### Software Validation and Verification First Exercise Sheet

#### Exercise 1

For this exercise we give the following definition:

**Definition 1.** Deterministic Transition System Let  $TS = (S, Act, \rightarrow, I, AP, L)$  be a transition system.

- 1. TS is called action-deterministic if  $|I| \leq 1$  and  $|Post(s, \alpha)| \leq 1$  for all states s and actions  $\alpha$ .
- 2. TS is called AP-deterministic if  $|I| \leq 1$  and  $|Post(s) \cap \{s' \in S \mid L(s') = A\}| \leq 1$  for all states s and  $A \in 2^{AP}$ .

Consider the following the transition system  $TS_1$ .



- **a)** Give the formal definition of  $TS_1$ .
- **b)** Specify a finite and an infinite execution of  $TS_1$ .
- c) Decide whether TS<sub>1</sub> is an *AP*-deterministic or an action-deterministic transition system. Justify your answer.

Consider the following mutual exclusion algorithm that uses the shared variables  $y_1$  and  $y_2$  (which are initially both 0):

```
Process P_1:
                                                     Process P_2:
while true do
                                                     while true do
  ... non-critical section ...
                                                        ... non-critical section ...
  y_1 := y_2 + 1
                                                        y_2 := y_1 + 1
                                                        wait until (y_1 = 0) \sqrt{z_2} < y_1)
  wait until (y_2 = 0) \lor (y_1 \le y_2)
  ... critical section ...
                                                        ... critical section ...
  y_1 := 0
                                                        y_2 := 0
  ... non-critical section ...
                                                        ... non-critical section ...
\mathbf{od}
                                                     \mathbf{od}
```

Questions:

- a) Give the program graph representation of both processes. (A pictorial representation suffices)
- b) Give the reachable part of the transition system of  $P_1 ||| P_2$  where  $y_1 \leq 2$  and  $y_2 \leq 2$ .

The circuit  $C_1$  describes the layout of a hardware adder that stores a 2-bit binary number represented by the registers  $r_0$  and  $r_1$ . In each cycle, the value of x is added to the currently stored value; y is used as the carry bit:



Give the transition system representation  $TS_1$  of the circuit  $C_1$ .

In the following, whenever transition systems are compared via = or  $\neq$ , this means (in)equality **up to renaming of states** (i.e. isomorphism).

**a)** Show that, the handshaking  $\parallel_H$  operator **is not** associative, i.e. that in general

$$(\mathsf{TS}_1 \parallel_H \mathsf{TS}_2) \parallel_{H'} \mathsf{TS}_3 \neq \mathsf{TS}_1 \parallel_H (\mathsf{TS}_2 \parallel_{H'} \mathsf{TS}_3)$$

**b)** The handshaking operator || that forces transition systems to synchronize over their common actions **is** associative. Show that

$$\underbrace{(\mathsf{TS}_1 \parallel \mathsf{TS}_2) \parallel \mathsf{TS}_3}_L = \underbrace{\mathsf{TS}_1 \parallel (\mathsf{TS}_2 \parallel \mathsf{TS}_3)}_R$$

where TS<sub>1</sub>, TS<sub>2</sub>, TS<sub>3</sub> are arbitrary (finite) transition systems. To this end, show that the bijective function  $f_{\approx}: (S_1 \times S_2) \times S_3 \rightarrow S_1 \times (S_2 \times S_3)$  given by  $f_{\approx}(\langle \langle s_1, s_2 \rangle, s_3 \rangle) = \langle s_1, \langle s_2, s_3 \rangle \rangle$  preserves the transition relation in the sense that

$$I \stackrel{\alpha}{\longrightarrow}_{L} I' \iff f_{\approx}(I) \stackrel{\alpha}{\longrightarrow}_{R} f_{\approx}(I') \tag{1}$$

where  $I, I' \in S_L, S_L$  is the state space of transition system L and  $\longrightarrow_L, \longrightarrow_R$  are the transition relations of L and R, respectively.

**Hint:** When considering an action  $\alpha$ , you need only distinguish the cases

- (i)  $\alpha \in Act_1 \setminus (Act_2 \cup Act_3)$
- (ii)  $\alpha \in (Act_1 \cap Act_2) \setminus Act_3$
- (iii)  $\alpha \in Act_1 \cap Act_2 \cap Act_3$

(Act<sub>i</sub> is the action set of  $TS_i$ ) as all other cases are symmetric. Also, for simplicity, it suffices to show the direction " $\Longrightarrow$ " of condition (1). However, keep in mind that L and R are not necessarily action-deterministic (see exercise sheet 1).



Consider the following leader election algorithm: For  $n \in \mathbb{N}$ , *n* processes  $\mathcal{P}_1, \ldots, \mathcal{P}_n$  are located in a ring topology where each process is connected by an unidirectional, asynchronous channel to its neighbour as outlined below.



To distinguish the processes, each process *i* is assigned a unique identifier  $id(\mathcal{P}_i) \in \{1, ..., n\}$  that is written to private variable  $id_i$ . The aim of the algorithm is to elect the process with the highest identifier as the (unique) leader within the ring. Therefore each process executes the following algorithm using another private variable  $m_i$  (which is initially 0):

```
send(id<sub>i</sub>); // send own id to next process.
while (true) do {
   receive (m<sub>i</sub>);
   if (m<sub>i</sub> == id<sub>i</sub>) then stop; // process i is the leader
   if (m<sub>i</sub> > id<sub>i</sub>) then send(m<sub>i</sub>); // forward other identifier
}
```

- a) Model the leader election protocol for *n* processes as a channel system.
- **b)** Give an initial execution fragment of  $TS([\mathcal{P}_1 | \mathcal{P}_2 | \mathcal{P}_3])$  such that at least one process has executed its send-statement within the body of the while-loop. Assume for  $1 \le i \le 3$ , that process  $\mathcal{P}_i$  has identifier  $id_i = i$ .