Propositional Calculus CS 680: Formal Methods in Verification Computer Systems Jeremy Johnson
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Propositional Calculus
CS 680: Formal Methods in Verification Computer Systems
Jeremy Johnson
2
Propositional CalculusObjective: To provide students with the
concepts and techniques from propositional calculus so that they can use it to codify logical statements and to reason about these statements. To illustrate how a computer can be used to carry out formal proofs and to provide a framework for logical deduction.
Propositional CalculusTopics
MotivationBoolean functions and expressionsRules of Boolean AlgebraTautologies and automatic verification of
tautologiesSatisfiabilityPropositional calculus in ACL2
Word Problem
Tom likes Jane if and only if Jane likes Tom. Jane likes Bill. Therefore, Tom does not like Jane. Let p denote “Tom likes Jane” Let q denote “Jane likes Tom” Let r denote “Jane likes Bill” ((p q) r) p encodes the above claim The claim is not valid as the assignment p =
true, q = true, and r = true evaluates to false
5
Programming Example Boolean expressions arise in conditional statements. It is
possible to abstract the relations with boolean variables (propositions that are either true or false). Using this abstraction one can reason and simplify conditional statements.
if ((a < b) || ((a >= b) && (c == d)) then { … } else { … } Let p denote the relation (a<b) and q denote the relation
(c == d). The above expression is then equal to
p || !p && q
6
Programming Example (cont) The previous expression is equivalent (two expressions are
equivalent if they are true for the same values of the variables occurring in the expressions) to a simpler expression
(p || !p && q) p || q
We can see this since if p is true both expressions are true, and if p is false, then !p is true and (!p && q) is true exactly when q is true.
7
Limitations of Propositional Calculus
Propositions hide the information in the predicates they abstract.
Sometimes properties of the hidden information is required to make further deductions.
E.G. for integers a,b, and c, (a < b) && (b < c) implies that a < c; however, this can not be deduced without using the order properties of the integers.
The predicate calculus allows the use of predicates to encode this additional information.
E.G. we can introduce a parameterized predicate lt(a,b) to encode the predicate a < b. Properties such as lt(a,b) && lt(b,c) lt(a,c) can be asserted. This type of notation and deduction is called predicate calculus and will be discussed later.
8
Boolean Functions A Boolean variable has
two possible values (true/false) (1/0).
A Boolean function has a number of Boolean input variables and has a Boolean valued output.
A Boolean function can be described using a truth table.
There are 22n Boolean function of n variables.
s x0 x1 f
0 0 0 0
0 0 1 0
0 1 0 1
0 1 1 1
1 0 0 0
1 0 1 1
1 1 0 0
1 1 1 1
f
x0
x1
s
Multiplexor function
9
Boolean Expressions
BExpr :=Constant: T|F [t | nil]Variable [symbol]Negation: BExpr [(not BExpr)]And: BExpr BExpr [(and BExpr BExpr)Or: BExpr BExpr [(or BExpr BExpr)]
10
Predicate for Boolean Expressions
(defunc booleanexprp (expr)
:input-contract t
:output-contract (booleanp (booleanexprp expr))
(cond
( (is-constant expr) t )
( (is-variable expr) t )
( (is-not expr) (booleanexprp (op1 expr)) )
( (is-or expr) (and (booleanexprp (op1 expr))
(booleanexprp (op2 expr))) )
( (is-and expr) (and (booleanexprp (op1 expr))
(booleanexprp (op2 expr))) )
( t nil) ) )
Expression Trees
Boolean expressions can be represented by a binary tree
Internal nodes are operatorsLeaf nodes are operandsConsider p (1 q):
(and p (or t (not q))
p
1
q
12
Semantics of Boolean Expressions
An expression built up from variables, and, or, and not.
x y x y
0 0 0
0 1 0
1 0 0
1 1 1
x y x y
0 0 0
0 1 1
1 0 1
1 1 1
x x
0 1
1 0
and or not
Evaluation(defun bool-eval (expr env)
(cond
( (is-constant expr) expr )
( (is-variable expr) (lookup expr env) )
( (is-not expr) (not (bool-eval (op expr) env)) )
( (is-or expr) (or (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) )
( (is-and expr) (and (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) )
))
Evaluation with Contracts(defunc bool-eval (expr env)
:input-contract (and (booleanexprp expr)
(environmentp env)
(all-variables-defined expr env))
:output-contract (booleanp (bool-eval expr env))
(cond
( (is-constant expr) expr )
( (is-variable expr) (lookup expr env) )
( (is-not expr) (not (bool-eval (op1 expr) env)) )
( (is-or expr) (or (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) )
( (is-and expr) (and (bool-eval (op1 expr) env) (bool-eval (op2 expr) env)) ) ) )
Short Circuit Evaluation(defun sc-eval (expr env)
(cond
( (is-constant expr) expr )
( (is-variable expr) (lookup expr env) )
( (is-not expr) (not (sc-eval (op expr) env)) )
( (is-or expr) (if (sc-eval (op1 expr) env) t (sc-eval (op2 expr) env) ) )
( (is-and expr) (if (sc-eval (op1 expr) env) (sc-eval (op2 expr) env) nil ) )
))
If-then-else The ternary boolean
function ite(p,q,r) can be used to represent , , and p ite(p,0,1) p q ite(p,1,q) p q ite(p,q,0)
p q r ite(p,q,r)
0 0 0 0
0 0 1 1
0 1 0 0
0 1 1 1
1 0 0 0
1 0 1 0
1 1 0 1
1 1 1 1
Conversion to ite Expression Any Boolean expression can be converted
to an equivalent expression using ite (bool-eval expr env) (ite-eval (bool2ite
expr) env)
p
1
q
ite
p
1
q
ite
ite
0
1
0 1
bool2ite(defun bool2ite (expr)
(cond
( (is-constant expr) expr )
( (is-variable expr) expr )
( (is-not expr) (list 'ite (bool2ite (op1 expr)) nil t) )
( (is-or expr) (list 'ite (bool2ite (op1 expr))
t (bool2ite (op2 expr))) )
( (is-and expr) (list 'ite (bool2ite (op1 expr))
(bool2ite (op2 expr)) nil) )
)
)
Ite-eval(defun ite-eval (expr env)
(cond
( (is-constant expr) expr )
( (is-variable expr) (lookup expr env) )
( (is-ite expr) (if (ite-eval (op1 expr) env)
(ite-eval (op2 expr) env)
(ite-eval (op3 expr) env)) )
)
)
Equivalence of Conversion
Want to prove that (bool-eval expr env) = (ite-eval (bool2ite expr) env)
Lemma ite1. p ite(p,0,1)
2. p q ite(p,1,q)
3. p q ite(p,q,0)
p q ite(p,0,1) p ite(p,1,q) p q ite(p,q,0) p q
0 0 1 1 0 0 0 0
0 1 1 1 1 1 0 0
1 0 0 0 1 1 0 0
1 1 0 0 1 1 1 1
Equivalence of Conversion
(bool-eval expr env) = (ite-eval (bool2ite expr) env)
Proof by induction on expr using Lemma ite [Base case] constant or variable. In this case
(bool2ite expr) = expr and bool-eval and ite-eval return the same thing
Equivalence of Conversion [Not] Assume (bool-eval expr1 env) = (ite-eval
(bool2ite expr1)) (ite-eval (bool2ite ‘(not expr1)) env)= (ite-eval ‘(ite (bool2ite expr1) nil t) env) [by def of
bool2ite]= (not (ite-eval (bool2ite expr1) env)) [by Lemma ite
part 1]= (not (bool-eval expr1 env)) [by IH]= (bool-eval ‘(not expr1) env) [by def of bool-eval]
Equivalence of Conversion [Or] Assume (bool-eval expr1 env) = (ite-eval
(bool2ite expr1)) and (bool-eval expr2 env) = (ite-eval (bool2ite expr2)) (ite-eval (bool2ite ‘(or expr1 expr2)) env)= (ite-eval ‘(ite (bool2ite expr1) t (bool2ite expr2)) env)
[by def of bool2ite]= (or (ite-eval (bool2ite expr1) env) (ite-eval (bool2ite
expr2) env)) [by Lemma ite part 2]= (or (bool-eval expr1 env) (bool-eval expr2 env)) [by
IH]= (bool-eval ‘(or expr1 expr2) env) [by def of bool-eval]
Equivalence of Conversion [And] Assume (bool-eval expr1 env) = (ite-eval
(bool2ite expr1)) and (bool-eval expr2 env) = (ite-eval (bool2ite expr2)) (ite-eval (bool2ite ‘(and expr1 expr2)) env)= (ite-eval ‘(ite (bool2ite expr1) (bool2ite expr2) nil) env)
[by def of bool2ite]= (and (ite-eval (bool2ite expr1) env) (ite-eval (bool2ite
expr2) env)) [by Lemma ite part 3]= (and (bool-eval expr1 env) (bool-eval expr2 env)) [by
IH]= (bool-eval ‘(and expr1 expr2) env) [by def of bool-eval]
Exercise
Implement a recursive function to convert ite expressions to boolean expressions (ite2bool iexpr) Use and define the following helper functions
(is-ite expr) Check for ‘(ite … )
(is-itenot iexpr) Check for ‘(ite iexpr nil t)
(is-iteor iexpr) Check for ‘(ite iexpr t iexpr)
(is-iteand iexpr) Check for ‘(ite iexpr iexpr nil)
Solution
(defun is-itenot (iexpr)
(and (equal (op2 iexpr) nil) (equal (op3 iexpr) t)))
(defun is-iteor (iexpr)
(equal (op2 iexpr) t))
(defun is-iteand (iexpr)
(equal (op3 iexpr) nil))
Solution
(defun ite2bool (iexpr)
(cond
( (is-constant iexpr) iexpr )
( (is-variable iexpr) iexpr )
( (is-ite iexpr)
(cond
( (is-itenot iexpr) (list 'not (ite2bool (op1 iexpr))) )
( (is-iteor iexpr) (list 'or (ite2bool (op1 iexpr))
(ite2bool (op3 iexpr))) )
( (is-iteand iexpr) (list 'and (ite2bool (op1 iexpr))
(ite2bool (op2 iexpr))) ) ))))
Solution Remark
Note that there is one overlap inNot (ite p nil t)Or (ite p t q)And (ite p q nil)
(ite p t nil) = (and p t) = (or p nil) = pThis implies (ite2bool (bool2ite ‘(and p t)) = (or
p t) not equal to the initial expressionHowever, (ite2bool (bool2ite expr)) expr,
i.e. (booleval expr) = (ite2bool (bool2ite expr))
Correctness of ite2bool
Use induction to prove (equiv (ite2bool (bool2ite expr)) expr) Base case: expr is a constant or variable (not expr) (or expr1 expr2) (and expr1 expr2)
Solution
Show (equiv (ite2bool (bool2ite expr)) expr) Base case: if expr is a constant or variable then
(ite2bool (bool2ite expr)) = (ite2bool expr) = expr [by def]
[Not] Assume (equiv (ite2bool (bool2ite expr)) expr) (ite2bool (bool2ite (not expr))) = (ite2bool (list ‘ite (bool2ite expr) nil t))) [by def b2ite]= (not (ite2bool (bool2ite expr))) [by def ite2bool and
Lemma ite ]º (not expr) [by IH]
Solution
[Or] Assume (equiv (ite2bool (bool2ite expr1)) expr1) and (equiv (ite2bool (bool2ite expr2) expr2) (ite2bool (bool2ite (or expr1 expr2)))= (ite2bool (list ‘ite (bool2ite expr1) t (bool2ite
expr2))) [by def of bool2ite]= (or (ite2bool (bool2ite expr1)) (ite2bool
(bool2ite expr2))) [by def of ite2bool and Lemma ite]
º (or expr1 expr2) [by IH]
Solution
[And] Assume (equiv (ite2bool (bool2ite expr1)) expr1) and (equiv (ite2bool (bool2ite expr2) expr2) (ite2bool (bool2ite (and expr1 expr2)))= (ite2bool (list ‘ite (bool2ite expr1) (bool2ite
expr2) nil)) [by def of bool2ite]º (and (ite2bool (bool2ite expr1)) (ite2bool
(bool2ite expr2))) [by def of ite2bool and Lemma ite]
º (and expr1 expr2) [by IH]
Boolean Algebra
The Boolean operators and are analogous to addition and multiplication with true and false playing the roles of 1 and 0. Complement is used for negation.
This provides a compact notation and suggests appropriate algebraic simplification
Similar properties hold such as the associative, commutative, and distributive identities.
34
Boolean Expressions A Boolean expression is a Boolean function Any Boolean function can be written as a Boolean
expression
Disjunctive normal form (sums of products) For each row in the truth table where the output is true,
write a product such that the corresponding input is the only input combination that is true
Not unique
E.G. (multiplexor function)
s x0 x1 f
0 0 0 0
0 0 1 0
0 1 0 1
0 1 1 1
1 0 0 0
1 0 1 1
1 1 0 0
1 1 1 1
Nand is functionally complete
All boolean functions can be implemented using nand gates (and, or and not can be implemented using nand)not:
and:
or:
x y x | y
0 0 1
0 1 1
1 0 1
1 1 0
Boolean Algebra Boolean expressions can be simplified using rules of Boolean
algebra Identity law: A + 0 = A and A ● 1 = A. Zero and One laws: A + 1 = 1 and A ● 0 = 0 Inverse laws: Idempotent laws: A + A = A = A ● A Commutative laws: A + B = B + A and A ● B = B ● A. Associative laws:
A + (B + C) = (A + B) + C and A ● (B ● C) = (A ● B) ● C. Distributive laws: A ● (B + C) = (A ● B) + (A ● C) and
A + (B ● C) = (A + B) ● (A + C) Double Negation: DeMorgan’s laws:
37
Simplification of Boolean Expressions
Simplifying multiplexor expression using Boolean algebra
Equational reasoning: replace subexpressions by equivalent expressions
Verify that the boolean function corresponding to this expression as the same truth table as the original function.
Simplifying Expression Trees Constant folding
p
1
q
p 1
p
Exercise Implement and test (bool-simp expr) (bool-simp expr) returns a simplified boolean
expression using the following simplifications1. evaluate all constant subexpressions
2. (not (not expr)) -> expr
3. (and t expr) -> expr
4. (and expr t) -> expr
5. (and nil expr) -> nil
6. (and expr nil) -> nil
7. (or t expr) -> t
8. (or expr t) -> t
9. (or nil expr) -> expr
10. (or expr nil) -> expr
Exercise Simplification (2) is done through the helper
routine not-simp. Simplifications (3)-(6) are done through the helper routine and-simp. Simplifications (7)-(10) are done through the helper routine or-simp.
bool-simp traverses the boolean expression and recursively simplifies all operands to not, or and and and calls the appropriate helper routineto perform operator specific simplifiations and constant evaluation.
Exercise
Prove the following lemmas1. (bool-eval '(not expr) env) = (bool-eval (not-
simp expr) env)2. (bool-eval '(and expr1 expr2) env) = (bool-eval
(and-simp expr1 expr2) env)3. (bool-eval '(or expr1 expr2) env) = (bool-eval
(or-simp expr1 expr2) env)4. (bool-eval expr env) = (bool-eval (bool-simp
expr) env)
Exercise
Prove using induction on expr that (bool-eval expr env) = (bool-eval (bool-simp
expr) env) Prove by induction that (bool-simp expr)
Has no double negations Is either a constant or an expression with no
constants Write an is-simplified function to test whether the
output of (bool-simp expr) satisfies this property
43
Additional Notation Several additional Boolean functions of two variables have
special meaning and are given special notation. By our previous results we know that all boolean functions can be expressed with not, and, and or; so the additional notation is simply a convenience.
x y x y
0 0 1
0 1 1
1 0 0
1 1 1
implication
x y x y
0 0 1
0 1 0
1 0 0
1 1 1
equivalence
x y x y
0 0 0
0 1 1
1 0 1
1 1 0
xor
44
TautologiesA tautology is a boolean expression that is always
true, independent of the values of the variables occurring in the expression. The properties of Boolean Algebra are examples of tautologies.
Tautologies can be verified using truth tables. The truth table below shows that x y x y
x y x y x y
0 0 1 1
0 1 1 1
1 0 0 0
1 1 1 1
45
Exercise
Derive the tautology x y x yfrom the sum of products expression obtained from the truth table for x y. You will need to use properties of Boolean algebra to simplify the sum of products expression to obtain the desired equivalence.
46
Solution
Derive the tautology x y x y
x y x y
0 0 1
0 1 1
1 0 0
1 1 1
47
Tautology Checker A program can be written to check to see if a Boolean
expression is a tautology.
Simply generate all possible truth assignments for the variables occurring in the expression and evaluate the expression with its variables set to each of these assignments. If the evaluated expressions are always true, then the given Boolean expression is a tautology.
A similar program can be written to check if any two Boolean expressions E1 and E2 are equivalent, i.e. if E1 E2. Such a program has been provided.
Satisfiability A formula is satisfiable if there is an assignment
to the variables that make the formula true A formula is unsatisfiable if all assignments to
variables eval to false A formula is falsifiable if there is an assignment
to the variables that make the formula false A formula is valid if all assignments to variables
eval to true (a valid formula is a theorem or tautology)
Satisfiability Checking to see if a formula f is satisfiable can be
done by searching a truth table for a true entry Exponential in the number of variables Does not appear to be a polynomial time algorithm
(satisfiability is NP-complete) There are efficient satisfiability checkers that work
well on many practical problems
Checking whether f is satisfiable can be done by checking if f is a tautology
An assignment that evaluates to false provides a counter example to validity
Propositional Logic in ACL2
In beginner mode and aboveACL2S B !>QUERY
(thm (implies (and (booleanp p) (booleanp q))
(iff (implies p q) (or (not p) q))))
<< Starting proof tree logging >>
Q.E.D.
Summary
Form: ( THM ...)
Rules: NIL
Time: 0.00 seconds (prove: 0.00, print: 0.00, proof tree: 0.00, other: 0.00)
Proof succeeded.
Propositional Logic in ACL2ACL2 >QUERY
(thm (implies (and (booleanp p) (booleanp q))
(iff (xor p q) (or p q))))
…
**Summary of testing**
We tested 500 examples across 1 subgoals, of which 1 (1 unique) satisfied
the hypotheses, and found 1 counterexamples and 0 witnesses.
We falsified the conjecture. Here are counterexamples:
[found in : "Goal''"]
(IMPLIES (AND (BOOLEANP P) (BOOLEANP Q) P) (NOT Q))
-- (P T) and (Q T)
Related Documents
