Specifications, conclusion. Abstract Data Types (ADTs) Based on notes by Michael Ernst, University of Washington
Announcements HW1 is due at 2pm HW2 will be posted tomorrow Currently grading HW0 and Quiz 1 Switching to Submitty Discussion Board Starting from HW2 discussion LMS will no longer be monitored for new messages but all existing content stays Dafny exercise 1 (optional, 2 pts extra towards HW1)
Dafny Exercise 1 Weakest precondition: ?? if (x < 0) { y = x * x; } else { y = x * 2; y = y * 5 / x - 7; if (y = 3) { y = (y * 2 + 10) / 2 - y y = y + 4 Postcondition: y < 15 Compute the weakest precondition Verify your program with Dafny Submit your Dafny code on Submitty, “Dafny exercise 1”. Deadline midnight Saturday.
So far Specifications Benefits of specifications Specification conventions Javadoc JML/Dafny PoS specifications
Outline Specifications, conclusion Specification style Specification strength Substitutability Comparing specifications, informally Comparing specifications with logical formulas Converting PoS specification into logical formulas
Comparison by Logical Formulas The following is a sufficient condition: If PB => PA and QA => QB then A is stronger than B PB => PA and QA => QB A is stronger than B Too strict a requirement E.g., we may have a case when QA => QB does not hold and yet A is stronger than B. Spring 18 CSCI 2600, K. Kuzmin, A Milanova
Example: int find(int[] a, int val) Specification B: requires: a is non-null and val occurs in a [ PB ] returns: i such that a[i] = val [ QB ] Specification A: requires: a is non-null [ PA ] returns: i such that a[i] = val if value val occurs in a and -1 if value val does not occur in a [ QA ] Clearly, PB => PA. But QA, which states “val occurs in a => returns i such that a[i]=val AND val does not occur in a => returns -1“ does not imply QB!
Comparing by Logical Formulas (I satisfies specification A) is a logical formula: PA => QA (PA is the precondition of A, QA is the postcondition of A) Spec A is stronger than spec B if and only if for each implementation I, (I satisfies A)=>(I satisfies B) which is equivalent to A => B A is stronger than B iff (PA => QA) => (PB => QB) Recall from FoCS and/or Intro to Logic: p => q Ξ !p V q Comparison using logical formulas is precise but can be difficult to carry out. It is often difficult to express all preconditions and postconditions with precise logical formulas! Spring 18 CSCI 2600, K. Kuzmin, A Milanova
Comparing by Logical Formulas (PA => QA) => (PB => QB) = !(PA => QA) ∨ (PB => QB) = [ due to law p => q = !p∨q ] !(!PA ∨ QA) ∨ (!PB ∨ QB) = [ due to p => q = !p ∨ q ] (P A ∧ !QA ) ∨ (!PB ∨ QB) = [ due to !(p V q) = !p ∧ !q ] (!PB ∨ QB) ∨ (P A ∧ !QA ) = [ due to commutativity of ∨ ] (!PB ∨ QB ∨ PA) ∧ (!PB ∨ QB ∨ !QA) [ distributivity ] [ PB => (QB ∨ PA) ] ∧ [ ( PB ∧ QA ) => QB ] A is stronger than B if and only if PB => QB is true trivially or PB implies PA AND QA together with PB imply QB (i.e., for the inputs permitted by PB, QB holds) First term in conjunction states what’s required of PA in order for A to be stronger than B. Second term in conjunction states what’s required of QA in order for A to be stronger than B. Spring 18 CSCI 2600, K. Kuzmin, A Milanova
Example: int find(int[] a, int val) Specification B: requires: a is non-null and val occurs in a [ PB ] returns: i such that a[i] = val [ QB ] Specification A: requires: a is non-null [ PA ] returns: i such that a[i] = val if val occurs in a and -1 if val does not occur in a [ QA ] PB => PA (PB includes PA and one more condition) Now, let’s show PB ∧ QA => QB. PB implies “val occurs in a”. QA, states “val occurs in a => returns i s.t. a[i]=val”. PB ∧ QA => “returns i s.t. a[i]=val”, precisely QB!
Example: int find(int[] a, int val) Specification B: requires: a is non-null and val occurs in a [ PB ] returns: i such that a[i] = val [ QB ] Specification A: requires: a is non-null [ PA ] returns: i such that a[i] = val if val occurs in a and -1 if val does not occur in a [ QA ] Intuition: QA, by itself, does not imply QB because A may return -1. But QA does imply QB for the inputs permitted by B. Thus, it’s still ok to substitute A for B.
Converting PoS Specs into Logical Formulas PoS specification has 5 clauses Precondition: requires: … Postcondition: modifies: … , effects: …, returns: …, throws: … To reason about PoS specs, we must first convert specs into P => Q logical formulas Step 1: absorbs returns and throws into effects Step 2: convers into logical formula Spring 18 CSCI 2600, K. Kuzmin, A Milanova
Converting PoS Specs into Logical Formulas PoS specification requires: R modifies: M effects: E is equivalent to this logical formula R => ( E ∧ (nothing but M is modified) ) throws and returns are absorbed into effects E Spring 18 CSCI 2600, K. Kuzmin, A Milanova (slide modified from slides by Michael Ernst)
Convert Spec to Formula, step 1: absorb throws and returns into effects PoS specification convention requires: (unchanged) modifies: (unchanged) effects: returns: absorbed into effects throws: Spring 18 CSCI 2600, K. Kuzmin, A Milanova (slide modified from slides by Michael Ernst)
Convert Spec to Formula, step 1: absorb throws and returns into effects set from java.util.ArrayList<T> T set(int index, T element) requires: true modifies: this[index] effects: thispost[index] = element throws: IndexOutOfBoundsException if index < 0 || index ≥ size returns: thispre[index] Absorb effects, returns and throws into new effects: if index < 0 || index ≥ this.size then throw IndexOutOfBoundsException else thispost[index] = element and returns thispre[index] Spring 18 CSCI 2600, K. Kuzmin, A Milanova (slide modified from slides by Michael Ernst)
Convert Spec to Formula, step 2: Convert into Formula set from java.util.ArrayList<T> T set(int index, T element) requires: true modifies: this[index] effects: if index < 0 || index ≥ this.size then throws IndexOutOfBoundsException else thispost[index] = element and returns thispre[index] Denote effects expression by E. Resulting formula is: true => (E ∧ (foreach i ≠ index, thispost[i] = thispre[i])) Spring 18 CSCI 2600, K. Kuzmin, A Milanova (slide modified from slides by Michael Ernst)
Exercise Convert PoS spec into logical formula public static int binarySearch(int[] a,int key) requires: a is sorted in ascending order modifies: none effects: none returns: i such that a[i] = key if such an i exists; -1 otherwise effects: E: if key occurs in a then returns i such that a[i] = key else returns -1. a is sorted => (E & (foreach i, a_pre[i] = a_post[i])) Spring 18 CSCI 2600, K. Kuzmin, A Milanova
Exercise Convert spec into logical formula static void listAdd2(List<Integer> lst1, List<Integer> lst2) requires: lst1, lst2 are non-null. lst1 and lst2 are same size. modifies: lst1 effects: i-th element of lst1 is replaced with the sum of i-th elements of lst1 and lst2 returns: none effects Spring 18 CSCI 2600, K. Kuzmin, A Milanova