CSE 230: Principles of Programming Languages
Notes on Chapter 5 of Algebraic Semantics (Iteration)

5.1 When proving the (partial) correctness of a loop, the invariant appears both as an assumption (on entering the loop) and as a goal. This means that it must be treated in two completely different ways. We illustrate these different treatments by working with a formula F of the form

      (forall Q(X)) P1(X) and P2(X)
where Q(X) is something like 1 < X < N. This formula is really an abbreviation for an implication, of the form
      (forall X) Q(X) implies P1(X) and P2(X).
If P1 and P2 are both equations, then in assuming this formula, we introduce two conditional equations,
      cq t1(X) = t1'(X) if 1 < X and X < N .
      cq t2(X) = t2'(X) if 1 < X and X < N .
On the other hand, in trying to prove the formula, we would first eliminate the quantifier, then eliminate the implication, and finally eliminate the conjunction, so that the setup would be something like the following:
      *** x is a fresh constant standing for an arbitrary X; n is the bound N
      op x : -> Int .
      eq 1 < x = true .
      eq x < n = true .
      red t1(x) == t1'(x) .
      red t2(x) == t2'(x) .
Of course, things are more complex for an actual loop invariant, because the state, the precondition, etc. must also be taken into account.


Maintained by Joseph Goguen
© 2000, 2001, 2002 Joseph Goguen
Last modified: Thu Feb 21 14:31:02 PST 2002