CS 641 meeting -*- Outline -*-

* developing loops (Cohen's chapters 9-10)

	Remark: these examples are simple, but same principles
		guide the development of more complex programs,
		where the aid is needed

	Recall: Basic problem (in developing a loop)
		is how to choose invariant and guard
		i.e. given postcondition R for a loop,
		need to choose invariant P, guard B, such that
			P /\ ~B ==> R
** deleting a conjunct (9)
	this heuristic applies when the postcondition is a conjunction

	If R has form X /\ Y, choose P as one, and B as negation of other
-------------
   HEURISTICS FOR CHOOSING INVARIANT

(deleting a conjunct):
 if postcondition R is a conjunction,
 then delete
      the most difficult to truthify.

(what's most difficult?):
  conjunct that gives enough info
  for solution (i.e, part of answer)
--------------

*** integer division example (9.1)
	suppose we want to program integer division
		without using it as a primitive

----------------
  EXAMPLE (INTEGER DIVISION)

  var x,y: int {Q: 0<=x /\ 0<y}
; var q,r:int
; q,r: (R:0<=r /\ r<y /\ q*y+r = x)
-----------------
	that is, Q is 0<=x /\ 0<y
		and R is r<y /\ 0<=r /\ q*y+r = x

**** choose invariant
	First, we choose an invariant, P,
		which should be such that ~B /\ P implies R

	Do this by deleting a conjunct...
	which one?

		q*y+r = x looks like most difficult
		but truthifying it doesn't necessarily give solution,
			because can make q=0, r=x!
		also this involves all the variables, so will make a better
			part of the invariant than a guard

		0 <= r doesn't look harder than r < y, but doesn't work out,
		so we pick r < y to delete.

	Thus
-----------------
0. choose invariant and guard
    invariant, P: 0<=r /\ q*y+r = x
    guard: r>=y,
------------------
**** establish invariant
	an assignment will do that
----------------
1. establish invariant
    {Q:  0<=x /\ 0<y}
    q,r := 0,x
    {P}
-----------------
	Q: check that wp.(q,r := 0,x).P <== Q?

**** choose bound function
	We plan to reduce r, so let the bound function be r.
------------------
2. choose bound function
	let bound function be r
------------------
**** develop loop body
	Now the loop body must decrease r, and also maintain P!
	guess it's going to be an assignment (creative)
		we say K>0 below to ensure progress
---------------
3. develop loop body
   solve for K>0 and E in
   {P /\ (r>=y)} r,q := r-K,E {P}
---------------
	we solve by assuming the precondition
		and working as follows

	      wp(r,q := r-K,E).P
	equiv	<def of P>
	      wp(r,q := r-K,E).(0<=r /\ q*y+r = x)
	equiv	<wp of assignment>
	      0<=r-K /\ E*y+(r-K) = x
	equiv	<arithmetic>
	      r>=K /\ (E*y + r-K = x)
	equiv	<by the precondition, wherein q*y+r = x>
	      r>=K /\ (E*y + r-K = q*y+r)
	equiv	<arithmetic>
	      r>=K /\ E = q + K/y
	equiv   <we can't do division, so have to choose for K something
		 that eliminates the divsison, namely a multiple of y,
		  we choose the smallest one possible;
		  as K must be positive to make progress, we choose K=y
		  note that this is also something we can get from the
		  precondition>
	      r>=y /\ E = q + 1
	equiv	<from the precondition, r>=y>
	      E = q +1

	so the body of the loop will be
		r,q := r-y,q+1

	Q: why does boundness hold?
		in general have to check that at this point

	so annotated solution

	{Q: 0 <= x /\ 0<y}
	q,r := 0,x
	{inv P: 0<=r /\ q*y+r = x}
	; do r >= y -> r,q := r-y,q+1 od
	{P /\ r < y, hence R: 0<=r /\ r<y /\ q*y+r = x}

*** linear search example (9.2)
----------------
   EXAMPLE (LINEAR SEARCH)

  var x: int {0 <= X /\ f.X}
; x: (R: 0 <= x /\ f.x
      /\ (all i : 0 <= i /\ i < x : ~f.x))
-----------------
	Q: can you develop this?  What are the steps?

	Remark: Cohen makes a big deal that programmers should recognize
		linear search, and just use it when it occurs.
		He doesn't seem to mind that they recode it each time...
		I think better it be captured in a procedure once for all,
		but this requires we admit procedures,
		and higher-order ones at that, into the language

*** avoid avoidable case analysis (9.3) (omit)
	heuristic: avoid avoidable case analysis
		(make everything look the same, preserve symmetry)
	use booleans as expressions
		i.e., x := B instead of if B -> X := true [] x := false fi
	use functions that already do case analysis (max)

*** postpone design decisions (9.4) (omit)
	heuristic: don't make a design decision until absolutely necessary.

** replacing constants by fresh variables (10)
	what if the postcondition is not a conjuction?
-------------------
   HEURISTICS FOR CHOOSING INVARIANT

(replace constants by fresh variables):
 If the postcondition has the form
	x = f.N,
 then rewrite it as
	x = f.n /\ n = N
 and choose
	invariant: x = f.n
	guard: ~(n = N)

(constrain fresh vars to ensure defined):
 If f is partial, 
	and defined on (i:0<=i<M)
 then choose
	invariant: x = f.n /\ (0<=n<M)
	guard: ~(n = N)
----------------------
	Now we can proceed as before

	example (10.2)

	  var b: array of int {#b > 0}
	; var x: int
	; x : (R: x = (MIN i : 0 <= i /\ i < #b : b.i))

	where MIN is not allowed in the program.

	Q: what constant can you eliminate?

	see Cohen's book for other examples.