Software Engineering using Formal Methods |
TDA293/DIT270, LP1, HT2016 |
Lab 2 - Specification and Verification of Programs using KeYThis lab consists of the following three problems: Problem 1: First-Order LogicProve the validity of the following untyped first-order formula using the sequent calculus. $$(\forall x; ((r(x) \rightarrow \neg g(x)) \wedge (g(x) \rightarrow \neg r(x)))) \wedge (\forall x; \forall y; (i(x,y) \rightarrow r(x) \vee r(y))) \rightarrow (\neg \exists x; \exists y; (i(x,y) \wedge g(x) \wedge g(y))) \wedge (\exists x; \exists y; i(x,y) \rightarrow \exists z; r(z))$$ You may assume that the formula speaks about traffic lights placed at intersections, where the unary predicates r and g speak about a traffic light being red or green respectively, and the binary predicate i can be interpreted as two lights standing at the same intersection.To solve this problem you must first formulate it in a KeY problem file. As KeY does not have the notion of untyped, you must define a new sort which all predicates and variables will reference. Also define the predicates required in order to formulate the problem. Now load the file in KeY and prove it using the first-order logic rules presented during the lectures, Sequent Calculus Rules. You are NOT allowed to use any other rules. In particular letting KeY auto-prove the formula will not help you much, as the proof is vastly different and uses many rules which are forbidden. Hint: If you are generating the rules instAll and instEx through drag-and-drop, you can instead generate the allowed rules allLeft and exRight by simply dragging the formula onto the term rather than the other way around. ReportingFor Part 1 of the assignment you can save your KeY proof into a file. In KeY, once you are done with the proof, go to File and then choose Save (use as extension .proof). Problem 2: JML SpecificationsThe file NumericTextBox.java contains the unimplemented class NumericTextBox. Its methods and fields are commented, informally describing the specifications for the class. Your assignment is to formalize these specifications using JML. Please read the entire Java file, especially the comments, before starting. You do not need to implement or prove anything.Problem 3: Verification with KeYThe class BinarySearch that can be found in the file BinarySearch.java contains an array of numbers which it searches for a query using the binary search algorithm. Some implementations and JML-specifications are given already. In this task you will practise verification with KeY.Task 3.1: Normal BehaviourVerify with KeY that the method performBinarySearch meets its specification. Make sure that "Method Treatment" under "Proof Search Strategy" is set to "None" before you start. You may have to inline methods or make use of certain method contracts to prove your goal. Furthermore, it might be necessary to use the rules AllLeft and/or ExRight. Hint 1: In order to decide whether you need to inline a method or use its contract it is useful to carefully read the contract of the method. If it is not meaningful for the proof you are carrying out then you probably will have to inline the method. On the other hand, if the contract provides useful information to close the proof you will need apply the contract. Hint 2: As mentioned earlier, you might need to use the rules AllLeft and/or ExRight. In order to find out which substitution is needed, it is important to understand which part of the proof cannot be closed. In particular, examine the labels of the branching nodes. Those are marked by a folder symbol, green for closed, and light blue for open branches. These labels give good indications about the case this branch is concerned with. To get a better intuition about the case at hand, it is good to relate this information to the original Java/JML file.Inlining methods or using contracts
Here you have an example on how to inline a method: example Task 3.2: Exceptional BehaviourYou may have noticed that the method eliminateDuplicates does not meet its specification for the exceptional behaviour case. Change the implementation of the eliminateDuplicates method so that it meets its specification for exceptional behaviour and verify that this is indeed the case. You may modify the setting for method treatment to any option of your choice for this task. Hint: It might be possible that you have to switch the method treat "Method Treatment" under "Proof Search Strategy" from "None" to "Contract".Task 3.3: InvariantsThe class Drawing that you can find in the file Drawing.java contains a two-dimensional array that models a canvas onto which lines can be drawn. When a point is coloured, the corresponding entry in the array is set to true. The class has two invariants. One specifies that the canvas must be square and one specifies that every coloured point on the canvas must be part of either a horizontal or a vertical line. The proof of every method contract also automatically includes the invariants as assumptions and as proof goals. Thus, showing any method contract also includes proving that the respective method preserves the invariants. We will now take a closer look at proving invariants by proving contracts without postconditions so that the proof obligations are reduced to the preservation of invariants.In this task you will verify two such contracts. Before you start, toggle in the toolbar the (green) "aggregation of simplification rules", and make sure that both "Method Treatment" and "Loop Treatment" under "Proof Search Strategy" are set to "None". When symbolic execution reaches a call to another method, or a loop, you will have to perform interactive steps in order to continue with the proof.
Submission Guidelines
| |
Home | Course | Schedule | Exam | Exercises | Labs | Eval | Tools | W. Ahrendt, Oct 21, 2016 |