1. 1 Theorem proving Alexander Serebrenik

2. 2 TP for FM FM: proving properties of programs. Theorem proving: proving statements in first-order logics (FOL). Hence: Translator Theorem prover programs and properties statements in FOL proof found no proof found

3. 3 Today and Next Week Translator Theorem prover programs and properties statements in FOL proof found no proof found in two weeks

4. 4 Propositional Calculus – Reminder Predicates: p, q, r, … Connectors: –  (“and”), –  (“or”), –  (“not”), –  (“implies”) E.g. (p  q)  r

5. 5 First Order Logics – reminder Constants: ‘John Doe’, 1984, 3.14159… Variables: x, y, z, … Function symbols: f, g, h, … Predicates: p, q, r, … Term: h(x), fatherOf(‘John Doe’) Atomic sentence: married(fatherOf(‘John Doe’), ‘Jane Smith’)

6. 6 Connectors and Quantifiers Connectors: , , ,  married(x, ‘Jane’)  rich(x) Quantifiers: ,   x (married(x, ‘Jane’)  rich(x)) QQ: “Everybody needs somebody” A.  x  y needs(x,y) C.  x  y needs(x,y) B.  x  y needs(x,y) D.  x  y needs(x,y)

7. 7 Variables: Free and Bound Intuition: variables that appear between () after ,  are called bound, otherwise they are called free. QQ: Which variables are free in the following sentence?  x ((p(x,y)  q(x))   z (r(v,z)  s(z)))

8. 8 Questions so far? If these notions are not familiar… If you are not sure which variables are free in  x (p(x,y)   z q(z,x))… If you do not remember whether  (p(x)  q(y)) is equivalent to  p(x)   q(y) Check logics textbooks!

9. 9 Some Sentences Are Always True If x and y are negative then x*y is positive. Any prime number greater than two is odd. We call this tautology and denote╞ φ –φ - sentence

10. 10 ╞ φ ?╞ φ ?╞ φ ?╞ φ ? Check whether for all variable substitutions φ is evaluated to true.

11. 11 Alternative We need a proof calculus –number of syntactic inference rules φ –when applied to axioms can produce φ Even better: reduce φ to axioms by applying the rules!Even better: reduce φ to axioms by applying the rules! QQ: Why is the second option better?QQ: Why is the second option better?

12. 12 Proofs If φ can be reduced to axioms by applying the rules we write ├ φ Proof = series of reduction steps φ is provable

13. 13 Correctness Properties for ├ Proof calculus should satisfy: ╞ φSoundness: If├ φ then ╞ φ –if something has been proved, it holds. ╞ φ thenCompleteness: If ╞ φ then ├ φ –if something holds, it can be proven.

14. 14 System G a proof calculus for propositional calculus / first- order logics sound and complete basis for automated theorem provers We will see the axioms and the inference rules apply them to a number of examples discuss automation of the approach

15. 15 Γ  ΔΓ  ΔΓ  ΔΓ  Δ antecedentssuccedents System G is Based on: Gentzen Sequent finite sequences of logic sentences

16. 16 Intuition Let Γ be  A 1, …, A n , Δ be  B 1, …, B m  Γ  Δ corresponds to ╞ ((A 1  …  A n )  (B 1  …  B m ))

17. 17 System G: Axioms Γ  Δ is an axiom if Γ  Δ ≠  QQ: Explain the choice of the axioms. Hint:Hint: recall the intuition behind Γ  Δ

18. 18 System G: Inference Rules Depend on the outermost connector of quantifier. Conjunction (1): A, B are arbitrary sentences Γ, Δ, Λ are sequences of sentences Read upwards: –replace an antecedent A  B by two antecedents A and B

19. 19 System G: Try It Yourself! QQ: Prove (A  B  A) Proof:

20. 20 System G:  :right What if we need to prove A  B? We need to prove two statements: A and B  Replace one sequent by two:

21. 21 System G: Try It Yourself! QQ: Prove (A,B  A  B) Proof:

22. 22  -symmetry (1) If we need to prove A  B, we need to prove at least one of A or B

23. 23  -symmetry (2) If we know A  B, we either know A or we know B.

24. 24 Negation

25. 25 Implication: Try Yourself! Reminder: A  B is equivalent to  A  B. Group B Group A

26. 26 Implication: Group A Hence

27. 27 Implication: Group B Hence

28. 28 … But How Can We Prove φ? Start with  φ

29. 29 Example Prove  A  A:

30. 30 Summary So Far System G: –based on the notion of a Gentzen sequent –sequent: Γ  Δ Axioms: Γ  Δ is an axiom if Γ  Δ ≠  For propositional calculus: 8 inference rules ({ , , ,  } * {left, right}) For First-Order Logics: 4 more to come.

31. 31 G for Propositional Calculus Sound and complete for propositional calculus. There exists an algorithm that given a sequent: –always terminates –proves the sequent if and only if it is a tautology –based on the notion of a proof tree, i.e., a tree with nodes labelled by sequents

32. 32 Algorithm (1) algo search(Γ  Δ) T := one-node tree labeled with Γ  Δ while exists a leaf of T that can be expanded CopyT := T for each leaf node of CopyT if the node is not an axiom expand(node, T) if all leaves are axioms write(‘T is the proof of Γ  Δ’) else write(‘Γ  Δ is not a tautology’)

33. 33 Algorithm (2) algo expand(node,T) let node be labeled  A 1, …,A n    B 1, …,B m  S := one-node tree labeled with  A 1, …,A n    B 1, …,B m  for i=1 to n if nonatomic(A i ) then apply2all(A i, left, S) for i=1 to m if nonatomic(A i ) then apply2all(A i, right, S) replace node in T by S

34. 34 Algorithm: Let Us Try It! Tree T Tree S

35. 35 Algorithm: Let Us Try It! Tree T Tree S

36. 36 Algorithm: Let Us Try It! Tree T Both leaves are axioms! Hence, T is the proof of

37. 37 Algorithm: QQ To prove that our algorithm terminates we have to find a certain value that decreases from a parent node to each one of the children nodes. What is this value?

38. 38 Towards FOL:  :left  –if we know that  x A(x) holds, then we can chose any term t (not containing x) and replace x by t. –A[t/x] denotes replacement of all x’s in A by t QQ: Why do we keep  x A?

39. 39 Towards FOL:  :right  –if we need to prove that  x A holds, we can take any term t (not containing x) and replace  x A by A[t/x]. –if the proof of A[t/x] succeeds, then we have also proved  x A –t is not necessarily unique, so we keep  x A

40. 40 But what if we know  x A? We still do not know for which x does A hold! How can we guess? We do not need to guess! A new (unused) variable: let y be such that A[y/x] holds!

41. 41  x A? And If We Need to Prove  x A? The same idea works! If A holds for a new unused variable y, then it holds for any value

42. 42 QQ: Why Should y Be New? Otherwise, we loose soundness! Give an example.

43. 43 Summary: System G for Quantifiers

44. 44 QQ Group A: Prove  x A  A if A does not contain x. Group B: Prove A   x A if A does not contain x.

45. 45 System G for FOL Sound and complete There exists an algorithm that given a sequent: –proves the sequent if and only if it is a tautology –extends our previous algorithm However, termination is no longer guaranteed

46. 46 Hence Algorithm Terminates, the statement is not a tautology Terminates, the proof has been found. Does not terminate

47. 47 Even more bad news There exists no algorithm for FOL that –always terminates, and –proves the sequent if and only if it is a tautology. In other words, the problem of deciding whether an FOL formula is a tautology is recursively enumerable, but not co- recursively enumerable.

48. 48 Reasons for Non-Termination (1) Repetitive application of (  :left), (  :right). –it is useless to chose the same t twice for the same A. –for each term t keep a list of  xA and  xA such that t has been used for the replacement in (  :left) or (  :right).

49. 49 Reasons for Non-Termination (2) As we have function symbols we have infinitely many terms to choose from: {a, f(a), f(f(a)), f(f(f(a))), …} –either try all of them in some order –or leave the choice to a human

50. 50 How Shall We Adapt the Algorithm? (1) List of variables {x 0, x 1, …, x n } appearing in Γ  Δ List of variables for (  :right) and (  :left): {y 1, y 2, …} –disjoint from {x 0, x 1, …, x n } –a variable is removed from the list every time these rules are applied

51. 51 How Shall We Adapt the Algorithm? (2) Structure TERM of pairs –S = a list of  xA and  xA such that t has been used for the replacement in (  :left) or (  :right). –initially:, where c is a constant or a free variable appearing in Γ  Δ, if exists y 0, otherwise List AVAIL of terms for (  :left) and (  :right): –AVAIL 0 - terms from free variables, constants (if exist) or y 0 (otherwise), and function symbols –AVAIL i - terms containing y i constructed from free variables, constants, y 1, …, y i, and function symbols

52. 52 How Shall We Adapt the Algorithm? (3) (  :right) and (  :left): –Remove y i from {y 1, y 2, …} –Add y i to TERM –Remove y i from AVAIL i (  :left) and (  :right): –All terms from TERM are available –Add first element from AVAIL i to TERM and remove it from AVAIL i

53. 53 Complete Algorithm? See handouts

54. 54 We Have FOL, But We Need More We would like to compare terms, using = Sound and complete System G = for any f for any P

55. 55 System G = : QQ axiom

56. 56 P Can Be =!

57. 57 Example: Symmetry of = T:T:

58. 58 Automation For propositional calculus – complete –the user can make reasoning more efficient choice of  A 1, …, A n    B 1, …, B m  to apply an inference rule. For FOL and FOL = –only partial automation possible: choice of a term for the substitution. choice of  A 1, …, A n    B 1, …, B m  to apply an inference rule.

59. 59 Summary (1) Proving properties of programs is based on proving logic formulae. To prove a formula one needs proof calculus. Proof calculus should be sound and complete. System G is based on the notion of a sequent.

60. 60 Summary (2) Sequent Γ  Δ –Γ, Δ are finite sequences of sentences System G  for propositional calculus is sound and complete. –there is a proof algorithm that always terminates. System G for FOL is sound and complete. –proof algorithm can go forever. System G = for FOL = is sound and complete. –proof algorithm can go forever.

61. 61 Next Lecture: PVS Prototype Verification System –Developed at SRI International –Open Source (GPL) since 1993 –Runs on Linux/Solaris/Mac –Uses Emacs as Interface –Supports System G reasoning… –and much, much more! We will use it, so install it at your laptops!