« Mathematical Foundations: (2) Classical First-Order Logic »

« Mathematical foundations: Formal logics (2) Classical ﬁrst-order logic » A formal logic consists of: – a formal or informal language (formula expressing facts) Patrick Cousot –amodel-theoretic semantics (to deﬁne the meaning of Jerome C. Hunsaker Visiting Professor the language, that is which facts are valid) Massachusetts Institute of Technology Department of Aeronautics and Astronautics –a deductive system (made of axioms and inference cousot mit edu rules to formaly derive theorems, that is facts that www.mit.edu/~cousot are provable) Course 16.399: “Abstract interpretation” http://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —1— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —3— ľ P. Cousot, 2005

Questions about formal logics The main questions about a formal logic are: –Thesoundness of the deductive system: no provable formula is invalid –Thecompleteness of the deductive system: all valid formulæ are provable George Boole David Hilbert Gottlob Frege

Reference [1] Jean van Heijenoort, editor. “From Frege to Gödel: A Source Book in Mathematical Logic, 1879-1931”. Harvard University Press, 1967.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —2— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —4— ľ P. Cousot, 2005 Classical propositional logic – X 2Vare variables denoting unknown true or false facts Propositional classical logic –Thesetofformulæ ffi 2Fof the propositional logic are defined by the following grammar: ffi ::= X j (ffi1 ^ ffi2) j (:ffi) – The relation “is a subformula of” is well founded, whence can be used for structural definitions and proofs

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —5— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —7— ľ P. Cousot, 2005

Example of formulæ – A is a variable whence a formula The derivation – (:A) is a formula since A is a tree of the for- Syntax of the formula mula is: : classical propositional logic – (A ^ (:A)) is a formula since A and and (:A) are formulae – (:(A ^ (:A)) is a formula since ^ (A ^ (:A)) is a formula A :

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —6— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —8— ľ P. Cousot, 2005 Abstract syntax Free variables of proopositional formulae – In practice we avoid parentheses thanks to priorities: The set FV(ffi) of free variables appearing in a formula - : has highest priority (evaluated first) ffi is defined by structural induction as follows: - ^ has lowest priority (evaluated second) def FV(X) = fXg - ^ is left associative (evaluation from left to right) def FV(:ffi) =FV(ffi) For example, :A ^:B ^ C stands for (:A) ^ (:B) ^ C FV(ffi ffi ) def=FV(ffi ) FV(ffi ) which stands for ((:A) ^ (:B)) ^ C 1 ^ 2 1 [ 2 –Thederivation tree is given by the following abstract grammar: ffi ::= X j ffi1 ^ ffi2 j:ffi

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —9— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —11— ľ P. Cousot, 2005

Propositional identities Abbreviations (de Morgan laws)

def ffi1 _ ffi2 = :(:ffi1 ^:ffi2) Semantics of the def ffi1 =) ffi2 = :ffi1 _ ffi2 def propositional classical logic ffi1 (= ffi2 = ffi2 =) ffi1 def ffi1 () ffi2 =(ffi1 =) ffi2) ^ (ffi1 (= ffi2) def ffi1 _ ffi2 =(ffi1 _ ffi2) ^:(ffi1 ^ ffi2)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —10— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —12— ľ P. Cousot, 2005 Booleans Tarskian/model-theoretic semantics of the def We define the booleans B = ftt ; ¸g and boolean opera- classical propositional logic tors by the following truth table: The semantics 2 S2F7! (V 7! B) 7! B of a proposi- & tt ¸ : tional formula ffi assign a meaning Sffi to the formula for any given environment  3: tt tt ¸ tt ¸ def ¸ ¸ ¸ ¸ tt SX = (X) def S:ffi = :(Sffi) def Sffi1 ^ ffi2 = Sffi1 & Sffi2

2 Also called an interpretation in logic 3 Hilbert used instead an arithmetic interpretation where 0 is true and 1 is false.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —13— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —15— ľ P. Cousot, 2005

Environment/Assignment Models

–Anenvironment 1  2V7!n B assigns boolean values  is a model of ffi (or that  satisfies ffi) if and only if: (X) to free propositional variables X. Sffi =tt – An example of assignment is  = fX ! tt ;Y ! ¸g such that (X)=tt, (Y )=¸and the value for all which is written: other propositional variables Z 2VnfX; Y g is unde- fined  ‚ ffi

1 Also called assignment in logic.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —14— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —16— ľ P. Cousot, 2005 Entailment Examples of tautologies P = P ( (P = Q)) = P –Aset` 2 }(F) of formulae entails ffi whenever: ) : ) ) (::P )=) P (:(P =) Q)) =) (::P ) P = ( P ) ( (P = Q)) = Q 0 ‚ 0 ‚ ) :: : ) ): 8 :(8ffi 2 ` :  ffi )=)  ffi P =) (Q =) P ) (P =):P )=) (P =) Q) P =) (Q =) Q) (P =) Q)=) (:Q =):P ) which is written: (:P =) P )=) P (P =):Q)=) (Q =):P ) P =) (:P =) Q) (:P =):Q)=) (Q =) P ) ` ‚ ffi :P =) (P =) Q) (:P =):Q)=) (:P =) Q)=) P ) (:(P =) P )) =) Q (:(P =) Q)) =) (Q =) R) P =) (:(P =):P )) (:(P =) Q)) =) (:P =) R) (P =):P )=):P (P =) Q)=) ((Q =) R)=) (P =) R))

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —17— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —19— ľ P. Cousot, 2005

Validity Satisfiability/Unsatisfiability –Wesaythatffi is valid if and only if: –Aformulaffi 2F is satisfiable if and only if:

8 2 (V 7! B):Sﬃ =tt 9 2 (V 7! B):Sﬃ =tt

which is written: –Aformulaffi 2F is unsatisfiable if and only if: ‚ ffi 8 2 (V 7! B):Sffi =tt (i.e. ffi is a tautaulogy, always true) (i.e. ffi is a antilogy, always false)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —18— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —20— ľ P. Cousot, 2005 Satisfiability/Validity/Unsatisfiability Hilbert deductive system Formulae – Axiom schemata 4: 5 Satisfiable Unsatisfiable (1) ffi _ ffi =) ffi (2) ffi =) ffi0 _ ffi 6 Sometimes true (3) (ffi =) ffi0)=) (ffi00 _ ffi =) ffi0 _ ffi00) 7 Sometimes false – Inference rule schema 4: Always false ffi; ffi =) ffi0 (MP) 8 modus ponens Valid ffi0 Always true 4 to be instanciated for all possible formulae ffi; ffi0;ffi00 2F 5 i.e. :(:(:ffi ^:ffi)) _ ffi) 6 i.e. :(::ffi ^::(:ffi ^:ffi0)) 7 0 00 0 00 def i.e; :(:ffi _ ffi ) _ (:(ffi _ ffi) _ (ffi _ ffi )) where ffi1 _ ffi2 = :(:ffi1 _:ffi2) ffi; :ffi _ ffi0 8 i.e. ffi0

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —21— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —23— ľ P. Cousot, 2005

Hilbert derivation –Aderivation from a set ` 2 }(F) of hypotheses is a ﬁnite nonempty sequence:

Deductive system for the ffi1;ffi2;:::;ffin n – 0 classical propositional logic of formulae such that for each ffii, i =1;:::;n,wehave: - ffii is a element of ` (hypothesis) - ffii is an axiom 1 k ffii ;:::;ffii - ffii is the conclusion of an inference rule such ffii 1 k 9 that fffii ;:::;ffii g„fffi1;ffi2;:::;ffin`1g

9 So that the premises have already been proved.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —22— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —24— ľ P. Cousot, 2005 Hilbert proof Hilbert provability –Aproof is a derivation from ; – ffi 2 F is provable from ` 2 }(F) (or ` proves ffi)iff there is a proof of ffi from ` , written:

` ‘ ﬃ

where the deduction system (axioms and inference rules) are understood from the context. – ;‘ffi is written ‘ ffi This is the proof-theoretic semantics of first-order logic.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —25— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —27— ľ P. Cousot, 2005

Example of proof Example of provability

(ffi _ ffi =) ffi)=) (:ffi _ (ffi _ ffi)=) ffi _:ffi) [instance of (3)] (a) ‘:ffi _::ffi ffi _ ffi =) ffi [instance of (1)] (b) Proof. :ffi _ (ffi _ ffi)=) (ffi _:ffi) [(a), (b) and (MP)] (c) = (ffi =) (ffi _ ffi)) =) ffi _:ffi def. =) abbreviation Replace ffi by :ffi is the previous proof of ffi _:ffi. ffi =) (ffi _ ffi) [instance of (2)] (d) ffi _:ffi [(c), (d) and (MP)]

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —26— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —28— ľ P. Cousot, 2005 Soundness of a deductive system Consistency of a deductive system Provable formulae do hold: Absence of contradictory proofs ‚ ` ‘ ffi =) ` ffi :(9` : ` ‘ ffi ^ ` ‘:ffi) A sound deductive system is consistent. Proof. Proof. The proof for propositional logic is by induction on the length of the formal proof of ffi from ` . By reduction ad absurdum assume inconsistency 9` : ` ‘ ffi ^ ` ‘:ffi.By ‚ ‚ 0 ‚ 0 A proof of length one, can only use a formula ffi in ` which is assumed soundness ` ffi ^ ` :ffi whence for all  such that 8ffi 2 ` :  ffi ,we to hold (i.e. Sffi =tt) or an axiom that does hold as shown below. have S ffi  =ttand S :ffi  =tt=:S ffi  = :tt = ¸ which is the desired contradiction since tt 6=¸. – Sffi _ ffi =) ffi = S:(:(:ffi ^:ffi)) def. _ = :(:(:(Sffi)&:(Sffi))) def. S = :(Sffi)&:(Sffi) def. : = :(¸) def. &

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —29— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —31— ľ P. Cousot, 2005

= tt def. : Negative normal form – The proof is similar for the other two axioms.

A proof of length n +1, n – 1 is an initial proof ffi0;:::;ffin`1 of length A formula is in negative normal form iff it can be parsed n followed by a formula ffin. By induction hypothesis, we have S ffii  =tt, by the following grammar: i =1;:::;n` 1. If ffin 2 ` or ffin is an axiom then Sffin =ttas shown above. Otherwise, ffin is derived by the modus ponens inference rule (MP). In ffi ::= ffi _ ffi that case, we have k, 0 » ktruth table of =) is derived from the j ffi ^ ffi definition of =) and that of : and ^ as follows: j ’ =) ¸ tt

¸ tt tt ’ ::= X

tt ¸ tt j:X

Since Sffik =ttthe truth table of =) shows than the only possibility for (Sffik =)Sffin)=ttis Sffin =tt.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —30— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —32— ľ P. Cousot, 2005 Normalization in negative normal form Conjunctive normal form A formula is in conjunctive normal form iff it can be def nnf(:ffi) = nnf(ffi) parsed by the following grammar:

def nnf(ffi1 _ ffi2) = nnf(ffi1) _ nnf(ffi2) ffi ::= ffi^ def nnf(ffi1 ^ ffi2) = nnf(ffi1) ^ nnf(ffi2) ffi^ ::= ffi^ ^ ffi^ def nnf(:ffi) = nnf(ffi) j ffi_ nnf(ffi _ ffi ) def= nnf(ffi ) ^ nnf(ffi ) 1 2 1 2 ffi_ ::= ffi_ _ ffi_ def nnf(ffi ^ ffi ) = nnf(ffi ) _ nnf(ffi ) 1 2 1 2 j ’ nnf(X) def= X ’ ::= X nnf(X) def= :X j:X

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —33— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —35— ľ P. Cousot, 2005

Aformulaffi is equivalent to its negative normal form Normalization in conjunctive normal form nnf(ffi) is that: Any formula ffi can be put in equivalent conjunctive normal form by applying the following transformations to ‘ ffi if and only if ‘ nnf(ffi) nnf(ffi):

0 0 0 ffi _ (ffi1 ^ ffi2) ; (ffi ^ ffi1) _ (ffi ^ ffi2) 0 0 0 (ffi1 _ ffi2) ^ ffi ; (ffi1 _ ffi ) ^ (ffi2 _ ffi ) Aformulaffi is equivalent to its conjunctive normal form ffi^ in that:

‘ ﬃ if and only if ‘ ﬃ^

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —34— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —36— ľ P. Cousot, 2005 Completeness of a deductive system Formulae which hold are provable:

` ‚ ffi =) ` ‘ ffi Classical first-order logic

The very ﬁrst proof for propositional logic was given by Bernays (a student of Hilbert) [2]. The better known proof is that of Post [3].

Reference [2] Richard Zach. “Completeness before Post: Bernays, Hilbert, and the development of propositional logic”, Bulletin of Symbolic Logic 5 (1999) 331–366. [3] Ryan Stansifer. “Completeness of Propositional Logic as a Program”, Florida Institute of Technology, Mel- bourne, Florida, March 2001.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —37— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —39— ľ P. Cousot, 2005

Bernay’s proof can be sketched as follows. Every formula is interderivable with its conjunctive normal form. A conjuction is provable if and only if each of its conjuncts is provable. A disjunction of propositional variables or negations of proprositional variables if and only if it contains a variable and its negation, and conversely, every such disjunction is provable. So a formula is provable if and only if every conjunct in its normal form contains a variable and Syntax of the its negation. Now suppose that ffi is a valid (‚ ffi) but underivable formula. Its conjunctive classical first-order logic normal form ffi^ is also underivable, so it must contain a conjunct ffi0 where every variable occurs only negated or unnegated but not both. If ffi where added as a new axiom (so that

‚ ffi implies soundness of the new deductive system), then ffi^ and ffi0 would also be derivable.

By substituting X for every unnegated variable and (:X) for every negated variable in ﬃ0, we would obtain X as a derivable formula (after some simpliﬁcation), and the system would be inconsistent, which is the desired contradiction.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —38— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —40— ľ P. Cousot, 2005 Lexems Terms The lexems are the basic constituants of the formal lan- Terms t 2T denote individual objects of the universe of guage. discourse computed by applying fonctions to constants – symbols: (, ,, ), ^, :, 8, ... or variables: – constants: a;b:::2Cdenote individual objects of the t ::= c universe of discourse j x – variables: x;y;::: 2Vdenote unknown but ﬁxed 10 objects of the universe of discourse j fnn(t1;:::;tn)

10 Diﬀerent instances of the same variable in a given scope of a formula always denote the same unkown individal object of the universe of discourse. This is not true of imperative computer programs.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —41— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —43— ľ P. Cousot, 2005

n – function symbols: fnn; gnn;:::2F denoteS fonctions Atomic formulæ 0 def n of arity n.WeletF = C and F = n2N F .For Atomic formulæ A 2Aare used to state elementary short we write f instead of fnn when the arity n is facts about objects of the universe of discourse: understood n A ::= rnn(t1;:::;tn) – relation symbols: rnn; nn;::: 2R denoteS fonctions B def n of arity n.Welet = ftt ; ¸g and R = n2N R .For Example: short we write r instead of rnn when the arity n is – z is a variable whence a term understood – ˜n2(+n2(x; 1);y) is a term – »n2 is a relation symbol whence »n2(˜n2(+n2(x; 1);y);z) 11 is an atomic formula

11 written ((x +1)˜ y) » z in inﬁx form

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —42— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —44— ľ P. Cousot, 2005 First-order formulae Free variables Free variables are not bound by a quantifier: The set ˘ 2Lof first-order formulae (of the first-order language L) is defined by the following grammar def fv(8x : ˘) =fv(˘) nfxg def ˘ ::= AA2A fv(˘1 _ ˘2) =fv(˘1) [ fv(˘2) def fv(:˘) =fv(˘) j8x : ˘x2V S def n fv(rnn(t1;:::;tn)) = fv(t ) j ˘1 _ ˘2 i=1 i def j:˘ fv(c) = ; def fv(x) = fxg S 9x : ˘ is a shorthand for :(8x :(:˘)) def n fv(fnn(t1;:::;tn) = i=1 fv(ti)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —45— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —47— ľ P. Cousot, 2005

Bound variables Theories def Bound variables appear under the scope of a quantiﬁer: –Thesetofvariables of a formula is var(˘) =bv(˘) [ def fv(˘) bv(8x : ˘) = fxg[bv(˘) def –Aclosed sentence (or ground formula)isaformula˘ bv(˘ _ ˘ ) =bv(˘ ) [ bv(˘ ) 1 2 1 2 with no free variable (so that fv(˘)=; bv( ˘) def=bv(˘) : –Atheory is a set of closed sentences def bv(rnn(t1;:::;tn)) = ; def bv(c) = ; def bv(x) = ; def bv(fnn(t1;:::;tn) = ;

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —46— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —48— ľ P. Cousot, 2005 Substitution Application of a substitution to a term – Substitution is a syntactic replacement of a variable by def aterm, may be with appropriate renaming of bound ff(c) = c def variables, so as to avoid capturing the term free vari- ff(y) = y iff y 62 dom(ff) def ables, as in ff(f(t1;:::;tn)) = f(ff(t1);:::;ff(tn)) ff(r(t ;:::;t )) def= r(ff(t );:::;ff(t )) x : x = y +1[y := x] 1 n 1 n 9 def ff(:˘) = :ff(˘) x : x = x +1 6!9 def ff(˘1 _ ˘2) = ff(˘1) _ ff(˘2) but should be def ff(8x : ˘) = 8x0 : ff(˘[x := x0]) where !9x0 : x0 = x +1 x0 62 yld(ff) [ (fv(˘) nfxg)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —49— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —51— ľ P. Cousot, 2005

A substitution ﬀ 2V7!T is a function from variables Example of substitution in a term to terms with ﬁnite domain:

def (9x : x = y +1)[y := x] dom(ff) = fx 2Vjx 6= ff(x)g (finite domain) 0 0 def = 9x :((x = y +1)[x := x ])[y := x] rng(ff) = [fff(x) j x 2 dom(ff)g (range) def = x0 :((x)[x := x0]=(y)[x := x0] + (1)[x := x0])[y := x] yld(ff) = ffv(t) j t 2 rng(ff)g (yield) 9 = 9x0 :(x0 = y +1)[y := x] We write ff as: = 9x0 :((x0)[y := x]=(y)[y := x] + (1)[y := x]) [x1 ff(x1);:::;xn ff(xn)] 0 0 where dom(ff)=fx1;:::;xng. = 9x :((x )[y := x]=(y)[y := x] + (1)[y := x])

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —50— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —52— ľ P. Cousot, 2005 Environment/Assignment

– An environment/assignment  2V7! DI assigns a value (x) to each variable x 2V Semantics of the Assignment notation: if f 2 A 7! B, a 2 A, b 2 B then classical ﬁrst-order logic f[a := b]=f0 2 A 7! B such that: f0(a)=b i.e. f[a := b](a)=b f0(x)=f(x) whenever x 6= a i.e. f[a := b](x)=f(x)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —53— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —55— ľ P. Cousot, 2005

Interpretation Semantics of the ﬁrst-order logic An interpretation I is deﬁned by: Given an interpretation I, the semantics is: –Adomain of discourse D (or domain of interpreta- I I tion) S t 2 (V 7! DI) 7! DI m I def –Aninterpretation I f 2 DI 7! DI for each function S c = Ic m symbol f 2F , m – 0 (including constants) def SIx = (x) m –Aninterpretation Ir 2 D 7! B for each relation def I SIf(t ;:::;t ) = If(SIt ;:::;SIt ) symbol r 2Rm, m – 0 1 n 1 n

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —54— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —56— ľ P. Cousot, 2005 I Semantics of substitution S A 2 (V 7! DI) 7! B Assignment is the semantic counterpart of syntactic sub- I def I I S r(t1;:::;tn) = Ir(S t1;:::;S tn) stitution:

I I I 0 S ˘ 2 (V 7! DI) 7! B S ﬀ(˘) = S ˘ def 0 I SI:˘ = :(SIg˘) where 8x 2V:  (x)=S ﬀ(x)  I def I I S ˘1 _ ˘2  = S^ ˘1  _S ˘2  def SI8x : ˘ = 12 SI˘[x := v] v2DI

V def 12 If S „ B then S =(S „ftt g).

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —57— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —59— ľ P. Cousot, 2005

It follows that for the abbreviations, we have: Lemma I def I I If x 62 fvt then S ˘1 =) ˘2  = S ˘1  =)S ˘2  I I _ 8 2V7! DI : 8v 2 DI : S t = S t[x := v] def SI9x : ˘ = SI˘[x := v] Proof. –Thecaset = x is disallowed by x 62 fvx = fxg v2DI –Ify 6= x then x 62 fvy = fyg and SIy = (y)=[x := v](y)= SIy[x := v] where: I – S f(t1;:::;tn) I I =) ¸ tt _ ¸ tt = If(S t1;:::;S tn) I I = If(S t1[x := v];:::;S tn[x := v]) by induction hypothesis since ¸ tt tt ¸ ¸ tt 8i : x 62 fvti I = S f(t1;:::;tn)[x := v] tt ¸ tt tt tt tt I W – S r(t1;:::;tn)  def I I and if S „ B then S =(S \ftt g 6= ;). = I r (S t1 ;:::;S tn )

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —58— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —60— ľ P. Cousot, 2005 I I I 0 = Ir(S t1[x := v];:::;S tn[x := v]) by induction hypothesis since = S r(t1;:::;tn) ) 8i : x 62 fv ti proving that 8A : SIff(A) = SIA0 = Ir(t ;:::;t )[x := v] S 1 n – SIff(:˘) = SI:ff(˘) = :(SIff(˘)) = :(SI˘0) = SI:˘0 I I I I I 0 – S ff(˘1_˘2) = S ff(˘1)_ff(˘2) = S ff(˘1)_S ff(˘2) = S ˘1 _ I 0 I 0 S ˘2 = S ˘1 _ ˘2 – SIff(8x : ˘) = SI8x0 : ff(˘[x := x0]) where x0 62 yld(ff) [ (fv(˘) nfxg) = SI8x0 : ff([x x0] 13(˘)) I = x0 :(ff ‹ [x x0]) 14(˘)) S^8 I = S (ff ‹ [x x0])(˘))[x0 := v] v^2DI ` ´ I I = S ffi –y . S (ff ‹ [x x0])(y))[x0 := v] by induction hypothesis

v2DI

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —61— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —63— ľ P. Cousot, 2005

^ I I I Proof of the theorem = S ffi(–y . ( y = x ? S (ff ‹ [x x0])(y))[x0 := v] : S (ff ‹ [x

v2DI Proof. 0 0 ) 15 x^])(y)) [x := v] ) By structural induction on formulae = SIffi(–y . ( y = x ? SIff(x0)[x0 := v] : SIff(y)[x0 := v])) – Iff(c) = Ic = Ic = Ic0 S S S v^2DI I I – S ff(x) = 0(x)=S x0 = SIffi(–y . ( y = x ? SIx0[x0 := v] : SIff(y)[x0 := v])) I – S ff(f(t1;:::;tn)) v2DI I since x0 yld(ff) so that ff(x0)=x0 = S f(ff(t1);:::;ff(tn))  ^ 62 I I = I f (S ff(t1) ;:::;S ff(ff(tn) ) = SIffi(–y . ( y = x ? v : SIy0)) I 0 I 0 = If(S t1 ;:::;S tn v2DI I 0 = S f(t1;:::;tn)  ) since I I 0 proving that 8t : S ff(t) = S t - SIx0[x0 := v] = [x0 := v](x0) = v I – S ff(r(t1;:::;tn))  - x0 62 yld(ff) so that x0 2 fvff(y) hence, by the lemma, I = S r(ff(t1);:::;ff(tn))  SIff(y)[x0 := v] = SIff(y) = SIy0 by induction hypoth- I I = I r (S ff(t1) ;:::;S ff(ff(tn) ) esis I 0 I 0 = I r (S t1  ;:::;S tn 

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —62— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —64— ľ P. Cousot, 2005 ^ = SIffi(–y . ( y = x ? v : 0(y))) Deduction system for first-order logic (H) v^2DI 0 0 = SIffi(0[x := v]) – Axioms (for all instances of formulae ˘, ˘ , ˘ ,variable v2DI x and term t): = SI8x : ffi0 (1) ˘ _ ˘ =) ˘ (2) ˘ =) ˘0 _ ˘ (3) (˘ =) ˘0)=) (˘00 _ ˘ =) ˘0 _ ˘00) (4) 8x : ˘ =) ˘[x := t] (5) (8x : ˘ _ ˘0)=) ˘ _8x : ˘0 when x 62 fv(˘)

13 The function [x x0] is the substitution of x0 for x def 14 ‹ is function composition f ¨ compg(x) = f(g(x)) 15 The conditional is ( tt ? a : b) = a and ( ¸ ? a : b) = b and ( a ? b Ü c ? d : e) = ( a ? b :(c ? d : e))

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —65— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —67— ľ P. Cousot, 2005

– Inference rules (for all instances of formulae ˘, ˘0 and variable x):

˘; ˘ =) ˘0 Deductive system for the (MP) Modus Ponens ˘0 classical ﬁrst-order logic ˘ (Gen) Generalization 8x : ˘

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —66— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —68— ľ P. Cousot, 2005 Example 1 of proof (i) (˘ =)::˘0)=) (˘ =) ˘0) tautology (i’) (:8x : :˘ =)::˘0)=) (:8x : :˘ =) ˘0) tautology, instance of (i) ˘[x := t]=):8x : :˘ (i.e. 9x : ˘) (j) :8x : :˘ =) ˘0 (h), (i’) and (MP) Proof. (assuming tautologies for short) (a) 8x : :˘ =) (:˘)[x := t] instance of (4) (b) (˘ =) ˘0)=) (:˘0 =):˘) contraposition tautology (b’) (8x : :˘ =) (:˘)[x := t]) =):((:˘)[x := t]) =):8x : :˘ tautology, instance of (b) (c) :((:˘)[x := t]) =):8x : :˘ (a), (b’) and (MP) (c’) ::(˘[x := t]) =):8x : :˘ def. substitution (d) (::˘ =):˘0)=) (˘ =):˘0) tautology (d’) (::(˘[x := t]) =):8x : :˘)=) (˘[x := t]=):8x : :˘) tautology (e) ˘[x := t]=):8x : :˘ (c), (d’) and (MP)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —69— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —71— ľ P. Cousot, 2005

Example 2 of proof Extension of the deduction system (H) for

f˘ =) ˘0g‘:8x : :˘ =) ˘0 when x 62 fv(˘0) ﬁrst-order logic Proof. (assuming tautologies for short) These theorems are often incorporated to the deductive system as an axiom (a) ˘ =) ˘0 hypothesis (b) (˘ =) ˘0)=) (:˘0 =):˘) contraposition tautology ˘[x := t]=)9x : ˘ (c) :˘0 =):˘ (a), (b) and (MP) (c’) ˘0 ˘ def. abbreviation = :: _: ) and a generalization rule: (d) 8x :(::˘0 _:˘) (c’), (Gen) 0 (e) ::˘ _8x : :˘ (d), (5), x 62 fv(::˘0)=fv(˘0) ˘ =) ˘0 (f) :˘0 =)8x : :˘ def. abbreviation =) when x 62 fv(˘) 0 (g) (:˘0 =)8x : :˘)=) (:8x : :˘ =)::˘0) contraposition tautology (9x : ˘)=) ˘ (h) :8x : :˘ =)::˘0 (f), (g) and (MP)

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —70— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —72— ľ P. Cousot, 2005 Logical equivalences involving quantiﬁers and – The Hilbert style deductive system (H) is not decid- negations able [5]. – Proofs cannot be fully automated: there is no termi- – :8x : ˘ () 9 x : :Phi De Morgan laws nating algorithm that, given a ﬁrst-order formula ˘ as – :9x : ˘ () 8 x : :˘ input, returns true whenever ˘ is classically valid. – (8x : ˘ ^8x : ˘) () 8 x :(˘ ^ ˘0) – (9x : ˘ _8x : ˘) () 9 x :(˘ _ ˘0) – (˘ =) ˘0)=) (9x : ˘ =) ˘0) when x 62 fv(˘0) – (˘ =) ˘0)=) (˘ =)8x : ˘0) when x 62 fv(˘0) – 8x :(˘ _ ˘0) () (8x : ˘) _ ˘0 when x 62 fv(˘0) – 9x :(˘ ^ ˘0) () (9x : ˘) ^ ˘0 when x 62 fv(˘0) – ˘ () 8 x : ˘ when x 62 fv(˘0) Reference 0 [5] Kurt Gödel. “Über Formal Unentscheidbare Sätze der Principia Mathematica und Verwandter Systeme, I”. – ˘ () 9 x : ˘ when x 62 fv(˘ ) Monatshefte für Mathematik und Physik 38, 173–198, 1931.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —73— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —75— ľ P. Cousot, 2005

Properties of the deduction system (H) for The theory axiomatizing equality first-order logic Writing = n2(A; B) as A = B, the theory axiomatizing equality is first-order logic plus the following axioms: – The Hilbert style deductive system (H) is sound,con- – 8x : x = x reflexivity sistent, compact 16 and complete [4] for the first-order- – 8x : 8y : (x = y)=) (y = x) symmetry logic. – 8x1 : :::8xn : 8y1 : :::8yn : (x1 = y1 ^ :::^ xn = yn)=) (f(x1;:::;xn)=f(y1;:::;yn)) Leibnitz functional congruence – 8x1 : :::8xn : 8y1 : :::8yn : (x1 = y1 ^ :::^ xn = yn)=) (r(x1;:::;xn)=r(y1;:::;yn)) Leibnitz relational congruence – 8x : 8y : 8z : (x = y ^ y = z)=) (x = z) transitivity Reference [4] Kurt Gödel. “Die Vollständigkeit der Axiome des logischen Funktionen-kalküls”, Monatshefte für Mathe- matik und Physik 37 (1930), 349-360.

16 ` ‘ ˘ if and only if ` 0 ‘ ˘ for a ﬁnite subset ` 0 of `.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —74— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —76— ľ P. Cousot, 2005 Peano arithmetic [6] - 8x : x ˆ 0=0 def. multiplication - 8x : 8y : x ˆ s(y)=(x ˆ y)+x –Constantsymbols:0 - ((˘)[x := 0] ^ (8x : ˘ =) (˘)[x := s(x)]) =) (8x : – Functional symbols: s (sucessor), +, ˆ ˘) recurrence (for all instances of ˘) – Relation symbols: =, » –Axioms: - 8x : x = x reﬂexivity - 8x : 8y : (x = y)=) (y = x) symmetry - 8x : 8y : 8z : (x = y ^ y = z)=) (x = z) transitivity

Reference [6] Giuseppe Peano. Arithmetices principia, nova methodo exposita. Augustae Taurinorum, Ed. Fratres Bocca, 1889. – XVI, 20 p.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —77— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —79— ľ P. Cousot, 2005

- 8x : 8y : (x = y)=) (s(x)=s(y)) congruence Non standard integers - 8x : 8y : 8z : 8t : (x = z ^ t = t)=) (x + y = z + t) This axiomatization formalizes natural numbers but does - 8x : 8y : 8z : 8t : (x = z ^ t = t)=) (x ˆ y = z ˆ t) not exclude “non standard models” of the form: - x : y : z : t :(x = z t = t)= (x y = z t) 8 8 8 8 ^ ) » » 0123...... `20 `10 00 10 20 ... `21 `11 01 11 21 - 8x : (x =0)_ (9y : x = s(y)) every natural but 0 is ... `22 `12 02 12 22 ...... a successor Excluded by the second-order logic induction axiom 17: - 8x : :(s(x)=0) 0 is not a successor - 8x : 8y : (s(x)=s(y)) =) (x = y) s is injective so 8P :(P (0) ^ (8x : P (x)=) P (s(x)))) =)8x : P every nonzero natural has a unique predecessor - 8x : x +0=x def. addition

- 8x : 8y : s + s(y)=s(x + y) 17 The difference is that there is a denumerable infinity of instances of ˘ while there can be a non-denumerable infinity of P s, see G.S.Boolos and R.C.Jeffrey, “Computability and Logic”, Cambridge University Press, 1974, 1980, 1989, Section 17, pp.193-195.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —78— ľ P. Cousot, 2005 Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —80— ľ P. Cousot, 2005 THE END

My MIT web site is http://www.mit.edu/~cousot/

Thecoursewebsiteishttp://web.mit.edu/afs/athena.mit.edu/course/16/16.399/www/.

Course 16.399: “Abstract interpretation”, Tuesday March 8th, 2005 —81— ľ P. Cousot, 2005