Introduction to Formal Verification Methods Exercise 4

Transcription

1 Introduction to Formal Verification Methods Exercise 4 Guy Katz, May 30, 2013 Question 1 We argue that there exists a weakly fair non-progress cycle in the given model. ssuming weak fairness, every statement that is continuously enabled from a certain point in the run is eventually executed. Observe a run in which only process executes statements. Clearly, process would have to execute the two branches of its main loop interchangeably, once setting x to 2 and once setting it to 3. The condition x == 3 in process will evaluate to true only every second iteration. Hence, in the described run, although the progress step will be enabled infinitely often, it will not be continuously enabled. Thus, a run in which only process is scheduled is weakly fair, and a non-progress cycle exists. We argue that there doesn t exists a strongly fair non-progress cycle in the given model. ssuming strong fairness, the only situation in which a non-progress cycle exists is if the x == 3 condition of process evaluates to true only a finite number of time. This means that process has to be scheduled infinitely often. However, as process must alternate between the two branches of its main loop, x will indeed evaluate to 3 infinitely often contradicting our assumption. Hence, x will be equal to 3 infinitely often, and the progress statement in process will be executed infinitely often because of the fairness assumption. The claim follows. C We observe that in this model, much like in the previous one, both weak and strong fairness assumptions imply that process is scheduled infinitely often, and hence that the values of x alternate infinitely often between 2 and 3. We observe what happens in process. s the values of x alternate, both statements in process are infinitely often enabled, but never continuously; when x == 3 the first is enabled and the other isn t, and when x == 2 it s the other way around. Hence, when only weak fairness is assumed, a non-progress cycles exists a cycle in which only process is scheduled. However, when strong fairness is assumed, it suffices that the statements in process are enabled infinitely often to guarantee that they are infinitely often executed. Hence, no strongly fair non-progress cycles exist. 1

2 Question 2 We begin by observing the given property. trace satisfies property P if and only if a b holds infinitely often. Looking at the transition system, we note that there are two states in which this holds: state s 2 and state s 4. Thus, we deduce that the trace of a run will satisfy P if and only if the run visits either state s 2 or state s 4 an infinite number of times. Particularly, as runs can loop indefinitely in other states, say s 3, we get that T S P. In the subsequent sections, we will examine whether the fairness assumptions minimize the set of valid runs to include only those that satisfy P. We prove that T S F1 P. Observe the run ρ = s 0 s2 δ s3 s3 s3..., a run that only visits state s 3 after its third position. This run is F 1 -fair, as action is selected an infinite number of times. However, trace(ρ) / P, as neither state s 2 nor state s 4 is visited an infinite number of times. The claim follows. We prove that T S F2 P. Let ρ be an F 2 -fair run. y the unconditional part of F 2, it follows that ρ has an infinite number of transitions labeled. There are only 3 such transitions in the transition system s 0 s2, s 3 s3 and s 4 s4. Hence, at least one of them has to appear infinitely often in ρ. We look at each of the cases: 1. Transition s 0 s2 appears infinitely often. In this case, it immediately follows that ρ visits s 2 infinitely often, and hence satisfies P. 2. Transition s 4 s4 appears infinitely often. In this case, ρ visits s 4 infinitely often, and hence satisfies P. 3. Transition s 3 s3 appears infinitely often. In this case, ρ visits s 3 infinitely often. Observe state s 3 : this state only has two outgoing edges, one a self loop and the other leading to s 4. s soon as the run leaves s 3 to state s 4, it can no longer reach s 3 again. Hence, if ρ visits s 3 infinitely often, it has an infinite loop that includes only state s 3. η However, by the strong fairness part of F 2, this cannot happen. The edge s 3 s4 is labeled with η, and so ρ will have to traverse this edge eventually, contradicting the infinite loop in s 3. Hence this case cannot happen. s only cases (1) and (2) can occur, and both satisfy P, we conclude that any F 2 -fair run has to visit states s 2 or s 4 infinitely often, and hence T S F2 P, as needed. C We prove that T S F3 P. Observe the run ρ = s 0 α s1 α s1 α s1 α s1..., a run that only visits state s 1 starting from its second position. This run is F 3 -fair, as action α is selected an infinite number of times. However, trace(ρ) / P, as neither state s 2 nor state s 4 is visited an infinite number of times. The claim follows. D We prove that T S F4 P. Let ρ be an F 4 -fair run, and suppose towards contradiction that trace(ρ) / P. This implies that ρ visits neither state s 2 nor state s 4 infinitely often. s ρ is 2

3 infinite, it has to visit some state infinitely often; and by elimination, this has to be state s 0, s 1 or s State s 0 is visited infinitely often. s state s 0 has no self loops, and as we assume state s 2 is not visited infinitely often, it follows that state s 1 is also visited infinitely often. See next case. 2. State s 1 is visited infinitely often. ction η is enabled in state s 1. y the strong fairness assumption, it must also be selected infinitely often. There are only two edges labeled η in the transition system; one leads to state s 3 and one to state s 4. If either of them is traversed even once, the run cannot return to state s 1. Hence, this case cannot exist. 3. State s 3 is visited infinitely often. gain, action η is enabled infinitely often, and must be selected infinitely often. If the run has already reached state s 3, only one such η edge with action η is accessible: the edge s 3 s4. Hence, the run will eventually visit state s 4. Once there it can no longer return to state s 3, contradicting our assumption. Hence, this case also cannot exist. s all options lead to a contradiction, we have shown that no fair run can visit states s 0, s 1 or s 3 infinitely often while not visiting states s 2 and s 4 infinitely often. It follows that T S F4 P, as needed. E,F We show that T S F4 P = T S F5 P. Combined with section D, this answers both sections at once. Observe assumptions F 4 and F 5. ssumption F 5 contains the same strong fairness assumptions as F 4, and contains additional, weak fairness assumptions. dding fairness assumptions serves to decrease the number of fair runs; in other words, FairTraces F5 (T S) FairTraces F4 (T S) Now, if we assume that T S F4 P, then FairTraces F4 (T S) P. Hence, also FairTraces F5 (T S) P, and T S F5 P. From the above, it immediately follows that T S F5 P, and that no P as described in the question exists. Question 3 We will prove that one property that satisfies the requirements is: F min = (, {{γ, δ}}, ) To prove that this is correct, we will prove the following claim: for any run ρ of T S, run ρ is F min -fair if and only if trace(ρ) P. From this it will follow that (1) T S Fmin P, as all fair runs satisfy P, and that (2) F min is minimal, as any fairness assumption that does not eliminate at least the same runs as F min would include runs that violate P. The claim s proof follows. 3

4 Direction 1: Runs satisfying P are fair Suppose, towards contradiction, that there exists a run ρ that satisfies P, but that ρ is unfair. This means that ρ has an infinite suffix σ in which an edge labeled γ or δ is infinitely often enabled, but no edges labeled γ or δ are traversed. Looking at the graph, this situation is only possible if σ only visits states s 1 and s 2, without ever traversing the edges to states s 3, s 4 or s 5. However, as L(s 1 ) = L(s 2 ) =, this contradicts the fact that trace(ρ) P. We ve reached a contradiction, and hence every run that satisfies P is also F min -fair. Direction 2: Fair runs satisfy P Let ρ be a F min -fair run of T S. Run ρ would violate P if and only if it has a suffix that only visits states s 1 and s 2, which are the only states labeled neither p nor q. The only way to do this α, α is for this suffix to traverse the cycle s 1 s 2 s1 indefinitely. However, this means transitions labeled γ and δ would be infinitely often accessible, and their corresponding transitions would eventually have to be traversed, breaking the cycle. Hence, no such suffix exists. It follows that ρ has to visit states other than s 1 and s 2 infinitely often. Thus, trace(ρ) P, as needed. Question 4 We prove that there exist liveness properties P and P for which P P is not a liveness property. Let P = {a}. Let P be the liveness property eventually, always a, and let P be the liveness property eventually, always a. s any finite prefix can be extended into a word in P or a word in P, both these properties are indeed liveness properties. y definition, P P =. Hence, the finite prefix {a} cannot be extended into a word in P P. Thus, P P is not a liveness property, disproving the claim. We prove that for liveness properties P and P, the property P P is also a liveness property. P P is a liveness property if and only if every finite prefix ρ (2 P ) can be extended into a word in P P. s P is a liveness property, ρ can be extended into a word ρ P. s ρ P P, it follows that ρ can be extended into a word in P P, proving the claim. Question 5 We prove that for any LTL properties P 1 and P 2, it holds that closure(p 1 P 2 ) = closure(p 1 ) closure(p 2 ) Direction 1: closure(p 1 P 2 ) closure(p 1 ) closure(p 2 ) Let ρ closure(p 1 P 2 ). s pref(p 1 P 2 ) = pref(p 1 ) pref(p 2 ), every finite prefix of ρ is in pref(p 1 ) or in pref(p 2 ) or in both. s ρ has infinitely many finite prefixes, either pref(p 1 ) or pref(p 2 ) (or both) contain an infinite number of such prefixes. Without loss of generality, suppose that pref(ρ) pref(p 1 ) =. We next show that this implies that pref(ρ) pref(p 1 ). 4

5 Suppose, towards contradiction, that there exists a σ pref(ρ) such that σ / pref(p 1 ), and suppose that σ is of length k, i.e. σ = k. s pref(ρ) pref(p 1 ) =, there is another prefix, σ pref(ρ), such that σ pref(p 1 ) and σ > σ. However, for any word for which σ is a prefix, σ is also a prefix. Hence, σ pref(p 1 ), which is a contradiction. It follows that indeed, pref(ρ) pref(p 1 ). We ve shown that for every ρ closure(p 1 P 2 ), it holds that pref(ρ) pref(p 1 ) or pref(ρ) pref(p 2 ). Hence, ρ closure(p 1 ) closure(p 2 ). The claim follows. Direction 2: closure(p 1 ) closure(p 2 ) closure(p 1 P 2 ) Let ρ closure(p 1 ) closure(p 2 ). Without loss of generality, suppose that ρ closure(p 1 ). This implies that any finite prefix of ρ is in P 1, and hence also in P 1 P 2. It follows that ρ closure(p 1 P 2 ), and closure(p 1 ) closure(p 2 ) closure(p 1 P 2 ), as needed. We prove that there exist LTL properties P 1 and P 2 for which closure(p 1 P 2 ) closure(p 1 ) closure(p 2 ) Let P = {a}. Let P 1 be the liveness property eventually, always a, and let P 2 be the liveness property eventually, always a. s with any liveness property, any finite prefix can be extended into a word in P 1 or P 2, and hence: closure(p 1 ) = closure(p 2 ) = (2 P ) ω However, by definition P 1 P 2 =, and hence closure(p 1 P 2 ) =. Thus, closure(p 1 P 2 ) closure(p 1 ) closure(p 2 ), disproving the claim. Question 6 We will prove the three parts of the guidelines. The theorem will then follow by setting P safe = closure(p ) and P live = P ( (2 P ) ω \ closure(p ) ). We will prove that closure(p ) is a safety property. egin by observing that for any LTL property P, it holds that P closure(p ). This follows from the definition of a closure: for any σ P, any finite prefix of σ can be extended into an infinite word in P namely, into σ and so σ closure(p ). We use this fact in proving the following claim: Claim 1. Let P be an LTL property. Then pref(closure(p )) = pref(p ). Proof. s P closure(p ), we use set manipulation and write pref(closure(p )) = pref(p ) pref(closure(p ) \ P ) nd so, by showing that pref(closure(p ) \ P ) pref(p ) the claim will be proven. Observe some fixed ρ pref(closure(p ) \ P ). Clearly, ρ pref(closure(p )). Thus, there exists some (infinite) word σ closure(p ) such that ρ is a prefix of σ. y definition of a closure, σ closure(p ) implies that pref(σ) pref(p ). Hence, ρ pref(p ). This is true for any ρ pref(closure(p ) \ P ), and so we get that pref(closure(p ) \ P ) pref(p ). The claim follows. 5

6 We now turn to the main claim of this section. Recall that closure(p ) is a safety property if and only if every bad word σ (2 P ) ω \closure(p ) has a finite prefix ρ that cannot be extended into a word in closure(p ). Differently put, closure(p ) is a safety property if and only if the following condition holds: σ closure(p ) pref(σ) pref(closure(p )) Next, we prove both directions of this condition. Direction 1: ssume that σ closure(p ). This means that every finite prefix of σ is in pref(p ), i.e. pref(σ) pref(p ). y claim 1, this means that pref(σ) pref(closure(p )). Direction 2: ssume that pref(σ) pref(closure(p )). y claim 1, pref(σ) pref(p ). y definition of a closure, σ closure(p ). It follows that closure(p ) is indeed a safety property, as needed. We will show that P = P ( (2 P ) ω \ closure(p ) ) is a liveness property. y definition, this is equivalent to showing that pref(p ) = (2 P ). s it clearly holds that pref(p ) (2 P ), all that remains to show is that for every ρ (2 P ), it holds that ρ pref(p ). Observe some fixed ρ (2 P ). If ρ pref(p ), then ρ can be extended into a word in P (which is also in P ) and we re done. Suppose, then, that ρ / pref(p ), i.e. that ρ cannot be extended into a word in P. We extend ρ into some arbitrary infinite word σ; by the above, σ / P. Further, σ / closure(p ), because it has a prefix, ρ, that is not in pref(p ). Hence, σ ( (2 P ) ω \ closure(p ) ). This implies that ρ pref ( (2 P ) ω \ closure(p ) ) pref(p ). The claim follows. C We ve previously shown that for any LTL property P, it holds that P closure(p ). From this it follows that P = closure(p ) P. Using basic set theory, we also know that closure(p ) ( (2 P ) ω \ closure(p ) ) =. Putting the two equalities together we get that: s needed. P = P closure(p ) = (P closure(p )) = (P closure(p )) ( closure(p ) ( (2 P ) ω \ closure(p ) )) = closure(p ) ( P ( (2 P ) ω \ closure(p ) )) 6