Prepared by Stephen M. Thebaut, Ph.D. University of Florida Exam 2 Help Session Software Testing and Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida

A student writes: I would like to request you to provide some tips on hypothesizing functions for given programs. I refer in particular to Example 2 of Lecture Notes #24 and Question 1 of the self check quiz in lesson plan for Lecture Notes #’s 24 and 25. Although I followed the concept of synthesizing limited invariants, I found it difficult to come up with a function to represent the given program when I attempted these on my own.

General Rule of Thumb for hypothesizing functions of compound programs: Work top-down, and Use the Axiom of Replacement Good example (nested if_then’s + sequencing): problem 4 of Problem Set 7 For while loops, see examples 1 and 2 from Lecture Notes #21.

Example 2 (from Lecture Notes #24) Consider the assertion: {n≥0} p := 1 k := 0 while k<>n do p := p*2 k := k+1 end_while {p=2n} What function, f, is computed by the while loop?

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 When will P terminate? What measure would you use to prove this using the method of Well-Founded Sets? Use the measure in one or more conditional rules describing the function. For this case, the initial relationship between k and n determine three different loop “behaviors.” (What are they?)

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 k<n  p,k := ?,? k=n  p,k := ?,? k>n  p,k := ?,?

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 Number of times the body will execute P = while k<>n do p,k := 2p,k+1 k<n  p,k := p2n−k,n k=n  p,k := ?,? k>n  p,k := ?,? Value of k on termination

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 k<n  p,k := p2n−k,n k=n  p,k := p,k k>n  p,k := ?,?

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 k<n  p,k := p2n−k,n k=n  p,k := p,k := p2n−k,n k>n  p,k := ?,?

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 k<n  p,k := p2n−k,n k=n  p,k := p,k := p2n−k,n k>n  undefined

Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1 k<n  p,k := p2n−k,n k=n  p,k := p,k := p2n−k,n k>n  undefined Therefore, [P] = (k≤n  p,k := p2n−k,n)

Problem 1 from Self-Check Quiz Consider the assertion: y := 0 t := x while t<>k do t := t–1 y := y+1 end_while What function, f, is computed by the while loop?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := ?,? t=k  t,y := ?,? t<k  t,y := ?,?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) t=k  t,y := ?,? t<k  t,y := ?,?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) := k,y+t-k t=k  t,y := ?,? t<k  t,y := ?,?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) := k,y+t-k t=k  t,y := t,y t<k  t,y := ?,?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) := k,y+t-k t=k  t,y := t,y t<k  t,y := ?,?

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) := k,y+t-k t=k  t,y := t,y t<k  undefined

Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t–1,y+1 t>k  t,y := k,y+1*(t-k) := k,y+t-k t=k  t,y := t,y t<k  undefined Therefore, [P] = (t≥k  t,y := k,y+t-k)

Another student writes: I have some questions about exam 2 for fall 07, problem No 6. ...And I do not know how to make up counterexample.

6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that the wp(Repeat s until b) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?)

6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that the wp(Repeat s until b) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?) Answer: No. In general, the wp(Repeat s until b, Q) cannot be used as an invariant with the Repeat_until ROI. In particular, (wp(Repeat s until b) Л b ≠> Q in general). (Note that the ROI –- i.e., via the “initialization” antecedent {P} s {I} -- does not require “I” to hold until after s executes.

ROI for while loop and repeat_until loop P  I, {I Л b} S {I}, (I Л b)  Q {P} while b do S {Q} {P} S {I}, {I Л  b} S {I}, (I Л b)  Q {P} repeat S until b {Q} Note that for the repeat_until loop, "I" need not hold UNTIL AFTER S executes.

Note that b Л (H1 V H2 V H3 V...)  Q wp(repeat S until b, Q) = H1 V H2 V H3 V... where: H1 = wp(S, b Л Q) H2 = wp(S, ~b Л H1) H3 = wp(S, ~b Л H2) Hk = wp(S, ~b Л Hk-1) Note that b Л (H1 V H2 V H3 V...)  Q in general.

Finding counter-examples Suppose you wish to prove (A => B) is FALSE. This can be done by finding just one case for which A is true and B is false. This case is referred to as a "counter-example". So, to prove that the hypothesized ROI: A, B, C {P} while b do S {Q} is FALSE, find one case for which A, B, and C are each true, but {P} while b do S {Q} is FALSE. ?

Finding counter-examples (cont'd) How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI. For example, what's the fallacy in the following ROI? P  I, (I Л b)  Q {P} while b do S {Q} ?

Finding counter-examples (cont'd) How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI. For example, what's the fallacy in the following ROI? P  I, (I Л b)  Q {P} while b do S {Q} Answer: The two antecedents do not require that "I" holds after S executes! So, choose P, b, S, Q, and I such that the two antecedents hold, but neither I nor Q will hold after S executes when b becomes false. ?

Finding counter-examples (cont'd) P  I, (I Л b)  Q {P} while b do S {Q} For example, consider, for I: x=1 {x=1 Л y=-17} while y<0 do y := y+1 x := 2 end_while {x=1} ?

A really smokin’ example... Consider the following assertion/ROI: “People who wear red shirts do not smoke.” = Wears red shirts(X) => Does not smoke(X) Wears red shirts(X) Does not smoke(X)

A really smokin’ example... (cont’d) Is the assertion valid (true)? No. Proof by counterexample: This person satisfies the antecedent, but not the consequent!

Another example Does [(P Л ¬b)  Q]  [{P} while b do S {Q}] ? = (P Л ¬b)  Q {P} while b do S {Q} Counterexample: {x=0} while y<>5 do x := x+1; y := y+1 {x=0 Л y=5} ?

Problem 2, Exam 2, Summer ‘09 Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions. b. {K Л b} S {K}

Problem 2, Exam 2, Summer ‘09 Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions. b. {K Л b} S {K} true (See Lecture Notes #20.)

Loop Invariants and wp’s In general, will loops terminate when P  wp ? For while loops, does {wp Л b} S {wp} ? Does (wp Л ¬b)  Q ? √ √ √

Problem 2, Exam 2, Summer ‘09 Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions. b. {K Л b} S {K} true (See Lecture Notes #20.) e. {K Л b} repeat S until ¬b {Q}

Problem 2, Exam 2, Summer ‘09 Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions. b. {K Л b} S {K} true (See Lecture Notes #20.) e. {K Л b} repeat S until ¬b {Q} true

{K Л b} S T ¬b F {Q} ?

{K Л b} {K Л b} S S T = ¬b T ¬b F F S {Q} ? {Q} ?

S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} T F T F T F {Q} ? {Q} ?

S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} K since {K Л b} T F T F {Q} ? {Q} ? {Q} ?

S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} K since {K Л b} T F T F {Q} ? {Q} ? {Q}  since (K Л ¬b)  Q

Problem 3, Exam 2, Summer ‘09 3. Circle either “true” or “false” for each of the following assertions. k. ({P} S {Q})  ({P} if b then S {(Q  b)})

Problem 3, Exam 2, Summer ‘09 3. Circle either “true” or “false” for each of the following assertions. k. ({P} S {Q})  ({P} if b then S {(Q  b)}) False

The assertion may seem plausible, but consider: Problem 3, Exam 2, Summer ‘09 3. Circle either “true” or “false” for each of the following assertions. k. ({P} S {Q})  ({P} if b then S {(Q  b)}) False The assertion may seem plausible, but consider: {z=1} y:=5 {z=1}  {z=1} if x=0 then y:=5 {(z=1  x=0)} ? where b (i.e., x=0) is false...

Problem 2, Exam 2, Spring ‘10 2. Circle either “true” or “false” for each of the following assertions. h. [{P Л b} S {Q}]  [{P} while b do S {Q}]

Problem 2, Exam 2, Spring ‘10 2. Circle either “true” or “false” for each of the following assertions. h. [{P Л b} S {Q}]  [{P} while b do S {Q}] False

Problem 2, Exam 2, Spring ‘10 {x=0} while x<5 do x:=x+1 {x=1} 2. Circle either “true” or “false” for each of the following assertions. h. [{P Л b} S {Q}]  [{P} while b do S {Q}] False Consider the counterexample: {x=0} while x<5 do x:=x+1 {x=1}

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly True e. {wp(S, Q)  x>0} x := 17; S {Q}

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False How about: {x>0  wp(S, Q)} x := 17; S {Q} ?

From Exam 2, Spring ‘10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False How about: {x>0  wp(S, Q)} x := 17; S {Q} ? True

Confusion re “undefined” and “I” (Identity function) “I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this: if (x>0) x := 9 end_if Is [P] = (x>0 -> x := 9|true -> I) or [P] = (x>0 -> x := 9|true -> undefined)?

Confusion re “undefined” and “I” (Identity function) “I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this: if (x>0) x := 9 end_if Is [P] = (x>0 -> x := 9|true -> I) or [P] = (x>0 -> x := 9|true -> undefined)? 

Prepared by Stephen M. Thebaut, Ph.D. University of Florida Exam 2 Help Session Software Testing and Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida