Download
chapter 3 n.
Skip this Video
Loading SlideShow in 5 Seconds..
Chapter 3 PowerPoint Presentation

Chapter 3

157 Views Download Presentation
Download Presentation

Chapter 3

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. formal logic mathematical preliminaries Chapter 3 Mathematical Reasoning Transparency No. 3-1

  2. Contents • First-order theory • Common rules of inferences • Fallacies • Proof methods • Mathematical Inductions • Recursive defined sets • Recursive definitions • Structural Induction • Recursive algorithms • Program correctness

  3. First-order theory • S : a (first-order) signature[I.e., a set of function and predicate symbols] • A (first-order) S-theory T is a collection of sentences of S. • For each T, let Th(T) =def {A | T |= A }. • Ie., Th(T) is the collection of all logical consequences of T. • T is closed iff it is closed under logical consequence. • I.e., all logical consequences of T are in T. • namely, T = Th(T). • T is consistent iff $ sentences A Ï Th(T). • <=> ~$ sentence A s.t., {A,~A} Î T. • T is complete iff for all sentence A, exactly one of A and ~A ÎTh(T).

  4. Example First-order theory • S: any signature {p1,...} • {} is a first order S-theory • Th({}) = {A | |= A} = the set of all valid (S-)sentences • {} is consistent. • since the sentence $x p(x) Ï Th({}). • {} is not complete. • since neither $x p(x) nor ~$x p(x) Î Th({}). • N = {0, +1, +, *, <, =} : (natural) number signature. • MN : number structure = {{0,1,2,...}, ... } • NT (Number-theory) = {A is a N-sentence | MN |= A.} • I.e., Number-theory is the collection of all sentences true in the number structure. • NT is a closed, consistent and complete theory.

  5. Other First-order theories • Total Order theory: S = {£, =} • OT = { • x £ x • x £y /\ y £ z -> x £ z • x £y /\ y /\ z -> x = z • x £y /\ y £z -> x £ z • x £ y \/ y £ x • x = x • x = y -> y = x • x = y /\ y = z -> x = z • x = y -> ((y £ z) -> (x £z)) • x = z -> ((y £ z) -> (y £ x)) • } • OT is consistent but not complete. • Existence of least element: $x"y x £y neither can be proved nor can be disproved.

  6. An axiom system of First-order theory • logical Axioms: • A(BA) • A(BC) ((AB)(AC)) • (~B~A) (AB) • ∀ x A(x) A(t) , where t is free for x in A. • ∀ x (AB)  (A ∀ x B) where x is not free in A. • Inference rules: • MP: from A and AB infer B • Gen: from A infer ∀ x A.

  7. An axiom system for the first-order Number theory • First-order equality theory + Peano’s axioms • x = x • x=y  y = x • x=y /\ y = z  x = z • x1=y1/\…xn=yn f(x1,x2,…,xn) = f(y1,…,yn) • x=y  (A(x) <->A(y)) • 0 ∈ N • x∈ N  x’ ∈ S • x’ ≠ 0 • x’ = y’  x = y • MI: P(x) : any statement about N. from P(0) and ∀ x P(x) P(x’) infer ∀ x P(x).

  8. More notions about theories • T: a S-theory; A: a (S-)sentence • Ax: a set of sentences • If Th(Ax) = Th(T), then Ax is a set of axioms of T. • Ex: • T is a set of axioms of T • {} is a set of axioms of T if T is a set of valid sentences. • T is said to be finitely axiomatizable iff it has a finite set of axioms. • The natural number theory is not finitely axiomatizable. • Ax : a set of axioms of a theory T; • A : a formulas of Ax. • A is a logical axiom if it is true in all theories • A is a proper axiom if it is not true in all theories. • Note: Ax: a set of axioms of T => Ax /{A | A is a logical axiom (of T) } is also a set of axioms of T.

  9. Proofs of theorems from axioms of a theory • T: a theory, A : a formula, Ax: a set of axioms of T • If T |= A. (i.e., A in Th(T)), then say A is a theorem (定理) of theory(理論) T. • Problem: How to show that a formula A is a theorem of T ? ==> give a proof. • But what is a proof ?

  10. What is a proof • what is a proof ? • ==> a sequence of formulas • A1, • ... • An [=A] generated according to some ( valid inference) rules

  11. Inference rules • A rule of inference is a pattern of formulas of the form: • P1,P2,...,Pm (m ³ 0) // C. • Meaning that if P1,..,Pm have been produced (proved, generated, etc) before then we can add C to the proof sequence (now). • P1,..,Pm : premises of the rule; • C: Conclusion of the rule.

  12. Example Rules of inferences and proof • Rules : where A, B are any formulas. • r1: // A->(B->A) • r2: // (A ->(B->C)) ->((A->B)->(A->C)) • r3: A, A->B // B • A proof of p  p from rules, where p is any formula: • 1. (p -> ((p->p)->p)) -> (p->(p->p)) ->(p->p)) : r2 • 2. p -> ((p->p) ->p) :r1 • 3. (p->(p->p))->(p->p) :r3, 1, 2. • 4. p->(p->p) :r1 • 5. p->p :r3,3,4

  13. Formal definition of proofs • Ax: a set of axioms [of a theory T] • R: a set of inference rules • A: a formula • A proof of A (according to axioms Ax and rules R) is a nonempty sequence of formulas A1,A2,...,An s.t., • 1. An = A. • 2. For i = 1,.., n • Either Ai is an axiom (i.e., a member of Ax) or • there is an inference rule r: P1,..,Pm / C in R s.t. 1. C = Ai 2. {p1,..,Pm} Í {A1,...,Ai-1} • Note: • 1. each Ai (i <n) is called a lemma. • 2. If B can be inferred from A directly, it is called a corollary of theorem A. • 3. Both lemmas and corollaries are theorems.

  14. Soundness of inference rules • An inference rule: P1,..,Pm // C is said to be sound(可靠) (or correct[正確], valid[有效]) in theory T iff • C is a logical T-consequence of the conjunction of all premises P1 /\ P2.../\Pm (P1,...,Pm |=T C) • Fact1 : If P1,..,Pm // C is sound in T, and all premises are theorem of T then so is the conclusion C. Pf: M: any model of T, => M |= {P1,..,Pm} Since the rule is sound, M |= {P1,..,Pm} => M|= C. Hence M |= C. => C in Th(T). • Fact2: If A= P1/\P2../\Pn  C is tautology, then r: P1,..,Pn //C is a correct inference rule of all theories. Pf: M: any interpretation. A is a tautology => M |= A. If M|= P1 /\P2../\Pn then M|= C. Hence r is correct. QED

  15. Example inference rules 1. Modus Ponus(MP) : AB, A // B 2. abduction (ABD) : AB, B // A 3. denying premise : AB, ~A // ~B 4. Math. ind.: (let P be any formula ) P(0) "x P(x)  P(x +1) -------------------------- " x P(x) Notes: 1. rule 1 is correct for all theories. 2. rule 2,3 are in general not correct for any theory. 3. Rule 4 is correct for natural number(NT) theory, but not correct for integer theory(ZT) and real number theory(RT).

  16. Theorem: • Ax: a set of axioms of a theory T • R: a set of inference rules, each correct in T • A: a formula • Theorem: If there is a proof of A from Ax and R, then A is a theorem of T. (i.e, A in Th(T)). Pf: By ind. on the length n of proof of A. Case 1. n = 1. then A is either in Ax or is a conclusion C of a rule: // C from R. In both cases, we have A in Th(T). Case 2. n > 1 and the proof is A1,..,An =A. • Case 2.1. A in Ax => A in Th(T). • Case 2.2. there is rule: P1,..Pm // A in R, and each Pi in {A1,..,An-1}. By ind. hyp. each Pi in Th(T). By soundess of the rule, A in Th(T). QED • Conclusion: 用正確的推論法則所證明的結論總是正確的;用非正確的推論法則所證明的結論雖未必錯誤但卻是不可信的.

  17. Some commonly used inference rules

  18. Some commonly used fallacies • Affirming the conclusion [abduction]: • From p->q, q infer p • Ex: Do all exercises => learn discrete math. Since have learned D.M., hence have done all exercises. • note: p is a possible reason (explanation) of q, instead of a (necessary) consequence of q. • Denying the hypothesis: • from ~p and p->q infer ~q. • Ex: rain => wet, since not rain, hence not wet. • Circular reasoning • Assume n2 is even. • n2 = 2k for some k. • Hence n2 is even

  19. Techniques for proving theorems • Different ways of proving a theorem: p implies q. • Vacuous proof: Prove that ~p. [~p //p->q] • Trivial proof: Prove that q. [q // p->q ] • Direct proof: Prove that if p then q. [p->q //p->q] • suppose p, then ..., q • Indirect proof: (proof by contraposition) • Prove that "~q implies ~P" [~q->~p // p->q] • Proof by contradiction: • To prove P, it suffices to show that ~P -> F (false) • [~p ->F // p] • Proof by cases: • To prove that "p \/ q implies r " it suffices to show that p->r and q -> r. • [p->r, q->r // (p\/ q) ->r.]

  20. Proving existence theorem Methods for proving $x p(x): • Constructive proof: find an object (or term) a, s.t. P(a). • [p(a) // $x p(x) ] • Nonconstructive proof: a proof of $x P(x) w/o knowing what object satisfies p. • ex:proof by contradiction: Show that ~$x p(x) ->F.

  21. Example of existence proofs Ex 20: [constructive proof] Show that there are n consecutive composite integers for every integer n >0. (I.e. for all n $x (x+1,x+2,...x+n) are all composite. Sol: Let x = (n+1)! +1. => x+i = (n+1)! + (i+1) = (i+1)( (n+1)!/(i+1) +1) is composite for i = 1,..,n. QED. Ex 21: [nonconstructive proof] For all n >0 $ prime number > n. Sol: by contradiction. Assume $n s.t. all prime number < n. Let m = n! +1. ==> (k, m) = 1 for all k ≤ n. => all prime cannot divide m => m is a prime > n => a contradiction. QED. Note: We cannot know a prime > n from the proof.

  22. Adequacy of inference rules [omitted] • T: a theory • Ax: a set of formulas • R: a set of inference rules: • [soundness of proof system] • The pair (Ax, R) is called a proof(or axiom) system. • If every formula provable from (Ax,R) is a theorem of T, ( |-(Ax,R) A => A in Th(T) ), we say the proof system is sound for T. • If Ax are theorems of T and all rule of R are sound in T => (Ax,R) is sound for T. • Completeness: • But can we assure that all theorems of T can be proved from (AX,R) ? • (Ax,R) is said to be complete for T if it satisfies such property.

  23. Completeness of axiom systems [omitted] • Benefit of a complete axiom system: • No need of other innovative methods to prove or disprove any existing conjecture in the theory. • Issues: • How to find a complete axiom system for various theories. • Will we be able to find a complete axiom system for any theory ? • Facts: • There are complete axiom systems for the empty first order theory Th({}). • There is no sound and complete axiom system for the natural number theory.(Goedel incompleteness theorem)

  24. 3.2 Mathematical Induction • To show that a property p hold for all nonnegative integer n, it suffices to show that 1. Basis step: P(0) is true 2. Ind. step: P(n)  P(n+1) is true for all nonnegative integer. • P(n) in 2. is called the inductive hypothesis. • Note: Math. Ind. is exactly the inference rule: • P(0), "n p(n)P(n+1) // "n P(n) for any property P • The second form of MI • Basis: P(0) holds • Ind. step: P(0) /\ P(1) /\ ...,/\p(n-1)  P(n) holds for all n. • P(0) /\ P(1) /\ ...,/\p(n-1) (or for all k k<n => P(k)) is the ind. hyp.

  25. Correctness of Math. Ind. • Correctness of MI. Pf: Assume MI is incorrect. i.e. the set NP = {k | P(k) is false} is not empty. Let m be the least number of NP. Since p(0), 0 Ï NP and m >0. => m-1 exists and P(0),P(1),…,P(m-1) hold • P(m) holds [by MI I or II]=> m Ï NP => a contradiction. QED.

  26. Examples : 2: Si=1,n 2i-1 = n2 3. n < 2n 4. 3 | n3 - n if n > 0 5. Si=1,n 2i = 2(n+1) -1 6. Sj=1,n arj = arn+1 - a / (r -1) 7. Let Hk = 1 + 1/2 +...+ 1/k => H2n³ 1 + n/2 8. |S| = n => |2S| = 2n. 9. 1 + 2+...+ n = n(n+1)/2 10. If n > 3 => 2n < n! 11. ~(S1Ç ...ÇSn) = ~S1 U ... U ~Sn.

  27. More examples: 13: n >1 => n can be written as a product of primes. [hint: use 2nd form of MI] 14. for every k >11, there are m,n s.t. k = 4m + 5n.

  28. 3.3 Recursive definitions • Different ways of defining sets of objects • Explicit listing • Suitable for finite objects only. • Define by giving an explicit expression • Ex: F(n) = 2n • recursive (or inductive ) definition • Define value of objects (sequences, functions, sets, ...) in terms of values of smaller similar ones. • Ex: the sequence 1,2,4,... (an = 2n) can be defined recursively as follows: 1. a0 = 1; 2. an+1 = 2 x an for n > 0.

  29. Recursively defined functions • To define a function over natural numbers: • specify the value of f at 0 (i.e., f(0)) • Given a rule for finding f(n) from f(n-1),..., f(0). • i.e., f(n) = some expression in terms of n, f(n), ..., f(0). • Ex1: • f(n) = 3 if n = 0 • = 2f(n-1) +3 if n >0 • => f(0) = 3, • f(1) = 2f(0) +3 = 9 • f(2) = 2f(1)+3 = 21,... • This guarantees f be defined for all numbers.

  30. More examples functions • Ex2: The factorial function f(n) = n! • f(0) = 1 • f(n) = n f(n-1) for all n > 0. • Recursively defined functions (over N) are well defined Pf: Let P(n) = "there is at least one value assigned to f(n)". Q(n) = "there are at most one value assigned to f(n)". We show P(n) hold for all n by MI.. basis: P(0) holds. Ind. : assume p(k) holds for all k ≤ n => since f(n+1) can be assigned a value by evaluating the expr(n,f(0),..,f(n)), where by ind. hyp. all f(i)s (i<n) have been assigned a value. The fact that Q(n) holds for all n is trivial, since each f(k) appear at the left hand side of the definition exactly once. QED

  31. More examples: Ex5: The Fibonacci number: • f(0) = 0; f(1) = 1; • f(n) = f(n-1) + f(n-2) for n > 1. • ==> 0,1,1,2,3,5,8,... Ex6: Show that f(n) > an-2 where a = (1+ sqrt(5))/2 whenever n ≥ 3. Pf: (by MI). Let P(n) = "f(n) > an-2 ". Basis: P(3), P(4) holds. An easy check. Ind.step: (for n >= 3) If n ≥ 3 => an-1 = a2an-3 = (a+1) an-3 = an-2 + a n-3. If n ≥ 4 => by ind. hyp., f(n-1) >an-3, f(n) >an-2 Hence f(n+1) = f(n)+f(n-1) > an-2 + an-3 = an-1. QED

  32. Lame's theorem • a,b: positive integer with a  b. => #divisions used by the Euclidean algorithm to find gcd(a,b) £ 5 x #decimal digits in b. Pf: seq of equations used for finding gcd(a,b) where r0 = a, r1 = b. r2 = ro mod r1¹ 0 r3 = r1 mod r2 ¹ 0 ... rn = rn-2 mod rn-1 ¹ 0 rn+1 = rn-1 mod rn = 0 i.e., until rn | rn-1 and then gcd(a,b) = rn. #division used = n. rn³ 1 = f2 rn-1³ 2rn³ 2f2 = f3; rn-2³ rn+rn-1 = f2 + f3 = f4 ...r2³ r3 + r4³fn-1+fn-2=fn; b = r1³ r2+ r3³ fn+fn-1 = fn+1.> an-1. logb > (n-1) log a ~ 0.208 (n-1) > (n-1)/5 n < 1 + 5 log b < 1 + 5 #digit(b). => n £ 5#digit(b).

  33. Recursively defined sets • Given a universal set U, a subset V of U and a set of operations OP on U, we often define a subset D of U as follows: • 1. Init: Every element of V is an element of D. • 2. Closure: For each operation f in OP, if f:Un->U and t1,..,tn are objects already known to be in the set D, then f(t1,..,tn) is also an object of D. • Example: The set S = {3n | n >0} N can be defined recursively as follows: • 1. Init: 3 ∈ S (i.e., V = { 3 } ) • 2. closure: S is closed under +. • i.e., If a,b ∈ S then so are a+b . (OP = {+})

  34. Notes about recursively defined sets 1. The definition of D is not complete (in the sense that there are multiple subsets of U satisfying both conditions. Ex: the universe U satisfies (1) and (2), but it is not Our intended D. 2. In fact the intended defined set 3': D is the least of all subsets of U satisfying 1 & 2, or 3'': D is the intersection of all subsets of U satisfying 1 & 2 or 3''': Only objects obtained by a finite number of applications of rule 1 & 2 are elements of D. 3. It can be proven that 3',3'',and 3''' are equivalent. 4. Hence, to be complete, one of 3',3'' or 3''' should be appended to condition 1 & 2, though it can always be omitted(or replaced by the adv. inductively, recursively) with such understanding in mind.

  35. Proof of the equivalence of 3',3'' and 3''' • D1: the set obtained by 1,2,3' • D1 satisfies 1&2 and any S satisfies 1&2 is a superset of D1. • D2: the set obtained by 1,2,3''. • D2 = the intersection of all subsets Sk of U satisfying 1&2. • D3: the set obtained by 1,2,3'''. • For any x ∈ U, x ∈ D3 iff there is a sequence x1,...,xm = x, such that for each xi (i = 1.m) either • (init: ) xi ∈ V or • (closure:) there are f in OP and t1,...tn in {x1,..,xi-1} s.t. • xi = f(t1,..,tn). pf: 1. D2 satisfies 1&2 and is the least of all sets satisfying 1&2 , Hence D1 exists and equals to D2. 2.1 D3 satisfies 1 & 2.[ by ind.] 2.2 D3 is contained in all sets satisfying 1 & 2 [by ind.] Hence D3 = D2.

  36. Example: • Ex 7': The set of natural numbers can be defined inductively as follows: • Init: 0 in N. • closure: If x in N, then x' in N. • => 0, 0',0'',0''',... are natural numbers • (unary representation of natural numbers)

  37. Induction principles III (structural induction) • D: a recursively defined set • P; a property about objects of D. • To show that P(t) holds for all t in D, it suffices to show that • 1. basis step: P(t) holds for all t in V. • 2. Ind. step: For each f in OP and t1,..,tn in D, if P(t1),...,P(tn) holds, then P(f(t1,..,tn)) holds, too. • Show the correctness of structural induction. Pf: assume not correct. => NP = {t ∈ D | P(t) does not hold} is not empty. => ∃ x ∈ NP s.t. ∃ a derivation x1,..xn of x and all xi (i<n) ∉ NP. => If n =1, then x1 = x ∈ V (impossible) Else either n > 1 and x ∈ V (impossible, like n=1) or n > 1, and x=f(t1,.,tn) for some {t1,..,tn} in {x1,..xn-1} and P holds for all tks => P(x) holds too => x ∉ NP, a contradiction. QED.

  38. MI is a specialization of SI • Rephrase the SI to the domain N, we have: • To show P(t) holds for all t ∈ N, it suffices to show that • Init: P(0) holds • Ind. step: [OP={ ‘ }] • for any x in N, If P(x) holds than P(x') holds. • Notes: • 1. The above is just MI. • 2. MI is only suitable for proving properties of natural numbers; whereas SI is suitable for proving properties of all recursively defined sets. • 3. The common variant of MI starting from a value c ≠ 0 ,1 is also a special case of SI with the domain • D = {c, c+1, c + 2, … }

  39. well-formed arithmetic expressions Ex: (2 +x), (x + (y/3)),... (ok) x2+, xy*/3 ... (no) Let Vr = {x,y,..,} be the set of variables, M = numerals = finite representations of numbers OP = {+,-,x,/,^} U = the set of all finite strings over Vr U M U OP U {(,)}. The set of all well-formed arithmetic expressions (wfe) can be defined inductively as follows: 1. Init: every variable x in Vr and every numeral n in M is a wfe. 2. closure: If A, B are wfe, then so are (x+y), (x-y), (x * y), (x / y) and (x ^ y). Note: "1 + x " is not a wfe. Why ?

  40. More examples: • Ex9: Wff (well-formed propositional formulas) • PV: {p1,p2,.. } a set of propositional symbols. • OP = {/\, \/, ~, -> } • U = the set of all finite strings over PV U OP U {(,)} • Init: every pi in PV is a wff • closure: If A and B are wffs, then so are • (A/\B), (A \/B), (A->B), ~A. • Ex10: [strings] • S: an alphabet • S*: the set of finite strings over S is defined inductively as follows: 1. Init:e is a string. 2. closure: If x is a string and a a symbol in S, then a·x is a string.

  41. Ex11: Recursively define two functions on S*. • len : S* -> N s.t. len(x) = the length of the string x. • basis: i(e) = 0 • Ind. step: for any x in S and a in S, len(ax) = len(x) + 1. • · : S* x S*  S* s.t. x · y = the concatenation of x and y. • Basis: e · y = y for all string y. • recursive step: (a · z) · y = a · (z · y) for all symbols a and strings z,y. • Prove properties of len(-) on S*: Ex12: show that len(x · y) = len(x) +len(y) for any x,y ∈ S*. • By SI on x. Let P(x) = "len(xy) = len(x) +len(y)". • Basis: x = e. => x · y = y => len(x · y) = len(y) = len(e) + len(y). • Ind. step: x = az • len(x · y) = len((a · z) · y) = len((a · (z · y)) = 1 + len(zy) • = 1+ len(z) + len(y) =l(x) +l(y).

  42. Where we use Recursion • Define a domain • numbers, lists, trees, formulas, strings,... • Define functionson recursively defined domains • Prove properties of functions or domains by structural induction. • compute recursive functions • --> recursive algorithm • Ex: len(x){ // x : a string if x = e then return(0) else return(1+ l(tl(x))) }

  43. 3.4 Recursive algorithm • Definition: an algorithm is recursive if it solve a problem by reducing it to an instance of the same problem with smaller inputs. • Ex1: compute an where a ∈ R and n ∈ N. • Ex2: gcd(a,b) a, b ∈ N, a > b • gcd(a,b) =def if b = 0 then a else gcd(b, a mod b). • Ex: show that gcd(a,b) will always terminate. • Comparison b/t recursion and iteration • Recursion: easy to read, understand and devise. • Iteration:use much less computation time. • Result:programmer --> recursive program --> • compiler --> iterative program --> machine.

  44. 3.5 Program correctness • After designing a program to solve a problem, how can we assure that the program always produce correct output? • Types of errors in a program: • syntax error --> easy to detect by the help of compiler • semantic error --> test or verify • Program testing can only increase our confidence about the correctness of a program; it can never guarantee that the program passing test always produce correct output. • A program is said to be correct if it produces the correct output for every possible input. • Correctness proof generally consists of two steps: • Termination proof : • Partial correctness: whenever the program terminates, it will produce the correct output.

  45. Program verification • Problem: • what does it mean that a program produce the correct output (or results)? • By specifying assertions (or descriptions) about the expected outcome of the program. • Input to program verifications: • Pr : the program to be verified. • Q : final assertions (postconditions), giving the properties that the output of the program should have • P : initial assertions(preconditions) , giving the properties that the initial input values are required to have.

  46. Hoare triple: • P,Q; assertions • S: a program or program segment. • P {S} Q is called a Hoare triple, meaning that S is partially correct (p.c.) w.r.t P,Q,i.e., whenever P is true for I/P value of S and terminates, then Q is true for the O/P values of S. Ex1: x=1 {y := 2; z := x+ y} z = 3 is true. Why ? Ex 2: x = 1 { while x > 0 x++ } x = 0 is true. why?

  47. Typical program constructs: 1. assignment: x := expr • x := x+y-3 2. composition: S1;S2 • Execute S1 first, after termination, then execute S2. 3. Conditional: • 3.1 If <cond> then S • 3.2 If <cond> then S1 else S2. 4. Loop: • 4.1 while <cond> do S • 4.2 repeat S until <cond> // 4.3 do S while <cond> … • Other constructs possible, But it can be shown that any program can be converted into an equivalent one using only 1,2,3.1 and 4.1

  48. Assignment rule • P[x/expr] {x := expr } P • P[x/expr] is the result of replacing every x in P by the expression expr. • ex: P = "y < x /\ x + z = 5" => P[x/3] = “y < 3 /\ 3+z = 5". • Why correct? • consider the variable spaces • (...,x,...) == x := expr ==> (..., expr,...) |= P • Hence if P[x/expr] holds before execution, P will hold after execution. • Example: Q {y := x+y} x > 2y + 1 => Q = ? • (xb,yb) ==>{ya := xb+yb} ==>(xb,xb+yb) = (xa,ya) |= P(xa,ya) =def ‘’xa > 2ya +1’’ • => (xb,yb) |= Q = P(xa,ya)[xa/xb;ya/xb+yb] • = P(xb,xb+yb)  “xb > 2(xb+yb) +1”

  49. Composition rules: • Splitting programs into subprograms and then show that each subprogram is correct. • The composition rule: P {S1} Q x = 0 { x:= x+2} ? Q {S2} R ? { x := x-1} x > 0 ------------------- --------------------------------------- P {S1;S2} R x=0 {x:= x+2; x:= x -1} x > 0 • Meaning: • Forward reading: • Backward reading: to prove P{S1;S2}Q, it suffices to find an assertion Q s.t. P{S1}Q and Q {S2}R. • Problem: How to find Q ?

  50. Example: • Show that x =1 {y := 2; z := x +y} z = 3 • x = 1 {y := 2; z := x+y} z = 3 • -------------------------------------------------------- • x=1 {y := 2} ? ? {z := x+y} z = 3