Exercise Solutions: Functional Verification


Exercise Solutions: Functional Verification
Software Testing and Verification
Prepared by Stephen M. Thebaut, Ph.D., University of Florida

Exercise (from Lecture Notes #21)

"Identity" function: x,y := x,y

Given P = if x>=y then x,y := y,x

f1 = (x>y → x,y := y,x | true → I)
f2 = (x>y → x,y := y,x | x<y → I)
f3 = (x≠y → x,y := y,x)

Fill in the following "correctness table" (C = Complete, S = Sufficient, N = Neither):

      P
f1    C
f2    S
f3    N
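As an added check (example code, not from the lecture slides), the table above can be confirmed by comparing each f_i with [P] as partial functions over a constructed finite box of integer states; agreement on a finite box is evidence for the classification, not a proof, since the real domain is all integers.

```python
# Added example (not from the lecture slides): confirming the Lecture Notes #21
# "correctness table" by exhaustive comparison over a finite box of integer
# states. Each program function is modelled as a partial function on (x, y):
# it returns a pair, or None where the function is undefined.

from itertools import product


def prog_P(x, y):
    """[P] for P = 'if x>=y then x,y := y,x' (no else branch: identity otherwise)."""
    return (y, x) if x >= y else (x, y)


def f1(x, y):
    # (x>y -> x,y := y,x | true -> I)
    return (y, x) if x > y else (x, y)


def f2(x, y):
    # (x>y -> x,y := y,x | x<y -> I): undefined when x = y
    if x > y:
        return (y, x)
    if x < y:
        return (x, y)
    return None


def f3(x, y):
    # (x != y -> x,y := y,x): undefined when x = y
    return (y, x) if x != y else None


def classify(candidate, reference, states):
    """Return 'C' (complete), 'S' (sufficient) or 'N' (neither).

    Complete:   candidate = reference on every state (same domain, same values).
    Sufficient: candidate is a proper restriction of the reference (agrees
                wherever it is defined, but is undefined on some states where
                the reference is defined).
    Neither:    some state where both are defined but the results differ, or
                the candidate is defined where the reference is not.
    """
    same_domain = True
    for s in states:
        ref = reference(*s)
        cand = candidate(*s)
        if cand is None:
            if ref is not None:
                same_domain = False
            continue
        if ref is None or cand != ref:
            return "N"
    return "C" if same_domain else "S"


# Constructed finite domain: all (x, y) with -3 <= x, y <= 3.
STATES = list(product(range(-3, 4), repeat=2))


def correctness_table():
    """Classification of f1, f2, f3 against [P] over STATES."""
    return {name: classify(fn, prog_P, STATES)
            for name, fn in (("f1", f1), ("f2", f2), ("f3", f3))}
```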

Exercise (from Lecture Notes #22)

Prove f = [A] where f = (x=17 → x,y := 17,20 | true → x,y := x,-x) and A is:

if x=17 then
  y := x+3
else
  y := -x
end_if_else

if_then_else Correctness Conditions

Complete correctness conditions for f = [if p then G else H] (where g = [G] and h = [H] have already been shown):

Prove: p → (f = g) ∧ ¬p → (f = h)

Working correctness questions:
When p is true, does f equal g?
When p is false, does f equal h?

Proof that f = [A]

f = (x=17 → x,y := 17,20 | true → x,y := x,-x)

A: if x=17 then
     y := x+3        (G)
   else
     y := -x         (H)
   end_if_else

By observation, g = (x,y := x,x+3) and h = (x,y := x,-x).

Therefore, by the Axiom of Replacement, it is sufficient to show:

f = (x=17 → x,y := 17,20 | true → x,y := x,-x)
  = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]
         p              g                  h

When p is true, does f equal g?
  (x=17) → (f = (x,y := 17,20))
  (x=17) → (g = (x,y := x,x+3) = (x,y := 17,20))  √

When p is false, does f equal h?
  (x≠17) → (f = (x,y := x,-x))
  (x≠17) → (h = (x,y := x,-x))  √

Exercise 1 (from Lecture Notes #23)

For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do
  t := t*x
  i := i+1
end_while

Hypothesized f: (i<n → i,t := n, t*x^(n-i) | i≥n → I)

Alternative f: (i≤n → i,t := n, t*x^(n-i) | i>n → I)

Does it make any difference which we use?

while_do Correctness Conditions

Complete correctness conditions for f = [while p do g] (where g = [G] has already been shown):

Prove: term(f,M) ∧ p → (f = f o g) ∧ ¬p → (f = I)

Proof that f = [M]

f = (i<n → i,t := n, t*x^(n-i) | i≥n → I)

M: while i<n do        (p)
     t := t*x          (G)
     i := i+1
   end_while

By observation, g = [G] = (i,t := i+1, t*x).

Is loop termination guaranteed for any argument in D(f)? YES. (Show this using the Method of Well-Founded Sets.)

Proof that f = [M] (cont'd)

(Recall: f = (i<n → i,t := n, t*x^(n-i) | i≥n → I))

Does (i≥n) → (f = I)?  √

Does (i<n) → (f = f o g)?
  (i<n) → (f = i,t := n, t*x^(n-i))
  (i<n) → (f o g = f o (i,t := i+1, t*x))

What is f when applied after g changes the initial value of i? There are two cases to consider: i=n-1 and i<n-1.

Proof that f = [M] (cont'd)

(Recall: f = (i<n → i,t := n, t*x^(n-i) | i≥n → I))

Does (i<n) → (f = f o g)?

case a:
  (i=n-1) → (f = i,t := n, t*x^(n-(n-1)) = i,t := n, t*x)
  (i=n-1) → (f o g = ? o (i,t := i+1, t*x)
                   = ? o (i,t := n-1+1, t*x)
                   = I o (i,t := n, t*x)        since g_i(i=n-1) = n
                   = (i,t := n, t*x))  √

Proof that f = [M] (cont'd)

(Recall: f = (i<n → i,t := n, t*x^(n-i) | i≥n → I))

Does (i<n) → (f = f o g)?

case b:
  (i<n-1) → (f = i,t := n, t*x^(n-i))
  (i<n-1) → (f o g = (i,t := n, t*x^(n-i)) o (i,t := i+1, t*x)    since g_i(i<n-1) < n
                   = (i,t := n, (t*x)*x^(n-(i+1)))
                   = (i,t := n, (t*x)*x^(n-i-1))
                   = (i,t := n, t*x^(n-i-1+1))
                   = (i,t := n, t*x^(n-i)))  √

Therefore, (i<n) → (f = f o g)  √

Exercise 2 (from Lecture Notes #23)

For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat:
  x := x−1
  y := y+2
until x=0

Hypothesized r: (x>0 → x,y := 0, y+2x)
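Before attempting either loop proof, a practitioner would first try to refute the hypothesis by execution. The added example below (not the lecture's own material) runs M and R directly and compares them with f, the alternative f, and r over a constructed finite box of integer states; a run that exceeds a step bound is treated as undefined, which is how the inputs x≤0 of R, where r is undefined, are handled. Agreement on the box is evidence for the hypothesis, not the while_do or repeat_until proof.

```python
# Added example (not from the lecture slides): differential check of the
# hypothesized loop functions from Exercises 1 and 2 (Lecture Notes #23)
# against the programs M and R over a constructed finite box of integer states.

from itertools import product

STEP_LIMIT = 1000   # iterations after which a run is treated as non-terminating


def run_M(i, n, t, x):
    """Execute M: while i<n do t := t*x; i := i+1 end_while. Returns (i, t)."""
    while i < n:
        t = t * x
        i = i + 1
    return (i, t)


def f_hyp(i, n, t, x):
    """Hypothesized f = (i<n -> i,t := n, t*x^(n-i) | i>=n -> I)."""
    if i < n:
        return (n, t * x ** (n - i))
    return (i, t)


def f_alt(i, n, t, x):
    """Alternative f = (i<=n -> i,t := n, t*x^(n-i) | i>n -> I)."""
    if i <= n:
        return (n, t * x ** (n - i))
    return (i, t)


def run_R(x, y):
    """Execute R: repeat x := x-1; y := y+2 until x=0.

    Returns (x, y), or None once STEP_LIMIT is exceeded: for x <= 0 the loop
    never sees x=0 again, so [R] is undefined there and r must leave it out.
    """
    steps = 0
    while True:
        x = x - 1
        y = y + 2
        steps += 1
        if x == 0:
            return (x, y)
        if steps > STEP_LIMIT:
            return None


def r_hyp(x, y):
    """Hypothesized r = (x>0 -> x,y := 0, y+2x); undefined (None) otherwise."""
    return (0, y + 2 * x) if x > 0 else None


def mismatches(program, hypothesis, states):
    """States on which the program's result and the hypothesis disagree."""
    return [s for s in states if program(*s) != hypothesis(*s)]


# Constructed finite domains: (i, n, t, x) for M and (x, y) for R. The ranges
# are small so the step limit is only reached for the non-terminating x <= 0.
M_STATES = list(product(range(-2, 4), range(-2, 4), range(-2, 3), range(-2, 3)))
R_STATES = list(product(range(-3, 6), range(-3, 4)))


def check_all():
    """Mismatch lists per hypothesis; all empty when the hypotheses hold on the box."""
    return {
        "f_hyp": mismatches(run_M, f_hyp, M_STATES),
        "f_alt": mismatches(run_M, f_alt, M_STATES),
        "r_hyp": mismatches(run_R, r_hyp, R_STATES),
    }
```

On this box f_hyp and f_alt produce no mismatches, since the two hypotheses differ only in which clause handles i=n, and both map that state to (n, t).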

repeat_until Correctness Conditions

Complete correctness conditions for f = [P] = [repeat g until p] (where g = [G] has already been shown):

Prove: term(f,P) ∧ (p o g) → (f = g) ∧ ¬(p o g) → (f = f o g)

Proof that r = [R]

r = (x>0 → x,y := 0, y+2x)

R: repeat:
     x := x−1       (G)
     y := y+2
   until x=0        (p)

By observation, g = [G] = (x,y := x-1, y+2).

Is loop termination guaranteed for any argument in D(r)? YES. (Show this using the Method of Well-Founded Sets.)

Proof that r = [R] (cont'd)

(Recall: r = (x>0 → x,y := 0, y+2x))

Does (p o g) → (r = g)?
  [(x=0) o (x,y := x-1, y+2)] ≡ (x0=1)
  (x=1) → (r = (x,y := 0, y+2x) = (x,y := 0, y+2))
  (x=1) → (g = (x,y := x-1, y+2) = (x,y := 0, y+2))  √

Proof that r = [R] (cont'd)

(Recall: r = (x>0 → x,y := 0, y+2x))

Does ¬(p o g) → (r = r o g)?
  ¬[(x=0) o (x,y := x-1, y+2)] ≡ (x0≠1)
  Thus, there are 2 cases to consider: x0<1 and x0>1.

case a:
  (x<1) → (r = undefined)
  (x<1) → (r o g = undefined o g = undefined)    since ((x>0) o g)(x<1) = false  √

Proof that r = [R] (cont'd)

(Recall: r = (x>0 → x,y := 0, y+2x))

case b:
  (x>1) → (r = (x,y := 0, y+2x))
  (x>1) → (r o g = (x,y := 0, y+2x) o (x,y := x-1, y+2)    since ((x>0) o g)(x>1) = true
                 = (x,y := 0, (y+2)+2(x-1))
                 = (x,y := 0, y+2+2x-2)
                 = (x,y := 0, y+2x))  √

Therefore, ¬(p o g) → (r = r o g)  √
