Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specifications, continued. Announcements HW1 was due today at 2 HW2 will be out tonight No class on Tuesday, class next Friday Quiz 2 today Spring 15.

Published byBruno Mervin Craig Modified over 9 years ago

Similar presentations

Presentation on theme: "Specifications, continued. Announcements HW1 was due today at 2 HW2 will be out tonight No class on Tuesday, class next Friday Quiz 2 today Spring 15."— Presentation transcript:

1 Specifications, continued

2 Announcements HW1 was due today at 2 HW2 will be out tonight No class on Tuesday, class next Friday Quiz 2 today Spring 15 CSCI 2600, A Milanova 2

3 So Far Specifications Benefits of specifications Specification conventions Javadoc JML PoS specifications 3

4 Specifications Abstraction Modularity A client module can be developed in parallel with a server module Enable reasoning about correctness Spring 15 CSCI 2600, A Milanova 4

5 Javadoc for java.util.binarysearch public static int binarySearch(int[] a,int key) Searches the specified array of ints for the specified value using the binary search algorithm. The array must be sorted (as by the sort method, above) prior to making this call. If it is not sorted, the results are undefined. If the array contains multiple elements with the specified value, there is no guarantee which one will be found. Parameters: a - the array to be searched. key - the value to be searched for. Spring 15 CSCI 2600, A Milanova 5

6 Javadoc for java.util.binarysearch Returns: index of the search key, if it is contained in the array; otherwise, (-(insertion point) - 1). The insertion point is defined as the point at which the key would be inserted into the array; the index of the first element greater than the key, or a.length if all elements in the array are less than the specified key. Note that this guarantees that the return value will be >= 0 if and only if the key is found. So, what is wrong with this spec? Spring 15 CSCI 2600, A Milanova 6

7 The JML Convention Javadocs and PoS specifications are not machine-checkable JML (Java Modeling Language) is a formal specification language Builds on the ideas of Hoare logic End goal is automatic verification Does implementation obey contract? Given a spec S and implementation I, does I conform to S? Does client obey contract? Does it meet preconditions? Does it expect what method provides? 7

8 The JML Spec for binarySearch Precondition: requires: a != null && (\forall int i; 0 < i && i < a.length; a[i-1] <= a[i]; Postcondition: ensures: // long logical formula… Difficult problem and an active research area 8

9 PoS Specifications PoS specifications, due to Mike Ernst, are readable and rigorous Readability ensures that the spec is a helpful abstraction Rigor facilitates reasoning Apply reasoning to prove correctness Compare specifications (more on this later today) Spring 15 CSCI 2600, A Milanova 9

10 PoS Specification for binarySearch public static int binarySearch(int[] a,int key) Precondition: requires: a is sorted in ascending order Postcondition: modifies: none effects: none returns: i such that a[i] = key if such an i exists a negative integer otherwise throws: none Spring 15 CSCI 2600, A Milanova (based on slide by Michael Ernst) 10

11 Aside: Specifications and Dynamic Languages In statically-typed languages (C/C++, Java) type signature is a form of specification: List add(List l1, List l2) In dynamically-typed languages (Python, JavaScript), there is no type signature! def add(l1,l2): i = 0 res = [] for j in l1: res.append(j+l2[i]); i=i+1 return res 11

12 Specifications are imperative. Even more so for dynamically-typed languages! Why? def add(l1,l2): i = 0 res = [] for j in l1: res.append(j+l2[i]); i=i+1 return res Start spec with type signature. Then fill in the rest of the clauses. Write spec before code! Fall 15 CSCI 2600, A Milanova 12 Aside: Specifications and Dynamic Languages

13 Specification for addLists Spring 15 CSCI 2600, A Milanova 13 List add(List l1, List l2) requires: ? modifies: ? effects: ? returns: ? def add(l1, l2): i = 0 res = [] for j in l1: res.append(j+l2[i]); i=i+1 return res }

14 Outline Specifications Specification Style Specification Strength Substitutability Comparing specifications By hand By logical formulas Spring 15 CSCI 2600, A Milanova 14

15 Specification Style A method is called for its side effects (effects clause) or its return value (returns clause) It is bad style to have both effects and return There are exceptions. Can you think of one? E.g., HashMap.put returns the previous value E.g., Box.add returns true if successfully added Main point of spec is to be helpful Being overly formal does not help Being too informal does not help either Spring 15 CSCI 2600, A Milanova (slide based on slides by Michael Ernst) 15

16 Specification Style A specification should be Concise: not too many cases Informative and precise Specific (strong) enough: to make guarantees General (weak) enough: to permit (efficient) implementation Too weak a spec imposes too many preconditions and/or gives too few guarantees Too strong a spec imposes too few preconditions and/or gives too many guarantees. Burden on imple- mentation (e.g., is input sorted?); may hinder efficiency Spring 15 CSCI 2600, A Milanova (slide based on slides by Michael Ernst) 16

17 Specification Strength Sometimes, we need to compare specifications (we’ll see why a little later) “A is stronger than B” (i.e. A => B) means For every implementation I “I satisfies A” implies “I satisfies B” The opposite is not necessarily true For every client C “C meets the obligations of B” implies “C meets the obligations of A” The opposite is not necessarily true 17

18 Which One is Stronger? int find(int[] a, int value) { for (int i=0; i<a.length; i++) { if (a[i] == value) return i; } return -1; } Specification A: requires: a is non-null and value occurs in a returns: the smallest index i such that a[i] = value Specification B: requires: a is non-null and value occurs in a returns: i such that a[i] = value 18 Spring 15 CSCI 2600, A Milanova (example modified from Michael Ernst)

19 Which One is Stronger? int find(int[] a, int value) { for (int i=0; i<a.length; i++) { if (a[i] == value) return i; } return -1; } Specification A: requires: a is non-null and value occurs in a returns: i such that a[i] = value Specification B: requires: a is non-null returns: i such that a[i] = value or i = -1 if value is not in a Spring 15 CSCI 2600, A Milanova (example modified from Michael Ernst) 19

20 Which One is Stronger? String substring(int beginIndex) Specification A: requires: 0 <= beginIndex < length of this String object returns: new string with same value as the substring beginning at beginIndex and extending until the end of the current string Specification B: requires: nothing returns: new string with same value as the substring beginning at beginIndex and extending until the end of the current string throws: IndexOutOfBoundsException --- if beginIndex is negative or ≥ length of this String object 20

21 Why Care About Specification Strength? Because of substitutability! Principle of substitutability A stronger specification can always be substituted for a weaker one I.e., an implementation that conforms to a stronger specification can be used in a client that expects a weaker specification Spring 15 CSCI 2600, A Milanova 21

22 Substitutability Substitutability ensures correct hierarchies Client code: X x; … x.foo(index); Client is “polymorphic”: written against X, but it is expected to work with any subclass of X A subclass of X, say Y, may have its own implementation of foo, Y.foo(int). Client must work correctly with Y.foo(int) too! If the spec of Y.foo(int) is stronger than the spec of X.foo(int) then we can safely substitute Y.foo(int) for X.foo(int) ! 22

23 Substitutability 23 Client has contract with X : // meets precondition y = x.foo(0); // expects non-zero: z = w/y; Client has contract with X : // meets precondition y = x.foo(0); // expects non-zero: z = w/y; Class X requires: index >= 0 returns: result > 0 int foo(int index) Class X requires: index >= 0 returns: result > 0 int foo(int index) Class Y requires: index >= 1 returns: result >= 0 int foo(int index) Class Y requires: index >= 1 returns: result >= 0 int foo(int index) BAD! Y surprises the client! The principle of substitutability tells us that if the specification of Y.foo is stronger than the specification of X.foo, then it will be ok to use Y.foo !

24 Strengthening and Weakening Specification Strengthen a specification Require less of client: fewer/weaker conditions in requires clause AND/OR Promise more to client: effects, modifies, returns Effects/modifies affect fewer objects Weaken a specification Require more of client: more/stronger conditions to requires AND/OR Promise less to client: effects, modifies, returns clauses are weaker, easier to write into code 24

25 Ease of Use by Client; Ease of Implementation A stronger specification is easier to use Client has fewer preconditions to meet Client gets more guarantees in postconditions But a stronger spec is harder to implement! Weaker specification is easier to implement Larger set of preconditions, relieves implementation from the burden of handling different cases Easier to guarantee less in postcondition But weaker spec is harder to use 25

26 Specification Strength Let specification A consist of precondition P A and postcondition Q A Let specification B consist of precondition P B and postcondition Q B A is stronger than B if (but not only if!) P B is stronger than P A (this means, stronger specifications require less) Q A is stronger than Q B (stronger specifications promise more) 26

27 Exercise: Order by Strength Spec A: requires: a non-negative int argument returns: an int in [1..10] Spec B: requires: int argument returns: an int in [2..5] Spec C: requires: true // the weakest condition returns: an int in [2..5] Spec D: requires: an int in [1..10] returns: an int in [1..20] Spring 15 CSCI 2600, A Milanova 27

28 Group Exercise Spec A: “returns: an integer ≥ its argument” Spec B: “returns: a non-negative integer ≥ its argument” Spec C: “returns: argument + 1” Spec D: “returns: argument 2 “ Spec E: “returns: Integer.MAX_VALUE” Implementations: Code 1: return arg*2; Code 2: return abs(arg); Code 3: return arg+5; Code 4: return arg*arg; Code 5: return Integer.MAX_VALUE; Spring 15 CSCI 2600, A Milanova (due to Michael Ernst) 28 A B CDE 1 2 3 4 5

29 Review “A is stronger than B” means For every implementation I “I satisfies A” implies “I satisfies B” The opposite is not necessarily true! A larger world of implementations satisfy the weaker spec B than the stronger spec A Consequently, a it is easier to implement a weaker spec! Weaker specs require more AND/OR Weaker specs guarantee (promise) less 29

30 Outline Specifications Specification Style Specification Strength Substitutability Comparing specifications By hand By logical formulas Spring 15 CSCI 2600, A Milanova 30

31 Comparing Specifications By hand; examine each clause Logical formulas representing the spec Use whichever is most convenient Comparing specs enables reasoning about class hierarchies. Make Y subclass of X only if Y’s methods have stronger specs than X’s Spring 15 CSCI 2600, A Milanova (slides based on Michael Ernst) 31

32 Comparing by Hand requires clause Stronger spec has fewer conditions in requires modifies clause Stronger spec modifies fewer objects. Stronger spec guarantees more objects stay unmodified! effects, returns and throws clauses Stronger spec guarantees more in effects, returns and throws clauses. They are harder to implement, but easier to use by client Spring 15 CSCI 2600, A Milanova (due to Mike Ernst) 32

33 Exercise Specification A: requires: a is non-null and value occurs in a modifies: none effects: none returns: the smallest index i such that a[i] = value Specification B: requires: a is non-null and value occurs in a // same as A modifies: none // same as A effects: none // same as A returns: i such that a[i] = value // fewer guarantees Therefore, A is stronger. In fact, A’s postcondition implies B’s postcondition 33

34 Example Specification A: requires: a is non-null and value occurs in a modifies: none effects: none returns: i such that a[i] = value Specification B: requires: a is non-null // fewer conditions! modifies: none // same effects: none // same returns: i such that a[i] = value if value occurs in a and i = -1 if value is not in a // guarantees more! Therefore, B is stronger! Spring 15 CSCI 2600, A Milanova 34

35 Comparing by Logical Formulas Specification A is a logical formula: P A => Q A (meaning, precondition of A implies postcondition of A) Spec A is stronger than spec B if and only if for each implementation I, (I satisfies A)=>(I satisfies B) which is equivalent to A => B A => B means (P A => Q A ) => (P B => Q B ) Recall from FoCS and/or Intro to Logic: p => q Ξ !p V q Spring 15 CSCI 2600, A Milanova 35

36 Comparing by Logical Formulas (P A => Q A ) => (P B => Q B ) = !(P A => Q A ) ∨ (P B => Q B ) = [ due to law p => q = !p ∨ q ] !(!P A ∨ Q A ) ∨ (!P B ∨ Q B ) = [ due to p => q = !p ∨ q ] (P A ∧ !Q A ) ∨ (!P B ∨ Q B ) = [ due to !(p V q) = !p ∧ !q ] (!P B ∨ Q B ) ∨ (P A ∧ !Q A ) = [ due to commutativity of ∨ ] (!P B ∨ Q B ∨ P A ) ∧ (!P B ∨ Q B ∨ !Q A ) [ distributivity ] [ P B => (Q B ∨ P A ) ] ∧ [ ( P B ∧ Q A ) => Q B ] Translation: A is stronger than B if and only if P B implies Q B or P A AND Q A together with P B implies Q B Spring 15 CSCI 2600, A Milanova 36

37 Example Specification B: requires: a is non-null and value occurs in a [ P B ] returns: i such that a[i] = value [ Q B ] Specification A: requires: a is non-null [ P A ] returns: i such that a[i] = value if value occurs in a and i = -1 if value is not in a [ Q A ] Clearly, P B => P A (P B includes P A and one more condition) Also, P B ∧ Q A => Q B. P B says that “ value occurs in a ” and Q A, says “ value occurs in a => returns i such that a[i]=value ”. Thus, “returns i such that a[i]=value ”, which is exactly Q B, holds. 37

38 Comparison by Logical Formulas We often use this stronger (but simpler) test: If P B => P A and Q A => Q B then A is stronger than B Spring 15 CSCI 2600, A Milanova 38

39 Converting PoS Specs into Logical Formulas PoS specification requires: R modifies: M effects: E is equivalent to this logical formula R => ( E ∧ (nothing but M is modified) ) throws and returns are absorbed into effects E Spring 15 CSCI 2600, A Milanova (slide modified from slides by Michael Ernst) 39

40 Convert Spec to Formula, step 1: absorb throws and returns into effects PoS specification convention requires: (unchanged) modifies: (unchanged) effects: returns: absorbed into “effects” throws: Spring 15 CSCI 2600, A Milanova (slide modified from slides by Michael Ernst) 40

41 set from java.util.ArrayList T set(int index, T element) requires: true modifies: this[index] effects: this post [index] = element throws: IndexOutOfBoundsException if index < 0 || index ≥ size returns: this pre [index] Absorb effects, returns and throws into new effects: if index < 0 || index ≥ size then throws IndexOutOfBoundsException else this post [index] = element and returns this pre [index] Spring 15 CSCI 2600, A Milanova (slide modified from slides by Michael Ernst) 41 Convert Spec to Formula, step 1: absorb throws and returns into effects

42 set from java.util.ArrayList T set(int index, T element) requires: true modifies: this[index] effects: if index < 0 || index ≥ size then throws IndexOutOfBoundsException else this post [index] = element and returns this pre [index] Denote effects expression by E. Resulting formula is: true => (E ∧ (foreach i ≠ index, this post [i] = this pre [i])) Spring 15 CSCI 2600, A Milanova (slide modified from slides by Michael Ernst) 42 Convert Spec to Formula, step 2: Convert into Formula

43 Exercise Convert PoS spec into logical formula public static int binarySearch(int[] a,int key) requires: a is sorted in ascending order modifies: none effects: none returns: i such that a[i] = key if such an i exists; -1 otherwise Spring 15 CSCI 2600, A Milanova 43

44 Exercise static void listAdd2(List lst1, List lst2) requires: lst1, lst2 are non-null. lst1 and lst2 are same size. modifies: lst1 effects: i-th element of lst1 is replaced with the sum of i-th elements of lst1 and lst1 returns: none Spring 15 CSCI 2600, A Milanova 44

45 Exercise private static void swap(int[] a, int i, int j) requires: a non-null, 0<=i,j<a.length modifies: a[i] and a[j] effects: a post [i]=a pre [j] and a post [j]=a pre [i] returns: none Spring 15 CSCI 2600, A Milanova 45 static void swap(int[] a, int i, int j) { int tmp = a[j]; a[j] = a[i]; a[i] = tmp; }

Download ppt "Specifications, continued. Announcements HW1 was due today at 2 HW2 will be out tonight No class on Tuesday, class next Friday Quiz 2 today Spring 15."

Similar presentations

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.

Karlstad University Computer Science Design Contracts and Error Management Design Contracts and Errors A Software Development Strategy Eivind J. Nordby.
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Identity and Equality Based on material by Michael Ernst, University of Washington.

Identity and Equality Based on material by Michael Ernst, University of Washington.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.

1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.

Announcements We are done with homeworks Second coding exam this week, in recitation –Times will be posted later today –If in doubt, show up for your regular.
1 Design by Contract with JML CS 3331 Fall 2009 Gary T. Leavens and Yoonsik Cheon. Design by Contract with JML. Available from

1 Design by Contract with JML CS 3331 Fall 2009 Gary T. Leavens and Yoonsik Cheon. Design by Contract with JML. Available from
Object Oriented Design An object combines data and operations on that data (object is an instance of class) data: class variables operations: methods Three.

Object Oriented Design An object combines data and operations on that data (object is an instance of class) data: class variables operations: methods Three.
Abstraction Functions. Announcements Exam 1 on Tuesday March 3 rd Closed book/phone/laptop 2 cheat pages allowed (handwritten or typed) 1 double-sided.

Abstraction Functions. Announcements Exam 1 on Tuesday March 3 rd Closed book/phone/laptop 2 cheat pages allowed (handwritten or typed) 1 double-sided.
Overview of Java (continue). Announcements You should have access to your repositories and HW0 If you have problems getting HW0, let me know If you’ve.

Overview of Java (continue). Announcements You should have access to your repositories and HW0 If you have problems getting HW0, let me know If you’ve.
Searching. 2 Searching an array of integers If an array is not sorted, there is no better algorithm than linear search for finding an element in it static.

Searching. 2 Searching an array of integers If an array is not sorted, there is no better algorithm than linear search for finding an element in it static.
Searching and Sorting I 1 Searching and Sorting 1.

Searching and Sorting I 1 Searching and Sorting 1.
CS 106 Introduction to Computer Science I 03 / 07 / 2008 Instructor: Michael Eckmann.

CS 106 Introduction to Computer Science I 03 / 07 / 2008 Instructor: Michael Eckmann.
Specifications. Announcements HW1 is due Friday To submit answers, commit Error in HW1: In problem 8, part 2 z = 0 should be z = MAX_INT 2.

Specifications. Announcements HW1 is due Friday To submit answers, commit Error in HW1: In problem 8, part 2 z = 0 should be z = MAX_INT 2.
CS 106 Introduction to Computer Science I 10 / 15 / 2007 Instructor: Michael Eckmann.

CS 106 Introduction to Computer Science I 10 / 15 / 2007 Instructor: Michael Eckmann.
CS 106 Introduction to Computer Science I 10 / 16 / 2006 Instructor: Michael Eckmann.

CS 106 Introduction to Computer Science I 10 / 16 / 2006 Instructor: Michael Eckmann.
CS 106 Introduction to Computer Science I 03 / 17 / 2008 Instructor: Michael Eckmann.

CS 106 Introduction to Computer Science I 03 / 17 / 2008 Instructor: Michael Eckmann.

Similar presentations

Ads by Google