Addressing the Challenges of Current Software

Questions to Address Why? What? Where? How?

Some Work Binary search specifications Java C++ Any other language Are the algorithms correct? Do the implementations work? What’s the difference?

Why? Current software is too large for one person to understand. Students need tools for dealing with all sizes of projects. Maintenance makes up the majority of jobs. Students need to separate specifications from implementations.

What reasoning skills are necessary? Concept Inventory Boolean LogicStandard Logic Symbols, Standard Proof Techniques Discrete Math StructuresSets, Strings, Numbers, Relations, and other mathematical theories as needed Precise SpecificationsMathematical Descriptions of Software interfaces for clients and implementers. Math models for structures Pre and Post conditions for operations. Modular ReasoningEach Module needs to be proven correct only once. Verification ConditionsMathematical Assertions equivalent to the correctness of the program. Correctness ProofsApplication of Proof Techniques to the program

Specifications for Increment Operation Increment(updates i: int) requires i < max_int; ensures i = #i + 1;

Implementation of Increment Increment(updates i: int); i = i + 1; end Increment;

Reason about Increment Does the implementation meet the specification? How does the requires clause it in? Are there other possible implementations? Subtract 4 and add 5? Why not?

Work Write specifications for Decrement (requires and ensures clauses) Write an implementation assuming that there is a built in minus for integers.

Work Specify (write requires and ensures clauses )an operation that receives an integer and returns the value of that integer plus two. Implement your operation assuming you can access the operation “Increment.”

Operation PlusTwo(updates i: int); requires i < max_int – 1; ensures i = #i + 2; PlusTwo( updates i: int) Increment(i); end PlusTwo

Reason about the Program

Reasoning Table Operation PlusTwo State NumberAssumeConfirm 0i < max_int - 1 Increment(i) 1i1 = i0 + 1i < max_int Increment(i) 2i2 = i1 + 1i2 = i0 + 2

Work Specification: Operation Exchange(updates I, J: Integer); ensures I = #J and J = #I; Code: Procedure Exchange(updates I, J: Integer); I := Sum(I, J); J := Difference(I, J); I := Difference(I, J); End Exchange;

Are the Specs Sufficient? What about min_int and max_int? Add a requires clause

Need to Know Operation Difference (updates I: int, preserves J: int); requires I – J min_int; ensures I = I – J; Operation Sum (updates I: int, preserves J: int); requires I + J min_int; ensures I = I + J;

Reasoning Table State NumberAssumeConfirm 0I0 – J0 < max_int and I0 – J0 > min_int I = Difference(I, J); 1I1 = I0 – J0 and J1 = J0 J = Difference(I, J); 2J2 = I1 – J1 and I2 = I1 I = Difference(I, J); 3I3 = I2 - J2 and J3 = J2I3 = J0 and J3 = I0 Operation Exchange

More examples asoning.html asoning.html

Beyond Arithmetic Specifying components Work: How do java and C++ (or your favorite language) specify stacks?

Specify a stack mathematically Describe in terms of mathematical strings For generality, describe all stacks with one spec Allow for multiple implementations to promote efficiency

Requirements vs. Specifications Requirements definition Intended for customers in addition to software developers Informal descriptions are necessary Specification For use by members of a software development team Formal (mathematical) descriptions are necessary 21

Informal Specification: Examples C++ STL Template specifications Java util component specifications Questions for discussion Do they support information hiding? Do they support abstraction? Can they generalize? Is it possible to make them unambiguous? 22

Informal Specifications Straightforward descriptions Push pushes an item onto the top of this stack How much do they help? Use of metaphors A Queue is like a line at a fast food restaurant Do they generalize? Use of implementation details Push behaves like addElement method on Vector Is this appropriate for a user-oriented cover story? 23

Formal Interface Specification Communicates precisely the demands and responsibilities to component users and developers Allows for independent development of client and implementation components in parallel in a team environment Minimizes integration costs 24

Reasoning Benefits Formal Specifications make it possible to formally reason about correctness of software Such reasoning may be manual or mechanical (i.e. with automate support) 25

Languages for Formal Specification ANNA (and SPARK) for Ada JML for Java Larch/C++ for C++ Spec# for C3 … Eiffel RESOLVE … VDM Z 26

Specification Language Summary Some specification languages are designed for particular programming languages Some are general purpose Some specification languages are integrated with programming constructs A few additionally integrate the ability to perform formal mathematical reasoning 27

Meaning of Specifications Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions Callers are responsible for requirements Caller of Increment is responsible for making sure I < max_int Guarantees hold only if callers meet their requirements 28

Mathematical Strings Unlike sets, strings have order Example: Str(Z) for String of integers Notations Empty string (written: empty_string or  ) Concatenation: alpha o beta Length (written: |alpha| ) String containing one entry (e.g., ) 29

General Stack Template Specification We will use general stacks for this example reasoning Suppose Stack_Template is parameterized by type Entry and Integer Max_Depth Mathematical Modeling Type_Family Stack ⊆ Str(Entry); exemplar S; constraints |S| ≤ Max_Depth; initialization ensures S = Λ; 30

Specification of Stack Operations Operation Push (alters E: Entry; updates S: Stack) requires |S| < Max_Depth; ensures S = o #S; Operation Pop (replaces R: Entry; updates S: Stack) requires |S| > 0; ensures #S = o S; Operation Depth (restores S: Stack): Integer ensures Depth = |S|; 31

Example Specification Operation Do_Nothing (restores S: Stack) ensures S = #S Code: (Same as S.Push(S.Pop()) in Java) Procedure Do_Nothing (restores S: Stack) Var E: Entry Pop(E,S); Push(E,S); end Do_Nothing; 32

Exercise: Complete Table and Prove AssumeConfirm 0…… Pop(E, S); 1…… Push(E, S); 2…… CS 315 Spring

Example Specification Operation Do_Nothing (restores S: Stack) requires |S| > 0; ensures S = #S Code: (Same as S.Push(S.Pop()) in Java) Procedure Do_Nothing (restores S: Stack) Var E: Entry Pop(E,S); Push(E,S); end Do_Nothing; 34

Exercise: Complete Table and Prove AssumeConfirm 0…|S0| > 0 Pop(E, S); 1S0 = o S1|S1| < Max_Depth Push(E, S); 2S2 = o S1S2 = S0 CS 315 Spring Answers

What’s the Problem? Can you guarantee that Pop will do the right thing? What if your code first did a Push and then a Pop?

Work Write a generic specification for Queues.

Generic Component Examples

Proof Rules

Proof Rules for Verification code: Assume B; code1; Confirm Q; code; Assume B; code2; Confirm Q; code; If B then code1 else code2; endif; Confirm Q; No need to consider individual states.

Example Assume y ≠ 0; z := w/y; if z ≥ 0 then abs := z else abs := -z endif; Confirm abs = |w/y|;

Apply the rule automatically (1) Assume y ≠ 0; z := w/y; Assume z ≥ 0 ; abs := z; Confirm abs = |w/y|; (2) Assume y ≠ 0; z := w/y; Assume  (z ≥ 0); abs := z; Confirm abs = |w/y|;