SE 504   Two Examples of Deriving Selection Commands

Example 1: Computing the Maximum

Consider this Hoare Triple, where E is an unknown expression:

{true} z := E {z = x max y}

We shall assume that our programming language has no max operator, or else we would choose E to be x max y, making the solution trivial.

As there seems to be no other avenue to pursue, let's make use of the definition of max in order to rewrite the postcondition.

Definition: (c = a max b) ≡ ((c=a ∨ c=b) ∧ c≥a ∧ c≥b)

Restating the postcondition after applying this definition, our Hoare Triple becomes

{true} z := E {(z=x ∨ z=y) ∧ z≥x ∧ z≥y}

The postcondition, call it Q, suggests (due to its including as subexpressions z=x and z=y) two possible solutions, namely E: x and E: y. Recognizing that neither solution works in all circumstances, we attempt to calculate, for each one, a predicate characterizing those circumstances in which it does work. That is, we seek predicates P1 and P2 truthifying the Hoare Triples

{P1} z:=x {Q}   and   {P2} z:=y {Q}.

Calculation (using the wp assignment law) reveals that the weakest solution for P1 is x ≥ y and the weakest solution for P2 is y ≥ x. (See Appendix 1 for details.) That is, we have established

{x ≥ y} z := x {Q}   and   {y ≥ x} z := y {Q}

Embedding them in a selection command (with guards to be determined), we obtain

{true}
if B0  ⟶  {x ≥ y} z:=x {Q}
[] B1  ⟶  {y ≥ x} z:=y {Q}
fi
{Q}

Recall that, in proving the correctness of a selection command, for each of its guarded commands Bi ⟶ Si we must prove

{P ∧ Bi} Si {Q}

where P and Q are the pre- and postconditions, respectively, of the selection command, and that we must also prove that P implies the disjunction of the guards (otherwise the command could abort in some state satisfying P).

In our example, P is true, so P ∧ B0 is simply B0. Since we already have {x ≥ y} z:=x {Q}, the obligation {B0} z:=x {Q} is met as soon as B0 ⇒ x ≥ y, which leads us to choose B0 to be x ≥ y. By similar reasoning, we choose B1 to be y ≥ x, and we obtain

{true}
if x ≥ y  ⟶  {x ≥ y} z:=x {Q}
[] y ≥ x  ⟶  {y ≥ x} z:=y {Q}
fi
{Q}

All that remains (in order to prove the correctness of this selection command) is to verify that, in every state, at least one of the two guards is true. But this is obvious! (For a rigorous proof, see Appendix 2.)


Example 2: Squaring x while Preserving the value of x^y⋅z

Consider the Hoare Triple

{P ∧ y>0} x,y,z := x^2, E, F {P}

where P: C = x^y⋅z, E and F are unknown expressions, all variables are of type int, and x^2 is an abbreviation for x*x.

Let us try to calculate E and F. Following the usual approach, we attempt to carry out a proof of P ∧ y>0 ⇒ wp.(x,y,z := x^2,E,F).P, along the way choosing appropriate expressions for E and F.

   Assume P ∧ y>0 (where P : C = x^y⋅z)

   wp.(x,y,z := x^2,E,F).P

 =    < wp assignment law, defn of P, textual substitution >

   C = (x^2)^E⋅F

 =    < algebra: (a^b)^c = a^(bc) >

   C = x^(2E)⋅F

 =    < assumption C = x^y⋅z >

   x^y⋅z = x^(2E)⋅F

At this point, we recognize that if we choose expressions for E and F that satisfy y = 2E and F = z, we have a solution. In the case that y is even (i.e., isEven.y), this is possible, as we can choose E to be y div 2. Note that we are distinguishing between integer division, which is denoted by the div operator, and real division, which is denoted by a slash. The following table shows the relationship between the two:

   y div 2  =  y/2        if isEven.y
            =  (y−1)/2    if ¬isEven.y ∧ y>0
            =  (y+1)/2    if ¬isEven.y ∧ y<0

(This is div truncating toward zero, as in C and Java. In a language whose integer division rounds toward −∞, such as Python, the last case would read (y−1)/2 as well. Only the case y>0 is needed below, and there the two conventions agree.) What is significant to us here is the theorem

isEven.y   ≡   2(y div 2) = y

This means that had we assumed, in addition to P ∧ y>0, that isEven.y, we could have continued the proof as follows:

   x^y⋅z = x^(2E)⋅F

 =    < choose E : y div 2  and  F : z >

   x^y⋅z = x^(2(y div 2))⋅z

 =    < Assumption isEven.y implies that 2(y div 2) = y >

   x^y⋅z = x^y⋅z

 =    < reflexivity of = >

   true 

What we have just shown is

P ∧ y>0 ∧ isEven.y  ⟹  wp.(x,y,z := x^2,y div 2,z).P

which, of course, is equivalent to the Hoare Triple {P ∧ y>0 ∧ isEven.y} x,y,z := x^2,y div 2,z {P}

Now consider the case ¬isEven.y. The relevant theorem about integer division by 2 of a positive odd integer n (stated with a fresh variable, to avoid confusion with the program variable z) is this:

n>0 ∧ ¬isEven.n   ≡   2(n div 2) = n−1

Let's explore the possibility that, in this case too, there exists a solution in which E is y div 2. Continuing from where we had left off (and taking ¬isEven.y as an "extra" assumption), we get

     x^y⋅z = x^(2E)⋅F

 =     < choose E : y div 2 >

     x^y⋅z = x^(2(y div 2))⋅F

 =     < Assumption y>0 ∧ ¬isEven.y implies 2(y div 2) = y−1 >

     x^y⋅z = x^(y−1)⋅F

 =     < Assumption y>0 implies x^y = x^(y−1)⋅x >

     (x^(y−1)⋅x)⋅z = x^(y−1)⋅F

 =     < associativity of ⋅ >

     x^(y−1)⋅(x⋅z) = x^(y−1)⋅F

 =     < choose F to be x⋅z >

     x^(y−1)⋅(x⋅z) = x^(y−1)⋅(x⋅z)

 =     < reflexivity of = >

     true

What we have just proved is the Hoare Triple

{P ∧ y>0 ∧ ¬isEven.y} x,y,z := x^2,y div 2,x⋅z {P}

Summarizing, what we've found is that, if y is even, choosing y div 2 for E and z for F yields a solution, while if y is not even, choosing y div 2 for E and x⋅z for F yields a solution. This leads us to replace the assignment command in our original Hoare Triple with a selection command, as follows:

{P ∧ y>0}
if isEven.y  ⟶ {P ∧ y>0 ∧ isEven.y} x,y,z := x^2, y div 2, z {P}
[] ¬isEven.y ⟶ {P ∧ y>0 ∧ ¬isEven.y} x,y,z := x^2, y div 2, x⋅z {P}
fi
{P}

Our obligation of showing that the precondition implies the disjunction of the guards is trivial, since the two guards are negations of each other.
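The proof obligations used in both examples (each branch's Hoare Triple, and precondition implies the disjunction of the guards) can be checked mechanically over a finite domain. The following Python program is an added illustration, not part of these notes: it encodes the selection commands of Example 1 and Example 2 as guard/command pairs, executes each command on every state of a small constructed domain, and reports any state that violates an obligation (checking the postcondition on the command's result state is the same as checking wp on the original state). The `strict` switch on Example 1 replaces ≥ by > in the guards, so that the states with x = y are covered by neither guard and the second obligation reports them. This is exhaustive testing over a small domain, not a proof; the calculational proofs above are what cover all states.

```python
# Added illustration, not from the original notes: exhaustive check of the
# proof obligations of a selection command over a small constructed domain.
from itertools import product


def check_selection(pre, guarded, post, states):
    """Check on every state in `states` the obligations for
         {pre} if B0 -> S0 [] B1 -> S1 ... fi {post}
       1. pre  =>  B0 v B1 v ...          (at least one guard is true)
       2. pre ^ Bi  =>  post after Si     (each branch establishes post)
    `guarded` is a list of (Bi, Si) with Bi: state -> bool and Si: state ->
    new state (a fresh dict).  Checking post on Si's result state is the same
    as checking pre ^ Bi => wp.Si.post on the original state.
    Returns a list of (obligation, state) failures; empty means all pass."""
    failures = []
    for s in states:
        if not pre(s):
            continue
        if not any(b(s) for b, _ in guarded):
            failures.append(("no guard true", s))
        for i, (b, cmd) in enumerate(guarded):
            if b(s) and not post(cmd(s)):
                failures.append((f"branch {i}", s))
    return failures


def example1_failures(strict=False):
    """Example 1: {true} if x>=y -> z:=x [] y>=x -> z:=y fi {Q}, with
    Q : (z=x v z=y) ^ z>=x ^ z>=y.  With strict=True the guards become
    x>y and y>x, which leaves the states with x=y uncovered."""
    states = [{"x": x, "y": y, "z": z}
              for x, y, z in product(range(-3, 4), repeat=3)]

    def q(s):
        return ((s["z"] == s["x"] or s["z"] == s["y"])
                and s["z"] >= s["x"] and s["z"] >= s["y"])

    if strict:
        b0, b1 = (lambda s: s["x"] > s["y"]), (lambda s: s["y"] > s["x"])
    else:
        b0, b1 = (lambda s: s["x"] >= s["y"]), (lambda s: s["y"] >= s["x"])
    guarded = [(b0, lambda s: {**s, "z": s["x"]}),
               (b1, lambda s: {**s, "z": s["y"]})]
    return check_selection(lambda s: True, guarded, q, states)


def is_even(n):
    return n % 2 == 0


def example2_failures():
    """Example 2: {P ^ y>0} if isEven.y  -> x,y,z := x^2, y div 2, z
                            [] !isEven.y -> x,y,z := x^2, y div 2, x*z fi {P}
    with P : C = x^y * z.  Python's // is floor division; it agrees with the
    truncating div of the notes because every state here has y > 0."""
    def p(s):
        return s["C"] == s["x"] ** s["y"] * s["z"]

    # Constructed states: C is chosen so that P holds initially.
    states = [{"x": x, "y": y, "z": z, "C": x ** y * z}
              for x, y, z in product(range(-3, 4), range(1, 7), range(-2, 3))]
    guarded = [
        (lambda s: is_even(s["y"]),
         lambda s: {**s, "x": s["x"] * s["x"], "y": s["y"] // 2}),
        (lambda s: not is_even(s["y"]),
         lambda s: {**s, "x": s["x"] * s["x"], "y": s["y"] // 2,
                    "z": s["x"] * s["z"]}),
    ]
    return check_selection(lambda s: p(s) and s["y"] > 0, guarded, p, states)


if __name__ == "__main__":
    print("Example 1 failures:", example1_failures())
    print("Example 1 with strict guards:", len(example1_failures(strict=True)))
    print("Example 2 failures:", example2_failures())
```

Both derived commands pass on the whole domain; with strict guards, every state having x = y is reported under "no guard true", which is exactly the abort case the disjunction-of-guards obligation exists to rule out.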

The above is a perfectly good solution, except for the assignment z := z in the first branch, which obviously should be omitted, leaving only x,y := x^2, y div 2 there. (Any programmer who leaves a command of the form z:=z in a program deserves harsh punishment.) However, a finicky programmer, observing that the assignments to x and y in the two branches are identical, may feel the urge to "factor out" that common part, putting it in a separate assignment command and leaving only the assignment to z within the selection command. Given that the values assigned to x and y don't depend upon z, but that the guards of the selection command depend upon y and the assignment in one branch of the selection depends upon x, the only sensible ordering of commands is to put the selection command first, followed by the (simultaneous) assignment to x and y. We get this program:

{P ∧ y>0}
if isEven.y  ⟶ {P ∧ y>0 ∧ isEven.y} skip {R}
[] ¬isEven.y ⟶ {P ∧ y>0 ∧ ¬isEven.y} z := x⋅z {R}
fi
{R}
; x,y := x^2, y div 2
{P}

Of course, P is no longer a proper postcondition for the selection command, as its execution cannot possibly change the values of either x or y, but may change the value of z, which would result in a state in which P is false. So then what is the appropriate choice for R?

Of course, R should be wp.(x,y := x^2, y div 2).P, which is P(x,y := x^2, y div 2), or, if you prefer (after a little algebra on the exponents, namely (x^2)^(y div 2) = x^(2(y div 2))),

C = x^(2(y div 2))⋅z

We get the annotated program

{P ∧ y>0}
if isEven.y  ⟶ {P ∧ y>0 ∧ isEven.y} skip {P(x,y:=x^2, y div 2)}
[] ¬isEven.y ⟶ {P ∧ y>0 ∧ ¬isEven.y} z := x⋅z {P(x,y:=x^2, y div 2)}
fi
{P(x,y:=x^2, y div 2)}
; x,y := x^2, y div 2
{P}

To verify that our (intuition-based) transformation of the program is correct, we need only prove each of the two Hoare Triples nested inside the selection command, which is easy and is left to the reader.
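For completeness, here are the two proofs left to the reader, carried out in the calculational style of the notes (added here; the notes only state that they are easy). Write R for P(x,y := x^2, y div 2), that is, C = x^(2(y div 2))⋅z.

Second branch: we must show P ∧ y>0 ∧ ¬isEven.y ⇒ wp.(z := x⋅z).R.

   Assume P ∧ y>0 ∧ ¬isEven.y

   wp.(z := x⋅z).R

 =    < wp assignment law, defn of R, textual substitution >

   C = x^(2(y div 2))⋅(x⋅z)

 =    < Assumption y>0 ∧ ¬isEven.y implies 2(y div 2) = y−1 >

   C = x^(y−1)⋅(x⋅z)

 =    < associativity of ⋅; assumption y>0 implies x^(y−1)⋅x = x^y >

   C = x^y⋅z

 =    < defn of P; assumption P >

   true

First branch: we must show P ∧ y>0 ∧ isEven.y ⇒ wp.skip.R.

   Assume P ∧ y>0 ∧ isEven.y

   wp.skip.R

 =    < wp skip law: wp.skip.R = R; defn of R >

   C = x^(2(y div 2))⋅z

 =    < Assumption isEven.y implies 2(y div 2) = y >

   C = x^y⋅z

 =    < defn of P; assumption P >

   true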
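The program just derived is a single step that halves y while preserving P : C = x^y⋅z. Iterating it until y = 0, where P reads C = z, therefore computes x^y by repeated squaring. That loop goes beyond the notes, which derive only the one step; the following Python code is an added example, not from the original, with `step` transcribing the refactored program above and the remaining functions recording the states visited and checking that P holds in every one of them. Python's `//` is used for div, which is safe because y > 0 whenever `step` runs.

```python
# Added example, not from the original notes: the derived program iterated
# until y = 0, where the invariant P : C = x^y * z reduces to C = z.
def step(x, y, z):
    """One execution, for y > 0, of the refactored program of the notes:
         if isEven.y -> skip [] !isEven.y -> z := x*z fi ; x,y := x^2, y div 2
    Returns the new (x, y, z).  Python's // is floor division, which agrees
    with truncating div because y > 0."""
    if y <= 0:
        raise ValueError("step requires y > 0")
    if y % 2 != 0:            # the !isEven.y branch: z := x*z
        z = x * z
    return x * x, y // 2, z   # the simultaneous assignment x,y := x^2, y div 2


def trace_states(x, y):
    """All states (x, y, z) visited when iterating step from z = 1 until
    y = 0, initial and final states included.  Requires y >= 0."""
    if y < 0:
        raise ValueError("exponent must be non-negative")
    z = 1
    states = [(x, y, z)]
    while y > 0:
        x, y, z = step(x, y, z)
        states.append((x, y, z))
    return states


def power_by_squaring(x, y):
    """x^y for integer y >= 0: the z of the final state.  P holds throughout
    with C = x^y fixed by the initial state (z = 1), and the final state has
    y = 0, so P there reads C = z."""
    return trace_states(x, y)[-1][2]


def invariant_holds(x, y):
    """Check P : C = x^y * z in every visited state, C being the value x^y
    determined by the initial state."""
    C = x ** y
    return all(C == xi ** yi * zi for xi, yi, zi in trace_states(x, y))


if __name__ == "__main__":
    for s in trace_states(3, 13):
        print(s)
    print("3^13 =", power_by_squaring(3, 13), "invariant:", invariant_holds(3, 13))
```

The number of steps is the number of binary digits of y, since y div 2 drops its lowest bit. With every ⋅ taken modulo n, the same invariant and the same derivation give modular exponentiation (the square-and-multiply loop used in RSA and Diffie-Hellman), because the exponent laws used in the proof hold in the integers mod n as well.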


Appendix 1

Here we calculate wp.(z:=x).Q —which, of course, is the weakest solution to Y : {Y} z := x {Q}— where Q : (z=x ∨ z=y) ∧ z≥x ∧ z≥y. The calculation of wp.(z:=y).Q is analogous.

   wp.(z:=x).Q

=    < defn of Q >

   wp.(z:=x).((z=x ∨ z=y) ∧ z≥x ∧ z≥y)

=    < wp assignment law >

   ((z=x ∨ z=y) ∧ z≥x ∧ z≥y)(z:=x)

=    < textual substitution >

   (x=x ∨ x=y) ∧ x≥x ∧ x≥y

=    < both = and ≥ are reflexive >

   (true ∨ x=y) ∧ true ∧ x≥y

=    < true is the "zero" of ∨ >

   true ∧ true ∧ x≥y

=    < (3.39), true is identity of ∧ (twice) >

   x≥y 


Appendix 2

We accept as a theorem about the ordering of numbers (trichotomy) the following:

Theorem: For all real numbers x and y, x>y  ∨  y>x  ∨  x=y

Now we prove that x≥y ∨ y≥x:

   x≥y ∨ y≥x

=    < defn of ≥ >

   (x>y ∨ x=y) ∨ (y>x ∨ y=x)

=    < symmetry of =; associativity, symmetry, and idempotence of ∨ >

   x>y ∨ y>x ∨ x=y

=    < Theorem above >

   true