1 / 9

Satisfiability example – from 9(13)

Satisfiability example – from 9(13). Proof obligation is now: forall o:Object, s:Store, p:Point & pre_Place(o,s,p) => inv_Store(Place(o,s,p)) which we can rewrite as: forall o:Object, s:Store, p:Point & RoomAt(o.xlength, o.ylength, s, p) => inv_Store(Place(o,s,p)).

fiona-preston
Download Presentation

Satisfiability example – from 9(13)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Satisfiability example – from 9(13) • Proof obligation is now: • forall o:Object, s:Store, p:Point & pre_Place(o,s,p) => inv_Store(Place(o,s,p)) • which we can rewrite as: • forall o:Object, s:Store, p:Point & RoomAt(o.xlength, o.ylength, s, p) =>inv_Store(Place(o,s,p))

  2. Satisfiability example (2) • Expanding both sides and rewriting leads to this: • forall o:Object, s:Store, p:Point & • let new_o = mk_Object(p,o.xlength,o.ylength) in • InBounds(new_o, s.xbound, s.ybound) • and (forall o in set s.contents & not Overlap(new_o,o)) • => • forall o in set (s.contents union {new_o}) & • InBounds(o,s.xbound,s.ybound) • and • not exists o1,o2 • in set (s.contents union {new_o}) & • o1 <> o2 and Overlap(o1,o2)

  3. Satisfiability example (3) • In ‘plain’ english, we have to prove that: • If an object being added to the store at a given point is within the bounds of the store and will not overlap with any of the existing contents, • then • all objects in the resulting store will fit within the bounds of the store, and none of them will overlap

  4. Satisfiability example (4) • Proof depends on the fact that the input store, s, is a valid store • i.e. we have • inv_Store(s) • which allows us to argue: • All objects in the input store fit within the bounds, and the new object fits within the bounds, so all objects in the resulting store will fit within bounds • No objects in the input store overlap, and the new object does not overlap with any objects in the input store, so no objects in the resulting store will overlap

  5. Exercise • Given these datatype definitions: • Word = seq of char; • Dictionary = set of Word • inv d = card d <= 500; • and this function • AddWord: Dictionary * Word -> Dictionary • AddWord(d,w) == d union {w} • pre card d < 500; • What is the satisfiability proof obligation? • How would you discharge it?

  6. Solution • Proof obligation: • forall d:Dictionary, w:Word & pre_AddWord(d,w) => inv_Dictionary(d union {w}) • forall d:Dictionary, w:Word & card d < 500 => card(d union {w}) <= 500 • forall d:Dictionary, w:Word & card d < 500 => (card d) + 1 <= 500 • which is true by rules of arithmetic.

  7. Satisfiability for implicit functions • From the Guided Tour, 2(24) • ExpertToPage(al:Alarm, per:Period, pl:Plant) r:Expert • post r in set pl.sch(per) and • al.quali in set r.quali • Satisfiability proof obligation is: • forall al:Alarm, per:Period, pl:Plant & • exists r:Expert & • r in set pl.sch(per) and • al.quali in set r.quali

  8. Satisfiability for implicit functions (2) • To prove: • forall al:Alarm, per:Period, pl:Plant & • exists r:Expert & • r in set pl.sch(per) and • al.quali in set r.quali • We have an invariant on Plant: • inv_Plant(p)== • forall a in set p.alarms & • forall per in set dom p.sch & • exists ex in set p.sch(per) & • a.quali in set ex.quali • Is this enough?

  9. Satisfiability for implicit functions (3) • Informally we argue that the plant has qualified, available experts available at all times for all sorts of alarms. • Something is missing: • ExpertToPage(al:Alarm, per:Period, pl:Plant) r:Expert • post r in set pl.sch(per) and • al.quali in set r.quali • We haven’t ensured that the inputs al:Alarm and per:Period are known to the plant! • ExpertToPage(al:Alarm, per:Period, pl:Plant) r:Expert • pre al in set pl.alarms and • per in set dom pl.sch • post r in set pl.sch(per) and • al.quali in set r.quali

More Related