Subject to statutory exception and the provisions of applicable collective licensing agreements, no part may be reproduced without the written permission of Cambridge University Press.
I recommend it to the reader with the greatest enthusiasm and predict that the book will be a great success.
Our motivation for (re)writing this book
What’s new and what’s gone
It now begins with a discussion of the temporal logic of linear time; covers the open-source NuSMV model-checking tool; and includes a discussion of design problems, more material on the expressiveness of temporal logic, and new modelling examples.
The interdependence of chapters and prerequisites
WWW page
Declarative sentences
It is based on propositions, or declarative sentences, which can in principle be claimed to be true or false. Given p and r, we may want to claim that at least one of them is true: 'I won the lottery last week, or I played the lottery last week;' we denote this declarative sentence by p ∨ r and call it the disjunction of p and r.
Natural deduction
- Rules for natural deduction
- Derived rules
- Natural deduction in summary
- Provable equivalence
- An aside: proof by contradiction
Part of the structure of the formula (q → r) → ((¬q → ¬p) → (p → r)) is shown to illustrate how it determines the structure of the proof. In particular, this is not a restriction in the case that one of the premises is (always) false.
Propositional logic as a formal language
Given the well-formed formula φ above, its subformulas are just those that correspond to the subtrees of its parse tree in Figure 1.3. However, the tree in Figure 1.21 on page 82 does not represent a well-formed formula for two reasons.
Semantics of propositional logic
- The meaning of logical connectives
- Mathematical induction
- Soundness of propositional logic
- Completeness of propositional logic
Since the conjunction of T and F is F, we get F as the meaning of the right subtree of. Course-of-values induction, inductive step: let us assume that the proof of the successive φ1, φ2,
Normal forms
- Semantic equivalence, satisfiability and validity
Two formulas φ and ψ are said to be equivalent if they have the same
- Conjunctive normal forms and validity
- Horn clauses and satisfiability
For example, if φ has the form φ1 ∧ φ2, we can simply compute conjunctive normal forms ηi for φi (i = 1, 2); then η1 ∧ η2 is a conjunctive normal form equivalent to φ, provided that ηi ≡ φi (i = 1, 2). The first formula is not a Horn formula since ¬p, the conclusion of the implication in the first conjunct, is not of type P. The third formula is not a Horn formula since the conclusion of the implication in the first conjunct, p13 ∧ p27, is not of type P.
Note that the body of the while statement has the effect of marking an unmarked P that is not.
SAT solvers
- A linear solver
- A cubic solver
The fact that every node in the DAG has received a forced label does not by itself constitute evidence that the formula is satisfiable. Since this quantity is a linear function of the length of φ (the translation T causes only a linear increase), our SAT solver runs in time linear in the length of the formula. This linearity comes at a price: our linear solver fails for all formulas of the form ¬(φ1 ∧ φ2).
The running time is indeed cubic in the size of the DAG (and hence in the length of the original formula).
Exercises
Determine, by trying to draw parse trees, which of the following formulas are well-formed. Given a valuation and the parse tree of a formula, compute the truth value of the formula under that valuation by working bottom-up through the parse tree, as done in Figure 1.7 on page 40. Show that the following sequents are not valid by finding a valuation in which the truth values of the formulas on the left are T and the truth value of the formula on the right is F.
In Figure 1.16 on page 73, we derived a contradiction which established the validity of the sequent ¬p ∧ q → r ⊢ p → q → r.
Bibliographic notes
Our linear and cubic SAT solvers are variants of Stålmarck's method [SS90], a SAT solver patented in Sweden and the USA. Further historical notes, and also references to other contemporary books on propositional and predicate logic, can be found in the bibliographic notes at the end of Chapter 2.
The need for a richer language
It is beyond the scope of this book to show that the natural deduction calculus for predicate logic is sound and complete with respect to semantic entailment; but it is true. It is not very elegant to say 'any of x's mothers', since we know that each individual has one and only one mother. Expressing that Andy and Paul share the same maternal grandmother is even simpler; it is written as
However, it is usually cleaner to use function symbols whenever possible, because they give more compact encodings.
Predicate logic as a formal language
- Terms
- Formulas
- Free and bound variables
- Substitution
An occurrence of x in φ is free in φ if it is a leaf node x in the parse tree of φ such that there is no path upwards from that node to a node ∀x or ∃x. Let f be a function symbol with two arguments and φ the formula with the parse tree in Figure 2.1. Given the parse tree of φ and the parse tree of t, we can perform the substitution [t/x] on φ to obtain the formula φ[t/x].
Examining the definition of 't is free for x in φ', we see that every term t is free for x in φ if and only if no free occurrence of the variable x in φ lies below a quantifier in the parse tree of φ.
Proof theory of predicate logic
- Natural deduction rules
- Quantifier equivalences
The box controls two things: the scope of x0 and also the scope of the assumption φ[x0/x]. The rule ∃x e is also similar to ∨e in the sense that both are elimination rules whose conclusion need not be a subformula of the formula being eliminated. Within that box, we want to make use of the premise ∃x P(x), which results in the proof-box setup of lines 4–7.
Now we want to present formal proofs of some of the most commonly used quantifier equivalences.
Semantics of predicate logic
- Models
- Semantic entailment
- The semantics of equality
This leaves us with the case where the root node is a predicate symbol P (in propositional logic this was an atom and we were already done). Essentially, environments are lookup tables for all variables; such a table associates a value l(x) of the model with each variable x. So one can also say that environments are functions l: var → A from the set of variables var to the universe of values A of the underlying model.
We have already pointed out the open nature of the semantics of predicate logic.
Undecidability of predicate logic
This is a beautiful application of the proof rules i and ¬e, since then we can conclude that our problem cannot be solved either. Here is an example of a problem instance that we can solve successfully: the concrete instance C of the correspondence problem is given by a sequence of three pairs; C is defined thus. Note that the root of the parse tree of φ is an implication, so this is the crucial clause in the definition of M ⊨ φ.
The way we proceed here is by interpreting finite, binary strings in the domain of values A of the model M.
Expressiveness of predicate logic
- Existential second-order logic
- Universal second-order logic
Of course, we can negate (2.12) and obtain
The other undecidability result follows from the soundness and completeness of predicate logic which, in the special form for sentences, reads as. Given the obvious importance of this concept, can we express reachability in predicate logic, which is, after all, so expressive that it is undecidable? To put the question more precisely: can we find a predicate logic formula φ with u and v as its only free variables and R as its only predicate symbol (of arity 2), such that φ holds in a directed graph if there is a path in that graph from the node associated with u to the node associated with v?
If predicate logic cannot express reachability in graphs, then what can, and at what cost?
Micromodels of software
- State machines
- Alma – re-visited
- A software micromodel
Please verify that this is a counterexample to the assertion FinalNotInitial within the specified scope. Please verify that this witness satisfies all the constraints of the consistency check and lies within the specified scope. Its body indicates that for all x and y in the set S, if Alma is loved by x and x is loved by y, then (the symbol => expresses implication) Alma is not loved by y.
So this operation only applies if the component is not yet in the component set of the PDS (not c in P.components; an example of a boundary condition) and if the PDS only adds c and loses no other components (P' . components = P.components + c, an example postcondition).
Exercises
Let F be {d, f, g}, where g is a constant, f is a function symbol with two arguments, and d is a function symbol with three arguments. a) Which of the following strings are terms over F? Draw the parse trees of those strings that are actually terms. Hint: wherever you used the ∧ rules in the (propositional) proof of the previous exercise, use the ∀ rules in the (predicate) proof. Prove the validity of the following sequents in predicate logic, where F, G, P and Q have arity 1, and S has arity 0 (a 'propositional atom').
What conclusion can be drawn from the result of the analysis? f) Write a fun-statement that, when parsed, generates a state machine with two propositions and three states, and that completes the sentence in the caption of Figure 2.15.
Bibliographic notes
The PDS model grew out of a coursework set for C475 Software Engineering Environments in Fall 2002, co-taught by Susan Eisenbach and the first author. Jackson and his software design group at the Laboratory for Computer Science at the Massachusetts Institute of Technology. More information on typed higher-order logic and its use in the modelling and verification of programming frameworks can be found on
Motivation for verification
In terms of the above classification, model checking is an automated, model-based, property-verification approach. Another difference between Alloy and model checking is that model checking (unlike Alloy) explicitly focuses on temporal properties and the temporal evolution of systems. In contrast, Chapter 4 describes a very different verification technique which, in terms of the above classification, is a proof-based, computer-assisted, property-verification approach.
Since model checking is a model-based approach in the sense of the classification given earlier, it follows that in this chapter, unlike the previous two, we will not deal with semantic entailment (Γ ⊨ φ) or with proof theory (Γ ⊢ φ), such as the development of a natural deduction calculus for temporal logic.
Linear-time temporal logic
- Syntax of LTL
- Semantics of LTL
- Practical patterns of specifications
- Important equivalences between LTL formulas
Definition 3.9 We say that two LTL formulas φ and ψ are semantically
X means 'next state', F means 'some future state', and G means 'all future states (globally)'. The next three, U, R and W, are called 'Until', 'Release' and 'Weak-until' respectively. It is useful to visualise all possible computation paths from a given state by unwinding the transition system to obtain an infinite computation tree. R is useful because it is the dual of U, while W is useful because it is a weak form of U.
Intuitively it says: no matter how far along the path you go (that's the G part), you will find that you still have a p in front of you (that's the F part).