From OCL to Propositional and First-order Logic: Part I

Transcription

1 22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 From OCL to Propositional and First-order Logic: Part I Copyright Reiner Hähnle and Cesare Tinelli. Notes originally developed by Reiner Hähnle at Chalmers University and modified by Cesare Tinelli at the University of Iowa. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. 22c181: Formal Methods in Software Engineering p.1/32

2 Contents Overview of KeY UML and its semantics Introduction to OCL Specifying requirements with OCL Modelling of Systems with Formal Semantics Propositional & First-order logic, sequent calculus OCL to Logic, horizontal proof obligations, using KeY Dynamic logic, proving program correctness Java Card DL Vertical proof obligations, using KeY Wrap-up, trends 22c181: Formal Methods in Software Engineering p.2/32

3 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred 22c181: Formal Methods in Software Engineering p.3/32

4 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred 22c181: Formal Methods in Software Engineering p.3/32

5 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred harley17.i(owner).i(age) 18 and bmw3.i(owner).i(age) 18 22c181: Formal Methods in Software Engineering p.3/32

6 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred harley17.i(owner).i(age) 18 and bmw3.i(owner).i(age) 18 I(owner) : Vehicle Person 22c181: Formal Methods in Software Engineering p.3/32

7 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred harley17.i(owner).i(age) 18 and bmw3.i(owner).i(age) 18 I(owner)(harley17) = I(owner)(bmw3) = id c181: Formal Methods in Software Engineering p.3/32

8 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred harley17.i(owner).i(age) 18 and bmw3.i(owner).i(age) 18 I(owner)(harley17) = I(owner)(bmw3) = id0825 id0825.i(age) 18 22c181: Formal Methods in Software Engineering p.3/32

9 Reminder: Object Diagrams and OCL id0815:person name = Jane age = 5 ownership harley17:bike colour = idblack idblack:colour black() = idblack white() = idwhite red() = idred id0825:person name = Paul age = 25 context inv: ownership bmw3:car colour = idwhite Vehicle self.owner.age >= 18 I(Vehicle) = {harley17, bmw3} idwhite:colour black() = idblack white() = idwhite red() = idred idred:colour black() = idblack white() = idwhite red() = idred harley17.i(owner).i(age) 18 and bmw3.i(owner).i(age) 18 I(owner)(harley17) = I(owner)(bmw3) = id0825 id0825.i(age) 18 I(age)(id0825) = c181: Formal Methods in Software Engineering p.3/32

10 OCL and Formal Proofs Snapshots provide formal semantics for UML and OCL can formally prove properties of model and implementation 22c181: Formal Methods in Software Engineering p.4/32

11 OCL and Formal Proofs Snapshots provide formal semantics for UML and OCL can formally prove properties of model and implementation Examples: Invariant of class A implies invariant of class B For each snapshot I: if A s invariant holds in I, then so does B s Horizontal verification problem (within specification) Implementation of operation m fulfills its contract For each snapshot I: if precondition of m holds in I, then its postcondition holds in snapshot I produced by execution of m Vertical verification problem (implementation against specification) 22c181: Formal Methods in Software Engineering p.4/32

12 Snapshots and States: Static View Snaphots have static and dynamic part 22c181: Formal Methods in Software Engineering p.5/32

13 Snapshots and States: Static View Snaphots have static and dynamic part Static (object diagram): objects, attribute values, associations Static part of snapshot similar to execution state of program Denote such states with s, set of all states S (infinite!) Think of one single state as object diagram Proving horizontal verification problem: state inclusion 22c181: Formal Methods in Software Engineering p.5/32

14 Snapshots and States: Static View Snaphots have static and dynamic part Static (object diagram): objects, attribute values, associations Static part of snapshot similar to execution state of program Denote such states with s, set of all states S (infinite!) Think of one single state as object diagram Proving horizontal verification problem: state inclusion Example: Let inv A be invariant of class A, inv B invariant of class B {s S inv A holds in s} {s S inv B holds in s} 22c181: Formal Methods in Software Engineering p.5/32

15 Snapshots and States: Dynamic View Program state s = static part of snapshot Set of all states S Dynamic part of snapshot: Semantics of operations m: ρ(m) : S S Operation can be seen as state transformer For each m and s S result state ρ(m)(s) ρ is partial function: programs deterministic, may not terminate Proving vertical verification problem: state reachability 22c181: Formal Methods in Software Engineering p.6/32

16 Snapshots and States: Dynamic View Program state s = static part of snapshot Set of all states S Dynamic part of snapshot: Semantics of operations m: ρ(m) : S S Operation can be seen as state transformer For each m and s S result state ρ(m)(s) ρ is partial function: programs deterministic, may not terminate Proving vertical verification problem: state reachability Example: Let pre be precondition, post postcondition of m Does post hold in all states s {ρ(m)(s) s satisfies pre}? Does post hold in all states s that can be reached via m from any state s satisfying pre? 22c181: Formal Methods in Software Engineering p.6/32

17 Dynamic Part of Snapshots as LTS (Deterministic) Labelled Transition System (LTS) K = (S, ρ): S set of states, ρ : Method (S S) (takes a program and returns a map from S to S), α = ρ(m), β = ρ(m ) a s 1 β s 2 α β α β s 4 α β a a s 5 s 6 s 3 Infinite number of states need theorem proving (or approximation) 22c181: Formal Methods in Software Engineering p.7/32

18 Dynamic Part of Snapshots as LTS Each state is a static snapshot (ie, object diagram) with the current objects and values. If ρ(m) takes, say, state s 1 into s 4, then a directed edge from s 1 to s 4 labelled with ρ(m) is present in K. ρ(m) is then a (possibly infinite) number of pre-/post execution state pairs. There is no explicit notion of initial state. One may consider as initial states those that satisfy the precondition of a distinguished main method (and possibly the invariant of its class). 22c181: Formal Methods in Software Engineering p.8/32

19 Encoding Verification Problem in Logic UML Model Patterns/Idioms CASE Tool Java (Card) (partial implementation) OCL (partial specification) Java (Card) RecodeR Univ Karlsruhe AST XML API AST FOL/Java Card DL OCL OCL Parser Univ Dresden Translation formula synthesis (vert. verif.) Formal proof Interactive/Automated Theorem Prover 22c181: Formal Methods in Software Engineering p.9/32

20 Why translate OCL into Logic? 22c181: Formal Methods in Software Engineering p.10/32

21 Why translate OCL into Logic? Difficult and expensive to develop theorem prover for a formalism OCL only one of many specification languages (JML, RSL, etc.) OCL prone to change (1.3, 1.4, 1.5,..., 2.0,...?) First order logic (FOL) well understood, mature tools FOL in verification like the Reals in Calculus 22c181: Formal Methods in Software Engineering p.10/32

22 Why translate OCL into Logic? Difficult and expensive to develop theorem prover for a formalism OCL only one of many specification languages (JML, RSL, etc.) OCL prone to change (1.3, 1.4, 1.5,..., 2.0,...?) First order logic (FOL) well understood, mature tools FOL in verification like the Reals in Calculus OCL not designed for verification, programming language independent OCL (UML) doesn t know about implementation of operations Need to incorporate Java data types and programs OCL not designed to express verification problems OCL doesn t know about (class) initialization (<2.0) 22c181: Formal Methods in Software Engineering p.10/32

23 Contents Overview of KeY UML and its semantics Introduction to OCL Specifying requirements with OCL Modelling of Systems with Formal Semantics Propositional & First-order logic, sequent calculus OCL to Logic, horizontal proof obligations, using KeY Dynamic logic, proving program correctness Java Card DL Vertical proof obligations, using KeY Wrap-up, trends 22c181: Formal Methods in Software Engineering p.11/32

24 Formalisation Real World Formalisation Formal Model 22c181: Formal Methods in Software Engineering p.12/32

25 Formalisation Formal Language Real World Formal Semantics 22c181: Formal Methods in Software Engineering p.12/32

26 Formalisation UML OCL Java Real World I, ρ Snapshots/LTS 22c181: Formal Methods in Software Engineering p.12/32

27 Formalisation UML OCL Java I, ρ Real World Snapshots/LTS infinite 22c181: Formal Methods in Software Engineering p.12/32

28 Formalisation UML OCL Java I, ρ Real World Snapshots/LTS infinite Calculus finite 22c181: Formal Methods in Software Engineering p.12/32

29 Formal Verification UML OCL Java I, ρ Real World Snapshot/ LTS infinite Calculus finite 22c181: Formal Methods in Software Engineering p.13/32

30 Formal Verification UML OCL Java I, ρ Real World Obj. Diagr. Snapshot/ LTS Calculus 22c181: Formal Methods in Software Engineering p.13/32

31 Formal Verification UML OCL Java I, ρ Translation FO Logic Dyn. Logic I, ρ Real World Obj. Diagr. Snapshot/ LTS FO Interp. Kripke Str. Calculus 22c181: Formal Methods in Software Engineering p.13/32

32 Formal Verification UML OCL Java I, ρ Translation FO Logic Dyn. Logic I, ρi, ρ, = Real World Obj. Diagr. Snapshot/ LTS Calculus FO Interp. Kripke Str. Sequent Calculus 22c181: Formal Methods in Software Engineering p.13/32

33 Syntax, Semantics, Calculus Syntax Formula I, ρ, = Semantics Valid Calculus Derivable 22c181: Formal Methods in Software Engineering p.14/32

34 Syntax, Semantics, Calculus Syntax Formula I, ρ, = Semantics Valid Calculus Derivable Completeness 22c181: Formal Methods in Software Engineering p.14/32

35 Syntax, Semantics, Calculus Syntax Formula I, ρ, = Semantics Valid Calculus Derivable Completeness Soundness 22c181: Formal Methods in Software Engineering p.14/32

36 Propositional Logic Propositional Formulas I, = Mapping Variables into {true, f alse} Sequent Calculus SAT solver 22c181: Formal Methods in Software Engineering p.15/32

37 Propositional Logic Propositional Formulas I, = Mapping Variables into {true, f alse} Sequent Calculus 22c181: Formal Methods in Software Engineering p.15/32

38 Contents Overview of KeY UML and its semantics Introduction to OCL Specifying requirements with OCL Modelling of Systems with Formal Semantics Propositional & First-order logic, sequent calculus OCL to Logic, horizontal proof obligations, using KeY Dynamic logic, proving program correctness Java Card DL Vertical proof obligations, using KeY Wrap-up, trends 22c181: Formal Methods in Software Engineering p.16/32

39 Propositional Logic: Syntax Propositional Formulas I, = Mapping Variables into {true, f alse} Sequent Calculus 22c181: Formal Methods in Software Engineering p.17/32

40 Syntax of Propositional Logic The Signature: Propositional Variables P = {p i i IN} with type Boolean 22c181: Formal Methods in Software Engineering p.18/32

41 Syntax of Propositional Logic The Signature: Propositional Variables P = {p i i IN} with type Boolean Connectives {true, false, &,,!, ->, <-> } 22c181: Formal Methods in Software Engineering p.18/32

42 Syntax of Propositional Logic The Signature: Propositional Variables P = {p i i IN} with type Boolean Connectives {true, false, &,,!, ->, <-> } Propositional Formulas For 0 (all have type Boolean) Truth constants true, false and variables P are formulas 22c181: Formal Methods in Software Engineering p.18/32

43 Syntax of Propositional Logic The Signature: Propositional Variables P = {p i i IN} with type Boolean Connectives {true, false, &,,!, ->, <-> } Propositional Formulas For 0 (all have type Boolean) Truth constants true, false and variables P are formulas If G and H are formulas then!g, (G &H), (G H), (G -> H), (G <-> H) are also formulas There are no other formulas (inductive definition) 22c181: Formal Methods in Software Engineering p.18/32

44 Propositional Logic: Semantics Propositional Formulas I, = Mapping Variables into {true, f alse} Sequent Calculus 22c181: Formal Methods in Software Engineering p.19/32

45 Semantics of Propositional Logic Interpretation I Assigns a truth value to each propositional variable I : P {true,false} 22c181: Formal Methods in Software Engineering p.20/32

46 Semantics of Propositional Logic Interpretation I Assigns a truth value to each propositional variable I : P {true,false} Valuation function val I : extension of I to For 0 val I : For 0 {true,false} 22c181: Formal Methods in Software Engineering p.20/32

47 Semantics of Propositional Logic Interpretation I Assigns a truth value to each propositional variable I : P {true,false} Valuation function val I : extension of I to For 0 val I (p i ) = I(p i ) val I (true) = true val I (false) = false val I : For 0 {true,false} true if val I (G) = false or val I (G -> H) = val I (H) = true f alse otherwise etc. I satisfies G if val I (G) = true; otherwise, it falsifies G. 22c181: Formal Methods in Software Engineering p.20/32

48 Example Formula p -> (q -> p) 22c181: Formal Methods in Software Engineering p.21/32

49 Example Formula p -> (q -> p) Interpretation (one of four that are possible) I(p) = true I(q) = false 22c181: Formal Methods in Software Engineering p.21/32

50 Example Formula p -> (q -> p) Interpretation (one of four that are possible) I(p) = true I(q) = false Valuation val I ( q -> p ) = true 22c181: Formal Methods in Software Engineering p.21/32

51 Example Formula p -> (q -> p) Interpretation (one of four that are possible) I(p) = true I(q) = false Valuation val I ( q -> p ) = true val I ( p -> (q -> p) ) = true 22c181: Formal Methods in Software Engineering p.21/32

52 Semantic Notions Let G For 0, Γ For 0 Validity Relation = G is valid in I iff val I (G) = true (write: I = G) A formula that is valid in some interpretation is satisfiable Γ entails G (Γ = G) iff for all interpretations I: If I = H for all H Γ then also I = G If G is valid in any interpretation, i.e = G (short : = G) then G is called logically valid 22c181: Formal Methods in Software Engineering p.22/32

53 Propositional Logic Examples Satisfiable? p & ((!p) q) 22c181: Formal Methods in Software Engineering p.23/32

54 Propositional Logic Examples p & ((!p) q) Satisfiable? Yes 22c181: Formal Methods in Software Engineering p.23/32

55 Propositional Logic Examples p & ((!p) q) Satisfiable? Yes Satisfying Interpretation? 22c181: Formal Methods in Software Engineering p.23/32

56 Propositional Logic Examples p & ((!p) q) Satisfiable? Yes Satisfying Interpretation? I(p) = true, I(q) = true 22c181: Formal Methods in Software Engineering p.23/32

57 Propositional Logic Examples p & ((!p) q) Satisfiable? Yes Satisfying Interpretation? I(p) = true, I(q) = true Does this hold? p & ((!p) q) = q r 22c181: Formal Methods in Software Engineering p.23/32

58 Propositional Logic Examples p & ((!p) q) Satisfiable? Yes Satisfying Interpretation? I(p) = true, I(q) = true Does this hold? Yes. Why? p & ((!p) q) = q r 22c181: Formal Methods in Software Engineering p.23/32

59 Propositional Logic Propositional Formulas I, = Mapping Variables into {true, f alse} Sequent Calculus 22c181: Formal Methods in Software Engineering p.24/32

60 Reasoning by Syntactic Transformation Establish = G by finite syntactic transformations of G 22c181: Formal Methods in Software Engineering p.25/32

61 Reasoning by Syntactic Transformation Establish = G by finite syntactic transformations of G (Logic) Calculus: a set of syntactic transformation rules R defining a property over For 0 such that = G iff G (G is derivable) = G implies G (Completeness) G implies = G (Soundness) 22c181: Formal Methods in Software Engineering p.25/32

62 Reasoning by Syntactic Transformation Establish = G by finite syntactic transformations of G (Logic) Calculus: a set of syntactic transformation rules R defining a property over For 0 such that = G iff G (G is derivable) = G implies G (Completeness) G implies = G (Soundness) Sequent Calculus based on notion of sequent ψ 1,...,ψ m }{{} Antecedent ==> φ 1,...,φ n }{{} Succedent has same semantics as (ψ 1 & &ψ m ) -> (φ 1 φ n ) {ψ 1,...,ψ m } = φ 1 φ n 22c181: Formal Methods in Software Engineering p.25/32

63 Notation for Sequents ψ 1,...,ψ m ==> φ 1,...,φ n Consider antecedent/succedent as sets of formulas, may be empty Use schema variables Γ,φ,... that match (sets of) formulas Characterize infinitely many formulas with a single sequent Γ ==>,φ&ψ Matches any sequent with occurrence of conjunction in succedent Call φ &ψ main formula and Γ, side formulas of sequent Any sequent of the form Γ,φ ==>,φ is logically valid, and is called an axiom 22c181: Formal Methods in Software Engineering p.26/32

64 Sequent Calculus Rules Basic idea: write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible rule name { Premisses }} { Γ 1 ==> 1 Γ r ==> r Γ ==> }{{} Conclusion 22c181: Formal Methods in Software Engineering p.27/32

65 Sequent Calculus Rules Basic idea: write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Example rule name AND_RIGHT { Premisses }} { Γ 1 ==> 1 Γ r ==> r Γ ==> }{{} Conclusion Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, 22c181: Formal Methods in Software Engineering p.27/32

66 Sequent Calculus Rules Basic idea: write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Example rule name AND_RIGHT { Premisses }} { Γ 1 ==> 1 Γ r ==> r Γ ==> }{{} Conclusion Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, Rules can have zero premisses (iff conclusion is valid, eg. an axiom) 22c181: Formal Methods in Software Engineering p.27/32

67 Sequent Calculus Rules Basic idea: write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Example rule name AND_RIGHT { Premisses }} { Γ 1 ==> 1 Γ r ==> r Γ ==> }{{} Conclusion Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, A rule is sound if every interpretation that satisfies each premiss of the rule also satisfies its conclusion (essential property) 22c181: Formal Methods in Software Engineering p.27/32

68 Sequent Calculus Rules Basic idea: write syntactic transformation schema for sequents that reflects semantics of connectives as closely as possible Example rule name AND_RIGHT { Premisses }} { Γ 1 ==> 1 Γ r ==> r Γ ==> }{{} Conclusion Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, A rule is sound if every interpretation that satisfies each premiss of the rule also satisfies its conclusion (essential property) A rule is complete if every interpretation that satisfies its conclusion also satisfies each of its premisses (desirable property) 22c181: Formal Methods in Software Engineering p.27/32

69 Rules of Propositional Sequent Calculus main left side (work on antecedent) right side (work on succedent) not Γ ==> φ, Γ,!φ ==> Γ, φ ==> Γ ==>!φ, 22c181: Formal Methods in Software Engineering p.28/32

70 Rules of Propositional Sequent Calculus main left side (work on antecedent) right side (work on succedent) not and Γ ==> φ, Γ,!φ ==> Γ,φ,ψ ==> Γ,φ&ψ ==> Γ, φ ==> Γ ==>!φ, Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, 22c181: Formal Methods in Software Engineering p.28/32

71 Rules of Propositional Sequent Calculus main left side (work on antecedent) right side (work on succedent) not and or Γ ==> φ, Γ,!φ ==> Γ,φ,ψ ==> Γ,φ&ψ ==> Γ, φ ==> Γ, ψ ==> Γ,φ ψ ==> Γ, φ ==> Γ ==>!φ, Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, Γ ==> φ,ψ, Γ ==> φ ψ, 22c181: Formal Methods in Software Engineering p.28/32

72 Rules of Propositional Sequent Calculus main left side (work on antecedent) right side (work on succedent) not and or imp Γ ==> φ, Γ,!φ ==> Γ,φ,ψ ==> Γ,φ&ψ ==> Γ, φ ==> Γ, ψ ==> Γ,φ ψ ==> Γ ==> φ, Γ, ψ ==> Γ,φ -> ψ ==> Γ, φ ==> Γ ==>!φ, Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, Γ ==> φ,ψ, Γ ==> φ ψ, Γ,φ ==> ψ, Γ ==> φ -> ψ, 22c181: Formal Methods in Software Engineering p.28/32

73 Rules of Propositional Sequent Calculus main left side (work on antecedent) right side (work on succedent) not and or imp Γ ==> φ, Γ,!φ ==> Γ,φ,ψ ==> Γ,φ&ψ ==> Γ, φ ==> Γ, ψ ==> Γ,φ ψ ==> Γ ==> φ, Γ, ψ ==> Γ,φ -> ψ ==> Γ, φ ==> Γ ==>!φ, Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, Γ ==> φ,ψ, Γ ==> φ ψ, Γ,φ ==> ψ, Γ ==> φ -> ψ, CLOSE Γ,φ ==> φ, TRUE Γ ==> true, FALSE Γ, false ==> 22c181: Formal Methods in Software Engineering p.28/32

74 Justification of Rules Compute rules by applying semantics definition of connectives 22c181: Formal Methods in Software Engineering p.29/32

75 Justification of Rules Compute rules by applying semantics definition of connectives OR_RIGHT Γ ==> φ,ψ, Γ ==> φ ψ, Follows directly from semantics of sequents 22c181: Formal Methods in Software Engineering p.29/32

76 Justification of Rules Compute rules by applying semantics definition of connectives OR_RIGHT Γ ==> φ,ψ, Γ ==> φ ψ, Follows directly from semantics of sequents AND_RIGHT Γ ==> φ, Γ ==> ψ, Γ ==> φ &ψ, Γ -> (φ &ψ) iff Γ -> φ and Γ -> ψ Distributivity of & over and -> 22c181: Formal Methods in Software Engineering p.29/32

77 Sequent Calculus Proofs Goal to prove: G = ψ 1,...,ψ m ==> φ 1,...,φ n find rule R whose conclusion matches G instantiate R such that conclusion identical to G recursively find proofs for resulting premisses G 1,..., G r tree structure with goal as root close proof branch when rule without premise encountered Goal-directed proof search In KeY tool proof displayed as JAVA Swing tree 22c181: Formal Methods in Software Engineering p.30/32

78 A Simple Proof ==> (A &(A -> B)) -> B 22c181: Formal Methods in Software Engineering p.31/32

79 A Simple Proof A &(A -> B) ==> B ==> (A &(A -> B)) -> B By imp right Γ,φ ==> ψ, Γ ==> φ -> ψ, 22c181: Formal Methods in Software Engineering p.31/32

80 A Simple Proof A,(A -> B) ==> B A &(A -> B) ==> B ==> (A &(A -> B)) -> B By and left Γ,φ,ψ ==> Γ,φ&ψ ==> 22c181: Formal Methods in Software Engineering p.31/32

81 A Simple Proof A ==> B,A A,B ==> B A,(A -> B) ==> B A &(A -> B) ==> B ==> (A &(A -> B)) -> B By imp left Γ ==> φ, Γ,ψ ==> Γ,φ -> ψ ==> 22c181: Formal Methods in Software Engineering p.31/32

82 A Simple Proof CLOSE A ==> B,A A,B ==> B CLOSE A,(A -> B) ==> B A &(A -> B) ==> B ==> (A &(A -> B)) -> B By close Γ,φ ==> φ, 22c181: Formal Methods in Software Engineering p.31/32

83 A Simple Proof CLOSE A ==> B,A A,B ==> B CLOSE A,(A -> B) ==> B A &(A -> B) ==> B ==> (A &(A -> B)) -> B A proof is closed, if all its branches are closed. 22c181: Formal Methods in Software Engineering p.31/32

84 Propositional Logic is insufficient A ALL PERSONS ARE HAPPY 22c181: Formal Methods in Software Engineering p.32/32

85 Propositional Logic is insufficient A B ALL PERSONS ARE HAPPY PAT IS A PERSON 22c181: Formal Methods in Software Engineering p.32/32

86 Propositional Logic is insufficient A B? ALL PERSONS ARE HAPPY PAT IS A PERSON PAT IS HAPPY Propositional logic lacks possibility to talk about individuals In particular, need to model objects, attributes, associations, etc. 22c181: Formal Methods in Software Engineering p.32/32

87 Propositional Logic is insufficient A B? ALL PERSONS ARE HAPPY PAT IS A PERSON PAT IS HAPPY Propositional logic lacks possibility to talk about individuals In particular, need to model objects, attributes, associations, etc. First-Order Logic (FOL) 22c181: Formal Methods in Software Engineering p.32/32