CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Proof Rule for Proving Invariants To establish that a property is an invariant of transition system T Find another property such that implies (that is, a state satisfying must satisfy ) is an inductive invariant Show that every initial state satisfies Assume that a state s satisfies . Consider a state t such that (s,t) is a transition. Show that t must satisfy This is a sound and complete strategy for establishing invariants 1.Sound means this is a correct proof technique 2.Complete: If is an invariant, then there must exist some inductive strengthening satisfying above conditions CIS 540 Spring 2016; Lecture Feb 8
Inductive Invariants Initial States Reachable States Property Strengthening CIS 540 Spring 2016; Lecture Feb 8
Correctness of GCD Want to prove that (mode=stop -> y=gcd(m,n)) is invariant But this property is not an inductive invariant Consider property : gcd(x,y) = gcd (m,n) Verify that this property is indeed an inductive invariant! Captures the core logic of the program: Even though x and y are updated at every step, their gcd stays unchanged When switching to “stop”, if x is 0, then gcd(0,y) is y; if y=0, then gcd(x,0)=x, and thus x=gcd(m,n) upon switching to stop loopstop nat x:=m; y:=n (x>0 & y>0) if (x>y) then x:=x-y else y:=y-x ~ (x>0 & y>0) if (x=0) then x:=y CIS 540 Spring 2016; Lecture Feb 8
Transition System for Leader Election State variables: For each node n, int id n := n; int r n := 1 Update during single transition: Round counters: if r n < N then r n := r n +1 Identifiers: id n := max {id n, max {id m | m->n is a network link}} CIS 540 Spring 2016; Lecture Feb 8
Invariants for Leader Election Initial state: for each node n, int id n := n; int r n := 1 Update during single transition: if r n < N then r n := r n +1 id n := max {id n, max {id m | m->n is a network link}} Consider: id n >= n (that is, for node n, id is at least n) Obviously an invariant; is it an inductive invariant? Let P be the set of identifiers of all nodes What about: “for each node n, id n belongs to P” ? CIS 540 Spring 2016; Lecture Feb 8
Correctness of Leader Election We expect id n to be max of all identifiers after N rounds. Formal property: For each n, r n =N -> id n = max P Not inductive. Goal: Find inductive strengthening that captures co-relation among all variables at intermediate steps Informal: After k rounds, each r n equals k, and id n is max of identifiers of nodes that are <=k hops away from node n Formal property: 1 : For all nodes m and n, r m = r n & 2 : For each node n, id n = max { m | distance(m,n) < r n } Prove this property is an inductive invariant! CIS 540 Spring 2016; Lecture Feb 8
Proof: Base Case Initial state s: for each node n, s(id n ) = n and s(r n ) = 1 Goal: Show that the following holds in this initial state s 1 : For each m and n, r m = r n & 2 : For each n, id n = max { m | distance(m,n) < r n } s(r m ) = s(r n ) =1; so 1 holds To show 2, consider a node n, we want to show s(id n ) = max { m | distance(m,n) < 1 } The only node m with distance(m,n) < 1 is n itself, and s(id n ) = n, so above holds CIS 540 Spring 2016; Lecture Feb 8
Proof: Inductive Case Consider an arbitrary state s, and assume both 1 and 2 hold Let s(r n ) = k, for each node n For k< N, consider the state t obtained by executing one step from s Goal: Show that both 1 and 2 hold in state t. Consider two nodes m and n. t(r m ) = s(r m ) + 1 = k+1, and similarly, t(r n ) = k+1, so 1 holds in t To show 2, consider a node n, we want to show t(id n ) = max { m| distance(m,n) < k+1} Assumption 1 (from inductive hypothesis), for each node m s(id m ) = max { l | distance(l,m) < k} Assumption 2 (from the transition description of the system): t(id n ) = max {s(id n ), max {s(id m ) | m->n is a network link}} CIS 540 Spring 2016; Lecture Feb 8
Proof: Inductive Case (Continued) Let l be the node with highest identifier with distance(l,n) < k+1 Goal: to show that t(id n ) = l Let distance(l, n) = d. We know d < k+1. Either d < k or d=k Case (i): d < k By assumption 1, s(id n ) cannot be less than l, so must be l By assumption 2, t(id n ) cannot be less, and thus, must be l Case (ii): d =k By basic properties of graphs, there must be a node m such that distance(l,m) = k-1 and m->n is a network link By assumption 1, s(id m ) cannot be less than l, so must be l By assumption 2, t(id n ) cannot be less, and thus, must be l The proof is complete! CIS 540 Spring 2016; Lecture Feb 8
Summary of Invariants General purpose proof technique for proving safety properties of programs/models/systems Inductive invariant: Must hold in initial states Preserved by every transition To be inductive, property needs to capture relevant relationships among all relevant state variables Benefit of finding inductive invariants: Correctness reasoning becomes local (one needs to think about what happens in one step) Tools available to check if a given property is inductive invariant Area of active research: can a tool discover them automatically? Science of deep specifications: CIS 540 Spring 2016; Lecture Feb 8
Requirements-based Design Given: Input/output interface of system C to be designed Model E of the environment Safety property of the composite system Design problem: Fill in details of C (state variables, initialization, and update) so that C || E satisfies the invariant CIS 540 Spring 2016; Lecture Feb 8
Railroad Controller Example CIS 540 Spring 2016; Lecture Feb 8
Train Model From the perspective of the controller, train is initially far away Train can be away for an arbitrarily long period When the train gets close, it communicates with the controller via an event, say, arrive, and now it is in a different state, say, wait When near, train is monitoring the signal: If the signal is green, it enters the bridge If the signal is red, it continues to wait A train can stay on bridge for a duration that is not exactly known (and not directly under the control of the traffic controller) When the train leaves the bridge, it communicates with the controller via an event, say, leave, and goes back to away state This behavior repeats: an away train may again request an entry Both trains have symmetric behavior CIS 540 Spring 2016; Lecture Feb 8
Synchronous Component Train CIS 540 Spring 2016; Lecture Feb 8
{green, red} signal E Train E event({arrive,leave}) out E Controller {green, red} signal W Train W event({arrive,leave}) out W Controller Design Problem Safety Requirement: Following should be an invariant: ~ ( mode W = bridge & mode E = bridge) Trains should not be on bridge simultaneously CIS 540 Spring 2016; Lecture Feb 8
First Attempt at Controller Design Controller maintains state variables to track the state of each signal Both state variables are initially green Set the output signals based on the corresponding state vars If a train arrives, then update the opposite signal var to red to block the other train from entering If a train leaves, reset the opposite signal var to green What happens if both trains arrive simultaneously? Give priority to east train: set west signal var to red CIS 540 Spring 2016; Lecture Feb 8
Synchronous Component Controller1 CIS 540 Spring 2016; Lecture Feb 8
westeastmode W mode E greengreenawayaway arrive! redgreenwaitwait redleave! redgreen redgreenwaitbridge greengreenwaitaway greenarrive! redgreenbridgewait redgreen redgreenbridgebridge CIS 540 Spring 2016; Lecture Feb 8
Second Attempt at Controller Design What went wrong the first time? Controller did not remember whether a train was waiting at each entrance Boolean variable near W remembers whether the west train wants to use the bridge Initially 0 When the west train issues arrive, changed to 1 When the west train issues leave, reset back to 0 Invariant: mode W = away if and only if near W = 0 Variable near E is symmetric Let’s also now keep both signals red by default A signal is changed to green if the corresponding train is near, the other signal is not red, and changed back to red when train is away Need still to resolve simultaneous arrivals by preferring one train CIS 540 Spring 2016; Lecture Feb 8