Fundamentals of Software Engineering
First-Order Logic
Ina Schaefer
Institute for Software Systems Engineering
TU Braunschweig, Germany
Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle
(Chalmers University of Technology, Gothenburg, Sweden)
Ina Schaefer
FSE
1
Main Approaches
Spin
1st part
of course
Abstract programs,
Simple properties
Concrete programs,
Simple properties
Ina Schaefer
Abstract programs,
Complex properties
Concrete programs,
Complex properties
KeY
2nd part
of course
FSE
33
Motivation for Introducing First-Order Logic
We will specify Java programs with Java Modeling Language (JML)
JML combines
• Java expressions
• First-Order Logic (FOL)
Ina Schaefer
FSE
2
Motivation for Introducing First-Order Logic
We will specify Java programs with Java Modeling Language (JML)
JML combines
• Java expressions
• First-Order Logic (FOL)
We will verify Java programs using Dynamic Logic
Dynamic Logic combines
• First-Order Logic (FOL)
• Java programs
Ina Schaefer
FSE
3
FOL: Language and Calculus
We introduce:
• FOL as a language
• (no formal semantics)
• calculus for proving FOL formulas
• KeY system as FOL prover (to start with)
Ina Schaefer
FSE
4
First-Order Logic: Signature
Signature
A first-order signature Σ consists of
• a set TΣ of types
• a set FΣ of function symbols
• a set PΣ of predicate symbols
• a typing αΣ
Ina Schaefer
FSE
5
First-Order Logic: Signature
Signature
A first-order signature Σ consists of
• a set TΣ of types
• a set FΣ of function symbols
• a set PΣ of predicate symbols
• a typing αΣ
intuitively, the typing αΣ determines
• for each function and predicate symbol:
!
!
its arity, i.e., number of arguments
its argument types
• for each function symbol its result type.
Ina Schaefer
FSE
6
First-Order Logic: Signature
Signature
A first-order signature Σ consists of
• a set TΣ of types
• a set FΣ of function symbols
• a set PΣ of predicate symbols
• a typing αΣ
intuitively, the typing αΣ determines
• for each function and predicate symbol:
!
!
its arity, i.e., number of arguments
its argument types
• for each function symbol its result type.
formally:
• αΣ (p) ∈ TΣ ∗ for all p ∈ PΣ
• αΣ (f ) ∈ TΣ ∗ × TΣ for all f ∈ FΣ
Ina Schaefer
FSE
(arity of p is |αΣ (p)|)
(arity of f is |αΣ (f )| − 1)
7
Example Signature 1 + Constants
TΣ1 = {int},
FΣ1 = {+, -} ∪{ ..., -2, -1, 0, 1, 2, ...},
PΣ1 = {<}
Ina Schaefer
FSE
8
Example Signature 1 + Constants
TΣ1 = {int},
FΣ1 = {+, -} ∪{ ..., -2, -1, 0, 1, 2, ...},
PΣ1 = {<}
αΣ1 (<) = (int,int)
αΣ1 (+) = αΣ1 (-) = (int,int,int)
αΣ1 (0) = αΣ1 (1) = αΣ1 (-1) = ... = (int)
Ina Schaefer
FSE
9
Example Signature 1 + Constants
TΣ1 = {int},
FΣ1 = {+, -} ∪{ ..., -2, -1, 0, 1, 2, ...},
PΣ1 = {<}
αΣ1 (<) = (int,int)
αΣ1 (+) = αΣ1 (-) = (int,int,int)
αΣ1 (0) = αΣ1 (1) = αΣ1 (-1) = ... = (int)
Constants
A function symbol f with |αΣ1 (f )| = 1 (i.e., with arity 0)
is called constant symbol.
Ina Schaefer
FSE
10
Example Signature 1 + Constants
TΣ1 = {int},
FΣ1 = {+, -} ∪{ ..., -2, -1, 0, 1, 2, ...},
PΣ1 = {<}
αΣ1 (<) = (int,int)
αΣ1 (+) = αΣ1 (-) = (int,int,int)
αΣ1 (0) = αΣ1 (1) = αΣ1 (-1) = ... = (int)
Constants
A function symbol f with |αΣ1 (f )| = 1 (i.e., with arity 0)
is called constant symbol.
here, the constants are: ..., -2, -1, 0, 1, 2, ...
Ina Schaefer
FSE
11
Syntax of First-Order Logic: Signature Cont’d
Type declaration of signature symbols
• Write τ x; to declare variable x of type τ
• Write p(τ1 , . . . , τr ); for α(p) = (τ1 , . . . , τr )
• Write τ f (τ1 , . . . , τr ); for α(f ) = (τ1 , . . . , τr , τ )
r = 0 is allowed, then write f instead of f (), etc.
Ina Schaefer
FSE
12
Syntax of First-Order Logic: Signature Cont’d
Type declaration of signature symbols
• Write τ x; to declare variable x of type τ
• Write p(τ1 , . . . , τr ); for α(p) = (τ1 , . . . , τr )
• Write τ f (τ1 , . . . , τr ); for α(f ) = (τ1 , . . . , τr , τ )
r = 0 is allowed, then write f instead of f (), etc.
Example
Variables
integerArray a;
int i;
Predicates
isEmpty(List);
alertOn;
Functions
int arrayLookup(int);
Ina Schaefer
FSE
Object o;
13
Example Signature 1 + Notation
typing of Signature 1:
αΣ1 (<) = (int,int)
αΣ1 (+) = αΣ1 (-) = (int,int,int)
αΣ1 (0) = αΣ1 (1) = αΣ1 (-1) = ... = (int)
can alternatively be written as:
<(int,int);
int +(int,int);
int 0; int 1; int -1; ...
Ina Schaefer
FSE
14
Example Signature 2
TΣ2 = {int, LinkedIntList},
FΣ2 = {null, new, elem, next} ∪{ ...,-2,-1,0,1,2,...}
PΣ2 = {}
Ina Schaefer
FSE
15
Example Signature 2
TΣ2 = {int, LinkedIntList},
FΣ2 = {null, new, elem, next} ∪{ ...,-2,-1,0,1,2,...}
PΣ2 = {}
intuitively, elem and next model fields of LinkedIntList objects
Ina Schaefer
FSE
16
Example Signature 2
TΣ2 = {int, LinkedIntList},
FΣ2 = {null, new, elem, next} ∪{ ...,-2,-1,0,1,2,...}
PΣ2 = {}
intuitively, elem and next model fields of LinkedIntList objects
type declarations:
Ina Schaefer
FSE
17
Example Signature 2
TΣ2 = {int, LinkedIntList},
FΣ2 = {null, new, elem, next} ∪{ ...,-2,-1,0,1,2,...}
PΣ2 = {}
intuitively, elem and next model fields of LinkedIntList objects
type declarations:
LinkedIntList null;
LinkedIntList new(int,LinkedIntList);
int elem(LinkedIntList);
LinkedIntList next(LinkedIntList);
Ina Schaefer
FSE
18
Example Signature 2
TΣ2 = {int, LinkedIntList},
FΣ2 = {null, new, elem, next} ∪{ ...,-2,-1,0,1,2,...}
PΣ2 = {}
intuitively, elem and next model fields of LinkedIntList objects
type declarations:
LinkedIntList null;
LinkedIntList new(int,LinkedIntList);
int elem(LinkedIntList);
LinkedIntList next(LinkedIntList);
and as before:
int 0; int 1;
Ina Schaefer
int -1; ...
FSE
19
First-Order Terms
We assume a set V of variables (V ∩ (FΣ ∪ PΣ ) = ∅).
Each v ∈ V has a unique type αΣ (v ) ∈ TΣ .
Ina Schaefer
FSE
20
First-Order Terms
We assume a set V of variables (V ∩ (FΣ ∪ PΣ ) = ∅).
Each v ∈ V has a unique type αΣ (v ) ∈ TΣ .
Terms are defined recursively:
Terms
A first-order term of type τ ∈ TΣ
• is either a variable of type τ , or
• has the form f (t1 , . . . , tn ),
where f ∈ FΣ has result type τ , and each ti is term of the correct
type, following the typing αΣ of f .
Ina Schaefer
FSE
21
First-Order Terms
We assume a set V of variables (V ∩ (FΣ ∪ PΣ ) = ∅).
Each v ∈ V has a unique type αΣ (v ) ∈ TΣ .
Terms are defined recursively:
Terms
A first-order term of type τ ∈ TΣ
• is either a variable of type τ , or
• has the form f (t1 , . . . , tn ),
where f ∈ FΣ has result type τ , and each ti is term of the correct
type, following the typing αΣ of f .
If f is a constant symbol, the term is written f , instead of f ().
Ina Schaefer
FSE
22
Terms over Signature 1
example terms over Σ1 :
(assume variables int v1 ; int v2 ;)
Ina Schaefer
FSE
23
Terms over Signature 1
example terms over Σ1 :
(assume variables int v1 ; int v2 ;)
• -7
• +(-2, 99)
• -(7, 8)
• +(-(7, 8), 1)
• +(-(v1 , 8), v2 )
Ina Schaefer
FSE
24
Terms over Signature 1
example terms over Σ1 :
(assume variables int v1 ; int v2 ;)
• -7
• +(-2, 99)
• -(7, 8)
• +(-(7, 8), 1)
• +(-(v1 , 8), v2 )
some variants of FOL allow infix notation of functions:
• -2 + 99
• 7 - 8
• (7 - 8) + 1
• (v1 - 8) + v2
Ina Schaefer
FSE
25
Terms over Signature 2
example terms over Σ2 :
(assume variables LinkedIntList o; int v ;)
Ina Schaefer
FSE
26
Terms over Signature 2
example terms over Σ2 :
(assume variables LinkedIntList o; int v ;)
• -7
• null
• new(13, null)
• elem(new(13, null))
• next(next(o))
Ina Schaefer
FSE
27
Terms over Signature 2
example terms over Σ2 :
(assume variables LinkedIntList o; int v ;)
• -7
• null
• new(13, null)
• elem(new(13, null))
• next(next(o))
for first-order functions modeling object fields,
we allow dotted postfix notation:
• new(13, null).elem
• o.next.next
Ina Schaefer
FSE
28
Atomic Formulas
Logical Atoms
Given a signature Σ.
A logical atom has either of the forms
• true
• false
• t 1 = t2
(“equality”),
where t1 and t2 have the same type.
• p(t1 , . . . , tn )
(“predicate”),
where p ∈ PΣ , and each ti is term of the correct type,
following the typing αΣ of p.
Ina Schaefer
FSE
29
Atomic Formulas over Signature 1
example formulas over Σ1 :
(assume variable int v ;)
Ina Schaefer
FSE
30
Atomic Formulas over Signature 1
example formulas over Σ1 :
(assume variable int v ;)
• 7=8
• 7 < 8
• -2 - v < 99
• v < (v + 1)
Ina Schaefer
FSE
31
Atomic Formulas over Signature 2
example formulas over Σ2 :
(assume variables LinkedIntList o; int v ;)
Ina Schaefer
FSE
32
Atomic Formulas over Signature 2
example formulas over Σ2 :
(assume variables LinkedIntList o; int v ;)
• new(13, null) = null
• elem(new(13, null)) = 13
• next(new(13, null)) = null
• next(next(o)) = o
Ina Schaefer
FSE
33
General Formulas
first-order formulas are defined recursively:
Formulas
• each atomic formula is a formula
• with φ and ψ formulas, x a variable, and τ a type,
the following are also formulas:
!
!
!
!
!
Ina Schaefer
¬φ (“not φ”)
φ ∧ ψ (“φ and ψ”)
φ ∨ ψ (“φ or ψ”)
φ → ψ (“φ implies ψ”)
φ ↔ ψ (“φ is equivalent to ψ”)
FSE
34
General Formulas
first-order formulas are defined recursively:
Formulas
• each atomic formula is a formula
• with φ and ψ formulas, x a variable, and τ a type,
the following are also formulas:
!
!
!
!
!
!
Ina Schaefer
¬φ (“not φ”)
φ ∧ ψ (“φ and ψ”)
φ ∨ ψ (“φ or ψ”)
φ → ψ (“φ implies ψ”)
φ ↔ ψ (“φ is equivalent to ψ”)
∀ τ x; φ (“for all x of type τ holds φ”)
FSE
35
General Formulas
first-order formulas are defined recursively:
Formulas
• each atomic formula is a formula
• with φ and ψ formulas, x a variable, and τ a type,
the following are also formulas:
!
!
!
!
!
!
!
Ina Schaefer
¬φ (“not φ”)
φ ∧ ψ (“φ and ψ”)
φ ∨ ψ (“φ or ψ”)
φ → ψ (“φ implies ψ”)
φ ↔ ψ (“φ is equivalent to ψ”)
∀ τ x; φ (“for all x of type τ holds φ”)
∃ τ x; φ (“there exists an x of type τ such that φ”)
FSE
36
General Formulas
first-order formulas are defined recursively:
Formulas
• each atomic formula is a formula
• with φ and ψ formulas, x a variable, and τ a type,
the following are also formulas:
!
!
!
!
!
!
!
¬φ (“not φ”)
φ ∧ ψ (“φ and ψ”)
φ ∨ ψ (“φ or ψ”)
φ → ψ (“φ implies ψ”)
φ ↔ ψ (“φ is equivalent to ψ”)
∀ τ x; φ (“for all x of type τ holds φ”)
∃ τ x; φ (“there exists an x of type τ such that φ”)
In ∀ τ x; φ and ∃ τ x; φ the variable x is ‘bound’ (i.e., ‘not free’).
Ina Schaefer
FSE
37
General Formulas
first-order formulas are defined recursively:
Formulas
• each atomic formula is a formula
• with φ and ψ formulas, x a variable, and τ a type,
the following are also formulas:
!
!
!
!
!
!
!
¬φ (“not φ”)
φ ∧ ψ (“φ and ψ”)
φ ∨ ψ (“φ or ψ”)
φ → ψ (“φ implies ψ”)
φ ↔ ψ (“φ is equivalent to ψ”)
∀ τ x; φ (“for all x of type τ holds φ”)
∃ τ x; φ (“there exists an x of type τ such that φ”)
In ∀ τ x; φ and ∃ τ x; φ the variable x is ‘bound’ (i.e., ‘not free’).
Formulas with no free variable are ‘closed’.
Ina Schaefer
FSE
38
General Formulas: Examples
(signatures/types left out here)
Example (There are at least two elements)
Ina Schaefer
FSE
39
General Formulas: Examples
(signatures/types left out here)
Example (There are at least two elements)
∃x, y ; ¬(x = y )
Ina Schaefer
FSE
40
General Formulas: Examples
(signatures/types left out here)
Example (Strict partial order)
Ina Schaefer
FSE
41
General Formulas: Examples
(signatures/types left out here)
Example (Strict partial order)
Irreflexivity ∀x; ¬(x < x)
Asymmetry ∀x; ∀y ; (x < y → ¬(y < x))
Transitivity ∀x; ∀y ; ∀z;
(x < y ∧ y < z → x < z)
Ina Schaefer
FSE
42
General Formulas: Examples
(signatures/types left out here)
Example (Strict partial order)
Irreflexivity ∀x; ¬(x < x)
Asymmetry ∀x; ∀y ; (x < y → ¬(y < x))
Transitivity ∀x; ∀y ; ∀z;
(x < y ∧ y < z → x < z)
(is any of the three formulas redundant?)
Ina Schaefer
FSE
43
General Formulas: Examples
(signatures/types left out here)
Example (All models have infinite domain)
Ina Schaefer
FSE
44
General Formulas: Examples
(signatures/types left out here)
Example (All models have infinite domain)
Signature and axioms of strict partial order plus
Existence Successor ∀x; ∃y ; x < y
Ina Schaefer
FSE
45
Semantics (briefly, but see Appendix)
Domain
A domain D is a set of elements which are (potentially) the meaning of
terms and variables.
Ina Schaefer
FSE
46
Semantics (briefly, but see Appendix)
Domain
A domain D is a set of elements which are (potentially) the meaning of
terms and variables.
Interpretation
An interpretation I (over D) assigns meaning to the symbols in FΣ ∪ PΣ
(assigning functions to function symbols, relations to predicate symbols).
Ina Schaefer
FSE
47
Semantics (briefly, but see Appendix)
Domain
A domain D is a set of elements which are (potentially) the meaning of
terms and variables.
Interpretation
An interpretation I (over D) assigns meaning to the symbols in FΣ ∪ PΣ
(assigning functions to function symbols, relations to predicate symbols).
Valuation
In a given D and I, a closed formula evaluates to either T or F .
Ina Schaefer
FSE
48
Semantics (briefly, but see Appendix)
Domain
A domain D is a set of elements which are (potentially) the meaning of
terms and variables.
Interpretation
An interpretation I (over D) assigns meaning to the symbols in FΣ ∪ PΣ
(assigning functions to function symbols, relations to predicate symbols).
Valuation
In a given D and I, a closed formula evaluates to either T or F .
Validity
A closed formula is valid if it evaluates to T in all D and I.
Ina Schaefer
FSE
49
Semantics (briefly, but see Appendix)
Domain
A domain D is a set of elements which are (potentially) the meaning of
terms and variables.
Interpretation
An interpretation I (over D) assigns meaning to the symbols in FΣ ∪ PΣ
(assigning functions to function symbols, relations to predicate symbols).
Valuation
In a given D and I, a closed formula evaluates to either T or F .
Validity
A closed formula is valid if it evaluates to T in all D and I.
In the context of specification/verification of programs:
each (D, I) is called a ‘state’.
Ina Schaefer
FSE
50
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
Ina Schaefer
FSE
51
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔
Ina Schaefer
FSE
52
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
Ina Schaefer
FSE
53
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔
Ina Schaefer
FSE
54
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
Ina Schaefer
FSE
55
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔
Ina Schaefer
FSE
56
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
Ina Schaefer
FSE
57
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔
Ina Schaefer
FSE
58
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
Ina Schaefer
FSE
59
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
Ina Schaefer
FSE
60
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
Ina Schaefer
FSE
61
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔
Ina Schaefer
FSE
62
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
Ina Schaefer
FSE
63
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
Ina Schaefer
FSE
64
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
• false → φ
Ina Schaefer
FSE
65
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
• false → φ
• (true → φ) ↔
Ina Schaefer
FSE
66
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
• false → φ
• (true → φ) ↔ φ
Ina Schaefer
FSE
67
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
• false → φ
• (true → φ) ↔ φ
• (φ → false) ↔
Ina Schaefer
FSE
68
Useful Valid Formulas
Let φ and ψ be arbitrary, closed formulas (whether valid of not).
The following formulas are valid:
• ¬(φ ∧ ψ) ↔ ¬φ ∨ ¬ψ
• ¬(φ ∨ ψ) ↔ ¬φ ∧ ¬ψ
• (true ∧ φ) ↔ φ
• (false ∨ φ) ↔ φ
• true ∨ φ
• ¬(false ∧ φ)
• (φ → ψ) ↔ (¬φ ∨ ψ)
• φ → true
• false → φ
• (true → φ) ↔ φ
• (φ → false) ↔ ¬φ
Ina Schaefer
FSE
69
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
Ina Schaefer
FSE
70
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔
Ina Schaefer
FSE
71
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
Ina Schaefer
FSE
72
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔
Ina Schaefer
FSE
73
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
Ina Schaefer
FSE
74
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔
Ina Schaefer
FSE
75
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
Ina Schaefer
FSE
76
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
• (∃ τ x; φ ∨ ψ) ↔
Ina Schaefer
FSE
77
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
• (∃ τ x; φ ∨ ψ) ↔ (∃ τ x; φ) ∨ (∃ τ x; ψ)
Ina Schaefer
FSE
78
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
• (∃ τ x; φ ∨ ψ) ↔ (∃ τ x; φ) ∨ (∃ τ x; ψ)
Are the following formulas also valid?
Ina Schaefer
FSE
79
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
• (∃ τ x; φ ∨ ψ) ↔ (∃ τ x; φ) ∨ (∃ τ x; ψ)
Are the following formulas also valid?
• (∀ τ x; φ ∨ ψ) ↔ (∀ τ x; φ) ∨ (∀ τ x; ψ)
Ina Schaefer
FSE
80
Useful Valid Formulas
Assume that x is the only variable which may appear freely in φ or ψ.
The following formulas are valid:
• ¬(∃ τ x; φ) ↔ ∀ τ x; ¬φ
• ¬(∀ τ x; φ) ↔ ∃ τ x; ¬φ
• (∀ τ x; φ ∧ ψ) ↔ (∀ τ x; φ) ∧ (∀ τ x; ψ)
• (∃ τ x; φ ∨ ψ) ↔ (∃ τ x; φ) ∨ (∃ τ x; ψ)
Are the following formulas also valid?
• (∀ τ x; φ ∨ ψ) ↔ (∀ τ x; φ) ∨ (∀ τ x; ψ)
• (∃ τ x; φ ∧ ψ) ↔ (∃ τ x; φ) ∧ (∃ τ x; ψ)
Ina Schaefer
FSE
81
Remark on Concrete Syntax
Negation
Conjunction
Disjunction
Implication
Equivalence
Universal Quantifier
Existential Quantifier
Value equality
Ina Schaefer
Text book
¬
∧
∨
→, ⊃
↔
∀ x; φ
∃ x; φ
.
=
FSE
Spin
!
&&
||
−>
<−>
n/a
n/a
==
KeY
!
&
|
−>
<−>
\forall τ x; φ
\exists τ x; φ
=
82
Part I
Sequent Calculus for FOL
Ina Schaefer
FSE
83
Reasoning by Syntactic Transformation
Prove Validity of φ by syntactic transformation of φ
Ina Schaefer
FSE
84
Reasoning by Syntactic Transformation
Prove Validity of φ by syntactic transformation of φ
Logic Calculus: Sequent Calculus based on notion of sequent:
ψ1 , . . . , ψm
! "# $
=⇒
Antecedent
Ina Schaefer
φ1 , . . . , φn
! "# $
Succedent
FSE
85
Reasoning by Syntactic Transformation
Prove Validity of φ by syntactic transformation of φ
Logic Calculus: Sequent Calculus based on notion of sequent:
ψ1 , . . . , ψm
! "# $
=⇒
Antecedent
has same meaning as
(ψ1 ∧ · · · ∧ ψm )
Ina Schaefer
φ1 , . . . , φn
! "# $
Succedent
→
FSE
(φ1 ∨ · · · ∨ φn )
86
Reasoning by Syntactic Transformation
Prove Validity of φ by syntactic transformation of φ
Logic Calculus: Sequent Calculus based on notion of sequent:
ψ1 , . . . , ψm
! "# $
=⇒
Antecedent
has same meaning as
(ψ1 ∧ · · · ∧ ψm )
φ1 , . . . , φn
! "# $
Succedent
→
(φ1 ∨ · · · ∨ φn )
|=
φ1 ∨ · · · ∨ φn
which has same meaning as
{ψ1 , . . . , ψm }
Ina Schaefer
FSE
87
Notation for Sequents
ψ1 , . . . , ψm
=⇒
φ1 , . . . , φn
Consider antecedent/succedent as sets of formulas, may be empty
Ina Schaefer
FSE
88
Notation for Sequents
ψ1 , . . . , ψm
=⇒
φ1 , . . . , φn
Consider antecedent/succedent as sets of formulas, may be empty
Schema Variables
φ, ψ, . . . match formulas, Γ, ∆, . . . match sets of formulas
Characterize infinitely many sequents with a single schematic sequent
Γ
=⇒
φ ∧ ψ, ∆
Matches any sequent with occurrence of conjunction in succedent
Call φ ∧ ψ main formula and Γ, ∆ side formulas of sequent
Any sequent of the form Γ, φ =⇒ φ, ∆ is logically valid: axiom
Ina Schaefer
FSE
89
Sequent Calculus Rules
Write syntactic transformation schema for sequents that reflects
semantics of connectives as closely as possible
RuleName
#
Γ1 =⇒ ∆1
Premisses
$!
···
Γ
! =⇒
"# ∆$
"
Γr =⇒ ∆r
Conclusion
Ina Schaefer
FSE
90
Sequent Calculus Rules
Write syntactic transformation schema for sequents that reflects
semantics of connectives as closely as possible
RuleName
#
Γ1 =⇒ ∆1
Premisses
$!
···
Γ
! =⇒
"# ∆$
"
Γr =⇒ ∆r
Conclusion
Meaning: For proving the Conclusion, it suffices to prove all Premisses.
Ina Schaefer
FSE
91
Sequent Calculus Rules
Write syntactic transformation schema for sequents that reflects
semantics of connectives as closely as possible
RuleName
#
Γ1 =⇒ ∆1
Premisses
$!
···
Γ
! =⇒
"# ∆$
"
Γr =⇒ ∆r
Conclusion
Meaning: For proving the Conclusion, it suffices to prove all Premisses.
Example
andRight
Ina Schaefer
Γ =⇒ φ, ∆
Γ =⇒ ψ, ∆
Γ =⇒ φ ∧ ψ, ∆
FSE
92
Sequent Calculus Rules
Write syntactic transformation schema for sequents that reflects
semantics of connectives as closely as possible
RuleName
#
Γ1 =⇒ ∆1
Premisses
$!
···
Γ
! =⇒
"# ∆$
"
Γr =⇒ ∆r
Conclusion
Meaning: For proving the Conclusion, it suffices to prove all Premisses.
Example
andRight
Γ =⇒ φ, ∆
Γ =⇒ ψ, ∆
Γ =⇒ φ ∧ ψ, ∆
Admissible to have no premisses (iff conclusion is valid, eg axiom)
Ina Schaefer
FSE
93
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
Ina Schaefer
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
FSE
94
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
Ina Schaefer
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
Γ =⇒ ψ, ∆
Γ =⇒ φ ∧ ψ, ∆
FSE
95
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
or
Ina Schaefer
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
Γ, φ =⇒ ∆
Γ =⇒ ψ, ∆
Γ =⇒ φ ∧ ψ, ∆
Γ, ψ =⇒ ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
Γ =⇒ φ ∨ ψ, ∆
FSE
96
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
or
Γ, φ =⇒ ∆
Γ, ψ =⇒ ∆
imp
Γ =⇒ φ, ∆
Γ, ψ =⇒ ∆
Ina Schaefer
right side (succedent)
Γ =⇒ ψ, ∆
Γ =⇒ φ ∧ ψ, ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
Γ =⇒ φ ∨ ψ, ∆
Γ, φ =⇒ ψ, ∆
Γ, φ → ψ =⇒ ∆
Γ =⇒ φ → ψ, ∆
FSE
97
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
or
Γ, φ =⇒ ∆
Γ, ψ =⇒ ∆
imp
Γ =⇒ φ, ∆
Γ, ψ =⇒ ∆
Γ =⇒ φ ∧ ψ, ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
close
Ina Schaefer
Γ =⇒ ψ, ∆
Γ =⇒ φ ∨ ψ, ∆
Γ, φ =⇒ ψ, ∆
Γ, φ → ψ =⇒ ∆
Γ =⇒ φ → ψ, ∆
Γ, φ =⇒ φ, ∆
FSE
98
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
Γ =⇒ φ ∧ ψ, ∆
or
Γ, φ =⇒ ∆
Γ, ψ =⇒ ∆
imp
Γ =⇒ φ, ∆
Γ, ψ =⇒ ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
close
Ina Schaefer
Γ =⇒ φ ∨ ψ, ∆
Γ, φ =⇒ ψ, ∆
Γ, φ → ψ =⇒ ∆
Γ, φ =⇒ φ, ∆
Γ =⇒ ψ, ∆
true
Γ =⇒ φ → ψ, ∆
Γ =⇒ true, ∆
FSE
99
‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
Γ =⇒ φ ∧ ψ, ∆
or
Γ, φ =⇒ ∆
Γ, ψ =⇒ ∆
imp
Γ =⇒ φ, ∆
Γ, ψ =⇒ ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
close
Ina Schaefer
Γ =⇒ φ ∨ ψ, ∆
Γ, φ =⇒ ψ, ∆
Γ, φ → ψ =⇒ ∆
Γ, φ =⇒ φ, ∆
Γ =⇒ ψ, ∆
true
Γ =⇒ φ → ψ, ∆
Γ =⇒ true, ∆
FSE
false
Γ, false =⇒ ∆
100
Sequent Calculus Proofs
Goal to prove: G =
ψ1 , . . . , ψm =⇒ φ1 , . . . , φn
• find rule R whose conclusion matches G
• instantiate R such that conclusion identical to G
• recursively find proofs for resulting premisses G1 , . . . , Gr
• tree structure with goal as root
• close proof branch when rule without premiss encountered
Goal-directed proof search
In KeY tool proof displayed as Java Swing tree
Ina Schaefer
FSE
101
A Simple Proof
=⇒ (p ∧ (p → q)) → q
Ina Schaefer
FSE
102
A Simple Proof
p ∧ (p → q) =⇒ q
=⇒ (p ∧ (p → q)) → q
Ina Schaefer
FSE
103
A Simple Proof
p, (p → q) =⇒ q
p ∧ (p → q) =⇒ q
=⇒ (p ∧ (p → q)) → q
Ina Schaefer
FSE
104
A Simple Proof
p =⇒ q, p
p, q =⇒ q
p, (p → q) =⇒ q
p ∧ (p → q) =⇒ q
=⇒ (p ∧ (p → q)) → q
Ina Schaefer
FSE
105
A Simple Proof
Close
Ina Schaefer
∗
∗
Close
p =⇒ q, p
p, q =⇒ q
p, (p → q) =⇒ q
p ∧ (p → q) =⇒ q
=⇒ (p ∧ (p → q)) → q
FSE
106
A Simple Proof
Close
∗
∗
Close
p =⇒ q, p
p, q =⇒ q
p, (p → q) =⇒ q
p ∧ (p → q) =⇒ q
=⇒ (p ∧ (p → q)) → q
A proof is closed iff all its branches are closed
Demo
prop.key
Ina Schaefer
FSE
107
Proving Validity of First-Order Formulas
Proving a universally quantified formula
Claim: ∀ τ x; φ is true
How is such a claim proved in mathematics?
Ina Schaefer
FSE
108
Proving Validity of First-Order Formulas
Proving a universally quantified formula
Claim: ∀ τ x; φ is true
How is such a claim proved in mathematics?
All even numbers are divisible by 2 ∀ int x; (even(x) → divByTwo(x))
Ina Schaefer
FSE
109
Proving Validity of First-Order Formulas
Proving a universally quantified formula
Claim: ∀ τ x; φ is true
How is such a claim proved in mathematics?
All even numbers are divisible by 2 ∀ int x; (even(x) → divByTwo(x))
Let c be an arbitrary number
Ina Schaefer
Declare “unused” constant int c
FSE
110
Proving Validity of First-Order Formulas
Proving a universally quantified formula
Claim: ∀ τ x; φ is true
How is such a claim proved in mathematics?
All even numbers are divisible by 2 ∀ int x; (even(x) → divByTwo(x))
Let c be an arbitrary number
Declare “unused” constant int c
The even number c is divisible by 2
prove
Ina Schaefer
FSE
even(c) → divByTwo(c)
111
Proving Validity of First-Order Formulas
Proving a universally quantified formula
Claim: ∀ τ x; φ is true
How is such a claim proved in mathematics?
All even numbers are divisible by 2 ∀ int x; (even(x) → divByTwo(x))
Let c be an arbitrary number
Declare “unused” constant int c
The even number c is divisible by 2
prove
even(c) → divByTwo(c)
Sequent rule ∀-right
forallRight
Γ =⇒ [x/c] φ, ∆
Γ =⇒ ∀ τ x; φ, ∆
• [x/c] φ is result of replacing each occurrence of x in φ with c
• c new constant of type τ
Ina Schaefer
FSE
112
Proving Validity of First-Order Formulas Cont’d
Proving an existentially quantified formula
Claim: ∃ τ x; φ is true
How is such a claim proved in mathematics?
Ina Schaefer
FSE
113
Proving Validity of First-Order Formulas Cont’d
Proving an existentially quantified formula
Claim: ∃ τ x; φ is true
How is such a claim proved in mathematics?
There is at least one prime number ∃ int x; prime(x)
Ina Schaefer
FSE
114
Proving Validity of First-Order Formulas Cont’d
Proving an existentially quantified formula
Claim: ∃ τ x; φ is true
How is such a claim proved in mathematics?
There is at least one prime number ∃ int x; prime(x)
Provide any “witness”, say, 7
Ina Schaefer
Use variable-free term int 7
FSE
115
Proving Validity of First-Order Formulas Cont’d
Proving an existentially quantified formula
Claim: ∃ τ x; φ is true
How is such a claim proved in mathematics?
There is at least one prime number ∃ int x; prime(x)
Provide any “witness”, say, 7
Use variable-free term int 7
7 is a prime number
prime(7)
Ina Schaefer
FSE
116
Proving Validity of First-Order Formulas Cont’d
Proving an existentially quantified formula
Claim: ∃ τ x; φ is true
How is such a claim proved in mathematics?
There is at least one prime number ∃ int x; prime(x)
Provide any “witness”, say, 7
Use variable-free term int 7
7 is a prime number
prime(7)
Sequent rule ∃-right
existsRight
Γ =⇒ [x/t " ] φ, ∃ τ x; φ, ∆
Γ =⇒ ∃ τ x; φ, ∆
• t any variable-free term of type τ
• Proof might not work with t! Need to keep premise to try again
Ina Schaefer
FSE
117
Proving Validity of First-Order Formulas Cont’d
Using a universally quantified formula
We assume ∀ τ x; φ is true
How is such a fact used in a mathematical proof?
Ina Schaefer
FSE
118
Proving Validity of First-Order Formulas Cont’d
Using a universally quantified formula
We assume ∀ τ x; φ is true
How is such a fact used in a mathematical proof?
We know that all primes are odd ∀ int x; (prime(x) → odd(x))
Ina Schaefer
FSE
119
Proving Validity of First-Order Formulas Cont’d
Using a universally quantified formula
We assume ∀ τ x; φ is true
How is such a fact used in a mathematical proof?
We know that all primes are odd ∀ int x; (prime(x) → odd(x))
In particular, this holds for 17
Ina Schaefer
Use variable-free term int 17
FSE
120
Proving Validity of First-Order Formulas Cont’d
Using a universally quantified formula
We assume ∀ τ x; φ is true
How is such a fact used in a mathematical proof?
We know that all primes are odd ∀ int x; (prime(x) → odd(x))
In particular, this holds for 17
Use variable-free term int 17
We know: if 17 is prime it is odd
prime(17) → odd(17)
Ina Schaefer
FSE
121
Proving Validity of First-Order Formulas Cont’d
Using a universally quantified formula
We assume ∀ τ x; φ is true
How is such a fact used in a mathematical proof?
We know that all primes are odd ∀ int x; (prime(x) → odd(x))
In particular, this holds for 17
Use variable-free term int 17
We know: if 17 is prime it is odd
prime(17) → odd(17)
Sequent rule ∀-left
forallLeft
Γ, ∀ τ x; φ, [x/t " ] φ =⇒ ∆
Γ, ∀ τ x; φ =⇒ ∆
• t " any variable-free term of type τ
• We might need other instances besides t " ! Keep premise ∀ τ x; φ
Ina Schaefer
FSE
122
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
We assume ∃ τ x; φ is true
How is such a fact used in a mathematical proof?
Ina Schaefer
FSE
123
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
We assume ∃ τ x; φ is true
How is such a fact used in a mathematical proof?
We know such an element exists. Let’s give it a new name for future
reference.
Ina Schaefer
FSE
124
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
We assume ∃ τ x; φ is true
How is such a fact used in a mathematical proof?
We know such an element exists. Let’s give it a new name for future
reference.
Sequent rule ∃-left
existsLeft
Γ, [x/c] φ =⇒ ∆
Γ, ∃ τ x; φ =⇒ ∆
• c new constant of type τ
Ina Schaefer
FSE
125
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Ina Schaefer
FSE
126
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero.
.
.
¬(x = 0), ¬(y = 0)
Ina Schaefer
=⇒
FSE
127
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero. We know further
that x divides y .
.
.
.
¬(x = 0), ¬(y = 0), ∃ int k; k ∗ x = y =⇒
Ina Schaefer
FSE
128
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero. We know further
that x divides y .
.
Show: (y /x) ∗ x = y (" /" is division on integers, i.e. the equation is not
always true, e.g. x = 2, y = 1)
.
.
.
.
¬(x = 0), ¬(y = 0), ∃ int k; k ∗ x = y =⇒ (y /x) ∗ x = y
Ina Schaefer
FSE
129
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero. We know further
that x divides y .
.
Show: (y /x) ∗ x = y (" /" is division on integers, i.e. the equation is not
always true, e.g. x = 2, y = 1)
.
Proof: We know x divides y , i.e. there exists a k such that k ∗ x = y .
Let now c denote such a k.
.
.
.
.
¬(x = 0), ¬(y = 0), c ∗ x = y =⇒ (y /x) ∗ x = y
.
.
.
.
¬(x = 0), ¬(y = 0), ∃ int k; k ∗ x = y =⇒ (y /x) ∗ x = y
Ina Schaefer
FSE
130
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero. We know further
that x divides y .
.
Show: (y /x) ∗ x = y (" /" is division on integers, i.e. the equation is not
always true, e.g. x = 2, y = 1)
.
Proof: We know x divides y , i.e. there exists a k such that k ∗ x = y .
Let now c denote such a k. Hence we can replace y by c ∗ x on the
right side (see slide 34).
.
.
.
.
¬(x = 0), ¬(y = 0), c ∗ x = y =⇒ ((c ∗ x)/x) ∗ x = y
.
.
.
.
¬(x = 0), ¬(y = 0), c ∗ x = y =⇒ (y /x) ∗ x = y
.
.
.
.
¬(x = 0), ¬(y = 0), ∃ int k; k ∗ x = y =⇒ (y /x) ∗ x = y
Ina Schaefer
FSE
131
Proving Validity of First-Order Formulas Cont’d
Using an existentially quantified formula
Let x, y denote integer constants, both are not zero. We know further
that x divides y .
.
Show: (y /x) ∗ x = y (" /" is division on integers, i.e. the equation is not
always true, e.g. x = 2, y = 1)
.
Proof: We know x divides y , i.e. there exists a k such that k ∗ x = y .
Let now c denote such a k. Hence we can replace y by c ∗ x on the
right side (see slide 34). . . .
∗
..
.
.
.
.
.
¬(x = 0), ¬(y = 0), c ∗ x = y =⇒ ((c ∗ x)/x) ∗ x = y
.
.
.
.
¬(x = 0), ¬(y = 0), c ∗ x = y =⇒ (y /x) ∗ x = y
.
.
.
.
¬(x = 0), ¬(y = 0), ∃ int k; k ∗ x = y =⇒ (y /x) ∗ x = y
Ina Schaefer
FSE
132
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
Untyped logic: let static type of x and y be 0
Ina Schaefer
FSE
133
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃-left: substitute new constant c of type 0 for x
Ina Schaefer
FSE
134
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∀-right: substitute new constant d of type 0 for y
Ina Schaefer
FSE
135
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
p(c, d), ∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∀-left: free to substitute any term of type 0 for y , choose d
Ina Schaefer
FSE
136
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
p(c, d), ∀ y ; p(c, y ) =⇒ p(c, d), ∃ x; p(x, y )
p(c, d), ∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃-right: free to substitute any term of type 0 for x, choose c
Ina Schaefer
FSE
137
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
∗
p(c, d), ∀ y ; p(c, y ) =⇒ p(c, d), ∃ x; p(x, y )
p(c, d), ∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
Close
Ina Schaefer
FSE
138
Proving Validity of First-Order Formulas Cont’d
Example (A simple theorem about binary relations)
∗
p(c, d), ∀ y ; p(c, y ) =⇒ p(c, d), ∃ x; p(x, y )
p(c, d), ∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∃ x; p(x, d)
∀ y ; p(c, y ) =⇒ ∀ y ; ∃ x; p(x, y )
∃ x; ∀ y ; p(x, y ) =⇒ ∀ y ; ∃ x; p(x, y )
Demo
relSimple.key
Ina Schaefer
FSE
139
Proving Validity of First-Order Formulas Cont’d
Using an equation between terms
.
We assume t = t " is true
How is such a fact used in a mathematical proof?
Ina Schaefer
FSE
140
Proving Validity of First-Order Formulas Cont’d
Using an equation between terms
.
We assume t = t " is true
How is such a fact used in a mathematical proof?
.
.
.
Use x = y −1 to simplify x+1/y
x = y −1 =⇒ 1 = x+1/y
Ina Schaefer
FSE
141
Proving Validity of First-Order Formulas Cont’d
Using an equation between terms
.
We assume t = t " is true
How is such a fact used in a mathematical proof?
.
.
.
Use x = y −1 to simplify x+1/y
x = y −1 =⇒ 1 = x+1/y
Replace x in conclusion with right-hand side of equation
Ina Schaefer
FSE
142
Proving Validity of First-Order Formulas Cont’d
Using an equation between terms
.
We assume t = t " is true
How is such a fact used in a mathematical proof?
.
.
.
Use x = y −1 to simplify x+1/y
x = y −1 =⇒ 1 = x+1/y
Replace x in conclusion with right-hand side of equation
.
.
We know: x+1/y equal to y −1+1/y x = y −1 =⇒ 1 = y −1+1/y
Ina Schaefer
FSE
143
Proving Validity of First-Order Formulas Cont’d
Using an equation between terms
.
We assume t = t " is true
How is such a fact used in a mathematical proof?
.
.
.
Use x = y −1 to simplify x+1/y
x = y −1 =⇒ 1 = x+1/y
Replace x in conclusion with right-hand side of equation
.
.
We know: x+1/y equal to y −1+1/y x = y −1 =⇒ 1 = y −1+1/y
.
Sequent rule =-left
.
Γ, t = t " , [t/t " ] φ =⇒ ∆
applyEqL
.
Γ, t = t " , φ =⇒ ∆
.
Γ, t = t " =⇒ [t/t " ] φ, ∆
applyEqR
.
Γ, t = t " =⇒ φ, ∆
• Always replace left- with right-hand side (use eqSymm if necessary)
• t,t " variable-free terms of the same type
Ina Schaefer
FSE
144
Proving Validity of First-Order Formulas Cont’d
Closing a subgoal in a proof
• We derived a sequent that is obviously valid
close
Γ, φ =⇒ φ, ∆
true
Γ =⇒ true, ∆
false
Γ, false =⇒ ∆
• We derived an equation that is obviously valid
eqClose
Ina Schaefer
.
Γ =⇒ t = t, ∆
FSE
145
Sequent Calculus for FOL at One Glance
left side, antecedent
right side, succedent
Γ, ∀ τ x; φ, [x/t " ] φ =⇒ ∆
∀
Γ =⇒ [x/c] φ, ∆
Γ, ∀ τ x; φ =⇒ ∆
Γ =⇒ ∀ τ x; φ, ∆
Γ =⇒ [x/t " ] φ, ∃ τ x; φ, ∆
Γ, [x/c] φ =⇒ ∆
∃
Γ, ∃ τ x; φ =⇒ ∆
.
Γ, t = t " =⇒ [t/t " ] φ, ∆
.
Γ, t = t " =⇒ φ, ∆
.
=
Γ =⇒ ∃ τ x; φ, ∆
.
Γ =⇒ t = t, ∆
(+ application rule on left side)
• [t/t " ] φ is result of replacing each occurrence of t in φ with t "
• t,t " variable-free terms of type τ
• c new constant of type τ (occurs not on current proof branch)
• Equations can be reversed by commutativity
Ina Schaefer
FSE
146
Recap: ‘Propositional’ Sequent Calculus Rules
main left side (antecedent)
not
and
right side (succedent)
Γ =⇒ φ, ∆
Γ, φ =⇒ ∆
Γ, ¬φ =⇒ ∆
Γ =⇒ ¬φ, ∆
Γ, φ, ψ =⇒ ∆
Γ =⇒ φ, ∆
Γ, φ ∧ ψ =⇒ ∆
Γ =⇒ φ ∧ ψ, ∆
or
Γ, φ =⇒ ∆
Γ, ψ =⇒ ∆
imp
Γ =⇒ φ, ∆
Γ, ψ =⇒ ∆
Γ =⇒ φ, ψ, ∆
Γ, φ ∨ ψ =⇒ ∆
close
Ina Schaefer
Γ =⇒ φ ∨ ψ, ∆
Γ, φ =⇒ ψ, ∆
Γ, φ → ψ =⇒ ∆
Γ, φ =⇒ φ, ∆
Γ =⇒ ψ, ∆
true
Γ =⇒ φ → ψ, ∆
Γ =⇒ true, ∆
FSE
false
Γ, false =⇒ ∆
147
Features of the KeY Theorem Prover
Demo
rel.key, twoInstances.key
Feature List
• Can work on multiple proofs simultaneously (task list)
• Proof trees visualized as Java Swing tree
• Point-and-click navigation within proof
• Undo proof steps, prune proof trees
• Pop-up menu with proof rules applicable in pointer focus
• Preview of rule effect as tool tip
• Quantifier instantiation and equality rules by drag-and-drop
• Possible to hide (and unhide) parts of a sequent
• Saving and loading of proofs
Ina Schaefer
FSE
148
Literature for this Lecture
essential:
• W. Ahrendt
Using KeY
Chapter 10 in [KeYbook]
further reading:
• M. Giese
First-Order Logic
Chapter 2 in [KeYbook]
KeYbook B. Beckert, R. Hähnle, and P. Schmitt, editors, Verification
of Object-Oriented Software: The KeY Approach, vol 4334
of LNCS (Lecture Notes in Computer Science), Springer,
2006 (access via Chalmers library → E-books → Lecture
Notes in Computer Science)
Ina Schaefer
FSE
149
Part II
Appendix: First-Order Semantics
Ina Schaefer
FSE
150
First-Order Semantics
From propositional to first-order semantics
• In prop. logic, an interpretation of variables with {T , F } sufficed
• In first-order logic we must assign meaning to:
! variables bound in quantifiers
! constant and function symbols
! predicate symbols
• Each variable or function value may denote a different object
• Respect typing: int i, List l must denote different objects
What we need (to interpret a first-order formula)
1. A collection of typed universes of objects
2. A mapping from variables to objects
3. A mapping from function arguments to function values
Ina Schaefer
FSE
151
First-Order Domains/Universes
1. A collection of typed universes of objects
Definition (Universe/Domain)
A non-empty set D of objects is a universe or domain
Each element of D has a fixed type given by δ : D → τ
• Notation for the domain elements of type τ ∈ T :
Dτ = {d ∈ D | δ(d) = τ }
• Each type τ ∈ T must ‘contain’ at least one domain element:
Dτ 1= ∅
Ina Schaefer
FSE
152
First-Order States
3. A mapping from function arguments to function values
4. The set of argument tuples where a predicate is true
Definition (First-Order State)
Let D be a domain with typing function δ
Let f be declared as τ f (τ1 , . . . , τr );
Let p be declared as p(τ1 , . . . , τr );
Let I(f ) : Dτ1 × · · · × Dτr → Dτ
Let I(p) ⊆ Dτ1 × · · · × Dτr
Then S = (D, δ, I) is a first-order state
Ina Schaefer
FSE
153
First-Order States Cont’d
Example
Signature: int i; short j; int f(int); Object obj; <(int,int);
D = {17, 2, o} where all numbers are short
I(i) = 17
I(j) = 17
I(obj) = o
D int I(f )
2
2
17
2
D int × D int in I(<)?
(2, 2)
F
(2, 17)
T
(17, 2)
F
(17, 17)
F
One of uncountably many possible first-order states!
Ina Schaefer
FSE
154
Semantics of Reserved Signature Symbols
Definition
.
.
Equality symbol = declared as = (0, 0)
.
Interpretation is fixed as I(=) = {(d, d) | d ∈ D}
“Referential Equality” (holds if arguments refer to identical object)
Exercise: write down the predicate table for example domain
Ina Schaefer
FSE
155
Signature Symbols vs. Domain Elements
• Domain elements different from the terms representing them
• First-order formulas and terms have no access to domain
Example
Signature: Object obj1, obj2;
Domain: D = {o}
In this state, necessarily I(obj1) = I(obj2) = o
Ina Schaefer
FSE
156
Variable Assignments
2. A mapping from variables to objects
Think of variable assignment as environment for storage of local variables
Definition (Variable Assignment)
A variable assignment β maps variables to domain elements
It respects the variable type, i.e., if x has type τ then β(x) ∈ Dτ
Definition (Modified Variable Assignment)
Let y be variable of type τ , β variable assignment, d ∈ Dτ :
%
β(x) x 1= y
d
βy (x) :=
d
x =y
Ina Schaefer
FSE
157
Semantic Evaluation of Terms
Given a first-order state S and a variable assignment β
it is possible to evaluate first-order terms under S and β
Definition (Valuation of Terms)
valS,β : Term → D such that valS,β (t) ∈ Dτ for t ∈ Termτ :
• valS,β (x) = β(x)
• valS,β (f (t1 , . . . , tr )) = I(f )(valS,β (t1 ), . . . , valS,β (tr ))
Ina Schaefer
FSE
158
Semantic Evaluation of Terms Cont’d
Example
Signature: int i; short j; int f(int);
D = {17, 2, o} where all numbers are short
Variables: Object obj; int x;
I(i) = 17
I(j) = 17
D int I(f)
2 17
17
2
Var β
obj o
x 17
• valS,β (f(f(i))) ?
• valS,β (x) ?
Ina Schaefer
FSE
159
Semantic Evaluation of Formulas
Definition (Valuation of Formulas)
valS,β (φ) for φ ∈ For
• valS,β (p(t1 , . . . , tr ) = T
• valS,β (φ ∧ ψ) = T
iff
iff
• . . . as in propositional logic
• valS,β (∀ τ x; φ) = T
• valS,β (∀ τ x; φ) = T
d∈
Ina Schaefer
Dτ
iff
iff
(valS,β (t1 ), . . . , valS,β (tr )) ∈ I(p)
valS,β (φ) = T and valS,β (ψ) = T
valS,βxd (∀ τ x; φ) = T for all d ∈ Dτ
valS,βxd (∀ τ x; φ) = T for at least one
FSE
160
Semantic Evaluation of Formulas Cont’d
Example
Signature: short j; int f(int); Object obj; <(int,int);
D = {17, 2, o} where all numbers are short
I(j) = 17
I(obj) = o
D int I(f )
2
2
17
2
• valS,β (f (j) < j) ?
D int × D int in I(<)?
(2, 2)
F
(2, 17)
T
(17, 2)
F
(17, 17)
F
.
• valS,β (∃ int x; f (x) = x) ?
.
• valS,β (∀ Object o1; ∀ Object o2; o1 = o2) ?
Ina Schaefer
FSE
161
Semantic Notions
Definition (Satisfiability, Truth, Validity)
valS,β (φ) = T
S |= φ
|= φ
iff for all β : valS,β (φ) = T
iff for all S : S |= φ
(φ is satisfiable)
(φ is true in S)
(φ is valid)
Closed formulas that are satisfiable are also true: one top-level notion
Ina Schaefer
FSE
162
Semantic Notions
Definition (Satisfiability, Truth, Validity)
valS,β (φ) = T
S |= φ
|= φ
iff for all β : valS,β (φ) = T
iff for all S : S |= φ
(φ is satisfiable)
(φ is true in S)
(φ is valid)
Closed formulas that are satisfiable are also true: one top-level notion
Example
• f (j) < j is true in S
.
• ∃ int x; i = x is valid
.
• ∃ int x; ¬(x = x) is not satisfiable
Ina Schaefer
FSE
163