Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions.

Published byMauricio Stickney Modified over 9 years ago

Similar presentations

Presentation on theme: "David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions."— Presentation transcript:

1 David Evans http://www.cs.virginia.edu/evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions

2 16 September 2003CS 201J Fall 20032 Requests By 5pm tomorrow send any questions you have about Java programming to cs201j-staff@cs.virginia.edu –We’ll go over questions raised in class Thursday or section Friday Please don’t harass the Assistant Coaches! –If they are not in Small Hall, don’t bother them with 201J questions. They have their own work to do also.

3 16 September 2003CS 201J Fall 20033 Rep Invariant The Representation Invariant expresses properties all legitimate objects of the ADT must satisfy I : C → Boolean Function from concrete representation to a Boolean. Helps us reason about correctness of methods independently

4 16 September 2003CS 201J Fall 20034 Reasoning with Rep Invariants Prove all objects satisfy the invariant before leaving the implementation code Assume all objects passed in satisfy the invariant REQUIRES: Rep Invariant is true for this (and any other reachable ADT objects) EFFECTS: Rep Invariant is true for all new and modified ADT object on exit.

5 16 September 2003CS 201J Fall 20035 Preserving the Rep Invariant Abstract Type Concrete Representation class implementation clients down up StringSet () Constructors must initialize this in a way that satisfies the rep invariant insert (String s) up Mutators: assume rep invariant holds on entry, ensure that it holds on all exits Cannot manipulate rep directly

6 16 September 2003CS 201J Fall 20036 Rep Invariant for StringSet public class StringSet { // OVERVIEW: StringSets are unbounded, // mutable sets of Strings. // A typical StringSet is {x1,..., xn} // Representation: private Vector rep; // RepInvariant (c) = //c contains no duplicates //&& c != null && all elements are Strings

7 16 September 2003CS 201J Fall 20037 Implementing Insert public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } } Possibly correct implementation: we need to know how to map rep to abstraction notation to know if this_post = this_pre U { s }

8 16 September 2003CS 201J Fall 20038 Abstraction Function The Abstraction Function maps a concrete state to an abstract state: AF : C → A Function from concrete representation to the abstract notation introduced in overview specification. Range is concrete states for which rep invariant is true

9 16 September 2003CS 201J Fall 20039 Abstraction Function for StringSet public class StringSet { // OVERVIEW: StringSets are unbounded, // mutable sets of Strings. // A typical StringSet is {x1,..., xn} // Representation: private Vector rep; // AF (c) = // { AF String (c.rep[i]) | 0 <= i < c.rep.size () }

10 16 September 2003CS 201J Fall 200310 Correctness of Insert public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } } Use abstraction function to show if add implements its specification, the AF (rep_post) = AF (rep_pre) U { AF String ( s)}

11 16 September 2003CS 201J Fall 200311 Correctness of Insert Path 1: isIn (s) is true this is not modified, this_post = this_pre public boolean isIn (String s) // EFFECTS: Returns true iff s is an element of this. So, if isIn (s) returns true, we know s  this_pre. s  x  x  s = x Hence, this_post = this_pre = this_pre  s AF (rep_post) = AF (rep_pre) U { AF String (s)} public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } }

12 16 September 2003CS 201J Fall 200312 Correctness of Insert Path 2: isIn (s) is false this_post = this_pre.add (s) If isIn (s) returns false, we know s  this_pre. So, we need to know that AF ( rep_pre.add(s) ) = AF ( rep_pre ) U { AF String (s)} What does add do? public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } }

13 16 September 2003CS 201J Fall 200313 Correctness of Insert boolean add (Object o) // Modifies: this // Effects: Appends o to the end of this. // this_post.size = this_pre.size + 1 // this_post[i] = this_pre[i] //forall 0 <= i < this_pre.size // this_post[this_pre.size] = o public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } }

14 16 September 2003CS 201J Fall 200314 Correctness of Insert java.util.Vector.add (Object o) // Modifies: this // Effects: Adds o to the end of this. // this_post.size = this_pre.size + 1 // this_post[i] = this_pre[i] //forall 0 <= i < this_pre.sze // this_post[this_pre.size] = o public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } } So, after rep.add (s) : rep_post.size = rep_pre.size + 1 rep_post[i] = rep_pre[i] forall 0 <= i < rep_pre.size rep_post[rep_pre.size] = s

15 16 September 2003CS 201J Fall 200315 Correctness of Insert public void insert (String s) { // MODIFIES: this // EFFECTS: Adds s to the elements of this: // this_post = this_pre U { s } if (!isIn (s)) { rep.add (s); } } rep_post.size == rep_pre.size + 1 rep_post[i] = rep_pre[i] forall 0 <= i < rep_pre.size rep_post[rep_pre.size] = s AF (rep_post) = { AF String (rep_post[i]) | 0 <= i < rep_post.size } = { rep_post[0], rep_post[1], …, rep_post[rep_post.size – 1] } = { rep_pre[0], rep_pre[1], …, rep_pre[rep_post.size – 1], s } = AF ( rep_pre ) U { s } AF (c) = { AF String (c.rep[i]) | 0 <= i < c.rep.size () }

16 16 September 2003CS 201J Fall 200316 Reality Check Writing abstraction functions, rep invariants, testing code thoroughly, reasoning about correctness, etc. for a big program is a ridiculous amount of work! Does anyone really do this? –Yes (and a lot more), but usually only when its really important to get things right: Cost per line of code: –Small, unimportant projects: $1-5/line –WindowsNT: about $100/line –FAA’s Automation System (1982-1994): $900/line

17 16 September 2003CS 201J Fall 200317 PS2 Wagering Strategy How did you decide what to wager? How should you have decided what to wager?

18 16 September 2003CS 201J Fall 200318 Commerce School Strategy If p is the probability your code is correct, Expected Return = wp – 2w (1-p) = 3wp - 2w If p < 2/3, maximize with w = 0. If p = 2/3, expected return is 0 regardless of wager. If p > 2/3, expected return increases with w, bet maximum.

19 16 September 2003CS 201J Fall 200319 Psychological Strategies Expected return is a bad model, since the value is non-linear –If my ps was worth 90 without wager, 1/3 change of getting a 50 is not worth 2/3 chance of getting 110. Dave is probably crazy for asking such a question, so I have no clue how this will be graded

20 16 September 2003CS 201J Fall 200320 Why Confidence Matters? Incorrect code, no confidence –Worthless, no one can use it (but if they do, they get what they deserve) Correct code, no confidence –Worthless, no one can use it (but if they do, they get lucky) Incorrect code, high confidence –Dangerous! Correct code, high confidence –Valuable

21 16 September 2003CS 201J Fall 200321 Easy way to get 100 on PS 2: Get full credit for questions 1-4 Answer question 5 (specify name trends) badly (0): static public void main (String args[]) // REQUIRES: false // EFFECTS: Prints out a correct proof of // P = NP.

22 16 September 2003CS 201J Fall 200322 Remaining Answers 6.Implement program that satisfies spec: 7.Testing Strategy No testing necessary, no way to satisfy requires 8.Bet: 20 static public void main (String args[]) { // REQUIRES: false // EFFECTS: Prints out a correct proof of P = NP. System.err.println (“Ha ha ha!”) } Note: I didn’t actually want you to do this!

23 16 September 2003CS 201J Fall 200323 Charge Remember to email your Java programming questions to cs201j-staff@cs.virginia.edu PS3 is due 1 week from today –I have office hours now

Download ppt "David Evans CS201J: Engineering Software University of Virginia Computer Science Lecture 6: Reasoning about Data Abstractions."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Cs205: engineering software university of virginia fall 2006 Specifying Procedures David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Specifying Procedures David Evans
Cs2220: Engineering Software Class 10: Generic Datatypes Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 10: Generic Datatypes Fall 2010 University of Virginia David Evans.
David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 2: Java Semantics, Validation.

David Evans CS201j: Engineering Software? University of Virginia Computer Science Lecture 2: Java Semantics, Validation.
CS0007: Introduction to Computer Programming Introduction to Classes and Objects.

CS0007: Introduction to Computer Programming Introduction to Classes and Objects.
Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.

Composition CMSC 202. Code Reuse Effective software development relies on reusing existing code. Code reuse must be more than just copying code and changing.
Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.

Data Abstraction II SWE 619 Software Construction Last Modified, Spring 2009 Paul Ammann.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Concurrent Programming.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 16: Concurrent Programming.
CSE 331 SOFTWARE DESIGN & IMPLEMENTATION ABSTRACT DATA TYPES II Autumn 2011.

CSE 331 SOFTWARE DESIGN & IMPLEMENTATION ABSTRACT DATA TYPES II Autumn 2011.
CSE 331 Software Design & Implementation Dan Grossman Fall 2014 Data Abstraction: Abstract Data Types (ADTs) (Based on slides by Mike Ernst, David Notkin,

CSE 331 Software Design & Implementation Dan Grossman Fall 2014 Data Abstraction: Abstract Data Types (ADTs) (Based on slides by Mike Ernst, David Notkin,
Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Semantics and Specifying Procedures David Evans
Cs2220: Engineering Software Class 11: Subtyping and Inheritance Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 11: Subtyping and Inheritance Fall 2010 University of Virginia David Evans.
Computer Science II 810:062 Section 01 Session 2 - Objects and Responsibilities.

Computer Science II 810:062 Section 01 Session 2 - Objects and Responsibilities.
Cs2220: Engineering Software Class 8: Implementing Data Abstractions Fall 2010 University of Virginia David Evans.

Cs2220: Engineering Software Class 8: Implementing Data Abstractions Fall 2010 University of Virginia David Evans.
Data Abstraction CS 201j: Engineering Software University of Virginia Computer Science Nathanael Paul

Data Abstraction CS 201j: Engineering Software University of Virginia Computer Science Nathanael Paul
CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 2: Orders of Growth

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 2: Orders of Growth
Cs205: engineering software university of virginia fall 2006 Data Abstraction David Evans www.cs.virginia.edu/cs205.

Cs205: engineering software university of virginia fall 2006 Data Abstraction David Evans
CS61B L03 Building Objects (1)Garcia / Yelick Fall 2003 © UCB 2003-08-29  Dan Garcia (www.cs.berkeley.edu/~ddgarcia) Kathy Yelick  (www.cs.berkeley.edu/~yelick)

CS61B L03 Building Objects (1)Garcia / Yelick Fall 2003 © UCB  Dan Garcia ( Kathy Yelick  (
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 12: Subtyping Rules What’s the.

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 12: Subtyping Rules What’s the.

Similar presentations

Ads by Google