#6 formal methods – loop proof using induction method

Prepared by: Sharif Omar Salem – [email protected]


Formal Methods:Loop proof using induction

method



Loop Invariant


Why to use it ??? It is hard to keep track of what is happening with loops. Loops which don't terminate or terminate without achieving their goal behavior is a common problem in computer programming. Loop invariants help.

A loop invariant is a relation among program variables that is true when control enters a loop,

remains true each time the program executes the body of the loop, and is still true when control exits the loop.

Understanding loop invariants can help us analyze programs, check for errors, and derive programs from specifications.

Definition


Invariant and Loops


The point of Loop Invariants is the promise that the invariant will be restored before repeating the loop body each time.

There are two advantages to this: Work is not carried forward to the next pass in complicated, data dependent

ways. Each pass through the loop in independent of all others, with the invariant serving to bind the passes together into a working whole.

Reasoning that your loop works is reduced to reasoning that the loop invariant is restored with each pass through the loop. This breaks the complicated overall behavior of the loop into small simple steps, each which can be considered separately.

More details ….


You consider separately two things: why the loop should ever terminate, and why the loop achieves its goal when it terminates.

The loop will terminate if each time through the loop you move closer to satisfying the termination condition. It is often easy to assure this: e.g. stepping a counter variable by one until it reaches a fixed upper limit. Sometimes the reasoning behind termination is more difficult.

The loop invariant should be created so that when the condition of termination is attained, and the invariant is true, then the goal is reached:

invariant + termination => goal

More details ….


Example: Find the index of the minimum value in an array of integers.Here is the general idea. Let us call the array A[n], which has n elements in it.

a[0], a[1], a[2], ……………………………………………….. , a[n-1]Index of Min. Value of Array with n elements IMA[n] = m is our goal.≔We keep two variables, i and s,

i index of the next element to check.≔ s Index of the smallest element till this step (so far)≔

we initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison shows a smaller value, we update s=i.

Each time through the loop we increment i by one, and fix s to i:

Loop Invariant Example


Two main questions must be answered:What is the termination condition of the loop?

It is clear that loop stop when we reach the last element means i = n, so the test condition is i < n.

What is the loop invariant?At any time we will have an array A[i] such that IMA[i] = s.This means for any element k inside the array A[i] , a[s] =< a[k]



Check that the Loop Invariant is setup true by the initialization s and ICheck that each time through the loop, the Loop Invariant is true. Check that headway towards termination is being made (i is always incremented in the loop body). Check that termination plus loop invariant equals goal attained.




induction method

10


We will add two important induction principles to our rules. Those principles are very important

when dealing with integers especially positive integers.

First Principle:

Second Principle:

Major difference is in the second statement.

Use the second principle when assuming P(k) is not enough to prove P(k+1).

Assuming P(r) for any r where 1 r k gives more ammunition to prove the relation.

Induction reasoning

11


The pattern for a loop function is as the diagram.

And The Hoare triple rule for iteration is

Loop proof using induction reasoning

12

{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧￢ B}


Example: Prove the Euclidean algorithm finds the index of the minimum value in an array of positive integers A[n]. using induction method?

The Index of the minimum value in an array A of n integers, denoted by

IMV(An), is the index of the minimum integer r such that r ≤ k where k is any integer of the array.

For example, If we have the array A[5] { 5, 10, 3, 7, 12 } , Then ≔IMV(A5) = 2. The min. integer is the element a(2) = 3 and a(2) ≤ a(i) where 0 ≤ i < 5.


13


Loop Description:Here is the general idea. Let us call the array A[n], which has n elements in it.

a[0], a[1], a[2], ……………………………………………….. , a[n-1]We keep two variables, i and s, i index of the next element to check and s Index of ≔ ≔

the smallest element till this step (so far)We initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison

shows a smaller value, we update s=i.Each time through the loop we increment i by one, and fix s.

if ( a[i] < a[s] ) { s = i ; } i ++ ;Condition of the loop: It is clear that loop stop when we reach the last element means i = n, so the test condition is i < n.


14



15


Solution Steps: (Four Steps)

Step 1: From Loop description find some definitions for the relation between variables.Definitions: The goal is Index of min value ,denoted by IMV(An), could have any value as the predicate

0 ≤ IMV(An) < n. Every iteration, there will be a new temporary array with a temporary IMV value, where

IMV(Ai) ≤ IMV(An), where i is the number of element of the temporary array under check.And it is clear that the index of min. value of next array checked is greater or equal to the

previous one from the previous iteration, that means. IMV(Ai) ≤ IMV(Ai++)

Step 2: Define the loop invariant.Loop invariant:Define the loop invariant which is true before and after the loop and relate all the variables

inside the program. In our case it is: IMV(Ai) ≤ IMV(An)


16


Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we use induction to prove:

Proof: Q(0) IMV(A1) ≤ IMV(An) .When we first get to the loop statement, i=1.≔

An array A[1] have one element which is a(0) means IMV(A1) = 0, Which match with the first definition.so Q(0) is true.

Assume Q(k) IMV(Ak) ≤ IMV(An) is True. ………… Inductive hypothesis.≔Then prove that Q(k + 1) IMV(A(k+1)) ≤ IMV(An) is true also.≔We begin by left side and conclude right side (P Q) IMV(A(k+1)) ………. is the hypothesis and

From definitions IMV(A) ≤ IMV(Ai++) ,the result is IMV(Ak) ≤ IMV(A(k+1))………. And

From the inductive hypothesis IMV(Ak) ≤ IMV(An), the result is IMV(A(k+1)) ≤ IMV(An) is True , So Q(k + 1) is proved.


17


Step 4: Now we have to prove that at loop termination the post condition will imply to the conclusion.

Termination + Loop Invariant = Goal As(i=n) so IMV(Ai) = IMV(An) which is the goal.

As we prove that Q is valid for all cases inside the loop and the loop termination imply to the conclusion. Therefore, function IMV is correct.


18


19

Example : Prove the Euclidean algorithm finds the greatest common divisor of two positive integers a and b, using induction method?

The greatest common divisor of a and b, denoted by gcd(a, b), is the largest integer n such that a/n and b/n. For example, gcd(12, 18) = 6 and gcd(420, 66) = 6.



20

The Euclidean algorithm works by a succession of divisions. To find gcd(a, b)assuming a >= b, so “a” is the dividend and “b” is the divisoryou first divide a by b, getting a quotient and a remainder.Next, you divide the divisor, b, by the remainder (means the previous

divisor become the new dividend and the previous reminder become the new divisor) and keep doing this until the remainder is 0, at This point the greatest common divisor is the last divisor used.



21



22



23

Theorem {Q} while (B) {P} {Q≔ ∧￢ B} gcd(a,b)Loop condition (B) (remainder is not 0) (j != 0 )≔ ≔Solution Steps: (Four Steps)Step 1: From Loop description find some definitions for the relation between variables.Definitions: The greatest common divisor of any two integers (dividend i and divisor j) is equal to the

greatest common advisor of the divisor j and remaining r ≔ gcd(i, j) = gcd(j, r)

At every iteration The greatest common divisor of temporary dividend i and divisor j is equal to the greatest common divisor of original two integers a & b

≔ gcd(i, j) = gcd(a, b)



24

Step 2: Define the loop invariant.Loop invariant: Define the loop invariant which is true before and after the loop and relate all the variables

inside the program. In our case it isQ gcd(i, j) = gcd(a, b)≔

Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we use induction to prove:

Proof:Q(n) gcd(i≔ n, jn) = gcd(a, b) for all n 0.



25

− Q(0) is gcd(i0, j0) = gcd(a, b) is true because when we first get to the loop statement, i and j have the values a and b.

Assume Q(k): gcd(ik, jk) = gcd(a, b).Show Q(k + 1): gcd(ik + 1, jk + 1) = gcd(a, b). By the assignment statements within the loop body, we know that

ik + 1 = jk jk + 1 = rk

Then, by the additional fact on the previous slide:gcd(ik + 1, jk + 1) = gcd(jk, rk) = gcd(ik, jk)By the inductive hypothesis, the above is equal to gcd(a, b)



26

Step 4: Now we have to prove that at loop termination the post condition will imply to the conclusion.

Termination + Loop Invariant = Goal At loop termination

gcd(i, j) = gcd(a, b) and j = 0, so gcd(i, 0) = gcd(a, b). But gcd(i, 0) is i, so i = gcd(a, b).

As we prove that Q is valid for all cases inside the loop and the loop termination imply to the conclusion. Therefore, function GCD is correct.



27


End of Lecture


28


Next Lecture:Loop proof - Examples

#6 formal methods – loop proof using induction method

Education