Introduction to Formal Verification Methods Exercise 4
Guy Katz, May 30, 2013

Question 1

(A) We argue that there exists a weakly fair non-progress cycle in the given model. Under weak fairness, every statement that is continuously enabled from some point of the run onwards is eventually executed. Observe a run in which only process A executes statements. Clearly, process A has to execute the two branches of its main loop alternately, once setting x to 2 and once setting it to 3. The condition x == 3 in process B therefore evaluates to true only every second iteration. Hence, in the described run, although the progress step of process B is enabled infinitely often, it is never continuously enabled. Thus, a run in which only process A is scheduled is weakly fair, and a weakly fair non-progress cycle exists.

(B) We argue that there does not exist a strongly fair non-progress cycle in the given model. Under strong fairness, the only situation in which a non-progress cycle exists is one in which the condition x == 3 of process B evaluates to true only a finite number of times. Fairness also forces process A to be scheduled infinitely often. However, as process A must alternate between the two branches of its main loop, x will then evaluate to 3 infinitely often, contradicting our assumption. Hence, x equals 3 infinitely often, and the progress statement in process B is executed infinitely often because of the strong fairness assumption. The claim follows.

(C) We observe that in this model, much like in the previous one, both the weak and the strong fairness assumption imply that process A is scheduled infinitely often, and hence that the value of x alternates infinitely often between 2 and 3. We now observe what happens in process B. As the value of x alternates, both statements in process B are enabled infinitely often, but never continuously: when x == 3 the first is enabled and the other is not, and when x == 2 it is the other way around. Hence, when only weak fairness is assumed, a non-progress cycle exists: a cycle in which only process A is scheduled. However, when strong fairness is assumed, it suffices that the statements in process B are enabled infinitely often to guarantee that they are executed infinitely often. Hence, no strongly fair non-progress cycle exists.
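The argument of parts (A) and (B) can be checked mechanically. The following Python script is an added example and is not part of the exercise sheet. Because the exercise's Promela model is not reproduced on this page, it uses a constructed two-process model matching the description in the text: process A alternately sets x to 2 and 3, and process B has a single progress-labelled step guarded by x == 3. The initial value of x (0), the program counters and the statement names are assumptions. It enumerates the reachable product states, every strongly connected set of non-progress transitions among them (the candidate non-progress cycles), and keeps only those that are fair under the statement-level weak or strong fairness defined in part (A).

```python
"""Fairness-filtered search for non-progress cycles in a small two-process model.

Added example (not from the exercise sheet). The model is constructed to match
the description in Question 1; the real Promela model is not on the page, so
the initial value of x, the program counters and the statement names are
assumptions.
  process A:  do :: x = 2; x = 3 od            (the two assignments alternate)
  process B:  do :: (x == 3) -> progress: skip od
A state is (pcA, x); process B has a single location and needs no counter.
"""
from itertools import combinations


def model(state):
    """Statements enabled in `state`, as (name, successor, is_progress_step)."""
    pc_a, x = state
    stmts = []
    if pc_a == 0:
        stmts.append(("A: x = 2", (1, 2), False))
    else:
        stmts.append(("A: x = 3", (0, 3), False))
    if x == 3:                      # B's guard; the step itself carries the progress label
        stmts.append(("B: progress", (pc_a, x), True))
    return stmts


def reachable(enabled, init):
    """All states reachable from `init` under the enabled-statement relation."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for _, t, _ in enabled(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def strongly_connected(states, edges):
    """True if the non-empty set of `edges` makes `states` strongly connected,
    so an infinite run can recur through exactly `states` using exactly `edges`."""
    if not edges:
        return False

    def closure(start, step):
        seen, todo = {start}, [start]
        while todo:
            s = todo.pop()
            for t in step(s):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    s0 = next(iter(states))
    forward = closure(s0, lambda s: [t for u, t in edges if u == s])
    backward = closure(s0, lambda s: [u for u, t in edges if t == s])
    return forward == states and backward == states


def is_fair(enabled, states, taken, strong):
    """Fairness of an infinite run whose recurring states are `states` and whose
    infinitely-often executed statements are `taken` (statement-level fairness).
    Weak: a statement enabled in every recurring state must be in `taken`.
    Strong: a statement enabled in some recurring state must be in `taken`."""
    names = {name for s in states for name, _, _ in enabled(s)}
    for name in names:
        enabled_in = [any(n == name for n, _, _ in enabled(s)) for s in states]
        required = any(enabled_in) if strong else all(enabled_in)
        if required and name not in taken:
            return False
    return True


def fair_non_progress_cycles(enabled, init, strong):
    """Every (recurring states, recurring statements) pair describing a fair
    infinite run that executes no progress step. Exhaustive over subsets, so
    only suitable for state spaces of a handful of states."""
    found = []
    states = sorted(reachable(enabled, init))
    for k in range(1, len(states) + 1):
        for subset in combinations(states, k):
            S = set(subset)
            # candidate transitions: stay inside S and are not progress steps
            trans = [(s, name, t) for s in S for name, t, prog in enabled(s)
                     if t in S and not prog]
            for m in range(1, len(trans) + 1):
                for T in combinations(trans, m):
                    taken = {name for _, name, _ in T}
                    if (strongly_connected(S, {(s, t) for s, _, t in T})
                            and is_fair(enabled, S, taken, strong)
                            and (S, taken) not in found):
                        found.append((S, taken))
    return found


if __name__ == "__main__":
    for strong in (False, True):
        kind = "strongly" if strong else "weakly"
        print(kind, "fair non-progress cycles:",
              fair_non_progress_cycles(model, (0, 0), strong))
```

For the constructed model the search reports exactly one weakly fair non-progress cycle, the one alternating between the two process-A states, and none under strong fairness, which is the content of parts (A) and (B). Replacing `model` with the enabled-statement relation of part (C)'s model, or of any other small Promela-style model, reuses the search unchanged; the subset enumeration is exponential and only meant for tiny state spaces.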
Question 2

We begin by observing the given property. A trace satisfies property P if and only if the condition on a and b required by P holds infinitely often. Looking at the transition system, we note that there are exactly two states in which this condition holds: state $s_2$ and state $s_4$. Thus, the trace of a run satisfies P if and only if the run visits state $s_2$ or state $s_4$ infinitely often. In particular, as runs can loop indefinitely in other states, say $s_3$, we get that $TS \not\models P$. In the following sections we examine whether the fairness assumptions restrict the set of fair runs to only those that satisfy P.

(A) We prove that $TS \not\models_{F_1} P$. Observe the run $\rho = s_0 \xrightarrow{\beta} s_2 \xrightarrow{\delta} s_3 \xrightarrow{\beta} s_3 \xrightarrow{\beta} s_3 \cdots$, which visits only state $s_3$ from its third position onwards. This run is $F_1$-fair, as action $\beta$ is selected infinitely often. However, $trace(\rho) \notin P$, as neither $s_2$ nor $s_4$ is visited infinitely often. The claim follows.

(B) We prove that $TS \models_{F_2} P$. Let $\rho$ be an $F_2$-fair run. By the unconditional part of $F_2$, $\rho$ contains infinitely many transitions labeled $\beta$. There are only three such transitions in the transition system: $s_0 \xrightarrow{\beta} s_2$, $s_3 \xrightarrow{\beta} s_3$ and $s_4 \xrightarrow{\beta} s_4$. Hence, at least one of them appears infinitely often in $\rho$. We consider each case:

1. Transition $s_0 \xrightarrow{\beta} s_2$ appears infinitely often. Then $\rho$ visits $s_2$ infinitely often, and hence satisfies P.

2. Transition $s_4 \xrightarrow{\beta} s_4$ appears infinitely often. Then $\rho$ visits $s_4$ infinitely often, and hence satisfies P.

3. Transition $s_3 \xrightarrow{\beta} s_3$ appears infinitely often. Then $\rho$ visits $s_3$ infinitely often. Observe state $s_3$: it has only two outgoing edges, a self loop and an edge leading to $s_4$. As soon as the run leaves $s_3$ for $s_4$, it can never reach $s_3$ again. Hence, if $\rho$ visits $s_3$ infinitely often, it eventually loops forever in $s_3$ alone. However, by the strong fairness part of $F_2$, this cannot happen: the edge $s_3 \xrightarrow{\eta} s_4$ is labeled $\eta$, so $\eta$ is enabled infinitely often and $\rho$ eventually has to traverse this edge, contradicting the infinite loop in $s_3$. Hence this case cannot occur.

As only cases (1) and (2) can occur, and both satisfy P, any $F_2$-fair run visits $s_2$ or $s_4$ infinitely often, and hence $TS \models_{F_2} P$, as needed.

(C) We prove that $TS \not\models_{F_3} P$. Observe the run $\rho = s_0 \xrightarrow{\alpha} s_1 \xrightarrow{\alpha} s_1 \xrightarrow{\alpha} s_1 \cdots$, which visits only state $s_1$ from its second position onwards. This run is $F_3$-fair, as action $\alpha$ is selected infinitely often. However, $trace(\rho) \notin P$, as neither $s_2$ nor $s_4$ is visited infinitely often. The claim follows.

(D) We prove that $TS \models_{F_4} P$. Let $\rho$ be an $F_4$-fair run, and suppose towards contradiction that $trace(\rho) \notin P$. This implies that $\rho$ visits neither $s_2$ nor $s_4$ infinitely often. As $\rho$ is infinite, it has to visit some state infinitely often, and by elimination this has to be $s_0$, $s_1$ or $s_3$.

1. State $s_0$ is visited infinitely often. As $s_0$ has no self loop, and as we assume that $s_2$ is not visited infinitely often, it follows that $s_1$ is also visited infinitely often. See the next case.

2. State $s_1$ is visited infinitely often. Action $\eta$ is enabled in $s_1$. By the strong fairness assumption, it must also be selected infinitely often. There are only two edges labeled $\eta$ in the transition system; one leads to $s_3$ and the other to $s_4$. If either of them is traversed even once, the run can never return to $s_1$. Hence this case cannot occur.

3. State $s_3$ is visited infinitely often. Again, action $\eta$ is enabled infinitely often and must be selected infinitely often. Once the run has reached $s_3$, only one $\eta$-edge is still accessible: $s_3 \xrightarrow{\eta} s_4$. Hence the run eventually visits $s_4$, and once there it can never return to $s_3$, contradicting our assumption. Hence this case cannot occur either.

As all options lead to a contradiction, no fair run can visit $s_0$, $s_1$ or $s_3$ infinitely often while visiting neither $s_2$ nor $s_4$ infinitely often. It follows that $TS \models_{F_4} P$, as needed.

(E,F) We show that $TS \models_{F_4} P$ implies $TS \models_{F_5} P$. Combined with section (D), this answers both sections at once. Observe assumptions $F_4$ and $F_5$: $F_5$ contains the same strong fairness assumptions as $F_4$, plus additional weak fairness assumptions. Adding fairness assumptions can only decrease the set of fair runs; in other words,
$$FairTraces_{F_5}(TS) \subseteq FairTraces_{F_4}(TS).$$
Now, if $TS \models_{F_4} P$, then $FairTraces_{F_4}(TS) \subseteq P$. Hence also $FairTraces_{F_5}(TS) \subseteq P$, i.e. $TS \models_{F_5} P$. Together with section (D), it immediately follows that $TS \models_{F_5} P$, and that no property as described in the question exists.
Question 3

We will prove that one fairness assumption that satisfies the requirements is
$$F_{min} = (\emptyset, \{\{\gamma, \delta\}\}, \emptyset).$$
To prove that this is correct, we prove the following claim: for any run $\rho$ of $TS$, $\rho$ is $F_{min}$-fair if and only if $trace(\rho) \in P$. From this it follows that (1) $TS \models_{F_{min}} P$, as all fair runs satisfy P, and that (2) $F_{min}$ is minimal, as any fairness assumption that does not eliminate at least the same runs as $F_{min}$ includes runs that violate P. The proof of the claim follows.

Direction 1: runs satisfying P are fair. Suppose, towards contradiction, that there exists a run $\rho$ that satisfies P but is not $F_{min}$-fair. This means that $\rho$ has an infinite suffix $\sigma$ in which an edge labeled $\gamma$ or $\delta$ is enabled infinitely often, but no edge labeled $\gamma$ or $\delta$ is traversed. Looking at the graph, this situation is only possible if $\sigma$ visits only states $s_1$ and $s_2$, without ever traversing the edges to states $s_3$, $s_4$ or $s_5$. However, as $L(s_1) = L(s_2) = \emptyset$, this contradicts $trace(\rho) \in P$. We have reached a contradiction, and hence every run that satisfies P is also $F_{min}$-fair.

Direction 2: fair runs satisfy P. Let $\rho$ be an $F_{min}$-fair run of $TS$. Run $\rho$ violates P if and only if it has a suffix that visits only states $s_1$ and $s_2$, which are the only states labeled with neither p nor q. The only way to do this is for the suffix to traverse the cycle $s_1 \xrightarrow{\alpha} s_2 \xrightarrow{\alpha} s_1$ indefinitely. However, along this cycle the transitions labeled $\gamma$ and $\delta$ are enabled infinitely often, so by strong fairness they eventually have to be traversed, breaking the cycle. Hence, no such suffix exists. It follows that $\rho$ visits states other than $s_1$ and $s_2$ infinitely often. Thus, $trace(\rho) \in P$, as needed.

Question 4

(A) We prove that there exist liveness properties $P'$ and $P''$ for which $P' \cap P''$ is not a liveness property. Let $AP = \{a\}$. Let $P'$ be the liveness property "eventually, always a", and let $P''$ be the liveness property "eventually, always $\neg a$". As any finite prefix can be extended into a word in $P'$ and into a word in $P''$, both properties are indeed liveness properties. By definition, $P' \cap P'' = \emptyset$. Hence, the finite prefix $\{a\}$ cannot be extended into a word in $P' \cap P''$. Thus, $P' \cap P''$ is not a liveness property, disproving the claim.

(B) We prove that for liveness properties $P'$ and $P''$, the property $P' \cup P''$ is also a liveness property. $P' \cup P''$ is a liveness property if and only if every finite prefix $\rho \in (2^{AP})^*$ can be extended into a word in $P' \cup P''$. As $P'$ is a liveness property, $\rho$ can be extended into a word $\rho' \in P'$.
As $\rho' \in P' \cup P''$, it follows that $\rho$ can be extended into a word in $P' \cup P''$, proving the claim.

Question 5

(A) We prove that for any LT properties $P_1$ and $P_2$ it holds that
$$closure(P_1 \cup P_2) = closure(P_1) \cup closure(P_2).$$

Direction 1: $closure(P_1 \cup P_2) \subseteq closure(P_1) \cup closure(P_2)$. Let $\rho \in closure(P_1 \cup P_2)$. As $pref(P_1 \cup P_2) = pref(P_1) \cup pref(P_2)$, every finite prefix of $\rho$ is in $pref(P_1)$ or in $pref(P_2)$ or in both. As $\rho$ has infinitely many finite prefixes, $pref(P_1)$ or $pref(P_2)$ (or both) contains infinitely many of them. Without loss of generality, suppose that $|pref(\rho) \cap pref(P_1)| = \infty$. We next show that this implies $pref(\rho) \subseteq pref(P_1)$. Suppose, towards contradiction, that there exists $\sigma \in pref(\rho)$ such that $\sigma \notin pref(P_1)$, and let $|\sigma| = k$. As $|pref(\rho) \cap pref(P_1)| = \infty$, there is another prefix $\sigma' \in pref(\rho)$ such that $\sigma' \in pref(P_1)$ and $|\sigma'| > k$. Since $\sigma$ and $\sigma'$ are both prefixes of the same word $\rho$, $\sigma$ is a prefix of $\sigma'$, and so every word of which $\sigma'$ is a prefix also has $\sigma$ as a prefix. Hence $\sigma \in pref(P_1)$, a contradiction. It follows that indeed $pref(\rho) \subseteq pref(P_1)$. We have shown that for every $\rho \in closure(P_1 \cup P_2)$, $pref(\rho) \subseteq pref(P_1)$ or $pref(\rho) \subseteq pref(P_2)$. Hence, $\rho \in closure(P_1) \cup closure(P_2)$. The claim follows.

Direction 2: $closure(P_1) \cup closure(P_2) \subseteq closure(P_1 \cup P_2)$. Let $\rho \in closure(P_1) \cup closure(P_2)$. Without loss of generality, suppose that $\rho \in closure(P_1)$. This means that every finite prefix of $\rho$ is in $pref(P_1)$, and hence also in $pref(P_1 \cup P_2)$. It follows that $\rho \in closure(P_1 \cup P_2)$, and so $closure(P_1) \cup closure(P_2) \subseteq closure(P_1 \cup P_2)$, as needed.

(B) We prove that there exist LT properties $P_1$ and $P_2$ for which
$$closure(P_1 \cap P_2) \neq closure(P_1) \cap closure(P_2).$$
Let $AP = \{a\}$. Let $P_1$ be the liveness property "eventually, always a", and let $P_2$ be the liveness property "eventually, always $\neg a$". As with any liveness property, any finite prefix can be extended into a word in $P_1$ and into a word in $P_2$, and hence
$$closure(P_1) = closure(P_2) = (2^{AP})^\omega.$$
However, by definition $P_1 \cap P_2 = \emptyset$, and hence $closure(P_1 \cap P_2) = \emptyset$. Thus, $closure(P_1 \cap P_2) \neq closure(P_1) \cap closure(P_2)$, disproving the claim.

Question 6

We will prove the three parts of the guidelines. The theorem then follows by setting $P_{safe} = closure(P)$ and $P_{live} = P \cup \big((2^{AP})^\omega \setminus closure(P)\big)$.

(A) We will prove that $closure(P)$ is a safety property. Begin by observing that for any LT property P, it holds that $P \subseteq closure(P)$. This follows from the definition of the closure: for any $\sigma \in P$, every finite prefix of $\sigma$ can be extended into an infinite word in P, namely into $\sigma$ itself, and so $\sigma \in closure(P)$. We use this fact in proving the following claim.

Claim 1. Let P be an LT property. Then $pref(closure(P)) = pref(P)$.

Proof.
As $P \subseteq closure(P)$, we can write
$$pref(closure(P)) = pref(P) \cup pref(closure(P) \setminus P),$$
and so the claim is proven by showing that $pref(closure(P) \setminus P) \subseteq pref(P)$. Observe some fixed $\rho \in pref(closure(P) \setminus P)$. Clearly, $\rho \in pref(closure(P))$. Thus, there exists some infinite word $\sigma \in closure(P)$ such that $\rho$ is a prefix of $\sigma$. By the definition of the closure, $\sigma \in closure(P)$ implies that $pref(\sigma) \subseteq pref(P)$. Hence, $\rho \in pref(P)$. This holds for any $\rho \in pref(closure(P) \setminus P)$, and so $pref(closure(P) \setminus P) \subseteq pref(P)$. The claim follows.

We now turn to the main claim of this section. Recall that $closure(P)$ is a safety property if and only if every bad word $\sigma \in (2^{AP})^\omega \setminus closure(P)$ has a finite prefix $\rho$ that cannot be extended into a word in $closure(P)$. Differently put, $closure(P)$ is a safety property if and only if the following condition holds:
$$\sigma \in closure(P) \iff pref(\sigma) \subseteq pref(closure(P)).$$
Next, we prove both directions of this condition.

Direction 1: Assume that $\sigma \in closure(P)$. This means that every finite prefix of $\sigma$ is in $pref(P)$, i.e. $pref(\sigma) \subseteq pref(P)$. By Claim 1, this means that $pref(\sigma) \subseteq pref(closure(P))$.

Direction 2: Assume that $pref(\sigma) \subseteq pref(closure(P))$. By Claim 1, $pref(\sigma) \subseteq pref(P)$. By the definition of the closure, $\sigma \in closure(P)$.

It follows that $closure(P)$ is indeed a safety property, as needed.

(B) We will show that $P_{live} = P \cup \big((2^{AP})^\omega \setminus closure(P)\big)$ is a liveness property. By definition, this is equivalent to showing that $pref(P_{live}) = (2^{AP})^*$. As it clearly holds that $pref(P_{live}) \subseteq (2^{AP})^*$, all that remains to show is that every $\rho \in (2^{AP})^*$ satisfies $\rho \in pref(P_{live})$. Observe some fixed $\rho \in (2^{AP})^*$. If $\rho \in pref(P)$, then $\rho$ can be extended into a word in P (which is also in $P_{live}$) and we are done. Suppose, then, that $\rho \notin pref(P)$, i.e. that $\rho$ cannot be extended into a word in P. We extend $\rho$ into some arbitrary infinite word $\sigma$; by the above, $\sigma \notin P$. Further, $\sigma \notin closure(P)$, because it has a prefix, $\rho$, that is not in $pref(P)$. Hence, $\sigma \in (2^{AP})^\omega \setminus closure(P)$. This implies that $\rho \in pref\big((2^{AP})^\omega \setminus closure(P)\big) \subseteq pref(P_{live})$. The claim follows.

(C) We have previously shown that for any LT property P, $P \subseteq closure(P)$. From this it follows that $P = closure(P) \cap P$. Using basic set theory, we also know that $closure(P) \cap \big((2^{AP})^\omega \setminus closure(P)\big) = \emptyset$. Putting the two equalities together we get
$$\begin{aligned}
P &= P \cap closure(P) \\
  &= (P \cap closure(P)) \cup \emptyset \\
  &= (P \cap closure(P)) \cup \big(closure(P) \cap ((2^{AP})^\omega \setminus closure(P))\big) \\
  &= closure(P) \cap \big(P \cup ((2^{AP})^\omega \setminus closure(P))\big),
\end{aligned}$$
as needed.
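Questions 4 to 6 treat pref, closure, safety and liveness abstractly. The following Python module is an added example, not part of the exercise sheet, that makes the same notions executable for ω-regular properties given as nondeterministic Büchi automata over $2^{AP}$ with $AP = \{a, b\}$. The three automata in it are constructed for the example and are not the page's transition systems. `bad_prefix_index` is a monitor for $closure(P)$: it reports the shortest prefix that cannot be extended into P, which by Claim 1 of Question 6 ($pref(closure(P)) = pref(P)$) is exactly the safety part of the decomposition. `is_liveness` decides whether $pref(P) = (2^{AP})^*$ by exploring the finite subset construction, the characterisation of liveness used in Question 4.

```python
"""Executable pref / closure / liveness checks for omega-regular properties.

Added example, not part of the exercise sheet. Words are over 2^AP with
AP = {a, b}; a letter is the frozenset of propositions true at that position.
A property P is given as a nondeterministic Buchi automaton (NBA). The three
automata at the bottom are constructed for this example; they are not the
page's transition systems.
"""

LETTERS = [frozenset(s) for s in ((), ("a",), ("b",), ("a", "b"))]
A, B, AB, E = frozenset("a"), frozenset("b"), frozenset("ab"), frozenset()


class NBA:
    def __init__(self, states, init, accepting, delta):
        self.states = set(states)
        self.init = set(init)
        self.accepting = set(accepting)
        self.delta = delta          # dict: (state, letter) -> set of successor states

    def succ(self, q, letter):
        return self.delta.get((q, letter), set())


def reachable(nba, start):
    """States reachable from the set `start` by any sequence of letters."""
    seen, todo = set(start), list(start)
    while todo:
        q = todo.pop()
        for letter in LETTERS:
            for r in nba.succ(q, letter):
                if r not in seen:
                    seen.add(r)
                    todo.append(r)
    return seen


def live_states(nba):
    """States from which some accepting run exists, i.e. from which an accepting
    state that lies on a cycle is reachable."""
    on_cycle = {f for f in nba.accepting
                if any(f in nba.succ(q, l) for q in reachable(nba, {f}) for l in LETTERS)}
    return {q for q in nba.states if reachable(nba, {q}) & on_cycle}


def bad_prefix_index(nba, prefix):
    """Monitor for closure(P). Returns the length of the shortest bad prefix of
    `prefix` (a finite word that no infinite extension lifts into P), or None if
    every prefix read is in pref(P). Since pref(closure(P)) = pref(P) (Claim 1
    of Question 6), rejecting bad prefixes is exactly monitoring the safety part
    closure(P) of the decomposition of P."""
    live = live_states(nba)
    current = set(nba.init)        # subset construction: all states some run may be in
    for i in range(len(prefix) + 1):
        if not current & live:
            return i
        if i < len(prefix):
            current = {r for q in current for r in nba.succ(q, prefix[i])}
    return None


def is_liveness(nba):
    """Exact test of pref(P) = (2^AP)*: every subset state reachable in the
    subset construction must contain a live state. The subset construction is
    finite, so the search terminates."""
    live = live_states(nba)
    start = frozenset(nba.init)
    seen, todo = {start}, [start]
    while todo:
        cur = todo.pop()
        if not cur & live:
            return False           # the word leading here is a bad prefix
        for letter in LETTERS:
            nxt = frozenset(r for q in cur for r in nba.succ(q, letter))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return True


# "never a and b together": a safety property; state 1 is a non-accepting sink.
SAFETY = NBA(states={0, 1}, init={0}, accepting={0},
             delta={**{(0, l): {0} for l in LETTERS if l != AB}, (0, AB): {1},
                    **{(1, l): {1} for l in LETTERS}})

# "infinitely often a": a liveness property; state 1 is entered on every a.
LIVENESS = NBA(states={0, 1}, init={0}, accepting={1},
               delta={(q, l): ({1} if "a" in l else {0}) for q in (0, 1) for l in LETTERS})

# Product of the two: neither safety nor liveness; its closure is the SAFETY language.
MIXED = NBA(states={(s, t) for s in (0, 1) for t in (0, 1)}, init={(0, 0)},
            accepting={(0, 1)},
            delta={((s, t), l): {(1 if (s == 1 or l == AB) else 0, 1 if "a" in l else 0)}
                   for s in (0, 1) for t in (0, 1) for l in LETTERS})

if __name__ == "__main__":
    word = [A, E, AB, A]               # constructed sample prefix
    for name, nba in (("SAFETY", SAFETY), ("LIVENESS", LIVENESS), ("MIXED", MIXED)):
        print(name, "bad prefix at:", bad_prefix_index(nba, word),
              "liveness:", is_liveness(nba))
```

On the constructed automata the monitor flags the third letter of the prefix [{a}, {}, {a,b}, {a}] for both the pure safety property and the mixed property (their closures coincide, which is why the safety part of MIXED is monitorable even though MIXED itself is not a safety property), never flags anything for the "infinitely often a" automaton, and `is_liveness` is True only for that last one. The liveness test is exact because the subset construction has finitely many states; a safety test ($closure(P) = P$) would additionally need an ω-language equivalence check and is not attempted here.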
More informationAutomata-Theoretic Model Checking of Reactive Systems
Automata-Theoretic Model Checking of Reactive Systems Radu Iosif Verimag/CNRS (Grenoble, France) Thanks to Tom Henzinger (IST, Austria), Barbara Jobstmann (CNRS, Grenoble) and Doron Peled (Bar-Ilan University,
More informationOn Stabilizing Departures in Overlay Networks
On Stabilizing Departures in Overlay Networks Dianne Foreback 1, Andreas Koutsopoulos 2, Mikhail Nesterenko 1, Christian Scheideler 2, and Thim Strothmann 2 1 Kent State University 2 University of Paderborn
More informationω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:
ω-automata ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: in verification, as encodings of non-terminating executions of a program. in arithmetic,
More informationAnd, even if it is square, we may not be able to use EROs to get to the identity matrix. Consider
.2. Echelon Form and Reduced Row Echelon Form In this section, we address what we are trying to achieve by doing EROs. We are trying to turn any linear system into a simpler one. But what does simpler
More information4 Limit and Continuity of Functions
Module 2 : Limits and Continuity of Functions Lecture 4 : Limit at a point Objectives In this section you will learn the following The sequential concept of limit of a function The definition of the limit
More informationIntroduction to Turing Machines. Reading: Chapters 8 & 9
Introduction to Turing Machines Reading: Chapters 8 & 9 1 Turing Machines (TM) Generalize the class of CFLs: Recursively Enumerable Languages Recursive Languages Context-Free Languages Regular Languages
More informationSAT-Based Verification with IC3: Foundations and Demands
SAT-Based Verification with IC3: Foundations and Demands Aaron R. Bradley ECEE, CU Boulder & Summit Middle School SAT-Based Verification with IC3:Foundations and Demands 1/55 Induction Foundation of verification
More informationAlgorithms. NP -Complete Problems. Dong Kyue Kim Hanyang University
Algorithms NP -Complete Problems Dong Kyue Kim Hanyang University dqkim@hanyang.ac.kr The Class P Definition 13.2 Polynomially bounded An algorithm is said to be polynomially bounded if its worst-case
More informationValency Arguments CHAPTER7
CHAPTER7 Valency Arguments In a valency argument, configurations are classified as either univalent or multivalent. Starting from a univalent configuration, all terminating executions (from some class)
More informationFinitary Winning in \omega-regular Games
Finitary Winning in \omega-regular Games Krishnendu Chatterjee Thomas A. Henzinger Florian Horn Electrical Engineering and Computer Sciences University of California at Berkeley Technical Report No. UCB/EECS-2007-120
More informationSolutions for Math 217 Assignment #3
Solutions for Math 217 Assignment #3 (1) Which of the following sets in R n are open? Which are closed? Which are neither open nor closed? (a) {(x, y) R 2 : x 2 y 2 = 1}. (b) {(x, y, z) R 3 : 0 < x + y
More informationLecture 11: Generalized Lovász Local Lemma. Lovász Local Lemma
Lecture 11: Generalized Recall We design an experiment with independent random variables X 1,..., X m We define bad events A 1,..., A n where) the bad event A i depends on the variables (X k1,..., X kni
More informationUNIT 3 REASONING WITH EQUATIONS Lesson 2: Solving Systems of Equations Instruction
Prerequisite Skills This lesson requires the use of the following skills: graphing equations of lines using properties of equality to solve equations Introduction Two equations that are solved together
More informationAutomata-based Verification - III
CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationComputer Science 385 Analysis of Algorithms Siena College Spring Topic Notes: Limitations of Algorithms
Computer Science 385 Analysis of Algorithms Siena College Spring 2011 Topic Notes: Limitations of Algorithms We conclude with a discussion of the limitations of the power of algorithms. That is, what kinds
More informationProblem Set 3 Due: Wednesday, October 22nd, 2014
6.89: Algorithmic Lower Bounds Fall 24 Prof. Erik Demaine TAs: Sarah Eisenstat, Jayson Lynch Problem Set 3 Due: Wednesday, October 22nd, 24 Problem. A Tour of Hamiltonicity Variants For each of the following
More informationModal and Temporal Logics
Modal and Temporal Logics Colin Stirling School of Informatics University of Edinburgh July 23, 2003 Why modal and temporal logics? 1 Computational System Modal and temporal logics Operational semantics
More informationAlan Bundy. Automated Reasoning LTL Model Checking
Automated Reasoning LTL Model Checking Alan Bundy Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures have
More informationCIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Specification Patterns Copyright 2001-2002, Matt Dwyer, John Hatcliff, Robby. The syllabus and all lectures for this
More informationAlgorithms Exam TIN093 /DIT602
Algorithms Exam TIN093 /DIT602 Course: Algorithms Course code: TIN 093, TIN 092 (CTH), DIT 602 (GU) Date, time: 21st October 2017, 14:00 18:00 Building: SBM Responsible teacher: Peter Damaschke, Tel. 5405
More informationCommunicating Parallel Processes. Stephen Brookes
Communicating Parallel Processes Stephen Brookes Carnegie Mellon University Deconstructing CSP 1 CSP sequential processes input and output as primitives named parallel composition synchronized communication
More informationProbabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford
Probabilistic Model Checking Michaelmas Term 20 Dr. Dave Parker Department of Computer Science University of Oxford Overview PCTL for MDPs syntax, semantics, examples PCTL model checking next, bounded
More informationModel for reactive systems/software
Temporal Logics CS 5219 Abhik Roychoudhury National University of Singapore The big picture Software/ Sys. to be built (Dream) Properties to Satisfy (caution) Today s lecture System Model (Rough Idea)
More informationDiscrete Structures Proofwriting Checklist
CS103 Winter 2019 Discrete Structures Proofwriting Checklist Cynthia Lee Keith Schwarz Now that we re transitioning to writing proofs about discrete structures like binary relations, functions, and graphs,
More informationOverview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?
Computer Engineering and Networks Overview Discrete Event Systems Verification of Finite Automata Lothar Thiele Introduction Binary Decision Diagrams Representation of Boolean Functions Comparing two circuits
More informationProperty Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms
Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms Wen-ling Huang and Jan Peleska University of Bremen {huang,jp}@cs.uni-bremen.de MBT-Paradigm Model Is a partial
More informationAppendix A. Formal Proofs
Distributed Reasoning for Multiagent Simple Temporal Problems Appendix A Formal Proofs Throughout this paper, we provided proof sketches to convey the gist of the proof when presenting the full proof would
More informationModel Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the
Sérgio Campos, Edmund Why? Advantages: No proofs Fast Counter-examples No problem with partial specifications can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too
More informationAN APPROXIMATION ALGORITHM FOR COLORING CIRCULAR-ARC GRAPHS
AN APPROXIMATION ALGORITHM FOR COLORING CIRCULAR-ARC GRAPHS Wei-Kuan Shih 1 and Wen-Lian Hsu 2 Key Words: graph, clique, coloring, matching, algorithm ABSTRACT Consider families of arcs on a circle. The
More information