Automated Methods for Program Veriﬁcation: Propositional ... · Automated Methods for Program...

Automated Methods forProgram Verification:

Propositional logic as a formallanguage for CS

(handouts + exercises + modelproblems + model solutions)

Tweedledee: “If it was so, it might be; and if it were

so, it would be; but as it isn’t, it ain’t. That’s logic.”

– Lewis Caroll’s “Through the Looking Glass”

The textbook recommended: Michael Huth

and Mark Ryan. Logic in Computer Science.

Modelling and Reasoning about Systems.

Since the course is intended to follow the most

recent achievements, there is no fully appropri-

ate textbook for the course.

You should rely upon your notes in class.

Max Kanovich. Logic as a language for CS 1

What is logic for

Any logical system (or formal system) provides

the following:

(a) A precise well-defined formal language of

terms (that is objects) and formulas (that

is statements) to specify the problem area

in question.

(b) A set of inference rules to develop formal

proofs, or formal derivations.

(c) Given a form of semantics/interpretation,

the logic is sound if all sentences that can

be derived are true in the interpretation.

The logic is complete if all true sentences

can be derived.

What is a logic ?

• Logic is a precise and well-defined formal

language.

• Logic consists of syntax and semantics.

(a) Syntax: shape/form

(b) Semantics: meaning/interpretation/models

(a) Syntax defines the shape of sentences.

(b) Semantics gives meaning to sentences.

Logic as a Universal Language:Declarative sentences

Aristotle (384-322 BC)The heart of Aristotle’s logic is the syllogism,the classic example of which is as follows:

All men are mortal;

Socrates is a man;

Therefore, Socrates is mortal.

The syllogistic form of logical argumentationdominated logic for 2,000 years.

George Boole (1815-1864)

S1. If it rains then I take an umbrella.S2. If I take an umbrella then it rains.S3. If I do not take an umbrella then it is notraining.Is S1 = S2 ? Is S1 = S3 ?How to answer to the questions automatically(calculus).

Propositional logic: Examples

(a) If Mark is happy, he will come tomorrow.

(a1) p → q

(a2) p stands for “Mark is happy”

(a3) q means “he will come tomorrow”

(a4) A satisfying assignment:

p is true, q is true

(b) The sky is blue and if the water is warm,

I will go for a swim.

(b1) p ∧ (q → r)

(b2) p stands for “The sky is blue”

(b3) q stands for “the water is warm”

(b4) r stands for “I will go for a swim”

(b5) A satisfying assignment:

p is true, q is false, r is false.

Propositional logic: Examples

If the train is late and there are no taxis at the

station John is late for the meeting.

John is not late and the train arrived late.

Therefore there were taxis at the station.

If rains and Jane has no umbrella then she will

get wet. Jane is dry and it is raining.

Therefore she had an umbrella.

1. Are the above arguments valid?

2. Are they similar?

Propositional logic: Name them!

If the train is late and there are no taxis at the

station John is late for the meeting.

John is not late and the train arrived late.

Therefore there were taxis at the station.

Let p denote: “the train is late”.

Let q denote: “there are taxis at the station”

Let r denote: “John is late for the meeting”.

Then the whole is of the form:

If p and not q, then r. Not r and p. Therefore, q.

If rains and Jane has no umbrella then she will

get wet. Jane is dry and it is raining.

Therefore she had an umbrella.

Let p denote: “it is raining”.

Let q denote: “Jane has an umbrella”

Let r denote: “Jane is wet”.

We get the same:

Propositional formulas

The statement:

can be encoded further as a formula A:

A = (B ∧ C) → q

A = (((p ∧ ¬q) → r)︸︷︷︸

∧ (¬r ∧ p)︸︷︷︸

) → q

The validity of the above argument can be

shown by that A is always true whatever par-

ticular statements p, q, r we take

(e.g. by means of the truth-tables).

The fundamental principle in verification etc.

Compositionality:

The meaning of A is fully determined by the

meaning of its parts p, q, r.

Logic as a Language: Exercise 9

Translate into propositional logic:

(a) If you miss the party, then Jane, who is

already upset, will be angry with you.

(b) Handel is great, and the same goes for

Vivaldi.

(c) If inflation is up and an election is ap-

proaching, then public borrowing goes up.

(d) Heavy traffic and rain have put him in a

bad mood.

(e) All Vulcans are logical;

Spock is a Vulcan;

therefore, Spock is logical.

Answers to Exercise 9 on slide 9

(a) p = “you miss the party”,q = “Jane is already upset”,r = “Jane will be angry with you”

q ∧ (p → r)

(b) p = “Handel is great”,q = “Vivaldi is great”.

(p ∧ q)

(c) p = “inflation is up”,q = “an election is approaching”,r = “public borrowing goes up”.

(p ∧ q) → r

(d) p = “traffic is heavy”, q = “it rains”,r = “he is in a bad mood”.

(p ∧ q) → r

(e) This item requires a more advanced language!

All Vulcans are logical;Spock is a Vulcan;therefore, Spock is logical.

Logic as a Language: Exercise 11

A recent article quoted an official as having

said, “If Mr. Jones is innocent of a crime, then

he is not a suspect.”

Taking into account the ‘Presumption of Inno-

cence’

PRESUMPTION OF INNOCENCE - The in-

dictment or formal charge against any person

is not evidence of guilt. Indeed, the person

is presumed by the law to be innocent. The

law does not require a person to prove his in-

nocence or produce any evidence at all. The

Government has the burden of proving a per-

son guilty beyond a reasonable doubt, and if it

fails to do so the person is (so far as the law

is concerned) not guilty.

do you think the statement is true or false ?

An Answer to Exercise 11 onslide 11

“If Mr. Jones is innocent of a crime, then he

is not a suspect.”

Let p = “Mr. Jones is innocent”,

Let q = “Mr. Jones is a suspect”.

The statement is

p → ¬q

Is it in accordance with the ‘Presumption of In-

nocence’ ? Take an equivalent (?) statement

in the form:

q → ¬p

which is clearly against the lines of the ‘Pre-

sumption of Innocence’ !

Contrapositive versus Converse

(a) A converse of a proposition (A → B) isa proposition of the form (B → A)obtained by the interchange of the premiseand conclusion of the original proposition.So ((p ∧ q) → r) is the converse of (r → (p ∧ q))

(b) A contrapositive of a proposition (A → B)is a proposition of the form (¬B → ¬A)obtained by negating and permuting theterms of the original proposition.

(A → B) ≡ (¬B → ¬A)

E.g., (¬(p ∧ q) → ¬r) is the contraposi-tive of (r → (p ∧ q)).

S1. If it rains then I take an umbrella.S2. If I take an umbrella then it rains.S3. If I do not take an umbrella then it is notraining.

S2 ≡ S1 ? NO

S3 ≡ S1 ! YES

Propositional Connectives: Syntaxand Semantics

We will use the following logical connectives:

(i) negation ¬

(ii) conjunction ∧

(iii) disjunction ∨

(iv) implication →

The meaning of these connectives is definedby means of the following truth table:

p q ¬p ¬q p ∧ q p ∨ q p → q

T T F F T T TT F F T F T FF T T F F T TF F T T F F T

How many binary connectives can be defined ?

A ‘Standard’ Propositional Prooffor: LHS = RHS

Theorem 0.1 For any propositions p and q:

¬(p ∨ q) = (¬p) ∧ (¬q).

Proof. It follows from the truth table, in which

whatever p and q we take, the truth values of

LHS and RHS turn out to be identical.

p q ¬p ¬q p ∨ q LHS¬(p ∨ q)

RHS(¬p) ∧ (¬q)

T T F F T F F

T F F T T F F

F T T F T F F

F F T T F T T

Warning. Here p and q are propositions, or

closed assertions, which means that p and q

contain no free variables.

Semantic Satisfiability,Semantic Validity

A valuation, or a model, is a set of truthvalues attached to the atomic propositions.In other words, each of the rows within a giventruth table represents a valuation.

A formula ϕ is satisfiable if it computes to T

for at least one valuation (model).

A formula ϕ is valid, or a tautology, if itcomputes to T, whatever valuation (model) wechoose.We will denote this fact by |= ϕ.

A tautology ϕ is a statement composed ofsimpler statements in a fashion that makes ittrue whether the simpler statements are trueor false. E.g., ((A ∧B) → B) is a tautology.

A formula ϕ is a contradiction if it computesto F, whatever valuation (model) we choose.In this case, |= ¬ϕ.

Semantic EntailmentSemantic Equivalence

A valuation, or a model, is a set of truth

values attached to the atomic propositions.

ϕ1, ϕ2, . . . , ϕn semantically entail ψ

ϕ1, ϕ2, . . . , ϕn |= ψ

if, for any modelM , the ψ evaluates to T inM ,

whenever ϕ1, ϕ2, . . . , ϕn evaluate to T in M .

E.g., A, (A → B) |= B

ϕ and ψ are semantically equivalent

ϕ ≡ ψ

if, for any model M , the ϕ evaluates to T in M

if and only if the ψ evaluates to T in M .

E.g., ¬(A → B) ≡ A ∧ ¬B

Boolean Algebra

(a) De Morgan’s Laws, or the ‘Duality Principle’:

¬(p ∨ q) ≡ (¬p) ∧ (¬q), ¬(p ∧ q) ≡ (¬p) ∨ (¬q)

(b) Idempotent laws: (p ∨ p) ≡ p, (p ∧ p) ≡ p.

(c) Commutative Laws: (p ∨ q) ≡ (q ∨ p), (p ∧ q) ≡ (q ∧ p),

Cf. x+y = y+x, x · y = y · x.

(d) Associative Laws:

(p ∨ (q ∨ r)) ≡ ((p ∨ q) ∨ r), Cf. x+(y+z) = (x+y)+z,

(p ∧ (q ∧ r)) ≡ ((p ∧ q) ∧ r), Cf. x · (y · z) = (x · y) · z.

(e) Distributive Laws:

(p ∧ (q ∨ r)) ≡ (p ∧ q) ∨ (p ∧ r), Cf. x(y+z) = xy+xz,

(p ∨ (q ∧ r)) ≡ (p ∨ q) ∧ (p ∨ r).

(f) Identity Laws:

(p ∨ F ) ≡ p, (p ∧ T ) ≡ p, Cf. x+0 = x, x · 1 = x,

(p ∨ T ) ≡ T , (p ∧ F ) ≡ F , Cf. x · 0 = 0.

(g) Absorption Laws:

(p ∨ (p ∧ q)) ≡ p, (p ∧ (p ∨ q)) ≡ p,

Implication and Negation

(i) (p → q) ≡ ((¬p) ∨ q),

¬ (p → q) ≡ (p ∧ ¬q), (“counter-example”),

(ii) (p → (q → r)) ≡ ((p ∧ q) → r) ≡ (q → (p → r)),

(iii) (p → T ) ≡ T , (p → F ) ≡ ¬p,

(T → p) ≡ p, (F → p) ≡ T ,

(iv) (p → q) ≡ ((¬q) → (¬p)), (contraposition),

(v) (p ∨ ¬p) ≡ T ,

(law of excluded middle, tertium non datur),

(p ∧ ¬p) ≡ F , (contradiction law),

(vi) ¬¬p ≡ p, (double negation law),

(¬p → F ) ≡ p, (reductio ad absurdum).

Binding Conventions

¬, ∧, ∨, → are listed here in accordance with

their binding power.

Conjunctive Normal Form (CNF)

A CNF is a conjunction of disjunctions of liter-als, where a literal is either an atomic proposi-tion, say p or the negation of an atomic propo-sition, say ¬p:

C1 ∧ C2 ∧ · · · ∧ Cm

C1 = T,C2 = T,. . . . . .

Cm = T.

Theorem 0.2 Every propositional formula can

be rewritten as a CNF.

Examples (translate into CNF, if necessary):

p ∧ (q ∨ r) ∧ ¬r

p ∨ (q ∧ r)

p → q

(p ∧ ¬q) → r

Do We Really Need Proofs ?

The four parts are moved around resulting in

that 13 × 13 = 8 × 21 !!!

Do We Really Need Proofs ?An Algorithm of Getting Rich

(1) Take an 8cm by 8cm sheet of gold foil,64 cm2, and cut it up as in the picture onthe left.

(2) Take the pieces and rearrange them toform the 5cm by 13cm rectangle on theright, giving you 65 cm2 of gold foil.

(3) Now keep one cm2 as profit, and meltdown the rest. REPEAT.

83 8 3

From programs into propositionalformulas

What about translating program statements

into propositional logic?

Consider the code fragment: x=0;x=1;

• Is this (x = 0) ∧ (x = 1) ?

Let x be a Boolean variable, then we get

(x = 0) ∧ (x 6= 0), a contradiction.

• Is this x = 0 → x = 1 ? Again we get get

(x = 0) → (x 6= 0), which means simply (x 6= 0).

• What is the problem?

• What is the translation of: x=0;x=x+1;

A Solution (not nice): Firstattempt

The code fragment: x=0;x=1; refers to x butat two different moments in time:

• At first x is 0, but then x becomes 1,

• so in fact we are dealing with two differentcopies: x0 which is the value of x at thecurrent moment, say 0, and x1 which is thevalue of x at the next moment 1.

• Now (x0 = 0) ∧ (x1 = 1) is a solution to ourproblem in propositional logic by translatingx into two xs.

• Later on we develop a much more compre-hensive approach based on Hoare triples.

• Temporal logic is another attempt to dealwith time in logic. We do not need to multi-ply x into different time copies, the temporallogic itself will make possible to talk aboutthe behaviour of x in time.

Predicate logic as a formallanguage for CS

• Learn syntax and semantics of predicate logic

(a.k.a. first-order logic) with ensuring its

orientation to the actual needs of computer

science and information technology.

The basic constructs:

(a) Properties P (x), Relations Q(x, y)

(b) Propositional connectives: ∧, ∨, →, ¬

(c) Quantifiers: ∃, ∀

(d) Variables:

bound occurrences and free occurrences.

Cf. local and global parameters in pro-

gramming.

Max Kanovich. Predicate logic as a language 25

Syntax of Predicate Logic:Vocabulary

(a) We assume an infinite set of variables

x1, x2, . . . , xn, . . . . y1, y2, . . . , yn, . . . .

(b) Vocabulary V is a set of

(b1) constant symbols c1, c2, . . . ;

(b2) function symbols f1, f2, . . . ;

with their arity;

(b3) predicate symbols P1, P2, . . . .

with their arity.

(c) A special binary relation symbols “=”.

Syntax of Predicate Logic: Terms,Formulas

(a) Terms are defined inductively as expres-

sions built up from variables and constants

by applying function symbols.

E.g., f(c, g(x)).

(b) Elementary predicate formulas are of the

form P (t1, t2, .., tk) where P is a predicate

symbol, t1, t2,..,tk are terms.

(c) Predicate formulas are built up from el-

ementary formulas by means of proposi-

tional connectives and quantifiers.

E.g., ∀x ∀y (P (x, y) → P (y, x)).

Semantics. Models

Given V , a model M = (U, I) consists of:

A non-empty set U , called a the universe, domain,

An interpretation function I that maps

(a) each constant symbol c to an element cI ∈ U ,

the meaning of c.

(b) each function symbol f of arity k to a

concrete function fI : Uk → U .

(c) each predicate symbol P of arity n to a

concrete n-placed predicate PI defined on U .

Each predicate formula ϕ gets its meaning ϕIin the model M = (U, I) by replacing these

symbols c, f , and P with their concrete in-

terpretations cI, fI, and PI, resp.

Notation: M |= ϕ or |=M ϕ iff . . .

Semantics. Examples

“Reflectivity”: ϕrefl = ∀xR(x, x)

U are the integers, U are the nodes in a tree,

U are the nodes in a graph, U is a family,

U are the values in a heap.

Semantics. Examples

“Transitivity”:

ϕtrans = ∀x, y, z ((R(x, y)∧R(y, z)) → R(x, z))

U are the nodes in a graph,

U is a family, U are the values in a heap,

U are the states of a program.

Semantics. Examples

“A step”: ϕstep = ∀x∀y (S(x, y) → R(x, y))

S(x, y) = “y = x+1”, R(x, y) = “x ≤ y”

Semantics. Examples

“Reachability” (induction):

ϕreach = ∀x, y, z ((S(x, y)∧R(y, z)) → R(x, z))

“Reachability” ⇒ “Transitivity” ?

ϕrefl = ∀xR(x, x)

ϕreach = ∀x, y, z ((S(x, y)∧R(y, z)) → R(x, z))www�

in any model ?

“Reachability” ⇒ “Transitivity” ?

ϕrefl = ∀xR(x, x)

ϕreach = ∀x, y, z ((S(x, y)∧R(y, z)) → R(x, z))

ϕreach,2 = ∀x, z (R(x, z) →

((x=z) ∨ ∃y (S(x, y) ∧R(y, z))))www�

in any model ?

Inductive Definitions

R(x, z) ≡ ((x=z) ∨ ∃y (S(x, y) ∧R(y, z)))

Infinite domains

“Irreflexivity”: ϕ0 = ∀x¬P (x, x)

“Transitivity / Reachability”:

ϕ1 = ∀x, y, z ((P (x, y) ∧ P (y, z)) → P (x, z))

“Unboundness”:

ϕ2 = (ϕ0 ∧ ϕ1) → ∀x∃y P (x, y)

Finite Models as Instances ofRelational Databases

No function symbols.

(a) A relational schema consists of a set of

predicate symbols.

(b) A database instance is given by a finite in-

terpretation I: The “table” representation

makes explicit only the positive content of

an instance and leaves its negative content

implicit.

(c) An interpreted formula ϕ(x1, x2, . . . , xn) is

considered as a query.

Semantic Satisfiability,Semantic Validity

Recall: A model M = (U, I) is a description

of a system that accounts for all of its known

properties.

A closed formula ϕ is satisfiable if it computes

to T for at least one model.

A closed formula ϕ is valid,

or a tautology, if it computes to T, whatever

model we choose.

We will denote this fact by |= ϕ.

E.g., ((A ∧B) → B) is valid.

A closed formula ϕ is a contradiction if it

computes to F, whatever model we choose.

In this case, |= ¬ϕ.

Semantic EntailmentSemantic Equivalence

ϕ1, ϕ2, . . . , ϕn semantically entail ψ

ϕ1, ϕ2, . . . , ϕn |= ψ

if, for any modelM , the ψ evaluates to T inM ,

whenever ϕ1, ϕ2, . . . , ϕn evaluate to T in M .

E.g., A, (A → B) |= B

ϕ and ψ are semantically equivalent

ϕ ≡ ψ

if, for any model M , the ϕ evaluates to T in M

if and only if the ψ evaluates to T in M .

E.g., ¬(A → B) ≡ A ∧ ¬B

A subtle point with formulas with free variables

ϕ(x1, x2, . . . , xn)

Predicate logic as a speclanguage: An Example

“Each element of a given array is bounded by

some element from a given list.”

An Example: Name objects andidentify quantifiers

“Each element x of a given array A is bounded

by some element y from a given list L.”

An Example: Give a formula

∀x((x ∈ A) → ∃y((y ∈ L) ∧ (x ≤ y)))

Predicate Logic: Exercise 41

For each of the following sentences, encode it

in predicate logic and determine whether it is

true or false.

(a) “Every student is younger than some lec-

turer”

(b) “All men are mortal; Socrates is a man;

therefore, Socrates is mortal.”

(c) “For every integer one can find a larger

integer.”

(d) “The archaic Phoenician alphabet is in the

origin of all modern alphabets”

(e) “All even integers are divided by 4.”

(f) “All integer divided by 4 are even.”

(g) 2n < n2, for some positive integer n.

(h) 2n ≥ n2, for all positive integers n.

Answers to Ex.41 on slide 41

(a) ∀x(

S(x) → ∃y (L(y) ∧ Y (x, y)))

∀x (man(x) → mort(x)))

∧ man(s) → mort(s)

(c) A(Ph) ∧ ∀x(

A(x) ∧M(x) → O(Ph, x))

O(u, v) means “u is in the origin of v”

(d) ∀x(

(x∈N) → ∃y ((y∈N) ∧ (x < y)))

(e) ∀x((

(x∈N) ∧ ∃y ((y∈N) ∧ (x = 2y)))

→ ∃z ((z∈N) ∧ (x = 4z)))

(f) ∀x((

(x∈N) ∧ ∃y ((y∈N) ∧ (x = 4y)))

→ ∃z ((z∈N) ∧ (x = 2z)))

(g) ∃x(

(x∈N) ∧ (x>0) ∧ (2n < n2))

(h) ∀x(

((x∈N) ∧ (x>0)) → (2n ≥ n2))

The Universal Quantifier

Let P (x) denote an assertion about x, whichmeans that for each choice c of x, the assertionP (c) is either true or false.

“For every x from a given set S, P (x)” isabbreviated as

∀x∈S : P (x) (1)

Suppose S = {c1, c2, . . . , cm, . . . }.The meaning of the statement ∀x∈S : P (x)is determined with the help of the followingtable:

x P (x)

c1 P (c1)c2 P (c2)c3 P (c3). . . . . .

cm P (cm). . . . . .

The ‘quantified statement’ ∀x∈S : P (x) issaid to be true iff P (c) turns out to be truefor every choice c of x in S, that is the resultingcolumn in (2) consists only of T’s.

The Universal Quantifier,An Example

E.g., a statement of the form [∀x∈ IN : (x2 = x)]

is false:

x “(x2 = x)”

0 “(02 = 0)” ≡ T

1 “(12 = 1)” ≡ T

2 “(22 = 2)” ≡ F

. . . . . .

For a finite set S = {c1, c2, .., cm}, the state-

∀x∈S : P (x)

means the same as a “long” conjunction of the

P (c1) ∧ P (c2) ∧ · · · ∧ P (cm).

The Existential Quantifier

Let P (x) denote an assertion about x, whichmeans that for each choice c of x, the assertionP (c) is either true or false.

“For some x from a given set S, P (x)” isabbreviated as

∃x∈S : P (x) (3)

Suppose S = {c1, c2, . . . , cm, . . . }.The meaning of the statement ∃x∈S : P (x)is determined with the help of the followingtable:

x P (x)

c1 P (c1)c2 P (c2)c3 P (c3). . . . . .

cm P (cm). . . . . .

The ‘quantified statement’ ∃x∈S : P (x) issaid to be true iff P (c) turns out to be truefor at least one choice c of x in S, that is theresulting column in (4) has at least one T.

The Existential Quantifier.An Example

E.g., a statement of the form [∃x∈ IN : (x2 = x)]

is true:

x “(x2 = x)”

0 “(02 = 0)” ≡ T

1 “(12 = 1)” ≡ T

2 “(22 = 2)” ≡ F

. . . . . .

For a finite set S = {c1, c2, .., cm}, the state-

∃x∈S : P (x)

means the same as a “long” disjunction of the

P (c1) ∨ P (c2) ∨ · · · ∨ P (cm).

Free and Bound Variables

ϕ(x) = (P (x) → ∀xP (x))

By prefixing an operator such as ∀ or ∃, welimit, or bind, the corresponding quantified vari-able.

The bounded occurrences can be only renamed:

(a) ∀x∈S : P (x) means the same as∀y∈S : P (y),

(b) ∃x∈S : P (x) means the same as∃v∈S : P (v).

Warning: When we calculate, for instanceϕ(4), all bound occurrences of variables are“untouchable”.

ϕ(4) = (P (4) → ∀xP (x))

Free and Bound Variables

Bound variables are typical for Math and CS.

For instance,

(a) Algebra:

i=n∑

(here n is a free variable, i is a bound vari-

(b) Calculus:

asin(2t+ 1)dt

(here a and b are free variables, t is a

bound variable)

(c) Programming: Global and local variables.

A ‘Standard’ Predicate Proof for:

¬(∃x∈S : P (x)) ≡ (∀x∈S : ¬P (x)).

Theorem 0.3 For any predicate P (x) and set S:

¬(∃x∈S : P (x)) ≡ (∀x∈S : ¬P (x)).

Proof. We have to prove that both LHS and

RHS have just the same truth value irrespective

of the peculiarities of P (x) and S.

Let us consider the following cases.

¬(∃x∈S : P (x)) ≡ (∀x∈S : ¬P (x)).

(1) Suppose that LHS ≡ T.

Then (∃x∈S : P (x)) is false, which meansthat whatever values c from S we take, allthe propositions P (c) are to be false.Hence, all the propositions ¬P (c) aretrue, whenever c∈S.

By definition, (∀x∈S : ¬P (x)) is true.

We can conclude that RHS ≡ T ≡ LHS.

(2) Suppose the opposite: LHS ≡ F.

Then (∃x∈S : P (x)) is true, which meansthat one can find a particular value c0 in Ssuch that the proposition P (c0) is true.Therefore, ¬P (c0) is false. By definition,(∀x∈S : ¬P (x)) is not true.

The effect is that RHS ≡ F ≡ LHS.

Bringing together all the cases considered, wecan conclude that LHS ≡ RHS.

De Morgan’s Laws,or the ‘Duality Principle’

The universal and existential quantifiers gener-alize the connectives ∧ and ∨, resp., in order todeal with infinitely many assertions P (c) aboutinfinitely many values c.

Theorem 0.4 (De Morgan’s Laws)

¬∃x∈S : P (x) ≡ (∀x∈S : ¬P (x)), (5)

¬∀x∈S : Q(x) ≡ (∃x∈S : ¬Q(x)). (6)

(a) ¬∀x (x2 = x) ≡ ∃x¬(x2 = x) ≡ ∃x (x2 6= x).

(b) “There is no largest integer.”

¬∃y ∀x (x ≤ y) ≡ ∀y¬∀x (x ≤ y) ≡∀y ∃x¬(x ≤ y) ≡ ∀y ∃x (x > y).

“For every integer one can find a larger

integer.”

Is it true in Java?

A Very Useful Corollary

“All men are mortal” has a predicate structureof the form

∀x (M(x) → T (x))

“Some birds are swimming” has a predicatestructure of the form

∃x (B(x) ∧ S(x))

Corollary 0.1 (De Morgan’s Laws)

¬∃x (H(x) ∧ P (x)) ≡ ∀x (H(x) → ¬P (x)),

¬∀x (H(x) → Q(x)) ≡ ∃x (H(x) ∧ ¬Q(x)).

Reminder:

(i) “∀x∈S : Q(x)” means that

∀x((x∈S) → Q(x)).

(ii) Whereas “∃x∈S : P (x)” means that

∃x((x∈S) ∧ P (x)).

∀∃ versus ∃∀

Theorem 0.5 The order in which quantifiers

appear may affect the meaning of the state-

Proof. Statement Truth Value

∀x∈ IN ∃y∈ IN (x < y) true

∃y∈ IN ∀x∈ IN (x < y) false

Quantifiers Laws: “One likes one’srelatives”

Theorem 0.6 Whatever predicates P (x) and

Q(x) we take:

P (x) ∨Q(x))

∃xP (x))

∃xQ(x))

P (x) ∧Q(x))

∀xP (x))

∀xQ(x))

Theorem 0.7 One can find predicates P0(x)

and Q0(x) so that:

P0(x) ∧Q0(x))

∃xP0(x))

∃xQ0(x))

P0(x) ∨Q0(x))

∀xP0(x))

∀xQ0(x))

‘Limited’ Quantifiers Laws

Theorem 0.8 Assuming that x has no free

occurrence in predicate P :

P ∨Q(x))

≡ (P ∨ ∃xQ(x))

P ∧Q(x))

≡ (P ∧ ∃xQ(x))

P ∨Q(x))

≡ (P ∨ ∀xQ(x))

P ∧Q(x))

≡ (P ∧ ∀xQ(x))

P → Q(x))

≡ (P → ∀xQ(x))

Q(x) → P)

≡ ((

∃xQ(x))

→ P )

Peano Arithmetic: Vocabulary andan Intendent Interpretation.

Vocabulary V consists of

(a) a constant symbol zero

(b) a unary function symbol succ,

(c) binary function symbols add and mult

(d) the equality symbol =

The intended interpretation of symbols is:

(a) zero is interpreted as the number 0

(b) succ is interpreted as the successor func-tion which maps a number n into n+1

(c) add and mult are interpreted as the usualaddition and multiplication on natural num-bers

(d) the equality symbol = is the identity rela-tion.

A standard model M = (U, I)

Universe U is the set of natural numbers:

U = IN = {0, 1, 2, . . . }

Interpretation I maps symbols to their mean-

(a) zeroI = 0;

(b) succI(n) = n+1, for any natural number n;

(c) addI(n,m) = n+m, and

multI(n,m) = n ·m, for any natural num-

bers n and m;

Simplified notation

To make terms and formulas more readable,

(a) We write 0 instead of the term zero,

(b) We write x+1 instead of the term succ(x),

(c) We write + and · instead of add and mult

and use the infix notation:

x+y denotes the term add(x, y),x · y denotes the term mult(x, y).

(d) Relations < and ≤ are defined as:

x < z ≡ ∃y ((y 6= 0) ∧ (z = x+ y))

x ≤ z ≡ ∃y (z = x+ y)

(e) x is even ≡ ∃y (x = y + y)

x is odd ≡ ∃y (x = y + y + 1)

Primitive recursive arithmetic

Problem 1:

Problem 1: For the universe U = {1, 2, 3, 4, 5, 6},determine the truth value of the statement∃x ((x−1 = 4) ∧ (3x+5 = 20)).Answer to Problem 1: The statement in ques-tion is true.Let P (x) denote “((x−1 = 4) ∧ (3x+5 = 20))”

The meaning of P (x) is described by the table:

x P (x)

1 P (1) := “((1−1 = 4) ∧ (3·1+5 = 20))” ≡ F

2 P (2) := “((2−1 = 4) ∧ (3·2+5 = 20))” ≡ F

3 P (3) := “((3−1 = 4) ∧ (3·3+5 = 20))” ≡ F

4 P (4) := “((4−1 = 4) ∧ (3·4+5 = 20))” ≡ F

5 P (5) := “((5−1 = 4) ∧ (3·5+5 = 20))” ≡ T

6 P (6) := “((6−1 = 4) ∧ (3·6+5 = 20))” ≡ F

The resulting column in the above table has atleast one T, which means that the truth valueof the statement “∃x ((x−1 = 4) ∧ (3x+5 = 20))”is T.

Problem 2:

Problem 2: For the universeU = {1, 2, 3, 4, 5, 6, 7, 8}, determine the truthvalue of the following statements:

(a) ∀x (x>2),

(b) ∀x (x2<100),

(c) ∃x (x>2),

(d) ∃x ((x−1 = 4) ∧ (3x+5 = 20)).

Answer to Problem 2: (It is only a keyanswer, and must be completed withexplanations . . . )

Problem 3:

Problem 3: For the universeU = IN = {0, 1, 2, 3, . . .}, determine the truthvalue of the following statement: ∀x∃y (x < y),Answer to Problem 3: T

Let P (x) denote “∃y (x < y)”.The task is to evaluate a statement of the form∀xP (x).The meaning of P (x) is described as:

x P (x)

0 P (0) := “∃y (0 < y)” ≡ T

1 P (1) := “∃y (1 < y)” ≡ T

2 P (2) := “∃y (2 < y)” ≡ T

3 P (3) := “∃y (3 < y)” ≡ T

. . . . . .

m P (m) := “∃y (m < y)” ≡ T

. . . . . .

It is readily seen that the resulting column inthe above table has only T’s, which means thatthe truth value of the statement “∀xP (x)”is T.

Problem 4:

Problem 4: For the universeU = IN = {0, 1, 2, 3, . . .}, determine the truthvalue of the following statement: ∀y∃x (x < y)

Answer to Problem 4: F

Let Q(y) denote “∃x (x < y)”.The task is to evaluate a statement of the form∀y Q(y).The meaning of Q(y) is described as:

y Q(y)

0 Q(0) := “∃x (x < 0)” ≡ F

1 Q(1) := “∃x (x < 1)” ≡ T

2 Q(2) := “∃x (x < 2)” ≡ T

. . . . . .

The resulting column in the above table hassome F (it happens to be at the first row).This means that the truth value of the wholestatement “∀y Q(y)” is F.

Problem 5:

Problem 5: For the universe

U = IN = {0, 1, 2, 3, . . .}, determine the truth

value of the following statements:

(1) ∀x∀y (x < y),

(2) ∀x∃y (x < y),

(3) ∀y∃x (x < y),

(4) ∃x∀y (x < y),

(5) ∃x∃y (x < y).

Problem 6:

(1) ∀x∀y (x ≤ y),

(2) ∀x∃y (x ≤ y), (compare with ∃y∀x (x ≤ y))

(3) ∀y∃x (x ≤ y),

(4) ∃x∀y (x ≤ y),

(5) ∃x∃y (x ≤ y).

(2) T (whereas “∃y∀x (x ≤ y)” is F )

Problem 7:

(1) ∀x∀y (x = y),

(2) ∀x∃y (x = y), (compare with ∃y∀x (x = y))

(3) ∀y∃x (x = y),

(4) ∃x∀y (x = y),

(5) ∃x∃y (x = y).

(2) T (whereas “∃y∀x (x = y)” is F )

Problem 8:

Problem 8: Find appropriate predicates and

their specification to translate the following

into predicate logic:

(a) “All red things are in the box”

(b) “Only red things are in the box”

Answer to Problem 8:

I introduce the following predicates on the uni-

verse consisting of ’things’:

(a) R(x) := “x is red”

(b) B(y) := “y is a box”

(c) C(x, y) := “x is contained in y”

and the constant b to denote “the box”.

The translation into predicate logic is the fol-

lowing:

(a) ∀x (R(x) → C(x, b))

(b) ∀x (C(x, b) → R(x))

The following version is acceptable:

(b) C(x) := “x is in the box”

The translation into predicate logic is the fol-

lowing:

(a) ∀x (R(x) → C(x))

(b) ∀x (C(x) → R(x))

Problem 9:

Problem 9: Find appropriate predicates and

their specification to translate the following

into predicate logic, and simplify:

(a) “It is not true that all red things are in the

box”

(b) “It is not true that only red things are in

the box”

I introduce the following predicates on the uni-verse consisting of ’things’:

(b) B(y) := “y is a box”

(c) C(x, y) := “x is contained in y”

and the constant b to denote “the box”.

The result is the following:

(a) ¬∀x (R(x) → C(x, b)) ≡ ∃x (R(x) ∧ ¬C(x, b))

(“Some red thing is not in the box”)

(b) ¬∀x (C(x, b) → R(x)) ≡ ∃x (C(x, b) ∧ ¬R(x))

(“There is a thing in the box such that it,this thing, is not red”)

The following version is acceptable:

(b) C(x) := “x is in the box”

The result is the following:

(a) ∃x (R(x) ∧ ¬C(x))

(“Some red thing is not in the box”)

(b) ∃x (C(x) ∧ ¬R(x))

(“There is a thing in the box such that it,

this thing, is not red”)

The Prize . . . Problem 10:

Problem 10: Find appropriate predicates

and their specification to translate the follow-

ing into predicate logic:

(a) “Every prize was won by a boy”

(b) “A boy won every prize”

Explain the difference, if any, between (a) and (b).

Answer to Problem 10:

Problem 11:

The universe in question is the set of all human

beings.

You are not allowed to use any predicate sym-

bols other than below to translate the follow-

ing into predicate logic (and simplify, if it is

possible):

(1) F (x, y) mean “x is the father of y”;

(2) M(x, y) denote “x is the mother of y”;

and let constant symbol e denote “Ed”.

(a) “Everybody has a mother and a father”

(b) “Whoever has a mother has a father”

(c) “Ed is a grandfather”

(d) “It is not true that everybody has a mother

and a father”

(e) “It is not true that whoever has a mother

has a father”

(f) “It is not true that Ed is a grandfather”

(a) ∀x(

(∃yM(y, x)) ∧ (∃z F (z, x)))

(b) ∀x(

(∃yM(y, x)) → (∃z F (z, x)))

(c) ∃y(

F (e, y) ∧ ∃z (M(y, z) ∨ F (y, z)))

(d) ∃x(

(∀y¬M(y, x)) ∨ (∀z ¬F (z, x)))

(e) ∃x(

(∃yM(y, x)) ∧ (∀z ¬F (z, x)))

(f) ∀y(

F (e, y) → ∀z (¬M(y, z) ∧ ¬F (y, z)))

Automated Methods for Program Veriﬁcation: Propositional ... · Automated Methods for Program...

Documents

PreProceedings of the Ninth International Workshop on Automated Veriﬁcation … · 2012. 10. 23. · Preface AVOCS, the workshop on Automated Veriﬁcation of Critical Systems,

Logicredwood.cs.Ttu.edu/~rahewett/teach/ai16/5KR-logic.pdfLogic Logic as KR Propositional Logic Predicate Logic (predicate Calculus) Automated Reasoning Logical inferences Resolution

Ironclad Apps: End-to-End Security via Automated Full ...owen/courses/cmps223/papers/ironclad-os… · Ironclad Apps: End-to-End Security via Automated Full-System Veriﬁcation Chris

Completing the Automated Veriﬁcation of a Small Hypervisor

Propositional Logic and Satisfiability · 2020-07-09 · •Propositional Logic •Syntax •Semantics •Reduction to Clauses •Propositional Satisfiability •Empirical, Average

Software Veriﬁcation and Validation Laboratory: Automated ... · Automated Test Suite Generation for Time-Continuous Simulink Models Reza Matinnejad,Shiva Nejati,and Lionel Briand

PROPOSITIONAL AND NON- PROPOSITIONAL FUNCTIONS OF …

Beyond Subterm-Convergent Equational Theories in …people.inf.ethz.ch/rsasse/pub/BeyondSubterm-POST17.pdf · Beyond Subterm-Convergent Equational Theories in Automated Veriﬁcation

On Control Strategy and Safety Veriﬁcation of Automated ...publications.lib.chalmers.se/records/fulltext/173698/173698.pdf · On Control Strategy and Safety Veriﬁcation of Automated

1 Propositional Logic Introduction. 2 What is propositional logic? Propositional Logic is concerned with propositions and their interrelationships

Automated Deduction for Veriﬁcation · Automated Deduction for Veriﬁcation Natarajan Shankar ... the LCF (Logic for Computable Functions) project [Gordon et al. 1979] (initiated

Land surface Veriﬁcation Toolkit (LVT) - NASA · Land surface Veriﬁcation Toolkit (LVT)!! LVT is a framework developed to provide an automated, consolidated environment for systematic

Angelic Verification: Precise Verification Modulo Unknownsankushd/docs/cav15.pdf · 2020. 4. 5. · Angelic Verification: Precise Verification Modulo Unknowns Ankush Das1, Shuvendu

Behavior modeling and automated verification of Web servicesqsheng/papers/IS-2014.pdf · Behavior modeling and automated veriﬁcation of Web services Quan Z. Shenga,⇑, Zakaria

Propositional Logic...3.2 Syntax of Propositional Logic 31 studying propositional logic as a \gentle" introduction to the methods used in ﬂrst-order logic. In propositional logic,

Completing the Automated Verification of a Small … the Automated Verification of a Small Hypervisor - Assembler Code Verification? ... running the host processor in ... that we

MPRI 2-30: Automated Veriﬁcation of Cryptographic Protocol ...MPRI 2-30:! Automated Veriﬁcation of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon

Automated Veriﬁcation for Secure Messaging Protocols and their Implementations…prosecco.gforge.inria.fr/personal/bblanche/publications/... · · 2017-02-13Automated Veriﬁcation

Completing the Automated Verification of a Small …Completing the Automated Verification of a Small Hypervisor - Assembler Code Verification? Wolfgang Paul, Sabine Schmaltz, and

Automated Veriﬁcation of Practical Garbage Collectors...tractable, we exploit recent advances in automated theorem prov-ing technology, using the Boogie [3] and Z3 [8] tools to provide