The Science of Programming, Revisited
Lecture 7
February 5, 2008
Maggie Myers and Robert van de Geijn

3 Goal-Oriented Programming

So far, we have discussed how to prove program segments correct. What we show next is that the proof of correctness can be performed hand-in-hand with the development of the program, making programming goal-oriented. We will focus on developing loops.

3.1 General structure of a loop-based program

Experience tells us that a loop-based program, annotated with assertions, will have the structure

Step   Annotated algorithm
1a     { Q }              precondition
4      S_I                initialization command
2      { P }              invariant holds before the loop
       do
2        { P }            invariant holds before each iteration
3        B →              guard
2, 3     { P ∧ B }        state if guard holds
5        S_L              update
2        { P }            invariant holds after each iteration
       od
2, 3   { P ∧ ¬B }         invariant holds after loop and guard is false
1b     { R }              postcondition

which we will call the worksheet. The column labeled “Steps” indicates the order in which the worksheet will be filled, as we will discuss next.

In the remainder of this section we will use a few examples to illustrate the approach.

3.2 Scanning an array

Example 12 Let b[0 ... (n − 1)] be an array of integers. Develop a program that computes i, the index of the first element of b that equals zero.

Step 1: Specify the input and output

The example indicates what is to be computed. What we need to do first is translate this into a mathematical specification of the precondition Q and postcondition R:

• Q : 1 ≤ n ∧ (∃ j | 0 ≤ j < n : b[j] = 0).
• R : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

These are entered for Step 1a and 1b in the worksheet.

Step
1a     { 1 ≤ n ∧ (∃ j | 0 ≤ j < n : b[j] = 0) }
4      S_I
2      { P }
       do
2        { P }
3        B →
2, 3     { P ∧ B }
5        S_L
2        { P }
       od
2, 3   { P ∧ ¬B }
1b     { 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0 }

Step 2: Determine an invariant

The next step is to determine a loop invariant. No computation happens between where P ∧ ¬B holds and where R must hold. Thus, it must be the case that

    P ∧ ¬B → 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

Frequently it is the case that P ∧ ¬B is exactly R. (Notice that then certainly P ∧ ¬B → R, since in this case P ∧ ¬B ↔ R.) In other words R = (P ∧ ¬B). (Recall that p ∧ q → p and hence p is weaker than p ∧ q.)

Now, in our example the post condition is

    R : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

While the loop is executing, that i is such that b[i] = 0 has not necessarily been achieved. This suggests weakening R to

    P : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ (∃ j | 0 ≤ j < n : b[j] = 0)

which can be further manipulated to

    0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ (∃ j | 0 ≤ j < n : b[j] = 0)
  ↔   < split range >
    0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ ( (∃ j | 0 ≤ j < i : b[j] = 0) ∨ (...
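The worksheet for Example 12 written as executable code, with Q, P and R checked at the points where the worksheet places them. This is an added example, not part of the lecture notes: the visible text stops before steps 3 to 5 are filled in, so the guard b[i] ≠ 0, the initialization i := 0, the update i := i + 1 and all function names are assumptions made here.

```python
def pre_Q(b):
    # Q: 1 <= n and (exists j | 0 <= j < n : b[j] = 0)
    return len(b) >= 1 and any(x == 0 for x in b)


def inv_P(b, i):
    # P: 0 <= i < n, b[0..i-1] has no zero, and b contains a zero
    return (0 <= i < len(b)
            and all(b[j] != 0 for j in range(i))
            and any(x == 0 for x in b))


def post_R(b, i):
    # R: 0 <= i < n, b[0..i-1] has no zero, and b[i] = 0
    return 0 <= i < len(b) and all(b[j] != 0 for j in range(i)) and b[i] == 0


def first_zero(b):
    # Step 1a: reject inputs outside Q; without a zero in b the scan
    # below would run past the end of the array.
    if not pre_Q(b):
        raise ValueError("precondition Q violated")
    i = 0                                  # step 4, S_I (assumed)
    assert inv_P(b, i)                     # step 2, before the loop
    while b[i] != 0:                       # step 3, guard B (assumed)
        assert inv_P(b, i) and b[i] != 0   # steps 2, 3: { P and B }
        i += 1                             # step 5, S_L (assumed)
        assert inv_P(b, i)                 # step 2, after each iteration
    assert inv_P(b, i) and b[i] == 0       # steps 2, 3: { P and not B }
    assert post_R(b, i)                    # step 1b
    return i


if __name__ == "__main__":
    # Constructed sample arrays, not from the lecture notes.
    for sample in ([3, 1, 0, 4, 0], [0], [7, 7, 7]):
        try:
            print(sample, "->", first_zero(sample))
        except ValueError as err:
            print(sample, "->", err)
```

The third sample violates Q, which is the case where an unchecked scan would index past the end of b.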
This note was uploaded on 03/19/2008 for the course CS 336 taught by Professor Myers during the Spring '08 term at University of Texas at Austin.