
Good Morning Welcome to the US, Cornell, and CS

Learn how to "calculate" programs using a specialized logic, and discover the principles and strategies for developing correct proofs.



Presentation Transcript


  1. Good Morning. Welcome to the US, Cornell, and CS. I am David Gries. I am starting my 50th year as a CS faculty member. My part of this course is about program methodology: how to develop correct programs.

  2. Calculational Logic. In order to “calculate” programs, or algorithms, we need a “calculational logic”. This logic is equivalent to other logics, like natural deduction, but it is designed to let you “calculate” the way you calculate in other math domains, like algebra. A good introduction to calculational logic can (1) dispel fear of math, (2) instil an appreciation for rigor, (3) show you that logic can be fun, and (4) teach principles and strategies for developing proofs. Logic is the glue that binds together arguments in all domains.

  3. Contents (numbers are slide numbers): Introduction 3; Boolean expressions 5; Translating English into boolean exps 12; Calculational propositional logic 17; Substitution 20; Inference rules 22; Equivalence 23; Proof formats 24; Derived rules 29; !, inequiv, false 32; Or 39; And 43; Implication 46; Shunting 50; Checking English arguments 52; Contextual substitution 54; Weakening/strengthening steps 57; Monotonicity 62; Foundations for informal techniques 65; Deduction theorem 65; Partial evaluation 70; Case analysis 70; Mutual implication 71; Proof by contradiction 71.

  4. Calculational logic formalizes proofs that are calculations. Prove that (a+b)c = ac + bc using the theorems given below. Available multiplication theorems: associativity: A(BC) = (AB)C; symmetry: AB = BA; left distributivity: A(B+C) = AB + AC.
      (a+b)c
    = <symmetry>
      c(a+b)
    = <left distributivity>
      ca + cb
    = <symmetry, twice>
      ac + bc
  Observation: the proof requires only syntactic manipulation. We will use this style of proof for logic.

  5. A similar proof about logic. Prove P true true. Start by eliminating true. What theorems are available? (3.7) Identity of : true Q Q. (3.32) over : P (Q R) P Q P R.
      P true true
    = <(3.7) Identity of : true Q Q>
      P (P P)
    = <(3.32) over >
      P P P P
    = <(3.7) Identity of >

  6. Boolean expressions. Two values: true and false. A boolean expression is one of the following (P and Q denote boolean expressions):
  • A boolean (propositional) variable p, q, r, …
  • true
  • false
  • A negation (not): (P)
  • An equality: (P = Q)
  • An equivalence: (P Q)
  • A disjunction (or): (P Q)
  • A conjunction (and): (P Q)
  • An implication: (P Q)
  • A consequence: (P Q)
  These boolean expressions are fully parenthesized.

  7. Precedence conventions allow elimination of some parentheses. Example: b + c / - d is (b + (c / (- d))). Precedence of some operators, highest first:
  • Unary prefix: + –
  • * /
  • + –
  • = ≠ < ≤ > ≥ (these are conjunctional, explained later)
  •
  •
  •
  Associativity: implication is right associative: p q r is p (q r). Consequence is left associative: p q r is (p q) r. The remaining operators and + are associative, e.g. p q r is either (p q) r or p (q r).

  8. About the operators. Negation b, read as complement of b or not b: true if b is false and false if b is true. Equality b = c, read as b equals c: true if b and c have the same value. Equivalence b c, read as b equivales c: true if b and c have the same value. Inequality b c, read as b differs from c: same value as (b = c). Inequivalence b | c, read as b differs from c or as b “exclusive or” c: same value as (b c).

  9. About the operators. Disjunction b c, read as b or c: true iff b or c (or both) are true; the operands are disjuncts. Conjunction b c, read as b and c: true iff both b and c are true; the operands are conjuncts. Implication b c, read as b implies c or if b then c; same value as b c. b c is true if b is false. This is consistent with the English interpretation of a statement like “If Schneider is 10 feet tall then Gries can walk on the ceiling”, which is true because Schneider is not 10 feet tall. False implies anything. b is the antecedent and c is the consequence. Consequence b c is read as b follows from c; it is equal to b c.

  10. Truth table for evaluating operations (the table of operator values did not survive extraction). We assume that, given boolean variables p, q, r, … with values, you can evaluate a boolean expression like p (q r).

  11. Terms dealing with expression evaluation
  • Boolean expression P is satisfied in a state if its value is true in that state
  • P is satisfiable if there is a state in which it is satisfied
  • P is unsatisfiable if it is false in every state
  • P is valid if it is satisfied in every state
  • A valid boolean expression is also called a tautology

  12. Equality versus Equivalence. b = c is equality: b and c have the same type, but any type. b c is equivalence: b and c must be boolean. No parentheses are needed in b + c = d c > 5 p. = is conjunctional: b = c = d means b = c c = d, and 1 ≤ i ≤ n means 1 ≤ i i ≤ n. Equivalence is associative: p (c d) and (p c) d have the same value, so we write b c d to mean either one.

  13. To translate a proposition into a boolean expression:
  • Introduce boolean variables (propositional variables) to denote subpropositions
  • Replace the subpropositions by the corresponding boolean variables
  • Translate the result of step 2 into a boolean expression using the "obvious" translations of English words into operators: and becomes ; or becomes V; not becomes ; it is not the case that becomes ; if p then q becomes p q

  14. Translating English into boolean expressions. Proposition: an English (or Chinese) statement that can be interpreted as being either true or false. Example: John has one son and Mary has two. Introduce propositional variables j and m: j: John has one son; m: Mary has two sons. Replace the subpropositions of the sentence by the propositional variables j and m. Replace the operators of the sentence by the "obvious" boolean operators.

  15. Rewording before translation. Given are these two variables j and p: j: John had 1 son; p: 1 is a prime. John had 1 son and 1 is not prime. Reword this: John had 1 son and (it is not the case that 1 is prime). I am going to Florida or Maine. Reword this: I am going to Florida or I am going to Maine. Every name in the Ithaca telephone directory is in the New York telephone directory. Reword this: If a name is in the Ithaca telephone directory then it is in the New York telephone directory.

  16. On implication. false c is defined to be true no matter what c is. Why? Consider: If x > 4 then x > 3. Formalize as x > 4 x > 3. Below is the evaluation of this expression with three different values of x. Since "If x > 4 then x > 3" is a true statement, its formalization should evaluate to true in all states. Thus, the righthand column contains true even in the two cases when the antecedent x > 4 is false.
    x    x > 4    x > 3    x > 4  x > 3
    5    true     true     true
    4    false    true     true
    3    false    false    true

  17. On implication. What is the value of the following sentence? (1) If you don’t eat your spinach, I’ll spank you. Reword it! (2) Eat your spinach or I’ll spank you. es: Eat spinach; sp: I’ll spank you. (1) es sp. (2) es V sp. If es is true, then es V sp is true. So if es is false, es sp is true.

  18. Calculational Logic. Calculus: a method or process of reasoning by calculation with symbols. Logic: a calculus for deriving theorems. It consists of: Axioms: formulas that are taken to be theorems without proof, also called postulates. Inference rules, e.g. the rule with premises P1, P2 and conclusion Q, which means: if P1 and P2 are theorems then Q is a theorem. Theorem: (0) an axiom, or (1) the conclusion of an inference rule whose premises are theorems. A proof of a theorem is syntactic; it has nothing to do with evaluating expressions. But to have a useful logic, we want every theorem to be valid. That’s called soundness.

  19. Axiom Scheme. ((P Q) R) (P (Q R)). Evaluate it in all states to verify that it is valid. BIG LETTERS are "syntactical variables”: they stand for any formula (boolean expression). LITTLE LETTERS are propositional variables. ((P Q) R) (P (Q R)) is a formula scheme: replacing P, Q, R by formulas yields a formula. Axiom: ((p q) r) (p (q r)). Axiom: ((p p) r) (p (p r)). Axiom: ((pq pq) r) (pq (pq r)).

  20. Inference rule Transitivity. Suppose the following are theorems: (B / C) (B C) and (B C) (B C). Then, by Transitivity, (B / C) (B C) is a theorem. The rule: from P Q and Q R conclude P R. The instance used here: from (B / C) (B C) and (B C) (B C) conclude (B / C) (B C).

  21. Leibniz (1646-1716) on substitution of equals for equals. 2 * x = x + x, so 2*x + 5 = x + x + 5. Two terms are the same if one can be substituted for the other without altering the truth of any statement. If we have A and B, and A enters into some true proposition and the substitution of B for A wherever it appears results in a new proposition that is likewise true, and if this can be done for every proposition, then A and B are said to be the same; and conversely, if A and B are the same they can be substituted for one another, as I have said.

  22. Substitution. A formula scheme R[α/] is R with some of its sub-formulas replaced by the placeholder α. R[α/]: P (S α). P[α/]: P α α. α: a placeholder for a formula. Then R[α/Q] is R[α/] but with α replaced by Q. R[α/p r] is P (S (p r)). (P α α)[α/p r] is P (p r) p r.

  23. Inference rules of Calculational Logic. Based on equality (equivalence) and substitution of equals for equals. (3.1) Leibniz: from P = Q conclude E[α/P] = E[α/Q]. (3.2) Transitivity: from P = Q and Q = R conclude P = R. (3.3) Equanimity: from P and P = Q conclude Q.
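The substitution and Leibniz machinery of slides 19, 22 and 23, as an added Python example (not from the slides): formulas are nested tuples, a scheme is instantiated by binding its syntactic variables, R[α/Q] replaces a placeholder, and a Leibniz step yields E[α/P] and E[α/Q]. The binary operator in the slide-22 example R[α/] is taken to be ≡ (an assumption, since the slide's operator symbols did not survive).

```python
# Formulas are nested tuples: ("var", name), ("placeholder", name), ("not", f)
# or (op, f, g) for a binary operator. Syntactic variables (slide 19) are
# ("var", ...) with capital names; propositional variables use small names.
ALPHA = ("placeholder", "alpha")
SYMBOL = {"equiv": "≡", "inequiv": "≢", "or": "∨", "and": "∧", "implies": "⇒"}

def var(name):
    return ("var", name)

def subst(formula, replacement, placeholder=ALPHA):
    """R[alpha/Q] (slide 22): R with every occurrence of the placeholder replaced by Q."""
    if formula == placeholder:
        return replacement
    if formula[0] in ("var", "placeholder"):
        return formula
    return (formula[0],) + tuple(subst(f, replacement, placeholder) for f in formula[1:])

def instantiate(scheme, binding):
    """Slide 19: replacing the syntactic variables of a scheme by formulas yields a formula."""
    if scheme[0] == "var" and scheme[1] in binding:
        return binding[scheme[1]]
    if scheme[0] in ("var", "placeholder"):
        return scheme
    return (scheme[0],) + tuple(instantiate(f, binding) for f in scheme[1:])

def show(formula):
    """Fully parenthesized text, as on slide 6."""
    kind = formula[0]
    if kind in ("var", "placeholder"):
        return formula[1]
    if kind == "not":
        return "¬" + show(formula[1])
    return "(%s %s %s)" % (show(formula[1]), SYMBOL[kind], show(formula[2]))

def leibniz(E, P, Q):
    """(3.1) Leibniz: from P = Q conclude E[alpha/P] = E[alpha/Q]; returns both sides."""
    return subst(E, P), subst(E, Q)

# (3.5) Associativity of ≡ as a scheme over P, Q, R (slides 19 and 24)
ASSOC = ("equiv",
         ("equiv", ("equiv", var("P"), var("Q")), var("R")),
         ("equiv", var("P"), ("equiv", var("Q"), var("R"))))

# Slide 19's second axiom instance: P, Q, R := p, p, r
AXIOM_PPR = instantiate(ASSOC, {"P": var("p"), "Q": var("p"), "R": var("r")})

# Slide 22 (operator assumed to be ≡): R[alpha/] is P ≡ (S ≡ alpha),
# so R[alpha/p ∨ r] is P ≡ (S ≡ (p ∨ r))
R_SCHEME = ("equiv", var("P"), ("equiv", var("S"), ALPHA))
P_OR_R = ("or", var("p"), var("r"))
R_INSTANCE = subst(R_SCHEME, P_OR_R)

if __name__ == "__main__":
    print(show(AXIOM_PPR))
    print(show(R_INSTANCE))
    # Leibniz step with E = (alpha ≡ p), P = ¬¬p, Q = p
    for side in leibniz(("equiv", ALPHA, var("p")), ("not", ("not", var("p"))), var("p")):
        print(show(side))
```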

  24. Axioms and theorems for Equivalence. (3.5) Axiom, Associativity of : ((P Q) R) (P (Q R)). (3.6) Axiom, Identity of : true Q Q. We can now prove: (3.7) Reflexivity of : P P. (3.8) Symmetry of : P Q Q P. (3.9) true Q true Q. Later, try proving these two yourself.

  25. Proof Format #1. Conclude P = Q from X = Y, using Leibniz; this must be an instance of Leibniz: from X = Y conclude P = Q. In the same way, conclude Q = R from X1 = Y1, using Leibniz. Then use Transitivity (from P = Q and Q = R conclude P = R) to conclude P = R:
      P
    = <X = Y>
      Q
    = <X1 = Y1>
      R
  Important: there is no need to mention which inference rule is being used at each place. The format tells us.

  26. Proof Format #2. Use Equanimity (from P and P = R conclude R) to conclude that R is a theorem:
      P  —this is a theorem
    = <…>
      …
    = <…>
      R
  In doing proofs, we use symmetry and associativity of operators without mention, just as we do with arithmetic, e.g. 3 + a + 2 = <arithmetic> a + 5. Important: there is no need to mention which inference rule is being used at each place. The format tells us.

  27. First proof: P P.
      true P P  —Identity of (3.6)
    = <Identity of = (3.6), true Q Q>
      P P
  The = step uses inference rule Leibniz: a step X = <P = Q> Y is Leibniz (from P = Q conclude X = Y). Here the instance is true p p = true p p p p.

  28. First proof: P P (continued). This says to use inference rule Equanimity, using Theorem (3.6):
      true P P  —Identity of (3.6)
    = <Identity of = (3.6), true Q Q>
      P P
  P P follows from Equanimity, using (3.6): since the top line is a theorem, and since (top line = bottom line) is a theorem, so is the bottom line. The instance: from true P P and true P P P P conclude P P.

  29. Proof of Symmetry of . First, note that the following is an instance of (3.7) Reflexivity. It is (3.7) with P replaced by true P: true P true P.
      true P true P  —(3.7), P := true P
    = <Identity of = (3.6), true Q Q>
      P true P
    = <Identity of = (3.6), true Q Q, with P := Q>
      P Q Q P

  30. Some Derived Inference Rules. “Derived" because they are not given initially, but we can prove that it is okay to use them. Equanimity: from P and Q P conclude Q. Leibniz: from P = Q conclude E[α/Q] = E[α/P]. Redundant true: from P conclude P true, and from P true conclude P. Example of use of Redundant true: P Q = <Redundant true: P> true Q. Simply put: if P is a theorem, it is equivalent to true and can be replaced by true.

  31. Summary of Proof Methods. To prove that P Q is a theorem, do one of the following:
  • Transform P to Q (using a series of Leibniz steps)
  • Transform Q to P
  • Transform P Q to a previous theorem
  • Transform a previous theorem to P Q

  32. Liars and Truars. Tom says that Dick and Harry are of the same type: both liars or both truars. Someone asks Harry, “Are Tom and Dick of the same type?” What does Harry answer? Introduce propositional variables: t: Tom is a truar; d: Dick is a truar; h: Harry is a truar. Tom’s statement is: t == d == h.

  33. Negation, Inequivalence, and false
  (3.13) Axiom, Definition of false: false true
  (3.14) Axiom, over : (P Q) P Q
  (3.15) Axiom, Definition of /: P / Q (P Q)
  (3.16) P Q P Q
  (3.17) Double negation: P P
  (3.18) Negation of false: false true
  (3.19) (P / Q) P Q
  (3.20) P P false
  (3.21) Symmetry of /: (P / Q) (Q / P)
  (3.22) Associativity of /: ((P / Q) / R) (P / (Q / R))
  (3.23) Mutual associativity: ((P / Q) R) (P / (Q R))
  (3.24) Mutual interchangeability: P / Q R P Q / R

  34. Heuristic: an approach that may help in problem solving. (3.26) Heuristic. Identify applicable theorems by matching the structure of expressions or subexpressions. The operators that appear in an expression and the shape of its subexpressions can focus the choice of theorems to be used in manipulating it. Proof of (3.16) P Q P Q:
      P Q P Q  —Which previous theorem (or axiom) can be used?
    = <(3.14), (P Q) P Q>
      (P Q) P Q  —Can we use (3.14) again?
    = <(3.14), with P, Q := Q, P>
      (P Q) (P Q)  —(3.7) Reflexivity of
  We use symmetry of operations without mentioning it.

  35. Principle: structure proofs to avoid repeating the same subexpression on many lines. Two proofs of (3.20) P P false. First proof:
      P P false
    = <(3.14), (P Q) P Q, with Q := P>
      (P P) false
    = <(3.6) Identity of : true Q Q, with Q := P>
      (true) false  —theorem (3.13)
  Second proof:
      P P
    = <(3.14), (P Q) P Q>
      (P P)
    = <(3.6) Identity of : true Q Q>
      (true)
    = <(3.13)>
      false

  36. (3.28) Heuristic: Unfold-fold. To prove a theorem concerning an operator • that is defined in terms of another operator, say *: replace • by its definition (called unfolding) to arrive at a formula that contains *; exploit properties of * to manipulate the formula; and possibly reintroduce • using its definition (called folding). We illustrate the use of this heuristic in proving (3.21) Symmetry of /: (P / Q) (Q / P). Here, • is / and * is .

  37. Use of (3.28) Heuristic: Unfold-fold. (3.21) Symmetry of /: (P / Q) (Q / P).
      P / Q
    = <(3.15) Axiom, Definition of / —unfolding>
      (P Q)
    = <(3.8) Symmetry of : P Q Q P>
      (Q P)
    = <(3.15) Axiom, Definition of / —folding>
      Q / P

  38. Portia’s suitor’s dilemma. She puts her picture in one of the two caskets and asks her suitor: which casket has the picture? On the gold casket, inscription g: Portrait not in here. On the silver casket, inscription s: Exactly one of g and s is true. Introduce two variables, with these meanings: G: Portrait is in gold casket; S: Portrait is in silver casket. Portrait in exactly one casket: G !S. Formalize inscription g: !G. Formalize inscription s: !g s.

  39. Portia’s suitor continued. Formalize inscription g: g !G. Formalize inscription s: s !g s.
      s !g s  —second fact about the system
    = <Symmetry of >
      !g
    = <second fact about the system>
      !!G
    = <double negation>
      G
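A brute-force evaluator for the vocabulary of slides 10, 11, 16 and 17 and for the puzzles of slides 32 and 38–39, as an added Python example (not from the slides): it enumerates all states, classifies a formula as valid, satisfiable or unsatisfiable, and checks the formalizations the slides give. The operator names (equiv, inequiv, implies, follows) and the puzzle encodings are my own.

```python
from itertools import product

# The slides' boolean operators as Python functions (names chosen here).
def equiv(p, q):    return p == q          # p ≡ q
def inequiv(p, q):  return p != q          # p ≢ q, "exclusive or"
def implies(p, q):  return (not p) or q    # p ⇒ q: true whenever p is false
def follows(p, q):  return implies(q, p)   # p ⇐ q, consequence

def states(names):
    """Every assignment of true/false to the named propositional variables."""
    for values in product([True, False], repeat=len(names)):
        yield dict(zip(names, values))

def truth_table(names, formula):
    """Rows of (state, value), the way slides 10 and 16 tabulate an expression."""
    return [(s, formula(**s)) for s in states(names)]

def classify(names, formula):
    """Slide 11 vocabulary: 'valid' (tautology), 'satisfiable' or 'unsatisfiable'."""
    results = [v for _, v in truth_table(names, formula)]
    if all(results):
        return "valid"
    return "satisfiable" if any(results) else "unsatisfiable"

# (3.34) Zero of or: P or true ≡ true, checked semantically rather than by a proof
zero_of_or = classify(["p"], lambda p: equiv(p or True, True))

# Slide 17: "if you don't eat your spinach, I'll spank you" reworded as
# "eat your spinach or I'll spank you": the two formalizations are equivalent.
spinach = classify(["es", "sp"], lambda es, sp: equiv(implies(not es, sp), es or sp))

# Slides 38-39, Portia's caskets. G, S: portrait in gold / silver casket.
# Facts: exactly one casket holds it (G ≢ S); g ≡ ¬G; s ≡ (g ≢ s), i.e. s ≡ ¬g ≡ s.
def portia_solutions():
    facts = lambda G, S, g, s: inequiv(G, S) and equiv(g, not G) and equiv(s, inequiv(g, s))
    return [st for st, v in truth_table(["G", "S", "g", "s"], facts) if v]

# Slide 32, liars and truars. Tom's statement "Dick and Harry are of the same
# type" holds exactly when Tom is a truar: t ≡ (d ≡ h). Harry's answer a to
# "are Tom and Dick of the same type?" is correct exactly when Harry is a
# truar: h ≡ (a ≡ (t ≡ d)), so a ≡ h ≡ (t ≡ d). Collect the answers Harry can
# give across all states consistent with Tom's statement.
def harry_answers():
    answers = set()
    for st in states(["t", "d", "h"]):
        if equiv(st["t"], equiv(st["d"], st["h"])):
            answers.add(equiv(st["h"], equiv(st["t"], st["d"])))
    return answers

if __name__ == "__main__":
    print(zero_of_or, spinach)
    print(portia_solutions())
    print(harry_answers())
```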

  40. Disjunction (Or)
  (3.29) Axiom, Symmetry of : P Q Q P
  (3.30) Axiom, Associativity of : (P Q) R P (Q R)
  (3.31) Axiom, Idempotency of : P P P
  (3.32) Axiom, over : (P Q) R P R Q R
  (3.33) Axiom, Excluded Middle: P P true
  (3.34) Zero of : P true true
  (3.35) Identity of : P false P
  (3.36) over : P (Q R) (P Q) (P R)
  (3.37) P Q P Q P

  41. Heuristic: use structure. (3.38) Heuristic. To prove P Q, transform the expression with the most structure (either P or Q) into the other. Prove theorem (3.34) Zero of : P true true. What side to start with?
      P true
    = <(3.6) Identity of : true Q Q>
      P (P P)
    = <(3.32) over >
      P P P P
    = <(3.6) Identity of >
      true

  42. Principle: Structure to minimize rabbits (3.39) Principle. Structure proofs to minimize the number of rabbits pulled out of a hat —make each step seem obvious based on the structure of the expression and the goal of the manipulation.

  43. Principle: structure to minimize rabbits. The proof below is the same as the one earlier except that it goes in reverse. It is harder to understand: the first step is a rabbit pulled out of a hat. Prove theorem (3.34) Zero of : P true true.
      true
    = <(3.6) Identity of >
      P P P P
    = <(3.32) over >
      P (P P)
    = <(3.6) Identity of >
      P true

  44. Conjunction (and). (3.40) Axiom, Golden rule: P Q P Q P Q. Rephrase: P Q P Q P Q. It says that two expressions are equal exactly when their conjunction and disjunction are equal. We can now prove theorems (3.41–3.60). We use this heuristic often: (3.61) Heuristic. Exploit the ability to parse theorems like the Golden rule in many different ways.

  45. Two proofs of Idempotency of : (3.43) P P P. First, start with the left side (no choice; use unfold):
      P P
    = <Golden rule (3.40), with Q := P>
      P P P P
    = <Idempotency of v, (3.31)>
      P P P
    = <Symmetry of , (3.8)>
      P
  Second, start with the whole formula (no choice):
      P P P
    = <Golden rule (3.40), with Q := P>
      P P P  —Idempotency of (3.31)

  46. Exploiting the Golden Rule. Prove the law of Absorption (3.48a): P (P Q) P. Golden rule: X Y X Y X Y. Can we use the Golden rule? Yes! X is P, Y is P Q.
      P (P Q) P
    = <Golden rule>
      P Q P P Q
    = <Idempotency of (3.31)>
      P Q P Q  —Reflexivity of (3.7)

  47. Implication. Three possible definitions of implication; use whichever is easiest in a proof. (3.62) Axiom, Implication: P Q P Q Q. (3.64) Implication: P Q P Q P. (3.65) Implication: P Q P Q. (3.63) Axiom, Consequence: P Q Q P. We now have MANY new theorems: (3.66)–(3.68).

  48. Implication: stronger and weaker expressions. For a theorem P Q, Q makes fewer restrictions on the states in which it is satisfied (is true). P is stronger, Q is weaker. Strongest boolean expression: false. Weakest boolean expression: true.

  49. Implication is difficult to work with because it is not symmetric. Unfold-fold is often a good strategy to use in proving theorems containing implications. Proof of (3.65), P Q P Q:
      P Q
    = <Definition of Implication (3.62)>
      P Q Q  —Look for a theorem that contains P Q
    = <(3.37), P Q P Q P, with P, Q := Q, P>
      P Q

  50. Three choices for the “definition” of implication. Choose one of (3.62), (3.64), (3.65) based on the structure of the formula being proved. Below, choose (3.64) because the goal has only and . Prove (3.67), P (Q R) P Q P R:
      P (Q R)
    = <(3.64) Implication: P Q P Q P>
      P (Q R) P
    = <(3.54) P (Q R) P Q P R P>
      P Q P R
