Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
Assignments Automated Reasoning

Assignments Automated Reasoning

General

The assignments are performed by pairs of students.
Send your work to one of the teachers: Wim Hesselink or Gerard Renardel, in the form of a dump file containing the relevant files.
How to make a dump file? With the command M-x dump-pvs-files which is also available in the menu PVS -> Files and Theories (3rd from below). The command asks for a "root", i.e. the file you are actually in. When providing a name for the dump file, include your name(s) and the number of the assignment (just to help us). The dump file will also contain the proof file (with extension .prf) that contains information in LISP format about what has been proved and how that is done.
A dump file can be read with emacs, but it is more convenient to unpack it with the command M-x undump-pvs-files .

Assignment 1

Deadline: Friday, September 16, 2005, 17.00 h.

The first assignment is about proving some (elementary) properties of the transitive closure R* of a relation R. The operator * is often called the Kleene star. In PVS we write star(R) for R*, and we define it as follows:


  relation: TYPE = pred[[T, T]]

  R, S: VAR relation

  x, y, z: VAR T

  star(R: relation): relation =
      (LAMBDA (x, y):
         (EXISTS (f: [nat -> T], n: nat):
            f(0) = x AND
             f(n) = y AND
              (FORALL (i: nat): i < n IMPLIES R(f(i), f(i + 1)))))

This definition and the lemmas that follow are all in the PVS-theory transclosure, given in the file trans.pvs. The prelude of PVS contains definitions of the properties reflexive?, symmetric? and transitive?. Some properties of star(R) are


  star_reflexive: LEMMA reflexive?(star(R))

  star_implied: LEMMA (FORALL (x,y): R(x,y) IMPLIES star(R)(x,y))

  star_preserves_symmetry: LEMMA symmetric?(R) IMPLIES symmetric?(star(R))

  star_transitive: LEMMA transitive?(star(R))

The first two will be proved during the second lecture. Proving the other two with PVS is the assignment of this week.

For those of you who found this easy, there is a bonus assignment:

State and prove the assertion that every reflexive and transitive relation S that is implied by R, is also implied by star(R).

First formalize this assertion as a THEOREM or LEMMA in PVS. This is a nontrivial task. It is recommended to ask one of the teachers to approve your formalization before you start to try and prove it. The proof requires induction, a subject for next week (but see the PVS Prover Guide p. 9 for an example, and p. 71-78 for a description of the proof rules involving induction).
It may be convenient to formulate an auxiliary lemma, or even to split the proof in lemmas. It is possible to obtain partial results: only the statement of the assertion to be proved, or only a proof of a lemma.

Assignment 2

Deadline: Wednesday, September 21, 2005, 17.00 h.

This is the bonus assignment of last week:

State and prove the assertion that every reflexive and transitive relation S that is implied by R, is also implied by star(R). See the file trans.pvs and the remarks above. Do not hesitate to ask one of the teachers to approve your formalization before you start to try and prove it.

Assignment 3

Deadline: Tuesday, October 4, 2005, 17.00 h.

In the file pvs-opgaven, you find several different PVS assignments. All pairs should choose a different assignment. Negotiate to get an appropriate one. Some are more challenging than others.
First some remarks that apply to all assignments. You are given an informal description of what a program is supposed to do. You are supposed to do the following:

Give a formal specification of the program with one or more Hoare triples.
Give a program (in a programming language like Modula-3 or C) that satisfies the specification.
Prove the program with PVS and the "programs" prelude. Take care to prove all TCCs generated (verify this at the end with "prove-importchain").
Write a report that explains the formal specification, the program, and its proof. Don't dwell on details, but carefully bridge the gap between the description below and the formal specification.
Give the report (on paper) to Wim Hesselink and send the pvs-dump file to wim@cs.rug.nl.
It is appreciated when you generalize the problem, provided you carefully indicate how the general version is instantiated to solve the special case.

Arrays are modelled as functions on subranges of the naturals. (See swap.pvs for an example with array modification.)
The first five programs should have linear time complexity.

Assignment 4

Deadline: Friday, October 14, 2005, 17.00 h.

Consider the following Prisoners' Problem:

There is a prison with N prisoners. One day, the warden tells them the following. All prisoners will be interrogated, one by one, in the interrogation room. The specific order of interrogations is unknown, but every prisoner will be interrogated again and again. In the interrogation room, there is a switch with the positions 'on' and 'off'; the present position is 'off'. The prisoners are free to observe and turn the switch during each interrogation. The warden will not turn the switch. All prisoners will be released as soon as one of them correctly tells the warden that all prisoners have been interrogated at least once. However, if the claim is incorrect, they will never get free. Beside the switch, there is no exchange of information possible between the prisoners. They now get one hour to devise a strategy that will guarantee their release. What will the strategy be?

Solve the problem (there is a hint) and implement the solution in Promela. Then demonstrate the following claims by model checking:

whenever one of the prisoners claims that they have all visited the interrogation room, then this is correct;
eventually, one of the prisoners will claim. (Hint: use acceptance labels and check for acceptance cycles, see the Introduction to the Model Checker Spin, p. 3, and the Concise Promela Reference.)

Finally, write a short report, where you describe your solution of the problem, how this is modelled in Promela, what you verified with SPIN, and how you verified it with SPIN: parameter settings, results, interpretation.
NB: do not use the name switch in Promela! switch is a keyword in C, and Promela is written in C.

Assignment 5

Deadline: Friday, October 28, 2005, 17.00 h.

You can do either one of the six assignments below or one of the first two exercises from the Exercise series of the System Validation course, given by Joost-Pieter Katoen and Henrik Bohnenkamp at the University of Twente. (The third exercise on the Berman-Garay protocol has been treated in lecture 9.) Choose one of the assignments described there. Again, different groups take different assignments, so negotiate with your colleague students.
Give a report that completely introduces the problem, how you formalized it in Promela, what SPIN experiments you performed, and what you learned from them. Send us the Promela files and describe the parameter settings used for the various experiments. What kind of (in)correctness conclusions can you draw? What remains uncertain from these experiments?

Assignment "Bounded Buffer"

This assignment is based on the bounded buffer described in Section 4.5 (p. 26-28) of the Collegedictaat on Concurrent Programming (in English), written by Wim Hesselink.

Model this program in Promela to show mutual exclusion and absence of deadlock. Show that products are always stored in empty slots and are always retrieved from full slots. Show that deadlock does not occur. Show that deadlock can occur when the producers, or the consumers can terminate. What choices for the numbers can you accommodate?

Assignment "Readers and Writers"

This assignment is based on the semaphore program for readers and writers described in Section 4.6 (p. 28-30) of the Collegedictaat on Concurrent Programming (in English), written by Wim Hesselink.

Model the program in Promela. Allow readers and writers to terminate. Show mutual exclusion and absence of deadlock. What choices for the numbers can you accommodate? Explain the warnings for superfluous code. Do you agree? Can you remove more superfluous code than SPIN observes?

Assignment "Exercise 7.2"

This assignment is based on Exercise 7.2 (p. 46) of the Collegedictaat on Concurrent Programming (in English), written by Wim Hesselink.

Given are two shared integer variables, x and y, initially 0, and the integer constants a,b > 0 and c,d >= 0. These actions are to be synchronized in such a way that they are executed atomically and preserve the safety conditions x <= y + c and y <= x + d; this should be done as nodeterminately as possible. Reduce the problem to a problem with a finite state space, and write in Promela an algorithm based on split binary semaphores, satisfying the requirements. Show that it does not lead to unnecessary deadlock. Use SPIN to determine the number of reachable states for some choices of the parameters. Can you generalize and prove some facts about this number?

Assignment "Two chambers" (about fairness)

Since semaphores are not necessarily fair, one may want to enforce fairness by additional measures. The following idea seems to be quite generally applicable.
In order to make the standard semaphore implementation of mutual exclusion fair, we introduce two chambers, indexed by a shared variable toggle: bit. A process that needs to enter CS, first enters chamber[toggle]. Processes in chamber[toggle] have to wait until toggle is modified. Therefore, all processes in the other chamber can enter CS consecutively. When the other chamber is empty, toggle is toggled. In this way, all processes that have entered a chamber, will eventually be able to enter CS.
Implement this idea. The chamber where a process is waiting, can be implemented as a private variable. Use two shared variables to count the processes in the chambers. Use a single semaphore to enforce mutual exclusion. The shape of your algorithm is as follows:


   proctype user(self) {
     do
     :: break /* processes are allowed to leave */
     :: enter chamber[toggle], possibly changing toggle
        wait until toggle has changed
        P(sema)
        CS
        V(sema)
        exit chamber, possibly changing toggle
     od
   }

Take care to avoid deadlock when a process enters a chamber while the other chamber is empty.
Make an abstract solution, where rather big atomic actions are used for entering and exiting the chambers. Verify fairness by SPIN experiments (assuming weak fairness underneath) and report about them in such a way that we can easily reproduce your results.
Optionally, implement your abstract solution only using (split) binary semaphores and report about this.

Assignment Leader Election in a Ring

This assignment is based on the Leader Election protocol in Section 8.4 (p. 54) of the Collegedictaat on Concurrent Programming (in English), written by Wim Hesselink.

Model the protocol in Promela and test it with Spin. Set the values of priv.self by means of a function like f(self) = (a*self+b) % 17, for some pairs a, b. Argue that your testing indicates (in)correctness of the protocol. Discuss safety and liveness.

Assignment Barrier synchronization for possibly terminating threads

Given are N environment threads (see below). At certain points in the computation, these threads need to wait for all other threads before they proceed with the next part of the computation. The environment threads can also nondeterministically terminate. Implement this synchronization by N barrier threads, that each communicate with its own environment thread by means of synchronous channels out[p] and in[p], and with each other via channels or shared variables. Accomplish this by implementing "synchronizer" and "logout". These program fragments are not allowed to access the shared variables activeCnt, wCnt, toggle, out, and in.

Test the safety of your solution with the "assert" that is given. Test its liveness also.
Hint: see Sections 2.5, 4.4, etc. of the Collegedictaat on Concurrent Programming (in English), written by Wim Hesselink.


#define Nproc 4
byte activeCnt = Nproc ; 
byte wCnt = 0 ;
bit toggle ;
chan out[Nproc] = [0] of {bit} ;
chan in[Nproc] = [0] of {bit} ;

proctype environ(byte self) {
  bit tog ;
  do
  :: // noncritical activity ;
     atomic {
       assert tog == toggle ;
       tog = ! tog ;
       wCnt ++ ;
       if 
       :: wCnt == activeCnt -> 
          toggle = ! toggle ;
          wCnt = 0 
       :: else
       fi ;
       out[self]!1
     } 
     // AWAIT:
     in[self]?_ 
  :: atomic {   // announce termination:
       activeCnt -- ;
       if 
       :: activeCnt == wCnt ->
          toggle = ! toggle ;
          wCnt = 0 
       :: else
       fi ;
       out[self]!0 ;
       break 
     }
  od 
}

proctype barrier(byte self) {
  do 
  :: out[self]?1 -> 
     "synchronizer" ;
     in[self]!0 
  :: out[self]?0 ->
     "logout" ;
     break
  od 
}

Gerard Renardel