
This is homework, but I just cannot get my head around this whole business of writing formal proofs. Could anyone crack this and write a formal proof for the postcondition of this function:

string REPLACE_BY (string s,char c,char d)

postcondition The returned value is the string formed from s by replacing every occurrence of c by d (and otherwise leaving s unchanged).

  • maybe.. this belongs on cstheory.stackexchange.com? not sure? – gideon Mar 19 '11 at 10:13
  • @giddy: Nope. Cstheory is for research-level questions only. – sepp2k Mar 19 '11 at 10:43
  • Shouldn't every professional programmer be able to do such things? Isn't that part of a being programmer? – There is nothing we can do Mar 19 '11 at 10:45
  • I know you're having trouble wrapping your head around this proof business and all, but as a general rule, when trying to prove that a function meets a given post-condition, you start by looking at the function's definition... which you did not include in the question. – sepp2k Mar 19 '11 at 10:48
  • @sepp2k isn't the function declaration and the "worded" postcondition sufficient for this task (I wasn't given a definition at all, by the way)? Why would one need to see the guts of a function in order to be able to give a formal proof for the postcondition? – There is nothing we can do Mar 19 '11 at 10:53
  • @There: The declaration would only be sufficient if the postcondition followed from the type, which it does not. If the postcondition was "The returned value is a string." then clearly knowing the declaration would be enough, but in this case there are plenty of possible implementations for the given signature which do not meet the postcondition. If the assignment does not contain the definition, then defining the function (in a way which meets the postcondition) is probably part of the assignment. – sepp2k Mar 19 '11 at 10:59
  • @sepp2k and what is this (from the postcondition): The returned value is the string ... – There is nothing we can do Mar 19 '11 at 11:04
  • @There: The first part of a longer sentence? If all you want to prove is that the function will return a string, here's your proof: The function signature lists the return type as string, so the function returns a string. qed – sepp2k Mar 19 '11 at 11:05
  • @sepp2k formal proof as shown here: http://math.uncc.edu/~droyster/math3181/notes/hyprgeom/node18.html – There is nothing we can do Mar 19 '11 at 11:10
  • @There: Fine. The signature gives us the following axioms: A_1: The return type is string. A_2: The first argument type is string. A_3: The second argument type is char. A_4: The third argument type is char. We want to prove that the return type is string. S_1: The return type is string, by A_1. qed. – sepp2k Mar 19 '11 at 11:15
  • @sepp2k we don't want to prove that the return type is string, what we want to prove is this: The returned value is the string formed from s by replacing every occurrence of c by d (and otherwise leaving s unchanged). – There is nothing we can do Mar 19 '11 at 11:21
  • @There: My point exactly. What I told you is that the only thing that you can prove from the signature alone is that the return type is string. You then mentioned that the post condition actually starts with the return type being string, to which I replied that while that is true, that is only a (rather insignificant) part of the post condition and then gave a trivial and pointless proof of this part to demonstrate how useless it is to only prove the things that can be proven using the declaration. – sepp2k Mar 19 '11 at 11:25
  • @sepp2k could you please write this in formal form: The returned value is the string formed from s by replacing every occurrence of c by d (and otherwise leaving s unchanged). – There is nothing we can do Mar 19 '11 at 11:28
  • @sepp the worded postcondition says everything you need to know in order to write this proof formally. – There is nothing we can do Mar 19 '11 at 11:29
  • @There: No, I cannot. As I have already said, you can't prove that without the function's definition. If you could write such a proof without depending on the definition, this would imply that you could prove the post condition for any function with the given signature. Since clearly there are functions with the given signature which do not meet the post condition, it's not possible to prove this post condition while relying on the declaration alone. – sepp2k Mar 19 '11 at 11:31
  • ok here you have the def: for (int i = 0; i < s.size();++i){if (s[i] == c) {s[i] = d;}} return s; – There is nothing we can do Mar 19 '11 at 11:35
  • @sepp2k I take the silence on your part as meaning you don't have the faintest idea how to write it. – There is nothing we can do Mar 19 '11 at 11:59

1 Answer

In order to prove the correctness of the function (i.e. compliance with a post-condition if the input conforms to a given pre-condition), you need the function's implementation.

I will get you started by giving you the assumptions under which you will need to work, but leave the proof up to you since it's homework.

The assumptions are:

  1. that the method is defined as such:

    #include <string>

    // Same loop as in the question; s is a by-value copy, so the caller's
    // string (old(s) below) is never modified.
    std::string replace_by(std::string s, char c, char d) {
        for (int i = 0; i < s.size(); ++i) {
            if (s[i] == c) {
                s[i] = d;   // replace this occurrence of c by d
            }
        }
        return s;
    }
    
  2. that the precondition is s != null /\ s.size() < Integer.MAX_VALUE

  3. old(s) is used to refer to the value of s before entering the function

  4. that the formal specification of your postcondition given in prose is

    old(s) != null /\ s != null /\
    \-/i in 0..(old(s).size()-1): (
           ((old(s)[i] == old(c)) && (s[i] == old(d)))
        \/ ((old(s)[i] != old(c)) && (s[i] == old(s)[i]))
    )
    /\ old(s).size() == s.size()
    

    (\-/ is the logical for-all operator, \/ is 'or' and /\ is 'and')

With this, you should be able to build a proof based on Hoare logic.

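Added example, not part of the question or the answer: the answer's postcondition made executable in C++, together with a loop invariant (my own assumption; the answer deliberately does not give one) checked at the three Hoare-logic proof points of the loop: initialisation, preservation after each iteration, and the exit where the invariant collapses into the postcondition. The helper names `postcondition`, `invariant` and `replace_by_checked` are mine.

```cpp
#include <cassert>
#include <cstddef>
#include <string>

// Executable form of the answer's postcondition: same length as old(s), and
// at every position either (old c became d) or (old char != c and unchanged).
bool postcondition(const std::string& old_s, const std::string& result, char c, char d) {
    if (result.size() != old_s.size()) return false;
    for (std::size_t i = 0; i < old_s.size(); ++i) {
        bool hit  = (old_s[i] == c) && (result[i] == d);
        bool miss = (old_s[i] != c) && (result[i] == old_s[i]);
        if (!(hit || miss)) return false;
    }
    return true;
}

// Assumed loop invariant I(i): 0 <= i <= |old(s)|, |s| == |old(s)|,
// the prefix [0, i) already satisfies the postcondition clause, and the
// suffix [i, |old(s)|) is still identical to old(s).
bool invariant(const std::string& old_s, const std::string& s, char c, char d, std::size_t i) {
    if (i > old_s.size() || s.size() != old_s.size()) return false;
    for (std::size_t j = 0; j < i; ++j) {
        bool hit  = (old_s[j] == c) && (s[j] == d);
        bool miss = (old_s[j] != c) && (s[j] == old_s[j]);
        if (!(hit || miss)) return false;
    }
    for (std::size_t j = i; j < old_s.size(); ++j)
        if (s[j] != old_s[j]) return false;
    return true;
}

// The answer's function with the proof obligations checked at run time.
std::string replace_by_checked(std::string s, char c, char d) {
    const std::string old_s = s;               // old(s) in the answer's notation
    std::size_t i = 0;
    assert(invariant(old_s, s, c, d, i));      // initialisation: I(0) holds
    while (i < s.size()) {                     // guard: i < |old(s)|
        if (s[i] == c) s[i] = d;               // s[i] was old(s)[i] by I(i)
        ++i;
        assert(invariant(old_s, s, c, d, i));  // preservation: I(i+1) holds
    }
    // exit: i == |old(s)|, so I(i) is exactly the postcondition
    assert(postcondition(old_s, s, c, d));
    return s;
}
```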