Reading: Rosen 3.6 (program correctness), 2.5 (first part: integer representations)

Numbers vs Numerals

Number is an abstract idea; Numeral is an encoding of a number as a string. (Roman numerals, base-10 numerals, …). People often confuse a number with a representation of that number. When necessary add brackets and base around a numeral. (And, we'll write numbers as base-10 numerals w/o brackets…) This is the same old semantics/syntax distinction (quoting). (Also reminiscent of aliasing, in programs — you might have one object in your program, but as the program runs there might be several names for it (several variables referring to it).

How to convert? 471 = 4⋅10² + 7⋅10 + 1

What is [471]₈ ? [471]₈ = 4⋅8² + 7⋅8¹ + 1⋅8⁰ = 313

How to represent 313 in base 8? We just saw the answer, [471]₈. How to calculate this if we didn't know the answer?

313 = 4⋅64 + 57 
    = 4⋅46 + 7⋅8 + 1⋅1
    = [471]8

How to represent the number 313 in binary?

313 = 1⋅256 + 57
    = 1⋅256 + 0⋅128 + 0⋅64 + 1⋅32 + 19
    = 1⋅256 + 0⋅128 + 0⋅64 + 1⋅32 + 1⋅16 + 0⋅8 + 0⋅4 + 1⋅2 + 1⋅1
    = [100 110 011]2

Separately: Given a decimal number, how do you multiply by 10, or divide by 10? For a binary: What is [110 110 011]₂ doubled, and written (again) in binary? What is it halved, rounded down?

This observation leads to a bottom-up way of expressing (say) 41 in binary (generalizes to any base): Note that 41 is odd; what is the last digit of its binary representation? Has to be 1! And, all the other digits will be the representation of 40/2 = 20, since we can take that numeral and append a 1, to get twice 20 plus 1. Repeating the process:

     41 =                         20⋅2   + 1
        =                   (10⋅2+0)⋅2   + 1
        =                  10⋅22 + 0⋅2   + 1
        =              (5⋅2+0)⋅22 + 0⋅2   + 1
        =             5⋅23 + 0⋅22 + 0⋅2   + 1
        =        (2⋅2+1)⋅23 + 0⋅22 + 0⋅2   + 1
        =       2⋅24 + 1⋅23 + 0⋅22 + 0⋅2   + 1
        =  (1⋅2+0)⋅24 + 1⋅23 + 0⋅22 + 0⋅2   + 1
        = 1⋅25 + 0⋅24 + 1⋅23 + 0⋅22 + 0⋅2   + 1
        = 1⋅25 + 0⋅24 + 1⋅23 + 0⋅22 + 0⋅21 + 1⋅20
        = [101001]2.

• start with 41 and look for how many big powers of two it has (how many 32, how many 16s, …) and whittle down the amount left over,
or
• ask whether 41 is even/odd, write down the least-significant digit, and then recur on half our number (rounded down), prepending that sub-answer to our overal numeral.

To yourself, compare each of these algorithms in base 10.

Btw, "bit" comes from "binary digit".

Proofs about programs

;; rdigs->int: (listof real, int) → real
;; Return the number represented by d,
;; a list of digits base b, reversed.
;;
;; Test cases:
;;   (rdigs->int (list 1 7 4))   = 471   ; Using default b=10.
;;   (rdigs->int (list 1 7 4) 8) = 313
;;     ; Since for base 8,     4⋅64 + 7⋅8 + 1 = 313.
;;   
(define/opt (rdigs->int d [b 10])
  (cond [(empty? digs) 0]
        [(cons?  digs) (+ (first digs) (* b (rdigs->int (rest d) b)))]))
;
;  Note: for allowing optional arguments in scheme via "define/opt", 
;   see the teachpack-demo page,
; http://www.owlnet.rice.edu/~comp210/02fall/Handouts/teachpack-demo.shtml
; and follow the link at the bottom of the page for "optional arguments".

Let rd2i be the function: rd2i(d,b) = ∑_i=0^n-1 (d_i ⋅ bⁱ)
where n is d.length() and d = (list d₀ d₁ d₂ … d_n-1 d_n)

Proof goal: For a list of digits d, let P(d) be "(rdigs->int d b) = rd2i(d,b) = ∑_i=0^n-1 (d_i ⋅ bⁱ)" (for arbitrary b>0).
Note that we are relating program-outputs with a mathematical function.

Proof, by structural induction on d.

• case 1: d is empty; (rdigs->int empty) = 0 = ∑_i=0^-1 d_i holds.
• case 2: d is (cons d₀ r), where r = (list d₁ … d_n-1). We have:
  (rdigs->int d)
  = (+ (first d) (* b (rdigs->int (rest d)))) By code.
  = d₀ + b ⋅ rd2i((rest d)) Ind.hyp.
  = d₀ + b ⋅ ∑_i=0^(n-1)-1 d_i+1⋅bⁱ By def'n of rd2i.
  = d₀ + b ⋅ ∑_j=1^n-1 d_j ⋅b^j-1 Re-index[i/j-1].
  = d₀ + ∑_j=1^n-1d_j b^j) Distribute b.
  = d₀⋅b⁰ + ∑_j=1^n-1d_j⋅b^j) ; Mult d₀ by 1.
  = ∑_j=0^n-1 d_j⋅b^j. Sum notation.
  = rd2i(d) By def'n of rd2i.
  which is P(d), QED!

In retrospect, we could break this proof into two parts: in the math domain, show that rd2i as defined by the summation is the same as rd2i defined recursively; then in the program domain (which mirrors the recursive def'n of rd2i) we just leverage off the previous result. Thus the above could all be re-stated:

Lemma: For d a non-empty list of digits, rd2i(d) = (first d) + b⋅rd2i((rest d)). Proof of lemma:

      rd2i(d)                                           
    = ∑j=0n-1 dj⋅bj                      ; By def'n of rd2i.

    = d0⋅b0 +   ∑j=1n-1dj⋅bj             ; Sum notation.
    = d0    +   ∑j=1n-1dj⋅bj)            ; 
    = d0    + b⋅∑j=1n-1    dj  ⋅bj-1))   ; Factor out a b.
    = d0    + b⋅∑i=0(n-1)-1 di+1⋅bi))     ; Re-index[j/i+1].
    = d0    + b⋅rd2i((rest d))))        ; By def'n of rd2i.

Proof of P(d) = "rd2i(d) = (rdigs->int d)", by structural induction on d (a list of digits).

• case 1: d is empty; (rdigs->int empty) = 0 = ∑_i=0^-1d_i holds.
• case 2: d is (cons d₀ r), where r = (list d₁ … d_n-1). We have:

        (rdigs->int d) 
      = (first d) + b⋅(rdigs->int (rest d))))           ; By code.
      = (first d) + b⋅rd2i((rest d))))                  ; Ind.hyp.
      = rd2i(d)                                         ; By lemma.
  

/* rdigs->int:
 * rdigs->int: (listof real, int) → real
 * Return the number represented by d,
 * a list of digits base b, reversed.
 *
 */
real rdigs->int( (listof real) d, int b=10 ) {
  real sumSoFar ← 0;
  for (int i ← 0; i < d.length(); i ← i+1 )
    sumSoFar ← sumSoFar + (list-ref d i) * pow(b,i);
  return sumSoFar;
  }

/* Test cases:
 *   List A ← new Cons( 1, new Cons( 7, (new Cons( 4, theEmptyList))));
 *
 *   // Using default b=10:
 *   unless (rdigs->int(A) == 471)     { println("Test case 1 failed."); };
 *   // Since for base 8,     4 + 7*8 + 1*64 = 313:
 *   unless (rdigs->int(A, 8) == 289)  { println("Test case 2 failed."); };
 */

• Our loop invariant L: sumSoFar = ∑_k=0^i-1 d_k⋅b^k
• Our goal G: sumSoFar = ∑_k=0^d.length()-1 d_k⋅b^k
• Our loop-test C: 0 ≤ i < d.length().

Here's a new rule of inference requiring four premises (our "proof obligation"):

• L holds initially (precondition)
• L∧C → L′ (loop invariant maintained)
• L∧¬C → G (correctness)
• ¬C will eventually hold. (termination)

Lemma: d = d′; b = b′.
Corollary: d.length() = d′.length(); d.i = d′.i for all i

Show:

• (0) [precondition] Check.
• (1) [loop invariant maintained]

  Suppose L ∧ C: That is, we know sumSoFar = ∑_k=0^i-1 d_k⋅b^k i ≤ d.length(); (L is sometimes called the "loop hypothesis", analagous to "inductive hyp.") Then:

         sumSoFar′ = sumSoFar + di⋅bi 
                   = ∑k=0i-1 dk⋅bk + di⋅bi
                   = ∑k=0i dk⋅bk;
                   = ∑k=0i′-1 dk⋅bk;
  

  which is exactly L′, like we want. [Hmm, we didn't actually ever use C at all, oh well.]

• (2)

  [correctness] L∧¬C → G If ¬C, then &lnot;(i < d.length()), so i = d.length(), and so L = G, voila.

  Hmmm, wait a sec — how did we have i = d.length()? ¬C Only gives us i≥d.length() instead of equality, and we don't have any actual previous-fact to cite to conclude i = d.length()!

  We want to exclaim "but of course i=d.length(); it starts at 0 and we stop as soon as we hit d.length()!" Well, if it's so clearly true, maybe we should deign to mention the fact. Let's make our loop invariant stronger — make it L∧L₂, where L₂="i≤d.length()".

  Now, correctness is easy — out of (L ∧ L₂) ∧ ¬C, L₂∧¬C gives us i=d.length(); that and L gives us G.

  Of course, having boosted our loop invariant, we need to go back and show that (0) L₂ is also true as a precondition, and that (1) it's maintained. This is pretty easy (and as a matter of fact, in (1) we now need to appeal to C holding). Also, it requires knowing that length() always returns a non-negative value (which presumably you'd do by looking at that code and proving about it).

• (3)

  [termination] Initially i=0, and increases by a constant at each iteration, thus it will eventually become greater than d.length(). [This is a standard math th'm; provable by a variant of induction (though if that constant isn't an integer, you need to be a bit clever about the induction).]

When writing proofs, it's not unusual to discover snags, and need to go back and patch them up; your first write-up is rarely your last. You're encouraged to write up your proofs in a word processor, to avoid having to re-copy your homework.

The Structure of Loop Proofs

Reflecting a moment, on the style of proof: Programs that respect the intrinsic structural definition of their data (the "natural recursion" of Comp210) are amenable to proofs by induction. Programs which need to change state are harder to reason about (partly because our mathematics doesn't naturally reaon about time and state (change-over-time). Especially when the state is spread out over different functions (and if a function doesn't document what state it's modifying, things are bleak indeed). Such code is not only harder to reason about, it tends to be far more bug-prone.

A good programmer is aware of when a functional (state-free) approach is good, and when keeping state is appropriate; this is an important distinction you probably didn't realize you were learning in Comp210/How to Design Programs.

Just as the purpose of loop constructs is to provide a high-level way of separating ``do a task once'' from ``repeat the task as needed'', our proof framework is separating ``show that one iteration is correct'' from ``show that it's repeated as needed''. Our proof structure is reflecting the structure of the underlying program. Like induction, it gives us a rule of inference so that we don't have arguments which include a hand-wavy ``dot dot dot'' or ``and hey this keeps repeating until gee it must be giving the right answer''.

When to use primes?

If x is a variable in the program loop, our proof's ``x'' is the value at the start of the loop body. The primed version x′ is the value at the end of the loop body. When we talk of L′, we mean ``the statement like L, but with all variables primed''. In particular, our loop invariant L never mentions primed variables — it is the proof framework where we consider both L and L′.

More examples: The other direction

;; int->rdigs: integer, [int] → (listof int)
;; Return a list of digits base b, reversed.
;;
(define/opt (int->rdigs n [b 10])
  (cond [(zero?     n) empty]
        [(positive? n) (cons (remainder n b) (int->rdigs (quotient n b) b))]))

; Test cases:
;
(int->rdigs 471)   = (list 1 7 4)     ; Using default b=10.
(int->rdigs 289 8) = (list 1 7 4)
  ; Since for base 8,     4 + 7⋅8 + 1⋅64 = 289.
  ; (Hmm, 289 = 172 and 22 = 4, hmm 1,7,4… Numerology is real!)

Prove: rd2i((int->rdigs n b), b) = n.
Proof by strong induction(*) on n:

• base case, n=0: Check.
• inductive step, n>0
  which can be expressed n=b⋅m+j, where 0≤j<b and 0≤m<n; note that (remainder n b) = j and (quotient n b) = m.

        rd2i((int->rdigs n))
      = rd2i((cons (remainder n b) (int->rdigs (quotient n b) b)))   ; By code.
      = (remainder n b) + b⋅rd2i((int->rdigs (quotient n b) b)))      ; Lemma above.
      = (remainder n b) + b⋅(quotient n b)                            ; Ind.Hyp.
      = n.                                                           ; Thm:Rem/Quot.
  

List int2digs( int n, int b = 10 ) {
  List soln = theEmptyList();

  while (n > 0) {
    soln ← new Cons( remainder(n,b), soln );
    n ← quotient(n,b)
    }
  return soln;
  }

List int2digs( int n, int b = 10 ) {
  List soln = theEmptyList();
  int m = n;
  int loops = 0;   // A dummy variable to help state loop invariant.
                   // Just counts how many times we've executed the loop.

  while (m > 0) {
    soln ← new Cons( remainder(m,b), soln );
    m ← quotient(m,b)
    loops ← loops + 1;
    }
  return soln;
  }

/* Test cases:
 *
 * unless ((int->rdigs(471)).equals( new Cons( 4, new Cons( 7, new Cons( 1, theEmptyList()))) )) {
 *   printf("test case failed: int->rdigs(471) == %s.", int->rdigs(471).tostring());
 *   };
 *
 * unless ((int->rdigs(471,8)).equals( new Cons( 3, new Cons( 1, new Cons( 3, theEmptyList()))) )) {
 *   printf("test case failed: int->rdigs(313) == %s.", int->rdigs(313).tostring());
 *   };
 *
 */

(define/opt (int->rdigs n [b 10])
  (local {;; help: int, (listof digits) → list-of-digits
          ;;   [What purpose statement?]
          (define (help n digsSoFar)
             (cond [(zero? n)     digsSoFar]
                   [(positive? n) (help (quotient n b)
                                        (cons (remainder n b) digsSoFar))]))}
    (help n empty)))

;; help: returns the reversed list of digits representing n (base b),
;;       appended with digsSoFar.

List int2digs( int n, int b = 10 ) {
  List digsSoFar = theEmptyList();
  int m = n;

  while (m > 0) {
    digsSoFar ← new Cons( remainder(m,b), digsSoFar );
    m ← quotient(m,b)
    }
  }

int sumFrom( int a, int b )
  sum ← 0
  i   ← a
  while (i < b)
    sum ← sum+i
    i   ← i+1
  return sum