COMP2111 Lecture 5a Session 1, 2013

Hoare Logic Example

Deriving a Maximum Segment-Sum Algorithm
Kai Engelhardt

Revision: 1.1

Example: Maximum Segment-Sum

Suppose we have a C-style array A[N ] of numbers and want to write a program P that nds i j such that the sum A[i ] + . . . + A[j 1] is maximal. That sum is to be stored in s . With
j 1

ss(i , j ) =
k =i

A[k ]

we can specify the task as {true} P {I (N )} where I (m) = i , j 0 i j m s = ss(i , j ) i , j (0 i j m s ss(i , j ))

Hoping that theres an O (N ) solution, we guess that a loop over A should feature in that solution. So we introduce a loop with a dummy body, Q , and an invariant inspired by the postcondition. {true} i , j , s , m := 0, 0, 0, 0; {I (m)} while m < N do {I (m) m < N }Q {I (m + 1) m < N } m := m + 1 {I (m)} od {I (m) m N } {I (N )}

By looking at simple example arrays such as 1 2 3 5 1 5 1 2 3 5 1 5 we realise that our invariant is too weak. By keeping track not only of i and j maximising s = ss(i , j ) for the array prex A[0]..A[n 1] but also the k that maximises e = ss(k , n), we arrive at a second candidate program with an additional invariant. J (m) = 0 i j m N s = ss(i , j ) 0 k m e = ss(k , m) k (0 k m ss(k , m) e )

{true} i , j , s , m, e , k := 0, 0, 0, 0, 0, 0; {I (m) J (m)} while m < N do {I (m) J (m) m < N } Q; {I (m + 1) J (m + 1) m < N } m := m + 1 {I (m) J (m)} od {I (m) J (m) m N } {I (N )}

For Q we propose if e + A[m] > s else if e + A[m] < 0 else e := e + A[m] which can be re-arranged (= tute exercise) into if e < A[m] then e , k := 0, m + 1 else e := e + A[m] ; if e > s then i , j , s := k , m + 1, e
This wouldnt make a dierence for modern compilers but the code looks neater this way and follows a more logical path in that we rst update e and then see whether current e is an improvement over the old s .
6

// we have a new s // A[m] kills e

then i , j , s , e := k , m + 1, e + A[m], e + A[m] then e , k := 0, m + 1

We still need to prove that this is a suitable implementation of Q : {I (m) J (m) m < N } if e < A[m] then e , k := 0, m + 1 else e := e + A[m] ; if e > s then i , j , s := k , m + 1, e {I (m + 1) J (m + 1) m < N } Once again guided by Hoare logic, in this case a one-armed version of the if-rule from tute 3 (in addition to the ubiquitous assigment axiom and sequential composition rule) we nd an intermediate assertions. As you prove in tute 4, a suitable one-armed if rule is: { g } P { } , g {} if g then P { } if-1

{I (m) J (m) m < N } if e < A[m] then e , k := 0, m + 1 else e := e + A[m] ; = (e > s (I (m + 1) J (m + 1) m < N )[k ,m+1,e /i ,j ,s ]) (e s I (m + 1) J (m + 1) m < N )

if e > s then i , j , s := k , m + 1, e {I (m + 1) J (m + 1) m < N }

NB No brain cells were wasted on nding this intermediate assertion . All we did was go backwards from the postcondition to devise an assertion that makes the second Hoare triple valid by construction.

Once more, using the 2-armed version of the if rule, {g } P { } , {g } Q { } {} if g then P else Q { } if

we we pipe the intermediate assertion through the rst of the two if statements. {I (m) J (m) m < N } (e < A[m] [0,m+1 /e ,k ]) (e A[m] [e +A[m] /e ]) Two adjacent assertions, {}{ } indicate an application of the consequence rule, which means we are obliged to prove that is valid. We still need to convince ourselves that the sizable implication is indeed valid. (Update: I did that in my theorem prover of choice. It was quite a drag.)
9

But we are not done yet. Careful inspection of the program reveals that i , j , and k form a set of auxiliary variables: they have no eect on the ow of control and they only occur on the right hand sides of assignments to auxiliary variables in the set. Hence the set can be omitted from the program. {True } s , m, e := 0, 0, 0; while m < N do if e < A[m] then e := 0 else e := e + A[m] ; if e > s then s := e ; m := m + 1 od {I (N )}

10