
Formal Methods 2. Lecture 17, March 24, 2011. CS 315 Spring 2011. Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson).



Page 1: Formal Methods 2

CS 315 Spring 2011


Lecture 17, March 24, 2011

Formal Methods 2

Adapted from slides provided by Jason Hallstrom and Murali Sitaraman (Clemson)

Page 2: Formal Methods 2

Some Mathematics is Implicit

We view programming integers as though they are mathematical integers (subject to bounds, of course).

We associate mathematical operators (e.g., +) with operations we can do on integers in programs (e.g., +).

This association can be made explicit.

Page 3: Formal Methods 2

Mathematical Modeling

Type Integer is modeled by Z;
For all i: Integer, min_int <= i <= max_int;

Page 4: Formal Methods 2

Alternatively

Type Integer is modeled by Z;
Let i be an example;
Constraints for all i: Integer; min_int <= i <= max_int;

Page 5: Formal Methods 2

Alternatively

Type Integer is modeled by Z;
exemplar i;
constraints min_int <= i <= max_int;


Page 6: Formal Methods 2

Initial Value Specification

Type Integer is modeled by Z;
exemplar i;
constraints min_int <= i <= max_int;
initialization ensures i = 0;

Page 7: Formal Methods 2

Specification of Operations

Type Integer is modeled by Z;

Specification of operations, e.g., i++

Operation Increment (updates i: Integer)
  requires i < max_int
  ensures i = #i + 1
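
The Integer specification on this slide, read as runtime-checked contracts. This is an added example, not code from the lecture: the slides leave min_int and max_int abstract, so 32-bit two's complement bounds are assumed here, and the requires clause is checked on entry while the ensures clause is checked on exit with #i captured beforehand. A plain wrapping increment is included beside it to show what an operation with no requires clause does at max_int.

```python
# Added example (not from the lecture): the Integer specification as
# runtime-checked contracts.  min_int/max_int are abstract in the slides;
# 32-bit two's complement bounds are assumed here.
MIN_INT = -2**31
MAX_INT = 2**31 - 1


class Integer:
    """Type Integer is modeled by Z;
       exemplar i;
       constraints min_int <= i <= max_int;
       initialization ensures i = 0;"""

    def __init__(self, i: int = 0) -> None:
        # The constructor corresponds to 'initialization ensures i = 0';
        # the optional argument only lets the examples below start elsewhere.
        self.i = i
        self.check_constraints()

    def check_constraints(self) -> None:
        # The constraints clause must hold in every reachable state.
        if not MIN_INT <= self.i <= MAX_INT:
            raise AssertionError(f"constraints violated: i = {self.i}")


def increment(v: Integer) -> None:
    """Operation Increment (updates i: Integer)
         requires i < max_int
         ensures  i = #i + 1"""
    # requires: discharged by the caller.  Calling Increment at max_int is a
    # client bug, so it is reported rather than silently wrapped.
    if not v.i < MAX_INT:
        raise ValueError("requires violated: i < max_int")
    old_i = v.i                 # '#i', the value on entry
    v.i = v.i + 1
    # ensures: discharged by the implementer; checked here on exit.
    assert v.i == old_i + 1
    v.check_constraints()


def wrapping_increment(i: int) -> int:
    """Contrast: a 32-bit machine increment with no requires clause wraps
    modulo 2^32, so max_int + 1 comes back as min_int."""
    return ((i + 1 + 2**31) % 2**32) - 2**31


def try_increment(start: int) -> str:
    """Run Increment from a given state and report the outcome."""
    v = Integer(start)
    try:
        increment(v)
        return f"ok i={v.i}"
    except ValueError as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    print(Integer().i)                              # 0
    print(try_increment(41))                        # ok i=42
    print(try_increment(MAX_INT))                   # rejected (requires violated: i < max_int)
    print(wrapping_increment(MAX_INT) == MIN_INT)   # True
```

The split of responsibility is the point: the requires check guards the client's obligation, the ensures assertion guards the implementer's, and the constraints check confirms that the programming value never leaves the subrange of Z the type is modeled by.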

Page 8: Formal Methods 2

More Examples

What is a suitable way to model the state of a lightbulb?

Page 9: Formal Methods 2

More Examples

Type Light_Bulb_State is modeled by B;
exemplar b;
initialization ensures b = false;

Exercises: specification of operations Turn_on, Turn_off, and Is_On

Page 10: Formal Methods 2

More Examples

How would you model the state of a traffic light?

Alternative models and discussion

Page 11: Formal Methods 2

More Examples

How would you model a paper


Page 12: Formal Methods 2

Data Abstraction Examples

How would you mathematically model the contents of a stack? Is a set model appropriate? Why or why not?

What about modeling a queue?

Page 13: Formal Methods 2

Mathematical Modeling Summary

To write formal specifications, we need to model the state mathematically.

Some objects we use in programming, such as Integers and Reals, have implicit models.

For others, such as stacks, queues, lists, etc., we need to conceive explicit mathematical models.

Page 14: Formal Methods 2

Formal Specification of Java Interfaces

Page 15: Formal Methods 2

Basics

An interface describes what classes or components do; it does not describe how they should do it.

An interface is a contract between component users (clients) and developers (implementers): if the users satisfy the requirements for using the component, the component will provide guarantees.

Page 16: Formal Methods 2

Principles of Interface Design

Information Hiding: hide details unnecessary to use the component.

Abstraction: provide a “cover story” or explanation in user-oriented terms so that users can understand the interface.

Page 17: Formal Methods 2

Contract Specification

Requirements and guarantees: requires clauses are preconditions; ensures clauses are postconditions.

Who is responsible for requires clauses?

What are the consequences of this?

Page 18: Formal Methods 2

Specification of Stacks

Mathematical modeling: how can we think of stacks “mathematically”?

Page 19: Formal Methods 2

Mathematical Strings

Unlike sets, strings have order.

Example: Str(Z) for String of integers

Notations:
Empty string (written empty_string or Λ)
Concatenation (alpha o beta)
Length (|alpha|)
String containing one entry (<5>)

Page 20: Formal Methods 2

Specification of IntStack Interface

Suppose IntStack is an interface
  uses Integer_Theory, String_Theory;

Think of stacks of Integers as “math strings” of integers:
  this: Str(Z);

Specification of Constructor
  initialization ensures this = empty_string;

Exercises: Specification of other stack operations

Page 21: Formal Methods 2

Specification of IntStack Interface

Operation push (int x)
  updates this; restores x;
  ensures this = <x> o #this;

int Operation pop ()
  updates this;
  requires this /= empty_string;
  ensures #this = <result of pop()> o this;

bool Operation is_empty ()
  preserves this;
  ensures result of is_empty = (this = empty_string);
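
The IntStack specification from the two slides above, with the model value kept as the math string Str(Z) the lecture describes. This is an added example rather than the course's code: a Python tuple stands for the mathematical string (() is empty_string, (5,) is <5>, tuple addition is concatenation o), and each operation checks its requires clause on entry and its ensures clause on exit, with #this taken as a snapshot of the incoming model value.

```python
# Added example (not the lecture's code): IntStack with its model value kept
# as a mathematical string Str(Z).  A Python tuple stands for the string:
# () is empty_string, (5,) is <5>, and '+' on tuples is concatenation 'o'.
from typing import Tuple

MathString = Tuple[int, ...]
EMPTY_STRING: MathString = ()


def concat(alpha: MathString, beta: MathString) -> MathString:
    """alpha o beta"""
    return alpha + beta


class IntStack:
    """Think of stacks of integers as math strings: this: Str(Z)"""

    def __init__(self) -> None:
        # initialization ensures this = empty_string
        self.this: MathString = EMPTY_STRING

    def push(self, x: int) -> None:
        """updates this; restores x; ensures this = <x> o #this"""
        old_this = self.this                    # #this, the incoming value
        self.this = concat((x,), self.this)
        assert self.this == concat((x,), old_this)

    def pop(self) -> int:
        """updates this; requires this /= empty_string;
           ensures #this = <result of pop()> o this"""
        if self.this == EMPTY_STRING:
            # requires is the caller's obligation; report the violation
            # instead of reading past the end of an empty stack.
            raise ValueError("requires violated: this /= empty_string")
        old_this = self.this
        result, self.this = self.this[0], self.this[1:]
        assert old_this == concat((result,), self.this)
        return result

    def is_empty(self) -> bool:
        """preserves this; ensures result of is_empty = (this = empty_string)"""
        old_this = self.this
        result = self.this == EMPTY_STRING
        assert self.this == old_this            # preserves: model unchanged
        return result


def demo() -> Tuple[MathString, int, MathString, bool]:
    """Push 1, 2, 3; pop once; report the model value at each step."""
    s = IntStack()
    for x in (1, 2, 3):
        s.push(x)
    after_pushes = s.this          # <3> o <2> o <1>
    top = s.pop()                  # 3, leaving <2> o <1>
    return after_pushes, top, s.this, s.is_empty()


def pop_on_empty_is_rejected() -> bool:
    """The requires clause of pop turns a stack underflow into a reported
    client bug rather than undefined behaviour."""
    s = IntStack()
    try:
        s.pop()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())                      # ((3, 2, 1), 3, (2, 1), False)
    print(pop_on_empty_is_rejected())  # True
```

Because the ensures clauses are stated over the whole model value rather than over individual fields, the checks in push and pop assert exactly the equations on the slide; the only thing the code adds is the choice of a concrete representation for Str(Z).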

Page 22: Formal Methods 2

Java Specification Questions

What is the specification of “=” to assign one IntStack object to another?

If you defined a “clone” method, what is its specification?

What are the advantages of using “=” over “clone”?

What are the advantages of using “clone” over “=”?