Functional Verification II Software Testing and Verification Lecture Notes 22 Prepared by Stephen M. Thebaut, Ph.D. University of Florida

Previously Verifying correctness in program reading, writing, and validation Complete and sufficient correctness Compound programs and the Axiom of Replacement

Topics: Correctness conditions and working correctness questions: sequencing decision statements

Sequencing Correctness Conditions Suppose we wish to show f = [G; H] First, hypothesize functions g, h and prove: g = [G] and h = [H] By the Axiom of Replacement, the problem then reduces to proving f = [g; h]

Sequencing Correctness Conditions Complete correctness condition for f = [g; h]: Prove: f = h o g Working correctness question: Does f equal h composed with g? Note: h o g(x) = h(g(x))

Sequencing Example Prove f = [P] where f = (x,y := y+2,y) and P is: x := y+2; y := x-2 Proof: Let G be x := y+2 and H be y := x-2. Then, by observation, g = (x,y := y+2,y) and h = (x,y := x,x-2).

Sequencing Example (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x,y := y+2,y) = [g; h] Does f equal h composed with g? h o g = (x,y := x,x-2) o (x,y := y+2,y) = (x,y := y+2,(y+2)-2) = (x,y := y+2,y) = f √

Conditional Function Composition Suppose g = (x,y := 3,x-1) and h = (y>0  x,y := x+1,-y | y≤0  x,y := x,y). What is h o g... ? = (y>0  x,y := x+1,-y | y≤0  x,y := x,y) o (x,y := 3,x-1) = (x-1>0  x,y := 3+1,-(x-1) | x-1≤0  x,y := 3,x-1) = (x>1  x,y := 4,1-x | x≤1  x,y := 3,x-1)

Conditional Function Composition Suppose g = (x,y := 3,x-1) and h = (y>0  x,y := x+1,-y | y≤0  x,y := x,y). What is g o h... ? = (x,y := 3,x-1) o (y>0  x,y := x+1,-y | y≤0  x,y := x,y) = (x,y := (y>0  3,(x+1)-1) | (y≤0  3,x-1)) = (y>0  x,y := 3,(x+1)-1) | y≤0  x,y := 3,x-1)) = (y>0  x,y := 3,x | y≤0  x,y := 3,x-1))

if_then Correctness Conditions Complete correctness conditions for f = [if p then G] (where g = [G] has already been shown): Prove: p  (f = g) Л ¬p  (f = I) Working correctness questions: When p is true, does f equal g? When p is false, does f equal Identity?

if_then Example Prove f = [K] where f = (x := -|x|) and K is: if x>0 then x := x-2*x Proof: Let G be x := x-2*x Then, by observation, g = (x := x-2x)

if_then Example (cont’d) Therefore, by the Axiom of Replacement, it is sufficient to show: f = (x := -|x|) = [if x>0 then x := x-2x] When p is true does f equal g? (x>0)  (f = (x := -x)) (x>0)  (g = (x := x-2x) √ = (x := -x)) When p is false does f equal identity? (x≤0)  (f = (x := x)) = I √

if_then_else Correctness Conditions Complete correctness conditions for f = [if p then G else H] (where g = [G] and h = [H] have already been shown): Prove: p  (f = g) Л ¬p  (f = h) Working correctness questions: When p is true, does f equal g? When p is false, does f equal h?

Exercise Prove f = [A] where f = (x=17  x,y := 17,20 | true  x,y := x,-x) and A is: if x= 17 then y := x+3 else y := -x end_if_else

Coming up next… Iteration Recursion Lemma (!) Termination predicate: term(f,P) Correctness conditions for while_do statement Correctness conditions for repeat_until statement

Functional Verification II Software Testing and Verification Lecture Notes 22 Prepared by Stephen M. Thebaut, Ph.D. University of Florida