
1 CS5219

NATIONAL UNIVERSITY OF SINGAPORE

CS5219 – AUTOMATED SOFTWARE VALIDATION

Semester 2, 2016/2017

Time Allowed: 2 Hours

INSTRUCTIONS TO STUDENTS

1. This assessment paper contains THREE (3) questions in multiple parts and comprises TEN (10) pages.

2. Answer ALL questions in the space provided in this booklet.


3. Read through each question carefully and answer it EXACTLY and COMPLETELY as specified. Think through your answers carefully before writing them on the exam paper. Show ALL of your work, since partial credit cannot be awarded if it is unclear how you arrived at an answer.

4. This assessment counts 50% toward your final module mark.


5. This is an OPEN BOOK assessment, and it requires INDIVIDUAL effort.
6. Please write your Student Number below.

STUDENT NUMBER:

This portion is reserved for the examiner’s use only



Question Marks Remark

Question 1 17

Question 2 16

Question 3 17

Total 50

Question 1. LTL Model Checking [17 marks]

Consider the following Kripke structure M , which is a simplified model of how a “bill” (a proposal for a
new law) becomes a law in the USA.

a. Consider the LTL property φ1 = F(Signed ∨ Vetoed). Apply the automata-based LTL model checking algorithm to verify φ1 for M. Explain your work. Be sure to indicate whether the formula is satisfied or violated and how you determined this. If violated, then be sure to present a counterexample trace produced by the algorithm. [7 marks]
Answer: To verify M against φ1 , we first need to construct a Büchi automaton to represent ¬φ1 =
¬F(Signed ∨ Vetoed) ≡ G ¬(Signed ∨ Vetoed) ≡ G(¬Signed ∧ ¬Vetoed). The following automaton
A¬φ1 recognizes ¬φ1 :

[Question 1a continued]
We then need to construct the synchronous product of A¬φ1 with M :

This product automaton is able to produce a run with an infinite number of visits to some accepting state. Therefore, M violates φ1, with counterexample s0 s2^ω.
1 mark for negating φ1 , 1 mark for a correct Büchi automaton, 3 marks for a correct synchronous
product, 1 mark for the correct verification result, 1 mark for explaining the result correctly.

[Question 1 continued]
b. Consider the LTL property φ2 = (¬Signed U President). Apply the automata-based LTL model
checking algorithm to verify φ2 for M . Explain your work. Be sure to indicate whether the formula is
satisfied or violated and how you determined this. If violated, then be sure to present a counterexample
trace produced by the algorithm. [10 marks]

Answer: To verify M against φ2 , we first need to construct a Büchi automaton to represent ¬φ2 =
¬(¬Signed U President) ≡ ((¬Signed ∧ ¬President) U (Signed ∧ ¬President)) ∨ G(¬Signed ∧
¬President). The following automaton A¬φ2 recognizes ¬φ2 :


[Question 1b continued]
We then need to construct the synchronous product of A¬φ2 with M :

This product automaton is able to produce a run with an infinite number of visits to some accepting state. Therefore, M violates φ2, with counterexample s0 s2^ω.
1 mark for negating φ2 , 2 marks for a correct Büchi automaton, 5 marks for a correct synchronous
product, 1 mark for the correct verification result, 1 mark for a suitable counterexample derived from
the synchronous product.
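The product construction and accepting-cycle search used in Questions 1a and 1b, as an added Python example that is not part of the exam paper: M_EXAMPLE is a constructed Kripke structure (not the paper's M), the Büchi automaton is the one-state automaton for ¬φ1 = G(¬Signed ∧ ¬Vetoed), and a nested depth-first search over the synchronous product returns a counterexample lasso when one exists.

```python
# Added example (not from the paper): automata-based LTL model checking of
# φ1 = F(Signed ∨ Vetoed) on M_EXAMPLE, a constructed Kripke structure that only
# stands in for the paper's model M (its states, successors and labels are assumed).
M_EXAMPLE = {  # state -> (successor states, atomic propositions true in the state)
    "s0": ({"s1"}, {"House"}),
    "s1": ({"s0", "s2"}, {"Senate"}),
    "s2": ({"s3", "s4"}, {"President"}),
    "s3": ({"s3"}, {"Signed"}),
    "s4": ({"s4"}, {"Vetoed"}),
}
# Büchi automaton for ¬φ1 = G(¬Signed ∧ ¬Vetoed): a single accepting state q0
# that loops on every state label containing neither Signed nor Vetoed.
def delta_not_phi1(q, labels):
    return {"q0"} if q == "q0" and not (labels & {"Signed", "Vetoed"}) else set()
A_NOT_PHI1 = ("q0", delta_not_phi1, {"q0"})  # (initial state, transitions, accepting set)

def find_accepting_run(M, s_init, buchi):
    """Nested DFS over the synchronous product M x A: returns a counterexample lasso
    (prefix, cycle) of M-states, or None when no accepting run exists (M satisfies φ)."""
    q_init, delta, accepting = buchi
    # product edge (s, q) -> (t, r) iff s -> t in M and r in delta(q, L(t))
    succ = lambda s, q: [(t, r) for t in sorted(M[s][0]) for r in sorted(delta(q, M[t][1]))]
    visited, flagged = set(), set()
    def inner(path, target):  # second DFS: find a cycle back to the accepting state
        for nxt in succ(*path[-1]):
            if nxt == target:
                return path + [nxt]
            if nxt not in flagged:
                flagged.add(nxt)
                cyc = inner(path + [nxt], target)
                if cyc: return cyc
        return None

    def outer(path):  # first DFS; accepting states are examined in post-order
        for nxt in succ(*path[-1]):
            if nxt not in visited:
                visited.add(nxt)
                res = outer(path + [nxt])
                if res: return res
        if path[-1][1] in accepting:
            cyc = inner([path[-1]], path[-1])
            if cyc:
                return [s for s, _ in path[:-1]], [s for s, _ in cyc[:-1]]
        return None

    for start in ((s_init, q) for q in sorted(delta(q_init, M[s_init][1]))):
        visited.add(start)
        res = outer([start])
        if res: return res
    return None
```

On M_EXAMPLE the search reports the lasso s0 (s1 s0)^ω, a run that never reaches Signed or Vetoed; removing the s1 → s0 edge makes the property hold and the search returns None.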


Question 2. CTL Model Checking [16 marks]

a. Consider the Kripke structure M of Question 1 and the CTL property φ3 = AG(Senate ⇒ (AX President)).
Apply the labeling algorithm for CTL model checking to verify φ3 for M . Explain your work. Be sure
to indicate whether the formula is satisfied or violated and how you determined this. [7 marks]

Answer: To verify M against φ3, we first need to write φ3 in normal form: φ3 = AG(Senate ⇒ (AX President)) ≡ ¬E(true U ¬(¬Senate ∨ (AX President))) ≡ ¬E(true U (Senate ∧ ¬(AX President))) ≡ ¬E(true U (Senate ∧ EX ¬President)).
We then construct the parse tree of the normal form of φ3 and label each node with the set of states satisfying the subformula represented by the node:

The initial state does label the root of the parse tree. Therefore, M satisfies φ3 .
2 marks for correctly reducing φ3 to normal form, 1 mark for a correct decomposition of the normal
form into a parse tree, 2 marks for the correct state labeling, 1 mark for the correct verification result,
and 1 mark for the correct explanation of the result.

[Question 2 continued]
b. Consider the Kripke structure M of Question 1 and the CTL property φ4 = AF EF(Approved ∧
(AX Signed)). Apply the labeling algorithm for CTL model checking to verify φ4 for M . Explain your
work. Be sure to indicate whether the formula is satisfied or violated and how you determined this.
[9 marks]

Answer: To verify M against φ4 , we first need to write φ4 in normal form: φ4 = AF EF(Approved ∧
(AX Signed)) ≡ ¬EG ¬EF(Approved ∧ (AX Signed)) ≡ ¬EG ¬E(true U (Approved ∧ (AX Signed))) ≡
¬EG ¬E(true U (Approved ∧ (¬EX ¬Signed))).
We then construct the parse tree of the normal form of φ4 and label each node with the set of states satisfying the subformula represented by the node:

The initial state does not label the root of the parse tree. Therefore, M violates φ4 .
3 marks for correctly reducing φ4 to normal form, 1 mark for a correct decomposition of the normal form into a parse tree, 3 marks for the correct state labeling, 1 mark for the correct verification result, and 1 mark for the correct explanation of the result.
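The labeling algorithm applied in Questions 2a and 2b, as an added Python example that is not from the exam paper: it labels states bottom-up for the normal-form operators ¬, ∧, EX, E(· U ·) and EG on M_EXAMPLE, a constructed Kripke structure that stands in for (and is not) the paper's model M, and evaluates the normal forms of φ3 and φ4 derived above.

```python
# Added example (not from the paper): CTL labeling over the normal-form operators
# used above (¬, ∧, EX, EU, EG) on M_EXAMPLE, a constructed Kripke structure that
# only stands in for the paper's model M (assumed states, successors and labels).
M_EXAMPLE = {  # state -> (successor states, atomic propositions true in the state)
    "s0": ({"s1"}, {"House"}),
    "s1": ({"s2"}, {"Senate"}),
    "s2": ({"s3", "s4"}, {"President", "Approved"}),
    "s3": ({"s3"}, {"Signed"}),
    "s4": ({"s0"}, {"Vetoed"}),
}

def sat(M, f):
    """States of M satisfying f, a tuple: ('true',), ('ap', p), ('not', g),
    ('and', g, h), ('EX', g), ('EU', g, h) or ('EG', g)."""
    S = set(M)
    pre = lambda T: {s for s in S if M[s][0] & T}  # states with a successor in T
    op = f[0]
    if op == "true":
        return S
    if op == "ap":
        return {s for s in S if f[1] in M[s][1]}
    if op == "not":
        return S - sat(M, f[1])
    if op == "and":
        return sat(M, f[1]) & sat(M, f[2])
    if op == "EX":
        return pre(sat(M, f[1]))
    if op == "EU":  # least fixpoint: T = sat(h) ∪ (sat(g) ∩ pre(T))
        g, T = sat(M, f[1]), sat(M, f[2])
        while (new := T | (g & pre(T))) != T:
            T = new
        return T
    if op == "EG":  # greatest fixpoint: T = sat(g) ∩ pre(T)
        T = sat(M, f[1])
        while (new := T & pre(T)) != T:
            T = new
        return T
    raise ValueError(f"unknown operator {op}")

def phi3(p="Senate", q="President"):
    """AG(p => AX q) in normal form, as derived in Question 2a: ¬E(true U (p ∧ EX ¬q))."""
    return ("not", ("EU", ("true",), ("and", ("ap", p), ("EX", ("not", ("ap", q))))))

def phi4(p="Approved", q="Signed"):
    """AF EF(p ∧ AX q) in normal form, as in Question 2b: ¬EG ¬E(true U (p ∧ ¬EX ¬q))."""
    inner = ("and", ("ap", p), ("not", ("EX", ("not", ("ap", q)))))
    return ("not", ("EG", ("not", ("EU", ("true",), inner))))
def holds(M, init, f):  # M satisfies f iff the initial state labels the root
    return init in sat(M, f)
```

On M_EXAMPLE, φ3 holds from s0 (the only Senate state leads only to a President state) and φ4 is violated (no Approved state has Signed in all successors), so the labeling of the root decides each case exactly as in the answers above.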



Question 3. Probabilistic Model Checking [17 marks]

Consider the DTMC model below, which is a model of Herman’s self-stabilization protocol for three
nodes. The protocol involves token passing in a counterclockwise direction around a ring connecting the
nodes. In a state labeled Stable, exactly one process has a token, and in such states the label Token_i indicates that node i has the token. NOTE: Although no initial states are explicitly indicated in the model (in order to make the diagram more readable), you should assume that every state can be an initial state, with probability 1/8 of choosing a particular state as the initial state. In other words, the initial state distribution is sinit = {1/8, 1/8, 1/8, 1/8, 1/8, 1/8, 1/8, 1/8} for {s0, s1, s2, s3, s4, s5, s6, s7}.


a. Given the above DTMC, specify a PCTL property requiring that the probability of reaching a stable
state is virtually guaranteed to occur. [2 marks]
Answer: “Virtually guaranteed to occur” is another way of saying “eventually, with virtual certainty”,
so a property such as P≥1 [F Stable] would suffice.
1 mark for correct syntax, and 1 mark for correct use of atomic propositions.

[Question 3 continued]
b. Is this an aperiodic DTMC? Is it reducible or irreducible? Justify your answers. [4 marks]
Answer: The DTMC is aperiodic because all its states are aperiodic, since for each state, returns
to the state occur in various numbers of steps whose greatest common divisor is 1. The DTMC is
reducible because a proper subset of its states forms a BSCC.

1 mark for a correct answer to each question, and 1 mark for a correct explanation in each case.
c. Identify the BSCCs of this DTMC, if any. [2 marks]
Answer: The DTMC contains one BSCC, {s1 , s2 , s3 , s4 , s5 , s6 }.

1 mark for recognizing that the “Stable” states together constitute one BSCC, 1 mark for not including
other states in the BSCCs. Their answer for this question should be consistent with their answer for
Question 3b. If they answer Question 3b incorrectly but have a consistent answer for this question,
then they will lose just 1 mark for this question.
d. Given your answers for Questions 3b and 3c, is the property of Question 3a satisfied or violated?
Justify your answer. [2 marks]
Answer: It is a fundamental property of finite DTMCs that with probability 1, some BSCC will be
reached and all its states visited infinitely often. In this DTMC, the (one) BSCC corresponds exactly
to the states labeled “Stable”, and so with probability 1, the model will eventually reach a Stable state.
1 mark for applying the correct general property of DTMCs, and 1 mark for relating it correctly to this
DTMC.

[Question 3 continued]
e. What is the probability that the protocol is not in a stable state within two steps through the model?
Justify your answer. [4 marks]
Answer: This requires computing the transient state distribution for two steps. Since states s0 and s7 are the only non-stable states, the model would have to initiate in one of those two states, and thus the computation of the transient state distribution can be confined to those two states. With probability 1/4, the model initiates in one of those two states; with probability 1/4 the model will remain in one of those two states after one step; and with probability 1/4 the model will remain in one of those two states after a second step. Thus, the probability being sought is (1/4) ∗ (1/4) ∗ (1/4), or 1/64. Some students may work this out by calculating the full transient state distribution for two steps, but if they reason straightforwardly as above, they would still earn full credit.
1 mark for a correct answer, and 3 marks for correct calculations or reasoning.
f. Does the protocol operate fairly, in the sense that, over time, each node is equally likely to be the one
holding the token? Justify your answer. [3 marks]
Answer: “Over time” is a hint that a steady-state probability is being referred to, and in the steady
state, the DTMC will be executing inside its BSCC. The BSCC has symmetric structure with equal
probabilities on the transitions, so the steady state distribution has equal probabilities (1/6) of being in
any of the six states of the BSCC. Each node is represented by two of the six states, so each node is
equally likely to be holding the token, meaning the protocol does operate fairly.
1 mark for the correct answer, and 2 marks for a correct explanation.
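The reasoning of Questions 3c, 3e and 3f carried out on an explicit DTMC, as an added Python example that is not from the exam paper: it derives the 8-state chain from the standard Herman rule (the state encoding is an assumption, since the paper's diagram is not reproduced here), computes the two-step transient probability of still being unstable, finds the BSCCs by reachability closure, and checks that the uniform distribution on the BSCC is stationary.

```python
# Added example (not from the paper): Herman's 3-node protocol as a DTMC, with
# state index = the three nodes' bits read as a binary number (assumed encoding;
# s0 = 000 and s7 = 111 are then the two unstable states, as in the paper's model).
from fractions import Fraction
from itertools import product
N, NODES = 8, 3
def bits_of(s):
    return [(s >> i) & 1 for i in range(NODES)]

def tokens(s):  # node i holds a token iff its bit equals its ring predecessor's bit
    b = bits_of(s)
    return [i for i in range(NODES) if b[i] == b[i - 1]]

STABLE = frozenset(s for s in range(N) if len(tokens(s)) == 1)

def step_matrix():
    """Herman rule, applied synchronously: each token holder sets its bit at
    random (probability 1/2 each), every other node copies its predecessor's bit."""
    P = [[Fraction(0)] * N for _ in range(N)]
    for s in range(N):
        b, tok = bits_of(s), tokens(s)
        for choice in product((0, 1), repeat=len(tok)):
            nb = [choice[tok.index(i)] if i in tok else b[i - 1] for i in range(NODES)]
            P[s][sum(bit << i for i, bit in enumerate(nb))] += Fraction(1, 2 ** len(tok))
    return P

def transient(dist, P, k):  # state distribution after k steps
    for _ in range(k):
        dist = [sum(dist[s] * P[s][t] for s in range(N)) for t in range(N)]
    return dist

def prob_unstable_after(k):  # Question 3e, from the uniform initial distribution
    d = transient([Fraction(1, N)] * N, step_matrix(), k)
    return sum(d[s] for s in range(N) if s not in STABLE)

def bsccs(P):  # Question 3c: closed state sets whose members all reach each other
    R = {s: {s} | {t for t in range(N) if P[s][t]} for s in range(N)}
    changed = True
    while changed:  # transitive closure of the one-step reachability relation
        changed = False
        for s in range(N):
            closure = set().union(*(R[t] for t in R[s]))
            if closure != R[s]:
                R[s], changed = closure, True
    return {frozenset(R[s]) for s in range(N) if all(s in R[t] for t in R[s])}

def uniform_is_stationary(C, P):  # Question 3f: is uniform-on-C a fixpoint of pi = pi P?
    pi = [Fraction(1, len(C)) if s in C else Fraction(0) for s in range(N)]
    return transient(pi, P, 1) == pi
```

From s0 or s7 every node holds a token, so the next state is uniform over all eight states and the chain stays unstable with probability 1/4 per step, which is where the 1/64 comes from; the six stable states form the single BSCC and carry the uniform stationary distribution of 1/6 each.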

END OF PAPER