School of Computing Clemson University Mathematical Reasoning Goal: To prove correctness Method: Use a reasoning table Prove correctness on all valid inputs
School of Computing Clemson University Example: Prove Correctness Spec: Operation Do_Nothing (i: Integer); requires min_int <= i and i + 1 <= max_int; ensures i = #i; Code: Increment(i); Decrement(i);
School of Computing Clemson University Design by Contract Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions Caller is responsible for requirements Postcondition holds only if caller meets operation’s requirements
School of Computing Clemson University Basics of Mathematical Reasoning Suppose you are proving the correctness for some operation P Confirm P’s ensures clause at the last state Assume P’s requires clause in state 0
School of Computing Clemson University In State 2 – Establish Goal of Do_Nothing’s Ensures Clause AssumeConfirm 0 Increment(i); 1 Decrement(i) 2i2 = i0
School of Computing Clemson University In State 0 Assume Do_Nothing’s Requires Clause AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1 Decrement(i) 2i2 = i0
School of Computing Clemson University More Basics Now, suppose that P calls Q Confirm Q’s requires clause in the state before Q is called Assume Q’s ensures clause in the state after Q is called
School of Computing Clemson University Specification of Integer Operations Operation Increment (i: Integer); requires i + 1 <= max_int; ensures i = #i + 1; Operation Decrement (i: Integer); requires min_int <= i - 1; ensures i = #i – 1;
School of Computing Clemson University Assume Calls Work as Advertised AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1i1 = i0 + 1 Decrement(i) 2i2 = i1 - 1i2 = i0
School of Computing Clemson University More Preconditions Must Be Confirmed AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1i1 = i0 + 1 min_int <= i1 - 1 Decrement(i) 2i2 = i1 - 1 i2 = i0
School of Computing Clemson University Write Down Verification Conditions(VCs) Verification Condition for State 0 (min_int <= i0) ^ (i0 + 1 <= max_int) i0 + 1 <= max_int
School of Computing Clemson University Write Down Verification Conditions(VCs) VC for State 1 P1: min_int <= i0 (from State 0) P2: i0 + 1 <= max_int (from State 0) P3: i1 = i0 + 1 VC: P1 ^ P2 ^ P3 min_int <= i1 - 1 VC for State 2 P4: i2 = i1 - 1 VC: P1 ^ P2 ^ P3 ^ P4 i2 = i0
School of Computing Clemson University Use Direct Proof Method For p q Assume premise ‘p’ Show conclusion ‘q’ is true Prove VC for State 0 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Show: i0 + 1 <= max_int
School of Computing Clemson University Prove VCs for State 1 & State 2 Prove VC for State 1 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Assume P3: i1 = i0 + 1 Show: min_int <= i1 - 1 Prove VC for State 2 Assume P1 ^ P2 ^ P3 Assume P4: i2 = i1 – 1 Show: i2 = i0