
A bs Derivation

Kai Engelhardt
April 28, 2017

1 Introduction

In this short note we're going to derive a recursive implementation of binary search on
arrays of integers. The purpose of this note is not only to demonstrate how to do the
derivation but also, by publishing the LaTeX source, to aid students in typesetting such a
derivation.
This particular version of binary search is supposed to return −1 if the item we're
looking for is not in the array, and the index of a position of the item if it is.

2 The Derivation

We start with a specification of the procedure bs. Special care was taken with the ranges of the
left and right boundaries $l$ and $r$ to ensure that recursive calls satisfy the precondition.

$\mathbf{proc}\ bs(\mathbf{value}\ a,\ \mathbf{value}\ N,\ \mathbf{value}\ v,\ \mathbf{value}\ l,\ \mathbf{value}\ r,\ \mathbf{result}\ p)\ \cdot$
\[
a, N, v, l, r, p : \left[\begin{array}{l}
l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1]),\\[2pt]
(a_0[p] = v_0 \wedge p \in l_0..r_0) \vee (p = -1 \wedge \forall x \in l_0..r_0\ (a_0[x] \ne v_0))
\end{array}\right] \tag{1}
\]

$(1) \sqsubseteq \langle\text{c-frame}\rangle$
\[
p : \left[\begin{array}{l}
l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1]),\\[2pt]
(a[p] = v \wedge p \in l..r) \vee (p = -1 \wedge \forall x \in l..r\ (a[x] \ne v))
\end{array}\right] \tag{2}
\]

$\sqsubseteq \langle\text{if}\rangle$
  if $l = r+1$
  then $p : [\,l = r+1 \wedge \mathit{pre}(2),\ \mathit{post}(2)\,]$   (3)
  else $p : [\,l \ne r+1 \wedge \mathit{pre}(2),\ \mathit{post}(2)\,]$   (4)
  fi
$(3) \sqsubseteq \langle\text{ass, justified below in Sect. 2.1}\rangle$
  $p := -1$
$(4) \sqsubseteq \langle\text{if}\rangle$
  if $a[(r+l)/2] = v$
  then $p : [\,a[(r+l)/2] = v \wedge \mathit{pre}(4),\ \mathit{post}(4)\,]$   (5)
  else $p : [\,a[(r+l)/2] \ne v \wedge \mathit{pre}(4),\ \mathit{post}(4)\,]$   (6)
  fi
$(5) \sqsubseteq \langle\text{ass, justified below in Sect. 2.2}\rangle$
  $p := (r+l)/2$
$(6) \sqsubseteq \langle\text{if}\rangle$
  if $a[(r+l)/2] < v$
  then $p : [\,a[(r+l)/2] < v \wedge \mathit{pre}(6),\ \mathit{post}(6)\,]$   (7)
  else $p : [\,a[(r+l)/2] \not< v \wedge \mathit{pre}(6),\ \mathit{post}(6)\,]$   (8)
  fi
$(7) \sqsubseteq \langle\text{s-post, justified below in Sect. 2.3}\rangle$
  $p : [\,\mathit{pre}(7),\ (\mathit{post}(2))[{}^{(r+l)/2+1}/_{l}]\,]$
$\sqsubseteq \langle\text{w-pre, justified below in Sect. 2.4}\rangle$
  $p : [\,(\mathit{pre}(1))[{}^{(r+l)/2+1}/_{l}],\ (\mathit{post}(2))[{}^{(r+l)/2+1}/_{l}]\,]$
$\sqsubseteq \langle\text{proc}\rangle$
  $bs(a, N, v, (r+l)/2 + 1, r, p)$
$(8) \sqsubseteq \langle\text{s-post, justified below in Sect. 2.5}\rangle$
  $p : [\,\mathit{pre}(8),\ (\mathit{post}(2))[{}^{(r+l)/2-1}/_{r}]\,]$
$\sqsubseteq \langle\text{w-pre, justified below in Sect. 2.6}\rangle$
  $p : [\,(\mathit{pre}(1))[{}^{(r+l)/2-1}/_{r}],\ (\mathit{post}(2))[{}^{(r+l)/2-1}/_{r}]\,]$
$\sqsubseteq \langle\text{proc}\rangle$
  $bs(a, N, v, l, (r+l)/2 - 1, p)$
We gather the code for the procedure body of bs:
if l = r + 1
then p := −1
else if a[(r+l)/2] = v
then p := (r+l)/2
else if a[(r+l)/2] < v
then bs(a, N, v, (r+l)/2 + 1, r, p)
else bs(a, N, v, l, (r+l)/2 − 1, p)
fi
fi
fi
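The gathered body, run as a program and checked against specification (1). This is an added Python example, not code from Engelhardt's note; it assumes that the note's $(r+l)/2$ is integer division and replaces the result parameter $p$ by a return value. `pre` and `post` transcribe $\mathit{pre}(1)$ and $\mathit{post}(1)$, and `check_spec` enumerates every sorted array over a small constructed value set together with every $l, r$ admitted by the precondition.

```python
# Added example (not from Engelhardt's note): the gathered body of bs as
# executable Python, together with pre(1) and post(1) as predicates so the
# specification can be checked on small inputs. Assumptions: (r+l)/2 is
# integer division, and the result parameter p becomes a return value.

def pre(a, N, v, l, r):
    """pre(1): l in 0..N, r in -1..N-1, l <= r+1, and a[0..N-1] is sorted."""
    return (0 <= l <= N and -1 <= r <= N - 1 and l <= r + 1
            and all(a[i] <= a[i + 1] for i in range(N - 1)))

def post(a, N, v, l, r, p):
    """post(1): a, v, l, r are value parameters, so their initial values are
    the current ones. The range test comes first so p = -1 never indexes a."""
    found = (l <= p <= r) and a[p] == v
    absent = p == -1 and all(a[x] != v for x in range(l, r + 1))
    return found or absent

def bs(a, N, v, l, r):
    """The procedure body derived in Sect. 2, with p returned."""
    if l == r + 1:
        return -1
    m = (r + l) // 2              # the note's (r+l)/2; l <= m <= r whenever l <= r
    if a[m] == v:
        return m
    if a[m] < v:
        return bs(a, N, v, m + 1, r)
    return bs(a, N, v, l, m - 1)

def check_spec(max_N=5, values=(0, 1, 2)):
    """Exhaustive check that pre(a, N, v, l, r) implies post(a, N, v, l, r, bs(...))
    for every sorted array of length <= max_N over `values`, every v in `values`
    and every (l, r) in the ranges named by pre(1). Returns the number of
    states checked; raises AssertionError on the first violation."""
    from itertools import combinations_with_replacement
    checked = 0
    for N in range(max_N + 1):
        # combinations_with_replacement yields each multiset once, in sorted order
        for a in combinations_with_replacement(values, N):
            a = list(a)
            for v in values:
                for l in range(0, N + 1):
                    for r in range(-1, N):
                        if not pre(a, N, v, l, r):
                            continue
                        p = bs(a, N, v, l, r)
                        assert post(a, N, v, l, r, p), (a, N, v, l, r, p)
                        checked += 1
    return checked

if __name__ == "__main__":
    # Constructed sample: a sorted array, a present item and an absent one.
    sample = [1, 3, 5, 7, 9]
    print(bs(sample, 5, 7, 0, 4))    # 3
    print(bs(sample, 5, 4, 0, 4))    # -1
    print("states checked:", check_spec())
```

The derivation is carried out over unbounded integers, which Python's `int` matches. In a fixed-width language the sum $r+l$ can overflow for large indices, so an implementation there should compute the midpoint as $l + (r-l)/2$; the reasoning $l \le (r+l)/2 \le r$ used in Sect. 2.2 is otherwise unchanged.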

2.1 Proof of $(3) \sqsubseteq p := -1$

We need to prove validity of
\[
p = p_0 \wedge l = r+1 \wedge \mathit{pre}(2) \Rightarrow (\mathit{post}(2))[{}^{-1}/_{p}]
\]
i.e., the prerequisite of the relevant instance of ass. Expanding the definitions and
performing the substitution yields
\[
\begin{array}{l}
p = p_0 \wedge l = r+1 \wedge l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1]) \Rightarrow\\[2pt]
(a[-1] = v \wedge -1 \in l..r) \vee (-1 = -1 \wedge \forall x \in l..r\ (a[x] \ne v))
\end{array}
\]

Clearly, we should establish the second disjunct of the RHS. Its first conjunct is obviously
true. And the second is vacuously true once we take the second conjunct of the LHS,
l = r + 1, into account, since that means that the range l..r is empty.

2.2 Proof of $(5) \sqsubseteq p := (r+l)/2$

We need to prove validity of
\[
p = p_0 \wedge \mathit{pre}(5) \Rightarrow (\mathit{post}(5))[{}^{(r+l)/2}/_{p}]
\]
i.e., the prerequisite of the relevant instance of ass. Expanding the definitions and
performing the substitution yields
\[
\begin{array}{l}
p = p_0 \wedge a[(r+l)/2] = v \wedge l \ne r+1 \wedge{}\\[2pt]
l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1]) \Rightarrow\\[2pt]
(a[(r+l)/2] = v \wedge (r+l)/2 \in l..r) \vee ((r+l)/2 = -1 \wedge \forall x \in l..r\ (a[x] \ne v)).
\end{array}
\]

This time, we should establish the first disjunct of the RHS. The first conjunct of that
is also the second conjunct in the LHS. Combining the LHS conjuncts l 6= r + 1 and
l ≤ r + 1 we obtain l ≤ r and hence l ≤ (r+l)/2 ≤ r—the second conjunct we’re trying to
establish.

2.3 Proof of $\mathit{pre}(7) \wedge (\mathit{post}(2))[{}^{(r+l)/2+1}/_{l}] \Rightarrow \mathit{post}(7)$

Expanding the definitions and performing the substitution yields
\[
\begin{array}{l}
a[(r+l)/2] < v \wedge a[(r+l)/2] \ne v \wedge l \ne r+1 \wedge{}\\[2pt]
l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1]) \wedge{}\\[2pt]
((a[p] = v \wedge p \in ((r+l)/2+1)..r) \vee (p = -1 \wedge \forall x \in ((r+l)/2+1)..r\ (a[x] \ne v)))\\[2pt]
\Rightarrow\ (a[p] = v \wedge p \in l..r) \vee (p = -1 \wedge \forall x \in l..r\ (a[x] \ne v))
\end{array}
\]

According to the third line of the LHS, there are two cases to consider:

1. $a[p] = v \wedge p \in ((r+l)/2+1)..r$: the first disjunct of the RHS follows immediately.

2. p = −1 ∧ ∀x ∈ ((r+l)/2 + 1)..r (a[x] 6= v): we prove the second disjunct of the RHS.
Its first conjunct is part of this case. The second is marginally trickier. To see that
the larger subrange of a does not contain v, we consult the conjuncts a[(r+l)/2] < v
and s 0 ed (a[0..N − 1]) of the LHS. Those together imply that v cannot be found in
a[l..(r+l)/2].

2.4 Proof of $\mathit{pre}(7) \Rightarrow (\mathit{pre}(1))[{}^{(r+l)/2+1}/_{l}]$

Expanding the definitions and performing the substitution yields
\[
\begin{array}{l}
a[(r+l)/2] < v \wedge a[(r+l)/2] \ne v \wedge l \ne r+1 \wedge{}\\[2pt]
l \in 0..N \wedge r \in -1..N-1 \wedge l \le r+1 \wedge \mathit{sorted}(a[0..N-1])\\[2pt]
\Rightarrow\ (r+l)/2+1 \in 0..N \wedge r \in -1..N-1 \wedge (r+l)/2+1 \le r+1 \wedge \mathit{sorted}(a[0..N-1])
\end{array}
\]

The RHS conjuncts $r \in -1..N-1$ and $\mathit{sorted}(a[0..N-1])$ are unaffected by the substitution and
are already conjuncts of the LHS. The remaining LHS conjuncts imply $r, l \in 0..N-1$ and $l \le r$,
which is sufficient to ensure the two RHS conjuncts in which $l$ was substituted.
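The proof obligations of Sects. 2.1 to 2.4, checked by exhaustive enumeration over a small domain. This is an added Python example and not part of the note: `pre1` and `post2` transcribe $\mathit{pre}(1)$ and $\mathit{post}(2)$, each `vc_*` function is one of the implications above with its free variables supplied by the `states` generator, and `counterexample_without_sortedness` is a constructed experiment that drops the $\mathit{sorted}(a[0..N-1])$ conjunct relied on in Sect. 2.3 and finds a state in which that obligation fails.

```python
# Added example (not from Engelhardt's note): the proof obligations of
# Sects. 2.1-2.4 checked by brute force over small integer arrays.
from itertools import combinations_with_replacement, product

VALUES = (0, 1, 2)   # constructed value domain for array elements and v

def pre1(a, N, l, r):
    """pre(1) minus sortedness; states() generates sorted arrays unless told otherwise."""
    return 0 <= l <= N and -1 <= r <= N - 1 and l <= r + 1

def post2(a, v, l, r, p):
    """post(2): p is a position of v within l..r, or p = -1 and v is absent from a[l..r]."""
    return ((l <= p <= r and a[p] == v)
            or (p == -1 and all(a[x] != v for x in range(l, r + 1))))

def states(max_N, sorted_only=True):
    """Every (a, N, v, l, r) with len(a) = N <= max_N over VALUES; each VC applies pre(1) itself."""
    for N in range(max_N + 1):
        arrays = (combinations_with_replacement(VALUES, N) if sorted_only
                  else product(VALUES, repeat=N))
        for a in arrays:
            for v, l, r in product(VALUES, range(0, N + 1), range(-1, N)):
                yield list(a), N, v, l, r

def vc_2_1(a, N, v, l, r):
    """Sect. 2.1: l = r+1 and pre(2) imply (post(2))[-1/p]; p = p_0 plays no role."""
    return not (pre1(a, N, l, r) and l == r + 1) or post2(a, v, l, r, -1)

def vc_2_2(a, N, v, l, r):
    """Sect. 2.2: pre(5) implies (post(5))[(r+l)/2 / p]."""
    m = (r + l) // 2
    # l != r+1 is tested before a[m] so that m lies in 0..N-1 when a is indexed
    pre5 = pre1(a, N, l, r) and l != r + 1 and a[m] == v
    return not pre5 or post2(a, v, l, r, m)

def pre7(a, N, v, l, r):
    """pre(7): the guards of the three nested ifs together with pre(2)."""
    m = (r + l) // 2
    return pre1(a, N, l, r) and l != r + 1 and a[m] != v and a[m] < v

def vc_2_3(a, N, v, l, r):
    """Sect. 2.3: pre(7) and (post(2))[(r+l)/2+1 / l] imply post(7), for every p."""
    if not pre7(a, N, v, l, r):
        return True
    m = (r + l) // 2
    # any p outside -1..N-1 falsifies the antecedent, so this range is exhaustive
    return all(not post2(a, v, m + 1, r, p) or post2(a, v, l, r, p)
               for p in range(-1, N))

def vc_2_4(a, N, v, l, r):
    """Sect. 2.4: pre(7) implies (pre(1))[(r+l)/2+1 / l]."""
    return not pre7(a, N, v, l, r) or pre1(a, N, (r + l) // 2 + 1, r)

def check_all(max_N=5):
    """Map each obligation to True iff it holds for every state with a sorted array."""
    vcs = {"2.1": vc_2_1, "2.2": vc_2_2, "2.3": vc_2_3, "2.4": vc_2_4}
    return {name: all(vc(*s) for s in states(max_N)) for name, vc in vcs.items()}

def counterexample_without_sortedness(max_N=3):
    """Constructed experiment: drop sorted(a[0..N-1]) from the hypotheses of 2.3
    by admitting unsorted arrays, and return the first violating (a, N, v, l, r),
    or None if there is none."""
    for s in states(max_N, sorted_only=False):
        if not vc_2_3(*s):
            return s
    return None

if __name__ == "__main__":
    print(check_all())
    print(counterexample_without_sortedness())
```

With sortedness in place every obligation holds on the whole enumerated domain; without it, the search returns an unsorted array in which the recursive call on the upper half reports $-1$ although $v$ sits in $a[l..(r+l)/2]$, which is exactly the case the argument in Sect. 2.3 rules out with the conjuncts $a[(r+l)/2] < v$ and $\mathit{sorted}(a[0..N-1])$.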

2.5 Proof of $\mathit{pre}(8) \wedge (\mathit{post}(2))[{}^{(r+l)/2-1}/_{r}] \Rightarrow \mathit{post}(8)$

etc.

2.6 Proof of $\mathit{pre}(8) \Rightarrow (\mathit{pre}(1))[{}^{(r+l)/2-1}/_{r}]$

etc.
