a_{1}, q \rangle \Downarrow n_{1} \quad \langle a_{2}, q \rangle \Downarrow n_{2}}{\langle a_{1} > a_{2}, q \rangle \Downarrow \text{Gt}(n_{1}, n_{2})} \\[1em] &\frac{\langle b_{1}, q \rangle \Downarrow r_{1} \quad \langle b_{2}, q \rangle \Downarrow r_{2}}{\langle b_{1} \land b_{2}, q \rangle \Downarrow \text{And}(r_{1}, r_{2})} \\[1em] &\frac{\langle b_{1}, q \rangle \Downarrow r_{1} \quad \langle b_{2}, q \rangle \Downarrow r_{2}}{\langle b_{1} \lor b_{2}, q \rangle \Downarrow \text{Or}(r_{1}, r_{2})} \\[1em] \end{aligned} $$

Symbolic Semantics for WHILE: Statements¶

$$ \begin{aligned} &\frac{}{\langle \text{skip}, q, pc \rangle \Downarrow q, pc} \\[1em] &\frac{}{\langle \text{print_state}, q, pc \rangle \Downarrow q, pc} \\[1em] &\frac{\langle s_{1}, q, pc \rangle \Downarrow q'', pc'' \quad \langle s_{2}, q'', pc'' \rangle \Downarrow q', pc'}{\langle s_{1} \text{ ; } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em] &\frac{\langle e, q \rangle \Downarrow r}{\langle x := e, q, pc \rangle \Downarrow q[x := r], pc} \\[1em] &\frac{R \text{ is a fresh symbolic constant}}{\langle \text{havoc } x, q, pc \rangle \Downarrow q[x := R], pc} \\[1em] &\frac{\langle b, q \rangle \Downarrow r \quad pc \land r \text{ is SAT } \quad \langle s_{1}, q, pc \land r \rangle \Downarrow q', pc'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em] &\frac{\langle b, q \rangle \Downarrow r \quad pc \land \lnot r \text{ is SAT } \quad \langle s_{2}, q, pc \land \lnot r \rangle \Downarrow q', pc'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q, pc \rangle \Downarrow q', pc'} \\[1em] &\frac{\langle b, q \rangle \Downarrow r \quad pc \land \lnot r \text{ is SAT}}{\langle \text{while } b \text{ do } s, q, pc \rangle \Downarrow q, pc \land \lnot r}\\[1em] &\frac{\langle b, q \rangle \Downarrow r \quad pc \land r \text{ is SAT } \quad \langle s \text{ ; while } b \text{ do } s, q, pc \land r \rangle \Downarrow q', pc'}{\langle \text{while } b \text{ do } s, q, pc \rangle \Downarrow q', pc'}\\[1em] \end{aligned} $$

Concolic Semantics for WHILE: Notation¶

$Sym(L)$ are the symbolic program variables.
$Con(L)$ are the concrete program variables.
A concolic state is a triple: $q = \langle c, s, pc \rangle$.
- where $con(q) = c$ is the Concrete State.
- where $sym(q) = s$ is the Symbolic State.
- where $pc(q) = pc$ is the Path Condition.
Every variable $v \in sym(q)$ has a concrete shadow $con(q)(v)$; i.e., concrete state can evaluate all variables.

Equivalence of Concrete States¶

Two concrete states $c_{1}$ and $c_{2}$ are equivalent, $c_{1} \equiv_{con} c_{2}$, whenever they agree on concrete variables: $$c_{1} \equiv_{con} c_{2} \iff \forall a \in Con(L) \cdot c_{1}(a) = c_{2}(a)$$

Containment of Concrete States¶

$c \models \langle s, pc \rangle$ means that concrete $c$ is contained in symbolic $\langle s, pc \rangle$.

Concolic Semantics of Expressions¶

Expressions that do not depend on symbolic variables are evaluated concretely.
Expressions that depend on symbolic variables are evaluated symbolically (i.e. AST).

$$\frac{con(a) \quad \langle a, con(q) \rangle \Downarrow v}{\langle a, q \rangle \Downarrow v}$$$$\frac{sym(a) \quad \langle a, sym(q) \rangle \Downarrow v}{\langle a, q \rangle \Downarrow v}$$

Concolic Semantics of Simple Statements¶

For most statements, the semantics are extended by applying both symbolic and concrete operational semantics in parallel.
The last pre-condition ensures that the concrete and symbolic states are chosen consistently.

$$\frac{\langle s, con(q) \rangle \Downarrow c \quad \langle s, sym(q), pc(q) \rangle \Downarrow s', pc' \quad c \models \langle s', pc' \rangle}{\langle s, q \rangle \Downarrow \langle c, s', pc' \rangle}$$

Concolic Semantics of Assignment¶

Assignment of values to concrete variables is limited to concrete values only.
Impossible: To assign symbolic variables to concrete variables.

$$\frac{\langle e, q \rangle \Downarrow n \quad con(x) \quad n \in \mathbb{Z}}{\langle x := e, q \rangle \Downarrow q[x := n]}$$

Concolic Semantics of If-Statement¶

At an if-statement, concolic execution can chose to switch to the branch that is not consistent with current concrete state, as long as the concrete state can be adjusted.

$$\frac{\langle b, con(q) \rangle \Downarrow \text{true} \quad \langle b, q \rangle \Downarrow r \quad pc(q) \land \lnot r \text{ is SAT } \quad c \models \langle sym(q), pc(q) \land \lnot r \rangle \quad c \equiv_{con} con(q) \quad \langle s_{2}, \langle c, sym(q), pc(q) \land \lnot r \rangle \rangle \Downarrow q'}{\langle \text{if } b \text{ then } s_{1} \text{ else } s_{2}, q \rangle \Downarrow q'}$$

Concolic Semantics of Concretization¶

Concretization turns symbolic variables into the values of their concrete shadows. The choice of concretization is captured in a concretization constraints in the path condition.
If $x$ is a symbolic variable with symbolic value $r$ and it is currently shadowed concretely by a concrete value $n$, then its value can be concretized to $n$ as long as the path condition is updated with $r = n$ to reflect the concretization.

$$\frac{sym(x) \quad \langle x, con(q) \rangle \Downarrow n \quad \langle x, sym(q) \rangle \Downarrow r \quad \langle s, \langle con(q), sym(q)[x := n], pc(q) \land r = n \rangle \rangle \Downarrow q'}{\langle s, q \rangle \Downarrow q'}$$

Propositional Logic¶

Syntax of Propositional Logic¶

An atomic formula has the form $A_{i}$ where $i = 1, 2, 3, ...$.

Formulas¶

All atomic formulas are formulas.
Negation: For every formula $F$, ${\lnot}F$ is a formula.
Disjunction (Or): For all formulas $F$ and $G$, $(F \lor G)$ is a formula.
Conjunction (And): For all formulas $F$ and $G$, $(F \land G)$ is a formula.
Subformula: Any formula $F$ which occurs in another formula $G$.

Syntax¶

$$ \begin{aligned} \text{truth_symbol} &::= \top \text{ (true) } \mid \bot \text{ (false) }\\[1em] \text{variable} &::= p, q, r, ...\\[1em] \text{atom} &::= \text{truth_symbol} \mid \text{variable}\\[1em] \text{literal} &::= \text{atom} \mid {\lnot}\text{atom}\\[1em] \text{formula} &::= \text{literal} \,\mid\\ &{\lnot}\text{formula} \,\mid\\ &\text{formula} \land \text{formula}\,\mid\\ &\text{formula} \lor \text{formula}\,\mid\\ &\text{formula} \to \text{formula}\,\mid\\ &\text{formula} \leftrightarrow \text{formula} \end{aligned} $$

Semantics of Propositional Logic¶

Truth Values: The elements of the set $\{0, 1\}$.
Assignment: A function $\mathcal{A} : \mathbf{D} \to \{0, 1\}$, where $\mathbf{D}$ is any subset of the atomic formulas.
Given an assignment $\mathcal{A}$, it can be extended to the function $\mathcal{A'} : \mathbf{E} \to \{0, 1\}$, where $\mathbf{E} \supseteq \mathbf{D}$ is the set of formulas that can be built using only the atomic formulas from $\mathbf{D}$.

Semantics¶

For every atomic formula $A_{i} \in \mathbf{D}$, $\mathcal{A'}(A_{i}) = \mathcal{A}(A_{i})$.
$\mathcal{A'}((F \land G)) = \begin{cases}1, &\text{if } \mathcal{A'}(F) = 1 \text{ and } \mathcal{A'}(G) = 1 \\ 0, &\text{otherwise}\end{cases}$
$\mathcal{A'}((F \lor G)) = \begin{cases}1, &\text{if } \mathcal{A'}(F) = 1 \text{ or } \mathcal{A'}(G) = 1 \\ 0, &\text{otherwise}\end{cases}$
$\mathcal{A'}({\lnot}F) = \begin{cases}1, &\text{if } \mathcal{A'}(F) = 0 \\ 0, &\text{otherwise}\end{cases}$
$\mathcal{A'}((F \to G)) = {\lnot}F \lor G$
$\mathcal{A'}((F \leftrightarrow G)) = ({\lnot}F \lor G) \land (F \lor {\lnot}G)$

Truth Tables¶

$\mathcal{A}(F)$	$\mathcal{A}({\lnot}G)$
$0$	$1$
$1$	$0$

$\mathcal{A}(F)$	$\mathcal{A}(G)$	$\mathcal{A}((F \land G))$
$0$	$0$	$0$
$0$	$1$	$0$
$1$	$0$	$0$
$1$	$1$	$1$

$\mathcal{A}(F)$	$\mathcal{A}(G)$	$\mathcal{A}((F \lor G))$
$0$	$0$	$0$
$0$	$1$	$1$
$1$	$0$	$1$
$1$	$1$	$1$

$\mathcal{A}(F)$	$\mathcal{A}(G)$	$\mathcal{A}((F \to G))$
$0$	$0$	$1$
$0$	$1$	$1$
$1$	$0$	$0$
$1$	$1$	$1$

$\mathcal{A}(F)$	$\mathcal{A}(G)$	$\mathcal{A}((F \leftrightarrow G))$
$0$	$0$	$1$
$0$	$1$	$0$
$1$	$0$	$0$
$1$	$1$	$1$

Induction on the Formula Structure¶

Prove a statement $S$ for every formula $F$.

Induction Base: Show that $S$ holds for every atomic formula $A_{i}$.
Induction Step: Show under the induction hypothesis that $S$ holds for arbitrary, but fixed formulas $F$ and $G$, it follows that $S$ also holds for ${\lnot}F$, $(F \land G)$, and $(F \lor G)$.

Suitable Assignment, Model, Satisfiable, Valid¶

If an assignment $\mathcal{A}$ is defined for every atomic formula $A_{i}$ occurring in a formula $F$, then $\mathcal{A}$ is called suitable for $F$.
If an assignment $\mathcal{A}$ is suitable for a formula $F$, and if $\mathcal{A}(F) = 1$, then $F$ holds under the assignment $\mathcal{A}$; $\mathcal{A}$ is a model for F.
- $\mathcal{A} \models F$
- $\mathcal{A} \not\models F$.
A formula $F$ is satisfiable if $F$ has at least one model, else $F$ is called unsatisfiable/contradictory.
A formula $F$ is valid (or a tautology) if every suitable assignment for $F$ is a model for $F$.
- $\models F$
- $\not\models F$

Validity and Unsatisfiability Theorem¶

A formula $F$ is valid if and only if ${\lnot}F$ is unsatisfiable.

Satisfiability with a Truth Table¶

A formula $F$ with $n$ atomic sub-formulas has $2^{n}$ suitable assignments.
- $F$ is satisfiable if and only if there is at least once entry with $1$ in the output.
- $F$ is valid if and only if all the entries are $1$ in the output.

Equivalence¶

Two formulas $F$ and $G$ are semantically equivalent if for every assignment $\mathcal{A}$ that is suitable for both $F$ and $G$, $\mathcal{A}(F) = \mathcal{A}(G)$, denoted $F \equiv G$.

Substitution Theorem¶

Let $F$ and $G$ be equivalent formulas.
Let $H$ be a formula with an occurrence of $F$ as subformula.
Then $H$ is equivalent to $H'$ where $H'$ is a formula obtained from $H$ by substituting an occurence of subformula $F$ by $G$.

General Theorems¶

For all formulas $F$, $G$, and $H$, the following equivalences hold.

Idempotency¶

$$ \begin{aligned} (F \land F) &\equiv F\\ (F \lor F) &\equiv F \end{aligned} $$

Commutativity¶

$$ \begin{aligned} (F \land G) &\equiv (G \land F)\\ (F \lor G) &\equiv (G \lor F) \end{aligned} $$

Associativity¶

$$ \begin{aligned} ((F \land G) \land H) &\equiv (F \land (G \land H))\\ ((F \lor G) \lor H) &\equiv (F \lor (G \lor H)) \end{aligned} $$

Absorption¶

$$ \begin{aligned} (F \land (F \lor G)) &\equiv F\\ (F \lor (F \land G)) &\equiv F \end{aligned} $$

Distributivity¶

$$ \begin{aligned} (F \land (G \lor H)) &\equiv ((F \land G) \lor (F \land H))\\ (F \lor (G \land H)) &\equiv ((F \lor G) \land (F \lor H))\\ \end{aligned} $$

Double Negation¶

$${\lnot}{\lnot}F \equiv F$$

deMorgan's Laws¶

$$ \begin{aligned} {\lnot}(F \land G) &\equiv ({\lnot}F \lor {\lnot}G)\\ {\lnot}(F \lor G) &\equiv ({\lnot}F \land {\lnot}G) \end{aligned} $$

Tautology Laws¶

$$ \begin{aligned} (F \lor G) &\equiv F &\text{ if } F \text{ is a tautology}\\ (F \land G) &\equiv G &\text{ if } F \text{ is a tautology}\\ \end{aligned} $$

Unsatisfiability Laws¶

$$ \begin{aligned} (F \lor G) &\equiv G &\text{ if } G \text{ is unsatisfiable}\\ (F \land G) &\equiv F &\text{ if } F \text{ is unsatisfiable}\\ \end{aligned} $$

Normal Forms¶

A literal is an atomic formula or the negation of an atomic formula.
A formula $F$ is in conjunctive normal form (CNF) if it is a conjunction of disjunctions of literals. $$F = \left( \bigwedge^{n}_{i = 1}\left( \bigvee{m_{i}}_{j = 1} L_{i,j} \right) \right)$$
- where $L_{i,j} \in \{A_{1}, A_{2}, ...\} \cup \{{\lnot}A_{1}, {\lnot}A_{2}, ...\}$
A formula $F$ is in disjunctive normal form (DNF) if it is a disjunction of conjunctions of literals. $$F = \left( \bigvee^{n}_{i = 1}\left( \bigwedge{m_{i}}_{j = 1} L_{i,j} \right) \right)$$
- where $L_{i,j} \in \{A_{1}, A_{2}, ...\} \cup \{{\lnot}A_{1}, {\lnot}A_{2}, ...\}$

Normal Form Theorem¶

For every formula $F$ there is an equivalent formula $F_{1}$ in CNF and an equivalent formula $F_{2}$ in DNF.

Propositional Resolution¶

$$ \frac{C \lor p \quad D \lor {\lnot}p}{C \lor D} $$

Given $(C, p)$ and $(D, {\lnot}p)$ that contain a literal $p$ of different polarity, create a new clause by taking the union of literals in $C$ and $D$.
- Premise: $C \lor p$
- Pivot: $D \lor {\lnot}p$
- Resolvent: $C \lor D$

Unsatisfiable Resolution¶

$$ \frac{p \quad {\lnot}p}{\perp} $$

Resolution Lemma¶

Let $F$ be a CNF formula.
Let $R$ be a resolvent of two clauses $X$ and $Y$ in $F$.
Then, $F \cup \{R\}$ is equivalent to $F$.

Proof System¶

$$P_{1}, ..., P_{n} \vdash C$$

An inference rule is a tuple $(P_{1}, ..., P_{n}, C)$.
- Where $P_{1}, ..., P_{n}, C$ are formulas.
- Where $P_{i}$ is a premise.
- Where $C$ is a conclusion.
A proof system $P$ is a collection of inference rules.
A proof in a proof system $P$ is a tree (or a DAG) such that nodes are labeled by formulas, and for each node $n$, $(\text{parents}(n), n)$ is an inference rule in $P$.
Propositional Resolution System = Sound Proof System

Entailment and Derivation¶

A set of formulas $F$ entails a set of formulas $G$ if and only if every model of $F$ is a model of $G$. $$F \models G$$
A formula $G$ is derivable from a formula $F$ by a proof system $P$ if there exists a proof whose leaves are labeled by formulas in $F$ and the root is labeled by $G$. $$F \vdash_{P} G$$

Soundness and Completeness¶

A proof system $P$ is sound if and only if.... $$(F \vdash_{P} G) \implies (F \models G)$$
A proof system $P$ is complete if and only if.... $$(F \models G) \implies (F \vdash_{P} G)$$

Propositional Resolution = Sound + Complete

Semantic Arguments for Propositional Logic¶

Assume there exists a falsifying interpretation $\mathcal{A}$ such that $\mathcal{A} \not\models F$.
Apply the semantic definitions of the logical connectives in the form of proof rules. $$\frac{\text{Premises}}{\text{Deductions}}$$
- If any proof rule has multiple independent deductions, denoted $\mid$, then fork the proof for each case.
If there are contradictions, then $F$ is valid.
If there are no contradictions, then $F$ is invalid.

Proof Rules of Negation¶

$$ \begin{aligned} \mathcal{A} &\models {\lnot}F\\ \hline \mathcal{A} &\not\models F \end{aligned} \quad \begin{aligned} \mathcal{A} &\not\models {\lnot}F\\ \hline \mathcal{A} &\models F \end{aligned} $$

Proof Rules of Conjunction¶

$$ \begin{aligned} \mathcal{A} &\models F \land G\\ \hline \mathcal{A} &\models F\\ \mathcal{A} &\models G \end{aligned} \quad \begin{aligned} \mathcal{A} \not\models F \land G\\ \hline \mathcal{A} \not\models F \mid \mathcal{A} \not\models G \end{aligned} $$

Proof Rules of Disjunction¶

$$ \begin{aligned} \mathcal{A} \models F \lor G\\ \hline \mathcal{A} \models F \mid \mathcal{A} \models G \end{aligned} \quad \begin{aligned} \mathcal{A} &\not\models F \lor G\\ \hline \mathcal{A} &\not\models F\\ \mathcal{A} &\not\models G \end{aligned} $$

Proof Rules of Implication¶

$$ \begin{aligned} \mathcal{A} \models F \to G\\ \hline \mathcal{A} \not\models F \mid \mathcal{A} \models G \end{aligned} \quad \begin{aligned} \mathcal{A} &\not\models F \to G\\ \hline \mathcal{A} &\models F\\ \mathcal{A} &\not\models G \end{aligned} $$

Proof Rules of Bi-Implication¶

$$ \begin{aligned} \mathcal{A} \models F \leftrightarrow G\\ \hline \mathcal{A} \models F \land G \mid \mathcal{A} \not\models F \lor G \end{aligned} \quad \begin{aligned} \mathcal{A} \not\models F \leftrightarrow G\\ \hline \mathcal{A} \models F \land {\lnot}G \mid \mathcal{A} \models {\lnot}F \lor G \end{aligned} $$

Proof Rule of Contradiction¶

A contradiction occurs when following the other proof rules results in the claim that an assignment $\mathcal{A}$ both satisfies a formula $F$ and does not satisfy $F$.

$$ \begin{aligned} \mathcal{A} &\models F\\ \mathcal{A} &\not\models F\\ \hline \mathcal{A} &\models \bot \end{aligned} $$

Proof Rule of Modus Ponens¶

$$ \begin{aligned} \mathcal{A} &\models F\\ \mathcal{A} &\models F \to G\\ \hline \mathcal{A} &\models G \end{aligned} $$

First Order Logic (FOL)¶

Syntax of First Order Logic¶

A variable is of the form $x_{i}$.
A predicate symbol is of the form $P^{k}_{i}$.
A function symbol is of the form $f^{k}_{i}$.
A signature $\Sigma$ is a finite set of predicate symbols, function symbols, and an arity function $\Sigma \to N$.
$i = 1, 2, 3, ...$ is the distinguishability index.
$k = 0, 1, 2, ...$ is the arity.

Syntax of Terms¶

$$ \begin{aligned} t \in T ::=\, &v &v \in V\\ &{\mid} f(t_{1}, ..., t_{n}) &f \in \Sigma_{F}, t_{1}, ..., t_{n} \in T \end{aligned} $$

Syntax of Atomic Formulas¶

$$ \begin{aligned} a \in \text{Atoms} ::=\, &P(t_{1}, ..., t_{n}) &P \in \Sigma_{P}, t_{1}, ..., t_{n} \in T \end{aligned} $$

Syntax of Literals¶

$$ \begin{aligned} l \in \text{Literals} ::=\, &a \mid {\lnot}a &a \in \text{Atoms} \end{aligned} $$

Syntax of Quantifier Free Formulas¶

$$ \begin{aligned} \phi \in \text{QFF} ::=\, &a \in \text{Atoms} &\text{Atoms}\\ &{\mid} {\lnot}\phi &\text{Negations}\\ &{\mid} \phi \leftrightarrow \phi' &\text{Bi-Implications}\\ &{\mid} \phi \land \phi' &\text{Conjunction}\\ &{\mid} \phi \lor \phi' &\text{Disjunction}\\ &{\mid} \phi \to \phi' &\text{Implication} \end{aligned} $$

Syntax of First-Order Formulas¶

$$ \begin{aligned} \phi ::=\, &\phi \in \text{QFF} & ...\\ &{\mid} \forall x \cdot \phi &\text{Universal Quantifier}\\ &{\mid} \exists x \cdot \phi &\text{Existential Quantifier} \end{aligned} $$

Free: A variable in a formula not bound by a quantifier.
Sentence: A first-order formula with no free variables.

Semantics of First Order Logic¶

A structure is a pair $\mathcal{A} = (U_{\mathcal{A}}, I_{\mathcal{A}})$.
$U_{\mathcal{A}}$ is an arbitrary, non-empty set called the domain.
$I_{\mathcal{A}}$ is an interpretation / mapping that maps....
- Each $k$-ary predicate symbol $P$ to a $k$-ary predicate symbol on $U_{\mathcal{A}}$ (if $I_{\mathcal{A}}$ is defined on $P$).
- Each $k$-ary function symbol $f$ to a $k$-ary function on $U_{\mathcal{A}}$ (if $I_{\mathcal{A}}$ is defined on $f$).
- Each variable $x$ to an element of $U_{\mathcal{A}}$ (if $I_{\mathcal{A}}$ is defined on $x$).
A structure $\mathcal{A}$ is suitable for $F$ if $I_{\mathcal{A}}$ is defined for all predicate symbols, function symbols, and variables that occur free in $F$.
- $P^{\mathcal{A}} = I_{\mathcal{A}}(P)$
- $f^{\mathcal{A}} = I_{\mathcal{A}}(f)$
- $x^{\mathcal{A}} = I_{\mathcal{A}}(x)$
If for a formula $F$ and a suitable structure $\mathcal{A}$, $\mathcal{A}(F) = 1$, then $\mathcal{A}$ is a model for $F$, denoted $\mathcal{A} \models F$.
If every suitable structure for a formula $F$ is a model for $F$, then $F$ is valid, denoted $\models F$.
If there is at least one model for a formula $F$, then $F$ is called satisfiable.

Semantics¶

Let $\mathcal{A}(t)$ denote the value of the term $t$ occurring in $F$ under the structure $\mathcal{A}$.
Let $\mathcal{A}(F)$ denote the truth-value of the formula $F$ under the structure $\mathcal{A}$.

Variables: If $t$ is a variable, then $\mathcal{A}(t) = x^{\mathcal{A}}$
Functions: If $t$ is a function, $\mathcal{A}(t) = f^{\mathcal{A}}(\mathcal{A}(t_{1}), ..., \mathcal{A}(t_{k}))$
Predicates: If $F$ is a predicate, $$\mathcal{A}(F) = \begin{cases}1 & \text{if } (\mathcal{A}(t_{1}), ..., \mathcal{A}(t_{k})) \in P^{\mathcal{A}}\\ 0 & \text{otherwise} \end{cases}$$
Negation: If $F$ has the form $F = {\lnot}G$, $$\mathcal{A}(F) = \begin{cases}1 & \text{if } \mathcal{A}(G) = 0\\ 0 & \text{otherwise} \end{cases}$$
Conjunction: If $F$ has the form $F = (G \land H)$, $$\mathcal{A}(F) = \begin{cases}1 & \text{if } \mathcal{A}(G) = 1 \text{ and } \mathcal{A}(H) = 1\\ 0 & \text{otherwise} \end{cases}$$
Disjunction: If $F$ has the form $F = (G \lor H)$, $$\mathcal{A}(F) = \begin{cases}1 & \text{if } \mathcal{A}(G) = 1 \text{ or } \mathcal{A}(H) = 1\\ 0 & \text{otherwise} \end{cases}$$
Universal: If $F$ has the form $F = \forall x . G$, $$\mathcal{A}(F) = \begin{cases}1 & \text{if for all } u \in U_{\mathcal{A}}, \mathcal{A}_{[x := u]}(G) = 1\\ 0 & \text{otherwise} \end{cases}$$
Existential: If $F$ has the form $F = \exists x . G$, $$\mathcal{A}(F) = \begin{cases}1 & \text{if there exists some } u \in U_{\mathcal{A}}, \mathcal{A}_{[x := u]}(G) = 1\\ 0 & \text{otherwise} \end{cases}$$

Inference Rules for First Order Logic¶

Let $\vdash A$ denote when $A$ can be inferred from basic axioms.
Let $B \vdash A$ denote when $A$ can be inferred from $B$.
Let $\text{fresh}(a)$ denote some $a$ that has not been previously used in the proof.

$$ \begin{aligned} &\frac{\vdash A \quad \vdash B}{\vdash A \land B}\\[1em] &\frac{\vdash A}{\vdash A \lor B}\\[1em] &\frac{\vdash B}{\vdash A \lor B}\\[1em] &\frac{\vdash A \to B \quad \vdash A}{\vdash B}\\[1em] &\frac{\vdash A[x := e]}{\vdash \exists x \cdot A}\\[1em] &\frac{\vdash \forall x \cdot A}{\vdash A[x := e]}\\[1em] &\frac{\vdash A[x := a]}{\vdash \forall x \cdot A} \, \text{fresh}(a)\\[1em] &\frac{\vdash A \vdash B}{\vdash A \to B}\\[1em] &\frac{\vdash \exists x \cdot A \quad \vdash A[x := a] \vdash B}{\vdash B} \, \text{fresh}(a) \end{aligned} $$

Semantic Arguments for First Order Logic¶

See Semantic Arguments for Propositional Logic.

Proof Rules for Universal Quantification¶

$$ \begin{aligned} \mathcal{A} &\models \forall x . F\\ \hline \mathcal{A}[x := v] &\models F \end{aligned} \, \text{for any} \, v \in U_{\mathcal{A}} \quad \begin{aligned} \mathcal{A} &\not\models \forall x . F\\ \hline \mathcal{A}[x := v] &\not\models F \end{aligned} \, \text{for a fresh} \, v \in U_{\mathcal{A}} $$

Proof Rules for Existential Quantification¶

$$ \begin{aligned} \mathcal{A} &\models \exists x . F\\ \hline \mathcal{A}[x := v] &\models F \end{aligned} \, \text{for a fresh} \, v \in U_{\mathcal{A}} \quad \begin{aligned} \mathcal{A} &\not\models \exists x . F\\ \hline \mathcal{A}[x := v] &\not\models F \end{aligned} \, \text{for any} \, v \in U_{\mathcal{A}} $$

Proof Rule for Contradiction¶

A contradiction exists if two variants of the original structure $\mathcal{A}$ disagree on the truth value of an $n$-ary predicate $p$ for a given tuple of domain values.

$$ \begin{aligned} \mathcal{B} : \mathcal{A}[...] &\models p(s_{1}, ..., s_{n})\\ \mathcal{C} : \mathcal{A}[...] &\not\models p(t_{1}, ..., t_{n}) \text{ for } i \in \{1, ..., n\}, \alpha_{\mathcal{B}}[s_{i}] = \alpha_{\mathcal{C}}[t_{i}]\\ \hline \mathcal{A} &\models \bot \end{aligned} $$

Theories¶

A theory $T$ is a set of deductively closed sentences.
- Consistent: $\bot \not\in T$
A theory $T$ is the class of all models of $T$.
Deductive Closure: $DC(\Gamma)$ is the deductive closure of a set of sentences $\Gamma$.
- $DC(T) = T$
$T$-Satisfiable: A formula $\phi(x)$ is $T$-satisfiable in a theory $T$ if there is a model of $DC(T \cup \exists x \cdot \phi(x))$.
- $M \models_{T} \phi(x)$
$T$-Validity: A formula $\phi(x)$ is $T$-valid in a theory $T$ if $\forall x \cdot \phi(x) \in T$.
- $\models_{T} \phi(x)$
Fragment: A restricted subset of formulae of a theory $T$.
Decidable: A theory $T$ is decidable if $T$-validity is decidable for every formula $F$ of $T$.

Theory of Equality ($T_{E}$)¶

Signature¶

$$ \Sigma_{E} = \{ =, a, b, c, ..., A, B, C, ... \} $$

Axioms¶

Reflexivity: $\forall x \cdot x = x$
Symmetry: $\forall x, y \cdot x = y \to y = x$
Transitivity: $\forall x, y, z \cdot x = y \land y = z \to x = z$
Congruence: $\forall x_{1}, ..., x_{n}, y_{1}, ..., y_{n} \cdot \land_{i} x_{i} = y_{i} \to f(x_{1}, ..., x_{n}) = f(y_{1}, ..., y_{n})$
Equivalence: $\forall x_{1}, ..., x_{n}, y_{1}, ..., y_{n} \cdot \land_{i} x_{i} = y_{i} \to \left( P(x_{1}, ..., x_{n}) \leftrightarrow P(y_{1}, ..., y_{n}) \right)$

Theory of Peano Arithmetic ($T_{PA}$)(Natural Number)¶

Signature¶

$$ \Sigma_{PA} = \{ 0, 1, +, *, = \} $$

Axioms¶

Axioms for $T_{E}$

Zero: $\forall x \cdot \lnot (x + 1 = 0)$
Successor: $\forall x, y \cdot x + 1 = y + 1 \to x = y$
Induction: $F(0) \land (\forall x \cdot F(x) \to F(x + 1)) \to \forall x \cdot F(x)$
Plus Zero: $\forall x \cdot x + 0 = x$
Plus Successor: $\forall x, y \cdot x + (y + 1) = (x + y) + 1$
Times Zero: $\forall x \cdot x * 0 = 0$
Times Successor: $\forall x, y \cdot x * (y + 1) = x * y + x$

Theory of Presburger Arithmetic ($T_{PA}$)¶

Signature¶

$$ \Sigma_{PA} = \{ 0, 1, +, = \} $$

Axioms¶

Axioms for $T_{E}$

Zero: $\forall x \cdot \lnot (x + 1 = 0)$
Successor: $\forall x, y \cdot x + 1 = y + 1 \to x = y$
Induction: $F(0) \land (\forall x \cdot F(x) \to F(x + 1)) \to \forall x \cdot F(x)$
Plus Zero: $\forall x \cdot x + 0 = x$
Plus Successor: $\forall x, y \cdot x + (y + 1) = (x + y) + 1$

McCarthy Theory of Arrays ($T_{A}$)¶

Signature¶

$$ \Sigma_{A} = \{ \text{read}, \text{write}, = \} $$

$\text{read}(a, i)$ reads an array $a$ at the index $i$.
$\text{write}(a, i, v)$ writes a value $v$ to the index $i$ of array $a$, and returns a new array.

Axioms¶

Congruence: $\forall a, i, j \cdot i = j \to \text{read}(a, i) = \text{read}(a, j)$
Read-Over-Write 1: $\forall a, v, i, j \cdot i = j \to \text{read}(\text{write}(a, i, v), j) = v$
Read-Over-Write 2: $\forall a, v, i, j \cdot i \ne j \to \text{read}(\text{write}(a, i, v), j) = \text{read}(a, j)$
Extensionality: $a = b \leftrightarrow \forall i \cdot \text{read}(a, i) = \text{read}(b, i)$

Completeness, Compactness, Incompleteness¶

Gödel Completeness Theorem of FOL: Any first-order formula that is true in all models of a theory, must be logically deducible from that theory, and vice versa.
Gödel Compactness Theorem:A FOL theory $G$ is SAT if and only if every finite subset $G'$ of $G$ is SAT.
Incompleteness of FOL Theories:
- A theory is consistent if it is impossible to prove both $p$ and ${\lnot}p$ for any sentence $p$ in the signature of the theory.
- A theory is complete if for every sentence $p$ it includes either $p$ or ${\lnot}p$.
- There are FOL theories that are consistent but incomplete.

SAT¶

SAT Solving by Resolution¶

Assume that the input formula $F$ is in CNF.
Pick two clauses $C_{1}$ and $C_{2}$ in $F$ that can be resolved.
If the resolvent $C$ is an empty clause, return UNSAT.
Otherwise, add $C$ to $F$ and go to Step 1.
If no new clauses can be resolved, return SAT.

DPLL¶

Inspiration: Resolution-Based Search + Case Splitting on Decision
Idea: Incrementally builds a satisfying truth assignment $M$ for the input CNF formula $F$.
- Grow by Deduction
- Grow by Guessing + Backtracking
See Decision Procedures: An Algorithmic Point of View, Second Edition - Chapter 2.

Rules¶

$\cfrac{F}{F,p \mid F, {\lnot}p}$, split $p$ and ${\lnot}p$ are not in $F$.
$\cfrac{F, C \lor l, {\lnot}l}{F, C, {\lnot}l}$ Unit Propagation

Pure Literals¶

Pure: A literal that occurs only positively or negatively.
Pure Literal Rule: Clauses containing pure literals can be removed from the formula.

DPLL Procedure ($DPLL(F)$)¶

Apply unit propagation.
If conflict identified, return UNSAT.
Apply the pure literal rule.
If $F$ is satisfied, return SAT.
Select decision variable $x$:
- If $DPLL(F \land x) = \text{SAT}$, return SAT.
- Else, return $DPLL(F \land {\lnot}x)$.

Hoare Logic¶

WHILE Language Hoare Assertions¶

$$\{A\} c \{B\}$$

Equivalent: If $A$ holds in state $q$ and $q \to q'$, then $B$ holds in $q'$.
Where $A$ is a the pre-condition.
Where $B$ is a the post-condition.
Where $c$ is some computation.

Partial Correctness Assertion (Not Imply Termination)¶

$$\{A\} c \{B\}$$

If $A$ holds in state $q$ and there exists $q'$ such that $q \to q'$, then $B$ holds in $q'$.

Total Correctness Assertion (Imply Termination)¶

$$[A] c [B]$$

If $A$ holds in state $q$, then there exists $q'$ such that $q \to q'$ and $B$ holds in $q'$.

Semantics of Hoare Assertions¶

Let $q \models A$ denote that the assertion $A$ holds in a given state $q$.

$$ \begin{aligned} q \models \text{true} & \text{Always}\\ q \models e_{1} = e_{2} & \text{ iff } \langle e_{1}, q \rangle \Downarrow = \langle e_{2}, q \rangle \Downarrow\\ q \models e_{1} \ge e_{2} & \text{ iff } \langle e_{1}, q \rangle \Downarrow \ge \langle e_{2}, q \rangle \Downarrow\\ q \models A_{1} \land A_{2} & \text{ iff } q \models A_{1} \text{ and } a \models A_{2}\\ q \models A_{1} \lor A_{2} & \text{ iff } q \models A_{1} \text{ or } a \models A_{2}\\ q \models A_{1} \implies A_{2} & \text{ iff } q \models A_{1} \text{ implies } a \models A_{2}\\ q \models \forall x \cdot A & \text{ iff } \forall n \in \mathbb{Z} \cdot q[x := n] \models A\\ q \models \exists x \cdot A & \text{ iff } \exists n \in \mathbb{Z} \cdot q[x := n] \models A \end{aligned} $$

Semantics of Hoare Triples¶

Partial Correctness Assertion¶

$$ \models \{A\} c \{B\} \text{ iff } \forall q \in Q \cdot \forall q' \in Q \cdot q \models A \land q \to^{c} q' \implies q' \models B $$

Total Correctness Assertion¶

$$ \models [A] c [B] \text{ iff } \forall q \in Q \cdot q \models A \implies \exists q' \in Q \cdot q \to^{c} q' \land q' \models B $$

Inference Rules for Hoare Triples¶

Let $\vdash \{A\} c \{B\}$ denote that the Hoare Triple can be derived using inference rules.

Rule of Consequence¶

Strengthen Pre-Condition
Weaken Post-Condition

$$ \begin{aligned} &\cfrac{\vdash A' \implies A \quad \{A\} c \{B\} \quad \vdash B \implies B'}{\{A'\} c \{B'\}} \, \text{Conseq} \end{aligned} $$

Rules for WHILE¶

$$ \begin{aligned} &\vdash \{A\} \text{skip} \{A\}\\[1em] &\vdash \{A[x := e]\} x := e \{A\}\\[1em] &\cfrac{\vdash \{A\} s_{1} \{B\} \quad \vdash \{B\} s_{2} \{C\}}{\vdash \{A\} s_{1} \text{ ; } s_{2} \{C\}}\\[1em] &\cfrac{\vdash \{A \land b\} s_{1} \{B\} \quad \vdash \{A \land \lnot b\} s_{2} \{B\}}{\vdash \{A\} \text{ if } b \text{ then } s_{1} \text{ else } s_{2} \{B\}}\\[1em] &\cfrac{\vdash \{I \land b\} s \{I\}}{\vdash \{I\} \text{ while } b \text{ do } s \{I \land \lnot b\}}\\[1em] \end{aligned} $$

Alternative Rules for WHILE¶

$$ \begin{aligned} &\vdash \{A\} x := e \{\exists x_{0} \cdot x = e[x := x_{0}] \land A[x := x_{0}]\}\\[1em] &\cfrac{\vdash I \land b \implies C \quad \vdash \{C\} c \{I\} \quad \vdash I \land {\lnot}b \implies B}{\vdash \{I\} \text{ while } b \text{ do } c \{B\}}\\[1em] \end{aligned} $$

Inductive Loop Invariants Rule for WHILE¶

$$ \cfrac{\vdash \text{Pre} \implies \text{Inv} \quad \vdash \{\text{Inv} \land b\} s \{\text{Inv}\} \quad \vdash \text{Inv} \land {\lnot}b \implies \text{Post}}{\{\text{Pre}\} \text{ while } b \text{ do } s \{\text{Post}\}} $$

Inv is an inductive loop invariant if the following conditions hold.
1. Initiation: True before the loop.
2. Consecution: Preserved executing the body.
3. Safety: True after the loop.