1 Constructing Loops Roland Backhouse April 30, 2001
2 Outline • The do-od statement • Invariants and Bound Functions • Examples
3 The do-od statement The statement denoted by while {b} do S in Java, or while b do S in Pascal is denoted here by do b → S od .
4 Multiple Guards The notation do b 1 → S 1 b 2 → S 2 ✷ . . . ✷ b n → S n ✷ od , where the b ’s are boolean-valued expressions and the S ’s are statements, denotes a program that is executed by iterating the process of choosing an i such that the guard b i evaluates to true and then executing the statement S i . If none of the guards evaluates to true then execution terminates. (Note that nondeterminism is allowed; it may be that more than one guard evaluates to true in which case an arbitrary choice is made as to which statement to execute.) We call a statement of this form a loop .
5 Example The statement do m <n → d,m := d + 1 ,m + 1 m >n → d,n := d + 1 ,n + 1 ✷ od adds to the initial value of d the absolute difference between (integer) variables m and n , resetting m and n in the process to the maximum of their initial values.
6 Multiple to Single Allowing multiple guards does not increase the power of the language since do b 1 → S 1 ✷ . . . ✷ b n → S n od is equivalent to do b 1 ∨ . . . ∨ b n → if b 1 → S 1 ✷ . . . ✷ b n → S n fi od . So loops with multiple guards are easily rewritten as while statements. But, as in the case of conditional statements, multiple guards improve readability as well as helping to avoid error.
7 Invariants and Bound Functions When constructing loops the notions of an invariant property and a bound function are crucial. Loops are designed so that each iteration of the loop body maintains the invariant whilst making progress to the required postcondition by always decreasing the bound function. Designing Loops Suppose a problem is specified by precondition P and postcondition Q . We design a loop to meet this specification by identifying an invariant property inv and a bound function bf .
8 The Bound Function The bound function is a measure of the size of the problem to be solved. It is required to be an integer-valued function of the program variables that is guaranteed to be at least zero when the loop is executed. A guarantee that the value of such a bound function is always decreased at each iteration is a guarantee that the number of times the loop body is executed is at most the initial value of the bound function.
9 The Invariant Property The invariant property is designed by generalising the required postcondition. Split the postcondition Q into a termination condition, done , and the invariant property inv in such a way that done ∧ inv ⇒ Q . (1) Often the termination condition is equivalent to the value of the bound function being zero. The invariant property is chosen so that it is easy to design an initialisation statement S that establishes the invariant property inv . That is, we design S such that { P } S { inv } . (2)
10 The invariant should also guarantee that the value of the bound function is at least zero. That is, inv ⇒ bf ≥ 0 . (3) The design is completed by constructing a loop body T that maintains the invariant whilst making progress towards the termination condition. That is, using the ghost variable C to relate the values of the bound function before and after execution of T , we design T to satisfy the specification { inv ∧ ¬ done ∧ bf = C } T { inv ∧ bf < C } . (4)
11 If the termination condition, done , the bound function, bf , the invariant, inv , and the loop body, T , have all been constructed so as to satisfy (1) and (4) it is the case that { inv } do ¬ done → T od { Q } . (5) Moreover, if statement S has been constructed to satisfy (2), we can use the rule of sequential composition to infer that { P } S ; do ¬ done → T od { Q } . (6)
12 Summary The task is to construct S , done and T to meet the specification { P } S ; do ¬ done → T od { Q } . We do this with the aid of an invariant inv and a bound function bf . The invariant and termination condition are chosen so that: (7) done ∧ inv ⇒ Q , so that the invariant can be established by the initialisation statement S : { P } S { inv } , (8) and so that the loop body T can be constructed guaranteeing progress towards the termination condition whilst maintaining the invariant: { inv ∧ ¬ done ∧ bf = C } T { inv ∧ bf < C } . (9) Finally the invariant should guarantee that the bound function never falls below zero. inv ⇒ bf ≥ 0 . (10)
13 Summing the Elements of an Array Suppose 0 ≤ N and it is required to compute � Σi | 0 ≤ i<N : a i � . The obvious solution is to introduce a variable s and assign to s successively 0 , a 0 , a 0 + a 1 , a 0 + a 1 + a 2 , and so on. Using index variable k to count the number of values that have been added, the invariant property is 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i <k : a i � , and the termination condition is k = N . The appropriate initialisation is the assignment k,s := 0,0 and the bound function is N − k . Maintaining the invariant property whilst making progress towards the termination condition is achieved by the assignment k,s := k + 1 ,s + a k .
14 The Program { 0 ≤ N } k,s := 0,0 ; 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i<k : a i � { Invariant: Bound function: N − k } do k <N → k,s := k + 1 ,s + a k od { s = � Σi | 0 ≤ i <N : a i � }
15 Verifying Correctness Termination Condition (7) k ≥ N ∧ 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i <k : a i � ⇒ s = � Σi | 0 ≤ i <N : a i � . Initialisation (8) { 0 ≤ N } k,s := 0,0 { 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i<k : a i � } . Loop Body (9) { 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i <k : a i � ∧ k <N ∧ N − k = C } k,s := k + 1 ,s + a k { 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i <k : a i � ∧ N − k < C } . Bound Function (10) 0 ≤ k ≤ N ∧ s = � Σi | 0 ≤ i <k : a i � ⇒ N − k ≥ 0 .
16 Evaluating a Polynomial Suppose we are required to evaluate Σi | 0 ≤ i <N : a i × X i � � for given real number X and array a . Horner’s rule involves computing the values a N − 1 a N − 1 × X + a N − 2 ( a N − 1 × X + a N − 2 ) × X + a N − 3 etc.
17 Evaluating a Polynomial (Continued) Horner’s rule maintains invariant the property 0 ≤ k ≤ N ∧ s × X k = Σi | k ≤ i <N : a i × X i � � . This property is established initially by the assignment k,s := N,0 and the required postcondition is satisfied when k = 0 . We calculate that 0 <k ≤ N ∧ s × X k = � Σi | k ≤ i <N : a i × X i � ∧ S = s × X + a k − 1 ⇒ 0 ≤ k − 1 ≤ N ∧ S × X k − 1 = � Σi | k − 1 ≤ i<N : a i × X i � . So the loop body is k,s := k − 1 , s × X + a k − 1 .
18 Evaluating a Polynomial (Continued) The complete algorithm is thus: { 0 ≤ N } k,s := N,0 ; 0 ≤ k ≤ N ∧ s × X k = � Σi | k ≤ i<N : a i × X i � { Invariant: k } Bound function: do k >0 → k,s := k − 1 , s × X + a k − 1 od � Σi | 0 ≤ i <N : a i × X i � { s = }
19 Evaluating Powers Using Horner’s Rule evaluate X M for M ≥ 0 . Suppose the binary Problem : representation of M is stored in the array a . Specifically we assume that Σi | 0 ≤ i <N : a i × 2 i � � (11) M = where �∀ i | 0 ≤ i <N : a i = 0 ∨ a i = 1 � . Then Horner’s rule suggests the computation in order of X a N − 1 X a N − 1 × 2 + a N − 2 X ( a N − 1 × 2 + a N − 2 ) × 2 + a N − 3 and so on.
20 Evaluating Powers Using Horner’s Rule (Cont) k,y := N,1 ; { Invariant: s × 2 k = 0 ≤ k ≤ N ∧ y = X s Σi | k ≤ i<N : a i × 2 i � � where k } Bound function: k,y := k − 1 ,y 2 ; do k >0 → if a k = 0 → skip ✷ a k = 1 → y := y × a k fi od { y = X M }
Recommend
More recommend
