Prepared by: Sharif Omar Salem – [email protected]
Formal Methods: Loop proof using induction method
Example 1

Induction reasoning
We will add two important induction principles to our rules. These principles are very
important when dealing with integers, especially positive integers.
• First Principle:
• Second Principle:
• The major difference is in the second statement (the inductive hypothesis).
– Use the second principle when assuming P(k) alone is not enough to prove P(k+1).
– Assuming P(r) for every r with 1 ≤ r ≤ k gives more ammunition to prove the relation.
Loop proof using induction reasoning
The control-flow pattern of a while loop is as in the diagram.
The Hoare triple rule for iteration is
{Q ∧ B} P {Q} ⊢ {Q} while (B) [P] {Q ∧ ¬B}
Read it as: if the loop body P preserves Q whenever the guard B holds, then the whole loop, started in a state satisfying Q, ends in a state satisfying Q ∧ ¬B. Q is the loop invariant. Note that the rule gives partial correctness only: termination of the loop has to be shown separately.
Example: Prove, using the induction method, that the Euclidean algorithm finds the greatest common divisor of two positive integers a and b.
• The greatest common divisor of a and b, denoted gcd(a, b), is the largest integer n such that n | a and n | b (n divides both a and b). For example, gcd(12, 18) = 6 and gcd(420, 66) = 6.
• The Euclidean algorithm works by a succession of divisions. To find gcd(a, b), assuming a >= b so that a is the dividend and b the divisor, you first divide a by b, getting a quotient and a remainder. Next, you divide the divisor b by the remainder (the previous divisor becomes the new dividend and the previous remainder becomes the new divisor) and keep doing this until the remainder is 0. At this point the greatest common divisor is the last divisor used.
• Theorem to prove ≔ {Q} while (B) [P] {Q ∧ ¬B}, where the post condition must give the goal i = gcd(a, b).
• Loop condition (B) ≔ the remainder is not 0, i.e. (j != 0), with j the current divisor.
Solution steps (four steps):
Step 1: From the loop description, find definitions for the relation between the variables.
Definitions:
• The greatest common divisor of any two integers (dividend i and divisor j) is equal to the greatest common divisor of the divisor j and the remainder r of dividing i by j:
≔ gcd(i, j) = gcd(j, r), where r = i mod j
• At every iteration the greatest common divisor of the temporary dividend i and divisor j is equal to the greatest common divisor of the original two integers a and b:
≔ gcd(i, j) = gcd(a, b)
Step 2: Define the loop invariant. The loop invariant is a statement that is true before and after every iteration of the loop and relates all the variables inside the program. In our case it is
Q ≔ gcd(i, j) = gcd(a, b)
Step 3: Now we have to prove that Q holds in every state the loop can reach. Let i_n and j_n be the values of i and j after n iterations. We use induction to prove:
Q(n) ≔ gcd(i_n, j_n) = gcd(a, b) for all n ≥ 0.
– Basis: Q(0) is gcd(i_0, j_0) = gcd(a, b), which is true because when we first reach the loop statement, i and j hold the values a and b.
– Inductive step: assume Q(k): gcd(i_k, j_k) = gcd(a, b). Show Q(k + 1): gcd(i_{k+1}, j_{k+1}) = gcd(a, b).
– The body only runs when the guard B holds, so j_k ≠ 0 and the remainder r_k = i_k mod j_k is defined. By the assignment statements within the loop body we know that
• i_{k+1} = j_k
• j_{k+1} = r_k
– Then, by the first definition from Step 1:
gcd(i_{k+1}, j_{k+1}) = gcd(j_k, r_k) = gcd(i_k, j_k)
– By the inductive hypothesis, the right-hand side is equal to gcd(a, b), so Q(k + 1) holds.
Step 4: Now we have to prove that at loop termination the post condition Q ∧ ¬B implies the goal.
Termination + Loop Invariant = Goal. At loop termination:
• gcd(i, j) = gcd(a, b) (the invariant Q) and j = 0 (the negated guard ¬B),
• so gcd(i, 0) = gcd(a, b).
• But gcd(i, 0) is i, because every integer divides 0, so i = gcd(a, b).
The loop does terminate: each iteration replaces j by a remainder r with 0 ≤ r < j, so j is a strictly decreasing non-negative integer and must reach 0.
Since Q holds in every state inside the loop and the post condition at termination implies the goal, the GCD function is correct.
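The four steps above, carried out on a concrete run. This is an added example, not code from the lecture: it implements the Euclidean loop exactly as the proof describes it, records the states (i_n, j_n) at every loop head, and checks each proof obligation (the invariant Q at every state, the decreasing variant j for termination, and the post condition i = gcd(a, b)) against gcd_by_definition, a brute-force helper that follows the page's definition of gcd. The function names are the example's own.

```python
from __future__ import annotations


def gcd_by_definition(a: int, b: int) -> int:
    """gcd(a, b) straight from the definition on the page: the largest n with n | a and n | b.

    Brute force; used only as the specification to check the invariant against.
    Note that gcd(i, 0) = i, because every n divides 0. Requires max(a, b) > 0.
    """
    for n in range(max(a, b), 0, -1):
        if a % n == 0 and b % n == 0:
            return n
    raise ValueError("at least one argument must be positive")


def euclid_trace(a: int, b: int) -> list[tuple[int, int]]:
    """Run the Euclidean loop and record (i_n, j_n) at the loop head for every n.

    The last pair has j == 0, i.e. the guard B: j != 0 has just failed.
    The page assumes a >= b; if a < b the first iteration simply swaps them.
    """
    if a <= 0 or b <= 0:
        raise ValueError("a and b must be positive integers")
    i, j = a, b                 # i_0 = a, j_0 = b: Q(0) holds trivially
    states = [(i, j)]
    while j != 0:               # guard B
        r = i % j               # r_k = i_k mod j_k, with 0 <= r_k < j_k
        i, j = j, r             # i_{k+1} = j_k, j_{k+1} = r_k
        states.append((i, j))
    return states


def euclid_gcd(a: int, b: int) -> int:
    """Step 4: at termination Q and not B give gcd(i, 0) = gcd(a, b), and gcd(i, 0) = i."""
    return euclid_trace(a, b)[-1][0]


def check_proof_obligations(a: int, b: int) -> bool:
    """Check, on one concrete run, every obligation the proof discharges symbolically.

    1. Invariant Q(n): gcd(i_n, j_n) = gcd(a, b) at every loop head (Steps 2 and 3).
    2. Variant: j strictly decreases, so the loop terminates (Step 4, termination).
    3. Post condition: the final state has j == 0 and i == gcd(a, b) (Step 4, goal).
    """
    states = euclid_trace(a, b)
    spec = gcd_by_definition(a, b)
    for i, j in states:
        if gcd_by_definition(i, j) != spec:
            return False
    for (_, j_prev), (_, j_next) in zip(states, states[1:]):
        if not j_next < j_prev:
            return False
    return states[-1][1] == 0 and states[-1][0] == spec


if __name__ == "__main__":
    # Constructed inputs: the two examples from the page plus a coprime pair.
    for a, b in [(12, 18), (420, 66), (17, 5)]:
        print(a, b, euclid_trace(a, b), euclid_gcd(a, b), check_proof_obligations(a, b))
```

Running it on (420, 66) walks through the states (420, 66), (66, 24), (24, 18), (18, 6), (6, 0): the divisor strictly decreases at every step, gcd(i, j) stays 6 throughout, and the loop exits with i = 6. A runtime check of this kind is not a proof, since it only covers the inputs you try, but it is a cheap way to catch an invariant that was written down wrongly before investing in the inductive argument.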
End of Lecture

Next Lecture: ProLogic