# Predicate Calculus Formal Methods in Verification of Computer Systems Jeremy Johnson.



## Outline

1. Motivation
   1. Variables, quantifiers and predicates
2. Syntax
   1. Terms and formulas
   2. Quantifiers, scope and substitution
3. Rules of natural deduction for quantifiers
4. Semantics
   1. Models and semantic entailment
5. Undecidability and limitations

## Example 1

Every student is younger than some instructor:

$\forall x\,(S(x) \to \exists y\,(I(y) \wedge Y(x,y)))$

- S(x): x is a student
- I(x): x is an instructor
- Y(x,y): x is younger than y

## Example 2

Not all birds can fly:

$\neg\forall x\,(B(x) \to F(x))$

$\exists x\,(B(x) \wedge \neg F(x))$

- B(x): x is a bird
- F(x): x can fly

The two formulas are semantically equivalent.

## Example 3

Every child is younger than its mother:

$\forall x\,\forall y\,(C(x) \wedge M(y,x) \to Y(x,y))$

- C(x): x is a child
- M(x,y): x is y's mother
- Y(x,y): x is younger than y

With a function symbol instead of the predicate M:

$\forall x\,(C(x) \to Y(x, m(x)))$

- m(x): function returning the mother of x

## Example 4

Andy and Paul have the same maternal grandmother:

$\exists x\,\exists y\,\exists u\,\exists v\,(M(x,y) \wedge M(y,a) \wedge M(u,v) \wedge M(v,p) \wedge x = u)$

With the function m, the same statement is just

$m(m(a)) = m(m(p))$

- a, p: variables for Andy and Paul
- =: binary predicate (equality)

## Example 5

Everyone has a mother:

$\forall x\,\exists y\,M(y,x)$

$\exists y\,\forall x\,M(y,x)$ [not equivalent: this says one person is everyone's mother]

Everyone has exactly one mother:

$\forall x\,\exists y\,(M(y,x) \wedge \forall z\,(M(z,x) \to z = y))$

## Example 6

Some people have more than one brother:

$\exists x\,\exists y_1\,\exists y_2\,(B(y_1,x) \wedge B(y_2,x) \wedge \neg(y_1 = y_2))$

## Comparison to Propositional Calculus

## Terms

Terms are made up of variables, constants, and functions:

- Term ::= Variable (every variable is a term)
- If c is a nullary function (a constant), c is a term
- If $t_1, \ldots, t_n$ are terms and f is an n-ary function, then $f(t_1, \ldots, t_n)$ is a term

## Formulas

Formula ::=

- If P is an n-ary predicate and $t_1, \ldots, t_n$ are terms, then $P(t_1, \ldots, t_n)$ is a formula
- If $\phi$ is a formula, $\neg\phi$ is a formula
- If $\phi_1$ and $\phi_2$ are formulas, $\phi_1 \wedge \phi_2$, $\phi_1 \vee \phi_2$ and $\phi_1 \to \phi_2$ are formulas
- If $\phi$ is a formula and x is a variable, $\forall x\,\phi$ and $\exists x\,\phi$ are formulas

## Parse Trees

$\forall x\,((P(x) \to Q(x)) \wedge S(x,y))$

[Parse tree shown on the slide: $\forall x$ at the root, $\wedge$ below it, then $\to$ with children P(x) and Q(x), and S with children x and y.]

## Free and Bound Variables

An occurrence of x in $\phi$ is free if it is a leaf node in the parse tree for $\phi$ with no quantifier $\forall x$ or $\exists x$ as an ancestor; otherwise the occurrence is bound.

[Parse trees on the slide mark the free and bound occurrences of x in the previous formula and in a second example.]

## Substitution

Given a variable x, a term t and a formula $\phi$, $\phi[t/x]$ is the formula obtained by replacing each free occurrence of x by t.

[Parse trees on the slide show a formula and $\phi[f(x,y)/x]$: the free leaf x becomes the subtree f(x,y), while the occurrences of x bound by $\forall x$ are left unchanged.]

## Variable Capture

t is free for x in $\phi$ if no free occurrence of x in $\phi$ lies in the scope of a quantifier $\forall y$ or $\exists y$ for any variable y occurring in t.

[Two parse trees on the slide: one where the free x sits under a quantifier for y, so a term containing y is not free for x, and one where substituting such a term would capture y and change the meaning.]
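The substitution and capture rules of the last three slides, as an added worked example (not code from the slides or from the author): terms and formulas are encoded as nested tuples, `free_vars` implements the free/bound distinction, `free_for` implements the "t is free for x in φ" condition, and `subst` performs φ[t/x] only when that condition holds. The tuple encoding and all function names are this example's own choices.

```python
# Added example (not from the slides): free variables, substitution phi[t/x],
# and the "t is free for x in phi" check.  The tuple encoding of terms and
# formulas and all function names are my own choices.

def V(name):                       # variable term
    return ("var", name)

def F(name, *args):                # function application; F("c") is a constant
    return ("fn", name, args)

def P(name, *args):                # atomic formula
    return ("pred", name, args)

def term_vars(t):
    """Variables occurring in a term."""
    if t[0] == "var":
        return {t[1]}
    return set().union(*[term_vars(a) for a in t[2]])

def free_vars(phi):
    """Free variables: leaf occurrences with no binding quantifier above them."""
    kind = phi[0]
    if kind == "pred":
        return set().union(*[term_vars(a) for a in phi[2]])
    if kind == "not":
        return free_vars(phi[1])
    if kind in ("and", "or", "imp"):
        return free_vars(phi[1]) | free_vars(phi[2])
    if kind in ("forall", "exists"):
        return free_vars(phi[2]) - {phi[1]}
    raise ValueError(f"unknown formula {phi!r}")

def free_for(t, x, phi):
    """True iff no free occurrence of x in phi lies in the scope of a quantifier
    that binds a variable of t (the Variable Capture condition)."""
    kind = phi[0]
    if kind == "pred":
        return True
    if kind == "not":
        return free_for(t, x, phi[1])
    if kind in ("and", "or", "imp"):
        return free_for(t, x, phi[1]) and free_for(t, x, phi[2])
    y, body = phi[1], phi[2]
    if y == x or x not in free_vars(body):
        return True                 # nothing inside this scope will be replaced
    if y in term_vars(t):
        return False                # replacing x here would capture a variable of t
    return free_for(t, x, body)

def subst_term(u, t, x):
    if u[0] == "var":
        return t if u[1] == x else u
    return ("fn", u[1], tuple(subst_term(a, t, x) for a in u[2]))

def subst(phi, t, x):
    """phi[t/x]: replace free occurrences of x by t; refuse illegal substitutions."""
    if not free_for(t, x, phi):
        raise ValueError(f"{t!r} is not free for {x} in {phi!r}")
    return _subst(phi, t, x)

def _subst(phi, t, x):
    kind = phi[0]
    if kind == "pred":
        return ("pred", phi[1], tuple(subst_term(a, t, x) for a in phi[2]))
    if kind == "not":
        return ("not", _subst(phi[1], t, x))
    if kind in ("and", "or", "imp"):
        return (kind, _subst(phi[1], t, x), _subst(phi[2], t, x))
    y, body = phi[1], phi[2]
    if y == x:
        return phi                  # x is bound here: its occurrences stay put
    return (kind, y, _subst(body, t, x))

# The illegal case from the slides: phi = exists y (x < y), substituting y for x.
PHI = ("exists", "y", P("<", V("x"), V("y")))

def illegal_example():
    try:
        subst(PHI, V("y"), "x")
        return "accepted"
    except ValueError:
        return "rejected"
```

`subst(PHI, V("z"), "x")` succeeds and yields ∃y (z < y), while `subst(PHI, V("y"), "x")` is rejected because y would be captured; a formula with both a bound and a free x, such as ∀x P(x) ∧ P(x), has only its free occurrence replaced.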

## Equality Rules

Introduction rule (=i): $t = t$, for any term t.

Elimination rule (=e): from $t_1 = t_2$ and $\phi[t_1/x]$ infer $\phi[t_2/x]$.

## Equivalence Relation

Equality is reflexive by =i; symmetry and transitivity are derived with =e.

Symmetry ($t_1 = t_2 \vdash t_2 = t_1$):

1. $t_1 = t_2$ (premise)
2. $t_1 = t_1$ (=i)
3. $t_2 = t_1$ (=e 1,2, with $\phi = (x = t_1)$)

Transitivity ($t_1 = t_2,\ t_2 = t_3 \vdash t_1 = t_3$):

1. $t_1 = t_2$ (premise)
2. $t_2 = t_3$ (premise)
3. $t_1 = t_3$ (=e 2,1, with $\phi = (t_1 = x)$)

## Conjunction Rules

Introduction rule (∧i): from $\phi$ and $\psi$ infer $\phi \wedge \psi$.

Elimination rules: from $\phi \wedge \psi$ infer $\phi$ (∧e1) or $\psi$ (∧e2).

## Universal Quantification Rules

Introduction rule (∀i): open a box with a fresh variable $x_0$; if $\phi[x_0/x]$ is derived inside the box, conclude $\forall x\,\phi$.

Elimination rule (∀e): from $\forall x\,\phi$ infer $\phi[t/x]$, for any term t that is free for x in $\phi$.

## Illegal Substitution Leads to False Reasoning

$\forall x\,\phi$ with $\phi = \exists y\,(x < y)$

$\phi[y/x] = \exists y\,(y < y)$

y is not free for x in $\phi$, so this instance of ∀e is not allowed: it would derive the false $\exists y\,(y < y)$ from the true $\forall x\,\exists y\,(x < y)$.

## Example Proof

$\forall x\,(P(x) \to Q(x)),\ \forall x\,P(x) \vdash \forall x\,Q(x)$

1. $\forall x\,(P(x) \to Q(x))$ (premise)
2. $\forall x\,P(x)$ (premise)
3. $x_0$: $P(x_0) \to Q(x_0)$ (∀e 1)
4. $P(x_0)$ (∀e 2)
5. $Q(x_0)$ (→e 3,4)
6. $\forall x\,Q(x)$ (∀i 3-5)

## Disjunction Rules

Introduction rules: from $\phi$ infer $\phi \vee \psi$ (∨i1); from $\psi$ infer $\phi \vee \psi$ (∨i2).

Elimination rule (∨e, proof by case analysis): from $\phi \vee \psi$, a box assuming $\phi$ and deriving $\chi$, and a box assuming $\psi$ and deriving $\chi$, conclude $\chi$.

## Existential Quantification Rules

Introduction rule (∃i): from $\phi[t/x]$ infer $\exists x\,\phi$.

Elimination rule (∃e, proof by case analysis): from $\exists x\,\phi$ and a box that introduces a fresh $x_0$, assumes $\phi[x_0/x]$ and derives $\chi$ (with $x_0$ not occurring in $\chi$), conclude $\chi$.

## Example Proof

$\exists x\,(P(x) \wedge Q(x)),\ \forall x\,(Q(x) \to R(x)) \vdash \exists x\,(P(x) \wedge R(x))$

1. $\exists x\,(P(x) \wedge Q(x))$ (premise)
2. $\forall x\,(Q(x) \to R(x))$ (premise)
3. $x_0$: $P(x_0) \wedge Q(x_0)$ (assumption)
4. $Q(x_0) \to R(x_0)$ (∀e 2)
5. $Q(x_0)$ (∧e2 3)
6. $R(x_0)$ (→e 4,5)
7. $P(x_0)$ (∧e1 3)
8. $P(x_0) \wedge R(x_0)$ (∧i 7,6)
9. $\exists x\,(P(x) \wedge R(x))$ (∃i 8)
10. $\exists x\,(P(x) \wedge R(x))$ (∃e 1, 3-9)

## Quantifier Equivalences

## De Morgan's Law

$\neg(p \wedge q) \vdash \neg p \vee \neg q$

1. $\neg(p \wedge q)$ (premise)
2. $\neg(\neg p \vee \neg q)$ (assumption)
3. $\neg p$ (assumption)
4. $\neg p \vee \neg q$ (∨i1 3)
5. $\bot$ (¬e 4,2)
6. $p$ (PBC 3-5)
7. $\neg q$ (assumption)
8. $\neg p \vee \neg q$ (∨i2 7)
9. $\bot$ (¬e 8,2)
10. $q$ (PBC 7-9)
11. $p \wedge q$ (∧i 6,10)
12. $\bot$ (¬e 11,1)
13. $\neg p \vee \neg q$ (PBC 2-12)

## Generalized De Morgan's Law

$\neg\forall x\,P(x) \vdash \exists x\,\neg P(x)$

1. $\neg\forall x\,P(x)$ (premise)
2. $\neg\exists x\,\neg P(x)$ (assumption)
3. $x_0$ (fresh variable, opens the ∀i box)
4. $\neg P(x_0)$ (assumption)
5. $\exists x\,\neg P(x)$ (∃i 4)
6. $\bot$ (¬e 5,2)
7. $P(x_0)$ (PBC 4-6)
8. $\forall x\,P(x)$ (∀i 3-7)
9. $\bot$ (¬e 8,1)
10. $\exists x\,\neg P(x)$ (PBC 2-9)

The same proof with an arbitrary formula $\phi$ in place of $P(x)$ gives the general form $\neg\forall x\,\phi \vdash \exists x\,\neg\phi$.

## Exercise

## Models

Let $\mathcal{F}$ be a set of function symbols and $\mathcal{P}$ a set of predicate symbols. A model M for $(\mathcal{F}, \mathcal{P})$ consists of:

- a non-empty set A (the universe) of concrete values;
- for each nullary $f \in \mathcal{F}$, an element $f^M \in A$;
- for each n-ary $f \in \mathcal{F}$, a function $f^M : A^n \to A$;
- for each n-ary $P \in \mathcal{P}$, a subset $P^M \subseteq A^n$.

## Example 1

$\mathcal{F} = \{i\}$ and $\mathcal{P} = \{R, F\}$: i a constant (nullary function), R a binary and F a unary predicate.

Model: a set of states, an initial state i, state transitions R, and final states F.

$A = \{a, b, c\}$, $i^M = a$, $R^M = \{(a,a), (a,b), (a,c), (b,c), (c,c)\}$, $F^M = \{b, c\}$

## Example 1

Properties of the transition system as formulas over $(\mathcal{F}, \mathcal{P})$:

- $\exists y\,R(i,y)$: the initial state has a successor
- $\neg F(i)$: the initial state is not a final state
- $\forall x\,\forall y\,\forall z\,(R(x,y) \wedge R(x,z) \to y = z)$: transitions are deterministic
- $\forall x\,\exists y\,R(x,y)$: every state has a successor
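The definition of a model and the Example 1 formulas, as an added worked example (not code from the slides or the author): a small satisfaction checker that evaluates a formula by recursion on its structure over a finite model, quantifiers ranging over the universe A. The `Model` class, the tuple encoding and the function names are this example's own; the quantifier prefixes attached to the four slide formulas are the editor's reading of the slide.

```python
# Added example (not from the slides): a satisfaction checker for predicate
# calculus over a finite model, run on the Example 1 model above.  The tuple
# encoding, the Model class and the function names are my own; the quantifier
# prefixes on the four slide formulas are my reading of the slide.

class Model:
    """A model for (F, P): universe A, f^M for each function, P^M for each predicate."""
    def __init__(self, universe, funcs, preds):
        self.A = frozenset(universe)
        self.funcs = funcs          # name -> Python callable (constants take no args)
        self.preds = preds          # name -> set of tuples

def eval_term(t, M, env):
    if t[0] == "var":
        return env[t[1]]
    return M.funcs[t[1]](*[eval_term(a, M, env) for a in t[2]])

def holds(phi, M, env=None):
    """M, env |= phi, by recursion on the formula (Tarski semantics)."""
    env = env or {}
    kind = phi[0]
    if kind == "pred":
        vals = tuple(eval_term(a, M, env) for a in phi[2])
        return vals[0] == vals[1] if phi[1] == "=" else vals in M.preds[phi[1]]
    if kind == "not":
        return not holds(phi[1], M, env)
    if kind == "and":
        return holds(phi[1], M, env) and holds(phi[2], M, env)
    if kind == "or":
        return holds(phi[1], M, env) or holds(phi[2], M, env)
    if kind == "imp":
        return (not holds(phi[1], M, env)) or holds(phi[2], M, env)
    if kind == "forall":
        return all(holds(phi[2], M, {**env, phi[1]: a}) for a in M.A)
    if kind == "exists":
        return any(holds(phi[2], M, {**env, phi[1]: a}) for a in M.A)
    raise ValueError(f"unknown formula {phi!r}")

# Small constructors for readability.
def V(n): return ("var", n)
def Fn(n, *args): return ("fn", n, args)
def Pr(n, *args): return ("pred", n, args)

# The slide's model: A = {a,b,c}, i^M = a, R^M and F^M as given.
EXAMPLE1 = Model(
    {"a", "b", "c"},
    {"i": lambda: "a"},
    {"R": {("a", "a"), ("a", "b"), ("a", "c"), ("b", "c"), ("c", "c")},
     "F": {("b",), ("c",)}},
)

FORMULAS = {
    # exists y R(i,y): the initial state has a successor
    "exists y R(i,y)": ("exists", "y", Pr("R", Fn("i"), V("y"))),
    # not F(i): the initial state is not a final state
    "not F(i)": ("not", Pr("F", Fn("i"))),
    # forall x y z (R(x,y) and R(x,z) -> y = z): transitions are deterministic
    "deterministic": ("forall", "x", ("forall", "y", ("forall", "z",
        ("imp", ("and", Pr("R", V("x"), V("y")), Pr("R", V("x"), V("z"))),
                Pr("=", V("y"), V("z")))))),
    # forall x exists y R(x,y): every state has a successor
    "total": ("forall", "x", ("exists", "y", Pr("R", V("x"), V("y")))),
}

def check_example1():
    """Truth value of each slide formula in the Example 1 model."""
    return {name: holds(phi, EXAMPLE1) for name, phi in FORMULAS.items()}
```

In this model the determinism formula is false, because state a has three successors, while the other three formulas are true; `holds` is exactly the satisfaction relation the next slide defines, made executable for finite universes.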

## Example 2

$\mathcal{F} = \{e, \cdot\}$ and $\mathcal{P} = \{\leq\}$: e a constant function, $\cdot$ a binary function, $\leq$ a binary predicate.

Model: A = {binary strings}, $e^M = \varepsilon$ (the empty string), $\cdot^M$ concatenation, $\leq^M$ the prefix ordering (011 is a prefix of 011001).

## Example 2

x ((x  x  e)  x  e  x))  y  x (y  x)  x  y (y  x)  x  y  z ((x  y)  (x  z  y  z))  x  y ((x  y)  (y  x))

## Satisfaction

## Semantic Entailment

## Soundness and Completeness

## Post Correspondence

Given a finite sequence $(s_1,t_1), \ldots, (s_k,t_k)$ of pairs of binary strings, is there a sequence of indices $i_1, i_2, \ldots, i_n$ such that

$s_{i_1} \cdots s_{i_n} = t_{i_1} \cdots t_{i_n}$?

Example: $s_1 = 1$, $s_2 = 10$, $s_3 = 011$ and $t_1 = 101$, $t_2 = 00$, $t_3 = 11$.

Solution: (1, 3, 2, 3), since $s_1 s_3 s_2 s_3 = 1 \cdot 011 \cdot 10 \cdot 011 = 101110011 = 101 \cdot 11 \cdot 00 \cdot 11 = t_1 t_3 t_2 t_3$.
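The Post correspondence instance above, as an added worked example (not code from the slides or the author): `is_solution` checks a proposed index sequence, and `search` looks for a solution by breadth-first search up to a length bound, discarding partial sequences as soon as neither side is a prefix of the other. The bound is essential: an unbounded search need not terminate, which is exactly why the problem is undecidable rather than merely slow. The pair encoding and function names are this example's own.

```python
# Added example (not from the slides): a checker for proposed Post
# Correspondence solutions plus a length-bounded search, run on the instance
# above.  Names are my own.

# The slide's instance as (s_i, t_i) pairs; indices on the slide start at 1.
PAIRS = [("1", "101"), ("10", "00"), ("011", "11")]

def concat(pairs, indices, side):
    """s_{i1}...s_{in} (side 0) or t_{i1}...t_{in} (side 1)."""
    return "".join(pairs[i - 1][side] for i in indices)

def is_solution(pairs, indices):
    """A non-empty index sequence whose s- and t-concatenations agree."""
    return len(indices) > 0 and concat(pairs, indices, 0) == concat(pairs, indices, 1)

def search(pairs, max_len):
    """Breadth-first search for a solution of length <= max_len, or None.
    A partial sequence is kept only while one side is a prefix of the other:
    once the two strings disagree, no extension can repair them."""
    frontier = [()]
    for _ in range(max_len):
        nxt = []
        for seq in frontier:
            for i in range(1, len(pairs) + 1):
                cand = seq + (i,)
                s, t = concat(pairs, cand, 0), concat(pairs, cand, 1)
                if s == t:
                    return cand
                if s.startswith(t) or t.startswith(s):
                    nxt.append(cand)
        frontier = nxt
    return None
```

`search(PAIRS, 3)` finds nothing, `search(PAIRS, 4)` returns the slide's solution (1, 3, 2, 3), and `concat` on that sequence gives 101110011 on both sides.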

## Undecidability

## Consequences of Undecidability

## Proof

## Reachability

When modeling systems via states and state transitions, we want to show that a "bad" state cannot be reached from a "good" state. Given nodes n and n' in a directed graph, is there a finite path of transitions from n to n'?

Example graph (drawn on the slide with nodes s0, s1, s2, s3):

$A = \{s_0, s_1, s_2, s_3\}$

$R^M = \{(s_0,s_1), (s_1,s_0), (s_1,s_1), (s_1,s_2), (s_2,s_0), (s_3,s_0), (s_3,s_2)\}$
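The reachability question on the slide's graph, as an added worked example (not code from the slides or the author): `reachable` computes the set of nodes reachable by paths of length 0, then ≤ 1, then ≤ 2, and so on, until no new node appears, which on a finite universe happens after at most |A| rounds; `safe` then answers "no bad state is reachable from the good state" by set membership, and `shortest_path` returns a witness path when one exists. The relation R is the slide's; the function names are this example's own.

```python
# Added example (not from the slides): reachability on the slide's transition
# relation R^M, computed as the iteration over path lengths 0, <= 1, <= 2, ...
# On a finite model the iteration closes after at most |A| rounds, so the
# safety question "no bad state is reachable from a good state" reduces to a
# set membership test.  Function names are my own.

A = {"s0", "s1", "s2", "s3"}
R = {("s0", "s1"), ("s1", "s0"), ("s1", "s1"), ("s1", "s2"),
     ("s2", "s0"), ("s3", "s0"), ("s3", "s2")}

def successors(R, S):
    """One transition step applied to every node in S."""
    return {y for (x, y) in R if x in S}

def reachable(R, start, max_len=None):
    """Nodes reachable from start by a path of length <= max_len
    (unbounded when max_len is None).  Returns (nodes, rounds), where rounds
    counts the iterations performed until no new node appeared."""
    seen, frontier, rounds = {start}, {start}, 0
    while frontier and (max_len is None or rounds < max_len):
        frontier = successors(R, frontier) - seen   # only genuinely new nodes
        seen |= frontier
        rounds += 1
    return seen, rounds

def safe(R, good, bad):
    """True iff no finite path leads from the good state to the bad state."""
    return bad not in reachable(R, good)[0]

def shortest_path(R, start, goal):
    """Breadth-first search; returns the node list of a shortest path, or None."""
    parent = {start: None}
    frontier = [start]
    while frontier:
        nxt = []
        for x in frontier:
            if x == goal:
                path = []
                while x is not None:
                    path.append(x)
                    x = parent[x]
                return path[::-1]
            for y in successors(R, {x}):
                if y not in parent:
                    parent[y] = x
                    nxt.append(y)
        frontier = nxt
    return None
```

From s0 the iteration stops after three rounds with {s0, s1, s2}, so s3 is unreachable from s0 and `safe(R, "s0", "s3")` holds; from s3 every node is reachable, and `shortest_path(R, "s3", "s1")` gives s3, s0, s1.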

## Compactness Theorem

Let $\Gamma$ be a set of sentences of predicate calculus. If all finite subsets of $\Gamma$ are satisfiable, then so is $\Gamma$.

Proof: uses soundness and completeness and the finite length of proofs (a proof of $\bot$ from $\Gamma$ can only use finitely many sentences of $\Gamma$).

## Reachability is Not Expressible

Can reachability be expressed in predicate calculus? A first attempt enumerates the possible path lengths:

$u = v \;\vee\; \exists x\,(R(u,x) \wedge R(x,v)) \;\vee\; \exists x_1\,\exists x_2\,(R(u,x_1) \wedge R(x_1,x_2) \wedge R(x_2,v)) \;\vee\; \ldots$

This disjunction is infinite, and a formula must be finite. The answer is no; the proof follows from the compactness theorem.

## Reachability is Not Expressible

Theorem. There is no predicate-logic formula $\phi$ with u and v as its only free variables and R as its only predicate symbol such that $\phi$ holds in a directed graph iff there is a path from u to v.

Proof. By contradiction. Suppose there is such a formula $\phi$. Let $\phi_n$ be the formula expressing that there is a path of length n from c to c':

$\phi_n = \exists x_1 \ldots \exists x_{n-1}\,(R(c,x_1) \wedge \ldots \wedge R(x_{n-1},c'))$.

Let $\Gamma = \{\neg\phi_i \mid i \geq 0\} \cup \{\phi[c/u][c'/v]\}$. $\Gamma$ is unsatisfiable, since a path from c to c' would have some finite length i, contradicting $\neg\phi_i$; but any finite subset of $\Gamma$ is satisfiable, by a graph whose only path from c to c' is longer than every i mentioned in that subset. By compactness $\Gamma$ would then be satisfiable, a contradiction; hence there is no such $\phi$.

## Reachability via HOL

Obtain a formula for the existence of a path from u to v by negating the previous formula (using De Morgan's law):

$\exists P\,\exists x\,\exists y\,\exists z\,(\neg C_1 \vee \neg C_2 \vee \neg C_3 \vee \neg C_4)$

If both $\forall$ and $\exists$ can range over predicates such as P, the logic is second-order logic.

