1. School of Computing Clemson University Mathematical Reasoning  Goal: To prove correctness  Method: Use a reasoning table  Prove correctness on all valid inputs

2. School of Computing Clemson University Example: Prove Correctness Spec: Operation Do_Nothing (i: Integer); requires min_int <= i and i + 1 <= max_int; ensures i = #i; Code: Increment(i); Decrement(i);

3. School of Computing Clemson University Design by Contract  Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions  Caller is responsible for requirements  Postcondition holds only if caller meets operation’s requirements

4. School of Computing Clemson University Basics of Mathematical Reasoning  Suppose you are proving the correctness for some operation P Confirm P’s ensures clause at the last state Assume P’s requires clause in state 0

5. School of Computing Clemson University In State 2 – Establish Goal of Do_Nothing’s Ensures Clause AssumeConfirm 0 Increment(i); 1 Decrement(i) 2i2 = i0

6. School of Computing Clemson University In State 0 Assume Do_Nothing’s Requires Clause AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1 Decrement(i) 2i2 = i0

7. School of Computing Clemson University More Basics  Now, suppose that P calls Q Confirm Q’s requires clause in the state before Q is called Assume Q’s ensures clause in the state after Q is called

8. School of Computing Clemson University Specification of Integer Operations  Operation Increment (i: Integer); requires i + 1 <= max_int; ensures i = #i + 1;  Operation Decrement (i: Integer); requires min_int <= i - 1; ensures i = #i – 1;

9. School of Computing Clemson University Assume Calls Work as Advertised AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1i1 = i0 + 1 Decrement(i) 2i2 = i1 - 1i2 = i0

10. School of Computing Clemson University More Preconditions Must Be Confirmed AssumeConfirm 0min_int <= i0 and i0 + 1 <= max_int Increment(i); 1i1 = i0 + 1 min_int <= i1 - 1 Decrement(i) 2i2 = i1 - 1 i2 = i0

11. School of Computing Clemson University Write Down Verification Conditions(VCs)  Verification Condition for State 0 (min_int <= i0) ^ (i0 + 1 <= max_int)  i0 + 1 <= max_int

12. School of Computing Clemson University Write Down Verification Conditions(VCs)  VC for State 1 P1: min_int <= i0 (from State 0) P2: i0 + 1 <= max_int (from State 0) P3: i1 = i0 + 1 VC: P1 ^ P2 ^ P3  min_int <= i1 - 1  VC for State 2 P4: i2 = i1 - 1 VC: P1 ^ P2 ^ P3 ^ P4  i2 = i0

13. School of Computing Clemson University Use Direct Proof Method  For p  q  Assume premise ‘p’  Show conclusion ‘q’ is true  Prove VC for State 0 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Show: i0 + 1 <= max_int

14. School of Computing Clemson University Prove VCs for State 1 & State 2  Prove VC for State 1 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Assume P3: i1 = i0 + 1 Show: min_int <= i1 - 1  Prove VC for State 2 Assume P1 ^ P2 ^ P3 Assume P4: i2 = i1 – 1 Show: i2 = i0