
Exercise Solutions: Functional Verification
Software Testing and Verification
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida
Exercise (from Lecture Notes #21)
“Identity” function I: x,y := x,y
• Given
  P = if x>=y then x,y := y,x
  f1 = (x>y → x,y := y,x | true → I)
  f2 = (x>y → x,y := y,x | x<y → I)
  f3 = (x≠y → x,y := y,x)
• Fill in the following “correctness table”:

        f1     f2     f3
   P    ___    ___    ___

  C = Complete
  S = Sufficient (only)
  N = Neither
Exercise (from Lecture Notes #22)
• Prove f = [A] where
  f = (x=17 → x,y := 17,20 | true → x,y := x,-x)
  and A is:
    if x=17 then
      y := x+3
    else
      y := -x
    end_if_else
if_then_else Correctness Conditions
• Complete correctness conditions for
  f = [if p then G else H]
  (where g = [G] and h = [H] have already been shown):
  Prove: p ⇒ (f = g) ∧
         ¬p ⇒ (f = h)
• Working correctness questions:
  – When p is true, does f equal g?
  – When p is false, does f equal h?
Proof that f = [P]
f = (x=17 → x,y := 17,20 | true → x,y := x,-x)
A:
  if x=17 then
    y := x+3        (G)
  else
    y := -x         (H)
  end_if_else
By observation, g = (x,y := x,x+3)
                h = (x,y := x,-x)
Proof that f = [P] (cont’d)
• Therefore, by the Axiom of Replacement, it is sufficient to show:
  f = (x=17 → x,y := 17,20 | true → x,y := x,-x)
    = [if x=17 then (x,y := x,x+3) else (x,y := x,-x)]
          p         g                   h
• When p is true does f equal g? √
  (x=17) ⇒ (f = (x,y := 17,20))
  (x=17) ⇒ (g = (x,y := x,x+3)
              = (x,y := 17,20))
• When p is false does f equal h? √
  (x≠17) ⇒ (f = (x,y := x,-x))
  (x≠17) ⇒ (h = (x,y := x,-x))
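The correctness table of the first exercise and the two if_then_else questions of the second are both statements about equality of partial functions on program states, so they can be checked mechanically over a sample of states. The following Python is an added example, not part of the lecture notes: it models each program function as a callable that returns the new (x, y) state or None where the function is undefined, classifies f1, f2 and f3 against [P] as C, S or N by brute force, and asks the two working correctness questions for f = [A]. The integer grids DOMAIN_P and DOMAIN_A and the deliberately wrong hypothesis f_wrong are constructed for the check.

```python
from itertools import product

# Program functions are modelled as callables on a state (x, y) that return
# the new state, or None where the function is undefined. The grids below are
# constructed sample domains for a brute-force check, not part of the notes.
DOMAIN_P = list(product(range(-3, 4), repeat=2))               # (x, y) pairs
DOMAIN_A = [(x, y) for x in range(14, 21) for y in (-1, 0, 5)]  # includes x=17


# --- Exercise from Lecture Notes #21: the correctness table -----------------
def P(state):
    """[P] for 'if x>=y then x,y := y,x' (no else branch: identity otherwise)."""
    x, y = state
    return (y, x) if x >= y else (x, y)


def f1(state):
    """(x>y -> x,y := y,x | true -> I)"""
    x, y = state
    return (y, x) if x > y else (x, y)


def f2(state):
    """(x>y -> x,y := y,x | x<y -> I): undefined when x=y."""
    x, y = state
    if x > y:
        return (y, x)
    if x < y:
        return (x, y)
    return None


def f3(state):
    """(x!=y -> x,y := y,x): undefined when x=y."""
    x, y = state
    return (y, x) if x != y else None


def classify(f, prog, domain):
    """'C' (complete) if f = [prog] on the domain; 'S' (sufficient only) if f
    agrees with [prog] wherever f is defined but leaves some states undefined
    that [prog] handles; 'N' (neither) if f disagrees with [prog] on D(f)."""
    if any(f(s) != prog(s) for s in domain if f(s) is not None):
        return "N"
    if any(f(s) is None and prog(s) is not None for s in domain):
        return "S"
    return "C"


# --- Exercise from Lecture Notes #22: the if_then_else questions ------------
def f_spec(state):
    """f = (x=17 -> x,y := 17,20 | true -> x,y := x,-x)"""
    x, y = state
    return (17, 20) if x == 17 else (x, -x)


def p(state):            # predicate of A's if_then_else
    return state[0] == 17


def g(state):            # g = [y := x+3] = (x,y := x,x+3)
    return (state[0], state[0] + 3)


def h(state):            # h = [y := -x] = (x,y := x,-x)
    return (state[0], -state[0])


def if_then_else_questions(f, p, g, h, domain):
    """The two working correctness questions for f = [if p then G else H]:
    (when p is true, does f equal g?, when p is false, does f equal h?)."""
    q_true = all(f(s) == g(s) for s in domain if p(s))
    q_false = all(f(s) == h(s) for s in domain if not p(s))
    return q_true, q_false


def f_wrong(state):
    """A deliberately wrong hypothesis (constructed): y := 21 instead of 20
    when x=17. Only the 'p is true' question should fail for it."""
    x, y = state
    return (17, 21) if x == 17 else (x, -x)


if __name__ == "__main__":
    for name, fn in (("f1", f1), ("f2", f2), ("f3", f3)):
        print(name, classify(fn, P, DOMAIN_P))
    print("f = [A]:", if_then_else_questions(f_spec, p, g, h, DOMAIN_A))
    print("f_wrong:", if_then_else_questions(f_wrong, p, g, h, DOMAIN_A))
```

A brute-force check over a finite grid is evidence, not a proof: it can only refute a hypothesis (as it does for f_wrong), while the proofs on these slides establish the equalities for all integers. The grid is still useful for catching the kind of domain mismatch that separates S from C, which is easy to overlook when reading a conditional rule.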
Exercise 1 (from Lecture Notes #23)
• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].
    while i<n do
      t := t*x
      i := i+1
    end_while
  Hypothesized f: (i<n → i,t := n, t·x^(n-i) | i≥n → I)
  Alternative f:  (i≤n → i,t := n, t·x^(n-i) | i>n → I)
  Does it make any difference which we use?
while_do Correctness Conditions
• Complete correctness conditions for
  f = [while p do g]
  (where g = [G] has already been shown):
  Prove:
    term(f,M) ∧
    p ⇒ (f = f ∘ g) ∧
    ¬p ⇒ (f = I)
while_do Correctness Conditions (cont’d)
• Working correctness questions:
– Is loop termination guaranteed for
any argument of f ?
– When p is true does f equal f
composed with g?
– When p is false does f equal Identity?
Proof that f = [M]
f = (i<n → i,t := n, t·x^(n-i) | i≥n → I)
M:  while i<n do         (p)
      t := t*x           (G)
      i := i+1           (G)
    end_while
By observation, g = [G] = (i,t := i+1, t·x)
• Is loop termination guaranteed for any argument in D(f)? YES. (Show this using the Method of Well-Founded Sets.)
Proof that f = [M] (cont’d)
• Does (i≥n) ⇒ ( f = I )? √
  ( Recall: f = (i<n → i,t := n, t·x^(n-i) | i≥n → I) )

• Does (i<n) ⇒ ( f = f ∘ g )?
  (i<n) ⇒ ( f = i,t := n, t·x^(n-i) )
  (i<n) ⇒ ( f ∘ g = f ∘ (i,t := i+1, t·x) )
  What is f when applied after g changes the initial value of i?
  There are two cases to consider: i=n-1 and i<n-1.

  case a: √
  (i=n-1) ⇒ ( f = i,t := n, t·x^(n-(n-1))
                = i,t := n, t·x )
  (i=n-1) ⇒ ( f ∘ g = ? ∘ (i,t := i+1, t·x)
                    = ? ∘ (i,t := n-1+1, t·x)
                    = I ∘ (i,t := n, t·x)        since g_i(i=n-1) = n
                    = (i,t := n, t·x) )

  case b: √
  (i<n-1) ⇒ ( f = i,t := n, t·x^(n-i) )
  (i<n-1) ⇒ ( f ∘ g = (i,t := n, t·x^(n-i)) ∘ (i,t := i+1, t·x)    since g_i(i<n-1) < n
                    = (i,t := n, (t·x)·x^(n-(i+1)))
                    = (i,t := n, (t·x)·x^(n-i-1))
                    = (i,t := n, t·x^(n-i-1+1))
                    = (i,t := n, t·x^(n-i)) )

  Therefore, (i<n) ⇒ ( f = f ∘ g ) √
  ( Recall: f = (i<n → i,t := n, t·x^(n-i) | i≥n → I) )
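The three while_do conditions just proved, and the well-founded-set argument for termination that the slides leave as an exercise, can be exercised concretely on sample states. The following Python is an added example, not part of the lecture notes: it runs program M with a step bound (so a non-terminating run shows up as an undefined result), encodes g = [G], the loop predicate p and both hypothesized forms of f, checks term(f,M), p ⇒ (f = f ∘ g) and ¬p ⇒ (f = I) by brute force, and checks a variant function n - i for the termination argument. The grid DOMAIN_M and the step bound are constructed assumptions for the check.

```python
from itertools import product

# States are (i, n, t, x) tuples of integers. The grid is a constructed sample
# domain for a brute-force check, not part of the lecture notes.
DOMAIN_M = list(product(range(-2, 4), range(-2, 4),
                        range(-2, 3), range(-2, 3)))


def M(state, max_steps=1000):
    """Run program M. Returns the final state, or None if the step bound is
    exceeded (treated as non-termination, i.e. [M] undefined there)."""
    i, n, t, x = state
    for _ in range(max_steps):
        if not i < n:                 # while i<n do ... end_while
            return (i, n, t, x)
        t = t * x
        i = i + 1
    return None


def p(state):
    """Loop predicate i<n."""
    return state[0] < state[1]


def g(state):
    """g = [G] = (i,t := i+1, t*x)"""
    i, n, t, x = state
    return (i + 1, n, t * x, x)


def f(state):
    """Hypothesized f = (i<n -> i,t := n, t*x^(n-i) | i>=n -> I)"""
    i, n, t, x = state
    return (n, n, t * x ** (n - i), x) if i < n else state


def f_alt(state):
    """Alternative f = (i<=n -> i,t := n, t*x^(n-i) | i>n -> I)"""
    i, n, t, x = state
    return (n, n, t * x ** (n - i), x) if i <= n else state


def compose(f, g):
    """f o g: apply g first, then f; undefined (None) if either is."""
    def fg(state):
        gs = g(state)
        return None if gs is None else f(gs)
    return fg


def while_do_conditions(f, p, g, prog, domain):
    """The three while_do correctness conditions, checked by brute force:
    term(f, M) on D(f), p => (f = f o g), and not p => (f = I)."""
    dom_f = [s for s in domain if f(s) is not None]
    term = all(prog(s) is not None for s in dom_f)
    q_true = all(f(s) == compose(f, g)(s) for s in domain if p(s))
    q_false = all(f(s) == s for s in domain if not p(s))
    return term, q_true, q_false


def variant_decreases(p, g, domain):
    """Method of Well-Founded Sets, made concrete: v(state) = n - i is a
    non-negative integer whenever p holds and strictly decreases across each
    pass through G, so the loop cannot run forever."""
    def v(s):
        return s[1] - s[0]
    return all(v(s) >= 0 and v(g(s)) < v(s) for s in domain if p(s))


def hypotheses_agree(domain):
    """Do the two hypothesized forms denote the same function? They differ only
    in which rule covers i=n, where t*x^0 = t makes both the identity."""
    return all(f(s) == f_alt(s) for s in domain)


def f_equals_program(domain):
    """Direct check of f = [M] by executing M on every sample state."""
    return all(f(s) == M(s) for s in domain)


if __name__ == "__main__":
    print("while_do conditions:", while_do_conditions(f, p, g, M, DOMAIN_M))
    print("variant n-i decreases:", variant_decreases(p, g, DOMAIN_M))
    print("f and alternative f agree:", hypotheses_agree(DOMAIN_M))
    print("f = [M] on the grid:", f_equals_program(DOMAIN_M))
```

The step bound in M is what lets a non-terminating run be compared against an undefined value of f; for this loop it is never reached, which is exactly what term(f,M) asserts. The variant check is the mechanical shadow of the well-founded-set argument: n - i lands in the non-negative integers whenever the loop continues and goes down by one per iteration.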
Exercise 2 (from Lecture Notes #23)
• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].
    repeat:
      x := x−1
      y := y+2
    until x=0
  Hypothesized r: (x>0 → x,y := 0, y+2x)
repeat_until Correctness Conditions
• Complete correctness conditions for
  f = [P] = [repeat g until p]
  (where g = [G] has already been shown):
  Prove:
    term(f,P) ∧
    (p ∘ g) ⇒ (f = g) ∧
    ¬(p ∘ g) ⇒ (f = f ∘ g)
Proof that r = [R]
r = (x>0 → x,y := 0, y+2x)
R:  repeat:
      x := x−1           (G)
      y := y+2           (G)
    until x=0            (p)
By observation, g = [G] = (x,y := x-1, y+2)
• Is loop termination guaranteed for any argument in D(r)? YES. (Show this using the Method of Well-Founded Sets.)
Proof that r = [R] (cont’d)
• Does (p ∘ g) ⇒ (r = g)? √
  [ (x=0) ∘ (x,y := x-1, y+2) ] ⇒ (x₀=1)
  (x=1) ⇒ ( r = (x,y := 0, y+2x)
              = (x,y := 0, y+2) )
  (x=1) ⇒ ( g = (x,y := x-1, y+2)
              = (x,y := 0, y+2) )
  ( Recall: r = (x>0 → x,y := 0, y+2x) )
Proof that r = [R] (cont’d)
• Does ¬(p ∘ g) ⇒ (r = r ∘ g)?
  ¬[ (x=0) ∘ (x,y := x-1, y+2) ] ⇒ (x₀≠1)
  Thus, there are 2 cases to consider: x₀<1 and x₀>1.

  case a: √
  (x<1) ⇒ ( r = undefined )
  (x<1) ⇒ ( r ∘ g = undefined ∘ g
                  = undefined )        since ((x>0) ∘ g)(x<1) = false
  ( Recall: r = (x>0 → x,y := 0, y+2x) )
Proof that r = [R] (cont’d)
  case b: √
  (x>1) ⇒ ( r = (x,y := 0, y+2x) )
  (x>1) ⇒ ( r ∘ g = (x,y := 0, y+2x) ∘ (x,y := x-1, y+2)     since ((x>0) ∘ g)(x>1) = true
                  = (x,y := 0, (y+2)+2(x-1))
                  = (x,y := 0, y+2+2x-2)
                  = (x,y := 0, y+2x) )
  Therefore, ¬(p ∘ g) ⇒ (r = r ∘ g) √
  ( Recall: r = (x>0 → x,y := 0, y+2x) )
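The repeat_until proof differs from the while_do one in two ways that are worth seeing executed: the predicate tested is p ∘ g (G runs once before p is first evaluated), and r is a partial function, undefined for x ≤ 0, which is precisely where R never reaches x = 0. The following Python is an added example, not part of the lecture notes: it runs R with a step bound so that non-termination is reported as an undefined result, encodes g = [G], p and the hypothesized r, checks the three repeat_until conditions by brute force (including case a, where both sides are undefined), and checks the variant x for the termination argument on D(r). The grid DOMAIN_R and the step bound are constructed assumptions for the check.

```python
# States are (x, y) tuples of integers. The grid is a constructed sample
# domain, not part of the lecture notes; it deliberately includes x<=0, where
# R never reaches x=0 and r is undefined.
DOMAIN_R = [(x, y) for x in range(-3, 6) for y in range(-2, 3)]


def R(state, max_steps=1000):
    """Run program R. Returns the final state, or None if the step bound is
    exceeded (non-termination, i.e. [R] undefined there)."""
    x, y = state
    for _ in range(max_steps):
        x = x - 1                  # G
        y = y + 2
        if x == 0:                 # until p
            return (x, y)
    return None


def g(state):
    """g = [G] = (x,y := x-1, y+2)"""
    x, y = state
    return (x - 1, y + 2)


def p(state):
    """until predicate x=0"""
    return state[0] == 0


def r(state):
    """Hypothesized r = (x>0 -> x,y := 0, y+2x); undefined (None) for x<=0."""
    x, y = state
    return (0, y + 2 * x) if x > 0 else None


def compose(f, g):
    """f o g: apply g first, then f; undefined (None) if either is."""
    def fg(state):
        gs = g(state)
        return None if gs is None else f(gs)
    return fg


def repeat_until_conditions(r, p, g, prog, domain):
    """The three repeat_until correctness conditions, checked by brute force:
    term(r, R) on D(r), (p o g) => (r = g), and not (p o g) => (r = r o g).
    Undefined values compare equal to each other, which is what case a of the
    proof relies on."""
    dom_r = [s for s in domain if r(s) is not None]
    term = all(prog(s) is not None for s in dom_r)
    p_after_g = compose(p, g)                       # p o g
    q_exit = all(r(s) == g(s) for s in domain if p_after_g(s))
    q_loop = all(r(s) == compose(r, g)(s)
                 for s in domain if not p_after_g(s))
    return term, q_exit, q_loop


def variant_decreases(r, g, domain):
    """Method of Well-Founded Sets, made concrete: on D(r) the value x is a
    positive integer, each pass through G lowers it by one, and the new state
    either exits (x=0) or is again in D(r); so the loop terminates for every
    argument of r."""
    ok = True
    for s in domain:
        if r(s) is None:
            continue
        x_before, x_after = s[0], g(s)[0]
        ok = ok and x_before > 0 and x_after < x_before
        ok = ok and (x_after == 0 or r(g(s)) is not None)
    return ok


def r_equals_program(domain):
    """Direct check of r = [R], including that r is undefined exactly where
    R does not terminate (within the step bound)."""
    return all(r(s) == R(s) for s in domain)


if __name__ == "__main__":
    print("repeat_until conditions:", repeat_until_conditions(r, p, g, R, DOMAIN_R))
    print("variant x decreases on D(r):", variant_decreases(r, g, DOMAIN_R))
    print("r = [R] on the grid:", r_equals_program(DOMAIN_R))
```

The step bound is doing real work here, unlike in the while_do check: for x ≤ 0 the loop in R runs until the bound and reports None, and the check confirms that this is exactly the set of states where r is undefined. Had the hypothesis been stated with x ≥ 0 instead of x > 0, r_equals_program would have exposed the mismatch at x = 0.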