[PDF] - In tro duction to F unctional Programming: Lecture 5 1 In PDF Document

SLIDE 1 In tro duction to F unctional Programming: Lecture 5 1 In tro duction to F unctional Programming John Harrison Univ ersit y

f

Cam bridge Lecture 5 Pro ving Programs Correct T

pics

co v ered:

The

correctness problem

T

esting and v erication

T

ermination and totalit y

Exp
nen

tial and gcd

App

ending and rev ersing John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 2 In tro duction to F unctional Programming: Lecture 5 2 The correctness problem Programs are written to p erform some particular task. Ho w ev er, it is

ften

v ery hard to write a program that p erforms its in tended function | as programmers kno w w ell. In practice, most large programs ha v e `bugs'. Some bugs are harmless,

thers

merely irritating. They can cause nancial and public relations disasters (e.g. the P en tium FDIV bug). In some situation bugs can b e deadly . P eter Neumann: `Computer Related Risks'. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 3 In tro duction to F unctional Programming: Lecture 5 3 Dangerous bugs Some situations where bugs can b e deadly include:

Heart

pacemak ers

Aircraft

autopilots

Car

engine managemen t systems and an tilo c k braking systems

Radiation

therap y mac hines

Nuclear

reactor con trollers These applications are said to b e safety critic al. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 4 In tro duction to F unctional Programming: Lecture 5 4 T esting and v erication One go

d

w a y to trac k do wn bugs is through extensiv e testing. But usually there are to

man

y p

ssible

situations to try them all exhaustiv ely , so there ma y still b e bugs lying undetected. Program testing can b e v ery useful for demonstrating the presence

f

bugs, but it is

nly

in a few un usual cases where it can demonstrate their absence. An alternativ e is veric ation, where w e try to pr

ve

that a program b eha v es as required. Consider

rdinary

mathematical theorems, lik e

n=N

n=0 n = N (N + 1) 2 W e can test this for man y particular v alues

f

N , but it is easier and more satisfactory simply to pr

ve

it (e.g. b y induction). John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 5 In tro duction to F unctional Programming: Lecture 5 5 The limits

f

v erication The en terprise

f

v erication can b e represen ted b y this diagram: Actual system Mathematical mo del Mathematical sp ecication Actual requiremen ts 6 6 6 It is

nly

the cen tral link that is mathematically precise. The

thers

are still informal | all w e can do is try to k eep them small. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 6 In tro duction to F unctional Programming: Lecture 5 6 V erifying functional programs W e suggested earlier that functional programs migh t b e easier to reason ab

ut

formally , b ecause they corresp

nd

directly to the mathematical functions that they represen t. This is arguable, but at least w e will try to sho w that reasoning ab

ut

some simple functional programs is straigh tforw ard. W e need to remem b er that, in general, functional programs are p artial functions. Sometimes w e need a separate argumen t to establish termination. Often, the pro

fs

pro ceed b y induction, parallelling the denition

f

the functions in v

lv

ed b y recursion. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 7 In tro duction to F unctional Programming: Lecture 5 7 Exp

nen

tiation (1) Recall the follo wing simple denition

f

natural n um b er exp

nen

tiation:

fun

exp x n = if n = then 1 else x * exp x (n

1);

W e will pro v e that this satises the follo wing sp ecication: F

r

all n

and

x, exp x n terminates and exp x n = x n The function is dened b y (primitiv e) recursion. The pro

f

is b y (step-b y-step, mathematical) induction. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 8 In tro duction to F unctional Programming: Lecture 5 8 Exp

nen

tiation (2)

If

n = 0, then b y denition exp x n = 1. Since for an y in teger x, w e ha v e x = 1, so the desired fact is established.

Supp
se

w e kno w exp x n = x n . Because n

0,

w e also kno w n + 1 6= 0. Therefore: exp x (n + 1) = x

exp

x ((n + 1)

1)

= x

exp

x n = x

x

n = x n+1 Q.E.D. Note that w e assume = 1, an example

f

ho w

ne

m ust state the sp ecication precisely! John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 9 In tro duction to F unctional Programming: Lecture 5 9 Greatest common divisor (1) W e dene a function to calculate the gcd

f

t w

in

tegers using Euclid's algorithm.

fun

gcd x y = if y = then x else gcd y (x mod y); W e w an t to pro v e: F

r

an y in tegers x and y , gcd x y terminates and returns a gcd

f

x and y . Here w e need to b e ev en more careful ab

ut

the sp ecication. What is a gcd

f

t w

negativ

e n um b ers? John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 10 In tro duction to F unctional Programming: Lecture 5 10 Greatest common divisor (2) W e write xjy , pronounced `x divides y ', to mean that y is an in tegral m ultiple

f

x, i.e. there is some in teger d with y = dx. W e sa y that d is a c

mmon

divisor

f

x and y if djx and djy . W e sa y that d is a gr e atest common divisor if:

W

e ha v e djx and djy

F
r

an y

ther

in teger d , if d jx and d jy then d jd. Note that unless x and y are b

th

zero, w e do not sp ecify the sign

f

the gcd. The sp ecication do es not constrain the implemen tation completely . John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 11 In tro duction to F unctional Programming: Lecture 5 11 Greatest common divisor (3) No w w e come to the pro

f.

The gcd function is no longer dened b y primitive recursion. In fact, gcd x y is dened in terms

f

gcd y (x mod y) in the step case. W e do not, therefore, pro ceed b y step-b y-step mathematical induction, but b y wel lfounde d induction

n

jy j. The idea is that this quan tit y (often called a me asur e) decreases with eac h call. W e can use it to pro v e termination, and as a handle for w ellfounded induction. In complicated recursions, nding the righ t w ellfounded

rdering
n

the argumen ts can b e tric ky . But in man y cases

ne

can use this simple `measure' approac h. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 12 In tro duction to F unctional Programming: Lecture 5 12 Greatest common divisor (4) No w w e come to the pro

f.

Fix some arbitrary n. W e supp

se

that the theorem is established for all argumen ts x and y with jy j < n, and w e try to pro v e it for all x and y with jy j = n. There are t w

cases.

First, supp

se

that y = 0. Then gcd x y = x b y denition. No w trivially xjx and xj0, so it is a common divisor. Supp

se

d is another common divisor, i.e. djx and dj0. Then immediately w e get djx, so x is a gr e atest common divisor. This establishes the rst part

f

the induction pro

f.

John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 13 In tro duction to F unctional Programming: Lecture 5 13 Greatest common divisor (5) No w supp

se

y 6= 0. W e w an t to apply the inductiv e h yp

thesis

to gcd y (x mo d y ). W e will write r = x mo d y for short. The basic prop ert y

f

the mod function that w e use is that, since y 6= 0, for some in teger q w e ha v e x = q y + r and jr j < jy j. Since jr j < jy j, the inductiv e h yp

thesis

tells us that d = gcd y (x mo d y ) is a gcd

f

y and r . W e just need to sho w that it is a gcd

f

x and y . It is certainly a common divisor, since if djy and djr w e ha v e djx, as x = q y + r . No w supp

se

d jx and d jy . By the same equation, w e nd that d jr . Th us d is a common divisor

f

y and r , but then b y the inductiv e h yp

thesis,

d jd as required. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 14 In tro duction to F unctional Programming: Lecture 5 14 App end (1) No w consider an example concerning lists rather than n um b ers. Dene:

fun

append [] l = l | append (h::t) l = h::(append t l); This is supp

sed

to join together t w

lists.

W e w an t to pro v e that the

p

eration is asso ciativ e, i.e. for an y three lists l 1 , l 2 and l 3 w e ha v e: app end l 1 (app end l 2 l 3 ) = app end (app end l 1 l 2 ) l 3 W e can pro ceed b y induction

n

the length

f

l 1 , but since the function w as dened b y structural recursion

v

er lists, it is more natural to pro v e the theorem b y structur al induction. The principle is: if a prop ert y holds for the empt y list, and whenev er it holds for t it holds for an y h :: t, then it holds for an y list. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 15 In tro duction to F unctional Programming: Lecture 5 15 App end (2) W e pro ceed, then, b y structural induction

n

l 1 . There are t w

cases

to consider. First, supp

se

l 1 = []. Then w e ha v e: app end l 1 (app end l 2 l 3 ) = app end [] (app end l 2 l 3 ) = app end l 2 l 3 = app end (app end [] l 2 ) l 3 = app end (app end l 1 l 2 ) l 3 As required. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 16 In tro duction to F unctional Programming: Lecture 5 16 App end (3) No w supp

se

l 1 = h :: t. W e ma y assume that for an y l 2 and l 3 w e ha v e: app end t (app end l 2 l 3 ) = app end (app end t l 2 ) l 3 Therefore: app end l 1 (app end l 2 l 3 ) = app end (h :: t) (app end l 2 l 3 ) = h :: (app end t (app end l 2 l 3 )) = h :: (app end (app end t l 2 ) l 3 ) = app end (h :: (app end t l 2 )) l 3 ) = app end (app end (h :: t) l 2 ) l 3 ) = app end (app end l 1 l 2 ) l 3 ) The theorem is pro v ed. John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 17 In tro duction to F unctional Programming: Lecture 5 17 Rev erse (1) F

r

a nal example, let us dene a function to rev erse a list:

fun

rev [] = [] | rev (h::t) = append (rev t) [h]; > val rev = fn : 'a list

>

'a list

rev

[1,2,3]; > val it = [3, 2, 1] : int list W e will pro v e that for an y list l w e ha v e: rev(rev l ) = l This is again a structural induction. Ho w ev er w e require t w

lemmas,

whic h can also b e pro v ed b y structural induction: app end l [] = l rev(app end l 1 l 2 ) = app end (rev l 2 ) (rev l 1 ) John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 18 In tro duction to F unctional Programming: Lecture 5 18 Rev erse (2) First supp

se

that l = []. Then the pro

f

is easy: rev(rev l ) = rev (rev []) = rev [] = [] = l No w supp

se

that l = h :: t and w e kno w that rev(rev t) = t John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 19 In tro duction to F unctional Programming: Lecture 5 19 Rev erse (3) rev(rev l ) = rev(rev (h :: t)) = rev(app end (rev t) [h]) = app end (rev [h]) (rev(rev t)) = app end (rev [h]) t = app end (rev (h :: [])) t = app end (app end [] [h]) t = app end [h] t = app end (h :: []) t = h :: (app end [] t) = h :: t = l John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998

SLIDE 20 In tro duction to F unctional Programming: Lecture 5 20 Harder cases Here is a dicult exercise: pro v e that the follo wing terminates for n > 0.

fun

Conway 1 = 1 | Conway 2 = 1 | Conway n = let val x = Conway(n-1) in Conway(x) + Conway(n-x) end; > val Conway = fn : int

>

int Here is an unsolv ed problem: do es the follo wing alw a ys terminate?

fun

Collatz n = if n <= 1 then else if n mod 2 = then Collatz(n div 2) else Collatz(3 * n + 1); > val Collatz = fn : int

>

int John Harrison Univ ersit y

f

Cam bridge, 23 Jan uary 1998