SS 2018 Software Verification FOL to ML Prof. Dr. Holger Schlingloff 1,2 Dr. Esteban Pavese 1 (1) Institut für Informatik der Humboldt Universität (2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Quick recap Complexity of PL satisfiability? Complexity of PL validity? Is the PL calculus correct and complete? What is a derivation in PL? Translation from sequential circuits into PL? What is a resolution proof in PL? Syntax of FOL? FOL vs. PL – commonalities and differences? Semantics of FOL?

Recap: FOL Syntax New syntactic elements as compared to PL R is a set of relation symbols, where each pR has an arity nN0 V is a denumerable set of first-order (or individual) variables Usually, V={x, y, z, x1, x2, …} (if not stated otherwise) An atomic formula is p(x1,…,xn), where pR is n-ary and (x1,…,xn)Vn. O-ary (constant) relations are called propositions, unary relations are called predicates Syntax of (pure) first-order logic FOL ::= R (Vn) |  | (FOL  FOL) | V FOL Remark: There is no law which prohibits “empty” quantifiers, e.g., x p(y,z) Remark: if all predicates are propositions, then FOL = PL (only empty quantifiers occur, e.g., x (p()  (q()  y p()))

FOL: Models Here, we give the semantics for pure FOL First-Order Model Let a universe U be some nonempty set Interpretation I: assignment R ↦ Un in particular, I(r)  U U for binary rR I(p)  U for unary pR for 0-ary p ? Valuation V: assignment V ↦ U Model M: (U,I,V) Example: R ={even, <, =}; U ={1,2,3} I1(even)={2}, I1(<)={(1,2),(1,3),(2,3)}, I1(=)={(1,1),(2,2),(3,3)}. I2(even)={1,2,3}, I2(<)={(1,2),(2,3),(3,1)}, I2(=)={(1,1),(2,2),(3,3),(1,2)}. V(x)=1, V(y)=2

FOL: Semantics Given a model M: (U,I,V), the value xM of variable xV is xM=V(x) Likewise, the validation relation ⊨ between model M and formula  M ⊨ p(x1,…,xn) if (x1M,…, xnM)I(p) M ⊭ ; M ⊨ () if M ⊨  implies M ⊨  M ⊨x if M‘ ⊨ for some M‘ which differs at most in V(x) from M Validity and satisfiability is defined as in the propositional case Some examples, e.g., M1 ?⊨ y (even(x)  x<y) M2 ?⊨ y (even(x)  x<y)

More Examples ⊨ x  x  ⊨ x   x   x (  ) ⊨ x y   y x  ⊨ x   [x:=t] where t is any first-order variable in the signature and [x:=t] denotes the formula  where each occurrence of x is replaced by t. If ⊨ , then ⊨ x 

Extending FOL with Types and Functions As „syntactic sugar“, we introduce types and functions. Let again V be a (denumerable) set of (first-order) variables, where each variable has a type DD (written as x:D) (for any type, there is an unlimited supply of variables of that type) The notions Term and Atomic Formula AtF are defined recursively: each variable of type D is a term of type D if f is an n-ary function symbol of type (D1,…Dn,Dn+1) and t1, …, tn are terms of type D1, …, Dn, then f(t1,…,tn) is a term of type Dn+1 if p is an n-ary relation symbol of type (D1,…Dn) and t1, …, tn are terms of type D1, …, Dn, then p(t1,…,tn) is an atomic formula Syntax of first-order logic with types and functions FOL ::= AtF |  | (FOL  FOL) | V:D FOL

Extended FOL: Models Now, we extend the semantics First-order model with types Let a universe U be some nonempty set, and let DU  U for every DD be the domain of D Interpretation I: assignment F ↦ Un+1 R ↦ Un Valuation V: assignment V ↦ U interpretations and valuations must respect typing Model M: (U,I,V)

Extended FOL: Semantics Given a model M: (U,I,V), the value tM of term t (of type D) can be defined inductively if t=xV, then tM=V(x) if t=f(t1,…,tn) , then tM=I(f)(t1M,…,tnM) Likewise, the validation relation ⊨ between model M and formula  M ⊨ p(t1,…,tn) if (t1M,…,tnM)I(p) M ⊭ ; M ⊨ () if M ⊨  implies M ⊨  M ⊨x if M‘ ⊨ for some M‘ which differs at most in V(x) from M Some examples

FOL: Calculus A sound and complete axiom system for FOL: all substitution instances of axioms of PL modus ponens: , () ⊢  ⊢((x:=t)x) instantiation () ⊢(x) if x doesn‘t occur in  particularization Relaxation: particularization may be applied if there is no free occurrence of x in ; i.e., x may occur in  inside the scope of a quantification

FOL: Completeness As in the propositional case, correctness is easy (⊢  ⊨, “every derivable formula is valid”) Completeness (⊨  ⊢, “every valid formula is derivable”) follows with a similar proof as previously: given a consistent formula, construct a model satisfying it ~⊢¬  ~⊨¬ Extension lemma: If Φ is a finite consistent set of formulæ and  is any formula, then Φ{} or Φ{¬} is consistent Needs additionally: If Φ is any consistent set of formulæ and x is a formula in Φ, then Φ{(t)} is consistent for any term t From this, a canonical model can be constructed as before

FOL: Expressiveness Consider the formula xyz ((p(x, y) ∧ p(y, z)) → p(x, z)) ∧ x ¬p(x, x) ∧ x y p(x, y) This formula is satisfiable only in infinite models FOL cannot express equality x=y p (p(x)  p(y)) (Leibnitz’ extensionality) Usually: take “=“ as a new, special predicate with fixed interpretation (FOL=)

Modal logics – a motivation Introduced by C. I. Lewis (1883-1964) in 1910 Critique on the concept of variables in formalizations of language Actually Aristotle had already discussed about syllogistic logic being too absolute; he wondered about the consequences of potentiallity and time Main drive behind MLs in the 1960s Influencial people: Saul Kripke (1940-), Jaako Hintikka (1929-2015) Arthus Prior (1957): Interpretation of modal as temporal operators Amir Pnueli (1977, 1996 Turing Award) proposed the use of a particular ML (temporal logic) for formalising concurrent software behaviour

Modal logics – a motivation C. I. Lewis (and others) had problems with the material conditional A B A  B T F

Modal logics – a motivation C. I. Lewis (and others) had problems with the material conditional Transitivity {A  B, B  C} ⊢ A  C A B A  B T F

Modal logics – a motivation C. I. Lewis (and others) had problems with the material conditional Transitivity {A  B, B  C} ⊢ A  C Distinguish between material implication and necessary implication? A B A  B T F If James Bond was Russian, he would spy for Russia 👍 If James Bond spies for Russia, he would be a traitor to the Crown 👍 If James Bond was Russian, he would be a traitor to the Crown 🤔

Modal logics – a motivation C. I. Lewis (and others) had problems with the material conditional Monotonicity (Left-strengthening) A  C ⊢ (A  B)  C A B A  B T F

Modal logics – a motivation C. I. Lewis (and others) had problems with the material conditional Monotonicity (Left-strengthening) A  C ⊢ (A  B)  C If I put Ketchup in my Bratwurst, it tastes great 👍 If I put Ketchup and curry in my Bratwurst, it tastes great 💩 (*) (*) Yeah, I hate Currywurst! A B A  B T F Talk also about negation of implication (courtroom example)

Modal logics – a motivation Dorothy Edgington (*1941) famously “proved” God’s existence If God does not exist, then it is not the case that when I pray, the prayer is answered ¬G  ¬(P  A) Ok, so I don’t pray ¬P But! {¬G  ¬(P  A), ¬P} ⊢ G If I don’t pray, God exists! 😱

A question of necessity Essentially, there is a deep difference between an absolute necessity (material implication), a contingent necessity, and a possibility “All men are mortal. Socrates is a man. Socrates is mortal” (absolute) “Nothing can travel faster than the speed of light” (contingent on the laws of nature) “If it rains, I get wet” (possibility)

Modal logic syntax ML is an extension of PL with an additional modal possibility operator noted ◊ Assume again a set of propositions P (i.e., a signature) Formulae are built inductively: ML ::= p |  | (ML  ML) | ◊ ML Dual operator necessity: □φ = ◊φ Formulas, e.g., (□□p  ◊□p) Which formulas are “valid”? (□p  ◊p) (□p  p) (p  □p) …

Kripke Models A Kripke model is a tupel M=(U,R,I,w), where U is a non-empty set, the universe of „possible worlds“, R  UU is the accessibility relation, where world v is accessible from world u whenever uRv holds, I: is the interpretation function mapping each proposition pP to the set of worlds where it is true, and wU is the initial (or current) world. Some authors call M=(U,R,I) a Kripke structure, and note the current world separately (i.e., M,w⊨ ). The graph described by (U,R) is sometimes called the frame of the Kripke model, or a Kripke frame.

Modal logic – Kripke models Example M=(U,R,I,s0), where U ={s0,s1,s2,s3} R={(s0,s1), (s1,s2), (s1,s3), (s2,s3), (s3,s2), (s3,s3)} I(p) ={s0,s1} I(q) ={s0,s1,s3} I(r) ={s0,s2,s3}

Modal logic – Satisfiability Recall W is a set of worlds. A formula may be true in some world in a frame, but false in another world. The satisfiability definition must take into account Let M=(U,R,I,s0) M ⊨ p if s0 I(p) M ⊭  M ⊨ () if M ⊨  implies M ⊨  M ⊨ ◊  if there exists an s1U such that (U,R,I,s1) ⊨  (U,R,I) ⊨  if for every sU we have (U,R,I,s) ⊨  (U,R) ⊨  if for every interpretation I we have (U,R,I) ⊨  Some examples…