SE 504
When a selection command (i.e., if statement) is nested inside a loop ...

Suppose you have a loop of the following form (that is, one whose body is a selection command):

    do B ---> 
       if B0 ---> S0
       [] B1 ---> S1
       fi
    od

Question: When it comes time to prove item (ii) on the loop checklist, {I ∧ B} S {I} (where I is the invariant, B is the loop guard, and S is the body of the loop), how do you proceed?

Answer: First, you observe that S is a selection command. Following the rule that governs how one goes about proving a Hoare triple in which the program is a selection command (namely, rule (5) in the Program Verification Summary (PVS)), we deduce that the following should be proved:

     (a)  [I ∧ B  ==>  B0 ∨ B1]
     (b0) {I ∧ B ∧ B0} S0 {I}
     (b1) {I ∧ B ∧ B1} S1 {I}

As with any Hoare triple, the steps to follow in order to prove (b0) depend upon the form of S0. If S0 is the catenation of two or more commands, apply (1) from PVS. If S0 is an assignment command, apply (4). And so on and so forth. Of course, the same reasoning applies to proving (b1).

Just to complicate things a little, suppose that the original program were of the form

    do B ---> 
       if B0 ---> S0
       [] B1 ---> S1
       fi;
       i := i+1
    od

Now the loop body, rather than consisting entirely of a selection command, is the catenation of a selection command (call it IF) with an assignment. Instantiating S by IF; i:=i+1, item (ii) on the loop checklist becomes {I ∧ B} IF; i:=i+1 {I}. Because the body is a catenation, rule (1) from PVS applies, which says that we should find an R for which both {I ∧ B} IF {R} and {R} i:=i+1 {I} are true. Because i:=i+1 is an assignment, a good choice for R is wp.(i:=i+1).I, which is I[i:=i+1] (I with every free occurrence of i replaced by i+1). This is the weakest R for which {R} i:=i+1 {I} holds, so we get that triple "for free" and leave ourselves the weakest possible postcondition to establish for IF. We are left to show {I ∧ B} IF {I[i:=i+1]}. Now we apply (5) from PVS, which tells us to prove

     (a)  [I ∧ B  ==>  B0 ∨ B1]
     (b0) {I ∧ B ∧ B0} S0 {I[i:=i+1]}
     (b1) {I ∧ B ∧ B1} S1 {I[i:=i+1]}

As explained earlier, to prove (b0) we would follow the appropriate rule from PVS, according to the form of S0 (e.g., catenation, assignment, skip, selection command, etc.). The same goes for (b1).
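A worked instance of the second form, added here as an illustration (it is not from the original page; the program, invariant and guards below were chosen for this example). The loop sums the non-negative elements of an array a[0..n-1]:

    { 0 ≤ n }
    i, s := 0, 0;
    do i ≠ n --> 
       if a[i] ≥ 0 --> s := s + a[i]
       [] a[i] ≤ 0 --> skip
       fi;
       i := i+1
    od
    { s = (Σ j | 0 ≤ j < n ∧ a[j] ≥ 0 : a[j]) }

Abbreviate (Σ j | 0 ≤ j < k ∧ a[j] ≥ 0 : a[j]) as sum(k). Take

    I  : 0 ≤ i ≤ n ∧ s = sum(i)
    B  : i ≠ n
    B0 : a[i] ≥ 0
    B1 : a[i] ≤ 0

The guards overlap at a[i] = 0; that is allowed in a selection command, but it means both branches must preserve I in that case. With R = I[i:=i+1] = (0 ≤ i+1 ≤ n ∧ s = sum(i+1)), the three obligations are:

    (a)  [I ∧ i ≠ n ==> a[i] ≥ 0 ∨ a[i] ≤ 0]
         The consequent is a tautology on the integers, so this holds. Note also that
         I ∧ i ≠ n gives 0 ≤ i < n, so a[i] is in range and the guards are well defined.

    (b0) {I ∧ i ≠ n ∧ a[i] ≥ 0} s := s + a[i] {R}
         By rule (4) this reduces to [I ∧ i ≠ n ∧ a[i] ≥ 0 ==> R[s := s + a[i]]], i.e.
         [I ∧ i ≠ n ∧ a[i] ≥ 0 ==> 0 ≤ i+1 ≤ n ∧ s + a[i] = sum(i+1)].
         Range: 0 ≤ i ≤ n ∧ i ≠ n gives 0 ≤ i < n, hence 0 ≤ i+1 ≤ n.
         Sum: splitting off the term j = i, sum(i+1) = sum(i) + (if a[i] ≥ 0 then a[i] else 0);
         with a[i] ≥ 0 and s = sum(i) from I, the right side is s + a[i].

    (b1) {I ∧ i ≠ n ∧ a[i] ≤ 0} skip {R}
         By the rule for skip this reduces to [I ∧ i ≠ n ∧ a[i] ≤ 0 ==> R], i.e.
         [I ∧ i ≠ n ∧ a[i] ≤ 0 ==> 0 ≤ i+1 ≤ n ∧ s = sum(i+1)].
         Range: as in (b0).
         Sum: sum(i+1) = sum(i) + (if a[i] ≥ 0 then a[i] else 0). Under a[i] ≤ 0 the split-off
         term is 0 (it is 0 when a[i] < 0, and equals a[i] = 0 when a[i] = 0), so
         sum(i+1) = sum(i) = s.

That discharges item (ii) for this loop. The remaining checklist items (initialization establishes I, since i, s := 0, 0 gives 0 ≤ 0 ≤ n ∧ 0 = sum(0); I ∧ ¬B gives i = n and hence the postcondition; n - i is a bound function) are handled in the usual way and are not the point of this note.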