ACM. PODC,. 1983. K.M.. Chandi and. J. Misra. Parallel. Program. Design: A Foundation. Addison-Wesley,. 1988. L. Christoff and. I. Christoff. Efficient algorithms.
Formal
Verification
of Timed
Properties
Anna
of Randomized
Pogosyants
Laboratory Massachusettss
anya,
Roberto
Computer
Institute
Cambridge, emaik
and
for
MA
Segala Science
02139
USA
segala@theory.
lcs.
1
mit.
[11]
a method
The
for
the
analysis
of a randomized method
bound
consists
statements
of the
distributed of proving
of the
expected
auxiliary
form
time
algorithm
com-
U ~
U’,
which
in
U’
that
are
reach least
a state
ology
to
in
set
prove
the
check.
In
statements, bound
hoc
this
a new
each
consists to the
the
As a consequence,
proofs
can
algorithms be verified
tic
by
analysis
is a useful
distributed
analyze.
As with
proofs
are
a result, only
are many
informal
presented,
for
they
the
does
existing
[3, 4, 9]),
sometimes randomized proofs, are
often
ad
common. Most of the mistakes come gether probabilistic and non-deterministic problem hard
with
to
informal
be convinced
and that
ad all
hoc
the
even from
and
are preformal
mistakes
is that
cases
are
it
is
to
the
time
whether
U
&.
of
t with
a probabilis-
U’
to
the
is satisfied
problem time
by some
of
bound
specific
non-randomized
original
Prove
each
ments
using
by
checking statement
non-randomized
algorithm
randomized
consid-
of the
is derived
algorithm.
non-probabilistic
some
of the
non-randomized,
Here
we focus of reducing
on the
second
system, A implies
U’ for
call
the
system
A
A is obtained
from
M
choices
of M
ing
the
all
that
to give
other
the
by
some
The
in
by A,
ordi-
specific
outcomes,
M.
Informally,
of J4
probabilistic and
by chang-
into
nondeter-
should
is always
a
validity
U’ for
of the
outcomes
a
A4, to
the
U L
automato;.
choices
provide
b;
so that of
some
M
We
de~oted
forcing
forced
probability
steps.
validity
a generating
statefor
algorithms.
third
denoted
bound
techniques
system,
probabilistic
choices.
their
and
a probabilistic
non-probabilistic U ~
time
existing
distributed
of
ministic
ered. In
The
way
We
are
considering tochoices. Another
arguments
possible
simple
verify
when
hoc;
is
a state
and
even
algorithms and
meaning
from
within
of checking
statement
U’ is satisfied
from
of problems to
Its
is started
is reached
U and
p is a proba-
number.
non-probabilistic
algorithm.
3.
but
hard
U’
statement
where
algo~ithm,
real
algorithm
the
U ~
not tech-
applied,
solution
the
U’,
p.
problem
bound
whether
mechanically.
(e.g.,
algorithms
sented
tool
computation
randomized
each
time
nary,
Randomization
of
at least
bound
U ~
an algorithm
a randomized
de-
bound
Introduction
1
of
as sug-
P
of a time
that be
states
algo-
statements
time
form
difficult
time
can
probabilistic
a state
Reduce
2,
proved
problem
several
of a randomized boztnd
time is
and
of a statement
then
time
a positive
whenever
U,
properties
of the
of
probability
Unfortunately,
the
A
t is
and
that
at
probabilistic
probabilistic
of reducing
analysis
will
method-
statement
overcome
it
probability
error-prone
to prove
U,
a formal
arguments.
we
set
t with
a specific
is generally
non-randomized
correctness
in
of
in
provide
scratch:
paper
which
for
time not
operational
probability.
niques
within
technique
statement
involve
in ‘a state
validity
reasoning
veloping
begins does
from
of ad
operational
U’ [11]
statement
means
to
algorithm
p . However,
bound by
the
[1 1].
sets
bility, whenever
timed
probabilistic
is an expression
time
mean
the
into
gested
is presented.
probabilistic
edu
Decompose rithm
In
Algorithms*
of Technology
Abstract
plexity
Distributed
greater
be chosen than
so
or equal
to p. this
verify
methodology
paper timed
we provide properties
consists
of the
a methodology of randomized following
that algorithms,
allows
us
Once
Our
tomata
steps.
eral
existing
bound
“Research supported m part by the Advanced Research Projects Agency of the Department of Defense, monitored by the Office of Naval Research under contracts NOO014-92-J-1795 and NOOO14-92-J4033, by the National Science Foundation under grants 9115797-CCR and S915206-CCR, and by the Office of Naval Research under contract NOOO14-91-J-1O46.
the
in the
associates
174
a time
progress The arates
style
of [10]. real
roughly
upper bound The existence ing
can
bound
to
statement.
of our
ausev-
new
time
on progress
function some
is a funcof
the
function
states
gives
an
reaching a state of U’. is sufficient for provproofs
be machine methodology from
the
based
a progress
can
probability
prove
with
Moreover,
method
generating algorithms,
A progress
numbers
speaking,
advantage
completely
since
a technique
on the time left until of a progress function
function main
be used
We present
tion
out,
(non-randomized)
techniques
functions that
is carried
ordinary
=tatements.
of a system;
Permission to make digital/hard copies of all or part of this materiai for personal or classr?orn use is granted without fee provided that the copies are not made or dmtrlbuted for profit or commercial advantage, the copyright notice, the title of the publication and its date appear, and notice is given that copyright is by permission of the ACM, Inc. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires specific pem-ission andlor fee. PODC 95 Ottawa Ontario CA e 1995 ACM 0-89791-710-3/95/08. .$3.50
reduction
describe
based
on the
checked. is that
non-determinism,
it
septhus
eliminating
the
rectness arguments ferent can
allows
for A
method;
by
then,
and,
be checked for
ing
We tion
level
cases.
details the
the
sketch
carried tine
out
We
the
that
on
proof
the
for
where
statement
the
rest
progress
functions;
time
through rithm contains
2
some
The
ad
finite
presents hoc
techniques
available
on
several
as follows.
Section
model,
describes
proof
3 presents of
the
and
shows
to
Section and
of the
concluding
a simplified
introduces
Rabin
the
method
[17],
automata; and
introduces
the
how
of
4 presents
illustrates
the
our
correctness
abled
We
section
define
of the
timed
automata
ments
U ~
U‘.
technique
2.1
the
automata, of
based
on progress
Semi-Timed
Automata
Definition
2.1
[12],
Furthermore,
A semi-timed
which
algo-
can
be
and
the
the
ment
az
finite
and
automaton
and
In this
state-
verification
Statements
A consists
A is
of
A
exists
(A)
ezecution
all
the
An
Denote
and
state
reals
in
set of
is an execu-
state.
co.
a
first
last
of the
by frag”
is a start
the
the
sum
start-
a state,
0 there
the
of four
components
execution
by
ezec”
executions
by
(A) of A,
(s, a, s’)
fragment
not
enable
exists
al
aZ =
written exists
paper
al
by ktate(a)
to be complete
A fimte
of a semi-timed
functions.
and Time
and
execution
execution
a simplification
we formalize
we int reduce
results
by fstate(cr)
An
of ax-
automaton
denote
Trans(A);
concatenated.
is the
5
framework.
are
the
by Mime(a)
=
actions
trajectory
ending
Denote
itime(w)
axioms,
the
actions
each
of admissible
s if there
of A.
of A and
that
non-probabilistic
for
state
s of A is said
ends
states
Framework
we introduce
semi-timed
is finite,
de-
discussion.
and
of A.
first
s of A is reachable
of a, In this
a
fragments
sets
for the
of cr. Denote
if
trajectory The
role
of A.
actions
a is said
A that
remarks.
Non-probabilistic
U
transi-
a semi-timed
so that
from
that
denote
(s, a, s’) in
or a is finite
them
Section
if
if a is finite,
whose
from
state
technique
proofi
called
automaton
the
states
such S,+I)
the
execution
probabilisprove
is
U ezt(A)
are
of a semi-timed
and,
passage
A state
time
version
znt(A)
of time.
them
fragment
a,+l,
exec(A)
satisfy relation
alternating
a state,
transition
2 on
set
R+}
respectively.
of
based
set
of [12] is that
a fundamental
a of
fragment
and
the
I t c
x States(A),
Trans(A)
passage
a of A is admissible
oper-
sets:
is the
{v(t)
a semi-timed to
we omit
execution
tion
with
overcomes
play thus
execution
time
the
of
automaton
actual
of w and,
the
=
x Actzons(A)
transition
of a; furthermore,
[6,8]
disjoint
ezt(A)
actions;
required
seal sl az S2.,.,
state
statements,
of
not
with
are
actions,
time(A)
between
the
and
=
time(A)),
time(A)
denotes
a timed
transitions,,
some
of
combined
is organized
fragments
some
a
and
elements
difference and
is not
do
ing
[14]
11, 14, 16].
statements,
of Lehmann
for
of[11]
bound
means
algorithms,
Section
generating
by giving
by
verification
models
bound
work
states;
■
model
An
and
G States(A)
The
a sequence
random-
work
of start
relation
restrict
paper,
[5] to han-
result
time
non-probabilistic
probabilistic
for
1; the the
of
here
ioms
confi-
defined
UNITY
methodology,
paper and
work
main
time(A)
standard
functions
properties
probability
is proved of
al[4],
distributed
The
extends
techniques;
Our
statements,
16]. ranking
probabilistic
of [6,8,
the
bound
tic
on
of the
on
The fined which
ezt(A),
of internal
Actions(A)
automaton
[15].
Ben-Or we are
a completeness
with
The
in
of the
where
rou-
set
actions,
Trans(A)
tions.
the
(int(A), ext(A)
a transition
●
as well.
of [16]
non-randomized
limitations
to most
~ States(A)
set of time-passage
lem-
[7].
of
we gained,
11,14,
provides
collection
presents
int(A), is the
time(A).
randomized
faults
Start(A)
signature =
int(A) the
We
be found
of the
action
where
used
main
Prover
set
of external
of
We
automated
of states;
Sig(A)
fill
functions.
can
liveness
work
arguments.
The
the
[6,8,
checking
based
ordinary
a timed
verifica-
all
States(A)
in
always
of randomized
based
hold
model each
that
algorithms in
a technique
extensive
●
can
algorithm
Larch
applies
on verification
and
that
and
the
experience
the
probability,
ational
a non-empty
prover.
[11]).
progress
stopping
establishing
algorithms;
presents
formal
we reproved and
detail
with
appears
properties
●
way of listing all of not consider-
asin
of correctness
a technique,
states,
a set
methodol-
the
automatic)
methodology work
algorithms
dle
and
distributed
Previous
ized
of our
●
proof
theorem
Philosophers
using
consensus
randomized
on
dif-
parts
can
for
and
in full
(hand
our
presents
at
of our
reader
example
[11],
proofs
the
for based
technique
automata
proofs the
sketched
and,
hoc
be considered
a systematic the possibility
[9](same
from
proof
dent
cor-
ad
of a proof
critical
automatic
Dining
Rabin
of
complete gorithm
new
generating
parts
can
most
a skeptical
randomized
using
in
out
parameters
advantages
provides reducing
the
and
proof
an
carried
description
cases
the
Moreover,
Lehmann mas
proofs
be
the
by
mistakes eliminates
easily.
applied
of
key
necessary,
evident: it cases, thus
some
in the
to level
the
mechanically high
ogy are possible
proofs
interesting
if
of
method
high
specifying some
detail,
source
our
of details.
be given
more
common
Moreover,
and
levels
Even
most
proofs.
< t and
Let A be a semi-timed automaton, U, U’ ~ >0 Then u ~ u ~ denotes a predicate that .
/state(a’)
c U’.
9
2.2
Proving
Time
Bound
Statements
measure. set
There
are
timed
automata.
progress time
several
techniques Here
functions,
bound
based
which
Theorem
2.3
States(A).
Suppose
Let
that +
‘P : States(A)
1.
Ijs
E U
2,
For
ail
then
there
prove
idea
of
of
semi-
based
the the
is a subset
on
validity
of
technique
is
automaton,
exist
A
space
space
Dirac
two
U, U’
~
space
whose
functions
Definition
3.2
sists
components:
of four a set
l?~”,
●
a non-empty
hold:
●
a timed
●
a transition
and
eitherp(s)
A ‘P(s)
transitions(s,
a, s’)
t or
if a is not (P(s)
U 2
such
that
p(s)
action
v(At)
then
p(s’)
a time-passage
is true
action
then
either-p(s’)A
States(M)
a partial
function The
A such given
that
from
action
by ‘P(s).
Condition of
tic
bound
the
(p, ‘P)
function
of
is borrowed
onto
The
this
partial until
the
nonnegative
abilistic
state
M
from
start
formalizing Then by
bound
which
an
ing
statements
with
we show
reducing
involve
3.1
the
probabilistic
states
a transitions,,
that
the
upper
All
We
refer
to the
probabilistic
of
a
=
a progress
statements how
the
such
U
~
to
U ~
model U’
statements
problem
for proving
semi-timed
of the
the
and
be verified
Automata
lection count
of subsets
and
P
and
such
many
of Q that
union
is
and
a function that
for
pairwise
formally
that
does
and Time
each
to
verify
at
most
C that
Q, for
countably
is closed that
from
3
any
to
P[C] every many
elements (Q, F, P) =
~zGC
discrete points
a triplet space,
under
~ c F,
collection
space
~
space is the sample
such
disjoint
A probability for
action
v(t), (Q,7, P))
if (s,
c
state
M
is fully
and
each
probabilisstate
of
M
a,+l,
If only
the
M
the
unfolding
automaton
and of the
in
can
which
Probabilistic
the
can
probabilistic
be
studied.
be thought
the
transition
relation
of
then
choosing
at most
one
of then
automaton,
where
execution
resolving
resolved,
of M.
automaton
Q.
non-
choices
are
fragment objects
E
as well.
of
nondeterministic choices
exists
the
case result
semi-timed
the
a state, s,+]
executions
is
start-
0 there
such–that
is the
M
with
>
probabilistic M
execution are
i
to
of M
of
ending
for
the
probabilistic
a probabilistic
In-
of as the
a probabilistransition
for
unfolding.
3.3
A
probabilistic
semi-timed
semi-timed
of
of
actions
each
nondeterministic
execution
automaton
automaton,
States(H)
Bound
to
a probabilistic
probabilistic
finite
similarly
fragment
and
for
P))
and
fragments
Definition
not
is
is used
applies
a fully
state
a that
fragment
a probabilistic
of
if
(Q, F,
probabilistic
are defined
execution
states
that
case
the
An
such
G /rag*(M);
let
M
fragment
H
is a fully
of
a
probabilis-
that: q range
over
the
states
of
H;
3.1 A probability is a set, also called
able
states;
a time-passage
i.e.,
executions
such
formally,
each
model.
and,
of
tic
Statements Definition where tl
of start
■
alternating
behavior
tic
Semi-Timed
with
automaton
case.
execution
result
by
probability.
Probabilistic
con-
x Probs(States(M)),
start
and
terminology
execution
U’. We P automaton
this
problem
M
transition.
so al S1 a2s2...,
An
prob-
of [17],
within
can
a new
automaton
= 1.
one
one
a state,
the
of tkibrm.
exactly
a of
we obtain
methodology
Ifll
fragments
for
idea
U’.
both
is a simplification the
its Dx
Sig(M);
transition
non-probabdistic
of
Framework
by introducing
model,
by
■
~ States(M)
distribution,
then
at most
a sequence
[10].
our
each
semi-timed
has
a state
bound
The
the
are
describes
is correct.
function.
we present
time
if
Denote
semi-timed
Actions(M)
x
to a Dirac
Execution
of
function
function reaching
upper
real
of states
of the
2 (a, b) ensure
each
Probabilistic section
set is {z}.
distribution
element.
G
that
we call In this
sample
signature
such
if
M. 3
space
2.3 defines
consists
values
left
t;Conditions with
A
the
that
as a progress
of Theorem
function
and
time
1 guarantees associated
pair
states of the
Informally,
U is at most
the
sample
relation
A probabilistic
■
conditions
is true,
upper bound on
a Dirac one
set Start(M)
Trans(M),
A.
the
domain
p(s)
denote
whose
of states;
leads
or s’ E u’.
for
(p, ‘P) satisfying
numbers.
Probs(X)
A
enables A pair
let
exactly
A probabilistic
Trans(M)
p(S’));
~ P(s’))
U’
X,
is called
contains
States(M) (a)
set
distributions
of X.
probability
sample the
arbitrary
probability
●
Bool,
+
the following
key
to
be a semi-timed
A
that
properties
a techniqne,
any
theorem.
p : States(A)
such
The
following
prove
present
is useful
statements.
on the
to
we
For
of discrete
also
[0, 1] such
F
complement called that
of at most
of 3,
~[uic,]
P[{z}]. probability with
if F It
=
~ States(M);
each
{qas
P[C’].
all
2Q and
there
Sig(M);
transition(q,
transition(ktate
the
of H
is immediate
space
a positive
for
1
countably
= ~,
is discrete
=
=
Start(H)
and
a u-field, P[Q]
{C, },
Sig(lT)
(Q, 5, P) is a col-
are
probability
176
I s E Q’}
and
states
of H
there
a, (Q, ~,
(q), a, (0’, P’[gas] are
>’,
P))
of H
there
P’))
of M
such
= P[s]
reachable,
is an execution
of H
for i.e., that
all
exists that
a
0 =
s c Q’;
for
each
leads
to
state q.
g
We say that a state H
a probabilistic
s of M
of
if
a probabilistic
bilistic
execution
Start(H)
=
fragment
H starts
A probabilistic
semi-timed
execution
fragment
{s}.
automaton
M
that
with
of M
starts
with
space.
esecutiorz is a probaa state
each of
3.1
have
[17].
execution
feveryc
Remark we
probabilistic
time
A probabilistic
fragment
ompleteexecution
Thedefinition
given
here
The-main
Hof
Missaid
of lf
inadmissible.
ofaprobabilistic
is simpler
differences
than
are
the
can
now
bound
start
of
state
of
can
be
an
than
just
[17]
definition
Definition
■
that
given
following:
in
-
rather
a probabilistic
execution
fragment
arbitrary
execution
fragment
finite
each
3.4
tic
that
denotes
a predicate
execution
fragment
distribution
over
symbol The to if
first
feature
state we
6 that
in
to
probabilistic
that
to
using
however, randomized
to the
is a strong
a probabilistic one
of H
can
Below
be
we define
and
a = qoalgl
cr~ the from a’
of M
is easy
to
(crJ)TH
= cr.
We
a of ~H
< t and
inference
rules
H,
a-field
executions
be
PH
probabilities
[17]
it
the
abilistic cution
probability
space
fragment, Given space
of
so
H}.
A
The
unique
extension
E
that
of
is a unique
above,
and
H
a of
H,
2.
to
(fl~,
3.
events
semi-timed execution
of the
associated
and with
each
have
1Note that a cone Ca can be used to express fimte execution a occurs
&
L
are
semi-timed
au-
U % W’
U“;
U’ IJ U“;
P is
Bound
validity U’
of
for
Statements a probabilistic
a probabilistic
hinted
of
at
random
in
[11],
draws
execution
that
starting
give
the
time
semi-timed consists
of
the
of
M,
that and
may
occur
choose
in
some
a
of the
from
a state
is
resolved,
chosen
of
U,
the
outcomes
no
matter
chosen
with
some
draws
give
how
random minimum
p;
that
whenever a state
technique
the
of U’
chosen is reached
behind
teed
whenever
In
results. The set
i.e.,
an
gives ability
a
ment
exe-
that
H
the
time
177
two
steps
withi~
for
the
time
chosen t.
the
t.
first
If
we
each
outcomes. the
give
chosen the
step
probabilistic
in a state
steps
in
are
of U,
reformulated
terms that
specific of the start
in
random
draws
minimum
prob-
can
be
formulated
execution P[@
~ OH] in terms
be carryed out by showing that a of @ a state of U’ is reached a non-probabilistic
of intu-
is guaran-
some
of M
Then
second
the
success
be reformulated
admissible
two
build
draws
of the
starts
step can fragment
that
random
that of
arguments Usually
is exactly
can
chosen
that
informal
fragments
every
of M
the
literature.
execution such
of the
the third execution
the
specific
requirement
Once
probability
some
of U and one
to
in
an algorithm
first
as follows:
prob-
appear
@ of admissible
for
since
seversJ
corresponds
that
ition
is a well
sufficient
the fact
then
Time
nondeterminism
of
measure
probabilistic
a different
new
ones
outcomes;
correctness
a.
automaton, may
a set
Show
This
mea-
of ~H,
are not
semi-timed automaton
fragments, is
subset
alone
derive
Then,
U“,
U I-I U“
which
outcome,
a state
is a measurable
However,
+
the
U
probability
space. of H
to
existing
steps.
draws
a
product
~H)
be used from
smallest
generating ~H,
Uf
prove
M,
Show
I cr is a
probability
probability
thus
can
be a probabilistic
Probabilistic
possible it
probability
is the
set that
P
1. Choose
c#lH
consisting
of the
that
G States(M).
then
probabilistic
with
is the
M
and
statement
following
al
Then,
{al
The
PH [c~]
transition
there
~H C~,
as a prefixl.
a probabilistic
fragment
cones
as follows:
each
property
of
=
a’ such
u u’”.
automaton
by
execution
~H
a-field
is the of
set
a prefix
■
statements
U’”
U’,
technique
bound
probabilistic
a probabilistic
is the
a
cones
its
starts
is the
that,
), let
associated
that
U!
Proving
3.2
a
fragment
fragment
of [11]
Let
U“,
if U +
u’
that
Note
execution
execution
having
of ~H.
analysis
each
that
M
3.
of H,
fragment,
qO m alslazsz...
~H
event
probabilktic
=
each
sample
probability
elament
For
set
is shown the
execution
of
admis-
eu~,t(ll)
a has
P
M.
Denote
)az Mate(q2) . . . .
the
on
the
An
the
contains
defined
defined
for
studied.
the
of
measure
having
that
execution that
sure
qO (a’
of H.
H
U’
each
of is
of
state
for
c U’.
bound
3.5 U, U’,
.2. if U ~
execution
qOaI (goalsl)az(qoalslazsz).
execution can
start
that
iff
L
a
of
fragments
go be the
M
au-
U
following.
the
H
fragment
on execution Let
of M.
with
define
behavior
every
such
ktate(cr’)
time
the
probabilktic fragment
executions
execution
of a probabilistic
show
complete
an
go A alistrate(ql
sequence
now
the
a2g2 . . . be an execution
starting the
executions
then
for
Then
here
the
if
is true
R~O.
fragment
paper
we prove
Specifically, of M,
by
fragment
denote
and
with
semi-timed
c
> p, where
■ between
operations
definition
is an execution
that
that
t
P~[eu,,J
1.
in
In this
results
event
of a probabilistic
a probabilistic
States(M),
execution
going
to resolve
~
of U,
Proposition
case.
correspondence.
execution
the
are
cannot the
be
definition
probabilistic
is necessary
randomization.
fragment
two
the
we
be used
M
An of ~H
y
a special
nondeterminism
automaton
represented
exploit let
the
executions.
execution
plus
what
formal
a state
the
to a ~robabilit
feature
the
event
of M.
with
tomaton,
prove
correspondence
probabilistic
probabilistic of
all
semi-timed
its
lead state)
second
randomization
carry There
the
resolve
nondeterminism; over
to
3.5;
able
can
arxobabilis-
deadlock.
is necessary be
astateof
(action,
models
automaton
we assume
of [17]
pairs
Proposition
want
from
fragment
is needed. an
sible
Some
leaves
execution
Let
U, U’
ltirne(cr’)
a state;
transition
associates
give
tomaton,
probabilistic 2.
structure
that
statement.
of executions 1. the
abstract
to be
execution
the
a more
is a function
We
Start(M). m-knissiblei
Thus,
schema
automaton,
frag> p. of
@,
for any within called
a generating contain
automaton,
@, and
the
generating
are
done.
of
automata built
carry
2.2 can
tomaton
that
automaton
To
Section
so that
we show
for
leads
out
this
or
any
be
applied.
step
the
technique Given
the
admissible
execution
for
a set
properties
of
then
progress
In
we
function
non-probabilistic
@, a generating
described
above
Example
4
executions
admissible
to U’withintimet,
last
other
@ with
its
each
section
The
problem
same
to
as follows. 3.6
tomaton, ments
and
let
of M.
=
a set
prove
E
States(A)
is
the
set
admissible
au-
execution
the
=
of
c
finite
{q G States(A) iff
generating
prefixes
of A by
state
Z’rarzs(A)
I 3aZe@CV
to flip
a process
associated
and
that
one
symmetry
is ready
is necessary
The
then
the
Once
given
LR.
a coin,
process flips.
we are proving
URUF},
following.
U ~
C {~ fl,
%’z and
probabtistic and
TL7Z7-
F},
U @ U j
process one
Progress
g U L for
%
process
s of ~
We
and the
of X.
c {~
such
that
U ~
Xk+l
set of states
C
of X such
is
C. of
the
set
7
transition
a state
be the
to
flipped
that
F.
of
at least
coin
reason
=
71
F
1 some
another
this
xk
Let
reach-
two
the
Consider
that
in
statement
that
or ~ is
towards
exist
is
probabil-
transition,
must
asymmetrically.
completeness
that
some
is in P, which
of !7 there
reaching
if
21 and
go to C on the
state
for
for
that
time
~ is a substantial
in each
element
is
within
some
will
Reaching
C, since
processes
statement then
either
process
reached.
a key
this
a coin,
1/2
same
ing
of
to flip
proof
leads
time
be that
bound The
Since
Automaton
if some
outcomes
within
flipped
the
is that
two
coin,
is
to
intuition
the
is broken. The
the Generating
time
later
U j} 73
bound
combine
and
form
Xk+l
statement
the
of 7.
for each
statements
U fi
E {~
a partition using
U j}.
We
of the
prove
three
Proposition
a
sets,
3.5.
UC,
wAF(J~uL, Proof. LR
Denote where
u,
by
left,
is equal
and
to
right,
left
and
the
S = {(fli~k, ~efik), (fl~Pk-1, r@tk_l 4.2 by showing that the set @I = the In
the
rest
of the
paper
we analyze
only
~
~
~ UC.
conditions
of Theorem
Lemma
4.1,
PH[
abilistic
execution
G
>
1/2
fragments
H
)}. we fir-st~(LR, for
all
that
of
states
of
respectively.
Let
prove Lemma 71 ) satisfies
t= 1 and
3.8 with
n OH]
sets
right,
p =
1/2.
From
admissible
start
with
prob-
a state
of
is left
to
F].
4.3
Help
Before an
in Building
proving
the
auxiliary
result,
condition timed
bound
that
can
k, consisting
of an that
Assume
restrict
our start
3.8.
such
first
occurrence
a leads
Lemma
4.1
fragment
of M
number-s for Q]
H
be an
admissible
with
O and
Then
a state
of [11].
transitiova(s,
pj.
to
that U)
such
Lemma
4.1
coins.
Each
draws
and
lowed. then
is called
algorithms
If
action the each
Lemma
nondeterminism coin
is flipped
at least
a coin
be the
Mate(s).
that
the a,’s
a,
U;
The
?
of
U, each
1 < j
(l QH]
>
p(s)
identifies
4.1 can or the
first
the
the
be used
is resolved
in
[11]
since
< n
and
P[Uj
the coin
possible
outcomes that
~
is flipped
that
j7ippedk,k_1 or flipk_l
s./ast(T8 and p on
@I.
It
true for A].
) and
States(Al
We do it
(s) be a predioccur in S. For s. now
instead
now
respectively.
ktate(s).
), and
the
of
function
as follows:
~
s E restates
althe no
head
=
(rnin(s.last(jlipk),
complete
proof out
induction,
a time
(cf.
(p(s),
showing This
which Section
E {E
uf’
Informally,
p(s)
that
U Zt
p(s)
is
s @ ~t
p(s)) that
can
4.7).
the
The
coin u
yet.
is a progress
180
the
That
by
effect
proof
to
carry function,
of Theo-
standard
struc-
of all actions, can
be
proof
one
verified
me-
together
with
■
s is a reachable processes
function
conditions
state
k and
of Al
k – 1 did
such
not
flip
is,
A =j7ippedk,k_1
s G restates
However,
1/2.
that
and
– snow).
is a progress the
be done
considers
says
U R})
s.last(flipk_l))
that by
2.3 are satisfied.
any
a coin, either
A =flippedk,k-l(s)
chanically by a computer. The complete its automation can be found in [15].
of
how
gives
R~O
be carried
at
fair are
of flipping
Let jlipk
s. X,,
predicate
The
tural
random
that
no matter
probabihty that
most
by flipping
of the
process
to say
the
can rem
~
. . ..p~).
in
of AI. either
As.xk = F A (S.XL1 As G ~?_~ \ CT
be real
rnin(pl,
method.
for
first
execution
pr-obab~ity
Gt U .CT is
write
: States(Al)
occur
P1, . . ..p~
~
Mate(s) .last(T,)
following
probabilistic
the
one
identifies
we X,,
automaton
function
Star-t(Al) progress
Define set
generating
Let s be a state that is true iff
fragments
of the
is introduced
a, identifies
set
the
occur in a, the first
for
lemma
randomization
that
using
be the
shorthand
us
■
the
show
cate
U, of Let
Al
P(s)
(Q, F, P))
PH~rst~(M,
z’
, each
initially
initially
class
a start
of the
following
M’,
and
M’
The if
E R+ U {co}
T) of
transition
relation
a E Actions(M),
Trans(
in of
b))
iff
basic,
state
com-
if some O;
the
action
upper(T)
if some co.
c Q (S’. now
2. (s. basic,
T
in U.
●
Istate(q).
●
lstate(g).last(
●
lstate(q).first(
~,
conditions
P))
verifying 2.3.
Recall to
P’))
I s c Q},
is a transition
and
of &f,
P’[s.basic]
= P[S]
where
for
all
Q’ =
defined
T in
the
that Al
for
all
(b)
c
Cl such
for
all s’ c C? such
or
T is not
lower(T)
and T)
is
T
in
s’.last(
T)
and
( Time
T)
s’.last(
enabled
enabled
=
T)
action,
(M,
not
in
s’. basic
(c)
for
P(s) in s’, if a c
l“
= s. now
+
s’.fkrt
snow+ T,
upper(
then
s’.first(
T);
if
T)
=
v(t), then
say
following
(s, v(t),
=
We
verify
ing
the
We to
often
s’)
conditions
ii.
s’.first( s’.last( the
s
s.last(
that
T)
= s.first(
T)
of
following
part
4.6
s of
b) for
●
Time(M,
(p(s),
S.rlow
●
s.last(T)
4.2 we have
considered stated
time
Al
@l
generating
the
for
of Thechosen
the
that
function
and
to support
bound we have
the
claim:
(s)
G {5
UF U R})
s.last(f?ipk_l)) is a progress
of Theorem
s c Start(Al
).
p(s)
=
false.
=
true.
We In
case
this
function
and
Proposition
two
by analyz-
4.7.
cases.
U CT trivially.
s c gt
case
by definition,
– s.nozu).
2.3 separately.
distinguish
this
In
2. Consider
a transition
true.
distinguish
We
‘P(s)