Applying Mathematical Reasoning throughout the CS Curriculum
Addressing the Challenges of Current Software

Why? What? How? Where?

Questions to Address
  Why?
  What?
  Where?
  How?

Some Work
  Binary search specifications: Java, C++, any other language
  Are the algorithms correct?
  Do the implementations work?
  What's the difference?

Why?
  Current software is too large for one person to understand.
  Students need tools for dealing with all sizes of projects.
  Maintenance makes up the majority of jobs.
  Students need to separate specifications from implementations.

What reasoning skills are necessary? (Concept Inventory)
  Boolean Logic: standard logic symbols, standard proof techniques
  Discrete Math Structures: sets, strings, numbers, relations, and other mathematical theories as needed
  Precise Specifications: mathematical descriptions of software interfaces for clients and implementers; math models for structures; pre- and postconditions for operations
  Modular Reasoning: each module needs to be proven correct only once
  Verification Conditions: mathematical assertions equivalent to the correctness of the program
  Correctness Proofs: application of proof techniques to the program

Specifications for Increment
  Operation Increment(updates i: int);
    requires i < max_int;
    ensures i = #i + 1;

Implementation of Increment
  Increment(updates i: int);
    i = i + 1;
  end Increment;
Speaker note: I see you're using curly braces and 'int' for the type name, which implies a Java/C++ look. But you also declare the parameter using a colon, which implies a Resolve look.

Reason about Increment
  Does the implementation meet the specification?
  How does the requires clause fit in?
  Are there other possible implementations? Subtract 4 and add 5? Why not?
Speaker note: What are we going to have them do here? Informal reasoning to see if the ensures clause is met. Talk about how the requires clause fits in, including a brief talk about defensive programming.

Work
  Write specifications for Decrement (requires and ensures clauses).
  Write an implementation assuming that there is a built-in minus for integers.
Speaker note: I'm thinking that when we say "write specifications", we could say "write specifications (i.e., requires and ensures clauses)".

Work
  Specify (write requires and ensures clauses) an operation that receives an integer and returns the value of that integer plus two.
  Implement your operation assuming you can access the operation Increment.

Speaker note: Same here, "Specify" becomes "Specify (by writing requires/ensures clauses)".

Specification of PlusTwo
  Operation PlusTwo(updates i: int);
    requires i < max_int - 1;
    ensures i = #i + 2;

Implementation of PlusTwo
  PlusTwo(updates i: int)
    Increment(i);
    Increment(i);
  end PlusTwo

Reason about the Program: Reasoning Table for Operation PlusTwo
  State | Assume          | Confirm
  0     | i < max_int - 1 |
        Increment(i);
  1     | i1 = i0 + 1     | i < max_int
        Increment(i);
  2     | i2 = i1 + 1     | i2 = i0 + 2
Speaker note: I'm thinking I can show them in a detailed way how to build the reasoning table for PlusTwo, and then have them build a reasoning table for TakeAwayTwo.
Speaker note: That sounds great. Should we put this table up, but remove some of the entries, so you can add them later? I guess we could animate the entries and work together as a group to fill in the table. Then you can suggest decrement by 2, maybe hinting about min_int.

Work
  Specification:
    Operation Exchange(updates I, J: Integer);
      ensures I = #J and J = #I;
  Code:
    Procedure Exchange(updates I, J: Integer);
      I := Sum(I, J);
      J := Difference(I, J);
      I := Difference(I, J);
    End Exchange;

Speaker note: There's no 'requires' clause. Yet overflow/underflow could happen. Did you intend that? I looked at later slides to see if you mention it later, but didn't see it.

Are the Specs Sufficient?
  What about min_int and max_int?

Add a requires clause
  Need to Know:
    Operation Difference (updates I: int, preserves J: int);
      requires I - J < max_int and I - J > min_int;
      ensures I = #I - J;

    Operation Sum (updates I: int, preserves J: int);
      requires I + J < max_int and I + J > min_int;
      ensures I = #I + J;
Speaker note: No 'requires' clause.

Reasoning Table for Operation Exchange
  State | Assume                                  | Confirm
  0     | I0 - J0 < max_int and I0 - J0 > min_int |
        I = Difference(I, J);
  1     | I1 = I0 - J0 and J1 = J0                |
        J = Difference(I, J);
  2     | J2 = I1 - J1 and I2 = I1                |
        I = Difference(I, J);
  3     | I3 = I2 - J2 and J3 = J2                | I3 = J0 and J3 = I0

Operation Exchange: more examples
  http://www.cse.ohio-state.edu/rsrg/
  http://www.cs.clemson.edu/group/resolve/teaching/reasoning.html
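The Increment, PlusTwo and Exchange specifications above, turned into executable requires/ensures checks. This is an added example, not code from the slides or from RESOLVE: it models max_int and min_int with constructed 8-bit bounds so that the overflow the speaker note worries about is easy to reach, and shows that Exchange can only make its guarantee when it carries a requires clause of its own.

```python
MAX_INT, MIN_INT = 127, -128   # constructed 8-bit bounds; the slides only name max_int and min_int

class RequiresViolation(Exception):
    pass

def increment(i):
    # Operation Increment(updates i: int); requires i < max_int; ensures i = #i + 1
    if not i < MAX_INT:
        raise RequiresViolation(f"Increment: i < max_int fails for i={i}")
    return i + 1

def sum_op(i, j):
    # Operation Sum(updates I, preserves J); requires I + J < max_int and I + J > min_int
    if not (i + j < MAX_INT and i + j > MIN_INT):
        raise RequiresViolation(f"Sum: I + J out of range for I={i}, J={j}")
    return i + j                   # ensures I = #I + J

def difference(i, j):
    # Operation Difference(updates I, preserves J); requires I - J < max_int and I - J > min_int
    if not (i - j < MAX_INT and i - j > MIN_INT):
        raise RequiresViolation(f"Difference: I - J out of range for I={i}, J={j}")
    return i - j                   # ensures I = #I - J

def plus_two(i):
    # Operation PlusTwo; requires i < max_int - 1; ensures i = #i + 2
    if not i < MAX_INT - 1:
        raise RequiresViolation(f"PlusTwo: i < max_int - 1 fails for i={i}")
    i0 = i
    i1 = increment(i0)             # state 1: i1 = i0 + 1; i1 < max_int follows from the requires clause
    i2 = increment(i1)             # state 2: i2 = i1 + 1
    assert i2 == i0 + 2            # confirm the ensures clause
    return i2

def exchange(i, j):
    # Procedure Exchange from the slide: swap through Sum and Difference.
    # The spec has no requires clause, yet Sum's requires can fail for large I, J.
    i0, j0 = i, j
    i = sum_op(i, j)
    j = difference(i, j)
    i = difference(i, j)
    assert i == j0 and j == i0     # ensures I = #J and J = #I
    return i, j

def exchange_guarantee_holds(i, j):
    # True when Exchange establishes its ensures clause from (i, j); False when a
    # callee's requires clause fails first, which is why Exchange needs one of its own.
    try:
        return exchange(i, j) == (j, i)
    except RequiresViolation:
        return False
```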

Beyond Arithmetic: Specifying Components

Work: How do Java and C++ (or your favorite language) specify stacks?
  Specify a stack mathematically
  Describe in terms of mathematical strings
  For generality, describe all stacks with one spec
  Allow for multiple implementations to promote efficiency

Requirements vs. Specifications
  Requirements definition
    Intended for customers in addition to software developers
    Informal descriptions are necessary
  Specification
    For use by members of a software development team
    Formal (mathematical) descriptions are necessary

Informal Specification: Examples
  C++ STL Template specifications
  Java util component specifications
    http://doc.java.sun.com/DocWeb/api/java.util.Stack
    http://doc.java.sun.com/DocWeb/api/java.util.Queue

Questions for discussion
  Do they support information hiding?
  Do they support abstraction?
  Can they generalize?
  Is it possible to make them unambiguous?

Informal Specifications
  Straightforward descriptions
    "Push pushes an item onto the top of this stack"
    How much do they help?
  Use of metaphors
    "A Queue is like a line at a fast food restaurant"
    Do they generalize?
  Use of implementation details
    "Push behaves like addElement method on Vector"
    Is this appropriate for a user-oriented cover story?
Speaker note: Here is the exact language used for Push on Sun's web page that you referenced in the previous slide: "Pushes an item onto the top of this stack." Java's AddElement uses the naming convention: addElement

Formal Interface Specification
  Communicates precisely the demands and responsibilities to component users and developers

  Allows for independent development of client and implementation components in parallel in a team environment
  Minimizes integration costs

Reasoning Benefits
  Formal specifications make it possible to formally reason about correctness of software
  Such reasoning may be manual or mechanical (i.e., with automated support)

Languages for Formal Specification
  ANNA (and SPARK) for Ada
  JML for Java
  Larch/C++ for C++
  Spec# for C#
  Eiffel
  RESOLVE
  VDM
  Z

Specification Language Summary
  Some specification languages are designed for particular programming languages
  Some are general purpose
  Some specification languages are integrated with programming constructs
  A few additionally integrate the ability to perform formal mathematical reasoning

Meaning of Specifications
  Requirements and guarantees
    Requires clauses are preconditions
    Ensures clauses are postconditions

  Callers are responsible for requirements
    Caller of Increment is responsible for making sure I < max_int
  Guarantees hold only if callers meet their requirements
Speaker note: It looks like you're missing a vertical bar for |input| < Max_Int on the middle bullet.

Mathematical Strings
  Unlike sets, strings have order
  Example: Str(Z) for String of integers
  Notations
    Empty string (written: empty_string or L)
    Concatenation: alpha o beta
    Length (written: |alpha|)
    String containing one entry (e.g., <x>)
Speaker note: In the 2nd bullet list below, parens are used to introduce an example or to clarify. I saw the Length ( |alpha| ) line in bullet #3, and I saw a call to an operation called Length.

General Stack Template Specification
  We will use general stacks for this example reasoning
  Suppose Stack_Template is parameterized by type Entry and Integer Max_Depth

Mathematical Modeling
  Type_Family Stack ⊆ Str(Entry);
    exemplar S;
    constraints |S| <= Max_Depth;
    initialization ensures S = empty_string;

Specification of Stack Operations
  Operation Push (alters E: Entry; updates S: Stack)
    requires |S| < Max_Depth;
    ensures S = <#E> o #S;

  Operation Pop (replaces R: Entry; updates S: Stack)
    requires |S| > 0;
    ensures #S = <R> o S;

  Operation Depth (restores S: Stack): Integer
    ensures Depth = |S|;

Example
  Specification:
    Operation Do_Nothing (restores S: Stack)
      ensures S = #S
  Code: (Same as S.Push(S.Pop()) in Java)
    Procedure Do_Nothing (restores S: Stack)
      Var E: Entry
      Pop(E, S);
      Push(E, S);
    end Do_Nothing;
Speaker note: OK, I see that you are setting up the reasoning table to catch the problem with Do_Nothing having a requires clause of true. I'll bring a handout with the Stack spec so that the attendees will have it available when they do the Exercise on the next slide. They'll need it for requires/ensures clauses for Pop and Push.
Speaker note: Great! I'll count on you to help them see that they will need a requires clause and to have table forms ready. Thanks.

Exercise: Complete Table and Prove
  State | Assume | Confirm
  0     |        |
        Pop(E, S);
  1     |        |
        Push(E, S);
  2     |        |
CS 315 Spring 2011

Example (with a requires clause)
  Specification:
    Operation Do_Nothing (restores S: Stack)
      requires |S| > 0;
      ensures S = #S
  Code: (Same as S.Push(S.Pop()) in Java)
    Procedure Do_Nothing (restores S: Stack)
      Var E: Entry
      Pop(E, S);
      Push(E, S);
    end Do_Nothing;

Exercise: Complete Table and Prove
  State | Assume         | Confirm
  0     | |S0| > 0       |
        Pop(E, S);
  1     | S0 = <E1> o S1 | |S1| < Max_Depth
        Push(E, S);
  2     | S2 = <E1> o S1 | S2 = S0

Answers: What's the Problem?
  Can you guarantee that Pop will do the right thing?
  What if your code first did a Push and then a Pop?
Speaker note: So is the "problem" with the 1st bullet that in the reasoning table we only have ... in the assumes column in State 0? They'll need to see 2 things: 1. They'll need to know something about Pop for the program to work, and that without the requires clause the reasoning fails. 2. The requires clause would be different if a Push were done first.

Speaker note: I hesitate to do this example just because we could make an argument that this is bad programming, because you shouldn't need to know anything about the implementation in order to do the reasoning.

Speaker note: A purist would say that this implementation is wrong, because it doesn't meet the spec. The only proper implementations would be ones that do not Push or Pop. They might check length or anything that doesn't need a requires clause.
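The Stack_Template operations and the Do_Nothing procedure above as executable contracts. This is an added example, not code from the slides or from RESOLVE: the stack is modeled as a Python tuple standing in for a string in Str(Entry), Max_Depth is a constructed parameter, and the Push-then-Pop variant from the "Answers" slide is included to show that it needs a different requires clause.

```python
MAX_DEPTH = 3   # constructed Max_Depth parameter of Stack_Template

class RequiresViolation(Exception):
    pass

def push(e, s):
    # Operation Push(alters E; updates S); requires |S| < Max_Depth; ensures S = <#E> o #S
    # (the top of the stack is the front of the string, so Push prepends)
    if not len(s) < MAX_DEPTH:
        raise RequiresViolation(f"Push: |S| < Max_Depth fails for |S|={len(s)}")
    return (e,) + s

def pop(s):
    # Operation Pop(replaces R; updates S); requires |S| > 0; ensures #S = <R> o S
    if not len(s) > 0:
        raise RequiresViolation("Pop: |S| > 0 fails on an empty stack")
    r, new_s = s[0], s[1:]
    assert s == (r,) + new_s       # ensures clause, checked on exit
    return r, new_s

def depth(s):
    # Operation Depth(restores S): Integer; ensures Depth = |S|
    return len(s)

def do_nothing(s):
    # Procedure Do_Nothing: Pop(E, S); Push(E, S); ensures S = #S.
    # Reasoning table: state 0 needs |S0| > 0 for Pop; state 1 gives S0 = <E1> o S1 and
    # |S1| < Max_Depth; state 2 gives S2 = <E1> o S1, so S2 = S0.
    s0 = s
    e1, s1 = pop(s0)
    s2 = push(e1, s1)
    assert s2 == s0                # confirm the ensures clause
    return s2

def do_nothing_push_first(s):
    # The variant from the "Answers" slide: Push then Pop. It needs a different requires
    # clause, |S| < Max_Depth, and works on an empty stack. The pushed entry is a constructed
    # placeholder for the uninitialized Var E: Entry.
    s1 = push(None, s)
    _, s2 = pop(s1)
    assert s2 == s
    return s2

def guarantee_holds(proc, s):
    # True when proc can establish S = #S from state s without any callee's requires
    # clause failing; False otherwise (the case the reasoning table exposes).
    try:
        return proc(s) == s
    except RequiresViolation:
        return False
```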

Work
  Write a generic specification for Queues.
Speaker note: What about a handout that gives them the Queue spec without the requires and ensures clauses for all the operations, and they have to fill in those for this "Work" slide?
Speaker note: Excellent idea. I'll bring some handouts for this.

Generic Component Examples
  http://resolve.cs.clemson.edu/interface/

Proof Rules: Proof Rules for Verification
  code; Assume B; code1; Confirm Q;
  code; Assume not B; code2; Confirm Q;
  --------------------------------------------------------------
  code; If B then code1 else code2; endif; Confirm Q;

  No need to consider individual states.

Example
  Assume y /= 0; z := w/y;
  if z >= 0 then abs := z else abs := -z endif;
  Confirm abs = |w/y|;

Apply the rule automatically
  (1) Assume y /= 0; z := w/y; Assume z >= 0; abs := z; Confirm abs = |w/y|;
  (2) Assume y /= 0; z := w/y; Assume not (z >= 0); abs := -z; Confirm abs = |w/y|;
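A small verification-condition generator for the if-rule above, applied to the abs example and then discharged by enumerating a constructed domain of w and y values. This is an added example, not code from the slides or from any RESOLVE tool; the step representation ("assume", "assign", "confirm" tuples) and the enumeration in place of a symbolic prover are assumptions made here.

```python
def apply_if_rule(code, cond, code1, code2, confirm_q):
    # The rule from the slide, read bottom-up:
    #   code; Assume B; code1; Confirm Q      code; Assume not B; code2; Confirm Q
    #   -----------------------------------------------------------------------
    #          code; If B then code1 else code2; endif; Confirm Q
    # A program is a list of steps: ("assume", pred), ("assign", var, expr) or
    # ("confirm", pred), where pred/expr are callables over a state dict.
    not_cond = lambda st: not cond(st)
    vc1 = code + [("assume", cond)] + code1 + [("confirm", confirm_q)]
    vc2 = code + [("assume", not_cond)] + code2 + [("confirm", confirm_q)]
    return vc1, vc2

def holds(vc, state):
    # Evaluate one straight-line VC from an initial state. A false Assume makes the
    # VC vacuously true (that path is not taken); a false Confirm refutes it.
    st = dict(state)
    for step in vc:
        if step[0] == "assume" and not step[1](st):
            return True
        if step[0] == "assign":
            st[step[1]] = step[2](st)
        if step[0] == "confirm":
            return bool(step[1](st))
    return True

# The slide's example: Assume y /= 0; z := w/y;
#   if z >= 0 then abs := z else abs := -z endif; Confirm abs = |w/y|
CODE = [("assume", lambda st: st["y"] != 0),
        ("assign", "z", lambda st: st["w"] / st["y"])]
THEN = [("assign", "abs", lambda st: st["z"])]
ELSE = [("assign", "abs", lambda st: -st["z"])]
Q = lambda st: st["abs"] == abs(st["w"] / st["y"])
VC1, VC2 = apply_if_rule(CODE, lambda st: st["z"] >= 0, THEN, ELSE, Q)

def discharge(vc, values=range(-3, 4)):
    # Check a VC over every w, y in a small constructed domain. Enumeration stands in
    # for the symbolic proof a real verifier would do; a False here is a counterexample.
    return all(holds(vc, {"w": w, "y": y}) for w in values for y in values)

def wrong_else_branch():
    # Mistype the else branch as abs := z and the second VC fails (e.g. w = -1, y = 1).
    _, bad_vc2 = apply_if_rule(CODE, lambda st: st["z"] >= 0, THEN, THEN, Q)
    return discharge(bad_vc2)
```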