SE 504 Spring 2024
HW #3: Selection, Catenation, and Repetition
Due: 7:20pm, Monday, February 26

Recall the following:

Relationship between Hoare Triples and the weakest precondition function:
{P} S {Q}  ≡  [P ⇒ wp.S.Q]

wp skip Law: [wp.skip.Q  ≡  Q]

wp Assignment Law: [wp.(x:=E).Q  ≡  Q(x:=E)]

wp Sequential Composition Law: [wp.(S1; S2).Q  ≡  wp.S1.(wp.S2.Q)]

Hoare Triple Sequential Composition Rule:
To prove the Hoare Triple {P} S1; S2 {Q}, it suffices to devise a predicate R and to prove both {P} S1 {R} and {R} S2 {Q}. If S2 is an assignment command, the obvious choice for R is wp.S2.Q.


1. Prove the correctness of this program:

{x = X ∧ y = Y}
x := x + y;
y := x - y;
x := x - y
{x = Y ∧ y = X}


Recall that, if IF is the program if B then S1 else S2 fi, then

{P} IF {Q} ≡ {P ∧ B} S1 {Q} ∧ {P ∧ ¬B} S2 {Q}

2. Prove the correctness of this program:

{P ∧ 0 ≤ k < #b}
if b[k] ≤ 0 then 
   sum,k := sum - b[k], k+1
else 
   sum := sum + b[k]; k := k+1
fi
{P}

3. Prove the correctness of this program:

{P ∧ 0 ≤ k < #b}
if b[k] ≤ 0 then 
   sum := sum - b[k]
else 
   sum := sum + b[k]
fi
;k := k+1
{P}

where P: sum = (+i | 0 ≤ i < k : |b[i]|).

The absolute value function satisfies this condition:

[(x=|x| ≡ x≥0) ∧ (-x=|x| ≡ x≤0)]

Notice that, in Problem 2, the two branches of the selection command are different in that one is a simultaneous assignment and the other is a sequential composition of two assignments. Hence their proofs should not be mirror images of one another.

Notice that, in Problem 3, the program itself is a sequential composition of a selection command and an assignment command. This is unlike Problem 2, whose program is a selection command. Hence the two proofs, while having some commonality, should not be the same.
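As an added illustration (not part of the assignment, and not a substitute for the wp proofs it asks for): the Python below models the wp laws recalled at the top of this handout semantically. A predicate is a function of a state dictionary, and a command is a function that maps a postcondition to its weakest precondition, following the skip, assignment (including simultaneous assignment) and sequential composition laws; the selection command is modelled in its wp form, which is equivalent to the Hoare-triple rule recalled before Problem 2. The judgement [P ⇒ wp.S.Q] is then checked for the programs of Problems 1 and 3 by enumerating a small, constructed range of states. Variable names, state ranges and the deliberately mistyped swap in check_buggy_swap are assumptions of this example. Enumeration can only expose a counterexample; it never establishes the universal validity that the bracketed judgements assert.

```python
# Added example (not part of the assignment): a semantic model of the wp laws.
# A state is a dict from variable names to values; a predicate is a function
# state -> bool; a command is a function postcondition -> weakest precondition.
from itertools import product

def skip():
    # wp skip Law: wp.skip.Q = Q
    return lambda Q: Q

def assign(names, E):
    # wp Assignment Law: wp.(x:=E).Q = Q(x:=E), modelled semantically: Q is
    # evaluated in the state where the variables in `names` take the values
    # that E(s) returns (a tuple), which also covers simultaneous assignment.
    return lambda Q: (lambda s: Q({**s, **dict(zip(names, E(s)))}))

def seq(S1, S2):
    # wp Sequential Composition Law: wp.(S1;S2).Q = wp.S1.(wp.S2.Q)
    return lambda Q: S1(S2(Q))

def select(B, S1, S2):
    # wp form of the selection rule: (B => wp.S1.Q) and (not B => wp.S2.Q),
    # i.e. "wp.S1.Q if B else wp.S2.Q"; equivalent to the Hoare-triple rule.
    return lambda Q: (lambda s: S1(Q)(s) if B(s) else S2(Q)(s))

def counterexample(P, S, Q, states):
    # Search `states` for one satisfying P but not wp.S.Q.  Returns the first
    # such state, or None if {P} S {Q} held on every enumerated state.
    pre = S(Q)
    for s in states:
        if P(s) and not pre(s):
            return s
    return None

# ---- Problem 1: the three-assignment swap ---------------------------------
P1 = lambda s: s['x'] == s['X'] and s['y'] == s['Y']
Q1 = lambda s: s['x'] == s['Y'] and s['y'] == s['X']
SWAP = seq(assign(('x',), lambda s: (s['x'] + s['y'],)),
           seq(assign(('y',), lambda s: (s['x'] - s['y'],)),
               assign(('x',), lambda s: (s['x'] - s['y'],))))

def states_problem1(lo=-3, hi=3):
    # Constructed state space: x, y and the specification constants X, Y.
    rng = range(lo, hi + 1)
    return [dict(x=x, y=y, X=X, Y=Y) for x, y, X, Y in product(rng, repeat=4)]

def check_problem1():
    return counterexample(P1, SWAP, Q1, states_problem1())  # None: none found

def check_buggy_swap():
    # Hypothetical mistyped program (last command adds instead of subtracts);
    # the checker is expected to find a state that refutes it.
    BAD = seq(assign(('x',), lambda s: (s['x'] + s['y'],)),
              seq(assign(('y',), lambda s: (s['x'] - s['y'],)),
                  assign(('x',), lambda s: (s['x'] + s['y'],))))
    return counterexample(P1, BAD, Q1, states_problem1())

# ---- Problem 3: selection followed by k := k+1 ----------------------------
P3 = lambda s: s['sum'] == sum(abs(s['b'][i]) for i in range(s['k']))
PRE3 = lambda s: P3(s) and 0 <= s['k'] < len(s['b'])
PROG3 = seq(select(lambda s: s['b'][s['k']] <= 0,
                   assign(('sum',), lambda s: (s['sum'] - s['b'][s['k']],)),
                   assign(('sum',), lambda s: (s['sum'] + s['b'][s['k']],))),
            assign(('k',), lambda s: (s['k'] + 1,)))

def states_problem3(maxlen=3, lo=-2, hi=2):
    # Constructed state space: short arrays with small entries, every k from
    # 0 to #b (k = #b lies outside the precondition, so it is vacuous), and
    # `sum` either equal to the invariant's value or off by one.
    out = []
    for n in range(1, maxlen + 1):
        for b in product(range(lo, hi + 1), repeat=n):
            for k in range(0, n + 1):
                good = sum(abs(v) for v in b[:k])
                for total in (good, good + 1):
                    out.append(dict(b=list(b), k=k, sum=total))
    return out

def check_problem3():
    return counterexample(PRE3, PROG3, P3, states_problem3())  # None: none found

if __name__ == '__main__':
    print('Problem 1 counterexample:', check_problem1())
    print('buggy swap counterexample:', check_buggy_swap())
    print('Problem 3 counterexample:', check_problem3())
```

Running the script prints None for the two programs on the handout and a concrete refuting state for the mistyped swap. Note that the precondition is evaluated before the weakest precondition, so the array index b[k] is never read outside 0 ≤ k < #b, which mirrors the role that conjunct plays in Problems 2 and 3.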


Consider a Hoare Triple {P} Sinit; LOOP {Q} in which Sinit is an assignment command (used for the initialization of variables) and LOOP is a repetition command annotated with a loop invariant and bound function, as shown below.

{P}
Sinit;
{loop invariant I: ...}
{bound function t: ...}
do B ---> S
od
{Q}

Then to prove the Hoare Triple {P} Sinit; LOOP {Q} it suffices to prove these five "proof obligations":

  (i) {P} Sinit {I}, which guarantees that the initialization establishes (i.e., truthifies) the loop invariant immediately before the loop's first iteration.
  (ii) {I ∧ B} S {I}, which guarantees that each iteration of the loop preserves the truth of the loop invariant.
  (iii) [I ∧ ¬B ⟹ Q], which guarantees that, at the moment when the loop terminates (assuming that it does), the postcondition will be true.
  (iv) [I ∧ B  ⟹  t > 0] (or, equivalently, [I ∧ t ≤ 0  ⟹  ¬B]), which guarantees that, as long as more loop iterations are to occur, the bound function has not yet descended to its threshold of zero.
  (v) {I ∧ B ∧ t = C} S {t < C}, which guarantees that each loop iteration causes the value of the bound function to decrease.

Items (i) and (ii) together show that I is, as claimed, an invariant of the loop. (In effect, (i) is the basis and (ii) is the inductive step in a proof by induction on the number of loop iterations.)

Item (iii) shows that, if and when the loop terminates, the postcondition Q holds.

Items (iv) and (v) together show that the loop terminates after finitely many iterations.


4. Prove that the following program is correct. Notice that the loop guard and the main conjunct of the loop invariant were derived (using the "delete a conjunct" heuristic) from the strengthened version Q' of the postcondition, which was itself obtained from the original postcondition Q using the "replace a constant by a fresh variable" heuristic.


{P: N ≥ 0}
k,m := 0,0;
{loop invariant I: m = k² ∧ 0≤k≤N}
{bound function t: N - k}
do k ≠ N ---> k,m := k+1,m+k+k+1
od
{Q': m = k² ∧ k=N }
{Q: m = N² }
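As an added illustration (not part of the assignment, and not a replacement for the wp proofs it asks for): the Python below encodes the five proof obligations for {P} Sinit; do B ---> S od {Q} as checks over a finite, constructed set of states and runs them on the program of Problem 4. A second check, check_problem4_weak_invariant, drops the conjunct 0 ≤ k ≤ N from the invariant, a hypothetical mistake introduced here to show which obligation an over-weak invariant breaks. Variable names, state ranges and helper names are assumptions of this example; enumeration can expose a failing obligation for some N, but it cannot prove an obligation valid for all N.

```python
# Added example (not part of the assignment): the five proof obligations for a
# loop {P} Sinit; do B ---> S od {Q}, checked over a finite set of states.

def assign(names, E):
    # wp.(x:=E).Q = Q(x:=E), modelled semantically; E(s) returns the new values.
    return lambda Q: (lambda s: Q({**s, **dict(zip(names, E(s)))}))

def loop_obligations(P, Sinit, I, t, B, S, Q, states):
    """Check obligations (i)-(v) on every state in `states`.  Returns a dict
    mapping each obligation that failed to the first state refuting it; an
    empty dict means every obligation held on every enumerated state."""
    failures = {}
    for s in states:
        if P(s) and not Sinit(I)(s):            # (i)   {P} Sinit {I}
            failures.setdefault('i', s)
        if I(s) and B(s) and not S(I)(s):       # (ii)  {I and B} S {I}
            failures.setdefault('ii', s)
        if I(s) and not B(s) and not Q(s):      # (iii) [I and not B => Q]
            failures.setdefault('iii', s)
        if I(s) and B(s) and not t(s) > 0:      # (iv)  [I and B => t > 0]
            failures.setdefault('iv', s)
        if I(s) and B(s):                       # (v)   {I and B and t = C} S {t < C}
            C = t(s)                            # C: value of the bound before S
            if not S(lambda s2: t(s2) < C)(s):
                failures.setdefault('v', s)
    return failures

# ---- Problem 4: m := N squared by repeated addition ------------------------
P4 = lambda s: s['N'] >= 0
INIT4 = assign(('k', 'm'), lambda s: (0, 0))
I4 = lambda s: s['m'] == s['k'] ** 2 and 0 <= s['k'] <= s['N']
T4 = lambda s: s['N'] - s['k']
B4 = lambda s: s['k'] != s['N']
S4 = assign(('k', 'm'), lambda s: (s['k'] + 1, s['m'] + s['k'] + s['k'] + 1))
Q4 = lambda s: s['m'] == s['N'] ** 2

def states_problem4(maxn=6):
    # Constructed state space: N in 0..maxn, k slightly beyond both ends of
    # 0..N (so that the range conjunct of I actually matters), m in 0..(maxn+1)^2.
    return [dict(N=N, k=k, m=m)
            for N in range(0, maxn + 1)
            for k in range(-1, maxn + 2)
            for m in range(0, (maxn + 1) ** 2 + 1)]

def check_problem4():
    return loop_obligations(P4, INIT4, I4, T4, B4, S4, Q4, states_problem4())

def check_problem4_weak_invariant():
    # Hypothetical mistake: the invariant keeps m = k^2 but loses k <= N.
    weak_I = lambda s: s['m'] == s['k'] ** 2 and 0 <= s['k']
    return loop_obligations(P4, INIT4, weak_I, T4, B4, S4, Q4, states_problem4())

if __name__ == '__main__':
    print('Problem 4 failing obligations:', check_problem4())
    print('weak invariant failing obligations:', check_problem4_weak_invariant())
```

With the handout's invariant all five obligations hold on every enumerated state, so check_problem4 returns an empty dict. With the weakened invariant, a state such as N = 0, k = 1, m = 1 satisfies the invariant and the guard while the bound function N - k is already negative, so obligation (iv) fails; the other four still hold, which is exactly why the range conjunct 0 ≤ k ≤ N belongs in I.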