Basics of Formal Methods: Propositions - PowerPoint PPT Presentation

1 / 21

About This Presentation

Title:

Basics of Formal Methods: Propositions

Description:

Use logical operators (e.g. ) Give examples of predicates. Use universal & existential quantifiers ... Quantifiers 2. Syntax: Existential Quantifiers 'there is' ... – PowerPoint PPT presentation

Number of Views:78

Avg rating:3.0/5.0

Slides: 22

Provided by: julie57

Category:

more less

Transcript and Presenter's Notes

Title: Basics of Formal Methods: Propositions

1
Basics of Formal Methods Propositions
Predicates

Use logical operators (e.g. ? ?)
Give examples of predicates
Use universal existential quantifiers
Write specifications using arrays

2
Propositions

A proposition is either true or false
2 is even
5 gt 6 23 2 3
A logical expression
No variables so it has a constant value
Can use logical operators
AND, OR, NOT, Implication, iff (if and only if)
Determine values of complex expressions
Truth tables
Boolean algebra rules for simplification

3
Implication (? gt)
Defined to be true here

Corresponds to implies
If it is raining, I take my umbrella
It is raining ? I take my umbrella
Only false if p is true and q is false
it is raining and I dont take my umbrella

4
Bi-implication (? ltgt)

Corresponds to if only if
I see Alex Ferguson if only if I see Man Us
boss
I see Alex Ferguson ? I see Man Us boss
Only false if p and q are unequal
p ? q is equal to p ? q AND q ? p

5
Precedence

not, and, or, gt and ltgt
! p q r gt s
( ((! p) q) r ) gt s
If in doubt, use brackets
Associativity
gt is right associative
p gt q gt r means p gt (q gt r)
Other operators are associative
(p q) r equals p (q r)

Dont use anything as complex as this. Too hard
to understand!
6
Predicates

To write specifications
Need expressions involving variables
Need to be able to handle arrays/sequences
Short expression handling repeated data
Examples
x gt y
x gt 0 AND x lt 100
Not constant
Value of expression depends on variables
Use the same operators as prepositions

x y are free variables
7
Example Specification

int max (int x, int y)
requires true
ensures xgty \resultx xlty \resulty
Explain this specification
What is \result?
What is the signature?
What does the pre-condition mean?
What is the purpose of a post-condition?
What must an implementation do?
Is the specification complete?

8
Max for Arrays
A very inflexible max function

int max (int arr)
requires arr.length 3
ensures arr0 gt arr1 arr0 gt arr2
\result arr0 // similarly for
other elements
Bad news with three elements
Disastrous with 100
Need new notation
Quantifiers
?x 0..9 x2 lt 100 ?x 0..4 x2 lt 10
? x 0..3 x2 x

Can replace x by another variable without
changing the meaning
x is a bound variable
9
Quantifiers 1

Syntax Universal Quantifier (?)
?bound variable type specification predicate
?apositive a gt 0
?bound variable ? set predicate
?a ? 1..3 a gt 0
JML Syntax
(\forall int a a gt 0)
(\forall int a a gt 1 a lt 3 a gt 0)

The brackets are necessary
10
Quantifiers 2

Syntax Existential Quantifiers
? there is and ?! there is exactly one
? a ? 0..2 a2 a
? a int a2 a
?! a ? 0..2 a2 a
Evaluate the above predicates
JML Syntax
(\exists int a a gt 0 a lt 2 aa a)
(\exists int a aa a)
No direct equivalent of E!

11
Max for Arrays 2

int max (int arr)
requires true
ensures (\forall int i 0lti iltarr.length()
\result ? arri)
What does this mean?
Is it a correct specification for max?

int max (int arr) requires true ensures
(\forall int i 0lti iltarr.length() \result
gt arri) (\exists int i 0lti
iltarr.length() \result arri)
problems?
int max (int arr) requires arr.length()gt0 ensur
es (\forall int i 0lti iltarr.length()
\result gt arri) (\exists int
i 0lti iltarr.length() \result arri)
12
What if the range of ? is empty?

?x 0..2 x2 lt 5
0 lt 5 AND 1 lt 5 AND 4 lt 5
Quantified expression is true if
For every value of x in the range, x2 lt 5
i.e no value in the range makes x2 lt 5 false
?x 0..-1 x2 lt 5
True
no value of x in the range makes x2 lt 5 false (as
there are no values in the range)
?x 0..-1 x2 gt 5
True
No value in range makes x2 gt 5 false

13
What if the range of ? is empty?

?x 1..3 x2 gt 2
1 gt 2 OR 4 gt 2 OR 9 gt 2
Quantified expression is true if
a value of x in the range makes x2gt2 true
?x 0..-1 x2 gt 2
False
since no value of x in the range makes x2 gt 2
true (as there are no values in the range)
?x 0..-1 x2 lt 5

14
Bound and Free Variables

?x 0..2 ?y 0..1 yx2 lt z
Is the expressions value the same, if
You replace
x with a
y with a
z with a
x with y
y with x
Which variables are free, which bound?
Give a rule for replacing variables

Replace bound variables with any variable except
a free variable or an in-scope bound variable.
15
Simplifications

? i ? N ? (? j ? N ? predicate ( i, j ))
can be simplified to
? i ? N, j ? N ? predicate ( i, j )
or
? i, j ? N ? predicate ( i, j )

16
Combinations of Quantifiers

Are these two the same?
?i ? N ? ? j ? N ? predicate ( i, j ))
?j ? N ? ? i ? N ? predicate ( i, j ))
Consider using lt as the predicate

17
? - summation

? - sum expressions over a variable range
Range of i is 0..3
Value is 0 1 4 9 14
If range is empty, value is 0
JML
(\sum int i 0lti ilt3 i i)

18
? - product

? - multiply expressions over a range
Value is 1 4 9 36
JML
(\product int i 0lti ilt3 i i)

19
Conditional Expression

ltconditiongt ? ltexpressiongt ltexpressiongt
This is an expression not a statement
It has a value
What does the following put in m?
m a gt b ? a b
There must be a then-part an else-part
Like C
max (agtb? a b)

20
Example
\result (\sum int i 0lti iltarr.length()
arrit ? 1 0)
The post condition must constrain the result So
r must appear in it
Its supposed to count the number of occurrences
of t in the array. Whats the error?