School of Computing Clemson University

Mathematical Reasoning

Goal: To prove correctness Method: Use a reasoning table Prove correctness on all valid inputs

School of Computing Clemson University

Example: Prove Correctness

Spec: Operation Do_Nothing (i: Integer);

requires min_int <= i and i + 1 <= max_int;

ensures i = #i;

Code:Increment(i);Decrement(i);

School of Computing Clemson University

Design by Contract

Requirements and guarantees Requires clauses are preconditions Ensures clauses are postconditions

Caller is responsible for requirements

Postcondition holds only if caller meets operation’s requirements

School of Computing Clemson University

Basics of Mathematical Reasoning

Suppose you are proving the correctness for some operation P Confirm P’s ensures clause at the last state Assume P’s requires clause in state 0

School of Computing Clemson University

In State 2 – Establish Goal ofDo_Nothing’s Ensures Clause

Assume Confirm

0

Increment(i);1

Decrement(i)

2 i2 = i0

School of Computing Clemson University

In State 0Assume Do_Nothing’s Requires Clause

Assume Confirm

0 min_int <= i0 and i0 + 1 <= max_int

Increment(i);1

Decrement(i)

2 i2 = i0

School of Computing Clemson University

More Basics

Now, suppose that P calls Q Confirm Q’s requires clause in the state

before Q is called

Assume Q’s ensures clause in the state after Q is called

School of Computing Clemson University

Specification of Integer Operations

Operation Increment (i: Integer); requires i + 1 <= max_int; ensures i = #i + 1;

Operation Decrement (i: Integer); requires min_int <= i - 1; ensures i = #i – 1;

School of Computing Clemson University

Assume Calls Work as Advertised

Assume Confirm

0 min_int <= i0 and i0 + 1 <= max_int

Increment(i);1 i1 = i0 + 1

Decrement(i)

2 i2 = i1 - 1 i2 = i0

School of Computing Clemson University

More Preconditions Must Be Confirmed

Assume Confirm

0 min_int <= i0 and i0 + 1 <= max_int i0 + 1 <=

max_int

Increment(i);1 i1 = i0 + 1 min_int <= i1 - 1

Decrement(i)

2 i2 = i1 - 1 i2 = i0

School of Computing Clemson University

Write Down Verification Conditions(VCs)

Verification Condition for State 0

(min_int <= i0) ^ (i0 + 1 <= max_int) i0 + 1 <= max_int

School of Computing Clemson University

Write Down Verification Conditions(VCs)

VC for State 1 P1: min_int <= i0 (from State 0)

P2: i0 + 1 <= max_int (from State 0)

P3: i1 = i0 + 1 VC: P1 ^ P2 ^ P3 min_int <= i1 - 1

VC for State 2 P4: i2 = i1 - 1 VC: P1 ^ P2 ^ P3 ^ P4 i2 = i0

School of Computing Clemson University

Use Direct Proof Method

For p q Assume premise ‘p’ Show conclusion ‘q’ is true

Prove VC for State 0 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Show: i0 + 1 <= max_int

School of Computing Clemson University

Prove VCs for State 1 & State 2

Prove VC for State 1 Assume P1: min_int <= i0 Assume P2: i0 + 1 <= max_int Assume P3: i1 = i0 + 1 Show: min_int <= i1 - 1

Prove VC for State 2 Assume P1 ^ P2 ^ P3 Assume P4: i2 = i1 – 1 Show: i2 = i0