Functional Verification II Software Testing and Verification Lecture


Functional Verification II. Software Testing and Verification, Lecture Notes 22. Prepared by Stephen M. Thebaut, Ph.D., University of Florida

From the Previous Lecture…
• Verifying correctness in program reading, writing, and validation
• Complete and sufficient correctness
• Compound programs and the Axiom of Replacement

Today’s Topics:
• Correctness conditions and working correctness questions:
  – sequencing
  – decision statements

Sequencing Correctness Conditions
• Suppose we wish to show f = [G; H]
• First, hypothesize functions g, h and prove: g = [G] and h = [H]
• By the Axiom of Replacement, the problem then reduces to proving f = [g; h]

Sequencing Correctness Conditions
• Correctness condition for f = [g; h]: Prove: f = h o g
• Working correctness question: Does f equal h composed with g?
• Note: h o g(x) = h(g(x))

Sequencing Example
• Prove f = [P] where f = (x, y := y+2, y) and P is: x := y+2; y := x-2
• Proof: Let G be x := y+2 and H be y := x-2. Then, by observation, g = (x, y := y+2, y) and h = (x, y := x, x-2).

Sequencing Example (cont’d)
Therefore, by the Axiom of Replacement, it is sufficient to show:
  f = (x, y := y+2, y) = [g; h]
Does f equal h composed with g?
  h o g = (x, y := x, x-2) o (x, y := y+2, y)
        = (x, y := y+2, (y+2)-2)
        = (x, y := y+2, y)
        = f √

Conditional Function Composition
Suppose g = (x, y := 3, x-1) and h = (y>0 → x, y := x+1, -y | y≤0 → x, y := x, y).
What is h o g . . . ?
  h o g = (y>0 → x, y := x+1, -y | y≤0 → x, y := x, y) o (x, y := 3, x-1)
        = (x-1>0 → x, y := 3+1, -(x-1) | x-1≤0 → x, y := 3, x-1)
        = (x>1 → x, y := 4, 1-x | x≤1 → x, y := 3, x-1)

Conditional Function Composition
Suppose g = (x, y := 3, x-1) and h = (y>0 → x, y := x+1, -y | y≤0 → x, y := x, y).
What is g o h . . . ?
  g o h = (x, y := 3, x-1) o (y>0 → x, y := x+1, -y | y≤0 → x, y := x, y)
        = (x, y := (y>0 → 3, (x+1)-1 | y≤0 → 3, x-1))
        = (y>0 → x, y := 3, (x+1)-1 | y≤0 → x, y := 3, x-1)
        = (y>0 → x, y := 3, x | y≤0 → x, y := 3, x-1)

if_then Correctness Conditions
• Correctness conditions for f = [if p then G] (where g = [G] has already been shown): Prove: p → (f = g) ∧ ¬p → (f = I)
• Working correctness questions:
  – When p is true, does f equal g?
  – When p is false, does f equal Identity?

if_then Example
• Prove f = [K] where f = (x := -|x|) and K is: if x>0 then x := x-2*x
• Proof: Let G be x := x-2*x. Then, by observation, g = (x := x-2*x)

if_then Example (cont’d)
• Therefore, by the Axiom of Replacement, it is sufficient to show:
  f = (x := -|x|) = [if x>0 then x := x-2*x]
When p is true, does f equal g?
  (x>0) → (f = (x := -x))
  (x>0) → (g = (x := x-2*x) = (x := -x)) √
When p is false, does f equal identity?
  (x≤0) → (f = (x := x)) = I √

if_then_else Correctness Conditions
• Correctness conditions for f = [if p then G else H] (where g = [G] and h = [H] have already been shown): Prove: p → (f = g) ∧ ¬p → (f = h)
• Working correctness questions:
  – When p is true, does f equal g?
  – When p is false, does f equal h?

Exercise
• Prove f = [A] where f = (x=17 → x, y := 17, 20 | true → x, y := x, -x) and A is: if x=17 then y := x+3 else y := -x end_if_else
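The working correctness questions on the sequencing, conditional composition and if_then slides, and the exercise above, can all be checked mechanically over a finite set of states. This is an added example, not part of the lecture notes: program functions are modelled as Python callables on a state dict, h o g, if_then and if_then_else are defined as on the slides, and function equality is tested pointwise over a constructed sample of states (a test rather than a proof, so it can refute a wrong hypothesis but cannot replace the symbolic argument).

```python
from itertools import product

def compose(h, g):
    """h o g: apply g first, then h, so (h o g)(s) = h(g(s))."""
    return lambda s: h(g(s))

def if_then(p, g):
    """Program function of 'if p then G': g where p holds, identity elsewhere."""
    return lambda s: g(s) if p(s) else dict(s)

def if_then_else(p, g, h):
    """Program function of 'if p then G else H'."""
    return lambda s: g(s) if p(s) else h(s)

def equal_on(f1, f2, states):
    """Function equality checked pointwise over a finite set of states."""
    return all(f1(dict(s)) == f2(dict(s)) for s in states)

# Constructed sample of states; 17 is included so the exercise's x=17 branch is exercised.
STATES = [{'x': x, 'y': y} for x, y in product(range(-5, 25), repeat=2)]

def check_sequencing():
    """P is  x := y+2; y := x-2  with hypothesis f = (x, y := y+2, y)."""
    g = lambda s: {'x': s['y'] + 2, 'y': s['y']}    # [x := y+2]
    h = lambda s: {'x': s['x'], 'y': s['x'] - 2}    # [y := x-2]
    f = lambda s: {'x': s['y'] + 2, 'y': s['y']}
    return equal_on(f, compose(h, g), STATES)

def check_conditional_composition():
    """g = (x, y := 3, x-1), h = (y>0 -> x, y := x+1, -y | y<=0 -> x, y := x, y)."""
    g = lambda s: {'x': 3, 'y': s['x'] - 1}
    h = lambda s: {'x': s['x'] + 1, 'y': -s['y']} if s['y'] > 0 else dict(s)
    hg = lambda s: {'x': 4, 'y': 1 - s['x']} if s['x'] > 1 else {'x': 3, 'y': s['x'] - 1}
    gh = lambda s: {'x': 3, 'y': s['x']} if s['y'] > 0 else {'x': 3, 'y': s['x'] - 1}
    return equal_on(hg, compose(h, g), STATES) and equal_on(gh, compose(g, h), STATES)

def check_if_then():
    """K is  if x>0 then x := x-2*x  with hypothesis f = (x := -|x|)."""
    p = lambda s: s['x'] > 0
    g = lambda s: {**s, 'x': s['x'] - 2 * s['x']}
    f = lambda s: {**s, 'x': -abs(s['x'])}
    return equal_on(f, if_then(p, g), STATES)

def check_exercise():
    """A is  if x=17 then y := x+3 else y := -x  with the slide's hypothesis f."""
    p = lambda s: s['x'] == 17
    g = lambda s: {**s, 'y': s['x'] + 3}
    h = lambda s: {**s, 'y': -s['x']}
    f = lambda s: {'x': 17, 'y': 20} if s['x'] == 17 else {'x': s['x'], 'y': -s['x']}
    return equal_on(f, if_then_else(p, g, h), STATES)
```

Each check returns True for the slides' hypothesised functions; changing a hypothesis (for example y := x-3 in check_sequencing) makes the corresponding check return False, which is exactly the failing working correctness question.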

Coming up next…
• Iteration Recursion Lemma (!)
• Termination predicate: term(f, P)
• Correctness conditions for while_do statement
• Correctness conditions for repeat_until statement
