lecture 03 java
TRANSCRIPT
8/12/2019 Lecture 03 java
Transition Diagrams
COMP2111 Lecture 4a
Session 1, 2013
Assertional Reasoning
Kai Engelhardt
Revision: 1.2
Transition Diagrams
Definition
Let a state space be given. A transition diagram is a quadruple P = (L, T, s, t), where:
L is a finite set of locations;
T is a finite set of triples (source location, c → f, target location) called transitions, where both locations are in L, c is a Boolean condition on states, and f is a function from states to states;
s, a location in L, is the entry location;
t, a location in L, is the exit location.
Transition diagrams can be thought of as a very simple programming language with conditional branching, where the conditions on the branches need not be disjoint.
Or we could use them as an intermediate language to represent sequential programs.
NB
Note the difference between these transition diagrams and those introduced in se2011, which have || = 1.
Example (Transition Diagram)
A statement such as while (x > y) x--; can be understood as the transition diagram with locations s, l1, l2 and t and the following transitions (the slide shows them as a picture):
s → l1 with condition true;
l1 → l2 with condition x > y;
l2 → l1 performing x--;
l1 → t with condition x ≤ y.
A Familiar Example
initialisation of low, high
while condition on low, high
assignment to mid in terms of something like (low+high)/2
if comparison involving A, a and mid
then assignment to low in terms of mid
else assignment to high in terms of mid
A Familiar Example
s initialisation of low, high
1 while condition on low, high
2 assignment to mid in terms of something like (low+high)/2
3 if comparison involving A, a and mid
4 then assignment to low in terms of mid
5 else assignment to high in terms of mid
t
Execution Model
Definition
A computation of P starting in an initial state is a (finite or infinite) sequence of configurations, each a pair of a location and a state, whose first configuration consists of the entry location s and the initial state, and such that:
For each computation step from one configuration to the next there exist c and f such that
1 (current location, c → f, next location) is a transition in T,
2 c holds in the current state, and
3 the next state is f applied to the current state.
The sequence cannot be extended, i.e., if the sequence is finite, its last configuration has no possible successors.
Classifying Computations
Each computation belongs to precisely one of three classes:
1 The sequence is finite, and the location of its last configuration is the exit location t. Such a sequence is called a terminating sequence.
2 The sequence is finite, but its last configuration is not of the previous form. This must therefore be a deadlock configuration, that is, there does not exist a transition in T departing from the last location (which is different from t) whose condition c holds in the last state. Such a sequence is called a failing sequence.
3 The sequence is infinite. Such a sequence is called divergent.
Semantics
Denote by [[P]] the set of all computations of P starting with a given initial state. We define the meaning of the sequential transition diagram P as a function M(P) which maps an initial state to
M(P)(initial state) = { val(computation) : computation in [[P]] }
where val(computation) is
1 its final state if it terminates, i.e. its final configuration has location t, or
2 fail if it fails, or
3 a distinguished divergence value if it diverges.
Thus the meaning of a transition diagram P is a function which for a given initial state gives the set of all possible outcomes, including the possibility of divergent and of failing computations (the divergence value or fail is an element of M(P)(initial state)).
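The execution model and the outcome set M(P) above, as an added worked example in Python that is not part of the lecture. It encodes a transition as a 4-tuple (source location, guard c, update f, target location), follows every enabled transition because guards need not be disjoint, and reports FAIL for a computation that deadlocks at a non-exit location. Divergence is undecidable, so this example assumes that a computation which repeats a configuration on its own path, or runs past a step bound, is reported as BOTTOM. The diagrams at the bottom (the slides' while (x > y) x-- plus three small ones) are constructed for this example.

```python
"""Transition diagrams run as a tiny interpreter, yielding the outcome set M(P).

Added example, not taken from the lecture. A transition is a 4-tuple
(source, c, f, target) standing in for the slides' (source, c -> f, target):
c is a guard on a state (a dict of variable values) and f an update that
returns the successor state. Since guards need not be disjoint, every
enabled transition is explored, so the result is a set of outcomes.
Divergence is undecidable; this example's assumption is that a computation
repeating a configuration on its own path, or exceeding `bound` steps, is
reported as BOTTOM.
"""
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]
Transition = Tuple[str, Callable[[State], bool], Callable[[State], State], str]

FAIL = "fail"      # deadlocked in a non-exit location
BOTTOM = "bottom"  # divergent (or not finished within the bound)


def identity(st: State) -> State:
    return st


def as_key(st: State) -> Tuple[Tuple[str, int], ...]:
    """Hashable, order-independent view of a state."""
    return tuple(sorted(st.items()))


def outcomes(transitions: List[Transition], s: str, t: str,
             sigma: State, bound: int = 200) -> set:
    """Compute M(P)(sigma) for P = (L, T, s, t) by depth-first search over
    configurations (location, state)."""
    result = set()

    def run(loc: str, st: State, path: frozenset, depth: int) -> None:
        cfg = (loc, as_key(st))
        if cfg in path or depth > bound:
            result.add(BOTTOM)     # a configuration on a cycle, or too long
            return
        enabled = [(f, l2) for (l1, c, f, l2) in transitions
                   if l1 == loc and c(st)]
        if not enabled:            # the sequence cannot be extended
            result.add(as_key(st) if loc == t else FAIL)
            return
        for f, l2 in enabled:
            run(l2, f(dict(st)), path | {cfg}, depth + 1)

    run(s, dict(sigma), frozenset(), 0)
    return result


# The slides' example: while (x > y) x--;  (encoded here for this example)
def decrement_x(st: State) -> State:
    st["x"] -= 1
    return st


WHILE_XY: List[Transition] = [
    ("s", lambda st: True, identity, "l1"),
    ("l1", lambda st: st["x"] > st["y"], identity, "l2"),
    ("l2", lambda st: True, decrement_x, "l1"),
    ("l1", lambda st: st["x"] <= st["y"], identity, "t"),
]

# Non-disjoint guards: at x == 0 both branches are enabled (constructed).
SIGN: List[Transition] = [
    ("s", lambda st: st["x"] >= 0, lambda st: {**st, "y": 0}, "t"),
    ("s", lambda st: st["x"] <= 0, lambda st: {**st, "y": 1}, "t"),
]

# No transition for x == 0, so that initial state deadlocks (constructed).
PARTIAL: List[Transition] = [
    ("s", lambda st: st["x"] > 0, identity, "t"),
    ("s", lambda st: st["x"] < 0, identity, "t"),
]

# while (x > 0) skip;  the state never changes, so it loops when x > 0.
SPIN: List[Transition] = [
    ("s", lambda st: st["x"] > 0, identity, "s"),
    ("s", lambda st: st["x"] <= 0, identity, "t"),
]

if __name__ == "__main__":
    print(outcomes(WHILE_XY, "s", "t", {"x": 5, "y": 2}))  # {(('x', 2), ('y', 2))}
    print(outcomes(SIGN, "s", "t", {"x": 0, "y": 9}))      # two final states
    print(outcomes(PARTIAL, "s", "t", {"x": 0}))           # {'fail'}
    print(outcomes(SPIN, "s", "t", {"x": 1}))              # {'bottom'}
```

Because the search follows every enabled transition, SIGN started at x = 0 yields two final states, which is exactly the non-disjoint branching the slides allow; PARTIAL at x = 0 has no enabled transition at a non-exit location, so its only outcome is fail, and SPIN at x = 1 revisits its own configuration, which is a genuine cycle and hence a divergent computation.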
Partial Correctness
Let a state space be given, let P = (L, T, s, t) be a transition diagram, and let a precondition and a postcondition, both Boolean conditions on states, be given. We say that
{precondition} P {postcondition}
holds iff, for every initial state satisfying the precondition, every state in M(P)(initial state) satisfies the postcondition. Observe that this captures partial correctness because we simply ignore all potential failures and divergences of P.
Assertion Networks
Question
How can we prove {precondition} P {postcondition}?
Definitions
An assertion network for transition diagram (L, T, s, t) is a function Q associating a predicate on states with each location in L. The (local) verification condition for a transition (source location, c → f, target location) is
Q at the source location, conjoined with c, implies Q at the target location composed with f.
The symbol ∘ (circ in Event-B) denotes function composition. For functions f : A → B and g : B → C we define g ∘ f : A → C by (g ∘ f)(a) = g(f(a)), for all a in A.
Floyd's Inductive Assertion Method
Definition
An assertion network is called inductive if all verification conditions are valid, that is, true in every state.
Theorem (Floyd)
If the assertion network Q is inductive and the two implications (precondition implies Q at s) and (Q at t implies postcondition) are valid, then this proves {precondition} P {postcondition}.
Observe that the number of verification conditions arising from a proof of {precondition} (L, T, s, t) {postcondition} using Floyd's method is 2 + |T|.
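Floyd's method above, as an added example in Python that is not the lecture's code. It builds the 2 + |T| verification conditions from an assertion network and checks each one by exhaustive evaluation over a small range of integer values, which is this example's assumption: a counterexample state refutes inductiveness outright, while a clean run on the range is evidence rather than a proof for unbounded integers. The while (x > y) x-- diagram from the slides is encoded as on the slides; the assertion networks Q_GOOD and Q_BAD, the pre- and postcondition and the domain are constructed here.

```python
"""Floyd's inductive assertion method, checked by exhaustive evaluation.

Added example, not from the lecture. Transitions are (source, c, f, target)
as on the slides; an assertion network Q maps each location to a predicate
on states; phi and psi are the pre- and postcondition. For each of the
2 + |T| verification conditions the checker searches a bounded domain of
variable values for a state that violates it. Assumption of this example:
the domain is finite and small, so a clean run is evidence that the
network is inductive on that range, not a proof for all integers; a
counterexample, however, is a genuine refutation.
"""
from itertools import product
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

State = Dict[str, int]
Pred = Callable[[State], bool]
Transition = Tuple[str, Pred, Callable[[State], State], str]


def implies(a: bool, b: bool) -> bool:
    return (not a) or b


def verification_conditions(transitions: Sequence[Transition], s: str, t: str,
                            Q: Dict[str, Pred], phi: Pred, psi: Pred
                            ) -> List[Tuple[str, Pred]]:
    """The 2 + |T| conditions of Floyd's method as (name, predicate) pairs.

    The local condition for (l, c -> f, l') is  Q_l and c  implies  Q_l' o f,
    i.e. if Q_l holds and the guard is true, then Q_l' holds after f.
    """
    conds: List[Tuple[str, Pred]] = [
        ("phi => Q_" + s, lambda st: implies(phi(st), Q[s](st))),
        ("Q_" + t + " => psi", lambda st: implies(Q[t](st), psi(st))),
    ]
    for (l1, c, f, l2) in transitions:
        # default arguments bind the loop variables for this lambda only
        conds.append((
            f"Q_{l1} and c => Q_{l2} o f",
            lambda st, l1=l1, c=c, f=f, l2=l2:
                implies(Q[l1](st) and c(st), Q[l2](f(dict(st)))),
        ))
    return conds


def check_network(transitions: Sequence[Transition], s: str, t: str,
                  Q: Dict[str, Pred], phi: Pred, psi: Pred,
                  variables: Sequence[str], domain: Iterable[int]
                  ) -> List[Tuple[str, State]]:
    """Return one counterexample state per violated verification condition
    (an empty list means every condition held on the whole domain)."""
    values = list(domain)
    failures: List[Tuple[str, State]] = []
    for name, vc in verification_conditions(transitions, s, t, Q, phi, psi):
        for combo in product(values, repeat=len(variables)):
            st = dict(zip(variables, combo))
            if not vc(st):
                failures.append((name, st))
                break
    return failures


# The slides' example: while (x > y) x--;  (encoded here for this example)
def decrement_x(st: State) -> State:
    st["x"] -= 1
    return st


WHILE_XY: List[Transition] = [
    ("s", lambda st: True, lambda st: st, "l1"),
    ("l1", lambda st: st["x"] > st["y"], lambda st: st, "l2"),
    ("l2", lambda st: True, decrement_x, "l1"),
    ("l1", lambda st: st["x"] <= st["y"], lambda st: st, "t"),
]

PHI: Pred = lambda st: st["x"] >= st["y"]   # precondition (constructed)
PSI: Pred = lambda st: st["x"] == st["y"]   # postcondition (constructed)

# An inductive network: the loop keeps x >= y, and x > y on the way to x--.
Q_GOOD: Dict[str, Pred] = {
    "s": PHI,
    "l1": lambda st: st["x"] >= st["y"],
    "l2": lambda st: st["x"] > st["y"],
    "t": PSI,
}

# Same network with the assertion at l2 weakened to x >= y: now the
# transition l2 -> l1 (x--) may drop x below y, and the checker says so.
Q_BAD: Dict[str, Pred] = dict(Q_GOOD, l2=lambda st: st["x"] >= st["y"])

if __name__ == "__main__":
    dom = range(-3, 4)
    print(check_network(WHILE_XY, "s", "t", Q_GOOD, PHI, PSI, ["x", "y"], dom))
    print(check_network(WHILE_XY, "s", "t", Q_BAD, PHI, PSI, ["x", "y"], dom))
```

Weakening the assertion at l2 to x >= y breaks only the condition for the transition l2 → l1, because after x-- the state may have x < y; the checker reports that one condition together with a state in which x = y. That is the practical value of keeping the 2 + |T| conditions separate: the failing condition names the transition whose assertion is too weak, which is where the invariant has to be repaired.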
Proof
It suffices to show that the final states of all terminating computations starting in states satisfying the precondition are states satisfying the postcondition. Let a terminating computation with configurations numbered 0 to k be given whose initial state satisfies the precondition. By induction we show that, for all i in {0, ..., k}, the assertion Q at the location of configuration i holds in the state of configuration i. Recall that the location of configuration 0 is s. The first implication establishes the base case. For the inductive case, assume the claim holds for some i