Tech Report NWU-EECS-06-20

8/6/2019 Tech Report NWU-EECS-06-20

1/45

Electrical Engineering and Computer Science Department

Technical Report

NWU-EECS-06-20

2/21/2007

Abstraction Techniques for Model-Checking Parameterized Systems

N. Liveris; H. Zhou; R. Dick; Y. Chen; P. Banerjee

Abstract

In this paper we present a new abstraction technique that enables the usage of model

checking for the verification of parameterized systems. The technique targets

asynchronous systems. Compared to previous approaches the application of the proposedtechnique imposes fewer restrictions on the correctness property. Moreover, it can be

applied to a class of parameterized systems for which other abstraction methods may not

work. We demonstrate the effectiveness of the abstraction technique by applying it on a

self-stabilizing spanning tree construction algorithm.

Sponsors: NSF, Motorola

Keywords: program abstraction, verification, parameterized systems


2/45

Abstraction Techniques for Model-Checking

Parameterized Systems

N. Liveris, H. Zhou, R. Dick, Y. Chen, and P. Banejee

EECS Department, Northwestern University, Evanston IL 60208

College of Engineering, University of Illinois, Chicago IL 60607

Abstract. In this paper we present a new abstraction technique that enables the

usage of model checking for the verification of parameterized systems. The tech-

nique targets asynchronous systems. Compared to previous approaches the ap-

plication of the proposed technique imposes fewer restrictions on the correctness

property. Moreover, it can be applied to a class of parameterized systems for

which other abstraction methods may not work. We demonstrate the effective-

ness of the abstraction technique by applying it on a self-stabilizing spanning tree

construction algorithm.

1 Introduction

This paper describes a new abstraction technique for enabling the use of automatic

verification tools to check the correctness of parameterized systems.

There are two kinds of methods that are used for the verification of asynchronous

systems: deductive verification and model checking. Deductive verification is an in-

teractive verification method. The user is required to provide properties that facilitate

the proof by the tool. Model checking is an automatic method. However, it is efficient

only when applied to relatively small finite state space systems. Therefore, abstraction

is used to transform infinite or large state space systems to smaller finite state spacesystems, thereby enabling the use of model checking for their verification [9]. In this

paper we present an abstraction technique that enables the use of model checking for

the verification of asynchronous parameterized systems.

A parameterized system is built by the parallel composition of

processes, where

can be any natural number greater than a minimum value. Model checking can be

used for the verification of instances of a parameterized system with few processes, i.e.,

small

. Ideally we would like to prove the correctness of a parameterized system for

any number of processes. However, the number of those systems is infinite when there

is no upper bound for

. Moreover, even if an upper bound exists, verification may be

intractable for large

because the number of states increases exponentially with the

number of components in the system. There are two ways to overcome this difficulty:

one is to use control abstraction [12, 9], and the other is to use the methods of invisible

ranking [17, 2, 7].The idea behind control abstraction is to abstract away an arbitrary number of sym-

metric processes by using a network invariant . Then the correctness property can be

proved for the abstract system, which is composed of a finite number of processes and

the network invariant [9]. A difficulty with this approach is that the network invariant


3/45

needs to have the same set of observable variables as the system of symmetric processes

abstracted by it. Therefore, if each of the

processes has one observable variable and

we use a network invariant for these processes, the network invariant needs to have

observable variables. This problem has restricted the application of control abstrac-

tion to specific classes of distributed algorithms. Control abstraction has successfully

been applied on ring topologies of processes [11], in which every process has only two

neighbors and, therefore, the number of input/output variables for each process is inde-

pendent of

. It has also been successfully applied on systems for which the number

of shared variables does not increase with the number of processes. An example is a

mutual exclusion algorithm, in which all processes share only one semaphore [9].

An alternative approach is the method of invisible invariants [17]. The method can

be used to bound the number of processes needed to prove a correctness property for a

class of parameterized systems. The approach can be used for the verification of safety

properties [2] and response liveness properties [7]. Response liveness properties are

properties of the form , i.e., for every state satisfying assertion there is

a future state satisfying assertion . The paper does not discuss how other livenessproperties can be checked using this method. Moreover, the method imposes a number

of restrictions on the structure of the next state relation and the initial condition of the

system. The method can be automated, so the user does not have to observe the invariant

being used. In our work we target general liveness properties. More specifically, the

correctness property we prove for the spanning tree algorithm is a persistence property

(

). This type of property can be used to describe the correctness of self-stabilizing

systems.

In this paper we present an abstraction technique that builds on the theory of con-

trol abstraction. We target structures of processes, for which the number of observable

variables is a parameter. These structures are very common. One example is proving

a property for a process that is connected in a graph of arbitrary topology. Then the

number of neighbors with which the process interacts is a parameter. For this type ofstructure we provide an abstraction that reduces the number of observable variables to

a small finite number. Then model checking is used to check the correctness property

on the abstract system. If the property holds for the abstract system, then it holds for

the parameterized system for any valid value of the parameter. The proposed technique

can be used for checking general temporal properties. Moreover, it can be applied to a

class of parameterized systems for which other methods may not work.

The method is sufficient to prove that the correctness property is valid for the param-

eterized system. However, like control abstraction and invisible ranking, the proposed

method is incomplete. If a behavior of the abstract system does not satisfy the correct-

ness property, no conclusion can be drawn for the parameterized system. Additionally,

a number of restrictions must hold for the parameterized system to guarantee the sound-

ness of our approach. Most of these restrictions concern the atomicity of the actions ofthe parameterized systems.

In Section 2 we survey related work in this field and indicate our contributions.

Section 3 describes the systems we consider. Section 4 gives an overview of the pro-

posed technique. We demonstrate the application of the technique to a Spanning-Tree


4/45

construction algorithm in Section 5. The soundness of the technique is proved in the

appendix.

2 Related work

Instead of control abstraction, the method of invisible invariants can be used for the

verification of parameterized systems [17]. Arons et al. [2] present the method for the

verification of safety properties. Later the work was extended to include verification of

response liveness properties [7]. The authors describe a method to bound the number

of processes needed to prove a correctness property for a parameterized system. How-

ever, their method is applicable to a restricted class of distributed algorithms. One of

the restrictions is that a variable

taking values in 1

, can appear in two kinds of

expressions: and " " % ' 0 . These expressions can only appear in a formula that

compares expressions of the same type. This means that the only operators that can be

applied to are indexing ' 0 and relational operators 3 4 63 4 8 4 @ 4 B 4 C . When operatorsD E

1 and FE

1 are included, the size of the abstract system increases significantly. Only

response liveness property are discussed in that work. Our approach can be applied to

other temporal properties, for example persistence.

Other works on the abstraction of parameterized systems can only be applied to

high-atomicity distributed algorithms [5, 18,4, 6], in which a process can read the values

of all its

neighbors in one atomic step. Since this assumption may not be realistic for

large

, in our work we target low atomicity distributed algorithms.

Kurshan and McMillan presented a structural induction theorem for processes [12]

defining sufficient properties for the network invariants. The method was applied on

two examples; in the first the processes formed a complete graph and in the second

a ring. However, for the case of the complete graph the authors consider the observ-

able behavior as the sequence of actions taken. More specifically, in that example it is

the sequence of messages sent between the system and its environment. Therefore, theproblem we deal with in this paper was not discussed.

Kesten and Pnueli define a sound data abstraction method [10]. Their method is

useful for reducing the range of the data variables of the system. The user needs to

invent the abstraction function and in some case the progress monitor for a specific

system. Their method can be used as a preprocessing step to replace variables ranging

over parameterized or infinite domains to abstract variables, which range over finite

sets. Then our technique provides the user with an abstraction function to reduce the

number of variables in the system.

Other works discuss only safety properties for the verification of parameterized sys-

tems [8].

The abstraction technique presented in this paper is similar to temporal case split-

ting [15, 16] in that it reduces a vector of unbounded size to a vector with a fixed small

number of elements. With temporal case splitting the proof is decomposed to a largenumber of proof subgoals, which become a fixed number of problems using symme-

try properties. Our technique includes the abstraction of the fairness conditions of the

concrete system, especially on actions accessing or modifying the elements of the ab-

stracted vector. Moreover, we define fairness conditions for the abstract system based


5/45

on the existence of constant values stored in the vector. As we will show, these fairness

conditions are necessary, e.g., to prove the correctness of a spanning tree algorithm.

Additionally, constant values of the index type do not increase the size of the abstract

system in our approach.

3 Systems we consider - Notation

In this section we describe the types of systems we consider.

We deal with the verification of closed parameterized systems. A closed parameter-

ized system can be defined as

T

3 I 1

Q I 2

Q Q I

W

In the above formula I 1 4 I 2 4 4 I

are identical processes up to renaming. The

operatorQ

denotes parallel asynchronous composition and W

restriction. Both opera-

tors are defined in the literature [9]. In the above definition of the parameterized system

it is assumed that each processI Y

, forY `

1

, is independent of the number

ofprocesses in the system. For example, the

processes may be used to specify a mutual

exclusion algorithm with only one shared variable for the whole system [9]. However,

there are cases in which the number of observable variables of each process depends on

. In those cases, the definition of the system can be written as

Q

3 I 1

4

Q I 2

4

Q Q I

4

W(1)

While I Y 4

and I h 4

with Y 63 h differ only in their id values, I Y 4

and

I Y 4 s with

63 shave a different number of observable variables.

We are interested in proving the correctness of a parameterized systems described

by (1).

In this paper we follow a similar notation that is used by Abadi and Lamport [1] for

describing systems. Each system, which can be composed of one or more processes, is

represented by its specification u 3 w 4 y 4 N4 . is the state space of the specifica-tion, y is the set of initial states, N is the next state relation, and is thesupplementary property defined over . The state machine w 4 y 4 N defines the ma-chine property of u . For all systems we consider, u is machine closed and specifies

a liveness property. The definition of machine closure can be found in the literature [1,

13].

The next state relation is defined using a set of atomic actions

. Each action has aprecondition (or enable condition) prec

, which is a state function, and an effect part

eff

, which describes the values of the variables in the next state

, as a function of

the current state . Therefore, can be described as the conjunction of its preconditionand its effect1

1 Actions also contain conjucts of the form

for each variable

that must re-

main unchanged. Therefore, the effect of an action may be considered as the conjunct of

unch

. In the last formula

is a boolean combination of predicates of the form

, and unch is the conjunction of predicates of the form . We say that an

action reads a variable , when appears in a predicate in . An action mod-

ifies or writes a variable , when there is a predicate in and .

This classification is based on the syntax and can be performed by static analysis.


6/45

3 k prec

keff

A state pairw 4 `

N, if and only if there exists `

, such that prec

is truefor and the pair of states w 4 satisfies eff . Then the triple 4 4 is called atransition of the system. We assume there is a stuttering step ` and for all states

` , w 4 belongs to N.The liveness property

is a restriction imposed on the infinite behaviors of the

system. It can include the conjunction of strong and weak fairness properties specified

on some of the actions. We use W and S to represent the sets of actions with weak andstrong fairness properties respectively. The sets W and S are disjoint and subsets of

. Then

W k S . The weak and strong fairness properties are

defined as

3 prec

weff

3 prec w eff

The expression w eff evaluates to true when action is executed and the systemsstate changes. Therefore, for a pair of states

w 4

w 4

z3 weff

{ w 4 z3 eff k 63

For a more detailed description of weak (

) and strong (

) fairness properties, the

reader should refer to the literature [13].

Moreover,

can include justice and compassion requirements on sets of states. Jus-

tice requirements have the form and compassion requirements can be represented

as ~

, where

,~

, and

are atomic predicates which specify sets of states [9].

In this paper we assume that 4 ~ 4 are not specified on the shared variables of the sys-

tem, which are going to be abstracted, i.e., the variables in SV

(see Section 4 for the

definition of this set).A sequence of states, with ` , is a behavior of u if satisfies the specification

u . More specifically, it must hold that 4 0 ` y , Y B 0 : w 4 Y 4 4 Y 1 ` N, and

z3 , where

4 Y is the

Yth state in sequence .

We use this operator z3 to denote that an assertion is valid for a state or a set of states.

We extend its usage to temporal properties and sequences or sets of sequences. When

a specification is used at the LHS and a temporal formula at the RHS, the temporal

formula is valid for all behaviors of the specification.

For a state 3 4 Y ` y , where ` and Y ` y , we call the -part of the

state or -part of the state. The -part of the state includes only the variables in and

their values.

The operator denotes projection. For a state 3 4 Y , it holds 3 and

3 Y . That means is the projection of on the -part of the state and

is the projection of on the part of the state that is not included in . We usethe projection operator on sets of states as well.

Another operator that is commonly used is the property operator P. Operator P isdefined on a temporal property , which could be a system specification, and denotesall behaviors that satisfy .


7/45

Some variables of the system are local to a specific process, while others are observ-

able to all processes. We call the observable variables shared variables. We consider

vectors of shared variables of the form

sv1 ` ' 1

FS1 0

sv2 ` ' 1

FS2 0

sv ` ' 1

FS 0

where FS is a finite set for all Y in 1 . For simplicity, we restrict our discussions to

systems with only one parameter

and only one vector of shared variables sv. Then

the system state space can be represented as 3 ' 1

FS 0 , where isthe state space without the sv vector. In the rest of the paper we refer to each sv ' h 0 with

h ` 1

as a shared variable.

Besides vectors of shared variables, the system can have a finite set of variables that

are observable to all processes. The cardinality of the set must be independent of

. Weconsider these variables as part of and we restrict the usage of the term shared

variable only for an element of the vector sv.

If the effect of one action can be obtained from the effect of another action by replacing any appearance of one shared variable sv ' 0 with another shared variable

sv' h 0

, then eff

and eff

are called syntactically equivalent. For example, in Figure

1 only eff and eff are syntactically equivalent.

prec

r

svj

1

prec

r

svk

1

prec

p

svj

1

prec

r

svj

2

Fig. 1. Only the two leftmost actions have syntactically equivalent effects.

We now present our assumptions for the systems we consider. Then we elaborate

on the reasons for making these assumptions and their implications.

1. Although actions can read and modify a number of variables, they can eitherread or write at most one shared variable in each atomic step.

2. Each shared variable is a single-writer multi-reader variable. More specifically,

h `1

: sv ' h 0 can be written only by process h

3. The preconditions of the actions do not depend on the values of the shared variables.Therefore, reading or writing a shared variable can only be done by the effect part

of an action.

4. (a) There exist no action that reads only variables in and has the same effect

at some state as an action that reads a shared variable. More specifically, ifis an action that reads a shared variable and ` W S, then for any action that does not read a shared variable

w 4

`N :

w 4

6z3 weff

k weff


8/45

(b) There exist no action that modifies only variables in and has the sameeffect at some state as an action that writes a shared variable. More specifically,

if is an action that writes a shared variable and ` W S, then for any action that does not write a shared variable

w 4

` N : w 4 6z3 w eff k w eff

(c) Two actions that are not syntactically equivalent and access different shared

variables cannot have the same effect at some state , unless the shared vari-

ables accessed have the same value at . More formally, if and are two ac-tions of the system with eff 3 4 4 sv ' h 0 and eff 3 4 4 sv ' 0 ,then

w 4

`N : w 4 6z3 w eff k w eff k sv ' h 0 63 sv ' 0

We believe that the above constraints are common among many applications. Only

1 and 2 restrictions are needed when safety properties are checked. When liveness

conditions are checked, 3 and 4 restrictions must also hold. The restriction 3 hasbeen used in other works ([14],Chapter 9). Our intuition behind this restriction is that

reading a non-local variable should be an atomic action. The decision of a process

to execute an action should be based on local variables only. Note that processh

can

maintain a local copy ofsv ' h 0 and because of restriction2 the copy can be always equalto the value of the shared variable. The intuition behind 4 is that we cannot satisfy theliveness requirements of an action by simulating it with a completely different action.

However, syntactically equivalent actions are not restricted by 4. Most systems witha program counter for each process satisfy the 4 restriction. More specifically, if eachinstruction has a different successor, the effect of each action of one process is distinct.

Since the program counter is a local variable of each process, the effect of each action

cannot be simulated by an action of a different process.

The restrictions 1-4 do not need to hold for the fixed set of global variables in

. Therefore, we can have a fixed finite set of multi-writer variables.For the systems amenable to our technique the correctness property that we are

going to check is independent of the number of processes in the system. More specif-

ically, is expressed as a function of the local and shared variables of a finite set ofprocesses . The set is the same for all values

B

. For simplicity in this

paper we assume thatz z 3

1. This means that the correctness property is specified on

I 1

4

. Under symmetry conditions the property will hold

:I

4

, if it holds

forI

14

. Note that can be any LTL property that can be expressed using operators

and .

As noted before we are concerned with the verification of a closed parameterized

system. In such a system there is no interaction with the environment. The property

that we want to prove is described as a function of some variables of the system. These

variables represent the external part of the state. While all other variables belong to

the internal part of the state. The distinction of external and internal part of the state isdescribed in the literature [1].

In this section we presented the assumptions for the systems we consider and the

notation we use. In the next section we describe the proposed technique for the verifi-

cation of these systems.


9/45

4 The proposed technique

In this section we describe the proposed technique for the abstraction of parameterized

systems of the form of (1). We start by describing a verification framework in whichthis technique is useful (Section 4.1). Then we present in detail the abstraction of the

technique (Section 4.2). For simplicity, in this section we assume that z z 3 1 and that

there is only one parameter

and one shared variable sv with

elements. Because

z z 3 1, the number of shared variables in the abstract system is 2 ( 3 z z 1).

4.1 Overview of the approach

We wish to verify that property is valid for the closed parameterized system

Q

3 I 1

4

Q I 2

4

Q Q I

4

W

for all finite

B

, where

is the minimum number of processes in the

system.We assume that the system Q

and property satisfy all the assumptions de-scribed in Section 3. The property may be verified as follows:

1. The user provides a network invariant

[9], such that for any

I 2

4

Q Q I

4

and the number of local variables of

is finite and independent of

.

2. Following the steps of our technique as described in Section 4.2, the user obtains

the system u .

3. Model checking is used to automatically proveu z3

.

Then the user concludes that Q

z3 holds for all

B

.

In order for the third step to be successful,

and

I 1

4

should be finite-state

processes for any

. Note that for the modular abstraction relation of step 1 to be valid,

must have

observable variables.

In this paper we are dealing with the second step, which is described in the next

section.

4.2 Obtaining the abstract system

In this section we describe the technique to deriveu

fromu 3

Q I 1

4

W.

We denote the abstract system as u 3 w 4 y 4 N 4 and explain how each of thecomponents of the

ucan be obtained from the corresponding components of

u

3

w 4 y 4 N4 .

State space: The only change in the state space is that the shared variables sv ` ' 1

FS0 become sv ` ' 1 2 FS0 . Let be expressed as 3 sv ' 1

FS 0 , where

sv is the state space of all variables except sv. Then we can formally define as

3 sv ' 1 2 FS 0 . We denote sv the variable in ' 1 2 FS0 .


10/45

Next state relation: The next state relation N ofu

is defined by a new set of actionsA. We derive A from some newly defined actions and the u actions. Each action of u

is either an action of

or of I 1 4

. The actions of process

cannot modify

sv ' 1 0 because of the single-writer restriction (2). They can modify any of the

1

elements sv ' h 0 with h ` 2

. Let SV be the set of these elements, i.e.

SV

3 sv ' h 0 z h ` 2

On the other hand, the actions of processI

14

can access any of the elements of sv,

but can only modify sv ' 1 0 .

The following steps describe how we obtain A, which initially is an empty set.

T0 For each value in FS, we define and add to A an action of the form

v

3 k sv a 3 ' sva EXCEPT ! ' 2 0 3 v 0

k UNCHANGED w all other variables

The precondition of

is TRUE in all states and its effect is to change sv'

20

to anew value in FS. All other variables remain unchanged.

T1 For any action ` that does not access or write any of the variables in SV ,

`

A2.

T2 For any action `

that reads variable sv ' h 0 , with sv ' h 0 ` SV , we replace all

references to sv ' h 0 by sv ' 2 0 to obtain . Then we add to the set of actions A, i.e.

`

A.

T3 For any action `

that writes to variable sv' h 0

, with sv' h 0 `

SV , we replace all

references to sv ' h 0 by sv ' 2 0 to obtain . Then we add to A, i.e. ` A.

T4 For any action ` that reads an element sv ' 0 with ` 1

and ` ,

let eff 3 4 4 sv ' 0 . We define action as follows

3 kprec

k g e 3 1

kh

e

4e

4sva ' 1 0

k prec

kg

e

631

k h e 4 e 4 sva ' 2 0

Action is composed of two disjuncts, one for each possible value of

. The

first disjunct is the conjunction of prec , 3 1, and the effect expression of

action with every reference ofsv'1

0replaced by sv

'1

0. The second disjunct is the

conjunction of prec , 63 1, and the effect expression of action with every

reference to sv ' 1 0 replaced by sv ' 2 0 . The new action is added to A, i.e. ` A.

Note that there are no actions in that read more than one element of sv or read

and modify elements of sv because of restriction 1. Furthermore, if an action writesto a variable sv ' 0 , we can determine whether it is an action handled by rule T1 or

T3 based on the process performing the action because of restriction2. Consequently,any action in is handled by one of the 1

4 cases.

2 For simplicity for this and the following types of actions we do not describe the changes in the

unch

part. From now on we will use eff

to describe the

part of the action.


11/45


12/45


13/45

5.1 ST algorithm

In this algorithm each process executes the program displayed in appendix (Algorithm

1). The node with the greatest id, EQk, becomes the root of the tree. Eventually, everyother node

Ystores in its Root

' Y 0the id of the root. Moreover, eventually D

' Y 0holds

Ys

distance from the root and F' Y 0

its parent in the tree. NodeY

selects the parent node, so

that D' Y 0

is equal to the minimum distance, dist' Y 0

, from the root in the graph. Note that

dist' Y 0

is not a variable of the system.

For the spanning tree construction algorithm we want to prove the convergence

of any process with dist 3 after all its neighbors with dist 3

1 have converged

and some general properties on the graph hold. In order to do so, we assume process

I 1 4

is at distance from the root and has

1 neighbors. Out of the

1

neighbors at least one must be a neighbor at distance

1 from the root. Some of the

neighbors can have dist 3 or dist 3 1. There is no neighbor that can be at distance

less than

1 or more than

1. Otherwise,I

14

s distance would not be

, which

is a contradiction.

The property that we want to prove is

3

where H

3 k i ` 1 N : k dist ' i 0 3 l

1 k Root ' i 0 3 EQk

kD

' i 0 3 l

1

k dist ' i0 B l k Root ' i 0 3 EQk D ' i 0 B l

kRoot

' i 0 8 EQk

k j ` 2 N : lsv 3 sv ' j 0

and J

3 k Root ' 1 0 3 EQk

kD

'1

0 3 l

k F ' 1 0 ` j z j ` 2 N k dist ' j 0 3 l

1

Note here thatI

14

is not symmetric to all processes

I 2

4

4 4 I

4

.

However,I

14

cannot guess the dist values of the processes, so all processes are

identical up to renaming for I 1 4

. Moreover, I 1 4

is identical up to renaming to

all other process at distance from the root.

5.2 Data abstraction

In the variant of the ST algorithm, some of the variables range over parameterized or

infinite domains. These variables include

Root` '

1

0

D ` ' 1

0

0

F `

and variables used as local copies of their values (lRoot, lD, and lF).

We use data abstraction [10, 9] to reduce the state space of the system to a finite set,

which is independent of the number of processes in the system. More specifically, data


14/45

abstraction reduces the range of the above variables to a finite set. Even though the range

of the variables can be reduced, the number of the shared Root and D variables still

depends on

. Therefore, the abstraction technique presented in this paper is employed

as a next step to reduce the number of these variables to 2. Then we can use model

checking to verify the system.

Formally, the steps we followed to verify that the parameterized system Q

sat-

isfies property are

1. Abstracted the system and the property to Q

and in which all variablesrange over finite domains

2. Used the abstraction technique to transformQ

to u

The abstract property does not need to be abstracted in the second step because weassume it is expressed on variables not in SV

. If model checking proves that

u z3 ,

we conclude that Q

z3 because of Theorem 1. Moreover, because of resultspresented in the literature [10], Q

z3 Q

z3 .

The version of the algorithm after data abstraction can be seen in the appendix(Module Process - Algorithm 2). The variableRoot now ranges over the set

LTk,EQk

.

Model values LTk and EQk stand for less than root and equal to root, respectively.

Variable F is abstracted to

NotNeighborNode4NeighborLorMore

4NeighborLMinus1

41

.

Finally, all D values that are greater than are abstracted to DGTK model value. The

corresponding operators for the model values are defined using the principles of data

abstraction [10].

5.3 Theoretical preliminaries

The first task according to the overview of our approach (Section 4.1) is to build a

network invariant

for all processes other than I 1 . The following result can help

us simplify the construction of the network invariant.

Lemma 1. If every reachable state that satisfies is an initial state, then for any

Q

z3

if and only if

Q

z3

PROOF:We start with the direction

Q

z3 Q

z3

Suppose it holds Q

z3 and there is a behavior ofQ

for which

6z3 . Then

6z3

z3 k

z3 k z3 Consequently, there exists h ` such that the execution segment starting at state 4 h satisfies always and has infinitely many states. Since 4 h is also an initial state,there exists sequence with

4 Y 3

4 h Y 4 Y B0


15/45


16/45

and because of that

I 1

4

Q

W I 1

4

Q

W

The systemI

14

Q

can be seen in the appendix (Algorithm 2).

5.4 Application of the technique

We apply the proposed technique on the systemI

14

Q

and obtain the abstract

systemu

. The abstract system has 8000 states and TLC takes 2 minutes to prove the

property. The concrete system with

34 has 216800 states and TLC takes 40 minutes

to prove its correctness. In the appendix (Algorithm 3) the specification of the abstract

system in TLA+ is displayed. The variable SetOfLMinus1Neighbors, which was used

by the network invariant in the concrete system to leave the nodes at distance

1

unchanged, is removed using data abstraction.

6 Conclusions

In this paper we presented a new abstraction technique for the verification of parame-

terized systems using model checking. The technique imposes less restrictions on the

correctness property. We used the technique to prove a persistence temporal property

of a self-stabilizing spanning-tree construction algorithm. In the future we plan to work

on ways to automate the application of the abstraction technique and remove some of

the restrictions on the type of systems that this technique can be applied to.

References

1. ABADI, M., AND LAMPORT, L . The existence of refinement mappings. Theoretical Com-

puter Science 82, 2 (1991).

2. ARONS, T., PNUELI, A., RUAH, S., XU, J., AND ZUCK, L. D. Parameterized verification

with automatically computed inductive assertions. In CAV 01: Proceedings of the Inter-

national Conference on Computer Aided Verification (London, UK, 2001), Springer-Verlag,

pp. 221234.

3. ARORA, A., AND GOUDA, M. Distributed reset. IEEE Transactions on Computers 43, 9

(1994).

4. BAUKUS, K., LAKHNECH , Y., AND STAHL, K . Verification of parameterized protocols.

Journal of Universal Computer Science 7, 2 (2001), 141158.

5. CLARKE, E., TALUPUR , M., AND VEITH, H . Environment abstraction for parameterized

verification. In VMCAI 2006: Proceedings of the th International Conference on Verification,

Model Checking, and Abstract Interpretation (London, UK, 2006), Springer-Verlag, pp. 126

141.

6. EMERSON, E. A., AND KAHLON, V. Reducing model checking of the many to the few.

In CADE-17: Proceedings of the 17th International Conference on Automated Deduction

(London, UK, 2000), Springer-Verlag, pp. 236254.

7. FANG, Y., PITERMAN, N., PNUELI, A., AND ZUCK, L . Liveness with invisible ranking.

International Journal on Software Tools for Technology Transfer (STTT) 8, 3 (2006), 261

279.


17/45

8. JHALA, R., AND MCMILLAN, K. Array abstractions from proofs. In CAV 07, accepted for

publication (2007).

9. KESTEN, Y., AND PNUELI, A. Control and data abstraction: the cornerstones of practical

formal verification. International Journal on Software Tools for Technology Transfer (STTT)

2, 4 (2000).

10. KESTEN, Y., AND PNUELI, A. Verification by augmented finitary abstraction. Information

and Computation 163, 1 (2000), 203243.

11. KESTEN, Y., PNUELI, A., SHAHAR, E., AND ZUCK, L . D . Network invariants in action. In

CONCUR 02: Proceedings of the International Conference on Concurrency Theory (Lon-

don, UK, 2002), Springer-Verlag, pp. 101115.

12. KURSHAN, R. P., AND MCMILLAN, K. L. A structural induction theorem for processes.

Information and Computation 117, 1 (1995), 111.

13. LAMPORT, L. Specifying Systems: The TLA+ Language and Tools for Hardware and Soft-

ware Engineers. Addison-Wesley Professional, 2002.

14. LYNCH, N. Distributed Algorithms. Morgan Kaufmann Publishers, 1996.

15. MCMILLAN, K. L. Verification of an implementation of tomasulos algorithm by composi-

tional model checking. In CAV (1998), A. J. Hu and M. Y. Vardi, Eds., vol. 1427 of Lecture

Notes in Computer Science, Springer, pp. 110121.

16. MCMILLAN, K . L . A methodology for hardware verification using compositional model

checking. Science of Computer Programming 37, 13 (2000), 279309.

17. PNUELI, A., RUAH, S., AND ZUCK, L. D. Automatic deductive verification with invisible

invariants. In TACAS 2001: Proceedings of the 7th International Conference on Tools and

Algorithms for the Construction and Analysis of Systems (London, UK, 2001), Springer-

Verlag, pp. 8297.

18. PNUELI, A., XU, J., AND ZUCK, L. Liveness with (0,1,infinity)-counter abstraction. In CAV

02: Proceedings of the International Conference on Computer Aided Verification (London,

UK, 2002), Springer-Verlag, pp. 107122.


18/45


19/45

3 k prec

k 3 jk

eff

k 3

3 4 For any action that reads a variable sv ' 0 , with ` 1

and ` ,

let eff 3 4 4 ' 0 . We define action as follows

3 k prec k g e 3 1

kh

e

4e

4sv

'g

e

0

k 3

kprec

k 3 g e k

he

4e

4sv

'g

e

0

k 3 The new action is added to .

4 We define liveness condition built by the following algorithm:

(a)

3

TRUE

(b) For each action constructed from using any of the rules 3 1

3 4,

i. if`W, then

3

k prec eff k 63

ii. if ` S, then

3

k

prec eff k 63

where is the projection of state on .

(c) If is the conjunction of all justice and compassion requirements of u then

3

k

Note that by construction.

In order to prove thatu

andu

define the same externally visible property, we need to

prove conditions P1-P6, as Abadi and Lamport found [1]. For convenience, we repeat

the conditions P1-P6 as described in their paper

P1. for some set P2. (a) y

y

(b) For all 4 ` 1

y there exists 0 4 1 4 3 such that 4 0 ` y

and, for 0 8 Y @ , w 4 4 4 1 ` N

P3. Ifw 4

4 4

`

N

thenw 4 `

Nor 3

.P4. If w 4 ` N and 4 ` then there exist 4 0 4 4

1 4 3 such thatw 4 4 4 0 ` N

and, for 0 8 Y @ : w 4

4 4 1 ` N.

P5.

3 1

.

P6. For all ` the set 1

is finite and nonempty.


20/45

The set

1

is defined as the set of all states

3 4

for which 3 .

Lemma 2. Systems u and u

define the same externally visible property.

PRO OF S K ETCH: Using the wayu

was constructed (properties 0- 4), we prove

premises P1-P6. Based on Proposition 5 of Abadi and Lamports paper, the lemma is

implied from these premises.

PROOF:

1.1 implies P1

1.1. Because of1 it holds that

3

2

. If we substitute for 2

, the

following condition becomes true

3

2. 2 implies P2(a) and P2(b)PROOF SKETCH: We prove that

2 satisfies a much stronger property, i.e.,

y

3 1

y

This property is the same as P2 in Abadi and Lamports paper [1].

PROOF:

1

y 3 4

z ` y k 4

`

k 1

4

3

3 4 z ` y k ` k ` 2

3 y 2

3 y

3.3

0

3

4 imply P3

PROOF SKETCH: We prove P3 by doing a case based analysis of all actions in , us-

ing the properties 3 0

3 4. For each action ` we prove that all possible

transitions w 4 4 4 4 satisfy w 4 ` Nor 3 .3.1. CAS E: is constructed by rule

3

0, then

3

By definition of

(rule

3

0) for any 4

in

such thatw 4

4

4 4

is a transition ofu

, it holds that 3

. This is guaranteed by the second conjunct

of the definition.

3.2. CAS E: is constructed by rule3

1, then

w 4 `N

Let be an action constructedby rule 3 1. For any transition w 4 4 4 4 of system

u

we know that there is an action ofu

with the same precondition

and the same effect on the -part of the state. Therefore, is enabled at and canproduce

, when executed at

. This implies

w 4 `N.

3.3. CAS E: is constructed by rule 3 2, then w 4 ` NLet be an action constructedby rule 3 2. For any transition w 4 4 4 4 of system

u

we know that there is an action of system u such that

prec prec

eff eff

Therefore, is enabled at and can produce , when executed at . This impliesw 4 `

N.3.4. CAS E: is constructed by rule 3 3, then w 4 ` N

We can apply the same reasoning as in the Case 3.3.

3.5. CAS E: is constructed by rule3

4, then

w 4 `N


21/45

Let be an action constructedby rule3

4. For any transition

w 4

4

4 4

of systemu

we know that there is an action of systemu

such that

prec

k 3 1 k 4 4 sv ' 0 k 3

prec

k

3 k 4 4sv

' 0 k

3

1

E

prec k 4 4 sv ' 0

Since is expressed only on , we have

w 4

4

4

z3

w 4

z3

This impliesw 4 `

N.4. 3 0

3 4 imply P4PRO O F S K ETCH: We prove P4 by doing a case based analysis of all actions in

,

using the properties 3 0

3 4. For each w 4 ` N, we prove based on theaction that caused the transition

w 4

4 that there exist a sequence of actions in

that satisfy the premises of P4.

4.1. CAS E:

`

:1. w 4 4 is a transition of u 2. does not read or modify any element of SV

By rule 3 1 there exists action ` that is enabled at , for any value of, and can produce , if executed at . The value of remains unchanged by theexecution of. This implies w 4 4 4 belongs to N.

4.2. CAS E: ` :1.

w 4 4 is a transition of u 2. reads or modifies an element of SV

Let sv ' h 0 be the element read or modified, where h ` 2

. For each 4 `

there exists transition w 4 h 4 4 4 . The reason is that actions constructedby rule

3 0 are always enabled, so the action is enabled in . Therefore, it

holds w 4 h 4 4 ` N. Because of rules 3 2, 3 3 we know that there

exists action in

, whose precondition is the conjunction of the precondition of and

3 h. Therefore, this action is enabled in state

4 h . Moreover, its effect is

the effect of and it leaves unchanged. This implies thatw 4 h 4 4 h `

N.4.3. CAS E: ` :

1. w 4 4 is a transition of u

2. 3 prec k 4 4 sv ' 0 , where ` 1

In this case there exists action in

defined by rule3

4. Since

w 4 z3,

in state we have that 3 1 or ` 2

. If 3 1, then

w 4

z3

31

k 4

4sv

' 0 kprec

For every 4

`

, state 4

, with

3, is in and

w 4 4 4 z3 3 1 k 4 4 sv ' 0 k prec k 3 3 4

(3)

w 4 4 4 z3

If `

2

, then leth 3

withh `

2

. Then for all 4

`

, there isaction 0 created by rule 3 0 such that w 4 h 4 4 z3

0 . Then state 4 h

belongs to and satisfies 3 h

. Therefore,

w 4 h 4

4 h z3 3 h k

3 h kprec

k 4

4 sv ' 0 k 3

w 4 h 4

4 h z3


22/45

5.4 implies P5

PROOF SKETCH: The argument is based on the equivalence of

and

.

The property is expressed on variables in and is equivalent to . Therefore, forevery infinite behavior that satisfies , must satisfy . Moreover, for each

behavior satisfying , all corresponding behaviors produced by the machine of u

must satisfy .

6. P6 is valid by construction of the state space

For each

and each state , there are at most

1 values for , so at most

1

elements in the set 1

. Each state which is reachable for u has at least one

corresponding state 4 which is reachable for u

. Therefore, 1

is finite and

non-empty for each

.

The next lemma states that there exists a refinement mapping from the systemu

with the augmented prophecy variable to the abstract system constructed using rules

1

4. We represent the state

3 4

`

as 4

sv4

, where

is the part of the

state without the shared variable sv ( ` ). We consider 4 sv ' 1 0 the external partof the state, even though the external part of the state may be only a part of

4sv

'1

0 .

Extending to those cases should be straightforward. The shared variable is sv. In system

u

the shared variable ranges over ' 1

FS0 . The state of the abstract system can

be represented as 3 4 sv , where sv ` ' 1 2 FS 0 . The refinement mapping we

consider is the function

:

defined as

let

3 4 sv 4 in

` :

3 4 w sv ' 1 0 4 sv ' 0

By definition

preserves the external part and sets the first element of sv to sv'1

0and

the second to sv ' 0 , i.e.,

sv ' 1 0 3 sv ' 1 0

sv ' 2 0 3 sv ' 0

In order to prove that

is a refinement mapping, it is sufficient to show that

satisfies conditions 1

4 as shown in Abadi and Lamports paper [1]. We list the

1

4 conditions from that paper for the readers convenience.

R1. For all

` :

3

.

R2.

y

y .

R3. Ifw

4

`

N thenw

4

`N or

3

.

R4.

P

, where P is the property defined by

u

.

Lemma 3. Function is a refinement mapping from u to u

PROOF SKETCH: We prove the lemma by showing that

satisfies properties 1

4.

PROOF:

1. R1 is satisfied by the definition of

.


23/45


24/45

3.4. CAS E: Action is created by rule3

3. Then there exists an action created

by rule

3, such thatw

4

4

is a transition of

u.

PROOF: Action modifies element sv ' 0 . Moreover, because of the restriction1, it cannot read any sv variable. Therefore, the new value is a function of the state

. It must be independent of, since the effect of is the same as the effect ofbased on which was created. Based on and because of rule 3 is created.

Action has the same precondition and the same effect except that instead ofsv ' h 0 , sv ' 2 0 is modified. Therefore, is enabled in

. Moreover, for any value

that can assign to sv ' 0 as a function of , can assign that value to sv ' 2 0 asa function of . Changes to are the same for the two actions as they are taken

from . Consequently, w 4 w sv ' 1 0 4 sv ' 0 4 4 4 w sv ' 1 0 4 sv ' 0 3 w

4

4

is a transition ofu

.

3.5. CAS E: Action is created by rule 3 4. Then there exists an action createdby rule

4, such that

w

4

4

is a transition of

u.

PROOF: In order for to exist in , there must be an action ` , such that

3

prec

k 4 4

sv' 0

for a state function `

1

. Then there existsaction ` A defined by rule T4. For a state pair w 4 satisfying we have

w 4 z3

prec k 3 k 4 4 sv ' 1 0 k 3 1

3 k prec k 4 4 sv ' 0 k 3

w 4 z3 prec

k

3

k 4 4sv

'1

0 k 31

w 4 z3 3 k prec k 4 4 sv ' 0 k 3 1

w 4 z3 prec k 3 k 4 4 sv ' 1 0 k 3 1 k sv 3 sv

w 4 z3

k 3 k prec k 4 4 sv ' 0 k

3

k sv 3 sv k sv ' 0 3 sv ' 0

w 4 z3 prec k 4 4 sv ' 1 0 k 3 1 k sv ' 0 3 sv ' 0

w 4 z3

k 3

kprec

k 4 4 sv ' 0

k sv ' 0 3 sv ' 0 k sv ' 0 3 sv ' 0

w

4

z3 prec

k 4 4 sv ' 1 0 k 3 1 k sv ' 2 0 3 sv ' 2 0 w

4

z3 63 1 k prec k 4 4 sv ' 2 0 k sv ' 2 0 3 sv ' 2 0

w

4

z3

Therefore, w

4

4

is a transition of u .

4. R4 is satisfied by construction of .

PROOF:We prove that R4 holds by case analysis on the type of liveness conditions.

4.1. CAS E: If belongs toP u , then

satisfies all weak fairness conditionsof

.

PROOF:Suppose belongs to P u , but

violates the weak fairness con-dition of an action . We prove that this leads to contradiction. In order for to

belong toW, there must exist in

, such that `

W. Since

`

P u

, thebehavior must satisfy the weak fairness condition of,

z3

prec

weff

4.1.1. CAS E: Ifz3

prec

, then

z3 prec

.


25/45

PROOF:Because of rules T1-T3 and condition3, it holds that prec

prec

.

This condition holds for any T4 action as well, since in this case

prec

prec k 3 1 prec k 63 1 prec

Moreover, because of condition 3, the assertion prec is a function of onlythe part of the state. Since the two sequences and

agree on in each

state, for all Y with Y B 0

4 Y z3 prec

4 Y z3 prec

Consequently,

z3

prec

z3 prec

4.1.2. CAS E: If z3 w eff , then

z3 w eff .PROOF:For the proof we need to consider 4 cases, depending on the rule that

was used to generate from .4.1.2.1. CAS E: If was generated from by using rule T1,then z3 w eff

implies

z3 w eff .

PROOF:In this case eff

eff

by construction. Moreover, since eff

is a function of only the part of the behavior, for all Y B 0 it holds

4 Y 4 4 Y 1 z3 w eff

4 Y 4

4 Y 1 z3 w eff

Therefore,

z3 w

eff

z3 weff

4.1.2.2. CAS E: If was generated from by using rule T2,then z3 w eff implies

z3 weff

.

PROOF:Assume that accesses variable sv ' h 0 . It holds that

z3 w eff z3 w eff k 3 h z3 w eff k 63 h

We prove that either case implies

z3 weff

.

w 5 1. CAS E: z3 w eff k 3 h

z3 w eff .From rule T2 we know that

sv ' h 0 3 sv ' 2 0 eff eff (6)

In the states of in which 3 h , we have sv ' 0 3 sv ' h 0 . Moreover, foreach Y B 0, the value sv ' 0 in state 4 Y equals the value sv ' 2 0 of state

4 Y . Therefore, for every Y B 0, for any value ` FS:

4 Y z3

3 h ksv

' h 0 3

4 Y z3sv

'2

0 3

Then because of (6) and the fact that eff is a function only of andsv ' h 0 , it holds that

Y B 0 : 4 Y 4 4 Y 1 z3 w eff k 3 h

4 Y 4

4 Y 1

z3 weff

and because of that

z3 w eff k 3 h

z3 w eff

w 5 2. CAS E: 6z3 w eff k 3 h

z3 w eff .Since z3 w eff , there must be actions that simulate the effectof action infinitely often. Because of restriction 4a, these actions canonly be actions accessing one of the variables in SV . Because there is


26/45

a finite number of actions, there must exist action `

, which accesses

variable sv ' 0 , such that, z3 w eff k 3 k eff eff .

Then there must exist action in A. With the same reasoning as for casew 5 1, we can prove that

z3 w eff . Suppose eff 3 4 4 sv ' h 0

and eff 3 4 4 sv ' 0 are syntactically equivalent logic actions, theneff 3 4 4 sv ' 2 0 and eff 3 4 4 sv ' 2 0 . Therefore, eff

eff , which implies that

Y B 0 :

4 Y 4

4 Y 1 z3 w eff

4 Y 4

4 Y 1 z3 w eff

Consequently, if and are syntactically equivalent

z3 w

eff

k

63 h

z3 weff

What is left is the case in which and are not syntactically equivalent. Inthis case, because of restriction 4b, in order for eff

eff

to hold,

the value of the variable sv ' 0 accessed by must be equal to the value ofsv ' h 0 , in all pairs of states that satisfy eff eff . Because of that in

the corresponding states of

, sv ' 2 0 3 sv ' 0 3 sv ' h 0 . However, since sv ' h 0 3 sv ' 2 0 eff eff by construction of ,

Y B 0 : 4 Y 4 4 Y 1 z3 w eff k sv ' 0 3 sv ' h 0 k 3 k eff eff

4 Y 4

4 Y 1 z3 w eff

Consequently, in the case and are not syntactically equivalent

z3 w eff k 63 h

z3 w eff

Since in either case

z3 w eff holds, the proof is complete.4.1.2.3. CAS E: If was generated from by using rule T3,then

z3 weff

implies

z3 w eff .

PROOF:The proofis based again on two cases. The first isz3 w

eff

k

3 h

and the second z3 w eff k 63 h , where sv ' h 0 is the variable writ-

ten by action . We show that in both cases

z3 w eff .w 5 1. CAS E: z3 w eff k 3 h

z3 w eff .From rule T3 we know that

sv ' h 0 3 sv ' 2 0 k sv ' h 0 3 sv ' 2 0 eff eff (7)

In the states of in which 3 h , we have sv ' 0 3 sv ' h 0 and sv ' 0 3 sv ' h 0 .Moreover, for each Y B 0, the value sv ' 0 in state 4 Y equals the value

sv ' 2 0 of state

4 Y . Therefore, for every

Y B0, for any value

`FS:

4 Y z3 3 h k sv ' h 0 3

4 Y z3 sv ' 2 0 3 Then because of (7) and the fact that eff

is a function only of

and

sv ' h 0 , it holds that

Y B 0 : 4 Y 4 4 Y 1 z3 w eff k 3 h

4 Y 4

4 Y 1 z3 w eff

and because of that

z3 w eff k 3 h

z3 w eff

w 5 2. CAS E: 6z3 w eff k 3 h

z3 w eff .Since z3 w eff , there must be actions that simulate the effectof action infinitely often. Because of restriction 4a, these actions can


27/45

only be actions writing on one of the variables in SV . Because there is

a finite number of actions, there must exist action `

, which writes

variable sv ' 0 , such that, z3 w eff k 3 k eff eff .Then there must exist action in A. With the same reasoning as for case

w 5 1, we can prove that

z3 w eff . Note that if 3 h then thereis a contradiction, since we assumed that it cannot be the case that 3 h

infinitely often when w eff is satisfied by. Therefore, 63 h . However,that implies that z3 w eff k 3 k sv ' 0 3 sv ' 0 k sv ' h 0 3 sv ' h 0 k w eff .Otherwise, a change in sv ' 0 would not satisfy eff . Suppose eff 3

4 4 sv ' h 0 4 sv ' h 0 and eff 3 4 4 sv ' 0 4 sv ' 0 are syntactically equiv-alent actions, then eff

3 4 4 sv ' 2 0 4 sv ' 2 0 and eff 3 4 4 sv ' 2 0 4 sv ' 2 0 .Therefore, eff

eff

, which implies that

Y B0 :

4 Y 4

4 Y 1 z3 w eff

4 Y 4

4 Y 1 z3 w eff

Consequently, if and are syntactically equivalent

z3 w eff k 63 h

z3 w eff

What is left is the case in which and are not syntactically equiva-lent. In this case, because of restriction 4b, in order for eff

eff

to hold, the value of the variable sv ' 0 , which is equal to sv ' 0 , must

be equal to the value of sv ' h 0 , which is equal to sv ' h 0 , in all pairs of

states that satisfy eff eff . Because of that in the corresponding

states of

, sv

'2

0 3sv

' 0 3sv

' h 0and sv

'2

0 3sv

'2

0. However, since

sv ' h 0 3 sv ' 2 0 k sv ' h 0 3 sv ' 2 0 eff eff by construction of,

Y B0 :

4 Y 4 4 Y 1 z3 w eff k sv ' 0 3 sv ' h 0 k 3 k eff eff

4 Y 4

4 Y 1 z3 w eff

Consequently, in the case and are not syntactically equivalent

z3 w eff k 63 h

z3 w eff

The two results above complete the proof.

4.1.2.4. CAS E: If was generated from by using rule T4,then z3 w eff implies

z3 w eff .PROOF:Following the same reasoningas above we assume that z3 4 4 sv ' 0 .

Since the range of

is 1

, which is a finite set for all

, we have

z3 4 4 sv ' 1 0 h ` 2

: z3 4 4 sv ' h 0

In the case of z3 4 4 sv ' 1 0 , we have that for all Y B 0, 4 Y and

4 Y agree on e and sv ' 1 0 . Because of that

Y B 0 : w 4 Y 4 4 Y 1 z3 4 4 sv ' 1 0

w

4 Y 4

4 Y 1 z3 4 4 sv ' 1 0

Therefore, z3 4 4 sv ' 1 0

z3 4 4 sv ' 1 0

In case h ` 2

: z3 4 4 sv ' h 0 , we can split in two cases, i.e.,

3 h and 63 h , and follow the same reasoning as in step 4.1.2.2 to provethat

z3 4 4sv

'2

0 .


28/45

From all the above cases, it was shown that if z3 w

eff

, then

z3

weff

.

Since both cases, i.e., z3 prec and z3 w eff , lead to contra-diction, we conclude that

satisfies all weak fairness conditions of , when

belongs to P u .4.2. CAS E: If belongs to P u , then

satisfies all strong fairness condi-

tions of .

PROOF:This case will be proven similarly to step 4.1. More specifically, suppose

that there exists in P u and there exists in S, such that

is not satisfiedby

. We prove that this leads to a contradiction. In order for to belong toS, there must exist in S, such that z3

. Equivalently,

z3 prec w eff

z3

prec

z3 weff

For both cases we can prove that

z3 prec w eff

which is a contradiction.4.2.1. CAS E: If

z3 prec

, then

z3 prec

.

PROOF:Because of rules T1-T3, it holds that prec prec . Moreover,

because of condition 3, the assertion prec is a function of only the partof the state. Since the two sequences and

agree on in each state, for

all Y with Y B 0

4 Y z3 prec

4 Y z3 prec

Consequently,

z3 prec

z3 prec

4.2.2. CAS E: If z3 w eff , then

z3 w eff .PROOF:This is already proven in step 4.1.2.

Therefore, if

satisfies

, the sequence

satisfies

, which is acontradiction.

4.3. CAS E: If belongs to P u , then

satisfies all constant value fairnessconditions of

.

PROOF:In this case we need to prove that `

P u

implies that

`

C :

z3

. We prove this by contradiction. Assume that

`P

u

and

there exists ` C such that

6z3

. There are two cases; either belongsto W, or belongs to S.4.3.1. CAS E: ` W

z3

PROOF:Since is in P u , it must hold that z3

. Equivalently, it

holds that

z3 prec z3 w eff

We prove that each disjunct implies

z3

.

4.3.1.1. CAS E:

z3

prec

z3

PROOF:Since prec

is only a function of

:

Y B0 :

4 Y z3 prec

4 Y z3 prec

Therefore,

z3

prec

z3 prec


29/45

z3

4.3.1.2. CAS E: z3 w eff

z3

PROOF:

z3 w eff z3 4 4 sv ' 0

z3 4

4A

The condition 4 4

is specified only on the part of the state. There-

fore,

Y B 0 : 4 Y 4 4 Y 1 z3 4 4

4 Y 4

4 Y 1

z3 4

4

Consequently,

z3 4

4

z3 4

4

z3 4 4

This completes the proof for ` W.4.3.2. CAS E: ` S

z3

PROOF:Since is in P u , it must hold that z3

. Equivalently, itholds that

z3 prec z3 w eff For the first case we can follow a similar argument as for ` W, and for thesecond the argument is identical to the case ` W, to prove that

z3

.Therefore, we have a contradiction.

Since must be either in W or in S, the proof is completed.4.4. CAS E: If belongs to P

u

, then

satisfies all justice and compassion

requirements of

.

PROOF: Since for any justice requirement

, the assertion p is expressed only

on variables in and sv ' 1 0 , we have

Y B

0 :

4 Y z3

4 Y z3

z3

z3 The same result can be derived for any compassion requirement ~ ,

since~

and

are assertions expressed on and sv ' 1 0 . Therefore, z3

z3 Since belongs to P u , we have that z3 and, therefore,

satisfies

, which is the conjunction of all justice and compassion requirements of .

From Lemmas 2 and 3, Theorem 1 follows.


30/45

" $ %

) 1 3 5 6 1 8 9 A C 9 D E 1 H I H Q S U 9 C V D 1 V I S H Q X ` a ` b V I A e a g h b i E V 6 p H D 1 S U 3 q U 9 V 6 p H D 1 S U 3

S U V S 9 V x U 5 D H x 9 E E 9 9 x S 9 E 1 E E U H I q $ H D 9 H C 9 D V 5 V D S H Q S U 9 1 I 1 S 1 V 6 x H I A 1 S 1 H I E

V I A S U 9 Q V 1 D I 9 E E D 9 1 D 9 3 9 I S E Q H D S U 9 V x S 1 H I E H Q S U 9 5 D H x 9 E E 9 E V D 9 A 1 E 5 6 V 9 A q

a a

% j j k n o

%

% j j k n o

z { | } ~

{

~

D 9 5 D 9 E 9 I S E

a a

}

|

} |


31/45

}

|

}

|


32/45

" $ %

) 1 3 5 7 9 A 9 C E G 1 I Q S U V 9 3 7 E G W S C E 1 3 a S E S S c 5 E 3 S e E 7 9 A G S 5 c 1 1 A S p p U 7 1 a S A a c 1 C 9 3 1

E G 1 S p p U 7 e S E 7 9 A 9 C 9 u 3 E 1 e G A 7 v u 1

w x

k l m o l m k l m m k k l

z { | l } m m k m m m k l l

x m m m m m m k m

m l m

} l

k l l

l k } l

l } m

} l

k m m

} l

} l m l k } l m } l

l }

k m

k

l }

l }

l l l m

{

z

{

z

l l l l m

{

m

z

{


33/45

z

l o l m

{ m

m

{

z

l k o l m

l l l o m

{

{

z

k o l m

{

l } l }

{ l }

m

l


34/45


35/45


36/45


37/45


38/45

k m

k

E G 1 U 9 e S U e 9 p 7 1 5 7 U U 7 A 7 E 7 S U U G S 1 9 A 1 9 C E G 1 S U u 1 5 9 C E G 1 A 1 7 V G c 9 3 5

k m m l m

}

k

}

}

k l l

}

k

}

}

} k

} k

} m

}

}

k m

k m m l m

m l

} k

}

}

}

k

}

}

k

k

k

l l

k l

k

l

l m

k

l

k

9 E G 1 3 7 5 1 ! # $ & ) 0

k

k

l l

k l l

k

3


39/45


40/45

f } m V $ C $

m V $ C $

1 3

} d 4

4 f }

1 3

1 e

4

} d 4

5 B P s 8 E F S $ s r W s B C {

5 B V & B B $ E F S w C {

f }

w $

w $

1 3

4 f }

w $ 1 3

1 e

4

} d 4

W & H $ 8 w E w S F B C {

f }

w $

w $

1 3

} d 4

4

" B p B % & p % {

f } B % & p %

C S

1 3 P & " s % V F B

4 P & " s % V s % s % &

% s & % 8 ` s % & P s &


41/45


42/45


43/45

S w m

B p

l

B p )

y

1

l

S r s s 8 C S w

`

S `

3 y d 3

p % B

H 8 s

W s B F {

S `

F

5 B V & B B $ r W s B r s s 8

l

C S r s s 8 {

S w m

5 B E F S $ s r W s B r s s 8

l

C S r s s 8 {

w

l

w $

S w m

w

l

m

S w m

S w w

l

S w m C w $

B p

l

B p ) y 1

l

S r s s 8 C w $

S w m

B p

l

B p )

y

1

l

S r s s 8 C S w

`

S `

3

y

d 3

p % B

H 8 s

S r s s 8

B p

l

l

S w

B p

l

l

S `

" B p B p

l

{

3 y d 3

B 8 p % B

P & 8

H 8 s

H 8 s W s B

H 8 s

H 8 s W s B

F m P & " s % V F B C P & " s % V s % s % &

H 8 s

F {

F m P & " s % V F B C P & " s % V s % s % &

H 8 s

W s B F {

H 8 s

% s H & B B V % s % &


44/45

H 8 s

1 & p S F &

y 4 m S w $ { 1 e

f 3

B p

l

B p )

y

1

l

C & p S F &

3 y d 3

p % B C `

H 8 s

1 & p S F &

y

4 m

w $ { 1 e

f 3

B p

l

B p )

y

1

l

V $ C & p S F &

3 y d 3

p % B C `

P & 8

H 8 s

H 8 s

`

C S

V $ C m

w $ {

C m S w $ {

$

& H 8 s p {

B p

l

B p 0 ) y 1

l

p

3

y

d 3

p % B C `

{

f 3 4 1 d 3 y % s H & B B f 1

V % s % &

f 3 4 1 d 3 y % s H & B B V % s % &

5 8

B p m

l

V $ C

w $ {

p m r s s 8

l

p

{ w

l

p m S w $ {

S ` m P & " s % V s % s % & C P & " s % V F B

S r s s 8 m V $ C

S w m

w $

S r s s 8

S w m S w $ {

` m P s 8 P & " s % P s & C P & " s % V s % s % & C P & " s % V F B C


45/45

5 p % 8

p m r s s 8

l

p m V $ C

p m w

l

p m

w $ {

S r s s 8 m V $ C

S w m

w $

` m P s 8 P & " s % P s & C P & " s % V s % s % & C P & " s % V F B C

S ` m P & " s % V s % s % & C P & " s % V F B

p m r s s 8

l

p

{ w

l

p m S w $ {

P & 8

{ P & 8

V % s % & P & 8

` % & B B

{

H 8 s W s B {

{

H 8 s W s B {

F m P & " s % V F B C P & " s % V s % s % & {

H 8 s

W s B F { {

{

H 8 s

{

S r s s 8

S w

S S `

" B p

C S { {

`

P & " s % V s % s % & { { S `

P & " s % V s % s % & { {

& H

5 8

l

P & 8

` % & B B

W s % % & H 8 & B B

% s & % 8 ` s % & P s &

Tech Report NWU-EECS-06-20

Documents

Transcript of Tech Report NWU-EECS-06-20