sol1-2.pdf
TRANSCRIPT
-
8/18/2019 Sol1-2.pdf
1/4
Principles of Model CheckingSolutions to exercise class 1
Transition systems & linear-time properties
Prof. Dr. Joost-Pieter Katoen, Dr. Taolue Chen, and Ir. Mark Timmer
September, 14, 2012
Problem 1
1. Express the following informally-stated properties as LT-properties:
• An account with positive balance is opened.
P = Lω((∅+ {ab > 100}) (2AP )ω)
• The balance of an account is negative only finitely many times.
P = Lω((2AP )∗ ({ab = 0} +∅+ {ab > 100})ω)
• The balance of an account switches at least once from debit tocredit.
P = Lω((2AP )∗ {ab < 0} ({ab = 0} +∅+ {ab > 100}) (2AP )ω)
• Eventually, an account remains with more than e 100 credit.
P = Lω((2AP )∗ {ab > 100}ω)
• false and true.
P false
= ∅ and P true = Lω(
2AP ω
)
2. Determine for each LT-property whether it is a safety property or aliveness property. Justify your answer!
• An account with positive balance is opened.
– This is a safety property, since every trace that is not in P has a finite bad prefix: either {ab < 0} or {ab = 0}.
• The balance of an account is negative only finitely many times.
– This is a liveness property, since any finite trace can be ex-tended to satisfy P (for instance, by suffixing {ab > 100}ω).
1
-
8/18/2019 Sol1-2.pdf
2/4
• The balance of an account switches at least once from debit to
credit.– This is a liveness property, since any finite trace can be ex-
tended to satisfy P (for instance, by suffixing the infinite trace{ab < 0}{ab > 100}ω).
• Eventually, an account remains with more than e 100 credit.
– This is a liveness property, since any finite trace can be ex-tended with {ab > 100}ω to satisfy P .
• false and true.
– LT false
is a safety property. Every trace is erroneous, so allfinite prefixes are bad prefixes.
– LT true is a safety and a liveness property. The fact that itis a safety property is trivially true since there are no badtraces. The fact that it is a liveness property is immediatefrom the fact that every finite trace can be extended with anyinfinite trace to satisfy LT true.
Problem 2
We consider the following transition system T S :
s0
{a}s1 {b}
s2{a, b} s3∅ s4 {a, b}
δ η
γ αβ
α
γ
α
α β β
Let P be the set of traces of the form σ = A0A1A2 . . . ∈
2AP ω
such that
∞∃ k. Ak = {a, b} ∧ ∃n ≥ 0. ∀k > n.
a ∈ Ak ⇒ b ∈ Ak+1
.
For the following fairness assumptions F i with respect to the transition sys-tem T S , we decide whether or not T S |=F i P .
First of all, notice that T S |=F i P if and only if FairTraces F i(T S ) ⊆ P .Because of
∞
∃ k. Ak = {a, b}, each trace has to visit at least one of s2 or s4infinitely many times. Additionally, from some point onwards, each a-statemust be followed by a state that is annotated with (at least) b.
2
-
8/18/2019 Sol1-2.pdf
3/4
1. F 1 ={α},{β }, {δ, γ }, {η}, ∅
.
• It holds that T S |=F 1 P . To see why, notice that:
– Any trace that reaches s4 is not F 1-fair. After all, for suchtraces α is executed only finitely many times. This is in con-tradiction with the unconditional fairness assumption {α}.
Hence, the transition s3η
−→ s4 is never taken.
– Because of the strong fairness assumption {η}, the η actionmust be executed infinitely often if it is enabled infinitelyoften. Since it clearly cannot be executed infinitely often, itis not allowed to be enabled infinitely often. Hence, the states3 (in which it is enabled) cannot be visited infinitely often.From now on we only consider what happens after s3 wasvisited for the last time.
– We cannot stay forever in states s1 or s2 by only takingtheir α-transitions, because of the enabled γ transitions tos0 and s1, respectively. Due to the strong fairness assump-tion {δ, γ }, these γ -transitions must be taken at some point.Hence, every time s2 is visited, at some point we move to s1,and every time s1 is visited, at some point we move to s0.
– As β is enabled in s0, the strong fairness assumption {β }requires that if s0 is visited infinitely often, then so is s2.
– Hence, all F 1–fair paths visit exactly s0, s1 and s2 infinitelyoften. It is easy to see that the traces of such paths satisfythe property P . Therefore FairTraces F 1(T S ) ⊆ P and thusT S |=F 1 P .
2. F 2 =
{α}
,
{β }, {γ }
,
{η}
.
• We find T S |=F 2 P . To see why, consider the path π = (s0s2s3s1)ω
with its corresponding trace σ = ({a}{a, b}∅{b})ω. All fairnessassumptions are fulfilled: α is executed infinitely often, and so areβ and γ . The action η is never continuously enabled, so the weak
fairness assumption {η} does not forbid the path.Hence, π ∈ FairPaths F 2(T S ), but σ /∈ P . Therefore, we find
FairTraces F 2(T S ) ⊆ P and correspondingly T S |=F 2 P .
3
-
8/18/2019 Sol1-2.pdf
4/4