Transcript Lecture 26 (FM).pptx
Design and Analysis of Algorithms
Formal Methods in Software Engineering Lecture # 26
Dr. Naveed Riaz
Conditional Correctness
{P} S {Q}    P: initial state (pre-condition), S: set of instructions, Q: final state (post-condition)
This triple expresses the conditional correctness of S.
Example: binary search. Pre-condition: the array must be in sorted form. Which means that, in order for this program to work properly, we need to start in a state satisfying the given condition.
Post-condition: if the key is present then you get its index; if the key is not present then you get some value which tells you that the key is not present (the desired output).
If we start in a state satisfying P and end in a state satisfying Q, then our program is conditionally correct.
Conditional Correctness
Suppose the post-condition is n < 0 and S is n := n - 1.
Pre-condition: if we start with n = 0, then after n := n - 1 we end with n = -1.
Another point: if we start with n = -10, then after n := n - 1 we end with n = -11.
Which means that there are infinitely many values of n which satisfy the post-condition.
Weakest pre-condition: n <= 0 (infinitely many possibilities); executing n := n - 1 from any such state gives n < 0.
Weakest Pre-Condition
wp(z := x, z >= y)  =  x >= y
wp(t := x, t = x0)  =  x = x0
wp(i := i + 1, i <= n)  =  i < n
The first and third examples admit many values that satisfy the final state; the middle one admits just one value.
Weakest Pre-Condition
Suppose the array is not sorted and you want to implement linear search.
Condition on the input: even if the data is not sorted, linear search will still give you the result.
wp: any arrangement of the data in the array gives the output, i.e. the weakest pre-condition is True.
But in binary search: if your data is not sorted you cannot apply binary search. wp: a specific arrangement (sorted order) is required.
Broad categories of statements
Assignment statements
Selection (control statements)
Loop statements
Assignment Axiom
wp(x := e, Q(x))  =  Q(e)
e represents an expression; after the statement, x will have the value which e had before executing the statement.
Q(e) denotes the predicate obtained by substituting e for all free occurrences of x in the predicate Q.
Assignment Axiom
wp(i := i - 1, i = 0)  =  i - 1 = 0
wp(i := (l + u) div 2, l <= i <= u)  =  l <= (l + u) div 2 <= u
wp(i := 1, i = 0)  =  1 = 0, i.e. false: no starting state can make the post-condition hold
Hence for a single assignment statement the assignment axiom works well, but our programs contain more than one assignment statement.
Rules for Sequential Composition
Suppose we are given only a sequence of assignment statements together with a post-condition, and we need to determine the wp.
The post-condition will be achieved after executing the last statement.
Which means that if we are at the wp of the last statement just before it executes, then we meet the post-condition.
That wp is in turn the post-condition for the previous statement.
wp(S1; S2, Q)  =  wp(S1, wp(S2, Q))
Rules for Sequential Composition
wp((x := x + 1; y := y + 1), x = y)
= wp(x := x + 1, wp(y := y + 1, x = y))   -> group the post-condition with the last statement
= wp(x := x + 1, x = y + 1)               -> apply the assignment axiom to y := y + 1
= x + 1 = y + 1                           -> apply the assignment axiom to x := x + 1
= x = y
So if we start with the initial condition x = y and then execute the two statements, we end in a state satisfying the post-condition.
wp((x := 2 * x + 1; y := y - 1), y = 3 * x)
= wp(x := 2 * x + 1, wp(y := y - 1, y = 3 * x))   -> group the post-condition with the last statement
= wp(x := 2 * x + 1, y - 1 = 3 * x)               -> apply the assignment axiom to y := y - 1
= y - 1 = 3 * (2 * x + 1)                         -> apply the assignment axiom to x := 2 * x + 1
= y = 6 * x + 4
Pre-condition and post-condition together give a specification for a function.
Now we have to prove that a function, or a set of statements, meets its specification.
The specification is given in the form of pre- and post-conditions.
We can calculate the wp from the post-condition. In the same way we can calculate a post-condition from a pre-condition. But it is easier to work backward: if the objective (the post-condition) is given, the calculation is easy compared to working toward a hidden objective.
{x = x0 and y = y0}    initial condition
t := x; x := y; y := t;
{x = y0 and y = x0}    final output
{x = x0 and y = y0}
t := x
{t = x0 and y = y0}    the post-condition of t := x becomes the pre-condition of what follows
x := y
{t = x0 and x = y0}
y := t
{y = x0 and x = y0}
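The assignment axiom and the sequential composition rule from these slides, as an added example that is not part of the lecture: a small Python wp calculator that substitutes expressions into predicates and works backwards through a list of assignments, then checks a triple on concrete states. Predicates and expressions are assumed to be Python expression strings (`==` for equality), and the function names are my own.

```python
import ast
import copy

def substitute(pred, var, expr):
    """Assignment axiom: wp(var := expr, pred) is pred with expr substituted for
    every free occurrence of var. Predicates and expressions are Python
    expression strings, e.g. "x == y" and "x + 1"."""
    replacement = ast.parse(expr, mode="eval").body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            # Simultaneous substitution: do not descend into the inserted expression.
            return copy.deepcopy(replacement) if node.id == var else node

    tree = Sub().visit(ast.parse(pred, mode="eval"))
    return ast.unparse(tree)

def wp(program, post):
    """Sequential composition: wp(S1; S2, Q) = wp(S1, wp(S2, Q)).
    program is a list of (var, expr) assignments; work backwards from the last."""
    q = post
    for var, expr in reversed(program):
        q = substitute(q, var, expr)
    return q

def holds(pred, state):
    """Evaluate a predicate in a concrete state (dict of variable values).
    eval is used only on the constructed lecture predicates, with builtins removed."""
    return bool(eval(pred, {"__builtins__": {}}, dict(state)))

def run(program, state):
    """Execute the assignments in order and return the final state."""
    state = dict(state)
    for var, expr in program:
        state[var] = eval(expr, {"__builtins__": {}}, state)
    return state

def triple_holds_on(pre, program, post, states):
    """Concrete check of {pre} program {post}: every sample state satisfying pre
    must, after running the program, satisfy post."""
    return all(holds(post, run(program, s)) for s in states if holds(pre, s))

if __name__ == "__main__":
    swap = [("t", "x"), ("x", "y"), ("y", "t")]
    print(wp(swap, "x == y0 and y == x0"))                  # y == y0 and x == x0
    print(wp([("x", "2 * x + 1"), ("y", "y - 1")], "y == 3 * x"))
```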
Hoare’s Consequence Rule
Logical implication: an if-statement is modelled by the logical implication P => Q, i.e. "if P then Q".
    P => Q    {Q} S {R}
    -------------------
         {P} S {R}

    {P} S {Q}    Q => R
    -------------------
         {P} S {R}
Rules for conditional
    {P and C} S {Q}    P and (not C) => Q
    ------------------------------------
         {P} if C then S {Q}
The if is divided into two paths (C true or C false). So we check both the true and the false path, and if in both cases we end with Q then our program is correct.
Rules for conditional
    {P and C} S1 {Q}    {P and (not C)} S2 {Q}
    ------------------------------------------
         {P} if C then S1 else S2 {Q}
Again the if is divided into two paths: S1 runs when C is true and S2 when C is false. If both paths end with Q then our program is correct.
Dijkstra’s Healthiness Condition
wp(S, false) = false: false is the empty set of states, so no state can make S end in a state satisfying false. This is the law of the excluded miracle.
wp(S, true): true is the universal set, so wp(S, true) is the termination condition, the set of all states that guarantee termination of S.
The second case is a special one and normally not used in practice. For sequences of assignment statements termination is guaranteed. When may a program not terminate?
When it is stuck in an infinite loop.
Dijkstra’s Healthiness Condition
In the case of loops, when we argue about program correctness we must:
first, show that the loop in question actually terminates (if it does not, there is no post-condition to speak of);
second, if the loop terminates, argue about what condition holds after it.
wp(while 0 != n do n := n - 1, true)  =  0 <= n
So if we start with any other value of n, e.g. -1, we will never reach n = 0 and the loop does not terminate.
Verification
Invariant
An invariant is something which does not change.
It is the key to proofs for programs containing loops (iteration or recursion).
• Questions seem to ask for the next change
• The answer lies in determining what does not change
What was the invariant condition in Dijkstra's Game?
• Pulling balls from the jar is an iterative process
• The invariant is the parity of the white-ball count, i.e. if we started with an even number of white balls we get a black ball at the end
• If we started with an odd number of white balls then the colour of the last ball would be white
• Invariant => the parity of the white-ball count does not change, i.e. if we take two balls of the same colour (two white or two black) out of the jar, we put a black ball inside the jar
• The number of white balls is reduced by either two or zero, i.e. the parity does not change
• Second case: if we get two balls of different colours, we put the white ball back into the jar, so the parity does not change
• Think: identifying the pattern leads us to identify the colour of the last ball
• Why is the invariant condition important?
• Why is the invariant condition important?
• Because of iteration: in each step you want to get closer to your objective
• You have to follow some pattern which leads you one step closer to your objective in the iterative process
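Dijkstra's ball game from the slides above, as an added example that is not part of the lecture: a Python simulation that asserts the invariant (parity of the white count) on every iteration and compares the last ball with the prediction the invariant alone gives. The draw is random, so the game is played many times from the same start; the function names and the rules as coded are my reading of the slides.

```python
import random

def predict_last_ball(white):
    """Prediction from the invariant alone: the parity of the white count never
    changes, so an odd start leaves one white ball and an even start a black one."""
    return "W" if white % 2 == 1 else "B"

def dijkstra_game(white, black, rng):
    """Play the game with a jar of `white` white and `black` black balls, checking
    the loop invariant on every iteration. Each round removes exactly one ball
    from the jar, so the loop terminates (the first thing to argue for a loop).
    Returns the colour of the last ball, or None for an empty jar."""
    start_parity = white % 2
    while white + black > 1:
        assert white % 2 == start_parity, "loop invariant violated"
        jar = ["W"] * white + ["B"] * black
        a, b = rng.sample(jar, 2)          # draw two balls without replacement
        if a == "W" and b == "W":
            white -= 2                     # two whites out, one black in
            black += 1
        elif a == "B" and b == "B":
            black -= 1                     # two blacks out, one black in
        else:
            black -= 1                     # different colours: black out, white back in
    assert white % 2 == start_parity, "loop invariant violated at exit"
    if white + black == 0:
        return None
    return "W" if white == 1 else "B"

def invariant_predicts_outcome(white, black, seed=0, trials=200):
    """Play `trials` games from the same start with a seeded generator and report
    whether the invariant-based prediction matched the last ball every time."""
    rng = random.Random(seed)
    return all(dijkstra_game(white, black, rng) == predict_last_ball(white)
               for _ in range(trials))

if __name__ == "__main__":
    print(invariant_predicts_outcome(5, 3), invariant_predicts_outcome(4, 4))
```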
Classical Problem
• Can you completely cover the chessboard with these dominoes without using any domino partially? If so, how? If not, prove that you cannot.
Classical Problem
• Key to the invariant condition: the shape of the tiles we use to cover the chessboard (some information is stored in the colour)
• A given piece will cover one light and one blue square, because on a chessboard we do not have two squares of the same colour adjacent to each other
• We have an equal number of blue and white squares on the full chessboard
• If we do not have an equal number of squares of each colour then we cannot cover the whole chessboard
• Condition: we have removed two squares of the same colour, i.e. we are left with more blue than white: 32 blue and 30 white