
*Proof*. Let \(T = (S, S_0, {\to})\) be a transition system, and suppose \(I\) is an inductive invariant of \(T\). We will show \(I\) is an invariant, i.e., that \(I\) contains all reachable states. So let \(s \in \mathrm{Reach}(T)\) be arbitrary. By definition of \(\mathrm{Reach}(T)\), there exists an \(s_0\in S_0\) and a path \(p\) of edges in \(\to\) from \(s_0\) to \(s\). We will proceed by induction on the number of edges in this path.

- Base case: zero edges. In this case, the path is the empty path from \(s_0\) to itself, so \(s=s_0\). Since \(I\) is an inductive invariant, it follows that \(s\in I\) by the first clause of the definition of an inductive invariant.
- Inductive case. Suppose \(p\) consists of \(n > 0\) edges. Write \(s_0 \to s_1 \to \dots \to s_n\) for the states visited by \(p\), where \(s_n = s\). Since \(s_{n-1}\) is reachable by a path of length shorter than \(n\), the induction hypothesis tells us that \(s_{n-1}\in I\). Then since \(s_{n-1}\to s\) and \(I\) is an inductive invariant, it follows that \(s \in I\) by the second clause of the definition of an inductive invariant.

\(\Box\)

**Example**: In the robot system, the set of points such that \(x+y\ge 5\) (drawn as the blue region in the figure above) is an inductive invariant.

*Proof*. Let \(I^{\mathsf{robot}} = \{(x,y)\mid x+y\ge 5\}\). We need to show \(I^{\mathsf{robot}}\) contains all initial states and is closed under steps of \(\to^{\mathsf{robot}}\). - Base case: There is only one initial state, \((0,5)\), and it satisfies \(x + y\ge 5\). - Inductive case: Assume \(s\in I^{\mathsf{robot}}\) and \(s\to s'\). We will show \(s'\in I^{\mathsf{robot}}\). Write \(s = (x,y)\) and \(s'=(x',y')\). Since \(s\in I^{\mathsf{robot}}\), we have \(x+y\ge 5\). We need to show \(x' + y' \ge 5\). There are two possible steps that could be taken from \(s\) to \(s'\), either southeast or north. - Case southeast. In this case, \(x' = x + 1\) and \(y' = y - 1\). Then \[ \begin{align} x' + y' &= (x + 1) + (y - 1)\\ &= x + y\\ &\ge 5\\ \end{align} \] - Case north. In this case, \(x' = x\) and \(y' = y + 1\). Then \[ \begin{align} x' + y' &= x + (y + 1)\\ &> x + y\\ &\ge 5\\ \end{align} \] In either case, it follows that \(s'\in I^{\mathsf{robot}}\). \(\Box\) ### Counterexamples to Induction (CTIs) Just as it is useful to understand when something is not an invariant, it is also useful to understand when something is not an *inductive* invariant. If \(I\) is not an inductive invariant, it means that one of the two clauses in the definition of an inductive invariant fails to hold. If the first clause fails, it means that there is an initial state that is not in \(I\). Such a state is also a counterexample to safety, so there is nothing new from this clause. If the second clause fails, then it means that there are states \(s\) and \(s'\) such that \(s\in I\) and \(s\to s'\) but \(s'\not\in I\). In other words, \(s \to s'\) is an edge of the graph that crosses the boundary of \(I\) from inside \(I\) to outside \(I\). We give such edges a special name. **Definition**: Let \(T = (S, S_0, {\to})\) be a transition system and let \(I\subseteq S\) be a set of states. 
If \(s\) and \(s'\) are states in \(S\) such that \(s\in I\) and \(s\to s'\) but \(s'\not\in I\), then we call \((s, s')\) a *counterexample to induction*. **Example**: In the robot system, \(P^{\mathsf{robot}}\), the set of all states outside the red circle, is not an inductive invariant. (But it is an invariant!) For example, the edge \((0,-4)\to(0,-3)\) is a counterexample to induction, since it is an edge that uses a north move to cross from inside \(P^{\mathsf{robot}}\) to outside \(P^{\mathsf{robot}}\) . Another CTI is \((-3, 3)\to(-2,2)\), which uses a southeast move to enter the red circle from the northwest. ## The Recipe When given a transition system \(T\) and set of states \(P\) that might or might not be an invariant, you should go through the following steps. - Look for counterexamples to safety (CTSs) for \(P\). - These are reachable states of \(T\) that are not in \(P\). - If you find a CTS, you have shown that \(P\) is not an invariant. - If you can't find any CTSs, you should move on to trying to prove \(P\) is an invariant. The primary way to prove something is an invariant is to find an *inductive* invariant. Start by setting \(I = P\). - Try to figure out if \(I\) is inductive. Usually for the first few attempts it is not inductive, so you will want to look for a counterexample to induction (CTI). - Remember that a CTI for \(I\) is a pair of states \(s \to s'\) such that \(s\in I\) but \(s'\not\in I\). - If you find a CTI, you have shown that the current version of \(I\) is not inductive. - You should *strengthen* \(I\) (making it a smaller set by adding more constraints) to rule out \(s\) from your CTI. - With your new definition of \(I\), go to the top of this step and try again to figure out if it is inductive. - If you can't find a CTI, try writing a proof that \(I\) is inductive. 
### The Recipe on the robot - Suppose we are given \(T^{\mathsf{robot}}\) and \(P^{\mathsf{robot}}\) and we want to determine whether \(P^{\mathsf{robot}}\) is an invariant. - Follow the recipe! - Look for counterexamples to safety: are there any reachable states that are not in \(P^{\mathsf{robot}}\)? - From drawing some pictures or clicking through the animations, intuitively it seems like no. - So we move on to trying to find an inductive invariant that implies \(P^{\mathsf{robot}}\). - We start by seeing if \(P^{\mathsf{robot}}\) is already inductive. - It's not! \((0,-4)\to(0,-3)\) is a CTI - We need to strengthen the invariant so that it rules out \((0,-4)\). - A good choice is \(I^{\mathsf{robot}}\), all states on or above the line \(x+y=5\). - We now check if \(I^{\mathsf{robot}}\) is inductive. Are there any CTIs? - From doodling, it seems like there are no edges that cross from inside \(I^{\mathsf{robot}}\) to outside \(I^{\mathsf{robot}}\). - Now we can try to write a proof that \(I^{\mathsf{robot}}\) is inductive. We did this [above](#robot-inductive-proof). - Since \(I^{\mathsf{robot}}\) is an inductive invariant, it is an invariant. Also, \(I^{\mathsf{robot}} \subseteq P^{\mathsf{robot}}\), since if \(x + y \ge 5\), then \[ \begin{align} x^2 + y^2 &\ge x^2 + (5 - x)^2 \\ &= 2x^2 - 10x + 25 \\ &= 2(x - 5/2)^2 + 25/2 \\ &\ge 25/2 \\ &> 9. \end{align} \] It follows that \(P^{\mathsf{robot}}\) is also an invariant.
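The recipe above, run mechanically on the robot system, as an added example that is not part of the original notes: a brute-force checker that searches for CTSs by breadth-first exploration of the reachable states, searches for CTIs of a candidate invariant, and checks the inclusion \(I^{\mathsf{robot}} \subseteq P^{\mathsf{robot}}\). The search box \(|x|,|y| \le \mathrm{bound}\) is an assumption added so the checks terminate, and the red circle is taken to have radius 3, matching the \(x^2 + y^2 > 9\) in the derivation above.

```python
from collections import deque

INITIAL = {(0, 5)}  # the robot's single initial state

def step(state):
    x, y = state
    return [(x, y + 1), (x + 1, y - 1)]  # north move, southeast move

def P_robot(state):  # safety property: outside the red circle, x^2 + y^2 > 9
    x, y = state
    return x * x + y * y > 9

def I_robot(state):  # candidate inductive invariant: on or above x + y = 5
    x, y = state
    return x + y >= 5

def is_cti(cand, s, t):
    """(s, t) is a CTI for cand when s is in cand, s -> t, and t is not in cand."""
    return cand(s) and t in step(s) and not cand(t)

def find_cts(prop, bound):
    """BFS over reachable states clipped to |x|,|y| <= bound (assumed box); return
    the first reachable state outside prop (a CTS), or None if none is found."""
    seen, queue = set(INITIAL), deque(INITIAL)
    while queue:
        s = queue.popleft()
        if not prop(s):
            return s
        for t in step(s):
            if t not in seen and max(abs(t[0]), abs(t[1])) <= bound:
                seen.add(t)
                queue.append(t)
    return None

def find_cti(cand, bound):
    """Second clause of inductiveness, checked over every state in the box
    (the first clause is all(cand(s) for s in INITIAL)); return a CTI or None."""
    for x in range(-bound, bound + 1):
        for y in range(-bound, bound + 1):
            s = (x, y)
            if cand(s):
                for t in step(s):
                    if not cand(t):
                        return (s, t)
    return None

def implies(cand, prop, bound):
    """True if every state in the box satisfying cand also satisfies prop."""
    box = [(x, y) for x in range(-bound, bound + 1) for y in range(-bound, bound + 1)]
    return all(prop(s) for s in box if cand(s))
```

Running `find_cti(P_robot, 10)` produces an edge that crosses into the circle, `find_cti(I_robot, 10)` produces none, and `find_cts(P_robot, 40)` finds no reachable state inside the circle; a bounded search like this only gathers evidence, and the proof above is what actually establishes the invariant.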