Proving the Correctness of Iterative Programs
Proving loop correctness
def function(arguments):
    # INPUT specification on arguments
    # OUTPUT specification
    # Let us consider a simple program structure:
    # INITIALISATION
    # LOOP: either while or for
    #   inside the loop: LOOP BODY
    #   EXIT CONDITION: LOOP TEST is no longer satisfied.
    # Identify a property that holds BEFORE and AFTER the loop body.
    # This is called a LOOP INVARIANT.
    # ESTABLISH that the INVARIANT holds just as you enter the loop,
    #   i.e., INPUT spec and INITIALISATION IMPLIES INVARIANT
    # execute the statements in the LOOP BODY
    # CHECK that the INVARIANT holds after executing the LOOP BODY
    # CHECK that LOOP INVARIANT and EXIT CONDITION IMPLIES
    #   the OUTPUT spec on result
    # TERMINATION: CHECK that some measure on the loop index is REDUCING
    return result
Example: factorial program
def fact(n):
    # INPUT n >= 0
    # OUTPUT ans == n!
    # INVARIANT: variable ans == (i-1)!
    ans = 1
    i = 1                # i-1 == 0 and ans == 1 == 0!
    while i <= n:        # TERMINATION: n-i+1 decreases to 0
        # ASSERT INVARIANT ans == (i-1)!
        ans = ans * i
        # ans now has value i!
        i = i+1
        # CHECK INVARIANT ans == (i-1)!
    # EXIT CONDITION: i > n, i.e. i == n+1
    # ans == (i-1)! and i == n+1 IMPLIES ans == n!
    return ans
Iterative Fibonacci program
def fib(n):
    # INPUT n >= 0
    # OUTPUT ans == nth fib number
    ans = 1
    if (n == 0) or (n == 1):
        return ans
        # CHECK n == 0 implies ans == 1
        # CHECK n == 1 implies ans == 1
    else:
        prev = 1
        i = 2
        # INVARIANT ans == fib(i-1) and prev == fib(i-2)
        while (i <= n):      # TERMINATION: n-i+1 decreases to 0
            # ASSERT INVARIANT ans == fib(i-1) and prev == fib(i-2)
            prev2 = prev
            prev = ans
            ans = prev2 + prev
            i += 1
            # CHECK INVARIANT ans == fib(i-1) and prev == fib(i-2)
        # EXIT CONDITION: i > n, i.e. i == n+1
        # ans == fib(i-1) and i == n+1 IMPLIES ans == fib(n)
        return ans           # CHECK ans == nth fib number
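Added example, not part of the slides: a small runtime checker that turns the proof obligations above (initialisation establishes the invariant, the body preserves it, the termination measure decreases, invariant plus exit condition give the output) into executable assertions, applied to the factorial and Fibonacci programs. The names run_checked_loop, fact_checked, fib_checked and fib_spec are my own.

```python
import math

def run_checked_loop(state, test, body, invariant, measure, output):
    """Run `while test(state): body(state)` and check the slide's obligations
    at runtime: INITIALISATION establishes the INVARIANT, every LOOP BODY
    preserves it, the TERMINATION measure is >= 0 and strictly decreases,
    and INVARIANT plus EXIT CONDITION give the OUTPUT spec."""
    assert invariant(state), "INITIALISATION does not establish INVARIANT"
    while test(state):
        m = measure(state)
        assert m >= 0, "TERMINATION measure went negative"
        body(state)
        assert invariant(state), "LOOP BODY does not preserve INVARIANT"
        assert measure(state) < m, "TERMINATION measure did not decrease"
    assert output(state), "INVARIANT and EXIT CONDITION do not give OUTPUT"
    return state

def fact_checked(n):
    """The slides' factorial program, driven through the checker."""
    assert n >= 0                                   # INPUT spec
    s = {"ans": 1, "i": 1}                          # INITIALISATION
    def body(s):
        s["ans"] = s["ans"] * s["i"]
        s["i"] = s["i"] + 1
    run_checked_loop(s, lambda s: s["i"] <= n, body,
                     invariant=lambda s: s["ans"] == math.factorial(s["i"] - 1),
                     measure=lambda s: n - s["i"] + 1,
                     output=lambda s: s["ans"] == math.factorial(n))
    return s["ans"]

def fib_spec(k):
    """Reference fib used only by the checks (slide numbering: fib(0) = fib(1) = 1)."""
    return 1 if k < 2 else fib_spec(k - 1) + fib_spec(k - 2)

def fib_checked(n):
    """The slides' iterative Fibonacci program, driven through the checker."""
    assert n >= 0                                   # INPUT spec
    if n == 0 or n == 1:
        return 1
    s = {"ans": 1, "prev": 1, "i": 2}               # INITIALISATION
    def body(s):
        s["prev"], s["ans"] = s["ans"], s["ans"] + s["prev"]   # prev2 + prev
        s["i"] += 1
    run_checked_loop(s, lambda s: s["i"] <= n, body,
                     invariant=lambda s: (s["ans"] == fib_spec(s["i"] - 1)
                                          and s["prev"] == fib_spec(s["i"] - 2)),
                     measure=lambda s: n - s["i"] + 1,
                     output=lambda s: s["ans"] == fib_spec(n))
    return s["ans"]
```

If a body is changed so that it no longer preserves the invariant or no longer decreases the measure, the checker fails with the named obligation rather than silently returning a wrong value.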
Algebra of Sets and Data Types
Algebra of Data Types
Empty Set
“There is a set”
• How can one prove this claim?
• By producing a set
• What is the easiest set to produce?
• The empty set 0 = { }
• What is the characteristic function of 0?
• f(x) which returns False for every input x
• Exercise: Define this function for integers.
Singleton Set
“There is a set with exactly one element”
• The singleton set 1 = { • }
• Many such singletons, but all are “isomorphic”
• Characterised by: x in 1 /\ y in 1 implies x = y
Cartesian Product
Given any two sets A and B
A x B = { (a,b) | a in A /\ b in B }
• Note: A x B =/= B x A
• but A x B ~ B x A (exists bijection between the sets)
• map (a,b) in A x B |-> (b,a) in B x A and vice versa
• (A x B) x C ~ A x (B x C) ~ A x B x C (but they are all different)
• map ((a,b),c) in (A x B) x C to (a,(b,c)) in A x (B x C)
• Exercise: Prove these are bijections
• A x 0 = 0 and 0 x B = 0 (Prove this)
• A x 1 ~ A and 1 x B ~ B (Prove this)
Relations
Relation R between two sets A and B is any subset of A x B.
Generalises to k-ary relations: subsets of A1 x … x Ak
Relation Composition: Given R1 a relation between A and B,
and R2 a relation between B and C,
R1 o R2 = { (a,c) | (a,b) in R1 and (b,c) in R2 for some b in B }
is a relation between A and C.
Fact (Composition is associative): (R1 o R2) o R3 = R1 o (R2 o R3) (Prove this)
Identity Relation on A: IdA = { (a,a) | a in A}
Fact (Identity): R o IdB = R = IdA o R (Prove this)
Relational Inverse:
Given R a relation between A and B,
R^-1 = { (b,a) | (a,b) in R } is a relation between B and A
Fact (Reversal): (R1 o R2)^-1 = R2^-1 o R1^-1 (Prove this)
Fact (Involution): R = (R^-1)^-1 (Prove this)
Relations and functions
Total: Relation R between two sets A and B is total if
for each a in A, there is some (at least one) b in B such that (a,b) in R.
Onto: Relation R between two sets A and B is onto (surjective, epi) if
for each b in B, there is some (at least one) a in A such that (a,b) in R.
(Partial) Function:
Relation R between two sets A and B is a (partial) function if
for each a in A, there is (at most) one b in B such that (a,b) in R.
We write f: A -> B if f is a functional relation.
We write f(a) = b if (a,b) is in a functional relation f: A -> B
Injective: A (partial) function f: A -> B is 1-1 (injective, monomorphic) if
whenever f(a1) = f(a2) then a1 = a2
Bijection: A function f: A -> B is a bijection if it is 1-1 and onto.
Binary Relations on A
A relation R between A and A is called a binary relation on A
Reflexivity: A binary relation R on A is called reflexive if
for all a in A: (a,a) in R
Fact: A binary relation R on A is reflexive iff R is a superset of IdA (Prove this)
Fact: IdA is a total 1-1 function. (Prove this)
Fact (Identity is its own inverse): IdA = (IdA)^-1 (Prove this)
Symmetry: A binary relation R on A is called symmetric if
whenever (a,b) in R then (b,a) in R
Fact: A binary relation R on A is symmetric iff R^-1 is a subset of R (Prove this)
Transitivity: A binary relation R on A is called transitive if
whenever (a,b) in R and (b,c) in R then (a,c) in R
Fact: A binary relation R on A is transitive iff R o R is a subset of R (Prove this)
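Added example, not from the slides: relations as Python sets of pairs, with composition, inverse and identity as defined above, the three Facts (reflexive iff R ⊇ IdA, symmetric iff R^-1 ⊆ R, transitive iff R o R ⊆ R) used as tests, and the associativity, identity, reversal and involution Facts checked on two constructed relations. All function names and the sample relations SAME_PARITY and LESS_THAN are my own.

```python
from itertools import product

def compose(R1, R2):
    """R1 o R2: pairs (a,c) with (a,b) in R1 and (b,c) in R2 for some b."""
    return {(a, c) for (a, b) in R1 for (b2, c) in R2 if b == b2}

def inverse(R):
    """R^-1 = { (b,a) | (a,b) in R }."""
    return {(b, a) for (a, b) in R}

def identity(A):
    """IdA = { (a,a) | a in A }."""
    return {(a, a) for a in A}

# The three Facts about binary relations on A, used as tests (<= is subset on sets).
def is_reflexive(R, A):
    return identity(A) <= R          # R is a superset of IdA

def is_symmetric(R):
    return inverse(R) <= R           # R^-1 is a subset of R

def is_transitive(R):
    return compose(R, R) <= R        # R o R is a subset of R

def is_equivalence(R, A):
    return is_reflexive(R, A) and is_symmetric(R) and is_transitive(R)

def check_laws(R1, R2, R3, A, B):
    """The slides' Facts (associativity, identity, reversal, involution) on
    concrete relations, with R1 a relation between A and B."""
    assoc = compose(compose(R1, R2), R3) == compose(R1, compose(R2, R3))
    ident = compose(R1, identity(B)) == R1 == compose(identity(A), R1)
    reversal = inverse(compose(R1, R2)) == compose(inverse(R2), inverse(R1))
    involution = inverse(inverse(R1)) == R1
    return assoc and ident and reversal and involution

# Constructed sample relations on A = {0..5}: "same parity" is an equivalence,
# "<" is transitive but neither reflexive nor symmetric.
A = {0, 1, 2, 3, 4, 5}
SAME_PARITY = {(a, b) for a, b in product(A, A) if a % 2 == b % 2}
LESS_THAN = {(a, b) for a, b in product(A, A) if a < b}
```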
Disjoint Union of Sets
Suppose two sets A and B are disjoint
A + B = A U B
A + 0 = A and 0 + B = B
What if A and B are not disjoint?
• Colour their elements differently: say (red) fuchsia and (blue) turquoise
A + B = A U B
We can then find out if an element of A + B came from A or from B
by looking at the colour.
• Example: 1 + 1 = { •, • } ~ {False, True} = 2
Another way of doing this is by “tagging”, i.e., pairing with a “tag value”:
{ (0,a) | a in A } U { (1,b) | b in B }
• A + B ~ B + A (bijection between the sets)
• (A + B) + C ~ A + (B + C) ~ A + B + C
• 1 + 1 ~ 2
• 2 + 1 ~ 3, etc.
Natural Numbers N
Defined by Induction
• 0 is in N (Base case)
• If n is in N then successor of n (i.e., n+1) is in N (Induction case)
How does one “count” infinite sets?
The cardinality | A | of A ≤ the cardinality | B | of B if there is a total 1-1 function from A to B
Denumerable (Countable) Set: A set A is denumerable (countable) if there exists
a total 1-1 function (injection) f: A -> N (it suffices if it is to a subset of N)
Fact: N is denumerable.
Proof: IdN is a bijection from N to N
Fact: EVEN = { x in N | x == 2*y for some y in N } is denumerable, and |EVEN| = |N|.
Proof idea: (=>) EVEN is a subset of N, so |EVEN| ≤ |N|.
(<=) f: N -> EVEN defined by the mapping x |-> 2x is a total 1-1 function, so |N| ≤ |EVEN|.
Theorem: The integers Z are denumerable.
Proof Idea: Consider the following function from Z -> N:
    z |-> 2z          if z is positive
    z |-> 2|z| - 1    if z is negative
Claim: this is a total 1-1 function. (Prove this)
Another Countable Set: Lists of Natural Numbers
Defined by Induction
• [ ] is in N list (Base case)
• If x is in N and l is in N list then the list with first element x and rest of the list as l is also in N list (Induction case)
• How many lists of length 1?
• How many lists of length 2? …
What is the cardinality of N list?
Fact: N list is a Denumerable Set
What is the 1-1 onto function from N list to N?
Theorem (Cauchy): The denumerable union of denumerable sets is denumerable.
We will first show
Theorem: The set of pairs of natural numbers N x N is a denumerable set.
Proof Idea: Consider the following function from N x N -> N:
    (i,j) |-> (i+j)(i+j+1)/2 + j
Claim: this is a total 1-1 function. (Prove this)
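Added example, not from the slides, for the two maps just claimed to be total and 1-1: the Z -> N map and the N x N -> N pairing map above, each with an explicit inverse (so they are in fact bijections), plus a finite-range injectivity check. Zero is taken with the "positive" case of the Z -> N map so that the map is total; that reading, and the names pair, unpair, z_to_n, n_to_z and is_injective_on, are my assumptions.

```python
import math

def pair(i, j):
    """Slide's map N x N -> N: (i,j) |-> (i+j)(i+j+1)/2 + j, in integer arithmetic."""
    assert i >= 0 and j >= 0
    s = i + j
    return s * (s + 1) // 2 + j

def unpair(n):
    """Inverse of pair: w is the largest diagonal index with w(w+1)/2 <= n;
    j is the offset along that diagonal and i = w - j."""
    assert n >= 0
    w = (math.isqrt(8 * n + 1) - 1) // 2
    t = w * (w + 1) // 2
    j = n - t
    return w - j, j

def z_to_n(z):
    """Slide's map Z -> N: 2z for z >= 0 (zero taken with the positive case,
    an assumption made so the map is total), 2|z| - 1 for z < 0."""
    return 2 * z if z >= 0 else 2 * abs(z) - 1

def n_to_z(n):
    """Inverse of z_to_n: even n came from n/2, odd n from -(n+1)/2."""
    return n // 2 if n % 2 == 0 else -((n + 1) // 2)

def is_injective_on(f, domain):
    """1-1 on a finite part of the domain: no two distinct inputs share an output."""
    seen = {}
    for x in domain:
        y = f(x)
        if y in seen and seen[y] != x:
            return False
        seen[y] = x
    return True
```

Listing unpair(0), unpair(1), ... walks the diagonals of N x N in the order (0,0), (1,0), (0,1), (2,0), (1,1), (0,2), ..., which is the enumeration the theorem is about.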