What, When, How: COMP2111 Lecture 1 Session 1, 2013

This document provides an overview of the COMP2111 Lecture 1 Session 1. It discusses using formal specification languages like Event-B to specify systems and develop programs through stepwise refinement from specifications. It provides an example of developing a program to compute factorials through refinement, establishing loop invariants and variants. Finally, it discusses using Rodin and Event-B to model systems and develop programs in a formal, mathematically rigorous way based on established semantics.

Uploaded by

Jordieee
Copyright
© Attribution Non-Commercial (BY-NC)
COMP2111 Lecture 1 Session 1, 2013

What, When, How


Kai Engelhardt

Revision: 1.1. Credits: Ken Robinson, John Reynolds, ...

What

Put the word engineering back into SE. In marginally more detail (= Immd): climb up the ladder of evolution

1. Crap out code so it beats the compiler's checks.
2. Cobble together code that passes a few tests.
3. Craft code that (provably) works according to specifications.

When

All of it, and in this one session. Immd: we shall be spending time on

- acquiring and understanding languages to specify systems (both fully formal and informal ones)
- using such languages to specify some simple systems or tasks, clearly and concisely
- developing notions of refinement between artifacts in said languages to guide a systematic code/system development process
- using refinement to derive correct-by-construction, beautiful code from concise and clear specifications

How

We'll be using Event-B for all practical tasks. (This feeds into your SE workshops.) We'll use light-weight informal methods to foster understanding. We'll investigate the mathematical underpinnings of both:

1. What's in a spec?
2. What's in a program?
3. What does refinement mean?

Top-Down Program Construction: an Example

Reminder: facts about the factorial function ! : N → N are:

    0! = 1                          (fac1)
    (n + 1)! = (n + 1) · n!         (fac2)

(fac1) tells us what the factorial of 0 is, while (fac2) shows how to find the factorial of a number if we know the factorial of its predecessor.

Task: Given a number n ∈ N, we want to compute its factorial n! in some variable f without changing n in the process.

Plan:

1. Use (fac1) to compute 0!.
2. Repeatedly use (fac2) to compute factorials of larger numbers.

Who said COMP2111 was going to be difficult?!?



We could use f to save the last factorial we have computed, and an additional variable k to keep track of the number such that f = k!. Now we can adapt the plan to

1. Achieve f = k! by setting k to 0 and f to 1.
2. As long as k ≠ n, increase k and change f in a way that preserves f = k!.

In C, with comments for pseudo-code:

    k = 0; f = 1;
    while (k != n) {
        /* increase k and change f while maintaining f=k! */
    }

(In)variants

f = k! is called a loop invariant. Of course, loop bodies are supposed to change the state, but invariants express properties of the state that are preserved by executing the loop body. Invariants are crucial ingredients of correctness proofs, but they do not address termination. To argue termination of a loop (or recursion) we use variants, i.e., functions that map program states to N (or, in general, any other well-founded domain). To show that a loop terminates, one proves that every iteration of the body strictly decreases the value of the variant. A suitable variant here would be n − k, because /* increase k and blah */ decreases the value of n − k by 1.

It remains to implement

    /* increase k and change f while maintaining f=k! */

We decide to change k first:

    k=k+1; /* change f to reestablish f=k! */

Observe that the invariant won't hold after the increment, but instead f = (k − 1)! is true:

    k=k+1; /* assuming f=(k-1)!, change f to establish f=k! */

(fac2) suggests the implementation

    f=k*f

One popular formal notation for pseudo-code specifications such as /* assuming f=(k-1)!, change f to establish f=k! */ is Carroll Morgan's specification statement

    f : [f = (k − 1)!, f = k!]

which expresses that, if the initial state satisfies the precondition f = (k − 1)!, then change only the variables listed in the frame (here just f) so that the resulting final state satisfies the postcondition f = k!. (See his book Programming from Specifications.)
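The refined program carried through to the end, as an added example (not the lecture's own code): the loop is instrumented with runtime checks of the invariant f = k! and of the variant n − k, so each iteration demonstrates the two proof obligations the slides describe. The bound n ≤ 20 and the fact_spec reference function are assumptions added to stay within 64-bit arithmetic.

```c
#include <assert.h>
#include <stdio.h>

/* Reference definition taken directly from (fac1)/(fac2); used only to
   check the invariant, not to compute the answer. */
static unsigned long long fact_spec(unsigned k) {
    return k == 0 ? 1ULL : (unsigned long long)k * fact_spec(k - 1);
}

/* Computes n! in f without changing n; the body is the refined loop. */
unsigned long long factorial(unsigned n) {
    assert(n <= 20);                     /* assumed precondition: 20! fits in 64 bits */
    unsigned k = 0;
    unsigned long long f = 1;            /* (fac1): establishes f == k! with k == 0 */
    while (k != n) {
        assert(f == fact_spec(k));       /* invariant holds at the loop head */
        unsigned variant_before = n - k; /* variant n - k, a natural number */
        k = k + 1;                       /* invariant broken: now f == (k-1)! */
        f = k * f;                       /* (fac2): re-establishes f == k! */
        assert(f == fact_spec(k));       /* invariant restored by the body */
        assert(n - k < variant_before);  /* variant strictly decreased, so we terminate */
    }
    assert(k == n && f == fact_spec(n)); /* postcondition f == n!, n untouched */
    return f;
}

int main(void) {
    for (unsigned n = 0; n <= 10; n++)
        printf("%u! = %llu\n", n, factorial(n));
    return 0;
}
```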

Reflection

We've followed a simple recipe:

1. Take an unwritten portion of the program whose purpose is precisely and completely specified.
2. Replace this portion by a statement which may in turn contain portions that are unwritten but precisely and completely specified.
3. Prove (or at least convince yourself) that the new statement will meet its specification if its unwritten portions meet their specifications.
4. Repeat the above process until the entire program is written.

Taken almost verbatim from John C. Reynolds' seminal 1981 book, following Niklaus Wirth's program development by stepwise refinement from 1971.

Reflection contd

We haven't accomplished anything we couldn't do before, but that wasn't really the point. We have alluded to concepts such as specification, implementation, assertion and invariant. What do they really mean? Carroll's book answers these questions. Abrial's book, Modeling in Event-B, does, too. Each in its own way. And so do many other books.

Event-B

Let's have a look at how such a development could look in Event-B. Ken Robinson kindly provided an introductory exercise to familiarise everybody with Rodin and Event-B.

Connection to Year 1

Besides the obvious relation to previous SE workshops, there's a fundamental connection to COMP1927 that moreover clarifies the approach of Event-B. Essentially, COMP1927 was about data structures + operations on them. Our first example is a degenerate one in that respect: the data structure is a single natural number and the only operation computes the factorial of that number. In contrast to COMP1927, we elicited a formal specification of that operation:

    f : [n ∈ N, f = n!]

In COMP1927 you'd read an informal requirement such as "the data structure represents a directed graph (V, E)" and a desirable operation would "tell you whether there is a path between two given vertices x and y". Since we've learned about predicate logic and the specification statement, we can formalise that as

    b : [x, y ∈ V, b ⇔ ∃n ∈ N, f : [0..n] → V . f(0) = x ∧ f(n) = y ∧ ∀i ∈ [1..n] . (f(i − 1), f(i)) ∈ E]

Yes, that means you do need your little bit of predicate logic in this course.


General Setting

- Some variables representing our abstract data.
- Sanity conditions, or data invariants, on the data representation.
- An initialisation of the variables that establishes the invariants.
- A set of operations, each of which maintains the data invariants.

Example

Variables: a list L of Nodes and a quadratic matrix M of Boolean values to represent the nodes and edges of a directed graph.

Data invariants: the list L of nodes should not contain repetitions,

    ∀n, m ∈ [0..|L| − 1] . n ≠ m ⇒ L(n) ≠ L(m)

and its length |L| should coincide with the size of the quadratic matrix: M ∈ (B^|L|)².

Initialisation: L = [] and M the empty (0 × 0) matrix.

Operations: connectedness as above was non-intrusive: it did not affect the graph. Also imagine intrusive operations such as delete(e:Edge) and addnode(v:Node). They would naturally come with a proof obligation.
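The graph of this slide and the connectedness specification from the previous one, as an added example (not from the lecture or from Event-B/Rodin): L and M are the variables, data_invariant() is the sanity condition, init() establishes it, the intrusive operations addnode and addedge refuse inputs that would break it, and connected() computes the b of the specification statement, with vertices referred to by their index in L. MAXN is an assumed fixed capacity, so "|L| equals the size of M" is represented as "every cell of M outside the |L| × |L| corner is false".

```c
#include <stdbool.h>
#include <stddef.h>
/* Assumed capacity; M[i][j] outside the len x len corner must stay false
   to stand in for "the matrix has size |L| x |L|". */
#define MAXN 16
typedef struct {
    int L[MAXN];          /* node labels, L[0..len-1] */
    size_t len;           /* |L| */
    bool M[MAXN][MAXN];   /* M[i][j] iff there is an edge from node i to node j */
} Graph;
/* Initialisation: L = [], M empty; this trivially establishes the invariants. */
void init(Graph *g) { *g = (Graph){ .len = 0 }; }
/* Data invariants: labels in L are pairwise distinct; M has edges only between nodes. */
bool data_invariant(const Graph *g) {
    for (size_t n = 0; n < g->len; n++)
        for (size_t m = 0; m < g->len; m++)
            if (n != m && g->L[n] == g->L[m]) return false;
    for (size_t i = 0; i < MAXN; i++)
        for (size_t j = 0; j < MAXN; j++)
            if (g->M[i][j] && (i >= g->len || j >= g->len)) return false;
    return true;
}
/* Intrusive operations: each must preserve the invariants, so an input that would break them is refused (false). */
bool addnode(Graph *g, int v) {
    if (g->len == MAXN) return false;
    for (size_t i = 0; i < g->len; i++)
        if (g->L[i] == v) return false;    /* duplicate label would break distinctness */
    g->L[g->len++] = v;                    /* new row/column of M is already all false */
    return true;
}
bool addedge(Graph *g, size_t i, size_t j) {   /* only between existing nodes */
    if (i >= g->len || j >= g->len) return false;
    g->M[i][j] = true; return true;
}
/* Non-intrusive operation: b <=> a path f(0)=x, ..., f(n)=y exists with every
   (f(i-1), f(i)) in E. n = 0 is allowed, so every node is connected to itself. */
bool connected(const Graph *g, size_t x, size_t y) {
    bool seen[MAXN] = { false }; size_t stack[MAXN], sp = 0;
    if (x >= g->len || y >= g->len) return false;
    seen[x] = true; stack[sp++] = x;
    while (sp > 0) {
        size_t u = stack[--sp];
        if (u == y) return true;
        for (size_t w = 0; w < g->len; w++)
            if (g->M[u][w] && !seen[w]) { seen[w] = true; stack[sp++] = w; }
    }
    return false;
}
```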

Meaning

To give proper meaning to all the bits, the various existing methods use one or more of

- an article or book describing the formal semantics of assertions, specifications, programs etc.
- a software tool implementing a particular semantics of said notions

Hopefully, if both are provided, they coincide. If none or only the second is provided, avoid: amateur alert. Event-B + Rodin are in the good books: they have published formal semantics for the language and the tool appears to implement it.

What next

Do the introductory exercise. Questions → our COMP2111 forums. Complaints and whingeing → /dev/null.