COMP 2600: Formal Methods for Software

Engineeing

Dirk Pattinson

Semester 2, 2013

What do we mean by FORMAL?

Oxford Dictionary

• in accordance with convention or etiquette

• or denoting a style of writing or public speaking characterized by moreelaborate grammatical structures and more conservative and technicalvocabulary.

• officially sanctioned or recognized

• of or concerned with outward form or appearance as distinct fromcontent

The validity of logical arguments depends on form, rather than content.

1. Abstracting content allows us to study the mechanics of reasoning

2. We have more confidence in formalised arguments

3. Automation requires formalisation.

Topics in COMP 2600

• Logic and Natural Deduction

• Proving Properties of Functional Programs (Induction)

• Proving Properties of Imperative Programs

• Formal Specification of Systems

• Automata, Languages and Parsing

• Turing Machines and Computability

1

Assessment

Assignments: 4 × 9%

• One for each major topic, released in weeks 5, 7, 9 and 12

Tutorials: 4%

• demonstrate a reasonable attempt at the tutorial questions

Mid-Semester Quiz: 10%

• redeemable: replaced by exam mark if better, covers weeks 2 – 6

Final Exam: 50%

• or 60% if quiz not attempted or quiz score < exam score

Final Mark

• capped at Exam * (100/60) + 10%

Boring Administrative Stuff

TutorialsRegister for a tutorial in Streams. Tutorials start in week 3.

Use the Course Web Page

• Textbooks

• Tentative Schedule

• Forum

• Lecture Notes

Course Web Page: http://cs.anu.edu.au/Student/comp2600/

2

Aristotle(384–322BC)

Leibniz(1646– 1716)

Boole(1815 – 1884)

Russel(1872 – 1970)

History of Logic, the Science of Reasoning

• Aristotle: syllogistic logic logic.

• Leibniz: symbolic logic

• Boole: algebraic logic (boolean algebras) algebra.

• Russel: logic as foundation of mathematics logic.

• Later: Church, Turing, Curry, Goedel, Scott, Milner etc.: Formalmodels of computational systems

Why study logic?

Coolness: Logic is cool — trust me.

Hardware: Binary logic is logical.

Software: Programming languages have logical constructs.

Semantics: The language of logic is unambiguous and can be used to givemeaning to programs.

Proof: Arguments should be logical.

Every day: Clearer thinking in every day situations. More effective com-munication.

Propositions: Basic Building Blocks

Definition 1. A statement is a sentence for which it makes sense to askwhether it is true or false. A proposition is a statement that does not dependon any variables.

Example 2. • John had tea for breakfast.

• x2 > 12

3

• Every integer > 2 is the sum of two primes (Goldbach’s conjecture)

We often use variables p, q, r to denote propositions (‘atomic proposi-tions’ or ‘propositional variables’).

Logical Connectives

Operators on Statements

∧ conjunction, and

∨ disjunction, or

→ implication, if . . . then . . .

¬ negation, not

↔ , equivalence, if and only if

⊺,� true, false

Definition 3. Propositional Formulae are built from a set of atomic propo-sitions using the logical connectives.

Example 4. If p, q and ‘John had toast for breakfast’ and ’John is hungry’are atomic propositions, then

• p→ (¬q ∨ (p↔ ⊺))→ (p ∧ q) ∨ r

• ’John had toast for breakfast’ → ’John is hungry’

are propositional formulae.

Precedences and Meaning

PrecedencesOperator priorities (‘strength of binding’) to minimise parentheses

¬ ≻ ∧ ≻ ∨ ≻ → ≻ ↔where ≻ stands for ‘binds more strongly’ or ‘has higher precedence’.Example 5.

¬p ∨ q → r ∧ s ≡ ((¬p) ∨ q)→ (r ∧ s)p ∨ q ∧ r ≡ p ∨ (q ∧ r)

Meaning of Connectives: Truth Tables

p q p ∧ q

⊺ ⊺ ⊺⊺ � �� ⊺ �� � � (and similarly for other connectives)

4

Tautologies

Definition 6. A propositional formula is said to be a tautology if it is truefor all possible assignments of truth values to its atomic propositions.

Example 7.p ¬p p ∨ ¬p⊺ � ⊺� ⊺ ⊺

In general, to prove a tautology, one can construct a truth table for theproposition and checks that its column is all ⊺s.

Contradictions and Contingencies

Definition 8. A contradiction is a compound proposition which evaluatesto � for all values of its elementary propositions.[1ex] A contingency is acompound proposition which may evaluate to ⊺ or � for different values ofits elementary propositions.

Example 9. 1. ’John had toast for breakfast’ is a contingency.

2. ’John had toast for breakfast’ ∧¬ ’John had toast for breakfast’ is acontradiction

3. p→ (¬q ∨ (p↔ ⊺))→ (p ∧ q) ∨ r – can be complicated!

(Algebraic) Laws of Propositional Calculus

Associative laws

• p ∨ (q ∨ r) ≡ (p ∨ q) ∨ r

• p ∧ (q ∧ r) ≡ (p ∧ q) ∧ r

Distributive laws

• p ∧ (q ∨ r) ≡ (p ∧ q) ∨ (p ∧ r)• p ∨ (q ∧ r) ≡ (p ∨ q) ∧ (p ∨ r)

(These are just a representative few. Replacing ≡ by ↔ they are alltautologies.)

5

Logical Arguments, or: Formal Proofs

Example: Arguments in English

• If the professor is naked then the class is amused.

• If the class is amused and the material is organized then the class ishappy.

• The lecture is good if both the material is organized and the class ishappy.

• Therefore, the lecture is good if the professor is naked.

Typical Structure

• the assumptions appear above the horizontal line

• the conclusions appear below.

(Is this a valid argument?)

Exercise: Reconstruct the Argument in Logic

• identify the atomic propositions, or variables

• translate assumptions and conclusions into logical form

For ExamplePropositions n – naked, a – amused, o – organised, h – happy, g – good

Translation

• If the professor is naked then the class is amused: n→ a

• If the class is amused and the material is organised, then the class ishappy: a ∧ o→ h

• . . .

In Logical Form

n→ aa ∧ o→ ho ∧ h→ gn→ g

As a single formula:

(n→ a) ∧ (a ∧ o→ h)∧ (o ∧ h→ g)→ (n→ g)

6

Disjunctive Syllogism — An inference rule

Definition 10. An inference rule is a blueprint for a valid argument. Itspropositions are variables, and applying an inference rule amounts to pro-viding formulae for the variables.

Disjunctive SyllogismOne of Aristotle’ patterns of valid deduction:

p ∨ q¬pq

Example 11.

The student was happy ∨ The student was awake¬The student was happyThe student was awake

Disjunctive Syllogism — Proof in the Algebraic Style

(p ∨ q) ∧ ¬p → q

≡ ¬p ∧ (p ∨ q) → q (commutativity)

≡ (¬p ∧ p) ∨ (¬p ∧ q) → q (distribution)

≡ � ∨ (¬p ∧ q) → q (contradiction)

≡ ¬p ∧ q → q (or-simplification)

≡ ¬(¬p ∧ q) ∨ q (implication)

≡ (p ∨ ¬q) ∨ q (De Morgan)

≡ p ∨ (¬q ∨ q) (associativity)

≡ p ∨ ⊺ (excluded middle)

≡ ⊺ (or-simplification)

A non-example

‘Or’ in logicIn natural language, ’or’ is almost always exclusive.

• ‘Do you want to have chips or peas with your dinner?’

• ‘The car was grey or green’

7

In logic, ’or’ is always inclusive – see the truth table.

Non-ExampleThe student was happy ∨ The student was awake

The student was happy¬The student was awake

This “reasoning” is INVALID.

Modus ponens — Inference rule

Modus Ponens: the most important rulep→ qpq

Example 12.

The student worked hard → The student passedThe student worked hard

The student passed

Non-Example

The student worked hard → The student passedThe student passed

The student worked hard

This “reasoning” is INVALID.

Limitations of propositional logic

Is this argument valid? useful?

Natural language Propositional logic

All COMP2600 students are happy. pLisa is a COMP2600 student. qTherefore, Lisa is happy. ∴r

Maybe – but not in propositional logic!Not a valid in terms of propositional logic, since p∧q → r is not a tautology.(No relationship between the propositions.)

ProblemThe identity of Lisa is not maintained through the propositions. In otherwords, the propositions don’t take arguments.

8

Predicate Calculus: Propositions on Steroids

Formalising the ArgumentWhat are the propositions?

p(x) ≡ x is a COMP2600 student.q(x) ≡ x is happy.

Logical Form of the argument:

∀x.p(x)→ q(x)p(Lisa)q(Lisa)

. . . which we might be able to deal with. . .

Predicates — Introduction

Definition 13. A statement that depends on (zero, one or more) variablesis called a predicate. They are usually written as expressions with (unbound)variables, e.g. x > 5.

How to think about predicates

• As a a mapping from some domain to a Boolean value, such as p ∶ N→Bool where p(x) ≡ x > 5.

• The domain of a predicate is some set of appropriate values for thevariable(x) in the predicate expression. In the above example thedomain of p is N.

• If a predicate contains more than one variable, then the elements ofthe domain are tuples. That is x+y = 5 is the function p ∶ N×N→ Boolwhere p(x, y) ≡ (x + y = 5).

• Instantiating the variables in a predicate with values yields a proposi-tion, e.g. p(12,17) ≡ 12 + 17 = 5.

Quantifiers – What they mean and how they are written

Definition 14. If P (x) is a predicate that depends on a variable x, then

∀x.P (x)means that P (x) is true for all values of x (chosen from a domain of dis-course), and

∃x.P (x)means that P (x) is true for some choice of x (from a suitable domain ofdiscourse). In both cases

9

• ∀ (resp. ∃) is the quantifier

• x is the quantified (or bound) variable.

Formulae of predicate logic are built from atomic predicates, proposi-tional connectives and the quantifiers.

Abbreviations and Simple Laws

Abbreviations

∀x, y.P (x, y) ≡ ∀x.∀y.P (x, y) ≡ ∀x.(∀y.P (x, y))i.e. we can remove (some) parentheses and group quantifiers.

Quantifiers of the same type commute

∃x.∃y.P (x, y) ≡ ∃y.∃x.P (x, y) and ∀x.∀y.P (x, y) ≡ ∀y.∀x.P (x, y)

Quantifiers of different types don’t commutePredicates. C(x, y) – car x has colour y

Translation.

• ∀x∃y.C(x, y) – every car has a colour.

• ∃y.∀x.C(x, y) – every car has the same colour.

10