Prrs ts t - - PowerPoint PPT Presentation

Pr♦❣r❛♠s✱ ❙❡♠❛♥t✐❝s ❛♥❞ ❊✛❡❝t✐✈❡ ❆t♦♠✐❝✐t②

❙❤❛♥❦❛r ❆♣r✐❧ ✸✱ ✷✵✶✹

❖✉t❧✐♥❡

♣r♦❣r❛♠s

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

Pr♦❣r❛♠ str✉❝t✉r❡

♣r♦❣r❛♠s

program name ( params ) ia { pred } main functions input functions atomicity assumption {...} progress assumption {...}

❘❡❛❞✲♦♥❧② ✈❛r✐❛❜❧❡s

mysid: ✏t❤✐s✑ s✐❞ mytid: ✏t❤✐s✑ t✐❞

P❛r❛♠❡t❡rs r❡❛❞✲♦♥❧②

input rtype mysid.name ( params ) // ✐♥♣✉t ❢✉♥❝t✐♦♥ ia { pred } body rval ← sid.fname ( params ); // ❝❛❧❧ t♦ ❡♥✈✐r♦♥♠❡♥t ia { pred }

❙②st❡♠s ❛♥❞ ❚❤r❡❛❞s

♣r♦❣r❛♠s

startSystem (P (params))

✐♥st❛♥t✐❛t❡s ♣r♦❣r❛♠ P ❜❛s✐❝ s②st❡♠ ✐s ❝r❡❛t❡❞ ✇✐t❤ ❛ ✉♥✐q✉❡ s②st❡♠ ✐❞ ✭s✐❞✮ ✐♥st❛♥t✐❛t✐♥❣ t❤r❡❛❞ ❡①❡❝✉t❡s ♠❛✐♥ ❛♥❞ r❡t✉r♥s s②st❡♠ r❡♠❛✐♥s ❆❣❣r❡❣❛t❡ s②st❡♠ x✿ ❜❛s✐❝ s②st❡♠ x ❛♥❞ ✐ts ❞❡s❝❡♥❞❡❞ s②st❡♠s ❈♦♠♣♦s✐t❡ s②st❡♠✿ ❛r❜✐tr❛r② ❝♦❧❧❡❝t✐♦♥ ♦❢ s②st❡♠s

startThread(F (params))

❝r❡❛t❡s t❤r❡❛❞ ❡①❡❝✉t✐♥❣ ❧♦❝❛❧ ♥♦♥✲✐♥♣✉t ❢✉♥❝t✐♦♥ F r❡t✉r♥s ❛ ✉♥✐q✉❡ t❤r❡❛❞ ✐❞ ✭❛❜❜r t✐❞✮ t❤r❡❛❞ ❡♥❞s ✇❤❡♥ ✐t r❡❛❝❤❡s ❡♥❞ ♦❢ F

❙②st❡♠ t❡r♠✐♥❛t✐♦♥

♣r♦❣r❛♠s

P❧❛t❢♦r♠ ❡✈❡♥t✉❛❧❧② t❡r♠✐♥❛t❡s ❛ s②st❡♠ ✐❢ ❛ t❤r❡❛❞ ✐♥ s②st❡♠ ❤❛s ❡①❡❝✉t❡❞ endSystem() s②st❡♠ ✐s ❝♦♥t✐♥✉♦✉s❧② ✐♥ ❛ ❡♥❞❛❜❧❡ st❛t❡ ❙②st❡♠ ✐s ❡♥❞❛❜❧❡ ♥♦ ❣✉❡st t❤r❡❛❞s ✐♥ t❤❡ s②st❡♠ ♥♦ ❧♦❝❛❧ t❤r❡❛❞ ♦❢ t❤❡ s②st❡♠ ✐s ✐♥ ❛♥♦t❤❡r s②st❡♠ ❊♥s✉r❡s t❤❛t ❛ t❤r❡❛❞ ✐s ♥♦t ❧❡❢t ✐♥ ❧✐♠❜♦✳ ❆t t❡r♠✐♥❛t✐♦♥✱ ♣❧❛t❢♦r♠ t❡r♠✐♥❛t❡s ❛❧❧ ❧♦❝❛❧ t❤r❡❛❞s ❝❧❡❛♥s ✉♣ s②st❡♠✬s st❛t❡

❖✉t❧✐♥❡

s❡r✈✐❝❡ ♣r♦❣r❛♠s

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

❙❡r✈✐❝❡ ♣r♦❣r❛♠ str✉❝t✉r❡

s❡r✈✐❝❡ ♣r♦❣r❛♠s

❆ s❡r✈✐❝❡ ♣r♦❣r❛♠ ✐s ❡ss❡♥t✐❛❧❧② ❛ st❛t❡ ♠❛❝❤✐♥❡ ♦r❣❛♥✐③❡❞ ✐♥t♦ ✏✐♥♣✉t✑ ❛♥❞ ✏♦✉t♣✉t✑ ❢✉♥❝t✐♦♥s

service prog name(params) { ic {predicate in params} <main> // define and initialize variables <input functions> <output functions> <atomicity and progress assumptions> }

❉♦❡s ♥♦t ❝r❡❛t❡ ❛♥② ♦t❤❡r s②st❡♠ s♦ ♦♥❧② ♦♥❡ ❜❛s✐❝ s②st❡♠✱ ❡✈❡♥ ❢♦r ❛ ❞✐str✐❜✉t❡❞ s❡r✈✐❝❡ ❈r❡❛t❡s t❤r❡❛❞s ♦♥❧② t♦ ❡①❡❝✉t❡ ♦✉t♣✉t ❢✉♥❝t✐♦♥s ✭✐❢ ❛♥②✮ ▼❛①✐♠❛❧ ❛t♦♠✐❝✐t②✿ ❡✈❡r② ❛t♦♠✐❝ st❡♣ ❞♦❡s ✐♥♣✉t ♦r ♦✉t♣✉t

■♥♣✉t ❢✉♥❝t✐♦♥

s❡r✈✐❝❡ ♣r♦❣r❛♠s

❈♦♥s✐sts ♦❢ ✐♥♣✉t ♣❛rt✿ ❡①❡❝✉t❡❞ ❛t♦♠✐❝❛❧❧② ✇❤❡♥ ❢✉♥❝t✐♦♥ ✐s ❝❛❧❧❡❞ ♦✉t♣✉t ♣❛rt✿ ❡①❡❝✉t❡❞ ❛t♦♠✐❝❛❧❧② ✇❤❡♥ ❢✉♥❝t✐♦♥ r❡t✉r♥s ■♥♣✉t ♣❛rt ❝♦♥s✐sts ♦❢ ✐♥♣✉t ❝♦♥❞✐t✐♦♥✿ ♣r❡❞✐❝❛t❡ ✐♥ ✈❛rs ❛♥❞ ♣❛r❛♠s✱ ♥♦ s✐❞❡✲❡✛❡❝t ❜♦❞②✿ ♥♦♥✲❜❧♦❝❦✐♥❣ ❞❡t❡r♠✐♥✐st✐❝ ✉♣❞❛t❡ t♦ ♠❛✐♥✬s ✈❛rs ❇♦❞② ✐s ❡①❡❝✉t❡❞ ✐❢ ✐♥♣✉t ❝♦♥❞✐t✐♦♥ ❤♦❧❞s✱ ♦✴✇ ❢❛✉❧t ❖✉t♣✉t ♣❛rt ❝♦♥s✐sts ♦❢ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥ ❛♥❞ ❜♦❞②✱ ❛s ✐♥ ✐♥♣✉t ♣❛rt ❇♦❞② ✐s ❡①❡❝✉t❡❞ ♦♥❧② ✐❢ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥ ❤♦❧❞s✱ ♦✴✇ ❜❧♦❝❦ ◆♦t❡✿ ✐♥♣✉t ❢✉♥❝t✐♦♥ ♥❡✈❡r ❝❛❧❧s t❤❡ ❡♥✈✐r♦♥♠❡♥t

■♥♣✉t ❢✉♥❝t✐♦♥✿ ❣❡♥❡r❛❧ ❝❛s❡

s❡r✈✐❝❡ ♣r♦❣r❛♠s

input retType sid.fname(param) ic {predicate} body

✐♥♣✉t ♣❛rt

• utput(extParam, internalParam)
• c {pred}

body return rval;

♦✉t♣✉t ♣❛rt

• utput(.)✿ ✐♥tr♦❞✉❝❡s ❛❞❞✐t✐♦♥❛❧ ♣❛r❛♠❡t❡rs ❢♦r ♦✉t♣✉t ♣❛rt

extParam✿ r❡t✉r♥ ✈❛❧✉❡❀ ❛❧❧♦✇s ❡①t❡r♥❛❧ ♥♦♥❞❡t❡r♠✐♥✐s♠ internalParam✿ ❛❧❧♦✇s ✐♥t❡r♥❛❧ ♥♦♥❞❡t❡r♠✐♥✐s♠

♣❛r❛♠❡t❡rs ❝❛♥ ❤❛✈❡ ❛♥② ✈❛❧✉❡ ❛❧❧♦✇❡❞ ❜② ♦❝✬s pred ♣❛r❛♠❡t❡rs ♥♦t ✉♣❞❛t❡❞ ✐♥ ♦✉t♣✉t ❜♦❞②

❖✉t♣✉t ❢✉♥❝t✐♦♥

s❡r✈✐❝❡ ♣r♦❣r❛♠s

❖✉t♣✉t ❢✉♥❝t✐♦♥✿ ✏r❡✈❡rs❡✑ ♦❢ ❛♥ ✐♥♣✉t ❢✉♥❝t✐♦♥ ♦✉t♣✉t ♣❛rt ❢♦❧❧♦✇❡❞ ❜② ✐♥♣✉t ♣❛rt ❖✉t♣✉t ♣❛rt✿ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥ ❛♥❞ ❜♦❞② ❜♦❞② ❡♥❞s ✐♥ ❝❛❧❧ t♦ ❡♥✈✐r♦♥♠❡♥t✱ s❛② sid.fn(param) ❛t♦♠✐❝❛❧❧② ❝r❡❛t❡ t❤r❡❛❞ ❛♥❞ ❡①❡❝✉t❡ ❜♦❞② ✭✐♥❝❧✉❞✐♥❣ ❝❛❧❧✮ ♦♥❧② ✐❢ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥ ❤♦❧❞s✱ ♦✴✇ ❜❧♦❝❦ ■♥♣✉t ♣❛rt✿ ✐♥♣✉t ❝♦♥❞✐t✐♦♥ ❛♥❞ ❜♦❞② ❜♦❞② st❛rts ✇✐t❤ t❤❡ ❝❛❧❧✬s r❡t✉r♥ ✈❛❧✉❡ ✭✐❢ ❛♥②✮ ✉♣♦♥ r❡t✉r♥✱ ❛t♦♠✐❝❛❧❧② ❡①❡❝✉t❡ ❜♦❞② ❛♥❞ t❡r♠✐♥❛t❡ t❤r❡❛❞ ✐❢ ✐♥♣✉t ❝♦♥❞✐t✐♦♥ ❤♦❧❞s✱ ♦✴✇ ❢❛✉❧t ◆❡✈❡r ❝❛❧❧❡❞ ❜② ❡♥✈✐r♦♥♠❡♥t✳ Pr♦❣r❛♠ ❤❛s ♥♦ ♦t❤❡r ❝❛❧❧ t♦ sid.fn(.) s♦ ❛❧❧ ✐ts sid.fn(.) ❝❛❧❧s ❛r❡ ❝❛♣✉t❡❞ ❜② t❤❡ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥

❖✉t♣✉t ❢✉♥❝t✐♦♥✿ ❣❡♥❡r❛❧ ❝❛s❡

s❡r✈✐❝❡ ♣r♦❣r❛♠s

• utput fname ( extParam, intParam) {
• c {oc predicate}
• utput body

rval ← sid.fn(args); ic {ic predicate} input body }

♦✉t♣✉t ♣❛rt✱ ❡♥❞s ❛t sid.fn(.) ✐♥♣✉t ♣❛rt✱ ❜❡❣✐♥s ❛t rval

extParam✿ sid ❛♥❞ args ♦❢ t❤❡ ❝❛❧❧ intParam✿ ✐♥t❡r♥❛❧ ♣❛r❛♠❡t❡rs✱ ❛❧❧♦✇s ✐♥t❡r♥❛❧ ♥♦♥❞❡t❡r♠✐♥✐s♠

❆t♦♠✐❝✐t② ❛♥❞ ♣r♦❣r❡ss ❛ss✉♠♣t✐♦♥s

s❡r✈✐❝❡ ♣r♦❣r❛♠s

❆t♦♠✐❝✐t② ❛ss✉♠♣t✐♦♥ ♠❛✐♥✱ ✐♥♣✉t ♣❛rts✱ ♦✉t♣✉t ♣❛rts Pr♦❣r❡ss ❛ss✉♠♣t✐♦♥ ♣r❡❞✐❝❛t❡ ✇✐t❤ t❡r♠s r❡♣❧❛❝❡❞ ❜② ❧❡❛❞s✲t♦ ❛ss❡rt✐♦♥s✱ ❡✳❣✳ P ⇒ Q − → ✭A ❧❡❛❞s✲t♦ B✮ ⇒ ✭C ❧❡❛❞s✲t♦ D✮

forsome(j: P)

− →

forsome(j: (A ❧❡❛❞s✲t♦ B) )

✏t❤r❡❛❞✲❧♦❝❛t✐♦♥✑ ❡①♣r❡ss✐♦♥s ❛r❡ r❡str✐❝t❡❞ t♦ ✏thread t in s.f✑ ❛♥❞ ✐ts ♥❡❣❛t✐♦♥ ✇❤❡r❡ s.f ✐s ❛♥ ✐♥♣✉t ❢✉♥❝t✐♦♥ ♦r ♦✉t♣✉t ❝❛❧❧ ♦❢ t❤❡ s❡r✈✐❝❡ ❧♦❝❛❧❧② r❡❛❧✐③❛❜❧❡✿ ✇✴♦ r❡q✉✐r✐♥❣ ✐♥♣✉ts ❢r♦♠ ❡♥✈✐r♦♥♠❡♥t

❋❛✉❧t✲❋r❡❡❞♦♠ ❛♥❞ ❯s❛❜✐❧✐t②

s❡r✈✐❝❡ ♣r♦❣r❛♠s

❙❡r✈✐❝❡ ♣r♦❣r❛♠ ♠✉st ❜❡ ❢❛✉❧t✲❢r❡❡ ❙❡r✈✐❝❡ ♣r♦❣r❛♠ ✇✐t❤ ✐♥t❡r♥❛❧ ♣❛r❛♠❡t❡rs ♠✉st ❜❡ ✉s❛❜❧❡ ❢♦r ❛♥② ✐♥♣✉t e✱ ❢♦r ❛♥② ✜♥✐t❡ ❡✈♦❧✉t✐♦♥s x ❛♥❞ y st ioseq(x) = ioseq(y)✱ e ❛❝❝❡♣t❡❞ ❛t ❡♥❞ ♦❢ x ✐✛ e ❛❝❝❡♣t❡❞ ❛t ❡♥❞ ♦❢ y ❖t❤❡r✇✐s❡ t❤❡ s❡r✈✐❝❡ ♣r♦❣r❛♠ ✐s ✉s❡❧❡ss ❛s ❛ st❛♥❞❛r❞

❖✉t❧✐♥❡

s❡♠❛♥t✐❝s

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

❙t❛t❡ tr❛♥s✐t✐♦♥ ♠♦❞❡❧

s❡♠❛♥t✐❝s

❚♦ r❡❛s♦♥ ❛❜♦✉t ❛ ♣r♦❣r❛♠✱ ♥❡❡❞ ❛ ♠❛t❤❡♠❛t✐❝❛❧ ♠♦❞❡❧ ♦❢ ✐ts ❡✈♦❧✉t✐♦♥s ❲❡ ✉s❡ ❛ st❛t❡ tr❛♥s✐t✐♦♥ ♠♦❞❡❧ st❛t❡✿ ✈❛❧✉❡ ❛ss✐❣♥♠❡♥t ♦❢ ✈❛rs✱ ♣❛r❛♠s✱ t❤r❡❛❞ ❧♦❝❛t✐♦♥s tr❛♥s✐t✐♦♥✿ st❛t❡ ❝❤❛♥❣❡ ❞✉❡ t♦ ❡①❡❝✉t✐♦♥ ♦❢ ❛♥ ❛t♦♠✐❝ st❡♣ ❡✈♦❧✉t✐♦♥✿ s❡q✉❡♥❝❡ ♦❢ tr❛♥s✐t✐♦♥s st❛rt✐♥❣ ❢r♦♠ ✐♥✐t✐❛❧ st❛t❡ Pr♦✈✐❞❡ st❛t❡ tr❛♥s✐t✐♦♥ ♠♦❞❡❧ ❢♦r ❛ ❝♦♠♣♦s✐t❡ s②st❡♠ M M ❝❛♥ ❜❡ t❤❡ ❛❣❣r❡❣❛t❡ s②st❡♠ ♦❢ ❛ ♣r♦❣r❛♠

❙t❛t❡ tr❛♥s✐t✐♦♥ ♠♦❞❡❧

s❡♠❛♥t✐❝s

State space transition evolution reachable state initial state e input or output states ❋✐rst tr❛♥s✐t✐♦♥ ❝r❡❛t❡s t❤❡ s②st❡♠ ✐♥✐t✐❛❧ st❛t❡✿ s②st❡♠ ♥♦t ②❡t ❝r❡❛t❡❞ ♥❡①t st❛t❡✿ s②st❡♠ ❡①✐sts

❙t❛t❡s ♦❢ M

s❡♠❛♥t✐❝s

❙t❛t❡ ♦❢ ❛ ❜❛s✐❝ s②st❡♠ ✈❛❧✉❡ ❛ss✐❣♥♠❡♥t ♦❢ ✈❛rs✱ ♣❛r❛♠s✱ t❤r❡❛❞ ❧♦❝❛t✐♦♥s ❙t❛t❡ ♦❢ ❝♦♠♣♦s✐t❡ s②st❡♠ M ✇✐t❤ ♠✉❧t✐♣❧❡ ❜❛s✐❝ s②st❡♠s ❝♦❧❧❡❝t✐♦♥ ♦❢ st❛t❡s ♦❢ t❤❡ ❜❛s✐❝ s②st❡♠s ✐♥ M ❢♦r ❛ st❛t❡ s ❛♥❞ ❛ ❝♦♠♣♦♥❡♥t s②st❡♠ P s.P✿ P✬s ❝♦♠♣♦♥❡♥t ♦❢ s

❚r❛♥s✐t✐♦♥s ♦❢ M

s❡♠❛♥t✐❝s

❚r❛♥s✐t✐♦♥✿ s, t ♦r s, e, t ✴✴ ❛t♦♠✐❝ st❡♣ ❡①❡❝✉t✐♦♥ s✿ st❛rt st❛t❡❀ ❢❛✉❧t✲❢r❡❡ e✿ ✐♥♣✉t ♦r ♦✉t♣✉t✱ ✐❢ ♣r❡s❡♥t t✿ ❡♥❞ st❛t❡❀ ❢❛✉❧t✲❢r❡❡ ♦r fault ❛t♦♠✐❝✐t② ❝❛♥ ❜❡ ❡✛❡❝t✐✈❡ ♦r ♣❧❛t❢♦r♠✲♣r♦✈✐❞❡❞ ❚②♣❡s ♦❢ tr❛♥s✐t✐♦♥s ❜❛s✐❝ ✐♥t❡r♥❛❧✿ ♥♦ ✐♦❀ ✐♥t❡r♥❛❧ t♦ ❛ ❜❛s✐❝ s②st❡♠ ✐♥♣✉t✿ ✐♥♣✉t e ❢r♦♠ ❡♥✈✐r♦♥♠❡♥t ♦✉t♣✉t✿ ♦✉t♣✉t e t♦ ❡♥✈✐r♦♥♠❡♥t ❝♦♠♣♦s✐t❡ ✐♥t❡r♥❛❧✿ ✐♦ e ❜❡t✇❡❡♥ t✇♦ ❜❛s✐❝ s②st❡♠s ♦❢ M ❋♦r ♥♦♥✲❢❛✉❧t② tr❛♥s✐t✐♦♥s ❜❛s✐❝ ✐♥t❡r♥❛❧✱ ✐♥♣✉t✱ ♦✉t♣✉t✿ ❛✛❡❝t ♦♥❧② ♦♥❡ ❜❛s✐❝ s②st❡♠ ♦❢ M ❝♦♠♣♦s✐t❡ ✐♥t❡r♥❛❧✿ ❛✛❡❝ts t✇♦ ❜❛s✐❝ s②st❡♠s ♦❢ M

❊✈♦❧✉t✐♦♥s

s❡♠❛♥t✐❝s

❊✈♦❧✉t✐♦♥ ♦❢ M✿ ♣❛t❤ ✐♥ t❤❡ st❛t❡ tr❛♥s✐t✐♦♥ ♠♦❞❡❧ st❛rts ❢r♦♠ ✐♥✐t✐❛❧ st❛t❡ ❤❛s ❛t ❧❡❛st ♦♥❡ tr❛♥s✐t✐♦♥ ✴✴ ❝r❡❛t❡s ✜rst ❜❛s✐❝ s②st❡♠ ♦❢ M ✜♥✐t❡ ✭❝❛♥ ❡♥❞ ✐♥ fault✮✱ ♦r ✐♥✜♥✐t❡ ✭♥♦ fault✮ ❈♦♠♣❧❡t❡ ❡✈♦❧✉t✐♦♥✿ ♦♥❡ t❤❛t s❛t✐s✜❡s ♣r♦❣r❡ss ❛ss✉♠♣t✐♦♥ ♦❢ M ❆❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥✿ ♦♥❡ ✇❤❡r❡ ❡✈❡r② ✐♥♣✉t ✐s ❛❧❧♦✇❡❞ ✐✳❡✳✱ ❡✈❡r② ✐♥♣✉t s❛t✐s✜❡s ✐ts ✐♥♣✉t ❛ss✉♠♣t✐♦♥ ❙❡t ♦❢ ❛❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥s ❞❡t❡r♠✐♥❡ M✬s ❝♦rr❡❝t♥❡ss ♣r♦♣❡rt✐❡s M ✐s ❢❛✉❧t✲❢r❡❡ ✐✛ ❡✈❡r② ❛❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥ ✐s ❢❛✉❧t✲❢r❡❡ ❛♥ ❛❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥ ❝❛♥ ❜❡ ❢❛✉❧t②

❖✉t❧✐♥❡

❛ss❡rt✐♦♥s

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

Pr❡❞✐❝❛t❡s

❛ss❡rt✐♦♥s

Pr❡❞✐❝❛t❡s✿ ❡①♣r❡ss ♣r♦♣❡rt✐❡s ♦❢ s②st❡♠ st❛t❡s ❢❛✉❧t st❛t❡ ❞♦❡s ♥♦t s❛t✐s❢② ❛♥② ♣r❡❞✐❝❛t❡ Pr❡❞✐❝❛t❡✿ ❜♦♦❧❡❛♥✲✈❛❧✉❡❞ ❝♦♥str✉❝t ✐♥ ❜♦♦❧❡❛♥✲✈❛❧✉❡❞ t❡r♠s✿ ✉s✉❛❧❧② ✐♥✈♦❧✈✐♥❣ s②st❡♠ q✉❛♥t✐t✐❡s ♣r♦♣♦s✐t✐♦♥❛❧ ♦♣❡r❛t♦rs✿ not✱ and✱ or✱ ⇒✱ ⇔ ✱ OR q✉❛♥t✐✜❡rs✿ forall✱ forsome✱ forone ❇♦✉♥❞ ✈❛r✐❛❜❧❡✿ ✈❛r✐❛❜❧❡ ❞❡✜♥❡❞ ✐♥ t❤❡ s❝♦♣❡ ♦❢ ❛ q✉❛♥t✐✜❡r ❋r❡❡ ✈❛r✐❛❜❧❡✿ ✈❛r✐❛❜❧❡ t❤❛t ✐s ♥♦t ❜♦✉♥❞ ■❢ ❢r❡❡ ✈❛r✐❛❜❧❡ x ♦❢ ♣r❡❞✐❝❛t❡ P ✐s ♥♦t ❛ s②st❡♠ q✉❛♥t✐t②✱ t❤❡♥ P ❤♦❧❞s ❛t ❛ st❛t❡ ✐✛ forall(x : P) ❤♦❧❞s ❛t t❤❡ st❛t❡

❆ss❡rt✐♦♥s

❛ss❡rt✐♦♥s

❆ss❡rt✐♦♥s✿ ❡①♣r❡ss ♣r♦♣❡rt✐❡s ♦❢ s②st❡♠ ❡✈♦❧✉t✐♦♥s ❢❛✉❧t② ❡✈♦❧✉t✐♦♥ ❞♦❡s ♥♦t s❛t✐s❢② ❛♥② ❛ss❡rt✐♦♥ ❚✇♦ ❦✐♥❞s ♦❢ ♣r♦♣❡rt✐❡s✿ s❛❢❡t② ❛♥❞ ♣r♦❣r❡ss ❙❛❢❡t②✿ ♥♦t❤✐♥❣ ✏❜❛❞✑ ❤❛♣♣❡♥s ✐❢ ❛ ✜♥✐t❡ s❡q✉❡♥❝❡ x ❞♦❡s ♥♦t s❛t✐s❢② ✐t✱ ♥♦ ❡①t❡♥s✐♦♥ ♦❢ x ✇✐❧❧ s❛t✐s❢② ✐t Pr♦❣r❡ss✿ s♦♠❡t❤✐♥❣ ✏❣♦♦❞✑ ❡✈❡♥t✉❛❧❧② ❤❛♣♣❡♥s ✐❢ ❛ ✜♥✐t❡ s❡q✉❡♥❝❡ x ❞♦❡s ♥♦t s❛t✐s❢② ✐t✱ t❤❡r❡ ✐s ❛♥ ❡①t❡♥s✐♦♥ ♦❢ x t❤❛t ✇✐❧❧ s❛t✐s❢② ✐t

❙❛❢❡t② ❛ss❡rt✐♦♥s

❛ss❡rt✐♦♥s

■♥✈❛r✐❛♥t ❛ss❡rt✐♦♥✿ ■♥✈ P ✴✴ P ♣r❡❞✐❝❛t❡ ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ st❛t❡ ♦❢ x s❛t✐s✜❡s P ❯♥❧❡ss ❛ss❡rt✐♦♥✿ P ✉♥❧❡ss Q ✴✴ P✱ Q ♣r❡❞✐❝❛t❡s ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ st❛t❡ s ♦❢ x s❛t✐s❢②✐♥❣ P and not Q✱ s ✐s t❤❡ ❧❛st st❛t❡ ♦❢ x ♦r t❤❡ ♥❡①t st❛t❡ s❛t✐s✜❡s P or Q ❙❛❢❡t② ❛ss❡rt✐♦♥✿ ♣r❡❞✐❝❛t❡ ❬t❡r♠s → ✐♥✈❛r✐❛♥t✴✉♥❧❡ss ❛ss❡rt✐♦♥s❪ ❡✳❣✳✱ forall(int n: (■♥✈ P) ⇒ (Q ✉♥❧❡ss R)) ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ ♣r❡❞✐❝❛t❡ ❤♦❧❞s ❛❢t❡r ❡✈❛❧✉❛t✐♥❣ ✐ts ❝♦♠♣♦♥❡♥t ❛ss❡rt✐♦♥s ♦♥ x ❙❛❢❡t② ❛ss❡rt✐♦♥ ❤♦❧❞s ❢♦r ❛ s②st❡♠ ✐❢ ✐t ❤♦❧❞s ❢♦r ❛❧❧ ✐ts ❛❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥s

Pr♦❣r❡ss ❛ss❡rt✐♦♥s ✕ ✶

❛ss❡rt✐♦♥s

❲❡❛❦ ❢❛✐r♥❡ss ❢♦r t❤r❡❛❞ t ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ x ✐s ✜♥✐t❡ ❛♥❞ t ✐s ❜❧♦❝❦❡❞ ✐♥ ❧❛st st❛t❡ ♦❢ x✱ ♦r x ✐s ✐♥✜♥✐t❡ ❛♥❞ t ❡①❡❝✉t❡s ✐♥✜♥✐t❡❧② ♦❢t❡♥ ♦r ✐s ❜❧♦❝❦❡❞ ✐♥✜♥✐t❡❧② ♦❢t❡♥ ❙tr♦♥❣ ❢❛✐r♥❡ss ❢♦r t❤r❡❛❞ t ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ x ✐s ✜♥✐t❡ ❛♥❞ t ✐s ❜❧♦❝❦❡❞ ✐♥ ❧❛st st❛t❡ ♦❢ x✱ ♦r x ✐s ✐♥✜♥✐t❡ ❛♥❞ t ❡①❡❝✉t❡s ✐♥✜♥✐t❡❧② ♦❢t❡♥ ✐❢ ✐t ✐s ✉♥❜❧♦❝❦❡❞ ✐♥✜♥✐t❡❧② ♦❢t❡♥ ❲❡❛❦ ✭str♦♥❣✮ ❢❛✐r♥❡ss ❢♦r st❛t❡♠❡♥t S ✇❡❛❦ ✭str♦♥❣✮ ❢❛✐r♥❡ss ❢♦r ❡✈❡r② t❤r❡❛❞ ♦♥ S

Pr♦❣r❡ss ❛ss❡rt✐♦♥s ✕ ✷

❛ss❡rt✐♦♥s

▲❡❛❞s✲t♦ ❛ss❡rt✐♦♥✿ P ❧❡❛❞s✲t♦ Q ✴✴ P✱ Q ♣r❡❞✐❝❛t❡s ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ st❛t❡ s ♦❢ x s❛t✐s❢②✐♥❣ P and not Q✱ s♦♠❡ ❧❛t❡r st❛t❡ s❛t✐s✜❡s P or Q Pr♦❣r❡ss ❛ss❡rt✐♦♥✿ ♣r❡❞ ❬t❡r♠s → ❢❛✐r♥❡ss✴❧❡❛❞s✲t♦ ❛ss❡rt✐♦♥s❪ ❡✳❣✳✱ forall(int n: (P ❧❡❛❞s✲t♦ Q) ⇒ (R ❧❡❛❞s✲t♦ S)) ❤♦❧❞s ❢♦r ❡✈♦❧✉t✐♦♥ x ✐❢ ♣r❡❞✐❝❛t❡ ❤♦❧❞s ❛❢t❡r ❡✈❛❧✉❛t✐♥❣ ✐ts ❝♦♠♣♦♥❡♥t ❛ss❡rt✐♦♥s ♦♥ x Pr♦❣r❡ss ❛ss❡rt✐♦♥ ❤♦❧❞s ❢♦r ❛ s②st❡♠ ✐❢ t❤❡ s②st❡♠ ✐s ❢❛✉❧t✲❢r❡❡ ❛♥❞ ❡✈❡r② ❝♦♠♣❧❡t❡ ❛❧❧♦✇❡❞ ❡✈♦❧✉t✐♦♥ s❛ts✜❡s ❛ss❡rt✐♦♥

❖✉t❧✐♥❡

❡①❡❝ s♣❧✐t✴st✐t❝❤

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

■♠❛❣❡ ❞❡✜♥✐t✐♦♥s

❡①❡❝ s♣❧✐t✴st✐t❝❤

▲❡t C ❜❡ ❛ ❝♦♠♣♦s✐t❡ s②st❡♠✳ ▲❡t P ❜❡ t❤❡ ❝♦♠♣♦s✐t❡ s②st❡♠ ♦❢ ❛ s✉❜s❡t ♦❢ ❜❛s✐❝ s②st❡♠s ♦❢ C✳ ❋♦r ❡✈❡r② st❛t❡✱ tr❛♥s✐t✐♦♥✱ ♦r ❡✈♦❧✉t✐♦♥ x ♦❢ C x ❤❛s ❛♥ ✐♠❛❣❡ ♦♥ P✱ ❞❡♥♦t❡❞ x.P ❋♦r st❛t❡ s ♦❢ C✿ s.P = ♣❛rt ♦❢ s ❝♦♥❝❡r♥✐♥❣ P ❋♦r tr❛♥s✐t✐♦♥ t = u, e, v ♦❢ C✿ t.P =

• u.P, e, v.P

✐❢ t ✐♥✈♦❧✈❡s P ♦✴✇ ❋♦r ❡✈♦❧✉t✐♦♥ x ♦❢ C✿ x.P = x ✇✐t❤ ❡✈❡r② tr❛♥s✐t✐♦♥ t r❡♣❧❛❝❡❞ ❜② t.P

❙♣❧✐tt✐♥❣

❡①❡❝ s♣❧✐t✴st✐t❝❤

▲❡t C ❜❡ ❛ ❝♦♠♣♦s✐t❡ s②st❡♠✳ ▲❡t P ❜❡ t❤❡ ❝♦♠♣♦s✐t❡ s②st❡♠ ♦❢ ❛ s✉❜s❡t ♦❢ C ▲❡t x ❜❡ ❛ ❢❛✉❧t✲❢r❡❡ ❡✈♦❧✉t✐♦♥ ♦❢ C st x.P ✐s ♥♦t ♥✉❧❧ ❚❤❡♦r❡♠ x.p ✐s ❛ ❢❛✉❧t✲❢r❡❡ ❡✈♦❧✉t✐♦♥ ♦❢ P ❢♦r ❛♥② ❛ss❡rt✐♦♥ β ♥♦t ✐♥✈♦❧✈✐♥❣ C − P✿ x s❛t✐s✜❡s β ✐✛ x.P s❛t✐s✜❡s β ✐❢ x ✐s ❛ ❝♦♠♣❧❡t❡ ❡✈♦❧✉t✐♦♥ ♦❢ C✿ x.P ✐s ❛ ❝♦♠♣❧❡t❡ ❡✈♦❧✉t✐♦♥ ♦❢ P Pr♦♦❢ ❡❛s②❀ ❜② ✐♥❞✉❝t✐♦♥ ♦♥ ★ tr❛♥s✐t✐♦♥s ✐♥ x❀ s❡❡ t❡①t

❙t✐t❝❤✐♥❣ ❚❤❡♦r❡♠

❡①❡❝ s♣❧✐t✴st✐t❝❤

▲❡t P✶✱ · · · ✱ PN ❜❡ ❞✐s❥♦✐♥t ❝♦♠♣♦s✐t❡ s②st❡♠s ▲❡t C ❜❡ ✉♥✐♦♥ ♦❢ P✶✱ · · · ✱ PN ▲❡t x✶✱ · · · ✱ xN ❜❡ ❢❛✉❧t✲❢r❡❡ ❡✈♦❧✉t✐♦♥s ♦❢ P✶✱ · · · ✱ PN ❉❡✜♥✐t✐♦♥✿ x✶✱ · · · ✱ xN ❛r❡ s✐❣♥❛t✉r❡✲❝♦♠♣❛t✐❜❧❡ ✐❢ t❤❡r❡ ✐s ❛ ♠❡r❣❡ y ♦❢ io(x✶)✱ · · · ✱ io(xN) s✉❝❤ t❤❛t yK ✐s ♦✉t♣✉t e ♦❢ Pi t♦ Pj ⇒ yK+✶ ✐s ✐♥♣✉t e ♦❢ io(xj) ❚❤❡♦r❡♠ t❤❡r❡ ✐s ❛ ❢❛✉❧t✲❢r❡❡ ❡✈♦❧✉t✐♦♥ z ♦❢ C st z.Pi = xi ❢♦r ❛❧❧ i ✐✛ x✶✱ · · · ✱ xN ❛r❡ s✐❣♥❛t✉r❡✲❝♦♠♣❛t✐❜❧❡ ❢♦r ❛♥② ❛ss❡rt✐♦♥ β ♥♦t ✐♥✈♦❧✈✐♥❣ C − Pi✿ z s❛t✐s✜❡s β ✐✛ xi s❛t✐s✜❡s β z ✐s ❛ ❝♦♠♣❧❡t❡ ❡✈♦❧✉t✐♦♥ ♦❢ C ✐✛ xi ✐s ❝♦♠♣❧❡t❡ ❡✈♦❧✉t✐♦♥ ♦❢ Pi ❢♦r ❛❧❧ i

❖✉t❧✐♥❡

❛✉① ✈❛rs

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s

❛✉① ✈❛rs

❘❡❝♦r❞ ✐♥❢♦r♠❛t✐♦♥ ❛❜♦✉t ❛ ♣r♦❣r❛♠✬s ❜❡❤❛✈✐♦r ✇✐t❤♦✉t ✐♥✢✉❡♥❝✐♥❣ ✐ts ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡ ❝♦♥❞✐t✐♦♥ ❛✉① ✈❛rs ❞♦ ♥♦t ❛♣♣❡❛r ✐♥ ♦✉t♣✉t ❝♦♥❞✐t✐♦♥s ❛✉① ✈❛r ✈❛❧✉❡ ♥♦t ✉s❡❞ ✐♥ ✉♣❞❛t✐♥❣ ❛ ♥♦♥✲❛✉① ✈❛r ❛♥② st❛t❡♠❡♥t ✐♥✈♦❧✈✐♥❣ ❛✉① ✈❛rs ✐s ❢❛✉❧t✲❢r❡❡ tr❡❛t ❛s ❛t♦♠✐❝ ✇✐t❤ ❛♥ ❛❞❥❛❝❡♥t ✏♥♦♥✲❛✉①✑ st❛t❡♠❡♥t ❚❤❡♦r❡♠✿ ▲❡t Q ❜❡ ♣r♦❣r❛♠ P ❡①t❡♥❞❡❞ ✇✐t❤ ❛✉①✐❧✐❛r② ✈❛rs ❢♦r ❛♥② Q✲❡✈♦❧✉t✐♦♥ x ✭❢❛✉❧t② ♦r ♥♦t✮✿ x.P ✐s ❛ P✲❡✈♦❧✉t✐♦♥ ❢♦r ❛♥② P✲❡✈♦❧✉t✐♦♥ y✿ t❤❡r❡ ✐s ❛ Q✲❡✈♦❧✉t✐♦♥ x st x.P = y ❢♦r ❛♥② ❛ss❡rt✐♦♥ β ♦❢ Q✿ P s❛t✐s✜❡s β ✐✛ Q s❛t✐s✜❡s β

❖✉t❧✐♥❡

❡✛ ❛t♦♠✐❝✐t②

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❞❡✜♥✐t✐♦♥

❡✛ ❛t♦♠✐❝✐t②

▲❡t S ❜❡ ❛ ❝♦❞❡ ❝❤✉♥❦ ✐♥ ❛ ♣r♦❣r❛♠ X S✲r✉♥✿ ❛♥ ❡①❡❝✉t✐♦♥ ♦❢ S ❜② ❛ t❤r❡❛❞ ✐♥ ❛♥ ❡✈♦❧✉t✐♦♥ s❡q✉❡♥❝❡ ♦❢ tr❛♥s✐t✐♦♥s t✶, t✷, · · · tn ♠❛② ♥♦t ❜❡ ❝♦♥t✐❣✉♦✉s✿ ❡❣✱ ti ❡♥❞ st❛t❡ = ti+✶ st❛rt st❛t❡ ♠❛② ❜❡ ✇❤♦❧❡ ♦r ♣❛rt✐❛❧ S✲r✉♥ ✐s ❛t♦♠✐❝ ✐❢ ❝♦♥t✐❣✉♦✉s ❛♥❞ ✇❤♦❧❡ S ✐s ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝ ✐❢✿ ❢♦r ❡✈❡r② ❡✈♦❧✉t✐♦♥ w✱ t❤❡r❡ ✐s ❛♥ ❡✈♦❧✉t✐♦♥ w ′ st ❡✈❡r② S✲r✉♥ ✐♥ w ′ ✐s ❛t♦♠✐❝ ioseq(w) ❡q✉❛❧s ioseq(w ′) ✐❢ w ✐s ❝♦♠♣❧❡t❡ t❤❡♥ w ′ ✐s ❝♦♠♣❧❡t❡

❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② t❤❡♦r❡♠

❡✛ ❛t♦♠✐❝✐t②

❚❤❡♦r❡♠✿ ❧❡t S ❜❡ ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝ ✐♥ s②st❡♠ X ❧❡t X ′ ❜❡ X ✇✐t❤ S ✭♣❧❛t❢♦r♠✲♣r♦✈✐❞❡❞✮ ❛t♦♠✐❝ ❧❡t β ❜❡ ❛ ❝♦rr❡❝t♥❡ss ♣r♦♣❡rt② ❝♦♥❝❡r♥✐♥❣ ♦♥❧② ioseqs(X) t❤❡♥ X s❛t✐s✜❡s β ✐✛ X ′ s❛t✐s✜❡s β

❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❢♦r ❛r❜✐tr❛r② ♣r♦♣❡rt✐❡s

❡✛ ❛t♦♠✐❝✐t②

▲❡t Z(.) ❜❡ ❛ ❢✉♥❝t✐♦♥ ♦♥ ❡✈♦❧✉t✐♦♥s ✴✴ ❡✳❣✳✱ ioseq(.) S ✐♥ ♣r♦❣r❛♠ X ✐s ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝ ✇rt Z ✐❢✿ ❢♦r ❡✈❡r② ❡✈♦❧✉t✐♦♥ w✱ t❤❡r❡ ✐s ❛♥ ❡✈♦❧✉t✐♦♥ w ′ st ❡✈❡r② S✲r✉♥ ✐♥ w ′ ✐s ❛t♦♠✐❝ Z(w) ❡q✉❛❧s Z(w ′) ✐❢ w ✐s ❝♦♠♣❧❡t❡ t❤❡♥ w ′ ✐s ❝♦♠♣❧❡t❡ ▲❡t β ❜❡ ❛ ❝♦rr❡❝t♥❡ss ♣r♦♣❡rt② ❝♦♥❝❡r♥✐♥❣ ♦♥❧② Z ✐✳❡✳✱ β(w) = β(w ′) ✐❢ Z(w) = Z(w ′) ❚❤❡♦r❡♠✿ ❧❡t S ❛♥❞ β ❜❡ ❛s ❛❜♦✈❡ ❧❡t X ′ ❜❡ X ✇✐t❤ S ✭♣❧❛t❢♦r♠✲♣r♦✈✐❞❡❞✮ ❛t♦♠✐❝ t❤❡♥ X s❛t✐s✜❡s β ✐✛ X ′ s❛t✐s✜❡s β

❖✉t❧✐♥❡

❝♦♠♠✉t❛t✐✈✐t②

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

❈♦♠♠✉t✐♥❣ tr❛♥s✐t✐♦♥s

❝♦♠♠✉t❛t✐✈✐t②

❈♦♠♠✉t❛t✐✈✐t② ✐s ❛♥ ✐♥❝r❡♠❡♥t❛❧ t❡❝❤♥✐q✉❡ ❢♦r w → w ′ ▲❡t Z(.) ❜❡ ❛ ❢✉♥❝t✐♦♥ ♦♥ s❡q✉❡♥❝❡s ♦❢ tr❛♥s✐t✐♦♥s ❆ s❡q✉❡♥❝❡ ♦❢ tr❛♥s✐t✐♦♥s x ✐s ♠❛ss❛❣❡❛❜❧❡ ✇rt Z ✐❢ ♠♦❞✐❢②✐♥❣ ♦♥❧② t❤❡ st❛t❡s ✐♥ x ②✐❡❧❞s ❛♥ ❡✈♦❧✉t✐♦♥ x′ s✳t✳Z(x) = Z(x′) ❆ ❝♦♥t✐❣✉♦✉s tr❛♥s✐t✐♦♥ ♣❛✐r ✭❝t♣✮ ✐s ❛ ♣❛✐r ♦❢ tr❛♥s✐t✐♦♥s t✶, t✷ s✳t✳ t✶✬s ❡♥❞ st❛t❡ ❡q✉❛❧s t✷✬s st❛rt st❛t❡ ❈t♣ t✶, t✷ ❝♦♠♠✉t❡s ✇rt Z ✐❢ ✐♥ ❡✈❡r② ❡✈♦❧✉t✐♦♥ w ✇✐t❤ t❤❡ ❝♣t✱ r❡♣❧❛❝✐♥❣ ✐t ❜② t✷, t✶ ②✐❡❧❞s ❛ s❡q✉❡♥❝❡ t❤❛t ✐s ♠❛ss❛❣❡❛❜❧❡ ✇rt Z ❚②♣✐❝❛❧❧② ✐❢ t✶ = a, F, b ❛♥❞ t✷ = b, G, c✱ ♦♥❧② b ❝❤❛♥❣❡s ✐❢ w = [· · · , a, F, b, b, G, c, · · · ] t❤❡♥ w ′ = [· · · , a, G, d, d, F, c, · · · ]

❈♦♠♠✉t✐♥❣ ❛t♦♠✐❝ st❛t❡♠❡♥ts

❝♦♠♠✉t❛t✐✈✐t②

▲❡t F ❛♥❞ G ❜❡ ❛t♦♠✐❝ st❛t❡♠❡♥ts ✐♥ ♣r♦❣r❛♠ X F, G ❝♦♠♠✉t❡s ✇rt Z ✐❢ ❡✈❡r② ❝t♣ t✶, t✷ s✳t✳ t✶ ✐s ❛♥ F✲tr❛♥s✐t✐♦♥ t✷ ✐s ❛ G✲tr❛♥s✐t✐♦♥ ❜② ❛♥♦t❤❡r t❤r❡❛❞ ❝♦♠♠✉t❡s ✇rt Z ▲❡t S ❜❡ ❛ ❝♦❞❡ ❝❤✉♥❦ ✐♥ ♣r♦❣r❛♠ X✳ ❋♦r ❡✈❡r② ❛t♦♠✐❝ F ✐♥ S ❛♥❞ ❛t♦♠✐❝ G ✐♥ X ✐❢ F, G ❝♦♠♠✉t❡s ✇rt Z t❤❡♥ ❡✈❡r② S✲r✉♥ ❝❛♥ ❜❡ ❝♦❛❧❡s❝❡❞ ✐❢ F, G ❝♦♠♠✉t❡s ✇rt Z t❤❡♥ ❡✈❡r② S✲r✉♥ ❝❛♥ ❜❡ ❝♦❛❧❡s❝❡❞ ❲❤❛t r❡♠❛✐♥s ✐s t♦ ❤❛♥❞❧❡ ♣❛rt✐❛❧ S✲r✉♥s

❍❛♥❞❧✐♥❣ ♣❛rt✐❛❧ r✉♥s

❝♦♠♠✉t❛t✐✈✐t②

▲❡t S ❜❡ ❛ ❝♦❞❡ ❝❤✉♥❦ ✐♥ ♣r♦❣r❛♠ X✳ ❆♥ ❛t♦♠✐❝ F ✐♥ S ✐s t❛✐❧✲❞r♦♣♣❛❜❧❡ ✇rt Z ✐❢ ❢♦r ❡✈❡r② ❡✈♦❧✉t✐♦♥ w ✇✐t❤ ❛ ♣❛rt✐❛❧ S✲r✉♥ ❡♥❞✐♥❣ ❛t F✱ ❞❡❧❡t✐♥❣ t❤❡ F✲tr❛♥s✐t✐♦♥ ②✐❡❧❞s ❛ s❡q✉❡♥❝❡ ♠❛ss❛❣❡❛❜❧❡ ✇rt Z ❆♥ ❛t♦♠✐❝ F ✐♥ S ✐s t❛✐❧✲❛♣♣❡♥❞❛❜❧❡ ✇rt Z ✐❢ ❢♦r ❡✈❡r② ❡✈♦❧✉t✐♦♥ w ✇✐t❤ ❛ S✲r✉♥ ❡♥❞✐♥❣ ❥✉st ❜❡❢♦r❡ F✱ ✐♥s❡rt✐♥❣ t❤❡ F✲tr❛♥s✐t✐♦♥ ❛t t❤❡ ❡♥❞ ♦❢ t❤❡ S✲r✉♥ ②✐❡❧❞s ❛ s❡q✉❡♥❝❡ ♠❛ss❛❣❡❛❜❧❡ ✇rt Z

❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② t❤❡♦r❡♠

❝♦♠♠✉t❛t✐✈✐t②

▲❡t t❤❡ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞ S ✐s ❛ ❝♦❞❡ ❝❤✉♥❦ ✐♥ ♣r♦❣r❛♠ X K ✐s ❛♥ ❛t♦♠✐❝ st❛t❡♠❡♥t ✐♥ S ❢♦r ❡✈❡r② ❛t♦♠✐❝ F ✐♥ S ❜❡❢♦r❡ K ❛♥❞ ❡✈❡r② G ✐♥ X F, G ❝♦♠♠✉t❡s ✇rt Z F ✐s t❛✐❧✲❞r♦♣♣❛❜❧❡ ✇rt Z ❢♦r ❡✈❡r② ❛t♦♠✐❝ F ✐♥ S ❛❢t❡r K ❛♥❞ ❡✈❡r② G ✐♥ X G, F ❝♦♠♠✉t❡s ✇rt Z F ✐s t❛✐❧✲❛♣♣❡♥❞❛❜❧❡ ✇rt Z ❚❤❡♥ S ✐s ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝ K ✐s s❛✐❞ t♦ ❜❡ t❤❡ ❛♥❝❤♦r ♦❢ S

❙♦♠❡ s✐♠♣❧❡ s✉✣❝✐❡♥t ❝♦♥❞✐t✐♦♥s

❝♦♠♠✉t❛t✐✈✐t②

❇❡❧♦✇✱ S✱ R✱ J✱ K ❛r❡ ❝♦❞❡ ❝❤✉♥❦s ✐♥ ♣r♦❣r❛♠ X S ❛♥❞ R ✐♥t❡r❢❡r❡ ✐❢ t❤❡② ❝♦♥✢✐❝t ✭♦✈❡r ❛ ✈❛r✐❛❜❧❡✮ ♦r ❜♦t❤ ❞♦ ✐♦ ❚❤❡♦r❡♠ ❧❡t S ❜❡ ❜❧♦❝❦❛❜❧❡ ♦♥❧② ❛t t❤❡ st❛rt ❧❡t S ♥♦t ✐♥t❡r❢❡r❡ ✇✐t❤ ❛♥② s✐♠✉❧t❛♥❡♦✉s❧② ❡①❡❝✉t❛❜❧❡ J t❤❡♥ S ✐s ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝✳ ❚❤❡♦r❡♠ ❧❡t S ❜❡ ❜❧♦❝❦❛❜❧❡ ♦♥❧② ❛t t❤❡ st❛rt ❧❡t K ❜❡ ❛t♦♠✐❝ ✐♥ S ❧❡t S ✇✴♦ K ♥♦t ✐♥t❡r❢❡r❡ ✇✐t❤ ❛♥② s✐♠✉❧t❛♥❡♦✉s❧② ❡①❡❝✉t❛❜❧❡ J t❤❡♥ S ✐s ❡✛❡❝t✐✈❡❧② ❛t♦♠✐❝ ❛♥❞ K ✐s ✐ts ❛♥❝❤♦r

❖✉t❧✐♥❡

♣r♦♦❢ r✉❧❡s

Pr♦❣r❛♠ ❙❡r✈✐❝❡ Pr♦❣r❛♠s ❙t❛t❡ tr❛♥s✐t✐♦♥ s❡♠❛♥t✐❝s ♦❢ s②st❡♠s ❆ss❡rt✐♦♥s ❛♥❞ t❤❡✐r ❡✈❛❧✉❛t✐♦♥ ❙♣❧✐tt✐♥❣ ❛♥❞ st✐t❝❤✐♥❣ ♦❢ ❡✈♦❧✉t✐♦♥s ❆✉①✐❧✐❛r② ✈❛r✐❛❜❧❡s ❊✛❡❝t✐✈❡ ❛t♦♠✐❝✐t② ❈♦♠♠✉t❛t✐✈✐t② Pr♦♦❢ r✉❧❡s

Pr♦♦❢ r✉❧❡s ♦✈❡r✈✐❡✇

♣r♦♦❢ r✉❧❡s

❆ss✉♠❡ ❛ ❣✐✈❡♥ ♣r♦❣r❛♠ t❤r♦✉❣❤♦✉t t❤✐s s❡❝t✐♦♥ Pr♦♦❢ r✉❧❡✿ t❡♠♣❧❛t❡ ♦❢ r❡q✉✐r❡♠❡♥ts ❛♥❞ ❝♦♥❝❧✉❞✐♥❣ ❛ss❡rt✐♦♥ ❝♦♥❝❧✉s✐♦♥ ❤♦❧❞s ✐❢ r❡q✉✐r❡♠❡♥ts ❤♦❧❞ r❡q✉✐r❡♠❡♥ts ✐♥✈♦❧✈❡ ♣r♦❣r❛♠✴♣r❡❞✐❝❛t❡s✴❛ss❡rt✐♦♥s ♣r❡❞✐❝❛t❡s✴❛ss❡rt✐♦♥s ♥❡❡❞ t♦ ❜❡ ✐♥✈❡♥t❡❞ r❡q✉✐r❡♠❡♥ts ♠❡❝❤❛♥✐❝❛❧❧② ❝❤❡❝❦❛❜❧❡ ❍♦❛r❡✲tr✐♣❧❡s✿ ♣r♦♣❡rt✐❡s ♦❢ ❝♦❞❡ ✐♥ ✐s♦❧❛t✐♦♥ Pr♦♦❢ r✉❧❡s ❢♦r s❛❢❡t② ❛ss❡rt✐♦♥s✿ ■♥✈ P❀ P ✉♥❧❡ss Q Pr♦♦❢ r✉❧❡s ❢♦r ♣r♦❣r❡ss ❛ss❡rt✐♦♥s✿ P ❧❡❛❞s✲t♦ Q

❍♦❛r❡✲tr✐♣❧❡s

♣r♦♦❢ r✉❧❡s

❍♦❛r❡✲tr✐♣❧❡ {P} S {Q} ✴✴ ❝♦❞❡ ❝❤✉♥❦ S✱ ♣r❡❞✐❝❛t❡s P✱ Q P✿ ♣r❡❝♦♥❞✐t✐♦♥❀ Q✿ ♣♦st❝♦♥❞✐t✐♦♥ ❋♦r S ♥♦♥❜❧♦❝❦✐♥❣ ❛♥❞ ♥♦♥✲✐♥♣✉t✿ {P} S {Q} ♠❡❛♥s ❡①❡❝✉t✐♥❣ S ✐♥ ✐s♦❧❛t✐♦♥ st❛rt✐♥❣ ❢r♦♠ ❛♥② st❛t❡ s❛t✐s❢②✐♥❣ P ❛❧✇❛②s t❡r♠✐♥❛t❡s ✇✐t❤ Q ❤♦❧❞✐♥❣ ❋♦r S ✇✐t❤ ❜❧♦❝❦✐♥❣✴✐♥♣✉t ❝♦♥❞✐t✐♦♥ B ❛♥❞ ❛❝t✐♦♥ C✿ {P} S {Q} ♠❡❛♥s {P and B} C {Q} ❚❡r♠✐♥♦❧♦❣② {P} S {Q} ❛❦❛ ✏S ✉♥❝♦♥❞✐t✐♦♥❛❧❧② ❡st❛❜❧✐s❤❡s Q ❢r♦♠ P✑ {true} S {Q} ❛❦❛ ✏S ✉♥❝♦♥❞✐t✐♦♥❛❧❧② ❡st❛❜❧✐s❤❡s Q✑ {Q} S {Q} ❛❦❛ ✏S ✉♥❝♦♥❞✐t✐♦♥❛❧❧② ♣r❡s❡r✈❡s Q✑

❍♦❛r❡✲tr✐♣❧❡ ❡①❛♠♣❧❡s

♣r♦♦❢ r✉❧❡s

{true} if x = y then x ← y+1 {(x = y+1) or (x = y)}

✭✈❛❧✐❞✮

{x = n} for (i in 0..10) x ← x+i {x = n + 55}

✭✈❛❧✐❞✮

{x = 3} x ← y + 1 {x = 4}

✭✐♥✈❛❧✐❞❀ ❡❣✱ ✐❢ y ✐s 1 ❛t st❛rt✮

{(x = 1) and (y = 1)} while (x > 0) x ← 2*x {y = 1}

✭✐♥✈❛❧✐❞❀ ❞♦❡s ♥♦t t❡r♠✐♥❛t❡✮

{true} await (x = y) x ← y+1 {x=y+1}

✭✈❛❧✐❞✮

{true} oc{x ≥ 1} y ← 1/(2−x) {y=1/(2−x)}

✭✐♥✈❛❧✐❞❀ ♠❛② ❞✐✈✐❞❡ ❜② ③❡r♦✮ Pr♦♦❢ r✉❧❡s ❢♦r ❍♦❛r❡✲tr✐♣❧❡s✿ s❡❡ t❡①t

❙❛❢❡t②✿ ✐♥✈❛r✐❛♥❝❡ ♣r♦♦❢ r✉❧❡

♣r♦♦❢ r✉❧❡s

■♥✈❛r✐❛♥❝❡ ✐♥❞✉❝t✐♦♥ r✉❧❡ ■♥✈ P ❤♦❧❞s ✐❢ t❤❡ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ ✶✳ ❢♦r ✐♥✐t✐❛❧ ❛t♦♠✐❝ st❡♣ f ✿

{true} f {P}

✷✳ ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ ❛t♦♠✐❝ st❡♣ e✿

{P} e {P}

❆❜♦✈❡ ❛❦❛ ✏P s❛t✐s✜❡s ✐♥✈❛r✐❛♥❝❡ r✉❧❡✑ ❚♦ ❡①♣❧♦✐t ❛ ♣r❡✈✐♦✉s❧②✲❡st❛❜❧✐s❤❡❞ ■♥✈ R ✶✳ {true} f {P} − → {true} f {R ⇒ P} ✷✳ {P}e {P} − → {P and R} e {R ⇒ P} ❆❜♦✈❡ ❛❦❛ ✏P s❛t✐s✜❡s ✐♥✈❛r✐❛♥❝❡ r✉❧❡ ❛ss✉♠✐♥❣ ■♥✈ R✑

❘❡❛❝❤❛❜❧❡ ✈s ✐♥✈❛r✐❛♥t ✈s ✐♥✈ r✉❧❡

♣r♦♦❢ r✉❧❡s

State space initial state R: reachable states P is invariant Q satisfies P Q R invariance rule not possible leaving Q

❙❛❢❡t②✿ ✉♥❧❡ss ♣r♦♦❢ r✉❧❡

♣r♦♦❢ r✉❧❡s

❯♥❧❡ss r✉❧❡ P ✉♥❧❡ss Q ❤♦❧❞s ✐❢ ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ ❛t♦♠✐❝ st❡♣ e✿

{P and not Q} e {P or Q}

❆❜♦✈❡ ❛❦❛ ✏P s❛t✐s✜❡s ✉♥❧❡ss r✉❧❡✑ ❚♦ ❡①♣❧♦✐t ❛ ♣r❡✈✐♦✉s❧②✲❡st❛❜❧✐s❤❡❞ ■♥✈ R pre − → pre and R post − → R ⇒ post ❆❜♦✈❡ ❛❦❛ ✏P s❛t✐s✜❡s ✉♥❧❡ss r✉❧❡ ❛ss✉♠✐♥❣ ■♥✈ R✑

❙❛❢❡t②✿ ❝❧♦s✉r❡ ♣r♦♦❢ r✉❧❡s

♣r♦♦❢ r✉❧❡s

❈❧♦s✉r❡ r✉❧❡s✿ r❡q✉✐r❡♠❡♥ts ❞♦ ♥♦t ✐♥✈♦❧✈❡ ♣r♦❣r❛♠ ■♥✈ P ❤♦❧❞s ✐❢ P ❤♦❧❞s ■♥✈ P ❤♦❧❞s ✐❢ ■♥✈ Q ❛♥❞ ■♥✈ Q ⇒ P ❤♦❧❞ P ✉♥❧❡ss Q ❤♦❧❞s ✐❢ ■♥✈ P ⇒ Q ❤♦❧❞s P ✉♥❧❡ss Q ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ U ✉♥❧❡ss V ■♥✈ P ⇒ U ■♥✈ V ⇒ Q ❲❡ s❛② ✏❛ss❡rt✐♦♥ ❤♦❧❞s ✈✐❛ ❝❧♦s✉r❡ ♦❢ ❁❛ss❡rt✐♦♥s❃✑

Pr♦❣r❡ss✿ ❧❡❛❞s✲t♦ ✇❡❛❦✲❢❛✐r r✉❧❡

♣r♦♦❢ r✉❧❡s

e✳enabled✱ ❢♦r ❛t♦♠✐❝ st❡♣ e

(thread at e)

✐❢ e ✐s ♥♦♥✲❜❧♦❝❦✐♥❣

(thread at e) and B

✐❢ e ❤❛s ❜❧♦❝❦✐♥❣ ❝♦♥❞✐t✐♦♥ B ▲❡❛❞s✲t♦ ✇❡❛❦✲❢❛✐r r✉❧❡ P ❧❡❛❞s✲t♦ Q ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ e ✐s ❛ ✇❡❛❦✲❢❛✐r ❛t♦♠✐❝ st❡♣ (P and not Q) ⇒ e.enabled {P and not Q} e {Q} ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ ❛t♦♠✐❝ st❡♣ f ✿ {P and not Q} f {P or Q} ❆❜♦✈❡ ❛❦❛ ✏P ❧❡❛❞s✲t♦ Q ✈✐❛ ✇❢❛✐r e

Pr♦❣r❡ss✿ ❧❡❛❞s✲t♦ str♦♥❣✲❢❛✐r r✉❧❡

♣r♦♦❢ r✉❧❡s

▲❡❛❞s✲t♦ str♦♥❣✲❢❛✐r r✉❧❡ P ❧❡❛❞s✲t♦ Q ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ e ✐s ❛ str♦♥❣✲❢❛✐r ❛t♦♠✐❝ st❡♣

(P and not Q and not e.enabled) ❧❡❛❞s✲t♦ (Q or e.enabled)

{P and not Q} e {Q} ❢♦r ❡✈❡r② ♥♦♥✲✐♥✐t✐❛❧ ❛t♦♠✐❝ st❡♣ f ✿ {P and not Q} f {P or Q} ❆❜♦✈❡ ❛❦❛ ✏P ❧❡❛❞s✲t♦ Q ✈✐❛ s❢❛✐r e

Pr♦❣r❡ss✿ ❝❧♦s✉r❡ ♣r♦♦❢ r✉❧❡s

♣r♦♦❢ r✉❧❡s

P ❧❡❛❞s✲t♦ (Q✶ ♦r Q✷) ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ P ❧❡❛❞s✲t♦ (P✶ ♦r Q✷) P✶ ❧❡❛❞s✲t♦ Q✶ P ❧❡❛❞s✲t♦ Q ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞ ❢♦r s♦♠❡ R✿ ■♥✈ R (P ❛♥❞ R) ❧❡❛❞s✲t♦ (R ⇒ Q) (P✶ ❛♥❞ P✷) ❧❡❛❞s✲t♦ Q✷ ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞ ❢♦r s♦♠❡ Q✶✿ P✶ ❧❡❛❞s✲t♦ Q✶ P✷ ✉♥❧❡ss Q✷ ■♥✈ (Q✶ ⇒ ♥♦t P✷) P ❧❡❛❞s✲t♦ Q ❤♦❧❞s ✐❢ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞ ❢♦r s♦♠❡ R✱ S✿ P ✉♥❧❡ss Q ■♥✈ (P ⇒ R) R ❧❡❛❞s✲t♦ S ■♥✈ (S ⇒ ♥♦t R)

Pr♦❣r❡ss✿ ✇❡❧❧✲❢♦✉♥❞❡❞ ❝❧♦s✉r❡ r✉❧❡

♣r♦♦❢ r✉❧❡s

P ❧❡❛❞s✲t♦ Q ❤♦❧❞s ✐❢ t❤❡ ❢♦❧❧♦✇✐♥❣ ❤♦❧❞✿ F ✐s ❛ ❢✉♥❝t✐♦♥ ♦♥ ❛ ❧♦✇❡r✲❜♦✉♥❞❡❞ ♣❛rt✐❛❧ ♦r❞❡r (Z, ≺) P ❧❡❛❞s✲t♦ (Q or forsome(x in Z : F(x)))

forall(x in Z:

F(x) ❧❡❛❞s✲t♦ (Q or forsome(w in Z, w ≺ x : F(w))) ❲❡ s❛② ✏❛ss❡rt✐♦♥ ❤♦❧❞s ✈✐❛ ❝❧♦s✉r❡ ♦❢ ❁❛ss❡rt✐♦♥s❃✑