
IMPERIAL COLLEGE OF SCIENCE, TECHNOLOGY AND MEDICINE

EXAMINATIONS 2010

BEng Honours Degree in Computing Part III


MSc in Computing Science (Specialist)
for Internal Students of the Imperial College of Science, Technology and Medicine
This paper is also taken for the relevant examinations for the
Associateship of the City and Guilds of London Institute

PAPER C303

SOFTWARE ENGINEERING - SYSTEMS VERIFICATION

Friday 30 April 2010, 14:30


Duration: 120 minutes

Answer THREE questions

Paper contains 4 questions


Calculators not required
1 Present the technical material related to the following question on automatic
verification of systems.

a Briefly describe the process of verifying a system by means of model checking.

b Briefly explain what the state-explosion problem is and how ordered binary
decision diagrams can alleviate the problem.

c Consider the propositional formula a ∧ (b ∨ c) and the variable ordering {a,b,c}.

i) Draw the binary decision tree for the formula above under the ordering
specified.

ii) Draw the reduced ordered binary decision diagram for the formula above
under the ordering specified.

iii) Draw the reduced ordered binary decision diagram for the formula above
under the ordering {c,a,b}.

iv) Comment on your findings.
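The following is an added worked example, not part of the exam paper: it builds the reduced ordered binary decision diagram (ROBDD) of a ∧ (b ∨ c) by Shannon expansion with a unique table, so that the two reduction rules (drop a test whose branches coincide; never duplicate a node with the same test and children) are applied while the diagram is constructed. Running it for the orderings {a,b,c} and {c,a,b} prints the nodes that a hand-drawn diagram would contain and lets one compare their sizes with the unreduced decision tree. The class and function names are this example's own.

```python
"""Binary decision tree vs. reduced ordered BDD (ROBDD) for a Boolean formula
under a given variable ordering.

Added example, not part of the exam paper.  The formula and the two orderings
are those of Question 1(c): a AND (b OR c) under {a,b,c} and under {c,a,b}.
"""
from itertools import product


class Robdd:
    """ROBDD built by Shannon expansion with a unique table (hash-consing).

    Terminals are the integers 0 (FALSE) and 1 (TRUE).  Every non-terminal
    node id maps to a triple (var, low, high): `low` is the child taken when
    `var` is false, `high` the child taken when it is true.
    """

    def __init__(self, order):
        self.order = list(order)
        self.unique = {}   # (var, low, high) -> node id
        self.nodes = {}    # node id -> (var, low, high)
        self.next_id = 2   # ids 0 and 1 are reserved for the terminals

    def mk(self, var, low, high):
        # Reduction rule 1: a test whose two branches coincide is redundant.
        if low == high:
            return low
        # Reduction rule 2: two nodes with the same (var, low, high) are merged.
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = self.next_id
            self.nodes[self.next_id] = key
            self.next_id += 1
        return self.unique[key]

    def build(self, f, i=0, env=None):
        """Shannon expansion  f = (not v and f[v:=0]) or (v and f[v:=1]),
        expanding the variables in the fixed order self.order."""
        env = {} if env is None else env
        if i == len(self.order):
            return 1 if f(env) else 0
        v = self.order[i]
        low = self.build(f, i + 1, {**env, v: False})
        high = self.build(f, i + 1, {**env, v: True})
        return self.mk(v, low, high)

    def evaluate(self, node, env):
        """Follow the diagram from `node` under the assignment `env`."""
        while node not in (0, 1):
            var, low, high = self.nodes[node]
            node = high if env[var] else low
        return node == 1

    def describe(self):
        return [f"node {n}: test {v}, low -> {lo}, high -> {hi}"
                for n, (v, lo, hi) in sorted(self.nodes.items())]


def decision_tree_nodes(order):
    """Test nodes of the unreduced binary decision tree: 2^n - 1 for n variables."""
    return 2 ** len(order) - 1


def robdd_size(f, order):
    """Number of non-terminal nodes in the ROBDD of f under `order`,
    after checking that the diagram computes exactly the function f."""
    bdd = Robdd(order)
    root = bdd.build(f)
    for bits in product([False, True], repeat=len(order)):
        env = dict(zip(order, bits))
        assert bdd.evaluate(root, env) == bool(f(env))
    return len(bdd.nodes)


def formula(env):
    """The formula of Question 1(c): a AND (b OR c)."""
    return env["a"] and (env["b"] or env["c"])


if __name__ == "__main__":
    for order in (["a", "b", "c"], ["c", "a", "b"]):
        bdd = Robdd(order)
        root = bdd.build(formula)
        print(f"ordering {order}: decision tree has {decision_tree_nodes(order)} "
              f"test nodes, ROBDD has {len(bdd.nodes)} (root = node {root})")
        for line in bdd.describe():
            print("   ", line)
```

The `describe` listing is what a drawn diagram contains: one line per test node, with the terminal or node reached on each branch. Comparing the two orderings shows that the size of a reduced diagram depends on the ordering chosen, while the decision tree always has 2^n − 1 test nodes for n variables.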

d Briefly describe the methodology of bounded model checking and explain to
what fragment of LTL/CTL it can be applied. Explain how bounded model
checking enables us to explore a limited portion of the model.

The four parts carry, respectively, 20%, 30%, 30%, and 20% of the marks.

© Imperial College London 2010 Paper C303 Page 1 of 4


2 Consider a variant of the mutual exclusion problem in which

• two processes are present;

• no more than one process is in a critical state at the same time;

• once a process becomes critical, it cannot remain critical for more than two
ticks of the clock.

a Express liveness and safety specifications in CTL for the problem above.

b Give a pictorial representation of a model for the system above. Clarify any
assumption you make about possible loops on any state of the system.

c Check the satisfiability of the two formulas of Part a) against the model of Part
b). Additionally, state in CTL, if possible, the non-blocking property "every
process can always request the use of the resource" and evaluate its satisfiability
on the model of Part b).

d Write NuSMV code for the variant of the mutual exclusion problem above. In
particular, comment on whether you permit the system to loop on any state at a
given tick of the clock, and the meaning of any fairness constraints added.

The four parts carry, respectively, 20%, 30%, 20%, and 30% of the marks.
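The following is an added worked example, not part of the exam paper: an explicit-state CTL model checker (EX, EU and EG computed as fixpoints, with the other operators obtained by duality) run over one possible model of the two-process variant above. The model is this example's own design, not the paper's intended answer: each process is non-critical (n), trying (t) or critical (c); a critical process carries a tick counter k ∈ {1, 2} and must leave after at most two ticks; a turn bit arbitrates when both processes try at once and is handed to the other process on exit. With these choices the safety, liveness, two-tick and non-blocking properties hold without any fairness constraint, and the checker also reports that "a trying process is admitted on the very next tick" does not hold, which is what a counterexample-finding run would show. All names are this example's own.

```python
"""Explicit-state CTL model checking of a two-process mutual exclusion model
in which a critical process must leave within two clock ticks.

Added example, not part of the exam paper.  The model is an assumption of
this example: state = (p1, k1, p2, k2, turn) with p in {n, t, c}, k the number
of ticks spent in the critical section, and turn in {1, 2}.
"""
from itertools import product


def local_steps(i, state):
    """Possible next (phase, k) of process i, given the current global state."""
    p1, k1, p2, k2, turn = state
    (phase, k), other = ((p1, k1), p2) if i == 1 else ((p2, k2), p1)
    if phase == "n":
        return [("n", 0), ("t", 0)]          # may request the resource at any tick
    if phase == "t":
        # enter as soon as the other process is not critical and either is not
        # trying or the turn bit favours us; otherwise keep waiting
        if other != "c" and (other != "t" or turn == i):
            return [("c", 1)]
        return [("t", 0)]
    # critical: may leave after one tick, must leave after two ticks
    return [("c", 2), ("n", 0)] if k == 1 else [("n", 0)]


def successors(state):
    """Synchronous step: both processes move; the turn passes on exit."""
    p1, k1, p2, k2, turn = state
    out = set()
    for (q1, j1), (q2, j2) in product(local_steps(1, state), local_steps(2, state)):
        new_turn = turn
        if p1 == "c" and q1 == "n":
            new_turn = 2
        if p2 == "c" and q2 == "n":
            new_turn = 1
        out.add((q1, j1, q2, j2, new_turn))
    return out


def reachable(init):
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for n in successors(s):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen


class CTL:
    """Sets-of-states semantics of CTL over a finite, total transition relation."""

    def __init__(self, states, succ):
        self.S = frozenset(states)
        self.succ = {s: set(succ(s)) for s in self.S}

    def atom(self, pred):
        return {s for s in self.S if pred(s)}

    def neg(self, A):
        return self.S - A

    def implies(self, A, B):
        return self.neg(A) | B

    def EX(self, A):
        return {s for s in self.S if self.succ[s] & A}

    def EU(self, A, B):                       # least fixpoint of Z = B | (A & EX Z)
        Z = set(B)
        while True:
            new = Z | (A & self.EX(Z))
            if new == Z:
                return Z
            Z = new

    def EG(self, A):                          # greatest fixpoint of Z = A & EX Z
        Z = set(A)
        while True:
            new = A & self.EX(Z)
            if new == Z:
                return Z
            Z = new

    def AX(self, A):
        return self.neg(self.EX(self.neg(A)))

    def AF(self, A):
        return self.neg(self.EG(self.neg(A)))

    def AG(self, A):                          # AG p = not E[true U not p]
        return self.neg(self.EU(self.S, self.neg(A)))


def check_mutex_properties(init=("n", 0, "n", 0, 1)):
    """Evaluate the properties at the initial state; returns {name: holds?}."""
    m = CTL(reachable(init), successors)
    c1, c2 = m.atom(lambda s: s[0] == "c"), m.atom(lambda s: s[2] == "c")
    t1, n1 = m.atom(lambda s: s[0] == "t"), m.atom(lambda s: s[0] == "n")
    sat = {
        "safety AG !(c1 & c2)": m.AG(m.neg(c1 & c2)),
        "liveness AG(t1 -> AF c1)": m.AG(m.implies(t1, m.AF(c1))),
        "two ticks AG(c1 -> AX AX !c1)": m.AG(m.implies(c1, m.AX(m.AX(m.neg(c1))))),
        "non-blocking AG(n1 -> EX t1)": m.AG(m.implies(n1, m.EX(t1))),
        "immediate entry AG(t1 -> AX c1)": m.AG(m.implies(t1, m.AX(c1))),
    }
    return {name: init in states for name, states in sat.items()}


if __name__ == "__main__":
    for name, holds in check_mutex_properties().items():
        print(f"{name:36s} {holds}")
```

Because every state of this model has at least one successor (a non-critical process may always stay where it is), the fixpoint characterisations used by `EU` and `EG` are the standard ones; a model in which some state had no successor would need the transition relation completed first, which is also why the NuSMV question above asks whether the system may loop on a state at a given tick.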



3 Consider the following variant of the bit transmission problem in which an agent
S (sender) is trying to send the value of a single bit to an agent R (receiver):

• At the beginning of the run S either sends one bit or remains silent. After
that S waits silently for an acknowledgement from R. Upon receipt of the
acknowledgement it remains silent.

• R remains silent until it receives the bit from S; once R has received the bit,
R sends acknowledgements back to S continuously.

• The channel is fair, i.e., it may drop messages but not infinitely often.

a Consider the formalism of interpreted systems, and describe local states, actions
and protocols for S and R that formalise the protocol above.

b Consider a global transition function for the interpreted system in Part b) and
draw a succinct representation of the model depicting all the possible runs of the
system.

c Provide a convenient set of propositional variables and formulate (if possible)
the following properties in the temporal-epistemic logic CTLK:

• When an acknowledgement has been received by S, S knows that R
knows the value of the bit.

• Eventually R will know the value of the bit.

• In the runs where S sends the bit infinitely often, R eventually knows the
value of the bit.

If any property above is not expressible in CTLK state why that is the case and,
if possible, suggest its formalisation in an alternative logic.

d Define an appropriate interpretation for the propositional atoms of Part c) and
evaluate at a chosen initial state of the model the formulas of Part c) above that
are expressible in the language of CTLK.

The four parts carry, respectively, 25%, 20%, 30%, and 25% of the marks.



4 Consider the following issues in model checking via abstraction.

a Briefly define the notions of quotient model and completeness of an abstract
model. Explain their relevance with respect to the model checking problem.

b Consider the Kripke model M = (W, R, π) over propositions P = {p} where:

W = {1, 2, 3, 4}.
R = {(1, 2), (1, 3), (1, 4), (2, 2), (3, 1), (3, 2), (3, 4), (4, 4)}.
π(p) = {1, 3, 4}.
Answer the following questions on M.

i) List all the pairs of states that are symmetric in M.

ii) Construct the symmetry quotient M/Aut(M).

iii) Examine whether a sound quotient model of M that is smaller than
M/Aut(M) exists.

iv) Examine whether an unsound quotient model of M exists.

The two parts carry, respectively, 35%, and 65% of the marks.
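The following is an added worked example, not part of the exam paper: it computes the automorphism group Aut(M) of the Kripke model of Part b) by brute force over the permutations of W (an automorphism must preserve the relation R and the valuation of every atom), derives the symmetric pairs and the symmetry quotient M/Aut(M) from the orbits, and then, going beyond the symmetry question, computes the coarsest bisimulation of M by partition refinement. Since bisimilar states satisfy the same CTL formulas, the bisimulation quotient is the smallest quotient that is sound for CTL, which is the yardstick Part b) iii) asks about. The model data are those printed in the question; the function names are this example's own.

```python
"""Symmetry reduction and bisimulation quotient of a finite Kripke model.

Added example, not part of the exam paper.  W, R and PI are the model of
Question 4(b); the functions are general and work for any finite model
given as (states, transition pairs, atom -> set of states).
"""
from itertools import permutations

W = {1, 2, 3, 4}
R = {(1, 2), (1, 3), (1, 4), (2, 2), (3, 1), (3, 2), (3, 4), (4, 4)}
PI = {"p": {1, 3, 4}}


def is_automorphism(sigma, R, PI):
    """sigma: dict state -> state.  Must map R onto R and each atom's
    valuation onto itself."""
    if {(sigma[u], sigma[v]) for (u, v) in R} != set(R):
        return False
    return all({sigma[w] for w in val} == set(val) for val in PI.values())


def automorphisms(W, R, PI):
    ws = sorted(W)
    found = []
    for image in permutations(ws):
        sigma = dict(zip(ws, image))
        if is_automorphism(sigma, R, PI):
            found.append(sigma)
    return found                     # always contains the identity


def symmetric_pairs(W, R, PI):
    """Unordered pairs {w, w'} with w' = sigma(w) for some automorphism sigma."""
    pairs = set()
    for sigma in automorphisms(W, R, PI):
        for w in W:
            if sigma[w] != w:
                pairs.add((min(w, sigma[w]), max(w, sigma[w])))
    return sorted(pairs)


def symmetry_quotient(W, R, PI):
    """M/Aut(M): states are orbit representatives (the least element of each
    orbit), transitions and valuation are lifted through the representatives."""
    auts = automorphisms(W, R, PI)
    orbit = {w: frozenset(sigma[w] for sigma in auts) for w in W}
    rep = {w: min(orbit[w]) for w in W}
    qW = set(rep.values())
    qR = {(rep[u], rep[v]) for (u, v) in R}
    qPI = {atom: {rep[w] for w in val} for atom, val in PI.items()}
    return qW, qR, qPI


def coarsest_bisimulation(W, R, PI):
    """Partition refinement: start from the partition by label, then split a
    block whenever two of its states reach different sets of blocks."""
    by_label = {}
    for w in W:
        label = frozenset(atom for atom, val in PI.items() if w in val)
        by_label.setdefault(label, set()).add(w)
    blocks = list(by_label.values())
    while True:
        def signature(w):
            return frozenset(i for i, b in enumerate(blocks)
                             if any((w, v) in R for v in b))
        refined = {}
        for i, b in enumerate(blocks):
            for w in b:
                refined.setdefault((i, signature(w)), set()).add(w)
        refined = list(refined.values())
        if len(refined) == len(blocks):          # no block was split: stable
            return [frozenset(b) for b in refined]
        blocks = refined


if __name__ == "__main__":
    print("automorphisms:", automorphisms(W, R, PI))
    print("symmetric pairs:", symmetric_pairs(W, R, PI))
    print("M/Aut(M):", symmetry_quotient(W, R, PI))
    print("bisimulation blocks:", coarsest_bisimulation(W, R, PI))
```

The brute-force search over permutations is fine for a four-state model and makes the definition of an automorphism explicit; real symmetry reducers derive Aut(M) from the structure of the program instead. Comparing the number of bisimulation blocks with the number of orbits tells whether any sound quotient smaller than M/Aut(M) can exist: a quotient that merges two non-bisimilar states necessarily changes the truth value of some CTL formula, which is what an unsound quotient does.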

