Week 4 solutions

March 21, 2017
1
a. ϕ → ♦ψ ≡ ϕ U (ψ ∨ ¬ϕ).
From the left hand side formula we obtain ϕ → ♦ψ = ¬ϕ ∨ ♦ψ =
♦¬ϕ ∨ ♦ψ = ♦(ψ ∨ ¬ϕ) = True U (ψ ∨ ¬ϕ). Here, True = (ψ ∧ ϕ) ∨ (¬ψ ∧
ϕ) ∨ (ψ ∧ ¬ϕ) ∨ (¬ψ ∧ ¬ϕ). In True U (ψ ∨ ¬ϕ), only (¬ψ ∧ ϕ) can hold
before (ψ ∧ ¬ϕ). In the right hand side formula, only (¬ψ ∧ ϕ) can hold
before (ψ ∧ ¬ϕ) as well. Hence, we conclude that the equivalence holds.
b. ♦ϕ → ♦ψ ≡ (ϕ U (ψ ∨ ¬ϕ)).
We transform the left hand side formula as follows. ♦ϕ → ♦ψ =
¬♦ϕ ∨ ♦ψ = ♦¬ϕ ∨ ♦ψ.
We already proved that ϕ → ♦ψ ≡ ϕ U (ψ ∨ ¬ϕ), hence we can transform
the right hand side formula as follows. (ϕ U (ψ ∨ ¬ϕ)) = (ϕ → ♦ψ) =
(♦¬ϕ ∧ ♦ψ).
Now, let a = ♦¬ϕ and b = ♦ψ. We know that (a ∨ b) ≢ a ∨ b, hence
♦¬ϕ ∨ ♦ψ ≢ (♦¬ϕ ∧ ♦ψ).
c. (ϕ ∨ ¬ψ) ≡ ¬♦(¬ϕ ∧ ψ).
Left hand side formula is transformed as follows. (ϕ∨¬ψ) = (ϕ∨¬ψ).
Right hand side formula is transformed as follows. ¬♦(¬ϕ∧ψ) = ¬(¬ϕ∧
ψ) = (ϕ ∨ ¬ψ). Hence, we conclude that the equivalence holds.
d. ♦(ϕ ∧ ψ) = ♦ϕ ∧ ♦ψ.
The counter example is as follows. We consider a path, such that s0 |=
¬(ϕ ∧ ψ), s1 |= (ϕ ∧ ¬ψ), s2 |= (¬ϕ ∧ ψ). For this path, the left hand side
formula does not hold, since both ϕ and ψ must eventually become True
simultaneously, whereas the right hand side formula holds for this path.
Hence, the equivalence holds.
e. ϕ ∧ ♦ϕ ≡ ϕ.
We transform the left hand side formula as follows. ϕ ∧ ♦ϕ = ϕ ∧
(True U ϕ) = ϕ ∧ (True U ϕ) = ϕ. Hence, we conclude that the
equivalence holds.
f. ♦ϕ ∧ ϕ ≡ ♦ϕ.
The counter example is as follows. We consider a path, such that s0 |= ϕ,
s1 |= ¬ϕ. The right hand side formula holds for the path, since after ϕ
eventually becomes True, there are no further obligations, whereas the left
hand side formula does not hold, since, after ϕ eventually becomes True,
from the next state, ϕ must hold.
g. ♦ϕ → ♦ψ ≡ (ϕ → ♦ψ). The counter example is as follows. Let there
be a path s0 (s1 )ω , such that s0 |= ϕ ∧ ¬ψ, s1 |= ¬ϕ ∧ ¬ψ. For this path,
the left hand side formula holds, since neither of ♦ϕ and ♦ψ hold, but
the right hand side formula does not hold.
h. ♦ϕ ≡ ♦ ϕ.
We transform the left hand side formula as follows. ♦ϕ = (True U ϕ) =
True U ϕ = True U ϕ.
The right hand side formula is transformed as follows. ♦ϕ = True U ϕ.
From here, we can conclude that the equivalence holds.
i. (ϕ U ψ) U ψ ≡ ϕ U ψ. By applying the idempotency law to the left hand
side formula, we can immediately conclude that the equivalence holds.
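The counterexample in (d) and the equivalence in (i) can be checked mechanically on ultimately periodic paths. The following is an added example, not part of the original solutions; the tuple encoding of formulas, the atoms p and q standing for ϕ and ψ, and the assumption that s2 repeats forever in the path for (d) are choices made here.

```python
from itertools import product

def sat(f, word, loop_start):
    """Truth value of f at each position of a lasso word (last position -> loop_start)."""
    n, op = len(word), f[0]
    if op == "true":
        return [True] * n
    if op == "ap":
        return [f[1] in letter for letter in word]
    if op == "not":
        return [not v for v in sat(f[1], word, loop_start)]
    if op in ("and", "or"):
        a, b = sat(f[1], word, loop_start), sat(f[2], word, loop_start)
        return [(x and y) if op == "and" else (x or y) for x, y in zip(a, b)]
    if op == "F":                      # ♦g is evaluated as True U g
        return sat(("U", ("true",), f[1]), word, loop_start)
    if op == "U":                      # least fixpoint of b ∨ (a ∧ next)
        a, b = sat(f[1], word, loop_start), sat(f[2], word, loop_start)
        res, changed = list(b), True
        while changed:
            changed = False
            for i in range(n - 1, -1, -1):
                nxt = res[i + 1] if i + 1 < n else res[loop_start]
                if not res[i] and a[i] and nxt:
                    res[i], changed = True, True
        return res
    raise ValueError(op)

def holds(f, word, loop_start):
    return sat(f, word, loop_start)[0]

P, Q = ("ap", "p"), ("ap", "q")        # p, q stand for ϕ, ψ (assumed names)
# (d): constructed path s0 s1 (s2)^ω with s0 ⊨ ¬(ϕ∧ψ), s1 ⊨ ϕ∧¬ψ, s2 ⊨ ¬ϕ∧ψ
D_WORD, D_LOOP = [set(), {"p"}, {"q"}], 2
D_LHS = ("F", ("and", P, Q))
D_RHS = ("and", ("F", P), ("F", Q))

def equivalent_up_to(f, g, max_len=4):
    """Compare f and g on every lasso word over {p, q} with at most max_len positions."""
    letters = [set(), {"p"}, {"q"}, {"p", "q"}]
    for n in range(1, max_len + 1):
        for word in product(letters, repeat=n):
            for loop_start in range(n):
                if holds(f, word, loop_start) != holds(g, word, loop_start):
                    return False
    return True

I_LHS, I_RHS = ("U", ("U", P, Q), Q), ("U", P, Q)   # (i)
```

The bounded search is a sanity check, not a proof: agreement on all short lasso words supports (i), while a single disagreeing word is enough to separate the two sides of (d).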
2
(a) ((¬ϕ U (ϕ ∧ ψ)) ∨ ¬ϕ).
(b) (ϕ U ¬ψ) ∨ ϕ.
(c) ♦ϕ(♦ψ) ∨ ¬ϕ.
3
First, the TA is defined as follows: TA = {Loc, Loc0 , Act, C, →, Inv, AP, L}
Loc = {s0 , s1 }
Loc0 = {s0 }
Act = {switch on, switch off}
C = {x, y}
AP = ∅
Inv(s0 ) = True
Inv(s1 ) = True
L(s0 ) = ∅
L(s1 ) = ∅
The transitions → are:
s0 --(x ≥ 1, switch on, {x, y})--> s1
s1 --(x ≥ 2, switch on, {x})--> s1
s1 --(y = 3, switch off, {x})--> s0
Now, TS = {S, Act′, →′, I, AP′, L′}
S = {(s0, x, y) | x, y ∈ R+} ∪ {(s1, x, y) | x, y ∈ R+}
Act′ = {switch on, switch off} ∪ R+
I = {(s0, 0, 0)}
AP′ = True
L′ = ∅
The transitions →′ are:
(s0, x, y) --(switch on)--> (s1, 0, 0), ∀x, y, such that x ≥ 1, y ≥ 0
(s0, x, y) --(d)--> (s0, x + d, y + d), ∀x, y, d, such that x ≥ 0, y ≥ 0, d ≥ 0
(s1, x, y) --(switch on)--> (s1, 0, y), ∀x, y, such that x ≥ 2, y ≥ 0
(s1, x, y) --(d)--> (s1, x + d, y + d), ∀x, y, d, such that x ≥ 0, y ≥ 0, d ≥ 0
(s1, x, y) --(switch off)--> (s0, 0, y), ∀x, y, such that x ≥ 0, y = 3
The transition system is non-zeno, since there are no transitions without time
constraints, which makes it impossible to conduct infinitely many actions in
finite time.
The transition system does not contain timelocks. In s0 there are no invariants
and the transition guard x ≥ 1 eventually becomes fulfilled. In s1 there are no
state invariants either, and the switch on self-loop transition always becomes
enabled after two time units. It is worth noting that when y becomes greater
than 3, the switch off transition becomes infeasible forever, but this does not
create timelocks, since the switch on self-loop transition is always possible.
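The delay and action transitions of TS can be replayed directly. The following is an added example, not part of the original solutions: it encodes the three edges of the timed automaton above and checks the timelock argument on concrete states; the function names and the sample states are assumptions made here.

```python
# Edges of the timed automaton above: (source, guard, action, resets, target).
EDGES = [
    ("s0", lambda x, y: x >= 1, "switch on",  {"x", "y"}, "s1"),
    ("s1", lambda x, y: x >= 2, "switch on",  {"x"},      "s1"),
    ("s1", lambda x, y: y == 3, "switch off", {"x"},      "s0"),
]

def delay(state, d):
    """Delay transition: both clocks advance by d >= 0 (all invariants are True)."""
    loc, x, y = state
    if d < 0:
        raise ValueError("negative delay")
    return (loc, x + d, y + d)

def enabled(state):
    """Actions whose guard holds in exactly this state."""
    loc, x, y = state
    return sorted({a for src, g, a, _, _ in EDGES if src == loc and g(x, y)})

def fire(state, action):
    """Action transition: take the enabled edge labelled `action`."""
    loc, x, y = state
    for src, guard, act, resets, dst in EDGES:
        if src == loc and act == action and guard(x, y):
            return (dst, 0 if "x" in resets else x, 0 if "y" in resets else y)
    raise ValueError(f"{action!r} not enabled in {state}")

def run(steps, state=("s0", 0, 0)):
    """Replay a timed word [(delay, action), ...] from the initial state."""
    for d, action in steps:
        state = fire(delay(state, d), action)
    return state

def min_delay_to_action(state):
    """Smallest delay after which some action is enabled; always defined, so no timelock."""
    loc, x, y = state
    waits = [max(0, 1 - x)] if loc == "s0" else [max(0, 2 - x)]
    if loc == "s1" and y <= 3:
        waits.append(3 - y)            # switch off needs y = 3 exactly
    return min(waits)
```

Once y has passed 3 in s1, `enabled` never reports switch off again, yet `min_delay_to_action` still returns a finite delay because of the switch on self-loop.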
4
The automata are depicted on figures 3, 1 and 2.
a i. ¬Compl
ii. (Inserted ∧ GotCoffee → ♦(Published1 ∨ Published2 ∨ Published3))
iii. (Inserted → ♦ServedCoffee)
b There are no zeno paths in the model. An argument for this is that in the
Person and Machine automata, each path from a state to the same state
contains at least one transition with guards satisfying the following
condition: for any clock x and any constant c, ¬(x < c) holds. This guarantees
that only a finite number of actions is possible within finite time. And the
Observer automaton cannot proceed independently, without synchronizing
with the Person and Machine.
There are no timelock paths in the model, and informally this can be explained
as follows. If we observe it, we can see that only two states of the
Person automaton contain states with invariants. Otherwise, the model
can proceed. Let’s consider both of the states with invariants. In the
Person’s Wait state, there is no possibility to end up in a deadlock, since
whenever the following state is active, the only possible transition is out
of this state, the Person’s clock inevitably reaches the value which satisfies
the transition’s guard. Further, let’s consider the Person’s GotCoffee state.
The state’s invariant inevitably holds and there are no other circumstances
which can prevent the transition.
c ¬Compl does not hold and the counter example is as follows.
(Start,Idle,Idle2,x=0,y=0,z=0)
(Wait,Inserted,Idle2,x=0,y=0,z=1)
(Ready,Inserted,Idle2,x=0,y=3,z=4)
(Ready,Inserted,Idle2,x=0,y=7,z=8)
(GotCoffee,ServedCoffee,Idle2,x=0,y=2,z=10)
(Start,Idle,Published3,x=2,y=4,z=12)
(Start,Idle,Compl,x=2,y=4,z=12)
As we can see, the Compl state of the observer is reached eventually (clock
z tracks time elapsed from the previous publishing, and it is observable
that 12 time units have passed).
The two other properties hold and the argument is trivial. After (Inserted ∧
GotCoffee), it is impossible to avoid publishing. Similarly, after the
Inserted state, the ServedCoffee state is inevitable.
In order for the first property to hold, it is enough to change the Person
automaton. The changed automaton is provided in figure 4. The initial
state is made urgent, in the Ready state, an invariant introduced, and the
Go state is made committed. All of the changes prevent the automaton
from unlimited waiting and limit the whole cycle in time, which makes
the Compl state of the Observer automaton unreachable.
Figure 1: Machine automaton
Figure 2: Observer automaton
Figure 3: Original person automaton
Figure 4: Updated person automaton