INSE web pages u Please explore them! – – u EVERYONE: please follow the “ minilecture schedule ” link & note your date! u Follow the “ schedule ” link if you want to print the lecture slides u Follow the “ brainstorms ” link for a summaries of last week ’ s tutorial –summaries of the next 2 tutorials will be added a few days later

INSE1 - Lecture 5 Program proof? -- we ’ ll look at one example system for achieving this

ANNA - annotated Ada  Designed to be “ programmer friendly ”  therefore looks like programming language  is in the Ada programming language + special “ annotating ” comments.

ANNA...  is used to “ annotate ” specifications;  is also used to annotate code, to enable checks that the code meets the specification - i.e.  program proof  This could be done for other languages - but hasn ’ t, barely (why not?)

Ada background  Ada procedures are usually written in two parts - a “ specification ” for the interface, and a “ body ” for the implementation.  E.g. given type Data is array(Index)of Element; a specification could be procedure Sort(X:in out Data);

An Annotation  an Ada comments starts with -- and continues to the end of the line;  an Anna formal comment starts with one of --| which introduces an annotation; --: which introduces virtual Ada text that obeys the same rules as Ada, but is called only from the annotations.

Annotating a specification  gives an “ outside view ” of the effect of calling the procedure: e.g. for SORT: procedure SORT(X:in out DATA); --| in all X(I)=X(J) => I=J --| out all X(I)=X(J) => I=J --| and all I X(I)<X(J) --| and all I in INDEX --| => X(I) = in X(J)

BUT  the “ no duplicates ” requirement is clearly a nuisance –  so how can we get rid of it?

Defining virtual text  for the version of SORT on the next slide: --: function Count(E:Element) --: return Integer is --: So_Far : Integer := 0; --: begin --: for I in Index loop --: if X(I)=E --: then So_Far := So_Far+1; --: end if; --: end loop; --: return So_Far; --: end Count;

Using virtual text  in annotation of a spec - e.g. for SORT: procedure SORT(X:in out DATA); --| out all I X(I)<X(J) --| and all I in INDEX --| => Count(X(I)) = Count(in X(J))  The postcondition says –the array is in order, with adjacent equal elements allowed; and –each value appears as many times after a call as before.

Program proof?  Suppose we put annotations between steps in the “ body ” of a procedure; and  use the precondition before the first step, postcondition after; then  each individual step in the instructions can then be “ proven ” relative to the annotations immediately before & after -  which proves the correctness of the code relative to the pre-& post-conditions.

Postscript to “ formal specification ”  other methods – notably VDM & Z – are oriented to building the program proving every design & coding step as you go; whereas  ANNA is oriented to proving already-written programs. u [For more on formal methods - take the f.m. units!]

After this lecture  Work through the example in the notes for an intuition of the idea -  but do not bother with the details.  Consider: if you were assigned to manage an S.E. project, in what cases would you want f.m. to be used?