CS245 Logic and Computation

Alice Gao December 9, 2019

Contents

1 Propositional Logic 3 1.1 Translations ...... 3 1.2 Structural Induction ...... 9 1.2.1 A template for structural induction on well-formed propositional for- mulas ...... 9 1.3 The Semantics of an Implication ...... 15 1.4 Tautology, Contradiction, and Satisfiable but Not a Tautology ...... 16 1.5 Logical Equivalence ...... 17 1.6 Analyzing Conditional Code ...... 19 1.7 Circuit Design ...... 21 1.8 Tautological Consequence ...... 26 1.9 Formal Deduction ...... 29 1.9.1 Rules of Formal Deduction ...... 29 1.9.2 Format of a Formal Deduction Proof ...... 31 1.9.3 Strategies for writing a formal deduction proof ...... 31 1.9.4 And elimination and introduction ...... 33 1.9.5 Implication introduction and elimination ...... 34 1.9.6 Or introduction and elimination ...... 36 1.9.7 Negation introduction and elimination ...... 38 1.9.8 Putting them together! ...... 41 1.9.9 Putting them together: Additional exercises ...... 45 1.9.10 Other problems ...... 46 1.10 Soundness and Completeness of Formal Deduction ...... 47 1.10.1 The soundness of inference rules ...... 47 1.10.2 Soundness and Completeness of Formal Deduction ...... 49 1.11 Proving the Completeness Theorem ...... 52

1 2 Predicate Logic 55 2.1 Translations ...... 55 2.2 Semantics of Predicate Formulas ...... 61 2.2.1 Evaluating Formulas with No Variables ...... 61 2.2.2 Evaluating Formulas without Bound Variables ...... 63 2.2.3 Evaluating Formulas with Free and Bound Variables ...... 64 2.2.4 Evaluating Formulas with Bound Variables Only ...... 66 2.3 Tautological Consequence ...... 70 2.3.1 Semantic Entailment - Additional Exercises ...... 78 2.4 Formal Deduction ...... 79 2.4.1 Forall-elimination ...... 80 2.4.2 Exists-introduction ...... 80 2.4.3 Forall-introduction ...... 81 2.4.4 Forall-introduction - Additional Exercises ...... 82 2.4.5 Exists-elimination ...... 83 2.4.6 Exists-Elimination - Additional Exercises ...... 85 2.4.7 Putting them together ...... 86 2.4.8 Putting them together - Additional Exercises ...... 90 2.5 Soundness and Completeness of Natural Deduction ...... 91 2.5.1 Proving that an inference rule is sound or not sound ...... 91 2.5.2 Additional Exercises ...... 96 2.5.3 Proofs using the soundness and completeness theorems ...... 97

3 Program Verification 98 3.1 Partial and Total Correctness ...... 98 3.2 Assignment Statements ...... 101 3.3 Conditional Statements ...... 104 3.4 Conditional Statements: Additional Exercises ...... 109 3.5 While Loops ...... 110 3.6 While Loops: Additional Exercises ...... 114 3.7 Array Assignments ...... 115 3.8 Putting them together ...... 116

4 Undecidability 123 4.1 Prove that a problem is decidable ...... 123 4.2 The Halting Problem is Undecidable ...... 124 4.3 Prove that a problem is undecidable ...... 125

2 1 Propositional Logic

1.1 Translations Exercise 1. Translate the following three sentences into propositional logic.

• Nadhi will eat a fruit if it is an apple.

• Nadhi will eat a fruit only if it is an apple.

• Nadhi will eat a fruit if and only if it is an apple.

Solution: 푛: Nadhi will eat a fruit. 푎: The fruit is an apple.

• Nadhi will eat a fruit if it is an apple. Translation: (푎 → 푛) If the fruit is an apple, we know that Nadhi will eat it. If the fruit is not an apple, Nadhi may or may not eat it. The set of apples is a subset of the set of fruits that Nadhi eats.

• Nadhi will eat a fruit only if it is an apple. Translation: (푛 → 푎) If Nadhi eats a fruit, then we know that it is an apple. If Nadhi does not eat a fruit, the fruit may or may not be an apple. The set of fruits that Nadhi eats is a subset of the set of apples.

• Nadhi will eat a fruit if and only if it is an apple. Translation: (푛 ↔ 푎) If Nadhi eats a fruit, then it is an apple. If Nadhi does not eat a fruit, then it is not an apple. The set of fruits that Nadhi eats and the set of apples coincide.

3 Exercise 2. Translate the following sentence into multiple propositional formulas. Show that they are logically equivalent using a truth table. Soo-Jin will eat an apple or an orange but not both.

Solution: 푎: Soo-Jin will eat an apple. 표: Soo-Jin will eat an orange. This sentence translates into an exclusive OR. There are many ways of writing down a formula for an exclusive OR.

• ((푎 ∨ 표) ∧ (¬(푎 ∧ 표))) a or o is true, but not both.

• ((푎 ∨ 표) ∧ ((¬푎) ∨ (¬표))) a or o is true, and a is false or o is false.

• ((푎 ∧ (¬표)) ∨ ((¬푎) ∧ 표)) a is true and o is false, or a is false and o is true.

• (¬(푎 ↔ 표)) It is not the case that a and o have the same truth value.

• ((¬푎) ↔ 표) ⊨ ⊨ (푎 ↔ (¬표)) negated a and o have the same truth value.

4 Exercise 3. Translate the following sentence into at least three syntactically different propo- sitional formulas. Show that they are logically equivalent using a truth table. If it is sunny tomorrow, then I will play golf, provided that I am relaxed.

Solution:

• 푠: It is sunny tomorrow.

• 푔: I will play golf.

• 푟: I am relaxed.

I can think of three ways of translating this sentence into a propositional formula.

• Interpretation 1: If it is sunny tomorrow, then, if I am relaxed, then I will play golf. Translation: (푠 → (푟 → 푔)). Sunny tomorrow is the premise for the first.

• Interpretation 2: If it is sunny tomorrow and I am relaxed, then I will play golf. Translation: ((푠 ∧ 푟) → 푔). Sunny tomorrow and being relaxed together are premises for playing golf.

• Interpretation 3: If I am relaxed, then, if it is sunny tomorrow, I will play golf. Translation: (푟 → (푠 → 푔)). Being relaxed is the premise for the rest.

All three interpretations are logically equivalent.

5 Exercise 4. Translate the following sentence into a propositional formula. If I ace CS 245, I will get a job at Google; otherwise I will apply for the Geek Squad.

Solution: Define the propositional variables:

• 푎: I ace CS 245.

• 푔: I will get a job at Google.

• 푠: I will apply for the Geek Squad.

First, let’s break down this sentence into two parts by the semicolon. The first part translates into an implication because of the key word “if”. Itbecomes (푎 → 푔). In the second part, “otherwise” means that “if I don’t ace CS 245”. After rephrasing, the second part becomes “If I don’t ace CS 245, then I will apply for the Geek Squad.” This is another implication ((¬푎) → 푠). Now the tricky part is: what connective should we use to connect the two parts together? Two natural options are ∧ and ∨. The ∨ option seems possible because the sentence could be rephrase as “If I ace CS 245, ...; or otherwise ....” The correct connective to use is ∧ for the following reasons. Let’s consider the scenario in which I ace CS 245, I don’t get a job at Google and I apply for the Geek Squad. In this case, is the sentence true or false? Intuitively, the sentence should be false, because the first implication is violated when I ace CS 245 but do not getajobat Google. Now let’s look at the truth values of the two possible propositional formulas:

• If we use ∧ as the connective, the resulting formula ((푎 → 푔) ∧ ((¬푎) → 푠)) is false in this scenario. The truth value of the formula is the same as the truth value of the sentence in this scenario.

• If we use ∨ as the connective, the resulting formula ((푎 → 푔) ∧ ((¬푎) → 푠)) is true in this scenario. This truth value of the formula is different from the truth value ofthe sentence in this scenario. Therefore, ∨ is not the correct connective to use because the resulting formula has a different meaning from the formula.

6 Exercise 5. Translate the following sentence into two propositional formulas and explain why the two formulas are not logically equivalent. Sidney will carry an umbrella unless it is sunny.

Solution: Define the propositional variables. 푢: Sidney will carry an umbrella. 푠: It is sunny.

• Interpretation 1: Intuitively, many people understand “unless” as an “exclusive OR”, which means that exactly one of the two parts of the sentence is true at a time. With this interpretation, “unless” is equivalent to an “if and only if not”. The sentence is true under the following two scenarios:

– It is not sunny and Sidney carries an umbrella. – It is sunny and Sidney does not carry an umbrella.

Note that this interpretation does not allow Sidney to carry an umbrella when it is sunny. So the sentence is false when 푢 and 푠 are both true. In propositional logic, this is equivalent to

((¬푢) ↔ 푠) (1) ⊨ ⊨ ((¬푢) ∧ 푠) ∨ (푢 ∧ (¬푠))) (2) ⊨ ⊨ ((푢 ∨ 푠) ∧ (¬(푢 ∧ 푠))) (3) ⊨ ⊨ ((푢 ∨ 푠) ∧ ((¬푢) ∨ (¬푠))). (4)

All the formulas above are equivalent. They look different but their meanings are the same.

• Interpretation 2: Alternatively, you may think of “unless” as meaning “if not”. Then the sentence becomes: if it is not sunny, then Sidney will carry an umbrella. In propositional logic, this becomes:

((¬푠) → 푢) (5) ⊨ ⊨ ((¬(¬푠)) ∨ 푢) (6) ⊨ ⊨ (푠 ∨ 푢). (7)

Under this interpretation, this sentence is true under three scenarios:

– It is not sunny and Sidney carries an umbrella.

7 – It is sunny and Sidney does not carry an umbrella. – It is sunny and Sidney carries an umbrella.

Notice that this interpretation allows Sidney to carry an umbrella when it is sunny. So the sentence is true when 푢 and 푠 are both true.

8 1.2 Structural Induction 1.2.1 A template for structural induction on well-formed propositional formulas Theorem: Every well-formed propositional formula 퐴 has the property 푃 .

Proof by structural induction:

Define 푃 (퐴) to be that 퐴 has the property 푃 .

Base case: 퐴 is a propositional variable 푝. We need to prove that 푃 (푝) holds.

Induction step:

Case 1: 퐴 is a well-formed propositional formula of the form (¬퐵) where 퐵 is a well-formed propositional formula. Induction hypothesis: Assume that P(B) holds. Prove that 푃 ((¬퐵)) holds.

Case 2: 퐴 is a well-formed propositional formula of the form 퐵 ∗ 퐶) where 퐵 and 퐶 are well-formed propositional formulas and ∗ is one of ∧, ∨, →, and ↔. Induction hypothesis: Assume that 푃 (퐵) and 푃 (퐶) hold. Prove that 푃 ((퐵 ∗ 퐶)) holds.

By the principle of structural induction, 푃 (퐴) holds for every well-formed propositional formula 퐴.

QED

9 Theorem 1. Every well-formed propositional formula has an equal number of opening and closing brackets. Solution: Each check mark indicates one point awarded to an important step of your proof. Proof by Structural Induction. Let 푃 (휑) denote that the well-formed formula 휑 has an equal number of opening and closing brackets. ✓ Let 표푝(휑) and 푐푙(휑) denote the number of opening and closing brackets of 휑 respectively. Base case: 휑 is a propositional symbol 푞. Prove that 푃 (푞) holds. 푞 has zero opening and zero closing bracket. Thus, 푃 (휑) holds. ✓

Induction step:

Case 1: 휑 is (¬푎), where 푎 is well-formed. Induction hypothesis: Assume that 푃 (푎) holds (i.e. 표푝(푎) = 푐푙(푎)). ✓ We need to prove that 푃 ((¬푎)) holds.

표푝((¬푎)) (8) = 1 + 표푝(푎) By inspection of (¬푎) (9) = 1 + 푐푙(푎) By induction hypothesis✓ (10) = 푐푙((¬푎)) By inspection of (¬푎) (11)

Thus, 푃 ((¬푎)) holds.

Case 2: 휑 is (푎 ∗ 푏) where 푎 and 푏 are well-formed and ∗ is one of the four binary connectives ∧, ∨, →, ↔. Induction hypothesis: Assume that 푃 (푎) ✓ and 푃 (푏) ✓ hold (i.e. 표푝(푎) = 푐푙(푎) and 표푝(푏) = 푐푙(푏)). We need to prove that 푃 ((푎 ∗ 푏)) holds.

표푝((푎 ∗ 푏)) = 1 + 표푝(푎) + 표푝(푏) By inspection of (푎 ∗ 푏) (12) = 1 + 푐푙(푎) + 푐푙(푏) By induction hypothesis✓✓ (13) = 푐푙(푎 ∗ 푏) By inspection of (푎 ∗ 푏) (14)

Thus, 푃 ((푎 ∗ 푏)) holds.

By the principle of structural induction, 푃 (휑) holds for every well-formed formula 휑. ✓ QED

10 Theorem 2. Every proper prefix of a well-formed formula has more opening than closing brackets. Solution: Proof by Structural Induction. Let 푃 (휑) denote that every proper prefix of the well-formed formula 휑 has more opening than closing brackets. Let 표푝(휑) and 푐푙(휑) denote the number of opening and closing brackets of 휑 respectively. Base case: 휑 is a propositional variable 푞. Prove that 푃 (푞) holds. Induction step:

Case 1: 휑 is (¬푎), where 푎 is well-formed. Induction hypothesis: Assume that 푃 (푎) holds. We need to prove that 푃 ((¬푎)) holds. Let 푚 denote any proper prefix of 푎. There are four possible proper prefixes of (¬푎): (, (¬, (¬푚, and (¬푎. We will prove the four cases separately.

표푝(() = 1 (15) 푐푙(() = 0 (16) 표푝(() > 푐푙(() (17)

표푝((¬) = 1 (18) 푐푙((¬) = 0 (19) 표푝((¬) > 푐푙(() (20)

표푝((¬푚) (21) = 1 + 표푝(푚) (22) > 1 + 푐푙(푚) By the induction hypothesis on 푚 (23) > 푐푙(푚) (24) = 푐푙((¬푚) (25)

표푝((¬푎) (26) = 1 + 표푝(푎) (27) = 1 + 푐푙(푎) By Theorem 1 and 푎 is a well-formed formula (28) > 푐푙(푎) (29) = 푐푙((¬푎) (30)

11 Case 2: 휑 is (푎 ∗ 푏) where 푎 and 푏 are well-formed and ∗ is a binary connective. Let 푚 and 푛 denote any proper prefix of 푎 and 푏 respectively. Induction hypothesis: Assume that 푃 (푎) and 푃 (푏) hold. In other words, 푃 (푚) and 푃 (푛) are true. We need to prove that 푃 ((푎 ∗ 푏)) holds. There are six possible proper prefixes of (푎 ∗ 푏): (, (푚, (푎, (푎∗, (푎 ∗ 푛, and (푎 ∗ 푏.

표푝(() = 1 (31) 푐푙(() = 0 (32) 표푝(() > 푐푙(() (33)

표푝((푚) (34) = 1 + 표푝(푚) (35) > 1 + 푐푙(푚) By the induction hypothesis on 푚 (36) > 푐푙(푚) (37) = 푐푙((푚) (38)

표푝((푎) (39) = 1 + 표푝(푎) (40) = 1 + 푐푙(푎) By Theorem 1 and 푎 is a well-formed formula (41) > 푐푙(푎) (42) = 푐푙((푎) (43)

표푝((푎∗) (44) = 1 + 표푝(푎) (45) = 1 + 푐푙(푎) By Theorem 1 and 푎 is a well-formed formula (46) > 푐푙(푎) (47) = 푐푙((푎∗) (48)

12 표푝((푎 ∗ 푛) (49) = 1 + 표푝(푎) + 표푝(푛) (50) = 1 + 푐푙(푎) + 표푝(푛) By Theorem 1 and 푎 is a well-formed formula (51) > 1 + 푐푙(푎) + 푐푙(푛) By the induction hypothesis on 푛 (52) > 푐푙(푎) + 푐푙(푛) (53) = 푐푙((푎 ∗ 푛) (54)

표푝((푎 ∗ 푏) (55) = 1 + 표푝(푎) + 표푝(푏) (56) = 1 + 푐푙(푎) + 푐푙(푏) By Theorem 1 and 푎 is a well-formed formula (57) > 푐푙(푎) + 푐푙(푏) (58) = 푐푙((푎 ∗ 푏) (59)

By the principle of structural induction, 푃 (휑) holds for every well-formed formula 휑. QED

13 Theorem 3. Consider the set 퐼(푋, 퐶, 푃 ) inductively defined by the domain set 푋 = ℝ, the core set 퐶 = {0, 2}, and the set of operations 푃 = {푓1(푥, 푦) = 푥 + 푦, 푓2(푥, 푦) = 푥 − 푦}. Every element in 퐼(푋, 퐶, 푃 ) is an even integer.

Solution: Proof by Structural Induction. Base case: We need to prove that every element of the core set 퐶 is an even integer. 0 is even because 0 = 2 ∗ 0. 2 is even because 2 = 2 ∗ 1.

Induction step: Case 1: Let 푥, 푦 ∈ 퐼(푋, 퐶, 푃 ). Induction hypotheses: Assume that 푥 and 푦 are even integers. We will prove that 푓1(푥, 푦) is an even integer. 푥 and 푦 are even integers. Thus, by the induction hypotheses, 푥 = 2푚 and 푦 = 2푛 where 푚 and 푛 are integers. Then, 푓1(푥, 푦) = 푥 + 푦 = 2푚 + 2푛 = 2(푚 + 푛). Since (푚 + 푛) is an integer, 푓1(푥, 푦) is an even integer. Case 2: Let 푥, 푦 ∈ 퐼(푋, 퐶, 푃 ). Induction hypotheses: Assume that 푥 and 푦 are even integers. We will prove that 푓2(푥, 푦) is an even integer. 푥 and 푦 are even integers. Thus, by the induction hypotheses, 푥 = 2푚 and 푦 = 2푛 where 푚 and 푛 are integers. Then, 푓2(푥, 푦) = 푥 − 푦 = 2푚 − 2푛 = 2(푚 − 푛). Since (푚 − 푛) is an integer, 푓2(푥, 푦) is an even integer.

By the principle of structural induction, every element of 퐼(푋, 퐶, 푃 ) is an even integer.

14 1.3 The Semantics of an Implication Exercise 6. Do you really understand an implication? We will find out.

• Think of an implication as a promise that someone made to you. In what case can you prove that the promise has been broken (i.e. the implication is false)?

• When the premise is true, what is the relationship between the truth value of the conclusion and the truth value of the implication?

• When the premise is false, the implication is vacuously true. Could you come up with an intuitive explanation for this?

• If the conclusion is true, is the implication true or false?

• The implication (푎 → 푏) is logically equivalent to ((¬푎) ∨ 푏). Does this equivalent formula make sense to you? Explain.

15 1.4 Tautology, Contradiction, and Satisfiable but Not a Tautology Exercise 7. Determine whether each of the following formulas is a tautology, satisfiable but not a tautology, or a contradiction.

• 푝 Solution: Answer: Satisfiable but not a tautology. Reason: True when 푝 is true and false when 푝 is false.

• ((푟 ∧ 푠) → 푟) Solution: Answer: Tautology. Reason: When 푟 is true, the conclusion of the implication is true, so the implication is true. When 푟 is false, the premise of the implication is false, so the implication is vacuously true.

• ((¬(푝 ↔ 푞)) ↔ (푞 ∨ 푝)) Solution: Answer: Satisfiable but not a tautology Reason: It’s tempting to say “these two formulas don’t mean the same thing so the biconditional is false”. However, go back to truth values. When 푝 is true and 푞 is false, both sides of the biconditional are true and the biconditional itself is true. When 푝 and 푞 are both true, the left side is false but the right is true, and so the biconditional is false.

• ((((푝 ∨ 푞) ∧ (푝 ∨ (¬푞))) ∧ ((¬푝) ∨ 푞)) ∧ ((¬푝) ∨ (¬푞))) Solution: Answer: Contradiction Reason: The first half can be simplfiied to (푝 ∨ (푞 ∧ (¬푞))), which is (푝 ∨ 퐹 ) or 푝. The second half can be simplfiied to (¬푝). Thus, the entire formula is (푝 ∧ (¬푝)), which is a contradiction.

16 1.5 Logical Equivalence Exercise 8. ”If it is sunny, I will play golf, provided that I am relaxed.” 푠: it is sunny. 푔: I will play golf. 푟: I am relaxed. There are three possible translations:

1. (푟 → (푠 → 푔))

2. ((푠 ∧ 푟) → 푔)

3. (푠 → (푟 → 푔))

Prove that all three translations are logically equivalent.

Solution: Part 1: (푟 → (푠 → 푔)) ⊨ ⊨ ((푠 ∧ 푟) → 푔). Proof.

(푟 → (푠 → 푔)) (60) ⊨ ⊨ (푟 → ((¬푠) ∨ 푔)) Implication (61) ⊨ ⊨ ((¬푟) ∨ ((¬푠) ∨ 푔)) Implication (62) ⊨ ⊨ (((¬푟) ∨ (¬푠)) ∨ 푔) Associativity (63) ⊨ ⊨ (((¬(푟 ∧ 푠)) ∨ 푔) De Morgan (64) ⊨ ⊨ ((푟 ∧ 푠) → 푔) Implication (65) ⊨ ⊨ ((푠 ∧ 푟) → 푔) Commutativity (66)

Part 2: (푟 → (푠 → 푔)) ⊨ ⊨ (푠 → (푟 → 푔)). Proof.

(푟 → (푠 → 푔)) (67) ⊨ ⊨ (푟 → ((¬푠) ∨ 푔)) Implication (68) ⊨ ⊨ ((¬푟) ∨ ((¬푠) ∨ 푔)) Implication (69) ⊨ ⊨ (((¬푟) ∨ (¬푠)) ∨ 푔) Associativity (70) ⊨ ⊨ (((¬푠) ∨ (¬푟)) ∨ 푔) Commutativity (71) ⊨ ⊨ ((¬푠) ∨ ((¬푟) ∨ 푔)) Associativity (72) ⊨ ⊨ ((¬푠) ∨ (푟 → 푔)) Implication (73) ⊨ ⊨ (푠 → (푟 → 푔)) Implication (74)

17 Exercise 9. ”If it snows then I will not go to class but I will do my assignment.” 푠: it snows. 푐: I will go to class. 푎: I will do my assignment. There are two possible translations:

1. ((푠 → (¬푐)) ∧ 푎)

2. (푠 → ((¬푐) ∧ 푎))

Prove that the two translations are NOT logically equivalent.

Solution: Proof. We need to find a valuation 푡 under which the two formulas have different values. Consider the truth valuation 푡 where 푡(푠) = 0, 푡(푐) = 1, and 푡(푎) = 0. The two formulas have different values under 푡, as shown below.

• ((푠 → (¬푐)) ∧ 푎)푡 = 0

• (푠 → ((¬푐) ∧ 푎))푡 = 1

18 1.6 Analyzing Conditional Code Consider the following code fragment: if (input > 0 || !output) { if (!(output && queuelength < 100)) { P1 } else if (output && !(queuelength < 100)) { P2 } else { P3 } } else { P4 } Define the propositional variables:

• 푖: input > 0

• 푢: output

• 푞: queuelength < 100

The code fragment becomes the following. We’ll call this code fragment #1. if ( i || !u ) { if ( !(u && q) ) { P1 } else if ( u && !q ) { P2 } else { P3 } } else { P4 } Code fragment #2: if (( i && u) && q) { P3 } else if (!i && u) { P4 } else { P1 } Prove that these two pieces of code fragments are equivalent: Solution:

19 Prove that the condition leading to 푃2 is logically equivalent to 0. The condition leading to 푃2:

(((푖 ∨ (¬푢)) ∧ (¬(¬(푢 ∧ 푞)))) ∧ (푢 ∧ (¬푞))) (75) ⊨ ⊨ (((푖 ∨ (¬푢)) ∧ (푢 ∧ 푞)) ∧ (푢 ∧ (¬푞))) Double Negation (76) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ ((푢 ∧ 푢) ∧ (푞 ∧ (¬푞)))) Associativity, Commutativity (77) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ (푢 ∧ (푞 ∧ (¬푞)))) Idempotence (78) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ (푢 ∧ 0)) Contradiction (79) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ 0) Simplification 1 (80) ⊨ ⊨ 0 Simplification 1 (81) (82)

Prove that the condition leading to 푃3 is true if and only if all three variables are true. The condition leading to 푃3:

(((푖 ∨ (¬푢)) ∧ (푢 ∧ 푞)) ∧ (¬(푢 ∧ (¬푞)))) (83) ⊨ ⊨ (((푖 ∨ (¬푢)) ∧ (푢 ∧ 푞)) ∧ ((¬푢) ∨ (¬(¬푞)))) De Morgan (84) ⊨ ⊨ (((푖 ∨ (¬푢)) ∧ (푢 ∧ 푞)) ∧ ((¬푢) ∨ 푞)) Double Negation (85) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ (푢 ∧ (푞 ∧ ((¬푢) ∨ 푞))))) Associativity (86) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ (푢 ∧ 푞)) Simplification 2 (87) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ 푢) ∧ 푞) Associativity (88) ⊨ ⊨ (((푖 ∧ 푢) ∨ ((¬푢) ∧ 푢)) ∧ 푞) Distributivity (89) ⊨ ⊨ (((푖 ∧ 푢) ∨ 0) ∧ 푞) Contradiction (90) ⊨ ⊨ ((푖 ∧ 푢) ∧ 푞) Simplification 1 (91)

Prove that the condition leading to 푃4 is true if and only if 푖 is false and 푢 is true. The condition leading to 푃4:

(¬(푖 ∨ (¬푢))) (92) ((¬푖) ∧ (¬(¬푢))) De Morgan (93) ⊨ ⊨ ((¬푖) ∧ 푢) Double Negation (94)

The condition leading to 푃1:

((푖 ∨ (¬푢)) ∧ (¬(푢 ∧ 푞))) (95) ⊨ ⊨ ((푖 ∨ (¬푢)) ∧ ((¬푢) ∨ (¬푞))) De Morgan (96) ⊨ ⊨ ((¬푢) ∨ (푖 ∧ (¬푞))) Distributivity (97)

20 1.7 Circuit Design Basic gates:

Problem: Your instructors, Alice, Carmen, and Collin, are choosing questions to be put on the midterm. For each problem, each instructor votes either yes or not. A question is chosen if it receives two or more yes votes. Design a circuit, which outputs yes whenever a question is chosen.

1. Draw the truth table based on the problem description.

x y z output 1 1 1 1 1 1 0 1 1 0 1 1 1 0 0 0 0 1 1 1 0 1 0 0 0 0 1 0 0 0 0 0

2. Convert the truth table into a propositional formula.

3. Then, convert the formula to a circuit.

Solution:

21 Solution 1:

1. Convert the truth table into a propositional formula.

Convert each row of the truth table to a conjunction. If a variable is true in that row, write it down. Otherwise, if the variable is false, write down its negation. Then connect all variables or their negations together using AND.

• ((푥 ∧ 푦) ∧ 푧) • ((푥 ∧ 푦) ∧ (¬푧)) • ((푥 ∧ (¬푦)) ∧ 푧) • (((¬푥) ∧ 푦) ∧ 푧)

Connect all formulas into a disjunction. (((((푥 ∧ 푦) ∧ 푧) ∨ ((푥 ∧ 푦) ∧ (¬푧))) ∨ ((푥 ∧ (¬푦)) ∧ 푧)) ∨ (((¬푥) ∧ 푦) ∧ 푧))

2. Draw the circuit.

Making a circuit clear and readable can be challenging. Here are some advice on drawing circuits:

• Determine where to put the inputs and the outputs first. • Determine where to put the major gates (the OR at the end, and one AND for each scenario). • Try to draw wires horizontally or vertically, not at an angle. • Indicate clearly whether two crossing wires are connected or not.

22 Solution 2:

1. Convert the truth table into a propositional formula.

Converts rows 1-3 to a propositional formula. (푥 ∧ (푦 ∨ 푧)) Convert row 5 to a propositional formula. (((¬푥) ∧ 푦) ∧ 푧) Connect all formulas into a disjunction. ((푥 ∧ (푦 ∨ 푧)) ∨ (((¬푥) ∧ 푦) ∧ 푧))

2. Draw the circuit.

23 Solution 3:

1. Convert the truth table into a propositional formula.

Convert rows 1 and 5 into a propositional formula. (푦 ∧ 푧) Convert rows 2 and 3 into a propositional formula. (푥 ∧ (푦 ⊕ 푧)) For convenience, we will use the symbol ⊕ to represent an exclusive OR. However, you are only allowed to use this symbol in circuit design problems. You are not allowed to use this symbol for other problems because it is not a basic connective based on the definition of well-formed formulas. Connect all formulas into a disjunction. ((푦 ∧ 푧) ∨ (푥 ∧ (푦 ⊕ 푧)))

2. Draw the circuit.

24 Solution 4 (contributed by Triman Kandola)

1. Convert the truth table into a propositional formula. (((푥 ∧ 푦) ∨ (푥 ∧ 푧)) ∨ (푦 ∧ 푧)) This formula intuitively makes sense. If two people are already voting yes, then I don’t care about what the third vote is.

2. Draw the circuit.

25 1.8 Tautological Consequence Exercise 10. Let Σ = {(푝 → 푞), (푞 → 푟)}. Is Σ satisfiable? Why or why not?

Solution: Σ is satisfied by the truth valuation 푡 where 푡(푝) = 1, 푡(푞) = 1 and 푡(푟) = 1. Note that (푝 → 푞)푡 = 1 and (푞 → 푟)푡 = 1. Thus, Σ is satisfiable.

Exercise 11. Let Σ = ∅. Is Σ satisfiable? Why or why not?

Solution: Σ is satisfiable. In fact, any truth valuation satisfies Σ. A truth valuation 푡 satisfies Σ if and only if, for any formula 퐴, if 퐴 is in Σ, then 퐴푡 = 1. Since Σ = ∅, no formula is in Σ. The premise of the implication is false for any 퐴, so the implication is true for every 퐴. Therefore, any truth valuation satisfies Σ = ∅.

Exercise 12. Let Σ = {푝, (¬푝)}. Is Σ satisfiable? Why or why not?

Solution: Σ is not satisfiable. To show this, we need to show that, under every truth valuation, at least one formula in Σ is false. Consider an arbitrary truth valuation 푡. Under 푡, 푝 is either true or false.

• If 푝푡 = 1, then (¬푝)푡 = 0. 푡 does not satisfy Σ.

• If 푝푡 = 0, then 푡 does not satisfy Σ.

In both cases, 푡 does not satisfy Σ. Therefore, no truth valuation can satisfy Σ. Σ is not satisfiable.

26 Exercise 13. Prove that {(¬(푝 ∧ 푞)), (푝 → 푞)} ⊨ (¬푝).

Solution: Proof. Consider a truth valuation 푡 such that (¬(푝 ∧ 푞))푡 = 1 and (푝 → 푞)푡 = 1. Since (푝 → 푞)푡 = 1, it is not the case that 푝푡 = 1 and 푞푡 = 0. Since (¬(푝 ∧ 푞))푡 = 1, it is not the case that 푝푡 = 1 and 푞푡 = 1. Thus, the two premises are true under two scenarios:

• 푝푡 = 0 and 푞푡 = 1: In this case, (¬푝)푡 = 1.

• 푝푡 = 0 and 푞푡 = 0: In this case, (¬푝)푡 = 1.

In both scenarios, the conclusion is true. Thus, the tautological consequence holds.

Exercise 14. Prove that {(¬(푝 ∧ 푞)), (푝 → 푞)} ⊭ (푝 ↔ 푞).

Solution: Proof. Consider the truth valuation 푡 where 푝푡 = 0 and 푞푡 = 1. By definitions of the connectives, (¬(푝 ∧ 푞))푡 = 1, (푝 → 푞)푡 = 1 and (푝 ↔ 푞)푡 = 0. Thus, the tautological consequence does not hold.

Exercise 15. Prove that ∅ ⊨ ((푝 ∧ 푞) → 푝)).

Solution: Proof. Since there is no premise, we need to prove that the conclusion ((푝 ∧ 푞) → 푝)) is a tautology. Consider any truth valuation 푡. Under 푡, p must be either true or false.

• 푝푡 = 1: The conclusion of the implication ((푝 ∧ 푞) → 푝))is true. Therefore, the implication is true.

• 푝푡 = 0: The premise of the implication ((푝∧푞) → 푝)) is true. Therefore, the implication is true.

Thus, the conclusion is true under any truth valuation and is a tautology. The tautological consequence holds.

27 Exercise 16. Prove that {푟, (푝 → (푟 → 푞))} ⊨ (푝 → (푞 ∧ 푟)).

Solution: Proof. Consider a truth valuation 푡 where 푟푡 = 1 and (푝 → (푟 → 푞))푡 = 1. We need to show that (푝 → (푞 ∧ 푟))푡 = 1. Consider two cases: 푝푡 = 0 and 푝푡 = 1. If 푝푡 = 0, then (푝 → (푞 ∧ 푟))푡 = 1. Otherwise, suppose that 푝푡 = 1. We need to show that (푞 ∧ 푟)푡 = 1. By the definition of implication, (푟 → 푞)푡 = 1 since (푝 → (푟 → 푞))푡 = 1. Since 푟푡 = 1 and (푟 → 푞)푡 = 1, then 푞푡 = 1 by the definition of implication. By the definition of ∧, (푞∧푟)푡 = 1 since 푞 and 푟 are both true under 푡. Therefore, (푝 → (푞 ∧ 푟))푡 = 1. In both cases, the conclusion is true under 푡. The tautological consequence holds.

Exercise 17. Prove that {(¬푝), (푞 → 푝)} ⊭ ((¬푝) ∧ 푞).

Solution:

Remark 1. We need to come up with a truth valuation under which both premises are true and the conclusion is false. (¬푝) has to be true. So 푝 has to be false under this truth valuation. (푞 → 푝) has to be true and 푝 is false. Thus, 푞 must be false under this truth valuation. Therefore, this truth valuation must make 푝 false and 푞 false.

Proof. Consider the truth valuation 푡 where 푝푡 = 0 and 푞푡 − 0. Under this truth valuation, (¬푝)푡 = 1 and (푞 → 푝)푡 = 1. Both premises are true. Under this truth valuation, ((¬푝) ∧ 푞)푡 = 0. The conclusion is false. Therefore, the tautological consequence does not hold.

Exercise 18. Prove that {푝, (¬푝)} ⊨ 푟.

Solution: Proof. Consider any truth valuation 푡 under which both premises are true. If such a truth valuation exists, we have to show that 푟 must be true under this truth valuation. However, such a truth valuation does not exist. There are two possible cases. 푝 is true or 푝 is false. If 푝 is false, then this truth valuation does not satisfy the first premise. If 푝 is true under this truth valuation, then (¬푝) must be false. This truth valuation does not satisfy the second premise. Since no truth valuation satisfies both premises, the tautological consequence holds.

28 1.9 Formal Deduction 1.9.1 Rules of Formal Deduction membership (∈) Addition of premises (+) if 퐴 ∈ Σ, if Σ ⊢ 퐴, then Σ ⊢ 퐴. then Σ, Σ′ ⊢ 퐴. Special case: Reflexivity (Ref)

퐴 ⊢ 퐴.

And introduction (∧+) And elimination (∧−)

if Σ ⊢ 퐴, if Σ ⊢ 퐴 ∧ 퐵, Σ ⊢ 퐵, then Σ ⊢ 퐴. then Σ ⊢ 퐴 ∧ 퐵. if Σ ⊢ 퐴 ∧ 퐵, then Σ ⊢ 퐵.

Or introduction (∨+) Or elimination (∨−)

if Σ ⊢ 퐴, if Σ, 퐴 ⊢ 퐶, then Σ ⊢ 퐴 ∨ 퐵. Σ, 퐵 ⊢ 퐶, if Σ ⊢ 퐵, then Σ, 퐴 ∨ 퐵 ⊢ 퐶. then Σ ⊢ 퐴 ∨ 퐵.

Negation introduction (¬+) Negation elimination (¬−)

if Σ, 퐴 ⊢ 퐵, if Σ, ¬퐴 ⊢ 퐵, Σ, 퐴 ⊢ ¬퐵, Σ, ¬퐴 ⊢ ¬퐵, then Σ ⊢ ¬퐴. then Σ ⊢ 퐴.

Implication introduction (→ +) Implication elimination (→ −)

if Σ, 퐴 ⊢ 퐵, if Σ ⊢ 퐴, then Σ ⊢ 퐴 → 퐵. Σ ⊢ 퐴 → 퐵, then Σ ⊢ 퐵.

29 Equivalence introduction (↔ +) Equivalence elimination (↔ −)

if Σ, 퐴 ⊢ 퐵, if Σ ⊢ 퐴, Σ, 퐵 ⊢ 퐴, Σ ⊢ 퐴 ↔ 퐵, then Σ ⊢ 퐴 ↔ 퐵. then Σ ⊢ 퐵. if Σ ⊢ 퐵, Σ ⊢ 퐴 ↔ 퐵, then Σ ⊢ 퐴. Comments:

• For each connective, the rules come in pairs. The introduction rule produces a conclu- sion with the connective in it. The elimination rule produces a conclusion without the connective.

• 퐴 and 퐵 can be any propositional formula. In particular, 퐴 and 퐵 can be the same.

• Σ and Σ′ are sets of propositional formulas.

• Σ, 퐴 means Σ ∪ {퐴}. Σ, Σ′ means Σ ∪ Σ′.

30 1.9.2 Format of a Formal Deduction Proof • Every line contains: a line number, a set of premises, the ⊢ symbol, a conclusion, and a justification containing a formal deduction rule and possibly line numbers. • The last line of a proof is the same as the original statement to be proved. • Every line of the proof can be justified in two ways: (1) using the premises on theleft of ⊢ using the membership ∈ rule. (2) using one or more conclusions on previous lines by using any other formal deduction rule. • You have to bring a premise to the right of ⊢ before you can use it in a subsequent line.

1.9.3 Strategies for writing a formal deduction proof What is the thought process for producing a formal deduction proof? • I’ve found that it is most effective to generate a proof backwards starting from thelast line of the proof. • Write down the statement to be proved as the last line of the proof. Work backwards from here. • Look at the conclusion carefully. What is the structure of the conclusion (what is the last connective applied in the formula? Can you apply an introduction rule to produce the conclusion? • Look at each premise carefully. What is the structure of the premise (what is the last connective applied in the formula)? Can you apply an elimination rule to simplify it and to produce a new formula? • Working backwards from the conclusion is often more effective than working forward from the premises. It keeps your eyes on the prize. • If no rule is applicable, consider using ¬+ or ¬−. The negation rules are “universal”. They can be applied in any situation but beware that they are not always helpful. • When do we stop? We can stop this process when we are able to justify every line of our proof. Usually, we end this process by justifying the last line produced using the membership ∈ rule. Why are we allowed to add premises to the left of ⊢? • Think about adding a premise on the left of ⊢ as making an assumption in our proof. For example, when you are proving a property of a natural number, you may write your proof as follows: case 1, 푛 is even ... case 2, 푛 is odd ... Here 푛 is even and 푛 is odd are additional assumptions made in your proof. Adding a premise on the left is the same as making such an additional assumption.

31 • We are only able to add a premise on the left of ⊢ if a formal deduction rule allows us to do so.

• Eventually, we will need to remove the additional premises from the left of ⊢ in order to produce the conclusion required in the original statement to be proved.

32 1.9.4 And elimination and introduction Exercise 19. Show that (푝 ∧ 푞), (푟 ∧ 푠) ⊢ (푞 ∧ 푠).

Solution:

(1) 푝∧푞,푟∧푠⊢푝∧푞 by (∈) (2) 푝 ∧ 푞, 푟 ∧ 푠 ⊢ 푞 by ∧ −, 1 (3) 푝∧푞,푟∧푠⊢푟∧푠 by (∈) (4) 푝 ∧ 푞, 푟 ∧ 푠 ⊢ 푠 by ∧ −, 3 (5) 푝∧푞,푟∧푠⊢푞∧푠 by ∧ +, 2, 4

Exercise 20. Show that ((푝 ∧ 푞) ∧ 푟) ⊢ (푝 ∧ (푞 ∧ 푟)).

Solution:

(1) (푝 ∧ 푞) ∧ 푟 ⊢ (푝 ∧ 푞) ∧ 푟 by (∈) (2) (푝 ∧ 푞) ∧ 푟 ⊢ (푝 ∧ 푞) by ∧ −, 1 (3) (푝 ∧ 푞) ∧ 푟 ⊢ 푟 by ∧ −, 1 (4) (푝 ∧ 푞) ∧ 푟 ⊢ 푝 by ∧ −, 2 (5) (푝 ∧ 푞) ∧ 푟 ⊢ 푞 by ∧ −, 2 (6) (푝 ∧ 푞) ∧ 푟 ⊢ 푞 ∧ 푟 by ∧ +, 3, 5 (7) (푝 ∧ 푞) ∧ 푟 ⊢ 푝 ∧ (푞 ∧ 푟) by ∧ +, 4, 6

33 1.9.5 Implication introduction and elimination Exercise 21. Show that (푝 → 푞), (푞 → 푟) ⊢ (푝 → 푟).

Solution:

(1) 푝→푞,푞→푟,푝⊢푝→푞 by (∈) (2) 푝→푞,푞→푟,푝⊢푝 by (∈) (3) 푝→푞,푞→푟,푝⊢푞 by (→ −, 1, 2) (4) 푝→푞,푞→푟,푝⊢푞→푟 by (∈) (5) 푝→푞,푞→푟,푝⊢푟 by (→ −, 3, 4) (6) 푝→푞,푞→푟⊢푝→푟 by (→ +, 5)

Exercise 22. Show that (푝 → (푞 → 푟)), (푝 → 푞) ⊢ (푝 → 푟).

Solution:

(1) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푝 by (∈) (2) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푝 → 푞 by (∈) (3) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푞 by (→ −, 1, 2) (4) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푝 → (푞 → 푟) by (∈) (5) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푞 → 푟 by (→ −, 1, 4) (6) 푝 → (푞 → 푟), 푝 → 푞, 푝 ⊢ 푟 by (→ −, 3, 5) (7) 푝 → (푞 → 푟), 푝 → 푞 ⊢ 푝 → 푟 by (→ +, 6)

34 Exercise 23. Show that (푝 → (푞 → 푟)) ⊢ ((푝 ∧ 푞) → 푟).

Solution:

(1) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푝 ∧ 푞 by (∈) (2) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푝 by (∧−, 1) (3) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푝 → (푞 → 푟) by (∈) (4) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푞 by (∧−, 1) (5) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푞 → 푟 by (→ −, 2, 3) (6) 푝 → (푞 → 푟), 푝 ∧ 푞 ⊢ 푟 by (→ −, 4, 5) (7) 푝 → (푞 → 푟) ⊢ (푝 ∧ 푞) → 푟 by (→ +, 6)

Exercise 24. Show that ((푝 ∧ 푞) → 푟) ⊢ (푝 → (푞 → 푟)).

Solution:

(1) (푝 ∧ 푞) → 푟, 푝, 푞 ⊢ (푝 ∧ 푞) → 푟 by (∈) (2) (푝 ∧ 푞) → 푟, 푝, 푞 ⊢ 푝 by (∈) (3) (푝 ∧ 푞) → 푟, 푝, 푞 ⊢ 푞 by (∈) (4) (푝 ∧ 푞) → 푟, 푝, 푞 ⊢ 푝 ∧ 푞 by (∧+, 2, 3) (5) (푝 ∧ 푞) → 푟, 푝, 푞 ⊢ 푟 by (→ −, 1, 4) (6) (푝 ∧ 푞) → 푟, 푝 ⊢ 푞 → 푟 by (→ +, 5) (7) (푝 ∧ 푞) → 푟 ⊢ 푝 → (푞 → 푟) by (→ +, 6)

35 1.9.6 Or introduction and elimination Exercise 25. Show that (푝 ∨ 푞) ⊢ ((푝 → 푞) ∨ (푞 → 푝)).

Solution:

(1) 푝, 푞 ⊢ 푝 by (∈) (2) 푝 ⊢ 푞 → 푝 by (→ +, 1) (3) 푞, 푝 ⊢ 푞 by (∈) (4) 푞 ⊢ 푝 → 푞 by (→ +, 1) (5) 푝 ⊢ (푝 → 푞) ∨ (푞 → 푝) by (∨+, 2) (6) 푞 ⊢ (푝 → 푞) ∨ (푞 → 푝) by (∨+, 4) (7) (푝 ∨ 푞) ⊢ (푝 → 푞) ∨ (푞 → 푝) by (∨−, 5, 6)

Exercise 26. Show that (푝 → 푞) ⊢ ((푟 ∨ 푝) → (푟 ∨ 푞)).

Solution:

(1) 푝 → 푞, 푝 ⊢ 푝 by (∈) (2) 푝 → 푞, 푝 ⊢ 푝 → 푞 by (∈) (3) 푝 → 푞, 푝 ⊢ 푞 by (→ −, 1, 2) (4) 푝 → 푞, 푟 ⊢ 푟 by (∈) (5) 푝 → 푞, 푟 ⊢ (푟 ∨ 푞) by (∨+, 4) (6) 푝 → 푞, 푝 ⊢ (푟 ∨ 푞) by (∨+, 3) (7) 푝 → 푞, 푟 ∨ 푝 ⊢ (푟 ∨ 푞) by (∨−, 5, 6) (8) 푝 → 푞 ⊢ (푟 ∨ 푝) → (푟 ∨ 푞) by (→ +, 7)

36 Exercise 27. Show that ((푝 ∧ 푞) ∨ (푝 ∧ 푟)) ⊢ (푝 ∧ (푞 ∨ 푟)).

Solution:

(1) 푝 ∧ 푞 ⊢ 푝 ∧ 푞 by (∈) (2) 푝 ∧ 푞 ⊢ 푞 by (∧−, 1) (3) 푝 ∧ 푞 ⊢ 푞 ∨ 푟 by (∨+, 2) (4) 푝 ∧ 푞 ⊢ 푝 by (∧−, 1) (5) 푝 ∧ 푟 ⊢ 푝 ∧ 푟 by (∈) (6) 푝 ∧ 푟 ⊢ 푟 by (∧−, 5) (7) 푝 ∧ 푟 ⊢ 푞 ∨ 푟 by (∨+, 6) (8) 푝 ∧ 푟 ⊢ 푝 by (∧−, 5) (9) 푝 ∧ 푞 ⊢ 푝 ∧ (푞 ∨ 푟) by (∧+, 3, 4) (10) 푝 ∧ 푟 ⊢ 푝 ∧ (푞 ∨ 푟) by (∧+, 7, 8) (11) (푝 ∧ 푞) ∨ (푝 ∧ 푟) ⊢ 푝 ∧ (푞 ∨ 푟) by (∨−, 9, 10)

Exercise 28. Show that (푝 ∧ (푞 ∨ 푟)) ⊢ ((푝 ∧ 푞) ∨ (푝 ∧ 푟)).

Solution:

(1) (푝 ∧ (푞 ∨ 푟)) ⊢ (푝 ∧ (푞 ∨ 푟)) by (푅푒푓) (2) (푝 ∧ (푞 ∨ 푟)) ⊢ 푝 by (∧−, 1) (3) (푝 ∧ (푞 ∨ 푟)) ⊢ 푞 ∨ 푟 by (∧−, 1) (4) (푝 ∧ (푞 ∨ 푟)), 푞 ⊢ 푞 by (∈) (5) (푝 ∧ (푞 ∨ 푟)), 푞 ⊢ 푝 by (+, 2) (6) (푝 ∧ (푞 ∨ 푟)), 푞 ⊢ 푝 ∧ 푞 by (∧+, 4, 5) (7) (푝 ∧ (푞 ∨ 푟)), 푞 ⊢ (푝 ∧ 푞) ∨ (푝 ∧ 푟) by (∨+, 6) (8) (푝 ∧ (푞 ∨ 푟)), 푟 ⊢ 푟 by (∈) (9) (푝 ∧ (푞 ∨ 푟)), 푟 ⊢ 푝 by (+, 2) (10) (푝 ∧ (푞 ∨ 푟)), 푟 ⊢ 푝 ∧ 푟 by (∧+, 8, 9) (11) (푝 ∧ (푞 ∨ 푟)), 푟 ⊢ (푝 ∧ 푞) ∨ (푝 ∧ 푟) by (∨+, 10) (12) (푝 ∧ (푞 ∨ 푟)), 푞 ∨ 푟 ⊢ (푝 ∧ 푞) ∨ (푝 ∧ 푟) by (∨−, 7, 11) (13) (푝 ∧ (푞 ∨ 푟)) ⊢ (푞 ∨ 푟) → (푝 ∧ 푞) ∨ (푝 ∧ 푟) by (→ +, 12) (14) (푝 ∧ (푞 ∨ 푟)) ⊢ (푝 ∧ 푞) ∨ (푝 ∧ 푟) by (→ −, 3, 13)

37 1.9.7 Negation introduction and elimination Exercise 29. Show that 푝 → (¬푝) ⊢ (¬푝).

Solution:

(1) 푝 → (¬푝), 푝 ⊢ 푝 by (∈) (2) 푝 → (¬푝), 푝 ⊢ 푝 → (¬푝) by (∈) (3) 푝 → (¬푝), 푝 ⊢ (¬푝) by (→ −, 1, 2) (4) 푝 → (¬푝) ⊢ (¬푝) by (¬+, 1, 3)

Exercise 30. Show that (푝 → (푞 → 푟)), 푝, (¬푟) ⊢ (¬푞).

Solution:

(1) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ 푝 by (∈) (2) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ 푝 → (푞 → 푟) by (∈) (3) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ 푞 → 푟 by (→ −, 1, 2) (4) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ 푞 by (∈) (5) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ 푟 by (→ −, 3, 4) (6) 푝 → (푞 → 푟), 푝, (¬푟), 푞 ⊢ (¬푟) by (∈) (7) 푝 → (푞 → 푟), 푝, (¬푟) ⊢ (¬푞) by (¬+, 5, 6)

38 Exercise 31. Show that (푝 → 푞), (¬푞) ⊢ (¬푝).

Solution:

(1) 푝 → 푞, ¬푞, 푝 ⊢ 푝 by (∈) (2) 푝 → 푞, ¬푞, 푝 ⊢ 푝 → 푞 by (∈) (3) 푝 → 푞, ¬푞, 푝 ⊢ 푞 by (→ −, 1, 2) (4) 푝 → 푞, ¬푞, 푝 ⊢ ¬푞 by (∈) (5) 푝 → 푞, ¬푞 ⊢ ¬푝 by (¬−, 3, 4)

Exercise 32. Show that (¬푝) → (¬푞) ⊢ (푞 → 푝).

Solution:

(1) (¬푝) → (¬푞), 푞, ¬푝 ⊢ ¬푝 by (∈) (2) (¬푝) → (¬푞), 푞, ¬푝 ⊢ (¬푝) → (¬푞) by (∈) (3) (¬푝) → (¬푞), 푞, ¬푝 ⊢ 푞 by (∈) (4) (¬푝) → (¬푞), 푞, ¬푝 ⊢ ¬푞 by (→ −, 1, 2) (5) (¬푝) → (¬푞), 푞 ⊢ 푝 by (¬−, 3, 4) (6) (¬푝) → (¬푞) ⊢ 푞 → 푝 by (→ +, 5)

Exercise 33. Show that (푝 ∧ (¬푞)) → 푟, (¬푟), 푝 ⊢ 푞.

Solution:

(1) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ 푝 by (∈) (2) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ ¬푞 by (∈) (3) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ (푝 ∧ ¬푞) by (∧+, 1, 2) (4) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ (푝 ∧ ¬푞) → 푟 by (∈) (5) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ 푟 by (→ −, 3, 4) (6) (푝 ∧ ¬푞) → 푟, ¬푟, 푝, ¬푞 ⊢ (¬푟) by (∈) (7) (푝 ∧ ¬푞) → 푟, ¬푟, 푝 ⊢ 푞 by (¬−, 5, 6)

39 Exercise 34. Show that (푝 ∨ 푞), (¬푝) ⊢ 푞.

Solution:

(1) ¬푝, 푝, ¬푞 ⊢ 푝 by (∈) (2) ¬푝, 푝, ¬푞 ⊢ ¬푝 by (∈) (3) ¬푝, 푝 ⊢ 푞 by (¬−, 1, 2) (4) ¬푝, 푞 ⊢ 푞 by (∈) (5) ¬푝, 푝 ∨ 푞 ⊢ 푞 by (∨−, 3, 4)

Exercise 35. Show that ∅ ⊢ (¬푝) → (푝 → (푝 → 푞)).

Solution:

(1) ¬푝, 푝, ¬(푝 → 푞) ⊢ 푝 by (∈) (2) ¬푝, 푝, ¬(푝 → 푞) ⊢ ¬푝 by (∈) (3) ¬푝, 푝 ⊢ 푝 → 푞 by (¬−, 1, 2) (4) ¬푝 ⊢ 푝 → (푝 → 푞) by (→ +, 3) (5) ∅ ⊢ (¬푝) → (푝 → (푝 → 푞)) by (→ +, 4)

40 1.9.8 Putting them together! Exercise 36. (De Morgan’s Law) Show that (¬(푎 ∨ 푏)) ⊢ ((¬푎) ∧ (¬푏)). Solution: (1) ¬(푎 ∨ 푏), 푎 ⊢ ¬(푎 ∨ 푏) by (∈) (2) ¬(푎 ∨ 푏), 푎 ⊢ 푎 by (∈) (3) ¬(푎 ∨ 푏), 푎 ⊢ (푎 ∨ 푏) by (∨+, 2) (4) ¬(푎 ∨ 푏), 푏 ⊢ ¬(푎 ∨ 푏) by (∈) (5) ¬(푎 ∨ 푏), 푏 ⊢ 푏 by (∈) (6) ¬(푎 ∨ 푏), 푏 ⊢ (푎 ∨ 푏) by (∨+, 5) (7) ¬(푎 ∨ 푏) ⊢ ¬푎 by (∧+, 1, 3) (8) ¬(푎 ∨ 푏) ⊢ ¬푏 by (∧+, 4, 6) (9) ¬(푎 ∨ 푏) ⊢ ¬푎 ∧ ¬푏 by (∧+, 7, 8)

Exercise 37. (De Morgan’s Law) Show that ((¬푎) ∧ (¬푏)) ⊢ (¬(푎 ∨ 푏)). Solution: (1) ¬푎 ∧ ¬푏, 푎, ¬푞 ⊢ ¬푎 ∧ ¬푏 by (∈) (2) ¬푎 ∧ ¬푏, 푎, ¬푞 ⊢ ¬푎 by (∧−, 1) (3) ¬푎 ∧ ¬푏, 푎, ¬푞 ⊢ 푎 by (∈) (4) ¬푎 ∧ ¬푏, 푎 ⊢ 푞 by (¬−, 2, 3) (5) ¬푎 ∧ ¬푏, 푏, ¬푞 ⊢ ¬푎 ∧ ¬푏 by (∈) (6) ¬푎 ∧ ¬푏, 푏, ¬푞 ⊢ ¬푏 by (∧−, 5) (7) ¬푎 ∧ ¬푏, 푏, ¬푞 ⊢ 푏 by (∈) (8) ¬푎 ∧ ¬푏, 푏 ⊢ 푞 by (¬−, 6, 7) (9) ¬푎 ∧ ¬푏, 푎 ∨ 푏 ⊢ 푞 by (∨−, 4, 8) (10) ¬푎 ∧ ¬푏, 푎, 푞 ⊢ ¬푎 ∧ ¬푏 by (∈) (11) ¬푎 ∧ ¬푏, 푎, 푞 ⊢ ¬푎 by (∧−, 10) (12) ¬푎 ∧ ¬푏, 푎, 푞 ⊢ 푎 by (∈) (13) ¬푎 ∧ ¬푏, 푎 ⊢ ¬푞 by (¬+, 11, 12) (14) ¬푎 ∧ ¬푏, 푏, 푞 ⊢ ¬푎 ∧ ¬푏 by (∈) (15) ¬푎 ∧ ¬푏, 푏, 푞 ⊢ ¬푏 by (∧−, 14) (16) ¬푎 ∧ ¬푏, 푏, 푞 ⊢ 푏 by (∈) (17) ¬푎 ∧ ¬푏, 푏 ⊢ ¬푞 by (¬+, 15, 16) (18) ¬푎 ∧ ¬푏, 푎 ∨ 푏 ⊢ ¬푞 by (∨−, 13, 18) (19) ¬푎 ∧ ¬푏 ⊢ ¬(푎 ∨ 푏) by (∧+, 8, 18)

41 Exercise 38. (De Morgan’s Law) Show that ((¬푎) ∨ (¬푏)) ⊢ (¬(푎 ∧ 푏)).

Solution:

(1) ¬푏, (푎 ∧ 푏) ⊢ 푎 ∧ 푏 by (∈) (2) ¬푏, (푎 ∧ 푏) ⊢ ¬푏 by (∈) (3) ¬푏, (푎 ∧ 푏) ⊢ 푏 by (∧−, 1) (4) ¬푏 ⊢ ¬(푎 ∧ 푏) by (¬+, 2, 3) (5) ¬푎, (푎 ∧ 푏) ⊢ 푎 ∧ 푏 by (∈) (6) ¬푎, (푎 ∧ 푏) ⊢ ¬푎 by (∈) (7) ¬푎, (푎 ∧ 푏) ⊢ 푎 by (∧−, 5) (8) ¬푎 ⊢ ¬(푎 ∧ 푏) by (¬+, 6, 7) (9) ¬푎 ∨ ¬푏 ⊢ ¬(푎 ∧ 푏) by (∨−, 4, 8)

Exercise 39. (De Morgan’s Law) Show that (푎 ∨ 푏) ⊢ (¬((¬푎) ∧ (¬푏))).

Solution:

(1) ¬푎 ∧ ¬푏, 푎 ⊢ ¬푎 ∧ ¬푏 by (∈) (2) ¬푎 ∧ ¬푏, 푎 ⊢ ¬푎 by (∧−, 1) (3) ¬푎 ∧ ¬푏, 푎 ⊢ 푎 by (∈) (4) ¬푎 ∧ ¬푏, 푏 ⊢ ¬푎 ∧ ¬푏 by (∈) (5) ¬푎 ∧ ¬푏, 푏 ⊢ ¬푏 by (∧−, 4) (6) ¬푎 ∧ ¬푏, 푏 ⊢ 푏 by (∈) (7) 푎 ⊢ ¬(¬푎 ∧ ¬푏) by (¬+, 2, 3) (8) 푏 ⊢ ¬(¬푎 ∧ ¬푏) by (¬+, 5, 6) (9) 푎 ∨ 푏 ⊢ ¬(¬푎 ∧ ¬푏) by (∨−, 7, 8)

42 Exercise 40. (De Morgan’s Law) Show that (¬(푎 ∧ 푏)) ⊢ ((¬푎) ∨ (¬푏)).

Solution:

Exercise 41. Show that (¬(푝 → 푞)) ⊢ (푞 → 푝).

Solution:

43 Exercise 42. (Law of excluded middle) ∅ ⊢ (푎 ∨ (¬푎)).

Solution: Solution 1:

(1) ¬(푎 ∨ (¬푎)), 푎 ⊢ 푎 by (∈) (2) ¬(푎 ∨ (¬푎)), 푎 ⊢ ¬(푎 ∨ (¬푎)) by (∈) (3) ¬(푎 ∨ (¬푎)), 푎 ⊢ 푎 ∨ (¬푎) by (∨+, 1) (4) ¬(푎 ∨ (¬푎)) ⊢ ¬푎 by (¬+, 2, 3) (5) ¬(푎 ∨ (¬푎)) ⊢ ¬(푎 ∨ (¬푎)) by (∈) (6) ¬(푎 ∨ (¬푎)) ⊢ 푎 ∨ (¬푎) by (∨+, 4) (7) ∅ ⊢ 푎 ∨ (¬푎) by (¬−, 5, 6)

Solution 2:

(1) ¬(푎 ∨ (¬푎)), ¬푎 ⊢ ¬푎 by (∈) (2) ¬(푎 ∨ (¬푎)), ¬푎 ⊢ ¬(푎 ∨ (¬푎)) by (∈) (3) ¬(푎 ∨ (¬푎)), ¬푎 ⊢ 푎 ∨ (¬푎) by (∨+, 1) (4) ¬(푎 ∨ (¬푎)) ⊢ 푎 by (¬−, 2, 3) (5) ¬(푎 ∨ (¬푎)) ⊢ ¬(푎 ∨ (¬푎)) by (∈) (6) ¬(푎 ∨ (¬푎)) ⊢ 푎 ∨ (¬푎) by (∨+, 4) (7) ∅ ⊢ 푎 ∨ (¬푎) by (¬−, 5, 6)

44 1.9.9 Putting them together: Additional exercises Exercise 43. (¬(푝 → 푞)) ⊢ 푝.

Exercise 44. ((푝 → 푞) → 푝) ⊢ 푝.

Exercise 45. ((푝 → 푞) → 푞) ⊢ ((¬푞) → 푝).

Exercise 46. ∅ ⊢ ((푝 → 푞) ∨ (푞 → 푟))

Exercise 47. (푝 → (푞 ∨ 푟)) ⊢ ((푝 → 푞) ∨ (푝 → 푟)).

45 1.9.10 Other problems Exercise 48. E4 Exercise 4: Prove that for any set of propositional formulas Σ and any propositional variables 푝 and 푞, if Σ ⊢ 푝, then Σ ⊢ ((¬푝) → 푞).

Solution: Proof. Let Σ be a set of propositional formulas and let 푝 and 푞 be propositional variables. Assume that Σ ⊢ 푝. This means that the following proof exists.

(1) Σ ⊢ 푝 by assumption

Using the above proof, we will construct a formal deduction proof for Σ ⊢ ((¬푝) → 푞).

(1) Σ ⊢ 푝 by assumption (2) Σ, ¬푝, ¬푞 ⊢ 푝 by (+, 1) (3) Σ, ¬푝, ¬푞 ⊢ ¬푝 by (∈) (4) Σ, ¬푝 ⊢ 푞 by (¬−, 2, 3) (5) Σ ⊢ (¬푝) → 푞 by (→ +, 4)

Therefore, Σ ⊢ ((¬푝) → 푞) holds.

46 1.10 Soundness and Completeness of Formal Deduction 1.10.1 The soundness of inference rules Exercise 49. The following inference rule is called Disjunctive syllogism.

if Σ ⊢ ¬퐴, Σ ⊢ 퐴 ∨ 퐵, then Σ ⊢ 퐵. where 퐴 and 퐵 are well-formed propositional formulas. Prove that this inference rule is sound. That is, prove that if Σ ⊨ ¬퐴 and Σ ⊨ 퐴 ∨ 퐵, then Σ ⊨ 퐵. You must use the definition of tautological consequence to write your proof. Do not use any other technique such as truth table, valuation tree, logical identities, formal deduction, soundness, or completeness.

Solution: Proof. Consider a truth valuation 푡 under which Σ푡 = 1. Since Σ ⊨ (¬퐴) and Σ ⊨ 퐴 ∨ 퐵, we have that (¬퐴)푡 = 1 and (퐴 ∨ 퐵)푡 = 1. We need to show that 퐵푡 = 1. By the truth table of ¬, since (¬퐴)푡 = 1, 퐴푡 = 0. By the truth table of ∨, since (퐴 ∨ 퐵)푡 = 1, at least one of 퐴 and 퐵 is true under 푡. Since 퐴푡 = 0, then 퐵푡 = 1. Therefore, Σ ⊨ 퐵 holds.

Remark 2. To prove that a tautological consequence holds, we need to consider all truth valuations under which all of the premises are true. For each such truth valuation, we need to show that the conclusion is true. The proof typically looks like the following.

• Consider a truth valuation 푡 under which all of the premises are true.

• If premise 1 is true under 푡, then 퐴 must be ... under 푡 and 퐵 must be ... under 푡. If premise 2 is true under 푡, then ...

• There are ... cases that we need to consider.

• Case 1: this case is impossible because .../... the conclusion is true under 푡.

• Case 2: ...

• The conclusion is true in every case. Therefore, the tautological consequence holds.

47 Exercise 50. Consider the following inference rule: (퐴 → 퐵) Flip the implication (퐵 → 퐴)

where 퐴 and 퐵 are well-formed propositional formulas. Prove that this inference rule is NOT sound. That is, prove the following statement:

{(퐴 → 퐵)} ⊭ (퐵 → 퐴)

You must use the definition of tautological consequence to write your proof. Do not use any other technique such as truth table, valuation tree, logical identities, formal deduction, soundness, or completeness. Solution: Remark 3. To prove that a tautological consequence does not hold, we need to find a concrete counterexample, which shows that, there is a truth valuation 푡 under which all of the premises are true and the conclusion is false. A concrete counterexample consist of the following: • Choose concrete formulas for 퐴 and 퐵. In the following proof, we let 퐴 be 푝 and 퐵 be 푞 where 푝 and 푞 are propositional variables.

• Choose a truth valuation 푡 such that all the premises are true and the conclusion is false.

Choosing a concrete formula for each symbol is important. In the proof below, if we do not assign concrete formulas to 퐴 and 퐵, then we cannot make claims about their truth values under 푡. We want to find a truth valuation under which 퐵 is true and 퐴 is false. This is not possible if 퐵 is (푟 ∧ (¬푟)) and 퐴 is (푟 ∨ (¬푟)). The difficult part is coming up with a counterexample that works. After that, writing upthe proof is straightforward.

Proof. To prove that the tautological consequence does not hold, we need to find one coun- terexample. Let 푝 and 푞 be two propositional variables. Let 퐴 be 푝 and let 퐵 be 푞. Consider a truth valuation 푡 under which 푝푡 = 0 and 푞푡 = 1. Under 푡, the premise is true. (퐴 → 퐵)푡 = (푝 → 푞)푡 = 1. Under 푡, the conclusion is false. (퐵 → 퐴)푡 = (푞 → 푝)푡 = 0. We found a truth valuation under which the premise is true and the conclusion is false. Thus, the tautological consequence does not hold.

48 1.10.2 Soundness and Completeness of Formal Deduction Exercise 51. Prove or disprove this statement: If {푎, 푏} ⊢ 푐, then ∅ ⊨ ((푎 ∧ 푏) → 푐). 푎, 푏, and 푐 are well-formed propositional formulas.

Solution:

Remark 4. The statement is an implication, and the premise and the conclusion of the implication differ in two ways. The premise is about the existence of a formal deduction proof, whereas the conclusion is about a tautological consequence. Moreover, the premise has 푎 and 푏 on the left hand side, whereas the conclusion has everything on the right hand side. Thus, there are two ways for us to transform the premise into the conclusion.

Approach 1: A visual representation of approach 1:

{푎, 푏} ⊢ 푐 → {푎, 푏} ⊨ 푐 → ∅ ⊨ ((푎 ∧ 푏) → 푐)

First, we transform {푎, 푏} ⊢ 푐 (the existence of a proof) to {푎, 푏} ⊨ 푐 (a tautological conse- quence) by using the soundness of formal deduction. Then, we move 푎 and 푏 from the left hand side to the right hand side by proving that {푎, 푏} ⊨ 푐 are ∅ ⊨ ((푎 ∧ 푏) → 푐) equivalent by the definition of tautological consequence.

Approach 2: A visual representation of approach 2:

{푎, 푏} ⊢ 푐 → ∅ ⊢ ((푎 ∧ 푏) → 푐) → ∅ ⊨ ((푎 ∧ 푏) → 푐)

First, we move 푎 and 푏 from the left hand side to the right hand side by proving that {푎, 푏} ⊢ 푐 and ∅ ⊢ ((푎 ∧ 푏) → 푐) are equivalent. Then, we transform ∅ ⊢ ((푎 ∧ 푏) → 푐) (the existence of a proof) to ∅ ⊨ ((푎 ∧ 푏) → 푐) (a tautological consequence) by the soundness of formal deduction.

See the two proofs on the following page.

49 Proof 1. We will prove the statement. Assume {푎, 푏} ⊢ 푐 holds. By the soundness of formal deduction, the tautological consequence {푎, 푏} ⊨ 푐 holds. Consider a truth valuation 푡 under which 푎푡 = 1 and 푏푡 = 1. We know that 푐푡 = 1 by {푎, 푏} ⊨ 푐. Therefore, by the definition of an implication, we know that ((푎 ∧ 푏) → 푐) is a tautology. Consider a truth valuation 푡. There is no formula in ∅. Thus, 푡 satisfies ∅. 푡 also satisfies ((푎 ∧ 푏) → 푐) since ((푎 ∧ 푏) → 푐) is a tautology. Therefore, the tautological consequence ∅ ⊨ ((푎 ∧ 푏) → 푐) holds.

Proof 2. We will prove the statement. Assume {푎, 푏} ⊢ 푐 holds. Thus, there is a formal deduction proof which starts with 푎 and 푏 as the premises and ends with 푐. 1. 푎 premise 2. 푏 premise 3...... 4. 푐 ...

We construct a formal deduction proof for ∅ ⊢ ((푎 ∧ 푏) → 푐) as follows. 1. (푎 ∧ 푏) assumption 2. 푎 ∧e: 1 3. 푏 ∧e: 1 4...... 5. 푐 ... 6. ((푎 ∧ 푏) → 푐) →i: 1-5 This proof shows that ∅ ⊢ ((푎 ∧ 푏) → 푐) holds. By the soundness of formal deduction, the tautological consequence ∅ ⊨ ((푎 ∧ 푏) → 푐) holds.

50 Exercise 52. Prove or disprove this statement: If {퐴} ⊨ 퐵, then ∅ ⊢ (퐵 → 퐴). 퐴 and 퐵 are well-formed propositional formulas.

Solution:

Remark 5. To show that the implication is false, we need to choose concrete formulas for 퐴 and 퐵 such that the premise is true and the conclusion is false. By inspecting the premise and the conclusion, we see that the concrete formulas need to make sure that 퐴 entails 퐵, but 퐵 does not entail 퐴. Choosing 퐴 to be 푝 and 퐵 to be (푝 ∨ 푞) satisfy both requirements.

Proof. We will disprove the statement. Let 푝 and 푞 be two propositional variables. Let 퐴 be 푝 and let 퐵 be (푝 ∨ 푞). First, we prove that {퐴} ⊨ 퐵 holds. Consider a truth valuation 푡 under which 퐴 is true. This means that 푝푡 = 1. Under 푡, 퐵 is true because (푝 ∨ 푞)푡 = 1. Therefore, the tautological consequence {퐴} ⊨ 퐵 holds. Now, we prove that ∅ ⊬ (퐵 → 퐴) holds. To show that such a proof does not exist, it suffices to show that the corresponding tautological consequence ∅ ⊨ (퐵 → 퐴) does not hold. Then by the contrapositive of the soundness of formal deduction, we have that ∅ ⊬ (퐵 → 퐴) holds. To prove that ∅ ⊭ (퐵 → 퐴) (or ∅ ⊭ ((푝∨푞) → 푝)), we consider a truth valuation 푡 such that 푝푡 = 0 and 푞푡 = 1. Under 푡, 퐵푡 = (푝 ∨ 푞)푡 = 1 and 퐴푡 = 푝푡 = 0. Therefore, ∅ ⊭ (퐵 → 퐴) holds.

51 1.11 Proving the Completeness Theorem Exercise 53. Prove that the following two definitions of a consistent set are equivalent.

1. There exists a formula 퐴 such that Σ ⊬ 퐴.

2. For every formula 퐴, if Σ ⊢ 퐴, then Σ ⊬ (¬퐴).

52 Exercise 54. Let Σ1 and Σ2 be sets of propositional formulas. Let Σ1 ⊆ Σ2. Prove or disprove the statement below: If Σ1 is consistent, then Σ2 is consistent.

Exercise 55. Let Σ1 and Σ2 be sets of propositional formulas. Let Σ1 ⊆ Σ2. Prove or disprove the statement below: If Σ2 is consistent, then Σ1 is consistent.

53 Prove that the following two definitions of a maximally consistent set are equivalent. Assume that Σ is consistent.

1. For every propositional formula 퐵, if Σ ⊬ 퐵 then Σ ∪ {퐵} is inconsistent.

2. For every propositional formula 퐴, Σ ⊢ 퐴 or Σ ⊢ (¬퐴).

Solution: Question: Is the OR in definition 2 an exclusive OR? Answer: Yes, it has to be. If for every propositional formula 퐴, Σ ⊢ 퐴 and Σ ⊢ (¬퐴), then 퐴 has to be inconsistent, which contradicts with our assumption that Σ is consistent.

Part (a) Prove that if a set Σ satisfies definition 1, then it also satisfies definition 2. Proof Sketch: To show that Σ satisfies definition 2, we need to show that for every propositional formula 퐴, Σ ⊢ 퐴 or Σ ⊢ (¬퐴). If at least one of Σ ⊢ 퐴 and Σ ⊢ (¬퐴) is true, then we are done. However, it is unlikely that we can prove that one of them is always true. Therefore, it must be the case that one is true in some scenarios and the other one is true in other scenarios. A common approach for proving a disjunction is to divide into several cases. It must be true that either Σ ⊢ 퐴 or Σ ⊬ 퐴. In fact, these two cases are mutually exclusive and exhaustive. Therefore, we will consider two cases. In each case, we will need to prove that Σ ⊢ 퐴 and Σ ⊢ (¬퐴).

Here is a sketch of the proof. Assume that Σ satisfies definition 1. Consider any propositional formula 퐴. Case (1): Assume that Σ ⊢ 퐴. We need to prove that Σ ⊢ 퐴 or Σ ⊢ (¬퐴). Case (2): Assume that Σ ⊬ 퐴. We need to prove that Σ ⊢ 퐴 or Σ ⊢ (¬퐴).

Part (b) Prove that if a set Σ satisfies definition 2, then it also satisfies definition 1. Proof sketch:

54 2 Predicate Logic

2.1 Translations Exercise 56. Let the domain be the set of animals. Let 퐵(푥) mean that 푥 is a bear. Let 퐻(푥) mean that 푥 likes honey. Translate “every bear likes honey” into predicate logic.

Solution: People often come up with the following two translations. See the formulas and the corresponding explanations below.

• (∀푥 (퐵(푥) ∧ 퐻(푥))) This formula says that every animal 푥 is a bear and likes honey. This formula is an incorrect translation. The original sentence does not require every animal to be a bear. The sentence simply ignores any animal that is not a bear and focuses on animals that are bears.

• (∀푥 (퐵(푥) → 퐻(푥))) This formula says that for every animal 푥, if 푥 is a bear, then 푥 likes honey. This is a correct translation. If an animal is a bear, then it must like honey as required by the original sentence. If an animal is not a bear, then the premise of the implication is false, which means that the implication is vacuously true. (In other words, we don’t care about animals that are not bears.)

To differentiate between two predicate formulas, it is often a useful exercise to come upwith a domain for which one formula is true and the other formula is false. Consider a domain, which contains a bear A who likes honey and a rabbit B.

• For this domain, the first formula is false. When 푥 is rabbit 퐵, 푥 is not a bear.

• For this domain, the second formula is true. When 푥 is bear 퐴, it likes honey, so the implication is true. When 푥 is rabbit B, it is not a bear, so the implication is vacuously true. Since the implication is true for every element of the domain, the formula is true.

In general, consider a domain 퐷 and a predicate 푃 (푥). The following sentence

“All have the property Q.” translates into the formula

(∀푥 (푃 (푥) → 푄(푥))).

55 Exercise 57. Let the domain be the set of animals. Let 퐵(푥) mean that 푥 is a bear. Let 퐻(푥) mean that 푥 likes honey. Translate “some bear likes honey” into predicate logic.

Solution: People often come up with the following two translations. See the formulas and the corresponding explanations below.

• (∃푥 (퐵(푥) ∧ 퐻(푥))) This formula says that there is an animal 푥, which is a bear and likes honey. This formula is the correct translation. The original sentence requires that there is a bear in the domain. Furthermore, it requires that there is a bear in the domain that likes honey. This formula guarantees both.

• (∃푥 (퐵(푥) → 퐻(푥))) This formula says that there is an animal 푥, which is either not a bear, or is a bear and likes honey. This sentence is an incorrect translation, although many people think that it makes intuitive sense. The problem with this formula comes from the fact that the implication is vacuously true when the premise is false. This formula does not guarantee that there has to be a bear in the domain. As soon as we find an animal that is not a bear inthe domain, the premise of the implication is false and the implication is vacuously true. This does not correspond to the original sentence, which requires that there is a bear in the domain.

To differentiate these two formulas, let’s consider a domain, which contains a rabbit B.For this domain, the original sentence should be false because there is no bear.

• For this domain, the first formula is false. We cannot find a bear in the domain, which is required by the formula.

• For this domain, the second formula is true. When 푥 is rabbit 퐵, 퐵 is not a bear, so the premise of the implication is false. Thus, the implication is vacuously true. Since we have found an animal which makes the implication true, the formula is true.

In general, consider a domain 퐷 and a predicate 푃 (푥). The following sentence

“Some have the property Q.” translates into the formula

(∃푥 (푃 (푥) ∧ 푄(푥))).

56 Based on the two exercises above, could you summarize the general patterns of translations? Which binary connectives usually go with the universal and the existential quantifiers? As a general rule of thumb, the universal quantifier is often used in conjunction with theim- plication (→), and the existential quantifier is often used in conjunction with the conjunction (∧). We’ve seen examples of both above. The universal quantifier

• ∀ and →: This universal quantifier pairs well with the implication. This combination is used to make a statement about a subset of the domain. Therefore, we use the premise of the implication to restrict our attention to this subset. We don’t have to worry about any element that is not in this subset because the implication is vacuously true for any such element.

• ∀ and ∧: This combination is not impossible. However, it is a very strong statement. This combination is claiming that every element of the domain must satisfy the prop- erties connected by the ∧. If this is what you meant to express, then go ahead and use this combination.

The existential quantifier

• ∃ and ∧: The existential quantifier pairs well with the conjunction. This combination can be used to express the fact that there exists an element of domain which has the two properties connected by the conjunction.

• ∃ and →: This combination does not make sense logically. The main reason is that it is too easy to make such a formula true. As soon as we find an element of the domain, which makes the premise of the implication false, the implication is vacuously true and the formula is true as well.

57 Exercise 58. Translate the following sentences into predicate formulas.

Let the domain contain the set of all students and courses. Define the following predicates: 퐶(푥): 푥 is a course. 푆(푥): 푥 is a student. 푇 (푥, 푦): student 푥 has taken course 푦.

1. Every student has taken some course. Solution: (∀푥 (푆(푥) → (∃푦 (퐶(푦) ∧ 푇 (푥, 푦)))))

2. A student has taken a course. Solution: (∃푥 (푆(푥) ∧ (∃푦 (퐶(푦) ∧ 푇 (푥, 푦)))))

3. No student has taken every course. Solution: (¬(∃푥 (푆(푥) ∧ (∀푦 (퐶(푦) → 푇 (푥, 푦))))))

4. Some student has not taken any course. Solution: (∃푥 (푆(푥) ∧ (∀푦 (퐶(푦) → (¬푇 (푥, 푦))))))

5. Every student has taken every course. Solution: (∀푥 (푆(푥) → (∀푦 (퐶(푦) → 푇 (푥, 푦)))))

58 Exercise 59. Translating “at least”, “at most”, and “exactly”. Translate the following sentences into predicate formulas.

• There is at least one bear. Solution: (∃푥 퐵(푥))

• There are at least two bears. Solution: (∃푥 (∃푦 ((퐵(푥) ∧ 퐵(푦)) ∧ (푥 ≠ 푦))))

The formula says: there are two bears 푥 and 푦, and 푥 and 푦 must be different. Note that, if we don’t have (푥 ≠ 푦), the formula only guarantees that there exists one bear because 푥 and 푦 could refer to the same animal in the domain.

• There is at most one bear. Solution: (¬(∃푥 (∃푦 ((퐵(푥) ∧ 퐵(푦)) ∧ (푥 ≠ 푦)))))

The negation of “at most one” is “at least two”. Therefore, the sentence is equivalent to “It is not the case that there exist two different bears”.

Using the generalized De Morgan’s laws, we can show that the above formula is logically equivalent to the formula below.

(∀푥 (∀푦 ((퐵(푥) ∧ 퐵(푦)) → (푥 = 푦))))

This formula says that: If we can find two bears 푥 and 푦, then 푥 and 푦 must refer to the same bear. To understand this formula, imagine that I made the claim that there is at most one bear. Then your goal is to disprove my claim. You find two bears in the domain and show them to me. For my claim to be true, I have to be able to prove that the two bears you found are actually the same bear. I have to be able to do this no matter which two bears you show to me.

Yet another translation is that: ((there is no bear) or (there is exactly one bear)). We can use any translation of ”there is exactly one bear” on the next page.

((∀푥 (¬퐵(푥))) ∨ (∃푦 (퐵(푦) ∧ (∀푧 (퐵(푧) → (푦 = 푧))))))

59 • There is exactly one bear. Solution: One translation is: there is at least one bear and there is at most one bear.

((∃푧 퐵(푧)) ∧ ((¬(∃푥 (∃푦 ((퐵(푥) ∧ 퐵(푦)) ∧ (푥 ≠ 푦)))))))

Another translation: there is at least one bear and if there is another bear, then the two bears must be the same.

(∃푥 (퐵(푥) ∧ (∀푦 (퐵(푦) → (푥 = 푦)))))

60 2.2 Semantics of Predicate Formulas Consider this language of predicate logic: • Individual constant symbols: 푎, 푏, 푐 • Free Variable Symbols: 푢, 푣, 푤 • Bound Variable symbols: 푥, 푦, 푧 • Function symbols: 푓 is a unary function, 푔 is a binary function. • Predicate/Relation symbols: 푃 is a unary predicate, 푄 is a binary predicate.

2.2.1 Evaluating Formulas with No Variables Exercise 60. Give a valuation 푣 such that 푄(푓(푐), 푎)푣 = 1 where 퐷 = {1, 2, 3}. Solution: Remark 6. We only need to define the components of the valuation that appear inthe formula. This means, we only need to define 푎푣, 푐푣, 푓푣, and 푄푣. I don’t like to work with weird functions. So let’s fix the function 푓 to something simple first. Let 푓푣 be 푓푣(푥) = 푥, ∀푥 ∈ 퐷. Given this, we simplify the formula below. 푓(푐)푣 = 푓푣(푐푣) = 푐푣 (98) 푄(푓(푐), 푎)푣 = 푄(푐, 푎)푣 (99)

I like to deal with the predicates last. So let’s assign meanings to the individual constant symbols. Let 푐푣 = 1 and 푎푣 = 2. Then, we have that 푄(푐, 푎)푣 is true if and only if ⟨1, 2⟩ ∈ 푄푣. Finally, let’s define 푄푣. Above the above analysis, at a minimum, we need ⟨1, 2⟩ ∈ 푄푣. We could include other tuples in 푄푣 if we like, but they don’t affect the truth value of this formula. Thus, let 푄푣 = {⟨1, 2⟩}. Solution Text: The valuation 푣 is given below.

• 퐷 = {1, 2, 3}. • 푎푣 = 2, 푐푣 = 1. • 푓푣(푥) = 푥, ∀푥 ∈ 퐷. • 푄푣 = {⟨1, 2⟩}. Therefore, 푄(푓(푐), 푎)푣 = 1 since all of the following hold: 푓(푐)푣 = 푓푣(1) = 1 (100) 푎푣 = 2 (101) ⟨1, 2⟩ ∈ 푄푣. (102)

61 Exercise 61. Give a valuation 푣 such that 푄(푓(푐), 푎)푣 = 0.

Solution:

Remark 7. All we need to do is make one small adjustment to the interpretation in exer- cise 60. To make the formula false, we need to make sure the tuple ⟨1, 2⟩ ∉ 푄푣. Let 푄푣 be the empty set.

Solution Text: The valuation 푣 is given below.

• 퐷 = {1, 2, 3}.

• 푎푣 = 2, 푐푣 = 1.

• 푓푣(푥) = 푥, ∀푥 ∈ 퐷.

• 푄푣 = ∅.

Therefore, 푄(푓(푐), 푎)푣 = 0 since all of the following hold:

푓(푐)푣 = 푓푣(1) = 1 (103) 푎푣 = 2 (104) ⟨1, 2⟩ ∉ 푄푣. (105)

62 2.2.2 Evaluating Formulas without Bound Variables Exercise 62. Give a valuation 푣 such that 푄(푓(푢), 푎)푣 = 1.

Solution:

Remark 8. Let’s start with the valuation in the solution to exercise 60. We simplify the formula below. 푓(푢)푣 = 푓푣(푢푣) = 푢푣, 푎푣 = 2. Thus, the formula is true if and only if ⟨푢푣, 2⟩ ∈ 푄푣. The only tuple in 푄푣 is ⟨1, 2⟩. Thus, it is sufficient to let 푢푣 = 1.

Solution Text: The valuation 푣 is given below. 퐷 = {1, 2, 3}, 푎푣 = 2, 푢푣 = 1, 푓푣(푥) = 푥, ∀푥 ∈ 퐷, 푄푣 = {⟨1, 2⟩}. Given 푣, we can show that 푄(푓(푥), 푎)푣 = 1 because

푢푣 = 1, 푓(푢)푣 = 푓푣(1) = 1, 푎푣 = 2, ⟨1, 2⟩ ∈ 푄푣.

Exercise 63. Give a valuation 푣 such that 푄(푓(푥), 푎)푣 = 0.

Solution:

Remark 9. Let’s start with the valuation in the solution to exercise 62, and modify 푄푣 to be the empty set. Under 푣, the formula is false, using similar reasoning as exercise 61.

Solution Text: The valuation 푣 are given below.

퐷 = {1, 2, 3}, 푎푣 = 2, 푢푣 = 1, 푓푣(푥) = 푥, ∀푥 ∈ 퐷, 푄푣 = {⟨1, 2⟩}.

Given 푣, we can show that 푄(푓(푥), 푎)푣 = 0 because

푢푣 = 1, 푓(푥)푣 = 푓푣(1) = 1, 푎푣 = 2, ⟨1, 2⟩ ∉ 푄푣.

63 2.2.3 Evaluating Formulas with Free and Bound Variables Exercise 64. Give a valuation 푣 such that (∃푥 푄(푥, 푢))푣 = 1. Assume that the domain is 퐷 = {1, 2, 3}.

Solution:

Remark 10. Here is more explanation to help you understand how I came up with the valuation 푣 above. 푢 is a free variable in the formula. Let’s arbitrarily define 푢푣 = 2. To make the formula true, there must be at least one tuple in 푄푣 and the second value in the tuple (the value of 푢 in the tuple) must be 2 because 푢푣 = 2. Let 푄푣 = {⟨1, 2⟩}.

Solution Text: The valuation 푣 is shown below.

퐷 = {1, 2, 3}, 푢푣 = 2, 푄푣 = {⟨1, 2⟩}.

Given the 푣 above, we know that 푄(푢, 푤)푣(푢/1) = 1 because all of the following hold:

⟨푢, 푤⟩푣(푢/1)(푤/2) = ⟨1, 2⟩ ∈ 푄푣 (106)

Hence, by the ∃-satisfaction rule, (∃푥 푄(푥, 푦))푣 = 1.

64 Exercise 65. Give a valuation 푣 such that (∀푥 푄(푥, 푢))푣 = 1. Assume that the domain is 퐷 = {1, 2, 3}.

Solution:

Remark 11. Let’s start with the valuation 푣 in exercise 64. We will modify 푄푣. To make the formula true, we must be able to replace 푥 by any value in the domain. Furthermore, for each tuple in 푄푣, the second value in the tuple must be 2 because the environment maps 푦 to 2. Thus, let 푄푣 = {⟨1, 2⟩, ⟨2, 2⟩, ⟨3, 2⟩}.

Solution Text: The valuation is shown below.

• 퐷 = {1, 2, 3}.

• 푎푣 = 2, 푏푣 = 1, 푐푣 = 1.

• 푓푣(푥) = 푥, ∀푥 ∈ 퐷, 푔푣(푥) = 1, ∀푥 ∈ 퐷.

• 푄푣 = {⟨1, 2⟩, ⟨2, 2⟩, ⟨3, 2⟩}, 푃 푣 = ∅.

The environment 퐸 is 퐸(푥) = 1, 퐸(푦) = 2, 퐸(푧) = 1. We will prove that (∀푥 푄(푥, 푦))푣 = 1. Consider all possible values of 푥. By the definition of 푄푣, the following statements hold.

• [푥 ↦ 1]: 푄(푥, 푦)(퐼,퐸[푥↦1]) = 1 because all of the following hold.

퐸[푥 ↦ 1](푥) = 1 퐸[푥 ↦ 1](푦) = 2 ⟨1, 2⟩ ∈ 푄푣.

• [푥 ↦ 2]: 푄(푥, 푦)(퐼,퐸[푥↦2]) = 1 because all of the following hold.

퐸[푥 ↦ 2](푥) = 2 퐸[푥 ↦ 2](푦) = 2 ⟨2, 2⟩ ∈ 푄푣.

• [푥 ↦ 3]: 푄(푥, 푦)(퐼,퐸[푥↦3]) = 1 because all of the following hold.

퐸[푥 ↦ 3](푥) = 3 퐸[푥 ↦ 3](푦) = 2 ⟨3, 2⟩ ∈ 푄푣.

Therefore, by the satisfaction rules for ∀, (∀푥 푄(푥, 푦))푣 = 1.

65 2.2.4 Evaluating Formulas with Bound Variables Only Exercise 66. Give an interpretation 퐼 and an environment 퐸 such that (∃푥(∀푦 푄(푥, 푦)))푣 = 1. Start with the domain 퐷 = {1, 2, 3}.

Solution:

Remark 12. To make the formula true, there must be at least 3 tuples in 푄푣 because 푦 (the second value of each tuple) could take any of the 3 possible values in the domain. The first element of all three tuples must be the same because there must be one valuefor 푥 that makes 푄(푥, 푦) true. Note that, when choosing the value of 푥, we do not know the value of 푦 yet. Our choice of value for 푥 cannot depend on the value of 푦. One definition of 푄푣 that satisfies all these requirements is 푄푣 = {⟨1, 1⟩, ⟨1, 2⟩, ⟨1, 3⟩}.

Solution Text: The interpretation 퐼 is given below.

• 퐷 = {1, 2, 3}.

• 푎푣 = 2, 푏푣 = 1, 푐푣 = 1.

• 푓푣(푥) = 푥, ∀푥 ∈ 퐷, 푔푣(푥) = 1, ∀푥 ∈ 퐷.

• 푄푣 = {⟨1, 1⟩, ⟨1, 2⟩, ⟨1, 3⟩}, 푃 푣 = ∅.

Let 퐸 be an arbitrary environment. We will prove that (∃푥(∀푦 푄(푥, 푦)))푣 = 1.

By the satisfaction rules of ∃, we need to show that (∀푦 푄(푥, 푦))(퐼,퐸[푥↦푑푥]) = 1 for some 푑푥푖푛퐷. (퐼,퐸[푥↦푑푥][푦↦푑푦) Consider 푑푥 = 1. We now need to show that 푄(푥, 푦) = 1 for every 푑푦 ∈ 퐷. Consider all possible values of 푦.

• [푦 ↦ 1]: 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦1]) = 1 because all of the following hold.

퐸[푥 ↦ 1][푦 ↦ 1](푥) = 1 (107) 퐸[푥 ↦ 1][푦 ↦ 1](푦) = 1 (108) ⟨퐸[푥 ↦ 1][푦 ↦ 1](푥), 퐸[푥 ↦ 1][푦 ↦ 1](푦)⟩ = ⟨1, 1⟩ ∈ 푄푣. (109)

• [푦 ↦ 2]: 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦2]) = 1 because all of the following hold.

퐸[푥 ↦ 1][푦 ↦ 2](푥) = 1 (110) 퐸[푥 ↦ 1][푦 ↦ 2](푦) = 2 (111) ⟨퐸[푥 ↦ 1][푦 ↦ 2](푥), 퐸[푥 ↦ 1][푦 ↦ 2](푦)⟩ = ⟨1, 2⟩ ∈ 푄푣. (112)

66 • [푦 ↦ 3]: 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦3]) = 1 because all of the following hold.

퐸[푥 ↦ 1][푦 ↦ 3](푥) = 1 (113) 퐸[푥 ↦ 1][푦 ↦ 3](푦) = 3 (114) ⟨퐸[푥 ↦ 1][푦 ↦ 3](푥), 퐸[푥 ↦ 1][푦 ↦ 3](푦)⟩ = ⟨1, 3⟩ ∈ 푄푣. (115)

By the satisfaction rules of ∀, (∃푥(∀푦 푄(푥, 푦)))(퐼,퐸[푥↦1]) = 1 holds. By the definition of ∃, (∃푥(∀푦 푄(푥, 푦)))푣 = 1 holds.

67 Exercise 67. Give an interpretation 퐼 and an environment 퐸 such that (∃푥(∀푦 푄(푥, 푦)))푣 = 0. Start with the domain 퐷 = {1, 2, 3}.

Solution:

Remark 13. The formula has no free variables. The bound variables get their meanings through the quantifiers. Thus, there is no need to define an environment. We only needto define an interpretation to evaluate the formula. There are many ways to make the formula false. An easy solution is to let 푄푣 be the empty set. Then, 푄푣(푥, 푦) is always false and the formula must be false as well. If there are tuples in 푄푣, we need to make sure that 푄푣 does not have three tuples such that the first value of all three tuples are the same and the second value in all three tuples areall different.

Solution Text: The interpretation 퐼 is shown below.

• 퐷 = {1, 2, 3}.

• 푎푣 = 2, 푏푣 = 1, 푐푣 = 1.

• 푓푣(푥) = 푥, ∀푥 ∈ 퐷, 푔푣(푥) = 1, ∀푥 ∈ 퐷.

• 푄푣 = {⟨1, 1⟩, ⟨2, 2⟩, ⟨3, 3⟩}, 푃 푣 = ∅.

Let 퐸 be an arbitrary environment. We will prove that (∃푥(∀푦 푄(푥, 푦)))푣 = 0.

By the satisfaction rules for ∃, we need to show that (∀푦 푄(푥, 푦))(퐼,퐸[푥↦푑푥]) = 0 holds for every 푑푥 ∈ 퐷. Consider all possible values of 푥.

• [푥 ↦ 1]: By the rules of satisfaction for ∀, to prove that (∀푦 푄(푥, 푦))(퐼,퐸[푥↦1]) = 0, we need to (퐼,퐸[푥↦1][푦↦푑푦]) prove that 푄(푥, 푦) = 0 for some 푑푦 ∈ 퐷. 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦2]) = 0 holds since all of the following statements hold.

퐸[푥 ↦ 1][푦 ↦ 2](푥) = 1 (116) 퐸[푥 ↦ 1][푦 ↦ 2](푦) = 2 (117) ⟨퐸[푥 ↦ 1][푦 ↦ 2](푥), 퐸[푥 ↦ 1][푦 ↦ 2](푦)⟩ = ⟨1, 2⟩ ∉ 푄푣 (118)

Therefore, 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦2]) = 0 holds, which means that (∀푦 푄(푥, 푦))(퐼,퐸[푥↦1]) = 0 holds.

68 • [푥 ↦ 2]: 푄(푥, 푦)(퐼,퐸[푥↦2][푦↦1]) = 0 holds because all of the following statements hold.

퐸[푥 ↦ 2][푦 ↦ 1](푥) = 2 (119) 퐸[푥 ↦ 2][푦 ↦ 1](푦) = 1 (120) ⟨퐸[푥 ↦ 2][푦 ↦ 1](푥), 퐸[푥 ↦ 2][푦 ↦ 1](푦)⟩ = ⟨2, 1⟩ ∉ 푄푣 (121)

Therefore, (∀푦 푄(푥, 푦))(퐼,퐸[푥↦2]) = 0 holds.

• [푥 ↦ 3]: 푄(푥, 푦)(퐼,퐸[푥↦3][푦↦1]) = 0 holds because all of the following statements hold.

퐸[푥 ↦ 3][푦 ↦ 1](푥) = 3 (122) 퐸[푥 ↦ 3][푦 ↦ 1](푦) = 1 (123) ⟨퐸[푥 ↦ 3][푦 ↦ 1](푥), 퐸[푥 ↦ 3][푦 ↦ 1](푦)⟩ = ⟨3, 1⟩ ∉ 푄푣 (124)

Therefore, (∀푦 푄(푥, 푦))(퐼,퐸[푥↦3]) = 0 holds.

By the satisfaction rules of ∃, we have proven that (∃푥(∀푦 푄(푥, 푦)))푣 = 0.

69 2.3 Tautological Consequence Collected Wisdom:

• Tautological consequence and formal deduction are two ways of proving the same argument. Did you notice that Q1a of assignment 6 is the same as Q2d of assignment 7 (in Spring 2018)? We asked you prove the same argument, once with tautological consequence and once with formal deduction. If you have trouble proving a statement using tautological consequence, you may want to try formal deduction first, and then convert it to a tautological consequence argument.

70 Exercise 68. Show that {(∀푥 푃 (푥))} ⊨ (∃푥 푃 (푥)).

Solution: Proof. Consider an interpretation 퐼 such that (∀푥 푃 (푥))푣 = 1. We will prove that (∃푥 푃 (푥))푣 = 1.

Consider an arbitrary environment 퐸. Let 푑1 ∈ 퐷 be a domain element.

(퐼,퐸[푥↦푑1]) 푣 By the satisfaction rules for ∀, 푃 (푥) = 1. Therefore, 퐸[푥 ↦ 푑1](푥) = 푑1 ∈ 푃 . By the satisfaction rules for ∃, (∃푥 푃 (푥))푣 = 1.

Exercise 69. Show that {(∃푥 푃 (푥))} ⊭ (∀푥 푃 (푥)).

Solution: Proof. To prove that the tautological consequence does hold, we need to find an interpreta- tion 퐼 such that (∃푥 푃 (푥))푣 = 1 and (∀푥 푃 (푥))푣 = 0. Consider the interpretation 퐼 below.

• 퐷 = {1, 2}.

• 푃 푣 = {1}.

Let 퐸 be an arbitrary environment. 푃 (푥)(퐼,퐸[푥↦1]) = 1 holds since 퐸[푥 ↦ 1](푥) = 1 ∈ 푃 푣. By the satisfaction rules for ∃, (∃푥 푃 (푥))푣 = 1. 푃 (푥)(퐼,퐸[푥↦2]) = 0 holds since 퐸[푥 ↦ 2](푥) = 2 ∉ 푃 푣. By the satisfaction rules for ∀, (∀푥 푃 (푥))푣 = 0 holds.

71 Exercise 70. Show that {(∀푥 (퐴 → 퐵))} ⊨ ((∀푥 퐴) → (∀푥 퐵)), where 푥 is a variable symbol and 퐴 and 퐵 are well-formed predicate formulas.

Solution: Proof. Consider an interpretation 퐼 and an environment 퐸 such that (∀푥 (퐴 → 퐵))푣 = 1. We will prove that ((∀푥 퐴) → (∀푥 퐵))푣 = 1. To show that ((∀푥 퐴) → (∀푥 퐵))푣 = 1, we assume that (∀푥 퐴)푣 = 1. By the satisfaction rule for ∀, we have that

퐴(퐼,퐸[푥↦푑]) = 1 for every 푑 ∈ 퐷.

By our assumption, (∀푥 (퐴 → 퐵))푣 = 1. By the satisfaction rule for ∀, we have that

(퐴 → 퐵)(퐼,퐸[푥↦푑]) = 1 for every 푑 ∈ 퐷.

By the satisfaction rule for an implication, we have that

퐵(퐼,퐸[푥↦푑]) = 1 for every 푑 ∈ 퐷.

By the satisfaction rule for ∀, we have that

(∀푥 퐵)푣 = 1. Thus, the tautological consequence holds.

72 Exercise 71. Show that {((∀푥 퐴) → (∀푥 퐵))} ⊭ (∀푥 (퐴 → 퐵)), where 푥 is a variable symbol and 퐴 and 퐵 are well-formed predicate formulas. Solution: Remark 14. The most important step for the proof below is to come up with the concrete example such that the premises are all true and the conclusion is false. I first chose concrete formulas for 퐴 and 퐵. This step is important. Without doing so, I may not be able to make claims about whether 퐴 and 퐵 are true or false under a particular interpretation. Next, I construct an interpretation to satisfy the two requirements. I start by picking a domain containing two elements. It is small enough to be manageable and large enough to give me a few possibilities to experiment with. Then, I try to find definitions for 푃 푣 and 푄푣 to satisfy the two requirements. First, I want to make the conclusion (∀푥 (푃 (푥) → 푄(푥))) false. To do this, it is sufficient to make 푃 to be true and 푄 to be false for one value of 푥 (so that the implication (푃 (푥) → 푄(푥)) is false). I used 푥 = 2 for this case and made sure that 2 ∈ 푃 푣 and 2 ∉ 푄푣. Next, I want to make the premise true. Since 2 ∉ 푄푣, then (∀푥 푄(푥)) is false. So the conclusion of the premise is false. To make the premise true, I have to make the premise of the premise false. This means that, I need to make sure at least one domain element is not in 푃 푣. Therefore, I defined 푃 푣 such that 1 ∉ 푃 푣. Proof. Let 퐴 be 푃 (푥) and let 퐵 be 푄(푥), where 푃 and 푄 are unary predicates. Consider the following interpretation: • 퐷 = {1, 2} • 푃 푣 = {2} and 푄푣 = {1} We need to show that ((∀푥 푃 (푥)) → (∀푥 푄(푥)))푣 = 1 and (∀푥 (푃 (푥) → 푄(푥)))푣 = 0. Let 퐸 be an arbitrary environment. First, we will show that ((∀푥 푃 (푥)) → (∀푥 푄(푥)))푣 = 1. 푃 (푥)(퐼,퐸[푥↦1]) = 0 because 퐸[푥 ↦ 1](푥) = 1 ∉ 푃 푣. By the satisfaction rule for ∀, (∀푥 푃 (푥))푣 = 0. By the satisfaction rule for an implication, ((∀푥 푃 (푥)) → (∀푥 푄(푥)))푣 = 1 because (∀푥 푃 (푥))푣 = 0. Next, we will show that (∀푥 (푃 (푥) → 푄(푥)))푣 = 0. (푃 (푥) → 푄(푥))(퐼,퐸[푥↦2]) = 0 because 퐸[푥 ↦ 2](푥) = 2 ∈ 푃 푣 and 퐸[푥 ↦ 2](푥) = 2 ∉ 푄푣. By the satisfaction rule for ∀, (∀푥 (푃 (푥) → 푄(푥)))푣 = 0. In summary, the tautological consequence does not hold.

73 Exercise 72. Show that {(∃푦 (∀푥 푄(푥, 푦)))} ⊨ (∀푥 (∃푦 푄(푥, 푦))).

Solution: Proof. Consider an interpretation 퐼 such that (∃푦 (∀푥 푄(푥, 푦)))푣 = 1. We will prove that (∀푥 (∃푦 푄(푥, 푦)))푣 = 1. Let 퐸 be an arbitrary environment. By the satisfaction rules for ∃, we have

(퐼,퐸[푦↦푑푦]) (∀푥 푄(푥, 푦)) = 1 for some 푑푦 ∈ 퐷.

By the satisfaction rules for ∀, we have

(퐼,퐸[푦↦푑푦][푥↦푑]) 푄(푥, 푦) = 1, for some 푑푦 ∈ 퐷 and for every 푑 ∈ 퐷.

Note that in the environment 퐸[푦 ↦ 푑푦][푥 ↦ 푑], the value of 푑푦 was chosen first and does not depend on the value of 푑. Thus, the environment 퐸[푦 ↦ 푑푦][푥 ↦ 푑] is equivalent to the environment 퐸[푥 ↦ 푑][푦 ↦ 푑푦]. It does not matter whether we chose the value for 푥 or the value for 푦 first. Therefore, we rewrite the formula above as follows.

(퐼,퐸[푥↦푑][푦↦푑푦]) 푄(푥, 푦) = 1, for every 푑 ∈ 퐷 and for some 푑푦 ∈ 퐷.

By the satisfaction rule for ∃, we have

(∃푦 푄(푥, 푦))(퐼,퐸[푥↦푑]) = 1 for every 푑 ∈ 퐷. By the satisfaction rule for ∀, we have that

(∀푥 (∃푦 푄(푥, 푦)))푣 = 1.

74 Exercise 73. Show that {(∀푥 (∃푦 푄(푥, 푦)))} ⊭ (∃푦 (∀푥 푄(푥, 푦))).

Solution:

Remark 15. If I attempt to prove the tautological consequence, what would happen? By the satisfaction rules for ∀, we have

(퐼,퐸[푥↦푑푥]) (∃푦 푄(푥, 푦)) = 1 for every 푑푥 ∈ 퐷.

By the satisfaction rules for ∃, we have

푄(푥, 푦)(퐼,퐸[푥↦푑푥][푦↦푑푦]) = 1 for every 푑 ∈ 퐷 and for some 푑푦 ∈ 퐷 where the value of 푑푦 may depend on the value of 푑푥. Note that the value of 푑푦 may depend on the value of 푑푥. In other words, for every value of 푑푥, we may choose a different value of 푑푦 to satisfy the formula. Therefore, we CANNOT switch the two overrides in the environment. The following formula is FALSE.

A false formula: 푄(푥, 푦)(퐼,퐸[푦↦푑푦][푥↦푑푥]) = 1 for some 푑푦 ∈ 퐷 and for every 푑푥 ∈ 퐷. Proof. To prove that the tautological consequence does not hold, we need to find an inter- pretation 퐼 such that (∀푥 (∃푦 푄(푥, 푦)))푣 = 1 and (∃푦 (∀푥 푄(푥, 푦)))푣 = 0. Consider the interpretation 퐼 below.

• 퐷 = {1, 2}.

• 푄푣 = {⟨1, 1⟩, ⟨2, 2⟩}.

First, we will show that (∀푥 (∃푦 푄(푥, 푦)))푣 = 1. Let 퐸 be an arbitrary environment. Consider all possible values of 푥.

• [푥 ↦ 1]: 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦1]) = 1 because

⟨퐸[푥 ↦ 1][푦 ↦ 1](푥), 퐸[푥 ↦ 1][푦 ↦ 1](푦)⟩ = ⟨1, 1⟩ ∈ 푄푣.

By the satisfaction rule for ∃, (∃푦 푄(푥, 푦))(퐼,퐸[푥↦1]) = 1.

• [푥 ↦ 2]: 푄(푥, 푦)(퐼,퐸[푥↦2][푦↦2]) = 1 because

⟨퐸[푥 ↦ 2][푦 ↦ 2](푥), 퐸[푥 ↦ 2][푦 ↦ 2](푦)⟩ = ⟨2, 2⟩ ∈ 푄푣.

By the satisfaction rule for ∃, (∃푦 푄(푥, 푦))(퐼,퐸[푥↦2]) = 1.

75 Thus, by the satisfaction rule for ∀, (∀푥 (∃푦 푄(푥, 푦)))푣 = 1.

Next, we will show that (∃푦 (∀푥 푄(푥, 푦)))푣 = 0. Let 퐸 be an arbitrary environment. Consider all possible values of 푦.

• [푦 ↦ 1]: 푄(푥, 푦)(퐼,퐸[푥↦2][푦↦1]) = 0 because

⟨퐸[푥 ↦ 2][푦 ↦ 1](푥), 퐸[푥 ↦ 2][푦 ↦ 1](푦)⟩ = ⟨2, 1⟩ ∉ 푄푣.

By the satisfaction rule for ∃, (∀푥 푄(푥, 푦))(퐼,퐸[푦↦1]) = 0.

• [푦 ↦ 2]: 푄(푥, 푦)(퐼,퐸[푥↦1][푦↦2]) = 0 because

⟨퐸[푥 ↦ 1][푦 ↦ 2](푥), 퐸[푥 ↦ 1][푦 ↦ 2](푦)⟩ = ⟨1, 2⟩ ∉ 푄푣.

By the satisfaction rule for ∀, (∀푥 푄(푥, 푦))(퐼,퐸[푦↦2]) = 0.

Thus, by the satisfaction rule for ∀, (∃푦 (∀푥 푄(푥, 푦)))푣 = 0. Hence, the tautological consequence does not hold.

76 Exercise 74. Show that {(∀푥 (∃푦 (푃 (푥) ∨ 푄(푦))))} ⊨ (∃푦 (∀푥 (푃 (푥) ∨ 푄(푦)))).

Remark 16. Wait a second! In exercise 73, didn’t we just show that this tautological consequence does NOT hold? Not quite. In exercise 73, we dealt with a generic predicate formula 푄(푥, 푦) without knowing any additional information about the predicate. In this question, we are working with a much more concrete predicate formula (푃 (푥) ∨ 푄(푦)). It turns out that, having this concrete predicate formula allows us to prove the tautological consequence.

Remark 17. Let’s write out a proof sketch first.

To prove that the conclusion is true, we need to find one value 푑푦 ∈ 퐷 for 푦 such that (푃 (푥) ∨ 푄(푦)) is true for every possible value for 푥. The value of 푦 only influences the 푄(푦) part of the formula. Does there exist a value for 푦 such that 푄(푦) is true?

Let’s suppose that we know that there is some 푑푦 ∈ 퐷 for 푦 such that 푄(푦) is true. Would this help us prove the conclusion? For sure. If 푄(푦) is true for 푦 = 푑푦, then (푃 (푥) ∨ 푄(푦)) must be true for 푦 = 푑푦 regardless of the value of 푥. We just found a value for 푦 which will make the conclusion true. We know how to prove the conclusion for the case when 푄(푦) for at least one value of 푦. What if 푄(푦) is always false? Let’s look at the premise. If 푄(푦) is always false, for the premise to be true, 푃 (푥) must be true for every possible value of 푥. If 푃 (푥) is true for every possible value of 푥, then to prove that the conclusion is true, we could choose any value for 푦. For any value of 푦, 푃 (푥) is true for any value of 푥, so (푃 (푥) ∨ 푄(푦)) must be true.

77 2.3.1 Semantic Entailment - Additional Exercises Exercise 75. {((∀푥 푃 (푥)) ∨ (∀푥 푄(푥)))} ⊨ (∀푥 (푃 (푥) ∨ 푄(푥))).

Exercise 76. {(∃푥 (푃 (푥) → 푄(푥))), (∀푦 푃 (푦))} ⊨ (∃푥 푄(푥))

Exercise 77. {((∃푥 푃 (푥)) ∨ (∃푥 푄(푥)))} ⊨ (∃푥 (푃 (푥) ∨ 푄(푥))).

78 2.4 Formal Deduction

∀-introduction (∀+) ∀-elimination (∀−)

if Σ ⊢ 퐴(푢), 푢 not occurring in Σ, if Σ ⊢ ∀푥 퐴(푥), then Σ ⊢ ∀푥 퐴(푥). then Σ ⊢ 퐴(푡).

Comments:

• ∀− is analogous to ∧−.

• ∀+ is analogous to ∧+. Intuitively, this rule means that: from “any member 푢 of the set has a certain property” we can deduce that “every member of the set has this property”. The arbitrariness of 푢 means that the choice of 푢 is independent of the premises in Σ. This point is expressed by “푢 not occurring in Σ”. We know nothing about 푢 except that 푢 is a domain element. If 푢 is special, our conclusion may not be valid.

∃-introduction (∃+)

if Σ ⊢ 퐴(푡), ∃-elimination (∃−) then Σ ⊢ ∃푥 퐴(푥). if Σ, 퐴(푢) ⊢ 퐵, 푢 not occurring in Σ or 퐵, where 퐴(푥) results by replacing then Σ, ∃푥 퐴(푥) ⊢ 퐵. some (not necessarily all) occurrences of 푡 in 퐴(푡) by 푥.

Comments:

• ∃− is analogous to ∨−.

– Proof by cases. – The conclusion may have nothing to do with the starting formula.

• ∃+ is analogous to ∨+.

79 2.4.1 Forall-elimination Exercise 78. Show that {푃 (푢), ∀푥 (푃 (푥) → (¬푄(푥)))} ⊢ (¬푄(푢)).

Solution:

(1) 푃 (푢), ∀푥 (푃 (푥) → (¬푄(푥))) ⊢ (∀푥 (푃 (푥) → (¬푄(푥)))) by ((∈)) (2) 푃 (푢), ∀푥 (푃 (푥) → (¬푄(푥))) ⊢ 푃 (푢) by ((∈)) (3) 푃 (푢), ∀푥 (푃 (푥) → (¬푄(푥))) ⊢ 푃 (푢) → ¬푄(푢) by ((∀−), (1)) (4) 푃 (푢), ∀푥 (푃 (푥) → (¬푄(푥))) ⊢ ¬푄(푢) by ((→ −), (2), (3))

2.4.2 Exists-introduction Exercise 79. Show that {(¬푃 (푣))} ⊢ (∃푥 (푃 (푥) → 푄(푣))).

Solution:

(1) (¬푃 (푣)), 푃 (푣), ¬푄(푣) ⊢ 푃 (푣) by (∈) (2) (¬푃 (푣)), 푃 (푣), ¬푄(푣) ⊢ ¬푃 (푣) by (+, 1) (3) (¬푃 (푣)), 푃 (푣) ⊢ 푄(푣) by (¬−, 1, 2) (4) (¬푃 (푣)) ⊢ (푃 (푣) → 푄(푣)) by (→ +, 3) (5) (¬푃 (푣)) ⊢ (∃푥 (푃 (푥) → 푄(푣))) by (∃+, 4)

Exercise 80. Show that {(∀푥 푃 (푥))} ⊢ (∃푦 푃 (푦)).

Solution:

(1) (∀푥 푃 (푥)) ⊢ (∀푥 푃 (푥)) by (∈) (2) (∀푥 푃 (푥)) ⊢ 푃 (푢) by (∀−, 1) (3) (∀푥 푃 (푥)) ⊢ (∃푦 푃 (푦)) by (∃+, 2)

80 2.4.3 Forall-introduction Exercise 81. Show that {(∀푥 푃 (푥))} ⊢ (∀푦 푃 (푦)).

Solution:

(1) (∀푥 푃 (푥)) ⊢ (∀푥 푃 (푥)) by (∈) (2) (∀푥 푃 (푥)) ⊢ 푃 (푢) by (∀−, 1) (3) (∀푥 푃 (푥)) ⊢ (∀푦 푃 (푦)) by (∀+, 2)

Exercise 82. Show that (∀푥 (푃 (푥) → 푄(푥))) ⊢ ((∀푥 푃 (푥)) → (∀푦 푄(푦))).

Solution:

(1) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ (∀푥 푃 (푥)) by (∈) (2) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ (∀푥 (푃 (푥) → 푄(푥))) by (∈) (3) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ 푃 (푢) by (∀−, 1) (4) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ 푃 (푢) → 푄(푢) by (∀−, 2) (5) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ 푄(푢) by (→ −, 3, 4) (6) (∀푥 (푃 (푥) → 푄(푥))), (∀푥 푃 (푥)) ⊢ (∀푦 푄(푦)) by (∀+, 5) (7) (∀푥 (푃 (푥) → 푄(푥))) ⊢ ((∀푥 푃 (푥)) → (∀푦 푄(푦))) by (→ +, 6)

81 2.4.4 Forall-introduction - Additional Exercises Exercise 83. {(∀푥 (∀푦 푃 (푥, 푦)))} ⊢ (∀푦 (∀푥 푃 (푥, 푦))).

Exercise 84. {(∀푥 ((¬푃 (푥)) ∧ 푄(푥)))} ⊢ (∀푥 (푃 (푥) → 푄(푥))).

Exercise 85. {(∀푥 (푃 (푥) ∧ 푄(푥)))} ⊢ (∀푥 (푃 (푥) → 푄(푥))).

Exercise 86. {(∀푥 (푃 (푥) ∧ 푄(푥)))} ⊢ ((∀푥 푃 (푥)) ∧ (∀푥 푄(푥))).

Exercise 87. {((∀푥 푃 (푥)) ∨ (∀푥 푄(푥)))} ⊢ (∀푥 (푃 (푥) ∨ 푄(푥))).

Exercise 88. {(∀푥 (푃 (푥) → 푄(푥)))} ⊢ ((∀푥 (¬푄(푥))) → (∀푥 (¬푃 (푥)))).

Exercise 89. {(∀푥 (∀푦 (푅(푥, 푦) → 푅(푦, 푥))))} ⊢ (∀푥 (∀푦 (푅(푦, 푥) → 푅(푥, 푦)))).

Exercise 90. {(∀푥 (∀푦 (∀푧 ((푅(푥, 푦) ∧ 푅(푦, 푧)) → 푅(푥, 푧))))), (∀푥 (¬푅(푥, 푥)))} ⊢ (∀푥 (∀푦 (∀푧 (¬((푅(푥, 푦) ∧ 푅(푦, 푧)) ∧ 푅(푧, 푥)))))).

Exercise 91. {(∀푥 (∀푦 (∀푧 ((푅(푥, 푦) ∧ 푅(푥, 푧)) → 푅(푦, 푧))))), (∀푥 푅(푥, 푥))} ⊢ (∀푥 (∀푦 (∀푧 ((푅(푥, 푦) ∧ 푅(푦, 푧)) → 푅(푥, 푧))))).

82 2.4.5 Exists-elimination Exercise 92. (∃푥 푃 (푥)) ⊢ (∃푦 푃 (푦)).

Solution:

(1) 푃 (푢) ⊢ 푃 (푢) by (∈) (2) 푃 (푢) ⊢ (∃푦 푃 (푦)) by ((∃+), (1)) (3) (∃푥 푃 (푥)) ⊢ (∃푦 푃 (푦)) by ((∃−), (2))

Exercise 93. ∃푥 (푃 (푥) ∧ 푄(푥)) ⊢ (∃푥 푃 (푥) ∧ (∃푥 푄(푥)).

Solution:

(1) 푃 (푢) ⊢ 푃 (푢) by ((∈)) (2) 푃 (푢) ⊢ (∃푥 푃 (푥)) by ((∃+), (1)) (3) 푄(푢) ⊢ 푄(푢) by ((∈)) (4) 푄(푢) ⊢ (∃푥 푄(푥)) by ((∃+), (3)) (5) 푃 (푢) ⊢ (∃푥 푃 (푥)) ∨ (∃푥 푄(푥)) by ((∨+), (2)) (6) 푄(푢) ⊢ (∃푥 푃 (푥)) ∨ (∃푥 푄(푥)) by ((∨+), (4)) (7) 푃 (푢) ∨ 푄(푢) ⊢ (∃푥 푃 (푥)) ∨ (∃푥 푄(푥)) by ((∨−), (5), (6)) (8) ∃푥(푃 (푥) ∨ 푄(푥)) ⊢ (∃푥 푃 (푥)) ∨ (∃푥 푄(푥)) by ((∃−), (7))

Exercise 94. ((∃푥 푃 (푥)) ∨ (∃푥 푄(푥))) ⊢ (∃푥 (푃 (푥) ∨ 푄(푥))).

83 Exercise 95. Show that (∀푥 (푃 (푥) → 푄(푥))), (∃푥 푃 (푥)) ⊢ (∃푥 푄(푥)).

Solution:

(1) (∀푥 (푃 (푥) → 푄(푥))), 푃 (푢) ⊢ (∀푥 (푃 (푥) → 푄(푥))) by (∈) (2) (∀푥 (푃 (푥) → 푄(푥))), 푃 (푢) ⊢ 푃 (푢) by (∈) (3) (∀푥 (푃 (푥) → 푄(푥))), 푃 (푢) ⊢ 푃 (푢) → 푄(푢) by (∀−, 1) (4) (∀푥 (푃 (푥) → 푄(푥))), 푃 (푢) ⊢ 푄(푢) by (→ −, 2, 3) (5) (∀푥 (푃 (푥) → 푄(푥))), 푃 (푢) ⊢ (∃푥 푄(푥)) by (∃+, 4) (6) (∀푥 (푃 (푥) → 푄(푥))), (∃푥 푃 (푥)) ⊢ (∃푥 푄(푥)) by (∃−, 2)

Exercise 96. Show that (∀푥 (푄(푥) → 푅(푥))), (∃푥 (푃 (푥) ∧ 푄(푥))) ⊢ (∃푥 (푃 (푥) ∧ 푅(푥))).

Solution: 1. (∀푥 (푄(푥) → 푅(푥))) premise 2. (∃푥 (푃 (푥) ∧ 푄(푥))) premise 3. (푃 (푢) ∧ 푄(푢)), 푢 fresh assumption 4. 푃 (푢) ∧e: 3 5. 푄(푢) ∧e: 3 6. (푄(푢) → 푅(푢)) ∀e: 1 7. 푅(푢) →e: 5, 6 8. (푃 (푢) ∧ 푅(푢)) ∧i: 4, 7 9. (∃푥 (푃 (푥) ∧ 푅(푥))) ∃i: 8 10. (∃푥 (푃 (푥) ∧ 푅(푥))) ∃e: 2, 3-9

84 2.4.6 Exists-Elimination - Additional Exercises Exercise 97. {(∃푥 (푃 (푥) → 푄(푥))), (∀푦 푃 (푦))} ⊢ (∃푥 푄(푥))

Exercise 98. {(∃푥 (∃푦 푃 (푥, 푦)))} ⊢ (∃푦 (∃푥 푃 (푥, 푦))).

Exercise 99. {(∃푥 ((¬푃 (푥)) ∧ (¬푄(푥))))} ⊢ (∃푥 (¬(푃 (푥) ∧ 푄(푥)))).

Exercise 100. {(∃푥 ((¬푃 (푥)) ∨ 푄(푥)))} ⊢ (∃푥 (¬(푃 (푥) ∧ (¬푄(푥))))).

85 2.4.7 Putting them together Exercise 101. Show that (∃푦 (∀푥 푃 (푥, 푦))) ⊢ (∀푥 (∃푦 푃 (푥, 푦))).

Solution: There are two different solutions, depending whether we apply ∀+ last or apply ∃− last. Applying ∃− last:

(1) (∀푥 푃 (푥, 푣)) ⊢ (∀푥 푃 (푥, 푣)) by (∈) (2) (∀푥 푃 (푥, 푣)) ⊢ 푃 (푢, 푣) by (∀−, 1) (3) (∀푥 푃 (푥, 푣)) ⊢ (∃푦 푃 (푢, 푦)) by (∃+, 2) (4) (∀푥 푃 (푥, 푣)) ⊢ (∀푥 (∃푦 푃 (푥, 푦))) by (∀+, 3) (5) (∃푦 (∀푥 푃 (푥, 푦))) ⊢ (∀푥 (∃푦 푃 (푥, 푦))) by (∃−, 4)

Applying ∀+ last:

(1) (∀푥 푃 (푥, 푣)) ⊢ (∀푥 푃 (푥, 푣)) by (∈) (2) (∀푥 푃 (푥, 푣)) ⊢ 푃 (푢, 푣) by (∀−, 1) (3) (∀푥 푃 (푥, 푣)) ⊢ (∃푦 푃 (푢, 푦)) by (∃+, 2) (4) (∃푦 (∀푥 푃 (푥, 푦))) ⊢ (∃푦 푃 (푢, 푦)) by (∃−, 3) (5) (∃푦 (∀푥 푃 (푥, 푦))) ⊢ (∀푥 (∃푦 푃 (푥, 푦))) by (∀+, 4)

86 Exercise 102. Show that {(∃푥 푃 (푥)), (∀푥 (∀푦 (푃 (푥) → 푄(푦))))} ⊢ (∀푦 푄(푦)).

Solution: There are two different solutions, depending whether we apply ∀+ last or apply ∃− last.

(1) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) by (∈) (2) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푦 (푃 (푢) → 푄(푦))) by (∀−, 1) (3) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (푃 (푢) → 푄(푣)) by (∀−, 2) (4) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ 푃 (푢) by (∈) (5) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ 푄(푣) by (→ −, 3, 4) (6) (∃푥 푃 (푥)), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ 푄(푣) by (∃−, 5) (7) (∃푥 푃 (푥)), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푦 푄(푦)) by (∀+, 6)

(1) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) by (∈) (2) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푦 (푃 (푢) → 푄(푦))) by (∀−, 1) (3) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (푃 (푢) → 푄(푣)) by (∀−, 2) (4) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ 푃 (푢) by (∈) (5) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ 푄(푣) by (→ −, 3, 4) (6) 푃 (푢), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푦 푄(푦)) by (∀+, 5) (7) (∃푥 푃 (푥)), (∀푥 (∀푦 (푃 (푥) → 푄(푦)))) ⊢ (∀푦 푄(푦)) by (∃−, 6)

87 Exercise 103. Show that {(¬(∃푥 푃 (푥)))} ⊢ (∀푥 (¬푃 (푥))). (De Morgan)

Solution:

(1) (¬(∃푥 푃 (푥))), 푃 (푢) ⊢ 푃 (푢) by (∈) (2) (¬(∃푥 푃 (푥))), 푃 (푢) ⊢ (∃푥 푃 (푥)) by (∃+, 1) (3) (¬(∃푥 푃 (푥))), 푃 (푢) ⊢ (¬(∃푥 푃 (푥))) by (∈) (4) (¬(∃푥 푃 (푥))) ⊢ (¬푃 (푢)) by (¬+, 2, 3) (5) (¬(∃푥 푃 (푥))) ⊢ (∀푥 (¬푃 (푥))) by (∀+, 4)

Exercise 104. Show that {(∀푥 (¬푃 (푥)))} ⊢ (¬(∃푥 푃 (푥))). (De Morgan)

Solution:

(1) (∀푥 (¬푃 (푥))), 푃 (푢), ¬푄(푣) ⊢ (∀푥 (¬푃 (푥))) by (∈) (2) (∀푥 (¬푃 (푥))), 푃 (푢), ¬푄(푣) ⊢ ¬푃 (푢) by (∀−, 1) (3) (∀푥 (¬푃 (푥))), 푃 (푢), ¬푄(푣) ⊢ 푃 (푢) by (∈) (4) (∀푥 (¬푃 (푥))), 푃 (푢) ⊢ 푄(푣) by (¬−, 2, 3) (5) (∀푥 (¬푃 (푥))), (∃푥 푃 (푥)) ⊢ 푄(푣) by (∃−, 4) (6) (∀푥 (¬푃 (푥))), 푃 (푢), 푄(푣) ⊢ (∀푥 (¬푃 (푥))) by (∈) (7) (∀푥 (¬푃 (푥))), 푃 (푢), 푄(푣) ⊢ ¬푃 (푢) by (∀−, 6) (8) (∀푥 (¬푃 (푥))), 푃 (푢), 푄(푣) ⊢ 푃 (푢) by (∈) (9) (∀푥 (¬푃 (푥))), 푃 (푢) ⊢ ¬푄(푣) by (¬+, 7, 8) (10) (∀푥 (¬푃 (푥))), (∃푥 푃 (푥)) ⊢ ¬푄(푣) by (∃−, 9) (11) (∀푥 (¬푃 (푥))) ⊢ (¬(∃푥 푃 (푥))) by (¬+, 5, 10)

88 Exercise 105. Show that {(∃푥 (¬푃 (푥)))} ⊢ (¬(∀푥 푃 (푥))). (De Morgan)

Solution: 1. (∃푥 (¬푃 (푥))) premise 2. (∀푥 푃 (푥)) assumption 3. (¬푃 (푢)), 푢 fresh assumption 4. 푃 (푢) ∀e: 2 5. ⊥ ⊥i: 3, 4 6. ⊥ ∃e: 1, 3-5 7. (¬(∀푥 푃 (푥))) ¬i: 2-6

Exercise 106. Show that {(¬(∀푥 푃 (푥)))} ⊢ (∃푥 (¬푃 (푥))). (De Morgan)

Solution: 1. (¬(∀푥 푃 (푥))) premise 2. (¬(∃푥 (¬푃 (푥)))) assumption 3. 푢 fresh assumption 4. (¬푃 (푢)) assumption 5. (∃푥 (¬푃 (푥))) ∃i: 4 6. ⊥ 2, 5 7. 푃 (푢) PBC: 4-6 8. (∀푥 푃 (푥)) ∀i: 3-7 9. ⊥ ⊥i: 1, 8 10. (∃푥 (¬푃 (푥))) PBC: 2-9

89 2.4.8 Putting them together - Additional Exercises Exercise 107. {(∀푥 (푃 (푥) → (¬푄(푥))))} ⊢ (¬(∃푥 (푃 (푥) ∧ 푄(푥)))).

Exercise 108. {(∀푥 (푃 (푥) ∨ 푄(푥)))} ⊢ ((∀푥 푃 (푥)) ∨ (∃푥 푄(푥))).

Exercise 109. {(∀푥 (푃 (푥) → (푄(푥) ∨ 푅(푥)))), (¬(∃푥 (푃 (푥) ∧ 푅(푥))))} ⊢ (∀푥 (푃 (푥) → 푄(푥))).

Exercise 110. {(∃푥 (푃 (푥) ∧ 푄(푥))), (∀푥 (푃 (푥) → 푅(푥)))} ⊢ (∃푥 (푅(푥) ∧ 푄(푥))).

Exercise 111. {(∃푥 (∃푦 (푆(푥, 푦) ∨ 푆(푦, 푥))))} ⊢ (∃푥 (∃푦 푆(푥, 푦))).

Exercise 112. {(∀푥 (∃푦 푅(푥, 푦)))} ⊢ (¬(∀푥 푅(푥, 푥))). This is false. Can you prove it?

Exercise 113. {(∀푥 (∃푦 푅(푥, 푦)))} ⊢ (∀푥 (∃푦 (∃푧 (푅(푥, 푦) ∧ 푅(푥, 푧))))).

Exercise 114. {(∀푥 (푃 (푥) ∨ 푄(푥))), (∃푥 (¬푄(푥))), (∀푥 (푅(푥) → (¬푃 (푥))))} ⊢ (∃푥 (¬푅(푥))).

Exercise 115. ∅ ⊢ (∃푦 (푅(푦) → (∀푥 푅(푥)))) .

Exercise 116. {(∀푥 (∃푦 (푃 (푥) ∨ 푄(푦))))} ⊢ (∃푦 (∀푥 (푃 (푥) ∨ 푄(푦)))).

Exercise 117. {(∀푥 ((∃푦 푃 (푦)) → 푄(푥)))} ⊢ (∀푥 (∃푦 (푃 (푦) → 푄(푥)))).

Exercise 118. {(∀푥 (푃 (푥, 푥) ∨ (∀푦 푄(푥, 푦))))} ⊢ (∀푥 ((∃푦 푃 (푥, 푦)) ∨ 푄(푥, 푥))).

Exercise 119. ⊢ ((∀푥 (∃푦 푅(푥, 푦))) ∨ (¬(∀푥 푅(푥, 푥)))).

90 2.5 Soundness and Completeness of Natural Deduction 2.5.1 Proving that an inference rule is sound or not sound Lemma 1. Let 푡 be a predicate term. Let 퐼 be an interpretation with domain 퐷. Let 퐸 be an environment. Then we have that

푡푣 ∈ 퐷.

Lemma 2. Let 퐴 be a well-formed predicate formula. Let 푡 be a predicate term. Let 퐼 and 퐸 be an interpretation and environment. Let 푥 be a variable. Then we have that

퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦푡푣]).

Exercise 120. Prove that the ∀e inference rule is sound. That is, prove that the tautological consequence holds:

{(∀푥 퐴)} ⊨ 퐴[푡/푥] (125)

where 퐴 be a Predicate formula, 푥 is a variable, and 푡 is a Predicate term.

The proof sketch below is like an outline or a master plan. I will lay down the plan first. Then I will fill in the missing details. Proof Sketch. Consider an interpretation and environment (퐼, 퐸) such that (∀푥 퐴)푣 = 1. We need to show that 퐴[푡/푥]푣 = 1. (∀푥 퐴)푣 = 1 holds because ... 퐴(퐼,퐸[푥↦푡푣]) = 1 holds because ... 퐴[푡/푥]푣 = 1 holds because ... Thus, the tautological consequence holds and the inference rule is sound. Solution: Let (퐼, 퐸) be an interpretation and environment such that (∀푥 퐴)푣 = 1. By the satisfaction rule for ∀, we have that 퐴(퐼,퐸[푥↦푑]) = 1, for every 푑 ∈ 퐷. By Lemma 1, 푡푣 is some domain element. Thus, we have that 퐴(퐼,퐸[푥↦푡푣]) = 1. By Lemma 2, we have that 퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦푡푣]). Thus, we have that 퐴[푡/푥]푣 = 1.

91 Exercise 121. Prove that the ∃i inference rule is sound. That is, prove that the tautological consequence holds:

{퐴[푡/푥]} ⊨ (∃푥 퐴) (126)

where 퐴 is a predicate formula, 푡 is a predicate term, and 푥 is a variable.

Proof Sketch. Consider an interpretation and environment (퐼, 퐸) such that 퐴[푡/푥]푣 = 1. We need to show that (∃푥 퐴)푣 = 1. 퐴[푡/푥]푣 = 1 holds because ... 퐴(퐼,퐸[푥↦푡푣]) = 1 holds because ... (∃푥 퐴)푣 = 1 holds because ... Thus, the tautological consequence holds and the inference rule is sound. Solution: Let (퐼, 퐸) be an interpretation and environment such that 퐴[푡/푥]푣 = 1. By Lemma 2, we have that 퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦푡푣]). Thus, we have that 퐴(퐼,퐸[푥↦푡푣]) = 1. By Lemma 1, 푡푣 is some domain element. Thus, by the satisfaction rule for ∃, we have that (∃푥 퐴)푣 = 1.

92 Exercise 122. Prove that the following inference rule is NOT sound. 퐴[푡/푥] ∀푖∗ (∀푥 퐴) (127) where 퐴 is a predicate formula, 푡 is a predicate term, and 푥 is a variable. Proof Sketch. Define the symbols in the language of Predicate logic that we consider. Choose 퐴 to be a concrete Predicate formula. Choose 푡 to be a concrete Predicate term. Define an interpretation and an environment (퐼, 퐸). Show that 퐴[푡/푥]푣 = 1. Show that (∀푥 퐴)푣 = 0. Solution: Remark 18. How did I come up with the interpretation and the environment below? Given the definition of 퐷, 퐸, and 퐴 and 푡, we can simplify the premise and the conclusion. The premise becomes 퐴[푡/푥] = 푃 (푥)[푦/푥] = 푃 (푦). The conclusion becomes (∀푥 푃 (푥)). To make the premise true, we need to define 퐸(푦) and 푃 푣 such that 푃 (푦) is true. If we choose 퐸(푦) = 1, then we need 1 ∈ 푃 푣. If we choose 퐸(푦) = 2, then we need 2 ∈ 푃 푣. In the solution below, I chose 퐸(푦) = 1 and 1 ∈ 푃 푣. To make the conclusion false, we need to make sure that 푃 (푥) is false for one element of the domain. By the above definition, we already know that 푃 (푥) is true when 푥 is 1. The only other element of the domain is 2. So we need to make sure that 푃 (푥) is false when 푥 is 2, which means that 2 ∉ 푃 푣. Solution Text: We need to provide an interpretation 퐼 and an environment 퐸 such that 퐴[푡/푥]푣 = 1 and (∀푥 퐴)푣 = 0. Consider the language of predicate logic where 푃 (1) is a unary predicate and 푥 and 푦 are variables. Let 퐴 be 푃 (푥) and let 푡 be 푦. Let the interpretation 퐼 be defined below. • 퐷 = {1, 2} • 푃 푣 = {1} Let the environment 퐸 be defined by 퐸(푥) = 1 and 퐸(푦) = 1. First, we show that 퐴[푡/푥]푣 = 1. By Lemma 2, 퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦푡푣]). By the definition of the term 푡, 푡푣 = 푦푣 = 퐸(푦) = 1. Thus, 퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦1]) = 푃 (푥)(퐼,퐸[푥↦1]) = 1 because 퐸[푥 ↦ 1](푥) = 1 ∈ 푃 푣. Next, we show that (∀푥 퐴)푣 = 0. By the satisfaction rule for ∀, we need to show that 퐴(퐼,퐸[푥↦푑]) = 0 for at least one 푑 ∈ 퐷. We have that 퐴(퐼,퐸[푥↦2]) = 푃 (푥)(퐼,퐸[푥↦2]) = 0 because 퐸[푥 ↦ 2](푥) = 2 ∉ 푃 푣.

93 Exercise 123. Prove that the following inference rule is NOT sound. (∃푥 퐴) ∃푒∗ 퐴[푡/푥] (128)

where 퐴 is a predicate formula, 푡 is a predicate term, and 푥 is a variable.

Proof Sketch. Define the symbols in the language of Predicate logic that we consider. Choose 퐴 to be a concrete Predicate formula. Choose 푡 to be a concrete Predicate term. Define an interpretation and an environment (퐼, 퐸). Show that (∃푥 퐴)푣 = 1. Show that 퐴[푡/푥]푣 = 0. Solution: We need to provide an interpretation 퐼 and an environment 퐸 such that (∃푥 퐴)푣 = 1 and 퐴[푡/푥]푣 = 0. Consider the language of predicate logic where 푃 (1) is a unary predicate and 푥 and 푦 are variables. Let 퐴 be 푃 (푥) and let 푡 be 푦. Let the interpretation 퐼 be defined below.

• 퐷 = {1, 2}

• 푃 푣 = {1}

Let the environment 퐸 be defined by 퐸(푥) = 1 and 퐸(푦) = 2. First, we show that (∃푥 퐴)푣 = 1. By the definition of 푃 푣, we have that

퐴(퐼,퐸[푥↦1]) = 1 because 퐸[푥 ↦ 1](푥) = 1 ∈ 푃 푣. By the satisfaction rule for ∃, we have that

(∃푥 퐴)푣 = 1.

Second, we show that 퐴[푡/푥]푣 = 0. By Lemma 2, we have that 퐴[푡/푥]푣 = 퐴(퐼,퐸[푥↦푡푣]). We need to prove that 퐴(퐼,퐸[푥↦푡푣]) = 0. By Lemma 1, 푡푣 is a domain element. By the definitions of 푡, 퐼, and 퐸, we have that

푡푣 = 푦푣 = 퐸(푦) = 2.

94 By the definition of 푃 푣, we have that

퐴(퐼,퐸[푥↦푡푣]) = 퐴(퐼,퐸[푥↦2]) = 0

because 퐸[푥 ↦ 2](푥) = 2 ∉ 푃 푣. Therefore, we have that 퐴(퐼,퐸[푥↦푡푣]) = 0. The tautological consequence does not hold and the inference rule is not sound.

95 2.5.2 Additional Exercises Exercise 124. Prove that the following inference rule is sound.

(∀푥(퐴 → 퐵)) 퐴[푡/푥] ∀푒1 퐵[푡/푥] (129) where 퐴 and 퐵 are predicate formulas, 푡 is a predicate term, and 푥 is a variable.

Exercise 125. Prove that the following inference rule is sound.

(∀푥(퐴 → 퐵)) (¬퐵[푡/푥]) ∀푒2 (¬퐴[푡/푥]) (130) where 퐴 and 퐵 are predicate formulas, 푡 is a predicate term, and 푥 is a variable.

Exercise 126. Prove that the following inference rule is NOT sound.

(∀푥(퐴 → 퐵)) 퐵[푡/푥] ∀푒3 퐴[푡/푥] (131) where 퐴 and 퐵 are predicate formulas, 푡 is a predicate term, and 푥 is a variable.

Exercise 127. Prove that the following inference rule is NOT sound.

(∀푥(퐴 → 퐵)) (¬퐴[푡/푥]) ∀푒4 (¬퐵[푡/푥]) (132) where 퐴 and 퐵 are predicate formulas, 푡 is a predicate term, and 푥 is a variable.

96 2.5.3 Proofs using the soundness and completeness theorems Exercise 128. Let Σ be a set of Predicate formulas and let 퐴 be a Predicate formula. If Σ ∪ {(¬퐴)} is unsatisfiable, then Σ ⊢ 퐴. Proof Sketch. Assume that Σ ∪ {(¬퐴)} is unsatisfiable. This means that, for any interpre- tation and environment (퐼, 퐸), at least one formula in Σ ∪ {(¬퐴)} is false. Prove that Σ ⊨ 퐴. Consider an interpretation and environment (퐼, 퐸). Assume that every formula in Σ is true under (퐼, 퐸). Prove that 퐴 is true under (퐼, 퐸). We have Σ ⊢ 퐴 by the completeness of Natural Deduction. Solution: Remark 19. What does it mean for a set of formula Σ to be unsatisfiable? • It means that “for every (퐼, 퐸), at least one formula in Σ is false.” Example 1: The set {푃 (푥), (¬푃 (푥))} is unsatisfiable. Under any (퐼, 퐸), if 푃 (푥) is true, then (¬푃 (푥)) must be false. If (¬푃 (푥)) is true, then 푃 (푥) must be false. • It DOES NOT mean that “ for every (퐼, 퐸), at least one formula in Σ is a contradic- tion.” Example 2: The set {(푃 (푥) ∧ (¬푃 (푥)))} is unsatisfiable. Under any (퐼, 퐸), (푃 (푥) ∧ (¬푃 (푥))) is always false. Note that this is only one type of unsatisfiable set. • It DOES NOT mean that “for one pair (퐼, 퐸), at least one formula in Σ is false.” When proving the tautological consequence Σ ⊨ 퐴, why do we only consider the cases when every formula in Σ is true? By the definition of tautological consequence, we only need to verify that 퐴 is true in the case when every formula in Σ is true under an (퐼, 퐸). Thus, we do not need to consider the case when a formula in Σ is false under an (퐼, 퐸). Solution Text: Assume that Σ ∪ {(¬퐴)} is unsatisfiable. This means that, for any interpretation and environment (퐼, 퐸), at least one formula in Σ ∪ {(¬퐴)} is false. We need to prove that Σ ⊨ 퐴. Consider an interpretation and environment (퐼, 퐸). Assume that every formula in Σ is true under (퐼, 퐸). We need to prove that 퐴 is true under (퐼, 퐸). Under the (퐼, 퐸) we are considering, every formula in Σ is true and at least one formula in Σ ∪ {(¬퐴)} is false. Therefore, it must be that (¬퐴)푣 = 0. By the definition of ¬, 퐴푣 = 1. Therefore, the tautological consequence Σ ⊨ 퐴 holds. Σ ⊢ 퐴 holds by the completeness of Natural Deduction. Exercise 129. Let Σ be a set of Predicate formulas and let 퐴 be a Predicate formula. If Σ ⊢ 퐴, then Σ ∪ {(¬퐴)} is unsatisfiable. Exercise 130. Show that there is no formal deduction proof for {(∃푥 푃 (푥))} ⊢ 푃 (푡), where 푃 is a unary predicate, 푡 is a term and 푥 is a variable.

97 3 Program Verification

3.1 Partial and Total Correctness

Exercise 131. Consider the Hoare triple ⦇ (푥 > 0) ⦈ 퐶1 ⦇ ((푦 ∗ 푦) < 푥) ⦈.

If we run 퐶1 starting with the state (푥 = 5), (푦 = 5), 퐶1 terminates in the state (푥 = 5), (푦 = 0). Is the Hoare triple satisfied under partial correctness?

Solution: The answer is ‘not enough information to tell.” The definition of partial correctness has an implication in it: If a starting state satisfies the precondition and the program terminates when run with this starting state, then the terminating state satisfies the postcondition. For the given example, the starting state (푥 = 5) satisfies the precondition 푥 > 0, the program terminates, and the terminating state ((푥 = 5), (푦 = 0)) satisfies the postcondition since 푦 ∗ 푦 = 0 < 5 = 5. Therefore, this example satisfies the implication in the definition of partial correctness. However, to verify partial correctness, we need to consider all possible starting states which satisfy the precondition, e.g. (푥 = 1), (푥 = 2), etc. We do not know the terminating states for the other possible starting states. Therefore, we do not have enough information to determine the answer.

Exercise 132. Consider the Hoare triple ⦇ (푥 > 0) ⦈ 퐶2 ⦇ ((푦 ∗ 푦) < 푥) ⦈.

If we run 퐶2 starting with the state (푥 = 5), (푦 = 5), 퐶2 terminates in the state (푥 = 5), (푦 = 3). Is the Hoare triple satisfied under partial correctness?

Solution: The answer is NO. The definition of partial correctness has an implication in it: If a starting state satisfies the precondition and the program terminates when run with this starting state, then the terminating state satisfies the postcondition. For the given example, the starting state 푥 = 5 satisfies the precondition 푥 > 0, and the terminating state (푥 = 5, 푦 = 3) does NOT satisfy the postcondition 푦 ∗ 푦 = 0 < 5 = 5. Therefore, this example does not satisfy this implication in the definition of partial correctness. To verify that partial correctness is not satisfied, it is sufficient to find one counterexample as shown above. Therefore, the triple is NOT satisfied under partial correctness.

98 Exercise 133. Consider the Hoare triple ⦇ (푥 > 0) ⦈ 퐶3 ⦇ ((푦 ∗ 푦) < 푥) ⦈.

If we run 퐶3 starting with the state (푥 = −3), (푦 = 5), 퐶3 terminates in the state (푥 = −3), (푦 = 0). Is the Hoare triple satisfied under partial correctness?

Solution: The answer is “not enough information to tell”. For the given example, the starting state 푥 = −3 does not satisfy the precondition. To verify partial correctness, we only need to consider starting states that satisfy the pre- condition. Therefore, the example is irrelevant for us. Since we do not know how the program behaves for starting states that satisfy the precon- dition, we do not have enough information to determine the answer.

Exercise 134. Consider the Hoare triple ⦇ (푥 > 0) ⦈ 퐶4 ⦇ ((푦 ∗ 푦) < 푥) ⦈.

If we run 퐶4 starting with the state (푥 = 2), (푦 = 5), 퐶4 does not terminate. Is the Hoare triple satisfied under partial correctness?

Solution: The answer is “not enough information to tell”. The definition of partial correctness has an implication in it: If a starting state satisfies the precondition and the program terminates when run with this starting state, then the terminating state satisfies the postcondition. For the given example, the starting state 푥 = 2 satisfies the precondition but the program does not terminate. Note that, program termination is a premise of the implication in the definition of partial correctness. Therefore, this example satisfies the implication inthe definition of partial correctness. However, to verify partial correctness, we need to consider all possible starting states that satisfy the precondition. Since we do not know how the program behaves for other possible starting states, we do not have enough information to determine the answer.

99 Exercise 135. Is the following Hoare triple satisfied under partial and/or total correctness? ⦇ (푥 = 1) ⦈ while (1) { x = 0 }; ⦇ (푦 = 1) ⦈

Solution: The triple is satisfied under partial correctness, and it is not satisfied under total correctness. The program does not terminate for any starting state. Therefore, partial correctness is automatically satisfied. (If the program does not terminate for a starting state, thenthe premise of the implication is false and the implication is vacuously true.) The program does not terminate for any starting state. Therefore, total correctness is NOT satisfied. The key difference between partial and total correctness is that partial correctness doesnot require program termination, whereas total correctness does. Exercise 136. Is the following Hoare triple satisfied under partial and/or total correctness? ⦇ 푡푟푢푒 ⦈ y = 1 ; z = 0 ; while ( z != x ) { z = z + 1 ; y = y ∗ z ; } ⦇ (푦 = 푥!) ⦈

Solution: The triple is satisfied under partial correctness, and it is NOT satisfied under total correctness. The precondition is true. This means that there is no required precondition. In other words, any starting state satisfies the precondition. If the starting state has 푥 ≥ 0, we can verify that the program terminates and computes 푦 = 푥! correctly. (We are not able to prove this yet because we haven’t learned the techniques to construct the proof. However, we could verify this on a case-by-case basis.) Therefore, for this case, partial and total correctness are both satisfied. If the starting state has 푥 < 0, the while loop runs forever and does not terminate. Therefore, for this case, only partial correctness is satisfied. Total correctness is not satisfied because the program does not terminate. In summary, partial correctness is satisfied because it is satisfied in both cases. Total cor- rectness is NOT satisfied because the program does not terminate for some starting states where 푥 < 0.

100 3.2 Assignment Statements Complete the following annotations. ⦇ ⦈ x = 2 ; ⦇ (푥 = 2) ⦈ Solution: ⦇ (2 = 2) ⦈ x = 2 ; ⦇ (푥 = 2) ⦈ assignment

⦇ ⦈ x = 2 ; ⦇ (푥 = 푦) ⦈ Solution: ⦇ (2 = 푦) ⦈ x = 2 ; ⦇ (푥 = 푦) ⦈ assignment

⦇ ⦈ x = 2 ; ⦇ (푥 = 0) ⦈ Solution: ⦇ (2 = 0) ⦈ x = 2 ; ⦇ (푥 = 0) ⦈ assignment

101 ⦇ ⦈ x = x + 1 ; ⦇ (푥 = (푛 + 1)) ⦈ Solution: ⦇ ((푥 + 1) = (푛 + 1)) ⦈ x = x + 1 ; ⦇ (푥 = (푛 + 1)) ⦈ assignment

⦇ ⦈ x = y ; ⦇ ((2 ∗ 푥) = (푥 + 푦)) ⦈ Solution: ⦇ ((2 ∗ 푦) = (푦 + 푦)) ⦈ x = y ; ⦇ ((2 ∗ 푥) = (푥 + 푦)) ⦈ assignment

102 Exercise 137. Show that the following triple is satisfied under partial correctness. ⦇ (푦 = 6) ⦈ x = y + 1 ; ⦇ (푥 = 7) ⦈

Solution: ⦇ (푦 = 6) ⦈ ⦇ ((푦 + 1) = 7) ⦈ i m p l i e d (A) x = y + 1 ; ⦇ (푥 = 7) ⦈ assignment Proof of implied (A): Assume that 푦 = 6. Adding 1 to both sides, we get 푦 + 1 = 6 + 1 = 7.

Exercise 138. Show that the following triple is satisfied under partial correctness.

⦇ ((푥 = 푥0) ∧ (푦 = 푦0)) ⦈ t = x ; x = y ; y = t ; ⦇ ((푥 = 푦0) ∧ (푦 = 푥0)) ⦈

Solution:

⦇ ((푥 = 푥0) ∧ (푦 = 푦0)) ⦈ ⦇ ((푦 = 푦0) ∧ (푥 = 푥0)) ⦈ i m p l i e d (A) t = x ; ⦇ ((푦 = 푦0) ∧ (푡 = 푥0)) ⦈ assignment x = y ; ⦇ ((푥 = 푦0) ∧ (푡 = 푥0)) ⦈ assignment y = t ; ⦇ ((푥 = 푦0) ∧ (푦 = 푥0)) ⦈ assignment Proof of implied (A): Assume that ((푥 = 푥0) ∧ (푦 = 푦0)) is true. By the definition of ∧, 푥 = 푥0 and 푦 = 푦0 are both true. By the definition of ∧, ((푦 = 푦0) ∧ (푥 = 푥0)) is true.

103 3.3 Conditional Statements Exercise 139. Show that the following triple is satisfied under partial correctness. ⦇ 푡푟푢푒 ⦈ i f ( x > y ) { max = x ; } else { max = y ; } ⦇ (((푥 > 푦) ∧ (푚푎푥 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푚푎푥 = 푦))) ⦈

Solution: ⦇ 푡푟푢푒 ⦈ i f ( x > y ) { ⦇ (푥 > 푦) ⦈ i f −then−else ⦇ (((푥 > 푦) ∧ (푥 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푥 = 푦))) ⦈ i m p l i e d (A) max = x ; ⦇ (((푥 > 푦) ∧ (푚푎푥 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푚푎푥 = 푦))) ⦈ assignment } else { ⦇ (¬(푥 > 푦)) ⦈ i f −then−else ⦇ (((푥 > 푦) ∧ (푦 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푦 = 푦))) ⦈ i m p l i e d (B) max = y ; ⦇ (((푥 > 푦) ∧ (푚푎푥 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푚푎푥 = 푦))) ⦈ assignment } ⦇ (((푥 > 푦) ∧ (푚푎푥 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푚푎푥 = 푦))) ⦈ i f −then−else

Proof of implied (A) Assume that (푥 > 푦). By the definition of =, 푥 = 푥 is true. By the definition of ∧, ((푥 > 푦)∧(푥 = 푥)) is true. By the definition of ∨, (((푥 > 푦)∧(푥 = 푥))∨((푥 ≤ 푦)∧(푥 = 푦))) is true. Proof of implied (B) Assume that (¬(푥 > 푦)) is true. By the definition of >, (푥 ≤ 푦) is true. By the definition of =, 푦 = 푦 is true. By the definition of ∧, ((푥 ≤ 푦) ∧ (푦 = 푦)) is true. By the definition of ∨, (((푥 > 푦) ∧ (푦 = 푥)) ∨ ((푥 ≤ 푦) ∧ (푦 = 푦))) is true.

104 Exercise 140. Show that the following triple is satisfied under partial correctness. ⦇ (푥 = 3) ⦈ i f ( x > 0) { x = 1 ; } else { x = 0 ; } ⦇ (푥 ≥ 0) ⦈

Solution: ⦇ (푥 = 3) ⦈ i f ( x > 0) { ⦇ ((푥 = 3) ∧ (푥 > 0)) ⦈ i f −then−else ⦇ (1 ≥ 0) ⦈ i m p l i e d (A) x = 1 ; ⦇ (푥 ≥ 0) ⦈ assignment } else { ⦇ ((푥 = 3) ∧ (¬(푥 > 0))) ⦈ i f −then−else ⦇ (0 ≥ 0) ⦈ i m p l i e d (B) x = 0 ; ⦇ (푥 ≥ 0) ⦈ assignment } ⦇ (푥 ≥ 0) ⦈ i f −then−else

Proof of implied (A) (((푥 = 3) ∧ (푥 > 0)) → (1 ≥ 0)) Assume that ((푥 = 3) ∧ (푥 > 0)) is true. 1 ≥ 0 is true by the definition of ≥. Proof of implied (B) (((푥 = 3) ∧ (¬(푥 > 0))) → (0 ≥ 0)) The premise ((푥 = 3) ∧ (¬(푥 > 0))) is false. (푥 = 3) means that 푥 is positive. (¬(푥 > 0)) means that 푥 is not positive. These two formulas contradict each other and cannot be true at the same time. Therefore, ((푥 = 3) ∧ (¬(푥 > 0))) is false by the property of ∧. The implication is vacuously true.

105 Exercise 141. Show that the following triple is satisfied under partial correctness. ⦇ 푡푟푢푒 ⦈ i f (max < x ) { max = x ; } ⦇ (푚푎푥 ≥ 푥) ⦈

Solution: ⦇ 푡푟푢푒 ⦈ i f (max < x ) { ⦇ (푚푎푥 < 푥) ⦈ i f −then ⦇ (푥 ≥ 푥) ⦈ i m p l i e d (A) max = x ; ⦇ (푚푎푥 ≥ 푥) ⦈ assignment } ⦇ (푚푎푥 ≥ 푥) ⦈ i f −then i m p l i e d (B) ((¬(푚푎푥 < 푥)) → (푚푎푥 ≥ 푥))

Proof of implied (A) Assume that (푚푎푥 < 푥) is true. (푥 ≥ 푥) is true by the definition of ≥. Proof of implied (B) Assume that (¬(푚푎푥 < 푥)) is true. By the definition of ¬ and <, (푚푎푥 ≥ 푥) is true.

106 Exercise 142. Show that the following triple is satisfied under partial correctness. ⦇ 푡푟푢푒 ⦈ i f ( x % 2 == 1) { x = x + 1 ; } ⦇ (∃푢 (푥 = (2 ∗ 푢))) ⦈

Solution: ⦇ 푡푟푢푒 ⦈ i f ( x % 2 == 1) { ⦇ ((푥%2) = 1) ⦈ i f −then ⦇ (∃푢 (푥 + 1 = (2 ∗ 푢))) ⦈ i m p l i e d (A) x = x + 1 ; ⦇ (∃푢 (푥 = (2 ∗ 푢))) ⦈ assignment } ⦇ (∃푢 (푥 = (2 ∗ 푢))) ⦈ i f −then i m p l i e d (B) ((¬(푥%2 = 1)) → ((∃푢 (푥 = (2 ∗ 푢)))))

Proof of implied (A) Assume that ((푥%2) = 1) is true. This means that 푥 is odd. By the definition of an odd integer, there exists an integer 푢 such that 푥 = 2 ∗ 푢 − 1 or 푥 + 1 = 2 ∗ 푢. Therefore, (∃푢 (푥 + 1 = (2 ∗ 푢))) is true. Proof of implied (B) Assume that ((¬(푥%2 = 1)) is true, which meant that 푥 is even. By the definition of an even integer, there exists an integer 푢 such that 푥 = 2 ∗ 푢. Therefore, ((∃푢 (푥 = (2 ∗ 푢)))) is true.

107 Exercise 143. Show that the following triple is satisfied under partial correctness. ⦇ 푡푟푢푒 ⦈ i f ( x < 5) { r = 0 ; } else { i f ( x > 10) { r = 0 ; } else { r = 1 ; } } ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈

Solution: ⦇ 푡푟푢푒 ⦈ i f ( x < 5) { ⦇ 푡푟푢푒 ∧ (푥 < 5) ⦈ i f −then−else ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (0 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (0 = 1))) ⦈ i m p l i e d (A) r = 0 ; ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈ assignment } else { ⦇ 푡푟푢푒 ∧ (푥 ≥ 5) ⦈ i f −then−else i f ( x > 10) { ⦇ 푡푟푢푒 ∧ (푥 ≥ 5) ∧ (푥 > 10) ⦈ i f −then−else ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (0 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (0 = 1))) ⦈ i m p l i e d (B) r = 0 ; ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈ assignment } else { ⦇ 푡푟푢푒 ∧ (푥 ≥ 5) ∧ (푥 ≤ 10) ⦈ i f −then−else ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (1 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (1 = 1))) ⦈ i m p l i e d (C) r = 1 ; ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈ assignment } ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈ i f −then−else } ⦇ ((((푥 < 5) ∨ (푥 > 10)) ∧ (푟 = 0)) ∨ (((5 ≤ 푥) ∧ (푥 ≤ 10)) ∧ (푟 = 1))) ⦈ i f −then−else

108 3.4 Conditional Statements: Additional Exercises Exercise 144. Show that the following triple is satisfied under partial correctness. ⦇ 푡푟푢푒 ⦈ x = a ∗ a ; y = b ∗ b ; z = x + y ; i f ( b > a ) { z = z + 2 ∗ a ∗ b ; } else { z = z − 2 ∗ a ∗ b ; } ⦇ ((∃푢 (푢 ∗ 푢 = 푧)) ⦈

109 3.5 While Loops Exercise 145. Show that the following triple is satisfied under partial correctness. ⦇ (푥 ≥ 0) ⦈ y = 1 ; z = 0 ; while ( z != x ) { z = z + 1 ; y = y ∗ z ; } ⦇ (푦 = 푥!) ⦈

Remark 20. There is a while loop in the program. To complete the proof, we need to come up with an invariant for the while loop. We produce the following table, which contains the values of all the variables in the program whenever the execution reaches the while test 푧! = 푥. Note: We can choose any non-negative value for 푥. For the following table, we chose 푥 = 5. Note: In the table, I wrote 푦 as a factorial. Doing this is helpful for seeing a relationship between the variables (With this, it is easy to see that 푦 = 푧! in every row of the table). Also, the post-condition says that 푦 should be a factorial. If we want to make progress towards that post-condition, then it makes sense that 푦 is equal to some factorial at every iteration of the loop.

x z y 5 0 1 = 0! 5 1 1 = 1! 5 2 2 = 2! 5 3 6 = 3! 5 4 24 = 4! 5 5 120 = 5!

Given the table, we can try to come up with relationship between the variables. For the relationship to be an invariant, it has to be true in every row of the truth table. For example,

• (¬(푧 = 푥)) is NOT an invariant. It is NOT true in the last row of the table.

• (푧 ≤ 푥) IS an invariant. It is true in every row of the table.

• (푦 = 푧!) IS an invariant. It is true in every row of the table.

• (푦 = 푥!) is NOT an invariant. It is only true in the last row of the table and not true in any other row.

110 • ((푧 ≤ 푥) ∧ (푦 = 푧!)) IS an invariant.

Note: We can combine one or more invariants with an ∧ to produce new invariants. If 퐴 and 퐵 are invariants, then (퐴 ∧ 퐵) is an invariant as well. So far, we have found three invariants: (푧 ≤ 푥), (푦 = 푧!), and ((푧 ≤ 푥) ∧ (푦 = 푧!)). Which of these invariants will lead to valid proofs? It turns out that both the second and third invariants will both lead to valid proofs. How do I choose an invariant to complete my proof? The only sure way of answering this question is to try completing the proof with the invariant. The proof is valid if and only if we can prove all of the implied conditions using the invariant. However, there are two strategies to speed up this process of selecting ani nvariant that works.

• A useful invariant is often similar to the post-condition. In our example, both invariants that work ((푦 = 푧!) and ((푧 ≤ 푥) ∧ (푦 = 푧!))) have the component (푦 = 푧!), which is similar to the post-condition (푦 = 푥!). This makes intuitive sense. An invariant describes the progress we are making towards the post-condition at every iteration of the loop. Therefore, it is only natural that the invariant looks similar to the post-condition.

• The last implied condition (implied C) is often the most difficult to satisfy. Thus, to test whether an invariant works, it may be more efficient to try proving implied (C) first.

See the completed solution below with the invariant (푦 = 푧!).

Solution: ⦇ (푥 ≥ 0) ⦈ ⦇ (1 = 0!) ⦈ i m p l i e d (A) y = 1 ; ⦇ (푦 = 0!) ⦈ assignment z = 0 ; ⦇ (푦 = 푧!) ⦈ assignment while ( z != x ) { ⦇ ((푦 = 푧!) ∧ (¬(푧 = 푥))) ⦈ p a r t i a l −while ⦇ ((푦 ∗ (푧 + 1)) = (푧 + 1)!) ⦈ i m p l i e d (B) z = z + 1 ; ⦇ ((푦 ∗ 푧) = 푧!) ⦈ assignment y = y ∗ z ; ⦇ (푦 = 푧!) ⦈ assignment } ⦇ ((푦 = 푧!) ∧ (¬(¬(푧 = 푥)))) ⦈ p a r t i a l −while ⦇ (푦 = 푥!) ⦈ i m p l i e d (C)

111 Proof of implied (A): Assume that (푥 ≥ 0) is true. (1 = 0!) is true by the definition of factorial. Proof of implied (B): Assume that (푦 = 푧!) and (¬(푧 = 푥)) are true. Multiplying (푧 + 1) on both sides of (푦 = 푧!), we get that 푦 ∗ (푧 + 1) = (푧 + 1)! is true. Proof of implied (C): Assume that (푦 = 푧!) and (¬(¬(푧 = 푥))) are true. By the definition of ¬, (¬(¬(푧 = 푥))) is equivalent to (푧 = 푥). Since (푦 = 푧!) and (푧 = 푥) are both true, we know that (푦 = 푥!) must be true.

112 Exercise 146. Show that the following triple is satisfied under partial correctness. ⦇ (푥 ≥ 0) ⦈ y = 1 ; z = 0 ; while ( z < x ) { z = z + 1 ; y = y ∗ z ; } ⦇ (푦 = 푥!) ⦈

Solution: ⦇ (푥 ≥ 0) ⦈ ⦇ ((1 = 0!) ∧ (0 ≤ 푥)) ⦈ i m p l i e d (A) y = 1 ; ⦇ ((푦 = 0!) ∧ (0 ≤ 푥)) ⦈ assignment z = 0 ; ⦇ ((푦 = 푧!) ∧ (푧 ≤ 푥)) ⦈ assignment while ( z < x ) { ⦇ (((푦 = 푧!) ∧ (푧 ≤ 푥)) ∧ (푧 < 푥)) ⦈ p a r t i a l −while ⦇ (푦 ∗ (푧 + 1) = (푧 + 1)!) ⦈ i m p l i e d (B) z = z + 1 ; ⦇ (푦 ∗ 푧 = 푧!) ⦈ assignment y = y ∗ z ; ⦇ (푦 = 푧!) ⦈ assignment } ⦇ (((푦 = 푧!) ∧ (푧 ≤ 푥)) ∧ (¬(푧 < 푥))) ⦈ p a r t i a l −while ⦇ (푦 = 푥!) ⦈ i m p l i e d (C)

Proof of implied (A): Assume that 푥 ≥ 0 is true. Then (0 ≤ 푥) is true by the definitions of ≤ and ≥. (1 = 0!) is true by the definition of factorial. Proof of implied (B): Assume that (푦 = 푧!), (푧 ≤ 푥) and (푧 < 푥) are true. Multiplying (푧 + 1) on both sides of (푦 = 푧!), we get that 푦 ∗ (푧 + 1) = (푧 + 1)! is true. Proof of implied (C): Assume that (푦 = 푧!), (푧 ≤ 푥) and (¬(푧 < 푥)) are true. By the definition of ¬, (¬(푧 < 푥)) is equivalent to (푧 ≥ 푥). Since (푧 ≤ 푥) and (푧 ≥ 푥), it must be that (푧 = 푥). Since (푦 = 푧!) and (푧 = 푥) are both true, we know that (푦 = 푥!) must be true.

113 3.6 While Loops: Additional Exercises Exercise 147. Show that the following triple is satisfied under partial correctness. ⦇ ((푛 ≥ 0) ∧ (푎 ≥ 0)) ⦈ s = 1 ; i = 0 ; while ( i != n) { s = s ∗ a ; i = i + 1 ; } ⦇ (푠 = 푎푛) ⦈

Exercise 148. Show that the following triple is satisfied under partial correctness. ⦇ ((푛 ≥ 0) ∧ (푎 ≥ 0)) ⦈ s = 1 ; i = 0 ; while ( i < n) { s = s ∗ a ; i = i + 1 ; } ⦇ (푠 = 푎푛) ⦈

114 3.7 Array Assignments Exercise 149. Show that the following triple is satisfied under partial correctness. ⦇ ((퐴[푥] = 푥0) ∧ (퐴[푦] = 푦0)) ⦈ t = A[ x ] ; A[ x ] = A[ y ] ; A[ y ] = t ; ⦇ ((퐴[푥] = 푦0) ∧ (퐴[푦] = 푥0)) ⦈ array assignment

Solution: ⦇ ((퐴[푥] = 푥0) ∧ (퐴[푦] = 푦0)) ⦈ ⦇ ((퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푥] = 푦0) ∧ (퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푦] = 푥0)) ⦈ i m p l i e d t = A[ x ] ; ⦇ ((퐴{푥 ← 퐴[푦]}{푦 ← 푡}[푥] = 푦0) ∧ (퐴{푥 ← 퐴[푦]}{푦 ← 푡}[푦] = 푥0)) ⦈ assignment A[ x ] = A[ y ] ; ⦇ ((퐴{푦 ← 푡}[푥] = 푦0) ∧ (퐴{푦 ← 푡}[푦] = 푥0)) ⦈ array assignment A[ y ] = t ; ⦇ ((퐴[푥] = 푦0) ∧ (퐴[푦] = 푥0)) ⦈ array assignment Proof of implied: We will prove that ((퐴[푥] = 푥0) ∧ (퐴[푦] = 푦0)) → (((퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푥] = 푦0) ∧ (퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푦] = 푥0)).

Proof. Case 1: Assume that 푥 = 푦. Assume that 퐴[푥] = 푥0 and 퐴[푦] = 푦0 are true. Since 푥 = 푦, we can re-write the conclusion as follows. 퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푥] = 퐴{푦 ← 퐴[푦]}{푦 ← 퐴[푦]}[푦] = 퐴[푦] = 푦0, and 퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푦] = 퐴{푥 ← 퐴[푥]}{푥 ← 퐴[푥]}[푥] = 퐴[푥] = 푥0. Case 2: Assume that 푥 ≠ 푦. Assume that 퐴[푥] = 푥0 and 퐴[푦] = 푦0 are true. Consider the array 퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}. The first assignment {푥 ← 퐴[푦]} changes the 푥th element of the array to 퐴[푦]. The second assignment {푦 ← 퐴[푥]} changes the 푦th element of the array to 퐴[푥]. Since 푥 ≠ 푦, the two assignments are modifying two different elements in the array and do not affect each other. Therefore, we have that 퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푦] = 퐴[푥] = 푥0. because the second assignment changes the 푦th element to 퐴[푥].

퐴{푥 ← 퐴[푦]}{푦 ← 퐴[푥]}[푥] = 퐴[푦] = 푦0. because the first assignment changes the 푥th element to 퐴[푦].

115 3.8 Putting them together Exercise 150. (Reversing an array) Consider an array 푅 of 푛 integers, 푅[1], 푅[2], ..., 푅[푛]. Consider the following program which reverses the elements inside the array 푅. Let 푟푥 denote the element at index 푥 in the array 푅 before the program execution. Prove that the following triple is satisfied under total correctness.

⦇ ((∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푥))) ⦈ j = 1 ; while (2∗ j <= n) { t = R[ j ] ; R[ j ] = R[ n+1−j ] ; R[ n+1−j ] = t ; j = j + 1 ; } ⦇ ((∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푛+1−푥))) ⦈

Solution: Since there is a while loop in the program, we need to come up with an invariant for the while loop. Consider the following invariant.

퐼푛푣(푗) ⊨ ⊨ (((∀푥 (1 ≤ 푥 ≤ 푗 − 1 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (∀푥 (푗 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) ∧ (푗 ≤ 푛/2 + 1))

Using the above invariant, we complete the annotations for the program as shown below.

⦇ (∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푥)) ⦈ ⦇ 퐼푛푣(1) ⦈ i m p l i e d (A) j = 1 ; ⦇ 퐼푛푣(푗) ⦈ assignment while (2∗ j <= n ) { ⦇ (퐼푛푣(푗) ∧ (2 ∗ 푗 ≤ 푛)) ⦈ p a r t i a l −while ⦇ 퐼푛푣(푗 + 1)[푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}/푅] ⦈ i m p l i e d (B) t = R[ j ] ; ⦇ 퐼푛푣(푗 + 1)[푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푡}/푅] ⦈ assignment R[ j ] = R[ n+1−j ] ; ⦇ 퐼푛푣(푗 + 1)[푅{푛 + 1 − 푗 ← 푡}/푅] ⦈ array assignment R[ n+1−j ] = t ; ⦇ 퐼푛푣(푗 + 1) ⦈ array assignment j = j + 1 ; ⦇ 퐼푛푣(푗) ⦈ assignment }

116 ⦇ (퐼푛푣(푗) ∧ (¬(2 ∗ 푗 ≤ 푛))) ⦈ p a r t i a l −while ⦇ ((∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푛+1−푥))) ⦈ i m p l i e d (C) It remains to prove the implied (A), (B), and (C). To prove implied (C), we first prove Lemma 3 below.

Lemma 3. The two formulas below are logically equivalent.

(∀푥 ((1 ≤ 푥 ≤ (푛 + 1)/2) → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥))))

⊨ ⊨ (∀푥 ((1 ≤ 푥 ≤ 푛) → (푅[푥] = 푟푥)))

Proof. Starting with the top formula is logically equivalent to the following formula

(∀푥 (1 ≤ 푥 ≤ (푛 + 1)/2 → 푅[푥] = 푟푥)))

∧ (∀푥 (1 ≤ 푥 ≤ (푛 + 1)/2 → 푅[푛 + 1 − 푥] = 푟푛+1−푥))) (133)

We will transform formula 133 as follows. Let 푦 = 푛 + 1 − 푥. Then 푥 = 푛 + 1 − 푦. Plugging 푥 = 푛 + 1 − 푦 into formula 133, we have

(∀푥 (1 ≤ 푛 + 1 − 푦 ≤ (푛 + 1)/2 → 푅[푦] = 푟푦)))

Let’s simplify the inequality 1 ≤ 푛 + 1 − 푦 ≤ (푛 + 1)/2.

1≤푛+1−푦→푦≤푛

푛 + 1 − 푦 ≤ (푛 + 1)/2 → 푦 ≥ (푛 + 1)/2 Thus, the inequality becomes: (푛 + 1)/2 ≤ 푦 ≤ 푛 The formula becomes:

(∀푥 ((푛 + 1)/2 ≤ 푦 ≤ 푛 → 푅[푦] = 푟푦)))

Changing 푦 back into 푥, we have

(∀푥 ((푛 + 1)/2 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푥)))

117 Implied (A): (∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푥)) → 퐼푛푣(1) Proof. Assume that the premise is true. Our goal is to prove that the conclusion is true. Let’s simplify the conclusion below. The conclusion is 퐼푛푣(1). Take the invariant 퐼푛푣(푗) and plug in 푗 = 1, we have

(((∀푥 (1 ≤ 푥 ≤ 0 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (∀푥 (1 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) ∧ (1 ≤ 푛/2 + 1))

1 ≤ 푥 ≤ 0 is always false for any integer 푥. Thus the first part of the above formula is always true. We can simplify the formula to the following.

(∀푥 (1 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) ∧ (1 ≤ 푛/2 + 1))

We can further simplify 1 ≤ 푛/2 + 1 and get 0 ≤ 푛. The formula becomes the following:

(∀푥 (1 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) (134) ∧ (0 ≤ 푛))

Note that 0 ≤ 푛 is true because 푛 is positive. There is an implicit assumption that the array has at least one element. By Lemma 3, formula 134 is logically equivalent to the premise. Therefore, the implied holds.

118 To prove implied (C), we first prove Lemma 4 below.

Lemma 4. Assume that 푛 is odd (The array 푅 has an odd number of elements). The two formulas below are logically equivalent.

(((∀푥 (1 ≤ 푥 ≤ (푛 − 1)/2 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥))) ∧ (푅[(푛 + 1)/2] = 푟(푛+1)/2)

⊨ ⊨ ((∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푛+1−푥)))

Proof.

119 Implied (C):

(퐼푛푣(푗) ∧ (¬(2 ∗ 푗 ≤ 푛))) → ((∀푥 (1 ≤ 푥 ≤ 푛 → 푅[푥] = 푟푛+1−푥))) Proof. Let’s simplify the premise.

(2푗 ≤ 푛) ⊨ ⊨ (2푗 > 푛) ⊨ ⊨ (2푗 ≥ 푛 + 1) ⊨ ⊨ (푗 ≥ (푛 + 1)/2) (푗 ≤ 푛/2 + 1) ⊨ ⊨ (푗 ≤ (푛 + 2)/2) If 푛 is odd, then 푗 = (푛 + 1)/2. If 푛 is even, then 푗 = (푛 + 2)/2. Case 1: 푛 is even and 푗 = (푛 + 2)/2. Plugging in 푗 = (푛 + 2)/2 into the premise, we have

(((∀푥 (1 ≤ 푥 ≤ 푛/2 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (∀푥 ((푛 + 1)/2 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) (135) ∧ (푗 = (푛 + 1)/2). (푛+1)/2 ≤ 푥 ≤ (푛+1)/2 is always false. Thus, formula 135 is always true. We can simplify the formula to the following.

(((∀푥 (1 ≤ 푥 ≤ 푛/2 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥))) (136) ∧ (푗 = (푛 + 1)/2). We can prove that the formula 136 is logically equivalent to the conclusion of implied (C). (The argument is similar to Lemma 3). Therefore, when 푛 is even, if the premise of implied (C) is true, then the conclusion of implied (C) must be true. Case 2: 푛 is odd and 푗 = (푛 + 1)/2. Plugging in 푗 = (푛 + 1)/2 into the premise, we have the following. (I’ve omitted the 푗 = (푛 + 1)/2 part of the formula.

(((∀푥 (1 ≤ 푥 ≤ (푛 − 1)/2 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (∀푥 ((푛 + 1)/2 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) (137) In formula 137, 푥 must be equal to (푛 + 1)/2. Thus, we can simplify formula 137 as follows.

(∀푥 ((푛 + 1)/2 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))

⊨ ⊨ (푅[(푛 + 1)/2] = 푟(푛+1)/2 ∧ 푅[(푛 + 1)/2] = 푟(푛+1)/2))

⊨ ⊨ 푅[(푛 + 1)/2] = 푟(푛+1)/2 With this simplification, the premise becomes:

(((∀푥 (1 ≤ 푥 ≤ (푛 − 1)/2 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (푅[(푛 + 1)/2] = 푟(푛+1)/2) By Lemma 4, the above formula is logically equivalent to the conclusion of implied (C). Therefore, when 푛 is odd, if the premise of implied (C) is true, then the conclusion of implied (C) must be true.

120 Implied (B):

(퐼푛푣(푗) ∧ (2 ∗ 푗 ≤ 푛)) → 퐼푛푣(푗 + 1)[푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}/푅]

Proof. For convenience, let’s define 퐼푛푣푝(푗) to be the following formula:

(((∀푥 (1 ≤ 푥 ≤ 푗 − 1 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥))) (138)

∧ (∀푥 (푗 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥)))) (139) The premise of implied (B) becomes

퐼푛푣푝(푗) ∧ (푗 ≤ 푛/2 + 1)) ∧ (2푗 ≤ 푛) For convenience, let 푅′ denote 푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}. The conclusion of implied (B) becomes

′ ′ (((∀푥 (1 ≤ 푥 ≤ 푗 → (푅 [푥] = 푟푛+1−푥 ∧ 푅 [푛 + 1 − 푥] = 푟푥))) ′ ′ ∧ (∀푥 (푗 + 1 ≤ 푥 ≤ (푛 + 1)/2 → (푅 [푥] = 푟푥 ∧ 푅 [푛 + 1 − 푥] = 푟푛+1−푥)))) ∧ (푗 ≤ 푛/2)) ′ ⊨ ⊨ 퐼푛푣푝(푗 + 1)[푅 /푅] ∧ (푗 ≤ 푛/2) To prove implied (B), it is sufficient for us to prove the following two implications: Implication 1: ((푗 ≤ 푛/2 + 1)) ∧ (2푗 ≤ 푛)) → (푗 ≤ 푛/2). Proof of implication 1: Assume that (푗 ≤ 푛/2 + 1)) and (2푗 ≤ 푛) are true. (2푗 ≤ 푛) is equivalent to (푗 ≤ 푛/2). Since 푛/2 < 푛/2 + 1, we know that (푗 ≤ 푛/2), which is the conclusion that we need. ′ Implication 2: 퐼푛푣푝(푗) → 퐼푛푣푝(푗 + 1)[푅 /푅]. ′ Proof of implication 2: Let’s recall that what 퐼푛푣푝(푗) and 퐼푛푣푝(푗 + 1)[푅 /푅] are.

퐼푛푣푝(푗) ⊨ ⊨ (((∀푥 (1 ≤ 푥 ≤ 푗 − 1 → (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥)))

∧ (∀푥 (푗 ≤ 푥 ≤ (푛 + 1)/2 → (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥))))

′ ′ ′ 퐼푛푣푝(푗 + 1)[푅 /푅] ⊨ ⊨ (((∀푥 (1 ≤ 푥 ≤ 푗 → (푅 [푥] = 푟푛+1−푥 ∧ 푅 [푛 + 1 − 푥] = 푟푥))) ′ ′ ∧ (∀푥 (푗 + 1 ≤ 푥 ≤ (푛 + 1)/2 → (푅 [푥] = 푟푥 ∧ 푅 [푛 + 1 − 푥] = 푟푛+1−푥)))) To prove implication 2, it is sufficient to prove the following implications. For any 1 ≤ 푥 ≤ 푗 − 1,

′ ′ (푅[푥] = 푟푛+1−푥 ∧ 푅[푛 + 1 − 푥] = 푟푥) → (푅 [푥] = 푟푛+1−푥 ∧ 푅 [푛 + 1 − 푥] = 푟푥). Recall that 푅′ = 푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}. The two assignments only potentially affect the elements at indices 푗 and 푛 + 1 − 푗. Thus, for any index 푥 where

121 1 ≤ 푥 ≤ 푗 − 1, the element of 푅 is not affected. Thus, for any 1 ≤ 푥 ≤ 푗 − 1, 푅[푥] = 푅′[푥]. Thus, the implication holds. For 푗 + 1 ≤ 푥 ≤ (푛 + 1)/2,

′ ′ (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥) → (푅 [푥] = 푟푥 ∧ 푅 [푛 + 1 − 푥] = 푟푛+1−푥).

Recall that 푅′ = 푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}. The two assignments only potentially affect the elements at indices 푗 and 푛 + 1 − 푗. Thus, for any index 푥 where 푗 + 1 ≤ 푥 ≤ (푛 + 1)/2, the element of 푅 is not affected. Thus, for any 푗 + 1 ≤ 푥 ≤ (푛 + 1)/2, 푅[푥] = 푅′[푥]. Thus, the implication holds. For 푥 = 푗,

′ ′ (푅[푥] = 푟푥 ∧ 푅[푛 + 1 − 푥] = 푟푛+1−푥) → (푅 [푥] = 푟푛+1−푥 ∧ 푅 [푛 + 1 − 푥] = 푟푥).

This is equivalent to the following implication:

′ ′ (푅[푗] = 푟푗 ∧푅[푛+1−푗]=푟푛+1−푗) → (푅 [푗] = 푟푛+1−푗 ∧ 푅 [푛 + 1 − 푗] = 푟푗).

Since 푗 < (푛 + 1)/2, 푗 ≠ 푛 + 1 − 푗. Thus, we have that

′ 푅 [푗] = 푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}[푗] = 푅[푛 + 1 − 푗] = 푟푛+1−푗. by the first assignment {푗 ← 푅[푛+1−푗]} and by our assumption that 푅[푛+1−푗] = 푟푛+1−푗.

′ 푅 [푛 + 1 − 푗] = 푅{푗 ← 푅[푛 + 1 − 푗]}{푛 + 1 − 푗 ← 푅[푗]}[푛 + 1 − 푗] = 푅[푗] = 푟푗. by the second assignment{푛 + 1 − 푗 ← 푅[푗]} and by our assumption that 푅[푗] = 푟푗.

122 4 Undecidability

4.1 Prove that a problem is decidable Collected Wisdom:

• When you describe an algorithm, make sure that it terminates. For example, if a set 푆 is infinite, your algorithm cannot iterate through every element of 푆. For another example, it is okay to draw the truth table of a given formula because the truth table has finite size.

• An algorithm usually considers several cases. Make sure that you clearly indicate the return value of the algorithm in every case.

Exercise 151. The propositional-satisfiability problem: Is the propositional formula 퐴 sat- isfiable? Prove that the propositional-satisfiability problem is decidable.

Solution: We are given the propositional formula 퐴. We will draw the truth table of 퐴. The formula 퐴 must have a finite number of propositional variables in it. Therefore, the truth table will have a finite size and we will need a finite amount of time to draw the truth table. We will go through every cell in the final column of the truth table, where the truth value of 퐴 is indicated. If we can find one row of the truth table in which 퐴 is true, then 퐴 is satisfiable. Otherwise, if 퐴 is false in every row of the truth table, then 퐴 is not satisfiable.

Exercise 152. The propositional-tautology problem: Is the propositional formula 퐴 a tau- tology? Prove that the propositional-tautology problem is decidable.

123 4.2 The Halting Problem is Undecidable Exercise 153. The Halting Problem: Given a program 푃 and an input 퐼, does P terminate when run with input 퐼? Prove that the Halting Problem is undecidable.

Solution: This proof is adapted from a proof by Luwei Zhang. Thanks, Luwei! Proof by Contradiction. Assume that the halting problem is decidable. There exists an algorithm 퐻 such that 퐻 takes a program 푃 and an input 퐼 for 퐼 and returns yes if 푃 terminates when run with input 퐼 and no otherwise. We will construct a program 푋 which takes a program 푌 as its input. 푋 works as follows.

• 푋 called 퐻(푌 , 푌 ) to predict whether program 푌 will terminate when run with input 푌 .

• If 퐻(푌 , 푌 ) returns yes, 푋 goes into an infinite loop and does not terminate.

• If 퐻(푌 , 푌 ) returns no, 푋 terminates immediately.

Now, consider what happens if we run the program 푋 with itself as input. Suppose that 퐻 predicts that 푋 terminates when run with input 푋. Then by the construc- tion of 푋, when 퐻(푋, 푋) returns yes, 푋 goes into an infinite loop and does not terminate. 퐻’s prediction was wrong. Suppose that 퐻 predicts that 푋 does not terminate when run with input 푋. Then by the construction of 푋, when 퐻(푋, 푋) returns no, 푋 terminates immediately. 퐻’s prediction was wrong again. Therefore, 퐻 does not correctly predict whether 푋 terminates when run with input 푋. This contradicts with our assumption that 퐻 can decide the Halting Problem.

124 4.3 Prove that a problem is undecidable Collected Wisdom:

• Suppose that we are trying to prove that problem 푋 is undecidable. In your reduction, make the inputs to the algorithm for solving problem 푋 relate to 푃 and 퐼. After all, we are trying to construct an algorithm to determine whether 푃 terminates when run with input 퐼.

• To verify whether a reduction leads to a valid proof, consider two different cases: (1) 푃 terminates when run with input 퐼. (2) 푃 does not terminate when run with input 퐼. A reduction works if and only if the constructed algorithm gives the correct answer for both cases.

• A few useful constructions:

1. Construct a program which runs 푃 with input 퐼. 2. Construct a program which does nothing and terminates immediately. 3. Construct a program which has an infinite loop and runs forever. 4. Construct a program, which ignores its input and does one of 1, 2, and 3.

125 Exercise 154. The halting-no-input problem: Given a program 푃 that requires no input, does 푃 halt? Prove that the halting-no-input problem is undecidable.

Solution: Proof by Contradiction. Assume that there is an algorithm 퐵 which solves the halting-no- input problem. We will construct an algorithm 퐴 to solve the halting problem. Algorithm 퐴 takes two inputs a program 푃 and an input 퐼. It works as follows:

• Constructs a program 푃 ′, which runs 푃 with input 퐼.

• Runs algorithm 퐵 with the program 푃 ′ as the input and returns the result 퐵(푃 ′).

By our construction of algorithm 퐴, 푃 ′ halts if and only if 푃 halts on input 퐼. Therefore, if algorithm 퐵 solves the halting-no-input problem for input 푃 ′, then algorithm 퐴 solves the halting problem for inputs 푃 and 퐼. By our assumption, algorithm 퐵 solves the halting-no-input problem. Thus, algorithm 퐴 solves the halting problem. This contradicts the fact that the halting problem is undecidable.

126 Exercise 155. The both-halt problem: Given two programs 푃 1 and 푃 2 that take no input, do both programs halt? Prove that the both-halt problem is undecidable.

Solution: Proof by Contradiction. Assume that there is an algorithm 퐵 which solves the both-halt problem. We will construct an algorithm 퐴 to solve the halting problem. Algorithm 퐴 takes two inputs a program 푃 and an input 퐼. It works as follows:

• Constructs a program 푃 ′, which runs 푃 with input 퐼.

• Runs algorithm 퐵 with the two programs 푃 ′ and 푃 ′ as its inputs and returns the result 퐵(푃 ′, 푃 ′).

By our construction of algorithm 퐴, both programs 푃 ′ and 푃 ′ halt if and only if 푃 halts on input 퐼. Therefore, if algorithm 퐵 solves the both-halt problem for inputs 푃 ′ and 푃 ′, then the algorithm 퐴 solves the halting problem for inputs 푃 and 퐼. By our assumption, algorithm 퐵 solves the both-halt problem. Thus, algorithm 퐴 solves the halting problem. This contradicts the fact that the halting problem is undecidable.

Remark 21. Other reductions:

• Let 푃 1 do nothing. Let 푃 2 run 푃 with input 퐼. (This works.)

• Let 푃 1 contain an infinite loop. Let 푃 2 run 푃 with input 퐼. (This does NOT work.)

Remark 22. A variant of this problem: Consider the both-run-forever problem: Given two programs 푃 1 and 푃 2, do both programs run forever? Prove that the both-run-forever problem is undecidable.

127 Exercise 156. We say that two problems agree on all input if and only if, for every input 푥, either they both run forever, or they both halt and return the same value. The program-agreement problem: Given two programs, do they agree on all inputs? Prove that the program-agreement problem is undecidable.

128 Exercise 157. The total-correctness problem: Given a Hoare triple, is the triple satisfied under total correctness? Prove that the total correctness problem is undecidable.

129 Exercise 158. The partial-correctness problem: Given a Hoare triple, is the triple satisfied under partial correctness? Prove that the partial-correctness problem is undecidable.

Solution: Proof by Contradiction. Assume that there is an algorithm 퐵 which solves the total-correctness problem. We will construct an algorithm 퐴 to solve the halting problem. Algorithm 퐴 takes two inputs a program 푃 and an input 퐼. It works as follows:

• Constructs a program 푃 ′, which runs 푃 with input 퐼.

• Constructs the Hoare triple ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈.

• Runs algorithm 퐵 with the Hoare triple ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈ as its input.

• Return the negation of the result 퐵(⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈). (If 퐵 returns true, then 퐴 returns false, and vice versa.)

If the program 푃 ′ terminates, then the triple ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈ is NOT satisfied under partial correctness because the postcondition is false. Therefore, the only way for the triple to be satisfied under partial correctness is when 푃 ′ does not terminate. By our construction of algorithm 퐴, 푃 halts on input 퐼 if and only if 푃 ′ halts. 푃 ′ halts if and only if the triple ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈ is NOT satisfied under partial correctness. Thus, 푃 halts on input 퐼 if and only if the triple ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈ is NOT satisfied under partial correctness. Therefore, if algorithm 퐵 solves the partial-correctness problem for input ⦇ 푡푟푢푒 ⦈ 푃 ′ ⦇ 푓푎푙푠푒 ⦈, then the algorithm 퐴 solves the halting problem for inputs 푃 and 퐼. By our assumption, algorithm 퐵 solves the partial-correctness problem. Thus, algorithm 퐴 solves the halting problem. This contradicts the fact that the halting problem is undecidable.

130 Exercise 159. The exists-halting-input problem: Given a program 푃 , does there exist an input 퐼 such that 푃 halts with input 퐼? Prove that this problem is undecidable.

131 Exercise 160. The halt-every-input problem: Given a program 푃 , does 푃 halt for every input? Prove that the halt-every-input problem is undecidable.

132