Exercise Solutions: Functional Verification

Exercise Solutions: Functional Verification

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

f1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

f1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

Cf1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

Cf1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

C

S

f1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

C

S

f1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #21)

• Given

P = if x>=y then x,y := y,xf1 = (x>y x,y := y,x | true I)f2 = (x>y x,y := y,x | x<y I)f3 = (x≠y x,y := y,x)

• Fill in the following “correctness table”:

C

S

N

f1

f2

P

f3

C=Complete

S=Sufficient

N=Neither

“Identity” function:x,y := x,y

Exercise (from Lecture Notes #22)

• Prove f = [A] where

f = (x=17 x,y := 17,20 | true x,y := x,-x)

and A is:

if x=17 then y := x+3else y := -xend_if_else

if_then_else Correctness Conditions

• Complete correctness conditions for

f = [if p then G else H]

(where g = [G] and h = [H] have already been shown):

Prove: p (f = g) Л

¬p (f = h)

• Working correctness questions:

– When p is true, does f equal g?

– When p is false, does f equal h?

Proof that f = [P]

f = (x=17 x,y := 17,20 | true x,y := x,-x)

A: if x=17 then y := x+3 else y := -x end_if_else

Proof that f = [P]

f = (x=17 x,y := 17,20 | true x,y := x,-x)

A: if x=17 then y := x+3 Gelse y := -x Hend_if_else

Proof that f = [P]

f = (x=17 x,y := 17,20 | true x,y := x,-x)

A: if x=17 then y := x+3 Gelse y := -x Hend_if_else

By observation, g = x,y := x,x+3h = x,y := x,-x

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?

When p is false does f equal h?

g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))

When p is false does f equal h?

g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3)

When p is false does f equal h?

g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3)

= (x,y := 17,20))When p is false does f equal h?

g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3) √

= (x,y := 17,20))When p is false does f equal h?

g hp

Proof that f = [P] (cont’d)

• Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3) √ = (x,y := 17,20))When p is false does f equal h?(x≠17) (f = (x,y := x,-x))

g hp

Proof that f = [P] (cont’d)• Therefore, by the Axiom of Replacement, it is

sufficient to show:f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3) √

= (x,y := 17,20))When p is false does f equal h?

(x≠17) (f = (x,y := x,-x)) (x≠17) (h = (x,y := x,-x))

g hp

Proof that f = [P] (cont’d)• Therefore, by the Axiom of Replacement, it is

sufficient to show:f = (x=17 x,y := 17,20 | true x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]

When p is true does f equal g?(x=17) (f = (x,y := 17,20))(x=17) (g = (x,y := x,x+3) √

= (x,y := 17,20))When p is false does f equal h?

(x≠17) (f = (x,y := x,-x)) (x≠17) (h = (x,y := x,-x))

g hp

√

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f:

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t :=

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i | i≥n

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i | i≥n I)

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i | i≥n I)

Alternative f:

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i | i≥n I)

Alternative f: (i≤n i,t := n,txn-i | i>n I)

Exercise 1 (from Lecture Notes #23)

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Hypothesized f: (i<n i,t := n,txn-i | i≥n I)

Alternative f: (i≤n i,t := n,txn-i | i>n I)

Does it make any difference which we use?

Exercise 1 (from Lecture Notes #23)

while_do Correctness Conditions

• Complete correctness conditions for

f = [while p do g]

(where g = [G] has already been shown):

Prove:

term(f,M) Л

p (f = f o g) Л

¬p (f = I)

Proof that f = [M]

f = (i<n i,t := n,txn-i | i≥n I)

M: while i<n do t := tx i := i+1

end_while

Proof that f = [M]

f = (i<n i,t := n,txn-i | i≥n I)

M: while i<n do t := tx i := i+1

end_while

G

p

Proof that f = [M]

f = (i<n i,t := n,txn-i | i≥n I)

M: while i<n do t := tx i := i+1

end_while

By observation, g = [G] = (i,t := i+1,tx)

G

p

Proof that f = [M]

f = (i<n i,t := n,txn-i | i≥n I)

M: while i<n do t := tx i := i+1

end_while

By observation, g = [G] = (i,t := i+1,tx)

• Is loop termination guaranteed for any argument in D(f)?

G

p

Proof that f = [M]

f = (i<n i,t := n,txn-i | i≥n I)

M: while i<n do t := tx i := i+1

end_while

By observation, g = [G] = (i,t := i+1,tx)

• Is loop termination guaranteed for any argument in D(f)? YES. (Show this using the Method of Well-Founded Sets.)

G

p

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )?

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )?

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

• Does (i<n) ( f = f o g )?

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

• Does (i<n) ( f = f o g )?

(i<n) ( f = i,t := n,txn-i )

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

• Does (i<n) ( f = f o g )?

(i<n) ( f = i,t := n,txn-i )

(i<n) ( f o g = f o (i,t := i+1,tx) )

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

• Does (i<n) ( f = f o g )?

(i<n) ( f = i,t := n,txn-i )

(i<n) ( f o g = f o (i,t := i+1,tx) )

What is f when applied after g changes the initial value of i?

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i≥n) ( f = I )? √

• Does (i<n) ( f = f o g )?

(i<n) ( f = i,t := n,txn-i )

(i<n) ( f o g = f o (i,t := i+1,tx) )

What is f when applied after g changes the initial value of i?

There are two cases to consider: i=n-1 & i<n-1

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-i

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-i

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx )

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = f o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx) = ? o (i,t := n,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx) = I o (i,t := n,tx)

since gi(i=n-1) = n

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a:

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case a: √

(i=n-1) ( f = i,t := n,txn-(n-1)

= i,t := n,tx ) (i=n-1) ( f o g = ? o (i,t := i+1,tx)

= ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i )

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = f o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = ? o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) since gi(i<n-1) < n

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1))

Proof that f = [M] (cont’d)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? case b:

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Proof that f = [M] (cont’d)

• Does (i<n) ( f = f o g )? √ case b: √

(i<n-1) ( f = i,t := n,txn-i ) (i<n-1) ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i)

( Recall: f = (i<n i,t := n,txn-i | i≥n I) )

Exercise 2 (from Lecture Notes #23)

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Exercise 2 (from Lecture Notes #23)

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Hypothesized r:

Exercise 2 (from Lecture Notes #23)

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Hypothesized r: (x>0 x,y := ?,?

Exercise 2 (from Lecture Notes #23)

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Hypothesized r: (x>0 x,y := 0,?

Exercise 2 (from Lecture Notes #23)

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Hypothesized r: (x>0 x,y := 0,y+2x)

repeat_until Correctness Conditions

• Complete correctness conditions for

f = [P] = [repeat g until p]

(where g = [G] has already been shown):

Prove:

term(f,P) Л

(p o g) (f = g) Л ¬(p o g) (f = f o g)

Proof that r = [R]

r = (x>0 x,y := 0,y+2x)

R: repeat:

x := x−1 y := y+2 until x=0

Proof that r = [R]

r = (x>0 x,y := 0,y+2x)

R: repeat:

x := x−1 y := y+2 until x=0

G

p

Proof that r = [R]

r = (x>0 x,y := 0,y+2x)

R: repeat:

x := x−1 y := y+2 until x=0

By observation, g = [G] = (x,y := x-1,y+2)

G

p

Proof that r = [R]

r = (x>0 x,y := 0,y+2x)

R: repeat:

x := x−1 y := y+2 until x=0

By observation, g = [G] = (x,y := x-1,y+2)

• Is loop termination guaranteed for any argument in D(r)?

G

p

Proof that r = [R]

r = (x>0 x,y := 0,y+2x)

R: repeat:

x := x−1 y := y+2 until x=0

By observation, g = [G] = (x,y := x-1,y+2)

• Is loop termination guaranteed for any argument in D(r)? YES. (Show this using the Method of Well-Founded Sets.)

G

p

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] ?

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

(x=1) ( r = (x,y := 0,y+2x)

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

(x=1) ( r = (x,y := 0,y+2x)

= (x,y := 0,y+2) )

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

(x=1) ( r = (x,y := 0,y+2x)

= (x,y := 0,y+2) )

(x=1) ( g = (x,y := x-1,y+2)

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

(x=1) ( r = (x,y := 0,y+2x)

= (x,y := 0,y+2) )

(x=1) ( g = (x,y := x-1,y+2)

= (x,y := 0,y+2) )

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does (p o g) (r = g) ?

[ (x=0) o (x,y := x-1,y+2) ] (x0=1)

(x=1) ( r = (x,y := 0,y+2x)

= (x,y := 0,y+2) )

(x=1) ( g = (x,y := x-1,y+2)

= (x,y := 0,y+2) )

( Recall: r = (x>0 x,y := 0,y+2x) )

√

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

¬[ (x=0) o (x,y := x-1,y+2) ] (x0≠1)

Thus, there are 2 cases to consider: x0<1 and x0>1.

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

¬[ (x=0) o (x,y := x-1,y+2) ] (x0≠1)

Thus, there are 2 cases to consider: x0<1 and x0>1.

case a:

(x<1) ( r = undefined )

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

¬[ (x=0) o (x,y := x-1,y+2) ] (x0≠1)

Thus, there are 2 cases to consider: x0<1 and x0>1.

case a:

(x<1) ( r = undefined ) (x<1) ( r o g = undefined o g since ((x>0) o g(x<1)) = false

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

¬[ (x=0) o (x,y := x-1,y+2) ] (x0≠1)

Thus, there are 2 cases to consider: x0<1 and x0>1.

case a:

(x<1) ( r = undefined ) (x<1) ( r o g = undefined o g = undefined ) since ((x>0) o g(x<1)) = false

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

• Does ¬(p o g) (r = r o g) ?

¬[ (x=0) o (x,y := x-1,y+2) ] (x0≠1)

Thus, there are 2 cases to consider: x0<1 and x0>1.

case a:

(x<1) ( r = undefined ) (x<1) ( r o g = undefined o g = undefined ) since ((x>0) o g(x<1)) = false

√

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) )

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1))

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2))

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) )

( Recall: r = (x>0 x,y := 0,y+2x) )

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) )

( Recall: r = (x>0 x,y := 0,y+2x) )

√

Proof that r = [R] (cont’d)

case b: (x>1) ( r = (x,y := 0,y+2x) ) (x>1) ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) )

Therefore, ¬(p o g) (r = r o g) √

( Recall: r = (x>0 x,y := 0,y+2x) )

√

Exercise (from Lecture Notes #24)• Derive a limited invariant for the initialized

while loop using the Invariant Status Theorem.

{true} Z := X

J := 1 while J<>Y do Z := Z+X

J := J+1 end_while{Z=XY}

Exercise (from Lecture Notes #24)• Derive a limited invariant for the initialized

while loop using the Invariant Status Theorem.

{true} Z := X

J := 1 while J<>Y do Z := Z+X

J := J+1 end_while{Z=XY}

What function, h, is computed by the loop initialization?

Exercise (from Lecture Notes #24)• Derive a limited invariant for the initialized

while loop using the Invariant Status Theorem.

{true} Z := X

J := 1 while J<>Y do Z := Z+X

J := J+1 end_while{Z=XY}

What function, h, is computed by the loop initialization?

(Z,J := X,1)

Exercise (from Lecture Notes #24)• Derive a limited invariant for the initialized

while loop using the Invariant Status Theorem.

{true} Z := X

J := 1 while J<>Y do Z := Z+X

J := J+1 end_while{Z=XY}

What function, f, is computed by the while loop?

What function, h, is computed by the loop initialization?

(Z,J := X,1)

Exercise (from Lecture Notes #24)• Derive a limited invariant for the initialized

while loop using the Invariant Status Theorem.

{true} Z := X

J := 1 while J<>Y do Z := Z+X

J := J+1 end_while{Z=XY}

What function, f, is computed by the while loop?

(J≤Y Z,J,X := Z+X(Y-J),Y,X)

What function, h, is computed by the loop initialization?

(Z,J := X,1)

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

X f(X) foh(X0)

Z JX

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

X f(X) foh(X0)

Z Z+X(Y-J)JX

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

X f(X) foh(X0)

Z Z+X(Y-J) X0+X0(Y0-1)

JX

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

X f(X) foh(X0)

Z Z+X(Y-J) X0+X0(Y0-1)

J Y Y0

X X X0

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

and equating components of f(X) and foh(X0):

X f(X) foh(X0)

Z Z+X(Y-J) X0+X0(Y0-1)

J Y Y0

X X X0

For f = (J≤Y Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space:

and equating components of f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

X f(X) foh(X0)

Z Z+X(Y-J) X0+X0(Y0-1)

J Y Y0

X X X0

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

Z+X(Y-J) = X+X(Y-1)

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J)

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J) = XJ

equating f(X) and foh(X0):

Z+X(Y-J) = X0+X0(Y0-1) Y = Y0

X = X0

Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J) = XJ

Recall that in Example 3 of Lecture 18, we proved the given assertion using this invariant.

Exercise Solutions: Functional Verification

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification