Formal Program Specification

1
Formal Program Specification
Software Testing and Verification Lecture 16

• Prepared by
• Stephen M. Thebaut, Ph.D.
• University of Florida

2
Overview

• Review of Basics
• Propositions, propositional logic, predicates,
  predicate calculus
• Sets, Relations, and Functions
• Specification via pre- and post-conditions
• Specifications via functions

3

• Propositions, Propositional Logic, Predicates,
  and the Predicate Calculus

4
Propositions and Propositional Logic

• A proposition, P, is a statement of some alleged
  fact which must be either true or false, and not
  both.
• Which of the following are propositions?
• elephants are mammals
• France is in Asia
• go away
• 5 gt 4
• X gt 5

5
Propositions and Propositional Logic (contd)

• Propositional Logic is a formal language that
  allows us to reason about propositions. The
  alphabet of this language is
• P, Q, R, ?, V, ?, ?,
• where P, Q, R, are propositions, and the
  other symbols, usually referred to as
  connectives, provide ways in which compound
  propositions can be built from simpler ones.

6
Truth Tables

• Truth tables provide a concise way of giving the
  meaning of compound forms in a tabular form.
• Example construct a truth table to show all
  possible interpretation for the following
  sentences
• A V B, A ? B, and A ? B

7
Example
A B A V B A ? B A ? B
T T
T F
F T
F F
8
Equivalence

• Two sentences are said to be equivalent if and
  only if their truth values are the same under
  every interpretation.
• If A is equivalent to B, we write A ? B.
• Exercise Use a truth table to show
• (P ? Q) ? (Q V P)

9
Equivalence (contd)

• Many users of logic slip into the habit of using
  ? and ? interchangeably.
• However, A?B is written down in the full
  knowledge that it may denote either true or false
  in some interpretation, whereas A?B is an
  expression of fact (i.e., the writer thinks it is
  true).

How would you write A ? B as an expression of
fact?
10
Predicates

• Predicates are expressions containing one or more
  free variables (place holders) that can be filled
  by suitable objects to create propositions.
• For example, instantiating the value 2 for X in
  the predicate Xgt5 results in the (false)
  proposition 2gt5.

11
Predicates (contd)

• In general, a predicate itself has no truth
  value it expresses a property or relation using
  variables.

12
Predicates (contd)

• Two ways in which predicates can give rise to
  propositions
• As illustrated above, their free variables may be
  instantiated with the names of specific objects,
  and
• They may be quantified. Quantification introduces
  two additional symbols
• ? and ?

13
Predicates (contd)

• ? and ? are used to represent universal and
  existential quantification, respectively.
• ?x duck(x) represents the proposition every
  object is a duck.
• ?x duck(x) represents the proposition there is
  at least one duck.

14
Predicates (contd)

• For a predicate with two free variables,
  quantifying over one of them yields another
  predicate with one free variable, as in
• ?x Q(x,y) or ?x Q(x,y)

15
Predicates (contd)

• Where appropriate, a domain of interest may be
  specified which identifies the objects for which
  the quantifier applies. For example,
• ?i?1,2,,N Aigt0
• represents the predicate the first N elements
  of array A are all greater than 0.

16
Predicate Calculus

• The addition of a deductive apparatus gives us a
  formal system permitting proofs and derivations
  which we will refer to as the predicate calculus.
• The system is based on providing rules of
  inference for introducing and removing each of
  the five connective symbols plus the two
  quantifiers.

17
Predicate Calculus (contd)

• A rule of inference is expressed in the form
• A1, A2, , An
• C
• and is interpreted to mean
• (A1 ? A2 ? ? An) ? C

18
Predicate Calculus (contd)

• Examples of deductive rules

A , B A
A A V B
A, A ? B B
A A
(contd)
19
Predicate Calculus (contd)

• Examples of deductive rules (contd)

A ? B, B ? A A ? B
A ? B A ? B
?x P(x) P(n1) ? P(n2) ? ? P(nk)
20

• Sets, Relations, and Functions

21
Sets and Relations

• A set is any well-defined collection of objects,
  called members or elements.
• The relation of membership between a member, m,
  and a set, S, is written
• m ? S
• If m is not a member of S, we write
• m ? S

22
Sets and Relations (contd)

• A relation, r, is a set whose members (if any)
  are all ordered pairs.
• The set comprised of the first member of each
  pair is called the domain of r and is denoted
  D(r). Members of D(r) are called arguments of r.
• The set comprised of the second member of each
  pair is called the range of r and is denoted
  R(r). Members of R(r) are called values of r.

23
Functions

• A function, f, is a relation such that for each x
  ? D(f) there exists a unique element (x,y) ? f.
• We often express this as yf(x), where y is the
  unique value corresponding to x in the function
  f.
• It is the uniqueness of y that distinguishes a
  function from other relations.

24
Functions (contd)

• It is often convenient to define a function by
  giving its domain and a rule for calculating the
  corresponding value for each argument in the
  domain.
• For example
• f (x,y)x ? 0,1, y x2 3x 2
• This could also be written
• f(x) x2 3x 2 where D(f)0,1

25
Conditional Rules

• Conditional rules are a sequence of (predicate ?
  rule) pairs separated by vertical bars and
  enclosed in parentheses
• (p1 ? r1 p2 ? r2 pk ? rk)

26
Conditional Rules (contd)

• The meaning is evaluate predicates p1, p2,pk in
  order for the first predicate, pi, which
  evaluates to true, if any, use the rule ri if no
  predicate evaluates to true, the rule is
  undefined. (Note that ? ? ?.)
• (p1 ? r1 p2 ? r2 pk ? rk)

27
Conditional Rules (contd)

• For example
• f ((x,y)(x divisible by 2 ? y x/2
• x divisible by 3 ? y x/3
• true ? y x))
• Note that true ? r has the effect of if all
  else fails (i.e., if all the previous predicates
  evaluate to false), use r.

28
Recursive Functions

• A recursive function is a function that is
  defined by using the function itself in the rule
  that defines it. For example
• oddeven(x) (x ? 0,1 ? x
• x gt 1 ?
  oddeven(x-2)
• x lt 0 ?
  oddeven(x2))
• Exercise define the factorial function
  recursively.

29

• Specification via Pre- and Post-Conditions

30
Specification via Pre- and Post-Conditions

• The (functional) requirements of a program may be
  specified by providing
• an explicit predicate on its state before
  execution (a pre-condition), and
• an explicit predicate on its state after
  execution (a post-condition).

31
Specification via Pre- and Post-Conditions
(contd)

• Describing the state transition in two parts
  highlights the distinction between
• the assumptions that an implementer is allowed to
  make, and
• the obligation that must be met.

32
Specification via Pre- and Post-Conditions
(contd)

• The language of pre- and post-conditions is that
  of the predicate calculus.
• Predicates denote properties of program variables
  or relations between them.

33
Assumptions

• Reference to a variable in a predicate implies
  that it exists and is defined.
• Variables are assumed to be of type integer,
  unless the context of their use implies
  otherwise.
• A1N denotes an array with lower index bound
  of 1 and upper index bound of N (an integer
  constant).

34
Example 1

• Consider the pre- and post-conditions for a
  program that sets variable MAX to the maximum
  value of two integers, A and B.
• pre-condition ?
• post-condition ?

35
Example 2

• Consider the pre- and post-conditions for a
  program that sets variable MIN to the minimum
  value in the unsorted, non-empty array A1N.
• pre-condition ?
• post-condition ?
• What does unsorted mean here?

36
Example 2 (contd)

• Possible interpretations of unsorted
• ?(?i?1,2,,N-1 Ai?Ai1 V
• ?i?1,2,,N-1 Ai?Ai1)
• the sort operation has not been applied to A
• What was the specifiers intent?

37

• Specification via Functions

38
Specification via Functions

• Programs may also be specified in terms of
  intended program functions.
• These define explicit mappings from initial to
  final data states for individual variables and
  can be expanded into program control structures.
• The correctness of an expansion can be determined
  by considering correctness conditions associated
  with the control structures relative to the
  intended function.

39
Specification via Functions (contd)

• Data mappings may be specified via the use of a
  concurrent assignment function.
• The domain of the function corresponds to the
  initial data states that would be trans-formed
  into final data states by a suitable program.
• For example...

40
Specification via Functions (contd)

• The conditional function
• f (x ? 0 ? y ? 0 ? x, y xy, 0)
• specifies a program, say F, for which
• the final value of x is required to be the sum of
  the initial values of x and y, and
• the final value of y is required to be 0...
• if x and y are both initially ? 0. Otherwise,
  F may yield some other result (sufficient
  correct-ness) or not terminate (complete
  correctness) in keeping with f being undefined in
  this case.

41
Specification via Functions (contd)

• Similarly, in a program with data space x, y, z,
  the sequence of assignment statements
• x x1 y 2x
• computes a function that can be specified by the
  concurrent assignment function
• f (x,y,z x1,2(x1),z)
• This function could also be specified using the
  short-hand notation
• f (x,y x1,2(x1))
• implying an assignment into that portion of the
  data space containing x and y, while that
  containing z is assumed to be unmodified.

42
Specification via Functions (contd)

• In addition, when an intended function is
  followed by a list of variables surrounded by
  characters, the intent is to specify a programs
  effect on these variables only. Other variables
  are assumed to receive arbitrary, unspecified
  values.
• For example, consider a program with variables x,
  y, and temp. The intended function description
• f (x,y y,x) x,y
• is equivalent to (x,y,temp y,x,?) where ?
  represents an arbitrary, unspecified value.

43
Comparing specification approaches

• Pre- and post-conditions for a program with data
  space x, y, z, temp that is required to swap the
  values of x and y and leave z un-changed (but has
  no requirement concerning the disposition of
  temp)
• pre-condition true
• post-condition xy ? yx ? zz
• Comparable intended function (f1)
• f1 (x,y y,x) x,y,z
• (z is unmodified and temp gets an unspecified
  value)

44
Comparing specification approaches (contd)

• Pre- and post conditions given that the initial
  values of z and temp can be assumed to be greater
  that 0
• pre-condition zgt0 ? tempgt0
• post-condition xy ? yx ? zz
• Comparable intended function (f2)
• f2 (zgt0 ? tempgt0 ? x,y y,x) x,y,z
• Comparable in the context of sufficient
  correctness. f2
• is undefined when (zgt0 ? tempgt0) evaluates
  to false.

45
Formal Program Specification
Software Testing and Verification Lecture 16

• Prepared by
• Stephen M. Thebaut, Ph.D.
• University of Florida