The Seven Principles of Software Engineering (slides: user.it.uu.se/~pierref/courses/ccp/slides.pdf)

The Seven Principles of Software Engineering
C. Ghezzi, M. Jazayeri, D. Mandrioli. Fundamentals of Software Engineering. Prentice-Hall, 1991.
• Rigour and Explicitness: Rigour and explicitness are a necessary complement to unstructured creativity.
• Separation of Concerns: Separately deal with different individual aspects of the problem (such as time, qualities, views, size).
• Modularity: Identify modules (units of division of work), then deal with intra-module and inter-module details.
• Abstraction: Identify and focus on the important aspects of the problem, thus obtaining purpose-specific models.
• Anticipation of Change: Identify aspects of the product and process that are likely to change, and protect from their changes.
• Generality: Solving a more general (less constrained) problem is often easier, and provides reuse opportunities.
• Incrementality: Successively produce better approximations to a solution by improving on the previous solution.



The Impact of Bad Specifications
Specification errors are the most numerous errors:
• 64% of all errors are specification errors.
• 36% of all errors are programming errors.
Specification errors are the most tenacious errors:
• 19% of all errors are specification errors and are detected before delivery.
• 45% of all errors are specification errors and are detected after delivery.
• 9% of all errors are programming errors and are detected before delivery.
• 27% of all errors are programming errors and are detected after delivery.
Specification errors are the most costly errors:
• A specification error caught while designing costs 2.5 times more than while specifying.
• A specification error caught while programming costs 5.0 times more than while specifying.
• A specification error caught while integrating costs 36.0 times more than while specifying.
Considering that:
• Correcting specification errors represents 66% of the total error correction cost.
• Correcting design errors represents 25% of the total error correction cost.
• Correcting programming errors represents 9% of the total error correction cost.
and considering that the total error correction cost represents 50% of the total cost of a software, then we have that correcting specification errors represents 33% of the total cost of a software!

Specification Template (for the CCP course)
Given ⟨arguments and their types⟩ [such that ⟨pre-condition on arguments⟩],
program ⟨name⟩ [modifies ⟨some arguments⟩ and] returns ⟨results and their types⟩
such that ⟨post-condition on arguments and results⟩ [, without modifying ⟨some remaining arguments⟩].
[Examples: ⟨…⟩.]
[Counter-examples: ⟨…⟩.]

Role of the Pre-Condition
• If the pre-condition on the arguments does not hold, then the program may return any results!
• If the pre-condition on the arguments does hold, then the program must return results that satisfy the post-condition!

Role of Well-Chosen (Counter-)Examples
• In theory: They are redundant with the pre/post-conditions.
• In practice:
+ They often provide an intuitive understanding that no assertion or definition could achieve.
+ They often help eliminate risks of ambiguity in the assertions by illustrating delicate issues.
+ If they contradict the pre/post-conditions, then we know that something is wrong somewhere!

A Sample Specification
Given two integer-arrays A[1..M] and B[1..N] such that A and B are non-decreasingly ordered, program merge returns an integer-array C[1..M+N] such that C is the non-decreasingly ordered permutation of the union of A and B, without modifying A and B.
Example: merge([1,4,4,6], [2,3,4], [1,2,3,4,4,4,6]).
Comments
• The used concepts of “non-decreasingly ordered array”, “permutation of an array”, and “union of two arrays” are assumed to be understood by the reader in the same way as by the writer. This also explains the role of the examples.
• The program must be deterministic, because “C is the …”, and not “C is a …”.
• The array upper bounds M and N are implicit arguments (and should thus also not be modified).
• Formalising specifications (as advocated by many) often gives rise to long formulas (see the next slide for a sample formalisation), which is unnecessary for our objective:
+ We aim at the manual construction of correct programs, not at their automated construction: constructing those long formulas and manually manipulating them would be more error-prone.
+ We aim at the manual construction of correct programs, not at their automated verification.
+ New formal symbols need to be informally explained anyway, so that one can verify (!) whether they indeed capture the informal intentions.

Example: Formalisation of the Specification of a merge Program
Pre-condition: ordered(A,1,M) and ordered(B,1,N)
Post-condition: permutation(A,M,B,N,C) and ordered(C,1,M+N)
where:
• ordered(X,L,U) if-and-only-if for all integers I such that L ≤ I < U we have that X[I] ≤ X[I+1] (i.e., integer-array X[L..U] is non-decreasingly ordered)
• permutation(A,U,B,V,C) if-and-only-if for all integers I we have that number(I,C,U+V) = number(I,A,U) + number(I,B,V) (i.e., integer-array C[1..U+V] is a permutation of the union of integer-arrays A[1..U] and B[1..V])
where:
• number(E,X,U) = the number of integers J such that 1 ≤ J ≤ U where we have that X[J] = E (i.e., the number of occurrences of integer E in integer-array X[1..U])

The Seven Sins of the Specifier
Source: Bertrand Meyer. On Formalism in Specifications. IEEE Software 2(1):6–26, 1985.
Noise: The presence in the text of an element that doesn’t carry information relevant to any feature of the problem. Variants: Redundancy, Remorse.
Silence: The existence of a feature of the problem that is not covered by any element of the text.
Overspecification: The presence in the text of an element that corresponds not to a feature of the problem but to features of a possible solution.
Contradiction: The presence in the text of two or more elements that define a feature of the problem in an incompatible way.
Ambiguity: The presence in the text of an element that makes it possible to interpret a feature of the problem in at least two different ways.
Forward Reference: The presence in the text of an element that uses features of the problem not defined until later in the text.
Wishful Thinking: The presence in the text of an element that defines a feature of the problem in such a way that a candidate solution cannot realistically be validated with respect to this feature.

The Programming Language
Data Types
• Booleans: boolean (values: true and false)
• Integers: integer (values: …, −3, −2, −1, 0, 1, 2, 3, …)
• Arrays: array[⟨lowbound⟩..⟨upbound⟩] of ⟨type⟩ (empty when lowbound = upbound + 1)
Primitive Statements
• Simple Assignment: ⟨variable⟩ ← ⟨expression⟩
Composition Mechanisms
• Sequential Composition: ⟨statement⟩ ; ⟨statement⟩
• Conditional Composition: if ⟨condition⟩ then ⟨statement⟩ [else ⟨statement⟩] fi
• Iterative Composition: while ⟨condition⟩ do ⟨statement⟩ od

Program Correctness
Definition: The state of a program P at a moment M consists of the values of the variables of P at M.
Definition: An assertion is an affirmation regarding a program state. Examples: The pre/post-conditions of specifications and proof invariants (see below) are assertions.
Definition: A program P is partially correct with respect to a specification S if, each time P terminates on arguments that satisfy the pre-condition (including the types) of S, P returns results that satisfy the post-condition (including the types) of S.
Definition: A program P is (totally) correct with respect to a specification S if P terminates on all arguments that satisfy the pre-condition (including the types) of S and P is partially correct with respect to S.

Notation
Let P be a program statement, and let Q and R be assertions involving the variables of P. Then the notation:
{ Q } P { R }
means that P is totally correct w.r.t. the specification with pre-condition Q and post-condition R.

Hoare’s Semantic Laws
Simple Assignment
{ Q[X/E] } X ← E { Q[X] } (to be read from right to left)
or:
{ Q[X] } X ← E { Q[X/X_0] and X = E[X/X_0] } (to be read from left to right)
(where X_0 is the initial value of X)
Sequential Composition
if { Q } P_1 { R } and { R } P_2 { S } then { Q } P_1 ; P_2 { S }
Conditional Composition
if { Q and B } P_1 { R } and { Q and not B } P_2 { R } then { Q } if B then P_1 else P_2 fi { R }
Iterative Composition
if { Inv and B } P { Inv } then { Inv } while B do P od { Inv and not B }

Proving Programs by Computational Induction
Given a specification S, with pre-condition Pre and post-condition Post, and a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
a proof by computational induction of total correctness of P with respect to S proceeds in 2 steps:
1. Proof of Partial Correctness of P with respect to S: Find an assertion Inv, called the invariant, that holds each time ⟨condition⟩ is evaluated, expressing what has already been done so far, i.e., prove that Inv indeed holds the 1st time:
{ Pre } ⟨initialisation⟩ { Inv } (1)
and prove that after the last time (i.e., when the loop ends), the program terminates correctly:
{ Inv and not ⟨condition⟩ } ⟨conclusion⟩ { Post } or: Inv and not ⟨condition⟩ implies Post (2)
and prove that if Inv holds the nth time, then Inv will indeed hold the n+1st time, if any:
{ Inv and ⟨condition⟩ } ⟨body⟩ { Inv } (3)
2. Proof of Termination of P on all arguments that satisfy Pre: For instance, find for each loop an integer function F on the program variables, called the variant, that is decreasing towards a lower bound during each iteration, i.e., prove that F indeed returns a lower-bounded integer:
for all arguments satisfying Pre, function F returns a lower-bounded integer (4)
and prove that execution of the loop body indeed decreases the value of F:
{ Inv and ⟨condition⟩ and F(…) = f } ⟨body⟩ { F(…) < f } (5)
Other proof methods exist. For instance, the variant may increase towards an upper bound.

Comments on Program Proving by Computational Induction
• Distinguish between specification variables, program variables, and proof variables.
• The invariant often is “similar” to the post-condition Post.
• The invariant (resp. variant) cannot be correct (except for weird programs) if it does not involve all (resp. some of) the variables that appear in ⟨condition⟩ or that are modified by ⟨body⟩.
• The proof cannot be correct (except for over-specific specifications) if it does not appeal to the whole pre-condition and the whole conditions of all if…then…else and while statements.
• The proof cannot be correct if the invariant and the variant do not satisfy each of their conditions.
• If a proof step fails, then backtrack to a previous proof step and fix it or change the (in)variant.

Evaluation of Program Proving by Computational Induction
• Advantages:
+ The methodology really produces proofs in the classical understanding of the term, because they are based on axioms and inference rules.
+ The proof reasoning is made on the (static) text of the program, but not on its multiple — often infinitely many — (dynamic) executions. Program proving is thus more powerful than program testing!
+ Whereas program testing only aims at detecting the existence of errors, program proving is likely to also help in locating the errors and in correcting them.
• Disadvantages:
– Correctness proofs only prove (if correct!) the correctness of the program w.r.t. its specification, but nothing regarding the hardware and software platform on which the program will be run.
• Program proving and program testing are thus complementary, and also prototyping.
• (In)variants may be difficult to find for (uncommented) programs that one has not written oneself, and explicit, rigorous proofs may be long and difficult. This is not a disadvantage of program proving (compared to program testing), but rather evidence that programming itself is difficult! Proofs only make explicit the reasoning that was — or ought to have been — made anyway. Explicitly doing such proofs teaches us the risks we take when relying on untrained intuition.
• Is it possible to use this program proving methodology constructively, that is to actually construct correct programs right away? Yes, see the next chapter! Program constructing is easier than proving, because one controls the actual solution process.

Constructing Programs by Comp’l Induction
Given a specification S, with pre-condition Pre and post-condition Post, a construction by computational induction of a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
such that P is totally correct with respect to S proceeds in 6 steps:
1. Intuitive Idea: Describe the solution idea that you will follow during the program construction.
2. General Situation: Using an invariant (assertion) Inv, describe the program state that is to always hold before ⟨condition⟩ is evaluated, expressing what has already been done so far. Using a variant (function) F, describe the integer quantity that is to change during each iteration.
3. Initialisation: Infer ⟨initialisation⟩ such that:
{ Pre } ⟨initialisation⟩ { Inv } (1)
4. Loop-Condition and Conclusion: Infer ⟨condition⟩ and ⟨conclusion⟩ (if necessary) such that:
{ Inv and not ⟨condition⟩ } ⟨conclusion⟩ { Post } or: Inv and not ⟨condition⟩ implies Post (2)
5. Loop-Body: Infer ⟨body⟩ such that:
{ Inv and ⟨condition⟩ } ⟨body⟩ { Inv } (3)
and such that:
for all arguments satisfying Pre, function F returns a lower-bounded integer (4)
and such that:
{ Inv and ⟨condition⟩ and F(…) = f } ⟨body⟩ { F(…) < f } (5)
Other methods exist. For instance, the variant may increase towards an upper bound.
6. Documentation: Comment the resulting program with at least its specification, and comment each of its loops with its invariant and variant.
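As an added example (not code from the slides or the course), the merge specification and its formalisation from earlier, together with the six construction steps above, carried out in Python: the predicates ordered, number and permutation are transcribed from the formalisation slide, and the merge program checks conditions (1) to (5) at run time. Lists are 0-based, so the slides' X[1..U] is x[0:U] here; the invariant, the variant and all function names are this example's own assumptions.

```python
"""Added example (not from the slides): the merge specification of the
course made executable, and a merge program constructed by computational
induction that checks its invariant (1), (3) and variant (4), (5) at run time.
Lists are 0-based, so the slides' X[1..U] is x[0:U] here; the invariant,
the variant and all names are this example's own choices."""

from typing import List


# ---- Specification predicates, transcribed from the formalisation slide ----

def ordered(x: List[int], lo: int, hi: int) -> bool:
    """ordered(X,L,U): X[L..U] is non-decreasingly ordered.
    Here for the half-open slice x[lo:hi]: x[i] <= x[i+1] for lo <= i < hi-1."""
    return all(x[i] <= x[i + 1] for i in range(lo, hi - 1))


def number(e: int, x: List[int], u: int) -> int:
    """number(E,X,U): the number of occurrences of E in X[1..U], i.e. x[0:u]."""
    return sum(1 for j in range(u) if x[j] == e)


def permutation(a: List[int], u: int, b: List[int], v: int, c: List[int]) -> bool:
    """permutation(A,U,B,V,C): for all integers I,
    number(I,C,U+V) = number(I,A,U) + number(I,B,V).
    'All integers' cannot be enumerated, but any integer absent from A, B and C
    has count 0 on both sides, so checking the integers occurring in them suffices."""
    if len(c) != u + v:
        return False
    candidates = set(a[:u]) | set(b[:v]) | set(c)
    return all(number(i, c, u + v) == number(i, a, u) + number(i, b, v)
               for i in candidates)


def precondition(a: List[int], b: List[int]) -> bool:
    """Pre: ordered(A,1,M) and ordered(B,1,N)."""
    return ordered(a, 0, len(a)) and ordered(b, 0, len(b))


def postcondition(a: List[int], b: List[int], c: List[int]) -> bool:
    """Post: permutation(A,M,B,N,C) and ordered(C,1,M+N); checkable on its own."""
    m, n = len(a), len(b)
    return permutation(a, m, b, n, c) and ordered(c, 0, m + n)


# ---- The program, constructed by computational induction ----

def merge(a: List[int], b: List[int]) -> List[int]:
    """Intuitive idea: walk through A and B with cursors i and j, always
    appending the smaller head to C, until both arrays are exhausted."""
    m, n = len(a), len(b)
    # Role of the pre-condition: outside it the program "may return any
    # results", so this version refuses such arguments instead.
    if not precondition(a, b):
        raise ValueError("pre-condition violated: A and B must be ordered")

    def invariant(i: int, j: int, c: List[int]) -> bool:
        # Inv: 0<=i<=M, 0<=j<=N, C[0:i+j] is the ordered permutation of
        # A[0:i] and B[0:j], and nothing still unread in A[i:] or B[j:] is
        # smaller than the last element written to C.
        remaining = a[i:] + b[j:]
        return (0 <= i <= m and 0 <= j <= n
                and ordered(c, 0, i + j)
                and permutation(a, i, b, j, c)
                and (not c or not remaining or c[-1] <= min(remaining)))

    def variant(i: int, j: int) -> int:
        # F = (M - i) + (N - j): the number of elements not yet copied.
        return (m - i) + (n - j)

    i, j, c = 0, 0, []                     # initialisation: { Pre } ... { Inv } (1)
    assert invariant(i, j, c)
    while i < m or j < n:                  # Inv and not condition implies Post  (2)
        f = variant(i, j)
        assert f >= 0                      # F is lower-bounded                  (4)
        if j == n or (i < m and a[i] <= b[j]):
            c.append(a[i])
            i += 1
        else:
            c.append(b[j])
            j += 1
        assert invariant(i, j, c)          # the body re-establishes Inv         (3)
        assert variant(i, j) < f           # the body decreases F                (5)
    return c                               # no conclusion statement is needed


if __name__ == "__main__":
    result = merge([1, 4, 4, 6], [2, 3, 4])          # the slides' own example
    print(result, postcondition([1, 4, 4, 6], [2, 3, 4], result))
```

The slides' counter-example role shows up directly: postcondition accepts [1,2,3,4,4,4,6] for the example inputs and rejects a result with the right multiset but wrong order, or with a missing element.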

Comments on Program Construction by Computational Induction
• Use diagrams and introduce appropriate notations and properties whenever convenient.
• If Step 5 in turn needs a loop, then choose an appropriate methodology and apply it.
• Devising (in)variants is not an additional and artificial difficulty in program construction, but rather an essential step thereof, even if not made explicit or unconscious.
• Program constructing is easier than proving, because one controls the actual solution process.

The Induction Principle
Let P be a conjectured property of natural numbers (i.e., the integers that are ≥ 0). (For example, “the factorial of any natural number N is larger than or equal to N” is such a property.)
To prove that P(N) holds for any natural number N, we proceed in 2 independent steps:
• Base Case: Prove that P(0) holds.
• Step Case: Prove that P(N) holds for N > 0, assuming that P(M) holds for all 0 ≤ M < N.
Indeed, once these two cases are proven, they interact so as to achieve that P(N) holds for any natural number N:
1. By the base case, we have that P(0) holds, unconditionally.
2. By the step case, we have that P(1) holds, because P(0) holds by 1.
3. By the step case, we have that P(2) holds, because P(0), P(1) hold by 1, 2.
4. By the step case, we have that P(3) holds, because P(0), P(1), P(2) hold by 1, 2, 3.
5. … and so on, until infinity! …
This principle, known as complete mathematical induction, can be generalised for any domain (not just natural numbers), whether lower-bounded or upper-bounded.

Proving Programs by Structural Induction
Given a specification S_P, with pre-condition Pre_P and post-cond. Post_P, and a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
a proof by structural induction of total correctness of P with respect to S_P proceeds in 3 steps:
1. Identification of an auxiliary program A within P, which performs what remains to be done, and identification of a specification S_A for A, with pre-condition Pre_A and post-cond. Post_A, such that some function F on its variables has a lower-bounded domain according to Pre_A.
2. Proof of Total Correctness of A with respect to S_A: Prove the base case:
{ Pre_A and F(…) = f_0 with f_0 minimal } A { Post_A[f_0] } (1)
and prove the step case:
{ Pre_A and F(…) = f_i with f_i non-minimal } A { Post_A[f_i] } if { Pre_A and F(…) = f_j < f_i } A { Post_A[f_j] } (2)
3. Proof of Total Correctness of P with respect to S_P, assuming total correctness of A w.r.t. S_A:
{ Pre_P } ⟨initialisation⟩ ; A { Post_P } (3)

Comments on Program Proving by Structural Induction
• Distinguish between specification variables, program variables, and proof variables.
• The auxiliary program A often is the given program P without its initialisation statements: the methodology of structural induction amounts to “jumping on the running train.”
• The post-condition Post_A of the auxiliary program A is a generalisation of Post_P.
• The post-condition of the auxiliary program A cannot be correct (except for weird programs) if it does not involve all the variables that appear in ⟨condition⟩ or that are modified by ⟨body⟩.
• The proof cannot be correct (except for over-specific specifications) if it does not appeal to the whole pre-condition and the whole conditions of all if…then…else and while statements.
• If a proof step fails, then backtrack to a previous proof step and fix it, or change the auxiliary program A, or change the specification of A.

Evaluation of Program Proving by Structural Induction
• Advantages and disadvantages: the same as for program proving by computational induction.
• Specs of auxiliary programs may be difficult to find for programs that one has not written oneself, and explicit, rigorous proofs may be long and difficult. This is not a disadvantage of program proving (compared to program testing), but rather evidence that programming itself is difficult! Proofs only make explicit the reasoning that was — or ought to have been — made anyway. Explicitly doing such proofs teaches us the risks we take when relying on untrained intuition.
• Is it possible to use this program proving methodology constructively, that is to actually construct correct programs right away? Yes, see the next chapter! Program constructing is easier than proving, because one controls the actual solution process.

Constructing Programs by Struct’l Induction
Given a specification S_P, with pre-condition Pre_P and post-condition Post_P, a construction by structural induction of a program P of the form:
⟨initialisation⟩ ; while ⟨condition⟩ do ⟨body⟩ od [ ; ⟨conclusion⟩ ]
such that P is totally correct with respect to S_P proceeds in 5 steps:
1. Intuitive Idea: Describe the solution idea that you will follow during the program construction.
2. Generalisation: Using a specification S_A, with pre-condition Pre_A and post-condition Post_A, of an auxiliary program A, which performs what remains to be done, generalise the specification S_P such that some function F on its variables has a lower-bounded domain according to Pre_A.
3. Auxiliary Program: Infer ⟨condition⟩ and ⟨conclusion⟩ (if necessary) such that:
{ Pre_A and F(…) = f_0 with f_0 minimal } A { Post_A[f_0] } (1)
and infer ⟨body⟩ such that:
{ Pre_A and F(…) = f_i with f_i non-minimal } A { Post_A[f_i] } if { Pre_A and F(…) = f_j < f_i } A { Post_A[f_j] } (2)
4. Initialisation: Infer ⟨initialisation⟩ such that:
{ Pre_P } ⟨initialisation⟩ ; A { Post_P } (3)
5. Documentation: Comment the resulting program with at least its specification, and comment each auxiliary program with its specification.

Comments on Program Construction by Structural Induction
• Use diagrams and introduce appropriate notations and properties whenever convenient.
• If Step 3 in turn needs a loop, then choose an appropriate methodology and apply it.
• Specifying auxiliary programs is not an additional & artificial difficulty in program construction, but rather an essential step thereof, even if not made explicit or unconscious.
• Program constructing is easier than proving, because one controls the actual solution process.
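Binary search, the problem the later heuristics slide names as the natural fit for structural induction, constructed by the five steps above in Python. This is an added example, not the course's own code: the specification S_A, the variant F and the names (xs, aux, search) are its assumptions, and lists are 0-based, so the slides' A[L..U] becomes xs[lo:hi].

```python
"""Added example (not from the slides): binary search constructed by
structural induction. The auxiliary program A is the loop of P without its
initialisation ("jumping on the running train"); its spec S_A generalises
S_P from the whole array to a sub-range, on whose length F the induction runs.
Names, S_A and F are this example's own choices."""

from typing import List


def ordered(xs: List[int]) -> bool:
    """ordered(A,1,N) of the slides: xs is non-decreasingly ordered."""
    return all(xs[i] <= xs[i + 1] for i in range(len(xs) - 1))


def spec_p(xs: List[int], k: int, found: bool) -> bool:
    """Post_P: Found iff K occurs in A[1..N]. Checkable without the program."""
    return found == (k in xs)


def spec_a(xs: List[int], k: int, lo: int, hi: int, found: bool) -> bool:
    """Post_A: Found iff K occurs in xs[lo:hi] (the slides' A[L..U]).
    Pre_A: ordered(xs) and 0 <= lo <= hi <= len(xs), so F = hi - lo >= 0."""
    return found == (k in xs[lo:hi])


def variant(lo: int, hi: int) -> int:
    """F: the length of the range still to be searched; its minimum is 0."""
    return hi - lo


def aux(xs: List[int], k: int, lo: int, hi: int) -> bool:
    """Auxiliary program A for S_A (Pre_A is assumed, as the slides allow).

    Base case (1): F = 0, the range is empty, so K is not in it: Found = False.
    Step case (2): F > 0. Compare K with the middle element; on a hit Post_A
    holds at once, otherwise, because xs is ordered, the discarded half cannot
    contain K, so Post_A for this range follows from Post_A for the strictly
    smaller remaining range (F decreases, hence the induction is well-founded).
    """
    while variant(lo, hi) > 0:                       # step case
        f, old_lo, old_hi = variant(lo, hi), lo, hi
        mid = (lo + hi) // 2
        if xs[mid] == k:
            return True
        if xs[mid] < k:
            lo = mid + 1                             # K cannot be in xs[lo:mid+1]
        else:
            hi = mid                                 # K cannot be in xs[mid:hi]
        # Run-time check of the step case: the answer for the old range equals
        # the answer for the new one, and F strictly decreased.
        assert (k in xs[old_lo:old_hi]) == (k in xs[lo:hi])
        assert variant(lo, hi) < f
    return False                                     # base case: F = 0


def search(xs: List[int], k: int) -> bool:
    """Program P = <initialisation> ; A, totally correct w.r.t. S_P.

    Pre_P:  ordered(A,1,N)
    Post_P: Found iff K occurs in A[1..N]
    Step (3): the initialisation lo = 0, hi = N establishes Pre_A from Pre_P
    and makes Post_A coincide with Post_P, so P inherits A's total correctness.
    """
    if not ordered(xs):
        # Outside Pre_P the program "may return any results"; refuse instead.
        raise ValueError("pre-condition violated: array must be ordered")
    lo, hi = 0, len(xs)                              # initialisation
    return aux(xs, k, lo, hi)


if __name__ == "__main__":
    data = [1, 3, 5, 7, 9, 11]                       # constructed sample input
    for key in (7, 4):
        print(key, search(data, key), spec_p(data, key, search(data, key)))
```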

Computational Induction vs. Structural Induction: Summary and Comparison
In a proof / construction by computational induction, partial correctness of the entire program is established by proving that an invariant holds each time the loop-condition is evaluated. This invariant expresses what has already been done so far, after some iterations. This is proven by simple mathematical induction on the computation length (the number of iterations). Termination of the entire program is established separately. Criticism: It is unnecessary to prove partial correctness and termination separately, and it is less natural to reason on the computation length rather than on the values of the variables.
In a proof / construction by structural induction, total correctness of the auxiliary program is established by proving that its post-condition holds after a finite number of iterations. This post-condition expresses what remains to be done, after some iterations. This is proven by simple / complete mathematical induction on the structure of some variable. Total correctness of the entire program is established from the total correctness of the auxiliary program and the initialisation statements. Criticism: It is less natural to wonder “what remains to be done” than “what has already been done.”

How to Choose the “Right” Methodology?
The choice of a proof/construction methodology is neither arbitrary, nor a matter of personal taste, as, for a given problem, the reasoning or program may be much simpler in one method than in the other. Some choice heuristics can be formulated:
• The methodology of structural induction is definitely superior when the question of “what remains to be done?” can be answered easily without referring to “what has already been done so far.” (Example: binary search.)
• Conversely, the methodology of computational induction seems superior when the question of “what remains to be done?” can only be answered with difficulty without referring to “what has already been done so far.” However, a good specialisation of the specification of the auxiliary program can often be found. (Example: the plateau problem.)
• Finally, the methodology of computational induction seems superior when the question of “what remains to be done?” cannot be answered without referring to “what has already been done so far.” However, a good specialisation of the specification of the auxiliary program can often be found. (Example: array compression.)

Consequences of Applying Either Methodology
Experience shows that much “better” programs are constructed when following either of these two methodologies rather than reasoning outside them!