Laws of Programming
Table of Contents
1 Laws of Programming
‘Universally true’ and ‘Stronger Than’
Strengthening laws
Monotonicity Laws
Skip laws
Assignment laws
Erasure laws
Erasure law for skip
Erasure law for assignment
The forward substitution law
Example:
Example:
Example: Swap
Backward Substitution
Alternation law
Example: Find the minimum
While law (incomplete version)
(c) Theodore Norvell, adapted by Reza Shahidi
Advanced Computing Concepts for Engineering, 2024 Slide Set 0-3. Derivation.
Laws of Programming
‘Universally true’ and ‘Stronger Than’
We will look at various general laws that are helpful in deriving
programs.
If a boolean expression A is true regardless of the values of its
free variables, it is said to be universally true.
Here are some examples of universally true expressions:
true
x≥x
x + 42 > x
x ∈ {x , y , z }
p∧q ⇒p
A boolean expression B is considered to be stronger than a
boolean expression A if
B ⇒ A is universally true
For example
0<x<y
is stronger than
0≤x≤y
If A is stronger than B, we say B is weaker than A.
Some examples
A is stronger than A ∨ B
A is stronger than B ⇒ A
A ∧ B is stronger than A
Strengthening laws
Monotonicity properties: If B is stronger than A then
B ∧ C is stronger than A ∧ C
B ∨ C is stronger than A ∨ C
C ⇒ B is stronger than C ⇒ A
Anti-monotonicity properties: If B is stronger than A then
¬A is stronger than ¬B
A ⇒ C is stronger than B ⇒ C
(Perhaps we should say “stronger than or the same as”, but this
is a mouthful.)
The strengthening law says: If B is stronger than A then
⟨A⟩ ⊑ ⟨B⟩
Some examples
⟨A ∨ B⟩ ⊑ ⟨A⟩
⟨B ⇒ A⟩ ⊑ ⟨A⟩
⟨A⟩ ⊑ ⟨A ∧ B⟩
Monotonicity properties: If ⟨A⟩ ⊑ ⟨B⟩ then
⟨A ∧ C⟩ ⊑ ⟨B ∧ C⟩
⟨A ∨ C⟩ ⊑ ⟨B ∨ C⟩
⟨C ⇒ A⟩ ⊑ ⟨C ⇒ B⟩
Anti-monotonicity properties: If ⟨A⟩ ⊑ ⟨B⟩ then
⟨¬B⟩ ⊑ ⟨¬A⟩
⟨B ⇒ C⟩ ⊑ ⟨A ⇒ C⟩
Monotonicity Laws
With the natural numbers, N, the operations of addition and
multiplication are monotonic with respect to ≤: For example, if
p , q, and r are natural numbers, then if p ≤ q, we have
p + r ≤ q + r and p · r ≤ q · r .
Similarly we can say that our programming operators are
monotonic with respect to refinement.
In particular, if f , g , and h are specifications such that f ⊑ g , we
have
f ∧ h ⊑ g ∧ h
f ∨ h ⊑ g ∨ h
h ⇒ f ⊑ h ⇒ g
f ; h ⊑ g; h
h; f ⊑ h; g
if A then f else h ⊑ if A then g else h
if A then h else f ⊑ if A then h else g
while A do f ⊑ while A do g
Assignment laws
The following laws follow from the definition of skip and the
strengthening laws
x′ = x ⊑ skip
x′ = x ∧ y′ = y ⊑ skip
x′ = x ∧ y′ = y ∧ z′ = z ⊑ skip
The following laws follow from the definition of assignment and
the strengthening law
x′ = E ⊑ x := E
x′ = E ∧ y′ = y ⊑ x := E
x′ = E ∧ y′ = y ∧ z′ = z ⊑ x := E
Erasure laws
The above laws for skip and assignment can be generalized.
Consider x′ ≥ x; this is weaker than x′ = x, so we have
x′ ≥ x ⊑ x′ = x ⊑ skip
More generally, any expression A will be weaker than x′ = x if
replacing every x′ in A with an x gives a universally true
expression. (This is the one-point law.)
We’ll use the notation $\widetilde{A}$ to mean the expression A with all
primes removed.
E.g. $\widetilde{x' \ge x}$ is x ≥ x.
In general we have an
Erasure law for skip. ⟨A⟩ ⊑ skip exactly if $\widetilde{A}$ is universally
true.
Example: ⟨x > 0 ⇒ x′ ≥ 0⟩ ⊑ skip since x > 0 ⇒ x ≥ 0 is
universally true.
Consider a state space with integer variables x and y. We have
x′ = x + 42 ∧ y′ = y
stronger than
x′ > x ∧ y′ ≥ y
since x + 42 > x ∧ y ≥ y is universally true.
In general we have the following
Erasure law for assignment. ⟨A⟩ ⊑ V := E exactly if $\widetilde{A[V' : E]}$
is universally true.
Example: ⟨x′ = x ∧ y′ = t⟩ ⊑ y := t since (x′ = x ∧ y′ = t)[y′ : t]
is x′ = x ∧ t = t and since $\widetilde{x' = x \wedge t = t}$ is x = x ∧ t = t, which is
universally true.
Example: ⟨x′ = y ∧ y′ = x⟩ ⊑ x, y := y, x since
(x′ = y ∧ y′ = x)[x′, y′ : y, x] is y = y ∧ x = x, which is universally
true.
The forward substitution law
The following forward substitution law is very useful for
introducing assignment statements into programs
The forward substitution law ⟨A[V : E]⟩ = (V := E; ⟨A⟩)
Consider refining ⟨x′ = 3x + 42 ∧ y′ = 3x + 41⟩
⟨x′ = 3x + 42 ∧ y′ = 3x + 41⟩
⊑ “rewrite 41 as 42 − 1”
⟨x′ = 3x + 42 ∧ y′ = 3x + 42 − 1⟩
⊑ “forward substitution”
x := 3x + 42; ⟨x′ = x ∧ y′ = x − 1⟩
We can use parallel assignment. Consider
$g = \langle i \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
Then
$\langle i + 1 \le n \Rightarrow s' = s + a(i) + \sum_{k \in \{i+1,..n\}} a(k) \rangle$
= Substitution law
i, s := i + 1, s + a(i); g
Consider the following specification
x′ = y ∧ y′ = x
We will assume that multiple assignments are not allowed.
We’ll also assume that there is a variable t of appropriate type.
Can we derive a sequential composition of single assignments
that does the job?
x′ = y ∧ y′ = x
= Forward substitution
t := x; x′ = y ∧ y′ = t
= Forward substitution
t := x; x := y; x′ = x ∧ y′ = t
⊑ Erasure law for assignment
t := x; x := y; y := t
Note how the last step also uses a monotonicity law. We
generally won’t call attention to uses of monotonicity laws. They
are used implicitly.
Backward Substitution
We can also introduce an assignment as the final statement,
using the backward substitution law.
Let E′ be an expression identical to E except with a prime
added to each variable.
The backward substitution law ⟨A⟩ ⊑ (⟨A[V′ : E′ ]⟩ ; V := E)
Example. Consider swapping again. Again, we’ll assume there
is a variable t that we can use.
x′ = y ∧ y′ = x
⊑ “Backward substitution”
x′ = y ∧ t′ = x; y := t
⊑ “Backward substitution”
y′ = y ∧ t′ = x; x := y; y := t
⊑ “Erasure law”
t := x; x := y; y := t
Example: Find the minimum
Once we have checked a condition, it can become a
precondition. This idea is captured in the alternation law
f = if A then (⟨A⟩ ⇒ f ) else (¬ ⟨A⟩ ⇒ f )
We know that
min(a , b ) = a , if a ≤ b (1)
min(a , b ) = b , if b ≤ a (2)
Suppose we wish to implement
f = a ′ = min(a , b )
f
= Alternation law
if a ≤ b then (⟨a ≤ b ⟩ ⇒ f ) else (⟨a > b ⟩ ⇒ f )
We can implement the first case as follows
⟨a ≤ b ⟩ ⇒ f
= Defn of f
a ≤ b ⇒ a ′ = min(a , b )
= By (1)
a ≤ b ⇒ a′ = a
⊑ Erasure law
skip
The second case is implemented by
⟨a > b⟩ ⇒ f
= Defn of f
⟨a > b ⇒ a′ = min(a, b)⟩
⊑ Strengthening
⟨a ≥ b ⇒ a′ = min(a, b)⟩
= (2)
a ≥ b ⇒ a′ = b
⊑ Erasure law
a := b
Now we have
f
= Alternation law
if a ≤ b then (⟨a ≤ b ⟩ ⇒ f ) else (⟨a > b ⟩ ⇒ f )
⊑ Above results
if a ≤ b then skip else a := b
Summation of an array
One property of the while loop is the following. Let
w = while A do h
then
w = if A then (h ; w ) else skip
While law (incomplete version): For any g , h , and A, such
that ..., if
g ⊑ if A then (h ; g ) else skip ,
then
g ⊑ while A do h
[Later we will complete this law (fill in the “...”) with additional
conditions that ensure it is valid. In the meantime we will
blithely ignore the “such that ...”.]
For this problem, we calculate the sum of all the elements in an
array of integers a of size n (a natural number)
$f = \langle s' = \sum_{k \in \{0,..n\}} a(k) \rangle$
We’ll assume a natural number variable i is in the state space.
The strategy is to find a generalization of the problem g that
can serve as the specification of a loop:
f
⊑ Substitution law
i , s := 0, 0 ; g
where
$g = \langle i \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
Now the problem remaining is to derive a program for g .
In the case where i = n the problem is easy to solve
g
⊑
if i ≠ n
then ⟨i ≠ n⟩ ⇒ g
else ⟨i = n⟩ ⇒ g
Tackling the second problem first we have
$\langle i = n \Rightarrow i \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
= One point law
$\langle i = n \Rightarrow n \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
= Since n ≤ n is true and true ⇒ p is p
$\langle i = n \Rightarrow s' = s + \sum_{k \in \{n,..n\}} a(k) \rangle$
= Since {n, ..n} = ∅
$\langle i = n \Rightarrow s' = s + \sum_{k \in \emptyset} a(k) \rangle$
= The sum over an empty set is 0
i = n ⇒ s′ = s
⊑ Erasure law
skip
In the second case
$\langle i \ne n \Rightarrow i \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
= Shunting
$\langle i \ne n \wedge i \le n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
= Simplify
$\langle i < n \Rightarrow s' = s + \sum_{k \in \{i,..n\}} a(k) \rangle$
= If i < n we can rewrite {i, ..n} as {i} ∪ {i + 1, ..n}
$\langle i < n \Rightarrow s' = s + \sum_{k \in \{i\} \cup \{i+1,..n\}} a(k) \rangle$
= Split the summation
$\langle i < n \Rightarrow s' = s + a(i) + \sum_{k \in \{i+1,..n\}} a(k) \rangle$
= Rewrite the antecedent
$\langle i + 1 \le n \Rightarrow s' = s + a(i) + \sum_{k \in \{i+1,..n\}} a(k) \rangle$
= Substitution law
i, s := i + 1, s + a(i); g
Putting these results together (with monotonicity) we get that
g
⊑
if i ≠ n
then ⟨i ≠ n⟩ ⇒ g
else ⟨i = n⟩ ⇒ g
⊑ Above calculations
if i ≠ n
then (i, s := i + 1, s + a(i); g)
else skip
Now we apply the while law
g ⊑ while i ≠ n do i, s := i + 1, s + a(i)
and thus (by monotonicity)
f ⊑ i, s := 0, 0;
while i ≠ n do
i, s := i + 1, s + a(i)
Greatest Common Denominator
a | b iff natural number a divides natural number b . I.e. there
exists a q ∈ N such that aq = b
The greatest common divisor of two natural numbers a and b
is a natural number gcd(a , b ) with the following properties.
gcd(a , b ) | a , for all natural numbers a , b
gcd(a , b ) | b , for all natural numbers a , b
if c | a and c | b then c | gcd(a , b ),
for all natural numbers a , b , c
From these properties we can derive the following facts (proof
left as exercise)
gcd(a, 0) = a, (3)
for all natural numbers a, where a ≠ 0
gcd(a, b) = gcd(b, a mod b), (4)
for all natural numbers a, b where b ≠ 0
g = a ≠ 0 ∨ b ≠ 0 ⇒ a′ = gcd(a, b)
g
= Alternation
if b ≠ 0
then ⟨b ≠ 0⟩ ⇒ g
else ⟨b = 0⟩ ⇒ g
In the second case we have (after shunting)
b = 0 ∧ (a ≠ 0 ∨ b ≠ 0) ⇒ a′ = gcd(a, b)
= One point and identity law for ∨
b = 0 ∧ a ≠ 0 ⇒ a′ = gcd(a, 0)
= Fact (3)
b = 0 ∧ a ≠ 0 ⇒ a′ = a
⊑ Erasure law for skip
skip
In the first case we have (after shunting)
b ≠ 0 ∧ (a ≠ 0 ∨ b ≠ 0) ⇒ a′ = gcd(a, b)
= Propositional logic: (p ∧ (q ∨ p)) = p
b ≠ 0 ⇒ a′ = gcd(a, b)
= Fact (4)
b ≠ 0 ⇒ a′ = gcd(b, a mod b)
⊑ Strengthening (by weakening the antecedent)
b ≠ 0 ∨ a mod b ≠ 0 ⇒ a′ = gcd(b, a mod b)
= Substitution law
a, b := b, a mod b; g
Now putting the two cases together we get
g
⊑
if b ≠ 0
then a, b := b, a mod b; g
else skip
So by the while loop law we have
g ⊑ while b ≠ 0 do a, b := b, a mod b
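The derivations in this slide set end in three programs: the swap t := x; x := y; y := t, the array-sum loop, and the gcd loop. As an added example that is not part of the slides, the Python below performs a bounded check of each refinement claim f ⊑ p: a specification is a predicate on (initial, final) states, a program is a state transformer, and the claim is checked exhaustively over a small constructed state space; a swap without a temporary is included to show the check rejecting a program that does not refine its specification. The dictionary encoding of states, the sample ranges, and the names refines and check_all are assumptions made for this example.

```python
from itertools import product

def refines(spec, prog, states):
    """f ⊑ p on a finite set of initial states: the final state prog(s)
    must satisfy spec for every initial state s (constructed, exhaustive)."""
    return all(spec(s, prog(s)) for s in states)

# Swap, derived on the slides as  t := x; x := y; y := t
def swap_spec(s, s1):                      # ⟨x' = y ∧ y' = x⟩
    return s1["x"] == s["y"] and s1["y"] == s["x"]

def swap_prog(s):
    t = s["x"]; x = s["y"]; y = t          # three single assignments
    return {"x": x, "y": y}

def bad_swap_prog(s):                      # x := y; y := x  (no temporary)
    x = s["y"]; y = x
    return {"x": x, "y": y}
# Array sum:  f ⊑ i, s := 0, 0; while i ≠ n do i, s := i + 1, s + a(i)
def sum_spec(st, st1):                     # ⟨s' = Σ_{k∈{0,..n}} a(k)⟩
    return st1["s"] == sum(st["a"])

def sum_prog(st):
    a, n = st["a"], len(st["a"])
    i, s = 0, 0
    while i != n:
        i, s = i + 1, s + a[i]
    return {"a": a, "i": i, "s": s}
# gcd:  g ⊑ while b ≠ 0 do a, b := b, a mod b
def gcd_ref(a, b):                         # largest c with c | a and c | b
    return max(c for c in range(1, max(a, b) + 1) if a % c == 0 and b % c == 0)

def gcd_spec(st, st1):                     # ⟨a ≠ 0 ∨ b ≠ 0 ⇒ a' = gcd(a, b)⟩
    a, b = st["a"], st["b"]
    return not (a != 0 or b != 0) or st1["a"] == gcd_ref(a, b)

def gcd_prog(st):
    a, b = st["a"], st["b"]
    while b != 0:
        a, b = b, a % b
    return {"a": a, "b": b}

def check_all():
    """Returns (swap ok, bad swap ok, sum ok, gcd ok) over constructed state spaces."""
    ints = range(-3, 4)
    pairs = [{"x": x, "y": y} for x, y in product(ints, ints)]
    arrays = [{"a": list(t), "i": 0, "s": 0} for n in range(4) for t in product(ints, repeat=n)]
    nats = [{"a": a, "b": b} for a, b in product(range(13), repeat=2)]
    return (refines(swap_spec, swap_prog, pairs), refines(swap_spec, bad_swap_prog, pairs),
            refines(sum_spec, sum_prog, arrays), refines(gcd_spec, gcd_prog, nats))
```

The empty array and the state a = b = 0 are included deliberately: the first exercises the i = n case of the sum derivation, the second the vacuous antecedent of g.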