A THREE-BALL GAME
Implication

P   Q   P → Q
T   T   T
T   F   F
F   T   T
F   F   T
Bi-conditional (if and only if)

P   Q   P ↔ Q
T   T   T
T   F   F
F   T   F
F   F   T

P ↔ Q means (P → Q) ∧ (Q → P)
A compound proposition that is always true, irrespective of
Department of Computer Science, Virtual University of Pakistan
CS709: Formal Methods for software Engineering
Assignment 3
Fall 2008
Maximum Points: 100
Submission Date: Friday, 6th February 2009
Inst
Notorious Bugs BYTE, September 1995
http:/www.byte.com/art/9509/sec7/art20.htm
1987 : Therac-25 The Bug that killed
199
Object Constraint Language (OCL)
Types of expressions in OCL
Expressions can be used in a number of places in a UML model:
To specify the initial value of an attribute or association end.
To specif
Algebraic Specifications
The structure of an algebraic specification
SPECIFICATION NAME <Generic Parameters>
sort <name>
imports <LIST OF SPECIFICATION NAMES>
Informal description of the sort and its
New_List specification

Operation              Description
Create                 Brings a list into existence
Cons(New_list, Elem)   Adds an element to the end of the list
Add(New_list, Elem)    Adds an element to the front of the list
PAIR
  (A with { _ = _ : A, A → Bool; undef : A },
   B with { _ = _ : B, B → Bool; undef : B })
sort Pair
constants undef : Pair
uses BOOLEAN
first  : Pair → A
second : Pair → B
pair   : A, B → Pair
_ = _  : Pair, Pair
A is a knight: A
A eats his hat: H
If I am a knight then I'll eat my hat: A → H
We have seen that (X ↔ S)
Therefore (A ↔ (A → H))
Objective is to logically deduce H
Truth
Verification of Functions
Specification of a system as a set of
functions where the internal state is
hidden.
Each function is specified as a set of pre
and post conditions.
Pre-condition must hold
Loop Invariants
s := 0;
for i := 1 to n do
    s := s + a[i];
What is the loop invariant?
s is the sum of elements from a[1] to a[i] immediately before i is incremented!
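An added example, not from the course slides: the slide's loop written in Python with the invariant asserted at exactly the point the slide names (immediately before i is incremented), and next to it a faulty 0-based translation of the same loop with the invariant checked after every step. `loop_sum` and `first_invariant_violation` are names chosen here, and the lists used to exercise them are constructed.

```python
from typing import List, Optional


def loop_sum(a: List[int]) -> int:
    """The slide's loop  s := 0; for i := 1 to n do s := s + a[i]
    with the loop invariant asserted where the slide states it."""
    n = len(a)
    s = 0
    for i in range(1, n + 1):        # i = 1..n as on the slide; Python's a[i-1] is the slide's a[i]
        s = s + a[i - 1]
        # Invariant, immediately before i is incremented: s == a[1] + ... + a[i]
        assert s == sum(a[:i]), f"invariant violated at i={i}"
    # On exit i has run through n, so invariant plus exit condition give the
    # postcondition s == a[1] + ... + a[n]
    assert s == sum(a)
    return s


def first_invariant_violation(a: List[int]) -> Optional[int]:
    """A faulty translation of the slide's loop into 0-based indexing: keeping
    'for i := 1 to n' literally skips a[0] (deliberate bug for illustration).
    Checks the 0-based form of the invariant, s == a[0] + ... + a[i], after
    each step and returns the first i at which it fails, or None if the check
    never fires for this input."""
    n = len(a)
    s = 0
    for i in range(1, n):            # BUG (deliberate): should be range(n)
        s = s + a[i]
        if s != sum(a[:i + 1]):
            return i
    return None
```

The second function shows why an invariant has to be proved for every input rather than spot-checked on a few: on [3, 1, 4, 1, 5] the check fires at i = 1, but on [0, 7, 1] the skipped element is 0 and the invariant happens to hold at every step, so the off-by-one goes unnoticed. Loops of exactly this shape, one index off from the data they walk, are where over-reads and over-writes of buffers come from, which is why the proof obligation matters beyond correctness.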
Weakest Precondition for While
State
Class Invariants
Pre-conditions and post-conditions describe the properties of individual methods.
A class invariant is a global property of the instances of a class, which must be preserved by all me
jContractor
Preconditions
Naming convention: methodName_Precondition
e.g. for method X the precondition will be X_Precondition
Returns a boolean
It has to be protected
A precondition method takes t
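The Verification of Functions, Class Invariants and jContractor passages above, as one added Python example that is not jContractor (a Java tool) and not part of the course material: a class decorator `contracts` wires each public method to companion methods found by the same naming convention (`X_Precondition`, `X_Postcondition`) and checks a class invariant before and after every public method. The invariant method name `_Invariant`, the postcondition signature (result first, then the method's own arguments), the `BoundedStack` class and the `violation` helper are assumptions made here for illustration; Java's `protected` requirement has no counterpart in Python.

```python
import functools


class ContractViolation(AssertionError):
    """Raised when a precondition, postcondition or class invariant fails."""


def _checked(name, fn, pre, post, inv):
    """Wrap method fn so that invariant, precondition and postcondition are checked
    around it. pre/post/inv are the raw functions found on the class, or None."""
    @functools.wraps(fn)
    def wrapper(self, *args, **kwargs):
        if inv is not None and not inv(self):
            raise ContractViolation(f"invariant broken before {name}")
        if pre is not None and not pre(self, *args, **kwargs):
            raise ContractViolation(f"{name}_Precondition failed")
        result = fn(self, *args, **kwargs)
        # assumed postcondition signature: (self, result, *method_args)
        if post is not None and not post(self, result, *args, **kwargs):
            raise ContractViolation(f"{name}_Postcondition failed")
        if inv is not None and not inv(self):
            raise ContractViolation(f"invariant broken after {name}")
        return result
    return wrapper


def contracts(cls):
    """Class decorator: for every public method X, look up X_Precondition and
    X_Postcondition by name (the jContractor convention) and _Invariant (assumed
    name for the class invariant), and replace X with the checked wrapper."""
    inv = cls.__dict__.get("_Invariant")
    for name, fn in list(cls.__dict__.items()):
        if name.startswith("_") or not callable(fn):
            continue
        if name.endswith("_Precondition") or name.endswith("_Postcondition"):
            continue
        pre = cls.__dict__.get(f"{name}_Precondition")
        post = cls.__dict__.get(f"{name}_Postcondition")
        setattr(cls, name, _checked(name, fn, pre, post, inv))
    return cls


@contracts
class BoundedStack:
    """Illustrative class: a stack that may never hold more than capacity items."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.items = []

    def _Invariant(self):
        return 0 <= len(self.items) <= self.capacity

    def push_Precondition(self, x):
        return len(self.items) < self.capacity

    def push(self, x):
        self.items.append(x)

    def push_Postcondition(self, result, x):
        return self.items[-1] == x

    def pop_Precondition(self):
        return len(self.items) > 0

    def pop(self):
        return self.items.pop()

    def overfill(self):
        # Deliberately buggy: bypasses push and writes past capacity, so the
        # invariant check after the call is what catches it
        self.items.extend([None] * (self.capacity + 1))


def violation(thunk):
    """Run thunk; return the ContractViolation message, or None if all contracts held."""
    try:
        thunk()
    except ContractViolation as e:
        return str(e)
    return None
```

The invariant is checked both before and after each public method, so once `overfill` has broken it, the very next call (even a correct `push`) is rejected before running: the object is reported as corrupt rather than quietly operated on. That is the practical value of a class invariant over per-method pre- and postconditions alone.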
Let Q be the question
Let A be the native is a knight
Let L be the left fork leads to the restaurant
Associativity of Equivalence
A ↔ B ↔ C
can be evaluated as
(A ↔ B) ↔ C
or
A ↔ (B ↔ C)
Even and odd numbers
m+n is even ↔ m is even ↔ n is even
m+n is even ↔ (m is even ↔ n is even)
A ↔ B ↔ C
A
B
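The implication and bi-conditional tables, the identity P ↔ Q means (P → Q) ∧ (Q → P), the knight-and-hat deduction of H from A ↔ (A → H), the associativity of ↔ and the even/odd identity above, all checked mechanically in an added Python example that is not part of the course material. `truth_table`, `tautology`, `entails` and the named check functions are names chosen here; as a contrast the slides do not draw, `implication_is_associative` shows that → does not share the associativity of ↔. The even/odd identity is checked by enumeration over a finite range, which is evidence, not the proof.

```python
from itertools import product


def implies(p: bool, q: bool) -> bool:
    """P → Q: false only when P is true and Q is false."""
    return (not p) or q


def iff(p: bool, q: bool) -> bool:
    """P ↔ Q: true exactly when both sides have the same truth value."""
    return p == q


def truth_table(names, expr):
    """All rows of expr over the variables in names, in the slides' T-first order,
    as a list of (assignment, value) pairs."""
    rows = product((True, False), repeat=len(names))
    return [(vals, expr(*vals)) for vals in rows]


def tautology(names, expr) -> bool:
    """expr is true in every row of its truth table."""
    return all(value for _, value in truth_table(names, expr))


def entails(names, premise, conclusion) -> bool:
    """premise ⊨ conclusion: the conclusion holds in every row where the premise holds."""
    return all(conclusion(*vals) for vals, holds in truth_table(names, premise) if holds)


def biconditional_as_two_implications() -> bool:
    # P ↔ Q  means  (P → Q) ∧ (Q → P)
    return tautology("PQ", lambda p, q: iff(iff(p, q), implies(p, q) and implies(q, p)))


def equivalence_is_associative() -> bool:
    # (A ↔ B) ↔ C  and  A ↔ (B ↔ C) agree in every row
    return tautology("ABC", lambda a, b, c: iff(iff(iff(a, b), c), iff(a, iff(b, c))))


def implication_is_associative() -> bool:
    # Contrast: (A → B) → C and A → (B → C) differ when A, B and C are all false
    return tautology("ABC", lambda a, b, c: iff(implies(implies(a, b), c),
                                                 implies(a, implies(b, c))))


def knight_eats_hat() -> bool:
    # A says "if I am a knight then I'll eat my hat": premise A ↔ (A → H), conclusion H
    return entails("AH", lambda a, h: iff(a, implies(a, h)), lambda a, h: h)


def even_identity_holds(limit: int = 50) -> bool:
    # m+n is even ↔ (m is even ↔ n is even), enumerated over -limit .. limit-1
    def even(k: int) -> bool:
        return k % 2 == 0
    return all(
        iff(even(m + n), iff(even(m), even(n)))
        for m in range(-limit, limit)
        for n in range(-limit, limit)
    )
```

`truth_table("PQ", implies)` and `truth_table("PQ", iff)` reproduce the two tables at the top of the page row for row. For the knight puzzle, `entails` finds that A ↔ (A → H) is true in exactly one row, A = T, H = T, so H follows; that is the deduction the slides set as the objective.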