Bachelor of Science in Computer Science
University of Colombo School of Computing
CS 4119 / SCS 4212
Formal Methods and Software Verification
SCS 4212/CS4119 - Formal Methods and Software Verification Dr. Sritharan 10 June 2024 1
Textbook for Formal Methods
A Logical Approach to Discrete Math
By: David Gries & Fred B. Schneider
Part -1: Formal Methods
Topic 1:
Textual Substitution, Equality, and Assignment
Expression
Definition of an expression
• A constant (e.g. 97) or variable (e.g. x) is an expression.
• If E is an expression, then (E) is an expression.
• If ∘ is a unary prefix operator and E is an expression, then ∘E is an expression, with operand E.
  For example, −9 and ¬p are expressions.
• If ∗ is a binary infix operator and D and E are expressions, then D ∗ E is an expression, with operands D and E.
  For example, 2 + 3 and 3 ∙ (x + 2) are expressions.
Remark: Syntax refers to the structure of expressions, i.e. the rules for putting symbols together to form an expression. Semantics refers to the meaning of expressions, i.e. how they are evaluated.
Table of Precedence – highest to lowest
1. [𝑥 ∶= 𝑒] (textual substitution)
2. . (function application, as in f.x)
3. Unary prefix operators: +, −, ¬, ⋕, ~, 𝒫
4. ∗∗
5. ∙, /, ÷, 𝑚𝑜𝑑, 𝑔𝑐𝑑
6. +, −, ∪, ∩,×, ∘, ∙
7. ↑, ↓
8. ⊲, ⊳
9. =, <, >, ∈, ⊂, ⊆, ⊃, ⊇, |
10. ∧,∨
11. ⇒, ⇐
12. ≡
Note: All non-associative binary infix operators associate to the left, except ∗∗, ⊲ and ⇒, which associate to the right.
State
A state is a list of variables and their values. For example (x, 5), (y, 3).
Evaluation of an expression E in a state is performed by replacing all variables in E by their values in the state and then computing the value of the resulting expression.
Example: Evaluating 2x + 3y − 7 in the state (x, 5), (y, 3) consists of replacing variables x and y by their values to yield 2 × 5 + 3 × 3 − 7 and then evaluating that to yield 12.
A logical expression may be true in some states, but not in other states.
Example: 2x + 3y = 7 is true in the state (x, 5), (y, −1) but is not true in the state (x, 1), (y, 2).
Textual Substitution
Let E and R be expressions and let x be a variable. We use the notation E[x := R] (also written Eˣ_R) to denote an expression that is the same as E but with all occurrences of x replaced by "(R)". The act of replacing all occurrences of x by "(R)" in E is called textual substitution.
Examples:
Expression (textual substitution)    Result                     Removing unnecessary parentheses
83[x := 2]                           83                         83
y[x := 2]                            y                          y
x[x := z + 2]                        (z + 2)                    z + 2
(x + y)[x := z + 2]                  ((z + 2) + y)              z + 2 + y
(x ∙ x + y)[x := c + y]              ((c + y) ∙ (c + y) + y)    (c + y) ∙ (c + y) + y
Textual Substitution for Several Variables
Examples:
Expression (textual substitution)    Result                     Removing unnecessary parentheses
z + y[z, y := 5, 6]                  z + (6)                    z + 6
(z + y)[z, y := 5, 6]                ((5) + (6))                5 + 6 = 11
(x + y + y)[x, y := z, w]            ((z) + (w) + (w))          z + w + w
(x + 2·y·z)[x, y, z := z, x, y]      ((z) + 2·(x)·(y))          z + 2·x·y
(x + 2·y)[x, y := y, x]              ((y) + 2·(x))              y + 2·x
(x + 2·y)[x := y][y := x]            (y + 2·y)[y := x]          x + 2·x
Note: Textual substitution is left associative, so that E[x := R][y := Q] is defined to be (E[x := R])[y := Q].
A Property of Textual Substitution
Case 1: x does not occur in the expression.
    ((a + b) · c)[b := x][x := b]
=   ⟨ts⟩
    (((a + (x)) · c))[x := b]
=   ⟨rup⟩
    ((a + x) · c)[x := b]
=   ⟨ts⟩
    (a + (b)) · c
=   ⟨rup⟩
    (a + b) · c

Case 2: x does occur in the expression.
    ((a + b) · x)[b := x][x := b]
=   ⟨ts⟩
    (((a + (x)) · x))[x := b]
=   ⟨rup⟩
    ((a + x) · x)[x := b]
=   ⟨ts⟩
    (a + (b)) · (b)
=   ⟨rup⟩
    (a + b) · b

(ts = textual substitution, rup = removing unnecessary parentheses.)
If ¬occurs('x', 'E'), i.e. x does not occur in E, then E[y := x][x := y] = E.
Proof
Axiomatic logic systems
Axioms + Inference Rules → Theorems
Given the inference rules and some axioms, the logic system produces theorems.
Inference Rules
Inference rules have a horizontal line with the premise or hypothesis above the line and the conclusion below the line. The premise is assumed to be true in all states.
Example 1:
    2x + 3 = 11
    ―――――――――――
    x = 4
Example 2:
    All students in this class are intelligent and Nimal is a student in this class
    ―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
    Nimal is intelligent
Inference rule - Substitution
1.1 Substitution:
    E
    ―――――――――
    E[x := F]
Example 1:
    x + y = y + x
    ―――――――――――――――――――――――――――――
    (x + y = y + x)[x, y := p, 5]
or, after carrying out the substitution,
    x + y = y + x
    ―――――――――――――
    p + 5 = 5 + p
Example 2:
    p ∨ ¬p
    ――――――――――――――――――――
    (p ∨ ¬p)[p := p → q]
or, after carrying out the substitution,
    p ∨ ¬p
    ――――――――――――――――――――
    (p → q) ∨ ¬(p → q)
The Four Laws of Equality
1.2 Reflexivity: x = x
1.3 Symmetry: (x = y) = (y = x)
1.4 Transitivity:
    X = Y, Y = Z
    ――――――――――――
    X = Z
1.5 Leibniz:
    X = Y
    ―――――――――――――――――――――
    E[z := X] = E[z := Y]
Example: Assume that 2a + 3 = 3b − 2 is a theorem. Then by Leibniz's law, c + 2a + 3 = c + 3b − 2 is a theorem, obtained by choosing X: 2a + 3, Y: 3b − 2 and E: c + z, with z as the variable being substituted for.
Function Evaluation
A function is a rule for computing a value 𝑦 (say) from another value 𝑥
(say). Value 𝑥 is called the argument and 𝑦 the corresponding result.
Example: f.x = 2x + 3, i.e. f.x = 2 ∙ x + 3.
f.2 = 2 ∙ 2 + 3 = 7
What is f.2 + 3? (Recall from the precedence table that function application binds tighter than +.)
If f.x : E defines function f, then function application f.X for any argument X is defined by f.X = E[x := X].
Leibniz (1.5) can therefore be restated in terms of function application:
    X = Y                              X = Y
    ―――――――――――――――――――――      ≡      ―――――――――
    E[z := X] = E[z := Y]              f.X = f.Y
General Proof Step
Leibniz:
    X = Y
    ―――――――――――――――――――――
    E[z := X] = E[z := Y]
Proof step:
    E[z := X]
=   ⟨X = Y⟩
    E[z := Y]
Reasoning Using Leibniz's rule – Example 2
Assuming the following axioms, prove that (10 ∙ x⁹) / (x⁵ ∙ 2) = 5 ∙ x⁴.
A.1 a ∙ b = b ∙ a
A.2 (a ∙ b) / (c ∙ d) = (a / c) ∙ (b / d)
A.3 aⁿ / aᵐ = aⁿ⁻ᵐ
Proof:
    (10 ∙ x⁹) / (x⁵ ∙ 2)
=   ⟨A.1 with a, b := x⁵, 2⟩
    (10 ∙ x⁹) / (2 ∙ x⁵)
=   ⟨A.2 with a, b, c, d := 10, x⁹, 2, x⁵⟩
    (10 / 2) ∙ (x⁹ / x⁵)
=   ⟨A.3 with a, n, m := x, 9, 5⟩
    (10 / 2) ∙ x⁹⁻⁵
=   ⟨Math⟩
    (5) ∙ x⁴
=   ⟨rup⟩
    5 ∙ x⁴
Reasoning Using Leibniz's rule – Example 1
Assuming the following axioms, prove that a ∙ b ∙ a = a² ∙ b.
A.1 x ∙ y = y ∙ x
A.2 x ∙ x = x²
A.3 x = x
Proof:
    a ∙ b ∙ a = a² ∙ b
=   ⟨A.1 with x, y := b, a, which is b ∙ a = a ∙ b⟩
    a ∙ a ∙ b = a² ∙ b
=   ⟨A.2 with x := a, which is a ∙ a = a²⟩
    a² ∙ b = a² ∙ b
=   ⟨A.3 with x := a² ∙ b, which is a² ∙ b = a² ∙ b⟩
    true   //
The Assignment Statement
The assignment statement uses the same symbol as textual substitution, :=.
Example: x := y + 1
The effect of the above assignment statement is to change the state.
Example: Initial state (x, 1), (y, 3), (z, 7)
Assignment x := y + 2
Final state (x, 5), (y, 3), (z, 7)
Statement     In Formal Methods    C++, Java
Assignment    :=                   =
Equal         =                    ==
The Hoare Triples
A Hoare Triple is denoted by {P} S {Q}, where
• P is a precondition (Boolean expression)
• S is a program statement
• Q is a postcondition (Boolean expression).
Interpretation of a Hoare Triple {P} S {Q}
If P is true and you execute S, then S terminates and Q is guaranteed to be true.
Examples: Test the validity of the following Hoare Triples:
1. {x = 0} x := x + 1 {x > 0}
2. {x > 5} x := x + 1 {x > 0}
3. {x + 1 > 0} x := 2 ∙ x {x > 0}
Definition of Assignment
{R[x := E]} x := E {R}
Assignment ":=" is read "gets".
Textual substitution "[x := E]" is read "replaced by".
We calculate the precondition from the postcondition.
Examples: Find the precondition for the following Hoare Triples:
• {?} x := x + 1 {x > 4}
• {?} y := 6 {x ∙ y > 0}
• {?} x := 2 ∙ x {x = 10}
• {?} x := 6 {y = 6}
Examples of Multiple Assignments
x, y := y, x              Swap x and y
x, i := 0, 0              Store 0 in x and i
i, x := i + 1, x + i      Add 1 to i and i to x
x, i := x + i, i + 1      Add 1 to i and i to x
Initial State       Assignment Statement        Final State
(x, 2), (y, 3)      x, y := x + y, x + y        (x, 5), (y, 5)
(x, 2), (y, 3)      x := x + y; y := x + y      (x, 5), (y, 8)
{R[x, y := E, F]} x, y := E, F {R}
{R[y := F][x := E]} x := E; y := F {R}
Examples of Hoare Triples for Multiple Assignment
{y > x} x, y := y, x {x > y}
{x + i = 1 + 2 + ··· + (i + 1 − 1)} x, i := x + i, i + 1 {x = 1 + 2 + ··· + (i − 1)}
{x + i = 1 + 2 + ··· + (i + 1 − 1)} x, i := i + 1, i + 1 {x = 1 + 2 + ··· + (i − 1)}
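As an added example (not from the slides or from Gries & Schneider), the following Python models the textual substitution of the earlier slides and the assignment axioms of the last two: simultaneous versus sequential substitution, the precondition R[x, y := E, F] of a (multiple) assignment, and R[y := F][x := E] for the sequence x := E; y := F. It borrows Python's own expression syntax, so `*` and `==` stand in for ∙ and =, and relies on the `ast` module to re-insert exactly the parentheses textual substitution requires; the function names are my own.

```python
import ast

def subst(expr, mapping):
    """E[x1, ..., xn := R1, ..., Rn]: simultaneous textual substitution.
    ast.unparse re-parenthesises, so (x*x + y)[x := c + y] comes back as
    (c + y) * (c + y) + y, exactly as in the slide's table."""
    repl = {v: ast.parse(r, mode="eval").body for v, r in mapping.items()}

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            # Return the replacement without visiting it again, so variables
            # inside R are not substituted a second time (simultaneous, not
            # sequential, substitution).
            return repl.get(node.id, node)

    return ast.unparse(Sub().visit(ast.parse(expr, mode="eval")))

def evaluate(expr, state):
    """Evaluate E in a state, given as a dict variable -> value.
    eval() is acceptable here only because the expressions are constructed
    lecture examples, never untrusted input."""
    return eval(expr, {"__builtins__": {}}, dict(state))

def wp_assign(targets, exprs, post):
    """Assignment axiom {R[x, y := E, F]} x, y := E, F {R}:
    the precondition is the postcondition with the targets replaced."""
    return subst(post, dict(zip(targets, exprs)))

def wp_sequence(assignments, post):
    """x := E; y := F is handled right to left: R[y := F][x := E]."""
    pre = post
    for target, expr in reversed(assignments):
        pre = subst(pre, {target: expr})
    return pre

def run_multi(targets, exprs, state):
    """Execute a simultaneous assignment: every right-hand side is
    evaluated in the initial state before any variable changes."""
    values = [evaluate(e, state) for e in exprs]
    return {**state, **dict(zip(targets, values))}

def triple_holds(pre, targets, exprs, post, state):
    """{pre} targets := exprs {post} holds in `state` iff pre implies the
    assignment's precondition R[targets := exprs] in that state."""
    return (not evaluate(pre, state)) or evaluate(wp_assign(targets, exprs, post), state)

if __name__ == "__main__":
    print(subst("x + 2*y", {"x": "y", "y": "x"}))                    # y + 2 * x
    print(wp_assign(["x", "y"], ["y", "x"], "x > y"))                 # y > x
    print(wp_sequence([("x", "x + y"), ("y", "x + y")], "y == 8"))   # x + y + y == 8
    print(triple_holds("x + 1 > 0", ["x"], ["2 * x"], "x > 0", {"x": 0}))  # False
```

The last line checks the slide's third Hoare triple in the state x = 0: the precondition x + 1 > 0 holds there, but the computed precondition 2 ∙ x > 0 does not, so the triple is invalid.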
Tutorial -1
All the exercises for Chapter 1: From 1.1 to 1.11