with some sample...

THE AUSTRALIAN NATIONAL UNIVERSITY

Second Semester 2012

COMP2600(Formal Methods for Software Engineering)

Writing Period: 3 hours duration

Study Period: 15 minutes duration

Permitted Materials: One A4 page with hand-written notes on both sides

Answer ALL questionsTotal marks: 100

Note internal choice in Question 9

WITH SOME SAMPLE SOLUTIONS

The questions are followed by labelled blank spaces into which your answers are to be written.

Additional answer panels are provided (at the end of the paper) should you wish to use morespace for an answer than is provided in the associated labelled panels. If you use an additionalpanel, be sure to indicate clearly the question and part to which it is linked.

The following spaces are for use by the examiners.

Q1 (NatDed) Q2 (StrInd) Q3 (Hoare) Q4 (WP) Q5 (FSA)

Q6 (CFL) Q7 (TM) Q8 (Z) Q9 (1 of 2) Total

COMP2600 (Formal Methods for Software Engineering) of30

QUESTION 1 [12 marks] (Natural Deduction)

The following questions ask for proofs using natural deduction. Present your proofs in the Fitchstyle as used in lectures. You may use the introduction and elimination rules given in Appendix1, as well as the following derived rule:

(contradiction)p ∧ ¬p

q

Number each line and include justifications for each step in your proofs.

(a) Give a natural deduction proof of(p ∧ q)⇒ r

¬(p ∧ (q ∧ ¬r))

QUESTION 1(a) [4 marks]

1 (p ∧ q)⇒ r

2 p ∧ (q ∧ ¬r)

3 p ∧-E, 2

4 q ∧ ¬r ∧-E, 2

5 q ∧-E, 4

6 p ∧ q ∧-I, 3, 5

7 r →-E, 1, 6

8 ¬r ∧-E, 4

9 r ∧ ¬r ∧-I, 7, 8

10 ¬(p ∧ (q ∧ ¬r)) ¬I, 2–9


(b) Give a natural deduction proof ofc ⇒ (a ∨ b)(c ∧ ¬a)⇒ b

QUESTION 1(b) [4 marks]

1 c ⇒ (a ∨ b)

2 c ∧ ¬a

3 c ∧-E, 2

4 a ∨ b →-E, 1, 3

5 a

6 ¬a ∧-E, 2

7 a ∧ ¬a ∧-I, 5, 6

8 b contradiction,7

9 b

10 b R, 9

11 b ∨-E, 4, 5–8, 9–10

12 (c ∧ ¬a)⇒ b →-I, 2–11


(c) Give a natural deduction proof ofP ∧ ∃ x.Q(x)∃ x.(P ∧ Q(x))

wherex does not appear free inP.

Take care with parentheses and variable names.

QUESTION 1(c) [4 marks]

1 P ∧ ∃ x.Q(x)

2 P ∧-E, 1

3 ∃ x.Q(x) ∧-E, 1

4 a Q(a)

5 P ∧ Q(a) ∧-I, 2, 4

6 ∃ x. (P ∧ Q(x)) ∃-I, 5

7 ∃ x. (P ∧ Q(x)) ∃-E, 3, 4–6


QUESTION 2 [12 marks] (Structural Induction)

In all proofs indicate the justification (eg, the line of a definition used) for each step.

(a) Given the following definitions of(++) andcount:

[] ++ ys = ys -- (A1)

(x:xs) ++ ys = x : (xs ++ ys) -- (A2)

count [] = 0 -- (C1)

count (x:xs) = 1 + count xs -- (C2)

Prove the following

count(xs ++ ys) = (count xs) + (count ys)

(i) State and prove the base case goal

QUESTION 2(a)(i) [1 mark]

We use induction onxs (notys): the clue here is that the definition of(++) is recursive on its first argumentxs.

Base case: xs = []Show thatcount([] ++ ys) = (count []) + (count ys)

Proof:count([] ++ ys)

= count ys -- by (A1)= 0 + count ys -- by arithmetic= count [] + count ys -- by (C1)


(ii) State the inductive hypothesis

QUESTION 2(a)(ii) [1 mark]

For proving the step case withxs = a:as,the inductive hypothesis is:

count(as ++ ys) = (count as) + (count ys) -- (IH)

(iii) State and prove the step case goal:

QUESTION 2(a)(iii) [3 marks]

Step case: (for xs = a:as)Assuming the inductive hypothesis (IH) above, show that:count(a:as ++ ys) = (count a:as) + (count ys)

Proof:count(a:as ++ ys)

= count(a:(as ++ ys)) -- by (A2)= 1 + count(as ++ ys) -- by (C2)= 1 + count as + count ys -- by (IH)= (count a:as) + (count ys) -- by (C2)


(b) Binary trees can be represented in Haskell with the followingalgebraic data type:

data Tree a = Nul | Node a (Tree a) (Tree a)

We can flatten the tree to a list using a pre-order or in-order traversal, given by functionspre andin below:

pre Nul = [] -- (PR1)

pre (Node a t1 t2) = (a : (pre t1)) ++ (pre t2) -- (PR2)

in Nul = [] -- (IN1)

in (Node a t1 t2) = (in t1) ++ (a : (in t2)) -- (IN2)

Prove the following property:

count(pre t) = count(in t)

You may use the result you proved in Part (a) of this question:

count(xs ++ ys) = (count xs) + (count ys) -- (LEMMA1)

(i) State and prove the base case goal.

QUESTION 2(b)(i) [1 mark]

Base case: t = NulShow thatcount(pre Nul) = count(in Nul)

Proof:count(pre Nul)

= count [] -- by (PR1)= count(in Nul) -- by (IN1)


(ii) State the inductive hypotheses.

QUESTION 2(b)(ii) [1 mark]for the step caset = Node a t1 t2:

count(pre t1) = count(in t1) -- (IH1)count(pre t2) = count(in t2) -- (IH2)

(iii) State and prove the step case goal.

QUESTION 2(b)(iii) [5 marks]

Step case: (for t = Node a t1 t2)Assuming the inductive hypotheses (IH1) and (IH2) as above,provecount(pre (Node a t1 t2)) = count(in (Node a t1 t2))

Proof:count(pre (Node a t1 t2))

= count (a : (pre t1) ++ (pre t2)) -- by (PR2)= count (a : (pre t1)) + count(pre t2) -- by (LEMMA1)= 1 + count (pre t1) + count (pre t2) -- by (C2)= 1 + count (in t1) + count (pre t2) -- by (IH1)= 1 + count (in t1) + count (in t2) -- by (IH2)= count (in t1) + 1 + count (in t2) -- by arithmetic= count (in t1) + count (a : (in t2)) -- by (C2)= count ((in t1) ++ a : (in t2)) -- by (LEMMA1)= count (in (Node a t1 t2)) -- by (IN2)


QUESTION 3 [12 marks] (Hoare Logic)

(a) The following algebraicequivalencewill be useful in both this section, and the next sec-tion on Weakest Precondition Calculus. You may use it at any time, regardless of whetheryou succesfully answer this question, so long as you explictly refer to it as ‘Lemma’.

Prove, using standard algebraic manipulations, that

t + x =

(x + 8− 4

4

)2

⇔ t =

(x − 4

4

)2


t + x =(

x+8−44

)2

=(

x+44

)2

= x2+8x+1616

⇔ t + 16x16

= x2+8x+1616

⇔ t = x2+8x+1616

− 16x16

= x2−8x+1616

=(

x−44

)2

Consider the following code fragment:

t := 1;

x := 0;

while (x 6= 8 * n) do

t := t + x;

x := x + 8

}Body

Loop

OddSquare

We wish to use the rules ofHoare Logic(Appendix 3) to show that the value oft, if and whenthis code terminates, will be then’th odd square. That is, we will try to prove

{True} OddSquare {Post}.

where

Post ≡ ( t = (2n − 1)2 )

You may assume that all variables are typed integer. In the questions below we will refer to thecode fragment asOddSquare, to the loop code asLoop, and to the body of the loop asBody.Make sure that every step of your proof is numbered, and is justified by citing the rule, andany previous proof steps, that you are using.


(b) We will need an invariant forLoop. We suggest

Inv ≡ ( t =

(x − 4

4

)2

).

Prove that

{Inv} Body {Inv}.


1. {t =

(x + 8− 4

4

)2

} x := x+ 8 {Inv} (Asst.)

2. {t + x =

(x + 8− 4

4

)2

} t := t+ x {t =

(x + 8− 4

4

)2

} (Asst.)

3. {Inv} t := t+ x {t =

(x + 8− 4

4

)2

} (Lemma, Precond. Equiv.)

4. {Inv} Body {Inv} (1,3, Seq.)

(c) Using part (b), prove that

{Inv} Loop {Post}.


5. (Inv ∧ x 6= 8 ∗ n)⇒ Inv (Basic Logic)

6. {Inv ∧ x 6= 8 ∗ n} Body {Inv} ((b),5, Precond. Strength.)

7. {Inv} Loop {Inv ∧ x = 8 ∗ n} (6, While)

8. (Inv ∧ x = 8 ∗ n)⇒ Post (Basic Math.)

9. {Inv} Loop {Post} (7,8, Postcond. Weak.)

COMP2600 (Formal Methods for Software Engineering) of 30

(d) Using part (c), prove that

{True} OddSquare {Post}.

QUESTION 1(d) [3 marks]

10. {t =

(0− 4

4

)2

} x := 0 {Inv} (Asst.)

11. {1 =

(0− 4

4

)2

} t := 1 {t =

(0− 4

4

)2

} (Asst.)

12. {True} t := 1 {t =

(0− 4

4

)2

} (11, Precond. Equiv.)

13. {True} t := 1; x := 0 {Inv} (10,12, Seq.)

14. {True} OddSquare {Post} (13,(c), Seq.)


QUESTION 4 [12 marks] (Weakest Precondition Calculus)

As with the previous question, we will consider the code fragmentOddSquare:

t := 1;

x := 0;

while (x 6= 8 * n) do

t := t + x;

x := x + 8

}Body

Loop

OddSquare

We will use the rules of theWeakest Precondition Calculus(Appendix 4) to calculate

wp(OddSquare, t = (2n − 1)2).

As in the previous question we will use the abbreviationsLoop andBody for the indicated partsof the code. You may continue to make use of the lemma from part(a) of the previous questionby referring to it explicitly as ‘Lemma’.Remember to simplify your answers wherever possible,and show all your working when you do so.

(a) We will want to calculate

wp(Loop, t = (2n − 1)2).

First, prove thatP0 (the predicate expressing success for this weakest precondition afterzero loop iterations) is equal to

x = 8n ∧ t =

(x − 4

4

)2


P0 ≡ ¬ (x 6= 8 ∗ n) ∧ t = (2n − 1)2

≡ x = 8 ∗ n ∧ t =(2 ∗

x8− 1

)2

≡ x = 8n ∧ t =(x4− 1

)2

≡ x = 8n ∧ t =

(x4−

4

4

)2

≡ x = 8n ∧ t =

(x − 4

4

)2


(b) CalculateP1 (the predicate expressing success after one loop iteration).


P1 ≡ x 6= 8n ∧ wp(Body,P0)

≡ x 6= 8n ∧ wp(t := t+ x, wp(x := x+ 8,P0))

≡ x 6= 8n ∧ wp(t := t+ x, x + 8 = 8n ∧ t =

(x + 8− 4

4

)2

)

≡ x 6= 8n ∧ x + 8 = 8n ∧ t + x =

(x + 8− 4

4

)2

)

≡ x + 8 = 8n ∧ t =

(x − 4

4

)2

(x 6= 8n can be eliminated because we know thatx+8 = 8n. The simplificationon the right is the lemma from Question 2.)

(c) Hence suggest (without proof) an expression forPk (the predicate expressing success afterk loop iterations) that holds for allk ≥ 0.

QUESTION 4(c) [1 mark]

Pk ≡ x + 8k = 8n ∧ t =(

x−44

)2

(d) Given your answer to part (c), state

wp(Loop, t = (2n − 1)2).

Do not attempt any simplification at this stage.

QUESTION 4(d) [1 mark]

∃ k. k ≥ 0 ∧ Pk

≡ ∃ k. k ≥ 0 ∧ x + 8k = 8n ∧ t =(

x−44

)2


(e) Hence find

wp(OddSquare, t = (2n − 1)2).

State this result in the simplest form possible.

QUESTION 4(e) [3 marks]

wp(OddSquare, t = (2n − 1)2)

≡ wp(t := 1, wp(x := 0, wp(Loop, t = (2n − 1)2)

≡ wp(t := 1, ∃ k. k ≥ 0 ∧ 0 + 8k = 8n ∧ t =(0−44

)2)

≡ ∃ k. k ≥ 0 ∧ 0 + 8k = 8n ∧ 1 =(0−44

)2)

≡ ∃ k. k ≥ 0 ∧ k = n ∧ True

≡ n ≥ 0

(f) Given any code fragmentS and assertionQ, does it always hold that

wp(S,¬ Q) ⇔ ¬ wp(S,Q) ?

If you answeredyes, give a short explanation in plain English (not a formal proof). Ifyou answeredno, give a counter-example (you do not need to formally prove that it is acounter-example).

QUESTION 4(f) [2 marks]

No.

Let S be a program that never terminates, e.g.while False do x:=x. Let QbeFalse.

(thenwp(S,¬ Q) ≡ wp(S, True) ≡ False;

but¬ wp(S,Q) ≡ ¬ wp(S,False) ≡ ¬ False ≡ True.)


QUESTION 5 [12 marks] (Finite State Automata)

(a) Consider the deterministic finite state automatonA:

��

S0- -a, b

��

S1��

�a

-b ��

��S2

� a, b

Define a new deterministic finite state automaton that accepts the same language asA butis minimal.QUESTION 5(a) [2 marks]

��

S0- -a, b

��

S1��

�a, b

(S0 andS2 are minimal;S0 is the start state so cannot be removed, so we removeS2 and redirect the arc intoS2 to go toS0.)

(b) Consider the deterministic finite state automatonB:

��

S0-��

��?

u

-d

��

S1��

��?

d

-u

��

S2��

-d

�@I u ��

S3

��?

d, u

Give a fully rigorous proof that any string of the formα d u d β, whereα, β are arbitrarystrings in{d, u}∗, is not accepted byB.

You may use without proof thelemma

N∗(S3, β) = S3 for all β ∈ {d, u}∗

as long as you are explicit about when you are using it.



We will prove thatN∗(S0, α d u d β) = S3, asS3 is the only non-final state.

By the append theoremN∗(S0, α d u d β) = N∗(N∗(S0, α), d u d β).

We cannot know whatN∗(S0, α) is, so we will try every possibility:

N∗(S0, d u d β) = N∗(S1, u d β) = N∗(S2, d β) = N∗(S3, β) = S3 (lemma).N∗(S1, d u d β) = N∗(S1, u d β) = N∗(S2, d β) = N∗(S3, β) = S3 (lemma).N∗(S2, d u d β) = N∗(S3, u d β) = S3 (lemma).N∗(S3, d u d β) = S3 (lemma).

So no matter what stateN∗(S0, α) is, we end up inS3 as required.

(c) Consider the right-linear grammar

S0 → aS0 | bS0 | aS1

S1 → a | b

Using the algorithm given in lectures, draw a (non-deterministic) finite state automatonthat accepts the same language.


��

S0-

��?

a, b

-a

��

S1-a, b

��

Sf��


(d) Describe the language that the grammar and non-deterministic finite state automaton ofquestion (c) accept.

Your answer may be in mathematical notation or plain English. Formal proof of yourclaim is not required.

QUESTION 5(d) [1 mark]

Strings over{a, b} whose last-but-one token is ana.

(e) Using thesubset constructionalgorithm, derive adeterministicfinite state automatonfrom the non-deterministic automaton you gave as your answer to question (c).

Be clear about how states of your deterministic automaton arederived from states of theoriginal non-deterministic automaton.

QUESTION 5(e) [3 marks]

��

S0-

��?

b

-a

��

S01

?

a

��

��

��

��

b

��

S0f��

6

b

��

��

��

a

��

S01f�� a�

b


QUESTION 6 [10 marks] (Context-Free Languages)

Let L be the language

{an b an | n ≥ 0}

(a) Give a clear explanation whyL is not a regular language.

Your explanation should be in English; a rigorous mathematical proof is not necessary.


A finite state automata forL would need to keep track of how manya’s it hasread. But the only ‘memory’ a FSA has are its finitely many states, so it cannotpossibly keep count of arbitrarily long strings ofa’s.

(b) Give acontext-free grammarthat generatesL.

UseS as the start symbol of your grammar.


S −→ a S a | b


(c) Using the algorithm given in lectures, convert the context-free grammar you defined in(b) into a description of apush-down automaton.Useq0 as your start state,Z as the initial stack symbol, and indicate your final states byunderlining them. The first transition is given for you.


δ(q0, ǫ, Z) = q1 / S Z

δ(q1, ǫ, S) = q1 / a S a

δ(q1, ǫ, S) = q1 / b

δ(q1, a, a) = q1 / ǫ

δ(q1, b, b) = q1 / ǫ

δ(q1, ǫ, Z) = q2 / ǫ

(d) The algorithm used for question (c) produces anon-deterministicpush-down automaton.Design adeterministicpush-down automaton that recognisesL.

Useq0 as your start state,Z as the initial stack symbol, and underline any final states.

(Note: this machine needs to be designed from scratch, so youmay be able to answerthis question even if you did not answer questions (b) and (c).)


δ(q0, a, Z) = q0 / a Z

δ(q0, a, a) = q0 / a a

δ(q0, b, Z) = q2 / ǫ (to accept immediately if string isb)

δ(q0, b, a) = q1 / a

δ(q1, a, a) = q1 / ǫ

δ(q1, ǫ, Z) = q2 / ǫ


QUESTION 7 [6 marks] (Turing Machines)

The Turing machineM below, previously given in lectures,

• accepts any binary number (non-empty string over{0, 1}) and increments it by one;

• accepts the empty stringǫ and outputs1;

• rejects any other string:

��

S0-

��?

00,R

11,R

-

ΛΛ,L

��

S1

��?

10,L

-

Λ1,S

01,S ��

��S2��

��

(a) Give a full trace that shows the action of the machineM on the input101.

QUESTION 7(a) [1 mark]

[S0]101 ⇒ 1[S0]01

⇒ 10[S0]1

⇒ 101[S0]Λ

⇒ 10[S1]1

⇒ 1[S1]00

⇒ 1[S2]10

(b) Design a Turing machine that takes as input strings of the form

# 1 1 . . . 1︸︷︷︸n

for n > 0, and returns as output

k #

wherek is thebinary representation ofn.In other words, this machine should convertunary numbers into binary numbers. The# symbol is simply there to help your machine separate your input and output as you go.For this question you do not need to worry about the case that the input is not in theexpected form, e.g. if it is empty, or contains0’s; you will be marked correct if yourmachine works correctly on the expected input.(Hint: you may like to re-use parts of the Turing machine M.)



��

T0-

��?

11,R

00,R

#

#,R

-ΛΛ,L

��

T1��

?

1Λ,L

��

T3

��610,L

6

Λ1,S

01,S

��

T2�� 1

1,L�

#

#,L

• StateT0 moves the head to the far right of the tape; corresponds to stateS2

of the machineM.

• StateT1 deletes the furthest right1 if it can. If it cannot (i.e. if there areno1’s and it reads a#) it halts accepting.

• StateT2 moves the head left over the# to be at the far right of the binarynumber; corresponds to stateS0 of M.

• StateT3 increments the binary number; corresponds to stateS1 of M.


QUESTION 8 [16 marks] (Specification in Z)

The system,CarInsurance, that is partially modelled in this question is one where a companyinsures cars, writing insurance policies with individual owners. Each policy is for one car, ofsome model (which includes make and year), that is owned by a particular person of known age.The annual premium is set on the basis of the car’s model, the owner’s age and sex, togetherwith the number of years insured.

[Car][Model][Person]

Age == {15 . . 90}

Sex ::= male | female

sexOf : Person → Sex

Policycar : Modelowner : Personage : AgeyearsWithoutClaim : N

noClaimBonus : N → R

modelOfCar : Car → Model

CarInsurancepolicies : PPolicybasicPremium : Model 7→ R

riskFactor : (Model × Age × Sex) 7→ R

∀m : Model • basicPremium(m) > 0∀m : Model, a : Age, s : Sex •

riskFactor(m, a, s) ≥ 1.0∀ p1, p2 : Policy •((p1.owner = p2.owner) ∧ (p1.age > p2.age))

⇒ (p1.age − p2.age) ≤ 1

(a) In the above prelude to the specification of operations and queries, which identifiers are

(i) the given types,

(ii) the introduced types?

QUESTION 8(a) [1 mark]

1. The given types areCar, Model andPerson.2. The introduced types areAge, Sex andPolicy.

(b) In the above prelude to the specification of operations and queries, which identifiers are

(i) the introduced constants (both defined and axiomatically introduced),(ii) the global variables for the system?

QUESTION 8(b) [1 mark]

1. The introduced constants aresexOf , noClaimBonus, modelOfCar, male andfemale.2. The global variables arepolicies, basicPremium andriskFactor.


(c) Why are the global variablesbasicPremium andriskFactor declared aspartial functions?

QUESTION 8(c) [1 mark]

It is unlikely that the insurance company will want to determine the basicpremiums and risk factors forall models of cars.

(d) Describe in simple terms what the third system invariant says.


The age of a client should not differ in two of his/her policies by more thana year.

(e) There is a system invariant missing. It is that no car should appear in two policies.Suggest, using Z notation, a suitable extra invariant for the state schema.

QUESTION 8(e) [1 mark]

∀ p1, p2 : Policy • {p1, p2} ⊂ policies ⇒(p1.car = p2.car) ⇒ (p1 = p2)

(f) Write the predicate part of theInitial schema for this system.

QUESTION 8(f) [1 mark]

policies := ∅

basicPremium := ∅

riskFactor := ∅

(g) Write a schema for the enquiry,InvoiceAmount, which yields in variablepremium! theamount the client will be charged for the coming year on policy p?.The premium to be computed is the product of the basic premium, the risk factor and theno-claim-bonus (which depends on the number of years with noclaims).

QUESTION 8(g) [1 mark]

InvoiceAmountΞCarInsurancep? : Policypremium! : R

premium′ = basicPremium(modelOfCar(p?.car))∗ riskFactor(p?.car, p?.age, sexOf (p?.owner))∗ noClaimBonus(p?.yearsWithoutClaim)


(h) The following schema specifies the operation of an existing client renewing his/her insur-ance policy for a particular car. It has a problem.

RenewPolicyo

∆CarInsurancep? : PolicynewPolicy : Policy

p? ∈ policiesnewPolicy.car = p?.carnewPolicy.owner = p?.ownernewPolicy.age = p?.age + 1newPolicy.yearsWithoutClaim = p?.yearsWithoutClaim + 1policies′ = policies \ {p?} ∪ {newPolicy}riskFactor′ = riskFactor

(i) What is the problem in this schema? How do you fix it?

QUESTION 8(i) [1 mark]

There is no postcondition for the final value of the state variablebasicPremium.The following should be added:

basicPremium′ = basicPremium

(j) Write an operation schema,RaisePremium, that increases the basic premium of all modelsby 1 percent.

QUESTION 8(j) [2 marks]

RaisePremium∆CarInsurance

policies′ = policies∀m : Model • m ∈ dom(basicPremium) ⇒

basicPremium′(m) = basicPremium(m) ∗ 1.01riskFactor′ = riskFactor


(k) Write a schema,NumberOfOwners, specifying an enquiry that gives the number of carowners with policies currently held; the output variable should beownerCount!.

QUESTION 8(k) [2 marks]

NumberOfOwnersΞCarInsuranceownerCount! : N

owners : PPerson

∀ x : Person • x ∈ owners ⇔∃ p : Policy • p ∈ policies ∧ x = p.owner

ownerCount! = #owners

(l) Write a schemaNewPolicyo that specifies the operation of creating a new car insurancepolicy for a client.Hint: Adapt the schemaRenewPolicyo. You will need to define some different variablesand write some different postconditions.

QUESTION 8(l) [3 marks]

NewPolicyo

∆CarInsurancecar? : Carage? : Ageowner? : PersonnewPolicy : Policy

∀ p : Policy • (p ∈ policies) ⇒ car? 6= p.carnewPolicy.car = car?newPolicy.owner = owner?newPolicy.age = age?newPolicy.yearsWithoutClaim = 0policies′ = policies ∪ {newPolicy}basicPremium′ = basicPremiumriskFactor′ = riskFactor


QUESTION 9 [8 marks] (Choice ofone of two topics)

(a) Lambda Calculus and Prolog

(b) Computability

Attempt just ONE of the two parts (a) or (b) of this question (noting that some parts haveseveral subparts, totalling 8 marks). (If you start to writeanswers to more than one part, indicateCLEARLY which one is to be marked).

(a) Lambda Calculus and Prolog

(i) Useα-conversion to change the following to an equivalent expression in which dis-tinct bound variables are represented by different letters:

(λ a. λ b. (λ a. (λ a. b) (λ b. (λ a. a) b)) a)

QUESTION 9(a)(i) [1 mark]

(λ a. λ b. (λ a. (λ a. b) (λ b. (λ a. a) b)) a)

The easy bits underlined!

= (λ a. λ b. (λ f . (λ c. b) (λ e. (λ d. d) e)) a)

(ii) Reduce the following expression to normal form, showingeach step in the reduction:

(λm. λ n. n m) (λ s. λ z. s (s z)) (λ s. λ z. s z)

QUESTION 9(a)(ii) [2 marks]

(λm. λ n. n m)(λ s. λ z. s (s z))(λ s. λ z. s z)= (λ n. n (λ s. λ z. s (s z)))(λ s. λ z. s z)= (λ s. λ z. s z)(λ s. λ z. s (s z))= (λ z. (λ s. λ z. s (s z))z)= (λ s. (λ z. s (s z)))


PROLOG Questions

The following items constitute the fact database in a Prologprogram:uses(sue, java)uses(tom, java)uses(ann, perl)uses(tom, perl)

(iii) Give a goal appropriate to finding programmers using both Java and Perl.

QUESTION 9(a)(iii) [1 mark]

uses(X, java), uses(X, perl)

(iv) Describe what happens during execution of this goal; your description should haveenough detail to include an account of the backtracking involved, and to give theresult(s) of the goal.

QUESTION 9(a)(iv) [2 marks]

• uses(sue, java) matches uses(X, java) leading to subgoal uses(sue, perl)which fails.

• uses(tom, java) then matches uses(X, java) leadingto subgoal uses(tom, perl) which succeeds.So first answer is X=tom

• Nothing else matches uses(X, java) so the main goal finally fails.Thus no more answers.

(v) Theusesall relation between a programmer and a list of languages succeeds if theprogrammer uses all the languages in the list. For example:

usesall(tom, [java, perl])is satisfied given the above database.Give rules (one of which will be recursive) to implement theusesall relation.(Recall that[X|Xs] is the Prolog equivalent of the Haskell notation(x:xs). Thus[X|Xs] matches[1,2,3,4] by settingX = 1 andXs = [2,3,4].)

QUESTION 9(a)(v) [2 marks]

usesall(X,[ ]).usesall(X, [Y| Ys]) :- uses(X,Y), usesall(X, Ys).


(b) Computability

(i) In this course you have learned that certain types of abstract machine correspondexactly to certain types of language. For example,finite state automatacorrespondto regular languages.What type of abstract machine corresponds exactly to therecursive languages?

QUESTION 9(b)(i) [1 mark]Total Turing Machines (i.e. TMs thatalways halt).

(ii) Let U be theuniversal Turing machinethat takes as input pairs(M,w), whereM isan (encoded) Turing machine andw is any string, and then acts asM would onw.Let L(U) be the language ofU, i.e. the pairs(M,w) for which M acceptsw.Prove thatL(U) is not a recursive language.

QUESTION 9(b)(ii) [7 marks]Suppose for contradiction that there exists a total Turing MachineN thatacceptsL(U).

Let P be a Turing Machine that takes as input encoded Turing MachinesMand(a) accepts ifN halts rejecting(M,M);(b) halts rejecting ifN accepts(M,M).

DoesP acceptP?

Yes –thenN rejects(P,P), soP rejectsP – contradiction;No – thenN accepts(P,P), soP acceptsP – contradiction.

Either way we have a contradiction, soP cannot exist.

But P was derived in a straightfoward manner fromN, soN cannot exist.


Additional answers. Clearly indicate the corresponding question and part.

Additional answers. Clearly indicate the corresponding question and part.


Appendix 1 — Natural Deduction Rules

Propositional Calculus

(∧ I)p q

p ∧ q(∧ E)

p ∧ q

p

p ∧ q

q

(∨ I)p

p ∨ q

p

q ∨ p(∨ E)

[p] [q]...

...

p ∨ q r r

r

(⇒I)

[p]...

q

p ⇒ q(⇒E)

p p ⇒ q

q

(¬I)

[p]...

q ∧ ¬q

¬p(¬E)

[¬p]...

q ∧ ¬q

p

Predicate Calculus

(∀ I)P(a) (a arbitrary)

∀ x. P(x)(∀E)

∀ x. P(x)

P(a)

(∃ I)P(a)

∃ x. P(x)(∃E)

∃ x. P(x)

[P(a)]...q (a arbitrary)

q (a is not free inq)

COMP2600 (Formal Methods for Software Engineering) — Additional material

Appendix 2 — Truth Table Values

p q p ∨ q p ∧ q p ⇒ q ¬ p p ⇔ qT T T T T F TT F T F F F FF T T F T T FF F F F T T T


Appendix 3 — Hoare Logic Rules

• Precondition Strengthening:

Ps ⇒ Pw {Pw} S {Q}

{Ps} S {Q}

• Postcondition Weakening:

{P} S {Qs} Qs ⇒ Qw

{P} S {Qw}

• Assignment:

{Q(e)} x := e {Q(x)}

• Sequence:

{P} S1 {Q} {Q} S2 {R}{P} S1; S2 {R}

• Conditional:

{P ∧ b} S1 {Q} {P ∧ ¬ b} S2 {Q}

{P} if b then S1 elseS2 {Q}

• While Loop:

{P ∧ b} S {P}{P} while b do S {P ∧ ¬ b}

Appendix 4 — Weakest Precondition Rules

wp(x := e, Q(x)) ≡ Q(e)

wp(S1; S2, Q) ≡ wp(S1,wp(S2, Q))

wp(if b then S1 else S2, Q) ≡ (b ⇒ wp(S1, Q)) ∧ (¬ b ⇒ wp(S2, Q))

≡ (b ∧ wp(S1, Q)) ∨ (¬ b ∧ wp(S2, Q))

Pk is the weakest predicate that must be true before whileb do S executes, in order for the loopto terminate after exactlyk iterations in a state that satisfiesQ.

P0 ≡ ¬ b ∧ Q

Pk+1 ≡ b ∧ wp(S,Pk)

wp(while b do S, Q) ≡ ∃ k. (k ≥ 0 ∧ Pk)


Appendix 5 — Short Glossary of Mathematical Symbols in Z

Logic

∧ conjunction ∀ for all ⇒ implies∨ disjunction ∃ there exists ⇔ if and only if¬ negation B type boolean

Sets

∅ empty set ⊆ subset × cartesian product{ } empty set ⊇ superset P power set∈ in set ∪ set union # set size6∈ not in set ∩ set intersection . . up to (as in{1 . . 7})min smallest in set max greatest in set N natural numbers

Relations and Functions

↔ relation dom domain ⊳ domain restriction→ total function ran range ⊲ range restriction7→ partial function R−1 inverse of R7→ maplet R(| S |) image of set S under R

Schemas

∆ indicates operation Ξ indicates enquiry =̂ schema definition


with some sample...

Documents