What Does this Program Do?
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
How can you be sure?
• Integer division
– Compute quotient Q and remainder R of X divided by Y, for non-negative integer X and positive integer Y
– Expressed as a function returning two results
<Q, R> ← DIVIDE(X, Y)
– Expressed as a relation of four variables
DIVIDE(X, Y, Q, R)
Answer
Preconditions
• What must be true about the inputs to this program in order for the program to successfully execute?
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Preconditions
• X ≥ 0 ∧ Y > 0
– The value of X is non-negative and
– The value of Y is positive before execution begins
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Postconditions
• What must be true about the program output variables after the program has completed execution?
– Expressed in terms of input and output variables
– Assuming that it terminates
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Postconditions
• Y > 0 ∧
• X ≥ 0
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Postconditions
• Y > 0 ∧
• X ≥ 0 ∧
• Q ≥ 0
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Postconditions
• Y > R ≥ 0 ∧
• X ≥ 0 ∧
• Q ≥ 0
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Postconditions
• Y > R ≥ 0 ∧
• X ≥ 0 ∧
• Q ≥ 0 ∧
• X = Q ∗ Y + R
Q ← 0
R ← X
while (R ≥ Y)
  R ← R − Y
  Q ← Q + 1
Proof Plan
• Construct flow chart
• Annotate with preconditions
• Add invariants at intermediate program points based on the type of statement executed
– Assignment
– Conditional
– Loop
Flow Chart
START → Q ← 0 → R ← X → test R < Y
  Yes: → EXIT
  No:  → R ← R − Y → Q ← Q + 1 → back to the test R < Y
Add Pre-Conditions
START {X ≥ 0, Y > 0} → Q ← 0 → R ← X → test R < Y
  Yes: → EXIT
  No:  → R ← R − Y → Q ← Q + 1 → back to the test R < Y
Loops
- Unlike other statements, a loop, like the one in the example, has to deal with multiple incoming flows of control
- That is, there are two ways of entering the loop
  - One from the start of the program
  - One after going around the loop at least once
- The assertions at the head of the loop must be true in both circumstances
- In fact, they need to be true no matter how many times the loop is executed
- For this reason, they are called loop invariants
- Normally, you think of loops behaving differently on each iteration
- But the assertion has to stay the same
- That is, the loop invariant has to generalize over all iterations
- The analyst has to invent this generalization
More on Loop Invariants
• A loop invariant has to satisfy three properties
- It must be true the first time execution reaches it
- If it is true after some number (n) of iterations, it must be true after n + 1
- It must be strong enough to imply the postcondition
• Recall, the post condition we are looking for is
– Y > R ≥ 0 ∧ X ≥ 0 ∧ Q ≥ 0 ∧ X = Q ∗ Y + R
• We already have Y > 0, Y > R, X ≥ 0
• Let's try R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y
Example
START {X ≥ 0, Y > 0} → Q ← 0 {X ≥ 0, Y > 0, Q = 0} → R ← X {R ≥ 0, Y > 0, X ≥ 0, Q = 0, X = R} → test R < Y
  Yes: {Y > R, Y ≥ 0, X ≥ 0} → HALT
  No:  {R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y} → R ← R − Y → Q ← Q + 1 → back to the test R < Y
More Invariants
• Let's try our first test. Is the invariant true the first time through?
- Condition before entering the loop R ≥ 0 , Y > 0, X ≥ 0, Q = 0, X = R
- Loop invariant R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y
- R ≥ 0 and Y > 0 and R ≥ Y implies R ≥ Y > 0; so we are okay so far
- X still non-negative
- If Q equal to 0 , then it is certainly greater than or equal to it
- Finally, if Q = 0 and X = R then X does equal R + Q ∗ Y = R + 0 ∗ Y = R
Assignments One Last Time
- The algorithm includes the assignment statement R ← R - Y
- What is interesting about this statement is that the variable on the left-hand side (R) also occurs on the right-hand side
- If we naively state that the postcondition is {R = R - Y}, we would get nonsense
- Instead, we must introduce a little more notation and perform some algebraic manipulations
Assignments - 2
- Assume that the precondition for the assignment statement is {X = R + Q * Y} and the assignment statement R ← R - Y
- First, using the assignment statement, annotate the left-hand R with a prime (R'). R' can be read as "the value of R after the assignment"
- Then, solve for R in terms of R': R' = R - Y ⇒ R' + Y = R
- Substitute this expression (R' + Y) into the precondition for all occurrences of R : {X = (R' + Y) + Q ∗ Y}
- Simplify to produce the postcondition (drop the prime): {X = R + (Q + 1) ∗ Y}
- The general rule is to solve for the variable without the apostrophe and plug that expression into the precondition
More Assignments
START {X ≥ 0, Y > 0} → Q ← 0 {X ≥ 0, Y > 0, Q = 0} → R ← X {R ≥ 0, Y > 0, X ≥ 0, Q = 0, X = R} → test R < Y
  Yes: {Y > R ≥ 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y} → HALT
  No:  {R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y} → R ← R − Y {R ≥ 0, X ≥ 0, Y > 0, Q ≥ 0, X = R + (Q + 1) ∗ Y} → Q ← Q + 1 → back to the test R < Y
Last Assignment
- Let's try this procedure on the last assignment statement in the algorithm Q ← Q + 1
- The precondition of the assignment is R ≥ 0, X ≥ 0, Y > 0, Q ≥ 0, X = R + (Q + 1) ∗ Y
- Set Q' = Q + 1
- Solve for Q: Q = Q' - 1
- Substitute into precondition: R ≥ 0, X ≥ 0, Y > 0, (Q' - 1) ≥ 0, X = R + ((Q' - 1) + 1) ∗ Y
- Simplify: R ≥ 0, X ≥ 0, Y > 0, Q > 0, X = R + Q ∗ Y
Last Assignment
START {X ≥ 0, Y > 0} → Q ← 0 {X ≥ 0, Y > 0, Q = 0} → R ← X {R ≥ 0, Y > 0, X ≥ 0, Q = 0, X = R} → test R < Y
  Yes: {Y > R ≥ 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y} → HALT
  No:  {R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y} → R ← R − Y {R ≥ 0, X ≥ 0, Y > 0, Q ≥ 0, X = R + (Q + 1) ∗ Y} → Q ← Q + 1 {R ≥ 0, X ≥ 0, Y > 0, Q > 0, X = R + Q ∗ Y} → back to the test R < Y
Implications
- Notice that the postcondition of the last assignment labels the arc that returns to the top of the loop
- We can now make our second test on the loop invariant: if the loop has successfully executed n times, will the invariant hold on the (n + 1)th?
- The postcondition on the nth execution (on any execution) is R ≥ 0, X ≥ 0, Y > 0, Q > 0, X = R + Q ∗ Y
- The loop invariant is R ≥ Y > 0, X ≥ 0, Q ≥ 0, X = R + Q ∗ Y
- Surely Q > 0 implies Q ≥ 0
- And R ≥ 0, Y > 0, and the loop condition R ≥ Y imply R ≥ Y > 0
- So the second test of our loop invariant is passed
Third Test
- It is easy to come up with loop invariants. After all, 1 + 1 = 2 is a loop invariant. It is true for every execution of any loop
- But it is not much good in proving programs
- We need to have loop invariants that imply the program's post conditions
- This is just another way of saying that the loop computation has to contribute to producing the intended program result
- For the example program, the result of the loop is R ≥ 0, X ≥ 0, Y > 0, Q > 0, X = R + Q ∗ Y
- We also know from the conditional that R < Y
- The program post condition is Y > R ≥ 0, X ≥ 0, Q ≥ 0, X = Q ∗ Y + R
- So the third test is passed as well
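The three tests above can also be checked mechanically. The following is an added example, not part of the lecture notes: the division program with the notes' precondition, loop invariant, body postcondition and program postcondition asserted at the points where the flow chart places them, plus an exhaustive check of the three loop-invariant tests over a bounded range of X, Y, Q and R (the range limit is an assumption made for the check).

```python
# Added example: run-time and brute-force checks of the annotations in the notes.

def precondition(x, y):
    return x >= 0 and y > 0                          # X >= 0 and Y > 0

def loop_invariant(x, y, q, r):
    # The notes' invariant on the "No" branch: R >= Y > 0, X >= 0, Q >= 0, X = R + Q*Y
    return r >= y > 0 and x >= 0 and q >= 0 and x == r + q * y

def body_result(x, y, q, r):
    # Postcondition of Q <- Q + 1, labelling the arc back to the test
    return r >= 0 and x >= 0 and y > 0 and q > 0 and x == r + q * y

def postcondition(x, y, q, r):
    return y > r >= 0 and x >= 0 and q >= 0 and x == q * y + r

def divide(x, y):
    """<Q, R> <- DIVIDE(X, Y), with each annotation asserted where it is placed."""
    assert precondition(x, y), "precondition X >= 0 and Y > 0 violated"
    q = 0
    r = x
    while r >= y:
        assert loop_invariant(x, y, q, r)            # test 1 on the first pass
        r = r - y
        assert x == r + (q + 1) * y                  # {X = R + (Q + 1) * Y}
        q = q + 1
        assert body_result(x, y, q, r)               # what test 2 starts from
    assert postcondition(x, y, q, r)                 # test 3: strong enough
    return q, r

def check_invariant_tests(limit):
    """Exhaustively check the three tests for all X, Y, Q, R below limit."""
    for x in range(limit):
        for y in range(1, limit):
            q0, r0 = 0, x                            # state after Q <- 0; R <- X
            # Test 1: entry state plus the loop test R >= Y implies the invariant
            if r0 >= y and not loop_invariant(x, y, q0, r0):
                return False
            # Zero iterations: entry state plus R < Y must already give the postcondition
            if r0 < y and not postcondition(x, y, q0, r0):
                return False
            for q in range(limit):
                for r in range(limit):
                    # Test 2: invariant -> body result, and body result + R >= Y -> invariant
                    if loop_invariant(x, y, q, r) and not body_result(x, y, q + 1, r - y):
                        return False
                    if body_result(x, y, q, r) and r >= y and not loop_invariant(x, y, q, r):
                        return False
                    # Test 3: body result + R < Y -> program postcondition
                    if body_result(x, y, q, r) and r < y and not postcondition(x, y, q, r):
                        return False
    return True
```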
Summary of Example
• Preconditions for successful execution
• Postconditions
• Examination of all possible paths
• Assignment
• Conditionals
• Loop
- Invariant
- First execution
- Induction
- Strong enough
Step 2
• Provide a convincing argument, in English, that this is so