Add to collection(s) Add to saved
  1. Math
  2. Advanced Math
  3. Logic

Assignment 4

advertisement 
CSI 5110 Principles of Formal Software Development
Fall 2015
Assignment 4
Assigned November 2, due Thursday, November 12 at 10:00
1. page 303, 4.4 (1c). Please see page 301, 4.3 (15) for the definition of Multi2.
2. page 304 (2). For part (b) just explain (in detail). You do not need a proof.
3. The following Java class implements a clock. The JML specifications describe the class
invariants and some of the behavior of its methods.
public class Clock {
private int hour;
private int minute;
private int second;
//@ private invariant 0 <= hour && hour <= 23;
//@ private invariant 0 <= minute && minute <= 59;
//@ private invariant 0 <= second && second <= 59;
//@ ensures getHour() == 12 && getMinute() == 0 && getSecond() == 0;
public Clock()
{ hour = 12; minute = 0; second = 0; }
//@ ensures 0 <= \result && \result <= 23;
public /*@ pure @*/ int getHour()
{ return hour; }
//@ ensures 0 <= \result && \result <= 59;
public /*@ pure @*/ int getMinute()
{ return minute; }
//@ ensures 0 <= \result && \result <= 59;
public /*@ pure @*/ int getSecond()
{ return second; }
/*@ assignable hour, minute, second;
@ ensures \old(getSecond()) < 59 ==>
(getSecond() == \old(getSecond())+1 &&
getMinute() == \old(getMinute()) &&
getHour() == \old(getHour()))
@ ensures \old(getSecond()) == 59 ==> getSecond() == 0
@*/
public void tick()
{ second = second + 1;
if (second == 60) { second = 0; minute = minute + 1; }
if (minute == 60) { minute = 0; hour = hour + 1; }
if (hour == 24) { hour = 0; }
}
}
1
(a) Explain why the specification of the tick method is lightweight. Does the tick
method meet its specification? If not, explain why.
(b) Write a heavyweight JML specification that captures the full correct behavior of
a method called addMinutes that takes an integer representing a valid number of
minutes. The number must represent an amount of time that is less than an hour.
The method must update the current clock time by adding the input number of
minutes. Be sure to include an assignable clause to your specification.
(c) Write code for the addMinutes method that meets your specification for part (b)
above. If you are not familiar with Java, you may use another programming language
syntax, such as the programming language from Chapter 4 augmented with arrays
and booleans.
(d) Suppose all calls to getSecond in the JML specifications were replaced by occurrences
of the instance variable second. List other changes that would be required so that
all the specifications remain correct.
4. Below is a machine code program which traverses an integer list located in register r0
and counts the number of elements of the list that are positive. The result is returned in
register r0 . This program is a minor modification of the one in the course notes.
Π1
Π2
Π3
Π4
:
:
:
:
Π5
Π6
Π7
Π8
Π9
Π10
Π11
Π12
Π13
Π14
Π15
:
:
:
:
:
:
:
:
:
:
:
Precondition: (r0 :m intlist ∧ r3 = 0)
ADD r1 := r3 + r3 ;
INV (r0 :m intlist ∧ r1 :m int ∧ r3 = 0 ∧ r1
LD r5 := m(r0 + 0);
INV (r0 :m intlist ∧ r1 :m int ∧ r3 = 0 ∧ r1
∧ r5 = m(r0 + 0))
BEQ (r5 = r3 ) 9;
LD r2 := m(r0 + 1);
LD r0 := m(r0 + 2);
INV (r0 :m intlist ∧ r1 :m int ∧ r3 = 0 ∧ r1
BGT (r5 > r2 ) − 6;
ADDC r1 := r1 + 1
INV (r0 :m intlist ∧ r1 :m int ∧ r3 = 0 ∧ r1
BEQ (r3 = r3 ) − 9;
INV (r1 :m int ∧ r1 ≥ 0)
ADDC r0 := r1 + 0;
RET;
Postcondition: (r0 ≥ 0)
% initialize result to 0
≥ 0)
% r5 gets tag
≥0
% jump if list tag is 0
% load next int in r2
% r0 gets pointer to rest of list
≥ 0)
% jump back if value is < 1
% otherwise add 1 to result
≥ 0)
% jump back
% move final result to r0
Find the verification condition using the method described in class (the VCG method).
Show each V Ci for i = 1, . . . , 15. Your verification condition should have 6 conjuncts.
2
5. Extra Credit
(a) Prove the verification condition. In addition to the rules of propositional logic, and
the usual laws of integer arithmetic, the rules listed on the next page can be used.
Note that these rules include named versions of the typing and safety rules in the
course notes. Your verification condition should have 6 conjuncts.
(b) From the information below about one particular state of the machine before execution of the program, prove that the precondition holds for this state.
Register
r0
r3
Value
201
0
Memory Address
201
202
203
..
.
Value
1
2
401
304
..
.
0
401
402
403
1
0
304
3
0:m int
int zero
x :m int
int succ
x + 1 :m int
x :m int
y :m int
int plus
x + y :m int
v :m intlist
list tag
m(v) = 0 ∨ m(v) = 1
v :m intlist
list readable
readable(v)
v :m intlist
m(v) = 1
list field1
m(v + 1) :m int
v :m intlist
m(v) = 1
list field2
m(v + 2) :m intlist
v :m intlist
m(v) = 1
list readable1
readable(v + 1)
v :m intlist
m(v) = 1
list readable2
readable(v + 2)
m(v) = 0
empty list
v :m intlist
m(v) = 1
m(v + 1) :m int
v :m intlist
4
m(v + 2) :m intlist
non empty list
Related documents
This is “Halstead`s Software Science”
This is “Halstead`s Software Science”
Processing Tutorial 1: Loops
Processing Tutorial 1: Loops
Complexity analysis
Complexity analysis
What is the goal of testing?
What is the goal of testing?
Experience
Experience
Algebra II – 8
Algebra II – 8
Java Arithmetic First understand integer division (assumed by Java
Java Arithmetic First understand integer division (assumed by Java
EE 356 Fall 2016 C# WPF – Lists and Queues
EE 356 Fall 2016 C# WPF – Lists and Queues
tutorial7
tutorial7
Chapter 2 – The Fundamentals
Chapter 2 – The Fundamentals
Multidimensional arrays Multidimensional arrays as arguments to functions Declaration:
Multidimensional arrays Multidimensional arrays as arguments to functions Declaration:
LECTURE 1 OVERVIEW AND HISTORY
LECTURE 1 OVERVIEW AND HISTORY
Download
advertisement