
Introduction to Mathematical Reasoning


Presentation Transcript


  1. Introduction to Mathematical Reasoning Jason Hallstrom and Murali Sitaraman Clemson University

  2. What does this code do to Integer I, where Foo1 and Bar1 are functions that modify their argument? I = Foo1(I); I = Bar1(I);

  3. Or this to Integers I and J? I = Foo2(I, J); J = Bar2(I, J); I = Bar2(I, J);

  4. What does this code do to Integer I? I = Next(I); I = Prev(I);

  5. What does this code do to Integer I?
     I = Next(I); I = Prev(I);
     How sure are we?

  6. What does this code do to Integer I?
     I = Next(I); I = Prev(I);
     How sure are we? We have to account for bounds in our analysis.
     Summary: … Need formal descriptions beyond names.

  7. What does this code do to Integers I and J?
     I = Sum(I, J); J = Difference(I, J); I = Difference(I, J);
     Same discussion as before…

  8. Specification of Integer Operations
     Think of ints as integers in math.
     Constraints, for all Integers I: min_Int <= I <= max_Int
     Operation Next (I: Integer): Integer;
       requires I < max_Int;
       ensures Next = I + 1;
     Operation Prev (I: Integer): Integer;
       requires I > min_Int;
       ensures Prev = I - 1;

  9. Specification of Integer Operations
     Parameters are allowed to be changed, depending on the language and how parameters are passed.
     So to make it clear that the parameter isn't modified, we specify:
     Operation Next (preserves I: Integer): Integer;
       requires I < max_Int;
       ensures Next = I + 1;

  10. Specification of Integer Operations
     Parameters are allowed to be changed, depending on the language and how parameters are passed.
     We can also specify:
     Operation Increment (updates I: Integer);
       requires I < max_Int;
       ensures I = #I + 1;
     In the ensures clause, #I denotes the input value of I.
     Exercise: Specify Decrement.

  11. Meaning of specifications
     • Requirements and guarantees
     • Requires clauses are preconditions
     • Ensures clauses are postconditions
     • Callers are responsible for requirements
     • Caller of Increment is responsible for making sure input I < max_Int
     • Guarantees hold only if callers meet their requirements

  12. Is the code correct for the given spec?
     Spec:
     Operation Do_Nothing (updates I: Integer);
       requires …
       ensures I = #I;
     Code:
     Increment(I);
     Decrement(I);

  13. These specs are the same…
     Spec:
     Operation Do_Nothing (preserves I: Integer);
       requires …
     Spec:
     Operation Do_Nothing (updates I: Integer);
       requires …
       ensures I = #I;

  14. Methods for checking correctness
     • Testing?
     • Tracing or inspection?
     • Mathematical reasoning

  15. Mathematical reasoning
     Goal: To prove correctness
     Method: The rest of this presentation
     Can prove correctness on all valid inputs
     Can show absence of bugs

  16. Example: Prove correctness
     Spec:
     Operation Do_Nothing (updates I: Integer);
       requires I < max_Int;
       ensures I = #I;
     Code:
     Increment(I);
     Decrement(I);

  17. Establish the goals in state-oriented terms using a table
     State 0
       Increment(I);
     State 1
       Decrement(I);
     State 2                                  Confirm: I2 = I0

  18. Assume requires clause at the beginning (Why?)
     State 0   Assume: I0 < max_Int and …
       Increment(I);
     State 1
       Decrement(I);
     State 2                                  Confirm: I2 = I0

  19. Assume calls work as advertised
     State 0   Assume: I0 < max_Int and …
       Increment(I);
     State 1   Assume: I1 = I0 + 1
       Decrement(I);
     State 2   Assume: I2 = I1 - 1            Confirm: I2 = I0

  20. Prove the goal(s) using assumptions
     • Prove I2 = I0
     • Proof of I2 = I0:
         I2 = I1 - 1          (assumption in state 2)
            = (I0 + 1) - 1    (assumption in state 1)
            = I0              (simplification)
     • More proof needed…

  21. More assertions to be confirmed (Why?)
     State 0   Assume: I0 < max_Int and …     Confirm: I0 < max_Int
       Increment(I);
     State 1   Assume: I1 = I0 + 1            Confirm: I1 > min_Int
       Decrement(I);
     State 2   Assume: I2 = I1 - 1            Confirm: I2 = I0

  22. Prove all assertions to be confirmed
     • Proofs: exercises

  23. Basics of Mathematical Reasoning
     • Suppose you are verifying code for some operation P
     • Assume its requires clause in state 0
     • Confirm its ensures clause at the end
     • Suppose that P calls Q
     • Confirm the requires clause of Q in the state before Q is called
       Why? Because the caller is responsible
     • Assume the ensures clause of Q in the state after Q
       Why? Because Q is assumed to work
     • Prove assertions to be confirmed
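As an added example that is not part of the presentation, the following Python walks the Assume/Confirm table of slides 17 to 23 for the Increment/Decrement specifications of slides 8 to 10, checking every obligation exhaustively over a constructed tiny bounded Integer domain. The names `Contract`, `verify`, `do_nothing_ok`, `do_nothing_swapped` and the bounds MIN_INT/MAX_INT = -8/7 are chosen here for illustration; the slides use min_Int/max_Int abstractly.

```python
from dataclasses import dataclass
from typing import Callable, List

# Constructed tiny bounds standing in for min_Int / max_Int, so that "all valid
# inputs" can be enumerated; real machine ints would need a symbolic prover.
MIN_INT, MAX_INT = -8, 7

@dataclass
class Contract:
    name: str
    requires: Callable[[int], bool]      # precondition on the input value (#I)
    ensures: Callable[[int, int], bool]  # postcondition relating #I and the new I
    body: Callable[[int], int]           # the operation, trusted to meet its ensures

# The slides' specifications of Increment and Decrement on an updates parameter.
INCREMENT = Contract("Increment", lambda i: i < MAX_INT,
                     lambda old, new: new == old + 1, lambda i: i + 1)
DECREMENT = Contract("Decrement", lambda i: i > MIN_INT,
                     lambda old, new: new == old - 1, lambda i: i - 1)

def verify(requires, calls: List[Contract], ensures) -> List[str]:
    """Walk the state table for every input satisfying the requires clause.
    State 0 assumes `requires`; before each call we CONFIRM its requires clause
    (the caller's obligation) and after it we ASSUME its ensures clause (the
    callee is trusted to work); at the end we CONFIRM `ensures`.
    Returns the failed obligations; an empty list means verified on this domain."""
    failures = []
    for i0 in range(MIN_INT, MAX_INT + 1):
        if not requires(i0):
            continue                 # outside the requires clause: no obligation
        i = i0
        for state, op in enumerate(calls):
            if not op.requires(i):
                failures.append(f"state {state}: requires of {op.name} fails for I0={i0}")
                break
            new = op.body(i)
            assert op.ensures(i, new)  # assume the call works as advertised
            i = new
        else:
            if not ensures(i0, i):
                failures.append(f"final state: ensures fails for I0={i0}")
    return failures

def do_nothing_ok() -> List[str]:
    # Slide 16: requires I < max_Int; Increment(I); Decrement(I); ensures I = #I
    return verify(lambda i: i < MAX_INT, [INCREMENT, DECREMENT], lambda i0, i2: i2 == i0)

def do_nothing_swapped() -> List[str]:
    # Constructed variant: same requires clause, calls reordered. Decrement's requires
    # (I > min_Int) is not implied by I < max_Int, so the obligation fails at I0 = min_Int.
    return verify(lambda i: i < MAX_INT, [DECREMENT, INCREMENT], lambda i0, i2: i2 == i0)
```

The swapped variant shows why slide 21 adds requires clauses to the Confirm column: the code still computes the right final value for most inputs, but the proof obligation at state 0 cannot be discharged from the caller's assumption alone.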
