CS245 Logic and Computation

Alice Gao
December 9, 2019

Contents
1 Propositional Logic
1.1 Translations
1.2 Structural Induction
1.2.1 A template for structural induction on well-formed propositional formulas
1.3 The Semantics of an Implication
1.4 Tautology, Contradiction, and Satisfiable but Not a Tautology
1.5 Logical Equivalence
1.6 Analyzing Conditional Code
1.7 Circuit Design
1.8 Tautological Consequence
1.9 Formal Deduction
1.9.1 Rules of Formal Deduction
1.9.2 Format of a Formal Deduction Proof
1.9.3 Strategies for writing a formal deduction proof
1.9.4 And elimination and introduction
1.9.5 Implication introduction and elimination
1.9.6 Or introduction and elimination
1.9.7 Negation introduction and elimination
1.9.8 Putting them together!
1.9.9 Putting them together: Additional exercises
1.9.10 Other problems
1.10 Soundness and Completeness of Formal Deduction
1.10.1 The soundness of inference rules
1.10.2 Soundness and Completeness of Formal Deduction
1.11 Proving the Completeness Theorem

2 Predicate Logic
2.1 Translations
2.2 Semantics of Predicate Formulas
2.2.1 Evaluating Formulas with No Variables
2.2.2 Evaluating Formulas without Bound Variables
2.2.3 Evaluating Formulas with Free and Bound Variables
2.2.4 Evaluating Formulas with Bound Variables Only
2.3 Tautological Consequence
2.3.1 Semantic Entailment - Additional Exercises
2.4 Formal Deduction
2.4.1 Forall-elimination
2.4.2 Exists-introduction
2.4.3 Forall-introduction
2.4.4 Forall-introduction - Additional Exercises
2.4.5 Exists-elimination
2.4.6 Exists-Elimination - Additional Exercises
2.4.7 Putting them together
2.4.8 Putting them together - Additional Exercises
2.5 Soundness and Completeness of Natural Deduction
2.5.1 Proving that an inference rule is sound or not sound
2.5.2 Additional Exercises
2.5.3 Proofs using the soundness and completeness theorems

3 Program Verification
3.1 Partial and Total Correctness
3.2 Assignment Statements
3.3 Conditional Statements
3.4 Conditional Statements: Additional Exercises
3.5 While Loops
3.6 While Loops: Additional Exercises
3.7 Array Assignments
3.8 Putting them together

4 Undecidability
4.1 Prove that a problem is decidable
4.2 The Halting Problem is Undecidable
4.3 Prove that a problem is undecidable

1 Propositional Logic
1.1 Translations
Exercise 1. Translate the following three sentences into propositional logic.

• Nadhi will eat a fruit if it is an apple.

• Nadhi will eat a fruit only if it is an apple.

• Nadhi will eat a fruit if and only if it is an apple.

Solution: 𝑛: Nadhi will eat a fruit.


𝑎: The fruit is an apple.

• Nadhi will eat a fruit if it is an apple.


Translation: (𝑎 → 𝑛)
If the fruit is an apple, we know that Nadhi will eat it.
If the fruit is not an apple, Nadhi may or may not eat it.
The set of apples is a subset of the set of fruits that Nadhi eats.

• Nadhi will eat a fruit only if it is an apple.


Translation: (𝑛 → 𝑎)
If Nadhi eats a fruit, then we know that it is an apple.
If Nadhi does not eat a fruit, the fruit may or may not be an apple.
The set of fruits that Nadhi eats is a subset of the set of apples.

• Nadhi will eat a fruit if and only if it is an apple.


Translation: (𝑛 ↔ 𝑎)
If Nadhi eats a fruit, then it is an apple.
If Nadhi does not eat a fruit, then it is not an apple.
The set of fruits that Nadhi eats and the set of apples coincide.

Exercise 2. Translate the following sentence into multiple propositional formulas. Show
that they are logically equivalent using a truth table.
Soo-Jin will eat an apple or an orange but not both.

Solution: 𝑎: Soo-Jin will eat an apple. 𝑜: Soo-Jin will eat an orange.


This sentence translates into an exclusive OR. There are many ways of writing down a
formula for an exclusive OR.

• ((𝑎 ∨ 𝑜) ∧ (¬(𝑎 ∧ 𝑜)))


a or o is true, but not both.

• ((𝑎 ∨ 𝑜) ∧ ((¬𝑎) ∨ (¬𝑜)))


a or o is true, and a is false or o is false.

• ((𝑎 ∧ (¬𝑜)) ∨ ((¬𝑎) ∧ 𝑜))


a is true and o is false, or a is false and o is true.

• (¬(𝑎 ↔ 𝑜))
It is not the case that a and o have the same truth value.

• ((¬𝑎) ↔ 𝑜) ⊨⊨ (𝑎 ↔ (¬𝑜))
negated a and o have the same truth value.

Exercise 3. Translate the following sentence into at least three syntactically different
propositional formulas. Show that they are logically equivalent using a truth table.
If it is sunny tomorrow, then I will play golf, provided that I am relaxed.

Solution:

• 𝑠: It is sunny tomorrow.

• 𝑔: I will play golf.

• 𝑟: I am relaxed.

I can think of three ways of translating this sentence into a propositional formula.

• Interpretation 1: If it is sunny tomorrow, then, if I am relaxed, then I will play golf.


Translation: (𝑠 → (𝑟 → 𝑔)).
Sunny tomorrow is the premise for the rest.

• Interpretation 2: If it is sunny tomorrow and I am relaxed, then I will play golf.


Translation: ((𝑠 ∧ 𝑟) → 𝑔).
Sunny tomorrow and being relaxed together are premises for playing golf.

• Interpretation 3: If I am relaxed, then, if it is sunny tomorrow, I will play golf.


Translation: (𝑟 → (𝑠 → 𝑔)).
Being relaxed is the premise for the rest.

All three interpretations are logically equivalent.

Exercise 4. Translate the following sentence into a propositional formula.
If I ace CS 245, I will get a job at Google; otherwise I will apply for the Geek
Squad.

Solution: Define the propositional variables:

• 𝑎: I ace CS 245.

• 𝑔: I will get a job at Google.

• 𝑠: I will apply for the Geek Squad.

First, let’s break down this sentence into two parts by the semicolon.
The first part translates into an implication because of the key word “if”. It becomes (𝑎 → 𝑔).
In the second part, “otherwise” means that “if I don’t ace CS 245”. After rephrasing, the
second part becomes “If I don’t ace CS 245, then I will apply for the Geek Squad.” This is
another implication ((¬𝑎) → 𝑠).
Now the tricky part is: what connective should we use to connect the two parts together?
Two natural options are ∧ and ∨. The ∨ option seems possible because the sentence could
be rephrased as “If I ace CS 245, ...; or otherwise ....”
The correct connective to use is ∧ for the following reasons.
Let’s consider the scenario in which I ace CS 245, I don’t get a job at Google and I apply for
the Geek Squad. In this case, is the sentence true or false? Intuitively, the sentence should
be false, because the first implication is violated when I ace CS 245 but do not get a job at
Google. Now let’s look at the truth values of the two possible propositional formulas:

• If we use ∧ as the connective, the resulting formula ((𝑎 → 𝑔) ∧ ((¬𝑎) → 𝑠)) is false
in this scenario. The truth value of the formula is the same as the truth value of the
sentence in this scenario.

• If we use ∨ as the connective, the resulting formula ((𝑎 → 𝑔) ∨ ((¬𝑎) → 𝑠)) is true in
this scenario. This truth value of the formula is different from the truth value of the
sentence in this scenario. Therefore, ∨ is not the correct connective to use because the
resulting formula has a different meaning from the sentence.

Exercise 5. Translate the following sentence into two propositional formulas and explain
why the two formulas are not logically equivalent.
Sidney will carry an umbrella unless it is sunny.

Solution: Define the propositional variables.


𝑢: Sidney will carry an umbrella.
𝑠: It is sunny.

• Interpretation 1:
Intuitively, many people understand “unless” as an “exclusive OR”, which means that
exactly one of the two parts of the sentence is true at a time.
With this interpretation, “unless” is equivalent to an “if and only if not”. The sentence
is true under the following two scenarios:

– It is not sunny and Sidney carries an umbrella.


– It is sunny and Sidney does not carry an umbrella.

Note that this interpretation does not allow Sidney to carry an umbrella when it is
sunny. So the sentence is false when 𝑢 and 𝑠 are both true.
In propositional logic, this is equivalent to

((¬𝑢) ↔ 𝑠) (1)
⊨⊨ (((¬𝑢) ∧ 𝑠) ∨ (𝑢 ∧ (¬𝑠))) (2)
⊨⊨ ((𝑢 ∨ 𝑠) ∧ (¬(𝑢 ∧ 𝑠))) (3)
⊨⊨ ((𝑢 ∨ 𝑠) ∧ ((¬𝑢) ∨ (¬𝑠))). (4)

All the formulas above are equivalent. They look different but their meanings are the
same.

• Interpretation 2:
Alternatively, you may think of “unless” as meaning “if not”. Then the sentence
becomes: if it is not sunny, then Sidney will carry an umbrella. In propositional logic,
this becomes:

((¬𝑠) → 𝑢) (5)
⊨⊨ ((¬(¬𝑠)) ∨ 𝑢) (6)
⊨⊨ (𝑠 ∨ 𝑢). (7)

Under this interpretation, this sentence is true under three scenarios:

– It is not sunny and Sidney carries an umbrella.

– It is sunny and Sidney does not carry an umbrella.
– It is sunny and Sidney carries an umbrella.

Notice that this interpretation allows Sidney to carry an umbrella when it is sunny. So
the sentence is true when 𝑢 and 𝑠 are both true.

1.2 Structural Induction
1.2.1 A template for structural induction on well-formed propositional formulas
Theorem: Every well-formed propositional formula 𝐴 has the property 𝑃 .

Proof by structural induction:

Define 𝑃 (𝐴) to be that 𝐴 has the property 𝑃 .

Base case: 𝐴 is a propositional variable 𝑝. We need to prove that 𝑃 (𝑝) holds.

Induction step:

Case 1: 𝐴 is a well-formed propositional formula of the form (¬𝐵) where 𝐵 is a well-formed
propositional formula.
Induction hypothesis: Assume that 𝑃 (𝐵) holds.
Prove that 𝑃 ((¬𝐵)) holds.

Case 2: 𝐴 is a well-formed propositional formula of the form (𝐵 ∗ 𝐶) where 𝐵 and 𝐶 are
well-formed propositional formulas and ∗ is one of ∧, ∨, →, and ↔.
Induction hypothesis: Assume that 𝑃 (𝐵) and 𝑃 (𝐶) hold.
Prove that 𝑃 ((𝐵 ∗ 𝐶)) holds.

By the principle of structural induction, 𝑃 (𝐴) holds for every well-formed propositional
formula 𝐴.

QED

Theorem 1. Every well-formed propositional formula has an equal number of opening and
closing brackets.
Solution: Each check mark indicates one point awarded to an important step of your proof.
Proof by Structural Induction. Let 𝑃 (𝜑) denote that the well-formed formula 𝜑 has an equal
number of opening and closing brackets. ✓
Let 𝑜𝑝(𝜑) and 𝑐𝑙(𝜑) denote the number of opening and closing brackets of 𝜑 respectively.
Base case: 𝜑 is a propositional symbol 𝑞. Prove that 𝑃 (𝑞) holds.
𝑞 has zero opening and zero closing brackets. Thus, 𝑃 (𝜑) holds. ✓

Induction step:

Case 1: 𝜑 is (¬𝑎), where 𝑎 is well-formed.


Induction hypothesis: Assume that 𝑃 (𝑎) holds (i.e. 𝑜𝑝(𝑎) = 𝑐𝑙(𝑎)). ✓
We need to prove that 𝑃 ((¬𝑎)) holds.

𝑜𝑝((¬𝑎)) (8)
= 1 + 𝑜𝑝(𝑎) By inspection of (¬𝑎) (9)
= 1 + 𝑐𝑙(𝑎) By induction hypothesis✓ (10)
= 𝑐𝑙((¬𝑎)) By inspection of (¬𝑎) (11)

Thus, 𝑃 ((¬𝑎)) holds.

Case 2: 𝜑 is (𝑎 ∗ 𝑏) where 𝑎 and 𝑏 are well-formed and ∗ is one of the four binary
connectives ∧, ∨, →, ↔.
Induction hypothesis: Assume that 𝑃 (𝑎) ✓ and 𝑃 (𝑏) ✓ hold (i.e. 𝑜𝑝(𝑎) = 𝑐𝑙(𝑎)
and 𝑜𝑝(𝑏) = 𝑐𝑙(𝑏)).
We need to prove that 𝑃 ((𝑎 ∗ 𝑏)) holds.

𝑜𝑝((𝑎 ∗ 𝑏)) = 1 + 𝑜𝑝(𝑎) + 𝑜𝑝(𝑏) By inspection of (𝑎 ∗ 𝑏) (12)
= 1 + 𝑐𝑙(𝑎) + 𝑐𝑙(𝑏) By induction hypothesis ✓✓ (13)
= 𝑐𝑙((𝑎 ∗ 𝑏)) By inspection of (𝑎 ∗ 𝑏) (14)

Thus, 𝑃 ((𝑎 ∗ 𝑏)) holds.

By the principle of structural induction, 𝑃 (𝜑) holds for every well-formed formula 𝜑.
✓ QED

Theorem 2. Every proper prefix of a well-formed formula has more opening than closing
brackets.
Solution:
Proof by Structural Induction. Let 𝑃 (𝜑) denote that every proper prefix of the well-formed
formula 𝜑 has more opening than closing brackets.
Let 𝑜𝑝(𝜑) and 𝑐𝑙(𝜑) denote the number of opening and closing brackets of 𝜑 respectively.
Base case: 𝜑 is a propositional variable 𝑞. Prove that 𝑃 (𝑞) holds.
Induction step:

Case 1: 𝜑 is (¬𝑎), where 𝑎 is well-formed.


Induction hypothesis: Assume that 𝑃 (𝑎) holds.
We need to prove that 𝑃 ((¬𝑎)) holds.
Let 𝑚 denote any proper prefix of 𝑎. There are four possible proper prefixes of
(¬𝑎): (, (¬, (¬𝑚, and (¬𝑎. We will prove the four cases separately.

𝑜𝑝(() = 1 (15)
𝑐𝑙(() = 0 (16)
𝑜𝑝(() > 𝑐𝑙(() (17)

𝑜𝑝((¬) = 1 (18)
𝑐𝑙((¬) = 0 (19)
𝑜𝑝((¬) > 𝑐𝑙((¬) (20)

𝑜𝑝((¬𝑚) (21)
= 1 + 𝑜𝑝(𝑚) (22)
> 1 + 𝑐𝑙(𝑚) By the induction hypothesis on 𝑚 (23)
> 𝑐𝑙(𝑚) (24)
= 𝑐𝑙((¬𝑚) (25)

𝑜𝑝((¬𝑎) (26)
= 1 + 𝑜𝑝(𝑎) (27)
= 1 + 𝑐𝑙(𝑎) By Theorem 1 and 𝑎 is a well-formed formula (28)
> 𝑐𝑙(𝑎) (29)
= 𝑐𝑙((¬𝑎) (30)

Case 2: 𝜑 is (𝑎 ∗ 𝑏) where 𝑎 and 𝑏 are well-formed and ∗ is a binary connective.
Let 𝑚 and 𝑛 denote any proper prefix of 𝑎 and 𝑏 respectively.
Induction hypothesis: Assume that 𝑃 (𝑎) and 𝑃 (𝑏) hold. In other words, 𝑃 (𝑚)
and 𝑃 (𝑛) are true.
We need to prove that 𝑃 ((𝑎 ∗ 𝑏)) holds.
There are six possible proper prefixes of (𝑎 ∗ 𝑏): (, (𝑚, (𝑎, (𝑎∗, (𝑎 ∗ 𝑛, and (𝑎 ∗ 𝑏.

𝑜𝑝(() = 1 (31)
𝑐𝑙(() = 0 (32)
𝑜𝑝(() > 𝑐𝑙(() (33)

𝑜𝑝((𝑚) (34)
= 1 + 𝑜𝑝(𝑚) (35)
> 1 + 𝑐𝑙(𝑚) By the induction hypothesis on 𝑚 (36)
> 𝑐𝑙(𝑚) (37)
= 𝑐𝑙((𝑚) (38)

𝑜𝑝((𝑎) (39)
= 1 + 𝑜𝑝(𝑎) (40)
= 1 + 𝑐𝑙(𝑎) By Theorem 1 and 𝑎 is a well-formed formula (41)
> 𝑐𝑙(𝑎) (42)
= 𝑐𝑙((𝑎) (43)

𝑜𝑝((𝑎∗) (44)
= 1 + 𝑜𝑝(𝑎) (45)
= 1 + 𝑐𝑙(𝑎) By Theorem 1 and 𝑎 is a well-formed formula (46)
> 𝑐𝑙(𝑎) (47)
= 𝑐𝑙((𝑎∗) (48)

𝑜𝑝((𝑎 ∗ 𝑛) (49)
= 1 + 𝑜𝑝(𝑎) + 𝑜𝑝(𝑛) (50)
= 1 + 𝑐𝑙(𝑎) + 𝑜𝑝(𝑛) By Theorem 1 and 𝑎 is a well-formed formula (51)
> 1 + 𝑐𝑙(𝑎) + 𝑐𝑙(𝑛) By the induction hypothesis on 𝑛 (52)
> 𝑐𝑙(𝑎) + 𝑐𝑙(𝑛) (53)
= 𝑐𝑙((𝑎 ∗ 𝑛) (54)

𝑜𝑝((𝑎 ∗ 𝑏) (55)
= 1 + 𝑜𝑝(𝑎) + 𝑜𝑝(𝑏) (56)
= 1 + 𝑐𝑙(𝑎) + 𝑐𝑙(𝑏) By Theorem 1 and 𝑎 is a well-formed formula (57)
> 𝑐𝑙(𝑎) + 𝑐𝑙(𝑏) (58)
= 𝑐𝑙((𝑎 ∗ 𝑏) (59)

By the principle of structural induction, 𝑃 (𝜑) holds for every well-formed formula 𝜑.
QED
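
Theorems 1 and 2 can be checked mechanically on concrete formulas. The following C program is an added example, not part of the original workbook: it parses fully bracketed formulas and tests both bracket properties. The ASCII spelling of the connectives (~ & | > =), the function names and the sample strings are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed ASCII spelling: a-z are variables, ~ is ¬, and & | > = are ∧ ∨ → ↔. */

/* Parse one well-formed formula at s[*pos]; advance *pos past it on success. */
static int parse(const char *s, size_t *pos)
{
    char c = s[*pos];
    if (c >= 'a' && c <= 'z') {            /* propositional variable */
        (*pos)++;
        return 1;
    }
    if (c != '(')
        return 0;
    (*pos)++;
    if (s[*pos] == '~') {                  /* (¬B) */
        (*pos)++;
        if (!parse(s, pos))
            return 0;
    } else {                               /* (B ∗ C) */
        if (!parse(s, pos))
            return 0;
        /* strchr also matches the terminator, so rule it out first */
        if (s[*pos] == '\0' || strchr("&|>=", s[*pos]) == NULL)
            return 0;
        (*pos)++;
        if (!parse(s, pos))
            return 0;
    }
    if (s[*pos] != ')')
        return 0;
    (*pos)++;
    return 1;
}

/* 1 if the whole string is exactly one well-formed formula, else 0. */
int is_wff(const char *s)
{
    size_t pos = 0;
    return parse(s, &pos) && s[pos] == '\0';
}

/* op(x) - cl(x) for the prefix x made of the first n symbols of s. */
int bracket_excess(const char *s, size_t n)
{
    int excess = 0;
    for (size_t k = 0; k < n; k++) {
        if (s[k] == '(')
            excess++;
        else if (s[k] == ')')
            excess--;
    }
    return excess;
}

/* Property of Theorem 1: op = cl on the whole string. */
int theorem1_holds(const char *s)
{
    return bracket_excess(s, strlen(s)) == 0;
}

/* Property of Theorem 2: op > cl on every non-empty prefix shorter than s. */
int theorem2_holds(const char *s)
{
    size_t len = strlen(s);
    for (size_t n = 1; n < len; n++)
        if (bracket_excess(s, n) <= 0)
            return 0;
    return 1;
}

/* Constructed samples: five formulas in the style of Section 1.1, then
   five malformed strings. */
static const char *samples[] = {
    "p", "(~p)", "((a|o)&(~(a&o)))", "((s&r)>g)", "((~u)=s)",
    "(p&q", "p&q", "((p)", "(~)", "(p)"
};

/* Number of well-formed samples, or -1 if one of them violates a theorem. */
int check_samples(void)
{
    int wff = 0;
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (!is_wff(samples[k]))
            continue;
        if (!theorem1_holds(samples[k]) || !theorem2_holds(samples[k]))
            return -1;
        wff++;
    }
    return wff;
}

int main(void)
{
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-18s wff=%d thm1=%d thm2=%d\n", samples[k],
               is_wff(samples[k]), theorem1_holds(samples[k]),
               theorem2_holds(samples[k]));
    return check_samples() == 5 ? 0 : 1;
}
```

The sample "(p)" has both bracket properties but is not well-formed, so the two theorems give necessary conditions only.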

Theorem 3. Consider the set 𝐼(𝑋, 𝐶, 𝑃 ) inductively defined by the domain set 𝑋 = ℝ, the
core set 𝐶 = {0, 2}, and the set of operations 𝑃 = {𝑓1(𝑥, 𝑦) = 𝑥 + 𝑦, 𝑓2(𝑥, 𝑦) = 𝑥 − 𝑦}.
Every element in 𝐼(𝑋, 𝐶, 𝑃 ) is an even integer.

Solution:
Proof by Structural Induction. Base case: We need to prove that every element of the core
set 𝐶 is an even integer. 0 is even because 0 = 2 ∗ 0. 2 is even because 2 = 2 ∗ 1.

Induction step:
Case 1: Let 𝑥, 𝑦 ∈ 𝐼(𝑋, 𝐶, 𝑃 ).
Induction hypotheses: Assume that 𝑥 and 𝑦 are even integers.
We will prove that 𝑓1(𝑥, 𝑦) is an even integer.
𝑥 and 𝑦 are even integers. Thus, by the induction hypotheses, 𝑥 = 2𝑚 and 𝑦 = 2𝑛 where
𝑚 and 𝑛 are integers. Then, 𝑓1(𝑥, 𝑦) = 𝑥 + 𝑦 = 2𝑚 + 2𝑛 = 2(𝑚 + 𝑛). Since (𝑚 + 𝑛) is an
integer, 𝑓1(𝑥, 𝑦) is an even integer.
Case 2: Let 𝑥, 𝑦 ∈ 𝐼(𝑋, 𝐶, 𝑃 ).
Induction hypotheses: Assume that 𝑥 and 𝑦 are even integers.
We will prove that 𝑓2(𝑥, 𝑦) is an even integer.
𝑥 and 𝑦 are even integers. Thus, by the induction hypotheses, 𝑥 = 2𝑚 and 𝑦 = 2𝑛 where
𝑚 and 𝑛 are integers. Then, 𝑓2(𝑥, 𝑦) = 𝑥 − 𝑦 = 2𝑚 − 2𝑛 = 2(𝑚 − 𝑛). Since (𝑚 − 𝑛) is an
integer, 𝑓2(𝑥, 𝑦) is an even integer.

By the principle of structural induction, every element of 𝐼(𝑋, 𝐶, 𝑃 ) is an even integer.

1.3 The Semantics of an Implication
Exercise 6. Do you really understand an implication? We will find out.

• Think of an implication as a promise that someone made to you. In what case can you
prove that the promise has been broken (i.e. the implication is false)?

• When the premise is true, what is the relationship between the truth value of the
conclusion and the truth value of the implication?

• When the premise is false, the implication is vacuously true. Could you come up with
an intuitive explanation for this?

• If the conclusion is true, is the implication true or false?

• The implication (𝑎 → 𝑏) is logically equivalent to ((¬𝑎) ∨ 𝑏). Does this equivalent
formula make sense to you? Explain.

1.4 Tautology, Contradiction, and Satisfiable but Not a Tautology
Exercise 7. Determine whether each of the following formulas is a tautology, satisfiable but
not a tautology, or a contradiction.

• 𝑝
Solution: Answer: Satisfiable but not a tautology.
Reason: True when 𝑝 is true and false when 𝑝 is false.

• ((𝑟 ∧ 𝑠) → 𝑟)
Solution: Answer: Tautology.
Reason: When 𝑟 is true, the conclusion of the implication is true, so the implication
is true. When 𝑟 is false, the premise of the implication is false, so the implication is
vacuously true.

• ((¬(𝑝 ↔ 𝑞)) ↔ (𝑞 ∨ 𝑝))


Solution: Answer: Satisfiable but not a tautology
Reason: It’s tempting to say “these two formulas don’t mean the same thing so the
biconditional is false”. However, go back to truth values. When 𝑝 is true and 𝑞 is false,
both sides of the biconditional are true and the biconditional itself is true. When 𝑝
and 𝑞 are both true, the left side is false but the right is true, and so the biconditional
is false.

• ((((𝑝 ∨ 𝑞) ∧ (𝑝 ∨ (¬𝑞))) ∧ ((¬𝑝) ∨ 𝑞)) ∧ ((¬𝑝) ∨ (¬𝑞)))


Solution: Answer: Contradiction
Reason: The first half can be simplified to (𝑝 ∨ (𝑞 ∧ (¬𝑞))), which is (𝑝 ∨ 𝐹 ) or 𝑝. The
second half can be simplified to (¬𝑝). Thus, the entire formula is (𝑝 ∧ (¬𝑝)), which is
a contradiction.

1.5 Logical Equivalence
Exercise 8. “If it is sunny, I will play golf, provided that I am relaxed.”
𝑠: it is sunny. 𝑔: I will play golf. 𝑟: I am relaxed.
There are three possible translations:

1. (𝑟 → (𝑠 → 𝑔))

2. ((𝑠 ∧ 𝑟) → 𝑔)

3. (𝑠 → (𝑟 → 𝑔))

Prove that all three translations are logically equivalent.

Solution: Part 1: (𝑟 → (𝑠 → 𝑔)) ⊨⊨ ((𝑠 ∧ 𝑟) → 𝑔).


Proof.

(𝑟 → (𝑠 → 𝑔)) (60)
⊨⊨ (𝑟 → ((¬𝑠) ∨ 𝑔)) Implication (61)
⊨⊨ ((¬𝑟) ∨ ((¬𝑠) ∨ 𝑔)) Implication (62)
⊨⊨ (((¬𝑟) ∨ (¬𝑠)) ∨ 𝑔) Associativity (63)
⊨⊨ ((¬(𝑟 ∧ 𝑠)) ∨ 𝑔) De Morgan (64)
⊨⊨ ((𝑟 ∧ 𝑠) → 𝑔) Implication (65)
⊨⊨ ((𝑠 ∧ 𝑟) → 𝑔) Commutativity (66)

Part 2: (𝑟 → (𝑠 → 𝑔)) ⊨⊨ (𝑠 → (𝑟 → 𝑔)).


Proof.

(𝑟 → (𝑠 → 𝑔)) (67)
⊨⊨ (𝑟 → ((¬𝑠) ∨ 𝑔)) Implication (68)
⊨⊨ ((¬𝑟) ∨ ((¬𝑠) ∨ 𝑔)) Implication (69)
⊨⊨ (((¬𝑟) ∨ (¬𝑠)) ∨ 𝑔) Associativity (70)
⊨⊨ (((¬𝑠) ∨ (¬𝑟)) ∨ 𝑔) Commutativity (71)
⊨⊨ ((¬𝑠) ∨ ((¬𝑟) ∨ 𝑔)) Associativity (72)
⊨⊨ ((¬𝑠) ∨ (𝑟 → 𝑔)) Implication (73)
⊨⊨ (𝑠 → (𝑟 → 𝑔)) Implication (74)

Exercise 9. “If it snows then I will not go to class but I will do my assignment.”
𝑠: it snows. 𝑐: I will go to class. 𝑎: I will do my assignment.
There are two possible translations:

1. ((𝑠 → (¬𝑐)) ∧ 𝑎)

2. (𝑠 → ((¬𝑐) ∧ 𝑎))

Prove that the two translations are NOT logically equivalent.

Solution:
Proof. We need to find a valuation 𝑡 under which the two formulas have different values.
Consider the truth valuation 𝑡 where 𝑡(𝑠) = 0, 𝑡(𝑐) = 1, and 𝑡(𝑎) = 0.
The two formulas have different values under 𝑡, as shown below.

• ((𝑠 → (¬𝑐)) ∧ 𝑎)ᵗ = 0

• (𝑠 → ((¬𝑐) ∧ 𝑎))ᵗ = 1

1.6 Analyzing Conditional Code
Consider the following code fragment:

if ( input > 0 || ! output ) {
    if (!( output && queuelength < 100)) {
        P1
    } else if ( output && !( queuelength < 100)) {
        P2
    } else {
        P3
    }
} else {
    P4
}
Define the propositional variables:

• 𝑖: input > 0

• 𝑢: output

• 𝑞: queuelength < 100

The code fragment becomes the following. We’ll call this code fragment #1.
if ( i || !u ) {
    if ( !( u && q) ) {
        P1
    } else if ( u && !q ) {
        P2
    } else { P3 }
} else { P4 }
Code fragment #2:

if (( i && u) && q) {
    P3
} else if (!i && u) {
    P4
} else {
    P1
}
Prove that these two code fragments are equivalent.
Solution:

Prove that the condition leading to 𝑃2 is logically equivalent to 0.
The condition leading to 𝑃2 :

(((𝑖 ∨ (¬𝑢)) ∧ (¬(¬(𝑢 ∧ 𝑞)))) ∧ (𝑢 ∧ (¬𝑞))) (75)


⊨⊨ (((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 𝑞)) ∧ (𝑢 ∧ (¬𝑞))) Double Negation (76)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ ((𝑢 ∧ 𝑢) ∧ (𝑞 ∧ (¬𝑞)))) Associativity, Commutativity (77)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ (𝑞 ∧ (¬𝑞)))) Idempotence (78)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 0)) Contradiction (79)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ 0) Simplification 1 (80)
⊨⊨ 0 Simplification 1 (81)

Prove that the condition leading to 𝑃3 is true if and only if all three variables are true.
The condition leading to 𝑃3 :

(((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 𝑞)) ∧ (¬(𝑢 ∧ (¬𝑞)))) (83)


⊨⊨ (((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 𝑞)) ∧ ((¬𝑢) ∨ (¬(¬𝑞)))) De Morgan (84)
⊨⊨ (((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 𝑞)) ∧ ((¬𝑢) ∨ 𝑞)) Double Negation (85)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ (𝑞 ∧ ((¬𝑢) ∨ 𝑞)))) Associativity (86)
⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ (𝑢 ∧ 𝑞)) Simplification 2 (87)
⊨⊨ (((𝑖 ∨ (¬𝑢)) ∧ 𝑢) ∧ 𝑞) Associativity (88)
⊨⊨ (((𝑖 ∧ 𝑢) ∨ ((¬𝑢) ∧ 𝑢)) ∧ 𝑞) Distributivity (89)
⊨⊨ (((𝑖 ∧ 𝑢) ∨ 0) ∧ 𝑞) Contradiction (90)
⊨⊨ ((𝑖 ∧ 𝑢) ∧ 𝑞) Simplification 1 (91)

Prove that the condition leading to 𝑃4 is true if and only if 𝑖 is false and 𝑢 is true.
The condition leading to 𝑃4 :

(¬(𝑖 ∨ (¬𝑢))) (92)


⊨⊨ ((¬𝑖) ∧ (¬(¬𝑢))) De Morgan (93)
⊨⊨ ((¬𝑖) ∧ 𝑢) Double Negation (94)

The condition leading to 𝑃1 :

((𝑖 ∨ (¬𝑢)) ∧ (¬(𝑢 ∧ 𝑞))) (95)


⊨⊨ ((𝑖 ∨ (¬𝑢)) ∧ ((¬𝑢) ∨ (¬𝑞))) De Morgan (96)
⊨⊨ ((¬𝑢) ∨ (𝑖 ∧ (¬𝑞))) Distributivity (97)
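
The derivations above can be cross-checked by brute force over all eight truth valuations of 𝑖, 𝑢 and 𝑞. The following C program is an added example, not part of the original workbook; the function names and the encoding of branch Pk as the integer k are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Branch taken by code fragment #1; the return value k stands for Pk. */
int fragment1(bool i, bool u, bool q)
{
    if (i || !u) {
        if (!(u && q)) {
            return 1;
        } else if (u && !q) {
            return 2;
        } else {
            return 3;
        }
    } else {
        return 4;
    }
}

/* Branch taken by code fragment #2. */
int fragment2(bool i, bool u, bool q)
{
    if ((i && u) && q) {
        return 3;
    } else if (!i && u) {
        return 4;
    } else {
        return 1;
    }
}

/* Branch predicted by the simplified conditions (81), (91), (94), (97).
   Returns 0 if no simplified condition holds and -1 if more than one does. */
int simplified(bool i, bool u, bool q)
{
    bool cond[5] = {
        false,              /* unused, so that cond[k] belongs to Pk */
        !u || (i && !q),    /* P1, line (97) */
        false,              /* P2, line (81): equivalent to 0 */
        (i && u) && q,      /* P3, line (91) */
        !i && u             /* P4, line (94) */
    };
    int branch = 0;
    for (int k = 1; k <= 4; k++) {
        if (cond[k]) {
            if (branch != 0)
                return -1;
            branch = k;
        }
    }
    return branch;
}

/* Number of valuations (out of 8) on which f and g pick different branches. */
int disagreements(int (*f)(bool, bool, bool), int (*g)(bool, bool, bool))
{
    int bad = 0;
    for (int v = 0; v < 8; v++) {
        bool i = (v & 4) != 0, u = (v & 2) != 0, q = (v & 1) != 0;
        if (f(i, u, q) != g(i, u, q))
            bad++;
    }
    return bad;
}

/* Number of valuations (out of 8) on which fragment #1 reaches branch Pk. */
int reach_count(int k)
{
    int n = 0;
    for (int v = 0; v < 8; v++) {
        if (fragment1((v & 4) != 0, (v & 2) != 0, (v & 1) != 0) == k)
            n++;
    }
    return n;
}

int main(void)
{
    printf("fragment #1 vs fragment #2: %d disagreements\n",
           disagreements(fragment1, fragment2));
    printf("fragment #1 vs simplified conditions: %d disagreements\n",
           disagreements(fragment1, simplified));
    for (int k = 1; k <= 4; k++)
        printf("P%d is reached on %d of 8 valuations\n", k, reach_count(k));
    return 0;
}
```

P2 is reached on no valuation, which is the dead branch that derivation (75) to (81) identifies.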

1.7 Circuit Design
Basic gates:

Problem: Your instructors, Alice, Carmen, and Collin, are choosing questions to be put on
the midterm. For each problem, each instructor votes either yes or no. A question is chosen
if it receives two or more yes votes. Design a circuit, which outputs yes whenever a question
is chosen.

1. Draw the truth table based on the problem description.

x y z output
1 1 1 1
1 1 0 1
1 0 1 1
1 0 0 0
0 1 1 1
0 1 0 0
0 0 1 0
0 0 0 0

2. Convert the truth table into a propositional formula.

3. Then, convert the formula to a circuit.

Solution:

Solution 1:

1. Convert the truth table into a propositional formula.

Convert each row of the truth table to a conjunction.


If a variable is true in that row, write it down. Otherwise, if the variable is false, write
down its negation. Then connect all variables or their negations together using AND.

• ((𝑥 ∧ 𝑦) ∧ 𝑧)
• ((𝑥 ∧ 𝑦) ∧ (¬𝑧))
• ((𝑥 ∧ (¬𝑦)) ∧ 𝑧)
• (((¬𝑥) ∧ 𝑦) ∧ 𝑧)

Connect all formulas into a disjunction.


(((((𝑥 ∧ 𝑦) ∧ 𝑧) ∨ ((𝑥 ∧ 𝑦) ∧ (¬𝑧))) ∨ ((𝑥 ∧ (¬𝑦)) ∧ 𝑧)) ∨ (((¬𝑥) ∧ 𝑦) ∧ 𝑧))

2. Draw the circuit.

Making a circuit clear and readable can be challenging. Here is some advice on
drawing circuits:

• Determine where to put the inputs and the outputs first.


• Determine where to put the major gates (the OR at the end, and one AND for
each scenario).
• Try to draw wires horizontally or vertically, not at an angle.
• Indicate clearly whether two crossing wires are connected or not.

Solution 2:

1. Convert the truth table into a propositional formula.

Convert rows 1-3 to a propositional formula.


(𝑥 ∧ (𝑦 ∨ 𝑧))
Convert row 5 to a propositional formula.
(((¬𝑥) ∧ 𝑦) ∧ 𝑧)
Connect all formulas into a disjunction.
((𝑥 ∧ (𝑦 ∨ 𝑧)) ∨ (((¬𝑥) ∧ 𝑦) ∧ 𝑧))

2. Draw the circuit.

Solution 3:

1. Convert the truth table into a propositional formula.

Convert rows 1 and 5 into a propositional formula.


(𝑦 ∧ 𝑧)
Convert rows 2 and 3 into a propositional formula.
(𝑥 ∧ (𝑦 ⊕ 𝑧))
For convenience, we will use the symbol ⊕ to represent an exclusive OR. However, you
are only allowed to use this symbol in circuit design problems. You are not allowed to
use this symbol for other problems because it is not a basic connective based on the
definition of well-formed formulas.
Connect all formulas into a disjunction.
((𝑦 ∧ 𝑧) ∨ (𝑥 ∧ (𝑦 ⊕ 𝑧)))

2. Draw the circuit.

Solution 4 (contributed by Triman Kandola)

1. Convert the truth table into a propositional formula.


(((𝑥 ∧ 𝑦) ∨ (𝑥 ∧ 𝑧)) ∨ (𝑦 ∧ 𝑧))
This formula intuitively makes sense. If two people are already voting yes, then I don’t
care about what the third vote is.

2. Draw the circuit.

1.8 Tautological Consequence
Exercise 10. Let Σ = {(𝑝 → 𝑞), (𝑞 → 𝑟)}. Is Σ satisfiable? Why or why not?

Solution: Σ is satisfied by the truth valuation 𝑡 where 𝑡(𝑝) = 1, 𝑡(𝑞) = 1 and 𝑡(𝑟) = 1.
Note that (𝑝 → 𝑞)ᵗ = 1 and (𝑞 → 𝑟)ᵗ = 1. Thus, Σ is satisfiable.

Exercise 11. Let Σ = ∅. Is Σ satisfiable? Why or why not?

Solution: Σ is satisfiable. In fact, any truth valuation satisfies Σ.


A truth valuation 𝑡 satisfies Σ if and only if, for any formula 𝐴, if 𝐴 is in Σ, then 𝐴ᵗ = 1.
Since Σ = ∅, no formula is in Σ. The premise of the implication is false for any 𝐴, so the
implication is true for every 𝐴. Therefore, any truth valuation satisfies Σ = ∅.

Exercise 12. Let Σ = {𝑝, (¬𝑝)}. Is Σ satisfiable? Why or why not?

Solution: Σ is not satisfiable. To show this, we need to show that, under every truth
valuation, at least one formula in Σ is false.
Consider an arbitrary truth valuation 𝑡. Under 𝑡, 𝑝 is either true or false.

• If 𝑝ᵗ = 1, then (¬𝑝)ᵗ = 0. 𝑡 does not satisfy Σ.

• If 𝑝ᵗ = 0, then 𝑡 does not satisfy Σ.

In both cases, 𝑡 does not satisfy Σ. Therefore, no truth valuation can satisfy Σ. Σ is not
satisfiable.

Exercise 13. Prove that {(¬(𝑝 ∧ 𝑞)), (𝑝 → 𝑞)} ⊨ (¬𝑝).

Solution:
Proof. Consider a truth valuation 𝑡 such that (¬(𝑝 ∧ 𝑞))ᵗ = 1 and (𝑝 → 𝑞)ᵗ = 1.
Since (𝑝 → 𝑞)ᵗ = 1, it is not the case that 𝑝ᵗ = 1 and 𝑞ᵗ = 0.
Since (¬(𝑝 ∧ 𝑞))ᵗ = 1, it is not the case that 𝑝ᵗ = 1 and 𝑞ᵗ = 1.
Thus, the two premises are true under two scenarios:

• 𝑝ᵗ = 0 and 𝑞ᵗ = 1: In this case, (¬𝑝)ᵗ = 1.

• 𝑝ᵗ = 0 and 𝑞ᵗ = 0: In this case, (¬𝑝)ᵗ = 1.

In both scenarios, the conclusion is true. Thus, the tautological consequence holds.

Exercise 14. Prove that {(¬(𝑝 ∧ 𝑞)), (𝑝 → 𝑞)} ⊭ (𝑝 ↔ 𝑞).

Solution:
Proof. Consider the truth valuation 𝑡 where 𝑝ᵗ = 0 and 𝑞ᵗ = 1.
By definitions of the connectives, (¬(𝑝 ∧ 𝑞))ᵗ = 1, (𝑝 → 𝑞)ᵗ = 1 and (𝑝 ↔ 𝑞)ᵗ = 0. Thus,
the tautological consequence does not hold.

Exercise 15. Prove that ∅ ⊨ ((𝑝 ∧ 𝑞) → 𝑝).

Solution:
Proof. Since there is no premise, we need to prove that the conclusion ((𝑝 ∧ 𝑞) → 𝑝) is a
tautology.
Consider any truth valuation 𝑡. Under 𝑡, 𝑝 must be either true or false.

• 𝑝ᵗ = 1: The conclusion of the implication ((𝑝 ∧ 𝑞) → 𝑝) is true. Therefore, the
implication is true.

• 𝑝ᵗ = 0: The premise of the implication ((𝑝 ∧ 𝑞) → 𝑝) is false. Therefore, the implication
is true.

Thus, the conclusion is true under any truth valuation and is a tautology. The tautological
consequence holds.

Exercise 16. Prove that {𝑟, (𝑝 → (𝑟 → 𝑞))} ⊨ (𝑝 → (𝑞 ∧ 𝑟)).

Solution:
Proof. Consider a truth valuation 𝑡 where 𝑟ᵗ = 1 and (𝑝 → (𝑟 → 𝑞))ᵗ = 1. We need to show
that (𝑝 → (𝑞 ∧ 𝑟))ᵗ = 1.
Consider two cases: 𝑝ᵗ = 0 and 𝑝ᵗ = 1.
If 𝑝ᵗ = 0, then (𝑝 → (𝑞 ∧ 𝑟))ᵗ = 1.
Otherwise, suppose that 𝑝ᵗ = 1. We need to show that (𝑞 ∧ 𝑟)ᵗ = 1.
By the definition of implication, (𝑟 → 𝑞)ᵗ = 1 since (𝑝 → (𝑟 → 𝑞))ᵗ = 1. Since 𝑟ᵗ = 1 and
(𝑟 → 𝑞)ᵗ = 1, then 𝑞ᵗ = 1 by the definition of implication. By the definition of ∧, (𝑞 ∧ 𝑟)ᵗ = 1
since 𝑞 and 𝑟 are both true under 𝑡. Therefore, (𝑝 → (𝑞 ∧ 𝑟))ᵗ = 1.
In both cases, the conclusion is true under 𝑡. The tautological consequence holds.

Exercise 17. Prove that {(¬𝑝), (𝑞 → 𝑝)} ⊭ ((¬𝑝) ∧ 𝑞).

Solution:

Remark 1. We need to come up with a truth valuation under which both premises are true
and the conclusion is false.
(¬𝑝) has to be true. So 𝑝 has to be false under this truth valuation.
(𝑞 → 𝑝) has to be true and 𝑝 is false. Thus, 𝑞 must be false under this truth valuation.
Therefore, this truth valuation must make 𝑝 false and 𝑞 false.

Proof. Consider the truth valuation 𝑡 where 𝑝ᵗ = 0 and 𝑞ᵗ = 0.
Under this truth valuation, (¬𝑝)ᵗ = 1 and (𝑞 → 𝑝)ᵗ = 1. Both premises are true.
Under this truth valuation, ((¬𝑝) ∧ 𝑞)ᵗ = 0. The conclusion is false.
Therefore, the tautological consequence does not hold.

Exercise 18. Prove that {𝑝, (¬𝑝)} ⊨ 𝑟.

Solution:
Proof. Consider any truth valuation 𝑡 under which both premises are true. If such a truth
valuation exists, we have to show that 𝑟 must be true under this truth valuation.
However, such a truth valuation does not exist. There are two possible cases. 𝑝 is true or 𝑝
is false. If 𝑝 is false, then this truth valuation does not satisfy the first premise. If 𝑝 is true
under this truth valuation, then (¬𝑝) must be false. This truth valuation does not satisfy
the second premise.
Since no truth valuation satisfies both premises, the tautological consequence holds.
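
Exercises 10 to 18 can all be checked by enumerating truth valuations. The following C program is an added example, not part of the original workbook: it counts the valuations satisfying a set Σ and searches for a valuation that satisfies Σ but falsifies the conclusion. The function names and the encoding of a valuation as a 3-bit number (bit 0 for 𝑝, bit 1 for 𝑞, bit 2 for 𝑟) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum { P, Q, R, NVARS };                   /* the variables p, q, r */
typedef bool (*formula)(const bool *t);    /* value of a formula under t */

static bool imp(bool a, bool b) { return !a || b; }

/* The formulas used in Exercises 10 to 18. */
static bool f_p(const bool *t)          { return t[P]; }
static bool f_r(const bool *t)          { return t[R]; }
static bool f_not_p(const bool *t)      { return !t[P]; }
static bool f_nand_pq(const bool *t)    { return !(t[P] && t[Q]); }
static bool f_p_imp_q(const bool *t)    { return imp(t[P], t[Q]); }
static bool f_q_imp_p(const bool *t)    { return imp(t[Q], t[P]); }
static bool f_q_imp_r(const bool *t)    { return imp(t[Q], t[R]); }
static bool f_p_iff_q(const bool *t)    { return t[P] == t[Q]; }
static bool f_pq_imp_p(const bool *t)   { return imp(t[P] && t[Q], t[P]); }
static bool f_p_rq(const bool *t)       { return imp(t[P], imp(t[R], t[Q])); }
static bool f_p_qr(const bool *t)       { return imp(t[P], t[Q] && t[R]); }
static bool f_notp_and_q(const bool *t) { return !t[P] && t[Q]; }

/* Does valuation number v satisfy every one of the n formulas in sigma? */
static bool satisfies(unsigned v, const formula *sigma, size_t n)
{
    bool t[NVARS];
    for (int k = 0; k < NVARS; k++)
        t[k] = ((v >> k) & 1u) != 0;
    for (size_t j = 0; j < n; j++)
        if (!sigma[j](t))
            return false;
    return true;    /* also reached when n == 0: every valuation satisfies ∅ */
}

/* Number of valuations (out of 8) that satisfy sigma; 0 means unsatisfiable. */
int count_models(const formula *sigma, size_t n)
{
    int models = 0;
    for (unsigned v = 0; v < (1u << NVARS); v++)
        if (satisfies(v, sigma, n))
            models++;
    return models;
}

/* -1 if sigma ⊨ a; otherwise the first valuation number that satisfies
   sigma and makes a false. */
int counterexample(const formula *sigma, size_t n, formula a)
{
    for (unsigned v = 0; v < (1u << NVARS); v++)
        if (satisfies(v, sigma, n) && !satisfies(v, &a, 1))
            return (int)v;
    return -1;
}

/* Satisfiability questions of Exercises 10 to 12. */
int models_of_exercise(int ex)
{
    const formula s10[] = { f_p_imp_q, f_q_imp_r };
    const formula s12[] = { f_p, f_not_p };
    switch (ex) {
    case 10: return count_models(s10, 2);
    case 11: return count_models(NULL, 0);
    case 12: return count_models(s12, 2);
    default: return -2;
    }
}

/* Tautological consequences of Exercises 13 to 18. */
int check_exercise(int ex)
{
    const formula s13[] = { f_nand_pq, f_p_imp_q };
    const formula s16[] = { f_r, f_p_rq };
    const formula s17[] = { f_not_p, f_q_imp_p };
    const formula s18[] = { f_p, f_not_p };
    switch (ex) {
    case 13: return counterexample(s13, 2, f_not_p);
    case 14: return counterexample(s13, 2, f_p_iff_q);
    case 15: return counterexample(NULL, 0, f_pq_imp_p);
    case 16: return counterexample(s16, 2, f_p_qr);
    case 17: return counterexample(s17, 2, f_notp_and_q);
    case 18: return counterexample(s18, 2, f_r);
    default: return -2;
    }
}

int main(void)
{
    for (int ex = 10; ex <= 12; ex++)
        printf("Exercise %d: %d models\n", ex, models_of_exercise(ex));
    for (int ex = 13; ex <= 18; ex++)
        printf("Exercise %d: counterexample %d\n", ex, check_exercise(ex));
    return 0;
}
```

Exercise 18 returns -1 because the loop never finds a valuation satisfying both premises, which is the vacuous case argued in the proof above.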

1.9 Formal Deduction
1.9.1 Rules of Formal Deduction
Membership (∈)
if 𝐴 ∈ Σ,
then Σ ⊢ 𝐴.

Addition of premises (+)
if Σ ⊢ 𝐴,
then Σ, Σ′ ⊢ 𝐴.

Special case: Reflexivity (Ref)
𝐴 ⊢ 𝐴.

And introduction (∧+)
if Σ ⊢ 𝐴,
Σ ⊢ 𝐵,
then Σ ⊢ 𝐴 ∧ 𝐵.

And elimination (∧−)
if Σ ⊢ 𝐴 ∧ 𝐵,
then Σ ⊢ 𝐴.
if Σ ⊢ 𝐴 ∧ 𝐵,
then Σ ⊢ 𝐵.

Or introduction (∨+)
if Σ ⊢ 𝐴,
then Σ ⊢ 𝐴 ∨ 𝐵.
if Σ ⊢ 𝐵,
then Σ ⊢ 𝐴 ∨ 𝐵.

Or elimination (∨−)
if Σ, 𝐴 ⊢ 𝐶,
Σ, 𝐵 ⊢ 𝐶,
then Σ, 𝐴 ∨ 𝐵 ⊢ 𝐶.

Negation introduction (¬+)
if Σ, 𝐴 ⊢ 𝐵,
Σ, 𝐴 ⊢ ¬𝐵,
then Σ ⊢ ¬𝐴.

Negation elimination (¬−)
if Σ, ¬𝐴 ⊢ 𝐵,
Σ, ¬𝐴 ⊢ ¬𝐵,
then Σ ⊢ 𝐴.

Implication introduction (→ +)
if Σ, 𝐴 ⊢ 𝐵,
then Σ ⊢ 𝐴 → 𝐵.

Implication elimination (→ −)
if Σ ⊢ 𝐴,
Σ ⊢ 𝐴 → 𝐵,
then Σ ⊢ 𝐵.

Equivalence introduction (↔ +)
if Σ, 𝐴 ⊢ 𝐵,
Σ, 𝐵 ⊢ 𝐴,
then Σ ⊢ 𝐴 ↔ 𝐵.

Equivalence elimination (↔ −)
if Σ ⊢ 𝐴,
Σ ⊢ 𝐴 ↔ 𝐵,
then Σ ⊢ 𝐵.
if Σ ⊢ 𝐵,
Σ ⊢ 𝐴 ↔ 𝐵,
then Σ ⊢ 𝐴.

Comments:

• For each connective, the rules come in pairs. The introduction rule produces a
conclusion with the connective in it. The elimination rule produces a conclusion without the
connective.

• 𝐴 and 𝐵 can be any propositional formula. In particular, 𝐴 and 𝐵 can be the same.

• Σ and Σ′ are sets of propositional formulas.

• Σ, 𝐴 means Σ ∪ {𝐴}. Σ, Σ′ means Σ ∪ Σ′ .

1.9.2 Format of a Formal Deduction Proof
• Every line contains: a line number, a set of premises, the ⊢ symbol, a conclusion, and
a justification containing a formal deduction rule and possibly line numbers.
• The last line of a proof is the same as the original statement to be proved.
• Every line of the proof can be justified in one of two ways: (1) from the premises on
the left of ⊢, using the membership (∈) rule; (2) from one or more conclusions on previous
lines, using any other formal deduction rule.
• You have to bring a premise to the right of ⊢ before you can use it in a subsequent
line.

1.9.3 Strategies for writing a formal deduction proof


What is the thought process for producing a formal deduction proof?
• I’ve found that it is most effective to generate a proof backwards starting from the last
line of the proof.
• Write down the statement to be proved as the last line of the proof. Work backwards
from here.
• Look at the conclusion carefully. What is the structure of the conclusion (what is the
last connective applied in the formula)? Can you apply an introduction rule to produce
the conclusion?
• Look at each premise carefully. What is the structure of the premise (what is the last
connective applied in the formula)? Can you apply an elimination rule to simplify it
and to produce a new formula?
• Working backwards from the conclusion is often more effective than working forward
from the premises. It keeps your eyes on the prize.
• If no rule is applicable, consider using ¬+ or ¬−. The negation rules are “universal”.
They can be applied in any situation but beware that they are not always helpful.
• When do we stop?
We can stop this process when we are able to justify every line of our proof. Usually,
we end this process by justifying the last line produced using the membership ∈ rule.
Why are we allowed to add premises to the left of ⊢?
• Think about adding a premise on the left of ⊢ as making an assumption in our proof.
For example, when you are proving a property of a natural number, you may write
your proof as follows: case 1, 𝑛 is even ... case 2, 𝑛 is odd ... Here 𝑛 is even and 𝑛 is
odd are additional assumptions made in your proof. Adding a premise on the left is
the same as making such an additional assumption.

• We are only able to add a premise on the left of ⊢ if a formal deduction rule allows us
to do so.

• Eventually, we will need to remove the additional premises from the left of ⊢ in order
to produce the conclusion required in the original statement to be proved.

1.9.4 And elimination and introduction
Exercise 19. Show that (𝑝 ∧ 𝑞), (𝑟 ∧ 𝑠) ⊢ (𝑞 ∧ 𝑠).

Solution:

(1) 𝑝 ∧ 𝑞, 𝑟 ∧ 𝑠 ⊢ 𝑝 ∧ 𝑞 by (∈)
(2) 𝑝 ∧ 𝑞, 𝑟 ∧ 𝑠 ⊢ 𝑞 by ∧ −, 1
(3) 𝑝 ∧ 𝑞, 𝑟 ∧ 𝑠 ⊢ 𝑟 ∧ 𝑠 by (∈)
(4) 𝑝 ∧ 𝑞, 𝑟 ∧ 𝑠 ⊢ 𝑠 by ∧ −, 3
(5) 𝑝 ∧ 𝑞, 𝑟 ∧ 𝑠 ⊢ 𝑞 ∧ 𝑠 by ∧ +, 2, 4

Exercise 20. Show that ((𝑝 ∧ 𝑞) ∧ 𝑟) ⊢ (𝑝 ∧ (𝑞 ∧ 𝑟)).

Solution:

(1) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ (𝑝 ∧ 𝑞) ∧ 𝑟 by (∈)
(2) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ (𝑝 ∧ 𝑞) by ∧ −, 1
(3) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ 𝑟 by ∧ −, 1
(4) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ 𝑝 by ∧ −, 2
(5) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ 𝑞 by ∧ −, 2
(6) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ 𝑞 ∧ 𝑟 by ∧ +, 3, 5
(7) (𝑝 ∧ 𝑞) ∧ 𝑟 ⊢ 𝑝 ∧ (𝑞 ∧ 𝑟) by ∧ +, 4, 6

1.9.5 Implication introduction and elimination
Exercise 21. Show that (𝑝 → 𝑞), (𝑞 → 𝑟) ⊢ (𝑝 → 𝑟).

Solution:

(1) 𝑝 → 𝑞, 𝑞 → 𝑟, 𝑝 ⊢ 𝑝 → 𝑞 by (∈)
(2) 𝑝 → 𝑞, 𝑞 → 𝑟, 𝑝 ⊢ 𝑝 by (∈)
(3) 𝑝 → 𝑞, 𝑞 → 𝑟, 𝑝 ⊢ 𝑞 by (→ −, 1, 2)
(4) 𝑝 → 𝑞, 𝑞 → 𝑟, 𝑝 ⊢ 𝑞 → 𝑟 by (∈)
(5) 𝑝 → 𝑞, 𝑞 → 𝑟, 𝑝 ⊢ 𝑟 by (→ −, 3, 4)
(6) 𝑝 → 𝑞, 𝑞 → 𝑟 ⊢ 𝑝 → 𝑟 by (→ +, 5)

Exercise 22. Show that (𝑝 → (𝑞 → 𝑟)), (𝑝 → 𝑞) ⊢ (𝑝 → 𝑟).

Solution:

(1) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑝 by (∈)


(2) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑝 → 𝑞 by (∈)
(3) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑞 by (→ −, 1, 2)
(4) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑝 → (𝑞 → 𝑟) by (∈)
(5) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑞 → 𝑟 by (→ −, 1, 4)
(6) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞, 𝑝 ⊢ 𝑟 by (→ −, 3, 5)
(7) 𝑝 → (𝑞 → 𝑟), 𝑝 → 𝑞 ⊢ 𝑝 → 𝑟 by (→ +, 6)

Exercise 23. Show that (𝑝 → (𝑞 → 𝑟)) ⊢ ((𝑝 ∧ 𝑞) → 𝑟).

Solution:

(1) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑝 ∧ 𝑞 by (∈)


(2) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑝 by (∧−, 1)
(3) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑝 → (𝑞 → 𝑟) by (∈)
(4) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑞 by (∧−, 1)
(5) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑞 → 𝑟 by (→ −, 2, 3)
(6) 𝑝 → (𝑞 → 𝑟), 𝑝 ∧ 𝑞 ⊢ 𝑟 by (→ −, 4, 5)
(7) 𝑝 → (𝑞 → 𝑟) ⊢ (𝑝 ∧ 𝑞) → 𝑟 by (→ +, 6)

Exercise 24. Show that ((𝑝 ∧ 𝑞) → 𝑟) ⊢ (𝑝 → (𝑞 → 𝑟)).

Solution:

(1) (𝑝 ∧ 𝑞) → 𝑟, 𝑝, 𝑞 ⊢ (𝑝 ∧ 𝑞) → 𝑟 by (∈)
(2) (𝑝 ∧ 𝑞) → 𝑟, 𝑝, 𝑞 ⊢ 𝑝 by (∈)
(3) (𝑝 ∧ 𝑞) → 𝑟, 𝑝, 𝑞 ⊢ 𝑞 by (∈)
(4) (𝑝 ∧ 𝑞) → 𝑟, 𝑝, 𝑞 ⊢ 𝑝 ∧ 𝑞 by (∧+, 2, 3)
(5) (𝑝 ∧ 𝑞) → 𝑟, 𝑝, 𝑞 ⊢ 𝑟 by (→ −, 1, 4)
(6) (𝑝 ∧ 𝑞) → 𝑟, 𝑝 ⊢ 𝑞 → 𝑟 by (→ +, 5)
(7) (𝑝 ∧ 𝑞) → 𝑟 ⊢ 𝑝 → (𝑞 → 𝑟) by (→ +, 6)
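
The line format of section 1.9.2 can be checked mechanically. The Python checker below is an added example, not part of the workbook; it covers only the rules (∈), (+), (∧−), (∧+), (→−) and (→+), and the tuple encoding of formulas and the names `line`, `justified` and `check_proof` are assumptions made here. It accepts the solution to Exercise 24 and rejects a constructed variant that discharges the wrong premise.

```python
# Added example (not from the workbook): a checker for formal deduction proofs
# that use only the rules (∈), (+), (∧−), (∧+), (→−) and (→+).
# Encoding (an assumption of this example): a variable is a str,
# A ∧ B is ("and", A, B) and A → B is ("imp", A, B).
# Rule names are written with an ASCII hyphen: "∧-", "→-".

def And(a, b):
    return ("and", a, b)

def Imp(a, b):
    return ("imp", a, b)

def line(premises, conclusion, rule, *refs):
    """One proof line: premises left of ⊢, conclusion, rule name, cited line numbers."""
    return (frozenset(premises), conclusion, rule, refs)

def is_op(formula, op):
    return isinstance(formula, tuple) and formula[0] == op

def justified(proof, n):
    """True if line n (1-based) follows from its rule and the lines it cites."""
    sigma, concl, rule, refs = proof[n - 1]
    if any(not (1 <= r < n) for r in refs):      # only earlier lines may be cited
        return False
    cited = [proof[r - 1][:2] for r in refs]     # (premises, conclusion) pairs
    same_sigma = all(s == sigma for s, _ in cited)
    if rule == "∈":
        return not refs and concl in sigma
    if rule == "+" and len(cited) == 1:          # the premise set may only grow
        s, c = cited[0]
        return s <= sigma and c == concl
    if rule == "∧-" and len(cited) == 1:
        c = cited[0][1]
        return same_sigma and is_op(c, "and") and concl in c[1:]
    if rule == "∧+" and len(cited) == 2:         # cited lines accepted in either order
        a, b = cited[0][1], cited[1][1]
        return same_sigma and concl in (And(a, b), And(b, a))
    if rule == "→-" and len(cited) == 2:
        a, b = cited[0][1], cited[1][1]
        return same_sigma and (a == Imp(b, concl) or b == Imp(a, concl))
    if rule == "→+" and len(cited) == 1:         # discharges exactly the antecedent
        s, c = cited[0]
        return is_op(concl, "imp") and c == concl[2] and s == sigma | {concl[1]}
    return False

def check_proof(proof, premises, goal):
    """Numbers of the unjustified lines; the last line must be the statement itself."""
    bad = [n for n in range(1, len(proof) + 1) if not justified(proof, n)]
    if proof[-1][:2] != (frozenset(premises), goal) and len(proof) not in bad:
        bad.append(len(proof))
    return bad

# Exercise 24, transcribed line by line from the solution above.
F = Imp(And("p", "q"), "r")
GOAL = Imp("p", Imp("q", "r"))
S = [F, "p", "q"]
EX24 = [
    line(S, F, "∈"),
    line(S, "p", "∈"),
    line(S, "q", "∈"),
    line(S, And("p", "q"), "∧+", 2, 3),
    line(S, "r", "→-", 1, 4),
    line([F, "p"], Imp("q", "r"), "→+", 5),
    line([F], GOAL, "→+", 6),
]

# Constructed faulty variant: line 6 keeps q on the left although q is the
# antecedent being introduced, so lines 6 and 7 no longer match (→+).
WRONG_DISCHARGE = EX24[:5] + [
    line([F, "q"], Imp("q", "r"), "→+", 5),
    line([F], GOAL, "→+", 6),
]

if __name__ == "__main__":
    print(check_proof(EX24, [F], GOAL))
    print(check_proof(WRONG_DISCHARGE, [F], GOAL))
```
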

1.9.6 Or introduction and elimination
Exercise 25. Show that (𝑝 ∨ 𝑞) ⊢ ((𝑝 → 𝑞) ∨ (𝑞 → 𝑝)).

Solution:

(1) 𝑝, 𝑞 ⊢ 𝑝 by (∈)
(2) 𝑝 ⊢ 𝑞 → 𝑝 by (→ +, 1)
(3) 𝑞, 𝑝 ⊢ 𝑞 by (∈)
(4) 𝑞 ⊢ 𝑝 → 𝑞 by (→ +, 1)
(5) 𝑝 ⊢ (𝑝 → 𝑞) ∨ (𝑞 → 𝑝) by (∨+, 2)
(6) 𝑞 ⊢ (𝑝 → 𝑞) ∨ (𝑞 → 𝑝) by (∨+, 4)
(7) (𝑝 ∨ 𝑞) ⊢ (𝑝 → 𝑞) ∨ (𝑞 → 𝑝) by (∨−, 5, 6)

Exercise 26. Show that (𝑝 → 𝑞) ⊢ ((𝑟 ∨ 𝑝) → (𝑟 ∨ 𝑞)).

Solution:

(1) 𝑝 → 𝑞, 𝑝 ⊢ 𝑝 by (∈)
(2) 𝑝 → 𝑞, 𝑝 ⊢ 𝑝 → 𝑞 by (∈)
(3) 𝑝 → 𝑞, 𝑝 ⊢ 𝑞 by (→ −, 1, 2)
(4) 𝑝 → 𝑞, 𝑟 ⊢ 𝑟 by (∈)
(5) 𝑝 → 𝑞, 𝑟 ⊢ (𝑟 ∨ 𝑞) by (∨+, 4)
(6) 𝑝 → 𝑞, 𝑝 ⊢ (𝑟 ∨ 𝑞) by (∨+, 3)
(7) 𝑝 → 𝑞, 𝑟 ∨ 𝑝 ⊢ (𝑟 ∨ 𝑞) by (∨−, 5, 6)
(8) 𝑝 → 𝑞 ⊢ (𝑟 ∨ 𝑝) → (𝑟 ∨ 𝑞) by (→ +, 7)

Exercise 27. Show that ((𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟)) ⊢ (𝑝 ∧ (𝑞 ∨ 𝑟)).

Solution:

(1) 𝑝 ∧ 𝑞 ⊢ 𝑝 ∧ 𝑞 by (∈)
(2) 𝑝 ∧ 𝑞 ⊢ 𝑞 by (∧−, 1)
(3) 𝑝 ∧ 𝑞 ⊢ 𝑞 ∨ 𝑟 by (∨+, 2)
(4) 𝑝 ∧ 𝑞 ⊢ 𝑝 by (∧−, 1)
(5) 𝑝 ∧ 𝑟 ⊢ 𝑝 ∧ 𝑟 by (∈)
(6) 𝑝 ∧ 𝑟 ⊢ 𝑟 by (∧−, 5)
(7) 𝑝 ∧ 𝑟 ⊢ 𝑞 ∨ 𝑟 by (∨+, 6)
(8) 𝑝 ∧ 𝑟 ⊢ 𝑝 by (∧−, 5)
(9) 𝑝 ∧ 𝑞 ⊢ 𝑝 ∧ (𝑞 ∨ 𝑟) by (∧+, 3, 4)
(10) 𝑝 ∧ 𝑟 ⊢ 𝑝 ∧ (𝑞 ∨ 𝑟) by (∧+, 7, 8)
(11) (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) ⊢ 𝑝 ∧ (𝑞 ∨ 𝑟) by (∨−, 9, 10)

Exercise 28. Show that (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ ((𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟)).

Solution:

(1) (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ (𝑝 ∧ (𝑞 ∨ 𝑟)) by (𝑅𝑒𝑓)


(2) (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ 𝑝 by (∧−, 1)
(3) (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ 𝑞 ∨ 𝑟 by (∧−, 1)
(4) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑞 ⊢ 𝑞 by (∈)
(5) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑞 ⊢ 𝑝 by (+, 2)
(6) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑞 ⊢ 𝑝 ∧ 𝑞 by (∧+, 4, 5)
(7) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑞 ⊢ (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) by (∨+, 6)
(8) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑟 ⊢ 𝑟 by (∈)
(9) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑟 ⊢ 𝑝 by (+, 2)
(10) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑟 ⊢ 𝑝 ∧ 𝑟 by (∧+, 8, 9)
(11) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑟 ⊢ (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) by (∨+, 10)
(12) (𝑝 ∧ (𝑞 ∨ 𝑟)), 𝑞 ∨ 𝑟 ⊢ (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) by (∨−, 7, 11)
(13) (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ (𝑞 ∨ 𝑟) → (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) by (→ +, 12)
(14) (𝑝 ∧ (𝑞 ∨ 𝑟)) ⊢ (𝑝 ∧ 𝑞) ∨ (𝑝 ∧ 𝑟) by (→ −, 3, 13)

1.9.7 Negation introduction and elimination
Exercise 29. Show that 𝑝 → (¬𝑝) ⊢ (¬𝑝).

Solution:

(1) 𝑝 → (¬𝑝), 𝑝 ⊢ 𝑝 by (∈)


(2) 𝑝 → (¬𝑝), 𝑝 ⊢ 𝑝 → (¬𝑝) by (∈)
(3) 𝑝 → (¬𝑝), 𝑝 ⊢ (¬𝑝) by (→ −, 1, 2)
(4) 𝑝 → (¬𝑝) ⊢ (¬𝑝) by (¬+, 1, 3)

Exercise 30. Show that (𝑝 → (𝑞 → 𝑟)), 𝑝, (¬𝑟) ⊢ (¬𝑞).

Solution:

(1) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ 𝑝 by (∈)


(2) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ 𝑝 → (𝑞 → 𝑟) by (∈)
(3) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ 𝑞 → 𝑟 by (→ −, 1, 2)
(4) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ 𝑞 by (∈)
(5) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ 𝑟 by (→ −, 3, 4)
(6) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟), 𝑞 ⊢ (¬𝑟) by (∈)
(7) 𝑝 → (𝑞 → 𝑟), 𝑝, (¬𝑟) ⊢ (¬𝑞) by (¬+, 5, 6)

Exercise 31. Show that (𝑝 → 𝑞), (¬𝑞) ⊢ (¬𝑝).

Solution:

(1) 𝑝 → 𝑞, ¬𝑞, 𝑝 ⊢ 𝑝 by (∈)


(2) 𝑝 → 𝑞, ¬𝑞, 𝑝 ⊢ 𝑝 → 𝑞 by (∈)
(3) 𝑝 → 𝑞, ¬𝑞, 𝑝 ⊢ 𝑞 by (→ −, 1, 2)
(4) 𝑝 → 𝑞, ¬𝑞, 𝑝 ⊢ ¬𝑞 by (∈)
(5) 𝑝 → 𝑞, ¬𝑞 ⊢ ¬𝑝 by (¬−, 3, 4)

Exercise 32. Show that (¬𝑝) → (¬𝑞) ⊢ (𝑞 → 𝑝).

Solution:

(1) (¬𝑝) → (¬𝑞), 𝑞, ¬𝑝 ⊢ ¬𝑝 by (∈)


(2) (¬𝑝) → (¬𝑞), 𝑞, ¬𝑝 ⊢ (¬𝑝) → (¬𝑞) by (∈)
(3) (¬𝑝) → (¬𝑞), 𝑞, ¬𝑝 ⊢ 𝑞 by (∈)
(4) (¬𝑝) → (¬𝑞), 𝑞, ¬𝑝 ⊢ ¬𝑞 by (→ −, 1, 2)
(5) (¬𝑝) → (¬𝑞), 𝑞 ⊢ 𝑝 by (¬−, 3, 4)
(6) (¬𝑝) → (¬𝑞) ⊢ 𝑞 → 𝑝 by (→ +, 5)

Exercise 33. Show that (𝑝 ∧ (¬𝑞)) → 𝑟, (¬𝑟), 𝑝 ⊢ 𝑞.

Solution:

(1) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ 𝑝 by (∈)


(2) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ ¬𝑞 by (∈)
(3) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ (𝑝 ∧ ¬𝑞) by (∧+, 1, 2)
(4) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ (𝑝 ∧ ¬𝑞) → 𝑟 by (∈)
(5) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ 𝑟 by (→ −, 3, 4)
(6) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝, ¬𝑞 ⊢ (¬𝑟) by (∈)
(7) (𝑝 ∧ ¬𝑞) → 𝑟, ¬𝑟, 𝑝 ⊢ 𝑞 by (¬−, 5, 6)

Exercise 34. Show that (𝑝 ∨ 𝑞), (¬𝑝) ⊢ 𝑞.

Solution:

(1) ¬𝑝, 𝑝, ¬𝑞 ⊢ 𝑝 by (∈)


(2) ¬𝑝, 𝑝, ¬𝑞 ⊢ ¬𝑝 by (∈)
(3) ¬𝑝, 𝑝 ⊢ 𝑞 by (¬−, 1, 2)
(4) ¬𝑝, 𝑞 ⊢ 𝑞 by (∈)
(5) ¬𝑝, 𝑝 ∨ 𝑞 ⊢ 𝑞 by (∨−, 3, 4)

Exercise 35. Show that ∅ ⊢ (¬𝑝) → (𝑝 → (𝑝 → 𝑞)).

Solution:

(1) ¬𝑝, 𝑝, ¬(𝑝 → 𝑞) ⊢ 𝑝 by (∈)


(2) ¬𝑝, 𝑝, ¬(𝑝 → 𝑞) ⊢ ¬𝑝 by (∈)
(3) ¬𝑝, 𝑝 ⊢ 𝑝 → 𝑞 by (¬−, 1, 2)
(4) ¬𝑝 ⊢ 𝑝 → (𝑝 → 𝑞) by (→ +, 3)
(5) ∅ ⊢ (¬𝑝) → (𝑝 → (𝑝 → 𝑞)) by (→ +, 4)

1.9.8 Putting them together!
Exercise 36. (De Morgan’s Law) Show that (¬(𝑎 ∨ 𝑏)) ⊢ ((¬𝑎) ∧ (¬𝑏)).
Solution:
(1) ¬(𝑎 ∨ 𝑏), 𝑎 ⊢ ¬(𝑎 ∨ 𝑏) by (∈)
(2) ¬(𝑎 ∨ 𝑏), 𝑎 ⊢ 𝑎 by (∈)
(3) ¬(𝑎 ∨ 𝑏), 𝑎 ⊢ (𝑎 ∨ 𝑏) by (∨+, 2)
(4) ¬(𝑎 ∨ 𝑏), 𝑏 ⊢ ¬(𝑎 ∨ 𝑏) by (∈)
(5) ¬(𝑎 ∨ 𝑏), 𝑏 ⊢ 𝑏 by (∈)
(6) ¬(𝑎 ∨ 𝑏), 𝑏 ⊢ (𝑎 ∨ 𝑏) by (∨+, 5)
(7) ¬(𝑎 ∨ 𝑏) ⊢ ¬𝑎 by (∧+, 1, 3)
(8) ¬(𝑎 ∨ 𝑏) ⊢ ¬𝑏 by (∧+, 4, 6)
(9) ¬(𝑎 ∨ 𝑏) ⊢ ¬𝑎 ∧ ¬𝑏 by (∧+, 7, 8)

Exercise 37. (De Morgan’s Law) Show that ((¬𝑎) ∧ (¬𝑏)) ⊢ (¬(𝑎 ∨ 𝑏)).
Solution:
(1) ¬𝑎 ∧ ¬𝑏, 𝑎, ¬𝑞 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)
(2) ¬𝑎 ∧ ¬𝑏, 𝑎, ¬𝑞 ⊢ ¬𝑎 by (∧−, 1)
(3) ¬𝑎 ∧ ¬𝑏, 𝑎, ¬𝑞 ⊢ 𝑎 by (∈)
(4) ¬𝑎 ∧ ¬𝑏, 𝑎 ⊢ 𝑞 by (¬−, 2, 3)
(5) ¬𝑎 ∧ ¬𝑏, 𝑏, ¬𝑞 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)
(6) ¬𝑎 ∧ ¬𝑏, 𝑏, ¬𝑞 ⊢ ¬𝑏 by (∧−, 5)
(7) ¬𝑎 ∧ ¬𝑏, 𝑏, ¬𝑞 ⊢ 𝑏 by (∈)
(8) ¬𝑎 ∧ ¬𝑏, 𝑏 ⊢ 𝑞 by (¬−, 6, 7)
(9) ¬𝑎 ∧ ¬𝑏, 𝑎 ∨ 𝑏 ⊢ 𝑞 by (∨−, 4, 8)
(10) ¬𝑎 ∧ ¬𝑏, 𝑎, 𝑞 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)
(11) ¬𝑎 ∧ ¬𝑏, 𝑎, 𝑞 ⊢ ¬𝑎 by (∧−, 10)
(12) ¬𝑎 ∧ ¬𝑏, 𝑎, 𝑞 ⊢ 𝑎 by (∈)
(13) ¬𝑎 ∧ ¬𝑏, 𝑎 ⊢ ¬𝑞 by (¬+, 11, 12)
(14) ¬𝑎 ∧ ¬𝑏, 𝑏, 𝑞 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)
(15) ¬𝑎 ∧ ¬𝑏, 𝑏, 𝑞 ⊢ ¬𝑏 by (∧−, 14)
(16) ¬𝑎 ∧ ¬𝑏, 𝑏, 𝑞 ⊢ 𝑏 by (∈)
(17) ¬𝑎 ∧ ¬𝑏, 𝑏 ⊢ ¬𝑞 by (¬+, 15, 16)
(18) ¬𝑎 ∧ ¬𝑏, 𝑎 ∨ 𝑏 ⊢ ¬𝑞 by (∨−, 13, 18)
(19) ¬𝑎 ∧ ¬𝑏 ⊢ ¬(𝑎 ∨ 𝑏) by (∧+, 8, 18)

Exercise 38. (De Morgan’s Law) Show that ((¬𝑎) ∨ (¬𝑏)) ⊢ (¬(𝑎 ∧ 𝑏)).

Solution:

(1) ¬𝑏, (𝑎 ∧ 𝑏) ⊢ 𝑎 ∧ 𝑏 by (∈)


(2) ¬𝑏, (𝑎 ∧ 𝑏) ⊢ ¬𝑏 by (∈)
(3) ¬𝑏, (𝑎 ∧ 𝑏) ⊢ 𝑏 by (∧−, 1)
(4) ¬𝑏 ⊢ ¬(𝑎 ∧ 𝑏) by (¬+, 2, 3)
(5) ¬𝑎, (𝑎 ∧ 𝑏) ⊢ 𝑎 ∧ 𝑏 by (∈)
(6) ¬𝑎, (𝑎 ∧ 𝑏) ⊢ ¬𝑎 by (∈)
(7) ¬𝑎, (𝑎 ∧ 𝑏) ⊢ 𝑎 by (∧−, 5)
(8) ¬𝑎 ⊢ ¬(𝑎 ∧ 𝑏) by (¬+, 6, 7)
(9) ¬𝑎 ∨ ¬𝑏 ⊢ ¬(𝑎 ∧ 𝑏) by (∨−, 4, 8)

Exercise 39. (De Morgan’s Law) Show that (𝑎 ∨ 𝑏) ⊢ (¬((¬𝑎) ∧ (¬𝑏))).

Solution:

(1) ¬𝑎 ∧ ¬𝑏, 𝑎 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)


(2) ¬𝑎 ∧ ¬𝑏, 𝑎 ⊢ ¬𝑎 by (∧−, 1)
(3) ¬𝑎 ∧ ¬𝑏, 𝑎 ⊢ 𝑎 by (∈)
(4) ¬𝑎 ∧ ¬𝑏, 𝑏 ⊢ ¬𝑎 ∧ ¬𝑏 by (∈)
(5) ¬𝑎 ∧ ¬𝑏, 𝑏 ⊢ ¬𝑏 by (∧−, 4)
(6) ¬𝑎 ∧ ¬𝑏, 𝑏 ⊢ 𝑏 by (∈)
(7) 𝑎 ⊢ ¬(¬𝑎 ∧ ¬𝑏) by (¬+, 2, 3)
(8) 𝑏 ⊢ ¬(¬𝑎 ∧ ¬𝑏) by (¬+, 5, 6)
(9) 𝑎 ∨ 𝑏 ⊢ ¬(¬𝑎 ∧ ¬𝑏) by (∨−, 7, 8)

Exercise 40. (De Morgan’s Law) Show that (¬(𝑎 ∧ 𝑏)) ⊢ ((¬𝑎) ∨ (¬𝑏)).

Solution:

Exercise 41. Show that (¬(𝑝 → 𝑞)) ⊢ (𝑞 → 𝑝).

Solution:

Exercise 42. (Law of excluded middle) ∅ ⊢ (𝑎 ∨ (¬𝑎)).

Solution: Solution 1:

(1) ¬(𝑎 ∨ (¬𝑎)), 𝑎 ⊢ 𝑎 by (∈)


(2) ¬(𝑎 ∨ (¬𝑎)), 𝑎 ⊢ ¬(𝑎 ∨ (¬𝑎)) by (∈)
(3) ¬(𝑎 ∨ (¬𝑎)), 𝑎 ⊢ 𝑎 ∨ (¬𝑎) by (∨+, 1)
(4) ¬(𝑎 ∨ (¬𝑎)) ⊢ ¬𝑎 by (¬+, 2, 3)
(5) ¬(𝑎 ∨ (¬𝑎)) ⊢ ¬(𝑎 ∨ (¬𝑎)) by (∈)
(6) ¬(𝑎 ∨ (¬𝑎)) ⊢ 𝑎 ∨ (¬𝑎) by (∨+, 4)
(7) ∅ ⊢ 𝑎 ∨ (¬𝑎) by (¬−, 5, 6)

Solution 2:

(1) ¬(𝑎 ∨ (¬𝑎)), ¬𝑎 ⊢ ¬𝑎 by (∈)


(2) ¬(𝑎 ∨ (¬𝑎)), ¬𝑎 ⊢ ¬(𝑎 ∨ (¬𝑎)) by (∈)
(3) ¬(𝑎 ∨ (¬𝑎)), ¬𝑎 ⊢ 𝑎 ∨ (¬𝑎) by (∨+, 1)
(4) ¬(𝑎 ∨ (¬𝑎)) ⊢ 𝑎 by (¬−, 2, 3)
(5) ¬(𝑎 ∨ (¬𝑎)) ⊢ ¬(𝑎 ∨ (¬𝑎)) by (∈)
(6) ¬(𝑎 ∨ (¬𝑎)) ⊢ 𝑎 ∨ (¬𝑎) by (∨+, 4)
(7) ∅ ⊢ 𝑎 ∨ (¬𝑎) by (¬−, 5, 6)

1.9.9 Putting them together: Additional exercises
Exercise 43. (¬(𝑝 → 𝑞)) ⊢ 𝑝.

Exercise 44. ((𝑝 → 𝑞) → 𝑝) ⊢ 𝑝.

Exercise 45. ((𝑝 → 𝑞) → 𝑞) ⊢ ((¬𝑞) → 𝑝).

Exercise 46. ∅ ⊢ ((𝑝 → 𝑞) ∨ (𝑞 → 𝑟))

Exercise 47. (𝑝 → (𝑞 ∨ 𝑟)) ⊢ ((𝑝 → 𝑞) ∨ (𝑝 → 𝑟)).

1.9.10 Other problems
Exercise 48. E4 Exercise 4: Prove that for any set of propositional formulas Σ and any
propositional variables 𝑝 and 𝑞, if Σ ⊢ 𝑝, then Σ ⊢ ((¬𝑝) → 𝑞).

Solution:
Proof. Let Σ be a set of propositional formulas and let 𝑝 and 𝑞 be propositional variables.
Assume that Σ ⊢ 𝑝. This means that the following proof exists.

(1) Σ ⊢ 𝑝 by assumption

Using the above proof, we will construct a formal deduction proof for Σ ⊢ ((¬𝑝) → 𝑞).

(1) Σ ⊢ 𝑝 by assumption
(2) Σ, ¬𝑝, ¬𝑞 ⊢ 𝑝 by (+, 1)
(3) Σ, ¬𝑝, ¬𝑞 ⊢ ¬𝑝 by (∈)
(4) Σ, ¬𝑝 ⊢ 𝑞 by (¬−, 2, 3)
(5) Σ ⊢ (¬𝑝) → 𝑞 by (→ +, 4)

Therefore, Σ ⊢ ((¬𝑝) → 𝑞) holds.

1.10 Soundness and Completeness of Formal Deduction
1.10.1 The soundness of inference rules
Exercise 49. The following inference rule is called Disjunctive syllogism.

if Σ ⊢ ¬𝐴,
Σ ⊢ 𝐴 ∨ 𝐵,
then Σ ⊢ 𝐵.

where 𝐴 and 𝐵 are well-formed propositional formulas.


Prove that this inference rule is sound. That is, prove that if Σ ⊨ ¬𝐴 and Σ ⊨ 𝐴 ∨ 𝐵, then
Σ ⊨ 𝐵.
You must use the definition of tautological consequence to write your proof. Do not use
any other technique such as truth table, valuation tree, logical identities, formal deduction,
soundness, or completeness.

Solution:
Proof. Consider a truth valuation 𝑡 under which Σ^𝑡 = 1. Since Σ ⊨ (¬𝐴) and Σ ⊨ 𝐴 ∨ 𝐵,
we have that (¬𝐴)^𝑡 = 1 and (𝐴 ∨ 𝐵)^𝑡 = 1. We need to show that 𝐵^𝑡 = 1.
By the truth table of ¬, since (¬𝐴)^𝑡 = 1, 𝐴^𝑡 = 0.
By the truth table of ∨, since (𝐴 ∨ 𝐵)^𝑡 = 1, at least one of 𝐴 and 𝐵 is true under 𝑡. Since
𝐴^𝑡 = 0, then 𝐵^𝑡 = 1.
Therefore, Σ ⊨ 𝐵 holds.

Remark 2. To prove that a tautological consequence holds, we need to consider all truth
valuations under which all of the premises are true. For each such truth valuation, we need
to show that the conclusion is true.
The proof typically looks like the following.

• Consider a truth valuation 𝑡 under which all of the premises are true.

• If premise 1 is true under 𝑡, then 𝐴 must be ... under 𝑡 and 𝐵 must be ... under 𝑡. If
premise 2 is true under 𝑡, then ...

• There are ... cases that we need to consider.

• Case 1: this case is impossible because .../... the conclusion is true under 𝑡.

• Case 2: ...

• The conclusion is true in every case. Therefore, the tautological consequence holds.

Exercise 50. Consider the following inference rule:
(𝐴 → 𝐵)
--------- (Flip the implication)
(𝐵 → 𝐴)

where 𝐴 and 𝐵 are well-formed propositional formulas.


Prove that this inference rule is NOT sound. That is, prove the following statement:

{(𝐴 → 𝐵)} ⊭ (𝐵 → 𝐴)

You must use the definition of tautological consequence to write your proof. Do not use
any other technique such as truth table, valuation tree, logical identities, formal deduction,
soundness, or completeness.
Solution:
Remark 3. To prove that a tautological consequence does not hold, we need to find a concrete
counterexample, which shows that there is a truth valuation 𝑡 under which all of the premises
are true and the conclusion is false.
A concrete counterexample consists of the following:
• Choose concrete formulas for 𝐴 and 𝐵. In the following proof, we let 𝐴 be 𝑝 and 𝐵 be
𝑞 where 𝑝 and 𝑞 are propositional variables.

• Choose a truth valuation 𝑡 such that all the premises are true and the conclusion is
false.

Choosing a concrete formula for each symbol is important. In the proof below, if we do not
assign concrete formulas to 𝐴 and 𝐵, then we cannot make claims about their truth values
under 𝑡. We want to find a truth valuation under which 𝐵 is true and 𝐴 is false. This is
not possible if 𝐵 is (𝑟 ∧ (¬𝑟)) and 𝐴 is (𝑟 ∨ (¬𝑟)).
The difficult part is coming up with a counterexample that works. After that, writing up the
proof is straightforward.

Proof. To prove that the tautological consequence does not hold, we need to find one coun-
terexample.
Let 𝑝 and 𝑞 be two propositional variables. Let 𝐴 be 𝑝 and let 𝐵 be 𝑞. Consider a truth
valuation 𝑡 under which 𝑝^𝑡 = 0 and 𝑞^𝑡 = 1.
Under 𝑡, the premise is true. (𝐴 → 𝐵)^𝑡 = (𝑝 → 𝑞)^𝑡 = 1.
Under 𝑡, the conclusion is false. (𝐵 → 𝐴)^𝑡 = (𝑞 → 𝑝)^𝑡 = 0.
We found a truth valuation under which the premise is true and the conclusion is false.
Thus, the tautological consequence does not hold.

1.10.2 Soundness and Completeness of Formal Deduction
Exercise 51. Prove or disprove this statement: If {𝑎, 𝑏} ⊢ 𝑐, then ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐). 𝑎, 𝑏,
and 𝑐 are well-formed propositional formulas.

Solution:

Remark 4. The statement is an implication, and the premise and the conclusion of the
implication differ in two ways. The premise is about the existence of a formal deduction
proof, whereas the conclusion is about a tautological consequence. Moreover, the premise has
𝑎 and 𝑏 on the left hand side, whereas the conclusion has everything on the right hand side.
Thus, there are two ways for us to transform the premise into the conclusion.

Approach 1:
A visual representation of approach 1:

{𝑎, 𝑏} ⊢ 𝑐 → {𝑎, 𝑏} ⊨ 𝑐 → ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐)

First, we transform {𝑎, 𝑏} ⊢ 𝑐 (the existence of a proof) to {𝑎, 𝑏} ⊨ 𝑐 (a tautological consequence)
by using the soundness of formal deduction.
Then, we move 𝑎 and 𝑏 from the left hand side to the right hand side by proving that {𝑎, 𝑏} ⊨ 𝑐
and ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐) are equivalent by the definition of tautological consequence.

Approach 2:
A visual representation of approach 2:

{𝑎, 𝑏} ⊢ 𝑐 → ∅ ⊢ ((𝑎 ∧ 𝑏) → 𝑐) → ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐)

First, we move 𝑎 and 𝑏 from the left hand side to the right hand side by proving that {𝑎, 𝑏} ⊢ 𝑐
and ∅ ⊢ ((𝑎 ∧ 𝑏) → 𝑐) are equivalent.
Then, we transform ∅ ⊢ ((𝑎 ∧ 𝑏) → 𝑐) (the existence of a proof) to ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐) (a
tautological consequence) by the soundness of formal deduction.

See the two proofs below.

Proof 1. We will prove the statement.
Assume {𝑎, 𝑏} ⊢ 𝑐 holds.
By the soundness of formal deduction, the tautological consequence {𝑎, 𝑏} ⊨ 𝑐 holds.
Consider a truth valuation 𝑡 under which 𝑎^𝑡 = 1 and 𝑏^𝑡 = 1. We know that 𝑐^𝑡 = 1 by
{𝑎, 𝑏} ⊨ 𝑐. Therefore, by the definition of an implication, we know that ((𝑎 ∧ 𝑏) → 𝑐) is a
tautology.
Consider a truth valuation 𝑡. There is no formula in ∅. Thus, 𝑡 satisfies ∅. 𝑡 also satisfies
((𝑎 ∧ 𝑏) → 𝑐) since ((𝑎 ∧ 𝑏) → 𝑐) is a tautology. Therefore, the tautological consequence
∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐) holds.

Proof 2. We will prove the statement.


Assume {𝑎, 𝑏} ⊢ 𝑐 holds. Thus, there is a formal deduction proof which starts with 𝑎 and 𝑏
as the premises and ends with 𝑐.
1. 𝑎 premise
2. 𝑏 premise
3. ... ...
4. 𝑐 ...

We construct a formal deduction proof for ∅ ⊢ ((𝑎 ∧ 𝑏) → 𝑐) as follows.


1. (𝑎 ∧ 𝑏) assumption
2. 𝑎 ∧e: 1
3. 𝑏 ∧e: 1
4. ... ...
5. 𝑐 ...
6. ((𝑎 ∧ 𝑏) → 𝑐) →i: 1-5
This proof shows that ∅ ⊢ ((𝑎 ∧ 𝑏) → 𝑐) holds.
By the soundness of formal deduction, the tautological consequence ∅ ⊨ ((𝑎 ∧ 𝑏) → 𝑐) holds.

Exercise 52. Prove or disprove this statement: If {𝐴} ⊨ 𝐵, then ∅ ⊢ (𝐵 → 𝐴). 𝐴 and 𝐵
are well-formed propositional formulas.

Solution:

Remark 5. To show that the implication is false, we need to choose concrete formulas for
𝐴 and 𝐵 such that the premise is true and the conclusion is false.
By inspecting the premise and the conclusion, we see that the concrete formulas need to make
sure that 𝐴 entails 𝐵, but 𝐵 does not entail 𝐴.
Choosing 𝐴 to be 𝑝 and 𝐵 to be (𝑝 ∨ 𝑞) satisfies both requirements.

Proof. We will disprove the statement.


Let 𝑝 and 𝑞 be two propositional variables. Let 𝐴 be 𝑝 and let 𝐵 be (𝑝 ∨ 𝑞).
First, we prove that {𝐴} ⊨ 𝐵 holds. Consider a truth valuation 𝑡 under which 𝐴 is true.
This means that 𝑝^𝑡 = 1. Under 𝑡, 𝐵 is true because (𝑝 ∨ 𝑞)^𝑡 = 1. Therefore, the tautological
consequence {𝐴} ⊨ 𝐵 holds.
Now, we prove that ∅ ⊬ (𝐵 → 𝐴) holds. To show that such a proof does not exist, it suffices
to show that the corresponding tautological consequence ∅ ⊨ (𝐵 → 𝐴) does not hold. Then
by the contrapositive of the soundness of formal deduction, we have that ∅ ⊬ (𝐵 → 𝐴) holds.
To prove that ∅ ⊭ (𝐵 → 𝐴) (or ∅ ⊭ ((𝑝 ∨ 𝑞) → 𝑝)), we consider a truth valuation 𝑡 such that
𝑝^𝑡 = 0 and 𝑞^𝑡 = 1. Under 𝑡, 𝐵^𝑡 = (𝑝 ∨ 𝑞)^𝑡 = 1 and 𝐴^𝑡 = 𝑝^𝑡 = 0. Therefore, ∅ ⊭ (𝐵 → 𝐴)
holds.
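
Exercises 49, 50 and 52 all turn on whether some truth valuation satisfies every premise and falsifies the conclusion. The search below makes that definition executable for concrete formulas; it is an added example, not part of the workbook, and it illustrates the proofs rather than replacing them (the exercises ask for an argument from the definition). The tuple encoding and the names `atoms`, `value`, `counterexample` and `flip` are assumptions of this example.

```python
# Added example (not from the workbook): searching for a counterexample to a
# tautological consequence Σ ⊨ C by enumerating truth valuations.
# Encoding (assumed here): a variable is a str; compound formulas are
# ("not", A), ("and", A, B), ("or", A, B) and ("imp", A, B).
from itertools import product

def atoms(f):
    """Set of propositional variables occurring in formula f."""
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(g) for g in f[1:]))

def value(f, t):
    """Truth value (0 or 1) of formula f under the valuation t (a dict)."""
    if isinstance(f, str):
        return t[f]
    op, *args = f
    v = [value(g, t) for g in args]
    if op == "not":
        return 1 - v[0]
    if op == "and":
        return v[0] & v[1]
    if op == "or":
        return v[0] | v[1]
    if op == "imp":
        return (1 - v[0]) | v[1]
    raise ValueError("unknown connective: %r" % (op,))

def counterexample(premises, conclusion):
    """A valuation making every premise true and the conclusion false, or None.

    None means the tautological consequence holds, including the case where
    no valuation satisfies all of the premises.
    """
    names = sorted(set().union(atoms(conclusion), *(atoms(p) for p in premises)))
    for bits in product((0, 1), repeat=len(names)):
        t = dict(zip(names, bits))
        if all(value(p, t) for p in premises) and not value(conclusion, t):
            return t
    return None

def flip(a, b):
    """Counterexample to {(A → B)} ⊨ (B → A) for concrete formulas A and B."""
    return counterexample([("imp", a, b)], ("imp", b, a))

# Exercise 49 with A = p, B = q: {¬p, p ∨ q} ⊨ q has no counterexample.
SYLLOGISM = counterexample([("not", "p"), ("or", "p", "q")], "q")

# Exercise 50 with A = p, B = q: the valuation used in the proof is found.
FLIP_PQ = flip("p", "q")

# Remark 3: with A = (r ∨ ¬r) and B = (r ∧ ¬r) no counterexample exists,
# because the premise (A → B) is false under every valuation.
FLIP_R = flip(("or", "r", ("not", "r")), ("and", "r", ("not", "r")))

# Exercise 52 with A = p, B = (p ∨ q): {A} ⊨ B holds, ∅ ⊨ (B → A) does not.
A_ENTAILS_B = counterexample(["p"], ("or", "p", "q"))
B_IMP_A = counterexample([], ("imp", ("or", "p", "q"), "p"))

if __name__ == "__main__":
    print(SYLLOGISM, FLIP_PQ, FLIP_R, A_ENTAILS_B, B_IMP_A)
```
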

1.11 Proving the Completeness Theorem
Exercise 53. Prove that the following two definitions of a consistent set are equivalent.

1. There exists a formula 𝐴 such that Σ ⊬ 𝐴.

2. For every formula 𝐴, if Σ ⊢ 𝐴, then Σ ⊬ (¬𝐴).

Exercise 54. Let Σ1 and Σ2 be sets of propositional formulas. Let Σ1 ⊆ Σ2 .
Prove or disprove the statement below: If Σ1 is consistent, then Σ2 is consistent.

Exercise 55. Let Σ1 and Σ2 be sets of propositional formulas. Let Σ1 ⊆ Σ2 .


Prove or disprove the statement below: If Σ2 is consistent, then Σ1 is consistent.

Prove that the following two definitions of a maximally consistent set are equivalent. Assume
that Σ is consistent.

1. For every propositional formula 𝐵, if Σ ⊬ 𝐵 then Σ ∪ {𝐵} is inconsistent.

2. For every propositional formula 𝐴, Σ ⊢ 𝐴 or Σ ⊢ (¬𝐴).

Solution: Question: Is the OR in definition 2 an exclusive OR?


Answer: Yes, it has to be. If for every propositional formula 𝐴, Σ ⊢ 𝐴 and Σ ⊢ (¬𝐴), then
Σ has to be inconsistent, which contradicts our assumption that Σ is consistent.

Part (a) Prove that if a set Σ satisfies definition 1, then it also satisfies definition 2.
Proof Sketch:
To show that Σ satisfies definition 2, we need to show that for every propositional formula
𝐴, Σ ⊢ 𝐴 or Σ ⊢ (¬𝐴). If at least one of Σ ⊢ 𝐴 and Σ ⊢ (¬𝐴) is true, then we are done.
However, it is unlikely that we can prove that one of them is always true. Therefore, it must
be the case that one is true in some scenarios and the other one is true in other scenarios.
A common approach for proving a disjunction is to divide into several cases. It must be true
that either Σ ⊢ 𝐴 or Σ ⊬ 𝐴. In fact, these two cases are mutually exclusive and exhaustive.
Therefore, we will consider two cases. In each case, we will need to prove that Σ ⊢ 𝐴 or
Σ ⊢ (¬𝐴).

Here is a sketch of the proof.


Assume that Σ satisfies definition 1.
Consider any propositional formula 𝐴.
Case (1): Assume that Σ ⊢ 𝐴.
We need to prove that Σ ⊢ 𝐴 or Σ ⊢ (¬𝐴).
Case (2): Assume that Σ ⊬ 𝐴.
We need to prove that Σ ⊢ 𝐴 or Σ ⊢ (¬𝐴).

Part (b) Prove that if a set Σ satisfies definition 2, then it also satisfies definition 1.
Proof sketch:

2 Predicate Logic
2.1 Translations
Exercise 56. Let the domain be the set of animals. Let 𝐵(𝑥) mean that 𝑥 is a bear. Let
𝐻(𝑥) mean that 𝑥 likes honey.
Translate “every bear likes honey” into predicate logic.

Solution: People often come up with the following two translations. See the formulas and
the corresponding explanations below.

• (∀𝑥 (𝐵(𝑥) ∧ 𝐻(𝑥)))


This formula says that every animal 𝑥 is a bear and likes honey.
This formula is an incorrect translation. The original sentence does not require every
animal to be a bear. The sentence simply ignores any animal that is not a bear and
focuses on animals that are bears.

• (∀𝑥 (𝐵(𝑥) → 𝐻(𝑥)))


This formula says that for every animal 𝑥, if 𝑥 is a bear, then 𝑥 likes honey.
This is a correct translation. If an animal is a bear, then it must like honey as required
by the original sentence. If an animal is not a bear, then the premise of the implication
is false, which means that the implication is vacuously true. (In other words, we don’t
care about animals that are not bears.)

To differentiate between two predicate formulas, it is often a useful exercise to come up with
a domain for which one formula is true and the other formula is false.
Consider a domain, which contains a bear A who likes honey and a rabbit B.

• For this domain, the first formula is false. When 𝑥 is rabbit 𝐵, 𝑥 is not a bear.

• For this domain, the second formula is true. When 𝑥 is bear 𝐴, it likes honey, so the
implication is true. When 𝑥 is rabbit B, it is not a bear, so the implication is vacuously
true. Since the implication is true for every element of the domain, the formula is true.

In general, consider a domain 𝐷 and a predicate 𝑃 (𝑥).


The following sentence

“All <things in D for which P is true> have the property Q.”

translates into the formula

(∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))).

Exercise 57. Let the domain be the set of animals. Let 𝐵(𝑥) mean that 𝑥 is a bear. Let
𝐻(𝑥) mean that 𝑥 likes honey.
Translate “some bear likes honey” into predicate logic.

Solution: People often come up with the following two translations. See the formulas and
the corresponding explanations below.

• (∃𝑥 (𝐵(𝑥) ∧ 𝐻(𝑥)))


This formula says that there is an animal 𝑥, which is a bear and likes honey.
This formula is the correct translation. The original sentence requires that there is a
bear in the domain. Furthermore, it requires that there is a bear in the domain that
likes honey. This formula guarantees both.

• (∃𝑥 (𝐵(𝑥) → 𝐻(𝑥)))


This formula says that there is an animal 𝑥, which is either not a bear, or is a bear
and likes honey.
This sentence is an incorrect translation, although many people think that it makes
intuitive sense. The problem with this formula comes from the fact that the implication
is vacuously true when the premise is false. This formula does not guarantee that there
has to be a bear in the domain. As soon as we find an animal that is not a bear in the
domain, the premise of the implication is false and the implication is vacuously true.
This does not correspond to the original sentence, which requires that there is a bear
in the domain.

To differentiate these two formulas, let’s consider a domain, which contains a rabbit B. For
this domain, the original sentence should be false because there is no bear.

• For this domain, the first formula is false. We cannot find a bear in the domain, which
is required by the formula.

• For this domain, the second formula is true. When 𝑥 is rabbit 𝐵, 𝐵 is not a bear, so
the premise of the implication is false. Thus, the implication is vacuously true. Since
we have found an animal which makes the implication true, the formula is true.

In general, consider a domain 𝐷 and a predicate 𝑃 (𝑥).


The following sentence

“Some <thing in D for which P is true> have the property Q.”

translates into the formula

(∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥))).

Based on the two exercises above, could you summarize the general patterns of translations?
Which binary connectives usually go with the universal and the existential quantifiers?
As a general rule of thumb, the universal quantifier is often used in conjunction with the im-
plication (→), and the existential quantifier is often used in conjunction with the conjunction
(∧). We’ve seen examples of both above.
The universal quantifier

• ∀ and →: The universal quantifier pairs well with the implication. This combination
is used to make a statement about a subset of the domain. Therefore, we use the
premise of the implication to restrict our attention to this subset. We don’t have to
worry about any element that is not in this subset because the implication is vacuously
true for any such element.

• ∀ and ∧: This combination is not impossible. However, it is a very strong statement.


This combination is claiming that every element of the domain must satisfy the prop-
erties connected by the ∧. If this is what you meant to express, then go ahead and use
this combination.

The existential quantifier

• ∃ and ∧: The existential quantifier pairs well with the conjunction. This combination
can be used to express the fact that there exists an element of the domain which has the
two properties connected by the conjunction.

• ∃ and →: This combination does not make sense logically. The main reason is that it
is too easy to make such a formula true. As soon as we find an element of the domain,
which makes the premise of the implication false, the implication is vacuously true and
the formula is true as well.

Exercise 58. Translate the following sentences into predicate formulas.

Let the domain contain the set of all students and courses. Define the following predicates:
𝐶(𝑥): 𝑥 is a course.
𝑆(𝑥): 𝑥 is a student.
𝑇 (𝑥, 𝑦): student 𝑥 has taken course 𝑦.

1. Every student has taken some course.


Solution: (∀𝑥 (𝑆(𝑥) → (∃𝑦 (𝐶(𝑦) ∧ 𝑇 (𝑥, 𝑦)))))

2. A student has taken a course.


Solution: (∃𝑥 (𝑆(𝑥) ∧ (∃𝑦 (𝐶(𝑦) ∧ 𝑇 (𝑥, 𝑦)))))

3. No student has taken every course.


Solution: (¬(∃𝑥 (𝑆(𝑥) ∧ (∀𝑦 (𝐶(𝑦) → 𝑇 (𝑥, 𝑦))))))

4. Some student has not taken any course.


Solution: (∃𝑥 (𝑆(𝑥) ∧ (∀𝑦 (𝐶(𝑦) → (¬𝑇 (𝑥, 𝑦))))))

5. Every student has taken every course.


Solution: (∀𝑥 (𝑆(𝑥) → (∀𝑦 (𝐶(𝑦) → 𝑇 (𝑥, 𝑦)))))

Exercise 59. Translating “at least”, “at most”, and “exactly”.
Translate the following sentences into predicate formulas.

• There is at least one bear.


Solution:
(∃𝑥 𝐵(𝑥))

• There are at least two bears.


Solution:
(∃𝑥 (∃𝑦 ((𝐵(𝑥) ∧ 𝐵(𝑦)) ∧ (𝑥 ≠ 𝑦))))

The formula says: there are two bears 𝑥 and 𝑦, and 𝑥 and 𝑦 must be different. Note
that, if we don’t have (𝑥 ≠ 𝑦), the formula only guarantees that there exists one bear
because 𝑥 and 𝑦 could refer to the same animal in the domain.

• There is at most one bear.


Solution:
(¬(∃𝑥 (∃𝑦 ((𝐵(𝑥) ∧ 𝐵(𝑦)) ∧ (𝑥 ≠ 𝑦)))))

The negation of “at most one” is “at least two”. Therefore, the sentence is equivalent
to “It is not the case that there exist two different bears”.

Using the generalized De Morgan’s laws, we can show that the above formula is logically
equivalent to the formula below.

(∀𝑥 (∀𝑦 ((𝐵(𝑥) ∧ 𝐵(𝑦)) → (𝑥 = 𝑦))))

This formula says that: If we can find two bears 𝑥 and 𝑦, then 𝑥 and 𝑦 must refer to
the same bear. To understand this formula, imagine that I made the claim that there
is at most one bear. Then your goal is to disprove my claim. You find two bears in
the domain and show them to me. For my claim to be true, I have to be able to prove
that the two bears you found are actually the same bear. I have to be able to do this
no matter which two bears you show to me.

Yet another translation is that: ((there is no bear) or (there is exactly one bear)). We
can use any translation of “there is exactly one bear” given below.

((∀𝑥 (¬𝐵(𝑥))) ∨ (∃𝑦 (𝐵(𝑦) ∧ (∀𝑧 (𝐵(𝑧) → (𝑦 = 𝑧))))))

• There is exactly one bear.
Solution: One translation is: there is at least one bear and there is at most one bear.

((∃𝑧 𝐵(𝑧)) ∧ ((¬(∃𝑥 (∃𝑦 ((𝐵(𝑥) ∧ 𝐵(𝑦)) ∧ (𝑥 ≠ 𝑦)))))))

Another translation: there is at least one bear and if there is another bear, then the
two bears must be the same.

(∃𝑥 (𝐵(𝑥) ∧ (∀𝑦 (𝐵(𝑦) → (𝑥 = 𝑦)))))

2.2 Semantics of Predicate Formulas
Consider this language of predicate logic:
• Individual constant symbols: 𝑎, 𝑏, 𝑐
• Free Variable Symbols: 𝑢, 𝑣, 𝑤
• Bound Variable symbols: 𝑥, 𝑦, 𝑧
• Function symbols: 𝑓 is a unary function, 𝑔 is a binary function.
• Predicate/Relation symbols: 𝑃 is a unary predicate, 𝑄 is a binary predicate.

2.2.1 Evaluating Formulas with No Variables


Exercise 60. Give a valuation 𝑣 such that 𝑄(𝑓(𝑐), 𝑎)^𝑣 = 1 where 𝐷 = {1, 2, 3}.
Solution:
Remark 6. We only need to define the components of the valuation that appear in the
formula. This means, we only need to define 𝑎^𝑣, 𝑐^𝑣, 𝑓^𝑣, and 𝑄^𝑣.
I don’t like to work with weird functions. So let’s fix the function 𝑓 to something simple first.
Let 𝑓^𝑣 be 𝑓^𝑣(𝑥) = 𝑥, ∀𝑥 ∈ 𝐷. Given this, we simplify the formula below.
𝑓(𝑐)^𝑣 = 𝑓^𝑣(𝑐^𝑣) = 𝑐^𝑣 (98)
𝑄(𝑓(𝑐), 𝑎)^𝑣 = 𝑄(𝑐, 𝑎)^𝑣 (99)

I like to deal with the predicates last. So let’s assign meanings to the individual constant
symbols. Let 𝑐^𝑣 = 1 and 𝑎^𝑣 = 2. Then, we have that 𝑄(𝑐, 𝑎)^𝑣 is true if and only if ⟨1, 2⟩ ∈ 𝑄^𝑣.
Finally, let’s define 𝑄^𝑣. By the above analysis, at a minimum, we need ⟨1, 2⟩ ∈ 𝑄^𝑣.
We could include other tuples in 𝑄^𝑣 if we like, but they don’t affect the truth value of this
formula. Thus, let 𝑄^𝑣 = {⟨1, 2⟩}.
Solution Text: The valuation 𝑣 is given below.

• 𝐷 = {1, 2, 3}.
• 𝑎^𝑣 = 2, 𝑐^𝑣 = 1.
• 𝑓^𝑣(𝑥) = 𝑥, ∀𝑥 ∈ 𝐷.
• 𝑄^𝑣 = {⟨1, 2⟩}.
Therefore, 𝑄(𝑓(𝑐), 𝑎)^𝑣 = 1 since all of the following hold:
𝑓(𝑐)^𝑣 = 𝑓^𝑣(1) = 1 (100)
𝑎^𝑣 = 2 (101)
⟨1, 2⟩ ∈ 𝑄^𝑣. (102)

Exercise 61. Give a valuation 𝑣 such that 𝑄(𝑓(𝑐), 𝑎)^𝑣 = 0.

Solution:

Remark 7. All we need to do is make one small adjustment to the interpretation in exer-
cise 60.
To make the formula false, we need to make sure the tuple ⟨1, 2⟩ ∉ 𝑄^𝑣. Let 𝑄^𝑣 be the empty
set.

Solution Text: The valuation 𝑣 is given below.

• 𝐷 = {1, 2, 3}.

• 𝑎^𝑣 = 2, 𝑐^𝑣 = 1.

• 𝑓^𝑣(𝑥) = 𝑥, ∀𝑥 ∈ 𝐷.

• 𝑄^𝑣 = ∅.

Therefore, 𝑄(𝑓(𝑐), 𝑎)^𝑣 = 0 since all of the following hold:

𝑓(𝑐)^𝑣 = 𝑓^𝑣(1) = 1 (103)
𝑎^𝑣 = 2 (104)
⟨1, 2⟩ ∉ 𝑄^𝑣. (105)

2.2.2 Evaluating Formulas without Bound Variables
Exercise 62. Give a valuation 𝑣 such that 𝑄(𝑓(𝑢), 𝑎)^𝑣 = 1.

Solution:

Remark 8. Let’s start with the valuation in the solution to exercise 60. We simplify the
formula below.
𝑓(𝑢)^𝑣 = 𝑓^𝑣(𝑢^𝑣) = 𝑢^𝑣, 𝑎^𝑣 = 2.
Thus, the formula is true if and only if ⟨𝑢^𝑣, 2⟩ ∈ 𝑄^𝑣.
The only tuple in 𝑄^𝑣 is ⟨1, 2⟩. Thus, it is sufficient to let 𝑢^𝑣 = 1.

Solution Text: The valuation 𝑣 is given below. 𝐷 = {1, 2, 3}, 𝑎^𝑣 = 2, 𝑢^𝑣 = 1, 𝑓^𝑣(𝑥) =
𝑥, ∀𝑥 ∈ 𝐷, 𝑄^𝑣 = {⟨1, 2⟩}.
Given 𝑣, we can show that 𝑄(𝑓(𝑥), 𝑎)^𝑣 = 1 because

𝑢^𝑣 = 1, 𝑓(𝑢)^𝑣 = 𝑓^𝑣(1) = 1, 𝑎^𝑣 = 2, ⟨1, 2⟩ ∈ 𝑄^𝑣.

Exercise 63. Give a valuation 𝑣 such that 𝑄(𝑓(𝑥), 𝑎)^𝑣 = 0.

Solution:

Remark 9. Let’s start with the valuation in the solution to exercise 62, and modify 𝑄^𝑣 to
be the empty set. Under 𝑣, the formula is false, using similar reasoning as exercise 61.

Solution Text: The valuation 𝑣 is given below.

𝐷 = {1, 2, 3}, 𝑎^𝑣 = 2, 𝑢^𝑣 = 1, 𝑓^𝑣(𝑥) = 𝑥, ∀𝑥 ∈ 𝐷, 𝑄^𝑣 = {⟨1, 2⟩}.

Given 𝑣, we can show that 𝑄(𝑓(𝑥), 𝑎)^𝑣 = 0 because

𝑢^𝑣 = 1, 𝑓(𝑥)^𝑣 = 𝑓^𝑣(1) = 1, 𝑎^𝑣 = 2, ⟨1, 2⟩ ∉ 𝑄^𝑣.

2.2.3 Evaluating Formulas with Free and Bound Variables
Exercise 64. Give a valuation 𝑣 such that (∃𝑥 𝑄(𝑥, 𝑢))𝑣 = 1. Assume that the domain is
𝐷 = {1, 2, 3}.

Solution:

Remark 10. Here is more explanation to help you understand how I came up with the
valuation 𝑣 above.
𝑢 is a free variable in the formula. Let’s arbitrarily define 𝑢𝑣 = 2.
To make the formula true, there must be at least one tuple in 𝑄𝑣 and the second value in the
tuple (the value of 𝑢 in the tuple) must be 2 because 𝑢𝑣 = 2. Let 𝑄𝑣 = {⟨1, 2⟩}.

Solution Text: The valuation 𝑣 is shown below.

𝐷 = {1, 2, 3}, 𝑢𝑣 = 2, 𝑄𝑣 = {⟨1, 2⟩}.

Given the 𝑣 above, we know that 𝑄(𝑢, 𝑤)𝑣(𝑢/1) = 1 because all of the following hold:

⟨𝑢, 𝑤⟩𝑣(𝑢/1)(𝑤/2) = ⟨1, 2⟩ ∈ 𝑄𝑣 (106)

Hence, by the ∃-satisfaction rule, (∃𝑥 𝑄(𝑥, 𝑦))𝑣 = 1.

Exercise 65. Give a valuation 𝑣 such that (∀𝑥 𝑄(𝑥, 𝑢))𝑣 = 1. Assume that the domain is
𝐷 = {1, 2, 3}.

Solution:

Remark 11. Let’s start with the valuation 𝑣 in exercise 64.


We will modify 𝑄𝑣 . To make the formula true, we must be able to replace 𝑥 by any value
in the domain. Furthermore, for each tuple in 𝑄𝑣 , the second value in the tuple must be 2
because the environment maps 𝑦 to 2. Thus, let 𝑄𝑣 = {⟨1, 2⟩, ⟨2, 2⟩, ⟨3, 2⟩}.

Solution Text: The valuation is shown below.

• 𝐷 = {1, 2, 3}.

• 𝑎𝑣 = 2, 𝑏𝑣 = 1, 𝑐𝑣 = 1.

• 𝑓 𝑣 (𝑥) = 𝑥, ∀𝑥 ∈ 𝐷, 𝑔𝑣 (𝑥) = 1, ∀𝑥 ∈ 𝐷.

• 𝑄𝑣 = {⟨1, 2⟩, ⟨2, 2⟩, ⟨3, 2⟩}, 𝑃 𝑣 = ∅.

The environment 𝐸 is 𝐸(𝑥) = 1, 𝐸(𝑦) = 2, 𝐸(𝑧) = 1.


We will prove that (∀𝑥 𝑄(𝑥, 𝑦))𝑣 = 1. Consider all possible values of 𝑥. By the definition
of 𝑄𝑣 , the following statements hold.

• [𝑥 ↦ 1]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 1](𝑥) = 1
𝐸[𝑥 ↦ 1](𝑦) = 2
⟨1, 2⟩ ∈ 𝑄𝑣 .

• [𝑥 ↦ 2]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦2]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 2](𝑥) = 2
𝐸[𝑥 ↦ 2](𝑦) = 2
⟨2, 2⟩ ∈ 𝑄𝑣 .

• [𝑥 ↦ 3]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦3]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 3](𝑥) = 3
𝐸[𝑥 ↦ 3](𝑦) = 2
⟨3, 2⟩ ∈ 𝑄𝑣 .

Therefore, by the satisfaction rules for ∀, (∀𝑥 𝑄(𝑥, 𝑦))𝑣 = 1.

2.2.4 Evaluating Formulas with Bound Variables Only
Exercise 66. Give an interpretation 𝐼 and an environment 𝐸 such that (∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 =
1. Start with the domain 𝐷 = {1, 2, 3}.

Solution:

Remark 12. To make the formula true, there must be at least 3 tuples in 𝑄𝑣 because 𝑦 (the
second value of each tuple) could take any of the 3 possible values in the domain.
The first element of all three tuples must be the same because there must be one value for 𝑥
that makes 𝑄(𝑥, 𝑦) true.
Note that, when choosing the value of 𝑥, we do not know the value of 𝑦 yet. Our choice of
value for 𝑥 cannot depend on the value of 𝑦.
One definition of 𝑄𝑣 that satisfies all these requirements is 𝑄𝑣 = {⟨1, 1⟩, ⟨1, 2⟩, ⟨1, 3⟩}.

Solution Text: The interpretation 𝐼 is given below.

• 𝐷 = {1, 2, 3}.

• 𝑎𝑣 = 2, 𝑏𝑣 = 1, 𝑐𝑣 = 1.

• 𝑓 𝑣 (𝑥) = 𝑥, ∀𝑥 ∈ 𝐷, 𝑔𝑣 (𝑥) = 1, ∀𝑥 ∈ 𝐷.

• 𝑄𝑣 = {⟨1, 1⟩, ⟨1, 2⟩, ⟨1, 3⟩}, 𝑃 𝑣 = ∅.

Let 𝐸 be an arbitrary environment.


We will prove that (∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1.
By the satisfaction rules of ∃, we need to show that (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦𝑑𝑥 ]) = 1 for some
𝑑𝑥 ∈ 𝐷.
Consider 𝑑𝑥 = 1. We now need to show that 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦𝑑𝑥 ][𝑦↦𝑑𝑦 ]) = 1 for every 𝑑𝑦 ∈ 𝐷.
Consider all possible values of 𝑦.

• [𝑦 ↦ 1]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦1]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑥) = 1 (107)
𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑦) = 1 (108)
⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑦)⟩ = ⟨1, 1⟩ ∈ 𝑄𝑣 . (109)

• [𝑦 ↦ 2]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦2]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑥) = 1 (110)
𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑦) = 2 (111)
⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑦)⟩ = ⟨1, 2⟩ ∈ 𝑄𝑣 . (112)

• [𝑦 ↦ 3]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦3]) = 1 because all of the following hold.

𝐸[𝑥 ↦ 1][𝑦 ↦ 3](𝑥) = 1 (113)
𝐸[𝑥 ↦ 1][𝑦 ↦ 3](𝑦) = 3 (114)
⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 3](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 3](𝑦)⟩ = ⟨1, 3⟩ ∈ 𝑄𝑣 . (115)

By the satisfaction rules of ∀, (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦1]) = 1 holds. By the definition of ∃,
(∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1 holds.

Exercise 67. Give an interpretation 𝐼 and an environment 𝐸 such that (∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 =
0. Start with the domain 𝐷 = {1, 2, 3}.

Solution:

Remark 13. The formula has no free variables. The bound variables get their meanings
through the quantifiers. Thus, there is no need to define an environment. We only need to
define an interpretation to evaluate the formula.
There are many ways to make the formula false. An easy solution is to let 𝑄𝑣 be the empty
set. Then, 𝑄𝑣 (𝑥, 𝑦) is always false and the formula must be false as well.
If there are tuples in 𝑄𝑣 , we need to make sure that 𝑄𝑣 does not have three tuples such that
the first value of all three tuples is the same and the second values of the three tuples are all
different.

Solution Text:
The interpretation 𝐼 is shown below.

• 𝐷 = {1, 2, 3}.

• 𝑎𝑣 = 2, 𝑏𝑣 = 1, 𝑐𝑣 = 1.

• 𝑓 𝑣 (𝑥) = 𝑥, ∀𝑥 ∈ 𝐷, 𝑔𝑣 (𝑥) = 1, ∀𝑥 ∈ 𝐷.

• 𝑄𝑣 = {⟨1, 1⟩, ⟨2, 2⟩, ⟨3, 3⟩}, 𝑃 𝑣 = ∅.

Let 𝐸 be an arbitrary environment.


We will prove that (∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 = 0.
By the satisfaction rules for ∃, we need to show that (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦𝑑𝑥 ]) = 0 holds for
every 𝑑𝑥 ∈ 𝐷.
Consider all possible values of 𝑥.

• [𝑥 ↦ 1]:
By the rules of satisfaction for ∀, to prove that (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦1]) = 0, we need to
prove that 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦𝑑𝑦 ]) = 0 for some 𝑑𝑦 ∈ 𝐷.
𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦2]) = 0 holds since all of the following statements hold.

𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑥) = 1 (116)
𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑦) = 2 (117)
⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑦)⟩ = ⟨1, 2⟩ ∉ 𝑄𝑣 (118)

Therefore, 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦2]) = 0 holds, which means that (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦1]) = 0
holds.

• [𝑥 ↦ 2]:
𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦2][𝑦↦1]) = 0 holds because all of the following statements hold.

𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑥) = 2 (119)
𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑦) = 1 (120)
⟨𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑥), 𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑦)⟩ = ⟨2, 1⟩ ∉ 𝑄𝑣 (121)

Therefore, (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦2]) = 0 holds.

• [𝑥 ↦ 3]:
𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦3][𝑦↦1]) = 0 holds because all of the following statements hold.

𝐸[𝑥 ↦ 3][𝑦 ↦ 1](𝑥) = 3 (122)
𝐸[𝑥 ↦ 3][𝑦 ↦ 1](𝑦) = 1 (123)
⟨𝐸[𝑥 ↦ 3][𝑦 ↦ 1](𝑥), 𝐸[𝑥 ↦ 3][𝑦 ↦ 1](𝑦)⟩ = ⟨3, 1⟩ ∉ 𝑄𝑣 (124)

Therefore, (∀𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦3]) = 0 holds.

By the satisfaction rules of ∃, we have proven that (∃𝑥(∀𝑦 𝑄(𝑥, 𝑦)))𝑣 = 0.

2.3 Tautological Consequence
Collected Wisdom:

• Tautological consequence and formal deduction are two ways of proving
the same argument. Did you notice that Q1a of assignment 6 is the same as Q2d
of assignment 7 (in Spring 2018)? We asked you to prove the same argument, once
with tautological consequence and once with formal deduction. If you have trouble
proving a statement using tautological consequence, you may want to try
formal deduction first, and then convert it to a tautological consequence
argument.

Exercise 68. Show that {(∀𝑥 𝑃 (𝑥))} ⊨ (∃𝑥 𝑃 (𝑥)).

Solution:
Proof. Consider an interpretation 𝐼 such that (∀𝑥 𝑃 (𝑥))𝑣 = 1. We will prove that (∃𝑥 𝑃 (𝑥))𝑣 =
1.
Consider an arbitrary environment 𝐸. Let 𝑑1 ∈ 𝐷 be a domain element.
By the satisfaction rules for ∀, 𝑃 (𝑥)(𝐼,𝐸[𝑥↦𝑑1 ]) = 1. Therefore, 𝐸[𝑥 ↦ 𝑑1 ](𝑥) = 𝑑1 ∈ 𝑃 𝑣 .
By the satisfaction rules for ∃, (∃𝑥 𝑃 (𝑥))𝑣 = 1.

Exercise 69. Show that {(∃𝑥 𝑃 (𝑥))} ⊭ (∀𝑥 𝑃 (𝑥)).

Solution:
Proof. To prove that the tautological consequence does not hold, we need to find an interpretation
𝐼 such that (∃𝑥 𝑃 (𝑥))𝑣 = 1 and (∀𝑥 𝑃 (𝑥))𝑣 = 0.
Consider the interpretation 𝐼 below.

• 𝐷 = {1, 2}.

• 𝑃 𝑣 = {1}.

Let 𝐸 be an arbitrary environment.


𝑃 (𝑥)(𝐼,𝐸[𝑥↦1]) = 1 holds since 𝐸[𝑥 ↦ 1](𝑥) = 1 ∈ 𝑃 𝑣 . By the satisfaction rules for ∃,
(∃𝑥 𝑃 (𝑥))𝑣 = 1.
𝑃 (𝑥)(𝐼,𝐸[𝑥↦2]) = 0 holds since 𝐸[𝑥 ↦ 2](𝑥) = 2 ∉ 𝑃 𝑣 . By the satisfaction rules for ∀,
(∀𝑥 𝑃 (𝑥))𝑣 = 0 holds.

Exercise 70. Show that {(∀𝑥 (𝐴 → 𝐵))} ⊨ ((∀𝑥 𝐴) → (∀𝑥 𝐵)), where 𝑥 is a variable
symbol and 𝐴 and 𝐵 are well-formed predicate formulas.

Solution:
Proof. Consider an interpretation 𝐼 and an environment 𝐸 such that (∀𝑥 (𝐴 → 𝐵))𝑣 = 1.
We will prove that ((∀𝑥 𝐴) → (∀𝑥 𝐵))𝑣 = 1.
To show that ((∀𝑥 𝐴) → (∀𝑥 𝐵))𝑣 = 1, we assume that (∀𝑥 𝐴)𝑣 = 1.
By the satisfaction rule for ∀, we have that

𝐴(𝐼,𝐸[𝑥↦𝑑]) = 1 for every 𝑑 ∈ 𝐷.

By our assumption, (∀𝑥 (𝐴 → 𝐵))𝑣 = 1. By the satisfaction rule for ∀, we have that

(𝐴 → 𝐵)(𝐼,𝐸[𝑥↦𝑑]) = 1 for every 𝑑 ∈ 𝐷.

By the satisfaction rule for an implication, we have that

𝐵(𝐼,𝐸[𝑥↦𝑑]) = 1 for every 𝑑 ∈ 𝐷.

By the satisfaction rule for ∀, we have that

(∀𝑥 𝐵)𝑣 = 1.
Thus, the tautological consequence holds.

Exercise 71. Show that {((∀𝑥 𝐴) → (∀𝑥 𝐵))} ⊭ (∀𝑥 (𝐴 → 𝐵)), where 𝑥 is a variable
symbol and 𝐴 and 𝐵 are well-formed predicate formulas.
Solution:
Remark 14. The most important step for the proof below is to come up with the concrete
example such that the premises are all true and the conclusion is false.
I first chose concrete formulas for 𝐴 and 𝐵. This step is important. Without doing so, I
may not be able to make claims about whether 𝐴 and 𝐵 are true or false under a particular
interpretation.
Next, I construct an interpretation to satisfy the two requirements. I start by picking a
domain containing two elements. It is small enough to be manageable and large enough to
give me a few possibilities to experiment with.
Then, I try to find definitions for 𝑃 𝑣 and 𝑄𝑣 to satisfy the two requirements.
First, I want to make the conclusion (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))) false. To do this, it is sufficient to
make 𝑃 to be true and 𝑄 to be false for one value of 𝑥 (so that the implication (𝑃 (𝑥) → 𝑄(𝑥))
is false). I used 𝑥 = 2 for this case and made sure that 2 ∈ 𝑃 𝑣 and 2 ∉ 𝑄𝑣 .
Next, I want to make the premise true. Since 2 ∉ 𝑄𝑣 , then (∀𝑥 𝑄(𝑥)) is false. So the
conclusion of the premise is false. To make the premise true, I have to make the premise of
the premise false. This means that, I need to make sure at least one domain element is not
in 𝑃 𝑣 . Therefore, I defined 𝑃 𝑣 such that 1 ∉ 𝑃 𝑣 .
Proof. Let 𝐴 be 𝑃 (𝑥) and let 𝐵 be 𝑄(𝑥), where 𝑃 and 𝑄 are unary predicates. Consider
the following interpretation:
• 𝐷 = {1, 2}
• 𝑃 𝑣 = {2} and 𝑄𝑣 = {1}
We need to show that ((∀𝑥 𝑃 (𝑥)) → (∀𝑥 𝑄(𝑥)))𝑣 = 1 and (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥)))𝑣 = 0. Let
𝐸 be an arbitrary environment.
First, we will show that ((∀𝑥 𝑃 (𝑥)) → (∀𝑥 𝑄(𝑥)))𝑣 = 1.
𝑃 (𝑥)(𝐼,𝐸[𝑥↦1]) = 0 because 𝐸[𝑥 ↦ 1](𝑥) = 1 ∉ 𝑃 𝑣 . By the satisfaction rule for ∀,
(∀𝑥 𝑃 (𝑥))𝑣 = 0.
By the satisfaction rule for an implication, ((∀𝑥 𝑃 (𝑥)) → (∀𝑥 𝑄(𝑥)))𝑣 = 1 because
(∀𝑥 𝑃 (𝑥))𝑣 = 0.
Next, we will show that (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥)))𝑣 = 0.
(𝑃 (𝑥) → 𝑄(𝑥))(𝐼,𝐸[𝑥↦2]) = 0 because 𝐸[𝑥 ↦ 2](𝑥) = 2 ∈ 𝑃 𝑣 and 𝐸[𝑥 ↦ 2](𝑥) = 2 ∉ 𝑄𝑣 .
By the satisfaction rule for ∀, (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥)))𝑣 = 0.
In summary, the tautological consequence does not hold.

Exercise 72. Show that {(∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦)))} ⊨ (∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦))).

Solution:
Proof. Consider an interpretation 𝐼 such that (∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦)))𝑣 = 1. We will prove that
(∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1. Let 𝐸 be an arbitrary environment.
By the satisfaction rules for ∃, we have

(∀𝑥 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑦↦𝑑𝑦 ]) = 1 for some 𝑑𝑦 ∈ 𝐷.

By the satisfaction rules for ∀, we have

𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑦↦𝑑𝑦 ][𝑥↦𝑑]) = 1, for some 𝑑𝑦 ∈ 𝐷 and for every 𝑑 ∈ 𝐷.

Note that in the environment 𝐸[𝑦 ↦ 𝑑𝑦 ][𝑥 ↦ 𝑑], the value of 𝑑𝑦 was chosen first
and does not depend on the value of 𝑑. Thus, the environment 𝐸[𝑦 ↦ 𝑑𝑦 ][𝑥 ↦ 𝑑]
is equivalent to the environment 𝐸[𝑥 ↦ 𝑑][𝑦 ↦ 𝑑𝑦 ]. It does not matter whether
we chose the value for 𝑥 or the value for 𝑦 first. Therefore, we rewrite the formula
above as follows.

𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦𝑑][𝑦↦𝑑𝑦 ]) = 1, for every 𝑑 ∈ 𝐷 and for some 𝑑𝑦 ∈ 𝐷.

By the satisfaction rule for ∃, we have

(∃𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦𝑑]) = 1 for every 𝑑 ∈ 𝐷.


By the satisfaction rule for ∀, we have that

(∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1.

Exercise 73. Show that {(∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))} ⊭ (∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦))).

Solution:

Remark 15. If I attempt to prove the tautological consequence, what would happen?
By the satisfaction rules for ∀, we have

(∃𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦𝑑𝑥 ]) = 1 for every 𝑑𝑥 ∈ 𝐷.

By the satisfaction rules for ∃, we have

𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦𝑑𝑥 ][𝑦↦𝑑𝑦 ]) = 1

for every 𝑑𝑥 ∈ 𝐷 and for some 𝑑𝑦 ∈ 𝐷 where the value of 𝑑𝑦 may depend on the value of 𝑑𝑥 .
Note that the value of 𝑑𝑦 may depend on the value of 𝑑𝑥 . In other words, for every value of
𝑑𝑥 , we may choose a different value of 𝑑𝑦 to satisfy the formula. Therefore, we CANNOT
switch the two overrides in the environment. The following formula is FALSE.

A false formula: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑦↦𝑑𝑦 ][𝑥↦𝑑𝑥 ]) = 1

for some 𝑑𝑦 ∈ 𝐷 and for every 𝑑𝑥 ∈ 𝐷.

Proof. To prove that the tautological consequence does not hold, we need to find an inter-
pretation 𝐼 such that (∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1 and (∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦)))𝑣 = 0.
Consider the interpretation 𝐼 below.

• 𝐷 = {1, 2}.

• 𝑄𝑣 = {⟨1, 1⟩, ⟨2, 2⟩}.

First, we will show that (∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1. Let 𝐸 be an arbitrary environment.
Consider all possible values of 𝑥.

• [𝑥 ↦ 1]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦1]) = 1 because

⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 1](𝑦)⟩ = ⟨1, 1⟩ ∈ 𝑄𝑣 .

By the satisfaction rule for ∃, (∃𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦1]) = 1.

• [𝑥 ↦ 2]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦2][𝑦↦2]) = 1 because

⟨𝐸[𝑥 ↦ 2][𝑦 ↦ 2](𝑥), 𝐸[𝑥 ↦ 2][𝑦 ↦ 2](𝑦)⟩ = ⟨2, 2⟩ ∈ 𝑄𝑣 .

By the satisfaction rule for ∃, (∃𝑦 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑥↦2]) = 1.

Thus, by the satisfaction rule for ∀, (∀𝑥 (∃𝑦 𝑄(𝑥, 𝑦)))𝑣 = 1.

Next, we will show that (∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦)))𝑣 = 0. Let 𝐸 be an arbitrary environment.
Consider all possible values of 𝑦.

• [𝑦 ↦ 1]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦2][𝑦↦1]) = 0 because

⟨𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑥), 𝐸[𝑥 ↦ 2][𝑦 ↦ 1](𝑦)⟩ = ⟨2, 1⟩ ∉ 𝑄𝑣 .

By the satisfaction rule for ∀, (∀𝑥 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑦↦1]) = 0.

• [𝑦 ↦ 2]: 𝑄(𝑥, 𝑦)(𝐼,𝐸[𝑥↦1][𝑦↦2]) = 0 because

⟨𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑥), 𝐸[𝑥 ↦ 1][𝑦 ↦ 2](𝑦)⟩ = ⟨1, 2⟩ ∉ 𝑄𝑣 .

By the satisfaction rule for ∀, (∀𝑥 𝑄(𝑥, 𝑦))(𝐼,𝐸[𝑦↦2]) = 0.

Thus, by the satisfaction rule for ∃, (∃𝑦 (∀𝑥 𝑄(𝑥, 𝑦)))𝑣 = 0.

Hence, the tautological consequence does not hold.

Exercise 74. Show that {(∀𝑥 (∃𝑦 (𝑃 (𝑥) ∨ 𝑄(𝑦))))} ⊨ (∃𝑦 (∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑦)))).

Remark 16. Wait a second! In exercise 73, didn’t we just show that this tautological
consequence does NOT hold? Not quite. In exercise 73, we dealt with a generic predicate
formula 𝑄(𝑥, 𝑦) without knowing any additional information about the predicate. In this
question, we are working with a much more concrete predicate formula (𝑃 (𝑥) ∨ 𝑄(𝑦)). It
turns out that, having this concrete predicate formula allows us to prove the tautological
consequence.

Remark 17. Let’s write out a proof sketch first.


To prove that the conclusion is true, we need to find one value 𝑑𝑦 ∈ 𝐷 for 𝑦 such that
(𝑃 (𝑥) ∨ 𝑄(𝑦)) is true for every possible value for 𝑥. The value of 𝑦 only influences the 𝑄(𝑦)
part of the formula. Does there exist a value for 𝑦 such that 𝑄(𝑦) is true?
Let’s suppose that we know that there is some 𝑑𝑦 ∈ 𝐷 for 𝑦 such that 𝑄(𝑦) is true. Would
this help us prove the conclusion? For sure. If 𝑄(𝑦) is true for 𝑦 = 𝑑𝑦 , then (𝑃 (𝑥) ∨ 𝑄(𝑦))
must be true for 𝑦 = 𝑑𝑦 regardless of the value of 𝑥. We just found a value for 𝑦 which will
make the conclusion true.
We know how to prove the conclusion for the case when 𝑄(𝑦) is true for at least one value of 𝑦.
What if 𝑄(𝑦) is always false? Let’s look at the premise. If 𝑄(𝑦) is always false, for the
premise to be true, 𝑃 (𝑥) must be true for every possible value of 𝑥. If 𝑃 (𝑥) is true for every
possible value of 𝑥, then to prove that the conclusion is true, we could choose any value for
𝑦. For any value of 𝑦, 𝑃 (𝑥) is true for any value of 𝑥, so (𝑃 (𝑥) ∨ 𝑄(𝑦)) must be true.
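
The quantifier-order point of exercises 72 to 74 can be checked mechanically on small domains. The Python below is an added example, not part of the workbook: it implements the satisfaction rules over a finite domain and searches for a counter-interpretation. The tuple encoding of formulas and all function names are assumptions of this example, and a search that finds nothing up to a size bound is evidence, not a proof.

```python
from itertools import combinations, product

# Formulas are nested tuples (an encoding chosen for this example):
#   ("pred", "Q", ("x", "y"))   atomic formula Q(x, y); arguments are variables
#   ("not", A)  ("and", A, B)  ("or", A, B)  ("imp", A, B)
#   ("forall", "x", A)  ("exists", "x", A)

def holds(f, D, preds, env):
    """Satisfaction rules over a finite domain D.

    preds maps a predicate symbol to its set of tuples (the page's Q^v; a unary
    P^v = {1} is written {(1,)}); env maps free variables to domain elements."""
    op = f[0]
    if op == "pred":
        return tuple(env[a] for a in f[2]) in preds[f[1]]
    if op == "not":
        return not holds(f[1], D, preds, env)
    if op == "and":
        return holds(f[1], D, preds, env) and holds(f[2], D, preds, env)
    if op == "or":
        return holds(f[1], D, preds, env) or holds(f[2], D, preds, env)
    if op == "imp":
        return (not holds(f[1], D, preds, env)) or holds(f[2], D, preds, env)
    if op in ("forall", "exists"):
        # E[x -> d]: override x and keep every other binding.
        values = (holds(f[2], D, preds, {**env, f[1]: d}) for d in D)
        return all(values) if op == "forall" else any(values)
    raise ValueError(f"unknown connective {op!r}")

def predicate_arities(f, found):
    """Record each predicate symbol of f with its arity in the dict found."""
    if f[0] == "pred":
        found[f[1]] = len(f[2])
    elif f[0] in ("forall", "exists"):
        predicate_arities(f[2], found)
    else:
        for sub in f[1:]:
            predicate_arities(sub, found)
    return found

def relations(D, arity):
    """Every subset of D^arity, smallest first."""
    tuples = list(product(D, repeat=arity))
    return [set(c) for r in range(len(tuples) + 1) for c in combinations(tuples, r)]

def find_countermodel(premises, conclusion, max_size=3):
    """Try domains {1..n} for n <= max_size and return (D, preds) making every
    premise true and the conclusion false, or None. Closed formulas only."""
    found = {}
    for f in [*premises, conclusion]:
        predicate_arities(f, found)
    names = sorted(found)
    for n in range(1, max_size + 1):
        D = list(range(1, n + 1))
        for choice in product(*(relations(D, found[p]) for p in names)):
            preds = dict(zip(names, choice))
            if all(holds(p, D, preds, {}) for p in premises) and \
                    not holds(conclusion, D, preds, {}):
                return D, preds
    return None

Q_XY = ("pred", "Q", ("x", "y"))
EX_X_ALL_Y = ("exists", "x", ("forall", "y", Q_XY))        # exercises 66 and 67
ALL_X_EX_Y = ("forall", "x", ("exists", "y", Q_XY))        # premise of exercise 73
EX_Y_ALL_X = ("exists", "y", ("forall", "x", Q_XY))        # conclusion of exercise 73
P_OR_Q = ("or", ("pred", "P", ("x",)), ("pred", "Q", ("y",)))
PREMISE_74 = ("forall", "x", ("exists", "y", P_OR_Q))
CONCLUSION_74 = ("exists", "y", ("forall", "x", P_OR_Q))

def check_page_valuations():
    """Evaluate the interpretations given in exercises 65, 66 and 67."""
    D = [1, 2, 3]
    all_x_q_xu = ("forall", "x", ("pred", "Q", ("x", "u")))  # u is free
    return {
        "ex65": holds(all_x_q_xu, D, {"Q": {(1, 2), (2, 2), (3, 2)}}, {"u": 2}),
        "ex66": holds(EX_X_ALL_Y, D, {"Q": {(1, 1), (1, 2), (1, 3)}}, {}),
        "ex67": holds(EX_X_ALL_Y, D, {"Q": {(1, 1), (2, 2), (3, 3)}}, {}),
    }

if __name__ == "__main__":
    print(check_page_valuations())
    print("exercise 73:", find_countermodel([ALL_X_EX_Y], EX_Y_ALL_X))
    print("exercise 74:", find_countermodel([PREMISE_74], CONCLUSION_74))
```

For exercise 73 the search stops at the same two-element interpretation used in the proof above; for exercise 74 it exhausts every interpretation of 𝑃 and 𝑄 on domains of up to three elements without finding one.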

2.3.1 Semantic Entailment - Additional Exercises
Exercise 75. {((∀𝑥 𝑃 (𝑥)) ∨ (∀𝑥 𝑄(𝑥)))} ⊨ (∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥))).

Exercise 76. {(∃𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑦 𝑃 (𝑦))} ⊨ (∃𝑥 𝑄(𝑥))

Exercise 77. {((∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥)))} ⊨ (∃𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥))).

2.4 Formal Deduction

∀-introduction (∀+)

if Σ ⊢ 𝐴(𝑢), 𝑢 not occurring in Σ,
then Σ ⊢ ∀𝑥 𝐴(𝑥).

∀-elimination (∀−)

if Σ ⊢ ∀𝑥 𝐴(𝑥),
then Σ ⊢ 𝐴(𝑡).

Comments:

• ∀− is analogous to ∧−.

• ∀+ is analogous to ∧+.
Intuitively, this rule means that: from “any member 𝑢 of the set has a certain property”
we can deduce that “every member of the set has this property”. The arbitrariness
of 𝑢 means that the choice of 𝑢 is independent of the premises in Σ. This point is
expressed by “𝑢 not occurring in Σ”.
We know nothing about 𝑢 except that 𝑢 is a domain element. If 𝑢 is special, our
conclusion may not be valid.

∃-introduction (∃+)

if Σ ⊢ 𝐴(𝑡),
then Σ ⊢ ∃𝑥 𝐴(𝑥),
where 𝐴(𝑥) results by replacing
some (not necessarily all) occurrences of 𝑡
in 𝐴(𝑡) by 𝑥.

∃-elimination (∃−)

if Σ, 𝐴(𝑢) ⊢ 𝐵, 𝑢 not occurring in Σ or 𝐵,
then Σ, ∃𝑥 𝐴(𝑥) ⊢ 𝐵.

Comments:

• ∃− is analogous to ∨−.

– Proof by cases.
– The conclusion may have nothing to do with the starting formula.

• ∃+ is analogous to ∨+.

2.4.1 Forall-elimination
Exercise 78. Show that {𝑃 (𝑢), ∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥)))} ⊢ (¬𝑄(𝑢)).

Solution:

(1) 𝑃 (𝑢), ∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥))) ⊢ (∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥)))) by ((∈))
(2) 𝑃 (𝑢), ∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥))) ⊢ 𝑃 (𝑢) by ((∈))
(3) 𝑃 (𝑢), ∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥))) ⊢ 𝑃 (𝑢) → ¬𝑄(𝑢) by ((∀−), (1))
(4) 𝑃 (𝑢), ∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥))) ⊢ ¬𝑄(𝑢) by ((→ −), (2), (3))

2.4.2 Exists-introduction
Exercise 79. Show that {(¬𝑃 (𝑣))} ⊢ (∃𝑥 (𝑃 (𝑥) → 𝑄(𝑣))).

Solution:

(1) (¬𝑃 (𝑣)), 𝑃 (𝑣), ¬𝑄(𝑣) ⊢ 𝑃 (𝑣) by (∈)
(2) (¬𝑃 (𝑣)), 𝑃 (𝑣), ¬𝑄(𝑣) ⊢ ¬𝑃 (𝑣) by (+, 1)
(3) (¬𝑃 (𝑣)), 𝑃 (𝑣) ⊢ 𝑄(𝑣) by (¬−, 1, 2)
(4) (¬𝑃 (𝑣)) ⊢ (𝑃 (𝑣) → 𝑄(𝑣)) by (→ +, 3)
(5) (¬𝑃 (𝑣)) ⊢ (∃𝑥 (𝑃 (𝑥) → 𝑄(𝑣))) by (∃+, 4)

Exercise 80. Show that {(∀𝑥 𝑃 (𝑥))} ⊢ (∃𝑦 𝑃 (𝑦)).

Solution:

(1) (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑥 𝑃 (𝑥)) by (∈)
(2) (∀𝑥 𝑃 (𝑥)) ⊢ 𝑃 (𝑢) by (∀−, 1)
(3) (∀𝑥 𝑃 (𝑥)) ⊢ (∃𝑦 𝑃 (𝑦)) by (∃+, 2)

2.4.3 Forall-introduction
Exercise 81. Show that {(∀𝑥 𝑃 (𝑥))} ⊢ (∀𝑦 𝑃 (𝑦)).

Solution:

(1) (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑥 𝑃 (𝑥)) by (∈)
(2) (∀𝑥 𝑃 (𝑥)) ⊢ 𝑃 (𝑢) by (∀−, 1)
(3) (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑦 𝑃 (𝑦)) by (∀+, 2)

Exercise 82. Show that (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))) ⊢ ((∀𝑥 𝑃 (𝑥)) → (∀𝑦 𝑄(𝑦))).

Solution:

(1) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑥 𝑃 (𝑥)) by (∈)
(2) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))) by (∈)
(3) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ 𝑃 (𝑢) by (∀−, 1)
(4) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ 𝑃 (𝑢) → 𝑄(𝑢) by (∀−, 2)
(5) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ 𝑄(𝑢) by (→ −, 3, 4)
(6) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑥 𝑃 (𝑥)) ⊢ (∀𝑦 𝑄(𝑦)) by (∀+, 5)
(7) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))) ⊢ ((∀𝑥 𝑃 (𝑥)) → (∀𝑦 𝑄(𝑦))) by (→ +, 6)

2.4.4 Forall-introduction - Additional Exercises
Exercise 83. {(∀𝑥 (∀𝑦 𝑃 (𝑥, 𝑦)))} ⊢ (∀𝑦 (∀𝑥 𝑃 (𝑥, 𝑦))).

Exercise 84. {(∀𝑥 ((¬𝑃 (𝑥)) ∧ 𝑄(𝑥)))} ⊢ (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))).

Exercise 85. {(∀𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥)))} ⊢ (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))).

Exercise 86. {(∀𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥)))} ⊢ ((∀𝑥 𝑃 (𝑥)) ∧ (∀𝑥 𝑄(𝑥))).

Exercise 87. {((∀𝑥 𝑃 (𝑥)) ∨ (∀𝑥 𝑄(𝑥)))} ⊢ (∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥))).

Exercise 88. {(∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥)))} ⊢ ((∀𝑥 (¬𝑄(𝑥))) → (∀𝑥 (¬𝑃 (𝑥)))).

Exercise 89. {(∀𝑥 (∀𝑦 (𝑅(𝑥, 𝑦) → 𝑅(𝑦, 𝑥))))} ⊢ (∀𝑥 (∀𝑦 (𝑅(𝑦, 𝑥) → 𝑅(𝑥, 𝑦)))).

Exercise 90. {(∀𝑥 (∀𝑦 (∀𝑧 ((𝑅(𝑥, 𝑦) ∧ 𝑅(𝑦, 𝑧)) → 𝑅(𝑥, 𝑧))))), (∀𝑥 (¬𝑅(𝑥, 𝑥)))}
⊢ (∀𝑥 (∀𝑦 (∀𝑧 (¬((𝑅(𝑥, 𝑦) ∧ 𝑅(𝑦, 𝑧)) ∧ 𝑅(𝑧, 𝑥)))))).

Exercise 91. {(∀𝑥 (∀𝑦 (∀𝑧 ((𝑅(𝑥, 𝑦) ∧ 𝑅(𝑥, 𝑧)) → 𝑅(𝑦, 𝑧))))), (∀𝑥 𝑅(𝑥, 𝑥))}
⊢ (∀𝑥 (∀𝑦 (∀𝑧 ((𝑅(𝑥, 𝑦) ∧ 𝑅(𝑦, 𝑧)) → 𝑅(𝑥, 𝑧))))).

2.4.5 Exists-elimination
Exercise 92. (∃𝑥 𝑃 (𝑥)) ⊢ (∃𝑦 𝑃 (𝑦)).

Solution:

(1) 𝑃 (𝑢) ⊢ 𝑃 (𝑢) by (∈)
(2) 𝑃 (𝑢) ⊢ (∃𝑦 𝑃 (𝑦)) by ((∃+), (1))
(3) (∃𝑥 𝑃 (𝑥)) ⊢ (∃𝑦 𝑃 (𝑦)) by ((∃−), (2))

Exercise 93. ∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥)) ⊢ (∃𝑥 𝑃 (𝑥)) ∧ (∃𝑥 𝑄(𝑥)).

Solution:

(1) 𝑃 (𝑢) ⊢ 𝑃 (𝑢) by ((∈))
(2) 𝑃 (𝑢) ⊢ (∃𝑥 𝑃 (𝑥)) by ((∃+), (1))
(3) 𝑄(𝑢) ⊢ 𝑄(𝑢) by ((∈))
(4) 𝑄(𝑢) ⊢ (∃𝑥 𝑄(𝑥)) by ((∃+), (3))
(5) 𝑃 (𝑢) ⊢ (∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥)) by ((∨+), (2))
(6) 𝑄(𝑢) ⊢ (∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥)) by ((∨+), (4))
(7) 𝑃 (𝑢) ∨ 𝑄(𝑢) ⊢ (∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥)) by ((∨−), (5), (6))
(8) ∃𝑥(𝑃 (𝑥) ∨ 𝑄(𝑥)) ⊢ (∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥)) by ((∃−), (7))

Exercise 94. ((∃𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥))) ⊢ (∃𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥))).

Exercise 95. Show that (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∃𝑥 𝑃 (𝑥)) ⊢ (∃𝑥 𝑄(𝑥)).

Solution:

(1) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), 𝑃 (𝑢) ⊢ (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))) by (∈)
(2) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), 𝑃 (𝑢) ⊢ 𝑃 (𝑢) by (∈)
(3) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), 𝑃 (𝑢) ⊢ 𝑃 (𝑢) → 𝑄(𝑢) by (∀−, 1)
(4) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), 𝑃 (𝑢) ⊢ 𝑄(𝑢) by (→ −, 2, 3)
(5) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), 𝑃 (𝑢) ⊢ (∃𝑥 𝑄(𝑥)) by (∃+, 4)
(6) (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∃𝑥 𝑃 (𝑥)) ⊢ (∃𝑥 𝑄(𝑥)) by (∃−, 2)

Exercise 96. Show that (∀𝑥 (𝑄(𝑥) → 𝑅(𝑥))), (∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥))) ⊢ (∃𝑥 (𝑃 (𝑥) ∧ 𝑅(𝑥))).

Solution:
1. (∀𝑥 (𝑄(𝑥) → 𝑅(𝑥))) premise
2. (∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥))) premise
3. (𝑃 (𝑢) ∧ 𝑄(𝑢)), 𝑢 fresh assumption
4. 𝑃 (𝑢) ∧e: 3
5. 𝑄(𝑢) ∧e: 3
6. (𝑄(𝑢) → 𝑅(𝑢)) ∀e: 1
7. 𝑅(𝑢) →e: 5, 6
8. (𝑃 (𝑢) ∧ 𝑅(𝑢)) ∧i: 4, 7
9. (∃𝑥 (𝑃 (𝑥) ∧ 𝑅(𝑥))) ∃i: 8
10. (∃𝑥 (𝑃 (𝑥) ∧ 𝑅(𝑥))) ∃e: 2, 3-9

2.4.6 Exists-Elimination - Additional Exercises
Exercise 97. {(∃𝑥 (𝑃 (𝑥) → 𝑄(𝑥))), (∀𝑦 𝑃 (𝑦))} ⊢ (∃𝑥 𝑄(𝑥))

Exercise 98. {(∃𝑥 (∃𝑦 𝑃 (𝑥, 𝑦)))} ⊢ (∃𝑦 (∃𝑥 𝑃 (𝑥, 𝑦))).

Exercise 99. {(∃𝑥 ((¬𝑃 (𝑥)) ∧ (¬𝑄(𝑥))))} ⊢ (∃𝑥 (¬(𝑃 (𝑥) ∧ 𝑄(𝑥)))).

Exercise 100. {(∃𝑥 ((¬𝑃 (𝑥)) ∨ 𝑄(𝑥)))} ⊢ (∃𝑥 (¬(𝑃 (𝑥) ∧ (¬𝑄(𝑥))))).

2.4.7 Putting them together
Exercise 101. Show that (∃𝑦 (∀𝑥 𝑃 (𝑥, 𝑦))) ⊢ (∀𝑥 (∃𝑦 𝑃 (𝑥, 𝑦))).

Solution: There are two different solutions, depending on whether we apply ∀+ last or apply
∃− last.
Applying ∃− last:

(1) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ (∀𝑥 𝑃 (𝑥, 𝑣)) by (∈)
(2) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ 𝑃 (𝑢, 𝑣) by (∀−, 1)
(3) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ (∃𝑦 𝑃 (𝑢, 𝑦)) by (∃+, 2)
(4) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ (∀𝑥 (∃𝑦 𝑃 (𝑥, 𝑦))) by (∀+, 3)
(5) (∃𝑦 (∀𝑥 𝑃 (𝑥, 𝑦))) ⊢ (∀𝑥 (∃𝑦 𝑃 (𝑥, 𝑦))) by (∃−, 4)

Applying ∀+ last:

(1) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ (∀𝑥 𝑃 (𝑥, 𝑣)) by (∈)
(2) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ 𝑃 (𝑢, 𝑣) by (∀−, 1)
(3) (∀𝑥 𝑃 (𝑥, 𝑣)) ⊢ (∃𝑦 𝑃 (𝑢, 𝑦)) by (∃+, 2)
(4) (∃𝑦 (∀𝑥 𝑃 (𝑥, 𝑦))) ⊢ (∃𝑦 𝑃 (𝑢, 𝑦)) by (∃−, 3)
(5) (∃𝑦 (∀𝑥 𝑃 (𝑥, 𝑦))) ⊢ (∀𝑥 (∃𝑦 𝑃 (𝑥, 𝑦))) by (∀+, 4)

Exercise 102. Show that {(∃𝑥 𝑃 (𝑥)), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦))))} ⊢ (∀𝑦 𝑄(𝑦)).

Solution: There are two different solutions, depending on whether we apply ∀+ last or apply
∃− last.

(1) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) by (∈)
(2) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑦 (𝑃 (𝑢) → 𝑄(𝑦))) by (∀−, 1)
(3) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (𝑃 (𝑢) → 𝑄(𝑣)) by (∀−, 2)
(4) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ 𝑃 (𝑢) by (∈)
(5) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ 𝑄(𝑣) by (→ −, 3, 4)
(6) (∃𝑥 𝑃 (𝑥)), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ 𝑄(𝑣) by (∃−, 5)
(7) (∃𝑥 𝑃 (𝑥)), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑦 𝑄(𝑦)) by (∀+, 6)

(1) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) by (∈)
(2) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑦 (𝑃 (𝑢) → 𝑄(𝑦))) by (∀−, 1)
(3) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (𝑃 (𝑢) → 𝑄(𝑣)) by (∀−, 2)
(4) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ 𝑃 (𝑢) by (∈)
(5) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ 𝑄(𝑣) by (→ −, 3, 4)
(6) 𝑃 (𝑢), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑦 𝑄(𝑦)) by (∀+, 5)
(7) (∃𝑥 𝑃 (𝑥)), (∀𝑥 (∀𝑦 (𝑃 (𝑥) → 𝑄(𝑦)))) ⊢ (∀𝑦 𝑄(𝑦)) by (∃−, 6)

Exercise 103. Show that {(¬(∃𝑥 𝑃 (𝑥)))} ⊢ (∀𝑥 (¬𝑃 (𝑥))). (De Morgan)

Solution:

(1) (¬(∃𝑥 𝑃 (𝑥))), 𝑃 (𝑢) ⊢ 𝑃 (𝑢) by (∈)
(2) (¬(∃𝑥 𝑃 (𝑥))), 𝑃 (𝑢) ⊢ (∃𝑥 𝑃 (𝑥)) by (∃+, 1)
(3) (¬(∃𝑥 𝑃 (𝑥))), 𝑃 (𝑢) ⊢ (¬(∃𝑥 𝑃 (𝑥))) by (∈)
(4) (¬(∃𝑥 𝑃 (𝑥))) ⊢ (¬𝑃 (𝑢)) by (¬+, 2, 3)
(5) (¬(∃𝑥 𝑃 (𝑥))) ⊢ (∀𝑥 (¬𝑃 (𝑥))) by (∀+, 4)

Exercise 104. Show that {(∀𝑥 (¬𝑃 (𝑥)))} ⊢ (¬(∃𝑥 𝑃 (𝑥))). (De Morgan)

Solution:

(1) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), ¬𝑄(𝑣) ⊢ (∀𝑥 (¬𝑃 (𝑥))) by (∈)
(2) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), ¬𝑄(𝑣) ⊢ ¬𝑃 (𝑢) by (∀−, 1)
(3) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), ¬𝑄(𝑣) ⊢ 𝑃 (𝑢) by (∈)
(4) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢) ⊢ 𝑄(𝑣) by (¬−, 2, 3)
(5) (∀𝑥 (¬𝑃 (𝑥))), (∃𝑥 𝑃 (𝑥)) ⊢ 𝑄(𝑣) by (∃−, 4)
(6) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), 𝑄(𝑣) ⊢ (∀𝑥 (¬𝑃 (𝑥))) by (∈)
(7) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), 𝑄(𝑣) ⊢ ¬𝑃 (𝑢) by (∀−, 6)
(8) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢), 𝑄(𝑣) ⊢ 𝑃 (𝑢) by (∈)
(9) (∀𝑥 (¬𝑃 (𝑥))), 𝑃 (𝑢) ⊢ ¬𝑄(𝑣) by (¬+, 7, 8)
(10) (∀𝑥 (¬𝑃 (𝑥))), (∃𝑥 𝑃 (𝑥)) ⊢ ¬𝑄(𝑣) by (∃−, 9)
(11) (∀𝑥 (¬𝑃 (𝑥))) ⊢ (¬(∃𝑥 𝑃 (𝑥))) by (¬+, 5, 10)

Exercise 105. Show that {(∃𝑥 (¬𝑃 (𝑥)))} ⊢ (¬(∀𝑥 𝑃 (𝑥))). (De Morgan)

Solution:
1. (∃𝑥 (¬𝑃 (𝑥))) premise
2. (∀𝑥 𝑃 (𝑥)) assumption
3. (¬𝑃 (𝑢)), 𝑢 fresh assumption
4. 𝑃 (𝑢) ∀e: 2
5. ⊥ ⊥i: 3, 4
6. ⊥ ∃e: 1, 3-5
7. (¬(∀𝑥 𝑃 (𝑥))) ¬i: 2-6

Exercise 106. Show that {(¬(∀𝑥 𝑃 (𝑥)))} ⊢ (∃𝑥 (¬𝑃 (𝑥))). (De Morgan)

Solution:
1. (¬(∀𝑥 𝑃 (𝑥))) premise
2. (¬(∃𝑥 (¬𝑃 (𝑥)))) assumption
3. 𝑢 fresh assumption
4. (¬𝑃 (𝑢)) assumption
5. (∃𝑥 (¬𝑃 (𝑥))) ∃i: 4
6. ⊥ 2, 5
7. 𝑃 (𝑢) PBC: 4-6
8. (∀𝑥 𝑃 (𝑥)) ∀i: 3-7
9. ⊥ ⊥i: 1, 8
10. (∃𝑥 (¬𝑃 (𝑥))) PBC: 2-9

2.4.8 Putting them together - Additional Exercises
Exercise 107. {(∀𝑥 (𝑃 (𝑥) → (¬𝑄(𝑥))))} ⊢ (¬(∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥)))).

Exercise 108. {(∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥)))} ⊢ ((∀𝑥 𝑃 (𝑥)) ∨ (∃𝑥 𝑄(𝑥))).

Exercise 109. {(∀𝑥 (𝑃 (𝑥) → (𝑄(𝑥) ∨ 𝑅(𝑥)))), (¬(∃𝑥 (𝑃 (𝑥) ∧ 𝑅(𝑥))))} ⊢ (∀𝑥 (𝑃 (𝑥) → 𝑄(𝑥))).

Exercise 110. {(∃𝑥 (𝑃 (𝑥) ∧ 𝑄(𝑥))), (∀𝑥 (𝑃 (𝑥) → 𝑅(𝑥)))} ⊢ (∃𝑥 (𝑅(𝑥) ∧ 𝑄(𝑥))).

Exercise 111. {(∃𝑥 (∃𝑦 (𝑆(𝑥, 𝑦) ∨ 𝑆(𝑦, 𝑥))))} ⊢ (∃𝑥 (∃𝑦 𝑆(𝑥, 𝑦))).

Exercise 112. {(∀𝑥 (∃𝑦 𝑅(𝑥, 𝑦)))} ⊢ (¬(∀𝑥 𝑅(𝑥, 𝑥))).


This is false. Can you prove it?

Exercise 113. {(∀𝑥 (∃𝑦 𝑅(𝑥, 𝑦)))} ⊢ (∀𝑥 (∃𝑦 (∃𝑧 (𝑅(𝑥, 𝑦) ∧ 𝑅(𝑥, 𝑧))))).

Exercise 114. {(∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑥))), (∃𝑥 (¬𝑄(𝑥))), (∀𝑥 (𝑅(𝑥) → (¬𝑃 (𝑥))))} ⊢ (∃𝑥 (¬𝑅(𝑥))).

Exercise 115. ∅ ⊢ (∃𝑦 (𝑅(𝑦) → (∀𝑥 𝑅(𝑥)))).

Exercise 116. {(∀𝑥 (∃𝑦 (𝑃 (𝑥) ∨ 𝑄(𝑦))))} ⊢ (∃𝑦 (∀𝑥 (𝑃 (𝑥) ∨ 𝑄(𝑦)))).

Exercise 117. {(∀𝑥 ((∃𝑦 𝑃 (𝑦)) → 𝑄(𝑥)))} ⊢ (∀𝑥 (∃𝑦 (𝑃 (𝑦) → 𝑄(𝑥)))).

Exercise 118. {(∀𝑥 (𝑃 (𝑥, 𝑥) ∨ (∀𝑦 𝑄(𝑥, 𝑦))))} ⊢ (∀𝑥 ((∃𝑦 𝑃 (𝑥, 𝑦)) ∨ 𝑄(𝑥, 𝑥))).

Exercise 119. ⊢ ((∀𝑥 (∃𝑦 𝑅(𝑥, 𝑦))) ∨ (¬(∀𝑥 𝑅(𝑥, 𝑥)))).

2.5 Soundness and Completeness of Natural Deduction
2.5.1 Proving that an inference rule is sound or not sound
Lemma 1. Let 𝑡 be a predicate term. Let 𝐼 be an interpretation with domain 𝐷. Let 𝐸 be
an environment. Then we have that

𝑡𝑣 ∈ 𝐷.

Lemma 2. Let 𝐴 be a well-formed predicate formula. Let 𝑡 be a predicate term. Let 𝐼 and
𝐸 be an interpretation and environment. Let 𝑥 be a variable. Then we have that
𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]).

Exercise 120. Prove that the ∀e inference rule is sound. That is, prove that the tautological
consequence holds:

{(∀𝑥 𝐴)} ⊨ 𝐴[𝑡/𝑥] (125)

where 𝐴 is a predicate formula, 𝑥 is a variable, and 𝑡 is a predicate term.

The proof sketch below is like an outline or a master plan. I will lay down the plan first.
Then I will fill in the missing details.
Proof Sketch. Consider an interpretation and environment (𝐼, 𝐸) such that (∀𝑥 𝐴)𝑣 = 1.
We need to show that 𝐴[𝑡/𝑥]𝑣 = 1.
(∀𝑥 𝐴)𝑣 = 1 holds because ...
𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 1 holds because ...
𝐴[𝑡/𝑥]𝑣 = 1 holds because ...
Thus, the tautological consequence holds and the inference rule is sound.
Solution: Let (𝐼, 𝐸) be an interpretation and environment such that (∀𝑥 𝐴)𝑣 = 1.
By the satisfaction rule for ∀, we have that 𝐴(𝐼,𝐸[𝑥↦𝑑]) = 1, for every 𝑑 ∈ 𝐷.
By Lemma 1, 𝑡𝑣 is some domain element. Thus, we have that 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 1.
By Lemma 2, we have that 𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]). Thus, we have that 𝐴[𝑡/𝑥]𝑣 = 1.

Exercise 121. Prove that the ∃i inference rule is sound. That is, prove that the tautological
consequence holds:

{𝐴[𝑡/𝑥]} ⊨ (∃𝑥 𝐴) (126)

where 𝐴 is a predicate formula, 𝑡 is a predicate term, and 𝑥 is a variable.

Proof Sketch. Consider an interpretation and environment (𝐼, 𝐸) such that 𝐴[𝑡/𝑥]𝑣 = 1. We
need to show that (∃𝑥 𝐴)𝑣 = 1.
𝐴[𝑡/𝑥]𝑣 = 1 holds because ...
𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 1 holds because ...
(∃𝑥 𝐴)𝑣 = 1 holds because ...
Thus, the tautological consequence holds and the inference rule is sound.
Solution: Let (𝐼, 𝐸) be an interpretation and environment such that 𝐴[𝑡/𝑥]𝑣 = 1.
By Lemma 2, we have that 𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]). Thus, we have that 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 1.
By Lemma 1, 𝑡𝑣 is some domain element. Thus, by the satisfaction rule for ∃, we have that
(∃𝑥 𝐴)𝑣 = 1.

Exercise 122. Prove that the following inference rule is NOT sound.
𝐴[𝑡/𝑥]
──────── ∀𝑖∗    (127)
(∀𝑥 𝐴)
where 𝐴 is a predicate formula, 𝑡 is a predicate term, and 𝑥 is a variable.
Proof Sketch. Define the symbols in the language of Predicate logic that we consider.
Choose 𝐴 to be a concrete Predicate formula. Choose 𝑡 to be a concrete Predicate term.
Define an interpretation and an environment (𝐼, 𝐸).
Show that 𝐴[𝑡/𝑥]𝑣 = 1.
Show that (∀𝑥 𝐴)𝑣 = 0.
Solution:
Remark 18. How did I come up with the interpretation and the environment below?
Given the definition of 𝐷, 𝐸, and 𝐴 and 𝑡, we can simplify the premise and the conclusion.
The premise becomes 𝐴[𝑡/𝑥] = 𝑃 (𝑥)[𝑦/𝑥] = 𝑃 (𝑦).
The conclusion becomes (∀𝑥 𝑃 (𝑥)).
To make the premise true, we need to define 𝐸(𝑦) and 𝑃 𝑣 such that 𝑃 (𝑦) is true. If we
choose 𝐸(𝑦) = 1, then we need 1 ∈ 𝑃 𝑣 . If we choose 𝐸(𝑦) = 2, then we need 2 ∈ 𝑃 𝑣 . In the
solution below, I chose 𝐸(𝑦) = 1 and 1 ∈ 𝑃 𝑣 .
To make the conclusion false, we need to make sure that 𝑃 (𝑥) is false for one element of the
domain. By the above definition, we already know that 𝑃 (𝑥) is true when 𝑥 is 1. The only
other element of the domain is 2. So we need to make sure that 𝑃 (𝑥) is false when 𝑥 is 2,
which means that 2 ∉ 𝑃 𝑣 .
Solution Text:
We need to provide an interpretation 𝐼 and an environment 𝐸 such that 𝐴[𝑡/𝑥]𝑣 = 1 and
(∀𝑥 𝐴)𝑣 = 0.
Consider the language of predicate logic where 𝑃 (1) is a unary predicate and 𝑥 and 𝑦 are
variables.
Let 𝐴 be 𝑃 (𝑥) and let 𝑡 be 𝑦. Let the interpretation 𝐼 be defined below.
• 𝐷 = {1, 2}
• 𝑃 𝑣 = {1}
Let the environment 𝐸 be defined by 𝐸(𝑥) = 1 and 𝐸(𝑦) = 1.
First, we show that 𝐴[𝑡/𝑥]𝑣 = 1. By Lemma 2, 𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]). By the definition of
the term 𝑡, 𝑡𝑣 = 𝑦𝑣 = 𝐸(𝑦) = 1. Thus, 𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦1]) = 𝑃 (𝑥)(𝐼,𝐸[𝑥↦1]) = 1 because
𝐸[𝑥 ↦ 1](𝑥) = 1 ∈ 𝑃 𝑣 .
Next, we show that (∀𝑥 𝐴)𝑣 = 0. By the satisfaction rule for ∀, we need to show that
𝐴(𝐼,𝐸[𝑥↦𝑑]) = 0 for at least one 𝑑 ∈ 𝐷. We have that 𝐴(𝐼,𝐸[𝑥↦2]) = 𝑃 (𝑥)(𝐼,𝐸[𝑥↦2]) = 0
because 𝐸[𝑥 ↦ 2](𝑥) = 2 ∉ 𝑃 𝑣 .

Exercise 123. Prove that the following inference rule is NOT sound.
(∃𝑥 𝐴)
──────── ∃𝑒∗    (128)
𝐴[𝑡/𝑥]

where 𝐴 is a predicate formula, 𝑡 is a predicate term, and 𝑥 is a variable.

Proof Sketch. Define the symbols in the language of Predicate logic that we consider.
Choose 𝐴 to be a concrete Predicate formula. Choose 𝑡 to be a concrete Predicate term.
Define an interpretation and an environment (𝐼, 𝐸).
Show that (∃𝑥 𝐴)𝑣 = 1.
Show that 𝐴[𝑡/𝑥]𝑣 = 0.
Solution: We need to provide an interpretation 𝐼 and an environment 𝐸 such that (∃𝑥 𝐴)𝑣 =
1 and 𝐴[𝑡/𝑥]𝑣 = 0.
Consider the language of predicate logic where 𝑃 (1) is a unary predicate and 𝑥 and 𝑦 are
variables.
Let 𝐴 be 𝑃 (𝑥) and let 𝑡 be 𝑦. Let the interpretation 𝐼 be defined below.

• 𝐷 = {1, 2}

• 𝑃 𝑣 = {1}

Let the environment 𝐸 be defined by 𝐸(𝑥) = 1 and 𝐸(𝑦) = 2.


First, we show that (∃𝑥 𝐴)𝑣 = 1.
By the definition of 𝑃 𝑣 , we have that

𝐴(𝐼,𝐸[𝑥↦1]) = 1

because 𝐸[𝑥 ↦ 1](𝑥) = 1 ∈ 𝑃 𝑣 .


By the satisfaction rule for ∃, we have that

(∃𝑥 𝐴)𝑣 = 1.

Second, we show that 𝐴[𝑡/𝑥]𝑣 = 0.


By Lemma 2, we have that

𝐴[𝑡/𝑥]𝑣 = 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]).

We need to prove that

𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 0.
By Lemma 1, 𝑡𝑣 is a domain element. By the definitions of 𝑡, 𝐼, and 𝐸, we have that

𝑡𝑣 = 𝑦𝑣 = 𝐸(𝑦) = 2.

By the definition of 𝑃 𝑣 , we have that

𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 𝐴(𝐼,𝐸[𝑥↦2]) = 0

because 𝐸[𝑥 ↦ 2](𝑥) = 2 ∉ 𝑃 𝑣 .

Therefore, we have that 𝐴(𝐼,𝐸[𝑥↦𝑡𝑣 ]) = 0.
The tautological consequence does not hold and the inference rule is not sound.

2.5.2 Additional Exercises
Exercise 124. Prove that the following inference rule is sound.

(∀𝑥(𝐴 → 𝐵))    𝐴[𝑡/𝑥]
──────────────────────── ∀𝑒1    (129)
𝐵[𝑡/𝑥]

where 𝐴 and 𝐵 are predicate formulas, 𝑡 is a predicate term, and 𝑥 is a variable.

Exercise 125. Prove that the following inference rule is sound.

(∀𝑥(𝐴 → 𝐵))    (¬𝐵[𝑡/𝑥])
──────────────────────── ∀𝑒2    (130)
(¬𝐴[𝑡/𝑥])

where 𝐴 and 𝐵 are predicate formulas, 𝑡 is a predicate term, and 𝑥 is a variable.

Exercise 126. Prove that the following inference rule is NOT sound.

(∀𝑥(𝐴 → 𝐵))    𝐵[𝑡/𝑥]
──────────────────────── ∀𝑒3    (131)
𝐴[𝑡/𝑥]

where 𝐴 and 𝐵 are predicate formulas, 𝑡 is a predicate term, and 𝑥 is a variable.

Exercise 127. Prove that the following inference rule is NOT sound.

(∀𝑥(𝐴 → 𝐵))    (¬𝐴[𝑡/𝑥])
──────────────────────── ∀𝑒4    (132)
(¬𝐵[𝑡/𝑥])

where 𝐴 and 𝐵 are predicate formulas, 𝑡 is a predicate term, and 𝑥 is a variable.

2.5.3 Proofs using the soundness and completeness theorems
Exercise 128. Let Σ be a set of Predicate formulas and let 𝐴 be a Predicate formula.
If Σ ∪ {(¬𝐴)} is unsatisfiable, then Σ ⊢ 𝐴.
Proof Sketch. Assume that Σ ∪ {(¬𝐴)} is unsatisfiable. This means that, for any interpre-
tation and environment (𝐼, 𝐸), at least one formula in Σ ∪ {(¬𝐴)} is false.
Prove that Σ ⊨ 𝐴. Consider an interpretation and environment (𝐼, 𝐸). Assume that every
formula in Σ is true under (𝐼, 𝐸). Prove that 𝐴 is true under (𝐼, 𝐸).
We have Σ ⊢ 𝐴 by the completeness of Natural Deduction.
Solution:
Remark 19. What does it mean for a set of formulas Σ to be unsatisfiable?
• It means that “for every (𝐼, 𝐸), at least one formula in Σ is false.”
Example 1: The set {𝑃 (𝑥), (¬𝑃 (𝑥))} is unsatisfiable. Under any (𝐼, 𝐸), if 𝑃 (𝑥) is
true, then (¬𝑃 (𝑥)) must be false. If (¬𝑃 (𝑥)) is true, then 𝑃 (𝑥) must be false.
• It DOES NOT mean that “for every (𝐼, 𝐸), at least one formula in Σ is a contradiction.”
Example 2: The set {(𝑃 (𝑥) ∧ (¬𝑃 (𝑥)))} is unsatisfiable. Under any (𝐼, 𝐸), (𝑃 (𝑥) ∧
(¬𝑃 (𝑥))) is always false. Note that this is only one type of unsatisfiable set.
• It DOES NOT mean that “for one pair (𝐼, 𝐸), at least one formula in Σ is false.”
When proving the tautological consequence Σ ⊨ 𝐴, why do we only consider the cases when
every formula in Σ is true?
By the definition of tautological consequence, we only need to verify that 𝐴 is true in the case
when every formula in Σ is true under an (𝐼, 𝐸). Thus, we do not need to consider the case
when a formula in Σ is false under an (𝐼, 𝐸).
Solution Text: Assume that Σ ∪ {(¬𝐴)} is unsatisfiable. This means that, for any
interpretation and environment (𝐼, 𝐸), at least one formula in Σ ∪ {(¬𝐴)} is false.
We need to prove that Σ ⊨ 𝐴. Consider an interpretation and environment (𝐼, 𝐸). Assume
that every formula in Σ is true under (𝐼, 𝐸). We need to prove that 𝐴 is true under (𝐼, 𝐸).
Under the (𝐼, 𝐸) we are considering, every formula in Σ is true and at least one formula in
Σ ∪ {(¬𝐴)} is false. Therefore, it must be that (¬𝐴)^𝑣 = 0. By the definition of ¬, 𝐴^𝑣 = 1.
Therefore, the tautological consequence Σ ⊨ 𝐴 holds.
Σ ⊢ 𝐴 holds by the completeness of Natural Deduction.
Exercise 129. Let Σ be a set of Predicate formulas and let 𝐴 be a Predicate formula.
If Σ ⊢ 𝐴, then Σ ∪ {(¬𝐴)} is unsatisfiable.
Exercise 130. Show that there is no formal deduction proof for {(∃𝑥 𝑃 (𝑥))} ⊢ 𝑃 (𝑡), where
𝑃 is a unary predicate, 𝑡 is a term and 𝑥 is a variable.

3 Program Verification
3.1 Partial and Total Correctness
Exercise 131. Consider the Hoare triple ⦇ (𝑥 > 0) ⦈ 𝐶1 ⦇ ((𝑦 ∗ 𝑦) < 𝑥) ⦈.
If we run 𝐶1 starting with the state (𝑥 = 5), (𝑦 = 5), 𝐶1 terminates in the state (𝑥 = 5), (𝑦 =
0).
Is the Hoare triple satisfied under partial correctness?

Solution: The answer is “not enough information to tell”.


The definition of partial correctness has an implication in it: If a starting state satisfies
the precondition and the program terminates when run with this starting state, then the
terminating state satisfies the postcondition.
For the given example, the starting state (𝑥 = 5) satisfies the precondition 𝑥 > 0, the
program terminates, and the terminating state ((𝑥 = 5), (𝑦 = 0)) satisfies the postcondition
since 𝑦 ∗ 𝑦 = 0 < 5 = 5. Therefore, this example satisfies the implication in the definition of
partial correctness.
However, to verify partial correctness, we need to consider all possible starting states which
satisfy the precondition, e.g. (𝑥 = 1), (𝑥 = 2), etc. We do not know the terminating states
for the other possible starting states. Therefore, we do not have enough information to
determine the answer.

Exercise 132. Consider the Hoare triple ⦇ (𝑥 > 0) ⦈ 𝐶2 ⦇ ((𝑦 ∗ 𝑦) < 𝑥) ⦈.


If we run 𝐶2 starting with the state (𝑥 = 5), (𝑦 = 5), 𝐶2 terminates in the state (𝑥 = 5), (𝑦 =
3).
Is the Hoare triple satisfied under partial correctness?

Solution: The answer is NO.


The definition of partial correctness has an implication in it: If a starting state satisfies
the precondition and the program terminates when run with this starting state, then the
terminating state satisfies the postcondition.
For the given example, the starting state 𝑥 = 5 satisfies the precondition 𝑥 > 0, and the
terminating state (𝑥 = 5, 𝑦 = 3) does NOT satisfy the postcondition 𝑦 ∗ 𝑦 = 0 < 5 =
5. Therefore, this example does not satisfy this implication in the definition of partial
correctness.
To verify that partial correctness is not satisfied, it is sufficient to find one counterexample
as shown above. Therefore, the triple is NOT satisfied under partial correctness.

Exercise 133. Consider the Hoare triple ⦇ (𝑥 > 0) ⦈ 𝐶3 ⦇ ((𝑦 ∗ 𝑦) < 𝑥) ⦈.
If we run 𝐶3 starting with the state (𝑥 = −3), (𝑦 = 5), 𝐶3 terminates in the state (𝑥 =
−3), (𝑦 = 0).
Is the Hoare triple satisfied under partial correctness?

Solution: The answer is “not enough information to tell”.


For the given example, the starting state 𝑥 = −3 does not satisfy the precondition.
To verify partial correctness, we only need to consider starting states that satisfy the
precondition. Therefore, the example is irrelevant for us.
Since we do not know how the program behaves for starting states that satisfy the
precondition, we do not have enough information to determine the answer.

Exercise 134. Consider the Hoare triple ⦇ (𝑥 > 0) ⦈ 𝐶4 ⦇ ((𝑦 ∗ 𝑦) < 𝑥) ⦈.


If we run 𝐶4 starting with the state (𝑥 = 2), (𝑦 = 5), 𝐶4 does not terminate.
Is the Hoare triple satisfied under partial correctness?

Solution: The answer is “not enough information to tell”.


The definition of partial correctness has an implication in it: If a starting state satisfies
the precondition and the program terminates when run with this starting state, then the
terminating state satisfies the postcondition.
For the given example, the starting state 𝑥 = 2 satisfies the precondition but the program
does not terminate. Note that, program termination is a premise of the implication in the
definition of partial correctness. Therefore, this example satisfies the implication in the
definition of partial correctness.
However, to verify partial correctness, we need to consider all possible starting states that
satisfy the precondition. Since we do not know how the program behaves for other possible
starting states, we do not have enough information to determine the answer.

Exercise 135. Is the following Hoare triple satisfied under partial and/or total correctness?
⦇ (𝑥 = 1) ⦈
while ( 1 ) {
x = 0
};
⦇ (𝑦 = 1) ⦈

Solution: The triple is satisfied under partial correctness, and it is not satisfied under total
correctness.
The program does not terminate for any starting state. Therefore, partial correctness is
automatically satisfied. (If the program does not terminate for a starting state, then the
premise of the implication is false and the implication is vacuously true.)
The program does not terminate for any starting state. Therefore, total correctness is NOT
satisfied.
The key difference between partial and total correctness is that partial correctness does not
require program termination, whereas total correctness does.
Exercise 136. Is the following Hoare triple satisfied under partial and/or total correctness?
⦇ 𝑡𝑟𝑢𝑒 ⦈
y = 1;
z = 0;
while (z != x) {
    z = z + 1;
    y = y * z;
}
⦇ (𝑦 = 𝑥!) ⦈

Solution: The triple is satisfied under partial correctness, and it is NOT satisfied under
total correctness.
The precondition is true. This means that there is no required precondition. In other words,
any starting state satisfies the precondition.
If the starting state has 𝑥 ≥ 0, we can verify that the program terminates and computes
𝑦 = 𝑥! correctly. (We are not able to prove this yet because we haven’t learned the techniques
to construct the proof. However, we could verify this on a case-by-case basis.) Therefore,
for this case, partial and total correctness are both satisfied.
If the starting state has 𝑥 < 0, the while loop runs forever and does not terminate. Therefore,
for this case, only partial correctness is satisfied. Total correctness is not satisfied because
the program does not terminate.
In summary, partial correctness is satisfied because it is satisfied in both cases. Total
correctness is NOT satisfied because the program does not terminate for some starting states
where 𝑥 < 0.

3.2 Assignment Statements
Complete the following annotations.
⦇ ⦈
x = 2;
⦇ (𝑥 = 2) ⦈
Solution:
⦇ (2 = 2) ⦈
x = 2;
⦇ (𝑥 = 2) ⦈ assignment

⦇ ⦈
x = 2;
⦇ (𝑥 = 𝑦) ⦈
Solution:
⦇ (2 = 𝑦) ⦈
x = 2;
⦇ (𝑥 = 𝑦) ⦈ assignment

⦇ ⦈
x = 2;
⦇ (𝑥 = 0) ⦈
Solution:
⦇ (2 = 0) ⦈
x = 2;
⦇ (𝑥 = 0) ⦈ assignment

⦇ ⦈
x = x + 1;
⦇ (𝑥 = (𝑛 + 1)) ⦈
Solution:
⦇ ((𝑥 + 1) = (𝑛 + 1)) ⦈
x = x + 1;
⦇ (𝑥 = (𝑛 + 1)) ⦈ assignment

⦇ ⦈
x = y;
⦇ ((2 ∗ 𝑥) = (𝑥 + 𝑦)) ⦈
Solution:
⦇ ((2 ∗ 𝑦) = (𝑦 + 𝑦)) ⦈
x = y;
⦇ ((2 ∗ 𝑥) = (𝑥 + 𝑦)) ⦈ assignment

Exercise 137. Show that the following triple is satisfied under partial correctness.
⦇ (𝑦 = 6) ⦈
x = y + 1;
⦇ (𝑥 = 7) ⦈

Solution:
⦇ (𝑦 = 6) ⦈
⦇ ((𝑦 + 1) = 7) ⦈    implied (A)
x = y + 1;
⦇ (𝑥 = 7) ⦈ assignment
Proof of implied (A):
Assume that 𝑦 = 6. Adding 1 to both sides, we get 𝑦 + 1 = 6 + 1 = 7.

Exercise 138. Show that the following triple is satisfied under partial correctness.
⦇ ((𝑥 = 𝑥0 ) ∧ (𝑦 = 𝑦0 )) ⦈
t = x;
x = y;
y = t;
⦇ ((𝑥 = 𝑦0 ) ∧ (𝑦 = 𝑥0 )) ⦈

Solution:
⦇ ((𝑥 = 𝑥0 ) ∧ (𝑦 = 𝑦0 )) ⦈
⦇ ((𝑦 = 𝑦0 ) ∧ (𝑥 = 𝑥0 )) ⦈    implied (A)
t = x;
⦇ ((𝑦 = 𝑦0 ) ∧ (𝑡 = 𝑥0 )) ⦈ assignment
x = y;
⦇ ((𝑥 = 𝑦0 ) ∧ (𝑡 = 𝑥0 )) ⦈ assignment
y = t;
⦇ ((𝑥 = 𝑦0 ) ∧ (𝑦 = 𝑥0 )) ⦈ assignment
Proof of implied (A):
Assume that ((𝑥 = 𝑥0 ) ∧ (𝑦 = 𝑦0 )) is true. By the definition of ∧, 𝑥 = 𝑥0 and 𝑦 = 𝑦0 are
both true. By the definition of ∧, ((𝑦 = 𝑦0 ) ∧ (𝑥 = 𝑥0 )) is true.

3.3 Conditional Statements
Exercise 139. Show that the following triple is satisfied under partial correctness.
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x > y) {
    max = x;
} else {
    max = y;
}
⦇ (((𝑥 > 𝑦) ∧ (𝑚𝑎𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑚𝑎𝑥 = 𝑦))) ⦈

Solution:
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x > y) {
    ⦇ (𝑥 > 𝑦) ⦈    if-then-else
    ⦇ (((𝑥 > 𝑦) ∧ (𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑥 = 𝑦))) ⦈    implied (A)
    max = x;
    ⦇ (((𝑥 > 𝑦) ∧ (𝑚𝑎𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑚𝑎𝑥 = 𝑦))) ⦈    assignment
} else {
    ⦇ (¬(𝑥 > 𝑦)) ⦈    if-then-else
    ⦇ (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))) ⦈    implied (B)
    max = y;
    ⦇ (((𝑥 > 𝑦) ∧ (𝑚𝑎𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑚𝑎𝑥 = 𝑦))) ⦈    assignment
}
⦇ (((𝑥 > 𝑦) ∧ (𝑚𝑎𝑥 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑚𝑎𝑥 = 𝑦))) ⦈    if-then-else

Proof of implied (A)


Assume that (𝑥 > 𝑦). By the definition of =, 𝑥 = 𝑥 is true. By the definition of ∧,
((𝑥 > 𝑦)∧(𝑥 = 𝑥)) is true. By the definition of ∨, (((𝑥 > 𝑦)∧(𝑥 = 𝑥))∨((𝑥 ≤ 𝑦)∧(𝑥 = 𝑦)))
is true.
Proof of implied (B)
Assume that (¬(𝑥 > 𝑦)) is true. By the definition of >, (𝑥 ≤ 𝑦) is true. By the definition
of =, 𝑦 = 𝑦 is true. By the definition of ∧, ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦)) is true. By the definition of
∨, (((𝑥 > 𝑦) ∧ (𝑦 = 𝑥)) ∨ ((𝑥 ≤ 𝑦) ∧ (𝑦 = 𝑦))) is true.

Exercise 140. Show that the following triple is satisfied under partial correctness.
⦇ (𝑥 = 3) ⦈
if (x > 0) {
    x = 1;
} else {
    x = 0;
}
⦇ (𝑥 ≥ 0) ⦈

Solution:
⦇ (𝑥 = 3) ⦈
if (x > 0) {
    ⦇ ((𝑥 = 3) ∧ (𝑥 > 0)) ⦈    if-then-else
    ⦇ (1 ≥ 0) ⦈    implied (A)
    x = 1;
    ⦇ (𝑥 ≥ 0) ⦈    assignment
} else {
    ⦇ ((𝑥 = 3) ∧ (¬(𝑥 > 0))) ⦈    if-then-else
    ⦇ (0 ≥ 0) ⦈    implied (B)
    x = 0;
    ⦇ (𝑥 ≥ 0) ⦈    assignment
}
⦇ (𝑥 ≥ 0) ⦈    if-then-else

Proof of implied (A) (((𝑥 = 3) ∧ (𝑥 > 0)) → (1 ≥ 0))


Assume that ((𝑥 = 3) ∧ (𝑥 > 0)) is true. 1 ≥ 0 is true by the definition of ≥.
Proof of implied (B) (((𝑥 = 3) ∧ (¬(𝑥 > 0))) → (0 ≥ 0))
The premise ((𝑥 = 3) ∧ (¬(𝑥 > 0))) is false. (𝑥 = 3) means that 𝑥 is positive. (¬(𝑥 > 0))
means that 𝑥 is not positive. These two formulas contradict each other and cannot be true
at the same time. Therefore, ((𝑥 = 3) ∧ (¬(𝑥 > 0))) is false by the property of ∧. The
implication is vacuously true.

Exercise 141. Show that the following triple is satisfied under partial correctness.
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (max < x) {
    max = x;
}
⦇ (𝑚𝑎𝑥 ≥ 𝑥) ⦈

Solution:
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (max < x) {
    ⦇ (𝑚𝑎𝑥 < 𝑥) ⦈    if-then
    ⦇ (𝑥 ≥ 𝑥) ⦈    implied (A)
    max = x;
    ⦇ (𝑚𝑎𝑥 ≥ 𝑥) ⦈    assignment
}
⦇ (𝑚𝑎𝑥 ≥ 𝑥) ⦈    if-then
implied (B) ((¬(𝑚𝑎𝑥 < 𝑥)) → (𝑚𝑎𝑥 ≥ 𝑥))

Proof of implied (A)


Assume that (𝑚𝑎𝑥 < 𝑥) is true. (𝑥 ≥ 𝑥) is true by the definition of ≥.
Proof of implied (B)
Assume that (¬(𝑚𝑎𝑥 < 𝑥)) is true. By the definition of ¬ and <, (𝑚𝑎𝑥 ≥ 𝑥) is true.

Exercise 142. Show that the following triple is satisfied under partial correctness.
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x % 2 == 1) {
    x = x + 1;
}
⦇ (∃𝑢 (𝑥 = (2 ∗ 𝑢))) ⦈

Solution:
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x % 2 == 1) {
    ⦇ ((𝑥%2) = 1) ⦈    if-then
    ⦇ (∃𝑢 (𝑥 + 1 = (2 ∗ 𝑢))) ⦈    implied (A)
    x = x + 1;
    ⦇ (∃𝑢 (𝑥 = (2 ∗ 𝑢))) ⦈    assignment
}
⦇ (∃𝑢 (𝑥 = (2 ∗ 𝑢))) ⦈    if-then
implied (B) ((¬(𝑥%2 = 1)) → ((∃𝑢 (𝑥 = (2 ∗ 𝑢)))))

Proof of implied (A)


Assume that ((𝑥%2) = 1) is true. This means that 𝑥 is odd. By the definition of an odd
integer, there exists an integer 𝑢 such that 𝑥 = 2 ∗ 𝑢 − 1 or 𝑥 + 1 = 2 ∗ 𝑢. Therefore,
(∃𝑢 (𝑥 + 1 = (2 ∗ 𝑢))) is true.
Proof of implied (B)
Assume that (¬(𝑥%2 = 1)) is true, which means that 𝑥 is even. By the definition of an
even integer, there exists an integer 𝑢 such that 𝑥 = 2 ∗ 𝑢. Therefore, ((∃𝑢 (𝑥 = (2 ∗ 𝑢))))
is true.

Exercise 143. Show that the following triple is satisfied under partial correctness.
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x < 5) {
    r = 0;
} else {
    if (x > 10) {
        r = 0;
    } else {
        r = 1;
    }
}
⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈

Solution:
⦇ 𝑡𝑟𝑢𝑒 ⦈
if (x < 5) {
    ⦇ 𝑡𝑟𝑢𝑒 ∧ (𝑥 < 5) ⦈    if-then-else
    ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (0 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (0 = 1))) ⦈    implied (A)
    r = 0;
    ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈    assignment
} else {
    ⦇ 𝑡𝑟𝑢𝑒 ∧ (𝑥 ≥ 5) ⦈    if-then-else
    if (x > 10) {
        ⦇ 𝑡𝑟𝑢𝑒 ∧ (𝑥 ≥ 5) ∧ (𝑥 > 10) ⦈    if-then-else
        ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (0 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (0 = 1))) ⦈    implied (B)
        r = 0;
        ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈    assignment
    } else {
        ⦇ 𝑡𝑟𝑢𝑒 ∧ (𝑥 ≥ 5) ∧ (𝑥 ≤ 10) ⦈    if-then-else
        ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (1 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (1 = 1))) ⦈    implied (C)
        r = 1;
        ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈    assignment
    }
    ⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈    if-then-else
}
⦇ ((((𝑥 < 5) ∨ (𝑥 > 10)) ∧ (𝑟 = 0)) ∨ (((5 ≤ 𝑥) ∧ (𝑥 ≤ 10)) ∧ (𝑟 = 1))) ⦈    if-then-else

3.4 Conditional Statements: Additional Exercises
Exercise 144. Show that the following triple is satisfied under partial correctness.
⦇ 𝑡𝑟𝑢𝑒 ⦈
x = a * a;
y = b * b;
z = x + y;
if (b > a) {
    z = z + 2 * a * b;
} else {
    z = z - 2 * a * b;
}
⦇ (∃𝑢 (𝑢 ∗ 𝑢 = 𝑧)) ⦈

3.5 While Loops
Exercise 145. Show that the following triple is satisfied under partial correctness.
⦇ (𝑥 ≥ 0) ⦈
y = 1;
z = 0;
while (z != x) {
    z = z + 1;
    y = y * z;
}
⦇ (𝑦 = 𝑥!) ⦈

Remark 20. There is a while loop in the program. To complete the proof, we need to come
up with an invariant for the while loop. We produce the following table, which contains
the values of all the variables in the program whenever the execution reaches the while test
z != x.
Note: We can choose any non-negative value for 𝑥. For the following table, we chose 𝑥 = 5.
Note: In the table, I wrote 𝑦 as a factorial. Doing this is helpful for seeing a relationship
between the variables (With this, it is easy to see that 𝑦 = 𝑧! in every row of the table). Also,
the post-condition says that 𝑦 should be a factorial. If we want to make progress towards that
post-condition, then it makes sense that 𝑦 is equal to some factorial at every iteration of the
loop.

x    z    y
5    0    1 = 0!
5    1    1 = 1!
5    2    2 = 2!
5    3    6 = 3!
5    4    24 = 4!
5    5    120 = 5!

Given the table, we can try to come up with a relationship between the variables. For the
relationship to be an invariant, it has to be true in every row of the table.
For example,

• (¬(𝑧 = 𝑥)) is NOT an invariant. It is NOT true in the last row of the table.

• (𝑧 ≤ 𝑥) IS an invariant. It is true in every row of the table.

• (𝑦 = 𝑧!) IS an invariant. It is true in every row of the table.

• (𝑦 = 𝑥!) is NOT an invariant. It is only true in the last row of the table and not true
in any other row.

• ((𝑧 ≤ 𝑥) ∧ (𝑦 = 𝑧!)) IS an invariant.

Note: We can combine one or more invariants with an ∧ to produce new invariants. If 𝐴
and 𝐵 are invariants, then (𝐴 ∧ 𝐵) is an invariant as well.
So far, we have found three invariants: (𝑧 ≤ 𝑥), (𝑦 = 𝑧!), and ((𝑧 ≤ 𝑥) ∧ (𝑦 = 𝑧!)). Which
of these invariants will lead to valid proofs? It turns out that the second and third
invariants will both lead to valid proofs.
How do I choose an invariant to complete my proof? The only sure way of answering this
question is to try completing the proof with the invariant. The proof is valid if and only if
we can prove all of the implied conditions using the invariant.
However, there are two strategies to speed up this process of selecting an invariant that works.

• A useful invariant is often similar to the post-condition. In our example, both
invariants that work ((𝑦 = 𝑧!) and ((𝑧 ≤ 𝑥) ∧ (𝑦 = 𝑧!))) have the component (𝑦 = 𝑧!),
which is similar to the post-condition (𝑦 = 𝑥!).
This makes intuitive sense. An invariant describes the progress we are making towards
the post-condition at every iteration of the loop. Therefore, it is only natural that the
invariant looks similar to the post-condition.

• The last implied condition (implied C) is often the most difficult to satisfy.
Thus, to test whether an invariant works, it may be more efficient to try proving implied
(C) first.

See the completed solution below with the invariant (𝑦 = 𝑧!).

Solution:
⦇ (𝑥 ≥ 0) ⦈
⦇ (1 = 0!) ⦈    implied (A)
y = 1;
⦇ (𝑦 = 0!) ⦈    assignment
z = 0;
⦇ (𝑦 = 𝑧!) ⦈    assignment
while (z != x) {
    ⦇ ((𝑦 = 𝑧!) ∧ (¬(𝑧 = 𝑥))) ⦈    partial-while
    ⦇ ((𝑦 ∗ (𝑧 + 1)) = (𝑧 + 1)!) ⦈    implied (B)
    z = z + 1;
    ⦇ ((𝑦 ∗ 𝑧) = 𝑧!) ⦈    assignment
    y = y * z;
    ⦇ (𝑦 = 𝑧!) ⦈    assignment
}
⦇ ((𝑦 = 𝑧!) ∧ (¬(¬(𝑧 = 𝑥)))) ⦈    partial-while
⦇ (𝑦 = 𝑥!) ⦈    implied (C)

Proof of implied (A):
Assume that (𝑥 ≥ 0) is true. (1 = 0!) is true by the definition of factorial.
Proof of implied (B):
Assume that (𝑦 = 𝑧!) and (¬(𝑧 = 𝑥)) are true.
Multiplying (𝑧 + 1) on both sides of (𝑦 = 𝑧!), we get that 𝑦 ∗ (𝑧 + 1) = (𝑧 + 1)! is true.
Proof of implied (C):
Assume that (𝑦 = 𝑧!) and (¬(¬(𝑧 = 𝑥))) are true. By the definition of ¬, (¬(¬(𝑧 = 𝑥)))
is equivalent to (𝑧 = 𝑥). Since (𝑦 = 𝑧!) and (𝑧 = 𝑥) are both true, we know that (𝑦 = 𝑥!)
must be true.
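The invariant search from Remark 20 can be replayed mechanically. The following Python sketch is an added example, not part of the workbook: it records the state at every loop test, discards candidates that fail in some row, and then searches small states for a counterexample to implied (C). The function names and the search bound are assumptions of this example, and surviving sample runs only fails to refute a candidate; it does not replace the proofs of the implied conditions.

```python
from math import factorial

def loop_test_states(x):
    """Run the Exercise 145 program; record (x, z, y) each time the test `z != x` is reached."""
    if x < 0:
        raise ValueError("precondition (x >= 0) is false; the loop would never exit")
    y, z = 1, 0
    states = [(x, z, y)]
    while z != x:
        z = z + 1
        y = y * z
        states.append((x, z, y))
    return states

# The five candidates discussed in Remark 20, as predicates over one state.
CANDIDATES = {
    "not (z = x)":       lambda x, z, y: not (z == x),
    "z <= x":            lambda x, z, y: z <= x,
    "y = z!":            lambda x, z, y: y == factorial(z),
    "y = x!":            lambda x, z, y: y == factorial(x),
    "z <= x and y = z!": lambda x, z, y: z <= x and y == factorial(z),
}

def surviving_candidates(start_values):
    """Candidates that hold in every recorded row, for every starting value of x."""
    alive = set(CANDIDATES)
    for x in start_values:
        for state in loop_test_states(x):
            alive = {name for name in alive if CANDIDATES[name](*state)}
    return alive

def implied_c_counterexample(name, bound=6):
    """Search small states (reachable or not) where the invariant and the exit
    condition z = x hold but the post-condition y = x! fails.
    Returns such a state, or None if none exists below the bound."""
    inv = CANDIDATES[name]
    for x in range(bound):
        z = x  # exit condition: not (z != x)
        for y in range(factorial(bound - 1) + 1):
            if inv(x, z, y) and y != factorial(x):
                return (x, z, y)
    return None

if __name__ == "__main__":
    for row in loop_test_states(5):
        print(row)
    for name in sorted(surviving_candidates(range(7))):
        print(name, "-> implied (C) counterexample:", implied_c_counterexample(name))
```

The candidate (𝑧 ≤ 𝑥) survives every row but cannot prove implied (C): the state 𝑥 = 0, 𝑧 = 0, 𝑦 = 0 satisfies it and the exit condition without satisfying (𝑦 = 𝑥!).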

Exercise 146. Show that the following triple is satisfied under partial correctness.
⦇ (𝑥 ≥ 0) ⦈
y = 1;
z = 0;
while (z < x) {
    z = z + 1;
    y = y * z;
}
⦇ (𝑦 = 𝑥!) ⦈

Solution:
⦇ (𝑥 ≥ 0) ⦈
⦇ ((1 = 0!) ∧ (0 ≤ 𝑥)) ⦈    implied (A)
y = 1;
⦇ ((𝑦 = 0!) ∧ (0 ≤ 𝑥)) ⦈    assignment
z = 0;
⦇ ((𝑦 = 𝑧!) ∧ (𝑧 ≤ 𝑥)) ⦈    assignment
while (z < x) {
    ⦇ (((𝑦 = 𝑧!) ∧ (𝑧 ≤ 𝑥)) ∧ (𝑧 < 𝑥)) ⦈    partial-while
    ⦇ (𝑦 ∗ (𝑧 + 1) = (𝑧 + 1)!) ⦈    implied (B)
    z = z + 1;
    ⦇ (𝑦 ∗ 𝑧 = 𝑧!) ⦈    assignment
    y = y * z;
    ⦇ (𝑦 = 𝑧!) ⦈    assignment
}
⦇ (((𝑦 = 𝑧!) ∧ (𝑧 ≤ 𝑥)) ∧ (¬(𝑧 < 𝑥))) ⦈    partial-while
⦇ (𝑦 = 𝑥!) ⦈    implied (C)

Proof of implied (A):


Assume that 𝑥 ≥ 0 is true. Then (0 ≤ 𝑥) is true by the definitions of ≤ and ≥. (1 = 0!) is
true by the definition of factorial.
Proof of implied (B):
Assume that (𝑦 = 𝑧!), (𝑧 ≤ 𝑥) and (𝑧 < 𝑥) are true.
Multiplying (𝑧 + 1) on both sides of (𝑦 = 𝑧!), we get that 𝑦 ∗ (𝑧 + 1) = (𝑧 + 1)! is true.
Proof of implied (C):
Assume that (𝑦 = 𝑧!), (𝑧 ≤ 𝑥) and (¬(𝑧 < 𝑥)) are true. By the definition of ¬, (¬(𝑧 < 𝑥))
is equivalent to (𝑧 ≥ 𝑥). Since (𝑧 ≤ 𝑥) and (𝑧 ≥ 𝑥), it must be that (𝑧 = 𝑥). Since (𝑦 = 𝑧!)
and (𝑧 = 𝑥) are both true, we know that (𝑦 = 𝑥!) must be true.

3.6 While Loops: Additional Exercises
Exercise 147. Show that the following triple is satisfied under partial correctness.
⦇ ((𝑛 ≥ 0) ∧ (𝑎 ≥ 0)) ⦈
s = 1;
i = 0;
while (i != n) {
    s = s * a;
    i = i + 1;
}
⦇ (𝑠 = 𝑎^𝑛) ⦈

Exercise 148. Show that the following triple is satisfied under partial correctness.
⦇ ((𝑛 ≥ 0) ∧ (𝑎 ≥ 0)) ⦈
s = 1;
i = 0;
while (i < n) {
    s = s * a;
    i = i + 1;
}
⦇ (𝑠 = 𝑎^𝑛) ⦈

3.7 Array Assignments
Exercise 149. Show that the following triple is satisfied under partial correctness.
⦇ ((𝐴[𝑥] = 𝑥0) ∧ (𝐴[𝑦] = 𝑦0)) ⦈
t = A[x];
A[x] = A[y];
A[y] = t;
⦇ ((𝐴[𝑥] = 𝑦0) ∧ (𝐴[𝑦] = 𝑥0)) ⦈    array assignment

Solution:
⦇ ((𝐴[𝑥] = 𝑥0) ∧ (𝐴[𝑦] = 𝑦0)) ⦈
⦇ ((𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑥] = 𝑦0) ∧ (𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑦] = 𝑥0)) ⦈    implied
t = A[x];
⦇ ((𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝑡}[𝑥] = 𝑦0) ∧ (𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝑡}[𝑦] = 𝑥0)) ⦈    assignment
A[x] = A[y];
⦇ ((𝐴{𝑦 ← 𝑡}[𝑥] = 𝑦0) ∧ (𝐴{𝑦 ← 𝑡}[𝑦] = 𝑥0)) ⦈    array assignment
A[y] = t;
⦇ ((𝐴[𝑥] = 𝑦0) ∧ (𝐴[𝑦] = 𝑥0)) ⦈    array assignment

Proof of implied:
We will prove that ((𝐴[𝑥] = 𝑥0) ∧ (𝐴[𝑦] = 𝑦0)) → (((𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑥] =
𝑦0) ∧ (𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑦] = 𝑥0)).

Proof. Case 1: Assume that 𝑥 = 𝑦. Assume that 𝐴[𝑥] = 𝑥0 and 𝐴[𝑦] = 𝑦0 are true.
Since 𝑥 = 𝑦, we can re-write the conclusion as follows.
𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑥] = 𝐴{𝑦 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑦]}[𝑦] = 𝐴[𝑦] = 𝑦0, and
𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑦] = 𝐴{𝑥 ← 𝐴[𝑥]}{𝑥 ← 𝐴[𝑥]}[𝑥] = 𝐴[𝑥] = 𝑥0.
Case 2: Assume that 𝑥 ≠ 𝑦. Assume that 𝐴[𝑥] = 𝑥0 and 𝐴[𝑦] = 𝑦0 are true.
Consider the array 𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}. The first assignment {𝑥 ← 𝐴[𝑦]} changes
the 𝑥th element of the array to 𝐴[𝑦]. The second assignment {𝑦 ← 𝐴[𝑥]} changes the 𝑦th
element of the array to 𝐴[𝑥]. Since 𝑥 ≠ 𝑦, the two assignments are modifying two different
elements in the array and do not affect each other.
Therefore, we have that

𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑦] = 𝐴[𝑥] = 𝑥0

because the second assignment changes the 𝑦th element to 𝐴[𝑥], and

𝐴{𝑥 ← 𝐴[𝑦]}{𝑦 ← 𝐴[𝑥]}[𝑥] = 𝐴[𝑦] = 𝑦0

because the first assignment changes the 𝑥th element to 𝐴[𝑦].
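The two cases of this proof can be checked exhaustively on small arrays. The Python sketch below is an added example, not part of the workbook: it models 𝐴{𝑖 ← 𝑒} as a functional update that returns a modified copy, and confirms for every index pair, including the aliased case 𝑥 = 𝑦, that the implied condition follows from the precondition and that the update term describes the array the program actually produces. The function names, 0-based indexing, and the array size and value range are assumptions of this example.

```python
from itertools import product

def update(A, i, e):
    """A{i <- e}: a copy of A whose element at index i is e; A itself is unchanged."""
    B = list(A)
    B[i] = e
    return B

def swap_program(A, x, y):
    """The program from Exercise 149, run on a copy of A."""
    A = list(A)
    t = A[x]
    A[x] = A[y]
    A[y] = t
    return A

def implied_condition(A, x, y, x0, y0):
    """(A{x <- A[y]}{y <- A[x]}[x] = y0) and (A{x <- A[y]}{y <- A[x]}[y] = x0).
    Both A[y] and A[x] inside the updates read the ORIGINAL array A."""
    A2 = update(update(A, x, A[y]), y, A[x])
    return A2[x] == y0 and A2[y] == x0

def check_swap(length=3, values=(0, 1, 2)):
    """For every small array and every index pair (x, y), check that
    1. the precondition (A[x] = x0 and A[y] = y0) gives the implied condition, and
    2. the update term equals the array produced by running the program.
    Returns (all_checks_passed, number_of_cases_checked)."""
    checked = 0
    for A in product(values, repeat=length):
        for x, y in product(range(length), repeat=2):
            x0, y0 = A[x], A[y]  # choose x0, y0 so that the precondition is true
            if not implied_condition(A, x, y, x0, y0):
                return False, checked
            if update(update(A, x, A[y]), y, A[x]) != swap_program(A, x, y):
                return False, checked
            checked += 1
    return True, checked

if __name__ == "__main__":
    print(check_swap())
```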

3.8 Putting them together
Exercise 150. (Reversing an array)
Consider an array 𝑅 of 𝑛 integers, 𝑅[1], 𝑅[2], ..., 𝑅[𝑛].
Consider the following program which reverses the elements inside the array 𝑅.
Let 𝑟_𝑥 denote the element at index 𝑥 in the array 𝑅 before the program execution.
Prove that the following triple is satisfied under total correctness.
⦇ ((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_𝑥))) ⦈
j = 1;
while (2 * j <= n) {
    t = R[j];
    R[j] = R[n+1-j];
    R[n+1-j] = t;
    j = j + 1;
}
⦇ ((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_{𝑛+1−𝑥}))) ⦈

Solution: Since there is a while loop in the program, we need to come up with an invariant
for the while loop.
Consider the following invariant.

𝐼𝑛𝑣(𝑗) ⊨⊨ (((∀𝑥 (1 ≤ 𝑥 ≤ 𝑗 − 1 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
    ∧ (∀𝑥 (𝑗 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))
    ∧ (𝑗 ≤ 𝑛/2 + 1))

Using the above invariant, we complete the annotations for the program as shown below.
⦇ (∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_𝑥)) ⦈
⦇ 𝐼𝑛𝑣(1) ⦈    implied (A)
j = 1;
⦇ 𝐼𝑛𝑣(𝑗) ⦈    assignment
while (2 * j <= n) {
    ⦇ (𝐼𝑛𝑣(𝑗) ∧ (2 ∗ 𝑗 ≤ 𝑛)) ⦈    partial-while
    ⦇ 𝐼𝑛𝑣(𝑗 + 1)[𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}/𝑅] ⦈    implied (B)
    t = R[j];
    ⦇ 𝐼𝑛𝑣(𝑗 + 1)[𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑡}/𝑅] ⦈    assignment
    R[j] = R[n+1-j];
    ⦇ 𝐼𝑛𝑣(𝑗 + 1)[𝑅{𝑛 + 1 − 𝑗 ← 𝑡}/𝑅] ⦈    array assignment
    R[n+1-j] = t;
    ⦇ 𝐼𝑛𝑣(𝑗 + 1) ⦈    array assignment
    j = j + 1;
    ⦇ 𝐼𝑛𝑣(𝑗) ⦈    assignment
}
⦇ (𝐼𝑛𝑣(𝑗) ∧ (¬(2 ∗ 𝑗 ≤ 𝑛))) ⦈    partial-while
⦇ ((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_{𝑛+1−𝑥}))) ⦈    implied (C)
It remains to prove the implied (A), (B), and (C).
To prove implied (C), we first prove Lemma 3 below.

Lemma 3. The two formulas below are logically equivalent.

(∀𝑥 ((1 ≤ 𝑥 ≤ (𝑛 + 1)/2) → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))
⊨⊨ (∀𝑥 ((1 ≤ 𝑥 ≤ 𝑛) → (𝑅[𝑥] = 𝑟_𝑥)))

Proof. The top formula is logically equivalent to the following formula:

(∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → 𝑅[𝑥] = 𝑟_𝑥)))
∧ (∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥})))        (133)

We will transform formula 133 as follows. Let 𝑦 = 𝑛 + 1 − 𝑥. Then 𝑥 = 𝑛 + 1 − 𝑦. Plugging
𝑥 = 𝑛 + 1 − 𝑦 into formula 133, we have

(∀𝑥 (1 ≤ 𝑛 + 1 − 𝑦 ≤ (𝑛 + 1)/2 → 𝑅[𝑦] = 𝑟_𝑦)))

Let’s simplify the inequality 1 ≤ 𝑛 + 1 − 𝑦 ≤ (𝑛 + 1)/2.

1 ≤ 𝑛 + 1 − 𝑦 → 𝑦 ≤ 𝑛

𝑛 + 1 − 𝑦 ≤ (𝑛 + 1)/2 → 𝑦 ≥ (𝑛 + 1)/2
Thus, the inequality becomes:
(𝑛 + 1)/2 ≤ 𝑦 ≤ 𝑛
The formula becomes:

(∀𝑥 ((𝑛 + 1)/2 ≤ 𝑦 ≤ 𝑛 → 𝑅[𝑦] = 𝑟_𝑦)))

Changing 𝑦 back into 𝑥, we have

(∀𝑥 ((𝑛 + 1)/2 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_𝑥)))

Implied (A):
(∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_𝑥)) → 𝐼𝑛𝑣(1)
Proof. Assume that the premise is true. Our goal is to prove that the conclusion is true.
Let’s simplify the conclusion below.
The conclusion is 𝐼𝑛𝑣(1). Taking the invariant 𝐼𝑛𝑣(𝑗) and plugging in 𝑗 = 1, we have

(((∀𝑥 (1 ≤ 𝑥 ≤ 0 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
∧ (∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))
∧ (1 ≤ 𝑛/2 + 1))

1 ≤ 𝑥 ≤ 0 is always false for any integer 𝑥. Thus the first part of the above formula is always
true. We can simplify the formula to the following.

(∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))
∧ (1 ≤ 𝑛/2 + 1))

We can further simplify 1 ≤ 𝑛/2 + 1 and get 0 ≤ 𝑛. The formula becomes the following:

(∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))        (134)
∧ (0 ≤ 𝑛))

Note that 0 ≤ 𝑛 is true because 𝑛 is positive. There is an implicit assumption that the array
has at least one element. By Lemma 3, formula 134 is logically equivalent to the premise.
Therefore, the implied holds.

To prove implied (C), we first prove Lemma 4 below.

Lemma 4. Assume that 𝑛 is odd (The array 𝑅 has an odd number of elements). The two
formulas below are logically equivalent.

(((∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 − 1)/2 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥))) ∧ (𝑅[(𝑛 + 1)/2] = 𝑟_{(𝑛+1)/2})
⊨⊨ ((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_{𝑛+1−𝑥})))

Proof.

Implied (C):
(𝐼𝑛𝑣(𝑗) ∧ (¬(2 ∗ 𝑗 ≤ 𝑛))) → ((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛 → 𝑅[𝑥] = 𝑟_{𝑛+1−𝑥})))
Proof. Let’s simplify the premise.

(2𝑗 ≤ 𝑛) ⊨⊨ (2𝑗 > 𝑛) ⊨⊨ (2𝑗 ≥ 𝑛 + 1) ⊨⊨ (𝑗 ≥ (𝑛 + 1)/2)


(𝑗 ≤ 𝑛/2 + 1) ⊨⊨ (𝑗 ≤ (𝑛 + 2)/2)
If 𝑛 is odd, then 𝑗 = (𝑛 + 1)/2. If 𝑛 is even, then 𝑗 = (𝑛 + 2)/2.
Case 1: 𝑛 is even and 𝑗 = (𝑛 + 2)/2. Plugging in 𝑗 = (𝑛 + 2)/2 into the premise, we have
(((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛/2 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
∧ (∀𝑥 ((𝑛 + 1)/2 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))        (135)
∧ (𝑗 = (𝑛 + 1)/2).
(𝑛 + 1)/2 ≤ 𝑥 ≤ (𝑛 + 1)/2 is always false. Thus, formula 135 is always true. We can simplify
the formula to the following.
(((∀𝑥 (1 ≤ 𝑥 ≤ 𝑛/2 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))        (136)
∧ (𝑗 = (𝑛 + 1)/2).
We can prove that the formula 136 is logically equivalent to the conclusion of implied (C).
(The argument is similar to Lemma 3). Therefore, when 𝑛 is even, if the premise of implied
(C) is true, then the conclusion of implied (C) must be true.
Case 2: 𝑛 is odd and 𝑗 = (𝑛 + 1)/2. Plugging in 𝑗 = (𝑛 + 1)/2 into the premise, we have
the following. (I’ve omitted the 𝑗 = (𝑛 + 1)/2 part of the formula.)
(((∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 − 1)/2 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
∧ (∀𝑥 ((𝑛 + 1)/2 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))        (137)
In formula 137, 𝑥 must be equal to (𝑛 + 1)/2. Thus, we can simplify formula 137 as follows.
(∀𝑥 ((𝑛 + 1)/2 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥})))
⊨⊨ (𝑅[(𝑛 + 1)/2] = 𝑟_{(𝑛+1)/2} ∧ 𝑅[(𝑛 + 1)/2] = 𝑟_{(𝑛+1)/2}))
⊨⊨ 𝑅[(𝑛 + 1)/2] = 𝑟_{(𝑛+1)/2}
With this simplification, the premise becomes:
(((∀𝑥 (1 ≤ 𝑥 ≤ (𝑛 − 1)/2 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
∧ (𝑅[(𝑛 + 1)/2] = 𝑟_{(𝑛+1)/2})
By Lemma 4, the above formula is logically equivalent to the conclusion of implied (C).
Therefore, when 𝑛 is odd, if the premise of implied (C) is true, then the conclusion of
implied (C) must be true.

Implied (B):

(𝐼𝑛𝑣(𝑗) ∧ (2 ∗ 𝑗 ≤ 𝑛)) → 𝐼𝑛𝑣(𝑗 + 1)[𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}/𝑅]

Proof. For convenience, let’s define 𝐼𝑛𝑣_𝑝(𝑗) to be the following formula:

(((∀𝑥 (1 ≤ 𝑥 ≤ 𝑗 − 1 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))        (138)
∧ (∀𝑥 (𝑗 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))        (139)

The premise of implied (B) becomes

(𝐼𝑛𝑣_𝑝(𝑗) ∧ (𝑗 ≤ 𝑛/2 + 1)) ∧ (2𝑗 ≤ 𝑛)

For convenience, let 𝑅′ denote 𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}. The conclusion of
implied (B) becomes

(((∀𝑥 (1 ≤ 𝑥 ≤ 𝑗 → (𝑅′[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
∧ (∀𝑥 (𝑗 + 1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅′[𝑥] = 𝑟_𝑥 ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))
∧ (𝑗 ≤ 𝑛/2))
⊨⊨ 𝐼𝑛𝑣_𝑝(𝑗 + 1)[𝑅′/𝑅] ∧ (𝑗 ≤ 𝑛/2)

To prove implied (B), it is sufficient for us to prove the following two implications:
Implication 1: ((𝑗 ≤ 𝑛/2 + 1)) ∧ (2𝑗 ≤ 𝑛)) → (𝑗 ≤ 𝑛/2).
Proof of implication 1: Assume that (𝑗 ≤ 𝑛/2 + 1)) and (2𝑗 ≤ 𝑛) are true. (2𝑗 ≤ 𝑛) is
equivalent to (𝑗 ≤ 𝑛/2). Since 𝑛/2 < 𝑛/2 + 1, we know that (𝑗 ≤ 𝑛/2), which is the
conclusion that we need.
Implication 2: 𝐼𝑛𝑣_𝑝(𝑗) → 𝐼𝑛𝑣_𝑝(𝑗 + 1)[𝑅′/𝑅].
Proof of implication 2: Let’s recall what 𝐼𝑛𝑣_𝑝(𝑗) and 𝐼𝑛𝑣_𝑝(𝑗 + 1)[𝑅′/𝑅] are.

𝐼𝑛𝑣_𝑝(𝑗) ⊨⊨ (((∀𝑥 (1 ≤ 𝑥 ≤ 𝑗 − 1 → (𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
    ∧ (∀𝑥 (𝑗 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))

𝐼𝑛𝑣_𝑝(𝑗 + 1)[𝑅′/𝑅] ⊨⊨ (((∀𝑥 (1 ≤ 𝑥 ≤ 𝑗 → (𝑅′[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_𝑥)))
    ∧ (∀𝑥 (𝑗 + 1 ≤ 𝑥 ≤ (𝑛 + 1)/2 → (𝑅′[𝑥] = 𝑟_𝑥 ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}))))

To prove implication 2, it is sufficient to prove the following implications.


For any 1 ≤ 𝑥 ≤ 𝑗 − 1,

(𝑅[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_𝑥) → (𝑅′[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_𝑥).

Recall that 𝑅′ = 𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}. The two assignments only
potentially affect the elements at indices 𝑗 and 𝑛 + 1 − 𝑗. Thus, for any index 𝑥 where
1 ≤ 𝑥 ≤ 𝑗 − 1, the element of 𝑅 is not affected. Thus, for any 1 ≤ 𝑥 ≤ 𝑗 − 1, 𝑅[𝑥] = 𝑅′[𝑥].
Thus, the implication holds.
For 𝑗 + 1 ≤ 𝑥 ≤ (𝑛 + 1)/2,

(𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}) → (𝑅′[𝑥] = 𝑟_𝑥 ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}).

Recall that 𝑅′ = 𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}. The two assignments only
potentially affect the elements at indices 𝑗 and 𝑛 + 1 − 𝑗. Thus, for any index 𝑥 where
𝑗 + 1 ≤ 𝑥 ≤ (𝑛 + 1)/2, the element of 𝑅 is not affected. Thus, for any 𝑗 + 1 ≤ 𝑥 ≤ (𝑛 + 1)/2,
𝑅[𝑥] = 𝑅′[𝑥]. Thus, the implication holds.
For 𝑥 = 𝑗,

(𝑅[𝑥] = 𝑟_𝑥 ∧ 𝑅[𝑛 + 1 − 𝑥] = 𝑟_{𝑛+1−𝑥}) → (𝑅′[𝑥] = 𝑟_{𝑛+1−𝑥} ∧ 𝑅′[𝑛 + 1 − 𝑥] = 𝑟_𝑥).

This is equivalent to the following implication:

(𝑅[𝑗] = 𝑟_𝑗 ∧ 𝑅[𝑛 + 1 − 𝑗] = 𝑟_{𝑛+1−𝑗}) → (𝑅′[𝑗] = 𝑟_{𝑛+1−𝑗} ∧ 𝑅′[𝑛 + 1 − 𝑗] = 𝑟_𝑗).

Since 𝑗 < (𝑛 + 1)/2, 𝑗 ≠ 𝑛 + 1 − 𝑗. Thus, we have that

𝑅′[𝑗] = 𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}[𝑗] = 𝑅[𝑛 + 1 − 𝑗] = 𝑟_{𝑛+1−𝑗}

by the first assignment {𝑗 ← 𝑅[𝑛 + 1 − 𝑗]} and by our assumption that 𝑅[𝑛 + 1 − 𝑗] = 𝑟_{𝑛+1−𝑗}, and

𝑅′[𝑛 + 1 − 𝑗] = 𝑅{𝑗 ← 𝑅[𝑛 + 1 − 𝑗]}{𝑛 + 1 − 𝑗 ← 𝑅[𝑗]}[𝑛 + 1 − 𝑗] = 𝑅[𝑗] = 𝑟_𝑗

by the second assignment {𝑛 + 1 − 𝑗 ← 𝑅[𝑗]} and by our assumption that 𝑅[𝑗] = 𝑟_𝑗.

4 Undecidability
4.1 Prove that a problem is decidable
Collected Wisdom:

• When you describe an algorithm, make sure that it terminates. For example, if a set
𝑆 is infinite, your algorithm cannot iterate through every element of 𝑆. For another
example, it is okay to draw the truth table of a given formula because the truth table
has finite size.

• An algorithm usually considers several cases. Make sure that you clearly indicate the
return value of the algorithm in every case.

Exercise 151. The propositional-satisfiability problem: Is the propositional formula 𝐴 satisfiable?
Prove that the propositional-satisfiability problem is decidable.

Solution: We are given the propositional formula 𝐴. We will draw the truth table of 𝐴.
The formula 𝐴 must have a finite number of propositional variables in it. Therefore, the
truth table will have a finite size and we will need a finite amount of time to draw the truth
table.
We will go through every cell in the final column of the truth table, where the truth value
of 𝐴 is indicated. If we can find one row of the truth table in which 𝐴 is true, then 𝐴 is
satisfiable. Otherwise, if 𝐴 is false in every row of the truth table, then 𝐴 is not satisfiable.
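The truth-table procedure from this solution, written out as an added Python example that is not part of the workbook. The nested-tuple formula representation and the function names are assumptions of this example. The loop visits at most 2^k rows for a formula with k variables, so it always terminates, and every path out of the function returns an explicit answer.

```python
from itertools import product

# Constructed formula representation (an assumption of this example):
#   a propositional variable is a string, and compound formulas are tuples:
#   ("not", A), ("and", A, B), ("or", A, B), ("imp", A, B)

def variables(formula):
    """The finite set of propositional variables occurring in the formula."""
    if isinstance(formula, str):
        return {formula}
    found = set()
    for sub in formula[1:]:
        found |= variables(sub)
    return found

def evaluate(formula, valuation):
    """Truth value of the formula in one row of its truth table."""
    if isinstance(formula, str):
        return valuation[formula]
    op = formula[0]
    if op == "not":
        return not evaluate(formula[1], valuation)
    left = evaluate(formula[1], valuation)
    right = evaluate(formula[2], valuation)
    if op == "and":
        return left and right
    if op == "or":
        return left or right
    if op == "imp":
        return (not left) or right
    raise ValueError(f"unknown connective: {op!r}")

def decide_satisfiable(formula):
    """Decide satisfiability by walking the truth table row by row.
    Returns (answer, satisfying_valuation_or_None, rows_examined)."""
    names = sorted(variables(formula))
    rows = 0
    for values in product([False, True], repeat=len(names)):
        rows += 1
        valuation = dict(zip(names, values))
        if evaluate(formula, valuation):
            return True, valuation, rows   # one true row is enough
    return False, None, rows               # false in every row

if __name__ == "__main__":
    print(decide_satisfiable(("and", "p", ("not", "p"))))
    print(decide_satisfiable(("and", ("imp", "p", "q"), ("and", "p", ("not", "r")))))
```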

Exercise 152. The propositional-tautology problem: Is the propositional formula 𝐴 a tautology?
Prove that the propositional-tautology problem is decidable.

4.2 The Halting Problem is Undecidable
Exercise 153. The Halting Problem: Given a program 𝑃 and an input 𝐼, does P terminate
when run with input 𝐼?
Prove that the Halting Problem is undecidable.

Solution: This proof is adapted from a proof by Luwei Zhang. Thanks, Luwei!
Proof by Contradiction. Assume that the halting problem is decidable. There exists an
algorithm 𝐻 such that 𝐻 takes a program 𝑃 and an input 𝐼 for 𝑃 and returns yes if 𝑃
terminates when run with input 𝐼 and no otherwise.
We will construct a program 𝑋 which takes a program 𝑌 as its input. 𝑋 works as follows.

• 𝑋 calls 𝐻(𝑌 , 𝑌 ) to predict whether program 𝑌 will terminate when run with input
𝑌.

• If 𝐻(𝑌 , 𝑌 ) returns yes, 𝑋 goes into an infinite loop and does not terminate.

• If 𝐻(𝑌 , 𝑌 ) returns no, 𝑋 terminates immediately.

Now, consider what happens if we run the program 𝑋 with itself as input.
Suppose that 𝐻 predicts that 𝑋 terminates when run with input 𝑋. Then by the construction
of 𝑋, when 𝐻(𝑋, 𝑋) returns yes, 𝑋 goes into an infinite loop and does not terminate.
𝐻’s prediction was wrong.
Suppose that 𝐻 predicts that 𝑋 does not terminate when run with input 𝑋. Then by the
construction of 𝑋, when 𝐻(𝑋, 𝑋) returns no, 𝑋 terminates immediately. 𝐻’s prediction
was wrong again.
Therefore, 𝐻 does not correctly predict whether 𝑋 terminates when run with input 𝑋. This
contradicts our assumption that 𝐻 can decide the Halting Problem.
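
The construction of 𝑋 can be tried against any concrete candidate for 𝐻. The following is an added example, not part of the original workbook: programs are modelled as Python generators (one `yield` per step), and the three candidate deciders and all function names are assumptions chosen for illustration.

```python
DONE = object()  # sentinel: the program ran to completion

def observed_to_halt(program, arg, budget=10_000):
    """True if program(arg) finishes within `budget` steps.

    A step budget cannot decide halting in general; it is sound here only
    because X's non-terminating branch is an unconditional loop.
    """
    steps = program(arg)
    return any(next(steps, DONE) is DONE for _ in range(budget))

def build_X(H):
    """The program X from the proof, built against a candidate decider H."""
    def X(Y):
        if H(Y, Y):        # H predicts that Y terminates on input Y ...
            while True:    # ... so X goes into an infinite loop
                yield
        # H predicts that Y does not terminate: X terminates immediately
    return X

# Three candidate deciders (hypothetical). Any other H fails the same way.
def always_yes(P, I):
    return True

def always_no(P, I):
    return False

def by_code_size(P, I):
    return len(P.__code__.co_code) % 2 == 0

def refute(H):
    """Return (H's prediction for X run on X, what X run on X actually does)."""
    X = build_X(H)
    return H(X, X), observed_to_halt(X, X)

if __name__ == "__main__":
    for H in (always_yes, always_no, by_code_size):
        predicted, actual = refute(H)
        print(f"{H.__name__}: predicted halts={predicted}, observed halts={actual}")
```

Whatever 𝐻 answers on (𝑋, 𝑋), the observed behaviour is the opposite, because 𝑋 consults 𝐻 and then does the reverse.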

4.3 Prove that a problem is undecidable
Collected Wisdom:

• Suppose that we are trying to prove that problem 𝑋 is undecidable. In your reduction,
make the inputs to the algorithm for solving problem 𝑋 relate to 𝑃 and 𝐼. After all,
we are trying to construct an algorithm to determine whether 𝑃 terminates when run
with input 𝐼.

• To verify whether a reduction leads to a valid proof, consider two different cases: (1)
𝑃 terminates when run with input 𝐼. (2) 𝑃 does not terminate when run with input
𝐼. A reduction works if and only if the constructed algorithm gives the correct answer
for both cases.

• A few useful constructions:

1. Construct a program which runs 𝑃 with input 𝐼.
2. Construct a program which does nothing and terminates immediately.
3. Construct a program which has an infinite loop and runs forever.
4. Construct a program which ignores its input and does one of 1, 2, or 3.

Exercise 154. The halting-no-input problem: Given a program 𝑃 that requires no input,
does 𝑃 halt?
Prove that the halting-no-input problem is undecidable.

Solution:
Proof by Contradiction. Assume that there is an algorithm 𝐵 which solves the
halting-no-input problem. We will construct an algorithm 𝐴 to solve the halting problem.
Algorithm 𝐴 takes two inputs: a program 𝑃 and an input 𝐼. It works as follows:

• Constructs a program 𝑃′, which runs 𝑃 with input 𝐼.

• Runs algorithm 𝐵 with the program 𝑃′ as the input and returns the result 𝐵(𝑃′).

By our construction of algorithm 𝐴, 𝑃′ halts if and only if 𝑃 halts on input 𝐼. Therefore, if
algorithm 𝐵 solves the halting-no-input problem for input 𝑃′, then algorithm 𝐴 solves the
halting problem for inputs 𝑃 and 𝐼.
By our assumption, algorithm 𝐵 solves the halting-no-input problem. Thus, algorithm 𝐴
solves the halting problem.
This contradicts the fact that the halting problem is undecidable.

Exercise 155. The both-halt problem: Given two programs 𝑃₁ and 𝑃₂ that take no input,
do both programs halt?
Prove that the both-halt problem is undecidable.

Solution:
Proof by Contradiction. Assume that there is an algorithm 𝐵 which solves the both-halt
problem. We will construct an algorithm 𝐴 to solve the halting problem.
Algorithm 𝐴 takes two inputs: a program 𝑃 and an input 𝐼. It works as follows:

• Constructs a program 𝑃′, which runs 𝑃 with input 𝐼.

• Runs algorithm 𝐵 with the two programs 𝑃′ and 𝑃′ as its inputs and returns the
result 𝐵(𝑃′, 𝑃′).

By our construction of algorithm 𝐴, both programs 𝑃′ and 𝑃′ halt if and only if 𝑃 halts on
input 𝐼. Therefore, if algorithm 𝐵 solves the both-halt problem for inputs 𝑃′ and 𝑃′, then
the algorithm 𝐴 solves the halting problem for inputs 𝑃 and 𝐼.
By our assumption, algorithm 𝐵 solves the both-halt problem. Thus, algorithm 𝐴 solves the
halting problem.
This contradicts the fact that the halting problem is undecidable.

Remark 21. Other reductions:

• Let 𝑃₁ do nothing. Let 𝑃₂ run 𝑃 with input 𝐼. (This works.)

• Let 𝑃₁ contain an infinite loop. Let 𝑃₂ run 𝑃 with input 𝐼. (This does NOT work.)
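
The two-case check from the Collected Wisdom, applied to the reduction in the solution to Exercise 155 and to the two reductions in Remark 21, as an added example that is not part of the original workbook. Programs are modelled as Python generators; `B` is a step-bounded stand-in for the assumed both-halt algorithm (no real one exists), and `countdown` and all other names are assumptions of this sketch.

```python
DONE = object()  # sentinel: the program ran to completion

def halts(prog, budget=10_000):
    """Step-bounded run; correct only for the small sample programs below."""
    steps = prog()
    return any(next(steps, DONE) is DONE for _ in range(budget))

def B(p1, p2):
    """Stand-in for the assumed both-halt algorithm B."""
    return halts(p1) and halts(p2)

def run_P_on_I(P, I):
    """Construction 1: a no-input program P' which runs P with input I."""
    def P_prime():
        yield from P(I)
    return P_prime

def do_nothing():        # construction 2: terminates immediately
    return
    yield                # unreachable; only makes this a generator

def loop_forever():      # construction 3: runs forever
    while True:
        yield

# Each reduction maps P' to the answer that algorithm A would return.
REDUCTIONS = {
    "same_twice":    lambda Pp: B(Pp, Pp),            # solution to Exercise 155
    "nothing_and_P": lambda Pp: B(do_nothing, Pp),    # Remark 21, first bullet
    "loop_and_P":    lambda Pp: B(loop_forever, Pp),  # Remark 21, second bullet
}

def countdown(n):
    """Sample program P: halts on n >= 0 and runs forever on n < 0."""
    while n != 0:
        n -= 1
        yield

def check(name):
    """A reduction works iff A is right in both cases for P and I."""
    halting = run_P_on_I(countdown, 5)      # case 1: P halts on I
    diverging = run_P_on_I(countdown, -1)   # case 2: P does not halt on I
    reduce_ = REDUCTIONS[name]
    return reduce_(halting) is True and reduce_(diverging) is False
```

The third reduction fails case 1: with an infinite loop as the first program, 𝐵 answers no even when 𝑃 halts on 𝐼, so its answer carries no information about 𝑃.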

Remark 22. A variant of this problem:

Consider the both-run-forever problem: Given two programs 𝑃₁ and 𝑃₂, do both programs
run forever?
Prove that the both-run-forever problem is undecidable.

Exercise 156. We say that two programs agree on all inputs if and only if, for every input
𝑥, either they both run forever, or they both halt and return the same value.
The program-agreement problem: Given two programs, do they agree on all inputs?
Prove that the program-agreement problem is undecidable.

Exercise 157. The total-correctness problem: Given a Hoare triple, is the triple satisfied
under total correctness?
Prove that the total-correctness problem is undecidable.

Exercise 158. The partial-correctness problem: Given a Hoare triple, is the triple satisfied
under partial correctness?
Prove that the partial-correctness problem is undecidable.

Solution:
Proof by Contradiction. Assume that there is an algorithm 𝐵 which solves the
partial-correctness problem. We will construct an algorithm 𝐴 to solve the halting problem.
Algorithm 𝐴 takes two inputs: a program 𝑃 and an input 𝐼. It works as follows:

• Constructs a program 𝑃′, which runs 𝑃 with input 𝐼.

• Constructs the Hoare triple ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈.

• Runs algorithm 𝐵 with the Hoare triple ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈ as its input.

• Returns the negation of the result 𝐵(⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈). (If 𝐵 returns true, then 𝐴
returns false, and vice versa.)

If the program 𝑃′ terminates, then the triple ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈ is NOT satisfied under
partial correctness because the postcondition is false. Therefore, the only way for the triple
to be satisfied under partial correctness is when 𝑃′ does not terminate.
By our construction of algorithm 𝐴, 𝑃 halts on input 𝐼 if and only if 𝑃′ halts. 𝑃′ halts if
and only if the triple ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈ is NOT satisfied under partial correctness. Thus,
𝑃 halts on input 𝐼 if and only if the triple ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈ is NOT satisfied under
partial correctness.
Therefore, if algorithm 𝐵 solves the partial-correctness problem for input ⦇ 𝑡𝑟𝑢𝑒 ⦈ 𝑃′ ⦇ 𝑓𝑎𝑙𝑠𝑒 ⦈,
then the algorithm 𝐴 solves the halting problem for inputs 𝑃 and 𝐼.
By our assumption, algorithm 𝐵 solves the partial-correctness problem. Thus, algorithm 𝐴
solves the halting problem.
This contradicts the fact that the halting problem is undecidable.

Exercise 159. The exists-halting-input problem: Given a program 𝑃, does there exist an
input 𝐼 such that 𝑃 halts with input 𝐼?
Prove that this problem is undecidable.

Exercise 160. The halt-every-input problem: Given a program 𝑃, does 𝑃 halt for every
input?
Prove that the halt-every-input problem is undecidable.
