3 views

Uploaded by eecs.northwestern.edu

- NWU-EECS-06-08
- T22 CPS Macros Overview[1]
- Tech Report NWU-EECS-06-10: Time-sharing Parallel Applications With Performance Isolation and Control
- Tech Report NWU-EECS-06-18
- NWU-EECS-06-16
- NWU-EECS-06-17
- NWU-EECS-06-01
- NWU-EECS-06-03
- Tech Report NWU-EECS-06-09: Lucid Dreaming: Reliable Analog Event Detection for Energy-Constrained Applications
- NWU-EECS-06-06: Hardness of Approximation and Greedy Algorithms for the Adaptation Problem in Virtual Environments
- NWU-EECS-06-11
- Tech Report NWU-EECS-06-15: On the Use of Parallel Connections in Web Browsers
- LSMW Handbook
- Tech Report NWU-EECS-06-07: Putting the User in Direct Control of CPU Scheduling
- thesis lintao zhang
- [Wiberg]_Schaum's_State_Space_Linear.pdf
- Creating Lift Versus Building the Base- Current Trends in Marketing Dynamics
- Abstraction, Encapsulation, And Information Hiding
- Week 3 Concurrent Programming Abstraction.ppt
- Mcs

You are on page 1of 45

Technical Report NWU-EECS-06-20 2/21/2007 Abstraction Techniques for Model-Checking Parameterized Systems

N. Liveris; H. Zhou; R. Dick; Y. Chen; P. Banerjee

Abstract

In this paper we present a new abstraction technique that enables the usage of model checking for the verification of parameterized systems. The technique targets asynchronous systems. Compared to previous approaches the application of the proposed technique imposes fewer restrictions on the correctness property. Moreover, it can be applied to a class of parameterized systems for which other abstraction methods may not work. We demonstrate the effectiveness of the abstraction technique by applying it on a self-stabilizing spanning tree construction algorithm.

N. Liveris , H. Zhou, R. Dick , Y. Chen , and P. Banejee

EECS

Department, Northwestern University, Evanston IL 60208 College of Engineering, University of Illinois, Chicago IL 60607

Abstract. In this paper we present a new abstraction technique that enables the usage of model checking for the verication of parameterized systems. The technique targets asynchronous systems. Compared to previous approaches the application of the proposed technique imposes fewer restrictions on the correctness property. Moreover, it can be applied to a class of parameterized systems for which other abstraction methods may not work. We demonstrate the effectiveness of the abstraction technique by applying it on a self-stabilizing spanning tree construction algorithm.

1 Introduction

This paper describes a new abstraction technique for enabling the use of automatic verication tools to check the correctness of parameterized systems. There are two kinds of methods that are used for the verication of asynchronous systems: deductive verication and model checking. Deductive verication is an interactive verication method. The user is required to provide properties that facilitate the proof by the tool. Model checking is an automatic method. However, it is efcient only when applied to relatively small nite state space systems. Therefore, abstraction is used to transform innite or large state space systems to smaller nite state space systems, thereby enabling the use of model checking for their verication [9]. In this paper we present an abstraction technique that enables the use of model checking for the verication of asynchronous parameterized systems. A parameterized system is built by the parallel composition of processes, where can be any natural number greater than a minimum value. Model checking can be used for the verication of instances of a parameterized system with few processes, i.e., small . Ideally we would like to prove the correctness of a parameterized system for any number of processes. However, the number of those systems is innite when there is no upper bound for . Moreover, even if an upper bound exists, verication may be intractable for large because the number of states increases exponentially with the number of components in the system. There are two ways to overcome this difculty: one is to use control abstraction [12, 9], and the other is to use the methods of invisible ranking [17, 2, 7]. The idea behind control abstraction is to abstract away an arbitrary number of symmetric processes by using a network invariant . Then the correctness property can be proved for the abstract system, which is composed of a nite number of processes and the network invariant [9]. A difculty with this approach is that the network invariant

needs to have the same set of observable variables as the system of symmetric processes abstracted by it. Therefore, if each of the processes has one observable variable and we use a network invariant for these processes, the network invariant needs to have observable variables. This problem has restricted the application of control abstraction to specic classes of distributed algorithms. Control abstraction has successfully been applied on ring topologies of processes [11], in which every process has only two neighbors and, therefore, the number of input/output variables for each process is independent of . It has also been successfully applied on systems for which the number of shared variables does not increase with the number of processes. An example is a mutual exclusion algorithm, in which all processes share only one semaphore [9]. An alternative approach is the method of invisible invariants [17]. The method can be used to bound the number of processes needed to prove a correctness property for a class of parameterized systems. The approach can be used for the verication of safety properties [2] and response liveness properties [7]. Response liveness properties are properties of the form , i.e., for every state satisfying assertion there is a future state satisfying assertion . The paper does not discuss how other liveness properties can be checked using this method. Moreover, the method imposes a number of restrictions on the structure of the next state relation and the initial condition of the system. The method can be automated, so the user does not have to observe the invariant being used. In our work we target general liveness properties. More specically, the correctness property we prove for the spanning tree algorithm is a persistence property ( ). This type of property can be used to describe the correctness of self-stabilizing systems. In this paper we present an abstraction technique that builds on the theory of control abstraction. We target structures of processes, for which the number of observable variables is a parameter. These structures are very common. One example is proving a property for a process that is connected in a graph of arbitrary topology. Then the number of neighbors with which the process interacts is a parameter. For this type of structure we provide an abstraction that reduces the number of observable variables to a small nite number. Then model checking is used to check the correctness property on the abstract system. If the property holds for the abstract system, then it holds for the parameterized system for any valid value of the parameter. The proposed technique can be used for checking general temporal properties. Moreover, it can be applied to a class of parameterized systems for which other methods may not work. The method is sufcient to prove that the correctness property is valid for the parameterized system. However, like control abstraction and invisible ranking, the proposed method is incomplete. If a behavior of the abstract system does not satisfy the correctness property, no conclusion can be drawn for the parameterized system. Additionally, a number of restrictions must hold for the parameterized system to guarantee the soundness of our approach. Most of these restrictions concern the atomicity of the actions of the parameterized systems. In Section 2 we survey related work in this eld and indicate our contributions. Section 3 describes the systems we consider. Section 4 gives an overview of the proposed technique. We demonstrate the application of the technique to a Spanning-Tree

construction algorithm in Section 5. The soundness of the technique is proved in the appendix.

2 Related work

Instead of control abstraction, the method of invisible invariants can be used for the verication of parameterized systems [17]. Arons et al. [2] present the method for the verication of safety properties. Later the work was extended to include verication of response liveness properties [7]. The authors describe a method to bound the number of processes needed to prove a correctness property for a parameterized system. However, their method is applicable to a restricted class of distributed algorithms. One of the restrictions is that a variable taking values in 1 , can appear in two kinds of expressions: and . These expressions can only appear in a formula that compares expressions of the same type. This means that the only operators that can be applied to are indexing and relational operators . When operators 1 and 1 are included, the size of the abstract system increases signicantly. Only response liveness property are discussed in that work. Our approach can be applied to other temporal properties, for example persistence. Other works on the abstraction of parameterized systems can only be applied to high-atomicity distributed algorithms [5, 18, 4, 6], in which a process can read the values of all its neighbors in one atomic step. Since this assumption may not be realistic for large , in our work we target low atomicity distributed algorithms. Kurshan and McMillan presented a structural induction theorem for processes [12] dening sufcient properties for the network invariants. The method was applied on two examples; in the rst the processes formed a complete graph and in the second a ring. However, for the case of the complete graph the authors consider the observable behavior as the sequence of actions taken. More specically, in that example it is the sequence of messages sent between the system and its environment. Therefore, the problem we deal with in this paper was not discussed. Kesten and Pnueli dene a sound data abstraction method [10]. Their method is useful for reducing the range of the data variables of the system. The user needs to invent the abstraction function and in some case the progress monitor for a specic system. Their method can be used as a preprocessing step to replace variables ranging over parameterized or innite domains to abstract variables, which range over nite sets. Then our technique provides the user with an abstraction function to reduce the number of variables in the system. Other works discuss only safety properties for the verication of parameterized systems [8]. The abstraction technique presented in this paper is similar to temporal case splitting [15, 16] in that it reduces a vector of unbounded size to a vector with a xed small number of elements. With temporal case splitting the proof is decomposed to a large number of proof subgoals, which become a xed number of problems using symmetry properties. Our technique includes the abstraction of the fairness conditions of the concrete system, especially on actions accessing or modifying the elements of the abstracted vector. Moreover, we dene fairness conditions for the abstract system based

C 4 B 4 @ 4 8 4 63 4 A9$9A9$5753

EF

E 9D

on the existence of constant values stored in the vector. As we will show, these fairness conditions are necessary, e.g., to prove the correctness of a spanning tree algorithm. Additionally, constant values of the index type do not increase the size of the abstract system in our approach.

In this section we describe the types of systems we consider. We deal with the verication of closed parameterized systems. A closed parameterized system can be dened as In the above formula 1 2 are identical processes up to renaming. The restriction. Both operaoperator denotes parallel asynchronous composition and tors are dened in the literature [9]. In the above denition of the parameterized system it is assumed that each process , for 1 , is independent of the number of processes in the system. For example, the processes may be used to specify a mutual exclusion algorithm with only one shared variable for the whole system [9]. However, there are cases in which the number of observable variables of each process depends on . In those cases, the denition of the system can be written as

and with differ only in their id values, and with have a different number of observable variables. We are interested in proving the correctness of a parameterized systems described by (1). In this paper we follow a similar notation that is used by Abadi and Lamport [1] for describing systems. Each system, which can be composed of one or more processes, is represented by its specication N . is the state space of the specication, is the set of initial states, N is the next state relation, and is the supplementary property dened over . The state machine N denes the machine property of . For all systems we consider, is machine closed and species a liveness property. The denition of machine closure can be found in the literature [1, 13]. The next state relation is dened using a set of atomic actions . Each action has a precondition (or enable condition) prec , which is a state function, and an effect part eff , which describes the values of the variables in the next state , as a function of the current state . Therefore, can be described as the conjunction of its precondition and its effect1 While

h d jiX2

X2de d X2dg7 d e

Actions also contain conjucts of the form for each variable that must remain unchanged. Therefore, the effect of an action may be considered as the conjunct of unch . In the last formula is a boolean combination of predicates of the form , and unch is the conjunction of predicates of the form . We say that an action reads a variable , when appears in a predicate in . An action modies or writes a variable , when there is a predicate in and . This classication is based on the syntax and can be performed by static analysis.

gfI 4Y

5b4 w 4 y

W 2

T

1 2

4 y w 3 P4 5P4 xvu

` ! aY

Y PAI f

d X2eV9 &

(1)

A state pair N , if and only if there exists , such that prec is true for and the pair of states satises eff . Then the triple is called a transition of the system. We assume there is a stuttering step and for all states , belongs to N . The liveness property is a restriction imposed on the innite behaviors of the system. It can include the conjunction of strong and weak fairness properties specied on some of the actions. We use W and S to represent the sets of actions with weak and strong fairness properties respectively. The sets W and S are disjoint and subsets of . Then . The weak and strong fairness properties are S W dened as

The expression eff evaluates to true when action is executed and the systems state changes. Therefore, for a pair of states

For a more detailed description of weak ( ) and strong ( ) fairness properties, the reader should refer to the literature [13]. Moreover, can include justice and compassion requirements on sets of states. Justice requirements have the form and compassion requirements can be represented as , where , , and are atomic predicates which specify sets of states [9]. In this paper we assume that are not specied on the shared variables of the system, which are going to be abstracted, i.e., the variables in SV (see Section 4 for the denition of this set). A sequence of states, with , is a behavior of if satises the specication . More specically, it must hold that 0 , 0: 1 N , and , where is the th state in sequence . We use this operator to denote that an assertion is valid for a state or a set of states. We extend its usage to temporal properties and sequences or sets of sequences. When a specication is used at the LHS and a temporal formula at the RHS, the temporal formula is valid for all behaviors of the specication. For a state , where and , we call the -part of the state or -part of the state. The -part of the state includes only the variables in and their values. The operator denotes projection. For a state , it holds and . That means is the projection of on the -part of the state and is the projection of on the part of the state that is not included in . We use the projection operator on sets of states as well. Another operator that is commonly used is the property operator P . Operator P is dened on a temporal property , which could be a system specication, and denotes all behaviors that satisfy .

aVf 3

u k t6 3 |1

eff

gA$ $q2r$ w x

Y4 3 bAm$

y ` pY

BY y ` Ga a 4

` g

4 ~4 $g ~ q

A w w q23 u

prec

gAA Aq2y$ w x

u w iq23 t

prec

eff

eff

eff

TRA4 nb 4

v`

g`

u s v1 t s rp q k u q

!Vfnfw 4 b

y ` Y4 3 |HpbAm$

3z

` 4 i!Rfmbw

Y P$4

qq ~

4 Vfnfw

Vf P Y 3 Vf P

y3 z

k k l3

prec eff

` o u

Some variables of the system are local to a specic process, while others are observable to all processes. We call the observable variables shared variables. We consider vectors of shared variables of the form sv2 1 1 FS2 FS

where FS is a nite set for all in 1 . For simplicity, we restrict our discussions to systems with only one parameter and only one vector of shared variables sv. Then 1 FS , where is the system state space can be represented as the state space without the sv vector. In the rest of the paper we refer to each sv with 1 as a shared variable. Besides vectors of shared variables, the system can have a nite set of variables that are observable to all processes. The cardinality of the set must be independent of . We consider these variables as part of and we restrict the usage of the term shared variable only for an element of the vector sv. If the effect of one action can be obtained from the effect of another action by replacing any appearance of one shared variable sv with another shared variable sv , then eff and eff are called syntactically equivalent. For example, in Figure 1 only eff and eff are syntactically equivalent.

prec r sv j

prec r sv k

prec p sv j

Fig. 1. Only the two leftmost actions have syntactically equivalent effects.

We now present our assumptions for the systems we consider. Then we elaborate on the reasons for making these assumptions and their implications. 1. Although actions can read and modify a number of variables, they can either read or write at most one shared variable in each atomic step. 2. Each shared variable is a single-writer multi-reader variable. More specically,

3. The preconditions of the actions do not depend on the values of the shared variables. Therefore, reading or writing a shared variable can only be done by the effect part of an action. 4. (a) There exist no action that reads only variables in and has the same effect at some state as an action that reads a shared variable. More specically, if is an action that reads a shared variable and W S , then for any action that does not read a shared variable

N :

eff

eff

2V

0 &h '

: sv

P q

2V

2 q

` 4 w Anbi

` h ! 91

prec r sv j

2R

0 &h '

T e2R '

0 1 '

sv

0 0

sv1 1

FS1

` T h 0 &h '

(b) There exist no action that modies only variables in and has the same effect at some state as an action that writes a shared variable. More specically, if is an action that writes a shared variable and W S , then for any action that does not write a shared variable

(c) Two actions that are not syntactically equivalent and access different shared variables cannot have the same effect at some state , unless the shared variables accessed have the same value at . More formally, if and are two acsv and eff sv ,then tions of the system with eff

N :

We believe that the above constraints are common among many applications. Only 1 and 2 restrictions are needed when safety properties are checked. When liveness conditions are checked, 3 and 4 restrictions must also hold. The restriction 3 has been used in other works ([14],Chapter 9). Our intuition behind this restriction is that reading a non-local variable should be an atomic action. The decision of a process to execute an action should be based on local variables only. Note that process can maintain a local copy of sv and because of restriction 2 the copy can be always equal to the value of the shared variable. The intuition behind 4 is that we cannot satisfy the liveness requirements of an action by simulating it with a completely different action. However, syntactically equivalent actions are not restricted by 4. Most systems with a program counter for each process satisfy the 4 restriction. More specically, if each instruction has a different successor, the effect of each action of one process is distinct. Since the program counter is a local variable of each process, the effect of each action cannot be simulated by an action of a different process. The restrictions 1-4 do not need to hold for the xed set of global variables in . Therefore, we can have a xed nite set of multi-writer variables. For the systems amenable to our technique the correctness property that we are going to check is independent of the number of processes in the system. More specifically, is expressed as a function of the local and shared variables of a nite set of processes . The set is the same for all values . For simplicity in this paper we assume that 1. This means that the correctness property is specied on 1 . Under symmetry conditions the property will hold : , if it holds for 1 . Note that can be any LTL property that can be expressed using operators and . As noted before we are concerned with the verication of a closed parameterized system. In such a system there is no interaction with the environment. The property that we want to prove is described as a function of some variables of the system. These variables represent the external part of the state. While all other variables belong to the internal part of the state. The distinction of external and internal part of the state is described in the literature [1]. In this section we presented the assumptions for the systems we consider and the notation we use. In the next section we describe the proposed technique for the verication of these systems.

1 ' &h ' 1A p$ A3 Anbw 0 63 0 k w k w 6z 4 )' 2Rgm$ 0 4 4 3 nh ' 2VgmgGj 0 4 4 3

4 I

eff eff

N :

eff

eff

sv

e B

sv

3z ( z

` 4 w fmb

4 4 I I

2V

In this section we describe the proposed technique for the abstraction of parameterized systems of the form of (1). We start by describing a verication framework in which this technique is useful (Section 4.1). Then we present in detail the abstraction of the technique (Section 4.2). For simplicity, in this section we assume that 1 and that and one shared variable sv with elements. Because there is only one parameter 1, the number of shared variables in the abstract system is 2 ( 1). 4.1 Overview of the approach We wish to verify that property is valid for the closed parameterized system

for all nite , where is the minimum number of processes in the system. We assume that the system Q and property satisfy all the assumptions described in Section 3. The property may be veried as follows: 1. The user provides a network invariant 2 [9], such that for any

and the number of local variables of is nite and independent of . 2. Following the steps of our technique as described in Section 4.2, the user obtains the system . 3. Model checking is used to automatically prove . Then the user concludes that Q holds for all . and 1 should be nite-state In order for the third step to be successful, processes for any . Note that for the modular abstraction relation of step 1 to be valid, must have observable variables. In this paper we are dealing with the second step, which is described in the next section. 4.2 Obtaining the abstract system from 1 . In this section we describe the technique to derive We denote the abstract system as N and explain how each of the components of the can be obtained from the corresponding components of N . State space: The only change in the state space is that the shared variables sv 1 FS become sv 1 2 FS . Let be expressed as sv 1 FS , where sv is the state space of all variables except sv. Then we can formally dene as sv 1 2 FS . We denote sv the variable in 1 2 FS .

3 u W $ 4 RR 2u I Q 3

z z f 3 3z ( z

4 I i B

rG 4 RQ!TR 4 I I Q

4 4 y4 w 3 ib1 1P u u

3z u

3 z

0 ! 3 ' ! v` ' 0

4 y P4 5P4 w

3z pp z

Next state relation: The next state relation N of is dened by a new set of actions A. We derive A from some newly dened actions and the actions. Each action of is either an action of or of 1 . The actions of process cannot modify sv 1 because of the single-writer restriction (2). They can modify any of the 1 elements sv with 2 . Let SV be the set of these elements, i.e. SV

sv

On the other hand, the actions of process 1 can access any of the elements of sv, but can only modify sv 1 . The following steps describe how we obtain A, which initially is an empty set. T0 For each value in FS, we dene and add to A an action of the form sva sva EXCEPT ! 2 v v UNCHANGED all other variables The precondition of is TRUE in all states and its effect is to change sv 2 to a new value in FS. All other variables remain unchanged. T1 For any action that does not access or write any of the variables in SV , A2 . that reads variable sv , with sv SV , we replace all T2 For any action references to sv by sv 2 to obtain . Then we add to the set of actions A, i.e. A. T3 For any action that writes to variable sv , with sv SV , we replace all references to sv by sv 2 to obtain . Then we add to A, i.e. A. T4 For any action that reads an element sv with 1 and , let eff sv . We dene action as follows prec ge 1 h e e sva 1 prec ge 1 h e e sva 2 Action is composed of two disjuncts, one for each possible value of . The rst disjunct is the conjunction of prec , 1, and the effect expression of action with every reference of sv 1 replaced by sv 1 . The second disjunct is the conjunction of prec , 1, and the effect expression of action with every reference to sv 1 replaced by sv 2 . The new action is added to A, i.e. A. Note that there are no actions in that read more than one element of sv or read and modify elements of sv because of restriction 1. Furthermore, if an action writes to a variable sv , we can determine whether it is an action handled by rule T1 or T3 based on the process performing the action because of restriction 2. Consequently, any action in is handled by one of the 1 4 cases.

2

For simplicity for this and the following types of actions we do not describe the changes in the unch part. From now on we will use eff to describe the part of the action.

` V

0 d '

$

! `$ ` `0 (&h '

`0 a&h '

0 '

4 I ` z0 e T vh bnh ' 3

3 i$

0 &h '

4 I

0 0 ' 3

0 '

' H3

0 &h '

kvr3 x

k vx

k k r3

0 '

Initial states: The initial states can be obtained by the projection of on and the set of initial values for the variables sv. In the element sv 1 has the same set of initial values as sv 1 in the original system. For sv 2 the set of initial values is the set of all possible initial values in the original system for the elements in SV . Liveness conditions: Based on the rule used to dene an action its weak or strong fairness properties will be specied. For any constructed based on rule 1 from action , the action inherits the weak or strong fairness properties, if any, of . The same happens for any produced from by rules 2 4. However, in this case can be considered as being constructed from a set of actions . For any such the fairness property added to will be the weakest property specied for any action in . More formally, if can be constructed by any using one of the rules 1 4, then

In the relations above W and S are the complements of W and S , respectively. Besides the strong and weak fairness conditions on actions, we specify some liveness conditions related to constants. More specically, suppose for any and for all behaviors of Q , there exists 2 and FS, such that it holds sv . If there exists an action W , accessing sv , then we dene condition obtained from eff by replacing each occurrence of sv by the value . We dene constraint

We denote as C the set of the actions that read shared variables, which for all and for all behaviors of Q have a constant value. Note that the does not need to be the same specic index for all behaviors, if the fairness properties are specied on a 2 . set of syntactically equivalent actions that are dened for all Finally, for any justice or compassion conditions expressed on variables only on and sv 1 , we require that the abstract system satises the conditions , as well. Then can be expressed as

The example below is a demonstration of rule T2. The new action is created from 1 actions of the abstract system. If there exists a constant value in the concrete system for some 2 and 2 : Action W S , then the new abstract action is included in C .

i B

` ! Y

4 x &dA4 Xm$mq

` h

` h T 5

` ! |

For an action

prec

4 x &dA 4 Xm$mq

prec

i j B

0 1 '

/ 0

/ 0

/ 0

/ 0

/ 0

l`

0 1 '

/ 0

W S

e` o

0 '

6 3 k p 2 3 p 6 3 P k 63

0 '

` T p

A w

k 2 3 p

3 ( P ( 2

0 '

$4Rgmgn 4 x1 ' 30

0 '

2V

module a

concrete version

...

abstract version

...

In the appendix we give the complete proof for the soundness of the technique. In the next section we demonstrate the usefulness of the proposed technique by applying it on a spanning-tree construction algorithm.

5 Spanning-Tree example

In this section we describe the application of the proposed technique on a variant of Arora and Goudas Spanning-Tree (ST) construction algorithm [3]. In the appendix (Algorithm 1-3) the TLA+ descriptions of different versions of the ST algorithm are displayed. The algorithm is explained in Section 5.1. In Section 5.2 we present a version of the ST-algorithm after the application of data abstraction. In Section 5.3 we present some theoretical preliminaries. We report the results of the application of our technique in Section 5.4.

3z u

Theorem 1. If

, then

:Q

3 z

i B

!Tx

x r3

... Next

Action

w 0 ' V0 '

3& 3 &

63

xvk x x vk

k r3

... Action

!Tx T ` vr3 x

... Next

2 N : Action j

module b

var1 var2 u1 1 u2 u2 var2 var2 sva 2 1 var2 sva 2 UNCHANGED other variables

UNCHANGED

w 0' V0 '

3 3

63

xk x x k x k

k l3 k

... Action j

other variables

5.1 ST algorithm In this algorithm each process executes the program displayed in appendix (Algorithm 1). The node with the greatest id, EQk, becomes the root of the tree. Eventually, every other node stores in its Root the id of the root. Moreover, eventually D holds s distance from the root and F its parent in the tree. Node selects the parent node, so that D is equal to the minimum distance, dist , from the root in the graph. Note that dist is not a variable of the system. For the spanning tree construction algorithm we want to prove the convergence of any process with dist after all its neighbors with dist 1 have converged and some general properties on the graph hold. In order to do so, we assume process 1 is at distance from the root and has 1 neighbors. Out of the 1 1 from the root. Some of the neighbors at least one must be a neighbor at distance neighbors can have dist or dist 1. There is no neighbor that can be at distance less than 1 or more than 1. Otherwise, 1 s distance would not be , which is a contradiction. The property that we want to prove is

where H

and J

Note here that 1 is not symmetric to all processes 2 . However, 1 cannot guess the dist values of the processes, so all processes are identical up to renaming for 1 . Moreover, 1 is identical up to renaming to all other process at distance from the root. 5.2 Data abstraction In the variant of the ST algorithm, some of the variables range over parameterized or innite domains. These variables include

and variables used as local copies of their values (lRoot, lD, and lF). We use data abstraction [10, 9] to reduce the state space of the system to a nite set, which is independent of the number of processes in the system. More specically, data

0 | 0 G

Root D

1 1

4 PT4!TA7 4 I I 4

B p0 '

4 I 4 I 4 I 4 I 3 ` d0 ' k T ` z p0 ' k 3 10 ' k 3 10 ' k l3 0' 3 ! ` vk 8 (0 ' k 3 10 ' k 0 ' jk B 3 k 0 ' 30 ' k 3 k d0 ' k ! ` gr3 q3

1 N:

dist i

0!Y'

4 I

0!Y'

e` ' ! 'j` ! j`

Vt3

0!Y'

0 iY'

4 I

0!Y'

0 !Y'

abstraction reduces the range of the above variables to a nite set. Even though the range of the variables can be reduced, the number of the shared Root and D variables still depends on . Therefore, the abstraction technique presented in this paper is employed as a next step to reduce the number of these variables to 2. Then we can use model checking to verify the system. Formally, the steps we followed to verify that the parameterized system Q satises property are 1. Abstracted the system and the property to Q range over nite domains 2. Used the abstraction technique to transform Q and in which all variables

The abstract property does not need to be abstracted in the second step because we assume it is expressed on variables not in SV . If model checking proves that , we conclude that Q because of Theorem 1. Moreover, because of results presented in the literature [10], Q Q . The version of the algorithm after data abstraction can be seen in the appendix (Module Process - Algorithm 2). The variable Root now ranges over the set LTk,EQk . Model values LTk and EQk stand for less than root and equal to root, respectively. Variable F is abstracted to NotNeighborNode NeighborLorMore NeighborLMinus1 1 . Finally, all D values that are greater than are abstracted to DGTK model value. The corresponding operators for the model values are dened using the principles of data abstraction [10]. 5.3 Theoretical preliminaries The rst task according to the overview of our approach (Section 4.1) is to build a network invariant for all processes other than 1 . The following result can help us simplify the construction of the network invariant.

Q

if and only if

Consequently, there exists such that the execution segment starting at state satises always and has innitely many states. Since is also an initial state, there exists sequence with 0

1ih4

B Y 4Y 3 Y a7Pjih4 P$4 !h4 ow ` |h w oiqr3 z ql3 z k w k eoiq5qr3 z x w evvq2r36z z ql3 i Gq3 z qy3 i z z rqy3

qr3 i z

for which

z 3 u

u

to

3 i z

I

3z

3z

rqr36z

Sequence is also a behavior of Q and satises that , which implies that Q For the direction we note that any behavior of Q fore, for any such that the following property holds

Consequently, whenever the conclusion of the implication is false, the hypothesis is false, too. Lemma 1 provides us with a safety property , which can be used to simplify the network invariant . More specically, we are interested in nding a system 1 , which species at least the same behaviors that Q species. The systems Q and 1 are not restricted, since any process adjacent to , with 1, is communicating with Q , providing input values to some processes in Q . However, for any value of these inputs a behavior of Q that violates is not a property that can satisfy . The reason is that is a safety property that is violated by a nite sequence, whereas can only be satised by an innite behavior. In general to nd whether holds for Q we only need to check behaviors for which holds. All other behaviors satisfy trivially. Therefore, for all inputs should not produce any state that violates . In this case we choose to be the process that writes on the shared variables in SV any values that do not violate . Process has no inputs and no local variables. It species the behaviors that are dened by the projection of on SV , P P SV . Therefore, all possible behaviors that the system 2 species and which satisfy , are specied by

does not have any inputs. Because all inputs of 1 are the SV In this case variables, which are outputs of , the system 1 is restricted. For the property at the LHS of (2) we can dene a specication with exactly the same sequences as behaviors. The new system will be the same as 2 with additional conjuncts SV in the initial condition and SV in the next state relation. Formally,

Moreover, we assume for all inputs of process and can take any value. Since both exactly the same set of observable variables

that they are local variables to each and have no inputs and have

P SV

vq2

I Q I A 4 VUQT!&S 4 P

pla

P SV

P SV

A

w oiq

Q

that satises

satises

vqP

owiqkq q

I Q I $ 4 RQT!&S 4 P

vP

SQR 4 I AvqP

3 A 52

4 RQT!&S 4 I I Q $ 2 3

(2)

The system

5.4 Application of the technique We apply the proposed technique on the system 1 and obtain the abstract system . The abstract system has 8000 states and TLC takes 2 minutes to prove the property. The concrete system with 4 has 216800 states and TLC takes 40 minutes to prove its correctness. In the appendix (Algorithm 3) the specication of the abstract system in TLA+ is displayed. The variable SetOfLMinus1Neighbors, which was used by the network invariant in the concrete system to leave the nodes at distance 1 unchanged, is removed using data abstraction.

6 Conclusions

In this paper we presented a new abstraction technique for the verication of parameterized systems using model checking. The technique imposes less restrictions on the correctness property. We used the technique to prove a persistence temporal property of a self-stabilizing spanning-tree construction algorithm. In the future we plan to work on ways to automate the application of the abstraction technique and remove some of the restrictions on the type of systems that this technique can be applied to.

References

1. A BADI , M., AND L AMPORT, L. The existence of renement mappings. Theoretical Computer Science 82, 2 (1991). 2. A RONS , T., P NUELI , A., RUAH , S., X U , J., AND Z UCK , L. D. Parameterized verication with automatically computed inductive assertions. In CAV 01: Proceedings of the International Conference on Computer Aided Verication (London, UK, 2001), Springer-Verlag, pp. 221234. 3. A RORA , A., AND G OUDA , M. Distributed reset. IEEE Transactions on Computers 43, 9 (1994). 4. BAUKUS , K., L AKHNECH , Y., AND S TAHL , K. Verication of parameterized protocols. Journal of Universal Computer Science 7, 2 (2001), 141158. 5. C LARKE , E., TALUPUR , M., AND V EITH , H. Environment abstraction for parameterized verication. In VMCAI 2006: Proceedings of the th International Conference on Verication, Model Checking, and Abstract Interpretation (London, UK, 2006), Springer-Verlag, pp. 126 141. 6. E MERSON , E. A., AND K AHLON , V. Reducing model checking of the many to the few. In CADE-17: Proceedings of the 17th International Conference on Automated Deduction (London, UK, 2000), Springer-Verlag, pp. 236254. 7. FANG , Y., P ITERMAN , N., P NUELI , A., AND Z UCK , L. Liveness with invisible ranking. International Journal on Software Tools for Technology Transfer (STTT) 8, 3 (2006), 261 279.

1 1 1

SS 4 I Q

8. J HALA , R., AND M C M ILLAN , K. Array abstractions from proofs. In CAV 07, accepted for publication (2007). 9. K ESTEN , Y., AND P NUELI , A. Control and data abstraction: the cornerstones of practical formal verication. International Journal on Software Tools for Technology Transfer (STTT) 2, 4 (2000). 10. K ESTEN , Y., AND P NUELI , A. Verication by augmented nitary abstraction. Information and Computation 163, 1 (2000), 203243. 11. K ESTEN , Y., P NUELI , A., S HAHAR , E., AND Z UCK , L. D. Network invariants in action. In CONCUR 02: Proceedings of the International Conference on Concurrency Theory (London, UK, 2002), Springer-Verlag, pp. 101115. 12. K URSHAN , R. P., AND M C M ILLAN , K. L. A structural induction theorem for processes. Information and Computation 117, 1 (1995), 111. 13. L AMPORT, L. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley Professional, 2002. 14. LYNCH , N. Distributed Algorithms. Morgan Kaufmann Publishers, 1996. 15. M C M ILLAN , K. L. Verication of an implementation of tomasulos algorithm by compositional model checking. In CAV (1998), A. J. Hu and M. Y. Vardi, Eds., vol. 1427 of Lecture Notes in Computer Science, Springer, pp. 110121. 16. M C M ILLAN , K. L. A methodology for hardware verication using compositional model checking. Science of Computer Programming 37, 13 (2000), 279309. 17. P NUELI , A., RUAH , S., AND Z UCK , L. D. Automatic deductive verication with invisible invariants. In TACAS 2001: Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (London, UK, 2001), SpringerVerlag, pp. 8297. 18. P NUELI , A., X U , J., AND Z UCK , L. Liveness with (0,1,innity)-counter abstraction. In CAV 02: Proceedings of the International Conference on Computer Aided Verication (London, UK, 2002), Springer-Verlag, pp. 107122.

Proof of correctness

In this section we prove the correctness of the proposed technique. It is enough to prove that . As before stands for the concrete system 1 . We are going to use the theory of renement mappings [1] to prove that the abstraction is with a prophecy correct. More specically, we rst dene system by augmenting variable and then we dene a renement mapping from to . A.1 System with a prophecy variable

1 The state space 2 . This implies that 2 in all reachable states of . 2 The set of initial states 2 . As a consequence, can have any value in 2 initially. 3 From the set of actions of , based on which N is dened, we are going to derive the set of actions , which dene the next state relation N of . There are four types of actions in : 3 0 includes 1 actions of the form j j UNCHANGED all other variables where 2 and sv is the next element in SV that is going to be read or written. These actions are always enabled. 3 1 For any action that does not modify or read any of the variables in SV , a new action is dened, which has as an effect the conjunction of the effect of and the condition . The new action is included in : prec eff 3 2 For any action that reads one of the variables in SV , a new action is dened and added to . Let the accessed variable be sv . The precondition of is the conjunction of the precondition of and . The effect is the same as the effect of and is left unchanged prec j eff 3 3 For any action that modies one of the variables in SV , a new action is dened and added to . Let the modied variable be sv . The precondition of is the conjunction of the precondition of and . The effect is the same as the effect of and is left unchanged

hc3 0 nh '

4 P4 3 u y w

u u ou W A SR 4 2 Q I

T `

y T yy3 y

u

T `

0 nh '

3 n

ou

3 n 3

` ! vh k 3 k n l3

3 n k

4 5b4 3 u 4 y w

k l3

k l3

u u

N L system from

T u

In order to prove that and dene the same externally visible property, we need to prove conditions P1-P6, as Abadi and Lamport found [1]. For convenience, we repeat the conditions P1-P6 as described in their paper P1. for some set P2. (a) (b) For all 1 there exists 0 1 and, for 0 , 1 N then P3. If N N or . P4. If N and then there exist 0 0 N and, for 0 : 1 P5. .

Vf

the set 1

` iA U 3 4

N .

y ` 4 v mb

3 T!$4 4

Note that

by construction.

5k r3

such that

such that

u

where is the projection of state on . is the conjunction of all justice and compassion requirements of (c) If

x k VV t6 3 |1 q A

w q2 k y3

ii. if

S , then

prec

w iqP$k y3

prec

eff

eff

` V

3 4 For any action that reads a variable sv , with 1 and let eff . We dene action as follows prec ge 1 h e e sv g e prec ge h e e sv g e The new action is added to . 4 We dene liveness condition built by the following algorithm: (a) TRUE (b) For each action constructed from using any of the rules 3 1 i. if W , then

` T aVg

0 Pg '

3 n 3

k l3 k k k

prec j eff

3 4,

then

P ROOF SKETCH: Using the way was constructed (properties 0- 4), we prove premises P1-P6. Based on Proposition 5 of Abadi and Lamports paper, the lemma is implied from these premises. P ROOF: 1. 1 implies P1 1.1. Because of 1 it holds that 2 . If we substitute for 2 , the following condition becomes true 2 satises a much stronger property, i.e., 1 This property is the same as P2 in Abadi and Lamports paper [1]. P ROOF: 1 1

$! 4Sbg4

$! 4Sbg4

$! 4Sf$4

`i!Vfnfw 4 `i!Vfnfw 4 ` 4 !SAnbw V u u 4 4 # nfAw `i!Vfnfw 4 ` 4 TRAnbw R u u 4 4 # nfAw `i!Vf4nfw u 3 Syi 4 4 # nb$w 4nb ` 4 fnfw 4 4 $ 4 f$4 # nb$w

3 V 3 t 5`

3.

3 0 3 4 imply P3 P ROOF SKETCH: We prove P3 by doing a case based analysis of all actions in , us we prove that all possible 3 4. For each action ing the properties 3 0 satisfy N or . transitions 3.1. C ASE: is constructed by rule 3 0, then By denition of (rule 3 0) for any in such that , it holds that is a transition of . This is guaranteed by the second conjunct of the denition. 3.2. C ASE: is constructed by rule 3 1, then N Let be an action constructed by rule 3 1. For any transition we know that there is an action of of system with the same precondition and the same effect on the -part of the state. Therefore, is enabled at and can produce , when executed at . This implies N. 3.3. C ASE: is constructed by rule 3 2, then N Let be an action constructed by rule 3 2. For any transition we know that there is an action of system of system such that prec prec eff eff Therefore, is enabled at and can produce , when executed at . This implies N. 3.4. C ASE: is constructed by rule 3 3, then N We can apply the same reasoning as in the Case 3.3. 3.5. C ASE: is constructed by rule 3 4, then N

y q2

3 y

2.

Lemma 2. Systems

and

3 tG$A

nb 4 3

Vf

The set 1

for which

prec sv Since is expressed only on , we have This implies N. 4. 3 0 3 4 imply P4 P ROOF SKETCH: We prove P4 by doing a case based analysis of all actions in , using the properties 3 0 3 4. For each N , we prove based on the action that caused the transition that there exist a sequence of actions in that satisfy the premises of P4. : 4.1. C ASE: 1. is a transition of 2. does not read or modify any element of SV that is enabled at , for any value of By rule 3 1 there exists action , and can produce , if executed at . The value of remains unchanged by the execution of . This implies belongs to N . 4.2. C ASE: : 1. is a transition of 2. reads or modies an element of SV Let sv be the element read or modied, where 2 . For each there exists transition . The reason is that actions constructed by rule 3 0 are always enabled, so the action is enabled in . Therefore, it holds N . Because of rules 3 2, 3 3 we know that there , whose precondition is the conjunction of the precondition of exists action in . Therefore, this action is enabled in state . Moreover, its effect is and the effect of and it leaves unchanged. This implies that N . 4.3. C ASE: : 1. is a transition of 2. prec sv , where 1 In this case there exists action in dened by rule 3 4. Since , 1 or 2 . If 1, then in state we have that 1 sv prec For every , state , with , is in and If 2 , then let with 2 . Then for all , there is action created by rule 3 0 such that . Then state 0 0 belongs to and satises . Therefore, prec sv

0 4 k P$ ' 4 gm$51 3 k 0 4 4 k m 1b$ ' 2RXm$51$r3 1 k 3 k 0 4 4 3 k m 1bVg ' RgmgGk $51 u 4 4 $! 4Sbg4 # nfAw

1 sv prec

3 4

Let be an action constructed by rule 3 4. For any transition we know that there is an action of system of system such that prec 1 sv prec sv

3 $!h 4 f$#1ihnfA z 4 4 w 3 0 4 k k h v3 eaVg3 $!h 4 f$#1ihnfAw k h 3 z 4 4 k1b$ ' 4 Xm$51 h 3 v$ 1ih4nf 3 $! 4Sbg#1ih4Vb$w z 4 ` ! 4Vb ` 3 Vglqh ! $ ` T h 3 $ 4 bg# nb$w z 4 4 k k1P$ ' 4 Xm$5k a$3 $ 4 bg# nb$w 0 4 3 z 4 4 3 1 3 & 4nb ` a! 4Rb k 0 1b$ ' 4 gm$5k $ 3 Anbw 4 3 z 4 3 $ T i$ ` 3g 3 zTRfmbw 4 0Pg ' 2RXngGk 4 4 3 ! `$ ou TRf4 nbw 4 ` ` 4 4 4 A1ih2Vf$7ihmbAw h 3 ` 4 4 AT Sbg#!h4RbAw

(3)

` i! 4b

ih4mb

` T h

3 fnf z 4 w

` 4 !VAnbw

TRA4 nbw 4

3 A 4 f$7 nfAw z 4 4

s f x E R ` 4 a!Rfnfw

TRf4 nbw 4 `

TRf4 nbw 4 `

0 &h '

5. 4 implies P5 P ROOF SKETCH: The argument is based on the equivalence of and . The property is expressed on variables in and is equivalent to . Therefore, for every innite behavior that satises , must satisfy . Moreover, for each behavior satisfying , all corresponding behaviors produced by the machine of must satisfy . 6. P6 is valid by construction of the state space For each and each state , there are at most 1 values for , so at most 1 elements in the set 1 . Each state which is reachable for has at least one .

The next lemma states that there exists a renement mapping from the system with the augmented prophecy variable to the abstract system constructed using rules 1 4. We represent the state as sv , where is the part of the state without the shared variable sv ( ). We consider sv 1 the external part of the state, even though the external part of the state may be only a part of sv 1 . Extending to those cases should be straightforward. The shared variable is sv. In system the shared variable ranges over 1 FS . The state of the abstract system can be represented as sv , where sv 1 2 FS . The renement mapping we consider is the function : dened as let

sv in

By denition preserves the external part and sets the rst element of sv to sv 1 and the second to sv , i.e., sv

In order to prove that is a renement mapping, it is sufcient to show that satises conditions 1 4 as shown in Abadi and Lamports paper [1]. We list the 1 4 conditions from that paper for the readers convenience.

P ROOF SKETCH: We prove the lemma by showing that P ROOF: 1. R1 is satised by the denition of .

satises properties

u ou u u f u b u 3

` 4 $ f u 7 b u w b A f u 3

ja u ` $4 bw y y ja P u `

to

4.

0 '

sv 2

0 '

30 ' 3 0 '

sv 1

sv 1

0 '

sv 1 sv

0 ' m$ 4

0 ' m$ 4

4 m$ 4

Therefore, 1

is nite and

b u

! '` T '

0

` V nf3 ` 4

` m

nf 4 Vf

0 '

5 : sv 1 sv sv 1 2. R2 is satised by construction of . P ROOF:By construction , where sv 1 , sv 2 sv 1 sv 2 are the sets of possible initial values of sv 1 and possible initial values of the elements in SV , respectively. For any state sv it holds : sv 1 sv and , sv 1 Since 2 , . sv 1 , and sv sv 2 : Therefore, . We proved that . This implies that . 3. Rules T0 T4 imply R3 is satised by f. created by one of the P ROOF:For any N there must exist action rules 3 0- 3 4, such that is a transition of . There are four cases based on which rule was used for the creation of . 3.1. C ASE: Action is created by rule 3 0. Then there exists an action created is a transition of . by rule 0, such that P ROOF: Action modies only the value of (by construction). After the action sv can have any value in FS. There is an action A created by 0, which leaves all variables unchanged and sets sv 2 . Since is always enabled, it is enabled in . Its effect is to leave and sv 1 unchanged and set sv 2 sv . Therefore, the next state is . Consequently, is a transition of . 3.2. C ASE: Action is created by rule 3 1. Then there exists an action created by rule 1, such that is a transition of . P ROOF: Action can modify only the values of , sv 1 to , sv 1 (by construction). In order for to be in , there must exist an action of with the same precondition and effect on sv 1 . Because of rule 1 an action exists in A with the same precondition and effect on sv 1 . Therefore, sv 1 sv 2 sv 1 sv 2 is a transition of . 3.3. C ASE: Action is created by rule 3 2. Then there exists an action created by rule 2, such that is a transition of . P ROOF: In this case accesses variable sv with 2 . Action cannot modify any of the elements of sv because of the restriction 1. Moreover, by construction cannot modify . In order for to be enabled in , . So, this action modies to by accessing sv . For this action to be constructed by rule 3 2, there must exist action of . Therefore, because of rule 2, there must exist A with the same precondition and effect as , except that sv is replaced by sv 2 . However, in by the denition of , sv 2 sv . Consequently, has the same precondition and effect on as . Since neither sv 1 nor sv 2 changes, the next state after the execution of in is . This means that is a transition of .

yeXb u vo ` y ` G0 ' 2 9 ! y ` y ` ` y E e0 ' A0 ' 20 ' $m$G b u p ` 4 w4 3 y 4 ngH 4 3 0 ' E y y y y E | y ( P 3 u 3 3 4 w4 #mb G0 ' 4mgH$A0 ' 20 ' gm$A $gb 3 A0 ' P0 ' gm$GXb u k 4 w4 3 0 ' m$Xmb k 4 3

sv 1 sv (5)

0 '

3t&T0 '1 3

u T0 ' 0 ' u

4 A$A u 4 #Vf u w

e`

0&h ' 4 Agf u 4 #b u w u ' w 4 ' 4 ' w4 04 1 g 4 gV4 1A0 1 P0 $mXAw 0 ' m 4

4 Agf u 4 #b u w

4 Agf u 4 #b u w

0 '

4 $$4 nfw

$A u

0 ' m 4

Vf u

`ma 4 m$3 4 a y V u ` Vf u

P ROOF:Let

(4)

`$$nbw 4 2 u y y y ` vXf u y ` m

4 $$f u 4 7Vb u w

3.4. C ASE: Action is created by rule 3 3. Then there exists an action created by rule 3, such that is a transition of . P ROOF: Action modies element sv . Moreover, because of the restriction 1, it cannot read any sv variable. Therefore, the new value is a function of the state . It must be independent of , since the effect of is the same as the effect of based on which was created. Based on and because of rule 3 is created. Action has the same precondition and the same effect except that instead of sv , sv 2 is modied. Therefore, is enabled in . Moreover, for any value that can assign to sv as a function of , can assign that value to sv 2 as a function of . Changes to are the same for the two actions as they are taken from . Consequently, sv 1 sv sv 1 sv is a transition of . 3.5. C ASE: Action is created by rule 3 4. Then there exists an action created by rule 4, such that is a transition of . P ROOF: In order for to exist in , there must be an action , such that prec sv for a state function 1 . Then there exists action A dened by rule T4. For a state pair satisfying we have

Therefore,

4. R4 is satised by construction of . P ROOF:We prove that R4 holds by case analysis on the type of liveness conditions. 4.1. C ASE: If belongs to P , then satises all weak fairness conditions of . P ROOF:Suppose belongs to P , but violates the weak fairness con dition of an action . We prove that this leads to contradiction. In order for to , there must exist in , such that W . Since P , the belong to W behavior must satisfy the weak fairness condition of , 4.1.1. C ASE: If

u f u u A u ou 4 $$f u 4 #b u w 3 $$f u 7Vb u w z 4 3 ' n 1 k ' 2 4 k 4 k iA$A u #b u z 4 w 0 R0 1' nUU00 1 k0 d $Rgmg0 G 2R gmgG o36 gV33 iA$A u #b u xx R ' 3 ' 3 k ' 51 1 4 4 k z 4 w 0 ' bVg ' R0 ' 3 0 ' k z 4 w 3 0 k bVg ' RXngG1 0 4 4 k k aVgck 3 igAnfx 3 3 3 4 4 k z 4 w R0 ' mT 0 ' 0 k ' $bv1'k 0 ' k 2Rgm$ 5k 1 n k 3 igAnfx 3 0 Vg 3 n 3 z 4 w P$ ' PRgm$51 0 44 k k $k 3 $$nbx 3 n k $50 ' 2SXm$5k n 1 3 $$nbx 3 3 k 44 3 k z 4 w 3 k 0 $ 4 4 k 3 H i$$nb z 4 w & m 1$P51'k 0 ' RXmR$g515k n k 1 a $H33 i$$nbxx 3 4 m$ 4 3 k z 4 w 3 k 0 $ 4 4 k z 4 m 1gPv1'k 0 ' PRg4 m$g515k & k 1 3 $xx 3 $$nbw 3 V 4 R m$ 3 k 4 $$nbw ` T $ ` P$ ' bRXngGm 0 44 k 3 ` 4 Agf u 4 #b u w u u $$f u 4 7Vb u i$$ 0 ' 20 ' g 4 gg4 A0 ' P0 ' $mXAw 4 w 3 4 w 4 4 w4 0 ' 0 ' Vf u 0 1 &h ' ' 0

prec

prec

sv 1 sv

prec

prec

sv 1 sv

prec

sv 1 prec sv sv sv sv 1 prec sv sv

sv sv

prec

sv

1 sv sv sv 1 sv 2 sv 2

prec

sv 1 1 prec

sv 2

is a transition of

prec

eff

prec , then

prec .

b u

0 ' 4 Agf u 4 #b u w

1 sv

sv

sv

sv 2 sv 2

P ROOF:Because of rules T1-T3 and condition 3, it holds that prec prec . This condition holds for any T4 action as well, since in this case prec prec 1 prec 1 prec Moreover, because of condition 3, the assertion prec is a function of only the part of the state. Since the two sequences and agree on in each state, for all with 0 prec prec Consequently, prec prec 4.1.2. C ASE: If eff , then eff . P ROOF:For the proof we need to consider 4 cases, depending on the rule that was used to generate from . 4.1.2.1. C ASE: If was generated from by using rule T1, then eff implies eff . P ROOF:In this case eff eff by construction. Moreover, since eff is a function of only the part of the behavior, for all 0 it holds 1 eff 1 eff Therefore, eff eff 4.1.2.2. C ASE: If was generated from by using rule T2, then eff implies eff . P ROOF:Assume that accesses variable sv . It holds that eff eff eff We prove that either case implies eff . 5 1. C ASE: eff eff . From rule T2 we know that sv sv 2 eff eff (6) In the states of in which , we have sv sv . Moreover, for each 0, the value sv in state equals the value sv 2 of state . Therefore, for every 0, for any value FS: sv sv 2 Then because of (6) and the fact that eff is a function only of and sv , it holds that 0 : 1 eff 1 eff and because of that eff eff 5 2. C ASE: eff eff . Since eff , there must be actions that simulate the effect of action innitely often. Because of restriction 4a, these actions can only be actions accessing one of the variables in SV . Because there is

$ oq3 z w A oqy3 u 1e3 1g $qy36z w z h k w w $ oqr3 u v3 1$ g5qy3 z w z h k w AA $3 if A7 u $P$# u $ w z Y4 4 Y4 h 1e3 1g $3 if A4 gbA4 $ k w z Y 4 Y BY G 0 &h ' d0 ' 3 bA# u 1&h ' iv3 3 bA4 3 z Y4 3 0 k h z Y ` 9 B Y Y4 P$# u 0 1 ' Y bA4 0 ' B iY 0 nh ' 0 ' 3 h j3 A G0 ' d&h ' 30 A oqy3 z u 1e3 1g $qy3 z w h k w w A woqr3 u z hv6 3 1$ A5q3 z x1he3 1g Aq3 z ($ oq3 z k w k w w 0 nh ' $ oqr3 u w z

g oq3 z w

g oq3 z w

(

A woqr3 u $ oqr3 z z w $ w3 zf A7 u $pP$# u g Y4 4 Y4 aA w3 f mA4 gdbA4 g z Y 4 Y B aY $ oqr3 u w z

x 3 k p1 $5

Since in either case eff holds, the proof is complete. 4.1.2.3. C ASE: If was generated from by using rule T3, then eff implies eff . P ROOF:The proof is based again on two cases. The rst is eff and the second eff , where sv is the variable writ ten by action . We show that in both cases eff . 5 1. C ASE: eff eff . From rule T3 we know that sv sv 2 sv sv 2 eff eff (7) In the states of in which , we have sv sv and sv sv . Moreover, for each 0, the value sv in state equals the value sv 2 of state . Therefore, for every 0, for any value FS: sv sv 2 Then because of (7) and the fact that eff is a function only of and sv , it holds that 0 : 1 eff 1 eff and because of that eff eff 5 2. C ASE: eff eff . Since eff , there must be actions that simulate the effect of action innitely often. Because of restriction 4a, these actions can

$ oq3 z w A oqy3 u 1e3 1g $qy36z w z h k w w $ oqr3 u v3 1$ g5qy3 z w z h k w AA $3 if A7 u $P$# u $ w z Y4 4 Y4 h 1e3 1g $3 if A4 gbA4 $ k w z Y 4 Y BY G 0 &h ' 3 d0 ' 3 bA# u 1&h ' iv3 3 bA4 z Y4 3 0 k h z Y ` B aY Y4 bA# u 0 d ' Y bA4 0 ' B iY Unh ' 0 ' 0 3 0 nh ' 0 ' 3 h 3 $ 0 1 3 &h ' R0 d &h ' ' 0 k ' 30 A oqy3 u 1e3 1g $qy3 z w z h k w w A oqy3 u w z 0 &h ' h 6 3 g $qt3 z k w 1h3 1g $qe3 z k w $ oqr3 u w z g oq3 z w $ oqy3 u w z A oqr3 u av6 3 g $qy3 z w z h k w A 3 if $# u gdbA7 u A w z Y4 4 Y4 $$ r3 Rnh ' 11 ' 1A $3 if $4 $pP$4 A k k0 30 k w z Y 4 Y BY a $ G0 1 1nh ' ' 30 0 &h ' )' p0 1 u 30 3 ' 0 &h ' 0 1 ' a A oqr3 u av6 3 g $qy3 z w z h k w A 3 if A7 u $P$# u $ w z Y4 4 Y4 GA 3 if A7 u $P$# u $ w z Y4 4 Y4 BY a 0 d RXngGy ' 4 4 3 0 1 PRgm$rG ' 44 3 )' 2RgmgGt 0 4 4 3 0&h ' 2RXngGp 4 4 3 A oq3 u w z w gA G y3 1A Aq3 z k k w 0 1 ' `

eff

a nite number of actions, there must exist action , which accesses variable sv , such that, eff eff eff . Then there must exist action in A. With the same reasoning as for case 5 1, we can prove that eff . Suppose eff sv and eff sv are syntactically equivalent logic actions, then sv 2 and eff sv 2 . Therefore, eff eff , which implies that eff 0: 1 eff 1 eff Consequently, if and are syntactically equivalent eff eff What is left is the case in which and are not syntactically equivalent. In this case, because of restriction 4b, in order for eff eff to hold, the value of the variable sv accessed by must be equal to the value of sv , in all pairs of states that satisfy eff eff . Because of that in the corresponding states of , sv 2 sv sv . However, since sv sv 2 eff eff by construction of , 0 : 1 eff sv sv eff 1 eff Consequently, in the case and are not syntactically equivalent eff eff

The two results above complete the proof. 4.1.2.4. C ASE: If was generated from by using rule T4, then eff implies eff . sv P ROOF:Following the same reasoning as above we assume that Since the range of is 1 , which is a nite set for all , we have sv 1 2 : sv In the case of sv 1 , we have that for all 0, and agree on e and sv 1 . Because of that 0 : 1 sv 1 1 sv 1 Therefore, sv 1 sv 1 In case 2 : sv , we can split in two cases, i.e., and , and follow the same reasoning as in step 4.1.2.2 to prove that sv 2 .

$$

only be actions writing on one of the variables in SV . Because there is a nite number of actions, there must exist action , which writes variable sv , such that, eff eff eff . Then there must exist action in A. With the same reasoning as for case 5 1, we can prove that eff . Note that if then there is a contradiction, since we assumed that it cannot be the case that innitely often when eff is satised by . Therefore, . However, that implies that eff sv sv sv sv eff . Otherwise, a change in sv would not satisfy eff . Suppose eff sv sv and eff sv sv are syntactically equiv alent actions, then eff sv 2 sv 2 and eff sv 2 sv 2 . , which implies that Therefore, eff eff 0: 1 eff 1 eff Consequently, if and are syntactically equivalent eff eff What is left is the case in which and are not syntactically equivalent. In this case, because of restriction 4b, in order for eff eff to hold, the value of the variable sv , which is equal to sv , must be equal to the value of sv , which is equal to sv , in all pairs of states that satisfy eff eff . Because of that in the corresponding states of , sv 2 sv sv and sv 2 sv 2 . However, since sv sv 2 sv sv 2 eff eff by construction of , 0 : 1 eff sv sv eff eff 1 eff Consequently, in the case and are not syntactically equivalent eff eff

A 3 if A7 u $P$# u $ w z Y4 4 Y4 GA 3 if A7 u $P$# u $ w z Y4 4 Y4 BY a G 0 ' P0 ' 4 Xm$e( 4 4 3 0 ' 20 ' 4 gm$p 4 4 3 !U)' P)' 4RXm$e( 0 40 4 3 !U&h ' P&h ' RXngG 0 40 4 4 3 0 1 ' A$ wkR&h ' mU&h ' R)' mU)' y3 1A Aq3 z 0 3 0 k0 3 0 k k w h 63 p5 A w h c3 h v3 $ oqr3 u w z w gA G y3 1A Aq3 z k k w 0 1 ' r3 Rnh ' k k0 A i 0 ' 3 &h ' R0 ' 1nh ' 0 k 30 0 ' U0 ' 3 0 nh ' 11 ' 0 ' u 30 3 0 &h ' &h ' 0 01 ' 1 ' 0 A oqr3 u av6 3 g $qy3 z w z h k w A woqr3 z u av6 3 g $qy3 z h k w A 3 if $# u gdbA7 u A w z Y4 4 Y4 k 1A $3 if $4 $pP$4 A w z Y 4 Y c` 30 11 '

0 ' 4 XngGy3 A A7 u g#bA# u Aw 4 z Y4 4Y4 G0 ' 4 g4mgGt3 A A4 $#bA4 Aw z Y 4Y BY a 0 ' Y4 bA7 u bA4 Y Y B 0 ' 2Rgm$q3 z 4 4 0&h ' 4 Xm$qy3 z 4 ` h x 4 ! ei0 ' 4 g m$qy3 z T $ $ oqr3 u w z

0 ' 2Rgm$qr3 i u 4 4 z h 6 3 h e3 nh ' RgmgGq3 z 0 4 4 ! ` h 0 d 4 gm$qy3 u 0 ' 4 gmgGq y3 z ' 4 z 4

BY a

From all the above cases, it was shown that if eff , then eff . Since both cases, i.e., prec and eff , lead to contra satises all weak fairness conditions of diction, we conclude that , when belongs to P . 4.2. C ASE: If belongs to P , then satises all strong fairness conditions of . P ROOF:This case will be proven similarly to step 4.1. More specically, suppose that there exists in P and there exists in S , such that is not satised . We prove that this leads to a contradiction. In order for to belong to by S , there must exist in S , such that . Equivalently, prec eff prec eff For both cases we can prove that prec eff which is a contradiction. 4.2.1. C ASE: If prec , then prec . P ROOF:Because of rules T1-T3, it holds that prec prec . Moreover, because of condition 3, the assertion prec is a function of only the part of the state. Since the two sequences and agree on in each state, for all with 0 prec prec Consequently, prec prec

4.2.2. C ASE: If eff , then eff . P ROOF:This is already proven in step 4.1.2. Therefore, if satises , the sequence satises , which is a contradiction. 4.3. C ASE: If belongs to P , then satises all constant value fairness conditions of . P ROOF:In this case we need to prove that P implies that C : . We prove this by contradiction. Assume that P and there exists C such that . There are two cases; either belongs to W , or belongs to S . 4.3.1. C ASE: W , it must hold that is in P P ROOF:Since . Equivalently, it holds that prec eff We prove that each disjunct implies . 4.3.1.1. C ASE: prec P ROOF:Since prec is only a function of : 0 : prec prec Therefore, prec prec

3 u z

r3 $P$4 u l3 bA4 G w z Y w z Y BY u 3 u iqy3 z z w u 3 u z $ oqr3 z iqy3 z w x w u t 3 z b u u 3 u ` z u 3 u 6z ` b ` u u 3 u z ` A ` u u f u u u u g oqy3 i u w z $ oqy3 z w w z ql3 u w ql3 z

u

g oq3 z w $ oqy3 z w

w z iqr3 u

u

b u u w iq3 z

w iqr3 z

b u

b u

B Y

$ oq w u Y

eff

eff

0:

Consequently,

This completes the proof for W . 4.3.2. C ASE: S is in P , it must hold that P ROOF:Since . Equivalently, it holds that prec eff For the rst case we can follow a similar argument as for W , and for the second the argument is identical to the case W , to prove that . Therefore, we have a contradiction. Since must be either in W or in S , the proof is completed. 4.4. C ASE: If belongs to P , then satises all justice and compassion requirements of . P ROOF: Since for any justice requirement , the assertion p is expressed only on variables in and sv 1 , we have 0 : The same result can be derived for any compassion requirement , since and are assertions expressed on and sv 1 . Therefore, belongs to P , we have that Since and, therefore, satises , which is the conjunction of all justice and compassion requirements of . From Lemmas 2 and 3, Theorem 1 follows.

u y3 u z

~ qq

u

4 z ndA4 Xm$mqr3 4 z ndA4 Xm$mqr3 ndA4 Xm$m3 b $1 4 z Y4 4 z Gm1A4 gm$m3 A A4 Xm$mqr3 z 4 1 ' 4 Xm$mqr3 z 0 4 u 3 z u 3 z

sv 1

$ oqr3 z w u 3 z

it3 z r3 z u iy3 z 0 ' 2V z qy3 u qy3 z ee3 zP$4# u 3 bA4 Y z Y 0 q u A u

x qr3 z w f u u 3 u ` z ` u u n1A4 gm$mqr3 z 4 u $pP$1 u A 4 Y4 Y 4Y $4 g#bA4 A BY G A2RXm$m 4 4 A oqy3 z w u A oqy3 z w u ' f u BY

cBvRvs 2d c2@s

cF

@ hsc

rhR@@ y

hR@@

| ## TW

}

2d

cT

'c

2d

'c@s

v2uc

cwvR@R7 c

@ hsc

cF

sR@@

hR@@

| ## 4 TW

}

c cT

P R fx & x

yc

tc 7ccwvR@R7Gtcy c 'c

uc2@s c

cc2@s

@ hsc

cF

q A 9 V 6 5 E 1 A 9 D V E 9 E E 9 x H D 5 9 U S Q H E I H 1 S x V 9 U S D H Q E S I 9 3 9 D 1 9 D E E 9 I D 1 V Q 9 U S A I V BBW7F47GRBGFBB2G77GR#74GRsFGw(BG472BGFB7F4R7Gd7R E I H 1 1 A I H x 6 V 1 1 I 1 9 U S Q H S D V 5 V D 9 C H 9 D H $ q I H U E E 1 E 9 S x 9 9 E E 9 x H D 5 U x V 9 S V U S 74GS 77BRWGS 74'7GTRcR@7BBFr#sF4BGsBw2GBwFsryRwv7Fu tsFS G4R'7r7FS G4RE @7f7RdcGYR#RWFR7GTRP4GFB(B@8 47(420 3 U 1 D H p 6 V 9 U q 3 U 1 D H p 6 V i b h g a e A I V b ` a ` X Q H S I V 1 D V C 9 U S Q H I H 1 E D 9 C A 9 1 6 5 3 1 ) % ('&#! $ "

Y cG

ywv ywv

T cBvRR7 T cBvRR7 cF cF

W cG

FwT yw'T R !@

cF cF

cBvRR7 cBvRR7 cF cF

vv cF

sR7

hR@@

| ##

} P

Y Y

w@s

cBR@R7 @ hsc

sR@@

hR@@

| ## 4 TW

}

c cT ct

P R

@s

cBvRR7 2d c2@s

v2

nr 0y

! { h z Rfe g fe

m 2nrfgb nt m f#4b~hnDDi l u l l t l !{

l } DhHs 2 k l

l q l p qDhDH`~qsR!ifn DhH} t k l

h | y { z y R2#f#dx

l k k w m u t m l s p k q m l p o m l k i h g e 6ff!F!02v(ns@hd6hrsD2FDnsDddRj#fd D !FRbFh#yw x

h h y # g #ne 2r 2r !{

m fis'Y(trhnRDD#u l p s o k

m f#4 bF(hnDDi s p o l l t l

m f#4b~R8hF(b~iDi l u s p o k q l

h y # h z Rfe g fe

RrFH0 m

q q k q ssqribDFq`r!b~H w 0y 0y nr

bqBT k hr k w l u k FbFb8

l qDbb}

m l nsDbb}

g y ##f

g w

d n0y m

dF e

dl } } l 0y } l

d nnt m

dF e

dl } 0y

2rFbP m w

l p bhsR!bDH`rH8' t q w nt 0y 0y nr

bqB k

bqB k

5 A 9 7 E e H@64

Xf##x e g y e h g l l DD'#rw x

l p sF!bDH`~q t 0y

bqB k

q w k ~n'bb6D0

E 3 1 p 9 3 5 5 1 A E e 1 3 3 !4s6284H644689

bDbbDFq`rq t

h

s p w s p Ri k b8

k hr d bqB6jbnDD s m k l l t l i

w m l gnsDbb} dH fhr s s m k

m l 2Dbb}

g y ##f

g

d e

dl D } } l s

42rFhr s m k d e

dl D } } l

2rFH m s P s

2r s

0 P

k bqB 8 hr6Fb~R8bF(b~4 s m k l u s p o k q l i 0

w m l g2sDbb} 8H fbqB s s m k

m l nsDbb}

g y ##f } l s } l

g

e

l }

f2rFbqB s m k e

l }

2rFH m s s

2v Rr

s s

2r

0y 0y

k bqB s w s k b8

bqB' k 0 w

l qDbb}

m l 2Dbb}

g y ##f

g w y

d f0y m

d e

dl } } l 0y

8 fnt m

d e

dl } } l 0y

p Ri

k b8

l u k FbFb8 k b8

l qDhH}

k l m l fsDbb}

g y ##f

g yw s s

h f2Dh } l } l h l } h l }

bqB k s ` b8 k

l qDbb}

m l 2sDbb}

g y ##f ws

g w

dH fbqB s s m k

e

l } } l s

d2rFbqB s m k e

l } } l

2rFH m s y s s T

2r

s T

k hr #d bqB8h~F8hFi s m k l u s p o l i s p

k bqB 8 hr6Fb~hnYi s m k l u l l t l i

w s p l 24Fbu k b8

l qDhH}

m l n#sDhH}

g y ## ws

g w

fq hr s s m k

d e

dDl } } l s

dRrRhr s m k d e

dDl } } l

2vFb m s s s

2r k bqB s

bqB k

dHRrH

vn0y2nnh m t q

bD''DDq t l l

g y e h g ##!{

hD( t

fjDD' e { l l

g y e h g ##!{

f4j

k h6

q q

k Yrq

k h6

m l 2#sDbb} h d e

g y ##f

g

dDl l } } g !{

z e 2fsH2rH

# h x x

p s FhH}

2d e

l q l p DbDH`rqF!ifYf2 t k ` k b8

m l 2#sDbb} h d e

g y ##f

g

dDl l } } g !{

z e #RfsPHRrHi# s h x x

p s FhH}

2d e

l q l p DbDH`rqF!ifYf2 t k k `b8

5 A 9 7 E e H@64

bD''DDq#yw t l l x

p l Rihu k b8

k h6

t q m l p t q p ~shDbbDH`~RsF!hYFq`rby

q w k sqrY2'bh#8FYY0r2

l l k Dn6Dbu

l l w Y2!h#

k i fYrq

k 1!Fi

DFh

HbDbbDFq`rq t w i(iHhDbbDH`~q s t p l iRihu k b8 k h6 q q4jdHiY l qFbu k b8 w 8 P

qns

s}

Tg0y 0y

h} hr6F k q

y }

H2rbRi0s} s

h} hr6Fy~ k q }

m t n0y2nnhs} bqB~ k q }

qRs

s}

T0y

h} bqB8F k q Hns h}

l q l p DhDH`~qsR!ifn t k s} hr6F k q y }

gg

m t 20ynnnbybqB k s

{ C yx B s W rs $S FE B DiQk@vGX'(5 4 d k#A} 4 G# e 921 3 21 DQ f $ a f !}G# y f 4 e 921 3 21 ID$QC2v m D$V f !}f y df { C yx B s W r $ BB& VB 2xzvqDi(7'(5 4 d G#A} 4 k e ID1 3D1DQ f !}k $ f 4 e I21 32IaV f ~!}f 1 $ y df { C y x r $ B B & V B |2xz6Di(7'(5 wvvr l R l (uYiGqon l d f v v p B st r p p m wvG l R l (uYiGqon l d f v v p B st r p p m 8ss vutr i S C8ss w Ak Sr g d f 7TBS p iu(%p DC(p (B hd f (" B B% 8 g B%p i` 2Cxw S2CAvut Sr hj(vvp I S 8 s s g df B % i ` C p g df B % 8 99(B he(vvp 7B S B C#F9!'v(u"G&Qi'v('u"GQP V%s P C &%s %s V%s & Ci&usQ%("A&qgPsQ929C9CIQDDDQDDV P s 8 PC $ wC$ C$ ` 2xw 2Avutr qI7B S C S C8ss S C ` C p 1 3 d14 3 2A y 4h f e d 9iIgd20c w

B8 & & ` C W V $ C S % F8 P C B &H & F E& C B% & "&8 5 4 3 1 ) RA27b!8!aIYXDUTB'0RQA(IGA(D(A@@97620 ('$ #! &&% "

r df & s P& % s ` 8% & s% ikq'DvvkR7G('Ua !z7RIzRzzR7D &%s %s V%s & 'v(v'v(u"GQP 4 k #9!'v(u"GQP D1 B F V%s & 3 iDC2 f vvp ('v!}f d f S g % &% B { % &% Bx pB vp (''bI(" 6 f y 4 k 4 d G#A} 3 D1 $ IQw f $ IQw f !}f d f y { C yx B S wE 8 $ H& 2xi#F'XwQgwD9((W 4 d G#A} 4 k e ID1 3219$Qw f ~!}k f 4 y 3 D1 IQw $ f $ f y IQw !}f d f { C yx S FE $ BB& VB 2xzw vGX#Di(7'(5 y d f f { C yx B s W r s $S F E 8 s PB 2xzvqG9AXvq(5 4 d k#A} 4 G# e 921 3 21 a f a f !}G# y f 4 4 d k#A} 3 21 IDQ2Iav $ C $ V m $ C $ V m y IDQ2Iav !}f df

iB% 3 d 3 u(vvp I g 2 y ` f u v C g v 1 ) p l pB @i 2a f l 0 y 07B f i7 a f vi 2D$V gf l 0 y 07B f i7 C v 1 ) p l pB f a $ wC m v w 9Qa l x &usQv(u"GQ!Pvq P%s & 8s P m ` f v w l x f a a f l vut v 8ss r $ DQ f # l kx v 8ss r f ` df Bs W s 8 vvAH iB% 3 d 3 u(p D g 2 y u ` f v g v 1 ) p l pB @i CDa f l 0 y 07B f 7 a f v@i DD$V f l 0 y 07B f 7 C g v 1 ) p l pB f a $ wC m v w IQv l f ` {vB#F9!xV'v("GQx % s & P m `x f v w l x $ DV f l vutx v 8ss r a f a f v l k 8ss r D$Q f l vutx v 8ss r f ` $ DV f l vutx v 8ss r df

vAH s 8 7TRz

v @i9$Qw9A8ks Sr f l 0 y 0(B f i7 C s g v 1 ) p l pB $ wC m S IYvw v w S # l qw oiGp w p m S ikp l p m v w I$Qw f v l u w 8s vust Sr f v l 8vutu ss r p ikp mw S {'ksr SC@ l vsutR6#vDiB(7V'(5u 8s v 8 s rx r $ B& B F f ` S df { F s 8 9x vAH i ` CB% 3 d 3 D(vvp I g 2 y v @iw 2CAk Sr f # l 0 y 07B f ( S 8ss g v 1 ) p l pB p m S oGp w vzIQCAks Sr gf # l 0 y 07B f ( i $ w 8s v 1 ) p l pB $ wC m S IQ~w p m v w Gp l $ IQw f w S Sw a l f v w p m v w Gp l p m S iGp w {'vustr C# l skRxivsqrG9vFGXvqz7 8 s S v 8 s r B W s $S E 8 s PB 5 oipGp a l m v w { s %s & 8s &uQP("AqPgQPm` z Sx ` f ` S df i ` CB% 3 d 3 I(p D g 2 y u v iw S2Avsut Sr f l y 7B f 7 C8 s g v 1 ) p l pB p m S oiGp w vbIQA8vut Sr gf v l y 7B f i7 i $ wC ss 1 ) p l pB IQw $ wC m S Sw # l x f v w $ f S IYw w 9Qw # l x $ f v w $ IQw f w S { a f vsutr S 8 s a f l vustrxx v 8s x p m w ikp av# l u ` f ` S df

Bs W r s 8 v22vAH

r s 8 2vAH

s 8 vGH {9FiW vAH q'%(%v'%v("A&q9CiB#!'%u"GQvox xBs s 8 & s s V s P F V s & P m F {9x s 8 & % % V % s & C B F V s & P m F vAH q's(vs'v("AqP9i#F!'%u"GQvox Bvs22vGH W r s 8 r s 8 2vGH B vsWvGH s 8 s 8 vGH iu(%p 87B g 3d2 y u B 3 { pBx B vr l 7bIp(" f ` S v v p vr l r l 7B f w S v G l vr l p7B f 8vsustr S df

df

8& iQP

s 8 vAH

iB% 3 d 3 u(p D g 2 y u S` f ` vi S C8 s s g v 1 ) p l pB @w 2Gvut Sr f l y x7B f 7 p m S oiGp w v @iI$QGvut Sr f l y x7B f 7 w C8ss g v 1 ) p l pB $ wC m S IQw v w S l w p m S ikp w p m v w iGp a l p m S ikp w $ IQw f l v w {8 s Cv 8 s s rx B W r s $ F B5 'skr S@ l vutisqkSAEn7 p oiGp mw S {8 s Cv s rx B s W r $ B & B 'vsutr S# l 8ksRivqDiBAV75 F f ` S df { Fx B s s 8 IzivW vAH iB% 3 d 3 (vvp I g y S` f u ` vi S C8 ss g v 1 ) p l pB buw Ak Sr f l 0 y 0(B f i7 p m S ikp w

C B F V%s & P C &%s %s V%s & P C & s P%s & 8s P m ` #9!'v(u"GQi'v('u"GQDiuQv(u"GQ!Pvq 7G7TzR(zT(7u(7An T( TTTzT7z#(GT { $ w pp Sx m S IQvGDow a f vutr 8ss S $ w p m S IQvjikp w C$ V m 8ss S IaDDDvvutr B F V%s & P C &%s %s V%s & P m S i#!'u"GQ2i'v('u"GQv` { $ w pp Sx m v w { IQvGqo9oap l a f p l kR6ikxq v 8 s s rx r p p m p v{ $ w p x C $ V t r pp m pB bIQjiGp YDIDDqiGq l 7

df

!8975

&%s % VBB&Hs% 3 d 14 'v('(7(u'U y A!3f d f &%s % V '(UX u2g16(A(k' y G!3f d f bz6 f BB&Hs% 3 d 14 { x i ` CB% 3 d 3 I(vvp I g 2 y x v v 1 ) p l pB p f r l 0 y 07B f i7 d f { px s 8H & RG (i $ { $ w pp Sx m i C qvIYjikoG2a g { $ w p x m iC $ i S C (vIQvjikp A#DDV g (uoIDa g rs 8 DRGH s 8 RGH i ` CB% 3 d 3 D(p D g 2 y u vi& S & C $ g v 1 ) p l p zFvvp GI2DV f r l 0 y 0(B f i7B !3f e 1 { $ w p x m 4 I2UIQiGp oxG y jFp GI0iu df & S & 1 i ` CB% 3 d 3 D(p D g 2 y u vi& S & C g v 1 ) p l p zFvvp GI2a f r l 0 y 0(B f i7B !3f e 1 { $ w pp Sx m 4 929QjiGoxG y jFp GI0iu df & S & 1 df df `

8& iQP

df r s 8 2vAH

df vAH s 8 7TRz

& s P& % s ` 8%& s% uQIvk7AUaQ BB& ` v8 & AI7!%x @7' biQP l !875

{ &% %s V s & '{'vs(v'%v(u"GQP f ` XzX'(v'v("AqP f z Sx x {{&% s %s V%s & `x x GT(7z9bR2TTu { i C xp {'uo9SDa g 97B" f ` ao9S f w Y f vutr S S 8ss Sx { vGH 7z6x @7' 0x s 8 { x { F s {9xiBW { x x % s V s P C B F V% s & P m F vs8AH Au6@70i6&vs(%v'%v("G&Q9i#!'("Aqq {uv22vGH 7z6@7'0x B s W r s 8 { x x { B s W s 8 { x x uvvGH 7z6@7'0x 8& &%s % V iQTPv( 8 & {x QTP7z6 { p Sx m v w { vI$QwvjikpqIzap l a f p l vut6ikoxq v 8 s s rx r p p m p #9!'v(u"GQ2i'v(v'v(u"GQv` B F V%s & P C &%s %s V%s & P m S #9!x'v("G&QCi'%v(v'v(u"GQDikqv("GQ!PvQv C BF V%s P & s %s V%s & P C & s P%s & 8s P m ` $ w p m S IYjikp w C $ V m 8ss S IaI2Dvkr {9$Qikp op l i6ikoxq w p x m v w rpp m p C $ V m v 8ss r rpp m p D9DDvap l kiqiGqoxq

df

- T22 CPS Macros Overview[1]Uploaded byAndy Chong
- Tech Report NWU-EECS-06-10: Time-sharing Parallel Applications With Performance Isolation and ControlUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-06-18Uploaded byeecs.northwestern.edu
- NWU-EECS-06-01Uploaded byeecs.northwestern.edu
- NWU-EECS-06-08Uploaded byeecs.northwestern.edu
- NWU-EECS-06-16Uploaded byeecs.northwestern.edu
- NWU-EECS-06-03Uploaded byeecs.northwestern.edu
- NWU-EECS-06-11Uploaded byeecs.northwestern.edu
- NWU-EECS-06-17Uploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-06-09: Lucid Dreaming: Reliable Analog Event Detection for Energy-Constrained ApplicationsUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-06-15: On the Use of Parallel Connections in Web BrowsersUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-06-07: Putting the User in Direct Control of CPU SchedulingUploaded byeecs.northwestern.edu
- NWU-EECS-06-06: Hardness of Approximation and Greedy Algorithms for the Adaptation Problem in Virtual EnvironmentsUploaded byeecs.northwestern.edu
- LSMW HandbookUploaded bykowan7
- thesis lintao zhangUploaded byneohckim
- [Wiberg]_Schaum's_State_Space_Linear.pdfUploaded byAdib Hashemi
- Creating Lift Versus Building the Base- Current Trends in Marketing DynamicsUploaded byValerie Chong Kar Yan
- Abstraction, Encapsulation, And Information HidingUploaded bycarlosalva24
- Week 3 Concurrent Programming Abstraction.pptUploaded byElaine LaLa
- McsUploaded bynetcity143
- Event Management System Vb Net ReportUploaded bySikkandhar Jabbar
- 14-GRASP-1Uploaded bypitchrks19841
- HW13A_solUploaded byHilmi Nur Ardian
- Lec 8Uploaded byKaran Chawla
- Core Java InterviewUploaded byJai Shankar Roy
- 395 ICS MATLABUploaded byRishi Mukherjee
- MCS a.pdfUploaded byBADRI VENKATESH
- VKFUploaded bynav_nag9596
- fluid tank.pdfUploaded byMunther Mohd
- cnotes4Uploaded byASADDirvi

- Tech Report NWU-EECS-11-07: VNET/P: Bridging the Cloud and High Performance Computing Through Fast Overlay NetworkingUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-12-01: OSA: An Optical Switching Architecture for Data Center Networks with Unprecedented FlexibilityUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-11-10: An Introduction to the Palacios Virtual Machine Monitor -- Version 1.3Uploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-11-09: Acoustic Sensing of Location and User Presence on Mobile Computers, by Stephen P. TarziaUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-10-11: PAD: Power-Aware Directory Placement in Distributed CachesUploaded byeecs.northwestern.edu
- Tech Report 9-1990-5 Parallel Structure Recognition with Uncertainty: Coupled Segmentation and MatchingUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-03-27: Towards Virtual Networks for Virtual Machine Grid ComputingUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-03-16: Tsunami: A Wavelet Toolkit for Distributed SystemsUploaded byeecs.northwestern.edu
- NWU-CS-05-07Uploaded byeecs.northwestern.edu
- Tech Report NWU-CS-05-03: Modeling Vehicular Traffic and Mobility for Vehicular Wireless NetworksUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-09-09: Using Analogy to Overcome Brittleness in AI SystemsUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-09-03: What’s Wrong with Network Positioning and Where Do We Go From Here?Uploaded byeecs.northwestern.edu
- NWU-CS-05-13Uploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-07-09: A Dynamic-Programming Algorithm for Reducing the Energy Consumption of Pipelined System-Level Streaming ApplicationsUploaded byeecs.northwestern.edu
- NWU-CS-03-19Uploaded byeecs.northwestern.edu
- Tech Report NWU-CS-01-06: Windows performance modeling and data reduction using WatchTower and ArgusUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-99-01: Using Stochastic Intervals to Predict Application Behavior on Contended ResourcesUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-09-22: Pitfalls for Testbed Evaluations of internet SystemsUploaded byeecs.northwestern.edu
- Tech Report 16 - August 1991 (Institute for Learning Sciences): Where's the AI?Uploaded byeecs.northwestern.edu
- NWU-EECS-09-16: Where the Sidewalk Ends -- Extending the Internet AS Graph Using Traceroutes From P2P UsersUploaded byeecs.northwestern.edu
- nwu-cs-02-11Uploaded byeecs.northwestern.edu
- Tech Report NWU-CS-99-02: A Practical Methodology for Defining Histograms for Predictions and SchedulingUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-09-14: Palacios and Kitten: High Performance Operating Systems For Scalable Virtualized and Native SupercomputingUploaded byeecs.northwestern.edu
- Tech Report NWU-EECS-07-11:Back of the Envelope Reasoning for Robust Quantitative Problem SolvingUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-05-10: Hierarchical Parallel Markov Models for Interactive Social AgentsUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-05-08: A System for Indexing and Archiving RSS FeedsUploaded byeecs.northwestern.edu
- Tech Report NWU-CS-05-06: VSched: Mixing Batch And Interactive Virtual Machines Using Periodic Real-time SchedulingUploaded byeecs.northwestern.edu
- NWU-CS-05-09Uploaded byeecs.northwestern.edu
- NWU-CS-05-12Uploaded byeecs.northwestern.edu
- Tech Report NWU-CS-99-03: Stochastic SchedulingUploaded byeecs.northwestern.edu

- 01 Historia de La Filosofia Moderna TomoII W Windelband.pdf.PdfCompressor 2044246Uploaded byLucky Olivet
- Custom Authentication and AuthoUploaded byMarcelo Souza
- Tb 89 MahajanUploaded byedededson
- DBMSUploaded byanon_287796990
- Uni of Melb - K.nogeste - Project Integration ManagementUploaded byRaj Presentationist
- Modeling Regulators as Autotransformers.pdfUploaded byLucas Godoi
- Novalogic MIG29Fulcrum UserManual 1ed80Uploaded bySlobodan Cekic
- Cellular and WirelessII [Compatibility Mode]Uploaded byAr อ๋า Anuchit
- Epm InstallUploaded byMushtaq Ahmed
- TMS34020Uploaded byzoki
- Chap 002Uploaded byYudhi Kurniawan
- Serial Communication ProtocolsUploaded byVissu Sweet
- Ppt Power Factor for ConfernceUploaded bykavin22
- SAP Product Costing Interview QuestionsUploaded bySuneetha Mathukumalli
- Construction of Syntax TreesUploaded bymangalasery
- The Economics of the Cloud MicrosoftUploaded byViorel Horlescu
- Georgia Petridou SHMUploaded byGeorgia Petridou
- doc14Uploaded byCristna Ullfig
- Om Shutter Report PagesUploaded byPratik Modak
- Autocad Design Suite 2013 System Requirements EnUploaded byBruce Parker
- Thermostat for Room HeaterUploaded bySigid Ariewibowo
- G120_EntrenamientoUploaded byRicky Mclaughlin
- System Management Mode Rootkits by Shawn Embleton and Sherri SparksUploaded bystimoceiver
- UsersMan CableIQUploaded bygodomirlex
- Bingo TutorialUploaded byMarie Gabay Damocles
- script 1 bitslerUploaded byMastersBestHackers
- DVB-T2Uploaded byReza Mosallanezhad
- Pruning of Blind Decoding Results for Long Term EvolutionUploaded byInternational Journal for Scientific Research and Development - IJSRD
- 1- Semiconductors and DiodesUploaded bySethiSheikh
- 10.1.1.17.3977Uploaded byNikolay Karelin