1 Analysis of a class a case study We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start.

1

Analysis of a classa case study

We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start with experiments. On this base, the lemmas are formulated and proved. Finally the theorem on correctness of class is stated.

G. Mirkowska, A. Salwicki

Abstract

10th December 2003

2

Theses:

Class SIMULATION offered by Loglan’82 is quite a tool,

the hierarchical structure of the class is helpful during planning a simulating experiment,

the specification of the class makes easier to understand it,

MAIN THESIS: it is possible to prove the correctness of the class Simulation..

3

PlanPlan:

Problem: does the class PQ correctly implement the notion of priority queue?

class body (code of class PQ)

Definition - specification of the notion priority queue

Experiments

Formulating observations - lemmas

Proofs of lemmas

Theorem class PQ correctly implements the axioms of priority queue

4

Problem: czy podana poniżej klasa PQ poprawnie implementuje kolejkę priorytetową?

Zobaczmy tekst tej klasy

5

Unit PriorityQueues: class; unit elem: class (prior: real); ... unit node: class(el: elem); … unit queuehead:class; var root, last: node; unit Min: function: elem; … unit insert: procedure(e: elem); … unit delete: procedure(e: elem); … unit correct: procedure(e:elem, down: Boolean); end queuehead; end PriorityQueues;

6

unit elem: class (prior: real); var lab: node; unit virtual less: function(x: elem): Boolean; …begin lab := new node(this elem)end elem;

class elem

object of class elem

lab: node

prior: real

virtual less: function

label

objects of class elem will be presented as brown boxes

7

Class nodeUnit node: class(el: elem); var left, right, up: node ns: integer; unit virtual less: function(): Boolean; …end node;

Object of class node

el

ns =

left

right

up =

el

ns =

left

right

up

8

unit queuehead: class; (* obiekt tej klasy reprezentuje zbiór elementów z operacjami zob. niżej *) var root, last: node; const down := true, up := false;

unit min: function: elem; begin if root <>none then result := root.el fi end min; (* powinien zwracać element najmniejszy w zbiorze *)

unit insert: procedure(e: elem); … (* wstawia element e do zbioru*)

unit delete: procedure(e: elem); … (* usuwa element e ze zbioru*)

unit correct: procedure(r: elem, down: Boolean); (* poprawia, w górę lub w dół, strukturę zbioru zmienioną przez delete, insert *)

end queuehead;

Structure of class queuehead and its methods

9

unit insert: procedure(e: elem); var x,z: node;begin x := e.lab; if last = none then root := x; last, root.left, root.right := root (* x.up = none *) else if last.ns = 0 then last.ns := 1; z := last.left; last.left := x; x.up := last; x.left := z; x.right := x else last.ns := 2; z := last.right; last.right := x; x.right := z; x.up := last; z.left := x; last.left.right := x; x.left := last.left; last := z fi fi; call correct(r, false)end insert;

Inserting an element

To Lemma 3

10

unit delete: procedure(e: elem); var x, y, z: node;begin x := e.lab; z := last.left; if last.ns =0 then y := z.up; if y <>none then y.right := last else root := none fi; last.left, last := y else y := z.left; y.right := last; last.left := y fi; z.el.lab := x; x.el := z.el; last.ns := last.ns - 1; e.lab := z; z.el := e; if x.less(x.up) then call correct(x.el, down) else call correct(x.el, up) fiend delete;

Deleting an element down, up są stałymi logicznymi To Lemma 3

11

unit correct: procedure(r: elem, down: Boolean); var x, z: node, t: elem, fin,log: Boolean;begin z := r.lab; if down then (* DOWN *) while not fin do if z.ns = 0 then fin := true else if z.ns = 1 then x := z.left else (* z has two sons *) if z.left.less(z.right) then x := z.left else x := z.right fi fi; if z.less(x) then fin := true else t := x.el; x.el := z.el; z.el := t; z.el.lab :=z; x.el.lab:= x fi fi; z := x; od (* DOWN *)

1 of 2

12

else (* UP *) x := z.up; if x = none then log := true else log := x.less(z) fi; while not log do t := z.el; z.el := z.el; x.el := t; x.el.lab := x; z.el.lab := z; z := x; x := z.up; if x = none then log := true else log := x.less(z) fi od fi (* DOWN/UP*)end correct;

Correcting the results of insert/delete operations

2 of 2

13

Będziemy rozważać pewien obiekt klasy queuhead i efekty wykonywania operacji insert i delete na tym obiekcie. Zanim cokolwiek wstawimy, nowy obiekt klasy queuehead wygląda tak:

root = nonelast = nonemin: function : eleminsert: procedure(e: elem)delete: procedure(e: elem)

queuehead

Na następnych przeźroczach samego obiektu nie rysujemy, tylko jego atrybuty : root i last - zmienne wskazujące na obiekty typu node.

14

Specification of priority queue structure:

Signaturea two-sorted structure E - set of elements S - set of finite subsets of the set Eequipped with the following operations and predicates:

insert : E S S delete : E S S min : S E member : E S Booleanempty : S Boolean< : E E Boolean

and such that the following properties (= axioms of priority queues) holdis called priority queue.

1 of 2

15

Axioms A1) the set E is linearly ordered by the relation < i.e. the relation < is transitive, reflexive and anti-symmetric A2) [while empty(s) do s := delete(min(s), s) od] true i.e. every set s is finite A3) [s1 := insert(e,s)]{member(e, s1) & for every e1e, member(e1,s1) member(e1,s) } A4) [s1 := delete(e,s)]{ member(e, s1) & for every e1e, member(e1,s1) member(e1,s) } A5) empty(s) min(s) < e, for every e in E such that member(e,s) A6) empty(s) for every e, member(e,s) A7) member(e,s) begin s1 := s; result := false; while empty(s1) and result do if e = min(s1) then result := true fi; s1 := delete(;in(s1), s1) od end result

2 of 2

Specification of priority queue structure:

16

el

ns =

left

right

up

17

label

18

root

lastEmpty set none

19

insert(e1)El

ns = 0

left = this node

right = this node

up = none

labelroot

last

e1

20

insert(e2)el

ns = 1

left

right

up = none

labelroot

last

e1

el

ns =0

left

right=this nd

up

label

e2

21

insert(e3)el

ns = 2

left

right

up = none

labelroot

last

e1

el

ns =0

left

right

up

label labelel

ns =0

left

right

up

e2 e3

22

delete(e1)el

ns = 1

left

right

up = none

labelroot

last

e1

el

ns =0

left

right

up

label labelel

ns =0

left

right

up

e2 e3

After delete(e1), and before call correct

23

insert(e4)El

ns = 2

left

right

up = none

labelroot

last

e1

El

ns =1

left

right

up

label labelEl

ns =0

left

right

up

e2 e3

El

ns =0

left

right = none

up

label

e4

24

insert(e5)El

ns = 2

left

right

up = none

labelroot

last

e1

El

ns =2

left

right

up

label labelEl

ns =0

left

right

up

e2 e3

El

ns =0

left

right

up

label

e4

labelEl

ns =0

left

right

up

e5

25

insert(e6)El

ns = 2

left

right

up = none

labelroot

last

e1

El

ns =1

left

right

up

label labelEl

ns =0

left

right

up

e2 e3

El

ns =0

left

right

up

label

e4

labelEl

ns =0

left

right

up

e5

26

Properties of class “priorityQueues”

Let us consider an object pq in queuehead. Its attributes are root and last of type node.

We state that the following formulae are invariants of the object pq.

Definition 1Consider the set T of node objects that are accessible from the pq object by paths composed of .root arrow followed by a sequence of .left and .right arrows

o T o | pq.root(.left .right)* |

We shall see that this set is a tree.

27

Lemma 2The set T of objects of type node considered together with the function .up forms a tree. .up : | node | | node |

ProofA mathematical-algorithmic definition of the notion of tree reads: a set S is a treeiff (n S) while n =\= none do n := n.up od true We shall prove by induction on the number of executed commands insert and delete that the property given above holds for the set T.At the beginning the set T is empty hence it satisfies the lemma. After insertion of an element e1, our lemma is satisfied too. (For e1.lab.up = none)Suppose that the lemma is true for a set T created by execution of k commands insert and delete. Consider a new object of type node created by insert procedure. Its attribute up points to an already existing object. The values of the attribute up in “old” objects are as before. Similarly, an execution of delete(e) procedure does not change the property for it does not operate on .up attribute. (The node e.lab will be deleted from the set T.)Therefore, the lemma is true.

—

28

Lemma 3For every object n of type node its attribute ns is equal to the number of its sons.Proof.By easy inspection of the code of procedures insert and delete.

Corollary 4n.ns = 0 iff n is a leaf

29

The set T of objects of type node can be considered together with .left and .right operations.Definition 5We say an arrow .left is solid iff n.ns > 0.We say an arrow .right is solid iff n.ns = 2.Otherwise an arrow is said dotted.

Lemma 6The set T of node objects considered together with solid and arrows forms a binary tree.Prooffollows from the lemma 3 and the observation that if o = k.left (or o = k.right) then k.up = o.

.left.right

30

31

El

ns = 2

left

right

up = none

labelroot

last

e1

El

ns =1

left

right

up

label labelEl

ns =0

left

right

up

e2 e3

El

ns =0

left

right

up

label

e4

labelEl

ns =0

left

right

up

e5

32

Lemma 7The sum of ns attributes = number of nodes -1.

Lemma 8{: last = o & o.right = k & o.ns = 1 & o.left = n1 & e.lab = n & n.el=e} [call pq.insert(e)] {: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 }

Proof What does it say the precondition ?

last

o

ns = 1rightleft

k

elns = 0right

n

e

lab

n1

el

ns = 0

33

last

o

ns = 2rightleft

k

elns = 1rightleft

n

elab

n1

el

ns = 0rightupleft

x

z

right

{: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 & n.el=e}

34

last

o

ns = 2rightleft k

elns = 1rightleft

n

e

n1

lab

up

el

ns = 0

{: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 }

35

Lemma 9procedure correct is correct with respect to its pre-condition:its post-condition:

36

Lemma 10Let x, y be two nodes in the set T if y is the father of x then the element associated with y is less than the element associated with its son ( x,y T) (x.up = y y. less(x))ProofAny operation on the tree T (insert or delete) concludes with the call of procedure correct. From the lemma on correct follows ...