5 Exercise Formal Specification winter term 2010/11

Size: px

Start display at page:

Download "5 Exercise Formal Specification winter term 2010/11"

Gwendoline Lucas
6 years ago
Views:

1 5 Exercise Formal Specification winter term 2010/11 Dipl.-Wirt.-Inf. Ulrich Wolffgang Department of Information Systems, University of Münster January 12, 2011

2 Agenda Exercise 12 Exercise 13 Next exercise sheet

3 Agenda Exercise 12 Exercise 13 Next exercise sheet

4 Exercise 12: Task Construct a specification for a stack! Use Z to provide schemes that reflect the following characteristics: The stack stores elements of type Element. The stack has a fixed size that can be specified by the user when initializing the stack. The Push operation adds an element to the top of the stack. The Pop operation returns and removes the topmost element. But be sure to include schemes for error handling when applying Push on a full and Pop on an empty stack.

5 Basic types of the stack: [Element] State space: Stack size : N top : N elements : N Element Exercise 12: Solution is a partial function: domain only subset of source N range subset of type set [Element]. E.g.: elements = {1 Foo, 2 Bar} = {(1, Foo), (2, Bar)}

6 Exercise 12: Solution (continued) Implicitly Stack is defined as: Stack size : N top : N elements : N Element Implicility a change of state is defined by Stack as: Stack = Stack Stack or alternatively as: Stack Stack Stack

7 Exercise 12: Solution (continued) Implicitly no change of state is defined by ΞStack as: ΞStack Stack size = size top = top elements = elements

8 Initial state: InitStack Stack size? : N Exercise 12: Solution (continued) top = 0 size = size? elements = Using Stack instead of Stack is possible, too. Stacks with a size of 0 are allowed, so no error handling is specified for that case. Define messages: Message ::= StackIsFull StackIsEmpty ElementSaved

9 Exercise 12: Solution (continued) Push Stack element? : Element output! : Message top < size top = top + 1 size = size elements = elements {top element?} output! = ElementSaved

10 Exercise 12: Solution (continued) Pop Stack element! : Element top > 0 top = top 1 size = size element! = elements(top)

11 Exercise 12: Solution (continued) Or alternatively: Pop Stack element! : Element top > 0 top = top 1 size = size elements = elements\{top elements(top)} element! = elements(top)

12 Exercise 12: Solution (continued) StackIsFull ΞStack output! : Message top size output! = StackIsFull StackIsEmpty ΞStack output! : Message top 0 output! = StackIsEmpty

13 Exercise 12: Solution (continued) Using schema disjunction for combining successful and unsuccessful operations: TryToPush = Push StackIsFull TryToPop = Pop StackIsEmpty

14 Agenda Exercise 12 Exercise 13 Next exercise sheet

15 Exercise 13: Task Prove the assertion of partial correctness by using Hoare Logic. Provide a step by step solution for: {n > 0 m > 0 x = n y = m} while (x y) do if x > y then x := x y else y := y x {x = gcd(n m)} You may use the following lemmata: gcd(x, x) = x, for all x gcd(x y, y) = gcd(x, y), if x > y gcd(x, y x) = gcd(x, y), if x < y Hint: Choose an invariant, which expresses that the gcd(x,y) remains stable.

16 1) {A} skip {A} Exercise 13: Hoare logic proof rules 2) {B[x/e]} x := e {B} e.g.: {x 1 0} x := x 1 {x 0} 3) {A} c 1 {C}, {C} c 2 {B} {A} c 1 ; c 2 {B} 4) {A b} c 1 {B}, {A b} c 2 {B} {A} if b then c 1 else c 2 {B} 5) {A b} c {A} {A} while b do c {A b} 6) = (A A ) {A } c {B } = (B B) {A} c {B} Application of rules determined by syntax of program.

17 Exercise 13: Solution Lemma1 : gcd(x, x) = x, for all x Lemma2 : gcd(x y, y) = gcd(x, y), if x > y Lemma3 : gcd(x, y x) = gcd(x, y), if x < y Invariant I : gcd(x, y) = gcd(n, m) Term A : gcd(x y, y) = gcd(n, m) Term B : gcd(x, y x) = gcd(n, m) 2 2 = (I x y x > y A),{A} x := x y {I}, = (I I) 6 = (I x y x > y B),{B} y := y x {I}, = (I I) 6 {I x y x > y} x := x y {I}, {I x y x > y} y := y x {I} 4 {I x y} if x > y then x := x y else y := y x {I} 5 = (n,m > 0 x = n y = m I),{I}while(x y)do if x > y then x := x y else y := y x {I x y}, = (I x y x = gcd(n,m)) 6 {n > 0 m > 0 x = n y = m} while (x y) do if x > y then x := x y else y := y x {x = gcd(n, m)} x = gcd(n, m) is true because of Lemma1 in conjunction with x = y x = n y = m. Term A is true because of Lemma2 in conjunction with I x y x > y. Term B is true because of Lemma3 in conjunction with I x y x > y. Proof is made bottom-up and ends at rule 2, as it is an axiom no further proof needed. Condition x > 0 y > 0 needed for termination of the algorithm, but not for proving partial correctness. gcd proven to be partial correct but does not terminate for e.g. gcd(8, 4): (8, 4) (12, 4)...

18 Agenda Exercise 12 Exercise 13 Next exercise sheet

19 Next exercise sheet exercise sheet 6 will be online at the end of this week. final exercise sheet one task on transforming a program into a logic formula and one task on CTL CTL will be covered in the regular lecture on Monday

20 Questions?

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages Lecture 19 Tuesday, April 3, 2018 1 Introduction to axiomatic semantics The idea in axiomatic semantics is to give specifications