Download presentation
Presentation is loading. Please wait.
Published byJahiem Knope Modified over 9 years ago
1
Computer Science School of Computing Clemson University Introduction to Mathematical Reasoning Jason Hallstrom and Murali Sitaraman Clemson University
2
School of Computing Clemson University What does this code do to Integer I, where Foo1 and Bar1 are functions that modify their argument? I = Foo1(I); I = Bar1(I);
3
School of Computing Clemson University Or this to Integers I and J? I = Foo2(I, J); J = Bar2(I, J); I = Bar2(I, J);
4
School of Computing Clemson University What does this code do to Integer I? I = Next(I); I = Prev(I);
5
School of Computing Clemson University What does this code do to Integer x? I = Next(I); I = Prev(I); How sure are we?
6
School of Computing Clemson University What does this code do to Integer x? I = Next(I); I = Prev(I); How sure are we? Have to account for bounds in our analysis Summary: … Need formal descriptions beyond names
7
School of Computing Clemson University What does this code do to Integers I and J? I = Sum (I, J); J = Difference (I, J); I = Difference (I, J); Same discussion as before…
8
School of Computing Clemson University Specification of Integer Operations Think of ints as integers in math Constraints, for all Integers I: min _Int <= I <= max_Int Operation Next (I: Integer): Integer; requires I < max_int; ensures Next = I + 1; Operation Prev (I: Integer): Integer; requires I > min_Int; ensures Prev = I - 1;
9
School of Computing Clemson University Specification of Integer Operations Parameters are allowed to be changed, depending on the language and how parameters are passed So to make it clear that the parameter isn’t modified, we specify: Operation Next (preserves I: Integer): Integer; requires I < max_int; ensures Next = I + 1;
10
School of Computing Clemson University Specification of Integer Operations Parameters are allowed to be changed, depending on the language and how parameters are passed We can also specify: Operation Increment (updates I: Integer); requires I < max_int; ensures I = #I + 1; In the ensures clause, #I denotes the input I value Exercise: Specify Decrement
11
School of Computing Clemson University Meaning of specifications Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions Callers are responsible for requirements Caller of Increment is responsible for making sure input I < max_int Guarantees hold only if callers meet their requirements
12
School of Computing Clemson University Is the code correct for the given spec? Spec: Operation Do_Nothing (updates I: Integer); requires … ensures I = #I; Code: Increment(I); Decrement(I);
13
School of Computing Clemson University These specs are the same… Spec: Operation Do_Nothing (preserves I: Integer); requires … Spec: Operation Do_Nothing (updates I: Integer); requires … ensures I = #I;
14
School of Computing Clemson University Methods for checking correctness Testing? Tracing or inspection? Mathematical reasoning
15
School of Computing Clemson University Mathematical reasoning Goal: To prove correctness Method: The rest of this presentation Can prove correctness on all valid inputs Can show absence of bugs
16
School of Computing Clemson University Example: Prove correctness Spec: Operation Do_Nothing (updates I: Integer); requires I < max_int; ensures I = #I; Code: Increment(I); Decrement(I);
17
School of Computing Clemson University Establish the goals in state-oriented terms using a table AssumeConfirm 0 Increment(I); 1 Decrement(I) 2I2 = I0
18
School of Computing Clemson University Assume requires clause at the beginning (Why?) AssumeConfirm 0I0 < max_int and … Increment(I); 1 Decrement(I) 2I2 = I0
19
School of Computing Clemson University Assume calls work as advertised AssumeConfirm 0I0 < max_Int and … Increment(I); 1I1 = I0 + 1 Decrement(I) 2I2 = I1 - 1I2 = I0
20
School of Computing Clemson University Prove the goal(s) using assumptions Prove I2 = I0 Proof of I2 = J0 I2 = I1 – 1 (assumption in state 2) = (I0 + 1) – 1 (assumption in state 1) = I0 (simplification) More proof needed…
21
School of Computing Clemson University More assertions to be confirmed (Why?) AssumeConfirm 0I0 < max_int I0 < max_int and … Increment(I); 1I1 = I0 + 1 I1 > min_int Decrement(I) 2I2 = I1 - 1I2 = I0
22
School of Computing Clemson University Prove all assertions to be confirmed Proofs - exercises
23
School of Computing Clemson University Basics of Mathematical Reasoning Suppose you are verifying code for some operation P Assume its requires clause in state 0 Confirm its ensures clause at the end Suppose that P calls Q Confirm the requires clause of Q in the state before Q is called Why? Because caller is responsible Assume the ensures clause of Q in the state after Q Why? Because Q is assumed to work Prove assertions to be confirmed
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.