The Seven Principles of Software Engineering
Source: user.it.uu.se/~pierref/courses/ccp/slides.pdf

C. Ghezzi, M. Jazayeri, D. Mandrioli. Fundamentals of Software Engineering. Prentice-Hall, 1991.
Rigour and Explicitness
Rigour and explicitness are a necessary complement to unstructured creativity.

Separation of Concerns
Separately deal with different individual aspects of the problem (such as time, qualities, views, size).

Modularity
Identify modules (units of division of work), then deal with intra-module and inter-module details.

Abstraction
Identify and focus on the important aspects of the problem, thus obtaining purpose-specific models.

Anticipation of Change
Identify aspects of the product and process that are likely to change, and protect from their changes.

Generality
Solving a more general (less constrained) problem is often easier, and provides reuse opportunities.

Incrementality
Successively produce better approximations to a solution by improving on the previous solution.
The Impact of Bad Specifications
Specification errors are the most numerous errors:
• 64% of all errors are specification errors.
• 36% of all errors are programming errors.
Specification errors are the most tenacious errors:
• 19% of all errors are specification errors and are detected before delivery.
• 45% of all errors are specification errors and are detected after delivery.
• 9% of all errors are programming errors and are detected before delivery.
• 27% of all errors are programming errors and are detected after delivery.
Specification errors are the most costly errors:
• A specification error caught while designing costs 2.5 times more than while specifying.
• A specification error caught while programming costs 5.0 times more than while specifying.
• A specification error caught while integrating costs 36.0 times more than while specifying.
Considering that:
• Correcting specification errors represents 66% of the total error correction cost.
• Correcting design errors represents 25% of the total error correction cost.
• Correcting programming errors represents 9% of the total error correction cost.
and considering that the total error correction cost represents 50% of the total cost of a software, then we have that correcting specification errors represents 33% of the total cost of a software!
Specification Template (for the CCP course)
Given ⟨arguments and their types⟩ [such that ⟨pre-condition on arguments⟩],
program ⟨name⟩ [modifies ⟨some arguments⟩ and] returns ⟨results and their types⟩
such that ⟨post-condition on arguments and results⟩ [, without modifying ⟨some remaining arguments⟩].
[Examples: ⟨…⟩.]
[Counter-examples: ⟨…⟩.]
Role of the Pre-Condition
• If the pre-condition on the arguments does not hold, then the program may return any results!
• If the pre-condition on the arguments does hold, then the program must return results that satisfy the post-condition!
Role of Well-Chosen (Counter-)Examples
• In theory: They are redundant with the pre/post-conditions.
• In practice:
+ They often provide an intuitive understanding that no assertion or definition could achieve.
+ They often help eliminate risks of ambiguity in the assertions by illustrating delicate issues.
+ If they contradict the pre/post-conditions, then we know that something is wrong somewhere!
A Sample Specification
Given two integer-arrays A[1..M] and B[1..N] such that A and B are non-decreasingly ordered, program merge returns an integer-array C[1..M+N] such that C is the non-decreasingly ordered permutation of the union of A and B, without modifying A and B.
Example: merge( [1,4,4,6] , [2,3,4] , [1,2,3,4,4,4,6] ).
Comments
• The used concepts of “non-decreasingly ordered array”, “permutation of an array”, and “union of two arrays” are assumed to be understood by the reader in the same way as by the writer. This also explains the role of the examples.
• The program must be deterministic, because “C is the …”, and not “C is a …”.
• The array upper bounds M and N are implicit arguments (and should thus also not be modified).
• Formalising specifications (as advocated by many) often gives rise to long formulas (see the next slide for a sample formalisation), which is unnecessary for our objective:
+ We aim at the manual construction of correct programs, not at their automated construction: constructing those long formulas and manually manipulating them would be more error-prone.
+ We aim at the manual construction of correct programs, not at their automated verification.
+ New formal symbols need to be informally explained anyway, so that one can verify (!) whether they indeed capture the informal intentions.
Example: Formalisation of the Specification of a merge Program
Pre-condition: ordered(A,1,M) and ordered(B,1,N)
Post-condition: permutation(A,M,B,N,C) and ordered(C,1,M+N)
where:
• ordered(X,L,U) if-and-only-if for all integers I such that L ≤ I < U we have that X[I] ≤ X[I+1] (i.e., integer-array X[L..U] is non-decreasingly ordered)
• permutation(A,U,B,V,C) if-and-only-if for all integers I we have that number(I,C,U+V) = number(I,A,U) + number(I,B,V) (i.e., integer-array C[1..U+V] is a permutation of the union of integer-arrays A[1..U] and B[1..V])
where:
• number(E,X,U) = the number of integers J such that 1 ≤ J ≤ U where we have that X[J] = E (i.e., the number of occurrences of integer E in integer-array X[1..U])
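An executable rendering of the sample specification and of this formalisation, added here as an illustration and not code from the slides: the predicates ordered, number and permutation are transcribed directly (the 1-indexed array X[1..U] is modelled by a Python list with X[I] at position I-1), and the merge function and check_merge helper are assumed implementations used only to exercise the pre- and post-condition checks.

```python
# Executable pre/post-conditions for the merge specification (added example).
# Slides use 1-indexed arrays X[1..U]; a Python list X models them with X[I]
# stored at X[I-1] and U = len(X).
from typing import List, Tuple


def ordered(X: List[int], L: int, U: int) -> bool:
    """ordered(X,L,U): for all I with L <= I < U, X[I] <= X[I+1]."""
    return all(X[I - 1] <= X[I] for I in range(L, U))


def number(E: int, X: List[int], U: int) -> int:
    """number(E,X,U): number of J with 1 <= J <= U such that X[J] = E."""
    return sum(1 for J in range(1, U + 1) if X[J - 1] == E)


def permutation(A: List[int], U: int, B: List[int], V: int, C: List[int]) -> bool:
    """permutation(A,U,B,V,C): every integer occurs in C[1..U+V] exactly as
    often as in A[1..U] and B[1..V] together. The slides quantify over all
    integers; it suffices to check the values that occur in A, B or C, since
    any other integer occurs zero times on both sides."""
    if len(C) != U + V:
        return False
    return all(number(I, C, U + V) == number(I, A, U) + number(I, B, V)
               for I in set(A[:U]) | set(B[:V]) | set(C))


def pre_merge(A: List[int], B: List[int]) -> bool:
    return ordered(A, 1, len(A)) and ordered(B, 1, len(B))


def post_merge(A: List[int], B: List[int], C: List[int]) -> bool:
    M, N = len(A), len(B)
    return permutation(A, M, B, N, C) and ordered(C, 1, M + N)


def merge(A: List[int], B: List[int]) -> List[int]:
    """Assumed implementation of program merge: returns C, does not modify A, B."""
    i, j, C = 0, 0, []
    while i < len(A) or j < len(B):
        if j == len(B) or (i < len(A) and A[i] <= B[j]):
            C.append(A[i]); i += 1
        else:
            C.append(B[j]); j += 1
    return C


def check_merge(A: List[int], B: List[int]) -> Tuple[bool, bool]:
    """Run merge and report (pre holds, post holds and A, B unmodified).
    When pre does not hold the second flag says nothing about merge, since
    the program may then return any results."""
    A0, B0 = list(A), list(B)
    C = merge(A, B)
    unchanged = (A == A0 and B == B0)
    return pre_merge(A0, B0), post_merge(A0, B0, C) and unchanged
```

The check post_merge([1,4,4,6], [2,3,4], [1,2,3,4,4,6]) fails because the dropped duplicate 4 changes number(4, C, 7), which is exactly the kind of delicate issue the slide's example is meant to illustrate.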
The Seven Sins of the Specifier
Source: Bertrand Meyer. On Formalism in Specifications. IEEE Software 2(1):6–26, 1985.
Noise: The presence in the text of an element that doesn’t carry information relevant to any feature of the problem. Variants: Redundancy, Remorse.
Silence: The existence of a feature of the problem that is not covered by any element of the text.
Overspecification: The presence in the text of an element that corresponds not to a feature of the problem but to features of a possible solution.
Contradiction: The presence in the text of two or more elements that define a feature of the problem in an incompatible way.
Ambiguity: The presence in the text of an element that makes it possible to interpret a feature of the problem in at least two different ways.
Forward Reference: The presence in the text of an element that uses features of the problem not defined until later in the text.
Wishful Thinking: The presence in the text of an element that defines a feature of the problem in such a way that a candidate solution cannot realistically be validated with respect to this feature.
The Programming Language
Data Types
• Booleans: boolean (values: true and false)
• Integers: integer (values: …, −3, −2, −1, 0, 1, 2, 3, …)
• Arrays: array[⟨lowbound⟩..⟨upbound⟩] of ⟨type⟩ (empty when lowbound = upbound + 1)
Primitive Statements
• Simple Assignment: ⟨variable⟩ ← ⟨expression⟩
Composition Mechanisms
• Sequential Composition: ⟨statement⟩ ; ⟨statement⟩
• Conditional Composition: if ⟨condition⟩ then ⟨statement⟩ [ else ⟨statement⟩ ] fi
• Iterative Composition: while ⟨condition⟩ do ⟨statement⟩ od
Program Correctness
Definition: The state of a program P at a moment M consists of the values of the variables of P at M.
Definition: An assertion is an affirmation regarding a program state. Examples: The pre/post-conditions of specifications and proof invariants (see below) are assertions.
Definition: A program P is partially correct with respect to a specification S if, each time P terminates on arguments that satisfy the pre-condition (including the types) of S, P returns results that satisfy the post-condition (including the types) of S.
Definition: A program P is (totally) correct with respect to a specification S if P terminates on all arguments that satisfy the pre-condition (including the types) of S and P is partially correct with respect to S.

Notation
Let P be a program statement, and let Q and R be assertions involving the variables of P. Then the notation:
{ Q } P { R }
means that P is totally correct w.r.t. the specification with pre-condition Q and post-condition R.
Hoare’s Semantic Laws
Simple Assignment
{ Q[X/E] } X ← E { Q[X] } (to be read from right to left)
or:
{ Q[X] } X ← E { Q[X/X0] and X = E[X/X0] } (to be read from left to right)
(where X0 is the initial value of X)
Sequential Composition
if { Q } P1 { R } and { R } P2 { S } then { Q } P1 ; P2 { S }
Conditional Composition
if { Q and B } P1 { R } and { Q and not B } P2 { R } then { Q } if B then P1 else P2 fi { R }
Iterative Composition
if { Inv and B } P { Inv } then { Inv } while B do P od { Inv and not B }
Proving Programs by Computational Induction
Given a specification S, with pre-condition Pre and post-condition Post, and a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
a proof by computational induction of total correctness of P with respect to S proceeds in 2 steps:
1. Proof of Partial Correctness of P with respect to S: Find an assertion Inv, called the invariant, that holds each time ⟨condition⟩ is evaluated, expressing what has already been done so far, i.e., prove that Inv indeed holds the 1st time:
{ Pre } ⟨initialisation⟩ { Inv } (1)
and prove that after the last time (i.e., when the loop ends), the program terminates correctly:
{ Inv and not ⟨condition⟩ } ⟨conclusion⟩ { Post }
or: Inv and not ⟨condition⟩ implies Post (2)
and prove that if Inv holds the nth time, then Inv will indeed hold the n+1st time, if any:
{ Inv and ⟨condition⟩ } ⟨body⟩ { Inv } (3)
2. Proof of Termination of P on all arguments that satisfy Pre: For instance, find for each loop an integer function F on the program variables, called the variant, that is decreasing towards a lower bound during each iteration, i.e., prove that F indeed returns a lower-bounded integer:
for all arguments satisfying Pre, function F returns a lower-bounded integer (4)
and prove that execution of the loop body indeed decreases the value of F:
{ Inv and ⟨condition⟩ and F(…) = f } ⟨body⟩ { F(…) < f } (5)
Other proof methods exist. For instance, the variant may increase towards an upper bound.
Comments on Program Proving by Computational Induction
• Distinguish between specification variables, program variables, and proof variables.
• The invariant often is “similar” to the post-condition Post.
• The invariant (resp. variant) cannot be correct (except for weird programs) if it does not involve all (resp. some of) the variables that appear in ⟨condition⟩ or that are modified by ⟨body⟩.
• The proof cannot be correct (except for over-specific specifications) if it does not appeal to the whole pre-condition and the whole conditions of all if…then…else and while statements.
• The proof cannot be correct if the invariant and the variant do not satisfy each of their conditions.
• If a proof step fails, then backtrack to a previous proof step and fix it or change the (in)variant.
Evaluation of Program Proving by Computational Induction
• Advantages:
+ The methodology really produces proofs in the classical understanding of the term, because they are based on axioms and inference rules.
+ The proof reasoning is made on the (static) text of the program, but not on its multiple — often infinitely many — (dynamic) executions. Program proving is thus more powerful than program testing!
+ Whereas program testing only aims at detecting the existence of errors, program proving is likely to also help in locating the errors and in correcting them.
• Disadvantages:
– Correctness proofs only prove (if correct!) the correctness of the program w.r.t. its specification, but nothing regarding the hardware and software platform on which the program will be run.
• Program proving and program testing are thus complementary, and also prototyping.
• (In)variants may be difficult to find for (uncommented) programs that one has not written oneself, and explicit, rigorous proofs may be long and difficult. This is not a disadvantage of program proving (compared to program testing), but rather evidence that programming itself is difficult! Proofs only make explicit the reasoning that was — or ought to have been — made anyway. Explicitly doing such proofs teaches us the risks we take when relying on untrained intuition.
• Is it possible to use this program proving methodology constructively, that is to actually construct correct programs right away? Yes, see the next chapter! Program constructing is easier than proving, because one controls the actual solution process.
Constructing Programs by Comp’l Induction
Given a specification S, with pre-condition Pre and post-condition Post, a construction by computational induction of a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
such that P is totally correct with respect to S proceeds in 6 steps:
1. Intuitive Idea: Describe the solution idea that you will follow during the program construction.
2. General Situation: Using an invariant (assertion) Inv, describe the program state that is to always hold before ⟨condition⟩ is evaluated, expressing what has already been done so far. Using a variant (function) F, describe the integer quantity that is to change during each iteration.
3. Initialisation: Infer ⟨initialisation⟩ such that:
{ Pre } ⟨initialisation⟩ { Inv } (1)
4. Loop-Condition and Conclusion: Infer ⟨condition⟩ and ⟨conclusion⟩ (if necessary) such that:
{ Inv and not ⟨condition⟩ } ⟨conclusion⟩ { Post }
or: Inv and not ⟨condition⟩ implies Post (2)
5. Loop-Body: Infer ⟨body⟩ such that:
{ Inv and ⟨condition⟩ } ⟨body⟩ { Inv } (3)
and such that:
for all arguments satisfying Pre, function F returns a lower-bounded integer (4)
and such that:
{ Inv and ⟨condition⟩ and F(…) = f } ⟨body⟩ { F(…) < f } (5)
Other methods exist. For instance, the variant may increase towards an upper bound.
6. Documentation: Comment the resulting program with at least its specification, and comment each of its loops with its invariant and variant.
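The six construction steps carried through for the merge specification of the earlier slides, as an added example that is not code from the slides: the loop is written in the shape ⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od, the invariant Inv and variant F are my own choices for this problem, and obligations (1), (3), (4) and (5) are checked at run time while (2) is checked once the loop ends.

```python
# merge constructed by computational induction, instrumented so that each
# proof obligation is checked during execution (added example). Slides use
# 1-indexed arrays; list X models X[1..U] with X[I] stored at X[I-1].
from typing import List


def ordered(X: List[int], L: int, U: int) -> bool:
    return all(X[I - 1] <= X[I] for I in range(L, U))


def is_merge_of(C: List[int], A_part: List[int], B_part: List[int]) -> bool:
    # Permutation of the union, checked by sorting (adequate for a checker).
    return sorted(C) == sorted(A_part + B_part)


def merge_ci(A: List[int], B: List[int]) -> List[int]:
    M, N = len(A), len(B)
    assert ordered(A, 1, M) and ordered(B, 1, N)            # Pre

    # Step 1, intuitive idea: repeatedly move the smaller head of A or B to C.
    # Step 2, general situation. i and j are the next unread positions of A
    # and B; C holds the (i-1)+(j-1) elements already moved.
    # Inv: C is the non-decreasingly ordered permutation of the union of
    #      A[1..i-1] and B[1..j-1], and every unread element of A or B is
    #      >= the last element of C (so C can be extended in order).
    def Inv(i: int, j: int, C: List[int]) -> bool:
        return (is_merge_of(C, A[:i - 1], B[:j - 1])
                and ordered(C, 1, len(C))
                and (not C or all(x >= C[-1] for x in A[i - 1:] + B[j - 1:])))

    # Variant F: number of unread elements, lower-bounded by 0 under Pre.
    def F(i: int, j: int) -> int:
        return (M - i + 1) + (N - j + 1)

    # Step 3, initialisation; obligation (1): { Pre } i,j,C <- 1,1,[] { Inv }
    i, j, C = 1, 1, []
    assert Inv(i, j, C)

    # Step 4, loop condition: there is still something unread. No conclusion
    # statement is needed, since Inv and not condition already give Post.
    def condition(i: int, j: int) -> bool:
        return i <= M or j <= N

    while condition(i, j):
        f = F(i, j)
        assert f >= 0                                         # (4)
        # Step 5, body: move the smaller head, A first on ties (keeps Inv).
        if j > N or (i <= M and A[i - 1] <= B[j - 1]):
            C.append(A[i - 1]); i += 1
        else:
            C.append(B[j - 1]); j += 1
        assert Inv(i, j, C)                                   # (3)
        assert F(i, j) < f                                    # (5)

    # Obligation (2): Inv and not condition means both arrays are consumed,
    # so C is the ordered permutation of the union of A[1..M] and B[1..N].
    assert i == M + 1 and j == N + 1
    return C
```

Step 6 (documentation) is what the comments above carry: the specification at the top, and the invariant and variant next to the loop they belong to.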
Comments on Program Construction by Computational Induction
• Use diagrams and introduce appropriate notations and properties whenever convenient.
• If Step 5 in turn needs a loop, then choose an appropriate methodology and apply it.
• Devising (in)variants is not an additional and artificial difficulty in program construction, but rather an essential step thereof, even if not made explicit or unconscious.
• Program constructing is easier than proving, because one controls the actual solution process.
The Induction Principle
Let P be a conjectured property of natural numbers (i.e., the integers that are ≥ 0). (For example, “the factorial of any natural number N is larger than or equal to N” is such a property.)
To prove that P(N) holds for any natural number N, we proceed in 2 independent steps:
• Base Case: Prove that P(0) holds.
• Step Case: Prove that P(N) holds for N > 0, assuming that P(M) holds for all 0 ≤ M < N.
Indeed, once these two cases are proven, they interact so as to achieve that P(N) holds for any natural number N:
1. By the base case, we have that P(0) holds, unconditionally.
2. By the step case, we have that P(1) holds, because P(0) holds by 1.
3. By the step case, we have that P(2) holds, because P(0), P(1) hold by 1, 2.
4. By the step case, we have that P(3) holds, because P(0), P(1), P(2) hold by 1, 2, 3.
5. … and so on, until infinity! …
This principle, known as complete mathematical induction, can be generalised for any domain (not just natural numbers), whether lower-bounded or upper-bounded.
Proving Programs by Structural Induction
Given a specification SP, with pre-condition PreP and post-condition PostP, and a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
a proof by structural induction of total correctness of P with respect to SP proceeds in 3 steps:
1. Identification of an auxiliary program A within P, which performs what remains to be done, and identification of a specification SA for A, with pre-condition PreA and post-condition PostA, such that some function F on its variables has a lower-bounded domain according to PreA.
2. Proof of Total Correctness of A with respect to SA: Prove the base case:
{ PreA and F(…) = f0 with f0 minimal } A { PostA[f0] } (1)
and prove the step case:
{ PreA and F(…) = fi with fi non-minimal } A { PostA[fi] } if { PreA and F(…) = fj < fi } A { PostA[fj] } (2)
3. Proof of Total Correctness of P with respect to SP, assuming total correctness of A w.r.t. SA:
{ PreP } ⟨initialisation⟩ ; A { PostP } (3)
Comments on Program Proving by Structural Induction
• Distinguish between specification variables, program variables, and proof variables.
• The auxiliary program A often is the given program P without its initialisation statements: the methodology of structural induction amounts to “jumping on the running train.”
• The post-condition PostA of the auxiliary program A is a generalisation of PostP.
• The post-condition of the auxiliary program A cannot be correct (except for weird programs) if it does not involve all the variables that appear in ⟨condition⟩ or that are modified by ⟨body⟩.
• The proof cannot be correct (except for over-specific specifications) if it does not appeal to the whole pre-condition and the whole conditions of all if…then…else and while statements.
• If a proof step fails, then backtrack to a previous proof step and fix it, or change the auxiliary program A, or change the specification of A.
Evaluation of Program Proving by Structural Induction
• Advantages and disadvantages: the same as for program proving by computational induction.
• Specs of auxiliary programs may be difficult to find for programs that one has not written oneself, and explicit, rigorous proofs may be long and difficult. This is not a disadvantage of program proving (compared to program testing), but rather evidence that programming itself is difficult! Proofs only make explicit the reasoning that was — or ought to have been — made anyway. Explicitly doing such proofs teaches us the risks we take when relying on untrained intuition.
• Is it possible to use this program proving methodology constructively, that is to actually construct correct programs right away? Yes, see the next chapter! Program constructing is easier than proving, because one controls the actual solution process.
Constructing Programs by Struct’l Induction
Given a specification SP, with pre-condition PreP and post-condition PostP, a construction by structural induction of a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
such that P is totally correct with respect to SP proceeds in 5 steps:
1. Intuitive Idea: Describe the solution idea that you will follow during the program construction.
2. Generalisation: Using a specification SA, with pre-condition PreA and post-condition PostA, of an auxiliary program A, which performs what remains to be done, generalise the specification SP such that some function F on its variables has a lower-bounded domain according to PreA.
3. Auxiliary Program: Infer ⟨condition⟩ and ⟨conclusion⟩ (if necessary) such that:
{ PreA and F(…) = f0 with f0 minimal } A { PostA[f0] } (1)
and infer ⟨body⟩ such that:
{ PreA and F(…) = fi with fi non-minimal } A { PostA[fi] } if { PreA and F(…) = fj < fi } A { PostA[fj] } (2)
4. Initialisation: Infer ⟨initialisation⟩ such that:
{ PreP } ⟨initialisation⟩ ; A { PostP } (3)
5. Documentation: Comment the resulting program with at least its specification, and comment each auxiliary program with its specification.
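The five construction steps carried through for binary search, the problem the slides later name as the typical case for structural induction; this is an added example, not code from the slides, and the specifications SP and SA, the auxiliary program aux and the variant F are my own choices. The auxiliary program is written recursively so that the base case (1), the step case (2) with its strictly smaller fj, and the initialisation (3) are visible and checked at run time.

```python
# Binary search constructed by structural induction (added example). Slides
# use 1-indexed arrays; list A models A[1..N] with A[I] stored at A[I-1].
from typing import List


def ordered(X: List[int], L: int, U: int) -> bool:
    return all(X[I - 1] <= X[I] for I in range(L, U))


def occurs(V: int, A: List[int], L: int, U: int) -> bool:
    """Reference meaning of PostA: V occurs in A[L..U]."""
    return any(A[I - 1] == V for I in range(L, U + 1))


def search_si(A: List[int], V: int) -> bool:
    """SP: given a non-decreasingly ordered integer-array A[1..N] and an
    integer V, returns boolean Found such that Found iff V occurs in
    A[1..N], without modifying A."""
    N = len(A)
    assert ordered(A, 1, N)                                   # PreP

    # Step 1, intuitive idea: compare V with the middle element and keep
    # only the half that can still contain it.
    # Step 2, generalisation SA: given L, U with 1 <= L, U <= N and
    # L <= U + 1, return Found iff V occurs in A[L..U]. PostP is PostA with
    # L = 1 and U = N. Variant F(L, U) = U - L + 1 is lower-bounded by 0
    # under PreA, so the domain is lower-bounded as step 2 requires.
    def F(L: int, U: int) -> int:
        return U - L + 1

    # Step 3, auxiliary program A.
    def aux(L: int, U: int) -> bool:
        assert 1 <= L and U <= N and L <= U + 1               # PreA
        f = F(L, U)
        assert f >= 0
        if f == 0:                                            # base case (1)
            found = False                                     # A[L..U] is empty
        else:                                                 # step case (2)
            Mid = (L + U) // 2
            if A[Mid - 1] == V:
                found = True
            elif A[Mid - 1] < V:
                # A ordered, so V cannot be in A[L..Mid]; recurse on a
                # strictly smaller instance fj < fi.
                assert F(Mid + 1, U) < f
                found = aux(Mid + 1, U)
            else:
                assert F(L, Mid - 1) < f
                found = aux(L, Mid - 1)
        assert found == occurs(V, A, L, U)                    # PostA[f]
        return found

    # Step 4, initialisation, obligation (3): { PreP } L <- 1 ; U <- N ; A { PostP }
    return aux(1, N)
```

Step 5 (documentation) is carried by the docstring for SP and the comment stating SA, PreA and F beside the auxiliary program.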
Comments on Program Construction by Structural Induction
• Use diagrams and introduce appropriate notations and properties whenever convenient.
• If Step 3 in turn needs a loop, then choose an appropriate methodology and apply it.
• Specifying auxiliary programs is not an additional & artificial difficulty in program construction, but rather an essential step thereof, even if not made explicit or unconscious.
• Program constructing is easier than proving, because one controls the actual solution process.
Computational Induction vs. Structural Induction: Summary and Comparison
In a proof / construction by computational induction, partial correctness of the entire program is established by proving that an invariant holds each time the loop-condition is evaluated. This invariant expresses what has already been done so far, after some iterations. This is proven by simple mathematical induction on the computation length (the number of iterations). Termination of the entire program is established separately. Criticism: It is unnecessary to prove partial correctness and termination separately, and it is less natural to reason on the computation length rather than on the values of the variables.
In a proof / construction by structural induction, total correctness of the auxiliary program is established by proving that its post-condition holds after a finite number of iterations. This post-condition expresses what remains to be done, after some iterations. This is proven by simple / complete mathematical induction on the structure of some variable. Total correctness of the entire program is established from the total correctness of the auxiliary program and the initialisation statements. Criticism: It is less natural to wonder “what remains to be done” than “what has already been done.”
How to Choose the “Right” Methodology?
The choice of a proof/construction methodology is neither arbitrary, nor a matter of personal taste, as, for a given problem, the reasoning or program may be much simpler in one method than in the other. Some choice heuristics can be formulated:
• The methodology of structural induction is definitely superior when the question of “what remains to be done?” can be answered easily without referring to “what has already been done so far.” (Example: binary search.)
• Conversely, the methodology of computational induction seems superior when the question of “what remains to be done?” can only be answered with difficulty without referring to “what has already been done so far.” However, a good specialisation of the specification of the auxiliary program can often be found. (Example: the plateau problem.)
• Finally, the methodology of computational induction seems superior when the question of “what remains to be done?” cannot be answered without referring to “what has already been done so far.” However, a good specialisation of the specification of the auxiliary program can often be found. (Example: array compression.)
Consequences of Applying Either Methodology
Experience shows that much “better” programs are constructed when following either of these two methodologies rather than reasoning outside them!