
CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur




1 CIS 540 Principles of Embedded Computation, Spring 2016
http://www.seas.upenn.edu/~cis540/
Instructor: Rajeev Alur, alur@cis.upenn.edu

2 Proof Rule for Proving Invariants
- To establish that a property φ is an invariant of transition system T:
  - Find another property ψ such that
    - ψ implies φ (that is, a state satisfying ψ must satisfy φ)
    - ψ is an inductive invariant:
      - Show that every initial state satisfies ψ
      - Assume that a state s satisfies ψ. Consider a state t such that (s,t) is a transition. Show that t must satisfy ψ
- This is a sound and complete strategy for establishing invariants
  1. Sound means this is a correct proof technique
  2. Complete: If φ is an invariant, then there must exist some inductive strengthening ψ satisfying the above conditions
CIS 540 Spring 2016; Lecture Feb 8

3 Inductive Invariants (diagram: Initial States within Reachable States, within Strengthening ψ, within Property φ)

4 Correctness of GCD
- Want to prove that (mode=stop -> y=gcd(m,n)) is an invariant
- But this property is not an inductive invariant
- Consider property ψ: gcd(x,y) = gcd(m,n)
- Verify that this property is indeed an inductive invariant!
- Captures the core logic of the program: even though x and y are updated at every step, their gcd stays unchanged
- When switching to "stop", if x is 0, then gcd(0,y) is y; if y=0, then gcd(x,0)=x, and thus x=gcd(m,n) upon switching to stop
Program (modes loop and stop; initialization nat x:=m; y:=n):
  loop (self-loop):  (x>0 & y>0) -> if (x>y) then x:=x-y else y:=y-x
  loop -> stop:      ~(x>0 & y>0) -> if (x=0) then x:=y
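The check the slide asks for, carried out by bounded exhaustive search as an added example (not from the slides): every state (mode, x, y) up to a bound is tested for whether a property that holds in it still holds after one transition. The target φ is taken in the form the slide's argument concludes (x = gcd(m,n) in mode stop); the inputs m=12, n=18 and the bound are constructed. The search also shows that ψ alone does not imply φ, so the strengthening the proof rule needs is the conjunction φ & ψ, which is inductive.

```python
from itertools import product
from math import gcd
# Added example (not from the slides): exhaustively check, on a bounded state
# space, which of the GCD properties are inductive. A state is (mode, x, y)
# for fixed program inputs m, n; mode is "loop" or "stop".
def step(state):
    mode, x, y = state
    if mode == "stop":                       # stop has no outgoing transition
        return state
    if x > 0 and y > 0:                      # guard of the self-loop on loop
        return ("loop", x - y, y) if x > y else ("loop", x, y - x)
    return ("stop", y if x == 0 else x, y)   # ~(x>0 & y>0): switch to stop

def states(bound):
    return [(mode, x, y) for mode in ("loop", "stop")
            for x in range(bound + 1) for y in range(bound + 1)]

def initial(m, n):
    return ("loop", m, n)                    # nat x := m; y := n

def phi(s, m, n):
    """Target property: once in mode stop, x holds gcd(m, n)."""
    return s[0] != "stop" or s[1] == gcd(m, n)

def psi(s, m, n):
    """Strengthening from the slide: the gcd of x and y never changes."""
    return gcd(s[1], s[2]) == gcd(m, n)

def phi_and_psi(s, m, n):
    return phi(s, m, n) and psi(s, m, n)

def inductive_counterexample(prop, m, n, bound):
    """Witness that prop is not inductive: an initial state violating it, or a
    transition s -> t with prop(s) and not prop(t). None if prop is inductive."""
    s0 = initial(m, n)
    if not prop(s0, m, n):
        return (None, s0)
    for s in states(bound):
        if prop(s, m, n) and not prop(step(s), m, n):
            return (s, step(s))
    return None

def implies(p, q, m, n, bound):
    """Does every state satisfying p (within the bound) also satisfy q?"""
    return all(q(s, m, n) for s in states(bound) if p(s, m, n))

if __name__ == "__main__":
    for name, prop in (("phi", phi), ("psi", psi), ("phi & psi", phi_and_psi)):
        print(name, "inductive:", inductive_counterexample(prop, 12, 18, 30) is None)
```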

5 Transition System for Leader Election
- State variables: for each node n, int id_n := n; int r_n := 1
- Update during a single transition:
  - Round counters: if r_n < N then r_n := r_n + 1
  - Identifiers: id_n := max { id_n, max { id_m | m->n is a network link } }

6 Invariants for Leader Election
- Initial state: for each node n, int id_n := n; int r_n := 1
- Update during a single transition:
  - if r_n < N then r_n := r_n + 1
  - id_n := max { id_n, max { id_m | m->n is a network link } }
- Consider: id_n >= n (that is, for node n, id is at least n)
- Obviously an invariant; is it an inductive invariant?
- Let P be the set of identifiers of all nodes
- What about: "for each node n, id_n belongs to P"?

7 Correctness of Leader Election
- We expect id_n to be the max of all identifiers after N rounds
- Formal property: for each n, r_n = N -> id_n = max P
- Not inductive
- Goal: find an inductive strengthening that captures the correlation among all variables at intermediate steps
- Informal: after k rounds, each r_n equals k, and id_n is the max of the identifiers of nodes that are <= k hops away from node n
- Formal property:
  - ψ1: for all nodes m and n, r_m = r_n, and
  - ψ2: for each node n, id_n = max { m | distance(m,n) < r_n }
- Prove this property is an inductive invariant!

8 Proof: Base Case
- Initial state s: for each node n, s(id_n) = n and s(r_n) = 1
- Goal: show that the following holds in this initial state s
  - ψ1: for each m and n, r_m = r_n, and
  - ψ2: for each n, id_n = max { m | distance(m,n) < r_n }
- s(r_m) = s(r_n) = 1, so ψ1 holds
- To show ψ2, consider a node n; we want to show s(id_n) = max { m | distance(m,n) < 1 }
- The only node m with distance(m,n) < 1 is n itself, and s(id_n) = n, so the above holds

9 Proof: Inductive Case
- Consider an arbitrary state s, and assume both ψ1 and ψ2 hold
- Let s(r_n) = k, for each node n
- For k < N, consider the state t obtained by executing one step from s
- Goal: show that both ψ1 and ψ2 hold in state t
- Consider two nodes m and n. t(r_m) = s(r_m) + 1 = k+1, and similarly t(r_n) = k+1, so ψ1 holds in t
- To show ψ2, consider a node n; we want to show t(id_n) = max { m | distance(m,n) < k+1 }
- Assumption 1 (from the inductive hypothesis): for each node m, s(id_m) = max { l | distance(l,m) < k }
- Assumption 2 (from the transition description of the system): t(id_n) = max { s(id_n), max { s(id_m) | m->n is a network link } }

10 Proof: Inductive Case (Continued)
- Let l be the node with the highest identifier among those with distance(l,n) < k+1
- Goal: to show that t(id_n) = l
- Let distance(l,n) = d. We know d < k+1. Either d < k or d = k
- Case (i): d < k
  - By assumption 1, s(id_n) cannot be less than l, so it must be l
  - By assumption 2, t(id_n) cannot be less, and thus it must be l
- Case (ii): d = k
  - By basic properties of graphs, there must be a node m such that distance(l,m) = k-1 and m->n is a network link
  - By assumption 1, s(id_m) cannot be less than l, so it must be l
  - By assumption 2, t(id_n) cannot be less, and thus it must be l
- The proof is complete!
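The inductive invariant just proved, checked mechanically as an added example (not from the slides): on a constructed four-node directed ring, every assignment to the id_n and r_n variables (not only the reachable ones) that satisfies ψ1 & ψ2 is enumerated and its successor tested, which is exactly the inductive step of the proof rule; φ alone fails the same check. The ring, the use of node numbers as identifiers and the function names are assumptions.

```python
from itertools import product
# Added example (not from the slides): bounded exhaustive check that psi1 & psi2
# is an inductive invariant of the leader-election system, while phi alone is
# not. Constructed network: the directed ring 1->2->3->4->1; identifiers are
# the node numbers, so max P = N.
LINKS = {(1, 2), (2, 3), (3, 4), (4, 1)}
NODES = sorted({n for link in LINKS for n in link})
N = len(NODES)

def distances():
    """distance(m, n): shortest directed path length m -> n (N if unreachable)."""
    d = {(m, n): 0 if m == n else 1 if (m, n) in LINKS else N
         for m in NODES for n in NODES}
    for k, i, j in product(NODES, repeat=3):           # Floyd-Warshall
        d[(i, j)] = min(d[(i, j)], d[(i, k)] + d[(k, j)])
    return d
DIST = distances()

def initial():
    return {n: (n, 1) for n in NODES}                   # id_n := n, r_n := 1

def step(s):
    """One synchronous round of the transition system on slide 5."""
    t = {}
    for n in NODES:
        id_n, r_n = s[n]
        incoming = [s[m][0] for m in NODES if (m, n) in LINKS]
        t[n] = (max([id_n] + incoming), r_n + 1 if r_n < N else r_n)
    return t

def phi(s):
    """Target property: r_n = N -> id_n = max P, for each node n."""
    return all(s[n][0] == max(NODES) for n in NODES if s[n][1] == N)

def psi(s):
    """psi1: all r_n agree; psi2: id_n = max {m | distance(m, n) < r_n}."""
    return len({s[n][1] for n in NODES}) == 1 and all(
        s[n][0] == max(m for m in NODES if DIST[(m, n)] < s[n][1]) for n in NODES)

def all_states():
    """Every assignment of id_n, r_n in 1..N, reachable or not."""
    for vals in product(range(1, N + 1), repeat=2 * N):
        yield {n: (vals[2 * i], vals[2 * i + 1]) for i, n in enumerate(NODES)}

def inductive_counterexample(prop):
    """An initial state or a transition s -> t breaking prop, else None."""
    if not prop(initial()):
        return (None, initial())
    return next(((s, step(s)) for s in all_states()
                 if prop(s) and not prop(step(s))), None)
```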

11 Summary of Invariants
- General-purpose proof technique for proving safety properties of programs/models/systems
- Inductive invariant:
  - Must hold in initial states
  - Preserved by every transition
- To be inductive, a property needs to capture the relevant relationships among all relevant state variables
- Benefit of finding inductive invariants: correctness reasoning becomes local (one needs to think only about what happens in one step)
- Tools are available to check whether a given property is an inductive invariant
- Area of active research: can a tool discover them automatically?
- Science of deep specifications: www.deepspec.org

12 Requirements-based Design
- Given:
  - Input/output interface of the system C to be designed
  - Model E of the environment
  - Safety property φ of the composite system
- Design problem: fill in the details of C (state variables, initialization, and update) so that C || E satisfies the invariant φ

13 Railroad Controller Example (figure slide)

14 Train Model
- From the perspective of the controller, the train is initially far away
- The train can be away for an arbitrarily long period
- When the train gets close, it communicates with the controller via an event, say arrive, and is now in a different state, say wait
- When near, the train is monitoring the signal:
  - If the signal is green, it enters the bridge
  - If the signal is red, it continues to wait
- A train can stay on the bridge for a duration that is not exactly known (and not directly under the control of the traffic controller)
- When the train leaves the bridge, it communicates with the controller via an event, say leave, and goes back to the away state
- This behavior repeats: an away train may again request entry
- Both trains have symmetric behavior

15 Synchronous Component Train (figure slide)

16 Design Problem (block diagram)
- Train_E outputs out_E of type event({arrive, leave}) to the Controller; Train_W outputs out_W of type event({arrive, leave}) to the Controller
- The Controller outputs signal_E and signal_W, each of type {green, red}, read by the corresponding train
- Safety Requirement: the following should be an invariant: ~(mode_W = bridge & mode_E = bridge), i.e., the trains should not be on the bridge simultaneously

17 First Attempt at Controller Design
- The controller maintains state variables to track the state of each signal
- Both state variables are initially green
- Set the output signals based on the corresponding state variables
- If a train arrives, then update the opposite signal variable to red to block the other train from entering
- If a train leaves, reset the opposite signal variable to green
- What happens if both trains arrive simultaneously?
- Give priority to the east train: set the west signal variable to red

18 Synchronous Component Controller1 (figure slide)

19 Execution of Controller1 (columns: west and east signal variables, mode_W, mode_E; events between rows)
  west    east    mode_W   mode_E
  green   green   away     away
      (both trains: arrive!)
  red     green   wait     wait
  red     green   wait     bridge
      (east train: leave!)
  green   green   wait     away
      (east train: arrive!)
  red     green   bridge   wait
  red     green   bridge   bridge

20 Second Attempt at Controller Design
- What went wrong the first time? The controller did not remember whether a train was waiting at each entrance
- Boolean variable near_W remembers whether the west train wants to use the bridge
  - Initially 0
  - When the west train issues arrive, changed to 1
  - When the west train issues leave, reset back to 0
  - Invariant: mode_W = away if and only if near_W = 0
- Variable near_E is symmetric
- Let's also now keep both signals red by default
- A signal is changed to green if the corresponding train is near, the other signal is not red, and changed back to red when the train is away
- Still need to resolve simultaneous arrivals by preferring one train
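The design problem of slides 12 to 20, worked as an added example (not from the slides or the course's own components): a synchronous model of the two trains composed with a controller, and a reachable-state search for the safety requirement. Controller1 is my reading of slide 17 and reaches the bridge/bridge state of slide 19; Controller2 is my completion of the second attempt with the tie broken in favour of the east train; the round ordering (trains read signals derived from the controller's current variables, then the controller updates from the events) is likewise an assumption.

```python
from itertools import product
# Added example (not from the slides): reachable-state search over Train_W ||
# Train_E || Controller for the requirement ~(mode_W = bridge & mode_E = bridge).
# Per round a train reads the signal derived from the controller's current state
# variables and moves; the controller then updates from the emitted events.
TRAIN_MOVES = {  # mode -> (event or None, next mode, needs a green signal)
    "away":   [(None, "away", False), ("arrive", "wait", False)],
    "wait":   [(None, "wait", False), (None, "bridge", True)],
    "bridge": [(None, "bridge", False), ("leave", "away", False)],
}

def ctrl1_update(cs, ev_w, ev_e):
    """First attempt (slide 17): one signal variable per train, both green."""
    sig_w, sig_e = cs
    if ev_e == "arrive": sig_w = "red"             # east train wins a tie
    elif ev_w == "arrive": sig_e = "red"
    if ev_w == "leave": sig_e = "green"
    if ev_e == "leave": sig_w = "green"
    return (sig_w, sig_e)

def ctrl2_update(cs, ev_w, ev_e):
    """Second attempt completed with east priority (my reading, not the slide's figure)."""
    near_w, near_e, sig_w, sig_e = cs
    if ev_w == "arrive": near_w = 1
    if ev_e == "arrive": near_e = 1
    if ev_w == "leave": near_w, sig_w = 0, "red"
    if ev_e == "leave": near_e, sig_e = 0, "red"
    if near_e and sig_w == "red": sig_e = "green"    # a signal turns green only
    elif near_w and sig_e == "red": sig_w = "green"  # while the other is red
    return (near_w, near_e, sig_w, sig_e)

CONTROLLER1 = (("green", "green"), ctrl1_update, lambda cs: cs)       # (init vars, update, signals)
CONTROLLER2 = ((0, 0, "red", "red"), ctrl2_update, lambda cs: cs[2:])
def reachable(controller):
    init, update, signals = controller
    seen, frontier = {("away", "away", init)}, [("away", "away", init)]
    while frontier:
        mode_w, mode_e, cs = frontier.pop()
        sig_w, sig_e = signals(cs)
        for (ev_w, nw, gw), (ev_e, ne, ge) in product(TRAIN_MOVES[mode_w], TRAIN_MOVES[mode_e]):
            if (gw and sig_w != "green") or (ge and sig_e != "green"):
                continue                               # train keeps waiting on red
            t = (nw, ne, update(cs, ev_w, ev_e))
            if t not in seen:
                seen.add(t)
                frontier.append(t)
    return seen
def violation(controller):
    """A reachable state with both trains on the bridge, or None."""
    return next((s for s in reachable(controller) if s[0] == s[1] == "bridge"), None)
```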


