Introduction to Mathematical Reasoning
Computer Science, School of Computing, Clemson University
Jason Hallstrom and Murali Sitaraman
Slides: 23

o What does this code do to Integer I, where Foo_1 and Bar_1 are functions that modify their argument?
      I = Foo_1(I); I = Bar_1(I);

o Or this to Integers I and J?
      I = Foo_2(I, J); J = Bar_2(I, J); I = Bar_2(I, J);

o What does this code do to Integer I?
      I = Next(I); I = Prev(I);
o How sure are we?
o Have to account for bounds in our analysis
o Summary: … Need formal descriptions beyond names

o What does this code do to Integers I and J?
      I = Sum(I, J); J = Difference(I, J); I = Difference(I, J);
o Same discussion as before…

Specification of Integer Operations
o Think of ints as integers in math
o Constraints, for all Integers I: min_int <= I <= max_int
o Operation Next (I: Integer): Integer;
      requires I < max_int;
      ensures Next = I + 1;
o Operation Prev (I: Integer): Integer;
      requires I > min_int;
      ensures Prev = I - 1;

Specification of Integer Operations
o Parameters are allowed to be changed, depending on the language and how parameters are passed
o So to make it clear that the parameter isn't modified, we specify:
      Operation Next (preserves I: Integer): Integer;
      requires I < max_int;
      ensures Next = I + 1;

Specification of Integer Operations
o Parameters are allowed to be changed, depending on the language and how parameters are passed
o We can also specify:
      Operation Increment (updates I: Integer);
      requires I < max_int;
      ensures I = #I + 1;
o In the ensures clause, #I denotes the input value of I
o Exercise: Specify Decrement

Meaning of specifications
o Requirements and guarantees
      Requires clauses are preconditions
      Ensures clauses are postconditions
o Callers are responsible for requirements
o The caller of Increment is responsible for making sure the input I < max_int
o Guarantees hold only if callers meet their requirements

Is the code correct for the given spec?
Spec:
      Operation Do_Nothing (updates I: Integer);
      requires …
      ensures I = #I;
Code:
      Increment(I);
      Decrement(I);

These specs are the same…
Spec:
      Operation Do_Nothing (preserves I: Integer);
      requires …
Spec:
      Operation Do_Nothing (updates I: Integer);
      requires …
      ensures I = #I;

Methods for checking correctness
o Testing?
o Tracing or inspection?
o Mathematical reasoning

Mathematical reasoning
o Goal: To prove correctness
o Method: The rest of this presentation
o Can prove correctness on all valid inputs
o Can show absence of bugs

Example: Prove correctness
Spec:
      Operation Do_Nothing (updates I: Integer);
      requires I < max_int;
      ensures I = #I;
Code:
      Increment(I);
      Decrement(I);
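Runtime checking of the contracts specified above, as an added example that is not the slides' own code: the 8-bit domain stands in for min_Int/max_Int, Decrement's contract (the exercise) is assumed by symmetry with Prev, and the hypothetical `swapped` variant of Do_Nothing runs Decrement first to show that the requires clause must cover the body's first call.

```python
# Runtime checks for the slides' requires/ensures contracts. Added example, not
# the deck's code; the 8-bit domain stands in for min_Int/max_Int and
# Decrement's contract (the exercise) is assumed by symmetry with Prev.
MIN_INT, MAX_INT = -128, 127

class ContractViolation(Exception):
    """A requires clause failed: the caller did not meet its responsibility."""

def require(cond: bool, clause: str) -> None:  # confirm before the call
    if not cond:
        raise ContractViolation(clause)

def next_(i: int) -> int:
    """Next (preserves I): requires I < max_int; ensures Next = I + 1."""
    require(MIN_INT <= i < MAX_INT, "Next requires I < max_int")
    return i + 1  # I itself is untouched (preserves)

def prev(i: int) -> int:
    """Prev (preserves I): requires I > min_int; ensures Prev = I - 1."""
    require(MIN_INT < i <= MAX_INT, "Prev requires I > min_int")
    return i - 1

def increment(i: int) -> int:
    """Increment (updates I): requires I < max_int; ensures I = #I + 1."""
    old_i = i  # #I: the value of I on entry
    i = next_(i)  # Next's requires clause is exactly ours
    assert i == old_i + 1, "ensures I = #I + 1"
    return i

def decrement(i: int) -> int:
    """Decrement (updates I): requires I > min_int; ensures I = #I - 1."""
    old_i = i
    i = prev(i)
    assert i == old_i - 1, "ensures I = #I - 1"
    return i

def do_nothing(i: int, swapped: bool = False) -> int:
    """Do_Nothing (updates I): requires I < max_int; ensures I = #I.
    swapped=True runs Decrement(I); Increment(I) under the same requires."""
    require(i < MAX_INT, "Do_Nothing requires I < max_int")
    old_i = i
    i = increment(decrement(i)) if swapped else decrement(increment(i))
    assert i == old_i, "ensures I = #I"
    return i

def violates(op, i: int) -> bool:
    """True when op(i) breaks some requires clause (the caller's fault)."""
    try:
        op(i)
        return False
    except ContractViolation:
        return True
```

Every input that meets Do_Nothing's requires clause passes, including min_int, while max_int is rejected as the caller's fault; the swapped body fails at min_int because Decrement's requires clause is not implied by I < max_int.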

Establish the goals in state-oriented terms using a table

      State   Assume                  Confirm
      0
              Increment(I);
      1
              Decrement(I);
      2                               I_2 = I_0

Assume requires clause at the beginning (Why?)

      State   Assume                  Confirm
      0       I_0 < max_int and …
              Increment(I);
      1
              Decrement(I);
      2                               I_2 = I_0

Assume calls work as advertised

      State   Assume                  Confirm
      0       I_0 < max_int and …
              Increment(I);
      1       I_1 = I_0 + 1
              Decrement(I);
      2       I_2 = I_1 - 1           I_2 = I_0

Prove the goal(s) using assumptions
o Prove I_2 = I_0
o Proof of I_2 = I_0:
      I_2 = I_1 - 1           (assumption in state 2)
          = (I_0 + 1) - 1     (assumption in state 1)
          = I_0               (simplification)
o More proof needed…

More assertions to be confirmed (Why?)

      State   Assume                  Confirm
      0       I_0 < max_int and …     I_0 < max_int
              Increment(I);
      1       I_1 = I_0 + 1           I_1 > min_int
              Decrement(I);
      2       I_2 = I_1 - 1           I_2 = I_0

Prove all assertions to be confirmed
o Proofs: exercises

Basics of Mathematical Reasoning
o Suppose you are verifying code for some operation P
      Assume its requires clause in state 0
      Confirm its ensures clause at the end
o Suppose that P calls Q
      Confirm the requires clause of Q in the state before Q is called
            Why? Because the caller is responsible
      Assume the ensures clause of Q in the state after Q
            Why? Because Q is assumed to work
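The assume/confirm table and the four rules above, mechanised as an added example (not a tool from the slides): `build_table` applies the rules to a straight-line body and `check_table` confirms each assertion of state k from the assumptions of states 0..k by exhausting a constructed 4-bit domain; the contract table, `old_I` for #I, and Decrement's contract (mirroring Prev) are assumptions of this example.

```python
import itertools
import re

# Builds and checks the slides' assume/confirm table for a straight-line call
# sequence. Added example, not the deck's own tool; the 4-bit domain and the
# contract table are constructed for it (Decrement mirrors Prev).
MIN_INT, MAX_INT = -8, 7
CONTRACTS = {  # operation: (requires, ensures); old_I stands for #I
    "Increment": ("I < max_int", "I == old_I + 1"),
    "Decrement": ("I > min_int", "I == old_I - 1"),
}

def at_state(clause: str, k: int, old: int) -> str:
    """Name I in state k as I_k and #I as I_old, as the table does."""
    return re.sub(r"\bI\b", f"I_{k}", clause).replace("old_I", f"I_{old}")

def build_table(requires: str, calls: list, ensures: str) -> list:
    """Rows [state, assumptions, assertions to confirm] for the whole body."""
    rows = [[0, [at_state(requires, 0, 0)], []]]
    for k, op in enumerate(calls, start=1):
        req, ens = CONTRACTS[op]
        rows[-1][2].append(at_state(req, k - 1, k - 1))  # confirm before call
        rows.append([k, [at_state(ens, k, k - 1)], []])   # assume after call
    rows[-1][2].append(at_state(ensures, len(calls), 0))  # goal at the end
    return rows

def check_table(rows: list):
    """Return the first confirm assertion refuted by some in-domain state
    sequence that satisfies the assumptions of states 0..k, else None."""
    domain = range(MIN_INT, MAX_INT + 1)
    for k, _, goals in rows:
        assumed = [a for s, asm, _ in rows if s <= k for a in asm]
        for values in itertools.product(domain, repeat=k + 1):
            env = {f"I_{s}": v for s, v in enumerate(values)}
            env.update(min_int=MIN_INT, max_int=MAX_INT)
            if all(eval(a, env) for a in assumed):
                for g in goals:
                    if not eval(g, env):
                        return g
    return None

def verify_do_nothing(requires="I < max_int", calls=("Increment", "Decrement")):
    """The slides' Do_Nothing: requires ...; Increment(I); Decrement(I); ensures I = #I."""
    return check_table(build_table(requires, list(calls), "I == old_I"))
```

With the slides' requires clause every assertion is confirmed; with an empty requires clause the state-0 assertion I_0 < max_int fails, and with the calls reversed the assertion I_0 > min_int fails, which is exactly where the proof in the table would get stuck.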