Program Correctness: Jorge A. Pérez

Program Correctness
Block 3
Jorge A. Pérez
(based on slides by Arnold Meijster)
Bernoulli Institute for Mathematics, Computer Science, and AI

University of Groningen, Groningen, the Netherlands
February 16, 2023

Outline
From Last Lecture

Euclid’s algorithm (gcd)
Initialization and Active Finalization

Exercise 6.5
Exercise 6.7
How to find a good invariant?

Heuristic: Split conjuncts
Heuristic: Replace constant by variable
Heuristic: Generalization
Examples
2 / 36
Stepwise design of a while program
The starting point is the specification fP g T fQ g.
0 Based on the specification, we decide that we need a loop.
1 Choose an invariant J and a guard B such that
J ^: B ) Q (aka finalization)
2 Initialization: Find a command T0 such that
P g T0 fJ g
f
3 Variant function: Choose a vf 2 Z and prove

J ^ B ) vf 0
4 Body of the loop: Find a command S such that
J
f ^ B ^ vf = V g S fJ ^ vf < Vg
5 Conclude that
P g T0 ; while B do S end fQ g
f
3 / 36
Example: Euclid’s algorithm (gcd)
We consider the following specification for computing the greatest

common divisor of x and y, denoted gcd(x ; y ):
var x ; y : Z;
fP : x > 0 ^ y > 0 ^ gcd(x ; y ) = Z g
S
fQ : x = Z g
4 / 36
Before we derive an algorithm, recall that if x ; y 2 Z and y > 0, then

x div y and x mod y are integers that satisfy
(x = y (x div y ) + x mod y ) ^ 0 x mod y < y
5 / 36

Also, if z divides y, then (z divides i y + j) (z divides j ).
5 / 36


Using these facts, we can prove that
- every common divisor of x and y > 0
is also
- a common divisor of y and x mod y (and vice versa).
5 / 36


Using these facts, we can prove that
- every common divisor of x and y > 0
is also
- a common divisor of y and x mod y (and vice versa).
We can therefore use the recurrence:
x > 0 ) gcd(x ; 0) = x
y > 0 ) gcd(x ; y ) = gcd(y ; x mod y )
5 / 36
Example: Designing a loop (1/4)
f P : x > 0^y > 0 ^ gcd(x ; y ) = Z g
S
f Q : x = Zg
0 We decide that we need a while: Using the recurrence we
expect to decrease the values of x and y iteratively.
6 / 36
f P : x > 0^y > 0 ^ gcd(x ; y ) = Z g
S
f Q : x = Zg
0 We decide that we need a while: Using the recurrence we
expect to decrease the values of x and y iteratively.
1 Choose an invariant J and a guard B such that J ^ :B ) Q.
J :x > 0^y 0 ^ gcd(x ; y ) = Z
B :y 6= 0
Notice:
J ^: B x > 0^y 0 ^ gcd(x ; y ) = Z ^ y = 0
f logic; substitution y = 0g
) x > 0 ^ gcd(x ; 0) = Z
f gcd(x ; 0) = x g
) Q : x = Z
6 / 36
Up to here:
P :x > 0^y > 0 ^ gcd(x ; y ) = Z

J :x > 0^y 0 ^ gcd(x ; y ) = Z
B :y 6= 0
2 Initialization: Find a command T0 such that fP g T0 fJ g.

Because y > 0 ) y 0, we have P ) J .
Therefore, initialization is not necessary, and T0 = skip.
3 Variant function: Choose a vf 2 Z and prove J ^ B ) vf 0
Since J ensures y 0, we can simply choose vf = y.
Clearly, we have: J ^ B ) J ) y 0 vf 0.
7 / 36
4 Body: Find S such that fJ ^ B ^ vf = V g S fJ ^ vf < Vg
f J ^ B ^ vf = Vg
f J ^ vf < Vg
8 / 36
fJ ^ B ^ vf = V g
(* definitions J , B , and vf *)
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
(* recurrence; y > 0 ) gcd(x ; y ) = gcd(y ; x mod y ) *)
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
fy > 0 ^ gcd(y ; x mod y ) = Z ^ 0 x mod y < y = V g
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
m := x mod y ;
fy > 0 ^ gcd(y ; m ) = Z ^ 0 m < y = V g
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
m := x mod y ;
fy > 0 ^ gcd(y ; m ) = Z ^ 0 m < y = V g
(* logic *)
fy > 0 ^ gcd(y ; m ) = Z ^ m 0 ^ m < V g
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
m := x mod y ;
fy > 0 ^ gcd(y ; m ) = Z ^ 0 m < y = V g
(* logic *)
fy > 0 ^ gcd(y ; m ) = Z ^ m 0 ^ m < V g
x := y ;
fx > 0 ^ gcd(x ; m ) = Z ^ m 0 ^ m < V g
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
m := x mod y ;
fy > 0 ^ gcd(y ; m ) = Z ^ 0 m < y = V g
(* logic *)
fy > 0 ^ gcd(y ; m ) = Z ^ m 0 ^ m < V g
x := y ;
fx > 0 ^ gcd(x ; m ) = Z ^ m 0 ^ m < V g
y := m ;
fx > 0 ^ gcd(x ; y ) = Z ^ y 0 ^ y < V g
f J ^ vf < Vg 8 / 36
fJ ^ B ^ vf = V g
fx > 0 ^ y 0 ^ gcd(x ; y ) = Z ^ y 6= 0^y = Vg
| {z }
J
m := x mod y ;
fy > 0 ^ gcd(y ; m ) = Z ^ 0 m < y = V g
(* logic *)
fy > 0 ^ gcd(y ; m ) = Z ^ m 0 ^ m < V g
x := y ;
fx > 0 ^ gcd(x ; m ) = Z ^ m 0 ^ m < V g
y := m ;
fx > 0 ^ gcd(x ; y ) = Z ^ y 0 ^ y < V g
(* definitions J and vf *)
fJ ^ vf < V g
8 / 36
5 We found the following program fragment (Euclid’s algorithm):

var x ; y ; m : Z;
fP : x > 0 ^ y > 0 ^ gcd(x ; y ) = Z g
fJ : x > 0 ^ y 0 ^ gcd(x ; y ) = Z g
(* vf = y *)
while y 6= 0 do
m := x mod y ;
x := y ;
y := m ;
end;
fQ : x = Z g
9 / 36
Outline
From Last Lecture


Exercise 6.5
Exercise 6.7

Examples
10 / 36
Proof rule: while-loop
Recall the proof rule for while-loops:
J ^ B ) vf 0 fJ ^ B ^ vf = V g S fJ ^ vf
< Vg
fJ g while B do S end fJ ^ :B g
11 / 36
12 / 36
12 / 36
12 / 36
P g T0 fJ g
f
12 / 36
P g T0 fJ g
f

J ^ B ) vf 0
12 / 36
P g T0 fJ g
f

J ^ B ) vf 0
f J ^ B ^ vf = V g S fJ ^ vf < Vg
12 / 36
P g T0 fJ g
f

J ^ B ) vf 0
f J ^ B ^ vf = V g S fJ ^ vf < Vg
5 Conclude that
f P g T0 ; while B do S end fQ g
12 / 36
(Active) Initialization
I In general, we need a command T0 to establish the initial
validity of the invariant: fP g T0 fJ g.
I If P ) J then T0 = skip (e.g. Euclid’s algorithm)
I Otherwise, if P 6) J then we need an (active) initialization
command T0 .
13 / 36
(Active) Initialization
I In general, we need a command T0 to establish the initial
validity of the invariant: fP g T0 fJ g.
I If P ) J then T0 = skip (e.g. Euclid’s algorithm)
I Otherwise, if P 6) J then we need an (active) initialization
command T0 .
Active Finalization
I Similarly, if J ^ :B ) Q1 but J ^ :B 6) Q, then we need a
command T1 that establishes the postcondition: fQ1 g T1 fQ g.
I In this case, we call T1 an active finalization.
13 / 36
A Generalized Rule
fP g T0 fJ g fQ1 g T1 fQ g
J ^ B ) vf 0 fJ ^ B ^ vf = V g S fJ ^ vf < V g
fP g T0 ; fJ g while B do S end; fQ1 g T1 ; fQ g
Specific cases:
I If T0 = skip then initialization is not necessary
(and we may need to show that P ) J ).
I If T1 = skip then active finalization is not necessary
(and we may need to show that Q1 ) Q).
14 / 36
Plan
Rest of Today:
I Exercises 6.5 and 6.7: loops with initialization and finalization.
I Some heuristics for finding a good invariant.
Next week:
I More on recurrence relations (Monday)
I No lecture on Thursday
15 / 36
Exercise 6.5
The function f is defined by the recurrence:
y 0 ) f (y ; z ) = z
y > 0 ) f (y ; z ) = 10 f (y div 10; z ) + y mod 10
Find a command S that satisfies the specification:
var y ; z : Z;
fP : Z = f (y ; z )g
S
fQ : Z = z g
Use active finalization, auxiliary variables m and n, and
J : Z = m f (y ; z ) + n
16 / 36
Exercise 6.5: Initialization
y 0 ) f (y ; z ) = z
y > 0 ) f (y ; z ) = 10 f (y div 10; z ) + y mod 10
P :Z = f (y ; z )
J :Z = m f (y ; z ) + n
Q :Z = z
Because P 6) J , we need initialization, but it is easy:
fP : Z = f (y ; z )g
(* calculus *)
fZ = 1 f (y ; z ) + 0g
m := 1; n := 0;
fJ : Z = m f (y ; z ) + n g
17 / 36
Exercise 6.5: Guard
y 0 ) f (y ; z ) = z
y > 0 ) f (y ; z ) = 10 f (y div 10; z ) + y mod 10
P :Z = f (y ; z )
J :Z = m f (y ; z ) + n
Q :Z = z
We now define the guard B . We know f (y ; z ) directly if y 0.
Therefore, we choose B to be :(y 0), i.e. B : y > 0.
18 / 36
Exercise 6.5: Guard
y 0 ) f (y ; z ) = z
y > 0 ) f (y ; z ) = 10 f (y div 10; z ) + y mod 10
P :Z = f (y ; z )
J :Z = m f (y ; z ) + n
Q :Z = z
We now define the guard B . We know f (y ; z ) directly if y 0.
Therefore, we choose B to be :(y 0), i.e. B : y > 0.
Given this, J ^: B 6) Q and so we need active finalization:
fJ ^ :B g
fZ = m f (y ; z ) + n ^ y 0g
(* definition f *)
fZ = m z + n g
z := m z + n ;
fQ : Z = z g
18 / 36
Exercise 6.5: Variant and Body
Because B : y > 0, we need to decrease y until y 0.
We choose vf = y 2 Z. Clearly, B vf > 0 and J ^ B ) vf 0.
19 / 36
For the body of the loop we find:
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0^y = Vg
fJ ^ vf < Vg
19 / 36
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0 ^ y = V g
(* definition f ; y = V > 0 ) y div 10 < V *)
fZ = m (10 f (y div 10; z ) + y mod 10) + n ^ y div 10 < V g
fJ ^ vf < Vg
19 / 36
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0 ^ y = V g
(* calculus *)
fZ = 10 m f (y div 10; z ) + m (y mod 10) + n ^ y div 10 < V g
fJ ^ vf < Vg
19 / 36
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0 ^ y = V g
(* calculus *)
n := m (y mod 10) + n ;
fZ = 10 m f (y div 10; z ) + n ^ y div 10 < V g
f J ^ vf < Vg
19 / 36
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0 ^ y = V g
(* calculus *)
n := m (y mod 10) + n ;
m := 10 m ;
fZ = m f (y div 10; z ) + n ^ y div 10 < V g
f J ^ vf < Vg
19 / 36
fJ ^ B ^ vf = V g
fZ = m f (y ; z ) + n ^ y > 0 ^ y = V g
(* calculus *)
n := m (y mod 10) + n ;
m := 10 m ;
fZ = m f (y div 10; z ) + n ^ y div 10 < V g
y := y div 10;
fZ = m f (y ; z ) + n ^ y < V g
fJ ^ vf < V g
19 / 36
Exercise 6.5: Conclusion
Using active initialization and finalization, we derived the following
program fragment:
var n ; m ; y ; z : Z;
fP : Z = f (y ; z )g
m := 1;
n := 0;
fJ : Z = m f (y ; z ) + n g
(* vf = y *)
while y > 0 do
n := m (y mod 10) + n ;
m := 10 m ;
y := y div 10;
end;
z := m z + n ;
fQ : z = Z g
20 / 36
Exercise 6.7
The function h is defined by the recurrence:
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
Find a command S that satisfies the following specification:
var n ; x : Z;
fP : n 0 ^ Z = h (n )g
S
fQ : Z = x g
21 / 36
Exercise 6.7
The function h is defined by the recurrence:
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
Find a command S that satisfies the following specification:
var n ; x : Z;
fP : n 0 ^ Z = h (n )g
S
fQ : Z = x g
Introduce a variable y and use the invariant
J : Z = y h (n ) + x ^ n 0
21 / 36
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
P :n 0^Z = h (n )
J :Z = y h (n ) + x ^ n 0
Because P 6) J , we need initialization,
22 / 36
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
P :n 0^Z = h (n )
J :Z = y h (n ) + x ^ n 0
Because P 6) J , we need initialization, but it is easy:
f P : Z = h (n ) ^ n 0g
(* calculus *)
f Z = 1 h ( n ) + 0 ^ n 0g
x := 0; y := 1;
fJ : Z = y h (n ) + x ^ n 0g
22 / 36
Exercise 6.7: Guard and Variant
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
Q :Z = x
J : Z = y h (n ) + x ^ n 0
We now define the guard B . We know h (n ) directly if n = 0.
Therefore, we choose B : n 6= 0.
23 / 36
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
Q :Z = x
J : Z = y h (n ) + x ^ n 0
Therefore, we choose B : n 6= 0. We check that J ^ :B ) Q:
J ^: B = Z = y h (n ) + x ^ n 0^n = 0
(* h (0) = 0 and logic *)
) Z = y 0+x
(* calculus *)
Z = x
23 / 36
h (0) = 0
n > 0 ) h (n ) = 5 h (n div 3) + n mod 4
Q :Z = x
J : Z = y h (n ) + x ^ n 0
Therefore, we choose B : n 6= 0. We check that J ^ :B ) Q:
J ^: B = Z = y h (n ) + x ^ n 0^n = 0
(* h (0) = 0 and logic *)
) Z = y 0+x
(* calculus *)
Z = x
As J gives n 0 and B : n 6= 0, we need to decrease n until n = 0.

We choose vf = n 2 Z. Clearly, J ^ B ) vf 0.
23 / 36
Exercise 6.7: Body of the Loop
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0^n 6= 0^n = Vg
fJ ^ vf < Vg
24 / 36
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0 ^ n 6= 0 ^ n = V g
(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)

fZ = y (5 h (n div 3) + n mod 4) + x ^ 0 n div 3 < V g
fJ ^ vf < Vg
24 / 36
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0 ^ n 6= 0 ^ n = V g

(* calculus *)
fZ = 5 y h (n div 3) + y (n mod 4) + x ^ 0 n div 3 < V g
fJ ^ vf < Vg
24 / 36
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0 ^ n 6= 0 ^ n = V g

(* calculus *)
x := y (n mod 4) + x ;
fZ = 5 y h (n div 3) + x ^ 0 n div 3 < V g
fJ ^ vf < Vg
24 / 36
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0 ^ n 6= 0 ^ n = V g

(* calculus *)
x := y (n mod 4) + x ;
y := 5 y ;
fZ = y h (n div 3) + x ^ 0 n div 3 < V g
fJ ^ vf < Vg
24 / 36
fJ ^ B ^ vf = V g
fZ = y h (n ) + x ^ n 0 ^ n 6= 0 ^ n = V g

(* calculus *)
x := y (n mod 4) + x ;
y := 5 y ;
fZ = y h (n div 3) + x ^ 0 n div 3 < V g
n := n div 3;
fZ = y h (n ) + x ^ 0 n < V g
fJ ^ vf < V g
24 / 36
Exercise 6.7: Conclusion
Using initialization, we derived the following program fragment:
var x ; y ; n : Z;
fP : Z = h (n ) ^ n 0g
x := 0;
y := 1;
fJ : Z = y h (n ) + x ^ n 0g
(* vf = n *)
while n 6= 0 do
x := y (n mod 4) + x ;
y := 5 y ;
n := n div 3;
end;
fQ : x = Z g
25 / 36
Outline
From Last Lecture


Exercise 6.5
Exercise 6.7

Examples
26 / 36
I Imagine you interrupt the loop, open it up, and take a snapshot:
- What would you observe? (variables, predicates)
- What is key to the loop’s operation?
27 / 36
I Imagine you interrupt the loop, open it up, and take a snapshot:
- What would you observe? (variables, predicates)
- What is key to the loop’s operation?
I Informally, J should be a predicate that is ‘in between’ P and Q.
I Not too weak (uninformative/useless), but
not too strong (hard to initialize and restore).
I Rule of thumb: Use a predicate that can easily be initialized,
and is obtained by weakening the postcondition Q.
I Choose the guard B such that J ^ :B ) Q.
27 / 36
I If Q is of the form Q0 ^ Q1 , then it could be useful to try to

isolate one conjunct as in J Q0 and B :Q1 (or vice versa).
I Clearly, J must be easy to initialize, and B must be a valid test
(i.e. without specification constants).
I Sometimes Q appears to be a single conjunct while it still can
be expressed as two conjuncts.
Example: x < y can be expressed as x y ^ x 6= y.
28 / 36
Heuristic: Replace expression by variable
I If Q contains an expression E , then J could be defined by

replacing some (or all) occurrences of E in Q by a new
variable i . This way, J ^ i = E ) Q.
I The guard must then be B i 6= E and should not contain any
specification constants.
I It is a good practice to augment J with some conjunct that
indicates which range of values i may attain.
29 / 36
A special case of the previous heuristic.

I If Q contains a constant n then we could define J by
replacing some (or all) occurrences of n in Q by a new variable
i , such that J ^ i = n ) Q.
I Clearly, the guard must be B i 6= n.
I Again, it is good practice to augment J with some conjunct that
30 / 36
Heuristic: Split a variable
A special case of the special case.

I If Q contains several occurrences of a variable k , then J could
be defined by replacing some (but not all) occurrences of k in Q
by a new variable i , such that J ^ i = k ) Q.
I Again, the guard must be B i 6= k .
I Again, it is good practice to augment J with some conjunct that
31 / 36
Suppose a precondition P and a (post-regular) postcondition Q:
P :X = E
Q :x = X
Often, we can find a suitable J by generalizing E in P to some

expression E0 .
I Example 1: J : X = x + E where :B ) E = 0.
I Example 2: J : X = x E where :B ) E = 1.
One could argue that this is similar to the heuristic “Replace

constant by a variable” applied to the precondition:
I Example 1: P : X = 0 + E
I Example 2: P : X = 1E
32 / 36
Outline
From Last Lecture


Exercise 6.5
Exercise 6.7

Examples
33 / 36
Examples: Exponentiation
Recall the following specification:
const x : R;
var y : R; n : Z;
fP : n 0 ^ x
n = Yg
S
fQ : y = Y g
We found the invariant (and guard) by generalization:
J :n 0 ^ y xn = Y
B :n 6= 0
34 / 36
Examples: Powers of 2
Recall the following specification:
const x : Z;
var i ; y : Z;
fP : x > 0g
T
fQ : x < y 2 x ^ y = 2i g
We found the invariant (and guard) by conjunct-splitting Q:
J :y 2x ^ y = 2i
B :x y
35 / 36
The End
I We have covered until Section 7.3 of the reader
I Next time:
Deriving recurrence relations for exercises in Chapter 7
36 / 36

Program Correctness: Jorge A. Pérez

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Program Correctness: Jorge A. Pérez

Uploaded by

Copyright:

Available Formats

Program Correctness

Bernoulli Institute for Mathematics, Computer Science, and AI

February 16, 2023

From Last Lecture

Initialization and Active Finalization

How to find a good invariant?

3 Variant function: Choose a vf 2 Z and prove

We consider the following specification for computing the greatest

Before we derive an algorithm, recall that if x ; y 2 Z and y > 0, then

(x = y (x div y ) + x mod y ) ^ 0  x mod y < y

Before we derive an algorithm, recall that if x ; y 2 Z and y > 0, then

(x = y (x div y ) + x mod y ) ^ 0  x mod y < y

Also, if z divides y, then (z divides i y + j)  (z divides j ).

Before we derive an algorithm, recall that if x ; y 2 Z and y > 0, then

(x = y (x div y ) + x mod y ) ^ 0  x mod y < y

Also, if z divides y, then (z divides i y + j)  (z divides j ).

Before we derive an algorithm, recall that if x ; y 2 Z and y > 0, then

(x = y (x div y ) + x mod y ) ^ 0  x mod y < y

Also, if z divides y, then (z divides i y + j)  (z divides j ).

We can therefore use the recurrence:

P :x > 0^y > 0 ^ gcd(x ; y ) = Z

2 Initialization: Find a command T0 such that fP g T0 fJ g.

5 We found the following program fragment (Euclid’s algorithm):

From Last Lecture

Initialization and Active Finalization

How to find a good invariant?

Recall the proof rule for while-loops:

3 Variant function: Choose a vf 2 Z and prove

3 Variant function: Choose a vf 2 Z and prove

3 Variant function: Choose a vf 2 Z and prove

The function f is defined by the recurrence:

Find a command S that satisfies the specification:

Use active finalization, auxiliary variables m and n, and

The function h is defined by the recurrence:

Find a command S that satisfies the following specification:

The function h is defined by the recurrence:

Find a command S that satisfies the following specification:

Introduce a variable y and use the invariant

As J gives n  0 and B : n 6= 0, we need to decrease n until n = 0.

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0  n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0  n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0  n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0  n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0  n div 3 < n *)

Using initialization, we derived the following program fragment:

From Last Lecture

Initialization and Active Finalization

How to find a good invariant?

I If Q is of the form Q0 ^ Q1 , then it could be useful to try to

I If Q contains an expression E , then J could be defined by

A special case of the previous heuristic.

A special case of the special case.

Suppose a precondition P and a (post-regular) postcondition Q:

Often, we can find a suitable J by generalizing E in P to some

One could argue that this is similar to the heuristic “Replace

From Last Lecture

Initialization and Active Finalization

How to find a good invariant?

Recall the following specification:

We found the invariant (and guard) by generalization:

Recall the following specification:

We found the invariant (and guard) by conjunct-splitting Q:

(x = y (x div y ) + x mod y ) ^ 0 x mod y < y

(x = y (x div y ) + x mod y ) ^ 0 x mod y < y

Also, if z divides y, then (z divides i y + j) (z divides j ).

(x = y (x div y ) + x mod y ) ^ 0 x mod y < y

Also, if z divides y, then (z divides i y + j) (z divides j ).

(x = y (x div y ) + x mod y ) ^ 0 x mod y < y

Also, if z divides y, then (z divides i y + j) (z divides j ).

As J gives n 0 and B : n 6= 0, we need to decrease n until n = 0.

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)

(* n > 0 ) h (n ) = 5 h (n div 3) + n mod 4 ^ 0 n div 3 < n *)