Invariant proof

We got almost where we needed to be on Monday with respect to our invariant proof. Remember that we are going backwards from:

{X! * Y = n! /\ X >= 0 /\ X > 0} Y := Y*X; X := X-1 {X! * Y = n! /\ X >= 0}

Note that the loop condition is included with I in the precondition on the sequence. This is required by the while rule.

The only rule we can apply is the sequence rule. Thus, we have to find A, B and C from {A}c0{C} and {C}c1{B}. We know that B is the invariant and can thus find C by working backwards over c1. Thus, the first thing to deal with is the assignment rule and X:=X-1:

{X! * Y = n! /\ X>=0}[X-1/X]

Replacing X by X-1 gives us C:

{(X-1)! * Y = n! /\ X-1>=0}

Now we can push C backwards through c0 again using the assignment rule to get A:

{(X-1)! * Y = n! /\ X-1>=0}[X*Y/Y]

Replacing Y with X*Y gives us A:

{(X-1)! * X * Y = n! /\ X-1>=0}

Unfortunately, this is not what we want. But if we can show that:

X! * Y = n! /\ X >=0 /\ X > 0 => (X-1)! * X * Y = n! /\ X-1 >= 0

we're in business because of the consequence rule. This is just a bit of mathematical manipulation:

X! * Y = n! /\ X >= 0 /\ X > 0
=> X! * Y = n! /\ X >= 1 (By X>0 and X>=0)
=> X! * Y = n! /\ (X-1) >= 0 (By subtracting 1 from each side of the inequality)
=> X * (X-1)! * Y = n! /\ (X-1) >= 0 (By unrolling the factorial once)

Since A => A', {A'}c{B} and B => B, the consequence rule gives us {A}c{B}, which is exactly what we want, where A = X! * Y = n! /\ X >= 0 /\ X > 0 is the precondition we started with and A' = (X-1)! * X * Y = n! /\ X-1 >= 0 is the one we derived.

Q.E.D.

Cool, but we still have some work to do in class Wednesday to show that the factorial calculation really is a factorial. All we've done here is show that our invariant is an invariant over the body of the loop.
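As an added worked example for these notes (my own code, not from the lecture or from Winskel), here is the backwards reasoning above done mechanically in Python. Assertions are nested tuples in a small format chosen for this example; subst is the assignment rule as syntactic substitution, wp applies it right to left through the sequence Y := Y*X; X := X-1 exactly as the sequence rule directs, and find_counterexample checks the side condition I /\ b => A' of the consequence rule over a bounded range of states. It also shows what goes wrong if the loop guard is left out of the antecedent, which is why the while rule conjoins b with I. All function names and bounds are choices made here.

```python
import math
from itertools import product

# Expressions and assertions are nested tuples (a constructed mini-AST for this example):
#   ('var', name)  ('num', k)  ('fact', e)  ('+'|'-'|'*', e1, e2)
#   ('='|'>='|'>', e1, e2)  ('and', a1, a2)
X, Y, N = ('var', 'X'), ('var', 'Y'), ('var', 'n')

def subst(term, var, repl):
    """Syntactic substitution term[repl/var], i.e. the assignment rule {B[e/x]} x := e {B}."""
    if term[0] == 'var':
        return repl if term[1] == var else term
    if term[0] == 'num':
        return term
    return (term[0],) + tuple(subst(t, var, repl) for t in term[1:])

def wp(assignments, post):
    """Push an assertion backwards through c0; c1; ... by the sequence rule:
    substitute for the last assignment first, then for the one before it."""
    pre = post
    for var, expr in reversed(assignments):
        pre = subst(pre, var, expr)
    return pre

def show(term):
    """Render a term in the notation of the notes, e.g. '(X - 1)! * Y = n!'."""
    op = term[0]
    if op == 'var':
        return term[1]
    if op == 'num':
        return str(term[1])
    if op == 'fact':
        inner = show(term[1])
        return (inner if term[1][0] in ('var', 'num') else '(' + inner + ')') + '!'
    if op == 'and':
        return show(term[1]) + ' /\\ ' + show(term[2])
    def operand(t):  # parenthesise a sum or difference that sits under a product
        s = show(t)
        return '(' + s + ')' if op == '*' and t[0] in ('+', '-') else s
    return operand(term[1]) + ' ' + op + ' ' + operand(term[2])

def evaluate(term, env):
    """Evaluate under a concrete state. None marks an undefined value: the notes
    conjoin X-1 >= 0 precisely because (X-1)! is meaningless when X = 0."""
    op = term[0]
    if op == 'var':
        return env[term[1]]
    if op == 'num':
        return term[1]
    if op == 'and':
        return evaluate(term[1], env) is True and evaluate(term[2], env) is True
    args = [evaluate(t, env) for t in term[1:]]
    if None in args:
        return None
    if op == 'fact':
        return math.factorial(args[0]) if args[0] >= 0 else None
    binops = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
              '=': lambda a, b: a == b, '>=': lambda a, b: a >= b, '>': lambda a, b: a > b}
    return binops[op](*args)

def find_counterexample(antecedent, consequent, bound=5):
    """Search small states for one satisfying the antecedent but not the consequent.
    Returns None when antecedent => consequent holds on every state searched. This is
    a bounded check of the side condition |= A => A' of the consequence rule, not a proof."""
    for x, n in product(range(-bound, bound + 1), range(0, bound + 1)):
        for y in range(-bound, math.factorial(bound) + 1):
            env = {'X': x, 'Y': y, 'n': n}
            if evaluate(antecedent, env) is True and evaluate(consequent, env) is not True:
                return env
    return None

# The loop from the notes: invariant I, guard b, body Y := Y*X; X := X-1
INVARIANT = ('and', ('=', ('*', ('fact', X), Y), ('fact', N)), ('>=', X, ('num', 0)))
GUARD = ('>', X, ('num', 0))
BODY = [('Y', ('*', Y, X)), ('X', ('-', X, ('num', 1)))]

def body_precondition():
    """The assertion A' obtained by pushing I back through both assignments."""
    return wp(BODY, INVARIANT)

if __name__ == '__main__':
    a_prime = body_precondition()
    print("A' =", show(a_prime))
    print("I /\\ b => A' counterexample:", find_counterexample(('and', INVARIANT, GUARD), a_prime))
    print("I => A' counterexample (guard dropped):", find_counterexample(INVARIANT, a_prime))
```

With the guard included no counterexample is found; with it dropped the search immediately returns the state X = 0, Y = 1, n = 0, where I holds but (X-1)! is undefined and X-1 >= 0 is false.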


Partial correctness

A quick word about partial vs total correctness in our axiomatic specifications. Remember that we are talking about partial correctness in class. For the command c:

{A}c{B}

When dealing with everything but loops, the distinction between this and total correctness has little impact on our work. However, it is important to remember that the notation:

{A}while b do c{B}

says that B is true if the loop terminates. Thus, partial correctness. Total correctness is harder to deal with and our book chooses not to cover it.

Remember to look at the last rule from class for Monday:

|= (A => A')    {A'} c {B'}    |= (B' => B)
-------------------------------------------
                 {A} c {B}

The new blog...

I've just moved the blog from being hosted by the ITTC web server to blogger.com.  You can still access the blog through the web page as always.  However, you can now access the blog via the address:

http://ku-eecs762.blogspot.com

Should be easier for me to administer and you to follow.  Let me know if you have any difficulties.


Axiomatic semantics beginnings

Today in class we defined what is called a Hoare triple, {A}c{B}, where A is a precondition, B is a postcondition and c is a command from IMP. Intuitively, the meaning of the Hoare triple is that if A is true in sigma before c is evaluated, then B will be true in sigma' after c is evaluated. We gave a formal definition using the concept of models, or satisfies, written with the new semantic turnstile. Towards the end of class we started to give the assertion language used to write A and B a semantics. It was simply an extension of the semantics for a and b from IMP with the addition of integer variables. We don't really know what those are quite yet, but we will shortly. We also defined the concept of an interpretation, denoted I, that is in effect a mapping from integer variables to values.

What’s going on here will be much clearer after Monday’s lecture, but Winskel’s description of this is excellent if you want to read it. I’m guessing that will happen after the project, which of course is perfectly fine.
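An added example (my own code, not from the course or the book) that gives the Hoare triple, and the partial-correctness reading from the earlier post, a concrete form in Python. A state sigma is a dict over the program variables X and Y, an interpretation I is a dict giving the integer variable n, and satisfies_triple walks a constructed finite set of states and interpretations checking that whenever sigma |=^I A and the command reaches a final state sigma', sigma' |=^I B. The factorial loop from the invariant post is checked against the postcondition the while rule yields, a deliberately wrong postcondition produces a witness, and a loop that never terminates satisfies a triple whose postcondition is false, which is exactly the partial-correctness point. The function names, the fuel bound and the state ranges are choices made for this example.

```python
import math
from itertools import product

def while_loop(guard, body, sigma, fuel=100):
    """Operational reading of while b do c: run the body while the guard holds.
    Returns the final state sigma', or None when the fuel runs out, standing for a
    non-terminating run that has no derivation <c, sigma> -> sigma' at all."""
    sigma = dict(sigma)
    while guard(sigma):
        if fuel == 0:
            return None
        fuel -= 1
        sigma = body(sigma)
    return sigma

def satisfies_triple(pre, command, post, states, interpretations):
    """Bounded check of |= {A} c {B} under partial correctness: for every state sigma
    and interpretation I of the integer variables, sigma |=^I A together with
    <c, sigma> -> sigma' must give sigma' |=^I B. Returns the first violating
    (sigma, I) pair, or None if none exists in the finite space searched."""
    for sigma, interp in product(states, interpretations):
        if not pre(sigma, interp):
            continue
        sigma_prime = command(sigma)
        if sigma_prime is None:
            continue  # no final state, so partial correctness demands nothing
        if not post(sigma_prime, interp):
            return sigma, interp
    return None

# The factorial loop from the invariant proof: while X > 0 do Y := Y * X; X := X - 1
def fact_body(sigma):
    s = dict(sigma)
    s['Y'] = s['Y'] * s['X']
    s['X'] = s['X'] - 1
    return s

def fact_loop(sigma):
    return while_loop(lambda s: s['X'] > 0, fact_body, sigma)

def invariant(sigma, interp):
    """I: X! * Y = n! /\ X >= 0, with n read from the interpretation I."""
    return sigma['X'] >= 0 and math.factorial(sigma['X']) * sigma['Y'] == math.factorial(interp['n'])

def exit_condition(sigma, interp):
    """I /\ not b, the postcondition the while rule gives for {I} while b do c."""
    return invariant(sigma, interp) and not sigma['X'] > 0

# Constructed finite state space: program variables X, Y and integer variable n.
STATES = [{'X': x, 'Y': y} for x in range(-2, 6) for y in range(-2, 121)]
INTERPRETATIONS = [{'n': n} for n in range(0, 6)]

def check_factorial_loop():
    """{I} while X > 0 do ... {I /\ X <= 0}: expected to have no counterexample."""
    return satisfies_triple(invariant, fact_loop, exit_condition, STATES, INTERPRETATIONS)

def check_wrong_postcondition():
    """Claiming Y = n at exit is false; the search returns a witnessing (sigma, I)."""
    return satisfies_triple(invariant, fact_loop, lambda s, i: s['Y'] == i['n'],
                            STATES, INTERPRETATIONS)

def check_divergent_loop():
    """{X > 0} while X > 0 do X := X + 1 {false} holds under partial correctness:
    the loop never reaches a final state, so the postcondition is never examined."""
    def diverge(sigma):
        return while_loop(lambda s: s['X'] > 0, lambda s: {**s, 'X': s['X'] + 1}, sigma)
    return satisfies_triple(lambda s, i: s['X'] > 0, diverge, lambda s, i: False,
                            STATES, INTERPRETATIONS)

if __name__ == '__main__':
    print('factorial loop violation:', check_factorial_loop())
    print('wrong postcondition witness:', check_wrong_postcondition())
    print('divergent loop violation:', check_divergent_loop())
```

The last check is the one to dwell on: under total correctness the divergent loop would be rejected, but under partial correctness the triple holds for every precondition and postcondition whatsoever, because a command that never terminates never produces a sigma' for B to be false in.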

Project 2 due date

Project 2 due date is set for November 17