CMPSCI 250 Discussion #1: What Is A Proof?

David Mix Barrington

13/15 September 2004

Solution for this discussion:

Here is an example of a Java method that is supposed to get some integers from the user until it sees a Control-D:

public static int sumInts ( )
   // Reads ints from, one per line, until a line with Control-D.
   // Returns sum of integers read.
   int soFar = 0;
   String thisLine;
   // Java stuff necessary to read from
      BufferedReader br = new BufferedReader (new InputStreamReader (;

      ("Enter integers, one per line, then Control-D:");
   while ( (thisLine = br.readLine()) != null) {
      soFar += Integer.parseInt (thisLine);}
   return soFar;}

What does it mean for this code to be ``correct''? We would like to be sure that if the user does the right thing (inputs the integers as requested), the method will return the correct value. In general we can say what we want from the code by giving preconditions and postconditions. A precondition is a statement that should be true before the code is executed --- here it is ``the user inputs zero or more integers, one per line, followed by a blank line''. A postcondition is something that should be true after the code is executed if the preconditions were met. Here our postcondition is ``the returned value is the sum of the given integers''. We define the code to be partially correct if the postconditions must always be true after execution whenever the preconditions were true before. (So partial correctness says nothing about how to handle erroneous input, for example, unless the preconditions and postconditions say how to do so.)

How could we be sure that this code is correct? Coding mistakes are easy to make, and even if the compiler finds no syntax errors there could be subtle errors of logic. We could test the code on sample inputs, but some errors might cause bad behavior only on rare inputs that we didn't think to test (and in most cases we could never test all the relevant inputs).

What we need is a formal argument --- a proof! We want to show how the statement of partial correctness follows logically from things that we can assume to be true. The things we can assume are the basic properties of the language and the library procedures. For example, if the user does input an integer, the properties of readLine and Integer.parseInt can tell us how that integer will go from the input device into the value of some variable in our program.

Writing Exercise:

  1. Formulate a useful loop invariant for the code above -- a statement that should be true just before the test of the while loop each time. Explain why if your invariant holds when the while loop exits, the desired postcondition has been met.
  2. Formulate useful preconditions, postconditions, and a loop invariant for the following method:

    public static natural div (natural x, natural y)
    {// Returns x/y unless y is zero
        int q = 0;
        while (x >= y) {
              x -= y; q++;}
        return q;}

Last modified 15 September 2004