Higher-Order Logic Specification and Verification with Higher-Order Logic Arnd Poetzsch-Heffter

Higher-Order Logic

Specification and Verification with Higher-Order Logic

Arnd Poetzsch-Heffter

Software Technology Group Fachbereich Informatik Technische Universität Kaiserslautern

Sommersemester 2010

Introduction

Outline

1

Introduction

2

Types Motivation Syntax Polymorphism Sematics

3

Terms Syntax

Higher-Order Terms Semantics

4

HOL Proof System Formulas and Sequents Axioms and Rules

5

Summary

Introduction Overview

Overview

Higher-Order Logic

quantification over predicates, functions and sets supports formalisation of arbitrary mathematics

Motivation

reasoning about hardware and software can require very sophisticated mathematics

floating point: real numbers and analysis

correctness of randomised algorithms: probability

Types

Outline

1

Introduction

2

Types Motivation Syntax Polymorphism Sematics

3

Terms Syntax

Higher-Order Terms Semantics

4

HOL Proof System Formulas and Sequents Axioms and Rules

5

Summary

Types Motivation

Problem: Russell’s Paradox

Russel’s Paradox

Having variables that range over predicates allows to write terms like

Ω

= λ P . ¬( P P )

where P is a variable. By β -reduction:

Ω Ω = (λ P .¬( P P )) Ω = ¬(Ω Ω)

Conclusion

To avoid this kind of thing types are needed!

Types Syntax

Types

Syntax of Types type constant: c type variable: α

compound type: (σ ₁ , . . . , σ

) op

Types Syntax

Type Examples

Example (Type Constant) bool: Booleans num: natural numbers

weekday: some appropriate user defined type

Example (Compound Types)

(σ 1 ,σ 2 ) fun: functions from σ 1 to σ 2

(σ 1 ,σ 2 ) prod : pairs of values

Types Syntax

Terminology and Notation

Definition (Type operator)

‘op’ in (σ 1 , . . . , σ

) op is called a type constructor

Conventions

The type (σ 1 , σ 2 ) fun is usually written σ 1 → σ 2 and σ 1 → σ 2 → · · · → σ

= (σ 1 → (σ 2 → (· · · → σ

))) The type (σ 1 , σ 2 ) prod is usually written σ 1 × σ 2 or σ 1 ∗ σ 2

and σ ₁ ∗ σ ₂ ∗ · · · ∗ σ

= (σ ₁ ∗ (σ ₂ ∗ (· · · ∗ σ

)))

Types Syntax

Typing of Terms

Typing of Terms

All terms must be well-typed.

t :σ means the term t is well-typed and has type σ .

Variables and Constants

Variables may have any type: v :σ

Constants have a fixed generic type: c :σ

Types Syntax

Assigning Types to Terms

Rules for the Assignment function application

t 1 :σ 1 → σ 2 t 2 :σ 1

( t 1 t 2 ):σ 2

abstraction

x :σ 1 t :σ 2

λ x . t :σ ₁ → σ 2

Types Polymorphism

Polymorphism

Example (Polymorphism)

Consider the constant I, defined by:

I

= λ x . x

We may want to apply the function I to things of different types:

I 7 = 7 with I : num → num I T = T with I : bool → bool

It seems that I must have two different types.

Types Polymorphism

Polymorphism and Generic Types

Polymorphism

The types of polymorphic functions such as I contain type variables:

I

= (λ x . x ):α→α

where α stands for ‘any type’. α→α is the generic type of I.

The constant I then has every type obtainable by substituting any type for the variable α in its generic type:

I : bool → bool I : num → num

I : (α → bool ) → (α → bool )

I : α → α

Types Polymorphism

Polymorphism Examples

Example (Function Composition)

o

= λ f .λ g .λ x . f ( g ( x )) where o : (β → γ) → (α → β ) → (α → γ )

Example (Equality)

= : α → α → bool

Example (Apply a Function and Add)

app_add

= λ f .(λ x . f ( x ) + f ( x ))

where app_add : (α → num ) → (α → num )

Types Sematics

Church’s Simple Theory of Types

Definition (Universe)

each element X ∈ U is a non-empty set if X ∈ U ^{and Y} ⊆ X , then Y ∈ U ^. if X ∈ U ^{and Y} ∈ U ^{, then X} × Y ∈ U

if X ∈ U , then powerset ℘( X ) = { Y : Y ⊆ X } ∈ U U contains a distinguished infinite set I

distinguished element ch ∈ Π

∈ U X :

ch ( X ) ∈ X witnesses non-emptiness

Types Sematics

Model

Definition (Model of Type Structure)

given: type structure Ω as set of type constants (ν, n ) model: M (ν) : U

→ U

Polymorphic Types

types containing type variables: polymorphic

meaning of polymorphic types not single set, but set-valued function

Types Sematics

Summary of Types

Fact (Types)

Types are introduced to avoid inconsistency.

Types

Type constants: bool, num, . . . Type variables: α , β , γ , . . .

Compound Types: (σ 1 , . . . ,σ

) op e.g. σ 1 → σ 2 , and σ 1 × σ 2 .

Polymorphism

twice

= λ f .λ x . f ( f ( x ))

where twice : (α → α) → (α → α )

Terms

Outline

1

Introduction

2

Types Motivation Syntax Polymorphism Sematics

3

Terms Syntax

Higher-Order Terms Semantics

4

HOL Proof System Formulas and Sequents Axioms and Rules

5

Summary

Terms Syntax

Syntax of Terms

Syntax of Terms constants: c variables : v

function applications: T 1 T 2

lambda abstractions λ v . T

Terms Syntax

Constants and Variables

Fact (Distinction between Constants and Variables)

The distinction between a constant and a variable always depends on the context.

Identifiers

x , y , foo, t ⁰ , k ₂ , c_val , . . .

Special Symbols

∃ , ∀ , ⊃ , ∧ , ∨ , ¬ , 1, 2, 3, . . . , + , × , = , . . .

Terms Syntax

Function Applications

Notation

h term 1 i h term 2 i

denotes the result of applying the function h term 1 i to the value h term 2 i .

Precedence

parentheses can be used for grouping

f ( x ), f ( g y ), ( f x ) y , . . .

default precedence

f x ₁ x ₂ · · · x

= ((( f x ₁ ) x ₂ ) · · · x

)

Terms Syntax

Abstractions

Notation

λ h var i.h term i

denotes the function x 7→ term [ x / var ] .

Convention

λ x 1 x 2 · · · x

. t = λ x 1 . λ x 2 . · · · λ x

. t

Example (Abstraction)

λ x . x : the identity function

λ x . f ( f x ) : function that applies f twice

λ f .λ g .λ x . f ( g x ) : function composition

Terms Syntax

Free and Bound Variables

Definition (Free Variable)

λ x .h body i

A variable x is called free in a term if it does not occur inside the body of an abstraction.

Definition (Bound Variables)

If an instance of a variable is not free, it is bound.

Example (Free and Bound Variables) Consider variable x :

(λ x . f x )(λ y . x )

Terms Syntax

Syntactic Sugar

Infix Aplications

Certain constants are written in infix position:

t ₁ + t ₂ abbreviates + t ₁ t ₂ t 1 × t 2 abbreviates × t 1 t 2

t 1 ∧ t 2 abbreviates ∧ t 1 t 2

Terms Syntax

Summary of Terms

Terms

Terms may be

Variables: x, y, a ⁰ , a_var, phi 1 , . . . Constants: T , F , phi, ∃ , + , . . . Applications: t 1 t 2 , t 1 t 2 t 3 . . . t

Abstractions: λ x . t, λ x 1 x 2 . . . x

. t

Terms Higher-Order Terms

Higher-Order Terms

Fact (Higher-Order Terms)

Variables can range over functions or predicates (i. e. boolean-valued functions)

Example (Higher-Order Term)

in λ f . f 0, the variable f ranges over functions in ∀ P . P ( n ) → P ( n + 1 ) , P ranges over predicates typical assertion

∀ x f . ∃ g .( g 0 = x ) ∧ ∀ n . g ( n + 1 ) = ( f ( g n ))

Terms Higher-Order Terms

Syntactic Sugar

Binders

The quantifiers ∀ and ∃ are in fact polymorphic constants with types:

∀ : (α → B ) → B

∃ : (α → B ) → B

They are defined such that for P : (α → bool ) :

∀ P means P ( x ) = T for all x

∃ P means P ( x ) = T for some x

Terms Higher-Order Terms

Hilbert’s Choice Function

Definition ( ε -Operator)

ε x . t [ x ]

with x : σ and t [ x ] a term involving x binder of type (σ → B ) → σ

denotes a value of type σ

some value of type σ , v :σ such that t [ v ] is true

no such value exists: arbitrary but fixed value of type σ

Terms Higher-Order Terms

Examples of ε -Terms

Example ( ε -Terms)

This term denotes the number 1: ε x . 0 < x ∧ x < 2

This term denotes an even number: ε x . ∃ y . x = 2 · y

An unspecified natural number: ε x . x + 1 = x

The following proposition is true: (ε x . x + 3 = 9 ) = 6

Terms Semantics

Standard Signatures

Standard Signature and Intended Interpretation

standard type structure Ω contains the atomic types B of Boolean values and I of individuals

→ of type ( B → B → B )

Intended interpretation: implication

= of type (α → α → B )

Intended interpretation: equality on the set α ε of type ((α → B ) → α )

Intended interpretation: Hilbert’s choice function.

Terms Semantics

Standard Logical Constants

Definition of Standard Logical Constants EXISTS ` _def ∃ = λ P . P (ε P )

TRUTH ` <sub>def</sub> true = ((λ x . x ) = (λ x . x )) FORALL ` _def ∀ = λ P .( P = (λ x . true )) FALSITY ` _def false = ∀ x . x

NEGATION ` _def ¬ = λ x . x → false

DISJUNCTION ` _def ∨ = λ ( x , y ).¬ x → y

CONJUNCTION ` _def ∧ = λ ( x , y ).¬(¬ x ∨ ¬ y )

HOL Proof System

Outline

1

Introduction

2

Types Motivation Syntax Polymorphism Sematics

3

Terms Syntax

Higher-Order Terms Semantics

4

HOL Proof System Formulas and Sequents Axioms and Rules

5

Summary

HOL Proof System Formulas and Sequents

Formulas

Definition (Formulas in HOL)

Formulas in HOL are terms of type B

Example (Formulas in HOL)

∀ x . x = 0 ∨ ¬( x = 0 ) true

(λ x . ¬ x )(∀ y . y = y )

∀ x . x = true

HOL Proof System Formulas and Sequents

Sequents

Definition (Sequents in HOL) A sequent is a pair (Γ, t ) where

Γ is a set of formulas (assumptions) t is a formula (conclusion)

A sequent (Γ, t ) essentially means

From the formulas in Γ , t can be derived.

Example (Sequents in HOL)

The sequent ({ x = 3 , ∀ n . n = n }, x = 99 ) means

{ x = 3 , y = 7 , ∀ n . n = n } ` x + y = 10

HOL Proof System Formulas and Sequents

Theorems

Definition (Theorems in HOL) A theorem is a sequent that is either

an axiom, or

can be derived from other theorems Notation

Γ ` t or just ` t if Γ is empty

Example (HOL Theorems)

` ∀ x . x = 0 ∨ ¬( x = 0 ) ?

` true ?

` (λ x . ¬ x )(∀ y . y = y ) ?

` ∀ x . x = true ?

HOL Proof System Axioms and Rules

Axioms of the HOL Logic

Five Axioms

` ∀ b . ( b = true ) ∨ ( b = false )

` ∀ b ₁ b ₂ . ( b ₁ → b ₂ ) → ( b ₂ → b ₁ ) → ( b ₁ = b ₂ )

` ∀ f . (λ x . fx ) = f

` ∀ P x . P x → P (ε P )

` ∃ f .(∀ x y . fx = fy → x = y ) ∧ (¬∀ x . ∃ y . x = f y )

HOL Proof System Axioms and Rules

Inference Rules

Primitive Inference Rules ASSUME

{ t } ` t

REFL ` t = t

MP Γ ₁ ` t <sub>1</sub> → t <sub>2</sub> Γ <sub>2</sub> ` t ₁ Γ 1 ∪ Γ 2 ` t 2

DISCH Γ ` t <sub>2</sub> Γ − { t <sub>1</sub> } ` t ₁ → t ₂

ABS Γ ` t 1 = t 2

Γ ` (λ x . t 1 ) = (λ x . t 2 ) ^{(with x} not free in Γ )

HOL Proof System Axioms and Rules

Inference Rules

Primitive Inference Rules (continued) BETA_CONV

` (λ x . t 1 ) t 2 = t 1 [ t 2 / x ]

SUBST Γ ₁ ` t <sub>1</sub> = t <sub>2</sub> Γ <sub>2</sub> ` t [ t ₁ ] Γ ₁ ∪ Γ ₂ ` t [ t ₂ ]

INST_TYPE Γ ` t

Γ ` t [σ 1 . . . σ

/α 1 . . . α

]

HOL Proof System Axioms and Rules

Beta Conversion

Rule for Beta-Conversion

BETA_CONV

` (λ x . t 1 ) t 2 = t 1 [ t 2 / x ]

t 1 [ t 2 / x ] denotes the result of substituting t 2 for all free occurrences of x in t 1

bound variables renamed if necessary so that no free variable in t 2

becomes bound

Example (Beta Conversion)

` (λ x . x + 3 ) 7 = 7 + 3

` (λ x . (∀ x . x = true ) → x ) false = (∀ x . x = true ) → false )

` (λ y . ∀ x . x = y ) x = (∀ x ⁰ . x ⁰ = x )

HOL Proof System Axioms and Rules

Substitution

Rule for Substitution

SUBST Γ 1 ` t 1 = t 2 Γ 2 ` t [ t 1 ] Γ 1 ∪ Γ 2 ` t [ t 2 ]

where t [ t ₁ ] is a term with selected free occurences of t ₁ ‘singled out’ for t [ t 2 ] is the result of replacing those chosen t 1 by t 2

bound variables are renamed so that variables free in t 2

do not become bound in t [ t 2 ]

HOL Proof System Axioms and Rules

Type Instantiation

Rule for Type Instantiation

INST_TYPE Γ ` t

Γ ` t [σ 1 . . . σ

/α 1 . . . α

]

which effects the parallel substitution of types σ 1 . . . σ

for type variables α 1 . . . α

in t .

Restriction: none of α 1 . . . α

occur in Γ .

Example (Type Instantiation)

` I ( x : α) = x

` I ( x : num ) = x

Summary

Outline

1

Introduction

2

Types Motivation Syntax Polymorphism Sematics

3

Terms Syntax

Higher-Order Terms Semantics

4

HOL Proof System Formulas and Sequents Axioms and Rules

5

Summary

Summary

Summary

Higher-Order Logic types and terms

quantification over predicates, functions and sets

HOL Proof System

five axioms and eight primitive inference rules