Typed First-order Logic

Size: px

Start display at page:

Download "Typed First-order Logic"

Brent Webb
6 years ago
Views:

1 22c181: Formal Methods in Software Engineering The University of Iowa Spring 2008 Typed First-order Logic Copyright Reiner Hähnle and Cesare Tinelli. Notes originally developed by Reiner Hähnle at Chalmers University and modified by Cesare Tinelli at the University of Iowa. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. 22c181: Formal Methods in Software Engineering p.1/31

2 Contents Overview of KeY UML and its semantics Introduction to OCL Specifying requirements with OCL Modelling of Systems with Formal Semantics Propositional & First-order logic, sequent calculus OCL to Logic, horizontal proof obligations, using KeY Dynamic logic, proving program correctness Java Card DL Vertical proof obligations, using KeY Wrap-up, trends 22c181: Formal Methods in Software Engineering p.2/31

3 Propositional Logic is insufficient A ALL PERSONS ARE HAPPY 22c181: Formal Methods in Software Engineering p.3/31

4 Propositional Logic is insufficient A B ALL PERSONS ARE HAPPY PAT IS A PERSON 22c181: Formal Methods in Software Engineering p.3/31

5 Propositional Logic is insufficient A B? ALL PERSONS ARE HAPPY PAT IS A PERSON PAT IS HAPPY Propositional logic lacks possibility to talk about individuals In particular, need to model objects, attributes, associations, etc. 22c181: Formal Methods in Software Engineering p.3/31

6 Propositional Logic is insufficient A B? ALL PERSONS ARE HAPPY PAT IS A PERSON PAT IS HAPPY Propositional logic lacks possibility to talk about individuals In particular, need to model objects, attributes, associations, etc. First-Order Logic (FOL) with Types 22c181: Formal Methods in Software Engineering p.3/31

7 First-Order Logic First-Order Formulas I, = First-Order Models First-Order Sequent Calculus 22c181: Formal Methods in Software Engineering p.4/31

8 OO Type Hierarchy Finite set T of static types, subtype relation, Dynamic types T d T, where T d Abstract types T a T, where T a T d T a =, T d T a = T, z for all z T Object AbstractCollection List int AbstractList ArrayList Null 22c181: Formal Methods in Software Engineering p.5/31

9 Signature of Typed First-Order Logic Given type hierarchy (T, T d, T a, ), Signature Σ = (V, P, F, α) let T q := T \{ } 22c181: Formal Methods in Software Engineering p.6/31

10 Signature of Typed First-Order Logic Given type hierarchy (T, T d, T a, ), let T q := T \{ } Signature Σ = (V, P, F, α) Variable Symbols V = {x i i N} Predicate Symbols P = {p i i N} Function Symbols F = {f i i N} 22c181: Formal Methods in Software Engineering p.6/31

11 Signature of Typed First-Order Logic Given type hierarchy (T, T d, T a, ), Signature Σ = (V, P, F, α) Variable Symbols V = {x i i N} Predicate Symbols P = {p i i N} Function Symbols F = {f i i N} Typing function α for all symbols: α(x) T q for all x V We write x:z instead of α(x) = z let T q := T \{ } (in Java: z t; ) α(p) Tq for all p P We write p:z 1,...,z r intead of α(p) = (z 1,...,z r ) α(f) T q T q for all f F We write f:z 1,...,z r z instead of α(f) = ((z 1,...,z r ),z) r = 0 ok, No overloading of variables, functions, predicates! 22c181: Formal Methods in Software Engineering p.6/31

12 Special Signature Symbols An Equality symbol. = in P, with typing. = :, A type predicate symbol z in P for each z T q. with typing z : Type cast symbol (z) in F for each z T q, with typing (z) :, z 22c181: Formal Methods in Software Engineering p.7/31

13 First-Order Signature Example Sticks and stones may break your bones, but flowers will never hurt 22c181: Formal Methods in Software Engineering p.8/31

14 First-Order Signature Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates P = {hurts : Any} Functions F = {stick : Stick, stone : Stone, r : Flower} Function with empty argument list: constant 22c181: Formal Methods in Software Engineering p.8/31

15 First-Order Signature Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates P = {hurts : Any} Functions F = {stick : Stick, stone : Stone, r : Flower} Function with empty argument list: constant cf. KeY book p28 22c181: Formal Methods in Software Engineering p.8/31

16 Terms of First-Order Logic Given signature (V, P, F, α) Terms: Set Term z of terms of type z, one for each static type z T x is term of type z for each variable x : z f(t 1,...,t r ) is term of type z for each function symbol f : z 1,...,z r z and terms t i of type z i z i for 1 i r If f is constant (r = 0) we write f instead of f() 22c181: Formal Methods in Software Engineering p.9/31

17 Terms of First-Order Logic Given signature (V, P, F, α) Terms: Set Term z of terms of type z, one for each static type z T x is term of type z for each variable x : z f(t 1,...,t r ) is term of type z for each function symbol f : z 1,...,z r z and terms t i of type z i z i for 1 i r If f is constant (r = 0) we write f instead of f() Example: T d = {Car, Person, } where Person, Car F = {owner : Car Person, pat : Person, herbie : Car}, x : Car Terms: herbie, owner(herbie), owner((car)pat) (!), owner(x) Non-terms: Car, owner(pat), owner((person)herbie) 22c181: Formal Methods in Software Engineering p.9/31

18 Formulas of First-Order Logic First-Order Formulas: Set F or of (first-order) formulas p(t 1,...,t r ) is an atomic formula for predicate symbol p : z 1,...,z r and terms t i of type z i z i for 1 i r Truth constants, connectives as in propositional logic If x is any variable, φ a formula, then x.φ and x.φ are formulas We call φ the scope of variable x. We say that x is bound by the quantifier in x.φ (similarly for x.φ) 22c181: Formal Methods in Software Engineering p.10/31

19 Formulas of First-Order Logic First-Order Formulas: Set F or of (first-order) formulas p(t 1,...,t r ) is an atomic formula for predicate symbol p : z 1,...,z r and terms t i of type z i z i for 1 i r Truth constants, connectives as in propositional logic If x is any variable, φ a formula, then x.φ and x.φ are formulas We call φ the scope of variable x. We say that x is bound by the quantifier in x.φ (similarly for x.φ) Bound variables in quantified formulas are analogous to local variables/formal parameters in programs Use pathentheses and usual precedence rules to avoid syntactic ambiguity 22c181: Formal Methods in Software Engineering p.10/31

20 First-Order Syntax Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions Variables P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} V = {x : Weapon, y : Flower} Examples: 22c181: Formal Methods in Software Engineering p.11/31

21 First-Order Syntax Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions Variables P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} V = {x : Weapon, y : Flower} Examples: x.hurts(x) & y.!hurts(y) We sometimes write the type of quantified variables explicitly. 22c181: Formal Methods in Software Engineering p.11/31

22 First-Order Syntax Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions Variables P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} V = {x : Weapon, y : Flower} Examples: x : Weapon.hurts(x) & y : Flower.!hurts(y) 22c181: Formal Methods in Software Engineering p.11/31

23 First-Order Syntax Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions Variables P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} V = {x : Weapon, y : Flower} Examples: x : Weapon.hurts(x) & y : Flower.!hurts(y) hurts(r) -> y. hurts(y) 22c181: Formal Methods in Software Engineering p.11/31

24 Semantics of First-Order Logic First-Order Formulas I, = First-Order Models First-Order Sequent Calculus 22c181: Formal Methods in Software Engineering p.12/31

25 Semantics of First-Order Logic A model of FOL is a triple M = (D,δ, I) where D is the universe or domain Contains objects and values δ is a dynamic typing function δ : D T d Each domain element has dynamic ( runtime ) type I is an interpretation of the function and predicate symbols s.t. If p : z 1,...,z r P, then I(p) D z 1 D z r If f : z 1,...,z r z F, then I(f) : D z 1 D z r D z Moreover, let D z = {d D δ(d) z} (the domain elements of type z). The dynamic types z T d must be non-empty: D z 22c181: Formal Methods in Software Engineering p.13/31

26 Semantics of Special Symbols Equality symbol. = in P, with typing. =:, Semantics: I(. =) = {(d,d) d D} D D Referential Equality 22c181: Formal Methods in Software Engineering p.14/31

27 Semantics of Special Symbols Equality symbol =. in P, with typing =:., Semantics: I( =). = {(d,d) d D} D D Referential Equality Type predicate symbol z in P for each z T q, with typing z : Semantics: I( z ) = D z D 22c181: Formal Methods in Software Engineering p.14/31

28 Semantics of Special Symbols Equality symbol =. in P, with typing =:., Semantics: I( =). = {(d,d) d D} D D Referential Equality Type predicate symbol z in P for each z T q, with typing z : Semantics: I( z ) = D z D Type cast symbol (z) in F for each z T q, with typing (z) :, z Semantics: I((z)) is a function such that x if δ(x) z I((z))(x) = d otherwise with d an arbitrary but fixed element of D z 22c181: Formal Methods in Software Engineering p.14/31

29 Semantics of First-Order Logic: Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} Variables V = {x : Weapon, y : Flower} One of (infinitely) many possible models: 22c181: Formal Methods in Software Engineering p.15/31

30 Semantics of First-Order Logic: Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} Variables V = {x : Weapon, y : Flower} One of (infinitely) many possible models: Domain D = {o 1,o 2,o 3,o 4 } 22c181: Formal Methods in Software Engineering p.15/31

31 Semantics of First-Order Logic: Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} Variables V = {x : Weapon, y : Flower} One of (infinitely) many possible models: Domain D = {o 1,o 2,o 3,o 4 } Typing δ(o 1 ) = δ(o 4 ) = Stick, δ(o 2 ) = Stone, δ(o 3 ) = Flower D Stick = {o 1,o 4 }, D Stone = {o 2 }, D Flower = {o 3 }, D Any = {o 1,o 2,o 3,o 4 } 22c181: Formal Methods in Software Engineering p.15/31

32 Semantics of First-Order Logic: Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} Variables V = {x : Weapon, y : Flower} One of (infinitely) many possible models: Domain D = {o 1,o 2,o 3,o 4 } Typing δ(o 1 ) = δ(o 4 ) = Stick, δ(o 2 ) = Stone, δ(o 3 ) = Flower D Stick = {o 1,o 4 }, D Stone = {o 2 }, D Flower = {o 3 }, D Any = {o 1,o 2,o 3,o 4 } Interpretation I(hurts) = {o 1,o 2,o 4 } I(stick) = o 1, I(stone) = o 2, I(r) = o 3 22c181: Formal Methods in Software Engineering p.15/31

33 Semantics of First-Order Logic, Cont d Assigning meaning to variables Let x be variable of static type z A Variable Assignment β maps x to an element of D z 22c181: Formal Methods in Software Engineering p.16/31

34 Semantics of First-Order Logic, Cont d Assigning meaning to variables Let x be variable of static type z A Variable Assignment β maps x to an element of D z Assigning meaning to terms: a mapping val M,β from Term z (t) to D z (dependind on model M and variable assignment β) such that val M,β (x) = β(x) (element in D z, where x has type z) val M,β (f(t 1,...,t r )) = I(f)(val M,β (t 1 ),...,val M,β (t r )) 22c181: Formal Methods in Software Engineering p.16/31

35 Semantics of First-Order Logic, Cont d Assigning meaning to variables Let x be variable of static type z A Variable Assignment β maps x to an element of D z Assigning meaning to terms: a mapping val M,β from Term z (t) to D z (dependind on model M and variable assignment β) such that val M,β (x) = β(x) (element in D z, where x has type z) val M,β (f(t 1,...,t r )) = I(f)(val M,β (t 1 ),...,val M,β (t r )) Modified variable assignment: β(x) For d D z let βy(x) d if x y := d if x = y 22c181: Formal Methods in Software Engineering p.16/31

36 Semantics of First-Order Logic, Cont d Assigning meaning to formulas Validity relation: M,β = φ for φ For M,β = p(t 1,...,t r ) iff (val M,β (t 1 ),...,val M,β (t r )) I(p) M,β = φ &ψ iff M,β = φ and M,β = ψ... M,β = x.φ iff M,β d x = φ for all d D z where the type of x is z M,β = x.φ iff M,β d x = φ for at least one d D z where the type of x is z 22c181: Formal Methods in Software Engineering p.17/31

37 Semantics of First-Order Logic: Example Sticks and stones may break your bones, but flowers will never hurt Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Functions Variables P = {hurts : Any} F = {stick : Stick, stone : Stone, r : Flower} V = {x : Weapon, y : Flower} In our previous model M: D Stick = {o 1,o 4 }, D Stone = {o 2 }, D Flower = {o 3 } D Weapon = {o 1,o 2,o 4 }, I(hurts) = {o 1,o 2,o 4 } D Any Evaluate these formulas: x.hurts(x), x.hurts(x), y. hurts(y) 22c181: Formal Methods in Software Engineering p.18/31

38 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff Semantic Rule Information from model (D, δ, I) 22c181: Formal Methods in Software Engineering p.19/31

39 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if Semantic Rule M,β = x.φ iff M,β d x = φ for at least one d D z where the type of x is z Information from model (D, δ, I) 22c181: Formal Methods in Software Engineering p.19/31

40 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if M,β o 1 x = hurts(x) iff Semantic Rule Information from model (D, δ, I) D Weapon = {o 1,o 2,o 4 } 22c181: Formal Methods in Software Engineering p.19/31

41 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if M,β o 1 x = hurts(x) val M,β o 1 x (x) I(hurts) iff Semantic Rule M,β = p(t 1,...,t r ) iff (val M,β (t 1 ),...,val M,β (t r )) I(p) Information from model (D, δ, I) 22c181: Formal Methods in Software Engineering p.19/31

42 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if M,β o 1 x = hurts(x) val M,β o 1 x (x) I(hurts) iff since val M,β o 1 x (x) = βo 1 x (x) = o 1 iff Semantic Rule val M,β (x) = β(x), β d y(x) := β(x) x y d x = y Information from model (D, δ, I) 22c181: Formal Methods in Software Engineering p.19/31

43 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if M,β o 1 x = hurts(x) val M,β o 1 x (x) I(hurts) iff since val o (x) = M,β 1 βo 1 x x (x) = o 1 o 1 I(hurts) = {o 1,o 2,o 4 } iff Semantic Rule Information from model (D, δ, I) I(hurts) = {o 1,o 2,o 4 } 22c181: Formal Methods in Software Engineering p.19/31

44 Semantics of First-Order Logic: Evaluation Example Let β be arbitrary. M,β = x : Weapon.hurts(x) iff There exists d D Weapon such that M,β d x = hurts(x) if M,β o 1 x = hurts(x) val M,β o 1 x (x) I(hurts) iff since val o (x) = M,β 1 βo 1 x x (x) = o 1 o 1 I(hurts) = {o 1,o 2,o 4 } ok! iff Semantic Rule Information from model (D, δ, I) 22c181: Formal Methods in Software Engineering p.19/31

45 First-Order Semantic Notions Satisfiability, truth, and validity M,β = φ (φ is satisfiable) M = φ iff for all β : M,β = φ (φ is true in M) = φ iff for all M : M = φ (φ is valid) Formula containing only variables in scope of a quantifier is closed Closed formulas that are satisfiable are also true: only one notion From now on only closed formulas are considered. 22c181: Formal Methods in Software Engineering p.20/31

46 First-Order Logic Example Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Variables P = {hurts : Any} V = {x : Weapon, y : Flower} 22c181: Formal Methods in Software Engineering p.21/31

47 First-Order Logic Example Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Variables P = {hurts : Any} V = {x : Weapon, y : Flower} x : Weapon.hurts(x) & y : Flower.!hurts(y) Satisfiable? True? Valid? 22c181: Formal Methods in Software Engineering p.21/31

48 First-Order Logic Example Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Variables P = {hurts : Any} V = {x : Weapon, y : Flower} x : Weapon.hurts(x) & y : Flower.!hurts(y) Satisfiable? True? Valid? Model: D = {o 1, o 2 }, δ(o 1 ) = Stone, δ(o 2 ) = Flower I(hurts) = {o 1 } 22c181: Formal Methods in Software Engineering p.21/31

49 First-Order Logic Example Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Variables P = {hurts : Any} V = {x : Weapon, y : Flower} x : Weapon.hurts(x) & y : Flower.!hurts(y) Satisfiable? True? Valid? Counter-model: D = {o 1, o 2 }, δ(o 1 ) = Stone, δ(o 2 ) = Flower I(hurts) = {} 22c181: Formal Methods in Software Engineering p.21/31

50 First-Order Logic Example Types T d = {Stick, Stone, Flower}, T a = {Weapon, Any} Stick, Stone Weapon Any, Flower Any Predicates Variables P = {hurts : Any} V = {x : Weapon, y : Flower} x : Weapon.hurts(x) & y : Flower.!hurts(y) Satisfiable? True? Valid? Another Counter-model: D = {o 1, o 2,o 3 }, δ(o 1 ) = Stone, δ(o 2 ) = δ(o 3 ) = Flower I(hurts) = {o 1,o 3 } 22c181: Formal Methods in Software Engineering p.21/31

51 Untyped First-Order Logic Standard FOL (as in most logic textbooks is untyped [single typed]) Obtained as special case of typed signature: T d = { }, T a = { } Hence, D = D, δ(d) = for all d D All variables, predicate and function symbols declared on Don t need type information of variables (omit) Only arity in signature of function/predicate symbols matters 22c181: Formal Methods in Software Engineering p.22/31

52 Untyped First-Order Logic Standard FOL (as in most logic textbooks is untyped [single typed]) Obtained as special case of typed signature: T d = { }, T a = { } Hence, D = D, δ(d) = for all d D All variables, predicate and function symbols declared on Don t need type information of variables (omit) Only arity in signature of function/predicate symbols matters Example: P = {person/1, happy/1}, F = {pat/0} 22c181: Formal Methods in Software Engineering p.22/31

53 Untyped First-Order Logic Standard FOL (as in most logic textbooks is untyped [single typed]) Obtained as special case of typed signature: T d = { }, T a = { } Hence, D = D, δ(d) = for all d D All variables, predicate and function symbols declared on Don t need type information of variables (omit) Only arity in signature of function/predicate symbols matters Example: P = {person/1, happy/1}, F = {pat/0} x.(person(x) -> happy(x)) ALL PERSONS ARE HAPPY 22c181: Formal Methods in Software Engineering p.22/31

54 Untyped First-Order Logic Standard FOL (as in most logic textbooks is untyped [single typed]) Obtained as special case of typed signature: T d = { }, T a = { } Hence, D = D, δ(d) = for all d D All variables, predicate and function symbols declared on Don t need type information of variables (omit) Only arity in signature of function/predicate symbols matters Example: P = {person/1, happy/1}, F = {pat/0} x.(person(x) -> happy(x)) person(pat) ALL PERSONS ARE HAPPY PAT IS A PERSON 22c181: Formal Methods in Software Engineering p.22/31

55 Untyped First-Order Logic Standard FOL (as in most logic textbooks is untyped [single typed]) Obtained as special case of typed signature: T d = { }, T a = { } Hence, D = D, δ(d) = for all d D All variables, predicate and function symbols declared on Don t need type information of variables (omit) Only arity in signature of function/predicate symbols matters Example: P = {person/1, happy/1}, F = {pat/0} x.(person(x) -> happy(x)) person(pat) happy(pat) ALL PERSONS ARE HAPPY PAT IS A PERSON PAT IS HAPPY 22c181: Formal Methods in Software Engineering p.22/31

56 Types and Symbols with Fixed Interpretation Certain symbols should have standard meaning in all interpretations So far:. =, z, (z) For certain types we also fix domain and dynamic typing: D int = {d D δ(d) = int} = These types appear between and, uncomparable to others Examples of types, function/predicate symbols with fixed meaning I(17) should be always 17, not e.g. towel int KeY can switch between JAVA 32-bit integers and but in FOL always math integers I(+) = +, I( * ) =,... boolean 22c181: Formal Methods in Software Engineering p.23/31

57 Some Predefined Symbols in KeY FO Logic Types int, short, byte, boolean with standard meaning All classes of current UML context diagram and Null If T is one of these types then also Set(T), Bag(T), Sequence(T) Predicates on integer types with standard meaning >, <, >=, <=,... (infix) Functions and Constants with standard meaning +, -, div, mod, 0, 1,... TRUE, FALSE Notation for quantifiers, variables declared at quantifier symbol \forall Type Variable; ScopeFormula 22c181: Formal Methods in Software Engineering p.24/31

58 First-Order Problems in KeY Syntax:.key \sorts { // types are called sorts person; // one declaration per line, end with ; } \functions { // ResultType FctSymbol(ParType,..,ParType) int age(person); // int predefined type } \predicates { // PredSymbol(ParType,..,ParType) parent(person,person); } \problem { // Goal formula \forall person son; \forall person father; (parent(father,son) -> age(father) > age(son)) } 22c181: Formal Methods in Software Engineering p.25/31

59 Contents Overview of KeY UML and its semantics Introduction to OCL Specifying requirements with OCL Modelling of Systems with Formal Semantics Propositional & First-order logic, sequent calculus OCL to Logic, horizontal proof obligations, using KeY Dynamic logic, proving program correctness Java Card DL Vertical proof obligations, using KeY Wrap-up, trends 22c181: Formal Methods in Software Engineering p.26/31

60 Sequent Calculus for FOL left side, antecedent right side, succedent [t/t ]φ is result of replacing each occurrence of t in φ with t s z,t z and t are arbitrary variable free terms x and s z have static type z and t z has static type z z c z new constant of type z (does not occur in current proof branch) Equations can be reversed (by symmetry of equality) 22c181: Formal Methods in Software Engineering p.27/31

61 Sequent Calculus for FOL left side, antecedent Γ, x.φ, h x/t z i φ ==> Γ, x.φ ==> right side, succedent Γ ==> [x/c z ]φ, Γ ==> x.φ, [t/t ]φ is result of replacing each occurrence of t in φ with t s z,t z and t are arbitrary variable free terms x and s z have static type z and t z has static type z z c z new constant of type z (does not occur in current proof branch) Equations can be reversed (by symmetry of equality) 22c181: Formal Methods in Software Engineering p.27/31

62 Sequent Calculus for FOL left side, antecedent Γ, x.φ, h x/t z i φ ==> Γ, x.φ ==> Γ, [x/c z ]φ ==> Γ, x.φ ==> right side, succedent Γ ==> [x/c z ]φ, Γ ==> x.φ, Γ ==> h x/t z i φ, x.φ, Γ ==> x.φ, [t/t ]φ is result of replacing each occurrence of t in φ with t s z,t z and t are arbitrary variable free terms x and s z have static type z and t z has static type z z c z new constant of type z (does not occur in current proof branch) Equations can be reversed (by symmetry of equality) 22c181: Formal Methods in Software Engineering p.27/31

63 Sequent Calculus for FOL left side, antecedent Γ, x.φ, h x/t z i φ ==> Γ, x.φ ==> Γ, [x/c z ]φ ==> Γ, x.φ ==> h.. = Γ,sz = t z, s z /t z i ψ ==> Γ,s z. = t z,ψ ==> φ, h s z /t z i φ, right side, succedent Γ ==> [x/c z ]φ, Γ ==> x.φ, Γ ==> h x/t z i φ, x.φ, Γ ==> x.φ, Γ ==> t. = t, [t/t ]φ is result of replacing each occurrence of t in φ with t s z,t z and t are arbitrary variable free terms x and s z have static type z and t z has static type z z c z new constant of type z (does not occur in current proof branch) Equations can be reversed (by symmetry of equality) 22c181: Formal Methods in Software Engineering p.27/31

64 A Simple Proof (Exercises p3.key) x. y.p(x,y) ==> y. x.p(x,y) Let static type of x and y be 22c181: Formal Methods in Software Engineering p.28/31

65 A Simple Proof (Exercises p3.key) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) ex left: substitute new constant c of type for x 22c181: Formal Methods in Software Engineering p.28/31

66 A Simple Proof (Exercises p3.key) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) all right: substitute new constant d of type for y 22c181: Formal Methods in Software Engineering p.28/31

67 A Simple Proof (Exercises p3.key) p(c,d), y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) all left: free to substitute any term of type for y, choose d 22c181: Formal Methods in Software Engineering p.28/31

68 A Simple Proof (Exercises p3.key) p(c,d) ==> x.p(x,d) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) all left not needed anymore (hide) 22c181: Formal Methods in Software Engineering p.28/31

69 A Simple Proof (Exercises p3.key) p(c,d) p(c,d) ==> p(c,d), x.p(x,y) ==> x.p(x,d) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) ex right: free to substitute any term of type for x, choose c 22c181: Formal Methods in Software Engineering p.28/31

70 A Simple Proof (Exercises p3.key) p(c, d) ==> p(c, d) p(c,d) ==> x.p(x,d) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) ex right not needed anymore (hide) 22c181: Formal Methods in Software Engineering p.28/31

71 A Simple Proof (Exercises p3.key) p(c, d) ==> p(c, d) p(c,d) ==> x.p(x,d) y.p(c,y) ==> x.p(x,d) y.p(c,y) ==> y. x.p(x,y) x. y.p(x,y) ==> y. x.p(x,y) Close 22c181: Formal Methods in Software Engineering p.28/31

72 Rules for Type Casts and Type Predicates Type predicate formulas t z true iff dynamic type val M (t) is subtype of z Type cast terms (z)t evaluates to val M (t) if cast succeeds, arb. element otherwise 22c181: Formal Methods in Software Engineering p.29/31

73 Rules for Type Casts and Type Predicates Type predicate formulas t z true iff dynamic type val M (t) is subtype of z Type cast terms (z)t evaluates to val M (t) if cast succeeds, arb. element otherwise Typical rule: 22c181: Formal Methods in Software Engineering p.29/31

74 Rules for Type Casts and Type Predicates Type predicate formulas t z true iff dynamic type val M (t) is subtype of z Type cast terms (z)t evaluates to val M (t) if cast succeeds, arb. element otherwise Typical rule: The dynamic type of a term must be typeable to its static type TYPESTATIC Γ, t z ==> Γ ==> z static (declared) type of t Expresses type-safety of typed first-order logic 22c181: Formal Methods in Software Engineering p.29/31

75 Rules for Type Casts and Type Predicates Type predicate formulas t z true iff dynamic type val M (t) is subtype of z Type cast terms (z)t evaluates to val M (t) if cast succeeds, arb. element otherwise Typical rule: The dynamic type of a term must be typeable to its static type TYPESTATIC Γ, t z ==> Γ ==> z static (declared) type of t Expresses type-safety of typed first-order logic KeY first-order strategy applies suitable typing rules automatically 22c181: Formal Methods in Software Engineering p.29/31

76 Sequent Proofs: Important Issues Rules are applied to top-most connective/quantifier exleft and allright substitute new constant exright and allleft allow to substitute any variable-free term Formulas that are not needed in remaining proof may be hidden All branches must be closed with axiom There are many different possible proofs for a valid sequent KeY FO strategy applies all but exright and allleft automatically 22c181: Formal Methods in Software Engineering p.30/31

77 Another Proof Example Types T = {, } Predicates PSym = {p}, p :, Functions FSym = {} ( x. y.p(x,y) & x.!p(x,x)) -> x. y.(!x =. y) Intuitive Meaning? Satisfiable? True? Valid? oclfol/rel.key Demo 22c181: Formal Methods in Software Engineering p.31/31

15-819M: Data, Code, Decisions

15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer aplatzer@cs.cmu.edu Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) 15-819M/08: Data, Code, Decisions 1 / 40 Outline 1