

  1. Introduction to Functional Programming
     John Harrison, University of Cambridge
     Lecture 5: Proving Programs Correct
     Topics covered:
     - The correctness problem
     - Testing and verification
     - Termination and totality
     - Exponential and gcd
     - Appending and reversing
     John Harrison, University of Cambridge, 23 January 1998

  2. The correctness problem
     Programs are written to perform some particular task. However, it is often very hard to write a program that performs its intended function, as programmers know well.
     In practice, most large programs have `bugs'. Some bugs are harmless, others merely irritating. They can cause financial and public relations disasters (e.g. the Pentium FDIV bug). In some situations bugs can be deadly.
     Peter Neumann: `Computer Related Risks'.

  3. Dangerous bugs
     Some situations where bugs can be deadly include:
     - Heart pacemakers
     - Aircraft autopilots
     - Car engine management systems and antilock braking systems
     - Radiation therapy machines
     - Nuclear reactor controllers
     These applications are said to be safety critical.

  4. Testing and verification
     One good way to track down bugs is through extensive testing. But usually there are too many possible situations to try them all exhaustively, so there may still be bugs lying undetected. Program testing can be very useful for demonstrating the presence of bugs, but it is only in a few unusual cases that it can demonstrate their absence.
     An alternative is verification, where we try to prove that a program behaves as required. Consider ordinary mathematical theorems, like
       $\sum_{n=0}^{N} n = \frac{N(N+1)}{2}$
     We can test this for many particular values of N, but it is easier and more satisfactory simply to prove it (e.g. by induction).

  5. The limits of verification
     The enterprise of verification can be represented by this diagram:
       Actual requirements
               ↑
       Mathematical specification
               ↑
       Mathematical model
               ↑
       Actual system
     It is only the central link that is mathematically precise. The others are still informal; all we can do is try to keep them small.

  6. Verifying functional programs
     We suggested earlier that functional programs might be easier to reason about formally, because they correspond directly to the mathematical functions that they represent. This is arguable, but at least we will try to show that reasoning about some simple functional programs is straightforward.
     We need to remember that, in general, functional programs are partial functions. Sometimes we need a separate argument to establish termination.
     Often, the proofs proceed by induction, paralleling the definition of the functions involved by recursion.

  7. Exponentiation (1)
     Recall the following simple definition of natural number exponentiation:
       - fun exp x n = if n = 0 then 1 else x * exp x (n - 1);
     We will prove that this satisfies the following specification:
       For all $n \ge 0$ and x, exp x n terminates and $\mathtt{exp}\,x\,n = x^n$.
     (The restriction $n \ge 0$ is essential: for negative n the recursion never reaches the base case n = 0, so the ML function is only partial.)
     The function is defined by (primitive) recursion. The proof is by (step-by-step, mathematical) induction.

  8. Exponentiation (2)
     - If n = 0, then by definition exp x n = 1. Since $x^0 = 1$ for any integer x, the desired fact is established.
     - Suppose we know $\mathtt{exp}\,x\,n = x^n$. Because $n \ge 0$, we also know $n + 1 \ne 0$. Therefore:
         $\mathtt{exp}\,x\,(n+1) = x \cdot \mathtt{exp}\,x\,((n+1)-1) = x \cdot \mathtt{exp}\,x\,n = x \cdot x^n = x^{n+1}$
       Q.E.D.
     Note that we assume $0^0 = 1$, an example of how one must state the specification precisely!

  9. Greatest common divisor (1)
     We define a function to calculate the gcd of two integers using Euclid's algorithm.
       - fun gcd x y = if y = 0 then x else gcd y (x mod y);
     We want to prove:
       For any integers x and y, gcd x y terminates and returns a gcd of x and y.
     Here we need to be even more careful about the specification. What is a gcd of two negative numbers?

  10. Greatest common divisor (2)
      We write $x \mid y$, pronounced `x divides y', to mean that y is an integral multiple of x, i.e. there is some integer d with $y = dx$.
      We say that d is a common divisor of x and y if $d \mid x$ and $d \mid y$.
      We say that d is a greatest common divisor if:
      - We have $d \mid x$ and $d \mid y$
      - For any other integer $d'$, if $d' \mid x$ and $d' \mid y$ then $d' \mid d$.
      Note that unless x and y are both zero, we do not specify the sign of the gcd. The specification does not constrain the implementation completely.

  11. Greatest common divisor (3)
      Now we come to the proof. The gcd function is no longer defined by primitive recursion. In fact, gcd x y is defined in terms of gcd y (x mod y) in the step case.
      We do not, therefore, proceed by step-by-step mathematical induction, but by wellfounded induction on $|y|$. The idea is that this quantity (often called a measure) decreases with each call. We can use it to prove termination, and as a handle for wellfounded induction.
      In complicated recursions, finding the right wellfounded ordering on the arguments can be tricky. But in many cases one can use this simple `measure' approach.

  12. Greatest common divisor (4)
      Now we come to the proof. Fix some arbitrary n. We suppose that the theorem is established for all arguments x and y with $|y| < n$, and we try to prove it for all x and y with $|y| = n$. There are two cases.
      First, suppose that y = 0. Then gcd x y = x by definition. Now trivially $x \mid x$ and $x \mid 0$, so it is a common divisor. Suppose d is another common divisor, i.e. $d \mid x$ and $d \mid 0$. Then immediately we get $d \mid x$, so x is a greatest common divisor.
      This establishes the first part of the induction proof.

  13. Greatest common divisor (5)
      Now suppose $y \ne 0$. We want to apply the inductive hypothesis to gcd y (x mod y). We will write $r = x \bmod y$ for short. The basic property of the mod function that we use is that, since $y \ne 0$, for some integer q we have $x = qy + r$ and $|r| < |y|$.
      Since $|r| < |y|$, the inductive hypothesis tells us that d = gcd y (x mod y) is a gcd of y and r. We just need to show that it is a gcd of x and y.
      It is certainly a common divisor, since if $d \mid y$ and $d \mid r$ we have $d \mid x$, as $x = qy + r$.
      Now suppose $d' \mid x$ and $d' \mid y$. By the same equation (rearranged as $r = x - qy$), we find that $d' \mid r$. Thus $d'$ is a common divisor of y and r, but then by the inductive hypothesis, $d' \mid d$ as required.
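The following is an added example, not code from Harrison's lecture: the ML definitions of exp (slides 7-8) and gcd (slides 9-13) transliterated to Python, next to executable versions of the two specifications so that the "testing" side of slide 4 can be tried against the "verification" side. Python's % floors exactly as SML's mod does (the remainder takes the sign of the divisor), so x % y below is the lecture's x mod y. Every function and variable name other than exp and gcd (exp_total, gcd_measured, mod_property, divides, is_gcd, check_specs) is this example's own choice. The gcd_measured function records the measure |y| of slide 11 on every call and fails if it ever stops decreasing; is_gcd is slide 10's definition written out, including the sign-agnostic and both-zero corner cases; check_specs exhaustively checks both specifications over a finite range of integers, including negative ones.

```python
"""Added example (not part of the lecture): exp and gcd from the slides,
with their specifications as executable checks.  Python's % floors like
SML's mod (remainder has the sign of the divisor), so x % y == x mod y."""


def exp(x: int, n: int) -> int:
    """Slide 7: fun exp x n = if n = 0 then 1 else x * exp x (n - 1);
    For n < 0 the recursion never reaches n = 0, so the function is partial,
    which is why the specification is stated only for n >= 0."""
    return 1 if n == 0 else x * exp(x, n - 1)


def exp_total(x: int, n: int) -> int:
    """The same function with its domain made explicit: the unstated
    precondition becomes a checked one instead of unbounded recursion."""
    if n < 0:
        raise ValueError("exp is specified only for n >= 0")
    return exp(x, n)


def gcd(x: int, y: int) -> int:
    """Slide 9: fun gcd x y = if y = 0 then x else gcd y (x mod y);"""
    return x if y == 0 else gcd(y, x % y)


def gcd_measured(x: int, y: int) -> tuple[int, list[int]]:
    """gcd again, unrolled into a loop (the ML call is a tail call) and
    instrumented with the measure |y| of slide 11: it records |y| at every
    call and fails loudly if the measure ever fails to decrease strictly,
    i.e. if the termination argument were violated on this input."""
    trace = [abs(y)]
    while y != 0:
        x, y = y, x % y
        if abs(y) >= trace[-1]:
            raise AssertionError(f"measure did not decrease: {trace + [abs(y)]}")
        trace.append(abs(y))
    return x, trace


def mod_property(x: int, y: int) -> bool:
    """Slide 13's only fact about mod: for y != 0 there is an integer q with
    x = q*y + r and |r| < |y|, where r = x mod y."""
    if y == 0:
        return False
    q, r = divmod(x, y)
    return x == q * y + r and abs(r) < abs(y)


def divides(d: int, y: int) -> bool:
    """Slide 10: d | y iff y = k*d for some integer k.  Note the corner cases
    this definition forces: every d divides 0, and 0 divides only 0."""
    if d == 0:
        return y == 0
    return y % d == 0


def is_gcd(d: int, x: int, y: int) -> bool:
    """Slide 10's specification of 'd is a gcd of x and y': d is a common
    divisor and every other common divisor d' divides d.  The sign of d is
    deliberately left open, so both 6 and -6 are gcds of 12 and 18."""
    if not (divides(d, x) and divides(d, y)):
        return False
    if x == 0 and y == 0:
        # every integer is a common divisor of 0 and 0, and the only integer
        # divisible by all of them is 0
        return d == 0
    # a nonzero divisor of a nonzero integer is no larger in magnitude than
    # that integer, so this finite range of candidate d' is exhaustive
    bound = max(abs(x), abs(y))
    return all(divides(dd, d)
               for dd in range(-bound, bound + 1)
               if divides(dd, x) and divides(dd, y))


def check_specs(bound: int) -> dict:
    """The testing side of slide 4: exhaustively check both specifications
    for all |x|, |y|, n <= bound.  This can only reveal bugs inside the
    range; the induction proofs on slides 8 and 12-13 cover every integer."""
    rng = range(-bound, bound + 1)
    exp_ok = all(exp(x, n) == x ** n for x in rng for n in range(bound + 1))
    gcd_ok, longest = True, 0
    for x in rng:
        for y in rng:
            d, trace = gcd_measured(x, y)
            gcd_ok = gcd_ok and d == gcd(x, y) and is_gcd(d, x, y)
            gcd_ok = gcd_ok and (y == 0 or mod_property(x, y))
            longest = max(longest, len(trace))
    return {"exp_ok": exp_ok, "gcd_ok": gcd_ok,
            "pairs": len(rng) ** 2, "longest_trace": longest}


if __name__ == "__main__":
    print(check_specs(6))
```

Running check_specs(6) exercises 169 (x, y) pairs, among them gcd(-4, -6) = -2 and gcd(0, -5) = -5: both satisfy is_gcd, which is the point of slide 10's remark that the sign of the result is not constrained. The exhaustive check passes for any bound, but it is still only evidence; the proof on slides 12-13 is what rules out a counterexample outside the range tested.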
