SE 504
Proof of correctness of a program composed of a selection (if) command and an assignment

Note: Here we use the notation b.i (as does Kaldewaij) rather than the more familiar b[i] to refer to the i-th element of array b.

Problem: Prove the following Hoare triple:

{ P: 0<i<m<N ∧ (∀j | i < j < N : b.j ≥ b.m) }
if b.i >= b.m  -->  skip
[] b.i <= b.m  -->  m := i
fi
;i := i-1
{ Q: 0≤i<m<N ∧ (∀j | i < j < N : b.j ≥ b.m) }

Note that P and Q differ only in that Q allows i to have value zero.

Solution:
The given Hoare triple is of the form {P} S1; S2 {Q}, where S1 is a selection command and S2 is an assignment command. The Hoare triple catenation law tells us that, to prove it, it suffices to identify a predicate R and to show {P} S1 {R} S2 {Q}, which is an abbreviation for

{P} S1 {R} ∧ {R} S2 {Q}

The natural choice for R is wp.S2.Q, in particular because it is easy to compute using the wp Assignment Law. By definition of wp, this choice for R truthifies {R} S2 {Q}. Hence, it remains only to prove {P} S1 {R}. As S1 is a selection (i.e., if) command, we do so by applying the Hoare triple selection law, which says that it suffices to show

  (a) [P ⇒ BB], where BB is the disjunction of the guards, and
  (b) {P ∧ Bi} Si {R} for each guarded command Bi --> Si.

As for (a), it is trivial, because, in any state, at least one of b.i ≥ b.m (i.e., B0) or b.i ≤ b.m (i.e., B1) must hold. If we insist on formality, we could prove (a) as follows. (Notice that we don't even need to make use of P as an assumption.)

    BB

=      < BB is disjunction of guards, of which there are two >

    B0 ∨ B1

=      < defn of B0 and B1 >

    b.i ≥ b.m  ∨  b.i ≤ b.m

=      < defn of ≥ >

    b.i = b.m  ∨  b.i > b.m  ∨   b.i ≤ b.m

=      < theorem: [¬(x > y)  =  x ≤ y] >

    b.i = b.m  ∨  b.i > b.m  ∨  ¬(b.i > b.m)

=      < Excluded Middle (3.28); true is zero of ∨ (3.29) >

    true

As for (b), because there are two guarded commands in our selection command, we are to prove both (i) {P ∧ B0} S0 {R} (where S0 is skip) and (ii) {P ∧ B1} S1 {R} (where S1 is m := i). Note that, from here on and as in the selection law, S0 and S1 name the bodies of the two guarded commands; S1 no longer refers to the selection command itself. Our choice for R was wp.(i:=i-1).Q, which, applying the wp assignment law and textual substitution, works out to

R: 0≤i-1<m<N ∧ (∀j | i-1 < j < N : b.j ≥ b.m)

(i) {P ∧ B0} S0 {R}   (i.e., [P ∧ B0 ⇒ wp.S0.R])

We prove it by assuming the antecedent (P ∧ B0) and showing the consequent (wp.S0.R).

    wp.S0.R

=      < defn. of S0 >

    wp.skip.R

=      < wp skip law >

    R

=      < defn of R >

    0≤i-1<m<N ∧ (∀j | i-1 < j < N : b.j ≥ b.m)

=      < 1st conjunct of assumption P, 0<i, which over the integers is equivalent to 0≤i-1 >

    true  ∧  i-1<m<N  ∧  (∀j | i-1 < j < N : b.j ≥ b.m)

=      < assumption i<m implies i-1<m >

    true  ∧  true  ∧  m<N  ∧  (∀j | i-1 < j < N : b.j ≥ b.m)

=      < assumption m<N >

    true  ∧  true  ∧  true  ∧  (∀j | i-1 < j < N : b.j ≥ b.m)

=      < true is identity of ∧ (3.39), three times >

    (∀j | i-1 < j < N : b.j ≥ b.m)

=      < split off (first) term (8.23) (justified by fact that the 
         assumptions guarantee i<N, from which it follows that there 
         is at least one value of j satisfying i-1 < j < N (i.e., the 
         range is nonempty))                                            >

    b.i ≥ b.m  ∧  (∀j | i < j < N : b.j ≥ b.m)

=      < assumption B0, (3.39) >

    (∀j | i < j < N : b.j ≥ b.m)

=      < (2nd conjunct of) assumption P >

    true

(ii) {P ∧ B1} S1 {R}   (i.e., [P ∧ B1 ⇒ wp.S1.R])

We prove it by assuming the antecedent (P ∧ B1) and showing the consequent (wp.S1.R).

    wp.S1.R

=      < defn. of S1 >

    wp.(m:=i).R

=      < wp assignment law >

    R(m:=i)

=      < defn of R, textual substitution >

    0≤i-1<i<N  ∧  (∀j | i-1 < j < N : b.j ≥ b.i)

=      < 1st conjunct of assumption P, 0<i, which over the integers is equivalent to 0≤i-1 >

    true  ∧  i-1<i<N  ∧  (∀j | i-1 < j < N : b.j ≥ b.i)

=      < number theoretic theorem: x-1 < x >

    true  ∧  true  ∧  i<N  ∧  (∀j | i-1 < j < N : b.j ≥ b.i)

=      < assumptions i<m and m<N together imply, 
         by transitivity of <, that i<N          >

    true  ∧  true  ∧  true  ∧  (∀j | i-1 < j < N : b.j ≥ b.i)

=      < true is identity of ∧ (3.39), three times >

    (∀j | i-1 < j < N : b.j ≥ b.i)

=      < split off (first) term (8.23) (justified by fact that the 
         assumptions guarantee i<N, as noted above, from which it
         follows that there is at least one value of j satisfying
         i-1 < j < N (i.e., the range is nonempty))               >

    b.i ≥ b.i  ∧  (∀j | i < j < N : b.j ≥ b.i)

=      < theorem: x ≥ x; true is identity of ∧ (3.39) >

    (∀j | i < j < N : b.j ≥ b.i)

Now what? The expression above, which we want to prove, says that b.j ≥ b.i for all j in the range i+1..N-1. But this follows from the transitivity of ≥ together with two of our assumptions, namely B1 (which says that b.m ≥ b.i) and the 2nd conjunct of P (which says that b.j ≥ b.m for all j in i+1..N-1). How can we show this formally? It is a bit tricky. Continuing from where we had left off, here goes:

    (∀j | i < j < N : b.j ≥ b.i)

<==    < Body weakening/strengthening (9.11) >

    (∀j | i < j < N : b.j ≥ b.m  ∧  b.m ≥ b.i  ∧  b.j ≥ b.i)

=      < by transitivity of ≥, the 3rd conjunct in body of
         above is implied by the conjunction of the first two;
         thus, by (3.60), an equivalent expression is obtained
         by removing the 3rd conjunct                           >

    (∀j | i < j < N : b.j ≥ b.m  ∧  b.m ≥ b.i)

=      < Distributivity of ∧ over ∀ (9.7); the conjunct b.m ≥ b.i does
         not mention j, and the range is nonempty because the
         assumptions give i<N, as noted above                         >

    (∀j | i < j < N : b.j ≥ b.m)  ∧  b.m ≥ b.i

=      < assumption P and assumption B1 >

    true ∧ true

=      < true is identity of ∧ (3.39) >

    true

Summarizing, what we have shown is

[(P ∧ B1) ⇒ (true ⇒ wp.S1.R)]

But by (3.73) (true is the left identity of ⇒), the consequent of the above is simply wp.S1.R. Hence, we have proved [(P ∧ B1) ⇒ wp.S1.R], as required.
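Before (or alongside) a calculational proof like the one above, it is cheap to run a bounded exhaustive check of the same obligations. The Python below is an added example, not part of the handout: it enumerates every state over a small domain (the length N = 4 and the value set {0,1,2} are assumptions, as is the use of 0-indexed Python lists so that b.j is written b[j]), runs the program on each state satisfying P, and checks the guard totality (a), the computed R = wp.(i:=i-1).Q, both guarded commands (b)(i) and (b)(ii), and the whole triple. It also shows what goes wrong if P's first conjunct is weakened to 0≤i, which the note after the problem statement identifies as the only difference between P and Q. Such a check is not a proof (it covers only the enumerated domain), but it catches a mistyped substitution or a missing conjunct before any calculation is attempted.

```python
"""Bounded exhaustive check of the handout's Hoare triple (added example).

Arrays are 0-indexed Python lists, so the handout's b.j is b[j].  The
domain (N = 4, entries in {0,1,2}) is an assumption chosen to keep the
enumeration small; it is not part of the handout.
"""
from itertools import product


def P(b, i, m):
    N = len(b)
    return 0 < i < m < N and all(b[j] >= b[m] for j in range(i + 1, N))


def Q(b, i, m):
    N = len(b)
    return 0 <= i < m < N and all(b[j] >= b[m] for j in range(i + 1, N))


def R(b, i, m):
    """wp.(i:=i-1).Q, i.e. textual substitution i := i-1 in Q."""
    N = len(b)
    return 0 <= i - 1 < m < N and all(b[j] >= b[m] for j in range(i, N))


def B0(b, i, m):
    return b[i] >= b[m]


def B1(b, i, m):
    return b[i] <= b[m]


def selection(b, i, m):
    """The if..fi command; returns the set of possible new values of m.

    When both guards hold either guarded command may be chosen, so every
    enabled alternative is returned and the caller checks all of them.
    """
    outcomes = set()
    if B0(b, i, m):
        outcomes.add(m)   # skip
    if B1(b, i, m):
        outcomes.add(i)   # m := i
    if not outcomes:
        raise RuntimeError("if..fi aborts: no guard holds")
    return outcomes


def program(b, i, m):
    """S1; S2 -- returns the set of possible final (i, m) pairs."""
    return {(i - 1, m2) for m2 in selection(b, i, m)}


def states(N, values):
    for b in product(values, repeat=N):
        for i in range(N):
            for m in range(N):
                yield list(b), i, m


def check(pre=P, N=4, values=range(3)):
    """Check each proof obligation with precondition `pre`.

    Returns a dict mapping obligation name to the list of counterexample
    states; every list empty means every obligation holds on the domain.
    """
    fails = {"guards_total": [], "R_is_wp": [], "skip_branch": [],
             "assign_branch": [], "triple": []}
    for b, i, m in states(N, values):
        # R must agree with Q after i := i-1 in *every* state (wp law).
        if R(b, i, m) != Q(b, i - 1, m):
            fails["R_is_wp"].append((b, i, m))
        if not pre(b, i, m):
            continue
        if not (B0(b, i, m) or B1(b, i, m)):          # (a)
            fails["guards_total"].append((b, i, m))
        if B0(b, i, m) and not R(b, i, m):            # (b)(i): skip
            fails["skip_branch"].append((b, i, m))
        if B1(b, i, m) and not R(b, i, i):            # (b)(ii): m := i
            fails["assign_branch"].append((b, i, m))
        if not all(Q(b, i2, m2) for i2, m2 in program(b, i, m)):
            fails["triple"].append((b, i, m))         # {P} S1;S2 {Q}
    return fails


def P_weak(b, i, m):
    """P with 0<i weakened to 0<=i, which makes it identical to Q."""
    return Q(b, i, m)


if __name__ == "__main__":
    assert all(not v for v in check().values()), check()
    print("all obligations hold on the bounded domain")
    bad = check(pre=P_weak)["triple"]
    print("with 0<=i in place of 0<i the triple fails, e.g. in state", bad[0])
```

The weakened precondition fails exactly where the proof used 0<i: with i = 0 the assignment produces i = -1, so Q's first conjunct is false whatever the selection did. Increasing N or the value set changes nothing about the method; the enumeration simply grows.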