A THREE-BALL
GAME
Implication
P   Q   P → Q
T   T   T
T   F   F
F   T   T
F   F   T
Bi-conditional (if and only if)
P   Q   P ↔ Q
T   T   T
T   F   F
F   T   F
F   F   T
P ↔ Q means (P → Q) and (Q → P)
A compound proposition that is always true, irrespective of the truth values of the comprising propositions, is ca

Department of Computer Science, Virtual University of Pakistan
CS709: Formal Methods for Software Engineering
Assignment 3
Fall 2008
Maximum Points: 100
Submission Date: Friday, 6th February 2009
Instructions
The purpose of this assignment is to give you

Notorious Bugs BYTE, September 1995
http://www.byte.com/art/9509/sec7/art20.htm
1987 : Therac-25 The Bug that killed
Notorious Bugs BYTE, September 1995
http://www.byte.com/art/9509/sec7/art20.htm
1990:
AT&T long distance break down
Notorious Bugs BYTE, S

Object Constraint Language
(OCL)
Types of expressions in OCL
Expressions can be used in a number of places
in a UML model:
To specify the initial value of an attribute or
association end.
To specify the derivation rule for an attribute or
association e

Algebraic Specifications
The structure of an algebraic specification
SPECIFICATION NAME <Generic Parameters>
sort <name>
imports <LIST OF SPECIFICATION NAMES>
Informal description of the sort and its operations
Operation signatures setting out the names a

New_List specification
Operation              Description
Create                 Brings a list into existence
Cons(New_list, Elem)   Adds an element to the end of the list
Add(New_list, Elem)    Adds an element to the front of the list
Head(New_List)         Returns the first eleme
Tail(New_list)

PAIR
(A with { - = - : A, A → Bool; undef : A },
 B with { - = - : B, B → Bool; undef : B })
sort Pair
constants undef : Pair
uses BOOLEAN
first : Pair → A
second : Pair → B
pair : A, B → Pair
- = - : Pair, Pair → Bool
pair(undef, undef) = undef
pair(x, y) = pair(u, v

A is a knight:
A
A eats his hat: H
If I am a knight then I'll eat my hat:
A → H
We have seen that (X S)
Therefore
(A A H)
Objective is to logically deduce H
Truth Table Columns
A
H
A → H
A (A H)
Proof Using Truth Table

Verification of Functions
Specification of a system as a set of
functions where the internal state is
hidden.
Each function is specified as a set of pre
and post conditions.
Pre-condition must hold if the post-condition is to
be true.
Example minimum
f

Loop Invariants
s := 0;
for i := 1 to n do
  s := s + a[i];
What is the loop invariant?
s is the sum of elements from a[1] to a[i] immediately before i is incremented!
Weakest Precondition for While
Statement
{P} while B do S {Q}
Let W be while B do S
c

Class Invariants
Pre-conditions and post-conditions describe the properties
of individual methods.
A class invariant is a global property of the instances of a
class, which must be preserved by all methods.
A class invariant is an assertion in the class d

jContractor
Preconditions
Naming convention
methodName_Precondition
e.g. for method X the precondition will be
X_Precondition
Returns a boolean
It has to be protected
A precondition method takes the same arguments as the method it is associated with a

Let Q be the question
Let A be the native is a knight
Let L be the left fork leads to the restaurant
The response to the question Q is "yes" is equivalent t

Associativity of Equivalence
A ≡ B ≡ C
can be evaluated as
(A ≡ B) ≡ C
or
A ≡ (B ≡ C)
Even and odd numbers
m+n is even ≡ m is even ≡ n is even
m+n is even ≡ (m is even ≡ n is even)
A ≡ B ≡ C
A   B   C   A ≡ B   (A ≡ B) ≡ C
F   F   F   T       F
F   F   T   T       T
F   T   F   F       T
F   T   T   F       F
T