Formal Program Specification - PowerPoint PPT Presentation

About This Presentation
Title:

Formal Program Specification

Description:

Formal Program Specification Software Testing and Verification Lecture 16 Prepared by Stephen M. Thebaut, Ph.D. University of Florida * Conditional Rules (cont d ... – PowerPoint PPT presentation

Number of Views:91
Avg rating:3.0/5.0
Slides: 64
Provided by: ciseUflE89
Learn more at: https://www.cise.ufl.edu
Transcript and Presenter's Notes


1
Formal Program Specification
Software Testing and Verification Lecture 16
  • Prepared by
  • Stephen M. Thebaut, Ph.D.
  • University of Florida

2
Overview
  • Review of Basics
  • Propositions, propositional logic, predicates,
    predicate calculus
  • Sets, Relations, and Functions
  • Specification via pre- and post-conditions
  • Specifications via functions

3
  • Propositions, Propositional Logic, Predicates,
    and the Predicate Calculus

4
Propositions and Propositional Logic
  • A proposition, P, is a statement of some alleged
    fact which must be either true or false, and not
    both.
  • Which of the following are propositions?
  • elephants are mammals
  • France is in Asia
  • go away
  • 5 > 4
  • X > 5

5
Propositions and Propositional Logic (cont'd)
  • Propositional Logic is a formal language that
    allows us to reason about propositions. The
    alphabet of this language is
  • P, Q, R, …, ¬, ∨, ∧, →, ↔
  • where P, Q, R, are propositions, and the
    other symbols, usually referred to as
    connectives, provide ways in which compound
    propositions can be built from simpler ones.

6
Truth Tables
  • Truth tables provide a concise way of giving the
    meaning of compound propositions in a tabular
    form.
  • Example: construct a truth table showing all
    possible interpretations of the following
    sentences:
  • A ∨ B, A → B, and A ↔ B

7-15
Example
A  B | A ∨ B | A → B | A ↔ B
T  T |   T   |   T   |   T
T  F |   T   |   F   |   F
F  T |   T   |   T   |   F
F  F |   F   |   T   |   T
16
Equivalence
  • Two sentences are said to be equivalent if and
    only if their truth values are the same under
    every interpretation.
  • If A is equivalent to B, we write A ≡ B.
  • Exercise: use a truth table to show
  • (P → Q) ≡ (Q ∨ ¬P)

17
Equivalence (cont'd)
  • Many users of logic slip into the habit of using
    ≡ and ↔ interchangeably.
  • However, A ↔ B is written down in the full
    knowledge that it may denote either true or false
    in some interpretation, whereas A ≡ B is an
    expression of fact (i.e., the writer thinks it is
    true).

How would you write A → B as an expression of
fact?
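As an added illustration of slides 6 to 17 (not part of the original lecture), the following Python rebuilds the truth table of slide 15 and checks the slide 16 exercise by enumerating every interpretation; the function names are my own choice.

```python
from itertools import product

# Connectives from the truth-table slides; each takes and returns a bool.
def NOT(a):        return not a
def OR(a, b):      return a or b
def AND(a, b):     return a and b
def IMPLIES(a, b): return (not a) or b      # A -> B is false only for A true, B false
def IFF(a, b):     return a == b            # A <-> B is true when both sides agree

def truth_table(names, *sentences):
    """Evaluate each sentence (a function of an interpretation dict) under
    every interpretation, i.e. every assignment of T/F to the named
    propositions. Returns a list of (interpretation, [values...]) rows."""
    rows = []
    for values in product([True, False], repeat=len(names)):
        env = dict(zip(names, values))
        rows.append((env, [s(env) for s in sentences]))
    return rows

def equivalent(names, s1, s2):
    """s1 ≡ s2 holds iff s1 and s2 agree under *every* interpretation.
    Contrast with s1 <-> s2, which is just another sentence whose truth
    value may differ from row to row."""
    return all(IFF(v1, v2) for _, (v1, v2) in truth_table(names, s1, s2))

# Slide 15 columns: A V B, A -> B, A <-> B
SLIDE15 = truth_table(["A", "B"],
                      lambda e: OR(e["A"], e["B"]),
                      lambda e: IMPLIES(e["A"], e["B"]),
                      lambda e: IFF(e["A"], e["B"]))

# Slide 16 exercise: (P -> Q) ≡ (Q V ¬P)
P_IMPLIES_Q = lambda e: IMPLIES(e["P"], e["Q"])
Q_OR_NOT_P  = lambda e: OR(e["Q"], NOT(e["P"]))
Q_OR_P      = lambda e: OR(e["Q"], e["P"])      # the version without ¬, for contrast

def exercise_holds():
    return equivalent(["P", "Q"], P_IMPLIES_Q, Q_OR_NOT_P)

def fmt(v):
    return "T" if v else "F"

if __name__ == "__main__":
    print("A B | A V B | A -> B | A <-> B")
    for env, vals in SLIDE15:
        print(fmt(env["A"]), fmt(env["B"]), "|", " | ".join(fmt(v) for v in vals))
    print("(P -> Q) ≡ (Q V ¬P):", exercise_holds())
    print("(P -> Q) ≡ (Q V P):", equivalent(["P", "Q"], P_IMPLIES_Q, Q_OR_P))
```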
18
Predicates
  • Predicates are expressions containing one or more
    free variables (place holders) that can be filled
    by suitable objects to create propositions.
  • For example, instantiating the value 2 for X in
    the predicate X > 5 results in the (false)
    proposition 2 > 5.

19
Predicates (cont'd)
  • In general, a predicate itself has no truth
    value; it expresses a property or relation using
    variables.

20
Predicates (cont'd)
  • Two ways in which predicates can give rise to
    propositions:
  • As illustrated above, their free variables may be
    instantiated with the names of specific objects,
    and
  • They may be quantified. Quantification introduces
    two additional symbols:
  • ∀ and ∃

21
Predicates (cont'd)
  • ∀ and ∃ are used to represent universal and
    existential quantification, respectively.
  • ∀x duck(x) represents the proposition "every
    object is a duck."
  • ∃x duck(x) represents the proposition "there is
    at least one duck."

22
Predicates (cont'd)
  • For a predicate with two free variables,
    quantifying over one of them yields another
    predicate with one free variable, as in
  • ∀x Q(x,y) or ∃x Q(x,y)

23
Predicates (cont'd)
  • Where appropriate, a domain of interest may be
    specified which contains the objects for which
    the quantifier applies. For example,
  • ∀i ∈ {1,2,…,N} A[i] > 0
  • represents the predicate "the first N elements
    of array A are all greater than 0."

24
Predicate Calculus
  • The addition of a deductive apparatus gives us a
    formal system permitting proofs and derivations
    which we will refer to as the predicate calculus.
  • The system is based on providing rules of
    inference for introducing and removing each of
    the five connective symbols plus the two
    quantifiers.

25
Predicate Calculus (cont'd)
  • A rule of inference is expressed in the form
  • A1, A2, …, An
    ─────────────
    C
  • and is interpreted to mean
  • (A1 ∧ A2 ∧ … ∧ An) → C

So why use a different notation?
26
Predicate Calculus (cont'd)
  • Examples of deductive rules:

  • A ∧ B
    ─────
    A
  • A
    ─────
    A ∨ B
  • A, A → B
    ────────
    B
  • A
    ─────
    ¬¬A
(cont'd)
27
Predicate Calculus (cont'd)
  • Examples of deductive rules (cont'd):

  • A → B, B → A
    ────────────
    A ↔ B
  • A ↔ B
    ─────
    A → B
  • ∀x P(x)
    ─────────────────────────
    P(n1) ∧ P(n2) ∧ … ∧ P(nk)
28
  • Sets, Relations, and Functions

29
Sets and Relations
  • A set is any well-defined collection of objects,
    called members or elements.
  • The relation of membership between a member, m,
    and a set, S, is written
  • m ∈ S
  • If m is not a member of S, we write
  • m ∉ S

30
Sets and Relations (cont'd)
  • A relation, r, is a set whose members (if any)
    are all ordered pairs.
  • The set composed of the first member of each pair
    is called the domain of r and is denoted D(r).
    Members of D(r) are called arguments of r.
  • The set composed of the second member of each
    pair is called the range of r and is denoted
    R(r). Members of R(r) are called values of r.

31
Functions
  • A function, f, is a relation such that for each
    x ∈ D(f) there exists a unique element (x,y) ∈ f.
  • We often express this as y = f(x), where y is the
    unique value corresponding to x in the function
    f.
  • It is the uniqueness of y that distinguishes a
    function from other relations.

32
Functions (cont'd)
  • It is often convenient to define a function by
    giving its domain and a rule for calculating the
    corresponding value for each argument in the
    domain.
  • For example:
  • f = {(x,y) | x ∈ {0,1}, y = x² + 3x + 2}
  • This could also be written
  • f(x) = x² + 3x + 2 where D(f) = {0,1}

33
Conditional Rules
  • Conditional rules are a sequence of (predicate →
    rule) pairs separated by vertical bars and
    enclosed in parentheses:
  • (p1 → r1 | p2 → r2 | … | pk → rk)

34
Conditional Rules (cont'd)
  • The meaning is: evaluate predicates p1, p2, …, pk
    in order; for the first predicate, pi, which
    evaluates to true, if any, use the rule ri; if no
    predicate evaluates to true, the rule is
    undefined. (Note that the → of a conditional rule
    is not the implication connective.)
  • (p1 → r1 | p2 → r2 | … | pk → rk)

35
Conditional Rules (cont'd)
  • For example:
  • f = {(x,y) | (x divisible by 2 → y = x/2 |
  •              x divisible by 3 → y = x/3 |
  •              true → y = x)}
  • Note that "true → r" has the effect of "if all
    else fails (i.e., if all the previous predicates
    evaluate to false), use r."

36
Recursive Functions
  • A recursive function is a function that is
    defined by using the function itself in the rule
    that defines it. For example:
  • oddeven(x) = (x ∈ {0,1} → x |
  •               x > 1 → oddeven(x-2) |
  •               x < 0 → oddeven(x+2))
  • Exercise define the factorial function
    recursively.
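The conditional-rule semantics of slides 33 to 36, as an added Python example that is not from the lecture: `conditional` (my own helper name) tries the (predicate, rule) pairs in order and treats "no predicate holds" as undefined, and it is used to define the divisibility example, oddeven, and one answer to the factorial exercise.

```python
class Undefined(Exception):
    """Raised when no predicate in a conditional rule evaluates to true."""

def conditional(*pairs):
    """Build a function from (predicate, rule) pairs, evaluated in order:
    the rule of the *first* predicate that holds is applied; if none holds
    the result is undefined, exactly as slide 34 defines it."""
    def apply(x):
        for predicate, rule in pairs:
            if predicate(x):
                return rule(x)
        raise Undefined(f"no predicate holds for {x!r}")
    return apply

# Slide 35: f = (x divisible by 2 -> y = x/2 | x divisible by 3 -> y = x/3 | true -> y = x)
# Order matters: 6 is divisible by both 2 and 3, but only the first rule fires.
f = conditional(
    (lambda x: x % 2 == 0, lambda x: x // 2),
    (lambda x: x % 3 == 0, lambda x: x // 3),
    (lambda x: True,       lambda x: x),        # "if all else fails"
)

# Slide 36: oddeven(x) = (x in {0,1} -> x | x > 1 -> oddeven(x-2) | x < 0 -> oddeven(x+2))
oddeven = conditional(
    (lambda x: x in (0, 1), lambda x: x),
    (lambda x: x > 1,       lambda x: oddeven(x - 2)),
    (lambda x: x < 0,       lambda x: oddeven(x + 2)),
)

# Slide 36 exercise: factorial, recursively. With no "true -> ..." fallback the
# function is undefined for negative arguments rather than looping forever.
factorial = conditional(
    (lambda x: x == 0, lambda x: 1),
    (lambda x: x > 0,  lambda x: x * factorial(x - 1)),
)

def is_defined(fn, x):
    """True if the conditional rule yields a value for x, False if undefined."""
    try:
        fn(x)
        return True
    except Undefined:
        return False
```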

37
  • Specification via Pre- and Post-Conditions

38
Specification via Pre- and Post-Conditions
  • The (functional) requirements of a program may be
    specified by providing
  • an explicit predicate on its state before
    execution (a pre-condition), and
  • an explicit predicate on its state after
    execution (a post-condition).

39
Specification via Pre- and Post-Conditions
(cont'd)
  • Describing the state transition in two parts
    highlights the distinction between
  • the assumptions that an implementer is allowed to
    make in terms of initial state constraints, and
  • the obligation that must be met in terms of final
    state constraints.

40
Specification via Pre- and Post-Conditions
(cont'd)
  • The language of pre- and post-conditions is that
    of the predicate calculus.
  • Predicates denote properties of program variables
    or relations between them.

41
Assumptions
  • Reference to a variable in a predicate implies
    that it exists and is defined.
  • Variables are assumed to be of type integer,
    unless the context of their use implies
    otherwise.
  • A[1..N] denotes an array with lower index bound
    of 1 and upper index bound of N (an integer
    constant).

42-45
Example 1
  • Consider the pre- and post-conditions for a
    program that sets variable MAX to the maximum
    value of two integers, A and B.
  • pre-condition: true
  • post-condition:
    (MAX = A ∧ A ≥ B) ∨ (MAX = B ∧ B ≥ A)
    ∧ A = A′ ∧ B = B′
  • (A′ denotes the initial value of variable A.)

46-52
Example 2
  • Consider the pre- and post-conditions for a
    program that sets variable MIN to the minimum
    value in the unsorted, non-empty array A[1..N].
  • pre-condition: N > 0
  • post-condition: ∀i ∈ {1,2,…,N} A[i] ≥ MIN ∧
    ∃j ∈ {1,2,…,N} MIN = A[j] ∧
    A = A′
  • What does "unsorted" mean here?

53
Example 2 (cont'd)
  • Possible interpretations of "unsorted":
  • (1) ¬(∀i ∈ {1,2,…,N-1} A[i] ≤ A[i+1] ∨
         ∀i ∈ {1,2,…,N-1} A[i] ≥ A[i+1])
  • (2) the sort operation has not been applied to A
  • What was the specifier's intent?

Assume we have determined that (2) was the
intent. How can this interpretation be captured
in a pre-condition?
54
Example 2 (cont'd)
  • Consider the pre- and post-conditions for a
    program that sets variable MIN to the minimum
    value in the unsorted, non-empty array A[1..N].
  • pre-condition: N > 0
  • post-condition: ∀i ∈ {1,2,…,N} A[i] ≥ MIN ∧
    ∃j ∈ {1,2,…,N} MIN = A[j] ∧
    A = A′
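Slides 38 to 54 treat a pre-condition as the implementer's assumption and a post-condition as the implementer's obligation. The following Python is an added example (not from the lecture) that turns Example 2 into a runtime contract: `check`, `pre_min`, `post_min` and the two candidate programs are my own names, the state is a dict, and A′ is a snapshot taken before the program runs so that the frame conjunct A = A′ can be checked.

```python
class SpecViolation(AssertionError):
    pass

def check(name, pre, post, program):
    """Wrap `program` (which mutates a state dict in place) with the
    pre-/post-condition pair. A failed pre-condition is the caller's
    fault; a failed post-condition is the program's."""
    def run(state):
        if not pre(state):
            raise SpecViolation(f"{name}: pre-condition violated for {state}")
        # Snapshot of the initial state: this is the primed A' of the slides.
        before = {k: (list(v) if isinstance(v, list) else v) for k, v in state.items()}
        program(state)
        if not post(state, before):
            raise SpecViolation(f"{name}: post-condition violated: {before} -> {state}")
        return state
    return run

# Example 2: MIN = minimum of the non-empty array A[1..N].
# The spec indexes A from 1, so A[i] on the slides is s["A"][i-1] here.
pre_min = lambda s: s["N"] > 0

def post_min(s, s0):
    A, N, MIN = s["A"], s["N"], s["MIN"]
    return (all(A[i - 1] >= MIN for i in range(1, N + 1))      # ∀i A[i] ≥ MIN
            and any(MIN == A[j - 1] for j in range(1, N + 1))  # ∃j MIN = A[j]
            and A == s0["A"])                                  # A = A'

def good_min(s):
    s["MIN"] = min(s["A"][:s["N"]])

def sloppy_min(s):
    # Meets the first two conjuncts but sorts A in place, so A ≠ A'.
    s["A"].sort()
    s["MIN"] = s["A"][0]

check_good = check("Example 2", pre_min, post_min, good_min)
check_sloppy = check("Example 2", pre_min, post_min, sloppy_min)

def violates(runner, state):
    """True if running the wrapped program on `state` breaks the spec."""
    try:
        runner(state)
        return False
    except SpecViolation:
        return True
```

Interpretation (2) of "unsorted" on slide 53 is a statement about the program's history, not a predicate on the initial state, so nothing in `pre_min` can express it; only N > 0 is enforced.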

55
  • Specification via Functions

56
Specification via Functions
  • Programs may also be specified in terms of
    intended program functions.
  • These define mappings from initial to final data
    states and can be expanded into program control
    structures.
  • The correctness of an expansion can be determined
    by considering correctness conditions associated
    with the control structures relative to the
    intended function.

57
Specification via Functions
  • Program data mappings may be specified via the
    use of an assignment function.
  • The domain of the function corresponds to the
    initial data states that would be trans-formed
    into final data states by a suitable program.

58
Specification via Functions (cont'd)
  • For example, in a program with data space x, y,
    z, the assignment statement
  • x := y
  • corresponds to a set of ordered pairs of the
    form
  • ( (x, y, z), (y, y, z) )   i.e., (initial state, final state)
59-62
Specification via Functions (cont'd)
  • Likewise, the function
  • f = (x ≥ 0 ∧ y ≥ 0 → x, y := x+y, 0)
  • specifies a program for which
  • the final value of x is the sum of the initial
    values of x and y, and
  • the final value of y is 0...
  • if x and y are both initially ≥ 0. Otherwise,
    the program yields no result (e.g., does not
    terminate) in keeping with f being undefined in
    this case.
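To make slides 56 to 62 concrete, the following Python is an added example (not the lecture's own code) that represents the intended function f as a partial mapping on (x, y) states, lists the ordered pairs it denotes over a finite sample, and checks two candidate expansions against it on that sample; `expansion_a`, `expansion_b` and `correct_wrt` are my own names, and the sample of initial states is constructed.

```python
from itertools import product

def f(state):
    """Intended function f = (x >= 0 and y >= 0 -> x, y := x+y, 0).
    Returns the final (x, y) state, or None where f is undefined; outside
    D(f) the program is allowed to yield no result at all."""
    x, y = state
    if x >= 0 and y >= 0:
        return (x + y, 0)
    return None

def assignment_pairs(fn, states):
    """The set of ordered (initial, final) pairs fn denotes over `states`,
    in the style of slide 58. States outside D(fn) contribute no pair."""
    return {(s, fn(s)) for s in states if fn(s) is not None}

# Two candidate expansions of f into control structures.
def expansion_a(state):
    x, y = state
    while y > 0:            # move one unit from y to x until y is exhausted
        x, y = x + 1, y - 1
    return (x, y)

def expansion_b(state):
    x, y = state
    x = x + y
    return (x, y)           # forgets y := 0

def correct_wrt(fn, program, states):
    """An expansion is correct w.r.t. fn on the sample if it agrees with
    fn on every sampled state in D(fn). This is a finite check, not the
    proof via control-structure correctness conditions the slides refer to."""
    return all(program(s) == fn(s) for s in states if fn(s) is not None)

# Constructed sample of initial states, including ones outside D(f).
SAMPLE = [(x, y) for x, y in product(range(-2, 4), repeat=2)]

if __name__ == "__main__":
    print("expansion_a correct:", correct_wrt(f, expansion_a, SAMPLE))
    print("expansion_b correct:", correct_wrt(f, expansion_b, SAMPLE))
```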
