Example proof of inductive invariant

March 1, 2011

private static int fi3(int x, int y)

/*: requires "x >= 0 & y >= 0"
ensures "result = x * y" */
{
int r = 0;
int i = y;
while //: inv "..."
(i > 0) {
i = i - 1;
r = r + x;
}
return r;
}

The loop invariant is

I : r = (y-i) * x & i >=0
To prove the three conditions, we prove that
I holds at loop entry From the precondition and the two initial assignments we have

x≥0 & y≥0 & r=0 & i=y

From y ≥ 0 & i = y it follows that i ≥ 0, which proves the second part of our invariant.
Also, at loop entry,
r = (y − i) ∗ x = 0 ∗ x = 0
which holds as well, proving our invariant holds at loop entry.
I is maintained over loop iteration We want to prove

r = (y − i) ∗ x & i≥0 & i>0 → r0 = (y − i0 ) ∗ x & i0 ≥ 0

1
 Since i > 0 and i0 = i − 1 it follows that i0 ≥ 0. The first part of the invariant holds as follows:

r0 = r + x
= (y − i) ∗ x + x
= (y − i + 1) ∗ x
= (y − (i − 1)) ∗ x
= (y − i0 ) ∗ x

Hence, the invariant is maintained across loops.

I implies postcondition after loop We need to prove that

r = (y − i) ∗ x & i≥0 & ¬(i > 0) → result = x ∗ y

r = (y − i) ∗ x & i≥0 & ¬(i > 0)

⇔ r = (y − i) ∗ x & i≥0 & i≤0
⇔ r = (y − i) ∗ x & i = 0
⇔ r = (y − 0) ∗ x
⇔ r =y∗x

Hence, we have proven that all three conditions for the invariant hold.