## Loop Invariants and the While Loop Rule in Hoare Logic

### What is a Loop Invariant?

A **loop invariant** is a logical formula `I` that satisfies the following:

- **Holds before** the loop starts executing
- **Holds after every single iteration** of the loop
- **Holds after the loop terminates**

In essence, a loop invariant remains **true throughout the execution** of the loop, no matter how many iterations occur.

---

### Examples of Loop Invariants

```python
i = 0
j = 0
n = 10
while i < n:
    i = i + 1
    j = j + i
```

#### Loop Invariant: `i ≤ n` ✅

- Holds at the start (`i = 0`, `n = 10`)
- Still holds after every iteration (`i` increases, but doesn't exceed `n`)
- Holds when loop terminates (`i = n`)

#### Not a Loop Invariant: `i < n` ❌

- Fails at the end (`i = n` after final iteration)

#### Loop Invariant: `j ≥ 0` ✅

- Initially `j = 0`
- We add positive numbers (`i ≥ 1`), so `j` stays non-negative

---

### The While Loop Rule

If:

1. `{ P } while C do S { Q }`
2. `I` is a loop invariant
3. `{ I ∧ C } S { I }` (inductive step)

Then:

- We can prove `{ I } while C do S { I ∧ ¬C }`
- And then use postcondition weakening to derive the desired postcondition

---

### Example Proof Using the Loop Rule

We want to prove:

    { x ≤ n } while x < n: x = x + 1 { x ≥ n }

Choose invariant: `x ≤ n`

1. **Termination condition**: `¬(x < n)` is `x ≥ n`
2. After loop: `x ≤ n ∧ x ≥ n` → `x = n` → `x ≥ n` ✅

#### Proof Steps

- Use loop rule with invariant `x ≤ n`
- After loop: `x ≤ n ∧ x ≥ n` → postcondition weakening → `x ≥ n`

#### Inductive Step:

Show `{ x ≤ n ∧ x < n } x = x + 1 { x ≤ n }`

Using assignment rule:

- `x = x + 1` → precondition must be `x + 1 ≤ n`
- From `x < n` and `x ≤ n` → `x + 1 ≤ n` ✅ via precondition strengthening

---

### Loop Invariants vs Inductive Loop Invariants

An **inductive loop invariant** is a **stronger** condition:

- It must be **provable** using `{ I ∧ C } S { I }`
- So it not only stays true, but its truth can be **proven** through an inductive step

#### Example

```python
j = 1
i = 0
while i < n:
    j = j + i
    i = i + 1
```

- Loop invariant: `j ≥ 1` ✅ (holds initially and remains true)
- But **not inductive** — we can’t prove `{ j ≥ 1 ∧ i < n } ... { j ≥ 1 }`
- Why? Because `i` could be negative, and `j` could decrease (no guarantee of increase)

✅ To make it inductive: Strengthen to `j ≥ 1 ∧ i ≥ 0`

---

### Final Example: Proving a Specific Postcondition

Goal: Prove `{ i = 0 ∧ j = 0 ∧ n = 5 } while i < n: j += i; i += 1 { j = 15 }`

Observation:

- The loop is computing `j = 1 + 2 + ... + n`
- Closed-form: `j = n(n + 1) / 2 = 15` when `n = 5`

#### Loop Invariant:

- Use: `2j = i(i + 1)`  
- Add: `i ≤ n ∧ n = 5`  
- Together, this implies `i = 5` → `j = 15`

#### Summary:

To prove the postcondition, your loop invariant must be:

- **Strong enough to imply the postcondition**
- **Provable via induction** (i.e., an inductive loop invariant)

---

### Recap

- Loop invariants must **hold before, during, and after** loop execution
- Inductive invariants must satisfy the Hoare triple `{ I ∧ C } S { I }`
- Proof strategy:
    1. Choose an invariant
    2. Prove it's inductive
    3. Use the while rule
    4. Apply weakening to derive final postcondition
- One of the hardest challenges in program verification is **coming up with the right inductive loop invariants**
