4.3 SIMPLE INPUT OUTPUT PROGRAMS
4.3.1 Representing Specifications
[Figure 4.7 Properties of relations: total, surjective, deterministic, reflexive, symmetric, antisymmetric, partial ordering, total ordering.]
If one asks junior computer science (CS) students in a programming course to write a C++ function that reads a real number and computes its square root, they would rush immediately to their computers to write code and run it; and yet this problem statement, despite being simple and short, leaves many questions unanswered. Consider that this statement may be interpreted in a wide range of manners, leading to a wide range of possible specifications, where space S is defined to be the set of real numbers:
1. Only nonnegative arguments will be submitted; the output is a (positive or nonpositive) square root of the input value:
$$R_1 = \{(s,s') \mid s \ge 0 \wedge s'^2 = s\}$$
2. Only nonnegative arguments will be submitted; the output is the nonnegative square root of the input value:
$$R_2 = \{(s,s') \mid s \ge 0 \wedge s'^2 = s \wedge s' \ge 0\}$$
44 SOFTWARE SPECIFICATIONS
3. Only nonnegative arguments will be submitted; the output is an approximation (within a precision ε) of a (positive or nonpositive) square root of the input value:
$$R_3 = \{(s,s') \mid s \ge 0 \wedge |s'^2 - s| < \varepsilon\}$$
4. Only nonnegative arguments will be submitted; the output is an approximation (within a precision ε) of the nonnegative square root of the input value:
$$R_4 = \{(s,s') \mid s \ge 0 \wedge |s'^2 - s| < \varepsilon \wedge s' \ge 0\}$$
5. Negative arguments may also be submitted; for negative arguments, the output is −1; for nonnegative arguments, the output is a (positive or nonpositive) square root of the input value:
$$R_5 = \{(s,s') \mid s \ge 0 \wedge s'^2 = s\} \cup \{(s,s') \mid s < 0 \wedge s' = -1\}$$
6. Negative arguments may also be submitted; for negative arguments, the output is −1; for nonnegative arguments, the output is the nonnegative square root of the input value:
$$R_6 = \{(s,s') \mid s \ge 0 \wedge s'^2 = s \wedge s' \ge 0\} \cup \{(s,s') \mid s < 0 \wedge s' = -1\}$$
7. Negative arguments may also be submitted; for negative arguments, the output is arbitrary; for nonnegative arguments, the output is an approximation (within a precision ε) of a (positive or nonpositive) square root of the input value:
$$R_7 = \{(s,s') \mid s \ge 0 \wedge |s'^2 - s| < \varepsilon\} \cup \{(s,s') \mid s < 0\}$$
8. Negative arguments may also be submitted; for negative arguments, the output is arbitrary; for nonnegative arguments, the output is an approximation (within a precision ε) of the nonnegative square root of the input value:
$$R_8 = \{(s,s') \mid s \ge 0 \wedge |s'^2 - s| < \varepsilon \wedge s' \ge 0\} \cup \{(s,s') \mid s < 0\}$$
9. Only nonnegative arguments will be submitted; the output must be within ε of the exact square root of the input (compare with specification $R_4$: here the precision ε applies on the square root scale rather than on the square scale):
$$R_9 = \{(s,s') \mid s \ge 0 \wedge |s' - \sqrt{s}| < \varepsilon\}$$
We could go on and on. This simple example highlights two lessons: first, the importance of precision in specifying program requirements, and second, the premise that relations enable us to achieve the required precision.
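The nine square root specifications above, encoded as Python predicates so that candidate programs can be checked against them on sample inputs. This is an added example, not code from the text; the value of ε, the two candidate implementations and the sample inputs are constructed here.

```python
import math

EPS = 1e-6   # the precision epsilon of the text; value chosen for this example

# Each specification R_i is (domain predicate, relation predicate over (s, s')); t stands for s'.
SQRT_SPECS = {
    "R1": (lambda s: s >= 0, lambda s, t: s >= 0 and t * t == s),
    "R2": (lambda s: s >= 0, lambda s, t: s >= 0 and t * t == s and t >= 0),
    "R3": (lambda s: s >= 0, lambda s, t: s >= 0 and abs(t * t - s) < EPS),
    "R4": (lambda s: s >= 0, lambda s, t: s >= 0 and abs(t * t - s) < EPS and t >= 0),
    "R5": (lambda s: True, lambda s, t: (s >= 0 and t * t == s) or (s < 0 and t == -1)),
    "R6": (lambda s: True, lambda s, t: (s >= 0 and t * t == s and t >= 0) or (s < 0 and t == -1)),
    "R7": (lambda s: True, lambda s, t: (s >= 0 and abs(t * t - s) < EPS) or s < 0),
    "R8": (lambda s: True, lambda s, t: (s >= 0 and abs(t * t - s) < EPS and t >= 0) or s < 0),
    "R9": (lambda s: s >= 0, lambda s, t: s >= 0 and abs(t - math.sqrt(s)) < EPS),
}

def satisfies(program, spec, samples):
    """A program P is correct w.r.t. R when (s, P(s)) is in R for every s in dom(R)."""
    in_dom, rel = spec
    return all(rel(s, program(s)) for s in samples if in_dom(s))

# Two candidate implementations, constructed for this example.
def pos_root(s):             # nonnegative root, -1 for negative input
    return math.sqrt(s) if s >= 0 else -1.0
def neg_root(s):             # nonpositive root, -1 for negative input
    return -math.sqrt(s) if s >= 0 else -1.0

# Constructed inputs; 2.0 has no exact floating-point root, so the exact specs R1, R2, R5, R6
# cannot be met by either implementation, while the approximate ones R3, R4, R7, R8 tolerate it.
SAMPLES = [0.0, 1.0, 2.0, 4.0, 0.25, 1e6, -3.0]

def specs_met(program):
    return sorted(name for name, spec in SQRT_SPECS.items() if satisfies(program, spec, SAMPLES))

def scale_witnesses():
    """Pairs showing that R4 (precision on the square) and R9 (precision on the root) differ."""
    r4, r9 = SQRT_SPECS["R4"][1], SQRT_SPECS["R9"][1]
    near_zero = (0.0, 0.0005)        # t*t = 2.5e-7 < EPS, yet t is 0.0005 away from sqrt(0)
    large = (1e4, 100.0 + 1e-7)      # t is within EPS of sqrt(1e4), yet t*t - 1e4 is about 2e-5
    return (r4(*near_zero), r9(*near_zero)), (r4(*large), r9(*large))
```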
As a second illustrative example, consider the following requirement pertaining to space S defined by an array a[1..N] of some type, where N is greater than or equal to 1, a variable x of the same type, and an index variable k, which we use to address array a: Search x in a and place its index in k. Again, this simple requirement lends itself to a wide range of interpretations, some of which we write as follows, along with their relational representation:
1. Variable x is known to be in a; place in k an index where x occurs in a.
$$F_1 = \{(s,s') \mid (\exists h : 1 \le h \le N \wedge a[h] = x) \wedge a[k'] = x\}$$
2. Variable x is known to be in a; place in k the first (smallest) index where x occurs in a.
$$F_2 = \{(s,s') \mid (\exists h : 1 \le h \le N \wedge a[h] = x) \wedge a[k'] = x \wedge (\forall h : 1 \le h < k' \Rightarrow a[h] \ne x)\} = F_1 \cap \{(s,s') \mid \forall h : 1 \le h < k' \Rightarrow a[h] \ne x\}$$
3. Variable x is known to be in a; place in k an index where x occurs in a, while preserving a and x.
$$F_3 = F_1 \cap \{(s,s') \mid a' = a \wedge x' = x\}$$
4. Variable x is known to be in a; place in k the first (smallest) index where x occurs in a, while preserving a and x.
$$F_4 = F_2 \cap \{(s,s') \mid a' = a \wedge x' = x\}$$
5. Variable x is not known to be in a; if it is not, place 0 in k; else place in k an index where x occurs in a.
$$F_5 = F_1 \cup \{(s,s') \mid (\forall h : 1 \le h \le N \Rightarrow a[h] \ne x) \wedge k' = 0\}$$
6. Variable x is not known to be in a; if it is not, place 0 in k; else place in k the first (smallest) index where x occurs in a.
$$F_6 = F_2 \cup \{(s,s') \mid (\forall h : 1 \le h \le N \Rightarrow a[h] \ne x) \wedge k' = 0\}$$
7. Variable x is not known to be in a; if it is not, place 0 in k; else place in k an index where x occurs in a, while preserving a and x.
$$F_7 = F_3 \cup \{(s,s') \mid (\forall h : 1 \le h \le N \Rightarrow a[h] \ne x) \wedge k' = 0\}$$
8. Variable x is not known to be in a; if it is not, place 0 in k; else place in k the first (smallest) index where x occurs in a, while preserving a and x.
$$F_8 = F_4 \cup \{(s,s') \mid (\forall h : 1 \le h \le N \Rightarrow a[h] \ne x) \wedge k' = 0\}$$
Note that $F_1$ can be written simply as
$$F_1 = \{(s,s') \mid a[k'] = x\},$$
since the clause $\exists h : 1 \le h \le N \wedge a[h] = x$ is a logical consequence of $a[k'] = x$. We draw the reader's attention to the importance of carefully watching which variables are primed and which are unprimed in a specification. By writing $F_1$ as we did, we mean that the final value of k points to a location in the original array a where the original value of x is located. As written, this relation specifies a search program. If, instead of $F_1$, we had written the specification as follows:
$$F_1 = \{(s,s') \mid a[k'] = x'\},$$
then it would be possible to satisfy this specification by the following simple program:
{k=1; x=a[1];}
If, instead of $F_1$, we had written the specification as follows:
$$F_1 = \{(s,s') \mid a'[k'] = x\},$$
then it would be possible to satisfy this specification by the following simple program:
{k=1; a[1]=x;}
If, instead of $F_1$, we had written the specification as follows:
$$F_1 = \{(s,s') \mid a'[k'] = x'\},$$
then it would be possible to satisfy this specification by the following simple program:
{k=1; x=0; a[1]=0;}
None of these three programs performs a search of variable x in array a.
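An added example, not code from the text, that encodes $F_1$ through $F_8$ and the three mis-primed rewrites of $F_1$ as predicates over pairs of states, then checks a genuine search and the three trivial programs above against them. The State type, the sample arrays and the program names are assumptions of this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class State:                 # space S: array a[1..N] (stored 0-based), value x, index k
    a: tuple
    x: int
    k: int

def at(s, h):                # a[h] with the text's 1-based indexing; None if h is out of range
    return s.a[h - 1] if 1 <= h <= len(s.a) else None

# Relation predicates over a pair (s, s'); t stands for the primed state s'.
def f1(s, t):                # F1 = {(s,s') | a[k'] = x}: a and x unprimed, k primed
    return at(s, t.k) == s.x
def first(s, t):             # for all h: 1 <= h < k' implies a[h] != x
    return all(at(s, h) != s.x for h in range(1, t.k))
def preserve(s, t):          # a' = a and x' = x
    return t.a == s.a and t.x == s.x
def absent(s, t):            # (for all h: 1 <= h <= N implies a[h] != x) and k' = 0
    return s.x not in s.a and t.k == 0

SEARCH_SPECS = {
    "F1": f1,
    "F2": lambda s, t: f1(s, t) and first(s, t),
    "F3": lambda s, t: f1(s, t) and preserve(s, t),
    "F4": lambda s, t: f1(s, t) and first(s, t) and preserve(s, t),
    "F5": lambda s, t: f1(s, t) or absent(s, t),
    "F6": lambda s, t: (f1(s, t) and first(s, t)) or absent(s, t),
    "F7": lambda s, t: (f1(s, t) and preserve(s, t)) or absent(s, t),
    "F8": lambda s, t: (f1(s, t) and first(s, t) and preserve(s, t)) or absent(s, t),
    # the three mis-primed rewrites of F1 from the end of the section
    "a[k']=x'": lambda s, t: at(s, t.k) == t.x,
    "a'[k']=x": lambda s, t: at(t, t.k) == s.x,
    "a'[k']=x'": lambda s, t: at(t, t.k) == t.x,
}

# Candidate programs as state-to-state functions; the last three are the text's trivial ones.
def linear_search(s):        # first index of x in a, 0 when x is absent
    hits = [h for h in range(1, len(s.a) + 1) if at(s, h) == s.x]
    return replace(s, k=hits[0] if hits else 0)
def k1_x_a1(s): return replace(s, k=1, x=at(s, 1))                  # {k=1; x=a[1];}
def k1_a1_x(s): return replace(s, k=1, a=(s.x,) + s.a[1:])           # {k=1; a[1]=x;}
def k1_zero(s): return replace(s, k=1, x=0, a=(0,) + s.a[1:])        # {k=1; x=0; a[1]=0;}

# Constructed samples: x present (never at index 1, so a lucky hit cannot fool F1) and x absent.
PRESENT = [State((3, 7, 7), 7, 0), State((5,), 5, 9)]
ABSENT = [State((1, 2, 3), 9, 2)]

def specs_met(program):      # names of the specs R with (s, P(s)) in R for every sample s in dom(R)
    dom = lambda name: PRESENT + ABSENT if name in ("F5", "F6", "F7", "F8") else PRESENT
    return {name for name, rel in SEARCH_SPECS.items() if all(rel(s, program(s)) for s in dom(name))}
```

Only the genuine search meets $F_1$; each trivial program meets exactly the mis-primed relation the text pairs it with (and any weaker one).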