Mathematical Logic and its Applications to Computer Science

Eitan Farchi [email protected]

Yochai Ben-Chaim [email protected]

April 1, 2009


Contents

Part I Lecture Notes

1 Lecture Notes
1.1 Knaves and Knights
1.2 Inductive Definitions of Sets
1.2.1 Induction
1.2.2 Example
1.2.3 The Set I(A, P)
1.3 The Induction Principle
1.4 Propositional Calculus
1.5 Syntax
1.6 A Ruling Function from the Talmud

Part II Lecture Transcripts

2 Lecture 1 - March 04, 2009
2.1 Inductive Sets
2.1.1 Example
2.1.2 Example
2.1.3 Example
2.1.4 Exercise
2.1.5 An Exercise to Think about at Home
2.1.6 Example
2.1.7 Claim
2.1.8 Example
2.1.9 Sub-example
2.1.10 Let's Look for an Example in the Program
2.2 Lecture Summary
2.2.1 In the Next Lecture

3 Lecture 2 - March 11, 2009
3.1 Inductive Sets - Continued
3.2 Propositional Calculus
3.2.1 Syntax
3.2.2 Example
3.2.3 Example
3.2.4 Meaning

4 Lecture 3 - March 18, 2009
4.1 What We've Done so Far
4.1.1 Example
4.1.2 Example
4.2 Our Main Running Example
4.3 Hierarchy of Dictionaries

5 Lecture 4 - March 25, 2009
5.1 In this and Upcoming Lectures
5.2 Hierarchy of Continued Rules for Glossary Design

6 Lecture 5 - April 01, 2009
6.1 In this and upcoming lectures:
6.2 Continued Design of Glossaries Hierarchy
6.3 A ruling function from the Talmud

Part III Exercises

7 Exercise 1 - March 05, 2009
7.1 Introduction
7.1.1 Predicate Calculus
7.1.2 Semantics
7.1.3 What is a proof?
7.2 Logics
7.2.1 Sets
7.2.2 Basic Terms
7.2.3 Actions between Sets
7.2.4 Example #1
7.2.5 Example #2
7.2.6 Example #3
7.3 Truth Tables
7.3.1 Example #4
7.4 Logical Equivalence
7.4.1 Example #5
7.4.2 Logical Quantifiers
7.4.3 Example #6
7.4.4 A More Complicated Example
7.5 Inductive Definition
7.5.1 Example
7.5.2 Examples
7.5.3 Proving Using Induction

8 Exercise 2 - March 12, 2009
8.1 In the Previous Exercise (1)
8.2 Inductive Definition
8.2.1 Example
8.2.2 Examples
8.2.3 Proving Using Induction
8.3 Example Program #1

9 Exercise 3 - March 17, 2009
9.1 In the previous Exercise (2)
9.2 Example Program #2
9.3 Differences between Syntax and Semantics
9.3.1 Power Set
9.3.2 Example
9.3.3 Example
9.3.4 Example

10 Exercise 4 - March 24, 2009
10.1 In the previous Exercise (3)
10.2 Homework Exercise #1
10.3 Induction - MI MU Example
10.3.1 The Elements of I(A, P)
10.3.2 Prove that MU ∉ I(A, P)
10.4 Propositional Calculus
10.5 Simple Program

11 Exercise 5 - March 31, 2009
11.1 In the previous Exercise (4)
11.2 Go Over Home Exercise #1
11.3 Z Language Specification - 'Dictionaries'
11.3.1 Purpose
11.3.2 Specification of Well-Formed Pairs of Words
11.3.3 Operations
11.3.4 Invariants
11.3.5 Error Handling
11.3.6 'Total Operations'

Part IV References

Abstract

The objective of the course is to introduce mathematical logic and explore its applications in computer science, with an emphasis on formal specifications. Propositional calculus, structured induction, partial orders, and first-order logic will be introduced. Formal specification using the Z language will be introduced, including some background in set theory, relations, functions and schemas. Applications of mathematical logic to formal verification and program analysis will be explored.


Part I

Lecture Notes

1 Lecture Notes

1.1 Knaves and Knights

An island is inhabited by two types of people: knaves, who always lie, and knights, who always tell the truth.

The Problem: A and B are from that island. A says, "at least one of us is a knave". What types of people are A and B?

The Solution: If A is a knave, then there is either one knave or two knaves. As a result, the statement "at least one of us is a knave" is true. However, this contradicts the fact that A is a knave, because knaves always lie. If A is a knight, then the statement "at least one of us is a knave" is true if and only if B is a knave. As A is a knight, he is telling the truth, and for the statement to be true, B has to be a knave.

1.2 Inductive Definitions of Sets

1.2.1 Induction

I(A, P) is the inductive set created from the atoms, A, using the operations, P. We are interested in the set obtained from the atoms by repeatedly applying the operations. Let's begin with an example.

1.2.2 Example

The set of atoms is A = {MI}. The operations, P, are detailed below.

• XI → XIU - add U at the end
• MX → MXX - for a word that starts with M, whatever follows the M, in this case X, is added at the end
• III → U - a sequence of three consecutive Is can be changed to a U
• UU → nothing - two consecutive Us can be omitted

The elements MI → MII → MIIII → MIIIIU → MIU are all in I(A, P). Check why each step in the derivation is correct.

Next, we want to prove that MU ∉ I(A, P). In other words, starting from MI, you cannot get to MU by applying the operations in P. Thus, MU is not a member of the inductive set I(A, P) that was obtained from A by using the operations, P. To prove this claim, we proceed by induction. The claim we are going to prove is that for any member w ∈ I(A, P), the number of Is in w is not a multiple of three. This will prove that MU ∉ I(A, P), as the number of Is in MU is zero and thus a multiple of three. The inductive proof includes showing that the claim is true for the atoms and then showing that if the claim is true for a word and you apply one of the operations to that word, the claim stays true.

Next, let's follow the details of the proof. The number of Is in MI is 1 and thus not a multiple of three. Assume that for some w ∈ I(A, P), the number of Is in w is not a multiple of three. For the first rule, XI → XIU, adding a U at the end does not change the number of Is, and it thus remains not a multiple of three. For the second rule, MX → MXX, the number of Is is multiplied by two. Thus, if before the application of the operation the number of Is in w was 3k + 1 or 3k − 1 (not a multiple of three), then the number of Is after applying the operation is 2(3k + 1) = 6k + 2 or 2(3k − 1) = 6k − 2, neither of which is a multiple of three. For the third rule, III → U, the number of Is is reduced by three, and thus remains not a multiple of three. For the last rule, UU → nothing, the number of Is does not change and thus remains not a multiple of three. This completes the induction step and the proof.

1.2.3 The Set I(A, P)

Next, we make the notion of I(A, P) precise. Given a set of atoms, A, and a set of operations, P, an inductive set of A and P is a set that:

• Contains A
• Is closed under the operations in P. In other words, if we know that X1, ..., Xk are in the inductive set and Z is obtained from X1, ..., Xk by one of the operations in P, then Z is in the inductive set.

Consider the following example. If A = {1} and P = {+1}, then {1, 2, 3, ...} is an inductive set, but so are {..., −3, −2, −1, 0, 1, 2, 3, ...}, the real numbers and the complex numbers, as all of them contain {1} and adding one to any member of these sets results in a member of these sets. We realize that we have too many options; that is, the two rules above do not define a unique set. To correct this situation, we add a third rule. We define the set I(A, P) to be the set that meets the above two rules and an additional third rule: the set is minimal (under inclusion) among the sets that meet these rules.

{1, 2, 3, ...} is contained in {..., −3, −2, −1, 0, 1, 2, 3, ...}, in the real numbers and in the complex numbers. It is also true that I({1}, +1) = {1, 2, 3, ...}. We will be ready to prove this once we characterize I(A, P) using a bottom-up definition. The bottom-up definition consists of starting from A and applying the operations to A in any way possible to obtain I1. We then apply the operations once more in any way possible on the elements obtained thus far, obtaining I2. We continue in this manner and finally take the union of all the elements that we obtained. We call this set I1(A, P). Let's make sure that the definition of I1(A, P) is clear using our running example: applying the operations in any way to MI results in MII and MIU. Applying the operations in any way to MI, MII and MIU results in MII, MIUIU, and MIIU, and so on. Reviewing the claim that I({1}, +1) = {1, 2, 3, ...}, one clearly notices that I1(A, P) = {1, 2, 3, ...}. If we prove that I1(A, P) = I(A, P), then we reach the conclusion that I({1}, +1) = {1, 2, 3, ...}. So this is what we aim to prove next. By definition, I1(A, P) contains the atoms A. In addition, if any X1, ..., Xk are in I1(A, P), then they are also in some In(A, P). The application of any operation in P to X1, ..., Xk will result in an element of In+1. Thus, I1(A, P) is an inductive set, and I(A, P) is contained in I1(A, P). On the other hand, any element of I1(A, P) was obtained by a finite application of the operations starting from an element of A, which means that this element is in I(A, P), and the proof is complete.
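As an added example (not code from the notes), the Python program below builds the bottom-up levels I1, I2, ... of the MI system from section 1.2.2, checks the induction claim (the number of Is is never a multiple of three) on every generated word, confirms that MU is not reached, and recovers a creation series for a word by breadth-first search. The rule function names and the word-length bound that keeps each level finite are my assumptions.

```python
# Added example (not from the notes): bottom-up levels of the MI system, the "number of Is is
# not a multiple of three" invariant, and creation series found by breadth-first search.
# Rule names O1-O4 follow the notes; the length bound that keeps the search finite is an assumption.
from typing import Dict, Iterable, List, Optional, Set, Tuple

def rule_o1(w: str) -> Iterable[str]:
    # XI -> XIU: a word ending in I may get a U appended
    if w.endswith("I"):
        yield w + "U"

def rule_o2(w: str) -> Iterable[str]:
    # MX -> MXX: everything after the leading M is doubled
    if w.startswith("M"):
        yield w + w[1:]

def rule_o3(w: str) -> Iterable[str]:
    # III -> U: any three consecutive Is may be replaced by a U
    for i in range(len(w) - 2):
        if w[i:i + 3] == "III":
            yield w[:i] + "U" + w[i + 3:]

def rule_o4(w: str) -> Iterable[str]:
    # UU -> nothing: any two consecutive Us may be deleted
    for i in range(len(w) - 1):
        if w[i:i + 2] == "UU":
            yield w[:i] + w[i + 2:]

RULES = [rule_o1, rule_o2, rule_o3, rule_o4]
MAX_LEN = 12   # assumption: words longer than this are not explored, so every level is finite

def next_level(words: Set[str]) -> Set[str]:
    """One bottom-up step: everything obtained so far plus every word one rule application away."""
    result = set(words)
    for w in words:
        for rule in RULES:
            result.update(new for new in rule(w) if len(new) <= MAX_LEN)
    return result

def levels(atoms: Iterable[str], depth: int) -> List[Set[str]]:
    """A0 = atoms, A1 = next_level(A0), ...; the union of all levels is the bottom-up set (bounded here)."""
    lv = [set(atoms)]
    for _ in range(depth):
        lv.append(next_level(lv[-1]))
    return lv

def invariant(w: str) -> bool:
    """The induction claim of the notes: the number of Is is not a multiple of three."""
    return w.count("I") % 3 != 0

def invariant_holds(lv: List[Set[str]]) -> bool:
    """Check the claim on every generated word (the induction proof shows it for all of I(A, P))."""
    return all(invariant(w) for level in lv for w in level)

def derivation(target: str, atoms: Iterable[str] = ("MI",), max_depth: int = 10) -> Optional[List[Tuple[str, str]]]:
    """Breadth-first search for a creation series (rule name, word) from an atom to target, or None."""
    parent: Dict[str, Optional[Tuple[str, str]]] = {a: None for a in atoms}
    frontier = list(atoms)
    for _ in range(max_depth):
        if target in parent:
            break
        nxt = []
        for w in frontier:
            for rule in RULES:
                for new in rule(w):
                    if len(new) <= MAX_LEN and new not in parent:
                        parent[new] = (w, rule.__name__)
                        nxt.append(new)
        frontier = nxt
    if target not in parent:
        return None
    series = []
    w = target
    while parent[w] is not None:
        prev, name = parent[w]
        series.append((name, w))
        w = prev
    series.append(("atom", w))
    return series[::-1]

if __name__ == "__main__":
    lv = levels(["MI"], 8)
    print("A1 =", sorted(lv[1]), "A2 =", sorted(lv[2]))
    print("invariant holds on all levels:", invariant_holds(lv), "; MU reached:", "MU" in lv[-1])
    print("creation series of MIUIU:", derivation("MIUIU"))
```

Because of the length bound, the check is a finite sanity test of the invariant, not a replacement for the induction proof above.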

1.3 The Induction Principle

In the example above, we proved that MU is not in the set I(A, P) created from the atom A = {MI} by the following operations:

• XI → XIU - add U at the end
• MX → MXX - for a word that starts with M, whatever follows M, in this case X, is added at the end
• III → U - a sequence of three consecutive Is can be changed to a U
• UU → nothing - two consecutive Us can be omitted

Our method of proving this was to show that a certain claim, T, is true for the atom A and that whenever we assume it is true before applying an operation from P, it remains true after applying that operation. We then deduced that T is true for I(A, P), but why? The fact is that the set of elements for which T is true is an inductive set. By abuse of notation, we will denote the set of elements for which the claim T is true by T. Thus, T ⊇ I(A, P) (as I(A, P) is the minimal inductive set for the atoms A and operations P). This means that for every element of I(A, P), the claim T holds.

1.4 Propositional Calculus

1.5 Syntax

We define the syntax of the propositional calculus. Atoms are letters or indexed letters (e.g., p ∈ A and pi ∈ A). In addition, if P and Q are in I(A, P), then so are:

• (¬P)
• (P ∨ Q)
• (P ∧ Q)
• (P → Q)

We will refer to I(A, P) as the set of sentences of propositional logic. The intended meanings of ¬, ∨, ∧, and → are "not", "or", "and", and "implies" respectively. However, this is just an intended meaning at this point of the discussion. The situation is similar to a programming language that has no compiler yet. Thus, in our hypothetical programming language, we might have intended that

x = 5; t = 3; (g(x, x++) > 0); g(x, f(t));

means some sort of calculation. However, if we do not define the calculation, it is just a string of characters devoid of meaning. As a string of characters, it could be a legal string or not. Thus, I(A, P) defines the legal strings of the propositional calculus (or the "programs" that will compile and have correct syntax, though that does not mean they will do something sensible).

Next, we further investigate the syntax. We claim that a sentence, if it is not an atom, begins with "(". Indeed, if we assume that P and Q begin with "(", then clearly so do (¬P), (P ∨ Q), (P ∧ Q), and (P → Q). Thus, ¬(p ∨ q) is not a sentence. Also, the number of opening parentheses "(" and closing parentheses ")" in a sentence is equal. Proof: This holds true for the atoms, since the number of opening and closing parentheses is zero. If the number of parentheses is equal for P and Q, it is equal for (¬P), (P ∨ Q), (P ∧ Q), and (P → Q), as one "(" and one ")" were added, ensuring that equality was kept.

We next define inductively the sentences that are "always correct" (at least, this is the intended meaning). The atoms A are sentences of the form:

• (A → (B → A))
• ((A → (B → C)) → ((A → B) → (A → C)))
• ((¬A → ¬B) → (B → A))

where A, B, and C are any legal sentences in the propositional language. We will also call the above atoms "axioms". Note that for any truth values of A, B, and C, the sentences above are intuitively true. We will give a more precise explanation of this once we define an interpretation of propositional language sentences. We will only have one operation in P: if (A → B) and A are already in the set of "always correct", then so is B (this operation will be referred to as "separation"). Thus, I(A, P) defines a set of sentences that are intended to be "always true". Note that at this stage, this is only our intention and has no bearing on the formalism. One last element of notation: if a ∈ I(A, P), we will write ⊢ a. In this case, there is a sequence by which a is obtained from the atoms of I(A, P). We will refer to that sequence as a proof for a (⊢ a). Next, let's examine a "proof" for (a → a) → (a → a), which is indeed, intuitively, always true.

• a → (a → a) (axiom)
• (a → (a → a)) → ((a → a) → (a → a)) (axiom)
• (a → a) → (a → a) (separation)
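As an added example (not code from the notes), here is a Python recognizer for the sentence syntax of section 1.5 together with a checker for the axiom-plus-separation proofs of this section; it reads the (a → a) → (a → a) proof above written with the outer parentheses the syntax requires. The function names, the use of uppercase metavariables in the axiom schemas, and the string form of the connectives are my assumptions.

```python
# Added example (not from the notes): a recognizer for the sentence syntax of section 1.5 and a
# checker for axiom-plus-separation proofs. Sentences are fully parenthesized, exactly as the
# inductive definition builds them; atoms are a lowercase letter with optional index digits.
import re

CONNECTIVES = "∨∧→"
TOKEN = re.compile(r"\s*(?:([a-z]\d*)|([()¬∨∧→])|(.))")  # atom | symbol | illegal character

def tokenize(text):
    tokens = []
    for atom, symbol, bad in TOKEN.findall(text.strip()):
        if bad:
            raise ValueError(f"illegal character {bad!r}")
        tokens.append(atom or symbol)
    return tokens

def _sentence(tokens, i):
    """Parse one sentence at token i; return (tree, next index). Trees: atom, ('¬', P) or (op, P, Q)."""
    if i >= len(tokens):
        raise ValueError("unexpected end of input")
    tok = tokens[i]
    if tok != "(":
        if tok in ")¬" + CONNECTIVES:   # the claim of the notes: a non-atom sentence starts with "("
            raise ValueError(f"a sentence must start with '(' or an atom, found {tok!r}")
        return tok, i + 1               # an atom
    if i + 1 < len(tokens) and tokens[i + 1] == "¬":    # (¬P)
        p, j = _sentence(tokens, i + 2)
        tree = ("¬", p)
    else:                                                # (P op Q)
        p, j = _sentence(tokens, i + 1)
        if j >= len(tokens) or tokens[j] not in CONNECTIVES:
            raise ValueError(f"expected a connective at token {j}")
        op = tokens[j]
        q, j = _sentence(tokens, j + 1)
        tree = (op, p, q)
    if j >= len(tokens) or tokens[j] != ")":
        raise ValueError(f"expected ')' at token {j}")
    return tree, j + 1

def parse(text):
    tokens = tokenize(text)
    tree, end = _sentence(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing symbols after a complete sentence")
    return tree

def is_sentence(text):
    try:
        parse(text)
        return True
    except ValueError:
        return False

# The three axiom schemas; uppercase names are metavariables standing for any sentence.
AXIOMS = [
    ("→", "A", ("→", "B", "A")),
    ("→", ("→", "A", ("→", "B", "C")), ("→", ("→", "A", "B"), ("→", "A", "C"))),
    ("→", ("→", ("¬", "A"), ("¬", "B")), ("→", "B", "A")),
]

def _match(pattern, tree, env):
    """Does tree instantiate pattern? env records what each metavariable stands for."""
    if isinstance(pattern, str):
        if pattern in env:
            return env[pattern] == tree
        env[pattern] = tree
        return True
    if isinstance(tree, str) or len(pattern) != len(tree) or pattern[0] != tree[0]:
        return False
    return all(_match(p, t, env) for p, t in zip(pattern[1:], tree[1:]))

def axiom_number(tree):
    for n, pattern in enumerate(AXIOMS, 1):
        if _match(pattern, tree, {}):
            return n
    return None

def check_proof(steps):
    """Justification per step (axiom instance, or separation from two earlier steps), or None if a step has none."""
    trees, reasons = [], []
    for text in steps:
        tree = parse(text)
        ax = axiom_number(tree)
        if ax is not None:
            reasons.append(f"axiom {ax}")
        else:
            # separation needs an earlier step (X → tree) together with an earlier step X
            pairs = [(trees.index(t[1]) + 1, j) for j, t in enumerate(trees, 1)
                     if isinstance(t, tuple) and t[0] == "→" and t[2] == tree and t[1] in trees]
            if not pairs:
                return None                 # this step is neither an axiom nor obtained by separation
            reasons.append(f"separation from steps {pairs[0][0]} and {pairs[0][1]}")
        trees.append(tree)
    return reasons

# The proof of (a → a) → (a → a) from the notes, with the outer parentheses the syntax requires.
PROOF = ["(a → (a → a))",
         "((a → (a → a)) → ((a → a) → (a → a)))",
         "((a → a) → (a → a))"]
```

Note that the informal writing ((¬p → q) ∨ r) is accepted only in its strict form (((¬p) → q) ∨ r), because the definition wraps every negation in parentheses.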

1.6 A Ruling Function from the Talmud

Rules: If a bull never attacked before and then attacks and kills another bull, then the owner of the first bull pays the owner of the second bull half the value of the second bull, but at most the value of the first.

Example: If the first bull is worth 500 and the second is worth 2000 and the first bull kills the second bull, then the owner of the first bull pays the owner of the second bull 500. If the first bull is worth 1000, then 1000 is paid. If the first bull is worth 1500, then 1000 is paid.

Now assume that one of two bulls, owned by one person, killed a third bull owned by another person. The third bull is worth 2000, while the first and second bulls are worth 500 and 1000 respectively. If the first bull killed the third bull, then the owner of the bull that was killed should get 500, while if the second bull killed the third bull, the owner of the third bull should get 1000. But we don't know which of the two bulls killed the third bull! We ask the owner of the first bull and simultaneously ask the owner of the second bull. Each one answers in one of three ways:

• I don't know (ignorant).
• The first bull did it (first).
• The second bull did it (second).

We model this by Answer = {ignorant, first, second}. The set of possible responses of the first and the second is modeled by the Cartesian product Answer ∗ Answer. We are looking for a ruling function ruling : Answer ∗ Answer → {0, 500, 1000}. One ruling function that appears in the Talmud is that if there is agreement, or at least no disagreement, on who killed the third bull, we go by the undisputed claim and apply the rule described above. Thus, the ruling function is defined as follows:

{(ignorant, ignorant, 0), (ignorant, first, 500), (ignorant, second, 1000), (first, ignorant, 500), (first, first, 500), (first, second, 0), (second, ignorant, 1000), (second, first, 0), (second, second, 1000)}

For those familiar with game theory: notice that this function defines a matrix game. Does it have a Nash equilibrium point in pure strategies?


Part II

Lecture Transcripts

2 Lecture 1 - March 04, 2009

2.1 Inductive Sets

An inductive set is a collection of members, called "atoms", that are defined in a certain way. We start from the collection of members, on which we activate actions. Once we receive the results, we reactivate the actions, and so on. The "set" is the result of what we receive by activating the actions.

2.1.1 Example

I(0, +1). The atom is 0. The action is +1. When activating +1 on 0, we receive 1. We then reactivate +1 and get 2, then reactivate +1 and get 3, and so on:

0 --+1--> 1 --+1--> 2 --+1--> ...

We quickly realize that the result is N, the set of natural numbers: N = {0, 1, 2, 3, ...}. −1, for instance, is not in the set. ({} marks a set.)

So how does all of this relate to software engineering? What is the connection between logic tools and computer science? The relation will be through software requirements for computer science.

2.1.2 Example

Let's examine the following program:

x = 0;
while (true) {
    x++;
    print(x);
}

This program describes (prints) the natural numbers: I(0, +1). We claim that N = I(0, +1). The claim is that the set deduced from the action +1, starting from atom 0, is the set of natural numbers. Another claim: the program P will print the set N. Actually, both claims are the same claim. This is the connection between the logical tool (the inductive set) and the claim about what the program does (a computer science requirement). During the course, we will use logic to define what artifacts are supposed to do. In this case, we performed a logical "jump" from program P to the definition of the inductive set I(0, +1) without proof. Let's now try to prove and explain what this inductive set is, using a different definition of the inductive set I(A, P), where A is the "atoms" and P is the "actions". I(A, P) is the set that maintains that all the atoms are in the set (that is, all the members of A are in the set), and that if x1, x2, ..., xy are in the set and action o is in P, then o(x1, x2, ..., xy) is also in the set. In other words, the result of activating the action o on members of the set is also in the set.

2.1.3 Example

The atom: A = {MI}. The actions (P) are:

O1: XI → XIU
O2: MX → MXX
O3: III → U
O4: UU → nothing

We start with MI, a member of A. Since MI is a member of A, it is an atom. According to action O2, O2(MI) = MII is also a member of the set. Next, we activate action O1 on MII: O1(MII) = MIIU. Then we activate action O2 on MIIU: O2(MIIU) = MIIUIIU.

2.1.4 Exercise

We would like to be able to reach a point where we can activate action O3. By activating O2 twice on MI, we receive:

O2(MI) = MII
O2(MII) = MIIII
O3(MIIII) = MUI

2.1.5 An Exercise to Think about at Home

We would like to be able to reach a point where we can activate action O4.

Let's return to the definition. We define "closure": activating an action on members of the set leaves us in the set. But the definitions that we gave (all the atoms are in the set, and closure) are not good enough, because there are many sets that satisfy these conditions.

2.1.6 Example

Suppose that I(0, +1). According to the definition of atoms that are members of the set and the definition of closure, we would have liked to see the result that these are the natural numbers N. But the set of all integers Z, which includes the negative numbers, also satisfies these conditions, because 0 is in the set, and for every member in the set, the member +1 is also in the set. The set of all real numbers R, which includes fractions, also satisfies both claims. We deduce that our definition is not enough, and we need to add a third condition. If we look at the example, we see that N is contained in Z, which is contained in R, which we write N ⊆ Z ⊆ R.

What is the additional condition we need to add? How do we characterize the desired set? We want the smallest set that satisfies all conditions; we want the smallest set under the subset ⊆ relation. In other words, the set is contained in any other set that satisfies both conditions. I(A, P) will be the set contained in any other set B that satisfies both conditions (all the atoms are in the set, and closure).

We found a second definition for the inductive set I(A, P):

A0 = A, the atoms.
A1 is the set of all members that result from members of A0 by activating all the actions in any legal way.
A2 is the set of all members that result from members of A1 by activating all the actions, and so on.

Then I(A, P) is the union ∪ from 1 through infinity ∞ of the Ai's.

From the previous example: the atom was A = {MI} and the actions (P) were:

O1: XI → XIU
O2: MX → MXX
O3: III → U
O4: UU → nothing

A0 = {MI}
O1(MI) = MIU
O2(MI) = MII

We cannot activate O3 and O4 on MI. So A1 is {MI, MIU, MII}. To reach A2 we need to activate the four possible actions on MIU and MII. The legal actions are:

O2(MIU) = MIUIU

We cannot activate the rest of the actions (O1, O3, O4) on MIU. As for activating the actions on MII:

O1(MII) = MIIU
O2(MII) = MIIII

We cannot activate O3 and O4 on MII. So, each member in the set can be described by the list of actions that created it. For instance, MIUIU was created from MI by activating O1 and then O2. We call this the "creation series" of MIUIU. It is sometimes referred to as the derivation or proof.

2.1.7 Claim

I∗(A, P) = I(A, P). Why is this true? The idea of the proof is to start by showing that the set created by activating the actions is a set that satisfies both conditions: that the atoms are contained, and closure. After showing that I∗(A, P) contains the atoms and is closed over the actions, we will also need to show that it is the minimal set that satisfies these two conditions.

Why does I∗(A, P) contain the atoms? Because I∗(A, P) was initially derived from them; according to the construction, A = A0.

Why is I∗(A, P) closed over the actions? To prove this, we need to take members, activate the actions, and show that the results are in the set. We take two members x, y from I∗(A, P) and activate on them an action o from P. We need to show that o(x, y) is still in I∗(A, P). This is true because x was derived from a creation series of activating actions and y was derived from a creation series of activating actions, so when we activate the action o on x and y, we have a creation series that results in x and a creation series that results in y, and so we have a creation series that reaches o(x, y); therefore o(x, y) ∈ I∗(A, P).

We showed that I(A, P) ⊆ I∗(A, P), because I∗(A, P) contains the atoms and is closed over the actions, and we know that I(A, P) is the minimal set that satisfies these two conditions. To prove that they are equal, I(A, P) = I∗(A, P), we need to show the subset relation ⊆ in the other direction: I∗(A, P) ⊆ I(A, P). For each member x in I∗(A, P), there is a creation series x1 → x2 → ... → xk = x, with each xi in I(A, P). So, according to closure, I∗(A, P) ⊆ I(A, P). Therefore, we proved that I(A, P) = I∗(A, P).

We notice that there are operative definitions and there are declarative definitions: I is a declarative definition; I∗ is an operative definition.


2.1.8 Example

I({(1, 0), (0, 1)}, {v, w → av + bw}), where v and w are points in the plane and a and b are real numbers. For instance: v = (0, 1), w = (1, 0), a = −1, b = 3. We receive (−1 ∗ (0, 1)) + (3 ∗ (1, 0)) = (3, −1). What does this produce? I is all of the plane R2. I is all of the plane, and the whole plane is the minimal set closed under the actions of I.

2.1.9 Sub-example

If we only look at I({(1, 0)}, v → av), we would receive only the x axis. If we remember the concepts of "basis" and "span" from linear algebra, then in the language of linear algebra, if we take a vector space and a set of vectors and look at the span of the vectors, SPAN(v1, v2, ..., vk), which is the set of all linear combinations, then a different definition of the span of the vectors is the minimal sub-vector space that is closed under linear combinations and thus contains the vectors. Or, translated into the language of inductive sets: our atoms A are the vectors. The actions P are the linear combinations; in other words, we multiply each vector by a scalar and add the resulting vectors. We are looking for the sub-vector space that is closed under the linear combinations and is minimal under the subset relation.

2.1.10 Let's Look for an Example in the Program

if (a < b) {
    x = b - a;
    y = a - b;
} else {
    z = b - a;
    t = a - b;
}

How can we make this program more efficient? By doing the subtraction actions only once and then assigning their values:

r = b - a;
f = a - b;
if (a < b) {
    x = r;
    y = f;
} else {
    z = r;
    t = f;
}

We would like to be able to write a computer program that finds and makes this change automatically. Purpose: write a computer program that automatically finds and suggests this change. In fact, this is what compilers do: optimizations performed by compilers. So how do inductive sets help with the process of creating effective compilers? For instance, there are optimization options when invoking the compiler, so that the compiler actually changes the assembly code. Let's try to perform an abstraction with an inductive set to characterize the change in the program:

1. if (a < b) {
2.     x = b - a;
3.     y = a - b;
   } else {
4.     z = b - a;
5.     t = a - b;
   }

We mark the rows as actions. We start with the set of atoms: A = {{1, ∅}, {2, ∅}, {3, ∅}, {4, ∅}, {5, ∅}}. Our goal: to define I(A, P) so that it contains {1, {b − a, a − b}}. That is, to associate the expressions a − b, b − a with action 1. What are the actions? Each action i means that if I am in the command line {i, X}:

a) {2, Y}, {4, Z}, {1, X} → {1, Y ∪ Z ∪ X}
b) {2, X}, {3, Y} → {2, X ∪ Y ∪ {b − a}}
c) {5, X}, {4, Y} → {4, X ∪ Y ∪ {b − a}}
d) {3, X} → {3, X ∪ {a − b}}
e) {5, X} → {5, X ∪ {a − b}}

The possible flows of the program are from command line 1 to either 2, then 3, then the end, or 4, then 5, then the end. To spell out rule a: with regard to the expressions used in the past at 1, 2 and 4, don't forget them and don't add any new knowledge to them. Rule b says: to the knowledge received from the past from 2 and 3, don't forget it, and add b − a, because this is the expression used in 2. When activating rule b on {2, ∅}, {3, ∅} we receive:

{2, ∅}, {3, ∅} → rule b → {2, ∅ ∪ ∅ ∪ {b − a}} = {2, {b − a}}

Our goal is to deduce from the set of rules what I(A, P) is. We start with the set of atoms: A = {{1, ∅}, {2, ∅}, {3, ∅}, {4, ∅}, {5, ∅}}. We quickly see that {5, {a − b}} and {3, {a − b}} are also in the set. How do we prove things for inductive sets? We start by proving that something is true for the atoms, and then that it remains true after applying the actions.


Claim: If {5, X} is in the inductive set, then it is either {5, ∅} or {5, {a − b}}.

Proof: For the atoms this holds, since {5, ∅} is an atom. Now, let's assume that {5, X} satisfies that X is ∅ or {a − b}. We need to show that activating the actions maintains this condition, i.e., that what we receive is either ∅ or {a − b}. It is obvious that we can only activate actions whose result starts with {5 and then something, which are:

{5, {a − b}} → {5, {a − b} ∪ {a − b}} = {5, {a − b}}
{5, ∅} → {5, ∅ ∪ {a − b}} = {5, {a − b}}

We showed that activating the actions maintains the claim. Therefore the claim is true.

Next, if we start with {4, ∅} and activate the rules that include {4, we can receive {4, {b − a}} and {4, {a − b, b − a}}. From all the options that we receive from all the possible activations, the most interesting one is {1, {a − b, b − a}}. From the calculation of I(A, P), we show that keeping the results of the expressions a − b and b − a is efficient for saving time. How did we deduce that this is the interesting option? By selecting the "largest" members: {1, {a − b, b − a}} contains {1, {a − b}} and {1, {b − a}}. It is possible to deduce the largest members automatically. We can intuitively see that the most interesting place for us is the entrance to the loop.
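As an added example (not from the transcript), the Python program below builds the inductive set of the five-line program above as a fixpoint of the rules a) to e), checks the claim about {5, X}, and picks out the "largest" member at each line automatically. The function names, the representation of a member as (line, frozenset of expressions) and the strings "b-a" and "a-b" for the two expressions are my assumptions.

```python
# Added example (not from the transcript): the inductive set of the five-line program above,
# computed bottom-up as a fixpoint, with rules a)-e) written as functions on members.
# A member is (line, frozenset of expression strings); "b-a" and "a-b" name the two expressions.
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Member = Tuple[int, FrozenSet[str]]
ATOMS: List[Member] = [(line, frozenset()) for line in (1, 2, 3, 4, 5)]

def rule_a(m1: Member, m2: Member, m3: Member) -> Optional[Member]:
    # a) {2, Y}, {4, Z}, {1, X} -> {1, Y ∪ Z ∪ X}: line 1 keeps what both branches know
    if (m1[0], m2[0], m3[0]) == (2, 4, 1):
        return (1, m1[1] | m2[1] | m3[1])
    return None

def rule_b(m1: Member, m2: Member) -> Optional[Member]:
    # b) {2, X}, {3, Y} -> {2, X ∪ Y ∪ {b − a}}
    if (m1[0], m2[0]) == (2, 3):
        return (2, m1[1] | m2[1] | {"b-a"})
    return None

def rule_c(m1: Member, m2: Member) -> Optional[Member]:
    # c) {5, X}, {4, Y} -> {4, X ∪ Y ∪ {b − a}}
    if (m1[0], m2[0]) == (5, 4):
        return (4, m1[1] | m2[1] | {"b-a"})
    return None

def rule_d(m: Member) -> Optional[Member]:
    # d) {3, X} -> {3, X ∪ {a − b}}
    return (3, m[1] | {"a-b"}) if m[0] == 3 else None

def rule_e(m: Member) -> Optional[Member]:
    # e) {5, X} -> {5, X ∪ {a − b}}
    return (5, m[1] | {"a-b"}) if m[0] == 5 else None

# each rule with its arity, i.e. how many members it consumes
RULES: List[Tuple[int, Callable]] = [(3, rule_a), (2, rule_b), (2, rule_c), (1, rule_d), (1, rule_e)]

def inductive_levels(atoms, rules) -> List[FrozenSet[Member]]:
    """A0 = atoms, A(n+1) = An plus every result of a rule applied to members of An,
    stopping at the first n with A(n+1) = An. The set is finite here, so this terminates."""
    current: Set[Member] = set(atoms)
    levels = [frozenset(current)]
    while True:
        nxt = set(current)
        for arity, rule in rules:
            for args in product(current, repeat=arity):
                result = rule(*args)
                if result is not None:
                    nxt.add(result)
        if nxt == current:
            return levels
        current = nxt
        levels.append(frozenset(current))

def members_at(members, line: int) -> Set[FrozenSet[str]]:
    """All expression sets that the inductive set associates with one command line."""
    return {exprs for ln, exprs in members if ln == line}

def largest_members(members) -> Dict[int, Optional[FrozenSet[str]]]:
    """Per line, the member containing all others at that line (the 'largest'), or None if there is none."""
    result = {}
    for line in {ln for ln, _ in members}:
        sets = members_at(members, line)
        union = frozenset().union(*sets)
        result[line] = union if union in sets else None
    return result

if __name__ == "__main__":
    lv = inductive_levels(ATOMS, RULES)
    print(f"fixpoint reached after {len(lv) - 1} rounds; {len(lv[-1])} members")
    for line, exprs in sorted(largest_members(lv[-1]).items()):
        print(line, sorted(exprs) if exprs else None)
```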

2.2 Lecture Summary

1. The concept of an inductive set
2. We showed how to use the inductive set
3. Operative and declarative definitions of the inductive set
4. We showed that it is interesting to try to characterize the inductive set
5. We showed how to use the inductive set in the context of computer programs

2.2.1 In the Next Lecture

• Propositional calculus
• Also from the inductive set point of view
• From the point of view of the relationship between programming languages and their meaning

3 Lecture 2 - March 11, 2009

3.1 Inductive Sets - Continued

In the previous section, we discussed the definition of the inductive set I(A, P), the set created by the atoms A and the actions P. We gave two definitions:

1. An operational definition ("we say how to create the set"): start with the atoms A and activate the actions P repeatedly.
2. A declarative definition ("without saying how to create the set, we define it"): the minimal set (in terms of inclusion) that maintains two conditions:
(a) All the atoms A are in the set.
(b) Closure over the actions: if x1, x2, ..., xk are members of the set and you activate an action p ∈ P on them, then p(x1, x2, ..., xk) is also in the set.

We showed that both definitions are equivalent. Later, when we want to define a programming language, we will use both the operational and the declarative definitions. We will also talk about denotational semantics (with regard to declarative definitions). Given the definitions, we want to use denotational semantics to define the first type of logic that we will use: propositional calculus. Later, we will also discuss and learn first-order logic.

3.2 Propositional Calculus

We will learn the idea of:

Leads to: if x then y
Or: x or y
And: x and y
Not: not x

where x and y are sentences; for instance, x is "it is raining now". The result is either true or false according to whether x and y are true. What we will see is that we distinguish between syntax and semantics, that is, between the rules that create the sentences and the meaning of the sentences.

Syntax: ((¬p → q) ∨ r)

In terms of semantics, this has a meaning: (not p leads to q) or r, where p, q and r are sentences in the language, and each sentence is either true or false.

So where do we stand?

3.2.1 Syntax

Let's start with the world of syntax and put the "meaning" aside. Our purpose is to create a language that will use "Or", "And", and so on, a language that will also allow us to characterize tautologies: the sentences that are always true. For instance: ((¬p) ∨ p). We start with the goal of defining all the sentences in the language. After defining all the sentences, we will want to define all the true sentences.

Temporal logic, which we don't necessarily cover in this course, also adds the notion of time. The idea is that the tools we use today are the same tools used for all logic types.

Our purpose: to define all the sentences in the language. Using an analogy from the computer world: a program that we can compile. "A program that can compile" means that the syntax is correct, not necessarily that the program does anything logical or useful.

We use the technique of the inductive set.

The atoms: the letters of the English alphabet, optionally with indexes. For instance:
• p, q, r
• p1, r7

The actions: if X and Y are sentences then:
• (¬X) is also a sentence
• (X ∧ Y) is also a sentence
• (X ∨ Y) is also a sentence
• (X → Y) is also a sentence

3.2.2 Example

Sentences:

• (((¬p) → q) ∨ r) is a sentence (it is in I(A, P)). Why is this true? p, q and r are atoms. Therefore (¬p) is a sentence according to the base definition. Therefore ((¬p) → q) is a sentence according to the base definition. Therefore (((¬p) → q) ∨ r) is a sentence, again according to the base definition.

Are the following sentences?
1. p ∧ q
2. (¬p → q)
3. ¬¬p
4. ¬(q ∧ p

Answers:
1. is not a sentence since there are no parentheses.
2. is not a sentence since there are no parentheses around the ¬p.
3. is not a sentence since there are no parentheses around either ¬.
4. is not a sentence since there is no closing parenthesis (and no parentheses around the ¬).

Question: can we claim that the number of opening and closing parentheses in every valid sentence is the same?

Claim: the number of opening "(" and closing ")" parentheses in every valid sentence in I(A, P) is the same.

Proof, using induction:

1. Check the atoms: for the atoms p, q, r, p1 there are no parentheses; we have zero opening and zero closing parentheses, which are equal.

2. Check the actions: assume that the numbers of opening and closing parentheses in X are equal (say n) and in Y are equal (say m). How many opening and closing parentheses will we have after activating the actions?
(a) In (¬X), we will have n + 1 opening and n + 1 closing parentheses.
(b) The same holds for the rest of the actions: (X ∧ Y), (X ∨ Y) and (X → Y) each have n + m + 1 opening and n + m + 1 closing parent heses.

Why is the technique of proof by induction correct? This type of induction is called "induction on the structure" (structural induction). We prove that the claim is true for the atoms, and that if it is true before activating an action, it is also true after activating it. Therefore the claim is true for every member. Why is the use of this technique correct? Later we may use axiomatic techniques to prove things, but in this case we can actually prove it. Assume we have a claim T, and look at the set of all members for which T is true; call this set T as well. What does this set maintain? All the atoms are in T, A ⊆ T, and T is closed over the actions: if X, Y ∈ T and you activate an action p, the result p(X, Y) is also in T. Therefore T is an inductive set over the atoms A and the actions P. What can we say about the relationship between T and I(A, P)? I(A, P) is the minimal such set, so I(A, P) ⊆ T, meaning that the claim is true for every member of I(A, P). This proves why the induction technique is valid.

So far, the main purpose of this lecture has been to define sentences in terms of syntax. Now we want to define, again syntactically, the set of all valid (provable) sentences, as an inductive set of its own.

The atoms: for sentences X, Y and Z, the following are atoms:
1. (X → (Y → X))
2. ((X → (Y → Z)) → ((X → Y) → (X → Z)))
3. (((¬X) → (¬Y)) → (Y → X))

We term these axioms. For instance, if X is (p → q) and Y is ((¬p) ∨ q), then the axiom instance of the first form is: ((p → q) → (((¬p) ∨ q) → (p → q))).

Actually, we wrote an infinite number of atoms, because each of X, Y and Z stands for infinitely many sentences, so each axiom form stands for infinitely many axioms. Later, we will see that using just → and ¬ we can represent all the sentences.

The actions: there is only one. If X is always true, and (X → Y) is always true, then Y is always true. This is the only action.

3.2.3 Example

In this example, we want to see an axiom and a list of actions, to visualize the formal system.

1. (p → ((p → p) → p)) is an axiom, because with X = p and Y = (p → p), where X and Y are sentences, it is an axiom of the form (X → (Y → X)).

2. ((p → ((p → p) → p)) → ((p → (p → p)) → (p → p))) is also an axiom, according to the second axiom form ((X → (Y → Z)) → ((X → Y) → (X → Z))) with X = p, Y = (p → p), Z = p.

3. Now, let's activate the action: if something is true and leads to (something leads to something) being true, then (something leads to something) is true. Activating the action on the previous two lines gives: ((p → (p → p)) → (p → p))

4. The following is also an axiom: (p → (p → p)), according to the first axiom form with X = p and Y = p.

5. We can perform separation again, activating the action on lines 4 and 3, and receive: (p → p)

We have shown ⊢ (p → p): the sentence (p → p) is derivable in the system. So, why did we "play this weird game"?
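The recognizer and proof checker below are an added example in Python, not code from the lecture notes. They implement the inductive definition of sentences from 3.2.1 as a strict recursive-descent parser, the parentheses-balance claim from 3.2.2 as a check, and the three axiom forms plus the single action (separation) of the proof system, and then verify the derivation of (p → p) given above line by line. The encoding is an assumption of this example: atom names are one lowercase letter with optional digits, and uppercase X, Y, Z are the metavariables of the axiom forms.

```python
"""Syntax of propositional calculus as an inductive set, and a checker for the axiomatic proof system."""
from typing import Dict, List

Tree = tuple  # ('atom', name) | ('¬', X) | ('∧' | '∨' | '→', X, Y)


class Parser:
    """Strict recursive-descent recognizer: the only sentences are atoms and
    (¬X), (X ∧ Y), (X ∨ Y), (X → Y), each connective with its own parentheses."""

    def __init__(self, text: str) -> None:
        self.s, self.i = text.replace(" ", ""), 0

    def parse(self) -> Tree:
        tree = self.sentence()
        if self.i != len(self.s):
            raise ValueError("trailing input after a complete sentence")
        return tree

    def peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ""

    def expect(self, ch: str) -> None:
        if self.peek() != ch:
            raise ValueError(f"expected {ch!r} at position {self.i}")
        self.i += 1

    def sentence(self) -> Tree:
        if self.peek().isalpha():  # atom: one letter plus optional index digits (p, q, p1, r7)
            j = self.i + 1
            while j < len(self.s) and self.s[j].isdigit():
                j += 1
            name, self.i = self.s[self.i:j], j
            return ("atom", name)
        self.expect("(")
        if self.peek() == "¬":
            self.i += 1
            inner = self.sentence()
            self.expect(")")
            return ("¬", inner)
        left = self.sentence()
        op = self.peek()
        if op not in ("∧", "∨", "→"):
            raise ValueError(f"expected a connective at position {self.i}")
        self.i += 1
        right = self.sentence()
        self.expect(")")
        return (op, left, right)


def is_sentence(text: str) -> bool:
    """Membership in I(A, P) for the sentence language."""
    try:
        Parser(text).parse()
        return True
    except ValueError:
        return False


def balanced(text: str) -> bool:
    """The claim of 3.2.2: a valid sentence has as many '(' as ')'."""
    return text.count("(") == text.count(")")


# The three axiom forms; uppercase atoms are the metavariables X, Y, Z (an encoding assumed here).
AXIOM_FORMS = [Parser(t).parse() for t in (
    "(X → (Y → X))",
    "((X → (Y → Z)) → ((X → Y) → (X → Z)))",
    "(((¬X) → (¬Y)) → (Y → X))",
)]


def match(form: Tree, tree: Tree, env: Dict[str, Tree]) -> bool:
    """Does `tree` instantiate `form`? A metavariable must stand for the same sentence throughout."""
    if form[0] == "atom" and form[1].isupper():
        return env.setdefault(form[1], tree) == tree
    if form[0] != tree[0] or len(form) != len(tree):
        return False
    if form[0] == "atom":
        return form[1] == tree[1]
    return all(match(f, t, env) for f, t in zip(form[1:], tree[1:]))


def is_axiom(tree: Tree) -> bool:
    return any(match(form, tree, {}) for form in AXIOM_FORMS)


def check_proof(lines: List[str]) -> bool:
    """Every line must be an axiom or follow by separation: from X and (X → Y) proved earlier, Y."""
    proved: List[Tree] = []
    for line in lines:
        tree = Parser(line).parse()
        by_separation = any(a[0] == "→" and a[1] == x and a[2] == tree
                            for a in proved for x in proved)
        if not (is_axiom(tree) or by_separation):
            return False
        proved.append(tree)
    return True


# The derivation of (p → p) from 3.2.3, line by line.
P_IMPLIES_P = [
    "(p → ((p → p) → p))",
    "((p → ((p → p) → p)) → ((p → (p → p)) → (p → p)))",
    "((p → (p → p)) → (p → p))",
    "(p → (p → p))",
    "(p → p)",
]
```

`check_proof(P_IMPLIES_P)` returns True, while a list whose only line is `(p → p)` is rejected: that sentence matches none of the three forms, and nothing earlier lets separation produce it.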

3.2.4 Meaning

We will use induction to define the truth value of every sentence. What we want to do is to define a function whose input is a sentence and whose output is true/false. At this stage we can't do this, since we need more infrastructure. Instead, let's define the truth values for sentences by truth tables:

X  Y  | (X ∨ Y)
T  T  | T
T  F  | T
F  T  | T
F  F  | F

X  Y  | (X ∧ Y)
T  T  | T
T  F  | F
F  T  | F
F  F  | F

X  Y  | (X → Y)
T  T  | T
T  F  | F
F  T  | T
F  F  | T

X  | (¬X)
T  | F
F  | T

Next, note that we have things here that we don't need. For instance, if we look at:

X  Y  | (¬X)  | ((¬X) ∨ Y)
T  T  | F     | T
T  F  | F     | F
F  T  | T     | T
F  F  | T     | T

this is equivalent to (X → Y):

((¬X) ∨ Y) ≡ (X → Y)

We can "live" without the →, which we can replace with ¬ and ∨.

We can look for a minimal list of signs that will be enough for all the truth tables.

Claim: using ∨ (Or), ∧ (And) and ¬ (Not), we can express any truth table. For instance, let's express the following table using ¬, ∧ and ∨ (the symbol of the connective is lost here; it is true exactly when X and Y differ, the exclusive or):

X  Y  | ?
T  T  | F
T  F  | T
F  T  | T
F  F  | F

((X ∧ (¬Y)) ∨ ((¬X) ∧ Y))

Claim: using "leads to" → and "Not" ¬ alone, we can denote any other connective. For now, we do not prove this claim.

Claim: anything we can deduce from the axiomatic system is always true. In other words, every theorem of the axiomatic system is a tautology. We prove this using induction.

For the atoms, the axioms, we need to show that each is always true.

(X → (Y → X)): for this to be false, X must be true and (Y → X) must be false. But if X is true, then (Y → X) is true according to the truth table, so (X → (Y → X)) is true.

A  B  | (A → B)
T  T  | T
T  F  | F
F  T  | T
F  F  | T

As for the second axiom, ((X → (Y → Z)) → ((X → Y) → (X → Z))): for it to be false, (X → (Y → Z)) must be true and ((X → Y) → (X → Z)) must be false, so (X → Y) must be true and (X → Z) must be false. (X → Z) being false means that X is true and Z is false. From (X → Y) being true with X true, Y is true. Then (Y → Z) is false according to the truth table, so (X → (Y → Z)) is false, in contradiction to our assumption that it is true.

Now, let's look at (((¬X) → (¬Y)) → (Y → X)). Convince yourself that this is always true.

End of proof, for the action: if X is always true and (X → Y) is always true, then Y is always true. The only row of the truth table where X is true and (X → Y) is true is the row where Y is also true.

We introduce a new symbol: ⊨ X means that X is always true (a tautology). So, what did we prove?

⊢ X ⇒ ⊨ X
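The truth-table semantics of 3.2.4 and the claims of this section can be checked mechanically. The following is an added example in Python, not code from the notes: sentences are nested tuples built by small helpers (an encoding assumed here, chosen so that no parser is needed), `evaluate` applies the truth tables by induction on the structure, `is_tautology` checks every row, and `from_table` carries out the claim that ¬, ∧ and ∨ express any truth table, by building one conjunction of literals per true row and joining them with ∨. It is run on the three axiom forms, on the soundness of separation, on ((¬X) ∨ Y) ≡ (X → Y), and on the exclusive-or table above.

```python
"""Truth-table semantics: evaluating sentences, tautologies, and building a sentence from any table."""
from itertools import product
from typing import Dict, List, Sequence, Tuple

# Sentences as nested tuples, built with the helpers below:
#   ('atom', 'p'), ('¬', X), ('∧', X, Y), ('∨', X, Y), ('→', X, Y)
def atom(name: str) -> tuple: return ("atom", name)
def neg(x: tuple) -> tuple: return ("¬", x)
def conj(x: tuple, y: tuple) -> tuple: return ("∧", x, y)
def disj(x: tuple, y: tuple) -> tuple: return ("∨", x, y)
def imp(x: tuple, y: tuple) -> tuple: return ("→", x, y)


def evaluate(t: tuple, v: Dict[str, bool]) -> bool:
    """The truth tables of 3.2.4, applied by induction on the structure of the sentence."""
    op = t[0]
    if op == "atom":
        return v[t[1]]
    if op == "¬":
        return not evaluate(t[1], v)
    a, b = evaluate(t[1], v), evaluate(t[2], v)
    return {"∧": a and b, "∨": a or b, "→": (not a) or b}[op]


def atoms_of(t: tuple) -> List[str]:
    names, stack = set(), [t]
    while stack:
        node = stack.pop()
        if node[0] == "atom":
            names.add(node[1])
        else:
            stack.extend(node[1:])
    return sorted(names)


def truth_table(t: tuple, names: Sequence[str] = ()) -> Dict[Tuple[bool, ...], bool]:
    """Row (values of the atoms, in the given order) -> value of the sentence."""
    names = list(names) or atoms_of(t)
    return {row: evaluate(t, dict(zip(names, row)))
            for row in product((True, False), repeat=len(names))}


def is_tautology(t: tuple) -> bool:
    return all(truth_table(t).values())


def equivalent(s: tuple, t: tuple) -> bool:
    """Same truth table over the atoms of both sentences."""
    names = sorted(set(atoms_of(s)) | set(atoms_of(t)))
    return truth_table(s, names) == truth_table(t, names)


def from_table(names: Sequence[str], table: Dict[Tuple[bool, ...], bool]) -> tuple:
    """The claim that ¬, ∧, ∨ express any truth table: one conjunction of literals per true row,
    joined by ∨ (disjunctive normal form). An all-false table becomes (p ∧ (¬p))."""
    def literal(name, value): return atom(name) if value else neg(atom(name))

    def row_conj(row):
        lits = [literal(n, val) for n, val in zip(names, row)]
        t = lits[0]
        for lit in lits[1:]:
            t = conj(t, lit)
        return t

    true_rows = [row for row, out in table.items() if out]
    if not true_rows:
        return conj(atom(names[0]), neg(atom(names[0])))
    t = row_conj(true_rows[0])
    for row in true_rows[1:]:
        t = disj(t, row_conj(row))
    return t


def to_text(t: tuple) -> str:
    """Render in the fully parenthesized syntax of 3.2.1."""
    if t[0] == "atom":
        return t[1]
    if t[0] == "¬":
        return f"(¬{to_text(t[1])})"
    return f"({to_text(t[1])} {t[0]} {to_text(t[2])})"


X, Y, Z = atom("X"), atom("Y"), atom("Z")
AXIOMS = [
    imp(X, imp(Y, X)),
    imp(imp(X, imp(Y, Z)), imp(imp(X, Y), imp(X, Z))),
    imp(imp(neg(X), neg(Y)), imp(Y, X)),
]
# Soundness of the action: whenever X and (X → Y) are true, Y is true.
SEPARATION_SOUND = imp(conj(X, imp(X, Y)), Y)
# The table to be expressed with ¬, ∧, ∨: true exactly when X and Y differ.
XOR_TABLE = {(True, True): False, (True, False): True, (False, True): True, (False, False): False}
```

`to_text(from_table(["X", "Y"], XOR_TABLE))` yields exactly the sentence written in the notes, ((X ∧ (¬Y)) ∨ ((¬X) ∧ Y)), and `truth_table` of that sentence reproduces XOR_TABLE, which is the whole content of the claim.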

4 Lecture 3 - March 18, 2009

4.1 What We've Done so Far

So far, we talked about the inductive set I(A, P) and characterized it in two ways:

Bottom-up: from the atoms you activate the actions.
Top-down (also known as declarative): you require that the set includes the atoms and is closed over the actions, and then you take the minimal such set.

We discussed propositional calculus. We defined a sentence using induction: we took the letters p, q, r, ... and then defined that if α, β, ... are sentences, then (α ∧ β) is also a sentence, (¬β) is also a sentence, and so on.

We defined a proof system. We showed that if we can prove a sentence, denoted ⊢ α, then the sentence is always true, ⊨ α. We used the axioms:

(β → (α → β))
((β → (α → δ)) → ((β → α) → (β → δ)))
(((¬α) → (¬β)) → (β → α))

Note that all of the axioms are tautologies, that is, they have the value T in every row of their truth tables:

α  β  | (α → β)  | (β → (α → β))
T  T  | T        | T
T  F  | F        | T
F  T  | T        | T
F  F  | T        | T

Action (separation, i.e. modus ponens):

⊢ (α → β)
⊢ α
---------
⊢ β

4.1.1 Example

α = (p → q)
β = ((¬p) → q)

Using Axiom 1:
((p → q) → (((¬p) → q) → (p → q)))

Using Axiom 2 (with X = α, Y = β, Z = α):
(((p → q) → (((¬p) → q) → (p → q))) → (((p → q) → ((¬p) → q)) → ((p → q) → (p → q))))

Separation:
(((p → q) → ((¬p) → q)) → ((p → q) → (p → q)))

The second characteristic, complementary in this sense: if something is always true, it can be proved.

⊨ α ⇒ ⊢ α

Semantics and syntax coincide in propositional calculus:

Syntax            Semantics
JAVA program      the meaning of the program
sentences         true/false
axioms, proof     tautology
⊢ α               ⊨ α

⊢ α ⇔ ⊨ α

4.1.2 Example

One of the main purposes of this course is learning how to define what a software system does. This is known as specification, or defining a software requirement.

"The system will perform the action quickly." Is this a satisfactory requirement? This is an undefined requirement and can cause the project to fail. Bad requirements cause projects by contract to fail.

Another problematic requirement: "The system should always be available." What is "always" and what is "available"?

"The system should respond to user requests within two thousandths of a second."
"The system should never lose data."

These are all problematic requirements. Our purpose is a very precise definition of system requirements. To do so, we will use the Z language. The Z language uses: set theory + relational calculus + types of sets (for example, a universe, needed for checking consistency). This means that we will only have members of the same type in a set, so that we can check consistency. We won't, for instance, have a set: {Subaru, Volvo, University of Haifa}

4.2 Our Main Running Example

We would like to create a system of glossaries (dictionaries) with specific relationships between the glossaries. The system will maintain consistency between hierarchies of glossaries.

Why do we need this system, and why do we need consistency? Many times, when you look at a series of written documents, each document is maintained at a certain level. At one level you can use the dictionary of the language in which it was written. But at a more specific level, the dictionary of the language is only a starting point; you also need a glossary of specific terms, which may contain terms that are used and defined differently than they are defined in the "language". New terms may also be added to the glossary. For instance, "CSP" (Constraint Satisfaction Problem) is not in the English language, but it will appear in the specific glossary. We might also have the term "thread", which in the dictionary is a string, but in the glossary will be overwritten by a type of execution process: something that has a control flow, but no heap memory of its own (something like a "light process"). We need to use the most relevant glossary for the term.

When defining terms, we have a problem: we don't want to use words that are too specific, words that will limit the implementation. For instance, if we define a communication protocol, we don't want to use the term "byte", because we want to leave the option of implementing the protocol using bytes, or words (2 bytes), or any other unit.

Observation: one of the interesting aspects is that if you are able to choose the correct, consistent set of terms, your requirements and definitions are much more accurate and productive (in the process of software development).

Next, we are going to try to define the hierarchy of the glossaries in the

Z language. This is not instead of the definition in words; it is complementary. For the definition, we first need some infrastructure.

We start by defining the set of letters:

AlephBet = {a, b, ..., z, A, B, ..., Z}

We need the AlephBet and the punctuation signs to define what strings are and to define what dictionary/glossary entries are. We further define:

Punctuation = {" ", ",", "!", "?", ...}

sign = AlephBet ∪ Punctuation

Next, we want to be able to define a word (term) and a sentence (which will later be used as the definition of the term). A word in a dictionary (we allow words without a logical meaning):

Words = ∪_{i=1}^{∞} A_i, where A_i = ×_{j=1}^{i} AlephBet = {(a_1, a_2, ..., a_i) | a_j ∈ AlephBet, 1 ≤ j ≤ i}

Here i is the length of the word and × is the Cartesian product. A Cartesian product of order i is the set of all possible strings of i letters from the AlephBet.

Example: for i = 3,

A_3 = AlephBet × AlephBet × AlephBet = {aaa, aab, aac, ..., abc, ..., zaa, zab, zac, ..., ZZZ}

a_1 a_2 a_3 ∈ A_3 ⇔ a_1 ∈ AlephBet ∧ a_2 ∈ AlephBet ∧ a_3 ∈ AlephBet

We further define sentences:

Sentences = ∪_{i=1}^{∞} P_i, where P_i = ×_{j=1}^{i} sign

We define the length # of strings:

#W = i ⇔ W ∈ A_i
#S = i ⇔ S ∈ P_i

For example: #(aaa) = 3, #(abc) = 3.

A glossary/dictionary will be a set of pairs: terms (words) and the sentences that make up their definitions. For instance:

{("dog", "an animal with four legs"), ("cat", "an animal with four legs that does not bark")}

We continue by defining the substring function:

substring(W, S) : Words × Sentences → {True, False}
∀W ∈ Words, ∀S ∈ Sentences: substring(W, S) = True ⇔ ∃i ∈ N such that ∀j with i ≤ j < #W + i: W(j − i) = S(j)

Meaning: substring is a function from the Cartesian product of Words and Sentences to {True, False}. A function is something that connects each member of the source to a single member of the destination. Our source is the Cartesian product of words and sentences; our destination is {True, False}. ⇔ means "if and only if", and W(j) means the j-th character of the word (counting from zero).

Examples:

substring(abc, atzbc) = False
substring(abc, ztabcr) = True

Here #W = #(abc) = 3. With i = 2, we look at the indexes j from i = 2 up to #W + i = 5, not including 5, and check W(j − i) = S(j):
For j = 2: W(0) = S(2) = "a"
For j = 3: W(1) = S(3) = "b"
For j = 4: W(2) = S(4) = "c"

Another example: S = "I'm going home", W = "home". Starting with index zero, S(0) = "I". Take i = 10 and #W = 4, so j runs over i ≤ j < i + #W, that is, from 10 (inclusive) up to 13 (inclusive):
S(10) = W(0) = "h"
S(11) = W(1) = "o"
S(12) = W(2) = "m"
S(13) = W(3) = "e"

Therefore, the word "home" is a substring of the sentence "I'm going home".

4.3 Hierarchy of Dictionaries

k dictionaries (glossaries): D_1, ..., D_k ∈ P(Words × Sentences). Each D_i, i = 1, 2, ..., k, is a dictionary (glossary), where × is the Cartesian product and P is the power set, the set of all subsets. Each glossary D_i in the hierarchy maintains a relationship between its words and their meanings (as pairs (W, S) of a word and its meaning). For example:

D_1 = {("dog", "something that barks"), ("cat", "something my wife keeps at home")}

First rule:

∀i ∈ {1, ..., k} ∀(W1, S1) ∈ D_i ∀(W2, S2) ∈ D_j such that j > i: W2 ≠ W1 ∧ ¬substring(W2, S1)

k is the same k as above. Explanation in words: in glossary D_i you can't use a word of a later glossary D_j (j > i), neither as a term nor inside a definition sentence. This means that in the sentence S1 we can't use words that we will define later in D_j, j > i.

Note that the following is a tautology:

⊨ (¬a ∧ ¬b) ↔ ¬(a ∨ b)

You can convince yourself using the truth table of the "if and only if" relationship p ↔ q:

p  q  | p ↔ q
t  t  | t
t  f  | f
f  t  | f
f  f  | t

Next time we will start by adding additional rules to the Hierarchy of Glossaries.

5 Lecture 4 - March 25, 2009

5.1 In this and Upcoming Lectures

• Hierarchy of glossaries: continued rules for glossary design
• Sets
• Types
• Cartesian product sets
• Functions
• Bijective functions
• Equivalence classes
• Fixed point theorem

5.2 Hierarchy of Continued Rules for Glossary Design

Another rule: within one level, different entries have different words and different sentences.

∀(W1, S1) ∈ D_i ∀(W2, S2) ∈ D_i: (W1, S1) ≠ (W2, S2) ⇒ W1 ≠ W2 ∧ S1 ≠ S2

We define the result type:

Result = {OK, OKDup, FailedAbstract, FailedDup}

For i = 1, ..., k we define:

completeD_i = {(W, S) | ∃ 1 ≤ j ≤ i such that (W, S) ∈ D_j ∧ ¬(∃ r > j such that (W, S) ∈ D_r)}

where (W, S) ∈ Words × Sentences. These are the terms that are allowed for use at the i-th level.

Action: adding a word and a definition (W?, S?) ∈ Words × Sentences to D_i. In the Z language the action is termed a schema; "?" marks an input and "!" marks an output of the action.

i? : N
(W?, S?) : Words × Sentences
res! : Result

We want to return a result of the Result type that we defined before. D_i' denotes the state of the dictionary after the action:

(∃ k ≥ j > i?, ∃(W1, S1) ∈ D_j such that W1 = W? ∨ substring(W1, S?)) ∧ res! = FailedAbstract
∨ (∃(W1, S1) ∈ D_i? such that W1 = W?) ∧ res! = FailedDup
∨ (∃ 1 ≤ j ≤ i?, (W1, S1) ∈ D_j ∧ W1 = W?) ∧ D_i?' = D_i? ∪ {(W?, S?)} ∧ res! = OKDup
∨ D_i?' = D_i? ∪ {(W?, S?)} ∧ res! = OK

OKDup means that we may define again a term that was defined at a previous level. Note that the four cases are meant to be tried in this order: as written, the OKDup condition with j = i? overlaps with FailedDup, and the last case overlaps with all the others, so each case is understood to apply only when the cases before it do not.

Next, we prove by induction on the action that if we start with the dictionary D_i = ø (the atom) and take the schema as the only action, then we can use the inductive-set proof method to show that all resulting dictionaries maintain the rules. Intuitively this is clear, since our only action adds an entry without breaking the rules.
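The substring function of 4.2, the two rules of 4.3 and 5.2, completeD_i and the add schema can all be executed on a small hierarchy. The following is an added example in Python, not code from the notes or a Z tool: a glossary level is a set of (word, sentence) pairs, the hierarchy is the list [D_1, ..., D_k], `substring` is written out with the indexes of the definition rather than with Python's `in`, and `add_entry` tries the four cases of the schema in the order they are written and returns res!. The two-level sample hierarchy (a general dictionary and a project glossary) is constructed for this example.

```python
"""Model of the glossary hierarchy: substring (4.2), the two rules and the add action (4.3, 5.2)."""
from typing import List, Set, Tuple

Entry = Tuple[str, str]        # (W, S): a word and the sentence that defines it
Hierarchy = List[Set[Entry]]   # [D_1, ..., D_k]; index i - 1 holds D_i


def substring(W: str, S: str) -> bool:
    """substring(W, S) = True ⇔ ∃i ∈ N such that ∀j, i ≤ j < #W + i: W(j − i) = S(j).
    Only start positions i for which every S(j) exists are tried."""
    for i in range(len(S) - len(W) + 1):
        if all(W[j - i] == S[j] for j in range(i, len(W) + i)):
            return True
    return False


def first_rule(D: Hierarchy) -> bool:
    """∀i ∀(W1,S1) ∈ D_i ∀(W2,S2) ∈ D_j, j > i: W2 ≠ W1 ∧ ¬substring(W2, S1)."""
    k = len(D)
    return all(W2 != W1 and not substring(W2, S1)
               for i in range(k) for j in range(i + 1, k)
               for (W1, S1) in D[i] for (W2, S2) in D[j])


def second_rule(D: Hierarchy) -> bool:
    """Within one level, distinct entries have distinct words and distinct sentences."""
    return all(W1 != W2 and S1 != S2
               for Di in D for (W1, S1) in Di for (W2, S2) in Di if (W1, S1) != (W2, S2))


def complete(D: Hierarchy, i: int) -> Set[Entry]:
    """completeD_i = {(W,S) | ∃ 1 ≤ j ≤ i: (W,S) ∈ D_j ∧ ¬(∃ r > j: (W,S) ∈ D_r)}, as written in 5.2."""
    k = len(D)
    return {e for j in range(i) for e in D[j]
            if not any(e in D[r] for r in range(j + 1, k))}


def add_entry(D: Hierarchy, i: int, W: str, S: str) -> str:
    """The add schema of 5.2 with inputs i?, W?, S?; D_i is updated in place and res! is returned.
    The four cases are tried in the order they are written."""
    k = len(D)
    if any(W1 == W or substring(W1, S) for j in range(i, k) for (W1, _) in D[j]):
        return "FailedAbstract"   # a deeper level j > i already defines W, or S uses one of its terms
    if any(W1 == W for (W1, _) in D[i - 1]):
        return "FailedDup"        # W is already defined at this very level
    D[i - 1].add((W, S))
    if any(W1 == W for j in range(i - 1) for (W1, _) in D[j]):
        return "OKDup"            # W re-defines a term of an earlier, more general level
    return "OK"


def sample() -> Hierarchy:
    """Constructed two-level hierarchy: a general dictionary D_1 and a project glossary D_2."""
    D1 = {("dog", "an animal that barks"), ("cat", "an animal that does not bark")}
    D2 = {("CSP", "a constraint satisfaction problem")}
    return [D1, D2]
```

Adding ("solver", "a program for a CSP") to D_1 of the sample fails with FailedAbstract, because "CSP" is defined one level deeper and the first rule forbids using it in a D_1 sentence. Note also that an OKDup result re-defines a word from an earlier level, which the first rule as literally stated (W2 ≠ W1) forbids, while the "thread" example of 4.2 shows that re-definition at a more specific level is intended; a real specification has to reconcile that clause of the rule with the OKDup case of the schema.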

Part III

Exercises

6 Exercise 1 - March 05, 2009

6.1 Introduction

We will start with predicate calculus. From the predicate calculus, we derive the semantics. From the semantics, we will derive verification using invariants.

6.1.1 Predicate Calculus

Predicate calculus is, in essence, a proving system. If you want to use it, you choose a language (basic terms such as "+" or "period") and a collection of axioms, and then you can start deriving formal conclusions from the axioms. Propositional calculus will describe what a valid conclusion is.

6.1.2 Semantics

Semantics are used to investigate the meaning associated with the syntax. To derive semantically means that something is true in any model in which the axioms are true.

6.1.3 What is a proof?

A proof must be based on axioms. Otherwise, proving that 1 plus 1 equals 2 takes more than 200 pages.

6.2 Logics

6.2.1 Sets

Different ways to write sets:

1. Curly brackets, {}, with the set's members inside:
(a) An explicit list of members in brackets. For instance: {1, 2, 70}
(b) A list that shows a rule. For instance: {0, 1, 2, 3, ...}
(c) A common attribute. For instance: {i : i is an even number}

2. By giving the set a name, using a known letter. For instance: N ≡ the natural numbers

6.2.2 Basic Terms

• In: x ∈ A, the member x belongs to the set A
• Subset: A ⊆ B, the set A is a subset of the set B if for every x ∈ A it also holds that x ∈ B
  – If A ⊆ B, then we say that A is a subset of B
  – Note: the empty set {}, also written ø, is a subset of every set
• Proper subset: A ⊂ B, if for every x ∈ A it also holds that x ∈ B, and there exists at least one x0 ∈ B such that x0 ∉ A
• Equality of sets: two sets A and B are equal, A = B, if A and B have the same members. Equality of sets is proved using two-way containment.

6.2.3 Actions between Sets

• Union: A ∪ B = {x : x ∈ A or x ∈ B}
• Intersection: A ∩ B = {x : x ∈ A and x ∈ B}
• Subtraction (difference): A \ B = {x : x ∈ A and x ∉ B}
• Complement: A^c = {x : x ∉ A}. Note that for the complement you have to know over which world (universe) you are working.
• Disjoint sets: A and B such that A ∩ B = ø

6.2.4 Example #1

Given that:

Scandinavian = {Denmark, Finland, Norway, Sweden, Iceland}
Benelux = {Belgium, Netherlands, Luxembourg}

What are:
Scandinavian \ Benelux = ?
Scandinavian ∩ Benelux = ?

Additional exercises to think about:
Scandinavian ∪ Benelux = ?
Given that the world is all the countries in the world: Scandinavian^c = ?

6.2.5 Example #2

Prove formally that: A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C)

Proof:
1. We prove that A ∩ (B ∪ C) ⊆ (A ∩ B) ∪ (A ∩ C).
2. We prove that (A ∩ B) ∪ (A ∩ C) ⊆ A ∩ (B ∪ C).
It then follows that A ∩ (B ∪ C) = (A ∩ B) ∪ (A ∩ C).

Additional exercises to think about. Prove formally that:
1. A ∪ (B ∩ C) = (A ∪ B) ∩ (A ∪ C)
2. (A ∩ B) ∪ (A \ B) = A

6.2.6 Example #3

Venn Diagram:

• Color the area that is A ∪ B
• Color the area that is (A ∩ B) ∪ C

Additional exercises to think about:
• Color the area that is (A \ C) ∪ (B \ C)
• Color the area that is (B \ A) ∪ C

6.3 Truth Tables

Truth tables for logical relationships:

• not relationship: ¬
• or relationship: ∨
• and relationship: ∧

p  | ¬p
t  | f
f  | t

p  q  | p ∨ q  | p ∧ q
t  t  | t      | t
t  f  | t      | f
f  t  | t      | f
f  f  | f      | f

"if then" relationship, p → q:

p  q  | p → q
t  t  | t
t  f  | f
f  t  | t
f  f  | t

"if and only if" relationship, p ↔ q:

p  q  | p ↔ q
t  t  | t
t  f  | f
f  t  | f
f  f  | t

6.3.1 Example #4

Build a truth table for the statement: ((p ∧ q) ∨ r)

An exercise to think about: build a truth table for the statement: ((p ∨ q) ∧ (q ∨ r))

6.4 Logical Equivalence

Definition: two statements are logically equivalent if they have the same truth value under every assignment to their atoms or, in other words, if they have the same truth tables.

6.4.1 Example #5

Prove that p ↔ q and ((p → q) ∧ (q → p)) are logically equivalent.

6.4.2 Logical Quantifiers

• There exists: ∃
• For all: ∀

6.4.3 Example #6

Claim: "Beethoven was a composer of opera". A different way to write it: "There is an opera such that Beethoven was its composer". Or, in a mathematical way:

∃x : opera - Beethoven was the composer of x

Another claim: "Sao Paolo is bigger than any city in Europe". A different way to write it: "For every city c, if c is in Europe, then Sao Paolo is bigger than c". Or, in a mathematical way:

∀c : city - c is in Europe ⇒ Sao Paolo is bigger than c

In a different mathematical way, ∀p is the same as ¬∃¬p:

¬∃c : city - ¬(c is in Europe ⇒ Sao Paolo is bigger than c)

This is an example of transferring ∀ to ∃.

6.4.4 A More Complicated Example

"There is a certain country to which Sao Paolo belongs, and Sao Paolo is bigger than any other city in that country."

∃co : country - Sao Paolo is in co ∧ ∀ci : city - (ci is in co ∧ ¬(ci is Sao Paolo)) ⇒ Sao Paolo is bigger than ci

Additional exercises to think about:

∃p : person - ∀n : person - n is a neighbor of p ⇒ p never speaks to n

∀p : person - ∃n : person - ∀t : person - ¬(n = t) ⇒ ¬(n lives with t) ∧ p knows n

6.5 Inductive Definition

Given that:
• X: the world over which the set is built
• A: the core set (the atoms), a subset of X
• P: a set of creation actions

The set I(A, P) is the set that maintains the following requirements (listed after the example).

6.5.1 Example

For example: X is the set of real numbers R, A = {0}, P = {f+} with f+(x) = x + 1 ⇒ I(A, P) = N.

The requirements:
1. A is a subset of I(A, P): A ⊆ I(A, P)
2. Closure over the actions in P: if f ∈ P is an action with n arguments, and x1, x2, ..., xn ∈ I(A, P), then f(x1, x2, ..., xn) ∈ I(A, P)
3. Minimality: for every set Z that maintains both conditions 1 and 2, I(A, P) ⊆ Z

6.5.2 Examples

1. Vectors with an operation: vector w receives c times w. Answer: the straight line (the span of the vector v).
2. {1} with x → 2x as the operation (the powers of two, 2^N).
3. Lattice: start with (0, 0); the action: (x, y) → (x, y + 1) or (x + 1, y) or (x, y − 1) or (x − 1, y).
4. Towers of Hanoi: the rule is that you can only put smaller pieces on larger pieces. Then we can ask whether a certain legal configuration exists in I(A, P). Can we use I(A, P) to check whether the solution can be reached?
5. Chess game.

6.5.3 Proving Using Induction

Look at the following computer program:

while (x > 0) {
    x = x − 1
}

For instance, we can look at the case where, at the beginning, x = 3. We can therefore see the connection between the execution plan and the inductive set. How can we prove things about it using induction? We need to prove that x will always be greater than or equal to zero: for every x ∈ I(A, P), x ≥ 0.

1. We choose a first atom, for instance n = 1, and since n ≥ 0, we have proved the claim for the atom.
2. Suppose we have members that are all ≥ 0. We need to show that they are still ≥ 0 after activating the action. There are two possibilities: either the number we selected was zero, in which case we do not perform the subtraction and it remains zero; or the number we chose was greater than zero, so after subtracting 1 it is still ≥ 0.

7 Exercise 2 - March 12, 2009

7.1 In the Previous Exercise (1)

• We discussed the basics of logic and reminded ourselves of key definitions
• We discussed the basics of truth tables and the representation of some basic relationships using truth tables
• We discussed the basic way to prove logical equivalence
• We reached the basic definition of the inductive set and the inductive form of definition

7.2 Inductive Definition

Given that:
• X: the world over which the set is built
• A: the core set (the atoms), a subset of X
• P: a set of creation actions

The set I(A, P) is the set that maintains the following requirements (listed after the example).

7.2.1 Example

For example: X is the set of real numbers R, A = {0}, P = {f+} with f+(x) = x + 1 ⇒ I(A, P) = N.

The requirements:
1. A is a subset of I(A, P): A ⊆ I(A, P)
2. Closure over the actions in P: if f ∈ P is an action with n arguments, and x1, x2, ..., xn ∈ I(A, P), then f(x1, x2, ..., xn) ∈ I(A, P)
3. Minimality: for every set Z that maintains both conditions 1 and 2, I(A, P) ⊆ Z

7.2.2 Examples

1. Vectors with an operation: vector w receives c times w. Answer: the straight line (the span of the vector v).
2. Lattice: start with (0, 0); the action: (x, y) → (x, y + 1) or (x + 1, y) or (x, y − 1) or (x − 1, y).
3. Towers of Hanoi: the rule is that you can only put smaller pieces on larger pieces. Then we can ask whether a certain legal configuration exists in I(A, P). Can we use I(A, P) to check whether the solution can be reached?
4. Chess game.

7.2.3 Proving Using Induction

Look at the following computer program:

while (x > 0) {
    x = x − 1
}

For instance, we can look at the case where, at the beginning, x = 3. We can therefore see the connection between the execution plan and the inductive set. We need to prove that x will always be greater than or equal to zero. That is, for every x ∈ I(A, P), x ≥ 0. How can we prove it using induction?

1. We choose a first atom, for instance n = 1, and since n ≥ 0, we have shown for the atom that x ≥ 0.
2. Suppose we have members that are all ≥ 0. We need to show that they are still ≥ 0 after the activation of the action. There are two possibilities: either the number we selected was zero, in which case we do not perform the subtraction and it remains zero; or the number we chose was greater than zero, so after subtracting 1 it is still ≥ 0.

7.3 Example Program #1

Let's look at the following program:

x = a+b;
y = a-b;
while ((a+b)(a-b) > 0) {
    a = a+1;
    x = a+b;
    y = a-b;
}

Next, we mark each row with a line number:

1. x = a+b;
2. y = a-b;
3. while ((a+b)(a-b) > 0) {
4. a = a+1;
5. x = a+b;
6. y = a-b;
7. }

The following diagram roughly describes the execution plan (control flow):

Let's look at the information known at the entrance to each command:

1. x = a+b;                        ø
2. y = a-b;                        a+b
3. while ((a+b)(a-b) > 0) {        a+b, a-b
4. a = a+1;                        a+b, a-b, (a+b)(a-b)
5. x = a+b;                        ø
6. y = a-b;                        a+b
7. }                               a+b, a-b

Next, we attempt to describe the world of our knowledge in terms of the paths that lead to each row and the information added in each row:

(1, P) → (1, P ∪ {a+b})

This statement means that when entering row 1, we add the knowledge of (a+b) to any knowledge we had before.

(1, P), (2, Q) → (2, P ∪ Q ∪ {a-b})

(6, P), (2, Q), (3, R) → (3, (P ∩ Q) ∪ R ∪ {a+b, a-b, (a+b)(a-b)})

This statement means that we can reach row 3 from either row 2 or row 6. The reason for the intersection ∩ between P and Q is that we want to know for certain what the information is when entering row 3; only by taking the intersection can we be sure that the information is known on every path. When activating row 3, we calculate the additional information (a+b), (a-b), (a+b)(a-b), which is therefore added to our knowledge.

(3, P), (4, Q) → (4, (P ∪ Q) \ {anything containing a})

(4, P), (5, Q) → (5, P ∪ Q ∪ {a+b})

(5, P), (6, Q) → (6, P ∪ Q ∪ {a-b})

8 Exercise 3 - March 17, 2009

8.1 In the Previous Exercise (2)

• We discussed the definition of the inductive set
• We discussed the uses of inductive sets in proofs
• We went through a test-case example of a small, simple computer program

8.2 Example Program #2

Let's look at the following program:

if (a < b) {
    x = b-a;
    y = a-b;
} else {
    z = b-a;
    t = a-b;
}

We quickly realize that a more optimal execution would have done the following (assuming this code segment is within a loop), computing the two expressions once and reusing the results:

r = b-a;
f = a-b;
if (a < b) {
    x = r;
    y = f;
} else {
    z = r;
    t = f;
}

If, when entering the first "if" statement, we had already calculated (b-a) and (a-b), we could refrain from calculating them again. We would like to see a visualization of this in the inductive set, meaning that the knowledge of (b-a) and (a-b) at the "if" statement could help. We would like to associate each program location with the set of expressions that are used, if calculated, along any path up to the exit from the code segment.

Next, we mark each row with a line number:

1. if (a < b) {
2.     x = b-a;
3.     y = a-b;
   } else {
4.     z = b-a;
5.     t = a-b;
   }

The following diagram shows the execution plan (control flow):


We mark the rows as actions 1 through 5. We start with the set of atoms:

A0 = {(1, ø), (2, ø), (3, ø), (4, ø), (5, ø)}

Next, we attempt to describe the world of our knowledge in terms of the paths that lead to each row and the information that is added in each row, but in reverse execution order:

(5, P) → (5, P ∪ {a-b})

This statement means that when entering row 5, we add to any knowledge that we had before the knowledge of (a-b). Similarly:

(3, P) → (3, P ∪ {a-b})

(5, P), (4, Q) → (4, P ∪ Q ∪ {b-a})

This means that in the execution order, we can get to row 5 only from row 4. So, in reverse execution order, row 4 follows row 5 and adds the information of (b-a). Similarly:

(3, P), (2, Q) → (2, P ∪ Q ∪ {b-a})

Finally, we add:

(2, P), (4, Q), (1, R) → (1, (P ∩ Q) ∪ R)

This means that from row 1 we can go to either row 2 or row 4. So, in reverse execution order, we reach row 1 either from row 2 or from row 4. If we want to know the information that is known for certain, it is the intersection ∩ of the information known from rows 2 and 4, together with the additional information added in row 1.

Note: If we had something like a = a+1, then (a+b) and (a-b) would have been deduced before exiting the code segment.

Now, let’s try to activate the rules:

From the rule: (5, P) → (5, P ∪ {a-b})
Activated on: (5, ø)
(5, ø) → (5, {a-b})

From the rule: (3, P) → (3, P ∪ {a-b})
Activated on: (3, ø)
(3, ø) → (3, {a-b})

From the rule: (5, P), (4, Q) → (4, P ∪ Q ∪ {b-a})
Activated on: (5, {a-b}) and (4, ø)
(5, {a-b}), (4, ø) → (4, {a-b, b-a})

From the rule: (3, P), (2, Q) → (2, P ∪ Q ∪ {b-a})
Activated on: (3, {a-b}) and (2, ø)
(3, {a-b}), (2, ø) → (2, {a-b, b-a})

From the rule: (2, P), (4, Q), (1, R) → (1, (P ∩ Q) ∪ R)
Activated on: (2, {a-b, b-a}), (4, {a-b, b-a}) and (1, ø)
(2, {a-b, b-a}), (4, {a-b, b-a}), (1, ø) → (1, {a-b, b-a})

We are looking for all the expression results that we will use in the future: expression results that we know will not change along any path until the exit of the code segment. We have reached a fixed point, since after we activate the rules again, nothing changes.
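The same activation of the rules, carried out mechanically as a fixed-point iteration. This is an added example and not code from the notes; the row numbers and the rules are those of Example Program #2 above, and each rule is written as a function from the current knowledge (row → set of expressions) to the new set of one row.

```python
# Added example, not from the notes: the rules of Example Program #2 run as a
# fixed-point iteration, the same "activate the rules until nothing changes"
# procedure the notes carry out by hand. Knowledge is a dict row -> frozenset
# of expressions; each rule maps the current knowledge to the new set of one row.

EMPTY = frozenset()


def fixpoint(atoms, rules):
    """Start from the atoms and activate every rule on the current knowledge
    until a full round changes nothing. Returns (knowledge, rounds)."""
    know = dict(atoms)
    rounds = 0
    while True:
        rounds += 1
        # every rule reads the knowledge of the previous round (one rule per row)
        new = {row: frozenset(rule(know)) for row, rule in rules}
        if new == know:
            return know, rounds
        know = new


# Rules of section 8.2, in reverse execution order:
#   (5,P)             -> (5, P u {a-b})
#   (3,P)             -> (3, P u {a-b})
#   (5,P),(4,Q)       -> (4, P u Q u {b-a})
#   (3,P),(2,Q)       -> (2, P u Q u {b-a})
#   (2,P),(4,Q),(1,R) -> (1, (P n Q) u R)     intersection: known on both paths
PROGRAM2_RULES = [
    (5, lambda k: k[5] | {"a-b"}),
    (3, lambda k: k[3] | {"a-b"}),
    (4, lambda k: k[5] | k[4] | {"b-a"}),
    (2, lambda k: k[3] | k[2] | {"b-a"}),
    (1, lambda k: (k[2] & k[4]) | k[1]),
]


def program2_knowledge():
    """I(A, P) for Example Program #2: the expressions certain to be used on
    every path from each row to the exit of the segment."""
    atoms = {row: EMPTY for row in range(1, 6)}
    return fixpoint(atoms, PROGRAM2_RULES)


if __name__ == "__main__":
    know, rounds = program2_knowledge()
    for row in sorted(know):
        print(row, sorted(know[row]))
    print("fixed point after", rounds, "rounds")
```

The knowledge at row 1 is exactly the set of expressions that can be computed once before the "if" statement.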


8.3 Differences between Syntax and Semantics

Let’s start with an example. Assume the following induction set I(A, P) is a description of a language, "pq" (a new language I just invented):

X = {e : e is a series of the signs p, q, -} = {p, q, -}*
A = {pq}
P = {f, g}

where f is the action that adds a "-" at the beginning and at the end, and g is the action that adds a "-" at the end and in the middle.

A few examples of "words" in this language are:

• pq
• −pq−
• −−pq−−
• −−p−q−−−

When explaining formal languages, we can use explanations of:

1. syntax
2. semantics (meaning)

Returning to the example, let’s try and give semantics to our newly created language, pq. For instance, let’s see what we get from the semantics that defines:

• − = 1
• −− = 2
• ...

We further translate:

• p as +
• q as =

Then the outcome will be mathematical exercises.
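The pq language built as an inductive set (syntax) and then read as arithmetic (semantics). This is an added example, not code from the notes; reading "in the middle" as "between p and q" follows the word −−p−q−−− above and is an assumption of this code.

```python
# Added example, not from the notes: the "pq" language of this section as an
# inductive set I(A, P) with A = {"pq"} and P = {f, g}, then the semantics
# "-" = 1, "--" = 2, ..., p = +, q = =. Reading "in the middle" as "between p
# and q" follows the notes' word --p-q--- and is an assumption of this code.


def f(word):
    """f: add a '-' at the beginning and at the end."""
    return "-" + word + "-"


def g(word):
    """g: add a '-' at the end and one in the middle, i.e. just before q."""
    q = word.index("q")
    return word[:q] + "-" + word[q:] + "-"


def pq_words(depth):
    """Members of I(A, P) reachable with at most `depth` applications of f, g
    (the full set is infinite; this is the syntax side of the example)."""
    words = {"pq"}
    frontier = {"pq"}
    for _ in range(depth):
        frontier = {op(w) for w in frontier for op in (f, g)} - words
        words |= frontier
    return words


def meaning(word):
    """Semantics: dashes before p, between p and q, after q, as numbers."""
    p, q = word.index("p"), word.index("q")
    return (word[:p].count("-"), word[p + 1:q].count("-"), word[q + 1:].count("-"))


def as_exercise(word):
    """Render the word as the arithmetic exercise it denotes, e.g. '2 + 1 = 3'."""
    a, b, c = meaning(word)
    return f"{a} + {b} = {c}"


def is_true_exercise(word):
    """Under this semantics every word of the language is a correct addition;
    a string such as -p-q- is a valid sign series but not a word of I(A, P)."""
    a, b, c = meaning(word)
    return a + b == c
```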


8.3.1 Power Set

Definition: The power set of a set A is the set of all the possible subsets of A.

Notation: P(A) = power set of A, P(A) = {S : S ⊆ A}

What is |P(A)| (the size of P(A))? |P(A)| = 2^|A|

8.3.2 Example

Given: A = {1, 2}
P(A) = {ø, {1}, {2}, {1, 2}}

Questions:
• Is 2 ∈ P(A)? - No
• Is {2} ⊆ P(A)? - No
• Is {2} ∈ P(A)? - Yes

8.3.3 Example

Suppose we define the following inductive set:

X = N, the set of natural numbers
A = {i : i > 1 ∧ i is odd}
P = {f1}, where f1(x) = 2x

Question: what is I(A, P)? Let’s denote I_first = I(A, P).

Let’s look at a few example sets:

I1 = {1, 3, 5, 7, ...}
I2 = {0, 1, 2, 3, ...}
I3 = {3, 5, 6, 7, 8, 10, 11, 13, ...} = {i ∈ N : i ≠ 0 ∧ i is not a power of 2}

Is I1 = I_first? I1 ≠ I_first because I1 maintains the first trait, but I1 does not maintain the second trait: f1(1) = 2 ∉ I1.

Is I2 = I_first? I2 maintains the first and second traits, but I2 does not maintain the third trait, because I3 ⊂ I2 and I3 maintains traits 1 and 2. Therefore, I2 is not minimal.

Our guess is that I3 = I_first.
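A computational check of the guess, added here and not part of the notes: the closure of the atoms under f1 is built below a bound and compared with I3 below the same bound (doubling never decreases a number, so the cut-off loses nothing).

```python
# Added example, not from the notes: checking the guess that I(A, P) for
# A = {i : i > 1 and i odd}, P = {f1}, f1(x) = 2x equals
# I3 = {i in N : i != 0 and i is not a power of 2}, by building the closure
# below a bound and comparing it with I3 below the same bound.


def inductive_closure(bound):
    """Smallest set containing the atoms and closed under f1, restricted to
    numbers <= bound (doubling never goes down, so the cut-off is exact)."""
    atoms = set(range(3, bound + 1, 2))               # odd numbers > 1
    result = set(atoms)
    frontier = set(atoms)
    while frontier:
        frontier = {2 * x for x in frontier if 2 * x <= bound} - result
        result |= frontier
    return result


def i3(bound):
    """I3 below the bound: i & (i - 1) == 0 holds exactly for powers of two
    (i >= 1), so the test keeps every other nonzero number."""
    return {i for i in range(1, bound + 1) if i & (i - 1) != 0}


def guess_holds(bound):
    """True when the closure and I3 agree on every number up to the bound."""
    return inductive_closure(bound) == i3(bound)
```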


8.3.4 Example

Let X be a set whose members are sets: X = {A_i}_{i=0}^{k}, where every A_i is a set. Furthermore, we define:

∪X = {a : a ∈ A_i for some A_i ∈ X}
∩X = {a : a ∈ A_i for every A_i ∈ X}

Example: X = {{1, 2, 3}, {5, 6}, {4}}
∪X = {1, 2, 3, 4, 5, 6}
∩X = ø

We define for every i ∈ N: A = {A_i}_{i=0}^{∞}, A_i = {1, 2, 3, ..., i}

Questions:
• What is A0? A0 = ø
• What is A5? A5 = {1, 2, 3, 4, 5}
• Is {1, 2, 3} ∈ A? Yes: A3 = {1, 2, 3} ∈ A
• Is {2, 3, 4} ∈ A? No
• Is {1, 2, 3} ⊆ A? No, because for instance 1 ∉ A
• What is ∪A? N \ {ø}
• What is ∩A? {1}

For instance, how do you prove that ∪A = N \ {ø}? We prove that using bi-directional containment.

We begin by defining for every i ∈ N: B_i = {i · n : n ∈ N}

Questions:
• What is B3? {0, 3, 6, 9, ...}
• What is ∪_{i=0}^{∞} B_i? N
• What is ∩_{i=0}^{∞} B_i? {0}
• What is ∩_{i∈N} (B_i \ {0})? ø


9 Exercise 4 - March 24, 2009

9.1 In the previous Exercise (3)

• We went through a test case example of a small simple computer program
• We discussed differences between syntax and semantics
• We discussed the definition and characteristics of a Power Set

9.2 Homework Exercise #1

• Induction Example - MI MU
• Propositional Calculus Example
• Sample Simple Program Example

9.3 Induction - MI MU Example

The set of atoms is A = {MI}. The operations P are detailed below.

1. XI → XIU - add a U at the end
2. MX → MXX - for a word that starts with M, whatever follows the M (here X) is doubled at the end
3. III → U - a sequence of three consecutive Is can be changed to a U
4. UU → nothing - two consecutive Us can be omitted

Let’s look at some elements of I(A, P):

MI → rule 2 → MII
MII → rule 2 → MIIII
MIIII → rule 1 → MIIIIU
MIIIIU → rule 3 → MIU

MII, MIIII, MIIIIU, and MIU are all in I(A, P).


9.3.1 The Elements of I(A, P)

We start with the atom: A = {MI}
1. We apply rule #1: MI → MIU
2. We apply rule #2: MI → MII
3. We apply rule #3: MI → MI
4. We apply rule #4: MI → MI

Now, we start with MIU and apply all the rules:
1. We apply rule #1: MIU → MIUU
2. We apply rule #2: MIU → MIUIU
3. We apply rule #3: MIU → MIU
4. We apply rule #4: MIU → MIU

Now, we start with MII and apply all the rules:
1. We apply rule #1: MII → MIIU
2. We apply rule #2: MII → MIIII
3. We apply rule #3: MII → MII
4. We apply rule #4: MII → MII

The number of members in I(A, P) is ∞.

9.3.2 Prove that MU ∉ I(A, P)

In other words, starting from MI, you cannot get to MU (meaning there is no derivation series for MU) by applying the operations in P. Thus, MU is not a member of the inductive set I(A, P) obtained from A using the operations P.

To prove this claim, we proceed by induction. The claim we are going to prove is that for any member w ∈ I(A, P), the number of Is in w is not a multiple of three. This will prove that MU ∉ I(A, P), as the number of Is in MU is zero and thus a multiple of three.

The inductive proof includes showing that the claim is true for the atoms and then showing that if the claim is true for a word and you apply one of the operations to that word, the claim stays true. Next, let’s follow the details of the proof.

The number of Is in MI is 1, and thus not a multiple of three.

Assume that for some w ∈ I(A, P), the number of Is in w is not a multiple of three.

For the first rule, XI → XIU, adding a U at the end does not change the number of Is, and it thus remains not a multiple of three.

For the second rule, MX → MXX, the number of Is is multiplied by two. Thus, if before the application of the operation the number of Is in w was some 3k + 1 or 3k − 1 (not a multiple of three), then the number of Is after applying the operation is 2(3k + 1) = 6k + 2 or 2(3k − 1) = 6k − 2, and neither is a multiple of three.

For the third rule, III → U, the number of Is is reduced by three, and thus remains not a multiple of three.

For the fourth and last rule, UU → nothing, the number of Is does not change, and thus stays not a multiple of three.

This completes the induction step and the proof.

Applying the operations in any way to MI results in MII and MIU. Applying the operations in any way to MI, MII and MIU results in MII, MIUIU, and MIIU, and so on and so forth.
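The four operations applied mechanically, with the invariant of the proof checked on every word generated. This is an added example and not code from the notes; rule 1 fires only when the word ends in I, as XI → XIU requires, and generation is cut off at a maximum word length since I(A, P) is infinite.

```python
# Added example, not from the notes: the four MIU operations applied as written
# (rule 1 fires only when the word ends in I, as XI -> XIU requires), a bounded
# generation of I(A, P) from the atom MI, and the invariant of the proof checked
# on every generated word.


def apply_rules(word):
    """All words obtainable from `word` by one application of a rule in P."""
    out = set()
    if word.endswith("I"):                       # rule 1: XI -> XIU
        out.add(word + "U")
    if word.startswith("M"):                     # rule 2: MX -> MXX
        out.add(word + word[1:])
    for i in range(len(word) - 2):               # rule 3: III -> U, any position
        if word[i:i + 3] == "III":
            out.add(word[:i] + "U" + word[i + 3:])
    for i in range(len(word) - 1):               # rule 4: UU -> nothing
        if word[i:i + 2] == "UU":
            out.add(word[:i] + word[i + 2:])
    return out


def generate(max_len, atoms=("MI",)):
    """Members of I(A, P) derivable without any intermediate word exceeding
    max_len (I(A, P) itself is infinite, so some cut-off is needed)."""
    seen = set(atoms)
    frontier = set(atoms)
    while frontier:
        nxt = set()
        for w in frontier:
            for v in apply_rules(w):
                if len(v) <= max_len and v not in seen:
                    seen.add(v)
                    nxt.add(v)
        frontier = nxt
    return seen


def invariant(word):
    """The induction claim: the number of Is is not a multiple of three."""
    return word.count("I") % 3 != 0


def invariant_holds_up_to(max_len):
    """Check the claim on every generated word; MU (zero Is) can never appear."""
    words = generate(max_len)
    return all(invariant(w) for w in words) and "MU" not in words
```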


9.4 Propositional Calculus

Assuming p is a theorem and q is a theorem, then p and q are theorems. We assume the following axioms:

1. ¬¬ can be deleted in a theorem and a theorem is obtained.
2. If q can be derived from p, then p → q is a theorem (this applies recursively).
3. If p is a theorem and p → q is a theorem, then q is a theorem.
4. p → q is a theorem if and only if ¬q → ¬p is a theorem.
5. ¬p ∧ ¬q is a theorem if and only if ¬(p ∨ q) is a theorem.
6. p → q is a theorem if and only if ¬p ∨ q is a theorem.

We can derive different theorems based on these operations. One will be presented here, and others will be given as homework.

Assume that p is a theorem. Prove that p ∨ ¬p is a theorem.

Proof: p is a theorem, according to the assumption.
Using rule #1: ¬¬p is obtained
Using rule #2: p → ¬¬p is a theorem
Using rule #4: ¬¬¬p → ¬p
Using rule #1: ¬p → ¬p
Using rule #6: ¬¬p ∨ ¬p
Using rule #1: p ∨ ¬p

In the Homework Exercise:
2a. Prove that p ∧ q → q ∧ p
2b. Prove that p → (q → (p ∧ q))


9.5 Simple Program

    x = sin(t);
    y = r2 - 2;
    while (x > y) {
        x = x + y + 3;
    }

We number the rows:

    1. x = sin(t);
    2. y = r2 - 2;
    3. while (x > y) {
    4.     x = x + y + 3;
    5. }

Let’s look at the lines that could affect the value of x:

(1, x, {1})
(2, x, {1})
(3, x, {1, 4})
(4, x, {1})

These are the lines that can affect the value of x. That is, the lines that can have an effect on the value of x when we reach them.

Our atoms:

(1, x, ø)
(2, x, ø)
(3, x, ø)
(4, x, ø)

Our actions:

1. (1, x, S) → (1, x, S ∪ {1})
2. (2, x, S) → (2, x, S)
3. (3, x, S1), (2, x, S2), (4, x, S3) → (3, x, S1 ∪ S2 ∪ S3)
4. (4, x, S) → (4, x, S ∪ {4})

The process will stop after you activate the actions on a line containing (1, 4).

1. Define the system and explain its purpose. Compute I(A, P).
2. Define the same type of system for y.
3. Define a different program with x and y dependencies and compute I(A, P):

    x = 10;
    y = 100;
    while (x < 50) {
        x = x + y;
        y = y - x;
        while (y > 50) {
            x = x - y;
            y = y + x;
        }
    }


