1 / 42

Applying Mathematical Reasoning throughout the CS Curriculum

Applying Mathematical Reasoning throughout the CS Curriculum. Addressing the Challenges of Current Software. Questions to Address. Why? What? Where? How?. Some Work. Binary search specifications Java C++ Any other language Are the algorithms correct? Do the implementations work?

fergus
Download Presentation

Applying Mathematical Reasoning throughout the CS Curriculum

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Applying Mathematical Reasoning throughout the CS Curriculum Addressing the Challenges of Current Software

  2. Questions to Address • Why? • What? • Where? • How?

  3. Some Work • Binary search specifications • Java • C++ • Any other language • Are the algorithms correct? • Do the implementations work? • What’s the difference?

  4. Why? • Current software is too large for one person to understand. • Students need tools for dealing with all sizes of projects. • Maintenance makes up the majority of jobs. • Students need to separate specifications from implementations.

  5. What reasoning skills are necessary?Concept Inventory

  6. Specifications for Increment Operation Increment(updates i: int) requires i < max_int; ensures i = #i + 1;

  7. Implementation of Increment • Increment(updates i: int); i = i + 1; end Increment;

  8. Reason about Increment • Does the implementation meet the specification? • How does the requires clause it in? • Are there other possible implementations? • Subtract 4 and add 5? • Why not?

  9. Work • Write specifications for Decrement (requires and ensures clauses) • Write an implementation assuming that there is a built in minus for integers.

  10. Work • Specify (write requires and ensures clauses )an operation that receives an integer and returns the value of that integer plus two. • Implement your operation assuming you can access the operation “Increment.”

  11. OperationPlusTwo(updatesi: int); requiresi < max_int – 1; ensuresi = #i + 2; PlusTwo( updatesi: int) Increment(i); Increment(i); endPlusTwo

  12. Reason about the Program

  13. Reasoning Table

  14. Work Specification: Operation Exchange(updates I, J: Integer); ensures I = #J and J = #I; Code: Procedure Exchange(updates I, J: Integer); I := Sum(I, J); J := Difference(I, J); I := Difference(I, J); End Exchange;

  15. Are the Specs Sufficient? • What about min_int and max_int? • Add a requires clause

  16. Need to Know Operation Difference (updates I: int, preserves J: int); requires I – J < max_int and I – J > min_int; ensures I = I – J; Operation Sum (updates I: int, preserves J: int); requires I + J < max_int and I + J > min_int; ensures I = I + J;

  17. Reasoning Table Operation Exchange

  18. More examples • http://www.cse.ohio-state.edu/rsrg/ • http://www.cs.clemson.edu/group/resolve/teaching/reasoning.html

  19. Beyond Arithmetic • Specifying components • Work: How do java and C++ (or your favorite language) specify stacks?

  20. Specify a stack mathematically • Describe in terms of mathematical strings • For generality, describe all stacks with one spec • Allow for multiple implementations to promote efficiency

  21. Requirements vs. Specifications • Requirements definition • Intended for customers in addition to software developers • Informal descriptions are necessary • Specification • For use by members of a software development team • Formal (mathematical) descriptions are necessary

  22. Informal Specification:Examples • C++ STL Template specifications • Java util component specifications • http://doc.java.sun.com/DocWeb/api/java.util.Stack • http://doc.java.sun.com/DocWeb/api/java.util.Queue • Questions for discussion • Do they support information hiding? • Do they support abstraction? • Can they generalize? • Is it possible to make them unambiguous?

  23. Informal Specifications • Straightforward descriptions • Push pushes an item onto the top of this stack • How much do they help? • Use of metaphors • A Queue is like a line at a fast food restaurant • Do they generalize? • Use of implementation details • Push behaves like addElement method on Vector • Is this appropriate for a user-oriented cover story?

  24. Formal Interface Specification • Communicates precisely the demands and responsibilities to component users and developers • Allows for independent development of client and implementation components in parallel in a team environment • Minimizes integration costs

  25. Reasoning Benefits • Formal Specifications make it possible to formally reason about correctness of software • Such reasoning may be manual or mechanical (i.e. with automate support)

  26. Languages for Formal Specification • ANNA (and SPARK) for Ada • JML for Java • Larch/C++ for C++ • Spec# for C3 • … • Eiffel • RESOLVE • … • VDM • Z

  27. Specification Language Summary • Some specification languages are designed for particular programming languages • Some are general purpose • Some specification languages are integrated with programming constructs • A few additionally integrate the ability to perform formal mathematical reasoning

  28. Meaning of Specifications • Requirements and guarantees • Requires clauses are preconditions • Ensures clauses are postconditions • Callers are responsible for requirements • Caller of Increment is responsible for making sure I < max_int • Guarantees hold only if callers meet their requirements

  29. Mathematical Strings • Unlike sets, strings have order • Example: Str(Z) for String of integers • Notations • Empty string (written: empty_string or L) • Concatenation: alpha o beta • Length (written: |alpha| ) • String containing one entry (e.g., <5>)

  30. General Stack Template Specification • We will use general stacks for this example reasoning • Suppose Stack_Template is parameterized by type Entry and Integer Max_Depth • Mathematical Modeling Type_FamilyStack ⊆ Str(Entry); exemplar S; constraints |S| ≤ Max_Depth; initialization ensures S = Λ;

  31. Specification of Stack Operations Operation Push (alters E: Entry; updates S: Stack) requires |S| < Max_Depth; ensures S = <#E> o #S; Operation Pop (replaces R: Entry; updates S: Stack) requires |S| > 0; ensures #S = <R> o S; Operation Depth (restores S: Stack): Integer ensures Depth = |S|;

  32. Example Specification OperationDo_Nothing (restores S: Stack) ensures S = #S Code: (Same as S.Push(S.Pop()) in Java) ProcedureDo_Nothing (restores S: Stack) Var E: Entry Pop(E,S); Push(E,S); endDo_Nothing;

  33. Exercise: Complete Table and Prove CS 315 Spring 2011

  34. Example Specification OperationDo_Nothing (restores S: Stack) requires |S| > 0; ensures S = #S Code: (Same as S.Push(S.Pop()) in Java) ProcedureDo_Nothing (restores S: Stack) Var E: Entry Pop(E,S); Push(E,S); endDo_Nothing;

  35. Exercise: Complete Table and Prove Answers CS 315 Spring 2011

  36. What’s the Problem? • Can you guarantee that Pop will do the right thing? • What if your code first did a Push and then a Pop?

  37. Work • Write a generic specification for Queues.

  38. Generic Component Examples • http://resolve.cs.clemson.edu/interface/

  39. Proof Rules

  40. Proof Rules for Verification code: Assume B; code1; Confirm Q; code; Assume B; code2; Confirm Q; -------------------------------------------------------------- code; If B then code1 else code2; endif; Confirm Q; No need to consider individual states.

  41. Example Assume y ≠ 0; z := w/y; if z ≥0 then abs := z else abs := -z endif; Confirm abs = |w/y|;

  42. Apply the rule automatically (1) Assume y ≠ 0; z := w/y; Assume z ≥0 ; abs := z; Confirm abs = |w/y|; (2) Assume y ≠ 0; z := w/y; Assume (z ≥0); abs := z; Confirm abs = |w/y|;

More Related