Computer Science School of Computing Clemson University

Reasoning with Objects and Web Interface Demo

Jason Hallstrom and Murali SitaramanClemson University

School of Computing Clemson University

Example

Specification:Operation Do_Nothing (restores S: Stack);

Goal: Same as ensures S = #S;Code: (Same as S.Push(S.Pop()) in Java)

Procedure Do_Nothing (restores S: Stack);

Var E: Entry;Pop(E, S);Push(E, S);

end Do_Nothing;

School of Computing Clemson University

Exercise: Complete table and prove!

Assume Confirm

0 … … Pop(E, S);

1 … …Push(E, S);

2 … …

Don’t yet! Instead of IntStacks, we will use general stacks for this example reasoning…because verifying reusable, generic software has more pay-off!

School of Computing Clemson University

General Stack Template Specification

Instead of IntStacks, we will use general stacks for this example reasoning

Suppose Stack_Template is parameterized by type Entry and Integer Max_Depth

Mathematical Modeling Type Stack is modeled by Str(Entry);

exemplar S; constraints |S| <= Max_Depth; initialization ensures S = empty_string;

School of Computing Clemson University

Specification of Stack Operations

Operation Push (alters E: Entry; updates S: Stack);requires |S| < Max_Depth;ensures S = <#E> o #S;

Operation Pop (replaces R: Entry; updates S: Stack);requires |S| > 0;ensures #S = <R> o S;

Operation Depth (restores S: Stack): Integer;ensures Depth = |S|;

…

School of Computing Clemson University

Collaborative Exercise: Complete table and prove!

Assume Confirm

0 … … Pop(E, S);

1 … …Push(E, S);

2 … …

School of Computing Clemson University

Collaborative Exercise: Answers

Assume Confirm

0 … |S0| > 0 Pop(E, S);

1 S0 = <E1> o S1 |S1| < Max_Depth Push(E, S);

2 S2 = <E1> o S1 S2 = S0 …

School of Computing Clemson University

Discussion

Can you explain why there are three confirm assertions?

Is the code Correct? If not, fix it!

School of Computing Clemson University

Discussion

Can you explain why there are three confirm assertions?

Is the code Correct? If not, fix it! You can either rewrite the code with an

“if” statement or add the following requires clause to Do_Nothing operation requires |S| > 0;

School of Computing Clemson University

Key Ideas

The reasoning table can be filled mechanically; no intelligence is required and even a computer can do it!

Principles of reasoning about all objects and operations are the same Need mathematical models and

specifications

School of Computing Clemson University

Automated Reasoning

The assume and confirm assertions we wrote out in the table can be generated automatically

Each confirm assertion becomes a “goal”. The assumptions that can be used to prove that are the “givens”.

A goal along with the givens is called a verification condition (VC).

For the Do_Nothing example, three VCs need to be proved, because there are three assertions to be confirmed.

School of Computing Clemson University

Web Interface Demo

Google “clemson resolve” Click on the web interface link Select Stack_Template under Concepts Select Do_Nothing_Capability under

the tab Enhancements Select Do_Nothing_Realiz under the

Tab Enhancement Realizations

School of Computing Clemson University

Web Interface Demo

Click on Generate VCs tab. You should see 3 VCs. See if you can prove the goals from the

givens! It should be easy… Note #1: The VC generator minimizes

the need for new names, such as S1, S2, S3, etc., so there are less names and they don’t correspond to states in the code directly.

Note #2: VC generator uses S’, S’’, etc.

School of Computing Clemson University

Web Interface Help

Click the Help tab on the right top corner

You should see Screencasts. They illustrate “how to” for various web interface activities; more use cases continue to be added.

You should see Tutorials. The help learn specific principles; more tutorials are under development.