( m =@;/: (3;
TRANSCRIPT
![Page 1: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/1.jpg)
�(�������M�=@;/:�(3;/<B71AMM.6=<5�(6/=MM-/:3�*<7D3@A7BGM�3>/@B;3<B�=4��=;>CB3@�(173<13�
��$)&'���*�&*��+� )�)'(�������
![Page 2: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/2.jpg)
)=2/G�A�"31BC@3�
�
L ,6G�ABC2G�4=@;/:�A3;/<B71A��
L �=E� �B3/16�B67A�1=C@A3��
L #/B6�0/195@=C<2�/<2�>@3271/B3�:=571�
![Page 3: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/3.jpg)
,6/B� A��=@;/:�(3;/<B71A���
4=@;/:������"�(��"�(���!!-�&��$&$)'��A3;/<B71A������'()�-�$��"��#�#�'��
�
%0D7=CA:G��
L ,6/B�7A�/�>@=5@/;;7<5�:/<5C/53���,6/B�7A�/�>@=5@/;��
L ,6/B�/@3�B63�;3/<7<5A�=4�A>317471�:/<5C/53�43/BC@3A�/<2�6=E�B63G�7<B3@/1B���
L �=E�B=�;/93�AC@3�B6/B�/�>@=5@/;�036/D3A�/11=@27<5�B=�7BA��A>317471/B7=<�����
�CB�/:A=��
L �=E�2=�E3�3F>:/7<�B63A3��;3/<7<5A���7<�E6716��:/<5C/53���
L ,6/B�7A�/�;3B/�:=571��,6/B�7A�/�;316/<7H32�;3B/�:=571���
L ,6/B�7A�/�A>317471/B7=<�:/<5C/53��,6/B�7A�7BA��A3;/<B71A����
![Page 4: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/4.jpg)
,6G�)/93��(�������
L (=4BE/@3�@3:7/07:7BG�/<2�A31C@7BG�/@3�B63�07553AB�>@=0:3;A�4/132�0G�B63� )�7<2CAB@G�B=2/G���-=C�/@3�:793:G�B=�E=@@G�/0=CB�B63;�7<�G=C@�4CBC@3�8=0A�
L B�E7::�57D3�G=C�/<�3253�=D3@�G=C@�1=;>3B7B=@A��7<2CAB@G�/<2�;=AB�=B63@�A16==:A�2=<’B�B3/16�B67A��
L B�E7::�7;>@=D3�G=C@�>@=5@/;;7<5�A97::A�K�031/CA3�G=C�E7::�6/D3�/�03BB3@�/>>@317/B7=<�=4�E6/B�G=C@�>@=5@/;A�/1BC/::G�"��#��
L -=C�E7::�03�03BB3@�/0:3�B=�1=;>/@3�/<2�1=<B@/AB�>@=5@/;;7<5�:/<5C/53A��=@�3D3<�23A75<�G=C@�=E<�
L B�7A�/<�7;>=@B/<B�/<2�3F17B7<5�/@3/�=4�@3A3/@16��E7B6�;/<G�<3E�723/A�/<2�>3@A>31B7D3A�4@3?C3<B:G�3;3@57<5�
![Page 5: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/5.jpg)
�@7/<<3���
%<�!C<3����������B63��@7/<<3���B==9�=44�=<�7BA�;/723<�4:756B�
���A31=<2A�7<B=�7BA�4:756B�7B�D33@32�=44�1=C@A3�/<2�3F>:=232�
B�E/A�:/B3@�4=C<2�B=�03�/<�3@@=@�7<�@3CA3�=4�/�A=4BE/@3�1=;>=<3<B�
�)67A�>71BC@3�031/;3�?C7B3�>=>C:/@�7<�B/:9A�=<�A=4BE/@3�@3:7/07:7BG�/<2�@3:/B32�B=>71A��
![Page 6: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/6.jpg)
��3BB3@���/AB3@���63/>3@��
<�������$�(��:=AB�0=B6�B63�#/@A�&=:/@�"/<23@�/<2�B63��:7;/B3�%@07B3@�
"/B3@�7<D3AB75/B7=<A�23B3@;7<32�A=4BE/@3�3@@=@A�E3@3�B=�0:/;3�
• %@07B3@���=;>=<3<B�@3CA3�3@@=@�
• "/<23@��&@31=<27B7=<�D7=:/B7=<�
![Page 7: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/7.jpg)
*((�-=@9B=E<�
��4B3@�/�1@3E�;3;03@�;7AB/93<:G�3<B3@32�/�H3@=�7<B=�B63�2/B/�473:2�=4�/<�/>>:71/B7=<��B63�1=;>CB3@�AGAB3;�>@=133232�B=�27D723�/<=B63@�?C/<B7BG�0G�B6/B�H3@=�����$%�&�(�$#���)'������)���&�$*�&�!$+���#�+�������(��!�� ����&$"���(�"%$&�&-�'($&����'%�����#�"�"$&-���#��(����&&$&��*�#()�!!-��&$)��(��$+#�(���'��%�'�%&$%)!'�$#�'-'(�"��)63�@3AC:B��(����$& ($+#�+�'�������#�(���+�(�&��$&�"$&��(��#�(+$��$)&'��
![Page 8: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/8.jpg)
)63@/1� ��
�@=;������������A3D3@/:M1/<13@�>/B73<BA�E3@3M97::32�=@�A3@7=CA:G�7<8C@32M/A�/�@3AC:B�=4�037<5�=D3@�M@/27/B32�0G�)63@/1� ��M/�@/27/B7=<�B@3/B;3<BM4/17:7BG�
M)63�>@=0:3;�E/A�2C3�B=�/�AC0B:3�@/13M1=<27B7=<�03BE33<�1=<1C@@3<B�>@=13AA3A�
![Page 9: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/9.jpg)
�=;>CB3@�+7@CA3A�
�
$332�E3�A/G�;=@3��
�=@�;=@3��A=4BE/@3�6=@@=@�AB=@73A���A33M6BB>�EEE1AB/C/17:I</16C;26=@@=@6B;:�
![Page 10: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/10.jpg)
%0A3@D/B7=<A�
L ��/7:C@3�=4B3<�2C3�B=�A7;>:3�>@=0:3;A��7<�B63�23B/7:A��
L �(;/::�B63=@3;A�/0=CB�:/@53�>@=5@/;A�E=C:2�03�CA34C:�
L �$332�1:3/@:G�A>3174732�7<B3@4/13A�/<2�163197<5�=4�7<B3@4/13�1=;>:7/<13�
L ��3BB3@�:/<5C/53A�E=C:2�63:>��
![Page 11: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/11.jpg)
�6/::3<53A�
)63�7;>/1B�/<2�1=AB�=4�A=4BE/@3�4/7:C@3A�E7::�7<1@3/A3��/A�E7::�B63�23;/<2�4=@�3FB3<A707:7BG�
)63�27AB7<1B7=<�03BE33<��A/43BG�1@7B71/:��/<2��1=<AC;3@�3:31B@=<71A��A=4BE/@3�E7::�4/23�/E/G�
��$�+�!!�%&$*����(���(���#$!$�-��$&��'�����'$�(+�&��'-'(�"'��
![Page 12: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/12.jpg)
10 Emerging Technologies 2011, In: Technology Review, 2011(6), MIT Press
http://www.technologyreview.com/tr10/
![Page 13: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/13.jpg)
%>>=@BC<7B73A�
�756�/AAC@/<13��@3:7/07:7BG�23>3<2A�4C<2/;3<B/::G�=<�=C@�/07:7BG�B=�&��'$#���$)(�%&$�&�"'��
����$%%$&()#�(��'��$&�#�+�!�#�)���'��'�+�!!��'��$&"�!�'�"�#(��'��(-%��(��$&-���$"%)(�(�$#�!�!$������#��'$�$#���&���&��(��
![Page 14: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/14.jpg)
Certifying a computing host?
Formal proofs for resilience,
extensibility, security?
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #1: bug-free host impossible. Treat it as a biological system.
![Page 15: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/15.jpg)
Certifying a computing host?
Formal proofs for resilience,
extensibility, security?
Need to reason about:
• human behaviors
• cosmic rays + natural disasters
• hardware failure
• software
VIEW #2: focus on software since it is a rigorous mathematical entity!
HW & Env Model
![Page 16: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/16.jpg)
Certified software 01011010101010101111100011001110110111111101010101010101010101010111111111010101010101111000110001010101010101011111100011001001111001111111100111111100011110001010101011111101110011001110101010111111100011
110001110001110011
SOFTWARE
Formal specs &
proofs for resilience,
extensibility, security?
HW & Env Model
Find a mathematical proof showing that
if the HW/Env follows its model, the software will run according to its specification
![Page 17: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/17.jpg)
0101101010101010111110001100111011011111110101010101010101010101011111111101010101010111100011000101010101010101111110001100100111100111111110011111110001111000101010101111110111001100111010
10101111111000111100
Application & other system SW
Certified OS kernel
Formal specs &
proofs for resilience,
extensibility, security?
HW & Env Model
Research tasks & key innovations:
• new OS kernel that can “crash-proof” the entire system & application SW
• new PLs for writing certified kernel plug-ins (new OCAP + DSPLs)
• new formal methods for automating proofs & specs (VeriML)
ResourceManagers
ProtectedExecutors
DeviceDrivers
Certified Kernel
CPU CPU GPU GPU Disk NIC
NativeExecutor
TypesafeExecutor
VMMExecutor
SFIExecutor
Scheduler Scheduler
Driver Driver
FS Net
DriverDriver
LegacyX86App
Java/MSILApp
NaClApp
LegacyOS + App
![Page 18: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/18.jpg)
Certified “hypervisor” kernel
• Problems w. existing platforms • Attacks: Zero-Day Kernel Vulnerabilities
(ZDKVs) & rogue driver certificates
• leads to rogue kernels
• leads to rogue WinCC/Step7 apps
• leads to rogue PLC firmeware
�firmw
are
Rogue PC Rogue PLC WinCC
&
Step 7
rogue OS & its kernel
�
Other
Apps �
zero-day kernel vulnerabilities
& fake/stolen driver certificates
�certified firm
ware
Secure PC w. IFC labels
Secure PLC WinCC
&
Step 7
certified kernel
�
Other
Apps �
COTS OS
small mechanized proof checker
New CRASH technologies
• A small certified “hypervisor” kernel provides a reliable ZDKV-free core to fall back on, even under attacks
• Information-Flow-Control to enforce security
• Mechanized proof certificates are unforgeable
Protecting against Stuxnet attacks!
![Page 19: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/19.jpg)
Process Management
Mgmt OS (Linux 1) Linux 2 App 1 Virtual
Device Certified
App 2 Applica'on*
Scheduler IPC
V-PIC V-PCI Hypercall
Trap Handling
(Interrupt, Exception, Syscall)
SVM*/*VMX*module*
Pass-Through Devices
Hardware*
Memory Management
Cer'KOS*
CertiKOS architecture
Device*Drivers* SVM&VMX*Driver* IOMMU&VT-d Driver
IOMMU/VT-d module +7@BC/:�#/167<3�#/</53;3<B�
Disk*Driver*
KBD*Driver* VGA*Driver* Timer*Driver* IOCAPIC*Driver* APIC*Driver* PCI*Driver*
Serial*Driver*
![Page 20: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/20.jpg)
Compositional specification & verification�
Raw Machine / HW Spec�
kmod1.c
CompCert�
abs-layer-1 spec�
kmod1.s�
high-level kernel spec�
abs-layer-k spec�
kmodk.s�
abs-layer-2 spec�
kmod2.s�
kmod2.c
CompCert�
abs-layer-z spec�
kmodz.s�
kmodz.c
CompCert�
…………………………�
abs-layer-x spec�
kmodx.s�
kmodx.c
CompCert�kmody.c
CompCert�
kmody.s�
kmod3.c
CompCert�
kmod3.s�
kmody.c
CompCert�
kmody.s�
…………………………�
kinit.c�
Safety
(never crash)�
Correctness
Secure
(no info leak)
Liveness (resource usage)
![Page 21: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/21.jpg)
Compositonal specification & verification current target: single-core CertiKOS
![Page 22: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/22.jpg)
Decomposing CertiKOS�
Initialization of paging mechanism
Providing address space
�/A32�=<�B63�/0AB@/1B�;/167<3�>@=D7232�0G�0==B�
:=/23@�
Physical Memory and Virtual Memory Management�
![Page 23: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/23.jpg)
Decomposing CertiKOS (cont’d) �
Thread and Process Management�
![Page 24: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/24.jpg)
�$)&'���*�&*��+�
![Page 25: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/25.jpg)
#G��=/:A�
�6/D3�BE=�5=/:A��
L )=�B3/16�B63�;=AB�1=;;=<�"�(�$�'�4=@�A>3174G7<5�4=@;/:�A3;/<B71AJ� <�>/@B71C:/@��B63���#$(�(�$#�!��$%�&�(�$#�!���,�$"�(���/<2�(-%��(��$&�(���;3B6=2AMM)67A�E7::�57D3�G=C�B63�<313AA/@G�B==:A�B=�C<23@AB/<2�A3;/<B71�A>317471/B7=<A�/<2�B=�23D3:=>�<3E�=<3A�
L )=�AC@D3G�3F7AB7<5�!�#�)�������()&�'�B=�>@=D723�/�233>�C<23@AB/<27<5�=4�E6/B�B63A3�43/BC@3A�@3/::G�"��#��E6/B�B63G�2=��/<2�6=E�B63G�1=;>/@3MM)67A�E7::�3</0:3�G=C�B=�03BB3@�3D/:C/B3�3F7AB7<5�:/<5C/53A�/<2�<3E�=<3A�/A�B63G�/@3�23D3:=>32�
![Page 26: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/26.jpg)
&@3@3?C7A7B3A�
L �(� �����(� � ���(� ����(�� �M�=@�3?C7D/:3<BA��
L #/B63;/B71/:�0/195@=C<2��:=571��A3BA��@3:/B7=<A��4C<1B7=<A��>@=2C1BA��/<2�C<7=<A���(33��>>3<27F�7<�'3G<=:2A�B3FB0==9��
L ��23A7@3�B=�:3/@<��
![Page 27: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/27.jpg)
�=C@A3�'3?C7@3;3<BA��:/AA�/BB3<2/<13�7A�@31=;;3<232�
• %CBA723�;/B3@7/:�E7::�03�7<B@=2C132�
&@=0:3;�A3BA�• &@=0:3;A�4@=;�B3FB0==9A�• &@=5@/;;7<5�/AA75<;3<BA��,3�E7::�%&$($(-%��A=;3�=4�=C@�
A3;/<B71A�A>317471/B7=<A�7<��=?��=@�#"�/A93::��
'3/27<5A�• (3:31B32�16/>B3@A�7<�B63�;/7<�B3FB0==9A���/@>3@�/<2�'3G<=:2A��• ��1=C>:3�=4�@3A3/@16�>/>3@A�• �=?��=@�#"�/A93::��BCB=@7/:A�74�G=C�2=<�B�9<=E�B63;��
�@/27<5�• �0=CB�����>@=0:3;�A3BA������47</:�>@=831B3F/;��<=�;72B3@;��
![Page 28: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/28.jpg)
(G::/0CA�� <B@=2C1B7=<��&@3271/B3�"=571� <2C1B7D3��347<7B7=<A�� �0AB@/1B�(G<B/F�/<2��7<27<5�� ;>���3<=B/B7=</:�(3;/<B71A�� �/7:C@3�� <>CB�%CB>CB��/<2��=<B7<C/B7=<A�� (B/B71�/<2��G</;71�(3;/<B71A���� &@=5@/;�(>317471/B7=<A�/<2�&@==4A���� �C<1B7=<�)G>3A���� &:=B97<�A�&������������ �7<7B3��/B/�)G>3A������� <47<7B3��/B/�)G>3A������ *<BG>32�"/;02/��/:1C:CA�������� �G</;71�)G>7<5��������
![Page 29: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/29.jpg)
(G::/0CA��1=<B�2����
�� &=:G;=@>671�)G>3A����� �F7AB3<B7/:�)G>3A����� �=<B@=:�(B/19A�/<2��F13>B7=<A�������� �=<B7<C/B7=<A���������� )G>3A�/<2�&@=>=A7B7=<A���������� (C0BG>7<5��(3;/<B71A�=4�)G>3A���� � (B=@/53��4431BA����� � #=</2A�/<2��=;=</2A����� "/HG��D/:C/B7=<����� � &/@/::3:7A;������ � &@=13AA��/:1C:CA�������� � #=</271��=<1C@@3<1G�������
![Page 30: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/30.jpg)
�=C@A3�,30>/53�
�
��������6BB>�4:7<B1AG/:332C1A����
![Page 31: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/31.jpg)
�&�����(���$�������
��(����� �&$)#��
![Page 32: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/32.jpg)
Predicate Logic
Predicate logic over integer expressions:
a language of logical assertions, for example
8x. x + 0 = x
Why discuss predicate logic?
It is an example of a simple language
It has simple denotational semantics
We will use it later in program specifications
![Page 33: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/33.jpg)
Abstract Syntax
Describes the structure of a phrase
ignoring the details of its representation.
An abstract grammar for predicate logic over integer expressions:
intexp ::= 0 | 1 | . . .
| var
| �intexp | intexp + intexp | intexp � intexp | . . .
assert ::= true | false| intexp = intexp | intexp < intexp | intexp intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
![Page 34: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/34.jpg)
Resolving Notational Ambiguity
Using parentheses: (8x. ((((x) + (0)) + 0) = (x)))
Using precedence and parentheses: 8x. (x + 0) + 0 = x
arithmetic operators (⇤ / rem . . .) with the usual precedencerelational operators (= 6= < . . .)
¬^_),
The body of a quantified term extends to a delimiter.
![Page 35: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/35.jpg)
Carriers and Constructors
Carriers: sets of abstract phrases (e.g. intexp, assert)Constructors: specify abstract grammar productions
intexp ::= 0 �! c0 2 {hi}! intexp
intexp ::= intexp + intexp �! c+ 2intexp ⇥ intexp ! intexp
Note: Independent of the concrete pattern of the production:
intexp ::= plus intexp intexp �! c+ 2intexp ⇥ intexp ! intexp
Constructors must be injective and have disjoint ranges
Carriers must be either predefined or their elements must be
constructible in finitely many constructor applications
![Page 36: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/36.jpg)
Inductive Structure of Carrier Sets
With these properties of constructors and carriers,carriers can be defined inductively:
intexp
(0) = {}intexp
(j+1) = {c0hi, . . .} [ {c+(x0, x1) |x0, x1 2 intexp
(j)} [ . . .
assert
(0) = {}assert
(j+1) = {ctruehi, cfalsehi}[{c=(x0, x1) |x0, x1 2 intexp
(j)} [ . . .
[{c¬(x0) |x0 2 assert
(j)} [ . . .
intexp =1[
j=0intexp
(j)
assert =1[
j=0assert
(j)
![Page 37: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/37.jpg)
Denotational Semantics of Predicate Logic
The meaning of a term e 2 intexp is [[e]]intexp
i.e. the function [[�]]intexp
maps intexp objects to their meanings.
What is the set of meanings?
The meaning [[5 + 37]]intexp
of the term 5 + 37| {z } could be the integer 42.(that is, c+(c5hi, c37hi))
However the term x + 5 contains the free variable x,
so the meaning of an intexp in general cannot be an integer. . .
![Page 38: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/38.jpg)
Mathematical Background
Sets
Relations
Functions
Sequences
Products and Sums
![Page 39: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/39.jpg)
Sets
membership the empty setnatural numbers
inclusion integersfinite subset
set comprehensionintersection and
is a bound variableunion ordifference and notpowersetinteger range and
![Page 40: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/40.jpg)
Generalized Set Operations
def def
def def
def def
meaningless
Examples:
![Page 41: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/41.jpg)
Relations
A relation is a set of primitive pairs .
relates and
is an identity relation
the identity on def
the domain of dom def
the range of ran def
composition of with def and
reflection of def
![Page 42: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/42.jpg)
Relations: Properties and Examples
dom ran
dom
![Page 43: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/43.jpg)
Functions
A relation is a function ifand
If is a function,maps to
and are functions.If and are functions, then is a function:
is not necessarily a function:consider
is an injection if both and are functions.
![Page 44: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/44.jpg)
Notation for Functions
Typed abstraction: def
Defined only when is defined for all(consider )
dom , if ran dom .
Placeholder: with a dash standing for the bound variable
Variation of a function :ifotherwise
dom domran ran
![Page 45: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/45.jpg)
Sequences
def
def
def
— the empty function— the empty sequence— an -tuple— a (non-primitive) pair
dom == when
![Page 46: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/46.jpg)
Products
Let be an indexed family of sets (a function with sets in its range).The Cartesian product of is
def dom dom and dom
![Page 47: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/47.jpg)
More Products
def
def
def “ ”
def
def
times
![Page 48: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/48.jpg)
Sets of Sequences
Let
def (finite)
def (finite)
def (infinite)
![Page 49: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/49.jpg)
Sums
Let ✓ be an indexed family of sets (a function with sets in its range).
The disjoint union (sum) of ✓ is
P✓
def
= {hi, xi | i 2 dom ✓ and x 2 ✓ i}
X
x2T
S
def
=X
�x 2 T. S S1 + . . . + S
n
def
=nX
i=1“S
i
”
nX
i=m
S
def
=X
i2(m to n)S T ⇥ S =
X
x2T
S
n⇥ S = (0 to (n� 1))⇥ S = S + . . . + S| {z }n times
B + B =PhB, Bi = {h0, truei, h0, falsei, h1, truei, h1, falsei}
= 2⇥B
![Page 50: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/50.jpg)
Functions of Multiple Arguments
Use tuples instead of multiple arguments:
f (a0, . . . a
n�1) ����!f ha0, . . . a
n�1i
Syntactic sugar:
�hx0 2 S0, . . . , x
n�1 2 S
n�1i. Edef
= �x 2 S0 ⇥ . . .⇥ S
n�1. (�x0 2 S0. . . . �x
n�1 2 S
n�1. E)
(x 0) . . . (x(n�1))
Use Currying:
f (a0, . . . a
n�1) ����!f a0 . . . a
n�1
=(. . . (f a0) . . .) a
n�1
where f is a Curried function �x0 2 S0. . . . �x
n�1 2 S
n�1. E.
![Page 51: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/51.jpg)
Relations Between Sets
⇢ is a relation from S to T
() ⇢ 2 S
�!REL
T
() dom ⇢ ✓ S and ran ⇢ ✓ T .
Relation on S
def
= relation from S to S.
I
S
2 S
�!REL
S
⇢ 2 S
�!REL
T ) ⇢
† 2 T
�!REL
S
For all S and T , {} 2 S
�!REL
T
{} 2! S
�!REL
{}
{} 2! {}�!REL
T
![Page 52: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/52.jpg)
Total Relations
⇢ 2 S
�!REL
T is a total relation from S to T
() ⇢ 2 S
�!TREL
T
() 8x 2 S.9y 2 T. x ⇢ y
() dom ⇢ = S
() I
S
✓ ⇢
† · ⇢
S ut^
^
^
^
^
^
^
^
^
^
^
^
^
^
rs �
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
,,Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
Z
⇢ �
�
22e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e �
�
44i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i �
�
88r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
r
55k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
k
⇢ 2 (dom ⇢) �!TREL
T () T ◆ ran ⇢
![Page 53: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/53.jpg)
Functions Between Sets
f is a partial function from S to T
() f 2 S
��!PFUN
T
() f 2 S
�!REL
T and f is a function.
“Partial”: f 2 S
�!REL
T ) dom f ✓ S
f 2 S
��!PFUN
T is a (total) function from S to T
() f 2 S ! T
() dom f = S.
S ! T = T
S =Y
x2S
T
S ! T ! U = S ! (T ! U)
![Page 54: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/54.jpg)
Surjections, Injections, Bijections
f is a surjection from S to T () ran f = T
f is a injection from S to T () f
† 2 T
��!PFUN
S
f is a bijection from S to T () f
† 2 T ! S
() f is an isomorphism from S to T
S ut^
^
^
^
^
^
^
^
^
^
^
rs �
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X
X �
�
44h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h �
�
33f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f �
�
44h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
h
sur
S ut^
^
^
^
^
^
^
^
^
^
rs�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W �
�
44i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i
i �
in
�
S ut^
^
^
^
^
^
^
^
^
^
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pq^
^
^
^
^
^
^
^
^
^
^
^
^
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
Tut
rs�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
pqZ
Z
Z
wv�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�++W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W
W �
�**U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U
U �
�
77o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o
o �
bi
![Page 55: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/55.jpg)
Back to Predicate Logic
intexp ::= 0 | 1 | . . .
| var
| �intexp | intexp + intexp | intexp � intexp | . . .
assert ::= true | false
| intexp = intexp | intexp < intexp | intexp intexp | . . .
| ¬assert | assert ^ assert | assert _ assert
| assert ) assert | assert , assert
| 8var . assert | 9var . assert
![Page 56: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/56.jpg)
Denotational Semantics of Predicate Logic
The meaning of term e 2 intexp is [[e]]intexp
i.e. the function [[�]]intexp
maps objects from intexp to their meanings.
What is the set of meanings?
The meaning [[5+37]]intexp
of the term 5+37 could be the integer 42.
But the term x + 5 contains the free variable x. . .
![Page 57: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/57.jpg)
Environments
. . . hence we need an environment (variable assignment, state)
� 2 ⌃def
= var ! Z
to give meaning to free variables.
The meaning of a term is a function from the states to Z or B.
[[�]]intexp
2 intexp ! ⌃! Z
[[�]]assert
2 assert ! ⌃! B
if � = [x : 3, y : 4], then [[x+5]]intexp
� = 8
[[9z. x < z ^ z < y]] � = false
![Page 58: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/58.jpg)
Direct Semantics Equations for Predicate Logic
v 2 var e 2 intexp p 2 assert
[[0]]intexp
� = 0
( really [[c0hi]]intexp
� = 0)
[[v]]intexp
� = �v
[[e0+e1]]intexp
� = [[e0]]intexp
� + [[e1]]intexp
�
[[true]]assert
� = true
[[e0=e1]]assert� = [[e0]]intexp
� = [[e1]]intexp
�
[[¬p]]assert
� = ¬([[p]]assert
�)
[[p0 ^ p1]]assert� = [[p0]]assert� ^ [[p1]]assert�
[[8v. p]]assert
� = 8n 2 Z. [[p]]assert
[�|v : n]
![Page 59: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/59.jpg)
Example: The Meaning of a Term
[[8x. x+0=x]]assert
�
= 8n 2 Z. [[x+0=x]]assert
[�|x : n]
= 8n 2 Z. [[x+0]]intexp
[�|x : n] = [[x]]intexp
[�|x : n]
= 8n 2 Z. [[x]]intexp
[�|x : n]+[[0]]intexp
[�|x : n]=[[x]]intexp
[�|x : n]
= 8n 2 Z. [�|x : n](x) + 0 = [�|x : n](x)
= 8n 2 Z. n + 0 = n
= true
![Page 60: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/60.jpg)
Properties of the Semantic Equations
They are syntax-directed (homomorphic):
exactly one equation for each abstract grammar production
(constructor)
result expressed using functions (meanings)
of subterms only (arguments of constructor)
) they have exactly one solution h[[�]]intexp
, [[�]]assert
i(proof by induction on the structure of terms).
They define compositional semantic functions
(depending only on the meaning of the subterms)
) “equivalent” subterms can be substituted
![Page 61: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/61.jpg)
Validity of Assertions
p holds/is true in � () � satisfies p () [[p]]assert
� = true
p is valid () 8� 2 ⌃. p holds in �
p is unsatisfiable () 8� 2 ⌃. [[p]]assert
� = false
() ¬p is valid
p is stronger than p
0 () 8� 2 ⌃. (p0 holds if p holds )
() (p ) p
0) is valid
p and p
0are equivalent () p is stronger than p
0
and p
0is stronger than p
![Page 62: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/62.jpg)
Inference Rules
Class Examples
` p (Axiom) ` x + 0 = x (xPlusZero)
` p(Axiom Schema) ` e1=e0 ) e0=e1
(SymmObjEq)
` p0 . . . ` pn�1` p
(Rule)` p ` p ) p0
` p0(ModusPonens)
` p
` 8v. p(Generalization)
![Page 63: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/63.jpg)
Formal Proofs
A set of inference rules defines a logical theory `.
A formal proof (in a logical theory):
a sequence of instances of the inference rules, wherethe premisses of each rule occur as conclusions earlier in the sequence.
1. ` x + 0 = x (xPlusZero)
2. ` x + 0 = x ) x = x + 0 (SymmObjEq)[e0 : x | e1 : x + 0]
3. ` x = x + 0 (ModusPonens, 1, 2)[p : x + 0 = x | p0 : x = x + 0]
4. ` 8x. x = x + 0 (Generalization, 3)[v : x | p : x = x + 0]
![Page 64: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/64.jpg)
Tree Representation of Formal Proofs
` x + 0 = x ` x + 0 = x ) x = x + 0
(SymmObjEq)
` x = x + 0
(MP)
` 8x. x = x + 0
(Gen)
![Page 65: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/65.jpg)
Soundness of a Logical Theory
An inference rule is sound if in every instance of the rule
the conclusion is valid if all the premisses are.
A logical theory ` is sound if all inference rules in it are sound.
If ` is sound and there is a formal proof of ` p, then p is valid.
Object vs Meta implication:
` p ) 8v. p is not a sound rule, although` p
` 8v. pis.
![Page 66: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/66.jpg)
Completeness of a Logical Theory
A logical theory ` is complete if
for every valid p there is a formal proof of ` p.
A logical theory ` is axiomatizable if
there exists a finite set of inference rules
from which can be constructed formal proofs of all assertions in `.
No first-order theory of arithmetic is complete and axiomatizable.
![Page 67: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/67.jpg)
Variable Binding
8x. 9y. xrspq^^^^^^^^^^^
nn < y
utwv`````````````````
oo ^ 9x. xrspqOO > y
utwv_________________________________________________________________
oo
8
x
@@⇥⇥⇥⇥⇥⇥⇥⇥
9
__????????
y
??~~~~~~~~ ^
ggOOOOOOOOOOOOOOOO
<
77ppppppppppppppp 9
__????????
x
??~~~~~~~~y
__????????
x
??��������
>
__@@@@@@@@
x
??~~~~~~~~y
__????????
![Page 68: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/68.jpg)
Variable Binding
8x. 9y. xrspq^^^^^^^^^^^
nn < y
utwv`````````````````
oo ^ 9x. xrspqOO > y
utwv_________________________________________________________________
oo
8
pw����
����
���
ab??
????
????
????
???
��
9
__????????
y
??~~~~~~~~ ^
ggOOOOOOOOOOOOOOOO
<
77ppppppppppppppp 9pw⇥⇥
⇥⇥
ab???
???������
__????????
y
__????????
>
__@@@@@@@@
y
__????????
![Page 69: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/69.jpg)
Bound and Free Variables
In 8v. p, v is the binding occurrence (binder) and p is its scope.
If a non-binding occurrence of v is within the scope of a binder for v,
then it is a bound occurrence; otherwise it’s a free one.
FVintexp
(0) = {} FVassert
(true) = {}FV (v) = {v} FV (e0=e1) = FV (e0) [ FV (e1)
FV (�e) = FV (e) FV (¬p) = FV (p)
FV (e0 + e1) = FV (e0) [ FV (e1) FV (p0 ^ p1) = FV (p0) [ FV (p1)
FV (8v. p) = FV (p)� {v}
Example:
FV (9y. x < y ^ 9x. x > y) = {x}
![Page 70: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/70.jpg)
Only Assignment of Free Variables Matters
Coincidence Theorem:
If �v = �0v for all v 2 FV✓(p), then [[p]]✓� = [[p]]✓�0
(where p is a phrase of type ✓).
Proof: By structural induction.
Inductive hypothesis:
The statement of the theorem holdsfor all phrases of depth less than that of the phrase p0.
Base cases:
p0 = 0 ) [[0]]intexp
� = 0 = [[0]]intexp
�0
p0 = v ) [[v]]intexp
� = � v = �0v = [[v]]intexp
�0, since FV (v) = {v}.
![Page 71: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/71.jpg)
Proof of Concidence Theorem, cont’d
Coincidence Theorem:
If �v = �0v for all v 2 FV✓(p), then [[p]]✓� = [[p]]✓�0.
Inductive cases:
p0 = e0 + e1: by IH [[ei]]intexp
� = [[ei]]intexp
�0, i 2 {1,2}.[[p0]]
intexp
� = [[e0]]intexp
� + [[e1]]intexp
�= [[e0]]
intexp
�0 + [[e1]]intexp
�0 = [[p0]]intexp
�0
p0 = 8u. q: �v = �0v, 8v 2 FV (p0) = FV (q)� {u}then [�|u : n]v = [�0|u : n]v, 8v 2 FV (q), n 2 Z
Then by IH [[q]]assert
[�|u : n]= [[q]]assert
[�0|u : n] for all n 2 Z,
hence 8n 2 Z. [[q]]assert
[�|u : n]=8n 2 Z. [[q]]assert
[�0|u : n]
[[8u. q]]assert
� =[[8u. q]]assert
�0.
![Page 72: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/72.jpg)
Substitution
�/� 2 intexp ! intexp
�/� 2 assert ! assert
9>=
>;when � 2 var ! intexp
0/� = 0 v/� = �v
(-e)/� = -(e/�) (p0 ^ p1)/� = (p0/�) ^ (p1/�)
(e0+e1)/� = (e0/�)+(e1/�) (8v. p)/� = 8v0. (p/[�|v : v0]),
. . . where v0 /2[
u2FV (p)�{v}FV (�u)
Examples:
(x < 0 ^ 9x. x y)/[x : y+1] = y+1 < 0 ^ 9x. x y
(x < 0 ^ 9x. x y)/[y : x+1] = x < 0 ^ 9z. z x+1
![Page 73: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/73.jpg)
Preserving Binding Structure
(x < 0 ^ 9x. x y)/[ x : y+1] = y+1 < 0 ^ 9x. x y
^
<
:B}}}}}}}
}}}}}}}
9pw⇥⇥
⇥⇥⇥
⇥⇥⇥⇥
⇥
ab??
????
??;C������
������
[c???????
???????
x
;C~~~~~~~
~~~~~~~
0
[c>>>>>>>>
>>>>>>>>
<
Zb>>>>>>>>
>>>>>>>>
y
Zb========
========
�! ^
<
:B}}}}}}}
}}}}}}}
9pw⇤⇤
⇤⇤⇤⇤
⇤⇤
ab??
????
??;C������
������
[c???????
???????
+
;C�������
�������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
y
<D�������
�������
1
[c@@@@@@@@
@@@@@@@@
y
[c@@@@@@@@
@@@@@@@@
1
![Page 74: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/74.jpg)
Avoiding Variable Capture
(x < 0 ^ 9x. x y)/[ y : x+1] = x < 0 ^ 9z. z x+1
^
<
:B}}}}}}}
}}}}}}}
9pw⇥⇥
⇥⇥⇥
⇥⇥⇥⇥
⇥
ab??
????
??
;C������
������
[c???????
???????
x
;C��������
��������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
y
[c???????
???????
�! ^
<
:B}}}}}}}
}}}}}}}
9pw⇤⇤
⇤⇤⇤⇤
⇤⇤
ab??
????
??;C�����
�����
[c???????
???????
x
;C��������
��������
0
\dAAAAAAAA
AAAAAAAA
<
[c@@@@@@@
@@@@@@@
+
\dAAAAAAA
AAAAAAA
x
:B}}}}}}}}
}}}}}}}}
1
[c>>>>>>>
>>>>>>>
![Page 75: ( M =@;/: (3;](https://reader034.vdocument.in/reader034/viewer/2022042708/5aba0e067f8b9ac60e8ec745/html5/thumbnails/75.jpg)
Substitution Theorems
Substitution Theorem:
If � = [[�]]intexp
�0 · � on FV (p), then ([[�]]�)p = ([[�]]�0 · (�/�))p.
Finite Substitution Theorem:
[[p/v0 ! e0, . . . vn�1 ! en�1]]� = [[p]][�|v0 : [[e0]]�, . . .].
where
p/v0 ! e0, . . . vn�1 ! en�1def= p/[cvar|v0 : e0| . . . |vn�1 : en�1].
Renaming:
If u /2 FV (q)� {v}, then [[8u. (q/v ! u)]]boolexp
= [[8v. q]]boolexp
.