SE 504

Develop code to satisfy the Hoare Triple

    {P & y>0}  x,y,z := x^2, E, F  { P }

where P: C = x^y * z. All of x, y, and z are to be understood to be of type int.

In effect, the code we want squares x while at the same time modifying y and z so as to preserve the value of x^y * z. The code is expected to work provided that y is positive.

Using the usual approach, we attempt to calculate expressions for E and F while performing a proof of

    P & y>0  ==>  wp.(x,y,z := x^2,E,F).P

Assume the precondition, P & y>0.

      wp.(x,y,z := x^2,E,F).P

    =    < wp assignment law >

      P(x,y,z := x^2,E,F)

    =    < defn of P; textual substitution >

      C = (x^2)^E * F

    =    < assumption C = x^y * z; algebra: (a^b)^c = a^(bc) >

      x^y * z = x^(2E) * F

At this point, the obvious thing to do (in order to make the left- and right-hand sides of the equation above coincide) is to choose E and F to satisfy y=2E and z=F. For the latter, that would mean to choose F to be z (duh!). For the former, that would mean to choose E to be y/2. Or would it?

We must remember that y is of type int, so that E (the value of which is to be assigned to y) also must be of type int. Hence, the "/" operator in "y/2" must denote integer division, as opposed to real division. In order to avoid any confusion between the two here, let's use "div" (as in the Pascal programming language) to denote integer division.

Recalling that integer division "truncates" (i.e., the result is the integer part of the real quotient), we recognize that 2(y div 2) = y does not necessarily hold. Indeed, 2(y div 2) = y when y is even but 2(y div 2) = y-1 when y is odd and positive. (We will ignore the possibility of y being negative because it is excluded by the pre-condition.)
Continuing the proof above under the added assumption that y is even, we get

      x^y * z = x^(2E) * F

    =    < choose E to be "y div 2" and F to be "z" >

      x^y * z = x^(2(y div 2)) * z

    =    < assumption even.y implies that 2(y div 2) = y >

      x^y * z = x^y * z

    =    < = is reflexive >

      true

To summarize, we have proved the Hoare Triple

    {P & y>0 & even.y}  x,y,z := x^2, y div 2, z  { P }

Notice that the pre-condition has even.y as a "new" conjunct. We cannot omit that, because we assumed it in one of the steps of the proof. One could also notice that the assignment z := z can be omitted.

Now let us return to where we suspended the proof, but this time assume that y is odd (and positive). Let's make the same choice for E and see what happens:

      x^y * z = x^(2E) * F

    =    < choose E to be "y div 2" >

      x^y * z = x^(2(y div 2)) * F

    =    < assumptions y>0 and !even.y imply that 2(y div 2) = y-1 >

      x^y * z = x^(y-1) * F

    =    < algebra: for integer b>0, a^b = a^(b-1) * a >

      x^(y-1) * x * z = x^(y-1) * F

    =    < choose F to be "x*z" >

      x^(y-1) * x * z = x^(y-1) * x * z

    =    < = is reflexive >

      true

To summarize, we have just proved the Hoare Triple

    {P & y>0 & !even.y}  x,y,z := x^2, y div 2, x*z  { P }

So we have proved two Hoare Triples of the forms

    {P & B}  S0 {Q}
    {P & !B} S1 {Q}

from which it follows that the following (annotated) Hoare Triple is valid:

    {P}
    if B  ---> {P & B}  S0 {Q}
    [] !B ---> {P & !B} S1 {Q}
    fi
    {Q}

(The fact that P guarantees the disjunction of the guards is trivial, due to that disjunction being of the form p v !p, which is true (by the law of the excluded middle).)

That is, what we have proved is the following Hoare Triple:

    {P & y>0}
    if even.y  ---> {P & y>0 & even.y}  x,y := x^2, y div 2 {P}
    [] !even.y ---> {P & y>0 & !even.y} x,y,z := x^2, y div 2, x*z {P}
    fi
    {P}

This solves the problem originally given.
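The derived command can also be checked mechanically. The following Python sketch is an added example, not part of the original handout: it tests {P & y>0} S {P} over a small constructed range of states, shows that the choice F = z fails exactly in the odd case the proof had to treat separately, and goes one step beyond the text by using the command as a loop body. The names step, naive_step, preserves_P, counterexamples and power, and the ranges XS, YS, ZS, are assumptions made for illustration.

```python
# Added example; all names and test ranges below are illustrative.
# For y > 0, Python's // agrees with the truncating "div" used in the proof.

def step(x, y, z):
    """The derived command: if even.y -> ... [] !even.y -> ... fi (requires y > 0)."""
    assert y > 0, "precondition y > 0 violated"
    if y % 2 == 0:
        return x * x, y // 2, z        # even.y: 2(y div 2) = y, z unchanged
    return x * x, y // 2, x * z        # !even.y: 2(y div 2) = y-1, z absorbs one x

def naive_step(x, y, z):
    """E = y div 2 and F = z in every case; only proved under even.y."""
    return x * x, y // 2, z

def preserves_P(cmd, x, y, z):
    """Does cmd keep P: C = x^y * z, with C fixed by the initial state?"""
    C = x ** y * z
    x1, y1, z1 = cmd(x, y, z)
    return C == x1 ** y1 * z1

def counterexamples(cmd, xs, ys, zs):
    """All initial states in the given ranges from which cmd breaks P."""
    return [(x, y, z) for x in xs for y in ys for z in zs
            if not preserves_P(cmd, x, y, z)]

def power(x, y):
    """Loop with invariant P, started with z = 1; requires y >= 0."""
    z = 1
    while y > 0:                       # y div 2 < y for y > 0, so the loop ends
        x, y, z = step(x, y, z)
    return z                           # y = 0, hence C = x^0 * z = z

# Constructed sample ranges; y stays positive as the precondition demands.
XS, YS, ZS = range(-4, 5), range(1, 12), range(-3, 4)

if __name__ == "__main__":
    print("derived command:", counterexamples(step, XS, YS, ZS))
    print("F = z everywhere:", counterexamples(naive_step, XS, YS, ZS)[:3])
    print("3^13 =", power(3, 13))
```

An exhaustive check over a finite range is evidence, not a proof; the wp calculation above is what covers every int with y>0.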