Exam 2 Help Session
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida
Software Testing and Verification
• A student writes:
I would like to request you to provide some tips on hypothesizing functions for given programs. I refer in particular to Example 2 of Lecture Notes #24 and Question 1 of the self check quiz in lesson plan for Lectures Notes #’s 24 and 25.
Although I followed the concept of synthesizing limited invariants, I found it difficult to come up with a function to represent the given program when I attempted these on my own.
• General Rule of Thumb for hypothesizing functions of compound programs:
– Work top-down, and
– Use the Axiom of Replacement
• Good example (nested if_then’s + sequencing): problem 4 of Problem Set 7
• For while loops, see examples 1 and 2 from Lecture Notes #21.
Example 2 (from Lecture Notes #24)
• Consider the assertion:
{n≥0}
p := 1
k := 0
while k<>n do
  p := p*2
  k := k+1
end_while
{p=2^n}
What function, f, is computed by the while loop?
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
– When will P terminate?
– What measure would you use to prove this using the method of Well-Founded Sets?
– Use the measure in one or more conditional rules describing the function.
– For this case, the initial relationship between k and n determines three different loop “behaviors.” (What are they?)
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
– k<n → p,k := p·2^(n−k), n
– k=n → p,k := p,k (= p·2^(n−k), n, since n−k = 0)
– k>n → undefined
Therefore,
[P] = (k≤n → p,k := p·2^(n−k), n)
Problem 1 from Self-Check Quiz
• Consider the assertion:
y := 0
t := x
while t<>k do
  t := t–1
  y := y+1
end_while
What function, f, is computed by the while loop?
Problem 1 from Self-Check Quiz (cont'd)
• P = while t<>k do t,y := t–1,y+1
– t>k → t,y := k, y+1·(t–k) = k, y+t–k
– t=k → t,y := t,y (= k, y+t–k, since t–k = 0)
– t<k → undefined
Therefore,
[P] = (t≥k → t,y := k, y+t–k)
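The two hypothesized functions above can be checked mechanically: run each loop from a grid of start states and compare the result with the conditional rule, passing the well-founded-set measure (n−k, resp. t−k) so that the termination argument is checked on every iteration. This is an added example, not part of the slides; the helper names (run_loop, f_example2, f_problem1, STEP_LIMIT) and the test grids are my own.

```python
# Added example (not from the slides): execute the two loops and compare the
# result with the hypothesized functions [P]. The helper names (run_loop,
# f_example2, f_problem1, STEP_LIMIT) and the test grids are my own.

STEP_LIMIT = 1000  # bound used to detect the "undefined" (non-terminating) cases


def run_loop(state, guard, body, measure=None):
    """Execute `while guard do body` from `state` (a dict of variables).

    Returns the final state, or None if the loop has not stopped after
    STEP_LIMIT iterations. When `measure` is supplied, check the well-founded
    set argument: the measure is a non-negative integer before every iteration
    and strictly decreases across it.
    """
    s = dict(state)
    for _ in range(STEP_LIMIT):
        if not guard(s):
            return s
        if measure is not None:
            before = measure(s)
            assert before >= 0, f"measure {before} is negative: no termination proof"
        s = body(s)
        if measure is not None:
            assert measure(s) < before, "measure did not decrease"
    return None


# Example 2: P = while k<>n do p,k := 2p,k+1; measure n-k (valid when k<=n).
def f_example2(s):
    """Hypothesized [P] = (k<=n -> p,k := p*2^(n-k), n); undefined (None) otherwise."""
    if s["k"] <= s["n"]:
        return {"p": s["p"] * 2 ** (s["n"] - s["k"]), "k": s["n"], "n": s["n"]}
    return None


def check_example2():
    guard = lambda s: s["k"] != s["n"]
    body = lambda s: {**s, "p": 2 * s["p"], "k": s["k"] + 1}
    measure = lambda s: s["n"] - s["k"]
    for n in range(0, 6):
        for k in range(0, 6):
            for p in (1, 3):
                st = {"p": p, "k": k, "n": n}
                # Only pass the measure where it is a valid termination argument (k<=n).
                got = run_loop(st, guard, body, measure if k <= n else None)
                if got != f_example2(st):
                    return False
    return True


def whole_program_example2(n):
    """Top-down, by the Axiom of Replacement: p := 1; k := 0; P computes p = 2^n
    for n >= 0, i.e. [P] applied to the state left by the two assignments."""
    return f_example2({"p": 1, "k": 0, "n": n})["p"]


# Self-Check Problem 1: P = while t<>k do t,y := t-1,y+1; measure t-k (valid when t>=k).
def f_problem1(s):
    """Hypothesized [P] = (t>=k -> t,y := k, y+t-k); undefined (None) otherwise."""
    if s["t"] >= s["k"]:
        return {"t": s["k"], "y": s["y"] + s["t"] - s["k"], "k": s["k"]}
    return None


def check_problem1():
    guard = lambda s: s["t"] != s["k"]
    body = lambda s: {**s, "t": s["t"] - 1, "y": s["y"] + 1}
    measure = lambda s: s["t"] - s["k"]
    for t in range(-2, 5):
        for k in range(-2, 5):
            st = {"t": t, "y": 7, "k": k}
            if run_loop(st, guard, body, measure if t >= k else None) != f_problem1(st):
                return False
    return True
```

The k>n and t<k start states are the "undefined" rows of the conditional rules: the loop runs into the step bound and run_loop returns None, which is what the hypothesized function returns for those states as well. Note that the measure is deliberately not passed in those cases, since n−k (resp. t−k) is negative there and the well-founded-set argument does not apply.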
• Another student writes:
I have some questions about Exam 2 for Fall '07, problem No. 6, and I do not know how to make up a counterexample.
6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that the wp(Repeat s until b) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove “finalization” from the while loop ROI using the weakest pre-condition as an invariant. Does “finalization” from the Repeat_until ROI hold using the weakest pre-condition as an invariant?)
Answer: No. In general, wp(Repeat s until b, Q) cannot be used as an invariant with the Repeat_until ROI. In particular, (wp(Repeat s until b, Q) ∧ b) ⇒ Q does not hold in general. (Note that the ROI, via the “initialization” antecedent {P} s {I}, does not require “I” to hold until after s executes.)
ROI for while loop and repeat_until loop
P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
--------------------------------------
{P} while b do S {Q}

{P} S {I}, {I ∧ ¬b} S {I}, (I ∧ b) ⇒ Q
--------------------------------------
{P} repeat S until b {Q}
Note that for the repeat_until loop, "I" need not hold UNTIL AFTER S executes.
wp(repeat S until b, Q) = H1 ∨ H2 ∨ H3 ∨ ...
where:
H1 = wp(S, b ∧ Q)
H2 = wp(S, ¬b ∧ H1)
H3 = wp(S, ¬b ∧ H2)
...
Hk = wp(S, ¬b ∧ Hk−1)
Note that b ∧ (H1 ∨ H2 ∨ H3 ∨ ...) ⇒ Q does not hold in general.
Finding counter-examples
• Suppose you wish to prove (A => B) is FALSE.
• This can be done by finding just one case for which A is true and B is false. This case is referred to as a "counter-example".
• So, to prove that the hypothesized ROI:
A, B, C
--------------------------------------
{P} while b do S {Q}
is FALSE, find one case for which A, B, and C are each true, but {P} while b do S {Q} is FALSE.
Finding counter-examples (cont'd)
• How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI.
• For example, what's the fallacy in the following ROI?
P ⇒ I, (I ∧ ¬b) ⇒ Q
--------------------------------------
{P} while b do S {Q}
Answer: The two antecedents do not require that "I" holds after S executes! So, choose P, b, S, Q, and I such that the two antecedents hold, but neither I nor Q will hold after S executes when b becomes false.
Finding counter-examples (cont'd)
P ⇒ I, (I ∧ ¬b) ⇒ Q
--------------------------------------
{P} while b do S {Q}
For example, consider, for I: x=1
{x=1 ∧ y=-17}
while y<0 do
  y := y+1
  x := 2
end_while
{x=1}
Both antecedents hold (P ⇒ x=1, and x=1 ∧ y≥0 ⇒ x=1), but the loop body sets x := 2, so x=1 is false on termination.
Problem 2, Exam 2, Summer ‘09
2. Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle “necessarily true” or “not necessarily true” for each of the following assertions.
b. {K Л b} S {K} true (See Lecture Notes #20.)
Loop Invariants and wp’s
• In general, will loops terminate when P ⇒ wp? √
• For while loops, does {wp ∧ b} S {wp}? √
• Does (wp ∧ ¬b) ⇒ Q? √
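Over a small finite state space, wp(while b do S, Q) and wp(repeat S until b, Q) can be computed as sets of states by the H1 ∨ H2 ∨ ... construction shown earlier for repeat_until (and the analogous H0 = ¬b ∧ Q, Hk = b ∧ wp(S, Hk−1) chain for while, which the slides attribute to Lecture Notes #20 without restating), and the three checks above can then be run directly. The block below is an added example, not from the slides: the state space (x in 0..11), the two constructed loops (x := x+1 with guards x<5 and "x is odd") and the names wp_while, wp_repeat, while_wp_properties, repeat_from_K_and_b and repeat_invariant_failure are my own. It also exhibits a state where wp(repeat S until b, Q) ∧ b holds but Q does not, the point made in the Fall '07 problem 6 answer.

```python
# Added example (not from the slides): compute wp for a while loop and a
# repeat_until loop over a constructed finite state space, then test the
# properties asked about above. Programs, state space and names are mine.

STATES = range(0, 12)  # constructed finite state space: x takes these values


def wp_while(S, b, Q, states=STATES):
    """H0 = ¬b ∧ Q, Hk = b ∧ wp(S, H(k-1)); wp(while b do S, Q) = union of all Hk.

    For a deterministic S over a finite set, wp(S, R) = {s : R(S(s))}, so every
    Hk is a set of states and the union stabilises after finitely many steps.
    """
    H = {s for s in states if not b(s) and Q(s)}
    wp = set(H)
    while H:
        H = {s for s in states if b(s) and S(s) in H}
        if H <= wp:          # no new states: all later Hk are subsets of wp too
            break
        wp |= H
    return wp


def wp_repeat(S, b, Q, states=STATES):
    """H1 = wp(S, b ∧ Q), Hk = wp(S, ¬b ∧ H(k-1)); wp(repeat S until b, Q) = union."""
    H = {s for s in states if b(S(s)) and Q(S(s))}
    wp = set(H)
    while H:
        H = {s for s in states if not b(S(s)) and S(s) in H}
        if H <= wp:
            break
        wp |= H
    return wp


inc = lambda x: x + 1   # S: x := x+1 (constructed body, used by both loops)
lt5 = lambda x: x < 5   # b for the while loop
eq5 = lambda x: x == 5  # Q for the while loop


def while_wp_properties():
    """For K = wp(while b do S, Q): is {K ∧ b} S {K}, and does (K ∧ ¬b) ⇒ Q?"""
    K = wp_while(inc, lt5, eq5)
    inv_preserved = all(inc(s) in K for s in K if lt5(s))
    exit_gives_Q = all(eq5(s) for s in K if not lt5(s))
    return inv_preserved, exit_gives_Q


def repeat_from_K_and_b():
    """Summer '09 2(e): {K ∧ b} repeat S until ¬b {Q}, i.e. every state in
    K ∧ b lies in wp(repeat S until ¬b, Q)."""
    K = wp_while(inc, lt5, eq5)
    W = wp_repeat(inc, lambda x: not lt5(x), eq5)
    return all(s in W for s in K if lt5(s))


odd = lambda x: x % 2 == 1  # b for the repeat loop
eq3 = lambda x: x == 3      # Q for the repeat loop


def repeat_invariant_failure():
    """States where wp(repeat S until b, Q) ∧ b holds but Q does not.  Any such
    state shows that the repeat_until wp fails the ROI's (I ∧ b) ⇒ Q antecedent,
    so it cannot be used as the invariant."""
    W = wp_repeat(inc, odd, eq3)
    return sorted(s for s in W if odd(s) and not eq3(s))
```

For the repeat loop, x=1 is in wp (the body runs once to x=2, the exit test fails, it runs again to x=3, and the loop stops in Q), x=1 is odd, so b holds on entry, yet Q is false at x=1. That is exactly the situation the Repeat_until ROI tolerates because "I" is only required after the first execution of S.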
Problem 2, Exam 2, Summer ‘09 (cont’d)
e. {K Л b} repeat S until ¬b {Q} true
(Flowchart on the slide: repeat S until ¬b is S followed by while b do S. Starting from {K ∧ b}, the first execution of S establishes K (since {K ∧ b} S {K}); the remaining while b do S preserves K and exits into {Q} (since (K ∧ ¬b) ⇒ Q).)
Problem 3, Exam 2, Summer ‘09
3. Circle either “true” or “false” for each of the following assertions.
k. ({P} S {Q}) ⇒ ({P} if b then S {(Q b)})
False
The assertion may seem plausible, but consider:
{z=1} y:=5 {z=1} holds, but
{z=1} if x=0 then y:=5 {(z=1 x=0)} does not.
Problem 2, Exam 2, Spring ‘10
2. Circle either “true” or “false” for each of the following assertions.
h. [{P ∧ b} S {Q}] ⇒ [{P} while b do S {Q}]
False
Consider the counterexample:
{x=0} while x<5 do x:=x+1 {x=1}
• A student writes:
We've learned two ways of identifying loop invariant "I": a heuristic approach and a more systematic approach. My question is: since a systematic approach seems to be more effective, can we always use it to find I for all the problems?
• Unfortunately, no. The concept of an “invariant” as described in the context of axiomatic verification is directly related to a Rule of Inference (ROI), e.g.:
P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
--------------------------------------
{P} while b do S {Q}
• The antecedents represent the necessary and sufficient requirements for I (in terms of P, b, S, and Q) in order to use the ROI to deduce {P} while b do S {Q}.
• The heuristics considered in class are motivated by these necessary and sufficient requirements, and are therefore dependent on the program’s specification (P and Q), as well as the program itself.
• In contrast, a (full) invariant as defined in Mill’s Invariant Status Theorem is a logical condition with properties:
q(X0), ( q(X) ∧ p(X) ) ⇒ q∘g(X), and ( q(X) ∧ ¬p(X) ) ⇒ ( X = f(X0) )
where q(X) = ( f(X) = f(X0) ).
• The function f = [while p do g], which is “characterized by q on termination,” need not be consistent with the pre- and post-condition used to specify the program by a user/designer.
• Thus, an invariant derived using the Invariant Status Theorem may or may not allow one to prove that a user/designer specified post-condition will hold on termination of a loop.
• In “reasonable” cases, however, q may be useful, at least as a starting point, in a trial-and-error process.
• Additional research is needed to fully explore this area.
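The point that q is tied to f rather than to the designer's specification can be seen on the Example 2 loop. Below is an added example, not from the slides: it takes f = [while k<>n do p,k := 2p,k+1] = (k≤n → p,k := p·2^(n−k), n), builds q(X) = (f(X) = f(X0)) from it, checks the three properties of the Invariant Status Theorem over a grid of states, and then shows that the termination state q characterises satisfies the designer's post-condition p = 2^n only for entry states that happen to fix p = 1. The function names (f, p_guard, g, q, invariant_status_holds, designer_post_holds) and the grid are my own.

```python
# Added example (not from the slides): the "full" invariant q(X) = (f(X) = f(X0))
# of Mills' Invariant Status Theorem for the Example 2 loop
#   while k<>n do p,k := 2p,k+1      with  f = [P] = (k<=n -> p,k := p*2^(n-k), n).
# States are tuples X = (p, k, n). Names and the test grid are my own.

def f(X):
    """[while k<>n do p,k := 2p,k+1]; None where the loop does not terminate."""
    p, k, n = X
    return (p * 2 ** (n - k), n, n) if k <= n else None


def p_guard(X):
    """The loop predicate p(X) of the theorem: k<>n."""
    return X[1] != X[2]


def g(X):
    """The loop body g(X): p,k := 2p,k+1."""
    p, k, n = X
    return (2 * p, k + 1, n)


def q(X, X0):
    """q(X) = (f(X) = f(X0)): the states from which the loop ends where it ends from X0."""
    return f(X) == f(X0)


def invariant_status_holds(X0, grid=range(-3, 8)):
    """Check, for q relative to X0 and all X = (p, k, n) in the grid:
    q(X0);  (q(X) ∧ p(X)) ⇒ q(g(X));  (q(X) ∧ ¬p(X)) ⇒ X = f(X0)."""
    if not q(X0, X0):
        return False
    for p in range(1, 33):
        for k in grid:
            for n in grid:
                X = (p, k, n)
                if q(X, X0) and p_guard(X) and not q(g(X), X0):
                    return False
                if q(X, X0) and not p_guard(X) and X != f(X0):
                    return False
    return True


def designer_post_holds(X0):
    """Does the designer's post-condition p = 2^n hold in the termination state
    f(X0) that q characterises?  q says nothing about this by itself: it only
    holds when the entry state has already arranged p = 1 (as p := 1; k := 0 does)."""
    final = f(X0)
    return final is not None and final[0] == 2 ** final[2]
```

With entry state (1, 0, 4) the loop ends at (16, 4, 4) and the post-condition p = 2^n holds; with (3, 0, 4) it ends at (48, 4, 4), q is just as valid an invariant, but the designer's post-condition fails. That is the sense in which an invariant obtained from the Invariant Status Theorem may or may not let one prove a user-specified post-condition.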
• A student writes:
I still have trouble in providing counter examples...
• Consider the following assertion/ROI:
“People who wear red shirts do not smoke.”
= Wears red shirts(X) ⇒ Does not smoke(X)
= Wears red shirts(X)
  --------------------
  Does not smoke(X)
• Is the assertion valid (true)?
• No. Proof by counterexample: (the slide shows a picture of a person who wears a red shirt and smokes)
• This person satisfies the antecedent, but not the consequent!
More examples
Does [(P ∧ ¬b) ⇒ Q] ⇒ [{P} while b do S {Q}] ?
= (P ∧ ¬b) ⇒ Q
  --------------------------------------
  {P} while b do S {Q}
Counterexample:
{x=0} while y<>5 do x := x+1; y := y+1 {x=0 ∧ y=5}
The antecedent holds (x=0 ∧ y=5 ⇒ x=0 ∧ y=5), but from x=0 with y≠5 the loop either increments x, so x=0 is false on termination, or (for y>5) never terminates.
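The counterexample recipe from the "Finding counter-examples" slides (every antecedent of the proposed ROI true, the conclusion {P} while b do S {Q} false) can be checked by brute force over a small state space. The block below is an added example, not from the slides: it encodes the three counterexamples above (the I: x=1 loop for the ROI that omits {I ∧ b} S {I}, Spring '10 2(h), and the (P ∧ ¬b) ⇒ Q example) and returns, for each, whether the antecedents hold and whether the conclusion holds. The helpers run_while, hoare_while, hoare_straight, implies, the iteration bound LIMIT and the state grids are my own; the loops and assertions are the ones on the slides.

```python
# Added example (not from the slides): exhaustive checks of proposed while-loop
# rules of inference over small state spaces. A counterexample to an ROI is a
# choice of P, b, S, Q (and I) with all antecedents true and the conclusion
# {P} while b do S {Q} false. Helper names, LIMIT and state grids are mine.
import itertools

LIMIT = 100  # iteration bound: a loop still running after LIMIT steps counts as non-terminating


def run_while(s, b, S):
    """Execute `while b do S` from state s; None if it does not stop within LIMIT steps."""
    for _ in range(LIMIT):
        if not b(s):
            return s
        s = S(s)
    return None


def hoare_while(P, b, S, Q, states):
    """{P} while b do S {Q} (total correctness) over the given states."""
    for s in states:
        if P(s):
            t = run_while(s, b, S)
            if t is None or not Q(t):
                return False
    return True


def hoare_straight(P, S, Q, states):
    """{P} S {Q} for a loop-free body S."""
    return all(Q(S(s)) for s in states if P(s))


def implies(A, B, states):
    return all(B(s) for s in states if A(s))


XY = list(itertools.product(range(-20, 4), range(-20, 4)))  # constructed (x, y) grid


def counterexample_missing_preservation():
    """Faulty ROI 'P ⇒ I, (I ∧ ¬b) ⇒ Q / {P} while b do S {Q}' with I: x=1 and
    {x=1 ∧ y=-17} while y<0 do y:=y+1; x:=2 end_while {x=1}.
    Returns (all antecedents true?, conclusion true?)."""
    P = lambda s: s == (1, -17)
    I = lambda s: s[0] == 1
    b = lambda s: s[1] < 0
    S = lambda s: (2, s[1] + 1)          # y := y+1; x := 2
    Q = lambda s: s[0] == 1
    antecedents = implies(P, I, XY) and implies(lambda s: I(s) and not b(s), Q, XY)
    return antecedents, hoare_while(P, b, S, Q, XY)


def counterexample_body_only():
    """Spring '10 2(h): [{P ∧ b} S {Q}] ⇒ [{P} while b do S {Q}] with
    {x=0} while x<5 do x:=x+1 {x=1}."""
    X = range(-2, 10)
    P, b, S, Q = (lambda x: x == 0), (lambda x: x < 5), (lambda x: x + 1), (lambda x: x == 1)
    return hoare_straight(lambda x: P(x) and b(x), S, Q, X), hoare_while(P, b, S, Q, X)


def counterexample_exit_only():
    """[(P ∧ ¬b) ⇒ Q] ⇒ [{P} while b do S {Q}] with
    {x=0} while y<>5 do x := x+1; y := y+1 {x=0 ∧ y=5}."""
    states = list(itertools.product(range(-3, 8), range(-3, 8)))
    P = lambda s: s[0] == 0
    b = lambda s: s[1] != 5
    S = lambda s: (s[0] + 1, s[1] + 1)
    Q = lambda s: s[0] == 0 and s[1] == 5
    return implies(lambda s: P(s) and not b(s), Q, states), hoare_while(P, b, S, Q, states)
```

Each function returns (True, False): the antecedents of the proposed rule are satisfied and its conclusion is not, which is what makes the case a counterexample. The same harness refutes any other proposed ROI by supplying its antecedents as predicates over the grid; the state grids only need to be large enough to contain the states the loop actually visits, and LIMIT is what turns a non-terminating run into a failed conclusion.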
From Exam 2, Spring ‘10, problem 2
True or False?
c. {x=5} while k <= 5 do k := k+3 {k-x≥0} strongly
e. {wp(S, Q)} x>0} x := 17; S {Q}
Confusion re “undefined” and “I” (Identity function)
“I am confused about ‘undefined’ and ‘I’. Suppose we have the program P like this:
if (x>0) x := 9 end_if
Is [P] = (x>0 -> x := 9|true -> I) or
[P] = (x>0 -> x := 9|true -> undefined)?