Formal Methods 133
n(n + 1)/2. erefore, upon continued execution of the system, sum will result in
(n + 1) + n(n + 1)/2, which is just (n + 1)(n + 1 + 1)/2 and the system is partially
correct.
Since by the induction hypothesis, by the nth iteration of the loop count has
been decremented n times (since the loop exited when count was initialized to n).
In the induction step, count was initialized to n + 1, so by the nth iteration it has a
value or 1. So after the n + 1st iteration it will be decremented to 0, and hence the
system exits from the loop and terminates.
Does this approach really prove correctness? It does, but if you don’t believe
it, try using Hoare logic to prove an incorrect specification segment to be correct,
for example: