Software Properties as Axioms and Theorems

Similar documents
Week 5 Tutorial Structural Induction

Finite Math Linear Programming 1 May / 7

Informatics 1 Functional Programming Lecture 5. Function properties. Don Sannella University of Edinburgh

PROGRAMMING IN HASKELL. CS Chapter 6 - Recursive Functions

True/False. MATH 1C: SAMPLE EXAM 1 c Jeffrey A. Anderson ANSWER KEY

The points (2, 2, 1) and (0, 1, 2) are graphed below in 3-space:

Shell CSCE 314 TAMU. Functions continued

Use the Associative Property of Multiplication to find the product.

Reasoning about programs. Chapter 9 of Thompson

AXIOMS FOR THE INTEGERS

Chapter 3 (part 3) Describing Syntax and Semantics

Computation Club: Gödel s theorem

Lectures 20, 21: Axiomatic Semantics

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Foundations of Computation

3.4 Deduction and Evaluation: Tools Conditional-Equational Logic

Thinking Induc,vely. COS 326 David Walker Princeton University

Range Minimum Queries Part Two

Formal Methods of Software Design, Eric Hehner, segment 1 page 1 out of 5

CPS 102: Discrete Mathematics. Quiz 3 Date: Wednesday November 30, Instructor: Bruce Maggs NAME: Prob # Score. Total 60

CS103 Spring 2018 Mathematical Vocabulary

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

Context-Free Grammars

Formal Semantics of Programming Languages

The design of a programming language for provably correct programs: success and failure

Reasoning About Programs Panagiotis Manolios

Programming with Math and Logic

Formal Semantics of Programming Languages

1. Mark the correct statement(s)

Logic and Computation

Boolean Algebra. P1. The OR operation is closed for all x, y B x + y B

(Refer Slide Time 3:31)

Section 1.5: Point-Slope Form

Lecture 6: Sequential Sorting

Fast Sorting and Selection. A Lower Bound for Worst Case

Induction Review. Graphs. EECS 310: Discrete Math Lecture 5 Graph Theory, Matching. Common Graphs. a set of edges or collection of two-elt subsets

CMSC 330: Organization of Programming Languages

CS240 Fall Mike Lam, Professor. Recurrences

FUNCTIONAL PEARLS The countdown problem

Lattice Polygon s and Pick s Theorem From Dana Paquin and Tom Davis 1 Warm-Up to Ponder

Proving Theorems with Athena

CSC Discrete Math I, Spring Sets

Behavioral Equivalence

Behavioral Equivalence

Programming Languages 3. Definition and Proof by Induction

It is important that you show your work. There are 134 points available on this test.

Propositional Logic Formal Syntax and Semantics. Computability and Logic

Test 1, Spring 2013 ( Solutions): Provided by Jeff Collins and Anil Patel. 1. Axioms for a finite AFFINE plane of order n.

Note that in this definition, n + m denotes the syntactic expression with three symbols n, +, and m, not to the number that is the sum of n and m.

MATH 423 Linear Algebra II Lecture 17: Reduced row echelon form (continued). Determinant of a matrix.

2 Second Derivatives. As we have seen, a function f (x, y) of two variables has four different partial derivatives: f xx. f yx. f x y.

Reasoning About Programs Panagiotis Manolios

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Scheme Basics > (butfirst '(help!)) ()

Revisiting Kalmar completeness metaproof

3.5 Day 1 Warm Up. Graph each line. 3.4 Proofs with Perpendicular Lines

The fundamental principle of identity for strings is informally given as follows.

Recursive definition of sets and structural induction

Chapter 10 Part 1: Reduction

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

Chapter 3 Data Representation

Euclidean Space. Definition 1 (Euclidean Space) A Euclidean space is a finite-dimensional vector space over the reals R, with an inner product,.

Lecture 3: Convex sets

CSCE 314 Programming Languages

Shell CSCE 314 TAMU. Higher Order Functions

SECTION 5.1. Sequences

1.1 - Introduction to Sets

Boolean algebra. June 17, Howard Huang 1

Programming Languages Fall 2013

Discrete Mathematics Lecture 4. Harper Langston New York University

Circuit analysis summary

Lecture 4: examples of topological spaces, coarser and finer topologies, bases and closed sets

To prove something about all Boolean expressions, we will need the following induction principle: Axiom 7.1 (Induction over Boolean expressions):

Propositional Calculus. Math Foundations of Computer Science

Indicate the option which most accurately completes the sentence.

Revision Problems for Examination 2 in Algebra 1

Matrices and Systems of Linear Equations

The Rule of Constancy(Derived Frame Rule)

Program Verification & Testing; Review of Propositional Logic

Relational Algebra 1

Abstract Interpretation Using Laziness: Proving Conway s Lost Cosmological Theorem

What s Half of a Half of a Half?

Fundamental Graph Algorithms Part Three

Recursively Defined Functions

Root Cover Pebbling on Graphs

Propositional Calculus. Math Foundations of Computer Science

3.7. Vertex and tangent

Chapter 3. Describing Syntax and Semantics ISBN

Chapter 3. Boolean Algebra and Digital Logic

IT 201 Digital System Design Module II Notes

Definition For vertices u, v V (G), the distance from u to v, denoted d(u, v), in G is the length of a shortest u, v-path. 1

Notes for Recitation 8

Encoding functions in FOL. Where we re at. Ideally, would like an IF stmt. Another example. Solution 1: write your own IF. No built-in IF in Simplify

Linear Equations in Linear Algebra

An Evolution of Mathematical Tools

Formal Systems and their Applications

Background Type Classes (1B) Young Won Lim 6/14/18

Why can you be sure that the second number in the ordered pairs for this data is always greater than or equal to the first?

6.001 Notes: Section 8.1

1 MATH 253 LECTURE NOTES for FRIDAY SEPT. 23,1988: edited March 26, 2013.

Transcription:

Applied Software Properties as Axioms and Theorems proofs by induction or How to Write Reliable Software and know it's reliable Applied 1

Example: Multiplexor Function Problem: Multiplex two sequences to form a new sequence mux [1, 2, 3, 4, 5] [6, 7, 8, 9, 10] = [1, 6, 2, 7, 3, 8, 4, 9, 5, 10] mux [1, 2, 3, 4, 5] [6, 7, 8] = [1, 6, 2, 7, 3, 8, 4, 5] mux [1, 2, 3, 4] [6, 7, 8, 9, 10] = [1, 6, 2, 7, 3, 8, 4, 9, 10] [x 1, x 2, x 3 ] denotes a sequence with three elements xs ++ ys denotes concatenation of the sequences xs and ys [x 1, x 2, x 3 ] ++ [y 1, y 2, y 3, y 4 ] = [x 1, x 2, x 3, y 1, y 2, y 3, y 4 ] Informal specification of mux mux [x 1, x 2, x n ] [y 1, y 2, y n ] = [x 1, y 1, x 2, y 2, x n, y n ] Note: append extra elements in either sequence to the end 2

Multiplexor Function Testing Problem: multiplex two sequences to form a new sequence mux [1, 2, 3, 4, 5] [6, 7, 8, 9, 10] = [1, 6, 2, 7, 3, 8, 4, 9, 5, 10] mux [1, 2, 3, 4, 5] [6, 7, 8] = [1, 6, 2, 7, 3, 8, 4, 5] mux [1, 2, 3, 4] [6, 7, 8, 9, 10] = [1, 6, 2, 7, 3, 8, 4, 9, 10] [x 1, x 2, x 3 ] denotes a sequence with three elements xs ++ ys denotes concatenation of the sequences xs and ys [x 1, x 2, x 3 ] ++ [y 1, y 2, y 3, y 4 ] = [x 1, x 2, x 3, y 1, y 2, y 3, y 4 ] Informal specification of mux mux [x 1, x 2, x n ] [y 1, y 2, y n ] = [x 1, y 1, x 2, y 2, x n, y n ] Note: append extra elements in either sequence to the end Suppose we've defined mux in a program and want to test it Example test: mux [1, 2, 3] [4, 5, 6, 7] == [1, 4, 2, 5, 3, 6, 7] That's an okay test, but hard to generalize for automated testing The following tests are wrong with lists of differing lengths muxtest1 xs ys = ((mux xs ys) 2n+1 == xs n if n length xs) muxtest2 xs ys = ((mux xs ys) 2n == ys n if n length ys) 3

Multiplexor More General Test Informal specification of mux mux [x 1, x 2, x n ] [y 1, y 2, y n ] = [x 1, y 1, x 2, y 2, x n, y n ] Note: append extra elements in either sequence to the end Suppose we've defined mux in a program and want to test it Example test: mux [1, 2, 3] [4, 5, 6, 7] == [1, 4, 2, 5, 3, 6, 7] That's an okay test, but hard to generalize for automated testing The following tests are wrong with lists of differing lengths muxtest xs ys = ((mux xs ys) 2n+1 == xs n if n length xs) muxtest xs ys = ((mux xs ys) 2n == ys n if n length ys) Let s think about a test that is easier to generalize mux [x 1, x 2, x n+1 ] [y 1, y 2, y m+1 ] = [x 1, y 1 ] ++ (mux [x 2, x n+1 ] [y 2, y m+1 ]) 4

Multiplexor Massive Testing Informal specification of mux mux [x 1, x 2, x n ] [y 1, y 2, y n ] = [x 1, y 1, x 2, y 2, x n, y n ] Note: append extra elements in either sequence to the end Suppose we've defined mux in a program and want to test it Example test: mux [1, 2, 3] [4, 5, 6, 7] == [1, 4, 2, 5, 3, 6, 7] That's an okay test, but hard to generalize for automated testing The following tests are wrong with lists of differing lengths muxtest xs ys = ((mux xs ys) 2n+1 == xs n if n length xs) muxtest xs ys = ((mux xs ys) 2n == ys n if n length ys) Let s think about a test that is easier to generalize mux [x 1, x 2, x n+1 ] [y 1, y 2, y m+1 ] = [x 1, y 1 ] ++ (mux [x 2, x n+1 ] [y 2, y m+1 ]) We can correctly generalize that test as follows muxtest (x : xs) (y : ys) = ((mux (x : xs) (y : ys)) == ([x, y] ++ (mux xs ys))) x : xs shorthand for [x] ++ xs We can use muxtest to run thousands of tests, automatically 5

Multiplexor Defining Properties Let s think about a test that is easier to generalize mux [x 1, x 2, x n+1 ] [y 1, y 2, y m+1 ] = [x 1, y 1 ] ++ (mux [x 2, x n+1 ] [y 2, y m+1 ]) We can correctly generalize that test as follows muxtest (x : xs) (y : ys) = ((mux (x : xs) (y : ys))==([x, y] ++ (mux xs ys))) x : xs shorthand for [x] ++ xs We can use muxtest to run thousands of tests, automatically How about some corner cases? mux xs [ ] = xs mux [ ] (y : ys) = (y : ys) 6

Multiplexor Defining Properties Let s think about a test that is easier to generalize mux [x 1, x 2, x n+1 ] [y 1, y 2, y m+1 ] = [x 1, y 1 ] ++ (mux [x 2, x n+1 ] [y 2, y m+1 ]) We can correctly generalize that test as follows muxtest (x : xs) (y : ys) = ((mux (x : xs) (y : ys))==([x, y] ++ (mux xs ys))) x : xs shorthand for [x] ++ xs We can use muxtest to run thousands of tests, automatically How about some corner cases? mux xs [ ] = xs mux [ ] (y : ys) = (y : ys) Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) mux xs [ ] = [ ] mux [ ] (y : ys) = (y : ys) 7

Multiplexor Inductive Definition Let s think about a test that is easier to generalize mux [x 1, x 2, x n+1 ] [y 1, y 2, y m+1 ] = [x 1, y 1 ] ++ (mux [x 2, x n+1 ] [y 2, y m+1 ]) We can correctly generalize that test as follows muxtest (x : xs) (y : ys) = ((mux (x : xs) (y : ys))==([x, y] ++ (mux xs ys))) x : xs shorthand for [x] ++ xs We can use muxtest to run thousands of tests, automatically How about some corner cases? mux xs [ ] = xs mux [ ] (y : ys) = (y : ys) Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) mux xs [ ] = [ ] mux [ ] (y : ys) = (y : ys) Surprise! All properties of mux derive from these That is, these properties form an inductive definition of mux 8

How to Define Functions Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) mux xs [ ] = xs mux [ ] (y : ys) = (y : ys) Surprise! All properties of mux derive from these In other words, these simple properties define mux How to write inductive definitions 1. Write simple equations that the desired function must satisfy 2. Make sure there is an equation for each expected form of input 3. Make sure the input for each inductive reference is closer to a non-inductive case than the input form covered by the equation Writing reliable programs is as simple as that! 9

Axiomatic vs Derived Properties Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) {Axiom M 1 } mux xs [ ] = xs {Axiom M 0.2 } mux [ ] (y : ys) = (y : ys) {Axiom M 0.1 } Surprise! All properties of mux derive from these In other words, these simple properties define mux How to write inductive definitions 1. Write simple equations that the desired function must satisfy 2. Make sure there is an equation for each expected form of input 3. Make sure the input for each inductive reference is closer to a non-inductive case than the input form covered by the equation Writing reliable programs is as simple as that! Even better, you can derive additional properties by induction Such as, for example, these properties {P 1 } if (elem x xs) then (elem x (mux xs ys)) {P 2 } if (elem y ys) then (elem y (mux xs ys)) {P 3 } if (elem z (mux xs ys)) then ((elem z xs) (elem z ys)) (elem x xs) is True iff x is an element of the sequence xs 10

Derived Properties are Theorems Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) {Axiom M 1 } mux xs [ ] = xs {Axiom M 0.2 } mux [ ] (y : ys) = (y : ys) {Axiom M 0.1 } Surprise! All properties of mux derive from these In other words, these two simple properties define mux How to write inductive definitions 1. Write simple equations that the desired function must satisfy 2. Make sure there is an equation for each expected form of input 3. Make sure the input for each inductive reference is closer to a non-inductive case than the input form covered by the equation Writing reliable programs is as simple as that! Even better, you can derive additional properties by induction Such as, for example, these properties {P 1 } if (elem x xs) then (elem x (mux xs ys)) {P 2 } if (elem y ys) then (elem y (mux xs ys)) {P 3 } if (elem z (mux xs ys)) then ((elem z xs) (elem z ys)) (elem x xs) is True iff x is an element of the sequence xs 11

Property Derived by Induction Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) {Axiom M 1 } mux xs [ ] = xs {Axiom M 0.2 } mux [ ] (y : ys) = (y : ys) {Axiom M 0.1 } elem x [ ] = False {Axiom E o } elem y (x : xs) = (y == x) (elem y xs) {Axiom E 1 } Theorem P 1 : if (elem x xs) then (elem x (mux xs ys)) that is, (elem x xs) (elem x (mux xs ys)) {as Boolean formula} Base case (elem x [ ]) (elem x (mux [ ] ys)) = False (elem x (mux [ ] ys)) {Axiom E o } = True {Boolean algebra} 12

Property Derived by Induction Now we have three simple properties that mux must satisfy mux (x : xs) (y : ys) = [x, y] ++ (mux xs ys) {Axiom M 1 } mux xs [ ] = xs {Axiom M 0.2 } mux [ ] (y : ys) = (y : ys) {Axiom M 0.1 } elem x [ ] = False {Axiom E o } elem y (x : xs) = (y == x) (elem y xs) {Axiom E 1 } Theorem P 1 : if (elem x xs) then (elem x (mux xs ys)) that is, (elem x xs) (elem x (mux xs ys)) {as Boolean formula} Inductive case when ys [ ] Note: proof is simpler when ys = [ ] (elem x (x 1 : xs)) (elem x (mux (x 1 : xs) (z: zs)) {rewrite non-empty ys as (z: zs)} = ((x==x 1 ) (elem x xs)) (elem x ([x 1, z] ++ (mux xs zs))) {Axioms E 1 and M 1 } = ((x==x 1 ) (elem x xs)) (elem x (x 1 : z: (mux xs zs))) {shorthand for ++} = ((x==x 1 ) (elem x xs)) ((x==x 1 ) (x==z) (elem x (mux xs zs))) {Ax E 1 } = ((x==x 1 ) ((x==x 1 ) (x==z) (elem x (mux xs zs)))) && {Boolean algebra} ((elem x xs) ((x==x 1 ) (x==z) (elem x (mux xs zs)))) = True && {more Boolean algebra} ((elem x xs) ((x==x 1 ) (x==z) (elem x (mux xs zs)))) = True {induction hypothesis, along with some Boolean algebra} 13

Using Logic to Ensure Reliable Software Pencil and paper proofs are just for practice Enables students to learn methods of reasoning Logic course at Oklahoma Univ includes hundreds of examples Course/results: http://www.cs.ou.edu/~beseme/sfwisdmpaper.pdf Textbook: Discrete Math Using a Computer (Springer 2006) Proofs follow the rigorous style of mux example presented here Real-life software engineering requires mechanized logic Getting all the details right in proofs isn't humanly possible Proofs with incorrect details are not proofs Non-proofs don't guarantee software properties Therefore, paper-and-pencil proofs provide no guarantees Mechanized logic verifies all the details, down to bit level So, it's feasible to know software properties for certain Also, mechanized logic can partially automate proofs This makes mechanized logic useful in the practice of SE Practical mechanized logic for industry: ACL2 SE course at Oklahoma Univ uses ACL2 with Proof Pad http://www.cs.ou.edu/~rlpage/secollab/engrswjfp.pdf 14

The End Applied 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback