
Exam 2 Help Session

Exam 2 Help Session. Prepared by Stephen M. Thebaut, Ph.D., University of Florida. Software Testing and Verification.


Presentation Transcript


  1. Exam 2 Help Session Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification

  2. A student writes: I would like to request you to provide some tips on hypothesizing functions for given programs. I refer in particular to Example 2 of Lecture Notes #24 and Question 1 of the self-check quiz in the lesson plan for Lecture Notes #'s 24 and 25. Although I followed the concept of synthesizing limited invariants, I found it difficult to come up with a function to represent the given program when I attempted these on my own.

  3. General Rule of Thumb for hypothesizing functions of compound programs:
     • Work top-down, and
     • Use the Axiom of Replacement.
     • Good example (nested if_then's + sequencing): problem 4 of Problem Set 7.
     • For while loops, see examples 1 and 2 from Lecture Notes #21.

  4. Example 2 (from Lecture Notes #24) • Consider the assertion:
     {n≥0}
     p := 1
     k := 0
     while k<>n do
       p := p*2
       k := k+1
     end_while
     {p=2^n}
     What function, f, is computed by the while loop?

  5. Example 2 (cont'd) P = while k<>n do p,k := 2p,k+1. When will P terminate? What measure would you use to prove this using the method of Well-Founded Sets? Use the measure in one or more conditional rules describing the function. For this case, the initial relationship between k and n determines three different loop "behaviors." (What are they?)

  6. Example 2 (cont'd) • P = while k<>n do p,k := 2p,k+1
     k<n → p,k := p·2^(n−k), n
     k=n → p,k := p,k (= p·2^(n−k), n, since n−k = 0)
     k>n → undefined
     Therefore, [P] = (k≤n → p,k := p·2^(n−k), n)

  7. Problem 1 from Self-Check Quiz • Consider the assertion:
     y := 0
     t := x
     while t<>k do
       t := t−1
       y := y+1
     end_while
     What function, f, is computed by the while loop?

  8. Problem 1 from Self-Check Quiz (cont'd) P = while t<>k do t,y := t−1,y+1
     t>k → t,y := k, y+1·(t−k) = k, y+t−k
     t=k → t,y := t,y (= k, y+t−k, since t−k = 0)
     t<k → undefined
     Therefore, [P] = (t≥k → t,y := k, y+t−k)
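The function-hypothesizing steps of slides 5 through 8 can be checked mechanically. The block below is an added example, not the slides' own material: it runs both loops, compares the result with the hypothesized conditional rules, and tests the Well-Founded Sets measure n−k that justifies the k≤n case. All function names are mine.

```python
# Added example (not from the slides): check a hypothesized loop function
# against execution, plus the termination measure used in the WFS argument.
# Loops and hypotheses are those of slides 5-8; all function names are mine.

def loop_p(p, k, n, max_iters=1000):
    """P = while k<>n do p,k := 2p,k+1 (slide 5). Returns (p, k), or None
    when the bound is exhausted, which is how 'undefined' shows at run time."""
    for _ in range(max_iters):
        if k == n:
            return p, k
        p, k = 2 * p, k + 1
    return None

def hyp_p(p, k, n):
    """Hypothesized [P] = (k<=n -> p,k := p*2^(n-k), n); undefined for k>n."""
    return (p * 2 ** (n - k), n) if k <= n else None

def loop_t(t, y, k, max_iters=1000):
    """P = while t<>k do t,y := t-1,y+1 (slide 8)."""
    for _ in range(max_iters):
        if t == k:
            return t, y
        t, y = t - 1, y + 1
    return None

def hyp_t(t, y, k):
    """Hypothesized [P] = (t>=k -> t,y := k, y+t-k); undefined for t<k."""
    return (k, y + t - k) if t >= k else None

def measure_ok(k, n):
    """Well-founded-set measure n-k for loop_p: it must stay >= 0 and strictly
    decrease on every iteration. That fails on the first step when k > n."""
    prev = n - k
    while k != n:
        k += 1
        if not 0 <= n - k < prev:
            return False
        prev = n - k
    return True

def check_all(lo=-3, hi=5):
    """Hypothesis == execution on a grid; measure succeeds exactly when k<=n."""
    for n in range(lo, hi + 1):
        for k in range(lo, hi + 1):
            if loop_p(1, k, n) != hyp_p(1, k, n) or (k <= n) != measure_ok(k, n):
                return False
            if loop_t(k, 0, n) != hyp_t(k, 0, n):   # grid reused as (t, k)
                return False
    return True
```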

  9. Another student writes: I have some questions about exam 2 for fall 07, problem No. 6. And I do not know how to make up a counterexample.

  10. 6. (4 pts.) It was noted in class that wp(while b do s, Q) is the weakest (while) loop invariant which guarantees termination. Is it also the case that wp(Repeat s until b, Q) is the weakest (Repeat_until) loop invariant which guarantees termination? Carefully justify your answer. (Hint: recall that in Problem Set 6, you were asked to prove "finalization" from the while loop ROI using the weakest pre-condition as an invariant. Does "finalization" from the Repeat_until ROI hold using the weakest pre-condition as an invariant?) Answer: No. In general, wp(Repeat s until b, Q) cannot be used as an invariant with the Repeat_until ROI. In particular, wp(Repeat s until b, Q) ∧ b ⇏ Q in general. (Note that the ROI, i.e., via the "initialization" antecedent {P} s {I}, does not require "I" to hold until after s executes.)

  11. ROI for while loop and repeat_until loop
     P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
     -----------------------------------
     {P} while b do S {Q}

     {P} S {I}, {I ∧ ¬b} S {I}, (I ∧ b) ⇒ Q
     -----------------------------------
     {P} repeat S until b {Q}
     Note that for the repeat_until loop, "I" need not hold UNTIL AFTER S executes.

  12. wp(repeat S until b, Q) = H1 ∨ H2 ∨ H3 ∨ ... where:
     H1 = wp(S, b ∧ Q)
     H2 = wp(S, ¬b ∧ H1)
     H3 = wp(S, ¬b ∧ H2)
     ...
     Hk = wp(S, ¬b ∧ Hk−1)
     Note that b ∧ (H1 ∨ H2 ∨ H3 ∨ ...) ⇏ Q in general.
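The H-series of slide 12 is easy to compute once the state space is finite. The block below is an added example, not part of the slides: it builds wp(repeat S until b, Q) as H1 ∨ H2 ∨ ..., confirms it against direct execution, and exhibits a state where b ∧ wp holds but Q does not, which is why the finalization antecedent of slide 10 fails with I = wp. The program S, the test b, the post-condition Q and the state range are my own constructed choices.

```python
# Added example (not from the slides): compute wp(repeat S until b, Q) on a
# finite state space as the series H1 ∨ H2 ∨ H3 ∨ ... of slide 12, and show
# a state where b ∧ wp holds but Q fails. S, b, Q and STATES are my choices.

def wp(S, post, states):
    """wp(S, post) restricted to a finite set of candidate states."""
    return {s for s in states if post(S(s))}

def wp_repeat(S, b, Q, states, max_k=100):
    """H1 = wp(S, b ∧ Q); Hk = wp(S, ¬b ∧ Hk-1); wp = H1 ∨ H2 ∨ ...
    The series is cut off once it stops adding states (finite space)."""
    H = wp(S, lambda s: b(s) and Q(s), states)
    acc = set(H)
    for _ in range(max_k):
        H = wp(S, lambda s, H=H: (not b(s)) and s in H, states)
        if H <= acc:
            return acc
        acc |= H
    return acc

def run_repeat(S, b, s, max_iters=1000):
    """Execute repeat S until b from state s; None if it did not stop."""
    for _ in range(max_iters):
        s = S(s)
        if b(s):
            return s
    return None

# Constructed instance: the state is one integer x; S is x := x+1,
# b is x mod 5 = 0, and the post-condition Q is x = 5.
STATES = range(-2, 12)
S = lambda x: x + 1
b = lambda x: x % 5 == 0
Q = lambda x: x == 5

def wp_matches_execution():
    """The H-series equals {s : running the loop from s ends in Q}."""
    executed = set()
    for s in STATES:
        r = run_repeat(S, b, s)
        if r is not None and Q(r):
            executed.add(s)
    return wp_repeat(S, b, Q, STATES) == executed

def b_and_wp_but_not_Q():
    """States satisfying b ∧ wp but not Q: S runs at least once from them and
    the loop stops elsewhere, so the finalization antecedent (I ∧ b) ⇒ Q of
    the repeat_until ROI fails with I = wp (slide 10)."""
    return sorted(s for s in wp_repeat(S, b, Q, STATES) if b(s) and not Q(s))
```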

  13. Finding counter-examples • Suppose you wish to prove (A ⇒ B) is FALSE. • This can be done by finding just one case for which A is true and B is false. This case is referred to as a "counter-example". • So, to prove that the hypothesized ROI
     A, B, C
     -----------------------
     {P} while b do S {Q}
     is FALSE, find one case for which A, B, and C are each true, but {P} while b do S {Q} is FALSE.

  14. Finding counter-examples (cont'd) • How do you identify such a case? By exploiting the fallacy in the (FALSE) ROI. • For example, what's the fallacy in the following ROI?
     P ⇒ I, (I ∧ ¬b) ⇒ Q
     -----------------------
     {P} while b do S {Q}
     Answer: The two antecedents do not require that "I" holds after S executes! So, choose P, b, S, Q, and I such that the two antecedents hold, but neither I nor Q will hold after S executes when b becomes false.

  15. Finding counter-examples (cont'd)
     P ⇒ I, (I ∧ ¬b) ⇒ Q
     -----------------------
     {P} while b do S {Q}
     For example, consider, for I: x=1
     {x=1 ∧ y=−17}
     while y<0 do
       y := y+1
       x := 2
     end_while
     {x=1}

  16. Problem 2, Exam 2, Summer '09 • Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle "necessarily true" or "not necessarily true" for each of the following assertions. b. {K ∧ b} S {K} true (See Lecture Notes #20.)

  17. Loop Invariants and wp's • In general, will loops terminate when P ⇒ wp? √ • For while loops, does {wp ∧ b} S {wp}? √ • Does (wp ∧ ¬b) ⇒ Q? √

  18. Problem 2, Exam 2, Summer '09 • Suppose {P} while b do S {Q} for some P, Q, b, and S. Suppose, too, that K = wp(while b do S, Q). Circle "necessarily true" or "not necessarily true" for each of the following assertions. b. {K ∧ b} S {K} true (See Lecture Notes #20.) e. {K ∧ b} repeat S until ¬b {Q} true

  19. (Flowchart on the original slide, justifying 2e.) Start with {K ∧ b}; execute S; K now holds (since {K ∧ b} S {K}); test ¬b: if false, K ∧ b holds again and S executes once more; if true, exit with {Q} (since (K ∧ ¬b) ⇒ Q).

  20. Problem 3, Exam 2, Summer '09 3. Circle either "true" or "false" for each of the following assertions. k. ({P} S {Q}) ⇒ ({P} if b then S {(Q ∧ b)}) False The assertion may seem plausible, but consider: {z=1} y:=5 {z=1} ⇒ {z=1} if x=0 then y:=5 {(z=1 ∧ x=0)}

  21. Problem 2, Exam 2, Spring '10 2. Circle either "true" or "false" for each of the following assertions. h. [{P ∧ b} S {Q}] ⇒ [{P} while b do S {Q}] False Consider the counterexample: {x=0} while x<5 do x:=x+1 {x=1}

  22. A student writes: We've learned two ways of identifying loop invariant "I": a heuristic approach and a more systematic approach. My question is: since a systematic approach seems to be more effective, can we always use it to find I for all the problems? • Unfortunately, no. The concept of an "invariant" as described in the context of axiomatic verification is directly related to a Rule of Inference (ROI), e.g.:
     P ⇒ I, {I ∧ b} S {I}, (I ∧ ¬b) ⇒ Q
     -----------------------------------
     {P} while b do S {Q}

  23. The antecedents represent the necessary and sufficient requirements for I (in terms of P, b, S, and Q) in order to use the ROI to deduce {P} while b do S {Q}. • The heuristics considered in class are motivated by these necessary and sufficient requirements, and are therefore dependent on the program's specification (P and Q), as well as the program itself. • In contrast, a (full) invariant as defined in Mills' Invariant Status Theorem is a logical condition with properties: q(X0), (q(X) ∧ p(X)) ⇒ q∘g(X), and (q(X) ∧ ¬p(X)) ⇒ (X = f(X0)), where q(X) = (f(X) = f(X0)).

  24. The function f = [while p do g], which is "characterized by q on termination," need not be consistent with the pre- and post-condition used to specify the program by a user/designer. • Thus, an invariant derived using the Invariant Status Theorem may or may not allow one to prove that a user/designer-specified post-condition will hold on termination of a loop. • In "reasonable" cases, however, q may be useful, at least as a starting point, in a trial-and-error process. • Additional research is needed to fully explore this area.

  25. A student writes: I still have trouble in providing counter examples... • Consider the following assertion/ROI: "People who wear red shirts do not smoke." = Wears red shirts(X) ⇒ Does not smoke(X) =
     Wears red shirts(X)
     -----------------------
     Does not smoke(X)

  26. Is the assertion valid (true)? • No. Proof by counterexample: (photo on the original slide) • This person satisfies the antecedent, but not the consequent!

  27. More examples Does [(P ∧ ¬b) ⇒ Q] ⇒ [{P} while b do S {Q}]? =
     [(P ∧ ¬b) ⇒ Q]
     -----------------------
     [{P} while b do S {Q}]
     Counterexample: {x=0} while y<>5 do x := x+1; y := y+1 {x=0 ∧ y=5}
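The counterexamples of slides 15 and 27 can be confirmed by enumeration: each antecedent of the suspect ROI is true on every state in a finite box, yet the conclusion triple is violated by some state in it. The block below is an added example, not the slides' own code; the box of (x, y) states, the step functions and the predicates are my own encodings of the programs on those slides, and the triple checker is partial correctness, so non-terminating starts are ignored.

```python
# Added example (not from the slides): mechanically confirm the counter-
# examples of slides 15 and 27 by enumerating a finite box of (x, y) states.
# Programs, predicates and the box are coded here by me.

from itertools import product

BOX = list(product(range(-20, 8), repeat=2))   # candidate states (x, y)

def holds(pred, states):
    """Is the predicate true of every listed state?"""
    return all(pred(s) for s in states)

def run_while(b, S, s, max_iters=1000):
    """while b do S from state s; None if the bound is exhausted."""
    for _ in range(max_iters):
        if not b(s):
            return s
        s = S(s)
    return None

def triple_while(P, b, S, Q, states):
    """{P} while b do S {Q}, partial correctness, checked over the states."""
    for s in states:
        if P(s):
            r = run_while(b, S, s)
            if r is not None and not Q(r):
                return False
    return True

def slide15():
    """Fallacious ROI 'P ⇒ I, (I ∧ ¬b) ⇒ Q': both antecedents hold with
    I = (x=1), yet {x=1 ∧ y=-17} while y<0 do y:=y+1; x:=2 {x=1} fails."""
    P = lambda s: s[0] == 1 and s[1] == -17
    I = lambda s: s[0] == 1
    b = lambda s: s[1] < 0
    S = lambda s: (2, s[1] + 1)
    Q = lambda s: s[0] == 1
    antecedents = (holds(lambda s: not P(s) or I(s), BOX) and
                   holds(lambda s: not (I(s) and not b(s)) or Q(s), BOX))
    return antecedents, triple_while(P, b, S, Q, BOX)

def slide27():
    """[(P ∧ ¬b) ⇒ Q] ⇒ [{P} while b do S {Q}] fails for
    {x=0} while y<>5 do x:=x+1; y:=y+1 {x=0 ∧ y=5}."""
    P = lambda s: s[0] == 0
    b = lambda s: s[1] != 5
    S = lambda s: (s[0] + 1, s[1] + 1)
    Q = lambda s: s[0] == 0 and s[1] == 5
    exit_ok = holds(lambda s: not (P(s) and not b(s)) or Q(s), BOX)
    return exit_ok, triple_while(P, b, S, Q, BOX)
```

Each function returns (antecedents hold, conclusion holds); a result of (True, False) is exactly the counterexample the slides ask for.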

  28. From Exam 2, Spring '10, problem 2 True or False? c. {x=5} while k <= 5 do k := k+3 {k−x≥0} strongly e. {wp(S, Q) ∧ x>0} x := 17; S {Q}

  29. Confusion re "undefined" and "I" (Identity function) "I am confused about 'undefined' and 'I'. Suppose we have the program P like this:
     if (x>0)
       x := 9
     end_if
     Is [P] = (x>0 -> x := 9 | true -> I) or [P] = (x>0 -> x := 9 | true -> undefined)?"
