1. Calculate (and simplify as much as possible).
(a) wp.(b.j := k).(b.j ≠ b.k)
(b) wp.(b.(b.j) := b.k).(b.j = b.k)
2. Complete the development of the program below and show a proof of (ii) from the loop checklist. (The four other items on the list are clearly true.) Of course, E refers to an unknown expression. You will need to augment the loop invariant with a third conjunct in a way similar to what was done in solving the Prefix Sums problem. Don't forget that B is a rigid variable and therefore cannot be mentioned in any executable command.
|[ con N : int; {N≥0}
var b : array[0..N] of int; {b = B}
var k : int;
k := 0;
{loop invariant I: (∀i | 0≤i<k : b.i = B.i * B.(i+1)) ∧ 0≤k≤N ∧ b.n = B.n}
{bound function t: N - k}
do k ≠ N ⟶ k,b := k+1,b(k:E)
od
{Q': (∀i | 0≤i<k : b.i = B.i * B.(i+1)) ∧ k=N ∧ b.N = B.N}
{Q: (∀i | 0≤i<N : b.i = B.i * B.(i+1)) ∧ b.N = B.N }
]|
|
3. Complete the development of the program below and show a proof of (ii) from the loop checklist. (The four other items on the list are clearly true, with the exception of item (i) with respect to any fresh variables that you might introduce.) Of course, E refers to an unknown expression. You will need not only to augment the loop invariant as in the previous problem but also to strengthen it by introducing a fresh variable. You should find that using a multiple assignment command is very convenient. Don't forget that B is a rigid variable and therefore cannot be mentioned in any executable command.
|[ con N : int; {N>0}
var b : array[0..N) of int; {b = B}
var k : int;
k := 1;
{loop invariant I: (∀i | 1≤i<k : b.i = B.i max B.(i-1)) ∧ 1≤k≤N ∧ b.0 = B.0}
{bound function t: N - k}
do k ≠ N ⟶ k,b := k+1,b(k:E)
od
{Q': (∀i | 1≤i<k : b.i = B.i max B.(i-1)) ∧ k=N ∧ b.0 = B.0 }
{Q: (∀i | 1≤i<N : b.i = B.i max B.(i-1)) ∧ b.0 = B.0 }
]|
|
4. Prove the correctness of the following program, which sorts an array. (Do you recognize which sorting algorithm it is based upon?) Because it is obvious that items (iii), (iv), and (v) on the loop checklist are satisfied, all you need to show are items (i) and (ii). (Regarding (ii), all you need to consider is the line of code that swaps two array elements, as is explained below.)
|[ con N : int { N≥0 }
;var b : array[0..N) of T { b=B }
;var k, m : int
;k := 0
{I: inOrder(b,0,k) ∧ boundary(b,k) ∧ 0≤k≤N ∧ perm(b,B)}
{t: N-k}
do k ≠ N ⟶
{I ∧ k≠N}
m := locOfMin(b,k,N);
{I ∧ k≠N ∧ k≤m<N ∧ (∀j | k≤j<N : b.m ≤ b.j) }
;swap(b,k,m);
{I(k:=k+1)}
;k := k+1
{I}
od
{Q: inOrder(b,0,N) ∧ perm(b,B)}
]|
whereinOrder(f,p,q) : (∀i,j | p≤i≤j<q : f.i ≤ f.j) boundary(f,p) : (∀i,j | 0≤i<p ∧ p≤j<#f : f.i ≤ f.j) perm(f,g) : arrays f and g are permutations of one another |
Notes/Hints:
The command swap(a,i,j) is, in effect, the assignment a := a(i,j : a.j,a.i) and therefore (in accord with the wp assignment law) has the following semantics:
where (provided that i=j implies E=F)
| a(i,j : E,F).r = | { | E | if i=r |
| F | if j=r | ||
| a.r | otherwise |
Using the if function, this can be written as follows:
Thus, if b'.i occurs within a quantification in which i is a dummy that varies over a range that includes neither k nor m, you can cite the Irrelevant Array Element Axiom to justify replacing that occurrence of b'.i by b.i.
wp.swap(b,k,m).(I(k:=k+1))which, making use of the definition of I, the semantics of the swap() method, the definition of b', and textual substitution, translates into
inOrder(b',k+1) ∧ boundary(b',k+1) ∧ 0≤k+1≤N ∧ perm(b',B)As pointed out below, you can ignore the conjunct involving perm(). Rather than deal with all three remaining conjuncts simultaneously, it is recommended that you deal with them separately, which is justified by the PostCondition Conjunctivity theorem, which says that {P} S {Q1 ∧ Q2} ≡ {P} S {Q1} ∧ {P} S {Q2}
boundary(b,k) ∧ k≤r<#b ⟹ (∀i | 0≤i<k : b.i ≤ b.r)