CS 315 Spring 2011
Lecture 17, March 24, 2011
Formal Methods 2
Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson)
Some Mathematics is Implicit
We view programming integers as though they are mathematical integers (subject to bounds, of course)
We associate mathematical operators (e.g., +) with operations we can do on integers in programs (e.g., +)
This association can be made explicit
Mathematical Modeling
Type Integer is modeled by Z;
For all i: Integer, min_int <= i <= max_int;
Alternatively
Type Integer is modeled by Z;
Let i be an example;
Constraints for all i: Integer; min_int <= i <= max_int;
Alternatively
Type Integer is modeled by Z;
exemplar i;
constraints min_int <= i <= max_int;
Initial Value Specification
Type Integer is modeled by Z;
exemplar i;
constraints min_int <= i <= max_int;
initialization ensures i = 0;
Specification of Operations
Type Integer is modeled by Z; …
Specification of operations, e.g., i++
Operation Increment (updates i: Integer)
requires i < max_int;
ensures i = #i + 1;
More Examples
What is a suitable way to model the state of a lightbulb?
More Examples
Type Light_Bulb_State is modeled by B;
exemplar b;
Initialization ensures b = false;
Exercises: specification of operations Turn_on, Turn_off, and Is_On
More Examples
How would you model the state of a traffic light?
Alternative models and discussion
More Examples
How would you model a paper weight?
Data Abstraction Examples
How would you mathematically model the contents of a stack? Is a set model appropriate? Why or why not?
What about modeling a queue?
Mathematical Modeling Summary
To write formal specifications, we need to model the state mathematically
Some objects we use in programming, such as Integers and Reals, have implicit models
For others, such as stacks, queues, lists, etc., we need to conceive explicit mathematical models
Formal Specification of Java Interfaces
Basics
An interface
Describes what classes or components do
Does not describe how they should do it
An interface
Is a contract between component users (clients) and developers (implementers)
If the users satisfy the requirements for using the component, the component will provide guarantees
Principles of Interface Design
Information Hiding
Hide details unnecessary to use the component
Abstraction
Provide a “cover story” or explanation in user-oriented terms so they can understand the interface
Contract Specification
Requirements and guarantees
Requires clauses are preconditions
Ensures clauses are postconditions
Who is responsible for requires clauses?
What are the consequences of this?
Specification of Stacks
Mathematical modeling
How can we think of stacks “mathematically”?
Mathematical Strings
Unlike sets, strings have order
Example: Str(Z) for String of integers
Notations
Empty string (written empty_string or L)
Concatenation (alpha o beta)
Length (|alpha|)
String containing one entry (<5>)
Specification of IntStack Interface
Suppose IntStack is an interface
uses Integer_Theory, String_Theory;
Think of stacks of Integers as “math strings” of integers
this: Str(Z);
Specification of Constructor
initialization ensures this = empty_string;
Exercises: Specification of other stack operations
Specification of IntStack Interface
Operation push (int x)
updates this; restores x;
ensures this = <x> o #this;
int Operation pop ();
updates this;
requires this /= empty_string;
ensures #this = <result of pop()> o this;
bool Operation is_empty();
preserves this;
ensures result of is_empty = (this = empty_string);
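The IntStack contract above, together with the requires/ensures pattern of the Increment example, as an added runnable example that is not part of the slides: the stack is modeled as a Python tuple standing in for Str(Z), each requires clause is checked before the body runs (so a violation is the client's fault), and each ensures clause compares the new state with a snapshot that plays the role of #this. The operation decorator, the class names and the deliberately wrong BuggyIntStack are this example's own inventions.

```python
from typing import Callable, Tuple

# Model: a stack of integers is a mathematical string Str(Z), represented as an
# immutable tuple whose leftmost entry is the top; alpha o beta is tuple +.
MathString = Tuple[int, ...]
EMPTY_STRING: MathString = ()

class RequiresViolation(Exception): pass  # caller broke a requires clause
class EnsuresViolation(Exception): pass   # body broke an ensures clause

def operation(requires=lambda this, *args: True,
              ensures=lambda old, new, result, *args: True):
    """Check a method's requires/ensures clauses at run time; 'old' plays #this."""
    def wrap(body: Callable) -> Callable:
        def checked(self, *args):
            if not requires(self.this, *args):   # checked before the body runs
                raise RequiresViolation(body.__name__)
            old = self.this                      # #this: state before the call
            result = body(self, *args)
            if not ensures(old, self.this, result, *args):
                raise EnsuresViolation(body.__name__)
            return result
        return checked
    return wrap

class IntStack:
    def __init__(self) -> None:
        self.this: MathString = EMPTY_STRING  # initialization ensures this = empty_string

    @operation(ensures=lambda old, new, _r, x: new == (x,) + old)  # this = <x> o #this
    def push(self, x: int) -> None:
        self.this = (x,) + self.this

    @operation(requires=lambda this: this != EMPTY_STRING,           # this /= empty_string
               ensures=lambda old, new, r: old == (r,) + new)        # #this = <result> o this
    def pop(self) -> int:
        top, self.this = self.this[0], self.this[1:]
        return top

    @operation(ensures=lambda old, new, r: new == old and r == (new == EMPTY_STRING))
    def is_empty(self) -> bool:                   # preserves this
        return self.this == EMPTY_STRING

class BuggyIntStack(IntStack):
    """Same contract, wrong body: push's ensures clause exposes the bug."""
    @operation(ensures=lambda old, new, _r, x: new == (x,) + old)
    def push(self, x: int) -> None:
        self.this = self.this + (x,)              # appends at the bottom, not the top
```

Calling pop on an empty IntStack raises RequiresViolation before any state changes, while the second push on a BuggyIntStack raises EnsuresViolation even though the client did nothing wrong.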
Java Specification Questions
What is the specification of “=” to assign one IntStack object to another?
If you defined a “clone” method, what is its specification?
What are the advantages of using “=” over “clone”?
What are the advantages of using “clone” over “=”?