SE 504
Proof of correctness of a program comprised of a selection (if) command
and an assignment


Prove the following Hoare triple:

{ P: 0<i & i<m & m<N & (&j | i < j < N : b.j >= b.m) }
if b.i >= b.m  -->  skip
[] b.i <= b.m  -->  m := i
fi;
i := i-1
{ Q: 0<=i & i<m & m<N & (&j | i < j < N : b.j >= b.m) }

Solution:
--------
The given Hoare triple is of the form {P} S1; S2 {Q}, where S1 is a
selection command and S2 is an assignment command.  The Hoare triple
catenation law tells us that, to prove it, it suffices to devise a
predicate R and to show

               {P} S1 {R}  &  {R} S2 {Q}

Because S2 is an assignment, we choose R to be wp.S2.Q.  By definition of
wp, this choice for R truthifies {R} S2 {Q}.  Hence, it remains only to
prove {P} S1 {R}.  As S1 is a selection (i.e., if) command, we do so by
applying the Hoare triple selection law, which says that it suffices to show 

(a) [P ==> BB], where BB is the disjunction of the guards, and
(b) {P & Bi} Si {R} (for all i).

As for (a), it is trivial, because, in any state, at least one of b.i <= b.m
(i.e., B0) or b.i >= b.m (i.e., B2) must hold.  If we insist on formality,
we could prove (a) as follows.  (Notice that we don't even need to make use
of P.)

     BB

 =      < BB is disjunction of guards, of which there are two >

     B0 v B1

 =      < defn of B0, B1 >

     b.i <= b.m  v  b.i >= b.m

 =      < defn of <= >

     b.i = b.m  v  b.i < b.m  v   b.i >= b.m

 =      < theorem: [~(x < y)  =  x >= y] >

     b.i = b.m  v  b.i < b.m  v  ~(b.i < b.m)

 =      < Excluded Middle (3.28); true is zero of v (3.29) >

     true


As for (b), because there are two guarded commands in our selection command,
we are to prove both (i) {P & B0} S0 {R} and (ii) {P & B1} S1 {R}.  Our
choice for R was wp.(i:=i-1).Q, which, applying the wp assignment law and
textual substitution, works out to

      R: 0<=i-1 & i-1<m & m<N & (&j | i-1 < j < N : b.j >= b.m)


(i) {P & B0} S0 {R}  (i.e., [P & B0 ==> wp.S0.R])

   We prove it by assuming the antecedant (P & B0) and showing the consequent
   (wp.S0.R).


       wp.S0.R

   =      < defn. of S0 >

       wp.skip.R

   =      < wp skip law >

       R

   =      < defn of R >

       0<=i-1 & i-1<m & m<N & (&j | i-1 < j < N : b.j >= b.m)

   =      < assumption 0<i is equivalent to 0<=i-1 >

       true  &  i-1<m  &  m<N  &  (&j | i-1 < j < N : b.j >= b.m)

   =      < assumption i<m implies i-1<m >

       true  &  true  &  i<N  &  (&j | i-1 < j < N : b.j >= b.m)

   =      < assumptions i<m and m<N together imply 
            (by transitivity of < ) i<N             >

       true  &  true  &  true  &  (&j | i-1 < j < N : b.j >= b.m)

   =      < true is identity of & (3.39), three times >

       (&j | i-1 < j < N : b.j >= b.m)

   =      < split off term (8.23) (justified by fact that the 
            assumptions guarantee i<N, as noted above, from which it
            follows that there is at least one value of j satisying
            i-1 < j < N (i.e., the range is nonempty))                >

       b.i >= b.m  &  (&j | i < j < N : b.j >= b.m)

   =      < assumption B0, (3.39) >

       (&j | i < j < N : b.j >= b.m)

   =      < (4th conjunct of) assumption P >

       true



(ii) {P & B1} S1 {R}  (i.e., [P & B1 ==> wp.S1.R])

   We prove it by assuming the antecedant (P & B1) and showing the consequent
   (wp.S1.R).

       wp.S1.R

   =      < defn. of S1 >

       wp.(m:=i).R

   =      < wp assignment law >

       R(m:=i)

   =      < defn of R, text. sub. >

       0<=i-1  &  i-1<i  &  i<N  &  (&j | i-1 < j < N : b.j >= b.i)

   =      < assumption 0<i is equivalent to 0<=i-1 >

       true  &  i-1<i  &  i<N  &  (&j | i-1 < j < N : b.j >= b.i)

   =      < number theoretic theorem: x-1 < x >

       true  &  true  &  i<N  &  (&j | i-1 < j < N : b.j >= b.i)

   =      < assumptions i<m and m<N together
            imply, by transitivity of <, that i<N        >

       true  &  true  &  true  &  (&j | i-1 < j < N : b.j >= b.i)

   =      < true is identity of & (3.39), three times >

       (&j | i-1 < j < N : b.j >= b.i)

   =      < split off term (8.23) (justified by fact that the 
            assumptions guarantee i<N, as noted above, from which it
            follows that there is at least one value of j satisfying
            i-1 < j < N (i.e., the range is nonempty))               >

       b.i >= b.i  &  (&j | i < j < N : b.j >= b.i)

   =      < theorem: x >= x; true is identity of & (3.39) >

       (&j | i < j < N : b.j >= b.i)

   Now what?  The expression above, which we want to prove, says that
   b.j >= b.i for all j in the range i+1..N-1.  But this follows from
   the transitivity of >= together with two of our assumptions, namely B1
   (which says that b.m >= b.i) and the 4th conjunct of P (which says that
   b.j >= b.m for all j in i+1..N-1).  How can we show this formally?  It
   is a bit tricky.  Here goes:

  <==     < Body weakening/strengthening (9.11) >

       (&j | i < j < N : b.j >= b.m  &  b.m >= b.i  &  b.j >= b.i)

   =      < by transitivity of >=, the 3rd conjunct in body of
            above is implied by the conjunction of the first two;
            thus, by (3.60), an equivalent expression is obtained
            by removing the 3rd conjunct                           >

       (&j | i < j < N : b.j >= b.m  &  b.m >= b.i)

    =     < Distributivity of & over universal quantification (9.7) >

       (&j | i < j < N : b.j >= b.m)  &  b.m >= b.i

    =     < (4th conjunct of) assumption P and assumption B1 >

       true & true

    =     < (3.40) >

       true 


Summarizing, what we have shown is

   [(P & B1)  ==>  (true ==> wp.S1.R)]

But by (3.73), the consequent of the above is simply wp.S1.R.  Hence, we
have proved [(P & B1)  ==>  wp.S1.R], as required.