Chapter 3


Discrete Mathematics

? Transparency No. 2-0

Chapter 3

Mathematical Reasoning

Transparency No. 3-1

formal logic mathematical preliminaries

Discrete Mathematics Ch 3 Mathematical reasoning

Transparency No. 3-2

Contents

First-order theory
Common rules of inferences
Fallacies
Proof methods
Mathematical Inductions
Recursively defined sets
Recursive definitions
Structural Induction
Recursive algorithms
Program correctness

Transparency No. 3-3

First-order theory

: a (first-order) signature[I.e., a set of function and predicate symbols]

A (first-order) -theory T is a collection of sentences of . For each T, let Th(T) =def {A | T |= A }. Ie., Th(T) is the collection of all logical consequences of T.

T is closed iff it is closed under logical consequence. I.e., all logical consequences of T are in T. namely, T = Th(T).

T is consistent iff sentences A Th(T). <=> ~ sentence A s.t., {A,~A} T.

T is complete iff for all sentence A, exactly one of A and ~A Th(T).

Transparency No. 3-4

Example First-order theory

: any signature {p1,...} {} is a first order -theory

Th({}) = {A | |= A} = the set of all valid (-)sentences.

{} is consistent, since the sentence x p(x) Th({}).

{} is not complete, since neither x p(x) nor ~x p(x) Th({}).

N = {0, +1, +, *, <, =} : (natural) number signature.

MN : number structure = {{0,1,2,...}, ... } NT (Number-theory) = {A is a N-sentence | MN |= A.}

I.e., Number-theory is the collection of all sentences true in the number structure.

NT is a closed, consistent and complete theory.

Transparency No. 3-5

Other First-order theories

Total Order theory: = {, =} OT = {

x x x y /\ y z -> x z x y /\ y /\ z -> x = z x y /\ y z -> x z x y \/ y x x = x x = y -> y = x x = y /\ y = z -> x = z x = y -> ((y z) -> (x z)) x = z -> ((y z) -> (y x)) }

OT is consistent but not complete. Existence of least element: xy x y can neither be proved nor be disproved.

Transparency No. 3-6

An axiom system of First-order theory

Logical axioms:
A(BA)
A(BC) ((AB)(AC))
(~B~A) (AB)
∀x A(x) A(t), where t is free for x in A.
∀x (AB) (A ∀x B), where x is not free in A.

Inference rules:
MP: from A and AB infer B
Gen: from A infer ∀x A.

Transparency No. 3-7

An axiom system for the first-order Number theory

First-order equality theory + Peano’s axioms

x = x
x=y y = x
x=y /\ y = z x = z
x1=y1 /\ … xn=yn f(x1,x2,…,xn) = f(y1,…,yn)
x=y (A(x) <-> A(y))

0 ∈ N
x ∈ N x’ ∈ S
x’ ≠ 0
x’ = y’ x = y
MI: P(x): any statement about N. From P(0) and ∀x P(x) P(x’) infer ∀x P(x).

Transparency No. 3-8

More notions about theories

T: a -theory; A: a (-)sentence; Ax: a set of sentences

If Th(Ax) = Th(T), then Ax is a set of axioms of T. Ex:

T is a set of axioms of T.
{} is a set of axioms of T if T is a set of valid sentences.

T is said to be finitely axiomatizable iff it has a finite set of axioms.

The natural number theory is not finitely axiomatizable.

Ax: a set of axioms of a theory T; A: a formula of Ax.

A is a logical axiom if it is true in all theories.
A is a proper axiom if it is not true in all theories.

Note: Ax: a set of axioms of T => Ax /{A | A is a logical axiom (of T) } is also a set of axioms of T.

Transparency No. 3-9

Proofs of theorems from axioms of a theory

T: a theory, A : a formula,

Ax: a set of axioms of T

If T |= A (i.e., A in Th(T)), then we say A is a theorem of theory T.

Problem: How to show that a formula A is a theorem of T ? ==> give a proof.

But what is a proof ?

Transparency No. 3-10

What is a proof

what is a proof ? ==> a sequence of formulas

A1, ... An [=A]

generated according to some ( valid inference) rules

Transparency No. 3-11

Inference rules

A rule of inference is a pattern of formulas of the form: P1,P2,...,Pm (m 0) // C, meaning that if P1,..,Pm have been produced (proved, generated, etc.) before, then we can add C to the proof sequence (now).

P1,..,Pm : premises of the rule; C: Conclusion of the rule.

Transparency No. 3-12

Example Rules of inferences and proof

Rules (where A, B, C are any formulas):
r1: // A->(B->A)
r2: // (A->(B->C)) -> ((A->B)->(A->C))
r3: A, A->B // B

A proof of p->p from the rules, where p is any formula:
1. (p -> ((p->p)->p)) -> ((p->(p->p)) -> (p->p)) : r2
2. p -> ((p->p)->p) : r1
3. (p->(p->p)) -> (p->p) : r3, 1, 2
4. p->(p->p) : r1
5. p->p : r3, 3, 4

Transparency No. 3-13

Formal definition of proofs

Ax: a set of axioms [of a theory T]
R: a set of inference rules
A: a formula

A proof of A (according to axioms Ax and rules R) is a nonempty sequence of formulas A1,A2,...,An s.t.
1. An = A.
2. For i = 1,..,n, either Ai is an axiom (i.e., a member of Ax) or there is an inference rule r: P1,..,Pm // C in R s.t.
   1. C = Ai
   2. {P1,..,Pm}{A1,...,Ai-1}

Note:
1. Each Ai (i < n) is called a lemma.
2. If B can be inferred from A directly, it is called a corollary of theorem A.
3. Both lemmas and corollaries are theorems.
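The definition above can be checked mechanically. The following Python sketch is an added example, not part of the original slides: it encodes r1, r2 and r3 as schemas over the metavariables A, B, C, accepts the five-step proof of p->p from the earlier slide, and rejects a constructed variant whose fourth step tries to infer A from A->B and B. The tuple encoding of formulas and all function names are assumptions of the example.

```python
from itertools import permutations

def imp(a, b):
    """Build the formula a -> b; atoms are plain strings such as "p"."""
    return ("->", a, b)

# Each rule is (premise patterns, conclusion pattern) over metavariables A, B, C.
RULES = {
    "r1": ([], imp("A", imp("B", "A"))),
    "r2": ([], imp(imp("A", imp("B", "C")),
                   imp(imp("A", "B"), imp("A", "C")))),
    "r3": (["A", imp("A", "B")], "B"),
}

def match(pattern, formula, env):
    """One-way matching: extend env so that pattern instantiates to formula.
    Returns the extended env, or None if no instantiation exists."""
    if isinstance(pattern, str):            # a metavariable
        if pattern in env:
            return env if env[pattern] == formula else None
        return {**env, pattern: formula}
    if isinstance(formula, str):            # pattern is A->B but formula is an atom
        return None
    env = match(pattern[1], formula[1], env)
    return None if env is None else match(pattern[2], formula[2], env)

def step_ok(formula, rule, cited):
    """Is `formula` the conclusion of `rule` applied to the cited formulas?
    The cited premises may be listed in any order, as on the slide."""
    if rule not in RULES:
        return False
    premises, conclusion = RULES[rule]
    if len(cited) != len(premises):
        return False
    for order in permutations(cited):
        env = {}
        for pat, f in zip(premises, order):
            env = match(pat, f, env)
            if env is None:
                break
        else:
            if match(conclusion, formula, env) is not None:
                return True
    return False

def first_bad_step(proof):
    """proof: list of (formula, rule name, 1-based numbers of cited steps).
    Returns 0 if every step is justified, else the number of the first bad step."""
    for i, (formula, rule, refs) in enumerate(proof, start=1):
        if any(not 1 <= r < i for r in refs):   # may only cite earlier steps
            return i
        if not step_ok(formula, rule, [proof[r - 1][0] for r in refs]):
            return i
    return 0

def proves(proof, goal):
    """A proof of `goal` is a nonempty, fully justified sequence ending in `goal`."""
    return bool(proof) and first_bad_step(proof) == 0 and proof[-1][0] == goal

# The slide's proof of p->p.
p = "p"
pp = imp(p, p)
s2 = imp(p, imp(pp, p))          # p -> ((p->p)->p)
s4 = imp(p, pp)                  # p -> (p->p)
s3 = imp(s4, pp)                 # (p->(p->p)) -> (p->p)
s1 = imp(s2, s3)                 # instance of r2
SLIDE_PROOF = [(s1, "r2", []), (s2, "r1", []), (s3, "r3", [1, 2]),
               (s4, "r1", []), (pp, "r3", [3, 4])]

# Constructed invalid variant: step 4 claims s2 from s1 (= s2 -> s3) and s3,
# i.e. it infers A from A->B and B, which r3 does not allow.
BOGUS_PROOF = SLIDE_PROOF[:3] + [(s2, "r3", [1, 3])]

if __name__ == "__main__":
    print(proves(SLIDE_PROOF, pp), first_bad_step(BOGUS_PROOF))
```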

Transparency No. 3-14

Soundness of inference rules

An inference rule P1,..,Pm // C is said to be sound (or correct, valid) in theory T iff C is a logical T-consequence of the conjunction of all premises P1 /\ P2 ... /\ Pm (P1,...,Pm |=T C).

Fact1: If P1,..,Pm // C is sound in T, and all premises are theorems of T, then so is the conclusion C.

Pf: M: any model of T, => M |= {P1,..,Pm}

Since the rule is sound, M |= {P1,..,Pm} => M|= C.

Hence M |= C. => C in Th(T).

Fact2: If A= P1/\P2../\Pn C is tautology, then r: P1,..,Pn //C is a correct inference rule of all theories.

Pf: M: any interpretation. A is a tautology => M |= A.

If M|= P1 /\P2../\Pn then M|= C. Hence r is correct. QED

Transparency No. 3-15

Example inference rules

1. Modus Ponens (MP) : AB, A // B

2. abduction (ABD) : AB, B // A

3. denying premise : AB, ~A // ~B

4. Math. ind.: (let P be any formula ) P(0)

x P(x) P(x +1)

--------------------------

x P(x)

Notes:

1. rule 1 is correct for all theories.

2. rule 2,3 are in general not correct for any theory.

3. Rule 4 is correct for natural number(NT) theory, but not correct for integer theory(ZT) and real number theory(RT).

Transparency No. 3-16

Theorem

Ax: a set of axioms of a theory T
R: a set of inference rules, each correct in T
A: a formula

Theorem: If there is a proof of A from Ax and R, then A is a theorem of T (i.e., A in Th(T)).

Pf: By ind. on the length n of the proof of A.
Case 1. n = 1. Then A is either in Ax or is a conclusion C of a rule // C from R. In both cases, we have A in Th(T).
Case 2. n > 1 and the proof is A1,..,An = A.
Case 2.1. A in Ax => A in Th(T).
Case 2.2. There is a rule P1,..,Pm // A in R, and each Pi in {A1,..,An-1}. By ind. hyp. each Pi in Th(T). By soundness of the rule, A in Th(T). QED

Conclusion: A conclusion proved with correct inference rules is always correct; a conclusion proved with incorrect inference rules is not necessarily wrong, but it cannot be trusted.

Transparency No. 3-17

Some commonly used inference rules

Rule of inference        Tautology                        Name
p // p\/q                p -> (p\/q)                      Addition
p/\q // p                p/\q -> p                        Simplification
p, p->q // q             p /\ (p->q) -> q                 Modus ponens
~q, p->q // ~p           ~q /\ (p->q) -> ~p               Modus tollens
p->q, q->r // p->r       ((p->q) /\ (q->r)) -> (p->r)     Hypothetical syllogism
p\/q, ~p // q            ~p /\ (p\/q) -> q                Disjunctive syllogism

Transparency No. 3-18

Some commonly used fallacies

Affirming the conclusion [abduction]: From p->q, q infer p.
Ex: Do all exercises => learn discrete math. Since have learned D.M., hence have done all exercises.
Note: p is a possible reason (explanation) of q, instead of a (necessary) consequence of q.

Denying the hypothesis: from ~p and p->q infer ~q.
Ex: rain => wet; since not rain, hence not wet.

Circular reasoning: Assume n^2 is even. n^2 = 2k for some k. Hence n^2 is even.

Transparency No. 3-19

Techniques for proving theorems

Different ways of proving a theorem "p implies q":
Vacuous proof: Prove that ~p. [~p // p->q]
Trivial proof: Prove that q. [q // p->q]
Direct proof: Prove that if p then q. [p->q // p->q] Suppose p, then ..., q.
Indirect proof (proof by contraposition): Prove that "~q implies ~p". [~q->~p // p->q]

Proof by contradiction: To prove p, it suffices to show that ~p -> F (false). [~p->F // p]

Proof by cases: To prove that "p \/ q implies r" it suffices to show that p->r and q->r. [p->r, q->r // (p\/q)->r]

Transparency No. 3-20

Proving existence theorem

Methods for proving x p(x):

Constructive proof: find an object (or term) a s.t. P(a). [p(a) // x p(x)]

Nonconstructive proof: a proof of x P(x) w/o knowing what object satisfies p.
Ex: proof by contradiction: Show that ~x p(x) -> F.

Transparency No. 3-21

Example of existence proofs

Ex 20: [constructive proof] Show that there are n consecutive composite integers for every integer n >0. (I.e. for all n x (x+1,x+2,...x+n) are all composite.

Sol: Let x = (n+1)! +1.

=> x+i = (n+1)! + (i+1) = (i+1)( (n+1)!/(i+1) +1) is composite for i = 1,..,n. QED.

Ex 21: [nonconstructive proof] For all n >0 prime number > n.

Sol: by contradiction. Assume n s.t. all prime number < n.

Let m = n! +1. ==> (k, m) = 1 for all k ≤ n.

=> all prime cannot divide m

=> m is a prime > n

=> a contradiction. QED.

Note: We cannot know a prime > n from the proof.

Transparency No. 3-22

Adequacy of inference rules [omitted]

T: a theory
Ax: a set of formulas
R: a set of inference rules

[Soundness of proof system]
The pair (Ax, R) is called a proof (or axiom) system.
If every formula provable from (Ax,R) is a theorem of T ( |-(Ax,R) A => A in Th(T) ), we say the proof system is sound for T.

If Ax are theorems of T and all rules of R are sound in T => (Ax,R) is sound for T.

Completeness: But can we assure that all theorems of T can be proved from (Ax,R)? (Ax,R) is said to be complete for T if it satisfies such property.

Transparency No. 3-23

Completeness of axiom systems [omitted]

Benefit of a complete axiom system: No need of other innovative methods to prove or disprove any existing conjecture in the theory.

Issues:
How to find a complete axiom system for various theories.
Will we be able to find a complete axiom system for any theory?

Facts:
There are complete axiom systems for the empty first order theory Th({}).
There is no sound and complete axiom system for the natural number theory. (Goedel incompleteness theorem)

Transparency No. 3-24

3.2 Mathematical Induction

To show that a property P holds for all nonnegative integers n, it suffices to show that

1. Basis step: P(0) is true.

2. Ind. step: P(n) P(n+1) is true for all nonnegative integers n.

P(n) in 2. is called the inductive hypothesis.

Note: Math. Ind. is exactly the inference rule:

P(0), n p(n)P(n+1) // n P(n) for any property P

The second form of MI
Basis: P(0) holds.
Ind. step: P(0) /\ P(1) /\ ... /\ P(n-1) P(n) holds for all n.
P(0) /\ P(1) /\ ... /\ P(n-1) (or for all k, k < n => P(k)) is the ind. hyp.

Transparency No. 3-25

Correctness of Math. Ind.

Correctness of MI.

Pf: Assume MI is incorrect, i.e., the set NP = {k | P(k) is false} is not empty.

Let m be the least number of NP.

Since p(0), 0 NP and m >0.

=> m-1 exists and P(0),P(1),…,P(m-1) hold P(m) holds [by MI I or II]=> m NP => a contradiction.

QED.

Transparency No. 3-26

Examples :

2: i=1,n 2i-1 = n2

3. n < 2n

4. 3 | n3 - n if n > 0

i=1,n 2i = 2(n+1) -1

6. j=1,n arj = arn+1 - a / (r -1)

7. Let Hk = 1 + 1/2 +...+ 1/k => H2n 1 + n/2

8. |S| = n => |2S| = 2n.

9. 1 + 2+...+ n = n(n+1)/2

10. If n > 3 => 2n < n!

11. ~(S1 ...Sn) = ~S1 U ... U ~Sn.

Transparency No. 3-27

More examples:

13: n >1 => n can be written as a product of primes.

[hint: use 2nd form of MI]

14. for every k >11, there are m,n s.t. k = 4m + 5n.

Transparency No. 3-28

3.3 Recursive definitions

Different ways of defining sets of objects:

Explicit listing: suitable for finite objects only.

Define by giving an explicit expression. Ex: F(n) = 2n

Recursive (or inductive) definition: define value of objects (sequences, functions, sets, ...) in terms of values of smaller similar ones. Ex: the sequence 1,2,4,... (a_n = 2^n) can be defined recursively as follows:

1. a_0 = 1;

2. a_{n+1} = 2 x a_n for n > 0.

Transparency No. 3-29

Recursively defined functions

To define a function over natural numbers:
Specify the value of f at 0 (i.e., f(0)).
Give a rule for finding f(n) from f(n-1),..., f(0),
i.e., f(n) = some expression in terms of n, f(n), ..., f(0).

Ex1: f(n) = 3 if n = 0
          = 2f(n-1) + 3 if n > 0
=> f(0) = 3, f(1) = 2f(0) + 3 = 9, f(2) = 2f(1) + 3 = 21, ...
This guarantees f is defined for all numbers.

Transparency No. 3-30

More examples functions

Ex2: The factorial function f(n) = n!
f(0) = 1
f(n) = n f(n-1) for all n > 0.

Recursively defined functions (over N) are well defined.

Pf: Let P(n) = "there is at least one value assigned to f(n)".

Q(n) = "there is at most one value assigned to f(n)".

We show P(n) holds for all n by MI.

Basis: P(0) holds.

Ind.: assume P(k) holds for all k ≤ n

=> f(n+1) can be assigned a value by evaluating the expr(n,f(0),..,f(n)), where by ind. hyp. all f(i)s (i<n) have been assigned a value.

The fact that Q(n) holds for all n is trivial, since each f(k) appears at the left hand side of the definition exactly once. QED

Transparency No. 3-31

More examples:

Ex5: The Fibonacci number: f(0) = 0; f(1) = 1; f(n) = f(n-1) + f(n-2) for n > 1. ==> 0,1,1,2,3,5,8,...

Ex6: Show that f(n) > n-2 where = (1+ sqrt(5))/2 whenever n ≥ 3.

Pf: (by MI). Let P(n) = "f(n) > n-2 ". Basis: P(3), P(4) holds. An easy check. Ind.step: (for n >= 3) If n ≥ 3 => n-1 = 2 n-3 = (+1) n-3 = n-2 + n-3. If n ≥ 4 => by ind. hyp., f(n-1) >an-3, f(n) >an-2 Hence f(n+1) = f(n)+f(n-1) > n-2 + n-3 = n-1. QED

Transparency No. 3-32

Lame's theorem

a,b: positive integers with a b. => #divisions used by the Euclidean algorithm to find gcd(a,b) 5 x #decimal digits in b.

Pf: seq of equations used for finding gcd(a,b), where r0 = a, r1 = b.
r2 = r0 mod r1 0
r3 = r1 mod r2 0
...
rn = rn-2 mod rn-1 0
rn+1 = rn-1 mod rn = 0
i.e., until rn | rn-1 and then gcd(a,b) = rn. #divisions used = n.

rn 1 = f2
rn-1 2rn 2f2 = f3;
rn-2 rn+rn-1 = f2 + f3 = f4
...
r2 r3 + r4 fn-1+fn-2 = fn;
b = r1 r2r3fn+fn-1 = fn+1. > n-1.

logb > (n-1) log ~ 0.208 (n-1) > (n-1)/5
n < 1 + 5 log b < 1 + 5 #digit(b).
=> n 5#digit(b).

Transparency No. 3-33

Recursively defined sets

Given a universal set U, a subset V of U and a set of operations OP on U, we often define a subset D of U as follows:
1. Init: Every element of V is an element of D.
2. Closure: For each operation f in OP, if f: U^n -> U and t1,..,tn are objects already known to be in the set D, then f(t1,..,tn) is also an object of D.

Example: The set S = {3n | n > 0} N can be defined recursively as follows:
1. Init: 3 ∈ S (i.e., V = {3}).
2. Closure: S is closed under +, i.e., if a,b ∈ S then so is a+b. (OP = {+})

Transparency No. 3-34

Notes about recursively defined sets

1. The definition of D is not complete (in the sense that there are multiple subsets of U satisfying both conditions).
Ex: the universe U satisfies (1) and (2), but it is not our intended D.

2. In fact the intended defined set is given by
3': D is the least of all subsets of U satisfying 1 & 2, or
3'': D is the intersection of all subsets of U satisfying 1 & 2, or
3''': Only objects obtained by a finite number of applications of rule 1 & 2 are elements of D.

3. It can be proven that 3', 3'' and 3''' are equivalent.

4. Hence, to be complete, one of 3', 3'' or 3''' should be appended to conditions 1 & 2, though it can always be omitted (or replaced by the adv. inductively, recursively) with such understanding in mind.

Transparency No. 3-35

Proof of the equivalence of 3',3'' and 3'''

D1: the set obtained by 1,2,3'. D1 satisfies 1&2 and any S satisfying 1&2 is a superset of D1.

D2: the set obtained by 1,2,3''. D2 = the intersection of all subsets Sk of U satisfying 1&2.

D3: the set obtained by 1,2,3'''. For any x ∈ U, x ∈ D3 iff there is a sequence x1,...,xm = x, such that for each xi (i = 1..m) either
(init:) xi ∈ V or
(closure:) there are f in OP and t1,...,tn in {x1,..,xi-1} s.t. xi = f(t1,..,tn).

Pf:
1. D2 satisfies 1&2 and is the least of all sets satisfying 1&2. Hence D1 exists and equals D2.
2.1 D3 satisfies 1 & 2. [by ind.]
2.2 D3 is contained in all sets satisfying 1 & 2. [by ind.]
Hence D3 = D2.

Transparency No. 3-36

Example:

Ex 7': The set of natural numbers can be defined inductively as follows: Init: 0 in N. closure: If x in N, then x' in N.

=> 0, 0',0'',0''',... are natural numbers (unary representation of natural numbers)

Transparency No. 3-37

Induction principles III (structural induction)

D: a recursively defined set
P: a property about objects of D.

To show that P(t) holds for all t in D, it suffices to show that
1. Basis step: P(t) holds for all t in V.
2. Ind. step: For each f in OP and t1,..,tn in D, if P(t1),...,P(tn) hold, then P(f(t1,..,tn)) holds, too.

Show the correctness of structural induction.

Pf: Assume not correct. => NP = {t ∈ D | P(t) does not hold} is not empty.
=> ∃ x ∈ NP s.t. ∃ a derivation x1,..,xn of x and all xi (i<n) ∉ NP.
=> If n = 1, then x1 = x ∈ V (impossible).
Else either n > 1 and x ∈ V (impossible, like n=1)
or n > 1, and x = f(t1,..,tn) for some {t1,..,tn} in {x1,..,xn-1} and P holds for all tk's => P(x) holds too => x ∉ NP, a contradiction. QED.

Transparency No. 3-38

MI is a specialization of SI

Rephrasing SI for the domain N, we have:
To show P(t) holds for all t ∈ N, it suffices to show that
Init: P(0) holds.
Ind. step: [OP = { ' }] for any x in N, if P(x) holds then P(x') holds.

Notes:
1. The above is just MI.
2. MI is only suitable for proving properties of natural numbers, whereas SI is suitable for proving properties of all recursively defined sets.

3. The common variant of MI starting from a value c ≠ 0 ,1 is also a special case of SI with the domain

D = {c, c+1, c + 2, … }

Transparency No. 3-39

well-formed arithmetic expressions

Ex: (2 +x), (x + (y/3)),... (ok)

x2+, xy*/3 ... (no)

Let Vr = {x,y,..,} be the set of variables,

M = numerals = finite representations of numbers

OP = {+,-,x,/,^}

U = the set of all finite strings over Vr U M U OP U {(,)}.

The set of all well-formed arithmetic expressions (wfe) can be defined inductively as follows:

1. Init: every variable x in Vr and every numeral n in M is a wfe.

2. closure: If A, B are wfe, then so are (x+y), (x-y), (x * y), (x / y) and (x ^ y).

Note: "1 + x " is not a wfe. Why ?

Transparency No. 3-40

More examples:

Ex9: Wff (well-formed propositional formulas)
PV: {p1,p2,..}, a set of propositional symbols.
OP = {/\, \/, ~, ->}
U = the set of all finite strings over PV U OP U {(,)}
Init: every pi in PV is a wff.
closure: If A and B are wffs, then so are (A/\B), (A\/B), (A->B), ~A.

Ex10: [strings] : an alphabet
*: the set of finite strings over is defined inductively as follows:
1. Init: is a string.
2. closure: If x is a string and a a symbol in , then a·x is a string.

Transparency No. 3-41

Ex11: Recursively define two functions on *.

len : * -> N s.t. len(x) = the length of the string x.
Basis: len() = 0
Ind. step: for any x in and a in , len(ax) = len(x) + 1.

· : S* x S* S* s.t. x · y = the concatenation of x and y.
Basis: e · y = y for all strings y.
Recursive step: (a · z) · y = a · (z · y) for all symbols a and strings z,y.

Prove properties of len(-) on *:

Ex12: Show that len(x · y) = len(x) + len(y) for any x,y ∈ *.

By SI on x. Let P(x) = "len(xy) = len(x) + len(y)".
Basis: x = . => x · y = y => len(x · y) = len(y) = len() + len(y).
Ind. step: x = az
len(x · y) = len((a · z) · y) = len(a · (z · y)) = 1 + len(zy) = 1 + len(z) + len(y) = len(x) + len(y).

Transparency No. 3-42

Where we use Recursion

Define a domain: numbers, lists, trees, formulas, strings, ...

Define functions on recursively defined domains.

Prove properties of functions or domains by structural induction.

Compute recursive functions --> recursive algorithm

Ex:

len(x){ // x : a string
  if x = "" then return(0)        // x is the empty string
  else return(1 + len(tl(x)))     // tl(x): x without its first symbol
}

Transparency No. 3-43

3.4 Recursive algorithm

Definition: an algorithm is recursive if it solves a problem by reducing it to an instance of the same problem with smaller inputs.

Ex1: compute a^n where a ∈ R and n ∈ N.
Ex2: gcd(a,b), a, b ∈ N, a > b
gcd(a,b) =def if b = 0 then a else gcd(b, a mod b).
Ex: show that gcd(a,b) will always terminate.

Comparison b/t recursion and iteration:
Recursion: easy to read, understand and devise.
Iteration: uses much less computation time.
Result: programmer --> recursive program --> compiler --> iterative program --> machine.

Transparency No. 3-44

3.5 Program correctness

After designing a program to solve a problem, how can we assure that the program always produces correct output?

Types of errors in a program:
syntax error --> easy to detect with the help of the compiler
semantic error --> test or verify

Program testing can only increase our confidence about the correctness of a program; it can never guarantee that a program passing the tests always produces correct output.

A program is said to be correct if it produces the correct output for every possible input.

A correctness proof generally consists of two steps:
Termination proof:
Partial correctness: whenever the program terminates, it will produce the correct output.

Transparency No. 3-45

Program verification

Problem: what does it mean that a program produces the correct output (or results)?

By specifying assertions (or descriptions) about the expected outcome of the program.

Input to program verification:
Pr: the program to be verified.
Q: final assertions (postconditions), giving the properties that the output of the program should have.
P: initial assertions (preconditions), giving the properties that the initial input values are required to have.

Transparency No. 3-46

Hoare triple:

P, Q: assertions
S: a program or program segment.
P {S} Q is called a Hoare triple, meaning that S is partially correct (p.c.) w.r.t. P, Q, i.e., whenever P is true for the I/P values of S and S terminates, then Q is true for the O/P values of S.

Ex1: x=1 {y := 2; z := x+ y} z = 3 is true. Why ?

Ex 2: x = 1 { while x > 0 x++ } x = 0 is true. why?

Transparency No. 3-47

Typical program constructs:

1. assignment: x := expr x := x+y-3

2. composition: S1;S2 Execute S1 first, after termination, then execute S2.

3. Conditional: 3.1 If <cond> then S 3.2 If <cond> then S1 else S2.

4. Loop: 4.1 while <cond> do S 4.2 repeat S until <cond> // 4.3 do S while <cond> …

Other constructs are possible, but it can be shown that any program can be converted into an equivalent one using only 1, 2, 3.1 and 4.1.

Transparency No. 3-48

Assignment rule

P[x/expr] {x := expr} P

P[x/expr] is the result of replacing every x in P by the expression expr.
ex: P = "y < x /\ x + z = 5" => P[x/3] = "y < 3 /\ 3+z = 5".

Why correct? Consider the variable spaces:
(...,x,...) == x := expr ==> (..., expr,...) |= P
Hence if P[x/expr] holds before execution, P will hold after execution.

Example: Q {y := x+y} x > 2y + 1 => Q = ?
(xb,yb) ==> {ya := xb+yb} ==> (xb,xb+yb) = (xa,ya) |= P(xa,ya) =def "xa > 2ya + 1"
=> (xb,yb) |= Q = P(xa,ya)[xa/xb; ya/xb+yb]
= P(xb,xb+yb) "xb > 2(xb+yb) + 1"

Transparency No. 3-49

Composition rules:

Splitting programs into subprograms and then show that each subprogram is correct.

The composition rule:

P {S1} Q                x = 0 {x := x+2} ?
Q {S2} R                ? {x := x-1} x > 0
-------------------     ---------------------------------------
P {S1;S2} R             x = 0 {x := x+2; x := x-1} x > 0

Meaning:
Forward reading:
Backward reading: to prove P {S1;S2} R, it suffices to find an assertion Q s.t. P {S1} Q and Q {S2} R.

Problem: How to find Q ?

Transparency No. 3-50

Example:

Show that x =1 {y := 2; z := x +y} z = 3

x = 1 {y := 2; z := x+y} z = 3
--------------------------------------------------------
x = 1 {y := 2} ?        ? {z := x+y} z = 3
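The missing assertions marked "?" can be computed by reading the composition rule backward and applying the assignment rule at each step. The following Python sketch is an added example, not part of the original slides: assertions and right-hand sides are written as Python expressions, substitution P[x/expr] is done on the syntax tree, and the final implication P => P[x/expr] is only checked over a small grid of integer states, which is a bounded check rather than a proof. All function names are assumptions of the example.

```python
import ast
import copy
from itertools import product

class _Subst(ast.NodeTransformer):
    """Replace every occurrence of one variable by an expression (P[x/expr])."""
    def __init__(self, var, expr_node):
        self.var, self.expr_node = var, expr_node

    def visit_Name(self, node):
        # The returned copy is not visited again, so the substitution is
        # simultaneous: in y := x+y the inner y is left alone.
        return copy.deepcopy(self.expr_node) if node.id == self.var else node

def subst(assertion, var, expr):
    """Assignment rule: the precondition of {var := expr} for `assertion`."""
    tree = ast.parse(assertion, mode="eval")
    repl = ast.parse(expr, mode="eval").body
    new = ast.fix_missing_locations(_Subst(var, repl).visit(tree))
    return ast.unparse(new)          # needs Python 3.9 or later

def annotate(program, post):
    """Backward reading of the composition rule.
    program: list of (variable, expression) assignments S1; ...; Sn.
    Returns [P0, ..., Pn] with Pn = post and P(i-1) {Si} Pi for every i."""
    chain = [post]
    for var, expr in reversed(program):
        chain.insert(0, subst(chain[0], var, expr))
    return chain

def holds(assertion, state):
    # eval is acceptable here only because the assertions are constants
    # written in this example, never untrusted input.
    return bool(eval(assertion, {"__builtins__": {}}, dict(state)))

def run(program, state):
    """Execute the assignments on a copy of `state` and return the result."""
    state = dict(state)
    for var, expr in program:
        state[var] = eval(expr, {"__builtins__": {}}, state)
    return state

def states(variables, values):
    for combo in product(values, repeat=len(variables)):
        yield dict(zip(variables, combo))

def wp_agrees_with_execution(program, post, variables, values=range(-4, 5)):
    """The computed precondition holds before exactly when post holds after."""
    pre = annotate(program, post)[0]
    return all(holds(pre, s) == holds(post, run(program, s))
               for s in states(variables, values))

def triple_holds(pre, program, post, variables, values=range(-4, 5)):
    """Classical rule: pre {program} post follows if pre => computed precondition.
    The implication is checked on a finite grid only."""
    weakest = annotate(program, post)[0]
    return all(holds(weakest, s)
               for s in states(variables, values) if holds(pre, s))

if __name__ == "__main__":
    # Slide example: x = 1 {y := 2; z := x + y} z = 3
    print(annotate([("y", "2"), ("z", "x + y")], "z == 3"))
    # Slide example: x = 0 {x := x+2; x := x-1} x > 0
    print(annotate([("x", "x + 2"), ("x", "x - 1")], "x > 0"))
```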

Transparency No. 3-51

Classical rules

Classical rules:

P => P1                   P {S} Q1                  P => P1
P1 {S} Q                  Q1 => Q                   P1 {S} Q1
----------------------    -----------------------   Q1 => Q
P {S} Q                   P {S} Q                   -------------------------
                                                    P {S} Q

Examples:

x = 1 => x+1 > 1                       x+1 > 0 {x := x + 1} x > 0
x+1 > 1 {x := x + 1} x > 1             x > 0 => x ≠ 0
-----------------------------------    -----------------------------------
x = 1 {x := x + 1} x > 1               x+1 > 0 {x := x+1} x ≠ 0

Transparency No. 3-52

Conditional rules

P /\ <cond> {S1} Q

P /\~ <cond> {S2} Q

------------------------------------------------

P {if <cond> then S1 else S2 } Q

T /\ x > y => x x x x {y:=x} y x

------------------------------------------------

P /\ <cond> {S} Q T /\ x>y {y := x} y x

P /\~<cond> => Q ~ x > y => y x

--------------------------- --------------------------------------

P {if <cond> then S} Q T {if x > y then y := x} y x

Transparency No. 3-53

While-loop rules

Loop invariant: A statement P is said to be a loop invariant of a while program "while <cond> do S" if it remains true after each iteration of the loop body S.

I.e., P /\ <cond> {S} P is true.

While rule:
P /\ <cond> {S} P
-----------------------------------------------------
P {while <cond> do S} P /\ ~<cond>

Issues: How to find the loop invariant P? Most of the difficulty of program verification lies in finding appropriate loop invariants.

Transparency No. 3-54

While loop example

Show that

n>0 { i:= 1; f := 1;

while i < n do (i := i+1 ; f := f x i ) } f = n!

To prove the program terminates with f = n!, a loop invariant is needed.

Let p = "i ≤ n /\ f = i!"

First show that p is a loop invariant of the while program

i.e., i ≤ n /\ f = i! /\ i < n {i := i+1; f := f x i} i ≤ n /\ f = i!

Transparency No. 3-55

while loop example(cont'd)

n > 0 --- i:= 1; ------ i ≤ n

f := 1; ------ p = "i ≤ n /\ f = i!"

while i < n do (i := i+1 ; f := f x i )

------ p /\ ~ i < n ==> i=n /\ f = i!

==> f = n!

Transparency No. 3-56

Another example:

Ex5: Show that the following program is correct:

Procedure prod(m,n: integer) : integer
1. If n < 0 then a := -n else a := n ;     ------ a = |n|
2. k := 0 ; x := 0
3. while k < a do                          --- p = "x = mk /\ k ≤ a" is a loop invariant.
     x := x + m;
     k := k+1
   enddo                                   --- x = mk /\ k ≤ a /\ ~k<a => k=a /\ x=ma => x = m |n|
4. If n < 0 then prod := -x                => prod = - m |n| = mn
   else prod := x                          => prod = m |n| = mn
                                           ---- prod = mn.

Hence the program is [partially] correct!

Note: to be really correct, we need to show that the program will eventually terminate.
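The while rule and the two loop examples above can be exercised at run time. The following Python sketch is an added example, not part of the original slides: a helper runs a loop while checking the rule's premise P /\ <cond> {S} P on every iteration, and also checks a decreasing non-negative measure (n - i, respectively a - k), which is the termination argument the final note asks for. The helper, the exception class and the `buggy` switch are assumptions of the example; `math.factorial` stands in for the specification "f = i!".

```python
from math import factorial

class InvariantViolation(Exception):
    """Raised when a premise of the while rule fails on a concrete run."""

def checked_while(state, cond, body, invariant, variant):
    """Run `while cond do body` on `state` (a dict), checking that
    - the invariant holds on entry,
    - every iteration re-establishes it (invariant and cond {body} invariant),
    - the variant stays >= 0 and strictly decreases (so the loop terminates).
    On normal return, invariant(state) and not cond(state) both hold."""
    if not invariant(state):
        raise InvariantViolation(f"invariant false on entry: {state}")
    while cond(state):
        before = variant(state)
        body(state)
        if not invariant(state):
            raise InvariantViolation(f"body broke the invariant: {state}")
        if not 0 <= variant(state) < before:
            raise InvariantViolation(f"variant did not decrease: {state}")
    return state

def fact(n, buggy=False):
    """Slide program: n > 0 {i := 1; f := 1; while i < n do (...)} f = n!"""
    s = {"n": n, "i": 1, "f": 1}

    def body(s):
        if buggy:                       # constructed bug: statements swapped
            s["f"] *= s["i"]
            s["i"] += 1
        else:
            s["i"] += 1
            s["f"] *= s["i"]

    checked_while(
        s, lambda s: s["i"] < s["n"], body,
        invariant=lambda s: s["i"] <= s["n"] and s["f"] == factorial(s["i"]),
        variant=lambda s: s["n"] - s["i"])
    return s["f"]                       # invariant and not(i < n) give f = n!

def prod(m, n):
    """Slide procedure prod(m, n) with its invariant x = mk and k <= a."""
    a = -n if n < 0 else n              # a = |n|
    s = {"m": m, "a": a, "k": 0, "x": 0}

    def body(s):
        s["x"] += s["m"]
        s["k"] += 1

    checked_while(
        s, lambda s: s["k"] < s["a"], body,
        invariant=lambda s: s["x"] == s["m"] * s["k"] and s["k"] <= s["a"],
        variant=lambda s: s["a"] - s["k"])
    return -s["x"] if n < 0 else s["x"]

def violates(fn, *args, **kwargs):
    """True if running fn raises InvariantViolation."""
    try:
        fn(*args, **kwargs)
    except InvariantViolation:
        return True
    return False

if __name__ == "__main__":
    print(fact(5), prod(7, -3), violates(fact, 0), violates(fact, 3, buggy=True))
```

Calling `fact(0)` is rejected on loop entry because the invariant i ≤ n needs the precondition n > 0, even though the unchecked loop would still return 1.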