CS 641 meeting -*- Outline -*-

* Specifications (Cohen's chapter 4)

	Note Hesselink uses a different notation, so no need to emphasize.

	Skip over 4.1 (it's obvious)

** what is programming? (omit)
-----------------------
 EQUATION WITH UNKNOWN SPECIFIED

consider x*x + b*x + c = 0
	could solve for x, b, or c!

x: x*x + b*x + c = 0
	means solve for x in...
-----------------------

-----------------------
   WHAT IS PROGRAMMING?

Programming is solving the equation:
	S: {Q} S {R}
-----------------------
	where Q and R are pre- and postconditions

	this points out that you have to tell what you want.
	Similarly in specification,
		have to say what you can change (what the program vars are)

** writing specifications
	We specify a program by stating a pre- and postcondition,
		as well what variables a program can modify

*** notation
-----------------------
TOTAL CORRECTNESS HOARE TRIPLE

	{Q} S {R}
  =def=
	 Q ==> wp.S.R
-----------------------
	The Hoare triple means if Q holds,
				 then execution of S always terminates
					in a state satisfying R
	The weakest precondition is an in Dijkstra's paper (see section 5.2)

** form of specification
-------------------
  FORM OF SPECIFICATION

example:
 var a,b,z: int {a >= 0 /\ b >= 0}
; z: z = a*b
-------------------
	this says that a,b,z are integers,
	and the statement S desired must satisfy
		{a >= 0 /\ b >= 0} S {z = a*b}
	but only z may be modified

----------------------
 SYNTAX OF SPECIFICATIONS

<spec> ::= 
      <decl>
  [ ; <decl> ] ...
    ; <ident-list> : <cond>
<decl> ::=
      var <ident-list> : <type> [ <cond> ]
<ident-list> ::= <ident> [ , <ident> ] ...
<cond> ::= <boolean-expression>
	| <label> : <boolean-expression>
----------------------
	where [ and ] surround optional stuff,
	and X ... means zero or more X's

*** examples
----------------
   EXAMPLE SPECS

set z to absolute value of x
  var x,z : int
 ; z : z = |x|

set z to its own absolute value
  var z : int {z = Z}
 ; z: z = |Z|
----------------
	in the first, the precondition is omitted (as it's true)
	in the second, Z is a ghost variable (name for a value)
		really we mean for all Z the above holds
	ghost vars are also called logical variables and spec. constants

------------------
swap the values of x and y
  var x,y: bool {x = X /\ y = Y}
 ; x,y : x = Y /\ y = X
------------------

	Q: can you specify setting z to the max of integers x and y?
	Q: can you specify setting x to the max of integers x and y?

-------------------
set q and r to the quotient of x by y:
  var x,y,q,r: int {x>=0 /\ y>0}
 ; q,r : q*y + r = x /\ 0<=r /\ r<y

set x to integer square root of N:
  var N: int {N >= 0}
  var x:int
 ; x : x <= sqrt(N) /\ sqrt(N) < x+1
------------
	where sqrt(N) is the square root of N (in math)

	Q: Can you specify a program that sets x to
		the integer log base 2 on N?

** arrays (4.4)
	an array is a function from indexes to elements (items)

-------------------
NOTATION FOR ARRAYS

var f(i : x <= i < y) : bool
-------------------
	this is permitted if x <= y (arrays can be empty, but must be sensible)
		x is lower bound, y is upper bound
	i is dummy index
	f is a bool-valued function defined on the domain {i | x <= i < y}

--------------------
f.k is an element of f
 =def= x <= k < y

length:  #f =def= y - x

v occurs in f
 =def= (exists i : x <= i < y : f.i = v)

def: bag.f is the multiset of elements of f

f(k:i<=k<j) is an array section
 =def= x <= i <= j <= y

var f(0..N-1): T
 =def= var f(i: 0 <= i < N): T

var f: array of int
 =def= var f(i:0 <= i < #f): int {#f >= 0}
--------------------
	in this last, {#f >= 0} is an assertion about #f, a precondition
		for use in a spec.

	Q: can you specify setting x to the max value occuring in an
		integer array g?
		note, can use abbreviations
** monotonicity defs.
	(don't spend time in class on this)

----------------
  DEFINITIONS RELATED TO SORTING
       AND MONOTONICITY

f is increasing
 =def= (all i,j:: i<j equiv f.i < f.j)

f is nondecreasing (or ascending)
 =def= (all i,j:: i<j <== f.i < f.j)

f is decreasing
 =def= (all i,j:: i<j equiv f.i > f.j)

f is nonincreasing (or decending)
 =def= (all i,j:: i<j <== f.i > f.j)
----------------
	I don't particularly like Cohen's terminology,
		as it is not in general use and (more important)
		there is nothing about it
		that helps distinguish "increasing" from "ascending"

** more examples of specs (4.7)
	(don't spend time in class on this)

	might do example 12 or 13

** other notations (4.8)

--------------------------
OTHER NOTATIONS FOR SPECIFICATIONS

Cohen's
 var x,y: int {x>y}
; x : x = y

Gries's:
 Given fixed integer y such that x>y,
 establish x = y

Dijkstra and Feijen's:
 |[ var y: int
   |[ var x: int {x>y}
     ;S
      {x = y}
   ]|
 ]|

Hesselink's:
  ext y, x!: int;
  pre x>y, post x=y
--------------------------