Tech Report NWU-EECS-06-20
-
Upload
eecsnorthwesternedu -
Category
Documents
-
view
220 -
download
0
Transcript of Tech Report NWU-EECS-06-20
-
8/6/2019 Tech Report NWU-EECS-06-20
1/45
Electrical Engineering and Computer Science Department
Technical Report
NWU-EECS-06-20
2/21/2007
Abstraction Techniques for Model-Checking Parameterized Systems
N. Liveris; H. Zhou; R. Dick; Y. Chen; P. Banerjee
Abstract
In this paper we present a new abstraction technique that enables the usage of model
checking for the verification of parameterized systems. The technique targets
asynchronous systems. Compared to previous approaches the application of the proposedtechnique imposes fewer restrictions on the correctness property. Moreover, it can be
applied to a class of parameterized systems for which other abstraction methods may not
work. We demonstrate the effectiveness of the abstraction technique by applying it on a
self-stabilizing spanning tree construction algorithm.
Sponsors: NSF, Motorola
Keywords: program abstraction, verification, parameterized systems
-
8/6/2019 Tech Report NWU-EECS-06-20
2/45
Abstraction Techniques for Model-Checking
Parameterized Systems
N. Liveris, H. Zhou, R. Dick, Y. Chen, and P. Banejee
EECS Department, Northwestern University, Evanston IL 60208
College of Engineering, University of Illinois, Chicago IL 60607
Abstract. In this paper we present a new abstraction technique that enables the
usage of model checking for the verification of parameterized systems. The tech-
nique targets asynchronous systems. Compared to previous approaches the ap-
plication of the proposed technique imposes fewer restrictions on the correctness
property. Moreover, it can be applied to a class of parameterized systems for
which other abstraction methods may not work. We demonstrate the effective-
ness of the abstraction technique by applying it on a self-stabilizing spanning tree
construction algorithm.
1 Introduction
This paper describes a new abstraction technique for enabling the use of automatic
verification tools to check the correctness of parameterized systems.
There are two kinds of methods that are used for the verification of asynchronous
systems: deductive verification and model checking. Deductive verification is an in-
teractive verification method. The user is required to provide properties that facilitate
the proof by the tool. Model checking is an automatic method. However, it is efficient
only when applied to relatively small finite state space systems. Therefore, abstraction
is used to transform infinite or large state space systems to smaller finite state spacesystems, thereby enabling the use of model checking for their verification [9]. In this
paper we present an abstraction technique that enables the use of model checking for
the verification of asynchronous parameterized systems.
A parameterized system is built by the parallel composition of
processes, where
can be any natural number greater than a minimum value. Model checking can be
used for the verification of instances of a parameterized system with few processes, i.e.,
small
. Ideally we would like to prove the correctness of a parameterized system for
any number of processes. However, the number of those systems is infinite when there
is no upper bound for
. Moreover, even if an upper bound exists, verification may be
intractable for large
because the number of states increases exponentially with the
number of components in the system. There are two ways to overcome this difficulty:
one is to use control abstraction [12, 9], and the other is to use the methods of invisible
ranking [17, 2, 7].The idea behind control abstraction is to abstract away an arbitrary number of sym-
metric processes by using a network invariant . Then the correctness property can be
proved for the abstract system, which is composed of a finite number of processes and
the network invariant [9]. A difficulty with this approach is that the network invariant
-
8/6/2019 Tech Report NWU-EECS-06-20
3/45
needs to have the same set of observable variables as the system of symmetric processes
abstracted by it. Therefore, if each of the
processes has one observable variable and
we use a network invariant for these processes, the network invariant needs to have
observable variables. This problem has restricted the application of control abstrac-
tion to specific classes of distributed algorithms. Control abstraction has successfully
been applied on ring topologies of processes [11], in which every process has only two
neighbors and, therefore, the number of input/output variables for each process is inde-
pendent of
. It has also been successfully applied on systems for which the number
of shared variables does not increase with the number of processes. An example is a
mutual exclusion algorithm, in which all processes share only one semaphore [9].
An alternative approach is the method of invisible invariants [17]. The method can
be used to bound the number of processes needed to prove a correctness property for a
class of parameterized systems. The approach can be used for the verification of safety
properties [2] and response liveness properties [7]. Response liveness properties are
properties of the form , i.e., for every state satisfying assertion there is
a future state satisfying assertion . The paper does not discuss how other livenessproperties can be checked using this method. Moreover, the method imposes a number
of restrictions on the structure of the next state relation and the initial condition of the
system. The method can be automated, so the user does not have to observe the invariant
being used. In our work we target general liveness properties. More specifically, the
correctness property we prove for the spanning tree algorithm is a persistence property
(
). This type of property can be used to describe the correctness of self-stabilizing
systems.
In this paper we present an abstraction technique that builds on the theory of con-
trol abstraction. We target structures of processes, for which the number of observable
variables is a parameter. These structures are very common. One example is proving
a property for a process that is connected in a graph of arbitrary topology. Then the
number of neighbors with which the process interacts is a parameter. For this type ofstructure we provide an abstraction that reduces the number of observable variables to
a small finite number. Then model checking is used to check the correctness property
on the abstract system. If the property holds for the abstract system, then it holds for
the parameterized system for any valid value of the parameter. The proposed technique
can be used for checking general temporal properties. Moreover, it can be applied to a
class of parameterized systems for which other methods may not work.
The method is sufficient to prove that the correctness property is valid for the param-
eterized system. However, like control abstraction and invisible ranking, the proposed
method is incomplete. If a behavior of the abstract system does not satisfy the correct-
ness property, no conclusion can be drawn for the parameterized system. Additionally,
a number of restrictions must hold for the parameterized system to guarantee the sound-
ness of our approach. Most of these restrictions concern the atomicity of the actions ofthe parameterized systems.
In Section 2 we survey related work in this field and indicate our contributions.
Section 3 describes the systems we consider. Section 4 gives an overview of the pro-
posed technique. We demonstrate the application of the technique to a Spanning-Tree
-
8/6/2019 Tech Report NWU-EECS-06-20
4/45
construction algorithm in Section 5. The soundness of the technique is proved in the
appendix.
2 Related work
Instead of control abstraction, the method of invisible invariants can be used for the
verification of parameterized systems [17]. Arons et al. [2] present the method for the
verification of safety properties. Later the work was extended to include verification of
response liveness properties [7]. The authors describe a method to bound the number
of processes needed to prove a correctness property for a parameterized system. How-
ever, their method is applicable to a restricted class of distributed algorithms. One of
the restrictions is that a variable
taking values in 1
, can appear in two kinds of
expressions: and " " % ' 0 . These expressions can only appear in a formula that
compares expressions of the same type. This means that the only operators that can be
applied to are indexing ' 0 and relational operators 3 4 63 4 8 4 @ 4 B 4 C . When operatorsD E
1 and FE
1 are included, the size of the abstract system increases significantly. Only
response liveness property are discussed in that work. Our approach can be applied to
other temporal properties, for example persistence.
Other works on the abstraction of parameterized systems can only be applied to
high-atomicity distributed algorithms [5, 18,4, 6], in which a process can read the values
of all its
neighbors in one atomic step. Since this assumption may not be realistic for
large
, in our work we target low atomicity distributed algorithms.
Kurshan and McMillan presented a structural induction theorem for processes [12]
defining sufficient properties for the network invariants. The method was applied on
two examples; in the first the processes formed a complete graph and in the second
a ring. However, for the case of the complete graph the authors consider the observ-
able behavior as the sequence of actions taken. More specifically, in that example it is
the sequence of messages sent between the system and its environment. Therefore, theproblem we deal with in this paper was not discussed.
Kesten and Pnueli define a sound data abstraction method [10]. Their method is
useful for reducing the range of the data variables of the system. The user needs to
invent the abstraction function and in some case the progress monitor for a specific
system. Their method can be used as a preprocessing step to replace variables ranging
over parameterized or infinite domains to abstract variables, which range over finite
sets. Then our technique provides the user with an abstraction function to reduce the
number of variables in the system.
Other works discuss only safety properties for the verification of parameterized sys-
tems [8].
The abstraction technique presented in this paper is similar to temporal case split-
ting [15, 16] in that it reduces a vector of unbounded size to a vector with a fixed small
number of elements. With temporal case splitting the proof is decomposed to a largenumber of proof subgoals, which become a fixed number of problems using symme-
try properties. Our technique includes the abstraction of the fairness conditions of the
concrete system, especially on actions accessing or modifying the elements of the ab-
stracted vector. Moreover, we define fairness conditions for the abstract system based
-
8/6/2019 Tech Report NWU-EECS-06-20
5/45
on the existence of constant values stored in the vector. As we will show, these fairness
conditions are necessary, e.g., to prove the correctness of a spanning tree algorithm.
Additionally, constant values of the index type do not increase the size of the abstract
system in our approach.
3 Systems we consider - Notation
In this section we describe the types of systems we consider.
We deal with the verification of closed parameterized systems. A closed parameter-
ized system can be defined as
T
3 I 1
Q I 2
Q Q I
W
In the above formula I 1 4 I 2 4 4 I
are identical processes up to renaming. The
operatorQ
denotes parallel asynchronous composition and W
restriction. Both opera-
tors are defined in the literature [9]. In the above definition of the parameterized system
it is assumed that each processI Y
, forY `
1
, is independent of the number
ofprocesses in the system. For example, the
processes may be used to specify a mutual
exclusion algorithm with only one shared variable for the whole system [9]. However,
there are cases in which the number of observable variables of each process depends on
. In those cases, the definition of the system can be written as
Q
3 I 1
4
Q I 2
4
Q Q I
4
W(1)
While I Y 4
and I h 4
with Y 63 h differ only in their id values, I Y 4
and
I Y 4 s with
63 shave a different number of observable variables.
We are interested in proving the correctness of a parameterized systems described
by (1).
In this paper we follow a similar notation that is used by Abadi and Lamport [1] for
describing systems. Each system, which can be composed of one or more processes, is
represented by its specification u 3 w 4 y 4 N4 . is the state space of the specifica-tion, y is the set of initial states, N is the next state relation, and is thesupplementary property defined over . The state machine w 4 y 4 N defines the ma-chine property of u . For all systems we consider, u is machine closed and specifies
a liveness property. The definition of machine closure can be found in the literature [1,
13].
The next state relation is defined using a set of atomic actions
. Each action has aprecondition (or enable condition) prec
, which is a state function, and an effect part
eff
, which describes the values of the variables in the next state
, as a function of
the current state . Therefore, can be described as the conjunction of its preconditionand its effect1
1 Actions also contain conjucts of the form
for each variable
that must re-
main unchanged. Therefore, the effect of an action may be considered as the conjunct of
unch
. In the last formula
is a boolean combination of predicates of the form
, and unch is the conjunction of predicates of the form . We say that an
action reads a variable , when appears in a predicate in . An action mod-
ifies or writes a variable , when there is a predicate in and .
This classification is based on the syntax and can be performed by static analysis.
-
8/6/2019 Tech Report NWU-EECS-06-20
6/45
3 k prec
keff
A state pairw 4 `
N, if and only if there exists `
, such that prec
is truefor and the pair of states w 4 satisfies eff . Then the triple 4 4 is called atransition of the system. We assume there is a stuttering step ` and for all states
` , w 4 belongs to N.The liveness property
is a restriction imposed on the infinite behaviors of the
system. It can include the conjunction of strong and weak fairness properties specified
on some of the actions. We use W and S to represent the sets of actions with weak andstrong fairness properties respectively. The sets W and S are disjoint and subsets of
. Then
W k S . The weak and strong fairness properties are
defined as
3 prec
weff
3 prec w eff
The expression w eff evaluates to true when action is executed and the systemsstate changes. Therefore, for a pair of states
w 4
w 4
z3 weff
{ w 4 z3 eff k 63
For a more detailed description of weak (
) and strong (
) fairness properties, the
reader should refer to the literature [13].
Moreover,
can include justice and compassion requirements on sets of states. Jus-
tice requirements have the form and compassion requirements can be represented
as ~
, where
,~
, and
are atomic predicates which specify sets of states [9].
In this paper we assume that 4 ~ 4 are not specified on the shared variables of the sys-
tem, which are going to be abstracted, i.e., the variables in SV
(see Section 4 for the
definition of this set).A sequence of states, with ` , is a behavior of u if satisfies the specification
u . More specifically, it must hold that 4 0 ` y , Y B 0 : w 4 Y 4 4 Y 1 ` N, and
z3 , where
4 Y is the
Yth state in sequence .
We use this operator z3 to denote that an assertion is valid for a state or a set of states.
We extend its usage to temporal properties and sequences or sets of sequences. When
a specification is used at the LHS and a temporal formula at the RHS, the temporal
formula is valid for all behaviors of the specification.
For a state 3 4 Y ` y , where ` and Y ` y , we call the -part of the
state or -part of the state. The -part of the state includes only the variables in and
their values.
The operator denotes projection. For a state 3 4 Y , it holds 3 and
3 Y . That means is the projection of on the -part of the state and
is the projection of on the part of the state that is not included in . We usethe projection operator on sets of states as well.
Another operator that is commonly used is the property operator P. Operator P isdefined on a temporal property , which could be a system specification, and denotesall behaviors that satisfy .
-
8/6/2019 Tech Report NWU-EECS-06-20
7/45
Some variables of the system are local to a specific process, while others are observ-
able to all processes. We call the observable variables shared variables. We consider
vectors of shared variables of the form
sv1 ` ' 1
FS1 0
sv2 ` ' 1
FS2 0
sv ` ' 1
FS 0
where FS is a finite set for all Y in 1 . For simplicity, we restrict our discussions to
systems with only one parameter
and only one vector of shared variables sv. Then
the system state space can be represented as 3 ' 1
FS 0 , where isthe state space without the sv vector. In the rest of the paper we refer to each sv ' h 0 with
h ` 1
as a shared variable.
Besides vectors of shared variables, the system can have a finite set of variables that
are observable to all processes. The cardinality of the set must be independent of
. Weconsider these variables as part of and we restrict the usage of the term shared
variable only for an element of the vector sv.
If the effect of one action can be obtained from the effect of another action by replacing any appearance of one shared variable sv ' 0 with another shared variable
sv' h 0
, then eff
and eff
are called syntactically equivalent. For example, in Figure
1 only eff and eff are syntactically equivalent.
prec
r
svj
1
prec
r
svk
1
prec
p
svj
1
prec
r
svj
2
Fig. 1. Only the two leftmost actions have syntactically equivalent effects.
We now present our assumptions for the systems we consider. Then we elaborate
on the reasons for making these assumptions and their implications.
1. Although actions can read and modify a number of variables, they can eitherread or write at most one shared variable in each atomic step.
2. Each shared variable is a single-writer multi-reader variable. More specifically,
h `1
: sv ' h 0 can be written only by process h
3. The preconditions of the actions do not depend on the values of the shared variables.Therefore, reading or writing a shared variable can only be done by the effect part
of an action.
4. (a) There exist no action that reads only variables in and has the same effect
at some state as an action that reads a shared variable. More specifically, ifis an action that reads a shared variable and ` W S, then for any action that does not read a shared variable
w 4
`N :
w 4
6z3 weff
k weff
-
8/6/2019 Tech Report NWU-EECS-06-20
8/45
(b) There exist no action that modifies only variables in and has the sameeffect at some state as an action that writes a shared variable. More specifically,
if is an action that writes a shared variable and ` W S, then for any action that does not write a shared variable
w 4
` N : w 4 6z3 w eff k w eff
(c) Two actions that are not syntactically equivalent and access different shared
variables cannot have the same effect at some state , unless the shared vari-
ables accessed have the same value at . More formally, if and are two ac-tions of the system with eff 3 4 4 sv ' h 0 and eff 3 4 4 sv ' 0 ,then
w 4
`N : w 4 6z3 w eff k w eff k sv ' h 0 63 sv ' 0
We believe that the above constraints are common among many applications. Only
1 and 2 restrictions are needed when safety properties are checked. When liveness
conditions are checked, 3 and 4 restrictions must also hold. The restriction 3 hasbeen used in other works ([14],Chapter 9). Our intuition behind this restriction is that
reading a non-local variable should be an atomic action. The decision of a process
to execute an action should be based on local variables only. Note that processh
can
maintain a local copy ofsv ' h 0 and because of restriction2 the copy can be always equalto the value of the shared variable. The intuition behind 4 is that we cannot satisfy theliveness requirements of an action by simulating it with a completely different action.
However, syntactically equivalent actions are not restricted by 4. Most systems witha program counter for each process satisfy the 4 restriction. More specifically, if eachinstruction has a different successor, the effect of each action of one process is distinct.
Since the program counter is a local variable of each process, the effect of each action
cannot be simulated by an action of a different process.
The restrictions 1-4 do not need to hold for the fixed set of global variables in
. Therefore, we can have a fixed finite set of multi-writer variables.For the systems amenable to our technique the correctness property that we are
going to check is independent of the number of processes in the system. More specif-
ically, is expressed as a function of the local and shared variables of a finite set ofprocesses . The set is the same for all values
B
. For simplicity in this
paper we assume thatz z 3
1. This means that the correctness property is specified on
I 1
4
. Under symmetry conditions the property will hold
:I
4
, if it holds
forI
14
. Note that can be any LTL property that can be expressed using operators
and .
As noted before we are concerned with the verification of a closed parameterized
system. In such a system there is no interaction with the environment. The property
that we want to prove is described as a function of some variables of the system. These
variables represent the external part of the state. While all other variables belong to
the internal part of the state. The distinction of external and internal part of the state isdescribed in the literature [1].
In this section we presented the assumptions for the systems we consider and the
notation we use. In the next section we describe the proposed technique for the verifi-
cation of these systems.
-
8/6/2019 Tech Report NWU-EECS-06-20
9/45
4 The proposed technique
In this section we describe the proposed technique for the abstraction of parameterized
systems of the form of (1). We start by describing a verification framework in whichthis technique is useful (Section 4.1). Then we present in detail the abstraction of the
technique (Section 4.2). For simplicity, in this section we assume that z z 3 1 and that
there is only one parameter
and one shared variable sv with
elements. Because
z z 3 1, the number of shared variables in the abstract system is 2 ( 3 z z 1).
4.1 Overview of the approach
We wish to verify that property is valid for the closed parameterized system
Q
3 I 1
4
Q I 2
4
Q Q I
4
W
for all finite
B
, where
is the minimum number of processes in the
system.We assume that the system Q
and property satisfy all the assumptions de-scribed in Section 3. The property may be verified as follows:
1. The user provides a network invariant
[9], such that for any
I 2
4
Q Q I
4
and the number of local variables of
is finite and independent of
.
2. Following the steps of our technique as described in Section 4.2, the user obtains
the system u .
3. Model checking is used to automatically proveu z3
.
Then the user concludes that Q
z3 holds for all
B
.
In order for the third step to be successful,
and
I 1
4
should be finite-state
processes for any
. Note that for the modular abstraction relation of step 1 to be valid,
must have
observable variables.
In this paper we are dealing with the second step, which is described in the next
section.
4.2 Obtaining the abstract system
In this section we describe the technique to deriveu
fromu 3
Q I 1
4
W.
We denote the abstract system as u 3 w 4 y 4 N 4 and explain how each of thecomponents of the
ucan be obtained from the corresponding components of
u
3
w 4 y 4 N4 .
State space: The only change in the state space is that the shared variables sv ` ' 1
FS0 become sv ` ' 1 2 FS0 . Let be expressed as 3 sv ' 1
FS 0 , where
sv is the state space of all variables except sv. Then we can formally define as
3 sv ' 1 2 FS 0 . We denote sv the variable in ' 1 2 FS0 .
-
8/6/2019 Tech Report NWU-EECS-06-20
10/45
Next state relation: The next state relation N ofu
is defined by a new set of actionsA. We derive A from some newly defined actions and the u actions. Each action of u
is either an action of
or of I 1 4
. The actions of process
cannot modify
sv ' 1 0 because of the single-writer restriction (2). They can modify any of the
1
elements sv ' h 0 with h ` 2
. Let SV be the set of these elements, i.e.
SV
3 sv ' h 0 z h ` 2
On the other hand, the actions of processI
14
can access any of the elements of sv,
but can only modify sv ' 1 0 .
The following steps describe how we obtain A, which initially is an empty set.
T0 For each value in FS, we define and add to A an action of the form
v
3 k sv a 3 ' sva EXCEPT ! ' 2 0 3 v 0
k UNCHANGED w all other variables
The precondition of
is TRUE in all states and its effect is to change sv'
20
to anew value in FS. All other variables remain unchanged.
T1 For any action ` that does not access or write any of the variables in SV ,
`
A2.
T2 For any action `
that reads variable sv ' h 0 , with sv ' h 0 ` SV , we replace all
references to sv ' h 0 by sv ' 2 0 to obtain . Then we add to the set of actions A, i.e.
`
A.
T3 For any action `
that writes to variable sv' h 0
, with sv' h 0 `
SV , we replace all
references to sv ' h 0 by sv ' 2 0 to obtain . Then we add to A, i.e. ` A.
T4 For any action ` that reads an element sv ' 0 with ` 1
and ` ,
let eff 3 4 4 sv ' 0 . We define action as follows
3 kprec
k g e 3 1
kh
e
4e
4sva ' 1 0
k prec
kg
e
631
k h e 4 e 4 sva ' 2 0
Action is composed of two disjuncts, one for each possible value of
. The
first disjunct is the conjunction of prec , 3 1, and the effect expression of
action with every reference ofsv'1
0replaced by sv
'1
0. The second disjunct is the
conjunction of prec , 63 1, and the effect expression of action with every
reference to sv ' 1 0 replaced by sv ' 2 0 . The new action is added to A, i.e. ` A.
Note that there are no actions in that read more than one element of sv or read
and modify elements of sv because of restriction 1. Furthermore, if an action writesto a variable sv ' 0 , we can determine whether it is an action handled by rule T1 or
T3 based on the process performing the action because of restriction2. Consequently,any action in is handled by one of the 1
4 cases.
2 For simplicity for this and the following types of actions we do not describe the changes in the
unch
part. From now on we will use eff
to describe the
part of the action.
-
8/6/2019 Tech Report NWU-EECS-06-20
11/45
-
8/6/2019 Tech Report NWU-EECS-06-20
12/45
-
8/6/2019 Tech Report NWU-EECS-06-20
13/45
5.1 ST algorithm
In this algorithm each process executes the program displayed in appendix (Algorithm
1). The node with the greatest id, EQk, becomes the root of the tree. Eventually, everyother node
Ystores in its Root
' Y 0the id of the root. Moreover, eventually D
' Y 0holds
Ys
distance from the root and F' Y 0
its parent in the tree. NodeY
selects the parent node, so
that D' Y 0
is equal to the minimum distance, dist' Y 0
, from the root in the graph. Note that
dist' Y 0
is not a variable of the system.
For the spanning tree construction algorithm we want to prove the convergence
of any process with dist 3 after all its neighbors with dist 3
1 have converged
and some general properties on the graph hold. In order to do so, we assume process
I 1 4
is at distance from the root and has
1 neighbors. Out of the
1
neighbors at least one must be a neighbor at distance
1 from the root. Some of the
neighbors can have dist 3 or dist 3 1. There is no neighbor that can be at distance
less than
1 or more than
1. Otherwise,I
14
s distance would not be
, which
is a contradiction.
The property that we want to prove is
3
where H
3 k i ` 1 N : k dist ' i 0 3 l
1 k Root ' i 0 3 EQk
kD
' i 0 3 l
1
k dist ' i0 B l k Root ' i 0 3 EQk D ' i 0 B l
kRoot
' i 0 8 EQk
k j ` 2 N : lsv 3 sv ' j 0
and J
3 k Root ' 1 0 3 EQk
kD
'1
0 3 l
k F ' 1 0 ` j z j ` 2 N k dist ' j 0 3 l
1
Note here thatI
14
is not symmetric to all processes
I 2
4
4 4 I
4
.
However,I
14
cannot guess the dist values of the processes, so all processes are
identical up to renaming for I 1 4
. Moreover, I 1 4
is identical up to renaming to
all other process at distance from the root.
5.2 Data abstraction
In the variant of the ST algorithm, some of the variables range over parameterized or
infinite domains. These variables include
Root` '
1
0
D ` ' 1
0
0
F `
and variables used as local copies of their values (lRoot, lD, and lF).
We use data abstraction [10, 9] to reduce the state space of the system to a finite set,
which is independent of the number of processes in the system. More specifically, data
-
8/6/2019 Tech Report NWU-EECS-06-20
14/45
abstraction reduces the range of the above variables to a finite set. Even though the range
of the variables can be reduced, the number of the shared Root and D variables still
depends on
. Therefore, the abstraction technique presented in this paper is employed
as a next step to reduce the number of these variables to 2. Then we can use model
checking to verify the system.
Formally, the steps we followed to verify that the parameterized system Q
sat-
isfies property are
1. Abstracted the system and the property to Q
and in which all variablesrange over finite domains
2. Used the abstraction technique to transformQ
to u
The abstract property does not need to be abstracted in the second step because weassume it is expressed on variables not in SV
. If model checking proves that
u z3 ,
we conclude that Q
z3 because of Theorem 1. Moreover, because of resultspresented in the literature [10], Q
z3 Q
z3 .
The version of the algorithm after data abstraction can be seen in the appendix(Module Process - Algorithm 2). The variableRoot now ranges over the set
LTk,EQk
.
Model values LTk and EQk stand for less than root and equal to root, respectively.
Variable F is abstracted to
NotNeighborNode4NeighborLorMore
4NeighborLMinus1
41
.
Finally, all D values that are greater than are abstracted to DGTK model value. The
corresponding operators for the model values are defined using the principles of data
abstraction [10].
5.3 Theoretical preliminaries
The first task according to the overview of our approach (Section 4.1) is to build a
network invariant
for all processes other than I 1 . The following result can help
us simplify the construction of the network invariant.
Lemma 1. If every reachable state that satisfies is an initial state, then for any
Q
z3
if and only if
Q
z3
PROOF:We start with the direction
Q
z3 Q
z3
Suppose it holds Q
z3 and there is a behavior ofQ
for which
6z3 . Then
6z3
z3 k
z3 k z3 Consequently, there exists h ` such that the execution segment starting at state 4 h satisfies always and has infinitely many states. Since 4 h is also an initial state,there exists sequence with
4 Y 3
4 h Y 4 Y B0
-
8/6/2019 Tech Report NWU-EECS-06-20
15/45
-
8/6/2019 Tech Report NWU-EECS-06-20
16/45
and because of that
I 1
4
Q
W I 1
4
Q
W
The systemI
14
Q
can be seen in the appendix (Algorithm 2).
5.4 Application of the technique
We apply the proposed technique on the systemI
14
Q
and obtain the abstract
systemu
. The abstract system has 8000 states and TLC takes 2 minutes to prove the
property. The concrete system with
34 has 216800 states and TLC takes 40 minutes
to prove its correctness. In the appendix (Algorithm 3) the specification of the abstract
system in TLA+ is displayed. The variable SetOfLMinus1Neighbors, which was used
by the network invariant in the concrete system to leave the nodes at distance
1
unchanged, is removed using data abstraction.
6 Conclusions
In this paper we presented a new abstraction technique for the verification of parame-
terized systems using model checking. The technique imposes less restrictions on the
correctness property. We used the technique to prove a persistence temporal property
of a self-stabilizing spanning-tree construction algorithm. In the future we plan to work
on ways to automate the application of the abstraction technique and remove some of
the restrictions on the type of systems that this technique can be applied to.
References
1. ABADI, M., AND LAMPORT, L . The existence of refinement mappings. Theoretical Com-
puter Science 82, 2 (1991).
2. ARONS, T., PNUELI, A., RUAH, S., XU, J., AND ZUCK, L. D. Parameterized verification
with automatically computed inductive assertions. In CAV 01: Proceedings of the Inter-
national Conference on Computer Aided Verification (London, UK, 2001), Springer-Verlag,
pp. 221234.
3. ARORA, A., AND GOUDA, M. Distributed reset. IEEE Transactions on Computers 43, 9
(1994).
4. BAUKUS, K., LAKHNECH , Y., AND STAHL, K . Verification of parameterized protocols.
Journal of Universal Computer Science 7, 2 (2001), 141158.
5. CLARKE, E., TALUPUR , M., AND VEITH, H . Environment abstraction for parameterized
verification. In VMCAI 2006: Proceedings of the th International Conference on Verification,
Model Checking, and Abstract Interpretation (London, UK, 2006), Springer-Verlag, pp. 126
141.
6. EMERSON, E. A., AND KAHLON, V. Reducing model checking of the many to the few.
In CADE-17: Proceedings of the 17th International Conference on Automated Deduction
(London, UK, 2000), Springer-Verlag, pp. 236254.
7. FANG, Y., PITERMAN, N., PNUELI, A., AND ZUCK, L . Liveness with invisible ranking.
International Journal on Software Tools for Technology Transfer (STTT) 8, 3 (2006), 261
279.
-
8/6/2019 Tech Report NWU-EECS-06-20
17/45
8. JHALA, R., AND MCMILLAN, K. Array abstractions from proofs. In CAV 07, accepted for
publication (2007).
9. KESTEN, Y., AND PNUELI, A. Control and data abstraction: the cornerstones of practical
formal verification. International Journal on Software Tools for Technology Transfer (STTT)
2, 4 (2000).
10. KESTEN, Y., AND PNUELI, A. Verification by augmented finitary abstraction. Information
and Computation 163, 1 (2000), 203243.
11. KESTEN, Y., PNUELI, A., SHAHAR, E., AND ZUCK, L . D . Network invariants in action. In
CONCUR 02: Proceedings of the International Conference on Concurrency Theory (Lon-
don, UK, 2002), Springer-Verlag, pp. 101115.
12. KURSHAN, R. P., AND MCMILLAN, K. L. A structural induction theorem for processes.
Information and Computation 117, 1 (1995), 111.
13. LAMPORT, L. Specifying Systems: The TLA+ Language and Tools for Hardware and Soft-
ware Engineers. Addison-Wesley Professional, 2002.
14. LYNCH, N. Distributed Algorithms. Morgan Kaufmann Publishers, 1996.
15. MCMILLAN, K. L. Verification of an implementation of tomasulos algorithm by composi-
tional model checking. In CAV (1998), A. J. Hu and M. Y. Vardi, Eds., vol. 1427 of Lecture
Notes in Computer Science, Springer, pp. 110121.
16. MCMILLAN, K . L . A methodology for hardware verification using compositional model
checking. Science of Computer Programming 37, 13 (2000), 279309.
17. PNUELI, A., RUAH, S., AND ZUCK, L. D. Automatic deductive verification with invisible
invariants. In TACAS 2001: Proceedings of the 7th International Conference on Tools and
Algorithms for the Construction and Analysis of Systems (London, UK, 2001), Springer-
Verlag, pp. 8297.
18. PNUELI, A., XU, J., AND ZUCK, L. Liveness with (0,1,infinity)-counter abstraction. In CAV
02: Proceedings of the International Conference on Computer Aided Verification (London,
UK, 2002), Springer-Verlag, pp. 107122.
-
8/6/2019 Tech Report NWU-EECS-06-20
18/45
-
8/6/2019 Tech Report NWU-EECS-06-20
19/45
3 k prec
k 3 jk
eff
k 3
3 4 For any action that reads a variable sv ' 0 , with ` 1
and ` ,
let eff 3 4 4 ' 0 . We define action as follows
3 k prec k g e 3 1
kh
e
4e
4sv
'g
e
0
k 3
kprec
k 3 g e k
he
4e
4sv
'g
e
0
k 3 The new action is added to .
4 We define liveness condition built by the following algorithm:
(a)
3
TRUE
(b) For each action constructed from using any of the rules 3 1
3 4,
i. if`W, then
3
k prec eff k 63
ii. if ` S, then
3
k
prec eff k 63
where is the projection of state on .
(c) If is the conjunction of all justice and compassion requirements of u then
3
k
Note that by construction.
In order to prove thatu
andu
define the same externally visible property, we need to
prove conditions P1-P6, as Abadi and Lamport found [1]. For convenience, we repeat
the conditions P1-P6 as described in their paper
P1. for some set P2. (a) y
y
(b) For all 4 ` 1
y there exists 0 4 1 4 3 such that 4 0 ` y
and, for 0 8 Y @ , w 4 4 4 1 ` N
P3. Ifw 4
4 4
`
N
thenw 4 `
Nor 3
.P4. If w 4 ` N and 4 ` then there exist 4 0 4 4
1 4 3 such thatw 4 4 4 0 ` N
and, for 0 8 Y @ : w 4
4 4 1 ` N.
P5.
3 1
.
P6. For all ` the set 1
is finite and nonempty.
-
8/6/2019 Tech Report NWU-EECS-06-20
20/45
The set
1
is defined as the set of all states
3 4
for which 3 .
Lemma 2. Systems u and u
define the same externally visible property.
PRO OF S K ETCH: Using the wayu
was constructed (properties 0- 4), we prove
premises P1-P6. Based on Proposition 5 of Abadi and Lamports paper, the lemma is
implied from these premises.
PROOF:
1.1 implies P1
1.1. Because of1 it holds that
3
2
. If we substitute for 2
, the
following condition becomes true
3
2. 2 implies P2(a) and P2(b)PROOF SKETCH: We prove that
2 satisfies a much stronger property, i.e.,
y
3 1
y
This property is the same as P2 in Abadi and Lamports paper [1].
PROOF:
1
y 3 4
z ` y k 4
`
k 1
4
3
3 4 z ` y k ` k ` 2
3 y 2
3 y
3.3
0
3
4 imply P3
PROOF SKETCH: We prove P3 by doing a case based analysis of all actions in , us-
ing the properties 3 0
3 4. For each action ` we prove that all possible
transitions w 4 4 4 4 satisfy w 4 ` Nor 3 .3.1. CAS E: is constructed by rule
3
0, then
3
By definition of
(rule
3
0) for any 4
in
such thatw 4
4
4 4
is a transition ofu
, it holds that 3
. This is guaranteed by the second conjunct
of the definition.
3.2. CAS E: is constructed by rule3
1, then
w 4 `N
Let be an action constructedby rule 3 1. For any transition w 4 4 4 4 of system
u
we know that there is an action ofu
with the same precondition
and the same effect on the -part of the state. Therefore, is enabled at and canproduce
, when executed at
. This implies
w 4 `N.
3.3. CAS E: is constructed by rule 3 2, then w 4 ` NLet be an action constructedby rule 3 2. For any transition w 4 4 4 4 of system
u
we know that there is an action of system u such that
prec prec
eff eff
Therefore, is enabled at and can produce , when executed at . This impliesw 4 `
N.3.4. CAS E: is constructed by rule 3 3, then w 4 ` N
We can apply the same reasoning as in the Case 3.3.
3.5. CAS E: is constructed by rule3
4, then
w 4 `N
-
8/6/2019 Tech Report NWU-EECS-06-20
21/45
Let be an action constructedby rule3
4. For any transition
w 4
4
4 4
of systemu
we know that there is an action of systemu
such that
prec
k 3 1 k 4 4 sv ' 0 k 3
prec
k
3 k 4 4sv
' 0 k
3
1
E
prec k 4 4 sv ' 0
Since is expressed only on , we have
w 4
4
4
z3
w 4
z3
This impliesw 4 `
N.4. 3 0
3 4 imply P4PRO O F S K ETCH: We prove P4 by doing a case based analysis of all actions in
,
using the properties 3 0
3 4. For each w 4 ` N, we prove based on theaction that caused the transition
w 4
4 that there exist a sequence of actions in
that satisfy the premises of P4.
4.1. CAS E:
`
:1. w 4 4 is a transition of u 2. does not read or modify any element of SV
By rule 3 1 there exists action ` that is enabled at , for any value of, and can produce , if executed at . The value of remains unchanged by theexecution of. This implies w 4 4 4 belongs to N.
4.2. CAS E: ` :1.
w 4 4 is a transition of u 2. reads or modifies an element of SV
Let sv ' h 0 be the element read or modified, where h ` 2
. For each 4 `
there exists transition w 4 h 4 4 4 . The reason is that actions constructedby rule
3 0 are always enabled, so the action is enabled in . Therefore, it
holds w 4 h 4 4 ` N. Because of rules 3 2, 3 3 we know that there
exists action in
, whose precondition is the conjunction of the precondition of and
3 h. Therefore, this action is enabled in state
4 h . Moreover, its effect is
the effect of and it leaves unchanged. This implies thatw 4 h 4 4 h `
N.4.3. CAS E: ` :
1. w 4 4 is a transition of u
2. 3 prec k 4 4 sv ' 0 , where ` 1
In this case there exists action in
defined by rule3
4. Since
w 4 z3,
in state we have that 3 1 or ` 2
. If 3 1, then
w 4
z3
31
k 4
4sv
' 0 kprec
For every 4
`
, state 4
, with
3, is in and
w 4 4 4 z3 3 1 k 4 4 sv ' 0 k prec k 3 3 4
(3)
w 4 4 4 z3
If `
2
, then leth 3
withh `
2
. Then for all 4
`
, there isaction 0 created by rule 3 0 such that w 4 h 4 4 z3
0 . Then state 4 h
belongs to and satisfies 3 h
. Therefore,
w 4 h 4
4 h z3 3 h k
3 h kprec
k 4
4 sv ' 0 k 3
w 4 h 4
4 h z3
-
8/6/2019 Tech Report NWU-EECS-06-20
22/45
5.4 implies P5
PROOF SKETCH: The argument is based on the equivalence of
and
.
The property is expressed on variables in and is equivalent to . Therefore, forevery infinite behavior that satisfies , must satisfy . Moreover, for each
behavior satisfying , all corresponding behaviors produced by the machine of u
must satisfy .
6. P6 is valid by construction of the state space
For each
and each state , there are at most
1 values for , so at most
1
elements in the set 1
. Each state which is reachable for u has at least one
corresponding state 4 which is reachable for u
. Therefore, 1
is finite and
non-empty for each
.
The next lemma states that there exists a refinement mapping from the systemu
with the augmented prophecy variable to the abstract system constructed using rules
1
4. We represent the state
3 4
`
as 4
sv4
, where
is the part of the
state without the shared variable sv ( ` ). We consider 4 sv ' 1 0 the external partof the state, even though the external part of the state may be only a part of
4sv
'1
0 .
Extending to those cases should be straightforward. The shared variable is sv. In system
u
the shared variable ranges over ' 1
FS0 . The state of the abstract system can
be represented as 3 4 sv , where sv ` ' 1 2 FS 0 . The refinement mapping we
consider is the function
:
defined as
let
3 4 sv 4 in
` :
3 4 w sv ' 1 0 4 sv ' 0
By definition
preserves the external part and sets the first element of sv to sv'1
0and
the second to sv ' 0 , i.e.,
sv ' 1 0 3 sv ' 1 0
sv ' 2 0 3 sv ' 0
In order to prove that
is a refinement mapping, it is sufficient to show that
satisfies conditions 1
4 as shown in Abadi and Lamports paper [1]. We list the
1
4 conditions from that paper for the readers convenience.
R1. For all
` :
3
.
R2.
y
y .
R3. Ifw
4
`
N thenw
4
`N or
3
.
R4.
P
, where P is the property defined by
u
.
Lemma 3. Function is a refinement mapping from u to u
PROOF SKETCH: We prove the lemma by showing that
satisfies properties 1
4.
PROOF:
1. R1 is satisfied by the definition of
.
-
8/6/2019 Tech Report NWU-EECS-06-20
23/45
-
8/6/2019 Tech Report NWU-EECS-06-20
24/45
3.4. CAS E: Action is created by rule3
3. Then there exists an action created
by rule
3, such thatw
4
4
is a transition of
u.
PROOF: Action modifies element sv ' 0 . Moreover, because of the restriction1, it cannot read any sv variable. Therefore, the new value is a function of the state
. It must be independent of, since the effect of is the same as the effect ofbased on which was created. Based on and because of rule 3 is created.
Action has the same precondition and the same effect except that instead ofsv ' h 0 , sv ' 2 0 is modified. Therefore, is enabled in
. Moreover, for any value
that can assign to sv ' 0 as a function of , can assign that value to sv ' 2 0 asa function of . Changes to are the same for the two actions as they are taken
from . Consequently, w 4 w sv ' 1 0 4 sv ' 0 4 4 4 w sv ' 1 0 4 sv ' 0 3 w
4
4
is a transition ofu
.
3.5. CAS E: Action is created by rule 3 4. Then there exists an action createdby rule
4, such that
w
4
4
is a transition of
u.
PROOF: In order for to exist in , there must be an action ` , such that
3
prec
k 4 4
sv' 0
for a state function `
1
. Then there existsaction ` A defined by rule T4. For a state pair w 4 satisfying we have
w 4 z3
prec k 3 k 4 4 sv ' 1 0 k 3 1
3 k prec k 4 4 sv ' 0 k 3
w 4 z3 prec
k
3
k 4 4sv
'1
0 k 31
w 4 z3 3 k prec k 4 4 sv ' 0 k 3 1
w 4 z3 prec k 3 k 4 4 sv ' 1 0 k 3 1 k sv 3 sv
w 4 z3
k 3 k prec k 4 4 sv ' 0 k
3
k sv 3 sv k sv ' 0 3 sv ' 0
w 4 z3 prec k 4 4 sv ' 1 0 k 3 1 k sv ' 0 3 sv ' 0
w 4 z3
k 3
kprec
k 4 4 sv ' 0
k sv ' 0 3 sv ' 0 k sv ' 0 3 sv ' 0
w
4
z3 prec
k 4 4 sv ' 1 0 k 3 1 k sv ' 2 0 3 sv ' 2 0 w
4
z3 63 1 k prec k 4 4 sv ' 2 0 k sv ' 2 0 3 sv ' 2 0
w
4
z3
Therefore, w
4
4
is a transition of u .
4. R4 is satisfied by construction of .
PROOF:We prove that R4 holds by case analysis on the type of liveness conditions.
4.1. CAS E: If belongs toP u , then
satisfies all weak fairness conditionsof
.
PROOF:Suppose belongs to P u , but
violates the weak fairness con-dition of an action . We prove that this leads to contradiction. In order for to
belong toW, there must exist in
, such that `
W. Since
`
P u
, thebehavior must satisfy the weak fairness condition of,
z3
prec
weff
4.1.1. CAS E: Ifz3
prec
, then
z3 prec
.
-
8/6/2019 Tech Report NWU-EECS-06-20
25/45
PROOF:Because of rules T1-T3 and condition3, it holds that prec
prec
.
This condition holds for any T4 action as well, since in this case
prec
prec k 3 1 prec k 63 1 prec
Moreover, because of condition 3, the assertion prec is a function of onlythe part of the state. Since the two sequences and
agree on in each
state, for all Y with Y B 0
4 Y z3 prec
4 Y z3 prec
Consequently,
z3
prec
z3 prec
4.1.2. CAS E: If z3 w eff , then
z3 w eff .PROOF:For the proof we need to consider 4 cases, depending on the rule that
was used to generate from .4.1.2.1. CAS E: If was generated from by using rule T1,then z3 w eff
implies
z3 w eff .
PROOF:In this case eff
eff
by construction. Moreover, since eff
is a function of only the part of the behavior, for all Y B 0 it holds
4 Y 4 4 Y 1 z3 w eff
4 Y 4
4 Y 1 z3 w eff
Therefore,
z3 w
eff
z3 weff
4.1.2.2. CAS E: If was generated from by using rule T2,then z3 w eff implies
z3 weff
.
PROOF:Assume that accesses variable sv ' h 0 . It holds that
z3 w eff z3 w eff k 3 h z3 w eff k 63 h
We prove that either case implies
z3 weff
.
w 5 1. CAS E: z3 w eff k 3 h
z3 w eff .From rule T2 we know that
sv ' h 0 3 sv ' 2 0 eff eff (6)
In the states of in which 3 h , we have sv ' 0 3 sv ' h 0 . Moreover, foreach Y B 0, the value sv ' 0 in state 4 Y equals the value sv ' 2 0 of state
4 Y . Therefore, for every Y B 0, for any value ` FS:
4 Y z3
3 h ksv
' h 0 3
4 Y z3sv
'2
0 3
Then because of (6) and the fact that eff is a function only of andsv ' h 0 , it holds that
Y B 0 : 4 Y 4 4 Y 1 z3 w eff k 3 h
4 Y 4
4 Y 1
z3 weff
and because of that
z3 w eff k 3 h
z3 w eff
w 5 2. CAS E: 6z3 w eff k 3 h
z3 w eff .Since z3 w eff , there must be actions that simulate the effectof action infinitely often. Because of restriction 4a, these actions canonly be actions accessing one of the variables in SV . Because there is
-
8/6/2019 Tech Report NWU-EECS-06-20
26/45
a finite number of actions, there must exist action `
, which accesses
variable sv ' 0 , such that, z3 w eff k 3 k eff eff .
Then there must exist action in A. With the same reasoning as for casew 5 1, we can prove that
z3 w eff . Suppose eff 3 4 4 sv ' h 0
and eff 3 4 4 sv ' 0 are syntactically equivalent logic actions, theneff 3 4 4 sv ' 2 0 and eff 3 4 4 sv ' 2 0 . Therefore, eff
eff , which implies that
Y B 0 :
4 Y 4
4 Y 1 z3 w eff
4 Y 4
4 Y 1 z3 w eff
Consequently, if and are syntactically equivalent
z3 w
eff
k
63 h
z3 weff
What is left is the case in which and are not syntactically equivalent. Inthis case, because of restriction 4b, in order for eff
eff
to hold,
the value of the variable sv ' 0 accessed by must be equal to the value ofsv ' h 0 , in all pairs of states that satisfy eff eff . Because of that in
the corresponding states of
, sv ' 2 0 3 sv ' 0 3 sv ' h 0 . However, since sv ' h 0 3 sv ' 2 0 eff eff by construction of ,
Y B 0 : 4 Y 4 4 Y 1 z3 w eff k sv ' 0 3 sv ' h 0 k 3 k eff eff
4 Y 4
4 Y 1 z3 w eff
Consequently, in the case and are not syntactically equivalent
z3 w eff k 63 h
z3 w eff
Since in either case
z3 w eff holds, the proof is complete.4.1.2.3. CAS E: If was generated from by using rule T3,then
z3 weff
implies
z3 w eff .
PROOF:The proofis based again on two cases. The first isz3 w
eff
k
3 h
and the second z3 w eff k 63 h , where sv ' h 0 is the variable writ-
ten by action . We show that in both cases
z3 w eff .w 5 1. CAS E: z3 w eff k 3 h
z3 w eff .From rule T3 we know that
sv ' h 0 3 sv ' 2 0 k sv ' h 0 3 sv ' 2 0 eff eff (7)
In the states of in which 3 h , we have sv ' 0 3 sv ' h 0 and sv ' 0 3 sv ' h 0 .Moreover, for each Y B 0, the value sv ' 0 in state 4 Y equals the value
sv ' 2 0 of state
4 Y . Therefore, for every
Y B0, for any value
`FS:
4 Y z3 3 h k sv ' h 0 3
4 Y z3 sv ' 2 0 3 Then because of (7) and the fact that eff
is a function only of
and
sv ' h 0 , it holds that
Y B 0 : 4 Y 4 4 Y 1 z3 w eff k 3 h
4 Y 4
4 Y 1 z3 w eff
and because of that
z3 w eff k 3 h
z3 w eff
w 5 2. CAS E: 6z3 w eff k 3 h
z3 w eff .Since z3 w eff , there must be actions that simulate the effectof action infinitely often. Because of restriction 4a, these actions can
-
8/6/2019 Tech Report NWU-EECS-06-20
27/45
only be actions writing on one of the variables in SV . Because there is
a finite number of actions, there must exist action `
, which writes
variable sv ' 0 , such that, z3 w eff k 3 k eff eff .Then there must exist action in A. With the same reasoning as for case
w 5 1, we can prove that
z3 w eff . Note that if 3 h then thereis a contradiction, since we assumed that it cannot be the case that 3 h
infinitely often when w eff is satisfied by. Therefore, 63 h . However,that implies that z3 w eff k 3 k sv ' 0 3 sv ' 0 k sv ' h 0 3 sv ' h 0 k w eff .Otherwise, a change in sv ' 0 would not satisfy eff . Suppose eff 3
4 4 sv ' h 0 4 sv ' h 0 and eff 3 4 4 sv ' 0 4 sv ' 0 are syntactically equiv-alent actions, then eff
3 4 4 sv ' 2 0 4 sv ' 2 0 and eff 3 4 4 sv ' 2 0 4 sv ' 2 0 .Therefore, eff
eff
, which implies that
Y B0 :
4 Y 4
4 Y 1 z3 w eff
4 Y 4
4 Y 1 z3 w eff
Consequently, if and are syntactically equivalent
z3 w eff k 63 h
z3 w eff
What is left is the case in which and are not syntactically equiva-lent. In this case, because of restriction 4b, in order for eff
eff
to hold, the value of the variable sv ' 0 , which is equal to sv ' 0 , must
be equal to the value of sv ' h 0 , which is equal to sv ' h 0 , in all pairs of
states that satisfy eff eff . Because of that in the corresponding
states of
, sv
'2
0 3sv
' 0 3sv
' h 0and sv
'2
0 3sv
'2
0. However, since
sv ' h 0 3 sv ' 2 0 k sv ' h 0 3 sv ' 2 0 eff eff by construction of,
Y B0 :
4 Y 4 4 Y 1 z3 w eff k sv ' 0 3 sv ' h 0 k 3 k eff eff
4 Y 4
4 Y 1 z3 w eff
Consequently, in the case and are not syntactically equivalent
z3 w eff k 63 h
z3 w eff
The two results above complete the proof.
4.1.2.4. CAS E: If was generated from by using rule T4,then z3 w eff implies
z3 w eff .PROOF:Following the same reasoningas above we assume that z3 4 4 sv ' 0 .
Since the range of
is 1
, which is a finite set for all
, we have
z3 4 4 sv ' 1 0 h ` 2
: z3 4 4 sv ' h 0
In the case of z3 4 4 sv ' 1 0 , we have that for all Y B 0, 4 Y and
4 Y agree on e and sv ' 1 0 . Because of that
Y B 0 : w 4 Y 4 4 Y 1 z3 4 4 sv ' 1 0
w
4 Y 4
4 Y 1 z3 4 4 sv ' 1 0
Therefore, z3 4 4 sv ' 1 0
z3 4 4 sv ' 1 0
In case h ` 2
: z3 4 4 sv ' h 0 , we can split in two cases, i.e.,
3 h and 63 h , and follow the same reasoning as in step 4.1.2.2 to provethat
z3 4 4sv
'2
0 .
-
8/6/2019 Tech Report NWU-EECS-06-20
28/45
From all the above cases, it was shown that if z3 w
eff
, then
z3
weff
.
Since both cases, i.e., z3 prec and z3 w eff , lead to contra-diction, we conclude that
satisfies all weak fairness conditions of , when
belongs to P u .4.2. CAS E: If belongs to P u , then
satisfies all strong fairness condi-
tions of .
PROOF:This case will be proven similarly to step 4.1. More specifically, suppose
that there exists in P u and there exists in S, such that
is not satisfiedby
. We prove that this leads to a contradiction. In order for to belong toS, there must exist in S, such that z3
. Equivalently,
z3 prec w eff
z3
prec
z3 weff
For both cases we can prove that
z3 prec w eff
which is a contradiction.4.2.1. CAS E: If
z3 prec
, then
z3 prec
.
PROOF:Because of rules T1-T3, it holds that prec prec . Moreover,
because of condition 3, the assertion prec is a function of only the partof the state. Since the two sequences and
agree on in each state, for
all Y with Y B 0
4 Y z3 prec
4 Y z3 prec
Consequently,
z3 prec
z3 prec
4.2.2. CAS E: If z3 w eff , then
z3 w eff .PROOF:This is already proven in step 4.1.2.
Therefore, if
satisfies
, the sequence
satisfies
, which is acontradiction.
4.3. CAS E: If belongs to P u , then
satisfies all constant value fairnessconditions of
.
PROOF:In this case we need to prove that `
P u
implies that
`
C :
z3
. We prove this by contradiction. Assume that
`P
u
and
there exists ` C such that
6z3
. There are two cases; either belongsto W, or belongs to S.4.3.1. CAS E: ` W
z3
PROOF:Since is in P u , it must hold that z3
. Equivalently, it
holds that
z3 prec z3 w eff
We prove that each disjunct implies
z3
.
4.3.1.1. CAS E:
z3
prec
z3
PROOF:Since prec
is only a function of
:
Y B0 :
4 Y z3 prec
4 Y z3 prec
Therefore,
z3
prec
z3 prec
-
8/6/2019 Tech Report NWU-EECS-06-20
29/45
z3
4.3.1.2. CAS E: z3 w eff
z3
PROOF:
z3 w eff z3 4 4 sv ' 0
z3 4
4A
The condition 4 4
is specified only on the part of the state. There-
fore,
Y B 0 : 4 Y 4 4 Y 1 z3 4 4
4 Y 4
4 Y 1
z3 4
4
Consequently,
z3 4
4
z3 4
4
z3 4 4
This completes the proof for ` W.4.3.2. CAS E: ` S
z3
PROOF:Since is in P u , it must hold that z3
. Equivalently, itholds that
z3 prec z3 w eff For the first case we can follow a similar argument as for ` W, and for thesecond the argument is identical to the case ` W, to prove that
z3
.Therefore, we have a contradiction.
Since must be either in W or in S, the proof is completed.4.4. CAS E: If belongs to P
u
, then
satisfies all justice and compassion
requirements of
.
PROOF: Since for any justice requirement
, the assertion p is expressed only
on variables in and sv ' 1 0 , we have
Y B
0 :
4 Y z3
4 Y z3
z3
z3 The same result can be derived for any compassion requirement ~ ,
since~
and
are assertions expressed on and sv ' 1 0 . Therefore, z3
z3 Since belongs to P u , we have that z3 and, therefore,
satisfies
, which is the conjunction of all justice and compassion requirements of .
From Lemmas 2 and 3, Theorem 1 follows.
-
8/6/2019 Tech Report NWU-EECS-06-20
30/45
" $ %
) 1 3 5 6 1 8 9 A C 9 D E 1 H I H Q S U 9 C V D 1 V I S H Q X ` a ` b V I A e a g h b i E V 6 p H D 1 S U 3 q U 9 V 6 p H D 1 S U 3
S U V S 9 V x U 5 D H x 9 E E 9 9 x S 9 E 1 E E U H I q $ H D 9 H C 9 D V 5 V D S H Q S U 9 1 I 1 S 1 V 6 x H I A 1 S 1 H I E
V I A S U 9 Q V 1 D I 9 E E D 9 1 D 9 3 9 I S E Q H D S U 9 V x S 1 H I E H Q S U 9 5 D H x 9 E E 9 E V D 9 A 1 E 5 6 V 9 A q
a a
% j j k n o
%
% j j k n o
z { | } ~
{
~
D 9 5 D 9 E 9 I S E
a a
}
|
} |
-
8/6/2019 Tech Report NWU-EECS-06-20
31/45
}
|
}
|
-
8/6/2019 Tech Report NWU-EECS-06-20
32/45
" $ %
) 1 3 5 7 9 A 9 C E G 1 I Q S U V 9 3 7 E G W S C E 1 3 a S E S S c 5 E 3 S e E 7 9 A G S 5 c 1 1 A S p p U 7 1 a S A a c 1 C 9 3 1
E G 1 S p p U 7 e S E 7 9 A 9 C 9 u 3 E 1 e G A 7 v u 1
w x
k l m o l m k l m m k k l
z { | l } m m k m m m k l l
x m m m m m m k m
m l m
} l
k l l
l k } l
l } m
} l
k m m
} l
} l m l k } l m } l
l }
k m
k
l }
l }
l l l m
{
z
{
z
l l l l m
{
m
z
{
-
8/6/2019 Tech Report NWU-EECS-06-20
33/45
z
l o l m
{ m
m
{
z
l k o l m
l l l o m
{
{
z
k o l m
{
l } l }
{ l }
m
l
-
8/6/2019 Tech Report NWU-EECS-06-20
34/45
-
8/6/2019 Tech Report NWU-EECS-06-20
35/45
-
8/6/2019 Tech Report NWU-EECS-06-20
36/45
-
8/6/2019 Tech Report NWU-EECS-06-20
37/45
-
8/6/2019 Tech Report NWU-EECS-06-20
38/45
k m
k
E G 1 U 9 e S U e 9 p 7 1 5 7 U U 7 A 7 E 7 S U U G S 1 9 A 1 9 C E G 1 S U u 1 5 9 C E G 1 A 1 7 V G c 9 3 5
k m m l m
}
k
}
}
k l l
}
k
}
}
} k
} k
} m
}
}
k m
k m m l m
m l
} k
}
}
}
k
}
}
k
k
k
l l
k l
k
l
l m
k
l
k
9 E G 1 3 7 5 1 ! # $ & ) 0
k
k
l l
k l l
k
3
-
8/6/2019 Tech Report NWU-EECS-06-20
39/45
-
8/6/2019 Tech Report NWU-EECS-06-20
40/45
f } m V $ C $
m V $ C $
1 3
} d 4
4 f }
1 3
1 e
4
} d 4
5 B P s 8 E F S $ s r W s B C {
5 B V & B B $ E F S w C {
f }
w $
w $
1 3
4 f }
w $ 1 3
1 e
4
} d 4
W & H $ 8 w E w S F B C {
f }
w $
w $
1 3
} d 4
4
" B p B % & p % {
f } B % & p %
C S
1 3 P & " s % V F B
4 P & " s % V s % s % &
% s & % 8 ` s % & P s &
-
8/6/2019 Tech Report NWU-EECS-06-20
41/45
-
8/6/2019 Tech Report NWU-EECS-06-20
42/45
-
8/6/2019 Tech Report NWU-EECS-06-20
43/45
S w m
B p
l
B p )
y
1
l
S r s s 8 C S w
`
S `
3 y d 3
p % B
H 8 s
W s B F {
S `
F
5 B V & B B $ r W s B r s s 8
l
C S r s s 8 {
S w m
5 B E F S $ s r W s B r s s 8
l
C S r s s 8 {
w
l
w $
S w m
w
l
m
S w m
S w w
l
S w m C w $
B p
l
B p ) y 1
l
S r s s 8 C w $
S w m
B p
l
B p )
y
1
l
S r s s 8 C S w
`
S `
3
y
d 3
p % B
H 8 s
S r s s 8
B p
l
l
S w
B p
l
l
S `
" B p B p
l
{
3 y d 3
B 8 p % B
P & 8
H 8 s
H 8 s W s B
H 8 s
H 8 s W s B
F m P & " s % V F B C P & " s % V s % s % &
H 8 s
F {
F m P & " s % V F B C P & " s % V s % s % &
H 8 s
W s B F {
H 8 s
% s H & B B V % s % &
-
8/6/2019 Tech Report NWU-EECS-06-20
44/45
H 8 s
1 & p S F &
y 4 m S w $ { 1 e
f 3
B p
l
B p )
y
1
l
C & p S F &
3 y d 3
p % B C `
H 8 s
1 & p S F &
y
4 m
w $ { 1 e
f 3
B p
l
B p )
y
1
l
V $ C & p S F &
3 y d 3
p % B C `
P & 8
H 8 s
H 8 s
`
C S
V $ C m
w $ {
C m S w $ {
$
& H 8 s p {
B p
l
B p 0 ) y 1
l
p
3
y
d 3
p % B C `
{
f 3 4 1 d 3 y % s H & B B f 1
V % s % &
f 3 4 1 d 3 y % s H & B B V % s % &
5 8
B p m
l
V $ C
w $ {
p m r s s 8
l
p
{ w
l
p m S w $ {
S ` m P & " s % V s % s % & C P & " s % V F B
S r s s 8 m V $ C
S w m
w $
S r s s 8
S w m S w $ {
` m P s 8 P & " s % P s & C P & " s % V s % s % & C P & " s % V F B C
-
8/6/2019 Tech Report NWU-EECS-06-20
45/45
5 p % 8
p m r s s 8
l
p m V $ C
p m w
l
p m
w $ {
S r s s 8 m V $ C
S w m
w $
` m P s 8 P & " s % P s & C P & " s % V s % s % & C P & " s % V F B C
S ` m P & " s % V s % s % & C P & " s % V F B
p m r s s 8
l
p
{ w
l
p m S w $ {
P & 8
{ P & 8
V % s % & P & 8
` % & B B
{
H 8 s W s B {
{
H 8 s W s B {
F m P & " s % V F B C P & " s % V s % s % & {
H 8 s
W s B F { {
{
H 8 s
{
S r s s 8
S w
S S `
" B p
C S { {
`
P & " s % V s % s % & { { S `
P & " s % V s % s % & { {
& H
5 8
l
P & 8
` % & B B
W s % % & H 8 & B B
% s & % 8 ` s % & P s &