
I don't understand where I went wrong. Mutual exclusion is returned as SAT by the Z3 solver. Did I make an error? I'm using four arrays for the four places in my picture, and I want to check that no two processes enter the critical section at the same time.

```smt2
; one array per place: (select pN i) is the number of tokens in place pN at time i
(declare-const p0 (Array Int Int))
(declare-const p1 (Array Int Int))
(declare-const p2 (Array Int Int))
(declare-const p3 (Array Int Int))
(declare-const p4 (Array Int Int))
; t0: takes one token from p1 and one from p2, puts one token into p0
(define-fun t0 ((i Int)) Bool
 (and
  (= (select p1 (+ i 1)) (- (select p1 i) 1))
  (>= (select p1 i) 1)
  (= (select p2 (+ i 1)) (- (select p2 i) 1))
  (>= (select p2 i) 1)
  (= (select p0 (+ i 1)) (+ (select p0 i) 1))
 )
)
; t1: takes one token from p0, puts one token into p1 and one into p2
(define-fun t1 ((i Int)) Bool
 (and
  (= (select p0 (+ i 1)) (- (select p0 i) 1))
  (>= (select p0 i) 1)
  (= (select p1 (+ i 1)) (+ (select p1 i) 1))
  (= (select p2 (+ i 1)) (+ (select p2 i) 1))
 )
)
; t2: takes one token from p4 and one from p2, puts one token into p3
(define-fun t2 ((i Int)) Bool
 (and
  (= (select p4 (+ i 1)) (- (select p4 i) 1))
  (>= (select p4 i) 1)
  (= (select p2 (+ i 1)) (- (select p2 i) 1))
  (>= (select p2 i) 1)
  (= (select p3 (+ i 1)) (+ (select p3 i) 1))
 )
)
; t3: takes one token from p3, puts one token into p4 and one into p2
(define-fun t3 ((i Int)) Bool
 (and
  (= (select p3 (+ i 1)) (- (select p3 i) 1))
  (>= (select p3 i) 1)
  (= (select p4 (+ i 1)) (+ (select p4 i) 1))
  (= (select p2 (+ i 1)) (+ (select p2 i) 1))
 )
)
; prop0: p0 and p3 both hold a token at time i
(define-fun prop0 ((i Int)) Bool
 (and
  (> (select p0 i) 0)
  (> (select p3 i) 0)
 )
)
; prop1: p0 holds a token at time i
(define-fun prop1 ((i Int)) Bool
  (> (select p0 i) 0)
)
; initial marking at time 0
(assert (= (select p0 0) 0))
(assert (= (select p1 0) 1))
(assert (= (select p2 0) 1))
(assert (= (select p3 0) 0))
(assert (= (select p4 0) 1))

; at time 0 either t0 or t1 fires
(assert (or (t0 0) (t1 0)))
;(assert (or (t0 1) (t1 1)))
;(assert (or (t0 2) (t1 2)))
;(assert (or (t0 3) (t1 3)))
;(assert (or (t0 4) (t1 4)))
;(assert (or (t0 5) (t1 5)))

;(assert (or (prop0 0) (prop0 1) (prop0 2)))
;(assert (and (or (t0 0) (t1 0)) (prop1 0)))
; at time 1 either t0 or t1 fires
(assert (or (t0 1) (t1 1)))

; here I check that p0 and p3 are never in the critical section together
(assert (or (prop0 0) (prop0 1)))
(check-sat)
```


uwevil
    It would be very helpful if you would provide comments for these expressions and explain in English what you are trying to accomplish at each step. Are you generating this instance from a tool or did you create this by hand? – mtrberzi Jan 15 '16 at 04:02
  • I created it by hand. p0 ... p4 are 4 places like in the photo. Each place contains an array; each cell in the array symbolizes an instant of time t. For example, (select p0 1) is p0 at time 1. t0 .. t3 are transitions. The property that I want to check is prop0: 2 processes can go into the critical section at the same time. – uwevil Jan 15 '16 at 08:24

1 Answer


Z3 is working perfectly well. The problem is that the token decrement is not formalized properly. t0 and t1 can fire at the same time, and according to the specification only one token will be removed from p2. You have:

t0 <=> decrease p2 and ...

t2 <=> decrease p2 and ...

But two decrements by one at the same time do not mean a decrement by two.

Moreover, you should take care of more things, like an unchanged number of tokens in the case of no firing, etc.

mmpourhashem
  • Thanks, you are absolutely right, but how can I make sure that t0 is fired and t2 cannot be fired because the token in p2 is gone at the instant i+1? – uwevil Jan 20 '16 at 09:16
  • The next value of p2 depends on t0, t1, t2, and t3. The following assertion takes care of all the 16 cases: `nextp2 = p2 + (ite t0 -1 0) + (ite t2 -1 0) + (ite t1 1 0) + (ite t3 1 0)` – mmpourhashem Jan 21 '16 at 03:06
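Added example, not part of the question or of the answer: a small Python model of the asker's net that contrasts the question's per-transition updates (each firing transition asserts its own `p' = p - 1`, so two decrements of p2 collapse into one) with the sum-of-effects update from the comment above (`nextp2 = p2 + (ite t0 -1 0) + ...`), plus a generator for a corrected SMT-LIB 2 script that also fixes the "unchanged tokens when nothing fires" gap the answer mentions. The places and arcs are read off the t0..t3 definitions in the question; the example additionally assumes that a marking may never go negative (that is what rules out t0 and t2 firing together on a single token), and the names `correct_step`, `naive_step`, `reachable`, `violations` and `smtlib_encoding` are my own.

```python
from itertools import product

# Constructed model of the asker's net: five places p0..p4 (p2 is the shared
# mutex token); each transition lists (places it consumes from, places it
# produces into), one token each, exactly as the t0..t3 definitions above.
TRANSITIONS = {
    "t0": ((1, 2), (0,)),   # process A enters its critical section (p0)
    "t1": ((0,), (1, 2)),   # process A leaves and returns the mutex token
    "t2": ((4, 2), (3,)),   # process B enters its critical section (p3)
    "t3": ((3,), (4, 2)),   # process B leaves and returns the mutex token
}
PLACES = 5
INITIAL = (0, 1, 1, 0, 1)   # the asker's marking at time 0


def enabled(marking, t):
    """The guard the asker already has: every consumed place holds a token."""
    return all(marking[p] >= 1 for p in TRANSITIONS[t][0])


def correct_step(marking, fired):
    """Next marking when the transitions in `fired` fire at once: every place
    receives the SUM of all effects (the answer's ite-sum), untouched places
    stay unchanged, and no place may go negative (assumption added here)."""
    if not all(enabled(marking, t) for t in fired):
        return None
    nxt = list(marking)
    for t in fired:
        consumed, produced = TRANSITIONS[t]
        for p in consumed:
            nxt[p] -= 1
        for p in produced:
            nxt[p] += 1
    return None if min(nxt) < 0 else tuple(nxt)


def naive_step(marking, fired):
    """Mimics the question's encoding: each firing transition asserts
    p' = p - 1 or p' = p + 1 by itself, so two decrements of the same place
    collapse into one and +1 together with -1 on one place is contradictory.
    (The question also leaves untouched places unconstrained; they are kept
    unchanged here so that the state space stays finite.)"""
    if not all(enabled(marking, t) for t in fired):
        return None
    effects = [set() for _ in range(PLACES)]
    for t in fired:
        consumed, produced = TRANSITIONS[t]
        for p in consumed:
            effects[p].add(-1)
        for p in produced:
            effects[p].add(1)
    if any(len(e) > 1 for e in effects):
        return None   # p' = p - 1 and p' = p + 1 cannot both hold
    return tuple(m + sum(e) for m, e in zip(marking, effects))


def reachable(step, bound):
    """All markings reachable from INITIAL in at most `bound` steps, trying
    every subset of transitions at every step (the 16 cases of the comment)."""
    seen, frontier = {INITIAL}, [INITIAL]
    for _ in range(bound):
        nxt = []
        for m in frontier:
            for bits in product((False, True), repeat=len(TRANSITIONS)):
                fired = [t for t, b in zip(TRANSITIONS, bits) if b]
                n = step(m, fired)
                if n is not None and n not in seen:
                    seen.add(n)
                    nxt.append(n)
        frontier = nxt
    return seen


def violations(step, bound):
    """Reachable markings with a token in both p0 and p3 (the asker's prop0)."""
    return {m for m in reachable(step, bound) if m[0] > 0 and m[3] > 0}


def smtlib_encoding(bound):
    """Corrected SMT-LIB 2 script for Z3 (constructed here, not the asker's):
    p{n}_{i} is the marking of place n at step i, t{j}_{i} is true when that
    transition fires at step i, and 'sat' means mutual exclusion is violated."""
    def app(op, args):   # avoid one-argument (and ...) / (+ ...) / (or ...)
        return args[0] if len(args) == 1 else f"({op} {' '.join(args)})"
    out = [f"(declare-const p{n}_{i} Int)" for i in range(bound + 1) for n in range(PLACES)]
    out += [f"(declare-const {t}_{i} Bool)" for i in range(bound) for t in TRANSITIONS]
    out += [f"(assert (= p{n}_0 {v}))" for n, v in enumerate(INITIAL)]
    for i in range(bound):
        for t, (consumed, _) in TRANSITIONS.items():   # firing implies enabled
            guard = app("and", [f"(>= p{p}_{i} 1)" for p in consumed])
            out.append(f"(assert (=> {t}_{i} {guard}))")
        for n in range(PLACES):   # frame condition: next = current + sum of effects
            terms = [f"p{n}_{i}"]
            for t, (consumed, produced) in TRANSITIONS.items():
                if n in consumed:
                    terms.append(f"(ite {t}_{i} (- 1) 0)")
                if n in produced:
                    terms.append(f"(ite {t}_{i} 1 0)")
            out.append(f"(assert (= p{n}_{i + 1} {app('+', terms)}))")
            out.append(f"(assert (>= p{n}_{i + 1} 0))")
    bad = app("or", [f"(and (> p0_{i} 0) (> p3_{i} 0))" for i in range(bound + 1)])
    out.append(f"(assert {bad})")
    out.append("(check-sat)")
    return "\n".join(out)


if __name__ == "__main__":
    print("question's encoding, 1 step:", violations(naive_step, 1))
    print("corrected encoding, 10 steps:", violations(correct_step, 10))
    print(smtlib_encoding(2))
```

Under the question's semantics the marking (1, 0, 0, 1, 0), both processes in their critical section, is reached after a single step by firing t0 and t2 together, which is exactly the model Z3 reports as sat. Under the summed semantics that firing would drive p2 to -1 and is rejected, so only three markings are reachable and none violates prop0. The script returned by `smtlib_encoding(k)` can be saved to a file and run with `z3 file.smt2`; `unsat` means no violation exists within k steps, and because the encoding is bounded, k has to be large enough to cover the behaviour of interest.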