THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester COMP2600 (Formal Methods in Software Engineering)

Transcription

1 THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester 2007 COMP2600 (Formal Methods in Software Engineering) Writing Period: 3 hours duration Study Period: 15 minutes duration Permitted Materials: None Answer ALL five questions. Question 5 has internal choice. The questions are followed by labelled, framed blank spaces into which your answers are to be written. Additional answer panels are provided (at the end of the paper) should you wish to use more space for an answer than is provided in the associated labelled panels. If you use an additional panel, be sure to indicate clearly the question and part to which it is linked. Name (family name first): Student Number: The following are for use by the examiners. Q1 Mark Q2 Mark Q3 Mark Q4 Mark Q5 Mark Total Mark COMP2600 (Formal Methods in Software Engineering) Page 1 of 34

2 QUESTION 1 [19 marks] Structural Induction and Lambda Calculus (a) The append function (++) for lists is defined as: (++) :: [a] -> [a] -> [a] [ ] ++ ys = ys (x:xs) ++ ys = x:(xs ++ ys) The function revapp reverses its first argument and appends it to its second argument. It is defined as revapp :: [a] -> [a] -> [a] revapp [] ys = ys revapp (x:xs) ys = revapp xs (x:ys) Prove by induction that revapp xs (ys ++ zs) = (revapp xs ys) ++ zs You need to choose an induction variable so that clauses of the definitions above are easily applied; the proof shown of the step case goal will guide you in this. (i) State and prove the base case goal QUESTION 1(a)(i) (ii) State the inductive hypothesis QUESTION 1(a)(ii) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 2 of 34

3 (iii) The following is a proof of the step case goal. Give the justification for each of the steps in the proof. QUESTION 1(a)(iii) revapp (x:xs) (ys ++ zs) = revapp xs (x : (ys ++ zs)) = revapp xs ((x:ys) ++ zs) = (revapp xs (x:ys)) ++ zs = (revapp (x:xs) ys) ++ zs (iv) In fact the proof above reveals that the main result, the goals and the inductive hypothesis should have a universal quantifier,... Explain why this is so. Restate the result being proved and/or the inductive hypothesis, with this quantifier included. QUESTION 1(a)(iv) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 3 of 34

4 (b) The following datatype declaration describes a binary tree type, containing data items of type a. data Tree a = TNode a (Tree a) (Tree a) TNil (i) Express 1 / \ 2 / \ 3 / \ as a binary tree, of the type Tree Int. QUESTION 1(b)(i) (ii) For such a tree you can define the left spine, which is a list of the data items down the left-hand edge of the tree. For the tree shown above this would be [1,2]. (The corresponding right spine would be just [1]). The left spine can be defined as follows: lsp :: Tree a -> [a] lsp TNil = [] lsp (TNode a tl tr) = a : lsp tl As you should recall, the map function for lists is given by: map :: (a -> b) -> [a] -> [b] map f [] = [] map f (x : xs) = (f x) : (map f xs) There is a map function for binary trees, which we call mapt, which applies a given transformation to every data item in the tree. mapt :: (a -> b) -> Tree a -> Tree b mapt f TNil = TNil mapt f (TNode a tl tr) = TNode (f a) (mapt f tl) (mapt f tr) We wish to prove by structural induction the result lsp (mapt f t) = map f (lsp t) COMP2600 (Formal Methods in Software Engineering) Page 4 of 34

5 (iii) State and prove the base case goal QUESTION 1(b)(iii) [1 mark] (iv) State the step case goal and the inductive hypotheses QUESTION 1(b)(iv) (v) Prove the step case goal. QUESTION 1(b)(v) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 5 of 34

6 (c) Use α-conversion to change the following to an equivalent expresssion in which distinct bound variables are represented by different letters. (λx. (λx. x + 2) 3 + x) 4 QUESTION 1(c) [1 mark] (d) Simplify the following expressions by applying functions to arguments where possible (and appropriate). (i) (λf. (λx. f (x + 2))) (λy. y 3) QUESTION 1(d)(i) (ii) (λf. f (λx. x + 6)) (λg. 3 g(4)) QUESTION 1(d)(ii) Recall that in (λx....), the scope of the λx. extends to the closing parenthesis. COMP2600 (Formal Methods in Software Engineering) Page 6 of 34

7 QUESTION 2 [23 marks] Natural Deduction and Z (a) Construct natural deduction proofs for the following tautologies of propositional logic. Do not use truth tables or algebraic laws; just use the introduction and elimination rules cited in lectures and shown at the end of this paper. (i) A C (A B) C B that is, A ((C (A B)) (C B)) QUESTION 2(a)(i) (ii) (A B) (B A) A that is, ((A B) (B A)) A QUESTION 2(a)(ii) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 7 of 34

8 (b) The answer box below contains the formulae that form the steps of a Natural Deduction proof of ( A B) (A B). You must complete the proof by adding the justifications for each step, giving the name of the deduction rule used, the prior steps that are used by the rule (if any) and showing assumptions that are discharged at that point. QUESTION 2(b) [3 marks] 1. A B 2. A 3. A 4. B 5. A A 6. B 7. B 8. B 9. A B 10. A B A B COMP2600 (Formal Methods in Software Engineering) Page 8 of 34

9 (c) Construct natural deduction proofs for the following tautology of predicate calculus. Use just the introduction and elimination rules for predicate calculus cited in lectures, plus the rules for propositional logic. ( x. P(x) Q(x)) }{{} (A) ( y. P(y)) ( z. R(z)) }{{} (B) ( w. Q(w) R(w)) }{{} (C) that is ( x. (P(x) Q(x))) ((( y. P(y)) ( z. R(z))) ( w. (Q(w) R(w)))) (You may use the notation (A),(B),(C) to abbreviate your answer) QUESTION 2(c) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 9 of 34

10 (d) The answer box below contains the formulae that form the steps of a Natural Deduction proof of ( x. P(x) Q(x)) ( y. P(y)) ( w. Q(w)) You must complete the proof by adding the justifications for each step, giving the name of the deduction rule used, the prior steps that are used by the rule (if any) and showing assumptions that are discharged at that point. QUESTION 2(d) [3 marks] 1. ( x. P(x) Q(x)) ( y. P(y)) 2. ( x. P(x) Q(x)) 3. ( y. P(y)) 4. P(x) Q(x) 5. P(x) 6. Q(x) 7. w. Q(w) 8. (P(x) Q(x)) ( w. Q(w)) 9. ( w. Q(w)) 10. ( x. P(x) Q(x)) ( y. P(y)) ( w. Q(w)) COMP2600 (Formal Methods in Software Engineering) Page 10 of 34

11 (e) The following Z schemas partially specify a system which acts as an address book for friends names, phone numbers and addresses. The given types in this specification are Person, Number and Address. The state schema for the system is: AddressBook entries : Person (Number Address) p : Person; n 1,n 2 : Number; a 1,a 2 : Address ((p (n 1,a 1 ) entries) (p (n 2,a 2 ) entries)) (a 1 = a 2 ) n : Number; p 1,p 2 : Person; a 1,a 2 : Address ((p 1 (n,a 1 ) entries) (p 2 (n,a 2 ) entries)) (a 1 = a 2 ) AddEntry o AddressBook p? : Person n? : Number a? : Address (p? (n?,a?)) entries n : Number; a : Address ((p? (n,a)) entries (a = a?) a : Address ((n?,a) (ran entries)) (a = a?) entries = entries {(p? (n?,a?))} (i) The phrase AddressBook appears in the AddEntry o schema. What is the point of having this line in the declarations part of the schema? QUESTION 2(e)(i) (ii) Give the postcondition(s) for the successful completion of the address book operation called AddEntry. QUESTION 2(e)(ii) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 11 of 34

12 (iii) Pick one of the possible precondition violations for AddEntry and write an appropriate error schema. QUESTION 2(e)(iii) (iv) Assuming that the address book starts out empty, write the Initial schema that describes the initial state of the system. QUESTION 2(e)(iv) [1 mark] (v) Express the system invariant for AddressBook in simple English. QUESTION 2(e)(v) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 12 of 34

13 QUESTION 3 [20 marks] Hoare Logic and Weakest Precondition Calculus In this question, many of the parts refer to the rules of Hoare Logic and the Weakest Precondition Calculus. These are to be found in Appendices 2 and 3 at the end of this paper. (a) For what pre-conditions P and programs A does {P} A {False} hold? QUESTION 3(a) [1 mark] (b) For a program A, describe the condition wp (A,False). QUESTION 3(b) [1 mark] (c) If the following proposed rule is valid then give a proof of its validity, using the rules of Hoare Logic; if it is not, then provide a counter-example. {P} S {Q R} {P} S {Q} {P} S {R} QUESTION 3(c) COMP2600 (Formal Methods in Software Engineering) Page 13 of 34

14 (d) In this part of the question we analyse a piece of code using Hoare logic. The following code, called Mult, does multiplication by repeated addition and doubling: t:=0; while n 0 do t := t + (n mod 2) * m; n := n div 2; m := m * 2; } Body Loop Mult Note: unlike in some programming languages, we use definitions of mod and div where regardless of the sign of n, n mod 2 is either 0 or 1. n div 2 is integer division, rounded towards. For example, 3 div 2 = 2 and 3 mod 2 = + 1 Thus, always, n = (n div 2) 2 + (n mod 2) (you may use this result later) (i) Using the deduction rules of Hoare Logic (see Appendix 2 on page 34), show that the formula t + n m = prod (call this R) is an invariant for the body of the loop. (That is, prove that {R}Body{R}) (Note: prod is a logical variable which does not appear in the program, but may appear in pre- or post-conditions, and has a single value throughout). QUESTION 3(d)(i) COMP2600 (Formal Methods in Software Engineering) Page 14 of 34

15 (ii) Use the previous result, {R}Body{R}, and add some more proof steps (again using the rules on page 34) to choose a suitable pre-condition P and prove that the following Hoare triple holds {P} Mult {t = prod} (make P as weak a precondition as possible to achieve the given postcondition). QUESTION 3(d)(ii) [3 marks] (iii) In what way(s) does the above Hoare triple fail to show the circumstances when the Mult program computes the product of the initial values of n and m? QUESTION 3(d)(iii) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 15 of 34

16 (e) In the remaining parts of this question we analyse the same program Mult using the Weakest Precondition Calculus. We find the weakest precondition of the program Mult. As before it has the following code: note also the remarks in part (c) about the meaning of div and mod. t:=0; while n 0 do t := t + (n mod 2) * m; n := n div 2; m := m * 2; } Body Loop We will also refer to these conditions Q : t = prod R : t + n m = prod Mult Our desired postcondition in this case is Q Let P i be the predicate that the while-loop will execute exactly i times and terminate in a state satisfying the post-condition Q. (P i is a condition on the state that must be true immediately before the while loop is executed). (i) Show that wp(body, R) = R QUESTION 3(e)(i) (ii) Let U(n) be a predicate involving n, but not involving t or m. What is wp(body,u(n))? You need not show details of the calculation, but state which Weakest Precondition rules are used to obtain your result. QUESTION 3(e)(ii) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 16 of 34

17 (iii) Show that P 0 is given by (n = 0) R. QUESTION 3(e)(iii) [1 mark] (iv) There is a general formula for P k, given by P k (2 k 1 n < 2 k ) R (This formula applies only for k 1). Prove this formula by induction. Ensure it is clear which value(s) of k are involved in the base case and the step case. You may use the result wp(body,r) = R, and you may use your answer to part (e)(ii). In using these, you may also use this result: wp(s, A B) = wp(s, A) wp(s, B) QUESTION 3(e)(iv) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 17 of 34

18 (v) Derive the (weakest) condition for the loop to execute some number of times and terminate in a state satisfying the post-condition, ie, wp(loop,q). QUESTION 3(e)(v) (vi) Derive the weakest pre-condition for whole program, ie, wp(mult,q). QUESTION 3(e)(vi) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 18 of 34

19 QUESTION 4 [20 marks] Finite State Machines and Turing Machines (a) (Finite State Machines) The following grammar, expressed in EBNF, is for binary numbers. The vocabulary of this language fragment is the set of characters { 0, 1 } and the start symbol is <S>. (In this context ε denotes the empty string.) <S> ::= 0 1 <C> <C> ::= 0 <C> 1 <C> ε Let L N be the language described by this grammar. Let L R be the set of strings in L N, reversed, ie L R = {reverse of w w L N }. (e.g. the string is in L R because is in L N.) (i) Give a finite state automaton, (which may be nondeterministic), with at most 3 states, which recognises the language L N. (Hint: A standard technique is to map each of the nonterminals of the grammar into states and (if necessary) add one final (accepting) state.) QUESTION 4(a)(i) COMP2600 (Formal Methods in Software Engineering) Page 19 of 34

20 (ii) Give a deterministic finite state automaton, with as few states as possible, which recognises the language L N. QUESTION 4(a)(ii) (iii) Explain why there can be no deterministic finite state automaton, which recognises the language L N, with fewer than four states. QUESTION 4(a)(iii) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 20 of 34

21 (iv) Give a finite state automaton, (which may be nondeterministic), with at most 3 states, which recognises the language L R. QUESTION 4(a)(iv) (v) Give regular expressions for the languages L N and L R. QUESTION 4(a)(v) (vi) Give a regular grammar for L R. QUESTION 4(a)(vi) COMP2600 (Formal Methods in Software Engineering) Page 21 of 34

22 (b) (Turing Machines) The following diagram shows a Turing machine, whose purpose is either to accept or reject the input string. The input string consists of 0 s and 1 s, and the rest of the tape is blank (Λ). (A string accepted if the machine reaches the halt state and rejected if the machine gets stuck in another state.) Initially the head is somewhere in the input string. 0 0,L S 0 1 1,L 0 0,L halt Λ Λ,R Λ Λ,S 1 1,L 0 Λ,R S 1 S 4 1 Λ,L 0 0,R S 1 2 1,R Λ Λ,L S 3 (i) What purposes do the states S 0 and S 2 serve? What purposes do the states S 1 and S 3 serve? QUESTION 4(b)(i) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 22 of 34

23 (ii) What change is accomplished on the tape between each time that state S 0 is left and the time it is next entered? QUESTION 4(b)(ii) (iii) What is the language accepted by this machine? QUESTION 4(b)(iii) COMP2600 (Formal Methods in Software Engineering) Page 23 of 34

24 QUESTION 5 [18 marks] Answer three parts of this five-part question. Each part is worth 6 marks for a maximum value of 18 marks. (a) (Computability) Assume that the Halting Problem has no solution. Consider a program canhalttest which takes an (encoded) program P and returns a result indicating whether there is some input on which P halts. Show that no such program can be written. QUESTION 5(a) [6 marks] COMP2600 (Formal Methods in Software Engineering) Page 24 of 34

25 (b) (Another Turing machine question) Specify a Turing machine which will multiply a binary number on its tape by 5. When we do this operation manually we would work from right to left and compute at each bit position a new value and a carry, which can be 0, 1,2 3 or 4. The pair (new bit, carry-out) is a simple function of old bit value and carry-in. The following table captures this function ,0 1,0 0,1 1,1 0,2 1 1,2 0,3 1,3 0,4 1,4 Λ 0,0 1,0 0,1 1,1 0,2 QUESTION 5(b) [6 marks] COMP2600 (Formal Methods in Software Engineering) Page 25 of 34

26 (c) (Pushdown Automata) M is the following deterministic PDA: M = ({q 0,q 1,q 2 },{a,b,#},{e,z},δ,q 0,Z,{q 2 }) where δ, the next state function, is given in the following table: a,z b,z #,Z a,e b,e #,E q 0 q 0,EZ q 1,EZ q 2,ε q 0,EE q 0,ε q 1 q 0,EZ q 1,EZ q 2,ε q 1,ε q 1,EE q 2 (Entries in this table that have a dash indicate no further operation happens; it will be acceptance if the state is q 2 or rejection otherwise. Entries that are a pair indicate the next state and the sequence of symbols that replace the previous top one on the stack. Remember that Z is used to mark the bottom of the stack.) (i) Which of the following strings does M recognise? ab# bab# aaa# aaabbbb# QUESTION 5(c)(i) (ii) What language does M recognise? QUESTION 5(c)(ii) COMP2600 (Formal Methods in Software Engineering) Page 26 of 34

27 M is a variation on M, as follows: M = ({q 0,q 1,q 2 },{a,b,#},{e,z},δ,q 0,Z,{q 2 }) where δ, its next state relation, is characterized in the following table, which gives the possibilities for next states based on the usual factors (current state, input symbol, stack top). (In the column headed ε, E the input is ignored, and the next state is only dependent on the current state and the symbol on the top of the stack.) a,z b,z #,Z a,e b,e #,E ε,e q 0 q 0,EZ q 1,EZ q 2,ε q 0,EE q 0,ε q 1,ε q 1 q 0,EZ q 1,EZ q 2,ε q 1,ε q 1,EE q 0,ε q 2 (i) What language does M accept? QUESTION 5(c)(i) COMP2600 (Formal Methods in Software Engineering) Page 27 of 34

28 (d) (Parsing) (i) Why is the following grammar left-recursive? S a S S S QUESTION 5(d)(i) [1 mark] (ii) Find an grammar which is not left-recursive and which recognises the same language as that of the grammar above. Is your grammar LL(1)? Why? QUESTION 5(d)(ii) COMP2600 (Formal Methods in Software Engineering) Page 28 of 34

29 (iii) Consider a similar language to that of the grammar above, but where each string has an additional symbol # at the end. This language could be given by the following grammar, using S as the start symbol S S# S a S S S Find an LL(1) grammar for that language. (Hint: do not try using the non-terminal S of the grammar given). QUESTION 5(d)(iii) (iv) Consider the grammar given by the following productions, with start symbol E E ::= T T E T ::= P T P P ::= (E) a b c d We use the grammar to parse the string a b c d. Show unambiguously, using parentheses, how the string is interpreted (for example, a (b (c d)), or ((a b) c) d, etc). QUESTION 5(d)(iv) [1 mark] COMP2600 (Formal Methods in Software Engineering) Page 29 of 34

30 (e) (Prolog) This question concerns four different Prolog programs, called A,B,C,D. For all four programs, the fact database contains the following two facts. parent(a,b). parent(b,c). Each of the four programs also contains two rules, as follows. A { ancestor(x,y) : ancestor(x,z),parent(z,y). ancestor(x, Y) : parent(x, Y). B { ancestor(x,y) : parent(x,y). ancestor(x, Y) : ancestor(x, Z), parent(z, Y). C { ancestor(x,y) : parent(z,y),ancestor(x,z). ancestor(x, Y) : parent(x, Y). D { ancestor(x,y) : parent(x,y). ancestor(x, Y) : parent(z, Y), ancestor(x, Z). For each program, the query ancestor(a,b). is run (and after a result is given, the system is prompted for further results). The four programs give these four different results. 1 3 A = a,b = b A = b,b = c A = a,b = c no returns no results, just runs forever 2 4 A = a,b = c A = a,b = b A = b,b = c no A = a,b = b A = b,b = c A = a,b = c after these results, runs forever (i) State which of the four programs give each of the four results. QUESTION 5(e)(i) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 30 of 34

31 (ii) Give reasons for your answer to the last part. You need to show how the differences between the four observed behaviours are related to the differences between the four programs. QUESTION 5(e)(ii) [3 marks] COMP2600 (Formal Methods in Software Engineering) Page 31 of 34

32 Additional answers. Clearly indicate the corresponding question and part. COMP2600 (Formal Methods in Software Engineering) Page 32 of 34

33 Appendix 1 - Natural Deduction Rules -I -E p q p q p q p p q q -I p p q p q p -E p q [p] r r [q] r -I [p] q p q -E p p q q -I -E [p] q q p [ p] q q p -I -E p(x) [x not free in assumptions] x. p(x) x. p(x) p(a) -I p(a) x. p(x) -E p(x) q [x arbitrary] x. p(x) q [x is not free in q] COMP2600 (Formal Methods in Software Engineering) Page 33 of 34

34 Appendix 2 - Rules of Hoare Logic Assignment Axiom: Precondition Strengthening: Postcondition Weakening: Sequence: Conditional: While: {P[e/v]} v := e {P} P Q {Q} S {R} {P} S {R} {P} S {Q} Q R {P} S {R} {P} S 1 {Q} {Q} S 2 {R} {P} S 1 ; S 2 {R} {P b} S 1 {Q} {P b} S 2 {Q} {P} if b then S 1 else S 2 {Q} {P b} S {P} {P} while b do S {P b} Appendix 3 - Rules about Weakest Preconditions wp(v:= e, Q(v)) Q(e) wp(a 1 ; A 2, Q) wp(a 1, wp(a 2, Q)) wp(if b then A 1 else A 2, Q) (b wp(a 1,Q)) ( b wp(a 2,Q)) (b wp(a 1,Q)) ( b wp(a 2,Q)) wp(if b then A, Q) (b wp(a,q)) ( b Q) (b wp(a,q)) ( b Q) If P k is the weakest predicate that must be true before while B do A executes to guarantee that the loop terminates after exactly k iterations in a state that satisfies Q, then P 0 b Q P k+1 b wp(a,p k ) wp(while b do A, Q) k. (k 0 P k ) COMP2600 (Formal Methods in Software Engineering) Page 34 of 34