Functional Verification III

Functional Verification III

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 23

Previously…

• Correctness conditions and working correctness questions:

– sequencing

– decision statements

Today’s Topics

• Iteration Recursion Lemma (IRL)

• Termination predicate: term(f,P)

• Correctness conditions for while_do statement

• Correctness conditions for repeat_until statement

• Subgoal Induction

Today’s Topics






Iteration Recursion Lemma (IRL)

• The IRL reduces the verification of programs with loops to a question of termination and the verification of loop-free programs by converting iteration to recursion.

• For while loops, the Lemma states:

f = [while p do g] = [if p then g;f end_if]

(note recursion)

Iteration Recursion Lemma (cont’d)

p

g

T

F

f =


p

g

T

F

p

g

T

F

p

g

T

F

f = =


p

g

T

F

p

g

T

F

p

g

T

F

p

g

T

F

f = = =

f


p

g

T

F

p

g

T

F

p

g

T

F

p

g

T

F

f = = =

f

p

g;f

T

F

=


• Rather than verify directly that f is the program function of

K = while p do g

which can be very difficult, it is sufficient to prove that

1. K terminates for all X D(f), and that

2. f is the program function of

Q = if p then g;f end_if

because [K] = [Q].

An important implication of the IRL

• Suppose for “input” X0 the while loop term-inates after n iterations with “output” Xn.

• Furthermore, let X1, X2, ..., Xn-1 be the in-termediate states generated by the loop.

• Then 0≤i<n, we know:

– p(Xi) (when g executes 1 or more times),

– Xi+1=g(Xi), and

– ¬p(Xn).

An important implication of the IRL (cont’d)

• As f = [while p do g] = [if p then g;f end_if], it follows that

f(X0) = f(X1) = ... = f(Xn) = Xn

• More generally, after each iteration of the loop, the function value of the current state, X, must be the same as the function value of the initial state, X0. That is:

f(X) = f(X0)

• We will revisit this observation in connection with Mill’s Invariant Status Theorem later.

Illustrative Example of IRL

• To further illustrate the fact that

[while p do g] = [if p then g;f end_if]

consider a concrete example...





• Let K = while y>0 do x,y := x+1,y−1p g





• Let K = while y>0 do x,y := x+1,y−1

• Claim: K is function equivalent to

Q = if y>0 then x,y := x+1,y−1;k end_if

where, by definition, k = [K].

p g

p k o g

Illustrative Example of IRL (cont’d)

Case (y>0):

For K = while y>0 do x,y := x+1,y−1, the loop body executes y times before the predicate y>0 becomes false. By observation, then, the final value of x is x0+(1)y0 = x0+y0 and the final value of y is 0. Thus,

(y>0) => k = (x,y := x+y,0)


Case (y>0):


(y>0) => k = (x,y := x+y,0)

Also, note that when y=0 initially,

k = I = (x,y := x,y) = (x,y := x+0,y)

= (x,y := x+y,0)


Case (y>0):


(y>0) => k = (x,y := x+y,0)

Also, note that when y=0 initially,

k = I = (x,y := x,y) = (x,y := x+0,y)

= (x,y := x+y,0)

Therefore, (y≥0) => k = (x,y := x+y,0)


Case (y>0): (cont’d)

[Q] is a composition of two functions, i.e., k o g, and may be determined by direct substitution.

For y>0 initially, y will be greater than OR EQUAL to 0 after executing the loop body, but since we know (y≥0) => k = (x,y := x+y,0), we have

[Q] = (x,y := x+y,0) o (x,y := x+1,y−1)





[Q] = (x,y := x+y,0) o (x,y := x+1,y−1)





[Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0)





[Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0)





[Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K)





[Q] = (x,y := x+y,0) o (x,y := x+1,y−1) = (x,y := (x+1)+(y−1),0) = (x,y := x+y,0) = k (the function computed by K)

Thus, [Q] = [K] when y>0.


Case (y≤0):

Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent.

Thus, [Q] = I = [K] when y≤0.


Case (y≤0):

Since the predicate (y>0) fails, both K and Q do nothing, and are therefore equivalent.

Thus, [Q] = I = [K] when y≤0.

Therefore, K is function equivalent to Q.

Today’s Topics






Termination Predicate

• The correctness of a looping program P depends, in part, on termination.

• Consideration is limited to programs whose termination can be established and the following predicate is defined:

term(f,P) ‘‘P terminates for every initial state X D(f)’’

Today’s Topics






Before we continue…

• Take out a piece of paper and a pen/pencil.

• Without looking back in the lecture notes, write down the correctness conditions for:

f = [if p then g]

if_then Correctness Conditions

• Correctness conditions for f = [if p then g]:

Prove: p (f = g) Л

¬p (f = I)



Prove: p (f = g) Л

¬p (f = I)

• So, aside from proving termination over the domain of f, what are the two corresponding conditions for:

f = [while p do g] = [if p then fog] ?



Prove: p (f = g) Л

¬p (f = I)

• So, aside from proving termination over the domain of f, what are the two corresponding conditions for:

f = [while p do g] = [if p then fog] ?

while_do Correctness Conditions

• Correctness conditions for

f = [K] = [while p do G]

(where K is closed for the domain of f†, and g = [G]):

Prove: term(f,K) Л

p (f = f o g) Л ¬p (f = I)

†A while loop is closed for a set of data states S [XS Л p(X) g(X)S]

while_do Correctness Conditions (cont’d)

• Working correctness questions:

– Is loop termination guaranteed for any argument of f ?

– When p is true does f equal f composed with g?

– When p is false does f equal Identity?

while_do Example

• Prove f = [T] where, for integers x, y, and z:

f = (y≥0 z,y := z+xy,0)

and T is:

while y<>0 do z := z+x y := y−1 end_while

while_do Example

• Prove f = [T] where, for integers x, y, and z:

f = (y≥0 z,y := z+xy,0)

and T is:

while y<>0 do z := z+x y := y−1 end_while

p

G

while_do Example (cont’d)

• Proof:

T is closed for D(f) and g = [G] = (z,y := z+x,y−1) by observation


• Proof:


– term(f,T)?


• Proof:


– term(f,T)?

f = (y≥0 z,y := z+xy,0)

and T is:

while y<>0 do z := z+x y := y−1end_while

So, does y≥0 initially T will terminate?


• Proof:


– term(f,T)? √ (Prove this…)


• Proof:



– Does (y=0) ( f = I )?¬p


• Proof:



– Does (y=0) ( f = I )?¬p

( Recall: f = (y≥0 z,y := z+xy,0) )


• Proof:



– Does (y=0) ( f = I )?

(y=0) ( f = (z,y := z+x(0),0)

( Recall: f = (y≥0 z,y := z+xy,0) )


• Proof:



– Does (y=0) ( f = I )?

(y=0) ( f = (z,y := z+x(0),0)

= (z,y := z,0) )


• Proof:



– Does (y=0) ( f = I )?

(y=0) ( f = (z,y := z+x(0),0)

= (z,y := z,0) )

(y=0) ( I = (z,y := z,0) )


• Proof:



– Does (y=0) ( f = I )?

(y=0) ( f = (z,y := z+x(0),0)

= (z,y := z,0) )

(y=0) ( I = (z,y := z,0) )


• Proof:



– Does (y=0) ( f = I )? √

(y=0) ( f = (z,y := z+x(0),0)

= (z,y := z,0) )

(y=0) ( I = (z,y := z,0) )


– Does (y0) ( f = f o g )?p


– Does (y0) ( f = f o g )?

case a: Does (y<0) ( f = f o g )?


– Does (y0) ( f = f o g )?


( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y<0) ( f = undefined )

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?



(y<0) ( f o g = f o (z,y := z+x,y−1)

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?



(y<0) ( f o g = f o (z,y := z+x,y−1)

What is f when applied after g decrements the initially negative value of y?

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?



(y<0) ( f o g = undefined o (z,y := z+x,y−1)

since y<0 gy(y<0)<0

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?




= undefined )


– Does (y0) ( f = f o g )?




= undefined )


– Does (y0) ( f = f o g )?

case a: Does (y<0) ( f = f o g )? √



= undefined )


– Does (y0) ( f = f o g )?

case b: Does (y>0) ( f = f o g )?


– Does (y0) ( f = f o g )?


( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

(y>0) ( f o g = f o (z,y := z+x,y−1)

( Recall: f = (y≥0 z,y := z+xy,0) )

– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

(y>0) ( f o g = f o (z,y := z+x,y−1)

Again, what is f when applied after g decrements the initially positive value of y?

( Recall: f = (y≥0 z,y := z+xy,0) )



– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )

(y>0) ( f o g = (z,y := z+xy,0) o (z,y := z+x,y−1)

since y>0 gy(y>0)≥0

( Recall: f = (y≥0 z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0) )


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0) )

We could have also composed the full, conditional definition off with g, i.e. (y≥0 z,y := z+xy,0) o (z,y := z+x,y−1) to yield(y≥1 z,y := z+xy,0) which is just (z,y := z+xy,0) when y>0.


– Does (y0) ( f = f o g )?


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0)


– Does (y0) ( f = f o g )?

case b: Does (y>0) ( f = f o g )? √

(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0)


– Does (y0) ( f = f o g )? √


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0)


– Does (y0) ( f = f o g )? √


(y>0) ( f = (z,y := z+xy,0) )


= (z,y := (z+x)+x(y−1),0)

= (z,y := z+xy,0)

Therefore, f = [T].

Exercise 1

• For program M below, where all variables are integers, hypothesize a function f for [M] and prove f = [M].

while i<n do t := tx i := i+1 end_while

Today’s Topics






repeat_until Statement

• What are the correctness conditions for f = [R] = [repeat g until p]?

p

g

F

T

f =

repeat_until Statement (cont’d)

• An IRL for repeat_until statements:

f = [repeat g until p] = [g; if ¬p then f]

“Proof” by Picture

p

g

F

T

f =


p

g

F

T

f =

p

g

F

T

= p

g

T

F


p

g

F

T

f =

p

g

F

T

= p

g

T

F

=

f

p

g

T

F


p

g

F

T

f =

p

g

F

T

= p

g

T

F

=

f

p

g

T

F

=

f

¬p

g

F

T

repeat_until Statement (cont’d)

• Therefore, it is sufficient to verify that

1. R terminates for all X D(f), and that

2. f is the program function of

Q = g; if ¬p then f end_if

because [R] = [Q].

repeat_until Correctness Conditions

• Correctness conditions for

f = [R] = [repeat G until p]

(where R is closed for the domain of f†, and g = [G]):

Prove: term(f,R) Л

(p o g) (f = g) Л

¬(p o g) (f = f o g)†A repeat_until loop is closed for a set of data states S [XS Л ¬pog(X)

g(X)S]

repeat_until Correctness Conditions (cont’d)

• Working correctness questions:

– Is loop termination guaranteed for any argument of f ?

– When p o g is true does f equal g?

– When p o g is false does f equal f o g?

Exercise 2

• For program R below, where all variables are integers, hypothesize a function r for [R] and prove r = [R].

repeat: x := x−1 y := y+2until x=0

Today’s Topics






Subgoal Induction

• “Subgoal induction” is a proof method pro-posed by Morris and Wegbreit† that can be viewed as a generalization of (while loop) functional verification.

• It uses a variation of the Iteration Recursion Lemma (IRL) to identify relatively simple correctness conditions for a while loop surrounded by pre- and post-processing code.

†Morris, James & Ben Wegbreit, “Subgoal Induction,” CACM, Volume 20, No. 4, April 1977.

Subgoal Induction (cont’d)

• The key observation underlying the method is:

v = [while p do g end_while; t]≡

[if p then g;v else t end_if_else]

• The function equivalence of these programs, like that asserted in the IRL, is perhaps best illustrated graphically...


p

g

T

F

v =

t


p

g

T

F

p

T

F

p

T

F

=

t

g t

g t

v =


p

g

T

F

p

T

F

p

T

F

p

T

F

= =

v

t

g t

g t

g t

v =


p

g

T

F

p

T

F

p

T

F

p

T

F

= =

v

p

g;v

T

F

=

t t

g t

g t

g t

v =


• Suppose, now, that compound program K is:

h; while p do g end_while; t

and that v = [while p do g end_while; t].

• From the functional equivalence illustrated above and the fact that K = h;v, it therefore follows that:

[K] = v o h

= [if p then g;v else t end_if_else] o h


• Recall the correctness conditions for r = [if p then g else t]:

(1) p (r=g) and (2) ¬p (r=t).

• Thus, the complete correctness conditions for

f = [K] = [h; while p do g end_while; t]

are: (1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

where v = [while p do g end_while; t].


• Recall the correctness conditions for r = [if p then g else t]:

(1) p (r=g) and (2) ¬p (r=t).

• Thus, the correctness conditions for

f = [K] = [h; while p do g end_while; t]

are: (1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

where v = [while p do g end_while; t].

Subgoal induction vs. functional verification

• How does subgoal induction differ from the program decomposition strategy employed in functional verification†?

To show f = [h; while p do g end_while; t] using functional verification, an intermediate hypothesis and “sub-proof” for the loop is required, whereas t is part of the intermediate hypothesis in the subgoal induction case.

• Note that if t is the identify function, the two strategies are identical.

† I.e., functional verification as originally proposed by Mills.











Subgoal induction vs. functional verification (cont’d)

• But, if h is the identify function, then subgoal induction has an advantage since intended function f (if given) can then be used as the intermediate hypothesis. (In this case, treating the loop and t as a whole results in a more efficient proof.)

Subgoal Induction Example

• Use subgoal induction to prove f = [K] where, for integers x, y, and z:

f = (x≥0 x,y,z := 0,2x,2x)

and K is: y := 1

while x<>0 do y := y2 x := x-1 end_while

z := y

Subgoal Induction Example

• Use subgoal induction to prove f = [K] where, for integers x, y, and z:

f = (x≥0 x,y,z := 0,2x,2x)

and K is: y := 1 H

while x<>0 do y := y2 x := x-1 end_while

z := y T

G

Subgoal Induction Example (cont’d)

We need to show:

(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

But first, we must hypothesize a function for v (our “intermediate hypothesis”):

v = [while x<>0 do g end_while; z := y]


What is the function, v, of this program?

while x<>0 do y := y2 x := x-1end_whilez := y




x>0 x,y,z := ?, ? , ? )




x>0 x,y,z := 0, ? , ?




x>0 x,y,z := 0, y2x, ?




x>0 x,y,z := 0, y2x, y2x




x>0 x,y,z := 0, y2x, y2x x=0 x,y,z := ?, ?, ?




x>0 x,y,z := 0, y2x, y2x x=0 x,y,z := x, y, y





:= 0, y2x, y2x





:= 0, y2x, y2x

x<0 ?





:= 0, y2x, y2x

x<0 undefined





:= 0, y2x, y2x

x<0 undefined

Therefore, v is hypothesized to be:

(x≥0 x,y,z := 0, y2x, y2x)


Returning to the four correctness conditions:

(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(1) Does K terminate for all x≥0?

y := 1 while x<>0 do

y := y2 x := x-1 end_while

z := y



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(1) Does K terminate for all x≥0? YES



z := y

(Prove this using the Method of Well-Founded Sets.)



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?p



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?

case a: Does (x<0) ( v = v o g )?



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


( Recall: hypoth. v = (x≥0 x,y,z := 0, y2x, y2x) )



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x<0) ( v = undefined )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x<0) ( v = undefined ) (x<0) ( v o g = v o (x,y := x-1,2y)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x<0) ( v = undefined ) (x<0) ( v o g = ? o (x,y := x-1,2y)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x<0) ( v = undefined ) (x<0) ( v o g = undefined o (x,y := x-1,2y)

since x<0 ( gx(x<0) < 0 )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?



= undefined )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?



= undefined )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?

case a: Does (x<0) ( v = v o g )? YES


= undefined )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?

case b: Does (x>0) ( v = v o g )?




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x>0) ( v = (x,y,z := 0, y2x, y2x) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x>0) ( v = (x,y,z := 0, y2x, y2x) ) (x>0) ( v o g = v o (x,y := x-1,2y)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x>0) ( v = (x,y,z := 0, y2x, y2x) ) (x>0) ( v o g = ? o (x,y := x-1,2y)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?


(x>0) ( v = (x,y,z := 0, y2x, y2x) ) (x>0) ( v o g = (x,y,z := 0, y2x, y2x) o

(x,y := x-1,2y) since x>0 ( gx(x>0) ≥ 0 )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?



(x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?



(x,y := x-1,2y) = (x,y,z := 0, 2y2x-1, 2y2x-1) = (x,y,z := 0, y2x, y2x) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?







(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )?

case b: Does (x>0) ( v = v o g )? YES






(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(2) Does (x0) ( v = v o g )? YES

case b: Does (x>0) ( v = v o g )? YES






(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )? ¬p



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )?

(x=0) ( v = (x,y,z := 0, y20, y20) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )?

(x=0) ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )?

(x=0) ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) )

(x=0) ( t = (x,y,z := 0, y, y) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )?

(x=0) ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) )

(x=0) ( t = (x,y,z := 0, y, y) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(3) Does (x=0) ( v = t )? YES

(x=0) ( v = (x,y,z := 0, y20, y20) ) = (x,y,z := 0, y, y) )

(x=0) ( t = (x,y,z := 0, y, y) )




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(4) Does f = v o h ?



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)



(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)

voh = (x≥0 x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)

voh = (x≥0 x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0 x,y,z := 0, (1)2x, (1)2x)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)

voh = (x≥0 x,y,z := 0, y2x, y2x) o (x,y,z := x,1,z) = (x≥0 x,y,z := 0, (1)2x, (1)2x) = (x≥0 x,y,z := 0, 2x, 2x)




(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh


f = (x≥0 x,y,z := 0,2x,2x)





(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

(4) Does f = v o h ? YES

f = (x≥0 x,y,z := 0,2x,2x)





(1) term(f,K), (2) p (v=vog),

(3) ¬p (v=t), and (4) f=voh

Therefore, for f = (x≥0 x,y,z := 0,2x,2x) and K:



z := y

we conclude, by subgoal induction, that f = [K].

Summary






Coming up next…

• Thinking about invariants again

• Invariant Status Theorem (IST)

• While Loop Initialization

• Utility of IST

Functional Verification III

Prepared by

Stephen M. Thebaut, Ph.D.

University of Florida

Software Testing and Verification

Lecture Notes 23

Documents

Functional Verification III