Exercise Solutions: Functional Verification Software Testing and Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 C f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 C f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 C S f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 C S f2 f3

Exercise (from Lecture Notes #21) “Identity” function: x,y := x,y Given P = if x>=y then x,y := y,x f1 = (x>y  x,y := y,x | true  I) f2 = (x>y  x,y := y,x | x<y  I) f3 = (x≠y  x,y := y,x) Fill in the following “correctness table”: P C=Complete (and Sufficient) S=Sufficient (only) N=Neither f1 C S N f2 f3

Exercise (from Lecture Notes #22) Prove f = [A] where f = (x=17  x,y := 17,20 | true  x,y := x,-x) and A is: if x=17 then y := x+3 else y := -x end_if_else

if_then_else Correctness Conditions Correctness conditions for f = [if p then G else H] (where g = [G] and h = [H] have already been shown): Prove: p  (f = g) Л ¬p  (f = h) Working correctness questions: When p is true, does f equal g? When p is false, does f equal h?

Proof that f = [P] f = (x=17  x,y := 17,20 | true  x,y := x,-x) A: if x=17 then y := x+3 else y := -x end_if_else

Proof that f = [P] f = (x=17  x,y := 17,20 | true  x,y := x,-x) A: if x=17 then y := x+3 G else y := -x H end_if_else

Proof that f = [P] f = (x=17  x,y := 17,20 | true  x,y := x,-x) A: if x=17 then y := x+3 G else y := -x H end_if_else By observation, g = x,y := x,x+3 h = x,y := x,-x

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? When p is false does f equal h? g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) When p is false does f equal h? g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) When p is false does f equal h? g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) = (x,y := 17,20)) When p is false does f equal h? g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) √ = (x,y := 17,20)) When p is false does f equal h? g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) √ = (x,y := 17,20)) When p is false does f equal h? (x≠17)  (f = (x,y := x,-x)) g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) √ = (x,y := 17,20)) When p is false does f equal h? (x≠17)  (f = (x,y := x,-x)) (x≠17)  (h = (x,y := x,-x)) g p h

Proof that f = [P] (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x=17  x,y := 17,20 | true  x,y := x,-x) = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)] When p is true does f equal g? (x=17)  (f = (x,y := 17,20)) (x=17)  (g = (x,y := x,x+3) √ = (x,y := 17,20)) When p is false does f equal h? (x≠17)  (f = (x,y := x,-x)) (x≠17)  (h = (x,y := x,-x)) g p h √

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f:

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t :=

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i | i≥n 

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i | i≥n  I)

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i | i≥n  I) Alternative f:

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i | i≥n  I) Alternative f: (i≤n  i,t := n,txn-i | i>n  I)

Exercise 1 (from Lecture Notes #23) For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M]. while i<n do t := t*x i := i+1 end_while Hypothesized f: (i<n  i,t := n,txn-i | i≥n  I) Alternative f: (i≤n  i,t := n,txn-i | i>n  I) Does it make any difference which we use?

while_do Correctness Conditions Correctness conditions for f = [K] = [while p do G] (where K is closed for the domain of f†, and g = [G]): Prove: term(f,K) Л p  (f = f o g) Л ¬p  (f = I) †The loop K is closed for a set of data states S  [XS Л p(X)  g(X)S]

Proof that f = [M] f = (i<n  i,t := n,txn-i | i≥n  I) M: while i<n do t := t*x i := i+1 end_while

Proof that f = [M] f = (i<n  i,t := n,txn-i | i≥n  I) M: while i<n do t := t*x i := i+1 end_while p G

Proof that f = [M] f = (i<n  i,t := n,txn-i | i≥n  I) M: while i<n do t := t*x i := i+1 end_while By observation, g = [G] = (i,t := i+1,tx) and M is closed for D(f). p G

Proof that f = [M] f = (i<n  i,t := n,txn-i | i≥n  I) M: while i<n do t := t*x i := i+1 end_while By observation, g = [G] = (i,t := i+1,tx) and M is closed for D(f). Is loop termination guaranteed for any argument in D(f)? p G

Proof that f = [M] f = (i<n  i,t := n,txn-i | i≥n  I) M: while i<n do t := t*x i := i+1 end_while By observation, g = [G] = (i,t := i+1,tx) and M is closed for D(f). Is loop termination guaranteed for any argument in D(f)? YES. (Show this using the Method of Well-Founded Sets.) p G

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )?

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ Does (i<n)  ( f = f o g )? ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ Does (i<n)  ( f = f o g )? (i<n)  ( f = i,t := n,txn-i ) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ Does (i<n)  ( f = f o g )? (i<n)  ( f = i,t := n,txn-i ) (i<n)  ( f o g = f o (i,t := i+1,tx) ) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ Does (i<n)  ( f = f o g )? (i<n)  ( f = i,t := n,txn-i ) (i<n)  ( f o g = f o (i,t := i+1,tx) ) What is f when applied after g changes the initial value of i? ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i≥n)  ( f = I )? √ Does (i<n)  ( f = f o g )? (i<n)  ( f = i,t := n,txn-i ) (i<n)  ( f o g = f o (i,t := i+1,tx) ) What is f when applied after g changes the initial value of i? There are two cases to consider: i=n-1 & i<n-1 ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-i ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-i ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = f o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) = ? o (i,t := n,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) since gi(i=n-1) = n ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case a: √ (i=n-1)  ( f = i,t := n,txn-(n-1) = i,t := n,tx ) (i=n-1)  ( f o g = ? o (i,t := i+1,tx) = ? o (i,t := n-1+1,tx) = I o (i,t := n,tx) = (i,t := n,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = f o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = ? o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) since gi(i<n-1) < n ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? case b: (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Proof that f = [M] (cont’d) Does (i<n)  ( f = f o g )? √ case b: √ (i<n-1)  ( f = i,t := n,txn-i ) (i<n-1)  ( f o g = (i,t := n,txn-i) o (i,t := i+1,tx) = (i,t := n,(tx)xn-(i+1)) = (i,t := n,(tx)xn-i-1) = (i,t := n,txn-i-1+1) = (i,t := n,txn-i) ( Recall: f = (i<n  i,t := n,txn-i | i≥n  I) )

Exercise 2 (from Lecture Notes #23) For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0

Exercise 2 (from Lecture Notes #23) For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0 Hypothesized r:

Exercise 2 (from Lecture Notes #23) For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0 Hypothesized r: (x>0  x,y := ?,?

Exercise 2 (from Lecture Notes #23) For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0 Hypothesized r: (x>0  x,y := 0,?

Exercise 2 (from Lecture Notes #23) For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R]. repeat: x := x−1 y := y+2 until x=0 Hypothesized r: (x>0  x,y := 0,y+2x)

repeat_until Correctness Conditions Correctness conditions for f = [R] = [repeat G until p] (where R is closed for the domain of f†, and g = [G]): Prove: term(f,R) Л (p o g)  (f = g) Л ¬(p o g)  (f = f o g) †A repeat_until loop is closed for a set of data states S  [XS Л ¬pog(X)  g(X)S]

Proof that r = [R] r = (x>0  x,y := 0,y+2x) R: repeat: x := x−1 until x=0

Proof that r = [R] r = (x>0  x,y := 0,y+2x) R: repeat: x := x−1 until x=0 G p

Proof that r = [R] r = (x>0  x,y := 0,y+2x) R: repeat: until x=0 R is closed for D(r) and g = [G] = (x,y := x-1,y+2) by observation G p

Proof that r = [R] r = (x>0  x,y := 0,y+2x) R: repeat: until x=0 R is closed for D(r) and g = [G] = (x,y := x-1,y+2) by observation Is loop termination guaranteed for any argument in D(r)? G p

Proof that r = [R] r = (x>0  x,y := 0,y+2x) R: repeat: until x=0 R is closed for D(r) and g = [G] = (x,y := x-1,y+2) by observation Is loop termination guaranteed for any argument in D(r)? YES. (Show this using the Method of Well-Founded Sets.) G p

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  ? ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) (x=1)  ( r = (x,y := 0,y+2x) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) (x=1)  ( r = (x,y := 0,y+2x) = (x,y := 0,y+2) ) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) (x=1)  ( r = (x,y := 0,y+2x) = (x,y := 0,y+2) ) (x=1)  ( g = (x,y := x-1,y+2) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) (x=1)  ( r = (x,y := 0,y+2x) = (x,y := 0,y+2) ) (x=1)  ( g = (x,y := x-1,y+2) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does (p o g)  (r = g) ? [ (x=0) o (x,y := x-1,y+2) ]  (x0=1) (x=1)  ( r = (x,y := 0,y+2x) = (x,y := 0,y+2) ) (x=1)  ( g = (x,y := x-1,y+2) √ ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ¬[ (x=0) o (x,y := x-1,y+2) ]  (x0≠1) Thus, there are 2 cases to consider: x0<1 and x0>1. ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ¬[ (x=0) o (x,y := x-1,y+2) ]  (x0≠1) Thus, there are 2 cases to consider: x0<1 and x0>1. case a: (x<1)  ( r = undefined ) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ¬[ (x=0) o (x,y := x-1,y+2) ]  (x0≠1) Thus, there are 2 cases to consider: x0<1 and x0>1. case a: (x<1)  ( r = undefined ) (x<1)  ( r o g = undefined o g since ((x>0) o g(x<1)) = false ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ¬[ (x=0) o (x,y := x-1,y+2) ]  (x0≠1) Thus, there are 2 cases to consider: x0<1 and x0>1. case a: (x<1)  ( r = undefined ) (x<1)  ( r o g = undefined o g = undefined ) since ((x>0) o g(x<1)) = false ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) Does ¬(p o g)  (r = r o g) ? ¬[ (x=0) o (x,y := x-1,y+2) ]  (x0≠1) Thus, there are 2 cases to consider: x0<1 and x0>1. case a: (x<1)  ( r = undefined ) (x<1)  ( r o g = undefined o g = undefined ) since ((x>0) o g(x<1)) = false √ ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) ) ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) ) √ ( Recall: r = (x>0  x,y := 0,y+2x) )

Proof that r = [R] (cont’d) case b: (x>1)  ( r = (x,y := 0,y+2x) ) (x>1)  ( r o g = (x,y := 0,y+2x) o (x,y := x-1,y+2) since ((x>0) o g(x>1)) = true = (x,y := 0,(y+2)+2(x-1)) = (x,y := 0,(y+2+2x-2)) = (x,y := 0,y+2x) ) Therefore, ¬(p o g)  (r = r o g) √ √ ( Recall: r = (x>0  x,y := 0,y+2x) )

Exercise (from Lecture Notes #24) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem. {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Exercise (from Lecture Notes #24) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem. What function, h, is computed by the loop initialization? {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY}

Exercise (from Lecture Notes #24) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem. What function, h, is computed by the loop initialization? {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} (Z,J := X,1)

Exercise (from Lecture Notes #24) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem. What function, h, is computed by the loop initialization? {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} (Z,J := X,1) What function, f, is computed by the while loop?

Exercise (from Lecture Notes #24) Derive a limited invariant for the initialized while loop using the Invariant Status Theorem. What function, h, is computed by the loop initialization? {true} Z := X J := 1 while J<>Y do Z := Z+X J := J+1 end_while {Z=XY} (Z,J := X,1) What function, f, is computed by the while loop? (J≤Y  Z,J,X := Z+X(Y-J),Y,X)

For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: X f(X) foh(X0) Z J X

For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: X f(X) foh(X0) Z Z+X(Y-J) J X

For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: X f(X) foh(X0) Z Z+X(Y-J) X0+X0(Y0-1) J X

For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: X f(X) foh(X0) Z Z+X(Y-J) X0+X0(Y0-1) J Y Y0 X X X0

X f(X) foh(X0) and equating components of f(X) and foh(X0): For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) Z Z+X(Y-J) X0+X0(Y0-1) J Y Y0 X X X0

X f(X) foh(X0) and equating components of f(X) and foh(X0): For f = (J≤Y  Z,J,X := Z+X(Y-J),Y,X), and h = (Z,J := X,1), an invariant qh(X)=( f(X)=foh(X0) ) can be derived by tabulating f(X) and foh(X0) for each member of the data space: and equating components of f(X) and foh(X0): X f(X) foh(X0) Z Z+X(Y-J) X0+X0(Y0-1) J Y Y0 X X X0 Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0 Z+X(Y-J) = X+X(Y-1)

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0 Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J)

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0 Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J) = XJ

equating f(X) and foh(X0): Z+X(Y-J) = X0+X0(Y0-1) Y = Y0 X = X0 Z+X(Y-J) = X+X(Y-1) Z = X+X(Y-1) - X(Y-J) = XJ Recall that in Example 3 of Lecture 18, we proved the given assertion using this invariant.

Exercise Solutions: Functional Verification Software Testing and Verification Prepared by Stephen M. Thebaut, Ph.D. University of Florida