
Anne Kaldewaij Programming:

The Derivation of Algorithms



C. A. R. HOARE SERIES EDITOR


Programming

Prentice Hall International Series in Computer Science

C. A. R. Hoare, Series Editor


Programming

The Derivation of Algorithms

A. Kaldewaij

Eindhoven University of Technology


Prentice Hall

New York London Toronto Sydney Tokyo Singapore

First published 1990 by
Prentice Hall International (UK) Ltd
66 Wood Lane End, Hemel Hempstead
Hertfordshire HP2 4RG

A division of
Simon & Schuster International Group

© Prentice Hall International (UK) Ltd, 1990

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission, in writing, from the publisher.

For permission within the United States of America contact Prentice Hall Inc., Englewood Cliffs, NJ 07632.

Printed and bound in Great Britain by
Dotesios Printers Limited, Trowbridge, Wiltshire

Library of Congress Cataloging-in-Publication Data

Kaldewaij, A. (Anne)
Programming: the derivation of algorithms / A. Kaldewaij.
p. cm. - (Prentice Hall international series in computer science)
Includes bibliographical references and index.
ISBN 0-13-204108-1 : $32.95
1. Electronic digital computers--Programming. 2. Algorithms. I. Title. II. Series.
QA76.6.K3417 1990
005.1-dc20 90-14158
CIP

British Library Cataloguing in Publication Data

Kaldewaij, A. (Anne)
Programming : the derivation of algorithms. - (Prentice Hall International series in computer science).
1. Computer systems. Programming. Algorithms. Design
I. Title
005.12028
ISBN 0-13-204108-1

1 2 3 4 5 94 93 92 91 90

Contents

Preface ix
0 Introduction 1
1 Predicate Calculus 4
2 The Guarded Command Language 13
2.0 Introduction 13
2.1 Skip 16
2.2 Assignment 17
2.3 Catenation 20
2.4 Selection 23
2.5 Repetition 28
2.6 Constants, Inner Blocks, and Arrays 38
2.7 Summary 42
3 Quantifications 44
4 General Programming Techniques 51
4.0 Introduction 51
4.1 Taking conjuncts as invariant 52
4.2 Replacing constants by variables 57
4.3 Strengthening invariants 63
4.4 Tail invariants 72
4.5 Summary 80
5 Deriving Efficient Programs 83
5.0 Introduction 83
5.1 Integer division 83
5.2 Fibonacci 88
6 Searching 92
6.0 Introduction 92
6.1 Linear Search 92
6.2 Bounded Linear Search 95
6.3 Binary Search 98
6.4 Searching by Elimination 104
7 Segment Problems 110
7.0 Introduction 110
7.1 Longest segments 110
7.1.0 All zeros 111
7.1.1 Left-minimal segments 115
7.1.2 At most ten zeros 117
7.1.3 All elements different 119
7.2 Shortest segments 122
8 Slope Search 127
8.0 Introduction 127
8.1 The basic principle 127
8.1.0 Searching 130
8.1.1 Decomposition in a sum of two squares 133
8.1.2 Minimal distance 136
8.2 Longest and shortest segments 140
8.2.0 Longest segments 141
8.2.1 Shortest segments 144
8.2.2 At least two zeros revisited 146
9 Mixed Problems 148
10 Array Manipulations 152
10.0 Introduction 152
10.1 Array assignments 152
10.2 Swaps 159
10.2.0 The Dutch National Flag 161
10.2.1 Rotation 164
11 Sorting 170
11.0 Introduction 170
11.1 Quadratic sorting algorithms 172
11.1.0 Insertion Sort 172
11.1.1 Selection Sort 174
11.1.2 Bubble Sort 176
11.2 Advanced sorting algorithms 178
11.2.0 Quicksort 179
11.2.1 Mergesort 183
11.2.2 Heapsort 187
12 Auxiliary Arrays 195
12.0 At most K zeros 195
12.1 Largest square under a histogram 198
12.2 The length of a longest common subsequence 201
12.3 A shortest segment problem 206
Index 214

Preface

Programming is the art of designing efficient algorithms that meet their specifications. During the 1980s the art of programming became more and more a discipline of programming. Problems that were hard to solve ten years ago are now used as examples in an introductory programming course. What happened?

There are two factors by which algorithms may be judged: their correctness (do they solve the right problem?) and their performance (how fast do they run, and how much space do they use?). The classical way of judging the quality of an algorithm is by tracing execution patterns, by providing test inputs, or by supplying formal proofs. The process of proving the correctness of an algorithm after it has been designed is known as verification. Verification of algorithms is rather difficult, even for the designer of an algorithm. Many a programmer regards it as a waste of time and prefers to continue with another interesting programming problem. This is one of the reasons why formal methods were largely rejected or neglected by the software community.

As time went by it became obvious that neither tracing nor testing can guarantee the absence of errors. To be sure of the correctness of a program one has to prove that it meets its specification. This insight led to the development of specification languages and tools that might support program verification.

A quite different approach was advocated and developed by Edsger W. Dijkstra and others during the 1970s. In their approach a program and its correctness proof are constructed hand in hand, thereby making a posteriori program verification superfluous. The proof rules (semantics) of the program notation provide the guidelines for the construction of algorithms from specifications. The correctness of a program obtained in this way is implicit: following the rules of the game it is impossible to construct an incorrect algorithm. With the introduction of this method of programming it also became possible to reason about programs in a non-operational way.

During the 1980s W.H.J. Feijen and others refined this method to what is known as the calculational style of programming: to a large extent, programs are derived from their specification by means of formula manipulation. The calculations that lead to the algorithm are carried out in small steps, so that each individual step is easily verified. In this way the design decisions become manifest. Such decisions are based on several considerations, such as efficiency, simplicity and symmetry. This method does not only help us in finding a solution, but it can also yield new solutions that are often quite surprising. Program derivation is not mechanical: it is a challenging activity and it requires creativity. This way of programming shows where creativity comes in. It is this method that is explained and exemplified in this textbook.

As a vehicle for the description of algorithms we use the guarded command language. It has the simplicity needed for educational reasons and it has the expressiveness needed for the description of algorithms. Procedures and recursion are not included: the modest constructs of the guarded command language provide more than enough latitude for an introduction to programming.

How to use this book

The material of this textbook can be presented in a one-year course. Such a course may be organized as follows: each week a two-hour lecture in which the theory is explained and exemplified and a three-hour training session in which exercises are solved in small groups. This is the way in which I present the material to first-year computing science students at the Eindhoven University of Technology. Each week one exercise is marked as a home-work assignment. That exercise has to be worked out with great precision. The same material has been used in a third-year course.

The only prerequisite is an introductory course in Pascal, just enough to give students some idea about programs and about program execution.

The pace of lecturing should be leisurely. It takes time to get used to the notation and to get used to the mathematical rigor that is needed. The exercises play a fundamental role: you can only understand and appreciate the strength and beauty of the method by using it.

A Teacher's Manual (including answers to exercises) is available from the publishers for adopters of this book.

Overview

In the first chapters, we introduce the predicate calculus and the guarded command language. Since this book is about programming and not about semantics, the presentation of the theory of predicates is kept as simple as possible. Each construct of the guarded command language is introduced together with its accompanying proof rule. These chapters form the basis for the development of programs. Many exercises have been included to help the reader gain familiarity with the notations and the proof rules.

Chapter 3 introduces quantifications, which are used in specifications and for which the manipulation rules are presented that are needed in program derivations.

In Chapter 4, we present the general programming techniques that underlie the more specific techniques presented in the chapters that follow. Chapter 5 discusses efficiency and presents two examples of efficient algorithms. This chapter gives the teacher the opportunity to show how one can reason about such programs without operational arguments.

In Chapters 6, 7, and 8 the general programming techniques of Chapter 4 are applied to more specific classes of problems. Chapter 6 addresses searching paradigms: the Linear Search, the Bounded Linear Search, the Binary Search, and Searching by Elimination are presented. In Chapter 7 segment problems are discussed, which provide an excellent training in the calculus needed for program derivation. Chapter 8 deals with two-dimensional searches and applies the Slope Search technique to segment problems. These chapters are followed by a set of mixed programming problems.

The final chapters deal with array operations. The proof rule for the array assignment is introduced and applied to various problems. In Chapter 12 the introduction of auxiliary arrays is discussed and exemplified by some more complicated programming problems.

Bibliography

The proof format used in this book was invented by W.H.J. Feijen. Much of the notation, such as the square brackets for universal quantification over a state space, is due to E.W. Dijkstra. Many of the examples and many exercises occur also in A Method of Programming by Edsger W. Dijkstra and W.H.J. Feijen, Addison Wesley, 1988. Another source is The Science of Programming by David Gries, Springer-Verlag New York Inc., 1981. For instance, the exercise called 'Welfare Crook' is an example from this book. Both books are recommended.

Searching by Elimination was invented by Berry Schoenmakers. Some of the exercises have been composed by Jan L.A. van de Snepscheut.

Two other books have to be mentioned. My first contact with the science of programming was A Discipline of Programming by Edsger W. Dijkstra, Prentice-Hall, 1976. You will find it a pleasure to read it after you have studied this textbook. For those interested in the theory of predicate transformers, I recommend Predicate Calculus and Program Semantics by Edsger W. Dijkstra and Carel S. Scholten, Springer-Verlag New York Inc., 1990.

Acknowledgements

It is a pleasure to express my gratitude to Wim Feijen, who spent so much time teaching me all he knows about programming. This book would not have been written without him.

The Eindhoven Algorithm Club, in particular Lex Bijlsma, Victor Dielissen, Joop van den Eijnde, Wim Nuij and Berry Schoenmakers, is gratefully acknowledged for pointing out errors and obscurities in earlier versions.

My thanks go to all those colleagues and students who made comments on parts of this book. I want to mention W.H.J. Feijen, Ria van Ouwerkerk, Martin Rem, Rob Nederpelt, Asia van de Mortel, and Tom Verhoeff.

The ATAC (Austin Tuesday Afternoon Club), in particular Edsger W. Dijkstra, is acknowledged for comments on the first part of this book.

Finally, my special thanks go to Rob Hoogerwoord who carefully studied the final draft of this text, and who suggested many methodological improvements.

Eindhoven, September 1990 Anne Kaldewaij

Chapter 0

Introduction

There are many different views on programming. A common view is that a program is just a kind of recipe that explains what steps have to be performed to achieve a certain goal. Such a program is often presented in an operational way: 'first do this, then apply that' and 'perform the following N times'. This approach can be found in many textbooks on programming. Often such textbooks treat a specific programming language, such as FORTRAN-77, COBOL or MODULA-2, and usually those books only differ in the language that is used.

In this book we present a completely different approach. A program together with its specification is viewed as a theorem. The theorem expresses that the program satisfies the specification. Hence, all programs require proofs (as theorems do). We shall derive programs according to their specifications in a constructive way, such that program development and correctness proof go hand in hand.

As an example, we consider the following Pascal program.

   program maximum(input, output);
   var x, y : integer;
   begin
      read(x); read(y);
      if x < y then x := y;
      write(x)
   end.

Program variables define a so-called state space. Variables x and y introduced in the second line of this program define state space Z × Z, where Z denotes the set of integers. The coordinates of this state space correspond to the variables, the first one to x and the second one to y. Elements of a state space are called states. Typical states are (1,2) and (0,−5). Sets of states, i.e. subsets of the state space, are characterized by predicates (boolean functions), such as x ≥ y and x ≥ 0 ∧ y ≥ 0.

When values A and B are supplied as input to the program above, execution of read(x); read(y) establishes x = A ∧ y = B, or, phrased differently, leads to state (A, B). Execution of

if x < y then x := y

establishes x = A max B, the maximum of A and B. Finally, execution of write(x) will print the value of x, i.e. A max B, at some output device.

The heart of the program is the selection statement:

if x < y then x := y

The relation between

x = A ∧ y = B,
if x < y then x := y, and
x = A max B

is denoted as

{x = A ∧ y = B} if x < y then x := y {x = A max B}

The operational interpretation of this triple is

Execution of 'if x < y then x := y' starting in a state satisfying x = A ∧ y = B terminates in a state satisfying x = A max B.

Predicate x = A ∧ y = B is called the pre-condition and predicate x = A max B is called the post-condition of this statement. How the pre-condition (in particular, the initial state) has been established is not relevant. In this book we will not be concerned with input or output, but we focus our attention on the design of the algorithm that expresses the computation of the output in terms of the input.

We will use Edsger W. Dijkstra's guarded command language to denote our programs. This language is quite modest but sufficiently rich to represent sequential algorithms in a succinct and elegant way. The language is not a main subject of the course, it is only used to represent programs. In the guarded commands notation the program presented above is denoted as

   |[ var x, y : int;
      {x = A ∧ y = B}
      if x < y → x := y [] x ≥ y → skip fi
      {x = A max B}
   ]|

Specifications have the same shape as programs, for instance, a possible specification for the program above is

   |[ var x, y : int;
      {x = A ∧ y = B}
      maximum
      {x = A max B}
   ]|,

in which maximum is the name of the program we are looking for.

In general, a specification consists of the definition of a state space (a set of program variables), a pre-condition and a post-condition. Program S satisfies a specification if all executions of S starting in a state satisfying the pre-condition terminate in a state satisfying the post-condition.
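The definition of 'S satisfies a specification' can be checked mechanically on a bounded state space. The following Python program is an added example, not code from the book: it executes the guarded selection above from every start state with x and y in a small interval, compares the final state with the post-condition x = A max B, and also shows what happens when the x ≥ y → skip arm is omitted (the names run_if, assign, satisfies and check_maximum are mine).

```python
# Added example (not from the book): checking
#   {x = A ∧ y = B}  if x < y → x := y [] x ≥ y → skip fi  {x = A max B}
# by executing the guarded command from every start state of a bounded
# state space. This is the operational view the book is about to replace
# by proof rules; here it doubles as a cheap sanity test.
from itertools import product


class Abort(Exception):
    """Raised when no guard of a selection holds: in the guarded command
    language that is abortion, not a silent 'skip' as in Pascal's if."""


def run_if(state, arms):
    """Execute  if g0 → S0 [] g1 → S1 [] ... fi  on a copy of `state`.
    `arms` is a list of (guard, statement) pairs; when several guards hold
    any arm may be taken (we take the first), when none holds we abort."""
    for guard, stmt in arms:
        if guard(state):
            return stmt(dict(state))
    raise Abort(state)


def assign(var, expr):
    """The assignment var := expr as a state-to-state function."""
    def stmt(state):
        state[var] = expr(state)
        return state
    return stmt


def skip(state):
    return state


# The program from the text, with the explicit x ≥ y → skip arm ...
MAXIMUM = [
    (lambda s: s["x"] < s["y"], assign("x", lambda s: s["y"])),
    (lambda s: s["x"] >= s["y"], skip),
]
# ... and a literal transcription of Pascal's 'if x < y then x := y',
# which forgets that a guarded 'if' needs some guard to be true.
MAXIMUM_ONE_ARM = [
    (lambda s: s["x"] < s["y"], assign("x", lambda s: s["y"])),
]


def satisfies(pre, program, post, states):
    """{pre} program {post} on a finite set of states: every execution
    started in a state satisfying pre must terminate in a state satisfying
    post. Returns None when that holds, else the first counterexample."""
    for s in states:
        if not pre(s):
            continue
        try:
            t = run_if(s, program)
        except Abort:
            return (s, "abort")
        if not post(t):
            return (s, t)
    return None


def check_maximum(program, lo=-3, hi=3):
    """Check the triple for every choice of specification values A, B in
    [lo, hi]. The pre-condition x = A ∧ y = B picks out a single state."""
    states = [{"x": x, "y": y} for x, y in product(range(lo, hi + 1), repeat=2)]
    for A, B in product(range(lo, hi + 1), repeat=2):
        pre = lambda s, A=A, B=B: s["x"] == A and s["y"] == B
        post = lambda s, A=A, B=B: s["x"] == max(A, B)
        bad = satisfies(pre, program, post, states)
        if bad is not None:
            return bad
    return None


if __name__ == "__main__":
    print(check_maximum(MAXIMUM))           # None: the triple holds
    print(check_maximum(MAXIMUM_ONE_ARM))   # ({'x': -3, 'y': -3}, 'abort')
```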

The fact that program S satisfies a specification with pre-condition P and post-condition Q is denoted as

{P} S {Q}

The guarded command language will be introduced in such a way that {P} S {Q} can be inferred from the structure of S. For each construct S an inference rule is presented which is based on an operational interpretation of S. However, as soon as the rules have been defined, the operational interpretation will not be used any more.

Thus, before we can start with the main subject of this book, i.e. programming, we have to define the program notation and the rules of the game. The predicate calculus needed for this is the topic of the next chapter.

Any notation used in this book is introduced when it is needed. One convention is mentioned here: for function application we use a dot, so instead of F(x) we write F.x. Function application is left-binding: f.x.y should be interpreted as (f.x).y.

Chapter 1

Predicate Calculus

In programming, predicate logic is used as a calculus, as opposed to its use in other disciplines where logic plays a more static role. This chapter is not a short introduction to logic, but a presentation of a (rather modest) notation and set of rules that will be used in the subsequent chapters.

A predicate is a boolean function: for set X, function P : X → {false, true} is called a predicate on X. In our applications set X will be a state space defined by a set of program variables. Each program variable is of a certain type and X is the Cartesian product of these types. The coordinates of X are identified by the names of the program variables. For instance, x and y of type integer define state space X = Z × Z. Let the first coordinate correspond to x and let the second coordinate correspond to y. Typical predicates on X are x ≥ y and x = 2 ∧ y = 3. The latter has value true in point (2,3) and value false in all other points of the state space.

For each state space the (constant) predicate that is true in each point of that space is also denoted by true. Similarly, false denotes the predicate that is false in all points of the state space. The following operators are defined on the set of predicates on a state space.

∧ (conjunction)   ∨ (disjunction)   ≡ (equivalence)   ⇒ (implication)   ¬ (negation)

These operators are defined as follows:

P ∧ Q is the predicate that is true in each point where P is true and Q is true; it is false in all other points.

P ∨ Q is the predicate that is false in each point where P is false and Q is false; it is true in all other points.

P ≡ Q is the predicate that is true in each point where P and Q have the same value; it is false in all other points.

P ⇒ Q is the predicate that is false in each point where P is true and Q is false; it is true in all other points.

¬P is the predicate that is true in each point where P is false; it is false in each point where P is true.

For P ⇒ Q we may also write Q ⇐ P ('Q follows from P'). To avoid parentheses in expressions we introduce the following priorities. Negation has the highest priority. Of the binary operators, conjunction and disjunction have the highest priority, followed by implication and then equivalence. For instance, P ⇒ Q ≡ ¬P ∨ Q should be read as (P ⇒ Q) ≡ ((¬P) ∨ Q).

We are often interested in predicates that hold everywhere, i.e., predicates that are true at each point of the state space. Examples of such predicates are Q ≡ Q, (x+1)² = x² + 2x + 1, and true. The proposition 'P is true for all states' is denoted as

[P]

which is pronounced as 'for all states P' or 'P, for all states'.

For instance, [x ≥ 1 ⇒ x ≥ 0] and [true] hold, whereas [x ≥ 0 ≡ x ≥ 1] does not hold, since

0 ≥ 0 ∧ ¬(0 ≥ 1)

Note that [P ≡ Q] expresses that predicates P and Q denote the same function. In particular, Q may be substituted for P. This substitution rule (known as Leibniz's Rule) may be formulated as follows:

If [P ≡ Q] then any occurrence of P in expression R may be replaced by Q without changing the value of R.

We assume that the reader is familiar with most of the properties of the operators introduced above. The following list shows some of these properties. This list is not exhaustive and not all of the listed properties will be used frequently. Their use will become apparent in the chapters that follow. In the following P, Q, and R are predicates on the same state space.

idempotence:
[P ∧ P ≡ P]   [P ∨ P ≡ P]

commutativity:
[P ∧ Q ≡ Q ∧ P]   [P ∨ Q ≡ Q ∨ P]   [(P ≡ Q) ≡ (Q ≡ P)]

associativity:
[(P ∧ Q) ∧ R ≡ P ∧ (Q ∧ R)]   [(P ∨ Q) ∨ R ≡ P ∨ (Q ∨ R)]
[((P ≡ Q) ≡ R) ≡ (P ≡ (Q ≡ R))]

These associativity properties permit us to omit parentheses.

distributivity:
[P ∧ (Q ∨ R) ≡ (P ∧ Q) ∨ (P ∧ R)]   [P ∨ (Q ∧ R) ≡ (P ∨ Q) ∧ (P ∨ R)]
[P ∨ (Q ≡ R) ≡ P ∨ Q ≡ P ∨ R]

absorption:
[P ∧ (P ∨ R) ≡ P]   [P ∨ (P ∧ R) ≡ P]

false-true rules:
[P ∧ true ≡ P]   [P ∨ false ≡ P]   [P ∧ false ≡ false]   [P ∨ true ≡ true]

De Morgan:
[¬(P ∧ Q) ≡ ¬P ∨ ¬Q]

negation:
[¬¬P ≡ P]   [P ∨ ¬P ≡ true]   [P ∧ ¬P ≡ false]   [¬(P ≡ Q) ≡ ¬P ≡ Q]

implication:
[P ⇒ Q ≡ ¬P ∨ Q]   [P ⇒ Q ≡ P ∧ Q ≡ P]   [P ⇒ Q ≡ P ∨ Q ≡ Q]
[P ⇒ P ∨ Q]   [P ∧ Q ⇒ P]   [false ⇒ P]   [P ⇒ true]
[true ⇒ P ≡ P]   [P ⇒ false ≡ ¬P]

equivalence:
[P ≡ P]   [P ≡ P ≡ true]   [¬P ≡ P ≡ false]


A theorem of the form [P ≡ Q] is often proved in a number of steps, for instance, by showing [P ≡ A], [A ≡ B], and [B ≡ Q], for certain predicates A and B. To avoid writing down A and B twice, we use the following notation for such a proof:

   P
≡    {hint why [P ≡ A]}
   A
≡    {hint why [A ≡ B]}
   B
≡    {hint why [B ≡ Q]}
   Q

Similarly [P ⇒ Q] may be proved by, for instance, [P ≡ A], [A ⇒ B], and [B ⇒ Q]. We will denote such a proof as follows:

   P
≡    {hint why [P ≡ A]}
   A
⇒    {hint why [A ⇒ B]}
   B
⇒    {hint why [B ⇒ Q]}
   Q

As an example we show [P ∧ (¬P ∨ Q) ≡ P ∧ Q], a so-called 'complement rule':

   P ∧ (¬P ∨ Q)
≡    {distributivity of ∧ over ∨}
   (P ∧ ¬P) ∨ (P ∧ Q)
≡    {negation rule}
   false ∨ (P ∧ Q)
≡    {false-true rule}
   P ∧ Q

When [P ⇒ Q] holds then P is called stronger than Q and Q is called weaker than P. For example, x ≥ 2 is stronger than x ≥ 1 and x² ≥ 0 is weaker than x ≥ 0. The weakest predicate is predicate true, since [P ⇒ true] for all P, and the strongest predicate is predicate false, since [false ⇒ P] for all P.
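The laws listed above, the complement rule just derived, and the distinction between the predicate P ⇒ Q and the proposition [P ⇒ Q] can all be checked by exhaustive evaluation, since a predicate over three boolean variables has only eight points to look at. The Python below is an added example, not code from the book; the names everywhere, eqv, imp, LAWS, failing_laws, stronger and bracket_demo are mine.

```python
# Added example (not from the book): the laws above and the complement
# rule checked by exhaustive evaluation over the state space of three
# boolean variables P, Q, R. A predicate is a Python function of a state
# (a dict); the book's [X] is everywhere(X).
from itertools import product

STATES = [dict(zip("PQR", bits)) for bits in product((False, True), repeat=3)]


def everywhere(pred):
    """[pred]: pred holds in every point of the state space."""
    return all(pred(s) for s in STATES)


# Equivalence is a binary operator in its own right. Do NOT write a == b == c
# for P ≡ Q ≡ R: Python reads that as the chained comparison (a == b) and
# (b == c), which is not associative equivalence.
def eqv(a, b):
    return a == b


def imp(a, b):
    return (not a) or b


LAWS = {
    "idempotence":
        lambda s: eqv(s["P"] and s["P"], s["P"]),
    "commutativity of ≡":
        lambda s: eqv(eqv(s["P"], s["Q"]), eqv(s["Q"], s["P"])),
    "associativity of ≡":
        lambda s: eqv(eqv(eqv(s["P"], s["Q"]), s["R"]),
                      eqv(s["P"], eqv(s["Q"], s["R"]))),
    "∨ distributes over ≡":
        lambda s: eqv(s["P"] or eqv(s["Q"], s["R"]),
                      eqv(s["P"] or s["Q"], s["P"] or s["R"])),
    "absorption":
        lambda s: eqv(s["P"] and (s["P"] or s["R"]), s["P"]),
    "De Morgan":
        lambda s: eqv(not (s["P"] and s["Q"]), (not s["P"]) or (not s["Q"])),
    "negation of ≡":
        lambda s: eqv(not eqv(s["P"], s["Q"]), eqv(not s["P"], s["Q"])),
    "P ⇒ Q ≡ ¬P ∨ Q":
        lambda s: eqv(imp(s["P"], s["Q"]), (not s["P"]) or s["Q"]),
    "P ⇒ Q ≡ P ∧ Q ≡ P":
        lambda s: eqv(imp(s["P"], s["Q"]), eqv(s["P"] and s["Q"], s["P"])),
    "P ⇒ Q ≡ P ∨ Q ≡ Q":
        lambda s: eqv(imp(s["P"], s["Q"]), eqv(s["P"] or s["Q"], s["Q"])),
    "¬P ≡ P ≡ false":
        lambda s: eqv(eqv(not s["P"], s["P"]), False),
    "complement rule":
        lambda s: eqv(s["P"] and ((not s["P"]) or s["Q"]), s["P"] and s["Q"]),
}


def failing_laws():
    """Names of the laws above that do not hold everywhere (expected: none)."""
    return [name for name, law in LAWS.items() if not everywhere(law)]


def stronger(p, q):
    """P is stronger than Q (and Q weaker than P) exactly when [P ⇒ Q]."""
    return everywhere(lambda s: imp(p(s), q(s)))


def bracket_demo():
    """[P ⇒ Q] is a proposition about all states; the predicate P ⇒ Q is
    true in some states and false in others. The two must not be confused."""
    P = lambda s: s["P"]
    Q = lambda s: s["Q"]
    PandQ = lambda s: s["P"] and s["Q"]
    return {
        "[P ⇒ Q]": stronger(P, Q),                                # False
        "P ⇒ Q somewhere": any(imp(P(s), Q(s)) for s in STATES),  # True
        "[P ∧ Q ⇒ P]": stronger(PandQ, P),                        # True
        "[P ⇒ P ∧ Q]": stronger(P, PandQ),                        # False
        "[true] is weakest": all(stronger(x, lambda s: True) for x in (P, Q, PandQ)),
        "[false] is strongest": all(stronger(lambda s: False, x) for x in (P, Q, PandQ)),
    }
```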

Equation Y: [Y ⇒ P] has P as weakest solution, since

(i) [P ⇒ P], i.e., P is a solution, and

(ii) for any solution Y, [Y ⇒ P], i.e., P is weaker than Y.

Note that false is the strongest solution of this equation. Similarly, equation Y: [P ⇒ Y] has P as its strongest solution, and true as its weakest solution.

We use predicates that are expressions in the program variables of the state space. An important operation on expressions is substitution. Substitution of expression E for variable x in expression Q is denoted as

Q(x := E)

to be pronounced as 'Q in which x is replaced by E'. Multiple substitution of x and y by E and F, respectively, is denoted as

Q(x, y := E, F)

Substitution has a higher priority than all other operators, for instance, [P ≡ Q(x := E)] should be read as [P ≡ (Q(x := E))]. Substitution distributes over all other operators.

Examples

[(x² + 2*x)(x := x+1) = (x+1)² + 2*(x+1)]

[(x ≥ y)(x := x+1) ≡ x+1 ≥ y]

[(x + 2*y = z)(x, y := y, x) ≡ y + 2*x = z]

[(x = E)(x := E) ≡ E = E(x := E)]   (Note that x may occur in E)

[(P(x := y))(x := y) ≡ P(x := y)]

[(P(x := y))(y := x) ≡ P(y := x)]

[(P ∧ Q)(x := E) ≡ P(x := E) ∧ Q(x := E)]

We will use existential quantification and universal quantification. Existential quantification is a generalization of the disjunction. Let, for i ≥ 0, P.i be a predicate. For n ≥ 0 the disjunction

P.0 ∨ ... ∨ P.(n−1)

is denoted as

(∃ i : 0 ≤ i < n : P.i)

We have

[(∃ i : 0 ≤ i < 0 : P.i) ≡ false]

[(∃ i : 0 ≤ i < n+1 : P.i) ≡ (∃ i : 0 ≤ i < n : P.i) ∨ P.n]

In derivations this last line is accompanied by the hint 'split off i = n'. Due to the symmetry and associativity of ∨ any term may be split off. In general, existential quantification is of the form

(∃ i : R : P)

where i is a variable (or a list of variables), R is a predicate, called the range of the quantification, and P is called the term. The range need not be finite, for instance, 'x is an even natural number' is expressed by

(∃ i : i ∈ Z ∧ i ≥ 0 : x = 2i)

The term should be defined for all i that satisfy R. In general R and P depend on i. In some formulae we make this dependence more explicit and we write

(∃ i : R.i : P.i)

We have

[(∃ i : false : P) ≡ false]

When the range of a quantification is false we say that the range is empty. Similarly, a non-empty range means that the range is not false.

In (∃ i : R : P) variable i is called a bound variable or a dummy. The expression (∃ i : R : P) does not depend on i. We will always use fresh names for dummies. In particular, program variables will never occur as the name of a bound variable. Dummies may be renamed: for fresh variable j we have

[(∃ i : R : P) ≡ (∃ j : R(i := j) : P(i := j))]

Unless stated otherwise, dummies have type Z and we omit this type indication in the range. For instance, 'x is an even natural number' is denoted as

(∃ i : i ≥ 0 : x = 2i)

We mention some properties of existential quantification.

[(∃ i : false : P) ≡ false]

[(∃ i : i = x : P) ≡ P(i := x)]   (one-point rule)

[(∃ i : R ∧ S : P) ≡ (∃ i : R : S ∧ P)]   (trading)

[Q ∧ (∃ i : R.i : P.i) ≡ (∃ i : R.i : Q ∧ P.i)]

[Q ∨ (∃ i : R.i : P.i) ≡ (∃ i : R.i : Q ∨ P.i)]   for R non-empty

[(∃ i : R : P) ∨ (∃ i : R : Q) ≡ (∃ i : R : P ∨ Q)]

[(∃ i : R : P) ∨ (∃ i : S : P) ≡ (∃ i : R ∨ S : P)]

[(∃ i : R.i : P.i) ∧ (∃ i : S.i : Q.i) ≡ (∃ i, j : R.i ∧ S.j : P.i ∧ Q.j)]

Universal quantification is a generalization of the conjunction. It is denoted as

(∀ i : R : P)

We have similar (dual) rules for universal quantification:

[(∀ i : false : P) ≡ true]

[(∀ i : i = x : P) ≡ P(i := x)]   (one-point rule)

[(∀ i : R ∧ S : P) ≡ (∀ i : R : S ⇒ P)]   (trading)

[Q ∨ (∀ i : R.i : P.i) ≡ (∀ i : R.i : Q ∨ P.i)]

[Q ∧ (∀ i : R.i : P.i) ≡ (∀ i : R.i : Q ∧ P.i)]   for R non-empty

[(∀ i : R : P) ∧ (∀ i : R : Q) ≡ (∀ i : R : P ∧ Q)]

[(∀ i : R : P) ∧ (∀ i : S : P) ≡ (∀ i : R ∨ S : P)]

[(∀ i : R.i : P.i) ∨ (∀ i : S.i : Q.i) ≡ (∀ i, j : R.i ∧ S.j : P.i ∨ Q.j)]

Universal and existential quantification are coupled by De Morgan's Law:

[¬(∃ i : R : P) ≡ (∀ i : R : ¬P)]

Note that [P] is also a form of universal quantification; it may also be written as (∀ x : x ∈ X : P), where X is the state space. For universal quantification over a state space, however, we always use the square brackets.
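Substitution (the examples after 'Q(x, y := E, F)' above) and the quantifier rules just listed can both be made concrete by treating a predicate as a function of a state. The Python below is an added example, not code from the book: subst realises Q(x := E) and simultaneous Q(x, y := E, F) semantically, exists and forall bind a dummy over a bounded stand-in for Z (an assumption of the example, so the equivalences are only checked for states whose witnesses lie inside that interval), and check_rules verifies split-off, the one-point rule, trading, De Morgan and the non-empty-range caveat on a small state space. All helper names and sample predicates are mine.

```python
# Added example (not from the book): predicates as Python functions of a
# state (a dict of integer program variables), textual substitution
# realised semantically, and bounded existential/universal quantification,
# with the rules from the text checked exhaustively on a small state space.
from itertools import product

UNIVERSE = range(-8, 9)   # bounded stand-in for Z over which dummies range (assumption)


def subst(Q, **exprs):
    """Q(x, y := E, F): evaluate Q in the state in which each named variable
    has been replaced by its expression. All expressions are evaluated in
    the OLD state, so a multiple substitution is simultaneous."""
    def substituted(s):
        new = dict(s)
        for var, E in exprs.items():
            new[var] = E(s)
        return Q(new)
    return substituted


def exists(var, R, P):
    """(∃ var : R : P). The dummy is bound in a copy of the state, so the
    result never depends on a program variable of the same name."""
    return lambda s: any(P({**s, var: i}) for i in UNIVERSE if R({**s, var: i}))


def forall(var, R, P):
    """(∀ var : R : P); over an empty range this is true, as the text states."""
    return lambda s: all(P({**s, var: i}) for i in UNIVERSE if R({**s, var: i}))


def everywhere(pred, states):
    """[pred], restricted to the given finite set of states."""
    return all(pred(s) for s in states)


def is_even_natural(x):
    """'x is an even natural number' written as (∃ i : i ≥ 0 : x = 2i)."""
    return exists("i", lambda t: t["i"] >= 0, lambda t: t["x"] == 2 * t["i"])({"x": x})


def check_rules(n_values=range(0, 4)):
    """Return {rule name: holds?} over x, y, z in [-3, 3] and n in n_values."""
    states = [{"x": x, "y": y, "z": z, "n": n}
              for x, y, z, n in product(range(-3, 4), range(-3, 4), range(-3, 4), n_values)]
    ge = lambda t: t["x"] >= t["y"]                  # x ≥ y
    lin = lambda t: t["x"] + 2 * t["y"] == t["z"]    # x + 2y = z
    E = lambda t: t["z"] - t["y"]                    # some expression E (constructed)
    Pi = lambda t: t["x"] == 2 * t["i"]              # P.i : x = 2i
    Pn = lambda t: t["x"] == 2 * t["n"]              # P.n
    S = lambda t: t["i"] % 2 == 0                    # an extra range conjunct
    Q = lambda t: t["y"] > 0                         # a predicate not mentioning i
    rng_n = lambda t: 0 <= t["i"] < t["n"]           # 0 ≤ i < n
    rng_n1 = lambda t: 0 <= t["i"] < t["n"] + 1      # 0 ≤ i < n+1
    rules = {
        "(x ≥ y)(x := x+1) ≡ x+1 ≥ y":
            lambda s: subst(ge, x=lambda t: t["x"] + 1)(s) == (s["x"] + 1 >= s["y"]),
        "(x + 2y = z)(x,y := y,x) ≡ y + 2x = z":
            lambda s: subst(lin, x=lambda t: t["y"], y=lambda t: t["x"])(s)
                      == (s["y"] + 2 * s["x"] == s["z"]),
        "(P ∧ Q)(x := E) ≡ P(x := E) ∧ Q(x := E)":
            lambda s: subst(lambda t: ge(t) and lin(t), x=E)(s)
                      == (subst(ge, x=E)(s) and subst(lin, x=E)(s)),
        "split off i = n":
            lambda s: exists("i", rng_n1, Pi)(s) == (exists("i", rng_n, Pi)(s) or Pn(s)),
        "one-point rule":
            lambda s: exists("i", lambda t: t["i"] == t["x"], Pi)(s)
                      == subst(Pi, i=lambda t: t["x"])(s),
        "trading":
            lambda s: forall("i", lambda t: rng_n(t) and S(t), Pi)(s)
                      == forall("i", rng_n, lambda t: (not S(t)) or Pi(t))(s),
        "De Morgan":
            lambda s: (not exists("i", rng_n, Pi)(s))
                      == forall("i", rng_n, lambda t: not Pi(t))(s),
        # Stated in the text for non-empty R only: with n = 0 the range is
        # empty, the left side reduces to Q, and the right side is false.
        "Q ∨ (∃ i : R.i : P.i) ≡ (∃ i : R.i : Q ∨ P.i)":
            lambda s: (Q(s) or exists("i", rng_n, Pi)(s))
                      == exists("i", rng_n, lambda t: Q(t) or Pi(t))(s),
    }
    return {name: everywhere(rule, states) for name, rule in rules.items()}
```

With n ranging from 0 the last rule fails, as the text warns; restricting n to 1..3 (a non-empty range) makes it hold together with the others.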


Exercises

0. Prove the 'Golden Rule': [P ∧ Q ≡ P ≡ Q ≡ P ∨ Q]

1. Prove
(i) [(P ⇒ Q) ∨ ¬R ≡ P ∧ R ⇒ Q]
(ii) [P ∧ B ⇒ R ≡ P ⇒ (B ⇒ R)]
(iii) [(P ⇒ Q) ⇒ (P ∧ R ⇒ Q ∧ R)]

2. Prove or disprove
(i) [(P ⇒ Q) ∨ (Q ⇒ P)]
(ii) [P ⇒ Q] ∨ [Q ⇒ P]

3. Prove
(i) [P ≡ Q ≡ P ⇒ Q ≡ Q ⇒ P]
(ii) [P ≡ Q ≡ (P ⇒ Q) ∧ (Q ⇒ P)]

4. Prove
(i) [(∀ i : i ≥ 0 : P.i) ⇒ P.0]
(ii) [P.0 ⇒ (∃ i : i ≥ 0 : P.i)]

5. Determine how the following pairs of predicates are related (which of the predicates is the weakest or strongest), if they are related at all:
(i) x ≤ 0 and x ≤ 1
(ii) x ≥ 0 and x² + y² = 9
(iii) x ≥ 1 ⇒ x ≥ 0 and x ≥ 1
(iv) x ≥ 1 and (∃ i : i ≥ 0 : x = i)
(v) (∀ i : P : Q) and (∃ i : P : Q)

6. Determine the strongest and the weakest solutions of the following equations in Y.
(i) Y: [Y ⇒ P ∨ Q]
(ii) Y: [Y ∨ Q ⇒ P ∨ Q]
(iii) Y: [Y ⇒ P ∧ Q]
(iv) Y: [Y ∧ Q ⇒ P ∧ Q]

7. Disprove

8. Perform the following substitutions:
(i) (x² + 2x + 1)(x := x+a)
(ii) (x² ≥ y)(x, y := y+1, x−1)
(iii) x² ≥ y(x, y := y+1, x−1)
(iv) (x ≥ y+1 ∧ y ≥ z)(x, y := x + 3*z, x − y + 1)
(v) (a ≡ b)(a := a ≡ b)

9. Simplify the following expressions
(i) (∃ i : i ≥ 0 : x = 2*i)
(ii) (∀ i : i ≥ 0 : x ≤ i)
(iii) (∃ i : i ≥ 0 : (∃ j : 0 ≤ j < x : x = i*j))

Chapter 2

The Guarded Command Language

2.0 Introduction

A program is specified by its state space, a pre-condition and a post-condition. For example, consider the specification of a program for the computation of the greatest common divisor of two positive natural numbers X and Y:

|[ var x, y : int;
   {X > 0 ∧ Y > 0 ∧ x = X ∧ y = Y}
   S
   {x = X gcd Y}
]|.

The first line defines state space ℤ × ℤ, in which the first coordinate corresponds to x and the second coordinate corresponds to y. In this chapter we restrict ourselves to types int and bool. The latter denotes the set of boolean values, {true, false}. The second line contains the pre-condition of the program. Variables X and Y are called specification variables. They are not program variables and thus may not occur in program statements. They may occur in predicates; specifications are universally quantified over all of the specification variables that occur in them. The third line contains the name of the program specified. Finally, the fourth line states the post-condition.

The operational interpretation of the specification is as follows: program S satisfies the specification if for all integers X and Y, execution of S starting in a state satisfying X > 0 ∧ Y > 0 ∧ x = X ∧ y = Y terminates in a state satisfying x = X gcd Y.

Programs, also called statements, are introduced in the next sections. For each statement S of the guarded command language a proof rule (inference rule) is presented that shows how to prove that S satisfies a given specification. These rules are inspired by the operational interpretation of S and by the operational interpretation of {P} S {Q}, which states:

each execution of S terminates in a state satisfying Q when applied to a state satisfying P

As soon as the rules have been given, we will not rely on this operational interpretation any more. As a preliminary, we discuss some general rules on programs. We shall then define the guarded command language in such a way that the general rules are not violated.

The first relation that we discuss is {P} S {false}, which states that execution of S starting in a state satisfying P terminates in a state satisfying false, i.e. in no state. To exclude miracles, we require that the following rule is valid for all our programs:

{P} S {false} is equivalent to [P ≡ false]

Note that {P} S {true} expresses the fact that execution of S terminates when applied to a state satisfying P.

Another rule is the fact that the pre-condition may be strengthened and the post-condition may be weakened. This is formulated as follows:

{P} S {Q} and [P0 ⇒ P] implies {P0} S {Q}
{P} S {Q} and [Q ⇒ Q0] implies {P} S {Q0}

Suppose that {P} S {Q} and {P} S {R} hold. Then, execution of S starting in a state satisfying P terminates in a state satisfying Q and also in a state satisfying R, hence, in a state satisfying Q ∧ R. This observation leads to the rule of conjunctivity:

{P} S {Q} and {P} S {R} is equivalent to {P} S {Q ∧ R}

The last rule of this kind is

{P} S {Q} and {R} S {Q} is equivalent to {P ∨ R} S {Q}

A more precise way in which constructs may be introduced is as follows. For each construct S one defines a predicate transformer, denoted by wp.S, which is a function from predicates to predicates. For construct S and predicate Q, wp.S.Q is interpreted as the weakest predicate P for which {P} S {Q} holds. It is called the weakest pre-condition of S with respect to Q. The relation between the expressions {P} S {Q} and wp.S.Q is given by

{P} S {Q} is equivalent to [P ⇒ wp.S.Q]

We shall use proof rules in terms of {P} S {Q}. For the interested reader, however, we provide proof rules in terms of weakest pre-conditions as well. The rules of this section follow from the following rules for wp.S:

[wp.S.false ≡ false]
[wp.S.Q ∧ wp.S.R ≡ wp.S.(Q ∧ R)]
[wp.S.Q ∨ wp.S.R ⇒ wp.S.(Q ∨ R)]


We do not have

[wp.S.Q ∨ wp.S.R ≡ wp.S.(Q ∨ R)]

since we allow so-called non-determinism in our programs. We will see examples of non-determinism in Section 2.4.

The examples used in this chapter may seem to be rather contrived. Their purpose is to show how the proof rules should be used and not how programs are derived. The derivation of programs is the subject of subsequent chapters: in this chapter programs are merely presented. Moreover, these programs are not supposed to be 'meaningful', nor is the reader expected to figure out 'what they do'.


Exercises

0. Give an operational description of {true} S {true} and of {false} S {true}.

1. Deduce from the rules of this section that

{P0} S {Q0} and {P1} S {Q1}

implies

{P0 ∧ P1} S {Q0 ∧ Q1} and {P0 ∨ P1} S {Q0 ∨ Q1}

2. Show {false} S {P} for any P and S.


3. As explained in this section, we denote for construct S and predicate Q the weakest predicate X for which {X} S {Q} holds as wp.S.Q. Then {P} S {Q} is equivalent to

[P ⇒ wp.S.Q]

Show that the rules of this section follow from the following rules for wp.S:

[wp.S.false ≡ false]
[wp.S.Q ∧ wp.S.R ≡ wp.S.(Q ∧ R)]
[wp.S.Q ∨ wp.S.R ⇒ wp.S.(Q ∨ R)]

4. Statement abort is specified by

{P} abort {Q} is equivalent to [P ≡ false]

(i) Give an operational interpretation of abort.
(ii) Determine wp.abort.
(iii) Show that abort satisfies the rules of this section.

2.1 Skip

The first statement that we consider is skip. Execution of skip does not have any effect on the current state. As we will see later, it is important to be able to denote such an action by a word like skip. From the operational interpretation of {P} S {Q} we conclude that skip may be characterized by {Q} skip {Q} for all predicates Q. Since the pre-condition may be strengthened, we prefer to characterize it by

{P} skip {Q} is equivalent to [P ⇒ Q]

For example,

|[ var x, y : int; {x ≥ 1} skip {x ≥ 0} ]|

follows from

[x ≥ 1 ⇒ x ≥ 0]

The weakest solution of X : {X} skip {Q} is Q, hence, in terms of weakest pre-conditions skip is defined by

[wp.skip.Q ≡ Q]


Exercises

0. Prove:

(i) |[ var x, y : int; {x > 0 ∧ y > 0} skip {x > 0} ]|.
(ii) |[ var x, y : int; {x > 0 ∧ y > 0} skip {y ≥ 0} ]|.
(iii) |[ var x, y : bool; {x ≡ y} skip {x ⇒ y} ]|.

1. Disprove:

(i) |[ var x, y : int; {x > 0 ∧ y > 0} skip {x = 1} ]|.
(ii) |[ var x, y : int; {x > 0 ∧ y > 0} skip {y ≥ x} ]|.
(iii) |[ var x, y : bool; {x ≡ y} skip {x ∨ y} ]|.

2. Show that the general rules of Section 2.0 hold for skip.

2.2 Assignment

Any change of state that occurs during execution of a program is due to the execution of an assignment statement. The assignment statement is of the form x := E, where x is a program variable and E is an expression of x's type. Its operational interpretation is: execution of x := E replaces the value of x by the value of E. In predicates this replacement corresponds to substitution. For predicate Q, we have that Q holds after execution of x := E if Q(x := E) held before execution. This observation yields the following rule for the assignment statement.

{P} x := E {Q} is equivalent to [P ⇒ Q(x := E)]

For example,

{x ≥ 3} x := x+1 {x ≥ 0}

follows from

  (x ≥ 0)(x := x+1)
≡   { substitution }
  x+1 ≥ 0
≡   { arithmetic }
  x ≥ −1
⇐   { arithmetic }
  x ≥ 3

The weakest solution of X : {X} x := E {Q} is Q(x := E), hence, in terms of weakest pre-conditions the assignment statement is defined by

[wp.(x := E).Q ≡ Q(x := E)]

For instance, the weakest P for which {P} x := x+1 {x ≥ 0} holds is x ≥ −1.

It is not difficult to show that the general rules of Section 2.0 are valid for the assignment. We will also use multiple assignments. For example,

{x = A ∧ y = B} x,y := y,x {x = B ∧ y = A}

follows from

[(x = B ∧ y = A)(x,y := y,x) ≡ x = A ∧ y = B]

Integer expressions consist of integer constants (represented in the usual way), variables of type int, and combinations of these, formed by operators. We will use the unary operator − and the binary operators

+    addition
−    subtraction
*    multiplication
max  maximum
min  minimum
div  quotient of integer division
mod  remainder of integer division

Binary operators + and − have a lower priority than the other operators. Expressions a div b and a mod b are defined for b ≠ 0 by

a div b = q ∧ a mod b = r ≡ a = b*q + r ∧ 0 ≤ r < |b|

Note that equation (q, r) : a = b*q + r ∧ 0 ≤ r < |b| has for b ≠ 0 precisely one solution.

As an example, we show (a + b) mod b = a mod b for b ≠ 0. We derive

  a div b = q ∧ a mod b = r
≡   { definition of div and mod }
  a = b*q + r ∧ 0 ≤ r < |b|
≡   { arithmetic }
  a + b = b*(q+1) + r ∧ 0 ≤ r < |b|
≡   { definition of div and mod }
  (a+b) div b = q+1 ∧ (a+b) mod b = r

Hence, (a+b) div b = a div b + 1 and (a+b) mod b = a mod b.
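As an added example (not from the book), here is the text's definition of div and mod implemented in Python for b ≠ 0, together with a check of the shift property just derived. Python's own % operator takes the sign of the divisor, so it disagrees with this definition for negative b; the comparison function exposes that difference. Function names are my own.

```python
# Added example (not from the book): integer division as the text defines it,
#   a div b = q ∧ a mod b = r  ≡  a = b*q + r ∧ 0 ≤ r < |b|     (b ≠ 0)
# beside Python's built-in divmod, whose remainder takes the sign of b.

def book_divmod(a: int, b: int) -> tuple[int, int]:
    """Return (a div b, a mod b) with 0 <= r < |b|, the unique solution of
    a = b*q + r ∧ 0 ≤ r < |b|.  Undefined for b = 0 (def.(a mod b) ≡ b ≠ 0)."""
    if b == 0:
        raise ZeroDivisionError("a div b and a mod b are undefined for b = 0")
    q, r = divmod(a, abs(b))      # divisor positive, so Python gives 0 <= r < |b|
    if b < 0:
        q = -q                    # a = |b|*q + r = b*(-q) + r
    return q, r

def check_definition(a: int, b: int) -> bool:
    """The defining equation, checked for one pair (a, b)."""
    q, r = book_divmod(a, b)
    return a == b * q + r and 0 <= r < abs(b)

def shift_property(a: int, b: int) -> bool:
    """(a+b) div b = a div b + 1  and  (a+b) mod b = a mod b, as derived above."""
    q, r = book_divmod(a, b)
    q2, r2 = book_divmod(a + b, b)
    return q2 == q + 1 and r2 == r

def differs_from_python(a: int, b: int) -> bool:
    """True when Python's a % b is not the book's a mod b (happens only for b < 0)."""
    return book_divmod(a, b)[1] != a % b
```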

In boolean expressions we use the unary operator ¬ and the binary operators ∧, ∨, ⇒, ⇐, and ≡. Furthermore, one may form boolean expressions by applying the relational operators <, ≤, >, ≥, =, and ≠ to integer expressions. These operators have a higher priority than the boolean operators and a lower priority than the arithmetic operators. Examples of boolean expressions are, for a, b : int, p : bool,

a*b ≥ a ∧ a mod 3 = 0
a ≤ b−1 ∨ p

Expressions such as a div b are not defined for all values of a and b. The predicate that defines for which values of its variables expression E is defined is denoted by def.E. For instance,

[def.(a mod b) ≡ b ≠ 0]
[def.(a + b) ≡ true]
[def.(x div (a − b)) ≡ a ≠ b]
[def.(x div y + y div x) ≡ x ≠ 0 ∧ y ≠ 0]

Since assignment x := E is only defined when def.E holds, we extend the definition of the assignment to

{P} x := E {Q} is equivalent to [P ⇒ def.E ∧ Q(x := E)]

Since for most expressions E [def.E] holds, we usually omit def.E and calculate Q(x := E) only. In terms of weakest pre-conditions we have

[wp.(x := E).Q ≡ def.E ∧ Q(x := E)]

Exercises

0. Determine the weakest predicate P that satisfies

(i) {P} x := x+1 {x > 0}
(ii) {P} x := x*x {x > 0}
(iii) {P} x := x*x*x − 2*x + 4 {x > 0}
(iv) {P} x := x+1 {x³ − 5x² + 2x > 0}
(v) {P} x := x*x*x − 2*x + 4 {x³ − 5x² + 2x > 0}
(vi) {P} x := x+1 {x = x+1}
(vii) {P} x := E {x = E}
(viii) {P} x := x mod 2 {x = x mod 2}
(ix) {P} x,y := x+1, y−1 {x+y > 0}
(x) {P} x,y := y+1, x−1 {x > 0}
(xi) {P} x,y := y*x, x*y {x+y > 0}
(xii) {P} a := a ≡ b {a}
(xiii) {P} a := a ≠ b {a ∨ b}

1. Show that execution of x := x+1 terminates.

2. Prove for b ≠ 0:

(i) (a mod b) mod b = a mod b
(ii) a mod b = a mod (−b)
(iii) (a mod b + c mod b) mod b = (a + c) mod b

2.3 Catenation

Catenation allows us to describe sequences of actions. The catenation of S and T is denoted as S ; T. Its operational interpretation is: first S is executed after which T is executed. To prove {P} S ; T {Q}, we have to invent predicate R such that {P} S {R} and {R} T {Q} hold. Then execution of S starting in a state satisfying P terminates in a state satisfying R, and execution of T starting in that state terminates in a state satisfying Q. This leads to the following rule:

{P} S ; T {Q} is equivalent to
a predicate R exists such that {P} S {R} and {R} T {Q}

Note that the semi-colon is not used as a separator or a terminator: it is the composition operator for combining two statements. The weakest P that satisfies {P} S ; T {Q} is obtained by taking the weakest R in {R} T {Q} and for that weakest R the weakest P for which {P} S {R} holds. In terms of weakest pre-conditions this is captured by the following definition:

[wp.(S ; T).Q ≡ wp.S.(wp.T.Q)]

i.e., the semi-colon corresponds to function composition. In particular, catenation is associative. As an example, we prove

|[ var a, b : bool;
   {(a ≡ A) ∧ (b ≡ B)}
   a := a ≡ b ; b := a ≡ b ; a := a ≡ b
   {(a ≡ B) ∧ (b ≡ A)}
]|.

We calculate the weakest predicates that are allowed as intermediate predicates, proceeding from the bottom to the top, starting with the post-condition:

  ((a ≡ B) ∧ (b ≡ A))(a := a ≡ b)
≡   { substitution }
  (a ≡ b ≡ B) ∧ (b ≡ A)

and

  ((a ≡ b ≡ B) ∧ (b ≡ A))(b := a ≡ b)
≡   { substitution }
  (a ≡ a ≡ b ≡ B) ∧ (a ≡ b ≡ A)
≡   { predicate calculus }
  (b ≡ B) ∧ (a ≡ b ≡ A)

and, finally,

  ((b ≡ B) ∧ (a ≡ b ≡ A))(a := a ≡ b)
≡   { substitution }
  (b ≡ B) ∧ (a ≡ b ≡ b ≡ A)
≡   { predicate calculus }
  (b ≡ B) ∧ (a ≡ A)
≡   { predicate calculus }
  (a ≡ A) ∧ (b ≡ B)

From these results we conclude

{(a ≡ A) ∧ (b ≡ B)} a := a ≡ b {(b ≡ B) ∧ (a ≡ b ≡ A)}
{(b ≡ B) ∧ (a ≡ b ≡ A)} b := a ≡ b {(a ≡ b ≡ B) ∧ (b ≡ A)}
{(a ≡ b ≡ B) ∧ (b ≡ A)} a := a ≡ b {(a ≡ B) ∧ (b ≡ A)}

which had to be proved. To avoid this duplication of predicates, these three arguments may be given in a so-called annotated program:

|[ var a, b : bool;
   {(a ≡ A) ∧ (b ≡ B)}
   a := a ≡ b
   {(b ≡ B) ∧ (a ≡ b ≡ A), Proof 0}
 ; b := a ≡ b
   {(a ≡ b ≡ B) ∧ (b ≡ A), Proof 1}
 ; a := a ≡ b
   {(a ≡ B) ∧ (b ≡ A), Proof 2}
]|,

and Proofs 0, 1, and 2 are the derivations above (in the order 2, 1, and 0).

Exercises

0. Determine the weakest predicate P that satisfies

(i) {P} x := x+1 ; x := x+1 {x > 0}
(ii) {P} x := x*x ; x := x+1 {x > 0}
(iii) {P} x := x+y ; y := x−y ; x := x−y {x = A ∧ y = B}
(iv) {P} x := y ; y := x {x = A ∧ y = B}
(v) {P} x := x+1 ; skip {x³ > 0}
(vi) {P} x := E ; x := E {x = E}

1. Show that skip ; skip is equivalent to skip.

2. Calculate expressions E such that

(i) {A = q*B + r} q := E ; r := r − B {A = q*B + r}
(ii) {true} y := E ; x := x div 2 {2*x = y}
(iii) {x*y + p*q = N} x := x − p ; q := E {x*y + p*q = N}

3. Prove

|[ var x, y : int;
   {x = A ∧ y = B}
   x := x−y ; y := x+y ; x := y−x
   {x = B ∧ y = A}
]|.

2.4 Selection

Selection takes the form

if B.0 → S.0 □ ... □ B.n → S.n fi

in which for 0 ≤ i ≤ n, B.i is a boolean expression (a guard) and S.i is a statement. The construct B.i → S.i is called a guarded command. An operational interpretation of selection is as follows:

Upon execution of a selection all guards are evaluated. If none of the guards evaluates to true then execution of the selection aborts, otherwise one of the guards that has the value true is chosen non-deterministically and the corresponding statement is executed.

Abortion may be interpreted as 'fails to terminate'. A possible implementation of the selection is as follows: the guards are evaluated until one of these evaluates to true, after which the corresponding statement is executed.

As an example we derive a statement S that satisfies

|[ var x, y, z : int; {true} S {z = x max y} ]|


From

z = x max y ≡ (z = x ∨ z = y) ∧ z ≥ x ∧ z ≥ y

we conclude that z := x is a candidate for S. As a pre-condition we then have

  ((z = x ∨ z = y) ∧ z ≥ x ∧ z ≥ y)(z := x)
≡   { substitution }
  (x = x ∨ x = y) ∧ x ≥ x ∧ x ≥ y
≡   { calculus }
  x ≥ y

which leads to the guarded command x ≥ y → z := x. On account of symmetry we also have y ≥ x → z := y. Combining these two leads to S:

if x ≥ y → z := x □ y ≥ x → z := y fi

From [x ≥ y ∨ y ≥ x] we infer that the selection will not abort. Since guards need not exclude each other, we were able to exploit the symmetry of max.

We are now ready to present the definition of selection. It is formulated for a selection statement that has two guarded commands.

{P} if B0 → S0 □ B1 → S1 fi {Q} is equivalent to
(i) [P ⇒ B0 ∨ B1] and
(ii) {P ∧ B0} S0 {Q} and {P ∧ B1} S1 {Q}

In Section 2.2, we added def.E to the definition of x := E. For selection, we have a similar situation: if B0 → S0 □ B1 → S1 fi may only be executed in states where def.B0 ∧ def.B1 holds. Hence, instead of (i) the formal proof obligation is

(i') [P ⇒ def.B0 ∧ def.B1 ∧ (B0 ∨ B1)]

Since for most expressions B [def.B] holds, we usually omit def.B0 ∧ def.B1 and consider B0 ∨ B1 only.

The fact that only one of the guards is chosen is demonstrated in the following example in which both guards are true. Its post-condition, x = 1, may not be replaced by x = 2. We prove


{x = 0} if true → x := x+1 □ true → x := x+1 fi {x = 1}

Proof:

(i)

  true ∨ true
≡   { predicate calculus }
  true
⇐   { predicate calculus }
  x = 0

(ii)

  (x = 1)(x := x+1)
≡   { substitution }
  x+1 = 1
≡   { arithmetic }
  x = 0

Hence, {x = 0 ∧ true} x := x+1 {x = 1}

In programs we will use the following annotation and corresponding proofs for the selection:

{P}
if B0 → {P ∧ B0} S0 {Q, Proof 0}
□ B1 → {P ∧ B1} S1 {Q, Proof 1}
fi
{Q, Proof 2}

with

Proof 0: a proof of {P ∧ B0} S0 {Q};
Proof 1: a proof of {P ∧ B1} S1 {Q};
Proof 2: a proof of [P ⇒ B0 ∨ B1] and, if relevant, a proof of [P ⇒ def.B0 ∧ def.B1].

The next example exhibits the non-determinism of selection. Its post-condition may be replaced neither by x = 1 nor by x = −1. We annotate the following program and we supply a proof for its correctness.

{x = 0} if true → x := 1 □ true → x := −1 fi {x = 1 ∨ x = −1}

The annotated version is


{x = 0}
if true → {x = 0} x := 1 {x = 1 ∨ x = −1, Proof 0}
□ true → {x = 0} x := −1 {x = 1 ∨ x = −1, Proof 1}
fi
{x = 1 ∨ x = −1, Proof 2}

Proof 0:

  (x = 1 ∨ x = −1)(x := 1)
≡   { substitution }
  1 = 1 ∨ 1 = −1
≡   { calculus }
  true
⇐   { predicate calculus }
  x = 0

Proof 1: Similarly.

Proof 2:

  true ∨ true
≡   { predicate calculus }
  true
⇐   { predicate calculus }
  x = 0

Hence, execution of this selection is guaranteed to terminate in a state satisfying x = 1 ∨ x = −1, but neither termination in a state satisfying x = 1 nor termination in a state satisfying x = −1 can be guaranteed.
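The following is an added example, not part of the book: a small Python model of the operational interpretation of selection, in which a statement maps a state to the set of states it may terminate in (or to abort), so that {P} S {Q} can be checked exhaustively over a constructed finite state space. It reproduces the two selection examples of this section (the non-deterministic one above, and z := x max y with overlapping guards); all function names and the state ranges are assumptions of the example.

```python
# Added example (not from the book): selection as a relation from a state to
# the SET of states it may end in.  States are dicts such as {'x': 0}; the
# value ABORT records the outcome "no guard is true".
from itertools import product

ABORT = "abort"

def assign(*names, expr):
    """x,y := E as a statement: exactly one outcome, the substituted state."""
    def run(s):
        vals = expr(s)
        vals = vals if isinstance(vals, tuple) else (vals,)
        return {frozenset({**s, **dict(zip(names, vals))}.items())}
    return run

def select(*guarded):
    """if B0 -> S0 [] B1 -> S1 fi: every enabled branch is a possible outcome,
    and the selection aborts when no guard holds."""
    def run(s):
        outcomes = set()
        for guard, stmt in guarded:
            if guard(s):
                outcomes |= stmt(s)
        return outcomes or {ABORT}
    return run

def holds(P, S, Q, space):
    """{P} S {Q}: from every P-state, every possible outcome terminates in a Q-state."""
    for s in space:
        if not P(s):
            continue
        for out in S(s):
            if out is ABORT or not Q(dict(out)):
                return False
    return True

def states(**ranges):
    """All states over the given (constructed) finite ranges."""
    names = list(ranges)
    return [dict(zip(names, vals)) for vals in product(*ranges.values())]

# if true -> x := 1 [] true -> x := -1 fi, the book's non-deterministic example
S = select((lambda s: True, assign('x', expr=lambda s: 1)),
           (lambda s: True, assign('x', expr=lambda s: -1)))
X = states(x=range(-3, 4))

def nondeterminism_results():
    """(post x=1 ∨ x=-1, post x=1, post x=-1) under pre-condition x = 0."""
    pre = lambda s: s['x'] == 0
    return (holds(pre, S, lambda s: s['x'] == 1 or s['x'] == -1, X),
            holds(pre, S, lambda s: s['x'] == 1, X),
            holds(pre, S, lambda s: s['x'] == -1, X))

# z := x max y with the overlapping guards derived in the text, and a variant
# with strict guards that aborts when x = y
MAX = select((lambda s: s['x'] >= s['y'], assign('z', expr=lambda s: s['x'])),
             (lambda s: s['y'] >= s['x'], assign('z', expr=lambda s: s['y'])))
STRICT = select((lambda s: s['x'] > s['y'], assign('z', expr=lambda s: s['x'])),
                (lambda s: s['y'] > s['x'], assign('z', expr=lambda s: s['y'])))
XYZ = states(x=range(-2, 3), y=range(-2, 3), z=range(-2, 3))

def max_results():
    """(overlapping guards, strict guards) against post-condition z = x max y."""
    post = lambda s: s['z'] == max(s['x'], s['y'])
    return (holds(lambda s: True, MAX, post, XYZ),
            holds(lambda s: True, STRICT, post, XYZ))
```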

In terms of weakest pre-conditions selection is characterized by

[wp.(if B0 → S0 □ B1 → S1 fi).Q
  ≡ def.B0 ∧ def.B1 ∧ (B0 ∨ B1) ∧ (B0 ⇒ wp.S0.Q) ∧ (B1 ⇒ wp.S1.Q)]

Since for most expressions B [def.B] holds, we usually omit def.B0 ∧ def.B1 in calculations with this weakest pre-condition.

Exercises

0. Prove:

(i) {true} if x ≥ 1 → x := x+1 □ x ≤ 1 → x := x−1 fi {x ≠ 1}.
(ii) {true} if x ≥ y → skip □ x ≤ y → x,y := y,x fi {x ≥ y}.
(iii) |[ var x, y : int;
   {true}
   x,y := y*y, x*x
 ; if x ≥ y → x := x−y
   □ y ≥ x → y := y−x
   fi
   {x ≥ 0 ∧ y ≥ 0}
]|.
(iv) |[ var a, b : bool; {true}
   if ¬a ∨ b → a := ¬a
   □ a ∨ ¬b → b := ¬b
   fi
   {a ∨ b}
]|.

1. Prove: {P} if B0 → S0 ; S □ B1 → S1 ; S fi {Q} is equivalent to {P} if B0 → S0 □ B1 → S1 fi ; S {Q}

2. Prove: {P} if B0 → S0 □ B1 → S1 fi {Q} implies {P} if B0 → S0 □ B1 ∧ ¬B0 → S1 fi {Q}

3. Determine the weakest P such that

|[ var x : int;
   {P}
   x := x+1
 ; if x > 0 → x := x−1
   □ x < 0 → x := x+2
   □ x = 1 → skip
   fi
   {x ≥ 1}
]|.


2.5 Repetition

The next construct of the language is repetition. Programs composed from the previous constructs have execution times proportional to their length. It is possible to specify, using repetition, a statement that is to be executed more than once. It has the form

do B.0 → S.0 □ ... □ B.n → S.n od

in which for 0 ≤ i ≤ n, B.i is a boolean expression (a guard) and S.i is a statement. An operational interpretation of repetition is the following.

Upon execution of a repetition all guards are evaluated. If all guards evaluate to false then skip is executed. Otherwise one of the guards that has value true is chosen non-deterministically and the corresponding statement is executed, after which the repetition is executed again.

At the end of this section, we present a (rather complicated) expression for the weakest pre-condition of a repetition. In the design of programs we do not use this weakest pre-condition. Instead, we use a rule known as the Invariance Theorem. In order to explain this rule we consider repetitions with one guarded command, i.e. repetitions of the form do B → S od. From the operational description above we conclude

{P} do B → S od {Q}

is equivalent to

{P} if ¬B → skip □ B → S ; do B → S od fi {Q}

Annotation of the selection yields

{P}
if ¬B → {P ∧ ¬B} skip {Q}
□ B → {P ∧ B} S ; do B → S od {Q}
fi
{Q}

We take P as the intermediate predicate of the catenation S ; do B → S od. Thus, we have

{P}
if ¬B → {P ∧ ¬B} skip {Q}
□ B → {P ∧ B} S {P} ; do B → S od {Q}
fi
{Q}


with proof obligations

(i) [P ∧ ¬B ⇒ Q]
(ii) {P ∧ B} S {P}
(iii) {P} do B → S od {Q}

in which (iii) gives rise to (i), (ii), and (iii) again. If we can ensure that the repetition terminates, (i) and (ii) suffice. This is formulated for a repetition with two guarded commands as follows.

(i) [P ∧ ¬B0 ∧ ¬B1 ⇒ Q] and
(ii) {P ∧ B0} S0 {P} and {P ∧ B1} S1 {P}

implies

{P} do B0 → S0 □ B1 → S1 od {Q}

provided that this repetition terminates.

A predicate P that satisfies (ii), i.e. {P ∧ B0} S0 {P} and {P ∧ B1} S1 {P}, is called an invariant of do B0 → S0 □ B1 → S1 od.

Before discussing termination, we consider Edsger W. Dijkstra's example of the computation of the greatest common divisor of positive integers X and Y. Its specification is

|[ var x, y : int; {x = X ∧ y = Y ∧ x > 0 ∧ y > 0} S {x = X gcd Y} ]|

where X gcd Y denotes the greatest common divisor of X and Y; for x gcd y with x > 0 ∧ y > 0, we have

(0) x gcd x = x
(1) x gcd y = y gcd x
(2) x > y ⇒ x gcd y = (x − y) gcd y  and, applying (1):  y > x ⇒ x gcd y = x gcd (y − x)

A derivation of a program based on these properties is presented in Chapter 4. Here we supply an invariant without further justification and we focus our attention on the proof obligations. Predicate P is defined as

P: x > 0 ∧ y > 0 ∧ x gcd y = X gcd Y

The pre-condition of the specification implies P. Furthermore,


  P ∧ x > y
≡   { definition of P }
  x > 0 ∧ y > 0 ∧ x gcd y = X gcd Y ∧ x > y
⇒   { (2) }
  x > 0 ∧ y > 0 ∧ (x − y) gcd y = X gcd Y ∧ x > y
≡   { arithmetic }
  x − y > 0 ∧ y > 0 ∧ (x − y) gcd y = X gcd Y
≡   { definition of P }
  P(x := x − y)

Hence, {P ∧ x > y} x := x − y {P} and by symmetry {P ∧ y > x} y := y − x {P}. Finally, we derive

  P ∧ ¬(x > y) ∧ ¬(y > x)
≡   { arithmetic }
  P ∧ x = y
⇒   { definition of P }
  x gcd x = X gcd Y
≡   { (0) }
  x = X gcd Y

Application of the rule for repetition yields

{P}
do x > y → x := x − y □ y > x → y := y − x od
{x = X gcd Y}

provided that this repetition terminates.

Since x = X ∧ y = Y ∧ x > 0 ∧ y > 0 is stronger than P, we also have

{x = X ∧ y = Y ∧ x > 0 ∧ y > 0}
do x > y → x := x − y □ y > x → y := y − x od
{x = X gcd Y}

provided that this repetition terminates.

Termination of a repetition is proved by means of an integer function on the state space that is bounded from below and that decreases in each step of the repetition. Such a function is called a bound function. For the repetition above, a suitable bound function is x + y. From invariant P we infer x + y > 0, and both x := x − y and y := y − x decrease x + y, i.e., for any constant C we have

{P ∧ x > y ∧ x + y = C} x := x − y {x + y < C} and
{P ∧ y > x ∧ x + y = C} y := y − x {x + y < C}

Combining the previous rule with the termination requirement, we obtain

(i) [P ∧ ¬B0 ∧ ¬B1 ⇒ Q]
(ii) {P ∧ B0} S0 {P} and {P ∧ B1} S1 {P}
(iii) an integer function t on the state space exists such that [P ∧ (B0 ∨ B1) ⇒ t ≥ 0],
     {P ∧ B0 ∧ t = C} S0 {t < C} and {P ∧ B1 ∧ t = C} S1 {t < C}

implies

{P} do B0 → S0 □ B1 → S1 od {Q}

This rule is known as the Invariance Theorem. Such a repetition is annotated as follows.

{invariant P: ..., bound t: ...}
do B0 → {P ∧ B0} S0 {P, Proof 1}
□ B1 → {P ∧ B1} S1 {P, Proof 2}
od
{Q, Proof 3, termination: Proof 4}

with

Proof 1: proof of {P ∧ B0} S0 {P};
Proof 2: proof of {P ∧ B1} S1 {P};
Proof 3: proof of [P ∧ ¬B0 ∧ ¬B1 ⇒ Q];
Proof 4: proof of (i) [P ∧ (B0 ∨ B1) ⇒ t ≥ 0], (ii) {P ∧ B0 ∧ t = C} S0 {t < C}, and (iii) {P ∧ B1 ∧ t = C} S1 {t < C}.


Often, the invariant is the post-condition of a statement that precedes the repetition. That statement is sometimes called 'the initialisation of P' or 'the statement establishing P'. If S is such a statement and H is its pre-condition, the annotation is

{H}
S
{invariant: P, Proof 0, bound: ...}
; do B0 → {P ∧ B0} S0 {P, Proof 1}
  □ B1 → {P ∧ B1} S1 {P, Proof 2}
  od
{Q, Proof 3, termination: Proof 4}

with Proof 0 containing a proof of {H} S {P}.

As with selection, do B0 → S0 □ B1 → S1 od is only defined when def.B0 ∧ def.B1 holds. Hence, another proof obligation is

[P ⇒ def.B0 ∧ def.B1]

When relevant, a proof thereof is added to Proof 3.

It is clear that repetition is the most complex construct of the guarded command language. Indeed, repetition is the essence of sequential programming. Programming is mainly the use of suitable techniques to derive invariants. These techniques are the subject of subsequent chapters. For instance, it is shown in Chapter 4 how this repetition for the computation of the greatest common divisor can be derived.

The derivation of a program is based on an invariant. However, in this chapter, for educational reasons, we give proofs of programs rather than deriving the program with its proof from scratch. Moreover, the examples and exercises are rather artificial: their only purpose is to show how the rules should be applied. An illustration thereof is given below. We prove

|[ var x, y, N : int; {N ≥ 0}
   x,y := 0,0
 ; do x ≠ 0 → x := x−1
   □ y ≠ N → x,y := x+1, y+1
   od
   {x = 0 ∧ y = N}
]|.


It can be observed that the conjunction of the negations of the guards forms the post-condition. It remains to demonstrate termination. In the first guarded command x decreases and in the second guarded command −y decreases. However, a decrease of −y is accompanied by an increase of x. Weighting the decrease of −y twice as much as the increase of x yields x − 2y as a function that decreases in each step of this repetition. Since this function has −2N as final value, we add 2N to it. This results in the bound function x + 2(N − y). Clearly, the upper bound for y must be N and the lower bound for x must be 0, thus, we propose as invariant

P: 0 ≤ x ∧ y ≤ N

The annotated program is

|[ var x, y, N : int; {N ≥ 0}
   x,y := 0,0
   {invariant P: 0 ≤ x ∧ y ≤ N, Proof 0, bound: x + 2(N − y)}
 ; do x ≠ 0 → {P ∧ x ≠ 0} x := x−1 {P, Proof 1}
   □ y ≠ N → {P ∧ y ≠ N} x,y := x+1, y+1 {P, Proof 2}
   od
   {x = 0 ∧ y = N, Proof 3, termination: Proof 4}
]|,

and the proofs are presented below.

Proof 0:

  P(x,y := 0,0)
≡   { substitution }
  0 ≤ 0 ∧ 0 ≤ N
≡   { calculus }
  0 ≤ N

Proof 1:

  P(x := x−1)
≡   { substitution }
  0 ≤ x−1 ∧ y ≤ N
⇐   { arithmetic }
  0 ≤ x ∧ y ≤ N ∧ x ≠ 0
≡   { definition of P }
  P ∧ x ≠ 0

Proof 2:

  P(x,y := x+1, y+1)
≡   { substitution }
  0 ≤ x+1 ∧ y+1 ≤ N
⇐   { arithmetic }
  0 ≤ x ∧ y ≤ N ∧ y ≠ N
≡   { definition of P }
  P ∧ y ≠ N

Proof 3:

  P ∧ ¬(x ≠ 0) ∧ ¬(y ≠ N)
⇒   { calculus }
  x = 0 ∧ y = N

Proof 4:

(i)
  P ∧ (x ≠ 0 ∨ y ≠ N)
⇒   { definition of P }
  0 ≤ x ∧ y ≤ N
⇒   { arithmetic }
  x + 2(N − y) ≥ 0

(ii)
  (x + 2(N − y))(x := x−1)
=   { substitution }
  x − 1 + 2(N − y)
<   { arithmetic }
  x + 2(N − y)

(iii)
  (x + 2(N − y))(x,y := x+1, y+1)
=   { substitution }
  x + 1 + 2(N − (y+1))
=   { arithmetic }
  x + 2(N − y) − 1
<   { arithmetic }
  x + 2(N − y)
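As an added example (not the book's own material), the proof obligations of the Invariance Theorem are checked by enumeration over a finite sample of states, both for the gcd repetition and for the repetition just proved, using the invariants and bound functions given in the text. A bounded check of this kind can only find counterexamples, it is not a proof; the helper names and the state ranges are constructed for the example, and the wrong bound candidate x − y from the discussion above is included to show what a failed obligation looks like.

```python
# Added example (not from the book): bounded checking of the Invariance
# Theorem's obligations (i), (ii), (iii) over a constructed finite sample.
from itertools import product
from math import gcd

def check_loop(P, guards, Q, t, space, ctx=lambda s: True):
    """guards: list of (B, S) with S a function from a state dict to a new state.
    Returns None when no obligation is violated in `space`, otherwise the pair
    (obligation, state) of the first violation.  ctx restricts the sample to
    states satisfying assertions about constants (which are not part of P)."""
    for s in space:
        if not ctx(s) or not P(s):
            continue
        enabled = [(B, S) for B, S in guards if B(s)]
        if not enabled and not Q(s):
            return ("(i) P ∧ ¬B0 ∧ ¬B1 ⇒ Q", s)
        if enabled and t(s) < 0:
            return ("(iii) P ∧ (B0 ∨ B1) ⇒ t ≥ 0", s)
        for B, S in enabled:
            s2 = S(s)
            if not P(s2):
                return ("(ii) {P ∧ B} S {P}", s)
            if not t(s2) < t(s):
                return ("(iii) {P ∧ B ∧ t = C} S {t < C}", s)
    return None

def states(**ranges):
    """All states over the given (constructed) finite ranges."""
    names = list(ranges)
    return [dict(zip(names, v)) for v in product(*ranges.values())]

# do x > y -> x := x - y [] y > x -> y := y - x od
# invariant P: x > 0 ∧ y > 0 ∧ x gcd y = X gcd Y, bound x + y
def gcd_loop_check():
    return check_loop(
        P=lambda s: s['x'] > 0 and s['y'] > 0
                    and gcd(s['x'], s['y']) == gcd(s['X'], s['Y']),
        guards=[(lambda s: s['x'] > s['y'], lambda s: {**s, 'x': s['x'] - s['y']}),
                (lambda s: s['y'] > s['x'], lambda s: {**s, 'y': s['y'] - s['x']})],
        Q=lambda s: s['x'] == gcd(s['X'], s['Y']),
        t=lambda s: s['x'] + s['y'],
        space=states(x=range(-1, 13), y=range(-1, 13), X=range(1, 7), Y=range(1, 7)))

# do x ≠ 0 -> x := x - 1 [] y ≠ N -> x, y := x + 1, y + 1 od
# invariant P: 0 ≤ x ∧ y ≤ N, bound x + 2(N - y); a different candidate bound
# can be passed in to see which obligation it breaks.
def count_loop_check(bound=lambda s: s['x'] + 2 * (s['N'] - s['y'])):
    return check_loop(
        P=lambda s: 0 <= s['x'] and s['y'] <= s['N'],
        guards=[(lambda s: s['x'] != 0, lambda s: {**s, 'x': s['x'] - 1}),
                (lambda s: s['y'] != s['N'],
                 lambda s: {**s, 'x': s['x'] + 1, 'y': s['y'] + 1})],
        Q=lambda s: s['x'] == 0 and s['y'] == s['N'],
        t=bound,
        space=states(x=range(-2, 8), y=range(-2, 8), N=range(0, 5)),
        ctx=lambda s: s['N'] >= 0)
```

With the candidate x − y, the second guarded command leaves the bound unchanged (x+1 − (y+1) = x − y), which is exactly why the text weights the decrease of −y twice.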


For the interested reader we discuss the weakest pre-condition of do B → S od. As mentioned before, we define do B → S od as being equivalent to

if ¬B → skip □ B → S ; do B → S od fi

We abbreviate do B → S od to DO, and we derive

  wp.DO.Q
≡   { see above }
  wp.(if ¬B → skip □ B → S ; DO fi).Q
≡   { definition of selection }
  (¬B ∨ B) ∧ (¬B ⇒ wp.skip.Q) ∧ (B ⇒ wp.(S ; DO).Q)
≡   { [¬B ∨ B ≡ true], definitions of skip and catenation }
  (¬B ⇒ Q) ∧ (B ⇒ wp.S.(wp.DO.Q))
≡   { predicate calculus }
  (B ∨ Q) ∧ (¬B ∨ wp.S.(wp.DO.Q))

Hence,

[wp.DO.Q ≡ (B ∨ Q) ∧ (¬B ∨ wp.S.(wp.DO.Q))]

i.e., wp.DO.Q is a solution of the following equation in predicate X:

X : [X ≡ (B ∨ Q) ∧ (¬B ∨ wp.S.X)]

This is a so-called recursive equation. We define wp.(do B → S od).Q as the strongest solution of this equation (it can be shown that a strongest solution exists). With this definition the Invariance Theorem can be proved. Such a proof, however, is beyond the scope of this book.

As an example, we compute wp.(do n ≠ 0 → n := n−2 od).(n = 0). For this specific choice the equation is

X : [X ≡ (n ≠ 0 ∨ n = 0) ∧ (n = 0 ∨ wp.(n := n−2).X)]

which may be simplified to

X : [X ≡ n = 0 ∨ X(n := n−2)]

The strongest solution of this equation can be obtained by successive approximation, starting with false (the strongest predicate of all). Define for k ≥ 0 predicate Xk by


[X0 ≡ false]
[Xk+1 ≡ n = 0 ∨ Xk(n := n−2)]

then the strongest solution is (∃k : 0 ≤ k : Xk). Starting with [X0 ≡ false] we have

  X1
≡   { definition of Xk, [X0 ≡ false] }
  n = 0 ∨ false
≡   { predicate calculus }
  n = 0

and

  X2
≡   { definition of Xk, [X1 ≡ n = 0] }
  n = 0 ∨ (n = 0)(n := n−2)
≡   { substitution }
  n = 0 ∨ n = 2

Similarly, we have [X3 ≡ n = 0 ∨ n = 2 ∨ n = 4] and with induction one can prove [Xk ≡ 0 ≤ n < 2k ∧ n mod 2 = 0]. This result yields

  wp.(do n ≠ 0 → n := n−2 od).(n = 0)
≡   { strongest solution of the equation }
  (∃k : 0 ≤ k : Xk)
≡   { substitute Xk }
  (∃k : 0 ≤ k : 0 ≤ n < 2k ∧ n mod 2 = 0)
≡   { calculus }
  0 ≤ n ∧ n mod 2 = 0

Hence, [wp.(do n ≠ 0 → n := n−2 od).(n = 0) ≡ 0 ≤ n ∧ n mod 2 = 0]. It is easy to verify that 0 ≤ n ∧ n mod 2 = 0 is indeed a solution of

X : [X ≡ n = 0 ∨ X(n := n−2)].
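The successive approximation above, carried out by machine as an added example (not from the book): a predicate on n is represented by the set of values in a constructed finite window of the state space on which it holds, and the substitution X(n := n−2) becomes a shift of that set. Function names and the window are assumptions of the example.

```python
# Added example (not from the book): successive approximation of the
# strongest solution of  X : [X ≡ n = 0 ∨ X(n := n-2)]  over a finite window.
DOMAIN = range(-8, 17)            # constructed finite window of the state space

def step(Xk: frozenset) -> frozenset:
    """X(k+1) ≡ n = 0 ∨ Xk(n := n-2): n is in X(k+1) iff n = 0 or n-2 is in Xk."""
    return frozenset(n for n in DOMAIN if n == 0 or (n - 2) in Xk)

def approximations(limit: int) -> list:
    """[X0, X1, ..., X_limit] as sets over DOMAIN, starting from X0 ≡ false."""
    xs = [frozenset()]
    for _ in range(limit):
        xs.append(step(xs[-1]))
    return xs

def strongest_solution() -> frozenset:
    """Iterate step from false until Xk stops changing.  The chain is
    increasing and DOMAIN is finite, so this terminates; the result is the
    strongest solution of the equation restricted to DOMAIN."""
    cur = frozenset()
    while True:
        nxt = step(cur)
        if nxt == cur:
            return cur
        cur = nxt

def closed_form(k: int) -> frozenset:
    """The induction result [Xk ≡ 0 ≤ n < 2k ∧ n mod 2 = 0], as a set."""
    return frozenset(n for n in DOMAIN if 0 <= n < 2 * k and n % 2 == 0)

def is_solution(X: frozenset) -> bool:
    """Does X satisfy X ≡ n = 0 ∨ X(n := n-2) on DOMAIN?"""
    return step(X) == X

# the weakest pre-condition derived in the text: 0 ≤ n ∧ n mod 2 = 0
WP = frozenset(n for n in DOMAIN if 0 <= n and n % 2 == 0)
```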


Exercises

Prove the correctness of the following programs

0. |[ var x, N : int; {N ≥ 0}
   x := 0
 ; do x ≠ N → x := x+1 od
   {x = N}
]|.

1. |[ var x, y, N : int; {N ≥ 0}
   x,y := 0,1
 ; do x ≠ N → x,y := x+1, y+y od
   {y = 2^N}
]|.

2. |[ var y, N : int; {N ≥ 0}
   y := 1
 ; do y < N → y := y+y od
   {y ≥ N ∧ (∃k : k ≥ 0 : y = 2^k)}
]|.

3. |[ var x, y, N : int; {N ≥ 0}
   x,y := 0,0
 ; do x ≠ 0 → x := x−1
   □ y ≠ N → x,y := N, y+1
   od
   {x = 0 ∧ y = N}
]|.

4. |[ var x, y, z : int; {true}
   do x < y → x := x+1
   □ y < z → y := y+1
   □ z < x → z := z+1
   od
   {x = y = z}
]|.


5. The following program may be used to compute (non-deterministically) natural numbers x and y such that x*y = N. Prove:

|[ var p, x, y, N : int; {N ≥ 1}
   p,x,y := N−1, 1, 1
   {N = x*y + p}
 ; do p ≠ 0
   → if p mod x = 0 → y,p := y+1, p−x
     □ p mod y = 0 → x,p := x+1, p−y
     fi
   od
   {x*y = N}
]|.

6. For natural a and b, a gcd b denotes the greatest common divisor of a and b. By definition 0 gcd a = a ∧ a gcd 0 = a. Prove

(i) a gcd b = b gcd (a mod b) for a ≥ b > 0.
(ii) |[ var x, y, A, B : int; {A ≥ B > 0}
   x,y := A,B
 ; do y ≠ 0 → x,y := y, x mod y od
   {x = A gcd B}
]|.

2.6 Constants, Inner Blocks, and Arrays

A possible specification for a program for the computation of the greatest common divisor of two positive integers is:

|[ var A, B, x : int; {A > 0 ∧ B > 0}
   gcd
   {x = A gcd B}
]|.

This specification, however, has A,B,x := 1,1,1 as possible solution. Of course, this solution is not what we have in mind. To exclude such solutions, we might change the specification to

|[ var A, B, x : int;
   {A = A0 ∧ B = B0 ∧ A > 0 ∧ B > 0}
   gcd
   {x = A gcd B ∧ A = A0 ∧ B = B0}
]|,

expressing that the final values of A and B equal their initial values. This specification still allows assignments to A and B. We use in the declaration con instead of var to express the fact that no value should be assigned to the listed names. Hence, a specification that avoids the problems mentioned above is

|[ con A, B : int {A > 0 ∧ B > 0}; var x : int;
   gcd
   {x = A gcd B}
]|.

Variables defined as con may not occur on the left-hand side of an assignment. Assertions about constants, such as A > 0 ∧ B > 0, should not be repeated in annotations and should not be part of an invariant. They are 'universally invariant' since the values of constants do not change. Assertions about constants provide a context of the program and may be used in proofs whenever appropriate. Constants are not part of the state space.

Another addition to the guarded command language are so-called inner blocks. These are used to extend the state space (locally) by means of new variables. An inner block has the form |[ var ... ; S ]|. For variables introduced in an inner block, we use fresh names. As an example, we present a solution to gcd:

|[ con A, B : int; {A > 0 ∧ B > 0}
   var x : int;
   |[ var y : int;
      x,y := A,B
    ; do x > y → x := x−y □ y > x → y := y−x od
      {x = A gcd B ∧ y = A gcd B}
   ]|
   {x = A gcd B}
]|.


In the inner block variable y of type int occurs. Between the inner scope symbols |[ and ]| the state space has two coordinates, x and y. Outside the inner block the state space has one coordinate, x.

We formulate a rule for inner blocks for the case that the state space is extended with (fresh) variable y:

{P} |[ var y : int ; S ]| {Q} is equivalent to {P} S {Q}

for predicates P and Q in which y does not occur.

Note that {P} |[ var y : int ; S ]| {Q} is an assertion involving the states of the original state space, whereas {P} S {Q} is an assertion over the state space extended with y. In terms of weakest pre-conditions, it is defined by

[wp.|[ var y : int ; S ]|.Q ≡ (∀y : y ∈ ℤ : wp.S.Q)]

The universal quantification over y guarantees that (∀y : y ∈ ℤ : wp.S.Q) depends on the variables of the original state space only. It says that, no matter what initial value y has, S should lead to a state satisfying Q.
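The inner-block gcd solution above, as an added example written for this edition (not the book's own code): a Python rendering in which y is local to the function, and the annotation x gcd y = A gcd B together with the bound function x + y is checked at every step of the repetition. math.gcd is used only as the reference for that check; the function name is this example's own.

```python
from math import gcd as reference_gcd   # used only to check the annotation


def gcd_block(A: int, B: int) -> int:
    """The book's gcd solution with the inner block |[ var y ... ]| made explicit.

    A and B play the role of con: they are never assigned.  x is the variable
    of the outer block; y exists only inside this function, mirroring the
    fresh variable of the inner block.
    """
    assert A > 0 and B > 0                  # context: con A, B : int {A > 0 ∧ B > 0}
    x, y = A, B                             # x, y := A, B
    bound = x + y                           # bound function of the repetition
    while x != y:                           # do x > y → ... [] y > x → ... od
        if x > y:
            x = x - y
        else:                               # the other guard, y > x
            y = y - x
        # annotation that justifies the post-condition: x gcd y = A gcd B,
        # together with x > 0 ∧ y > 0 so that the guards stay meaningful
        assert x > 0 and y > 0
        assert reference_gcd(x, y) == reference_gcd(A, B)
        # the repetition terminates because x + y strictly decreases
        assert x + y < bound
        bound = x + y
    # both guards false, so x = y and x = x gcd y = A gcd B:
    # {x = A gcd B ∧ y = A gcd B}; leaving the block drops y from the state space
    assert x == y
    return x                                # {x = A gcd B}
```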

Arrays are the final subject that we discuss in this chapter. Often arrays are considered as an abbreviation for a set of variables. We view arrays as functions on a finite consecutive subset of the integers. Such a subset is also called a segment. For p ≤ q the segment consisting of all i satisfying p ≤ i < q is denoted by [p..q). It has length q − p. The statement

f : array [p..q) of int

defines a program variable f which has as value a function [p..q) → ℤ. For the time being we use arrays defined as con only, and we restrict the operations on arrays to function application. For integer expression E, f.E denotes f applied to E. Of course, f.E is only defined when p ≤ E < q, i.e.,

[def.(f.E) ≡ def.E ∧ p ≤ E < q]

We also use notation such as [p..q], (p..q], and (p..q). The sentence 'integer array f[0..N)' is short for 'f of type array [0..N) of int'. Instead of

f : array [0..N) of array [0..M) of int

we may also write

f : array [0..N) × [0..M) of int.


Exercises

0. Prove

|[ var x, y : int {x = A ∧ y = B};
   |[ var h : int; h := x; x := y; y := h
   ]| {x = B ∧ y = A}
]|.

1. Determine wp.|[ var h : int ; h := x ; x := y ; y := h ]|.(x = B ∧ y = A)

2. Show that for P not depending on y

{P} S {Q}

implies

{P} |[ var y : int ; S ]| {(∃y : y ∈ ℤ : Q)}

3. Prove

(i) |[ con N : int {N ≥ 0}; f : array [0..N) of int; var b : bool;
      |[ var n : int;
         b, n := false, 0
         ; do n ≠ N → b := b ∨ f.n = 0 ; n := n + 1 od
      ]|
      {b ≡ (∃i : 0 ≤ i < N : f.i = 0)}
    ]|.

(ii) |[ con N : int {N ≥ 0}; f : array [0..N) of int; var b : bool;
       |[ var n : int;
          b, n := false, 0
          ; do n ≠ N ∧ ¬b → b := f.n = 0 ; n := n + 1 od
       ]|
       {b ≡ (∃i : 0 ≤ i < N : f.i = 0)}
     ]|.


2.7 Summary

We have the following proof rules for constructs of the guarded command language.

skip:         {P} skip {Q} is equivalent to [P ⇒ Q]

assignment:   {P} x := E {Q} is equivalent to [P ⇒ def.E ∧ Q(x := E)]

catenation:   {P} S ; T {Q} is equivalent to
              a predicate R exists such that {P} S {R} and {R} T {Q}

selection:    {P} if B0 → S0 [] B1 → S1 fi {Q} is equivalent to
              (i)  [P ⇒ B0 ∨ B1] and
              (ii) {P ∧ B0} S0 {Q} and {P ∧ B1} S1 {Q}

repetition:   (i)   [P ∧ ¬B0 ∧ ¬B1 ⇒ Q]
              (ii)  {P ∧ B0} S0 {P} and {P ∧ B1} S1 {P}
              (iii) an integer function t on the state space exists such that
                    [P ∧ (B0 ∨ B1) ⇒ t ≥ 0],
                    {P ∧ B0 ∧ t = C} S0 {t < C}, and {P ∧ B1 ∧ t = C} S1 {t < C}
              implies
              {P} do B0 → S0 [] B1 → S1 od {Q}

inner blocks: For predicates P and Q in which y does not occur
              {P} |[ var y : int ; S ]| {Q} is equivalent to {P} S {Q}

The operational interpretation of {P} S {Q} is

All executions of S starting in a state satisfying P terminate in a state satisfying Q.

Statements of the guarded command language satisfy the following rules:

{P} S {false} is equivalent to [P ≡ false]
{P} S {Q} and [P0 ⇒ P] implies {P0} S {Q}
{P} S {Q} and [Q ⇒ Q0] implies {P} S {Q0}
{P} S {Q} and {P} S {R} is equivalent to {P} S {Q ∧ R}
{P} S {Q} and {R} S {Q} is equivalent to {P ∨ R} S {Q}


Chapter 3

Quantifications


Many practical programming problems involve the computation of a function over a sequence, such as the maximum element of a sequence of integers, the conjunction of a sequence of booleans, the sum of a sequence of integers, etc. In order to specify such computations, we introduce a uniform notation, which is similar to that used for universal and existential quantification.

Let X be a set and let ⊕ be a binary operator on X such that ⊕ is commutative, associative and has e as identity, i.e.,

x ⊕ y = y ⊕ x
x ⊕ (y ⊕ z) = (x ⊕ y) ⊕ z
e ⊕ x = x ⊕ e = x

for all x, y, and z in X. For sequence x.i, 0 ≤ i, and natural number n, we write

x.0 ⊕ ... ⊕ x.(n−1)

as

(⊕ i : 0 ≤ i < n : x.i)

for which we have

(⊕ i : 0 ≤ i < 0 : x.i) = e
(⊕ i : 0 ≤ i < n+1 : x.i) = (⊕ i : 0 ≤ i < n : x.i) ⊕ x.n

This last line may be accompanied by the note 'split off i = n'. Due to the commutativity and associativity of ⊕ any term may be split off. In general such a quantification is of the form


(⊕ x : R : F)

where x is a list of variables, R is a predicate, called the range of the quantification, and F is called the term. The term should be defined for all x that satisfy R. In general R and F depend on x. In some formulas we make this dependence more explicit and we write

(⊕ x : R.x : F.x)

We have

(⊕ x : false : F) = e, the identity of ⊕.

Addition and multiplication are well-known operators on ℤ. For these we have, for instance,

(+ i : 3 ≤ i < 5 : i²) = 3² + 4² = 25
(+ x, y : 0 ≤ x < 3 ∧ 0 ≤ y < 3 : x * y) = 9
(* k : 1 ≤ k < 4 : k) = 1 * 2 * 3 = 6
(+ x : false : F.x) = 0
(* x : false : F.x) = 1

As a more detailed example, we consider the binary operators max and min defined on ℤ by

a max b = c ≡ (a = c ∨ b = c) ∧ a ≤ c ∧ b ≤ c
a min b = c ≡ (a = c ∨ b = c) ∧ a ≥ c ∧ b ≥ c

An identity e for max should satisfy

e max a = a for all a in ℤ, i.e., e ≤ a for all a in ℤ

Since no such integer exists, we extend ℤ with the value −∞ for which, by definition, −∞ ≤ a for all a in ℤ. Similarly, we add ∞ as identity for min. Thus, we have

(max i : false : F.i) = −∞    x max −∞ = x    x min −∞ = −∞
(min i : false : F.i) = ∞     x min ∞ = x     x max ∞ = ∞


Addition and multiplication are not defined for ∞ and −∞, hence, expressions like ∞ + a and 3 * −∞ are not allowed. Operators min and max distribute over each other:

x min (max i : R : F.i) = (max i : R : x min F.i)
x max (min i : R : F.i) = (min i : R : x max F.i)

Furthermore, we have for a non-empty range R

x + (max i : R : F.i) = (max i : R : x + F.i)
x + (min i : R : F.i) = (min i : R : x + F.i)

These rules are phrased as '+ distributes over max and min when the range is non-empty'. The fact that max is idempotent, i.e., a max a = a for all a, may be expressed by

(max i : R ∨ S : F) = (max i : R : F) max (max i : S : F)

A similar equality holds for min.

This concludes our treatment of min and max. Other binary operators with other rules, and other lists of properties could be given. However, instead of doing so, we shall consider the general binary operator ⊕ again, for which we have

(⊕ i : false : F) = e
(⊕ i : i = x : F) = F(i := x)
(⊕ i : R ∨ S : F) ⊕ (⊕ i : R ∧ S : F) = (⊕ i : R : F) ⊕ (⊕ i : S : F)
(⊕ i : R : F ⊕ G) = (⊕ i : R : F) ⊕ (⊕ i : R : G)
(⊕ i : R.i : (⊕ j : S.j : F.i.j)) = (⊕ j : S.j : (⊕ i : R.i : F.i.j))

When ⊕ is idempotent as well, i.e., x ⊕ x = x for all x, then

(⊕ i : R ∨ S : F) = (⊕ i : R : F) ⊕ (⊕ i : S : F)
x ⊕ (⊕ i : R : F) = (⊕ i : R : x ⊕ F) for R non-empty

Let ⊗ be a binary operator on X that distributes over ⊕, and has e as zero, i.e., x ⊗ e = e ⊗ x = e for all x in X. Then

x ⊗ (⊕ i : R : F) = (⊕ i : R : x ⊗ F)
(⊕ i : R.i : F.i) ⊗ (⊕ j : S.j : G.j) = (⊕ i, j : R.i ∧ S.j : F.i ⊗ G.j)

The following associative and commutative operators will be used frequently:

  +     identity 0, distributes over max and min when the range is non-empty;
  *     identity 1, zero 0, distributes over +;
  max   identity −∞, zero ∞, idempotent, distributes over min;
  min   identity ∞, zero −∞, idempotent, distributes over max;
  ∧     identity true, zero false, idempotent, distributes over ∨;
  ∨     identity false, zero true, idempotent, distributes over ∧.

We mention some more rules for max and min. For x ≥ 0 and R non-empty:

x * (max i : R.i : F.i) = (max i : R.i : x * F.i)
x * (min i : R.i : F.i) = (min i : R.i : x * F.i)

and

−(max i : R.i : F.i) = (min i : R.i : −F.i)

Instead of (∧ i : R : F) we write the more common (∀ i : R : F) and instead of (∨ i : R : F) we use (∃ i : R : F).

In derivations of programs, we often use the following relations (R is non-empty):

F.x = (max i : R.i : F.i) ≡ R.x ∧ (∀ i : R.i : F.i ≤ F.x)
F.x = (min i : R.i : F.i) ≡ R.x ∧ (∀ i : R.i : F.i ≥ F.x)



For summation, a common notation is (Σ i : R : F) instead of (+ i : R : F), and for multiplication we use (Π i : R : F) instead of (* i : R : F).

A quite different quantifier is 'the number of'. We introduce it as follows. Function # : {false, true} → {0, 1} is defined by #.false = 0 and #.true = 1. Expression

(# i : R.i : F.i)

is defined as

(Σ i : R.i : #.(F.i))

For this quantifier we have

(# i : false : F.i) = 0

and, for n ≥ 0,

(# i : 0 ≤ i < n+1 : F.i) = (# i : 0 ≤ i < n : F.i) + #.(F.n)
                         = (# i : 0 ≤ i < n : F.i) + 1    if F.n
                         = (# i : 0 ≤ i < n : F.i)        if ¬F.n

Notice that

(∃ i : R : F) ≡ (# i : R : F) ≥ 1
(∀ i : R : F) ≡ (# i : R : F) = (# i : R : true)

We will use the following definitions for increasing, decreasing, ascending, and descending. Let N ≥ 0 and let X[0..N) be an array of integers. Then

X is increasing ≡ (∀ i, j : 0 ≤ i < j < N : X.i < X.j)
X is decreasing ≡ (∀ i, j : 0 ≤ i < j < N : X.i > X.j)
X is ascending  ≡ (∀ i, j : 0 ≤ i < j < N : X.i ≤ X.j)
X is descending ≡ (∀ i, j : 0 ≤ i < j < N : X.i ≥ X.j)

For example, a formal expression for 'r is the length of a longest ascending segment of X' is

r = (max p, q : 0 ≤ p ≤ q ≤ N ∧ (∀ i, j : p ≤ i < j < q : X.i ≤ X.j) : q − p)

Exercises

0. An integer array X[0..N) is given, where N ≥ 1. Express the following sentences in a formal way:

(a) r is the sum of the elements of X.
(b) m is the maximum of the array.
(c) X is increasing.
(d) all values of X are distinct.
(e) all values of X are equal.
(f) if X contains a 1 then X contains a 0 as well.
(g) no two neighbors in X are equal.
(h) the maximum of X occurs only once in X.
(i) r is the length of a longest constant segment of X.
(j) X is a permutation of [0..N).
(k) all elements of X are prime numbers.
(l) the number of odd elements equals the number of even elements.
(m) r is the product of the positive elements of X.
(n) r is the maximum of the sums of the segments of X.
(o) X contains a square.

1. An integer array X[0..N) is given, where N ≥ 1. Express the following expressions in a natural language.

(a) b ≡ (∀ i : 0 ≤ i < N : X.i ≥ 0)
(b) r = (max p, q : 0 ≤ p ≤ q ≤ N ∧ (∀ i : p ≤ i < q : X.i ≥ 0) : q − p)
(c) r = (# k : 0 ≤ k < N : (∀ i : 0 ≤ i < k : X.i < X.k))
(d) b ≡ (∃ i : 0 < i < N : X.(i−1) < X.i)
(e) r = (# p, q : 0 ≤ p < q < N : X.p = 0 ∧ X.q = 1)
(f) s = (max p, q : 0 ≤ p < q < N : X.p + X.q)
(g) b ≡ (∀ p, q : 0 ≤ p ∧ 0 ≤ q ∧ p + q = N−1 : X.p = X.q)
(h) b ≡ (∃ i : 0 ≤ i < N : X.i = 0)

2. Prove a max (b min c) = (a max b) min (a max c).

3. The greatest common divisor of natural numbers x and y is denoted by x gcd y. By definition 0 gcd 0 = 0.

(i) Give a formal definition of gcd.
(ii) Show that gcd is commutative and associative.
(iii) Prove that gcd has an identity.
(iv) Investigate whether * or + distribute over gcd.

4. Prove

|[ con N : int {N ≥ 1}; f : array [0..N) of int; var x : int;
   |[ var y : int; x, y := 0, N−1
      ; do x ≠ y
         → if f.x ≤ f.y → x := x+1 [] f.y ≤ f.x → y := y−1 fi
        od
   ]|
   {f.x = (max i : 0 ≤ i < N : f.i)}
]|.

Chapter 4

General Programming Techniques

4.0 Introduction

The rest of this book is devoted to the derivation of programs. In the chapters that follow we shall discuss domain specific techniques. However, in this chapter some general underlying techniques are presented. The programming problems that we are studying typically have solutions in which repetitions occur. Thus, the design of suitable invariants is crucial in the derivation of solutions to these problems.

As will turn out in the next sections and chapters, there are many ways in which an invariant may be deduced from (the contents of) the pre- and post-condition of a specification. Program derivation is not mechanical: in general it is a challenging activity and it requires creativity. However, many programming problems may, to a large extent, be solved by pure calculation and by carefully applying the techniques discussed in this chapter. Moreover, the derivations show where the creativity comes in.

We do not always present completely annotated programs. Program derivations are carried out in such a way that the result is correct by design and that it is easy to deduce an annotated program with accompanying proofs.

The efficiency of a program is expressed as the upper bound of the number of steps that each repetition can take. This so-called time complexity is a function of (the values of) the constants in the specification. We use the O-notation to express the time complexity. If, for instance, a program has natural N as constant then 'the time complexity is O(f.N)' means that the number of steps is bounded by a constant times f.N. For instance, if the number of steps equals ½N² − 2N + 4 then the time complexity is O(N²).

Efficiency is of vital importance in computing science. Usually, programs are written only once and they are executed many times. To illustrate the role of efficiency, we


consider a program consisting of a repetition of a statement S which requires, in isolation, one second for each execution. The program contains integer N as constant. The execution time of the program is shown below for the cases that the repetition performs ²log N, √N, N, and N² steps.

  number of steps   N = 1000      N = 1000000
  ²log N            10 seconds    20 seconds
  √N                30 seconds    15 minutes
  N                 15 minutes    300 hours
  N²                300 hours     30000 years

If we succeed in speeding up the hardware such that execution of S takes a millisecond, i.e., we improve it by a factor 1000, then we obtain the following figures.

  number of steps   N = 1000       N = 1000000
  ²log N            0.01 seconds   0.02 seconds
  √N                0.03 seconds   1 second
  N                 1 second       15 minutes
  N²                15 minutes     30 years

A significant improvement of a program is not obtained by tricky adaptations that, for instance, save a variable or save an assignment within a repetition. Such changes often destroy the elegance and clarity of the original algorithm. Similarly, case analysis in which 'easy to compute' cases are treated separately does not really help.

A huge improvement is a reduction from, for instance, O(N) to O(log N). Such an improvement is obtained by transforming the program into a more efficient one, or by deriving a completely different program. Examples of this are discussed in Chapter 5.

4.1 Taking conjuncts as invariant

When post-condition R is of the form P ∧ Q, one may try to take one of the conjuncts, say P, as an invariant, and the other one as negation of the guard of a repetition, leading to

{P} do ¬Q → S od {P ∧ Q}

In its simplest form this method yields, taking true as invariant,

{true} do ¬R → S od {R}


For instance, for integer variables x and y, x ≤ y can be established by

do x > y → x, y := y, x od

for which true is an invariant and x − y is a bound function, as the reader may verify. A similar sorting program for four integers a, b, c, and d is obtained by taking true as invariant and the negations of the conjuncts of post-condition

a ≤ b ∧ b ≤ c ∧ c ≤ d

as guards, leading to

{true}
do a > b → a, b := b, a [] b > c → b, c := c, b [] c > d → c, d := d, c od
{a ≤ b ≤ c ≤ d}

(Why does it terminate?)

A somewhat more interesting example is the computation of div and mod when only operators + and − may be used. Its specification reads

|[ con A, B : int {A ≥ 0 ∧ B > 0}; var q, r : int;
   divmod
   {q = A div B ∧ r = A mod B}
]|.

We rewrite post-condition R, using the definitions of div and mod, as

R: A = q * B + r ∧ 0 ≤ r < B

Conjunct 0 ≤ r < B is an abbreviation of 0 ≤ r ∧ r < B; hence, we may write

R: A = q * B + r ∧ 0 ≤ r ∧ r < B

There are three conjuncts and possible solutions may, for instance, contain repetitions of the form


{P : 0 ≤ r ∧ r < B} do A ≠ q * B + r → S od {R},
{P : A = q * B + r ∧ r < B} do 0 > r → S od {R}, or
{P : A = q * B + r ∧ 0 ≤ r} do r ≥ B → S od {R}

We choose as invariant

P: A = q * B + r ∧ 0 ≤ r

and as guard r ≥ B, the negation of r < B, leading to a program of the form

{P} do r ≥ B → S od {R}

Invariant P is established by q, r := 0, A. Since P implies 0 ≤ r, we decide to take r as bound function. Then S has to decrease r. The guard is r ≥ B, and, since B > 0, r := r − B is a candidate for S. We derive

P(r := r − B)
≡ {substitution}
  A = q * B + r − B ∧ 0 ≤ r − B
≡ {calculus}
  A = (q−1) * B + r ∧ r ≥ B

Hence,

P(q, r := q+1, r − B)
≡ {substitution, see above}
  A = q * B + r ∧ r ≥ B
⇐ {definition of P}
  P ∧ r ≥ B

This yields the following solution to divmod:

q, r := 0, A
{invariant P: A = q * B + r ∧ 0 ≤ r, bound: r}
; do r ≥ B → q, r := q+1, r − B od
{R}

The initial value of q is 0, its final value is A div B, and in each step of the repetition q is increased by 1. We conclude that this program has time complexity O(A div B).


In the next chapter we show that, if one allows div 2 and mod 2 as operators as well, a program can be derived that has time complexity O(log(A div B)).

As another example, we derive a program for the computation of the square root, rounded down, of a natural number. It is specified by

|[ con N : int {N ≥ 0}; var x : int;
   square root
   {x² ≤ N ∧ (x+1)² > N}
]|.

We try as invariant P: x² ≤ N, which is established by x := 0. Negation of (x+1)² > N yields (x+1)² ≤ N as guard, leading to

x := 0 {P}
; do (x+1) * (x+1) ≤ N → S od
{x² ≤ N ∧ (x+1)² > N}

Since P implies N − x² ≥ 0, N − x² seems appropriate as bound function. However, N − x² decreases for increasing x if and only if 0 ≤ x, which cannot be inferred from P ∧ B. This problem is solved by specifying a bound for x: strengthen P to

P: 0 ≤ x ∧ x² ≤ N

We investigate an increase of x by 1:

P(x := x+1)
≡ {substitution}
  0 ≤ x+1 ∧ (x+1)² ≤ N
⇐ {calculus}
  0 ≤ x ∧ (x+1)² ≤ N
⇐ {definition of P}
  P ∧ (x+1)² ≤ N

leading to

{N ≥ 0}
x := 0
{invariant P: 0 ≤ x ∧ x² ≤ N, bound: N − x²}
; do (x+1) * (x+1) ≤ N → x := x+1 od
{x² ≤ N ∧ (x+1)² > N}


This program has time complexity O(√N). In Chapter 6 we present a solution for square root that has time complexity O(log N).

Instead of x² ≤ N, we may also take (x+1)² > N as invariant and x * x > N as guard. This choice leads to

{N ≥ 0}
x := N
{invariant P: 0 ≤ x ∧ (x+1)² > N, bound: x}
; do x * x > N → x := x−1 od
{x² ≤ N ∧ (x+1)² > N}

Execution of this program, however, takes about N − √N steps and has, therefore, time complexity O(N), which is worse than O(√N).

As a final remark, we mention that it is quite common that invariants have to be strengthened with bounds for the variables involved. As a matter of fact, it is a good habit to include bounds for the variables right away.
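An added example (not the book's code) covering both the divmod derivation and the two square-root programs of this section: a Python harness that runs a repetition while checking the proof rule for repetition (the invariant is kept, the bound function is non-negative under the guard and strictly decreases) and counts the steps, so that the O(A div B), O(√N) and O(N) behaviours can be compared on concrete inputs. The harness, its dictionary representation of the state, and the function names are this example's own.

```python
from typing import Callable, Dict

State = Dict[str, int]


def checked_loop(state: State, guard: Callable[[State], bool], body: Callable[[State], State],
                 invariant: Callable[[State], bool], bound: Callable[[State], int]) -> State:
    """Execute {P} do B → S od {P ∧ ¬B} while checking the proof obligations:

    (ii)  P is kept by S,
    (iii) P ∧ B ⇒ t ≥ 0 and each execution of S strictly decreases t.
    The number of executions of S is returned in the state under 'steps'.
    """
    assert invariant(state), "P does not hold initially"
    steps = 0
    while guard(state):
        t = bound(state)
        assert t >= 0, "P ∧ B ⇒ t ≥ 0 violated"
        state = body(state)
        steps += 1
        assert invariant(state), "S does not keep P"
        assert bound(state) < t, "S does not decrease t"
    return dict(state, steps=steps)


def divmod_by_subtraction(A: int, B: int):
    """q, r := 0, A ; do r ≥ B → q, r := q+1, r−B od with P: A = q*B + r ∧ 0 ≤ r and t = r."""
    assert A >= 0 and B > 0
    final = checked_loop(
        {"q": 0, "r": A},
        guard=lambda s: s["r"] >= B,
        body=lambda s: {"q": s["q"] + 1, "r": s["r"] - B},
        invariant=lambda s: A == s["q"] * B + s["r"] and 0 <= s["r"],
        bound=lambda s: s["r"])
    # R: A = q*B + r ∧ 0 ≤ r < B, i.e. q = A div B ∧ r = A mod B
    assert final["q"] == A // B and final["r"] == A % B
    return final["q"], final["r"], final["steps"]      # steps = A div B


def sqrt_counting_up(N: int):
    """x := 0 ; do (x+1)*(x+1) ≤ N → x := x+1 od with P: 0 ≤ x ∧ x² ≤ N and t = N − x²."""
    assert N >= 0
    final = checked_loop(
        {"x": 0},
        guard=lambda s: (s["x"] + 1) * (s["x"] + 1) <= N,
        body=lambda s: {"x": s["x"] + 1},
        invariant=lambda s: 0 <= s["x"] and s["x"] * s["x"] <= N,
        bound=lambda s: N - s["x"] * s["x"])
    x = final["x"]
    assert x * x <= N < (x + 1) * (x + 1)
    return x, final["steps"]                           # steps = ⌊√N⌋


def sqrt_counting_down(N: int):
    """x := N ; do x*x > N → x := x−1 od with P: 0 ≤ x ∧ (x+1)² > N and t = x."""
    assert N >= 0
    final = checked_loop(
        {"x": N},
        guard=lambda s: s["x"] * s["x"] > N,
        body=lambda s: {"x": s["x"] - 1},
        invariant=lambda s: 0 <= s["x"] and (s["x"] + 1) * (s["x"] + 1) > N,
        bound=lambda s: s["x"])
    x = final["x"]
    assert x * x <= N < (x + 1) * (x + 1)
    return x, final["steps"]                           # steps = N − ⌊√N⌋
```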

Exercises

For each exercise that is specified in natural language, one has to supply a formal specification first.

0. Derive a program for the computation of ³log N, rounded down, for positive integer N.

1. Derive, for given N, N ≥ 0, a program for the computation of the smallest integer x that satisfies x³ − 6x² + 9x ≥ N.

2. Derive, for given N, N ≥ 0, a program for the computation of the largest integer x that satisfies x³ − 6x² + 9x ≤ N.

3. Solve

|[ con A, B : int {A > 0 ∧ B > 0}; var x : int;
   lcm
   {x = A lcm B}
]|,

where lcm denotes the least common multiple, i.e., for A > 0 ∧ B > 0:

A lcm B = (min i : 1 ≤ i ∧ i mod A = 0 ∧ i mod B = 0 : i)


4.2 Replacing constants by variables

We consider the computation of A to the power B for given naturals A and B. This problem is formally specified as

|[ con A, B : int {A ≥ 0 ∧ B ≥ 0}; var r : int;
   exponentiation
   {r = A^B}
]|,

where, by definition, 0^0 = 1. There is no obvious way in which the post-condition can be weakened to a suitable invariant. In the state space defined by r predicate r = A^B corresponds to a single point. When we extend the state space by introducing a fresh variable x, say, the state space defined by r and x contains the entire line satisfying r = A^B and in this space this relation may be more easily established. A way in which fresh variables can be introduced is by replacing constants by variables. Such a replacement yields a possible invariant. For this specification possible choices are

r = x^B, r = A^x, and r = x^y

We use the invariant

P0: r = A^x

Then P0 ∧ x = B implies the post-condition, and P0 is established by r, x := 1, 0. Furthermore, we specify an upper bound for x and add to the invariant

P1: 0 ≤ x ≤ B

This yields the program scheme

r, x := 1, 0
{invariant: P0 ∧ P1, bound: B − x}
; do x ≠ B → S od
{r = A^B}

We investigate the effect of increasing x by 1 in S:

P0(x := x+1)
≡ {substitution}
  r = A^(x+1)

Hence, {r = A^(x+1)} x := x+1 {P0}. Assuming P0 ∧ P1 ∧ x ≠ B, we have


A^(x+1)
= {calculus}
  A * A^x
= {P0}
  A * r

from which we conclude

{P0 ∧ P1 ∧ x ≠ B} r := r * A {r = A^(x+1)}

The invariance of P1, i.e.,

{P0 ∧ P1 ∧ x ≠ B} r := r * A ; x := x+1 {P1}

is easily proved and we obtain the following solution for exponentiation

|[ var x : int; r, x := 1, 0
   {invariant: P0 ∧ P1, bound: B − x}
   ; do x ≠ B
      → {P0 ∧ P1 ∧ x ≠ B} r := r * A ; x := x+1
        {P0 ∧ P1}
     od
   {P0 ∧ P1 ∧ x = B, hence, r = A^B}
]|

This program has time complexity O(B). In Section 4.4 we derive a solution that has time complexity O(log B).

Constants are usually denoted by capital letters, and we often use the same letter in lower-case for a variable that replaces a constant.

As a final example, we derive a solution to summation, which is specified below. To show how exercises should be worked out, we present a 'model solution' to the problem. Here is the specification:

|[ con N : int {N ≥ 0}; f : array [0..N) of int; var x : int;
   summation
   {x = (Σ i : 0 ≤ i < N : f.i)}
]|.


The quantification that appears in the post-condition has two constants: 0 and N. Let us replace N by variable n and propose invariant

P0: x = (Σ i :  0 ≤ i < n : f.i)

Then, by construction, P0 ∧ n = N implies the post-condition. Summation over an empty range equals 0, hence, P0 is established by n, x := 0, 0. We investigate an increase of n by 1 and we derive, assuming P0 ∧ n ≠ N:

(Σ i : 0 ≤ i < n+1 : f.i)
= {split off i = n, 0 ≤ n < n+1 : see below}
  (Σ i : 0 ≤ i < n : f.i) + f.n
= {P0}
  x + f.n

Evidently, 0 ≤ n is needed in the derivation above, which must be added to P0. From this derivation we conclude

{P0 ∧ 0 ≤ n} x := x + f.n {P0(n := n+1)}

As a bound function N − n seems appropriate; for the proof of termination we strengthen P0 with n ≤ N as well. We now show how the solution is presented.

Solution:

Replacing constant N by variable n gives rise to the following invariants.

P0: x = (Σ i : 0 ≤ i < n : f.i)
P1: 0 ≤ n ≤ N

Proof 0:

(P0 ∧ P1)(n, x := 0, 0)
≡ {substitution}
  0 = (Σ i : 0 ≤ i < 0 : f.i) ∧ 0 ≤ 0 ≤ N
≡ {0 is identity of +}
  0 = 0 ∧ 0 ≤ 0 ≤ N
≡ {predicate calculus}
  0 ≤ N


Proof 1: Assuming P0 ∧ P1 ∧ n ≠ N,

(Σ i : 0 ≤ i < n+1 : f.i)
= {split off i = n, 0 ≤ n < n+1}
  (Σ i : 0 ≤ i < n : f.i) + f.n
= {P0}
  x + f.n

and

0 ≤ n+1 ≤ N
⇐ {P1}
  n ≠ N

Proof 2:

P0 ∧ P1 ∧ n = N
⇒ {definition of P0}
  x = (Σ i : 0 ≤ i < N : f.i)

Proof 3:

P1
⇒ {definition of P1}
  N − n ≥ 0

and

N − (n+1) < C
⇐ {calculus}
  N − n = C


Together with these proofs, the following annotated program solves summation.

|[ var n : int; {N ≥ 0}
   n, x := 0, 0
   {invariant: P0 ∧ P1, Proof 0; bound: N − n}
   ; do n ≠ N
      → {P0 ∧ P1 ∧ n ≠ N} x := x + f.n ; n := n+1
        {P0 ∧ P1, Proof 1}
     od
   {x = (Σ i : 0 ≤ i < N : f.i), Proof 2, termination: Proof 3}
]|
{x = (Σ i : 0 ≤ i < N : f.i)}.

Some of the proofs presented above are really trivial (cf. Proof 2 and Proof 3) and they are omitted in other examples.

Verify that replacing constant 0 by variable n leads to invariants

x = (Σ i : n ≤ i < N : f.i)
0 ≤ n ≤ N

to which the following program corresponds:

|[ var n : int; n, x := N, 0
   ; do n ≠ 0
      → x := x + f.(n−1) ; n := n−1
     od
]|.
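The technique of this section as an added Python example (not the book's own code): exponentiation with P0 ∧ P1 asserted on every iteration, summation with N replaced by n and with 0 replaced by n, and, going one step beyond the text, the same 'replace N by n' scheme written once for an arbitrary associative and commutative ⊕ with identity e, which then solves Exercises 2, 3 and 4 below by supplying ⊕, e and the term. The function names are this example's own.

```python
from typing import Any, Callable, Sequence


def exponentiation(A: int, B: int) -> int:
    """r = A^B by the program of the text; P0: r = A^x, P1: 0 ≤ x ≤ B, bound B − x."""
    assert A >= 0 and B >= 0
    r, x = 1, 0                                  # establishes P0 ∧ P1 (0^0 = 1)
    while x != B:
        assert r == A ** x and 0 <= x <= B       # P0 ∧ P1 ∧ x ≠ B
        r = r * A                                # {r = A^(x+1)}
        x = x + 1                                # {P0}; P1 holds since x < B before the step
    assert r == A ** B                           # P0 ∧ P1 ∧ x = B, hence r = A^B
    return r


def summation_replace_N(f: Sequence[int]) -> int:
    """x = (Σ i : 0 ≤ i < N : f.i) with P0: x = (Σ i : 0 ≤ i < n : f.i), P1: 0 ≤ n ≤ N."""
    N = len(f)
    n, x = 0, 0
    while n != N:
        assert x == sum(f[:n]) and 0 <= n <= N   # P0 ∧ P1 ∧ n ≠ N, the assumption of Proof 1
        x = x + f[n]                             # split off i = n
        n = n + 1
    return x                                     # P0 ∧ n = N gives the post-condition


def summation_replace_0(f: Sequence[int]) -> int:
    """The variant at the end of the section: x = (Σ i : n ≤ i < N : f.i), 0 ≤ n ≤ N."""
    N = len(f)
    n, x = N, 0
    while n != 0:
        assert x == sum(f[n:]) and 0 <= n <= N
        x = x + f[n - 1]                         # split off i = n−1
        n = n - 1
    return x


def replace_N_by_n(op: Callable[[Any, Any], Any], e: Any, f: Sequence[Any],
                   term: Callable[[int, Any], Any] = lambda i, v: v) -> Any:
    """General scheme with invariant r = (⊕ i : 0 ≤ i < n : term.i.(f.i)) ∧ 0 ≤ n ≤ N.

    Valid for every associative and commutative ⊕ with identity e, because
    (⊕ i : 0 ≤ i < n+1 : F.i) = (⊕ i : 0 ≤ i < n : F.i) ⊕ F.n and the
    quantification over the empty range equals e.
    """
    N = len(f)
    n, r = 0, e                                  # r = e = (⊕ i : 0 ≤ i < 0 : ...)
    while n != N:
        assert 0 <= n <= N
        r = op(r, term(n, f[n]))                 # split off i = n
        n = n + 1
    return r


def exercises_of_this_section(f: Sequence[int], X: int):
    """Exercises 2, 3 and 4 of this section solved by the general scheme."""
    maximum = replace_N_by_n(max, float("-inf"), f)                                # (max i : 0 ≤ i < N : f.i)
    evens = replace_N_by_n(lambda a, b: a + b, 0, f, lambda i, v: int(v % 2 == 0))  # (# i : ... : f.i mod 2 = 0)
    poly = replace_N_by_n(lambda a, b: a + b, 0, f, lambda i, v: v * X ** i)       # (Σ i : ... : f.i * X^i)
    return maximum, evens, poly
```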


Exercises

Derive solutions for the following programming problems.

0. |[ con N : int {N ≥ 0}; f : array [0..N) of bool; var r : bool;
      S
      {r ≡ (∃ i : 0 ≤ i < N : f.i)}
   ]|.

1. |[ con N : int {N ≥ 0}; f : array [0..N) of int; var r : bool;
      S
      {r ≡ (∀ i : 0 ≤ i < N : f.i ≥ 0)}
   ]|.

2. |[ con N : int {N ≥ 0}; f : array [0..N) of int; var r : int;
      S
      {r = (max i : 0 ≤ i < N : f.i)}
   ]|.

3. |[ con N : int {N ≥ 0}; f : array [0..N) of int; var r : int;
      S
      {r = (# i : 0 ≤ i < N : f.i mod 2 = 0)}
   ]|.

4. |[ con N, X : int {N ≥ 0}; f : array [0..N) of int; var r : int;
      S
      {r = (Σ i : 0 ≤ i < N : f.i * X^i)}
   ]|.

5. |[ con N : int {N ≥ 1}; f : array [0..N) of int; var r : int;
      S
      {r = (max i : 0 ≤ i ∧ i² < N : f.(i²))}
   ]|.


4.3 Strengthening invariants

When an invariant for a repetition has been chosen, the termination requirement guides the construction of the statement of the repetition. For such a candidate one applies the proof rules. This may lead to an expression E which cannot easily be expressed in terms of the program variables. A way to deal with this situation is to introduce a fresh program variable and an accompanying invariant stating that the variable equals E. Of course, the fact that this new invariant has to be established and kept invariant may pose other problems. We illustrate this point with some examples.

As a first example, we consider the Fibonacci function fib, defined by

fib.0 = 0, fib.1 = 1, and
fib.(n+2) = fib.n + fib.(n+1) for n ≥ 0

We are asked to derive a program for the computation of fib.N, i.e., we have to solve

|[ con N : int {N ≥ 0}; var x : int;
   Fibonacci
   {x = fib.N}
]|,

and we propose as invariant P0 ∧ P1, where

P0: x = fib.n
P1: 0 ≤ n ≤ N

which is established by n, x := 0, 0.

An increase of n by 1 leads to expression fib.(n+1) which cannot be easily expressed in terms of x and n. Therefore, we introduce variable y of type int and invariant Q defined by

Q: y = fib.(n+1)

The strengthened invariant P0 ∧ P1 ∧ Q is established by n, x, y := 0, 0, 1.

The invariance of P0 is now easily realized: from Q we infer that x := y establishes P0(n := n+1).

For Q(n := n+1) we derive, assuming P0 ∧ P1 ∧ Q:


fib.(n+2)
= {definition of fib, n ≥ 0}
  fib.n + fib.(n+1)
= {P0 and Q}
  x + y

This leads to the following solution:

|[ var n, y : int; {N ≥ 0} n, x, y := 0, 0, 1
   {invariants: P0 ∧ P1 ∧ Q, bound: N − n}
   ; do n ≠ N
      → x, y := y, x+y ; n := n+1
     od
   {x = fib.N ∧ y = fib.(N+1)}
]|
{x = fib.N},

a program that has time complexity O(N). In Chapter 5 we derive a program for Fibonacci that has time complexity O(log N).

As a second example, we derive, given array f[0..N), a program for the computation of the number of pairs (i, j) for which 0 ≤ i < j < N ∧ f.i ≤ 0 ∧ f.j ≥ 0. A formal specification is

|[ con N : int {N ≥ 0}; f : array [0..N) of int; var r : int;
   S
   {r = (# i, j : 0 ≤ i < j < N : f.i ≤ 0 ∧ f.j ≥ 0)}
]|.

Replacing constant N by variable n gives rise to invariants

P0: r = (# i, j : 0 ≤ i < j < n : f.i ≤ 0 ∧ f.j ≥ 0)
P1: 0 ≤ n ≤ N


which are initialized by n, r := 0, 0, since number-of quantification over an empty range is 0. Assuming P0 ∧ P1 ∧ n ≠ N, we have

(# i, j : 0 ≤ i < j < n+1 : f.i ≤ 0 ∧ f.j ≥ 0)
= {split off j = n}
  (# i, j : 0 ≤ i < j < n : f.i ≤ 0 ∧ f.j ≥ 0) + (# i : 0 ≤ i < n : f.i ≤ 0 ∧ f.n ≥ 0)
= {P0}
  r + (# i : 0 ≤ i < n : f.i ≤ 0 ∧ f.n ≥ 0)
= {case analysis}
  r                                   if f.n < 0
  r + (# i : 0 ≤ i < n : f.i ≤ 0)     if f.n ≥ 0
= {introduction of s with invariant Q, see below}
  r         if f.n < 0
  r + s     if f.n ≥ 0

where s satisfies

Q: s = (# i : 0 ≤ i < n : f.i ≤ 0)

Substitution of n = 0 yields that Q is established by n, s := 0, 0. For the invariance of Q, we derive, assuming P1 ∧ Q ∧ n ≠ N,

(# i : 0 ≤ i < n+1 : f.i ≤ 0)
= {split off i = n, 0 ≤ n < n+1 ≤ N}
  (# i : 0 ≤ i < n : f.i ≤ 0) + #.(f.n ≤ 0)
= {Q}
  s + #.(f.n ≤ 0)
= {definition of #}
  s         if f.n > 0
  s + 1     if f.n ≤ 0

These derivations yield a program that solves the problem:


|[ var n, s : int; {N ≥ 0}
   n, r, s := 0, 0, 0
   {invariant: P0 ∧ P1 ∧ Q, bound: N − n}
   ; do n ≠ N
      → {P0 ∧ P1 ∧ Q ∧ n ≠ N}
        if f.n < 0 → skip
        [] f.n ≥ 0 → r := r + s
        fi
        {P0(n := n+1) ∧ P1 ∧ Q ∧ n ≠ N}
        ; if f.n > 0 → skip
          [] f.n ≤ 0 → s := s + 1
          fi
        {(P0 ∧ P1 ∧ Q)(n := n+1)}
        ; n := n+1
     od
]|
{r = (# i, j : 0 ≤ i < j < N : f.i ≤ 0 ∧ f.j ≥ 0)}.

The reader may verify that the two selections

if f.n < 0 → skip
[] f.n ≥ 0 → r := r + s
fi
; if f.n > 0 → skip
  [] f.n ≤ 0 → s := s + 1
  fi

can be replaced by

if f.n < 0 → s := s + 1
[] f.n = 0 → r, s := r + s, s + 1
[] f.n > 0 → r := r + s
fi

due to the fact that P0 ∧ P1 ∧ Q ∧ n ≠ N can be used as assumption for all the derivations.

In the calculations we derived that the value of (# i : 0 ≤ i < n : f.i ≤ 0) is needed for the invariance of P0. We could have decided to introduce another repetition in which this value is computed, i.e., a repetition that establishes s = (# i : 0 ≤ i < n : f.i ≤ 0). This naive approach leads to an O(N²) algorithm instead of the O(N) algorithm presented above.

Finally, we mention that the introduction of variables is always based upon some reasoning or derivation. They are not introduced by magic.
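As an added example (not code from the book), the O(N) program above in Python with the invariants P0, P1 and Q checked on every iteration, next to the O(N²) brute-force count that the naive approach amounts to; the sample array is constructed.

```python
# Added example (not from the book): the O(N) pair-counting program above,
# with the invariants P0, P1 and Q asserted on every iteration, next to the
# O(N^2) brute-force count that the naive "second repetition" approach gives.

def count_pairs_naive(f):
    """Brute force: (# i,j : 0 <= i < j < N : f.i <= 0 and f.j >= 0)."""
    n = len(f)
    return sum(1 for i in range(n) for j in range(i + 1, n)
               if f[i] <= 0 and f[j] >= 0)

def count_pairs(f, check_invariants=False):
    """Linear-time program derived in the text.

    P0: r = (# i,j : 0 <= i < j < n : f.i <= 0 and f.j >= 0)
    Q:  s = (# i : 0 <= i < n : f.i <= 0)
    """
    N = len(f)
    n, r, s = 0, 0, 0
    while n != N:
        if check_invariants:
            assert 0 <= n <= N                                    # P1
            assert r == count_pairs_naive(f[:n])                  # P0
            assert s == sum(1 for i in range(n) if f[i] <= 0)     # Q
        # The three-branch selection the text gives as an equivalent
        # replacement for the two consecutive selections.
        if f[n] < 0:
            s += 1
        elif f[n] == 0:
            r, s = r + s, s + 1
        else:                       # f[n] > 0
            r += s
        n += 1
    return r

if __name__ == "__main__":
    sample = [3, -1, 0, 4, -2, 5]   # constructed input
    print(count_pairs(sample, check_invariants=True))   # 6
```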

In the following example we consider the problem of the maximal sum of the elements of segments A[p..q) of a given integer array A. A formal specification for this problem is

|[ con N : int {N ≥ 0}; A : array [0..N) of int; var r : int;
   maxsegsum
   {r = (max p,q : 0 ≤ p ≤ q ≤ N : (Σ i : p ≤ i < q : A.i))}
]|.

To make the expression in the post-condition more manageable, we define, for 0 ≤ p ≤ q ≤ N:

S.p.q = (Σ i : p ≤ i < q : A.i)

Post-condition R becomes

R: r = (max p,q : 0 ≤ p ≤ q ≤ N : S.p.q)

Replacing constant N by variable n yields invariants P0 and P1:

P0: r = (max p,q : 0 ≤ p ≤ q ≤ n : S.p.q)
P1: 0 ≤ n ≤ N

which are initialized by n, r := 0, 0, since S.0.0 = 0. Assuming P0 ∧ P1 ∧ n ≠ N, we derive

   (max p,q : 0 ≤ p ≤ q ≤ n+1 : S.p.q)
=  { split off q = n+1 }
   (max p,q : 0 ≤ p ≤ q ≤ n : S.p.q) max (max p : 0 ≤ p ≤ n+1 : S.p.(n+1))
=  { P0 }
   r max (max p : 0 ≤ p ≤ n+1 : S.p.(n+1))

At this point it seems appropriate to introduce the variable s and accompanying invariant

s = (max p : 0 ≤ p ≤ n+1 : S.p.(n+1))

However, for n = N (which is not excluded by P1) this predicate is not defined. Replacing all occurrences of n by n-1 yields an expression that is defined for all n, 0 ≤ n ≤ N. Thus, if we define additional invariant Q by

Q: s = (max p : 0 ≤ p ≤ n : S.p.n)

then Q(n := n+1) equals the relation that is needed, i.e.,

   (max p,q : 0 ≤ p ≤ q ≤ n+1 : S.p.q)
=  { see previous derivation }
   r max (max p : 0 ≤ p ≤ n+1 : S.p.(n+1))
=  { assume Q(n := n+1) }
   r max s

This leads to a solution of the following form

|[ var n, s : int;
   'establish P0 ∧ P1 ∧ Q'
   ; do n ≠ N
     → 'establish Q(n := n+1)'
     ; r := r max s
     ; n := n + 1
   od
]|.

where 'establish Q(n := n+1)' is formally specified as

|[ con N, n, r : int; A : array [0..N) of int; {P0 ∧ P1 ∧ n ≠ N}
   var s : int;
   {Q}
   S
   {Q(n := n+1)}
]|.

For Q(n := n+1), we derive, assuming P0 ∧ P1 ∧ Q ∧ n ≠ N:

   (max p : 0 ≤ p ≤ n+1 : S.p.(n+1))
=  { split off p = n+1, 0 ≤ n+1 ≤ N }
   (max p : 0 ≤ p ≤ n : S.p.(n+1)) max S.(n+1).(n+1)
=  { definition of S, summation over an empty range is 0 }
   (max p : 0 ≤ p ≤ n : S.p.(n+1)) max 0
=  { definition of S }
   (max p : 0 ≤ p ≤ n : S.p.n + A.n) max 0
=  { + distributes over max when the range is non-empty, 0 ≤ n }
   ((max p : 0 ≤ p ≤ n : S.p.n) + A.n) max 0
=  { Q }
   (s + A.n) max 0

From this derivation it follows that Q(n := n+1) is established by s := (s + A.n) max 0. Thus, we arrive at the following non-annotated solution to maxsegsum:

|[ var n, s : int;
   n, r, s := 0, 0, 0
   ; do n ≠ N
     → s := (s + A.n) max 0
     ; r := r max s
     ; n := n + 1
   od
]|.

A nice solution to a not so simple problem. In order to get used to the calculations that are performed in such derivations, the reader should thoroughly analyse the derivation of this program. In these derivations we used the following properties of S:

S.n.n = 0                 for 0 ≤ n ≤ N
S.p.(n+1) = S.p.n + A.n   for 0 ≤ p ≤ n < N
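As an added example (not code from the book), the maxsegsum program above in Python, with S.p.q written out, a brute-force reference taken straight from the specification, and the invariants P0 and Q asserted on every iteration; the sample arrays are constructed.

```python
# Added example (not from the book): maxsegsum as derived above, with a
# brute-force reference built directly from S.p.q, and invariant checks.

def S(A, p, q):
    """S.p.q = (sum i : p <= i < q : A.i), for 0 <= p <= q <= len(A)."""
    return sum(A[p:q])

def maxsegsum_naive(A):
    """r = (max p,q : 0 <= p <= q <= N : S.p.q), straight from the spec (O(N^3))."""
    N = len(A)
    return max(S(A, p, q) for p in range(N + 1) for q in range(p, N + 1))

def maxsegsum(A, check_invariants=False):
    """The O(N) program; s is the maximal sum of a segment ending at n."""
    N = len(A)
    n, r, s = 0, 0, 0
    while n != N:
        if check_invariants:
            # Q: s = (max p : 0 <= p <= n : S.p.n)
            assert s == max(S(A, p, n) for p in range(n + 1))
            # P0: r = (max p,q : 0 <= p <= q <= n : S.p.q)
            assert r == maxsegsum_naive(A[:n])
        s = max(s + A[n], 0)    # establishes Q(n := n+1)
        r = max(r, s)           # establishes P0(n := n+1)
        n += 1
    return r

if __name__ == "__main__":
    sample = [2, -5, 3, 4, -1, 2, -6, 1]    # constructed input
    print(maxsegsum(sample, check_invariants=True))   # 8
```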

We summarize these examples by showing the general pattern of the derivations carried out. Post-condition R is of the form

R: r = F.N

for some natural number N and function F defined on [0..N]. The choice of invariants

P0: r = F.n
P1: 0 ≤ n ≤ N

leads to a program of the form

|[ var n : int;
   n, r := 0, F.0
   ; do n ≠ N
     → 'establish r = F.(n+1)'
     ; n := n + 1
   od
]|,

and a calculation of the form

   F.(n+1)
=  { calculus }
   F.n ⊕ G.n
=  { P0 }
   r ⊕ G.n
=  { introduction of variable s and invariant Q }
   r ⊕ s

where s satisfies

Q: s = G.n

Then r := r ⊕ s establishes P0(n := n+1). Computation of G.(n+1) may similarly lead to a relation of the form G.(n+1) = G.n ⊗ H.n in which case another invariant is introduced. This process continues until (we hope) an expression comes up that is easily computed.

Sometimes, as in the derivation of maxsegsum, we obtain a relation of the form

F.(n+1) = F.n ⊕ G.(n+1)

in which case

Q: s = G.n

is introduced and the statement establishing Q(n := n+1) precedes the statement establishing P0(n := n+1).

Exercises

Derive solutions for the following programming problems.

0. |[ con N : int {N ≥ 1}; A : array [0..N) of int; var r : int;
      S
      {r = (max p,q : 0 ≤ p < q < N : A.p - A.q)}
   ]|.

1. |[ con N : int {N ≥ 1}; A : array [0..N) of int; var r : int;
      S
      {r = (# p,q : 0 ≤ p < q < N : A.p * A.q ≥ 0)}
   ]|.

2. Derive for integer N, N ≥ 1, and integer array A[0..N) a program for the computation of the maximal sum of the non-empty segments of A.

3. |[ con N : int {N ≥ 1}; A : array [0..N) of int; var r : int;
      S
      {r = (max p,q : 0 ≤ p < q < N : (A.p - A.q)²)}
   ]|.

4. |[ con N : int {N ≥ 0}; A : array [0..N) of bool; var r : bool;
      S
      {r ≡ (∃ p : 0 ≤ p ≤ N : (∀ i : 0 ≤ i < p : A.i) ∧ (∀ i : p ≤ i < N : ¬A.i))}
   ]|.

5. Let N ≥ 0 and let A[0..N) be an array of integers. For 0 ≤ p ≤ q ≤ N, the credit of A[p..q) is defined by

   credit.p.q = (# i : p ≤ i < q : A.i > 0) - (# i : p ≤ i < q : A.i < 0)

   Derive a program for the computation of a segment of A with maximal credit.

6. |[ con N : int {N ≥ 0}; A : array [0..N) of int;
      var r : int;
      S
      {r = (max p,q : 0 ≤ p ≤ q ≤ N : (Π i : p ≤ i < q : A.i))}
   ]|.

4.4 Tail invariants

In this section we discuss tail recursion. We used a form of tail recursion when we discussed the greatest common divisor algorithm in Section 2.5. That algorithm is based on properties of the function F defined for positive integers x and y by F.x.y = x gcd y. These properties are

F.x.x = x
F.x.y = F.(x-y).y   if x > y
F.x.y = F.x.(y-x)   if y > x

which is an example of a so-called tail recursive definition. A repetition for the computation of F.A.B is obtained by choosing as invariant

F.x.y = F.A.B

as we did for the algorithm in Section 2.5.

As another example, consider

|[ con N : int {N ≥ 0}; A : array [0..N] of int; var r : int;
   S
   {r = (max i : 0 ≤ i ≤ N : A.i)}
]|.

Define, for 0 ≤ x ≤ y ≤ N, the function F by

F.x.y = (max i : x ≤ i ≤ y : A.i)

Then the post-condition of this specification can be written as

R: r = F.0.N

and F has the following properties:

(i)  x = y ⇒ F.x.y = A.x
(ii) x < y ⇒ F.x.y = F.(x+1).y   if A.x ≤ A.y
             F.x.y = F.x.(y-1)   if A.y ≤ A.x

A repetition based on (i) and (ii) has invariant

P: F.x.y = F.0.N ∧ 0 ≤ x ≤ y ≤ N

and its coding is straightforward:

|[ var x, y : int; {N ≥ 0}
   x, y := 0, N
   {invariant P: F.x.y = F.0.N ∧ 0 ≤ x ≤ y ≤ N, bound: y - x}
   ; do x ≠ y
     → if A.x ≤ A.y → x := x + 1
       [] A.y ≤ A.x → y := y - 1
       fi
   od
   {P ∧ x = y, hence, A.x = F.0.N}
   ; r := A.x
]|
{r = (max i : 0 ≤ i ≤ N : A.i)}.

The general setting of tail recursion is as follows. A function F is given for which

(i)  F.x = h.x       if b.x
(ii) F.x = F.(g.x)   if ¬b.x

and one is asked to derive a program that establishes r = F.X for some X. Taking

P: F.x = F.X

as a so-called tail invariant, yields

|[ var x;
   x := X
   {invariant: F.x = F.X}
   ; do ¬b.x → x := g.x od
   ; r := h.x
]|
{r = F.X}

provided that the repetition terminates.

Solving a problem by tail recursion amounts to finding a suitable function F. A special case of tail recursion is the following.

An associative operator ⊕ is given with identity e. A function G has the following properties:

(0) G.x = a                if b.x
(1) G.x = h.x ⊕ G.(g.x)    if ¬b.x

and one is asked to derive a program with post-condition r = G.X. This problem may be solved by a tail invariant of the form

P: G.X = r ⊕ G.x

which may be interpreted as

'the result' = 'what has been computed' ⊕ 'what still has to be computed'

Invariant P is established by r, x := e, X. Furthermore, if b.x holds, then

   G.X = r ⊕ G.x
=  { b.x, use (0) }
   G.X = r ⊕ a

and, for ¬b.x

   G.X = r ⊕ G.x
=  { ¬b.x, use (1) }
   G.X = r ⊕ (h.x ⊕ G.(g.x))
=  { ⊕ is associative }
   G.X = (r ⊕ h.x) ⊕ G.(g.x)
=  { definition of P }
   P(r, x := r ⊕ h.x, g.x)

Note that in almost each line of the derivation above 'G.X =' occurs. When applying tail invariants, we only derive the relevant parts, leading to derivations of the following form:

If b.x holds, then

   r ⊕ G.x
=  { b.x, use (0) }
   r ⊕ a

and, for ¬b.x

   r ⊕ G.x
=  { ¬b.x, use (1) }
   r ⊕ (h.x ⊕ G.(g.x))
=  { ⊕ is associative }
   (r ⊕ h.x) ⊕ G.(g.x)

This yields the following program scheme.

If ⊕ is associative and has identity e, and G is such that

(0) G.x = a                if b.x
(1) G.x = h.x ⊕ G.(g.x)    if ¬b.x

then

{true}
|[ var x;
   x, r := X, e
   {invariant: G.X = r ⊕ G.x}
   ; do ¬b.x → x, r := g.x, r ⊕ h.x od
   {G.X = r ⊕ a}
   ; r := r ⊕ a
]|
{r = G.X}

provided that the repetition terminates.

We illustrate tail recursion by two examples.

For natural number x, G.x is the sum of the decimals of x, defined by

G.0 = 0
G.x = x mod 10 + G.(x div 10)   for x > 0

We are asked for a program with post-condition r = G.N for natural number N. The program scheme presented above yields as tail invariant

P0: G.N = r + G.x

and as a lower bound for x, we add

P1: 0 ≤ x

For x = 0, we have r + G.x = r and for x > 0:

   r + G.x
=  { definition of G, x > 0 }
   r + (x mod 10 + G.(x div 10))
=  { + is associative }
   (r + x mod 10) + G.(x div 10)

leading to

|[ var x : int; {N ≥ 0}
   x, r := N, 0
   {invariant: P0 ∧ P1, bound: x}
   ; do x ≠ 0 → x, r := x div 10, r + x mod 10 od
]|
{r = G.N}.

Note that a bound function is specified to satisfy the termination requirement. Termination follows from

   x div 10 < x
⇐  { heading for the definition of div }
   10 * (x div 10) < 10 * x
=  { calculus }
   x mod 10 + 10 * (x div 10) < x mod 10 + 10 * x
=  { definition of div and mod }
   x < x mod 10 + 10 * x
⇐  { x mod 10 ≥ 0 }
   x < 10 * x
=  { calculus }
   0 < x

As a second example we reconsider exponentiation (cf. Section 4.2), specified by

|[ con A, B : int {A ≥ 0 ∧ B ≥ 0};
   var r : int;
   exponentiation
   {r = A^B}
]|.

For exponentiation, i.e., for function G defined by G.x.y = x^y, we have, for x ≥ 0 ∧ y ≥ 0:

(0) G.x.0 = 1
(1) G.x.y = 1 * G.(x*x).(y div 2)   if y mod 2 = 0
    G.x.y = x * G.x.(y-1)           if y mod 2 = 1

A tail invariant corresponding to G is

P0: r * x^y = A^B

and a lower bound for y is given by

P1: 0 ≤ y

From the recurrence relations for G we infer

P0 ∧ y > 0 ∧ y mod 2 = 0 ⇒ P0(x, y := x*x, y div 2)

and

P0 ∧ y > 0 ∧ y mod 2 = 1 ⇒ P0(r, y := r*x, y-1)

resulting in

|[ var x, y : int; {A ≥ 0 ∧ B ≥ 0}
   r, x, y := 1, A, B
   {invariant: r * x^y = A^B ∧ 0 ≤ y, bound: y}
   ; do y ≠ 0
     → if y mod 2 = 0 → x, y := x * x, y div 2
       [] y mod 2 = 1 → r, y := r * x, y - 1
       fi
   od
   {r * x^y = A^B ∧ y = 0, hence, r = A^B}
]|.

Since y halves at least every other step of the repetition, the time complexity of this program is O(log B).

The purpose of this section is not to explain how a specific problem can be formulated in terms of F or G. In practice, we do not always define F or G explicitly. For instance, the exponentiation program would be introduced by

'We choose a tail invariant P, defined by

P: r * x^y = A^B

and we choose as guard y ≠ 0'

In later chapters we will see many applications of the tail invariant technique.
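As an added example (not the book's code), the program scheme of this section written once as a generic Python function and then instantiated for the sum-of-decimals program and for the exponentiation program above; the names tail_scheme, G_digits and G_pow are my own, and G_ref is a direct recursive reference for G used only to check the tail invariant G.X = r ⊕ G.x at every step.

```python
# Added example (not from the book): the tail-invariant program scheme
#   x, r := X, e ; do not b.x -> x, r := g.x, r (+) h.x od ; r := r (+) a
# as one generic function, instantiated twice. G_ref is a reference
# implementation of G, used only to assert the invariant G.X = r (+) G.x.

def tail_scheme(X, b, g, h, a, e, op, G_ref=None):
    """Requires: op associative with identity e; G.x = a if b.x and
    G.x = h.x (+) G.(g.x) otherwise; and termination of the repetition."""
    x, r = X, e                      # establishes P: G.X = r (+) G.x
    while not b(x):
        if G_ref is not None:
            assert op(r, G_ref(x)) == G_ref(X)     # P holds before each step
        x, r = g(x), op(r, h(x))     # P(r, x := r (+) h.x, g.x)
    return op(r, a)                  # b.x, use (0): G.X = r (+) a

# ---- sum of decimals: G.0 = 0, G.x = x mod 10 + G.(x div 10) for x > 0 ----

def G_digits(x):
    return 0 if x == 0 else x % 10 + G_digits(x // 10)

def digit_sum(N):
    """r = G.N via x, r := N, 0 ; do x != 0 -> x, r := x div 10, r + x mod 10 od."""
    return tail_scheme(N, b=lambda x: x == 0, g=lambda x: x // 10,
                       h=lambda x: x % 10, a=0, e=0,
                       op=lambda u, v: u + v, G_ref=G_digits)

# ---- exponentiation: the state is the pair (x, y), G.(x,y) = x^y ----
# (0) G.(x,0) = 1
# (1) G.(x,y) = 1 * G.(x*x, y div 2)   if y mod 2 = 0
#     G.(x,y) = x * G.(x, y-1)         if y mod 2 = 1

def G_pow(state):
    x, y = state
    return x ** y

def power(A, B):
    """r * x^y = A^B is the tail invariant; B >= 0, O(log B) steps."""
    def g(state):
        x, y = state
        return (x * x, y // 2) if y % 2 == 0 else (x, y - 1)

    def h(state):
        x, y = state
        return 1 if y % 2 == 0 else x

    return tail_scheme((A, B), b=lambda s: s[1] == 0, g=g, h=h, a=1, e=1,
                       op=lambda u, v: u * v, G_ref=G_pow)

if __name__ == "__main__":
    print(digit_sum(78), power(3, 5))   # 15 243
```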

Exercises

0. Derive a program for the computation of A * B where A and B are natural numbers. Apart from div 2, mod 2, and *2 only addition and subtraction are allowed.

1. Derive a program for the computation of the number of factors 3 of natural positive number N.

2. Solve

   |[ con N, X : int {N ≥ 0}; f : array [0..N) of int; var r : int;
      S
      {r = (Σ i : 0 ≤ i < N : f.i * X^i)}
   ]|.

   by defining for 0 ≤ n ≤ N

   G.n = (Σ i : n ≤ i < N : f.i * X^(i-n))

   and deriving a suitable recurrence relation for G.

3. The function fusc is defined on the natural numbers by

   fusc.0 = 0, fusc.1 = 1, fusc.(2*n) = fusc.n, and
   fusc.(2*n+1) = fusc.n + fusc.(n+1)   for n ≥ 0

   Derive a program for the computation of fusc.N, N ≥ 0. (Hint: compute fusc.78.)

4. Solve

   |[ con N, X : int {N ≥ 0}; f : array [0..N) of int; var r : bool;
      S
      {r ≡ (∃ i : 0 ≤ i < N : f.i = 0)}
   ]|.

   by defining for 0 ≤ n ≤ N

   G.n ≡ (∃ i : n ≤ i < N : f.i = 0)

   and deriving a suitable recurrence relation for G.

5. An h-sequence is either a sequence consisting of the single element 0 or it is a 1, followed by two h-sequences. Syntactically, h-sequences may be defined by

   ⟨h⟩ = 0 | 1 ⟨h⟩ ⟨h⟩

   Solve

   |[ con N : int {N ≥ 0}; A : array [0..2*N+1) of [0..1]; var r : bool;
      S
      {r ≡ A is an h-sequence}
   ]|.

4.5 Summary

In this chapter we discussed some general techniques that show how a suitable invariant may be derived from a given pre- and post-condition. We summarize these ideas.

Taking conjuncts

When the post-condition is a conjunction of predicates, take some of the conjuncts as invariants and take the negations of the other conjuncts as guards for a repetition. As a special case, one can try true as invariant and the negation of the post-condition as guard.

Replacing constants by variables

The replacement of one or more constants by variables yields a possible invariant for a repetition.

Strengthening invariants

When a choice for an invariant has been made, calculations may lead to an expression E that is neither easily computed nor easily expressed in terms of the program variables. The extension of the state space with a variable and the addition of an invariant that expresses that this variable equals E may help obtain a solution to the problem.

Tail invariants

The general setting of tail recursion is as follows. A function F is given for which

F.x = h.x       if b.x
F.x = F.(g.x)   if ¬b.x

and one is asked to derive a program that establishes r = F.X for some X. Then F.x = F.X is a good candidate as invariant for a repetition that solves this problem.

A special case of tail recursion is applicable to the problem of computing G.X, where G is such that

(0) G.x = a                if b.x
(1) G.x = h.x ⊕ G.(g.x)    if ¬b.x

in which ⊕ is an associative operator with identity e. Then G.X = r ⊕ G.x is a good candidate for an invariant.

Exercises

Derive solutions to the following programming problems.

0. |[ con N : int {N ≥ 1}; A : array [0..N) of int; var b : bool;
      S
      {b ≡ (∃ p,q : 0 ≤ p < q < N : A.p - A.q ≤ 2)}
   ]|.

1. |[ con N : int {N ≥ 1}; A : array [0..N) of int;
      var r : int;
      S
      {r = (# i : 0 ≤ i < N : (∀ p : i ≤ p < N : A.i ≥ A.p))}
   ]|.

2. The function A is defined on the natural numbers by

   A.0 = 1
   A.(2n) = 2 * A.n        for n ≥ 1
   A.(2n+1) = n + A.(2n)   for n ≥ 0

   Derive a program for the computation of A.N, N ≥ 0.

3. |[ con N : int {N ≥ 2}; A : array [0..N) of int; var x, y : int;
      S
      {0 ≤ x < y < N ∧ |A.x * A.y| = (max p,q : 0 ≤ p < q < N : |A.p * A.q|)}
   ]|.

4. |[ con N : int {N ≥ 2}; A : array [0..N) of int; var r : int;
      S
      {r = (Σ p,q : 0 ≤ p < q < N : (A.p - A.q)²)}
   ]|.

5. Derive an O(log N) program for the computation of (Σ i : 0 ≤ i < N : A^i) where N and A are natural numbers.

6. |[ con N : int {N ≥ 0}; A : array [0..N) of int; var r : int;
      S
      {r = (# k : 0 ≤ k ≤ N : (∀ i : k ≤ i < N : A.i ≥ 0))}
   ]|.

7. |[ con N : int {N ≥ 1}; var x : int;
      Fibolucci
      {x = (Σ i : 0 ≤ i ≤ N : fib.i * fib.(N-i))}
   ]|,

   where fib is defined by

   fib.0 = 0, fib.1 = 1, and
   fib.(n+2) = fib.n + fib.(n+1)   for n ≥ 0

   (Hint: replace both occurrences of N by n.)

Chapter 5

Deriving Efficient Programs

5.0 Introduction

In this chapter we present two examples of efficient programs. The chapter may be skipped at first reading.

In Section 5.1 we present an efficient program for the computation of A div B and A mod B. In Section 5.2 we show a technique that is applicable to a class of algorithms. In that section we assume that the reader is familiar with matrix multiplication.

Both examples are not simple and one of the purposes of this chapter is to show how one can reason about these programs in a non-operational way.

5.1 Integer division

Our first example is the derivation of an efficient solution to integer division, specified as

|[ con A, B : int {A ≥ 0 ∧ B > 0}; var q, r : int;
   divmod
   {q = A div B ∧ r = A mod B}
]|.

in which apart from div 2, mod 2 and *2 (that are usually provided by machines) only addition and subtraction are allowed. As pointed out in Section 4.1, post-condition R may be written as

R: A = q * B + r ∧ 0 ≤ r < B

In Section 4.1 we chose as invariant A = q * B + r ∧ 0 ≤ r, leading to

q, r := 0, A
; do r ≥ B → q, r := q + 1, r - B od

a program whose execution takes A div B steps.

It is quite easy to transform it into a program that is twice as efficient, by dividing by 2 * B instead of B. Such a transformation leads to the following program.

q, r := 0, A
{A = q * 2 * B + r ∧ 0 ≤ r}
; do r ≥ 2 * B → q, r := q + 1, r - 2 * B od
{A = q * 2 * B + r ∧ 0 ≤ r < 2 * B}
; q := q * 2
{A = q * B + r ∧ 0 ≤ r < 2 * B}
; if B ≤ r → q, r := q + 1, r - B
  [] r < B → skip
  fi
{A = q * B + r ∧ 0 ≤ r < B}

Execution of this program takes ½ * (A div B) steps. Of course, we can apply this idea again, leading to a program that is four times as efficient as the original program (at the price of two selections). In general we may start with a division by 2^k * B for some k ≥ 0. This idea leads to an invariant that is obtained from the post-condition by replacing constant B by variable b:

P0: A = q * b + r ∧ 0 ≤ r < b

To guarantee b = 2^k * B for some natural k, we introduce variable k as well and define invariant P1 by

P1: b = 2^k * B ∧ 0 ≤ k

P0 ∧ P1 is established by a repetition for which

Q: A = q * b + r ∧ 0 ≤ r ∧ b = 2^k * B ∧ 0 ≤ k

is an invariant and r ≥ b the guard. Its coding is straightforward:

q, r, b, k := 0, A, B, 0
; do r ≥ b → b, k := b * 2, k + 1 od

This part has time complexity O(log(A div B)), since k is 0 initially and has the minimum t for which 2^t > A div B as its final value.

As guard of the next repetition, we choose b ≠ B. To obtain an efficient algorithm we investigate the effect of b := b div 2 and we derive

   P0 ∧ P1 ∧ b ≠ B
=  { definitions of P0 and P1 }
   A = q * b + r ∧ 0 ≤ r < b ∧ b = 2^k * B ∧ 0 ≤ k ∧ b ≠ B
=  { calculus }
   A = q * b + r ∧ 0 ≤ r < b ∧ b = 2^k * B ∧ 1 ≤ k
⇒  { heading for b := b div 2 }
   A = (q * 2) * (b div 2) + r ∧ 0 ≤ r < 2 * (b div 2) ∧ 0 ≤ k-1 ∧ b div 2 = 2^(k-1) * B

Hence,

{P0 ∧ P1 ∧ b ≠ B}
q, b, k := q * 2, b div 2, k - 1
{A = q * b + r ∧ 0 ≤ r < 2 * b ∧ b = 2^k * B ∧ 0 ≤ k}

Starting with the last line it is easy to establish P0 ∧ P1:

{A = q * b + r ∧ 0 ≤ r < 2 * b ∧ b = 2^k * B ∧ 0 ≤ k}
if r < b → skip {P0 ∧ P1}
[] r ≥ b → q, r := q + 1, r - b {P0 ∧ P1}
fi
{P0 ∧ P1}

Thus, we arrive at the following program:

|[ var b, k : int;
   q, r, b, k := 0, A, B, 0
   ; do r ≥ b → b, k := b * 2, k + 1 od
   ; do b ≠ B
     → q, b, k := q * 2, b div 2, k - 1
     ; if r < b → skip
       [] r ≥ b → q, r := q + 1, r - b
       fi
   od
]|.

In each step of the second repetition k is decreased by 1. Its final value is 0, hence execution of the second repetition takes log(A div B) steps as well. We conclude that this program has time complexity O(log(A div B)).

Variable k plays a specific role. No other variable depends on k and leaving out this variable does not affect the algorithm. But k does play a role, since the invariant (and, hence, the correctness of the algorithm) depends on k. When we remove k, what would be an invariant of the resulting program? The solution is not difficult: the above program shows the existence of integer k such that all relations are satisfied. Replacing invariants P1 and Q by

QQ: A = q * b + r ∧ 0 ≤ r ∧ (∃ k : 0 ≤ k : b = 2^k * B)

results in a program in which k does not occur any more:

{A ≥ 0 ∧ B > 0}
|[ var b : int;
   q, r, b := 0, A, B
   ; do r ≥ b → b := b * 2 od
   ; do b ≠ B
     → q, b := q * 2, b div 2
     ; if r < b → skip [] r ≥ b → q, r := q + 1, r - b fi
   od
]|
{q = A div B ∧ r = A mod B}.

It is possible to derive this program in terms of P0, P1 and QQ right from the beginning. As a disadvantage one has to perform all calculations with an existential quantification. Moreover, the efficiency considerations cannot be phrased in terms of k any more. The introduction of variable k makes it easier to reason about the program, and as k does not actually occur in the final program it is called a ghost variable.

Finally, we remark that the correctness of the program presented above is difficult to grasp without its derivation. Nevertheless, it is essentially the same division algorithm that is taught in primary school.
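As an added example (not code from the book), the O(log(A div B)) division program above in Python, keeping the ghost variable k so that P0 and P1 can be asserted in every step of the second repetition; the function also returns the final value of k of the first repetition so that the claim "the minimum t for which 2^t > A div B" can be checked. The sample inputs are constructed.

```python
# Added example (not from the book): the O(log(A div B)) division program,
# using only doubling, halving, comparison, addition and subtraction. The
# ghost variable k is kept so that the invariants can be asserted.

def divmod_fast(A, B, check_invariants=False):
    """Returns (q, r, kmax) with A = q*B + r, 0 <= r < B, and kmax the
    number of doublings, i.e. the minimum t with 2^t > A div B."""
    assert A >= 0 and B > 0
    q, r, b, k = 0, A, B, 0
    # First repetition, invariant Q: A = q*b + r and 0 <= r and b = 2^k * B and 0 <= k
    while r >= b:
        b, k = b * 2, k + 1
    kmax = k
    # Second repetition, invariant P0 and P1, bound k
    while b != B:
        if check_invariants:
            assert A == q * b + r and 0 <= r < b        # P0
            assert b == 2 ** k * B and 0 <= k           # P1
        q, b, k = q * 2, b // 2, k - 1
        # now A = q*b + r and 0 <= r < 2*b; one conditional subtraction restores P0
        if r >= b:
            q, r = q + 1, r - b
    assert k == 0                                       # b = 2^0 * B
    return q, r, kmax

if __name__ == "__main__":
    print(divmod_fast(37, 5, check_invariants=True))    # (7, 2, 3)
```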

Exercises

0. Derive an O(log N) algorithm for square root:

   |[ con N : int {N ≥ 0}; var x : int;
      square root
      {x² ≤ N ∧ (x+1)² > N}
   ]|,

   by introducing variables y and k and invariants

   P0: x² ≤ N ∧ (x+y)² > N
   P1: y = 2^k ∧ 0 ≤ k

1. Derive a program that has time complexity O(log N) for

   |[ con N : int {N ≥ 1}; f : array [0..N] of int {f.0 < f.N}; var x : int;
      S
      {0 ≤ x < N ∧ f.x < f.(x+1)}
   ]|.

   by introducing variable y and invariants

   P0: f.x < f.y
   P1: 0 ≤ x < y ≤ N

2. Solve

   |[ con A, B : int {B > 0}; var q, r : int;
      divmod
      {q = A div B ∧ r = A mod B}
   ]|.

5.2 Fibonacci

Our second example is the derivation of an O(log N) program for Fibonacci (cf. Section 4.3), specified by

|[ con N : int {N ≥ 0}; var x : int;
   Fibonacci
   {x = fib.N}
]|,

where fib is defined by

fib.0 = 0, fib.1 = 1, and
fib.(n+2) = fib.n + fib.(n+1)   for n ≥ 0

In Section 4.3, we chose as invariant x = fib.n ∧ y = fib.(n+1), leading to

{N ≥ 0}
|[ var y, n : int;
   n, x, y := 0, 0, 1
   ; do n ≠ N
     → x, y := y, x + y
     ; n := n + 1
   od
]|
{x = fib.N},

a program that has time complexity O(N). We derive from this program a more efficient one by a rather general technique exploiting the fact that the expressions assigned to x and y in the multiple assignment x, y := y, x+y are linear combinations of x and y. In terms of matrices (written row by row, with rows separated by a semicolon, and a column vector written as (x; y)) this assignment is denoted as

(x; y) := (0 1; 1 1) (x; y)

and the algorithm may be denoted as

|[ var y, n : int;
   n, x, y := 0, 0, 1
   ; do n ≠ N
     → (x; y) := (0 1; 1 1) (x; y)
     ; n := n + 1
   od
]|
{x = fib.N}.

An invariant of the program for Fibonacci is

and its post-condition is

In Section 4.4 we developed an O(log N) program for exponentiation based on a tail invariant. A similar approach to the computation of (0 1; 1 1)^N (0; 1) is appropriate, using invariants

which are initialized by n, x, y := N, 0, 1, A := (0 1; 1 1) and for which we have

P0 ∧ n = 0 ⇒ x = fib.N ∧ y = fib.(N+1)

This leads to the following program:

n, x, y := N, 0, 1
; A := (0 1; 1 1)
; do n ≠ 0
  → if n mod 2 = 0 → A := A * A ; n := n div 2
    [] n mod 2 = 1 → (x; y) := A (x; y) ; n := n - 1
    fi
od
{x = fib.N}

A next step is the elimination of the matrix operations. We compute some powers of (0 1; 1 1):

(0 1; 1 1)² = (0 1; 1 1) (0 1; 1 1) = (1 1; 1 2)
(0 1; 1 1)⁴ = (1 1; 1 2) (1 1; 1 2) = (2 3; 3 5)

This leads to the conjecture that all these powers are of the form (a b; b a+b). Indeed,

(a b; b a+b) (a b; b a+b) = (p q; q p+q)

where p = a² + b² and q = ab + ba + b². Hence, matrix A may be represented by two integers: pair (a, b) represents matrix (a b; b a+b). Then

A := A * A corresponds to a, b := a * a + b * b, a * b + b * a + b * b

and

(x; y) := A (x; y) corresponds to x, y := a * x + b * y, b * x + a * y + b * y

The final solution is presented below.

{N ≥ 0}
|[ var a, b, n, y : int;
   a, b, x, y, n := 0, 1, 0, 1, N
   ; do n ≠ 0
     → if n mod 2 = 0 → a, b := a * a + b * b, a * b + b * a + b * b ; n := n div 2
       [] n mod 2 = 1 → x, y := a * x + b * y, b * x + a * y + b * y ; n := n - 1
       fi
   od
]|
{x = fib.N}

Needless to say that this program cannot be easily understood without its derivation.
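As an added example (not code from the book), the O(log N) Fibonacci program above in Python, next to the O(N) program of Section 4.3 and an explicit 2×2 matrix product; with checking enabled it asserts, at every step, that the pair (a, b) still represents the matrix A and that the pair updates agree with the matrix operations they replace. The helper names mat_mul, mat_vec and as_matrix are my own.

```python
# Added example (not from the book): the O(log N) Fibonacci program, with the
# pair (a, b) standing for the matrix (a b; b a+b), checked against explicit
# matrix products and against the O(N) program of Section 4.3.

def fib_linear(N):
    """The O(N) program: invariant x = fib.n and y = fib.(n+1)."""
    n, x, y = 0, 0, 1
    while n != N:
        x, y = y, x + y
        n += 1
    return x

def mat_mul(P, Q):
    """2x2 matrix product; a matrix is ((p00, p01), (p10, p11))."""
    return ((P[0][0] * Q[0][0] + P[0][1] * Q[1][0], P[0][0] * Q[0][1] + P[0][1] * Q[1][1]),
            (P[1][0] * Q[0][0] + P[1][1] * Q[1][0], P[1][0] * Q[0][1] + P[1][1] * Q[1][1]))

def mat_vec(M, v):
    """Matrix applied to the column vector (x; y), given as a pair."""
    x, y = v
    return (M[0][0] * x + M[0][1] * y, M[1][0] * x + M[1][1] * y)

def as_matrix(a, b):
    """The matrix that the pair (a, b) represents: (a b; b a+b)."""
    return ((a, b), (b, a + b))

def fib_fast(N, check_invariants=False):
    """The O(log N) program of the text, final version without matrices."""
    a, b, x, y, n = 0, 1, 0, 1, N
    M = as_matrix(a, b)               # explicit matrix A, kept only for the checks
    while n != 0:
        if n % 2 == 0:
            a, b = a * a + b * b, a * b + b * a + b * b     # A := A * A
            n //= 2
            if check_invariants:
                M = mat_mul(M, M)
                assert as_matrix(a, b) == M                 # (p q; q p+q) conjecture
        else:
            xn, yn = a * x + b * y, b * x + a * y + b * y   # (x; y) := A (x; y)
            if check_invariants:
                assert (xn, yn) == mat_vec(M, (x, y))
            x, y = xn, yn
            n -= 1
    return x

if __name__ == "__main__":
    print(fib_fast(10, check_invariants=True))   # 55
```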

Exercises

Solve

0. |[ con A, B, N : int {N ≥ 0}; var x : int;
      S
      {x = (Σ i : 0 ≤ i ≤ N : A^(N-i) * B^i)}
   ]|.

1. |[ con N : int {N ≥ 1}; var x : int;
      Fibolucci
      {x = (Σ i : 0 ≤ i ≤ N : fib.i * fib.(N-i))}
   ]|,

   where fib is defined by

   fib.0 = 0, fib.1 = 1, and
   fib.(n+2) = fib.n + fib.(n+1)   for n ≥ 0.

Chapter 6

Searching

6.0 Introduction

Many programming problems can be viewed as a so-called searching problem. For instance, the square root problem of Section 4.1 may be formulated as 'search for the maximal natural number i for which i² ≤ N', i.e., establish post-condition

x = (max i : 0 ≤ i ∧ i² ≤ N : i)

It may also be formulated as

x = (min i : 0 ≤ i ∧ (i+1)² > N : i)

i.e., search for the minimal natural number i for which (i+1)² > N. In Section 6.1 we discuss a simple program called Linear Search. The Bounded Linear Search is presented in Section 6.2. In Section 6.3 we consider a more efficient scheme which is applicable to a large class of search problems. That program is known as the Binary Search. In Section 6.4 we discuss a less well-known program scheme called Searching by Elimination.

6.1 Linear Search

We consider the following problem. For integer variable x, b.x is a boolean expression such that

(∃ i : 0 ≤ i : b.i)

An example of such an expression is (x+1) * (x+1) > N. We are interested in the smallest natural i for which b.i holds. A formal specification of this problem is

|[ var x : int;
   {(∃ i : 0 ≤ i : b.i)}
   Linear Search
   {x = (min i : 0 ≤ i ∧ b.i : i)}
]|.

We rewrite the post-condition:

R: 0 ≤ x ∧ b.x ∧ (∀ i : 0 ≤ i < x : ¬b.i)

A possible invariant is obtained by the technique of taking a conjunct: we define P by

P: 0 ≤ x ∧ (∀ i : 0 ≤ i < x : ¬b.i)

which is initialized by x := 0. As guard we choose, of course, ¬b.x. Investigation of x := x + 1 leads to

   P(x := x+1)
=  { definition of P }
   0 ≤ x + 1 ∧ (∀ i : 0 ≤ i < x + 1 : ¬b.i)
⇐  { heading for P }
   0 ≤ x ∧ (∀ i : 0 ≤ i < x + 1 : ¬b.i)
=  { split off i = x, 0 ≤ x < x + 1 }
   0 ≤ x ∧ (∀ i : 0 ≤ i < x : ¬b.i) ∧ ¬b.x
=  { definition of P }
   P ∧ ¬b.x

This gives rise to the following program:

x := 0 ; do ¬b.x → x := x + 1 od.

For a proof of the correctness of this program we still have to provide a bound function. Note that we have not used the pre-condition yet. The pre-condition allows us to define constant X by

0 ≤ X ∧ b.X

and we derive

   P
⇒  { definition of P }
   (∀ i : 0 ≤ i ∧ i < x : ¬b.i)
=  { predicate calculus: trading }
   (∀ i : 0 ≤ i ∧ b.i : i ≥ x)
⇒  { 0 ≤ X ∧ b.X }
   X ≥ x

Hence X - x is a suitable bound function for the program presented above. We formulate our result as follows.

Linear Search

|[ var x : int;
   {(∃ i : 0 ≤ i : b.i)}
   x := 0
   ; do ¬b.x → x := x + 1 od
   {x = (min i : 0 ≤ i ∧ b.i : i)}
]|.

Of course, the fact that 0 is a lower bound is not essential: the maximum i for which b.i holds is obtained by initializing x with an upper bound and replacing x := x + 1 by x := x - 1.

As an example, we solve the following problem.

|[ con N : int {N ≥ 0}; A : array [0..N] of int; {A.0 < A.N}
   var r : int;
   S
   {r = (max i : 0 ≤ i < N ∧ A.i < A.(i+1) : i)}
]|.

This problem can be solved by replacing constant N by variable n, an approach that leads to a less elegant algorithm, as the reader may verify. Applying the Linear Search, we obtain as solution:

S: {(∃ i : 0 ≤ i < N : A.i < A.(i+1)), see Proof, apply Linear Search}
   r := N - 1
   ; do A.r ≥ A.(r+1) → r := r - 1 od
   {r = (max i : 0 ≤ i < N ∧ A.i < A.(i+1) : i)}

Proof:

   (∀ i : 0 ≤ i < N : A.i ≥ A.(i+1))
⇒  { transitivity of ≥ }
   A.0 ≥ A.N

Hence,

A.0 < A.N ⇒ (∃ i : 0 ≤ i < N : A.i < A.(i+1))

The program with its accompanying proof is all one has to provide as solution to the problem.

6.2 Bounded Linear Search

The Bounded Linear Search is a solution to the following problem. Given integer N, N ≥ 0, and boolean array b[0..N), one is asked to derive a program that assigns to variable x the least number i in [0..N) for which b.i holds. If no such number exists in this domain, N should be assigned to x. A solution with invariant

and program

x := 0 ; do ¬b.x ∧ x ≠ N → x := x + 1 od

is not correct, since N does not belong to the domain of b and x = N is not excluded by the invariant.

A formal specification of the problem is

|[ con N : int {N ≥ 0}; b : array [0..N) of bool; var x : int;
   bounded linear search
   {x = (max i : 0 ≤ i ≤ N ∧ (∀ j : 0 ≤ j < i : ¬b.j) : i)}
]|.

When we define (without, of course, actually changing b) b.N as true, the post-condition may be written as

R: 0 ≤ x ≤ N ∧ (∀ i : 0 ≤ i < x : ¬b.i) ∧ b.x

As explained above, a repetition with ¬b.x as guard is not possible. When we take b.x as part of the invariant, it should be established by x := N, since N is the only value for which it is known that b has the value true. On the other hand, the first two conjuncts of R require x := 0 as initialization. This 'conflict' is solved by the introduction of integer variable y: we choose as invariant

P0: 0 ≤ x ≤ N ∧ (∀ i : 0 ≤ i < x : ¬b.i) ∧ b.y

Then P0 is established by x, y := 0, N and P0 ∧ x = y implies R. Hence, we choose x ≠ y as guard for the repetition and y - x as bound function. As bounds for y we add

P1: x ≤ y ≤ N

to the invariant. Then P0 ∧ P1 ∧ x ≠ y ⇒ 0 ≤ x < N, and, hence, b.x may occur in the statement of the repetition. It is now easy to derive

P0 ∧ P1 ∧ x ≠ y ∧ ¬b.x ⇒ (P0 ∧ P1)(x := x+1)

and

P0 ∧ P1 ∧ x ≠ y ∧ b.x ⇒ (P0 ∧ P1)(y := x)

This leads to the following solution:

Bounded Linear Search

|[ con N : int {N ≥ 0}; b : array [0..N) of bool; var x : int;
   |[ var y : int;
      x, y := 0, N
      ; do x ≠ y
        → if ¬b.x → x := x + 1
          [] b.x → y := x
          fi
      od
   ]|
   {x = (max i : 0 ≤ i ≤ N ∧ (∀ j : 0 ≤ j < i : ¬b.j) : i)}
]|.
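As an added example (not code from the book), the Bounded Linear Search above in Python, run with a predicate b that records every index at which it is inspected, next to the rejected program x := 0; do ¬b.x ∧ x ≠ N → x := x + 1 od, which on an all-false array inspects b.N, an index outside the domain [0..N); the Recorded class and the sample arrays are constructed for this example.

```python
# Added example (not from the book): the Bounded Linear Search with a
# recording predicate, next to the program the text rejects because its
# guard inspects b.x before checking x != N, i.e. it reads b.N when no
# element is true (an out-of-domain read, an IndexError in Python).

class Recorded:
    """Boolean array b[0..N) that logs the indices at which it is inspected."""
    def __init__(self, values):
        self.values = list(values)
        self.inspected = []

    def __call__(self, i):
        self.inspected.append(i)
        return self.values[i]          # raises IndexError outside [0..N)

def bounded_linear_search(b, N):
    """x = (max i : 0 <= i <= N and (forall j : 0 <= j < i : not b.j) : i)."""
    x, y = 0, N                        # P0 and P1: 0 <= x <= y <= N, b.y (b.N taken as true)
    while x != y:                      # P0 and P1 and x != y  =>  0 <= x < N, so b.x is in the domain
        if not b(x):
            x += 1
        else:
            y = x
    return x

def rejected_search(b, N):
    """The version the text rejects: the guard evaluates b.x before x != N."""
    x = 0
    while not b(x) and x != N:
        x += 1
    return x

def spec(values):
    """The post-condition evaluated directly on the constructed array."""
    N = len(values)
    return max(i for i in range(N + 1) if not any(values[:i]))

def inspected_by_bounded_search(values):
    """Indices the correct program inspects; all of them lie in [0..N)."""
    b = Recorded(values)
    bounded_linear_search(b, len(values))
    return b.inspected

def out_of_domain_read(values):
    """True when the rejected program inspects an index outside [0..N)."""
    b = Recorded(values)
    try:
        rejected_search(b, len(values))
    except IndexError:
        pass
    return any(i >= len(values) for i in b.inspected)

if __name__ == "__main__":
    sample = [False, False, True, False]          # constructed input, N = 4
    print(bounded_linear_search(Recorded(sample), 4))   # 2
    print(out_of_domain_read([False, False, False]))    # True
```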

Exercises

Solve the following programming problems.

0. |[ con N : int {true};
      var x : int;
      S
      {x = (min i : 0 ≤ i ∧ 2^i ≥ N : i)}
   ]|.

1. |[ con N : int {N > 0};
      var x : int;
      S
      {x = (max i : 0 ≤ i ∧ 2^i ≤ N : i)}
   ]|.

2. |[ con N : int {N ≥ 2}; A : array [0..N) of int;
      {(∃ i,j : 0 ≤ i < j < N : A.i - A.j ≤ 2)}
      var r : int;
      S
      {r = (max i : 0 < i < N ∧ A.(i-1) - A.i ≤ 2 : i)}
   ]|.

3. Derive a linear program for the Bounded Linear Search problem, based on the invariant

   x = (max i : n ≤ i ≤ N ∧ (∀ j : n ≤ j < i : ¬b.j) : i)

   What is the disadvantage of this solution compared to the one presented in this section?

4. |[ var x : int;
      {(∃ i : i ∈ int : b.i)}
      S
      {b.x ∧ (∀ i : |i| < |x| : ¬b.i)}
   ]|.

5. |[ con N : int {N ≥ 0}; f : array [0..N) of int;
      var r : int;
      S
      {r = (max i : 0 ≤ i ≤ N ∧ (∀ j : 0 ≤ j < i : f.j ≠ 0) : i)}
   ]|.

6. |[ con N : int {N ≥ 1}; A, B : array [0..N] of int;
      {A.0 < B.0 ∧ A.N ≥ B.N}
      var r : int;
      S
      {r = (max i : 0 ≤ i < N ∧ A.i < B.i ∧ A.(i+1) ≥ B.(i+1) : i)}
   ]|.

6.3 Binary Search

For ascending and descending functions, searchmg may often be realized in a much more efficient way than by an application of the linear search. For instance, it IS much easier to find one's telephone number III a phone book than to find a name, given a telephone number. We explain the so-called Binary Search by solving

It can N, A : int {N ~ I}; f . array [.o .. N1 of int {f,.o :s; A < J.N}; var x: inti

binary search

(f,x:S; A < J.(x+l)}

11·

Note that, apart from f.D :s; A < f.N, nothing IS assumed about f,

The post-condition is a conjunction of two predicates: f.x :s; A, which 15 initialized by x:= .0; and A < j.(x+1), which is mitialized by x:= N-l. As we did for the Bounded Linear Search, we introduce a variable y and we define invariants Po and PI by

Po' f.x S A < I-u PI' 0 S x < y S N

Then, on account of the pre-condition, Po t\ PI is established by x, y:= .0, N. As guard of the repetition we choose x+1 =F y, and as bound function we choose y-x. For any It such that z: < It < y, we have y-h < y-x and h-x < y-x, hence, both x:= h and y:= It decrease y-x and both maintain P,. Furthermore,


   P0(x := h)
=    { substitution }
   f.h ≤ A < f.y
⇐    { definition of P0 }
   P0 ∧ f.h ≤ A

and

   P0(y := h)
=    { substitution }
   f.x ≤ A < f.h
⇐    { definition of P0 }
   P0 ∧ A < f.h

This leads to

{f.0 ≤ A < f.N}
|[ var y : int;
   x,y := 0,N
   {invariant: P0 ∧ P1, bound: y − x}
   ; do x+1 ≠ y
     → |[ var h : int;
          'establish x < h < y'
          ; if f.h ≤ A → x := h [] A < f.h → y := h fi
        ]|
     od
]|
{f.x ≤ A < f.(x+1)}

Since y − x is replaced either by y − h or by h − x, the best choice for h is the middle of [x..y], i.e., (x+y) div 2. Indeed,

   x < (x+y) div 2 < y
=    { calculus }
   x + 1 ≤ (x+y) div 2 ≤ y − 1
⇐    { div 2 is ascending }
   2x + 2 ≤ x+y ≤ 2y − 2
=    { calculus }
   x + 2 ≤ y
=    { calculus }
   x < y ∧ x+1 ≠ y
⇐    { definition of P1 }
   P1 ∧ x+1 ≠ y

Hence, h := (x+y) div 2 is a valid choice. Substitution in the above algorithm yields the solution:

Binary Search

{0 < N ∧ f.0 ≤ A < f.N}
x,y := 0,N
; do x+1 ≠ y
  → |[ var h : int;
       h := (x+y) div 2
       ; if f.h ≤ A → x := h [] A < f.h → y := h fi
     ]|
  od
{0 ≤ x < N ∧ f.x ≤ A < f.(x+1)}

Since y − x has initial value N and halves in each step of the repetition, the time complexity of this program is O(log N).


Variable h has been introduced to enable us to name a value between x and y. In the program above it is just short for (x+y) div 2 and the only property of h that is relevant to the correctness of the program is x < h < y. This example shows another reason for the introduction of variables.

Note that 0 < h < N, from which we infer that f.0 and f.N are not inspected during the execution of the program. Pre-condition f.0 ≤ A < f.N is only used for the initialization of x and y. When this part of the pre-condition is replaced by true or, equivalently, by

   f.0 ≤ A < f.N ∨ f.0 > A ∨ f.N ≤ A

the post-condition is

   0 ≤ x < N ∧ (f.x ≤ A < f.(x+1) ∨ f.0 > A ∨ f.N ≤ A)

We use this property in the following application of this algorithm. Let N ≥ 1 and let f[0..N) be an ascending array of integers. We are asked to derive a program for the computation of the boolean value 'integer A occurs in f[0..N)'. A formal specification is

|[ con N, A : int {N ≥ 1}; f : array [0..N) of int {(∀ i,j : 0 ≤ i ≤ j < N : f.i ≤ f.j)};
   var r : bool;
   S
   {r ≡ (∃ i : 0 ≤ i < N : f.i = A)}
]|.

In view of the remarks above, we define, since f.N is not inspected, f.N = ∞ (without, of course, actually changing f). Then A < f.N holds and the post-condition of the Binary Search is

   R: 0 ≤ x < N ∧ (f.x ≤ A < f.(x+1) ∨ A < f.0)

At this point (and only here!) the ascendingness of f comes in. From R and the ascendingness of f we infer

   (∃ i : 0 ≤ i < N : f.i = A) ≡ f.x = A

Hence, we have

|[ con N, A : int {N ≥ 1}; f : array [0..N) of int {f is ascending}; var b : bool;
   |[ var x, y : int;
      x,y := 0,N
      ; do x+1 ≠ y
        → |[ var h : int;
             h := (x+y) div 2
             ; if f.h ≤ A → x := h [] A < f.h → y := h fi
           ]|
        od
      ; b := f.x = A
    ]|
   {b ≡ (∃ i : 0 ≤ i < N : f.i = A)}
]|.

This program is also known as 'the binary search'. It is an important algorithm and every programmer should know this program and its derivation by heart.

As a final example, we reconsider square root of Section 4.1, specified by

|[ con N : int {N ≥ 0}; var x : int;
   square root
   {x² ≤ N ∧ (x+1)² > N}
]|.

For N ≥ 0, we have 0² ≤ N < (N+1)². A straightforward application of the binary search yields the following O(log N) program.


{N ≥ 0}
|[ var y : int;
   x,y := 0,N+1
   {0 ≤ x < y ∧ x² ≤ N < y², binary search}
   ; do x+1 ≠ y
     → |[ var h : int;
          h := (x+y) div 2
          ; if h*h ≤ N → x := h [] N < h*h → y := h fi
        ]|
     od
]|
{x² ≤ N < (x+1)²}

Once again, we remark that the correctness of this program does not depend on the fact that x² is an ascending function of x on the natural numbers. However, when this program is used to establish b ≡ (∃ p : 0 ≤ p : N = p²) for boolean variable b, then the ascendingness of x² is needed.
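The Binary Search of this section, its 'occurs' application and the square root program, as an added Python example (not the book's code): bsearch carries the (x, y) invariant of the derivation and inspects only f.h for 0 < h < N, so one loop serves all three uses. The helper names and the sample arrays are constructed here.

```python
import math
from typing import Callable, Sequence


def bsearch(f: Callable[[int], int], n: int, a: int) -> int:
    """Loop of the Binary Search over f.0 .. f.n (n >= 1).

    Invariant: 0 <= x < y <= n, and f.x <= a < f.y whenever f.0 <= a < f.n.
    Bound: y - x, halved each step, hence O(log n) probes.
    f(0) and f(n) are never inspected, so with pre-condition 'true' the
    result still satisfies 0 <= x < n and
    (f.x <= a < f.(x+1)  or  f.0 > a  or  f.n <= a).
    """
    assert n >= 1
    x, y = 0, n
    while x + 1 != y:
        h = (x + y) // 2          # x < h < y, the only property of h used
        if f(h) <= a:
            x = h                 # keeps f.x <= a
        else:
            y = h                 # keeps a < f.y
    return x


def binary_search(f: Sequence[int], a: int) -> int:
    """The book's 'binary search' specification: pre f.0 <= a < f.N for
    f[0..N]; nothing else is assumed about f (it need not be ascending)."""
    n = len(f) - 1
    assert f[0] <= a < f[n], "pre-condition f.0 <= A < f.N violated"
    return bsearch(lambda i: f[i], n, a)


def occurs(f: Sequence[int], a: int) -> bool:
    """'a occurs in ascending f[0..N)': run the loop with f.N taken as +inf
    (f.N is never inspected, so f itself is unchanged), then test f.x = a.
    Only this last step relies on f being ascending."""
    n = len(f)
    assert n >= 1
    ext = lambda i: f[i] if i < n else math.inf   # f.N = infinity
    x = bsearch(ext, n, a)
    return f[x] == a


def isqrt(N: int) -> int:
    """x with x*x <= N < (x+1)*(x+1), using 0^2 <= N < (N+1)^2 as pre."""
    assert N >= 0
    return bsearch(lambda h: h * h, N + 1, N)


def satisfies_post(f: Sequence[int], a: int, x: int) -> bool:
    """Direct check of the post-condition 0 <= x < N and f.x <= a < f.(x+1)."""
    return 0 <= x < len(f) - 1 and f[x] <= a < f[x + 1]


if __name__ == "__main__":
    # constructed sample: f is deliberately not ascending
    f = [1, 5, 2, 9, 3, 7]
    x = binary_search(f, 4)
    print(x, satisfies_post(f, 4, x))                  # 2 True
    print(occurs([1, 3, 3, 7, 9], 7), occurs([2, 3], 1))   # True False
    print(isqrt(15), isqrt(16), isqrt(0))              # 3 4 0
```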

Exercises

Derive a program for the following specifications.

0. |[ con N : int {N ≥ 0}; var r : bool;
      S
      {r ≡ (∃ p : p ≥ 0 : N = p³)}
   ]|.

1. Derive for given N, N ≥ 0, a program for the computation of the smallest integer x that satisfies x³ − 6x² + 9x ≥ N.

2. |[ con N : int {N ≥ 1}; A, B : array [0..N] of int; {A.0 ≤ B.0 ∧ A.N ≥ B.N}
      var r : int;
      S
      {0 ≤ r < N ∧ A.r ≤ B.r ∧ A.(r+1) ≥ B.(r+1)}
   ]|.


6.4 Searching by Elimination

Searching by elimination is the last technique discussed in this chapter. It may very well be studied at a later stage. Its derivation is a first example of so-called program refinement. The resulting program is obtained in a number of steps, and intermediate programs have, for instance, sets as variables.

We are given a finite set W and a boolean function S on W, such that S.w holds for some w ∈ W. We are asked to derive a program with post-condition S.x. We identify boolean functions on W and subsets of W, i.e., S is identified with {x ∈ W | S.x}. Thus, the post-condition may also be written as x ∈ S or as

   R: S ∩ {x} ≠ ∅

Note that in terms of sets the pre-condition 'S.w holds for some w in W' may be written as S ∩ W ≠ ∅. We replace {x} by variable V and we define P, as a generalization of the pre- and post-condition, by

   P: S ∩ V ≠ ∅ ∧ V ⊆ W

From P ∧ |V| = 1 we infer that the unique element of V satisfies R. This leads to

{S ∩ W ≠ ∅}
V := W
{invariant P: S ∩ V ≠ ∅ ∧ V ⊆ W, bound: |V|}
; do |V| ≠ 1 → 'decrease |V| under invariance of P' od
; x := 'the unique element of V'

From P ∧ |V| ≠ 1 we conclude that |V| ≥ 2. Searching by elimination is based on the fact that of any two elements of V at least one may be removed without violating P. This yields the following approximation:

V := W
; do |V| ≠ 1
  → 'choose a and b in V, such that a ≠ b'
    {a ∈ V ∧ b ∈ V ∧ a ≠ b ∧ S ∩ V ≠ ∅}
    ; if B0 → V := V \ {a}
      [] B1 → V := V \ {b}
      fi
  od
; x := 'the unique element of V'


From S ∩ V ≠ ∅ we infer ¬S.a ⇒ S ∩ V \ {a} ≠ ∅ and since b ∈ V ∧ a ≠ b we also have S.b ⇒ S ∩ V \ {a} ≠ ∅. Hence, ¬S.a ∨ S.b is a good choice for B0. More formally, this is derived as follows:

   S ∩ V ≠ ∅ ⇒ S ∩ (V \ {a}) ≠ ∅
=    { a ∈ V }
   S.a ∨ S ∩ (V \ {a}) ≠ ∅ ⇒ S ∩ (V \ {a}) ≠ ∅
=    { predicate calculus }
   S.a ⇒ S ∩ (V \ {a}) ≠ ∅
⇐    { b ∈ V \ {a} }
   S.a ⇒ S.b
=    { predicate calculus }
   ¬S.a ∨ S.b

On account of the symmetry, ¬S.b ∨ S.a is a good choice for B1. Note that this choice yields two guards whose disjunction is true. Substitution of these guards into our previous program yields the first version of searching by elimination.

Searching by Elimination (0)

{(∃ w : w ∈ W : S.w)}
V := W
; do |V| ≠ 1
  → 'choose a and b in V, such that a ≠ b'
    ; if ¬S.a ∨ S.b → V := V \ {a}
      [] ¬S.b ∨ S.a → V := V \ {b}
      fi
  od
; x := 'the unique element of V'
{S.x}

We often encounter situations in which set W is [0..N]. In that case V may be represented by two integers a and b, 0 ≤ a ≤ b ≤ N, such that

   V = [a..b]

   |V| ≠ 1 corresponds to a ≠ b
   V := V \ {a} corresponds to a := a + 1
   V := V \ {b} corresponds to b := b − 1

and the program may be encoded as

Searching by Elimination (1)

{(∃ i : 0 ≤ i ≤ N : S.i)}
a,b := 0,N
; do a ≠ b
  → if ¬S.a ∨ S.b → a := a + 1
    [] ¬S.b ∨ S.a → b := b − 1
    fi
  od
; x := a
{S.x}

Our first application of searching by elimination is the derivation of a program that satisfies

|[ con N : int {N ≥ 0}; f : array [0..N] of int; var x : int;
   maxlocation
   {0 ≤ x ≤ N ∧ f.x = (max i : 0 ≤ i ≤ N : f.i)}
]|.

The post-condition may be rewritten as

   0 ≤ x ≤ N ∧ (∀ i : 0 ≤ i ≤ N : f.i ≤ f.x)

In order to use Searching by Elimination we define S by

   S.x ≡ (∀ i : 0 ≤ i ≤ N : f.i ≤ f.x)


Then

   ¬S.a ∨ S.b
=    { predicate calculus }
   S.a ⇒ S.b
=    { definition of S }
   (∀ i : 0 ≤ i ≤ N : f.i ≤ f.a) ⇒ (∀ i : 0 ≤ i ≤ N : f.i ≤ f.b)
⇐    { transitivity of ≤ }
   f.a ≤ f.b

Hence, f.a ≤ f.b ⇒ ¬S.a ∨ S.b and, by symmetry, f.b ≤ f.a ⇒ ¬S.b ∨ S.a as well. This leads to the following solution to maxlocation

|[ var a, b : int;
   a,b := 0,N
   ; do a ≠ b
     → if f.a ≤ f.b → a := a + 1 [] f.b ≤ f.a → b := b − 1 fi
     od
   ; x := a
]|
{0 ≤ x ≤ N ∧ f.x = (max i : 0 ≤ i ≤ N : f.i)}

Our second example is known as the celebrity problem. It is described as follows.

Among N+1 persons, a celebrity is someone who is known by everyone, but does not know anyone. This relation between persons is represented by a boolean matrix k:

   k.i.j ≡ person i knows person j

Knowing that a celebrity exists among these persons, one is asked to determine such a celebrity. A formal specification is

|[ con N : int {N ≥ 0}; k : array [0..N] × [0..N] of bool;
   {(∃ i : 0 ≤ i ≤ N : (∀ j : j ≠ i : k.j.i ∧ ¬k.i.j))}
   var x : int;
   celebrity
   {0 ≤ x ≤ N ∧ (∀ j : j ≠ x : k.j.x ∧ ¬k.x.j)}
]|.


We choose S.x ≡ (∀ j : j ≠ x : k.j.x ∧ ¬k.x.j) and we derive

   ¬S.a ∨ S.b
⇐    { predicate calculus }
   ¬S.a
=    { definition of S }
   ¬(∀ j : j ≠ a : k.j.a ∧ ¬k.a.j)
=    { De Morgan }
   (∃ j : j ≠ a : ¬k.j.a ∨ k.a.j)
⇐    { b ≠ a }
   ¬k.b.a ∨ k.a.b

By symmetry, ¬S.b ∨ S.a ⇐ ¬k.a.b ∨ k.b.a. Since k.a.b ∨ ¬k.a.b ≡ true, we strengthen the guards slightly, thereby destroying the symmetry, and we obtain as solution

|[ var a, b : int;
   a,b := 0,N
   ; do a ≠ b
     → if k.a.b → a := a + 1 [] ¬k.a.b → b := b − 1 fi
     od
   ; x := a
]|.
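The two instances of scheme (1) above, maxlocation and celebrity, as an added Python example (not the book's code). The scheme is written once, with the guard ¬S.a ∨ S.b supplied as a function drop_a; the function names and the sample data are constructed here.

```python
from typing import Callable, Sequence


def search_by_elimination(n: int, drop_a: Callable[[int, int], bool]) -> int:
    """Searching by Elimination (1) on W = [0..n], V = [a..b].

    drop_a(a, b) must imply the guard (not S.a or S.b): a may be removed.
    When drop_a(a, b) is False, (not S.b or S.a) must hold: b may be removed.
    Pre: (exists i : 0 <= i <= n : S.i).  Post: S.x for the returned x.
    Invariant: S meets [a..b] and 0 <= a <= b <= n.  Bound: b - a.
    """
    a, b = 0, n
    while a != b:
        if drop_a(a, b):
            a += 1
        else:
            b -= 1
    return a                      # the unique element of V


def maxlocation(f: Sequence[int]) -> int:
    """Index x with f.x = (max i :: f.i).  The derivation gives
    f.a <= f.b  =>  not S.a or S.b, and symmetrically for b."""
    return search_by_elimination(len(f) - 1, lambda a, b: f[a] <= f[b])


def celebrity(k: Sequence[Sequence[bool]]) -> int:
    """k[i][j] == 'person i knows person j'.  Pre: a celebrity exists.
    k.a.b => not S.a (a knows somebody), so a is dropped; otherwise
    not k.a.b => not S.b (b is not known by a), so b is dropped."""
    return search_by_elimination(len(k) - 1, lambda a, b: k[a][b])


def is_celebrity(k: Sequence[Sequence[bool]], x: int) -> bool:
    """Direct check of the post-condition (forall j : j != x : k.j.x and not k.x.j)."""
    return all(k[j][x] and not k[x][j] for j in range(len(k)) if j != x)


if __name__ == "__main__":
    f = [3, 9, 2, 9, 1]                              # constructed sample
    print(maxlocation(f), f[maxlocation(f)])         # an index holding 9
    # constructed: person 2 knows nobody and is known by everyone else
    T, F = True, False
    k = [[F, T, T, F],
         [F, F, T, F],
         [F, F, F, F],
         [T, F, T, F]]
    print(celebrity(k), is_celebrity(k, celebrity(k)))   # 2 True
```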

Exercises

0. Derive a program that non-deterministically computes a number in the range [0..N], N ≥ 0.

1. Derive from general program scheme (0) a scheme for which W = [0..N] and V is represented by integers a and b such that 0 ≤ a < b ≤ N+1 and V = {a} ∪ [b..N].

2. What changes have to be made to the program schemes such that they satisfy

   pre-condition: W ≠ ∅
   post-condition: S ≠ ∅ ⇒ S.x


3. Solve the bounded linear search problem of Section 6.2 by application of Searching by Elimination.

4. The starting pit location problem is stated as follows. There are N+1 pits located along a circular race-track. The pits are numbered clockwise from 0 up to and including N. At pit i, there are p.i gallons of petrol available. To race from pit i to its clockwise neighbour one needs q.i gallons of petrol. One is asked to determine a pit from which it is possible to race a complete lap, starting with an empty fuel tank. To guarantee the existence of such a starting pit it is given that

   (Σ i : 0 ≤ i ≤ N : p.i) = (Σ i : 0 ≤ i ≤ N : q.i)

   A formal specification of the problem is

   |[ con N : int {N ≥ 0}; p, q : array [0..N] of int;
      {(Σ i : 0 ≤ i ≤ N : p.i) = (Σ i : 0 ≤ i ≤ N : q.i)}
      var x : int;
      starting pit location
      {0 ≤ x ≤ N ∧ (∀ i : 0 ≤ i ≤ N : D.x.i ≥ 0)}
   ]|,

   where D.i.j is the difference of the number of gallons provided and the number of gallons needed, when racing from pit i to pit j in clockwise direction:

   D.i.j = (Σ k : k from i up to and not including j in clockwise direction : p.k − q.k)

Chapter 7

Segment Problems

7.0 Introduction

In this chapter we illustrate programming by so-called segment problems. Such problems involve the computation of a longest or shortest segment that satisfies a certain predicate, usually defined in terms of a given array. Many attempts have been made (and are still made) to classify these problems with respect to the predicates that define the segments one is interested in. In this chapter we do not classify these problems nor do we provide general program schemes that can be applied to all kinds of segment problems. Of course, some general aspects of this type of problem will emerge during our treatment.

The purpose of this chapter is to show how problems may be solved, what decisions are made in the derivations and which properties play a specific role. The techniques used in this chapter are applicable to other classes of programming problems as well.

In Chapter 8 we apply a technique called Slope Search to segment problems. That technique yields another way in which these problems may be solved.

7.1 Longest segments

Let N ≥ 0 and let X[0..N) be an integer array. We are interested in the length of a longest subsegment [p..q) of [0..N) that satisfies a certain predicate defined in terms of X. Examples of such predicates are

   (∀ i : p ≤ i < q : X.i = 0)                  all elements are zero,
   (∀ i : p ≤ i < q : X.p ≤ X.i)                the segment is left-minimal,
   (# i : p ≤ i < q : X.i = 0) ≤ 10             the segment contains at most 10 zeros,


   (∀ i,j : p ≤ i < j < q : X.i ≠ X.j)          all values are different.

In the following sections we solve these problems. Each of them has its own characteristics.

7.1.0 All zeros

As a first example we solve the problem of determining the length of a longest segment that contains zeros only. It is about the simplest longest segment problem one can imagine and, hence, it is very well suited to illustrating the calculations that are typical for this kind of problem. A formal specification of this problem is

|[ con N : int {N ≥ 0}; X : array [0..N) of int;
   var r : int;
   all zeros
   {r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ (∀ i : p ≤ i < q : X.i = 0) : q−p)}
]|.

Our first step is the introduction of a name for (∀ i : p ≤ i < q : X.i = 0). This does not only abbreviate the post-condition, but, more importantly, it enables us to find out which parts of the derivation are independent of the specific form of the predicate. For 0 ≤ p ≤ q ≤ N we define A.p.q by

   A.p.q ≡ (∀ i : p ≤ i < q : X.i = 0)

Post-condition R may then be written as

   R: r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)

What can be said about predicate A? Its term, X.i = 0, does not depend on p or q. It holds for empty segments, i.e.,

   (0) A.n.n for 0 ≤ n ≤ N                                   (A holds for empty segments)

A is prefix-closed, i.e., if a segment satisfies A then all prefixes of that segment satisfy A:

   (1) A.p.q ⇒ (∀ i : p ≤ i ≤ q : A.p.i) for 0 ≤ p ≤ q ≤ N   (A is prefix-closed)

and A is postfix-closed:

   (2) A.p.q ⇒ (∀ i : p ≤ i ≤ q : A.i.q) for 0 ≤ p ≤ q ≤ N   (A is postfix-closed)


Since the term, X.i = 0, in A neither depends on p nor on q, it does not matter whether we replace in R the constant 0 or the constant N by a variable. We propose as invariants P0 and P1 defined by

   P0: r = (max p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)

and

   P1: 0 ≤ n ≤ N

For the initialization, we derive

   (max p,q : 0 ≤ p ≤ q ≤ 0 ∧ A.p.q : q−p)
=    { calculus }
   (max p,q : p = 0 ∧ q = 0 ∧ A.p.q : q−p)
=    { A.0.0, cf. (0) }
   0

from which we infer that P0 ∧ P1 is initialized by n,r := 0,0. Note that we used (0).

For an increase of n by 1 we derive, assuming P0 ∧ P1 ∧ n ≠ N,

   (max p,q : 0 ≤ p ≤ q ≤ n+1 ∧ A.p.q : q−p)
=    { split off q = n+1 }
   (max p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)
   max (max p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : n+1−p)
=    { P0 }
   r max (max p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : n+1−p)
=    { + distributes over max for a non-empty range, A.(n+1).(n+1), cf. (0) }
   r max (n+1 + (max p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : −p))
=    { property of max and min }
   r max (n+1 − (min p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : p))

leading to the introduction of integer variable s and accompanying invariant

   Q: s = (min p : 0 ≤ p ≤ n ∧ A.p.n : p)

(Why is s not defined as s = (min p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : p)?) From

   (min p : 0 ≤ p ≤ 0 ∧ A.p.0 : p) = 0


we infer that s should be initialized at zero and we obtain a program of the following form.

{N ≥ 0 ∧ (∀ n : 0 ≤ n ≤ N : A.n.n)}
n,r,s := 0,0,0
{invariant: P0 ∧ P1 ∧ Q, bound: N − n}
; do n ≠ N
  → 'establish Q(n := n+1)'
    ; r := r max (n+1−s)
    ; n := n+1
  od
{r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}

This scheme leaves 'establish Q(n := n+1)' as a subproblem. Since A holds for empty segments, the range of the quantification in Q is non-empty and Q can be written as the conjunction of Q0, Q1, and Q2, defined as

   Q0: 0 ≤ s ≤ n
   Q1: A.s.n
   Q2: (∀ p : 0 ≤ p < s : ¬A.p.n)

Since A is prefix-closed, we have ¬A.p.n ⇒ ¬A.p.(n+1) for 0 ≤ p < n, and, hence, Q2 ⇒ Q2(n := n+1). We have Q0 ⇒ Q0(n := n+1) as well and we conclude

   Q0 ∧ Q2 ∧ A.s.(n+1) ⇒ Q(n := n+1)

The fact that Q2(n := n+1) is implied by Q2 has another consequence. From

   Q2(n := n+1) = (∀ p : 0 ≤ p < s : ¬A.p.(n+1))

we infer

   Q2 ⇒ (min p : 0 ≤ p ≤ n+1 ∧ A.p.(n+1) : p) ≥ s


Only the values p for which s ≤ p ≤ n+1 have to be investigated. For p = n+1 we know that A.p.(n+1) holds, so we usually start our investigations with the calculation of A.p.(n+1) for s ≤ p ≤ n.

We return to all zeros, for which A.p.q ≡ (∀ i : p ≤ i < q : X.i = 0), and we compute A.p.(n+1) for s ≤ p ≤ n:

   A.p.(n+1)
=    { definition of A }
   (∀ i : p ≤ i < n+1 : X.i = 0)
=    { split off i = n, p ≤ n }
   (∀ i : p ≤ i < n : X.i = 0) ∧ X.n = 0
=    { definition of A }
   A.p.n ∧ X.n = 0

Hence,

   Q ∧ X.n = 0 ⇒ Q(n := n+1)

and

   X.n ≠ 0 ⇒ (∀ p : s ≤ p ≤ n : ¬A.p.(n+1))

from which we infer, since A.(n+1).(n+1) holds,

   X.n ≠ 0 ⇒ Q(n := n+1)(s := n+1)

This leads to the following solution to all zeros:

|[ var n, s : int;
   n,r,s := 0,0,0
   ; do n ≠ N
     → if X.n = 0 → skip
       [] X.n ≠ 0 → s := n+1
       fi
       ; r := r max (n+1−s)
       ; n := n+1
     od
]|.

Note that we did not use the postfix-closedness of A.


7.1.1 Left-minimal segments

As another example of the approach outlined in the previous section, we consider the problem of the computation of the length of a longest segment that is left-minimal. Its formal specification is

|[ con N : int {N ≥ 0}; X : array [0..N) of int; var r : int;
   S
   {r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ (∀ i : p ≤ i < q : X.p ≤ X.i) : q−p)}
]|.

As before, we start with the introduction of A and define for 0 ≤ p ≤ q ≤ N

   A.p.q ≡ (∀ i : p ≤ i < q : X.p ≤ X.i)

Evidently, the term in A.p.q depends on p and does not depend on q. However, the following properties of A.p.q do hold:

   (0) A.n.n for 0 ≤ n ≤ N                                   (A holds for empty segments)

and

   (1) A.p.q ⇒ (∀ i : p ≤ i ≤ q : A.p.i) for 0 ≤ p ≤ q ≤ N   (A is prefix-closed)

But A is not postfix-closed and the derivation of a program based on a replacement of the constant 0 by a variable is quite difficult, as the reader may verify. As in the previous section we define P0, P1, and Q (the conjunction of Q0, Q1, and Q2) as

   P0: r = (max p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)
   P1: 0 ≤ n ≤ N
   Q0: 0 ≤ s ≤ n
   Q1: A.s.n
   Q2: (∀ p : 0 ≤ p < s : ¬A.p.n)

Since A is prefix-closed, we have, as before,

   Q0 ∧ Q2 ∧ A.s.(n+1) ⇒ Q(n := n+1)

We derive, assuming Q ∧ 0 ≤ n < N, for s ≤ p ≤ n


   A.p.(n+1)
=    { definition of A }
   (∀ i : p ≤ i < n+1 : X.p ≤ X.i)
=    { split off i = n, p ≤ n < n+1 }
   (∀ i : p ≤ i < n : X.p ≤ X.i) ∧ X.p ≤ X.n
=    { definition of A }
   A.p.n ∧ X.p ≤ X.n

hence,

   Q ∧ X.s ≤ X.n ⇒ Q(n := n+1)

When X.n < X.s, we have, starting with the last line of the derivation above,

   A.p.n ∧ X.p ≤ X.n
⇒    { X.n < X.s }
   X.p < X.s
=    { Q1, definition of A.s.n }
   X.p < X.s ∧ (∀ i : s ≤ i < n : X.s ≤ X.i)
⇒    { s ≤ p ≤ n, X.n < X.s }
   p = n

from which we infer

   Q ∧ X.s > X.n ⇒ Q(n := n+1)(s := n)

It is now easy to code the program:

|[ var n, s : int;
   n,r,s := 0,0,0
   ; do n ≠ N
     → if X.s ≤ X.n → skip
       [] X.s > X.n → s := n
       fi
       ; r := r max (n+1−s)
       ; n := n+1
     od
]|.


7.1.2 At most ten zeros

In this section we discuss a variation on the previous approach. Reconsider the program scheme of Section 7.1.0 in which 'establish Q(n := n+1)' has to be refined. We assume that A is prefix-closed and holds for empty segments.

The pre-condition of 'establish Q(n := n+1)' is Q, the conjunction of

   Q0: 0 ≤ s ≤ n
   Q1: A.s.n
   Q2: (∀ p : 0 ≤ p < s : ¬A.p.n)

As stated before, we have Q0 ⇒ Q0(n := n+1) and, since A is prefix-closed, we have Q2 ⇒ Q2(n := n+1) as well. Thus, Q implies

   0 ≤ s ≤ n+1 ∧ (∀ p : 0 ≤ p < s : ¬A.p.(n+1))

which may be used as invariant for a repetition with guard ¬A.s.(n+1) and bound function n+1−s (the invariance of s ≤ n+1 follows from A.(n+1).(n+1)). Substitution of this linear search in the program scheme results in the program below.

n,r,s := 0,0,0
; do n ≠ N
  → do ¬A.s.(n+1) → s := s+1 od
    ; r := r max (n+1−s)
    ; n := n+1
  od
{r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}

To determine the time complexity of this 'program', we add ghost variable t:

n,r,s := 0,0,0 ; t := 0
; do n ≠ N
  → do ¬A.s.(n+1) → s := s+1 ; t := t+1 od
    ; r := r max (n+1−s)
    ; n := n+1 ; t := t+1
  od


Variable t is initialized at 0 and is incremented in each step of the outer repetition and in each step of the inner repetition. Hence, the final value of t is a good measure for the time complexity of the program. When s is incremented by 1 then t is incremented by 1 and the same holds for n and t. Thus, the value of t − s − n is not changed during execution of the program. Initially this value is zero. Thus,

   t = s + n

is an invariant of the program and holds initially. Since s ≤ n ≤ N is also an invariant of the repetitions, we have

   t ≤ 2N

from which we conclude that the time complexity is O(N). In this discussion we have assumed that ¬A.s.(n+1) can be evaluated in constant time. If this is not the case, refinement of this expression may lead to a final program that is not linear at all.

We use this scheme for the derivation of a program for the computation of the length of a longest segment that contains at most 10 zeros. Its formal specification is

|[ con N : int {N ≥ 0}; X : array [0..N) of int; var r : int;
   S
   {r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ (# i : p ≤ i < q : X.i = 0) ≤ 10 : q−p)}
]|.

With A.p.q defined as (# i : p ≤ i < q : X.i = 0) ≤ 10, we have for 0 ≤ s ≤ n < N

   ¬A.s.(n+1)
=    { definition of A }
   (# i : s ≤ i < n+1 : X.i = 0) > 10

We introduce variable c and accompanying invariant Q' defined by

   Q': c = (# i : s ≤ i < n : X.i = 0)

Provided that Q'(n := n+1), we may replace ¬A.s.(n+1) by c > 10.

From (# i : 0 ≤ i < 0 : X.i = 0) = 0 we conclude that c should be initialized at 0. We obtain the following O(N) solution.


|[ var n, s, c : int;
   n,r,s,c := 0,0,0,0
   ; do n ≠ N
     → if X.n = 0 → c := c+1 [] X.n ≠ 0 → skip fi
       {c = (# i : s ≤ i < n+1 : X.i = 0)}
       ; do c > 10
         → if X.s = 0 → c := c−1 [] X.s ≠ 0 → skip fi
           ; s := s+1
         od
       ; r := r max (n+1−s)
       ; n := n+1
     od
]|.

The derivations of the selection statements in this program are straightforward and have been left to the reader.

7.1.3 All elements different

Our final example is a problem for which we derive a quadratic solution, despite the fact that the defining predicate holds for empty segments, is prefix-closed and is postfix-closed. The problem is to determine for a sequence X the length of a longest segment in which all values are different. (Using more sophisticated data structures an O(N log N) solution to this problem can be derived. However, the treatment of such data structures is beyond the scope of this book.) A formal specification of the problem is

|[ con N : int {N ≥ 0}; X : array [0..N) of int; var r : int;
   S
   {r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
]|,

where for 0 ≤ p ≤ q ≤ N

   A.p.q ≡ (∀ i,j : p ≤ i < j < q : X.i ≠ X.j)


Verify that A is prefix-closed, postfix-closed and holds for empty segments. We define P0, P1 and Q as before and we consider 'establish Q(n := n+1)'. Its pre-condition is

   Q0: 0 ≤ s ≤ n
   Q1: A.s.n
   Q2: (∀ p : 0 ≤ p < s : ¬A.p.n)

Since A is prefix-closed, Q2 implies (∀ p : 0 ≤ p < s : ¬A.p.(n+1)). Furthermore,

   A.s.(n+1)
=    { definition of A }
   (∀ i,j : s ≤ i < j < n+1 : X.i ≠ X.j)
=    { split off j = n }
   (∀ i,j : s ≤ i < j < n : X.i ≠ X.j) ∧ (∀ i : s ≤ i < n : X.i ≠ X.n)
=    { definition of A }
   A.s.n ∧ (∀ i : s ≤ i < n : X.i ≠ X.n)

Hence, Q(n := n+1) is the conjunction of the following four predicates:

   0 ≤ s ≤ n+1
   A.s.n
   (∀ i : s ≤ i < n : X.i ≠ X.n)
   (∀ p : 0 ≤ p < s : ¬A.p.(n+1))

The first, second, and last conjunct are implied by Q and the third conjunct holds for s = n. As we did for the Bounded Linear Search, we introduce a fresh variable h and we define invariant U as the conjunction of U0, U1, U2, and U3:

   U0: s ≤ h ≤ n+1
   U1: A.s.n
   U2: (∀ i : h ≤ i < n : X.i ≠ X.n)
   U3: (∀ p : 0 ≤ p < s : ¬A.p.(n+1))

These are initialized by h := n. As guard we choose, of course, h ≠ s. Since A is postfix-closed, s := h maintains U1. A straightforward calculation yields

   U ∧ h ≠ s ∧ X.(h−1) ≠ X.n ⇒ U(h := h−1)
   U ∧ h ≠ s ∧ X.(h−1) = X.n ⇒ U(s := h)


and we obtain as solution:

|[ var n, s : int;
   n,r,s := 0,0,0
   ; do n ≠ N
     → |[ var h : int;
          h := n
          ; do h ≠ s
            → if X.(h−1) ≠ X.n → h := h−1
              [] X.(h−1) = X.n → s := h
              fi
            od
        ]|
       ; r := r max (n+1−s)
       ; n := n+1
     od
]|.

This program has time complexity O(N²).
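The four programs of Section 7.1 (all zeros, left-minimal, at most ten zeros, all elements different) as an added Python example, not the book's code. longest_brute evaluates the post-condition directly, so each linear or quadratic program can be checked against it; the function names and the sample arrays are constructed here.

```python
from typing import Callable, Sequence


def longest_brute(x: Sequence[int], a: Callable[[int, int], bool]) -> int:
    """The post-condition itself: (max p,q : 0 <= p <= q <= N and A.p.q : q-p)."""
    n = len(x)
    return max(q - p for p in range(n + 1) for q in range(p, n + 1) if a(p, q))


def all_zeros(x: Sequence[int]) -> int:
    """7.1.0: A.p.q = all of x[p..q) are zero.  O(N)."""
    n, r, s = 0, 0, 0
    # P0: r = longest A-segment in x[0..n);  Q: s = (min p : A.p.n : p)
    while n != len(x):
        if x[n] != 0:
            s = n + 1                 # no segment ending at n+1 may contain x[n]
        r = max(r, n + 1 - s)
        n += 1
    return r


def left_minimal(x: Sequence[int]) -> int:
    """7.1.1: A.p.q = x[p] <= every element of x[p..q).  O(N)."""
    n, r, s = 0, 0, 0
    while n != len(x):
        if x[s] > x[n]:
            s = n                     # only p = n survives (empty prefix)
        r = max(r, n + 1 - s)
        n += 1
    return r


def at_most_k_zeros(x: Sequence[int], k: int = 10) -> int:
    """7.1.2: A.p.q = x[p..q) contains at most k zeros.  O(N): the inner
    linear search advances s while c = #zeros in x[s..n] exceeds k."""
    n, r, s, c = 0, 0, 0, 0
    while n != len(x):
        if x[n] == 0:
            c += 1
        while c > k:                  # guard not A.s.(n+1), bound n+1-s
            if x[s] == 0:
                c -= 1
            s += 1
        r = max(r, n + 1 - s)
        n += 1
    return r


def all_different(x: Sequence[int]) -> int:
    """7.1.3: A.p.q = all values in x[p..q) differ.  O(N^2): h walks down
    from n until x[h-1] == x[n] (then s := h) or h == s."""
    n, r, s = 0, 0, 0
    while n != len(x):
        h = n
        while h != s:                 # U: s <= h <= n+1, x[h..n) avoids x[n]
            if x[h - 1] != x[n]:
                h -= 1
            else:
                s = h
        r = max(r, n + 1 - s)
        n += 1
    return r


if __name__ == "__main__":
    X = [0, 0, 3, 0, 0, 0, 2, 0]                     # constructed samples
    Y = [0, 1, 0, 0, 2, 0]
    Z = [5, 3, 4, 6, 2, 8, 9]
    print(all_zeros(X), all_different(X))            # 3 2
    print(at_most_k_zeros(Y, 2), left_minimal(Z))    # 4 3
```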

Exercises

Derive an O(N) solution to

|[ con N : int {N ≥ 1}; X : array [0..N) of int; var r : int;
   S
   {r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
]|.

where A.p.q is defined as

0. (∀ i,j : p ≤ i ≤ j < q : X.i = X.j)

1. X[p..q) is increasing.

2. (∀ i : p ≤ i < q : X.i ≤ X.(q−1))

3. (# i : p ≤ i < q : X.i = 0) = 2

4. The product of any two elements of X[p..q) is at least zero.

5. X[p..q) is monotonic (i.e. ascending or descending).

6. (Σ i : p ≤ i < q : X.i) mod 3 = 0

The following exercises are more complicated and may be skipped at first reading.

7. X[p..q) contains at most two distinct values.

8. (∀ i : p ≤ i < q : |X.p| ≥ X.i)

9. (∀ i,j : p ≤ i ≤ j < q : 0 ≤ X.i − X.j ≤ 1)

10. (∀ i,j : p ≤ i ≤ j < q : |X.i − X.j| ≤ 1)

11. (∀ i,j : p ≤ i ≤ j < q : X.i − X.j ≤ 1)

7.2 Shortest segments

We present only one example of a shortest segment problem. In this section we show that the approach for longest segment problems may lead to rather complicated solutions when applied to a shortest segment problem. This section may be skipped at first reading: in Chapter 8 the same problem is solved in a much better way.

The problem is to compute the length of a shortest segment that contains at least two zeros. It is formally specified as

|[ con N : int {N ≥ 0}; X : array [0..N) of int; var r : int;
   S
   {r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
]|.

where, for 0 ≤ p ≤ q ≤ N,

   A.p.q ≡ (# i : p ≤ i < q : X.i = 0) ≥ 2

It is not known whether segments satisfying A exist. When, for instance, X[0..N) does not contain a zero then the post-condition is r = ∞.

Predicate A does not hold for empty segments, is not prefix-closed and not postfix-closed. However, ¬A, defined by (¬A).p.q ≡ ¬(A.p.q), does have these properties.


The duality between longest and shortest segment problems is studied in more detail in Chapter 8.

One may try to derive a program along the same lines as we did for longest segments by defining

   P0: r = (min p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)
   P1: 0 ≤ n ≤ N
   Q: s = (max p : 0 ≤ p ≤ n ∧ A.p.n : p)

Redoing all calculations of Section 7.1.0 with max replaced by min and vice versa does not work. The problem is that the ranges of the quantifications may be empty and, hence, no distribution of + over min can be applied. We conclude that if we want to stick to the approach of the previous sections, we should ensure that the ranges in the quantifications are non-empty. Then all results of the preceding sections may be used (with the replacements indicated above). Note that A.0.n guarantees that the ranges are non-empty. Thus, we arrive at the following program scheme:

'establish P0 ∧ P1 ∧ Q ∧ A.0.n'
{invariant: P0 ∧ P1 ∧ Q ∧ A.0.n, bound: N − n}
; do n ≠ N
  → 'establish Q(n := n+1)'
    ; r := r min (n+1−s)
    ; n := n+1
  od
{r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}

We postpone the discussion of 'establish P0 ∧ P1 ∧ Q ∧ A.0.n' and we consider 'establish Q(n := n+1)' first. We derive

   Q
=    { definition of Q }
   s = (max p : 0 ≤ p ≤ n ∧ A.p.n : p)
=    { A.0.n, hence, the range is non-empty }
   0 ≤ s ≤ n ∧ A.s.n ∧ (∀ p : s < p ≤ n : ¬A.p.n)
=    { definition of A }


   0 ≤ s ≤ n ∧ (# i : s ≤ i < n : X.i = 0) ≥ 2 ∧ (# i : s < i < n : X.i = 0) < 2
=    { calculus }
   0 ≤ s < n ∧ X.s = 0 ∧ (# i : s < i < n : X.i = 0) = 1

and, hence,

   Q(n := n+1) = 0 ≤ s < n+1 ∧ X.s = 0 ∧ (# i : s < i < n+1 : X.i = 0) = 1

Evidently

   Q ∧ X.n ≠ 0 ⇒ Q(n := n+1)

whereas

   Q ∧ X.n = 0 ⇒ (# i : s < i < n+1 : X.i = 0) = 2

In the latter case s should be replaced by the unique t, s < t < n, for which X.t = 0. This leads to the introduction of variable t with accompanying invariant Q' defined by

   Q': s < t < n ∧ X.t = 0

Then

   Q ∧ Q' ∧ X.n ≠ 0 ⇒ X.s = 0 ∧ X.t = 0 ∧ (# i : s < i < n+1 : X.i = 0) = 1

and

   Q ∧ Q' ∧ X.n = 0 ⇒ X.t = 0 ∧ X.n = 0 ∧ (# i : t < i < n+1 : X.i = 0) = 1

which yields for 'establish Q(n := n+1)'

   if X.n ≠ 0 → skip [] X.n = 0 → s,t := t,n fi

The only thing that is left to be done is 'establish P0 ∧ P1 ∧ Q ∧ Q''. Let us summarize these invariants.

   P0: r = (min p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)
   P1: 0 ≤ n ≤ N
   Q: s = (max p : 0 ≤ p ≤ n ∧ A.p.n : p)
   Q': s < t < n ∧ X.t = 0


When X[0..N) contains less than two zeros, these invariants cannot be established. Thus, we perform case analysis and we introduce integer variable c for which

   c = (# i : 0 ≤ i < n : X.i = 0) ∧ c ≤ 2 ∧ (c = 2 ∨ n = N)

is the post-condition of a repetition. Its derivation is straightforward. When c < 2 then ∞ is assigned to r, otherwise P1, Q, and Q' are initialized such that

   n−s = (min p,q : 0 ≤ p ≤ q ≤ n ∧ A.p.q : q−p)

Since a more elegant solution is derived in Chapter 8, we do not show the calculations and we present the resulting program:

|[ var n, c : int;
   n,c := 0,0
   ; do n ≠ N ∧ c ≠ 2
     → if X.n = 0 → c := c+1 [] X.n ≠ 0 → skip fi
       ; n := n+1
     od
   ; if c < 2 → r := ∞
     [] c = 2
     → |[ var s, t : int;
          s := 0 ; do X.s ≠ 0 → s := s+1 od
          ; t := s+1 ; do X.t ≠ 0 → t := t+1 od
          ; n := t+1
          ; r := n−s
          ; do n ≠ N
            → if X.n ≠ 0 → skip [] X.n = 0 → s,t := t,n fi
              ; r := r min (n+1−s)
              ; n := n+1
            od
        ]|
     fi
]|.
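The resulting program above as an added Python example (not the book's code), with r = ∞ represented by math.inf and a direct evaluation of the post-condition beside it for comparison; the function names and the sample arrays are constructed here.

```python
import math
from typing import Sequence, Union


def shortest_two_zeros(x: Sequence[int]) -> Union[int, float]:
    """Length of a shortest segment of x[0..N) containing at least two zeros;
    math.inf when there is none (the book's r = infinity)."""
    N = len(x)
    n, c = 0, 0
    # c = number of zeros in x[0..n), c <= 2; stop when c = 2 or n = N
    while n != N and c != 2:
        if x[n] == 0:
            c += 1
        n += 1
    if c < 2:
        return math.inf
    # establish P0, P1, Q, Q': s and t are the first two zeros, n = t+1
    s = 0
    while x[s] != 0:
        s += 1
    t = s + 1
    while x[t] != 0:
        t += 1
    n = t + 1
    r = n - s
    # Q: s = (max p : A.p.n : p), so x[s..n) holds exactly two zeros, the
    # later one at t (Q');  P0: r = shortest A-segment inside x[0..n)
    while n != N:
        if x[n] == 0:
            s, t = t, n                # the two most recent zeros
        r = min(r, n + 1 - s)
        n += 1
    return r


def shortest_brute(x: Sequence[int]) -> Union[int, float]:
    """The post-condition itself:
    (min p,q : 0 <= p <= q <= N and #zeros in x[p..q) >= 2 : q-p)."""
    N = len(x)
    lengths = (q - p for p in range(N + 1) for q in range(p, N + 1)
               if sum(1 for v in x[p:q] if v == 0) >= 2)
    return min(lengths, default=math.inf)


if __name__ == "__main__":
    # constructed samples, including one with fewer than two zeros
    for sample in ([0, 1, 0, 2, 0], [5, 0, 0], [1, 0, 2], [0, 1, 1, 0, 0, 1]):
        print(sample, shortest_two_zeros(sample), shortest_brute(sample))
```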


Exercises

0. Solve

   |[ con N : int {N ≥ 0}; X : array [0..N) of int; {(∀ i : 0 ≤ i < N : 0 ≤ X.i ≤ 2)}
      var r : int;
      S
      {r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
   ]|.

   where A.p.q is defined as

   values 0, 1, and 2 occur in X[p..q).

Chapter 8

Slope Search

8.0 Introduction

Slope Search, also known as Saddleback Search, is a technique which is applicable to a large class of problems that involve quantifications over two bound variables, i.e., over an area contained in ℤ × ℤ. In most applications the term of such a quantification is a monotonic function of the bound variables, for instance, ascending in both variables or increasing in one variable and decreasing in the other variable. Examples are the longest and shortest segment problems discussed in Chapter 7. For these problems the term is q − p, which is an increasing function of q and a decreasing function of p.

In Section 8.1 we discuss the basic principle of the slope search and we provide various examples of its use. In Section 8.2 slope search is applied to segment problems.

8.1 The basic principle

Let M and N be natural numbers and let array f : [0..M] × [0..N] → ℤ be ascending in both arguments, i.e.,

   (∀ i : 0 ≤ i ≤ M : (∀ j : 0 ≤ j < N : f.i.j ≤ f.i.(j+1)))
   ∧ (∀ j : 0 ≤ j ≤ N : (∀ i : 0 ≤ i < M : f.i.j ≤ f.(i+1).j))

Assume that a value X occurs in f, i.e.,

   (∃ i,j : 0 ≤ i ≤ M ∧ 0 ≤ j ≤ N : f.i.j = X)

We are asked to derive a program that establishes for integer variables a and b

   0 ≤ a ≤ M ∧ 0 ≤ b ≤ N ∧ f.a.b = X


Array f is ascending in both arguments. Hence, f has its minimum in (0,0) and its maximum in (M,N). Since X occurs in f, we have

f.0.0 ≤ X ≤ f.M.N

Having this information, it does not help much to inspect f.0.0 or f.M.N. Two other points of [0..M] × [0..N] are possible candidates for inspection: (0,N) and (M,0). We consider (0,N). Since f is ascending in its first argument, we have

f.0.N = (min i : 0 ≤ i ≤ M : f.i.N)

hence,

f.0.N > X ⇒ (∀i : 0 ≤ i ≤ M : f.i.N > X)

i.e., when f.0.N > X then the search area may be reduced to [0..M] × [0..N−1]. Since f is ascending in its second argument, we have

f.0.N = (max j : 0 ≤ j ≤ N : f.0.j)

hence,

f.0.N < X ⇒ (∀j : 0 ≤ j ≤ N : f.0.j < X)

i.e., when f.0.N < X then the search area may be reduced to [1..M] × [0..N].

We formalize this discussion as follows. Let I and J be such that

0 ≤ I ≤ M ∧ 0 ≤ J ≤ N ∧ f.I.J = X

The 'search area' is characterized by (I,J) ∈ [a..M] × [0..b] or, equivalently, we choose as invariant for a repetition

P: 0 ≤ a ≤ I ∧ J ≤ b ≤ N

which is established by a, b := 0, N. The reduction of the search area in terms of P is given by the following derivations.

f.a.b < X
⇒ {f is ascending in its second argument, J ≤ b}
f.a.J < X
⇒ {f.I.J = X}
a ≠ I
⇒ {P, in particular, a ≤ I}
a+1 ≤ I


and

f.a.b > X
⇒ {f is ascending in its first argument, a ≤ I}
f.I.b > X
⇒ {f.I.J = X}
b ≠ J
⇒ {P, in particular, J ≤ b}
J ≤ b−1

We conclude

P ∧ f.a.b < X ⇒ P(a := a+1) and P ∧ f.a.b > X ⇒ P(b := b−1)

This yields the following solution:

a, b := 0, N {invariant: P, bound: N − a + b}
;do f.a.b < X → a := a+1 [] f.a.b > X → b := b−1 od
{f.a.b = X}

This program has time complexity O(M+N). A similar program is obtained when we choose (M,0) as starting point.

An operational interpretation of this technique is the following. The three-dimensional surface z = f.x.y has as lowest point (0, 0, f.0.0) and as highest point (M, N, f.M.N). Somewhere in between position X occurs. To find that position one should not start at a minimum or at a maximum, but somewhere in between, for instance, at (0, N, f.0.N) or at (M, 0, f.M.0), and move along the slope of the surface in such a way that position X is approximated as well as possible, i.e., by going down when the value is too high and by going up when the value is too low. Because of this interpretation, which will not be pursued any further, this technique is called Slope Search.

Note that the points where f attains its minimum or its maximum are not important. The other two points, that are either the maximum of a row and the minimum of a column, or the minimum of a row and the maximum of a column, are useful. When, for instance, f is ascending in its first argument and descending in its second argument, suitable invariants are 0 ≤ a ≤ I ∧ 0 ≤ b ≤ J or I ≤ a ≤ M ∧ J ≤ b ≤ N.

The reduction of the search area, i.e., the reduction of the problem to a smaller problem of the same form, usually leads to the introduction of a tail invariant. For the above program, we have

(∃i,j : 0 ≤ i ≤ M ∧ 0 ≤ j ≤ N : f.i.j = X)
≡ (∃i,j : a ≤ i ≤ M ∧ 0 ≤ j ≤ b : f.i.j = X)

as tail invariant. In the following sections we use tail invariants of this form.

8.1.0 Searching

In the previous section we solved the problem of searching for a value in a two-dimensional array, given that the value occurs in the array. In this section we consider the following problem: we are given integers M and N, M ≥ 0 ∧ N ≥ 0, and integer array f[0..M)×[0..N) such that f is ascending in both arguments. We are asked to determine whether value X occurs in f. A formal specification is

|[ con M, N, X : int {M ≥ 0 ∧ N ≥ 0}; f : array [0..M)×[0..N) of int; {f is ascending in both arguments}

var r : bool;

S

{r ≡ (∃i,j : 0 ≤ i < M ∧ 0 ≤ j < N : f.i.j = X)}

]|.

Following the strategy explained in the previous section, we define 'tail' G.a.b for 0 ≤ a ≤ M ∧ 0 ≤ b ≤ N by

G.a.b ≡ (∃i,j : a ≤ i < M ∧ 0 ≤ j < b : f.i.j = X)

In terms of G, the post-condition of the specification may be written as

R: r ≡ G.0.N

We introduce integers a and b and define tail invariant P0 by

P0: r ∨ G.a.b ≡ G.0.N

The bounds for a and b are specified by invariant P1:

P1: 0 ≤ a ≤ M ∧ 0 ≤ b ≤ N

A proper initialisation of P0 ∧ P1 is a, b, r := 0, N, false. For a = M ∨ b = 0 the range of the quantification in G is empty, hence,

P0 ∧ (a = M ∨ b = 0)
≡ {definitions of P0 and G}
r ∨ false ≡ G.0.N
≡ {predicate calculus}
r ≡ G.0.N
≡ {definition of R}
R

Furthermore, when r is true, then r ∨ G.a.b ≡ r, hence,

r ∨ G.a.b ≡ G.0.N
≡ {r ∨ G.a.b ≡ r}
r ≡ G.0.N

and we conclude P0 ∧ (a = M ∨ b = 0 ∨ r) ⇒ R. Thus, we choose

a ≠ M ∧ b ≠ 0 ∧ ¬r

as guard of a repetition.

We investigate an increase of a by 1. Assuming 0 ≤ a < M ∧ 0 < b ≤ N, then

G.a.b
≡ {definition of G}
(∃i,j : a ≤ i < M ∧ 0 ≤ j < b : f.i.j = X)
≡ {split off i = a}
G.(a+1).b ∨ (∃j : 0 ≤ j < b : f.a.j = X)
≡ {f is ascending in its second argument, 0 ≤ b−1, assuming f.a.(b−1) < X}
G.(a+1).b ∨ false
≡ {predicate calculus}
G.(a+1).b

Hence,

f.a.(b−1) < X ⇒ (G.a.b ≡ G.(a+1).b)

Similarly, we have for a decrease of b by 1:

G.a.b
≡ {definition of G}
(∃i,j : a ≤ i < M ∧ 0 ≤ j < b : f.i.j = X)
≡ {split off j = b−1}
G.a.(b−1) ∨ (∃i : a ≤ i < M : f.i.(b−1) = X)
≡ {f is ascending in its first argument, a < M, assuming f.a.(b−1) > X}
G.a.(b−1) ∨ false
≡ {predicate calculus}
G.a.(b−1)

Hence,

f.a.(b−1) > X ⇒ (G.a.b ≡ G.a.(b−1))

For the remaining case f.a.(b−1) = X, we derive for 0 ≤ a < M ∧ 0 < b ≤ N

P0 ∧ f.a.(b−1) = X
≡ {definition of P0}
(r ∨ G.a.b ≡ G.0.N) ∧ f.a.(b−1) = X
⇒ {definition of G}
r ∨ true ≡ G.0.N
≡ {predicate calculus}
true ∨ G.a.b ≡ G.0.N
≡ {definition of P0}
P0(r := true)

These derivations lead to the following solution

|[ var a, b : int;
a, b, r := 0, N, false {invariant: P0 ∧ P1, bound: M − a + b + #.¬r}
;do a ≠ M ∧ b ≠ 0 ∧ ¬r
→ if f.a.(b−1) < X → a := a+1 [] f.a.(b−1) > X → b := b−1 [] f.a.(b−1) = X → r := true fi
od
]|.

This program has optimal time complexity O(M+N), which is proved as follows. Let h[0..N] be an integer array, then a program for the computation of

(∃i : 0 ≤ i ≤ N : h.i = X)

has at least time complexity O(N), since any correct program will inspect all h.i in the case that X does not occur in h. Define array f[0..N]×[0..N] by

f.i.j = −∞ if i + j < N
f.i.j = ∞ if i + j > N
f.i.j = h.i if i + j = N

Then f is ascending in both arguments and a correct program for the computation of

(∃i,j : 0 ≤ i ≤ N ∧ 0 ≤ j ≤ N : f.i.j = X)

will inspect all f.i.(N−i) in the case that X does not occur in f.
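The slope search of Sections 8.1 and 8.1.0 together with the lower-bound construction above, as an added example (not the book's program; the helper names and the sample arrays are my own). It counts the elements inspected, so the Θ(N) behaviour on the array built from h can be observed directly.

```python
"""Slope (saddleback) search over a 2-D array ascending in both arguments,
following Section 8.1.0, plus the lower-bound array of the optimality proof.
Added example; helper names are mine, not the book's."""
from typing import List, Tuple

INF = float("inf")   # stands in for the book's oo and -oo


def is_ascending(f: List[List[int]]) -> bool:
    """Check f.i.j <= f.i.(j+1) and f.i.j <= f.(i+1).j on the whole array."""
    m = len(f)
    n = len(f[0]) if m else 0
    rows = all(f[i][j] <= f[i][j + 1] for i in range(m) for j in range(n - 1))
    cols = all(f[i][j] <= f[i + 1][j] for i in range(m - 1) for j in range(n))
    return rows and cols


def slope_search(f: List[List[int]], x: int) -> Tuple[bool, int]:
    """Return (X occurs in f[0..M)x[0..N), number of elements inspected).

    Starts in the corner (0, N) as in the book.  Tail invariant
      P0: r or G.a.b == G.0.N,
      G.a.b == (exists i,j : a <= i < M and 0 <= j < b : f.i.j = X),
    bound M - a + b + #.(not r)."""
    m = len(f)
    n = len(f[0]) if m else 0
    a, b, r = 0, n, False                 # a, b, r := 0, N, false
    probes = 0
    while a != m and b != 0 and not r:    # do a /= M and b /= 0 and not r
        probes += 1
        v = f[a][b - 1]                   # the single element inspected per step
        if v < x:
            a += 1        # row a holds nothing >= X on [0..b): G.a.b == G.(a+1).b
        elif v > x:
            b -= 1        # column b-1 holds nothing <= X on [a..M): G.a.b == G.a.(b-1)
        else:
            r = True      # P0(r := true)
    return r, probes


def brute_force(f: List[List[int]], x: int) -> bool:
    """Reference membership test, used only to check slope_search."""
    return any(v == x for row in f for v in row)


def lower_bound_array(h: List[int]) -> List[List[float]]:
    """The f[0..N]x[0..N] of the proof: -oo below the anti-diagonal i+j = N,
    +oo above it, and h.i on it.  Any correct search must inspect every h.i
    when X does not occur."""
    n = len(h) - 1
    return [[-INF if i + j < n else INF if i + j > n else h[i]
             for j in range(n + 1)] for i in range(n + 1)]


if __name__ == "__main__":
    # constructed sample array, ascending in both arguments
    F = [[1, 3, 5, 9],
         [2, 4, 8, 12],
         [6, 7, 10, 15]]
    for x in (8, 11):
        print(x, slope_search(F, x), brute_force(F, x))
    H = [3, 1, 4, 1, 5]                       # X = 2 does not occur in H
    G = lower_bound_array(H)
    print(is_ascending(G), slope_search(G, 2))   # all five h.i are inspected
```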

8.1.1 Decomposition in a sum of two squares

As our second example, we derive a program for the computation of the number of ways in which a natural number N can be written as the sum of two squares. We supply an annotated program together with its numbered derivations.

The first thing to do is to supply a formal specification:

|[ con N : int {N ≥ 0}; var r : int;

S

{r = (#x,y : 0 ≤ x ≤ y : x² + y² = N)}

]|.

Since x² + y² is increasing in both arguments on the domain 0 ≤ x ≤ y, we define G.a.b as

G.a.b = (#x,y : a ≤ x ≤ y ≤ b : x² + y² = N)

and we choose as invariants

P0: r + G.a.b = (#x,y : 0 ≤ x ≤ y : x² + y² = N)
P1: 0 ≤ a

|[ var a, b : int;
r, a := 0, 0 {Linear Search:}
;b := 0 ;do b*b < N → b := b+1 od {invariant: P0 ∧ P1, Proof 1, bound: b − a}
;do a ≤ b
→ if a*a + b*b < N → a := a+1 {Proof 2}
[] a*a + b*b > N → b := b−1 {Proof 3}
[] a*a + b*b = N → r, a := r+1, a+1 {Proof 2}
[] a*a + b*b = N → r, b := r+1, b−1 {Proof 3}
fi
od
{r = (#x,y : 0 ≤ x ≤ y : x² + y² = N), Proof 0}
]|.

In the following proofs we present the calculations for a solution.

Proof 0

G.a.b
= {definition of G}
(#x,y : a ≤ x ≤ y ≤ b : x² + y² = N)
= {provided a > b}
0

Hence, P0 ∧ a > b implies the post-condition.

Proof 1

For the initialization, we derive for 0 ≤ b

G.0.b
= {definition of G}
(#x,y : 0 ≤ x ≤ y ≤ b : x² + y² = N)
= {range split}
(#x,y : 0 ≤ x ≤ y : x² + y² = N) − (#x,y : 0 ≤ x ≤ y ∧ y > b : x² + y² = N)
= {provided b² ≥ N, 0 ≤ b}
(#x,y : 0 ≤ x ≤ y : x² + y² = N)

Hence,

r = 0 ∧ a = 0 ∧ 0 ≤ b ∧ b² ≥ N
⇒ {see above}
r + G.a.b = (#x,y : 0 ≤ x ≤ y : x² + y² = N) ∧ 0 ≤ a
≡ {definitions of P0 and P1}
P0 ∧ P1

Proof 2

We investigate an increase of a by 1. For 0 ≤ a ≤ b we derive

G.a.b
= {definition of G}
(#x,y : a ≤ x ≤ y ≤ b : x² + y² = N)
= {split off x = a}
G.(a+1).b + (#y : a ≤ y ≤ b : a² + y² = N)
= {a² + y² is increasing in y, a ≤ b}
G.(a+1).b + 0 if a² + b² < N
G.(a+1).b + 1 if a² + b² = N

Proof 3

We investigate a decrease of b by 1. For 0 ≤ a ≤ b, we derive

G.a.b
= {definition of G}
(#x,y : a ≤ x ≤ y ≤ b : x² + y² = N)
= {split off y = b}
G.a.(b−1) + (#x : a ≤ x ≤ b : x² + b² = N)
= {x² + b² is increasing in x, a ≤ b}
G.a.(b−1) + 0 if a² + b² > N
G.a.(b−1) + 1 if a² + b² = N

This concludes the presentation of the solution. This program has time complexity O(√N). Initializing b by b := N leads to a program that has time complexity O(N), which is as bad as a brute force search in the area [0..√N] × [0..√N].

One may wonder whether the two guarded commands

a*a + b*b = N → r, a := r+1, a+1
a*a + b*b = N → r, b := r+1, b−1

may be replaced by

a*a + b*b = N → r, a, b := r+1, a+1, b−1

The only way to find out is by calculation: assume 0 ≤ a ≤ b ∧ a² + b² = N, then

G.a.b
= {definition of G}
(#x,y : a ≤ x ≤ y ≤ b : x² + y² = N)
= {split off y = b}
G.a.(b−1) + (#x : a ≤ x ≤ b : x² + b² = N)
= {split off x = a in G.a.(b−1)}
G.(a+1).(b−1) + (#y : a ≤ y ≤ b−1 : a² + y² = N) + (#x : a ≤ x ≤ b : x² + b² = N)
= {a² + b² = N}
G.(a+1).(b−1) + 1

Hence, this replacement is allowed, leading to

|[ var a, b : int; r, a := 0, 0
;b := 0 ;do b*b < N → b := b+1 od
;do a ≤ b
→ if a*a + b*b < N → a := a+1
[] a*a + b*b > N → b := b−1
[] a*a + b*b = N → r, a, b := r+1, a+1, b−1
fi
od
]|.
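The program just derived, with the merged guard, as an added example (not the book's code; the function names are mine). It also counts loop iterations so that the remark on initialising b by b := N can be checked.

```python
"""Counting the decompositions of N as x^2 + y^2 with 0 <= x <= y, the slope
search of Section 8.1.1 with the merged guard for a*a + b*b = N.
Added example, not the book's code; names are my own."""
from typing import Tuple


def two_squares_count(n: int, start_at_n: bool = False) -> Tuple[int, int]:
    """Return (r, number of iterations of the slope search loop).

    Invariants  P0: r + G.a.b = (#x,y : 0 <= x <= y : x^2 + y^2 = N)
                P1: 0 <= a
    where       G.a.b = (#x,y : a <= x <= y <= b : x^2 + y^2 = N).
    start_at_n=True initialises b := N instead of the least b with b^2 >= N,
    which the text remarks is as bad as brute force."""
    if n < 0:
        raise ValueError("N must be a natural number")
    r, a = 0, 0
    if start_at_n:
        b = n
    else:
        b = 0
        while b * b < n:        # linear search for the least b with b*b >= N,
            b += 1              # so that G.0.b counts every solution (Proof 1)
    steps = 0
    while a <= b:               # bound: b - a; P0 and a > b give the post-condition
        steps += 1
        s = a * a + b * b
        if s < n:
            a += 1              # Proof 2: x = a has no partner y in [a..b]
        elif s > n:
            b -= 1              # Proof 3: y = b has no partner x in [a..b]
        else:
            r, a, b = r + 1, a + 1, b - 1   # exactly one solution (a, b) split off
    return r, steps


def two_squares_brute(n: int) -> int:
    """O(N^2) reference count, used only to check the slope search."""
    return sum(1 for x in range(n + 1) for y in range(x, n + 1)
               if x * x + y * y == n)


if __name__ == "__main__":
    for n in (0, 2, 25, 50, 325):
        print(n, two_squares_count(n), two_squares_count(n, start_at_n=True))
```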

8.1.2 Minimal distance

Our next example is the derivation of a program for the computation of the minimal distance of two ascending sequences. It is specified by

|[ con M, N : int {M ≥ 0 ∧ N ≥ 0};

f : array [0..M) of int {f is ascending}; g : array [0..N) of int {g is ascending}; var r : int;

S

{r = (min x,y : 0 ≤ x < M ∧ 0 ≤ y < N : |f.x − g.y|)}

]|.

Note that f.x − g.y is ascending in x and descending in y and g.y − f.x is descending in x and ascending in y. The expression |f.x − g.y|, being equal to (f.x − g.y) max (g.y − f.x), does not have these properties. However, as will emerge from the derivations, a slope search is still possible. Since f.x − g.y and g.y − f.x both have ascending and descending properties, we define G.a.b for 0 ≤ a ≤ M ∧ 0 ≤ b ≤ N as

G.a.b = (min x,y : a ≤ x < M ∧ b ≤ y < N : |f.x − g.y|)

The post-condition may be written as

R: r = G.0.0

and we propose as invariants

P0: r min G.a.b = G.0.0
P1: 0 ≤ a ≤ M ∧ 0 ≤ b ≤ N

These are initialized by a, b, r := 0, 0, ∞. Furthermore,

P0 ∧ (a = M ∨ b = N)
⇒ {minimum over an empty range is ∞}
r min ∞ = G.0.0
≡ {calculus}
r = G.0.0

This yields as guard a ≠ M ∧ b ≠ N. For 0 ≤ a < M ∧ 0 ≤ b < N we have

G.a.b
= {definition of G}
(min x,y : a ≤ x < M ∧ b ≤ y < N : |f.x − g.y|)
= {split off x = a}
G.(a+1).b min (min y : b ≤ y < N : |f.a − g.y|)
= {g is ascending, assume g.b ≥ f.a}
G.(a+1).b min (min y : b ≤ y < N : g.y − f.a)
= {g is ascending}
G.(a+1).b min (g.b − f.a)

Hence,

g.b ≥ f.a ⇒ G.a.b = G.(a+1).b min (g.b − f.a)

On account of the symmetry of the specification in f and g, we have

f.a ≥ g.b ⇒ G.a.b = G.a.(b+1) min (f.a − g.b)

as well. We now have all ingredients for the solution:

|[ var a, b : int;
r, a, b := ∞, 0, 0
;do a ≠ M ∧ b ≠ N
→ if g.b ≥ f.a → a, r := a+1, r min (g.b − f.a) [] f.a ≥ g.b → b, r := b+1, r min (f.a − g.b) fi
od
]|.

When we know how to approach these problems the derivations are rather simple and a program is easily constructed.
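The minimal-distance program of Section 8.1.2 as an added example (not the book's code; names are my own). Where the book's program may choose either guard when g.b = f.a, this version always takes the first, which is one of the permitted outcomes.

```python
"""Minimal distance between two ascending sequences, the slope search of
Section 8.1.2. Added example, not the book's code; names are my own."""
from typing import Sequence, Union

INF = float("inf")          # the book's oo: the minimum over an empty range
Number = Union[int, float]


def minimal_distance(f: Sequence[int], g: Sequence[int]) -> Number:
    """r = (min x,y : 0 <= x < M and 0 <= y < N : |f.x - g.y|).

    Invariant P0: r min G.a.b = G.0.0 with
      G.a.b = (min x,y : a <= x < M and b <= y < N : |f.x - g.y|),
    guard a /= M and b /= N, bound M - a + N - b."""
    m, n = len(f), len(g)
    if list(f) != sorted(f) or list(g) != sorted(g):
        raise ValueError("f and g must be ascending")   # the precondition
    r, a, b = INF, 0, 0
    while a != m and b != n:
        if g[b] >= f[a]:
            # g ascending: for y >= b, |f.a - g.y| = g.y - f.a >= g.b - f.a,
            # so row x = a contributes g.b - f.a and can be dropped
            r, a = min(r, g[b] - f[a]), a + 1
        else:
            # symmetric case f.a >= g.b: column y = b contributes f.a - g.b
            r, b = min(r, f[a] - g[b]), b + 1
    return r


def minimal_distance_brute(f: Sequence[int], g: Sequence[int]) -> Number:
    """O(M*N) reference, used only to check the slope search."""
    return min((abs(x - y) for x in f for y in g), default=INF)


if __name__ == "__main__":
    # constructed sample sequences
    print(minimal_distance([1, 4, 9], [5, 6, 20]))    # 1
    print(minimal_distance([10, 20, 30], [1, 2, 3]))  # 7
```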

Exercises

Derive programs for the following problems.

0. |[ con M, N : int {M ≥ 0 ∧ N ≥ 0};
f : array [0..M) of int {f is increasing}; g : array [0..N) of int {g is increasing}; var r : int;
coincidence count
{r = (#x,y : 0 ≤ x < M ∧ 0 ≤ y < N : f.x = g.y)}
]|.

1. |[ con N : int {N ≥ 0}; var r : int;
S
{r = (#x,y : 0 ≤ x ∧ 0 ≤ y : x³ + y² = N)}
]|.

2. |[ con M, N : int {M ≥ 0 ∧ N ≥ 0}; f : array [0..M)×[0..N) of int; {f is ascending in both arguments}
var r : int;
S
{r = (#i,j : 0 ≤ i < M ∧ 0 ≤ j < N : f.i.j = 0)} ]|.
(Hint: (#i : R : h.i = 0) = (#i : R : h.i ≥ 0) − (#i : R : h.i > 0).)

3. The Welfare Crook: The sets U, V, and W are represented by increasing integer arrays f[0..K), g[0..L), and h[0..M). Derive a program for the computation of an element of U ∩ V ∩ W, given that such an element exists.

4. |[ con N : int {N ≥ 0}; var r : bool;
S
{r ≡ (∃x,y : 0 ≤ x ∧ 0 ≤ y : N = 2^x + 3^y)}
]|.

5. |[ con M : int {M ≥ 0}; f : array [0..M) of int; {(∀i : 0 ≤ i < M : f.i ≥ 0)}
var r : int;
S
{r = (#p,q : 0 ≤ p ≤ q ≤ M : (Σi : p ≤ i < q : f.i) ≤ 7)} ]|.

6. N points, numbered from 0 onwards, are located on a circle (in the rest of this exercise all point numbers should be taken mod N). Point i+1 is the clockwise neighbor of point i. An integer array, dist[0..N), is given such that dist.i is the distance (along the circle) between points i and i+1.

(i) Derive a program to determine whether there exist two points at opposite ends of a diameter of the circle.

(ii) Derive a program for the computation of two points that have maximal Euclidian distance.

8.2 Longest and shortest segments

In Chapter 7 we discussed longest and shortest segment problems. Longest segment problems are of the form

|[ con N : int {N ≥ 0}; var r : int;
maxseg
{r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
]|.

where A is a predicate, typically related to some integer array X[0..N). Examples of such predicates are

A.p.q ≡ (∀i,j : p ≤ i < j < q : X.i = X.j)   (X[p..q) is constant)
A.p.q ≡ (∀i,j : p ≤ i ≤ j < q : X.i ≤ X.j)   (X[p..q) is ascending)
A.p.q ≡ (#i : p ≤ i < q : X.i = 0) ≤ 60   (X[p..q) contains at most 60 zeros)

For these examples, A satisfies (0 ≤ p ≤ q ≤ N):

(0) A.p.p   the empty segment is an A-segment
(1) A.p.q ⇒ (∀s : p ≤ s ≤ q : A.p.s)   A is prefix-closed
(2) A.p.q ⇒ (∀s : p ≤ s ≤ q : A.s.q)   A is postfix-closed

Shortest segment problems are of the form

|[ con N : int {N ≥ 0}; var r : int;
minseg
{r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)}
]|.

Examples of predicates for these problems are

A.p.q ≡ (∃i,j,k : p ≤ i,j,k < q : X.i = 0 ∧ X.j = 1 ∧ X.k = 2)   (values 0, 1, and 2 occur in X[p..q))
A.p.q ≡ (#i : p ≤ i < q : X.i = 0) ≥ 60   (X[p..q) contains at least 60 zeros)

For these examples, A satisfies (0 ≤ p ≤ q ≤ N):

(0') ¬A.p.p   the empty segment is a ¬A-segment
(1') ¬A.p.q ⇒ (∀s : p ≤ s ≤ q : ¬A.p.s)   ¬A is prefix-closed
(2') ¬A.p.q ⇒ (∀s : p ≤ s ≤ q : ¬A.s.q)   ¬A is postfix-closed

Note that

A satisfies (0), (1), and (2)
≡ ¬A satisfies (0'), (1'), and (2')

When we have a solution to maxseg for predicates that satisfy (0) and (1), then we have, by applying this solution to the reverse of X, a solution for predicates that satisfy (0) and (2). A similar remark pertains to minseg.

In Section 8.2.0 we derive a program scheme for maxseg for the case that (0) and (1) hold. In Section 8.2.1 a program scheme is derived for minseg, for which (0') and (2') are assumed. These schemes are derived by means of the Slope Search technique. In Section 8.2.2 we apply such a scheme to obtain a program for the computation of the length of a shortest segment X[p..q) that contains at least two zeros, i.e.,

A.p.q ≡ (#i : p ≤ i < q : X.i = 0) ≥ 2

The same problem was solved in Section 7.2, but that solution is not very satisfactory.

8.2.0 Longest segments

Let N ≥ 0 and let predicate A in the range 0 ≤ p ≤ q ≤ N satisfy

(0) A.p.p   the empty segment is an A-segment
(1) A.p.q ⇒ (∀s : p ≤ s ≤ q : A.p.s)   A is prefix-closed

We derive a program that has post-condition

R: r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)

Since q−p is ascending in q and descending in p, we define G.a.b for 0 ≤ a ≤ b ≤ N by

G.a.b = (max p,q : a ≤ p ≤ q ≤ N ∧ b ≤ q ≤ N ∧ A.p.q : q−p)

Then R may be formulated as

R: r = G.0.0

As invariants for a repetition we choose

P0: r max G.a.b = G.0.0
P1: 0 ≤ a ≤ b ≤ N

These may be initialized by a, b, r := 0, 0, −∞. However, since A.0.0 holds, a, b, r := 0, 0, 0 is also correct. We derive

G.a.N
= {definition of G}
(max p : a ≤ p ≤ N ∧ A.p.N : N−p)
= {assume A.a.N, N−p is descending in p, a ≤ N}
N−a

Hence,

P0 ∧ b = N ∧ A.a.b ⇒ R(r := r max (N−a))

which yields b ≠ N ∨ ¬A.a.b as guard of the repetition. To determine a condition under which b may be increased, we derive for 0 ≤ a ≤ b < N:

G.a.b
= {definition of G, split off q = b}
G.a.(b+1) max (max p : a ≤ p ≤ b ∧ A.p.b : b−p)
= {assume A.a.b, b−p is descending in p, a ≤ b}
G.a.(b+1) max (b−a)

Hence,

A.a.b ⇒ G.a.b = G.a.(b+1) max (b−a)

Note that

P1 ∧ (b ≠ N ∨ ¬A.a.b) ∧ A.a.b ⇒ b < N

For the case ¬A.a.b we investigate an increase in a. Due to (0), we have ¬A.a.b ⇒ a ≠ b, hence a ≤ b is not violated by a := a+1 in this case. We derive for 0 ≤ a ≤ b ≤ N ∧ ¬A.a.b

G.a.b
= {definition of G, split off p = a}
G.(a+1).b max (max q : a ≤ q ≤ N ∧ b ≤ q ≤ N ∧ A.a.q : q−a)
= {a ≤ b}
G.(a+1).b max (max q : b ≤ q ≤ N ∧ A.a.q : q−a)
= {(1), ¬A.a.b, hence, (∀q : b ≤ q ≤ N : ¬A.a.q)}
G.(a+1).b

Hence,

¬A.a.b ⇒ G.a.b = G.(a+1).b

This concludes our derivation. The program scheme for maxseg is shown below. As bound function, 2N − a − b will do.

maxseg: |[ var a, b : int;
a, b, r := 0, 0, 0
;do b ≠ N ∨ ¬A.a.b
→ if A.a.b → r := r max (b−a) ;b := b+1 [] ¬A.a.b → a := a+1
fi
od
;r := r max (N−a)
{r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)} ]|.

Note that we did not use the fact that q − p is ascending in q, only that it is descending in p. A closer look at the range of the quantification in the post-condition (using the fact that A is prefix-closed) reveals that on the one hand the descendingness plays a role and on the other hand the specific form of the range is important.

To obtain a final program, one has to replace A.a.b by a boolean expression. For instance, we may try to add invariant c ≡ A.a.b, which is initialized by c := true. Since 0 ≤ a ≤ b ≤ N, this invariant is well defined.

8.2.1 Shortest segments

We now consider minseg and we assume that A satisfies

(0') ¬A.p.p   the empty segment is a ¬A-segment
(2') ¬A.p.q ⇒ (∀s : p ≤ s ≤ q : ¬A.s.q)   ¬A is postfix-closed

The following derivation is almost a copy of the derivation presented in the previous subsection and the reader is advised to compare both texts carefully. We define G.a.b for 0 ≤ a ≤ b ≤ N by

G.a.b = (min p,q : a ≤ p ≤ q ≤ N ∧ b ≤ q ≤ N ∧ A.p.q : q−p)

Then post-condition R may be formulated as

R: r = G.0.0

As invariants we propose

P0: r min G.a.b = G.0.0
P1: 0 ≤ a ≤ b ≤ N

which are established by a, b, r := 0, 0, ∞. We derive

G.a.N
= {definition of G}
(min p : a ≤ p ≤ N ∧ A.p.N : N−p)
= {assume ¬A.a.N, ¬A is postfix-closed}
∞

Hence,

P0 ∧ P1 ∧ b = N ∧ ¬A.a.b ⇒ R

which yields b ≠ N ∨ A.a.b as guard of the repetition. To determine a condition under which b may be increased, we derive for 0 ≤ a ≤ b < N:

G.a.b
= {definition of G, split off q = b}
G.a.(b+1) min (min p : a ≤ p ≤ b ∧ A.p.b : b−p)
= {assume ¬A.a.b, ¬A is postfix-closed}
G.a.(b+1)

Hence,

¬A.a.b ⇒ G.a.b = G.a.(b+1)

Note that

P1 ∧ (b ≠ N ∨ A.a.b) ∧ ¬A.a.b ⇒ b < N

For the case A.a.b we investigate an increase in a. Due to (0'), we have A.a.b ⇒ a ≠ b, hence a ≤ b is not violated by a := a+1 in this case. We derive for 0 ≤ a ≤ b ≤ N ∧ A.a.b

G.a.b
= {definition of G, split off p = a}
G.(a+1).b min (min q : a ≤ q ≤ N ∧ b ≤ q ≤ N ∧ A.a.q : q−a)
= {a ≤ b}
G.(a+1).b min (min q : b ≤ q ≤ N ∧ A.a.q : q−a)
= {A.a.b, q − a is ascending in q}
G.(a+1).b min (b − a)

Hence,

A.a.b ⇒ G.a.b = G.(a+1).b min (b−a)

This concludes our derivation. The program scheme for minseg is shown below. As bound function, 2N − a − b will do.

minseg: |[ var a, b : int;
a, b, r := 0, 0, ∞
;do b ≠ N ∨ A.a.b
→ if ¬A.a.b → b := b+1
[] A.a.b → r := r min (b−a) ;a := a+1 fi
od
{r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ A.p.q : q−p)} ]|.

8.2.2 At least two zeros revisited

In this subsection we apply the scheme for minseg to obtain an algorithm for the computation of the length of a shortest segment of integer array X[0..N) that contains at least two zeros. For this problem

A.a.b ≡ (#i : a ≤ i < b : X.i = 0) ≥ 2

Then ¬A holds for empty segments and ¬A is postfix-closed. To express A.a.b as boolean expression, we introduce integer variable c and accompanying invariant

Q: c = (#i : a ≤ i < b : X.i = 0)

Then A.a.b ≡ c ≥ 2 and ¬A.a.b ≡ c < 2. This leads to the following solution.

|[ var a, b, c : int; r, a, b, c := ∞, 0, 0, 0
;do b ≠ N ∨ c ≥ 2
→ if c < 2 → if X.b = 0 → c := c+1 [] X.b ≠ 0 → skip fi
;b := b+1
[] c ≥ 2 → r := r min (b − a)
;if X.a = 0 → c := c−1 [] X.a ≠ 0 → skip fi
;a := a+1
fi
od
]|.

Compare this program with the one derived in Chapter 7.

Exercises

0. |[ con N : int {N ≥ 0}; X : array [0..N) of int; {(∀i : 0 ≤ i < N : X.i ≥ 1)}
var r : int;
S
{r = (min p,q : 0 ≤ p ≤ q ≤ N ∧ (Σi : p ≤ i < q : X.i) ≥ N : q − p)}
]|.

1. |[ con N : int {N ≥ 1}; X : array [0..N) of int; var r : int;
S
{r = (max p,q : 0 ≤ p < q ≤ N ∧ A.p.q : q − p)}
]|.
where

A.p.q ≡ (#i : p < i < q : X.i = X.(i−1)) = 37

2. |[ con N : int {N ≥ 0}; X : array [0..N) of int;
{(∀i : 0 ≤ i < N : X.i ≥ 0)}
var r : int;
S
{r = (max p,q : 0 ≤ p ≤ q ≤ N ∧ (Σi : p ≤ i < q : X.i) ≤ 3 : q − p)}
]|.
How would you solve this problem if each element of X may be inspected only once?

3. Let N ≥ 0 and let Y[0..N) be an integer array. Derive a program for the computation of the length of a shortest segment that contains values 0, 1, and 2.
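The maxseg and minseg schemes of Sections 8.2.0 and 8.2.1, and the "at least two zeros" instance of Section 8.2.2 with its counter c, as one added example (not the book's code; the helper names and the sample array are mine). The schemes take A as a callable so they apply to any predicate satisfying the respective conditions; the 8.2.2 instance is the specialised program that avoids evaluating A from scratch.

```python
"""The maxseg and minseg program schemes of Sections 8.2.0 and 8.2.1, and the
'at least two zeros' instance of Section 8.2.2 in which A.a.b is replaced by a
counter c. Added example, not the book's code; helper names are my own."""
from typing import Callable, List, Union

INF = float("inf")
Number = Union[int, float]
Pred = Callable[[int, int], bool]      # A.p.q, for 0 <= p <= q <= N


def maxseg(n: int, A: Pred) -> Number:
    """Scheme for A satisfying (0) A.p.p and (1) A is prefix-closed.
    Invariants P0: r max G.a.b = G.0.0 and P1: 0 <= a <= b <= N; bound 2N-a-b,
    with G.a.b = (max p,q : a <= p <= q <= N and b <= q <= N and A.p.q : q-p)."""
    a, b, r = 0, 0, 0                    # r := 0 is allowed because A.0.0 holds
    while b != n or not A(a, b):
        if A(a, b):
            r, b = max(r, b - a), b + 1  # A.a.b => G.a.b = G.a.(b+1) max (b-a)
        else:
            a += 1                       # not A.a.b => G.a.b = G.(a+1).b
    return max(r, n - a)                 # G.a.N = N-a, since A.a.N holds here


def minseg(n: int, A: Pred) -> Number:
    """Scheme for A satisfying (0') not A.p.p and (2') not-A is postfix-closed.
    Invariants P0: r min G.a.b = G.0.0 and P1: 0 <= a <= b <= N; bound 2N-a-b."""
    a, b, r = 0, 0, INF
    while b != n or A(a, b):
        if not A(a, b):
            b += 1                       # not A.a.b => G.a.b = G.a.(b+1)
        else:
            r, a = min(r, b - a), a + 1  # A.a.b => G.a.b = G.(a+1).b min (b-a)
    return r


def shortest_two_zeros(X: List[int]) -> Number:
    """Section 8.2.2: minseg with A.a.b replaced by c >= 2 under the invariant
    Q: c = (#i : a <= i < b : X.i = 0). Each element is inspected at most twice."""
    n = len(X)
    r, a, b, c = INF, 0, 0, 0
    while b != n or c >= 2:
        if c < 2:                        # the guard then implies b < N
            if X[b] == 0:
                c += 1
            b += 1
        else:
            r = min(r, b - a)
            if X[a] == 0:
                c -= 1
            a += 1
    return r


def brute_maxseg(n: int, A: Pred) -> Number:
    """Reference evaluation of the maxseg post-condition."""
    return max((q - p for p in range(n + 1) for q in range(p, n + 1) if A(p, q)),
               default=-INF)


def brute_minseg(n: int, A: Pred) -> Number:
    """Reference evaluation of the minseg post-condition."""
    return min((q - p for p in range(n + 1) for q in range(p, n + 1) if A(p, q)),
               default=INF)


def ascending_pred(X: List[int]) -> Pred:
    """X[p..q) is ascending: this A satisfies (0) and (1)."""
    return lambda p, q: all(X[i] <= X[i + 1] for i in range(p, q - 1))


def at_least_two_zeros_pred(X: List[int]) -> Pred:
    """X[p..q) contains at least two zeros: not A satisfies (0') and (2')."""
    return lambda p, q: sum(1 for i in range(p, q) if X[i] == 0) >= 2


if __name__ == "__main__":
    X = [1, 0, 2, 0, 0, 3]               # constructed sample array
    n = len(X)
    print(maxseg(n, ascending_pred(X)), brute_maxseg(n, ascending_pred(X)))
    print(minseg(n, at_least_two_zeros_pred(X)), shortest_two_zeros(X))
```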

(

Chapter 9

Mixed Problems

In the preceding chapters we showed how to reason about programs and how to derive them from specifications. Arrays were only used as constants. In the final chapters of this book we discuss array manipulations and we solve problems by introducing auxiliary arrays.

A number of programming techniques have been described in these chapters. These techniques can only be mastered by applying them to problems. To encourage the reader, we have chosen problems that can be solved with the theory of the preceding section. For instance, all the problems in Section 6.2 can be solved by a binary search and all the problems in Chapter 8 can be solved by a slope search. In this chapter we present a mix of problems. It is up to the reader to find out what strategies are most appropriate for the problem in hand. Each problem should be studied carefully: often more than one approach is applicable. All exercises admit a linear solution; however, for some of them an O(log N) solution exists.

The derivation is as important as the resulting program. Both should not be complicated: exploit symmetry, avoid unnecessary case analysis, introduce suitable notation etc.

It is not necessary to complete these exercises before going on to the next chapters. This collection is presented here because all prerequisites needed to solve these exercises have been presented.

Some of the exercises are given by a formal specification. Others are formulated in English. For the latter, one has to supply a formal specification first.

Exercises

0. |[ con N : int {N ≥ 0}; A : array [0..N) of bool;
var r : int;
S
{r = (#p : 0 ≤ p ≤ N : (∀i : 0 ≤ i < p : A.i) ≡ (∃i : 0 ≤ i < p : A.i))}
]|.

1. |[ con N : int {N ≥ 0}; A : array [0..N) of int; var r : int;
S
{r = (Σp,q : 0 ≤ p < q < N : A.p + A.q)}
]|.

2. |[ con N : int {N ≥ 0}; f : array [0..N) of int; {f is ascending}
var r : int;
S
{r = (#p,q : 0 ≤ p ≤ p+q < N : f.(p+q) − f.p = 37)} ]|.

3. For integer arrays f[0..N) and g[0..N) relation f ≺ g is defined by

f ≺ g ≡ (∃n : 0 ≤ n < N : f.n < g.n ∧ (∀i : 0 ≤ i < n : f.i = g.i))

The relation ≺ is called the lexicographical order. Derive for given f and g a program that assigns to boolean variables a, b, and c such values that

(a ≡ f ≺ g) ∧ (b ≡ f = g) ∧ (c ≡ f ≻ g)

4. Integer array f[0..N], N ≥ 0, is convex, i.e.,

(∀i : 0 < i < N : f.i ≤ ½(f.(i−1) + f.(i+1)))

Derive a program for the computation of (∃i : 0 ≤ i < N : f.i = f.(i+1)).

5. |[ con N, A, B : int {N ≥ 1}; f : array [0..N) of int; var b : bool;
S
{b ≡ (∀p,q : 0 ≤ p ≤ q ≤ N : A ≤ (Σi : p ≤ i < q : f.i) ≤ B)}
]|.

6. In the (x,y)-plane a collection C of M circles is represented by integer array R[0..M). Circle i has centre (0,0) and radius R.i (R.i > 0). Furthermore, a collection L of N lines is given by integer array X[0..N). Line i has equation x = X.i. Both R and X are increasing. Derive a program for the computation of

(i) There exists a line in L that is tangent to a circle of C.
(ii) The number of intersection points of L and C.

7. |[ con N : int {N ≥ 0}; f : array [0..N) of int; {f is increasing}
var r : int;
S
{r = (#x,y : 0 ≤ x ≤ y < N : f.y − f.x > y − x)}
]|.

8. N points, numbered from 0 onwards, are located on a circle (in the rest of this exercise all point numbers should be taken mod N). Point i+1 is the clockwise neighbor of point i. An integer array, dist[0..N), is given such that dist.i is the distance (along the circle) between points i and i+1. Derive a program to determine whether four of these points form a rectangle.

9. Array f[0..N], N ≥ 0, is increasing. Derive a program for the computation of

(∃i : 0 ≤ i ≤ N : f.i = i)

10. |[ con N : int {N ≥ 0}; f : array [0..N) of int; var r : int;
S
{r = (#p,q : 0 ≤ p ≤ N ∧ 0 ≤ q ≤ N : (#i : 0 ≤ i < p : f.i = 0) < (#i : 0 ≤ i < q : f.i = 1))}
]|.

11. For integers K and N, 0 < K ≤ N, and integer array f[0..N), one is asked to compute the number of segments of length K on which f is ascending.

12. Sets V and W are represented by increasing integer arrays f[0..M) and g[0..N), M ≥ 0 ∧ N ≥ 0. Derive a program with post-condition

b ≡ V ⊆ W

13. For integer array f[0..N], we have f.0 = 0 ∧ f.N ≠ 0. Derive a program that establishes for integer x

f.x = 0 ∧ f.(x+1) ≠ 0

14. For integer array X[0..N), N ≥ 0, determine the length of a longest segment on which X attains its maximum at most twice, i.e., a segment [p..q) for which

(#i : p ≤ i < q : X.i = (max j : p ≤ j < q : X.j)) ≤ 2

15. For integer array X[0..N), N ≥ 0, determine the length of a longest prefix of X that contains zeros only.

16. |[ con A, B, N : int {A ≥ 1 ∧ B ≥ 1 ∧ N ≥ 1}; var r : int;
S
{r = (min p,q : 1 ≤ p ≤ N ∧ 1 ≤ q ≤ N : |A^p − B^q|)} ]|.


Chapter 10

Array Manipulations

10.0 Introduction

In the preceding chapters arrays are used as constants. We now introduce statements that may change the value of an array. As we shall see in the following, these statements have quite complicated definitions. Thus, precision in invariant calculations is vital.

In Section 10.1 the array assignment is introduced. It is of the form h.E := F, where h is an array and E and F are expressions. It differs from the ordinary assignment in that its execution affects the value of an entire function. In the definition this is reflected by a substitution of functions for functions.

In Section 10.2 we discuss the swap operation which interchanges two function values. Many programming problems can be solved by means of swap operations on the arrays involved only. Sorting is one example of such a problem.

10.1 Array assignments

Throughout this section N is a natural number, h[0..N) is an integer array and E and F are integer expressions. The array assignment is of the form h.E := F. Its operational interpretation is 'replace the value of h.E by F'. Before we present a formal definition we show by a small example how much this assignment differs from an ordinary assignment and how easily one may draw incorrect conclusions.

Suppose h.0 = 1 and h.1 = 1. Then h.(h.1) = h.1 = 1 and statement h.(h.1) := 0 is equivalent to h.1 := 0 and will result in h.(h.1) = h.0 = 1. We conclude that

{h.0 = 1 ∧ h.1 = 1} h.(h.1) := 0 {h.(h.1) = 1}

is correct. This simple example shows a difference between an array assignment and an ordinary assignment for which we have, for example,

{true} x := 0 {x = 0}

Apparently h.E := F changes the value of h but not necessarily the value of the expression h.E. To express the change in a function, we introduce the following notation. For x, 0 ≤ x < N, and integer A, the function h(x:A) : [0..N) → Z is defined by

h(x:A).i = h.i if i ≠ x
h(x:A).i = A if i = x

We pronounce h(x:A) as 'h except in x where its value is A'. As an example let h[0..3) be defined by h.0 = 2, h.1 = 4, h.2 = 6, then h(1:5) is the function

h(1:5).0 = 2
h(1:5).1 = 5
h(1:5).2 = 6

With this notational convention, h.E := F may now be defined by

{P} h.E := F {Q} is equivalent to [P ⇒ Q(h := h(E:F))]

where, as usual, Q(h := h(E:F)) denotes Q in which h is replaced by h(E:F). As an example of the use of the rule of the array assignment, we prove

{h.0 = 1 ∧ h.1 = 1} h.(h.1) := 0 {h.(h.1) = 1}

Proof:

Assume h.0 = 1 ∧ h.1 = 1. We derive

(h.(h.1))(h := h(h.1:0))
= {substitution}
h(h.1:0).(h(h.1:0).1)
= {h.1 = 1}
h(1:0).(h(1:0).1)
= {definition of h(x:A), 1 = 1}
h(1:0).0
= {definition of h(x:A), 1 ≠ 0}
h.0
= {h.0 = 1}
1

It can be seen that for many array assignments, it is difficult to predict the outcome without calculations. Fortunately, there are many cases in which the effect of h.E := F can be easily computed.

In the definition of x := E conjunct def.E occurs. For array assignment h.E := F we require that E and F are well defined, and that the value of E is in the range of h. More formally, def.(h.E) is defined by

[def.(h.E) ≡ def.E ∧ 0 ≤ E < N]

and the formal definition of h.E := F is

{P} h.E := F {Q} is equivalent to [P ⇒ def.F ∧ def.(h.E) ∧ Q(h := h(E:F))]

In terms of weakest pre-conditions we have

[wp.(h.E := F).Q ≡ def.F ∧ def.(h.E) ∧ Q(h := h(E:F))]

In calculations conjunct Q(h := h(E:F)) is the starting point. One should, however, be aware of the other two conjuncts too.

Multiple array assignments are not allowed. If they were, the program fragment

x, y := 0, 0 ;h.x, h.y := 0, 1

would establish h.0 = 0 or h.0 = 1. This problem may be solved by the definition of an order (for instance, from left to right) in which substitutions are performed. We prefer to avoid it by not allowing multiple assignments in which an array assignment occurs.

We present two examples in which we use the formal definition of the array assignment. Then, at the end of this section, we present the 'simple array assignment rule', which simplifies calculations in certain cases.

As a first example of the derivation of a program in which array assignments are used, we solve all zeros specified by

|[ con N : int {N ≥ 0};
var h : array [0..N) of int;
all zeros
{(∀i : 0 ≤ i < N : h.i = 0)}
]|.

Replacement of the constant N by the integer variable n leads to invariants P0 and P1:

P0: (∀i : 0 ≤ i < n : h.i = 0)
P1: 0 ≤ n ≤ N

which are established by n := 0. We investigate an increase of n by 1 and, assuming P0 ∧ P1 ∧ n ≠ N, we derive

(∀i : 0 ≤ i < n+1 : h.i = 0)
≡ {split off i = n, 0 ≤ n}
(∀i : 0 ≤ i < n : h.i = 0) ∧ h.n = 0
≡ {P0}
(∀i : 0 ≤ i < n : h.i = h.i) ∧ h.n = 0
≡ {definition of h(x:A)}
(∀i : 0 ≤ i < n : h.i = h(n:0).i) ∧ h.n = h(n:0).n
≡ {import i = n}
(∀i : 0 ≤ i < n+1 : h.i = h(n:0).i)

The last line says that replacing h by h(n:0), i.e., h.n := 0, establishes P0(n := n+1). This yields as solution to all zeros

|[ var n : int; n := 0 ;do n ≠ N
→ h.n := 0 ;n := n+1
od
]|.

As a second example we consider the problem of computing a frequency table for a series of outcomes of an experiment of throwing a die. A formal specification is

|[ con N : int {N ≥ 0}; X : array [0..N) of int;
   {(∀i : 0 ≤ i < N : 1 ≤ X.i ≤ 6)}
   var h : array [1..6] of int;
   frequency table
   {(∀i : 1 ≤ i ≤ 6 : h.i = (#k : 0 ≤ k < N : X.k = i))}
]|.


Replacement of the constant N by variable n yields invariants

P0: (∀i : 1 ≤ i ≤ 6 : h.i = (#k : 0 ≤ k < n : X.k = i))
P1: 0 ≤ n ≤ N

Substitution of n = 0 into P0 yields

(∀i : 1 ≤ i ≤ 6 : h.i = 0)

for which we have seen a solution (viz. all zeros). For the increase of n by 1, we present the following derivation. Assume P0 ∧ P1 ∧ n ≠ N. For any i, 1 ≤ i ≤ 6, we have

(#k : 0 ≤ k < n+1 : X.k = i)
=   { split off k = n, 0 ≤ n }
(#k : 0 ≤ k < n : X.k = i) + #.(X.n = i)
=   { case analysis }
(#k : 0 ≤ k < n : X.k = i)       if i ≠ X.n
(#k : 0 ≤ k < n : X.k = i) + 1   if i = X.n
=   { P0 }
h.i           if i ≠ X.n
h.(X.n) + 1   if i = X.n
=   { definition of h(x:A) }
h(X.n : h.(X.n)+1).i

Hence, h has to be replaced by h(X.n : h.(X.n)+1). We arrive at the following solution to frequency table:

|[ var n : int; n := 0
 ; |[ var m : int; m := 1; do m ≠ 7 → h.m := 0; m := m+1 od ]|
 ; do n ≠ N → h.(X.n) := h.(X.n) + 1; n := n+1 od
]|.

We now introduce a simpler rule for the array assignment. As in all zeros, we often encounter a situation in which

(∀i : 0 ≤ i < N : h.i = H.i)


has to be established, where expression H is such that h does not occur in H. This may be solved by introducing integer variable n and invariant

P: 0 ≤ n ≤ N ∧ (∀i : 0 ≤ i < n : h.i = H.i)

and the problem amounts to finding integer expression E such that

{P ∧ n ≠ N} h.n := E {(∀i : 0 ≤ i < n+1 : h.i = H.i)}

We derive, for 0 ≤ n < N,

(∀i : 0 ≤ i < n+1 : h.i = H.i)(h := h(n:E))
=   { substitution, h does not occur in H }
(∀i : 0 ≤ i < n+1 : h(n:E).i = H.i)
=   { split off i = n, definition of h(x:A) }
(∀i : 0 ≤ i < n : h.i = H.i) ∧ E = H.n

Hence, we have the following rule.

Simple Array Assignment:

If h does not occur in H, then

{P ∧ n ≠ N ∧ E = H.n} h.n := E {P(n := n+1)}

where P: 0 ≤ n ≤ N ∧ (∀i : 0 ≤ i < n : h.i = H.i)

Substitution of E = 0 yields the solution to all zeros. It may be presented as follows.

|[ var n : int;
   n := 0
   {invariant: 0 ≤ n ≤ N ∧ (∀i : 0 ≤ i < n : h.i = 0), Simple array assignment}
 ; do n ≠ N → h.n := 0; n := n+1 od
]|.
{(∀i : 0 ≤ i < N : h.i = 0)}
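The two loops derived above (all zeros via the Simple Array Assignment rule, and frequency table via the full definition of the array assignment) are small enough that the interesting part is the invariant, not the code. The following added example, which is not Kaldewaij's and uses inputs constructed here, runs each loop with its invariant P0 ∧ P1 asserted on every iteration, and adds the summation problem of Exercise 0 below as a case where H does not contain h but the cheap expression E that equals H.n under P does:

```python
"""Loops from this section executed with their invariants checked each iteration.
Example code added to the section; inputs are constructed, not taken from the book."""


def establish_by_simple_rule(N, H):
    """Establish (forall i : 0 <= i < N : h.i = H.i) for an H that does not depend on h,
    by h.n := H.n under invariant P: 0 <= n <= N and h[0..n) = H[0..n)."""
    h = [None] * N
    n = 0
    while n != N:
        assert 0 <= n <= N and all(h[i] == H(i) for i in range(n))   # P
        h[n] = H(n)          # E = H.n, so the rule gives P(n := n+1)
        n += 1
    return h


def all_zeros(N):
    """The all zeros program: H.i = 0."""
    return establish_by_simple_rule(N, lambda i: 0)


def prefix_sums(f):
    """Exercise 0 (summation): h.k = (sum i : 0 <= i <= k : f.i).
    H.k = sum(f[:k+1]) does not contain h; under P the cheaper E = h.(n-1) + f.n equals H.n."""
    N = len(f)
    h = [None] * N
    n = 0
    while n != N:
        assert all(h[i] == sum(f[:i + 1]) for i in range(n))     # P
        h[n] = f[0] if n == 0 else h[n - 1] + f[n]               # E = H.n under P
        n += 1
    return h


def frequency_table(X):
    """h[1..6] with h.i = (#k : 0 <= k < N : X.k = i), i.e. h := h(X.n : h.(X.n) + 1) each step."""
    assert all(1 <= x <= 6 for x in X)
    N = len(X)
    h = {m: 0 for m in range(1, 7)}    # the inner all zeros loop over m = 1..6
    n = 0
    while n != N:
        # P0: h.i = (#k : 0 <= k < n : X.k = i) for 1 <= i <= 6;  P1: 0 <= n <= N
        assert 0 <= n <= N
        assert all(h[i] == sum(1 for k in range(n) if X[k] == i) for i in range(1, 7))
        h[X[n]] = h[X[n]] + 1
        n += 1
    return h


if __name__ == "__main__":
    print(all_zeros(4), prefix_sums([3, 1, 4, 1, 5]), frequency_table([1, 6, 6, 2, 1, 1]))
```

The invariant checks are quadratic and exist only to make the derivation visible; in `prefix_sums` note that the assignment `h.n := h.(n-1) + f.n` is justified because P makes it equal to H.n, even though h occurs in E.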


Exercises

Derive solutions for the following programming problems.

0. |[ con N : int {N ≥ 1}; f : array [0..N) of int; var h : array [0..N) of int;
      summation
      {(∀k : 0 ≤ k < N : h.k = (Σi : 0 ≤ i ≤ k : f.i))}
   ]|.

1. |[ con N : int {N ≥ 1}; f : array [0..N) of int; var h : array [0..N) of int;
      decomposition
      {(∀k : 0 ≤ k < N : f.k = (Σi : 0 ≤ i ≤ k : h.i))}
   ]|.

2. |[ con N : int {N ≥ 1};
      var h : array [0..N) of int; {(∀i : 0 ≤ i < N : h.i = F.i)}
      decomposition in situ
      {(∀k : 0 ≤ k < N : F.k = (Σi : 0 ≤ i ≤ k : h.i))}
   ]|.

   Note that F is a specification variable (cf. Section 2.0) and not a program variable.

3. |[ con N : int {N ≥ 0}; X : array [0..N) of int; {(∀i : 0 ≤ i < N : 0 ≤ X.i < 100)}
      var h : array [0..100) of int;
      S
      {(∀i : 0 ≤ i < 100 : h.i = (min p : 0 ≤ p < N ∧ X.p = i : p))}
   ]|.

4. |[ con N : int {N ≥ 1}; X : array [0..N) of int; {(∀i : 0 ≤ i < N : 0 ≤ X.i < 100)}
      var r : int;
      S
      {r = (max p, q : 0 ≤ p < q < N ∧ X.p = X.(q-1) : q - p)}
   ]|.

   (Hint: introduce array h[0..100) and use the previous exercise.)


5. Derive a program to determine for natural N the frequency of the decimal digits in the decimal representation of N.

6. |[ con N : int {N ≥ 0}; X : array [0..N) of int; var h : array [0..N) of int;
      S
      {(∀i : 0 ≤ i < N : h.i = (max j : 0 ≤ j ≤ i : X.j))}
   ]|.

7. Prove:

   If h does not occur in H or E, then

   {(∀i : i ≠ E : h.i = H.i) ∧ F = G(h := h(E:F))} h.E := F {(∀i : i ≠ E : h.i = H.i) ∧ h.E = G}.

   and

   If h does not occur in H, E, or F, then

   {(∀i : i ≠ E : h.i = H.i)} h.E := F {(∀i : i ≠ E : h.i = H.i) ∧ h.E = F}.

10.2 Swaps

Many programming problems involving array manipulations can be solved by interchanging array values. Given integer array h[0..N), and integer expressions E and F, we abbreviate the program fragment

|[ var r : int; r := h.E; h.E := h.F; h.F := r ]|

to

swap.E.F

Its informal interpretation is 'interchange the values of h.E and h.F'. However, as in the case of an array assignment, this operational interpretation does not help very much. To express its meaning formally, we extend the notation h(x:A) to two arguments and we define h(x, y : A, B) by

h(x, y : A, B).i  =  h.i   if i ≠ x ∧ i ≠ y
                  =  A     if i = x
                  =  B     if i = y

Then swap.E.F may be characterized by

{P} swap.E.F {Q} is equivalent to [P ⇒ def.(h.E) ∧ def.(h.F) ∧ Q(h := h(E, F : h.F, h.E))]

As long as E and F do not depend on h (i.e., h does not occur in E or F) things are relatively easy. Otherwise, it is very difficult to predict the effect of a swap without performing the necessary calculations. This is illustrated by the following example. Let h.0 = 0 and h.1 = 1. Then swap.(h.0).(h.1) is equivalent to swap.0.1, which establishes h.0 = 1 and h.1 = 0. In particular, we then have h.(h.1) = h.0 = 1. Hence,

{h.(h.0) = 0} swap.(h.0).(h.1) {h.(h.1) = 0}

does not hold. So a naive operational interpretation is liable to be faulty. We leave it as an exercise to the reader to provide a formal proof of

{h.0 = 0 ∧ h.1 = 1 (hence, h.(h.0) = 0)} swap.(h.0).(h.1) {h.(h.1) = 1}

Fortunately, the situation is not so bad if we restrict ourselves to swaps of the form swap.E.F in which h does not occur in E or F. For this case it is easy to derive the following rule.

Simple swap statement:

If h does not occur in E or F, then

{(∀i : i ≠ E ∧ i ≠ F : h.i = H.i) ∧ h.E = A ∧ h.F = B} swap.E.F {(∀i : i ≠ E ∧ i ≠ F : h.i = H.i) ∧ h.E = B ∧ h.F = A}

We will use this rule frequently, without explicit reference. In the following subsections we present examples of its use.
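The point of both the array-assignment definition (Section 10.1, the calculation of h.(h.1) := 0 at the start of this page) and the swap definition above is that E and F are evaluated in the pre-state and the result is the functional update h(E:F) or h(E, F : h.F, h.E). The following added example, which is my own code and not the book's, implements those two updates and the wp of the array assignment directly, and reproduces both counter-intuitive cases from the text (h.(h.1) := 0 with h.0 = h.1 = 1, and swap.(h.0).(h.1) with h.0 = 0, h.1 = 1). Expressions are passed as functions of the pre-state so that aliasing through h is modelled faithfully:

```python
"""Functional array update h(x:A), h(x,y:A,B), and the pre-state evaluation rule for
h.E := F and swap.E.F.  Example code added to this section, not Kaldewaij's."""


def update(h, x, a):
    """h(x:A): a copy of h whose x-th element is a; requires def.(h.x), i.e. 0 <= x < N."""
    if not 0 <= x < len(h):
        raise IndexError("def.(h.E) does not hold: %r not in [0..%d)" % (x, len(h)))
    g = list(h)
    g[x] = a
    return g


def update2(h, x, y, a, b):
    """h(x,y:A,B): element x becomes a, element y becomes b, all others unchanged.
    For swap.E.F the cases x == y agree, since then a == b."""
    return update(update(h, x, a), y, b)


def array_assign(h, E, F):
    """Meaning of h.E := F: E and F are evaluated in the PRE-state, then h becomes h(E:F)."""
    return update(h, E(h), F(h))


def swap(h, E, F):
    """Meaning of swap.E.F: h becomes h(E, F : h.F, h.E), E and F evaluated in the pre-state."""
    e, f = E(h), F(h)
    if not 0 <= f < len(h):
        raise IndexError("def.(h.F) does not hold")
    return update2(h, e, f, h[f], h[e])


def wp_assign(E, F, Q):
    """wp.(h.E := F).Q == def.F and def.(h.E) and Q(h := h(E:F)), as a predicate on the pre-state."""
    def pred(h):
        try:
            e, f = E(h), F(h)                 # def.E and def.F: the expressions must evaluate
        except (IndexError, ZeroDivisionError):
            return False
        if not 0 <= e < len(h):              # 0 <= E < N
            return False
        return Q(update(h, e, f))
    return pred


def aliased_assignment():
    """The calculation above: h.0 = h.1 = 1 and h.(h.1) := 0.  Returns (new h, h.(h.1) afterwards)."""
    h = [1, 1]
    g = array_assign(h, lambda h: h[h[1]], lambda h: 0)   # E = h.(h.1) is 1 in the pre-state
    return g, g[g[1]]


def aliased_swap():
    """h.0 = 0, h.1 = 1 and swap.(h.0).(h.1), i.e. swap.0.1.  Returns (new h, h.(h.0), h.(h.1))."""
    h = [0, 1]
    g = swap(h, lambda h: h[0], lambda h: h[1])
    return g, g[g[0]], g[g[1]]


if __name__ == "__main__":
    print(aliased_assignment())   # h.(h.1) is 1 afterwards, as the calculation shows
    print(aliased_swap())         # h.(h.1) = 1, so {h.(h.0) = 0} swap.(h.0).(h.1) {h.(h.1) = 0} fails
    print(wp_assign(lambda h: h[h[1]], lambda h: 0, lambda g: g[g[1]] == 1)([1, 1]))
```

`wp_assign` is the rule [wp.(h.E := F).Q ≡ def.F ∧ def.(h.E) ∧ Q(h := h(E:F))] made executable for a concrete pre-state; it is useful for checking a proposed Hoare triple on small test states before attempting the calculation by hand.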


10.2.0 The Dutch National Flag

As a first example, we derive a program that swaps the values of an array with elements red, white and blue in such a way that its final value is in accordance with the Dutch National Flag. Its specification is

|[ con N : int {N ≥ 0};
   var h : array [0..N) of {red, white, blue};
   Dutch National Flag
   {(∃p, q : 0 ≤ p ≤ q ≤ N : (∀i : 0 ≤ i < p : h.i = red)
                           ∧ (∀i : p ≤ i < q : h.i = white)
                           ∧ (∀i : q ≤ i < N : h.i = blue)
   )}
]|.

in which only swap operations are allowed as operations on h.

It seems hard to establish this post-condition without being able to indicate where the final boundaries of the colours are. Therefore, we introduce variables r and w and we derive a program with post-condition

R: (∀i : 0 ≤ i < r : h.i = red) ∧ (∀i : r ≤ i < w : h.i = white) ∧ (∀i : w ≤ i < N : h.i = blue)

There are several ways in which R may be weakened. A possible invariant is (introducing integer variable b):

(∀i : 0 ≤ i < r : h.i = red) ∧ (∀i : r ≤ i < w : h.i = white) ∧ (∀i : w ≤ i < b : h.i = blue)

which is established by r, w, b := 0, 0, 0. This choice, however, leads to a rather complicated program. We have lost too much symmetry. Since three parts have to be determined, complete symmetry cannot be obtained. Therefore, we choose as invariants P0 and P1 defined by

P0: Pr ∧ Pw ∧ Pb
P1: 0 ≤ r ≤ w ≤ b ≤ N

with

Pr: (∀i : 0 ≤ i < r : h.i = red)
Pw: (∀i : r ≤ i < w : h.i = white)
Pb: (∀i : b ≤ i < N : h.i = blue)

P0 and P1 are initialized by r, w, b := 0, 0, N. Furthermore,

P0 ∧ w = b ⇒ R

This yields w ≠ b as guard of a repetition. For w < b, the elements of h[w..b) are candidates for inspection. Two choices are obvious: w and b-1. We choose w and we discuss the other possibility later. This leads to a first approximation of the solution:

|[ var r, w, b : int;
   r, w, b := 0, 0, N {invariant P0 ∧ P1, bound b-w}
 ; do w ≠ b
   → if h.w = red   → Sr
     [] h.w = white → Sw
     [] h.w = blue  → Sb
     fi
   od
]|

Note that

r     = 'the number of red elements that have been detected'
w - r = 'the number of white elements that have been detected'
N - b = 'the number of blue elements that have been detected'

Hence, Sr will contain the statement r := r+1 and also w := w+1, keeping w - r invariant. Similarly, we expect that Sw will contain the statement w := w+1 and Sb will contain b := b-1.

Statement Sw is the easiest one, since

P0 ∧ P1 ∧ h.w = white ⇒ (P0 ∧ P1)(w := w+1)

Hence, for Sw we choose w := w+1. Next we consider Sb, which has h.w = blue as a pre-condition and for which swap.w.(b-1) is appropriate. From r ≤ w < b we infer that swap.w.(b-1) does not affect Pr, Pw, or Pb, and we have

{Pr ∧ Pw ∧ Pb ∧ w < b ∧ h.w = blue} swap.w.(b-1)
{Pr ∧ Pw ∧ Pb ∧ w < b ∧ h.(b-1) = blue} ; b := b-1
{Pr ∧ Pw ∧ Pb ∧ w ≤ b}

Hence, for Sb we choose swap.w.(b-1); b := b-1. We are left with Sr, with pre-condition

Pr ∧ Pw ∧ Pb ∧ w < b ∧ h.w = red

Statement swap.w.r seems appropriate for establishing Pr(w := w+1), but what can be said about h.r? From Pw we infer r < w ⇒ h.r = white, or, equivalently, r = w ∨ h.r = white. This yields two cases.

Case (i): r = w

{Pr ∧ Pw ∧ Pb ∧ r = w < b ∧ h.w = red} swap.w.r
{Pr ∧ Pb ∧ r = w < b ∧ h.r = red} ; r, w := r+1, w+1
{Pr ∧ Pb ∧ r = w ≤ b, hence Pr ∧ Pw ∧ Pb ∧ w ≤ b}

Case (ii): h.r = white

{Pr ∧ Pw ∧ Pb ∧ w < b ∧ h.w = red ∧ h.r = white} swap.w.r
{Pr ∧ h.r = red ∧ (∀i : r+1 ≤ i < w : h.i = white) ∧ h.w = white ∧ Pb ∧ w < b} ; r, w := r+1, w+1
{Pr ∧ Pw ∧ Pb ∧ w ≤ b}

We conclude that swap.w.r; r, w := r+1, w+1 is a good choice for Sr. Taking all pieces together, we obtain the following program.

|[ var r, w, b : int;
   r, w, b := 0, 0, N {invariant P0 ∧ P1, bound b-w}
 ; do w ≠ b
   → if h.w = red   → swap.w.r; r, w := r+1, w+1
     [] h.w = white → w := w+1
     [] h.w = blue  → swap.w.(b-1); b := b-1
     fi
   od
]|

This program has time complexity O(N). When the colours are uniformly distributed then ⅔N swaps are performed on the average. If one chooses to inspect h.(b-1) instead of h.w then a program is obtained whose execution takes N swaps on the average.
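The swap counts claimed above can be checked exactly rather than on average: in the program that inspects h.w every red or blue element costs exactly one swap and every white element none, while the variant that inspects h.(b-1) costs a blue element nothing, a white one one swap (into position w) and a red one two swaps (into w and then into r). The following added example, which is my own code and not the book's, implements both variants with a swap counter, verifies the post-condition R and the preservation of the bag of values, and computes the mean swap count over all 3^N constructed colourings of length N:

```python
"""The Dutch National Flag program above and its h.(b-1) variant, with swap counting.
Example code added to this section, not Kaldewaij's; inputs are constructed here."""
from fractions import Fraction
from itertools import product

RED, WHITE, BLUE = "red", "white", "blue"


def dnf(h):
    """Inspect h.w.  Returns (flag, r, w, number of swaps)."""
    h = list(h)
    r, w, b, swaps = 0, 0, len(h), 0
    while w != b:                 # P0: h[0..r) red, h[r..w) white, h[b..N) blue; P1: 0<=r<=w<=b<=N
        if h[w] == RED:
            h[w], h[r] = h[r], h[w]; swaps += 1
            r, w = r + 1, w + 1
        elif h[w] == WHITE:
            w += 1
        else:
            h[w], h[b - 1] = h[b - 1], h[w]; swaps += 1
            b -= 1
    return h, r, w, swaps


def dnf_from_right(h):
    """Inspect h.(b-1) instead; a red element now needs two swaps to reach position r."""
    h = list(h)
    r, w, b, swaps = 0, 0, len(h), 0
    while w != b:
        c = h[b - 1]
        if c == BLUE:
            b -= 1
        elif c == WHITE:
            h[b - 1], h[w] = h[w], h[b - 1]; swaps += 1   # white now at w
            w += 1
        else:
            h[b - 1], h[w] = h[w], h[b - 1]; swaps += 1   # red now at w
            h[w], h[r] = h[r], h[w]; swaps += 1           # then at r; old h.r (white) moves to w
            r, w = r + 1, w + 1
    return h, r, w, swaps


def is_flag(h, r, w):
    """Post-condition R with boundaries r and w."""
    return (all(c == RED for c in h[:r]) and all(c == WHITE for c in h[r:w])
            and all(c == BLUE for c in h[w:]))


def average_swaps(N, algorithm):
    """Exact mean swap count over all 3^N colourings of length N, checking R for each."""
    total, count = 0, 0
    for h in product((RED, WHITE, BLUE), repeat=N):
        g, r, w, s = algorithm(h)
        assert is_flag(g, r, w) and sorted(g) == sorted(h)   # R, and the bag is unchanged
        total += s
        count += 1
    return Fraction(total, count)


if __name__ == "__main__":
    print(average_swaps(6, dnf), average_swaps(6, dnf_from_right))   # 4 and 6 for N = 6
```

Because the cost of each element depends only on its own colour, the means are exactly ⅔N and N for uniformly distributed colours, whatever N is; the exhaustive enumeration makes that visible without any probabilistic argument.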

10.2.1 Rotation

In many problems that involve array manipulations the individual array elements do not play a specific role, and these problems may often be expressed, for instance, in terms of segments or sequences. In this subsection we solve such a problem by first deriving an abstract program. That program is then refined into a program in terms of array operations.

Assume that an integer array h[0..N) and integer constant K, 0 ≤ K < N, have been defined. The problem is to rotate h over K places, using swap operations only. A formal specification is

|[ con K, N : int {0 ≤ K < N}; var h : array [0..N) of int;
   {(∀i : 0 ≤ i < N : h.i = H.i)}
   rotation
   {(∀i : 0 ≤ i < N : h.((i+K) mod N) = H.i)}
]|.

in which only swap operations are allowed on h.

Note that H is a specification variable (cf. Section 2.0) and not a program variable, i.e., H may not occur in statements. To eliminate mod N, we rewrite post-condition R as

(∀i : 0 ≤ i < N-K : h.(i+K) = H.i) ∧ (∀i : N-K ≤ i < N : h.(i+K-N) = H.i)

or, equivalently,

h[K..N) = H[0..N-K) ∧ h[0..K) = H[N-K..N)

Apparently, this problem can be stated in terms of sequences. Let us denote H[0..N-K) by X and H[N-K..N) by Y. Furthermore, catenation of sequences is denoted by juxtaposition, for instance H[0..N) corresponds to XY. The empty sequence is denoted by [], and the length of sequence U is denoted as l.U. In terms of sequences the problem may be specified by

{h = XY}
rotation
{h = YX}

where X and Y are as defined above. When X and Y have the same length then the post-condition can be established easily. Indeed, swapping the corresponding elements of X and Y in h yields h = YX.

When l.X < l.Y then Y may be written as Y = UV, where l.U = l.X, and we have to solve

{h = XUV ∧ l.U = l.X} rotation {h = UVX}

Let us denote the exchange in h, h = ABCD, of sequences B and C that have the same length by SWAP.B.C. Then this problem may be reduced to solving S in

{h = XUV ∧ YX = UVX ∧ l.X = l.U}
SWAP.X.U
{h = UXV}
S
{h = UVX}

i.e., XV has to be transformed into VX, a problem that is of the same form as the original one. From this point one may start the discussion again and consider the cases l.X ≤ l.V and l.V < l.X. Such an investigation leads to the following invariant:

P: h = AUVB ∧ YX = AVUB

i.e., to establish the desired post-condition U and V have to be interchanged. Since initially h = XY, P is established by

A, U, V, B := [], X, Y, []

Furthermore, we have

P ∧ (U = [] ∨ V = []) ⇒ h = YX

This yields the following solution:

A, U, V, B := [], X, Y, [] {invariant P, bound: l.U + l.V}
; do U ≠ [] ∧ V ≠ []
  → if l.U ≥ l.V
    → 'split U: U = U0U1 ∧ l.U1 = l.V'
      {h = AU0U1VB ∧ YX = AVU0U1B}
    ; SWAP.U1.V
      {h = AU0VU1B ∧ YX = AVU0U1B}
    ; U, B := U0, U1B
      {h = AUVB ∧ YX = AVUB}
    [] l.V ≥ l.U
    → 'split V: V = V0V1 ∧ l.V0 = l.U'
      {h = AUV0V1B ∧ YX = AV0V1UB}
    ; SWAP.U.V0
      {h = AV0UV1B ∧ YX = AV0V1UB}
    ; A, V := AV0, V1
      {h = AUVB ∧ YX = AVUB}
    fi
  od {h = YX}.

To code this algorithm in terms of array h, we represent sequences A, U, V, and B by integer values a, b, k, and l, such that

A = h[0..a)                        B = h[b..N)
U = h[a..a+k), hence l.U = k       V = h[b-l..b), hence l.V = l

These relations are called coupling invariants. Note that a+k = b-l should be a coupling invariant as well. In terms of a, b, k, and l, the algorithm is

|[ var a, b, k, l : int;
   a, b, k, l := 0, N, N-K, K
 ; do k ≠ 0 ∧ l ≠ 0
   → if k ≥ l
     → |[ var n : int; n := b-l; do n ≠ b → swap.n.(n-l); n := n+1 od ]|
     ; k := k-l; b := b-l
     [] l ≥ k
     → |[ var n : int; n := a; do n ≠ a+k → swap.n.(n+k); n := n+1 od ]|
     ; l := l-k; a := a+k
     fi
   od
]|.

To determine the time complexity of this program, we add the auxiliary variable t to record the number of swaps performed during its execution. We leave out the variables that are not relevant to this discussion. This yields

|[ var k, l, t : int;
   k, l := N-K, K; t := 0
 ; do k ≠ 0 ∧ l ≠ 0
   → if k ≥ l → t := t+l; k := k-l
     [] l ≥ k → t := t+k; l := l-k
     fi
   od
]|

In this program, we recognize the algorithm for the computation of a greatest common divisor. Note that t + k + l is constant during execution of the repetition. Initially, it has value 0 + K + N-K = N, hence,

t + k + l = N

is an invariant of the repetition. What can be said about the final values of k and l? With respect to k and l, we have as invariant

k gcd l = K gcd (N-K)

and, since 0 gcd x = x gcd 0 = x = x+0, we have as post-condition

k + l = K gcd (N-K) = K gcd N

and, since t + k + l = N, we conclude that N - (K gcd N) swaps are performed.
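The array-level rotation program and the swap-count result N - (K gcd N) can be exercised together. The following added example is my own code, not the book's: it runs the program with the coupling invariant a+k = b-l asserted on every iteration, counts the swaps, and checks the result against the specification h.((i+K) mod N) = H.i for constructed inputs. The swap count returned can be compared with N - gcd(K, N) for every K:

```python
"""Rotation of h over K places by swaps only, following the a, b, k, l program above.
Example code added to this section, not Kaldewaij's; inputs are constructed here."""
from math import gcd


def rotate(h, K):
    """Returns (rotated array, number of swaps).  Requires 0 <= K < N."""
    N = len(h)
    assert 0 <= K < N
    h = list(h)
    swaps = 0
    # A = h[0..a), U = h[a..a+k), V = h[b-l..b), B = h[b..N); initially U = X, V = Y
    a, b, k, l = 0, N, N - K, K
    while k != 0 and l != 0:
        assert a + k == b - l                      # coupling invariant
        if k >= l:
            # SWAP.U1.V: U1 is the last l elements of U, directly before V
            for n in range(b - l, b):
                h[n], h[n - l] = h[n - l], h[n]
                swaps += 1
            k, b = k - l, b - l                    # U, B := U0, U1 B
        else:
            # SWAP.U.V0: V0 is the first k elements of V, directly after U
            for n in range(a, a + k):
                h[n], h[n + k] = h[n + k], h[n]
                swaps += 1
            l, a = l - k, a + k                    # A, V := A V0, V1
    return h, swaps


def satisfies_spec(H, h, K):
    """Post-condition: (forall i : 0 <= i < N : h.((i+K) mod N) = H.i)."""
    N = len(H)
    return len(h) == N and all(h[(i + K) % N] == H[i] for i in range(N))


def predicted_swaps(N, K):
    """N - (K gcd N), as derived above from the invariants t + k + l = N and k gcd l = K gcd N."""
    return N - gcd(K, N)


if __name__ == "__main__":
    H = list(range(10))
    for K in range(10):
        h, swaps = rotate(H, K)
        print(K, h, swaps, predicted_swaps(10, K))
```

The inner loops are the only places where h changes, and each of them is a SWAP of two adjacent equal-length blocks, so the bag of values is preserved by construction; the `assert` makes the coupling invariant that the text asks for visible at run time.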

Exercises

Derive solutions, with time complexity O(N), to the following problems. The only array manipulations allowed are swaps.

0. |[ con N : int {N ≥ 0};
      var h : array [0..N) of int;
      S
      {(∃p : 0 ≤ p ≤ N : (∀i : 0 ≤ i < p : h.i ≤ 0) ∧ (∀i : p ≤ i < N : h.i ≥ 0))}
   ]|.

1. |[ con N : int {N ≥ 0};
      var h : array [0..N) of int;
      S
      {(∀i : 0 ≤ i < N ∧ i mod 2 = 0 : h.i mod 2 = 0) ∨ (∀i : 0 ≤ i < N ∧ i mod 2 = 1 : h.i mod 2 = 1)}
   ]|.

2. |[ con k, N : int {0 ≤ k < N}; var h : array [0..N) of int;
      S
      {h.k = (max i : 0 ≤ i < N : h.i)}
   ]|.

3. |[ con k, N : int {0 ≤ k < N}; var h : array [0..N) of int;
      S
      {(∃p, q : 0 ≤ p ≤ q ≤ N : (∀i : 0 ≤ i < p : h.i < h.k) ∧ (∀i : p ≤ i < q : h.i = h.k) ∧ (∀i : q ≤ i < N : h.i > h.k))}
   ]|.

Derive solutions, with time complexity O(N²), to the following problem. The only array manipulations allowed are swaps.

4. |[ con N : int {N ≥ 0};
      var h : array [0..N) of int;
      sort
      {(∀i, j : 0 ≤ i ≤ j < N : h.i ≤ h.j)}
   ]|.

   Use a repetition within a repetition and choose as invariants for the outer repetition P0 ∧ P1 and as invariant for the inner repetition Q, where

   P1: 0 ≤ n ≤ N

   and

   (i)   P0: (∀i, j : 0 ≤ i ≤ j < n : h.i ≤ h.j)
         Q:  (∀i : k ≤ i ≤ n : h.i ≤ h.n)

   (ii)  P0: (∀i : 0 ≤ i < n : (∀j : i ≤ j < N : h.i ≤ h.j))
         Q:  (∀j : k ≤ j < N : h.k ≤ h.j)

   (iii) P0: (∀i : 0 ≤ i < n : (∀j : i ≤ j < N : h.i ≤ h.j))
         Q:  (∀j : n ≤ j ≤ k : h.n ≤ h.j)

Chapter 11

Sorting

11.0 Introduction

Many programming problems involving arrays admit efficient solutions if these arrays are ascending. Examples are Binary Search and Slope Search. This is one reason that makes sorting algorithms interesting. Another reason is that solving the sorting problem is a nice illustration of our programming techniques. In this chapter we discuss some sorting algorithms, i.e., algorithms that establish ascendingness of an integer array without changing the bag (multiset) of values of the array (bags are a generalization of sets in the sense that a bag may contain multiple occurrences of an element). The latter requirement is met if we restrict the array operations to swaps.

Let h[0..N) be the integer array to be sorted. Define, for 0 ≤ p < N and 0 ≤ q < N, inversion.p.q by

inversion.p.q ≡ p < q ∧ h.p > h.q

'Array h is ascending' is equivalent to (#p, q : 0 ≤ p < q < N : inversion.p.q) = 0. The number of inversions is at most

(#p, q : 0 ≤ p < q < N : true) = (Σi : 0 ≤ i < N : i) = ½N(N-1).

Swapping two neighbours in h decreases the number of inversions by at most 1 and so we conclude:

A sorting algorithm in which only neighbours are swapped has time complexity of at least O(N²).

In Section 11.1 sorting algorithms that have time complexity O(N²) are derived.

What can be said about the time complexity if elements are swapped that are not neighbours? To answer this question, we use the following argument. Assume that all elements of h are different. Then there are N! (N factorial) different arrangements of these elements and only one of these is ascending. Each comparison of two elements has two possible outcomes and hence, after k comparisons we have 2^k possible outcomes. To ensure that all N! arrangements can be distinguished, 2^k must be at least N!, i.e., k ≥ ²log N!, and from mathematics (Stirling's formula) it is known that log N! is at least C * N log N for some C > 0. We formulate this result as follows.

A comparison-based sorting algorithm has time complexity of at least O(N log N).

In Section 11.2 we present O(N log N) sorting algorithms. An example of a non-comparison-based algorithm is bucket sort. This algorithm is applicable when the values of h are within a small range, say [0..K). Using a frequency table (cf. Section 10.1), the frequency of each value that occurs in h can be computed and these values are assigned to h in ascending order, leading to an algorithm that has time complexity O(N+K).

The sorting problem discussed in this chapter has the following specification:

|[ con N : int {N ≥ 1};
   var h : array [0..N) of int;
   sort
   {(∀i, j : 0 ≤ i ≤ j < N : h.i ≤ h.j)}
]|.

in which only swap operations are allowed on h.

In solutions to this problem we often encounter the following statement (0 ≤ i < N, 0 ≤ j < N):

if h.i ≤ h.j → skip
[] h.i > h.j → swap.i.j
fi

for which we have

{P}
if h.i ≤ h.j → skip
[] h.i > h.j → swap.i.j
fi
{Q}

is equivalent to

[P ⇒ Q(h := h(i, j : h.i min h.j, h.i max h.j))]
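The two lower bounds in this introduction rest on small combinatorial facts that are easy to check mechanically: a swap of neighbours changes the inversion count by exactly one when the values are distinct (hence by at most one in general), and a comparison-based sort needs at least ⌈²log N!⌉ comparisons. The following added example, my own code rather than the book's, computes inversions as defined above, verifies the neighbour-swap property over every permutation of a small [0..N), computes the comparison bound exactly, and implements the conditional swap statement as the update h(i, j : h.i min h.j, h.i max h.j). The permutations are constructed inputs:

```python
"""Inversions, the neighbour-swap property and the comparison lower bound from the
introduction.  Example code added to this chapter, not Kaldewaij's."""
import math
from itertools import permutations


def inversions(h):
    """(#p, q : 0 <= p < q < N : h.p > h.q)."""
    N = len(h)
    return sum(1 for p in range(N) for q in range(p + 1, N) if h[p] > h[q])


def is_ascending(h):
    """'h is ascending' is equivalent to having no inversions."""
    return inversions(h) == 0


def swap_neighbours(h, k):
    """swap.(k-1).k; returns the new array and the change in the inversion count."""
    g = list(h)
    g[k - 1], g[k] = g[k], g[k - 1]
    return g, inversions(g) - inversions(h)


def neighbour_swap_delta_is_unit(N):
    """Over every permutation of [0..N) and every k, one neighbour swap changes the
    inversion count by exactly +1 or -1, so at least #inversions swaps are needed."""
    return all(abs(swap_neighbours(h, k)[1]) == 1
               for h in permutations(range(N)) for k in range(1, N))


def comparison_lower_bound(N):
    """Least k with 2^k >= N!, i.e. ceil(2log N!), computed with exact integers."""
    fact = math.factorial(N)
    k = 0
    while 2 ** k < fact:
        k += 1
    return k


def sort_pair(h, i, j):
    """The statement  if h.i <= h.j -> skip [] h.i > h.j -> swap.i.j fi,
    whose effect is h := h(i, j : h.i min h.j, h.i max h.j)."""
    g = list(h)
    g[i], g[j] = min(h[i], h[j]), max(h[i], h[j])
    return g


if __name__ == "__main__":
    print(inversions([3, 1, 2]), neighbour_swap_delta_is_unit(5))
    print([comparison_lower_bound(N) for N in range(1, 9)])
```

For equal neighbours the swap leaves the count unchanged, which is why the text says "at most 1"; the exhaustive check uses permutations precisely so that the stronger "exactly 1" holds and the reasoning behind the ½N(N-1) bound is visible.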


11.1 Quadratic sorting algorithms

In this section we derive some O(N²) sorting algorithms, not because of their usefulness, but to illustrate the ways in which they may be derived and to show what kinds of problems are related to sorting. One should not try to memorize them and we do not supply average-case time complexity derivations, nor do we supply figures that compare these sorting algorithms with respect to some test inputs.

The post-condition R of the specification of sort may be rewritten in several ways, for instance, as

(∀i : 0 < i < N : h.(i-1) ≤ h.i)
(∀i, j : 0 ≤ i < j < N : h.i ≤ h.j)
(∀i : 0 ≤ i < N-1 : (∀j : i ≤ j < N : h.i ≤ h.j))

Each of these expressions may be generalized in several ways to obtain an invariant. In the following subsections we choose one of these and derive a corresponding algorithm, leading to Insertion Sort, Selection Sort, and Bubble Sort respectively. These are just three of the better-known quadratic solutions. Other investigations of this kind are left to the reader.

11.1.0 Insertion Sort

We choose as post-condition

R: (∀i, j : 0 ≤ i < j < N : h.i ≤ h.j)

Replacing the constant N by integer variable n yields invariants P0 and P1 defined by

P0: (∀i, j : 0 ≤ i < j < n : h.i ≤ h.j)
P1: 1 ≤ n ≤ N

which are established by n := 1. As guard of a repetition we choose n ≠ N; bound function N-n will do. For 1 ≤ n < N, we have

P0(n := n+1) ≡ (∀i, j : 0 ≤ i < j < n+1 : h.i ≤ h.j)

which equals P0 apart from j = n, i.e., P0 can be written as

(∀i, j : 0 ≤ i < j < n+1 ∧ j ≠ n : h.i ≤ h.j)

We generalize this expression, introducing the integer variable k, to

Q0: (∀i, j : 0 ≤ i < j < n+1 ∧ j ≠ k : h.i ≤ h.j)

which is initialized by k := n. Furthermore, Q0 ∧ k = 0 ⇒ P0(n := n+1) and also, because of the transitivity of ≤, we have, for 1 ≤ k ≤ n,

Q0 ∧ h.(k-1) ≤ h.k ⇒ P0(n := n+1)

as well. Hence,

Q0 ∧ (k = 0 ∨ h.(k-1) ≤ h.k) ⇒ P0(n := n+1)

For the case k ≥ 1 ∧ h.(k-1) > h.k we investigate a decrease of k by 1 and we derive

Q0
=   { definition of Q0 }
(∀i, j : 0 ≤ i < j < n+1 ∧ j ≠ k : h.i ≤ h.j)
=   { definition of max }
(∀j : 0 ≤ j < n+1 ∧ j ≠ k : h.j = (max i : 0 ≤ i ≤ j : h.i))
=   { range split }
(∀j : 0 ≤ j < k-1 : h.j = (max i : 0 ≤ i ≤ j : h.i)) ∧
(∀j : k+1 ≤ j < n+1 : h.j = (max i : 0 ≤ i ≤ j : h.i)) ∧
h.(k-1) = (max i : 0 ≤ i ≤ k-1 : h.i)

The first and the second conjunct of the last line of this derivation are not affected by swap.(k-1).k. For the third conjunct, we have

h.(k-1) = (max i : 0 ≤ i ≤ k-1 : h.i)
⇒   { max calculus }
h.(k-1) max h.k = (max i : 0 ≤ i ≤ k : h.i)

Hence, if h.(k-1) > h.k then swap.(k-1).k establishes

h.k = (max i : 0 ≤ i ≤ k : h.i)

and it can only falsify h.(k-1) = (max i : 0 ≤ i ≤ k-1 : h.i), from which we infer

{Q0 ∧ k ≥ 1 ∧ h.(k-1) > h.k} swap.(k-1).k {Q0(k := k-1)}

One may be tempted to translate this result into the following program fragment for 'establish P0(n := n+1)':

|[ var k : int; k := n
 ; do k ≠ 0 ∧ h.(k-1) > h.k → swap.(k-1).k; k := k-1 od
]|.

However, the guard k ≠ 0 ∧ h.(k-1) > h.k is not defined for k = 0. We solve this problem by defining the bounds for k by

1 ≤ k ≤ n

and taking case k = 1 out of the repetition. This leads to

Insertion Sort

|[ var n : int; n := 1
 ; do n ≠ N
   → |[ var k : int; k := n
      ; do k ≠ 1 ∧ h.(k-1) > h.k → swap.(k-1).k; k := k-1 od
      ; if h.0 > h.1 → swap.0.1 [] h.0 ≤ h.1 → skip fi
      ]|
   ; n := n+1
   od
]|.

When this program is executed and h is initially decreasing then ½N(N-1) steps are performed. When h is initially ascending then only N steps are performed.

11.1.1 Selection Sort

We write the post-condition of sort as

R: (∀i : 0 ≤ i < N : (∀j : i ≤ j < N : h.i ≤ h.j))

We replace the first occurrence of N by integer variable n. Replacement of both occurrences of N gives rise to Insertion Sort, as the reader may verify. Thus, we propose invariants P0 and P1 defined by

P0: (∀i : 0 ≤ i < n : (∀j : i ≤ j < N : h.i ≤ h.j))
P1: 0 ≤ n ≤ N

We derive for 0 ≤ n < N:

P0(n := n+1)
=   { substitution }
(∀i : 0 ≤ i < n+1 : (∀j : i ≤ j < N : h.i ≤ h.j))
=   { split off i = n, 0 ≤ n < n+1 }
P0 ∧ (∀j : n ≤ j < N : h.n ≤ h.j)
=   { min calculus }
P0 ∧ h.n = (min j : n ≤ j < N : h.j)

Hence, a possible solution to 'establish P0(n := n+1)' is

|[ var a : int;
   'establish n ≤ a < N ∧ h.a = (min j : n ≤ j < N : h.j) without changing h'
 ; swap.n.a
]|.

Note that swap.n.a does not affect P0. A solution to the problem above is obtained by applying Searching by Elimination (cf. max location in Section 6.3) with invariant

n ≤ a ≤ b < N ∧ (min j : n ≤ j < N : h.j) = (min j : a ≤ j ≤ b : h.j)

Thus, we obtain the following solution, known as Selection Sort:

|[ var n : int; n := 0
 ; do n ≠ N
   → |[ var a, b : int; a, b := n, N-1
      ; do a ≠ b
        → if h.a ≤ h.b → b := b-1 [] h.b ≤ h.a → a := a+1 fi
        od
      ; swap.n.a
      ]|
   ; n := n+1
   od
]|.

This program will also take ½N(N-1) steps. The number of swaps is N.


11.1.2 Bubble Sort

Our final example of an O(N²) sorting algorithm is known as bubble sort. We choose the same invariants as we did for Selection Sort:

P0: (∀i : 0 ≤ i < n : (∀j : i ≤ j < N : h.i ≤ h.j))
P1: 0 ≤ n ≤ N

Then (cf. previous derivation) we have

P0(n := n+1) ≡ P0 ∧ h.n = (min j : n ≤ j < N : h.j)

Instead of computing a location of the minimum of h[n..N), we replace in the last expression both occurrences of n by integer variable k and we define Q0 and Q1 by

Q0: h.k = (min j : k ≤ j < N : h.j)
Q1: n ≤ k ≤ N-1

which are established by k := N-1. We derive

Q0
=   { definition of Q0 }
h.k = (min j : k ≤ j < N : h.j)
⇒   { Leibniz }
h.(k-1) min h.k = h.(k-1) min (min j : k ≤ j < N : h.j)
=   { calculus }
h.(k-1) min h.k = (min j : k-1 ≤ j < N : h.j)

Hence, sorting h.(k-1) and h.k establishes Q0(k := k-1). This yields as solution a program known as Bubble Sort, which is presented below. Execution of this program takes ½N(N-1) steps. When the selection amounts to skip in each step of the inner repetition, we may conclude that h[n..N) is ascending, and, hence, R holds. More precisely, we introduce boolean variable b and add invariant P2:

P2: b ⇒ h[n..N) is ascending

Then P0 ∧ P2 ∧ b ⇒ R. To invariants Q0 and Q1 we add

Q2: b ⇒ h[k..N) is ascending

This results in a second version of bubble sort (Bubble Sort (1)). For ascending arrays execution of this version takes N steps.

Bubble Sort (0)

|[ var n : int; n := 0
 ; do n ≠ N
   → |[ var k : int; k := N-1
      ; do k ≠ n
        → if h.(k-1) ≤ h.k → skip
          [] h.(k-1) > h.k → swap.(k-1).k
          fi
        ; k := k-1
        od
      ]|
   ; n := n+1
   od
]|

Bubble Sort (1)

|[ var n : int; b : bool; n, b := 0, false
 ; do n ≠ N ∧ ¬b
   → |[ var k : int;
        k, b := N-1, true
      ; do k ≠ n
        → if h.(k-1) ≤ h.k → skip
          [] h.(k-1) > h.k → b := false; swap.(k-1).k
          fi
        ; k := k-1
        od
      ]|
   ; n := n+1
   od
]|
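The step and swap counts stated for Insertion Sort, Selection Sort and the two Bubble Sorts can be measured. The following added example, my own code and not the book's programs verbatim, transcribes the four programs of this section onto an array wrapper that counts element comparisons (the "steps" of the text) and swaps, so that the claims ½N(N-1) steps for a decreasing input, N swaps for Selection Sort, and one pass of N-1 comparisons for Bubble Sort (1) on an ascending array can be checked on constructed inputs. Insertion Sort, which swaps neighbours only, performs exactly as many swaps as the array has inversions:

```python
"""The quadratic sorting programs of this section with comparison and swap counters.
Example code added to this section, not Kaldewaij's; inputs are constructed here."""


class Counted:
    """Array h with counters for comparisons of two elements and for swaps."""
    def __init__(self, h):
        self.h, self.cmp, self.swaps = list(h), 0, 0

    def gt(self, i, j):          # h.i > h.j, one comparison step
        self.cmp += 1
        return self.h[i] > self.h[j]

    def le(self, i, j):          # h.i <= h.j, one comparison step
        self.cmp += 1
        return self.h[i] <= self.h[j]

    def swap(self, i, j):        # swap.i.j
        self.h[i], self.h[j] = self.h[j], self.h[i]
        self.swaps += 1


def insertion_sort(a):
    N = len(a.h)
    n = 1
    while n != N:
        k = n
        while k != 1 and a.gt(k - 1, k):    # case k = 1 is taken out of the repetition
            a.swap(k - 1, k)
            k -= 1
        if a.gt(0, 1):
            a.swap(0, 1)
        n += 1
    return a


def selection_sort(a):
    N = len(a.h)
    n = 0
    while n != N:
        p, q = n, N - 1                      # minimum of h[n..N) lies in h[p..q]
        while p != q:
            if a.le(p, q):
                q -= 1
            else:
                p += 1
        a.swap(n, p)
        n += 1
    return a


def bubble_sort0(a):
    N = len(a.h)
    n = 0
    while n != N:
        k = N - 1
        while k != n:
            if a.gt(k - 1, k):
                a.swap(k - 1, k)
            k -= 1
        n += 1
    return a


def bubble_sort1(a):
    N = len(a.h)
    n, b = 0, False
    while n != N and not b:
        k, b = N - 1, True                   # b: no swap needed so far in this pass
        while k != n:
            if a.gt(k - 1, k):
                b = False
                a.swap(k - 1, k)
            k -= 1
        n += 1
    return a


if __name__ == "__main__":
    for sort in (insertion_sort, selection_sort, bubble_sort0, bubble_sort1):
        a = sort(Counted([5, 4, 3, 2, 1]))
        print(sort.__name__, a.h, a.cmp, a.swaps)
```

Insertion Sort on an ascending input performs two comparisons per value of n (one failing guard and the final if), so its "N steps" in the text should be read as a count of inner-loop iterations rather than of comparisons; the other three counts match exactly.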

The solutions discussed in this section are only suited for sorting relatively small arrays (of length at most 100). In the following section we consider some more advanced sorting algorithms.

Exercises

0. Solve:

   |[ con N : int {N ≥ 1}; X : array [0..N) of int; var h : array [0..N) of int;
      sort
      {(∀i : 0 ≤ i < N : (∃j : 0 ≤ j < N : h.j = i)) ∧ (∀i, j : 0 ≤ i ≤ j < N : X.(h.i) ≤ X.(h.j))}
   ]|.

1. A sorting algorithm is called stable if the order of any two equal values is not changed. In terms of the previous exercise this means that the post-condition is to be strengthened by

   i ≤ j ∧ X.(h.i) = X.(h.j) ⇒ h.i ≤ h.j

   Which of the sorting algorithms of this section are stable?

2. Derive a program that sorts N pairs lexicographically. The N pairs are (x.i, y.i) (0 ≤ i < N) and point (a, b) is lexicographically smaller than (c, d) if

   a < c ∨ (a = c ∧ b < d)

3. Derive a program that sorts integer matrix x : array [0..M) × [0..N) such that x is ascending in both arguments.

4. Derive a program that sorts integer matrix x : array [0..M) × [0..N) such that (∀i, j : 0 ≤ i ≤ j < M : x.i is lexicographically at most x.j).

11.2 Advanced sorting algorithms

In this section we present the more practical sorting algorithms Quicksort, Mergesort and Heapsort. Quicksort, invented by C.A.R. Hoare, has worst-case time complexity O(N²). Its average time complexity, however, is O(N log N). It uses O(log N) auxiliary storage. Mergesort has worst-case time complexity O(N log N). It uses an auxiliary array of length N. Heapsort, invented by J. Williams, also has worst-case time complexity O(N log N), but no auxiliary array is needed.

Both Quicksort and Mergesort are more elegantly presented as recursive programs. The bag of integers that has to be sorted is divided into two subbags and the results of sorting these subbags are combined to obtain the sorted sequence corresponding to the original bag. For Quicksort the division into subbags is the essential part and for Mergesort the combination of the sorted sequences is the essential part. In this book, however, we do not treat recursion and so programs are presented as ordinary iterative programs.

11.2.0 Quicksort

As before, Jet h(O .. N)be the array to be sorted Let z i

Performing the Dutch National Flag (DNF) l' . 'th =f ~.J _for some J, 0 s: J < N.

a gon m 0 SectlOn 10.2.0 with

red white blue

li,« < z h.t "= z h.£ > z

establishes post-condition

(V i : 0 ::; t < T ; h.t < z) 1\ (Vi: r S t < w ; li.i = z) II (V i : w :5 t < N: lu > z)

Hence. hfO .. r ] and h[w .. N) still Ltave to be sorted, i.e., this post-condition Implies

It IS ascending :; h[O .. r) IS ascending II h(w .. N) IS ascending

We may apply a Similar splitting to hlo r) and I [ '.

that still have to be sorted. A gene li ati z ~.:N), leading to four smaller parts mvanane. fa iza 1011 of this Idea IS expressed by the followlDg

p

h[O .. N) is ascending == (V v . v E F I di

. .. I IS ascen mg on v)

where V IS a set of disjOint subsegments of [O .. N} and wh f b

' ere or su segment v:

h is ascending on v == (V' .'

- t,] • t E v 1\ J E v 1\ t s: J ; lu s: h.j)

A program based on P is presented below.

180 Sorting

V'= ([O .. N)}

;da V #-0 ,

_.. 'choose 0: E V

; if length.a::; 1 _.. V ~"" V \ [o] n length.", ~ 2

-i 'choose J E a' 'z;= h.;

; 'perform DNF with z on a' {a=Jh,511(Vi;IEp:h.I<") II (Vi: IE! : h.1 = z) A (V i " E 5 : li.: :> z) I

y:= (V \ {a}) U {fJI U {51

fi

ad

'ram III the guarded command language, we (Why does it Lermmnte?'] To ohtum a }'r05 d we have to refine 'choose a E \I' and

fi d t ble representatton tor . , un !

hnve to in 11 SUI U t d by two integer arrays x and y, nne au

'choose 1 E n'. The set" call be represen e

integer vanable k, such that

V = {[x.L.y.i) I 0 ::; I < kj

. into three arts: {J, /, and o. At least one of the

The DNF part splits sequence 0: hi. h : t p t half the lenuth of a. When 'choose

d e 1 1 uth w tc 1 IS amos UJ" I

sezmcnts {J an u ius a en" f" f " length' we may hope t lilt

"... d' h lemont ° 1 a mlmm,u ,

0: E V' 15 refine to ic oose an ell deed let G" be the maxunum

! t f V will not be too arge. n ,. I 'f

the number of e ernen s a '11 t . f start with 11 segment of length" an, I

number of elements that \F WJ Call am I. we I I th Then

we choose 1ll each step an element of " at rrururna eng .

G.1 = I

G.n::;1+G.(ndiv2) (n221

from which we infer

G.n::; l+llogn

We conclude that for x and y only arrays of length 1 + ²log N are needed. Since splitting a minimal element of V into two parts yields a minimal element again, we represent V by

Advanced sorting algorithms 181

V = {[x.i..y.i) | 0 ≤ i < k} ∪ {[p..q)}

such that

(∀i : 0 < i < k : y.i − x.i ≤ y.(i−1) − x.(i−1))

and

(∀i : 0 ≤ i < k : q − p ≤ y.i − x.i)

Then

P ∧ k = 0 ∧ q−p ≤ 1 ⇒ h is ascending

The value of ²log N is easily computed. For 'choose j ∈ [p..q)' we choose (for the sake of symmetry) j = (p+q) div 2, i.e., z := h.((p+q) div 2). The complete solution is presented below. The first part consists of the computation of the upper bound for arrays x and y.

When this program is applied to an increasing sequence, then h[p..q) is divided into two parts that both have length at most (q−p) div 2. Let T.n denote the time complexity of sorting an increasing sequence of length n in this way. We have the following recurrence relation for T:

T.1 = 0
T.n = 2T.(n/2) + n   for n ≥ 2

(For the Dutch National Flag n steps are needed.)

This recurrence relation has T.n ≈ n ²log n as solution: for an already increasing sequence execution of this program takes O(N log N) steps.

When this program is applied to an arbitrary sequence and in each step the median of sequence h[p..q) is assigned to z, the same recurrence relation is obtained. A linear program for the computation of the median does exist, but its derivation is beyond the scope of this book.

When all elements of h are different and in each step of the repetition the minimum of h[p..q) is assigned to z, execution takes ½N(N+1) steps, which is the worst-case behavior of Quicksort. It can be shown that the average execution time over all permutations of [0..N) is O(N log N).

The complete program is presented below.


Quicksort:

|[ var n, m : int; n, m := 0, 1 {m = 2^n}
 ; do m < N → n, m := n+1, m*2 od
   {n ≥ ²log N}
 ; |[ var k, p, q : int; x, y : array [0..n) of int; k, p, q := 0, 0, N
    ; do k ≠ 0 ∨ q−p ≥ 2
      → if q−p ≤ 1 → k := k−1; p, q := x.k, y.k
        [] q−p ≥ 2 → |[ var r, w, b, z : int;
                        z := h.((p+q) div 2); r, w, b := p, p, q
                      ; do w ≠ b → if h.w < z → swap.r.w; r, w := r+1, w+1
                                   [] h.w = z → w := w+1
                                   [] h.w > z → b := b−1; swap.b.w
                                   fi
                        od
                      ; if r−p ≤ q−w → x.k := w; y.k := q; q := r
                        [] q−w ≤ r−p → x.k := p; y.k := r; p := w
                        fi
                      ; k := k+1
                      ]|
        fi
      od
   ]|
]|.
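As an added example (not the book's program), the Quicksort above in C: the set V is the explicit stack x, y plus the current segment [p..q), the DNF split uses r, w, b as in the listing, and the larger part is pushed so that the stack height k stays within the bound derived from G. The names quicksort, is_ascending and the sample input are mine, not the book's.

```c
#include <assert.h>
#include <stdio.h>

/* swap.i.j from the book's notation */
static void swap(int *h, int i, int j) { int t = h[i]; h[i] = h[j]; h[j] = t; }

/* Sorts h[0..N) as in the Quicksort listing: x[0..k), y[0..k) hold the
 * segments still to be sorted, [p..q) is the current one.  Returns the
 * largest k observed; the bound G says it never exceeds 2log N. */
int quicksort(int *h, int N)
{
    int n = 0, m = 1;                    /* n, m := 0, 1  {m = 2^n} */
    while (m < N) { n++; m *= 2; }       /* {n >= 2log N} */
    int x[64], y[64];                    /* book: array [0..n) of int; n < 64 here */
    int k = 0, p = 0, q = N, kmax = 0;
    while (k != 0 || q - p >= 2) {
        if (q - p <= 1) {                /* [p..q) is sorted: pop a segment */
            k--; p = x[k]; q = y[k];
        } else {                         /* DNF on h[p..q) with pivot z */
            int z = h[(p + q) / 2];
            int r = p, w = p, b = q;     /* h[p..r) < z, h[r..w) = z, h[b..q) > z */
            while (w != b) {
                if (h[w] < z)       { swap(h, r, w); r++; w++; }
                else if (h[w] == z) { w++; }
                else                { b--; swap(h, b, w); }
            }
            /* push the larger of [p..r) and [w..q); continue with the smaller */
            if (r - p <= q - w) { x[k] = w; y[k] = q; q = r; }
            else                { x[k] = p; y[k] = r; p = w; }
            k++;
            if (k > kmax) kmax = k;
            assert(k <= n);              /* k + 1 <= G.N <= 1 + 2log N */
        }
    }
    return kmax;
}

int is_ascending(const int *h, int N)
{
    for (int i = 1; i < N; i++) if (h[i - 1] > h[i]) return 0;
    return 1;
}

int main(void)
{
    int h[] = {5, 3, 8, 3, 1, 9, 2, 7, 3, 6};   /* constructed sample input */
    int kmax = quicksort(h, 10);
    printf("ascending=%d max stack height=%d\n", is_ascending(h, 10), kmax);
    return 0;
}
```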

Exercises

0. Let N > 1 and let h[0..N) be an array of integers. Derive a program for the computation of the unique element of h that occupies position k when h is sorted (0 ≤ k < N), without sorting the entire array h. (Hint: use the DNF part of Quicksort.)

11.2.1 Mergesort

Mergesort is based on the fact that two ascending sequences can be merged into one ascending sequence in linear time. To define the merge m of integer sequences x and y, we use the following notation: for integer a and sequence x, the sequence consisting of a followed by sequence x is denoted as ax. The merge of two sequences is defined by

x m y = x   if y is the empty sequence
x m y = y   if x is the empty sequence
ax m by = a(x m by)   if a ≤ b
ax m by = b(ax m y)   if b ≤ a

Then m has the following properties:

x is ascending ∧ y is ascending ⇒ x m y is ascending

The bag of elements of x m y is the sum of the bags of elements of x and y

These properties enable us to use merge in a sorting algorithm. Let us first present an algorithm for the computation of the merge of two sequences. Program merge is specified by

|[ con M, N : int {M ≥ 0 ∧ N ≥ 0}; x : array [0..M) of int; y : array [0..N) of int;
   var z : array [0..M+N) of int;
   merge
   {z = x m y}
]|.

From the definition of m we infer that a tail invariant is appropriate (cf. Section 4.4). Denoting catenation of sequences x and y by x ++ y, we define P0 by

P0: z[0..c) ++ (x[a..M) m y[b..N)) = x m y ∧ 0 ≤ a ≤ M ∧ 0 ≤ b ≤ N ∧ 0 ≤ c ≤ M+N

Then

P0 ∧ (a = M ∨ b = N) ⇒ z[0..c) ++ x[a..M) ++ y[b..N) = x m y
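As an added example (not the book's code), the merge program that P0 leads to, written in C, followed by a mergesort built on it to show how the two properties of m are used for sorting. The names merge, merge_sort and the sample inputs are assumptions of this example, not the book's.

```c
/* Merge of ascending x[0..M) and y[0..N) into z[0..M+N), guided by the
 * tail invariant
 *   P0: z[0..c) ++ (x[a..M) m y[b..N)) = x m y
 *       ∧ 0 <= a <= M ∧ 0 <= b <= N ∧ 0 <= c <= M+N
 * Each step copies one element; the clause of the definition of m that
 * applies (a <= b or b <= a) decides which.  Returns c, i.e. M+N. */
int merge(const int *x, int M, const int *y, int N, int *z)
{
    int a = 0, b = 0, c = 0;                          /* establishes P0 */
    while (a != M && b != N) {
        if (x[a] <= y[b]) { z[c] = x[a]; a++; c++; }  /* ax m by = a(x m by) */
        else              { z[c] = y[b]; b++; c++; }  /* ax m by = b(ax m y) */
    }
    /* P0 ∧ (a = M ∨ b = N): what remains is x[a..M) ++ y[b..N),
     * and at least one of the two is empty */
    while (a != M) { z[c] = x[a]; a++; c++; }         /* x m empty = x */
    while (b != N) { z[c] = y[b]; b++; c++; }         /* empty m y = y */
    return c;
}

/* Sorts h[0..n) using merge; tmp[0..n) is scratch space.  The bag of
 * elements is preserved and each merge of two ascending halves is ascending. */
void merge_sort(int *h, int n, int *tmp)
{
    if (n <= 1) return;                 /* a sequence of length <= 1 is ascending */
    int half = n / 2;
    merge_sort(h, half, tmp);
    merge_sort(h + half, n - half, tmp);
    merge(h, half, h + half, n - half, tmp);
    for (int i = 0; i < n; i++) h[i] = tmp[i];
}
```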
