- A transition system is a theoretical device that lets us study the evolution of a system like a distributed system and prove things about its behavior.
- Distributed systems are just so difficult to design that it really helps to have a theoretical framework in which to reason about system behavior.
- The autograder for the labs is built around a technology called model checking that is closely related to the study of transition systems.
- We will start with several non-distributed examples.

- Consider a robot that lives in a 2d integer grid world.
- It begins at the point \((0, 5)\)
- Its life evolves as a sequence of steps or moves
- At each step, the robot can either move north (up 1) or southeast (down and to the right by 1 each)
- No constraints on which move is chosen at each step -- both are always possible
- There is a "danger zone," which is a circle of radius 3 at the origin
- Question: is there *any* sequence of steps that leads the robot into the danger zone?

Check out the following graphical depiction of the world. (Click the right arrow to visualize all possible steps.)


- From clicking around, we can see that in all possible executions, the robot stays outside of the red circle.
- How would we write down a convincing argument demonstrating this?
- There are several approaches.
- From visual inspection, the closest the robot ever gets to the circle is at the points \((2,3)\) and \((3,2)\), both of which are outside the circle.
- The robot starts on the line \(x + y = 5\). Moves to the southeast are parallel to this line, while moves to the north take the robot further above the line. So, the robot is always on or above this line. Since the red circle is entirely below the line, it follows that the robot never enters the circle.
- In addition to the previous argument, the robot also starts on the line \(x = 0\) (the \(y\)-axis). Moves to the southeast take the robot to the right of the \(y\)-axis. Moves to the north are parallel to this axis. So the robot is always on the \(y\)-axis or to the right of it. Combined with the previous argument, this gives a tighter bound on which states the robot can visit.
- A line through \((0,5)\) and tangent to the circle also separates all reachable states from the circle.

- You can check out each of these approaches with the corresponding checkbox in the figure above.

**Definition**: A *transition system* consists of

- a set of states \(S\)
- a set of initial states \(S_0\subseteq S\)
- a binary (i.e., 2-argument) transition relation \({\to}\subseteq S\times S\)

We can think of a transition system as a (potentially infinite) directed graph whose nodes are elements of \(S\) and whose edges are given by \(\to\). (While the definition works perfectly fine with a finite set of states, every example we will look at will have infinitely many states.)

**Example**: We can write the robot example more formally as follows

\[
\begin{align}
T^{\mathsf{robot}} &= (S^{\mathsf{robot}},\ S_0^{\mathsf{robot}},\ {\to}^{\mathsf{robot}})\\
S^{\mathsf{robot}} &= \mathbb{Z} \times \mathbb{Z}\\
S^{\mathsf{robot}}_0 &= \{(0, 5)\}\\
{\to^{\mathsf{robot}}} &= \{((x,y), (x, y+1)) \mid x,y\in\mathbb{Z}\} \cup {}\\
&\phantom{{}={}} \{((x,y), (x+1, y-1)) \mid x,y\in\mathbb{Z}\}
\end{align}
\]

The state space is all pairs of integers. There is only one initial state, namely \((0, 5)\). And there are two kinds of transitions: north and southeast.

**Definition**: Let \(T = (S, S_0, {\to})\) be a transition system. A state \(s\) is *reachable* in \(T\), written \(s\in\mathrm{Reach}(T)\),
if there exists an initial state \(s_0 \in S_0\)
and a path in \(\to\) from \(s_0\) to \(s\). (Here we are treating the relation \(\to\) as a directed graph).

To prove that a state is reachable, we construct a path.

**Examples**: In the robot system, the state \((3,3)\) is reachable, because

\[
(0,5)\to(1,4)\to(2,3)\to(3,2)\to(3,3)
\]

where all steps except the last are southeast steps, and the last is a north step. Also, all states on the line \(x + y = 5\) with \(x \ge 0\) are reachable by a sequence of southeast steps. In particular, to reach \((x, 5-x)\) where \(x \ge 0\), the robot can take \(x\) southeast steps from \((0,5)\).

Intuitively, the state \((-1, 5)\) is not reachable, because the robot starts east of this point, and neither available move allows the robot to move west (decrease \(x\)). Also, the original question we asked about the robot example can be phrased as asking whether any states in the red circle are reachable.

To prove that states are *not* reachable, we need to show that there are no paths.
Showing that something does not exist is generally harder, since we need to rule out all infinitely many paths.
Our approach to proving some state \(s\) is *not* reachable will be to find an *invariant* that rules out \(s\).

**Definition**: Let \(T = (S, S_0, {\to})\) be a transition system and let \(P\subseteq S\) be a set of states.
Then \(P\) is an *invariant* if

\[
\mathrm{Reach}(T) \subseteq P,
\]

i.e., if \(P\) contains all reachable states of \(T\).

Returning to our discussion above, if we want to show some \(s\) is not reachable, it suffices to find an invariant \(P\) such that \(s\not\in P\). (Since \(P\) is an invariant, it contains all reachable states. So \(s\) cannot be reachable, since it is not in \(P\).)

**Examples**: In any transition system, the set of all reachable states is an invariant.
In the robot system, the following are all invariants:

- \(\{(x,y)\mid x + y \ge 5\}\) (drawn in blue in the figure above)
- the set of all states above the purple tangent line in the figure above
- the set of all states outside the red circle (this was our original question)

More formally, let

\[
P^{\mathsf{robot}} = \{(x,y)\mid \sqrt{x^2 + y^2} > 3\},
\]

then \(P^{\mathsf{robot}}\) is an invariant of \(T^{\mathsf{robot}}\).

- In our original formulation, we were thinking about trying to *avoid* the states *inside* the circle. Now we have rephrased the question to thinking about trying to *stay within* the set of states *outside* the circle. These are of course completely equivalent, and it is often useful to think both ways.

More generally, any superset of the (green) set of reachable states is an invariant by definition.

It is often useful to understand what it means to *not* be an invariant.
If \(P\) is not an invariant, it means that there is a state \(r\) that is reachable but not in \(P\).
We give such states a special name.

**Definition**: Let \(T = (S, S_0, {\to})\) be a transition system and let \(P\subseteq S\) be a set of states.
If \(r \in S\) is reachable but \(r\) is not in \(P\), then we call \(r\) a *counterexample to safety* (CTS) for \(P\).

**Example**: The set of points *on* the line \(x + y = 5\) is not an invariant, intuitively because the robot can move north off the line.
For example, the states \((0, 6)\) and \((1, 5)\) are both counterexamples to safety for this set,
since both are reachable states in \(T^{\mathsf{robot}}\) that are not on the line.

To prove that something is an invariant is conceptually tricky, because we have to consider all possible reachable states (and thus all possible paths that start in an initial state), and show that they all stay within the invariant. The main tool for doing this is induction.

**Definition**: Let \(T = (S, S_0, {\to})\) be a transition system and let \(I\subseteq S\) be a set of states.
Then \(I\) is an *inductive invariant* if

- \(S_0\subseteq I\), and
- whenever \(s\in I\) and \(s\to s'\), then \(s'\in I\).

The first clause says that \(I\) contains all initial states of \(T\). The second clause says that \(I\) is closed under steps of \(\to\), or in other words, there is no edge of \(\to\) that crosses the boundary of \(I\) from inside \(I\) to outside \(I\).

Notice that to check whether \(I\) is inductive, we only have to think about single edges of \(\to\), not paths.

The point of defining inductive invariants is the following lemma.

**Lemma**: An inductive invariant is an invariant.

*Proof*. Let \(T = (S, S_0, {\to})\) be a transition system, and suppose \(I\) is an inductive invariant of \(T\).
We will show \(I\) is an invariant, i.e., that \(I\) contains all reachable states.
So let \(s \in \mathrm{Reach}(T)\) be arbitrary.
By definition of \(\mathrm{Reach}(T)\), there exists an \(s_0\in S_0\) and a path \(p\) of edges in \(\to\) from \(s_0\) to \(s\).
We will proceed by induction on the number of edges in this path.

- Base case: Zero edges. In this case, the path is the empty path from \(s_0\) to itself, so \(s=s_0\). Since \(I\) is an inductive invariant, it follows that \(s\in I\) by the first clause of the definition of an inductive invariant.
- Inductive case. Suppose \(p\) consists of \(n \gt 0\) edges. Write \(s_0 \to s_1 \to \dots \to s_n\) for the states visited by \(p\), where \(s_n = s\). Since \(s_{n-1}\) is reachable by a path of length shorter than \(n\), the induction hypothesis tells us that \(s_{n-1}\in I\). Then since \(s_{n-1}\to s\) and \(I\) is an inductive invariant, it follows that \(s \in I\) by the second clause of the definition of an inductive invariant. \(\Box\)

**Example**: In the robot system, the set of points such that \(x+y\ge 5\) (drawn as the blue region in the figure above) is an inductive invariant.

*Proof*. Let \(I^{\mathsf{robot}} = \{(x,y)\mid x+y\ge 5\}\). We need to show \(I^{\mathsf{robot}}\) contains all initial states and is closed under steps of \(\to^{\mathsf{robot}}\).

- Base case: There is only one initial state, \((0,5)\), and it satisfies \(x + y\ge 5\).
- Inductive case: Assume \(s\in I^{\mathsf{robot}}\) and \(s\to s'\). We will show \(s'\in I^{\mathsf{robot}}\).
Write \(s = (x,y)\) and \(s'=(x',y')\). Since \(s\in I^{\mathsf{robot}}\), we have \(x+y\ge 5\).
We need to show \(x' + y' \ge 5\).
There are two possible steps that could be taken from \(s\) to \(s'\), either southeast or north.

Case southeast. In this case, \(x' = x + 1\) and \(y' = y - 1\). Then

\[
\begin{align}
x' + y' &= (x + 1) + (y - 1)\\
&= x + y\\
&\ge 5.
\end{align}
\]

Case north. In this case, \(x' = x\) and \(y' = y + 1\). Then

\[
\begin{align}
x' + y' &= x + (y + 1)\\
&> x + y\\
&\ge 5.
\end{align}
\]

In either case, it follows that \(s'\in I^{\mathsf{robot}}\). \(\Box\)

Just as it is useful to understand when something is not an invariant,
it is also useful to understand when something is not an *inductive* invariant.

If \(I\) is not an inductive invariant, it means that one of the two clauses in the definition of an inductive invariant fails to hold. If the first clause fails, it means that there is an initial state that is not in \(I\). Such a state is also a counterexample to safety, so there is nothing new from this clause.

If the second clause fails, then it means that there are states \(s\) and \(s'\) such that \(s\in I\) and \(s\to s'\) but \(s'\not\in I\). In other words, \(s \to s'\) is an edge of the graph that crosses the boundary of \(I\) from inside \(I\) to outside \(I\). We give such edges a special name.

**Definition**: Let \(T = (S, S_0, {\to})\) be a transition system and let \(I\subseteq S\) be a set of states.
If \(s\) and \(s'\) are states in \(S\) such that \(s\in I\) and \(s\to s'\) but \(s'\not\in I\),
then we call \((s, s')\) a *counterexample to induction*.

**Example**: In the robot system, \(P^{\mathsf{robot}}\), the set of all states outside the red circle, is not an inductive invariant. (But it is an invariant!)
For example, the edge \((0,-4)\to(0,-3)\) is a counterexample to induction,
since it is an edge that uses a north move to cross from inside \(P^{\mathsf{robot}}\) to outside \(P^{\mathsf{robot}}\).
Another CTI is \((-3, 3)\to(-2,2)\), which uses a southeast move to enter the red circle from the northwest.

When given a transition system \(T\) and set of states \(P\) that might or might not be an invariant, you should go through the following steps.

- Look for counterexamples to safety (CTSs) for \(P\).
- These are reachable states of \(T\) that are not in \(P\).
- If you find a CTS, you have shown that \(P\) is not an invariant.

- If you can't find any CTSs, you should move on to trying to prove \(P\) is an invariant. The primary way to prove something is an invariant is to find an *inductive* invariant. Start by setting \(I = P\).
- Try to figure out if \(I\) is inductive. Usually for the first few attempts it is not inductive, so you will want to look for a counterexample to induction (CTI).
  - Remember that a CTI for \(I\) is a pair of states \(s \to s'\) such that \(s\in I\) but \(s'\not\in I\).
  - If you find a CTI, you have shown that the current version of \(I\) is not inductive.
  - You should *strengthen* \(I\) (making it a smaller set by adding more constraints) to rule out \(s\) from your CTI.
  - With your new definition of \(I\), go to the top of this step and try again to figure out if it is inductive.
- If you can't find a CTI, try writing a proof that \(I\) is inductive.

- Suppose we are given \(T^{\mathsf{robot}}\) and \(P^{\mathsf{robot}}\) and we want to determine whether \(P^{\mathsf{robot}}\) is an invariant.
- Follow the recipe!
- Look for counterexamples to safety: are there any reachable states that are not in \(P^{\mathsf{robot}}\)?
- From drawing some pictures or clicking through the animations, intuitively it seems like no.

- So we move on to trying to find an inductive invariant that implies \(P^{\mathsf{robot}}\).
- We start by seeing if \(P^{\mathsf{robot}}\) is already inductive.
- It's not! \((0,-4)\to(0,-3)\) is a CTI

- We need to strengthen the invariant so that it rules out \((0,-4)\).
- A good choice is \(I^{\mathsf{robot}}\), all states on or above the line \(x+y=5\).
- We now check if \(I^{\mathsf{robot}}\) is inductive. Are there any CTIs?
- From doodling, it seems like there are no edges that cross from inside \(I^{\mathsf{robot}}\) to outside \(I^{\mathsf{robot}}\).

- Now we can try to write a proof that \(I^{\mathsf{robot}}\) is inductive. We did this above.
- Since \(I^{\mathsf{robot}}\) is an inductive invariant, it is an invariant. Also, \(I^{\mathsf{robot}} \subseteq P^{\mathsf{robot}}\): if \(x + y \ge 5\) and \(x > 5\), then \(x^2 > 25 > 9\) already; otherwise \(y \ge 5 - x \ge 0\), so \(y^2 \ge (5-x)^2\) and

\[
\begin{align}
x^2 + y^2 &\ge x^2 + (5 - x)^2 \\
&= 2x^2 - 10x + 25 \\
&= 2(x - 5/2)^2 + 25/2 \\
&\ge 25/2 \\
&> 9.
\end{align}
\]

It follows that \(P^{\mathsf{robot}}\) is also an invariant.
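The recipe above, and the walk-through that applies it to \(T^{\mathsf{robot}}\), as an added Python example that is not part of the original notes: a small bounded model checker that enumerates \(\mathrm{Reach}(T)\) up to a depth bound to look for counterexamples to safety, and checks single edges inside a finite window to look for counterexamples to induction. The names `step`, `p_robot`, `i_robot`, `reach`, `find_cts` and `find_cti` are my own; finding nothing within a bound is evidence, not a proof, which is why the recipe ends with writing the proof.

```python
from collections import deque

INITIAL = {(0, 5)}  # S_0^robot: the single initial state


def step(state):
    """->robot: the two successors of a state, north and southeast."""
    x, y = state
    return [(x, y + 1), (x + 1, y - 1)]


def p_robot(state):
    """P^robot: states strictly outside the red circle of radius 3."""
    x, y = state
    return x * x + y * y > 9  # same as sqrt(x^2 + y^2) > 3, without floats


def i_robot(state):
    """I^robot: states on or above the line x + y = 5."""
    x, y = state
    return x + y >= 5


def reach(depth):
    """Reach(T) restricted to paths of at most `depth` edges (BFS from S_0)."""
    seen = set(INITIAL)
    frontier = deque((s, 0) for s in INITIAL)
    while frontier:
        s, d = frontier.popleft()
        if d < depth:
            for t in step(s):
                if t not in seen:
                    seen.add(t)
                    frontier.append((t, d + 1))
    return seen


def find_cts(prop, depth):
    """A reachable state (within `depth` steps) that is not in `prop`, or None."""
    return next((s for s in sorted(reach(depth)) if not prop(s)), None)


def find_cti(prop, bound):
    """An edge s -> s' with s in prop but s' not in prop, over the window [-bound, bound]^2."""
    for s in ((x, y) for x in range(-bound, bound + 1) for y in range(-bound, bound + 1)):
        if prop(s):
            for t in step(s):
                if not prop(t):
                    return (s, t)
    return None
```

With depth 0, `find_cts` checks exactly the first clause of inductiveness (\(S_0 \subseteq I\)), and `find_cti` checks the second clause on every edge leaving the window, so together they mechanize the two things the recipe asks you to look for before writing a proof.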