Fundamentals of Software Engineering

Fundamentals of Software Engineering First-Order Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle (Chalmers University of Technology, Gothenburg, Sweden) Ina Schaefer FSE 1

Main Approaches Spin 1st part of course Abstract programs, Simple properties Concrete programs, Simple properties Abstract programs, Complex properties Concrete programs, Complex properties KeY 2nd part of course Ina Schaefer FSE 33

Motivation for Introducing First-Order Logic We will specify Java programs with Java Modeling Language (JML) JML combines Java expressions First-Order Logic (FOL) Ina Schaefer FSE 2

Motivation for Introducing First-Order Logic We will specify Java programs with Java Modeling Language (JML) JML combines Java expressions First-Order Logic (FOL) We will verify Java programs using Dynamic Logic Dynamic Logic combines First-Order Logic (FOL) Java programs Ina Schaefer FSE 3

FOL: Language and Calculus We introduce: FOL as a language (no formal semantics) calculus for proving FOL formulas KeY system as FOL prover (to start with) Ina Schaefer FSE 4

First-Order Logic: Signature Signature A first-order signature Σ consists of a set T Σ of types a set F Σ of function symbols a set P Σ of predicate symbols a typing α Σ Ina Schaefer FSE 5

First-Order Logic: Signature Signature A first-order signature Σ consists of a set T Σ of types a set F Σ of function symbols a set P Σ of predicate symbols a typing α Σ intuitively, the typing α Σ determines for each function and predicate symbol: its arity, i.e., number of arguments its argument types for each function symbol its result type. Ina Schaefer FSE 6

Example Signature 1 + Constants T Σ1 = {int}, F Σ1 = {+, -} {..., -2, -1, 0, 1, 2,...}, P Σ1 = {<} Ina Schaefer FSE 8

Example Signature 1 + Constants T Σ1 = {int}, F Σ1 = {+, -} {..., -2, -1, 0, 1, 2,...}, P Σ1 = {<} α Σ1 (<) =(int,int) α Σ1 (+) =α Σ1 (-) =(int,int,int) α Σ1 (0) =α Σ1 (1) =α Σ1 (-1) =... =(int) Ina Schaefer FSE 9

Example Signature 1 + Constants T Σ1 = {int}, F Σ1 = {+, -} {..., -2, -1, 0, 1, 2,...}, P Σ1 = {<} α Σ1 (<) =(int,int) α Σ1 (+) =α Σ1 (-) =(int,int,int) α Σ1 (0) =α Σ1 (1) =α Σ1 (-1) =... =(int) Constants A function symbol f with α Σ1 (f ) = 1 (i.e., with arity 0) is called constant symbol. Ina Schaefer FSE 10

Syntax of First-Order Logic: Signature Cont d Type declaration of signature symbols Write τ x; to declare variable x of type τ Write p(τ 1,..., τ r ); for α(p) =(τ 1,..., τ r ) Write τ f (τ 1,..., τ r ); for α(f )=(τ 1,..., τ r,τ) r = 0 is allowed, then write f instead of f (), etc. Ina Schaefer FSE 12

Example Signature 1 + Notation typing of Signature 1: α Σ1 (<) =(int,int) α Σ1 (+) =α Σ1 (-) =(int,int,int) α Σ1 (0) =α Σ1 (1) =α Σ1 (-1) =... =(int) can alternatively be written as: <(int,int); int +(int,int); int 0; int 1; int -1;... Ina Schaefer FSE 14

Example Signature 2 T Σ2 = {int, LinkedIntList}, F Σ2 = {null, new, elem, next} {...,-2,-1,0,1,2,...} P Σ2 = {} Ina Schaefer FSE 15

Example Signature 2 T Σ2 = {int, LinkedIntList}, F Σ2 = {null, new, elem, next} {...,-2,-1,0,1,2,...} P Σ2 = {} intuitively, elem and next model fields of LinkedIntList objects Ina Schaefer FSE 16

Example Signature 2 T Σ2 = {int, LinkedIntList}, F Σ2 = {null, new, elem, next} {...,-2,-1,0,1,2,...} P Σ2 = {} intuitively, elem and next model fields of LinkedIntList objects type declarations: LinkedIntList null; LinkedIntList new(int,linkedintlist); int elem(linkedintlist); LinkedIntList next(linkedintlist); Ina Schaefer FSE 18

First-Order Terms We assume a set V of variables (V (F Σ P Σ )= ). Each v V has a unique type α Σ (v) T Σ. Ina Schaefer FSE 20

First-Order Terms We assume a set V of variables (V (F Σ P Σ )= ). Each v V has a unique type α Σ (v) T Σ. Terms are defined recursively: Terms A first-order term of type τ T Σ is either a variable of type τ, or has the form f (t 1,..., t n ), where f F Σ has result type τ, and each t i is term of the correct type, following the typing α Σ of f. Ina Schaefer FSE 21

Terms over Signature 1 example terms over Σ 1 : (assume variables int v 1 ; int v 2 ;) Ina Schaefer FSE 23

Terms over Signature 1 example terms over Σ 1 : (assume variables int v 1 ; int v 2 ;) -7 +(-2, 99) -(7, 8) +(-(7, 8), 1) +(-(v 1, 8), v 2 ) Ina Schaefer FSE 24

Terms over Signature 1 example terms over Σ 1 : (assume variables int v 1 ; int v 2 ;) -7 +(-2, 99) -(7, 8) +(-(7, 8), 1) +(-(v 1, 8), v 2 ) some variants of FOL allow infix notation of functions: -2 + 99 7-8 (7-8) + 1 (v 1-8) + v 2 Ina Schaefer FSE 25

Terms over Signature 2 example terms over Σ 2 : (assume variables LinkedIntList o; int v;) Ina Schaefer FSE 26

Terms over Signature 2 example terms over Σ 2 : (assume variables LinkedIntList o; int v;) -7 null new(13, null) elem(new(13, null)) next(next(o)) Ina Schaefer FSE 27

Terms over Signature 2 example terms over Σ 2 : (assume variables LinkedIntList o; int v;) -7 null new(13, null) elem(new(13, null)) next(next(o)) for first-order functions modeling object fields, we allow dotted postfix notation: new(13, null).elem o.next.next Ina Schaefer FSE 28

Atomic Formulas Logical Atoms Given a signature Σ. A logical atom has either of the forms true false t 1 = t 2 ( equality ), where t 1 and t 2 have the same type. p(t 1,..., t n ) ( predicate ), where p P Σ, and each t i is term of the correct type, following the typing α Σ of p. Ina Schaefer FSE 29

Atomic Formulas over Signature 1 example formulas over Σ 1 : (assume variable int v;) Ina Schaefer FSE 30

Atomic Formulas over Signature 1 example formulas over Σ 1 : (assume variable int v;) 7 = 8 7 < 8-2 - v < 99 v < (v + 1) Ina Schaefer FSE 31

Atomic Formulas over Signature 2 example formulas over Σ 2 : (assume variables LinkedIntList o; int v;) Ina Schaefer FSE 32

Atomic Formulas over Signature 2 example formulas over Σ 2 : (assume variables LinkedIntList o; int v;) new(13, null) = null elem(new(13, null)) = 13 next(new(13, null)) = null next(next(o)) = o Ina Schaefer FSE 33

General Formulas first-order formulas are defined recursively: Formulas each atomic formula is a formula with φ and ψ formulas, x a variable, and τ a type, the following are also formulas: φ ( not φ ) φ ψ ( φ and ψ ) φ ψ ( φ or ψ ) φ ψ ( φ implies ψ ) φ ψ ( φ is equivalent to ψ ) τ x; φ ( for all x of type τ holds φ ) τ x; φ ( there exists an x of type τ such that φ ) Ina Schaefer FSE 36

General Formulas: Examples (signatures/types left out here) Example (There are at least two elements) Ina Schaefer FSE 39

General Formulas: Examples (signatures/types left out here) Example (There are at least two elements) x, y; (x = y) Ina Schaefer FSE 40

General Formulas: Examples (signatures/types left out here) Example (Strict partial order) Ina Schaefer FSE 41

General Formulas: Examples (signatures/types left out here) Example (Strict partial order) Irreflexivity x; (x < x) Asymmetry x; y;(x < y (y < x)) Transitivity x; y; z; (x < y y < z x < z) Ina Schaefer FSE 42

General Formulas: Examples (signatures/types left out here) Example (All models have infinite domain) Ina Schaefer FSE 44

General Formulas: Examples (signatures/types left out here) Example (All models have infinite domain) Signature and axioms of strict partial order plus Existence Successor x; y; x < y Ina Schaefer FSE 45

Semantics (briefly, but see Appendix) Domain A domain D is a set of elements which are (potentially) the meaning of terms and variables. Ina Schaefer FSE 46

Semantics (briefly, but see Appendix) Domain A domain D is a set of elements which are (potentially) the meaning of terms and variables. Interpretation An interpretation I (over D) assigns meaning to the symbols in F Σ P Σ (assigning functions to function symbols, relations to predicate symbols). Valuation In a given D and I, a closed formula evaluates to either T or F. Ina Schaefer FSE 48

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: Ina Schaefer FSE 51

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) Ina Schaefer FSE 52

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ Ina Schaefer FSE 53

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) Ina Schaefer FSE 54

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ Ina Schaefer FSE 55

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) Ina Schaefer FSE 56

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ Ina Schaefer FSE 57

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) Ina Schaefer FSE 58

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) φ Ina Schaefer FSE 59

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) φ true φ Ina Schaefer FSE 60

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) φ true φ (false φ) Ina Schaefer FSE 61

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) φ true φ (false φ) (φ ψ) Ina Schaefer FSE 62

Useful Valid Formulas Let φ and ψ be arbitrary, closed formulas (whether valid of not). The following formulas are valid: (φ ψ) φ ψ (φ ψ) φ ψ (true φ) φ (false φ) φ true φ (false φ) (φ ψ) ( φ ψ) Ina Schaefer FSE 63

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: Ina Schaefer FSE 70

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) Ina Schaefer FSE 71

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ Ina Schaefer FSE 72

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) Ina Schaefer FSE 73

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) τ x; φ Ina Schaefer FSE 74

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) τ x; φ ( τ x; φ ψ) Ina Schaefer FSE 75

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) τ x; φ ( τ x; φ ψ) ( τ x; φ) ( τ x; ψ) Ina Schaefer FSE 76

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) τ x; φ ( τ x; φ ψ) ( τ x; φ) ( τ x; ψ) ( τ x; φ ψ) Ina Schaefer FSE 77

Useful Valid Formulas Assume that x is the only variable which may appear freely in φ or ψ. The following formulas are valid: ( τ x; φ) τ x; φ ( τ x; φ) τ x; φ ( τ x; φ ψ) ( τ x; φ) ( τ x; ψ) ( τ x; φ ψ) ( τ x; φ) ( τ x; ψ) Are the following formulas also valid? Ina Schaefer FSE 79

Remark on Concrete Syntax Text book Spin KeY Negation!! Conjunction && & Disjunction Implication, > > Equivalence < > < > Universal Quantifier x; φ n/a \forall τ x; φ Existential Quantifier x; φ n/a \exists τ x; φ. Value equality = == = Ina Schaefer FSE 82

Part I Sequent Calculus for FOL Ina Schaefer FSE 83

Reasoning by Syntactic Transformation Prove Validity of φ by syntactic transformation of φ Ina Schaefer FSE 84

Reasoning by Syntactic Transformation Prove Validity of φ by syntactic transformation of φ Logic Calculus: Sequent Calculus based on notion of sequent: ψ 1,..., ψ m }{{} Antecedent = φ 1,..., φ n }{{} Succedent has same meaning as (ψ 1 ψ m ) (φ 1 φ n ) Ina Schaefer FSE 86

Notation for Sequents ψ 1,..., ψ m = φ 1,..., φ n Consider antecedent/succedent as sets of formulas, may be empty Ina Schaefer FSE 88

Notation for Sequents ψ 1,..., ψ m = φ 1,..., φ n Consider antecedent/succedent as sets of formulas, may be empty Schema Variables φ, ψ,... match formulas, Γ,,... match sets of formulas Characterize infinitely many sequents with a single schematic sequent Γ = φ ψ, Matches any sequent with occurrence of conjunction in succedent Call φ ψ main formula and Γ, side formulas of sequent Any sequent of the form Γ,φ = φ, is logically valid: axiom Ina Schaefer FSE 89

Sequent Calculus Rules Write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible RuleName Premisses {}}{ Γ 1 = 1 Γ r = r Γ= }{{} Conclusion Meaning: For proving the Conclusion, it suffices to prove all Premisses. Ina Schaefer FSE 91

Propositional Sequent Calculus Rules main left side (antecedent) right side (succedent) Γ= φ, Γ,φ = not Γ, φ = Γ= φ, Ina Schaefer FSE 94

Propositional Sequent Calculus Rules main left side (antecedent) right side (succedent) Γ= φ, Γ,φ = not Γ, φ = Γ= φ, and Γ, φ, ψ = Γ,φ ψ = Γ= φ, Γ = ψ, Γ= φ ψ, Ina Schaefer FSE 95

Propositional Sequent Calculus Rules main left side (antecedent) right side (succedent) Γ= φ, Γ,φ = not Γ, φ = Γ= φ, and or Γ, φ, ψ = Γ,φ ψ = Γ,φ = Γ,ψ = Γ,φ ψ = Γ= φ, Γ = ψ, Γ= φ ψ, Γ= φ, ψ, Γ= φ ψ, Ina Schaefer FSE 96

Propositional Sequent Calculus Rules main left side (antecedent) right side (succedent) Γ= φ, Γ,φ = not Γ, φ = Γ= φ, and or imp Γ, φ, ψ = Γ,φ ψ = Γ,φ = Γ,ψ = Γ,φ ψ = Γ= φ, Γ,ψ = Γ,φ ψ = Γ= φ, Γ = ψ, Γ= φ ψ, Γ= φ, ψ, Γ= φ ψ, Γ,φ = ψ, Γ= φ ψ, Ina Schaefer FSE 97

Sequent Calculus Proofs Goal to prove: G = ψ 1,..., ψ m = φ 1,..., φ n find rule R whose conclusion matches G instantiate R such that conclusion identical to G recursively find proofs for resulting premisses G 1,..., G r tree structure with goal as root close proof branch when rule without premiss encountered Goal-directed proof search In KeY tool proof displayed as Java Swing tree Ina Schaefer FSE 101

A Simple Proof = (p (p q)) q Ina Schaefer FSE 102

A Simple Proof p (p q) = q = (p (p q)) q Ina Schaefer FSE 103

A Simple Proof p, (p q) = q p (p q) = q = (p (p q)) q Ina Schaefer FSE 104

A Simple Proof p = q, p p, q = q p, (p q) = q p (p q) = q = (p (p q)) q Ina Schaefer FSE 105

A Simple Proof Close p = q, p p, q = q Close p, (p q) = q p (p q) = q = (p (p q)) q Ina Schaefer FSE 106

A Simple Proof Close p = q, p p, q = q Close p, (p q) = q p (p q) = q = (p (p q)) q Demo A proof is closed iff all its branches are closed prop.key Ina Schaefer FSE 107

Proving Validity of First-Order Formulas Proving a universally quantified formula Claim: τ x; φ is true How is such a claim proved in mathematics? Ina Schaefer FSE 108

Proving Validity of First-Order Formulas Proving a universally quantified formula Claim: τ x; φ is true How is such a claim proved in mathematics? All even numbers are divisible by 2 int x; (even(x) divbytwo(x)) Let c be an arbitrary number Declare unused constant int c The even number c is divisible by 2 prove even(c) divbytwo(c) Ina Schaefer FSE 111

Proving Validity of First-Order Formulas Cont d Proving an existentially quantified formula Claim: τ x; φ is true How is such a claim proved in mathematics? Ina Schaefer FSE 113

Proving Validity of First-Order Formulas Cont d Proving an existentially quantified formula Claim: τ x; φ is true How is such a claim proved in mathematics? There is at least one prime number int x; prime(x) Provide any witness, say, 7 Use variable-free term int 7 7 is a prime number prime(7) Sequent rule -right existsright Γ= [x/t ] φ, τ x; φ, Γ= τ x; φ, t any variable-free term of type τ Proof might not work with t! Need to keep premise to try again Ina Schaefer FSE 117

Proving Validity of First-Order Formulas Cont d Using a universally quantified formula We assume τ x; φ is true How is such a fact used in a mathematical proof? Ina Schaefer FSE 118

Proving Validity of First-Order Formulas Cont d Using a universally quantified formula We assume τ x; φ is true How is such a fact used in a mathematical proof? We know that all primes are odd int x; (prime(x) odd(x)) In particular, this holds for 17 Use variable-free term int 17 We know: if 17 is prime it is odd Sequent rule -left prime(17) odd(17) forallleft Γ, τ x; φ, [x/t ] φ = Γ, τ x; φ = t any variable-free term of type τ We might need other instances besides t! Keep premise τ x; φ Ina Schaefer FSE 122

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula We assume τ x; φ is true How is such a fact used in a mathematical proof? Ina Schaefer FSE 123

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula We assume τ x; φ is true How is such a fact used in a mathematical proof? We know such an element exists. Let s give it a new name for future reference. Ina Schaefer FSE 124

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Ina Schaefer FSE 126

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Let x, y denote integer constants, both are not zero. (x. = 0), (y. = 0) = Ina Schaefer FSE 127

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Let x, y denote integer constants, both are not zero. We know further that x divides y. (x. = 0), (y. = 0), int k; k x. = y = Ina Schaefer FSE 128

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Let x, y denote integer constants, both are not zero. We know further that x divides y. Show: (y/x) x. = y ( / is division on integers, i.e. the equation is not always true, e.g. x =2, y = 1) Proof: We know x divides y, i.e. there exists a k such that k x. = y. Let now c denote such a k. (x. = 0), (y. = 0), c x. = y = (y/x) x. = y (x. = 0), (y. = 0), int k; k x. = y = (y/x) x. = y Ina Schaefer FSE 130

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Let x, y denote integer constants, both are not zero. We know further that x divides y. Show: (y/x) x =. y ( / is division on integers, i.e. the equation is not always true, e.g. x =2, y = 1) Proof: We know x divides y, i.e. there exists a k such that k x =. y. Let now c denote such a k. Hence we can replace y by c x on the right side (see slide 34). (x. = 0), (y. = 0), c x. = y = ((c x)/x) x. = y (x. = 0), (y. = 0), c x. = y = (y/x) x. = y (x. = 0), (y. = 0), int k; k x. = y = (y/x) x. = y Ina Schaefer FSE 131

Proving Validity of First-Order Formulas Cont d Using an existentially quantified formula Let x, y denote integer constants, both are not zero. We know further that x divides y. Show: (y/x) x =. y ( / is division on integers, i.e. the equation is not always true, e.g. x =2, y = 1) Proof: We know x divides y, i.e. there exists a k such that k x =. y. Let now c denote such a k. Hence we can replace y by c x on the right side (see slide 34)..... (x. = 0), (y. = 0), c x. = y = ((c x)/x) x. = y (x. = 0), (y. = 0), c x. = y = (y/x) x. = y (x. = 0), (y. = 0), int k; k x. = y = (y/x) x. = y Ina Schaefer FSE 132

Proving Validity of First-Order Formulas Cont d Example (A simple theorem about binary relations) x; y; p(x, y) = y; x; p(x, y) Untyped logic: let static type of x and y be Ina Schaefer FSE 133

Proving Validity of First-Order Formulas Cont d Example (A simple theorem about binary relations) y; p(c, y) = y; x; p(x, y) x; y; p(x, y) = y; x; p(x, y) -left: substitute new constant c of type for x Ina Schaefer FSE 134

Proving Validity of First-Order Formulas Cont d Example (A simple theorem about binary relations) y; p(c, y) = x; p(x, d) y; p(c, y) = y; x; p(x, y) x; y; p(x, y) = y; x; p(x, y) -right: substitute new constant d of type for y Ina Schaefer FSE 135

Proving Validity of First-Order Formulas Cont d Example (A simple theorem about binary relations) p(c, d), y; p(c, y) = x; p(x, d) y; p(c, y) = x; p(x, d) y; p(c, y) = y; x; p(x, y) x; y; p(x, y) = y; x; p(x, y) -left: free to substitute any term of type for y, choose d Ina Schaefer FSE 136

Proving Validity of First-Order Formulas Cont d Example (A simple theorem about binary relations) p(c, d), y; p(c, y) = p(c, d), x; p(x, y) p(c, d), y; p(c, y) = x; p(x, d) y; p(c, y) = x; p(x, d) y; p(c, y) = y; x; p(x, y) x; y; p(x, y) = y; x; p(x, y) -right: free to substitute any term of type for x, choose c Ina Schaefer FSE 137

Proving Validity of First-Order Formulas Cont d Using an equation between terms We assume t. = t is true How is such a fact used in a mathematical proof? Ina Schaefer FSE 140

Proving Validity of First-Order Formulas Cont d Using an equation between terms We assume t. = t is true How is such a fact used in a mathematical proof? Use x =. y 1 to simplify x+1/y x =. y 1 = 1 =. x+1/y Replace x in conclusion with right-hand side of equation We know: x+1/y equal to y 1+1/y x. = y 1 = 1. = y 1+1/y Sequent rule =-left. applyeql Γ, t =. t, [t/t ] φ = Γ, t =. t,φ = applyeqr Γ, t. = t = [t/t ] φ, Γ, t. = t = φ, Always replace left- with right-hand side (use eqsymm if necessary) t,t variable-free terms of the same type Ina Schaefer FSE 144

Proving Validity of First-Order Formulas Cont d Closing a subgoal in a proof We derived a sequent that is obviously valid close Γ,φ = φ, true Γ= true, false Γ, false = We derived an equation that is obviously valid eqclose Γ= t. = t, Ina Schaefer FSE 145

Sequent Calculus for FOL at One Glance left side, antecedent Γ, τ x; φ, [x/t ] φ = Γ, τ x; φ = Γ, [x/c] φ = Γ, τ x; φ = right side, succedent Γ= [x/c] φ, Γ= τ x; φ, Γ= [x/t ] φ, τ x; φ, Γ= τ x; φ,. = Γ, t. = t = [t/t ] φ, Γ, t. = t = φ, Γ= t. = t, (+ application rule on left side) [t/t ] φ is result of replacing each occurrence of t in φ with t t,t variable-free terms of type τ c new constant of type τ (occurs not on current proof branch) Equations can be reversed by commutativity Ina Schaefer FSE 146

Recap: Propositional Sequent Calculus Rules main left side (antecedent) right side (succedent) Γ= φ, Γ,φ = not Γ, φ = Γ= φ, and or imp Γ, φ, ψ = Γ,φ ψ = Γ,φ = Γ,ψ = Γ,φ ψ = Γ= φ, Γ,ψ = Γ,φ ψ = Γ= φ, Γ = ψ, Γ= φ ψ, Γ= φ, ψ, Γ= φ ψ, Γ,φ = ψ, Γ= φ ψ, close Γ,φ = φ, true Γ= true, false Γ, false = Ina Schaefer FSE 147

Features of the KeY Theorem Prover Demo Feature List rel.key, twoinstances.key Can work on multiple proofs simultaneously (task list) Proof trees visualized as Java Swing tree Point-and-click navigation within proof Undo proof steps, prune proof trees Pop-up menu with proof rules applicable in pointer focus Preview of rule effect as tool tip Quantifier instantiation and equality rules by drag-and-drop Possible to hide (and unhide) parts of a sequent Saving and loading of proofs Ina Schaefer FSE 148

Literature for this Lecture essential: W. Ahrendt Using KeY Chapter 10 in [KeYbook] further reading: M. Giese First-Order Logic Chapter 2 in [KeYbook] KeYbook B. Beckert, R. Hähnle, and P. Schmitt, editors, Verification of Object-Oriented Software: The KeY Approach, vol 4334 of LNCS (Lecture Notes in Computer Science), Springer, 2006 (access via Chalmers library E-books Lecture Notes in Computer Science) Ina Schaefer FSE 149

Part II Appendix: First-Order Semantics Ina Schaefer FSE 150

First-Order Semantics From propositional to first-order semantics In prop. logic, an interpretation of variables with {T, F } sufficed In first-order logic we must assign meaning to: variables bound in quantifiers constant and function symbols predicate symbols Each variable or function value may denote a different object Respect typing: int i, List l must denote different objects What we need (to interpret a first-order formula) 1. A collection of typed universes of objects 2. A mapping from variables to objects 3. A mapping from function arguments to function values Ina Schaefer FSE 151

First-Order Domains/Universes 1. A collection of typed universes of objects Definition (Universe/Domain) A non-empty set D of objects is a universe or domain Each element of D has a fixed type given by δ : D τ Notation for the domain elements of type τ T : D τ = {d D δ(d) =τ} Each type τ T must contain at least one domain element: D τ Ina Schaefer FSE 152

First-Order States 3. A mapping from function arguments to function values 4. The set of argument tuples where a predicate is true Definition (First-Order State) Let D be a domain with typing function δ Let f be declared as τ f (τ 1,..., τ r ); Let p be declared as p(τ 1,..., τ r ); Let I(f ):D τ 1 D τr D τ Let I(p) D τ 1 D τr Then S =(D, δ, I) is a first-order state Ina Schaefer FSE 153

First-Order States Cont d Example Signature: int i; short j; int f(int); Object obj; <(int,int); D = {17, 2, o} where all numbers are short I(i) = 17 I(j) = 17 I(obj) =o D int I(f ) 2 2 17 2 D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F One of uncountably many possible first-order states! Ina Schaefer FSE 154

Semantics of Reserved Signature Symbols Definition Equality symbol. = declared as. = (, ) Interpretation is fixed as I(. =) = {(d, d) d D} Referential Equality (holds if arguments refer to identical object) Exercise: write down the predicate table for example domain Ina Schaefer FSE 155

Signature Symbols vs. Domain Elements Domain elements different from the terms representing them First-order formulas and terms have no access to domain Example Signature: Object obj1, obj2; Domain: D = {o} In this state, necessarily I(obj1) = I(obj2) = o Ina Schaefer FSE 156

Variable Assignments 2. A mapping from variables to objects Think of variable assignment as environment for storage of local variables Definition (Variable Assignment) A variable assignment β maps variables to domain elements It respects the variable type, i.e., if x has type τ then β(x) D τ Definition (Modified Variable Assignment) Let y be variable of type τ, β variable assignment, d D τ : { βy d β(x) x y (x) := d x = y Ina Schaefer FSE 157

Semantic Evaluation of Terms Given a first-order state S and a variable assignment β it is possible to evaluate first-order terms under S and β Definition (Valuation of Terms) val S,β : Term D such that val S,β (t) D τ for t Term τ : val S,β (x) =β(x) val S,β (f (t 1,..., t r )) = I(f )(val S,β (t 1 ),..., val S,β (t r )) Ina Schaefer FSE 158

Semantic Evaluation of Terms Cont d Example Signature: int i; short j; int f(int); D = {17, 2, o} where all numbers are short Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) 2 17 17 2 Var β obj o x 17 val S,β (f(f(i)))? val S,β (x)? Ina Schaefer FSE 159

Semantic Evaluation of Formulas Definition (Valuation of Formulas) val S,β (φ) for φ For val S,β (p(t 1,..., t r )=T iff (val S,β (t 1 ),..., val S,β (t r )) I(p) val S,β (φ ψ) =T iff val S,β (φ) =T and val S,β (ψ) =T... as in propositional logic val S,β ( τ x; φ) =T iff val S,β d x ( τ x; φ) =T for all d D τ val S,β ( τ x; φ) =T iff val S,β d x ( τ x; φ) =T for at least one d D τ Ina Schaefer FSE 160

Semantic Evaluation of Formulas Cont d Example Signature: short j; int f(int); Object obj; <(int,int); D = {17, 2, o} where all numbers are short I(j) = 17 I(obj) =o D int I(f ) 2 2 17 2 D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F val S,β (f (j) < j)? val S,β ( int x; f (x). = x)? val S,β ( Object o1; Object o2; o1. = o2)? Ina Schaefer FSE 161

Semantic Notions Definition (Satisfiability, Truth, Validity) val S,β (φ) =T (φ is satisfiable) S = φ iff for all β : val S,β (φ) =T (φ is true in S) = φ iff for all S : S = φ (φ is valid) Closed formulas that are satisfiable are also true: one top-level notion Ina Schaefer FSE 162