Exam 2 Help Session
Software Testing and Verification
Prepared by
Stephen M. Thebaut, Ph.D.
University of Florida
• A student writes:
I would like to request you to provide some tips
on hypothesizing functions for given programs. I
refer in particular to Example 2 of Lecture Notes
#24 and Question 1 of the self check quiz in
lesson plan for Lecture Notes #’s 24 and 25.
Although I followed the concept of synthesizing
limited invariants, I found it difficult to come up
with a function to represent the given program
when I attempted these on my own.
• General Rule of Thumb for hypothesizing
functions of compound programs:
– Work top-down, and
– Use the Axiom of Replacement
• Good example (nested if_then’s + sequencing):
problem 4 of Problem Set 7
• For while loops, see examples 1 and 2 from
Lecture Notes #21.
Example 2 (from Lecture Notes #24)
• Consider the assertion:
{n≥0}
p := 1
k := 0
while k<>n do
p := p*2
k := k+1
end_while
{p=2^n}
What function, f, is computed by the while loop?
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
– When will P terminate?
– What measure would you use to prove this
using the method of Well-Founded Sets?
– Use the measure in one or more conditional
rules describing the function.
– For this case, the initial relationship
between k and n determine three different
loop “behaviors.” (What are they?)
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
k<n p,k := ?,?
k=n p,k := ?,?
k>n p,k := ?,?
Example 2 (cont’d)
• P = while k<>n do p,k := 2p,k+1
k<n p,k := p*2^(n−k), n
(n−k is the number of times the body will execute; n is the value of k on termination)
k=n p,k := p,k
:= p*2^(n−k), n (the same rule, since k=n gives p*2^0 = p)
k>n undefined (the loop never terminates, since k moves away from n)
Therefore,
[P] = (k≤n -> p,k := p*2^(n−k), n)
Problem 1 from Self-Check Quiz
• Consider the assertion:
y := 0
t := x
while t<>k do
t := t–1
y := y+1
end_while
What function, f, is computed by the while loop?
Problem 1 from Self-Check Quiz
(cont'd)
• P = while t<>k do t,y := t–1,y+1
t>k t,y := ?,?
t=k t,y := ?,?
t<k t,y := ?,?
Problem 1 from Self-Check Quiz
(cont'd)
• P = while t<>k do t,y := t–1,y+1
t>k t,y := k,y+1*(t-k)
(t−k is the number of times the body will execute; k is the value of t on termination)
:= k,y+t-k
t=k t,y := t,y
:= k,y+t-k (the same rule, since t=k)
t<k undefined (the loop never terminates, since t moves away from k)
Therefore,
[P] = (t≥k -> t,y := k,y+t-k)
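As an added example (not part of the lecture notes), the following Python harness runs a loop on many concrete states and compares the result with the hypothesized conditional rule, for both Example 2 and Self-Check Problem 1; the step budget used to stand in for "undefined" (non-termination) is an assumption of this harness, as is the dict representation of program states.

```python
# Added example (not from the notes): check a hypothesized loop function
# against the loop's actual behaviour on many concrete states.  Covers
# Example 2 and Self-Check Problem 1; a step budget turns non-termination
# (the "undefined" rows of the rule) into a detectable result.

def run_loop(state, cond, body, max_steps=1000):
    """Run `while cond do body` from `state`; return the final state, or
    None when the budget is exhausted (taken as non-termination)."""
    s = dict(state)
    for _ in range(max_steps):
        if not cond(s):
            return s
        s = body(s)
    return None

def check_hypothesis(cond, body, domain, guard, func):
    """Compare the loop with the conditional rule (guard -> func) on every
    state of `domain`.  Returns (states where the rule's result is wrong,
    states where the loop terminated although the rule says undefined)."""
    wrong, should_be_undefined = [], []
    for s in domain:
        actual = run_loop(s, cond, body)
        if guard(s):
            if actual != func(s):
                wrong.append(s)
        elif actual is not None:
            should_be_undefined.append(s)
    return wrong, should_be_undefined

# Example 2:  P = while k<>n do p,k := 2p,k+1 ; [P] = (k<=n -> p,k := p*2^(n-k), n)
COND2 = lambda s: s["k"] != s["n"]
BODY2 = lambda s: {**s, "p": 2 * s["p"], "k": s["k"] + 1}
DOM2 = [{"p": p, "k": k, "n": n} for p in (1, 3) for k in range(-3, 8) for n in range(-3, 8)]
EX2 = check_hypothesis(COND2, BODY2, DOM2, guard=lambda s: s["k"] <= s["n"],
                       func=lambda s: {**s, "p": s["p"] * 2 ** (s["n"] - s["k"]), "k": s["n"]})

# A wrong hypothesis (p,k := p*2^n, n) is caught whenever k != 0:
WRONG2 = check_hypothesis(COND2, BODY2, DOM2, guard=lambda s: s["k"] <= s["n"],
                          func=lambda s: {**s, "p": s["p"] * 2 ** s["n"], "k": s["n"]})

# Self-Check Problem 1:  P = while t<>k do t,y := t-1,y+1 ; [P] = (t>=k -> t,y := k, y+t-k)
COND1 = lambda s: s["t"] != s["k"]
BODY1 = lambda s: {**s, "t": s["t"] - 1, "y": s["y"] + 1}
DOM1 = [{"t": t, "k": k, "y": y} for t in range(-3, 8) for k in range(-3, 8) for y in (0, 5)]
SC1 = check_hypothesis(COND1, BODY1, DOM1, guard=lambda s: s["t"] >= s["k"],
                       func=lambda s: {**s, "t": s["k"], "y": s["y"] + s["t"] - s["k"]})
```

Both EX2 and SC1 come back as a pair of empty lists, while WRONG2 reports the states on which the mistaken rule disagrees with the loop.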
• Another student writes:
I have some questions about exam 2 for
fall 07, problem No. 6.
... And I do not know how to make up a
counterexample.
6. (4 pts.) It was noted in class that wp(while b do s, Q) is the
weakest (while) loop invariant which guarantees termination.
Is it also the case that the wp(Repeat s until b) is the weakest
(Repeat_until) loop invariant which guarantees termination?
Carefully justify your answer. (Hint: recall that in Problem Set
6, you were asked to prove “finalization” from the while loop
ROI using the weakest pre-condition as an invariant. Does
“finalization” from the Repeat_until ROI hold using the
weakest pre-condition as an invariant?)
Answer: No. In general, wp(Repeat s until b, Q) cannot be
used as an invariant with the Repeat_until ROI. In particular,
(wp(Repeat s until b, Q) ∧ b ≠> Q in general). (Note that the ROI,
i.e., via the “initialization” antecedent {P} s {I}, does not
require “I” to hold until after s executes.)
ROI for while loop and repeat_until loop
P => I, {I ∧ b} S {I}, (I ∧ ¬b) => Q
-------------------------------------
{P} while b do S {Q}

{P} S {I}, {I ∧ ¬b} S {I}, (I ∧ b) => Q
-------------------------------------
{P} repeat S until b {Q}
Note that for the repeat_until loop, "I" need not
hold UNTIL AFTER S executes.
wp(repeat S until b, Q) = H1 ∨ H2 ∨ H3 ∨ ...
where:
H1 = wp(S, b ∧ Q)
H2 = wp(S, ¬b ∧ H1)
H3 = wp(S, ¬b ∧ H2)
...
Hk = wp(S, ¬b ∧ Hk-1)
Note that b ∧ (H1 ∨ H2 ∨ H3 ∨ ...) ≠> Q
in general.
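As an added example (not part of the lecture notes), the following Python code unrolls the H1, H2, ... series above over a small finite state space and tests the "finalization" antecedent of each ROI with wp itself as the invariant; the single-variable state space, the body x := x+1 and the conditions used are constructed for this illustration.

```python
# Added example (not from the notes): unroll the wp series over a finite
# state space (one integer variable x) and test the "finalization"
# antecedent of each ROI using wp as the invariant:
#   while loop:   wp(while b do S, Q) and not b  =>  Q   (always holds)
#   repeat loop:  wp(repeat S until b, Q) and b  =>  Q   (can fail)

def wp_while(domain, b, S, Q, k_max=50):
    """H0 = not b and Q ; Hk = b and wp(S, Hk-1) ; wp = H0 or H1 or ..."""
    H = {x for x in domain if not b(x) and Q(x)}
    wp = set(H)
    for _ in range(k_max):
        H = {x for x in domain if b(x) and S(x) in H}
        wp |= H
    return wp

def wp_repeat(domain, b, S, Q, k_max=50):
    """H1 = wp(S, b and Q) ; Hk = wp(S, not b and Hk-1) ; wp = H1 or H2 or ..."""
    H = {x for x in domain if b(S(x)) and Q(S(x))}
    wp = set(H)
    for _ in range(k_max):
        H = {x for x in domain if not b(S(x)) and S(x) in H}
        wp |= H
    return wp

def finalization_failures(wp, exit_cond, Q):
    """States in wp where the loop's exit condition holds but Q does not:
    exactly the cases in which (wp and exit_cond) => Q is violated."""
    return sorted(x for x in wp if exit_cond(x) and not Q(x))

# Constructed instance: S is x := x+1, both loops exit once x >= 5, Q is x = 6.
DOMAIN = range(-10, 11)
S = lambda x: x + 1
done = lambda x: x >= 5
Q = lambda x: x == 6
WP_REPEAT = wp_repeat(DOMAIN, done, S, Q)                  # repeat x:=x+1 until x>=5
WP_WHILE = wp_while(DOMAIN, lambda x: not done(x), S, Q)   # while x<5 do x:=x+1
# From x=5 the repeat loop runs S once more and terminates with x=6, so 5 is
# in wp; yet b already holds at x=5 while Q does not: (wp and b) => Q fails.
REPEAT_FAILS = finalization_failures(WP_REPEAT, done, Q)
# For the while loop, any wp-state with not b must already satisfy Q.
WHILE_FAILS = finalization_failures(WP_WHILE, done, Q)
```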
Finding counter-examples
• Suppose you wish to prove (A => B) is FALSE.
• This can be done by finding just one case for
which A is true and B is false. This case is referred
to as a "counter-example".
• So, to prove that the hypothesized ROI:
A, B, C
---------------------
{P} while b do S {Q}
?
is FALSE, find one case for which A, B, and C are
each true, but {P} while b do S {Q} is FALSE.
Finding counter-examples (cont'd)
• How do you identify such a case? By exploiting
the fallacy in the (FALSE) ROI.
• For example, what's the fallacy in the following
ROI?
P => I, (I ∧ ¬b) => Q
---------------------
{P} while b do S {Q}
?
Answer: The two antecedents do not require that "I"
holds after S executes! So, choose P, b, S, Q, and I
such that the two antecedents hold, but neither I nor
Q will hold after S executes when b becomes false.
Finding counter-examples (cont'd)
P => I, (I ∧ ¬b) => Q
---------------------
{P} while b do S {Q}
For example, consider, for I: x=1
{x=1 ∧ y=-17}
while y<0 do
y := y+1
x := 2
end_while
{x=1}
?
A really smokin’ example...
• Consider the following assertion/ROI:
“People who wear red shirts do not smoke.”
= Wears red shirts(X) => Does not smoke(X)
= Wears red shirts(X)
  ---------------------
  Does not smoke(X)
A really smokin’ example... (cont’d)
• Is the assertion valid (true)?
• No. Proof by counterexample:
• This person satisfies the antecedent, but not the
consequent!
Another example
Does [(P ∧ ¬b) => Q] => [{P} while b do S {Q}] ?
= (P ∧ ¬b) => Q
  ---------------------
  {P} while b do S {Q}
  ?
Counterexample:
{x=0} while y<>5 do x := x+1; y := y+1 {x=0 ∧ y=5}
for some initial value of y < 5.
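As an added example (not part of the lecture notes), the following Python code mechanically confirms the two counterexamples above: each antecedent of the fallacious ROI is checked over a small finite state space, and then one P-state is found from which the loop terminates in a state violating Q. The finite domains, the step budget and the dict representation of states are assumptions of this check, not part of the course material.

```python
# Added example (not from the notes): refute a fallacious ROI by brute force.
# All antecedents are verified over a finite state space; the conclusion
# {P} while b do S {Q} (weak correctness) is then refuted by a P-state from
# which the loop terminates in a state violating Q.

def run_while(state, b, S, max_steps=1000):
    """Final state of `while b do S`, or None if it does not terminate
    within the step budget (non-termination does not refute weak correctness)."""
    s = dict(state)
    for _ in range(max_steps):
        if not b(s):
            return s
        s = S(s)
    return None

def implies(domain, a, c):
    """a => c, checked over every state of the finite domain."""
    return all(c(s) for s in domain if a(s))

def triple(domain, pre, S, post):
    """{pre} S {post} for a single execution of the loop body S."""
    return all(post(S(s)) for s in domain if pre(s))

def counterexample(domain, antecedents, P, b, S, Q):
    """If every antecedent holds, return a P-state whose run terminates in a
    state violating Q (refuting the ROI); otherwise None."""
    if not all(antecedents):
        return None
    for s in domain:
        if P(s):
            final = run_while(s, b, S)
            if final is not None and not Q(final):
                return s
    return None

# Slide 1:  I: x=1 ; {x=1 and y=-17} while y<0 do y:=y+1; x:=2 end_while {x=1}
D1 = [{"x": x, "y": y} for x in (1, 2) for y in range(-20, 3)]
P1, I1 = (lambda s: s["x"] == 1 and s["y"] == -17), (lambda s: s["x"] == 1)
b1, Q1 = (lambda s: s["y"] < 0), (lambda s: s["x"] == 1)
S1 = lambda s: {"x": 2, "y": s["y"] + 1}
BAD_ROI1 = [implies(D1, P1, I1), implies(D1, lambda s: I1(s) and not b1(s), Q1)]
CEX1 = counterexample(D1, BAD_ROI1, P1, b1, S1, Q1)
# The genuine ROI also needs {I and b} S {I}; that antecedent fails here
# (x becomes 2), so the genuine ROI is not refuted by this case.
FULL_ROI1 = BAD_ROI1 + [triple(D1, lambda s: I1(s) and b1(s), S1, I1)]
CEX1_FULL = counterexample(D1, FULL_ROI1, P1, b1, S1, Q1)

# Slide 2:  {x=0} while y<>5 do x:=x+1; y:=y+1 {x=0 and y=5}, sole antecedent (P and not b) => Q
D2 = [{"x": x, "y": y} for x in range(0, 7) for y in range(0, 8)]
P2, b2 = (lambda s: s["x"] == 0), (lambda s: s["y"] != 5)
S2 = lambda s: {"x": s["x"] + 1, "y": s["y"] + 1}
Q2 = lambda s: s["x"] == 0 and s["y"] == 5
CEX2 = counterexample(D2, [implies(D2, lambda s: P2(s) and not b2(s), Q2)], P2, b2, S2, Q2)
```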
Problem 1, Exam 2, Spring ‘11
1. Consider the assertion of weak correctness:
{z<0} S {y=z+1}. Which of the following observations/
facts would allow one to deduce that the assertion is
FALSE and which would not?
a. For some initial values of z, S terminates with the
final value of y being less than the final value of z.
would not: The initial values of z for which this observation holds may NOT satisfy pre-condition {z<0}.
b. Whenever the initial value of z is greater than -5, the
final value of y is less than the final value of z if S
happens to terminate.
would not: The values of z for which this observation
holds and for which the given pre-condition {z<0}
holds may NOT result in termination.
c. When the initial value of z is -1, S terminates and the
final value of y is 17.
would not: The fact that y=17 on termination does NOT
contradict the given post-condition {y=z+1}, since the
value of z could be 16 on termination.
d. Whenever the initial value of z is even, S terminates
with the final values of both z and y being odd.
would: Since there are clearly initial values of z that
satisfy the precondition AND are even, the fact that
the observed result contradicts the given postcondition implies that the assertion is false.
e. wp(S, y=z+1) = z≥0
would not: The observation implies that there are no
initial values of z satisfying the given pre-condition for
which S will terminate in state Q, but it does NOT imply
that the assertion is not vacuously correct, since S may
not terminate for any initial values of z<0.
f. wp(S, y=z) = true
would: The observation implies that S will terminate for
all initial values of z (including those satisfying the given
pre-condition) in a state that is inconsistent with the
given post-condition.
g. wp(S, y=17) = z<0, and whenever the initial value of
z is greater than -5, the final value of y is less than the
final value of z if S happens to terminate.
would: The first observation implies that S will terminate
for all initial values of z<0; the second observation
(together with the first) implies that when z = -4, -3, -2,
or -1, S will terminate in a state that is inconsistent with
the asserted post-condition. (But not because y=17...)
Confusion re “undefined” and “I”
(Identity function)
“I am confused about ‘undefined’ and ‘I’.
Suppose we have the program P like this:
if (x>0)
x := 9
end_if
Is [P] = (x>0 -> x := 9|true -> I) or
[P] = (x>0 -> x := 9|true -> undefined)?