FM lecture 13 (final)
TRANSCRIPT
Dr. Naveed Riaz
Design and Analysis of Algorithms
Formal Methods
About Me
Education: BCS, UIIT Arid Rawalpindi; M.S. (Computer Science), SZABIST; Ph.D. (Computer Science), SZABIST
Research Interests: Pattern Recognition, Digital Image Processing, Artificial Intelligence
International Publications: more than 20 (journal + conference)
Introduction to Formal Methods
Branch of computer science in which we reason about and analyze computer programs using formal techniques.
Program specification and verification. Constructing programs so that each step written is valid and leads to a correct solution.
A number of tools and techniques are available.
What is this course all about? Why formal languages? What is wrong with informal languages? Byte magazine published a list of notorious bugs:
1. 1987: Therac-25 (the bug that killed)
2. 1990: AT&T (breakdown)
3. 1991: Patriot missile software bug
4. Pentium bug
Can we properly test the software? Famous saying by Dijkstra: by testing we can only prove the presence of bugs, not their absence. When examining a mathematical claim, a counterexample can be provided, e.g. 1. "All numbers are < 1000".
You can either provide a formal proof or a counterexample.
Overhead with test cases: it is not possible to write the huge number of test cases required.
Test Cases vs F-M: test whether two strings are equal.
    isEqual("Cat", "Dog") – expected output: False
    isEqual("Testing", "Testing") – expected output: True
    isEqual("House", "Home") – expected output: False
There are many more possibilities.
Test Cases vs F-M: programming example
    equal = strlen(String1) == strlen(String2);
    if (equal)
        for (i = 0; i < strlen(String1); i++)
            equal = String1[i] == String2[i];   /* overwritten on every iteration: only the last character pair is compared */
    return equal;
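As an added example (not part of the lecture), the slide's routine transcribed into Python: the three slide test cases pass, yet an exhaustive check over all short strings from a two-letter alphabet finds inputs the tests missed. The function names (is_equal_slide, is_equal_correct, first_counterexample) are ours.

```python
# Added example: the isEqual routine from the slide, transcribed literally,
# passes the three slide tests while still being wrong. Exhaustively checking
# every pair of short strings over a tiny alphabet finds a counterexample.
from itertools import product

def is_equal_slide(s1: str, s2: str) -> bool:
    """Literal transcription of the slide's routine: `equal` is overwritten
    on every iteration, so only the last character pair is compared."""
    equal = len(s1) == len(s2)
    if equal:
        for i in range(len(s1)):
            equal = s1[i] == s2[i]
    return equal

def is_equal_correct(s1: str, s2: str) -> bool:
    """Reference: equal lengths and every position matches."""
    return len(s1) == len(s2) and all(a == b for a, b in zip(s1, s2))

# The three test cases from the slide (constructed here as data).
SLIDE_TESTS = [
    (("Cat", "Dog"), False),
    (("Testing", "Testing"), True),
    (("House", "Home"), False),
]

def run_slide_tests(fn) -> bool:
    """True if fn produces the expected output on every slide test case."""
    return all(fn(*args) == expected for args, expected in SLIDE_TESTS)

def first_counterexample(fn, alphabet="ab", max_len=3):
    """Compare fn with the reference on every string pair up to max_len;
    return the first disagreeing pair, or None if there is none."""
    words = [""] + ["".join(w) for n in range(1, max_len + 1)
                           for w in product(alphabet, repeat=n)]
    for s1 in words:
        for s2 in words:
            if fn(s1, s2) != is_equal_correct(s1, s2):
                return (s1, s2)
    return None

if __name__ == "__main__":
    print("slide tests pass:", run_slide_tests(is_equal_slide))   # True
    print("counterexample:", first_counterexample(is_equal_slide))  # ('aa', 'ba')
```

The hand-written tests say nothing about inputs they do not cover; the exhaustive check (a tiny formal argument over a finite domain) does.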
Structured Programming
The same phenomenon can be seen with structured programming. Flow graphs are used to understand program structure.
Components of a flow graph: sequence, selection and loop.
Flow Graphs: identify the flow diagram (figure)
Flow Graphs: bubble sort flow graph
    sorted = false;                           // 1
    while (!sorted) {                         // 2
        sorted = true;
        for (int i = 0; i < size - 1; i++) {  // 3
            if (a[i] > a[i+1]) {              // 4
                swap(a[i], a[i+1]);           // 5
                sorted = false;
            }                                 // 6
        }                                     // 7
    }                                         // 8
Flow Graphs
Based upon flow graphs we try to write test cases that exercise the different components of the flow graph.
Limitations of this kind of testing: three types of test coverage are available when using flow graphs.
Statement coverage: make sure that every statement is executed at least once.
Branch coverage: identify the branches and try to test all of them.
Path coverage: enumerate all possible paths and then write test cases for them.
Path Coverage overhead
    for (int i = 0; i < N; i++) {   // 1
        if (condition1)
            // some statement       // 2
        else
            // some statement       // 3
        // some statement           // 4
    }                               // 5
How many paths are there for N iterations?
Model-based solution
We try to develop a model of the system, then analyze the correctness of the model using mathematical techniques.
What is a model? Why is a model required, and how does it help us?
Dijkstra's Game
Model-based solution: colour of the last ball?
1 Ball Game: suppose there is only one ball in the jar.
2 Ball Game: suppose there are two balls in the jar -> 3 possibilities:
    both white
    both black
    1 W, 1 B
Model-based solution: 3 Balls Game (figure)
Model-based solution
If there is an even number of white balls -> the last ball is black.
If there is an odd number of white balls -> the last ball is white.
Can you verify this for 100 balls in the jar, i.e. is our hypothesis true or not?
To verify this we need a formal proof -> build a mathematical model.
Mathematical Model
If there is an even number of white balls -> the last ball is black.
If there is an odd number of white balls -> the last ball is white.
F(B, W):
    (2 B out, 1 B in):        B - 2 + 1 = B - 1,  W
    (2 W out, 1 B in):        B + 1,              W - 2
    (1 of each out, 1 W in):  B - 1,              W - 1 + 1 = W
In two cases we reduce the black balls by 1 and maintain the number of white balls.
In the third case, we reduce the white balls by two and increase the black balls by 1.
The total number of balls is reduced by exactly one in each move.
The parity of the white ball count does not change (it drops by either 0 or 2).
Propositional Calculus
Two tools will be used to build mathematical models: logic and set theory.
What is a proposition? A statement which is either true or false, e.g. "My name is Ali" (true or false), "A = B" (true or false).
Which statement is not a proposition? "You should read this book carefully."
Logic is built on propositions.
Truth Table: Implication
The implication P ⇒ Q is false only when P is true and Q is false; otherwise it is always true.
Only if P is true can we make a statement about Q.
If P is false then we do not need to say anything about Q.
It originates from the conditional statement (if or if-then-else).
    P  Q  P ⇒ Q
    T  T    T
    T  F    F
    F  T    T
    F  F    T
Truth Table: Bi-Conditional (if and only if)
P ⇔ Q means P ⇒ Q and Q ⇒ P.
The outcome is true if P and Q have the same value.
If P and Q do not have the same value then the bi-conditional is false.
Compare it with exclusive OR.
Can be used for equality statements.
    P  Q  P ⇔ Q
    T  T    T
    T  F    F
    F  F    T
    F  T    F
Tautology: a compound proposition which is always true, irrespective of the truth values of its constituent propositions, e.g. p ∨ ¬p.
Contradiction: the opposite of a tautology, a proposition which is always false, e.g. p ∧ ¬p (outcome always false).
It is an important tool for proving theorems.
For example, we can take a hypothesis and show that assuming it ends up in a logical contradiction, hence the hypothesis is incorrect; otherwise we can prove it.
Logical Equivalence
The propositions P and Q are called logically equivalent if p ⇔ q is a tautology.
It is written as P ≡ Q.
For example: ¬(p ∨ q) ≡ ¬p ∧ ¬q (De Morgan's law)
Logic Puzzle: The Island of Knights and Knaves
Two types of resident -> knights and knaves.
They have some special characteristics:
Knights -> always speak the truth
Knaves -> always lie
Based upon this information we need to solve some problems.
Logic problem for the day
Someone asks person A, "Are you a knight?"
He replies, "If I am a knight then I will eat my hat."
Prove that A has to eat his hat. Use logic to solve this problem: first you have to identify the propositions, then a hypothesis is required. Think about what it means for a person A to make a statement "S" on the island: if person A is a knight then statement "S" is true, else it is false.
Logic problem for the day
Two solutions are possible: a truth table, or logical deduction rules. First, conversion to propositions is required.
    A is a knight:    A
    A eats his hat:   H
    "If I am a knight then I will eat my hat":   A ⇒ H
We have seen that a person X and his statement S have the same truth value (X ⇔ S), therefore:
    A ⇔ (A ⇒ H)
Using Truth Table
Build the truth table column by column: A, H, then A ⇒ H, then A ⇔ (A ⇒ H).
    A  H  A ⇒ H  A ⇔ (A ⇒ H)
    T  T    T         T
    F  T    T         F
    T  F    F         F
    F  F    T         F
The only row in which A ⇔ (A ⇒ H) is true has H true. What if another row with H false also gave a true result?
Problem with Truth Tables
Any problem with the truth table? It performs well when the number of propositions is small, but what if the number of propositions is large? In a truth table the number of rows depends on the number of variables: if we have two variables then … Another method is to build a logical argument using deduction rules.
Some useful Equivalences (table on the slide not reproduced)
Proof using Equivalences
    A ⇔ (A ⇒ H)
    A ⇔ (not A or H)
    (A and (not A or H)) or (not A and not (not A or H))
Left disjunct:
    A and (not A or H) ≡ (A and not A) or (A and H)   – distributive law
                       ≡ false or (A and H)
                       ≡ A and H
Right disjunct:
    not A and not (not A or H) ≡ not A and (A and not H)   – De Morgan's law
                               ≡ (not A and A) and not H    – associative law
                               ≡ false and not H            – negation law
                               ≡ false
Proof using Equivalences: hence proved
    A ⇔ (not A or H)
    ≡ (A and H) or false
    ≡ A and H
Rules for Inference & Logical Deduction
Introduction Rules
If two propositions are given:
    p    q        (given)
    ------
    p ∧ q         (conclude)
If one proposition is given, a disjunction follows (if p is true then p ∨ q is true, whatever q is):
    p            q
    -----      -----
    p ∨ q      p ∨ q
Another: if q is true then p ⇒ q is always true (p does not matter):
    q
    ------
    p ⇒ q
Rules for Inference & Logical Deduction
Elimination Rules
If p ∧ q is true then p is true (and likewise q):
    p ∧ q      p ∧ q
    -----      -----
      p          q
If p is true and p ⇒ q is also true, then q has to be true:
    p    p ⇒ q
    ----------
        q
If your assumptions are contradictory you can conclude anything:
    p    ¬p        false
    -------        -----
     false           p
Rules for Inference & Logical Deduction
Importance of the rules
They play an important role in logic, e.g. in proof by contradiction.
If your assumption is false then it does not matter what you conclude, e.g. an implication with a false pre-condition.
Rules for Inference & Logical Deduction
Does Superman exist? If Superman were able and willing to prevent evil, he would do so. If Superman were unable to prevent evil, he would be incapable; if he were unwilling to prevent evil, he would be malevolent. Superman does not prevent evil. If Superman exists he is neither incapable nor malevolent. Therefore Superman does not exist.
Rules for Inference & Logical Deduction
    Superman exists                       X
    Superman is willing to prevent evil   W
    Superman is able to prevent evil      A
    Superman is malevolent                M
    Superman is incapable                 I
    Superman prevents evil                E
Rules for Inference & Logical Deduction
1: Assume
    ((W and A) => E)
    and ((not A) => I)
    and ((not W) => M)
    and (not E)
    and (X => not (I or M))
Prove that not X.
The logical conclusion is: Superman does not exist.
Rules for Inference & Logical Deduction
2: Assume X
Use the elimination rule to break No. 1 down into 5 premises:
    3: (W and A) => E
    4: (not A) => I
    5: (not W) => M
    6: not E
    7: X => not (I or M)
Now applying the elimination rule to 2 and 7 derives another simple proposition:
    2: Assume X    7: X => not (I or M)
    8: not (I or M)
Now proving I or M will result in a contradiction.
Now we analyze W.
    9: Assume not W
    10: M (from 5 & 9)
    11: I or M (from 10, introduction)
This contradicts 8.
    12: Assume W (now check the case where W is true)
Two possibilities for A (true or false).
    13: Assume A (true)
    14: W and A (12 and 13)
    15: E (from 3 and 14)
    16: false (from 6 & 15)
    17: I or M (from 16) -> again a contradiction with 8
    18: Assume not A
    19: I (4 and 18)
    20: I or M (from 19)
    21: I or M (from 17 & 20: both cases of A)
    22: I or M (from 11 and 21: both cases of W)
    23: false (contradiction between 8 and 22)
    24: not X (from 2 and 23)
Logical problem for the day
On the island of knights and knaves, it is rumoured that there is gold buried on the island. You ask one of the natives, A, whether there is gold on the island. He makes the following response: "There is gold on this island if and only if I am a knight."
The problem is as follows:
a) Can it be determined whether A is a knight or a knave?
b) Can it be determined whether there is gold on the island?
Logical problem for the day
    There is gold on the island   G
    A is a knight                 A
Therefore we have A ⇔ (A ⇔ G):
    A  G  A ⇔ G  A ⇔ (A ⇔ G)
    T  T    T         T
    F  T    F         T
    T  F    F         F
    F  F    T         F
Quiz # 1
(1) Translate the following expression into a logical expression:
"Ali is either smart or honest, but Ali is not honest if he is smart."
(2) Solve the puzzle using propositional logic:
There are two types of people on an island:
Knight: always tells the truth.
Knave: always lies.
A says: "B is a knight."
B says: "The two of us are of opposite types."
Determine the types of A and B.
Island rule: Ahmad is a knight if what he said is true, and Ali is a knight if what he said is true.
Associativity of Equivalence
    A ≡ B ≡ C
can be evaluated as
    (A ≡ B) ≡ C
or
    A ≡ (B ≡ C)
If we have two numbers x and y, add them (x + y) and find whether the answer is even or odd.
Even and Odd numbers
If we have two numbers x and y, add them and find whether the answer is even or odd.
When both numbers are odd the answer is even, i.e.
    m + n is even ≡ m is even ≡ n is even
    m + n is even ≡ (m is even ≡ n is even)
A ≡ B ≡ C
    A  B  C  A ≡ B  (A ≡ B) ≡ C
    F  F  F    T         F
    F  F  T    T         T
    F  T  F    F         T
    F  T  T    F         F
    T  F  F    F         T
    T  F  T    F         F
    T  T  F    T         F
    T  T  T    T         T
Full Adder (figure): inputs a, b and carry c enter the full adder FA; outputs are the carry C_out and the sum D.
    a = 1   A
    b = 1   B
    c = 1   C
    d = 1   D
    D = (A ≡ B ≡ C)
Island Gold Problem
    There is gold on the island   G
    A is a knight                 A
Therefore we have A ≡ (A ≡ G):
    A ≡ (A ≡ G)
    ≡ (A ≡ A) ≡ G
    ≡ true ≡ G
    ≡ G
Properties of equivalence
Constant true:
    true ≡ p ≡ p
    true = (p ≡ p)
    (true ≡ p) = p
Symmetry:
    (p ≡ q) = (q ≡ p)
e.g.
    p ≡ p ≡ q ≡ p ≡ r ≡ q
    ≡ p ≡ p ≡ p ≡ q ≡ q ≡ r
    ≡ true ≡ p ≡ true ≡ r
    ≡ p ≡ r
Replace a term which is repeated an odd number of times by a single occurrence of the term, and remove all occurrences of any term which is repeated an even number of times.
    A is a knight             A
    A says "I am a knight"    A
    A ≡ A
Since this is always true, no meaningful conclusion can be drawn.
    A is a knight                         A
    B is a knight                         B
    A says "I am the same type as B"      A ≡ B
    A ≡ A ≡ B
    ≡ B
The person is equivalent to the statement.
Think about this problem logically: A says "I am the same type as B".
Island of Knights and Knaves
Suppose A is the proposition "Person A is a knight" and suppose A makes a statement S. Then "A is true" is the same as "S is true". That is:
    A ≡ S
Logical problem for the day
A tourist comes to a fork in the road, where one branch leads to a restaurant and one does not. A native of the island is standing at the fork. Formulate a single yes/no question that the tourist can ask such that the answer will be yes if the left fork leads to the restaurant, and otherwise the answer will be no.
Logical problem for the day
Let Q be the question.
Let A be "the native is a knight".
Let L be "the left fork leads to the restaurant".
"The response to the question Q is yes" is equivalent to Q ≡ A.
So we require that L ≡ (Q ≡ A), or
    Q ≡ (L ≡ A)
Question: "Is the statement 'the left fork leads to the restaurant' equivalent to 'you are a knight'?"
Logical problem for the day
There are two natives A and B. A says, "B is a knight is the same as I am a knave."
What can you determine about A and B?
A's statement is: B ≡ ¬A
So we have:
    A ≡ B ≡ ¬A
    ≡ A ≡ ¬A ≡ B
    ≡ false ≡ B
    ≡ ¬B
    A ?
Golden Rule
    p ∧ q ≡ p ≡ q ≡ p ∨ q
Implication
    p ⇒ q ≡ p ≡ p ∧ q
    p ⇒ q ≡ q ≡ p ∨ q
Problem
A says: "If I am a knight, B is a knight."
    A ⇒ B
    A ≡ (A ⇒ B)
    ≡ A ≡ A ≡ (A ∧ B)
    ≡ A ∧ B
Logical problem for the day
Three of the inhabitants, A, B, and C, were standing together in a garden. A stranger passed by and asked A, "Are you a knight or a knave?" A answered, but the stranger could not understand. The stranger then asked B, "What did A say?" B replied, "A said that he is a knave." At this point, C said, "Don't believe B; he is lying!"
What are A, B and C?
Problem
B's statement is: A ≡ ¬A
C's statement is: ¬B
So we have:
    (B ≡ (A ≡ ¬A)) ∧ (C ≡ ¬B)
    ≡ ¬B ∧ (C ≡ ¬B)
    ≡ (¬B ∧ C) ≡ (¬B ∧ ¬B)
    ≡ (¬B ∧ C) ≡ ¬B
    ≡ ¬B ∧ C
Problem
A says, "Either I am a knave or B is a knight."
    A ≡ ¬A ∨ B
    ≡ A ≡ (A ≡ false) ∨ B
    ≡ A ≡ (A ∨ B ≡ false ∨ B)
    ≡ A ≡ A ∨ B ≡ B
    ≡ A ∧ B
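Added example (not from the lecture) covering the hat puzzle, the gold puzzle, the Superman deduction and the "either I am a knave or B is a knight" problem above: a brute-force truth-table checker that enumerates all 2^n assignments of each puzzle's propositions and keeps the rows that make the puzzle true, which also makes the row blow-up of the truth-table method visible. The puzzle names and helper functions are ours.

```python
# Added example: brute-force truth tables for the knights-and-knaves puzzles.
# A resident A and the statement S that A makes have the same truth value,
# so each puzzle is encoded as the proposition A <=> S.
from itertools import product

def implies(p, q):
    return (not p) or q

def iff(p, q):
    return p == q

def models(variables, formula):
    """Rows of the truth table (as dicts) on which formula is true."""
    rows = []
    for values in product([True, False], repeat=len(variables)):
        env = dict(zip(variables, values))
        if formula(env):
            rows.append(env)
    return rows

def forced_value(variables, formula, var):
    """True/False if every model fixes var to that value, None if undetermined."""
    vals = {m[var] for m in models(variables, formula)}
    return vals.pop() if len(vals) == 1 else None

# Hat puzzle: A says "if I am a knight then I will eat my hat".
hat_puzzle = (["A", "H"], lambda e: iff(e["A"], implies(e["A"], e["H"])))
# Gold puzzle: A says "there is gold on this island iff I am a knight".
gold_puzzle = (["A", "G"], lambda e: iff(e["A"], iff(e["A"], e["G"])))
# A says "either I am a knave or B is a knight".
knave_or_knight = (["A", "B"], lambda e: iff(e["A"], (not e["A"]) or e["B"]))

# Superman: premises 3-7 of the deduction on the slides, checked semantically
# over all 2^6 = 64 rows instead of by a derivation.
SUPERMAN_VARS = ["X", "W", "A", "M", "I", "E"]

def superman_premises(e):
    return (implies(e["W"] and e["A"], e["E"])
            and implies(not e["A"], e["I"])
            and implies(not e["W"], e["M"])
            and not e["E"]
            and implies(e["X"], not (e["I"] or e["M"])))

def superman_entails_not_x():
    """not X holds in every row where all five premises hold (and such rows exist)."""
    rows = models(SUPERMAN_VARS, superman_premises)
    return bool(rows) and all(not r["X"] for r in rows)

if __name__ == "__main__":
    for name, (vs, f) in [("hat", hat_puzzle), ("gold", gold_puzzle),
                          ("knave-or-knight", knave_or_knight)]:
        print(name, "rows:", 2 ** len(vs), "models:", models(vs, f))
    print("superman premises entail not X:", superman_entails_not_x())
```

For the gold puzzle the checker reports G forced to true while A stays undetermined, matching the equivalence derivation on the slides; for the hat puzzle both A and H are forced to true.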
Conditional Correctness
    {P} S {Q}
    (initial state) (set of instructions) (final state)
Expresses the conditional correctness of S.
Binary search (pre-condition) -> the array must be sorted.
Which means that, in order for this program to work properly, we need to start with a given condition.
Post-condition: if the key is present then you will get its index; if the key is not present then you will get some value which tells you that the key is not present (desired output).
If we start in "P" and end in "Q" then our program is conditionally correct.
Conditional Correctness
Suppose the post-condition is n < 0 and S is n := n - 1.
Pre-condition: if we start with n = 0, then after n - 1 we end with n = -1.
Another point: if we start with n = -10, then after n - 1 we end with -11.
Which means that there are infinitely many values of n which will satisfy the post-condition.
Weakest pre-condition: n <= 0 (infinitely many possibilities); after the statement we then get n < 0.
Weakest Pre-Condition
    wp(z := x, z ≥ y)       =  x ≥ y
    wp(t := x, t = x0)      =  x = x0
    wp(i := i + 1, i <= n)  =  i < n
The first and third examples allow many values that satisfy the final state; the middle one gives just one value.
Weakest Pre-Condition
Suppose you have an array which is not sorted and you want to implement linear search.
Any condition on the input? Even if the data is not sorted, linear search will still give you the result.
wp: any arrangement of data in the array will give the output, i.e. true.
But in binary search, if your data is not sorted you cannot apply binary search.
wp: a specific arrangement is required.
Broad categories of statements
Assignment statements
Selection (control statements)
Loop statements
Assignment Axiom
    wp(x := e, Q(x)) ≡ Q(e)    -> e represents an expression
x will have the value which e had before executing the statement.
Q(e) denotes the predicate obtained by substituting e for all free occurrences of x in the predicate Q.
Assignment Axiom
    wp(i := i - 1, i = 0)                =  i - 1 = 0
    wp(i := (l + u) div 2, l <= i <= u)  =  l <= (l + u) div 2 <= u
    wp(i := 1, i = 0)                    =  1 = 0, i.e. false
Hence for a single assignment statement the Assignment Axiom performs well, but our programs contain more than one assignment statement.
Rules for Sequential Composition
Suppose that we are given only a sequence of assignment statements along with a post-condition, and we need to determine the wp.
The post-condition will be achieved after executing the last statement.
Which means that if we are at the wp before the last statement, then we meet the post-condition.
That is, the wp of the last statement is the post-condition for the previous statement.
    wp(S1; S2, Q) ≡ wp(S1, wp(S2, Q))
Rules for Sequential Composition
    wp((x := x + 1; y := y + 1), x = y)
    = wp(x := x + 1, wp(y := y + 1, x = y))   -> group the post-condition with the last statement
    = wp(x := x + 1, x = y + 1)               -> apply the assignment axiom
    = x + 1 = y + 1
    = x = y
So if we start with the initial condition x = y and then execute the x and y statements, we end with the post-condition.
Rules for Sequential Composition
    wp((x := 2 * x + 1; y := y - 1), y = 3 * x)
    = wp(x := 2 * x + 1, wp(y := y - 1, y = 3 * x))   -> group the post-condition with the last statement
    = wp(x := 2 * x + 1, y - 1 = 3 * x)               -> apply the assignment axiom
    = y - 1 = 3 * (2 * x + 1)
    = y = 6 * x + 4
Rules for Sequential Composition
Pre-condition and post-condition basically give a specification for a function.
Now we have to prove that a function or a set of statements meets its specification.
The specification is given in the form of pre- and post-conditions.
We can calculate the wp from the post-condition. In the same way we can calculate a post-condition from a pre-condition. But it is easier to work backward: if the objective (post-condition) is given, the task is easy compared to working toward a hidden objective.
Rules for Sequential Composition
    { x = x0 and y = y0 }    initial condition
    t := x;
    x := y;
    y := t;
    { x = y0 and y = x0 }    final output
Rules for Sequential Composition
    { x = x0 and y = y0 }  t := x  { t = x0 and y = y0 }
The post-condition becomes the pre-condition of the remaining statements:
    { t = x0 and y = y0 }  x := y; y := t  { y = x0 and x = y0 }
    { t = x0 and y = y0 }  x := y  { t = x0 and x = y0 }
    { t = x0 and x = y0 }  y := t  { y = x0 and x = y0 }
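Added example (not from the lecture) of the assignment axiom and the sequential composition rule, including the swap just above: wp is computed by substituting the assigned expression into the post-condition (Q(e)), statements are processed from last to first, and the slide's simplified answers are confirmed by evaluating both predicates over a grid of integers. The function names are ours and the predicates are written in Python syntax; ast.unparse needs Python 3.9 or later.

```python
# Added example: wp for assignments and sequences by textual substitution.
# wp(x := e, Q) is Q with every free x replaced by e (the assignment axiom);
# wp(S1; S2, Q) = wp(S1, wp(S2, Q)) (sequential composition).
import ast
from itertools import product

class _Subst(ast.NodeTransformer):
    """Replace every occurrence of one variable by an expression tree."""
    def __init__(self, name, expr):
        self.name, self.expr = name, expr

    def visit_Name(self, node):
        if node.id == self.name:
            return ast.copy_location(self.expr, node)
        return node

def wp_assign(assignment, post):
    """Assignment axiom: wp('x := e', Q) = Q(e), returned as source text."""
    target, expr = (s.strip() for s in assignment.split(":="))
    q_tree = ast.parse(post, mode="eval")
    e_tree = ast.parse(expr, mode="eval").body
    q_tree = ast.fix_missing_locations(_Subst(target, e_tree).visit(q_tree))
    return ast.unparse(q_tree)

def wp(program, post):
    """Sequential composition: work backwards from the last statement,
    each computed wp becoming the post-condition of the statement before it."""
    statements = [s for s in program.split(";") if s.strip()]
    for stmt in reversed(statements):
        post = wp_assign(stmt, post)
    return post

def equivalent(pred1, pred2, variables, lo=-5, hi=5):
    """Brute-force check that two predicates agree on a grid of integers."""
    for values in product(range(lo, hi + 1), repeat=len(variables)):
        env = dict(zip(variables, values))
        if bool(eval(pred1, {}, env)) != bool(eval(pred2, {}, env)):
            return False
    return True

if __name__ == "__main__":
    # slide: wp((x := x + 1; y := y + 1), x = y)  simplifies to  x = y
    print(wp("x := x + 1; y := y + 1", "x == y"))
    # slide: wp((x := 2*x + 1; y := y - 1), y = 3*x)  simplifies to  y = 6*x + 4
    print(wp("x := 2 * x + 1; y := y - 1", "y == 3 * x"))
    # slide: the swap t := x; x := y; y := t takes {x = x0 and y = y0}
    # to {x = y0 and y = x0}; computing wp backwards recovers the initial condition
    print(wp("t := x; x := y; y := t", "x == y0 and y == x0"))
```

The substitution step returns the unsimplified predicate (for instance "x + 1 == y + 1"); the grid check is what confirms it is equivalent to the slide's simplified form.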
Hoare's Consequence Rule
Logical implication: an if statement is modelled by a logical implication, P => Q, i.e. if P then Q.
    P => Q    {Q} S {R}          {P} S {Q}    Q => R
    -------------------          -------------------
         {P} S {R}                    {P} S {R}
Rules for conditional
    {P and C} S {Q}
    P and (not C) => Q
    -----------------------
    {P} if C then S {Q}
The if statement is divided into two portions (i.e. true or false).
So we check both the true and the false path; if in both cases we end with Q then our program is correct.
Rules for conditional
    {P and C} S1 {Q}
    {P and (not C)} S2 {Q}
    ------------------------------
    {P} if C then S1 else S2 {Q}
Dijkstra's Healthiness Condition
wp(S, false) = false (the empty set of states): the law of the excluded miracle.
wp(S, true) (the universal set): the termination condition, all states that guarantee termination of S.
The second case is a special one and normally not in practice.
In sequential statements the termination of the program is guaranteed.
When may a program not terminate? When stuck in an infinite loop.
Dijkstra's Healthiness Condition
In the case of loops, when we argue about program correctness, we first ask whether the loop in question actually terminates (if it does not, there is no post-condition).
If the loop terminates then we argue about the rest.
Secondly, if the loop terminates, what condition holds after it?
    wp(while 0 ≠ n do n := n - 1, true)  =  0 <= n
So if we start with any other value of "n", e.g. -1, we will never reach n = 0.
Verification
Invariant: something which is unchanging.
Key to proofs for programs containing loops (iteration or recursion).
• Questions seem to ask for the next change.
• The answer lies in determining what does not change.
Verification
What was the invariant condition in Dijkstra's Game?
• Pulling balls from the jar is an iterative process.
• The parity of the white ball count.
• i.e. if we started with an even number of white balls we have a black ball at the end.
• If we started with an odd number of white balls then the colour of the last ball is white.
Verification
• Invariant => the parity of the white ball count does not change.
• i.e. if we take two white or two black balls out of the jar, we put a black ball back into the jar.
• The number of white balls is reduced either by two or by zero, i.e. the parity does not change.
• Second case: if we get balls of different colours, we put the white ball back into the jar, so the parity does not change.
• Think: identifying the pattern leads us to the colour of the last ball.
• Why is the invariant condition important?
Verification
• Why is the invariant condition important?
• Because with iteration you want to get closer to your objective.
• You have to follow some pattern which leads you one step closer to your objective in each step of the iterative process.
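Added example (not from the lecture) for the mathematical model F(B, W) of Dijkstra's game and the parity invariant discussed here: every jar with up to 100 balls, the case the slides asked about, is model-checked by exploring all plays, confirming that each move removes exactly one ball, that the parity of W never changes, and that the last ball has the predicted colour. The function names are ours.

```python
# Added example: exhaustive check of the ball-game model. A state is the
# pair (B, W) of black and white balls; the three moves are the three cases
# of F(B, W) from the "Mathematical Model" slide.
from functools import lru_cache

def moves(state):
    """Successor states of (B, W): the three cases of F(B, W)."""
    b, w = state
    successors = []
    if b >= 2:             # two black out, one black in
        successors.append((b - 1, w))
    if w >= 2:             # two white out, one black in
        successors.append((b + 1, w - 2))
    if b >= 1 and w >= 1:  # one of each out, one white in
        successors.append((b - 1, w))
    return successors

def predicted_last_colour(w0):
    """The hypothesis under test: even W -> black, odd W -> white."""
    return "black" if w0 % 2 == 0 else "white"

@lru_cache(maxsize=None)
def possible_last_colours(b, w):
    """Every colour the final ball can have, over all possible plays."""
    if b + w == 1:
        return frozenset({"black" if b == 1 else "white"})
    result = set()
    for nb, nw in moves((b, w)):
        result |= possible_last_colours(nb, nw)
    return frozenset(result)

def check_all(max_balls=100):
    """Model-check every jar (B, W) with 1 <= B + W <= max_balls."""
    for n in range(1, max_balls + 1):
        for b in range(n + 1):
            w = n - b
            successors = moves((b, w))
            if n > 1 and not successors:
                return False            # the model would get stuck
            for nb, nw in successors:
                if nb + nw != n - 1:
                    return False        # not exactly one ball removed
                if nw % 2 != w % 2:
                    return False        # parity invariant broken
            if possible_last_colours(b, w) != {predicted_last_colour(w)}:
                return False            # hypothesis wrong for this jar
    return True

if __name__ == "__main__":
    print("hypothesis holds for every jar up to 100 balls:", check_all(100))
```

Because only the counts (B, W) matter and every move removes one ball, the check visits about 5,000 states rather than every sequence of draws, which is exactly the reduction the model buys.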
Classical Problem
• Can you completely cover the chessboard with these dominoes without partially using a domino? If so, how? If not, prove that you cannot.
Classical Problem
• Key to the invariant condition: the shape of the tiles which we are using to cover the chessboard (some information is stored in the colour).
• A given piece will cover one white and one blue square, because on a chessboard no two squares of the same colour are adjacent to each other.
• We have an equal number of blue and white squares on the chessboard.
• If we do not have an equal number of squares then we cannot cover the whole chessboard.
• Condition: we have removed two squares of the same colour, i.e. we are left with more blue than white, i.e. 32 blue and 30 white.
Conditional statements
    if (i <= j) then
        m := i;
    else
        m := j
    (m <= i and m <= j) and (m = i or m = j)
• Possible only when "m" is no larger than i and j.
• The current program assigns the smallest value to "m".
• Question: what is the wp? i.e. what condition must we impose on the inputs i and j so that we get our objective?
Conditional statements: else part (i > j)
    m := j;
    (m = i or m = j) and (m <= i and m <= j)
    (i > j) and (j = i or j = j) and (j <= i and j <= j)
    (i > j) and (true) and (j <= i and true)
    (i > j) and (j <= i)
    (i > j)
Conditional statements: then part
    if (i <= j) then
        m := i;
    (m = i or m = j) and (m <= i and m <= j)
    (i <= j) and (i = i or i = j) and (i <= i and i <= j)
    (i <= j) and (true) and (true and i <= j)
    (i <= j) and (i <= j)
    (i <= j)
Conditional statements
    (i <= j) or (i > j)
• the universal set (true): no condition on the inputs is needed
Tower of Hanoi
Invariant condition in Iteration
• A recursive solution is given in every book.
• But we need to find an iterative solution.
• Odd-numbered moves involve the smallest disk.
• The smallest disk moves clockwise or anti-clockwise depending on the number of disks.
• If you started with an even number of disks it is clockwise; if you started with an odd number then anti-clockwise.
• You have only one legal move after moving the small disk.
• Finding the weakest pre-condition for loops is not as simple as for conditional statements.
Loop invariants
    s := 0;
    for i := 1 to n do
        s := s + a[i];
• What is the "loop invariant"?
• Post-condition: in "s" we want to have the sum of all the elements of the array.
• I got many answers in front of me: the value of "i" is between 1 and "n". But that does not help us. Remember the loop invariant definition.
Loop invariants
• How does each step in the loop take us closer to achieving our objective?
• How?
    s := 0;
    for i := 1 to n do
        s := s + a[i];
• The value of "s" will be stated in terms of a formula.
• What is the value of "s" before the start of the loop: s = 0.
• Value of "s" after the first iteration: the first element.
• After two: "s" has the sum of the first and second elements.
• After three: the sum of the first three elements.
• After k iterations: s has the sum of a[1] to a[k].
Loop invariants
• "s" is the sum of the elements from a[1] to a[i] immediately before i is incremented.
• Think about the while loop (compare it with the if statement).
Weakest pre-condition for While statement
• {P} while B do S {Q}
• Let W be while B do S.
• Condition for termination of the loop:
• P0 = (not B)                                  (the loop body never executes)
• P1 = B and wp(S, P0) = B and wp(S, not B)     (the loop body executes once)
• Pk = B and wp(S, Pk-1)                        (the loop body executes k times)
Weakest pre-condition for While statement
• The invariant condition:
• {I} while B do S {I and not B}
Weakest pre-condition for While statement
    a = 0;
    i = 0;
    while (i < N)
        a = a + i++;
• Do we ever come out of this loop?
• The objective of this program is to add the first "n" numbers.
• Loop invariant: ?
• Constraints on the input?
Weakest pre-condition for While statement
• What would happen when "N" is zero or a negative number?
• When "N" is -1 then we have zero in a.
Functions
• Find the index of the minimum value in an array with a function.
• First write the pre- and post-condition and then the proof.
• You need to pass the size of the array to the function.
• Any conditions on the input?
• There is no specific condition to apply on the input.
• Pre-condition: true, i.e. any array of integers of any size.
• Post-condition: ?
Functions
    function min (X : in INTEGER_ARRAY)
        return INTEGER
    Pre:  true
    Post: (there exists j in X'First .. X'Last : min(X) = X(j)) and
          (for all i in X'First .. X'Last : min(X) <= X(i))
          and X = X''
Functions
• You need to specify what happens to the input array (i.e. any change after function execution).
• The returned value is the smallest among all, but also ....
• The returned value exists in the given set.
• Question: what if any component of the specification is missing?
Another example
• We have an array and want to find a key, determining whether the key is present or not. If present then return its index; if the key is not present then report "not found".
• Pre-condition (any condition on the input)?
• No condition.
• Post-condition?
• We need to answer some questions about the input and output array:
• Do we make any changes to the array? So X = X''.
• What about the key (what is returned): key found or not found.
Key search example
• Pre: True
• Post: ((found and X(index) = key) or
•        (not found and
•         (for all j in X'First .. X'Last : X(j) /= key)))
•       and (X = X'')
Another example
• Suppose we have a sorting function: would the array be modified?
• You will have noted that until now no condition has been imposed on the input, so the pre-condition is True
• Is there any case with a restriction on the input?
• If I want to apply the binary search algorithm, what will the condition be?
• Pre-condition? The array is sorted (how will you specify that?)
• Specification -> the data at index “i” is <= the data at index “i+1”
• Post-condition?
• The post-condition is the same as for the previous search strategy
Binary search Functions
procedure binary_search (X     : in     INTEGER_ARRAY;
                         key   : in     INTEGER;
                         Found : in out Boolean;
                         L     : in out INTEGER) is
   -- assumes: type INTEGER_ARRAY is array (Integer range <>) of Integer;
   bot : INTEGER := X'First;
   top : INTEGER := X'Last;
   mid : INTEGER;
begin
   L := (bot + top) / 2;
   -- guard X (L) for an empty array, where X'First > X'Last
   Found := bot <= top and then X (L) = key;
   while bot <= top and not Found loop
      mid := (bot + top) / 2;
      if X (mid) = key then
         Found := True;
         L := mid;
      elsif X (mid) < key then
         bot := mid + 1;
      else
         top := mid - 1;
      end if;
   end loop;
end binary_search;
• Look at the program -> find the invariant condition
• The invariant condition looks somewhat like the post-condition
• Remember that the loop invariant must be true in every iteration
• In the case of a loop you must also provide a termination proof
• Question: when you are designing a loop, what is in your mind, i.e. why will it complete your work?
• You start with a large space and with each iteration you reduce the search space by half
• What can you say about the search space you leave behind? If you moved the index from top to middle - 1 (you come to the middle point because the key was actually smaller than the mid value, so it cannot be in the list from top to middle)
• Now your search space is from bottom to middle - 1
• What can you say about the post-condition?
• If the key is not present then your bottom and top will cross each other.
• So one part of the post-condition is that found is not true and the key is not present in the entire range.
• Loop invariant: if the key is not present, then in every iteration (i.e. when the loop starts and when it terminates) the key is not found, and this condition stays true.
• 2nd condition: the key is found (the key is present at index)
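The invariant and termination argument just described, as an added Python example (not the slides' Ada code): the loop asserts the invariant that the key is absent from the discarded parts of the array and a variant (top - bot) that strictly decreases, and each run is checked against the post-condition from the key search slide. The input arrays are constructed.

```python
from typing import List, Tuple

def is_sorted(X: List[int]) -> bool:
    """Pre-condition for binary search: X(i) <= X(i+1) for every i."""
    return all(X[i] <= X[i + 1] for i in range(len(X) - 1))

def binary_search(X: List[int], key: int) -> Tuple[bool, int]:
    """Return (found, index); index is -1 when the key is absent."""
    assert is_sorted(X), "pre-condition violated: array not sorted"
    bot, top = 0, len(X) - 1
    found, L = False, -1
    while bot <= top and not found:
        # Loop invariant: the key cannot be in the parts already discarded,
        # X[0..bot-1] (all < key) and X[top+1..] (all > key).
        assert all(X[j] != key for j in range(0, bot))
        assert all(X[j] != key for j in range(top + 1, len(X)))
        variant = top - bot            # >= 0 while the guard holds
        mid = (bot + top) // 2
        if X[mid] == key:
            found, L = True, mid
        elif X[mid] < key:
            bot = mid + 1
        else:
            top = mid - 1
        # Termination: either we are done, or the variant strictly decreased.
        assert found or (top - bot) < variant
    return found, L

def post_search(X_before: List[int], X_after: List[int], key: int,
                found: bool, L: int) -> bool:
    """Post-condition from the key search slide:
    ((found and X(L) = key) or (not found and for all j: X(j) /= key)) and X = X''."""
    hit = found and 0 <= L < len(X_after) and X_after[L] == key
    miss = (not found) and all(X_after[j] != key for j in range(len(X_after)))
    return (hit or miss) and X_before == X_after

def search_checked(X: List[int], key: int) -> Tuple[bool, int]:
    """Run the search and confirm the post-condition holds for that run."""
    before = list(X)                  # snapshot X'' before the call
    found, L = binary_search(X, key)
    assert post_search(before, X, key, found, L)
    return found, L

if __name__ == "__main__":
    data = [1, 3, 5, 7, 9, 11]        # constructed, sorted sample
    print(search_checked(data, 7))    # (True, 3)
    print(search_checked(data, 4))    # (False, -1)
```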
• Sometimes the proof is not easy, or turns out to be incorrect
• If you have a formal specification, could you generate the program from that specification?
• If this is possible then there is no need to give a proof of its correctness
• In this case the assignment axiom is simple, but what about IF and loop statements?
Program construction
• Dijkstra's guarded command: it is like a conditional statement
• i.e. the condition is a guard -> if the guard is true we execute the statement
• There are multiple clauses and each clause has a guard
• If more than one guard is true at the same time then one of the statements is selected arbitrarily
• At least one of the guards has to be true
• If none of the guards is true, that is an error
Dijkstra’s Guarded Command
• if C1 -> S1
• [] C2 -> S2
• [] C3 -> S3
Dijkstra’s Guarded Command
• {P}
• if b1 -> S1
• [] b2 -> S2
• fi
• {Q}
• P => b1 v b2
• {P ^ b1} S1 {Q}
• {P ^ b2} S2 {Q}
Constructing Conditional Statements
• {P} S {Q}
• P and Q are given; we want to calculate S.
• Three-step process:
• 1) Split the pre-condition into two (or possibly more) cases b1 and b2. That is, identify b1 and b2 such that
• P => b1 v b2
Constructing Conditional Statements
• 2) Construct a program statement S1 that guarantees termination in a state satisfying Q, given the pre-condition
• P ^ b1
• 3) Construct a program statement S2 that guarantees termination in a state satisfying Q, given the pre-condition
• P ^ b2
• Termination is not an issue for assignment and conditional statements, i.e. it only arises for iteration
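The three-step construction worked through in code, as an added Python example (not from the slides): a small interpreter for Dijkstra's if ... fi that picks one enabled clause at random and aborts when no guard holds, used to build {true} S {m = max(x, y)} by splitting on x >= y and y >= x; the second clause list is a constructed faulty split that forgets x = 0 and so violates P => b1 v b2.

```python
import random
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Clause = Tuple[Callable[[State], bool], Callable[[State], None]]   # (guard, statement)

def gc_if(state: State, clauses: List[Clause]) -> None:
    """Dijkstra's 'if b1 -> S1 [] b2 -> S2 ... fi': execute one statement whose
    guard is true. Several true guards: arbitrary choice. None true: abort."""
    enabled = [S for b, S in clauses if b(state)]
    if not enabled:
        raise RuntimeError("abort: no guard is true")
    random.choice(enabled)(state)

def aborts(state: State, clauses: List[Clause]) -> bool:
    """Report whether the guarded command aborts in the given state."""
    try:
        gc_if(state, clauses)
        return False
    except RuntimeError:
        return True

def max_by_construction(x: int, y: int) -> int:
    """{true} S {m = max(x, y)} built by the three-step process:
    1) split: true => (x >= y) v (y >= x)         (P => b1 v b2)
    2) {true ^ x >= y} m := x {m = max(x, y)}     (S1)
    3) {true ^ y >= x} m := y {m = max(x, y)}     (S2)
    Both guards hold when x = y; either choice establishes Q."""
    st: State = {"x": x, "y": y, "m": 0}
    gc_if(st, [
        (lambda s: s["x"] >= s["y"], lambda s: s.update(m=s["x"])),
        (lambda s: s["y"] >= s["x"], lambda s: s.update(m=s["y"])),
    ])
    assert st["m"] == max(x, y)           # post-condition Q
    return st["m"]

# Constructed faulty split: the guards do not cover x = 0, so P => b1 v b2
# fails and the command aborts there instead of establishing a post-condition.
SIGN_CLAUSES: List[Clause] = [
    (lambda s: s["x"] > 0, lambda s: s.update(sgn=1)),
    (lambda s: s["x"] < 0, lambda s: s.update(sgn=-1)),
]

if __name__ == "__main__":
    print(max_by_construction(3, 5), max_by_construction(4, 4))   # 5 4
    print(aborts({"x": 0}, SIGN_CLAUSES))                         # True
```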
Output variables
• {true} S {i = j}
• For S: i := j; or j := i;
• Which one is the input and which one is the output variable?
• If “i” is the output variable then i := j
Ghost variables
• Suppose we want to specify that the sum of two variables i and j should remain constant
• We specify this by introducing the ghost variable C.
• This variable must not be used anywhere in the program.
• Then S is specified by
• {i + j = C} S {i + j = C}
• We tie the input to the output using ghost variables.
Simultaneous assignment statements
• x, y, z := 2 * y, x + y, 3 * z
• x, y := y, x
• Has the effect of swapping
• If simultaneous assignment is not available, then?
Z-Specification, Structure and Schema
• New technique: model-based specification
• Previously: the algebraic specification method
• Its roots originate from Hoare's logic
• We use the concepts of state and state space
• State: the state of a problem is the type and number of variables the problem has
• E.g. three variables a, b and c (state)
• Space: all the possible values these variables can take
Z-Specification, Structure and Schema
• In algebraic specification we did not talk about the state of the system
• We only talked about the external behaviour, i.e. the public interfaces to the system and how the system behaves, in terms of expected outcome, when we send a message to those interfaces. So algebraic specification does not talk about the internal state of the system.
• State-based specifications take a different approach: they do talk about the internal state of the system. When a certain operation is performed, they tell you what the internal changes to the system are, i.e. how the state of the system is defined and how an operation performed on the entity for which we are defining the state changes that state.
Z-Specification Language
• VDM (Vienna Development Method): many derivatives of VDM have already been presented
• A specification methodology greatly influenced by VDM
• Called Z specification
• Developed in England, at Cambridge university
• English origin -> do not call it ZEE (American); it is ZED
• Z has a number of features which make it easy to use
• Building systems using Z is easier compared to other specification languages
• It is a state-based modelling language
Z-Specification Language
• The basic unit of a Z specification is called a Z schema
• The schema calculus is used to join different schemas, enrich the specification and build more complex systems from smaller and simpler ones
Structure of Z Schema
Container
  contents : N
  capacity : N
  contents <= capacity
• No operations in this schema
• contents and capacity define the state of the system
• The predicate acts like an invariant
• Schema signature: the declarations (contents : N, capacity : N)
• Schema predicate: contents <= capacity
Structure of Z Schema
BirthdayBook
  known : P NAME
  birthday : NAME ⇸ DATE
  known = dom birthday
• known is a set of names
• birthday is a (partial) function which, when applied to a name, gives the birthday associated with it (domain to range mapping)
• known is the set of names for which a birthday is defined
• Each person can have only one birthday
• Invariant: every known name must be associated with a birthday
One possible state of the system
• known = {Ahmed, Iram, Farrukh}
• birthday = {Ahmed ↦ 25-march,
•             Iram ↦ 20-dec,
•             Farrukh ↦ 25-march}
• Function types: one-to-one and onto
• If every entity from the domain maps onto the range (onto)
• So in the birthday function we do not have any entry that has no value:
Add new birthday
• The state changes (delta)
• ? means input
• birthday' means the new birthday (the value after the operation)
Find a birthday
• The state does not change
• ! means output
Find the person with a birthday on a given date and generate a card
• The set of all values n drawn from the set known such that the value of the birthday function at n is today
• The state does not change
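The BirthdayBook state schema and the three operations just described (add, find, and the card-generating search), as an added Python model that is not from the slides: the invariant known = dom birthday is checked after every state change, the add operation enforces its pre-condition that the name is not yet known, and the two query operations leave the state untouched. The operation names and the state are the slides' example; the schema names used in the docstrings (delta/xi for state-changing and state-preserving operations) are the usual Z conventions, and the sample data is the state from the "one possible state" slide.

```python
from dataclasses import dataclass, field
from typing import Dict, Set

NAME = str
DATE = str

@dataclass
class BirthdayBook:
    """State schema: known : P NAME, birthday : NAME -+> DATE, known = dom birthday."""
    known: Set[NAME] = field(default_factory=set)
    birthday: Dict[NAME, DATE] = field(default_factory=dict)

    def invariant(self) -> bool:
        # known = dom birthday
        return self.known == set(self.birthday)

    def add_birthday(self, name: NAME, date: DATE) -> None:
        """State-changing operation (delta): name? and date? are inputs.
        pre: name? not in known
        post: birthday' = birthday U {name? -> date?}, so known' = known U {name?}."""
        if name in self.known:
            raise ValueError("pre-condition violated: name already known")
        self.birthday[name] = date
        self.known = set(self.birthday)
        assert self.invariant()

    def find_birthday(self, name: NAME) -> DATE:
        """State-preserving operation (xi): name? input, date! output.
        pre: name? in known;  post: date! = birthday(name?)."""
        if name not in self.known:
            raise ValueError("pre-condition violated: name not known")
        return self.birthday[name]

    def remind(self, today: DATE) -> Set[NAME]:
        """State-preserving: cards! = { n : known | birthday(n) = today? }."""
        return {n for n in self.known if self.birthday[n] == today}

def sample_book() -> BirthdayBook:
    """The state shown on the 'one possible state' slide."""
    book = BirthdayBook()
    for name, date in (("Ahmed", "25-march"), ("Iram", "20-dec"), ("Farrukh", "25-march")):
        book.add_birthday(name, date)
    return book

if __name__ == "__main__":
    b = sample_book()
    print(b.find_birthday("Iram"))          # 20-dec
    print(sorted(b.remind("25-march")))     # ['Ahmed', 'Farrukh']
```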
Invalid