Design and Analysis of Algorithms

Lecture 3:
Verification of the correctness of algorithms

Tauseef Iftikhar

Department of Computer Science

Government College University, Lahore.
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Algorithm Analysis

While designing an algorithm we have to take care of two aspects:

Algorithm Analysis

While designing an algorithm we have to take care of two aspects:

I Algorithm Correctness: Algorithm must give desired output
within finite time.
Algorithm Analysis

While designing an algorithm we have to take care of two aspects:

I Algorithm Correctness: Algorithm must give desired output
within finite time.
I Algorithm Efficiency: Algorithms must use minimum
resources while executing on a machine.
Algorithm Correctness
How to verify that algorithm is correct?
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
I Advantage:
I Simple
I Easy to apply
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
I Advantage:
I Simple
I Easy to apply
I Disadvantage:
I It doesnt guarantee the correctness
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
I Advantage:
I Simple
I Easy to apply
I Disadvantage:
I It doesnt guarantee the correctness
I Formal method: Mathematically it is proved that algorithm
will produce the required output for all the instances of the
problem within finite time.
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
I Advantage:
I Simple
I Easy to apply
I Disadvantage:
I It doesnt guarantee the correctness
I Formal method: Mathematically it is proved that algorithm
will produce the required output for all the instances of the
problem within finite time.
I Advantage:
I guarantees the correctness
Algorithm Correctness
How to verify that algorithm is correct?
I Empirical method: Correctness can be verified by testing
different instances of the problem
I Advantage:
I Simple
I Easy to apply
I Disadvantage:
I It doesnt guarantee the correctness
I Formal method: Mathematically it is proved that algorithm
will produce the required output for all the instances of the
problem within finite time.
I Advantage:
I guarantees the correctness
I Disadvantage:
I Difficult
I Not possible for complex algorithms
Basic Notions

I Preconditions and Postconditions

I Algorithm State
I Assertions
I Annotation
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Postcondition: m = min{x[i]|1 i n}
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Postcondition: m = min{x[i]|1 i n}

I Partial correctness verification: prove that if an algorithm

terminates it leads to postcondition starting from precondition.
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Postcondition: m = min{x[i]|1 i n}

I Partial correctness verification: prove that if an algorithm

terminates it leads to postcondition starting from precondition.
I Intermediate steps in correctness verification:
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Postcondition: m = min{x[i]|1 i n}

I Partial correctness verification: prove that if an algorithm

terminates it leads to postcondition starting from precondition.
I Intermediate steps in correctness verification:
I analyze the algorithm state
Preconditions and Postconditions

I Preconditions:Properties that must be satisfied by the input

I Postconditions:Properties that must be satisfied by the result
I Example: Find the minimum, m, of a non-empty array, x[1..n]

Precondition: n 1 (array should be non empty)

Postcondition: m = min{x[i]|1 i n}

I Partial correctness verification: prove that if an algorithm

terminates it leads to postcondition starting from precondition.
I Intermediate steps in correctness verification:
I analyze the algorithm state
I the effect of each processing step on the algorithm state
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Example: Solving the equation ax = b, a <> 0
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Example: Solving the equation ax = b, a <> 0
input: a,b output: x
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Example: Solving the equation ax = b, a <> 0
input: a,b output: x
precondition: a <> 0
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Example: Solving the equation ax = b, a <> 0
input: a,b output: x
precondition: a <> 0 postcondition: x satisfies ax = b
Algorithm State
I Algorithm state: set of values corresponding to all variables
used in the algorithm
I During the execution of an algorithm its state changes (since
the variables change their values)
I The algorithm is correct if at the end of the algorithm its
state implies the postconditions
Example: Solving the equation ax = b, a <> 0
input: a,b output: x
precondition: a <> 0 postcondition: x satisfies ax = b

Algorithm 8 Solve ax = b
1: procedure MyProcedure(real a, b)
2: real x . a = a0 , b = b0 , x = undefined
3: x b/a . a = a0 , b = b0 , x = b0 /a0
4: return x
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Assertions and Annotation

I Assertions:statement (asserted to be true) about the

algorithm state
I Assertions are used to annotate the algorithms
Assertions and Annotation

I Assertions:statement (asserted to be true) about the

algorithm state
I Assertions are used to annotate the algorithms
I Annotation: is useful both in
I correctness verification
I documentation tool
Example: Assertions and Annotation
Find the minimum of the three distinct real numbers a, b, b
Example: Assertions and Annotation
Find the minimum of the three distinct real numbers a, b, b
input: a,b,c output: minimum real number
Example: Assertions and Annotation
Find the minimum of the three distinct real numbers a, b, b
input: a,b,c output: minimum real number
precondition: a 6= b 6= c
Example: Assertions and Annotation
Find the minimum of the three distinct real numbers a, b, b
input: a,b,c output: minimum real number
precondition: a 6= b 6= c postcondition: m = min{a, b, c}
Example: Assertions and Annotation
Find the minimum of the three distinct real numbers a, b, b
input: a,b,c output: minimum real number
precondition: a 6= b 6= c postcondition: m = min{a, b, c}

Algorithm 13 Minimum1
1: procedure minimum(real a, b, c) . a <> b, b <> c, c <> a
2: if a < b then .a<b
3: if a < c then
4: m a . a < b, a < c, m = a, m = min(a, b, c)
5: else
6: m c . a < b, c < a, m = c, m = min(a, b, c)
7: else .b<a
8: if b < c then
9: mb . b < a, b < c, m = b m = min(a, b, c)
10: else
11: mc . b < a, c < b, m = c m = min(a, b, c)
return m
Example: Assertions and Annotation

A variant of previous Example:

Example: Assertions and Annotation

A variant of previous Example:

Algorithm 15 Minimum2
1: procedure minimum(real a, b, c) . a <> b, b <> c, c <> a
2: ma .m=a
3: if m > b then
4: mb . m a, m b
5: if m > c then
6: mc . m a, m b, m c
7:
return m
Basic steps in correctness verification

I Identify the preconditions and postconditions

I Annotate the algorithm with assertions concerning its state
such that
I the preconditions are satisfied
I the final assertion implies the postconditions
I Prove that by each processing step one arrives from the
previous assertion to the next assertion
Some Notation

I P: the precondition
I Q: the postcondition
I A: the algorithm
The triple (P, A, Q) denote a correct algorithm if for input data
which satisfy the preconditions P the algorithm will:
I lead to postconditions Q
I stop after a finite number of processing steps
A
P
Q
Rules for correctness verification

To prove that an algorithm is correct it can be useful to know rules

corresponding to the usual statements:
I Sequential statement
I Conditional statement
I Loop statement
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
{P0 }
A1
{P1 }
..
.
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
{P0 }
A1
{P1 }
..
.
{Pi1 }
Ai
{Pi }
..
.
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
{P0 }
A1
{P1 }
..
.
{Pi1 }
Ai
{Pi }
..
.
{Pn1 }
An
{Pn }
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
Rule
{P0 }
If
A1
{P1 } P P0
..
.
{Pi1 }
Ai
{Pi }
..
.
{Pn1 }
An
{Pn }
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
Rule
{P0 }
If
A1
{P1 } P P0
.. Ai
. Pi1 Pi ,
{Pi1 } wherei = 1, . . . , n
Ai
{Pi }
..
.
{Pn1 }
An
{Pn }
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An

Structure
A:
Rule
{P0 }
If
A1
{P1 } P P0
.. Ai
. Pi1 Pi ,
{Pi1 } wherei = 1, . . . , n
Ai Pn Q
{Pi }
.. then
.
{Pn1 }
An
{Pn }
Sequential Statements Rule
Let we have algorithm A with sequence of actions A1 , A2 , . . . , An
Explanation
Structure If
A: I the precondition
Rule
{P0 } implies the initial
If
A1 assertion,
{P1 } P P0
..
I each action
. Ai
Pi1 Pi , implies the next
{Pi1 } wherei = 1, . . . , n assertion
Ai Pn Q I the final
{Pi } assertion implies
.. then
. the
{Pn1 } A post-condition
P Q
An then
{Pn } the sequence is
correct
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
aux x
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
aux x
{x = a, y = b, aux = a}
x y
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
aux x
{x = a, y = b, aux = a}
x y
{x = b, y = b, aux = a}
y aux
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
aux x
{x = a, y = b, aux = a}
x y
{x = b, y = b, aux = a}
y aux
{x = b, y = a, aux = a} Q
Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b,

respectively. Swap the values of the two variables.
precondition P : x = a, y = b
postcondition Q : x = b, y = a

variant 1 variant 2
{x = a, y = b, aux = undefined} {x = a, y = b}
aux x x x +y
{x = a, y = b, aux = a} {x = a + b, y = b}
x y y x y
{x = b, y = b, aux = a} {x = a + b, y = a}
y aux x x y
{x = b, y = a, aux = a} Q {x = b, y = a} Q
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Conditional Statement Rule

Structure
A:
{P0 }
If c then
{c, P0 }
A1
{P1 }
Conditional Statement Rule

Structure
A:
{P0 }
If c then
{c, P0 }
A1
{P1 }
Else
{NOTc, P0 }
A2
{P2 }
EndIf
Conditional Statement Rule

Rule
If
Structure
A: I c is well defined
{P0 } I c AND
If c then A1
P0 P1
{c, P0 } I P1 Q
A1
{P1 } OR
Else
{NOTc, P0 }
A2
{P2 }
EndIf
Conditional Statement Rule

Rule
If
Structure
A: I c is well defined
{P0 } I c AND
If c then A1
P0 P1
{c, P0 } I P1 Q
A1
{P1 } OR
Else I NOT c AND
A2
{NOTc, P0 } P0 P2
A2 I P2 Q
{P2 }
then
EndIf
A
P
Q
Conditional Statement Rule

Rule
If
Structure
A: I c is well defined
{P0 } I c AND
A1 Explanation
If c then P0 P1
{c, P0 } I P1 Q
I The condition c
A1 can be evaluated
{P1 } OR I Both branches
Else I NOT c AND lead to the
A2
{NOTc, P0 } P0 P2 postconditions
A2 I P2 Q
{P2 }
then
EndIf
A
P
Q
Example Conditional Statement Rules

Problem: Find the minimum of two distinct numbers a and b

precondition P : a <> b
precondition Q : m = mina, b

Algorithm 16 Minimum of two numbers

1: procedure Minimum . {a <> b}
2: if a < b then . {a < b}
3: ma . {a < b, m = a} Q
4: else . {b < a}
5: mb . {b < a, m = b} Q
return m
Todays Agenda

Algorithm Analysis

Basic Notions
Precondition and Postcondition
Algorithm State
Assertions and Annotation

Basic Steps in Correctness Verification

Rule for Correctness Verification

Sequential Statements Rule
Conditional Statements Rule
Loop Statements Rule
Loop Invariant
Termination Function
Loop Statement Rules

Not so easy task...

Loop Statement Rules

Not so easy task...

I a loop is correct when:
Loop Statement Rules

Not so easy task...

I a loop is correct when:
I If it finishes it leads to postconditions
I It finishes after a finite number of steps
Loop Statement Rules

Not so easy task...

I a loop is correct when:
I If it finishes it leads to postconditions
I It finishes after a finite number of steps
I If only the first property is satisfied then the loop is partially
correct
Loop Statement Rules

Not so easy task...

I a loop is correct when:
I If it finishes it leads to postconditions
I It finishes after a finite number of steps
I If only the first property is satisfied then the loop is partially
correct
I Partial correctness can be proved by using mathematical
induction or by using loop invariants
Loop Statement Rules

Not so easy task...

I a loop is correct when:
I If it finishes it leads to postconditions
I It finishes after a finite number of steps
I If only the first property is satisfied then the loop is partially
correct
I Partial correctness can be proved by using mathematical
induction or by using loop invariants
I Full correctness needs that the algorithm terminates
Loop Statement Rules

Let us consider while loop

{P P0 }
While c Do
{c, P0 }
A
{P1 }
EndWhile
{NOTc, P1 } Q
Loop Statement Rules

Let us consider while loop

Definition:
A loop invariant is an assertion
{P P0 } which satisfies:
While c Do
{c, P0 }
A
{P1 }
EndWhile
{NOTc, P1 } Q
Loop Statement Rules

Let us consider while loop

Definition:
A loop invariant is an assertion
{P P0 } which satisfies:
While c Do 1. It is true at the beginning of
{c, P0 } the loop
A
{P1 }
EndWhile
{NOTc, P1 } Q
Loop Statement Rules

Let us consider while loop

Definition:
A loop invariant is an assertion
{P P0 } which satisfies:
While c Do 1. It is true at the beginning of
{c, P0 } the loop
A
{P1 } 2. As long as c is true it
EndWhile remains true after each
{NOTc, P1 } Q execution of the loop body
Loop Statement Rules

Let us consider while loop

Definition:
A loop invariant is an assertion
{P P0 } which satisfies:
While c Do 1. It is true at the beginning of
{c, P0 } the loop
A
{P1 } 2. As long as c is true it
EndWhile remains true after each
{NOTc, P1 } Q execution of the loop body
3. When c is false it implies the
postconditions
Loop Statement Rules

Let us consider while loop

Definition:
A loop invariant is an assertion
{P P0 } which satisfies:
While c Do 1. It is true at the beginning of
{c, P0 } the loop
A
{P1 } 2. As long as c is true it
EndWhile remains true after each
{NOTc, P1 } Q execution of the loop body
3. When c is false it implies the
postconditions
If we can find a loop invariant then that loop is partially correct
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}

Algorithm 17 Minimum
1: m x[1]
2: i 2 .
m = min{x[j]|j = 1 . . . i 1}
3: while i n do .i n
4: if x[i] < m then m x[i]
. {m = minx[j]|j = 1 . . . i}
5: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i 1}

Algorithm 18 Minimum
1: m x[1]
2: i 2 .
m = min{x[j]|j = 1 . . . i 1}
3: while i n do .i n
4: if x[i] < m then m x[i]
. {m = minx[j]|j = 1 . . . i}
5: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i 1}
Why?
Algorithm 19 Minimum
1: m x[1]
2: i 2 .
m = min{x[j]|j = 1 . . . i 1}
3: while i n do .i n
4: if x[i] < m then m x[i]
. {m = minx[j]|j = 1 . . . i}
5: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i 1}
Why? Because..
Algorithm 20 Minimum
I when i = 2 and m = x[1] it
1: m x[1]
2: i 2 . holds
m = min{x[j]|j = 1 . . . i 1} I while i n after the

3: while i n do .i n execution of the loop body

4: if x[i] < m then m x[i] it still holds
. {m = minx[j]|j = 1 . . . i} I finally, when i = n + 1 it

5: i i +1 . implies
{m = minx[j]|j = 1 . . . i 1} m = min{x[j]|j = 1 . . . n}
which is exactly the
postcondition
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}

Algorithm 21 Minimum
1: i 1
2: m x[1] .
{m = minx[j]|j = 1 . . . i}
3: while i < n do .i <n
4: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
5: if x[i] < m then
6: m x[i] .
{m = minx[j]|j = 1 . . . i}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i}
Algorithm 22 Minimum
1: i 1
2: m x[1] .
{m = minx[j]|j = 1 . . . i}
3: while i < n do .i <n
4: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
5: if x[i] < m then
6: m x[i] .
{m = minx[j]|j = 1 . . . i}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i} Why?
Algorithm 23 Minimum
1: i 1
2: m x[1] .
{m = minx[j]|j = 1 . . . i}
3: while i < n do .i <n
4: i i +1 .
{m = minx[j]|j = 1 . . . i 1}
5: if x[i] < m then
6: m x[i] .
{m = minx[j]|j = 1 . . . i}
Loop Invariant
Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n 1
Q: m = min{x[i]|1 i n}
Loop Invariant:
m = min{x[j]|j = 1 . . . i} Why?
Algorithm 24 Minimum Because..
1: i 1
I when i = 1 and m = x[1]
2: m x[1] .
the invariant is true
{m = minx[j]|j = 1 . . . i}
3: while i < n do .i <n I while i < n after the

4: i i +1 . execution of the loop body

{m = minx[j]|j = 1 . . . i 1} it still holds
5: if x[i] < m then I finally, when i = n it implies
6: m x[i] . m = min{x[j]|j = 1 . . . n}
{m = minx[j]|j = 1 . . . i} which is exactly the
postcondition
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1

Algorithm 27 Mini-
mum
1: i 1 .

{x[j] <> x0 , j = 1 . . . i 1}

2: while x[i] <> x0

do . {x[i] <> x0 , x[j] <>
x0 forj = 1 . . . i}

3: i i +1 .

{x[i] <> x0 , x[j] <> x0 forj =

1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1
Algorithm 28 Mini-
mum
1: i 1 .

{x[j] <> x0 , j = 1 . . . i 1}

2: while x[i] <> x0

do . {x[i] <> x0 , x[j] <>
x0 forj = 1 . . . i}

3: i i +1 .

{x[i] <> x0 , x[j] <> x0 forj =

1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1 Why?
Algorithm 29 Mini-
mum
1: i 1 .

{x[j] <> x0 , j = 1 . . . i 1}

2: while x[i] <> x0

do . {x[i] <> x0 , x[j] <>
x0 forj = 1 . . . i}

3: i i +1 .

{x[i] <> x0 , x[j] <> x0 forj =

1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1 Why? Because..
Algorithm 30 Mini-
mum I when i = 1 the range j = 1 . . . 0 is
1: i 1 . empty thus the assertion is satisfied
{x[j] <> x0 , j = 1 . . . i 1}

2: while x[i] <> x0

do . {x[i] <> x0 , x[j] <>
x0 forj = 1 . . . i}

3: i i +1 .

{x[i] <> x0 , x[j] <> x0 forj =

1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1 Why? Because..
Algorithm 31 Mini-
mum I when i = 1 the range j = 1 . . . 0 is
1: i 1 . empty thus the assertion is satisfied
{x[j] <> x0 , j = 1 . . . i 1} I Let us suppose that x[i] <> x0 and
2: while x[i] <> x0 the invariant is true. Then x[j] <> x0
do . {x[i] <> x0 , x[j] <> for j = 1 . . . i
x0 forj = 1 . . . i}

3: i i +1 .

{x[i] <> x0 , x[j] <> x0 forj =

1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1 Why? Because..
Algorithm 32 Mini-
mum I when i = 1 the range j = 1 . . . 0 is
1: i 1 . empty thus the assertion is satisfied
{x[j] <> x0 , j = 1 . . . i 1} I Let us suppose that x[i] <> x0 and
2: while x[i] <> x0 the invariant is true. Then x[j] <> x0
do . {x[i] <> x0 , x[j] <> for j = 1 . . . i
x0 forj = 1 . . . i}
I After i = i + 1 we obtain again
3: i i +1 .
x[j] <> x0 for j = 1 . . . i which is
{x[i] <> x0 , x[j] <> x0 forj =
exactly the postcondition
1 . . . i 1}
Loop Invariant
Example:Let x[1..n]be an array which contains x0 . Find the
smallest index for which x[i] = x0
P: n 1 and there exist 1 k n such thta x[k] = x0
Q: x[i] = x0 and x[j] 6= x0 for j = 1 . . . i 1
Loop Invariant:
x[j] 6= x0 for j = 1 . . . i 1 Why? Because..
Algorithm 33 Mini-
mum I when i = 1 the range j = 1 . . . 0 is
1: i 1 . empty thus the assertion is satisfied
{x[j] <> x0 , j = 1 . . . i 1} I Let us suppose that x[i] <> x0 and
2: while x[i] <> x0 the invariant is true. Then x[j] <> x0
do . {x[i] <> x0 , x[j] <> for j = 1 . . . i
x0 forj = 1 . . . i}
I After i = i + 1 we obtain again
3: i i +1 .
x[j] <> x0 for j = 1 . . . i which is
{x[i] <> x0 , x[j] <> x0 forj =
exactly the postcondition
1 . . . i 1}
I Finally, when x[i] = x0 we obtain Q
Termination Function
To prove that a loop finishes after a finite number of iterations it
suffices to find a termination function
Termination Function
To prove that a loop finishes after a finite number of iterations it
suffices to find a termination function
Definition:
A function F : N N is a termination function if it satisfies the
following properties:
1. F is strictly decreasing
2. if c is true then F (p) > 0 and if F (p) = 0 then c is false
Termination Function
To prove that a loop finishes after a finite number of iterations it
suffices to find a termination function
Definition:
A function F : N N is a termination function if it satisfies the
following properties:
1. F is strictly decreasing
2. if c is true then F (p) > 0 and if F (p) = 0 then c is false
Remarks:
I F depends on the loop counter p (at the first execution of the
loop body p is 1, at the second it is 2 and so on )
I The loop counter is not necessarily an explicit variable (it can
be just a formal variable useful to analyze the loop
correctness)
I F reaches 0 because it is strictly decreasing; when F becomes
0 then c becomes false, thus the loop finishes.
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 34 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 36 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 38 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
F (p) = n ip1 1
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 40 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 42 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 44 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:

Algorithm 46 Sum of Series

1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1

F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1: Variant 2:

Algorithm 48 Sum of Series Algorithm 49 Sum of Series

1: i 1 1: S 0
2: S 1 2: i 1
3: while i < n do 3: while i n do
4: i i + 1 . ip = ip1 + 1 4: S i +1
5: S i +1 5: i i + 1 . ip = ip1 + 1

F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1: Variant 2:

Algorithm 50 Sum of Series Algorithm 51 Sum of Series

1: i 1 1: S 0
2: S 1 2: i 1
3: while i < n do 3: while i n do
4: i i + 1 . ip = ip1 + 1 4: S i +1
5: S i +1 5: i i + 1 . ip = ip1 + 1

F (p) = n ip F (p) = n + 1 ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1: Variant 2:

Algorithm 52 Sum of Series Algorithm 53 Sum of Series

1: i 1 1: S 0
2: S 1 2: i 1
3: while i < n do 3: while i n do
4: i i + 1 . ip = ip1 + 1 4: S i +1
5: S i +1 5: i i + 1 . ip = ip1 + 1

F (p) = n ip F (p) = n + 1 ip
F (p) = n ip1 1 F (p) = n + 1 ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1: Variant 2:

Algorithm 54 Sum of Series Algorithm 55 Sum of Series

1: i 1 1: S 0
2: S 1 2: i 1
3: while i < n do 3: while i n do
4: i i + 1 . ip = ip1 + 1 4: S i +1
5: S i +1 5: i i + 1 . ip = ip1 + 1

F (p) = n ip F (p) = n + 1 ip
F (p) = n ip1 1 F (p) = n + 1 ip1 1
F (p) = F (p 1) 1 F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:
Algorithm 56 Sum of Series
1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1
F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Variant 2:
Algorithm 57 Sum of Series
1: S 0
2: i 1
3: while i n do
4: S i +1
5: i i + 1 . ip = ip1 + 1
F (p) = n + 1 ip
F (p) = n + 1 ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:
Algorithm 58 Sum of Series
1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1
F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Variant 2:
Algorithm 59 Sum of Series
1: S 0
2: i 1
3: while i n do
4: S i +1
5: i i + 1 . ip = ip1 + 1
F (p) = n + 1 ip
F (p) = n + 1 ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
i < n F (p) > 0
Termination Function
Example:S = 1 + 2 + . . . + n
Variant 1:
Algorithm 60 Sum of Series
1: i 1
2: S 1
3: while i < n do
4: i i + 1 . ip = ip1 + 1
5: S i +1
F (p) = n ip
F (p) = n ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
ip < n F (p) > 0
F (p) = 0 ip = n
Variant 2:
Algorithm 61 Sum of Series
1: S 0
2: i 1
3: while i n do
4: S i +1
5: i i + 1 . ip = ip1 + 1
F (p) = n + 1 ip
F (p) = n + 1 ip1 1
F (p) = F (p 1) 1
F (p) < F (p 1)
i < n F (p) > 0
F (p) = 0 ip = n + 1
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Algorithm 62 Find the

occurrence
1: i 1
2: while x[i] <> x0
do
3: i i +1 .
{ip = ip1 + 1}
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Let k be the first occurrence of x0 in
Algorithm 63 Find the x[1 . . . n]
occurrence
1: i 1
2: while x[i] <> x0
do
3: i i +1 .
{ip = ip1 + 1}
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Let k be the first occurrence of x0 in
Algorithm 64 Find the x[1 . . . n] F (p) = k ip
occurrence
1: i 1
2: while x[i] <> x0
do
3: i i +1 .
{ip = ip1 + 1}
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Let k be the first occurrence of x0 in
Algorithm 65 Find the x[1 . . . n] F (p) = k ip
occurrence F (p) = k ip1 1
1: i 1
2: while x[i] <> x0
do
3: i i +1 .
{ip = ip1 + 1}
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Let k be the first occurrence of x0 in
Algorithm 66 Find the x[1 . . . n] F (p) = k ip
occurrence F (p) = k ip1 1
1: i 1
F (p) = F (p 1) 1
2: while x[i] <> x0
do
3: i i +1 .
{ip = ip1 + 1}
Termination Function

Example:find the first occurrence of x0 in x[1 . . . n]

Let k be the first occurrence of x0 in
Algorithm 67 Find the x[1 . . . n] F (p) = k ip
occurrence F (p) = k ip1 1
1: i 1
F (p) = F (p 1) 1
2: while x[i] <> x0
F (p) < F (p 1)
do
3: i i +1 . x[i] <> x0 ip < k F (p) > 0
{ip = ip1 + 1} F (p) = 0 ip = k x[i] = x0
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 68 Find GCD

1: procedure gcd(a,b)
2: d a
3: i b
4: r dMODi
5: while r <> 0 do
6: d i
7: i r
8: r d MOD i
return
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 69 Find GCD Loop invariant: gcd(d,i)=

1: procedure gcd(a,b) gcd(a0 , b0 )
2: d a
3: i b
4: r dMODi
5: while r <> 0 do
6: d i
7: i r
8: r d MOD i
return
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 70 Find GCD Loop invariant: gcd(d,i)=

1: procedure gcd(a,b) gcd(a0 , b0 )
2: d a 1. d = a = a0 , i = b = b0
3: i b gcd(d,i) = gcd(a0 , b0 )
4: r dMODi
5: while r <> 0 do
6: d i
7: i r
8: r d MOD i
return
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 71 Find GCD Loop invariant: gcd(d,i)=

1: procedure gcd(a,b) gcd(a0 , b0 )
2: d a 1. d = a = a0 , i = b = b0
3: i b gcd(d,i) = gcd(a0 , b0 )
4: r dMODi 2. gcd(dp , ip )=gcd(ip , dp MOD ip )
5: while r <> 0 do = gcd(dp+1 , ip+1 )
6: d i
7: i r
8: r d MOD i
return
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 72 Find GCD Loop invariant: gcd(d,i)=

1: procedure gcd(a,b) gcd(a0 , b0 )
2: d a 1. d = a = a0 , i = b = b0
3: i b gcd(d,i) = gcd(a0 , b0 )
4: r dMODi 2. gcd(dp , ip )=gcd(ip , dp MOD ip )
5: while r <> 0 do = gcd(dp+1 , ip+1 )
6: d i
3. r = 0 i d gcd(d, i) = i
7: i r
8: r d MOD i
return
Greatest Common Divisor

Analyze the correctness of the Euclids Algorithm P: a = a0 , b = b0

Q: i = gcd(a0 , b0 )

Algorithm 73 Find GCD Loop invariant: gcd(d,i)=

1: procedure gcd(a,b) gcd(a0 , b0 )
2: d a 1. d = a = a0 , i = b = b0
3: i b gcd(d,i) = gcd(a0 , b0 )
4: r dMODi 2. gcd(dp , ip )=gcd(ip , dp MOD ip )
5: while r <> 0 do = gcd(dp+1 , ip+1 )
6: d i
3. r = 0 i d gcd(d, i) = i
7: i r
8: r d MOD i Termination Function: F (p) = rp
return