SE 504
Development and proof of a linear search algorithm
(alternative to Cohen's from pp. 131-134)

Given the following specification, devise a program that meets it, and
prove the program's correctness.

|[ con N : int;  { N>0 }
   con b : array [0..N) of bool;  { (Vj | 0<=j<N : b.j) }
   var k : int;

   find_first_true

   {R: b.k  &  (&j | 0<=j<k : ~b.j) }
]|

In informal terms, the above specification describes a program that, given
a fixed boolean array b[0..N) containing at least one occurrence of TRUE,
finds the location k of the first occurrence of TRUE.

Let us refer to the two conjuncts of postcondition R as R0 and R1.

It would seem that, in order to find an occurrence of TRUE in a boolean
array, it is necessary to search for it using a loop.  One of the heuristics
for developing a loop is sometimes called "deleting a conjunct".  It suggests
that we take the loop invariant to be the same as the postcondition, except
with one (or more) of its conjuncts omitted.  The negation of the omitted 
conjunct(s) is taken to be the guard of the loop.  Applying that heuristic
here, suppose that we take R1 as the loop invariant and ~R0 as the loop guard.
Keeping in mind that we should initialize the variable k prior to the loop, we
get

|[ con N : int;  { N>0 }
   con b : array [0..N) of bool;  { (Vj | 0<=j<N : b.j) }
   var k : int;
   k := ?;
   {invariant P: (&j | 0<=j<k : ~b.j) }
   do ~b.k  --->  ?
   od
   {postcondition R: b.k  &  (&j | 0<=j<k : ~b.j) }
]|

The loop guard is ~b.k.  As the index range of b is [0..N), evaluation
of the guard in a state in which k<0 or k>=N results in abortion (due to an
"array subscript out-of-bounds error").  Hence, we should include 0<=k<N
(equivalently, 0<=k & k<N) as another conjunct in the loop invariant.  That
is, we augment P to become P: (&j | 0<=j<k : ~b.j)  &  0<=k  &  k<N.

To what value should we initialize k?  As the loop immediately follows, the
initialization of k must result in a state satisfying the loop invariant.
Examining the invariant, we notice that, if k has value zero, the universal
quantification in P has an empty range, which makes it true.  (To prove this,
use (9.2), (3.75), and (9.8).)  Hence, we choose k := 0 as our initialization.

Now consider the body of the loop.  The only variable in the program is k;
hence, the loop body should modify k in some way.  Because the loop
invariant says that every value in b[0..k) is FALSE and we are trying to
find the first element that is TRUE, it would seem that the appropriate
way to change k is to increase it by one.  (If we increase it by more than
one, we may "miss" the first element containing TRUE; if we fail to increase
k at all, the next loop iteration cannot possibly find the first occurrence
of TRUE, as we already know that no location in b[0..k) contains TRUE.)

What about a bound function?  As k increases during every loop iteration (in
accord with what we said in the previous paragraph), one possible bound
function is t: C-k, where C is some constant that k cannot possibly exceed.
(Such a choice for the bound function guarantees that its value will decrease
on every iteration, in compliance with checkpoint (v), and that its value
will never fall below the lower bound of zero, in compliance with (iv).)
As k's value should never go as high as N (because the precondition tells us
that we should find a TRUE element somewhere within b[0..N)), we choose bound
function t: N-k.

What we have, then, is

|[ con N : int;  { N>0 }
   con b : array [0..N) of bool;  { (Vj | 0<=j<N : b.j) }
   var k : int;
   k := 0;
   {invariant P: (&j | 0<=j<k : ~b.j)  &  0<=k  &  k<N }
   {bound t: N-k }
   do ~b.k  --->  k := k+1
   od
   {postcondition R: b.k  &  (&j | 0<=j<k : ~b.j) }
]|

Let us now prove the five items on the "loop checklist".  Note that any
assertion made in the program about one of its constants can be taken to be
a "global invariant" and can be assumed in proving any of the five items.
(For example, we can make use of the fact that N>0.)  For convenience, we
refer to the three conjuncts of P as P0, P1, and P2.


(i) {Q} S_init {P}  (equivalently, [Q ==> wp.S_init.P])

As no precondition Q is explicitly given in the program (aside from the
global invariants already mentioned), we take it to be TRUE.

    wp.S_init.P

 =    < defn of S_init >

    wp.(k := 0).P

 =    < wp assignment law >

    P[k:=0]

 =    < defn of P, textual sub. >

    (&j | 0<=j<0 : ~b.j)  &  0<=0  &  0<N 

 =    < 0<=0 is trivial (reflexivity of <=), 0<N is assumed, (3.39) >

    (&j | 0<=j<0 : ~b.j) 

 =    < 0<=j<0  =  false >

    (&j | false : ~b.j) 

 =    < (9.2); (3.75); (9.8) >

    true



(ii) {P & ~b.k} k := k+1 { P }  (equivalently, [P & ~b.k ==> wp.(k:=k+1).P])

    We (attempt to) prove wp.(k:=k+1).P using P and ~b.k as assumptions.

    wp.(k:=k+1).P

 =    < wp assignment law >

    P[k:=k+1]

 =    < defn of P, textual sub. >

    (&j | 0<=j<k+1 : ~b.j)  &  0<=k+1  &  k+1<N 

 =    < split off term (8.23) >

    (&j | 0<=j<k : ~b.j) & ~b.k  &  0<=k+1  &  k+1<N 

 =    < 1st conjunct above is assumption P0; second is assumed, too; (3.39) >

    0<=k+1  &  k+1<N 

 =    < 0<=k+1 follows from assumption P1; (3.39) >

    k+1<N 

 =    < algebra >

    k<N-1

At this point, we get stuck!  It remains to show that k<N-1 is true, assuming
P & ~b.k.  In other words, it remains to show [P & ~b.k ==> k<N-1].  We have

    P & ~b.k  ==>  k<N-1

 =    < contrapositive (3.61) >

    ~(k<N-1)  ==>  ~(P & ~b.k)

 =    < ~(a<b) = a>=b; DeMorgan (3.47a), (3.12) >

    k >= N-1  ==>  ~P v b.k

 =    < defn of >= : a>=b  =  a>b v a=b >

    (k>N-1 v k=N-1)  ==>  ~P v b.k

 =    < (3.78) >

    (k > N-1  ==>  ~P v b.k)  &  (k = N-1  ==>  ~P v b.k)

Thus, it suffices to prove each of the two conjuncts of the above.  We prove
the first by assuming its antecedant (k>N-1) and showing its consequent:

    ~P v b.k

 =    < defn of P >

    ~((&j | 0<=j<k : ~b.j)  &  0<=k  &  k<N)  v  b.k

 =    < DeMorgan (3.47a)  >

    ~(&j | 0<=j<k : ~b.j)  v  ~(0<=k)  v  ~(k<N)  v  b.k

 =    < generalized DeMorgan (9.17); (3.12); (a<b> = a>=b) >

    (Vj | 0<=j<k : b.j)  v  ~(0<=k)  v  k>=N  v  b.k

 =    < assumption k>N-1 is equivalant to 3rd disjunct above >

    (Vj | 0<=j<k : b.j)  v  ~(0<=k)  v  true  v  b.k

 =    < (3.29) >

    true

Now we prove the 2nd conjunct (again, by assuming the antecedant (k=N-1)
and showing the consequent):

    ~P v b.k

 =    < repeating the first three steps from proof of 1st conjunct >

    (Vj | 0<=j<k : b.j)  v  ~(0<=k)  v  k>=N  v  b.k

 =    < split off term (8.23) >

    (Vj | 0<=j<k+1 : b.j)  v  ~(0<=k)  v  k>=N 

 =    < assumption k=N-1 and (3.84a) >

    (Vj | 0<=j<N-1+1 : b.j)  v  ~(0<=k)  v  k>=N 

 =    < algebra >

    (Vj | 0<=j<N : b.j)  v  ~(0<=k)  v  k>=N 

 =    < 1st disjunct above is global invariant >

    true  v  ...

 =    < (3.29) >

    true

This completes the proof of item (ii) in the loop checklist!!


(iii) [P & ~B ==> R]

We need not even go through the proof, because the invariant and loop
guard were chosen to satisfy this!  The loop invariant P is P0 & P1 & P2,
the loop guard is ~B, and the postcondition is R: P0 & B.  Hence, we have

    P & ~B

 =     < P is P0 & P1 & P2 >

    P0 & P1 & P2 & ~B

==>    < (3.76b) > 

    P0 & ~B

 =     < R is P0 & ~B >

    R
    

Postponing checkpoint (iv), we now do (v):

(v) {P & ~~b.k & N-k=T} k:=k+1 { N-k<T }

    wp.(k:=k+1).(N-k < T)

 =    < wp assignment law >

    (N-k < T)[k:=k+1]

 =    < textual sub. >

    N - (k+1) < T

 =    < assumption N-k=T >

    N - (k+1) < N-k

 =    < algebra >

    0 < 1

 =    < number theory !! >

    true


Finally, let us prove loop checkpoint (iv):

(iv) [P & ~b.k ==> N-k > 0].

    N-k > 0

 =    < algebra >

    N > k

 =    < assumption P2: k<N >

    true


Just for fun, let's show that, even if neither P1 nor P2 were included as 
conjuncts of P, we could still carry out a proof of (iv).  That is, we will
show [P0 & ~b.k ==> N-k > 0].  To do this, we show its contrapositive, 

                   [N <= k  ==>  ~P0 v b.k]

by assuming the antecedant and proving the consequent.

     ~P0 v b.k

  =    < defn of P0 >

     ~(&j | 0<=j<k : ~b.j) v b.k

  =    < generalized De Morgan (9.17) >

     (Vj | 0<=j<k : b.j) v b.k

  =    < Split off term (8.23) >

     (Vj | 0<=j<k+1 : b.j) 

  =    < from assumption N <= k it follows
         that (0<=j<k+1)  =  (0<=j<N v N<=j<k+1) >

     (Vj | 0<=j<N v N<=j<k+1 : b.j) 

  =    < Range Split (8.16) >

     (Vj | 0<=j<N : b.j) v (Vj | N<=j<k+1 : b.j) 

  =    < 1st conjunct above is assumed "global invariant" >

     true  v  (Vj | N<=j<k+1 : b.j)

  =    < true is zero of disjunction (3.29) >

     true