First, here is the postcondition that we want to implement:
P0: r = 〈↑ p, q: 0 ≤ p ≤ q ≤ N: 〈∑ i: p ≤ i < q: X.i〉〉where ↑ denotes the maximum of two operands. Like the conjunction and the disjunction, it is idempotent, associative and symmetric so we can use it in the same was as the universal and existential quantification. The first thing to do is to introduce a name for the summation part so that we can manipulate it independently of the overall specification.
(0) S.p.q = 〈∑ i: p ≤ i < q: X.i〉And the specification becomes:
P1: r = 〈↑ p, q: 0 ≤ p ≤ q ≤ N: S.p.q〉The traditional way to get an invariant from this is to replace N by a variable, let's call it n, and use n = N as an exit condition:
J0: r = 〈↑ p, q: 0 ≤ p ≤ q ≤ n: S.p.q〉 C0: n = NBy symmetry, we can assume that 0 is a proper initial value for n which makes S.0.0 a good one for r.
I0: n = 0 I1: r = 0Last formality: having n increase by one at each iteration will guarantee termination provided 0 ≤ N.
S0: n' = n + 1Let's now start calculating with J0 to see what adjustments we have to make to r to preserve it. Two distinct heuristics get us to start calculating with the right-hand side of the equality: it is much more complicated than the left-hand side so we can assume that most of our moves will be eliminations and all the program variable involved in the right-hand side don't have a matching assignment so we would basically be stuck right at the start. For a given loop with invariant J and body S, the invariance of J is assured by:
J' ⇐ J ∧ Swhere J' is J with all its program variables primed. It means we can use whatever is part of the body or the invariant to prove J's invariance, to do so, we can invent new statements for the body as we go.
〈↑ p, q: 0 ≤ p ≤ q ≤ n': S.p.q〉
= { S0 }
〈↑ p, q: 0 ≤ p ≤ q ≤ n+1: S.p.q〉
= { Split range }
〈↑ p, q: 0 ≤ p ≤ q ≤ n: S.p.q〉
↑ 〈↑ p: 0 ≤ p ≤ n+1: S.p.(n+1)〉
= { Use final value of a new variable using
Q0: s' = 〈↑ p: 0 ≤ p ≤ n+1: S.p.(n+1)〉 and J0 }
r ↑ s'
= { New statement: S1: r' = r ↑ s' to conclude
the proof of J0's invariance }
r'
Q0: s' = 〈↑ p: 0 ≤ p ≤ n+1: S.p.(n+1)〉
S1: r' = r ↑ s'
Q0 links unprimed variables with primed variables in a way that cannot be evaluated. Let's turn it into an invariant to fix this.
〈↑ p: 0 ≤ p ≤ n+1: S.p.(n+1)〉
= { S0 }
〈↑ p: 0 ≤ p ≤ n': S.p.n'〉
= { J1' }
s'
where
J1: s = 〈↑ p: 0 ≤ p ≤ n: S.p.n〉We now have to make sure that J1 is also invariant and use the same heuristic as for J0 to do so.
〈↑ p: 0 ≤ p ≤ n': S.p.n'〉
= { S0 and split }
〈↑ p: 0 ≤ p ≤ n: S.p.(n+1)〉↑ S.(n+1).(n+1)
= { (1), see below ; S.n.n = 0 }
〈↑ p: 0 ≤ p ≤ n: S.p.n + X.n〉↑ 0
= { + over ↑ }
(〈↑ p: 0 ≤ p ≤ n: S.p.n〉+ X.n) ↑ 0
= { J1 }
(s + X.n) ↑ 0
= { New statement: S2: s' = (s + X.n) ↑ 0 }
s'
S2: s' = (s + X.n) ↑ 0
(1) S.p.(n+1) = S.p.n + X.n ⇐ p ≤ n
(1) is a theorem that we calculated because we had a term S.p.(n+1) that we needed to replace by one formulated in terms of S.p.n to make it possible to use J1 to eliminate the quantified maximum.
Proof of (1):
S.p.(n+1)
= { (0) }
〈∑ i: p ≤ i < n+1: X.i〉
= { Split range using p ≤ n }
〈∑ i: p ≤ i < n: X.i〉+ X.n
= { (0) }
S.p.n + X.n
end of proof
All that is missing now to have a complete program is to add an initialization for s. An examination of J1 tells us that for n = 0, S.0.0 is an appropriate value for s. We now get:
n = 0 ∧ r = 0 ∧ s = 0
; while n ≠ N do
n' = n+1 ∧ r' = r↑s' ∧ s' = (s + X.n) ↑ 0
od
This would be a simple enough program to execute except for S1 which has primed variables on both side of the equality. Let's see if we can find a sequence of assignments (rather than a conjunction of equalities) that will do the same as S0 ∧ S1 ∧ S2.
The main law that we use for calculating assignments is
(2) s := E ; P ≡ P [s \ E]where P [s \ E] is the same as P except for the occurrences of s which are replaced by E. The way in which we will make assignments appear is by replacing terms of the initial specification by specifications of the form x' = x so that we can eventually replace the whole boolean specification by a skip and keep only the assignments.
n' = n+1 ∧ r' = r↑s' ∧ s' = (s + X.n) ↑ 0
= { Let's deal with s' to introduce s' = s
and solve the assignment to r }
s := (s + X.n) ↑ 0
; (n' = n+1 ∧ r' = r↑s' ∧ s' = s)
= { Leibniz }
s := (s + X.n) ↑ 0
; (n' = n+1 ∧ r' = r↑s ∧ s' = s)
= { Assignment (either of r or n will do. Let's pick
them in inverse order of introduction }
s := (s + X.n) ↑ 0
; r := r↑s
; (n' = n+1 ∧ r' = r ∧ s' = s)
= { One last time, assignment }
s := (s + X.n) ↑ 0
; r := r↑s
; n := n+1
; (n' = n ∧ r' = r ∧ s' = s)
⇐ { Introduce skip }
s := (s + X.n) ↑ 0
; r := r↑s
; n := n+1
; skip
= { Identity of ; }
s := (s + X.n) ↑ 0
; r := r↑s
; n := n+1
It is a bit disappointing to see that the order between the assignment to r and that to n is irrelevant and we could have used a multiple simultaneous assignment for them but, then, we would have noticed that the choice of grouping n with r or grouping it with s is also irrelevant. One way or another, an irrelevant choice has to be made.
By interpreting the initialization in a similar way, we get the following program:
n, r, s := 0, 0, 0
{ invariant J0 ∧ J1 }
; while n ≠ N do
s := (s + X.n) ↑ 0
; r := r ↑ s
; n := n + 1
od
