
CSE 8389 Theorem Proving Peter-Michael Seidel



Presentation Transcript


  1. CSE 8389 Theorem Proving, Peter-Michael Seidel

  2. Syntax vs Semantics
  • Syntax
    • a.k.a. “formation rules”; “grammar”; …
    • prescribes what a well-formed formula is (syntactically)
  • Semantics
    • the “meaning” of well-formed formulas
    • defined via a mapping called interpretation
  Spring 2005

  3. Propositional Logic: Syntax
  • Logical symbols:
    • conjunction: ∧, disjunction: ∨, negation: ¬
    • implication: →, equivalence: ↔, parentheses: ( )
  • Non-logical symbols:
    • propositional variables p, q, r, ...
    • signature: set of propositional variables Σ = {p, q, r, ...}
  • Formation rules for well-formed formulas (wff)
    • an atomic formula (propositional variable) is a formula
    • if F, G are formulas, so are: F ∧ G, F ∨ G, ¬F, F → G, F ↔ G, (F)
  propositional logic <logic> (or "propositional calculus"): A system of symbolic logic using symbols to stand for whole propositions and logical connectives. Propositional logic only considers whether a proposition is true or false. In contrast to predicate logic, it does not consider the internal structure of propositions. http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?propositional+logic

  4. Propositional Logic: Semantics
  • Propositions can be assigned a truth-value:
    • either true or false (classical 2-valued logic: tertium non datur)
    • other propositional logics exist: 3-valued, 4-valued, temporal, … (modal logics), …, fuzzy logic
  • An interpretation I over a signature Σ is a mapping I: Σ → {true, false}, associating a truth value with every propositional variable
  • Truth tables describe how to extend I from atomic to composite formulas (Boolean Algebra): F ∧ G, F ∨ G, ¬F, F → G, F ↔ G

  5. Boolean Algebra, Truth Tables (see http://wombat.doc.ic.ac.uk/foldoc/foldoc.cgi?two-valued+logic)

  6. Different Logical Bases
  • Often: ∧, ∨, ¬
  • Alternatively:
    • ∧, ¬
    • ∨, ¬
    • NAND
    • NOR
    • XOR
    • ite(A,B,C): if A then B else C ?

  7. Reasoning in Propositional Logic
  • A formula F is …
    • valid if it is true for all interpretations I
    • satisfiable if it is true for some interpretation I
    • unsatisfiable if it is true for no interpretation I
  • Try these (the connectives between the variables did not survive extraction): p q, p p, p p, p p, p p, p p

  8. Reasoning in Propositional Logic
  • Def. “models” relationship “|=”:
    • If a formula F evaluates to true for an interpretation I then I is called a model of F; written I |= F
    • I is a model of {F1, …, Fk}, written I |= {F1, …, Fk}, if I is a model of each Fj
  • Automated deduction setting:
    • Show that A1, …, An (axioms) imply T (theorem), that is, every model of the axioms is also a model of the theorem:
    • That is: if I |= {A1, …, An} then I |= T
    • Short: {A1, …, An} |= T
    • Often: show that A1 ∧ … ∧ An ∧ ¬T is unsatisfiable
  • For automation a procedure / reasoning algorithm is needed:
    • Predicate calculus (in fact calculi: resolution, tableaux, …)

  9. Example
  • {p, p → q} |= q
  • Truth table
  • Resolution
  • Tableaux
  • Reasoning with BDDs

  10. Example: Reasoning with Binary Decision Trees (see also: Binary Decision Diagrams, or BDDs)
  [figure: decision trees over the variables A and B, each node with an if-false and an if-true branch and leaves 0/1 (false/true)]
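The following Python block is an added example, not code from the slides: it implements the interpretation-based semantics of slide 4, the valid/satisfiable/unsatisfiable classification of slide 7, the |= relation and its refutation form from slide 8, and checks the example of slide 9 ({p, p → q} |= q) both by truth table and by building the reduced binary decision tree of slide 10. The tuple encoding of formulas and all function names are this example's own.

```python
# Added example (not from the slides): propositional semantics, the |= relation
# and the refutation check of slides 7-9, plus the decision-tree (Shannon
# expansion) view of slide 10, all by brute force over a finite signature.
from itertools import product

# Formulas as nested tuples; the connective names are this example's own.
def var(name):   return ('var', name)
def neg(f):      return ('not', f)
def conj(f, g):  return ('and', f, g)
def disj(f, g):  return ('or', f, g)
def imp(f, g):   return ('imp', f, g)
def iff(f, g):   return ('iff', f, g)

def variables(f):
    """Signature of f: the propositional variables occurring in it."""
    if f[0] == 'var':
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))

def evaluate(f, interp):
    """Extend an interpretation I (dict: variable -> bool) from atoms to
    composite formulas, i.e. the truth tables of slide 4."""
    op = f[0]
    if op == 'var':
        return interp[f[1]]
    if op == 'not':
        return not evaluate(f[1], interp)
    a, b = evaluate(f[1], interp), evaluate(f[2], interp)
    if op == 'and':
        return a and b
    if op == 'or':
        return a or b
    if op == 'imp':
        return (not a) or b
    if op == 'iff':
        return a == b
    raise ValueError(f"unknown connective {op}")

def interpretations(sig):
    """All 2^|sig| interpretations I: sig -> {true, false}."""
    names = sorted(sig)
    for bits in product([False, True], repeat=len(names)):
        yield dict(zip(names, bits))

def classify(f):
    """'valid' (true under all I), 'satisfiable' (true under some I but not
    all) or 'unsatisfiable' (true under no I)."""
    values = [evaluate(f, I) for I in interpretations(variables(f))]
    if all(values):
        return 'valid'
    return 'satisfiable' if any(values) else 'unsatisfiable'

def models(formulas, sig):
    """The interpretations I over sig with I |= {F1, ..., Fk}."""
    return [I for I in interpretations(sig)
            if all(evaluate(f, I) for f in formulas)]

def entails(axioms, theorem):
    """{A1, ..., An} |= T: every model of the axioms is a model of T."""
    sig = variables(theorem).union(*(variables(a) for a in axioms))
    return all(evaluate(theorem, I) for I in models(axioms, sig))

def entails_by_refutation(axioms, theorem):
    """The same question asked the way a prover asks it: is
    A1 & ... & An & ~T unsatisfiable?"""
    f = neg(theorem)
    for a in axioms:
        f = conj(a, f)
    return classify(f) == 'unsatisfiable'

def decision_tree(f, sig, partial=None):
    """Binary decision tree for f: split on the first variable (if-false
    branch, if-true branch) and recurse; a node whose two branches are
    identical is replaced by that branch, the reduction step behind BDDs.
    Returns True/False for a leaf or (variable, if_false, if_true) for a node."""
    partial = partial or {}
    names = sorted(sig)
    if not names:
        return evaluate(f, partial)
    x, rest = names[0], names[1:]
    lo = decision_tree(f, rest, {**partial, x: False})
    hi = decision_tree(f, rest, {**partial, x: True})
    return lo if lo == hi else (x, lo, hi)

# The example of slide 9: {p, p -> q} |= q.
p, q = var('p'), var('q')
AXIOMS, THEOREM = [p, imp(p, q)], q
REFUTATION = conj(p, conj(imp(p, q), neg(q)))   # p & (p -> q) & ~q

if __name__ == '__main__':
    print(entails(AXIOMS, THEOREM), entails_by_refutation(AXIOMS, THEOREM))
    print(decision_tree(REFUTATION, {'p', 'q'}))   # the whole tree collapses to False
```

Both entailment checks enumerate every interpretation, so they are exponential in the signature; the decision tree shows why BDDs help in practice: the refutation formula for slide 9 collapses to the single leaf False without ever building a full truth table, because both branches agree at every split.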

  11. Syntax of First-Order Logic (FO)
  • Logical symbols: ∧, ∨, ¬, →, ↔, ( ), ∀ (“for all”), ∃ (“exists”), ...
  • Non-logical symbols: a FO signature Σ consists of
    • constant symbols: a, b, c, ...
    • function symbols: f, g, ...
    • predicate (relation) symbols: p, q, r, ...
    • function and predicate symbols have an associated arity; we can write, e.g., p/3, f/2 to denote the ternary predicate p and the function f with two arguments
  • First-order variables: x, y, ...
  • Formation rules for terms:
    • constants and variables are terms
    • if t1, …, tk are terms and f is a k-ary function symbol then f(t1, ..., tk) is a term

  12. Syntax of First-Order Logic (FO)
  • Formation rules for formulas:
    • if t1, …, tk are terms and p/k is a predicate symbol (of arity k) then p(t1, …, tk) is an atomic formula (short: atom)
    • all variable occurrences in p(t1, …, tk) are free
    • if F, G are formulas and x is a variable, then the following are formulas:
      • F ∧ G, F ∨ G, ¬F, F → G, F ↔ G, (F),
      • ∀x: F (“for all x: F(x, ...) is true”)
      • ∃x: F (“there exists x such that F(x, ...) is true”)
    • the occurrences of a variable x within the scope of a quantifier are called bound occurrences.

  13. Examples
  • ∀x man(x) → person(x).
  • man(bill).
  • child(marriage(bill,hillary),chelsea).
  • Variable: x
  • Constants (0-ary function symbols): bill/0, hillary/0, chelsea/0
  • Function symbols: marriage/2
  • Predicate symbols: man/1, person/1, child/2

  14. Semantics of Predicate Logic
  • Let D be a non-empty domain (a.k.a. universe of discourse). A structure is a pair I = (D, I), with an interpretation I that maps ...
    • each constant symbol c to an element I(c) ∈ D
    • each predicate symbol p/k to a k-ary relation I(p) ⊆ D^k,
    • each function symbol f/k to a k-ary function I(f): D^k → D
  • Let I be a structure and α: Vars → D a variable assignment (α is the letter used here; the original symbol did not survive extraction). A valuation val_{I,α} maps Term to D and Fml to {true, false}:
    • val_{I,α}(x) = α(x) ; for x ∈ Vars
    • val_{I,α}(f(t1, ..., tk)) = I(f)(val_{I,α}(t1), ..., val_{I,α}(tk)) ; for f(t1, ..., tk) ∈ Term
    • val_{I,α}(p(t1, ..., tk)) = I(p)(val_{I,α}(t1), ..., val_{I,α}(tk)) ; for p(t1, ..., tk) ∈ At
    • val_{I,α}(F ∧ G) = true iff val_{I,α}(F) and val_{I,α}(G) are true ; for F, G ∈ Fml
    • val_{I,α}(F ∨ G) = true iff val_{I,α}(F) or val_{I,α}(G) is true ; for F, G ∈ Fml
    • val_{I,α}(¬F) = true (false) if val_{I,α}(F) is false (true) ; for F ∈ Fml
    • val_{I,α}(∃x F) = true iff val_{I,α[x/t]}(F) is true for some t ∈ D ; for F ∈ Fml
    • val_{I,α}(∀x F) = true iff val_{I,α[x/t]}(F) is true for all t ∈ D ; for F ∈ Fml

  15. Example
  • Formula F = ∀x man(x) → person(x).
  • Domain D = {b, h, c, d, e}
  • Let’s pick an interpretation I: I(bill) = b, I(hillary) = h, I(chelsea) = c, I(person) = {b, h, c}, I(man) = {b}
  • Under this I, the formula F evaluates to true.
  • If we choose I’ like I but I’(man) = {b, d}, then F evaluates to false
  • Thus, I is a model of F, while I’ is not: I |= F, I’ |≠ F

  16. FO Semantics (cont’d)
  • F entails G (G is a logical consequence of F) if every model of F is also a model of G: F |= G
  • F is consistent or satisfiable if it has at least one model
  • F is valid or a tautology if every interpretation of F is a model
  • Proof Theory:
    • Let F, G, ... be FO sentences (no free variables).
    • Then the following are equivalent:
      • F_1, ..., F_k |= G
      • F_1 ∧ ... ∧ F_k → G is valid
      • F_1 ∧ ... ∧ F_k ∧ ¬G is unsatisfiable (inconsistent)

  17. Querying vs. Reasoning
  • Querying:
    • given a DB instance I (= logic interpretation), evaluate a query expression (e.g. SQL, FO formula, Prolog program, ...)
    • boolean query: check if I |= φ (i.e., if I is a model of φ)
    • (ternary) query: { (X, Y, Z) | I |= φ(X, Y, Z) } => check happyFathers in a given database
  • Reasoning:
    • check if I |= φ implies I |= ψ for all databases I, i.e., if φ => ψ
    • undecidable for FO, F-logic, etc.
    • Description Logics are decidable fragments
      • concept subsumption, concept hierarchy, classification
      • semantic tableaux, resolution, specialized algorithms
  (φ and ψ are the formula names used here; the original symbols did not survive extraction.)
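As an added example (not from the slides), the valuation of slide 14 carried out over a finite structure: it reproduces the model check of slide 15 (I |= F, I' |≠ F) and then uses the same evaluator as a query engine in the sense of slide 17, returning the set of variable assignments under which a formula with free variables holds. The domain, the values of marriage/2 and child/2 and the tuple encoding of terms and formulas are constructed for this example.

```python
# Added example (not from the slides): the valuation val_{I,alpha} of slide 14
# evaluated over a finite structure, checked on the man/person example of
# slide 15 and used as a query evaluator in the sense of slide 17. The
# domain, interpretation and child/marriage values are constructed here.
from itertools import product

# Terms: ('var', x), ('const', c), ('fn', f, t1, ..., tk).
# Formulas: ('atom', p, t1, ..., tk), ('not', F), ('and', F, G), ('or', F, G),
#           ('imp', F, G), ('forall', x, F), ('exists', x, F).
def val_term(t, I, alpha):
    """val_{I,alpha} on terms: variables via alpha, constants and function
    applications via the interpretation I."""
    if t[0] == 'var':
        return alpha[t[1]]
    if t[0] == 'const':
        return I[t[1]]
    return I[t[1]](*(val_term(s, I, alpha) for s in t[2:]))

def val(F, I, alpha, D):
    """val_{I,alpha} on formulas; quantifiers range over the finite domain D
    by updating alpha[x/d] for every d in D."""
    kind = F[0]
    if kind == 'atom':
        return tuple(val_term(t, I, alpha) for t in F[2:]) in I[F[1]]
    if kind == 'not':
        return not val(F[1], I, alpha, D)
    if kind == 'and':
        return val(F[1], I, alpha, D) and val(F[2], I, alpha, D)
    if kind == 'or':
        return val(F[1], I, alpha, D) or val(F[2], I, alpha, D)
    if kind == 'imp':
        return (not val(F[1], I, alpha, D)) or val(F[2], I, alpha, D)
    if kind == 'forall':
        return all(val(F[2], I, {**alpha, F[1]: d}, D) for d in D)
    if kind == 'exists':
        return any(val(F[2], I, {**alpha, F[1]: d}, D) for d in D)
    raise ValueError(f"unknown formula kind {kind}")

def is_model(I, D, sentence):
    """I |= F for a sentence (no free variables, so alpha is empty)."""
    return val(sentence, I, {}, D)

def query(I, D, free_vars, F):
    """{ (X1, ..., Xk) | I |= F(X1, ..., Xk) }: all assignments of domain
    elements to the free variables under which F holds."""
    return {vals for vals in product(sorted(D), repeat=len(free_vars))
            if val(F, I, dict(zip(free_vars, vals)), D)}

# Constructed structure for the signature of slide 13.
D = {'b', 'h', 'c', 'd', 'e'}
I = {
    'bill': 'b', 'hillary': 'h', 'chelsea': 'c',        # constants
    'person': {('b',), ('h',), ('c',)},                  # unary relations as 1-tuples
    'man': {('b',)},
    # marriage/2 must map D x D into D: the bill/hillary marriage is the
    # element d, every other pair maps to e (a constructed choice).
    'marriage': lambda x, y: 'd' if {x, y} == {'b', 'h'} else 'e',
    'child': {('d', 'c')},
}
I_prime = {**I, 'man': {('b',), ('d',)}}                 # the I' of slide 15

F = ('forall', 'x', ('imp', ('atom', 'man', ('var', 'x')),
                             ('atom', 'person', ('var', 'x'))))
CHELSEA_FACT = ('atom', 'child',
                ('fn', 'marriage', ('const', 'bill'), ('const', 'hillary')),
                ('const', 'chelsea'))
# Ternary query: which (x, y, z) satisfy child(marriage(x, y), z)?
CHILD_QUERY = ('atom', 'child',
               ('fn', 'marriage', ('var', 'x'), ('var', 'y')), ('var', 'z'))

if __name__ == '__main__':
    print(is_model(I, D, F), is_model(I_prime, D, F))   # True False
    print(query(I, D, ['x', 'y', 'z'], CHILD_QUERY))
```

The query returns both orderings of the parents because I(marriage) was constructed to be symmetric; a boolean query is just a query with no free variables. Note that this evaluator only answers questions about one given finite structure (querying); the reasoning question of slide 17, whether φ => ψ holds in every structure, cannot be settled this way.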

  18. Reasoning Example
  • (1) p(0)
  • (2) ∀x p(x) → p(s(x))
  • (3) p(s(s(0))).
  • We want to show that (1) & (2) implies (3)
  • Approach: assume the negation of (3) and show that it leads to a contradiction with {(1), (2)}
  • Question: Why is this sound?

  19. Limitations
  • Drawbacks of methods based on FOL/Predicate Logic:
    • only small and medium size circuits can be verified
    • the most abstract representation view is gate level
    • Complex circuits are hierarchically designed, but verification methods are not able to benefit from this to reduce the verification complexity
  • Caused by the limited expressiveness of the underlying logic: one cannot even argue about simple natural numbers
  • Natural numbers are useful to argue about
    • discrete time
    • parameterized circuits: FORALL n>0, FORALL a,b,c in B^n: <a> + <b> = <c>
  • A more expressive logic is also needed to allow abstract descriptions (types)
  [figure: an n-bit adder ADD(n) with inputs a, b and output c]

  20. Sentences in First-Order Logic
  • An atomic sentence is simply a predicate applied to a set of terms.
    • Owns(John, Car1)
    • Sold(John, Car1, Fred)
  • Semantics is True or False depending on the interpretation, i.e. is the predicate true of these arguments.
  • The standard propositional connectives (∨ ¬ ∧ ⇒ ⇔) can be used to construct complex sentences:
    • Owns(John, Car1) ∨ Owns(Fred, Car1)
    • Sold(John, Car1, Fred) ⇒ ¬Owns(John, Car1)
  • Semantics same as in propositional logic.

  21. Review: Quantifiers
  • Allow statements about entire collections of objects
  • Universal quantifier: ∀x
    • Asserts that a sentence is true for all values of variable x
    • ∀x Loves(x, FOPC)
    • ∀x Whale(x) ⇒ Mammal(x)
    • ∀x (∀y Dog(y) ⇒ Loves(x,y)) ⇒ (∀z Cat(z) ⇒ Hates(x,z))
  • Existential quantifier: ∃
    • Asserts that a sentence is true for at least one value of a variable x
    • ∃x Loves(x, FOPC)
    • ∃x (Cat(x) ∧ Color(x, Black) ∧ Owns(Mary, x))
    • ∃x (∀y Dog(y) ⇒ Loves(x,y)) ∧ (∀z Cat(z) ⇒ Hates(x,z))

  22. Review: Use of Quantifiers
  • Universal quantification naturally uses implication:
    • ∀x Whale(x) ∧ Mammal(x)
    • Says that everything in the universe is both a whale and a mammal.
  • Existential quantification naturally uses conjunction:
    • ∃x Owns(Mary, x) ⇒ Cat(x)
    • Says either there is something in the universe that Mary does not own or there exists a cat in the universe.
  • ∀x Owns(Mary, x) ⇒ Cat(x)
    • Says all Mary owns is cats (i.e. everything Mary owns is a cat). Also true if Mary owns nothing.
  • ∀x Cat(x) ⇒ Owns(Mary, x)
    • Says that Mary owns all the cats in the universe. Also true if there are no cats in the universe.

  23. Nesting Quantifiers
  • The order of quantifiers of the same type doesn't matter:
    • ∀x∀y (Parent(x,y) ∧ Male(y) ⇒ Son(y,x))
    • ∃x∃y (Loves(x,y) ∧ Loves(y,x))
  • The order of mixed quantifiers does matter:
    • ∀x∃y Loves(x,y): says everybody loves somebody, i.e. everyone has someone whom they love.
    • ∃y∀x Loves(x,y): says there is someone who is loved by everyone in the universe.
    • ∀y∃x Loves(x,y): says everyone has someone who loves them.
    • ∃x∀y Loves(x,y): says there is someone who loves everyone in the universe.

  24. Variable Scope
  • The scope of a variable is the sentence to which the quantifier syntactically applies.
  • As in a block structured programming language, a variable in a logical expression refers to the closest quantifier within whose scope it appears.
    • ∃x (Cat(x) ∧ ∀x (Black(x)))
    • The x in Black(x) is universally quantified
    • Says cats exist and everything is black
  • In a well-formed formula (wff) all variables should be properly introduced:
    • ∃x P(y) is not well-formed
  • A ground expression contains no variables.

  25. Relations Between Quantifiers
  • Universal and existential quantification are logically related to each other:
    • ∀x ¬Loves(x, Saddam) ⇔ ¬∃x Loves(x, Saddam)
    • ∀x Loves(x, Princess-Di) ⇔ ¬∃x ¬Loves(x, Princess-Di)
  • General Identities
    • ∀x ¬P ⇔ ¬∃x P
    • ¬∀x P ⇔ ∃x ¬P
    • ∀x P ⇔ ¬∃x ¬P
    • ∃x P ⇔ ¬∀x ¬P
    • ∀x (P(x) ∧ Q(x)) ⇔ ∀x P(x) ∧ ∀x Q(x)
    • ∃x (P(x) ∨ Q(x)) ⇔ ∃x P(x) ∨ ∃x Q(x)
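The following added example (not from the slides) makes three points of slides 22, 23 and 25 concrete by exhaustive enumeration over small constructed universes: that ∀x∃y and ∃y∀x read differently on the same Loves relation, that ∃x (Owns(Mary,x) ⇒ Cat(x)) can hold although Mary owns no cat, and that the quantifier identities of slide 25 hold for every choice of unary predicates P, Q over a finite domain while the tempting ∃x (P(x) ∧ Q(x)) ⇔ ∃x P(x) ∧ ∃x Q(x) does not. The names, people and relations are constructed for the example.

```python
# Added example (not from the slides): quantifier order (slide 23), the
# implication-vs-conjunction pitfall (slide 22) and the identities of slide 25,
# checked by exhaustive enumeration over constructed finite universes.
from itertools import combinations

PEOPLE = {'ann', 'bob', 'cyd'}                              # constructed universe
LOVES = {('ann', 'bob'), ('bob', 'cyd'), ('cyd', 'bob')}    # Loves(x, y) pairs

def forall_exists(U, R):
    """∀x∃y R(x,y): everybody loves somebody."""
    return all(any((x, y) in R for y in U) for x in U)

def exists_forall(U, R):
    """∃y∀x R(x,y): someone is loved by everyone."""
    return any(all((x, y) in R for x in U) for y in U)

def owns_a_cat(U, owns, cat):
    """∃x (Owns(Mary,x) ∧ Cat(x)): the intended reading."""
    return any(x in owns and x in cat for x in U)

def owns_implies_cat_exists(U, owns, cat):
    """∃x (Owns(Mary,x) ⇒ Cat(x)): true as soon as anything is not owned."""
    return any((x not in owns) or (x in cat) for x in U)

def all_predicates(U):
    """Every unary predicate over U, given as the set of elements it holds for."""
    return [frozenset(s) for r in range(len(U) + 1)
            for s in combinations(sorted(U), r)]

def law_holds(U, law):
    """Check law(U, P, Q) for every pair of unary predicates P, Q over U."""
    preds = all_predicates(U)
    return all(law(U, P, Q) for P in preds for Q in preds)

def not_exists_law(U, P, Q):
    """∀x ¬P(x) ⇔ ¬∃x P(x)"""
    return all(x not in P for x in U) == (not any(x in P for x in U))

def forall_and_law(U, P, Q):
    """∀x (P(x) ∧ Q(x)) ⇔ ∀x P(x) ∧ ∀x Q(x)"""
    lhs = all(x in P and x in Q for x in U)
    return lhs == (all(x in P for x in U) and all(x in Q for x in U))

def exists_or_law(U, P, Q):
    """∃x (P(x) ∨ Q(x)) ⇔ ∃x P(x) ∨ ∃x Q(x)"""
    lhs = any(x in P or x in Q for x in U)
    return lhs == (any(x in P for x in U) or any(x in Q for x in U))

def exists_and_claim(U, P, Q):
    """∃x (P(x) ∧ Q(x)) ⇔ ∃x P(x) ∧ ∃x Q(x): NOT an identity; the witness
    for P and the witness for Q may be different elements."""
    lhs = any(x in P and x in Q for x in U)
    return lhs == (any(x in P for x in U) and any(x in Q for x in U))

if __name__ == '__main__':
    print(forall_exists(PEOPLE, LOVES), exists_forall(PEOPLE, LOVES))  # True False
    U3 = {'a', 'b', 'c'}
    print(law_holds(U3, not_exists_law), law_holds(U3, exists_and_claim))  # True False
```

Enumerating all 2^|U| predicates is feasible only for toy domains, but it is enough to refute a false "identity": exists_and_claim fails already on a two-element universe with P = {a} and Q = {b}.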

  26. Equality
  • Can include equality as a primitive predicate in the logic, or require it to be introduced and axiomatized as the identity relation.
  • Useful in representing certain types of knowledge:
    • ∃x∃y (Owns(Mary, x) ∧ Cat(x) ∧ Owns(Mary, y) ∧ Cat(y) ∧ ¬(x = y))
    • Mary owns two cats. Inequality is needed to ensure x and y are distinct.
    • ∀x ∃y married(x, y) ∧ ∀z (married(x, z) ⇒ y = z)
    • Everyone is married to exactly one person. The second conjunct is needed to guarantee there is only one unique spouse.

  27. Higher-Order Logic
  • FOPC is called first-order because it allows quantifiers to range over objects (terms) but not properties, relations, or functions applied to those objects.
  • Second-order logic allows quantifiers to range over predicates and functions as well:
    • ∀x ∀y [ (x = y) ⇔ (∀p p(x) ⇔ p(y)) ]
    • Says that two objects are equal if and only if they have exactly the same properties.
    • ∀f ∀g [ (f = g) ⇔ (∀x f(x) = g(x)) ]
    • Says that two functions are equal if and only if they have the same value for all possible arguments.
  • Third-order would allow quantifying over predicates of predicates, etc.
  • We will consider Higher-Order Logic = FOL & Second-order Logic & …
    • allows us to argue about infinite sets, use induction

  28. Problems with Higher-Order Logic
  • Higher-Order Logic is undecidable
    • Theorem provers based on HOL have to be interactive.
  • (Informal versions of) Russell’s Paradox
    • In a certain town in Spain, there lives an excellent barber who shaves all the men who do not shave themselves. Who shaves the barber?
    • Divide all adjectives into two groups: the group of adjectives which describe themselves and the group of adjectives which do not. Into which group does the adjective indescribable go?
    • I am a liar.
  • Russell’s Paradox can be resolved by introducing typed higher-order logic

  29. What is PVS?
  • PVS = Prototype Verification System
    • Formal specification language
    • Model checker
    • Theorem prover
    • Documentation tools, etc.

  30. Applications
  • Academic and industrial applications
    • Hardware verification (e.g. VAMP – Verified Architecture Microprocessor)
    • Protocol verification
    • Verification of Javacard applets
    • Formal Mathematics
    • Safety-critical systems
    • … (see http://pvs.csl.sri.com/users.html)

  31. The PVS Language
  • There are two languages
    • The language to write definitions and theorems (“definition language”)
    • The language to prove theorems (“proof language”)
    • They have nothing to do with each other
  • The definition language looks like “normal math” (a translator to LaTeX is built in)
  • The proof language looks like LISP

  32. The PVS Definition Language
  • Main language elements
    • Declarations
      • Types
      • Constants
    • Expressions over these types
      • Expressions of Boolean type may be a formula
    • Formulae are theorems or axioms
    • Declarations and formulae are grouped into theories

  33. The PVS Definition Language (slides 33–35 show the same theory, highlighting different parts of it)

    class_theory: THEORY
    BEGIN
      my_type: NONEMPTY_TYPE
      constant1, constant2: my_type
      f1: THEOREM FORALL (a, b: integer): a+b=b+a
      f2: AXIOM constant1=constant2
    END class_theory

  • Type declarations: my_type: NONEMPTY_TYPE
  • Declarations: my_type and constant1, constant2, together with the formulae f1 and f2
  • Expressions: a+b=b+a, constant1=constant2
  • Formulae: f1 (a THEOREM) and f2 (an AXIOM)

  36. Axioms vs. Theorems
  • Axioms are assumed to be true
    • Dangerous!
  • Avoid axioms, use constant declarations instead. The first version (a definition) is conservative, the second (an axiom) is not:

    class_theory: THEORY
    BEGIN
      c: integer = 3
    END class_theory

    class_theory: THEORY
    BEGIN
      c: integer
      c: AXIOM c=3
    END class_theory

  37. Types
  • PVS has a very rich type concept
  • Uninterpreted type declaration:
      numbers: TYPE
      numbers: NONEMPTY_TYPE
  • Interpreted type declaration: introduce names for type expressions
      posint: TYPE = { i: integer | i > 0 }

  38. Types
  • PVS comes with
    • boolean: FALSE, TRUE
    • Number types: real, rational, integer, natural
    • string
    • Ordinals

  39. Type Expressions
  • Function types: [ t1,…,tn -> t ]
    • Alternative syntax: FUNCTION[ t1,…,tn -> t ], ARRAY[ t1,…,tn -> t ]
    • Note that ti and t may be function types as well!

  40. Expressions
  • Constants
    • Given by their name, as used in the declaration
    • Numbers (1, 2, 3, …) are actually identifiers and can even be overloaded
    • If a name is ambiguous, use identifier::type

  41. Expressions
  • Function applications: f(x)
    • Tons of syntactic variants exist to support intuition, don’t be confused
    • Binary operator symbols: y * z is the same as *(y, z)

  42. Expressions
  • Functions PVS comes with
    • Boolean: AND &, OR, IMPLIES =>, WHEN, IFF <=>
    • IF c THEN a ELSE b, with IF: [boolean, T, T -> T]
    • Numeric operators: +, -, *, /, ^, <, <=, >, >=

  43. Expressions
  • Binding expressions
    • Quantifiers: EXISTS (x: T): p(x), FORALL (y: T): q(y)

  44. Expressions
  • Binding expressions
    • Lambda: unnamed functions, e.g. LAMBDA (x: int): x+1
    • Type of that: [ int -> int ]
  • The following two theories define the same function f:

    class_theory: THEORY
    BEGIN
      f(x: int): int = x+1
    END class_theory

    class_theory: THEORY
    BEGIN
      f: [int->int] = LAMBDA (x: int): x+1
    END class_theory

  45. Recursion
  • Lambda cannot be used for recursion
  • Only named functions allow recursion
  • No mutual recursion

    factorial(x: nat): RECURSIVE nat =
      IF x=0 THEN 1 ELSE factorial(x-1)*x ENDIF
      MEASURE (LAMBDA (x: nat): x)

  • The MEASURE is used to prove that the function is total
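To show what the MEASURE clause commits the author to, here is an added example in Python rather than PVS, and not code from the slides: PVS discharges the termination obligation by proof, while the decorator below (written for this example) checks the same property at run time, namely that the measure of every recursive call's argument is a natural number strictly smaller than the caller's. The decorator, the `not_total` function and the helper names are this example's own.

```python
# Added example (not from the slides, Python rather than PVS): what the
# MEASURE clause of a RECURSIVE definition asserts. PVS proves it; this
# decorator checks it call by call: every recursive call's argument must
# have a strictly smaller measure than its caller's, and the measure must be
# a natural number, so the recursion is well-founded and the function total.
import functools

def with_measure(measure):
    def decorate(fn):
        stack = []                               # measures of the active calls
        @functools.wraps(fn)
        def wrapper(*args):
            m = measure(*args)
            if not isinstance(m, int) or m < 0:
                raise ValueError(f"measure {m!r} is not a natural number")
            if stack and not m < stack[-1]:
                raise ValueError(f"measure did not decrease: {stack[-1]} -> {m}")
            stack.append(m)
            try:
                return fn(*args)
            finally:
                stack.pop()
        return wrapper
    return decorate

@with_measure(lambda x: x)            # MEASURE (LAMBDA (x: nat): x)
def factorial(x):
    """The factorial of slide 45: the recursive call is on x-1, so the
    measure decreases on every call."""
    return 1 if x == 0 else factorial(x - 1) * x

@with_measure(lambda x: x)
def not_total(x):
    """Same measure, but the recursive call repeats the argument: PVS would
    leave the termination obligation unprovable; here the check fails at
    the first recursive call instead of looping forever."""
    return 0 if x == 0 else not_total(x)

def terminates_under_measure(fn, *args):
    """True if fn(*args) ran to completion without violating its measure."""
    try:
        fn(*args)
        return True
    except ValueError:
        return False

if __name__ == '__main__':
    print(factorial(5))                                   # 120
    print(terminates_under_measure(not_total, 3))         # False
```

The run-time check only covers the arguments actually tried, which is exactly why PVS insists on a proof: a measure that happens to decrease on the tested inputs says nothing about the inputs that were not tested.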

  46. Expressions
  • LET expressions: LET i: T = e1 IN e2
    • Useful for avoiding redundancy if e1 is used many times in e2
    • Example: LET x = 2 IN x*y is (LAMBDA x: x*y)(2)

  47. Expressions
  • Override expressions: e WITH [(i1):=v1, (i2):=v2, …]
    • Sugar for LAMBDA:
        LAMBDA x: IF x=i1 THEN v1 ELSIF x=i2 THEN v2 … ELSE e(x) ENDIF
    • Also for records and tuples

  48. Expressions
  • LET and WITH are useful for some sequential program constructs!

    int f(int i) {
      int a[10] = { 0, … };
      ...
      a[i] = 5;
      ...
      return a[0];
    }

    f(i: int): int =
      LET a1 = LAMBDA (x: below(10)): 0 IN
      ...
      LET a2 = a1 WITH [(i) := 5] IN
      ...
      aj(0)

  49. Expressions
  • Set expressions
    • In PVS, sets are represented using their characteristic function: [ T -> boolean ], the same as setof[T]
    • Set expressions: { x: T | p(x) }
    • For sets a, b over T: union a OR b, intersection a AND b
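As an added example (a Python model, not PVS and not code from the slides), here is the override expression of slide 47 written out as the LAMBDA-with-IF it abbreviates, the array-update encoding of slide 48 built on it, and sets as characteristic functions with union and intersection as OR and AND of those functions (slide 49). The bounds check standing in for the type below(10) and all function names are this example's own.

```python
# Added example (not from the slides, a Python model rather than PVS): the WITH
# override of slide 47 as sugar for a LAMBDA with IF, the array-update
# encoding of slide 48, and sets as characteristic functions (slide 49).
def below(n):
    """Domain check standing in for the PVS type below(n): 0 <= x < n."""
    def check(x):
        if not (isinstance(x, int) and 0 <= x < n):
            raise IndexError(f"{x!r} is not in below({n})")
        return x
    return check

def override(e, updates):
    """e WITH [(i1):=v1, (i2):=v2, ...]: a new function that returns vk on ik
    and e(x) elsewhere, i.e. LAMBDA x: IF x=i1 THEN v1 ... ELSE e(x) ENDIF.
    e itself is unchanged: there is no in-place mutation."""
    table = dict(updates)
    return lambda x: table[x] if x in table else e(x)

DOM10 = below(10)

def zero_array(x):
    """LET a1 = LAMBDA (x: below(10)): 0, the all-zero array of slide 48."""
    DOM10(x)
    return 0

def f(i):
    """The C function of slide 48 in functional style: a[i] = 5 becomes a
    new function a2, and the result is read from the latest version."""
    a1 = zero_array
    a2 = override(a1, [(DOM10(i), 5)])   # LET a2 = a1 WITH [(i) := 5]
    return a2(0)                          # aj(0), with j = 2 here

# Sets over T as characteristic functions [T -> boolean] (setof[T]).
def set_expr(pred):
    """{ x: T | p(x) } is just its predicate."""
    return pred

def union(a, b):                          # a OR b
    return lambda x: a(x) or b(x)

def intersection(a, b):                   # a AND b
    return lambda x: a(x) and b(x)

def members(s, universe):
    """Enumerate a set's elements over a finite universe (for inspection only;
    the set itself is the function)."""
    return {x for x in universe if s(x)}

EVENS = set_expr(lambda x: x % 2 == 0)
SMALL = set_expr(lambda x: x < 4)

if __name__ == '__main__':
    print(f(0), f(3), zero_array(0))                    # 5 0 0
    print(sorted(members(union(EVENS, SMALL), range(10))))
```

Because override builds a new function instead of writing into a buffer, zero_array still returns 0 at index 0 after f(0) has "set" a[0] to 5; the two versions a1 and a2 coexist, which is what lets each intermediate state be named and reasoned about separately.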

  50. Some Additional Syntax
  • Tuple types: [ t1,…,tn ]
  • Tuple expressions: (e1,…,en)
  • Comes with projections: PROJ_1, PROJ_2, ..., PROJ_n
