1. SS 2018 Software Verification FOL to ML
Prof. Dr. Holger Schlingloff 1,2
Dr. Esteban Pavese 1
(1) Institut für Informatik der Humboldt Universität
(2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

2. Quick recap Complexity of PL satisfiability?
Complexity of PL validity?
Is the PL calculus correct and complete?
What is a derivation in PL?
Translation from sequential circuits into PL?
What is a resolution proof in PL?
Syntax of FOL?
FOL vs. PL – commonalities and differences?
Semantics of FOL?

3. Recap: FOL Syntax New syntactic elements as compared to PL
R is a set of relation symbols, where each pR has an arity nN0
V is a denumerable set of first-order (or individual) variables
Usually, V={x, y, z, x1, x2, …} (if not stated otherwise)
An atomic formula is p(x1,…,xn), where pR is n-ary and (x1,…,xn)Vn.
O-ary (constant) relations are called propositions, unary relations are called predicates
Syntax of (pure) first-order logic FOL ::= R (Vn) |  | (FOL  FOL) | V FOL
Remark: There is no law which prohibits “empty” quantifiers, e.g., x p(y,z)
Remark: if all predicates are propositions, then FOL = PL (only empty quantifiers occur, e.g., x (p()  (q()  y p()))

4. FOL: Models Here, we give the semantics for pure FOL First-Order Model
Let a universe U be some nonempty set
Interpretation I: assignment R ↦ Un
in particular, I(r)  U U for binary rR
I(p)  U for unary pR
for 0-ary p ?
Valuation V: assignment V ↦ U
Model M: (U,I,V)
Example: R ={even, <, =}; U ={1,2,3}
I1(even)={2}, I1(<)={(1,2),(1,3),(2,3)}, I1(=)={(1,1),(2,2),(3,3)}.
I2(even)={1,2,3}, I2(<)={(1,2),(2,3),(3,1)}, I2(=)={(1,1),(2,2),(3,3),(1,2)}.
V(x)=1, V(y)=2

5. FOL: Semantics
Given a model M: (U,I,V), the value xM of variable xV is xM=V(x)
Likewise, the validation relation ⊨ between model M and formula 
M ⊨ p(x1,…,xn) if (x1M,…, xnM)I(p)
M ⊭ ; M ⊨ () if M ⊨  implies M ⊨ 
M ⊨x if M‘ ⊨ for some M‘ which differs at most in V(x) from M
Validity and satisfiability is defined as in the propositional case
Some examples, e.g., M1 ?⊨ y (even(x)  x<y) M2 ?⊨ y (even(x)  x<y)

6. More Examples ⊨ x  x  ⊨ x   x   x (  )
⊨ x y   y x 
⊨ x   [x:=t] where t is any first-order variable in the signature and [x:=t] denotes the formula  where each occurrence of x is replaced by t.
If ⊨ , then ⊨ x 

7. Extending FOL with Types and Functions
As „syntactic sugar“, we introduce types and functions.
Let again V be a (denumerable) set of (first-order) variables, where each variable has a type DD (written as x:D) (for any type, there is an unlimited supply of variables of that type)
The notions Term and Atomic Formula AtF are defined recursively:
each variable of type D is a term of type D
if f is an n-ary function symbol of type (D1,…Dn,Dn+1) and t1, …, tn are terms of type D1, …, Dn, then f(t1,…,tn) is a term of type Dn+1
if p is an n-ary relation symbol of type (D1,…Dn) and t1, …, tn are terms of type D1, …, Dn, then p(t1,…,tn) is an atomic formula
Syntax of first-order logic with types and functions
FOL ::= AtF |  | (FOL  FOL) | V:D FOL

8. Extended FOL: Models Now, we extend the semantics
First-order model with types
Let a universe U be some nonempty set, and let DU  U for every DD be the domain of D
Interpretation I: assignment F ↦ Un R ↦ Un
Valuation V: assignment V ↦ U interpretations and valuations must respect typing
Model M: (U,I,V)

9. Extended FOL: Semantics
Given a model M: (U,I,V), the value tM of term t (of type D) can be defined inductively
if t=xV, then tM=V(x)
if t=f(t1,…,tn) , then tM=I(f)(t1M,…,tnM)
Likewise, the validation relation ⊨ between model M and formula 
M ⊨ p(t1,…,tn) if (t1M,…,tnM)I(p)
M ⊭ ; M ⊨ () if M ⊨  implies M ⊨ 
M ⊨x if M‘ ⊨ for some M‘ which differs at most in V(x) from M
Some examples

10. FOL: Calculus A sound and complete axiom system for FOL:
all substitution instances of axioms of PL
modus ponens: , () ⊢ 
⊢((x:=t)x) instantiation
() ⊢(x) if x doesn‘t occur in  particularization
Relaxation: particularization may be applied if there is no free occurrence of x in ; i.e., x may occur in  inside the scope of a quantification

11. FOL: Completeness
As in the propositional case, correctness is easy (⊢  ⊨, “every derivable formula is valid”)
Completeness (⊨  ⊢, “every valid formula is derivable”) follows with a similar proof as previously: given a consistent formula, construct a model satisfying it ~⊢¬  ~⊨¬
Extension lemma: If Φ is a finite consistent set of formulæ and  is any formula, then Φ{} or Φ{¬} is consistent
Needs additionally: If Φ is any consistent set of formulæ and x is a formula in Φ, then Φ{(t)} is consistent for any term t
From this, a canonical model can be constructed as before

12. FOL: Expressiveness Consider the formula
xyz ((p(x, y) ∧ p(y, z)) → p(x, z))
∧ x ¬p(x, x) ∧ x y p(x, y)
This formula is satisfiable only in infinite models
FOL cannot express equality x=y p (p(x)  p(y)) (Leibnitz’ extensionality)
Usually: take “=“ as a new, special predicate with fixed interpretation (FOL=)

13. Modal logics – a motivation
Introduced by C. I. Lewis ( ) in 1910
Critique on the concept of variables in formalizations of language
Actually Aristotle had already discussed about syllogistic logic being too absolute; he wondered about the consequences of potentiallity and time
Main drive behind MLs in the 1960s
Influencial people: Saul Kripke (1940-), Jaako Hintikka ( )
Arthus Prior (1957): Interpretation of modal as temporal operators
Amir Pnueli (1977, 1996 Turing Award) proposed the use of a particular ML (temporal logic) for formalising concurrent software behaviour

14. Modal logics – a motivation
C. I. Lewis (and others) had problems with the material conditional A B
A  B T F

15. Modal logics – a motivation
C. I. Lewis (and others) had problems with the material conditional
Transitivity
{A  B, B  C} ⊢ A  C A B
A  B T F

16. Modal logics – a motivation
C. I. Lewis (and others) had problems with the material conditional
Transitivity
{A  B, B  C} ⊢ A  C
Distinguish between material implication and necessary implication? A B
A  B T F
If James Bond was Russian, he would spy for Russia 👍
If James Bond spies for Russia, he would be a traitor to the Crown 👍
If James Bond was Russian, he would be a traitor to the Crown 🤔

17. Modal logics – a motivation
C. I. Lewis (and others) had problems with the material conditional
Monotonicity (Left-strengthening)
A  C ⊢ (A  B)  C A B
A  B T F

18. Modal logics – a motivation
C. I. Lewis (and others) had problems with the material conditional
Monotonicity (Left-strengthening)
A  C ⊢ (A  B)  C
If I put Ketchup in my Bratwurst, it tastes great 👍
If I put Ketchup and curry in my Bratwurst, it tastes great 💩 (*)
(*) Yeah, I hate Currywurst! A B
A  B T F
Talk also about negation of implication (courtroom example)

19. Modal logics – a motivation
Dorothy Edgington (*1941) famously “proved” God’s existence If God does not exist, then it is not the case that when I pray, the prayer is answered ¬G  ¬(P  A)
Ok, so I don’t pray ¬P
But!
{¬G  ¬(P  A), ¬P} ⊢ G
If I don’t pray, God exists! 😱

20. A question of necessity
Essentially, there is a deep difference between an absolute necessity (material implication), a contingent necessity, and a possibility
“All men are mortal. Socrates is a man. Socrates is mortal” (absolute)
“Nothing can travel faster than the speed of light” (contingent on the laws of nature)
“If it rains, I get wet” (possibility)

21. Modal logic syntax
ML is an extension of PL with an additional modal possibility operator noted ◊
Assume again a set of propositions P (i.e., a signature)
Formulae are built inductively:
ML ::= p |  | (ML  ML) | ◊ ML
Dual operator necessity: □φ = ◊φ
Formulas, e.g., (□□p  ◊□p)
Which formulas are “valid”?
(□p  ◊p)
(□p  p)
(p  □p) …

22. Kripke Models A Kripke model is a tupel M=(U,R,I,w), where
U is a non-empty set, the universe of „possible worlds“,
R  UU is the accessibility relation, where world v is accessible from world u whenever uRv holds,
I: is the interpretation function mapping each proposition pP to the set of worlds where it is true, and
wU is the initial (or current) world.
Some authors call M=(U,R,I) a Kripke structure, and note the current world separately (i.e., M,w⊨ ).
The graph described by (U,R) is sometimes called the frame of the Kripke model, or a Kripke frame.

23. Modal logic – Kripke models
Example
M=(U,R,I,s0), where
U ={s0,s1,s2,s3}
R={(s0,s1), (s1,s2), (s1,s3), (s2,s3), (s3,s2), (s3,s3)}
I(p) ={s0,s1}
I(q) ={s0,s1,s3}
I(r) ={s0,s2,s3}

24. Modal logic – Satisfiability
Recall W is a set of worlds. A formula may be true in some world in a frame, but false in another world. The satisfiability definition must take into account
Let M=(U,R,I,s0)
M ⊨ p if s0 I(p)
M ⊭ 
M ⊨ () if M ⊨  implies M ⊨ 
M ⊨ ◊  if there exists an s1U such that (U,R,I,s1) ⊨ 
(U,R,I) ⊨  if for every sU we have (U,R,I,s) ⊨ 
(U,R) ⊨  if for every interpretation I we have (U,R,I) ⊨ 
Some examples…