**5.1** When proving the (partial) correctness of a loop, the invariant
appears both as an assumption (on entering the loop) and as a goal. This
means that it must be treated in two completely different ways. We illustrate
these different treatments by working with a formula F of the form

    (forall Q(X)) P1(X) and P2(X)

where Q(X) is something like 1 < X < N. This formula is really an abbreviation for an implication, of the form

    (forall X) Q(X) implies P1(X) and P2(X).

If P1 and P2 are both equations, then in assuming this formula, we introduce two conditional equations,

```
cq t1(X) = t1'(X) if 1 < X and X < N .
cq t2(X) = t2'(X) if 1 < X and X < N .
```

On the other hand, in trying to prove the formula, we would first eliminate the quantifier (by introducing a fresh constant x), then eliminate the implication (by assuming its hypotheses as equations), and finally eliminate the conjunction (by reducing each conjunct separately), so that the setup would be something like the following:

```
op x : -> Int .
eq 1 < x = true .
eq x < n = true .
red t1(x) == t1'(x) .
red t2(x) == t2'(x) .
```

Of course, things are more complex for an invariant, because of taking account of the state, the precondition, etc.
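The two treatments above are mechanical, so they can be generated from a description of the formula. The following Python script is an added example, not part of Goguen's notes or of OBJ3 itself: it represents a formula of the shape (forall X : Sort) Q(X) implies P1(X) and ... and Pk(X), where Q(X) is a conjunction of atoms and each Pi is an equation, and emits OBJ3-style text for both roles. In the assumption role each conjunct becomes one conditional equation guarded by Q(X); in the goal role the quantifier is eliminated with a fresh constant, each hypothesis atom is assumed as an equation, and each conjunct is reduced on its own. It generalizes the notes' instance to any number of hypothesis atoms and conjuncts. The sample formula (`NOTES_FORMULA`) is constructed here to match the notes, with the bound `N` written as a constant `n`; the function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Equation:
    """One conjunct P_i(X) of the conclusion, written as lhs = rhs."""
    lhs: str
    rhs: str


@dataclass(frozen=True)
class Formula:
    """(forall VAR : SORT) hyp_1 and ... and hyp_m implies P_1 and ... and P_k."""
    var: str                     # quantified variable, e.g. "X"
    sort: str                    # its sort, e.g. "Int"
    hyps: Tuple[str, ...]        # atoms of Q(X), e.g. ("1 < X", "X < n")
    concl: Tuple[Equation, ...]  # the equations P_1(X), ..., P_k(X)


def _subst(term: str, var: str, const: str) -> str:
    """Replace whole-word occurrences of the variable by the fresh constant."""
    return re.sub(rf"\b{re.escape(var)}\b", const, term)


def as_assumption(f: Formula) -> List[str]:
    """Assumption role: the formula is used as a rewrite rule, so each
    conjunct becomes one conditional equation guarded by all of Q(X)."""
    cond = " and ".join(f.hyps)
    lines = [f"var {f.var} : {f.sort} ."]
    lines += [f"cq {e.lhs} = {e.rhs} if {cond} ." for e in f.concl]
    return lines


def as_goal(f: Formula, const: Optional[str] = None) -> List[str]:
    """Goal role: eliminate the quantifier with a fresh constant, eliminate
    the implication by assuming each hypothesis atom as an equation, and
    eliminate the conjunction by reducing each conjunct separately."""
    c = const or f.var.lower()
    lines = [f"op {c} : -> {f.sort} ."]
    lines += [f"eq {_subst(h, f.var, c)} = true ." for h in f.hyps]
    lines += [
        f"red {_subst(e.lhs, f.var, c)} == {_subst(e.rhs, f.var, c)} ."
        for e in f.concl
    ]
    return lines


# Constructed instance of the formula in the notes: Q(X) is 1 < X < n and
# the conclusion is the conjunction of two equations.
NOTES_FORMULA = Formula(
    var="X",
    sort="Int",
    hyps=("1 < X", "X < n"),
    concl=(Equation("t1(X)", "t1'(X)"), Equation("t2(X)", "t2'(X)")),
)

if __name__ == "__main__":
    print("--- formula used as an assumption ---")
    print("\n".join(as_assumption(NOTES_FORMULA)))
    print("--- formula set up as a goal ---")
    print("\n".join(as_goal(NOTES_FORMULA)))
```

Running the script prints the two fragments side by side; the goal setup is what would be placed inside an `open ... close` block before the reductions are run, and the fresh constant name can be chosen explicitly with the `const` argument when `x` is already in use.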

Maintained by Joseph Goguen

© 2000, 2001, 2002 Joseph Goguen

Last modified: Thu Feb 21 14:31:02 PST 2002