1 / 30

Mathematical Reasoning with Objects

Mathematical Reasoning with Objects. Example. Specification: Operation Do_Nothing ( restores S: Stack); Goal: Same as ensures S = #S; Code: Procedure Do_Nothing ( restores S: Stack); Var E: Entry; Pop(E, S); Push(E, S); end Do_Nothing;. Exercise: Complete table and prove!.

pagem
Download Presentation

Mathematical Reasoning with Objects

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Mathematical Reasoning with Objects

  2. Example Specification: Operation Do_Nothing (restores S: Stack); Goal: Same as ensures S = #S; Code: Procedure Do_Nothing (restores S: Stack); Var E: Entry; Pop(E, S); Push(E, S); end Do_Nothing;

  3. Exercise: Complete table and prove! Assume Confirm 0 … … Pop(E, S); 1 … … Push(E. S); 2 … …

  4. Exercise: Complete table and prove! Assume Confirm 0 … … Pop(E, S); 1 … … Push(E. S); 2 … … • But we can’t • Because there are no stacks in math • Because there are no “standard” math specifications of pop and push

  5. Mathematical Modeling

  6. Unlike mathematics that is implicit… • We view programming integers as though they are mathematical integers (subject to bounds, of course) • We associate mathematical operators (e.g., +) with operations we can do on integers in programs (e.g., +)

  7. Unlike mathematics that is implicit… • Mathematical connections need to be established and made explicit for typical software objects

  8. Mathematical modeling • Type Integer is modeled by Z; • Constraintsfor all i: Integer, • min_int <= i <= max_int;

  9. Alternatively… • Type Integer is modeled by Z; • Let i be an example Integer; • Constraints • min_int <= i <= max_int;

  10. Initial value specification… • Type Integer is modeled by Z; • exemplar i; • Constraints • min_int <= i <= max_int; • initialization ensures i = 0;

  11. Specification of operations … • Type Integer is modeled by Z; • … • specification of operations, e.g., i++ • Operation Increment • (updates i: Integer); • requires i < max_int; • ensures i = #i + 1;

  12. More examples … • What is a suitable way to model the state of a light bulb? • …

  13. More examples … • Type Light_Bulb_State • is modeled by B; • exemplar b; • Initialization ensures b = false; • Exercises: specification of operations Turn_On, Turn_Off, and Is_On

  14. More examples … • How would you model the state of a traffic light? • … • Alternative models and discussion

  15. Data abstraction examples … • How would you mathematically model a the contents of a stack? • Is a set model appropriate? • Why or why not? • What about a queue?

  16. Mathematical Modeling Summary • To write formal specifications, we need to model the state mathematically • Some objects we use in programming, such as Integers and Reals, have implicit models • For others, such as stacks, queues, lists, etc., we need to conceive explicit mathematical models

  17. Mathematical Modeling of Stacks Concept Stack_Template(type Entry; Max_Depth: Integer); uses String_Theory; Type Family Stack is modeled by … Operation Push… Operation Pop… … end Stack_Template;

  18. Concept Stack_Template(type Entry; Max_Depth: Integer); uses String_Theory; Type Family Stack is modeled by Str(Entry); exemplar S; constraints |S| <= Max_Depth; initialization ensures S = empty_string; … end Stack_Template; Mathematical Modeling of Stacks

  19. Specification of Stack Operations Operation Push (alters E: Entry; updates S: Stack); requires |S| < Max_Depth; ensures S = <#E> o #S; Operation Pop (replaces R: Entry; updates S: Stack); requires |S| > 0; ensures #S = <R> o S; Operation Depth (restores S: Stack): Integer; ensures Depth = |S|; …

  20. Exercise: Complete table and prove! Assume Confirm 0 … … Pop(E, S); 1 … … Push(E. S); 2 … …

  21. Recall: Basics of Mathematical Reasoning • Suppose you are verifying code for some operation P • Assume its requires clause in state 0 • Confirm its ensures clause at the end • Suppose that P calls Q • Confirm the requires clause of Q in the state before Q is called • Why? Because caller is responsible • Assume the ensures clause of Q in the state after Q • Why? Because Q is assumed to work • Prove assertions to be confirmed

  22. Collaborative Exercise: Answers Assume Confirm 0 … |S0| > 0 Pop(E, S); 1 S0 = <E1> o S1 |S1| < Max_Depth Push(E. S); 2 S2 = <E1> o S1 S2 = S0 …

  23. Discussion Is the code Correct? If not, fix it

  24. Collaborative Exercise: Answers Assume Confirm 0 |S0| <= Max_Depth |S0| > 0 Pop(E, S); 1 S0 = <E1> o S1 |S1| < Max_Depth Push(E. S); 2 S2 = <E1> o S1 S2 = S0 …

  25. Discussion Is the code Correct? If not, fix it Important Idea: The reasoning table can be filled mechanically Principles of reasoning about all objects and operations are the same Need mathematical specifications VC generation and automated verification demo

  26. Is the code correct for the given spec? Specification: Operation Do_Nothing (restores S: Stack); Code: Procedure Do_Nothing (restores S: Stack); Var E: Entry; If (Depth(S) /= 0) then Pop(E, S); Push(E, S); end; end Do_Nothing;

  27. Establish the path conditions Condition Assume Confirm 0 If (Depth(S) /= 0) then 1 |S0| /= 0 Pop(E, S); • 2 |S0| /= 0 Push(E, S); • 3 |S0| /= 0 end; • 4 S4 = S0

  28. Establish the sub-goals in state-oriented terms using a table Condition Assume Confirm 0 If (Depth(S) /= 0) then 1 |S0| /= 0 Pop(E, S); • 2 |S0| /= 0 Push(E, S); • 3 |S0| /= 0 end; • 4.1 |S0| = 0 S4 = S0 S4 = S0 • 4.2 |S0| /= 0 S4 = S3 S4 = S0

  29. Fill in other assumptions and obligations as before… Condition Assume Confirm 0 If (Depth(S) /= 0) then 1 |S0| /= 0 … … Pop(E, S); • 2 |S0| /= 0 … … Push(E, S); • 3 |S0| /= 0 … end; • 4.1 |S0| = 0 S4 = S0 S4 = S0 • 4.2 |S0| /= 0 S4 = S3 S4 = S0

  30. More Mathematical Reasoning • Create this example using the web interface, generate VCs, and prove them • For recursive implementations • Recursive calls are handled just as any other call • Need to show termination using a programmer-supplied decreasing “metric” • For iterative implementations, invariants and decreasing metrics are used

More Related