Date post: | 26-Mar-2015 |
Category: |
Documents |
Upload: | andrew-coughlin |
View: | 212 times |
Download: | 0 times |
1
Analysis of a classa case study
We are going to prove the correctness of a class w.r.t. a specification. In order to formulate our hypotheses we start with experiments. On this base, the lemmas are formulated and proved. Finally the theorem on correctness of class is stated.
G. Mirkowska, A. Salwicki
Abstract
10th December 2003
2
Theses:
Class SIMULATION offered by Loglan’82 is quite a tool,
the hierarchical structure of the class is helpful during planning a simulating experiment,
the specification of the class makes easier to understand it,
MAIN THESIS: it is possible to prove the correctness of the class Simulation..
3
PlanPlan:
Problem: does the class PQ correctly implement the notion of priority queue?
class body (code of class PQ)
Definition - specification of the notion priority queue
Experiments
Formulating observations - lemmas
Proofs of lemmas
Theorem class PQ correctly implements the axioms of priority queue
4
Problem: czy podana poniżej klasa PQ poprawnie implementuje kolejkę priorytetową?
Zobaczmy tekst tej klasy
5
Unit PriorityQueues: class; unit elem: class (prior: real); ... unit node: class(el: elem); … unit queuehead:class; var root, last: node; unit Min: function: elem; … unit insert: procedure(e: elem); … unit delete: procedure(e: elem); … unit correct: procedure(e:elem, down: Boolean); end queuehead; end PriorityQueues;
6
unit elem: class (prior: real); var lab: node; unit virtual less: function(x: elem): Boolean; …begin lab := new node(this elem)end elem;
class elem
object of class elem
lab: node
prior: real
virtual less: function
label
objects of class elem will be presented as brown boxes
7
Class nodeUnit node: class(el: elem); var left, right, up: node ns: integer; unit virtual less: function(): Boolean; …end node;
Object of class node
el
ns =
left
right
up =
el
ns =
left
right
up
8
unit queuehead: class; (* obiekt tej klasy reprezentuje zbiór elementów z operacjami zob. niżej *) var root, last: node; const down := true, up := false;
unit min: function: elem; begin if root <>none then result := root.el fi end min; (* powinien zwracać element najmniejszy w zbiorze *)
unit insert: procedure(e: elem); … (* wstawia element e do zbioru*)
unit delete: procedure(e: elem); … (* usuwa element e ze zbioru*)
unit correct: procedure(r: elem, down: Boolean); (* poprawia, w górę lub w dół, strukturę zbioru zmienioną przez delete, insert *)
end queuehead;
Structure of class queuehead and its methods
9
unit insert: procedure(e: elem); var x,z: node;begin x := e.lab; if last = none then root := x; last, root.left, root.right := root (* x.up = none *) else if last.ns = 0 then last.ns := 1; z := last.left; last.left := x; x.up := last; x.left := z; x.right := x else last.ns := 2; z := last.right; last.right := x; x.right := z; x.up := last; z.left := x; last.left.right := x; x.left := last.left; last := z fi fi; call correct(r, false)end insert;
Inserting an element
To Lemma 3
10
unit delete: procedure(e: elem); var x, y, z: node;begin x := e.lab; z := last.left; if last.ns =0 then y := z.up; if y <>none then y.right := last else root := none fi; last.left, last := y else y := z.left; y.right := last; last.left := y fi; z.el.lab := x; x.el := z.el; last.ns := last.ns - 1; e.lab := z; z.el := e; if x.less(x.up) then call correct(x.el, down) else call correct(x.el, up) fiend delete;
Deleting an element down, up są stałymi logicznymi To Lemma 3
11
unit correct: procedure(r: elem, down: Boolean); var x, z: node, t: elem, fin,log: Boolean;begin z := r.lab; if down then (* DOWN *) while not fin do if z.ns = 0 then fin := true else if z.ns = 1 then x := z.left else (* z has two sons *) if z.left.less(z.right) then x := z.left else x := z.right fi fi; if z.less(x) then fin := true else t := x.el; x.el := z.el; z.el := t; z.el.lab :=z; x.el.lab:= x fi fi; z := x; od (* DOWN *)
1 of 2
12
else (* UP *) x := z.up; if x = none then log := true else log := x.less(z) fi; while not log do t := z.el; z.el := z.el; x.el := t; x.el.lab := x; z.el.lab := z; z := x; x := z.up; if x = none then log := true else log := x.less(z) fi od fi (* DOWN/UP*)end correct;
Correcting the results of insert/delete operations
2 of 2
13
Będziemy rozważać pewien obiekt klasy queuhead i efekty wykonywania operacji insert i delete na tym obiekcie. Zanim cokolwiek wstawimy, nowy obiekt klasy queuehead wygląda tak:
root = nonelast = nonemin: function : eleminsert: procedure(e: elem)delete: procedure(e: elem)
queuehead
Na następnych przeźroczach samego obiektu nie rysujemy, tylko jego atrybuty : root i last - zmienne wskazujące na obiekty typu node.
14
Specification of priority queue structure:
Signaturea two-sorted structure E - set of elements S - set of finite subsets of the set Eequipped with the following operations and predicates:
insert : E S S delete : E S S min : S E member : E S Booleanempty : S Boolean< : E E Boolean
and such that the following properties (= axioms of priority queues) holdis called priority queue.
1 of 2
15
Axioms A1) the set E is linearly ordered by the relation < i.e. the relation < is transitive, reflexive and anti-symmetric A2) [while empty(s) do s := delete(min(s), s) od] true i.e. every set s is finite A3) [s1 := insert(e,s)]{member(e, s1) & for every e1e, member(e1,s1) member(e1,s) } A4) [s1 := delete(e,s)]{ member(e, s1) & for every e1e, member(e1,s1) member(e1,s) } A5) empty(s) min(s) < e, for every e in E such that member(e,s) A6) empty(s) for every e, member(e,s) A7) member(e,s) begin s1 := s; result := false; while empty(s1) and result do if e = min(s1) then result := true fi; s1 := delete(;in(s1), s1) od end result
2 of 2
Specification of priority queue structure:
16
el
ns =
left
right
up
17
label
18
root
lastEmpty set none
19
insert(e1)El
ns = 0
left = this node
right = this node
up = none
labelroot
last
e1
20
insert(e2)el
ns = 1
left
right
up = none
labelroot
last
e1
el
ns =0
left
right=this nd
up
label
e2
21
insert(e3)el
ns = 2
left
right
up = none
labelroot
last
e1
el
ns =0
left
right
up
label labelel
ns =0
left
right
up
e2 e3
22
delete(e1)el
ns = 1
left
right
up = none
labelroot
last
e1
el
ns =0
left
right
up
label labelel
ns =0
left
right
up
e2 e3
After delete(e1), and before call correct
23
insert(e4)El
ns = 2
left
right
up = none
labelroot
last
e1
El
ns =1
left
right
up
label labelEl
ns =0
left
right
up
e2 e3
El
ns =0
left
right = none
up
label
e4
24
insert(e5)El
ns = 2
left
right
up = none
labelroot
last
e1
El
ns =2
left
right
up
label labelEl
ns =0
left
right
up
e2 e3
El
ns =0
left
right
up
label
e4
labelEl
ns =0
left
right
up
e5
25
insert(e6)El
ns = 2
left
right
up = none
labelroot
last
e1
El
ns =1
left
right
up
label labelEl
ns =0
left
right
up
e2 e3
El
ns =0
left
right
up
label
e4
labelEl
ns =0
left
right
up
e5
26
Properties of class “priorityQueues”
Let us consider an object pq in queuehead. Its attributes are root and last of type node.
We state that the following formulae are invariants of the object pq.
Definition 1Consider the set T of node objects that are accessible from the pq object by paths composed of .root arrow followed by a sequence of .left and .right arrows
o T o | pq.root(.left .right)* |
We shall see that this set is a tree.
27
Lemma 2The set T of objects of type node considered together with the function .up forms a tree. .up : | node | | node |
ProofA mathematical-algorithmic definition of the notion of tree reads: a set S is a treeiff (n S) while n =\= none do n := n.up od true We shall prove by induction on the number of executed commands insert and delete that the property given above holds for the set T.At the beginning the set T is empty hence it satisfies the lemma. After insertion of an element e1, our lemma is satisfied too. (For e1.lab.up = none)Suppose that the lemma is true for a set T created by execution of k commands insert and delete. Consider a new object of type node created by insert procedure. Its attribute up points to an already existing object. The values of the attribute up in “old” objects are as before. Similarly, an execution of delete(e) procedure does not change the property for it does not operate on .up attribute. (The node e.lab will be deleted from the set T.)Therefore, the lemma is true.
—
28
Lemma 3For every object n of type node its attribute ns is equal to the number of its sons.Proof.By easy inspection of the code of procedures insert and delete.
Corollary 4n.ns = 0 iff n is a leaf
29
The set T of objects of type node can be considered together with .left and .right operations.Definition 5We say an arrow .left is solid iff n.ns > 0.We say an arrow .right is solid iff n.ns = 2.Otherwise an arrow is said dotted.
Lemma 6The set T of node objects considered together with solid and arrows forms a binary tree.Prooffollows from the lemma 3 and the observation that if o = k.left (or o = k.right) then k.up = o.
.left.right
30
31
El
ns = 2
left
right
up = none
labelroot
last
e1
El
ns =1
left
right
up
label labelEl
ns =0
left
right
up
e2 e3
El
ns =0
left
right
up
label
e4
labelEl
ns =0
left
right
up
e5
32
Lemma 7The sum of ns attributes = number of nodes -1.
Lemma 8{: last = o & o.right = k & o.ns = 1 & o.left = n1 & e.lab = n & n.el=e} [call pq.insert(e)] {: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 }
Proof What does it say the precondition ?
last
o
ns = 1rightleft
k
elns = 0right
n
e
lab
n1
el
ns = 0
33
last
o
ns = 2rightleft
k
elns = 1rightleft
n
elab
n1
el
ns = 0rightupleft
x
z
right
{: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 & n.el=e}
34
last
o
ns = 2rightleft k
elns = 1rightleft
n
e
n1
lab
up
el
ns = 0
{: last = k & o.ns = 2 & o.right = n = last.left & n.up=o & o.left = n1 }
35
Lemma 9procedure correct is correct with respect to its pre-condition:its post-condition:
36
Lemma 10Let x, y be two nodes in the set T if y is the father of x then the element associated with y is less than the element associated with its son ( x,y T) (x.up = y y. less(x))ProofAny operation on the tree T (insert or delete) concludes with the call of procedure correct. From the lemma on correct follows ...