Lecture 2: First Order Logic

COMS E6998 Formal Verification of System Software
Fall 2018
Ronghui Gu

1. What is First Order Logic

1.1 v.s. Propositional Logic

“Eric is younger than Ronghui”.
How to present “Every student is younger than Ronghui”?
The only way is to write this as an atomic fact.
We need a richer logic to reason about “every”, “younger”, etc.

1.2 Introduction of First Order Logic

First Order Logic := Propositional Logic + :

Terms: syntax only, e.g., “Eric”, “Ronghui”, etc.
Predicates: property of terms:
- $S$ (Eric): Eric is a student
- $Y$ (Eric, Ronghui): Eric is younger than Ronghui
How to talk about every student？
- FOL uses variables and universal quantification $\forall$
- $\forall x. S(x)$ : “all terms are students”
- $\forall x. S(x) \rightarrow$ : “forl all terms who are students, …”
How to talk about the existence of at least one Instructor
- FOL uses variables and existential quantification $\exists$
- $\exists x. I(x) \wedge Y(\text{Eric}, x)$ : “there exists a term which is an Instructor and Eric is younger than this instructor”.

Example: Not all birds can fly

$\neg\forall x.(B(x)\rightarrow F(x))$
$\exists x.(B(x)\wedge \neg F(x))$

1.3 Syntax of FOL

Terms are strings:

$t::= x\ |\ c\ |\ f(t_1,...,t_n)$

variable: x, y, z, …
constant: c, nullary function
- e.g., Eric, Ronghui
- we pick constants from a function set $\mathcal{F}$
application of function $f$ to terms $t_1, ..., t_n$ :
- e.g., S(Eric), I(Ronghui)
- e.g., natural numbers: O, S(O), S(S(O))
- we pick functions from the same function set $\mathcal{F}$

Formulas are strings:

application of predicate $P$ to terms $t_1, ..., t_n$ :
- e.g., $Y(\text{Eric},x)$
- we pick predicates from a set $\mathcal{P}$

Two parameters to FOL: $\mathcal{F}$ and $\mathcal{P}$

natural numbers: $\mathcal{F}:=\{O, S, ...\}$ , large enough $\mathcal{P}$
propositional logic: $\mathcal{F}:=\emptyset$ and $\mathcal{P}:=\{p,q,r,...\}$

1.4 Substitution

Definition

$\forall x. A / \exists x.A$ binds the variable $x$ in $A$
- the scope of $x$ is $A$
- $x$ is bound in $\forall x. A / \exists x.A$
- $x$ is free in $A$
any variable $x$ which appears in a formula $A$ and is not bound in $A$ is called free in $A$

Q: find the free and bound variables:

$\forall x. (P(x) \rightarrow Q(y))$

Barendreght convention: To avoid confusion, every bound variable will be distinct from any other bound variable and all the free variables.

Substitution: replace free variables with actual terms.

Definition $A[t/x]$ is defined to be the formula we get by replacing all free occurrences of $x$ in $A$ with $t$ . Q A:= $\forall x. (P(x) \rightarrow Q(y))$ , what is $A[\text{Eric}/y]$ ?

2 FOL Syntax Reasoning (Inference Rules)

$A_1 ... A_n ⊢ B$

2.1 Propositional rules

All propositional logic rules are rules of FO

2.2 Equality rules

Only consider “=” $\in \mathcal{P}$

$\frac{}{t=t}\ (\text{ref}) \qquad \frac{t_1=t_2 \quad A[t_1/x]}{A[t_2/x]}\ (=e)$

Q: prove the following rules:

$\frac{t_1=t_2}{t_2=t_1}\ (=\text{sym}) \qquad \frac{t_1=t_2 \quad t_2=t_3}{t_1=t_3}\ (=\text{trans})$

Proof of (=sym)
 
1. t1 = t2                    (Pre)
2. t1 = t1 := (x = t1)[t1/x]  (ref)
3. t2 = t1 := (x = t1)[t2/x]  (=e, 1, 2)
 
Qed

Q: Assume $\mathcal{F}:=\{O, S, +\}$ and $\mathcal{P}:=\{=, <,>,\leq, \geq,...\}$ , prove

$t_1 = t_2 ⊢ (t + t_2) = (t + t_1)$

Proof of
 
1. t1 = t2                                    (Pre)
2. t + t1 = t + t1 := (t + x = t + t1)[t1/x]  (ref)
3. t + t2 = t + t1 := (t + x = t + t1)[t2/x]  (=e, 1, 2)
 
Qed

Q: Prove $(x+1=1+x), [(x+1)>1 \rightarrow x>0]⊢(1+x)>1 \rightarrow x>0$

2.3 Quantification rules

Universal quantification elimination rule:

$\frac{\forall x.A}{A[t/x]}\ \forall e$

Can only replace with free variables: $A:= \forall x. \exists y. x < y$ , what is $A[y/x]$ ?
Q: prove $P(t), (\forall x. P(x)\rightarrow Q(x)) ⊢ Q(t)$

Proof of
 
1. P(t)               (Pre)
2. ∀x. P(x) → Q(x)    (Pre)
3. P(t) → Q(t)        (∀e, 2)
3. Q(t)               (→e, 1, 3)
 
Qed

Universal quantification introduction rule:

$\frac{\boxed{\begin{array}{c} x_0\\ ...\\ A[x_0/x] \end{array}} \text{ where } x_0 \text{ is fresh in } A}{\forall x.A}\ \forall i$

$x_0$ is a dummy variable that represents an arbitrary term
Thus, to prove $\forall x.A$ , we need to prove $A[x_0/x]$ for an arbitrary term $x_0$
Q: prove $[\forall x.P(x)], [\forall x. P(x)\rightarrow Q(x)] ⊢ \forall x. Q(x)$

Existential introduction rule:

$\frac{A[t/x]}{\exists x.A}\ \exists i$

pick an convenient $t$ and prove $A[t/x]$
Q: prove $⊢ \exists x. x = 0$

Existential elimination rule:

$\frac{\exists x.A \qquad \boxed{\begin{array}{c} x_0\quad A[x_0/x]\\ ...\\ C \end{array}}\text{ where } x_0 \text{ is fresh in } A\&C}{C}\ \exists i$

$x_0$ represents unknown term
Q: prove $\forall y. \exists x.f(x) = g(y) ⊢ \exists x. g(5) = f(x)$

Proof
1. ∀y. ∃x. f(x) = g(y)  (Pre)
2. ∃x. f(x) = g(5)      (∀e, 1)
   -----------------------------------
3. | x0                 (Hyp)        |
4. | f(x0) = g(5)       (Hyp)        |
5. | g(5) = f(x0)       (=sym, 4)    |
6. | ∃x. g(5) = f(x)    (∃i, 5)      |
   -----------------------------------
7. ∃x. g(5) = f(x)      (∃e, 2, 3~6)
 
Qed

Q: Assume $\mathcal{F}:=\{O, S\}$ and $\mathcal{P}:=\{=, <,>,\leq, \geq,...\}$ , and assume

$\frac{}{\quad x<S\ x \quad}<S$

express and prove in FOL over $\mathcal{F}$ and $\mathcal{P}$ :
“Any natural number is smaller than some number”

Proof
   ------------------------------
1. | x0            (hypothesis) |
2. | x0 < S x0     (<S, 1)      |
3. | ∃y. x0 < y    (∃i, 2)      |
   ------------------------------
4. ∀x. ∃y. x < y   (∀i, 1~3)
 
Qed

Q: Prove

$[∀x.Q(x)\rightarrow R(x)],\ [∃y. P(y) ∧ Q(y)]\ ⊢\ ∃x. P(x) ∧ R(x)$

Proof
1. ∀x. Q(x) → R(x)    (Pre)
2. ∃y. P(y) ∧ Q(y)    (Pre)
   ---------------------------------
3. | x0               (Hyp)        |
4. | P(x0) ∧ Q(x0)    (Hyp)        |
5. | P(x0)            (∧e1, 4)     |
6. | Q(x0) → R(x0)    (∀e, 1, 3)   |
7. | Q(x0)            (∧e2, 4)     |
8. | R(x0)            (→e, 6, 7)   |
9. | P(x0) ∧ R(x0)    (∧i, 5, 8)   |
10.| ∃x. P(x) ∧ R(x)  (∃i, 9)      |
   ---------------------------------
11. ∃x. P(x) ∧ R(x)   (∃e, 2. 3~10)
 
Qed

Q: $¬∀x.A ⊣⊢ ∃x.¬A$
Q: $¬∃x.A ⊣⊢ ∀x.¬A$

3. Classical vs. Intuitionistic logic

Consider the formula

$∃x.(P(x) → ∀y.P(y))$

To prove this we need use rule $∃i$ and provide a term $t$ for which we can show

$(P(t) → ∀y.P(y))$

Classically this is a tautology:

If $∀y.P(y)$ holds then we can pick arbitrarily term $t_0$ and show

$P(t_0) → ∀y.P(y)$

using rule $→ i$ (also see truth table of implication).

If $¬∀y.P(y)$ then there exists a term $t_1$ such that $¬P(t_1)$ , which we can use to show

$P(t_1) → ∀y.P(y)$

$\quad \Box$

However notice how we didn’t have to provide any concrete term $t_1$ in the second case to complete the proof of $∃x.(P(x) → ∀y.P(y))$ Let’s see this again:

If $¬∀y.P(y)$ then there exists a term $t_1$ such that $¬P(t_1)$ , which we can use to show $P(t1) → ∀y.P(y)$
- Assume logic’s terms $\mathcal{F}$ contain natural numbers and predicates $\mathcal{P}$ standard predicates over them.
- if $P(x)$ = even(x) then $t_1$ can be 3
- if $P(x)$ = $x \leq 1000$ then $t_1$ can be 1001
- …
We can’t provide a $t_1$ if we don’t know $P$ and the parameters $\mathcal{F}$ , $\mathcal{P}$ , but there is always one.
Classical logic is OK with that!
Intuitionistic logic is not! It requires us to give a concrete $t_1$ , before we know what $P$ is.

Theorem There are irrational $a$ and $b$ for which $a^b$ is rational.
Proof We know that 2 is irrational (known theorem of arithmetic which we will not prove here).
Suppose $\sqrt{2}^\sqrt{2}$ is rational. Then pick $a = b = \sqrt{2}$ and we’re done.
Otherwise $\sqrt{2}^\sqrt{2}$ is irrational. Pick $a = 2$ and $b = \sqrt{2}^\sqrt{2}$ .

$a^b= \left( \sqrt{2}^\sqrt{2} \right)^\sqrt{2} =\sqrt{2}^{\sqrt{2} \times \sqrt{2}} =\sqrt{2}^2=2$

which is rational. $\quad \Box$

Correct but we never identified two definitely irrational numbers a and b. In fact knowing whether $\sqrt{2}^\sqrt{2}$ is rational is a difficult problem!

Riemann hypothesis Michael Atiyah, Proof by Contradiction

4. Semantics of FOL

Let $Γ$ be a list of formulas $φ_1,...,φ_n$

$Γ ⊢ ψ$ means that there is a proof of $ψ$ from premises $Γ$ using the natural deduction rules.
In propositional logic we also defined $Γ \models ψ$ to mean that any model (valuation) which makes $Γ$ true, also makes $ψ$ true.
- we used finite truth-tables as the semantics of formulas
In propositional logic we showed soundness and completeness:
- $Γ⊢ψ \texttt{ iff } Γ\models ψ$
How can we define a semantic entailment $Γ \models ψ$ in FOL?
- What is the semantics of formulas?
- What sort of models can we consider for quantifiers $∀x.φ$ and $∃x.φ$ ?

4.1 Usefulness of semantics

Syntactic entailment is useful to show existence of proofs.
Semantic entailment is useful to show absence of proofs. How can we show that $Γ \not ⊢ ψ$ ?

we need to consider all possible (infinite) proofs

How can we show that $Γ \not\modelsψ$ ?

we need to find one model that makes $Γ$ true and $ψ$ false.

4.2 Model

What should be the semantics of $∀x.P(x, y)$ ?
It depends on the semantics of the parameters of FOL: the set of terms $\mathcal{F}$ and predicates $\mathcal{P}$ .

Definition A model $\mathcal{M}$ of $(\mathcal{F} , \mathcal{P})$ consists of the following:

A non-empty set $\mathcal{V}$ : the universe of concrete values.
for each nullary function $c ∈ \mathcal{F}$ , a concrete element $c^\mathcal{M} ∈ \mathcal{V}$
for each $f ∈ \mathcal{F}$ with arity $n > 0$ , a concrete mathematical function $f^\mathcal{M} : \mathcal{V}^n → \mathcal{V}$ , taking $n$ -tuple of $\mathcal{V}$ -values to $\mathcal{V}$ -values
for each $P∈\mathcal{P}$ with arity $n>0$ , a concrete mathematical function $P^M: \mathcal{V}^n \rightarrow \{T, F\}$ , taking $n$ -tuple of $\mathcal{V}$ -values to truth values.

Example Model Natural numbers:

$\mathcal{F}=\{O, S\} \qquad \mathcal{P} =\{ < \}$

A model $\mathcal{M}$ may be:

$\mathcal{V}=\{0,1,2,\cdots\}$
$O^\mathcal{M} := 0$
$S^\mathcal{M} := fun(x) \Rightarrow (x+1)$
$<^\mathcal{M} := fun(x,y) \Rightarrow \text{if } x < y \text{ then T else F}$

Q: What $\mathcal{M}$ is like if $A=\{"@", "@@", "@@@",\cdots\}$

4.3 Semantics of formulas

We will give semantics to closed formulas (no free variables) using the semantics of open formulas.

The semantics of $∀x.φ$ means that for all values $v ∈ \mathcal{V}, φ[v/x]$ is true. However it’s not a valid syntax to have formulas containing semantic values from $v$ . We need to use environments.

Definition
$\mathcal{E}$ is an environment if it is a function that maps syntactic variables to semantic values. (lookup tables)

Definition Given a model $\mathcal{M}$ for a pair $(\mathcal{F}, \mathcal{P})$ and given an environment $\mathcal{E}$ , we define the satisfaction relation $\mathcal{M} \models_\mathcal{E} φ$ for each logical formula $φ$ over the pair $(\mathcal{F}, \mathcal{P})$ and $\mathcal{E}$ as follows.

$\mathcal{M} \models_\mathcal{E} P(t_1,\cdots,t_n)$ holds if $P^\mathcal{M}(a_1,\cdots,a_n) = T$ , where $a_1,\cdots,a_n$ are the $\mathcal{V}$ -value of $t_1,\cdots,t_n$ under $\mathcal{E}$ .
$\mathcal{M} \models_\mathcal{E} φ_1 \wedge φ_2$ holds if $\mathcal{M} \models_\mathcal{E} φ_1$ holds and $\mathcal{M} \models_\mathcal{E} φ_2$ holds
$\mathcal{M} \models_\mathcal{E} φ_1 \vee φ_2$ holds if $\mathcal{M} \models_\mathcal{E} φ_1$ or $\mathcal{M} \models_\mathcal{E} φ_2$ holds
$\mathcal{M} \models_\mathcal{E} \neg φ$ holds if $\mathcal{M} \models_\mathcal{E} \neg φ$ does not hold
$\mathcal{M} \models_\mathcal{E} φ_1 \rightarrow φ_2$ holds if $\mathcal{M} \models_\mathcal{E} φ_2$ holds whenever $\mathcal{M} \models_\mathcal{E} φ_1$ holds
$\mathcal{M} \models_\mathcal{E} \forall x. φ$ holds if $\mathcal{M} \models_{\mathcal{E}\cup\{x \mapsto v\} } φ$ holds for all $v \in \mathcal{V}$
$\mathcal{M} \models_\mathcal{E} \exists x. φ$ holds if $\mathcal{M} \models_{\mathcal{E}\cup\{x \mapsto v\} } φ$ holds for some $v \in \mathcal{V}$

5. Results of FOL

Theorem (Soundness)
For a given $(\mathcal{F} , \mathcal{P})$ , if $⊢ φ$ then $\models φ$ which means for any model $\mathcal{M}$ of $(\mathcal{F} , \mathcal{P})$ and any environment $\mathcal{E}$ , we have $\mathcal{M} \models_\mathcal{E} φ$ .

Theorem (Strong soundness)
For a given $(\mathcal{F} , \mathcal{P})$ , if $Γ ⊢ ψ$ then $Γ \models φ$ which means for any model $\mathcal{M}$ of $(\mathcal{F} , \mathcal{P})$ and any environment $\mathcal{E}$ , if $\mathcal{M} \models_\mathcal{E} Γ$ then $\mathcal{M} \models_\mathcal{E} φ$ .

This involves properties that are true in all models. How can we talk about properties of certain models (e.g., numbers with some standard predicates over them)?
A: Encode the necessary properties of these models in $Γ$ . $Γ$ can contain the axioms we want to hold in these models.

famous axiomatisation of natural numbers: Peano axioms

Peano Axioms
Terms: $\mathcal{F}=\{O, S\}$ Axioms:

refl, sym, trans of equality
$O$ is a natural number
if $n$ is a natural number, $S(n)$ is a natural number
$∀x.¬(S(x) = O)$
$∀x.∀y.S(x) = S(y) \leftrightarrow x = y$
If $K$ is a set such that
- $O \in K$
- for every natural number $n$ , $n \in K \rightarrow S(n)\in K$
then $K$ contains every natural number

The Peano axioms can be augmented with other operations:

Addition
- $a+O =a$
- $a + S(b) = S (a + b)$
Multiplication
- $a \times O = O$
- $a \times S(b) = a + (a \times b)$

Gödel’s 1st incompleteness theorem

Theorem (Incompleteness) Any set of axioms $Γ$ which is consistent (no contradictions such as 0 = 1 are derivable) and contains “enough arithmetic” cannot be complete. That is, there are true facts φ about arithmetic for which $Γ\not⊢ φ$ .

Proof. Göedel gave a way to encode first-order logic itself in any axiomatisation $Γ$ containing Peano (or any other encoding of) natural numbers.
Hence for any such system he was able to write an encoding of the formula:

$φ = “φ\text{ is not provable in the logic.}”$

If $Γ ⊢ φ$ then obviously the logic is inconsistent ( $Γ ⊢ φ ∧ ¬φ$ ).
If $Γ\not⊢ φ$ then obviously the logic is incomplete ( $φ$ is true but not provable).

Gödel’s completeness theorem

Theorem (Completeness)
$\models φ$ then $⊢ φ$ .

This means that anything that is true for all models, can be syntactically proven. Examples:
- Yes: $¬∀x.φ(x) → ∃x.¬φ(x)$
- No: 1 + 1 = 2
- No: The Goldbach conjecture: “Every even integer greater than 2 can be expressed as the sum of two primes”