L03 Logic Overview-Q

The document provides an overview of logic including logical predicates, operators, and quantifiers. It then presents a case study on using logic to analyze the conditions detected by a temperature monitor. The monitor records the last five temperature readings and needs to detect conditions such as rising temperature, when readings exceed limits, and when the alarm should be raised. Predicates are defined to represent the different conditions that the monitor needs to check for.

Uploaded by

johndeuterok

TME4013 Formal Methods

Logic Overview

Resources
1. P.G. Larsen, Lecture Note, TVDM1 VDMTools & Logic.
2. John Fitzgerald, et al., Validated Designs for OO Systems, Springer, 2005.
3. C.B. Jones, Systematic Software Development using VDM, Prentice Hall, ch. 1, 1990.

Assoc Prof Dr. Edwin Mit


Dept of Computing and Software Engineering
Faculty of Computer Sc. & IT., UNIMAS
Tel : 082-58(3799)
[email protected]

Oct 30, 2023 1


Agenda

• Introduction to Logic
– Logical Predicates
– Logical Operators
– Quantifiers
• Case Study: Temperature Monitor



Logic

Logic is the branch of philosophy concerned with the use and study of valid reasoning.


Logic (cont…)

Our ability to state invariants, record pre-conditions and post-conditions, and reason about a formal model depends on the logic on which the modelling language is based:
• Classical logical propositions and predicates
• Connectives
• Quantifiers

Formal specifications employ mathematical notation in order to achieve both preciseness and conciseness.


Logical Predicates

Predicates are simply logical expressions. The simplest kind of logical predicate is a proposition.

A proposition is a logical assertion about a particular value or values, usually involving a Boolean operator to compare the values, e.g.

A proposition is an expression which can have the value true or false.

Logical Predicates (cont…)

A predicate is a logical expression that is not specific to particular values but contains variables which can stand for one of a range of possible values.
For example:
(i)
(ii)
The truth or falsehood of a predicate depends on the value taken by the variables (i.e., x).


Homework

Which of the following sentences are propositions?

a) Your place or mine?
b) Why learn formal methods?
c) x-y = y-x


Logical Operators (Connectives)
We will examine the following logical operators:

Logical Operator    Standard Connective Symbol    Meaning
Negation            ¬                             NOT
Conjunction         ∧                             AND
Disjunction         ∨                             OR
Implication         ⇒, =>                         If ... then
Biconditional       ⇔, <==>                       If and only if (iff)

Truth tables can be used to show how these operators can combine propositions into compound propositions.


The symbol

• Please take note that, in VDM++, the following symbols are used:

=    equal to (e.g., )
:=   assign to (e.g., )
>=   greater than or equal to (e.g., )
=>   implication (e.g., if x then y)
<=   less than or equal to (e.g., )


Binding

There are two types of binding:

Type Binding, e.g.
   x : nat
   n : seq of char
A type binding lets the bound variable range over a type (a possibly infinite collection of values).

Set Binding, e.g.
   i in set inds m
   x in set {1,...,20}
A set binding lets the bound variable range over a finite set of values.


Quantifiers
Syntax:
forall binding & predicate
exists binding & predicate

Note:

"forall" is the universal quantifier, with the syntax:
"forall bind list & predicate"

"for all" is for looping; it is the set for-loop statement, with the syntax:
"for all x in set s do
   statement use x"


Universal quantification
• Universal quantification is a generalised form of conjunction.

• For example, the statement
“every natural number is greater than or equal to zero”
is equivalent to
0 ≥ 0 ∧ 1 ≥ 0 ∧ 2 ≥ 0 ∧ 3 ≥ 0 ∧ …
and in universal quantification is denoted by
∀ n: nat • n ≥ 0

(∀ is a turned-round “A”, “for All”, and written as “forall” in ASCII)

Universal quantification is a lot more brief and simple.


Questions

Formulate the following statements using predicate logic:

• Everybody likes Formal Methods (FM)
   forall p in set People & LikesFM(p)
• Everybody either likes FM or OO (Object-Oriented)
   forall p in set People & LikesFM(p) or LikesOO(p)
• Either everybody likes FM or everybody likes OO
   (forall p in set People & LikesFM(p)) or
   (forall p in set People & LikesOO(p))

• Are the last two statements equivalent?
   No, the last two statements are not equivalent!

Function/operation LikesFM(p) and LikesOO(p) need to be defined.

Existential quantification
• Existential quantification allows us to assert that a predicate holds for at least one value — but not necessarily all values — of a given set.

• For example, the statement
“there is a natural number that is greater than or equal to zero”
is equivalent to
0 ≥ 0 ∨ 1 ≥ 0 ∨ 2 ≥ 0 ∨ 3 ≥ 0 ∨ …
and in existential quantification is denoted by:
∃ n: nat • n ≥ 0

(∃ is a turned-round “E”, “there Exists”, and written as “exists” in ASCII)

Questions
Formulate the following statements using predicate logic:
• Somebody likes FM.
   exists p in set People & LikesFM(p)
• There is somebody who either likes FM or OO.
   exists p in set People & LikesFM(p) or LikesOO(p)
• Either somebody likes FM or somebody likes OO
   (exists p in set People & LikesFM(p)) or
   (exists p in set People & LikesOO(p))
• Are the last two statements equivalent?
   Yes, the last two statements are equivalent.

Function/operation LikesFM(p) and LikesOO(p) need to be defined.
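
The two equivalence questions above (one for forall, one for exists) can be settled by enumerating every possible definition of LikesFM and LikesOO over a small set. This is an added Python example, not part of the original slides; the three-element People set and all function names are constructed for illustration.

```python
from itertools import product

PEOPLE = ("ann", "bob", "cy")  # constructed sample set standing in for People

def forall_or(fm, oo):      # forall p in set People & LikesFM(p) or LikesOO(p)
    return all(fm[p] or oo[p] for p in PEOPLE)

def or_of_foralls(fm, oo):  # (forall p & LikesFM(p)) or (forall p & LikesOO(p))
    return all(fm[p] for p in PEOPLE) or all(oo[p] for p in PEOPLE)

def exists_or(fm, oo):      # exists p in set People & LikesFM(p) or LikesOO(p)
    return any(fm[p] or oo[p] for p in PEOPLE)

def or_of_exists(fm, oo):   # (exists p & LikesFM(p)) or (exists p & LikesOO(p))
    return any(fm[p] for p in PEOPLE) or any(oo[p] for p in PEOPLE)

def all_models():
    """Yield every possible pair of definitions (LikesFM, LikesOO)."""
    n = len(PEOPLE)
    for fm_bits in product([False, True], repeat=n):
        for oo_bits in product([False, True], repeat=n):
            yield dict(zip(PEOPLE, fm_bits)), dict(zip(PEOPLE, oo_bits))

def disagreements(lhs, rhs):
    """Models in which the two formulations evaluate differently."""
    return [(fm, oo) for fm, oo in all_models() if lhs(fm, oo) != rhs(fm, oo)]

def stronger_implies_weaker():
    """'Everybody likes FM or everybody likes OO' always implies the other."""
    return all(forall_or(fm, oo)
               for fm, oo in all_models() if or_of_foralls(fm, oo))

if __name__ == "__main__":
    bad = disagreements(forall_or, or_of_foralls)
    print("forall forms disagree in", len(bad), "of 64 models, e.g.", bad[0])
    print("exists forms disagree in",
          len(disagreements(exists_or, or_of_exists)), "models")
```

Any model where some people like only FM and others like only OO is a counterexample for the universal case; no counterexample exists for the existential case.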
Homework
(refer to your Discrete Maths course)

Let p, q and r be the propositions
p: you have flu
q: you miss the final exam
r: you pass the course

Write these propositions using p, q, and r and logical connectives.

You pass the course, but you don’t have flu


Agenda

• Introduction to Logic
– Logical Predicates
– Logical Operators
– Quantifiers
• Case Study: Temperature Monitor



A temperature monitor example
[Figure: temperature (C) plotted against time (s)]

The monitor records the last five temperature readings:
25 10 5 5 10


A temperature monitor example
The following conditions are to be detected by the monitor:
1. Rising: the last reading in the sample is greater than the first
2. Over limit: there is a reading in the sample in excess of 400 C
3. Continually over limit: all the readings in the sample exceed 400 C
4. Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.
5. Alarm: The alarm is to be raised if and only if the reactor is not safe


Predicates in the monitor example
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5

Consider a monitor m. m.temps is a sequence, so we can index into it:

First reading in m: m.temps(1)
Last reading in m: m.temps(5)

Predicate stating that the first reading in m is strictly less than the last reading:
m.temps(1) < m.temps(5)

The truth of the predicate depends on the value of m.


The rising condition
The last reading in the sample is greater than the first
Monitor :: temps : seq of int
           alarm : bool
inv m == len m.temps = 5
We can express the rising condition as a Boolean function:
Rising: Monitor -> bool
Rising(m) == m.temps(1) < m.temps(5)

For any monitor m, the expression Rising(m) evaluates to true iff the last reading in the sample in m is higher than the first, e.g.
Rising( mk_Monitor([233,45,677,650,900], true) )
Rising( mk_Monitor([23,45,67,50,20], false) )

Negation
Negation allows us to state that the opposite of some logical expression is true, e.g.
The temperature in the monitor mon is not rising:
not Rising(mon)

Truth table for negation, where P = Rising(mon):

P       ¬P
true    false
false   true


Disjunction
Disjunction allows us to express alternatives that are not necessarily exclusive:
Over limit: There is a reading in the sample in excess of 400 C
OverLimit: Monitor -> bool
OverLimit(m) ==
  m.temps(1) > 400 or
  m.temps(2) > 400 or
  m.temps(3) > 400 or
  m.temps(4) > 400 or
  m.temps(5) > 400

P       Q       P ∨ Q
true    true    true
true    false   true
false   true    true
false   false   false

Example (1st row):
If reading P exceeds 400 C or reading Q exceeds 400 C, then OverLimit (i.e., P ∨ Q) is true.

Conjunction
Conjunction allows us to express the fact that all of a collection of facts are true.
Continually over limit: all the readings in the sample exceed 400 C
COverLimit: Monitor -> bool
COverLimit(m) ==
  m.temps(1) > 400 and
  m.temps(2) > 400 and
  m.temps(3) > 400 and
  m.temps(4) > 400 and
  m.temps(5) > 400

P       Q       P ∧ Q
true    true    true
true    false   false
false   true    false
false   false   false

Example (1st row):
If reading P and reading Q both exceed 400 C, then COverLimit (i.e., P ∧ Q) is true.
Note that P and Q represent all readings.

Implication
Implication allows us to express facts which are only true under certain conditions (“if … then …”):
Safe: If readings do not exceed 400 C by the middle of the sample, the reactor is safe. If readings exceed 400 C by the middle of the sample, the reactor is still safe provided that the reading at the end of the sample is less than 400 C.
Safe: Monitor -> bool
Safe(m) ==
  m.temps(3) > 400 =>
  m.temps(5) < 400

P       Q       P ⇒ Q
true    true    true
true    false   false
false   true    true
false   false   true

m.temps(3) < 400 C

Example (1st row):
If reading P > 400 (true) and reading Q < 400 (true), then Safe (i.e., P ⇒ Q) is true.

Bi-implication
Bi-implication allows us to express equivalence (“if and only if”).
Alarm: The alarm is to be raised if and only if the reactor is not safe
This can be recorded as an invariant property:

Monitor :: temps : seq of int
           alarm : bool
inv m ==
  len m.temps = 5 and
  -- brackets needed: "and" binds tighter than "<=>"
  (not Safe(m.temps) <=> m.alarm)

P       Q       P ⇔ Q
true    true    true
true    false   false
false   true    false
false   false   true

Example (1st row):
Not safe is T and alarm is T, so P <==> Q is T (see note for more details).

P <==> Q

The truth of P => Q is sometimes described by saying that
P is a sufficient condition for Q, or
Q is a necessary condition for P.

Saying that P is a necessary and sufficient condition for Q
is another way of saying that Q => P and P => Q are both true,
i.e., P <==> Q

e.g.,
If students are in the lecture hall, then the lecture hall is not quiet.
The students are outside the lecture hall, so the lecture hall is quiet.


Operator Precedence and Associativity
• not has the highest precedence
• Followed by and, or, => and <=>, in that order
• => has right grouping, i.e.
   o A => B => C without brackets means
   o A => (B => C)
• The other logical operators are associative, so right and left grouping are equivalent, i.e.
   o A and (B and C) is identical to (A and B) and C
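
Grouping changes meaning, and a truth-table enumeration shows exactly where. The following added Python example (not part of the original slides) compares the two bracketings of A => B => C, and then applies the precedence rule to an invariant of the shape used on the bi-implication slide, `len m.temps = 5 and not Safe(...) <=> m.alarm`, when it is written without brackets. The names `len_ok`, `safe` and `alarm` are illustrative stand-ins for the three sub-expressions.

```python
from itertools import product

def implies(p, q):
    """VDM 'p => q': false only when p is true and q is false."""
    return (not p) or q

def differing_rows(f, g, names):
    """Truth-table rows (as dicts) on which formulas f and g disagree."""
    rows = []
    for values in product([False, True], repeat=len(names)):
        if f(*values) != g(*values):
            rows.append(dict(zip(names, values)))
    return rows

# A => B => C: right grouping (what VDM means) against left grouping.
def right_grouped(a, b, c):
    return implies(a, implies(b, c))

def left_grouped(a, b, c):
    return implies(implies(a, b), c)

# Invariant shape: len_ok and not safe <=> alarm, written without brackets.
# 'and' binds tighter than '<=>', so the whole conjunction becomes the left
# operand of '<=>'. On booleans, '<=>' is '=='.
def inv_as_parsed(len_ok, safe, alarm):
    return (len_ok and (not safe)) == alarm

def inv_intended(len_ok, safe, alarm):
    return len_ok and ((not safe) == alarm)

IMPLICATION_ROWS = differing_rows(right_grouped, left_grouped, ("A", "B", "C"))
INVARIANT_ROWS = differing_rows(inv_as_parsed, inv_intended,
                                ("len_ok", "safe", "alarm"))

if __name__ == "__main__":
    print("A => B => C groupings differ on:", IMPLICATION_ROWS)
    print("invariant readings differ on:   ", INVARIANT_ROWS)
```

Both rows on which the invariant readings differ have a wrong-length sample and the alarm off: the unbracketed form accepts them, the intended form rejects them.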


Quantifiers

For large collections of values, using a variable makes more sense than dealing with each case separately.
inds m.temps represents the indices (1-5) of the sample.
The “over limit” condition can then be expressed more economically as:
exists i in set inds m.temps & m.temps(i) > 400
The “continually over limit” condition can then be expressed using “forall”:
COverLimit: Monitor -> bool
COverLimit(m) ==
  forall i in set inds m.temps & m.temps(i) > 400


Represented by using a collection of values
COverLimit: Monitor -> bool
COverLimit(m) ==
  m.temps(1) > 400 and
  m.temps(2) > 400 and
  m.temps(3) > 400 and
  m.temps(4) > 400 and
  m.temps(5) > 400

Using variables
COverLimit: Monitor -> bool
COverLimit(m) ==
  forall i in set inds m.temps & m.temps(i) > 400


Quantifiers
Several variables may be bound at once by a single quantifier, e.g.
forall x,y in set {1,...,5} &
  x <> y => m.temps(x) = m.temps(y)

Would this predicate be true for the following value of m.temps?
[320, 220, 105, 119, 150]


Formulation Questions
All the readings in the sample are less than 400 and greater than 50.

forall i in set inds m.temps &
  m.temps(i) < 400 and m.temps(i) > 50

Each reading in the sample is up to 10 greater than its predecessor
(e.g., 8 is the predecessor of 9), in this case 8, 8+10, 18+10,

forall i in set inds m.temps\{1} &
  m.temps(i - 1) <= m.temps(i) + 10

There are two distinct readings in the sample which are over 400.

exists i,j in set inds m.temps &
  i <> j and m.temps(i) > 400 and m.temps(j) > 400

Quantifiers
Suppose we have to formalise the following property:
There is a “single minimum” in the sequence of readings, i.e. there is a reading which is strictly smaller than any of the other readings.

exists i in set inds m.temps &
  forall j in set inds m.temps &
    i <> j => m.temps(i) < m.temps(j)

m.temps = [320, 220, 105, 119, 150]
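
The monitor case study can be exercised end to end by transcribing its predicates into executable form. This is an added Python example, not part of the original slides and not VDM: `any` and `all` stand in for exists and forall, `implies` for =>, and `mk_monitor` is a hypothetical checked constructor that refuses states violating the invariant.

```python
from dataclasses import dataclass

LIMIT = 400  # over-limit threshold used throughout the slides

def implies(p, q):
    """VDM 'p => q': false only when p is true and q is false."""
    return (not p) or q

@dataclass(frozen=True)
class Monitor:
    temps: tuple  # VDM 'seq of int'; indexed from 1 in VDM, from 0 here
    alarm: bool

def rising(m):          # m.temps(1) < m.temps(5)
    return m.temps[0] < m.temps[4]

def over_limit(m):      # exists i in set inds m.temps & m.temps(i) > 400
    return any(t > LIMIT for t in m.temps)

def c_over_limit(m):    # forall i in set inds m.temps & m.temps(i) > 400
    return all(t > LIMIT for t in m.temps)

def safe(m):            # m.temps(3) > 400 => m.temps(5) < 400
    return implies(m.temps[2] > LIMIT, m.temps[4] < LIMIT)

def single_minimum(m):
    # exists i & forall j & i <> j => m.temps(i) < m.temps(j)
    idx = range(len(m.temps))
    return any(all(implies(i != j, m.temps[i] < m.temps[j]) for j in idx)
               for i in idx)

def inv_monitor(m):
    # len m.temps = 5 and (not Safe <=> alarm); '<=>' on booleans is '=='.
    # The length test comes first so safe() never indexes a short sequence.
    return len(m.temps) == 5 and ((not safe(m)) == m.alarm)

def mk_monitor(temps):
    """Hypothetical checked constructor: sets alarm so the invariant holds."""
    temps = tuple(temps)
    if len(temps) != 5:
        raise ValueError("a monitor holds exactly five readings")
    m = Monitor(temps, alarm=not safe(Monitor(temps, False)))
    assert inv_monitor(m)
    return m
```

Note the boundary the Safe formula implies: a final reading of exactly 400 after a middle reading above 400 is not safe, because the condition requires strictly less than 400.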


Reflection Exercise (QL3)
Take a piece of paper, write your name on the top-right corner of your paper (1%), then answer the following questions.

1. Which of the following are propositions?
   (i) 13 < 9
   (ii) Where are you going?

2. Let a:=0, b:=34, e:=true, f:=false.
   Evaluate the logical expression
   a < b and not(e and f).

3. Translate the statement “all numbers in the set {7, 55, 133, 200} are greater than 5” into a logical expression.

Submit your answer to eLEAP.

Questions?

If you have any question(s)/comment(s)/suggestion(s), please email me at [email protected] or post in the eLEAP forum.
