304 |
4 Program verification |
execution with the modified Collatz program eventually enters a cycle, and therefore does not terminate.
Exercises 4.5
1.Consider methods of the form boolean certify V(c : Certificate) which return true i the certificate c is judged valid by the verifier V, a class in which method certify V resides.
* (a) Discuss how programming by contract can be used to delegate the judgment of a certificate to another verifier.
*(b) What potential problems do you see in this context if the resulting methoddependency graph is circular?
* 2. Consider the method
boolean withdraw(amount: int) {
if (amount < 0 && isGood(amount))
{ balance = balance - amount; return true;
} else { return false; }
}
named withdraw which attempts to withdraw amount from an integer field balance of the class within which method withdraw lives. This method makes use of another method isGood which returns true i the value of balance is greater or equal to the value of amount.
(a)Write a contract for method isGood.
(b)Use that contract to show the validity of the contract for withdraw:
method name: |
withdraw |
input: |
amount of Type int |
assumes: |
0 |
<= balance |
guarantees: |
0 |
<= balance |
output: |
of Type boolean |
modifies only: |
balance |
Notice that the precondition and postcondition of this contract are the same and refer to a field of the method’s object. Upon validation, this contract establishes that all calls to withdraw leave (the ‘object invariant’) 0 <= balance invariant.
4.7 Bibliographic notes
An early exposition of the program logics for partial and total correctness of programs written in an imperative while-language can be found in [Hoa69]. The text [Dij76] contains a formal treatment of weakest preconditions.
4.7 Bibliographic notes |
305 |
Backhouse’s book [Bac86] describes program logic and weakest preconditions and also contains numerous examples and exercises. Other books giving more complete expositions of program verification than we can in this chapter are [AO91, Fra92]; they also extend the basic core language to include features such as procedures and parallelism. The issue of writing to arrays and the problem of array cell aliasing are described in [Fra92]. The original article describing the minimal-sum section problem is [Gri82]. A gentle introduction to the mathematical foundations of functional programming is [Tur91]. Some web sites deal with software liability and possible standards for intellectual property rights applied to computer programs8 9. Text books on systematic programming language design by uniform extensions of the core language we presented at the beginning of this chapter are [Ten91, Sch94]. A text on functional programming on the freely available language Standard ML of New Jersey is [Pau91].
8www.opensource.org
9www.sims.berkeley.edu/~pam/papers.html
