1 Exam 2 Help Session
Software Testing and Verification
Prepared by Stephen M. Thebaut, Ph.D., University of Florida

2 A student writes: I would like to request you to provide some tips on hypothesizing functions for given programs. I refer in particular to Example 2 of Lecture Notes #24 and Question 1 of the self check quiz in lesson plan for Lecture Notes #’s 24 and 25. Although I followed the concept of synthesizing limited invariants, I found it difficult to come up with a function to represent the given program when I attempted these on my own.

3 General Rule of Thumb for hypothesizing functions of compound programs:
Work top-down, and use the Axiom of Replacement.
Good example (nested if_then’s + sequencing): problem 4 of Problem Set 7.
For while loops, see examples 1 and 2 from Lecture Notes #21.

4 Example 2 (from Lecture Notes #24)
Consider the assertion:
{n≥0}
p := 1
k := 0
while k<>n do
  p := p*2
  k := k+1
end_while
{p=2^n}
What function, f, is computed by the while loop?

5 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1

6 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
When will P terminate? What measure would you use to prove this using the method of Well-Founded Sets? Use the measure in one or more conditional rules describing the function. For this case, the initial relationship between k and n determines three different loop “behaviors.” (What are they?)

7 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := ?,?
k=n → p,k := ?,?
k>n → p,k := ?,?

8 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := p·2^(n−k), n    (n−k is the number of times the body will execute; n is the value of k on termination)
k=n → p,k := ?,?
k>n → p,k := ?,?

9 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := p·2^(n−k), n
k=n → p,k := p,k
k>n → p,k := ?,?

10 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := p·2^(n−k), n
k=n → p,k := p,k  (= p·2^(n−k), n, since n−k=0)
k>n → p,k := ?,?

11 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := p·2^(n−k), n
k=n → p,k := p,k  (= p·2^(n−k), n, since n−k=0)
k>n → undefined

12 Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1
k<n → p,k := p·2^(n−k), n
k=n → p,k := p,k  (= p·2^(n−k), n, since n−k=0)
k>n → undefined
Therefore, [P] = (k≤n → p,k := p·2^(n−k), n)

13 Problem 1 from Self-Check Quiz
Consider the assertion:
y := 0
t := x
while t<>k do
  t := t–1
  y := y+1
end_while
What function, f, is computed by the while loop?

14 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := ?,?
t=k → t,y := ?,?
t<k → t,y := ?,?

15 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := k, y+1*(t−k)
t=k → t,y := ?,?
t<k → t,y := ?,?

16 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := k, y+1*(t−k) = k, y+t−k
t=k → t,y := ?,?
t<k → t,y := ?,?

17 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := k, y+1*(t−k) = k, y+t−k
t=k → t,y := t,y
t<k → t,y := ?,?


19 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := k, y+1*(t−k) = k, y+t−k
t=k → t,y := t,y
t<k → undefined

20 Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k → t,y := k, y+1*(t−k) = k, y+t−k
t=k → t,y := t,y
t<k → undefined
Therefore, [P] = (t≥k → t,y := k, y+t−k)
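A quick way to sanity-check a hypothesized loop function before attempting a proof, added here as an example that is not part of the original slides: execute the loop from a small grid of initial states, with a step bound so that the "undefined" cases show up as non-termination, and compare the result with the conditional rules derived above for both Example 2 and the quiz problem. The grid bounds and the step limit are assumptions.

```python
# Added example: compare hypothesized loop functions [P] with actual execution
# over a small finite grid of initial states (grid and step limit are constructed).

STEP_LIMIT = 1000  # assumption: more steps than this is treated as non-termination

def run_while(cond, body, state):
    """Execute `while cond do body` from `state`; return the final state, or None
    if the loop has not exited within STEP_LIMIT steps (the 'undefined' case)."""
    for _ in range(STEP_LIMIT):
        if not cond(state):
            return state
        state = body(state)
    return None

# Example 2 (Lecture Notes #24): P = while k<>n do p,k := 2p,k+1
# Hypothesis: [P] = (k<=n -> p,k := p*2^(n-k), n), undefined for k>n.
def loop_pow(state):                       # state = (p, k, n)
    return run_while(lambda s: s[1] != s[2],
                     lambda s: (2 * s[0], s[1] + 1, s[2]), state)

def hyp_pow(state):
    p, k, n = state
    return (p * 2 ** (n - k), n, n) if k <= n else None

# Self-check quiz problem 1: P = while t<>k do t,y := t-1,y+1
# Hypothesis: [P] = (t>=k -> t,y := k, y+t-k), undefined for t<k.
def loop_count(state):                     # state = (t, y, k)
    return run_while(lambda s: s[0] != s[2],
                     lambda s: (s[0] - 1, s[1] + 1, s[2]), state)

def hyp_count(state):
    t, y, k = state
    return (k, y + t - k, k) if t >= k else None

def mismatches(loop, hyp, grid):
    """Initial states where execution and the hypothesized function disagree."""
    return [s for s in grid if loop(s) != hyp(s)]

# Constructed grid: every combination of three integers in [-3, 3].
GRID = [(a, b, c) for a in range(-3, 4) for b in range(-3, 4) for c in range(-3, 4)]

if __name__ == "__main__":
    print("Example 2 mismatches:", mismatches(loop_pow, hyp_pow, GRID))      # []
    print("Quiz problem 1 mismatches:", mismatches(loop_count, hyp_count, GRID))  # []
```

An empty mismatch list is evidence, not a proof: it only says the rules agree with execution on the grid, which is exactly when it is worth investing in the formal argument.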

21 Another student writes:
I have some questions about exam 2 for fall 07, problem No 6. ...And I do not know how to make up a counterexample.

22 6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that wp(Repeat s until b, Q) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?)

Answer: No. In general, wp(Repeat s until b, Q) cannot be used as an invariant with the Repeat_until ROI. In particular, wp(Repeat s until b, Q) ∧ b ⇏ Q in general. (Note that the ROI, via the “initialization” antecedent {P} s {I}, does not require “I” to hold until after s executes.)

24 ROI for while loop and repeat_until loop
P → I, {I ∧ b} S {I}, (I ∧ ¬b) → Q
─────────────────────────────────
{P} while b do S {Q}

{P} S {I}, {I ∧ ¬b} S {I}, (I ∧ b) → Q
─────────────────────────────────
{P} repeat S until b {Q}

Note that for the repeat_until loop, "I" need not hold UNTIL AFTER S executes.

25 Note that b ∧ (H1 ∨ H2 ∨ H3 ∨ ...) ⇏ Q
wp(repeat S until b, Q) = H1 ∨ H2 ∨ H3 ∨ ... where:
H1 = wp(S, b ∧ Q)
H2 = wp(S, ¬b ∧ H1)
H3 = wp(S, ¬b ∧ H2)
...
Hk = wp(S, ¬b ∧ Hk−1)
Note that b ∧ (H1 ∨ H2 ∨ H3 ∨ ...) ⇏ Q in general.
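The H1 ∨ H2 ∨ ... characterization above can be computed mechanically when the state space is finite, which makes the "wp(Repeat s until b, Q) ∧ b ⇏ Q" point in the answer to problem 6 concrete. The following is an added example, not code from the slides; the state space (one integer x in [-10, 10]), the body S (x := x+1), the exit condition b (x is odd) and the post-condition Q (x = 5) are all constructed for the illustration.

```python
# Added example: compute wp(repeat S until b, Q) over a finite state space as
# H1 v H2 v H3 v ... and exhibit a state where b and wp hold but Q does not.
# The state space, S, b and Q are constructed here, not taken from the slides.

STATES = range(-10, 11)   # assumption: the state is one integer x in [-10, 10]

def S(x):                 # loop body: x := x+1
    return x + 1

def b(x):                 # exit condition: x is odd
    return x % 2 == 1

def Q(x):                 # post-condition: x = 5
    return x == 5

def wp_body(post):
    """wp(S, post): the set of states whose successor under S satisfies post."""
    return {x for x in STATES if S(x) in STATES and post(S(x))}

def wp_repeat_until():
    """Return (wp, [H1, H2, ...]) with H1 = wp(S, b^Q) and Hk = wp(S, ~b^H(k-1))."""
    hs = [wp_body(lambda x: b(x) and Q(x))]
    while hs[-1]:                                   # H_k empty => all later H_k empty
        prev = hs[-1]
        hs.append(wp_body(lambda x, prev=prev: not b(x) and x in prev))
    return set().union(*hs), hs[:-1]

def run_repeat_until(x, limit=100):
    """Execute `repeat S until b` from x; None if it has not exited within limit."""
    for _ in range(limit):
        x = S(x)
        if b(x):
            return x
    return None

def states_where_b_and_wp_but_not_q():
    """States in wp where b already holds yet Q is false: S still runs first."""
    wp, _ = wp_repeat_until()
    return sorted(x for x in wp if b(x) and not Q(x))

if __name__ == "__main__":
    wp, hs = wp_repeat_until()
    print("H_k:", hs, "wp:", sorted(wp))                          # [{4}, {3}] [3, 4]
    print("b ^ wp but not Q:", states_where_b_and_wp_but_not_q())  # [3]
    print("x=5 satisfies Q but is not in wp:", 5 not in wp)         # True
```

From x=3 the exit condition b already holds, yet the loop runs S once more and reaches x=5, which is why x=3 is in wp without satisfying Q; conversely x=5 satisfies Q but is not in wp, since S executes before b is tested.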

26 Finding counter-examples
Suppose you wish to prove (A ⇒ B) is FALSE. This can be done by finding just one case for which A is true and B is false. This case is referred to as a "counter-example".
So, to prove that the hypothesized ROI:
A, B, C
─────────────────────
{P} while b do S {Q}
is FALSE, find one case for which A, B, and C are each true, but {P} while b do S {Q} is FALSE.

27 Finding counter-examples (cont'd)
How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI. For example, what's the fallacy in the following ROI?
P → I, (I ∧ ¬b) → Q
─────────────────────
{P} while b do S {Q}

Answer: The two antecedents do not require that "I" holds after S executes! So, choose P, b, S, Q, and I such that the two antecedents hold, but neither I nor Q will hold after S executes when b becomes false.

29 Finding counter-examples (cont'd)
P → I, (I ∧ ¬b) → Q
─────────────────────
{P} while b do S {Q}
For example, consider I: x=1 and the program
{x=1 ∧ y=-17}
while y<0 do
  y := y+1
  x := 2
end_while
{x=1}
Both antecedents hold (x=1 ∧ y=-17 → x=1, and x=1 ∧ y≥0 → x=1), but the body sets x := 2, so the conclusion {x=1} while y<0 do ... {x=1} is FALSE.
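The recipe on the preceding slides (antecedents true, conclusion false) can be checked mechanically for the program above when the state space is finite. This is an added example, not code from the slides; the finite grid of (x, y) states and the step bound are assumptions.

```python
# Added example: confirm the counter-example to the fallacious ROI
#   P -> I, (I ^ ~b) -> Q  /  {P} while b do S {Q}
# over a constructed finite state space: both antecedents hold for every
# state, yet the triple {P} while b do S {Q} is false.

STEP_LIMIT = 100   # assumption: bound on loop iterations for the bounded executor

# Assumption: states are pairs (x, y) with x in {1, 2} and y in [-20, 2].
STATES = [(x, y) for x in (1, 2) for y in range(-20, 3)]

P = lambda s: s[0] == 1 and s[1] == -17      # pre-condition {x=1 ^ y=-17}
I = lambda s: s[0] == 1                      # proposed invariant x=1
b = lambda s: s[1] < 0                       # loop condition y<0
Q = lambda s: s[0] == 1                      # post-condition {x=1}

def S(s):                                    # loop body: y := y+1; x := 2
    x, y = s
    return (2, y + 1)

def run_while(s):
    """Execute `while b do S` from s; None if it has not exited within STEP_LIMIT."""
    for _ in range(STEP_LIMIT):
        if not b(s):
            return s
        s = S(s)
    return None

def antecedents_hold():
    """Check P -> I and (I ^ ~b) -> Q for every state in STATES."""
    return all((not P(s) or I(s)) and (not (I(s) and not b(s)) or Q(s))
               for s in STATES)

def triple_counterexamples():
    """Initial states satisfying P from which the loop exits in a state violating Q."""
    found = []
    for s in STATES:
        if P(s):
            final = run_while(s)
            if final is not None and not Q(final):
                found.append((s, final))
    return found

if __name__ == "__main__":
    print("antecedents hold:", antecedents_hold())         # True
    print("counter-examples:", triple_counterexamples())   # [((1, -17), (2, 0))]
```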

30 A really smokin’ example...
Consider the following assertion/ROI:
“People who wear red shirts do not smoke.”
= Wears red shirts(X) ⇒ Does not smoke(X)
Wears red shirts(X)
─────────────────────
Does not smoke(X)

31 A really smokin’ example... (cont’d)
Is the assertion valid (true)? No. Proof by counterexample: This person satisfies the antecedent, but not the consequent!

32 Another example
Does [(P ∧ ¬b) → Q] ⇒ [{P} while b do S {Q}]? That is, is the following ROI valid?
(P ∧ ¬b) → Q
─────────────────────
{P} while b do S {Q}
Counterexample:
{x=0}
while y<>5 do x := x+1; y := y+1
{x=0 ∧ y=5}
for some initial value of y < 5.

33 Problem 1, Exam 2, Spring ‘11
1. Consider the assertion of weak correctness: {z<0} S {y=z+1}. Which of the following observations/facts would allow one to deduce that the assertion is FALSE and which would not?

a. For some initial values of z, S terminates with the final value of y being less than the final value of z.
Would not: The initial values of z for which this observation holds may NOT satisfy the pre-condition {z<0}.

b. Whenever the initial value of z is greater than -5, the final value of y is less than the final value of z if S happens to terminate.
Would not: The values of z for which this observation holds and for which the given pre-condition {z<0} holds may NOT result in termination.

c. When the initial value of z is -1, S terminates and the final value of y is 17.
Would not: The fact that y=17 on termination does NOT contradict the given post-condition {y=z+1}, since the value of z could be 16 on termination.

d. Whenever the initial value of z is even, S terminates with the final values of both z and y being odd.
Would: Since there are clearly initial values of z that satisfy the pre-condition AND are even, the fact that the observed result contradicts the given post-condition implies that the assertion is false.

e. wp(S, y=z+1) = z≥0
Would not: The observation implies that there are no initial values of z satisfying the given pre-condition for which S will terminate in state Q, but it does NOT imply that the assertion is not vacuously correct, since S may not terminate for any initial values of z<0.

f. wp(S, y=z) = true
Would: The observation implies that S will terminate for all initial values of z (including those satisfying the given pre-condition) in a state that is inconsistent with the given post-condition.

g. wp(S, y=17) = z<0, and whenever the initial value of z is greater than -5, the final value of y is less than the final value of z if S happens to terminate.
Would: The first observation implies that S will terminate for all initial values of z<0; the second observation (together with the first) implies that when z = -4, -3, -2, or -1, S will terminate in a state that is inconsistent with the asserted post-condition. (But not because y=17...)

47 Confusion re “undefined” and “I” (Identity function)
“I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this:
if (x>0) x := 9 end_if
Is [P] = (x>0 -> x := 9 | true -> I) or [P] = (x>0 -> x := 9 | true -> undefined)?”
