NTU Weekly Lesson Topic Worksheet

Lectures 16 and 17

Formal Program Specification and Intro to Axiomatic Verification

Following a brief review of symbolic logic and recursive functions, we consider formal program specification via pre- and post-conditions and functions (“Formal Program Specification”). We then turn our attention to axiomatic verification and the weak correctness predicate. Our initial focus will be reasoning about the correctness of programs utilizing assignment statements, sequencing, and selection statements (“Axiomatic Verification I”). You will also read a paper by Steve King, et al., which addresses an interesting question: “Is proof more cost-effective than testing?”

Formal Program Specification

Context:

We begin the second half of the course this week by shifting our focus from testing to formal program verification, which requires some familiarity with notations used to formally specify the functional behavior of programs.

Purpose:

The purpose of this week’s first lecture is to review some basic ideas from symbolic logic and discrete math. Following this, you will be introduced to the use of two formal specification techniques: specification via pre- and post-conditions, and specification via functions.

Competency Objectives:

At the end of this lesson, you will be able to:

1. Say, “Oh yeah, I remember learning about propositions, truth tables, predicates, sets, relations, and functions in the 3rd grade!”, or something similar.

2. Write pre- and post-conditions that capture the required behavior of simple programs.

3. Use functional forms such as conditional rules, recursion, and assignment functions to capture the required behavior of simple programs.

Key Points:

1. A proposition, P, is a statement of some alleged fact which must be either true or false, and not both.

2. Predicates are expressions containing one or more free variables (place holders) that can be filled by suitable objects to create propositions.

3. A rule of inference is expressed in the form:

   A1, A2, …, An
   -------------
         C

   and is interpreted to mean (A1 ∧ A2 ∧ … ∧ An) ⇒ C.

4. The (functional) requirements of a program may be specified by providing: an explicit predicate on its state before execution (a pre-condition), and an explicit predicate on its state after execution (a post-condition).

5. A pre-condition represents assumptions that an implementer is allowed to make, and a post-condition represents the obligation that must be met.

6. Programs may also be specified via the use of an assignment function, e.g., f = (x, y := x+y, 0), for which the final value of x is the sum of the initial values of x and y, and the final value of y is 0.

7. Conditional rules are a sequence of (predicate → rule) pairs separated by vertical bars and enclosed in parentheses:

   (p1 → r1 | p2 → r2 | … | pk → rk)

   The meaning is: evaluate predicates p1, p2, …, pk in order; for the first predicate, pi, which evaluates to true, if any, use the rule ri; if no predicate evaluates to true, the rule is undefined. (Note that “→” ≠ “⇒”.)

Axiomatic Verification I

Context:

We begin our consideration of formal verification with Axiomatic Verification. The idea is to trace a program’s state changes from an initial (pre-) condition to a final (post-) condition according to a set of self-evident rules (axioms). The rules used depend on the program construct being considered at each step of the process.

Purpose:

To motivate an appreciation for the benefits of studying axiomatic verification (and formal verification techniques in general), to introduce important notational conventions used to assert program correctness w.r.t. given pre- and post-conditions, and to motivate an understanding of the rules used to reason about how various program constructs effect changes in program state.

Competency Objectives:

At the end of this lesson, you will be able to:

1. Precisely interpret the deceptively simple but critically important Weak Correctness Predicate, {P} S {Q}.

2. Reason about the effect of assignment statements, sequencing, and selection (conditional) statements on program state, and prove the correctness of simple programs composed of those constructs.

Key Points:

1. To prove that program S is (weakly) correct with respect to pre-condition P and post-condition Q, it is sufficient to show:

   {P} S {Q}.

   Interpretation of {P} S {Q}: “if the input (initial state) satisfies pre-condition P and program S executes and terminates, then the output (final state) will (= must) satisfy post-condition Q.”

2. In general, if you know {P} S {Q}, and you also know K ⇒ P and Q ⇒ W, then it follows that {K} S {W}.

3. In general, if you know {P} S1 {R} and you know {R} S2 {Q}, then you know {P} S1; S2 {Q}.

4. The necessary conditions for {P} if b then S1 else S2 {Q} to hold are: {P ∧ b} S1 {Q} and {P ∧ ¬b} S2 {Q}.

5. The necessary conditions for {P} if b then S {Q} to hold are: {P ∧ b} S {Q} and (P ∧ ¬b) ⇒ Q.

Reading Assignment: (from the required reading packet)

King, et al., “Is Proof More Cost-Effective than Testing?” IEEE Transactions on Software Engineering, Vol. 26, No. 8, August 2000.

Self-Check Quiz Questions

1. (2 pts.) Describe TWO ways in which the predicate x>5 can give rise to a proposition. Illustrate your answer with an example of each.

2. (3 pts.) Give a pre- and post-condition for a program that sets Boolean variable FOUND to true if the non-empty array A[1:N] contains one or more occurrences of value Y and to false otherwise.

3. (3 pts.) What is the truth value of the following assertions?

   a. {x>0} y := x+1 {y≥0}
   b. {|x|=10} while x <> 5 do x := x-1 {|x|<10}
   c. {x≥0} S {x>0} ⇒ {x=17} S {x≥0}

4. (2 pts.) Prove the assertion:

   {Y=X} if X<0 then Y:=-X else A:=5 {Y=|X|}

   using the if_then_else Rule of Inference.
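The following Python is an added illustration, not part of the worksheet or the course materials, that ties the two lectures together: it models the functional specification forms of the first lecture (the assignment function f = (x, y := x+y, 0) and conditional rules (p1 → r1 | … | pk → rk) as functions on program state) and the {P} S {Q} rules of the second (assignment, sequencing, if-then-else, and if-then) as a weakest-precondition transformer, then checks both against small programs by enumerating a finite domain of states. The toy language (`Assign`, `Seq`, `If`), the helper names (`wp`, `counterexample`, `check_sum`, `check_max`), the max-of-two-values specification and the domain range(-3, 4) are all constructed for this example. An exhaustive check over a finite domain is a test of a triple, not a proof of it; the proof is what the rules of inference in the key points give you, and the checker is only a way to see those rules at work and to find the state on which a faulty program breaks them.

```python
# Added illustration, not from the worksheet: a finite-domain checker for the
# specification styles of lecture 16 and the {P} S {Q} rules of lecture 17.
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Optional, Sequence, Tuple, Union

State = Dict[str, int]
Expr = Callable[[State], int]
Pred = Callable[[State], bool]
Rule = Callable[[State], State]

# A toy imperative language: assignment, sequencing and selection only.
@dataclass(frozen=True)
class Assign:
    var: str
    expr: Expr

@dataclass(frozen=True)
class Seq:
    first: "Stmt"
    second: "Stmt"

@dataclass(frozen=True)
class If:
    cond: Pred
    then: "Stmt"
    els: Optional["Stmt"] = None      # None models "if b then S" with no else

Stmt = Union[Assign, Seq, If]

def run(stmt: Stmt, s: State) -> State:
    """Operational meaning: the program's function from initial to final state."""
    if isinstance(stmt, Assign):
        return {**s, stmt.var: stmt.expr(s)}
    if isinstance(stmt, Seq):
        return run(stmt.second, run(stmt.first, s))
    if stmt.cond(s):
        return run(stmt.then, s)
    return run(stmt.els, s) if stmt.els is not None else s

# Functional specification (key points 6 and 7 of the first lecture).
def assignment_function(**updates: Expr) -> Rule:
    """Concurrent assignment such as (x, y := x+y, 0): every right-hand side is
    evaluated in the initial state before any variable changes."""
    return lambda s: {**s, **{v: e(s) for v, e in updates.items()}}

def conditional_rule(pairs: Sequence[Tuple[Pred, Rule]]) -> Callable[[State], Optional[State]]:
    """(p1 -> r1 | p2 -> r2 | ... | pk -> rk): apply the rule of the first true
    predicate; the rule is undefined (None) when no predicate is true."""
    def f(s: State) -> Optional[State]:
        for pred, rule in pairs:
            if pred(s):
                return rule(s)
        return None
    return f

def states(names: Sequence[str], values: Sequence[int]):
    """Every state that assigns each name a value from the finite domain."""
    for combo in product(values, repeat=len(names)):
        yield dict(zip(names, combo))

def implements(prog: Stmt, spec, names, values) -> Optional[State]:
    """First initial state on which the program function differs from the spec."""
    return next((s for s in states(names, values) if run(prog, s) != spec(s)), None)

# Axiomatic verification (key points 1-5 of the second lecture), expressed as a
# weakest-precondition transformer over the same toy language.
def wp(stmt: Stmt, q: Pred) -> Pred:
    """Assignment: Q with the assigned value standing in for the variable.
    Sequencing: wp(S1, wp(S2, Q)).  if b then S1 else S2: wp(S1, Q) when b holds,
    wp(S2, Q) otherwise.  if b then S: wp(S, Q) when b holds, Q itself otherwise."""
    if isinstance(stmt, Assign):
        return lambda s: q({**s, stmt.var: stmt.expr(s)})
    if isinstance(stmt, Seq):
        return wp(stmt.first, wp(stmt.second, q))
    then_wp = wp(stmt.then, q)
    else_wp = wp(stmt.els, q) if stmt.els is not None else q
    return lambda s: then_wp(s) if stmt.cond(s) else else_wp(s)

def counterexample(p: Pred, stmt: Stmt, q: Pred, names, values) -> Optional[State]:
    """Bounded check of {P} S {Q}: a state satisfying P but not wp(S, Q), or None."""
    pre = wp(stmt, q)
    return next((s for s in states(names, values) if p(s) and not pre(s)), None)

DOMAIN = range(-3, 4)   # constructed finite domain, small enough to enumerate

def check_sum() -> Optional[State]:
    """x := x+y; y := 0 against f = (x, y := x+y, 0), then the triple
    {x=a and y=b} S {x=a+b and y=0} with ghost variables a and b."""
    prog = Seq(Assign("x", lambda s: s["x"] + s["y"]), Assign("y", lambda s: 0))
    spec = assignment_function(x=lambda s: s["x"] + s["y"], y=lambda s: 0)
    bad = implements(prog, spec, ["x", "y"], DOMAIN)
    if bad is not None:
        return bad
    p = lambda s: s["x"] == s["a"] and s["y"] == s["b"]
    q = lambda s: s["x"] == s["a"] + s["b"] and s["y"] == 0
    return counterexample(p, prog, q, ["x", "y", "a", "b"], DOMAIN)

def check_max() -> Tuple[Optional[State], Optional[State]]:
    """Spec (x>=y -> m := x | x<y -> m := y). The if-then-else meets it; the
    if-then without an else does not, because (P and not b) => Q fails."""
    spec = conditional_rule([
        (lambda s: s["x"] >= s["y"], assignment_function(m=lambda s: s["x"])),
        (lambda s: s["x"] < s["y"], assignment_function(m=lambda s: s["y"])),
    ])
    full = If(lambda s: s["x"] >= s["y"], Assign("m", lambda s: s["x"]),
              Assign("m", lambda s: s["y"]))
    partial = If(lambda s: s["x"] > s["y"], Assign("m", lambda s: s["x"]))
    q = lambda s: s["m"] == max(s["x"], s["y"])
    names = ["x", "y", "m"]
    return (implements(full, spec, names, DOMAIN),
            counterexample(lambda s: True, partial, q, names, DOMAIN))
```

Calling `check_sum()` returns None: the sequential program agrees with the concurrent assignment function on every state, and the triple with ghost variables a and b holds, which is what key point 3 (sequencing) plus the assignment rule predicts. `check_max()` returns a pair whose first element is None (the if-then-else implements the conditional rule) and whose second element is a state with x ≤ y and m not already equal to the maximum: exactly the (P ∧ ¬b) ⇒ Q obligation of key point 5 that the else-less version leaves undischarged. Replacing the enumeration with a real proof means discharging the implication P ⇒ wp(S, Q) symbolically instead of state by state.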
