develop - The Science of Programming, Revisited Lecture 7...

The Science of Programming, Revisited
Lecture 7
February 5, 2008
Maggie Myers and Robert van de Geijn

3 Goal-Oriented Programming

So far, we have discussed how to prove program segments correct. What we show next is that the proof of correctness can be performed hand-in-hand with the development of the program, making programming goal-oriented. We will focus on developing loops.

3.1 General structure of a loop-based program

Experience tells us that a loop-based program, annotated with assertions, will have the structure

  Step   Annotated algorithm
  1a     { Q }               precondition
  4      S_I                 initialization command
  2      { P }               invariant holds before the loop
         do
  2        { P }             invariant holds before each iteration
  3        B →               guard
  2, 3     { P ∧ B }         state if guard holds
  5        S_L               update
  2        { P }             invariant holds after each iteration
         od
  2, 3   { P ∧ ¬B }          invariant holds after loop and guard is false
  1b     { R }               postcondition

which we will call the worksheet. The column labeled "Step" indicates the order in which the worksheet will be filled, as we will discuss next. In the remainder of this section we will use a few examples to illustrate the approach.

3.2 Scanning an array

Example 12 Let b[0 ... (n-1)] be an array of integers. Develop a program that computes i, the index of the first element of b that equals zero.

Step 1: Specify the input and output

The example indicates what is to be computed. What we need to do first is translate this into a mathematical specification of the precondition Q and postcondition R:

• Q : 1 ≤ n ∧ (∃ j | 0 ≤ j < n : b[j] = 0).
• R : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

(That i is the first such index is captured by requiring every element before position i to be nonzero.) These are entered for Steps 1a and 1b in the worksheet.

  Step   Annotated algorithm
  1a     { 1 ≤ n ∧ (∃ j | 0 ≤ j < n : b[j] = 0) }
  4      S_I
  2      { P }
         do
  2        { P }
  3        B →
  2, 3     { P ∧ B }
  5        S_L
  2        { P }
         od
  2, 3   { P ∧ ¬B }
  1b     { 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0 }

Step 2: Determine an invariant

The next step is to determine a loop invariant. No computation happens between where P ∧ ¬B holds and where R must hold. Thus, it must be the case that

  P ∧ ¬B → 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

Frequently it is the case that P ∧ ¬B is exactly R. (Notice that then certainly P ∧ ¬B → R, since in this case P ∧ ¬B ↔ R.) In other words R = (P ∧ ¬B). (Recall that p ∧ q → p and hence p is weaker than p ∧ q.) Now, in our example the postcondition is

  R : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ b[i] = 0.

While the loop is executing, that i is such that b[i] = 0 has not necessarily been achieved. This suggests weakening R to

  P : 0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ (∃ j | 0 ≤ j < n : b[j] = 0)

which can be further manipulated to

  0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ (∃ j | 0 ≤ j < n : b[j] = 0)
  ↔ < split range >
  0 ≤ i < n ∧ (∀ j | 0 ≤ j < i : b[j] ≠ 0) ∧ ((∃ j | 0 ≤ j < i : b[j] = 0) ∨ (...
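The worksheet and the invariant derived above can be turned directly into a loop whose annotations are checked at run time. The block below is an added example, not code from the lecture notes: it takes the lecture's Q, P, B and R for Example 12 and completes the remaining worksheet steps with the standard choices i := 0 for S_I and i := i + 1 for S_L, which the preview does not reach and which are assumed here. It also shows why the existential in Q is not just a formality: if no zero is present, the guard b[i] ≠ 0 never becomes false and the same loop written in C walks off the end of the array, while here the { Q } assertion rejects the input before the loop starts.

```python
"""Worksheet for Example 12 (first zero in b[0..n-1]) as executable assertions.
Q, P, B and R are the lecture's predicates; the quantified formulas are spelled
out with all()/any() over exactly the ranges written in the notes."""
from collections.abc import Sequence


def Q(b: Sequence[int], n: int) -> bool:
    """Precondition: 1 <= n and (exists j | 0 <= j < n : b[j] = 0)."""
    return 1 <= n and any(b[j] == 0 for j in range(n))


def P(b: Sequence[int], n: int, i: int) -> bool:
    """Invariant: 0 <= i < n and (forall j | 0 <= j < i : b[j] != 0)
    and (exists j | 0 <= j < n : b[j] = 0).
    This is R with the conjunct b[i] = 0 weakened to 'a zero still exists'."""
    return (0 <= i < n
            and all(b[j] != 0 for j in range(i))
            and any(b[j] == 0 for j in range(n)))


def B(b: Sequence[int], i: int) -> bool:
    """Guard, chosen so that P and not B implies R: not B must be b[i] = 0."""
    return b[i] != 0


def R(b: Sequence[int], n: int, i: int) -> bool:
    """Postcondition: 0 <= i < n and (forall j | 0 <= j < i : b[j] != 0)
    and b[i] = 0."""
    return 0 <= i < n and all(b[j] != 0 for j in range(i)) and b[i] == 0


def first_zero(b: Sequence[int]) -> int:
    """The loop filled in from the worksheet, with each annotation asserted at
    the point where the worksheet says it must hold.  S_I (i := 0) and
    S_L (i := i + 1) are the assumed completion of steps 4 and 5."""
    n = len(b)
    assert Q(b, n), "precondition Q violated: n < 1 or no zero in b"  # { Q }
    i = 0                                                              # S_I
    assert P(b, n, i)                                                  # { P }
    while B(b, i):                                                     # do B ->
        assert P(b, n, i) and B(b, i)                                  #   { P and B }
        i = i + 1                                                      #   S_L
        assert P(b, n, i)                                              #   { P }
    assert P(b, n, i) and not B(b, i)                                  # od { P and not B }
    assert R(b, n, i)                                                  # { R }
    return i


def violates_precondition(b: Sequence[int]) -> bool:
    """True when first_zero rejects b at { Q }.  This is the check that matters
    in practice: without Q the loop has no bound on i, and the C equivalent
    would read b[n], b[n+1], ... past the end of the array."""
    try:
        first_zero(b)
    except AssertionError as exc:
        return "precondition" in str(exc)
    return False
```

Every `assert` in `first_zero` corresponds to one row of the worksheet, so removing the `Q` check and feeding an array without a zero makes the `P` assertion after `S_L` fail at i = n, which is exactly the bound the invariant exists to protect.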
This note was uploaded on 03/19/2008 for the course CS 336 taught by Professor Myers during the Spring '08 term at University of Texas at Austin.
