Published by Cason Segar. Modified over 9 years ago.
1
CSE 3341.03 Winter 2008 Introduction to Program Verification: refining an interface
2
Exercise 7.2, 7.3(b)
why all the complexity in the switch statement?
language supports optimization -> complexity -> confusing logic -> harder to understand and verify
is the complexity necessary? no: push it into an optimizing compiler
3
simpler switch
to get the best of both worlds:
we could code the switch statement in an unoptimized form with redundant statements, so every case ends in a break
annotate this with a simpler conjunction of implications
translate it into an optimized form, using break to eliminate the redundancies
4
7.2 Interfaces
/*
 * If the object doesn't exist, add the object and return null, otherwise replace the
 * first object that matches and return the old object.
 * @param object The object to add.
 * @see Set#get
 */
public Object put(Object object);
5
Exercise 7.6
get(Object) = null and put(Object) = null and S = oldS union {Object}
or
remove(get(Object)) and put(Object) = get(Object)
6
7.3 refining an interface
an easy case: the refinement extends the pre-condition (allowing more initial states);
the new post-condition is a special case of the old.
7
proof obligations for a refined interface
verify that Pre implies Pre_new and Post_new implies Post
8
more complex refinement
what needs to be verified? new code
9
refinement example
TextModel, p. 12-13: write inserts a character into or at the end of a text array
BetterTextModel, p. 13-14: write inserts a character into or after the end of a text array, filling any gap with blanks
10
TextModel
interface TextModel {
  void write (int pos, char ch);
  // insert char ch at position pos within the existing text.
  // pre-condition:
  //{ len = 'this.length'(nil) and txt = 'this.text'(nil)
  //  and (0 <= i < len implies 'this.read'(i) = array(txt,i))
  //  and len < 'this.max'(nil) and 0 <= pos <= len }
  // post-condition:
  //{ 'this.length'(nil) = len + 1
  //  and (0 <= i < pos implies 'this.read'(i) = array(txt,i))
  //  and 'this.read'(pos) = ch
  //  and (pos < i < 'this.length'(nil) implies 'this.read'(i) = array(txt, i-1)) }
}
11
BetterTextModel
interface BetterTextModel {
  void write (int pos, char ch);
  // insert char ch at position pos, filling any gap after the existing text with blanks.
  // pre-condition:
  //{ len = 'this.length'(nil) and txt = 'this.text'(nil)
  //  and (0 <= i < len implies 'this.read'(i) = array(txt,i))
  //  and len < 'this.max'(nil) and 0 <= pos <= 'this.max'(nil) }
  // post-condition:
  //{ 'this.length'(nil) = max(len, pos) + 1
  //  and (0 <= i < min(pos, len) implies array(txt, i) = 'this.read'(i))
  //  and 'this.read'(pos) = ch
  //  and (pos < i < 'this.length'(nil) implies 'this.read'(i) = array(txt, i-1))
  //  and (len < i < pos implies 'this.read'(i) = " ") }
}
12
Exercise 7.8
Given that the TextModel pre-condition holds, what is the (descriptive) post-condition when BetterTextModel's write(pos, ch) method is executed?
min(pos, len) = pos and max(len, pos) = len and .. BetterTextModel's post-condition ..
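The refinement of slides 10-11 and the two proof obligations of slide 7, as an added runnable example (Python rather than the Java of the slides; not code from the course). It assumes texts are lists of one-character strings and that `max_len` plays the role of `this.max`; the pre- and post-conditions are checked at run time rather than proved.

```python
# Added example (not from the slides): a runnable model of the TextModel /
# BetterTextModel refinement. Texts are lists of one-character strings, and the
# pre-/post-conditions of the two interfaces are checked at run time.

def text_model_pre(txt, max_len, pos):
    return len(txt) < max_len and 0 <= pos <= len(txt)

def text_model_post(txt, pos, ch, new):
    return (len(new) == len(txt) + 1
            and all(new[i] == txt[i] for i in range(pos))
            and new[pos] == ch
            and all(new[i] == txt[i - 1] for i in range(pos + 1, len(new))))

def better_pre(txt, max_len, pos):
    return len(txt) < max_len and 0 <= pos <= max_len

def better_post(txt, pos, ch, new):
    n = len(txt)
    return (len(new) == max(n, pos) + 1
            and all(new[i] == txt[i] for i in range(min(pos, n)))
            and new[pos] == ch
            and all(new[i] == txt[i - 1] for i in range(pos + 1, len(new)))
            and all(new[i] == " " for i in range(n + 1, pos)))

def better_write(txt, max_len, pos, ch):
    """BetterTextModel.write: insert ch at pos, filling any gap with blanks."""
    assert better_pre(txt, max_len, pos), "BetterTextModel pre-condition violated"
    # The slide's gap clause covers only len < i < pos, so read(len) is left
    # unspecified when pos > len; this implementation blanks it as well.
    padded = txt + [" "] * (pos - len(txt))
    new = padded[:pos] + [ch] + padded[pos:]
    assert better_post(txt, pos, ch, new), "BetterTextModel post-condition violated"
    return new

def pre_implies_new_pre(txt, max_len, pos):
    """Proof obligation 1 (slide 7), checked on one state: Pre implies Pre_new."""
    return (not text_model_pre(txt, max_len, pos)) or better_pre(txt, max_len, pos)

def refinement_holds(txt, max_len, pos, ch):
    """Proof obligation 2 / Exercise 7.8: when TextModel's pre-condition holds,
    the refined write must also establish TextModel's post-condition."""
    if not text_model_pre(txt, max_len, pos):
        return None          # old pre-condition not met: nothing to check
    return text_model_post(txt, pos, ch, better_write(txt, max_len, pos, ch))
```

Run-time checks like these only witness the obligations on the states you try; the slides' point is that the implications must be proved for all states satisfying the pre-condition.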
13
Well-behaved expressions
BetterTextModel requires that the array length len < this.max
problem: what ensures that this.max ≤ available addressable memory?
very simple example (p. 14):
int n1 = Integer.MAX_VALUE;
int n2;
n2 = n1 + 1;
//{ n2 = n1 + 1 }
14
assume all expressions are well-behaved
given the code
int n1;
int n2;
n2 = n1 + n2;
//{ n2 = n1 + n2 }
we can only assume that n1 + n2 is "well-behaved", i.e. n1 + n2 ≤ Integer.MAX_VALUE, so that the post-condition //{ n2 = n1 + n2 } holds
15
partial functions
another source of qualifications or restrictions: partial functions
restricting variables to the domain of a function requires a pre-condition to be satisfied before the function is called.
if we don't want to have the code check every division operation (or top(stack) or rest(list) or a[i]) to see if the function is defined, we need a proof that the variable is "in bounds"