Finding Inductive Assertions

Temporal Verification of Reactive Systems: Safety

CS256/Winter 2007 — Lecture #8, Zohar Manna

8-1 Finding Inductive Assertions: Top-Down Approach

Assertion propagation. We have previously proven χ and we want to prove ϕ, but {χ ∧ ϕ} τ {ϕ} is not state-valid for some τ ∈ T. What is the problem? (Assume that ϕ is indeed an invariant.)

8-2 Top-Down Approach (Cont'd)

[Figure: the state space Σ, the ϕ-states, the (ϕ ∧ χ)-states and the P-accessible states, with a τ-transition leaving the ϕ-states from a state outside the P-accessible ones.]

Solution: take the largest set of states that will result in a ϕ-state when τ is taken. How?

8-3 Precondition of ϕ w.r.t. τ

pre(τ, ϕ) : ∀V'. ρ_τ → ϕ'

[Figure: a state s satisfying pre(τ, ϕ) and all of its τ-successors inside the ϕ-states.]

A state s satisfies pre(τ, ϕ) iff all τ-successors of s satisfy ϕ.

Note: s trivially satisfies pre(τ, ϕ) if it does not have any τ-successors (i.e., τ is not enabled in s).

8-4 Precondition of ϕ w.r.t. τ (Cont'd)

Example:
V : {x} integer
ρ_τ : x > 0 ∧ x' = x − 1
ϕ : x ≥ 2

pre(τ, ϕ) : ∀x'. (x > 0 ∧ x' = x − 1) → x' ≥ 2
            (the antecedent is ρ_τ, the consequent is ϕ')
          ≡ x > 0 → x − 1 ≥ 2
          ≡ x ≤ 0 ∨ x ≥ 3

[Figure: s_j ⊨ x ≤ 0 ∨ x ≥ 3, then τ is taken, then s_{j+1} ⊨ x ≥ 2.]

8-5 Properties of pre(τ, ϕ)

By the definition of pre(τ, ϕ), {χ ∧ ϕ ∧ pre(τ, ϕ)} τ {ϕ} is guaranteed to be state-valid.

[Figure: the ϕ-states, the (ϕ ∧ χ)-states and the P-accessible states; the τ-transition now starts inside pre(τ, ϕ) and stays inside ϕ.]

But we have to justify adding the conjunct pre(τ, ϕ) to the antecedent. This can be done in two ways:
1. Incremental: prove □pre(τ, ϕ)
2. Strengthening: prove □(ϕ ∧ pre(τ, ϕ))

8-6 Properties of pre(τ, ϕ) (Cont'd)

Claim: If ϕ is P-invariant then so is pre(τ, ϕ) for every τ ∈ T.

Proof: Suppose ϕ is P-invariant, but pre(τ, ϕ) is not P-invariant. Then there exists a P-accessible state s such that s ⊭ pre(τ, ϕ). But then, by the definition of pre(τ, ϕ), there exists a τ-successor s' of s such that s' ⊭ ϕ. Since s is P-accessible, s' is also P-accessible, contradicting that ϕ is a P-invariant.

8-7 Properties of pre(τ, ϕ) (Cont'd)

Definition: A transition τ is said to be self-disabling if for every state s, τ is disabled in all τ-successors of s.

Claim: For every assertion ϕ and self-disabling transition τ,
  {ϕ ∧ pre(τ, ϕ)} τ {ϕ ∧ pre(τ, ϕ)}
is state-valid.

Proof: Assume s ⊨ ϕ ∧ pre(τ, ϕ). Then by the definition of pre(τ, ϕ), for every τ-successor s' of s, s' ⊨ ϕ. Since τ is self-disabling, τ is disabled in all τ-successors s' of s, and so trivially s' ⊨ pre(τ, ϕ). Thus for all τ-successors s' of s, s' ⊨ ϕ ∧ pre(τ, ϕ).

8-8 Heuristic

If the verification condition {χ ∧ ϕ} τ {ϕ} is not state-valid: find pre(τ, ϕ) and then
• Strengthening approach: strengthen ϕ by adding the conjunct pre(τ, ϕ), and prove □(ϕ ∧ pre(τ, ϕ)); or
• Incremental approach: prove □pre(τ, ϕ) and add pre(τ, ϕ) to χ.
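The definitions on slides 8-3 to 8-8 become decidable by plain enumeration once the state space is restricted to a finite slice of the integers. The following Python program is an added example, not part of the lecture: it computes pre(τ, ϕ) for the slide 8-4 transition and checks it against the closed form x ≤ 0 ∨ x ≥ 3, checks state-validity of the verification conditions from slides 8-1 and 8-5, tests self-disabling and Claim 8-7, and iterates the strengthening heuristic of slide 8-8 to a fixed point. The finite domain, the "reset" transition, the assertion ψ and the "previously proven" χ are assumptions made here for illustration; only the decrement transition and ϕ : x ≥ 2 come from the slides.

```python
# Added example, not from the lecture: bounded-domain checks for the notions on
# slides 8-3 to 8-8. A state is the value of the single integer variable x, a
# transition maps a state to the set of its tau-successors (empty set: tau is
# disabled there) and an assertion is a predicate on states. The finite domain,
# the "reset" transition and the assertions chi and psi are assumptions made
# here so that every check is decidable by enumeration.
from typing import Callable, Iterable, Set

State = int
Assertion = Callable[[State], bool]
Transition = Callable[[State], Set[State]]

DOMAIN = range(-5, 11)          # assumed finite slice of the integers


def pre(tau: Transition, phi: Assertion) -> Assertion:
    """pre(tau, phi) (slide 8-3): s satisfies it iff every tau-successor of s
    satisfies phi; a state in which tau is disabled satisfies it trivially."""
    return lambda s: all(phi(t) for t in tau(s))


def conj(a: Assertion, b: Assertion) -> Assertion:
    return lambda s: a(s) and b(s)


def state_valid(ante: Assertion, tau: Transition, post: Assertion,
                domain: Iterable[State] = DOMAIN) -> bool:
    """{ante} tau {post} is state-valid: every tau-successor of every
    ante-state in the domain is a post-state."""
    return all(post(t) for s in domain if ante(s) for t in tau(s))


def self_disabling(tau: Transition, domain: Iterable[State] = DOMAIN) -> bool:
    """Slide 8-7: tau is disabled in every tau-successor of every state."""
    return all(not tau(t) for s in domain for t in tau(s))


def strengthen(tau: Transition, phi: Assertion,
               domain: Iterable[State] = DOMAIN, max_rounds: int = 50) -> Set[State]:
    """Strengthening heuristic of slide 8-8, iterated: phi_0 = phi and
    phi_{k+1} = phi_k and pre(tau, phi_k), until {phi_k} tau {phi_k} is
    state-valid. Returns the domain states satisfying the final phi_k."""
    cur = phi
    for _ in range(max_rounds):
        if state_valid(cur, tau, cur, domain):
            return {s for s in domain if cur(s)}
        cur = conj(cur, pre(tau, cur))
    raise RuntimeError("no inductive strengthening found within max_rounds")


# Slide 8-4 example: rho_tau : x > 0 and x' = x - 1 ;  phi : x >= 2
def decrement(x: State) -> Set[State]:
    return {x - 1} if x > 0 else set()

def phi(x: State) -> bool:
    return x >= 2

def slide_pre(x: State) -> bool:            # closed form derived on slide 8-4
    return x <= 0 or x >= 3

# Constructed for this example: a self-disabling transition and two assertions
def reset(x: State) -> Set[State]:          # x > 0 and x' = 0
    return {0} if x > 0 else set()

def chi(x: State) -> bool:                  # assumed previously proven invariant
    return x >= 3

def psi(x: State) -> bool:
    return x <= 3


def pre_matches_slide() -> bool:
    p = pre(decrement, phi)
    return all(p(x) == slide_pre(x) for x in DOMAIN)


def claim_8_7_holds(tau: Transition, a: Assertion) -> bool:
    """{a and pre(tau, a)} tau {a and pre(tau, a)} for a self-disabling tau."""
    strong = conj(a, pre(tau, a))
    return self_disabling(tau) and state_valid(strong, tau, strong)


if __name__ == "__main__":
    print("pre(tau, phi) == (x <= 0 or x >= 3):", pre_matches_slide())
    print("{phi} tau {phi} state-valid:", state_valid(phi, decrement, phi))
    print("{chi and phi} tau {phi} state-valid:",
          state_valid(conj(chi, phi), decrement, phi))
    print("{phi and pre} tau {phi} state-valid:",
          state_valid(conj(phi, pre(decrement, phi)), decrement, phi))
    print("decrement self-disabling:", self_disabling(decrement))
    print("reset self-disabling:", self_disabling(reset),
          "claim 8-7 for psi:", claim_8_7_holds(reset, psi))
    print("strengthening phi under decrement leaves:", strengthen(decrement, phi))
    print("strengthening psi under decrement leaves:", sorted(strengthen(decrement, psi)))
```

Two of the outcomes are worth reading carefully. Strengthening ϕ : x ≥ 2 under the decrement transition never stabilises at a non-empty assertion: each round turns x ≥ k into x ≥ k+1, and on the bounded domain the iteration ends at the empty set, which is inductive only vacuously. That is exactly the situation of slide 8-1: ϕ alone cannot be made inductive against τ, so the previously proven χ (here x ≥ 3) is what makes {χ ∧ ϕ} τ {ϕ} state-valid. By contrast ψ : x ≤ 3 is already inductive and the loop returns it unchanged.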