The other undecidability result comes from the soundness and completeness of predicate logic which, in special form for sentences, reads as

which we do not prove in this text. Since we can’t decide validity, we cannot decide provability either, on the basis of (2.10). One might reflect on that last negative result a bit. It means bad news if one wants to implement perfect theorem provers which can mechanically produce a proof of a given formula, or refute it. It means good news, though, if we like the thought that machines still need a little bit of human help. Creativity seems to have limits if we leave it to machines alone.

2.6 Expressiveness of predicate logic

Predicate logic is much more expressive than propositional logic, having predicate and function symbols, as well as quantifiers. This expressivess comes at the cost of making validity, satisfiability and provability undecidable. The good news, though, is that checking formulas on models is practical; SQL queries over relational databases or XQueries over XML documents are examples of this in practice.

Software models, design standards, and execution models of hardware or programs often are described in terms of directed graphs. Such models M are interpretations of a two-argument predicate symbol R over a concrete set A of ‘states.’

Example 2.23 Given a set of states A = {s0, s1, s2, s3}, let RM be the set {(s0, s1), (s1, s0), (s1, s1), (s1, s2), (s2, s0), (s3, s0), (s3, s2)}. We may depict this model as a directed graph in Figure 2.5, where an edge (a transition) leads from a node s to a node s i (s, s ) RM. In that case, we often denote this as s → s .

The validation of many applications requires to show that a ‘bad’ state cannot be reached from a ‘good’ state. What ‘good’ and ‘bad’ mean will depend on the context. For example, a good state may be one in which an integer expression, say x (y − 1), evaluates to a value that serves as a safe index into an array a of length 10. A bad state would then be one in which this integer expression evaluates to an unsafe value, say 11, causing an ‘out- of-bounds exception.’ In its essence, deciding whether from a good state one can reach a bad state is the reachability problem in directed graphs.

Figure 2.5. A directed graph, which is a model M for a predicate symbol R with two arguments. A pair of nodes (n, n ) is in the interpretation RM of R iff there is a transition (an edge) from node n to node n in that graph.

Reachability: Given nodes n and n in a directed graph, is there a finite path of transitions from n to n ?

In Figure 2.5, state s2 is reachable from state s0, e.g. through the path s0 → s1 → s2. By convention, every state reaches itself by a path of length 0. State s3, however, is not reachable from s0; only states s0, s1, and s2 are reachable from s0. Given the evident importance of this concept, can we express reachability in predicate logic – which is, after all, so expressive that it is undecidable? To put this question more precisely: can we find a predicate-logic formula φ with u and v as its only free variables and R as its only predicate symbol (of arity 2) such that φ holds in directed graphs i there is a path in that graph from the node associated to u to the node associated to v? For example, we might try to write:

u = v x(R(u, x) R(x, v)) x1 x2(R(u, x1) R(x1, x2) R(x2, v)) . . .

This is infinite, so it’s not a well-formed formula. The question is: can we find a well-formed formula with the same meaning?

Surprisingly, this is not the case. To show this we need to record an important consequence of the completeness of natural deduction for predicate logic.

Theorem 2.24 (Compactness Theorem) Let Γ be a set of sentences of predicate logic. If all finite subsets of Γ are satisfiable, then so is Γ.

PROOF: We use proof by contradiction: Assume that Γ is not satisfiable. Then the semantic entailment Γ holds as there is no model in which all φ Γ are true. By completeness, this means that the sequent Γ is valid. (Note that this uses a slightly more general notion of sequent in which we may have infinitely many premises at our disposal. Soundness and

138 2 Predicate logic

completeness remain true for that reading.) Thus, this sequent has a proof in natural deduction; this proof – being a finite piece of text – can use only finitely many premises ∆ from Γ. But then ∆ is valid, too, and so ∆ follows by soundness. But the latter contradicts the fact that all finite subsets of Γ are consistent.

From this theorem one may derive a number of useful techniques. We mention a technique for ensuring the existence of models of infinite size.

Theorem 2.25 (L¨owenheim-Skolem Theorem) Let ψ be a sentence of predicate logic such for any natural number n ≥ 1 there is a model of ψ with at least n elements. Then ψ has a model with infinitely many elements.

def

that there are at least n elements. Consider the set of sentences Γ = {ψ} {φn | n ≥ 1} and let ∆ be any if its finite subsets. Let k ≥ 1 be such that n ≤ k for all n with φn ∆. Since the latter set is finite, such a k has to exist. By assumption, {ψ, φk } is satisfiable; but φk → φn is valid for all n ≤ k (why?). Therefore, ∆ is satisfiable as well. The compactness theorem then implies that Γ is satisfiable by some model M; in particular, M ψ holds. Since M satisfies φn for all n ≥ 1, it cannot have finitely many elements.

We can now show that reachability is not expressible in predicate logic.

Theorem 2.26 Reachability is not expressible in predicate logic: there is no predicate-logic formula φ with u and v as its only free variables and R as its only predicate symbol (of arity 2) such that φ holds in directed graphs i there is a path in that graph from the node associated to u to the node associated to v.

PROOF: Suppose there is a formula φ expressing the existence of a path from the node associated to u to the node associated to v. Let c and c be constants. Let φn be the formula expressing that there is a path of length n from c to c : we define φ0 as c = c , φ1 as R(c, c ) and, for n > 1,

def

φn = x1 . . . xn−1(R(c, x1) R(x1, x2) · · · R(xn−1, c )).

Let ∆ = {¬φi | i ≥ 0} {φ[c/u][c /v]}. All formulas in ∆ are sentences and ∆ is unsatisfiable, since the ‘conjunction’ of all sentences in ∆ says that there is no path of length 0, no path of length 1, etc. from the node denoted by c to the node denoted by c , but there is a finite path from c to c as φ[c/u][c /v] is true.