ebook img

DTIC ADA488092: Revising Distributed UNITY Programs is NP-Complete PDF

0.41 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA488092: Revising Distributed UNITY Programs is NP-Complete

Revising Distributed UNITY Programs is NP-Complete⁄ Borzoo Bonakdarpour Sandeep S. Kulkarni Department of Computer Science and Engineering Michigan State University East Lansing, MI 48824, USA Email: {borzoo,sandeep}@cse.msu.edu Abstract speciflcation, change of environment, etc. As a con- crete example, consider the case where a program is We focus on automated revision techniques for diagnosedwithafailedpropertybyamodelchecker. adding Unity properties to distributed programs. Insuchacase, accesstoautomatedmethodsthatre- We show that unlike centralizedprograms where mul- vise the program with respect to the failed property tiple safety properties and one progress property can is highly advantageous. Clearly, transformational be added in polynomial-time, addition of a safety or approaches that provide reuse allows human exper- a progress Unity property to distributed programs is tise to be used in the design of input program, and signiflcantly more di–cult. Precisely, we show that permits use of expressive speciflcations during the such addition is NP-complete in the size of the given design of the input program. Inevitably, for such program’s state space. We also propose an e–cient revision to be useful, in addition to satisfaction of symbolic heuristic for addition of a leads-to property new properties, the output program must preserve to distributed programs, which has applications in existing properties of the input program as well. automated program synthesis. In our previous work in this context [8], we fo- cusedonrevisingprogramswithrespecttoUnity[7] Keywords: UNITY, Distributed programs, properties of a high atomicity (centralized) program Revision, Transformation, Formal methods. where the program could read and write all program variables in one atomic step. We emphasize that, 1 Introduction our revision method in [8] ensures that during re- vision, satisfaction of all existing Unity properties Program correctness is an important aspect and of the input program is preserved. In particular, we application of formal methods. Designing pro- showed that adding a conjunction of Unity safety grams to be correct-by-construction is, therefore, properties (i.e., unless, stable, and invariant) and one highly valuable. Taking the paradigm of correct-by- progress property (i.e., leads-to and ensures) can be constructiontoextremeleadsustosynthesizingpro- achieved in polynomial-time. However, we showed gramsfromtheirspeciflcation. Whilesynthesisfrom that the problem becomes NP-complete if we con- speciflcation is undoubtedly useful, it sufiers from sider addition of two progress properties. The rea- lack of reuse, limitation of expressibility of specifl- son for our focus on Unity properties is due to the cation used during synthesis (e.g., in case of unde- fact that Unity properties have been found highly cidable or highly complex languages), and inability valuable in describing a large class of programs. to utilize human knowledge (e.g., domain expertise). In this paper, we shift our focus to distributed Alternatively, inprogram revision onecantransform programs where processes can read and write only aninputprogramintoanoutputprogramthatmeets a subset of program variables. We expect the con- additional properties. As a matter of fact, in prac- cept of program revision to play a more crucial role tice, such properties are frequently identifled during in the context of distributed programs due to the a system’s life cycle due to reasons such incomplete complex structure of distributed programs where ⁄ non-determinism and race conditions make it signif- This work was partially sponsored by NSF CAREER CCR-0092724 and ONR Grant N00014-01-1-0744. icantly di–cult to assert program correctness. We 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2008 2. REPORT TYPE 00-00-2008 to 00-00-2008 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Revising Distributed UNITY Programs is NP-Complete 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Michigan State University,Department of Computer Science and REPORT NUMBER Engineering,East Lansing,MI,48824 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT We focus on automated revision techniques for adding Unity properties to distributed programs. We show that unlike centralized programs where multiple safety properties and one progress property can be added in polynomial-time, addition of a safety or a progress Unity property to distributed programs is significantly more difficult. Precisely, we show that such addition is NP-complete in the size of the given program’s state space. We also propose an efficient symbolic heuristic for addition of a leads-to property to distributed programs, which has applications in automated program synthesis. 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE Same as 13 unclassified unclassified unclassified Report (SAR) Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 flnd somewhat unexpected results about the com- our results on the complexity of addition of Unity plexity of adding Unity properties to distributed progress properties. We also present our symbolic programs. In particular, we flnd that the problem of heuristic and experimental results in Section 5. Re- adding only one Unity safety property or progress lated work is discussed in Section 6. We conclude progress property to distributed programs is NP- in Section 7. Appendix A provides a summary of complete in the size of the input program’s state notations. space, even though the corresponding problem can 2 Preliminary Concepts be solved in in polynomial-time for centralized pro- grams. In this section, we formally deflne the notion of dis- tributed programs. We also reiterate the concept of The knowledge of these complexity bounds is es- Unity properties introduced by Chandy and Misra pecially important in building tools for incremental [7]. synthesis. In particular, the NP-completeness re- sults demonstrate that tools for revising programs 2.1 Distributed Programs must utilize e–cient heuristics to expedite the revi- sion algorithm at the cost of completeness of that Intuitively, we deflne a distributed program in terms algorithm. With this motivation, in this paper, we ofasetofprocesses. Eachprocessisinturnspecifled propose an e–cient symbolic (BDD-based) heuris- by a state-transition system and is constrained by tic that adds a leads-to property to a distributed some read/write restriction over its set of variables. program. We integrate this heuristic with our Let V = fv0;v1¢¢¢vng be a flnite set of variables tool Sycraft [6] that is designed for adding fault- with flnite domains D0;D1¢¢¢Dn, respectively. A tolerance to existing distributed programs. Leads- state, say s, is determined by mapping each variable to properties are of special interest in fault-tolerant v in V, 0 • i • n, to a value in D . We denote the i i computing where recovery within a flnite number of value of a variable v in state s by v(s). The set of all steps is essential. To this end, one can flrst aug- possible states obtained by variables in V is called ment the program with all possible recovery transi- the state space and is denoted by S. A transition is tions that it can use. Clearly, this augmented pro- a pair of states of the form (s0;s1) where s0;s1 2 S. gram does not guarantee that it would recover to Deflnition 2.1 (state predicate) Let S be the a set of legitimate states (e.g., an invariant predi- state space obtained from variables in V. A state cate) although there is a potential to reach the legit- predicate is a subset of S. imate states from states reached in the presence of faults. In particular, it may continue to execute on Deflnition 2.2 (transition predicate) Let S be a cycle that is entirely outside the legitimate states thestatespaceobtainedfromvariablesinV. Atran- although from each state there is a path to reach sition predicate is a subset of S £S. the legitimate states. We apply our heuristics for adding a leads-to property to modify the augmented Deflnition 2.3 (process) A process p is specifled program so that from any state reached in the pres- by the tuple hV ;T ;R ;W i where V is a set of p p p p p enceoffaults, theprogramisguaranteedrecoveryto variables, T is a transition predicate in the state p its legitimate states within a flnite number of steps. space of p (denoted S ), R is a set of variables that p p As a side efiect of the tool for adding leads-to prop- p can read, and W is a set of variables that p can p erty, wealsoimplementacycleresolutionalgorithm. write such that W (cid:181) R (cid:181) V (i.e., we assume that p p p Our experimental results show that this algorithm p cannot blindly write a variable). can also be integrated with existing state-of-the-art Write restrictions. Let p = hV ;T ;R ;W i p p p p model checkers for assisting in developing programs be a process. Clearly, T must be disjoint from the p that are correct-by-construction. following transition predicate due to inability of p to change the value of variables that p cannot write: Organization. The rest of the paper is organized as follows. In Section 2, we present the preliminary NWp =f(s0;s1)jv(s0)6=v(s1)wherev 62Wpg. concepts. Then, we formally state the revision prob- Read restrictions. Let p = hV ;T ;R ;W i be p p p p lem in Section 3. Section 4 is dedicated to complex- a process, v be a variable in Vp, and (s0;s1) 2 Tp ity analysis of addition of Unity safety properties where s0 6= s1. If v is not in Rp, then p must include 0 to distributed programs. In Section 5, we present a corresponding transition from all states s where 0 2 s00 and s0 difier only in the value of v. Let (s00;s01) thatreachessd isadeadlocked computation. Clearly, be one such transition. Now, it must be the case such computations cannot be extended to an inflnite 0 that s1 and s1 are identical except for the value of v, computation. 0 0 and, the value of v must be the same in s and s . 0 1 For instance, let Vp = fa;bg and Rp = fag. Thus, 2.2 UNITY Properties since p cannot read b, the transition ([a = 0;b = WenowpresenttheformaldeflnitionsfortheUnity 0];[a = 1;b = 0]) and the transition ([a = 0;b = properties introduced by Chandy and Misra [7]. 1];[a = 1;b = 1]) have the same efiect as far as p Unity properties are categorized by two classes of is concerned. Thus, each transition (s0;s1) in Tp is associated with the following group predicate: safety and progress properties. These properties are deflned next. Groupp(s0;s1)=f(s00;s01)j Deflnition 2.6 (UNITY safety properties) 0 0 (8v 62Rp : (v(s0)=v(s10) ^ v(s0)=v(s10)))^ Let P and Q be arbitrary state predicates. (8v 2Rp : (v(s0)=v(s0) ^ v(s1)=v(s1)))g. † (Unless) An inflnite sequence of states s = Deflnition 2.4 (distributed program) A dis- hs0;s1¢¢¢isatisfles‘P unlessQ’ifi8i ‚ 0 : (si 2 tributed program ƒ is specifled by the tuple hPƒ;Iƒi (P \:Q)) ) (si+1 2 (P [Q)). Intuitively, if where Pƒ is a set of processes and Iƒ is a set of P holds in a state of s then either (1) Q never initial states. Without loss of generality, we assume holds in s and P is continuously true, or (2) thatthestatespaceofallprocessesinPƒ isidentical Q becomes true and P holds at least until Q (i.e., 8p;q 2 Pƒ :: (Vp = Vq)^(Dp = Dq)). Thus, becomes true. the set of variables (denoted Vƒ) and state space of † (Stable) An inflnite sequence of states s = vparorigarbalmesƒan(ddesntaotteedspSaƒce) aorfepirdoecnetsisceaslotfoƒth,eressepteoc-f hs0;s1¢¢¢i satisfles ‘stable P’ ifi s satisfles P unless false. Intuitively, P is stable ifi once it tively. In this sense, the set Iƒ of initial states of ƒ becomes true, it remains true forever. is a subset of Sƒ. Notation. Let ƒ = hPƒ;Iƒi be a distributed pro- † (Invariant) An inflnite sequence of states s = gram (or simply a program). The set Tƒ denotes the hs0;s1¢¢¢i satisfles ‘invariant P’ ifi s0 2 P and s collection of transition predicates of all processes of satisfles stable P. An invariant property always ƒ, i.e., Tƒ = Sp2PƒTp. holds. Deflnition 2.5 (computation) Let ƒ = Deflnition 2.7 (UNITY progress properties) hPƒ;Iƒi be a program. A sequence of states, s = Let P and Q be arbitrary state predicates. hs0;s1¢¢¢i, is a computation of ƒ ifi the following three conditions are satisfled: (1) s0 2 Iƒ, (2) † (Leads-to) An inflnite sequence of states s = 8i ‚ 0 : (si;si+1) 2 Tƒ, and (3) if s is flnite and hs0;s1¢¢¢i satisfles ‘P leads-to Q’ ifi (8i ‚ 0 : terminates in state s then there does not exist state l (s 2 P) ) (9j ‚ i : s 2 Q)). In other words, i j s such that (sl;s) 2 Tƒ. if P holds in a state s , i ‚ 0, of s then there i For a distributed program ƒ = hPƒ;Iƒi, we say exists a state sj in s, i • j, such that Q holds. thatasequenceofstates,s = hs0;s1¢¢¢sni,isacom- putation preflx of ƒ ifi 8j j 0 • j < n : (sj;sj+1)2 † (Ensures) An inflnite sequence of states s = Tƒ . We distinguish between a terminating com- hs0;s1¢¢¢isatisfles‘P ensuresQ’ifi(1)ifP\:Q putation and a deadlocked computation. Precisely, is true in a state si, i ‚ 0, then (1) si+1 2 when a computation s terminates in state sl, we as- (P [ Q), and (2) 9j ‚ i : sj 2 Q. In other sume that the transition (sl;sl) appears in transi- words, there exists a state sj where Q even- tion predicate of some process in Pƒ, i.e., s can be tually becomes true in sj and P remains true extended to an inflnite computation by stuttering at everywhere in between si and sj. s . On the other hand, if there exists a state s such l d We now deflne what it means for a program to that an outgoing transition (or a self-loop) from sd reflne a Unity property. Note that throughout this appears in transition predicate of no process in Pƒ paper, we assume that a program and its properties then s is a deadlock state and a computation of ƒ d have identical state space. 3 Deflnition 2.8 (reflnes) Let ƒ = hPƒ;Iƒi be a there in Iƒ. Moreover, since Iƒ denotes the set of program and L be a Unity property. We say that all initial states of ƒ, we should preserve them dur- ƒ reflnes L ifi all computations of ƒ are inflnite and ing the revision. Finally, we require that Tƒ0 should satisfy L. be a subset of Tƒ. Note that not all transitions of Deflnition 2.9 (speciflcation) A Unity specifl- Tƒ may0 be preserved in Tƒ0. Hence, we must ensure that ƒ does not deadlock. Based on Deflnition 2.9, caaUtionnit§yissatfehteycoornjpurnocgtrieosnsVprnio=p1eLrtiyw. here each Li is irfefl(in)eTsƒ§0 (cid:181),tThƒen, (ƒii0)aƒls0odroeeflsnnesot§d.eaTdhloucsk,,thanedre(viiisi)ioƒn e e One can easily extend the notion of reflnement to problem is formally deflned as follows: Unity speciflcations as follows. Given a program n ƒ and a speciflcation § = Vi=1Li, we say that ƒ Problem Statement 3.1 Given a program ƒ = reflnes § ifi for all i, 1 • i • n, ƒ reflnes Li. hPƒ;Iƒi and a Unity speciflcation §n, identify Concise representation of safety properties. ƒ0 = hPƒ0;Iƒ0i such that: NoticethattheUnitysafetypropertiescanbechar- acterized in terms of a set of bad transitions that (C1) Sƒ0 = Sƒ, should never occur in a program computation. For (C2) Iƒ0 = Iƒ, example, stable P requires that a transition, say (C3) Tƒ0 (cid:181) Tƒ, and 0 (s0;s1), where s0 2 P and s1 2= P, should never (C4) ƒ reflnes §n. occur in any computation of a program that reflnes Notethattherequirementofdeadlockfreedomisnot stable P. Hence, for simplicity, in this paper, when explicitly specifled in the above problem statement, dealing with safety Unity properties of a program 0 asitfollowsfrom‘ƒ reflnes§ ’. Throughoutthepa- n ƒ = hPƒ;Iƒi, we assume that they are represented per, weuse‘revision ofƒwithrespecttoaspeciflca- by a transition predicate B (cid:181) Sƒ £Sƒ whose tran- tion§ (orpropertyL)’and‘addition of§ (respec- n n sitions should never occur in any computation. tively, L) to ƒ’ interchangeably. In Sections 4 and 3 Problem Statement 5, we present our results on developing automated methods that solve the above revision problem with Given are a program ƒ = hPƒ;Iƒi and a (new) respect to difierent types of Unity properties. Unity speciflcation § . Our goal is to devise an au- n tomated method which revises ƒ so that the revised 4 Adding UNITY Safety Proper- 0 program (denoted ƒ = hPƒ0;Iƒ0i) (1) reflnes §n, ties to Distributed Programs and (2) continues reflning its existing Unity speci- flcation § , where § is unknown. Thus, during the As mentioned in Section 2, Unity safety properties e e revision, we only want to reuse the correctness of ƒ canbecharacterizedbyatransitionpredicate,sayB, 0 with respect to § so that the correctness of ƒ with whose transitions should occur in no computation of e respect to § is derived from ‘ƒ reflnes § ’. a program. In a centralized setting where programs e e Intuitively,inordertoensurethattherevisedpro- havenorestrictionsonreadingandwritingvariables, 0 gram ƒ continues reflning the existing speciflcation a program ƒ = hPƒ;Iƒi can be easily revised with § , weconstraintherevisionproblemsothattheset respect to B by simply (1) removing the transitions e 0 of computations of ƒ is a subset of the set of com- inBfromTƒ,and(2)makingnewlycreateddeadlock putationsofƒ. Inthissense,sinceUnityproperties states unreachable [8]. are not existentially quantifled (unlike in Ctl), we To the contrary, the above approach is not ade- are guaranteed that all computations of ƒ0 satisfy quate for a distributed setting, as it is sound (i.e., it the Unity properties that participate in § . constructs a correct program), but not complete (it e Now, we formally identify constraints on Sƒ0, Iƒ0, may fail to flnd a solution while there exists one). and Tƒ0. Observe that if Sƒ0 contains states that This is due to the issue of read restrictions in dis- are not in Sƒ, there is no guarantee that the cor- tributed programs, which associates each transition rectness of ƒ with respect to § can be reused to of a process with a group predicate. This notion of e 0 ensure that ƒ reflnes §e. Also, since Sƒ denotes grouping makes the revision complex, since a revi- the set of all states (not just reachable states) of ƒ, sion algorithm has to examine many combinations removing states from Sƒ is not advantageous. Like- to determine which group of transitions must be re- wise, Iƒ0 should not have any states that were not moved and, hence, what deadlock states need to be 4 handled. Indeed, we show that the issue of read † For each clause y , N + 1 • j • M +N, we j restrictions changes the class of complexity of the introduce state r . j revision problem entirely. † For each clause y , N +1 • j • M +N, and Instance. A distributed program ƒ = hPƒ;Iƒi j and Unity safety speciflcation § . variablexi inclauseyj,1 • i • N,weintroduce n 0 0 the following states: r ;s ;s ;t ;t . Decision problem. Does there exist a program ji ji ji ji ji 0 0 ƒ = hPƒ0;Iƒ0i such that ƒ meets the constraints Value assignments. Assignment of values to of Problem Statement 3.1 for the above instance? each variable at each state is shown in Figure 1-a We now show that the above decision problem is NP-complete by a reduction from the well-known (denoted by < v0;v1;v2;v3;v4 >). This part of our mapping is the most crucial factor in forming group satisflability problem. The SAT problem is as fol- predicates. lows: Processes. Program ƒ consists of four processes. Letx1;x2¢¢¢xN bepropositionalvariables. Formally, Pƒ = fp1;p2;p3;p4g. Transition predicate Given a Boolean formula y = yN+1 ^ and read/write restrictions of processes in Pƒ are as yN+2¢¢¢yM+N, where each clause yj, N + follows: 1 • j • M +N, is a disjunction of three or more literals, does there exist an assign- † Read/write restrictions. The read/write ment of truth values to x1;x2¢¢¢xN such restrictions of processes p1, p2, p3, and p4 are as that y is satisflable? follows: We note that the unconventional subscripting of { Rp1 = fv0;v2;v3g and Wp1 = fv0;v2;v3g. variables and clauses in the above deflnition of the { Rp2 = fv1;v2;v3g and Wp2 = fv1;v2;v3g. SAT problem is deliberately chosen to make our proofs simpler. { Rp3 = fv0;v1;v2;v3;v4g and Wp3 = fv0;v1;v2;v4g. Theorem 4.1 The problem of adding a Unity { Rp4 = fv0;v1;v2;v3;v4g and Wp4 = safety property to a distributed program is NP- fv0;v1;v3;v4g. complete. † Transition predicates. For each proposi- Proof. Since showing membership to NP is tional variable x , 1 • i • N, we include the i straightforward,weonlyneedtoshowthattheprob- following transitions in processes p1, p2, p3, and lem is NP-hard. Towards this end, we present a p4 (see Figure 1-a): polynomial-time mapping from an instance of the 0 0 SAT problem to a corresponding instance of our re- { Tp1 = f(bi;di);(bi;ci) j 1 • i • Ng. vision problem. Thus, we construct ƒ = hPƒ;Iƒi as { T = f(b0;c0);(b ;d ) j 1 • i • Ng. p2 i i i i follows. 0 Variables. The set of variables of program ƒ and, { Tp3 = f(ci;ai+1);(ci;ai+1); 0 hence, its processes is V = fv0;v1;v2;v3;v4g. The (di;ai+1);(di;ai+1) j 1 • i • Ng. 0 domain of these variables are respectively as follows: { Tp4 = f(ai;bi);(ai;bi) j 1 • i • Ng. f¡1;0;1g, f¡1;0;1g, f0;1g, f0;1g, f1;2¢¢¢M + Moreover, corresponding to each clause y , N+ Ng[fji j (1 • i • N)^(N+1 • j • M+N)g. We j 1 • j • M +N, and variable x , 1 • i • N, in note that ji in the last set is not an exponent, but a i clause y , we include transition (r ;r ) in T denotational symbol. j j ji p3 and the following: Reachable states. The set of reachable states in our mapping are as follows: { Ifx isaliteralinclausey thenweinclude i j transition (r ;s ) in T , (s ;t ) in T , † For each propositional variable xi, 1 • i • N, ji ji p2 ji ji p3 and (t ;b ) in T . in the instance of the SAT problem, we in- ji i p4 troduce the following states (see Figure 1-a): { If :x is a literal in clause y then we in- i j 0 0 0 0 0 0 ai;bi;bi;ci;ci;di;di. We require that states a1 clude transition (rji;sji) in Tp1, (sji;tji) in 0 0 and aN+1 are identical. Tp3, and (tji;bi) in Tp4. 5 (cid:1)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:2) (cid:1)(cid:2)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:2)(cid:4) (cid:17)(cid:11)(cid:18)(cid:11)(cid:19)(cid:20) (cid:3)(cid:2)(cid:4)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:4)(cid:5) (cid:3)(cid:2)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:4)(cid:5) (cid:9)(cid:10)(cid:14)(cid:15)(cid:13)(cid:10)(cid:1)(cid:15)(cid:13)(cid:10)(cid:3)(cid:15)(cid:13)(cid:10)(cid:4)(cid:15)(cid:13)(cid:10)(cid:5)(cid:16) (cid:26)(cid:25)(cid:26)(cid:11) (cid:7)(cid:4)(cid:5) (cid:6)(cid:4)(cid:5) (cid:7)(cid:4)(cid:4) (cid:6)(cid:4)(cid:4) (cid:7)(cid:4)(cid:3) (cid:6)(cid:4)(cid:3) (cid:6)(cid:2)(cid:4)(cid:1)(cid:2)(cid:3)(cid:7)(cid:6)(cid:5)(cid:2)(cid:7)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:4)(cid:5) (cid:6)(cid:2)(cid:4)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:7)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:4)(cid:5) (cid:7)(cid:7)(cid:8)(cid:8)(cid:9)(cid:9)(cid:10)(cid:10)(cid:11)(cid:11)(cid:12)(cid:12)(cid:12)(cid:12)(cid:13)(cid:13)(cid:8)(cid:8)(cid:1)(cid:3) (cid:7)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4) (cid:10)(cid:4)(cid:1)(cid:2)(cid:3)(cid:7)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4) (cid:7)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2) (cid:4)(cid:8) (cid:21)(cid:7)(cid:7)(cid:8)(cid:8)(cid:8)(cid:9)(cid:9)(cid:9)(cid:10)(cid:10)(cid:22)(cid:11)(cid:11)(cid:23)(cid:12)(cid:12)(cid:13)(cid:12)(cid:12)(cid:1)(cid:13)(cid:13)(cid:8)(cid:8)(cid:4)(cid:5) (cid:1)(cid:5) (cid:1)(cid:4) (cid:1)(cid:3) (cid:1)(cid:1) (cid:21)(cid:8)(cid:9)(cid:22)(cid:23)(cid:13)(cid:3) (cid:24)(cid:26)(cid:8)(cid:25)(cid:25)(cid:20)(cid:19)(cid:12)(cid:27)(cid:26)(cid:27)(cid:9)(cid:19) (cid:7)(cid:1) (cid:6)(cid:1) (cid:11)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4) (cid:11)(cid:4)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2) (cid:4) (cid:27)(cid:29)(cid:28)(cid:12)(cid:8)(cid:13)(cid:30)(cid:27)(cid:25)(cid:19)(cid:11)(cid:19)(cid:8)(cid:13)(cid:12)(cid:10)(cid:11)(cid:27)(cid:31)(cid:13)(cid:26)(cid:25)(cid:31)(cid:27)(cid:27)(cid:22)(cid:9)(cid:26)(cid:11)(cid:12)(cid:19)(cid:8)(cid:11)(cid:12)(cid:25)(cid:13)(cid:13)(cid:31)(cid:13)(cid:14)(cid:11)(cid:12) (cid:5)(cid:4)(cid:6)(cid:5) (cid:3)(cid:4)(cid:6)(cid:5) (cid:3)(cid:6)(cid:1) (cid:5)(cid:6)(cid:1) (cid:5)(cid:4)(cid:2)(cid:3) (cid:3)(cid:4)(cid:2)(cid:3) (cid:3)(cid:2)(cid:1) (cid:5)(cid:2)(cid:1) (cid:8)(cid:4)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4) (cid:8)(cid:4)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2) (cid:4)(cid:9) (cid:29)(cid:28)(cid:8)(cid:30)(cid:25)(cid:11)(cid:19)(cid:8)(cid:12)(cid:11)(cid:27)(cid:13)(cid:26)(cid:31)(cid:27)(cid:27)(cid:9)(cid:26)(cid:11)(cid:19)(cid:8)(cid:12)(cid:25)(cid:31)(cid:13)(cid:11)(cid:12) (cid:2)(cid:6)(cid:5) (cid:2)(cid:6)(cid:1) (cid:2)(cid:2)(cid:3) (cid:2)(cid:2)(cid:1) (cid:10)(cid:4)(cid:9)(cid:6)(cid:1)(cid:2)(cid:3)(cid:7)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:9)(cid:6)(cid:8) (cid:27)(cid:12)(cid:13)(cid:27)(cid:19)(cid:13)(cid:10)(cid:31)(cid:25)(cid:22)(cid:12)(cid:11)(cid:13)(cid:13)(cid:14) (cid:2)(cid:6) (cid:2)(cid:2) (a) Mapping SAT to addition of Unity safety properties. (b)ThestructureoftherevisedprogramforBoolean formula(x1_:x2_x3)^(x1_x2_:x4),wherex1 = true, x2 =false, x3 =false, and x4 =false. Figure 1: Reduction from the SAT problem. Note that only for the sake of illustration, Fig- 3. Transitions grouped with the rest of the transi- ure 1-a shows all possible transitions. However, tions in Figure 1-a are unreachable and, hence, in order to construct ƒ, based on the existence are irrelevant. of x or :x in y , we only include a subset of i i j Now,weshowthattheanswertotheSATproblem the transitions. is a–rmative if and only if there exists a solution to the revision problem. Thus, we distinguish two Initialstates. ThesetIƒrepresentsclausesofthe cases: instanceoftheSATproblem,i.e.,Iƒ = frj j N+1 • j • M +Ng. † ()) First, we show that if the given instance of Safety property. Let P be a state predicate that the SAT formula is satisflable then there exists contains all reachable states in Figure 1-a except c i a solution that meets the requirements of the and c0 (i.e., c ;c0 2 :P ). Thus, the properties stable i i i revision decision problem. Since the SAT for- P and invariant P can be characterized by the tran- mula is satisflable, there exists an assignment 0 0 sition predicate B = f(b ;c );(b ;c ) j 1 • i • Ng. i i i i of truth values to all variables xi, 1 • i • N, Similarly, let P and Q be two state predicates that such that each y , N +1 • j • M +N, is true. j contain all reachable states in Figure 1-a except c 0 i Now, we identify a program ƒ, that is obtained and c0. Thus, the safety property P unless Q can be i by adding the safety property represented by B characterized by B as well. In our mapping, we let to program ƒ as follows. B represent the safety speciflcation for which ƒ has 0 to be revised. { The state space of ƒ consists of all the Before we present our reduction from the SAT states of ƒ, i.e., Sƒ = Sƒ0. problem using the above mapping, we make the fol- { The initial states of ƒ0 consists of all the lowing observations regarding the grouping of tran- initial states of ƒ, i.e., Iƒ = Iƒ0. sitions in difierent processes: { Foreachvariablex ,1 • i • N,ifx istrue i i then we include the following transitions: 1. Duetoinabilityofprocessp1 toreadvariablev4, for all i, 1 • i • N, transitions (r ;s0 );(b0;d0), (ai;bi) in Tp4, (bi;di) in Tp2, and (di;ai+1) ji ji i i in T . and (bi;ci) are grouped in p1. p3 { For each variable x , 1 • i • N, if i 2. Duetoinabilityofprocessp2 toreadvariablev4, xi is false then we include the following 0 0 0 for all i, 1 • i • N, transitions (r ;s );(b ;d ), transitions:(a ;b ) in T , (b ;d ) in T , ji ji i i i i p4 i i p1 0 0 0 and (bi;ci) are grouped in p2. and (di;ai+1) in Tp3. 6 0 { For each clause y , N +1 • j • M +N, ƒ be the program that is obtained by adding j that contains literal x , if x is true, we the safety property § to program ƒ. Now, in i i n include the following transitions: (r ;r ) order to obtain a solution for SAT, we proceed j ji 0 in T , (r ;s ) in T , (s ;t ) in T , and as follows. If there exists a computation of ƒ p4 ji ji p2 ji ji p3 (t ;b ) in T . where state b is reachable then we assign x the ji i p4 i i truthvaluetrue. Otherwise,weassignthetruth { For each clause y , N +1 • j • M +N, j value false. that contains literal :x , if x is false, we i i include the following transitions: (r ;r ) We now show that the above truth assignment j ji in Tp4, (rji;s0ji) in Tp1, (s0ji;t0ji) in Tp3, and satisfles all clauses. Let yj be a clause for some (t0ji;b0i) in Tp4. j, N +1 • j • M +N, and let rj be the cor- 0 responding initial state in ƒ. Since r is an j 0 Asanillustration, weshowthepartialstructure initial state and ƒ cannot deadlock, the tran- of ƒ0, for the formula (x1_:x2_x3)^(x1_x2_ sition (rj;rji) must be present in ƒ0, for some :x4), where x1 = true, x2 = false, x3 = false, i, 1 • i • N. By the same argument, there andx4 = false,inFigure1-b. Noticethatstates must exist some transition that originates from whose all outgoing and incoming transitions are rji. This transition terminates in either sji or 0 0 eliminated are not illustrated. Now, we show s . Observe that ƒ cannot have both tran- ji that ƒ0 meets the requirements of the Problems sitions, as grouping of transitions will include 0 0 Statement 3.1: both (bi;ci) and (bi;ci) which in turn causes vi- 0 olation of safety by ƒ. Now, if the transition 1. The flrst three constraints of the decision from rji terminates in sji, then clause yj con- problem are trivially satisfled by construc- tainsliteralxi andxi isassignedthetruthvalue tion. true. Hence, yj evaluates to true. Likewise, if 0 the transition from r terminates in s then 2. We now show that constraint C4 holds. ji ji clause y contains literal :x and x is assigned First, it is easy to observe that by con- j i i the truth value false. Hence, y evaluates to struction, there exist no reachable dead- j true. Therefore, the assignment of values con- lock states in the revised program. Hence, sidered above is a satisfying truth assignment ifƒ reflnesUnity speciflcation§ then ƒ0 e for the given SAT formula. reflnes § as well. Moreover, if a compu- e 0 tation of ƒ reaches a state b for some i, 5 Adding UNITY Progress Prop- i from an initial state r (i.e., x is true in j i erties to Distributed Programs clause y ) then that computation cannot j violate safety since bad transition (b ;c ) This section is organized as follows. In Subsection i i is removed. This is due to the fact that 5.1, we show that adding a Unity progress property 0 (b ;c ) is grouped with transition (r ;s ) to a distributed program is NP-complete. Then, in i i ji ji 0 and this transition is not included in ƒ, Subsection 5.2, we present a symbolic heuristic for as literal x is true in y . Likewise, if a adding a leads-to property to a distributed program. i j 0 0 computation of ƒ reaches a state b for i 5.1 Complexity some i, from initial state r (i.e., x is false j i in clause yj) then that computation can- In a centralized setting, where programs have no 0 0 not violate safety since transition (b ;c ) restriction on reading and writing variables, a pro- i i is removed. This is due to the fact that gram, say ƒ = hPƒ;Iƒi, can be easily revised with 0 0 (bi;ci) is grouped with transition (rji;sji) respect to a progress property by simply (1) break- 0 andthistransitionisnotincludedinƒ, as ing non-progress cycles that prevent a program to xi is false. Thus, ƒ0 reflnes §n. eventually reach a desirable state predicate, and (2) removing deadlock states [8]. To the contrary, in a † (()Next,weshowthatifthereexistsasolution distributed setting, due to the issue of grouping, it to the revision problem for the instance iden- matters which transition (and as a result its corre- tifled by our mapping from the SAT problem, sponding group) is removed to break a non-progress then the given SAT formula is satisflable. Let cycle. 7 (cid:17)(cid:10)(cid:18)(cid:10)(cid:19)(cid:20) (cid:5)(cid:2) (cid:5)(cid:4) (cid:10)(cid:11)(cid:14)(cid:15)(cid:12)(cid:11)(cid:1)(cid:15)(cid:12)(cid:11)(cid:3)(cid:15)(cid:12)(cid:11)(cid:13)(cid:15)(cid:12)(cid:11)(cid:5)(cid:16) (cid:4)(cid:5)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:2)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:3) (cid:1)(cid:5)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:2)(cid:7)(cid:4)(cid:5)(cid:2)(cid:4)(cid:3) (cid:31)(cid:27)(cid:25)(cid:27)(cid:10) (cid:10)(cid:5)(cid:2)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:2)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:3) (cid:9)(cid:5)(cid:8)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:8)(cid:2)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:3) (cid:6)(cid:6)(cid:6)(cid:6)(cid:21)(cid:7)(cid:7)(cid:7)(cid:7)(cid:8)(cid:7)(cid:8)(cid:8)(cid:8)(cid:8)(cid:9)(cid:9)(cid:9)(cid:9)(cid:22)(cid:10)(cid:10)(cid:10)(cid:10)(cid:23)(cid:11)(cid:11)(cid:11)(cid:11)(cid:11)(cid:11)(cid:11)(cid:12)(cid:11)(cid:1)(cid:12)(cid:12)(cid:12)(cid:12)(cid:9)(cid:9)(cid:9)(cid:9)(cid:3)(cid:5)(cid:13)(cid:1) (cid:5)(cid:2)(cid:1) (cid:6)(cid:2)(cid:1) (cid:6)(cid:3)(cid:2)(cid:3) (cid:5)(cid:2)(cid:3) (cid:6)(cid:4)(cid:1) (cid:5)(cid:4)(cid:1) (cid:6)(cid:3)(cid:4)(cid:5) (cid:5)(cid:4)(cid:5) (cid:6)(cid:2)(cid:11)(cid:1)(cid:2)(cid:2)(cid:1)(cid:3)(cid:2)(cid:4)(cid:3)(cid:5)(cid:2)(cid:6)(cid:4)(cid:5)(cid:5)(cid:2)(cid:2)(cid:4)(cid:7)(cid:5)(cid:2)(cid:2)(cid:5)(cid:2)(cid:2)(cid:5)(cid:6)(cid:2)(cid:4)(cid:5)(cid:2)(cid:5)(cid:4)(cid:2)(cid:7)(cid:3)(cid:4)(cid:3) (cid:11)(cid:5)(cid:2)(cid:6)(cid:1)(cid:5)(cid:2)(cid:2)(cid:3)(cid:1)(cid:6)(cid:2)(cid:3)(cid:5)(cid:2)(cid:4)(cid:4)(cid:5)(cid:5)(cid:2)(cid:2)(cid:4)(cid:7)(cid:2)(cid:5)(cid:5)(cid:2)(cid:2)(cid:2)(cid:4)(cid:5)(cid:2)(cid:5)(cid:4)(cid:2)(cid:4)(cid:5)(cid:2)(cid:3)(cid:6)(cid:3) (cid:7)(cid:8)(cid:2)(cid:7)(cid:1)(cid:2)(cid:2)(cid:1)(cid:3)(cid:2)(cid:6)(cid:3)(cid:5)(cid:6)(cid:2)(cid:6)(cid:5)(cid:2)(cid:5)(cid:4)(cid:2)(cid:8)(cid:5)(cid:2)(cid:2)(cid:5)(cid:8)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:5)(cid:6)(cid:2)(cid:4)(cid:3)(cid:3) (cid:28)(cid:24)(cid:28)(cid:26)(cid:24)(cid:21)(cid:11)(cid:7)(cid:29)(cid:7)(cid:12)(cid:29)(cid:25)(cid:7)(cid:26)(cid:25)(cid:10)(cid:19)(cid:8)(cid:10)(cid:19)(cid:19)(cid:7)(cid:7)(cid:12)(cid:22)(cid:11)(cid:10)(cid:11)(cid:9)(cid:10)(cid:26)(cid:23)(cid:26)(cid:12)(cid:30)(cid:27)(cid:12)(cid:27)(cid:30)(cid:25)(cid:26)(cid:30)(cid:12)(cid:26)(cid:26)(cid:3)(cid:8)(cid:26)(cid:22)(cid:8)(cid:27)(cid:27)(cid:10)(cid:19)(cid:10)(cid:11)(cid:19)(cid:7)(cid:11)(cid:7)(cid:10)(cid:11)(cid:25)(cid:25)(cid:12)(cid:30)(cid:14)(cid:30)(cid:12)(cid:12)(cid:15)(cid:12)(cid:13)(cid:12)(cid:13) (cid:7)(cid:3)(cid:1) (cid:7)(cid:1) (cid:1)(cid:1) (cid:7)(cid:1)(cid:3)(cid:3)(cid:3) (cid:4)(cid:3)(cid:3) (cid:8)(cid:3)(cid:3)(cid:7)(cid:3) (cid:1)(cid:5) (cid:7)(cid:3)(cid:5) (cid:4)(cid:3)(cid:5) (cid:8)(cid:3)(cid:5)(cid:7)(cid:5) (cid:10)(cid:2)(cid:1)(cid:2)(cid:3)(cid:6)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:7)(cid:2)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:6)(cid:3) (cid:9)(cid:8)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:8)(cid:2)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:4)(cid:3) (cid:26)(cid:11)(cid:12)(cid:26)(cid:19)(cid:12)(cid:9)(cid:30)(cid:25)(cid:22)(cid:11)(cid:10)(cid:12)(cid:14)(cid:15) (cid:8)(cid:1) (cid:4)(cid:1) (cid:4)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:7)(cid:2)(cid:5)(cid:2)(cid:4)(cid:5)(cid:2)(cid:6)(cid:3) (cid:1)(cid:2)(cid:1)(cid:2)(cid:3)(cid:4)(cid:5)(cid:2)(cid:6)(cid:5)(cid:2)(cid:7)(cid:2)(cid:5)(cid:2)(cid:7)(cid:4)(cid:5)(cid:2)(cid:7)(cid:4)(cid:3) (cid:2)(cid:3)(cid:1) (cid:2)(cid:3) (cid:2)(cid:5) (a) Mapping SAT to addition of a leads-to property. (b) The structure of the revised program for Boolean formula (x1_:x2_x3)^(x1_x2_:x4), where x1 = true, x2 = false, x3 =false, and x4 =false. Figure 2: Reduction from the SAT problem. Instance. A distributed program ƒ = hPƒ;Iƒi Value assignments. Assignment of values to and Unity progress property § . each variable at each state is shown in Figure 2-a n Decision problem. Does there exist a program (denoted by < v0;v1;v2;v3;v4 >). 0 0 ƒ = hPƒ0;Iƒ0i such that ƒ meets the constraints Processes. Program ƒ consists of four processes. of Problem Statement 3.1 for the above instance? Formally, Pƒ = fp1;p2;p3;p4g. Transition predicate and read/write restrictions of processes in Pƒ are as Theorem 5.1 The problem of adding a Unity follows: progress property to a distributed program is NP- complete. † Read/write restrictions. The read/write Proof. Since showing membership to NP is restrictions of processes p1, p2, p3, and p4 are as straightforward, we only show that the problem is follows: NP-hard by a reduction from the SAT problem. First, we present a polynomial-time mapping. { Rp1 = fv0;v1;v3g and Wp1 = fv0;v1;v3g. Variables. The set of variables of program ƒ { Rp2 = fv0;v1;v4g and Wp2 = fv0;v1;v4g. and, hence, its processes is V = fv0;v1;v2;v3;v4g. The domain of these variables are respectively as { Rp3 = fv0;v1;v2;v3;v4g and Wp3 = follows: f0;1g, f0;1g, f1;2¢¢¢M +Ng[fji j (1 • fv0;v2;v3;v4g. i • N)^(N +1 • j • M +N)g, f¡1;0;1g, and { Rp4 = fv0;v1;v2;v3;v4g and Wp4 = f¡1;0;1g. fv1;v2;v3;v4g. Reachable states. The set of reachable states in our mapping are as follows: † Transition predicates. For each proposi- tional variable x , 1 • i • N, we include the i † For each propositional variable xi, 1 • i • N, following transitions in processes p1, p2, p3, and we introduce the following states (see Figure 2- p4 (see Figure 2-a): 0 0 0 0 0 a): a , a , b , b , c , c , d , d , Q , and Q . i i i i i i i i i i 0 0 { T = f(b ;c );(b ;Q ) j 1 • i • Ng. † For each clause y , N + 1 • j • M +N, we p1 i i i i j 0 0 introduce state rj. { Tp2 = f(bi;ci);(bi;Qi) j 1 • i • Ng. 0 0 0 0 { T = f(a ;b );(a ;b );(c ;d );(c ;d ); † For each clause y , N +1 • j • M +N, and p3 i i i i i i i i j 0 0 (Q ;Q );(Q ;Q ) j 1 • i • Ng. x , 1 • i • N, in clause y , we introduce states i i i i i j 0 0 0 r , s , and s . { T = f(d ;b );(d ;b ) j 1 • i • Ng. ji ji ji p4 i i i i 8 Moreover, corresponding to each clause y , N+ values to all variables x , 1 • i • N, such that j i 1 • j • M +N, and variable x , 1 • i • N, in each y , N + 1 • j • M + N, is true. Now, i j 0 clause y , we include transition (r ;r ) in T we identify a program ƒ, that is obtained by j j ji p3 and the following: adding the progress property ⁄§Q to program ƒ as follows. { Ifx isaliteralinclausey thenweinclude i j 0 { The state space of ƒ consists of all the transition (r ;s ) in T , and (s ;a ) in ji ji p2 ji i states of ƒ, i.e., Sƒ = Sƒ0. T . p4 0 { The initial states of ƒ consists of all the { If :x is a literal in clause y then we in- i j 0 0 0 initial states of ƒ, i.e., Iƒ = Iƒ0. cludetransition(r ;s )inT and(s ;a ) ji ji p1 ji i { Foreachvariablex ,1 • i • N,ifx istrue in T . i i p4 then we include the following transitions: 0 0 Note that for the sake of illustration Figure 2-a (ai;bi), (ci;di), and (Qi;Qi) in Tp3, (bi;ci) 0 0 0 showsallpossibletransitions. However,inorder and (bi;Qi) in Tp2, and, (di;bi) in Tp4. to construct ƒ, based on the existence of xi or { For each variable xi, 1 • i • N, if xi is :xiinyj,weonlyincludeasubsetoftransitions. false then we include the following transi- 0 0 0 0 tions: (a ;b ), (c ;d ), and (Q ;Q ) in T , i i i i i i p3 Initial states. The set Iƒ of ƒ is the set of states (b0;c0) and (b ;Q ) in T , and, (d0;b ) in i i i i p1 i i that represent clauses of the boolean formula in the T . p4 instanceofSAT,i.e.,Iƒ = frj j N+1 • j • M+Ng. { For each clause y , N +1 • j • M +N, Progress property. In our mapping, the de- j that contains literal x , if x is true, we sirable progress property is of the form § · (true i i n leads-to Q), where Q = fQ ;Q0 j 1 • i • Ng (see include transition (rj;rji) in Tp4, (rji;sji) i i in T , and, (s ;a ) in T . Figure 2-a). Observe that § is a leads-to as well as p2 ji i p4 n an ensures property. This property in Linear Tem- { For each clause yj, N +1 • j • M +N, poral Logic (Ltl) is denoted by ⁄§Q (called always that contains literal :xi, if xi is false, we 0 eventually Q). include transition (rj;rji) in Tp4, (rji;sji) 0 0 Before we present our reduction from the SAT in Tp1, and, (sji;ai) in Tp4. problem using the above mapping, we make the fol- Asanillustration, weshowthepartialstructure lowing observations regarding the grouping of tran- of ƒ0, for the formula (x1_:x2_x3)^(x1_x2_ sitions in difierent processes: :x4), where x1 = true, x2 = false, x3 = false, and x4 = false in Figure 2-b. Notice that states 1. Due to inability of process p1 to read variable whose all outgoing and incoming transitions are 0 v2, for all i, 1 • i • N, transitions (rji;sji), eliminated are not illustrated. Now, we show 0 0 (bi;ci), and (bi;Qi) are grouped in process p1. that ƒ0 meets the requirements of the Problems Statement 3.1: 2. Due to inability of process p2 to read variable v2, for all i, 1 • i • N, transitions (rji;sji), 1. The flrst three constraints of the decision 0 0 (bi;ci), and (bi;Qi) are grouped in process p2. problem are trivially satisfled by construc- tion. 3. Transitions grouped with the rest of the transi- 2. We now show that constraint C4 holds. tions in Figure 2-a are unreachable and, hence, First, it is easy to observe that by con- are irrelevant. struction, there exist no reachable dead- Wedistinguishthefollowingtwocasesforreducing lock states in the revised program. Hence, the SAT problem to our revision problem : if ƒ reflnes Unity speciflcation §e then 0 ƒ reflnes § as well. Moreover, by con- e 0 † ()) First, we show that if the given instance of struction, all computations of ƒ eventu- 0 the SAT formula is satisflable then there exists ally reach either Q or Q and will stutter i i asolutionthatmeetstherequirementsofthere- there. This is due to the fact that if lit- vision decision problem. Since the SAT formula eral x is true in clause y then transition i j 0 0 issatisflable,thereexistsanassignmentoftruth (r ;s ) is not included in ƒ and, hence, ji ji 9

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.