Specifications. Prof. Clarkson Fall Today s music: Nice to know you by Incubus

Similar documents
6.170 Lecture 6 Procedure specifications MIT EECS

Behavioral Equivalence

Shared Variables and Interference

Comparing procedure specifications

Behavioral Equivalence

Reasoning about programs

Last time. Reasoning about programs. Coming up. Project Final Presentations. This Thursday, Nov 30: 4 th in-class exercise

Shared Variables and Interference

Testing. Prof. Clarkson Fall Today s music: Wrecking Ball by Miley Cyrus

Abstraction and Specification

Reasoning About Imperative Programs. COS 441 Slides 10

Forward Assignment; Strongest Postconditions

Announcements. Specifications. Outline. Specifications. HW1 is due Thursday at 1:59:59 pm

Interpreters. Prof. Clarkson Fall Today s music: Step by Step by New Kids on the Block

Hoare Logic: Proving Programs Correct

Formal Methods of Software Design, Eric Hehner, segment 24 page 1 out of 5

AXIOMS OF AN IMPERATIVE LANGUAGE PARTIAL CORRECTNESS WEAK AND STRONG CONDITIONS. THE AXIOM FOR nop

Violations of the contract are exceptions, and are usually handled by special language constructs. Design by contract

Menu. Algebraic Simplification - Boolean Algebra EEL3701 EEL3701. MSOP, MPOS, Simplification

Lecture 6: Sequential Sorting

Lectures 20, 21: Axiomatic Semantics

Semantics. There is no single widely acceptable notation or formalism for describing semantics Operational Semantics

Lecture 4 Specifications

Async. Prof. Clarkson Fall Today s music: It's Gonna be Me by *NSYNC

Assertions. Assertions - Example


Formal Methods of Software Design, Eric Hehner, segment 1 page 1 out of 5

Formal Methods. CITS5501 Software Testing and Quality Assurance

Program Verification. Aarti Gupta

Chapter 3. Describing Syntax and Semantics ISBN

Abstraction Functions and Representation Invariants

15-122: Principles of Imperative Computation (Section G)

Harvard School of Engineering and Applied Sciences CS 152: Programming Languages

Arguing for program correctness and writing correct programs

Hardware versus software

Foundations, Reasoning About Algorithms, and Design By Contract CMPSC 122

Fall Recursion and induction. Stephen Brookes. Lecture 4

Specification and Verification I

Verification in Coq. Prof. Clarkson Fall Today s music: Check Yo Self by Ice Cube

Formal Semantics. Prof. Clarkson Fall Today s music: Down to Earth by Peter Gabriel from the WALL-E soundtrack

Chapter 1 Programming: A General Overview

CSE 142/143 Unofficial Commenting Guide Eric Arendt, Alyssa Harding, Melissa Winstanley

Hoare Logic. COMP2600 Formal Methods for Software Engineering. Rajeev Goré

Program Verification using Templates over Predicate Abstraction. Saurabh Srivastava and Sumit Gulwani

Announcements. Written Assignment 2 due today at 5:00PM. Programming Project 2 due Friday at 11:59PM. Please contact us with questions!

Abstract Interpretation

Definition For vertices u, v V (G), the distance from u to v, denoted d(u, v), in G is the length of a shortest u, v-path. 1

Fall Lecture 3 September 4. Stephen Brookes

Prof. Dr. A. Podelski, Sommersemester 2017 Dr. B. Westphal. Softwaretechnik/Software Engineering

Lambda Calculus and Type Inference

Formal Systems II: Applications

Rethinking Automated Theorem Provers?

SECTION 1: CODE REASONING + VERSION CONTROL

Monads. Prof. Clarkson Fall Today s music: Vámanos Pal Monte by Eddie Palmieri

SECTION 1: CODE REASONING + VERSION CONTROL

CS 161 Computer Security

No model may be available. Software Abstractions. Recap on Model Checking. Model Checking for SW Verif. More on the big picture. Abst -> MC -> Refine

Inheritance, cont. Notes Chapter 6 and AJ Chapters 7 and 8

CMSC 330: Organization of Programming Languages. Formal Semantics of a Prog. Lang. Specifying Syntax, Semantics

6. Hoare Logic and Weakest Preconditions

Static Program Analysis

Program Verification & Testing; Review of Propositional Logic

Writing code that I'm not smart enough to write. A funny thing happened at Lambda Jam

Lecture Notes: Hoare Logic

Chapter 1 Programming: A General Overview

(a) (4 pts) Prove that if a and b are rational, then ab is rational. Since a and b are rational they can be written as the ratio of integers a 1

Math 213 Calculus III Practice Exam 2 Solutions Fall 2002

Lecture 5 - Axiomatic semantics

Lecture 1 Contracts : Principles of Imperative Computation (Fall 2018) Frank Pfenning

Program Syntax; Operational Semantics

Extended Static Checking for Java

CORRECTNESS ISSUES AND LOOP INVARIANTS

Searching Algorithms/Time Analysis

Logic and Computation Lecture 20 CSU 290 Spring 2009 (Pucella) Thursday, Mar 12, 2009

Testing. Wouter Swierstra and Alejandro Serrano. Advanced functional programming - Lecture 2. [Faculty of Science Information and Computing Sciences]

Second Examination Solution

Propositional Calculus: Boolean Algebra and Simplification. CS 270: Mathematical Foundations of Computer Science Jeremy Johnson

References: internet notes; Bertrand Meyer, Object-Oriented Software Construction; 10/14/2004 1

Introduction to Prof. Clarkson Fall Today s music: Prelude from Final Fantasy VII by Nobuo Uematsu (remastered by Sean Schafianski)

An Annotated Language

Variables. Substitution

CMSC 330: Organization of Programming Languages

CSE 331 Software Design and Implementation. Lecture 4 Specifications

Modules and Representation Invariants

CS Prof. Clarkson Fall 2014

a correct statement? You need to know what the statement is supposed to do.

Exam 1 CSCI 2600 Principles of Software October 6, 2015

Numerical Computations and Formal Methods

Amortized Analysis. Prof. Clarkson Fall Today s music: : "Money, Money, Money" by ABBA

Exam 1 CSCI 2600 Principles of Software October 6, 2015

1 / 43. Today. Finish Euclid. Bijection/CRT/Isomorphism. Fermat s Little Theorem. Review for Midterm.

Functional Programming in Coq. Nate Foster Spring 2018

Proofs are Programs. Prof. Clarkson Fall Today s music: Proof by Paul Simon

Programming Languages Third Edition

Thinking Induc,vely. COS 326 David Walker Princeton University

Chapter 6 : Modularity Using Functions (pp )

SFWR ENG 3S03: Software Testing

Introduction to Axiomatic Semantics

Testing, Debugging, and Verification exam DIT082/TDA567. Day: 9 January 2016 Time: Will be published mid February or earlier

CSE 331 Software Design & Implementation

Transcription:

Specifications Prof. Clarkson Fall 2015 Today s music: Nice to know you by Incubus

Question Would you like a tiny bonus to your final grade for being here on time today? A. Yes B. Sí C. Hai D. Haan E. Naam

Review Previously in 3110: Behavioral equivalence Proofs of correctness by induction on naturals, lists, trees,... Today: Verify that a function implementation satisfies its specification

Specification vs. Implementation Specification ("spec"): (* [max x y] is the maximum of [x] and [y]. *) val max : int -> int -> int Implementation: let max x y = if x>=y then x else y

Specifications (* postcondition:... precondition :... *) val f: t1 -> t2 Postcondition: guaranteed to be true of value returned by function Precondition: must be true of value passed to function as argument

Specifications Choices of how to write specification comment for max's precondition: omit precondition: none. requires: nothing. assumes: nothing....

Specifications Choices of how to write specification comment for max's postcondition: [max x y] is the maximum of [x] and [y]. postcondition: [max x y] is the maximum of [x] and [y]. returns: [max x y] is the maximum of [x] and [y]. ensures: [max x y] is the maximum of [x] and [y]....

Verification Verification: prove that implementation satisfies specification Proof gets to assume precondition Proof has to establish that postcondition holds Might use behavioral equivalence Might use structural induction...

Question Which of the following defines "maximum"? A. (max x y) >= x and (max x y) >= y B. (max x y) = x or (max x y) = y C. The conjunction of A and B D. None of the above

Question Which of the following defines "maximum"? A. (max x y) >= x and (max x y) >= y B. (max x y) = x or (max x y) = y C. The conjunction of A and B D. None of the above

Verification of max (* returns: max x y is the maximum of x and y. * that is: * (max x y) >= x * and * (max x y) >= y * and * (max x y = x) or (max x y = y). *) val max : int -> int -> int let max x y = if x>=y then x else y Let's give a proof that max satisfies its specification...

let max x y = if x>=y then x else y Verification of max Theorem: (max x y) >= x and (max x y) >= y and (max x y = x) or (max x y = y) Proof: by case analysis Case: x >= y Note that max x y ~ x, because max x y -->* x when x >= y. Substituting x for (max x y) in the theorem, we have x >= x and x >= y and (x=x or x=y). By math and the assumption that x >= y, that holds.

let max x y = if x>=y then x else y Verification of max Theorem: (max x y) >= x and (max x y) >= y and (max x y = x) or (max x y = y) Proof: by case analysis Case: x < y Note that max x y ~ y, because max x y -->* y when x < y. Substituting y for (max x y) in the theorem, we have y >=x and y >= y and (y=x or y=y). By math and the assumption that x < y, that holds.

let max x y = if x>=y then x else y Verification of max Theorem: (max x y) >= x and (max x y) >= y and (max x y = x) or (max x y = y) Proof: by case analysis Case: x >= y... Case: x < y... Those two cases are exhaustive. QED

Another implementation of max (* (max' x y) >= x and (max' x y) >= y and (max' x y = x) or (max' x y = y) *) let max' x y = (abs(y-x)+x+y)/2 (* returns: abs x is x if x>=0, otherwise -x *) val abs : int -> int Modular verification: use only the specs of other functions, not their implementations But if we don't have code, can't use ~ and eval... (in this case we could appeal to math, but we won't) Instead use specification!

Specifications, in general (* postcondition: f x is z where R(z) precondition : Q(x) *) val f: t1 -> t2 e.g. (* returns: abs x is z where z=x if x>=0, otherwise z=-x *) val abs : int -> int R(z) = z=x or z=-x and z>=0 Q(x) = true

Using specifications in proofs (* postcondition: f x is z where R(z) precondition : Q(x) *) val f: t1 -> t2 New axiom: specification if Q(x) and f is total then there exists z such that f x ~ z and R(z) This axiom introduces an assumption about f that might not be warranted: someone should also verify f!

let max' x y = (abs(y-x)+x+y)/2 Verification of max' Theorem: (max' x y) >= x and (max' x y) >= y and (max' x y = x) or (max' x y = y) Proof: by case analysis Case: y-x >= 0 equiv. y >= x Note that abs(y-x) ~ y-x by specification and by assumption that y >= x. So max' x y ~ (y-x + x + y)/2 ~ (y+y)/2 ~ y. Substituting y for (max x y) in the theorem, we have y >= x and y >= y and (y=x or y=y). By math and the assumption that y >= x, that holds.

let max' x y = (abs(y-x)+x+y)/2 Verification of max' Theorem: (max' x y) >= x and (max' x y) >= y and (max' x y = x) or (max' x y = y) Proof: by case analysis Case: y-x < 0 equiv. y < x Note that abs(y-x) ~ x-y by specification, math, and by assumption that y < x. So max' x y ~ (x-y + x + y)/2 ~ (x+x)/2 ~ x. Substituting x for (max x y) in the theorem, we have x >= x and x >= y and (x=x or x=y). By math and the assumption that y < x, that holds.

let max' x y = (abs(y-x)+x+y)/2 Verification of max' Theorem: (max' x y) >= x and (max' x y) >= y and (max' x y = x) or (max' x y = y) Proof: by case analysis Case: y-x >= 0... Case: y-x < 0... Those two cases are exhaustive. QED

Verification of max' # max' max_int 0;; - : int = -1 (abs(0-max_int)+max_int+0)/2 = (abs(-max_int)+max_int)/2 = (max_int+max_int)/2 = -2/2 = -1

Question What went wrong? A. There's a bug in our proof B. There's a bug in our specification of max C. There's a bug in our specification of abs D. There's a bug in our implementation E. Something else

Question What went wrong? A. There's a bug in our proof B. There's a bug in our specification of max C. There's a bug in our specification of abs D. There's a bug in our implementation E. Something else (mainly this) We agreed to ignore the limits of machine arithmetic...

Machine arithmetic (* requires: min_int <= x ++ y <= max_int *) val (+) : int -> int -> int (* requires: min_int <= x -- y <= max_int *) val (-) : int -> int -> int where ++ and -- denote the "ideal" math operators in counterexample, we attempt to compute max_int+max_int so our implementation of max' doesn't guarantee those preconditions hold when it calls (+) and (-) we could add a precondition to max' to rule out that behavior...

Corrected spec for max' (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) * requires: min_int/2 <= x <= max_int/2 * and min_int/2 <= y <= max_int/2 *) let max' x y = (abs(y-x)+x+y)/2 Theorem: if min_int/2 <= x <= max_int/2 and min_int/2 <= y <= max_int/2 then max' x y >= x and max' x y >= y and (max' x y = x or max' x y = y) Proof: omitted. QED

Verified max' vs max (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) * requires: min_int/2 <= x <= max_int/2 * and min_int/2 <= y <= max_int/2 *) let max' x y = (abs(y-x)+x+y)/2 (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) *) let max x y = if x>=y then x else y max' assumes more about its input than max does...max' has a stronger precondition

Strength of preconditions Given two preconditions PRE1 and PRE2 such that PRE1 => PRE2 (and PRE1 not logically equivalent to PRE2) e.g., x>1 => x>0 PRE1 is stronger than PRE2: assumes more function can be called under fewer circumstances PRE2 is weaker than PRE1: assumes less function can be called under more circumstances The weakest possible precondition is to assume nothing, but that might make implementation difficult The strongest possible precondition is to assume so much that the function can never be called

Verified max' vs max (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) * requires: min_int/2 <= x <= max_int/2 * and min_int/2 <= y <= max_int/2 *) let max' x y = (abs(y-x)+x+y)/2 (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) *) let max x y = if x>=y then x else y max' assumes more about its input than max does...max' has a stronger precondition...max' can be called under fewer circumstances; maybe less useful to clients

Strength of postconditions Given two postconditions POST1 and POST2 such that POST1 => POST2 (and POST1 not logically equivalent to POST2) e.g., returns a stably-sorted list => returns a sorted list POST1 is stronger than POST2: promises more function result can be used under more circumstances POST2 is weaker than POST1: promises less function result can be used under fewer circumstances The weakest possible postcondition is to promise nothing The strongest possible postcondition is to promise so much that the function could never be implemented

Question Which is the stronger postcondition for find? A: (* returns: find lst x is an index * at which x is found in lst * requires: x is in lst *) B: (* returns: find lst x is the first index * at which x is found in lst * requires: x is in lst *) val find: 'a list -> 'a -> int

Question Which is the stronger postcondition for find? A: (* returns: find lst x is an index * at which x is found in lst * requires: x is in lst *) B: (* returns: find lst x is the first index * at which x is found in lst * requires: x is in lst *) val find: 'a list -> 'a -> int

Satisfaction of specs Suppose a client gives us a spec to implement. Could we implement a function that meets a different spec, verify that implementation against that other spec, and still make the client happy? Analogy: In Java, if you're asked to implement a function that returns a List, could you instead return an Object? an ArrayList?

Satisfaction of specs If a client asked for A, could we give them B? If a client asked for B, could we give them A? A: (* returns: find lst x is an index * at which x is found in lst * requires: x is in lst *) B: (* returns: find lst x is the first index * at which x is found in lst * requires: x is in lst *)

Satisfaction of specs If a client asked for A, could we give them B? Yes. If a client asked for B, could we give them A? No. A: (* returns: find lst x is an index * at which x is found in lst * requires: x is in lst *) B: (* returns: find lst x is the first index * at which x is found in lst * requires: x is in lst *)

Satisfaction of specs If a client asked for C, could we give them D? If a client asked for D, could we give them C? C: (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) * requires: min_int/2 <= x <= max_int/2 * and min_int/2 <= y <= max_int/2 *) D: (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) *)

Satisfaction of specs If a client asked for C, could we give them D? Yes. If a client asked for D, could we give them C? No. C: (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) * requires: min_int/2 <= x <= max_int/2 * and min_int/2 <= y <= max_int/2 *) D: (* returns: a value z s.t. * z>=x and z>=y and (z=x or z=y) *)

Question Suppose a client gives us a spec to implement: requires: PRE returns: POST Which of the following could we instead implement and still satisfy the client? A. Weaker PRE and weaker POST B. Weaker PRE and stronger POST C. Stronger PRE and weaker POST D. Stronger PRE and stronger POST E. None of the above

Question Suppose a client gives us a spec to implement: requires: PRE returns: POST Which of the following could we instead implement and still satisfy the client? A. Weaker PRE and weaker POST B. Weaker PRE and stronger POST i.e., assume less and promise more C. Stronger PRE and weaker POST D. Stronger PRE and stronger POST E. None of the above

Refinement Specification B refines specification A if any implementation of B is also an implementation of A Any implementation of "find first" is an implementation of "find any", so "find first" refines "find any" Any implementation of "max" is an implementation of "max of small ints", so "max" refines "max of small ints" How can we verify that SPEC2 refines SPEC1? Need to prove that PRE1 => PRE2 i.e., PRE2 is weaker than (or equivalent to) PRE1 and that POST2 => POST1 ie., POST2 is stronger than (or equivalent to) POST1

Refinement and exercises We give you a SPEC1 for an exercise You refine that to a new SPEC2 Weaken the precondition or strengthen the postcondition You submit an implementation of SPEC2 By the definition of refinement, any implementation of SPEC2 is an implementation of SPEC1 so you are J But if you incorrectly refine the spec, then you are L (strengthen the precondition or weaken the postcondition)

Refinement and exercises We give you a SPEC1 for an exercise You implement that You are J We post a refined SPEC2 on Piazza. Weakens precondition or strengthens postcondition An implementation of SPEC1 is not necessarily an implementation of SPEC2! You are L Which is why one of my commandments to TAs is "Don't refine the spec." And why I tell you, "This is unspecified; do something reasonable."

Proof We worked only somewhat formally today Wrote formulas involving and, or, => How do we know we got it right? Formal verification: checked by machine maybe machine generates the proof maybe machine only checks the proof For that, we need formal logic (see CS 4860) and proof assistants and maybe special purpose logics for reasoning about programs (see CS 4110)

Upcoming events [Thursday] A5 due, including Async and design phase of project This is specified. THIS IS 3110

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback