CS:5810 Formal Methods in SE Midterm Oct 12, 2017

Name: Example Solution

Please read these directions but wait for the signal to begin working

• You have 75 minutes to complete the test. Do not spend too much time on any
of the problems.

• Be sure to follow all directions as to the required form of your answer.

• If you find any ambiguities in a question, resolve them to the best of your
understanding and specify how you did it.

• Answer each question in the space provided. You should not need more space.
You can use the back of pages for scratch work.

• This booklet should have 8 pages including this one. Contact the exam proctor
immediately if it does not.
1. (9 points) True/False questions
Circle T or F depending on whether you think the statement is true or false.

T F Testing can only show the presence of errors, not their absence. (T)

T F Formal methods make testing unnecessary. (F)

T F Formal methods apply only at the early stages of software development. (F)

T F Formal methods can replace infinitely many test cases. (T)

T F Formal methods can guarantee the absence of errors in an implementation. (F)

T F Formal methods can find bugs in implementations, not specifications. (F)

T F The formal specification of a software component is pointless unless it is followed by the

formal verification of that component against its specs. (F)

T F One advantage of formal verification is that it can be always fully automated. (F)

T F A formal language must have a precise syntax and semantics. (T)

T F Alloy was designed for modeling software design and code. (F)

T F The transpose operation in Alloy is idempotent, that is, ~(~r) = r for all relations r.
(T)

T F When the Alloy Analyzer fails to find an instance of a model it is always because the
constraints expressed by model are jointly unsatisfiable. (T)

T F When the Alloy Analyzer fails to disprove an assertion for a model then that assertion
holds in the model. (F)

T F In computational systems, invariant (or safety) properties are properties that we expect
to hold at all times. (T)

T F Writing and checking expected properties of a Lustre model helps us check the correct-
ness of the modeled system with respect to its intended behavior. (T)

T F Lustre is an asynchronous data flow language. (F)

T F Lustre was designed primarily to model reactive systems. (T)

T F Kind 2 is sound with respect to invariant properties: if it says that a property of a

Lustre node is invariant, then it is so. (T)

Page 2
2. (9 points) Consider the following Alloy signature

sig Person { children: set Person }

sig Man, Woman extends Person

Use Alloy’s set comprehension construction to define the following sets:

1. The set of all people that have no children.

{ p: Person | no p.children }

2. The set of all people that have only girls (i.e., whose children, if any, are all female).
{ p: Person | p.children in Woman }

3. The set of all people that have exactly a boy and a girl.
{ p: Person | some c1: Man | some c2: Woman | p.children = c1 + c2 }

3. (3 points) Express as an Alloy formula the fact that three sets B1, B2, B3 are a partition of a
set A. Do not assume that these sets are signatures.

{
a = b1 + b2 + b3
no (b1 & b2)
no (b1 & b3)
no (b2 & b3)
}

4. (3 points) Compute the result of the following operation in Alloy

|{ (a,b,c), (a,c,e) }.{ (c,a), (c,d), (b,c) } = { (a,b,a), (a,b,d) }

5. (3 points) Given the relations

addr = { (B0,N0,D0,T0), (B0,N0,D1,T1), (B0,N1,D2,T0), B = { (B0) }

(B0,N1,D2,T1), (B1,N2,D3,T0), (B1,N2,D4,T1) } T = { (T1) }

compute the relation B.addr.T = { (N0,D1), (N1,D2) }

Page 3
6. (6 points) Each of the following Alloy constraints on a relation r of type A -> A (for some
signature A) expresses a property of binary relations.
Connect with a line each constraint to the corresponding property among those listed on the
right.
some r (1) (a) irreflexive (no element is related to itself)
r.r in r (2) (b) injective (no two elements are related to the same element)
no (iden & r) (3) (c) nonempty
~r in r (4) (d) transitive (if a is related to b and b to c then a is related to c)
~r.r in iden (5) (e) functional (every element is related to at most one element)
r.~r in iden (6) (f) symmetric (a is related to b only if b is related to a)

Recall that iden is the identity relation which holds only for pairs of the form (a, a) where a
is member of A.

1 7→ c, 2 7→ d, 3 7→ a, 4 7→ f , 5 7→ e, 6 7→ b

7. (10 points) Suppose you are modeling each of the following relations as a binary relation.
Which of the properties listed in the previous problem would you expect each relation to have?
(Write just the letter of a property.)

1. the relation sibling between people with the same biological parents;
a, f

2. the relation mother between a person and that person’s biological mother;
a, e

3. the relation contains between directories in a file system and their contents;
a, d

4. the relation successor between each integer number n and n + 1;

a, b, c, e

5. the ≤ relation between integers.

c, d

Page 4
8. (8 points) Consider the following Alloy model:

abstract sig Person {}

sig Faculty extends Person {}
sig Student extends Person {}
sig Instructor in Person {}
sig Course {
taughtby: one Instructor,
enrolled: some Student
}

For each of the instances below say whether it satisfies the model or not. If it does not, also
briefly explain why.

1. Person = { (Beth), (Jim), (Joe), (Kay), (Mary), (Tim) }

Faculty = { (Beth), (Joe) }
Student = { (Jim), (Kay), (Mary) }
Instructor = { (Beth), (Joe), (Kay) }
Course = { (History), (Math), (Science) }
taughtby = { (History, Joe), (Math, Kay), (Science, Beth) }
enrolled = { (History, Jim), (Math, Kay), (Science, Mary) }
Does not satisfy the model. Faculty and Student should form a partion of Person, but
Tim is in neither.

2. Person = { (Beth), (Jim), (Joe), (Kay), (Mary), (Tim) }

Faculty = { (Beth), (Joe) }
Student = { (Jim), (Kay), (Mary), (Tim) }
Instructor = { (Beth), (Joe), (Kay) }
Course = { (History), (Math), (Science) }
taughtby = { (History, Joe), (Math, Kay), (Science, Joe) }
enrolled = { (History, Jim), (Math, Kay), (Science, Mary) }
Satisfies the model.

3. Person = { (Beth), (Jim), (Joe), (Kay), (Mary), (Tim) }

Faculty = { (Beth), (Joe) }
Student = { (Jim), (Kay), (Mary), (Tim) }
Instructor = { (Beth), (Joe), (Kay) }
Course = { (History), (Math), (Science) }
taughtby = { (History, Joe), (Math, Kay), (Science, Joe) }
enrolled = { (History, Jim), (History, Kay), (Science, Mary) }
Does not satisfy the model. No one is enrolled in Math, against the multiplicity constraint
of enrolled.

Page 5
9. (9 points) Consider the following highly simplified Alloy model of a public library with several
book titles and one or more copy per title. At any one time, a book copy is available in the
library if it is not currently checked out by a library patron.

open ordering [Time] as T

sig Time {}
sig BookTitle { copies: some BookCopy }
sig BookCopy { available: Time }
fact { all c: BookCopy | one b: BookTitle | c in b.copies }

Now consider the following two operations:

Borrow: A patron borrows an available copy c of a book (title) b. The only effect of this
operation is that the checked out copy c becomes unavailable.
Return: A book copy c is returned to the library. The only effect of this operation is that the
returned copy becomes available again.

Provide below a definition of the Alloy predicates borrow and return, modeling the two opera-
tors described above. Then provide a definition of the trans predicate, modeling the transition
relation for a transition system corresponding to these two operators only.

pred borrow [ b:BookTitle, t,t’:Time ] {

some b.copies & available.t

some c: b.copies & available.t | available.t’ = available.t - c

}

pred return [ c:BookCopy, t,t’:Time ] {

available.t’ = available.t + c
}

pred trans [ t,t’:Time ] {

(some b:BookTitle | borrow[b,t,t’])
or
(some c:BookCopy | return [c,t,t’])
}

Page 6
10. (3 points) Define in Lustre the temporal operator UntilNow which takes a Boolean input X
and returns true iff X is currently true and has been continuously true from the start.

node UntilNow ( X : bool ) returns ( Y : bool );

let
Y = X -> X and pre Y;
tel

11. (3 points) Define in Lustre the temporal operator HasOccurred which takes a Boolean input
X and returns true if and only if X was ever true—possibly including now.

node HasOccurred ( X : bool ) returns ( Y : bool );

let
Y = X -> X or pre Y;
tel

12. (3 points) Define a Lustre node that takes as input an integer N and a Boolean Reset and
returns an integer value C satisfying the following requirements.
C starts at zero and increases by one at each step as long as it is stays (strictly) smaller than
the initial value of N and Reset is currently false. In all other cases, it goes back to zero.
Write your definition under the assumption that the initial value of N is positive (that is, do
not consider that possibility that initially N ≤ 0).

node Counter ( N : int; Reset: bool ) returns ( C : int );

let
C = 0 -> if Reset or pre C = First(N) - 1 then 0 else pre C + 1;
tel

13. (3 points (bonus)) [Optional]

Using the operator UntilNow, define in Lustre the Boolean operator IsConstant which takes
an integer input N and returns true if and only if N has maintained the same value from the
start.

node IsConstant ( N : int ) returns ( Y : bool );

let
Y = UntilNow(true -> N = pre N);
tel

Page 7
14. (14 points) Write in Lustre the following properties of Counter from the previous problem,
which we expect to hold when the initial value of N is positive.
You may use as needed the operators HasOccurred, UntilNow, IsConstant, and First where
First is the unary operator seen in class that always returns the initial value of its input
stream.
(Note that you can do this problem even if you did not complete those in the previous page.)
-- C ranges between 0, included, and the initial value of N, excluded

P1 = 0 <= C and C < N0;

-- C is 0 initially and at least every time Reset is true

P2 = C = 0 -> Reset => C = 0;

-- C increases unless Reset is true or its previous value was

-- 1 below the initial value of N

P3 = true -> (not Reset and pre C <> N0 - 1) => pre C < C;

-- C decreases only by going to 0

P4 = true -> C < pre C => C = 0;

-- When Reset is continuously true or N is initially 1

-- C is continuously 0

P5 = (UntilNow(Reset) or N0 = 1) => UntilNow(C = 0);

-- C is constant only if it is always 0

P6 = (IsConstant(C) = UntilNow(C = 0));

-- After the initial execution step, if N was initially > 1 and

-- there was no reset then C must have been 1 at some point

P7 = true -> N0 > 1 and UntilNow(not Reset) => HasOccurred(C = 1);

Note: P3, P4 are set to true initially because the property is really about later execution steps.

Page 8