5 Program Correctness
5.1 Introduction

For any application, the designer of a distributed system has the responsibility of certifying the correctness of the system before users start using it. This guarantee might possibly hold only as long as every hardware and software component works according to its specifications. This chapter explains what correctness criteria are considered important for distributed systems.

In message passing models, the state of a distributed system consists of the local states of all the processes and the states of the channels connecting these processes. For the locally shared variable models, channel states are irrelevant. The state of a distributed system is also called its configuration. From any state, the execution of each eligible action takes the system to a new state. A computation consists of a sequence of atomic actions that transform a given initial state to a final state. With partial ordering of events and nondeterministic scheduling of actions, such sequences are not always unique -- depending on system characteristics and implementation policies, the sequence of actions can vary from one run to another. Yet, from the perspective of a system designer, it is important to certify that the system operates "correctly" for every possible run.

Fig. 5.1 History of a distributed system (a state graph with states A through L). Circles represent states and arcs represent actions causing state transitions.
Fig. 5.1 represents the history of a computation that begins from the initial state A and ends in the final state L. Each arc corresponds to an atomic action that causes a state transition. Note that in each of the states B and G, there are two possible actions: this corresponds to nondeterministic choices made by the scheduler(s). The history Σ can be represented as the set of the following three state sequences: {ABCDEFL, ABGHIFL, ABGJKIFL}. Each state sequence is also called a behavior of the system. If a computation does not terminate, then some of the behaviors can be infinite.

Regardless of what properties are considered to judge correctness, it is important to note that one or more successful "test runs" of the system can never guarantee that the system will behave correctly under all possible circumstances. This is because such test runs can at best certify the correctness of some specific behaviors, but they can never capture all possible behaviors. To paraphrase Dijkstra, "test runs can at best reveal the presence of bugs, but not their absence."

It is tempting to prove correctness by enumerating all possible interleavings of atomic actions, and testing or reasoning about each of these behaviors. However, because of the explosive growth in the number of such behaviors, this approach soon turns out to be impractical -- at least for nontrivial distributed systems. For example, with n processes each executing a sequence of m atomic actions, the total number of possible interleavings is

    (n·m)! / (m!)^n

Therefore, to exhaustively test even a small system, one can easily exceed the computing capacity available with today's fastest computers.

5.2 Correctness Criteria

What properties of a distributed system do we look for when we certify its correctness? The desirable attributes can be broadly classified into two different categories: liveness and safety. Most of the useful properties of a system can be classified either as a liveness or as a safety property.
5.2.1 Safety Properties

A safety property intuitively implies that "bad things never happen." Different systems have different notions of what can be termed a bad thing. Consider the history shown in Fig. 5.1. Let a safety property be specified by the statement: "the value of a certain integer variable temperature should never exceed 100." If this safety property has to hold for a system, then it must hold in every state of the system. Thus, if we find that in state G temperature = 107, then we immediately conclude that the safety property is violated -- we need not wait to see what will happen to temperature thereafter. To demonstrate that a safety property is violated, it is sufficient to demonstrate that it does not hold during an initial prefix of a behavior. Safety properties can often be defined using an invariant relationship. What follows are some examples of safety properties in well-known synchronization problems.

Mutual Exclusion

Consider a number of processes trying to periodically enter a critical section. Once a process successfully enters the critical section, it is expected to do some work, exit the critical section, and then try for a reentry later. The program for a typical process is outlined below:

    do true →
        entry protocol;
        critical section;
        exit protocol
    od

Here, the requirement of the safety property is that at most one process can be in the critical section. Accordingly, the safety invariant can be written as Ncs ≤ 1, where Ncs is the number of processes in the critical section at any time. A bad thing corresponds to a situation in which two or more processes are in the critical section at the same time.
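Since a safety property must hold in every state, a monitor can evaluate the invariant after each action of a behavior and stop at the first state that violates it; the violating prefix is then finite. The following Python program is an added illustration (not code from the chapter) of such a monitor for the invariants of this section: Ncs ≤ 1 for mutual exclusion, 0 ≤ np − nc ≤ B for the bounded capacity channel, and the readers-and-writers invariant. The event names and the traces it replays are constructed for this example; the channel trace reaches the text's np = 45, nc = 25 with B = 20 and then produces once more.

```python
"""Invariant monitor for the safety properties of Section 5.2.1
(added example, not the chapter's code; event names and traces are
constructed for illustration)."""
from dataclasses import dataclass
from typing import Callable, List, Optional, TypeVar

S = TypeVar("S")


def first_violation(state: S, events: List[str],
                    apply: Callable[[S, str], None],
                    invariant: Callable[[S], bool]) -> Optional[int]:
    """Replay `events` from `state`. Return the index of the first event after
    which `invariant` is false (-1 if the initial state is already bad), or
    None when the whole behavior keeps the invariant. Because a safety
    violation shows up in a finite prefix, stopping here is enough."""
    if not invariant(state):
        return -1
    for k, ev in enumerate(events):
        apply(state, ev)
        if not invariant(state):
            return k
    return None


# --- Mutual exclusion: Ncs <= 1 -------------------------------------------
@dataclass
class MutexState:
    ncs: int = 0          # processes currently inside the critical section


def mutex_event(s: MutexState, ev: str) -> None:
    s.ncs += {"enter": 1, "exit": -1}[ev]


def mutex_invariant(s: MutexState) -> bool:
    return s.ncs <= 1


# --- Bounded capacity channel: 0 <= np - nc <= B ---------------------------
@dataclass
class ChannelState:
    np: int = 0           # items produced by the transmitter
    nc: int = 0           # items consumed by the receiver
    B: int = 20           # channel capacity (the text's example uses B = 20)


def channel_event(s: ChannelState, ev: str) -> None:
    if ev == "produce":
        s.np += 1
    elif ev == "consume":
        s.nc += 1
    else:
        raise ValueError(f"unknown event {ev!r}")


def channel_invariant(s: ChannelState) -> bool:
    return 0 <= s.np - s.nc <= s.B


def channel_trace_from_text() -> List[str]:
    """Constructed behavior that reaches np = 45, nc = 25 without ever
    overfilling the channel, followed by the one extra 'produce' that the
    text calls a bad thing (np - nc would become 21 > B)."""
    return ["produce"] * 20 + ["consume", "produce"] * 25 + ["produce"]


# --- Readers and writers: [(nw <= 1) and (nr = 0)] or [(nw = 0) and (nr >= 0)]
@dataclass
class FileState:
    nw: int = 0           # writers currently updating the file
    nr: int = 0           # readers currently reading the file


def file_event(s: FileState, ev: str) -> None:
    field, delta = {"start_write": ("nw", 1), "end_write": ("nw", -1),
                    "start_read": ("nr", 1), "end_read": ("nr", -1)}[ev]
    setattr(s, field, getattr(s, field) + delta)


def readers_writers_invariant(s: FileState) -> bool:
    return (s.nw <= 1 and s.nr == 0) or (s.nw == 0 and s.nr >= 0)


if __name__ == "__main__":
    # Two processes enter without an exit in between: violated at event 3.
    print("mutex:", first_violation(MutexState(), ["enter", "exit", "enter", "enter"],
                                    mutex_event, mutex_invariant))
    # The 71st event (index 70) is the extra produce from the text.
    print("channel:", first_violation(ChannelState(), channel_trace_from_text(),
                                      channel_event, channel_invariant))
    # A writer starts while a reader is reading: violated at event 1.
    print("readers/writers:", first_violation(FileState(), ["start_read", "start_write"],
                                              file_event, readers_writers_invariant))
```

A result of None means the replayed behavior never left the safe states; it says nothing about behaviors the trace did not cover, which is the limitation of testing the text discusses.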
Bounded Capacity Channel

A transmitter process P and a receiver process Q are communicating through a channel of bounded capacity B. The usual conditions of this communication are: (i) the transmitter should not send messages when the channel is full, and (ii) the receiver should not try to receive messages when the channel is empty. The following invariant represents a safety property that must be satisfied in every state of the system:

    0 ≤ np − nc ≤ B

where np = number of items produced by the transmitter process, nc = number of items consumed by the receiver process, and B = channel capacity. Let B = 20. A bad thing happens when np = 45, nc = 25, and the producer produces one more item.

Readers and Writers Problem

A number of reader and writer processes access a file. To get a consistent view of the file, it is important to enforce the criteria that (i) writers get exclusive access to the file, and (ii) readers access the file only when no writer is writing. The required safety property can be expressed by the invariant

    [(nw ≤ 1) ∧ (nr = 0)] ∨ [(nw = 0) ∧ (nr ≥ 0)]

where nw = number of writer processes updating the file, and nr = number of reader processes reading the file. Here, a bad thing will happen if a writer is granted write access while a reader is reading the file.

Absence of Deadlock

In every distributed system, deadlock is a bad thing. A system is deadlocked when, after a finite sequence of actions, the system reaches a state in which all the guards are false, but the system has not reached the final state. Consider a computation S that starts from a precondition P and is expected to satisfy the postcondition Q on termination. Let GG be the disjunction of the guards in S. Then the desired safety property can be expressed by the invariant (Q ∨ GG).

Partial Correctness

An important type of safety property is partial correctness. Partial correctness of a program asserts that "if the program terminates," then the resulting state is the final state satisfying the desired postcondition. The bad thing here is the possibility of the program terminating with a wrong answer, or entering into a deadlock. Using the example from the previous paragraph, program S is partially correct when ¬GG ⇒ Q, so the same safety invariant (Q ∨ GG) applies to partial correctness also. Partial correctness does not, however, say anything about whether the given program will terminate -- that is a different and often a deeper issue.

The absence of safety can be established by proving the existence of a bad state that is reachable from the initial state and violates the safety criterion. To prove safety, it is thus necessary to assert that the safety criterion holds in every state that is reachable from the initial state.

5.2.2 Liveness Properties

The essence of a liveness property is that "good things eventually happen." Eventuality is a tricky issue -- it simply implies that the event happens after a finite number of actions, but no expected upper bound for the number of actions is implied in the statement [1]. Consider the statement: "Every criminal is eventually brought to justice." Suppose that the crime was committed on January 1, 1990, but the criminal is still at large. Can we say that the statement is false? No -- since, who knows, the criminal may be arrested tomorrow! It is thus impossible to prove the falsehood of a liveness property by examining a finite prefix of the behavior. Of course, if the accused person is taken to court today and proven guilty, then the liveness property is trivially proved. But this may be a matter of luck -- apparently no one knows how long we have to wait.

Here are some examples of well-known liveness properties.

[1] It is often sufficient to guarantee that the event happens with probability 1.
Progress

Consider the classical mutual exclusion problem, where a number of processes try to enter a critical section. A desirable feature here is for every process to make progress towards the goal, and eventually enter the critical section. Thus, progress towards the critical section is a liveness property. Progress is violated if there exists at least one infinite behavior in which a process remains outside its critical section. Absence of guaranteed progress is commonly known as livelock or starvation.

Fairness

Fairness is a liveness property, as it determines whether an action is eventually executed by the scheduler. As is customary with progress properties, fairness does not guarantee when, or after how many steps, the action is scheduled.

Reachability

The problem of reachability addresses the following question: given a net with an initial state S0, does there exist a finite behavior that changes the system state to S? If so, then S is said to be reachable from S0. Reachability is a liveness property. Network protocol designers who believe in testing a protocol rather than proving its correctness often run simulation programs to explore the possible states that the protocol could lead the system into, and check if there is anything "bad" about those states. The goal is to find out if a "bad state" is reachable from an initial state through some sequence of legal actions. Needless to say, they succeed in reaching only a fraction of the set of possible states into which the system can move in real life. Many protocol certifications are based on this type of testing. The testing of reachability through simulation is never foolproof, and takes a heavy toll on system resources, often leading to the so-called state-explosion problem.

Termination

Program termination is a liveness property. It guarantees that, starting from the initial state, every feasible behavior leads the system to a state in which all the guards are false and the desired postcondition is satisfied. Note that partial correctness simply ensures that if all the guards are false, then the goal state is reached. It does not tell us anything about whether the terminal state is reachable. The total correctness of a program is the combination of partial correctness and termination.
An Example

Consider a system of four processes P0 through P3 as shown in Fig. 5.2. Each process has a variable color represented by an integer from the set {0,1,2,3}. We will represent the color of a process i by the symbol c[i]. The objective is to devise an algorithm so that, regardless of the initial colors of the different processes, eventually no two processes have the same color.

Figure 5.2. A system of four processes P0, P1, P2, P3. Every process wants a color that is different from the colors of its neighboring processes.

Let N.i denote the set of neighbors of process i. We propose the following program for every process Pi, i ∈ {0,1,2,3}, in the system:

    program colorme {for process i}
    do ∃j : j ∈ N.i :: (c[i] = c[j]) → c[i] := (c[i] + 2) mod 4 od

Is the program partially correct? Note that, only by checking the guards, it is easy to conclude that if the program terminates, i.e. if all the guards are false, then the following condition holds:

    (∀i, j : j ∈ N.i :: c[i] ≠ c[j])        (1)

By definition, this is the desired postcondition. So the system is partially correct.

However, it is easy to find out that the program may not terminate. Consider the initial state A represented by the values c[0] = 0, c[1] = 0, c[2] = 2, c[3] = 2. Fig. 5.3 shows at least one possible sequence of actions by which the system can return to the starting state A without ever satisfying the desired postcondition (1). This cyclic behavior demonstrates that it is possible for the program to run for ever. Therefore, the program is partially correct, but not totally correct.

Note that it is possible for this program to reach termination if an alternate sequence of actions is chosen by the schedulers. For example, if in state A process P1 makes a move, then the state c[0] = 0, c[1] = 2, c[2] = 2, c[3] = 2 is reached and condition (1) is satisfied! However, termination is not "guaranteed" as long as there exists a single infinite behavior in which the conditions of the goal state are not satisfied.

    State   Action       c[0]  c[1]  c[2]  c[3]
    A       (initial)
    B       P0 moves
    C       P2 moves
    D       P0 moves
    E       P1 moves
    F       P0 moves
    G       P3 moves
    H       P0 moves
    I       P2 moves
    J       P0 moves
    K       P1 moves
    L       P0 moves
    A       P3 moves

Fig. 5.3 An infinite behavior for the system in Fig. 5.2.
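The following Python model is an added illustration, not code from the chapter: it encodes the guards and actions of colorme, replays the scheduler choices of Fig. 5.3 from state A, and then explores every state reachable from A under any scheduler (the reachability analysis of Section 5.2.2) to decide whether an infinite behavior exists. It assumes the neighborhood relation the text implies: P0 is adjacent to P1, P2 and P3, and those three are adjacent only to P0, which is the only graph for which c = (0, 2, 2, 2) satisfies condition (1).

```python
"""Model of the four-process 'colorme' program (added example, not the
chapter's code). Neighborhood relation assumed from the text: P0 is
adjacent to P1, P2, P3, and those three are adjacent only to P0."""
from collections import deque
from typing import Dict, FrozenSet, List, Set, Tuple

State = Tuple[int, int, int, int]          # (c[0], c[1], c[2], c[3])

# N.i for each process i (assumed star topology, see docstring).
NEIGHBORS: Dict[int, FrozenSet[int]] = {
    0: frozenset({1, 2, 3}),
    1: frozenset({0}),
    2: frozenset({0}),
    3: frozenset({0}),
}

A: State = (0, 0, 2, 2)                    # initial state A from the text
# Scheduler choices of Fig. 5.3: the process that moves at each step.
FIG_5_3_SCHEDULE: List[int] = [0, 2, 0, 1, 0, 3, 0, 2, 0, 1, 0, 3]


def guard(state: State, i: int) -> bool:
    """Guard of process i: there is a j in N.i with c[i] = c[j]."""
    return any(state[i] == state[j] for j in NEIGHBORS[i])


def step(state: State, i: int) -> State:
    """Action of process i: c[i] := (c[i] + 2) mod 4, allowed only when enabled."""
    if not guard(state, i):
        raise ValueError(f"process {i} is not enabled in {state}")
    c = list(state)
    c[i] = (c[i] + 2) % 4
    return (c[0], c[1], c[2], c[3])


def postcondition(state: State) -> bool:
    """Condition (1): no process shares a color with a neighbor. This is
    exactly 'all guards are false', i.e. the program has terminated."""
    return not any(guard(state, i) for i in range(4))


def run_schedule(start: State, schedule: List[int]) -> List[State]:
    """Replay a fixed sequence of scheduler choices; return all visited states."""
    states = [start]
    for i in schedule:
        states.append(step(states[-1], i))
    return states


def reachable(start: State) -> Dict[State, List[State]]:
    """Breadth-first exploration of every state reachable from `start` under
    any scheduler. Returns the reachable state graph as adjacency lists."""
    graph: Dict[State, List[State]] = {}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        if s in graph:
            continue
        graph[s] = [step(s, i) for i in range(4) if guard(s, i)]
        queue.extend(graph[s])
    return graph


def has_infinite_behavior(start: State) -> bool:
    """The state space is finite, so an infinite behavior exists iff the
    reachable state graph contains a cycle; found with a path-tracking DFS."""
    graph = reachable(start)
    on_path: Set[State] = set()
    finished: Set[State] = set()

    def dfs(s: State) -> bool:
        on_path.add(s)
        for t in graph[s]:
            if t in on_path or (t not in finished and dfs(t)):
                return True
        on_path.discard(s)
        finished.add(s)
        return False

    return dfs(start)


if __name__ == "__main__":
    trace = run_schedule(A, FIG_5_3_SCHEDULE)
    for label, s in zip("ABCDEFGHIJKLA", trace):   # the rows of Fig. 5.3
        print(label, s, "goal reached" if postcondition(s) else "")
    print("back in A:", trace[-1] == A)
    print("P1 moving first from A gives", step(A, 1),
          "which satisfies (1):", postcondition(step(A, 1)))
    print("states reachable from A:", len(reachable(A)))
    print("infinite behavior exists:", has_infinite_behavior(A))
```

The printed trace supplies the c[0] .. c[3] columns of Fig. 5.3 for each labelled state, under the assumed neighborhood relation.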
5.3 Concluding Remarks

This chapter explains what is meant by correctness. It does not describe any method of proving correctness. Although most useful properties of a distributed system can be classified as either a liveness or a safety property, it is possible to come across properties which do not belong to either of these two classes. Consider the statement, "there is a 90% probability that an earthquake of magnitude greater than 8.8 will hit California before the year 2000." This is neither a liveness nor a safety property.

An implicit assumption made in this chapter is that all well-behaved programs will terminate. This may not always be the case -- particularly for open systems. An open system (also called a reactive system) is one that responds to changes in the environment, and is particularly useful in real-time systems. A system that assumes the environment to be fixed is called a closed system.

Correctness often depends on assumptions made about the underlying model. Such assumptions include program semantics, the choice of the scheduler, or the grain of atomicity. A given property may hold if we assume strong fairness, but may not hold if we assume weak fairness. Another property may be true only if we choose a "coarse-grain" atomicity, but may cease to hold with "fine-grain" atomicity. However, in general, if a property holds in a weaker model, then it also holds for the stronger models. In the next chapter, we will discuss various methods of proving the correctness of programs.

5.4 Bibliography

Lamport [L77] was the first to point out the importance of safety and liveness properties in proving concurrent programs. Alpern and Schneider [AS85] demonstrated how most of the useful properties related to program correctness can be classified either as a liveness or as a safety property. The book by Francez [F86] contains an extensive discussion on the issue of fairness. Partial correctness proofs are extensively dealt with in [OG76]. The book by David Gries [G81] contains an excellent description of the various methods for proving the correctness of sequential programs.
Exercises

1. Consider the system of four processes P0, P1, P2, P3 shown in the accompanying figure. Each process Pi has an integer variable c[i] whose values can range from 0 to 3. Now consider the following program:

       do ∃j : j ∈ N.i :: (c[i] = c[j]) → c[i] := (c[i] + 1) mod 4 od

   Enumerate all the behaviors of the above program. Is there an infinite behavior? [Warning: This exercise can be very time consuming.]

2. Classify each statement as a liveness or a safety property:
   (a) No object in the universe can travel at a speed larger than the speed of light.
   (b) This problem is not difficult -- I think it can be solved.
   (c) The message will reach my friend within an hour.
   (d) The price of every stock will increase.
   (e) The Sun rises in the east and sets in the west.
   (f) Every person will eventually die.

3. Consider a system of n processes 0, 1, 2, ..., n-1. Each process works in phases. The phase of a process is represented by an integer variable p. Initially, for every process, p = 0. In each phase, a process does some work. A process is allowed to begin phase k+1 when every process has completed its work in phase k.
   (i) Write the program for a typical process i. You must convince yourself that the program works, but you need not demonstrate any formal correctness proof.
   (ii) List the safety properties that you need to prove in order to establish the correctness of your program. For each safety property, specify an invariant.
   (iii) State all the liveness properties relevant to this problem.

4. Five processes P0, P1, P2, P3, P4 are trying to acquire unique names from a set S containing five or more names. Each process Pi starts by choosing an arbitrary initial name x[i] from the set S. Assume that each process can read the names of every other process, and let Ri denote the set of residual names not taken by any of the processes. The program for process Pi is as follows:

       do (∃j : j ≠ i :: x[i] = x[j]) ∧ (∃b : b ∈ Ri) → x[i] := b od

   Argue using program behaviors that the above program will terminate with central schedulers, but may not terminate with distributed schedulers.

5. Consider the Petri net shown in the accompanying figure, with places a, b, c, d. Use behaviors to decide if the marking M(a) = 1, M(b) = 0, M(c) = 1, M(d) = 0 is reachable from the given initial marking.

6. Consider the transition model of a distributed system, and assume that the system can remain in one of 16 possible states. From each state, there are at most three possible state transitions. Then determine the maximum amount of space that may be required to decide whether a state A is reachable from another state B.
More informationFairness in Routing and Load Balancing
Fairness in Routing and Load Balancing Jon Kleinberg Yuval Rabani Éva Tardos Abstract We consider the issue of network routing subject to explicit fairness conditions. The optimization of fairness criteria
More informationFormal Verification by Model Checking
Formal Verification by Model Checking Natasha Sharygina Carnegie Mellon University Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005 1 Outline Lecture 1: Overview of Model Checking
More informationA Static Analyzer for Large Safety-Critical Software. Considered Programs and Semantics. Automatic Program Verification by Abstract Interpretation
PLDI 03 A Static Analyzer for Large Safety-Critical Software B. Blanchet, P. Cousot, R. Cousot, J. Feret L. Mauborgne, A. Miné, D. Monniaux,. Rival CNRS École normale supérieure École polytechnique Paris
More informationThe Drinking Philosophers Problem
The Drinking Philosophers Problem K. M. CHANDY and J. MISRA University of Texas at Austin The problem of resolving conflicts between processes in distributed systems is of practical importance. A conflict
More informationKNOWLEDGE FACTORING USING NORMALIZATION THEORY
KNOWLEDGE FACTORING USING NORMALIZATION THEORY J. VANTHIENEN M. SNOECK Katholieke Universiteit Leuven Department of Applied Economic Sciences Dekenstraat 2, 3000 Leuven (Belgium) tel. (+32) 16 28 58 09
More informationMATH10040 Chapter 2: Prime and relatively prime numbers
MATH10040 Chapter 2: Prime and relatively prime numbers Recall the basic definition: 1. Prime numbers Definition 1.1. Recall that a positive integer is said to be prime if it has precisely two positive
More informationINF5140: Specification and Verification of Parallel Systems
Motivation INF5140: Specification and Verification of Parallel Systems Lecture 1 Introduction: Formal Methods Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2009 Outline
More informationFormal Languages and Automata Theory - Regular Expressions and Finite Automata -
Formal Languages and Automata Theory - Regular Expressions and Finite Automata - Samarjit Chakraborty Computer Engineering and Networks Laboratory Swiss Federal Institute of Technology (ETH) Zürich March
More informationMathematical Induction
Mathematical Induction (Handout March 8, 01) The Principle of Mathematical Induction provides a means to prove infinitely many statements all at once The principle is logical rather than strictly mathematical,
More informationChapter II. Controlling Cars on a Bridge
Chapter II. Controlling Cars on a Bridge 1 Introduction The intent of this chapter is to introduce a complete example of a small system development. During this development, you will be made aware of the
More informationINF5140: Specification and Verification of Parallel Systems
INF5140: Specification and Verification of Parallel Systems Lecture 7 LTL into Automata and Introduction to Promela Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerardo
More informationModel Checking based Software Verification
Model Checking based Software Verification 18.5-2006 Keijo Heljanko Keijo.Heljanko@tkk.fi Department of Computer Science and Engineering Helsinki University of Technology http://www.tcs.tkk.fi/~kepa/ 1/24
More informationAn example of a computable
An example of a computable absolutely normal number Verónica Becher Santiago Figueira Abstract The first example of an absolutely normal number was given by Sierpinski in 96, twenty years before the concept
More informationFocus on Essay Writing
Focus on Essay Writing Essay writing is a process and a product. You need to focus on the process in order to achieve a high quality product. What is an essay? The word essay originally meant to test or
More information6.2 Permutations continued
6.2 Permutations continued Theorem A permutation on a finite set A is either a cycle or can be expressed as a product (composition of disjoint cycles. Proof is by (strong induction on the number, r, of
More informationarxiv:0908.3127v2 [math.gt] 6 Sep 2009
MINIMAL SETS OF REIDEMEISTER MOVES arxiv:0908.3127v2 [math.gt] 6 Sep 2009 MICHAEL POLYAK Abstract. It is well known that any two diagrams representing the same oriented link are related by a finite sequence
More informationCHAPTER 1. Historical Background of Criminal Law
Chapter 1 Multiple Choice CHAPTER 1 Historical Background of Criminal Law 1. The fact that the U.S. Constitution has survived for over two hundred years and is capable of being interpreted in light of
More informationPractical Guide to the Simplex Method of Linear Programming
Practical Guide to the Simplex Method of Linear Programming Marcel Oliver Revised: April, 0 The basic steps of the simplex algorithm Step : Write the linear programming problem in standard form Linear
More informationThe Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.
The Prime Numbers Before starting our study of primes, we record the following important lemma. Recall that integers a, b are said to be relatively prime if gcd(a, b) = 1. Lemma (Euclid s Lemma). If gcd(a,
More informationTOPOLOGY: THE JOURNEY INTO SEPARATION AXIOMS
TOPOLOGY: THE JOURNEY INTO SEPARATION AXIOMS VIPUL NAIK Abstract. In this journey, we are going to explore the so called separation axioms in greater detail. We shall try to understand how these axioms
More information6.080/6.089 GITCS Feb 12, 2008. Lecture 3
6.8/6.89 GITCS Feb 2, 28 Lecturer: Scott Aaronson Lecture 3 Scribe: Adam Rogal Administrivia. Scribe notes The purpose of scribe notes is to transcribe our lectures. Although I have formal notes of my
More informationNetwork File Storage with Graceful Performance Degradation
Network File Storage with Graceful Performance Degradation ANXIAO (ANDREW) JIANG California Institute of Technology and JEHOSHUA BRUCK California Institute of Technology A file storage scheme is proposed
More information6.852: Distributed Algorithms Fall, 2009. Class 2
.8: Distributed Algorithms Fall, 009 Class Today s plan Leader election in a synchronous ring: Lower bound for comparison-based algorithms. Basic computation in general synchronous networks: Leader election
More informationProperties of Stabilizing Computations
Theory and Applications of Mathematics & Computer Science 5 (1) (2015) 71 93 Properties of Stabilizing Computations Mark Burgin a a University of California, Los Angeles 405 Hilgard Ave. Los Angeles, CA
More informationThis asserts two sets are equal iff they have the same elements, that is, a set is determined by its elements.
3. Axioms of Set theory Before presenting the axioms of set theory, we first make a few basic comments about the relevant first order logic. We will give a somewhat more detailed discussion later, but
More information1 if 1 x 0 1 if 0 x 1
Chapter 3 Continuity In this chapter we begin by defining the fundamental notion of continuity for real valued functions of a single real variable. When trying to decide whether a given function is or
More informationCAs and Turing Machines. The Basis for Universal Computation
CAs and Turing Machines The Basis for Universal Computation What We Mean By Universal When we claim universal computation we mean that the CA is capable of calculating anything that could possibly be calculated*.
More informationHomework 1 (Time, Synchronization and Global State) - 100 Points
Homework 1 (Time, Synchronization and Global State) - 100 Points CS25 Distributed Systems, Fall 2009, Instructor: Klara Nahrstedt Out: Thursday, September 3, Due Date: Thursday, September 17 Instructions:
More informationCryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones
Cryptanalysis of a Partially Blind Signature Scheme or How to make $100 bills with $1 and $2 ones Gwenaëlle Martinet 1, Guillaume Poupard 1, and Philippe Sola 2 1 DCSSI Crypto Lab, 51 boulevard de La Tour-Maubourg
More informationFormal Verification of Software
Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification
More informationQuotes from Object-Oriented Software Construction
Quotes from Object-Oriented Software Construction Bertrand Meyer Prentice-Hall, 1988 Preface, p. xiv We study the object-oriented approach as a set of principles, methods and tools which can be instrumental
More informationRepresenting Reversible Cellular Automata with Reversible Block Cellular Automata
Discrete Mathematics and Theoretical Computer Science Proceedings AA (DM-CCG), 2001, 145 154 Representing Reversible Cellular Automata with Reversible Block Cellular Automata Jérôme Durand-Lose Laboratoire
More informationChapter 3. Cartesian Products and Relations. 3.1 Cartesian Products
Chapter 3 Cartesian Products and Relations The material in this chapter is the first real encounter with abstraction. Relations are very general thing they are a special type of subset. After introducing
More informationBounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances
Bounded Cost Algorithms for Multivalued Consensus Using Binary Consensus Instances Jialin Zhang Tsinghua University zhanggl02@mails.tsinghua.edu.cn Wei Chen Microsoft Research Asia weic@microsoft.com Abstract
More informationWHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT?
WHAT ARE MATHEMATICAL PROOFS AND WHY THEY ARE IMPORTANT? introduction Many students seem to have trouble with the notion of a mathematical proof. People that come to a course like Math 216, who certainly
More informationThis chapter is all about cardinality of sets. At first this looks like a
CHAPTER Cardinality of Sets This chapter is all about cardinality of sets At first this looks like a very simple concept To find the cardinality of a set, just count its elements If A = { a, b, c, d },
More information(IALC, Chapters 8 and 9) Introduction to Turing s life, Turing machines, universal machines, unsolvable problems.
3130CIT: Theory of Computation Turing machines and undecidability (IALC, Chapters 8 and 9) Introduction to Turing s life, Turing machines, universal machines, unsolvable problems. An undecidable problem
More informationWRITING A CRITICAL ARTICLE REVIEW
WRITING A CRITICAL ARTICLE REVIEW A critical article review briefly describes the content of an article and, more importantly, provides an in-depth analysis and evaluation of its ideas and purpose. The
More informationI. GROUPS: BASIC DEFINITIONS AND EXAMPLES
I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called
More informationThe BBP Algorithm for Pi
The BBP Algorithm for Pi David H. Bailey September 17, 2006 1. Introduction The Bailey-Borwein-Plouffe (BBP) algorithm for π is based on the BBP formula for π, which was discovered in 1995 and published
More informationlogic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?
5. LTL, CTL Last part: Alloy logic language, static/dynamic models SAT solvers Today: Temporal Logic (LTL, CTL) Verified Software Systems 1 Overview How can we model check of a program or system? Modeling
More informationCONTINUED FRACTIONS AND PELL S EQUATION. Contents 1. Continued Fractions 1 2. Solution to Pell s Equation 9 References 12
CONTINUED FRACTIONS AND PELL S EQUATION SEUNG HYUN YANG Abstract. In this REU paper, I will use some important characteristics of continued fractions to give the complete set of solutions to Pell s equation.
More information