1

HOARE VERIFICATION
Albert Nymeyer
 Sir Charles Antony Richard Hoare
2

Picture taken in 2011

 Hoare logic
3

!  Hoare:
!  discovered Hoare Logic (in 1969), quicksort, CSP, occam, …
!  Hoare Logic is an inference system
!  usedto prove properties of programs.
!  based on proof rules, called Hoare triples:

{P} Q {R}
where
"  P is a precondition
"  Q is a program or a program statement
"  R post-condition.
 Change of state
4

What does x:=1 do?

!  It is an action that assigns the value 1 to location x
!  It is an action that results in a change of state (in the computer)
!  Before the statement, the pre-condition, we could be in ‘any state’
"  Any state satisfies ‘any state’, so we say this state satisfies the
predicate true
!  After the statement, the post-condition, the predicate x=1 is true
!  We express the change of state by a Hoare triple
{true} x:=1 {x=1}
!  Another example: what does if x<0 then x:=-x do? The Hoare triple is:
{true} if x<0 then x:=-x {x≥0}
!  The precondition and post-condition form a specification for the
fragment of code
 Specification and implementation
5

Any number of programs may implement the same specification.

Here are two identical specs:
!  {true} x:=y {x=y}
!  Correct, but a poor specification. What is the intention?
!  {true} x:=5; y:=5 {x=y}
!  Same (poor) spec, but a different program. Again, what is the intention?
A better way to specify what is probably intended
!  {x=a ∧ y=b} x:=y {x=b ∧ y=b}
!  a and b are dummy variables
 Hoare Triple examples
6

!  {true} x:=5 {x=5}

!  {x=y} x:=x+3 {x=y+3}
!  {x>-1} x:=x*2+3 {x>1}
!  {x=a} if (x<0) then x:=-x {x=|a|}
Can be anything
!  {false} x:=3 {x=12345678}
!  {x<0} while (x!=0) x:=x-1{ } does not exist
 Strongest post-condition
7

!  Examples of valid Hoare Triples:

!  {x=5} x:=x*2 {true}
!  {x=5} x:=x*2 {x>0}
!  {x=5} x:=x*2 {x=10 ∨ x=5}
!  {x=5} x:=x*2 {x=10} this has the strongest post-condition
!  All triples are true, but the last one is the most useful because it contains
the strongest post-condition x=10
!  It is strongest because this post-condition implies all the post-conditions:
!  x=10→true
!  x=10→x>0
!  x=10→(x=10 ∨ x=5)
!  x=10→x=10
!  Mathematically, if {P} S {Q} and for all R such that {P} S {R} it is the
case that Q→R, then Q is the strongest post-condition
 Weakest precondition
8

!  More examples of valid Hoare triples:

this has the weakest precondition

!  {x=5∧y=10} z:=x/y {z<1}

!  {x<y∧y>0} z:=x/y {z<1}

!  {y≠0∧x/y<1} z:=x/y {z<1}

!  All are true, but the most useful triple is the last one because it
contains the weakest precondition
!  using it allows the code to be used in the most general way

!  It is weakest because it implies each of the (other) preconditions

!  Mathematically, if {P} S {Q} and for all N such that {N} S {Q} it
is the case that N→P, then P is the weakest precondition wp(S,Q)
of S with respect to Q
 What makes a predicate strong/weak?
9

P→Q Remember, P is the antecedent and Q is the consequent

!  P is stronger than Q. P is more restricted than Q
!  Q is weaker than P. Q is more general than P
!  There are objects in Q that do not come from P
Examples
!  x can lift 100kg → x can lift 10kg

!  x lives in Sydney → x lives in Australia

!  x>0 → x≥0
!  false → true … true is the weakest possible predicate, false the strongest

We can change the strength of the antecedent or consequent …

 Let’s revisit the weightlifter
P: x can lift 100kg, Q: x can lift 10kg
10

!  P→Q means
"  If x can lift 100kg then x can lift 10kg
"  If x cannot lift 100kg, nothing happens

!  What’s the precondition of P→Q ?

"  x can lift 100kg, i.e. P
"  or x cannot lift 100kg, i.e. ¬P
is the same as {true}
"  so we can write {P∨¬P} P→Q { ? }

!  What’s the post-condition?

"  Well, if P is true then the state changes to Q
"  ifP is not true then nothing changes so all we have is ¬P
"  so we can write {true} P→Q {Q∨¬P}

In other words, P→Q ≡ {Q∨¬P} Material implication rule, see earlier

 … adding conditions to change strength
11 P Q P∧Q P∧Q→P
If P→Q we can: T T T T
!  strengthen the antecedent: add conditions with ∧ T F F T
"  … then P∧Q→P is true see for yourself F T F T
!  weaken the consequent: add conditions with ∨
F F F T
"  … then P→P∨Q is true
Examples
!  (x likes reading ∧ x likes running) → (x likes reading)
!  (x likes reading) → (x likes reading∨ x likes running)

Applying this to Hoare’s triples:

"  Example: the triple {x=1} x:=x+1 {x=2}
"  We are allowed to strengthen the precondition:
"  {x=1 ∧ y=1} x:=x+1 {x=2}
"  … but in this case it would seem pointless
 Calculate the weakest precondition (wp)
12

Assignment rule x:=E

!  Theweakest precondition wp(x:=E; P) = [E/x] P
!  … so the triple is {[E/x] P} x:=E {P}
this says substitute E for x in the post-condition P

!  Example: fill in the wp in the triple {wp} x:=3 {x+y>0}

!  Apply the rule: [E/x] P ≡ [3/x](x+y>0) ≡ 3+y>0 ≡ y>-3
!  So the solution is {y>-3} x:=3 {x+y>0}

!  Example: fill in the wp in the triple {wp} x:=3*y+z {x*y-z>0}

!  [3*y+z/x] (x*y–z>0) ≡ (3*y+z)*y-z>0 ≡3*y2 +z*y-z>0
!  So the solution is {3*y2+z*y-z>0} x:=3*y+z {x*y-z>0}
 Calculating wp
13

Sequence rule s1; s2

!  wp((s1; s2); P) = wp(s1; wp(s2; P))
Example
!  What is the wp in the triple {wp} x:=x+1; y:=x+y {y>5}
!  wp((x:=x+1; y:=x+y); y>5)
wp(x:=x+1, wp(y:=x+y; y>5)) … applying the sequence rule
wp(x:=x+1; x+y>5) … applying assignment rule to s2
x+1+y>5 … applying assignment rule to s1
x+y>4 … simplifying
 Calculating wp
14

Conditional rules if B then s1 else s2 and if B then s

!  wp(if B then s1 else s2; P) = B→wp(s1; P) ∧ ¬B→wp(s2; P)
= (B∧wp(s1; P)) ∨ (¬B∧wp(s2; P))
since: (P→Q) ∧ (¬P→R) ≡ (P∧Q) ∨ (¬P∧R)

!  wp(if B then s; P) = B→wp(s; P) ∧ ¬B→P

= (B∧wp(s; P)) ∨ (¬B∧P))

Example
!  What is the wp in {wp} if x>0 then y:=z else y:=-z {y>5}
wp(if x>0 then y:=z else y:=-z; y>5)
(x>0∧wp(y:=z; y>5)) ∨ (x≤0∧wp(y:=-z; y>5))
wp is (x>0 ∧ z>5) ∨ (x≤0 ∧ z<-5)
(which you could have worked out by looking at the code)
 For loops, it’s more complicated
15

Loops
!  Want to prove the triple {P} while B do S {Q}
"  where B is the loop condition and S is a sequence of statements
!  We used ‘weakest precondition’ rules to calculate
"  a single Hoare triple for a single statement

!  A loop is different: a set of statements S repeatedly executed

"  we do not know how many times the loop will repeat
"  maybe zero times, or 1 time, or a zillion times
"  … we try to find what never changes, called the invariant condition I
"  … we then need to prove the following:
"  The precondition implies the invariant P→I
"  The invariant is true inside the loop {I∧B} S {I}
"  The invariant (∧ ¬B) implies the post-condition I∧¬B → Q
 What the invariant is doing
16

The invariant I placed in the code

P→I establish
while (B)
{I∧B} S {I} maintenance
{ sfirst statement of the loop
…
slast statement of loop
}
I∧¬B → Q conclusion
It can be hard to find I. What we know for sure:
!  I must be weaker than P because P→I

!  I must be different to B because I must be true and B must be false

at the conclusion of the loop
 Example: sum of odds is a square
17

!  1 = 12
!  1+3 = 22
!  1+3+5=32
!  1+3+5+7=42
!  ...

We’ll write a program that sums odd numbers, and then verify its correctness.
 A program that sums odds
18

input n≥0
s:=0;
i:=0; the initialization statements must establish the invariant
while (i≠n)
we need to find an invariant
{
i:=i+1;
s:=s+(2i-1); the loop assignments must maintain the invariant
}
on conclusion, the invariant should produce the result s=n2
 Sums odds: maintain the invariant
19

!  Observe: a loop iteration i generates a square number s = i2

!  also notice that s=i2 links the result s and the loop index I
!  So we guess the invariant I is s=i2
!  We know B is i≠n
!  Compute {I ∧ B} i:=i+1; s:=s+(2i-1); {I} the Hoare triple to maintain the loop
((s=i2) ∧ (i≠n)) i:=i+1; s:=s+(2i-1); {s=i2} substitute for I and B
((s=i2) ∧ (i≠n)) i:=i+1; {s+(2i-1)=i2} assign rule
((s=i2) ∧ (i≠n)) {s+(2(i+1)-1)=(i+1)2} assign rule again
((s=i2) ∧ (i≠n)) {s=i2} simplify
((s=i2) ∧ (i≠n)) → s=i2 antecedent strengthening
true
!  So s=i2 is an invariant.
Sums odds: Establish the invariant, produce the result
20

!  Does the initialization code establish the invariant?

{wp} i:=0; s:=0; {s=i2}
{wp} i:=0; {0:=i2}
wp = 0:=02
true
!  On conclusion, I∧¬B→Q, where the postcondition Q is s=n2
(s=i2)∧¬ (i≠n) → (s=n2)
(s=i2)∧ (i=n) → (s=n2)
(s=n2) → (s=n2)
true
We have successfully verified the “sums odds” program
 Correctness: partial or total
21

If we prove the invariant condition is always true

!  code is functionally correct for any number of loop repetitions,
even infinite (what?), but
"  What happens if the loop never terminates? Is that correct?
"  It
depends how you define ‘correctness’.
"  ... it is often called partial correctness for this reason
A loop is totally correct if we prove
!  the loop terminates

Need to show the loop index (variant)

1.  makes progress towards some limit and
2.  reaches the limit
 Validity
22

If a conclusion is true for all assignments to its variables, then the

predicate expression is valid. Examples:
!  ∀x (isPerson(x) → isMortal(x)) for the domain of objects
!  ∀x (x2≥x) for the domain of integers
If there is an assignment that invalidates the expression, this is
called a counter-example
!  ∀x (x2≥x) for the domain of reals
"  a counter-example is x=½
"  this predicate is true for some values of x
A predicate that is not valid (everywhere) is called invalid.
!  they are satisfied for some variables only
 Satisfiability
23

An expression is satisfiable if it is true for at least one assignment to its

variables
"  (∃x P(x) ∧ ∃x Q(x)) → ∃x (P(x) ∧ Q(x))
"  e.g. consider P is (wear a red shirt), Q is (wear green shorts)
"  is satisfiable because someone could be wearing both

"  but it is not valid as it is not always true

!  An expression that is satisfiable everywhere is valid

! An expression that is not satisfiable everywhere is invalid

An expression that is never satisfied (always false) is unsatisfiable
"  ∀x P(x) ∧ ∃x ¬P(x) is unsatisfiable
"  first term says P is always true
"  second term says P is sometimes not true: a contradiction
 Inference rules
24

In Hoare Logic, there are inference rules written as:

premise1 premise2 …
conclusion
!  can also be written prem1, prem2, …⊢ conclusion

!  if the premises are true then the conclusion is true

There are rules for inference on many program constructs:

!  assignments x := a
!  if-then-else if e then S1 else S2 fi
!  iteration while e do S od
!  composition S1; S2
 D0: Assignments
25

Inference rule for assignments

{[E/x]P} x:=E {P}

Calculate precondition by replacing all x’s in P with E

Example:
{[x+1/x} (x<10) x := x+1 {x<10}
{x<9} x := x+1 {x<10}
 D1: Consequence (strengthening & weakening)
26

!  Inference rule for post-condition weakening

{P} Q {R} R→S
{P} Q {S}

!  {y+1<10} y := y+1 {y<10} y<10 → x=1

{y+1<10} y := y+1 {x=1}

!  Inference rule for precondition strengthening

S→P {P} Q {R}
{S} Q {R}
 D1: Consequence continued
27

Inference rule for consequence

M→P {P}Q{R} R→S
{M}Q{S}
Combines precondition strengthening and post-condition weakening in one rule:
!  If M=P we get the post-condition weakening rule
!  If R=S we get the precondition weakening rule
 D2: Composition (also called sequencing)
28

Inference rule for composition

{P} Q1 {R1} {R1} Q2 {R}

{P} Q1; Q2 {R}

P Q1 R1 R1 Q2 R
{x=1} y := x {y=1} {y=1} z:=y {z=1}
{x=1} y:=x; z:=y {z=1}
P Q1 ; Q2 R
 D3: Iteration
29

Inference rule for iteration: while B do S

{I∧B} S {I}_______
{I} while B do S {I∧¬B}
Example: we want to infer:
{x≤0} while (x≤2) do x:=x+1 {x=3}
Let invariant I be x≤3
{x≤3∧x≤2} x := x+1 {x≤3} .
{x≤3} while (x≤2) do x:=x+1 {x≤3∧x>2}
Strengthen the precondition (apply rule D1)
x≤0→x≤2 {x≤2} x := x+1 {x≤3}
{x≤0} while (x≤2) do x:=x+1 {x=3}
 D4: conditional (if-then-else)
30

if-then-else inference rule

{P∧B} Q1 {R} {P∧¬B} Q2 {R}

{P} if B then Q1 else Q2 fi {R}

{z=0 ∧ x<0} y:=z-x {y>0} {z=0 ∧ x≥0} y:=z+x {y>0}

{z=0} if (x<0) y:=z-x else y:=z+x {y>0}
 D4: conditional (if-then)
31

if-then inference rule replaces the else statement by skip

{P∧B} Q {R} {P∧¬B} skip {R}

{P} if B then Q else skip fi {R}

{true∧x<0} x:=-x {x≥0} {true∧x≥0} skip {x≥0}

{true} if (x<0) x:=-x {x≥0}
 Revisit D1: let’s prove it
32

Here is the precondition strengthening inference rule D1 again

S→P {P} Q {R}
{S} Q {R}
It is easy to prove this.
!  Assume S is true. Then P must be true because S→P.

!  If P is true, then run code Q, and R will be true

!  Hence we can write {S} Q {R}

Similarly for post-condition weakening.

 Predicate inference rules and equivalences
33

Disjunction intro. P ⊢ P∨Q

Conjunction elim. P∧Q ⊢ P
Conjunction P, Q ⊢ P∧Q
Modus ponens P, P→Q ⊢ Q
Modus tollens ¬Q, P→Q ⊢ ¬P
Hypothetical syllogism P→Q, Q→R ⊢ P→R
Disjunctive syllogism P∨Q, ¬P ⊢ Q
Resolution P∨Q, ¬P∨R ⊢ Q∨R

The most common equivalences are:

Material implication P→Q ≡ ¬P∨Q
De Morgan’s Law P∧Q ≡ ¬(¬P∨¬Q)
Augustus de Morgan (1806-1871)
 More predicate logic equivalences
34

!  There are many more equivalences:

!  ∀x P(x) ∨ ¬∀x P(x) ≡ true
!  ∀x (P(x) ∧ Q(x)) ≡ ∀x P(x) ∧ ∀x Q(x)
!  ¬∀x P(x) ≡ ∃x ¬P(x)
!  If P→Q ∧ Q→P then P and Q are equivalent

P Q P→Q Q→P P→Q∧Q→P

€ €

T T T T T

Let’s check this T F F T F

F T T F F
F F T T T
“ponens” is latin “tollens” is latin
for “affirms” for “denies”

35

Premise: Innocent people have an alibi

∀x (I(x) →A(x)) ∧ I(c)
Premise: Cas is innocent M.P. ! A(c)
!  Modus ponens: Cas has an alibi ∀x (I(x) →A(x)) ∧ ¬A(c)
!  A logically correct argument …
M.T. # ¬I(c)
"  and natural

Premise: Cas does not have an alibi

!  Modus tollens: Cas is guilty
!  A logical correct argument …
"  but not used as often
 More on maths and modus tollens
36

!  We know x≥1 → x≥0

"  notice
x=0 is in x≥0 but not in x≥1
"  remember: strong implies weak, small set implies large set

!  Apply modus tollens

!  We get ¬(x≥0) → ¬(x≥1)
x<0 → x<1
"  notice x=0 is in x<1 but not in x<0
"  so x<1 is weaker than x<0
what does this say?
 Quantification Rules (summary of earlier slides)
37

Universal Instantiation Existential Instantiation

For any a ∈ D: For an unspecified new (witness)
∀x∈D, P(x) w∈D:
P(a) ∃x∈D, P(x)
P(w)

Universal Generalization Existential Generalization

For any arbitrary x ∈ D: For any a ∈ D:
P(x) P(a)
∀x∈D, P(x)
∃x∈D, P(x)
 Example: Quotient & remainder
38

Problem: find the quotient and remainder of x/y

!  input x≥0 and y>0

!  output: q and r such that x=q*y+r, where y>r

Examples:
!  9÷2 = 4*2 +1
!  11÷1 = 11*1+0
!  19÷5 = 3*5 +4

Notice that the information above gives us a specification

!  precondition P is (x≥0) ∧ (y>0)

!  post-condition Q is (x=q*y+r) ∧ (r≥0) ∧ (r<y) ∧ (y>0)

 Quotient & remainder code
39

Code is:
// {P}
r := x;
q := 0;
while (y<=r)
{
r := r – y;
q := 1 + q;
}
// {Q}

What we actually want is: prove the triple {P} code {Q}, where
!  P is (x≥0) ∧ (y>0)
!  Q is (x=q*y+r) ∧ (y>r) ∧ (r≥0) ∧ (y>0)
!  code is above
We let the invariant I be x=q*y+r ∧ (r≥0) ∧ (y>0)
 Pre-, post-conditions, invariant for quotient
40

{(x=0*y+x) ∧ (x≥0) ∧ (y>0)} the precondition

r:=x;
{(x=0*y+r) ∧ (r≥0) ∧ (y>0)}
q:=0;
{(x=q*y+r) ∧ (r≥0) ∧ (y>0)} the invariant
while(y<=r)
{(x=(1+q)*y+(r-y)) ∧ (r-y≥0) ∧ (y>0) ∧ (y≤r)}
{r:=r–y;
{(x=(1+q)*y+r) ∧ (r≥0) ∧ (y>0) ∧ (y≤r)}
same
q:=1+q;
{(x=q*y+r) ∧ (r≥0) ∧ (y>0) ∧ (y≤r)}
}
{(x=q*y+r) ∧ (r≥0) ∧ (y>0) ∧ (y>r)} postcondition
 Total correctness: show the loop terminates
41

In the previous slide we showed that the invariant:

"  was established by the 2 initialization statements from the precondition
"  was maintained by the loop condition y≤r and the 2 statements inside the loop
"  finished with the required postcondition
So we have verified the program is partially correct.
To show the program is totally correct, we need to
!  show that the loop index is bounded from below by 0 for as long as
the loop has not terminated.
I ∧ (y≤r) → r≥0
(x=q*y+r) ∧ (r≥0) ∧ (y>0) ∧ (y≤r) → r≥0
This is trivially satisfied.
 Repeat the verification
42

We’ll repeat the verification here, but show the inference rules this time
1.  true → x=x+y*0 Lemma 1, see later
2.  {x=x+y*0} r := x {x=r+y*0} D0
3.  {x=r+y*0} q := 0 {x=r+y*q} D0
4.  {true} r := x {x=r+y*0} D1, 1,2
5.  {true} r := x; q :=0 {x=r+y*q} D2, 4,3
6.  (x=r+y*q) ∧ (y≤r) → (x=(r-y) + y*(1+q)) Lemma 2, see later
7.  {x=(r-y)+y*(1+q)} r := r-y {x=r+y*(1+q)} D0
8.  {x=r+y*(1+q)} q := 1+q {x=r+y*q} D0
9.  {x=(r-y)+y*(1+q)} r := r-y; q := 1+q {x=r+y*q} D2, 7,8
 Repeat the verification continued
43

10.  {x=r+y*q ∧ y≤r} r := r-y; q := 1+q {x=r+y*q} D1, 6, 9

11.  {x=r+y*q} while y≤r do r:=r-y; q:=1+q {y>r ∧ x=r+y*q} D3, 10
12.  {true} r := x; q :=0; while y≤r do r:=r-y; q:=1+q {y>r∧x=r+y*q} D2, 5, 11

We have verified that the remainder/quotient program satisfies the spec.

 Lemma 1 (we needed this in the verification)
44

To prove x = x+y*0
we use the axioms from arithmetic:
!  A0: x = x
!  A1: x*0 = 0
!  A2: x+0 = x
Proof
1.  x=x by A0
2.  y*0 = 0 by A1
3.  x = x+y*0 by 1, 2 and A2
 Lemma 2 (we needed this in the verification)
45

Informally we prove that:

(x=r+y*q) ∧ (y≤r) → (x=(1+q)*y+(r-y))
1.  From the consequent: y+y*q+r-y = y*q+r simple arithmetic
2.  So y*q+r = y*(1+q)+(r-y) reverse 1.
3.  So (x=r+y*q) → (x=(r-y)+y*(1+q)) if P=Q then P⇒Q
4.  Now add y≤r to the antecedent antecedent strengthening of 3.
5.  QED

This is trivial, but formal is formal

 Quotient in Dafny showing the specification
46

method quotient(x : int, y : int) returns (q : int, r : int)

requires x >= 0 && y > 0; // this is the precondition
ensures q * y + r == x && r >= 0 && r < y; // postcondition
{
q := 0;
r := x;
while (r >= y)
invariant q * y + r == x && r >= 0 && y > 0;
{
r := r - y;
q := q + 1;
}
}
This program compiles and verifies okay in Dafny
 Another example: Σ0..n
47

The following program computes 0+1+2+…+n = Σ0..n

{n≥0} {P} precondition

k := 1; S1
s := 0;

Σ
{0≤k≤n+1 ∧ s= 0..k-1} {I} the invariant

while (k<=n) { B
s := s+k; S2
k := k+1;
}

Σ
{s= 0..n} {Q} the post-condition: it’s what we want
 Verifying the program
48

If the answers to all the questions:

!  Starting: Is {P} S1 {I} true?
!  Maintaining: Is {I∧B} S2 {I} true?

!  Finishing: Does I∧¬B → Q ?

is yes, then the code is functionally correct (with respect to the spec)
If we can prove termination: i.e. prove that B must eventually be
false, then the program is totally correct
 Does the program start properly?
49

Is {P} k:=1; s:=0 {I} true?

{n≥0} k:=1; s:=0 {0≤k≤n+1 ∧ s=Σ0..k-1}
Execute the assignment statements on {I}
{0≤1≤n+1 ∧ 0=Σ0..1-1}
{0≤n ∧ 0=0}
Hence true.

I’ve been lazy here: I should have computed the state after EACH
assignment statement using rule D0, and then used rule D2 to
combine them
 Does the program maintain the invariant?
50

!  Is {I∧B} S2 {I} true?

{0≤k≤n+1 ∧ s=Σ0..k-1 ∧ k≤n} s:=s+k; k:=k+1 {0≤k≤n+1∧ s=Σ0..k-1}

!  Simplifying the precondition: {0≤k≤n ∧ s=Σ0..k-1}

!  Starting with the postcondition, we work right to left:

!  Substituting k:=k+1 we get {0≤k+1≤n+1∧ s=Σ0..k+1-1}

"  this simplifies to {-1≤k≤n ∧ s=Σ0..k}

!  Now substituting s:=s+k we get {-1≤k≤n ∧ s+k=Σ0..k}

"  this simplifies to {-1≤k≤n ∧ s=Σ0..k-1}

"  which we can strengthen to the above precondition
!  So, the triple is true, and the invariant is maintained
Again, I’ve been lazy: I should have said when I used rule D0 and D2
 Does the program finish properly?
51

Does I∧¬B → Q?
(0≤k≤n+1 ∧ s=Σ0..k-1) ∧ ¬k≤n → s=Σ0..n
Σ
Antecedent (ie. the LHS) says k=n+1. Substituting into s= 0..k-1 generates

s = Σ0..n+1-1 → s = Σ0..n
Hence true.

Start, maintenance and finish are true, hence program is verified.

 1. Q&A on inferences
52

Here is D1 (precondition strengthening) again

S→P {P} Q {R}
{S} Q {R}
P R
!  Q: Is inference {0<x ∧ x<10} x := x*x {x<100} correct?
{x=9} x := x*x {x<100}
S R
S P
!  A: Yes, because (x=9) → ((0<x) ∧ (x<10)) and use D1
!  In other words, x=9 strengthens 0<x<10 so can be used as a precondition
 2. Q&A
53

Here is D1 (precondition strengthening) again

S→P {P} Q {R}
{S} Q {R}

!  Q: Is the inference {x*x<100} x := x*x {x<100} correct?

{0<x ∧ x<10 } x := x*x {x<100}

!  A: Yes, because 0<x ∧ x<10 → x*x<100 and applying D1

 3. Q&A
54

!  Q: Is inference {x=6} x := x*x {x<100} correct?

{0<x ∧ x<10 } x := x*x {x<100}

!  A: No, because 0<x ∧ x<10 →

✖ x=6, obviously
 4. Q&A
55

Here is D1 (postcondition weakening) again

{P} Q {R} R→S
{P} Q {S}

!  Q: Is the inference {x+y=5} x:=x+y {x=5} correct?

{x+y=5} x:=x+y {x<10}

!  A: Yes, because x=5 → x<10 and applying D1

 5. Q&A inference proofs (follows Ucolorado slides)
56

Everything is physical. Everything has a soul. Therefore some

physical things have souls.
Q: Express this as a predicate formula and prove its correctness.
∀xP(x), ∀xS(x) ⊢ ∃x(P(x) ∧ S(x)) where P and S mean …

1 ∀xP(x) Premise

2 ∀xS(x) Premise
3 P(a) UI (1)
4 S(a) UI (2)
5 P(a) ∧ S(a) Conjunction (3,4)
6 ∃x(P(x) ∧ S(x)) EG (5)
 6. Q&A inference proofs (using contradiction)
57

Albert is an Australian and a lecturer. Albert doesn’t play rugby.

Therefore not all Australians play rugby.
Q: Express this as a predicate formula and prove its correctness.
A(a)∧L(a), ¬R(a) ⊢ ¬∀x(A(x)→R(x)) where A, L and R mean …
1 A(a)∧L(a) Premise, Albert is Aust, Albert is lecturer
2 ¬R(a) Premise, Albert doesn’t play rugby
3 ∀x(A(x) →R(x)) Assume conclusion incorrect
4 A(a) →R(a) UI(3) with constant a
5 A(a) Conjunction Elim. (1)
6 R(a) Modus Ponens (4,5)
7 ¬R(a)∧R(a) Conjunction (2,6)
8 ¬∀x(A(x)→R(x)) Contradiction (7), assump(3) incorrect