# Introduction to Mathematical Reasoning

Jason Hallstrom and Murali Sitaraman, School of Computing, Clemson University


What does this code do to Integer I, where Foo1 and Bar1 are functions that modify their argument? `I = Foo1(I); I = Bar1(I);`

Or this to Integers I and J? `I = Foo2(I, J); J = Bar2(I, J); I = Bar2(I, J);`

What does this code do to Integer I? `I = Next(I); I = Prev(I);` How sure are we?

- Have to account for bounds in our analysis
- Summary: … Need formal descriptions beyond names

What does this code do to Integers I and J? `I = Sum (I, J); J = Difference (I, J); I = Difference (I, J);` Same discussion as before…

## Specification of Integer Operations

- Think of ints as integers in math
- Constraints, for all Integers I: `min_int <= I <= max_int`
- `Operation Next (I: Integer): Integer; requires I < max_int; ensures Next = I + 1;`
- `Operation Prev (I: Integer): Integer; requires I > min_int; ensures Prev = I - 1;`
- Parameters are allowed to be changed, depending on the language and how parameters are passed. So to make it clear that the parameter isn't modified, we specify: `Operation Next (preserves I: Integer): Integer; requires I < max_int; ensures Next = I + 1;`
- We can also specify: `Operation Increment (updates I: Integer); requires I < max_int; ensures I = #I + 1;` In the ensures clause, #I denotes the input I value
- Exercise: Specify Decrement

## Meaning of specifications

- Requirements and guarantees: requires clauses are preconditions, ensures clauses are postconditions
- Callers are responsible for requirements
- Caller of Increment is responsible for making sure input I < max_int
- Guarantees hold only if callers meet their requirements

## Is the code correct for the given spec?

- Spec: `Operation Do_Nothing (updates I: Integer); requires … ensures I = #I;`
- Code: `Increment(I); Decrement(I);`

## These specs are the same…

- Spec: `Operation Do_Nothing (preserves I: Integer); requires …`
- Spec: `Operation Do_Nothing (updates I: Integer); requires … ensures I = #I;`
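As an added example (not part of the slides), here is the Integer specification above written as runtime-checked requires/ensures clauses in Python. MAX_INT and MIN_INT are assumed 32-bit bounds (the slides keep them symbolic); the `contract` decorator, the `Ref` cell and the `try_op` helper are constructed for this illustration; and the ensures predicate receives the input value (the slides' #I) alongside the final value and the return value. Two variants of Do_Nothing are included, one with the requires clause I < max_int and one with no requires clause, to show where the violation surfaces when a caller does not meet Increment's precondition.

```python
import functools
from dataclasses import dataclass

# Assumed concrete bounds; the slides keep min_int and max_int symbolic.
MAX_INT = 2**31 - 1
MIN_INT = -(2**31)


class RequiresViolation(Exception):
    """The caller did not meet the operation's requires clause."""


class EnsuresViolation(Exception):
    """The operation did not deliver its ensures clause."""


@dataclass
class Ref:
    """A mutable cell, so an 'updates' parameter can be changed in place."""
    value: int


def contract(requires, ensures):
    """Attach a requires clause (checked on entry) and an ensures clause
    (checked on exit) to an operation taking one Integer cell. The ensures
    predicate sees #I (the input value), the final I, and the return value,
    so it can express both 'preserves' (I == #I) and 'updates' (I == #I + 1)."""
    def decorate(op):
        @functools.wraps(op)
        def wrapper(ref):
            old = ref.value
            if not requires(old):
                raise RequiresViolation(f"{op.__name__}: requires fails for I = {old}")
            result = op(ref)
            if not ensures(old, ref.value, result):
                raise EnsuresViolation(f"{op.__name__}: ensures fails for #I = {old}")
            return result
        return wrapper
    return decorate


# Operation Next (preserves I: Integer): Integer; requires I < max_int; ensures Next = I + 1;
@contract(requires=lambda i: i < MAX_INT,
          ensures=lambda old, new, ret: new == old and ret == old + 1)
def next_(ref):
    return ref.value + 1


# Operation Increment (updates I: Integer); requires I < max_int; ensures I = #I + 1;
@contract(requires=lambda i: i < MAX_INT, ensures=lambda old, new, ret: new == old + 1)
def increment(ref):
    ref.value += 1


# Operation Decrement (updates I: Integer); requires I > min_int; ensures I = #I - 1;
@contract(requires=lambda i: i > MIN_INT, ensures=lambda old, new, ret: new == old - 1)
def decrement(ref):
    ref.value -= 1


# Do_Nothing with the requires clause the slides settle on (I < max_int).
@contract(requires=lambda i: i < MAX_INT, ensures=lambda old, new, ret: new == old)
def do_nothing(ref):
    increment(ref)
    decrement(ref)


# The same body with an empty requires clause: nothing obliges the caller to
# keep I below max_int, so the violation surfaces inside Increment instead.
@contract(requires=lambda i: True, ensures=lambda old, new, ret: new == old)
def do_nothing_unguarded(ref):
    increment(ref)
    decrement(ref)


# A body that does not meet the Do_Nothing spec, to show the exit check firing.
@contract(requires=lambda i: i < MAX_INT - 1, ensures=lambda old, new, ret: new == old)
def not_do_nothing(ref):
    increment(ref)
    increment(ref)


def try_op(op, i):
    """Run op on a fresh cell holding i. Returns ('ok', final value, return value)
    or the name of the contract violation that was raised."""
    ref = Ref(i)
    try:
        ret = op(ref)
    except (RequiresViolation, EnsuresViolation) as exc:
        return type(exc).__name__
    return ("ok", ref.value, ret)


if __name__ == "__main__":
    print(try_op(do_nothing, 41))                 # ('ok', 41, None)
    print(try_op(next_, 41))                      # ('ok', 41, 42)
    print(try_op(do_nothing, MAX_INT))            # RequiresViolation, raised at Do_Nothing's entry
    print(try_op(do_nothing_unguarded, MAX_INT))  # RequiresViolation, raised by Increment
    print(try_op(not_do_nothing, 41))             # EnsuresViolation
```

The guarded and unguarded Do_Nothing both reject I = max_int, but for different reasons: the guarded one blames the caller at its own entry, while the unguarded one lets the call through and Increment's requires clause catches it. That is the slides' point that guarantees hold only when callers meet their requirements.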

## Methods for checking correctness

- Testing?
- Tracing or inspection?
- Mathematical reasoning

## Mathematical reasoning

- Goal: To prove correctness
- Method: The rest of this presentation
- Can prove correctness on all valid inputs
- Can show absence of bugs

## Example: Prove correctness

- Spec: `Operation Do_Nothing (updates I: Integer); requires I < max_int; ensures I = #I;`
- Code: `Increment(I); Decrement(I);`

Establish the goals in state-oriented terms using a table:

| State | Code | Assume | Confirm |
|---|---|---|---|
| 0 | | | |
| | `Increment(I);` | | |
| 1 | | | |
| | `Decrement(I);` | | |
| 2 | | | I2 = I0 |

Assume requires clause at the beginning (Why?)

| State | Code | Assume | Confirm |
|---|---|---|---|
| 0 | | I0 < max_int and … | |
| | `Increment(I);` | | |
| 1 | | | |
| | `Decrement(I);` | | |
| 2 | | | I2 = I0 |

Assume calls work as advertised

| State | Code | Assume | Confirm |
|---|---|---|---|
| 0 | | I0 < max_int and … | |
| | `Increment(I);` | | |
| 1 | | I1 = I0 + 1 | |
| | `Decrement(I);` | | |
| 2 | | I2 = I1 - 1 | I2 = I0 |

Prove the goal(s) using assumptions

- Prove I2 = I0
- Proof of I2 = I0: I2 = I1 - 1 (assumption in state 2) = (I0 + 1) - 1 (assumption in state 1) = I0 (simplification)
- More proof needed…

More assertions to be confirmed (Why?)

| State | Code | Assume | Confirm |
|---|---|---|---|
| 0 | | I0 < max_int and … | I0 < max_int |
| | `Increment(I);` | | |
| 1 | | I1 = I0 + 1 | I1 > min_int |
| | `Decrement(I);` | | |
| 2 | | I2 = I1 - 1 | I2 = I0 |

Prove all assertions to be confirmed

- Proofs - exercises

## Basics of Mathematical Reasoning

- Suppose you are verifying code for some operation P
  - Assume its requires clause in state 0
  - Confirm its ensures clause at the end
- Suppose that P calls Q
  - Confirm the requires clause of Q in the state before Q is called. Why? Because the caller is responsible
  - Assume the ensures clause of Q in the state after Q. Why? Because Q is assumed to work
- Prove assertions to be confirmed
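The recipe above, applied mechanically: the following added example (not the authors' code) builds the assume/confirm table for straight-line code made of Increment and Decrement calls and decides each obligation. It assumes only the two callee specs given earlier, and it represents the value of I in every state as I0 plus an offset, so the facts needed are integer bounds on I0 relative to the symbolic constants min_int and max_int. It goes beyond the slides' Do_Nothing case: any sequence of the two calls and any ensures clause of the form I = #I + d can be checked, and a failed obligation shows which requires clause is missing.

```python
from dataclasses import dataclass, field

# Callee specifications from the slides: the requires clause as a strict
# bound on I, and the effect as an offset (ensures I = #I + delta).
SPECS = {
    "Increment": {"requires": ("<", "max_int"), "delta": +1},
    "Decrement": {"requires": (">", "min_int"), "delta": -1},
}


@dataclass
class Row:
    """One line of the assume/confirm table: the state number, what may be
    assumed in that state, and what must be confirmed there."""
    state: int
    assume: list = field(default_factory=list)
    confirm: list = field(default_factory=list)


def fmt(off):
    """Render I0 + off the way the slides write state values."""
    if off == 0:
        return "I0"
    return f"I0 {'+' if off > 0 else '-'} {abs(off)}"


def bounds_from(requires):
    """Translate the assumed requires clause into integer bounds on I0 relative
    to the symbolic constants: I0 <= max_int + u and I0 >= min_int + l.
    The type constraint min_int <= I0 <= max_int gives u = l = 0 to start."""
    u, l = 0, 0
    for op, const in requires:
        if (op, const) == ("<", "max_int"):
            u = min(u, -1)          # I0 < max_int  <=>  I0 <= max_int - 1
        elif (op, const) == (">", "min_int"):
            l = max(l, 1)           # I0 > min_int  <=>  I0 >= min_int + 1
        else:
            raise ValueError(f"unsupported clause: I {op} {const}")
    return u, l


def entailed(off, clause, u, l):
    """Decide whether (I0 + off) <op> const follows from the bounds.
    I0 + off < max_int  <=>  I0 <= max_int - off - 1, which the known bound
    I0 <= max_int + u delivers exactly when u <= -off - 1; symmetrically,
    I0 + off > min_int  <=>  I0 >= min_int - off + 1 needs l >= 1 - off."""
    op, const = clause
    if (op, const) == ("<", "max_int"):
        return u + off + 1 <= 0
    if (op, const) == (">", "min_int"):
        return l + off - 1 >= 0
    raise ValueError(f"unsupported clause: I {op} {const}")


def verify(requires, code, ensures_delta):
    """Apply the slides' recipe to straight-line `code` (a list of callee
    names) for the spec  requires <requires>; ensures I = #I + ensures_delta.
    Returns the table rows and a list of (obligation text, proved?)."""
    u, l = bounds_from(requires)
    rows = [Row(0, assume=[f"I0 {op} {c}" for op, c in requires]
                    + ["min_int <= I0 <= max_int"])]
    obligations = []
    off = 0                          # I in the current state equals I0 + off
    for k, name in enumerate(code):
        spec = SPECS[name]
        # Caller is responsible: confirm the callee's requires clause in the
        # state before the call, using only the assumptions collected so far.
        clause = spec["requires"]
        text = f"I{k} {clause[0]} {clause[1]}"
        rows[-1].confirm.append(text)
        obligations.append((text, entailed(off, clause, u, l)))
        # Q is assumed to work: assume its ensures clause in the next state.
        d = spec["delta"]
        off += d
        rows.append(Row(k + 1, assume=[f"I{k + 1} = I{k} {'+' if d > 0 else '-'} {abs(d)}"]))
    # Finally confirm the ensures clause of the operation being verified.
    goal = f"I{len(code)} = {fmt(ensures_delta)}"
    rows[-1].confirm.append(goal)
    obligations.append((goal, off == ensures_delta))
    return rows, obligations


def print_table(rows):
    print(f"{'state':>5} | {'assume':<32} | confirm")
    for r in rows:
        print(f"{r.state:>5} | {'; '.join(r.assume):<32} | {'; '.join(r.confirm)}")


if __name__ == "__main__":
    # Do_Nothing from the slides: requires I < max_int; ensures I = #I.
    rows, obligations = verify([("<", "max_int")], ["Increment", "Decrement"], 0)
    print_table(rows)
    for text, ok in obligations:
        print(("proved " if ok else "FAILED ") + text)
```

Running the Do_Nothing case reproduces the final table on the slides and proves all three obligations (I0 < max_int, I1 > min_int, I2 = I0). Dropping the requires clause leaves I0 < max_int unproved, and swapping the two calls leaves I0 > min_int unproved, which is exactly the information a missing precondition should surface.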
