Presentation is loading. Please wait.

Presentation is loading. Please wait.

Specification and Verification in Introductory Computer Science Frank Pfenning Carnegie Mellon University MSR-CMU Center for Computational Thinking May.

Published byNancy Keeler Modified over 9 years ago

Similar presentations

Presentation on theme: "Specification and Verification in Introductory Computer Science Frank Pfenning Carnegie Mellon University MSR-CMU Center for Computational Thinking May."— Presentation transcript:

1 Specification and Verification in Introductory Computer Science Frank Pfenning Carnegie Mellon University MSR-CMU Center for Computational Thinking May 14, 2012 www.cs.cmu.edu/~fp/courses/15122 c0.typesafety.net Principal Contributors: Rob Arnold, Tom Cortina, Ian Gillis, Jason Koenig, William Lovas, Karl Naden, Rob Simmons, Jakob Uecker MSR Collaborators: Rustan Leino, Nikolaj Bjørner MS Guest Speaker: Jason Yang (Windows team) MSR Inspiration: Manuvir Das, Peter Lee

2 Outline Background and guiding principles Role in the curriculum Learning goals C0 Language (Lecture sample) Research plans May 14, 20122MSR-CMU Center for Computational Thinking

3 Background 15-122 Principles of Imperative Computation Part of a major core CS curriculum revision – 15-110/112 Principles of Computing/Programming – 15-150 Principles of Functional Programming – 15-210 Parallel & Sequential Data Structs. & Algs. – 15-214 Software System Construction Still under development – Pilot in Fall 2010, every semester since then – Now taught ~630 students, majors & non-majors – Adoption at Tübingen, Germany, Spring 2012 May 14, 20123MSR-CMU Center for Computational Thinking

4 Core Curriculum Chart 15-112 Fundamentals of Programming 15-122 Principles of Imperative Computation 15-150 Principles of Functional Programming 15-214 Software System Construction 15-210 Seq. & Par. Data Structs. & Algs. 15-213 Computer Systems 15-251 Great Ideas of Theoretical CS 21-127 Concepts of Modern Math May 14, 20124MSR-CMU Center for Computational Thinking 15-110 Principles of Computing

5 Guiding Principles Computational thinking and programming must go hand-in-hand Algorithm and data structure design, analysis, and implementation is an intellectual activity We build abstractions from an understanding of the concrete Rigorous types, invariants, specifications, interfaces are crucial May 14, 20125MSR-CMU Center for Computational Thinking

6 Role in the New Curriculum Precondition: some programming experience – Self-taught or high-school programming or 15-112 – Python and Java most common – Broad rather than deep; diverse Postcondition: preparation for 15-2xx courses – 15-210: Par. & Seq. Data Structs. & Algs. – 15-213: Computer Systems – 15-214: Software System Construction May 14, 20126MSR-CMU Center for Computational Thinking

7 Learning Goals Computational thinking Programming skills Specific data structures and algorithms Application contexts May 14, 20127MSR-CMU Center for Computational Thinking

8 Computational Thinking Algorithmic concepts vs. code Abstraction and interfaces Specification vs. implementation Pre- and post-conditions, loop invariants Data structure invariants Logical and operational reasoning Asymptotic complexity and practical efficiency Programs as data Exploiting randomness May 14, 20128MSR-CMU Center for Computational Thinking

9 Programming Skills Deliberate programming Understand static and dynamic semantics Develop, test, debug, rewrite, refine Invariants, specifications Using and designing APIs Use and implement data structures – Emphasis on mutable state (“RAM model”) Render algorithms into correct code – Emphasis on imperative programming May 14, 20129MSR-CMU Center for Computational Thinking

10 Some Algorithmic Concepts Asymptotic analysis – Sequential computation – Time and space – Worst-case vs. average-case – Amortized analysis – Common classes: O(n), O(n*log(n)), O(n 2 ), O(2 n ) Divide and conquer Self-adjusting data structures Randomness Sharing May 14, 201210MSR-CMU Center for Computational Thinking

11 Specific Alg’s and Data Struct’s Binary search Sorting (selection sort, mergesort) Stacks and queues Hash tables Priority queues (heaps) Binary search trees (red/black, randomized) Tries Binary decision diagrams (SAT, validity) Graph traversal (depth-first, breadth-first) Minimum spanning trees (Prim’s alg., Kruskal’s alg.) Union-find May 14, 201211MSR-CMU Center for Computational Thinking

12 Application Contexts See algorithms in context of use Engage students’ interest Assignments (all written+programming) – Image manipulation – Text processing (Shakespeare word freq’s) – Grammars and parsing – Maze search – Huffman codes – Puzzle solving (Lights Out) – Implementing a virtual machine (C0VM) May 14, 201212MSR-CMU Center for Computational Thinking

13 Language Weeks 1-10: Use C0, a small safe subset of C, with a layer to express contracts – Garbage collection (malloc/free) – Fixed range modular integer arithmetic – Language unambiguously defined – Contracts as boolean expressions Weeks 11-14: Transition to C – Exploit positive habits, assertion macros – Pitfalls and idiosyncrasies of C May 14, 201213MSR-CMU Center for Computational Thinking

14 Type Structure t = int | bool | struct s | t* | t[] Distinguish pointers and arrays Distinguish ints and booleans Structs and arrays live in memory; ints, bools, and pointers in variables Strings and chars as abstract types May 14, 201214MSR-CMU Center for Computational Thinking

15 Control Structure Variables and assignment Separation of expressions and statements Conditionals, while, and for loops Functions Other considerations – Minimal operator overloading – No implicit type conversions – Initialization May 14, 201215MSR-CMU Center for Computational Thinking

16 Rationale for C0 Imperative implementations of simple algorithms are natural in this fragment Simplicity permits effective analysis – Proving invariants, sound reasoning Concentrate on principles first, C later Industrial use of assertions (SAL, Spec#) – Guest lecture by J. Yang from MS Windows team May 14, 201216MSR-CMU Center for Computational Thinking

17 Lecture Example In actual lecture use blackboard, plus laptop for writing code Recurring theme Computational Thinking Data Structures and Algorithms Programming May 14, 201217MSR-CMU Center for Computational Thinking

18 Lecture 13: Priority Queues Lecture 14: Restoring Invariants Restoring Invariants Priority Queues Heaps Trees as Arrays May 14, 201218MSR-CMU Center for Computational Thinking

19 Heap Interface May 14, 2012MSR-CMU Center for Computational Thinking19 typedef struct heap* heap; bool heap_empty(heap H); /* is H empty? */ heap heap_new(int limit) /* create new heap */ //@requires limit > 0; //@ensures heap_empty(\result); ; void heap_insert(heap H, int x); /* insert x into H */ int heap_min(heap H) /* find minimum */ //@requires !heap_empty(H); ; int heap_delmin(heap H) /* delete minimum */ //@requires !heap_empty(H); ;

20 Checking Heap Invariants May 14, 2012MSR-CMU Center for Computational Thinking20 struct heap { int limit; int next; int[] heap; }; bool is_heap(heap H) //@requires H != NULL && \length(H->heap) == H->limit; { if (!(1 next && H->next limit)) return false; for (int i = 2; i next; i++) if (!(H->heap[i/2] heap[i])) return false; return true; }

21 Heap Insertion May 14, 2012MSR-CMU Center for Computational Thinking21 void heap_insert(heap H, int x) //@requires is_heap(H); //@requires !heap_full(H); //@ensures is_heap(H); { H->heap[H->next] = x; H->next++; sift_up(H, H->next-1); }

22 Preliminary Course Assessment First four course instances successful – Covered envisioned material and more – Excellent exam and assignment performance – Lecture notes – Positive student feedback Interesting programming assignments – Using our C0 compiler weeks 1-10, gcc thereafter – Linked with C/C++ libraries May 14, 201222MSR-CMU Center for Computational Thinking

23 Some Course Tools C0 to C compiler (cc0), front end v3 C0 interpreter and debugger (new Su 2012) C0 tutorial C0 language reference Binaries for Windows, Linux, Mac OS X C0VM for last assignment May 14, 201223MSR-CMU Center for Computational Thinking

24 Contracts Currently, contracts are checked dynamically if compiled with cc0 -d Contracts are enormously useful – Bridge the gap from algorithm to implementation – Express programmer intent precisely – Catch bugs during dynamic checking – Debugging aid (early failure, localization) Not easy to learn effective use of contracts May 14, 201224MSR-CMU Center for Computational Thinking

25 Exploiting Contracts Further Ongoing research Contracts could be even more useful – Static verification (MSR: Daphne, Boogie, Z3) – Counterexample, test generation (MSR: Pex) – Autograding of code and contracts The educational setting creates unique challenges and opportunities – Explainable static analysis (null ptrs, array bounds) – Pedagogically sound design – Diversity of student programmers May 14, 201225MSR-CMU Center for Computational Thinking

26 Summary 15-122 Principles of Imperative Computation Freshmen-level course emphasizing the interplay between computational thinking, algorithms, and programming in simple setting C0, a small safe subset of C, with contracts Contracts pervasive, checked only dynamically Research question: can we use static analysis and theorem proving to aid in achieving student learning goals? MSR collaborators: Rustan Leino, Nikolaj Bjørner Visits: F. Pfenning, J. Yang, R. Leino, K. Naden, J. Koenig, May 14, 2012MSR-CMU Center for Computational Thinking26

27 Priority Queues Generalizes stacks and queues Abstract interface – Create a new priority queue – Insert an element – Remove a minimal element May 14, 201227MSR-CMU Center for Computational Thinking

28 Heaps Alternative 1: unsorted array – Insert O(1), delete min O(n) Alternative 2: sorted array – Insert O(n), delete min O(1) Alternative 3: heap – Partially sorted! May 14, 201228MSR-CMU Center for Computational Thinking

29 Heaps A heap represents a priority queue as a binary tree with two invariants Shape: – Tree is complete (missing nodes bottom-right) Order: – Each interior node is greater-or-equal to its parent – OR: each node is less-or-equal to all its children Guarantee a minimal element is at root! May 14, 201229MSR-CMU Center for Computational Thinking

30 1 node2 nodes3 nodes4 nodes 5 nodes6 nodes7 nodes Shape Invariant May 14, 201230MSR-CMU Center for Computational Thinking

31 2 43 789 2 43 7891 Inserting into Heap By shape invariant, know where new element should go Now have to restore ordering invariant May 14, 201231MSR-CMU Center for Computational Thinking

32 Order invariant satisfied, except between new node and its parent (“looking up”) Swapping with parent will restore locally Parent may now violate invariant 2 41 7893 2 43 7891 Sifting Up May 14, 201232MSR-CMU Center for Computational Thinking

33 1 42 7893 2 41 7893 Invariant Restored When reaching root (no parent!), ordering invariant restored everywhere We have a valid heap! May 14, 201233MSR-CMU Center for Computational Thinking

34 Analysis Insert requires O(log(n)) swaps in worst case Logarithmic thinking: complete binary tree with n elements has 1+log(n) levels Delete min also O(log(n)), omitted here May 14, 2012MSR-CMU Center for Computational Thinking34

35 Exploit shape invariant Binary numbering system for nodes, root is 1 Left child is n0 = 2*n; right child is n1 = 2*n+1 Parent is at n/2; 0 is unused 1 1011 101110100111 1 23 5647 Heaps as Arrays May 14, 201235MSR-CMU Center for Computational Thinking

36 Creating a Heap May 14, 2012MSR-CMU Center for Computational Thinking36 heap heap_new(int limit) //@requires 1 <= limit; //@ensures is_heap(\result) && heap_empty(\result); { heap H = alloc(struct heap); H->limit = limit; H->next = 1; H->heap = alloc_array(int, limit); return H; } Pre/postconditions are easy to specify and reason about How to automate?

37 Almost a Heap May 14, 2012MSR-CMU Center for Computational Thinking37 bool is_heap_except_up(heap H, int n) //@requires H != NULL && \length(H->heap) == H->limit; { int i; if (!(1 next && H->next limit)) return false; for (i = 2; i next; i++) if (!(i == n || H->heap[i/2] heap[i])) return false; return true; } // is_heap_except_up(H, 1) == is_heap(H); Captures permitted violation precisely Observation at end for postcondition of sift_up

38 Sifting Up / Restoring Invariant May 14, 2012MSR-CMU Center for Computational Thinking38 void sift_up(heap H, int n) //@requires 1 limit; //@requires is_heap_except_up(H, n); //@ensures is_heap(H); { int i = n; while (i > 1) //@loop_invariant is_heap_except_up(H, i); { if (H->heap[i/2] heap[i]) return; swap(H->heap, i/2, i); i = i/2; } //@assert i == 1; //@assert is_heap_except_up(H, 1); return; }

Download ppt "Specification and Verification in Introductory Computer Science Frank Pfenning Carnegie Mellon University MSR-CMU Center for Computational Thinking May."

Similar presentations

Advanced programming tools at Microsoft

Advanced programming tools at Microsoft
Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,

Writing specifications for object-oriented programs K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 21 Jan 2005 Invited talk, AIOOL 2005 Paris,
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Data Structure & Abstract Data Type

Data Structure & Abstract Data Type
Exam Review 3 Chapters 10 – 13, 15 CSC212 Section FG CS Dept, CCNY.

Exam Review 3 Chapters 10 – 13, 15 CSC212 Section FG CS Dept, CCNY.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?

Addressing the Challenges of Current Software. Questions to Address Why? What? Where? How?
Introduction to Computer Science 2 Lecture 7: Extended binary trees

Introduction to Computer Science 2 Lecture 7: Extended binary trees
COL 106 Shweta Agrawal and Amit Kumar

COL 106 Shweta Agrawal and Amit Kumar
Transform and Conquer Chapter 6. Transform and Conquer Solve problem by transforming into: a more convenient instance of the same problem (instance simplification)

Transform and Conquer Chapter 6. Transform and Conquer Solve problem by transforming into: a more convenient instance of the same problem (instance simplification)
Lecture 8 CS203. Implementation of Data Structures 2 In the last couple of weeks, we have covered various data structures that are implemented in the.

Lecture 8 CS203. Implementation of Data Structures 2 In the last couple of weeks, we have covered various data structures that are implemented in the.
1 Chapter 6 Priority Queues (Heaps) General ideas of priority queues (Insert & DeleteMin) Efficient implementation of priority queue Uses of priority queues.

1 Chapter 6 Priority Queues (Heaps) General ideas of priority queues (Insert & DeleteMin) Efficient implementation of priority queue Uses of priority queues.
CS 307 Fundamentals of Computer Science 1 Abstract Data Types many slides taken from Mike Scott, UT Austin.

CS 307 Fundamentals of Computer Science 1 Abstract Data Types many slides taken from Mike Scott, UT Austin.
CSE 830: Design and Theory of Algorithms

CSE 830: Design and Theory of Algorithms
1 abstract containers hierarchical (1 to many) graph (many to many) first ith last sequence/linear (1 to 1) set.

1 abstract containers hierarchical (1 to many) graph (many to many) first ith last sequence/linear (1 to 1) set.
Data Structures, Spring 2004 © L. Joskowicz 1 DAST – Final Lecture Summary and overview What we have learned. Why it is important. What next.

Data Structures, Spring 2004 © L. Joskowicz 1 DAST – Final Lecture Summary and overview What we have learned. Why it is important. What next.
1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.

1 ES 314 Advanced Programming Lec 2 Sept 3 Goals: Complete the discussion of problem Review of C++ Object-oriented design Arrays and pointers.
Marc Smith and Jim Ten Eyck

Marc Smith and Jim Ten Eyck
PRIORITY QUEUES AND HEAPS Lecture 16 CS2110 Spring 2015.

PRIORITY QUEUES AND HEAPS Lecture 16 CS2110 Spring 2015.
Mathematics throughout the CS Curriculum Support by NSF #

Mathematics throughout the CS Curriculum Support by NSF #

Similar presentations

Ads by Google