1. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 1 Lecture 18 CS 1813 – Discrete Mathematics Loops Without Invariants Are Like Disneyland Without Crowd Control

2. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 2 Loop Induction for verifying properties of loops  Proof by Loop Induction  Prove: P(x 1, x 2, … x  ) is true when a loop begins  Prove: same P(x 1, x 2, … x  ) is true at end of each iteration Proof assumes P(x 1, x 2, … x  ) was true on previous iterations  Conclude: P(x 1, x 2, … x  ) is True and B(x 1, x 2, … x  ) is False if and when the loop terminates  Requirement Computing B(x 1, x 2, … x  ) does not affect values of x 1, x 2, … x  Loop precondition: P(x 1, x 2, … x  ) proved True while B(x 1, x 2, … x  ) … body of loop … Loop invariant: P(x 1, x 2, … x  ) proved True P(x 1, x 2, … x  )   B(x 1, x 2, … x  ) is True Loop Induction

3. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 3  a[i] = i=1  +1  a[i] where  denotes top-of-loop value of k i=1  a[  +1] +  Loop precondition True Subscript set for  is empty and empty sums are 0, by convention  Loop invariant True at end of loop if True at beginning sum = foldr (+) 0 — as a loop Function precondition: a[1..n] defined Loop precondition: s =  a[i] i=1 k integer sum(integer a[ ]) integer n = length(a[ ]) integer k, s s = 0 k = 0 while (k  n) k = k+1 s = s + a[k] return s Loop invariant: s =  a[i] i=1 k Conclude at return (by loop induction) s =  a[i] i=1 k But what is k at return? Loop terminates with k  n by counting-loop theorem (coming up)

4. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 4 The Counting-Loop Theorem  A type, c, is a “counting type” if  c includes operations suc::c -> c and (  ), (  )::c -> c -> bool  (suc m)  n whenever (m  n) {Note: x  y means (x  y)  (x  y)}  (m  n)  (n  iterate suc m) iterate f x = x : (iterate f (f x)) Computation pattern: iterate f x = [x, f x, f(f x), f(f(f x), … ]  Theorem (counting loop)  If k, m, n :: c, and m  n, and  If neither cmd1 nor cmd2 affects the values of k, m, or n  Then the following loop terminates and when it does, k  n k = m while (k  n) cmd1 k = suc k cmd2

5. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 5 Counting-Loop Proof k = m Loop precondition: k  n while (k  n) cmd1 k = suc k cmd2 Loop invariant: k  n  The values of k proceed through the sequence (iterate suc m) k = m, k = suc k = suc m, k = suc k = suc(suc m), …  Since c is a counting type and m  n, n  iterate suc m  That is, k takes on values at least as large as n  Therefore, the loop terminates m  n (assumption of theorem) k  m (meaning of assignment cmd) So, k  n k    n at top of loop suc   n whenever   n k = suc  at bottom of loop So, k  n k  n   (k  n) (loop induction) So, k  n at this point

6. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 6 bool vectorSum(double x[ ], double y[ ]) integer k, n = length(x[ ]) double z[1.. n] k = 0 while (k  n) k = k+1 z[k] = x[k] + y[k] return z[1.. n] addVectors = zipWith (+) Function precondition: x[1..n], y[1..n] defined Loop precondition:  i  k.z[i]  x[i] + y[i] Loop invariant:  i  k.z[i]  x[i] + y[i] By loop induction, (  i  k.z[i]  x[i] + y[i]) By counting-loop theorem, k = n Since k  n,  i  n.z[i]  x[i] + y[i] That is, z[i]  x[i] + y[i] for i = 1, 2, … n

7. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 7  Conclude: (  i  k.  a[i])  a[k] at return by loop induction  Case 1: k  n at return (a[k] = True)  (k  n) So, (  a[i] ) = True = (k  n) or = foldr (\/) False — as a loop Function precondition: a[1..n] defined, a[n+1] exists Loop precondition:  i  k.  a[i] bool or(bool a[ ], integer n) integer k a[n+1] = True k = 1 while (not a[k]) k = k+1 return (k  n) Loop invariant:  i  k.  a[i] n i=1  Case 2: k  n at return  i  k.  a[i]  i  n+1.  a[i]  i  n.  a[i]  a[i] = False = (k  n) n i=1

8. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 8 bool isPalindrome(char a[ ]) integer k, n = length(a[ ]) bool okSoFar okSoFar = True k = 1 while (okSoFar  (k  n div 2)) okSoFar = (a[k]  a[n-k+1] ) k = k+1 return okSoFar  (k  n div 2)  (a[k]  a[n-k+1] ) isPalindrome xs = (xs == reverse xs) Function precondition: a[1..n] defined Loop precondition: (  i  k.a[i]  a[n-i+1])  okSoFar Loop invariant: (  i  k.a[i]  a[n-i+1])  okSoFar If False, then either  okSoFar (Why?) or a[k]  a[n-k+1] Either way,  i. a[i]  a[n-i+1] If True, then (k  n div 2)  (a[k]  a[n-k+1] )  ((  i  k.a[i]  a[n-i+1])  okSoFar) So,  i  n div 2.a[i]  a[n-i+1] if okSoFar Is NOT palindrome Is palindrome What proves this equation is True? Palindromic predicates  i  n div 2.a[i]  a[n-i+1]  (  i. a[i]  a[n-i+1]) And,  (  i  n div 2.a[i]  a[n-i+1]) if  okSoFar loop induction

9. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 9 An Invariant for Every Loop  Software engineer must understand each loop  Loop invariants specify essential properties of loop  Software engineer states invariant for each loop  Invariant encapsulates all important properties  Sketch of proof or informal reasoning confirm correct results  Fools and amateurs can skip this step … Professionals cannot  Advantages of practicing this discipline  Way improves software quality Necessary to produce defect-free software  Facilitates software review and maintenance  Saves time, overall

10. CS 1813 Discrete Mathematics, Univ Oklahoma Copyright © 2000 by Rex Page 10 End of Lecture