Lecture 3: Abstraction by Specification
CS201j: Engineering Software, University of Virginia, Computer Science
David Evans, http://www.cs.virginia.edu/evans
4 September 2003, CS 201J Fall 2003

Slide 2: Menu
- Validation
- Abstraction by Specification

Slide 3: Testing Recap
- Testing can find problems, but it can't prove your program works.
- Since exhaustive testing is impossible, select test cases with the maximum probability of finding bugs.
- A successful test case is one that reveals a bug in your program.
- If we can't test all possible paths through a program, how can we increase our confidence that it works?

Slide 4: Analysis
- Make claims about all possible paths by examining the program code directly, not by executing it.
- Use the formal semantics of the programming language to know what things mean.
- Use formal specifications of procedures to know what they do.

Slide 5: Hopelessness of Analysis
- It is impossible to correctly determine whether any interesting property is true for an arbitrary program (Rice's theorem).
- The Halting Problem: it is impossible to write a program that determines whether an arbitrary program halts.

Slide 6: Compromises
- Accept unsoundness and incompleteness.
- False positives: sometimes an analysis tool will report warnings for a program when the program is actually okay. This is incompleteness: a complete checker never raises a spurious warning.
- False negatives: sometimes an analysis tool will report no warnings for a program even when the program violates the properties it checks. This is unsoundness: a sound checker never misses a violation.

Slide 7: Extended Static Checking (ESC/Java)
- Analysis tool developed at the DEC/Compaq/HP Research Lab.
- It is unsound and incomplete:
  - False negatives: just because it finds no warnings doesn't mean your code is correct.
  - False positives: sometimes it will warn even when your code is correct.
- PS2: use it without adding annotations.
- Later: use annotations to document program assumptions.

Slide 8: Abstraction by Specification

Slide 9: Managing Complexity
- Divide problem
  into subproblems that:
  - can be solved independently;
  - can be combined to solve the original problem.
- How do we know they can be solved independently?
- How do we know they can be combined to solve the original problem?

Slide 10: Abstraction
[Figure: implementations I1, I2, I3, I4 and I5 all map to the single abstraction A]
- An abstraction is a many-to-one map.

Slide 11: Using Abstractions
[Figure: a client uses abstraction A, which may be provided by any of the implementations I1 to I5]
- When a client uses an abstraction, it should work as the client expects it to, no matter which implementation is provided.
- How should the client know what to expect?

Slide 12: Specification
- Tells the client of an abstraction what she can expect it to do.
- Tells the implementer of an abstraction what the implementation must do to satisfy the client.
- A contract between client and implementer:
  - The client will only rely on behavior described by the specification.
  - The implementer will provide an implementation that satisfies the specification.

Slide 13: Good Specifications
- Clear, precise and unambiguous: clients and implementers will agree on what they mean.
- Complete: describe the behavior of the abstraction in all situations.
- Declarative: describe what the abstraction should do, not how it should do it.

Slide 14: Formality of Specifications
- Informal: written in a natural language (e.g. English). People can disagree on what it means. There are degrees of informality.
- Formal: written in a specification language. Meaning is defined by the specification language, whose meaning is defined precisely (but eventually informally). May be analyzed by machines.

Slide 15: What do you call people who decide what informal specifications mean?

Slide 16: Example Informal Specification
"Excessive bail shall not be required, nor excessive fines imposed, nor cruel and unusual punishments inflicted." (8th Amendment)

Slide 17: Correct Implementation
    public static boolean violatesEighthAmendment(Punishment p) {
        // EFFECTS: Returns true if p violates the 8th amendment
        //   (cruel and unusual punishments)
        return p.isCruel() && p.isUnusual();
    }
Or did they mean p.isCruel() || p.isUnusual()?

Slide 18: Example Good Informal Specification
Offside position: A player is in an offside position if he is nearer to his opponents' goal line than both the ball and the second last opponent. A player is not in an offside position if he is in his own half of the field of play, or he is level with the second last opponent, or he is level with the last two opponents.
Offence: A player in an offside position is only penalised if, at the moment the ball touches or is played by one of his team, he is, in the opinion of the referee, involved in active play by interfering with play, or interfering with an opponent, or gaining an advantage by being in that position.
No Offence: There is no offside offence if a player receives the ball directly from a goal kick, or a throw-in, or a corner kick.
(http://www.fifa.com/fifa/handbook/laws/2002/LOTG2002_E.pdf, Law 11)

Slide 19: Procedural Specifications
A specification for a procedure describes:
- what its inputs are;
- what the mapping between inputs and outputs is;
- what it can do to the state of the world.

Slide 20: Requires and Effects
- Header: name of the procedure, types of the parameters and return value (the Java declaration).
- Clauses (comments in Java):
  - REQUIRES: the precondition; the client must satisfy it before calling.
  - EFFECTS: the postcondition; the implementation must satisfy it at return.

Slide 21: Contract
- The client promises to satisfy the precondition in the requires clause.
- The implementer promises: if the client satisfies the precondition, the return value and the state when the function returns will satisfy the postcondition.

Slide 22: Specification Contract
    f
      // REQUIRES: precondition
      // EFFECTS: postcondition

    {precondition} f {postcondition}

If the precondition is true before we call f, then after we call f the postcondition is true.
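The unsound-and-incomplete trade-off of slides 6 and 7 is easiest to see on a toy checker. What follows is an added example, not code from the lecture or from ESC/Java: a syntactic divide-by-zero checker over Python source built on the standard `ast` module. It treats a divisor as safe only while inside an `if NAME != 0:` test, a deliberate approximation; the class name `DivChecker`, the function `check_divisions` and the four sample programs are constructed for this illustration.

```python
# Added example (not from the lecture): a deliberately approximate static
# checker that warns about division by a variable not guarded by an
# enclosing `if NAME != 0:` test. Like ESC/Java it is unsound (it can miss
# real errors) and incomplete (it can warn about correct code).
import ast


class DivChecker(ast.NodeVisitor):
    """Syntactic check: a divisor is 'safe' only while inside `if name != 0:`."""

    def __init__(self):
        self.guarded = set()   # names currently guarded by a `!= 0` test
        self.warnings = []     # (line, divisor name) pairs

    @staticmethod
    def _guarded_name(test):
        # Recognise exactly `NAME != 0`; any other test counts as no guard.
        if (isinstance(test, ast.Compare) and isinstance(test.left, ast.Name)
                and len(test.ops) == 1 and isinstance(test.ops[0], ast.NotEq)
                and isinstance(test.comparators[0], ast.Constant)
                and test.comparators[0].value == 0):
            return test.left.id
        return None

    def visit_If(self, node):
        name = self._guarded_name(node.test)
        if name is not None:
            self.guarded.add(name)
        for stmt in node.body:
            self.visit(stmt)
        if name is not None:
            self.guarded.discard(name)
        for stmt in node.orelse:      # the guard does not hold in the else branch
            self.visit(stmt)

    def visit_BinOp(self, node):
        divisor = node.right
        if (isinstance(node.op, (ast.Div, ast.FloorDiv, ast.Mod))
                and isinstance(divisor, ast.Name)
                and divisor.id not in self.guarded):
            self.warnings.append((node.lineno, divisor.id))
        self.generic_visit(node)


def check_divisions(source: str):
    """Return the list of (line, divisor) warnings for a Python source string."""
    checker = DivChecker()
    checker.visit(ast.parse(source))
    return checker.warnings


# Four constructed sample programs (assumed inputs, not from the lecture).
TRUE_NEGATIVE = "if d != 0:\n    r = n / d\n"              # safe, no warning
TRUE_POSITIVE = "r = n / d\n"                               # unsafe, warned
FALSE_POSITIVE = "if d > 0:\n    r = n / d\n"               # safe, but warned (incomplete)
FALSE_NEGATIVE = "if d != 0:\n    d = 0\n    r = n / d\n"   # unsafe, but silent (unsound)


if __name__ == "__main__":
    cases = [("true negative", TRUE_NEGATIVE), ("true positive", TRUE_POSITIVE),
             ("false positive", FALSE_POSITIVE), ("false negative", FALSE_NEGATIVE)]
    for label, program in cases:
        print(f"{label:15s} -> {check_divisions(program)}")
```

The third program is safe (`d > 0` implies `d != 0`) yet gets a warning, and the fourth divides by zero yet gets none, because the guard is matched by shape rather than by meaning. Real checkers fail in the same two ways: a sanitizer recognised syntactically is always an approximation, which is why an empty warning list is not evidence of safety, and why spurious warnings get tools switched off.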
Slide 23: Specification Example
    public String bestStock()
      // REQUIRES: false
      // EFFECTS: Returns the name of the best stock to buy on the NASDAQ tomorrow.
- Can we implement a procedure that satisfies this specification?
- Yes: any implementation will satisfy this specification. If the precondition in the requires clause is not satisfied, the procedure can do anything and still satisfy its specification.

Slide 24: Specification Example
    public String bestStock()
      // REQUIRES: true
      // EFFECTS: Returns the name of
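Slides 20 to 23 read directly as code. The following is an added example, not the lecture's own code: the same REQUIRES / EFFECTS clauses written as comments on small Python procedures, together with a check of what the contract actually promises when a client breaks it. The functions `max_index`, `max_index_total`, `best_stock`, `meets_effects` and `rejects_empty` are hypothetical names chosen for this illustration.

```python
# Added example (not from the lecture): REQUIRES / EFFECTS clauses as
# comments, and what the contract does and does not promise a client.
from typing import Sequence


def max_index(a: Sequence[int]) -> int:
    # REQUIRES: a is non-empty
    # EFFECTS: returns an index i such that a[i] >= a[j] for every j
    # The client promised a is non-empty, so the implementer does not check.
    best = 0
    for i in range(1, len(a)):
        if a[i] > a[best]:
            best = i
    return best


def max_index_total(a: Sequence[int]) -> int:
    # REQUIRES: true
    # EFFECTS: raises ValueError if a is empty; otherwise returns an index i
    #          such that a[i] >= a[j] for every j
    # Weaker precondition: the check moves from the client into the callee,
    # which is what you want when the argument comes from untrusted input.
    if len(a) == 0:
        raise ValueError("max_index_total: empty sequence")
    return max_index(a)


def best_stock() -> str:
    # REQUIRES: false
    # EFFECTS: returns the name of the best stock to buy tomorrow
    # No call can satisfy `false`, so every body satisfies this spec
    # (the constant below is an arbitrary placeholder, not a real ticker).
    return "anything"


def meets_effects(a: Sequence[int], i: int) -> bool:
    """Does index i satisfy the EFFECTS clause of max_index for input a?"""
    return 0 <= i < len(a) and all(a[i] >= x for x in a)


def rejects_empty() -> bool:
    """True if max_index_total enforces its EFFECTS clause on empty input."""
    try:
        max_index_total([])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    data = [3, 9, 2, 9]
    i = max_index(data)
    print("within contract:", i, meets_effects(data, i))
    # Client breaks REQUIRES: max_index([]) happens to return 0, an index
    # that does not exist. The spec permits this; it is not a bug in max_index.
    j = max_index([])
    print("outside contract:", j, meets_effects([], j))
    print("total version rejects []:", rejects_empty())
```

Run on the sample list, `max_index` returns 1 and the postcondition holds; run on `[]`, it silently returns 0, an index that does not exist, and the specification is still satisfied, because the client broke the requires clause. A REQUIRES clause is therefore a trust assumption: wherever a procedure with a non-trivial precondition is reachable from untrusted data, either the caller validates or the precondition has to be weakened as in `max_index_total`. The phrase "the procedure can do anything" is the same clause that, in a language without bounds checks, turns a violated length precondition into memory corruption.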