Predicate Calculus
Formal Methods in Verification of Computer Systems Jeremy Johnson Outline
1. Motivation 1. Variables, quantifiers and predicates 2. Syntax 1. Terms and formulas 2. Quantifiers, scope and substitution 3. Rules of natural deduction for quantifiers 4. Semantics 1. Models and semantic entailment 5. Undecidability and limitations
Example 1
• Every student is younger than some instructor
• ∀x ( S(x) → ∃y(I(y) ∧ Y(x,y) )
• S(x) : x is a student • I(x) : is an instructor • Y(x,y) : x is younger than y
Example 2
• Not all birds can fly
• ¬ ∀x ( B(x) → F(x) ) • ∃x ( (B(x) ∧ ¬ F(x) ) • B(x) : x is a bird • F(x) : x can fly
• Semantically equivalent formulas
Example 3
• Every child is younger than its mother
• ∀x ∀y ( C(x) ∧ M(y,x) → Y(x,y) ) • C(x) : x is child • M(x,y) : x is y’s mother • Y(x,y) : x is younger than y • ∀x ( C(x) → Y(x,m(x)) • m(x) : function for mother of x
Example 4
• Andy and Paul have the same maternal grandmother • ∀x ∀y ∀u ∀v ( M(x,y) ∧ M(y,a) ∧ M(u,v) ∧ M(v,p) → x = u ) • m(m(a)) = m(m(p)) • a, b : variables for Andy and Paul • = : binary predicate
Example 5
• Everyone has a mother • ∀x ∃y ( M(y,x) ) • ∃x ∀y ( M(y,x) ) [ not equivalent ]
• Everyone has exactly one mother • ∀x ∃y ( M(y,x) ∧ ∀z (M(z,x) → z = y )
Example 6
• Some people have more than one brother • ∃x ∃y1 ∃y2 ( B(y1,x) ∧ B(y2,x) ∧ ¬(y1 = y2) )
Comparison to Propositional Calculus • Proof calculus for predicate calculus
• φ1,…,φn ψ [ extend natural deduction ] Provide semantics for predicate calculus • ⊢ • φ1,…,φn ψ [ models needed to evaluate functions and predicates – may not be finite ] ⊨ • Soundness and Completeness
• φ1,…,φn ψ holds iff φ1,…,φn ψ is valid Undecidable • ⊨ ⊢ • No program exists that can always determine if φ holds
⊨ Terms
• Terms are made up of variables, constants, and functions • Term ::= • Variable • If c is a nullary function c is a term
• If t1,…,tn are terms and f is an n-ary function then f(t1,…,tn ) is a term Formulas
• Formula ::=
• P is a predicate and t1,…,tn are terms then P(t1,…,tn) is a formula • If ϕ is a formula ¬ϕ is a formula
• If ϕ1 and ϕ2 are formulas, ϕ1 ∧ ϕ2, ϕ1 ∨ ϕ2, ϕ1 → ϕ2 are formulas • If ϕ is a formula and x is a variable ∀x ϕ and ∃x ϕ are formulas
Parse Trees
∀x ( ( P(x) → Q(x) ) ∧ S(x,y) )
∀x
∧
→ S
P Q x y
x x Free and Bound Variables
• An occurrence of x in ϕ is free if it is a leaf node in the parse tree for ϕ with no quantifier as an ancestor → ∀x
∧ ∀x ∨
→ S ∧ ¬ Q
P Q x y P Q P y
x x x x x Substitution • Given a variable x, a term t and a formula ϕ, ϕ[t/x] is the formula obtained by replacing each free occurrence of x by t → →
∀x ∨ ∀x ∨ ϕ[f(x,y)/x]
∧ ¬ Q ∧ ¬ Q
P Q P y P Q P y x x x x x f x y Variable Capture
• t is free for x in ϕ if ∧ no free x occurs in ϕ in the scope of S ∀y any quantifier for any variable y x → occurring in t. P Q
x y Variable Capture
• t is free for x in ϕ if ∧ no free x occurs in ϕ in the scope of S ∀y any quantifier for any variable y x → occurring in t. P Q
f y y y Equality Rules
• Introduction Rule
= i t = t • Elimination Rule
t1 = t2 φ[t1/x] =e
φ[t2/x] Equivalence Relation
• Symmetry: 1 = 2 2 = 1
= 1 푡 푡 1 ⊢ 2푡 푡 premise 2 = =i 푡1 푡1 3 = =e 1,2 푡2 푡1 푡 푡 • Transitivity: 1 = 2, 2 = 3 1 = 3
1 푡 푡1 = 푡2 푡 ⊢premise푡 푡 2 = premise 푡2 푡3 3 = =e 2,1 푡1 푡3 푡 푡 Conjunction Rules
• Introduction Rule
φ ψ ∧ i φ ∧ ψ • Elimination Rule
φ ∧ ψ φ ∧ ψ ∧ e1 ∧ e2 φ ψ Universal Quantification Rules
• Introduction Rule
x0 …
φ[x0/x] ∀x i ∀x φ
• Elimination Rule ∀x φ ∀x e φ[t/x] Illegal Substitution Leads to False Reasoning ∀x ϕ ϕ = ∃y (x < y)
ϕ[y/x] = ∃y (y < y) y is not free for x in ϕ Example Proof
• ∀ P → Q , ∀ P( ) ∀ Q( )
1 ∀ P → Q , premise 푥 푥 푥 푥 푥 ⊢ 푥 푥 2 ∀ ( ) premise 푥 푥 푥 3 x P(x ) →Q(x ) ∀ e1 0 푥푥0 푥 0 4 P(x ) ∀ e2 0 푥 5 Q(x ) →e3,4 0 푥 6 ∀ Q( ) ∀ 5
푥 푥 푥 푖푖 − Disjunction Rules
• Introduction Rule
φ ψ ∨ i1 ∨ i2 φ ∨ ψ φ ∨ ψ
• Elimination Rule (proof by case analysis) φ ψ … … φ ∨ ψ χ χ ∨ e χ Existential Quantification Rules
• Introduction Rule
φ[t/x] ∃x i ∃x φ
• Elimination Rule (proof by case analysis)
x0 φ[x0/x] … ∃x φ χ ∃ e χ Example Proof
• ∀ Q → R , ∃ (P ∧Q( ))
∃ (P ∧R( )) 푥 푥 푥 푥 푥 푥 ⊢ 1 ∀ Q → R , premise 푥 푥 푥 2 ∃ (P ∧Q( )) premise 푥 푥 푥 3 x P(x ) ∧ Q(x ) assumption 0푥 푥 0 푥 0 4 Q 0 → R 0 ∀ e1 5 Q(x ) ∧e 3 푥 0 푥 푥2 6 R 0 → 4,5 7 P(x ) ∧e 3 푥 0 푒1 8 P(x0) ∧ R(x0) ∧i7,6
9 ∃ (P ∧R( )) ∃ i 8 10 ∃ (P ∧R( )) ∃ e 2,3-9 푥 푥 푥 푥 푥 푥 푥 푥 Quantifier Equivalences 1. ¬∀x ϕ ∃x ¬ ϕ 2. ¬ ∃ x ϕ ∀x ¬ ϕ ⊣⊢ 3. ∀x ϕ ∧ ψ ∀x (ϕ ∧ ψ) [x not free in ψ] ⊣⊢ 4. ∀x ϕ ∨ ψ ∀x (ϕ ∨ ψ) ⊣⊢ 5. ∃ x ϕ ∧ ψ ∃ x (ϕ ∧ ψ) ⊣⊢ 6. ∃ x ϕ ∨ ψ ∃ x (ϕ ∨ ψ) ⊣⊢ 7. ∀x (ψ → ϕ) ψ → ∀x ϕ ⊣⊢ 8. ∃ x (ϕ → ψ) ∀x ϕ → ψ ⊣⊢ 9. ∀x (ϕ → ψ) ∃ x ϕ → ψ ⊣⊢ 10.∃ x (ψ → ϕ) ψ → ∃ x ϕ ⊣⊢
⊣⊢
Quantifier Equivalences
1. ∀x ϕ ∧ ∀x ψ ∀x (ϕ ∧ ψ) 2. ∃ x ϕ ∨ ∃ x ψ ∃x (ϕ ∨ ψ) ⊣⊢ 3. ∀x ∀y ϕ ∀y ∀x ϕ ⊣⊢ 4. ∃ x ∃ y ϕ ∃ y ∃ x ϕ ⊣⊢
⊣⊢
De Morgan’s Law
¬(p1∧ 2) (¬ p1∨¬ 2)
1 ¬(p1∧ 2) premise 2 ¬(¬ p ∨¬ ) assumption 푝 ⊢1 푝 2 푝 3 ¬ p assumption 1 푝 4 ¬ p1∨¬ 2 ∨i1 3 5 ¬e4,2 푝 6 p PBC 3-5 ⊥1 7 ¬ p2 assumption
8 ¬ p1∨¬ 2 ∨i2 7 9 ¬e4,2 푝 10 p PBC 7-9 ⊥2 11 (p1∧ 2) ∧i 6,1- 12 ¬e 11,1 푝 13 (¬ p ∨¬ ) PBC 2-12 1⊥ 2 푝 Generalized De Morgan’s Law
¬∀x P(x) ∃x ¬P(x)
1 ¬∀⊢x P(x) premise 2 ¬∃x ¬P(x) assumption
3 x0
4 ¬P(x0) assumption 5 ∃x ¬P(x) ∃x i 4 6 ¬e 5,2 7 P(x ) PBC 4-6 ⊥0 8 ∀x P(x) ∀x i 3-7 9 ¬e 8,1 10 ∃x ¬P(x) PBC 2-9 ⊥ Generalized De Morgan’s Law
¬∀x ϕ ∃x ¬ϕ
1 ¬∀⊢xϕ premise 2 ¬∃x Exercise
Prove the reverse ∃x ¬ϕ ¬∀x ϕ
⊢ Models
• Let F be a set of functions and P a set of predicates. A model M for (F,P) consists of • A non-empty set A [universe] of concrete values
• For each nullary f ∈ F an element of A = fM • For each n-ary f ∈ F a function fM : An → A • For each n-ary P ∈ P a subset PM ⊆ An Example 1
• F = {i} and P = {R,F} • i a constant function, R binary and F unary predicates • Model – A set of states, initial state i, state transitions R, final states F • A = {a,b,c} • iM = a • RM = {(a,a),(a,b),(a,c),(b,c), (c,c)} • FM = {b,c} Example 1
• ∃y R(i,y)
• ¬F(i)
• ∀x ∀y ∀z (R(x,y) ∧ R(x,z) → y = z )
• ∀x ∃y R(x,y)
Example 2
• F = {e,⋅} and P = {≤} • e a constant function, ⋅ a binary function, ≤ a binary predicate1 • Model – A set of states, • A = {binary strings} • eM = ε, ⋅M concatenation, ≤M prefix ordering [011 is a prefix of 011001 Example 2
• ∀x ((x ≤ x⋅e) ∧ x⋅e ≤ x))
• ∃y ∀x (y ≤ x)
• ∀x ∃y (y ≤ x)
• ∀x ∀y ∀z ((x ≤ y) → (x⋅z ≤ y⋅z))
• ¬∃x ∀y ((x ≤ y) →(y ≤ x)) Satisfaction
• Given a model M for (F,P) and given an environment l : var → A the satisfaction relation M l ϕ
• P(t1,…,tn) → (a1,…,an) and M l ϕ iff (a1,…,an) ∈ RM ⊨ ⊨ • M l ∀x ψ iff M l [x → a]ψ holds for all a ∈ A
• M l ∃x ψ iff M l [x → a]ψ holds for some a ∈ A⊨ ⊨ ⊨ ⊨ Satisfaction
• Given a model M for (F,P) and given an environment l : var → A the satisfaction relation M l ϕ
• M l ¬ψ iff M l ψ does not hold • M ψ ∧⊨ ψ iff M ψ and M ψ holds ⊨l 1 2 ⊨ l 1 l 2 • M ψ ∨ ψ iff M ψ or M ψ holds ⊨l 1 2 ⊨l 1 ⊨l 2 • M ψ → ψ iff M ψ holds whenever M ⊨l 1 2 ⊨ l 2 ⊨ l ψ1 holds ⊨ ⊨ ⊨
Semantic Entailment
• For propositional calculus: If for all valuations (assignments of variables to
truth values) for which all φ1,…,φn evaluate to true, ψ also evaluates to true then the
semantic entailment relation φ1,…,φn ψ holds ⊨ • Decidable using truth tables Semantic Entailment
• Let Γ be a set of formulas (possibly infinite) and ψ be a formula from predicate calculus • Γ ψ holds iff for all models M and lookup tables l, whenever M l ϕ holds for all ϕ∈Γ ⊨ then M l ψ holds as well ⊨ • ψ is satisfiable iff there is some model M and ⊨ lookup table l such that M l ψ holds
• ψ is valid iff M l ψ holds for all models M and lookup tables l ⊨ ⊨
Soundness and Completeness
• φ1,…,φn ψ holds iff φ1,…,φn ψ is valid
⊨ ⊢ • In particular, ψ, a tautology, ψ is valid. I.E. ψ is a tautology iff ψ is provable ⊨ ⊢ • Soundness – you can not prove things that are not true in the truth table sense • Completeness – you can prove anything that is true in the truth table sense Post Correspondence
• Given a finite sequence (s1,t1),…,(sk,tk) of pairs of binary strings. Is there a sequence
of indices i1,i2,…,in such that si1 ⋅⋅⋅sin = ti1 ⋅⋅⋅tin • Example
• s1 = 1, s2 = 10, s3 = 011
• t1 = 101, t2 = 00, t3 = 11 • Solution (1,3,2,3) • 101110011 • 101110011
Undecidability
• Theorem. The decision problem of validity for predicate calculus is undecidable: no program exists which, given any ϕ, can determine in a finite amount of time if ϕ • Proof reduce to Post Correspondence problem. I.E. show that if the decision ⊨ problem is solvable, we could solve the Post Correspondence problem. This is a contradiction. Consequences of Undecidability
• From the soundness and completeness of predicate logic, which states that ϕ iff ϕ, we infer that we can not decide provability either ⊨ ⊢
• Since ϕ is satisfiable iff ¬ϕ is valid, we infer that satisfiability for predicate calculus is also undecidable. Proof
• Construct a formula ϕ such that ϕ holds iff the corresponding Post correspondence problem has a solution. ⊨
• ϕ = ϕ1 ∧ ϕ2 → ϕ3
• ϕ1 = ∧i=1..k P(fsi(e),fti(e))
• ϕ2 = ∀v∀w (P(v,w) → ∧i=1..k P(fsi(v),fti(w)))
• ϕ3 = ∃z P(z,z)
Proof • Find model which tells us the Post Correspondence problem has a solution • eM = empty string
• f0(s) = s0, f1(s) = s1 • PM = {(s,t) | there is a sequence of indices
i1,i2,…,in such that si1 ⋅⋅⋅sin = ti1 ⋅⋅⋅tin } • Since ϕ holds M ϕ holds • Both M ϕ and M ϕ holds so it ⊨ 1 ⊨ 2 follows that M ϕ3 holds. This tells us there is ⊨a solution to⊨ the given PC problem ⊨ Proof
• Conversely assume that the PCP C has a solution i1,i2,…,in • Show that if M is any model having a constant eM, two unary functions f0M and f1M, and a binary predicate PM, then the model has to satisfy ϕ
• Need to show if M ϕ1 ∧ ϕ2 then M ϕ3
⊨ ⊨ Proof
• Encode strings in A • interpret(ε) = eM M • interpret(s0) = f0 (interpret(s)) M • interpret(s1) = f1 (interpret(s)) M M M M • Interpret(011) = f1 (f1 (f0 (e ))) M • Since M ϕ1, (interpret(si),interpret(ti)) ∈ P M • Since M ϕ2, If (s,t) ∈ P then ⊨ M (interpret(ssi),interpret(tti)) ∈ P ⊨
Proof
• Therefore, M (interpret(si1…sin),interpret(ti1…tin)) ∈ P
• Since i1,i2,…,in is a solution to the PCP interpret(si1…sin) = interpret(ti1…tin) and ∃z P(z,z) in M and thus M ϕ3
⊨
Reachabilty
• When modeling systems via states and state transitions, we want to show that a “bad” state can not be reached from a “good” state. • Given nodes n and n’ in a directed graph, is there a finite path of transitions from n to n’. s0 s3
A = {s0,s1,s2,s3} RM = {(s0,s1), (s1,s0), (s1,s1),(s1,s2), s1 s2 (s2,s0),(s3,s0),(s3,s2)} Compactness Theorem
• Let Γ be a set of sentences of predicate calculus. If all finite subsets of Γ are satisfiable, then so is Γ.
• Proof – uses soundness and completeness and finite length of proofs. Reachability is Not Expressible
• Can reachability be expressed in predicate calculus?
• u=v ∨ ∃x (R(u,x) ∧ R(x,v)) ∨
• ∃x1∃x2 (R(u,x1) ∧ R(x1,x2) ∧ R(x2,v)) ∨ … • This is infinite
• The answer is no! Proof follows from compactness theorem. Reachability is Not Expressible
• Theorem. There is no predicate-logic formula ϕ with u and v as its only free variables and R its only predicate such that ϕ holds in directed graphs iff there is a path from u to v.
• Proof. By contradiction. Suppose there is
such a formula. Let ϕn be the formula expressing that there is a path from c to c’
ϕn = ∃x1 … ∃xn-1 (R(c,x1) ∧ … ∧ R(xn-1,c)). Reachability is Not Expressible
• Proof. By contradiction. Suppose there is
such a formula ϕ. Let ϕn be the formula expressing that there is a path from c to c’
ϕn = ∃x1 … ∃xn-1 (R(c,x1) ∧ … ∧ R(xn-1,c)).
• ∆ = {¬ ϕi | I ≥ 0} ∪ ϕ[c/u][c’/v] is unsatisfiable, but any finite subset is satisfiable. By compactness this leads to a contradiction and hence there is no such ϕ. Reachability via HOL
• Encode Transitive closure
• ∃P∀x∀y∀z (C1 ∧ C2 ∧ C3 ∧ C4)
• C1 = P(x,x)
• C2 = P(x,y) ∧ P(y,z) → P(x,y)
• C3 = P(u,v) → • C = R(x,y) → P(x,y) 4 ⊥ • Note quantifier applied to predicate P (Existential second order logic)
Reachability via HOL
• Obtain formula for the existence of a path from u to v by negating previous formula (use DeMorgan’s law)
• ∀P∃x∃y∃z (¬ C1 ∧ ¬ C2 ∧ ¬ C3 ∧ ¬ C4)
• If both ∀ and ∃ can range over predicates then second order logic.