#6 formal methods – loop proof using induction method
Post on 15-Feb-2017
435 Views
Preview:
TRANSCRIPT
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Formal Methods:Loop proof using induction
method
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Loop Invariant
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Why to use it ??? It is hard to keep track of what is happening with loops. Loops which don't terminate or terminate without achieving their goal behavior is a common problem in computer programming. Loop invariants help.
A loop invariant is a relation among program variables that is true when control enters a loop,
remains true each time the program executes the body of the loop, and is still true when control exits the loop.
Understanding loop invariants can help us analyze programs, check for errors, and derive programs from specifications.
Definition
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Invariant and Loops
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
The point of Loop Invariants is the promise that the invariant will be restored before repeating the loop body each time.
There are two advantages to this: Work is not carried forward to the next pass in complicated, data dependent
ways. Each pass through the loop in independent of all others, with the invariant serving to bind the passes together into a working whole.
Reasoning that your loop works is reduced to reasoning that the loop invariant is restored with each pass through the loop. This breaks the complicated overall behavior of the loop into small simple steps, each which can be considered separately.
More details ….
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
You consider separately two things: why the loop should ever terminate, and why the loop achieves its goal when it terminates.
The loop will terminate if each time through the loop you move closer to satisfying the termination condition. It is often easy to assure this: e.g. stepping a counter variable by one until it reaches a fixed upper limit. Sometimes the reasoning behind termination is more difficult.
The loop invariant should be created so that when the condition of termination is attained, and the invariant is true, then the goal is reached:
invariant + termination => goal
More details ….
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Example: Find the index of the minimum value in an array of integers.Here is the general idea. Let us call the array A[n], which has n elements in it.
a[0], a[1], a[2], ……………………………………………….. , a[n-1]Index of Min. Value of Array with n elements IMA[n] = m is our goal.≔We keep two variables, i and s,
i index of the next element to check.≔ s Index of the smallest element till this step (so far)≔
we initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison shows a smaller value, we update s=i.
Each time through the loop we increment i by one, and fix s to i:
Loop Invariant Example
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Two main questions must be answered:What is the termination condition of the loop?
It is clear that loop stop when we reach the last element means i = n, so the test condition is i < n.
What is the loop invariant?At any time we will have an array A[i] such that IMA[i] = s.This means for any element k inside the array A[i] , a[s] =< a[k]
Loop Invariant Example
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Check that the Loop Invariant is setup true by the initialization s and ICheck that each time through the loop, the Loop Invariant is true. Check that headway towards termination is being made (i is always incremented in the loop body). Check that termination plus loop invariant equals goal attained.
Loop Invariant Example
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
induction method
10
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
We will add two important induction principles to our rules. Those principles are very important
when dealing with integers especially positive integers.
First Principle:
Second Principle:
Major difference is in the second statement.
Use the second principle when assuming P(k) is not enough to prove P(k+1).
Assuming P(r) for any r where 1 r k gives more ammunition to prove the relation.
Induction reasoning
11
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
The pattern for a loop function is as the diagram.
And The Hoare triple rule for iteration is
Loop proof using induction reasoning
12
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q∧¬ B}
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Example: Prove the Euclidean algorithm finds the index of the minimum value in an array of positive integers A[n]. using induction method?
The Index of the minimum value in an array A of n integers, denoted by
IMV(An), is the index of the minimum integer r such that r ≤ k where k is any integer of the array.
For example, If we have the array A[5] { 5, 10, 3, 7, 12 } , Then ≔IMV(A5) = 2. The min. integer is the element a(2) = 3 and a(2) ≤ a(i) where 0 ≤ i < 5.
Loop proof using induction reasoning
13
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Loop Description:Here is the general idea. Let us call the array A[n], which has n elements in it.
a[0], a[1], a[2], ……………………………………………….. , a[n-1]We keep two variables, i and s, i index of the next element to check and s Index of ≔ ≔
the smallest element till this step (so far)We initially make s = 0 and i =1, and compare a[i] against a[s] if the current comparison
shows a smaller value, we update s=i.Each time through the loop we increment i by one, and fix s.
if ( a[i] < a[s] ) { s = i ; } i ++ ;Condition of the loop: It is clear that loop stop when we reach the last element means i = n, so the test condition is i < n.
Loop proof using induction reasoning
14
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Loop proof using induction reasoning
15
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Solution Steps: (Four Steps)
Step 1: From Loop description find some definitions for the relation between variables.Definitions: The goal is Index of min value ,denoted by IMV(An), could have any value as the predicate
0 ≤ IMV(An) < n. Every iteration, there will be a new temporary array with a temporary IMV value, where
IMV(Ai) ≤ IMV(An), where i is the number of element of the temporary array under check.And it is clear that the index of min. value of next array checked is greater or equal to the
previous one from the previous iteration, that means. IMV(Ai) ≤ IMV(Ai++)
Step 2: Define the loop invariant.Loop invariant:Define the loop invariant which is true before and after the loop and relate all the variables
inside the program. In our case it is: IMV(Ai) ≤ IMV(An)
Loop proof using induction reasoning
16
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we use induction to prove:
Proof: Q(0) IMV(A1) ≤ IMV(An) .When we first get to the loop statement, i=1.≔
An array A[1] have one element which is a(0) means IMV(A1) = 0, Which match with the first definition.so Q(0) is true.
Assume Q(k) IMV(Ak) ≤ IMV(An) is True. ………… Inductive hypothesis.≔Then prove that Q(k + 1) IMV(A(k+1)) ≤ IMV(An) is true also.≔We begin by left side and conclude right side (P Q) IMV(A(k+1)) ………. is the hypothesis and
From definitions IMV(A) ≤ IMV(Ai++) ,the result is IMV(Ak) ≤ IMV(A(k+1))………. And
From the inductive hypothesis IMV(Ak) ≤ IMV(An), the result is IMV(A(k+1)) ≤ IMV(An) is True , So Q(k + 1) is proved.
Loop proof using induction reasoning
17
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Step 4: Now we have to prove that at loop termination the post condition will imply to the conclusion.
Termination + Loop Invariant = Goal As(i=n) so IMV(Ai) = IMV(An) which is the goal.
As we prove that Q is valid for all cases inside the loop and the loop termination imply to the conclusion. Therefore, function IMV is correct.
Loop proof using induction reasoning
18
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
19
Example : Prove the Euclidean algorithm finds the greatest common divisor of two positive integers a and b, using induction method?
The greatest common divisor of a and b, denoted by gcd(a, b), is the largest integer n such that a/n and b/n. For example, gcd(12, 18) = 6 and gcd(420, 66) = 6.
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
20
The Euclidean algorithm works by a succession of divisions. To find gcd(a, b)assuming a >= b, so “a” is the dividend and “b” is the divisoryou first divide a by b, getting a quotient and a remainder.Next, you divide the divisor, b, by the remainder (means the previous
divisor become the new dividend and the previous reminder become the new divisor) and keep doing this until the remainder is 0, at This point the greatest common divisor is the last divisor used.
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
21
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
22
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
23
Theorem {Q} while (B) {P} {Q≔ ∧¬ B} gcd(a,b)Loop condition (B) (remainder is not 0) (j != 0 )≔ ≔Solution Steps: (Four Steps)Step 1: From Loop description find some definitions for the relation between variables.Definitions: The greatest common divisor of any two integers (dividend i and divisor j) is equal to the
greatest common advisor of the divisor j and remaining r ≔ gcd(i, j) = gcd(j, r)
At every iteration The greatest common divisor of temporary dividend i and divisor j is equal to the greatest common divisor of original two integers a & b
≔ gcd(i, j) = gcd(a, b)
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
24
Step 2: Define the loop invariant.Loop invariant: Define the loop invariant which is true before and after the loop and relate all the variables
inside the program. In our case it isQ gcd(i, j) = gcd(a, b)≔
Step 3: Now we have to prove that Q is valid for all cases possible inside the loop. So, we use induction to prove:
Proof:Q(n) gcd(i≔ n, jn) = gcd(a, b) for all n 0.
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
25
− Q(0) is gcd(i0, j0) = gcd(a, b) is true because when we first get to the loop statement, i and j have the values a and b.
Assume Q(k): gcd(ik, jk) = gcd(a, b).Show Q(k + 1): gcd(ik + 1, jk + 1) = gcd(a, b). By the assignment statements within the loop body, we know that
ik + 1 = jk jk + 1 = rk
Then, by the additional fact on the previous slide:gcd(ik + 1, jk + 1) = gcd(jk, rk) = gcd(ik, jk)By the inductive hypothesis, the above is equal to gcd(a, b)
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
26
Step 4: Now we have to prove that at loop termination the post condition will imply to the conclusion.
Termination + Loop Invariant = Goal At loop termination
gcd(i, j) = gcd(a, b) and j = 0, so gcd(i, 0) = gcd(a, b). But gcd(i, 0) is i, so i = gcd(a, b).
As we prove that Q is valid for all cases inside the loop and the loop termination imply to the conclusion. Therefore, function GCD is correct.
Loop proof using induction reasoning
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
27
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
End of Lecture
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
28
Prepared by: Sharif Omar Salem – ssalemg@gmail.com
Next Lecture:Loop proof - Examples
top related