Lecture 3 Verifying Correctness of Algorithm

The document discusses verifying the correctness of algorithms through formal methods. It covers basic notions like preconditions and postconditions. Preconditions are properties that must be satisfied by the input, while postconditions are properties that must be satisfied by the result. The algorithm state is defined as the set of values of all variables used in the algorithm, and the algorithm is correct if its final state implies the postconditions. Basic steps for correctness verification include analyzing how the algorithm state changes with each processing step.

Uploaded by

Ibrahim Choudary

Advanced Analysis of Algorithms

Verification of the correctness of algorithms

Dr. Muhammad Safyan


Department of Computer Science
Government College University, Lahore
Today’s Agenda

• Algorithm Analysis
• Basic Notions
  • Precondition and Postcondition
  • Algorithm State
• Basic Steps in Correctness Verification
• Rule for Correctness Verification
  • Sequential Statements Rule
  • Conditional Statements Rule
  • Loop Statements Rule
  • Loop Invariant
  • Termination Function

Algorithm Analysis

While designing an algorithm we have to take care of two aspects:
• Algorithm Correctness: Algorithm must give desired output within finite time.
• Algorithm Efficiency: Algorithms must use minimum resources while executing on a machine.

Algorithm Correctness

How to verify that algorithm is correct?
• Empirical method: Correctness can be verified by testing different instances of the problem
  • Advantage:
    • Simple
    • Easy to apply
  • Disadvantage:
    • It doesn’t guarantee the correctness
• Formal method: Mathematically it is proved that algorithm will produce the required output for all the instances of the problem within finite time.
  • Advantage:
    • guarantees the correctness
  • Disadvantage:
    • Difficult
    • Not possible for complex algorithms

Basic Notions

• Preconditions and Postconditions
• Algorithm State
• Assertions
• Annotation

Preconditions and Postconditions

• Preconditions: Properties that must be satisfied by the input
• Postconditions: Properties that must be satisfied by the result
• Example: Find the minimum, m, of a non-empty array, x[1..n]
  Precondition: n ≥ 1 (array should be non-empty)
  Postcondition: m = min{x[i] | 1 ≤ i ≤ n}
• Partial correctness verification: prove that if an algorithm terminates it leads to postcondition starting from precondition.
• Intermediate steps in correctness verification:
  • analyze the algorithm state
  • the effect of each processing step on the algorithm state

Algorithm State

• Algorithm state: set of values corresponding to all variables used in the algorithm
• During the execution of an algorithm its state changes (since the variables change their values)
• The algorithm is correct if at the end of the algorithm its state implies the postconditions

Example: Solving the equation ax = b, a <> 0
input: a, b    output: x
precondition: a <> 0    postcondition: x satisfies ax = b

Algorithm 8 Solve ax = b
procedure MyProcedure(real a, b)
    real x                 {a = a0, b = b0, x = undefined}
    x ← b/a                {a = a0, b = b0, x = b0/a0}
    return x

Example: Assertions and Annotation

Find the minimum of the three distinct real numbers a, b, c
input: a, b, c    output: minimum real number
precondition: a <> b <> c    postcondition: m = min{a, b, c}

Algorithm: Minimum1
procedure minimum(real a, b, c)    {a <> b, b <> c, c <> a}
    if a < b then                  {a < b}
        if a < c then
            m ← a                  {a < b, a < c, m = a ⇒ m = min(a, b, c)}
        else
            m ← c                  {a < b, c < a, m = c ⇒ m = min(a, b, c)}
    else                           {b < a}
        if b < c then
            m ← b                  {b < a, b < c, m = b ⇒ m = min(a, b, c)}
        else
            m ← c                  {b < a, c < b, m = c ⇒ m = min(a, b, c)}
    return m

Example: Assertions and Annotation

A variant of previous Example:

Algorithm: Minimum2
procedure minimum(real a, b, c)    {a <> b, b <> c, c <> a}
    m ← a                          {m = a}
    if m > b then
        m ← b                      {m ≤ a, m ≤ b}
    if m > c then
        m ← c                      {m ≤ a, m ≤ b, m ≤ c}
    return m

Basic steps in correctness verification

• Identify the preconditions and postconditions
• Annotate the algorithm with assertions concerning its state such that
  • the preconditions are satisfied
  • the final assertion implies the postconditions
• Prove that by each processing step one arrives from the previous assertion to the next assertion

Some Notation

• P: the precondition
• Q: the postcondition
• A: the algorithm
The triple (P, A, Q) denotes a correct algorithm if, for input data which satisfy the preconditions P, the algorithm will:
• lead to postconditions Q
• stop after a finite number of processing steps

$P \xrightarrow{A} Q$

Rules for correctness verification

To prove that an algorithm is correct it can be useful to know rules corresponding to the usual statements:
• Sequential statement
• Conditional statement
• Loop statement

Sequential Statements Rule

Let algorithm A be a sequence of actions A1, A2, ..., An

Structure
A:
{P0}
A1
{P1}
...
{Pi−1}
Ai
{Pi}
...
{Pn−1}
An
{Pn}

Rule
If
  $P \Rightarrow P_0$
  $P_{i-1} \xrightarrow{A_i} P_i$, where $i = 1, \dots, n$
  $P_n \Rightarrow Q$
then
  $P \xrightarrow{A} Q$

Explanation
If
• the precondition implies the initial assertion,
• each action implies the next assertion
• the final assertion implies the post-condition
then the sequence is correct

Example of Sequential Statement Rules

Problem: Let x and y be two variables having the values a and b, respectively. Swap the values of the two variables.
precondition P: x = a, y = b
postcondition Q: x = b, y = a

variant 1
{x = a, y = b, aux = undefined}
aux ← x
{x = a, y = b, aux = a}
x ← y
{x = b, y = b, aux = a}
y ← aux
{x = b, y = a, aux = a} ⇒ Q

variant 2
{x = a, y = b}
x ← x + y
{x = a + b, y = b}
y ← x − y
{x = a + b, y = a}
x ← x − y
{x = b, y = a} ⇒ Q

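The two annotated swap variants, checked assertion by assertion at run time (an added example, not part of the original lecture). The helper names check_sequence, exact, swap_variant1 and swap_variant2 are assumptions of this example, and it goes beyond the slide by also running the variants on floating-point inputs, where the assertion {x = a + b} is no longer exact.

```python
# Added example: the sequential statements rule as a run-time check.
from fractions import Fraction


def check_sequence(state, pre, steps, post):
    """Check P => P0, P_{i-1} -A_i-> P_i and P_n => Q on one execution.

    pre and post are predicates on the state dict (P and Q). steps is a list
    of (label, action, assertion) triples: action is A_i, assertion is P_i.
    Returns the labels whose assertion did not hold; "P" and "Q" stand for the
    precondition and the postcondition. An empty list means every annotation
    was observed to hold for this input.
    """
    failed = [] if pre(state) else ["P"]
    for label, action, assertion in steps:
        action(state)
        if not assertion(state):
            failed.append(label)
    if not post(state):
        failed.append("Q")
    return failed


def exact(v):
    """Exact rational value of an int or finite float, so that the right-hand
    side of an assertion is computed over the reals, not in machine floats."""
    return Fraction(v)


def swap_variant1(a, b):
    """Variant 1: swap through an auxiliary variable (no arithmetic)."""
    s = {"x": a, "y": b, "aux": None}
    eq = lambda s, x, y, aux: (s["x"], s["y"], s["aux"]) == (x, y, aux)
    steps = [
        ("aux <- x", lambda s: s.update(aux=s["x"]), lambda s: eq(s, a, b, a)),
        ("x <- y",   lambda s: s.update(x=s["y"]),   lambda s: eq(s, b, b, a)),
        ("y <- aux", lambda s: s.update(y=s["aux"]), lambda s: eq(s, b, a, a)),
    ]
    return check_sequence(s, lambda s: eq(s, a, b, None), steps,
                          lambda s: s["x"] == b and s["y"] == a)


def swap_variant2(a, b):
    """Variant 2: swap by addition and subtraction."""
    s = {"x": a, "y": b}
    A, B = exact(a), exact(b)
    eq = lambda s, x, y: exact(s["x"]) == x and exact(s["y"]) == y
    steps = [
        ("x <- x + y", lambda s: s.update(x=s["x"] + s["y"]), lambda s: eq(s, A + B, B)),
        ("y <- x - y", lambda s: s.update(y=s["x"] - s["y"]), lambda s: eq(s, A + B, A)),
        ("x <- x - y", lambda s: s.update(x=s["x"] - s["y"]), lambda s: eq(s, B, A)),
    ]
    return check_sequence(s, lambda s: eq(s, A, B), steps, lambda s: eq(s, B, A))


if __name__ == "__main__":
    # Constructed inputs: exact integers, then floats that cannot hold a + b.
    for a, b in [(3, 7), (2.0 ** 60, 1.0)]:
        print(a, b, swap_variant1(a, b), swap_variant2(a, b))
```

With integers both variants return an empty list. With a = 2.0**60 and b = 1.0, variant 2 already fails its first assertion, because the proof treats + and − as exact arithmetic; fixed-width signed integers in C have the same gap when x + y overflows.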
Conditional Statement Rule

Structure
A:
{P0}
If c then
    {c, P0}
    A1
    {P1}
Else
    {NOT c, P0}
    A2
    {P2}
EndIf

Rule
If
• c is well defined
• c AND $P_0 \xrightarrow{A_1} P_1$
• $P_1 \Rightarrow Q$
OR
• NOT c AND $P_0 \xrightarrow{A_2} P_2$
• $P_2 \Rightarrow Q$
then
$P \xrightarrow{A} Q$

Explanation
• The condition c can be evaluated
• Both branches lead to the postconditions

Example Conditional Statement Rules

Problem: Find the minimum of two distinct numbers a and b
precondition P: a <> b
postcondition Q: m = min{a, b}

Algorithm: Minimum of two numbers
procedure Minimum          {a <> b}
    if a < b then          {a < b}
        m ← a              {a < b, m = a} ⇒ Q
    else                   {b < a}
        m ← b              {b < a, m = b} ⇒ Q
    return m

Loop Statement Rules

Not so easy task...
• a loop is correct when:
  • If it finishes it leads to postconditions
  • It finishes after a finite number of steps
• If only the first property is satisfied then the loop is partially correct
• Partial correctness can be proved by using mathematical induction or by using loop invariants
• Full correctness needs that the algorithm terminates

Loop Statement Rules

Let us consider while loop

{P ⇒ P0}
While c Do
    {c, P0}
    A
    {P1}
EndWhile
{NOT c, P1} ⇒ Q

Definition:
A loop invariant is an assertion which satisfies:
1. It is true at the beginning of the loop
2. As long as c is true it remains true after each execution of the loop body
3. When c is false it implies the postconditions
If we can find a loop invariant then that loop is partially correct

Loop Invariant

Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n ≥ 1
Q: m = min{x[i] | 1 ≤ i ≤ n}

Algorithm 25 Minimum
m ← x[1]
i ← 2                      {m = min{x[j] | j = 1...i − 1}}
while i ≤ n do             {i ≤ n}
    if x[i] < m then
        m ← x[i]           {m = min{x[j] | j = 1...i}}
    i ← i + 1              {m = min{x[j] | j = 1...i − 1}}

Loop Invariant:
m = min{x[j] | j = 1...i − 1}

Why? Because..
• when i = 2 and m = x[1] it holds
• while i ≤ n after the execution of the loop body it still holds
• finally, when i = n + 1 it implies m = min{x[j] | j = 1...n} which is exactly the postcondition

Loop Invariant

Example: Find the minimum, m, of a non-empty array, x[1..n]
P: n ≥ 1
Q: m = min{x[i] | 1 ≤ i ≤ n}

Algorithm 28 Minimum
i ← 1
m ← x[1]                   {m = min{x[j] | j = 1...i}}
while i < n do             {i < n}
    i ← i + 1              {m = min{x[j] | j = 1...i − 1}}
    if x[i] < m then
        m ← x[i]           {m = min{x[j] | j = 1...i}}

Loop Invariant:
m = min{x[j] | j = 1...i}

Why? Because..
• when i = 1 and m = x[1] the invariant is true
• while i < n after the execution of the loop body it still holds
• finally, when i = n it implies m = min{x[j] | j = 1...n} which is exactly the postcondition

Loop Invariant

Example: Let x[1..n] be a non-empty array which contains x0. Find the smallest index for which x[i] = x0
P: n ≥ 1 and there exists 1 ≤ k ≤ n such that x[k] = x0
Q: x[i] = x0 and x[j] ≠ x0 for j = 1...i − 1

Algorithm 41 Minimum
i ← 1                      {x[j] <> x0, j = 1...i − 1}
while x[i] <> x0 do        {x[i] <> x0, x[j] <> x0 for j = 1...i}
    i ← i + 1              {x[i] <> x0, x[j] <> x0 for j = 1...i − 1}

Loop Invariant:
x[j] ≠ x0 for j = 1...i − 1

Why? Because..
• when i = 1 the range j = 1...0 is empty, thus the assertion is satisfied
• Let us suppose that x[i] <> x0 and the invariant is true. Then x[j] <> x0 for j = 1...i
• After i = i + 1 we obtain again x[j] <> x0 for j = 1...i which is exactly

Termination Function

To prove that a loop finishes after a finite number of iterations it suffices to find a termination function
Definition:
A function F : N → N is a termination function if it satisfies the following properties:
1. F is strictly decreasing
2. if c is true then F(p) > 0 and if F(p) = 0 then c is false
Remarks:
• F depends on the loop counter p (at the first execution of the loop body p is 1, at the second it is 2 and so on)
• The loop counter is not necessarily an explicit variable (it can be just a formal variable useful to analyze the loop correctness)
• F reaches 0 because it is strictly decreasing; when F becomes 0 then c becomes false, thus the loop finishes.

Termination Function
Example: S = 1 + 2 + ... + n

Variant 1:

Algorithm 68 Sum of Series
1: i ← 1
2: S ← 1
3: while i < n do
4:    i ← i + 1    ▷ i_p = i_{p−1} + 1
5:    S ← S + i

F(p) = n − i_p
F(p) = n − i_{p−1} − 1
F(p) = F(p − 1) − 1
F(p) < F(p − 1)
i_p < n ⇒ F(p) > 0
F(p) = 0 ⇒ i_p = n

Variant 2:

Algorithm 69 Sum of Series
1: S ← 0
2: i ← 1
3: while i ≤ n do
4:    S ← S + i
5:    i ← i + 1    ▷ i_p = i_{p−1} + 1

F(p) = n + 1 − i_p
F(p) = n + 1 − i_{p−1} − 1
F(p) = F(p − 1) − 1
F(p) < F(p − 1)
i < n ⇒ F(p) > 0
F(p) = 0 ⇒ i_p = n + 1
Termination Function

Example: find the first occurrence of x0 in x[1...n]

Let k be the first occurrence of x0 in x[1...n]

Algorithm 75 Find the occurrence
1: i ← 1
2: while x[i] <> x0 do
3:    i ← i + 1    ▷ {i_p = i_{p−1} + 1}

F(p) = k − i_p
F(p) = k − i_{p−1} − 1
F(p) = F(p − 1) − 1
F(p) < F(p − 1)
x[i] <> x0 ⇒ i_p < k ⇒ F(p) > 0
F(p) = 0 ⇒ i_p = k ⇒ x[i] = x0
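The loop-invariant and termination-function obligations from the slides above, checked at run time for the first-occurrence search and for Variant 2 of the sum. This is an added example, not part of the lecture, and it generalizes the two loops into one checker; the names `run_checked`, `first_occurrence` and `sum_series`, the precondition n ≥ 0 for the sum, and the sum invariant S = 1 + ... + (i − 1) are assumptions made here.

```python
def run_checked(state, cond, body, invariant, variant):
    """Run `while cond: body`, checking the loop invariant and the
    termination function F at every step; return (final state, F values)."""
    assert invariant(state), "invariant must hold before the loop"
    trace = [variant(state)]
    while cond(state):
        # c true => F > 0 (equivalently: F = 0 => c false)
        assert trace[-1] > 0, "c is true but F is not positive"
        state = body(state)
        assert invariant(state), "loop body broke the invariant"
        trace.append(variant(state))
        # F takes values in N and strictly decreases
        assert 0 <= trace[-1] < trace[-2], "F did not strictly decrease"
    return state, trace


def first_occurrence(x, x0):
    """Smallest 1-based i with x[i] = x0, plus the observed values of F."""
    # Precondition P: n >= 1 and x0 occurs in x. Without it k does not exist,
    # no F can be defined, and the unguarded loop would index past the array.
    if not x or x0 not in x:
        raise ValueError("precondition P violated: x0 does not occur in x")
    k = x.index(x0) + 1                       # 1-based; used only by F
    i, trace = run_checked(
        1,
        cond=lambda i: x[i - 1] != x0,
        body=lambda i: i + 1,
        invariant=lambda i: all(x[j - 1] != x0 for j in range(1, i)),
        variant=lambda i: k - i)              # F(p) = k - i_p
    assert x[i - 1] == x0                     # invariant and not c give Q
    return i, trace


def sum_series(n):
    """Variant 2 of S = 1 + 2 + ... + n, plus the observed values of F."""
    if n < 0:                                 # assumed precondition
        raise ValueError("n must be a natural number")
    (S, _), trace = run_checked(
        (0, 1),                               # state is the pair (S, i)
        cond=lambda s: s[1] <= n,
        body=lambda s: (s[0] + s[1], s[1] + 1),
        # assumed invariant: S = 1 + ... + (i - 1)
        invariant=lambda s: s[0] == (s[1] - 1) * s[1] // 2,
        variant=lambda s: n + 1 - s[1])       # F(p) = n + 1 - i_p
    return S, trace
```

The returned trace is the sequence F(0), F(1), ... observed during the run, so a loop with a valid termination function always ends with a trace whose last value is 0.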
