Week 4 solutions. March 21, From the left hand side formula we obtain ϕ ψ = ϕ ψ = We transform the left hand side formula as follows.

Transcription

1 Week 4 solutions March 21, a. ϕ ψ ϕ (ψ ϕ). From the left hand side formula we obtain ϕ ψ = ϕ ψ = ϕ ψ = (ψ ϕ) = True (ψ ϕ). Here, True = (ψ ϕ) ( ψ ϕ) (ψ ϕ) ( ψ ϕ). In True (ψ ϕ), only ( ψ ϕ) can hold before (ψ ϕ). In the right hand side formula, only ( ψ ϕ) can hold before (ψ ϕ) as well. Hence, we conclude that the equivalence holds. b. ϕ ψ (ϕ (ψ ϕ)). We transform the left hand side formula as follows. ϕ ψ = ϕ ψ = ϕ ψ. We already proved, that ϕ ψ ϕ (ψ ϕ), hence we can transform the right hand side formula as follows. (ϕ (ψ ϕ)) = ( ϕ ψ) = ( ϕ ψ). Now, let a = ϕ and b = ψ. We know, that (a b) a b, hence ϕ ψ ( ϕ ψ). c. (ϕ ψ) ( ϕ ψ). Left hand side formula is transformed as follows. (ϕ ψ) = (ϕ ψ). Right hand side formula is transformed as follows. ( ϕ ψ) = ( ϕ ψ) = (ϕ ψ). Hence, we conclude that the equivalence holds. d. (ϕ ψ) = ϕ ψ. The counter example is as follows. We consider a path, such that s 0 = (ϕ ψ), s 1 = (ϕ ψ), s 2 = ( ϕ ψ). For this path, the left hand side formula does not hold, since both ϕ and ψ must eventually become True simultaneously, whereas the right hand side formula holds for this path. Hence, the equivalence holds. e. ϕ ϕ ϕ. We transform the left hand side formula as follows. ϕ ϕ = ϕ (True ϕ) = ϕ (True ϕ) = ϕ. Hence, we conclude that the equivalence holds. 1

2 f. ϕ ϕ ϕ. The counter example is as follows. We consider a path, such that s 0 = ϕ, s 1 = ϕ. The right hand side formula holds for the path, since after ϕ eventually becomes True, there are no further obligations, whereas the left hand side formula does not hold, since, after ϕ eventually becomes True, from the next state, ϕ must hold. g. ϕ ψ (ϕ ψ). The counter example is as follows. Let there be a path s 0 (s 1 ) ω, such that s 0 = ϕ ψ, s 1 = ϕ ψ. For this path, the left hand side formula holds, since neither of ϕ and ψ hold, but the right hand side formula does not hold. h. ϕ ϕ. We transform the left hand side formula as follows. ϕ = (True ϕ) = True ϕ = True ϕ. The right hand side formula is transformed as follows. ϕ = True ϕ. From here, we can conclude that the equivalence holds. i. (ϕ ψ) ψ ϕ ψ. By applying the idempotency law to the left hand side formula, we can immediately conclude that the equivalence holds. 2 (a) (( ϕ (ϕ ψ)) ϕ). (b) (ϕ ψ) ϕ. (c) ϕ( ψ) ϕ. 3 First, the TA is defined as follows: TA = {Loc, Loc 0, Act, C,, Inv, AP, L} Loc = {s 0, s 1 } Loc 0 = {s 0 } Act = {switch on, switch off} C = {x, y} AP = Inv(s 0 ) = True Inv(s 1 ) = True L(s 0 ) = L(s 1 ) = The transitions are: x 1,switch on,{x,y} s 0 s 1 x 2,switch on,{x} s 1 s 1 2

3 s 1 y=3,switch off,{x} s 0 Now, TS = {S, Act,, I, AP, L } S = {(s 0, x, y) x, y R + } {(s 0, x, y) x, y R + } Act = {switch on, switch off} R + I = {(s 0, 0, 0)} AP = True L = The transitions are: switch on (s 0, x, y) (s 1, 0, 0), x, y, such that x 1, y 0 (s 0, x, y) d (s 0, x + d, y + d), x, y, d, such that x 0, y 0, d 0 switch on (s 1, x, y) (s 1, 0, y), x, y, such that x 2, y 0 (s 1, x, y) d (s 1, x + d, y + d), x, y, d, such that x 0, y 0, d 0 switch off (s 1, x, y) (s 0, 0, y), x, y, such that x 0, y = 3 The transition system is non-zeno, since there are no transitions without time constraints, which makes it impossible to conduct infinitely many actions in finite time. The transition system does not contain timelocks. In s 0 there are no invariants and the transition guard x 1 eventually becomes fulfilled. In s 1 there are no state invariants as well, and the switch on self-loop transition always becomes enabled after two time units. It is worth to note that when y becomes greater than 3, the switch off transition becomes unfeasible forever, but it does not create timelocks, since the switch on self-loop transition is always possible. 4 The automata are depicted on figures 3, 1 and 2. a i. Compl ii. (Inserted GotCoffee (Published1 Published2 Published3)) iii. (Inserted ServedCoffee) b There are no zeno paths in the model. An argument for this is that in the Person and Machine automata, each path from a state to the same state contains at least one transition with guards satisfying the following condition: for any clock x and any constant c, (x < c) holds. This guarantees that only finite amount of actions is possible within finite time. And the Observer automaton cannot proceed independently, without syncronizing with the Person and Machine. There are no timelocks paths in the model and informally it can be explained as follows. If we observe it, we can see that only two states of the Person automaton contain states with invariants. Otherwise, the model 3

4 can proceed. Let s consider both of the states with invariants. In the Person s Wait state, there is no possibility to end up in a deadlock, since whenever the following state is active, the only possible transition is out of this state, the Person s clock inevitably reaches the value which satisfies the transitions guard. Further, let s consider the Person s GotCoffee state. The state s invariant inevitably holds and there are no other circumstances which can prevent the transition. c Compl does not hold and the counter example is as follows. (Start,Idle,Idle2,x=0,y=0,z=0) (Wait,Inserted,Idle2,x=0,y=0,z=1) (Ready,Inserted,Idle2,x=0,y=3,z=4) (Ready,Inserted,Idle2,x=0,y=7,z=8) (GotCoffee,ServedCoffee,Idle2,x=0,y=2,z=10) (Start,Idle,Published3,x=2,y=4,z=12) (Start,Idle,Compl,x=2,y=4,z=12) As we can see, the Compl state of the observer is reached eventually (clock z tracks time elapsed from the previous publishing, and it is observable that 12 time units have passed). The two other properties hold and the argument is trivial. After (Inserted GotCoffee), it is impossible to avoid publising. Similarly, after the Inserted state, the ServedCoffee state is inevitable. In order for the first property to hold, it is enough to change the Person automaton. The changed automaton is provided in figure 4. The initial state is made urgent, in the Ready state, an invariant introduced, and the Go state is made committed. All of the changes prevent the automaton from unlimited waiting and limit the whole cycle in time, which makes the Compl state of the Observer automaton unreachable. 4

5 Figure 1: Machine automaton Figure 2: Observer automaton 5

6 Figure 3: Original person automaton Figure 4: Updated person automaton 6