1. Software Correctness Interacting programs SWEN224 2016-T2.
David Streader
Engineering & Computer Science
Victoria University of Wellington

2. Learning objectives Truth may be absolute but often appears relative
Transactional programs can be specified by functions from State to State or by Post Conditions.
Interacting programs preform events that can be observed before the program terminates
There are many types of real event.
Interacting programs can be specified by automata

3. Lies we like to tell small children!
1+1 = 2
Why is 1+1 ≠ 2 ?
We are computer scientists we know that 1+1 takes longer to compute that 2. And, takes more memory to compute.
Consequently we know 1+1 is NOT equal to 2.
So what do we mean when we say 1+1 = 2?
We are telling people we are not considering – observing the time it takes to compute nor the steps used in the computation. All we observe is the value computed.
So 1+1=2 is true or false depending upon what you observe!

4. Specifying transactional programs
A function from initial states to final states can be viewed as a specificaion for transactional programs
Programs progOne and progTwo both satisfy the same functional specification are functionaly equivalent
What about programs that interact?
How do you specify simple interacting programs?
When are two interacting programs equivalent?
progOne(x ; int)
x := x + 1;
x := 2 * x;
return x;
progTwo(x ; int)
x := 2 * x;
x := x + 2;
return x;

5. Σ= {Act,STOP,ERROR, _->_, _|_}
Event based processes
Event based programs and their specifications are often called processes.
The processes we will consider use:
Act, atomic events, first letter lower case, and
processes, first letter upper case
The simplest processes are STOP and ERROR
Additional processes are built by composing an event e and a process P or two processes P and Q
event prefixing e->P
Choice P|Q
Its called an algebra – or a simple programming language
Σ= {Act,STOP,ERROR, _->_, _|_}

6. Action prefixing event -> Process
The Process STOP does nothing
New process = event -> old process
Initially process Sp can only perform a coffeeBtn event it can not perform the coffee event.
automata {
Simp = coffee -> STOP. }
automata {
Sp = coffeeBtn->coffee -> STOP. }

7. Choice |
Processes can offer two events and allow a user to select which event they want.
Choice = a -> STOP | b->STOP.
VM = coin ->(coffeeBtn->coffee->STOP |
teaBtn->tea->STOP).

8. Determinism
The Vmx process can initially perform the coin event but what happens next?

9. Process equality
If all we can see of a process is the language they accept then VM and VMx are equal as they both accept:
coin,coffeeBtn,coffee
coin,teaBtn,tea
Alternatively if you repeatedly try to get a coffee from each machine you can observer their difference.
Which processes you can distinguish depends upon how you interact with, or observe, them. We will return to this in more detail later.

10. What is an event?
In the real informal world vending machines do not respond to a button being pushed until after a coin is inserted.
By not putting a coin in a vending machine you may block it from performing any event.
Receiving an is an event but not reading the will not block some one from sending it.
Events in our formal model behave like button pushing events
Later we will formalise the ability to block an event when we define how events from different processes synchronise!

11. Learning objectives Truth may be absolute but often appears relative
what you observe controls weather 1+1=2 or not.
Transactional programs can be specified by functions from State to State or by Post Conditions.
Interacting programs preform events that can be observed before the program terminates
There are many types of real event.
Interacting programs can be specified by automata