Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson

2 Propositional Calculus  Objective: To provide students with the concepts and techniques from propositional calculus so that they can use it to codify logical statements and to reason about these statements. To illustrate how a computer can be used to carry out formal proofs and to provide a framework for logical deduction.

Propositional Calculus  Topics  Motivation  Boolean functions and expressions  Rules of Boolean Algebra  Tautologies and automatic verification of tautologies  Satisfiability  Propositional calculus in ACL2

Word Problem  Tom likes Jane if and only if Jane likes Tom. Jane likes Bill. Therefore, Tom does not like Jane.  Let p denote “Tom likes Jane”  Let q denote “Jane likes Tom”  Let r denote “Jane likes Bill”  ((p  q)  r)   p encodes the above claim  The claim is not valid as the assignment p = true, q = true, and r = true evaluates to false

5 Programming Example  Boolean expressions arise in conditional statements. It is possible to abstract the relations with boolean variables (propositions that are either true or false). Using this abstraction one can reason and simplify conditional statements.  if ((a = b) && (c == d)) then { … } else { … }  Let p denote the relation (a<b) and q denote the relation (c == d). The above expression is then equal to p || !p && q

6 Programming Example (cont)  The previous expression is equivalent (two expressions are equivalent if they are true for the same values of the variables occurring in the expressions) to a simpler expression  (p || !p && q)  p || q  We can see this since if p is true both expressions are true, and if p is false, then !p is true and (!p && q) is true exactly when q is true.

7 Limitations of Propositional Calculus  Propositions hide the information in the predicates they abstract.  Sometimes properties of the hidden information is required to make further deductions.  E.G. for integers a,b, and c, (a < b) && (b < c) implies that a < c; however, this can not be deduced without using the order properties of the integers.  The predicate calculus allows the use of predicates to encode this additional information.  E.G. we can introduce a parameterized predicate lt(a,b) to encode the predicate a < b. Properties such as lt(a,b) && lt(b,c)  lt(a,c) can be asserted. This type of notation and deduction is called predicate calculus and will be discussed later.

8 Boolean Functions  A Boolean variable has two possible values (true/false) (1/0).  A Boolean function has a number of Boolean input variables and has a Boolean valued output.  A Boolean function can be described using a truth table.  There are 2 2 n Boolean function of n variables. s x 0 x 1 f f x0x0 x1x1 s Multiplexor function

9 Boolean Expressions  BExpr :=  Constant: T|F [t | nil]  Variable [symbol]  Negation:  BExpr [(not BExpr)]  And: BExpr  BExpr [(and BExpr BExpr)  Or: BExpr  BExpr [(or BExpr BExpr)]

10 Predicate for Boolean Expressions (defunc booleanexprp (expr) :input-contract t :output-contract (booleanp (booleanexprp expr)) (cond ( (is-constant expr) t ) ( (is-variable expr) t ) ( (is-not expr) (booleanexprp (op1 expr)) ) ( (is-or expr) (and (booleanexprp (op1 expr)) (booleanexprp (op2 expr))) ) ( (is-and expr) (and (booleanexprp (op1 expr)) (booleanexprp (op2 expr))) ) ( t nil) ) )

Expression Trees Boolean expressions can be represented by a binary tree Internal nodes are operators Leaf nodes are operands Consider p  (1   q): (and p (or t (not q))  p  1  q

12 Semantics of Boolean Expressions  An expression built up from variables, and, or, and not. x y x  y x y x  y x  x and or not

Evaluation (defun bool-eval (expr env) (cond ( (is-constant expr) expr ) ( (is-variable expr) (lookup expr env) ) ( (is-not expr) (not (bool-eval (op expr) env)) ) ( (is-or expr) (or (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ( (is-and expr) (and (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ))

Evaluation with Contracts (defunc bool-eval (expr env) :input-contract (and (booleanexprp expr) (environmentp env) (all-variables-defined expr env)) :output-contract (booleanp (bool-eval expr env)) (cond ( (is-constant expr) expr ) ( (is-variable expr) (lookup expr env) ) ( (is-not expr) (not (bool-eval (op1 expr) env)) ) ( (is-or expr) (or (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ( (is-and expr) (and (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ) )

Short Circuit Evaluation (defun sc-eval (expr env) (cond ( (is-constant expr) expr ) ( (is-variable expr) (lookup expr env) ) ( (is-not expr) (not (sc-eval (op expr) env)) ) ( (is-or expr) (if (sc-eval (op1 expr) env) t (sc-eval (op2 expr) env) ) ) ( (is-and expr) (if (sc-eval (op1 expr) env) (sc-eval (op2 expr) env) nil ) ) ))

If-then-else  The ternary boolean function ite(p,q,r) can be used to represent , , and    p  ite(p,0,1)  p  q  ite(p,1,q)  p  q  ite(p,q,0) p q r ite(p,q,r)

Conversion to ite Expression  Any Boolean expression can be converted to an equivalent expression using ite  (bool-eval expr env)  (ite-eval (bool2ite expr) env)  p  1  q ite p 1 q

bool2ite (defun bool2ite (expr) (cond ( (is-constant expr) expr ) ( (is-variable expr) expr ) ( (is-not expr) (list 'ite (bool2ite (op1 expr)) nil t) ) ( (is-or expr) (list 'ite (bool2ite (op1 expr)) t (bool2ite (op2 expr))) ) ( (is-and expr) (list 'ite (bool2ite (op1 expr)) (bool2ite (op2 expr)) nil) ) )

Ite-eval (defun ite-eval (expr env) (cond ( (is-constant expr) expr ) ( (is-variable expr) (lookup expr env) ) ( (is-ite expr) (if (ite-eval (op1 expr) env) (ite-eval (op2 expr) env) (ite-eval (op3 expr) env)) ) )

Equivalence of Conversion  Want to prove that (bool-eval expr env) = (ite-eval (bool2ite expr) env)  Lemma ite 1.  p  ite(p,0,1) 2.p  q  ite(p,1,q) 3.p  q  ite(p,q,0) p q ite(p,0,1)  p ite(p,1,q) p  q ite(p,q,0) p  q

Equivalence of Conversion  (bool-eval expr env) = (ite-eval (bool2ite expr) env)  Proof by induction on expr using Lemma ite  [Base case] constant or variable. In this case (bool2ite expr) = expr and bool-eval and ite- eval return the same thing

Equivalence of Conversion  [Not] Assume (bool-eval expr1 env) = (ite-eval (bool2ite expr1))  (ite-eval (bool2ite ‘(not expr1)) env)  (ite-eval ‘(ite (bool2ite expr1) nil t) env) [by def of bool2ite]  (not (ite-eval (bool2ite expr1) env)) [by Lemma ite part 1]  (not (bool-eval expr1 env)) [by IH]  (bool-eval ‘(not expr1) env) [by def of bool-eval]

Equivalence of Conversion  [Or] Assume (bool-eval expr1 env) = (ite-eval (bool2ite expr1)) and (bool-eval expr2 env) = (ite- eval (bool2ite expr2))  (ite-eval (bool2ite ‘(or expr1 expr2)) env)  (ite-eval ‘(ite (bool2ite expr1) t (bool2ite expr2)) env) [by def of bool2ite]  (or (ite-eval (bool2ite expr1) env) (ite-eval (bool2ite expr2) env)) [by Lemma ite part 2]  (or (bool-eval expr1 env) (bool-eval expr2 env)) [by IH]  (bool-eval ‘(or expr1 expr2) env) [by def of bool-eval]

Equivalence of Conversion  [And] Assume (bool-eval expr1 env) = (ite-eval (bool2ite expr1)) and (bool-eval expr2 env) = (ite- eval (bool2ite expr2))  (ite-eval (bool2ite ‘(and expr1 expr2)) env)  (ite-eval ‘(ite (bool2ite expr1) (bool2ite expr2) nil) env) [by def of bool2ite]  (and (ite-eval (bool2ite expr1) env) (ite-eval (bool2ite expr2) env)) [by Lemma ite part 3]  (and (bool-eval expr1 env) (bool-eval expr2 env)) [by IH]  (bool-eval ‘(and expr1 expr2) env) [by def of bool- eval]

Exercise  Implement a recursive function to convert ite expressions to boolean expressions  (ite2bool iexpr)  Use and define the following helper functions  (is-ite expr)  Check for ‘(ite … )  (is-itenot iexpr)  Check for ‘(ite iexpr nil t)  (is-iteor iexpr)  Check for ‘(ite iexpr t iexpr)  (is-iteand iexpr)  Check for ‘(ite iexpr iexpr nil)

Solution (defun is-itenot (iexpr) (and (equal (op2 iexpr) nil) (equal (op3 iexpr) t))) (defun is-iteor (iexpr) (equal (op2 iexpr) t)) (defun is-iteand (iexpr) (equal (op3 iexpr) nil))

Solution (defun ite2bool (iexpr) (cond ( (is-constant iexpr) iexpr ) ( (is-variable iexpr) iexpr ) ( (is-ite iexpr) (cond ( (is-itenot iexpr) (list 'not (ite2bool (op1 iexpr))) ) ( (is-iteor iexpr) (list 'or (ite2bool (op1 iexpr)) (ite2bool (op3 iexpr))) ) ( (is-iteand iexpr) (list 'and (ite2bool (op1 iexpr)) (ite2bool (op2 iexpr))) ) ))))

Solution Remark  Note that there is one overlap in  Not (ite p nil t)  Or (ite p t q)  And (ite p q nil)  (ite p t nil) = (and p t) = (or p nil) = p  This implies (ite2bool (bool2ite ‘(and p t)) = (or p t) not equal to the initial expression  However, (ite2bool (bool2ite expr))  expr, i.e. (booleval expr) = (ite2bool (bool2ite expr))

Correctness of ite2bool  Use induction to prove  (equiv (ite2bool (bool2ite expr)) expr)  Base case: expr is a constant or variable  (not expr)  (or expr1 expr2)  (and expr1 expr2)

Solution  Show (equiv (ite2bool (bool2ite expr)) expr)  Base case: if expr is a constant or variable then (ite2bool (bool2ite expr)) = (ite2bool expr) = expr [by def]  [Not] Assume (equiv (ite2bool (bool2ite expr)) expr)  (ite2bool (bool2ite (not expr)))  (ite2bool (list ‘ite (bool2ite expr) nil t))) [by def b2ite]  (not (ite2bool (bool2ite expr))) [by def ite2bool and Lemma ite ]  (not expr) [by IH]

Solution  [Or] Assume (equiv (ite2bool (bool2ite expr1)) expr1) and (equiv (ite2bool (bool2ite expr2) expr2)  (ite2bool (bool2ite (or expr1 expr2)))  (ite2bool (list ‘ite (bool2ite expr1) t (bool2ite expr2))) [by def of bool2ite]  (or (ite2bool (bool2ite expr1)) (ite2bool (bool2ite expr2))) [by def of ite2bool and Lemma ite]  (or expr1 expr2) [by IH]

Solution  [And] Assume (equiv (ite2bool (bool2ite expr1)) expr1) and (equiv (ite2bool (bool2ite expr2) expr2)  (ite2bool (bool2ite (and expr1 expr2)))  (ite2bool (list ‘ite (bool2ite expr1) (bool2ite expr2) nil)) [by def of bool2ite]  (and (ite2bool (bool2ite expr1)) (ite2bool (bool2ite expr2))) [by def of ite2bool and Lemma ite]  (and expr1 expr2) [by IH]

Boolean Algebra  The Boolean operators  and  are analogous to addition and multiplication with true and false playing the roles of 1 and 0. Complement is used for negation.  This provides a compact notation and suggests appropriate algebraic simplification  Similar properties hold such as the associative, commutative, and distributive identities.

34 Boolean Expressions  A Boolean expression is a Boolean function  Any Boolean function can be written as a Boolean expression  Disjunctive normal form (sums of products)  For each row in the truth table where the output is true, write a product such that the corresponding input is the only input combination that is true  Not unique  E.G. (multiplexor function) s x 0 x 1 f

Nand is functionally complete  All boolean functions can be implemented using nand gates (and, or and not can be implemented using nand)  not:  and:  or: x y x | y

Boolean Algebra

37 Simplification of Boolean Expressions  Simplifying multiplexor expression using Boolean algebra  Equational reasoning: replace subexpressions by equivalent expressions  Verify that the boolean function corresponding to this expression as the same truth table as the original function.

Simplifying Expression Trees  Constant folding  p  1  q  p 1 p

Exercise  Implement and test (bool-simp expr)  (bool-simp expr) returns a simplified boolean expression using the following simplifications 1.evaluate all constant subexpressions 2.(not (not expr)) -> expr 3.(and t expr) -> expr 4.(and expr t) -> expr 5.(and nil expr) -> nil 6.(and expr nil) -> nil 7.(or t expr) -> t 8.(or expr t) -> t 9.(or nil expr) -> expr 10. (or expr nil) -> expr

Exercise  Simplification (2) is done through the helper routine not-simp. Simplifications (3)-(6) are done through the helper routine and-simp. Simplifications (7)-(10) are done through the helper routine or-simp.  bool-simp traverses the boolean expression and recursively simplifies all operands to not, or and and and calls the appropriate helper routineto perform operator specific simplifiations and constant evaluation.

Exercise  Prove the following lemmas 1. (bool-eval '(not expr) env) = (bool-eval (not- simp expr) env) 2.(bool-eval '(and expr1 expr2) env) = (bool-eval (and-simp expr1 expr2) env) 3.(bool-eval '(or expr1 expr2) env) = (bool-eval (or-simp expr1 expr2) env) 4.(bool-eval expr env) = (bool-eval (bool-simp expr) env)

Exercise  Prove using induction on expr that  (bool-eval expr env) = (bool-eval (bool-simp expr) env)  Prove by induction that (bool-simp expr)  Has no double negations  Is either a constant or an expression with no constants  Write an is-simplified function to test whether the output of (bool-simp expr) satisfies this property

43 Additional Notation  Several additional Boolean functions of two variables have special meaning and are given special notation. By our previous results we know that all boolean functions can be expressed with not, and, and or; so the additional notation is simply a convenience. x y x  y implication x y x  y equivalence x y x  y xor

44 Tautologies  A tautology is a boolean expression that is always true, independent of the values of the variables occurring in the expression. The properties of Boolean Algebra are examples of tautologies.  Tautologies can be verified using truth tables. The truth table below shows that x  y   x  y x y x  y  x  y

45 Exercise  Derive the tautology x  y   x  y from the sum of products expression obtained from the truth table for x  y. You will need to use properties of Boolean algebra to simplify the sum of products expression to obtain the desired equivalence.

46 Solution x y x  y

47 Tautology Checker  A program can be written to check to see if a Boolean expression is a tautology.  Simply generate all possible truth assignments for the variables occurring in the expression and evaluate the expression with its variables set to each of these assignments. If the evaluated expressions are always true, then the given Boolean expression is a tautology.  A similar program can be written to check if any two Boolean expressions E1 and E2 are equivalent, i.e. if E1  E2. Such a program has been provided.

Satisfiability  A formula is satisfiable if there is an assignment to the variables that make the formula true  A formula is unsatisfiable if all assignments to variables eval to false  A formula is falsifiable if there is an assignment to the variables that make the formula false  A formula is valid if all assignments to variables eval to true (a valid formula is a theorem or tautology)

Satisfiability  Checking to see if a formula f is satisfiable can be done by searching a truth table for a true entry  Exponential in the number of variables  Does not appear to be a polynomial time algorithm (satisfiability is NP-complete)  There are efficient satisfiability checkers that work well on many practical problems  Checking whether f is satisfiable can be done by checking if  f is a tautology  An assignment that evaluates to false provides a counter example to validity

Propositional Logic in ACL2  In beginner mode and above ACL2S B !>QUERY (thm (implies (and (booleanp p) (booleanp q)) (iff (implies p q) (or (not p) q)))) > Q.E.D. Summary Form: ( THM...) Rules: NIL Time: 0.00 seconds (prove: 0.00, print: 0.00, proof tree: 0.00, other: 0.00) Proof succeeded.

Propositional Logic in ACL2 ACL2 >QUERY (thm (implies (and (booleanp p) (booleanp q)) (iff (xor p q) (or p q)))) … **Summary of testing** We tested 500 examples across 1 subgoals, of which 1 (1 unique) satisfied the hypotheses, and found 1 counterexamples and 0 witnesses. We falsified the conjecture. Here are counterexamples: [found in : "Goal''"] (IMPLIES (AND (BOOLEANP P) (BOOLEANP Q) P) (NOT Q)) -- (P T) and (Q T)