TSC Workshop, May 2008, U Oklahoma
Teaching Software Correctness
May 13-15, 2008, University of Oklahoma
Rex Page, U Oklahoma
Assistants: Carl Eastlund (lead), Northeastern U; Ryan Ralston, U Oklahoma; Zac White, U Oklahoma
http://www.cs.ou.edu/~rlpage/SEcollab/tsc
Collaboration with Matthias Felleisen - NSF/DUE 0633664, 0813529, 0632872
Session 01 — 9:00-10:15, May 13
2003 SE course • Programs: Scheme (DrScheme) • Verify correctness: ACL2
2004 SE course • Program/Verify: ACL2 • File I/O only
2005 SE course • ACL2, File I/O • ESC paper, FDPE'05
2006 SE course • DrACuLA programming environment • File I/O + GUI
2007 SE course • DrACuLa programming environment • with DoubleCheck
2008 plans • DrACuLa + DblChk • + Modules
The Three Themes of SE-I
Process, Design, Quality
Low defect rate
Predictable quality, reliable schedule
Do it right, not necessarily fast
Primarily for people; think “Strunk and White”
PSP - Humphrey
Equation-Based Programming
ACL2 – J Moore: Lisp with mechanical logic
Besides a mathematical inclination, an exceptionally good mastery of one's native tongue is the most vital asset of a competent programmer. — Dijkstra
Provably Correct Software: 300 Years in the Making
If we had some exact language … or at least a kind of truly philosophic writing, in which the ideas were reduced to a kind of alphabet of human thought,
then all that follows rationally from what is given could be found by a kind of calculus, just as arithmetical or geometrical problems are solved.
- Gottfried Leibniz (about 1700)
Symbolic logic - Boole, Frege, Peano, … (mid to late 1800s)
Mechanization Is Necessary: without it, you get lost in details
Even simple properties lead to big proofs
Associativity proof (as presented) lacks many details
Millions of details in proofs about big programs
People can’t keep track of millions of details
But, computers can
Computers couldn’t 10 years ago – not enough capacity
People formulate properties … computers push details
Proof organized into lemmas — like software in modules
On the level of “rigorous” mathematical proof
– Not fully formal
Some lemma architectures are better than others
– Just as some modular decompositions of software are superior
Formulation of properties is a big task
– Experience and judgment required — as in software
(null x) = (equal x nil)
(consp (cons x y)) = T
(atom (cons x y)) = nil
(atom x) = (null (consp x))
(endp xs) = (atom xs) – allowed only on true lists
x, y, xs — any formula
These operators, plus a way to define new operators, are sufficient to describe any computation.
Defining Operators in ACL2
defun – a “special form”: (defun f (a1 a2 … an) v)
f, a symbol, names the operator being defined
ai, a symbol, stands for the ith operand (n may be zero)
v, a formula, specifies the value the operator will deliver
After the defun, (f u1 u2 … un) denotes the formula v with each occurrence of ai replaced by the formula ui
defun has the effect of attaching a name to an operator
defun is a “command” – commands alter the current ACL2 world
– Ordinary formulas do not alter the world
defun does not deliver a value
– Ordinary formulas do deliver values
Examples
(defun drop-two (xs) (cdr (cdr xs)))
(drop-two '(a b c d e)) = (c d e)
(drop-two (drop-two '(a b c d e))) = (e)
(defun take-two (xs) (list (car xs) (cadr xs)))
– (cadr xs) is an abbreviation of (car (cdr xs))
– (list (car xs) (cadr xs)) is an abbreviation of (cons (car xs) (cons (cadr xs) nil))
(take-two '(a b c d e)) = (a b)
Exercise: Define an operator to deliver the 3rd and 4th elements. Assume the operand is a list of at least four elements.
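One solution to the 3rd-and-4th exercise, written as an added example rather than taken from the workshop slides; the operator name third-and-fourth and the theorem name are my own, and the slide's drop-two and take-two are repeated so the file loads on its own in ACL2.

```lisp
; Constructed example, not from the workshop slides.
; The two operators from the slide, repeated so this file is self-contained.
(defun drop-two (xs) (cdr (cdr xs)))
(defun take-two (xs) (list (car xs) (cadr xs)))

; One solution to the exercise: deliver the 3rd and 4th elements.
; caddr abbreviates (car (cdr (cdr xs))) and cadddr abbreviates
; (car (cdr (cdr (cdr xs)))), in the same way cadr abbreviates (car (cdr xs)).
(defun third-and-fourth (xs)
  (list (caddr xs) (cadddr xs)))

; (third-and-fourth '(a b c d e)) = (c d)

; The same operator built from the slide's drop-two and take-two.
; Submitting this defthm asks ACL2 to prove the two formulations equal
; for every xs; it succeeds by unfolding the three definitions, which is
; the "mechanization" the earlier slides argue for: the details are
; pushed by the machine, the property is formulated by the person.
(defthm third-and-fourth-via-drop-take
  (equal (third-and-fourth xs)
         (take-two (drop-two xs))))
```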
Exercises
Define an operator that delivers a value other than nil if neither operand denotes nil, and nil if both operands denote nil
(&& formula-denoting-nil any-formula) = nil
(&& any-formula formula-denoting-nil) = nil
(&& non-nil-formula non-nil-formula) = non-nil-formula
Define an operator that delivers nil if both operands denote nil, and a value other than nil if either operand denotes a non-nil value
(|| non-nil-formula any-formula) = non-nil-formula
(|| any-formula non-nil-formula) = non-nil-formula
(|| formula-denoting-nil formula-denoting-nil) = nil
Define an operator that delivers a value other than nil if its operand denotes nil, and nil if its operand denotes a non-nil value
(~ non-nil-formula) = nil
(~ formula-denoting-nil) = non-nil-formula
Solutions
(defun && (x y) (if x y nil))
(defun || (x y) (if x x y))
(defun ~ (x) (if x nil t))
All require dividend and divisor: (floor 8 3) = 2
Operands may be rationals, but quotients are integers
numeric operands only
abs, min, max: integer or rational operands only
zp, posp: natural number operand only
Recognizers: natp, integerp, rationalp, acl2-numberp
Character and string operators
char-upcase, char-downcase, char-code, code-char: character operands
char<, char<=, …, char-equal: character operands
string-append, subseq, string-upcase: string operands
string<, string<=, …, string-equal: string operands