15-819M: Data, Code, Decisions

Size: px

Start display at page:

Download "15-819M: Data, Code, Decisions"

Miles Carpenter
6 years ago
Views:

15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer aplatzer@cs.cmu.

1 15-819M: Data, Code, Decisions 08: First-Order Logic André Platzer Carnegie Mellon University, Pittsburgh, PA André Platzer (CMU) M/08: Data, Code, Decisions 1 / 40

2 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 1 / 40

3 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 1 / 40

4 Formalisation Real World Formalisation Formal Model André Platzer (CMU) M/08: Data, Code, Decisions 2 / 40

5 Formalisation: Syntax, Semantics Syntax Formal Language Real World Semantics Formal Semantics André Platzer (CMU) M/08: Data, Code, Decisions 2 / 40

6 Formalisation: Syntax, Semantics Real World Syntax Semantics Formal Language Interpretation Formal Semantics André Platzer (CMU) M/08: Data, Code, Decisions 2 / 40

7 Formalisation: Syntax, Semantics Real World Syntax Propositional Logic Interpretation Semantics Valuation André Platzer (CMU) M/08: Data, Code, Decisions 2 / 40

8 Formalisation: Syntax, Semantics Real World Syntax First-Order Logic Interpretation Semantics Valuation André Platzer (CMU) M/08: Data, Code, Decisions 2 / 40

9 Approaches to Formal Software Verification KeY Concrete programs, Complex properties Abstract programs, Complex properties Concrete programs, Simple properties Abstract programs, Simple properties Spin André Platzer (CMU) M/08: Data, Code, Decisions 3 / 40

10 Formal Verification: Deduction Syntax Translation Java+ JML Dynamic Logic Real World Semantics Kripke Semantics Sequent Calculus André Platzer (CMU) M/08: Data, Code, Decisions 4 / 40

11 Beyond Propositional Logic Propositional Logic +functions +state change First-order Logic Temporal Logic André Platzer (CMU) M/08: Data, Code, Decisions 5 / 40

12 Beyond Propositional Logic Propositional Logic +functions First-order Logic +state change +functions Dynamic Logic +state change Temporal Logic André Platzer (CMU) M/08: Data, Code, Decisions 5 / 40

13 Beyond Propositional Logic Propositional Logic +functions First-order Logic +state change +functions Dynamic Logic +state change Temporal Logic Spin André Platzer (CMU) M/08: Data, Code, Decisions 5 / 40

14 Beyond Propositional Logic Propositional Logic +functions First-order Logic +state change +functions Dynamic Logic KeY +state change Temporal Logic Spin André Platzer (CMU) M/08: Data, Code, Decisions 5 / 40

15 Beyond Propositional Logic today s lecture Propositional Logic +functions First-order Logic +state change +functions Dynamic Logic KeY +state change Temporal Logic Spin André Platzer (CMU) M/08: Data, Code, Decisions 5 / 40

16 Syntax, Semantics, Calculus Syntax Formula/Program x Semantics valid Calculus Derivable André Platzer (CMU) M/08: Data, Code, Decisions 6 / 40

17 Syntax, Semantics, Calculus Syntax Formula/Program x Completeness Semantics valid Calculus Derivable André Platzer (CMU) M/08: Data, Code, Decisions 6 / 40

18 Syntax, Semantics, Calculus Syntax Formula/Program x Completeness Semantics valid Soundness Calculus Derivable André Platzer (CMU) M/08: Data, Code, Decisions 6 / 40

19 Limitations of Propositional Logic Fixed, finite number of objects Cannot express: let g be group with arbitrary number of elements No functions or relations with arguments Can express: finite function/relation table with indexed variables p ij Cannot express: properties of function/relation on all arguments: + associative Static interpretation Programs change value of their variables, e.g., via assignment, call, etc. Propositional formulas look at one single interpretation at a time André Platzer (CMU) M/08: Data, Code, Decisions 7 / 40

20 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 7 / 40

21 Propositional Logic Propositional Formulas x = Mapping Var {T, F } Sequent Calculus André Platzer (CMU) M/08: Data, Code, Decisions 8 / 40

22 First-Order Logic First-Order Formulas x = First-Order Model Sequent Calculus André Platzer (CMU) M/08: Data, Code, Decisions 8 / 40

23 Syntax of First-Order Logic: Signature Definition (First-Order Signature) First-order signature Σ = (PSym, FSym, α) Predicate or Relation Symbols PSym = {p i i IIN} Function Symbols FSym = {f i i IIN} Typing function α, set of types T α(p) T for all p PSym α(f ) T T for all f FSym Definition (Variables) VSym = {x i i IIN} set of typed variables In contrast to standard FOL, our symbols are typed Necessary to model a typed programming language such as Java! Allow any non-reserved name for symbols, not merely p 3, f 17,... André Platzer (CMU) M/08: Data, Code, Decisions 9 / 40

24 Syntax of First-Order Logic: Signature Declaration of signature symbols Write T x; to declare variable x of type T Write p(t 1,..., T r ); for α(p) = (T 1,..., T r ) Write T f (T 1,..., T r ); for α(f ) = ((T 1,..., T r ), T ) Similar convention as in Java, no overloading of symbols Case r = 0 is allowed, then write p instead of p(), etc. André Platzer (CMU) M/08: Data, Code, Decisions 10 / 40

25 Syntax of First-Order Logic: Signature Declaration of signature symbols Write T x; to declare variable x of type T Write p(t 1,..., T r ); for α(p) = (T 1,..., T r ) Write T f (T 1,..., T r ); for α(f ) = ((T 1,..., T r ), T ) Similar convention as in Java, no overloading of symbols Case r = 0 is allowed, then write p instead of p(), etc. Example Variables boolean b; int i; Predicates isempty(list); alerton; Functions int arraylookup(int); java.lang.object o; André Platzer (CMU) M/08: Data, Code, Decisions 10 / 40

26 OO Type Hierarchy We want to model the behavior of Java programs Admissible types T form object-oriented type hierarchy André Platzer (CMU) M/08: Data, Code, Decisions 11 / 40

27 OO Type Hierarchy We want to model the behavior of Java programs Admissible types T form object-oriented type hierarchy Definition (OO Type Hierarchy) T is finite set of types (not parameterized) Given subtype relation, assume T has all supertypes, i.e., T is -closed Dynamic types T d T, where T d Abstract types T a T, where T a T d T a = T d T a = T T for all T T André Platzer (CMU) M/08: Data, Code, Decisions 11 / 40

28 OO Type Hierarchy Example Using UML notation Object AbstractCollection List int AbstractList ArrayList Null André Platzer (CMU) M/08: Data, Code, Decisions 12 / 40

29 OO Type Hierarchy Dynamic types are those with direct elements Abstract types for abstract classes and interfaces Java 1.5+ is -closed In Java primitive (value) and object types incomparable is abstract and hence no object ever can have this type cannot occur in declaration of signature symbols Each abstract type except has a non-empty dynamic subtype In Java is chosen to have no direct elements Java has infinitely many types: int[], int[][],... Restrict T to the finitely many types that occur in a given program André Platzer (CMU) M/08: Data, Code, Decisions 13 / 40

30 OO Type Hierarchy Dynamic types are those with direct elements Abstract types for abstract classes and interfaces Java 1.5+ is -closed In Java primitive (value) and object types incomparable is abstract and hence no object ever can have this type cannot occur in declaration of signature symbols Each abstract type except has a non-empty dynamic subtype In Java is chosen to have no direct elements Java has infinitely many types: int[], int[][],... Restrict T to the finitely many types that occur in a given program Example (The Minimal Type Hierarchy) T = {, } All signature symbols have same type : drop type, untyped logic André Platzer (CMU) M/08: Data, Code, Decisions 13 / 40

31 Reserved Signature Symbols Reserved signature symbols. Equality symbol = PSym declared as =. (, ) Written infix: x. = 0 Type predicate symbol T PSym for each T T Declared as T ( ) Written prefix: i int read instance of Type cast symbol (T ) FSym for each T T Declared as T (T )( ) Written prefix: (String)o read cast o to String André Platzer (CMU) M/08: Data, Code, Decisions 14 / 40

32 Reserved Signature Symbols Reserved signature symbols. Equality symbol = PSym declared as =. (, ) Written infix: x. = 0 Type predicate symbol T PSym for each T T Declared as T ( ) Written prefix: i int read instance of Type cast symbol (T ) FSym for each T T Declared as T (T )( ) Written prefix: (String)o read cast o to String So far, we have a type system and a signature where is the logic? André Platzer (CMU) M/08: Data, Code, Decisions 14 / 40

33 Terms First-order terms, informally Think of first-order terms as expressions in a programming language Built up from variables, constants, function symbols First-order terms have no side effects (like Promela, unlike Java) First-order terms have a type and must respect type hierarchy type of f (g(x)) is result type in declaration of function f in f (g(x)) the result type of g is subtype of argument type of f, etc. André Platzer (CMU) M/08: Data, Code, Decisions 15 / 40

34 Terms First-order terms, informally Think of first-order terms as expressions in a programming language Built up from variables, constants, function symbols First-order terms have no side effects (like Promela, unlike Java) First-order terms have a type and must respect type hierarchy type of f (g(x)) is result type in declaration of function f in f (g(x)) the result type of g is subtype of argument type of f, etc. Definition (First-Order Terms {Term T } T T with type T T ) x is term of type T for variable declared as T x; f (t 1,..., t r ) is term of type T for function symbol declared as T f (T 1,..., T r ); and terms t i of type T i T i for 1 i r There are no other terms (inductive definition) André Platzer (CMU) M/08: Data, Code, Decisions 15 / 40

35 Terms Example Signature: int i; short j; List l; int f(int); f(i) has result type int and is contained in Term int f(j) has result type int (when short int) f(l) is ill-typed (when int, List incomparable) f(i,i) is not a term (doesn t match declaration) (int)j is term of type int even (int)l is term of type int (type cast always well-formed) André Platzer (CMU) M/08: Data, Code, Decisions 16 / 40

36 Terms Example Signature: int i; short j; List l; int f(int); f(i) has result type int and is contained in Term int f(j) has result type int (when short int) f(l) is ill-typed (when int, List incomparable) f(i,i) is not a term (doesn t match declaration) (int)j is term of type int even (int)l is term of type int (type cast always well-formed) If f is constant (r = 0) write f instead of f () Use infix notation liberally, where appropriate: declare int +(int, int); then write i+j, etc. Use brackets to disambiguiate parsing: (i+j)*i André Platzer (CMU) M/08: Data, Code, Decisions 16 / 40

37 First-Order Atomic Formulas Definition (Atomic First-Order Formulas) p(t 1,..., t r ) is atomic first-order formula for predicate symbol declared as p(t 1,..., T r ); and terms t i of type T i T i for 1 i r André Platzer (CMU) M/08: Data, Code, Decisions 17 / 40

38 First-Order Atomic Formulas Definition (Atomic First-Order Formulas) p(t 1,..., t r ) is atomic first-order formula for predicate symbol declared as p(t 1,..., T r ); and terms t i of type T i T i for 1 i r Example Signature: int i; short j; List l; <(int, int); i < i is an atomic first-order formula i < j is an atomic first-order formula (when short int) i < l is ill-typed (when int, List incomparable) i =j. and even i =l. are atomic first-order formulas i short is an atomic first-order formula André Platzer (CMU) M/08: Data, Code, Decisions 17 / 40

39 First-Order Formulas Definition (Set of First-Order Formulas For) Truth constants true, false and all first-order atomic formulas are first-order formulas If φ and ψ are first-order formulas then! φ, (φ & ψ), (φ ψ), (φ > ψ), (φ < > ψ) are also first-order formulas If T x is a variable declaration, φ a first-order formula, then T x; φ and T x; φ are first-order formulas Any occurrence of x in φ must be well-typed T x; φ called universally quantified formula T x; φ called existentially quantified formula André Platzer (CMU) M/08: Data, Code, Decisions 18 / 40

40 First-Order Formulas In T x; φ and T x; φ call φ the scope of x bound by / Variables bound in quantified formulas similar to program locations declared as local variables/formal parameters Example int i; int j; i < j is a first-order formula int i; List l; i < l is ill-typed int i; i < j is a first-order formula if j is a constant compatible with int ( int i; int j; i < j) ( int i; int j; i > j) is a first-order formula André Platzer (CMU) M/08: Data, Code, Decisions 19 / 40

41 Remark on Concrete Syntax Text book Spin KeY Java Negation!!! Conjunction && & && Disjunction Implication, > > n/a Equivalence < > < > n/a Universal Quantifier x; φ n/a \forall T x; φ n/a Existential Quantifier x; φ n/a \exists T x; φ n/a. Value equality = == = == André Platzer (CMU) M/08: Data, Code, Decisions 20 / 40

42 Remark on Concrete Syntax Text book Spin KeY Java Negation!!! Conjunction && & && Disjunction Implication, > > n/a Equivalence < > < > n/a Universal Quantifier x; φ n/a \forall T x; φ n/a Existential Quantifier x; φ n/a \exists T x; φ n/a. Value equality = == = == For quantifiers we normally use textbook syntax and suppress type information to ease readability For propositional connectives we use KeY syntax André Platzer (CMU) M/08: Data, Code, Decisions 20 / 40

43 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 20 / 40

44 First-Order Semantics First-Order Formulas x = First-Order Model Sequent Calculus André Platzer (CMU) M/08: Data, Code, Decisions 21 / 40

45 First-Order Semantics First-Order Formulas x = First-Order Model Sequent Calculus André Platzer (CMU) M/08: Data, Code, Decisions 21 / 40

46 First-Order Semantics From propositional to first-order semantics In prop. logic, interpretation of variables with {T, F } In first-order logic we must assign meaning to: variables bound in quantifiers constant and function symbols predicate symbols Each variable or function value may denote a different object Respect typing: int i, List l must denote different objects What we need (to interpret a first-order formula) 1 A collection of typed universes of objects (akin to heap objects) 2 A mapping from variables to objects 3 A mapping from function arguments to function values 4 The set of argument tuples where a predicate is true André Platzer (CMU) M/08: Data, Code, Decisions 22 / 40

47 First-Order Domains/Universes 1 A collection of typed universes of objects Definition (Universe/Domain) A non-empty set D of objects is a universe or domain Each element of D has a fixed type given by δ : D T d Like heap objects and values in Java Notation for the domain elements type-compatible with T T : D T = {d D δ(d) T } For each dynamic type T T d there must be at least one domain element type-compatible with it: D T André Platzer (CMU) M/08: Data, Code, Decisions 23 / 40

48 First-Order Universes Example int short Object D = {17, o} δ(17) = short, δ(o) = Object Then D short = D int = {17}, D Object = {o}, D = D = {17, o}, and D = {} André Platzer (CMU) M/08: Data, Code, Decisions 24 / 40

49 First-Order Models 3 A mapping from function arguments to function values 4 The set of argument tuples where a predicate is true Definition (First-Order Model) Let D be a domain with typing function δ Let f be declared as T f (T 1,..., T r ); Let p be declared as p(t 1,..., T r ); Let I(f ) : D T 1 D Tr D T Let I(p) D T 1 D Tr Then M = (D, δ, I) is a first-order model André Platzer (CMU) M/08: Data, Code, Decisions 25 / 40

50 First-Order Models Example Signature: int i; short j; int f(int); Object obj; <(int,int); D = {17, 2, o} where all numbers are short I(i) = 17 I(j) = 17 I(obj) = o D int I(f ) D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F One of uncountably many possible first-order models! André Platzer (CMU) M/08: Data, Code, Decisions 26 / 40

51 Semantics of Reserved Signature Symbols Definition Equality symbol. = declared as. = (, ) Model is fixed as I(. =) = {(d, d) d D} Referential Equality (holds if arguments refer to identical object) Exercise: write down the predicate table for example domain Type predicate symbol T for any T, declared as T ( ) I( T ) = D T Exercise: what is I( Object)? Type cast symbol (T ) for each T, declared as T (T )( ) { x if cast succeeds (δ(x) T ) I((T ))(x) = d otherwise, for an arbitrary fixed d D T Exercise: what is I((int))(17)? André Platzer (CMU) M/08: Data, Code, Decisions 27 / 40

52 Signature Symbols vs. Domain Elements Example Domain elements are not just the terms representing them First-order formulas and terms have no access to domain As in Java: identity and memory layout of values/objects hidden Think of a first-order model as a heap of first-order logic Signature: Object obj1, obj2; Domain: D = {o} In this model, necessarily I(obj1) = I(obj2) = o Effect similar to aliasing in Java with reference types André Platzer (CMU) M/08: Data, Code, Decisions 28 / 40

53 Variable Assignments 2 A mapping from variables to objects Think of variable assignment as environment for storage of local variables Definition (Variable Assignment) A variable assignment β maps variables to domain elements It respects the variable type, i.e., if x has type T then β(x) D T Definition (Modified Variable Assignment) Let y be variable of type T, β variable assignment, d D T : { βy d β(x) if x y (x) := d if x = y André Platzer (CMU) M/08: Data, Code, Decisions 29 / 40

54 Semantic Evaluation of Terms Given a first-order model M and a variable assignment β it is possible to evaluate first-order terms under M and β Analogy Evaluating an expression in a programming language with respect to a given heap (M) and binding of local variables (β) Definition (Valuation of Terms) val M,β : Term D such that val M,β (t) D T for t Term T : val M,β (x) = β(x) (recall that β respects typing) val M,β (f (t 1,..., t r )) = I(f )(val M,β (t 1 ),..., val M,β (t r )) André Platzer (CMU) M/08: Data, Code, Decisions 30 / 40

55 Semantic Evaluation of Terms Example Signature: int i; short j; int f(int); D = {17, 2, o} where all numbers are short Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) Var β obj o x 17 val M,β (f(f(i)))? val M,β (x)? val M,β ((int)obj)? André Platzer (CMU) M/08: Data, Code, Decisions 31 / 40

56 Semantic Evaluation of Terms Example Signature: int i; short j; int f(int); D = {17, 2, o} where all numbers are short Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) Var β obj o x 17 val M,β (f(f(i)))? = 17 val M,β (x)? val M,β ((int)obj)? André Platzer (CMU) M/08: Data, Code, Decisions 31 / 40

57 Semantic Evaluation of Terms Example Signature: int i; short j; int f(int); D = {17, 2, o} where all numbers are short Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) Var β obj o x 17 val M,β (f(f(i)))? = 17 val M,β (x)? = 17 val M,β ((int)obj)? André Platzer (CMU) M/08: Data, Code, Decisions 31 / 40

58 Semantic Evaluation of Terms Example Signature: int i; short j; int f(int); D = {17, 2, o} where all numbers are short Variables: Object obj; int x; I(i) = 17 I(j) = 17 D int I(f) Var β obj o x 17 val M,β (f(f(i)))? = 17 val M,β (x)? = 17 val M,β ((int)obj)? = 2, say André Platzer (CMU) M/08: Data, Code, Decisions 31 / 40

59 Semantic Evaluation of Formulas Formulas are true or false A validity relation is more convenient than a function Definition (Validity Relation for Formulas) M, β = φ for φ For M, β models φ M, β = p(t 1,..., t r ) iff (val M,β (t 1 ),..., val M,β (t r )) I(p) M, β = φ & ψ iff M, β = φ and M, β = ψ... as in propositional logic M, β = T x; φ iff M, βx d = φ for all d D T M, β = T x; φ iff M, βx d = φ for at least one d D T André Platzer (CMU) M/08: Data, Code, Decisions 32 / 40

60 Semantic Evaluation of Formulas Example Signature: short j; int f(int); Object obj; <(int,int); D = {17, 2, o} where all numbers are short I(j) = 17 I(obj) = o D int I(f ) D int D int in I(<)? (2, 2) F (2, 17) T (17, 2) F (17, 17) F M, β = f (j) < j? M, β = int x; f (x). = x? M, β = Object o1; Object o2; o1. = o2? André Platzer (CMU) M/08: Data, Code, Decisions 33 / 40

61 Semantic Notions Definition (Satisfiability, Truth, Validity) M, β = φ (φ is satisfiable) M = φ iff for all β : M, β = φ (φ is true in M) = φ iff for all M : M = φ (φ is valid) Closed formulas that are satisfiable are also true: one top-level notion André Platzer (CMU) M/08: Data, Code, Decisions 34 / 40

62 Semantic Notions Definition (Satisfiability, Truth, Validity) M, β = φ (φ is satisfiable) M = φ iff for all β : M, β = φ (φ is true in M) = φ iff for all M : M = φ (φ is valid) Closed formulas that are satisfiable are also true: one top-level notion Example f (j) < j is true in M. int x; i = x is valid int x;!(x. = x) is not satisfiable André Platzer (CMU) M/08: Data, Code, Decisions 34 / 40

63 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 34 / 40

64 Untyped First-Order Logic Most logic textbooks introduce untyped logic How to obtain untyped logic as a special case Minimal Type Hierarchy: T = {, } D = D : only one populated type, drop all typing info Signature merely specifies arity of functions and predicates: Write f /1, < /2, i/0, etc. Untyped logic is suitable whenever we model a uniform domain Typical applications: pure mathematics such as algebra André Platzer (CMU) M/08: Data, Code, Decisions 35 / 40

65 Untyped First-Order Logic Example (Axiomatization of a group in first-order logic) Signature Σ G : FSym = { /2, e/0}, PSym = {. = /2} Let G be the following formulas: Left identity x; e x =. x Left inverse x; y; y x =. e Associativity x; y; z; (x y) z =. x (y z) Let φ be Σ G -formula. Whenever = G > φ, then φ is a theorem of group theory André Platzer (CMU) M/08: Data, Code, Decisions 36 / 40

66 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 36 / 40

67 Modeling with First-Order Logic First-Order Formulas Which? First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

68 Modeling with First-Order Logic First-Order Formulas Which? Example (At least two elements) First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

69 Modeling with First-Order Logic First-Order Formulas Which? Example (At least two elements) x; y;!(x. = y) How to do this without built-in equality? First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

70 Modeling with First-Order Logic First-Order Formulas Example (Strict partial order) Which? First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

71 Modeling with First-Order Logic First-Order Formulas First-Order Models Which? Example (Strict partial order) PSym = {< /2} Irreflexivity x;!(x < x) Asymmetry x; y; (x < y >!(y < x)) Transitivity x; y; z; (x < y & y < z > x < z) André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

72 Modeling with First-Order Logic First-Order Formulas Which? Example (All models have infinite domain) First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

73 Modeling with First-Order Logic First-Order Formulas Which? Example (All models have infinite domain) Signature and axioms of irreflexive order plus Existence Successor x; y; x < y First-Order Models André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

74 Modeling with First-Order Logic First-Order Formulas Which? Example (Abstract data types) FSym = { Stack push(int, Stack); int pop(stack); Stack nil; } First-Order Models int i; Stack s; pop(push(i, s)). = s André Platzer (CMU) M/08: Data, Code, Decisions 37 / 40

75 Why such a Complicated First-Order Semantics? Why not take terms and properties at their face value? Definition (Herbrand Model (untyped logic)) A first-order model where Domain D are all variable-free (i.e., ground) terms Each domain element is represented as a term Interpretation of function symbols is identity: I(f )(d 1,..., d r ) = f (d 1,..., d r ) André Platzer (CMU) M/08: Data, Code, Decisions 38 / 40

76 Why such a Complicated First-Order Semantics? Why not take terms and properties at their face value? Definition (Herbrand Model (untyped logic)) A first-order model where Domain D are all variable-free (i.e., ground) terms Each domain element is represented as a term Interpretation of function symbols is identity: I(f )(d 1,..., d r ) = f (d 1,..., d r ) Major limitations of Herbrand models Too many different domain elements: 1 + 2, Natural to represent program locations as terms and domain elements as their values whose exact representation we don t know There are theoretical limitations as well André Platzer (CMU) M/08: Data, Code, Decisions 38 / 40

77 Outline 1 Formal Modeling 2 First-Order Logic Signature Terms Formulas 3 Semantics Domain Model Variable Assignment Term Valuation Formula Valuation Semantic Notions 4 Untyped Logic 5 Modeling with FOL 6 Summary André Platzer (CMU) M/08: Data, Code, Decisions 38 / 40

78 Summary and Outlook Summary First-order formulas defined over a signature of typed symbols Hierarchical OO type system with abstract and dynamic types Quantification over variables, no free variables in formulas Semantic domain like objects in a Java heap First-order model assigns semantic value to terms and formulas Semantic notions satisfiability and validity André Platzer (CMU) M/08: Data, Code, Decisions 39 / 40

79 Summary and Outlook Summary First-order formulas defined over a signature of typed symbols Hierarchical OO type system with abstract and dynamic types Quantification over variables, no free variables in formulas Semantic domain like objects in a Java heap First-order model assigns semantic value to terms and formulas Semantic notions satisfiability and validity Semantic evaluation is not feasible in practice Infinite (uncountable) number of first-order models Evaluation of quantified formula may involve infinitely many cases Next goal: a syntactic calculus allowing mechanical validity checking André Platzer (CMU) M/08: Data, Code, Decisions 39 / 40

80 Background Literature KeYbook B. Beckert, R. Hähnle, and P. Schmitt, editors. Verification of Object-Oriented Software: The KeY Approach, vol 4334 of LNCS. Springer, Chapter 2: First-Order Logic Fitting Melvin Fitting. First-Order Logic and Automated Theorem Proving, 2nd edn., Springer 1996 Ben-Ari Mordechai Ben-Ari. Mathematical Logic for Computer Science, Springer, Huth & Ryan Michael Huth and Mark Ryan. Logic in Computer Science, Cambridge University Press, 2nd edn., 2004 André Platzer (CMU) M/08: Data, Code, Decisions 40 / 40

Fundamentals of Software Engineering

Fundamentals of Software Engineering Reasoning about Programs with Dynamic Logic - Part I Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard