CSI2101

DISCRETE STRUCTURES

Winter 2016
WonSook Lee
[email protected]
EECS, Univ. of Ottawa
The lecture note is collaborative work, and
large contribution is from Prof. Nejib Zaguia
3/29/18 1
 Program
Correctness/Verification
We want to be able to prove that a given program
meets the intended specifications.
This can often be done manually, or even by
automated program verification tools.

• A program is correct if it produces the correct

output for every possible input.
• A program has partial correctness if it produces
the correct output for every input for which the
program eventually halts.
2
 Pre-condition & post-
condition
• A program’s I/O specification can be given using initial and
final assertions.
– Pre-condition : the initial assertion p is the condition
that the program’s input (its initial state) is guaranteed
(by its user) to satisfy.
– Post-condition: the final assertion q is the condition that
the output produced by the program (its final state) is
required to satisfy.
• Hoare triple notation:
The notation p{S}q means that, for all inputs I such that p(I)
is true, if program S (given input I) halts and produces
output O = S(I), then q(O) is true.
That is, S is partially correct with respect to specification p,
q. 3
 initial assertion/ final
assertion
• To specify what it means for a
program to produce the correct
output, two propositions are used.
– The first is the initial assertion, which
gives the properties that the input
values must have.
– The second is the final assertion, which
gives the properties that the output of
the program should have, if the program
did what was intended. 4
 A trivial example
• Let S be the program fragment
“y := 2; z := x+y”
Let p be the initial assertion “x = 1”. The variable x
will hold 1 in all initial states.
Let q be the final assertion “z = 3”. The variable z
must hold 3 in all final states.

• Prove p{S}q.
Proof: If x=1 in the program’s input state, then
after running y:=2 and z:=x+y, z will be 1+2=3.
5
 Hoare Triple Inference
Rules
Deduction rules for Hoare Triple statements.
A simple example: The composition rule:

p{S1}q
q{S2}r
∴ p{S1; S2}r.

It says: If program S1 given condition p produces

condition q, and S2 given q produces r, then the
program “S1 followed by S2”, if given p, yields r.

6
 Conditional Statements
• Suppose that a program segment has the form
if condition then
S

where S is a block of statements. Then S is

executed if condition is true and it is not executed
when condition is false
First, it must be shown that when p is true and
condition is also true, then q is true after S
terminates. Second, it must be shown that when p
is true and condition is false, then q is true
(because in this case S does not execute). 7
 Inference rule for if
statements
(p ∧ condition){S}q
(p ∧￢condition) → q
∴ p{if condition then S}q.
Example: Verify that the program segment
if x > y then y := x
is correct with respect to the initial assertion T and the final
assertion y ≥ x. i.e. Show that: T {if x>y then y:=x} y≥x.
Proof: If initially x>y, then the if body is executed, setting y=x,
and so afterwards y≥x is true.
Otherwise, x≤y and so y≥x. In either case y≥x is true.
So the rule applies, and so the fragment meets the
specification.
8
 if-then-else rule
if condition then
S1
else
S2

• If condition is true, then S1 executes; if condition is false,

then S2 executes. To verify that this program segment is
correct with respect to the initial assertion p and the final
assertion q, two things must be done. First, it must be shown
that when p is true and condition is true, then q is true after
S1 terminates. Second, it must be shown that when p is true
and condition is false, then q is true after S2 terminates.

(p ∧ condition){S1}q
(p ∧￢condition){S2}q
∴ p{if condition then S1 else S2}q 9
 if-then-else rule
Example: Verify that the program segment
if x < 0 then
abs := −x
else
abs := x
is correct with respect to the initial assertion T and the final
assertion abs = |x|. i.e. Show that T {if x<0 then abs:=−x else
abs:=x} abs=|x|

Proof: If x<0 then after the if body, abs will be |x|.

If ¬(x<0), i.e., x≥0, then after the else body, abs=x,
which is |x|. So the rule applies.

10
 Loop Invariants
while condition
S

S is repeatedly executed until condition becomes false.

• An assertion that remains true each time S is executed must
be chosen. Such an assertion is called a loop invariant. In
other words, p is a loop invariant if (p ∧ condition){S}p is
true.
• Suppose that p is a loop invariant. It follows that if p is true
before the program segment is executed, p and ￢condition
are true after termination, if it occurs. This rule of
inference is
– And so p stays true through all subsequent iterations.

11
 Loop Invariants
• This leads to the inference rule:

(p ∧ condition){S}p
∴ p{while condition S}(￢ condition ∧ p)
Example: A loop invariant is needed to verify that the program
segment terminates with factorial = n! when n is a positive
integer.
i := 1
factorial := 1
while i < n
i := i + 1
factorial := factorial · I

Proof: define P, check the program segment and check the look terminates.
12
 Loop Invariant Example
Proof. Let p be the assertion “factorial = i! and i ≤ n.”
Then p is a loop invariant because
Suppose that, at the beginning of one execution of the while
loop, p is true and the condition of the while loop holds; in
other words, assume that factorial = i! and that i < n. The new
values inew and factorialnew of i and factorial are
inew = i + 1 and
factorialnew = factorial · (i + 1) = (i + 1)! = inew!.
Because i < n, we also have inew = i + 1 ≤ n. Thus, p is true at
the end of the execution of the loop. This shows that p is a
loop invariant.

13
 Loop Invariant Example
Proof.(conti.)
Now we consider the program segment.
Just before entering the loop, i = 1 ≤ n and factorial = 1 = 1! =
i! both hold, so p is true. Because p is a loop invariant, the
rule of inference just introduced implied that if the while
loop terminates, it terminates with p true and with i < n
false. In this case, at the end, factorial = i! and i ≤ n are true,
but i < n is false; in other words, i = n and factorial = i! = n!, as
desired.

14
 Loop Invariant Example
Proof.(conti.)
Finally, we need to check that the while loop actually
terminates.
At the beginning of the program i is assigned the value 1, so
after n − 1 traversals of the loop, the new value of i will
be n, and the loop terminates at that point.

15
 Loop Invariant Example
Another example: combine several rules:
procedure multiply(m, n: integers)
if n < 0 then a := −n
else a := n
k := 0
x := 0
while k < a
x := x + m
k := k + 1
if n < 0 then product := −x
else product := x

return product
{product equals mn}
17
 Loop Invariant Example
Another example: combine several rules:
procedure multiply(m; n : integers)
p := "(m; n ∈ Z)"
if n < 0 then a := - n (segment S1)
else a := n
q := "(p ^ (a = |n|))"
k := 0; x := 0 (segment S2)
r := "q ^ (k = 0) ^ (x = 0)"
(x = mk ^ k≤a) ß- loop invariant
while k < a { (segment S3)
x = x + m; k = k + 1;
}
Maintain loop invariant: (x = mk ^ k≤a)
((x = mk ^ k = a) ) ∴ s := “(x = ma) ^ a = |n|)"
s ⇒ (n < 0 ^ x = - mn) ∨ (n ≥ 0 ^ x = mn)
if n < 0 then prod := - x (segment S4)
else prod := x
18
t = "(prod = mn)"
Correctness of multiply(m; n)
Correctness of de multiply(m; n)
This is the structure of the proof (using the propositions p; q; r; s; t as defined on the
previous slide):
• We must prove p{S1}q using the inference rule: if statements.
• We must prove q{S2}r by examining the trivial segment S2.
• We must prove r{S3}s using the inference rule of the loop : “while cond S”.
• We must prove s{S4}t using the inference rule : if statements.
• We use the composition rule to prove p{S1; S2; S3; S4}t;

So far we did prove the partial correctness for

p := "(m; n ∈ Z)" et t = "(prod = mn)",

To complete the proof of the correctness we have to verify that the segment halts
for every possible input.
The segments S1, S2 and S4 obviously halts for every possible input. For the while loop
(S4), we can easily see that this loop does exactly a iterations.
(The details of each part of this proof are left as an exercise)
19
 How to prove that a loop
halts?
How to prove that a loop halts?
• For each iteration i we associate an non-negative integer ki,
such that < k0; k1; k2; ... > is a decreasing sequence.
• Because of the well ordering principle of any subset of
integers, this sequence of ki is finite.

From the last example:

• We define ki = a - k
• < k0; k1; k2; ... > is a decreasing sequence since a is constant
and k increases by 1 at each iteration.

20
3/29/18 WonSook Lee, Univ. of Ottawa 21
• Exercise:
Prove that the program segment
y := 1
z := x + y
is correct with respect to the initial assertion x = 0
and the final assertion z = 1.

Solution:
Suppose that x = 0. The program segment first
assigns the value 1 to y and then assigns the value x +
y = 0 + 1 = 1 to z.

22
• Exercise:
Verify that the program segment
x := 2
z := x + y
if y > 0 then
z := z + 1
else
z := 0
is correct with respect to the initial assertion y = 3 and
the final assertion z = 6.
Solution:
Suppose that y = 3. The program segment assigns the value 2 to
x and then assigns the value x+y = 2+3 = 5 to z. Because y = 3 >
0 it then assigns the value z+1 = 5+1 = 6 to z.

23
• Exercise: Use a loop invariant to prove that the
following program segment for computing the nth power,
where n is a positive integer, of a real number x is correct.
power := 1
i := 1
while i ≤ n
power := power ∗ x
i := i + 1
Solution:

what is a loop invariant?

• A loop invariant = An assertion that
remains true each time S is executed.

p : “power = xi−1 and i ≤ n + 1”

24
• Exercise: Use a loop invariant to prove that the following program segment for
computing the nth power, where n is a positive integer, of a real number x is correct.
power := 1
i := 1
while i ≤ n
power := power ∗ x
i := i + 1

Solution:
We will show that p : “power = xi−1 and i ≤ n + 1” is a loop invariant.
Note that p is true initially, because before the loop starts, i = 1 and power= 1 = x0 =
x1−1.
Next, we must show that if p is true and i ≤ n after an execution of the loop, then p
remains true after one more execution. The loop increments i by 1. Hence, because i ≤
n before this pass, i ≤ n+1 after this pass. Also the loop assigns power · x to power. By
the inductive hypothesis we see that power is assigned the value xi−1 · x = xi .
Hence, p remains true.
Furthermore, the loop terminates after n traversals of the loop with i
= n + 1 because i is assigned the value 1 prior to entering the loop, is
incremented by 1 on each pass, and the loop terminates when i > n.
Consequently, at termination power = xn, as desired.

25
3/29/18 WonSook Lee, Univ. of Ottawa 26