Solutions to Homework#5 - Program Verification | CS 476, Assignments of Computer Science

Material Type: Assignment; Class: Program Verification; Subject: Computer Science; University: University of Illinois - Urbana-Champaign; Term: Unknown 1989;


Uploaded on 03/11/2009

CS476 Homework #5, Due 11am on 12/1
Note: Answers to the exercises listed below should be handed to the instructor in formatted form. Furthermore, the code for the examples should also be emailed to the instructor.
1. The following two exercises use the latest version (with support for this Java subset) of the ITP downloadable from the course web site, which has an extension of the list of commands of the ITP specifically designed to support Hoare logic reasoning in our programming language. This latest version should only be used for verifying Java programs. For all other purposes, for example to verify inductive properties of a functional module, you should still use the previous version of the ITP that you have used before. For any questions/problems that you may have using this experimental version of the Java-ITP tool you can consult Ralf Sasse ([email protected]).
First unpack the downloaded file with 'tar xvfz homework-cs476.tar.gz'. The way this extension works is as follows:
- start the latest version of Maude
- load into Maude the functional module defining the semantics of our language, java-es-flat.maude (for speed reasons we use the flattened version).
- define a program (BlockStatements) foo in a module foo.maude importing java-es-flat.maude by declaring a constant foo and giving an equation defining the constant as the corresponding program text. Also declare a constant foo-init which contains all declarations necessary for your program, and make sure there are no ("Java") declarations in your program foo. The module foo.maude should also contain all auxiliary functions needed in a proof of correctness of program foo. (Note that in the two exercises below this has already been done for you, in the files div2.maude and sumn.maude.)
- load foo.maude (i.e. the module file described above)
- then load the included version of itp-tool.maude
- then, to prove a Hoare triple {P} foo {Q}, you give a javax command, or a javax-inv command which also needs an invariant.
In the homework this command has already been spelled out for you in "sumn.itp", whereas in "div2.itp" the invariant is missing. Before loading "div2.itp" you need to enter your own invariant in the marked place. Then you can interact with the ITP tool to discharge the created first-order goals.
Note that you can write your solution (i.e. the commands you used to discharge a goal) directly below the javax-inv command and then load the module in one shot, which will create the goal and discharge it.
Here is the sumn.maude module, which you can download as explained above:
fmod SUMN-JAVAX is
including JAVAX .
op sum : Int -> Int .
var N : Int .
ceq sum(N) = 0 if N <= 0 .
ceq sum(N) = N + sum(N - 1) if 0 < N .
op sumn : -> BlockStatements .

op sumn-init : -> BlockStatements .
eq sumn = 'C = #i(1) ; 'X = #i(0) ; while ('C <= 'N) { 'X = 'X + 'C ; 'C = 'C + #i(1) ; } .
eq sumn-init = (int 'C ; int 'X ; int 'N ;) .
endfm

and here is the sumn.itp goal you have to prove (downloadable the same way):

select ITP-TOOL .
loop init-itp .

(javax-inv SUMN-JAVAX :
--- specification variables
(N:Int)
--- precondition
( ((int-val(S:WrappedState['N])) = (N:Int) & (0 <= N:Int) = (true)) )
--- program
sumn-init sumn
--- postcondition
( (int-val(S:WrappedState['X])) = (sum(N:Int)) )
--- invariant
( (int-val(S:WrappedState['X])) = (sum(int-val(S:WrappedState['C]) + -(1)))
& (1 <= int-val(S:WrappedState['C])) = (true)
& ((int-val(S:WrappedState['C]) + -(1)) <= int-val(S:WrappedState['N])) = (true)
& (int-val(S:WrappedState['N])) = (N:Int)) .)
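Before handing the goal to the ITP it helps to see what the three first-order obligations behind javax-inv actually are. The following Python is an added sanity check, not part of the homework files or of the ITP: it re-states the sumn loop and the invariant above, checks initialization, preservation and exit over every bounded integer state (not only the reachable ones, which is what the prover also does), and shows that dropping the conjunct C - 1 <= N makes the exit obligation fail. The bound and the weakened invariant inv_weak are constructed for the example.

```python
from itertools import product

def sum_spec(n: int) -> int:
    """The page's sum: sum(N) = 0 if N <= 0, otherwise N + sum(N - 1)."""
    return 0 if n <= 0 else n + sum_spec(n - 1)

def inv_full(x: int, c: int, n: int, n0: int) -> bool:
    """Invariant from sumn.itp: X = sum(C - 1), 1 <= C, C - 1 <= N, N = N:Int (n0)."""
    return x == sum_spec(c - 1) and 1 <= c and c - 1 <= n and n == n0

def inv_weak(x: int, c: int, n: int, n0: int) -> bool:
    """Constructed variant: the same invariant with C - 1 <= N dropped."""
    return x == sum_spec(c - 1) and 1 <= c and n == n0

def vcs_hold(inv, bound: int) -> bool:
    """Check the three proof obligations of the triple
       { N = N:Int & 0 <= N:Int } sumn-init sumn { X = sum(N:Int) }
    for the loop  while (C <= N) { X = X + C ; C = C + 1 ; }
    over every integer state whose values lie in [-bound, bound]."""
    vals = range(-bound, bound + 1)
    # (1) initialization: precondition implies inv after 'C = #i(1) ; 'X = #i(0)
    for n0 in vals:
        if 0 <= n0 and not inv(0, 1, n0, n0):
            return False
    for x, c, n, n0 in product(vals, repeat=4):
        if not inv(x, c, n, n0):
            continue
        # (2) preservation: inv and the guard C <= N imply inv after the body
        if c <= n and not inv(x + c, c + 1, n, n0):
            return False
        # (3) exit: inv and not (C <= N) imply the postcondition X = sum(N:Int)
        if not (c <= n) and x != sum_spec(n0):
            return False
    return True

if __name__ == "__main__":
    print("full invariant:", vcs_hold(inv_full, 6))   # True
    print("weak invariant:", vcs_hold(inv_weak, 6))   # False
```

The weakened invariant still holds on every state the program reaches, so a test run would never expose the gap; only the exit obligation over all states satisfying the invariant does, which is why the ITP goal needs the conjunct.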

2. Similarly, here is the div2.maude module:

fmod DIV2-JAVAX is
including JAVAX .
op div2 : -> BlockStatements .
op div2-init : -> BlockStatements .
eq div2 = 'Y = #i(0) ; while (#i(1) < 'X)

3. (Ex.13.2) Define an equality enrichment for the following module, which you can retrieve from the course web page:

fmod NAT-MSET is
sorts Nat NatMSet .
subsorts Nat < NatMSet .
op 0 : -> Nat [ctor] .
op s : Nat -> Nat [ctor] .
op nil : -> NatMSet [ctor] .
op __ : NatMSet NatMSet -> NatMSet [ctor assoc comm id: nil] .
endfm