QUESTION 1
1a. See last page for the executions. One failing execution:
Start with a=b=1, visit Lines 3,7 (now a=1, b=0), Line 8, 11, 4:
assertion violated.
1b. You can say nothing about the concrete program. The run may be a
real counterexample, in which case we have found a bug, or it may
be spurious, in which case the abstraction needs to be refined.
1c. When a "choose" statement or a "*" is encountered, both options
are tried. This is important because we use abstraction, and when
we do not find enough information, we try all options. This way,
we will never miss a bug. (Although we may find too many.)
1d. Yes, assertions are safety properties. They say that something
bad never happens and violations are always of finite length.
NOTES ON QUESTION 1
For 1a, use the algorithm taught in class. Respect the nesting of
function calls, complete the computation for each function. Never do
a computation twice for the same function call (or you may end up
doing it infinitely oftne for an infinite recursion). The graph must
make it very simple to find the return value for a given call (this is
called a summary in the paper). This is important for the same
reason: if looking up a return value for a call involves redoing the
model checking, then an infinite recursion in the program causes an
infinite recursion in your model checking algorithm.
QUESTION 2
2a. AG ~(f=g /\ h=g)
2b. Whenever a car appears on the farm road, eventually the car
leaves, or the farm light turns green.
2c. The are complements (negations of each other).
AG( c -> AF (~c \/ f=g )) =
!! AG( ~c \/ AF (~c \/ f=g )) =
! EF!( ~c \/ AF (~c \/ f=g )) =
! EF( c /\ !AF (~c \/ f=g )) =
! EF( c /\ EG !(~c \/ f=g )) =
! EF( c /\ EG (c /\ f=r ))
2d.
[f=r] = {q0,q1,q2}
First compute EG(f=r)
EGp is computed as
Y = [p]
while Y changes do
Y = [p] /\ EX(Y)
For p = (f=r):
Y0 = [f=r] = {q0,q1,q2}
Y1 = {q0,q1,q2} \cap {q0,q1,q2,q3} = {q0,q1,q2}, done.
Now compute EF EG(f=r), which is the same as EF{q0,q1,q2}.
computed as
EF p is
Y = [p]
while Y changes do
Y = [p] \cup EX(Y)
For EF {q0,q1,q3}:
Y0 = {q0,q1,q2}
Y1 = {q0,q1,q2} \cup {q0,q1,q2,q3} =
Y2 = {q0,q1,q2} \cup {q0,q1,q2,q3} =
{q0,q1,q2,q3}
{q0,q1,q2,q3}, done.
All states satisfy EFEG(f=r).
2e. I will not repeat the algorithms. First compute EG(h=r), where
[h=r] = {q0,q2,q3}
Y0 = {q0,q2,q3}
Y1 = {q0,q2,q3}
= {q0,q2,q3}
= {q2,q3}
Y2 = {q0,q2,q3}
= {q0,q2,q3}
= {q2}
Y3 = {q0,q2,q3}
= {q0,q2,q3}
= {}
Y3 = {q0,q2,q3}
= {q0,q2,q3}
= {}, done.
\cap EX {q0,q2,q3}
\cap {q1,q2,q3}
\cap EX{q2,q3}
\cap {q1,q2}
\cap EX{q2}
\cap {q1}
\cap EX{}
\cap {}
Now we compute EF EG (h=r) which is equivalent to EF {}.
to see that EF{} = {}.
It is easy
Thus, no states satisfy EF EG(h=r)
2f. If the latter formula holds, that is bad: it means that for some
inputs the highway light remains red forever.
NOTES ON QUESTION 2.
Explain means "show you have understood". Thus, in 2b, you cannot say
"for all path always if a car arrives then for all paths eventually
the car is not there or the light is green". This answer shows no
understanding of the formula.
QUESTION 3.
3a. The loop invariant is {a+b = 5}
{true}
a = 0;
{a+5 = 5}
b = 5
{a+b = 5}
while(b != 0) do
{a+b = 5 /\ b != 0}
b = b - 1;
{a+1+b = 5}
a = a + 1;
{a+b = 5}
od
{a+b = 5 /\ b=0} <=> {a=5, b=0}
The weakest precondition sought is true.
3b. The rule is
{P /\ c} S {P}
---------------------------{P} while c do S od {P /\ !c}
In our case,
P = {a+b=5},
c = {b != 0}, and
S = "b = b-1; a = a+1".
3c. It is hard because correctness is undecidable. In particular, it
is hard to guess a loop invariant. (More precisely, that is also
undecidable.) What makes it hard is the mallocs and frees,
because they cause an unbounded state space. If we did not have
them, we would have Boolean programs and we know how to check
those.