10.1.2 Path Functions
The following definition introduces the semantics of paths, in terms of the function that they define on their space.
• The effect of each variable declaration of the form "<type> x" is to change the state space of the program from what it was prior to the declaration (say, S) to $S \times$ <type>.
• We assume that prior to any variable declarations, the space of the program is limited to two implicit state variables, namely the input stream and the output stream; both of these can be modeled as sequences, where read(x) returns the first element of the input stream and removes it therefrom, while write(x) appends x to the output stream.
• The semantics of an assignment statement $x = E$ is defined by:
$\{(s, s') \mid s \in \mathrm{def}(E) \wedge x' = E(s) \wedge \_' = \_\},$
10.1 PATHS AND PATH CONDITIONS 197
where def(E) is the set of states on which E can be evaluated, and the symbol _ stands for all the variables of the space other than x.
• The semantics of a condition is defined by the following equations:
$(c?\ \mathit{true}) = \{(s, s') \mid s' = s \wedge c(s)\},$
$(c?\ \mathit{false}) = \{(s, s') \mid s' = s \wedge \neg c(s)\}.$
• The semantics of sequence is defined by the following equation, where $\bullet$ denotes the relational product:
$(es_1;\ es_2) = es_1 \bullet es_2.$
Definition: Path Function. The function of a path is the function computed inductively according to the semantic rules provided above.
As an illustration of these rules, we compute, for example, the function of path p8 in the gcd program, which reads as follows:
• p8:
    int x; int y;                               // line 1
    read(x); read(y);                           // line 2
    ((x!=y)? true); ((x>y)? false); y=y-x;      // line 3
    ((x!=y)? true); ((x>y)? true); x=x-y;       // line 4
    ((x!=y)? true); ((x>y)? false); y=y-x;      // line 5
    ((x!=y)? false);                            // line 6
    write(x);                                   // line 7
We let is and os designate, respectively, the input stream and the output stream, and we let head and tail designate, respectively, the operation that returns the head of a stream and its tail (remainder once the head is removed). We interpret the first line as letting the space of the program be defined as:
$S = is \times os \times int \times int.$
The functions of line 2 and line 7 are then defined on space S by, respectively:
$F_2 = \{(s, s') \mid \mathrm{length}(is) \geq 2 \wedge x' = \mathrm{head}(is) \wedge y' = \mathrm{head}(\mathrm{tail}(is)) \wedge is' = \mathrm{tail}^2(is) \wedge os' = os\},$
$F_7 = \{(s, s') \mid x' = x \wedge y' = y \wedge is' = is \wedge os' = os \cdot x\},$
where we use the dot to designate concatenation. Lines 3 and 5 have the same code: hence they compute the same function, which is:
$F_3 = F_5 = \{(s, s') \mid x < y \wedge x' = x \wedge y' = y - x \wedge is' = is \wedge os' = os\}.$
As for line 4, it computes the following function:
$F_4 = \{(s, s') \mid x > y \wedge x' = x - y \wedge y' = y \wedge is' = is \wedge os' = os\}.$
198 STRUCTURAL CRITERIA
Finally, line 6 computes a subset of the identity, as follows:
$F_6 = \{(s, s') \mid x = y \wedge x' = x \wedge y' = y \wedge is' = is \wedge os' = os\}.$
Computing the product $F_2 \bullet F_3 \bullet F_4 \bullet F_5 \bullet F_6 \bullet F_7$, we find:
$F_2 \bullet F_3 \bullet F_4 \bullet F_5 \bullet F_6 \bullet F_7$
= {associativity, substitution}
$F_2 \bullet \{(s, s') \mid x < y \wedge x' = x \wedge y' = y - x \wedge is' = is \wedge os' = os\} \bullet \{(s, s') \mid x > y \wedge x' = x - y \wedge y' = y \wedge is' = is \wedge os' = os\} \bullet F_5 \bullet F_6 \bullet F_7$
= {relational product}
$F_2 \bullet \{(s, s') \mid x < y \wedge x > y - x \wedge x' = 2x - y \wedge y' = y - x \wedge is' = is \wedge os' = os\} \bullet F_5 \bullet F_6 \bullet F_7$
= {associativity, substitution}
$F_2 \bullet \{(s, s') \mid x < y \wedge x > y - x \wedge x' = 2x - y \wedge y' = y - x \wedge is' = is \wedge os' = os\} \bullet \{(s, s') \mid x < y \wedge x' = x \wedge y' = y - x \wedge is' = is \wedge os' = os\} \bullet F_6 \bullet F_7$
= {relational product}
$F_2 \bullet \{(s, s') \mid x < y \wedge x > y - x \wedge 2x - y < y - x \wedge x' = 2x - y \wedge y' = 2y - 3x \wedge is' = is \wedge os' = os\} \bullet F_6 \bullet F_7$
= {associativity, substitution (post-restriction)}
$F_2 \bullet \{(s, s') \mid x < y \wedge x > y - x \wedge 2x - y < y - x \wedge x' = 2x - y \wedge y' = 2y - 3x \wedge is' = is \wedge os' = os \wedge x' = y'\} \bullet F_7$
= {simplification, assumption that x and y are both positive}
$F_2 \bullet \{(s, s') \mid 5x = 3y \wedge x' = 2x - y \wedge y' = 2y - 3x \wedge is' = is \wedge os' = os\} \bullet F_7$
= {relational product, abbreviating each function by its initial}
$\{(s, s') \mid l(is) \geq 2 \wedge 5 \times h(is) = 3 \times h(t(is)) \wedge x' = 2 \times h(is) - h(t(is)) \wedge y' = 2 \times h(t(is)) - 3 \times h(is) \wedge is' = t^2(is) \wedge os' = os\} \bullet F_7$
= {relational product}
$\{(s, s') \mid l(is) \geq 2 \wedge 5 \times h(is) = 3 \times h(t(is)) \wedge x' = 2 \times h(is) - h(t(is)) \wedge y' = 2 \times h(t(is)) - 3 \times h(is) \wedge is' = t^2(is) \wedge os' = os \cdot (2 \times h(is) - h(t(is)))\}$
This function reflects the impact of the path on the state variables; remember that l(is), h(is), and h(t(is)) are (respectively) the length, first element, and second element of the input stream. Note that if the first element is 18 and the second element is 30, then upon execution of this path, the input stream is truncated by two, and the output stream is augmented by a new element, whose value is: 2 × 18 − 30 = 6. Indeed, 6 is the greatest common divisor of 18 and 30.
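The semantic rules of this section (declaration, read, write, assignment, condition, sequence) and the computation of the function of path p8, as an added example that is not the book's own code: each statement becomes a partial function on states, the relational product composes them, and the result is compared with the closed form derived above. The names cond, assign, read, write, product, run_p8 and closed_form are assumptions of this example.

```python
# Added example (not from the book): the semantic rules above as composable partial
# functions on states, used to recompute the function of path p8 of the gcd program.
# A state is a dict over the space is x os x int x int; None means "undefined here".
def cond(c):                       # ((c)? true): subset of the identity where c holds
    return lambda s: dict(s) if c(s) else None

def assign(var, expr):             # x = E: x' = E(s), every other variable unchanged
    return lambda s: {**s, var: expr(s)}

def read(var):                     # read(x): x' = head(is), is' = tail(is); undefined if empty
    return lambda s: {**s, var: s["is"][0], "is": s["is"][1:]} if s["is"] else None

def write(var):                    # write(x): os' = os . x (dot = concatenation)
    return lambda s: {**s, "os": s["os"] + [s[var]]}

def product(*fs):
    # Relational product F1 . F2 . ...: apply in order, undefined once any factor is
    def g(s):
        for f in fs:
            if s is None:
                return None
            s = f(s)
        return s
    return g

x_ne_y = cond(lambda s: s["x"] != s["y"])        # ((x!=y)? true)
x_eq_y = cond(lambda s: s["x"] == s["y"])        # ((x!=y)? false)
x_gt_y = cond(lambda s: s["x"] > s["y"])         # ((x>y)? true)
x_le_y = cond(lambda s: not s["x"] > s["y"])     # ((x>y)? false)
y_minus_x = assign("y", lambda s: s["y"] - s["x"])
x_minus_y = assign("x", lambda s: s["x"] - s["y"])

P8 = product(
    read("x"), read("y"),                  # line 2
    x_ne_y, x_le_y, y_minus_x,             # line 3
    x_ne_y, x_gt_y, x_minus_y,             # line 4
    x_ne_y, x_le_y, y_minus_x,             # line 5
    x_eq_y,                                # line 6
    write("x"),                            # line 7
)

def run_p8(inputs):
    # State after line 1 ("int x; int y;"): fresh x, y (0 here) and the given input stream
    return P8({"is": list(inputs), "os": [], "x": 0, "y": 0})

def closed_form(inputs):
    # The path function derived in the text: defined iff l(is) >= 2 and 5*h(is) = 3*h(t(is))
    if len(inputs) < 2 or 5 * inputs[0] != 3 * inputs[1]:
        return None
    a, b = inputs[0], inputs[1]
    return {"is": list(inputs[2:]), "os": [2 * a - b], "x": 2 * a - b, "y": 2 * b - 3 * a}
```

For the input stream (18, 30), run_p8 yields the output stream [6] and an empty input stream, and on every pair of positive inputs it agrees with closed_form, including the pairs on which both are undefined.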
Before we close this section, we give a useful rule on how to compute the product of two functions that are written in the following form (on some space S defined by two variables x and y):
$\{(s, s') \mid p(x, y) \wedge x' = E_x(x, y) \wedge y' = E_y(x, y)\}.$
Let functions $F_1$ and $F_2$ be written as:
$F_1 = \{(s, s') \mid p_1(x, y) \wedge x' = E^1_x(x, y) \wedge y' = E^1_y(x, y)\},$
$F_2 = \{(s, s') \mid p_2(x, y) \wedge x' = E^2_x(x, y) \wedge y' = E^2_y(x, y)\}.$
Then the product of functions $F_1$ and $F_2$ is given by the following formula:
$F_1 \bullet F_2 = \{(s, s') \mid p_1(x, y) \wedge p_2(E^1_x(x, y), E^1_y(x, y)) \wedge x' = E^2_x(E^1_x(x, y), E^1_y(x, y)) \wedge y' = E^2_y(E^1_x(x, y), E^1_y(x, y))\}.$
As an illustration, consider the following functions on a space S defined by integer variables x and y:
$F_1 = \{(s, s') \mid x > y \wedge x' = 2x + y \wedge y' = 2y + x\},$
$F_2 = \{(s, s') \mid x > 2y \wedge x' = 3x + 2y \wedge y' = 3y + 2x\}.$
Then the product of these two functions yields the following result:
$F_1 \bullet F_2 = \{(s, s') \mid x > y \wedge 2x + y > 2(2y + x) \wedge x' = 3(2x + y) + 2(2y + x) \wedge y' = 3(2y + x) + 2(2x + y)\}.$
After simplification, we find:
$F_1 \bullet F_2 = \{(s, s') \mid x > y \wedge y < 0 \wedge x' = 8x + 7y \wedge y' = 8y + 7x\}.$
The product of two functions takes a special, simpler form whenever one of the factors is a subset of the identity; specifically, we have
$\{(s, s') \mid q(x, y) \wedge s' = s\} \bullet \{(s, s') \mid p(x, y) \wedge x' = E_x(x, y) \wedge y' = E_y(x, y)\}$
$= \{(s, s') \mid q(x, y) \wedge p(x, y) \wedge x' = E_x(x, y) \wedge y' = E_y(x, y)\}$
and
$\{(s, s') \mid p(x, y) \wedge x' = E_x(x, y) \wedge y' = E_y(x, y)\} \bullet \{(s, s') \mid q(x, y) \wedge s' = s\}$
$= \{(s, s') \mid p(x, y) \wedge x' = E_x(x, y) \wedge y' = E_y(x, y) \wedge q(x', y')\}.$
In order to spare the reader the trouble of having to refer to the definition whenever he/she must compute the product of two functions, we present below a set of rules that streamline this process.
Computing the Product of Two Functions. We let space S be defined by two variables x and y of types X and Y, and we let F and G be defined as follows:
$F = \{(s, s') \mid f(x, y) \wedge x' = F_x(x, y) \wedge y' = F_y(x, y)\},$
$G = \{(s, s') \mid g(x, y) \wedge x' = G_x(x, y) \wedge y' = G_y(x, y)\},$
where f and g are predicates and $F_x, F_y, G_x, G_y$ are expressions that return values of the right type (X, Y, X, Y, respectively). Then, the product $F \bullet G$ can be written as:
As an illustration of this formula, we consider the product of the following functions on space S defined by natural variables n, f, and k:
• $F = \{(s, s') \mid k < n + 1 \wedge n' = n \wedge f' = f \times k \wedge k' = k + 1\}.$
• $G = \{(s, s') \mid k \leq n + 1 \wedge n' = n \wedge f' = f \times \frac{n!}{(k-1)!} \wedge k' = n + 1\}.$
Applying the proposed formula, we find the following relation:
$F \bullet G$
= {proposed formula}
$\{(s, s') \mid k < n + 1 \wedge k + 1 \leq n + 1 \wedge n' = n \wedge f' = f \times k \times \frac{n!}{((k+1)-1)!} \wedge k' = n + 1\}$
= {merging the preconditions, simplifying}
$\{(s, s') \mid k < n + 1 \wedge n' = n \wedge f' = f \times k \times \frac{n!}{k!} \wedge k' = n + 1\}$
= {because $k! = k \times (k-1)!$}
$\{(s, s') \mid k < n + 1 \wedge n' = n \wedge f' = f \times \frac{n!}{(k-1)!} \wedge k' = n + 1\}$
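The product formula for functions written in the form {(s,s') | p(x,y) ∧ x' = Ex(x,y) ∧ y' = Ey(x,y)}, applied both to the integer functions F1, F2 and to the functions F, G on n, f, k above; an added example, not the book's code, that represents each function as a pair (precondition, image expression) and checks the computed products against the simplified forms on sampled states. The names product, image, agree and the sample ranges are assumptions of this example.

```python
# Added example (not from the book): the product rule for functions of the form
# {(s,s') | p(x,y) and x' = Ex(x,y) and y' = Ey(x,y)}, represented as a pair (p, E)
# where p is the precondition and E maps a state tuple to its image tuple.
from math import factorial

def product(F1, F2):
    # F1 . F2 = {(s,s') | p1(s) and p2(E1(s)) and s' = E2(E1(s))}: substitute E1 into p2, E2
    p1, E1 = F1
    p2, E2 = F2
    return (lambda s: p1(s) and p2(E1(s)), lambda s: E2(E1(s)))

def image(F, s):
    # Image of state s under F, or None when s is outside the domain (precondition fails)
    p, E = F
    return E(s) if p(s) else None

def agree(Fa, Fb, states):
    # Two functions are equal on a sample when domains and images coincide on every state
    return all(image(Fa, s) == image(Fb, s) for s in states)

# Space defined by integer variables x and y; states are tuples (x, y)
F1 = (lambda s: s[0] > s[1], lambda s: (2 * s[0] + s[1], 2 * s[1] + s[0]))
F2 = (lambda s: s[0] > 2 * s[1], lambda s: (3 * s[0] + 2 * s[1], 3 * s[1] + 2 * s[0]))
# Simplified form of F1 . F2 given in the text
F1F2_simplified = (lambda s: s[0] > s[1] and s[1] < 0,
                   lambda s: (8 * s[0] + 7 * s[1], 8 * s[1] + 7 * s[0]))

# Space defined by natural variables n, f, k; states are tuples (n, f, k) with k >= 1
F = (lambda s: s[2] < s[0] + 1, lambda s: (s[0], s[1] * s[2], s[2] + 1))
G = (lambda s: s[2] <= s[0] + 1,
     lambda s: (s[0], s[1] * factorial(s[0]) // factorial(s[2] - 1), s[0] + 1))
# Simplified form of F . G given in the text: f' = f * n! / (k-1)!
FG_simplified = (lambda s: s[2] < s[0] + 1,
                 lambda s: (s[0], s[1] * factorial(s[0]) // factorial(s[2] - 1), s[0] + 1))

# Constructed sample states (assumption of this example) on which the products are checked
XY_SAMPLE = [(x, y) for x in range(-10, 11) for y in range(-10, 11)]
NFK_SAMPLE = [(n, f, k) for n in range(0, 7) for f in (1, 2) for k in range(1, n + 3)]
```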