Specifications Continued

1
Specifications- Continued

• Francis Suraweera
• School of CIT
• Griffith University
• Nathan 4111
• These notes are derived from the book Program
  Derivation by Geoff Dromey

2
Role of the Specification

• What do we mean by
• A program is correct?
• It can be only correct wrt some separate
• entity its specification.

3
Specification cont.

• Consider the following

Q
R
FINAL STATES Output data
INITIAL STATES Input data
Program
The state-model for a program specification
4
Specifications Cont.

• The two sets of interest are
• One describing the allowable initial states or
  inputs, or data supplied to the program
• Another describing the corresponding final
  states, or required output or data produced by
  the program.

5
Specification cont.

• Most problems we are concerned with can be
  specified by two predicates
• A precondition, Q characterizing the allowable
  initial states
• A postcondition, R characterizing the allowable
  final states.

6
Specification Cont.

• The pair (Q, R) define a specification
• To satisfy a specification
• the input must make Q true, and
• the output must make R true.

7
Specification Cont.

• A predicate is a condition that is either true or
  false depending on the values of its variables.
• Example
• N gt 0
• The above (predicate) is true for N 1, 2, 3,
• and false for N 0, -1, -2, -3 .etc.

8
Example of a Specification

• Sorting of N integers
• Precondition, Q
• there is at least one integer to be sorted
• Postcondition, R
• Rearrange the input data so that the integers
• form a sequence from the smallest to the
• largest.

9
Sorting of N integers cont.

• Q N ? 1
• R (?j 1 lt j ? N aj-1 ? aj ) ? perm(a, A)

10
The Design Process

• Design involves two essential things
• Decomposition of a problem into simpler
  sub-problems
• Refinement of strategy for solving a problem
• (or sub-problem) by introducing additional
• detail i.e., make the strategy more explicit

11
Example Building a house

• The process starts with client visiting an
  architect.
• The requirements are as follows
• 3 bedrooms, (all to be in one area) and 2
  bathrooms,
• A large lounge,
• A kitchen with large bench space,
• A dinning room

12
Example Building a house

• Architects proposed floor plan

Bath
Lounge
Bedroom
Bedroom
Kitchen
Bedroom
Dinning room
Bath
13
Building the house contd.

• The architect then consults the client
• This is to check clients satisfaction with the
• plan
• If the client is not happy then refine the
• plan.

14
Example Building a house

• Architects refined floor plan

Bath
Lounge
Bedroom
Bedroom
Kitchen
Bedroom
Dinning room
Bath
15
Lessons for the program designers

• L1 have a detailed plan and design document
  before building the house
• L2 the process of creating a plan and developing
  a design from the plan is separated from the
  process of building and
• L3 the detailed design is arrived at by a
  process of refinement.

16
Problem1

• We have a group of people scattered among several
  threatened locations A, B, and C each of which is
  progressively further from some safe destination,
  D.
• To save the people, they must be transported from
  where they are (i.e., A, B, or C) to the safe
  destination, D.
• Assume that in order to transport the people to
  D, it is necessary to build a makeshift road
  network through to D.

17
Problem1 continued.

• Consider the following

D
C
B
A
Possible starting locations
Destination location
18
Problem1 Refinement1.

• Precondition Q1
• 1(a) Build a road from A to D, the destination
• 1(b) Transport the people from A to D

A
D
19
Problem1 continued.

• Precondition Q1
• This mechanism will solve the problem in a
  restricted circumstance
• the whole population lives at location A
• Note the above refinement will contribute to the
  general solution to the problem.

A
D
20
Problem1 continued.

• NOTE
• A refinement such as
• build a road from C to B
• is rejected at this stage because it could not
  establish the postcondition.

A
C
B
21
Problem1 Refinement 2.

• Precondition Q2
• 2(a) Build a road from B to A
• 2(b) Transport the population from B to A,
• and then to D.

B
A
22
Problem1 Refinement 2.

• Precondition Q2
• Again, this mechanism will solve the problem in a
  restricted circumstance that
• the whole population lives either at A or B

B
A
D
23
Problem1 Refinement 3.

• Precondition Q3
• 3(a) Build a road from C to B
• 3(b) Transport the population from C to B,
• and then on to A, and subsequently D.

C
B
24
Problem1 continued.

• With refinements 1, 2, and 3 - (Q1, Q2, Q3)
• We have a mechanism to solve the problem in
• the circumstance that
• - the whole population lives at either A, or B,
  or C.

D
C
B
A
25
Problem1 continued.
Q3
refinement3
refinement2
Q2
refinement1
Q1
Goal
Distance from the Goal
26
Pre- and Postconditions

• Definition
• A condition (precondition or postcondition) is
  said to be stronger if it is true for fewer
  cases.

27
Pre- and Postconditions

• For example, the condition
• N gt 0 which is true for N 1, 2, 3,
• but excludes N 0
• is stronger than the condition
• N ? 0 which is true for N 0, 1, 2, 3,
• NOTE N ? 0 is weaker than N gt 0.

28
Weakest Precondition Calculations

• Example
• Consider the problem of computing the quotient,
  q, and the remainder, r, when a natural number X
  is divided by a divisor D.
• This problem can be solved by assigning to r the
  value of X and then repeatedly subtracting
  multiples of D from r until r is less than D.

29
Weakest Precondition Calculations - continued

• Suppose X 27 and D 6

r q X D
27 0 27 6
21 1 27 6
15 2 27 6
9 3 27 6
3 4 27 6
The remainder is 3 and the quotient is 4
30
Weakest Precondition Calculations - continued
The relation between q, r, X and D is given by
X q.D r .(1) this is called an
invariant. A simple program for this is r X
q 0 While r ? D do r r
D q q 1 End
31
Commands by calculation

• If q and r represent different values of the
• q and r variables, then the following holds
• X q.D r (2)
• Now suppose we also know that the equation
• r r D (3)
• holds. (corresponds to the program command).
• Show how to obtain q q 1

32
Notation for substitution

• If P is a formula, x is a variable, and a is a
  term then is the formula that results in when
  each free occurrence of x in P is replaced by a.
• Example Given that P is (?y)(y gtx)
• P(x/2) (?y)(y gt 2)
• P(x/xz) (?y)(y gt xz)

x
P
a
33
Assignment statement

• assigment identifier expression
• Example
• s s i
• i i 1

34
If statement

• An IF statement allows the selection and
  execution of just one of a number of possible
  commands S1, S2, , SN.
• To define an IF statement we need the concept of
  a guarded command.
• A guarded command is of the form
• Guard ? statement

35
If statement

• The guard is a predicate which evaluates to
  either true or false. The statement to the right
  of the arrow is executed only if the guard
  evaluates to true.

36
If statement

• For a set of guards B1, B2, , BN and a set of
  statements S1, S2, , SN we have
• If B1 ? S1
• B2 ? S2
• B3 ? S3
• ....
• BN ? SN
• fi

37
DO statement

• For a set of guards B1, B2, , BN and a set of
  statements S1, S2, , SN we have
• Do B1 ? S1
• B2 ? S2
• B3 ? S3
• ....
• BN ? SN
• oD

38
Weakest Precondition and the state model

• What, for a given initial state, will be the
• corresponding final state produced by the
• program?
• Given some set of final states what corresponding
  initial states would produce those final states
  when transformed by a given program?

39
Weakest Precondition

• For a terminating program statement, S,
• and a required postcondition R,
• wp(S, R)
• symbolizes the weakest precondition such
• that execution of S is certain to establish
• the postcondition.

40
Properties of Weakest Precondition

• Law of the excluded miracle (1)
• There are no states in which the execution of a
• mechanism S can begin and guarantee to
• terminate in a state satisfying FALSE.
• NO proofs are given. (For proofs please refer to
• Program Derivation by Geoff Dromey.

41
Properties of Weakest Precondition

• Law of conjunction (2)
• For a mechanism S and a postconditions R1 and
• R2 the following equivalence holds
• wp(S, R1) ? wp(S, R2) ? wp(S, R1 ? R2)

42
Properties of Weakest Precondition

• Law of disjunction (3)
• For a mechanism S and a postconditions R1 and
• R2
• wp(S, R1) ? wp(S, R2) ? wp(S, R1 ? R2)

43
Properties of Weakest Precondition

• Law of monotonicity (4)
• For a mechanism S and a postconditions R1 and
• R2 the following relation applies
• (R1 ? R2) ? (wp(S, R1) ? wp(S, R2))

44
The Weakest Precondition Concept

• Given the operation
• add 4 marbles to the existing number of
  marbles
• and that after the operation there are exactly 6
  marbles how many marbles must there have been
  before execution of the operation?

45
The Weakest Precondition Concept - Continued

• The answer is 2.
• Let x number of marbles to start with
• Then
• x ???
• S x x 4
• x 6

46
The Weakest Precondition Concept

• The precondition calculation
• x ???
• S x x 4
• x 6
• ----------------------------------
• wp( x x 4, x 6)
• ? x 4 6
• ? x 2 (note ? means equivalent)

47
Weakest Precondition Examples

• Complete the following weakest precondition
  calculations.
• wp( i 3, i 3)
• wp( i i 1, i 3)
• wp( i j 1, i 3)

48
Weakest Precondition Examples

• Complete the following weakest precondition
  calculations.
• wp( i 3, i 3)
• ? 3 3
• ? true

49
Weakest Precondition Examples

• Complete the following weakest precondition
  calculations.
• wp( i i 1, i 3)
• ? i 1 3
• ? i 2

50
Weakest Precondition Examples

• Complete the following weakest precondition
  calculations.
• wp( i j 1, i 3)
• ? j 1 3
• ? j 2

51
Weakest Precondition Examples

• Determine the weakest precondition wp(S, R) for
  the following commands S and postconditions R.
• S R
• i i 2 i gt 1
• i i 2 j j 2 i j 0
• ai 1 ai aj

52
Weakest Precondition Examples

• Solution to Problem
• S R
• i i 2 i gt 1
• ---------------------------------------------
• wp(i i 2, i gt 1)
• i2 gt 1
• ? i gt -1

53
Weakest Precondition Examples

• Solution to problem
• i i 2 j j 2 i j 0
• --------------------------------------------------
  -
• wp(ii 2 jj 2, i j 0)
• For these problems, apply wp(S1 S2, R)
• ? wp(S1, wp(S2, R))

54
Weakest Precondition Examples

• Solution
• wp(S1, wp(S2, R))
• ? wp(i i 2, wp(j j 2, i j 0)
• ? wp(i i 2, i j 2 0)
• ? (i 2 j 2 0)
• i j 0
• NOTE this method can be generalized to
• handle wp calculations for S1 S2 S3 etc.

55
Weakest Precondition Examples

• Given
• S ai 1 R ai aj
• ----------------------------------------------
• wp(ai 1, ai aj)
• ? 1 aj

56
Weakest Precondition Examples

• Try this problem
• ???
• a BC (S1)
• b a D (S2)
• Postcondition 2b gt X

57
Weakest Precondition Examples

• Step1
• wp(b a D, 2b gt X)
• corresponds to calculation of wp(S2, R)
• ? 2(a D) gt X
• Step2
• wp(a BC, 2(a D) gt X)
• ? 2(BC D) gt X

58
Strongest Postcondition Calculations

• Notation
• sp(P, S) ? reasoning forwards
• Useful in doing verification of programs
• wp(S,R)gtreasoning backwards

59
Strongest Postcondition Calculations

• Suppose we have
•  
• P x gt 3
•  
• x x 2
•  
• R ????

60
Strongest Postcondition Calculations

• R must be expressed in terms of the new x
  (eliminate old x)
•  
• x x 2 and so we get
•  
• xold x -2
•  
• Substituting for xold in P we get
•  
• R x - 2 gt 3 x gt 5

61
Strongest Postcondition Calculations

• Strongest Postcondition
•   sp( x gt 3, x x 2) x gt 5
• P xold gt 3
•  
• x xold 2
•  
• R x gt 5

62
Strongest Postcondition Calculations

• P Precondition
• S1
• S2
• sp(P, S1 S2) ? ???
• To do this apply
• sp(P, S1 S2) ? sp(sp(P, S1), S2)

63
Strongest Postcondition Calculations Example

• Pre p xi
• p p x
• i i 1
• Post ???
• ------------------------------------
• sp(P, S1 S2) ? sp(sp(P, S1), S2)
• Step1
• sp(p xi, p p x)

64
Strongest Postcondition Calculations Example

• Step1
• sp(p xi, p p x)
• ? p xi x
• Step2
• sp(p (i 1)x, i i 1 )
• ? i (p/x 1) 1
• ? i p/x
• ? p xi