8/12/2019 Lecture 01 java
COMP2111 Lecture 1
Session 1, 2013
What, When, How
Kai Engelhardt
Revision: 1.1
Credits: Ken Robinson, John Reynolds, ...
What
Put the word engineering back into SE.
In marginally more detail (= Immd): climb up the ladder of evolution
1 Crap out code so it beats the compiler's checks.
2 Cobble together code that passes a few tests.
3 Craft code that (provably) works according to specifications.
When
All of it, and in this one session.
Immd: we shall be spending time on
- acquiring and understanding languages to specify systems (both fully formal and informal ones)
- using such languages to specify some simple systems or tasks, clearly and concisely
- developing notions of refinement between artifacts in said languages to guide a systematic code/system development process
- using refinement to derive correct-by-construction, beautiful code from concise and clear specifications
How
We'll be using Event-B for all practical tasks. (This feeds into your SE workshops.)
We'll use light-weight informal methods to foster understanding.
We'll investigate the mathematical underpinnings of both:
1 What's in a spec?
2 What's in a program?
3 What does refinement mean?
Top-Down Program Construction: an Example
Reminder: facts about the factorial function $! : \mathbb{N} \to \mathbb{N}$ are:
$0! = 1$ (fac1)
$(n+1)! = (n+1) \cdot n!$ (fac2)
(fac1) tells us what the factorial of 0 is, while (fac2) shows how to find the factorial of a number if we know the factorial of its predecessor.
Task: Given a number $n \in \mathbb{N}$, we want to compute its factorial $n!$ in some variable f without changing n in the process.
Plan:
1 Use (fac1) to compute $0!$.
2 Repeatedly use (fac2) to compute factorials of larger numbers.
Who said COMP2111 was going to be difficult?!?
We could use f to save the last factorial we have computed, and an additional variable k to keep track of the number such that $f = k!$. Now we can adapt the plan to
1 Achieve $f = k!$ by setting k to 0 and f to 1.
2 As long as $k \neq n$, increase k and change f in a way that preserves $f = k!$.
In C, with comments for pseudo-code:
    k = 0; f = 1;
    while (k != n) {
        /* increase k and change f while maintaining f = k! */
    }
(In)variants
$f = k!$ is called a loop invariant. Of course, loop bodies are supposed to change the state, but invariants express properties of the state that are preserved by executing the loop body. Invariants are crucial ingredients of correctness proofs, but they do not address termination.
To argue termination of a loop (or recursion) we use variants, i.e., functions that map program states to $\mathbb{N}$ (or any other well-founded domain in general). To show that a loop terminates, one proves that every iteration of the body strictly decreases the value of the variant.
A suitable variant here would be $n - k$ because
    /* increase k and blah */
decreases the value of $n - k$ by 1.
It remains to implement
    /* increase k and change f while maintaining f = k! */
We decide to change k first:
    k = k + 1; /* change f to reestablish f = k! */
Observe that the invariant won't hold after the increment, but instead $f = (k-1)!$ is true.
    k = k + 1; /* assuming f = (k-1)!, change f to establish f = k! */
(fac2) suggests the implementation
    f = k * f;
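The completed program, as an added C example that is not from the slides: the loop derived above, with the invariant f = k! and the variant n - k written out as assertions at the points where the argument needs them. fact_ref is a helper assumed here; it computes the reference value directly from (fac1) and (fac2).

```c
#include <assert.h>
#include <stdio.h>

/* Reference definition, straight from (fac1) and (fac2). */
static unsigned long long fact_ref(unsigned n) {
    return n == 0 ? 1ULL : n * fact_ref(n - 1);
}

/* The program derived on the slides. Each assert records one step of the
 * correctness argument: the invariant f = k! is re-established after every
 * iteration and the variant n - k strictly decreases, so the loop terminates
 * with k = n and therefore f = n!.  Exact for n <= 20 in 64 bits. */
unsigned long long factorial(unsigned n) {
    unsigned k = 0;                     /* (fac1): 0! = 1 ...              */
    unsigned long long f = 1;           /* ... so f = k! holds initially   */
    assert(f == fact_ref(k));           /* invariant established           */
    while (k != n) {
        unsigned variant = n - k;       /* variant value before the body   */
        k = k + 1;                      /* now only f = (k-1)! is true     */
        f = k * f;                      /* (fac2) re-establishes f = k!    */
        assert(f == fact_ref(k));       /* invariant preserved             */
        assert(n - k < variant);        /* variant decreased (by exactly 1)*/
    }
    return f;                           /* k = n and f = k!, hence f = n!  */
}

int main(void) {
    for (unsigned n = 0; n <= 20; n++)
        printf("%u! = %llu\n", n, factorial(n));
    return 0;
}
```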
One popular formal notation for pseudo-code specifications such as
    /* assuming f = (k-1)!, change f to establish f = k! */
is Carroll Morgan's specification statement
$f : [\, f = (k-1)!,\; f = k! \,]$
which expresses that, if the initial state satisfies the precondition $f = (k-1)!$, then change only the variables listed in the frame f so that the resulting final state satisfies the postcondition $f = k!$.
(See his book Programming from Specifications.)
http://www.cs.ox.ac.uk/publications/books/PfS/
Reflection
We've followed a simple recipe:
1 Take an unwritten portion of the program whose purpose is precisely and completely specified.
2 Replace this portion by a statement which may in turn contain portions that are unwritten but precisely and completely specified.
3 Prove (or at least convince yourself) that the new statement will meet its specification if its unwritten portions meet their specifications.
4 Repeat the above process until the entire program is written.
Taken almost verbatim from John C. Reynolds' seminal 1981 book, following Niklaus Wirth's program development by stepwise refinement from 1971.
http://www.cs.cmu.edu/~jcr/craftprog.html
http://dl.acm.org/citation.cfm?doid=362575.362577
Reflection cont'd
We haven't accomplished anything we couldn't do before, but that wasn't really the point. We have alluded to concepts such as
- specification
- implementation
- assertion
- invariant
What do they really mean?
Carroll's book answers these questions. Abrial's book, Modeling in Event-B, does, too. Each in its own way. And so do many other books.
http://www.event-b.org/abook.html
Event-B
Let's have a look at how such a development could look in Event-B.
Ken Robinson kindly provided an introductory exercise to familiarise everybody with Rodin and Event-B.
http://www.cse.unsw.edu.au/~cs2111/13s1/ass/ass0.html
Connection to Year 1
Besides the obvious relation to previous SE workshops, there's a fundamental connection to COMP1927 that moreover clarifies the approach of Event-B.
Essentially, COMP1927 was about data structures + operations on them.
Our first example is a degenerate one in that respect: the data structure is a single natural number and the only operation computes the factorial of that number. In contrast to COMP1927, we elicited a formal specification of that operation: $f : [\, n \in \mathbb{N},\; f = n! \,]$.
In COMP1927 you'd read an informal requirement such as
    the data structure represents a directed graph (V, E) and a desirable operation would tell you whether there is a path between two given vertices x and y
Since we've learned about predicate logic and the specification statement, we can formalise that as
$b : [\, x, y \in V,\;\; b \Leftrightarrow \exists n \in \mathbb{N},\, f : [0..n] \to V.\; f(0) = x \wedge f(n) = y \wedge \forall i \in [1..n].\, (f(i-1), f(i)) \in E \,]$
Yes, that means you do need your little bit of predicate logic in this course.
General Setting
- Some variables representing our abstract data.
- Sanity conditions, or data invariants, on the data representation.
- An initialisation of the variables that establishes the invariants.
- A set of operations, each of which maintains the data invariants.
Example
Variables: a list L of elements of Nodes and a quadratic matrix M of Boolean values, to represent the nodes and edges of a directed graph.
Data invariants: the list L of nodes should not contain repetitions,
$\forall n, m \in [0..|L|-1].\; n \neq m \Rightarrow L(n) \neq L(m)$
and its length |L| should coincide with the size of the quadratic matrix: $M \in (\mathbb{B}^{|L|})^2$.
Initialisation: $L = []$ and M the empty matrix.
Operations: connectedness as above was non-intrusive: it did not affect the graph. Also imagine intrusive operations such as delete(e : Edge) and addnode(v : Node). They would naturally come with a proof obligation.
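As an added C example that is not from the slides, the general setting of the last two slides made concrete: the variables L and M, the no-repetition data invariant, an initialisation that establishes it, the non-intrusive connected operation implementing the path specification from the COMP1927 slide, and the intrusive addnode operation whose proof obligation (the invariant still holds) is checked with an assertion. MAXN, index_of and the extra addedge operation are assumptions of this example.

```c
#include <assert.h>
#include <stdbool.h>
#include <string.h>
#define MAXN 8                 /* node capacity, an assumption of this example */
typedef int Node;
static Node L[MAXN];           /* the list L of nodes */
static int len;                /* |L| */
static bool M[MAXN][MAXN];     /* M[i][j] true iff there is an edge L(i) -> L(j) */
bool invariant(void) {         /* data invariant: n != m in [0..|L|-1] implies L(n) != L(m) */
    for (int n = 0; n < len; n++)
        for (int m = 0; m < len; m++)
            if (n != m && L[n] == L[m]) return false;
    return true;
}
static int index_of(Node v) {  /* position of v in L, or -1 if absent */
    for (int i = 0; i < len; i++) if (L[i] == v) return i;
    return -1;
}
/* Initialisation: L = [] and M without edges; returns whether the invariant holds. */
bool init(void) { len = 0; memset(M, 0, sizeof M); return invariant(); }

/* Intrusive operation addnode(v): its proof obligation, that the invariant
 * still holds afterwards, is discharged by rejecting duplicate nodes. */
bool addnode(Node v) {
    if (len == MAXN || index_of(v) >= 0) return false;
    L[len++] = v;
    assert(invariant());
    return true;
}
/* Intrusive operation addedge(x, y): both endpoints must already be in L. */
bool addedge(Node x, Node y) {
    int i = index_of(x), j = index_of(y);
    if (i < 0 || j < 0) return false;
    return M[i][j] = true;
}
/* Non-intrusive operation: b := "a path from x to y exists", computed by a
 * depth-first search over M; the graph itself is left unchanged. */
bool connected(Node x, Node y) {
    int i = index_of(x), j = index_of(y);
    if (i < 0 || j < 0) return false;
    bool seen[MAXN] = {false}; int stack[MAXN], sp = 0;
    stack[sp++] = i; seen[i] = true;
    while (sp > 0) {
        int u = stack[--sp];
        if (u == j) return true;
        for (int v = 0; v < len; v++)
            if (M[u][v] && !seen[v]) { seen[v] = true; stack[sp++] = v; }
    }
    return false;
}
```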
Meaning
To give proper meaning to all the bits, the various existing methods use one or more of
- an article or book describing the formal semantics of assertions, specifications, programs etc.
- a software tool implementing a particular semantics of said notions
Hopefully, if both are provided, they coincide. If none or only the second is provided, avoid: amateur alert.
Event-B + Rodin are in the good books: they have published formal semantics for the language and the tool appears to implement it.
What next
Do the introductory exercise.
Questions -> our COMP2111 forums
Complaints and whingeing -> /dev/null
http://www.cse.unsw.edu.au/~cs2111/13s1/ass/ass0.html
https://cgi.cse.unsw.edu.au/~forums/support/viewforum.php?f=1137