Matching Logic Explained - fmse.info.uaic.roMatching Logic Explained Dorel Lucanu1 Joint work with...

Matching Logic Explained

Dorel Lucanu1

Joint work with Xiaohong Chen2, Grigore Ros,u2

1Alexandru Ioan Cuza University of Ias, i2University of Illinois at Urbana-Champaign

FROM, September 05, 2019

Dorel Lucanu (UAIC) Matching Logic Explained FROM, September 05, 2019 1 / 65

1 Introduction

2 Matching Logic (ML)

3 Matching µ-Logic (MmL)

4 Applicative Matching Logic (AML)

5 Induction

6 Coinduction

7 Conclusion

1 Introduction

5 Induction

6 Coinduction

7 Conclusion

Ideal language framework:tools derived from formal language definition

A Brief History of K Framework

I 2003, Grigore Ros,u at UIUC: motivated mainly by teachingprogramming languages and noticing that the existing semanticframeworks have limitations

I 2010-2013: joint work between Formal Systems Laboratory (FSL)from University of Illinois at Urbana-Champaign (UIUC) lead byGrigore Ros,u and Formal Methods in Software Engineering (FMSE)from Al. I. Cuza University (UAIC) lead by presenter

I since 2014: joint work between FSL and Runtimeverification - astart-up founded by Grigore Ros,u

A Fundamental Question

What is the best candidate for a unifying logic to be used for programminglanguages, specification, and verification?Such a candidate should be able (at least)

1. to represent the structure of the programs and their configurations,

2. to specify the semantics of the language simply and in a scalable(modular) way, and

3. to support (symbolic) execution and verification, includingspecification of properties

None of the existing logics supplied a satisfactory answer to theserequirements.

Initial Idea

I configuration: a pair term ∧ constraint〈x = x * 2; y = x +1;, x 7→ a + 3 y 7→ b〉 ∧ a ≤ b

I language definition: rulesif B then S1 else S2 ∧ B == true ⇒ S1

I properties: reachability formulas φ1 ⇒ φ2

Outcomes:

I symbolic execution automatically derived from definition of thesemantics

I reachability logics: a couple of proof systems for reachability formulas

I implementations that showed the feasibility of the approach on realcase studies (C, Java, JavaScript, etc)

Initial Idea

I configuration: a pair term ∧ constraint〈x = x * 2; y = x +1;, x 7→ a + 3 y 7→ b〉 ∧ a ≤ b

I language definition: rulesif B then S1 else S2 ∧ B == true ⇒ S1

I properties: reachability formulas φ1 ⇒ φ2

Outcomes:

I symbolic execution automatically derived from definition of thesemantics

I reachability logics: a couple of proof systems for reachability formulas

I implementations that showed the feasibility of the approach on realcase studies (C, Java, JavaScript, etc)

Current (and Final?) Status

Matching Logic (ML) (2017):

I no difference between function symbols and predicate symbolss(∃ x ∧ x > 5) ∨ plus(x , y ∧ y < 8) ∧ x < y

Matching µ-Logic (MmL) (2019):

I ML with least fixed-point (lfp) and greatest fixed-point (gfp) (asdual) operators

Applicative Matching Logic (AML) (2019):

I a fragment of MmL much simpler (and thus more appealing from afoundational and implementation perspectives), yet as expressive asMmL

A Taste of Matching Logic

a // b //

✏✏d

Node(=x) Gstep({x})a {a, b, d}b {a, b, d}c {a, b, d, e}d {a, b, d}e {a, b, d}f {a, b, c, d, e}

Figure 1. A simple transition system and tabulation of Gstep .

check if a is in it, but suppose we do not want to do this because inpractice the transition system may be huge or even infinite.

Instead, we may employ Tarski’s fixed-point theorem [22],which says that, to show a 2 inf , it suffices to find a set of nodesX such that a 2 X and 8x 2 X. 9y 2 X. x ! y. For the giventransition system, a possible such set is X = {a, b, d}, which cor-responds to the set of nodes that we followed to exhibit the cycleearlier. The problem, however, is that this proof is rather differentfrom the “model checking” one, and actually more difficult becauseit forces us to figure out what X is up front. What we would re-ally like is a way to prove our goal by incrementally expanding thecoinduction hypothesis from {a} to {a, b} to {a, b, d} as we ex-plore the transition system and see what nodes are reachable froma. The validity of such an approach is intuitively obvious, but whatis the general lattice-theoretic proof principle that justifies it?

Contributions. In this paper, we show how to support coinductiveproofs that are both compositional and incremental, using a deadsimple construction we call the parameterized greatest fixed point.The basic idea is to parameterize the greatest fixed point of interestover the accumulated knowledge of “the proof so far”.

Neither the idea nor the construction behind it is an origi-nal invention of ours per se. In 1989, Winskel [23] proposed thesame idea for supporting “local model checking” in the modal µ-calculus. (His construction, which is slightly different from ours,supports incrementality but not compositionality—in our sense ofthe word—but it is straightforward to repurpose his core “reduc-tion lemma” to derive a compositional version of his construction.)Independently, in 2001, Moss [14] presented a construction thatis essentially the same as ours, albeit in a more abstract categori-cal setting. However, neither of these prior accounts suggests thegeneral applicability of the parameterized greatest fixed point toimproving the state of the art in interactive coinductive proof.

Our goal in the present paper is to popularize the idea of param-eterized coinduction and explore its potential as a practically usefultool. More specifically, we make the following contributions:

• We present the parameterized greatest fixed point in simplelattice-theoretic terms, and show that it validates several usefulprinciples for compositional, incremental proofs (Section 2).We give representative examples to illustrate the utility of theseproof principles (Sections 2 and 3).

• We show how parameterized coinduction is complementary tothe traditional approach to simplifying simulation proofs via“up-to” techniques, and we develop the basic theory of howthese approaches compose (Section 4).

• We explore the issues that arise in the mechanization of parame-terized coinduction in existing interactive theorem provers likeCoq and Isabelle (Section 5). Fortunately, several of these is-sues can be resolved through variations on a somewhat esoterictechnique called Mendler-style recursion (Section 6).

• We describe Paco (pronounced “pah-ko”), a new Coq librarywe have developed for parameterized coinduction. Comparedto Coq’s existing cofix tactic, Paco enables faster and morerobust proof development, thanks to its support for semantic,rather than syntactic, guardedness checking (Section 7).

Finally, we conclude the paper in Section 8 with a detailed discus-sion of related work.

The technical development of this paper has been formalized inthe Coq proof assistant. That formalization, together with a tutorialfor our Coq library, Paco, is available from the Paco website:

http://plv.mpi-sws.org/paco/

2. Parameterized CoinductionLet us begin by reviewing the basic lattice theory underlying coin-ductive definitions and their associated standard proof principles.

Consider a complete lattice (C,v,u,t,>,?), and a monotone(i.e., order-preserving) function f 2 C

mon�! C. Strictly speaking,for generality, we do not require v to be antisymmetric, and wewrite ⌘ for the intersection of v and w (its inverse), which corre-sponds to = if we have antisymmetry. We say that r is a prefixedpoint of f if f(r) v r, and r is a postfixed point of f if r v f(r).Further, we write µf for f ’s least fixed point and ⌫f for its greatestfixed point, which by Tarski’s fixed-point theorem [22] is equal tothe join of all postfixed points of f :

⌫f ⌘G

{r 2 C | r v f(r)}

Tarski’s Principle. We are concerned with proving statements ofthe form x v ⌫f . From Tarski’s theorem we directly get thatpostfixed points are included in the greatest fixed point:

x v f(x) =) x v ⌫f (TARSKI)

To prove that x v ⌫f when x 6v f(x) using this principle, we haveto determine a postfixed point of f larger than x up front:

x v ⌫f () 9r. x v r ^ r v f(r)

This is clearly inconvenient for doing interactive proofs, as it forcesone to construct the coinduction hypothesis r up front, instead ofallowing r to be generated naturally in the course of the proof. Re-call that in the example of the introduction, although we were onlyinterested in showing that a 2 ⌫ step, we had to pick r := {a, b, d}up front. In large proofs, this quickly becomes a big problem.For example, the ClightTSO-Csharpminor simulation proof in theCompCertTSO verified compiler [20] requires a simulation relationr that comprises 69 cases, most of which tediously relate interme-diate execution states.

Strong Coinduction. Second, there is a slight variant of (TARSKI),sometimes called the strong coinduction principle [4]:

Lemma 1 (Strong coinduction). x v ⌫f () x v f(x t ⌫f).

Proof. First, we have ⌫f ⌘ f(⌫f) v f(x t ⌫f) (†). The (=))direction follows directly from (†). For the ((=) direction: fromx v f(xt ⌫f) and (†), we get xt ⌫f v f(xt ⌫f), i.e., xt ⌫f isa postfixed point of f . So, from (TARSKI), x v x t ⌫f v ⌫f .

This principle is “strong” in the sense that it is complete, but itstill does not offer us a very useful interactive proof technique. Theproblem arises if in the course of proving that x v f(x t ⌫f), weever need to generalize the coinduction hypothesis by adding somey to it. The only recourse the strong coinduction principle gives usat this point (if we want to continue interactively with the proof)is to show that y v ⌫f . But of course the proof of that may cyclearound, forcing us to prove that x v ⌫f , in which case we arestuck. We are therefore forced to restart the proof, generalizing thecoinduction hypothesis to x t y, i.e., showing that x t y v ⌫f .

Parameterized Coinduction. Our parameterized coinduction prin-ciple gives us a way to avoid restarting the proof by making explicitthe idea of accumulated knowledge. In the course of the proof, we

a ∈ [[State]] ∧ b ∈ [[State]] ∧ · · ·(a, b, c , d , e, f are constants of sortState),∀ s . s ∈ [[State]]→ • s ⊆ [[State]](• : [[State]]→ [[State]]),• a = ⊥ • d = b• b = a ∨ d • e = ⊥• c = b ∨ e • f = c

We may prove that there is an infinite execution starting from a:Γ |= a→ ν Y . • Y

a // b //

✏✏d

⌫f ⌘G

{r 2 C | r v f(r)}

x v ⌫f () 9r. x v r ^ r v f(r)

a // b //

✏✏d

⌫f ⌘G

{r 2 C | r v f(r)}

x v ⌫f () 9r. x v r ^ r v f(r)

This Talk

I a gentle intoduction to the three components of the ML frameworkbased on:

Grigore Ros,u. Matching logic. Logical Methods in Computer Science,

Xiaohong Chen and Grigore Ros,u. Matching mu-logic. LICS’19, 2019.

Xiaohong Chen and Grigore Ros,u. Applicative matching logic.Technical Report, http://hdl.handle.net/2142/104616, 201913(4):1-61, 2017.

I several case studies showing how the inductive reasoning and thecoinductive reasoning are applied within ML (work in progress)

1 Introduction

5 Induction

6 Coinduction

7 Conclusion

How We Define Syntax

Backus-Naur notation/grammar:

Nat ::= 0 | s(Nat) | le(Nat,Nat)

Inference rules:

s(n):Nat

m:Nat n:Nat

le(m, n):Nat

Functional-programming-language-like syntax:

nat : Set := Zero : nat | Succ : nat −> natl e (m n : nat ) : nat := . . .

Signatures in ML

I sorts: S

I symbols: Σ = {Σw ,s}w∈S∗,s∈SI variables: Var = {Vars}s∈S

Example BNAT:

S = {Nat},Σε,Nat = {0},ΣNat,Nat = {s},ΣNat Nat,Nat = {le},Σw ,s = ∅ otherwise.

Patterns

Pattern(�):

ϕs ::= x :s | ϕs ∧ ϕs | ¬ϕs | ∃x :s ′ . ϕs | σ(ϕs1 , . . . , ϕsn)

where x :s ∈ Vars , σ ∈ Σs1···sn,s .Examples of BNAT patterns:

¬s(0)

x :Nat ∧ le(s(0), x :Nat),

∃x :Nat . x :Nat ∧ le(s(0), x :Nat),

s(∃x :Nat . x :Nat ∧ le(s(0), x :Nat))

Models

In a model M

I each sort s ∈ S is interpreted as a set Ms ;

I each symbol σ ∈ Σs1···sn,s as a function (relation)Mσ : Ms1 × · · · ×Msn → P(Ms);

I the variables are interpreted using valuations ρ : Var→ M, such thatρ(x :s) ∈ Ms for all x :s ∈ Vars , s ∈ S .

Remark

If σ ∈ Σε,s , i.e., σ is a constant of sort s, then Mσ ⊆ Ms .

It is recommended to think that an interpretation of a symbol is a relation!

The interpretations of symbols are pointwise extended to sets:

Mσ(A1, . . . ,An) =⋃{Mσ(a1, . . . , an) | a1 ∈ A1, . . . , an ∈ An}

Models

In a model M

Remark

Models

In a model M

Remark

Models

In a model M

Remark

The First BNAT Model

M1Nat = N = {0, 1, 2, . . .};M10 = {0};M1s(n) = {n + 1};

M1le(m, n) =

{N ,m ≤ n,

∅ , otherwise.

The Third BNAT Model

M3Nat = N;

M30 = {0};M3s(m) = {n | n ∈ N,m < n};

M3le(m, n) =

{N ,M3s(n) ⊆ M3s(m),

∅ , otherwise.

Interpretations of the Patterns

ρ : Var→ M are inductively extended to ρ : Pattern(�)→ P(M) asfollows:

ρ(x :s) = {ρ(x)};ρ(ϕs ∧ ϕ′s) = ρ(ϕs) ∩ ρ(ϕ′s);

ρ(¬ϕs) = Ms \ ρ(ϕs);

ρ(∃x :s ′ . ϕs) =⋃

a∈Msρ[a/x ](ϕ);

ρ(σ(ϕ1, . . . , ϕn)) = Mσ(ρ(ϕ1), . . . , ρ(ϕn));

where ρ[a/x ] : Var→ M is the valuation defined by

ρ[a/x ](y) =

{a , y = x ,

ρ(y) , y 6= x.

Interpretations of the Patterns: Example 1/2

ρ(s(0)) = 1 ∀ρ : Var→ M1

ρ(s(0)) = {2, 3, . . .} ∀ρ : Var→ M3

ρ(¬s(0)) = N \ 1 ∀ρ : Var→ M1

ρ(¬s(0)) = N \ {2, 3, . . .} = {0, 1} ∀ρ : Var→ M3

Interpretations of the Patterns: Example 2/2

ρ(x :Nat ∧ le(s(0), x :Nat)) = {0} ∩ ∅ = ∅ ρ : Var→ M1, ρ(x) = 0

ρ(x :Nat ∧ le(s(0), x :Nat)) = {3} ∩ N = {3} ρ : Var→ M1, ρ(x) = 3

similar for M3

ρ(∃x :Nat . x :Nat ∧ le(s(0), x :Nat)) = {1, 2, 3, . . .} ∀ρ : Var→ M1

ρ(∃x :Nat . x :Nat ∧ le(s(0), x :Nat)) = {1, 2, 3, . . .} ∀ρ : Var→ M3

ρ(s(∃x :Nat . x :Nat ∧ le(s(0), x :Nat))) = {2, 3, . . .} ∀ρ : Var→ M1

ρ(s(∃x :Nat . x :Nat ∧ le(s(0), x :Nat))) = {2, 3, . . .} ∀ρ : Var→ M3

Derived Constructs

ϕ1 ∨ ϕ2 ≡ ¬(¬ϕ1 ∧ ¬ϕ2) ∀x :s ′ . ϕ ≡ ¬∃x :s ′ .¬ϕϕ1 → ϕ2 ≡ ¬ϕ1 ∨ ϕ2 >s ≡ ∃x :s . x :s

ϕ1 ↔ ϕ2 ≡ (ϕ1 → ϕ2) ∧ (ϕ2 → ϕ1) ⊥s ≡ ¬>s

Consequences:

ρ(ϕ1 ∨ ϕ2) = ρ(ϕ1) ∪ ρ(ϕ2) ρ(∀x :s ′ . ϕ) =⋂

a∈Ms

ρ[a/x ](ϕ)

ρ(ϕ1 → ϕ2) = Ms \ (ρ(ϕ1) \ ρ(ϕ2)) ρ(>s) = Ms

ρ(ϕ1 ↔ ϕ2) = Ms \ (ρ(ϕ1)4ρ(ϕ2)) ρ(⊥s) = ∅

Derived Constructs

ϕ1 ∨ ϕ2 ≡ ¬(¬ϕ1 ∧ ¬ϕ2) ∀x :s ′ . ϕ ≡ ¬∃x :s ′ .¬ϕϕ1 → ϕ2 ≡ ¬ϕ1 ∨ ϕ2 >s ≡ ∃x :s . x :s

ϕ1 ↔ ϕ2 ≡ (ϕ1 → ϕ2) ∧ (ϕ2 → ϕ1) ⊥s ≡ ¬>s

Consequences:

ρ(ϕ1 ∨ ϕ2) = ρ(ϕ1) ∪ ρ(ϕ2) ρ(∀x :s ′ . ϕ) =⋂

a∈Ms

ρ[a/x ](ϕ)

ρ(ϕ1 → ϕ2) = Ms \ (ρ(ϕ1) \ ρ(ϕ2)) ρ(>s) = Ms

ρ(ϕ1 ↔ ϕ2) = Ms \ (ρ(ϕ1)4ρ(ϕ2)) ρ(⊥s) = ∅

Validity

M |= ϕ (M satisfies ϕ): ρ(ϕ) = Ms for all ρ : Var→ M

M |= F , F ⊆ Pattern: M |= ϕ for all ϕ ∈ F

ϕ valid, |= ϕ: M |= ϕ for all models M

Examples:

M |= ϕ1 ∧ ϕ2 iff M |= ϕ1 and M |= ϕ2

M |= ϕ1 → ϕ2 iff ρ(ϕ1) ⊆ ρ(ϕ2) for all ρ : Var→ M

M |= ∀x :s . ϕ iff M |= ϕ

|= ϕ, where ϕ is a propositional tautology

|= ϕ1 and |= ϕ1 → ϕ2 implies |= ϕ2 (modus ponens)

|= ∀x :s . ϕ→ ϕ[y :s/x :s], where y : s 6∈ FV (ϕ) (substitution)

Validity

M |= ϕ (M satisfies ϕ): ρ(ϕ) = Ms for all ρ : Var→ M

M |= F , F ⊆ Pattern: M |= ϕ for all ϕ ∈ F

ϕ valid, |= ϕ: M |= ϕ for all models M

Examples:

M |= ϕ1 ∧ ϕ2 iff M |= ϕ1 and M |= ϕ2

M |= ϕ1 → ϕ2 iff ρ(ϕ1) ⊆ ρ(ϕ2) for all ρ : Var→ M

M |= ∀x :s . ϕ iff M |= ϕ

|= ϕ, where ϕ is a propositional tautology

|= ϕ1 and |= ϕ1 → ϕ2 implies |= ϕ2 (modus ponens)

|= ∀x :s . ϕ→ ϕ[y :s/x :s], where y : s 6∈ FV (ϕ) (substitution)

Specifications

specification: (S ,Σ,F )

(S ,Σ,F )-model M: M |= ϕ for all ϕ ∈ F

(S ,Σ,F ) entails ϕ: M |= F implies M |= ϕ for all models M

Examples:

(S ,Σ, {σ(x1:s1, . . . , xn:sn) = >s ∨ σ(x1:s1, . . . , xn:sn) = ⊥s}): Mσ is apredicate (holds or does not hold)

(S ,Σ, {∃ y :s . σ(x :s) = y :s, σ(x :s) ∧ σ(y :s)→ σ(x :s ∧ y :s)}): Mσ isan injective function

(S ,Σ, {∃y :s ′ . σ(x :s)→ y :s ′}): Mσ is a partial function

Specifications

specification: (S ,Σ,F )

(S ,Σ,F )-model M: M |= ϕ for all ϕ ∈ F

(S ,Σ,F ) entails ϕ: M |= F implies M |= ϕ for all models M

Examples:

(S ,Σ, {σ(x1:s1, . . . , xn:sn) = >s ∨ σ(x1:s1, . . . , xn:sn) = ⊥s}): Mσ is apredicate (holds or does not hold)

(S ,Σ, {∃ y :s . σ(x :s) = y :s, σ(x :s) ∧ σ(y :s)→ σ(x :s ∧ y :s)}): Mσ isan injective function

(S ,Σ, {∃y :s ′ . σ(x :s)→ y :s ′}): Mσ is a partial function

Definedness

Motivation:

I How can we interpret patterns in a conventional, two-valued way?

I Are the patterns matching proper subsets of elements?

I How can we lift reasoning within syntactic category (sort) s1 tosyntactic category s2?

Solution:Consider specifications (S ,Σ,F ) such that, for any pair (s1, s2) ∈ S × S ,

I Σ includes a distinguished symbol d es2s1 , called definedness

I F includes the axiom dx :s1es2s1

Definedness

Motivation:

I How can we interpret patterns in a conventional, two-valued way?

I Are the patterns matching proper subsets of elements?

I How can we lift reasoning within syntactic category (sort) s1 tosyntactic category s2?

Solution:Consider specifications (S ,Σ,F ) such that, for any pair (s1, s2) ∈ S × S ,

I Σ includes a distinguished symbol d es2s1 , called definedness

I F includes the axiom dx :s1es2s1

Totality and Equality of Patterns

Motivation:Since ϕ↔ ϕ′ is not two-valued, it cannot capture the equality ϕ = ϕ′.

Solution:

ϕ =s2s1 ϕ

′ ≡ bϕ↔ ϕ′cs2s1where the totality symbol b cs2s1 is the dual of the definedness:

bϕcs2s1 ≡ ¬d¬ϕes2s1

Explanation: (ϕ totally defined) ≡ (it is not true that there are elementsfor which ϕ is not defined)(ϕ is equal to ϕ′ in s2) ≡ (ϕ↔ ϕ′ is totally defined), i.e.,

M |= ϕ =s2s1 ϕ

′ iff M |= ϕ↔ ϕ′ for any model M

Totality and Equality of Patterns

Motivation:Since ϕ↔ ϕ′ is not two-valued, it cannot capture the equality ϕ = ϕ′.

Solution:

ϕ =s2s1 ϕ

′ ≡ bϕ↔ ϕ′cs2s1where the totality symbol b cs2s1 is the dual of the definedness:

bϕcs2s1 ≡ ¬d¬ϕes2s1

Explanation: (ϕ totally defined) ≡ (it is not true that there are elementsfor which ϕ is not defined)(ϕ is equal to ϕ′ in s2) ≡ (ϕ↔ ϕ′ is totally defined), i.e.,

M |= ϕ =s2s1 ϕ

′ iff M |= ϕ↔ ϕ′ for any model M

Axiomatizing Membership and Subset

I membership: x :s1 ∈s2s1 ϕ ≡ dx ∧ ϕes2s1

I inclusion: ϕ ⊆s2s1 ϕ

′ ≡ bϕ→ ϕ′cs2s1

Axiomatizing Product Sorts

Let s1, s2 be two sorts in S . Then we can add the product sort s1⊗s2 to Swith the following axiomatic definition:

Consider two auxiliary symbols:

pairing: 〈 , 〉 : s1 × s2 → s1 ⊗ s2, and

projections: πi : s1 ⊗ s2 → si , i = 1, 2,

together with the follwing axioms:

injectivity: ∀ x1, y1:s1 .∀ x2, y2:s2 . 〈x1, x2〉 = 〈y1, y2〉 → x1 = y1 ∧ x2 = y2

product: ∃ x1:s1 .∃ x2:s2 . 〈x1, x2〉diagram chasing : πi 〈x1, x2〉 = xi , i = 1, 2

Axiomatizing Product Sorts

Let s1, s2 be two sorts in S . Then we can add the product sort s1⊗s2 to Swith the following axiomatic definition:

Consider two auxiliary symbols:

pairing: 〈 , 〉 : s1 × s2 → s1 ⊗ s2, and

projections: πi : s1 ⊗ s2 → si , i = 1, 2,

together with the follwing axioms:

injectivity: ∀ x1, y1:s1 .∀ x2, y2:s2 . 〈x1, x2〉 = 〈y1, y2〉 → x1 = y1 ∧ x2 = y2

product: ∃ x1:s1 .∃ x2:s2 . 〈x1, x2〉diagram chasing : πi 〈x1, x2〉 = xi , i = 1, 2

1 Introduction

5 Induction

6 Coinduction

7 Conclusion

Motivation

Extend ML in order to

I be able to define inductive and coinductive types

I reason about the dynamic behaviour of programs

Fixed Points

Theorem (Knaster-Tarski)

Let U be a set. Any F : P(U)→ P(U) monotonic w.r.t. ⊆ has

I a least fixed-point µ y .F (y) (on short µ F ), and

I a greatest fixed-point ν y .F (y) (on short ν F ).

Moreover,

I µ F =⋂{X | F (X ) ⊆ X} and

I ν F =⋃{X | X ⊆ F (X )}

Knaster-Tarski Theorem, Graphically

X ⊆ F (X )

X = F (X )

F (X ) ⊆ X

set of post-fixed points

complete lattice of fixed points

set of pre-fixed points

Patterns as Powerset Functionals

ϕ ∈ Patterns , ρ : Var→ M, x ∈ FV (ϕ)

Define Fρϕ,x : P(Ms)→ P(Ms) by

Fρϕ,x(A) =⋃a∈A

ρ[a/x ](ϕ)

Example: ϕ = 0 ∨ s(x),ρ : Var→ NFρϕ,x(∅)= ρ(0) ∪ (

⋃a∈∅ ρ[a/x ](s(x))) = {0}

Fρϕ,x({0})= ρ(0) ∪ (

⋃a∈{0} ρ[a/x ](s(x))) = {0, 1}

Fρϕ,x({0, 1})= ρ(0) ∪ (

⋃a∈{0,1} ρ[a/x ](s(x))) = {0, 1, 2}

. . .Fρϕ,x is monotonic, so it has a least fixed point µFρϕ,x and a greatest fixed

point ν Fρϕ,x .Question: Can we define patterns matching the two fixed points?

ρ[a/x ](ϕ)

⋃a∈∅ ρ[a/x ](s(x))) = {0}

Fρϕ,x({0})= ρ(0) ∪ (

⋃a∈{0} ρ[a/x ](s(x))) = {0, 1}

Fρϕ,x({0, 1})= ρ(0) ∪ (

⋃a∈{0,1} ρ[a/x ](s(x))) = {0, 1, 2}

ρ[a/x ](ϕ)

⋃a∈∅ ρ[a/x ](s(x))) = {0}

Fρϕ,x({0})= ρ(0) ∪ (

⋃a∈{0} ρ[a/x ](s(x))) = {0, 1}

Fρϕ,x({0, 1})= ρ(0) ∪ (

⋃a∈{0,1} ρ[a/x ](s(x))) = {0, 1, 2}

Matching µ-Logic (MmL), Formally 1/2

Variables: Var = EVar ∪ SVar,EVar = element variables x :s, y :s, z :s, . . .,SVar = set variables X :s,Y :s,Z :s, . . .

Signatures: � = (S ,Var,Σ)

Patterns:

ϕs ::=x :s | X : s | · · ·µX :s . ϕs if ϕs is positive in X :s

Models: similar to ML

Valuations: ρ : Var→ M such that ρ(x :s) ∈ Ms for x : ∈ EVar andρ(X :s) ⊆ Ms for X : ∈ EVar

ρ(x :s) = {ρ(x :s)}ρ(X :s) = ρ(x :s)

ρ(µX :s . ϕ) = µFρϕ,X

where Fρϕ,X : P(Ms)→ PMs , Fρϕ,X (A) = ρ[A/X ](ϕ)

Derived pattern:

ν X :s . ϕ ≡ ¬µX :s.¬ϕ[¬X :s/X :s]

ρ(ν X :s . ϕ) = ν Fρϕ,X

Models: similar to ML

Valuations: ρ : Var→ M such that ρ(x :s) ∈ Ms for x : ∈ EVar andρ(X :s) ⊆ Ms for X : ∈ EVar

ρ(x :s) = {ρ(x :s)}ρ(X :s) = ρ(x :s)

ρ(µX :s . ϕ) = µFρϕ,X

where Fρϕ,X : P(Ms)→ PMs , Fρϕ,X (A) = ρ[A/X ](ϕ)

Derived pattern:

ν X :s . ϕ ≡ ¬µX :s.¬ϕ[¬X :s/X :s]

ρ(ν X :s . ϕ) = ν Fρϕ,X

Finite Lists in MmL 1/2

S = {Elt, List}, Σ = {nil , cons}, and F includes the following axioms:

nil , cons are functions:

nil : → List cons : Elt × List → List

The above statements are sugar syntax for the axioms:

∃y :List . nil = y :List

∃z :List . cons(x :Elt), y :List) = z :List

S = {Elt, List}, Σ = {nil , cons}, and F includes the following axioms:

nil , cons are functions:

nil : → List cons : Elt × List → List

The above statements are sugar syntax for the axioms:

∃y :List . nil = y :List

∃z :List . cons(x :Elt), y :List) = z :List

No-junk, No-confusion (nil and cons are constructors for lists):

µ L:List . nil ∨ cons(Elt, L)

nil 6= cons(e, L)

∀ e, e ′:Elt . ∀ `, `′:List . cons(e, `) = cons(e ′, `′)→ (e = e ′ ∧ ` = `′)

The above faithfully reflects the slogan

An inductive type (seen as a set) contains exactly those elementsthat we obtain by repeatedly using of finitely times theconstructors.

No-junk, No-confusion (nil and cons are constructors for lists):

µ L:List . nil ∨ cons(Elt, L)

nil 6= cons(e, L)

∀ e, e ′:Elt . ∀ `, `′:List . cons(e, `) = cons(e ′, `′)→ (e = e ′ ∧ ` = `′)

The above faithfully reflects the slogan

An inductive type (seen as a set) contains exactly those elementsthat we obtain by repeatedly using of finitely times theconstructors.

Streams in MmL

S = {Bit, Stream}, Σ = {0,1, :: }, and F includes the axioms:0,1 and :: are functions:

0 : → Bit 1 : → Bit

:: : Bit × Stream→ Stream

Inductive definition of Bit: 0 ∨ 1 (equivalent to µB:Bit . 0 ∨ 1) and 0 6= 1

No junk for streams: ν S :Stream .Bit :: SNo confusion for :: :∀b, b′:Bit .∀ t, t ′:Stream . (b :: t = b′ :: t ′ → b = b′ ∧ t = t ′)The above faithfully reflects the slogan

An coinductive type (seen as a set) contains exactly thoseelements that we obtain by repeatedly using of possible infinitelytimes the constructors.

Streams in MmL

0 : → Bit 1 : → Bit

Streams in MmL

0 : → Bit 1 : → Bit

Streams in MmL

0 : → Bit 1 : → Bit

1 Introduction

5 Induction

6 Coinduction

7 Conclusion

Motivation: Subsorts

Nat ::= plus(Nat,Nat)

Int ::= Nat | plus(Int, Int)

The inclusion Int ::= Nat can be axiomatized by ∃ x :Nat . x ⊆ ∃ x :Int . x .

But we also want to axiomatize the fact that ”any pattern of sort Nat isof sort Int as well; e.g. plus(x :Nat, , y :Nat).Moreover, a pattern plus(x :Nat, y :Int) is ill-formed now.

A possible solution is to consider ”injections”:

inj : Nat → Int

but their axiomatization is quite challenging.

inj : Nat → Int

Motivation: Parametric Sorts

List〈S〉 ::= nil | cons(S , List〈S〉)

orList〈S〉 ::= nil〈S〉 | cons(S , List〈S〉)

where S ranges here over sorts. E.g., we may have the sorts List〈Nat〉,List〈Int〉,List〈List〈Nat〉〉, and so on.

We may also want to be able to define

Sorts = µX .Nat ∨ Int ∨ List〈X 〉

Motivation: Parametric Sorts

List〈S〉 ::= nil | cons(S , List〈S〉)

orList〈S〉 ::= nil〈S〉 | cons(S , List〈S〉)

where S ranges here over sorts. E.g., we may have the sorts List〈Nat〉,List〈Int〉,List〈List〈Nat〉〉, and so on.

We may also want to be able to define

Sorts = µX .Nat ∨ Int ∨ List〈X 〉

Applicative Matching Logic, Formally 1/2

Signatures: � = (EVar,SVar,Σ)No sorts!!! (or you may think that there is just one universalsort ∗)Σ contains only constant symbols (i.e., no arity).And variables are not sorted.

Patterns:

ϕs ::=x ∈ EVar | X ∈ SVar | σ ∈ Σ

ϕ1 ϕ2 (application)

⊥ (false)

ϕ1 → ϕ2 (implication)

∃ x . ϕ (binding)

µX :s . ϕs if f ϕs is positive in X :s (l.f.p.)

Signatures: � = (EVar,SVar,Σ)No sorts!!! (or you may think that there is just one universalsort ∗)Σ contains only constant symbols (i.e., no arity).And variables are not sorted.

Patterns:

ϕs ::=x ∈ EVar | X ∈ SVar | σ ∈ Σ

ϕ1 ϕ2 (application)

⊥ (false)

ϕ1 → ϕ2 (implication)

∃ x . ϕ (binding)

µX :s . ϕs if f ϕs is positive in X :s (l.f.p.)

Σ-Model: (M, · , {Mσ | σ ∈ Σ}), whereM is a non-empty set,· : M ×M → P(M)Mσ ⊆ M for each σ ∈ Σ

Abreviation: a b for a · b.Derived Patterns

¬ϕ ≡ ϕ→ ⊥ > ≡ ¬⊥ ϕ1 ∨ ϕ2 ≡ ¬ϕ1 → ϕ2

Definedness1, totality, equality, membership, inclusion,. . . are defined in asimilar way to ML.

1With a small amendament.Dorel Lucanu (UAIC) Matching Logic Explained FROM, September 05, 2019 42 / 65

Σ-Model: (M, · , {Mσ | σ ∈ Σ}), whereM is a non-empty set,· : M ×M → P(M)Mσ ⊆ M for each σ ∈ Σ

Abreviation: a b for a · b.Derived Patterns

¬ϕ ≡ ϕ→ ⊥ > ≡ ¬⊥ ϕ1 ∨ ϕ2 ≡ ¬ϕ1 → ϕ2

Definedness1, totality, equality, membership, inclusion,. . . are defined in asimilar way to ML.

1With a small amendament.Dorel Lucanu (UAIC) Matching Logic Explained FROM, September 05, 2019 42 / 65

Encoding of MmL in AML 1/2

An MmL-signature � = (EVar,SVar,S ,Σ)

can be encoded as an AML theory

�AML = (EVarAML,SVarAML,ΣAML, ΓAML), where:

I EVarAML = {x | x :s ∈ EVar}, SVarAML = {X | X :s ∈ SVar},I ΣAML = S ∪ Σ ∪ {[[ ]]} (inhabitants symbol)

I ΓAML includes:non-empty sort: [[s]] 6= ⊥each constant s ∈ S is functional: ∃ y . s = yfor each σ ∈ Σs1···sn,s an axiom

x1 ∈ [[s1]] ∧ · · · ∧ xn ∈ [[sn]]→ σ x1 . . . xn ⊆ [[s]]

or, equivalently,σ [[s1]] . . . [[sn]] ⊆ [[s]]

x1 ∈ [[s1]] ∧ · · · ∧ xn ∈ [[sn]]→ σ x1 . . . xn ⊆ [[s]]

Each �AML-model M defines a �-model M ′ as follows:

I M ′s = M[[s]]