Mathematical Logic for Computer Science
(Third Revised Edition)
Springer, 2012
Mordechai (Moti) Ben-Ari
http://www.weizmann.ac.il/sci-tea/benari/
c 2012 by Springer.
1 / 136
Example 1.2: A half-adder
Bit1
Bit2
A
A
$
A
%
A A A
Ae
A
A $
A
%
Carry
$
%
Sum
2 / 136
Figure 2.1: Two formulas
↔
"
" ZZ
"
Z
"
Z
→
→
J
\
J
\
J
\
p
q
¬
¬
p
q
→
!
! J
!
!
J
!!
J
↔
p
"J
" J
"
"
J
¬
q
→
J
J
J
p
¬
q
3 / 136
Notation
Operator Alternates Java language
¬
∧
∨
→
↔
⊕
↑
∼
&
⊃, ⇒
≡, ⇔
6≡
|
!
&, &&
|, ||
^
4 / 136
Figure 2.2: Derivation tree for p → q ↔ ¬ p → ¬ q
fml
P
" PP
"
PP
PP
"
"
P
fml
Q
Q
Q
Q
fml
p
→
fml
q
↔
fml
!aa
!
!
aa
!
aa
!!
→
fml
J
J
J
¬
fml
p
fml
J
J
J
¬
fml
q
5 / 136
Figure 2.3: Truth values of formulas
A
¬ A1
¬ A1
A1 ∨ A2
A1 ∨ A2
A1 ∧ A2
A1 ∧ A2
A1 → A2
A1 → A2
v(A1 ) v(A2 ) v(A)
T
F
F
F
otherwise
T
T
otherwise
T
F
otherwise
F
T
F
T
T
F
F
T
A
A1 ↑ A2
A1 ↑ A2
A1 ↓ A2
A1 ↓ A2
A1 ↔ A2
A1 ↔ A2
A1 ⊕ A2
A1 ⊕ A2
v(A1 )
v(A2 )
T
T
otherwise
F
F
otherwise
v(A1 ) = v(A2 )
v(A1 ) 6= v(A2 )
v(A1 ) 6= v(A2 )
v(A1 ) = v(A2 )
v(A)
F
T
T
F
T
F
T
F
6 / 136
Example 2.21
p
q
p→q
T
T
F
F
T
F
T
F
T
F
T
T
7 / 136
Example 2.22
p
q
T
T
F
F
T
F
T
F
p → q ¬ p ¬ q ¬ q → ¬ p (p → q) ↔ (¬ q → ¬ p)
T
F
T
T
F
F
T
T
F
T
F
T
T
F
T
T
T
T
T
T
8 / 136
Example 2.23
(p → q) ↔ (¬
T
F
T
F
T
T
F
T
T
F
T
T F F
T
T F F T T
q → ¬
F
F
F
F
F F F
F F F
F F F
p)
T
T
T
T
T
T
p
q
(p
→
q)
↔
(¬ q
→
¬ p)
T
T
F
F
T
F
T
F
T
T
F
F
T
F
T
T
T
F
T
F
T
T
T
T
F
T
F
T
T
F
T
T
F
F
T
T
T
F
T
F
T
T
F
F
9 / 136
Example 2.27
p
q
T
T
F
F
T
F
T
F
v(p ∨ q) v(q ∨ p)
T
T
T
F
T
T
T
F
10 / 136
Figure 2.4: Subformulas
↔
"
" ZZ
"
Z
"
Z
→
J
J
J
p
→
J
J
J
p
q
q
→
\
\
\
¬
¬
p
q
→
\
\
\
¬
¬
p
q
¬
¬
p
p
p
q
11 / 136
Logically equivalent formulas (1)
A ∨ true
A ∨ false
A → true
A → false
A ↔ true
A ↔ false
A
A
A ∨ ¬A
A→A
A↔A
¬A
≡
≡
≡
≡
≡
≡
≡
≡
≡
≡
≡
≡
true
A
true
¬A
A
¬A
¬¬A
A∧A
true
true
true
A↑A
A ∧ true
A ∧ false
true → A
false → A
A ⊕ true
A ⊕ false
≡
≡
≡
≡
≡
≡
A
false
A
true
¬A
A
A
≡ A∨A
A ∧ ¬ A ≡ false
A⊕A
¬A
≡ false
≡ A↓A
12 / 136
Logically equivalent formulas (2)
A∨B ≡ B∨A
A↔B ≡ B↔A
A↑B ≡ B↑A
A ∨ (B ∨C) ≡ (A ∨ B) ∨C
A ↔ (B ↔C) ≡ (A ↔ B) ↔C
A∧B ≡ B∧A
A⊕B ≡ B⊕A
A↓B ≡ B↓A
A ∧ (B ∧C) ≡ (A ∧ B) ∧C
A ⊕ (B ⊕C) ≡ (A ⊕ B) ⊕C
A ∨ (B ∧C) ≡ (A ∨ B) ∧ (A ∨C)
A ∧ (B ∨C) ≡ (A ∧ B) ∨ (A ∧C)
13 / 136
Logically equivalent formulas (3)
A↔B
A⊕B
A→B
A→B
A∨B
A∧B
A∨B
A∧B
≡
≡
≡
≡
≡
≡
≡
≡
(A → B) ∧ (B → A)
¬ (A → B) ∨ ¬ (B → A)
¬A∨B
¬ (A ∧ ¬ B)
¬ (¬ A ∧ ¬ B)
¬ (¬ A ∨ ¬ B)
¬A→B
¬ (A → ¬ B)
14 / 136
One-place operators
x
◦1 ◦2 ◦3 ◦4
T
F
T
T
T
F
F
T
F
F
15 / 136
Two-place operators
x1 x2
◦1
◦2
◦3
◦4
◦5
◦6
◦7
◦8
T
T
F
F
T
F
T
F
T
T
T
T
T
T
T
F
T
T
F
T
T
T
F
F
T
F
T
T
T
F
T
F
T
F
F
T
T
F
F
F
x1 x2
◦9
◦10 ◦11 ◦12 ◦13 ◦14 ◦15 ◦16
T
T
F
F
F
T
T
T
F
T
T
F
T
F
T
F
F
T
F
T
F
T
F
F
F
F
T
T
F
F
T
F
F
F
F
T
F
F
F
F
16 / 136
Operator names
op name
◦2
◦8
◦5
◦3
◦7
disjunction
conjunction
implication
reverse implication
equivalence
symbol
∨
∧
→
←
↔
op
name
symbol
◦15 nor
◦9 nand
◦12
◦14
◦10 exclusive or
↓
↑
⊕
17 / 136
Valid, satisfiable, falsifiable and unsatisfiable formulas
'
$
True in some interpretations;
false in others.
'
True in
all interpretations.
&
6
&
Valid
6
6
Satisfiable
False in
$ all interpretations.
%
6
6
Falsifiable
6
%
Unsatisfiable
18 / 136
Example 2.41
p
q
T
T
F
F
T
F
T
F
p ∨ q ¬ p ¬ q (p ∨ q) ∧ ¬ p ∧ ¬ q
T
T
T
F
F
F
T
T
F
T
F
T
F
F
F
F
19 / 136
Semantic tableau for p ∧ (¬ q ∨ ¬ p)
p ∧ (¬ q ∨ ¬ p)
↓
p, ¬ q ∨ ¬ p
ւ
ց
p, ¬ q
p, ¬ p
⊙
×
20 / 136
Semantic tableaux (p ∨ q) ∧ (¬ p ∧ ¬ q)
(p ∨ q) ∧ (¬ p ∧ ¬ q)
↓
p ∨ q, ¬ p ∧ ¬ q
↓
p ∨ q, ¬ p, ¬ q
ւ
ց
p, ¬ p, ¬ q
q, ¬ p, ¬ q
×
×
(p ∨ q) ∧ (¬ p ∧ ¬ q)
↓
p ∨ q, ¬ p ∧ ¬ q
ւ
ց
p, ¬ p ∧ ¬ q
q, ¬ p ∧ ¬ q
↓
↓
p, ¬ p, ¬ q
q, ¬ p, ¬ q
×
×
21 / 136
α -formulas
α
α1
α2
¬ ¬ A1
A1
A1 ∧ A2
A1
A2
¬ (A1 ∨ A2 )
¬ A1
¬ A2
¬ (A1 → A2 )
¬ A2
A1
¬ (A1 ↑ A2 )
A1
A2
¬ A1
¬ A2
A1 ↓ A2
A1 ↔ A2
A1 →A2 A2 →A1
¬ (A1 ⊕ A2 ) A1 →A2 A2 →A1
22 / 136
β -formulas
β
β1
β2
¬ (B1 ∧ B2 )
¬ B1
¬ B2
B1 ∨ B2
B1
B2
¬ B1
B1 → B2
B2
¬ B1
¬ B2
B1 ↑ B2
¬ (B1 ↓ B2 )
B1
B2
¬ (B1 ↔ B2 ) ¬ (B1 →B2 ) ¬ (B2 →B1 )
¬ (B1 →B2 ) ¬ (B2 →B1 )
B1 ⊕ B2
23 / 136
Section 2.7.1: Inductive step in proof of soundness
n : {A1 ∧ A2 } ∪U0
n : {B1 ∨ B2 } ∪U0
@
@
n′ : {A1 , A2 } ∪U0
n′ : {B1 } ∪U0
@
@
@
n′′ : {B2 } ∪U0
24 / 136
Example 2.73: Semantic tableau for p ∧ (¬ q ∨ ¬ p)
p ∧ (¬ q ∨ ¬ p)
↓
p, (¬ q ∨ ¬ p)
ւ
ց
p, ¬ q
p, ¬ p
⊙
×
25 / 136
Example 2.74: Semantic tableau for p ∨ (q ∧ ¬ q)
p ∨ (q ∧ ¬ q)
ւ
ց
p
q ∧ ¬q
⊙
↓
q, ¬ q
×
26 / 136
Figure 3.1: Classification of α -formulas
α
α1
α2
¬¬A
A
¬ (A1 ∧ A2 )
¬ A1
¬ A2
A1 ∨ A2
A1
A2
¬ A1
A1 → A2
A2
¬ A1
¬ A2
A1 ↑ A2
¬ (A1 ↓ A2 )
A1
A2
¬ (A1 ↔ A2 ) ¬ (A1 →A2 ) ¬ (A2 →A1 )
¬ (A1 →A2 ) ¬ (A2 →A1 )
A1 ⊕ A2
27 / 136
Figure 3.1: Classification of β -formulas
β
β1
β2
B1 ∧ B2
B1
B2
¬ (B1 ∨ B2 )
¬ B1
¬ B2
¬ (B1 → B2 )
¬ B2
B1
¬ (B1 ↑ B2 )
B1
B2
¬ B1
¬ B2
B1 ↓ B2
B1 ↔ B2
B1 →B2 B2 →B1
¬ (B1 ⊕ B2 ) B1 →B2 B2 →B1
28 / 136
Section 3.2.1: G and semantic tableaux
¬ p, q, p
¬ q, q, p
ց
ւ
¬ (p ∨ q), q, p
↓
¬ (p ∨ q), (q ∨ p)
↓
(p ∨ q) → (q ∨ p)
¬[(p ∨ q) → (q ∨ p)]
↓
p ∨ q, ¬ (q ∨ p)
↓
p ∨ q, ¬ q, ¬ p
ւ
ց
p, ¬ q, ¬ p
q, ¬ q, ¬ p
×
×
29 / 136
Hilbert system H
Axiom 1 ⊢ (A → (B → A)),
Axiom 2 ⊢ (A → (B →C)) → ((A → B) → (A →C)),
Axiom 3 ⊢ (¬ B → ¬ A) → (A → B).
Modus ponens
⊢A
⊢ A→B
⊢B
.
30 / 136
Derived rules of inference
Deduction
U∪{A}⊢B
U⊢A→B
Contrapositive
U⊢¬ B→¬ A
U⊢A→B
Transitivity
U⊢A→B
U⊢B→C
U⊢A→C
Exchange of antecedent
U⊢A→(B→C)
U⊢B→(A→C)
Double negation
U⊢¬ ¬ A
U⊢A
Reductio ad absurdum
U⊢¬ A→false
U⊢A
31 / 136
Theorem 3.37: Soundness of axioms 1 and 3
¬[A → (B → A)]
↓
A, ¬ (B → A)
↓
A, B, ¬ A
×
¬[(¬ B → ¬ A) → (A → B)]
↓
¬ B → ¬ A, ¬ (A → B)
↓
¬ B → ¬ A, A, ¬ B
ւ
ց
¬ ¬ B, A, ¬ B
¬ A, A, ¬ B
↓
×
B, A, ¬ B
×
32 / 136
Figure 3.32: Rules of inference for sequents
op
Introduction into consequent
Introduction into antecedent
∧
U ⇒ V ∪ {A}
U ⇒ V ∪ {B}
U ⇒ V ∪ {A ∧ B}
U ∪ {A, B} ⇒ V
U ∪ {A ∧ B} ⇒ V
∨
U ⇒ V ∪ {A, B}
U ⇒ V ∪ {A ∨ B}
U ∪ {A} ⇒ V
U ∪ {B} ⇒ V
U ∪ {A ∨ B} ⇒ V
→
U ∪ {A} ⇒ V ∪ {B}
U ⇒ V ∪ {A → B}
U ⇒ V ∪ {A}
U ∪ {B} ⇒ V
U ∪ {A → B} ⇒ V
¬
U ∪ {A} ⇒ V
U ⇒ V ∪ {¬ A}
U ⇒ V ∪ {A}
U ∪ {¬ A} ⇒ V
33 / 136
Figure 3.3: A natural deduction proof
1. A → ¬ A
2.
3.
4.
5.
6.
7.
¬¬A
A
¬A
A → (¬ A → false)
¬ A → false
false
8. ¬ ¬ A → false
9. ¬ A
10. (A → ¬ A) → ¬ A
Assumption
Assumption
Double neg. 2
MP 1, 3
Theorem 3.21
MP 3, 5
MP 4, 6
Deduction 2, 7
Reductio ad absurdum 8
Deduction 1, 9
34 / 136
Figure 4.1: Resolution refutation as a tree
2
HH
HH
HH
p
p̄
@
@
@
@
p̄q̄
A
A
A
A
p̄q̄r
p̄q
r̄
35 / 136
Figure 4.2: Incomplete resolution tree
p
HH
HH
HH
pq
pqr̄
@
@
@
@
r
pq̄
pq̄r
@
@
@
@
r̄
36 / 136
Figure 4.3: Semantic tree
r
3i
qXX
XXX p̄
p
XXX
X
X i
q
H
q 1 HHH q̄
q
HH q̄
HHq
H
H i
q
q
2
@
@
@
@ r̄
r
r
r
r̄
r̄
@r̄
@
@
@
@i
@
@
@q
q
q
@q
q
@q
4
37 / 136
Figure 4.4: Inference and failure node
n
l
n1
@
c
@ l
@
@
n2
38 / 136
Section 4.5: Graph for Tseitin clauses
p
0
q
0
r
1
s
t
0
39 / 136
Section 5.1: Efficient truth table for p ∨ (q ∧ r)
p
p
q
r
p ∨ (q ∧ r)
T
T
T
T
F
F
F
F
T
T
F
F
T
T
F
F
T
F
T
F
T
F
T
F
T
T
T
T
T
F
F
F
q
r
p ∨ (q ∧ r)
T T ∗
T F ∗
T
T
p q r
p ∨ (q ∧ r)
T ∗ ∗
T
p
q
r
T ∗ ∗
F T T
F T F
F F ∗
p ∨ (q ∧ r)
T
T
F
F
40 / 136
Section 5.1: Efficient truth table for p ⊕ q ⊕ r
p
q
r
p⊕q⊕r
T
T
T
T
F
F
F
F
T
T
F
F
T
T
F
F
T
F
T
F
T
F
T
F
T
F
F
T
F
T
T
F
p
q
r
p⊕q⊕r
T
T
T
T
F
F
T
T
F
F
T
F
T
F
T
F
∗
∗
T
F
F
T
(See rows 3 and 4.)
(See rows 1 and 2.)
41 / 136
Figure 5.1: BDD for p ∨ (q ∧ r)
pk
qk
@
@
@
rk
AA
A
F
H
HH
HH
H
HH
rk
F
F
@
@
@
rk
AA
A
qk
AA
A
T
T
rk
AA
A
T
T
T
42 / 136
Example 5.6: First reduction of BDD for p ∨ (q ∧ r)
pk
rk
qk
@
@
@
Q
Q
Q
Q
F
H
HH
HH
H
HH
rk
rk
qk
@
@
@
rk
```
Q
```
Q
```
``` Q
` Q
T
43 / 136
Example 5.6: Second reduction of BDD for p ∨ (q ∧ r)
pk
qk
@
@
@
rk
qk
Q
Q
Q
Q
F
T
44 / 136
Example 5.6: Third reduction of BDD for p ∨ (q ∧ r)
pk
qk
@
@
@
rk
Q
Q
Q
Q
F
T
45 / 136
Example 5.7: BDD for p ⊕ q ⊕ r after first reduction
rk
qk
@
@
@
pk
HH
HH
H
rk
rk
qk
@
@
@
PP
PP P
PP P
P
PP
PP
PP
F
rk
T
46 / 136
Example 5.6: BDD for p ⊕ q ⊕ r after second reduction
qk
pk
@
@
@
qk
"
b
"
b
b"
"b
"
b
"
b
k
r
rk
b
"
b
"
b"
"b
"
b
"
b
F
T
47 / 136
BDD for (p ⊕ q) ⊕ (p ⊕ r) from BDDs for p ⊕ q and p ⊕ r
pk
@
@
@
F
T
BDD for p ⊕ q
qk
pk
@
@
@
aa
!!
aa
!
!!aa
!
a
!
F
BDD for p ⊕ r
⊕
qk
rk
T
F
pk
@
@
@
aa
!!
aa
!
!!aa
!
a
!
rk
T
48 / 136
BDD for (p ⊕ q) ⊕ (p ⊕ r) from BDDs for p ⊕ q and p ⊕ r
BDD for p ⊕ q
qk
@
@
@
pk
@
@
@
BDD for p ⊕ r
⊕
qk
@
@
@
BDD for F ⊕ q BDD for T ⊕ q
rk
@
@
@
pk
@
@
@
rk
@
@
@
BDD for F ⊕ r BDD for T ⊕ r
49 / 136
BDD for (p ⊕ q) ⊕ (p ⊕ r) from BDDs for p ⊕ q and p ⊕ r
BDD for ¬ q
BDD for ¬ r
qk
rk
⊕
F
T
BDD for ¬ T
F
BDD for ¬ F
BDD for ¬ T
BDD for ¬ F
BDD for ¬ r
BDD for ¬ F
T
T
ri
⊕
F
BDD for ¬ T
T
BDD for ¬ F
50 / 136
BDD for (p ⊕ q) ⊕ (p ⊕ r) from BDDs for p ⊕ q and p ⊕ r
BDD for ¬ F
⊕
T
BDD for ¬ F
BDD for ¬ F
T
≡
F
≡
T
ri
F
F
BDD for ¬ F ⊕ ¬ r
BDD for ¬ r
⊕
T
BDD for ¬ F ⊕ ¬ F
BDD for ¬ F
⊕
T
BDD for ¬ F ⊕ ¬ T
BDD for ¬ T
ri
≡
T
T
F
51 / 136
BDD for (p ⊕ q) ⊕ (p ⊕ r) from BDDs for p ⊕ q and p ⊕ r
HH
HH
HH
qi
@
@ i
r
A
A
ri
A
A
F
pi
T
T
F
ri
F
qi
T
T
ri
F
BDD for q ⊕ r
qi
@
@ i
ri
r
aa !!
a
aa
!!
!
a
!
F
T
52 / 136
Example 5.21: Restriction
pi
qi
T
(a)
qi
\
\
\
\
\
\
@
@ i
r
AA
A
F
pi
F
T
(b)
pi
qi
F
T
(c)
pi
F
T
(b)
53 / 136
Section 6.4: 4-queens problem
Q
1
Q
2
3
Q
Q
4
1
2
3
4
54 / 136
Section 6.4.1: Encoding the 4-queens problem (1)
11 ∨ 12 ∨ 13 ∨ 14,
21 ∨ 22 ∨ 23 ∨ 24,
31 ∨ 32 ∨ 33 ∨ 34,
41 ∨ 42 ∨ 43 ∨ 44.
11 ∨ 12,
21 ∨ 22,
31 ∨ 32,
41 ∨ 42,
11 ∨ 13,
21 ∨ 23,
31 ∨ 33,
41 ∨ 43,
11 ∨ 14,
21 ∨ 24,
31 ∨ 34,
41 ∨ 44,
12 ∨ 13,
22 ∨ 23,
32 ∨ 33,
42 ∨ 43,
12 ∨ 14,
22 ∨ 24,
32 ∨ 34,
42 ∨ 44,
13 ∨ 14,
23 ∨ 24,
33 ∨ 34,
43 ∨ 44,
55 / 136
Section 6.4.1: Encoding the 4-queens problem (2)
11 ∨ 21,
12 ∨ 22,
13 ∨ 23,
14 ∨ 24,
11 ∨ 31,
12 ∨ 32,
13 ∨ 33,
14 ∨ 34,
11 ∨ 41,
12 ∨ 42,
13 ∨ 43,
14 ∨ 44,
21 ∨ 31,
22 ∨ 32,
23 ∨ 33,
24 ∨ 34,
21 ∨ 41,
22 ∨ 42,
23 ∨ 43,
24 ∨ 44,
11 ∨ 22,
13 ∨ 22,
21 ∨ 32,
23 ∨ 32,
31 ∨ 42,
33 ∨ 42,
11 ∨ 33, 11 ∨ 44,
13 ∨ 31, 13 ∨ 24,
21 ∨ 43,
23 ∨ 41, 23 ∨ 34,
12 ∨ 21,
14 ∨ 23,
22 ∨ 31,
24 ∨ 33,
32 ∨ 41,
34 ∨ 43.
12 ∨ 23, 12 ∨ 34,
14 ∨ 32, 14 ∨ 41,
22 ∨ 33, 22 ∨ 44,
22 ∨ 42,
32 ∨ 43,
33 ∨ 44,
31 ∨ 41,
32 ∨ 42,
33 ∨ 43,
34 ∨ 44.
56 / 136
Figure 7.1: Tree for ∀x(¬ ∃yp(x, y) ∨ ¬ ∃yp(y, x))
∀x
∨
QQ
Q
Q
¬
¬
∃y
∃y
p(x, y)
p(y, x)
57 / 136
Figure 7.2: Global and local variables
class MyClass {
int x;
void p() {
int x;
x = 1;
// Print the value of x
}
void q() {
// Print the value of x
}
... void main(...) {
x = 5;
p;
q;
}
58 / 136
Logically equivalent formulas (1)
∀xA(x) ↔ ¬ ∃x ¬ A(x)
∃xA(x) ↔ ¬ ∀x ¬ A(x)
∀x∀yA(x, y) ↔ ∀y∀xA(x, y)
∃x∀yA(x, y) → ∀y∃xA(x, y)
∃x∃yA(x, y) ↔ ∃y∃xA(x, y)
(∃xA(x) ∨ B) ↔ ∃x(A(x) ∨ B) (∀xA(x) ∨ B) ↔ ∀x(A(x) ∨ B)
(B ∨ ∃xA(x)) ↔ ∃x(B ∨ A(x)) (B ∨ ∀xA(x)) ↔ ∀x(B ∨ A(x))
(∃xA(x) ∧ B) ↔ ∃x(A(x) ∧ B) (∀xA(x) ∧ B) ↔ ∀x(A(x) ∧ B)
(B ∧ ∃xA(x)) ↔ ∃x(B ∧ A(x)) (B ∧ ∀xA(x)) ↔ ∀x(B ∧ A(x))
59 / 136
Logically equivalent formulas (2)
∀x(A → B(x)) ↔ (A → ∀xB(x))
∀x(A(x) → B) ↔ (∃xA(x) → B)
(∃x(A(x) ∨ B(x)) ↔ (∃xA(x) ∨ ∃xB(x))
∀x(A(x) ∧ B(x)) ↔ (∀xA(x) ∧ ∀xB(x))
∀xA(x) ∨ ∀xB(x)) → ∀x(A(x) ∨ B(x))
∃x(A(x) ∧ B(x)) → (∃xA(x) ∧ ∃xB(x))
∀x(A(x) ↔ B(x)) → (∀xA(x) ↔ ∀xB(x))
∀x(A(x) ↔ B(x)) → (∃xA(x) ↔ ∃xB(x))
∃x(A(x) → B(x)) ↔ (∀xA(x) → ∃xB(x))
(∃xA(x) → ∀xB(x)) → ∀x(A(x) → B(x))
60 / 136
Logically equivalent formulas (3)
∀x(A(x) ∨ B(x)) → (∀xA(x) ∨ ∃xB(x))
∀x(A(x) → B(x)) → (∀xA(x) → ∀xB(x))
∀x(A(x) → B(x)) → (∃xA(x) → ∃xB(x))
∀x(A(x) → B(x)) → (∀xA(x) → ∃xB(x))
61 / 136
Figure 7.3: Semantic tableau for a satisfiable formula
¬ (∀x(p(x) ∨ q(x)) → (∀xp(x) ∨ ∀xq(x)))
↓
∀x(p(x) ∨ q(x)), ¬ (∀xp(x) ∨ ∀xq(x))
↓
∀x(p(x) ∨ q(x)), ¬ ∀xp(x), ¬ ∀xq(x)
↓
∀x(p(x) ∨ q(x)), ¬ ∀xp(x), ¬ q(a)
↓
∀x(p(x) ∨ q(x)), ¬ p(a), ¬ q(a)
↓
p(a) ∨ q(a), ¬ p(a), ¬ q(a)
ւ
ց
p(a), ¬ p(a), ¬ q(a)
q(a), ¬ p(a), ¬ q(a)
×
×
62 / 136
Figure 7.4: A tableau that should close, but doesn’t
∀x∃yp(x, y) ∧ ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), ∃yp(a1 , y), ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), p(a1 , a2 ), ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), p(a1 , a2 ), ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), ∃yp(a2 , y), p(a1 , a2 ), ∀x(q(x) ∧ ¬ q(x))
↓
∀x∃yp(x, y), p(a2 , a3 ), p(a1 , a2 ), ∀x(q(x) ∧ ¬ q(x))
63 / 136
Rules for γ - and δ -formulas
γ
γ (a)
∀xA(x)
A(a)
¬ ∃xA(x) ¬ A(a)
δ
δ (a)
∃xA(x)
A(a)
¬ ∀xA(x) ¬ A(a)
64 / 136
Figure 8.1: Semantic tableau in first-order logic
¬ ((∀xp(x) ∨ ∀xq(x)) → ∀x(p(x) ∨ q(x)))
↓
∀xp(x) ∨ ∀xq(x), ¬ ∀x(p(x) ∨ q(x))
ւ
ց
∀xq(x), ¬ ∀x(p(x) ∨ q(x))
∀xp(x), ¬ ∀x(p(x) ∨ q(x))
↓
↓
∀xp(x), ¬ (p(a) ∨ q(a))
∀xq(x), ¬ (p(a) ∨ q(a))
↓
↓
∀xp(x), ¬ p(a), ¬ q(a)
∀xq(x), ¬ p(a), ¬ q(a)
↓
↓
∀xp(x), p(a), ¬ p(a), ¬ q(a)
∀xq(x), q(a), ¬ p(a), ¬ q(a)
×
×
65 / 136
Figure 8.2: Gentzen proof tree in first-order logic
¬ ∀xp(x), ¬ p(a), p(a), q(a)
¬ ∀xq(x), ¬ q(a), p(a), q(a)
↓
↓
¬ ∀xp(x), p(a), q(a)
¬ ∀xq(x), p(a), q(a)
↓
↓
¬ ∀xp(x), p(a) ∨ q(a)
¬ ∀xq(x), p(a) ∨ q(a)
↓
↓
¬ ∀xp(x), ∀x(p(x) ∨ q(x))
¬ ∀xq(x), ∀x(p(x) ∨ q(x))
ց
ւ
¬ (∀xp(x) ∨ ∀xq(x)), ∀x(p(x) ∨ q(x))
↓
(∀xp(x) ∨ ∀xq(x)) → ∀x(p(x) ∨ q(x))
66 / 136
Rules for γ - and δ -formulas
U ∪ {γ , γ (a)}
U ∪ {γ }
U ∪ {δ (a)}
,
U ∪ {δ }
The rule for δ -formulas can be applied only if the constant a does not
occur in any formula of U.
γ
γ (a)
∃xA(x)
A(a)
¬ ∀xA(x) ¬ A(a)
δ
δ (a)
∀xA(x)
A(a)
¬ ∃xA(x) ¬ A(a)
67 / 136
Figure 8.3: δ -formulas follow γ -formulas
¬ ∀yp(a, y), ¬ p(a, b), ¬ p(a, a), ∃xp(x, b), p(a, b)
↓
¬ ∀yp(a, y), ¬ p(a, a), ∃xp(x, b), p(a, b)
↓
¬ ∀yp(a, y), ∃xp(x, b), p(a, b)
↓
¬ ∀yp(a, y), ∃xp(x, b)
↓
¬ ∀yp(a, y), ∀y∃xp(x, y)
↓
¬ ∃x∀yp(x, y), ∀y∃xp(x, y)
↓
∃x∀yp(x, y) → ∀y∃xp(x, y)
68 / 136
Hilbert system H
Axiom 1
Axiom 2
Axiom 3
Axiom 4
Axiom 5
⊢
⊢
⊢
⊢
⊢
(A → (B → A)),
(A → (B →C)) → ((A → B) → (A →C)),
(¬ B → ¬ A) → (A → B),
∀xA(x) → A(a),
∀x(A → B(x)) → (A → ∀xB(x)).
Modus ponens
⊢ A→B ⊢ A
⊢B
Generalization
⊢ A(a)
.
⊢ ∀xA(x)
In Axiom 5, B(x) is a formula with a free variable x, while x is not a free
variable of the formula A.
69 / 136
Derived rules of inference
Generalization
U⊢A(a)
U⊢∀xA(x) , a does not appear in U.
Deduction
U∪{A}⊢B
U⊢A→B
Axiom 4
U⊢∀xA(x)
U⊢A(a)
Generalization
⊢A(a)→B(a)
⊢∀xA(x)→∀xB(x)
C-rule
U⊢∃xA(x)
U⊢A(a) , a does not appear in U or ∃xA(x).
70 / 136
Figure 9.1: Finite sequences of terms (1)
n=1
n=2
n=3
n=4
a
b
f (a), f (b), f ( f (a)), f ( f (b))
f ( f ( f (a))), f ( f ( f (b),
g(a, a), g(a, b), g(a, f (a)), g(a, f (b)), g(a, f ( f (a))), g(a, f ( f (b))),
six similar terms with b as the first argument of g,
g( f (a), a), g( f (a), b), g( f (a), f (a)), g( f (a), f (b)),
g( f (a), f ( f (a))), g( f (a), f ( f (b))),
six similar terms with f (b) as the first argument of g,
71 / 136
Figure 9.1: Finite sequences of terms (2)
g( f ( f (a)), a), g( f ( f (a)), b), g( f ( f (a)), f (a)), g( f ( f (a)), f (b)),
g( f ( f (a)), f ( f (a))), g( f ( f (a)), f ( f (b))),
six similar terms with f ( f (b)) as the first argument of g,
f (g(a, a)), f (g(a, b)), f (g(a, f (a)), f (g(a, f (b)),
twelve similar terms with b, f (a), f (b) as the first argument of g,
f ( f (g(a, a))), f ( f (g(a, b))), f ( f (g(b, a))), f ( f (g(b, b))).
72 / 136
Example 9.20: Hebrand universes
S1
= {pa ¬ pbqz, ¬ qz ¬ pbqz}
HS1 = {a, b}
S2
= {¬ px f (y), pwg(w)}
HS2 = {a, f (a), g(a),
f ( f (a)), g( f (a)), f (g(a)), g(g(a)), . . .}
S3
= {¬ pa f (x, y), pb f (x, y)}
HS3 = {a, b, f (a, a), f (a, b), f (b, a), f (b, b),
f (a, f (a, a)), f ( f (a, a), a), . . .}
73 / 136
Example 10.2: Ground resolution
{p(a), r(a, f (b)), r( f (a), b)}
HH
HH
HH
HH
{q( f (b)), r(a, f (b))}
{p(a), ¬ q( f (b)), r( f (a), b)}
74 / 136
Example 10.7: Unification
h
h
h
h
h
h
h
g(y) = x,
f (x, h(x), y) = f (g(z), w, z)
f (g(y), h(g(y)), y) = f (g(z), w, z), x = g(y)
g(y) = g(z), h(g(y)) = w,
y = z,
y = z,
h(g(y)) = w,
y = z,
h(g(z)) = w, z = z,
x = g(z),
z = z,
x = g(z),
y = z,
x = g(z),
y = z,
w = h(g(z))
i
i
x = g(y)
i
x = g(y)
i
y=z
i
w = h(g(z)) i
i
75 / 136
Example 10.29: Resolution refutation (1)
1.
2.
3.
4.
5.
6.
7.
¬ p(x) ∨ q(x) ∨ r(x, f (x))
¬ p(x) ∨ q(x) ∨ s( f (x))
t(a)
p(a)
¬ r(a, y) ∨ t(y)
¬ t(x) ∨ ¬ q(x)
¬ t(x) ∨ ¬ s(x)
76 / 136
Example 10.29: Resolution refutation (2)
8.
9.
10.
11.
12.
13.
14.
15.
¬ q(a)
x←a
3, 6
q(a) ∨ s( f (a))
x←a
2, 4
s( f (a))
8, 9
q(a) ∨ r(a, f (a))
x←a
1, 4
r(a, f (a))
8, 11
t( f (a))
y ← f (a) 5, 12
¬ s( f (a))
x ← f (a) 7, 13
2
10, 14
77 / 136
Example 10.30: Resolution refutation
1.
2.
3.
4.
3′ .
5.
3′′ .
6.
5′′′ .
7.
4′′′′ .
8.
¬ p(x, y) ∨ p(y, x)
¬ p(x, y) ∨ ¬ p(y, z) ∨ p(x, z)
p(x, f (x))
¬ p(x, x)
p(x′ , f (x′ ))
p( f (x), x)
σ1 = {y ← f (x), x′ ← x}
p(x′′ , f (x′′ ))
¬ p( f (x), z) ∨ p(x, z)
σ2 = {y ← f (x), x′′ ← x}
p( f (x′′′ ), x′′′ )
σ3 = {z ← x, x′′′ ← x}
p(x, x)
¬ p(x′′′′ , x′′′′ )
2
σ4 = {x′′′′ ← x}
Rename 3
1, 3′
Rename 3
2, 3′′
Rename 5
6, 5′′′
Rename 4
7, 4′′′′
78 / 136
Theorem 10.33: Lifting Lemma
C1 ,C2
Resolution
-
Instance
C
Instance
?
C1′ ,C2′
-
Ground resolution
?
C′
79 / 136
Figure 10.1: Example for the lifting lemma (1)
C1 = {p(x), p( f (y)), p( f (z)), q(x)}
C2 = {¬ p( f (u)), ¬ p(w), r(u)}
θ1 = {x ← f (a), y ← a, z ← a}
θ2 = {u ← a, w ← f (a)}
C1′ = C1 θ1 = {p( f (a)), q( f (a))}
C2′ = C2 θ2 = {¬ p( f (a)), r(a)}
C′ = Res(C1 ,C2 ) = {q( f (a)), r(a)}
80 / 136
Figure 10.1: Example for the lifting lemma (2)
L1
λ1
L1 λ1
L2
λ2
L2 λ2
=
=
=
=
=
=
{p(x), p( f (y)), p( f (z))}
{x ← f (y), z ← y}
{p( f (y))}
{¬ p( f (u)), ¬ p(w)}
{w ← f (u)}
{¬ p( f (u))}
λ
L1 λ
C1 λ
L2 λ
C2 λ
=
=
=
=
=
λ1 ∪ λ2 = {x ← f (y), z ← y, w ← f (u)}
{p( f (y))}
{p( f (y)), q( f (y))}
{¬ p( f (u))}
{¬ p( f (u)), r(u)}
81 / 136
Figure 10.1: Example for the lifting lemma (3)
σ
C
λσ
C1 λ σ
C2 λ σ
C
=
=
=
=
=
=
{u ← y}
Res(C1 λ ,C2 λ ) = {q( f (y)), r(y)}, using σ
{x ← f (y), z ← y, w ← f (y), u ← y}
{p( f (y)), q( f (y))}
{¬ p( f (y)), r(y)}
Res(C1 ,C2 ) = {q( f (y)), r(y)}, using λ σ
θ1′
C1′
θ2′
C2′
=
=
=
=
{y ← a}
C1 θ1 = {p( f (a)), q( f (a))} = C1 λ σ θ1
{y ← a}
C2 θ2 = {¬ p( f (a)), r(a)} = C2 λ σ θ2
θ′
C′
= {y ← a}
= Res(C1′ ,C2′ ) = {q( f (a)), r(a)}
82 / 136
Figure 11.1: SLD-tree for selection of leftmost literal
q(y, b)
(1)
p(y, z), q(z, b)
p(y, b)
(5)
2
(3) @ (7)
(6)
@
@
2
PP
PP(2)
PP
P
q(a, b)
2
(1)
p(a, b)
×
@ (2)
@
@
HH
(10)
HH
H
q(h, b)
...
(1)
p(a, z′ ), q(z′ , b) p(h, j)
..
×
.
@ (2)
@
@
p(h, z′′ ), q(z′′ , j)
..
.
83 / 136
Theorem 12.3: Church’s Theorem
SM =
n
^
i=0
Li
x = x + 1;
y = y + 1;
if (x == 0)
else x =
if (y == 0)
else y =
!
Si ∧ p0 (a, a) → ∃z1 ∃z2 pn (z1 , z2 ).
Si
∀x∀y(pi (x, y) → pi+1 (s(x), y))
∀x∀y(pi (x, y) → pi+1 (x, s(y)))
goto Lj;
∀x(pi (a, x) → p j (a, x)) ∧
x - 1;
∀x∀y(pi (s(x), y) → pi+1 (x, y))
then goto Lj; ∀x(pi (x, a) → p j (x, a)) ∧
y - 1;
∀x∀y(pi (x, s(y)) → pi+1 (x, y))
84 / 136
Figure 13.1: State transition diagram
s0
p
¬q
s
1
- p
- q s
2 ?
-
¬p
q
s3 ?
¬p
¬q 85 / 136
Figure 13.2: Alternate representation
s0
s
1
- p
p
- q s
2 ?
-
q
s3 ?
86 / 136
Definition 13.27: Linear temporal logic
s0
¬p
- ¬p
s1
- p
s2
-
...
87 / 136
Example 13.33
s
0
p
s1
-
q
s
2
-
p
s
3
-
q
s
4
-
p
-...
88 / 136
Commutativity
s
0
s1
s
2
- ¬p
-
- ¬p
¬p
s
0
¬p
s1
s
3
s
4
s
5
-...
s
5
-...
- ¬p
- ¬p
-
- ¬p
- ¬p
-
-
p
s2
s
3
s
4
p
p
p
89 / 136
Section 13.51: Tableaux rules for LTL
α
α1
α2
2A
A
#2A
¬ 3A ¬ A ¬ #3A
β
β1
β2
3A
A
#3A
¬ 2A ¬ A ¬ #2A
X
X1
#A
A
¬ #A ¬ A
90 / 136
The rule for next formulas (1)
(p ∨ q) ∧ #(¬ p ∧ ¬ q)
↓
p ∨ q, #(¬ p ∧ ¬ q)
ւ
ց
p, #(¬ p ∧ ¬ q)
q, #(¬ p ∧ ¬ q)
91 / 136
The rule for next formulas (2)
(p ∨ q) ∧ #(¬ p ∧ ¬ q)
↓
p ∨ q, #(¬ p ∧ ¬ q)
ւ
ց
p, #(¬ p ∧ ¬ q)
q, #(¬ p ∧ ¬ q)
↓
¬ p ∧ ¬q
↓
¬ p, ¬ q
↓
¬ p ∧ ¬q
↓
¬ p, ¬ q
92 / 136
The rule for next formulas (3)
s0
p
s0
p
- ¬p
¬q
s1
- ¬p
¬q s1
s0
q
s0
q
- ¬p
¬q
s1
- ¬p
¬q s1
93 / 136
Semantic tableau for ¬ (2(p ∧ q) → 2p)
¬ (2(p ∧ q) → 2p)
↓
2(p ∧ q), 3 ¬ p
↓
p ∧ q, #2(p ∧ q), 3 ¬ p
↓
p, q, #2(p ∧ q), 3 ¬ p
ւ
ց
p, q, #2(p ∧ q), ¬ p
×
p, q, #2(p ∧ q), #3 ¬ p
94 / 136
Interpretations for ¬ (2(p ∧ q) → 2p)
s
0
p
q
s
1
- p
q
s
2
- p
q
-
s
0
p
q 95 / 136
Example 13.38
l0 : 23p
↓
l1 : 3p, #23p
ւ
ց
l2 : p, #23p
l3 : #3p, #23p
↓
↓
l4 : 23p
l5 : 3p, 23p
↓
↓
l6 : 3p, #23p
l7 : 3p, #23p
ւ
ց
ւ
ց
To l2
To l3
To l2
To l3
96 / 136
Example 13.43
l0 : 23p
↓
l1 : 3p, #23p
ւ
ց
l2 : p, #23p
l3 : #3p, #23p
↓
↓
To l0
To l1
s0 ?
-
p
s1
97 / 136
Figure 13.3: 2(3(p ∧ q) ∧ 3(¬ p ∧ q) ∧ 3(p ∧ ¬ q))
s
0
s
1
- ¬p
q *
HH
HH
6
6
HH HH
H
H
H
HH
H
HH
HH
s3 ?
s
2
? H
H
H
H
j
H
p ¬q
-
p
q -
YH
HH
98 / 136
Section 13.5.4: A linear, fulfilling Hintikka structure
s0 ?
p
q
s
1
- ¬p
q
s
2
- p
¬q
99 / 136
Figure 13.4: Strongly connected components
@
@
@
R @
s1 s4 - s5
@
6
R
@
?
s3
s2 s6 s7
s0
100 / 136
Figure 13.5: Component graph
'
$
@ %
&
@
@
R
@
'
'
$
$
@
R @
s1 s4 - s5
@
G1
G2
6
R
@
?
s3
s2 s6 s7
&
%
&
%
G0
s0
101 / 136
Figure 13.6: An SCC is contained in an MSCC
'
$
G′ '
s1 G
@
R
@
s3
s2 &
%
&
$
s4 - s5
6
?
- s6 s7
%
102 / 136
Example 13.68
s0
p
s0
p
s0
p
- p
s1
- p
s1
- ¬p
s1
- q
s2
- p
-
···
-
···
-
···
s2
- q
s2
103 / 136
Deductive system L
Axiom 0
Prop
Axiom 1
Axiom 2
Axiom 3
Axiom 4
Axiom 5
Distribution of 2
Distribution of #
Expansion of 2
Induction
Linearity
Modus ponens
Generalization
Any substitution instance of
a valid propositional formula.
⊢ 2(A → B) → (2A → 2B).
⊢ #(A → B) → (#A → #B).
⊢ 2A → (A ∧ #A ∧ #2A).
⊢ 2(A → #A) → (A → 2A).
⊢ #A ↔ ¬ # ¬ A.
⊢A
⊢ A→B
⊢B
.
⊢A
.
⊢ 2A
104 / 136
Example 14.9
s
0
s
1
s
2
s
3
-¬p
- p
-¬p
p
···
105 / 136
Semantic tableau for the negation of 2p → #2p
¬ (2p → #2p)
↓
2p, #3 ¬ p
↓
ls p, #2p, #3 ¬ p
↓
2p, 3 ¬ p
↓
p, #2p, 3 ¬ p
ւ
ց
p, #2p, ¬ p
(To node ls )
×
106 / 136
Section 14.4: Axioms for binary temporal operators
Axiom 6 Expansion of U
Axiom 7 Eventuality
⊢ AU B ↔ (B ∨ (A ∧ #(AU B))).
⊢ AU B → 3B.
107 / 136
Definition 15.8: H L (1)
Domain axioms
Every true formula over the domain(s) of the program variables.
Assignment axiom
⊢ {p(x){x ← t}} x := t {p(x)}.
Composition rule
⊢ {p} S1 {q}
⊢ {q} S2 {r}
.
⊢ {p} S1;S2 {r}
108 / 136
Definition 15.8: H L (2)
Alternative rule
⊢ {p ∧ B} S1 {q}
⊢ {p ∧ ¬ B} S2 {q}
.
⊢ {p} if B then S1 else S2 {q}
Loop rule
⊢ {p ∧ B} S {p}
.
⊢ {p} while B do S {p ∧ ¬ B}
Consequence rule
⊢ p1 → p
⊢ {p} S {q}
⊢ {p1 } S {q1 }
⊢ q → q1
.
109 / 136
Section 15.3: Program to be verified
{true}
x := 0;
{x = 0}
y := b;
{x = 0 ∧ y = b}
while y <> 0 do
{x = (b − y) · a}
begin x := x + a; y := y - 1 end;
{x = a · b}
110 / 136
Section 15.4.1: Solution 1 (outline)
{0 ≤ a}
x = E1(x,a);
while (B(x,a))
{0 ≤ x2 ≤ a}
x = E2(x,a);
{0 ≤ x2 ≤ a < (x + 1)2 }.
111 / 136
Section 15.4.1: Solution 1 (final)
{0 ≤ a}
x = 0;
while ((x+1)*(x+1) <= a)
{0 ≤ x2 ≤ a}
x = x + 1;
{0 ≤ x2 ≤ a < (x + 1)2 }.
112 / 136
Section 15.4.1: Solution 2 (outline)
{0 ≤ a}
x = 0;
y = a+1;
while (y != x+1)
{(0 ≤ x2 ≤ a < y2 ) ∧ (x < y ≤ a + 1)}
E(x,y,a);
{0 ≤ x2 ≤ a < (x + 1)2 }.
113 / 136
Section 15.4.1: Solution 2 (final)
{0 ≤ a}
x = 0;
y = a+1;
while (y != x+1)
{0 ≤ x2 ≤ a < y2 ∧ x < y ≤ a + 1}
{
z = (x+y) / 2;
if (z*z <= a)
x = z;
else
y = z;
}
{0 ≤ x2 ≤ a < (x + 1)2 }.
114 / 136
Example 15.15: Weaker conditions
'
y=0
&
'
&
y=1
y≤3
'
y = 1∨y = 3 $
%
y=2
&
y=3
$
$
%
%
115 / 136
Definition 15.21: Sequential composition
'
'
$
'
$
'
wp(S1, wp(S2, q))
&
&
-
wp(S2, q)
%
&
%
&
$
'
$
$
' $
:
q
& %
%
%
&
%
116 / 136
Corollary 9.26: Excluded miracle
'
p
&
|
z
{z
wp(S, p)
∞
wp(S, ¬ p)
}|
}
¬p
$
{
%
117 / 136
Theorem 9.28: Monotonicity
'
'
wp(S, q)
&
&
wp(S, p)
'
$
$
$ '
$
q
- p
%
% &
%
&
%
118 / 136
Lemma 15.37
'
'
'
'
'
0
W
wp(Wk , p)
k=0
&
&
&
&
&
1
W
wp(Wk , p)
k=0
$
2
W
$
$
wp(Wk , p) · · ·
%
k=0
$
$
∞
W
wp(Wk , p)
k=0
%
%
%
%
119 / 136
Example 16.2
Process p
1: n = n + 1
2: n = n + 1
end:
int n = 0
Process q
1: n = n + 1
2: n = n + 1
end:
120 / 136
Atomic operations
Process p
1: n = n + 1
end:
int n = 0
Process q
1: n = n + 1
end:
int n = 0
Process p
Process q
int temp = 0
int temp = 0
1: temp = n
1: temp = n
2: temp = temp + 1
2: temp = temp + 1
3: n = temp
3: n = temp
end:
end:
121 / 136
Peterson’s algorithm
boolean wantp = false, wantq = false
int turn = 1
Process p
Process q
while (true) {
while (true) {
non-critical-section
non-critical-section
wantp = true
wantq = true
turn = 1
turn = 2
wait until
wait until
(!wantq or turn == 2)
(!wantp or turn == 1)
critical-section
critical-section
wantp = false
wantq = false
}
}
122 / 136
Abbreviated algorithm
boolean wantp = false, wantq = false
int turn = 1
Process p
Process q
while (true) {
while (true) {
tryp: wantp=true; turn=1
tryq: wantq=true; turn=2
waitp: wait until
waitq: wait until
(!wantq or turn == 2)
(!wantp or turn == 1)
csp: wantp = false
csq: wantq = false
}
}
123 / 136
Progress axioms
Statement
v := expression
li:
li+1:
li:
if B then
lt:
S1
else
lf:
S2
li:
while B do
lt:
S1;
lf:
Progress axioms
⊢ li → 3li+1
⊢ li → 3(lt ∨ l f )
⊢ (li ∧ 2B) → 3lt
⊢ (li ∧ 2 ¬ B) → 3l f
⊢ li → 3(lt ∨ l f )
⊢ (li ∧ 2B) → 3lt
⊢ (li ∧ 2 ¬ B) → 3l f
124 / 136
Figure 16.3: Finite automata for Peterson’s algorithm
-
wantp=true !wantq
tryp
turn=1
6
or turn == 2- csp
- waitp
wantq and turn == 1
wantp=false
-
or turn == 1- csq
wantq=true !wantp
tryq
turn=2
6
- waitq
wantp and turn == 2
wantq=false
125 / 136
Product automaton for Peterson’s algorithm
···
#
?
wantq=true #
tryp turn=2
tryp
tryq
waitq
"!
wantp=true #
turn=1
- waitp
tryq
"!
···
"!
126 / 136
Figure 16.2: State space for Peterson’s algorithm
1. (tryp,tryq,1)
2. (waitp,tryq,1)
3. (tryp,waitq,2)
@
@
R
@
@
@
R
@
4. (csp,tryq,1)
i
1
HH
HH
HH
j
@
@
5. (waitp,waitq,2) 6. (waitp,waitq,1)
R @
8. (csp,waitq,2)
i
3
@
R i
@
8
@
R i i
@
5 6
?
9. (waitp,csq,1)
i
9
7. (tryp,csq,2)
@
R i
@
2
?
10. (tryp,tryq,2)
i
2
@
R i
@
3
127 / 136
Section 16.5.2: Dijkstra’s second attempt
boolean wantp = false, wantq = false
Process p
Process q
while (true) {
while (true) {
waitp: wait until !wantq waitq: wait until !wantp
tryp:
wantp = true
tryq:
wantq = true
csp:
wantp = false
csq:
wantq = false
}
}
128 / 136
Figure 16.3: State space for the second attempt
1. (waitp,waitq,F ,F)
2. (tryp,waitq,F ,F)
4. (csp,waitq,T ,F)
i
1
@
@
R
@
@
@
R
@
3. (waitp,tryq,F ,F)
5. (tryp,tryq,F ,F)
7. (csp,tryq,T ,F)
i
3
HH
HH
HH
j
HH
HH
HH
j
@
@
R
@
6. (waitp,csq,F ,T )
8. (tryp,csq,F ,T )
@
@
R
@
10. (csp,csq,T ,T )
i
6
@
R i
@
4
@
R i
@
1
@
R i
@
2
129 / 136
Section 16.6
s0
waitp
s0
tryp
s1 ?
- waitp
s1
- waitp
s2
- waitp
s2 ?
- waitp
s3
- waitp
s3
- waitp
130 / 136
Section 16.6.1
#
true
- s0 csp
-
"!
¬ waitp ∨ csp
#
-
"!
s1
true
#
#
waitp ∧ ¬ csp- s
- s0
1
-
"!
"!
true
¬ csp
131 / 136
Figure 16.4: Model checking liveness
1. (tryp,tryq,1)
HH
HH
HH
j
H
3. (tryp,waitq,2)
2. (waitp,tryq,1)
4. (csp,tryq,1)
j
1
@
@
@
R
@
@
@
@
R
@
@
R
@
8. (csp,waitq,2)
j
3
5. (waitp,waitq,2)
@
R
@
8j
@
@
@
R
@
6. (waitp,waitq,1)
j
j
6
5
?
9. (waitp,csq,1)
j
9
7. (tryp,csq,2)
@
R
@
2j
?
10. (tryp,tryq,2)
j
2
@
R
@
3j
132 / 136
Figure 16.5: The state space as a tree
1. (tryp,tryq,1)
HH
H
HH
HH
j
3. (tryp,waitq,2)
2. (waitp,tryq,1)
@
@
@
R
@
4. (csp,tryq,1)
?
5. (waitp,waitq,2)
@
@
@
R
@
8. (t,t,1)
9. (c,w,2)
@
@
@
R
@
6. (waitp,waitq,1)
@
@
@
R
@
10. (w,w,2)
@
@
@
?
R
@
7. (tryp,csq,2)
?
11. (w,w,1) 12. (w,c,1) 13. (t,t,2)
133 / 136
Figure 16.6: CTL model checking
1. (tryp,tryq,1)
HH
HH
HH
j
H
3. (tryp,waitq,2)
2. (waitp,tryq,1)
4. (csp,tryq,1)
j
1
@
@
@
R
@
@
@
@
R
@
@
R
@
8. (csp,waitq,2)
j
3
5. (waitp,waitq,2)
@
R
@
8j
@
@
@
R
@
6. (waitp,waitq,1)
j
j
5
6
?
9. (waitp,csq,1)
j
9
7. (tryp,csq,2)
@
R
@
2j
?
10. (tryp,tryq,2)
j
2
@
R
@
3j
134 / 136
Section 16.8: Symbolic model checking
tryp p0 ∧ p1
waitp ¬ p0 ∧ p1
csp
p0 ∧ ¬ p1
s0
tryq q0 ∧ q1
waitq ¬ q0 ∧ q1
csq
q0 ∧ ¬ q1
s1 ?
-
s2
-
s3
-
135 / 136
Venn diagrams
'
'
&
T
S
&
'
z
S
S−T
&
S∪T
}|
'
S∩T
&
$
$
%
%
$
{
T
$
T −S
%
%
136 / 136