Lectures 5 and 6 - 1st October 2019

Question 1

Why do liveness properties require more than propositional logic? What is needed instead?

Answer 1

Liveness properties require perspective on possible future situations. Propositional logic alone doesn’t require this.

Temporal logic is needed, as it includes temporal operators that fulfil this requirement.

Question 2

Why can safety properties mostly be written with propositional logic?

Answer 2

They often do not require temporal logic, as they usually just describe a property that should hold in a state.

Temporal operators are required to express properties concerning executions and not just states.

Question 3

What are never claims in Spin/PROMELA?

Answer 3

Code blocks that case the program to fail and give a trace of execution to an error whenever the statements (properties) in them evaluate to being true.

Question 4

Are statements in never claims atomic? Why?

Answer 4

They can be thought of as being atomic within the never claim, as they execute one-by-one. They aren’t atomic overall, however, as other processes can interleave inbetween them. This is because never claims get every other turn of execution.

Question 5

How do never claims and assert() statements compare?

Answer 5

Asserts are more simple but less powerful. If able, just use an assert rather than a never claim.

Question 6

What does it mean for a never claim to succeed?

Answer 6

It has found an error, represented as it terminating or infinitely going out of accepting labels in a loop. It will then cease the program’s execution and provide a trace of execution to the error as a counterexample of the model’s correctness.

Question 7

Does a never claim or another process execute first after global variables are initialised?

Answer 7

A never claim. It always executes before any other process after any global variables have been initialised.

Question 8

How do never claims execute with other processes?

Answer 8

They get every 2nd turn of execution.

Question 9

Why do loops need true nondeterministic options?

Answer 9

They don’t continue looping by default if they can’t execute any options. To keep them looping, there must always be an option they can execute - be an option they can always execute.

Question 10

How can never claims be specified more easily?

Answer 10

With linear temporal logic, which is then converted into an equivalent never claim.

Question 11

What are LTL statements composed of?

Answer 11

They are made of atomic propositions and boolean and temporal operators.

Question 12

How are LTL formulae included in PROMELA specifications?

Answer 12

Inline in the specification after the globals and before processes, in the format ltl[]’{‘’}’

Question 13

What does the operator □ represent in LTL?

Answer 13

always

Question 14

What does the operator ◇ represent in LTL?

Answer 14

eventually

Question 15

What does the operator X represent in LTL?

Answer 15

next

Question 16

What does the operator U represent in LTL?

Answer 16

strong until

Question 17

What does the operator W represent in LTL?

Answer 17

weak until

Question 18

What is the difference between the strong and weak until operations?

Answer 18

In strong until the second operand must eventually become true. Weak until holds if the first is always true and the second never becomes true.

Question 19

What does the operator → represent in LTL?

Answer 19

implies

Question 20

Which LTL operator can be used to represent an invariant system property?

Answer 20

p□q

Question 21

Which LTL operator can be used to represent a reply system property?

Answer 21

p◇q

Question 22

Which LTL operator can be used to represent a guranteed reply system property?

Answer 22

p→◇q

Question 23

Which LTL operator can be used to represent a progress system property?

Answer 23

p□ ◇q

Question 24

Which LTL operator can be used to represent a stability system property?

Answer 24

p◇ □q

Question 25

Which LTL operator can be used to represent an exclusion system property?

Answer 25

p→¬q

Question 26

What are the restrictions on the temporal logic of LTL formulae?

Answer 26

LTL formulae can only look at the present and future, and not the past.

Question 27

What is a trace?

Answer 27

Trace = trace of execution = the chronological list of states of an execution of a model up to a certain point.

Question 28

How do you represent a trace and property?

Answer 28

trace = t, property = p

relate the two with t ⊨ p iff t satisfies p

Question 29

What does it mean for a formula to be satisfied over a trace?

Answer 29

If the formula is true for the trace. By default, with no temporal operators, it will just be if it is true in the initial state/s. For it to be true in all, □ a is needed, for it to be true in the second state/s, X a, etc.

Question 30

What is the difference between a trace in PROMELA/SPIN and a trace of exection?

Answer 30

In PROMELA, traces of execution are called trails. Traces are atomic-like constructs that hold code blocks. Traces in PROMELA force communication sequences that must be valid across all executions of a program.

Question 31

What does the state-based nature of verification in SPIN allow us to check?

Answer 31

If a property ever holds (is reachable); if properties hold always, repeatedly, under certain conditions, never, etc; the states the system can be at (except for trace blocks in PROMELA specifications).

Question 32

What are trace constraints?

Answer 32

Atomic-like constructs that hold blocks of code that force communication sequences that must be valid across all executions of a program. They only concern the correctness of the communication actions of a specification.

Question 33

What are patterns of communication?

Answer 33

The order in which certain messages are exchanged between processes.

Question 34

What are communication actions?

Answer 34

Any statement which performs some data exchange between processes in PROMELA.

Question 35

What are the differences between trace conditions and never claims?

Answer 35

Never claims check the behaviour of a specification against disallowed behaviour and interleave with it.

Trace conditions force a specification to have certain patterns of communication and synchronise with it.

Question 36

What is an atomic proposition?

Answer 36

A statement or assertion that must be true or false.

Question 37

What are labelled transistion systems?

Answer 37

A theoretical state machine often used for describing the potential behaviour of discrete systems (i.e. systems with more than one state).