Download presentation

Presentation is loading. Please wait.

Published byCason Segar Modified over 2 years ago

1
CSE 3341.03 Winter 2008 Introduction to Program Verification refining an interface

2
Exercise 7.2, 7.3(b) why all the complexity in the switch statement? language supports optimization -> complexity -> confusing logic -> harder to understand and verify is the complexity necessary? no: push it into an optimizing compiler

3
simpler switch to get the best of both worlds: we could code the switch statement in an unoptimized form with redundant statements so every case ends in a break annotate this with simpler conjunction of implications translate it into an optimized form, using break to eliminate the redundancies

4
7.2 Interfaces /* * If the object doesn't exist, add the object and return null, otherwise replace the * first object that matches and return the old object. * @param object The object to add. * @see Set#get */ public Object put(Object object);

5
Exercise 7.6 get(Object) = null and put(Object) = null and S = oldS union {Object} or remove(get(Object)) and put(Object) = get(Object)

6
7.3 refining an interface an easy case: the refinement extends the pre-condition (allowing more initial states) the new post-condition is a special case of the old.

7
proof obligations for refined interface verify that Pre implies Pre new and Post new implies Post

8
more complex refinement what needs to be verified? new code

9
refinement example TextModel, p.12-13 write inserts a character into or at the end of a text array BetterTextModel, p. 13-14 write inserts a character into or after the end of a text array, filling any gap with blanks

10
TextModel interface interface TextModel { void write (int pos, char ch); // insert char ch at position pos within the existing text. // pre-condition: //{ len = 'this.length'(nil) and txt = ‘this.text’(nil) and (0<= i < len implies 'this.read'(i) = array(txt,i)) and len < 'this.max'(nil)' and 0 <= pos <= len } // post-condition: //{ 'this.length'(nil) = len + 1 and (0 <= i < pos implies 'this.read'(i) = array(txt,i)) and 'this.read'(pos) = ch and pos < i < 'this.length'(nil) implies 'this.read'(i) = array(txt, i-1) }

11
BetterTextModel interface BetterTextModel { // pre-condition: //{ len = 'this.length'(nil) and txt = ‘this.text’(nil) and (0<= i < len implies 'this.read'(i) = array(txt,i)) and len < 'this.max'(nil) and 0 <= pos <= 'this.max'(nil) } // post-condition: //{ 'this.length'(nil) = max(len, pos) + 1 and (0 <= i < min(pos, len) implies array(txt, i) = 'this.read'(i)) and 'this.read'(pos) = ch and (pos < i < 'this.length'(nil) implies 'this.read'(i) = array(txt, i-1)) and (len < i < pos implies 'this.read'(i) = " ") }

12
Exercise 7.8 Given that the TextModel pre-condition holds, what is the (descriptive) post- condition when BetterTextModel's write(pos, ch) method is executed? min(pos, len) = pos and max(len, pos) = len and.. BetterTextModel's post-condition..

13
Well-behaved expressions BetterTextModel requires that the array length len < this.max problem: what ensures that this.max ≤ available addressable memory? very simple example (p. 14): int n1 = Integer.MAX_VALUE; int n2; n2 = n1 + 1; //{ n2 = n1 + 1}

14
assume all expressions are well-behaved given the code int n1; int n2; n2 = n1 + n2; //{ n2 = n1 + n2} we can only assume that n1 + n2 are "well- behaved", i. e. n1+ n2 ≤ Integer.MAX_VALUE so that the post-condition //{ n2 = n1 + n2} holds

15
partial functions another source of qualifications or restrictions: partial functions restricting variables to the domain of a function requires a pre-condition to be satisfied before the function is called. if we don’t want to have the code check every division operation (or top(stack) or rest(list) or a[i]) to see if the function is defined, we need a proof that the variable is "in bounds"

Similar presentations

OK

19-Aug-15 Simple Recursive Algorithms. 2 A short list of categories Algorithm types we will consider include: Simple recursive algorithms Backtracking.

19-Aug-15 Simple Recursive Algorithms. 2 A short list of categories Algorithm types we will consider include: Simple recursive algorithms Backtracking.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on area and perimeter for class 4 Ppt on earth hour day Ppt on asian continent outline Ppt on linear equations in two variables worksheet Difference between raster scan and random scan display ppt on tv Ppt on area of trapezium Ppt on history of olympics in usa Download ppt on jammu and kashmir tourism Ppt on cross-site scripting vulnerabilities What to expect at 30 week dr appt on the beach