1 CS5219

NATIONAL UNIVERSITY OF SINGAPORE

CS5219 – AUTOMATED SOFTWARE VALIDATION

Semester 2, 2016/2017

Time Allowed: 2 Hours

INSTRUCTIONS TO STUDENTS

1. This assessment paper contains THREE(3) questions in multiple parts and comprises TEN (10)
pages.

2. Answer ALL questions in the space provided in this booklet.

3. Read through each question carefully and answer it EXACTLY and COMPLETELY as specified.
Think through your answers carefully before writing them on the exam paper. Show ALL of your
work, since partial credit cannot be awarded if it is unclear how you arrived at an answer.

4. This assessment counts 50% toward your final module mark.

5. This is an OPEN BOOK assessment, and it requires INDIVIDUAL effort.
6. Please write your Student Number below.

STUDENT NUMBER:

This portion is reserved for the examiner’s use only

Question Marks Remark

Question 1 17

Question 2 16

Question 3 17

Total 50
2 CS5219

Question 1. LTL Model Checking [17 marks]

Consider the following Kripke structure M , which is a simplified model of how a “bill” (a proposal for a
new law) becomes a law in the USA.

a. Consider the LTL property φ1 = F(Signed ∨ Vetoed). Apply the automata-based LTL model checking
algorithm to verify φ1 for M . Explain your work. Be sure to indicate whether the formula is satisfied
or violated and how you determined this. If violated, then be sure to present a counterexample trace
produced by the algorithm. [7 marks]
3 CS5219

[Question 1a continued]

BLANK PAGE
4 CS5219

[Question 1 continued]
b. Consider the LTL property φ2 = (¬Signed U President). Apply the automata-based LTL model
checking algorithm to verify φ2 for M . Explain your work. Be sure to indicate whether the formula is
satisfied or violated and how you determined this. If violated, then be sure to present a counterexample
trace produced by the algorithm. [10 marks]
5 CS5219

[Question 1b continued]

BLANK PAGE
6 CS5219

Question 2. CTL Model Checking [16 marks]

a. Consider the Kripke structure M of Question 1 and the CTL property φ3 = AG(Senate ⇒ (AX President)).
Apply the labeling algorithm for CTL model checking to verify φ3 for M . Explain your work. Be sure
to indicate whether the formula is satisfied or violated and how you determined this. [7 marks]
7 CS5219

[Question 2 continued]
b. Consider the Kripke structure M of Question 1 and the CTL property φ4 = AF EF(Approved ∧
(AX Signed)). Apply the labeling algorithm for CTL model checking to verify φ4 for M . Explain your
work. Be sure to indicate whether the formula is satisfied or violated and how you determined this.
[9 marks]
8 CS5219

Question 3. Probabilistic Model Checking [17 marks]

Consider the DTMC model below, which is a model of Herman’s self-stabilization protocol for three
nodes. The protocol involves token passing in a counterclockwise direction around a ring connecting the
nodes. In a state labeled Stable, exactly one process has a token, and in such states the label Tokeni
indicates that node i has the token. NOTE: Although no initial states are explicitly indicated in the model
(in order to make the diagram more readable), you should assume that every state can be an initial state,
with probability 1/8 of choosing a particular state as the initial state. In other words, the initial state
distribution is sinit = {1/8, 1/8, 1/8, 1/8, 1/8, 1/8, 1/8, 1/8} for {s0 , s1 , s2 , s3 , s4 , s5 , s6 , s7 }.

a. Given the above DTMC, specify a PCTL property requiring that the probability of reaching a stable
state is virtually guaranteed to occur. [2 marks]
9 CS5219

[Question 3 continued]
b. Is this an aperiodic DTMC? Is it reducible or irreducible? Justify your answers. [4 marks]

c. Identify the BSCCs of this DTMC, if any. [2 marks]

d. Given your answers for Questions 3b and 3c, is the property of Question 3a satisfied or violated?
Justify your answer. [2 marks]
10 CS5219

[Question 3 continued]
e. What is the probability that the protocol is not in a stable state within two steps through the model?
Justify your answer. [4 marks]

f. Does the protocol operate fairly, in the sense that, over time, each node is equally likely to be the one
holding the token? Justify your answer. [3 marks]

END OF PAPER