Discrete Math and Reasoning about Software Correctness
School of Computing, Clemson University
Joseph E. Hollingsworth (jholly@ius.edu), Murali Sitaraman (murali@clemson.edu)
http://www.cs.clemson.edu/group/resolve/
This research is funded in part by NSF grants CCF-0811748, CCF-1161916, DUE-1022191, and DUE-1022941.
Overview
o Software correctness proofs
o Connections between software correctness and discrete math foundations
o Key example: recursive code correctness and induction
Basics
o Software is correct if it meets its specifications.
o Is the following code segment correct? Assume all variables are Integers. (#I and #J name the incoming values of I and J.)
  Assume I = #I and J = #J;
  Temp := I;
  I := J;
  J := Temp;
  Confirm I = #J and J = #I;
Assignment Rule
  Assume I = #I and J = #J;
  Temp := I;
  I := J;
  J := Temp;
  Confirm I = #J and J = #I;
o Since J is assigned Temp, if we can prove Temp = #I before the last assignment, then J will equal #I after that assignment (our goal).
o In general: to confirm an assertion P after x := e, it suffices to confirm P with e substituted for x before the assignment.
Simplify
  Assume I = #I and J = #J;
  Temp := I;
  I := J;
  J := Temp;
  Confirm I = #J and J = #I;
o becomes (the last conjunct changes from J = #I to Temp = #I)
  Assume I = #I and J = #J;
  Temp := I;
  I := J;
  Confirm I = #J and Temp = #I;
Simplify again
  Assume I = #I and J = #J;
  Temp := I;
  I := J;
  Confirm I = #J and Temp = #I;
o becomes
  Assume I = #I and J = #J;
  Temp := I;
  Confirm J = #J and Temp = #I;
Simplify one more time
  Assume I = #I and J = #J;
  Temp := I;
  Confirm J = #J and Temp = #I;
o becomes
  Assume I = #I and J = #J;
  Confirm J = #J and I = #I;
Correctness to Discrete Math
o After the last simplification we have:
  Assume I = #I and J = #J;
  Confirm J = #J and I = #I;
o The above is the same as the implication:
  (I = #I and J = #J) ⇒ (J = #J and I = #I)
o True, because P ⇒ P (both sides are the same conjunction, with the conjuncts reordered).
Basics
o What did we just do?
o We mathematically proved that a piece of code is correct, using integer theory and logic.
o The process is mechanical.
o This is unlike testing, which can only show the presence of errors, never their absence.
Exercise
o Is the following code segment correct? Assume all variables are Integers.
o Work it out on the given sheet.
  Assume I = #I and J = #J;
  I := I + J;
  J := I - J;
  I := I - J;
  Confirm I = #J and J = #I;
Simplify
  Assume I = #I and J = #J;
  I := I + J;
  J := I - J;
  I := I - J;
  Confirm I = #J and J = #I;
o becomes
  Assume I = #I and J = #J;
  I := I + J;
  J := I - J;
  Confirm (I - J) = #J and J = #I;
Simplify again
  Assume I = #I and J = #J;
  I := I + J;
  J := I - J;
  Confirm (I - J) = #J and J = #I;
o becomes
  Assume I = #I and J = #J;
  I := I + J;
  Confirm (I - (I - J)) = #J and (I - J) = #I;
Simplify expression
  Assume I = #I and J = #J;
  I := I + J;
  Confirm (I - (I - J)) = #J and (I - J) = #I;
o becomes (since I - (I - J) = J)
  Assume I = #I and J = #J;
  I := I + J;
  Confirm J = #J and (I - J) = #I;
Simplify one last time
  Assume I = #I and J = #J;
  I := I + J;
  Confirm J = #J and (I - J) = #I;
o becomes
  Assume I = #I and J = #J;
  Confirm J = #J and ((I + J) - J) = #I;
o becomes
  Assume I = #I and J = #J;
  Confirm J = #J and I = #I;
Discussion and Demo
o Is the code correct?
o Math integers vs. computational integers: the proof above treats I and J as unbounded mathematical Integers, for which (I + J) - J = I always holds. Computational integers have a fixed range, so I := I + J can overflow; for machine integers the arithmetic swap is only correct under a requires clause that keeps I + J in range, whereas the swap through Temp needs no such condition.
o Assume and Confirm assertions come from the requires and ensures clauses of operations.
o Mechanical proof rules exist for all programming constructs, including if statements, while statements, objects, pointers, etc.
o They all have discrete math foundations.
o Demo site: http://www.cs.clemson.edu/group/resolve/
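The backward substitution carried out by hand on the preceding slides is mechanical enough to write down as a program. The following is an added example, not code from the slides or from the RESOLVE tools: a small checker that applies the assignment rule right to left to a Confirm assertion and then checks the resulting implication "Assume ⇒ Confirm" by evaluating it over every assignment of small values (a bounded check, not a proof). It runs both swap programs under two integer models: the slides' mathematical Integers, and n-bit two's-complement machine integers whose operations fail when a result leaves the representable range (the way a checked-arithmetic language, or a verifier generating a precondition for +, would treat overflow). The expression encoding, the `Overflow` failure model and the 8-bit width are choices of this example. No algebraic simplification is performed, so the printed assertions are the unsimplified forms of the ones on the slides.

```python
"""Added example: a backward-substitution checker for the assignment rule.

Expressions are tuples: ('var', name) | ('num', n) | ('+', a, b) | ('-', a, b).
A program is a list of (target, expr) assignments executed in order.
An assertion is a list of (lhs, rhs) equalities, read as a conjunction.
Names beginning with '#' denote incoming values, as on the slides.
"""
from itertools import product


def var(name):
    return ('var', name)


def num(n):
    return ('num', n)


def subst(expr, name, repl):
    """Return expr with every occurrence of variable `name` replaced by repl."""
    kind = expr[0]
    if kind == 'var':
        return repl if expr[1] == name else expr
    if kind == 'num':
        return expr
    return (kind, subst(expr[1], name, repl), subst(expr[2], name, repl))


def wp(assignments, confirm):
    """Assignment rule applied right to left: to confirm P after x := e,
    confirm P with e substituted for x before it. Returns the assertion
    that must hold right after the Assume (the slides' final Confirm)."""
    for target, expr in reversed(assignments):
        confirm = [(subst(lhs, target, expr), subst(rhs, target, expr))
                   for lhs, rhs in confirm]
    return confirm


def show(expr):
    kind = expr[0]
    if kind in ('var', 'num'):
        return str(expr[1])
    return '(%s %s %s)' % (show(expr[1]), kind, show(expr[2]))


def show_assert(assertion):
    return ' and '.join('%s = %s' % (show(l), show(r)) for l, r in assertion)


class Overflow(Exception):
    """A result left the range of a bounded (computational) integer."""


def evaluate(expr, env, bits=None):
    kind = expr[0]
    if kind == 'var':
        return env[expr[1]]
    if kind == 'num':
        return expr[1]
    a, b = evaluate(expr[1], env, bits), evaluate(expr[2], env, bits)
    result = a + b if kind == '+' else a - b
    if bits is not None and not -(1 << (bits - 1)) <= result < (1 << (bits - 1)):
        raise Overflow('%s = %d leaves the %d-bit range' % (show(expr), result, bits))
    return result


def check(assignments, confirm, names, bits=None, span=4):
    """Bounded check of `Assume (x = #x for each x in names) => wp(confirm)`.

    bits=None models mathematical Integers, enumerated over -span..span;
    bits=n models n-bit two's-complement integers whose operations fail
    (Overflow) when a result leaves the range. Returns None when every
    enumerated case passes, otherwise the first counterexample environment."""
    goal = wp(assignments, confirm)
    values = (range(-span, span + 1) if bits is None
              else range(-(1 << (bits - 1)), 1 << (bits - 1)))
    for vals in product(values, repeat=len(names)):
        env = {}
        for name, v in zip(names, vals):
            env[name] = env['#' + name] = v  # the Assume: I = #I, J = #J, ...
        try:
            if not all(evaluate(l, env, bits) == evaluate(r, env, bits) for l, r in goal):
                return env
        except Overflow:
            return env
    return None


# The two swap programs from the slides.
I, J, TEMP = var('I'), var('J'), var('Temp')
SWAP_TEMP = [('Temp', I), ('I', J), ('J', TEMP)]
SWAP_ARITH = [('I', ('+', I, J)), ('J', ('-', I, J)), ('I', ('-', I, J))]
CONFIRM = [(I, var('#J')), (J, var('#I'))]  # Confirm I = #J and J = #I

if __name__ == '__main__':
    for title, prog in (('swap via Temp', SWAP_TEMP), ('swap via arithmetic', SWAP_ARITH)):
        print(title)
        print('  Assume I = #I and J = #J;')
        goal = list(CONFIRM)
        for target, expr in reversed(prog):  # one slide per iteration
            goal = wp([(target, expr)], goal)
            print('  %s := %s  ->  Confirm %s' % (target, show(expr), show_assert(goal)))
        print('  math Integers:', check(prog, CONFIRM, ['I', 'J']))
        print('  8-bit integers:', check(prog, CONFIRM, ['I', 'J'], bits=8))
```

Run stand-alone, the script prints the same derivation the slides show step by step, then reports `None` (no counterexample) for both programs under mathematical Integers and a counterexample such as I = J = -128 for the arithmetic swap under 8-bit integers, where the first addition already leaves the range.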
Part II: Recursion and induction
Example
  int sum(int j, int k)
  // requires j >= 0
  // ensures result = j + k
  {
    if (j == 0) {
      return k;
    } else {
      j--;
      int r = sum(j, k);
      return r + 1;
    }
  }
Reasoning Pattern
o Similar to an inductive proof
o Base case (e.g., j == 0): reason that the code works for the base case
o Recursive case (e.g., j != 0): assume that the recursive call j--; r = sum(j, k) works, and reason that the code works for the case of j
o Show the assumption is legitimate, i.e., show termination
Recursion: Base case
  int sum(int j, int k)
  // requires j >= 0
  // ensures result = j + k
  {
    if (j == 0) {
      return k;
      // Assume: (j = 0) ^ (result = k)
      // Confirm ensures: result = 0 + k
    } else { ... }
  }
Recursion: Inductive Assumption
  int sum(int j, int k)
  // requires j >= 0
  // ensures result = j + k
  {
    if (j == 0) { ... }
    else {
      j--;
      int r = sum(j, k);
      // Assume: r = (j - 1) + k
      return r + 1;
    }
  }
o In the assertions, j refers to the incoming value of j (#j), since the ensures clause is stated in terms of it; the recursive call is on j - 1.
Recursion: Inductive Proof Step
  int sum(int j, int k)
  // requires j >= 0
  // ensures result = j + k
  {
    if (j == 0) { ... }
    else {
      j--;
      int r = sum(j, k);
      return r + 1;
      // Assume: (r = (j - 1) + k) ^ (result = r + 1)
      // Confirm ensures: result = j + k
    }
  }
Reasoning: Recursive Case
o For the inductive proof to be legitimate, the inductive assumption must be legitimate
o This requires showing that an argument passed to the recursive call is strictly smaller (and still satisfies the requires clause)
o This is the proof of termination
o To prove termination automatically, programmers need to provide a progress metric (j decreases in the example)
Reasoning about iterative code
o Also appeals to induction
o Loops need to include an "invariant" and a progress metric for termination
o The invariant is established for the base case (i.e., before the loop is entered)
o The invariant is assumed at the beginning of an iteration and confirmed at the beginning of the next; on exit, the invariant together with the negated loop condition must establish the Confirm that follows the loop
o The progress metric must strictly decrease on every iteration while staying bounded below; that is the proof of termination
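The Assume/Confirm obligations of Part II can be turned into runtime assertions, which is a useful way to see what each piece of the inductive argument is responsible for. The following is an added example, not code from the slides: the `sum` operation written recursively with its requires clause, inductive assumption, progress metric and ensures clause each checked by an `assert`, the same specification met by a loop with its invariant and progress metric checked, and a deliberately wrong recursive case whose off-by-one is reported by the ensures check instead of escaping as a wrong answer. Runtime checks cover only the inputs the code is run on; the prover discharges the same obligations for all inputs. The helper `violates` and the `sum_iter`/`sum_buggy` names are this example's own.

```python
"""Added example: the inductive reasoning pattern as executable checks."""


def sum_rec(j, k):
    # requires j >= 0
    assert j >= 0, 'requires violated'
    if j == 0:
        # Base case: Assume (j = 0) ^ (result = k); Confirm result = 0 + k.
        result = k
    else:
        # Recursive case. The progress metric is j itself: it is bounded below by 0
        # and the argument of the recursive call is strictly smaller, so the call
        # terminates and its requires clause (j - 1 >= 0) still holds.
        j_next = j - 1
        assert 0 <= j_next < j, 'progress metric must decrease and stay >= 0'
        r = sum_rec(j_next, k)
        # Inductive assumption: the recursive call meets its ensures clause.
        assert r == j_next + k, 'inductive assumption violated'
        result = r + 1
    # ensures result = j + k
    assert result == j + k, 'ensures violated'
    return result


def sum_iter(j, k):
    """Same specification met by a loop; the invariant plays the role of the
    inductive hypothesis and j - i is the progress metric."""
    assert j >= 0, 'requires violated'
    i, acc = 0, k
    # Invariant established before the loop (the base case): acc = i + k and 0 <= i <= j.
    assert acc == i + k and 0 <= i <= j, 'invariant not established'
    while i != j:
        metric_before = j - i
        # Invariant assumed at the top of this iteration ...
        assert acc == i + k and 0 <= i <= j, 'invariant violated on entry'
        i += 1
        acc += 1
        # ... and confirmed for the top of the next, with the metric strictly smaller.
        assert acc == i + k and 0 <= i <= j, 'invariant violated on exit'
        assert 0 <= j - i < metric_before, 'progress metric did not decrease'
    # On exit, the invariant plus the negated loop condition (i = j) give the ensures clause.
    assert acc == j + k, 'ensures violated'
    return acc


def sum_buggy(j, k):
    """Wrong recursive case (adds 2 instead of 1): the error surfaces as a failed
    ensures check at the smallest j that exercises the recursive case."""
    assert j >= 0, 'requires violated'
    result = k if j == 0 else sum_buggy(j - 1, k) + 2
    assert result == j + k, 'ensures violated: result = %d, expected %d' % (result, j + k)
    return result


def violates(fn, *args):
    """True when fn(*args) trips one of its Assume/Confirm assertions."""
    try:
        fn(*args)
    except AssertionError:
        return True
    return False


if __name__ == '__main__':
    print(sum_rec(5, 7), sum_iter(5, 7))            # 12 12
    print(violates(sum_rec, -1, 0))                 # True: requires clause
    print(violates(sum_buggy, 0, 5), violates(sum_buggy, 1, 5))  # False True
```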
Part III: Discrete Math and Software Modeling
Discrete Math and Specifications
o Discrete structures, such as numbers, sets, etc., are used in mathematical modeling of software
o Example using another discrete structure: mathematical strings
o Strings are useful to specify and reason about CS structures, such as stacks, queues, lists, etc.
o Example: verify recursive code that reverses a character string or a queue
Basic Math Strings
o Unlike sets, strings have order. Example: Str(Z) for strings of integers
o Notations
  Empty string (written empty_string or Λ)
  Concatenation (alpha o beta)
  Length (|alpha|)
  String containing one entry (<5>)
Theorems from string theory
o Various theorems about mathematical strings are necessary to prove software correctness
o They appear in the verification conditions (VCs) for proving correctness of the iterative Queue Append realization
o Demo: http://www.cs.clemson.edu/group/resolve/
o Theorem: string concatenation is associative. For all strings alpha and beta and every entry x,
  ((alpha o <x>) o beta) = (alpha o (<x> o beta))
Theorems from string theory
o Various theorems about mathematical strings are necessary to prove software correctness
o They appear in the VCs for proving correctness of the recursive Queue Flip or Text Flip realization
o Demo: http://www.cs.clemson.edu/group/resolve/
o String reversal theorem: for every string alpha and entry x,
  Reverse(alpha o <x>) = <x> o Reverse(alpha)
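The string notation of Part III can be modeled directly, which makes the two theorems and the role they play in a Flip realization concrete. The following is an added example, not code from the slides or from RESOLVE: mathematical strings are Python tuples (Λ is `()`, <x> is `(x,)`, alpha o beta is tuple concatenation), `Reverse` is defined recursively on the first entry (this definition is an assumption of the example; the slides state the theorem without a definition), the two theorems are checked exhaustively for all strings up to a small length over a two-symbol alphabet (a bounded check, not a proof), and two recursive flips are checked against the specification "result = Reverse(#input)". The queue flip dequeues from the front, so its inductive step is discharged by the defining clause of Reverse; the text flip peels the last character, so its inductive step needs exactly the reversal theorem the slide states. The names `cat`, `strings_up_to`, `flip_queue` and `flip_text` are this example's own.

```python
"""Added example: mathematical strings as a modeling structure, with the
slides' theorems checked over a bounded domain and used as VCs of two flips."""
from itertools import product

EMPTY = ()  # the empty string, written empty_string or Λ on the slides


def cat(alpha, beta):
    """Concatenation alpha o beta."""
    return tuple(alpha) + tuple(beta)


def reverse(alpha):
    """Reverse(Λ) = Λ; Reverse(<x> o alpha) = Reverse(alpha) o <x> (assumed definition)."""
    if alpha == EMPTY:
        return EMPTY
    x, rest = alpha[0], alpha[1:]
    return cat(reverse(rest), (x,))


def strings_up_to(max_len, alphabet):
    """Every string over `alphabet` with |alpha| <= max_len."""
    for n in range(max_len + 1):
        for entries in product(alphabet, repeat=n):
            yield tuple(entries)


def concat_associative(max_len=3, alphabet=(0, 1)):
    """((alpha o <x>) o beta) = (alpha o (<x> o beta)) for all small alpha, beta, x."""
    strs = list(strings_up_to(max_len, alphabet))
    return all(cat(cat(a, (x,)), b) == cat(a, cat((x,), b))
               for a in strs for b in strs for x in alphabet)


def reversal_theorem(max_len=4, alphabet=(0, 1)):
    """Reverse(alpha o <x>) = <x> o Reverse(alpha) for all small alpha, x."""
    return all(reverse(cat(a, (x,))) == cat((x,), reverse(a))
               for a in strings_up_to(max_len, alphabet) for x in alphabet)


def flip_queue(queue):
    """Recursive Queue Flip: Dequeue the front entry, flip the rest, Enqueue it at the back.
    ensures result = Reverse(#queue)"""
    if not queue:
        return []
    x, rest = queue[0], list(queue[1:])
    flipped = flip_queue(rest)  # recursive call on a strictly shorter queue
    assert tuple(flipped) == reverse(tuple(rest)), 'inductive assumption'
    result = flipped + [x]
    # VC: Reverse(rest) o <x> = Reverse(<x> o rest), the defining clause of Reverse
    assert tuple(result) == reverse(tuple(queue)), 'ensures'
    return result


def flip_text(text):
    """Recursive Text Flip that peels the last character and puts it in front.
    ensures result = Reverse(#text)"""
    if text == '':
        return ''
    rest, x = text[:-1], text[-1]
    flipped = flip_text(rest)  # recursive call on a strictly shorter text
    assert tuple(flipped) == reverse(tuple(rest)), 'inductive assumption'
    result = x + flipped
    # VC: <x> o Reverse(rest) = Reverse(rest o <x>), the slide's reversal theorem
    assert tuple(result) == reverse(tuple(text)), 'ensures'
    return result


if __name__ == '__main__':
    print('concatenation associative (bounded):', concat_associative())
    print('reversal theorem (bounded):', reversal_theorem())
    print(flip_queue(['a', 'b', 'c']), flip_text('stack'))  # ['c', 'b', 'a'] kcats
```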
Summary
o Discrete math foundations are central to developing correct software.
o Modern programming languages are being enhanced with specification language counterparts to facilitate verification of software correctness.
o Example spec/programming language combinations include JML (Java Modeling Language)/Java, Spec#/C#, and RESOLVE (an integrated language).