1. Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Exam 2 Help Session
Software Testing and Verification
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida

2. A student writes:
I would like to request you to provide some tips on hypothesizing functions for given programs. I refer in particular to Example 2 of Lecture Notes #24 and Question 1 of the self check quiz in lesson plan for Lecture Notes #’s 24 and 25.
Although I followed the concept of synthesizing limited invariants, I found it difficult to come up with a function to represent the given program when I attempted these on my own.

3. General Rule of Thumb for hypothesizing functions of compound programs:
Work top-down, and
Use the Axiom of Replacement
Good example (nested if_then’s + sequencing): problem 4 of Problem Set 7
For while loops, see examples 1 and 2 from Lecture Notes #21.

4. Example 2 (from Lecture Notes #24)
Consider the assertion:
{n≥0}
p := 1
k := 0
while k<>n do
p := p*2
k := k+1
end_while
{p=2n}
What function, f, is computed by the while loop?

5. Example 2 (cont’d)
P = while k<>n do p,k := 2p,k+1

6. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
When will P terminate?
What measure would you use to prove this using the method of Well-Founded Sets?
Use the measure in one or more conditional rules describing the function.
For this case, the initial relationship between k and n determine three different loop “behaviors.” (What are they?)

7. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
k<n  p,k := ?,?
k=n  p,k := ?,?
k>n  p,k := ?,?

8. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
Number of times the body will execute
P = while k<>n do p,k := 2p,k+1
k<n  p,k := p2n−k,n
k=n  p,k := ?,?
k>n  p,k := ?,?
Value of k on termination

9. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
k<n  p,k := p2n−k,n
k=n  p,k := p,k
k>n  p,k := ?,?

10. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
k<n  p,k := p2n−k,n
k=n  p,k := p,k
:= p2n−k,n
k>n  p,k := ?,?

11. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
k<n  p,k := p2n−k,n
k=n  p,k := p,k
:= p2n−k,n
k>n  undefined

12. Example 2 (cont’d) P = while k<>n do p,k := 2p,k+1
k<n  p,k := p2n−k,n
k=n  p,k := p,k
:= p2n−k,n
k>n  undefined
Therefore,
[P] = (k≤n  p,k := p2n−k,n)

13. Problem 1 from Self-Check Quiz
Consider the assertion:
y := 0
t := x
while t<>k do
t := t–1
y := y+1
end_while
What function, f, is computed by the while loop?

14. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := ?,?
t=k  t,y := ?,?
t<k  t,y := ?,?

15. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
t=k  t,y := ?,?
t<k  t,y := ?,?

16. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
:= k,y+t-k
t=k  t,y := ?,?
t<k  t,y := ?,?

17. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
:= k,y+t-k
t=k  t,y := t,y
t<k  t,y := ?,?

18. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
:= k,y+t-k
t=k  t,y := t,y
t<k  t,y := ?,?

19. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
:= k,y+t-k
t=k  t,y := t,y
t<k  undefined

20. Problem 1 from Self-Check Quiz (cont'd)
P = while t<>k do t,y := t–1,y+1
t>k  t,y := k,y+1*(t-k)
:= k,y+t-k
t=k  t,y := t,y
t<k  undefined
Therefore,
[P] = (t≥k  t,y := k,y+t-k)

21. Another student writes:
I have some questions about exam 2 for fall 07, problem No 6.
...And I do not know how to make up counterexample.

22. 6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that the wp(Repeat s until b) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?)

23. 6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that the wp(Repeat s until b) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?)
Answer: No. In general, the wp(Repeat s until b, Q) cannot be used as an invariant with the Repeat_until ROI. In particular, (wp(Repeat s until b) Л b ≠> Q in general). (Note that the ROI –- i.e., via the “initialization” antecedent {P} s {I} -- does not require “I” to hold until after s executes.

24. ROI for while loop and repeat_until loop
P  I, {I Л b} S {I}, (I Л b)  Q
{P} while b do S {Q}
{P} S {I}, {I Л  b} S {I}, (I Л b)  Q
{P} repeat S until b {Q}
Note that for the repeat_until loop, "I" need not hold UNTIL AFTER S executes.

25. Note that b Л (H1 V H2 V H3 V...)  Q
wp(repeat S until b, Q) = H1 V H2 V H3 V...
where:
H1 = wp(S, b Л Q)
H2 = wp(S, ~b Л H1)
H3 = wp(S, ~b Л H2)
Hk = wp(S, ~b Л Hk-1)
Note that b Л (H1 V H2 V H3 V...)  Q
in general.

26. Finding counter-examples
Suppose you wish to prove (A => B) is FALSE.
This can be done by finding just one case for which A is true and B is false. This case is referred to as a "counter-example".
So, to prove that the hypothesized ROI:
A, B, C
{P} while b do S {Q}
is FALSE, find one case for which A, B, and C are each true, but {P} while b do S {Q} is FALSE. ?

27. Finding counter-examples (cont'd)
How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI.
For example, what's the fallacy in the following ROI?
P  I, (I Л b)  Q
{P} while b do S {Q} ?

28. Finding counter-examples (cont'd)
How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI.
For example, what's the fallacy in the following ROI?
P  I, (I Л b)  Q
{P} while b do S {Q}
Answer: The two antecedents do not require that "I" holds after S executes! So, choose P, b, S, Q, and I such that the two antecedents hold, but neither I nor Q will hold after S executes when b becomes false. ?

29. Finding counter-examples (cont'd)
P  I, (I Л b)  Q
{P} while b do S {Q}
For example, consider, for I: x=1
{x=1 Л y=-17}
while y<0 do
y := y+1
x := 2
end_while
{x=1} ?

30. A really smokin’ example...
Consider the following assertion/ROI:
“People who wear red shirts do not smoke.” =
Wears red shirts(X) => Does not smoke(X)
Wears red shirts(X)
Does not smoke(X)

31. A really smokin’ example... (cont’d)
Is the assertion valid (true)?
No. Proof by counterexample:
This person satisfies the antecedent, but not the consequent!

32. Another example
Does [(P Л ¬b)  Q]  [{P} while b do S {Q}] ? = (P Л ¬b)  Q {P} while b do S {Q} Counterexample: {x=0} while y<>5 do x := x+1; y := y+1 {x=0 Л y=5} ?

33. Problem 2, Exam 2, Summer ‘09
Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions.
b. {K Л b} S {K}

34. Problem 2, Exam 2, Summer ‘09
Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions.
b. {K Л b} S {K} true (See Lecture Notes #20.)

35. Loop Invariants and wp’s
In general, will loops terminate when
P  wp ?
For while loops, does {wp Л b} S {wp} ?
Does (wp Л ¬b)  Q ? √ √ √

36. Problem 2, Exam 2, Summer ‘09
Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions.
b. {K Л b} S {K} true (See Lecture Notes #20.)
e. {K Л b} repeat S until ¬b {Q}

37. Problem 2, Exam 2, Summer ‘09
Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions.
b. {K Л b} S {K} true (See Lecture Notes #20.)
e. {K Л b} repeat S until ¬b {Q} true

38. {K Л b} S T ¬b F
{Q} ?

39. {K Л b}
{K Л b} S S T = ¬b T ¬b F F S
{Q} ?
{Q} ?

40. S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} T F T F T F {Q} ? {Q} ?

41. S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} K since {K Л b} T F T F
{Q} ?
{Q} ?
{Q} ?

42. S S S = ¬b = b ¬b S S {K Л b} {K Л b} {K Л b} K since {K Л b} T F T F
{Q} ?
{Q} ?
{Q} 
since (K Л ¬b)  Q

43. Problem 3, Exam 2, Summer ‘09
3. Circle either “true” or “false” for each of the following assertions. k. ({P} S {Q})  ({P} if b then S {(Q  b)})

44. Problem 3, Exam 2, Summer ‘09
3. Circle either “true” or “false” for each of the following assertions. k. ({P} S {Q})  ({P} if b then S {(Q  b)}) False

45. The assertion may seem plausible, but consider:
Problem 3, Exam 2, Summer ‘09
3. Circle either “true” or “false” for each of the following assertions.
k. ({P} S {Q})  ({P} if b then S {(Q  b)})
False
The assertion may seem plausible, but consider:
{z=1} y:=5 {z=1}  {z=1} if x=0 then y:=5 {(z=1  x=0)} ?
where b (i.e., x=0) is false...

46. Problem 2, Exam 2, Spring ‘10
2. Circle either “true” or “false” for each of the following assertions. h. [{P Л b} S {Q}]  [{P} while b do S {Q}]

47. Problem 2, Exam 2, Spring ‘10
2. Circle either “true” or “false” for each of the following assertions. h. [{P Л b} S {Q}]  [{P} while b do S {Q}] False

48. Problem 2, Exam 2, Spring ‘10 {x=0} while x<5 do x:=x+1 {x=1}
2. Circle either “true” or “false” for each of the following assertions.
h. [{P Л b} S {Q}]  [{P} while b do S {Q}]
False
Consider the counterexample:
{x=0} while x<5 do x:=x+1 {x=1}

49. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

50. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

51. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly True e. {wp(S, Q)  x>0} x := 17; S {Q}

52. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q}

53. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False

54. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False How about: {x>0  wp(S, Q)} x := 17; S {Q} ?

55. From Exam 2, Spring ‘10, problem 2
True or False? c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly e. {wp(S, Q)  x>0} x := 17; S {Q} False How about: {x>0  wp(S, Q)} x := 17; S {Q} ? True

56. Confusion re “undefined” and “I” (Identity function)
“I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this: if (x>0) x := 9 end_if Is [P] = (x>0 -> x := 9|true -> I) or [P] = (x>0 -> x := 9|true -> undefined)?

57. Confusion re “undefined” and “I” (Identity function)
“I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this: if (x>0) x := 9 end_if Is [P] = (x>0 -> x := 9|true -> I) or [P] = (x>0 -> x := 9|true -> undefined)? 

58. Prepared by Stephen M. Thebaut, Ph.D. University of Florida
Exam 2 Help Session
Software Testing and Verification
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida