#6 formal methods – loop proof using induction method

Preparedby:SharifOmarSalem–ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com

 Why to use it ??? It is hard to keep track of what is happening with loops. Loops
which don't terminate or terminate without achieving their goal behavior is a
common problem in computer programming. Loop invariants help.
 A loop invariant is
 a relation among program variables that is true when control enters a loop,
remains true each time the program executes the body of the loop, and is still
true when control exits the loop.
 Understanding loop invariants can help us analyze programs, check for errors,
and derive programs from specifications.

The point of Loop Invariants is the promise that the invariant will be restored before
repeating the loop body each time.
There are two advantages to this:
 Work is not carried forward to the next pass in complicated, data dependent ways.
Each pass through the loop in independent of all others, with the invariant serving
to bind the passes together into a working whole.
 Reasoning that your loop works is reduced to reasoning that the loop invariant is
restored with each pass through the loop. This breaks the complicated overall
behavior of the loop into small simple steps, each which can be considered
separately.

You consider separately two things:
 why the loop should ever terminate,
 and why the loop achieves its goal when it terminates.
The loop will terminate if each time through the loop you move closer to satisfying
the termination condition. It is often easy to assure this: e.g. stepping a counter
variable by one until it reaches a fixed upper limit. Sometimes the reasoning
behind termination is more difficult.
 The loop invariant should be created so that when the condition of termination is
attained, and the invariant is true, then the goal is reached:
 invariant + termination => goal

Example: Find the index of the minimum value in an array of integers.
 Here is the general idea. Let us call the array A[n], which has n elements in it.
a[0], a[1], a[2], ……………………………………………….. , a[n-1]
 Index of Min. Value of Array with n elements ≔ IMA[n] = m is our goal.
 We keep two variables, i and s,
 i ≔ index of the next element to check.
 s ≔ Index of the smallest element till this step (so far)
 we initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison
shows a smaller value, we update s=i.
 Each time through the loop
we increment i by one, and fix s to i:

Two main questions must be answered:
 What is the termination condition of the loop?
It is clear that loop stop when we reach the last element means i = n, so the test
condition is i < n.
 What is the loop invariant?
At any time we will have an array A[i] such that IMA[i] = s.
This means for any element k inside the array A[i] , a[s] =< a[k]

Check that the Loop Invariant is setup true by the initialization s and I
Check that each time through the loop, the Loop Invariant is true.
Check that headway towards termination is being made (i is always incremented in the loop body).
Check that termination plus loop invariant equals goal attained.

9

We will add two important induction principles to our rules. Those principles are very important
when dealing with integers especially positive integers.
 First Principle:
Second Principle:
 Major difference is in the second statement.
 Use the second principle when assuming P(k) is not enough to prove P(k+1).
 Assuming P(r) for any r where 1 r  k gives more ammunition to prove the relation.
10

The pattern for a loop function is as the diagram.
And The Hoare triple rule for iteration is
11
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧￢B}

Example: Prove the Euclidean algorithm finds the index of the minimum
value in an array of positive integers A[n]. using induction method?
 The Index of the minimum value in an array A of n integers, denoted by
IMV(An), is the index of the minimum integer r such that r ≤ k where k is
any integer of the array.
 For example, If we have the array A[5] ≔ { 5, 10, 3, 7, 12 } , Then
IMV(A5) = 2. The min. integer is the element a(2) = 3 and a(2) ≤ a(i)
where 0 ≤ i < 5.
12

Loop Description:
 Here is the general idea. Let us call the array A[n], which has n elements in it.
a[0], a[1], a[2], ……………………………………………….. , a[n-1]
 We keep two variables, i and s, i ≔ index of the next element to check and s ≔ Index of
the smallest element till this step (so far)
 We initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison
shows a smaller value, we update s=i.
 Each time through the loop we increment i by one, and fix s.
if ( a[i] < a[s] )
{
s = i ;
}
i ++ ;
Condition of the loop: It is clear that loop stop when we reach the last element means i = n,
so the test condition is i < n.
13

14

Solution Steps: (Four Steps)
Step 1: From Loop description find some definitions for the relation between variables.
Definitions:
 The goal is Index of min value ,denoted by IMV(An), could have any value as the predicate
0 ≤ IMV(An) < n.
 Every iteration, there will be a new temporary array with a temporary IMV value, where
IMV(Ai) ≤ IMV(An), where i is the number of element of the temporary array under check.
 And it is clear that the index of min. value of next array checked is greater or equal to the
previous one from the previous iteration, that means. IMV(Ai) ≤ IMV(Ai++)
Step 2: Define the loop invariant.
Loop invariant:
 Define the loop invariant which is true before and after the loop and relate all the variables
inside the program. In our case it is: IMV(Ai) ≤ IMV(An)
15

Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So,
we use induction to prove:
Proof:
 Q(0) ≔ IMV(A1) ≤ IMV(An) .When we first get to the loop statement, i=1.
An array A[1] have one element which is a(0) means IMV(A1) = 0, Which match with
the first definition.
so Q(0) is true.
 Assume Q(k) ≔ IMV(Ak) ≤ IMV(An) is True. ………… Inductive hypothesis.
Then prove that Q(k + 1) ≔ IMV(A(k+1)) ≤ IMV(An) is true also.
We begin by left side and conclude right side (P  Q)
 IMV(A(k+1)) ………. is the hypothesis and
From definitions IMV(A) ≤ IMV(Ai++) ,the result is
 IMV(Ak) ≤ IMV(A(k+1))………. And
From the inductive hypothesis IMV(Ak) ≤ IMV(An), the result is
 IMV(A(k+1)) ≤ IMV(An) is True , So Q(k + 1) is proved.
16

Step 4: Now we have to prove that at loop termination the post condition will imply to
the conclusion.
Termination + Loop Invariant = Goal
As(i=n) so IMV(Ai) = IMV(An) which is the goal.
 As we prove that Q is valid for all cases inside the loop and the loop termination
imply to the conclusion. Therefore, function IMV is correct.
17

Example : Prove the Euclidean algorithm finds the greatest common
divisor of two positive integers a and b, using induction method?
 The greatest common divisor of a and b, denoted by gcd(a, b), is the
largest integer n such that a/n and b/n. For example, gcd(12, 18) = 6
and gcd(420, 66) = 6.
18

 The Euclidean algorithm works by a succession of divisions. To
find gcd(a, b)
 assuming a >= b, so “a” is the dividend and “b” is the divisor
 you first divide a by b, getting a quotient and a remainder.
 Next, you divide the divisor, b, by the remainder (means the previous
divisor become the new dividend and the previous reminder become
the new divisor) and keep doing this until the remainder is 0, at This
point the greatest common divisor is the last divisor used.
19

20

21
Loop proof using induction reasoning

 Theorem ≔ {Q} while (B) {P} {Q∧￢B}  gcd(a,b)
 Loop condition (B) ≔ (remainder is not 0) ≔ (j != 0 )
Solution Steps: (Four Steps)
Step 1: From Loop description find some definitions for the relation between variables.
Definitions:
 The greatest common divisor of any two integers (dividend i and divisor j) is equal to the
greatest common advisor of the divisor j and remaining r
≔ gcd(i, j) = gcd(j, r)
 At every iteration The greatest common divisor of temporary dividend i and divisor j is
equal to the greatest common divisor of original two integers a & b
≔ gcd(i, j) = gcd(a, b)
22
Loop proof using induction reasoning

Step 2: Define the loop invariant.
Loop invariant:
Define the loop invariant which is true before and after the loop and relate all the variables
inside the program. In our case it is
Q ≔ gcd(i, j) = gcd(a, b)
Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we
use induction to prove:
Proof:
Q(n) ≔ gcd(in, jn) = gcd(a, b) for all n  0.
23

− Q(0) is gcd(i0, j0) = gcd(a, b) is true because when we first get to the loop
statement, i and j have the values a and b.
 Assume Q(k): gcd(ik, jk) = gcd(a, b).
 Show Q(k + 1): gcd(ik + 1, jk + 1) = gcd(a, b).
 By the assignment statements within the loop body, we know that
 ik + 1 = jk
 jk + 1 = rk
 Then, by the additional fact on the previous slide:
 gcd(ik + 1, jk + 1) = gcd(jk, rk) = gcd(ik, jk)
 By the inductive hypothesis, the above is equal to gcd(a, b)
24

Step 4: Now we have to prove that at loop termination the post condition will imply to
the conclusion.
Termination + Loop Invariant = Goal
At loop termination
 gcd(i, j) = gcd(a, b) and j = 0,
 so gcd(i, 0) = gcd(a, b).
 But gcd(i, 0) is i, so i = gcd(a, b).
As we prove that Q is valid for all cases inside the loop and the loop termination
imply to the conclusion. Therefore, function GCD is correct.
25

26

27

#6 formal methods – loop proof using induction method

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to #6 formal methods – loop proof using induction method

Similar to #6 formal methods – loop proof using induction method (20)

Recently uploaded

Recently uploaded (20)

#6 formal methods – loop proof using induction method