Finding Inductive Assertions

Temporal Verification of Reactive Systems: Safety



CS256/Winter 2007 — Lecture #8, Zohar Manna

8-1
Finding Inductive Assertions: Top-Down Approach

Assertion propagation: we have previously proven $\Box\chi$ and we want to prove $\Box\varphi$, but

$\{\chi \wedge \varphi\}\ \tau\ \{\varphi\}$

is not state-valid for some $\tau \in \mathcal{T}$. What is the problem? (assuming that $\varphi$ is indeed an invariant)

8-2
Top-Down Approach (Cont'd)

[Figure: state space $\Sigma$ showing the $P$-accessible states inside $\chi$ and $\varphi$, with a $\tau$-step leading from a $\varphi$-state to a state outside $\varphi$.]

Solution: take the largest set of states that will result in a $\varphi$-state when $\tau$ is taken. How?

8-3
Precondition of $\varphi$ w.r.t. $\tau$

$\mathit{pre}(\tau, \varphi):\ \forall V'.\ (\rho_\tau \rightarrow \varphi')$

[Figure: the set $\mathit{pre}(\tau,\varphi)$ mapped by $\tau$ into the set $\varphi$.]

A state $s$ satisfies $\mathit{pre}(\tau, \varphi)$ iff all $\tau$-successors of $s$ satisfy $\varphi$.

Note: $s$ trivially satisfies $\mathit{pre}(\tau, \varphi)$ if it does not have any $\tau$-successors (i.e., $\tau$ is not enabled in $s$).

8-4


Precondition of $\varphi$ w.r.t. $\tau$ (Cont'd)

Example:

$V: \{x\}$, $x$ integer
$\rho_\tau:\ x > 0 \wedge x' = x - 1$
$\varphi:\ x \geq 2$

$\mathit{pre}(\tau, \varphi):\ \forall x'.\ (\underbrace{x > 0 \wedge x' = x - 1}_{\rho_\tau} \rightarrow \underbrace{x' \geq 2}_{\varphi'})$
$\leftrightarrow\ (x > 0 \rightarrow x - 1 \geq 2)$
$\leftrightarrow\ x \leq 0 \vee x \geq 3$

[Figure: positions $j$ and $j+1$ of a computation linked by $\tau$, labelled with $\mathit{pre}(\tau,\varphi): x \leq 0 \vee x \geq 3$ and $\varphi: x \geq 2$.]

8-5
Properties of $\mathit{pre}(\tau, \varphi)$

By the definition of $\mathit{pre}(\tau, \varphi)$,

$\{\chi \wedge \varphi \wedge \mathit{pre}(\tau, \varphi)\}\ \tau\ \{\varphi\}$

is guaranteed to be state-valid.

[Figure: the $P$-accessible states inside $\chi$ and $\varphi$, with the $\tau$-step now staying inside $\varphi$.]

But we have to justify adding the conjunct $\mathit{pre}(\tau, \varphi)$ to the antecedent. This can be done in two ways:

1. Incremental: prove $\Box\,\mathit{pre}(\tau, \varphi)$
2. Strengthening: prove $\Box(\varphi \wedge \mathit{pre}(\tau, \varphi))$

8-6
Properties of $\mathit{pre}(\tau, \varphi)$ (Cont'd)

Claim: If $\varphi$ is $P$-invariant then so is $\mathit{pre}(\tau, \varphi)$ for every $\tau \in \mathcal{T}$.

Proof: Suppose $\varphi$ is $P$-invariant, but $\mathit{pre}(\tau, \varphi)$ is not $P$-invariant. Then there exists a $P$-accessible state $s$ such that $s \not\models \mathit{pre}(\tau, \varphi)$. But then, by the definition of $\mathit{pre}(\tau, \varphi)$, there exists a $\tau$-successor $s'$ of $s$ such that $s' \not\models \varphi$. Since $s$ is $P$-accessible, $s'$ is also $P$-accessible, contradicting that $\varphi$ is a $P$-invariant.

8-7
Properties of $\mathit{pre}(\tau, \varphi)$ (Cont'd)

Definition: A transition $\tau$ is said to be self-disabling if for every state $s$, $\tau$ is disabled in all $\tau$-successors of $s$.

Claim: For every assertion $\varphi$ and self-disabling transition $\tau$,

$\{\varphi \wedge \mathit{pre}(\tau, \varphi)\}\ \tau\ \{\varphi \wedge \mathit{pre}(\tau, \varphi)\}$

is state-valid.

Proof: Assume $s \models \varphi \wedge \mathit{pre}(\tau, \varphi)$. Then by the definition of $\mathit{pre}(\tau, \varphi)$, for every $\tau$-successor $s'$ of $s$, $s' \models \varphi$. Since $\tau$ is self-disabling, $\tau$ is disabled in all $\tau$-successors $s'$ of $s$, and so trivially $s' \models \mathit{pre}(\tau, \varphi)$. Thus for all $\tau$-successors $s'$ of $s$, $s' \models \varphi \wedge \mathit{pre}(\tau, \varphi)$.

8-8
Heuristic

If the verification condition $\{\chi \wedge \varphi\}\ \tau\ \{\varphi\}$ is not state-valid: find $\mathit{pre}(\tau, \varphi)$ and then

Strengthening approach: strengthen $\varphi$ by adding the conjunct $\mathit{pre}(\tau, \varphi)$, i.e. prove $\Box(\varphi \wedge \mathit{pre}(\tau, \varphi))$;

or, Incremental approach: prove $\Box\,\mathit{pre}(\tau, \varphi)$ and add $\mathit{pre}(\tau, \varphi)$ to $\chi$.

Note: $\mathit{pre}(\tau, \varphi)$ is not guaranteed to be an inductive invariant, so the premises of rule inv have to be checked again.

8-9
Example:

local $x$ : integer where $x = 1$
$\ell_0$: request $x$
$\ell_1$: critical
$\ell_2$: release $x$

We want to prove $\Box\,\underbrace{(at\_\ell_1 \rightarrow x = 0)}_{\varphi}$.

Problem: $\{at\_\ell_1 \rightarrow x = 0\}\ \tau_0\ \{at\_\ell_1 \rightarrow x = 0\}$ is not state-valid.
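As an added illustration of the heuristic and of the example above (this code is not part of the lecture notes), the following Python computes $\mathit{pre}(\tau, \varphi)$ by explicit enumeration over a bounded state space and checks the verification conditions the slides discuss. It assumes the usual semantics for the program, which the notes do not spell out: request $x$ is enabled when $x > 0$ and decrements $x$, release $x$ increments $x$, and control cycles $\ell_0 \to \ell_1 \to \ell_2 \to \ell_0$; the integer range is a constructed bound for exhaustive checking.

```python
from typing import Callable, Iterable, Set, Tuple
State = Tuple[int, int]                 # (location, x)
Pred = Callable[[State], bool]
Trans = Callable[[State], Set[State]]   # successor set; empty when disabled

def pre(tau: Trans, phi: Pred, states: Iterable[State]) -> Set[State]:
    """pre(tau, phi): states whose tau-successors all satisfy phi (trivially so where tau is disabled)."""
    return {s for s in states if all(phi(t) for t in tau(s))}

def state_valid(ante: Pred, tau: Trans, post: Pred, states: Iterable[State]) -> bool:
    """Verification condition {ante} tau {post}, checked over `states`."""
    return all(post(t) for s in states if ante(s) for t in tau(s))

# Assumed semantics of the lecture's program (constructed, not from the notes):
# l0: request x  -- enabled when x > 0, decrements x, moves to l1
# l1: critical   -- moves to l2
# l2: release x  -- increments x, moves back to l0
def tau0(s: State) -> Set[State]:
    return {(1, s[1] - 1)} if s[0] == 0 and s[1] > 0 else set()
def tau1(s: State) -> Set[State]:
    return {(2, s[1])} if s[0] == 1 else set()
def tau2(s: State) -> Set[State]:
    return {(0, s[1] + 1)} if s[0] == 2 else set()

STATES = [(loc, x) for loc in range(3) for x in range(-3, 7)]  # bounded domain

def phi(s: State) -> bool:            # at_l1 -> x = 0
    return s[0] != 1 or s[1] == 0

def plain_vc_valid() -> bool:         # {phi} tau0 {phi}: fails, e.g. from (0, 5)
    return state_valid(phi, tau0, phi, STATES)

def strengthened_vc_valid() -> bool:  # {phi and pre(tau0, phi)} tau0 {phi}
    p = pre(tau0, phi, STATES)
    return state_valid(lambda s: phi(s) and s in p, tau0, phi, STATES)

def self_disabling_claim_holds() -> bool:
    """tau0 is self-disabling (every successor sits at l1, where tau0 is
    disabled), so tau0 also preserves phi and pre(tau0, phi) together."""
    p = pre(tau0, phi, STATES)
    conj = lambda s: phi(s) and s in p
    return state_valid(conj, tau0, conj, STATES)

def pre_is_inductive() -> bool:
    """pre(tau0, phi) alone is not inductive: tau2 steps from (2, 5), where
    tau0 is disabled, to (0, 6), which violates pre(tau0, phi). Expect False."""
    p = pre(tau0, phi, STATES)
    inp = lambda s: s in p
    return all(state_valid(inp, t, inp, STATES) for t in (tau0, tau1, tau2))
```

The last function is the point of the slide's note: the conjunct obtained from $\mathit{pre}$ closes the gap for $\tau_0$, but the premises of rule inv must be re-checked for every transition, and here $\tau_2$ breaks it.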
