THE AUSTRALIAN NATIONAL UNIVERSITY · THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester 2009...

THE AUSTRALIAN NATIONAL UNIVERSITY

Second Semester 2009

COMP2600(Formal Methods for Software Engineering)

Writing Period: 3 hours duration

Study Period: 15 minutes duration

Permitted Materials: One A4 page with hand-written notes on both sides

Answer ALL questionsTotal marks: 100

The questions are followed by labelled blank spaces into which your answers are to be written.

Additional answer panels are provided (at the end of the paper) should you wish to use morespace for an answer than is provided in the associated labelled panels. If you use an additionalpanel, be sure to indicate clearly the question and part to which it is linked.

Student Number:

The following spaces are for use by the examiners.

Q1 Q2 Q3 Q4

Q5 Q6 Q7 Q8 Total

COMP2600 (Formal Methods for Software Engineering) Page 1 of 26

QUESTION 1 [13 marks]The following questions ask for proofs using natural deduction. Present your proofs in the Fitchstyle as used in lectures. Use only the introduction and elimination rules given in Appendix 1.Number each line and include justifications for each step in your proofs.

(a) Give a natural deduction proof of (a→ b)→ (a→ (c→ (b ∧ c))).QUESTION 1(a) [4 marks]

(b) Give a natural deduction proof of (a ∧ b)→ (¬b→¬a).QUESTION 1(b) [3 marks]


(c) What follows is a proof of (a→ b)→ (¬a ∨ b) with the justifications missing.

1. (a→ b)2. ¬(¬a ∨ b)3. ¬a4. ¬a ∨ b5. (¬a ∨ b) ∧ ¬(¬a ∨ b)6. a7. b8. ¬a ∨ b9. (¬a ∨ b) ∧ ¬(¬a ∨ b)10. ¬a ∨ b11. (a→ b)→ (¬a ∨ b)

Reproduce the proof below, adding justifications which show which rules are used oneach statement. Use the Fitch proof style which shows the scope of each assumption.QUESTION 1(c) [3 marks]


(d) Give a natural deduction proof of

(∀z. (P (z) ∧Q(z))) → ((∀x. P (x)) ∧ (∀y. Q(y)))

Take care with parentheses and variable names.QUESTION 1(d) [3 marks]


QUESTION 2 [12 marks]

(a) Give an inductive proof the fact that consecutively mapping two functions over a list isequivalent to mapping their composition over the list. That is:

map f (map g xs) = map (f.g) xs

The definitions of map and compose (.) are:

map f [] = [] -- M1

map f (x:xs) = f x : map f xs -- M2

(f . g) x = f (g x) -- C

(i) State and prove the base case goalQUESTION 2(a)(i) [2 marks]


(ii) State the inductive hypothesisQUESTION 2(a)(ii) [1 mark]

(iii) Now complete the step caseQUESTION 2(a)(iii) [3 marks]


(b) Simple arithmetic expressions can be represented in Haskell with the following algebraicdata type:

data Exp = Num Int | Add Exp Exp | Mul Exp Exp

For example, 3 + 4× 5 is represented by Add (Num 3) (Mul (Num 4) (Num 5))

The following function evaluates these simple arithmetic expressions:

eval :: Exp -> Int

eval (Num n) = n -- E1

eval (Add e1 e2) = (eval e1) + (eval e2) -- E2

eval (Mul e1 e2) = (eval e1) * (eval e2) -- E3

Addition and multiplication are commutative (e1+e2 = e2+e1 and e1*e2 = e2*e1) so weexpect that applying the following function will not affect the value of the expression:

commute :: Exp -> Exp

commute (Num n) = Num n -- C1

commute (Add e1 e2) = Add (commute e2) (commute e1) -- C2

commute (Mul e1 e2) = Mul (commute e2) (commute e1) -- C3

Confirm this expectation by proving that, for all expressions e of type Exp,

eval(commute e) = eval e

(i) State and prove the base case goalQUESTION 2(b)(i) [2 marks]


(ii) State the inductive hypothesisQUESTION 2(b)(ii) [1 mark]

(iii) Now complete the step caseQUESTION 2(b)(iii) [3 marks]



(a) For which programs S does {False} S {True} hold?QUESTION 3(a) [2 marks]

(b) The following piece of code is called Half :

x := 0;y := 0;while (x < a)

x := x + 2;y := y + 1;

We wish to use Hoare Logic (Appendix 2) to show that:

{True} Half {x = 2 ∗ y}

In the questions below (and your answers), we may refer to the loop code as Loop, thebody of the loop (i.e. x:=x+2;y:=y+1;) as Body, and the initialisation assignments (i.e.x:=0;y:=0;) as Init.

(i) Given the desired postcondition {x = 2 ∗ y}, what is a suitable invariant for Loop?(Hint: notice that the postcondition is independent of the value of a.)QUESTION 3(b)(i) [3 marks]


(ii) Prove that your answer to the previous question is indeed a loop invariant. That is, ifwe call your invariant P , show that {P} Body {P}. Be sure to properly justify eachstep of your proof.QUESTION 3(b)(ii) [3 marks]

(iii) Using the previous result and some more proof steps show that

{True} Half {x = 2 ∗ y}

Be sure to properly justify each step of your proof.QUESTION 3(b)(iii) [4 marks]



(a) If wp(S,True) = False, what do we know about S?QUESTION 4(a) [2 marks]

(b) This question also concerns the program Half, but a different postcondition:

x := 0;y := 0;while (x < a)

x := x + 2;y := y + 1;

The postcondition Q we require is y ∗ 2 = a and we wish to calculate the weakestprecondition that establishes Q:

wp(Half, y ∗ 2 = a)

(i) Pk is the loop precondition which ensures the while-loop terminates after k iterationswith Q true. Using the wp calculus (Appendix 3) calculate P0, P1, P2 and P3.QUESTION 4(b)(i) [3 marks]


(ii) Suggest a general form Pk for all k ≥ 1 and prove your formula by induction.QUESTION 4(b)(ii) [3 marks]

(iii) Derive the weakest condition for the loop to execute some finite number of times andterminate in a state satisfying Q. That is, calculate wp(Loop, Q). (Do not eliminatequantifiers at this stage — you will find that easier in the next step.)QUESTION 4(b)(iii) [2 marks]

(iv) Using the result established in the previous step, derive the weakest precondition forthe whole program. That is, calculate wp(Half, Q).QUESTION 4(b)(iv) [3 marks]



(a) Use α-conversion to change the following to an equivalent expression in which distinctbound variables are represented by different letters:

(λx. (λx. λy. (λx. y) x) (λy. x))

QUESTION 5(a) [1 mark]

(b) Reduce the following expression to normal form, showing each step in the reduction:

(λn. λs. λz. s (n s z)) (λs. λz. s (s z))

QUESTION 5(b) [2 marks]


(c) Draw the syntax tree for the following expression:

λf.λx. succ (f (succ x))

QUESTION 5(c) [2 marks]

(d) Extract type constraints from your syntax tree. You may assume that succ :: Int → Int .QUESTION 5(d) [3 marks]


(e) Solve these type constraints to yield types for f, x, and the whole expression.QUESTION 5(e) [2 marks]


(f) The following typing statement has a problem:

∅ ` λ(f : Int → Bool) . f (f 5) :: (Int → Bool)→ Int

Starting with this statement, draw as much of its type derivation tree as possible. If youcannot complete the derivation then clearly indicate why no further progress can be made.The lambda calculus typing rules are given in Appendix 4. For brevity, contract Int to Iand Bool to B. Turn the page 90◦ and draw it landscape if you like.QUESTION 5(f) [2 marks]



(a) Design a finite state automaton to check whether bit strings have even parity. That is, yourFSA should recognise the language of non-empty strings over the alphabet Σ = {0, 1},which contain an even number of 1s.QUESTION 6(a) [4 marks]

(b) The following non-deterministic finite state automaton A4 recognises binary numeralsthat are divisible by 4 (that is, they end in 00). The alphabet is Σ = {0, 1}.

A4: ��- S0

-0��60

��?

1

��S1

-0 ��

S2

Give a regular expression for this language.QUESTION 6(b) [2 marks]


(c) Design a deterministic finite state automaton which recognises exactly the same languageas A4.QUESTION 6(c) [3 marks]

(d) Prove that your DFA accepts any binary numeral that ends in 00. That is, assuming theinitial state is S0 and the final state is Sf , show that

∀w ∈ Σ∗ . N∗(S0, w00) = Sf

QUESTION 6(d) [4 marks]


QUESTION 7 [12 marks]Consider the following context-free grammar G over alphabet {a, b, c}:

S → aSa | bSb | cSc | aa | bb | cc

(a) What is the language L(G) generated by grammar G? Be precise and include someillustrative examples.QUESTION 7(a) [3 marks]

(b) Carefully explain why the language L(G) is context-free. In particular, explain why itcannot be recognised by a finite state automaton.QUESTION 7(b) [3 marks]


(c) Derive a non-deterministic push-down automaton which recognises L(G).QUESTION 7(c) [3 marks]

(d) Suppose we wanted to design a deterministic push-down automaton to recognise L(G).Can you foresee any significant problems in doing so?QUESTION 7(d) [3 marks]



(a) The following diagram shows a Turing machine, whose purpose is either to accept orreject the input string. The input string consists of ‘a’s and ‘b’s, and the rest of the tape isblank. (A string accepted if the machine reaches the halt state and rejected if the machinegets stuck in another state.) Initially the head is somewhere on the input string.

��S0

-

��?

aa,L

��6bb,L

-

ΛΛ,R

��S1

-

aΛ,R

��S2

��?

aa,R

�� bb,R

?

ΛΛ,L

��S3

�

bΛ,L

��S4

�

ΛΛ,S

��halt

@@

@@@

@@@

@@I

bb,L

(i) Give a general description of the purpose of states S0 and S1.QUESTION 8(a)(i) [2 marks]


(ii) What change is accomplished on the tape if the machine moves from state S1 to stateS4?QUESTION 8(a)(ii) [3 marks]

(iii) What is the language accepted by this machine?QUESTION 8(a)(iii) [3 marks]


(b) Design a Turing Machine which adds an even parity check bit to the right hand end of abit string. The tape initially contains a non-empty string of binary digits and the read headis somewhere on the string. If there is an odd number of 1s in the string, the machine addsanother 1 to the right hand end of the string and halts. If there is an even number of 1s inthe string, the machine adds a 0 to the right hand end of the string and halts. For example:

0011000 =⇒ 001100000011010 =⇒ 001101010000000 =⇒ 00000000

QUESTION 8(b) [5 marks]


Additional answers. Clearly indicate the corresponding question and part.









Appendix 1 — Natural Deduction Rules

(∧I)p q

p ∧ q(∧E)

p ∧ q

p q

(∨I)p

p ∨ q q ∨ p(∨E)

[p] [q]

p ∨ q r r

r

(→I)

[p]

q

p→ q(→E)

p p→ q

q

(¬I)

[p]

q ∧ ¬q¬p

(¬E)

[¬p]q ∧ ¬qp

(∀I)P (a) (a arbitrary)

∀x. P (x)

(∀E)∀x. P (x)

P (a)

(∃I)P (a)

∃x. P (x)

(∃E)∃x. P (x) P (a)→ q (a arbitrary)

q (a is not free in q)

COMP2600 (Formal Methods for Software Engineering) — Additional material

Appendix 2 — Hoare Logic Rules

• Precondition Strengthening:

{Pw} S {Q} Ps =⇒ Pw

{Ps} S {Q}

• Postcondition Weakening:

{P} S {Qs} Qs =⇒ Qw

{P} S {Qw}

• Assignment:{Q(e)} x := e {Q(x)}

• Sequence:{P} S1 {Q} {Q} S2 {R}

{P} S1;S2 {R}

• Conditional:{P ∧ b} S1 {Q} {P∧ ∼ b} S2 {Q}{P} if b then S1 else S2 {Q}

• While Loop:{P ∧ b} S {P}

{P} while b do S {P∧ ∼ b}


Appendix 3 — Weakest Precondition Rules

wp(x := e, Q(x)) ≡ Q(e)

wp(S1;S2, Q) ≡ wp(S1, wp(S2, Q))

wp(if b then S1 else S2, Q) ≡ (b =⇒ wp(S1, Q)) ∧ (¬b =⇒ wp(S2, Q))

≡ (b ∧ wp(S1, Q)) ∨ (¬b ∧ wp(S2, Q))

wp(if b then S,Q) ≡ (b =⇒ wp(S,Q)) ∧ (¬b =⇒ Q)

≡ (b ∧ wp(S,Q)) ∨ (¬b ∧Q)

Pk is the weakest predicate that must be true before while b do S executes, in order for the loopto terminate after exactly k iterations in a state that satisfies Q.

P0 ≡ ¬b ∧Q

Pk+1 ≡ b ∧ wp(S, Pk)

wp(while b do S,Q) ≡ ∃k.(k ≥ 0 ∧ Pk)

Appendix 4 — Lambda Calculus Typing Rules

x : τ ∈ Γ

Γ ` x :: τ(Variable)

Γ, x : τ1 ` e2 :: τ2

Γ ` λ(x : τ1). e2 :: τ1 → τ2

(Abstraction)

Γ ` e1 :: τ11 → τ12 Γ ` e2 :: τ11

Γ ` e1 e2 :: τ12

(Application)


Date post:	21-Jun-2020
Category:	Documents
Upload:	others
View:	8 times
Download:	0 times

THE AUSTRALIAN NATIONAL UNIVERSITY · THE AUSTRALIAN NATIONAL UNIVERSITY Second Semester 2009...

Documents