# 1 Analysis of a class a case study We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start.

## Presentation on theme: "1 Analysis of a class a case study We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start."— Presentation transcript:

1 Analysis of a class a case study We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start with experiments. On this base, the lemmas are formulated and proved. Finally the theorem on correctness of class is stated. G. Mirkowska, A. Salwicki Abstract 10 th December 2003

2 Theses : Class SIMULATION offered by Loglan82 is quite a tool, the hierarchical structure of the class is helpful during planning a simulating experiment, the specification of the class makes easier to understand it,. MAIN THESIS: it is possible to prove the correctness of the class Simulation.

3 Plan Plan :  Problem: does the class PQ correctly implement the notion of priority queue?  class body (code of class PQ)  Definition - specification of the notion priority queue  Experiments  Formulating observations - lemmas  Proofs of lemmas  Theorem class PQ correctly implements the axioms of priority queue

4 Problem: czy podana poniżej klasa PQ poprawnie implementuje kolejkę priorytetową? Zobaczmy tekst tej klasyklasy

5 Unit PriorityQueues: class; unit elem: class (prior: real);... unit node: class(el: elem);  unit queuehead:class; var root, last: node; unit Min: function: elem;  unit insert: procedure(e: elem);  unit delete: procedure(e: elem);  unit correct: procedure(e:elem, down: Boolean); end queuehead; end PriorityQueues;

6 unit elem: class (prior: real); var lab: node; unit virtual less: function(x: elem): Boolean;  begin lab := new node(this elem) end elem; class elem object of class elem lab: node prior: real virtual less: function label objects of class elem will be presented as brown boxes

7 Class node Unit node: class(el: elem); var left, right, up: node ns: integer; unit virtual less: function(): Boolean;  end node; Object of class node el ns = left right up = el ns = left right up

8 unit queuehead: class; (* obiekt tej klasy reprezentuje zbiór elementów z operacjami zob. niżej *) var root, last: node; const down := true, up := false; unit min: function: elem; begin if root <>none then result := root.el fi end min; (* powinien zwracać element najmniejszy w zbiorze *) unit insert: procedure(e: elem);  (* wstawia element e do zbioru*) unit delete: procedure(e: elem);  (* usuwa element e ze zbioru*) unit correct: procedure(r: elem, down: Boolean); (* poprawia, w górę lub w dół, strukturę zbioru zmienioną przez delete, insert *) end queuehead; Structure of class queuehead and its methods

9 unit insert: procedure(e: elem); var x,z: node; begin x := e.lab; if last = none then root := x; last, root.left, root.right := root (* x.up = none *) else if last.ns = 0 then last.ns := 1; z := last.left; last.left := x; x.up := last; x.left := z; x.right := x else last.ns := 2; z := last.right; last.right := x; x.right := z; x.up := last; z.left := x; last.left.right := x; x.left := last.left; last := z fi fi; call correct(r, false) end insert; Inserting an element To Lemma 3

10 unit delete: procedure(e: elem); var x, y, z: node; begin x := e.lab; z := last.left; if last.ns =0 then y := z.up; if y <>none then y.right := last else root := none fi; last.left, last := y else y := z.left; y.right := last; last.left := y fi; z.el.lab := x; x.el := z.el; last.ns := last.ns - 1; e.lab := z; z.el := e; if x.less(x.up) then call correct(x.el, down) else call correct(x.el, up) fi end delete; Deleting an element down, up są stałymi logicznymi To Lemma 3

11 unit correct: procedure(r: elem, down: Boolean); var x, z: node, t: elem, fin,log: Boolean; begin z := r.lab; if down then (* DOWN *) while not fin do if z.ns = 0 then fin := true else if z.ns = 1 then x := z.left else (* z has two sons *) if z.left.less(z.right) then x := z.left else x := z.right fi fi; if z.less(x) then fin := true else t := x.el; x.el := z.el; z.el := t; z.el.lab :=z; x.el.lab:= x fi fi; z := x; od (* DOWN *) 1 of 2

12 else (* UP *) x := z.up; if x = none then log := true else log := x.less(z) fi; while not log do t := z.el; z.el := z.el; x.el := t; x.el.lab := x; z.el.lab := z; z := x; x := z.up; if x = none then log := true else log := x.less(z) fi od fi (* DOWN/UP*) end correct; Correcting the results of insert/delete operations 2 of 2

13 Będziemy rozważać pewien obiekt klasy queuhead i efekty wykonywania operacji insert i delete na tym obiekcie. Zanim cokolwiek wstawimy, nowy obiekt klasy queuehead wygląda tak: root = none last = none min: function : elem insert: procedure(e: elem) delete: procedure(e: elem) queuehead Na następnych przeźroczach samego obiektu nie rysujemy, tylko jego atrybuty : root i last - zmienne wskazujące na obiekty typu node.

14 Specification of priority queue structure: Signature a two-sorted structure E - set of elements S - set of finite subsets of the set E equipped with the following operations and predicates: insert : E S S delete : E S S min : S E member : E S Boolean empty : S Boolean < : E E Boolean and such that the following properties (= axioms of priority queues) hold is called priority queue. 1 of 2

15 Axioms A1) the set E is linearly ordered by the relation < i.e. the relation < is transitive, reflexive and anti-symmetric A2) [while empty(s) do s := delete(min(s), s) od] true i.e. every set s is finite A3) [s1 := insert(e,s)]{member(e, s1) & for every e1 e, member(e1,s1) member(e1,s) } A4) [s1 := delete(e,s)]{ member(e, s1) & for every e1 e, member(e1,s1) member(e1,s) } A5) empty(s) min(s) < e, for every e in E such that member(e,s) A6) empty(s) for every e, member(e,s) A7) member(e,s) begin s1 := s; result := false; while empty(s1) and result do if e = min(s1) then result := true fi; s1 := delete(;in(s1), s1) od end result 2 of 2 Specification of priority queue structure:

16 el ns = left right up

17 label

18 root last Empty set none

19 insert(e1) El ns = 0 left = this node right = this node up = none label root last e1

20 insert(e2) el ns = 1 left right up = none label root last e1 el ns =0 left right = this nd up label e2

21 insert(e3) el ns = 2 left right up = none label root last e1 el ns =0 left right up label el ns =0 left right up e2 e3

22 delete(e1) el ns = 1 left right up = none label root last e1 el ns =0 left right up label el ns =0 left right up e2 e3 After delete(e1), and before call correct

23 insert(e4) El ns = 2 left right up = none label root last e1 El ns =1 left right up label El ns =0 left right up e2 e3 El ns =0 left right = none up label e4

24 insert(e5) El ns = 2 left right up = none label root last e1 El ns =2 left right up label El ns =0 left right up e2 e3 El ns =0 left right up label e4 label El ns =0 left right up e5

25 insert(e6) El ns = 2 left right up = none label root last e1 El ns =1 left right up label El ns =0 left right up e2 e3 El ns =0 left right up label e4 label El ns =0 left right up e5

26 Properties of class  priorityQueues  Let us consider an object pq in queuehead. Its attributes are root and last of type node. We state that the following formulae are invariants of the object pq. Definition 1 Consider the set T of node objects that are accessible from the pq object by paths composed of.root arrow followed by a sequence of.left and.right arrows o T o | pq.root(.left.right)* | We shall see that this set is a tree.

27 Lemma 2 The set T of objects of type node considered together with the function.up forms a tree..up : | node | | node | Proof A mathematical-algorithmic definition of the notion of tree reads: a set S is a tree iff ( n S) while n =\= none do n := n.up od true We shall prove by induction on the number of executed commands insert and delete that the property given above holds for the set T. At the beginning the set T is empty hence it satisfies the lemma. After insertion of an element e1, our lemma is satisfied too. (For e1.lab.up = none) Suppose that the lemma is true for a set T created by execution of k commands insert and delete. Consider a new object of type node created by insert procedure. Its attribute up points to an already existing object. The values of the attribute up in  old  objects are as before. Similarly, an execution of delete(e) procedure does not change the property for it does not operate on.up attribute. (The node e.lab will be deleted from the set T.) Therefore, the lemma is true.

28 Lemma 3 For every object n of type node its attribute ns is equal to the number of its sons. Proof. By easy inspection of the code of procedures insert and delete.insertdelete Corollary 4 n.ns = 0 iff n is a leaf

29 The set T of objects of type node can be considered together with.left and.right operations. Definition 5 We say an arrow.left is solid iff n.ns > 0. We say an arrow.right is solid iff n.ns = 2. Otherwise an arrow is said dotted. Lemma 6 The set T of node objects considered together with solid and arrows forms a binary tree. Proof follows from the lemma 3 and the observation that if o = k.left (or o = k.right) then k.up = o..left.right

30

31 El ns = 2 left right up = none label root last e1 El ns =1 left right up label El ns =0 left right up e2 e3 El ns =0 left right up label e4 label El ns =0 left right up e5

32 Lemma 7 The sum of ns attributes = number of nodes -1. Lemma 8 { : last = o & o.right = k & o.ns = 1 & o.left = n1 & e.lab = n & n.el=e} [call pq.insert(e)] { : last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 } Proof What does it say the precondition ? last o ns = 1 right left k el ns = 0 right n e lab n1 el ns = 0

33 last o ns = 2 right left k el ns = 1 right left n e lab n1 el ns = 0 right up left x z right { : last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 & n.el=e}

34 last o ns = 2 right left k el ns = 1 right left n e n1 lab up el ns = 0 { : last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 }

35 Lemma 9 procedure correct is correct with respect to its pre-condition: its post-condition:

36 Lemma 10 Let x, y be two nodes in the set T if y is the father of x then the element associated with y is less than the element associated with its son ( x,y T) (x.up = y y. less(x)) Proof Any operation on the tree T (insert or delete) concludes with the call of procedure correct. From the lemma on correct follows...

Download ppt "1 Analysis of a class a case study We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start."

Similar presentations