Mid-Semester Quiz Second Semester, 2012

Transcription

1 THE AUSTRALIAN NATIONAL UNIVERSITY Mid-Semester Quiz Second Semester, 2012 COMP2600 (Formal Methods for Software Engineering) Writing Period: 1 hour duration Study Period: 10 minutes duration Permitted Materials: One A4 page with hand-written notes on both sides The questions are followed by labelled blank spaces into which your answers are to be written. Additional answer panels are provided at the end of the paper should you wish to use more space for an answer than is provided in the associated labelled panels. Student Number: Q1 Mark Q2 Mark Q3 Mark Q4 Mark Q5 Mark Total Mark COMP2600 (Formal Methods for Software Engineering) Page 1 of 14

2 QUESTION 1 [12 marks] Natural Deduction (a) Using truth tables, prove or disprove for the following statement. Indicate whether the statement has a proof, or give a counterexample. A (B C) (A B) C QUESTION 1(a) [3 marks] A B C B C A (B C) A B (A B) C result T T T T T F T F T T F F F T T F T F F F T F F F (b) Give a natural deduction proof of A (B C) (A B) C (may be continued next page) QUESTION 1(b) [5 marks] COMP2600 (Formal Methods for Software Engineering) Page 2 of 14

3 QUESTION 1(b), continued (c) Give a natural deduction proof of QUESTION 1(c) ( x. P(x)) x. P(x) [4 marks] COMP2600 (Formal Methods for Software Engineering) Page 3 of 14

4 QUESTION 2 [10 marks] Structural Induction Here is the usual Haskell definition of a binary tree: data Tree a = Nul Node a ( Tree a) ( Tree a) Given these function definitions: sumt Nul = 0 -- ( ST1 ) sumt ( Node a t1 t2) = a + sumt t1 + sumt t2 -- ( ST2 ) suml [] = 0 -- ( SL1 ) suml (x:xs) = x + suml xs -- ( SL2 ) flatten Nul = [] -- (F1) flatten ( Node a t1 t2) = flatten t1 ++ ( a : flatten t2) -- ( F2) [] ++ ys = ys -- (A1) (x:xs) ++ ys = x : (xs ++ ys) -- (A2) and the following lemma: suml ( xs ++ ys) = suml xs + suml ys -- ( L1) Prove the following property using structural induction: sumt t = suml ( flatten t) (a) State and prove the base case goal. QUESTION 2(a) [2 marks] COMP2600 (Formal Methods for Software Engineering) Page 4 of 14

5 (b) State the induction hypotheses. QUESTION 2(b) [2 marks] (c) State and prove the step case goal. QUESTION 2(c) [6 marks] COMP2600 (Formal Methods for Software Engineering) Page 5 of 14

6 QUESTION 3 [11 marks] Hoare Logic Consider the following code fragment Square, in which all variables are typed integer: i := 0; s := 0; while (i n) do s := s + n; i := i + 1 } Body Loop Square This code takes an integer n, and is intended to calculate n 2 and assign that value to s. To confirm this, we we wish to use the rules of Hoare Logic (Appendix 3) to show that { True } Square { s = n 2 }. In the questions below (and your answers), we may refer to the loop code as Loop, and the body of the loop as Body. Make sure that every step of your proof is numbered, and is justified by citing the rule, and any previous proof steps, that you are using. (a) We will need an invariant for Loop. We suggest Inv ( s = i n ). Prove that {Inv} Body {Inv}. QUESTION 3(a) [4 marks] COMP2600 (Formal Methods for Software Engineering) Page 6 of 14

7 (b) Using the result of part (a), prove that {Inv} Loop {s = n 2 }. QUESTION 3(b) [3 marks] (c) Using the result of part (b), prove that {True} Square {s = n 2 }. QUESTION 3(c) [3 marks] (d) The code fragment Square would get stuck in an infinite loop for some initial values of n. Explain why it is not necessary to consider this possibility when choosing a precondition for this code. QUESTION 3(d) [1 mark] COMP2600 (Formal Methods for Software Engineering) Page 7 of 14

8 QUESTION 4 [11 marks] Weakest Precondition Calculus As with the previous question, we will consider the code fragment Square: i := 0; s := 0; while (i n) do s := s + n; i := i + 1 } Body Loop Square We will use the rules of the weakest precondition calculus (Appendix 4) to calculate wp(square, s = n 2 ). As in the previous question we will use the abbreviations Loop and Body for the indicated parts of the code. Remember to simplify your answers wherever possible, and show all your working when you do so. (a) We will need to calculate wp(loop, s = n 2 ). First, state P 0 (the predicate expressing success for this weakest precondition after zero loop iterations). QUESTION 4(a) [1 mark] COMP2600 (Formal Methods for Software Engineering) Page 8 of 14

9 (b) We claim that the general format for P k (expressing success after k loop iterations for k 0) is P k ( i + k = n s = i 2 + k i ) Suppose that this holds for some k. Then prove that P k+1 ( i + (k + 1) = n s = i 2 + (k + 1) i ) QUESTION 4(b) [6 marks] COMP2600 (Formal Methods for Software Engineering) Page 9 of 14

10 (c) Given parts (a) and (b), state wp(loop, s = n 2 ). Do not attempt any simplification at this stage. QUESTION 4(c) [1 mark] (d) Hence find wp(square, s = n 2 ). State this result in the simplest form possible. QUESTION 4(d) [3 marks] COMP2600 (Formal Methods for Software Engineering) Page 10 of 14

11 QUESTION 5 [6 marks] Specification using Z A certain software engineering student, planning to write a program to keep track of her collection of DVDs, is starting with a specification of the system. It is called MyDVDs, and this is where she is up to: [Movie] [Actor] Score == {i : N i 10} MyDVDs mine : P Movie stars : Movie Actor rating : Movie Score dom stars mine dom rating mine Initial MyDVDs mine = AddMovie o MyDVDs m? : Movie cast? : P Actor AddActor o MyDVDs m? : Movie a? : Actor m? mine mine = mine {m?} rating = rating a : Actor ((m? a) stars ) (a cast?) n : movie n m? {n} stars = {n} stars m? mine (m? a?) stars stars = stars ({m? a?}) rating = rating RankMovie o MyDVDs m? : Movie s? : Score m? mine stars = stars rating (m?) = s? n : Movie (n m?) rating (n) = rating(n) Duets o ΞMyDVDs a?, b? : Actor ms! : P Movie (a) What are the types that are either (i) given or (ii) introduced by definition? QUESTION 5(a) [1 mark] COMP2600 (Formal Methods for Software Engineering) Page 11 of 14

12 (b) Explain why is used in the type of the variable rating, rather than or. QUESTION 5(b) [1 mark] (c) Why does the predicate part of the Initial schema only mention one global variable? QUESTION 5(c) [1 mark] (d) The postcondition n : movie n m? {n} stars = {n} stars appears in the schema AddMovie o. Express the author s intent simply in English. QUESTION 5(d) [1 mark] (e) It turns out that there is an error in the schema AddActor o that is repeated in the predicate part of RankMovie o. Suggest what it is. QUESTION 5(e) [1 mark] (f) The predicate part of the enquiry schema, Duets o, is blank! The intention of this enquiry is to return a list of movies in the database in which both given actors appear. Suggest suitable pre-conditions and/or post-conditions to complete the schema. QUESTION 5(f) [1 mark] COMP2600 (Formal Methods for Software Engineering) Page 12 of 14

13 Additional answers. Clearly indicate the corresponding question and part. Additional answers. Clearly indicate the corresponding question and part. COMP2600 (Formal Methods for Software Engineering) Page 13 of 14

14 Additional answers. Clearly indicate the corresponding question and part. Additional answers. Clearly indicate the corresponding question and part. COMP2600 (Formal Methods for Software Engineering) Page 14 of 14

15 Appendix 1 Natural Deduction Rules Propositional Calculus ( I) p q p q ( E) p q p p q q [p] [q] ( I) p p q p q p ( E).. p q r r r [p]. ( I) q p q ( E) p q p q [p] [ p].. ( I) q q p ( E) q q p Predicate Calculus ( I) P(a) (a arbitrary) x. P(x) ( E) x. P(x) P(a) [P(a)] ( I) P(a) x. P(x) ( E) x. P(x). q (a arbitrary) q (a is not free in q) COMP2600 (Formal Methods for Software Engineering) Additional material

16 Appendix 2 Truth Table Values p q p q p q p q p p q T T T T T F T T F T F F F F F T T F T T F F F F F T T T COMP2600 (Formal Methods for Software Engineering) Additional material

17 Appendix 3 Hoare Logic Rules Precondition Strengthening: P s P w {P w } S {Q} {P s } S {Q} Postcondition Weakening: Assignment: Sequence: Conditional: While Loop: {P} S {Q s } Q s Q w {P} S {Q w } {Q(e)} x := e {Q(x)} {P} S 1 {Q} {Q} S 2 {R} {P} S 1 ; S 2 {R} {P b} S 1 {Q} {P b} S 2 {Q} {P} if b then S 1 else S 2 {Q} {P b} S {P} {P} while b do S {P b} Appendix 4 Weakest Precondition Rules wp(x := e, Q(x)) Q(e) wp(s 1 ; S 2, Q) wp(s 1, wp(s 2, Q)) wp(if b then S 1 else S 2, Q) (b wp(s 1, Q)) ( b wp(s 2, Q)) (b wp(s 1, Q)) ( b wp(s 2, Q)) P k is the weakest predicate that must be true before while b do S executes, in order for the loop to terminate after exactly k iterations in a state that satisfies Q. P 0 b Q P k+1 b wp(s, P k ) wp(while b do S, Q) k. (k 0 P k ) COMP2600 (Formal Methods for Software Engineering) Additional material

18 Appendix 5 Short Glossary of Mathematical Symbols in Z Logic conjunction for all implies disjunction there exists if and only if negation B type boolean Sets empty set subset cartesian product { } empty set superset P power set in set set union # set size not in set set intersection.. up to (as in {1.. 7}) min smallest in set max greatest in set N natural numbers Relations and Functions relation dom domain domain restriction total function ran range range restriction partial function R 1 inverse of R maplet R( S ) image of set S under R Schemas indicates operation Ξ indicates enquiry = schema definition COMP2600 (Formal Methods for Software Engineering) Additional material