1. Strongest postcondition rules
sp(skip, P) = P
sp(x := a, P) = v. x=a[v/x]  P[v/x]
sp(S1; S2, P) = sp(S2, sp(S1, P))
sp(if b then S1 else S2, P) = sp(S1, b  P)  sp(S2, b  P)
sp(while b do {} S, P) =   b where {b  } S {} and P  b  
Inv  ((Inv  b)  wp(S, Inv))  ((Inv  b)  Q)
Parameterized by the loop invariant Inv

2. Exponentiation prog. – prove
Background axioms:
{ } t := 0; { } res := 1; { } Inv = { } while (t < y) do { } { } res := res * x; { } t := t + 1; { } { } { }

3. Small array update rules (sp)
[array-loadF] { a=b } x := y[a] { x=y(b) }
In both rules v, g, and b are fresh
[array-updateF] { y=g  a=b } y[a] := x { y=g[bx] } same as [array-updateF] { y=g  a=b } y := y[ax] { y=g[bx] }

4. Rewrite assignment as function update
b[i] := a[j]

5. Calculate the postcondition 2
{ ob=b  a(j)=x  z.0z<i  ob(z)=x } b := b[ia(j)] { }

6. Array-max program – specify
nums : array N : int // N stands for num’s length { N0  nums=orig_nums } x := 0 res := nums[0] Inv = { } while x < N if nums[x] > res then res := nums[x] x := x + 1
{ x=N }
{ m. (m0  m<N)  nums(m)res }
{ m. m0  m<N  nums(m)=res }
{ nums=orig_nums }

7. Array-max program – specify
nums : array N : int // N stands for num’s length { N0 } x := 0 res := nums[0] while x < N if nums[x] > res then res := nums[x] x := x + 1

8. Total correctness semantics for While
[ P[a/x] ] x := a [ P ]
[assp]
[ P ] skip [ P ]
[skipp]
[ P ] S1 [ Q ], [ Q ] S2 [ R ] [ P ] S1; S2 [ R ]
[compp]
[ b  P ] S1 [ Q ], [ b  P ] S2 [ Q ] [ P ] if b then S1 else S2 [ Q ]
[ifp]
[whilep]
[ b  P  t=k ] S [ P  t<k ] [ P ] while b do S [ b  P ]
P  t0
[ P’ ] S [ Q’ ] [ P ] S [ Q ]
[consp]
if PP’ and Q’Q

9. Two counters
[ ] b := 0; Variant = [ ] while (x0  y0) do b := 1−b; if (b) x := x−1 else y := y−1 [ true ]

10. Slow countdown: find variant
[ true ] flag := 0; Variant = [ ] while (x>0) do flag := 1−flag; if flag=0 then x := x−1
[ true ]