3EA3 Lecture 16: Linear Search

Transcription

1 3EA3 Lecture 16: Linear Search Musa Al-hassy Specifications and Correctness 2018 Abstract These notes accompany the slide-deck of the same title, which aims to demonstrate how the linear search program can be derived by using the delete a conjunct technique to find an invariant from an end goal. We recall the search algorithm of the previous lecture, as well a particularly helpful theorem regarding finite optimization. The exposition is similar to section 9.2 of [?], but differs in that we are looking at the bounded linear search: There may be no solution but only a finite number of candidates is inspected. Contents 1 The deleting a conjunct Heuristic 2 2 Problem Statement 2 3 Specifying the Problem Ghosts In The Machine Finding the invariant Induced Extrema Definition for Numbers Rewriting our Goal Program Outline, Thus Far Deleting a conjunct Program Outline, Thus Far Bound Function Decreasing The Bound Invariant Maintenance 4 7 Conclusion 5 8 Frama-C 5

2 1 The deleting a conjunct Heuristic When programming, an end goal R can usually be construed as consiting of two main conjuncts: R inv done. Programming is about ensuring that R will be true by assigning to the variables that occur in it. Pick values for the variables and see what parts of R will be true. Such parts will constitute the invariant and live in conjunct inv. The parts of R that are not easily truthified constitute the done condition and so form part of the loop guard. This approach to finding an invariant gives the program outline: { Givens intilisation ; DO done??? OD { inv done; i.e., R 2 Problem Statement Linear Search Given a problem with solution space S : Z B, we are asked to find the least solution in the interval 0..N-1, for N 0, if any, otherwise we are to output N. ( The developed algorithm will take linear time in-terms of the given array length. ) 3 Specifying the Problem At a first glance, it might seem that our desired end goal is to assign to a variable i such that i = ( j 0 j < N S j j) That is, i is the least index j : 0..N-1 that is a solution, i.e., S j. However, when there are no solutions inspected i.e., j : 0..N-1 S j false then the quantification becomes i = ( j 0 j < N S j j) = ( j false j) = +, since + is the identity of minima. To avoid working with notions of infinity, we want S j to be true for some j. This is the approach followed by [?], 9.2. Alternatively, we can postulate that S N true: We shall never actually access S at location N but will suppose that N is a solution point. Now the above quantification, ( j 0 j < N S j j), is necessarily finite. 3.1 Ghosts In The Machine It is common to refer to S N as a postulated value, a fictitious element, a ghost value. Since it will be used in the logical correctness and derivation of the algorithm, but never actually occur whence a ghost to the program. Thus we have the program outline, { N 0? { R : i = ( j 0 j N S j j) Ghost: S N true 4 Finding the invariant The end goal is phrased rather succinctly however the technique we are currently learning about requires we construe it as a few conjuncts. To that end, we recall an important property from finite lattice theory. 4.1 Induced Extrema Definition for Numbers Provided Q non-empty and finite, f m = ( x Q x f x) Q m ( x Q x f m f x) (f m) is the least f-image point over the domain Q precisely when m is in the domain and all other image points over the domain are above it. Dually, f m = ( x Q x f x) Q m ( x Q x f x f m)

3 4.2 Rewriting our Goal Hence, our end goal can be rewritten from i = ( j 0 j N S j j) to 0 i N S i ( j 0 j N S j i j). We now have a host of conjuncts to consider deleting! Before moving on observe that we tend to phrase the bounds on a variable in the range-portion of our quantification notation whereas our most recent rendition of the end goal contains a quantification with bounds on j is multiple positions. Let us massage it so that it takes on the familiar shape we are comfortable working with. In the context of the other conjuncts, 0 i N S i, we massage the third one with the aim of simplifying it. j 0 j N Sj i j = { Use the -trading law to bring the inclusions closer together j 0 j N Sj i j = { Now the shunting law to bring them ever closer j 0 j N (Sj i j) = { Contraposition in the hopes of bringing them closer j 0 j N ( i j Sj) = { Shunting to bring the inclusions side-by-side j 0 j N i j Sj = { Use the -trading law to bring the inclusions into the range area j 0 j N i j Sj = { Let s try to clean-up the messy range: 0 j N i j j = { Inclusion chain notation and negation of an order 0 j j N j < i = { Context gives i N and identity of 0 j j N j < i N = { Order theory j < i N j N and definition of implication: p q p q p 0 j j < i N = { Inclusion chain notation; context gives i N and identity of 0 j < i 0 j < i Sj 4.3 Program Outline, Thus Far Thus we have the program outline, { N 0? { R : 0 i N S i ( j 0 j < i S j) Ghost: S N true Note that R reads: i is a Solution point in the region 0..N and every point before it in that region is not a Solution point. 4.4 Deleting a conjunct Looking at R : 0 i N S i ( j 0 j < i S j) The inclusion is the easiest to truthify and can be done so in two ways: Setting i to be 0 or setting it to be N. We choose the former the latter results in the dual linear search algorithm which begins searching from the top and proceeding down. Anyhow, setting R[i = 0] is 0 0 N S 0 ( j 0 j < 0 S j). The first and last cojuncts are immedately true exercise! Whereas the second needn t be true e.g., in the case S only has odd numbers as solution points.... Thus we take inv: 0 i N ( j 0 j < i S j) done: S i 4.5 Program Outline, Thus Far { N 0 i = 0 ; DO done??? OD { inv done; i.e., R

4 5 Bound Function If we could ensure the loop terminates, then we would have inv done; i.e., R. So let us bound the number of possible iterations. Within the loop we have that N - i is a non-negative integer and so may serve as a bound function. Indeed, 5.1 Decreasing The Bound inv done = { Definitions 0 i N ( j 0 j < i Sj) Si { Inclusion chain notation and weakening i N { Arihtmetic 0 N i If we can decrease the bound function, then we re closer to termination. As such an increase in i results in a decrease in N i. So we pick the simplest possible increase: i = i Invariant Maintenance However, we must ensure that our increase does not break the invariant; otherwise after the loop we may not have inv done! To that end, we need to ensure {inv done i = i + 1 {inv. By the definition of the Hoare Triple and the WP assignment rule, it suffices to assume inv done and show inv[i = i + 1]. As a separation of concerns, we prove the conjuncts one at a time: We begin with the more difficult of the two: j 0 j < i + 1 Sj = { Split-off term the only obvious thing to do ( j 0 j < i Sj) Si = { The first conjunct is assumed in inv! true Si = { The second conjunct is just done! true true = { Idempotency of true Next the simpler conjunct, 0 i + 1 N = { Inclusion chain notation 0 i + 1 i + 1 N { Order theory 0 i i + 1 N = { The first conjunct is assumed in inv! true i + 1 N = { -identity and order theory i < N = { It s not at all clear how to proceed, so let s suppose that i < N were not and seek to find a contradiction. That is, we shall show i < N false which is tantamount to our goal, i < N, since this is a variation of double negation: p p false. Let us calculate, i < N = { Order negation N i = { The assumption inv along with -identeity. i N N i { Antisymmetry i = N { Leibniz Si SN = { Assumption done and fictious value SN false true = { False is not true; formally: Identity of. false We have thus obtained our desired contradiction and i < N must be true. true Alternatively, one can prove i < N by instantiating the second conjunct of inv[i := i + 1], which we leave as a fun exercise.

5 7 Conclusion Since the candidate loop body, i = i + 1, preserves the invariant, we have concluded programming and thus have obtained the correct-by-construction code: { N 0 i = 0 { inv : 0 i N ( j 0 j < i S j) bf : N - i ; DO (S i) i = i + 1 OD { inv (S i); i.e., i = ( j : 0..N S i) Ghost: S N true 8 Frama-C Let us calm our conscious by having an external tool ensure our development did not go awry: /*@ requires 0 <= N && assigns ensures 0 <= \result <= ensures \forall integer j; 0 <= j < int LinearSearch(const int N, const bool* S) { ==> S[j]!= true; // Extend S to be true at N. #define SS(x) (x == N? true : S[x]) int i = 0; /*@ loop invariant InRange: 0 <= i <= loop invariant NoSolutionThusFar: \forall integer j; 0 <= j < loop assigns loop variant N-i; */ while(! SS(i) ) i++; ==> SS(j)!= true; return i; More fully, // -*- compile-command: "NAME=16_LinearSearch ; gcc -w $NAME.c -o $NAME.exe ;./$NAME.exe ; sleep 3s" #include <stdio.h> #include <stdbool.h> #include "GCL.h" // // To use type agnostic PrintArray(). // frama-c-gui -wp 16_LinearSearch.c //////////////////////////////////////////////////////////////////////////////////// // Return the location of 55 in the given array S if it is there; // otherwise return the length of the array. /*@ requires 0 <= N && assigns ensures 0 <= \result <= int LinearSearch_0(const int N, const int* S) { //@ ghost S[N] = 55; int i = 0; /*@ loop invariant 0 <= i <= loop invariant \forall integer j; 0 <= j < loop assigns loop variant N-i; */ while( 55!= S[i] ) i++; ==> 55!= S[j]; return i;

6 /* Even though the assignment to S[N] is not visible to the compiler, * it is an assignment to a memory location that might be accessed elsewhere * by another ghost clause. The ghost variables are like any other variables. * * We may omit the assigns clause if we like since the const qualifiers * ensure that we are not modifying the given parameters. * **/ // What will happen if you _actually_ try to execute this algorithm when 55 S? // Frama-C gives only green... //////////////////////////////////////////////////////////////////////////////////// // Find the smallest solution to S : 0..N-1 B, if it exists, otherwise return N. // Obtain the result by inspecting the S -elements from 0 onward until a solution is found, if any. // /*@ requires 0 <= N && assigns ensures 0 <= \result <= ensures \forall integer j; 0 <= j < \result ==> S[j]!= int LinearSearch(const int N, const bool* S) { // Extend S to be true at N. #define SS(x) (x == N? true : S[x]) int i = 0; /*@ loop invariant InRange: 0 <= i <= loop invariant NoSolutionThusFar: \forall integer j; 0 <= j < loop assigns loop variant N-i; */ while(! SS(i) ) i++; ==> SS(j)!= true; return i; /* Note we do not need the S[N] = true; since our logic uses SS. * Were our logic to use S, then need the ghost. **/ //////////////////////////////////////////////////////////////////////////////////// // P is an Boolean expression possibly involving i. // #define PredicateToArray(A, N, P) \ for(int i = 0; i!= N; i++) A[i] = P; int main() { #define N 26 bool S[N] = {0; // S[i] = i is a positive multiple of 3 and 5 // PredicateToArray(S, N, 0 < i && i % 3 == 0 && i % 5 == 0); // S[i] = i is odd and greater than 7 PredicateToArray(S, N, 7 < i && i % 2 == 1); // S[i] = i 2 = -1 ; i.e., the integer i squared is negative; which is impossible. // PredicateToArray(S, N, i * i == -1); PrintArray(S, N); int location = LinearSearch(N, S); // int location = LinearSearch_0(N, S); // Segmentation fault, my old friend. if (location == N) printf("\ns has no solutions!"); else printf("\ns[ %d ] is a solution to the problem!", location); printf("\nbye!\n"); return 0;