15-819M: Data, Code, Decisions 02: Formal Modeling with Propositional Logic André Platzer [email protected] Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) 15-819M/02: Data, Code, Decisions 1 / 38 Outline 1 Formal Modeling 2 Propositional Logic Syntax Semantics Sequent Calculus DPLL Expressiveness 3 Temporal Logic André Platzer (CMU) 15-819M/02: Data, Code, Decisions 1 / 38 Outline 1 Formal Modeling 2 Propositional Logic Syntax Semantics Sequent Calculus DPLL Expressiveness 3 Temporal Logic André Platzer (CMU) 15-819M/02: Data, Code, Decisions 1 / 38 Formalisation Real Formalisation World André Platzer (CMU) Formal Model 15-819M/02: Data, Code, Decisions 2 / 38 Formalisation: Syntax, Semantics Formal ax t Syn Languages Real World Sem ant ics Formal Semantics André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Formalisation: Syntax, Semantics Formal ax t Syn Real Languages Interpretation World Sem ant ics Formal Semantics André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Formalisation: Syntax, Semantics Propositional ax t Syn Real Logic Interpretation World Sem ant ics Valuation André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Formalisation: Syntax, Semantics Promela + ax t Syn Real Temporal Logic Interpretation World Sem ant ics All Runs σ + Valuation in σ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Formalisation: Syntax, Semantics Temporal Logic tax Syn Real World André Platzer (CMU) tax Syn Semantics 15-819M/02: Data, Code, Decisions Promela All Runs σ = Transition System 2 / 38 Formalisation: Syntax, Semantics, Proving Temporal Logic tax Syn Real World tax Syn Semantics Promela All Runs σ = Transition System How to do proving? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Formal Verification: Model Checking TL Sy nt a x Promela x Real World André Platzer (CMU) ta n Sy Sem. Transition System 15-819M/02: Data, Code, Decisions 2 / 38 Formal Verification: Model Checking Translation TL of Negation Sy nt a x Promela Büchi Automaton x Real World André Platzer (CMU) ta n Sy Sem. Transition System 15-819M/02: Data, Code, Decisions 2 / 38 Formal Verification: Model Checking Translation TL of Negation Sy nt a x Promela Büchi Automaton x Real World ta n Sy Transition Semantics System Product accepts no run? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 2 / 38 Syntax, Semantics, Calculus Syntax Formula/Program Semantics “valid” x Calculus “Derivable” André Platzer (CMU) 15-819M/02: Data, Code, Decisions 3 / 38 Syntax, Semantics, Calculus Syntax Formula/Program Semantics “valid” x Soundness Calculus “Derivable” André Platzer (CMU) 15-819M/02: Data, Code, Decisions 3 / 38 Syntax, Semantics, Calculus Syntax Formula/Program Semantics “valid” x Completeness Soundness Calculus “Derivable” André Platzer (CMU) 15-819M/02: Data, Code, Decisions 3 / 38 Outline 1 Formal Modeling 2 Propositional Logic Syntax Semantics Sequent Calculus DPLL Expressiveness 3 Temporal Logic André Platzer (CMU) 15-819M/02: Data, Code, Decisions 3 / 38 Propositional Logic Propositional Formulas |= Mapping Var → {T , F } x ` Sequent Calculus SAT Solver André Platzer (CMU) 15-819M/02: Data, Code, Decisions 4 / 38 Propositional Logic: Syntax Propositional Formulas |= Mapping Var → {T , F } x ` Sequent Calculus SAT Solver André Platzer (CMU) 15-819M/02: Data, Code, Decisions 4 / 38 Syntax of Propositional Logic Definition (Signature) A set of Propositional Variables P André Platzer (CMU) (with typical elements p, q, r , . . .) 15-819M/02: Data, Code, Decisions 5 / 38 Syntax of Propositional Logic Definition (Signature) A set of Propositional Variables P (with typical elements p, q, r , . . .) Propositional Connectives true false & André Platzer (CMU) | ! −> <−> 15-819M/02: Data, Code, Decisions 5 / 38 Syntax of Propositional Logic Definition (Signature) A set of Propositional Variables P (with typical elements p, q, r , . . .) Propositional Connectives true false & | ! −> <−> Definition (Propositional Formulas For0 ) Truth constants true, false and variables P are formulas If φ and ψ are formulas then ! φ, (φ & ψ), (φ | ψ), (φ −> ψ), (φ <−> ψ) are also formulas There are no other formulas (inductive definition) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 5 / 38 Syntax of Propositional Logic Definition (Signature) A set of Propositional Variables P (with typical elements p, q, r , . . .) Propositional Connectives (KeY notation) true false & | ! −> <−> Definition (Propositional Formulas For0 ) Truth constants true, false and variables P are formulas If φ and ψ are formulas then ! φ, (φ & ψ), (φ | ψ), (φ −> ψ), (φ <−> ψ) are also formulas There are no other formulas (inductive definition) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 5 / 38 Remark on Concrete Syntax Negation Conjunction Disjunction Implication Equivalence André Platzer (CMU) Text book ¬ ∧ ∨ →, ⊃ ↔ KeY ! & | −> <−> Spin ! && || −> <−> 15-819M/02: Data, Code, Decisions 6 / 38 Remark on Concrete Syntax Negation Conjunction Disjunction Implication Equivalence Text book ¬ ∧ ∨ →, ⊃ ↔ KeY ! & | −> <−> Spin ! && || −> <−> Today, we use KeY notation. Be flexible during the course! André Platzer (CMU) 15-819M/02: Data, Code, Decisions 6 / 38 Propositional Logic: Semantics Propositional Formulas ` Mapping Var → {T , F } x |= Sequent Calculus SAT Solver André Platzer (CMU) 15-819M/02: Data, Code, Decisions 7 / 38 Propositional Logic: Semantics Propositional Formulas ` Mapping Var → {T , F } x |= Sequent Calculus SAT Solver André Platzer (CMU) 15-819M/02: Data, Code, Decisions 7 / 38 Semantics of Propositional Logic Definition (Interpretation I) Assigns a truth value to each propositional variable I : P → {T , F } André Platzer (CMU) 15-819M/02: Data, Code, Decisions 8 / 38 Semantics of Propositional Logic Definition (Interpretation I) Assigns a truth value to each propositional variable I : P → {T , F } Definition (Valuation function) valI : Continuation of I on For0 valI : For0 → {T , F } valI (pi ) = I(pi ) valI (true) = T valI (false) = F (cont’d next page) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 8 / 38 Semantics of Propositional Logic Definition (Valuation function . . . ) T if valI (φ) = F F otherwise T if valI (φ) = T and valI (ψ) = T valI (φ & ψ) = F otherwise T if valI (φ) = T or valI (ψ) = T valI (φ | ψ) = F otherwise T if valI (φ) = F or valI (ψ) = T valI (φ −> ψ) = F otherwise T if valI (φ) = valI (ψ) valI (φ <−> ψ) = F otherwise valI (! φ) = André Platzer (CMU) 15-819M/02: Data, Code, Decisions 9 / 38 Examples Example (Formula) p −> (q −> p) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 10 / 38 Examples Example (Formula) p −> (q −> p) Example (Interpretation) One of four different ones on P = {p, q} that are possible: I(p) = T I(q) = F André Platzer (CMU) 15-819M/02: Data, Code, Decisions 10 / 38 Examples Example (Formula) p −> (q −> p) Example (Interpretation) One of four different ones on P = {p, q} that are possible: I(p) = T I(q) = F Example valI ( q −> p ) André Platzer (CMU) = 15-819M/02: Data, Code, Decisions 10 / 38 Examples Example (Formula) p −> (q −> p) Example (Interpretation) One of four different ones on P = {p, q} that are possible: I(p) = T I(q) = F Example valI ( q −> p ) André Platzer (CMU) = T 15-819M/02: Data, Code, Decisions 10 / 38 Examples Example (Formula) p −> (q −> p) Example (Interpretation) One of four different ones on P = {p, q} that are possible: I(p) = T I(q) = F Example valI ( q −> p ) = T valI ( p −> (q −> p) ) André Platzer (CMU) = 15-819M/02: Data, Code, Decisions 10 / 38 Examples Example (Formula) p −> (q −> p) Example (Interpretation) One of four different ones on P = {p, q} that are possible: I(p) = T I(q) = F Example valI ( q −> p ) = T valI ( p −> (q −> p) ) André Platzer (CMU) = T 15-819M/02: Data, Code, Decisions 10 / 38 Semantic Notions of Propositional Logic Let φ ∈ For0 , Γ ⊂ For0 Definition (Validity and Consequence Relation, overloading |=) φ is valid in I (write: I |= φ) iff valI (φ) = T φ follows from Γ (write: Γ |= φ) iff for all interpretations I: If I |= ψ for all ψ ∈ Γ then also I |= φ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 11 / 38 Semantic Notions of Propositional Logic Let φ ∈ For0 , Γ ⊂ For0 Definition (Validity and Consequence Relation, overloading |=) φ is valid in I (write: I |= φ) iff valI (φ) = T φ follows from Γ (write: Γ |= φ) iff for all interpretations I: If I |= ψ for all ψ ∈ Γ then also I |= φ Definition (Satisfiability, Validity) A formula is satisfiable if it is valid in some interpretation. If φ is valid in every interpretation, i.e ∅ |= φ (short: |= φ) then φ is called logically valid. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 11 / 38 Examples Example (Formula) p −> (q −> p) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 12 / 38 Examples Example (Formula) p −> (q −> p) Is this formula valid? |= p −> (q −> p) ? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 12 / 38 Examples p & ((! p) | q) Satisfiable? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) Satisfiable? André Platzer (CMU) 4 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) Satisfiable? Satisfying Interpretation? André Platzer (CMU) 4 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) Satisfiable? Satisfying Interpretation? André Platzer (CMU) 4 I(p) = T , I(q) = T 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) 4 Satisfiable? Satisfying Interpretation? I(p) = T , I(q) = T Other Satisfying Interpretations? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) 4 Satisfiable? Satisfying Interpretation? I(p) = T , I(q) = T Other Satisfying Interpretations? 8 André Platzer (CMU) 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) 4 Satisfiable? Satisfying Interpretation? I(p) = T , I(q) = T Other Satisfying Interpretations? 8 Therefore, also not valid! André Platzer (CMU) 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) 4 Satisfiable? Satisfying Interpretation? I(p) = T , I(q) = T Other Satisfying Interpretations? 8 Therefore, also not valid! p & ((! p) | q) |= q | r Does it hold? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 13 / 38 Examples p & ((! p) | q) 4 Satisfiable? Satisfying Interpretation? I(p) = T , I(q) = T Other Satisfying Interpretations? 8 Therefore, also not valid! p & ((! p) | q) |= q | r Does it hold? Yes. André Platzer (CMU) Why? 15-819M/02: Data, Code, Decisions 13 / 38 Propositional Logic: Calculus Propositional Formulas ` Mapping Var → {T , F } x |= Sequent Calculus André Platzer (CMU) 15-819M/02: Data, Code, Decisions 14 / 38 Propositional Logic: Calculus Propositional Formulas ` Mapping Var → {T , F } x |= Sequent Calculus André Platzer (CMU) 15-819M/02: Data, Code, Decisions 14 / 38 Reasoning by Syntactic Transformation Establish |= φ by finite, syntactic transformation of φ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 15 / 38 Reasoning by Syntactic Transformation Establish |= φ by finite, syntactic transformation of φ Definition ((Logic) Calculus) A set of (decidable) syntactic transformation rules R defining a relation ` ⊆ For0 such that ` φ implies |= φ: Soundness (required) |= φ implies ` φ: Completeness (desirable) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 15 / 38 Reasoning by Syntactic Transformation Establish |= φ by finite, syntactic transformation of φ Definition ((Logic) Calculus) A set of (decidable) syntactic transformation rules R defining a relation ` ⊆ For0 such that ` φ implies |= φ: Soundness (required) |= φ implies ` φ: Completeness (desirable) Sequent Calculus based on notion of sequent ψ ,...,ψ | 1 {z m} Antecedent =⇒ φ1 , . . . , φ n | {z } Succedent has same semantics as (ψ1 & · · · & ψm ) −> (φ1 | · · · | φn ) {ψ1 , . . . , ψm } |= φ1 | · · · | φn André Platzer (CMU) 15-819M/02: Data, Code, Decisions 15 / 38 Notation for Sequents ψ1 , . . . , ψm =⇒ φ1 , . . . , φ n Consider antecedent/succedent as sets of formulas, possibly empty André Platzer (CMU) 15-819M/02: Data, Code, Decisions 16 / 38 Notation for Sequents ψ1 , . . . , ψm =⇒ φ1 , . . . , φ n Consider antecedent/succedent as sets of formulas, possibly empty Definition (Schema Variables) φ, ψ, . . . match formulas, Γ, ∆, . . . match sets of formulas Characterize infinitely many sequents with a single schematic sequent Γ =⇒ ∆, φ & ψ Matches any sequent with occurrence of conjunction in succedent Call φ & ψ main formula and Γ, ∆ side formulas of sequent Any sequent of the form Γ, φ =⇒ ∆, φ is logically valid: axiom André Platzer (CMU) 15-819M/02: Data, Code, Decisions 16 / 38 Sequent Calculus Rules of Propositional Logic Write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Premisses RuleName z Γ1 =⇒ ∆1 }| ··· { Γr =⇒ ∆r Γ | =⇒ {z ∆} Conclusion André Platzer (CMU) 15-819M/02: Data, Code, Decisions 17 / 38 Sequent Calculus Rules of Propositional Logic Write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Premisses RuleName z Γ1 =⇒ ∆1 }| ··· { Γr =⇒ ∆r Γ | =⇒ {z ∆} Conclusion Example andRight Γ =⇒ φ, ∆ Γ =⇒ ψ, ∆ Γ =⇒ φ & ψ, ∆ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 17 / 38 Sequent Calculus Rules of Propositional Logic Write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Premisses RuleName z Γ1 =⇒ ∆1 }| ··· { Γr =⇒ ∆r Γ | =⇒ {z ∆} Conclusion Example andRight Γ =⇒ φ, ∆ Γ =⇒ ψ, ∆ Γ =⇒ φ & ψ, ∆ Sound rule (essential): André Platzer (CMU) |= (Γ1 =⇒ ∆1 & · · · & Γr =⇒ ∆r ) −> (Γ =⇒ ∆) 15-819M/02: Data, Code, Decisions 17 / 38 Sequent Calculus Rules of Propositional Logic Write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Premisses RuleName z Γ1 =⇒ ∆1 }| ··· { Γr =⇒ ∆r Γ | =⇒ {z ∆} Conclusion Example andRight Γ =⇒ φ, ∆ Γ =⇒ ψ, ∆ Γ =⇒ φ & ψ, ∆ Sound rule (essential): |= (Γ1 =⇒ ∆1 & · · · & Γr =⇒ ∆r ) −> (Γ =⇒ ∆) Complete rule (desirable):|= (Γ =⇒ ∆) −> (Γ1 =⇒ ∆1 & · · · & Γr =⇒ ∆r ) Admissible to have no premisses (iff conclusion is valid, eg axiom) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 17 / 38 Rules of Propositional Sequent Calculus main left side (antecedent) not right side (succedent) Γ =⇒ φ, ∆ Γ, φ =⇒ ∆ Γ, ! φ =⇒ ∆ Γ =⇒ ! φ, ∆ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 18 / 38 Rules of Propositional Sequent Calculus main left side (antecedent) not and right side (succedent) Γ =⇒ φ, ∆ Γ, φ =⇒ ∆ Γ, ! φ =⇒ ∆ Γ =⇒ ! φ, ∆ Γ, φ, ψ =⇒ ∆ Γ, φ & ψ =⇒ ∆ André Platzer (CMU) Γ =⇒ φ, ∆ Γ =⇒ ψ, ∆ Γ =⇒ φ & ψ, ∆ 15-819M/02: Data, Code, Decisions 18 / 38 Rules of Propositional Sequent Calculus main left side (antecedent) not and or right side (succedent) Γ =⇒ φ, ∆ Γ, φ =⇒ ∆ Γ, ! φ =⇒ ∆ Γ =⇒ ! φ, ∆ Γ, φ, ψ =⇒ ∆ Γ =⇒ φ, ∆ Γ, φ & ψ =⇒ ∆ Γ, φ =⇒ ∆ André Platzer (CMU) Γ =⇒ φ & ψ, ∆ Γ, ψ =⇒ ∆ Γ, φ | ψ =⇒ ∆ Γ =⇒ ψ, ∆ Γ =⇒ φ, ψ, ∆ Γ =⇒ φ | ψ, ∆ 15-819M/02: Data, Code, Decisions 18 / 38 Rules of Propositional Sequent Calculus main left side (antecedent) not right side (succedent) Γ =⇒ φ, ∆ Γ, φ =⇒ ∆ Γ, ! φ =⇒ ∆ Γ =⇒ ! φ, ∆ Γ, φ, ψ =⇒ ∆ and Γ =⇒ φ, ∆ Γ, φ & ψ =⇒ ∆ Γ, φ =⇒ ∆ or Γ =⇒ φ & ψ, ∆ Γ, ψ =⇒ ∆ Γ, φ | ψ =⇒ ∆ imp Γ =⇒ φ, ∆ André Platzer (CMU) Γ =⇒ φ, ψ, ∆ Γ =⇒ φ | ψ, ∆ Γ, ψ =⇒ ∆ Γ, φ −> ψ =⇒ ∆ Γ =⇒ ψ, ∆ Γ, φ =⇒ ψ, ∆ Γ =⇒ φ −> ψ, ∆ 15-819M/02: Data, Code, Decisions 18 / 38 Rules of Propositional Sequent Calculus main left side (antecedent) not right side (succedent) Γ =⇒ φ, ∆ Γ, φ =⇒ ∆ Γ, ! φ =⇒ ∆ Γ =⇒ ! φ, ∆ Γ, φ, ψ =⇒ ∆ and Γ =⇒ φ, ∆ Γ, φ & ψ =⇒ ∆ Γ, φ =⇒ ∆ or Γ =⇒ φ & ψ, ∆ Γ, ψ =⇒ ∆ Γ, φ | ψ =⇒ ∆ imp close Γ =⇒ φ, ∆ André Platzer (CMU) true Γ =⇒ φ, ψ, ∆ Γ =⇒ φ | ψ, ∆ Γ, ψ =⇒ ∆ Γ, φ −> ψ =⇒ ∆ Γ, φ =⇒ φ, ∆ Γ =⇒ ψ, ∆ Γ, φ =⇒ ψ, ∆ Γ =⇒ φ −> ψ, ∆ Γ =⇒ true, ∆ false 15-819M/02: Data, Code, Decisions Γ, false =⇒ ∆ 18 / 38 Justification of Rules Justify rules by applying semantic definitions André Platzer (CMU) 15-819M/02: Data, Code, Decisions 19 / 38 Justification of Rules Justify rules by applying semantic definitions orRight Γ =⇒ φ, ψ, ∆ Γ =⇒ φ | ψ, ∆ Follows directly from semantics of sequents André Platzer (CMU) 15-819M/02: Data, Code, Decisions 19 / 38 Justification of Rules Justify rules by applying semantic definitions orRight Γ =⇒ φ, ψ, ∆ Γ =⇒ φ | ψ, ∆ Follows directly from semantics of sequents andRight Γ =⇒ φ, ∆ Γ =⇒ φ & ψ, ∆ Γ −> (φ & ψ) | ∆ iff Γ −> φ | ∆ Distributivity of & over | and −> André Platzer (CMU) Γ =⇒ ψ, ∆ and 15-819M/02: Data, Code, Decisions Γ −> ψ | ∆ 19 / 38 Sequent Calculus Proofs Goal to prove: G ≡ ψ1 , . . . , ψm =⇒ φ1 , . . . , φn find rule R whose conclusion matches G instantiate R such that conclusion identical to G recursively find proofs for resulting premisses G1 , . . . , Gr tree structure with goal as root close proof branch when rule without premiss encountered Goal-directed proof search In KeY tool proof displayed as a tree André Platzer (CMU) 15-819M/02: Data, Code, Decisions 20 / 38 A Simple Proof =⇒ (p & (p −> q)) −> q André Platzer (CMU) 15-819M/02: Data, Code, Decisions 21 / 38 A Simple Proof p & (p −> q) =⇒ q =⇒ (p & (p −> q)) −> q André Platzer (CMU) 15-819M/02: Data, Code, Decisions 21 / 38 A Simple Proof p, (p −> q) =⇒ q p & (p −> q) =⇒ q =⇒ (p & (p −> q)) −> q André Platzer (CMU) 15-819M/02: Data, Code, Decisions 21 / 38 A Simple Proof p =⇒ q, p p, q =⇒ q p, (p −> q) =⇒ q p & (p −> q) =⇒ q =⇒ (p & (p −> q)) −> q André Platzer (CMU) 15-819M/02: Data, Code, Decisions 21 / 38 A Simple Proof Close André Platzer (CMU) ∗ ∗ Close p =⇒ q, p p, q =⇒ q p, (p −> q) =⇒ q p & (p −> q) =⇒ q =⇒ (p & (p −> q)) −> q 15-819M/02: Data, Code, Decisions 21 / 38 A Simple Proof Close ∗ ∗ Close p =⇒ q, p p, q =⇒ q p, (p −> q) =⇒ q p & (p −> q) =⇒ q =⇒ (p & (p −> q)) −> q A proof is closed iff all its branches are closed Demo Examples/prop.key André Platzer (CMU) 15-819M/02: Data, Code, Decisions 21 / 38 DPLL: Davis-Putnam-Logeman-Loveland Basis for fast SAT solving in propositional logic refute ( S ) : while f a l s e 6∈ S do i f S =∅ then return sat i f S does not contain unit clause then P := choose variable /* split on P */ refute ( S with P:= f a l s e ) ; refute ( S with P:= true ) ; else K := choose unit clause from S /* propagate K */ drop all clauses containing K drop complement of K from all clauses end i f end while return unsat André Platzer (CMU) 15-819M/02: Data, Code, Decisions 22 / 38 A|B|C !A | B | !D !A | C !A | !C | D A | !C !B André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|B|C !A | B | !D !A | C !A | !C | D A | !C !B André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) A|C !A | !D !A | C !A | !C | D A | !C propagate(C ) refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) A|C !A | !D !A | C !A | !C | D A | !C propagate(C ) refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D propagate(C ) refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) C !C | D refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) propagate(! D) D !D D refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) propagate(! D) unsat! empty clause D refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) propagate(! D) unsat! empty clause D refute(with A:=false) A|C !A | !D !A | C !A | !C | D A | !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) propagate(! D) unsat! empty clause D refute(with A:=false) C propagate(C ) C !C !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 A|C !A | !D !A | C !A | !C | D A | !C A|C !A | !D propagate(! B) ! A | C !A | !C | D A | !C refute(with A:=true) !D C !C | D !D propagate(C ) propagate(! D) unsat! empty clause D refute(with A:=false) C propagate(C ) unsat! empty clause !C André Platzer (CMU) 15-819M/02: Data, Code, Decisions 23 / 38 How Expressive is Propositional Logic? Finite set of elements N = {1, . . . , n} Let pij denote p(i) = j. p is a permutation on N is expressible . . . Groups, Latin squares, Sudoku, . . . Even finite numbers (e.g., bitwise encoding) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 24 / 38 Limitations of Propositional Logic Fixed, finite number of objects Cannot express: let g be group with arbitrary number of elements No functions or relations with arguments Can express: finite function/relation table pij Cannot express: properties of function/relation on all arguments, e.g., + is associative Static interpretation Programs change value of their variables, e.g., via assignment, call, etc. Propositional formulas look at one single interpretation at a time André Platzer (CMU) 15-819M/02: Data, Code, Decisions 25 / 38 Beyond the Limitations of Propositional Logic First-order Logic s ction +fun Propositional Logic +sta te André Platzer (CMU) chan g e Temporal Logic 15-819M/02: Data, Code, Decisions 26 / 38 Beyond the Limitations of Propositional Logic First-order Logic Propositional Logic s ction +fun +state change +functions +sta te André Platzer (CMU) chan g e Dynamic Logic Temporal Logic 15-819M/02: Data, Code, Decisions 26 / 38 Beyond the Limitations of Propositional Logic First-order Logic Propositional Logic s ction +fun +state change +functions +sta te chan g e Dynamic Logic Temporal Logic Spin André Platzer (CMU) 15-819M/02: Data, Code, Decisions 26 / 38 Beyond the Limitations of Propositional Logic First-order Logic Propositional Logic KeY s ction +fun +state change +functions +sta te chan g e Dynamic Logic Temporal Logic Spin André Platzer (CMU) 15-819M/02: Data, Code, Decisions 26 / 38 Outline 1 Formal Modeling 2 Propositional Logic Syntax Semantics Sequent Calculus DPLL Expressiveness 3 Temporal Logic André Platzer (CMU) 15-819M/02: Data, Code, Decisions 26 / 38 Transition Systems / Kripke Structures p= T p=T ; sa x FF sb TF q=p; F; = q sc TT p=F ; ; sd FT Notation name interp. update André Platzer (CMU) 15-819M/02: Data, Code, Decisions 27 / 38 Transition Systems / Kripke Structures p= T x sa FF p=T ; q=p; sb TF F; = q sc p=F ; TT ; sd FT Each state has its own propositional interpretation! Computations, or runs, are infinite paths through states Infinitely many different runs How to express (for example) that either p or q changes its value infinitely often in each run? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 27 / 38 Linear Temporal Logic An extension of propositional logic that allows to specify properties of sets of runs André Platzer (CMU) 15-819M/02: Data, Code, Decisions 28 / 38 Linear Temporal Logic: Syntax An extension of propositional logic that allows to specify properties of sets of runs Syntax Based on propositional signature and syntax. Extension with three connectives: Always If φ is a formula then so is [ ]φ Sometimes If φ is a formula then so is <>φ Until If φ and ψ are formulas then so is φ U ψ Concrete Syntax Always Sometimes Until André Platzer (CMU) text book ♦ U Spin [] <> U 15-819M/02: Data, Code, Decisions 28 / 38 Semantics of Temporal Logic A run σ is an infinite chain of states s0 s1 s2 s3 s4 I0 I1 I2 I3 I4 ··· Ij propositional interpretation of variables in j-th state Write more compactly s0 s1 s2 s3 . . . André Platzer (CMU) 15-819M/02: Data, Code, Decisions 29 / 38 Semantics of Temporal Logic A run σ is an infinite chain of states s0 s1 s2 s3 s4 I0 I1 I2 I3 I4 ··· Ij propositional interpretation of variables in j-th state Write more compactly s0 s1 s2 s3 . . . If σ = s0 s1 . . ., then σ|i denotes the suffix si si+1 . . . of σ. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 29 / 38 Semantics of Temporal Logic p= T x sa FF p=T ; sb TF q=p; F; q= sc TT p=F ; ; sd FT Definition (Validity Relation) Validity of temporal formula depends on runs σ = s0 s1 . . . for which the formula may, or may not, hold: σ |= p iff I0 (p) = T , for p ∈ P. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 30 / 38 Semantics of Temporal Logic p= T x sa p=T ; sb FF TF p q=p; F; q= p=F ; sc TT ; sd FT p Definition (Validity Relation) Validity of temporal formula depends on runs σ = s0 s1 . . . for which the formula may, or may not, hold: σ |= p iff I0 (p) = T , for p ∈ P. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 30 / 38 Semantics of Temporal Logic p= T sa x p=T ; sb FF !p TF p q=p; F; q= p=F ; sc TT ; sd FT p !p Definition (Validity Relation) Validity of temporal formula depends on runs σ = s0 s1 . . . for which the formula may, or may not, hold: σ |= p iff I0 (p) = T , for p ∈ P. σ |= ! φ iff not σ |= φ (write σ 6|= φ) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 30 / 38 Semantics of Temporal Logic p= T sa x p=T ; sb FF !p TF p q=p; F; q= p=F ; sc TT ; sd FT p !p p&q Definition (Validity Relation) Validity of temporal formula depends on runs σ = s0 s1 . . . for which the formula may, or may not, hold: σ |= p iff I0 (p) = T , for p ∈ P. σ |= ! φ iff not σ |= φ (write σ 6|= φ) σ |= φ & ψ iff σ |= φ and σ |= ψ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 30 / 38 Semantics of Temporal Logic p= T sa x p=T ; sb FF !p TF p q=p; F; q= p=F ; sc TT ; sd FT p !p p&q Definition (Validity Relation) Validity of temporal formula depends on runs σ = s0 s1 . . . for which the formula may, or may not, hold: σ |= p iff I0 (p) = T , for p ∈ P. σ |= ! φ iff not σ |= φ (write σ 6|= φ) σ |= φ & ψ iff σ |= φ and σ |= ψ σ |= φ | ψ iff σ |= φ or σ |= ψ σ |= φ −> ψ iff σ 6|= φ or σ |= ψ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 30 / 38 Semantics of Temporal Logic s0 s1 ··· sk−1 sk ··· Definition (Validity Relation for Temporal Connectives) Given a run σ = s0 s1 , s2 . . . André Platzer (CMU) 15-819M/02: Data, Code, Decisions 31 / 38 Semantics of Temporal Logic s0 φ s1 φ ··· sk−1 ··· φ sk φ ··· ··· Definition (Validity Relation for Temporal Connectives) Given a run σ = s0 s1 , s2 . . . σ |= [ ]φ iff σ|k |= φ for all k ≥ 0 André Platzer (CMU) 15-819M/02: Data, Code, Decisions 31 / 38 Semantics of Temporal Logic s0 s1 ··· sk−1 sk ··· φ Definition (Validity Relation for Temporal Connectives) Given a run σ = s0 s1 , s2 . . . σ |= [ ]φ iff σ|k |= φ for all k ≥ 0 σ |= <>φ iff σ|k |= φ for some k ≥ 0 André Platzer (CMU) 15-819M/02: Data, Code, Decisions 31 / 38 Semantics of Temporal Logic s0 s1 φ φ ··· sk−1 ··· φ sk ··· ψ Definition (Validity Relation for Temporal Connectives) Given a run σ |= [ ]φ σ |= <>φ σ |= φ U ψ σ = s0 s1 , s2 . . . iff σ|k |= φ for all k ≥ 0 iff σ|k |= φ for some k ≥ 0 iff σ|k |= ψ for some k ≥ 0, and σ|j |= φ for all 0≤j<k André Platzer (CMU) 15-819M/02: Data, Code, Decisions 31 / 38 Safety and Liveness Properties Safety Properties Always-formulas called safety property: something bad never happens Let mutex be variable that is true when two process do not access a critical resource at the same time [ ] mutex expresses that simultaneous access never happens André Platzer (CMU) 15-819M/02: Data, Code, Decisions 32 / 38 Safety and Liveness Properties Safety Properties Always-formulas called safety property: something bad never happens Let mutex be variable that is true when two process do not access a critical resource at the same time [ ] mutex expresses that simultaneous access never happens Liveness Properties Sometimes-formulas called liveness property: something good happens eventually Let s be variable that is true when a process delivers a service <> s expresses that service is eventually provided André Platzer (CMU) 15-819M/02: Data, Code, Decisions 32 / 38 Complex Properties What does this mean? [ ]<>φ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 33 / 38 Complex Properties Infinitely Often [ ]<>φ During a run the formulas φ will become true infinitely often. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 33 / 38 Complex Properties Infinitely Often [ ]<>φ During a run the formulas φ will become true infinitely often. What does this mean? <>[ ]φ André Platzer (CMU) 15-819M/02: Data, Code, Decisions 33 / 38 Complex Properties Infinitely Often [ ]<>φ During a run the formulas φ will become true infinitely often. Finally Always <>[ ]φ During a run the formulas φ will become eventually stay true indefinitely. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 33 / 38 Validity Temporal Logic Definition (Validity) φ is valid, write |= φ, iff φ is valid in all runs σ = s0 s1 . . .. Recall that each run s0 s1 . . . essentially is an infinite sequence of interpretations I0 I1 . . .. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 34 / 38 Examples <>[ ]φ Valid? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: (! φ, ! φ, ! φ, . . .) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: (! φ, ! φ, ! φ, . . .) Valid in some run? André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: (! φ, ! φ, ! φ, . . .) Valid in some run? Yes: (φ, φ, φ, . . .) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: (! φ, ! φ, ! φ, . . .) Valid in some run? Yes: (φ, φ, φ, . . .) [ ]φ −> φ (! [ ]φ) <−> (<> ! φ) Both are valid! André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Examples <>[ ]φ Valid? No, there is a run in where it is not valid: (! φ, ! φ, ! φ, . . .) Valid in some run? Yes: (φ, φ, φ, . . .) [ ]φ −> φ (! [ ]φ) <−> (<> ! φ) Both are valid! [ ] is reflexive [ ] and <> are dual connectives André Platzer (CMU) 15-819M/02: Data, Code, Decisions 35 / 38 Transition systems revisited Definition (Transition System) A Transition System T = (S, Ini, δ, I) is given by a set of states S, a non-empty subset Ini ⊆ S of initial states, and a transition relation δ ⊆ S × S, and I labeling each state s ∈ S with a propositional interpretation Is . Definition (Runs of Transition System) A run of T is a is a run σ = s0 s1 . . ., with si ∈ S, such that s0 ∈ Ini and (si , si+1 ) ∈ δ for all i. André Platzer (CMU) 15-819M/02: Data, Code, Decisions 36 / 38 Semantics of Temporal Logic Validity of temporal formula is extended to transition systems in the following way: Definition (Validity Relation) Given a transition systems T = (S, Ini, δ, I), a temporal formula φ is valid in T (write T |= φ) iff σ |= φ for all runs σ of T . André Platzer (CMU) 15-819M/02: Data, Code, Decisions 37 / 38 Background Literature KeY W. Ahrendt: Using KeY. In: B. Beckert, R. Hähnle, and P. Schmitt, editors. Verification of Object-Oriented Software: The KeY Approach, Chapter 10, only pp 409–424, vol 4334 of LNCS. Springer, 2006. Ben-Ari Mordechai Ben-Ari: Principles of the Spin Model Checker, Springer, 2008(!). Section 5.2.1 (Promela examples briefly) André Platzer (CMU) 15-819M/02: Data, Code, Decisions 38 / 38
© Copyright 2026 Paperzz