A red.w }
./ 4,2 Finding the K Smallest Values
swap(r,w) { red.r A white.w } ; and the case that r = w
r =w
A (\/i:r^i<w:white.i} A red.w } swap(r,w) { red.r } . The first requirement is met because the quantification (\/i:r^i<w:white.i) weakens to white.r (using the splitting and one-point rules) when r <w. The second holds because red.w and red.r are both equivalent to red.r A red.w whenr -w. This completes the verification of the guarded command red.w - swap(r,w) ; r,w := r+l,w + l . Exercise 14.1. Check formally the correctness of the guarded commands white.w - w := w + I
blue.w < b := b-l ; swap(b,w) .
14.2 Finding the K Smallest Values
Exercise 2.1 was about identifying the invariant properties in Hoare's algorithm for finding the 20 best values among 100 values in a deck of cards. In this section, we develop an implementation of the algorithm. If the exercise is no longer fresh in your mind, it may be worthwhile reading through it once more. The implementation developed below differs from Hoare's algorithm, but the essence remains the same. The algorithm is one of the first truly non-trivial algorithms to be developed with the intention of demonstrating formal program construction techniques; it is called the Find algorithm. The algorithm can be used to sort a sequence of values into percentiles without doing a complete sort (for example, finding the best 10% of students in an examination).
14: Sorting and Searching Algorithms
Before we can begin the development of the algorithm, we must agree on exactly what is to be computed. Hoare's description of the problem and its solution is informal, a drawback of which is a certain amount of ambiguity. Using a formal, mathematical language to specify the algorithm forces us to be completely precise in our specification of the problem. This is, just by itself, a useful exercise; Section 14.2.1 provides the details. Having agreed on a formal specification, the development of the algorithm is discussed in Section 14.2.2.
14.2.1 The Specification
We suppose we are given an array a of numbers, indexed from 0 onwards, of length N. Informally, we are required to determine those K array elements with the smallest values1, where 1 ^ K ^ N. This is an 'informal' specification because it is not at all clear what is meant by 'those K array elements with the smallest values'. If all the array values are distinct, there is no problem, but, in general, we can expect that some values in the array are repeated. If so, 'those K array elements with the smallest values' may not be well defined! To understand the difficulty better, suppose the array contains the following ten values.
Now, suppose we are required to find those two array elements with the smallest values. Clearly, this is impossible to do as there are three array elements with value 1, which is the smallest value of all array elements. The same difficulty occurs if we are required to find those five (or six) array elements with the smallest values. The problem here is with the use of the word 'those' in 'those K array elements...'. We may try to circumvent the problem by a subtle change in the wording: let us require, instead, that we determine those array elements with the K smallest values. (Note that the position of 'K' has shifted. It now counts values rather than array elements.) The change of wording makes a great deal of difference in the meaning, but now the specification is ambiguous! Suppose that, as before, we take K to be two. This time we are required to find those array elements with the two smallest values. There are two possible answers we can give. One answer is that 1 and 2 are the two smallest values in the array, and there are four array elements with these values the fourth, fifth, eighth and ninth.
, literally, Hoare's statement of the problem generalized to K. Specifically, Hoare states the following: 'It is required to single out those 20 thousand observations with smallest value; perhaps the 20 thousand nearest stars, or the 20 thousand shortest schoolchildren, or the 20 thousand students with lowest marks.' The reason for requiring that both K and N be strictly positive is explained later.
