Specifying an ADT Give function specification. Identify partial functions A function which cannot be applied on all of its possible parameters Categorize functions into: creator: creates a new ADT query: returns a value other than the ADT command: receives a value of the new ADT and returns a value of the new ADT Give preconditions for partial functions Give axioms to describe ADT behavior.

Preconditions Every partial function should have a precondition. If a function cannot return a value or should not be applied in a specific situation, it must have a precondition. Item-at(s:stack[G], i:integer) - cannot be applied unless 0 < i <= count() remove(s: stack[G]) – cannot be applied unless !empty(s)

Axioms Write axioms to describe the behavior of the ADT. The axioms are used for reasoning and for proving sufficiently completeness, therefore they should simplify expressions. You should have an axiom for every query applied on every command. If necessary add axioms of commands applied on commands. The expression on the right hand side of the axiom should be simpler than the one on the left hand side. In axioms, a simpler expression is shorter than a more complicated one: item-at(put(s, x), i) = item-at(s, i-1)

Forgetful Stack make: INTEGER FS[G] capacity: FS[G]  INTEGER item: FS[G] G put: FS[G]  G FS[G] remove: FS[G] FS[G] count: FS[G]  INTEGER item-at: FS[G]  INTEGER G AXIOMS A1.capacity(make(n)) = n A2.capacity(put(s, x)) = capacity(s) A3.capacity(remove(s)) = capacity(s) A4.count(make(n)) = 0 A5.count(put(s,x))=min(count(s)+1,capacity(s)) A6.count(remove(s)) = count(s) –1 A7.item(s) = item-at(s, 1) A8.item-at(put(s, x), 1) = x A9.i>1  item-at(put(s, x), i) = item-at(s, i-1) A10.item-at(remove(s), i) = item-at(s, i+1)      Preconditions make(n) require n  0 item(s) require count(s) > 0 put(s, x) require capacity(s) > 0 remove(s) require count(s) > 0 item-at(s, i) require 1  i  count(s)

Sufficiently complete Show correctness (explained later) Show that every query q i applied on every command cmd j reduces the expression. Use q i (make(n)) as base case for the induction. Assume that applying q i on an expression of size n returns a value. Show, using axioms, for every cmd j how to reduce q i (cmd j (s)) to q i (s) - the induction step.

Forgetful stack example q 1 = capacity cmd 1 = make(n) - Base case q 1 (cmd 1 ) = capacity(make(n)) = n (By Axiom 1) cmd 2 = put(s, x) q 1 (cmd 2 ) = capacity(put(s, x)) = capacity(s) (By Axiom 2) cmd 3 = remove(s) q 1 (cmd 3 ) = capacity(remove(s)) = capacity(s) (By Axiom 3)

Correctness Given expression e, prove using preconditions and axioms that every subexpression of e is correct. Proof by induction on the weight of expression e. Define a weight function on the functions of the ADT. Each ADT has its own weight function.

Correctness The creator is of zero weight - Base case Give a weight to every command. In the stack example: put increments the weight by 1 remove decrements the weight by 1 Assume the correctness of an expression e. Prove by induction by applying a command on an assumed correct expression s. The weight of s >= 0 (by the assumption)

Correctness Show that the weight of e 1 = cmd i (s) is non negative for every command cmd i. If cmd i has no precondition, like put(s, x) then e 1 = put(s, x) is correct, s assumed correct (non negative weight)  e 1 has non negative (positive) weight. Else, the outermost (last) command in e can be one of cmd j : cmd i  cmd j. e 1 = cmd i (s)  s = cmd j (s’)  e 1 = cmd i (cmd j (s ’ )) e 1 = remove(s)  s = put(s’, x)  e 1 = remove(put(s’, x)) Show using preconditions and axioms how the weight of e 1 remains non negative.