Javier Esparza | Technische Universität München
Papers by Javier Esparza
Population protocols are a well established model of distributed computation by mobile finite-state agents with very limited storage. A classical result establishes that population protocols compute exactly predicates definable in Presburger arithmetic. We initiate the study of the minimal amount of memory required to compute a given predicate as a function of its size. We present results on the predicates $x \geq n$ for $n \in \mathbb{N}$, and more generally on the predicates corresponding to systems of linear inequalities. We show that they can be computed by protocols with $O(\log n)$ states (or, more generally, logarithmic in the coefficients of the predicate), and that, surprisingly, some families of predicates can be computed by protocols with $O(\log\log n)$ states. We give essentially matching lower bounds for the class of 1-aware protocols.
Population protocols (Angluin et al., PODC, 2004) are a formal model of sensor networks consisting of identical mobile devices. Two devices can interact and thereby change their states. Computations are infinite sequences of interactions satisfying a strong fairness constraint. A population protocol is well-specified if for every initial configuration C of devices, and every computation starting at C, all devices eventually agree on a consensus value depending only on C. If a protocol is well-specified, then it is said to compute the predicate that assigns to each initial configuration its consensus value. In a previous paper we have shown that the problem whether a given protocol is well-specified and the problem whether it computes a given predicate are decidable. However, in the same paper we prove that both problems are at least as hard as the reachability problem for Petri nets. Since all known algorithms for Petri net reachability have non-primitive recursive complexity, in th...
Proceedings of the 35th Annual ACM/IEEE Symposium on Logic in Computer Science, 2020
In the mid 80s, Lichtenstein, Pnueli, and Zuck proved a classical theorem stating that every formula of Past LTL (the extension of LTL with past operators) is equivalent to a formula of the form $\bigwedge_{i=1}^{n} \mathbf{GF}\varphi_i \vee \mathbf{FG}\psi_i$, where $\varphi_i$ and $\psi_i$ contain only past operators. Some years later, Chang, Manna, and Pnueli built on this result to derive a similar normal form for LTL. Both normalisation procedures have a non-elementary worst-case blow-up, and follow an involved path from formulas to counter-free automata to star-free regular expressions and back to formulas. We improve on both points. We present a direct and purely syntactic normalisation procedure for LTL yielding a normal form, comparable to the one by Chang, Manna, and Pnueli, that has only a single exponential blow-up. As an application, we derive a simple algorithm to translate LTL into deterministic Rabin automata. The algorithm normalises the formula, translates it into a special very weak alternating automaton, and applies a simple...
Angluin et al. proved that population protocols compute exactly the predicates definable in Presburger arithmetic (PA), the first-order theory of addition. As part of this result, they presented a procedure that translates any formula $\varphi$ of quantifier-free PA with remainder predicates (which has the same expressive power as full PA) into a population protocol with $2^{O(\text{poly}(|\varphi|))}$ states that computes $\varphi$. More precisely, the number of states of the protocol is exponential in both the bit length of the largest coefficient in the formula, and the number of nodes of its syntax tree. In this paper, we prove that every formula $\varphi$ of quantifier-free PA with remainder predicates is computable by a leaderless population protocol with $O(\text{poly}(|\varphi|))$ states. Our proof is based on several new constructions, which may be of independent interest. Given a formula $\varphi$ of quantifier-free PA with remainder predicates, a first construction produc...
Population protocols are a formal model of computation by identical, anonymous mobile agents interacting in pairs. Their computational power is rather limited: Angluin et al. have shown that they can only compute the predicates over $\mathbb{N}^k$ expressible in Presburger arithmetic. For this reason, several extensions of the model have been proposed, including the addition of devices called cover-time services, absence detectors, and clocks. All these extensions increase the expressive power to the class of predicates over $\mathbb{N}^k$ lying in the complexity class NL when the input is given in unary. However, these devices are difficult to implement, since they require that an agent atomically receives messages from all other agents in a population of unknown size; moreover, the agent must know that they have all been received. Inspired by the work of the verification community on Emerson and Namjoshi's broadcast protocols, we show that NL-power is also achieved by extendin...
2015 Formal Methods in Computer-Aided Design (FMCAD)
Algorithms for the coverability problem have been successfully applied to safety checking for concurrent programs. In a former paper (An SMT-based Approach to Coverability Analysis, CAV14) we have revisited a constraint approach to coverability based on classical Petri net analysis techniques and implemented it on top of state-of-the-art SMT solvers. In this paper we extend the approach to fair termination; many other liveness properties can be reduced to fair termination using the automata-theoretic approach to verification. We use T-invariants to identify potential infinite computations of the system, and design a novel technique to discard false positives, that is, potential computations that are not actually executable. We validate our technique on a large number of case studies.
In rendezvous protocols an arbitrarily large number of indistinguishable finite-state agents interact in pairs. The cutoff problem asks if there exists a number B such that all initial configurations of the protocol with at least B agents in a given initial state can reach a final configuration with all agents in a given final state. In a recent paper [HS20], Horn and Sangnier prove that the cutoff problem is equivalent to the Petri net reachability problem for protocols with a leader, and in EXPSPACE for leaderless protocols. Further, for the special class of symmetric protocols they reduce these bounds to PSPACE and NP, respectively. The problem of lowering these upper bounds or finding matching lower bounds is left open. We show that the cutoff problem is P-complete for leaderless protocols, NP-complete for symmetric protocols with a leader, and in NC for leaderless symmetric protocols, thereby solving all the problems left open in [HS20]. Further, we also consider a variant of the cutoff problem suggested in [HS20] and prove that this variant is P-complete for leaderless protocols and NL-complete for leaderless symmetric protocols.
Proceedings of the ACM Symposium on Principles of Distributed Computing - PODC '17, 2017
Population protocols are a well established model of computation by anonymous, identical finite state agents. A protocol is well-specified if from every initial configuration, all fair executions reach a common consensus. The central verification question for population protocols is the well-specification problem: deciding if a given protocol is well-specified. Esparza et al. have recently shown that this problem is decidable, but with very high complexity: it is at least as hard as the Petri net reachability problem, which is EXPSPACE-hard, and for which only algorithms of non-primitive recursive complexity are currently known. In this paper we introduce the class $\mathrm{WS}^3$ of well-specified strongly-silent protocols and we prove that it is suitable for automatic verification. More precisely, we show that $\mathrm{WS}^3$ has the same computational power as general well-specified protocols, and captures standard protocols from the literature. Moreover, we show that the membership problem for $\mathrm{WS}^3$ reduces to solving boolean combinations of linear constraints over $\mathbb{N}$. This allowed us to develop the first software able to automatically prove well-specification for all of the infinitely many possible inputs. $\xrightarrow{*} C'$. An execution is an infinite sequence of configurations $C_0 C_1 \cdots$ such that $C_i \to C_{i+1}$ for every $i \in \mathbb{N}$. An execution $C_0 C_1 \cdots$ is fair if for * * * $\xrightarrow{*} C'$, then there exists $x : T \to \mathbb{N}$ such that $(C, C', x)$ satisfies all of the flow equations. However, this over-approximation alone is too crude for the verification of protocols.
We show how to verify the correctness of insertion of elements into red-black trees, a form of balanced search trees, using analysis techniques developed for graph rewriting. We first model red-black trees and operations on them using hypergraph rewriting. Then we use the tool Augur, which computes approximated unfoldings, in order to show that insertion preserves the property that there are no two consecutive red nodes in a tree, a requirement for red-black trees. Furthermore, we prove that the tree remains balanced by exploiting a type system that can be obtained as an instance of a general framework.
Research partially supported by DFG project SANDS and EC RTN 2-2001-00346 SegraVis.
3 Insertion into Red-Black Trees using Graph Rewriting
We introduce now the concepts of graph rewriting rule and rewriting step, which will be used to model the insertion of a new node into a red-black tree.
Definition 3 (Graph rewriting rule). A graph rewriting rule r is a tuple $(L, R, \alpha)$ where $L$ and $R$ are hypergraphs, called the left-hand side and right-hand side of the rule, while $\alpha : V_L \to V_R$ is an injective function.
Lecture Notes in Computer Science, 2015
We characterize the complexity of liveness verification for parameterized systems consisting of a leader process and arbitrarily many anonymous and identical contributor processes. Processes communicate through a shared, bounded-value register. While each operation on the register is atomic, there is no synchronization primitive to execute a sequence of operations atomically. We analyze the case in which processes are modeled by finite-state machines or pushdown machines and the property is given by a Büchi automaton over the alphabet of read and write actions of the leader. We show that the problem is decidable, and has a surprisingly low complexity: it is NP-complete when all processes are finite-state machines, and is PSPACE-hard and in NEXPTIME when they are pushdown machines. This complexity is lower than for the nonparameterized case: liveness verification of finitely many finite-state machines is PSPACE-complete, and undecidable for two pushdown machines. For finite-state machines, our proofs characterize infinite behaviors using existential abstraction and semilinear constraints. For pushdown machines, we show how contributor computations of high stack height can be simulated by computations of many contributors, each with low stack height. Together, our results characterize the complexity of verification for parameterized systems under the assumptions of anonymity and asynchrony.
We present a set of reduction rules for LTL model-checking of 1-safe Petri nets. Our reduction techniques are of two kinds: (1) Linear programming techniques which are based on well-known Petri net techniques like invariants and implicit places, and (2) local net reductions. We show that the conditions for the application of some local net reductions can be weakened if one is interested in LTL model-checking using the approach of [EH00,EH01]. Finally, we present a number of experimental results and show that the model-checking time of a net system can be significantly decreased if it has been preprocessed with our reduction techniques.
This paper focuses on the problem of computing the minimal test suite for a terminating multithreaded program that covers all its executable statements. We have in previous work shown how to use unfoldings to capture the true concurrency semantics of multithreaded programs and to generate test cases for it. In this paper we rely on this earlier work and show how the unfolding can be used to generate the minimal test suite that covers all the executable statements of the program. The problem of generating such a minimal test suite is shown to be NP-complete in the size of the unfolding, and as a side result, covering executable transitions of any terminating safe Petri net is also NP-complete in the size of its unfolding. We propose SMT-encodings to these problems and give initial results on applying this encoding to compute the minimal test suite for several benchmarks.
We report on an implementation of the unfolding approach to model-checking LTL-X recently presented by the authors. Contrary to that work, we consider a state-based version of LTL-X, which is more widely used in practice. We improve on the checking algorithm; the new version allows code to be reused much more efficiently. We present results on a set of case studies.
... We thank Wilfried Brauer for his continuous support and his help in finding a publisher, and Ronan Nugent, from Springer, for his smooth handling of the publication process. München, Germany and Espoo, Finland, October 2007. Javier Esparza, Keijo Heljanko ...
We show how to verify the correctness of insertion of elements into red-black trees—a form of balanced search trees—using analysis techniques developed for graph rewriting. We first model red-black trees and operations on them using hypergraph rewriting. Then we use the tool Augur, which computes approximated unfoldings, in order to show that insertion preserves the property that there are no two consecutive red nodes in a tree, a requirement for red-black trees. Furthermore, we prove that the tree remains balanced by exploiting a type system that can be obtained as an instance of a general framework.
Formal Methods in System Design, 2002
... In Section 3 we show that McMillan's algorithm is just an element of a whole family of algorithms for the construction of finite complete prefixes. ... generated by the new algorithm for the 1-safe system of Figure 1(a), respectively. ...
Lecture Notes in Computer Science, 1995
... Javier Esparza and Astrid Kiehn ... It was also shown that the modal mu-calculus is undecidable. ... where $x \leq y$ if there is a path in $N$ leading from $x$ to $y$, and $x \# y$ if there are $e, e' \in E$, $e \neq e'$, such that ${}^\bullet e = {}^\bullet e'$ and $e \leq x$ and $e' \leq y$ (we then say that $x$ and $y$ are in conflict). ...
ABSTRACT. This paper introduces two new structural objects for the study of nets: handles and bridges. They are shown to provide sufficient, although not necessary, conditions of good behaviour for general ordinary nets, as well as a new characterisation of structural liveness and ...