#7 formal methods – loop proof examples

Prepared by: Sharif Omar Salem – [email protected]

1

Prepared by: Sharif Omar Salem – [email protected] by: Sharif Omar Salem – [email protected]

Formal Methods:Loop proof using induction method

Example


Induction reasoning

2

We will add two important induction principles to our rules. Those principles are very

important when dealing with integers especially positive integers.

• First Principle:

Second Principle:

• Major difference is in the second statement.

– Use the second principle when assuming P(k) is not enough to prove P(k+1).

– Assuming P(r) for any r where 1 r k gives more ammunition to prove the relation.


Loop proof using induction reasoning

3

The pattern for a loop function is as the diagram.

And The Hoare triple rule for iteration is

{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧￢ B}


4


Example : Prove the Euclidean algorithm finds the greatest common divisor of two positive integers a and b, using induction method?

• The greatest common divisor of a and b, denoted by gcd(a, b), is the largest integer n such that a/n and b/n. For example, gcd(12, 18) = 6 and gcd(420, 66) = 6.

• The Euclidean algorithm works by a succession of divisions. To find gcd(a, b)– assuming a >= b, so “a” is the dividend and “b” is the divisor– you first divide a by b, getting a quotient and a remainder.– Next, you divide the divisor, b, by the remainder (means the previous

divisor become the new dividend and the previous reminder become the new divisor) and keep doing this until the remainder is 0, at This point the greatest common divisor is the last divisor used.


5



6



7

• Theorem {Q} while (B) {P} {Q≔ ∧￢ B} gcd(a,b)• Loop condition (B) (remainder is not 0) (j != 0 )≔ ≔Solution Steps: (Four Steps)Step 1: From Loop description find some definitions for the relation between

variables.Definitions: • The greatest common divisor of any two integers (dividend i and divisor j) is

equal to the greatest common advisor of the divisor j and remaining r ≔ gcd(i, j) = gcd(j, r)

• At every iteration The greatest common divisor of temporary dividend i and divisor j is equal to the greatest common divisor of original two integers a & b

≔ gcd(i, j) = gcd(a, b)



8


Step 2: Define the loop invariant.Loop invariant: Define the loop invariant which is true before and after the loop and relate all the

variables inside the program. In our case it isQ gcd(i, j) = gcd(a, b)≔

Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we use induction to prove:

Proof:Q(n) gcd(i≔ n, jn) = gcd(a, b) for all n 0.


9


− Q(0) is gcd(i0, j0) = gcd(a, b) is true because when we first get to the loop statement, i and j have the values a and b.

– Assume Q(k): gcd(ik, jk) = gcd(a, b).– Show Q(k + 1): gcd(ik + 1, jk + 1) = gcd(a, b). – By the assignment statements within the loop body, we know that

• ik + 1 = jk • jk + 1 = rk

– Then, by the additional fact on the previous slide:– gcd(ik + 1, jk + 1) = gcd(jk, rk) = gcd(ik, jk)– By the inductive hypothesis, the above is equal to gcd(a, b)


10


Step 4: Now we have to prove that at loop termination the post condition will imply to the conclusion.

Termination + Loop Invariant = Goal At loop termination

• gcd(i, j) = gcd(a, b) and j = 0,• so gcd(i, 0) = gcd(a, b). • But gcd(i, 0) is i, so i = gcd(a, b).

As we prove that Q is valid for all cases inside the loop and the loop termination imply to the conclusion. Therefore, function GCD is correct.


11


End of Lecture


12


Next Lecture:ProLogic

#7 formal methods – loop proof examples

Education