From bultan@cs.umd.edu Fri Mar 13 12:07:10 1998 Date: Fri, 13 Mar 1998 12:03:19 -0500 (EST) From: Tevfik Bultan To: library@cs.umd.edu Subject: ps file for CS-TR-3822 UMIACS-TR-97-62 %!PS-Adobe-2.0 %%Creator: dvips 5.55 Copyright 1986, 1994 Radical Eye Software %%Title: paper.dvi %%CreationDate: Wed Dec 10 13:10:01 1997 %%Pages: 11 %%PageOrder: Ascend %%BoundingBox: 0 0 612 792 %%EndComments %DVIPSCommandLine: dvips paper %DVIPSParameters: dpi=300, comments removed %DVIPSSource: TeX output 1997.12.10:1309 %%BeginProcSet: tex.pro /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N}B /TR{translate}N /isls false N /vsize 11 72 mul N /hsize 8.5 72 mul N /landplus90{false}def /@rigin{isls{[0 landplus90{1 -1}{-1 1} ifelse 0 0 0]concat}if 72 Resolution div 72 VResolution div neg scale isls{landplus90{VResolution 72 div vsize mul 0 exch}{Resolution -72 div hsize mul 0}ifelse TR}if Resolution VResolution vsize -72 div 1 add mul TR[matrix currentmatrix{dup dup round sub abs 0.00001 lt{round}if} forall round exch round exch]setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{ /nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{ /sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0] N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{ 128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 sub]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]} if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N}B /I{ cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/QV}{/RV}ifelse load def pop pop}N /eop{SI restore showpage userdict /eop-hook known{eop-hook}if}N /@start{userdict /start-hook known{start-hook}if pop /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V {}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval(NeXT)eq or}{pop false} ifelse}{false}ifelse end{{gsave TR -.1 .1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 .1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /QV{gsave newpath transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail {dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M} B /d{-3 M}B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{ 4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{ p 1 w}B /r{p 2 w}B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet %%BeginProcSet: special.pro TeXDict begin /SDict 200 dict N SDict begin /@SpecialDefaults{/hs 612 N /vs 792 N /ho 0 N /vo 0 N /hsc 1 N /vsc 1 N /ang 0 N /CLIP 0 N /rwiSeen false N /rhiSeen false N /letter{}N /note{}N /a4{}N /legal{}N}B /@scaleunit 100 N /@hscale{@scaleunit div /hsc X}B /@vscale{@scaleunit div /vsc X}B /@hsize{/hs X /CLIP 1 N}B /@vsize{/vs X /CLIP 1 N}B /@clip{ /CLIP 2 N}B /@hoffset{/ho X}B /@voffset{/vo X}B /@angle{/ang X}B /@rwi{ 10 div /rwi X /rwiSeen true N}B /@rhi{10 div /rhi X /rhiSeen true N}B /@llx{/llx X}B /@lly{/lly X}B /@urx{/urx X}B /@ury{/ury X}B /magscale true def end /@MacSetUp{userdict /md known{userdict /md get type /dicttype eq{userdict begin md length 10 add md maxlength ge{/md md dup length 20 add dict copy def}if end md begin /letter{}N /note{}N /legal{} N /od{txpose 1 0 mtx defaultmatrix dtransform S atan/pa X newpath clippath mark{transform{itransform moveto}}{transform{itransform lineto} }{6 -2 roll transform 6 -2 roll transform 6 -2 roll transform{ itransform 6 2 roll itransform 6 2 roll itransform 6 2 roll curveto}}{{ closepath}}pathforall newpath counttomark array astore /gc xdf pop ct 39 0 put 10 fz 0 fs 2 F/|______Courier fnt invertflag{PaintBlack}if}N /txpose{pxs pys scale ppr aload pop por{noflips{pop S neg S TR pop 1 -1 scale}if xflip yflip and{pop S neg S TR 180 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{pop S neg S TR pop 180 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{ppr 1 get neg ppr 0 get neg TR}if}{noflips{TR pop pop 270 rotate 1 -1 scale}if xflip yflip and{TR pop pop 90 rotate 1 -1 scale ppr 3 get ppr 1 get neg sub neg ppr 2 get ppr 0 get neg sub neg TR}if xflip yflip not and{TR pop pop 90 rotate ppr 3 get ppr 1 get neg sub neg 0 TR}if yflip xflip not and{TR pop pop 270 rotate ppr 2 get ppr 0 get neg sub neg 0 S TR}if}ifelse scaleby96{ppr aload pop 4 -1 roll add 2 div 3 1 roll add 2 div 2 copy TR .96 dup scale neg S neg S TR}if}N /cp {pop pop showpage pm restore}N end}if}if}N /normalscale{Resolution 72 div VResolution 72 div neg scale magscale{DVImag dup scale}if 0 setgray} N /psfts{S 65781.76 div N}N /startTexFig{/psf$SavedState save N userdict maxlength dict begin /magscale false def normalscale currentpoint TR /psf$ury psfts /psf$urx psfts /psf$lly psfts /psf$llx psfts /psf$y psfts /psf$x psfts currentpoint /psf$cy X /psf$cx X /psf$sx psf$x psf$urx psf$llx sub div N /psf$sy psf$y psf$ury psf$lly sub div N psf$sx psf$sy scale psf$cx psf$sx div psf$llx sub psf$cy psf$sy div psf$ury sub TR /showpage{}N /erasepage{}N /copypage{}N /p 3 def @MacSetUp}N /doclip{ psf$llx psf$lly psf$urx psf$ury currentpoint 6 2 roll newpath 4 copy 4 2 roll moveto 6 -1 roll S lineto S lineto S lineto closepath clip newpath moveto}N /endTexFig{end psf$SavedState restore}N /@beginspecial{SDict begin /SpecialSave save N gsave normalscale currentpoint TR @SpecialDefaults count /ocount X /dcount countdictstack N}N /@setspecial {CLIP 1 eq{newpath 0 0 moveto hs 0 rlineto 0 vs rlineto hs neg 0 rlineto closepath clip}if ho vo TR hsc vsc scale ang rotate rwiSeen{rwi urx llx sub div rhiSeen{rhi ury lly sub div}{dup}ifelse scale llx neg lly neg TR }{rhiSeen{rhi ury lly sub div dup scale llx neg lly neg TR}if}ifelse CLIP 2 eq{newpath llx lly moveto urx lly lineto urx ury lineto llx ury lineto closepath clip}if /showpage{}N /erasepage{}N /copypage{}N newpath }N /@endspecial{count ocount sub{pop}repeat countdictstack dcount sub{ end}repeat grestore SpecialSave restore end}N /@defspecial{SDict begin} N /@fedspecial{end}B /li{lineto}B /rl{rlineto}B /rc{rcurveto}B /np{ /SaveX currentpoint /SaveY X N 1 setlinecap newpath}N /st{stroke SaveX SaveY moveto}N /fil{fill SaveX SaveY moveto}N /ellipse{/endangle X /startangle X /yrad X /xrad X /savematrix matrix currentmatrix N TR xrad yrad scale 0 0 1 startangle endangle arc savematrix setmatrix}N end %%EndProcSet %%BeginProcSet: color.pro TeXDict begin /setcmykcolor where{pop}{/setcmykcolor{dup 10 eq{pop setrgbcolor}{1 sub 4 1 roll 3{3 index add neg dup 0 lt{pop 0}if 3 1 roll }repeat setrgbcolor pop}ifelse}B}ifelse /TeXcolorcmyk{setcmykcolor}def /TeXcolorrgb{setrgbcolor}def /TeXcolorgrey{setgray}def /TeXcolorgray{ setgray}def /TeXcolorhsb{sethsbcolor}def /currentcmykcolor where{pop}{ /currentcmykcolor{currentrgbcolor 10}B}ifelse /DC{exch dup userdict exch known{pop pop}{X}ifelse}B /GreenYellow{0.15 0 0.69 0 setcmykcolor}DC /Yellow{0 0 1 0 setcmykcolor}DC /Goldenrod{0 0.10 0.84 0 setcmykcolor} DC /Dandelion{0 0.29 0.84 0 setcmykcolor}DC /Apricot{0 0.32 0.52 0 setcmykcolor}DC /Peach{0 0.50 0.70 0 setcmykcolor}DC /Melon{0 0.46 0.50 0 setcmykcolor}DC /YellowOrange{0 0.42 1 0 setcmykcolor}DC /Orange{0 0.61 0.87 0 setcmykcolor}DC /BurntOrange{0 0.51 1 0 setcmykcolor}DC /Bittersweet{0 0.75 1 0.24 setcmykcolor}DC /RedOrange{0 0.77 0.87 0 setcmykcolor}DC /Mahogany{0 0.85 0.87 0.35 setcmykcolor}DC /Maroon{0 0.87 0.68 0.32 setcmykcolor}DC /BrickRed{0 0.89 0.94 0.28 setcmykcolor} DC /Red{0 1 1 0 setcmykcolor}DC /OrangeRed{0 1 0.50 0 setcmykcolor}DC /RubineRed{0 1 0.13 0 setcmykcolor}DC /WildStrawberry{0 0.96 0.39 0 setcmykcolor}DC /Salmon{0 0.53 0.38 0 setcmykcolor}DC /CarnationPink{0 0.63 0 0 setcmykcolor}DC /Magenta{0 1 0 0 setcmykcolor}DC /VioletRed{0 0.81 0 0 setcmykcolor}DC /Rhodamine{0 0.82 0 0 setcmykcolor}DC /Mulberry {0.34 0.90 0 0.02 setcmykcolor}DC /RedViolet{0.07 0.90 0 0.34 setcmykcolor}DC /Fuchsia{0.47 0.91 0 0.08 setcmykcolor}DC /Lavender{0 0.48 0 0 setcmykcolor}DC /Thistle{0.12 0.59 0 0 setcmykcolor}DC /Orchid{ 0.32 0.64 0 0 setcmykcolor}DC /DarkOrchid{0.40 0.80 0.20 0 setcmykcolor} DC /Purple{0.45 0.86 0 0 setcmykcolor}DC /Plum{0.50 1 0 0 setcmykcolor} DC /Violet{0.79 0.88 0 0 setcmykcolor}DC /RoyalPurple{0.75 0.90 0 0 setcmykcolor}DC /BlueViolet{0.86 0.91 0 0.04 setcmykcolor}DC /Periwinkle {0.57 0.55 0 0 setcmykcolor}DC /CadetBlue{0.62 0.57 0.23 0 setcmykcolor} DC /CornflowerBlue{0.65 0.13 0 0 setcmykcolor}DC /MidnightBlue{0.98 0.13 0 0.43 setcmykcolor}DC /NavyBlue{0.94 0.54 0 0 setcmykcolor}DC /RoyalBlue{1 0.50 0 0 setcmykcolor}DC /Blue{1 1 0 0 setcmykcolor}DC /Cerulean{0.94 0.11 0 0 setcmykcolor}DC /Cyan{1 0 0 0 setcmykcolor}DC /ProcessBlue{0.96 0 0 0 setcmykcolor}DC /SkyBlue{0.62 0 0.12 0 setcmykcolor}DC /Turquoise{0.85 0 0.20 0 setcmykcolor}DC /TealBlue{0.86 0 0.34 0.02 setcmykcolor}DC /Aquamarine{0.82 0 0.30 0 setcmykcolor}DC /BlueGreen{0.85 0 0.33 0 setcmykcolor}DC /Emerald{1 0 0.50 0 setcmykcolor}DC /JungleGreen{0.99 0 0.52 0 setcmykcolor}DC /SeaGreen{ 0.69 0 0.50 0 setcmykcolor}DC /Green{1 0 1 0 setcmykcolor}DC /ForestGreen{0.91 0 0.88 0.12 setcmykcolor}DC /PineGreen{0.92 0 0.59 0.25 setcmykcolor}DC /LimeGreen{0.50 0 1 0 setcmykcolor}DC /YellowGreen{ 0.44 0 0.74 0 setcmykcolor}DC /SpringGreen{0.26 0 0.76 0 setcmykcolor} DC /OliveGreen{0.64 0 0.95 0.40 setcmykcolor}DC /RawSienna{0 0.72 1 0.45 setcmykcolor}DC /Sepia{0 0.83 1 0.70 setcmykcolor}DC /Brown{0 0.81 1 0.60 setcmykcolor}DC /Tan{0.14 0.42 0.56 0 setcmykcolor}DC /Gray{0 0 0 0.50 setcmykcolor}DC /Black{0 0 0 1 setcmykcolor}DC /White{0 0 0 0 setcmykcolor}DC end %%EndProcSet TeXDict begin @defspecial /PsFragDict 20 dict def PsFragDict begin /PsFragCheckShow { PsFragNewShow { /s exch def s (\\tex) anchorsearch { pop pop false } { pop /showit true def PsFragNoShowStrings { s eq {/showit false def} if} forall showit } ifelse } { pop true } ifelse } bind def /PsFragMoveShow { exch stringwidth pop 0 rmoveto {pop} repeat } bind def /PsFragNoShowStrings [] def /PsFragNewShow true def end /show { PsFragDict begin dup PsFragCheckShow {show} {0 PsFragMoveShow} ifelse end} bind def /ashow { PsFragDict begin dup PsFragCheckShow {ashow} {2 PsFragMoveShow} ifelse end} bind def /kshow { PsFragDict begin dup PsFragCheckShow {kshow} {1 PsFragMoveShow} ifelse end} bind def /widthshow { PsFragDict begin dup PsFragCheckShow {widthshow} {3 PsFragMoveShow} ifelse end} bind def /awidthshow { PsFragDict begin dup PsFragCheckShow {awidthshow} {5 PsFragMoveShow} ifelse end} bind def @fedspecial end TeXDict begin 40258431 52099146 1000 300 300 (/bird/bultan/doc/papers/issta98/paper.dvi) @start /Fa 6 118 df82 D 101 D110 D114 D<7FFFC060E0C040E040C0E06080E02080E02000E00000E00000E00000E00000E00000E0 0000E00000E00000E00000E00000E00000E0000FFE0013137F9216>116 DI E /Fb 4 82 df<1FFE000601800600C00600C00C01800C03000FFE000C07001801801801 80180180180300300E00FFF800120E7E8D16>66 D<1FC00600060006000C000C000C000C 0018001800180018003000FE000A0E7E8D0D>73 D<1FFE000603800601800600C00C0180 0C01800C06000FF800180000180000180000180000300000FC0000120E7E8D12>80 D<01F8000E0E00180300300100600180C00180C00180C00180C00300C00300C00600670C 0038B0001FC20000C20000C400007C0000300011127E8D16>I E /Fc 2 111 df<181818303030606060C0C0050B7E8B09>48 D110 D E /Fd 16 122 df<00FC000303000E01C01C00E03800703000307000386000 18E0001CE0001CE0001CE0001CE0001CE0001CE0001C7000387000383000303800701C00 E00E01C003030000FC0016177E961C>79 D<0F88305860384018C008C008C008E000F000 7F003FE01FF003F80038001C000C800C800C800CC008E018D83087C00E177E9614>83 D<00800001C00001C00001C0000260000260000260000430000430000C18000818000FF8 00100C00100C00100C00300E00F81F8011117F9014>97 DI<03F0800E0D8018 0380300180600080600080C00000C00000C00000C00000C0000060008060008030010018 01000E060003F80011117F9014>I101 D105 D108 DII<03F0000C0C00180600 300300600180400080C000C0C000C0C000C0C000C0C000C0600180600180300300180600 0C0C0003F00012117F9015>II114 D<1F2020E04060C020C020C00070003F001FC001E00070003080308030C020 E0409F800C117F900F>II121 D E /Fe 1 52 df<001800003C000066 0000C3000181800300C00600600C003018001830000C600006C0000360000630000C1800 180C00300600600300C001818000C300006600003C0000180018177F961B>51 D E /Ff 2 52 df<7FFFF0FFFFF8C00018C00018C00018C00018C00018C00018C00018C0 0018C00018C00018C00018C00018C00018C00018C00018C00018C00018FFFFF8FFFFF815 157D971C>50 D<00080000001C0000003600000063000000C180000180C0000300600006 0030000C00180018000C003000060060000300C0000180C0000180600003003000060018 000C000C00180006003000030060000180C00000C180000063000000360000001C000000 080000191A7D991F>I E /Fg 3 96 df87 D<00003000000000380000000078000000007800000000FC00000000FC00000000FC0000 0001CE00000001CE00000001CE0000000387000000038700000003870000000703800000 07038000000E01C000000E01C000000E01C000001C00E000001C00E000001C00E0000038 0070000038007000003800700000700038000070003800007000380000E0001C0000E000 1C0001C0000E0001C0000E0001C0000E0003800007000380000700038000070007000003 80070000038007000003800E000001C00E000001C00E000001C01C000000E01C000000E0 380000007038000000703800000070700000003870000000387000000038E00000001CE0 0000001CC00000000C26347E7F2B>94 DI E /Fh 41 121 df<00C001C0030006000C001C0038003000700070006000E000E000E000 E000E000E000E000600070007000300038001C000C000600030001C000C00A1D7A9914> 40 D<8000C0006000300018001C000E0006000700070003000380038003800380038003 80038003000700070006000E001C00180030006000C0008000091D7C9914>I<70F8FCFC 7C0C1830E0C0060A798414>44 D<0300030007000F003F00F70047000700070007000700 07000700070007000700070007000700070007007FF07FF00C177C9614>49 D<0FC01FF03838701CE00EE00EE00E400E000E001C001C00380030007000E001C0030006 000C00180E300E7FFE7FFE0F177E9614>I<0FC01FF03838701C701C201C001C001C0038 007007E007F00038001C000E000E400EE00EE00E701C78383FF00FC00F177E9614>I<01 E007F00E38181C38FC71FC739E739EE70EE70EE70EE70EE70EE70EE70E739C739C71F838 F018060E1E07F801F00F177E9614>64 D66 D<03C60FFE1C3E181E381E700E700E600EE000E000E000E000E000E000E000600E700E70 0E380C181C1C380FF003C00F177E9614>II72 DI76 DI<1FF07FFC783C 701CE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00EE00E701C783C 7FFC1FF00F177E9614>79 DI82 D<7FFF80FFFF80E1C380E1C380E1C380E1C38001C00001C00001C00001C00001C00001C0 0001C00001C00001C00001C00001C00001C00001C00001C00001C0000FF8000FF8001117 7F9614>84 D87 D<1FC0007FF000707800201800001C00001C0007FC001FFC003C 1C00701C00E01C00E01C00E01C00707C003FFF800F8F8011107E8F14>97 DI<03F80FFC1C1C380870006000E000E000E000E00060007000380E1C1E0FFC03 F00F107E8F14>I<007E00007E00000E00000E00000E00000E00000E0007CE000FFE001C 3E00301E00700E00E00E00E00E00E00E00E00E00E00E00E00E00700E00301E00383E001F EFC007CFC012177F9614>I<07E00FF01C38301C700CE00EE00EFFFEFFFEE00060007000 380E1C1E0FFC03F00F107E8F14>I<07CF001FFF80383B80301800701C00701C00701C00 3018003838003FF00037C0007000007000003FF8001FFC003FFE00700F00E00380E00380 E00380E003807007003C1E001FFC0007F00011197F8F14>103 DI<0300078007 80030000000000000000007F807F80038003800380038003800380038003800380038003 800380FFFCFFFC0E187D9714>I<006000F000F0006000000000000000001FF01FF00070 0070007000700070007000700070007000700070007000700070007000700070007040E0 E0C07F803F000C207E9714>IIIII< 07C01FF03C78701C701CE00EE00EE00EE00EE00EE00E701C783C3C781FF007C00F107E8F 14>II114 D<0FD83FF86038C038C038F0007F803FF007F8001C6006E006F006F81CFFF8CFE00F107E 8F14>I<030007000700070007007FFCFFFC07000700070007000700070007000700070E 070E070E070C03FC00F00F157F9414>II< FE3F80FE3F801C1C001C1C001C1C001C1C000E38000E38000E3800063000077000077000 07700003E00003E00003E00011107F8F14>II<7E3F007E3F001E38000E780007700007E00003E00001C00003C00003E0000770000E 78000E38001C1C00FE3F80FE3F8011107F8F14>I E /Fi 31 120 df<40E060202040408003087D8209>59 D<0FFFC0018060018030030030030030030030 0300E006038007FF800601C00600C00C00C00C00C00C00C00C0180180700FFFC0014117E 9017>66 D<00FC400302C00C01C0180080300080600080600000C00000C00000C00000C0 0000C00200C002004004006008001830000FC00012117D9016>I<0FFFE0018060018020 03002003002003042003040006080007F8000608000608200C10400C00400C00800C0180 180380FFFF0013117E9016>69 D<0FF1FE01803001803003006003006003006003006006 00C007FFC00600C00600C00C01800C01800C01800C0180180300FF1FE017117E9019>72 D<0FF001800180030003000300030006000600060006000C000C000C000C001800FF000C 117E900E>I<0FF001800180030003000300030006000600060006000C010C010C020C06 180EFFFC10117E9015>76 D<0F80FE01C01001C010026020026020023020023020041840 041840040C40040C40080680080680080380080380180100FE010017117E9018>78 D<00FC000303000C01801800C03000C06000C06000C0C000C0C000C0C000C0C00180C001 80C00300600600600C003838000FC00012117D9017>I<0FFF800180C001806003006003 00600300600300C006018007FE000600000600000C00000C00000C00000C0000180000FF 000013117E9013>I<00FC000303000C01801800C03000C06000C06000C0C000C0C000C0 C000C0C00180C00180C00300438600644C003878000FE100006100006200006600007C00 00380012167D9018>I<0FFF000180C00180600300600300600300600300C006038007FC 000607000603000C03000C03000C03000C0308180310FF01E015117E9017>I<01F90607 080310021002100018000F8003F0003800080008400840084010E0609F8010117D9013> I<3FFFC03060C040604040C04080C04080C04000C0000180000180000180000180000300 000300000300000300000600007FE00012117E9012>I<072018E0306060606060C0C0C0 C0C0C841C862D03C700D0B7E8A11>97 D<0780184030C060006000C000C000C000402060 C01F000B0B7E8A0E>99 D<07801840304060407F80C000C000C000402020C01F000B0B7E 8A0F>101 D<03900C7018303030303060606060606020E031C01EC000C000C04180C300 7E000C107E8A0F>103 D<3C000C000C001800180018001BE03430383030303030606060 60606460C4C0C8C0700E117E9012>I<040C000000000070589898303060646468300612 7E910B>I<0020002000000000000000000000038004C008C008C000C001800180018001 8003000300030003004600CC0078000B1780910D>I<3C000C000C001800180018001870 31903230340038007F00618061906190C1A0C0C00C117E9010>I<781818303030306060 6060C0C0C8C8D07005117E900A>I<71F1F09A1A189C1C18981818181818303030303030 303032303062606064606038170B7E8A1B>I<71F09A189C189818181830303030303230 62606460380F0B7E8A13>I<07C01820303060106018C030C030C020406021801F000D0B 7E8A0F>I<071018A0306060606060C0C0C0C0C0C041C063803D8001800180030003000F C00C107E8A0E>113 D<73C09C209860980018003000300030003000600060000B0B7E8A 0E>I<0F001080218020003E001F0001808080C00083007C00090B7D8A0F>I<08181818FF 30303030606062646438080F7E8E0C>I<3810C04830C08C304098304018304030608030 608030608030610010E2000F1C00120B7E8A16>119 D E /Fj 46 122 df<007F8001E0C00780E00F01F00F01F00F01F00F00E00F00000F0000FFFFF0FFFF F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00F00 F00F00F07FC3FE7FC3FE171A809919>12 D45 D<78FCFCFCFC7806067D850C>I<000180000380000380000700000700000E00000E0000 0E00001C00001C0000380000380000700000700000700000E00000E00001C00001C00001 C0000380000380000700000700000700000E00000E00001C00001C000038000038000038 0000700000700000E00000E00000C0000011257E9B16>I<00C003C0FFC0FFC003C003C0 03C003C003C003C003C003C003C003C003C003C003C003C003C003C003C003C07FFE7FFE 0F187D9716>49 D<0FF0003FFC00787E00FC1F00FC1F80FC0F80FC0F80780F80001F8000 1F00001E00003C0000780000700000E0000180000301800601800C01801003803FFF007F FF00FFFF00FFFF0011187E9716>I<07F0001FFC00383E007C3E007C1F007C1F007C1F00 383F00003E00003C0000780007F000003C00001E00001F00001F80781F80FC1F80FC1F80 FC1F00F81F00703E003FFC000FF00011187E9716>I<000600000E00001E00003E00007E 0000DE00019E00011E00031E00061E000C1E00181E00301E00601E00C01E00FFFFE0FFFF E0001E00001E00001E00001E00001E0001FFE001FFE013187F9716>I<78FCFCFCFC7800 0000000078FCFCFCFC7806117D900C>58 D<00030000000780000007800000078000000F C000000FC000001BE000001BE000001BE0000031F0000031F0000060F8000060F80000E0 FC0000C07C0000C07C0001803E0001FFFE0003FFFF0003001F0003001F0006000F800600 0F800E000FC0FFC07FFCFFC07FFC1E1A7F9921>65 DI<001FE02000FFFCE003F80F E007C003E01F8001E01F0000E03E0000E07E0000607C000060FC000000FC000000FC0000 00FC000000FC000000FC000000FC000000FC0000007C0000607E0000603E0000601F0000 C01F8000C007C0038003F80F0000FFFC00001FF0001B1A7E9920>IIII73 D76 DI<003FC00001E0780007801E000F000F001F000F803E0007C03E0007C0 7C0003E07C0003E0FC0003F0FC0003F0FC0003F0FC0003F0FC0003F0FC0003F0FC0003F0 FC0003F07C0003E07E0007E03E0007C03E0007C01F000F800F801F0007C03E0001E07800 003FC0001C1A7E9921>79 DI82 D<07F0401FFDC03C0FC07803C07001C0F001 C0F000C0F000C0F80000FF00007FF8003FFF001FFF800FFFC001FFE0000FE00003F00001 F0C000F0C000F0C000F0E000E0F001E0FC03C0EFFF8083FE00141A7E9919>I<7FFFFF80 7FFFFF80781F0780701F0380601F0180E01F01C0C01F00C0C01F00C0C01F00C0001F0000 001F0000001F0000001F0000001F0000001F0000001F0000001F0000001F0000001F0000 001F0000001F0000001F0000001F0000001F000007FFFC0007FFFC001A1A7E991F>I<0F F0001C3C003E1E003E0E003E0F001C0F00000F0000FF000FCF003E0F007C0F00F80F00F8 0F00F80F00F817007C27E01FC3E013117F9015>97 DI<03 FC000F0E001C1F003C1F00781F00780E00F80000F80000F80000F80000F8000078000078 00003C01801C03000F060003FC0011117F9014>I<000FE0000FE00001E00001E00001E0 0001E00001E00001E00001E003F9E00F07E01C03E03C01E07801E07801E0F801E0F801E0 F801E0F801E0F801E07801E07801E03C01E01C03E00F0DFC03F9FC161A7F9919>I<03F0 000E1C001C0E003C0700780700780780F80780F80780FFFF80F80000F800007800007800 003C01801C03000E060003FC0011117F9014>I<00FE0003C700078F800F0F800F0F800F 07000F00000F00000F0000FFF000FFF0000F00000F00000F00000F00000F00000F00000F 00000F00000F00000F00000F00000F00000F00007FE0007FE000111A80990E>I<07E3C0 1C3CE0381CE0781EC0781E00781E00781E00781E00381C001C380027E000200000200000 3000003FFE001FFF801FFFC07003C0E000E0E000E0E000E0E000E07001C03C078007FC00 13197F9016>II<3C007E007E007E007E003C0000000000 000000007E007E001E001E001E001E001E001E001E001E001E001E001E001E001E00FF80 FF80091B7F9A0D>I<00F001F801F801F801F800F0000000000000000003F803F8007800 78007800780078007800780078007800780078007800780078007800787078F878F878F8 F071E03F800D22839A0E>IIIII<03F8000E0E003C07803803807803C07803C0 F803E0F803E0F803E0F803E0F803E0F803E07803C07C07C03C07800E0E0003F80013117F 9016>II<03F0C00F0DC01E05C03C07C07C03C07803C0F803C0F803C0F8 03C0F803C0F803C07803C07C03C03C03C01C07C00E0BC003F3C00003C00003C00003C000 03C00003C0001FF8001FF815187F9017>II<1FB020704030C030C030F000FF 807FE03FF807F8003CC00CC00CE00CE008F830CFE00E117F9011>I<0600060006000600 0E000E001E003FF0FFF01E001E001E001E001E001E001E001E001E181E181E181E181E18 0F3003E00D187F9711>III121 D E /Fk 10 103 df<020408103020604040C0C0C0C0C0C0C0C040406020301008040207 1A7F920C>40 D<8040201018080C0404060606060606060604040C081810204080071A7E 920C>I<00C00000C00000C00000C00000C00000C00000C00000C00000C000FFFF80FFFF 8000C00000C00000C00000C00000C00000C00000C00000C00000C00011147E8F17>43 D<1F00318060C04040C060C060C060C060C060C060C060C060404060C031801F000B107F 8F0F>48 D<0C003C00CC000C000C000C000C000C000C000C000C000C000C000C000C00FF 8009107E8F0F>I<1F00618040C08060C0600060006000C00180030006000C0010202020 7FC0FFC00B107F8F0F>I61 D<01E0006000600060006000600F6030E06060C060C060C060C060C06060 6030E01F780D117F9011>100 D<1F00318060C0C0C0FFC0C000C000C000604030801F00 0A0B7F8A0E>I<07000D801800180018001800FE00180018001800180018001800180018 0018007E00091180900A>I E /Fl 39 121 df<60F0F06004047D830A>58 D<60F0F070101020204040040A7D830A>I<0000300000F00003C0000700001C00007800 01E0000780000E0000380000F00000F000003800000E000007800001E000007800001C00 0007000003C00000F000003014167D921B>I<07FFF800E00E00E00700E00300E00301C0 0301C00701C00701C00E03803C03FFF003FFF003803C07001C07000E07000E07000E0E00 1C0E001C0E00380E00701C01E0FFFF0018177F961B>66 D<001F8200E04403802C07001C 0C001C1C0008380008300008700008600000E00000E00000E00000C00000C00020C00020 C00040E000406000806001003002001C1C0007E00017177E9619>I<07FFF80000E00E00 00E0030000E0038000E0018001C001C001C001C001C000C001C000C0038001C0038001C0 038001C0038001C0070003800700038007000300070007000E000E000E000C000E001800 0E0070001C01C000FFFF00001A177F961D>I<07FFFF8000E0038000E0010000E0010000 E0010001C0010001C0010001C0400001C04000038080000381800003FF80000381800007 0100000701000007010000070000000E0000000E0000000E0000000E0000001C000000FF C0000019177F9616>70 D<001F8100F06201801607000E0E000E1C000438000430000470 0004600000E00000E00000E00000C007FEC00070C00070E00070E000E06000E07000E030 01E00C06C003F84018177E961B>I<07FE1FF800E0038000E0038000E0038000E0038001 C0070001C0070001C0070001C0070003800E0003800E0003FFFE0003800E0007001C0007 001C0007001C0007001C000E0038000E0038000E0038000E0038001C007000FF83FE001D 177F961D>I<07FE00E000E000E000E001C001C001C001C0038003800380038007000700 070007000E000E000E000E001C00FFC00F177E960F>I<07FF0000E00000E00000E00000 E00001C00001C00001C00001C00003800003800003800003800007000007000807000807 00100E00100E00300E00200E00601C01E0FFFFC015177F9618>76 D<001FC000707001C01803001C06000C0E000E1C000E18000E38000E30000E70000E7000 0E70000E70001CE0001C6000387000387000707000E03801C01803800E0E0003F0001717 7F961B>79 D<07FFF00000E01C0000E0060000E0070000E0070001C0070001C0070001C0 070001C00E0003801C000380700003FF80000380E0000700700007003800070038000700 38000E0070000E0070000E0070800E0070801C003100FF801E0019177F961B>82 D<003E1000C1A00100E00200600600600C00400C00400E00000F000007E00007FC0001FE 00003F00000780000380000380200180400300400300600600600400D8180087E0001417 7E9615>I<1FFFFE381C0E201C04601C04401C0440380480380400380000380000700000 700000700000700000E00000E00000E00000E00001C00001C00001C00001C00003C0007F FC0017177F9615>I86 D<071018F0307060706060C060C060C06080C080C480C4 C1C446C838700E0E7E8D13>97 D<7C0018001800180018003000300030003000678068C0 70406060C060C060C060C06080C080C08180C10046003C000B177E960F>I<07C00C2010 7020706000C000C000C00080008000C010C02060C03F000C0E7E8D0F>I<003E000C000C 000C000C0018001800180018073018F0307060706060C060C060C06080C080C480C4C1C4 46C838700F177E9612>I<07C01C20301060106020FFC0C000C000C000C000C010402060 C01F000C0E7E8D10>I<000E0013003700360060006000600060006007FC00C000C000C0 00C000C001800180018001800180018003000300030003006600E600CC007800101D7E96 11>I<00E2031E060E0C0E0C0C180C180C180C101810181018183808F007300030003060 60E060C1C07F000F14808D11>I<1F0006000600060006000C000C000C000C0018F01B18 1C08180838183018301830306030603160616062C022C03C10177E9614>I<0300038003 000000000000000000000000001C002400460046008C000C001800180018003100310032 0032001C0009177F960C>I<00180038001000000000000000000000000001C002200430 0430086000600060006000C000C000C000C001800180018001806300E300C60078000D1D 80960E>I<1F0006000600060006000C000C000C000C00181C1866188E190C32003C003F 00318060C060C460C460C8C0C8C0700F177E9612>I<3E0C0C0C0C181818183030303060 606060C0C8C8C8D07007177E960B>I<383C1E0044C6630047028100460301008E070300 0C0603000C0603000C060600180C0600180C0620180C0C20180C0C403018044030180780 1B0E7F8D1F>I<383C0044C6004702004602008E06000C06000C06000C0C00180C00180C 40181840181880300880300F00120E7F8D15>I<07C00C20101020186018C018C018C018 80308030C060C0C061803E000D0E7E8D11>I<1C3C22462382230346030603060306030C 060C060C0C0C081A3019E018001800300030003000FC001014808D12>I<38F045184638 46308C000C000C000C001800180018001800300030000D0E7F8D10>114 D<07C00C201870187038001E000FC003E000606060E060C0C0C1803F000C0E7E8D10>I< 030003000600060006000600FFC00C000C000C0018001800180018003000308030803100 31001E000A147F930D>I<1C0200260600460600460600860C000C0C000C0C000C0C0018 18001818801818801838800C5900078E00110E7F8D14>I<1C04260E4606460686040C04 0C040C0418081808181018100C6007800F0E7F8D11>I<1C020426060E46060646060686 0C040C0C040C0C040C0C041818081818081818100818100C2C2003C7C0170E7F8D19>I< 0F1F0011A18020C38020C300418000018000018000018000030000030200C30200E70400 C5080078F000110E7F8D14>I E /Fm 14 107 df0 D<000FC000007FF80001F03E0003800700060001800C0000C01800006030000030300000 306000001860000018C000000CC000000CC000000CC000000CC000000CC000000CC00000 0C60000018600000183000003030000030180000600C0000C0060001800380070001F03E 00007FF800000FC0001E1D7E9623>13 D<0000300000F00001C0000700001E0000780001 E0000380000E00003C0000F00000F000003800000E000007800001E000007800001C0000 07000003C00000F00000300000000000000000000000000000000000007FFFE0FFFFF014 1E7D951B>20 DI<01FF8007 FF800E0000180000300000600000600000600000C00000C00000FFFF80FFFF80C00000C0 00006000006000006000003000001800000E000007FF8001FF8011167D9218>50 D<0003000300060006000C000C00180018003000300060006000C000C001800180030003 00060006000C000C00180018003000300060006000C0004000101E7B9600>54 D<400010C000306000606000606000603000C03000C01801801FFF800FFF000C03000C03 00060600060600030C00030C0001980001980001980000F00000F0000060000060001417 809615>56 DII<00400000E00000E00001B00001B000 031800031800060C00060C000C06000C06001803001803003001803001806000C06000C0 C00060C0002013137E9218>94 DI<007800C00180030003000300030003000300030003000300030003000600 0C00F0000C00060003000300030003000300030003000300030003000300018000C00078 0D217E9812>102 DI106 D E /Fn 53 124 df<00FCF807839C0E079C1C0708 1C07001C07001C07001C07001C0700FFFFE01C07001C07001C07001C07001C07001C0700 1C07001C07001C07001C07001C07001C0700FF1FE01617809615>11 D<0102040C1818303070606060E0E0E0E0E0E0E0E0E0E060606070303018180C04020108 227D980E>40 D<8040203018180C0C0E060606070707070707070707070606060E0C0C18 183020408008227E980E>I<003000003000003000003000003000003000003000003000 003000003000003000FFFFFCFFFFFC003000003000003000003000003000003000003000 00300000300000300000300016187E931B>43 D<60F0F070101020204040040A7D830A> I<0008001800300030003000600060006000C000C000C001800180018003000300060006 0006000C000C000C00180018001800300030003000600060006000C000C0000D217E9812 >47 D<07C018303018701C600C600CE00EE00EE00EE00EE00EE00EE00EE00EE00E600C60 0C701C30181C7007C00F157F9412>I<03000700FF000700070007000700070007000700 07000700070007000700070007000700070007007FF00C157E9412>I<0F8030E0407080 30C038E0384038003800700070006000C00180030006000C08080810183FF07FF0FFF00D 157E9412>I<0FE030306018701C701C001C00180038006007E000300018000C000E000E E00EE00EC00C401830300FE00F157F9412>I<20303FE03FC0240020002000200020002F 8030E020700030003800384038E038E0388030406020C01F000D157E9412>53 D<07E018302018600C600C700C78183E101F600FC00FF018F8607C601EC00EC006C006C0 04600C38300FE00F157F9412>56 D<07C0183030186018E00CE00CE00EE00EE00E601E30 1E186E0F8E000E000C001C70187018603020C01F800F157F9412>I<60F0F06000000000 000060F0F060040E7D8D0A>I<60F0F06000000000000060F0F07010102020404004147D 8D0A>I61 D66 D<00FC100383300E00B01C0070380030300030700010600010E0 0010E00000E00000E00000E00000E00000E000106000107000103000203800201C00400E 008003830000FC0014177E9619>II70 D72 DI76 D78 D<00FC000303000E01C01C00E0380070300030700038600018E0001CE0001CE0001CE000 1CE0001CE0001CE0001C7000387000383000303800701C00E00E01C003030000FC001617 7E961B>II82 D<7FFFF860381840380840380880380480380480380400 380000380000380000380000380000380000380000380000380000380000380000380000 380000380000380007FFC016177F9619>84 D91 D93 D<1FC0386038301038003803F81E3830387038E039E039E07970FF1F1E100E7F8D12>97 DI<07F01838303870106000E000E000E000E000600070083008183007C00D0E7F 8D10>I<007E00000E00000E00000E00000E00000E00000E00000E00000E0007CE001C3E 00300E00700E00600E00E00E00E00E00E00E00E00E00600E00700E00301E00182E0007CF C012177F9614>I<0FC0186030307038E018FFF8E000E000E000600070083010183007C0 0D0E7F8D10>I<03E006700E701C201C001C001C001C001C00FF801C001C001C001C001C 001C001C001C001C001C001C001C00FF800C1780960B>I<0F9E18E33060707070707070 306018C02F80200060003FE03FF83FFC600EC006C006C006600C38380FE010157F8D12> II<183C3C1800000000007C1C1C1C1C1C1C1C1C1C1C1C1CFF081780960A>I<0300 078007800300000000000000000000001F80038003800380038003800380038003800380 0380038003800380038003804380E300E7007C00091D82960B>I108 D II<07C018303018600C600CE00EE00EE00EE00EE00E701C 3018183007C00F0E7F8D12>II114 D<1F4060C0C040C040E000FF007F801FC001E080608060C060E0C09F 000B0E7F8D0E>I<080008000800180018003800FF803800380038003800380038003800 38403840384038401C800F000A147F930E>IIIII123 D E /Fo 45 121 df<0180038006000C001800 3800300070007000E000E000E000E000E000E000E000700070003000380018000C000600 0380018009197B9612>40 D<80C06030181C0C0E0E070707070707070E0E0C1C183060C0 8008197C9612>I<60F0F878183030E0C00509798312>44 D<060006000E001E00FE00EE 000E000E000E000E000E000E000E000E000E000E000E000E00FFE0FFE00B147D9312>49 D<0F803FC070E0E070E038E038403800380030007000E000C00180030006000C00183830 387FF87FF80D147E9312>I<0FE03FF07838701C201C001C0038007807E007F00038001C 000E000E400EE00EE01C78383FF00FC00F147F9312>I61 D<03E007F01E18381C30FC71FE739EE30EE70EE70EE70EE7 0EE30C739C71F830F038001E0E07FE03F80F147F9312>64 D66 D<03E60FFE1C3E381E700E700E600EE000E000E000E000E000E000600E700E700E381C1C 380FF003E00F147F9312>IIII72 DI76 DII<3FE07FF07070 E038E038E038E038E038E038E038E038E038E038E038E038E038E03870707FF03FE00D14 7E9312>II82 D<7FFEFFFEE38EE38EE38E03800380038003800380038003800380038003800380038003 801FF01FF00F147F9312>84 D87 D<3F807FC070E0207000700F F03FF07870E070E070E07070F03FFE1F3E0F0E7E8D12>97 D<07F01FF8383870106000E0 00E000E000E0006000703838381FF007E00D0E7E8D12>99 D<00F800F800380038003800 3807B81FF8387870386038E038E038E038E0386038707838781FFE0FBE0F147F9312>I< 07801FE0387070706038E038FFF8FFF8E0006000703838381FF007C00D0E7E8D12>I<00 7E00FF01C70382038003807FFEFFFE03800380038003800380038003800380038003803F F83FF81014809312>I<0F9E1FFF38E7707070707070707038E03FC03F8070003FE03FF8 3FFC701EE00EE00EE00E600C783C1FF00FE010167F8D12>II< 06000F000F000600000000000000FF00FF00070007000700070007000700070007000700 0700FFF0FFF00C157D9412>I<00C001E001E000C00000000000001FE01FE000E000E000 E000E000E000E000E000E000E000E000E000E000E000E000E040C0E1C0FF807E000B1C7E 9412>IIII I<0F803FE038E07070E038E038E038E038E038F078707038E03FE00F800D0E7E8D12>I< FBE0FFF03C38381C380C380E380E380E380E380C381C3C383FF03BC03800380038003800 3800FE00FE000F157F8D12>I114 D<1FF03FF06070C070E0007F003FE00FF000786018E018 F030FFE0DFC00D0E7E8D12>I<06000E000E000E007FF8FFF80E000E000E000E000E000E 000E000E380E380E3807F003C00D127F9112>IIII<7C7C7C7C1CF00EE00FC007C00380078007C00E E01EF01C70FC7EFC7E0F0E7F8D12>I E /Fp 23 120 df<70F8F8F870000000000070F8 F8F870050F7D8E0B>58 D<007F8103FFF707E03F0F000F1E00073C00077C0003780003F8 0000F80000F80000F80000F80000F80000F800007800037C00033C00031E00060F000C07 E03803FFF0007FC018177E961D>67 D69 D73 D77 DI<007F800003C0F0000F003C001E001E003C000F003C000F007C000F 8078000780F80007C0F80007C0F80007C0F80007C0F80007C0F80007C0F80007C0780007 807C000F803C000F003E001F001E001E000F003C0003C0F000007F80001A177E961F>I< 7FFFFF007FFFFF00783E0F00603E0300E03E0380C03E0180C03E0180C03E0180003E0000 003E0000003E0000003E0000003E0000003E0000003E0000003E0000003E0000003E0000 003E0000003E0000003E000007FFF00007FFF00019177F961C>84 D86 D<0FE0003838003C1C003C1E00181E00001E0000FE000F9E003C1E00781E00F01E00F01E 00F01E00786FC01F87C0120F7F8E14>97 DI<001F80001F800007800007800007 8000078000078000078003F7801E1F80380780780780700780F00780F00780F00780F007 80F00780700780780780380F801C1FE007E7E013177F9617>100 D<07F01C18380C78067007F007F007FFFFF000F0007000780038031E0603FC100F7F8E13 >I<387C7C7C3800000000FCFC3C3C3C3C3C3C3C3C3C3C3CFFFF08187F970B>105 D108 DII<07F0001C1C00380E00700700700700F00780F00780F00780 F00780F00780700700700700380E001C1C0007F000110F7F8E14>I114 D<1FF060704030C030E000FF007FE03FF00FF80078C018C018E010F020CFC00D0F7F8E10 >I<0600060006000E000E001E003FE0FFE01E001E001E001E001E001E001E001E301E30 1E301E300E2007C00C157F9410>I118 DI E /Fq 4 95 df0 D<081C1C3838383070706060C0C0060D 7E8D09>48 D<03FE0FFE1C00300060006000C000C000FFFEFFFEC000C000600060003000 1C000FFE03FE0F127D8E15>50 D<01000380038006C006C00C600C601830183030183018 600C600CC006C0020F0F7D8E15>94 D E /Fr 55 122 df<0003FE000E03001C07001806 00380000380000700000700000700000700007FFFC00E01C00E03800E03800E03800E038 01C07001C07001C07001C07001C0E403C0E40380E40380E4038068038030030000070000 070000660000E60000CC00007800001821819916>12 D<183C3C1C08080810204080060B 78990C>39 D<000400180030006000C0008001800300030006000E000C001C0018001800 38003000300070007000600060006000E000E000E000C000C000C000C000C00060006000 600020003000100008000E267B9B10>I<00400060002000300010001800180018001800 18001800180018001800180018003800380030003000700070006000E000C000C001C001 8003800300060006000C00180010002000400080000D267F9B10>I<1838783808101020 204080050B7D830C>44 DI<3078F06005047C830C>I<0000 080000180000180000300000300000600000600000C00000C00001800003000003000006 00000600000C00000C0000180000300000300000600000600000C00000C0000180000300 000300000600000600000C00000C0000180000180000300000600000600000C000008000 0015257F9B14>I<000800180030007001F00E7000E000E000E000E001C001C001C001C0 038003800380038007000700070007000F00FFF00D187C9714>49 D<007C000186000203000403800483800883801083801083801083801107001207000C0E 00001C000030000060000180000200000C00001001002001003C060067FE00C1FC0080F0 0011187D9714>I<003E0000C3000101800201800481C00441C008838004838007030000 0600000C0001F000001800000C00000C00000E00000E00600E00E01C00E01C0080380040 300020E0001F800012187D9714>I<03018003FF0003FC00022000040000040000040000 04000008000009E0000E1800081800001C00001C00001C00001C00201C00701C00E03800 80300040700040E0002180001E000011187C9714>53 D<001F0000608001808003038006 03800E00001C000018000038000039F000721800740C00780E00700E00F00E00E00E00E0 0E00E00E00E01C00E01C0060380060700030C0001F800011187C9714>I<09C04017E080 1FF1803C1F00300200600600400400800C00000800001800003000003000007000006000 00E00000C00001C00001C00001800003800003800003800007000003000012187B9714> I<003E0000C1000100800200C00600C00600C00E018007030007860003CC0001F00001F8 00067C000C3E00180E00300700600700600700C00600C00600600C006018003070000FC0 0012187D9714>I<007C000186000703000E03000C03801C038038038038038038038038 0780380700380F001817000C270007CE00000E00000C00001C00001800E03000E0600080 C000C380003E000011187C9714>I<0000200000600000600000E00001E00001E0000270 00027000047000087000087000107000107000207000207000407000807000FFF0010038 0100380200380400380400380C00381C0038FF01FF181A7E991D>65 D<03FFF800700E00700600700700E00700E00700E00700E00701C00E01C01C01C03801C0 7003FFE003807003803803801C07001C07001C07001C07001C0E00380E00380E00700E00 E01C03C0FFFF00181A7D991B>I<000F8200706200C01603801E07000C0E000C1C000C18 000C380008300008700000700000E00000E00000E00000E00000E00020E00020E00020E0 00406000406000803001001006000C180003E000171A7A991B>I<03FFF80000700E0000 7007000070030000E0018000E0018000E0018000E001C001C001C001C001C001C001C001 C001C003800380038003800380038003800300070007000700070007000E0007000C000E 001C000E0038000E0070000E00E0001C038000FFFE00001A1A7D991D>I<03FFFF007007 00700300700100E00100E00100E00100E00101C08001C08001C08001C18003FF00038100 0381000381000702000700040700040700080E00080E00180E00100E00301C00E0FFFFE0 181A7D991A>I<03FFFF00700700700300700100E00100E00100E00100E00101C08001C0 8001C08001C18003FF000381000381000381000702000700000700000700000E00000E00 000E00000E00001E0000FFE000181A7D9919>I<000FC100302100C01301800F0700060E 00060C0006180006380004300004700000700000E00000E00000E00000E007FEE00070E0 0070E00070E000706000E06000E03000E01801E00C064003F840181A7A991E>I<01FF80 00380000380000380000700000700000700000700000E00000E00000E00000E00001C000 01C00001C00001C0000380000380000380000380000700000700000700000700000E0000 FFE000111A7E990F>73 D<03FF8000700000700000700000E00000E00000E00000E00001 C00001C00001C00001C0000380000380000380000380000700000700100700100700200E 00200E00600E00400E00C01C0380FFFF80141A7D9918>76 D<03F8001FC00078003C0000 78003C000078005C0000B800B80000B800B800009C013800009C013800011C027000011C 027000011C047000011C087000021C08E000021C10E000021C10E000021C20E000041C41 C000041C41C000041C81C000041C81C000080F038000080F038000080E038000180C0380 00380C070000FF083FF000221A7D9922>I<03F007F8007801C00078008000780080009C 0100009C0100009C0100008E0100010E0200010602000107020001070200020384000203 8400020384000201C4000401C8000401C8000400E8000400E8000800F000080070000800 70001800700038002000FF0020001D1A7D991D>I<001F8000706001C03003001806001C 0E000C1C000C18000E38000E30000E70000E70000EE0001CE0001CE0001CE00038E00038 E00030E00070E000E0E000C06001807003003806001C1C0007E000171A7A991D>I<03FF F800701C00700600700700E00700E00700E00700E00701C00E01C00E01C01C01C0380380 7003FF800380000380000700000700000700000700000E00000E00000E00000E00001C00 00FFC000181A7D991A>I<003F1000609001807001007003002006002006002006002006 000007000007C00003F80001FE00007F00000F8000038000018000018020018020018060 0300600300600600700C00C8180087E000141A7D9916>83 D<3FFFFC381C0C201C04401C 0440380480380480380480380400700000700000700000700000E00000E00000E00000E0 0001C00001C00001C00001C000038000038000038000038000078000FFF800161A79991B >I86 DI<03 CC0E2E181C381C301C701CE038E038E038E038C072C072C07260F261341E180F107C8F14 >97 D<7E000E000E000E001C001C001C001C00380038003BC03C307830701870187018E0 38E038E038E038C070C060C0E060C063801E000D1A7C9912>I<01F006080C1818383010 70006000E000E000E000E000E008E010602030C01F000D107C8F12>I<001F8000038000 0380000380000700000700000700000700000E00000E0003CE000E2E00181C00381C0030 1C00701C00E03800E03800E03800E03800C07200C07200C0720060F2006134001E180011 1A7C9914>I<01E006181C08380870087010FFE0E000E000E000E000E0086010602030C0 1F000D107C8F12>I<000700001980001B80003B00003000003000007000007000007000 00700007FF0000E00000E00000E00000E00000E00001C00001C00001C00001C00001C000 038000038000038000038000038000070000070000070000660000E40000CC0000700000 112181990C>I<00F300038B800607000E07000C07001C0700380E00380E00380E00380E 00301C00301C00301C00183C0018780007B800003800003800007000607000E0E000C1C0 007F000011177E8F12>I<1F80000380000380000380000700000700000700000700000E 00000E00000E7C000F86001E07001E07001C07001C0700380E00380E00380E00381C0070 1C80701C80703880703900E01900600E00111A7E9914>I<030706000000000000384C4E 8E9C9C1C3838707272E2E4643808197C980C>I<1F800380038003800700070007000700 0E000E000E0E0E131C271C431C801F003C003F8039C038E070E270E270E270E4E0646038 101A7E9912>107 D<3F0707070E0E0E0E1C1C1C1C3838383870707070E4E4E4E4683008 1A7D990A>I<307C1E00598663009E0783809E0703809C0703809C070380380E0700380E 0700380E0700380E0E00701C0E40701C0E40701C1C40701C1C80E0380C80601807001A10 7C8F1F>I<307C005986009E07009E07009C07009C0700380E00380E00380E00381C0070 1C80701C80703880703900E01900600E0011107C8F16>I<01F006180C0C180E300E700E 600EE00EE00EE00CE01CE018E030606030C01F000F107C8F14>I<030F000590C009E0C0 09C06009C06009C0600380E00380E00380E00380E00701C00701800703800703000E8E00 0E78000E00000E00001C00001C00001C00001C0000FF00001317808F14>I<30F059189E 389C189C009C0038003800380038007000700070007000E00060000D107C8F10>114 D<03E004300830187018601C001F801FC00FE000E00060E060E06080C041803E000C107D 8F10>I<06000E000E000E000E001C001C00FFC01C003800380038003800700070007000 7000E100E100E100E200640038000A177C960D>I<38064C074E0E8E0E9C0E9C0E1C1C38 1C381C381C7039703970393079389A0F0C10107C8F15>I<38184C1C4E1C8E0C9C0C9C0C 1C08380838083808701070107020304018C00F000E107C8F12>I<380C304C0E384E1C38 8E1C189C1C189C1C181C381038381038381038381070702070702070704030704018B880 0F0F0015107C8F19>I<38064C074E0E8E0E9C0E9C0E1C1C381C381C381C703870387038 307838F00F700070006060E0E1C0C18047003C0010177C8F13>121 D E /Fs 23 107 df0 D<8000C0C001C060030030060018 0C000C180006300003600001C00001C0000360000630000C1800180C00300600600300C0 01C08000C012127A911E>2 D<00080000000C0000000C0000000C0000000C0000000C00 00000C0000000C0000000C0000000C0000000C0000000C0000FFFFFF80FFFFFF80000C00 00000C0000000C0000000C0000000C0000000C0000000C0000000C0000000C0000000C00 00FFFFFF80FFFFFF80191A7E981E>6 D<0007F00000003FFE000000780F000001C001C0 00038000E00006000030000C000018001800000C001800000C0030000006006000000300 60000003006000000300C000000180C000000180C000000180C000000180C000000180C0 00000180C00000018060000003006000000300600000030030000006001800000C001800 000C000C000018000600003000038000E00001C001C00000780F0000003FFE00000007F0 000021217E9926>13 D<007FFE03FFFE0780000C00001800003000006000006000006000 00C00000C00000C00000C00000C000006000006000006000003000001800000C00000780 0003FFFE007FFE0000000000000000000000000000000000007FFFFE7FFFFE171F7D971E >18 D<00000600001E0000780001E0000780001E0000780001E0000780001E0000780000 E000007800001E000007800001E000007800001E000007800001E000007800001E000006 0000000000000000000000000000000000007FFFFCFFFFFE171F7D971E>20 D<0400000004000000080000001000000020000000FFFFFFFFFFFFFFFF20000000100000 00080000000400000004000000200C7D8E26>32 D<000000200000000020000000001000 00000008000000000400FFFFFFFF80FFFFFFFF8000000004000000000800000000100000 000020000000002000210C7E8E26>I<0004000000000C00000000180000000018000000 0030000000006000000000FFFFFF8003FFFFFF8007000000003C00000000F0000000003C 000000000E00000000030000000001FFFFFF8000FFFFFF80006000000000300000000018 0000000018000000000C000000000400000021167E9326>40 D<00001000000000180000 00000C000000000C000000000600000000030000FFFFFF8000FFFFFFE000000000700000 00001E0000000007800000001E0000000038000000006000FFFFFFC000FFFFFF80000000 030000000006000000000C000000000C00000000180000000010000021167E9326>I<00 7FE003FFE00780000C0000180000300000300000600000600000C00000C00000FFFFE0FF FFE0C00000C000006000006000003000003000001800000C000007800003FFE0007FE013 187D941A>50 D<0000600000600000C00000C0000180000180000300000300000600000C 00000C0000180000180000300000300000600000600000C00000C0000180000180000300 000300000600000600000C0000180000180000300000300000600000600000C000004000 0013227B9900>54 D<400010C000306000606000606000603000C03000C03000C0180180 1FFF800FFF000C03000C0300060600060600060600030C00030C00019800019800019800 00F00000F00000F000006000006000141A809915>56 DII<0010003007B018603070307060D860D860D8E0DCE19CE19CE1 9CE31CE31CE31CE31CE61CE61CE61CEC1C6C186C187C383830383018603780300030000E 1E7E9B13>I<400008C00018C00018C00018C00018C00018C00018C00018C00018C00018 C00018C00018C00018C00018C00018C00018C000186000303000601E03C00FFF8001FC00 15167E951A>91 D<01FC000FFF801E03C0300060600030C00018C00018C00018C00018C0 0018C00018C00018C00018C00018C00018C00018C00018C00018C00018C00018C0001840 000815167E951A>I<00200000700000700000D80000D800018C00018C00030600030600 0603000603000603000C01800C01801800C01800C0300060300060600030600030C00018 C0000815167E951A>94 DI<007001C00380070007000700070007000700070007000700 07000700070007000E001C00F0001C000E00070007000700070007000700070007000700 0700070007000700038001C000700C257D9B13>102 DI106 D E /Ft 45 121 df<60F0F06004047D830B>58 D<60F0F070101010202040 80040B7D830B>I<00000E00003C0000F00003C0000F00003C0000F00003C0000F00003C 0000F00000F000003C00000F000003C00000F000003C00000F000003C00000F000003C00 000E17167D931E>I62 D<01FFFE000038070000380380003803C0007003C0007003C000 7003C0007003C000E0078000E0070000E01E0000E03C0001FFF80001C01C0001C00E0001 C00F0003800F0003800F0003800F0003800F0007001E0007001E0007003C00070078000E 01E000FFFF80001A1A7E991D>66 D<0007E040003C18C000E005C001C003C00380018007 0001800E0001801C0001803C000100380001007800000078000000F0000000F0000000F0 000000F0000000F0000400F0000400F0000400F00008007000100030001000380060001C 0080000703000001FC00001A1A7E991B>I<01FFFC000038070000380380003801C00070 00E0007000E0007000E0007000F000E000F000E000F000E000F000E000F001C001E001C0 01E001C001E001C001C0038003C0038003C0038003800380070007000E0007001E000700 3800070070000E01E000FFFF00001C1A7E9920>I<01FFFFC0003801C0003800C0003800 400070004000700040007000400070004000E0400000E0400000E0400000E0C00001FF80 0001C0800001C0800001C080000381000003800100038001000380020007000200070004 0007000C00070018000E007800FFFFF0001A1A7E991C>I<01FFFF800038038000380180 003800800070008000700080007000800070008000E0400000E0400000E0400000E0C000 01FF800001C0800001C0800001C080000381000003800000038000000380000007000000 0700000007000000070000000F000000FFF00000191A7E9919>I<01FF8FFC003801C000 3801C0003801C00070038000700380007003800070038000E0070000E0070000E0070000 E0070001FFFE0001C00E0001C00E0001C00E0003801C0003801C0003801C0003801C0007 0038000700380007003800070038000E007000FFE7FF001E1A7E9920>72 D<03FF8000380000380000380000700000700000700000700000E00000E00000E00000E0 0001C00001C00001C00001C0000380000380000380000380000700000700000700000700 000F0000FFE000111A7F9911>I<01FFC000380000380000380000700000700000700000 700000E00000E00000E00000E00001C00001C00001C00001C00003800003800803800803 80100700100700300700200700600E01C0FFFFC0151A7E991A>76 D<01FC0007F0003C000F00003C000F00003C001700005C002E00004E002E00004E004E00 004E004E00008E009C00008E011C00008E011C00008E021C00010E023800010E04380001 0E083800010E0838000207107000020710700002072070000207407000040740E0000407 80E000040780E0000C0700E0001C0601C000FF861FFC00241A7E9925>I<000FE0000038 380000E00E0001C00700070007000F0003800E0003801C0003803C0003C0380003C07800 03C0780003C0F0000780F0000780F0000780F0000F00F0000F00F0000E00F0001E00F000 3C0070003800700070003800E0001C03C0000E0F000003F800001A1A7E991D>79 D<01FFFC0000380F000038038000380380007003C0007003C0007003C0007003C000E007 8000E0078000E00F0000E01E0001C0380001FFE00001C0000001C0000003800000038000 000380000003800000070000000700000007000000070000000E000000FFE000001A1A7E 9919>I<000FE0000038380000E00E0001C00700078007000F0007800E0003801C000380 3C0003C0380003C0780003C0780003C0F0000780F0000780F0000780F0000700F0000F00 F0000E00F0001E00F0001C0070703800708070003904E0001D07C0000F0F000003FE0400 0006040000060C00000718000007F8000007F0000007E0000003C0001A217E991E>I<01 FFF80000381E0000380700003807800070078000700780007007800070078000E00F0000 E00E0000E01C0000E0700001FFC00001C0C00001C0600001C07000038070000380700003 807000038070000700F0000700F0000700F0400700F0800E007980FFE01E001A1A7E991D >I<001F080060D800803801003803001006001006001006001006000007000007C00003 FC0001FF00007F800007C00001C00001C00000C02000C02000C060018060018060030070 0600CC0C0083F000151A7E9917>I<3FFFFF80380E0180200E0080400E0080401C008080 1C0080801C0080801C008000380000003800000038000000380000007000000070000000 7000000070000000E0000000E0000000E0000000E0000001C0000001C0000001C0000001 C0000003C000007FFE0000191A7F9916>I86 D<01FF83FE003C00F0003C00C0001C 0080001E0100000E0200000E040000070800000710000007A0000003C0000003C0000001 C0000003C0000007E0000004E0000008F000001070000020700000403800008038000100 3C0002001C0006001E001E001E00FF80FFC01F1A7F9920>88 D<03980C5C183838383038 7038E070E070E070E070C0E2C0E2C0E2E1E262643C380F107E8F14>97 D<7E000E000E000E001C001C001C001C00380038003BC03C607870703070307030E070E0 70E070E070C0E0C0C0C1C0E18063003C000C1A7E9910>I<03E006181C18383830107000 6000E000E000E000E000C008E010602030C01F000D107E8F11>I<003F00070007000700 0E000E000E000E001C001C039C0C5C1838383830387038E070E070E070E070C0E2C0E2C0 E2E1E262643C38101A7E9914>I<03E00E101810381070107020FFC0E000E000E000E000 E008E010602030C01F000D107E8F12>I<0007C0000C600018E00018C000380000380000 380000380000700000700007FF0000700000700000E00000E00000E00000E00000E00000 E00001C00001C00001C00001C00001C000038000038000038000030000030000670000E6 0000CC000078000013217E9913>I<00E60317060E0E0E0C0E1C0E381C381C381C381C30 3830383038387818F00F700070007000E060E0E1C0C3807E0010177F8F12>I<1F800003 80000380000380000700000700000700000700000E00000E00000E78000F8C001E0E001C 0E001C0E001C0E00381C00381C00381C00383800703880703880707080707100E0320060 1C00111A7E9916>I<03000380030000000000000000000000000000003C004E004E008E 008E009C001C001C0038003800390071007100720072003C00091A7E990D>I<0004000E 000C000000000000000000000000000000E0013002380438043804380070007000700070 00E000E000E000E001C001C001C001C003806380E700C60078000F21809910>I<1F8003 800380038007000700070007000E000E000E0E0E331C471C831D001E003C003F8039C038 E070E270E270E270E4E0646038101A7E9914>I<3F0707070E0E0E0E1C1C1C1C38383838 70707070E4E4E4E46838081A7E990B>I<383E0F804CC330C08F03C0E08F03C0E08E0380 E08E0380E01C0701C01C0701C01C0701C01C070380380E0388380E0388380E0708380E07 10701C0320300C01C01D107E8F22>I<383C004CC6008F07008E07008E07008E07001C0E 001C0E001C0E001C1C00381C40381C40383840383880701900300E0012107E8F17>I<03 E006101C18381C300C701C601CE01CE01CE018E038C030E07060E021801F000E107E8F13 >I<070F0009918011E1C011C0C011C0C011C0C00381C00381C00381C00381C007038007 03000707000706000E8C000E70000E00000E00001C00001C00001C00001C0000FF000012 17818F13>I<03840C5C1838383830387038E070E070E070E070C0E0C0E0C0E0E1E063C0 3DC001C001C003800380038003803FE00E177E8F11>I<38704D988F388E188E008E001C 001C001C001C003800380038003800700030000D107E8F11>I<03E00618081818381830 1C001FC00FE007F000700030E030E030806040C03F000D107E8F12>I<01800380038003 80038007000700FFE007000E000E000E000E001C001C001C001C00384038403840388019 000E000B177F960E>I<1C0600260700470E00870E008E0E008E0E000E1C001C1C001C1C 001C1C003838803838803838801838801C59000F8E0011107E8F16>I<1C0C261E470E87 068E068E060E041C041C041C0838083808381018200C4007800F107E8F13>I<1C030626 038F4707078707038E07038E07030E0E021C0E021C0E021C0E04381C04381C04181C081C 1C100C262007C3C018107E8F1C>I<0F1E11A321E741C341C041C0038003800380038007 020702C702EB04CB0870F010107E8F16>I E /Fu 82 124 df<00FC7C0183C607078E06 07040E07000E07000E07000E07000E07000E0700FFFFF00E07000E07000E07000E07000E 07000E07000E07000E07000E07000E07000E07000E07000E07000E07007F0FF0171A8099 16>11 D<00FC000182000703000607000E02000E00000E00000E00000E00000E0000FFFF 000E07000E07000E07000E07000E07000E07000E07000E07000E07000E07000E07000E07 000E07000E07007F0FE0131A809915>I<00FF000387000707000607000E07000E07000E 07000E07000E07000E0700FFFF000E07000E07000E07000E07000E07000E07000E07000E 07000E07000E07000E07000E07000E07000E07007F9FE0131A809915>I<007E1F8001C1 70400703C060060380E00E0380400E0380000E0380000E0380000E0380000E038000FFFF FFE00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E0380E00E03 80E00E0380E00E0380E00E0380E00E0380E00E0380E07F8FE3FC1E1A809920>I<60C0F1 E0F9F068D0081008100810102010202040C1800C0B7F9913>34 D<60F0F8680808081010 20C0050B7D990B>39 D<00800100020004000C0008001800300030003000600060006000 6000E000E000E000E000E000E000E000E000E000E0006000600060006000300030003000 180008000C00040002000100008009267D9B0F>I<8000400020001000180008000C0006 000600060003000300030003000380038003800380038003800380038003800380030003 00030003000600060006000C0008001800100020004000800009267E9B0F>I<000C0000 000C0000000C0000000C0000000C0000000C0000000C0000000C0000000C0000000C0000 000C0000000C0000FFFFFF80FFFFFF80000C0000000C0000000C0000000C0000000C0000 000C0000000C0000000C0000000C0000000C0000000C0000000C0000191A7E951E>43 D<60F0F07010101020204080040B7D830B>II<60F0F06004047D 830B>I<0004000C00180018001800300030003000600060006000C000C000C001800180 01800300030003000600060006000C000C000C0018001800180030003000300060006000 6000C000C0000E257E9B13>I<078018603030303060186018E01CE01CE01CE01CE01CE0 1CE01CE01CE01CE01CE01CE01C6018601870383030186007800E187E9713>I<03000700 FF0007000700070007000700070007000700070007000700070007000700070007000700 070007000700FFF00C187D9713>I<0F80106020304038803CC01CE01C401C003C003800 380070006000C001800100020004040804100430083FF87FF8FFF80E187E9713>I<0F80 10E02070607870382038007800700070006000C00F8000E000700038003C003CE03CE03C C03C4038407030E00F800E187E9713>I<00300030007000F000F001700370027004700C 7008701070307020704070C070FFFF00700070007000700070007007FF10187F9713>I< 30183FF03FE03FC02000200020002000200027C03860203000380018001C001C401CE01C E01C80184038403030E00F800E187E9713>I<01E006100C1818383038300070006000E0 00E7C0E860F030F018E018E01CE01CE01C601C601C701830183030186007C00E187E9713 >I<40007FFE7FFC7FFC4008801080108020004000400080018001800100030003000300 030007000700070007000700070002000F197E9813>I<07801860303020186018601860 1870103C303E600F8007C019F030F86038401CC00CC00CC00CC00C6008201018600FC00E 187E9713>I<07801860303070306018E018E018E01CE01CE01C601C603C303C185C0F9C 001C00180018003870307060604021801F000E187E9713>I<60F0F06000000000000000 0060F0F06004107D8F0B>I<60F0F060000000000000000060F0F0701010102020408004 177D8F0B>I61 D<000C0000000C0000000C0000001E0000001E 0000003F000000270000002700000043800000438000004380000081C0000081C0000081 C0000100E0000100E00001FFE00002007000020070000600780004003800040038000800 1C0008001C001C001E00FF00FFC01A1A7F991D>65 DI<00 3F0201C0C603002E0E001E1C000E1C0006380006780002700002700002F00000F00000F0 0000F00000F00000F000007000027000027800023800041C00041C00080E000803003001 C0C0003F00171A7E991C>IIII<003F020001C0C60003002E000E001E001C000E001C 00060038000600780002007000020070000200F0000000F0000000F0000000F0000000F0 000000F001FFC070000E0070000E0078000E0038000E001C000E001C000E000E000E0003 00160001C06600003F82001A1A7E991E>III<1FFC00E000E000E000E000E000E000E000E0 00E000E000E000E000E000E000E000E000E000E000E040E0E0E0E0E041C061801E000E1A 7D9914>IIII I<007F000001C1C000070070000E0038001C001C003C001E0038000E0078000F00700007 00F0000780F0000780F0000780F0000780F0000780F0000780F0000780F000078078000F 0078000F0038000E003C001E001C001C000E0038000700700001C1C000007F0000191A7E 991E>II<007F000001C1C000070070000E0038001C001C 003C001E0038000E0078000F0070000700F0000780F0000780F0000780F0000780F00007 80F0000780F0000780F00007807000070078000F0038000E003C1C1E001C221C000E4138 000741F00001E1C000007F80800001C0800000C0800000E1800000FF0000007F0000003E 0000001C0019217E991E>II<0FC21836200E6006C006C002C002C002E00070007E 003FE01FF807FC003E000E00070003800380038003C002C006E004D81887E0101A7E9915 >I<7FFFFF00701C0700401C0100401C0100C01C0180801C0080801C0080801C0080001C 0000001C0000001C0000001C0000001C0000001C0000001C0000001C0000001C0000001C 0000001C0000001C0000001C0000001C0000001C0000001C0000001C000003FFE000191A 7F991C>IIII<7FC0FF000F003C0007003000078020000380600001C0 400001E0800000E1800000710000007A0000003C0000001C0000001E0000001E00000017 000000278000004380000041C0000081E0000100E0000100700002007800040038000C00 1C001E003E00FF80FFC01A1A7F991D>II<7FFFC078038070038060070040070040 0E00401C00401C0000380000380000700000E00000E00001C00001C00003800007004007 00400E00400E00401C00C0380080380180700380700780FFFF80121A7E9917>II<1830204040804080810081008100B160F9F078F030600C0B7B9913>II<3F8070C070E020700070007007F01C7030707070E070E071E071E0F171FB1E 3C10107E8F13>97 DI<07F80C1C381C30087000E000E000 E000E000E000E0007000300438080C1807E00E107F8F11>I<007E00000E00000E00000E 00000E00000E00000E00000E00000E00000E0003CE000C3E00380E00300E00700E00E00E 00E00E00E00E00E00E00E00E00E00E00600E00700E00381E001C2E0007CFC0121A7F9915 >I<07C01C3030187018600CE00CFFFCE000E000E000E0006000300438080C1807E00E10 7F8F11>I<01F0031807380E100E000E000E000E000E000E00FFC00E000E000E000E000E 000E000E000E000E000E000E000E000E000E007FE00D1A80990C>I<0FCE187330307038 703870387038303018602FC02000600070003FF03FFC1FFE600FC003C003C003C0036006 381C07E010187F8F13>II<18003C003C00180000000000 0000000000000000FC001C001C001C001C001C001C001C001C001C001C001C001C001C00 1C00FF80091A80990A>I<018003C003C001800000000000000000000000000FC001C001 C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C041C0E1 80E3007E000A2182990C>IIIII<07E01C38300C 700E6006E007E007E007E007E007E0076006700E381C1C3807E010107F8F13>I I<03C2000C2600381E00300E00700E00E00E00E00E00E00E00E00E00E00E00E00E00700E 00700E00381E001C2E0007CE00000E00000E00000E00000E00000E00000E00007FC01217 7F8F14>II<1F2060E04020C020C020F0007F003FC01FE000F080708030C030C020 F0408F800C107F8F0F>I<0400040004000C000C001C003C00FFC01C001C001C001C001C 001C001C001C001C201C201C201C201C200E4003800B177F960F>IIIIII<7FF86070407040E041C041C00380070007000E08 1C081C08381070107030FFF00D107F8F11>II E /Fv 43 122 df<387CFEFEFE7C3807077C8610>46 D<00180000780001F800FFF800FF F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001 F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001F80001 F80001F8007FFFE07FFFE013207C9F1C>49 D<03FC000FFF003C1FC07007E07C07F0FE03 F0FE03F8FE03F8FE01F87C01F83803F80003F80003F00003F00007E00007C0000F80001F 00003E0000380000700000E01801C0180380180700180E00380FFFF01FFFF03FFFF07FFF F0FFFFF0FFFFF015207D9F1C>I<00FE0007FFC00F07E01E03F03F03F03F81F83F81F83F 81F81F03F81F03F00003F00003E00007C0001F8001FE0001FF000007C00001F00001F800 00FC0000FC3C00FE7E00FEFF00FEFF00FEFF00FEFF00FC7E01FC7801F81E07F00FFFC001 FE0017207E9F1C>I<0000E00001E00003E00003E00007E0000FE0001FE0001FE00037E0 0077E000E7E001C7E00187E00307E00707E00E07E00C07E01807E03807E07007E0E007E0 FFFFFEFFFFFE0007E00007E00007E00007E00007E00007E00007E000FFFE00FFFE17207E 9F1C>I<1000201E01E01FFFC01FFF801FFF001FFE001FF8001BC0001800001800001800 0018000019FC001FFF001E0FC01807E01803E00003F00003F00003F80003F83803F87C03 F8FE03F8FE03F8FC03F0FC03F07007E03007C01C1F800FFF0003F80015207D9F1C>I<00 1F8000FFE003F07007C0F00F01F81F01F83E01F83E01F87E00F07C00007C0000FC0800FC 7FC0FCFFE0FD80F0FF00F8FE007CFE007CFC007EFC007EFC007EFC007E7C007E7C007E7C 007E3C007C3E007C1E00F80F00F00783E003FFC000FF0017207E9F1C>I<600000780000 7FFFFE7FFFFE7FFFFC7FFFF87FFFF87FFFF0E00060E000C0C00180C00300C00300000600 000C00001C0000180000380000780000780000F00000F00000F00001F00001F00001F000 03F00003F00003F00003F00003F00003F00003F00001E00017227DA11C>I<387CFEFEFE 7C380000000000000000387CFEFEFE7C3807167C9510>58 D<0000700000000070000000 00F800000000F800000000F800000001FC00000001FC00000003FE00000003FE00000003 FE00000006FF000000067F0000000E7F8000000C3F8000000C3F800000183FC00000181F C00000381FE00000300FE00000300FE00000600FF000006007F00000E007F80000FFFFF8 0000FFFFF800018001FC00018001FC00038001FE00030000FE00030000FE000600007F00 0600007F00FFE00FFFF8FFE00FFFF825227EA12A>65 D<0003FE0080001FFF818000FF01 E38001F8003F8003E0001F8007C0000F800F800007801F800007803F000003803F000003 807F000001807E000001807E00000180FE00000000FE00000000FE00000000FE00000000 FE00000000FE00000000FE00000000FE000000007E000000007E000001807F000001803F 000001803F000003801F800003000F8000030007C000060003F0000C0001F800380000FF 00F000001FFFC0000003FE000021227DA128>67 D69 DI73 D76 DI<0007FC0000003FFF800000FC07E00003F001F8 0007E000FC000FC0007E001F80003F001F80003F003F00001F803F00001F807F00001FC0 7E00000FC07E00000FC0FE00000FE0FE00000FE0FE00000FE0FE00000FE0FE00000FE0FE 00000FE0FE00000FE0FE00000FE0FE00000FE07E00000FC07F00001FC07F00001FC03F00 001F803F80003F801F80003F000FC0007E0007E000FC0003F001F80000FC07E000003FFF 80000007FC000023227DA12A>79 DI82 D<01FC0407FF8C1F03FC3C007C7C003C78001C78001CF8000C F8000CFC000CFC0000FF0000FFE0007FFF007FFFC03FFFF01FFFF80FFFFC03FFFE003FFE 0003FF00007F00003F00003FC0001FC0001FC0001FE0001EE0001EF0003CFC003CFF00F8 C7FFE080FF8018227DA11F>I<7FFFFFFF807FFFFFFF807E03F80F807803F807807003F8 03806003F80180E003F801C0E003F801C0C003F800C0C003F800C0C003F800C0C003F800 C00003F800000003F800000003F800000003F800000003F800000003F800000003F80000 0003F800000003F800000003F800000003F800000003F800000003F800000003F8000000 03F800000003F800000003F800000003F800000003F800000003F8000003FFFFF80003FF FFF80022227EA127>I<07FC001FFF803F07C03F03E03F01E03F01F01E01F00001F00001 F0003FF003FDF01FC1F03F01F07E01F0FC01F0FC01F0FC01F0FC01F07E02F07E0CF81FF8 7F07E03F18167E951B>97 DI<00FF8007FFE00F83F01F03F03E03F07E03F07C01E0 7C0000FC0000FC0000FC0000FC0000FC0000FC00007C00007E00007E00003E00301F0060 0FC0E007FF8000FE0014167E9519>I<0001FE000001FE0000003E0000003E0000003E00 00003E0000003E0000003E0000003E0000003E0000003E0000003E0000003E0001FC3E00 07FFBE000F81FE001F007E003E003E007E003E007C003E00FC003E00FC003E00FC003E00 FC003E00FC003E00FC003E00FC003E00FC003E007C003E007C003E003E007E001E00FE00 0F83BE0007FF3FC001FC3FC01A237EA21F>I<00FE0007FF800F87C01E01E03E01F07C00 F07C00F8FC00F8FC00F8FFFFF8FFFFF8FC0000FC0000FC00007C00007C00007E00003E00 181F00300FC07003FFC000FF0015167E951A>I<003F8000FFC001E3E003C7E007C7E00F 87E00F83C00F80000F80000F80000F80000F80000F8000FFFC00FFFC000F80000F80000F 80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F80000F 80000F80000F80000F80007FF8007FF80013237FA211>I<03FC1E0FFF7F1F0F8F3E07CF 3C03C07C03E07C03E07C03E07C03E07C03E03C03C03E07C01F0F801FFF0013FC00300000 3000003800003FFF801FFFF00FFFF81FFFFC3800FC70003EF0001EF0001EF0001EF0001E 78003C7C007C3F01F80FFFE001FF0018217E951C>II<1C003E007F007F007F003E 001C000000000000000000000000000000FF00FF001F001F001F001F001F001F001F001F 001F001F001F001F001F001F001F001F001F001F00FFE0FFE00B247EA310>I<0038007C 00FE00FE00FE007C0038000000000000000000000000000003FE03FE003E003E003E003E 003E003E003E003E003E003E003E003E003E003E003E003E003E003E003E003E003E003E 003E783EFC3EFC3CFC7C78F87FE01F800F2E83A311>IIIII<00FE0007FFC00F83E01E00F03E00F87C007C7C007C7C00 7CFC007EFC007EFC007EFC007EFC007EFC007EFC007E7C007C7C007C3E00F81F01F00F83 E007FFC000FE0017167E951C>II114 D<0FF3003FFF00781F00600700E00300E00300F00300FC00007FE0007F F8003FFE000FFF0001FF00000F80C00780C00380E00380E00380F00700FC0E00EFFC00C7 F00011167E9516>I<0180000180000180000180000380000380000780000780000F8000 3F8000FFFF00FFFF000F80000F80000F80000F80000F80000F80000F80000F80000F8000 0F80000F80000F81800F81800F81800F81800F81800F830007C30003FE0000F80011207F 9F16>II120 DI E /Fw 2 104 df<000F0038007000E001C001C001C001C001C001C001C0 01C001C001C001C001C001C001C001C001C001C0038007001E00F0001E000700038001C0 01C001C001C001C001C001C001C001C001C001C001C001C001C001C001C001C000E00070 0038000F10317CA419>102 DI E /Fx 31 122 df44 D<03C00FF01FF83C3C381C700E700E700EE007E007E007E007E007E007E007E007E007E0 07E007E007E007700E700E700E381C3C3C1FF80FF007E0101D7E9B15>48 D<07C01FF03878701C601EE00EC00F400F400700070007000F000E001E001C003C007800 F001E001C0038007000E001C0038007000FFFFFFFF101C7E9B15>50 D<003C00007C00005C0000DC0001DC00019C00039C00039C00071C00071C000E1C000E1C 001C1C003C1C00381C00781C00701C00F01C00FFFFC0FFFFC0001C00001C00001C00001C 00001C00001C00001C00121B7F9A15>52 D55 D<001C0000003E0000003E0000002E0000006700000067000000E78000 00C7800000C3800001C3C0000183C0000181C0000381E0000381E0000700F0000700F000 0600F0000E0078000FFFF8000FFFF8001C003C001C003C0018003C0038001E0038001E00 70001F0070000F0070000F00E0000780191D7F9C1C>65 D<003FC000FFF003C0F0078030 0F00001E00003C00003C0000780000780000780000F00000F00000F00000F00000F00000 F00000F00000F00000F000007800007800007800003C00003C00001E00000F0008078018 03C07800FFF0003F80151F7D9D1B>67 DI77 D80 D<03F8000FFE001C0F00380700700300600000E00000E00000E00000E00000 F000007800007F00003FE0001FFC0007FE0001FF00001F800007800003C00003C00001C0 0001C00001C00001C0C00180E00380F007007C0E001FFC0007F000121F7E9D17>83 D85 D<0FC03FF07FF8703840 1C001C001C00FC0FFC3FFC781CE01CE01CE01CF07C7FFC7FDC3F1C0E127E9114>97 D<07E00FF81FFC3C1C70047000E000E000E000E000E000E000700070043C1C1FFC0FF807 E00E127E9112>99 D<000E000E000E000E000E000E000E000E000E000E000E0F8E1FEE3F FE7C3E700E700EE00EE00EE00EE00EE00EE00EF00E701E7C3E3FFE1FEE0F8E0F1D7E9C15 >I<07C01FE03FF078787018601CFFFCFFFCFFFCE000E000E000700070043C1C3FFC1FF8 07E00E127E9112>I<00FC01FC03FC07000E000E000E000E000E000E000E00FFE0FFE00E 000E000E000E000E000E000E000E000E000E000E000E000E000E000E000E000E1D809C0D >I<03C3C00FFFC01FFFC01C3800381C00381C00381C00381C00381C001C38001FF8001F F0003BC0003800003800001FFC001FFF003FFF80700780E001C0E001C0E001C0F003C07C 0F803FFF001FFE0007F800121B7F9115>I105 D107 DIII<03F0000FFC001F FE003C0F00780780700380E001C0E001C0E001C0E001C0E001C0F003C07003807807803C 0F001FFE000FFC0003F00012127F9115>II114 D<1FC03FF07FF0F030E000E000F0007F003FC01FE000F0 003800388038F078FFF07FE01FC00D127F9110>I<1C001C001C001C001C001C00FFE0FF E01C001C001C001C001C001C001C001C001C001C001C001C001C201FF00FF007C00C187F 970F>III121 D E /Fy 29 119 df<000078007C7800FC7801FC7803C000038000078000 078000078000078000078000078000078000078000FFFC78FFFC78FFFC78078078078078 078078078078078078078078078078078078078078078078078078078078078078078078 078078078078078078078078078078152480A31A>12 D<787878781830306060E0050A7C 830E>44 D46 D<000FE000007FF80000FFFC0003F03E0007C01F 000F800F000F01FF801E07FF803C0FFF803C0F1F80781E0FC0783C07C0783C07C0F03C07 C0F07803C0F07803C0F07803C0F07803C0F07803C0F07803C0F07803C0F03C0780783C07 80783C0780781E0F003C0F1E003C0FFE001E07FC000F01F0000F80000007C003C003F00F 8000FFFF00007FFC00000FE0001A237DA221>64 D66 D<000FF000007FFC0000FF FF0001F01F0003C00700078000000F0000001E0000003E0000003C0000003C0000007800 00007800000078000000F0000000F0000000F0000000F0000000F0000000F0000000F000 0000F0000000F00000007800000078000000780000003C0000003C0000003E0000001E00 00000F0000000780008003C0038001F00F8000FFFF00007FFC00000FF00019257DA31F> I<000FF000003FFE0000FFFF8001F80F8003E00380078000000F0000001E0000001E0000 003C0000003C000000780000007800000078000000F0000000F0000000F0000000F00000 00F0000000F0000000F000FFC0F000FFC0F000FFC0780003C0780003C0780003C03C0003 C03C0003C01E0003C01E0003C00F0003C0078003C003E003C001F807C000FFFFC0003FFF 00000FF8001A257DA321>71 D76 D82 D84 D<07E01FF83FFC381E20 1E000F000F000F000F00FF07FF1FFF3E0F780FF00FF00FF00FF00FF83F7FFF3FEF1F8F10 167E9517>97 DI<01FC0007FF000FFF801F03803C0180780000780000700000F0 0000F00000F00000F00000F00000F000007800007800007800003C00401F03C00FFFC007 FF8001FC0012167E9516>I<0003C00003C00003C00003C00003C00003C00003C00003C0 0003C00003C00003C00003C00003C003E3C00FFBC01FFFC03F0FC03C07C07803C07803C0 F003C0F003C0F003C0F003C0F003C0F003C0F003C0F003C07803C07803C03C07C03E0FC0 1FFFC00FFBC003E3C012237EA219>I<03F00007FC001FFE003E0F003C07807803807803 80F001C0FFFFC0FFFFC0FFFFC0F00000F00000F000007000007800007800003C00801F07 800FFF8007FF0001F80012167E9516>I<01F07807FFF80FFFF81F1F001E0F003C07803C 07803C07803C07803C07801E0F001F1F000FFE001FFC0019F0003800003800003C00001F FE001FFFC01FFFE03FFFF07801F07800F8F00078F00078F00078F000787800F03E03E01F FFC00FFF8001FC0015217F9518>103 DII107 DIII<01FC0007FF000FFF801F07C03C01E07800F07800F0700070F00078 F00078F00078F00078F00078F000787800F07800F07C01F03E03E01F07C00FFF8007FF00 01FC0015167F9518>II114 D<07F01FFC3FFE3C0E780678007800 7C003F003FF01FF80FFC01FE001F000F000F000FC00FF81EFFFE3FFC0FF010167F9513> I<0F000F000F000F000F000F00FFF8FFF8FFF80F000F000F000F000F000F000F000F000F 000F000F000F000F000F000F080F1C07FC07F803E00E1C7F9B12>III E /Fz 26 122 df<7F80FF80FF80FF80FF80FF80FF80FF80FF800000 00000000000000000000000000000000000000000000000000000000FF80FF80FF80FF80 FF80FF80FF80FF807F8009217AA016>58 D<00007FF800000000FFFC00000001FFFE0000 0001FFFE00000001FFFE00000003FFFF00000003FFFF00000003FFFF00000007FFFF8000 0007FDFF80000007FDFF8000000FF9FFC000000FF9FFC000000FF8FFC000001FF8FFE000 001FF0FFE000001FF0FFE000003FF07FF000003FE07FF000003FE07FF000007FE03FF800 007FE03FF800007FC03FF80000FFC01FFC0000FFC01FFC0000FF801FFC0001FF800FFE00 01FF800FFE0001FF000FFE0003FF000FFF0003FF0007FF0007FE0007FF8007FE0007FF80 07FFFFFFFF800FFFFFFFFFC00FFFFFFFFFC00FFFFFFFFFC01FFFFFFFFFE01FFFFFFFFFE0 1FF80000FFE03FF00000FFF03FF000007FF03FF000007FF07FE000007FF87FE000003FF8 7FE000003FF8FFC000003FFCFFC000001FFCFF8000001FFC7F0000000FF82E327DB135> 65 D<7FFFFFC00000FFFFFFFC0000FFFFFFFF0000FFFFFFFFC000FFFFFFFFE000FFFFFF FFF000FFE003FFF000FFE0007FF800FFE0003FF800FFE0001FFC00FFE0001FFC00FFE000 0FFC00FFE0000FFC00FFE0000FFC00FFE0000FFC00FFE0000FFC00FFE0001FFC00FFE000 1FF800FFE0003FF800FFE0007FF000FFE001FFE000FFFFFFFFC000FFFFFFFF8000FFFFFF FE0000FFFFFFFF8000FFFFFFFFE000FFE01FFFF800FFE0007FFC00FFE0001FFE00FFE000 0FFE00FFE00007FF00FFE00003FF00FFE00003FF80FFE00003FF80FFE00001FF80FFE000 01FF80FFE00001FF80FFE00003FF80FFE00003FF80FFE00003FF80FFE00007FF00FFE000 0FFF00FFE0001FFF00FFE0007FFE00FFFFFFFFFC00FFFFFFFFF800FFFFFFFFF000FFFFFF FFE000FFFFFFFF00007FFFFFF80000293279B135>I<00001FFF00000001FFFFE0000007 FFFFFC00001FFFFFFF00007FFFFFFF0000FFFFFFFF0001FFFFFFFF0003FFFC03FE0007FF E0007E000FFF80001E000FFE00000E001FFE000006001FFC000000003FF8000000003FF8 000000007FF8000000007FF0000000007FF0000000007FF000000000FFE000000000FFE0 00000000FFE000000000FFE000000000FFE000000000FFE000000000FFE000000000FFE0 00000000FFE000000000FFE000000000FFE000000000FFE000000000FFE000000000FFE0 000000007FF0000000007FF0000000007FF0000000007FF8000000003FF8000000003FF8 000000001FFC000000001FFE000003000FFE000007000FFF80000F0007FFE0003F0003FF FC01FF8001FFFFFFFF8000FFFFFFFF80007FFFFFFF80001FFFFFFE000007FFFFF8000001 FFFFE00000001FFF000029347CB232>I<7FC0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FF E0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FF E0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FF E0FFE0FFE0FFE07FC00B327AB118>73 D<7FFFFFC000FFFFFFF800FFFFFFFF00FFFFFFFF 80FFFFFFFFC0FFFFFFFFE0FFE003FFF0FFE0007FF0FFE0003FF8FFE0001FF8FFE0001FF8 FFE0001FFCFFE0001FFCFFE0000FFCFFE0000FFCFFE0000FFCFFE0000FFCFFE0000FFCFF E0001FFCFFE0001FFCFFE0001FF8FFE0001FF8FFE0003FF8FFE0007FF0FFE003FFF0FFFF FFFFE0FFFFFFFFC0FFFFFFFF00FFFFFFFE00FFFFFFF000FFE0000000FFE0000000FFE000 0000FFE0000000FFE0000000FFE0000000FFE0000000FFE0000000FFE0000000FFE00000 00FFE0000000FFE0000000FFE0000000FFE0000000FFE0000000FFE0000000FFE0000000 FFE0000000FFE00000007FC0000000263279B132>80 D<000FFE000000FFFFC00003FFFF F00007FFFFFC000FFFFFFF001FFFFFFF003FFFFFFF003FFFFFFF007FF803FE007FE0007E 007FC0003E00FF80000E00FF80000600FF80000000FF80000000FF80000000FFC0000000 FFE00000007FF80000007FFF8000007FFFF800003FFFFF80001FFFFFE0001FFFFFF0000F FFFFF80007FFFFFC0001FFFFFE0000FFFFFF00003FFFFF800003FFFF8000003FFFC00000 03FFC0000000FFE00000007FE00000007FE00000003FE00000003FE00000003FE0600000 3FE07800003FE07C00007FE07F00007FC07FC000FFC0FFF803FFC0FFFFFFFF80FFFFFFFF 00FFFFFFFF003FFFFFFE000FFFFFFC0003FFFFF00000FFFFC000000FFE000023347CB22C >83 D86 D<001FFC0000FFFF8003FFFFE007 FFFFF00FFFFFF80FE00FFC0F800FFC0F0007FE0E0007FE0C0007FE000007FE000007FE00 0007FE000FFFFE00FFFFFE03FFFFFE0FFF07FE1FF807FE3FF007FE7FE007FEFFC007FEFF C007FEFFC007FEFFC007FEFFC007FEFFC00FFE7FE01FFE7FF07FFE3FFFFFFE1FFFF7FE0F FFE7FE07FF87FE01FC03FC1F217EA026>97 D<001FFC0000FFFF0003FFFFC007FFFFF00F FFFFF01FFC07F03FF001F03FE000E07FE000607FE000007FC00000FFC00000FFC00000FF C00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC000007F C000007FE000087FE000383FE000783FF001F81FFC0FF80FFFFFF807FFFFF803FFFFE000 FFFF80001FF8001D217DA023>99 D<000001FE000003FF000003FF000003FF000003FF00 0003FF000003FF000003FF000003FF000003FF000003FF000003FF000003FF000003FF00 0003FF000003FF000003FF003FC3FF01FFF3FF03FFFBFF07FFFFFF0FFFFFFF1FFC0FFF3F F003FF3FE003FF7FE003FF7FE003FF7FC003FFFFC003FFFFC003FFFFC003FFFFC003FFFF C003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FF7FC003FF7FE003FF7F E003FF3FE003FF3FF007FF1FF81FFF0FFFFFFF07FFFFFF03FFFBFF01FFE3FF003F81FE20 327DB128>I<000FFC00007FFF8001FFFFE007FFFFF00FFFFFF81FFC0FF81FF003FC3FE0 03FE7FE001FE7FC001FE7FC001FFFFC000FFFFC000FFFFC000FFFFFFFFFFFFFFFFFFFFFF FFFFFFFFFFFEFF800000FFC00000FFC000007FC000007FC000007FE000003FE000063FF0 000E1FF8003E0FFE01FE0FFFFFFE03FFFFFE01FFFFF8007FFFE00007FE0020217EA025> I<0007FF80001FFF80007FFF8000FFFF8001FFFF8003FF078003FE018007FE000007FE00 0007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE00007FFFF0 00FFFFF800FFFFF800FFFFF8007FFFF00007FE000007FE000007FE000007FE000007FE00 0007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE00 0007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE00 0007FE000007FE000007FE000007FE000003FC000019327FB118>I<001FF003E000FFFE 1FF003FFFFFFF007FFFFFFF00FFFFFE1F00FF83FE0001FF01FF0001FE00FF0003FE00FF8 003FE00FF8003FE00FF8003FE00FF8003FE00FF8003FE00FF8003FE00FF8001FE00FF000 1FF01FF0000FF83FE0000FFFFFE00007FFFFC00007FFFF80000EFFFE00000E1FF000000E 000000000F000000001F800000001FFFFFC0000FFFFFFC000FFFFFFE000FFFFFFF8007FF FFFFC007FFFFFFC01FFFFFFFE03FFFFFFFE07F80007FF0FF00001FF0FF00000FF0FF0000 0FF0FF00000FF0FF00000FF07F80001FE07FC0003FE03FF000FFC01FFFFFFF800FFFFFFF 0007FFFFFE0001FFFFF800001FFF800024307FA027>I<7F800000FFC00000FFC00000FF C00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FF C00000FFC00000FFC00000FFC00000FFC00000FFC07F80FFC1FFE0FFC3FFF0FFCFFFF8FF DFFFFCFFDE0FFCFFF807FEFFF007FEFFE007FEFFE007FEFFC007FEFFC007FEFFC007FEFF C007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFF C007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFF C007FE7F8003FC1F327CB128>I<7FC0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE0FFE07FC0 00000000000000000000000000003FC07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE0 7FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE07FE0 7FE07FE07FE03FC00B337DB213>I<7F80FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FF C0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FF C0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FFC0FF C0FFC0FFC07F800A327CB113>108 D<7F803FC000FF00FFC1FFF007FFC0FFC3FFF80FFF E0FFC7FFFC1FFFF0FFCFFFFE3FFFF8FFDE07FE781FF8FFF803FFE00FFCFFF003FFC00FFC FFE003FF800FFCFFE003FF800FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFF C003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC0 03FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003 FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF 000FFCFFC003FF000FFCFFC003FF000FFCFFC003FF000FFC7F8001FE0007F836217CA03F >I<7F807F80FFC1FFE0FFC3FFF0FFCFFFF8FFDFFFFCFFDE0FFCFFF807FEFFF007FEFFE0 07FEFFE007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC0 07FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FEFFC0 07FEFFC007FEFFC007FEFFC007FEFFC007FEFFC007FE7F8003FC1F217CA028>I<000FFC 000000FFFFC00003FFFFF00007FFFFF8000FFFFFFC001FFC0FFE003FF003FF003FE001FF 007FE001FF807FE001FF807FC000FF807FC000FF80FFC000FFC0FFC000FFC0FFC000FFC0 FFC000FFC0FFC000FFC0FFC000FFC0FFC000FFC0FFC000FFC0FFC000FFC0FFC000FFC07F C000FF807FE001FF807FE001FF803FF003FF003FF003FF001FFC0FFE000FFFFFFC0007FF FFF80003FFFFF00000FFFFC000001FFE000022217EA027>I<7F81FE00FFC7FF80FFDFFF E0FFFFFFF0FFFFFFF8FFF83FF8FFE00FFCFFC00FFEFFC007FEFFC007FEFFC007FEFFC003 FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003FFFFC003 FFFFC003FFFFC007FEFFC007FEFFC007FEFFC00FFCFFE01FFCFFF03FF8FFFFFFF0FFFFFF E0FFDFFFC0FFCFFF00FFC3FC00FFC00000FFC00000FFC00000FFC00000FFC00000FFC000 00FFC00000FFC00000FFC00000FFC00000FFC00000FFC00000FFC000007F800000202F7C A028>I<7F0078FF81F8FF83F8FF87F8FF8FF8FF9FF8FFBFF8FFBF80FFFC00FFF800FFF0 00FFE000FFE000FFC000FFC000FFC000FFC000FFC000FFC000FFC000FFC000FFC000FFC0 00FFC000FFC000FFC000FFC000FFC000FFC000FFC000FFC000FFC0007F800015217CA01B >114 D<00FFC00003FFFC000FFFFF001FFFFF003FFFFF003FFFFF003F807E007F000E00 7F0006007F0000007F8000007FF000007FFF80003FFFE0003FFFF0001FFFFC000FFFFE00 07FFFE0003FFFF0000FFFF00000FFF800000FF8000003F8060003F8078003F807E003F80 FF807F00FFFFFF00FFFFFE00FFFFFE003FFFFC000FFFF00000FFC00019217EA01E>I<03 FC000007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE00007F FFFC00FFFFFE00FFFFFE00FFFFFE007FFFFC0007FE000007FE000007FE000007FE000007 FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE000007 FE000007FE000007FE000007FE000007FE000007FE000007FE000007FE010007FE030007 FF0F8003FFFF8003FFFF0001FFFE0000FFF800007F8000192A7FA91D>I119 D<7F0000FEFF8001FEFFC003FE7FC003 FE7FE003FC7FE007FC3FE007FC3FF007F81FF00FF81FF80FF80FF80FF00FF81FF007FC1F F007FC1FF007FE1FE003FE3FE003FE3FE001FE3FC001FF3FC000FF3FC000FF7F8000FF7F 80007F7F80007FFF00003FFF00003FFF00001FFE00001FFE00001FFE00000FFC00000FFC 000007FC000007F8000007F8000007F8000007F000000FF000000FF000001FE000401FE0 00F07FC000FFFFC000FFFF8000FFFF0000FFFE00007FF800001FE000001F2F7EA024> 121 D E end %%EndProlog %%BeginSetup %%Feature: *Resolution 300dpi TeXDict begin %%EndSetup %%Page: 1 1 1 0 bop Black Black Black 52 67 a Fz(V)n(erifying)25 b(Systems)g(with)h(Integer)g(Constraints)h(and)f(Bo)r(olean)394 158 y(Predicates:)34 b(A)26 b(Comp)r(osite)h(App)n(roach)339 254 y Fy(T)l(ev\014k)16 b(Bultan)152 b(Richa)o(rd)16 b(Gerb)q(er)149 b(Christopher)16 b(League)685 313 y Fx(Depa)o(rtment)f (of)e(Computer)h(Science)779 371 y(Universit)o(y)g(of)f(Ma)o(ryland)709 429 y(College)h(P)o(a)o(rk,)f(MD)h(20742,)e(USA)641 487 y Fw(f)p Fy(bultan,rich,league)p Fw(g)p Fy(@cs.umd.edu)p Black -75 642 a Fv(Abstract)-75 725 y Fu(Sym)o(b)q(olic)21 b(mo)q(del)e(c)o(hec)o(king)h(has)e(pro)o(v)o(ed)h(highly)i(successful) f(for)-75 766 y(large)14 b(\014nite-state)h(systems,)e(in)i(whic)o(h)f (states)f(can)h(b)q(e)g(compactly)-75 808 y(enco)q(ded)22 b(using)f(binary)h(decision)h(diagrams)f(\(BDDs\))f(or)f(their)-75 849 y(v)n(arian)o(ts.)30 b(The)18 b(inheren)o(t)g(limitation)i(of)d (this)h(approac)o(h)g(is)g(that)-75 891 y(it)d(cannot)h(b)q(e)f (applied)i(to)e(systems)g(with)h(an)f(in\014nite)i(n)o(um)o(b)q(er)f (of)-75 932 y(states)d({)g(ev)o(en)h(those)f(with)h(a)f(single)i(un)o (b)q(ounded)g(in)o(teger.)-75 998 y(Alternativ)o(ely)m(,)27 b(w)o(e)22 b(recen)o(tly)i(prop)q(osed)g(a)e(mo)q(del)i(c)o(hec)o(k)o (er)f(for)-75 1040 y(in)o(teger-based)e(systems)e(that)g(uses)g (Presburger)h(constrain)o(ts)g(as)-75 1081 y(the)f(underlying)i(state)e (represen)o(tation.)35 b(While)21 b(this)e(approac)o(h)-75 1123 y(easily)e(v)o(eri\014ed)f(some)f(subtle,)h(in\014nite-state)h (concurrency)g(prob-)-75 1164 y(lems,)h(it)f(pro)o(v)o(ed)h (ine\016cien)o(t)h(in)e(its)h(treatmen)o(t)f(of)f(Bo)q(olean)j(and)-75 1206 y(\(unordered\))g(en)o(umerated)f(t)o(yp)q(es)g({)f(whic)o(h)i(p)q (ossess)f(no)g(natural)-75 1247 y(mapping)d(to)e(the)g(Euclidean)j(co)q (ordinate)e(space.)-75 1313 y(In)h(this)i(pap)q(er)f(w)o(e)f(describ)q (e)i(a)e(mo)q(del)i(c)o(hec)o(k)o(er)f(whic)o(h)g(com)o(bines)-75 1354 y(the)22 b(strengths)h(of)e(b)q(oth)i(approac)o(hes.)45 b(W)m(e)22 b(use)g(a)g(comp)q(osite)-75 1396 y(mo)q(del,)g(in)f(whic)o (h)g(a)f(form)o(ula's)g(v)n(aluations)j(are)d(enco)q(ded)h(in)f(a)-75 1437 y(mixed)h(BDD-Presburger)g(form,)g(dep)q(ending)h(on)d(the)h(v)n (ariables)-75 1479 y(used.)36 b(W)m(e)19 b(demonstrate)h(our)g(tec)o (hnique's)h(e\013ectiv)o(eness)g(on)e(a)-75 1520 y(non)o(trivial)d (requiremen)o(ts)f(sp)q(eci\014cation,)h(whic)o(h)f(includes)g(a)f (mix-)-75 1562 y(ture)f(of)g(Bo)q(oleans,)h(in)o(tegers)h(and)e(en)o (umerated)h(t)o(yp)q(es.)-75 1671 y Fv(1)56 b(In)n(tro)r(duction)-75 1754 y Fu(Sym)o(b)q(olic)21 b(mo)q(del)e(c)o(hec)o(king)h(has)e(pro)o (v)o(ed)h(highly)i(successful)f(for)-75 1796 y(v)o(erifying)h(large)g (\014nite-state)g(systems)f([12,)f(20].)36 b(This)21 b(success)-75 1837 y(is)15 b(partially)j(due)d(to)g(the)f(adv)o(en)o(t) i(of)e(inno)o(v)n(ativ)o(e)j(data)e(structures)-75 1879 y(lik)o(e)d(Binary)g(Decision)h(Diagrams)g(\(or)d(BDDs\),)i(whic)o(h)f (can)g(enco)q(de)-75 1920 y(h)o(uge)h(sets)g(of)f(bit-v)o(ector)h (states)g(in)g(a)f(highly)j(compact)e(format)f([9].)-75 1962 y(A)19 b(fortunate)g(consequence)i(of)e(the)g(BDD)g(structure)h (is)g(that)f(it)-75 2003 y(immediately)h(supp)q(orts)e(e\016cien)o(t)f (Bo)q(olean-algeb)q(rai)q(c)i(op)q(erators)-75 2045 y(\(e.g.,)11 b(conjunction,)i(negation,)g(etc.\))j({)c(whic)o(h)g(also)g(happ)q(en)h (to)e(b)q(e)-75 2086 y(the)i(main)h(op)q(erators)g(used)g(in)g(sym)o(b) q(olic)h(mo)q(del)f(c)o(hec)o(king.)p Black -75 2116 401 2 v -6 2155 a(This)27 b(researc)o(h)g(is)g(supp)q(orted)h(in)f (part)f(b)o(y)h(ONR)f(gran)o(t)-75 2196 y(N00014-94-10228)13 b(and)f(NSF)f(Y)m(oung)g(In)o(v)o(estigator)i(Aw)o(ard)e(CCR-)-75 2238 y(9357850.)p Black 1025 642 a(Unfortunately)m(,)20 b(none)g(of)e(the)g(BDD-based)i(tec)o(hniques)h(can)e(b)q(e)1025 683 y(used)13 b(for)g(p)q(oten)o(tially)j(in\014nite-state)f(systems)f ({)e(ev)o(en)i(those)f(with)1025 725 y(just)21 b(one)i(un)o(b)q(ounded) h(in)o(teger.)44 b(BDDs)23 b(enco)q(de)g(all)g(underly-)1025 766 y(ing)c(datat)o(yp)q(es)h(as)f(Bo)q(olean)h(v)n(ariables;)k(hence) 19 b(all)h(BDD-based)1025 808 y(mo)q(del)e(c)o(hec)o(k)o(ers)h(inheren) o(tly)h(require)f(the)f(underlying)j(t)o(yp)q(es)d(to)1025 849 y(b)q(e)13 b(b)q(ounded.)1025 915 y(Recen)o(tly)m(,)24 b(w)o(e)c(prop)q(osed)j(a)e(mo)q(del)h(c)o(hec)o(k)o(er)g(for)f (general)h(in)o(te-)1025 956 y(ger)f(based)h(systems,)h(whic)o(h)g (uses)e(Presburger)i(constrain)o(ts)g(as)1025 998 y(its)15 b(underlying)j(state)d(represen)o(tation)i([11].)22 b(As)15 b(with)g(BDDs)h(for)1025 1039 y(Bo)q(olean)11 b(arra)o(ys,)g (Presburger)g(constrain)o(ts)h(can)e(compactly)i(repre-)1025 1081 y(sen)o(t)h(h)o(uge)h(\(ev)o(en)f(un)o(b)q(ounded\))j(sets)d(of)g (in)o(teger)h(states)f(o)o(v)o(er)g(m)o(ul-)1025 1122 y(tiple)i(dimensions.)23 b(Sp)q(eci\014cally)m(,)17 b(our)d(mo)q(del)h (c)o(hec)o(k)o(er)g(represen)o(ts)1025 1164 y(sets)j(of)h(state-v)n (aluations)j(using)e(unions)h(of)d(con)o(v)o(ex)i(p)q(olytop)q(es,)1025 1205 y(eac)o(h)c(of)g(whic)o(h)g(is)h(formed)f(b)o(y)g(a\016ne)h (constrain)o(ts)g(o)o(v)o(er)g(the)f(sys-)1025 1247 y(tem's)i(v)n (ariables.)37 b(And)19 b(lik)o(e)h(BDDs,)h(this)f(represen)o(tation)h (also)1025 1288 y(a\013ords)f(e\016cien)o(t)f(tec)o(hniques)i(for)e (carrying)h(out)g(p)q(ertinen)o(t)g(set-)1025 1330 y(theoretic)c(op)q (erations)h(\(w)o(e)d(use)i(a)f(Presburger)h(solv)o(er)h(called)g(the) 1025 1371 y(Omega)c(library)i([19,)d(21)q(])g(for)h(this)h(purp)q (ose\).)1025 1437 y(While)e(man)o(y)f(mo)q(del)h(c)o(hec)o(king)g (queries)h(are)d(undecidabl)q(e)j(for)e(gen-)1025 1478 y(eral)16 b(in\014nite-state)i(theories,)g(w)o(e)d(often)h(app)q(eal)h (to)f(conserv)n(ativ)o(e)1025 1520 y(appro)o(ximation)e(tec)o(hniques,) f(man)o(y)f(of)g(whic)o(h)g(guaran)o(tee)g(con)o(v)o(er-)1025 1561 y(gence)17 b(b)o(y)h(allo)o(wing)h(false)f(negativ)o(es.)31 b(With)18 b(this)g(approac)o(h)g(w)o(e)1025 1603 y(w)o(ere)13 b(able)i(to)f(easily)i(v)o(erify)e(some)h(non)o(trivial)h (in\014nite-state)h(pro-)1025 1645 y(grams)9 b(from)g(the)g (concurrency)i(literature.)17 b(These)9 b(programs)h(\(and)1025 1686 y(their)g(asso)q(ciated)h(form)o(ulas\))g(are)f(the)g(t)o(yp)q(e)g (usually)i(analyzed)f(with)1025 1728 y(hand)k(pro)q(ofs,)f(due)h(to)f (the)g(subtle)h(w)o(a)o(y)f(their)h(in\014nite-state)h(v)n(ari-)1025 1769 y(ables)e(in\015uence)h(their)f(con)o(trol)g(\015o)o(w.)1025 1835 y(Ho)o(w)o(ev)o(er,)c(our)h(Presburger)g(tec)o(hnique)h(pro)o(v)o (ed)g(ill-suited)h(for)d(han-)1025 1876 y(dling)j(Bo)q(olean)h(and)f (\(unordered\))g(en)o(umerated)g(t)o(yp)q(es.)k(When)c(all)1025 1918 y(state)j(sets)g(are)g(represen)o(ted)h(as)f(Presburger)i (constrain)o(t)f(expres-)1025 1959 y(sions,)e(all)g(Bo)q(olean)g(v)n (ariables)i(end)d(up)g(getting)h(mapp)q(ed)g(to)f(in)o(te-)1025 2001 y(gers)h({)g(whic)o(h)h(ends)f(up)h(b)q(eing)g(extremely)h(w)o (asteful.)23 b(Since)17 b(pro-)1025 2042 y(grams)12 b(usually)i (include)h(man)o(y)d(suc)o(h)h(v)n(ariables,)h(and)f(since)g(mo)q(del) 1025 2084 y(c)o(hec)o(k)o(ers)21 b(often)f(generate)h(large)h(sets)e (of)g(states,)i(this)g(w)o(astage)1025 2125 y(quic)o(kly)h(adds)f(up)g (to)f(a)h(ma)r(jor)f(obstacle.)44 b(Also,)23 b(while)g(b)q(oth)1025 2167 y(Bo)q(olean)13 b(and)g(Presburger)g(logics)h(a\013ord)e(compact)h (enco)q(dings)h(for)1025 2208 y(sets)j(of)g(v)n(aluations)i(formed)e(o) o(v)o(er)h(their)g(op)q(erators,)g(there)g(is)f(no)1025 2250 y(natural)h(mapping)i(b)q(et)o(w)o(een)d(them)h(whic)o(h)g (preserv)o(es)h(this)f(com-)1025 2291 y(pactness.)23 b(Consider,)16 b(for)f(example,)h(a)f(set)g(of)g(a\016ne)g(constrain)o (ts)1025 2333 y(o)o(v)o(er)h Ft(n)g Fu(in)o(tegers,)i(whic)o(h)f (compactly)h(describ)q(es)g(all)f(states)g(lying)1025 2374 y(within)12 b(some)g Ft(n)p Fu(-dimensional)j(p)q(olytop)q(e.)j (The)11 b(b)q(ene\014t)h(of)g(this)g(en-)1025 2416 y(co)q(ding)h (extends)f(directly)h(from)f(the)f(expressiv)o(eness)j(of)d(the)h (arith-)1025 2457 y(metic)g(inequali)q(t)o(y)j(op)q(erators)e({)g(whic) o(h)g(are)g(useless)h(o)o(v)o(er)e(2-v)n(alued)1025 2499 y(domains)h(lik)o(e)g(Bo)q(oleans,)h(and)f(marginally)i(less)d(so)g (for)g(small)i(en)o(u-)1025 2540 y(merated)h(t)o(yp)q(es)h(lik)o(e)g Fs(f)p Ft(r)q(ed;)7 b(g)q(r)q(een;)g(bl)q(ue)p Fs(g)p Fu(.)24 b(Unfortunately)m(,)16 b(these)1025 2582 y(are)11 b(exactly)i(the)e(datat)o(yp)q(es)i(often)f(used)g(for)f(describing)j (mo)q(des)e(in)1025 2623 y(requiremen)o(ts)i(sp)q(eci\014cations.)1025 2689 y(In)i(this)i(pap)q(er)f(w)o(e)f(describ)q(e)i(our)f(solution)i (to)e(this)g(problem,)i(in)p Black 965 3011 a(1)p Black eop %%Page: 2 2 2 1 bop Black Black -75 42 a Fu(the)19 b(form)g(of)g(a)g(mo)q(del)h(c)o (hec)o(k)o(er)f(whic)o(h)h(com)o(bines)h(the)e(relativ)o(e)-75 83 y(strengths)e(of)g(b)q(oth)g(BDDs)g(and)g(Presburger)h(form)o(ulas.) 28 b(Sp)q(ecif-)-75 125 y(ically)m(,)21 b(w)o(e)c(use)h(a)g(comp)q (osite)h(mo)q(del)g(to)e(represen)o(t)i(a)f(form)o(ula's)-75 166 y(v)n(aluations)h({)d(whic)o(h)i(are)e(enco)q(ded)i(using)g(tuples) f(of)f(BDDs)i(and)-75 208 y(a\016ne)e(constrain)o(ts,)h(dep)q(ending)i (on)c(the)h(v)n(ariables)i(app)q(earing)g(in)-75 249 y(the)13 b(sub-form)o(ulas.)-75 315 y(The)k(k)o(ey)g(to)f(our)h(framew) o(ork)g(rests)g(on)g(some)g(fundamen)o(tal)h(ob-)-75 356 y(serv)n(ations.)43 b(Giv)o(en)22 b(a)f(system)h(whose)f(state)g (transformations)-75 398 y(\(and)k(requiremen)o(ts\))h(exclude)h(\(1\)) d(arbitrary)i(functions)g(o)o(v)o(er)-75 439 y(mixed)21 b(t)o(yp)q(es,)h(and)e(\(2\))g(t)o(yp)q(e-co)q(ersions)i(\(e.g.,)e(to)g (allo)o(w)h(using)-75 481 y(Bo)q(oleans)15 b(in)f(arithmetic)h(op)q (erators\),)f(w)o(e)f(\(a\))g(orthogonally)j(par-)-75 522 y(tition)i(the)e(system's)h(state-space)g(in)o(to)g(sets)f(of)g (conjuncts,)i(eac)o(h)-75 564 y(of)f(whic)o(h)i(con)o(tain)g(a)e(Bo)q (olean)j(part)e(and)g(an)g(in)o(teger)g(part;)i(\(b\))-75 605 y(manipulate)14 b(a)e(Bo)q(olean)i(state)e(and)g(its)h (transformation)g(indep)q(en-)-75 647 y(den)o(tly)m(,)h(without)h(in)o (terference)f(from)g(the)f(in)o(teger)i(part)e(\(and)h(vice)-75 688 y(v)o(ersa\);)d(and)f(also)h(\(c\))e(use)i(seman)o(tically)h(sound) f(rules)g(for)e(handling)-75 730 y(the)k(logical)j(connectiv)o(es)e (that)g(in)o(v)o(olv)o(e)h(m)o(ultiple)g(t)o(yp)q(es.)-75 795 y(In)g(formal)g(terms,)g(this)h(partitioning)i(allo)o(ws)e (pre-image)g(compu-)-75 837 y(tations)j(to)e(distribute)i(across)f(the) g(conjunction)h(op)q(erator.)31 b(W)m(e)-75 878 y(exploit)15 b(this)f(prop)q(ert)o(y)f(in)h(our)f(implemen)o(tation)q(,)i(whic)o(h)f (is)f(struc-)-75 920 y(tured)j(in)h(a)e(la)o(y)o(ered)i(class)g (hierarc)o(h)o(y)m(.)26 b(The)16 b(foundation)h(is)f(com-)-75 961 y(p)q(osed)h(of)f(t)o(w)o(o)f(large)i(libraries)i(for)d(enco)q (ding)i(t)o(yp)q(e-sp)q(eci\014c)g(con-)-75 1003 y(strain)o(ts,)11 b(and)f(their)g(asso)q(ciated)h(set-theoretic)g(op)q(erations.)17 b(While)-75 1045 y(b)q(oth)j(share)f(a)g(similar)i(API,)e(one)g(of)g (them)g(\(our)g(BDD)h(imple-)-75 1086 y(men)o(tation\))c(is)e(used)h (exclusiv)o(ely)j(for)13 b(Bo)q(olean)j(and)f(en)o(umerated)-75 1128 y(t)o(yp)q(es,)d(while)g(the)f(other)g(is)h(the)f(Omega)g(library) m(,)i(used)f(for)e(in)o(teger-)-75 1169 y(v)n(alued)21 b(v)n(ariables)g(and)f(their)g(constrain)o(ts.)37 b(A)o(t)18 b(the)h(next)h(lev)o(el)-75 1211 y(is)h(our)f(comp)q(osite-mo)q(del)i (library)m(,)i(whic)o(h)c(handles)i(op)q(erations)-75 1252 y(o)o(v)o(er)11 b(mixed-t)o(yp)q(e)i(constrain)o(ts)g(\(e.g.,)d (set-inclusion)q(,)j(in)o(tersection,)-75 1294 y(etc.\);)18 b(in)g(turn,)g(these)f(op)q(erations)i(in)o(v)o(ok)o(e)f(their)g(relev) n(an)o(t)g(t)o(yp)q(e-)-75 1335 y(sp)q(eci\014c)j(coun)o(terparts)f(to) g(help)g(carry)g(out)f(the)h(desired)g(e\013ect.)-75 1377 y(A)o(t)e(the)h(topmost)h(lev)o(el)g(is)g(the)f(mo)q(del)h(c)o (hec)o(k)o(er's)f(class)h(library)m(,)-75 1418 y(whic)o(h)12 b(imp)q(orts)h(the)f(comp)q(osite-mo)q(del)i(op)q(erations,)f(and)f (exp)q(orts)-75 1460 y(functions)f(for)e(parsing,)j(comp)q(osition,)g (reac)o(habilit)o(y)g(analysis,)h(and)-75 1501 y(liv)o(eness)e(tests.) 16 b(Our)10 b(approac)o(h)g(to)g(mixed)g(constrain)o(ts)h({)e(and)h (their)-75 1543 y(orthogonal)15 b(implemen)o(tation)q(s)h({)d(will)i (hop)q(efully)g(allo)o(w)g(us)e(to)g(ex-)-75 1584 y(pand)h(to)f (additional)j(datat)o(yp)q(es)e(in)g(the)f(future.)-75 1650 y(In)21 b(the)f(sequel,)k(w)o(e)c(demonstrate)i(our)e(results)i (using)g(an)f(\\en-)-75 1691 y(hanced")14 b(v)o(ersion)g(of)f(a)f(kno)o (wn)h(SCR)g(sp)q(eci\014cation,)j(whic)o(h)d(states)-75 1733 y(the)26 b(requiremen)o(ts)h(for)f(a)f(reactor's)h(w)o(ater)f (pressure)i(system)-75 1774 y([7,)9 b(16)q(,)g(18)q(].)15 b(The)10 b(underlying)j(mo)q(del)f(con)o(tains)f(a)f(go)q(o)q(d)h (mixture)h(of)-75 1816 y(Bo)q(oleans,)18 b(un)o(b)q(ounded)g(in)o (tegers)f(and)f(en)o(umerated)h(t)o(yp)q(es,)g(eac)o(h)-75 1857 y(of)h(whic)o(h)g(retain)h(their)g(exact)f(seman)o(tic)h(in)o (terpretation)h(in)f(our)-75 1899 y(comp)q(osite)c(mo)q(del)f(c)o(hec)o (k)o(er.)k(Sp)q(eci\014call)q(y)m(,)e(this)e(means)g(that)f(dur-)-75 1940 y(ing)h(automated)f(analysis)i(c)o(hec)o(ks,)e(imp)q(ortan)o(t)h (in)o(teger)f(v)n(alues)h(get)-75 1982 y(propagated)d(through)f(the)g (system's)f(transitions)j({)d(along)h(with)g(the)-75 2023 y(relev)n(an)o(t)17 b(\(b)q(ounded\))h(v)n(alues)g(for)e(mo)q(des) h(and)f(conditions.)30 b(This)-75 2065 y(allo)o(ws)10 b(us)g(to)f(fully)h(in)o(terpret)g(in)o(teger-v)n(alued)i(functions)e (and)g(pred-)-75 2106 y(icates)15 b(app)q(earing)i(in)e(an)g(SCR)g(sp)q (eci\014cation;)i(hence,)f(the)e(mo)q(del)-75 2148 y(c)o(hec)o(k)o(er)g (automatically)i(deduces)e(inferences)g(suc)o(h)g(as:)47 2224 y(\(temp)d Ft(>)f Fu(High)24 b Fs( )-6 b(!)24 b Fu(Alarm)q(\))85 2266 y Fs(!)g Fu(\()p Fs(9)13 b Fu(x)e Ft(<)f Fu(0)h(::)f(temp)f(+)f(x)j(=)g(High)h Fs(!)f Fu(Alarm\))p Ft(:)-75 2344 y Fu(With)17 b(this)g(capabilit)o(y)m(,)i(w)o(e)c(need)i (not)f(map)g(SCR)g(in)o(teger)h(predi-)-75 2385 y(cates)d(to)f(Bo)q (olean)i(literals)h(\(e.g.,)d(as)g(in)i([3,)e(4,)g(5,)g(13]\);)g(moreo) o(v)o(er,)-75 2427 y(for)f(our)h(mo)q(del)g(c)o(hec)o(k)o(er)g(this)g (t)o(yp)q(e)f(of)g(inference)i(comes)e(at)h(no)f(ad-)-75 2468 y(ditional)i(cost.)i(Finally)m(,)e(our)d(framew)o(ork)g(allo)o(ws) h(us)f(to)g(test)g(mixed)-75 2510 y(in)o(teger-Bo)q(olean)18 b(en)o(vironmen)o(tal)h(h)o(yp)q(otheses.)26 b(These)16 b(tests)g(in-)-75 2551 y(v)o(olv)o(e)c(queries)g(on)f(p)q(ossible)j (feedbac)o(k)d(relationship)q(s)j(b)q(et)o(w)o(een)d(v)n(al-)-75 2593 y(ues)k(con)o(v)o(ey)o(ed)i(to)e(actuators)h(\(i.e.,)f(\\con)o (trolled)i(v)n(ariables"\))h(and)-75 2634 y(subsequen)o(t)c(samples)f (on)g(sensors)g(\(i.e.,)e(\\monitored)j(v)n(ariables"\).)-75 2700 y(There)20 b(has)g(b)q(een)g(signi\014can)o(t)i(w)o(ork)e(in)g (using)h(mo)q(del)g(c)o(hec)o(king)1025 42 y(to)15 b(v)o(erify)h (tabular-st)o(yle)i(SCR)e(requiremen)o(ts.)26 b(In)15 b([5])g(A)o(tlee)h(and)1025 83 y(Gannon)e(mapp)q(ed)h(queries)g(ab)q (out)f(SCR)g(mo)q(de-transition)i(tables)1025 125 y(to)g(the)h(MCB)f (mo)q(del)i(c)o(hec)o(k)o(er,)f(whic)o(h)h(uses)f(explicit)i(state)e (en)o(u-)1025 166 y(meration)d(as)g(its)g(underlying)i(represen)o (tation.)21 b(Later,)13 b(A)o(tlee)h(and)1025 208 y(Buc)o(kley)20 b(impro)o(v)o(ed)g(this)f(pro)q(cess,)h(b)o(y)f(using)h(SMV)f([4)o(])f (for)h(the)1025 249 y(same)14 b(purp)q(ose.)23 b(Since)16 b(SMV)f(is)g(a)f Fr(symb)n(olic,)g(BDD-b)n(ase)n(d)f(mo)n(del)1025 291 y(che)n(cker)p Fu(,)k(it)i(generates)h(more)e(e\016cien)o(t)i(enco) q(dings)h(of)d(the)h(SCR)1025 332 y(state)11 b(space,)h(whic)o(h)g(mak) o(es)g(it)g(p)q(ossible)h(to)f(c)o(hec)o(k)f(larger)i(systems.)1025 374 y(The)g(same)h(to)q(ol)h(w)o(as)e(also)i(used)f(to)g(analyze)h (parts)f(of)f(the)h(RSML)1025 415 y(sp)q(eci\014cation)21 b(of)e(the)g(TCAS)f(I)q(I)g(system)i([3].)34 b(The)18 b(main)i(di\016-)1025 457 y(cult)o(y)13 b(in)h(using)g(SMV)f(for)f(c)o (hec)o(king)i(requiremen)o(ts)h(sp)q(eci\014cations)1025 498 y(seems)c(to)h(b)q(e)g(that)f(ev)o(ery)h(v)n(ariable)i(gets)e (represen)o(ted)h(in)f(the)g(same)1025 540 y(sym)o(b)q(olic)19 b(format,)e(namely)h(BDDs.)30 b(This)18 b(can)f(easily)i(result)f(in) 1025 581 y(ine\016cien)o(t)f(enco)q(dings)g(of)e(totally-ordered)i(v)n (ariables;)i(moreo)o(v)o(er,)1025 623 y(the)10 b(resulting)i(n)o(um)o (b)q(er)f(of)f(BDD)h(no)q(des)g(\(not)f(to)g(men)o(tion)h(their)g(in-) 1025 664 y(heren)o(t)f(\014niteness\))h(often)f(mak)o(es)h(v)o (eri\014cation)h(un)o(tenable,)g(at)e(least)1025 706 y(without)j(h)o(uman-guided)j(abstractions.)1025 771 y(In)e([13],)g(Chan)h Fr(et)g(al.)21 b Fu(rep)q(ort)15 b(that)g(represen)o(ting)i(in)o(tegers)e(using)1025 813 y(bit)o(wise)20 b(BDD)f(represen)o(tations)i(is)e(not)h(e\016cien)o(t)f (when)g(the)g(in-)1025 854 y(put)14 b(system)g(con)o(tains)i (non-linear)g(constrain)o(ts.)21 b(They)14 b(presen)o(t)h(a)1025 896 y(tec)o(hnique)g(in)g(whic)o(h)g(\(b)q(oth)f(linear)i(and)f (non-linear\))h(constrain)o(ts)1025 937 y(are)d(mapp)q(ed)h(to)g(BDD)g (v)n(ariables)h(\(similar)h(represen)o(tations)f(w)o(ere)1025 979 y(also)g(used)h(in)f([4,)f(5]\).)22 b(These)15 b(constrain)o(ts)h (are)f(used)g(for)g(sp)q(ecify-)1025 1020 y(ing)h(guarding)i (conditions)h(of)c(transitions.)28 b(A)15 b(constrain)o(t)j(solv)o(er) 1025 1062 y(is)h(used)h(during)h(mo)q(del)f(c)o(hec)o(king)h (computations)g(\(in)f(conjunc-)1025 1103 y(tion)e(with)g(SMV\))f(to)g (prune)h(infeasible)i(com)o(binations)g(of)d(these)1025 1145 y(constrain)o(ts.)j(Although)c(this)e(tec)o(hnique)i(is)e(capable) h(of)f(handling)1025 1186 y(non-linear)e(constrain)o(ts,)h(it)e(is)g (restricted)h(to)e(systems)h(where)g(tran-)1025 1228 y(sitions)17 b(are)e(either)h Fr(data-memoryless)c Fu(\(i.e.,)j(next)g (state)h(v)n(alue)g(of)1025 1269 y(a)d(data)g(v)n(ariable)j(do)q(es)e (not)f(dep)q(end)i(on)e(its)h(curren)o(t)g(state)f(v)n(alue\),)1025 1311 y(or)18 b Fr(data-invarian)o(t)e Fu(\(i.e.,)k(data)f(v)n(ariables) i(remain)f(unc)o(hanged\).)1025 1352 y(Hence,)c(ev)o(en)h(a)f (transition)j(whic)o(h)e(incremen)o(ts)h(a)e(v)n(ariable)i(\(i.e.,)1025 1394 y Ft(x)1047 1378 y Fq(0)1076 1394 y Fu(=)h Ft(x)12 b Fu(+)g(1\))18 b(is)g(ruled)h(out.)32 b(It)18 b(is)h(rep)q(orted)f(in) h([13])f(that)g(this)1025 1436 y(restriction)g(is)f(partly)g(motiv)n (ated)h(b)o(y)e(the)h(seman)o(tics)g(of)g(RSML,)1025 1477 y(and)e(it)h(allo)o(ws)h(mo)q(deling)g(of)e(a)h(signi\014can)o(t)i (p)q(ortion)f(of)e(TCAS)f(I)q(I)1025 1519 y(system.)1025 1584 y(In)23 b([7])g(Bharadw)o(a)r(j)i(and)f(Heitmey)o(er)h(used)f(the) g(SPIN)g(mo)q(del)1025 1626 y(c)o(hec)o(k)o(er)e(to)h(analyze)h(b)q (eha)o(viors)g(of)e(SCR)h(sp)q(eci\014cations)i(as)e(a)1025 1667 y(whole,)15 b(including)i(all)f(conditions)h(and)e(ev)o(en)o(ts,)g (as)g(w)o(ell)g(as)f(mo)q(de)1025 1709 y(transition)21 b(tables.)37 b(But)19 b(since)i(SPIN)e(relies)i(on)e(a)h (\014nite-state)1025 1750 y(mo)q(del)12 b(\(lik)o(e)g(SMV\),)e(it)i (can)f(not)g(c)o(hec)o(k)h(systems)f(with)g(un)o(b)q(ounded)1025 1792 y(v)n(ariables.)18 b(And)11 b(indeed,)i(in)f(most)f(of)g(the)g(ab) q(o)o(v)o(emen)o(tioned)j(w)o(ork,)1025 1833 y(abstraction)e(tec)o (hniques)h(w)o(ere)d(used)i(to)e(simplify)k(the)c(systems)i(b)q(e-)1025 1875 y(ing)f(analyzed.)18 b(Although)12 b(w)o(e)e(b)q(eliev)o(e)i(that) f(abstraction)h(is)f(b)q(ound)1025 1916 y(to)k(pla)o(y)i(a)e(k)o(ey)h (role)g(in)g(an)o(y)g(automated)h(analysis)g(tec)o(hnique,)h(in)1025 1958 y(some)c(cases)g(it)h(can)f(b)q(e)g(a)o(v)o(oided)i(b)o(y)e(using) i(sym)o(b)q(olic)g(represen)o(ta-)1025 1999 y(tions)i Fr(which)f(c)n(an)g(c)n(aptur)n(e)f(the)h(inher)n(ent)f(pr)n(op)n (erties)g(of)h(the)g(un-)1025 2041 y(derlying)f(typ)n(es)p Fu(.)29 b(Under)19 b(certain)g(situations,)i(using)e(arithmetic)1025 2082 y(constrain)o(ts)g(pro)o(vides)h(an)e(opp)q(ortunit)o(y)i(to)e(in) o(v)o(estigate)i(general)1025 2124 y(prop)q(erties)13 b(of)e(in)o(teger)i(v)n(ariables,)h(without)f(abstracting)g(their)g(b)q (e-)1025 2165 y(ha)o(vior)h(or)f(b)q(ounding)j(their)d(domains.)1025 2231 y(Other)33 b(state-enco)q(dings)k(ha)o(v)o(e)d(b)q(een)g(explored) i(for)e(mo)q(del)1025 2272 y(c)o(hec)o(king)15 b(in)g(v)n(arious)h (domains,)f(and)g(w)o(e)f(note)g(some)g(of)g(these)g(ef-)1025 2314 y(forts)j(here.)31 b(F)m(or)17 b(example)i(Alur)g Fr(et)e(al.)30 b Fu(used)18 b(arithmetic)i(con-)1025 2355 y(strain)o(ts)15 b(on)g(real)h(v)n(ariables)h(to)d(c)o(hec)o(k)h (prop)q(erties)i(of)d(h)o(ybrid)j(sys-)1025 2397 y(tems)f([1,)g(2)q(].) 27 b(Other)17 b(recen)o(t)g(results)h(deal)g(with)f(analyzing)j(par-) 1025 2439 y(ticular)15 b(systems,)e(e.g.,)g(for)g(systems)h(with)g(FIF) o(O)f(queues)h(\(Queue)1025 2480 y(Decision)19 b(Diagrams)f([8]\),)f (for)f(sim)o(ultaneous)k(con)o(trol/datapath)1025 2522 y(v)o(eri\014cation)12 b(in)f(VLSI)f(domains)i(\(Binary)f(Momen)o(t)g (Diagrams)g([10])1025 2563 y(and)g(Hybrid)h(Decision)h(Diagrams)f ([15]\),)e(etc.)17 b(Again,)11 b(our)g(prelim-)1025 2605 y(inary)16 b(results)g(suggest)h(that)e(w)o(e)g(could)h(p)q(oten)o (tially)j(com)o(bine)d(all)1025 2646 y(these)c(sym)o(b)q(olic)j (represen)o(tations)f(in)f(one)g(comp)q(osite)h(represen)o(ta-)1025 2688 y(tion.)p Black Black eop %%Page: 3 3 3 2 bop Black Black Black Black Black Black Black 161 28 a Fp(Constan)o(ts:)263 b Fo(min)p Fn(,)11 b Fo(low)p Fn(,)f Fo(high)p Fn(,)h Fo(toohigh)p Fn(,)e Fo(max)h Fn(:)16 b(In)o(teger)161 67 y Fp(Monitored)e(V)m(ariables:)75 b Fo(WP1,)17 b(WP2,)f(WP3)p Fn(:)e(In)o(teger;)613 106 y Fo(Block,)i(Reset)10 b Fn(:)15 b Fm(f)d Fo(On,)k(Off)11 b Fm(g)161 146 y Fp(Con)o(trolled)j(v)n(ariables:)83 b Fo(Inject,)16 b(Damp)10 b Fn(:)15 b Fm(f)d Fo(On)17 b(Off)10 b Fm(g)161 185 y Fp(T)m(erms:)329 b Fo(Overridden)9 b Fn(:)15 b(Bo)q(olean)161 225 y Fp(Mo)q(de)f(Class:)234 b Fo(Pressure)9 b Fn(:)16 b Fm(f)11 b Fo(TooLow)p Fn(,)f Fo(Low)p Fn(,)g Fo(High)p Fn(,)g Fo(TooHigh)g Fm(g)p Fn(;)161 264 y Fp(Initial)k(Conditions:)128 b Fo(Block,)16 b(Reset,)f(Inject,)h(Damp)10 b Fn(=)i Fo(Off)p Fn(;)613 304 y Fo(Overridden)d Fn(=)j Fo(False)p Fn(;)613 343 y Fo(Pressure)d Fn(=)k Fo(Low)p Fn(;)613 383 y Fo(low)e Fl(<)h Fo(WP1)p Fn(,)f Fo(WP2)p Fn(,)f Fo(WP3)h Fl(<)h Fo(high)p Fn(;)613 422 y Fo(min)f Fl(<)h Fo(low)f Fl(<)h Fo(high)f Fl(<)h Fo(toohigh)d Fl(<)j Fo(max)p Fn(;)p 58 452 1823 2 v 57 505 2 53 v 92 493 a(CTLo)o(w)257 474 y Fk(def)264 493 y Fn(=)58 b(\()p Fo(WP1)p Fn(,)10 b Fo(WP2)h Fl(<)h Fo(low)p Fn(\))e(OR)j(\()p Fo(WP1)p Fn(,)d Fo(WP3)h Fl(<)h Fo(low)p Fn(\))e(OR)i(\()p Fo(WP2)p Fn(,)f Fo(WP3)f Fl(<)i Fo(low)p Fn(\))p 1879 505 V 57 557 V 118 545 a(CLo)o(w)257 526 y Fk(def)264 545 y Fn(=)58 b(\()p Fo(low)10 b Fm(\024)j Fo(WP1)p Fn(,)d Fo(WP2)h Fl(<)h Fo(high)p Fn(\))e(OR)i(\()p Fo(low)f Fm(\024)h Fo(WP1)p Fn(,)e Fo(WP3)h Fl(<)h Fo(high)p Fn(\))e(OR)i(\()p Fo(low)f Fm(\024)h Fo(WP2)p Fn(,)e Fo(WP3)h Fl(<)h Fo(high)p Fn(\))p 1879 557 V 57 609 V 108 598 a(CHigh)257 578 y Fk(def)264 598 y Fn(=)58 b(\()p Fo(high)10 b Fm(\024)i Fo(WP1)p Fn(,)f Fo(WP2)f Fl(<)j Fo(toohigh)p Fn(\))c(OR)j(\()p Fo(high)e Fm(\024)i Fo(WP1)p Fn(,)e Fo(WP3)h Fl(<)h Fo(toohigh)p Fn(\))d(OR)k(\()p Fo(high)d Fm(\024)i Fo(WP2)p Fn(,)e Fo(WP3)h Fl(<)h Fo(toohigh)p Fn(\))p 1879 609 V 57 662 V 83 650 a(CTHigh)257 631 y Fk(def)264 650 y Fn(=)58 b(\()p Fo(toohigh)9 b Fm(\024)j Fo(WP1)p Fn(,)f Fo(WP2)p Fn(\))f(OR)i(\()p Fo(toohigh)d Fm(\024)j Fo(WP1)p Fn(,)f Fo(WP3)p Fn(\))f(OR)i(\()p Fo(toohigh)d Fm(\024)k Fo(WP2)p Fn(,)d Fo(WP3)p Fn(\))p 1879 662 V 58 664 1823 2 v 175 685 700 2 v 174 725 2 40 v 200 713 a Fp(Old)j(Mo)q(de)p 404 725 V 50 w(Ev)o(en)o(t)p 630 725 V 123 w(New)g(Mo)q(de)p 874 725 V 175 726 700 2 v 174 766 2 40 v 281 754 a Fn({)p 404 766 V 130 w Fo(@T\(CTLow\))p 630 766 V 65 w(TooLow)p 874 766 V 175 767 700 2 v 174 807 2 40 v 281 795 a Fn({)p 404 807 V 130 w Fo(@T\(CLow\))p 630 807 V 83 w(Low)p 874 807 V 175 808 700 2 v 174 848 2 40 v 281 836 a Fn({)p 404 848 V 130 w Fo(@T\(CHigh\))p 630 848 V 65 w(High)p 874 848 V 175 850 700 2 v 174 889 2 40 v 281 877 a Fn({)p 404 889 V 130 w Fo(@T\(CTHigh\))p 630 889 V 47 w(TooHigh)p 874 889 V 175 891 700 2 v 925 682 850 2 v 924 721 2 40 v 1005 709 a Fp(Mo)q(de)p 1186 721 V 315 w(Ev)o(en)o(ts)p 1774 721 V 925 723 850 2 v 924 762 2 40 v 1020 751 a Fo(High)p 1186 762 V 204 w Fn(F)m(alse)p 1482 762 V 167 w Fo(@T\(InMode)o(\))p 1774 762 V 925 764 850 2 v 924 803 2 40 v 950 792 a(TooLow,)i(Low,)p 1186 803 V 66 w(@T\(Block=O)o (n\))p 1482 803 V 64 w(@T\(InMode\))8 b Fn(OR)p 1774 803 V 924 843 V 994 831 a Fo(TooHigh)p 1186 843 V 91 w(WHEN)16 b(Reset=Off)p 1482 843 V 62 w(@T\(Reset=O)o(n\))p 1774 843 V 925 845 850 2 v 925 853 V 924 892 2 40 v 969 880 a Fn(Ov)o(erridden)p 1186 892 V 155 w(T)m(rue)p 1482 892 V 219 w(F)m(alse)p 1774 892 V 925 894 850 2 v 163 935 770 2 v 162 975 2 40 v 225 963 a Fp(Mo)q(de)p 388 975 V 238 w(Conditions)p 932 975 V 163 976 770 2 v 162 1016 2 40 v 188 1004 a Fo(Low,)g(High,)p 388 1016 V 100 w Fn(T)m(rue)p 614 1016 V 197 w(F)m(alse)p 932 1016 V 162 1055 V 214 1043 a Fo(TooHigh)p 388 1055 V 614 1055 V 932 1055 V 163 1057 770 2 v 162 1096 2 40 v 223 1084 a(TooLow)p 388 1096 V 83 w(Overridden)p 614 1096 V 46 w Fn(NOT)d Fo(Overridden)p 932 1096 V 163 1098 770 2 v 163 1106 V 162 1146 2 40 v 223 1134 a(Inject)p 388 1146 V 145 w(Off)p 614 1146 V 226 w(On)p 932 1146 V 163 1147 770 2 v 982 935 806 2 v 981 975 2 40 v 1062 963 a Fp(Mo)q(de)p 1243 975 V 256 w(Conditions)p 1787 975 V 982 976 806 2 v 981 1016 2 40 v 1007 1004 a Fo(TooLow,)i(Low,)p 1243 1016 V 101 w Fn(T)m(rue)p 1469 1016 V 197 w(F)m(alse)p 1787 1016 V 981 1055 V 1078 1043 a Fo(High)p 1243 1055 V 1469 1055 V 1787 1055 V 982 1057 806 2 v 981 1096 2 40 v 1051 1084 a(TooHigh)p 1243 1096 V 92 w(Overridde)o(n)p 1469 1096 V 47 w Fn(NOT)e Fo(Overridden)p 1787 1096 V 982 1098 806 2 v 982 1106 V 981 1146 2 40 v 1078 1134 a(Damp)p 1243 1146 V 180 w(Off)p 1469 1146 V 227 w(On)p 1787 1146 V 982 1147 806 2 v Black 397 1260 a Fj(Figure)h(1:)20 b(SCR)14 b(Sp)q(eci\014cation)f(of)h(the)h(Safet)o(y)g(Injection)d (System.)p Black Black -75 1392 a Fu(The)j(remainder)i(of)d(this)i(pap) q(er)g(is)g(organized)h(as)e(follo)o(ws.)24 b(First,)-75 1434 y(w)o(e)11 b(in)o(tro)q(duce)i(our)e(motiv)n(ating)i(SCR)e (example,)i(and)f(explain)h(ho)o(w)-75 1475 y(w)o(e)i(enhanced)h(its)g (b)q(eha)o(vior)h(to)e(mak)o(e)g(the)g(v)o(eri\014cation)j(problem)-75 1517 y(more)g(c)o(hallenging.)34 b(Then,)19 b(w)o(e)f(discuss)h(our)f (comp)q(osite)h(mo)q(del)-75 1558 y(represen)o(tation,)13 b(and)f(sho)o(w)g(ho)o(w)f(w)o(e)g(translate)h(the)g(SCR)f(require-)-75 1600 y(men)o(ts)19 b(in)o(to)g(our)g(underlyin)q(g)i(transition)g (language.)36 b(Next,)20 b(w)o(e)-75 1641 y(sho)o(w)12 b(ho)o(w)g(our)g(sym)o(b)q(olic)i(mo)q(del)f(c)o(hec)o(k)o(er)g(w)o (orks)f(in)g(general,)i(and)-75 1683 y(also)k(the)e(results)i(it)f(ac)o (hiev)o(ed)i(for)d(the)h(SCR)f(sp)q(eci\014cation)q(.)30 b(W)m(e)-75 1724 y(conclude)15 b(with)f(some)f(remarks)h(on)f(the)h (results,)g(and)g(outline)h(our)-75 1766 y(future)e(researc)o(h)h (directions.)-75 1891 y Fv(2)56 b(An)19 b(Example:)j(Safet)n(y)d (Injection)9 1949 y(System)-75 2036 y Fu(As)13 b(an)h(example,)h(w)o(e) f(analyze)h(the)f(requiremen)o(ts)h(for)e(a)h(reactor's)-75 2077 y(co)q(oling)22 b(system;)i(this)d(example)h(w)o(as)e(adapted)h (from)f(previous)-75 2119 y(sp)q(eci\014cations)f(in)d([7,)f(16,)g(18)q (])g({)g(and)h(in)h(fact,)e(w)o(e)g(tak)o(e)h(a)g(sup)q(er-)-75 2160 y(set)f(of)f(these)h(requiremen)o(ts,)i(as)e(w)o(ell)g(as)g(add)g (a)g(few)f(of)h(our)g(o)o(wn.)-75 2202 y(The)e(target)h(application)j (is)d(called)h(an)f(\\Engineered)i(Safet)o(y)e(F)m(ea-)-75 2243 y(ture)i(Actuation)g(System,")h(for)e(a)g(PWR)h(Nuclear)g(P)o(o)o (w)o(er)g(Plan)o(t.)-75 2285 y(It)f(basically)j(functions)e(as)g(a)f (feedbac)o(k)h(lo)q(op:)22 b(its)16 b(sensors)g(moni-)-75 2326 y(tor)c(the)h(co)q(olan)o(t)h(system's)f(w)o(ater)f(pressure)h (via)h(three)f(redundan)o(t)-75 2368 y(c)o(hannels.)25 b(When)16 b(the)g(pressure)g(is)f(determined)i(to)e(fall)h(b)q(elo)o(w) g(a)-75 2409 y(certain)e(threshold,)g(the)e(pro)q(cessor)i(con)o(v)o (eys)f(signals)i(to)e(pressure-)-75 2451 y(con)o(trol)i(actuators)g (with)f(the)g(ob)r(jectiv)o(e)h(of)f(increasing)j(it)d(\(this)h(is)-75 2492 y(called)g(\\safet)o(y)e(injection"\).)20 b(Ho)o(w)o(ev)o(er,)12 b(the)i(op)q(erator)f(ma)o(y)h(use)f(a)-75 2534 y(man)o(ual)f(con)o (trol)g(\(called)h(the)e(\\blo)q(c)o(k")h(switc)o(h\))f(to)g(o)o(v)o (erride)h(safet)o(y)-75 2575 y(injection)g(during)f(normal)g(start-up)f (or)g(co)q(ol-do)o(wn)h(phases.)17 b(More-)-75 2617 y(o)o(v)o(er)11 b(\(as)g(in)h([7]\),)e(the)h(op)q(erator)h(also)f(has)h(a)f(\\reset)g (switc)o(h,")g(whic)o(h)-75 2658 y(results)h(in)g(the)f(con)o(troller)h (program)g(clearing)h(an)o(y)e(state)g(triggered)-75 2700 y(b)o(y)i(outstanding)j(\\blo)q(c)o(k")e(signals.)1025 1392 y(In)g([16])h(and)g([7])f(this)i(sp)q(eci\014cation)h(is)f (rendered)g(using)g(the)f(SCR)1025 1434 y(tabular)d(notation)g({)e (although)j(the)d(system)h(giv)o(en)h(in)g([7)o(])e(uses)i(only)1025 1475 y(one)e(pressure)g(sensor.)17 b(Here,)10 b(w)o(e)f(adapt)h(the)g (original)j(three-sensor)1025 1517 y(system)g(to)f(the)h(st)o(yle)h(of) f(requiremen)o(ts)h(in)g([7],)e(assuming)i(that)f(an)1025 1558 y(action)19 b(is)f(tak)o(en)h(when)f(t)o(w)o(o)g(out)g(of)g(three) g(sensors)h(agree)f(on)h(a)1025 1600 y(condition.)1025 1665 y(Additionally)n(,)k(w)o(e)c(ha)o(v)o(e)i(complicated)h(the)e (system)g(somewhat,)1025 1707 y(b)o(y)d(adding)j(an)d(actuator)h (called)i(\\damp,")f(whic)o(h)f(is)g(similar)i(to)1025 1748 y(\\safet)o(y)10 b(inection")i({)e(but)g(con)o(v)o(eys)h(the)f (opp)q(osite)h(meaning.)18 b(When)1025 1790 y(a)12 b(\\damp")h(signal)i (is)e(sen)o(t,)f(it)h(means)g(that)g(incoming)h(w)o(ater)f(pres-)1025 1832 y(sure)f(is)h(getting)g(to)q(o)g(high,)g(and)g(that)f(the)h(co)q (olan)o(t)g(system)g(should)1025 1873 y(start)g(reducing)i(it.)i (Again,)d(the)f(\\blo)q(c)o(k")i(signal)g(can)f(disable)h(this)1025 1915 y(condition)g(\(whic)o(h)f(the)f(reset)g(button)h(can)f(also)h (clear\).)1025 1980 y(The)19 b(SCR)g(requiremen)o(ts)i(notation)g(is)e (used)h(to)f(sp)q(ecify)i(plan)o(t-)1025 2022 y(con)o(troller)16 b(systems;)f(it)g(giv)o(es)h(the)f(c)o(hoice)g(of)g(sp)q(ecifying)h(a)f (state-)1025 2063 y(c)o(hange)e(explicitly)j(\(via)d(ev)o(en)o(ts\),)g (or)g(implicitly)j(\(via)d(curren)o(t)g(v)n(al-)1025 2105 y(uations)19 b(of)e(of)g(other)h(conditions\).)33 b(In)17 b(SCR,)h(a)f(system's)h(en)o(vi-)1025 2146 y(ronmen)o(t)d(is)g (abstracted)h(as)e(a)h(set)g(of)f(monitored)i(and)g(con)o(trolled)1025 2188 y(state)9 b(v)n(ariables,)j(corresp)q(onding)g(to)d(the)g(sensors) h(and)g(actuators)g(in)1025 2229 y(a)h(con)o(trol-theoretic)i(setting.) 18 b(Based)12 b(on)g(the)f(v)n(alues)i(con)o(v)o(ey)o(ed)f(on)1025 2271 y(the)i(monitored)h(v)n(ariables,)h(the)e(system)g(can)h(c)o (hange)f(its)h(in)o(ternal)1025 2312 y(state)e({)g(and)g(send)h(out)f (signals)i(on)f(the)f(con)o(trolled)i(v)n(ariables.)1025 2378 y(SCR)10 b(uses)g(three)g(basic)h(constructs)g(to)f(represen)o(t)g (soft)o(w)o(are)g(b)q(eha)o(v-)1025 2419 y(ior:)22 b(mo)q(des,)16 b(terms)f(and)h(conditions.)27 b(A)15 b Fr(mo)n(de)g(class)e Fu(is)j(just)f(an)1025 2461 y(en)o(umerated)10 b(t)o(yp)q(e,)f (denoting)i(an)f(in)o(ternal)g(state)f(of)g(the)g(con)o(troller.)1025 2502 y(Eac)o(h)16 b(class)h(has)f(an)h(exclusivit)o(y)i(relation)f(b)q (et)o(w)o(een)e(its)g(v)n(alues)i({)1025 2544 y(but)d(man)o(y)h (classes)h(can)f(b)q(e)f(activ)o(e)i(sim)o(ultaneously)n(.)26 b(Mo)q(des)17 b(are)1025 2585 y(usually)e(describ)q(ed)g(b)q(eha)o (vioriall)q(y)m(,)g(in)f(a)f(table)h(denoting)g(curren)o(t-)1025 2627 y(state/next-state)d(transitions,)h(lab)q(elled)i(b)o(y)c (conditions)j(that)d(trig-)1025 2668 y(ger)i(the)g(state-c)o(hange.)18 b(A)11 b Fr(term)h Fu(is)h(an)o(y)f(function)i(of)e(mo)q(des,)g(v)n (ari-)p Black Black eop %%Page: 4 4 4 3 bop Black Black Black Black Black -65 2 2069 2 v -66 199 2 198 v -15 29 a Fp(Constan)o(ts:)169 b Fl(min)p Fn(,)12 b Fl(max)p Fn(,)f Fl(low)q Fn(,)h Fl(hig)q(h)p Fn(,)g Fl(toohig)q(h;)7 b(bound)p Fn(:)16 b(in)o(teger)33 b Fl(min)11 b(<)f(low)h(<)f(hig)q(h)h(<)f(toohig)q(h)g(<)h(max)-15 69 y Fp(V)m(ariables:)182 b Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)p Fl(;)g(w)q(p)p Fn(3:)16 b(in)o(teger)343 108 y Fl(B)r(lock)q(;)5 b(Reset;)i(I)s(nj)r(ect;)f(D)q(amp;)f(O)q(v)q (er)o(;)i(T)e(Low)q(;)g(Low)q(;)h(H)s(ig)q(h;)f(T)g(H)s(ig)q(h)p Fn(:)15 b(b)q(o)q(olean)-15 148 y Fp(Initial)e(Condition:)51 b Fl(low)11 b Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)p Fl(;)h(w)q(p)p Fn(3)j Fl(<)h(hig)q(h)f Fm(^)e(:)p Fl(B)r(lock)h Fm(^)g(:)p Fl(Reset)g Fm(^)f(:)p Fl(I)s(nj)r(ect)h Fm(^)g(:)p Fl(D)q(amp)f Fm(^)g(:)p Fl(O)q(v)q(er)-15 187 y Fp(Ev)o(en)o(ts:)p 2003 199 V -66 797 2 598 v 102 226 a Fl(e)118 232 y Fi(T)t(Low)213 226 y Fn(:)50 b Fl(RT)5 b(Low)j Fm(^)g Fl(T)d(Low)525 215 y Fq(0)543 226 y Fm(^)j(:)p Fl(Low)666 215 y Fq(0)685 226 y Fm(^)f(:)p Fl(H)s(ig)q(h)822 215 y Fq(0)840 226 y Fm(^)h(:)p Fl(T)d(H)s(ig)q(h)1004 215 y Fq(0)1022 226 y Fm(^)i Fl(F)e(easible)p Fm(^)273 266 y Fl(F)g(O)q(v)q(er)k Fm(^)f Fl(F)d(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect)711 254 y Fq(0)731 266 y Fm(^)j Fl(F)d(D)q(amp)i Fm(^)h Fl(F)d(D)q(amp)1052 254 y Fq(0)136 326 y Fl(e)152 332 y Fi(Low)213 326 y Fn(:)50 b Fl(RLow)9 b Fm(^)e Fl(Low)473 314 y Fq(0)493 326 y Fm(^)g(:)p Fl(T)e(Low)641 314 y Fq(0)659 326 y Fm(^)j(:)p Fl(H)s(ig)q(h)797 314 y Fq(0)815 326 y Fm(^)f(:)p Fl(T)e(H)s(ig)q(h)978 314 y Fq(0)996 326 y Fm(^)j Fl(F)d(easible)p Fm(^)273 366 y Fl(F)g(O)q(v)q(er)k Fm(^)f Fl(F)d(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect)711 354 y Fq(0)731 366 y Fm(^)j Fl(F)d(D)q(amp)i Fm(^)h Fl(F)d(D)q(amp)1052 354 y Fq(0)111 426 y Fl(e)127 432 y Fi(H)r(ig)q(h)213 426 y Fn(:)50 b Fl(RH)s(ig)q(h)7 b Fm(^)h Fl(H)s(ig)q(h)503 414 y Fq(0)522 426 y Fm(^)f(:)p Fl(T)e(Low)670 414 y Fq(0)688 426 y Fm(^)j(:)p Fl(Low)811 414 y Fq(0)830 426 y Fm(^)f(:)p Fl(T)e(H)s(ig)q(h)993 414 y Fq(0)1011 426 y Fm(^)i Fl(F)e(easible)p Fm(^)273 465 y Fl(F)g(O)q(v)q(er)k Fm(^)f Fl(F)d(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect)711 453 y Fq(0)731 465 y Fm(^)j Fl(F)d(D)q(amp)i Fm(^)h Fl(F)d(D)q(amp)1052 453 y Fq(0)89 525 y Fl(e)105 531 y Fi(T)t(H)r(ig)q(h)213 525 y Fn(:)50 b Fl(RT)5 b(H)s(ig)q(h)i Fm(^)g Fl(T)e(H)s(ig)q(h)554 514 y Fq(0)573 525 y Fm(^)i(:)p Fl(T)e(Low)721 514 y Fq(0)739 525 y Fm(^)j(:)p Fl(Low)862 514 y Fq(0)880 525 y Fm(^)g(:)p Fl(H)s(ig)q(h)1018 514 y Fq(0)1036 525 y Fm(^)g Fl(F)d(easible)p Fm(^)273 565 y Fl(F)g(O)q(v)q(er)k Fm(^)f Fl(F)d(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect)711 553 y Fq(0)731 565 y Fm(^)j Fl(F)d(D)q(amp)i Fm(^)h Fl(F)d(D)q(amp)1052 553 y Fq(0)33 625 y Fl(e)49 631 y Fi(N)s(oC)r(hang)q(e)213 625 y Fn(:)50 b(\(\()p Fl(C)r(T)5 b(Low)421 613 y Fq(0)440 625 y Fm(^)i Fl(C)r(T)e(Low)q Fn(\))j Fm(_)f Fn(\()p Fl(C)r(Low)752 613 y Fq(0)772 625 y Fm(^)g Fl(C)r(Low)q Fn(\))h Fm(_)g Fn(\()p Fl(C)r(H)s(ig)q(h)1074 613 y Fq(0)1093 625 y Fm(^)f Fl(C)r(H)s(ig)q(h)p Fn(\))h Fm(_)f Fn(\()p Fl(C)r(T)e(H)s(ig)q(h)1435 613 y Fq(0)1454 625 y Fm(^)i Fl(C)r(T)e(H)s(ig)q(h)p Fn(\)\))p Fm(^)273 664 y Fl(F)g(easible)k Fm(^)e Fl(F)e(O)q(v)q(er)10 b Fm(^)d Fl(F)e(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect)883 653 y Fq(0)904 664 y Fm(^)i Fl(F)e(D)q(amp)j Fm(^)f Fl(F)e(D)q(amp)1224 653 y Fq(0)-15 725 y Fl(e)1 731 y Fi(B)q(lock)q(O)q(r)q(Reset)213 725 y Fn(:)50 b(\(\()p Fl(B)r(lock)392 713 y Fq(0)412 725 y Fn(=)10 b Fm(:)p Fl(B)r(lock)f Fm(^)e Fl(Reset)691 713 y Fq(0)712 725 y Fn(=)k Fl(Reset)p Fn(\))d Fm(_)f Fn(\()p Fl(Reset)993 713 y Fq(0)1015 725 y Fn(=)j Fm(:)p Fl(Reset)e Fm(^)f Fl(B)r(lock)1294 713 y Fq(0)1315 725 y Fn(=)j Fl(B)r(lock)q Fn(\)\))p Fm(^)273 764 y Fl(F)5 b(O)q(v)q(er)k Fm(^)f Fl(F)d(I)s(nj)r(ect)k Fm(^)e Fl(F)e(I)s(nj)r(ect) 711 752 y Fq(0)731 764 y Fm(^)j Fl(F)d(D)q(amp)i Fm(^)h Fl(F)d(D)q(amp)1052 752 y Fq(0)p 2003 797 V -66 1689 2 893 v -15 837 a Fl(C)r(T)g(Low)115 818 y Fk(def)122 837 y Fn(=)17 b Fl(w)q(p)p Fn(1)p Fl(;)6 b(w)q(p)p Fn(2)j Fl(<)h(low)f Fm(_)f Fl(w)q(p)p Fn(1)p Fl(;)d(w)q(p)p Fn(3)k Fl(<)i(low)e Fm(_)e Fl(w)q(p)p Fn(2)p Fl(;)e(w)q(p)p Fn(3)10 b Fl(<)g(low)-15 890 y(C)r(Low)89 871 y Fk(def)96 890 y Fn(=)18 b Fl(low)11 b Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(2)j Fl(<)h(hig)q(h)f Fm(_)e Fl(low)k Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(3)j Fl(<)h(hig)q(h)f Fm(_)e Fl(low)k Fm(\024)f Fl(w)q(p)p Fn(2)p Fl(;)c(w)q(p)p Fn(3)j Fl(<)h(hig)q(h)-15 942 y(C)r(H)s(ig)q(h)104 923 y Fk(def)111 942 y Fn(=)18 b Fl(hig)q(h)10 b Fm(\024)g Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(2)j Fl(<)h(toohig)q(h)f Fm(_)e Fl(hig)q(h)j Fm(\024)h Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(3)k Fl(<)i(toohig)q(h)d Fm(_)f Fl(hig)q(h)k Fm(\024)f Fl(w)q(p)p Fn(2)p Fl(;)5 b(w)q(p)p Fn(3)10 b Fl(<)g(toohig)q(h)-15 995 y(C)r(T)5 b(H)s(ig)q(h)129 975 y Fk(def)136 995 y Fn(=)18 b Fl(toohig)q(h)10 b Fm(\024)h Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)i Fm(_)h Fl(toohig)q(h)i Fm(\024)g Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(3)h Fm(_)g Fl(toohig)q(h)k Fm(\024)f Fl(w)q(p)p Fn(2)p Fl(;)5 b(w)q(p)p Fn(3)-15 1047 y Fl(C)r(T)g(Low)105 1035 y Fq(0)126 1028 y Fk(def)133 1047 y Fn(=)18 b Fl(w)q(p)p Fn(1)240 1035 y Fq(0)250 1047 y Fl(;)6 b(w)q(p)p Fn(2)328 1035 y Fq(0)349 1047 y Fl(<)k(low)f Fm(_)e Fl(w)q(p)p Fn(1)541 1035 y Fq(0)552 1047 y Fl(;)f(w)q(p)p Fn(3)630 1035 y Fq(0)650 1047 y Fl(<)11 b(low)e Fm(_)e Fl(w)q(p)p Fn(2)843 1035 y Fq(0)854 1047 y Fl(;)f(w)q(p)p Fn(3)932 1035 y Fq(0)952 1047 y Fl(<)k(low)-15 1100 y(C)r(Low)79 1088 y Fq(0)100 1080 y Fk(def)108 1100 y Fn(=)17 b Fl(low)11 b Fm(\024)f Fl(w)q(p)p Fn(1)315 1088 y Fq(0)326 1100 y Fl(;)c(w)q(p)p Fn(2)404 1088 y Fq(0)424 1100 y Fl(<)11 b(hig)q(h)d Fm(_)g Fl(low)j Fm(\024)f Fl(w)q(p)p Fn(1)735 1088 y Fq(0)746 1100 y Fl(;)5 b(w)q(p)p Fn(3)823 1088 y Fq(0)844 1100 y Fl(<)10 b(hig)q(h)f Fm(_)e Fl(low)k Fm(\024)f Fl(w)q(p)p Fn(2)1154 1088 y Fq(0)1165 1100 y Fl(;)c(w)q(p)p Fn(3)1243 1088 y Fq(0)1263 1100 y Fl(<)11 b(hig)q(h)-15 1152 y(C)r(H)s(ig)q(h)94 1140 y Fq(0)115 1133 y Fk(def)122 1152 y Fn(=)18 b Fl(hig)q(h)10 b Fm(\024)g Fl(w)q(p)p Fn(1)346 1140 y Fq(0)357 1152 y Fl(;)c(w)q(p)p Fn(2)435 1140 y Fq(0)456 1152 y Fl(<)k(toohig)q(h)e Fm(_)g Fl(hig)q(h)i Fm(\024)g Fl(w)q(p)p Fn(1)829 1140 y Fq(0)840 1152 y Fl(;)c(w)q(p)p Fn(3)918 1140 y Fq(0)938 1152 y Fl(<)11 b(toohig)q(h)d Fm(_)f Fl(hig)q(h)k Fm(\024)f Fl(w)q(p)p Fn(2)1312 1140 y Fq(0)1323 1152 y Fl(;)5 b(w)q(p)p Fn(3)1400 1140 y Fq(0)1421 1152 y Fl(<)10 b(toohig)q(h)-15 1205 y(C)r(T)5 b(H)s(ig)q(h)120 1193 y Fq(0)140 1185 y Fk(def)148 1205 y Fn(=)17 b Fl(toohig)q(h)11 b Fm(\024)f Fl(w)q(p)p Fn(1)419 1193 y Fq(0)430 1205 y Fl(;)5 b(w)q(p)p Fn(2)507 1193 y Fq(0)526 1205 y Fm(_)i Fl(toohig)q(h)k Fm(\024)f Fl(w)q(p)p Fn(1)784 1193 y Fq(0)795 1205 y Fl(;)5 b(w)q(p)p Fn(3)872 1193 y Fq(0)891 1205 y Fm(_)i Fl(toohig)q(h)k Fm(\024)f Fl(w)q(p)p Fn(2)1149 1193 y Fq(0)1160 1205 y Fl(;)5 b(w)q(p)p Fn(3)1237 1193 y Fq(0)-15 1257 y Fl(RT)g(Low)114 1238 y Fk(def)121 1257 y Fn(=)18 b Fl(C)r(T)5 b(Low)286 1245 y Fq(0)305 1257 y Fm(^)i(:)p Fl(C)r(T)e(Low)36 b(RLow)619 1238 y Fk(def)626 1257 y Fn(=)18 b Fl(C)r(Low)765 1245 y Fq(0)785 1257 y Fm(^)7 b(:)p Fl(C)r(Low)-15 1309 y(RH)s(ig)q(h)103 1290 y Fk(def)110 1309 y Fn(=)18 b Fl(C)r(H)s(ig)q(h)264 1298 y Fq(0)283 1309 y Fm(^)8 b(:)p Fl(C)r(H)s(ig)q(h)35 b(RT)5 b(H)s(ig)q(h)627 1290 y Fk(def)634 1309 y Fn(=)18 b Fl(C)r(T)5 b(H)s(ig)q(h)814 1298 y Fq(0)832 1309 y Fm(^)j(:)p Fl(C)r(T)d(H)s(ig)q(h)-15 1362 y(F)g(easible)127 1343 y Fk(def)135 1362 y Fn(=)17 b(\()p Fl(w)q(p)p Fn(1)7 b Fm(\000)i Fl(bound)i Fm(\024)f Fl(w)q(p)p Fn(1)499 1350 y Fq(0)520 1362 y Fm(\024)g Fl(w)q(p)p Fn(1)d(+)i Fl(bound)p Fn(\))f Fm(^)g Fn(\()p Fl(w)q(p)p Fn(2)f Fm(\000)h Fl(bound)j Fm(\024)f Fl(w)q(p)p Fn(2)1126 1350 y Fq(0)1147 1362 y Fm(\024)g Fl(w)q(p)p Fn(2)e(+)g Fl(bound)p Fn(\))p Fm(^)185 1401 y Fn(\()p Fl(w)q(p)p Fn(3)f Fm(\000)i Fl(bound)i Fm(\024)f Fl(w)q(p)p Fn(3)505 1390 y Fq(0)526 1401 y Fm(\024)g Fl(w)q(p)p Fn(3)d(+)i Fl(bound)p Fn(\))f Fm(^)g Fn(\()p Fl(min)i Fm(\024)g Fl(w)q(p)p Fn(1)1000 1390 y Fq(0)1011 1401 y Fl(;)c(w)q(p)p Fn(2)1089 1390 y Fq(0)1099 1401 y Fl(;)g(w)q(p)p Fn(3)1177 1390 y Fq(0)1198 1401 y Fm(\024)k Fl(max)p Fn(\))-15 1454 y Fl(F)5 b(O)q(v)q(er)101 1435 y Fk(def)108 1454 y Fn(=)18 b(\()p Fl(O)q(v)q(er)246 1442 y Fq(0)265 1454 y Fm(^)7 b Fl(B)r(lock)387 1442 y Fq(0)406 1454 y Fm(^)h Fl(B)r(lock)g Fm(^)f(:)p Fl(Reset)h Fm(^)g Fn(\()p Fl(T)d(Low)j Fm(_)f Fl(Low)j Fm(_)d Fl(T)e(H)s(ig)q(h)p Fn(\)\))p Fm(_)162 1493 y Fn(\()p Fm(:)p Fl(O)q(v)q(er)279 1482 y Fq(0)297 1493 y Fm(^)j Fn(\(\()p Fl(Reset)445 1482 y Fq(0)464 1493 y Fm(^)f Fl(Reset)p Fn(\))h Fm(_)g Fn(\()p Fl(T)d(Low)744 1482 y Fq(0)762 1493 y Fm(^)19 b Fl(T)5 b(Low)q Fn(\))i Fm(_)h Fn(\()p Fl(Low)1032 1482 y Fq(0)1051 1493 y Fm(^)f(:)p Fl(Low)q Fn(\))h Fm(_)f Fn(\()p Fl(H)s(ig)q(h)1322 1482 y Fq(0)1341 1493 y Fm(^)g(:)p Fl(H)s(ig)q(h)p Fn(\))g Fm(_)g Fn(\()p Fl(T)e(ooH)s(ig)q(h)1686 1482 y Fq(0)1704 1493 y Fm(^)20 b Fl(T)5 b(ooH)s(ig)q(h)p Fn(\)\)\))p Fm(_)162 1533 y Fn(\()p Fl(O)q(v)q(er)255 1521 y Fq(0)276 1533 y Fn(=)10 b Fl(O)q(v)q(er)f Fm(^)f Fn(\()p Fm(:)p Fn(\()p Fl(B)r(lock)575 1521 y Fq(0)592 1533 y Fm(^)g Fl(B)r(lock)g Fm(^)g(:)p Fl(Reset)g Fm(^)f Fn(\()p Fl(T)e(Low)j Fm(_)g Fl(Low)h Fm(_)e Fl(H)s(ig)q(h)h Fm(_)f Fl(T)e(H)s(ig)q(h)p Fn(\)\))p Fm(_)162 1572 y(:)p Fn(\(\()p Fl(Reset)302 1560 y Fq(0)320 1572 y Fm(^)j Fl(Reset)p Fn(\))g Fm(_)f Fn(\()p Fl(T)e(Low)600 1560 y Fq(0)619 1572 y Fm(^)19 b Fl(T)5 b(Low)q Fn(\))i Fm(_)g Fn(\()p Fl(Low)888 1560 y Fq(0)907 1572 y Fm(^)h(:)p Fl(Low)q Fn(\))f Fm(_)g Fn(\()p Fl(H)s(ig)q(h)1178 1560 y Fq(0)1197 1572 y Fm(^)g(:)p Fl(H)s(ig)q(h)p Fn(\))g Fm(_)h Fn(\()p Fl(T)d(H)s(ig)q(h)1509 1560 y Fq(0)1527 1572 y Fm(^)19 b Fl(T)5 b(H)s(ig)q(h)p Fn(\)\)\)\))-15 1625 y Fl(F)g(I)s(nj)r(ect)121 1605 y Fk(def)129 1625 y Fn(=)17 b(\()p Fm(:)p Fl(I)s(nj)r(ect)8 b Fm(^)g Fn(\()p Fl(T)d(Low)j Fm(^)f Fl(O)q(v)q(er)j Fm(_)d Fl(Low)i Fm(_)e Fl(H)s(ig)q(h)h Fm(_)f Fl(T)e(H)s(ig)q(h)p Fn(\)\))i Fm(_)g Fn(\()p Fl(I)s(nj)r(ect)i Fm(^)e Fn(\()p Fl(T)e(Low)j Fm(^)g(:)p Fl(O)q(v)q(er)q Fn(\)\))-15 1677 y Fl(F)d(D)q(amp)119 1658 y Fk(def)127 1677 y Fn(=)17 b(\()p Fm(:)p Fl(D)q(amp)7 b Fm(^)g Fn(\()p Fl(T)e(Low)j Fm(_)g Fl(Low)h Fm(_)e Fl(H)s(ig)q(h)h Fm(_)f Fl(T)e(H)s(ig)q(h)j Fm(^)f(:)p Fl(O)q(v)q(er)q Fn(\)\))g Fm(_)g Fn(\()p Fl(D)q(amp)h Fm(^)f Fn(\()p Fl(T)e(H)s(ig)q(h)i Fm(^)g(:)p Fl(O)q(v)q(er)q Fn(\)\))p 2003 1689 V -65 1691 2069 2 v -75 1804 a Fj(Figure)k(2:)19 b(Ev)o(en)o(t-Action)11 b(Language)i(Represen)o(tation)f(of)g(the)g (Safet)o(y)h(Injection)d(System)i(Requiremen)o(ts)h(Sp)q (eci\014cations.)p Black -75 1936 a Fu(ables,)k(constan)o(ts,)h(op)q (erators,)f(etc.)25 b({)16 b(i.e.,)g(a)g(function)h(built)h(up)-75 1977 y(o)o(v)o(er)12 b(the)f(other)h(sym)o(b)q(ols)h(in)g(an)f(SCR)f (sp)q(eci\014cation.)20 b(A)11 b Fr(c)n(ondition)-75 2019 y Fu(is)h(just)f(a)h(term)f(whic)o(h)h(ev)n(aluates)h(to)e(T)m (rue)h(or)f(F)m(alse,)h(based)g(on)g(the)-75 2060 y(presen)o(t)i (state's)f(v)n(aluation.)-75 2126 y(The)e(SCR)g(sp)q(eci\014cation)i (of)e(our)g(safet)o(y)g(injection)h(system)g(is)f(giv)o(en)-75 2167 y(in)i(Figure)h(1.)j(The)12 b(monitored)i(v)n(ariables)h Fh(WP1,)j(WP2,)g(WP3)11 b Fu(mo)q(del)-75 2209 y(the)k(readings)i(from) e(three)h(w)o(ater)f(pressure)h(sensors.)25 b(The)15 b(mo)q(de)-75 2250 y(class)g Fh(Pressure)c Fu(denotes)k(the)f(con)o (troller's)h(state,)f(dep)q(enden)o(t)i(on)-75 2292 y(the)k(other)g (conditions)j(of)d(the)g(system.)38 b(Note)20 b(that)g(it)h(ranges)-75 2333 y(o)o(v)o(er)16 b Fh(TooLow,)h(Low,)h(High,)g(TooHigh)12 b Fu({)k(since)h(w)o(e)e(also)i(include)-75 2375 y(an)c(\\unsafe")h(mo) q(de)g(for)f(o)o(v)o(erly-high)i(pressure.)-75 2440 y(Sensor)j(v)n (alues)g(c)o(hange)g(b)q(et)o(w)o(een)f(t)o(w)o(o)f(constan)o(ts)i Fh(min)d Fu(and)j Fh(max)p Fu(.)-75 2482 y(Other)12 b(constan)o(ts)i({) e Fh(low)p Fu(,)f Fh(high)p Fu(,)f Fh(toohigh)g Fu({)i(indicate)j(the)d (critical)-75 2523 y(pressure)g(lev)o(els)g(to)e(whic)o(h)i(the)f (system)g(reacts.)16 b(W)m(ater)11 b(pressure)h(is)-75 2565 y(assumed)j(to)e(b)q(e)h(dangerously)i(lo)o(w)e(when)g(it)g(is)g (b)q(et)o(w)o(een)g Fh(min)f Fu(and)-75 2606 y Fh(low)p Fu(,)d(and)j(to)q(o)f(high)i(when)e(it)g(ranges)h(b)q(et)o(w)o(een)f Fh(toohigh)d Fu(and)k Fh(max)p Fu(.)-75 2648 y(The)h(ob)r(jectiv)o(e)i (is)f(to)g(main)o(tain)h(the)f(pressure)h(b)q(et)o(w)o(een)e Fh(low)g Fu(and)-75 2689 y Fh(high)p Fu(.)1025 1936 y(If)c(at)g(least)i (t)o(w)o(o)e(out)h(of)g(three)g(sensors)g(detect)g(a)g(drop)h(in)f(the) g(w)o(ater)1025 1977 y(pressure)k(b)q(elo)o(w)h(the)f(constan)o(t)h Fh(low)p Fu(,)e(this)i(causes)f(the)h(system)f(to)1025 2019 y(en)o(ter)j(the)g(mo)q(de)h Fh(TooLow)d Fu({)i(and)h(to)g(start)f (safet)o(y)h(injection)h(\(if)1025 2060 y(it)d(is)g(not)h(o)o(v)o (erridden\).)31 b(The)16 b(analogous)k(logic)e(holds)h(for)e(when)1025 2102 y(pressure)c(gets)h(to)q(o)f(high.)1025 2167 y(W)m(e)k(sho)o(w)g (the)g(explicit)i(transition)h(tables)e(for)f(mo)q(de)g Fh(Pressure)1025 2209 y Fu(and)10 b(term)f Fh(Overridde)o(n)p Fu(.)j(As)d(for)h(the)f(con)o(trolled)j(v)n(ariables)f Fh(Inject)1025 2250 y Fu(and)k Fh(Damp)p Fu(,)e(their)j(state-c)o (hanges)g(are)f(stated)g(implicit)o(y)m(,)j(via)e(con-)1025 2292 y(dition)f(tables.)22 b(In)14 b(these)g(tables,)h Fh(@T\(InMode\))10 b Fu(denotes)15 b(that)g(the)1025 2333 y(system)c(en)o(ters)g(the)g(corresp)q(onding)j(mo)q(de)d(\(i.e.,) g(the)g(mo)q(de)g(sho)o(wn)1025 2375 y(on)i(the)g(left-hand-side)i(of)e (the)g(corresp)q(onding)j(column\).)1025 2440 y(Note)g(that)g(the)h (system)g(is)g(considered)h Fh(Overridden)13 b Fu(when)j(it)h(is)1025 2482 y(blo)q(c)o(k)o(ed)h(in)f(particular)i(mo)q(des)e(\(as)f(w)o(ell)h (as)g(not)g(reset\).)27 b(As)16 b(for)1025 2523 y Fh(Inject)p Fu(,)f(the)i(condition)j(table)e(states)f(that)g(it)h(can)f(only)i(b)q (e)e(ac-)1025 2565 y(tuated)i(when)f(the)h(system)g(is)g(in)g(mo)q(de)g Fh(TooLow)d Fu(and)k(it)e(is)i(not)1025 2606 y(o)o(v)o(erriden.)e(The) 13 b(conditions)j(for)c Fh(Damp)g Fu(are)h(analogous.)1025 2672 y(The)h(seman)o(tics)i(of)f(SCR)g(is)g(de\014ned)h(in)g([18].)21 b(An)15 b(imp)q(ortan)o(t)h(re-)p Black Black eop %%Page: 5 5 5 4 bop Black Black -75 42 a Fu(striction)16 b(of)e(the)h(mo)q(del)g (is)g(the)g(One)f(Input)h(Assumption,)h(whic)o(h)-75 83 y(states)10 b(that)f(only)i(one)f(monitored)h(v)n(ariable)g(can)f(c) o(hange)g(at)g(a)f(time.)-75 125 y(F)m(or)k(the)g(SCR)g(sp)q (eci\014cation)i(giv)o(en)g(in)e(Figure)h(1)f(w)o(e)g(assume)g(that)-75 166 y(at)h(an)o(y)g(giv)o(en)h(time,)g(either)g Fh(Block)c Fu(or)j Fh(Reset)e Fu(can)i(toggle,)h(or)f(the)-75 208 y(w)o(ater)j(pressure)i(readings)g(c)o(hange.)32 b(Ho)o(w)o(ev)o(er,)19 b(w)o(e)e(assume)h(the)-75 249 y(pressure)f(sensors)h(are)e(read)h(in)g (on)g(a)f(v)o(ector)h({)f(hence,)h(w)o(e)f(treat)-75 291 y(them)d(as)g(one)h(input.)-75 356 y(W)m(e)f(also)g(place)h(en)o (vironmen)o(tal)h(constrain)o(ts)f(on)f(the)g(\015uctuations)-75 398 y(of)18 b(the)h(pressure)h(readings,)h(as)e(in)g([7].)33 b(Here,)20 b(w)o(e)e(ensure)h(that)-75 439 y(readings)c(can)e(c)o (hange)h(within)h(a)e(certain)h(range,)f Fs(\006)g Fh(bound)p Fu(.)-75 505 y(Note)e(that)h(in)h(the)e(sp)q(eci\014cation)k(giv)o(en)e (in)f(Figure)h(1)f(v)n(alues)h(of)e(the)-75 546 y(constan)o(ts)16 b Fh(min)p Fu(,)d Fh(max)p Fu(,)g Fh(low)p Fu(,)g Fh(high)p Fu(,)g Fh(toohigh)p Fu(,)f(and)j Fh(bound)d Fu(are)j(un-)-75 588 y(sp)q(eci\014ed.)j(These)11 b(constan)o(ts)g(can)g(tak)o(e)g(an)o (y)g(in)o(teger)h(v)n(alue)f(as)g(long)-75 629 y(as)16 b(they)g(satisfy)g(the)g(ordering)i Fh(min)c Ft(<)h Fh(low)g Ft(<)g Fh(high)f Ft(<)h Fh(toohigh)-75 671 y Ft(<)c Fh(max)p Fu(.)k(Our)d(represen)o(tation)h(of)e(the)h(system,)g(whic)o(h)g(is)g (describ)q(ed)-75 712 y(b)q(elo)o(w,)21 b(lea)o(v)o(es)f(these)g (constan)o(ts)g(as)f(unsp)q(eci\014ed.)38 b(Hence,)21 b(an)o(y)-75 754 y(prop)q(ert)o(y)14 b(w)o(e)e(v)o(erify)i(is)f(v)n (alid)h(for)f(an)o(y)g(p)q(ossible)i(in)o(terpretation)h(of)-75 795 y(these)d(constan)o(ts.)-75 957 y Fv(3)56 b(Mo)r(dels)18 b(and)h(Prop)r(erties)-75 1050 y Fu(W)m(e)9 b(use)g(an)g(ev)o(en)o (t-action)i(language)g(as)e(our)g(syn)o(tax)h(for)e(concurren)o(t)-75 1092 y(systems,)21 b(with)e(a)g(seman)o(tics)h(de\014ned)g(in)g(terms)f (of)f(states)i(and)-75 1133 y(transition)e(relations.)29 b(A)16 b(concurren)o(t)h(system)f Ft(C)j Fu(=)d(\()p Ft(V)r(;)7 b(I)s(;)e(E)r Fu(\))17 b(is)-75 1175 y(represen)o(ted)10 b(b)o(y)f(\(1\))g(a)g(\014nite)h(set)f(of)g(data)g(and)h(con)o(trol)g (v)n(ariables)h Ft(V)e Fu(;)-75 1216 y(\(2\))k(an)g(initial)j (condition)f Ft(I)s Fu(,)d(whic)o(h)i(sp)q(eci\014es)g(the)f(starting)h (states)-75 1258 y(of)f(the)g(program;)h(and)f(\(3\))g(a)g(\014nite)h (set)f(of)g(ev)o(en)o(ts)h Ft(E)r Fu(,)f(where)g(eac)o(h)-75 1299 y(ev)o(en)o(t)d(is)g(considered)h(atomic)f([22].)16 b(A)9 b(system)g(state)h(is)g(determined)-75 1341 y(b)o(y)19 b(the)f(v)n(alues)h(of)f(its)h(data)g(and)g(con)o(trol)g(v)n(ariables,) i(where)e(w)o(e)-75 1382 y(assume)14 b(that)g(the)g(domain)h(of)e(eac)o (h)h(v)n(ariable)i(is)e(a)f(coun)o(table)j(set.)-75 1424 y(Eac)o(h)e(ev)o(en)o(t)h(de\014nes)g(a)f(transformation)h(on)f(the)g (v)n(ariables)j(of)c(the)-75 1465 y(program.)-75 1531 y(Giv)o(en)i(a)f(system)g Ft(C)h Fu(=)d(\()p Ft(V)r(;)7 b(I)s(;)f(E)r Fu(\))14 b(in)g(our)g(ev)o(en)o(t)h(action)g(language,) -75 1572 y(w)o(e)9 b(mo)q(del)i(it)f(as)f(an)h(in\014nite)i(transition) g(system)e Ft(M)k Fu(=)d(\()p Ft(S;)6 b(I)s(;)g(X)q(;)g(L)p Fu(\),)-75 1614 y(where)18 b Ft(S)i Fu(is)e(the)g(set)g(of)g(states,)h Ft(I)h Fu(is)e(the)g(set)g(of)g(initial)i(states,)-75 1655 y Ft(X)13 b Fs(\022)e Ft(S)e Fs(\002)d Ft(S)14 b Fu(is)f(the)f(transition)i(relation)g(\(deriv)o(ed)f(from)f(the)g(set)g (of)-75 1697 y(ev)o(en)o(ts)i Ft(E)r Fu(\),)f(and)h Ft(L)d Fu(:)g Ft(S)g Fs(\002)e Ft(S)r(F)16 b Fs(!)c(f)p Ft(tr)q(ue;)6 b(f)t(al)q(se)p Fs(g)14 b Fu(is)f(the)h(v)n(aluation)-75 1739 y(function)c(for)f(state)g(form)o(ulas)h(o)o(v)o(er)g(the)f (program's)g(v)n(ariables.)18 b(\(W)m(e)-75 1780 y(de\014ne)12 b(the)g(set)f(of)g(state)h(form)o(ulas)g Ft(S)r(F)17 b Fu(b)q(elo)o(w.\))g(The)12 b(set)f(of)g(states)-75 1822 y Ft(S)21 b Fu(is)e(obtained)i(b)o(y)e(taking)h(Cartesian)f(pro)q (duct)h(of)e(domains)j(of)-75 1863 y(all)f(program)f(v)n(ariables;)24 b(hence,)c(eac)o(h)f(state)f(corresp)q(onds)j(to)d(a)-75 1905 y(v)n(aluation)d(of)e(all)i(the)e(v)n(ariables)i(of)e(the)g (program.)-75 1970 y(Ev)o(ery)19 b(ev)o(en)o(t)h Ft(e)g Fs(2)g Ft(E)h Fu(de\014nes)f(a)f(binary)i(relation)g(on)e(the)g(pro-) -75 2012 y(gram's)f(states,)g Ft(X)211 2016 y Fi(e)246 2012 y Fs(\022)g Ft(S)c Fs(\002)d Ft(S)r Fu(,)19 b(suc)o(h)f(that)g (when)g(\()p Ft(s;)5 b(s)778 1996 y Fq(0)789 2012 y Fu(\))19 b Fs(2)e Ft(X)898 2016 y Fi(e)915 2012 y Fu(,)-75 2053 y Ft(s)g Fu(and)h Ft(s)57 2037 y Fq(0)85 2053 y Fu(denote)g(program's)g (states)g(b)q(efore)g(and)g(after)f(the)g(ex-)-75 2095 y(ecution)j(of)f(ev)o(en)o(t)h Ft(e)p Fu(,)f(resp)q(ectiv)o(ely)m(.)38 b(W)m(e)19 b(use)g Fj(domain)o Fu(\()p Ft(e)p Fu(\))g(and)-75 2136 y Fj(range)q Fu(\()p Ft(e)p Fu(\))d(to)g(denote)h(the)f(domain)i (and)f(range)g(of)g(ev)o(en)o(t)f Ft(e)p Fu(,)h(i.e.,)-75 2178 y Fj(domain)o Fu(\()p Ft(e)p Fu(\))h(=)g Fs(f)p Ft(s)h Fu(:)f Fs(9)p Fu(\()p Ft(s;)6 b(s)355 2162 y Fq(0)366 2178 y Fu(\)[\()p Ft(s;)f(s)459 2162 y Fq(0)471 2178 y Fu(\))18 b Fs(2)g Ft(X)580 2182 y Fi(e)596 2178 y Fu(])p Fs(g)g Fu(and)g Fj(range)q Fu(\()p Ft(e)p Fu(\))g(=)-75 2219 y Fs(f)p Ft(s)-38 2203 y Fq(0)-9 2219 y Fu(:)f Fs(9)p Fu(\()p Ft(s;)6 b(s)108 2203 y Fq(0)119 2219 y Fu(\)[\()p Ft(s;)g(s)213 2203 y Fq(0)224 2219 y Fu(\))17 b Fs(2)g Ft(X)331 2223 y Fi(e)348 2219 y Fu(])p Fs(g)p Fu(.)29 b(The)17 b(global)i(transition)g(relation)-75 2261 y(is)d Ft(X)g Fu(=)59 2233 y Fg(W)91 2272 y Fi(e)p Fq(2)p Fi(E)158 2261 y Ft(X)190 2265 y Fi(e)207 2261 y Fu(.)23 b(Note)15 b(that)g(w)o(e)f(use)i(an)f(in)o(terlea)o(ving)j(mo)q(del,)-75 2302 y(where)12 b(eac)o(h)h(transition)h(represen)o(ts)f(execution)h (of)e(a)g(single)i(ev)o(en)o(t,)-75 2344 y(i.e.,)f(only)h(one)f(ev)o (en)o(t)h(can)f(o)q(ccur)h(at)e(a)h(time.)-75 2409 y(See)20 b(Figure)g(2,)g(in)g(whic)o(h)h(w)o(e)d(giv)o(e)i(the)g(represen)o (tation)h(of)e(the)-75 2451 y(safet)o(y)12 b(injection)j(system)d(in)h (our)g(ev)o(en)o(t-action)h(language.)19 b(W)m(e)12 b(do)-75 2492 y(not)k(view)h(this)g(notation)h(as)e(a)h(source)g(language)h({)e (rather,)h(it)g(is)-75 2534 y(a)f(lo)o(w-lev)o(el)i(description)g(of)e (a)g(set)g(of)f(transformations)j(b)q(et)o(w)o(een)-75 2575 y(states.)j(After)13 b(compilation)q(,)k(our)d(analyzer)i(uses)f (these)f(transfor-)-75 2617 y(mations)i(to)f(ev)n(aluate)i(v)n(alidit)o (y)g(of)e(temp)q(oral)h(expressions.)25 b(Note)-75 2658 y(that)10 b(if)g(a)g(v)n(ariable)h Ft(v)g Fu(is)f(not)g(men)o(tioned)i (in)e(the)g(action)h(of)e(an)h(ev)o(en)o(t,)-75 2700 y(then)j(that)h(ev)o(en)o(t)f(do)q(es)h(not)f(c)o(hange)h(its)f(v)n (alue,)h(i.e.,)f Ft(v)735 2684 y Fq(0)757 2700 y Fu(=)d Ft(v)q Fu(.)1025 42 y(Using)16 b(the)f(formal)h(seman)o(tics)h(of)e (SCR)g(requiremen)o(ts)i(sp)q(eci\014ca-)1025 83 y(tions)12 b(giv)o(en)h(in)g([18],)e(an)o(y)i(sp)q(eci\014cation)h(in)f(SCR)f (notation)h(can)g(b)q(e)1025 125 y(automatically)i(con)o(v)o(erted)f (to)f(our)g(ev)o(en)o(t-action)i(language)f({)f(and)1025 166 y(an)o(y)j(theorems)g(w)o(e)g(pro)o(v)o(e)g(v)n(alid)i(in)e(our)h (mo)q(del)g(will)g(b)q(e)f(true)g(for)1025 208 y(the)d(original)i(SCR)f (requiremen)o(ts.)1025 273 y(W)m(e)g(use)h(Bo)q(olean)h(v)n(ariables)h (to)d(enco)q(de)i(unordered)g(en)o(umerated)1025 315 y(SCR)9 b(v)n(ariables.)18 b(Note)8 b(that)i(w)o(e)e(could)j(actually)g (enco)q(de)f Fh(Pressure)1025 356 y Fu(using)15 b(t)o(w)o(o)f(Bo)q (olean)i(v)n(ariables,)h(but)e(for)f(clarit)o(y)i(of)e(presen)o(tation) 1025 398 y(w)o(e)9 b(use)h(four.)16 b(W)m(e)10 b(also)h(de\014ne)g(sev) o(eral)g(form)o(ulas)g(as)f(abbreviations)1025 439 y(of)k(complicated)j (expressions)g({)e(for)g(example,)h(to)f(c)o(hange)h(condi-)1025 481 y(tions,)h(to)e(ev)n(aluate)j(v)o(oting)f(of)e(sensors,)i(etc.)25 b(Note)16 b(that)g(form)o(u-)1025 522 y(las)f Ft(F)5 b(I)s(nj)r(ect)14 b Fu(and)i Ft(F)5 b(D)q(amp)15 b Fu(de\014ne)h(the)f (seman)o(tics)h(of)f(condition)1025 564 y(tables)j(for)e Fh(Inject)f Fu(and)i Fh(Damp)p Fu(,)f(resp)q(ectiv)o(ely;)21 b(similarly)f Ft(F)5 b(O)q(v)q(er)1025 605 y Fu(de\014nes)14 b(the)f(seman)o(tics)h(of)f(the)g(ev)o(en)o(t)g(table)h(for)f Fh(Overridden)o Fu(.)1025 671 y(As)e(in)i(the)g(SCR)f(requiremen)o(ts)i (w)o(e)e(use)g(the)g(One)h(Input)f(Assump-)1025 712 y(tion,)19 b(whic)o(h)g(yields)h(6)e(ev)o(en)o(ts)h(sp)q(ecifying)h(the)e(b)q(eha) o(vior)i(of)e(the)1025 754 y(system.)28 b(A)o(t)16 b(an)o(y)h(time)g (only)h(one)f(of)g(the)g(follo)o(wing)i(can)e(o)q(ccur:)1025 795 y Ft(B)r(l)q(ock)c Fu(or)g Ft(Reset)g Fu(ma)o(y)g(toggle;)h(or)f(v) n(alues)i(of)e Ft(w)q(p)p Fu(1)p Ft(;)6 b(w)q(p)p Fu(2)p Ft(;)g(w)q(p)p Fu(3)13 b(ma)o(y)1025 837 y(c)o(hange)19 b(within)i(a)e(range)g Fs(\006)p Ft(bound)p Fu(.)35 b(\(Note)19 b(ho)o(w)o(ev)o(er)g(that)g(this)1025 878 y(range)d(is)g(not)g(sp)q (eci\014ed)i(in)e(adv)n(ance.\))27 b(Again,)17 b(w)o(e)e(assume)i(that) 1025 920 y(all)d(three)f(pressure)h(readings)h(are)e(up)q(dated)h(at)f (the)g(same)h(time.)1025 986 y(In)e(ev)o(en)o(t)h Ft(e)1191 990 y Fi(T)t(Low)1274 986 y Fu(,)f(v)n(ariables)j Ft(w)q(p)p Fu(1)p Ft(;)6 b(w)q(p)p Fu(2)p Ft(;)g(w)q(p)p Fu(3)13 b(ma)o(y)f(c)o(hange)i(v)n(alues,)1025 1027 y(and)i(this)g(ma)o(y)g (cause)h(a)e(c)o(hange)i(in)g(system)f(state.)25 b(Sp)q(eci\014cally)n (,)1025 1069 y(if)19 b(the)g(previous)j(v)o(oting)e(outcome)g(did)g (not)g(detect)g(a)f(pressure)1025 1110 y(reading)e(of)e Fh(TooLow)f Fu({)h(and)i(no)o(w)f(it)g(do)q(es)g({)g(then)g(the)g(ev)o (en)o(t)g(can)1025 1152 y(\014re,)21 b(causing)h(c)o(hanges)g(in)f (other)f(v)n(ariables)j(to)q(o.)39 b(This)21 b(corre-)1025 1193 y(sp)q(onds)f(to)f(the)g(action)i(of)e(SCR)g(ev)o(en)o(t)g Fh(@T\(CTLow\))p Fu(;)f(as)i(in)g(the)1025 1235 y(original)c(sp)q (eci\014cation,)h(the)d(v)n(alue)h(of)e(the)h(mo)q(de)g(class)h Fh(Pressure)1025 1276 y Fu(c)o(hanges)21 b(from)e Fh(Low)g Fu(to)h Fh(TooLow)p Fu(.)36 b(Ev)o(en)o(ts)20 b Ft(e)1721 1280 y Fi(Low)1796 1276 y Fs(\000)13 b Ft(e)1857 1280 y Fi(T)t(H)r(ig)q(h)1973 1276 y Fu(b)q(e-)1025 1318 y(ha)o(v)o(e)f (similarly)m(,)j(whereas)d Ft(e)1438 1322 y Fi(N)s(oC)r(hang)q(e)1602 1318 y Fu(represen)o(ts)h(the)f(transitions)1025 1359 y(where)d(w)o(ater)f(pressure)i(conditions)i(remain)e(static.)16 b(Finally)m(,)c(ev)o(en)o(t)1025 1401 y Ft(e)1043 1405 y Fi(B)q(lock)q(O)q(r)q(Reset)1253 1401 y Fu(de\014nes)f(the)f(c)o (hanges)h(in)g(the)f(system)g(en)o(tities)i(when)1025 1442 y(one)h(of)g(the)g(v)n(ariables)i Ft(B)r(l)q(ock)e Fu(or)g Ft(Reset)g Fu(c)o(hanges.)1025 1549 y Fv(3.1)55 b(Comp)r(osite)17 b(F)-5 b(orm)n(ulas)1025 1626 y Fu(W)m(e)12 b(no)o(w)f(de\014ne)i(the)f(set)g(of)g Fr(c)n(omp)n(osite)e(formulas)p Fu(,)h(whic)o(h)h(serv)o(e)h(as)1025 1667 y(the)i(basic)h(building)j (blo)q(c)o(ks)d(of)f(our)h(logic.)24 b(Comp)q(osite)17 b(form)o(ulas)1025 1709 y(are)c(de\014ned)h(b)o(y)f(the)g(follo)o(wing) i(grammar:)1085 1775 y Ft(F)73 b Fu(::=)40 b(\()p Ft(F)5 b Fu(\))13 b Fs(j)f Ft(F)i Fs(^)8 b Ft(F)18 b Fs(j)12 b(:)p Ft(F)17 b Fs(j)c Ft(tr)q(ue)g Fs(j)f Ft(f)t(al)q(se)h Fs(j)f Ft(F)1867 1760 y Fi(B)1894 1775 y Fs(j)g Ft(F)1947 1760 y Fi(I)1085 1833 y Ft(F)1115 1817 y Fi(B)1183 1833 y Fu(::=)40 b Fj(b)q(o)q(olv)n(ar)1085 1891 y Ft(F)1115 1875 y Fi(I)1183 1891 y Fu(::=)g Ft(E)1305 1875 y Fi(I)1334 1891 y Fs(\024)11 b Ft(E)1405 1875 y Fi(I)1435 1891 y Fs(j)i(9)p Fj(in)o(tv)n(ar)f Ft(F)1636 1875 y Fi(I)1085 1949 y Ft(E)1115 1933 y Fi(I)1183 1949 y Fu(::=)40 b(\()p Ft(E)1320 1933 y Fi(I)1338 1949 y Fu(\))13 b Fs(j)g Ft(E)1420 1933 y Fi(I)1446 1949 y Fu(+)c Ft(E)1515 1933 y Fi(I)1545 1949 y Fs(j)k Fj(in)o(tv)n(ar)f Fs(j)g Fj(in)o(tcons)1025 2014 y Fu(Here,)h(the)h(terminals)h Fj(b)q(o)q(olv)n(ar)f Fu(and)h Fj(in)o(tv)n(ar)e Fu(represen)o(t)h(Bo)q(olean)1025 2055 y(and)g(in)o(teger)i(v)n(ariables)g(resp)q(ectiv)o(ely)h({)d (while)i(the)e(terminal)i Fj(in)o(t-)1025 2097 y(cons)11 b Fu(denotes)j(an)f(arbitrary)g(in)o(teger)h(constan)o(t.)k(Using)13 b(this)g(base)1025 2138 y(language,)j(w)o(e)f(can)g(easily)h(represen)o (t)g(form)o(ulas)g(including)i Ft(<)p Fu(,)c(=,)1025 2180 y Fs(_)p Fu(,)e Fs(8)p Fu(,)g(as)i(w)o(ell)f(as)h(m)o(ultiplicati) q(on)i(b)o(y)d(a)g(constan)o(t.)1025 2245 y(W)m(e)h(reason)i(ab)q(out)f (a)g(program)g Ft(C)j Fu(b)o(y)d(using)h(the)f(comp)q(osite)h(for-)1025 2287 y(m)o(ulas)11 b(whic)o(h)f(range)h(o)o(v)o(er)f Ft(C)s Fu('s)g(program)h(v)n(ariables.)18 b(W)m(e)10 b(call)h(these)1025 2328 y Ft(C)s Fu('s)i Fj(state-form)o(ulas)p Fu(,)g(or)h Ft(S)r(F)5 b Fu(.)18 b(F)m(or)13 b(example,)i(one)f(of)f (the)g(prop-)1025 2370 y(erties)g(that)g(the)h(safet)o(y)f(injection)h (system)g(should)h(satisfy)f(is:)p Black Black 1101 2445 a(Whenev)o(er)f Fh(Pressure)c Fu(is)j Fh(TooLow)d Fu(then)j(either)g Fh(WP1)p Fu(,)e Fh(WP2)1101 2487 y Ft(<)j Fh(low)p Fu(,)e(or)i Fh(WP1)p Fu(,)f Fh(WP3)f Ft(<)i Fh(low)p Fu(,)e(or)i Fh(WP2)p Fu(,)f Fh(WP3)f Ft(<)i Fh(low)p Fu(.)1025 2563 y(W)m(e)k(can)h(represen)o(t)g(this)h(in)f(our)g(mo)q(del)h(b)o(y)f (asserting)h(that)f(the)1025 2604 y(follo)o(wing)d(form)o(ula)e(should) i(sta)o(y)f(in)o(v)n(arian)o(t)h(o)o(v)o(er)e(all)h(executions:)1139 2667 y Ft(T)5 b(Low)11 b Fs(!)42 b Fu(\()p Ft(w)q(p)p Fu(1)p Ft(;)6 b(w)q(p)p Fu(2)11 b Ft(<)f(l)q(ow)f Fs(_)f Ft(w)q(p)p Fu(1)p Ft(;)e(w)q(p)p Fu(3)11 b Ft(<)g(l)q(ow)1330 2708 y Fs(_)i Ft(w)q(p)p Fu(2)p Ft(;)6 b(w)q(p)p Fu(3)k Ft(<)h(l)q(ow)q Fu(\))p Ft(:)p Black Black eop %%Page: 6 6 6 5 bop Black Black -75 42 a Fu(This)13 b(comp)q(osite)g(form)o(ula)g (uses)g(terms)f(from)f(the)h(safet)o(y)g(injection)-75 83 y(system)h(giv)o(en)i(in)e(Figure)i(2.)-75 149 y(Three)10 b(crucial)i(restrictions)g(are)d(placed)j(on)e(ho)o(w)g(comp)q(osite)h (terms)-75 190 y(can)f(b)q(e)h(used:)16 b(\(1\))10 b(Bo)q(oleans)i (cannot)f(b)q(e)f(co)q(erced)h(to)f(in)o(tegers,)i(and)-75 232 y(used)k(in)g(arithmetic)h(op)q(erations)g(\(i.e.,)e(+)g(and)h Fs(\024)p Fu(\);)g(\(2\))f(lik)o(ewise,)-75 273 y(in)o(teger)h(v)n (ariables)i(cannot)e(b)q(e)f(co)q(erced)h(in)o(to)g(Bo)q(olean)h(v)n (ariables;)-75 315 y(and)j(\(3\))f(the)g(only)i(function)f(sym)o(b)q (ol)h(allo)o(w)o(ed)g(is)f(the)f(additiv)o(e)-75 356 y(op)q(erator.)-75 422 y(The)13 b(imp)q(ortance)j(of)d(\(1\)-\(2\))g (will)i(b)q(e)f(understo)q(o)q(d)h(shortly)m(.)k(Stip-)-75 463 y(ulation)d(\(3\))e(means)h(that)f(the)h(set)f(of)f(closed)j(form)o (ulas)f(is)g(expres-)-75 505 y(siv)o(ely)f(equiv)n(alen)o(t)h(to)d(the) g Fr(Pr)n(esbur)n(ger)f(arithmetic)f Fu({)i(a)h(\014rst-order)-75 546 y(theory)19 b(for)f(whic)o(h)i(v)n(alidit)o(y)h(and)e (satis\014abili)q(t)o(y)i(is)e(decidable)j(in)-75 588 y(\014nite)12 b(time.)17 b(Hence,)12 b(giv)o(en)g(a)f(state)h(form)o (ula)g Ft(f)i Fs(2)c Ft(S)r(F)5 b Fu(,)12 b(and)g(a)f(pro-)-75 629 y(gram)g(state)h Ft(s)f Fu(w)o(e)f(can)i(decide)g(if)g Ft(s)e Fs(j)-6 b Fu(=)10 b Ft(f)15 b Fu({)c(b)o(y)g(simply)j (substituting)-75 671 y(the)f(free)g(v)n(ariables)j(in)e(f)f(b)o(y)h (their)g(v)n(alues)g(in)g Ft(s)p Fu(,)f(and)h(c)o(hec)o(king)h(the)-75 712 y(result)c(with)f(a)g(Presburger)h(decision)h(pro)q(cedure.)17 b(Note)10 b(that)g(while)-75 754 y(the)17 b(w)o(orst-case)f(time)i(b)q (ound)g(can)f(b)q(e)g(prohibitiv)o(e)i(for)e(deciding)-75 795 y(general)h(Presburger)g(form)o(ulas,)g(those)f(that)g(arise)g(in)h (our)f(prob-)-75 837 y(lem)e(domain)h(are)f(relativ)o(ely)i(inexp)q (ensiv)o(e)h(to)c(solv)o(e)i({)e(since)i(they)-75 878 y(t)o(ypically)g(p)q(ossess)f(a)f(small)h(n)o(um)o(b)q(er)f(of)g (constrain)o(ts,)h(and)f(do)g(not)-75 920 y(con)o(tain)j(m)o(ultiple)i (lev)o(els)f(of)d(alternating)k(quan)o(ti\014ers.)28 b(W)m(e)16 b(ha)o(v)o(e)-75 961 y(found)11 b(that)f(the)g(Omega)g (library)h([19,)f(21])f(can)i(easily)g(handle)h(these)-75 1003 y(t)o(yp)q(es)h(of)f(constrain)o(ts,)h(when)g(purely)g(in)o (teger-v)n(alued)i(expressions)-75 1045 y(are)e(in)o(v)o(olv)o(ed.)-75 1156 y Fv(3.2)56 b(T)-5 b(emp)r(oral)16 b(Prop)r(erties)-75 1233 y Fu(W)m(e)d(use)g(four)g(CTL-st)o(yle)g(mo)q(dal)h(op)q(erators)g (as)e(the)h(basis)h(for)f(our)-75 1275 y(temp)q(oral)i(logic)h({)e(the) h(\\quan)o(ti\014ed-next-state")i(op)q(erators)e(\()p Fs(9\015)-75 1316 y Fu(and)j Fs(8\015)p Fu(\),)h(and)f(\\quan)o (ti\014ed-ev)o(en)o(tual)q(i)q(t)o(y")i(op)q(erators)e(\()p Fs(9)p Ff(3)f Fu(and)-75 1358 y Fs(8)p Ff(3)p Fu(\).)23 b(Th)o(us,)16 b(the)f(logic)j(w)o(e)c(use)i(to)g(reason)g(ab)q(out)g(a) g(program)g(is)-75 1399 y(generated)e(o)o(v)o(er)f(the)g(set)87 1481 y Fs(f)p Ft(f)h Fs(2)c Ft(S)r(F)q(;)20 b Fs(9\015)p Ft(;)f Fs(8\015)p Ft(;)h Fs(9)p Ff(3)p Ft(;)e Fs(8)p Ff(3)p Ft(;)f Fs(^)p Ft(;)i Fs(_)p Ft(;)f Fs(:g)p Ft(:)-75 1562 y Fu(As)12 b(usual,)i(quan)o(ti\014ed-in)o(v)n(ari)q(an)o(t)h(op)q (erators)f(can)e(easily)j(b)q(e)d(repre-)-75 1604 y(sen)o(ted)i(as)f Fs(9)p Ff(2)p Ft(f)i Fu(=)10 b Fs(:8)p Ff(3)p Fs(:)p Ft(f)t Fu(,)h(and)i Fs(8)p Ff(2)p Ft(f)i Fu(=)c Fs(:9)p Ff(3)p Fs(:)p Ft(f)t Fu(,)f(resp)q(ectiv)o(ely)m(.)-75 1669 y(The)h(seman)o(tics)i(of)e(a)h(temp)q(oral)h(form)o(ula)f(is)g (de\014ned)h(on)f(the)g(paths)-75 1711 y(of)i(a)f(program's)i (transition)h(system,)e Ft(M)i Fu(=)c(\()p Ft(S;)7 b(I)s(;)e(X)q(;)h(L) p Fu(\).)19 b(A)14 b(path)-75 1752 y(\()p Ft(s)-42 1756 y Fk(0)-25 1752 y Ft(;)6 b(s)10 1756 y Fk(1)27 1752 y Ft(;)g(s)62 1756 y Fk(2)80 1752 y Ft(;)g(:)g(:)g(:)o Fu(\))11 b(is)h(a)f(\(\014nite)i(or)e(in\014nite\))i(sequence)f(of)f (states,)h(suc)o(h)-75 1794 y(that)h(for)f(eac)o(h)h(successiv)o(e)i (pair)f(of)e(states)h(\()p Ft(s)594 1798 y Fi(i)607 1794 y Ft(;)6 b(s)642 1798 y Fi(i)p Fk(+1)694 1794 y Fu(\))k Fs(2)g Ft(X)s Fu(.)17 b(Unlik)o(e)-75 1835 y(Clark)o(e)11 b Fr(et)g(al.)e Fu([14)q(],)h(w)o(e)g(do)h(not)f(require)i(the)f (transition)h(relation)h Ft(X)-75 1877 y Fu(to)g(b)q(e)g(total.)18 b(Rather,)13 b(the)g(seman)o(tics)h(is)g(de\014ned)g(using)h(maximal) -75 1918 y(paths)j([6])e(\(as)h(opp)q(osed)i(to)e(in\014nite)i (paths\).)30 b(A)17 b(maximal)i(path)-75 1960 y(is)e(one)f(whic)o(h)h (is)f(either)h(in\014nite,)i(or)d(it)g(ends)h(with)f(a)g(state)g(that) -75 2001 y(has)d(no)h(successors.)k(The)13 b(seman)o(tics)h(of)f(the)g (temp)q(oral)h(op)q(erators)-75 2043 y(can)g(then)h(b)q(e)f(de\014ned)h (on)f(a)g(program's)g(transition)i(system)e Ft(M)j Fu(=)-75 2084 y(\()p Ft(S;)6 b(I)s(;)g(X)q(;)g(L)p Fu(\),)12 b(as)h(sho)o(wn)h (in)g(T)m(able)f(1.)-75 2150 y(If)e(all)j(the)e(initial)i(states)f(of)e (a)h(program)h(satisfy)g(a)f(temp)q(oral)h(prop-)-75 2192 y(ert)o(y)m(,)h(then)g(w)o(e)g(sa)o(y)g(that)g(the)g(program)h (itself)g(satis\014es)h(the)e(prop-)-75 2233 y(ert)o(y)m(.)26 b(F)m(ormally)m(,)18 b(giv)o(en)f(a)f(temp)q(oral)i(form)o(ula)f Ft(f)i Fu(and)e(transition)-75 2275 y(system)10 b Ft(M)15 b Fu(=)c(\()p Ft(S;)6 b(I)s(;)g(X)q(;)f(L)p Fu(\),)10 b Ft(M)15 b Fs(j)-6 b Fu(=)10 b Ft(f)k Fu(if)c(and)g(only)h(if)g Fs(8)p Ft(s)f Fs(2)h Ft(I)s Fu([)p Ft(s)f Fs(j)-6 b Fu(=)9 b Ft(f)t Fu(].)-75 2340 y(Using)k(our)f(temp)q(oral)g(logic,)i(w)o(e)d (can)h(sp)q(ecify)g(the)g(prop)q(ert)o(y)h(of)e(the)-75 2382 y(safet)o(y)i(injection)i(system)e(men)o(tioned)i(ab)q(o)o(v)o(e)f (as)f(follo)o(ws:)7 2462 y Fs(8)p Ff(2)p Fu(\()p Ft(T)5 b(Low)12 b Fs(!)42 b Fu(\()p Ft(w)q(p)p Fu(1)p Ft(;)6 b(w)q(p)p Fu(2)11 b Ft(<)f(l)q(ow)f Fs(_)f Ft(w)q(p)p Fu(1)p Ft(;)e(w)q(p)p Fu(3)11 b Ft(<)f(l)q(ow)263 2504 y Fs(_)i Ft(w)q(p)p Fu(2)p Ft(;)6 b(w)q(p)p Fu(3)11 b Ft(<)g(l)q(ow)q Fu(\)\))p Ft(:)-75 2586 y Fu(Some)i(other)h(prop)q (erties)g(of)f(the)g(system)h(are:)157 2667 y Fs(8)p Ff(2)p Fu(\(\()p Ft(Reset)9 b Fs(^)f(:)p Ft(H)s(ig)q(h)p Fu(\))j Fs(!)g(:)p Ft(O)q(v)q(er)q Fu(\))157 2708 y Fs(8)p Ff(2)p Fu(\(\()p Ft(Reset)e Fs(^)f Ft(T)d(Low)q Fu(\))11 b Fs(!)g Ft(I)s(nj)r(ect)p Fu(\))p Black Black Black 1049 2 951 2 v 1048 41 2 40 v 1074 29 a Fl(s)f Fm(j)-6 b Fn(=)11 b Fl(f)141 b Fn(i\013)49 b Fl(L)p Fn(\()p Fl(s;)6 b(f)t Fn(\))j(=)h Fl(tr)q(ue)p Fn(,)i(where)f Fl(f)j Fm(2)9 b Fl(S)r(F)p 1999 41 V 1049 43 951 2 v 1048 82 2 40 v 1074 70 a(s)h Fm(j)-6 b Fn(=)11 b Fm(:)p Fl(f)117 b Fn(i\013)49 b Fl(s)10 b Fm(6j)-6 b Fn(=)10 b Fl(f)p 1999 82 V 1049 84 951 2 v 1048 123 2 40 v 1074 111 a(s)g Fm(j)-6 b Fn(=)11 b Fl(f)g Fm(^)c Fl(g)82 b Fn(i\013)49 b Fl(s)10 b Fm(j)-6 b Fn(=)10 b Fl(f)16 b Fn(and)10 b Fl(s)g Fm(j)-6 b Fn(=)11 b Fl(g)p 1999 123 V 1049 125 951 2 v 1048 164 2 40 v 1074 153 a(s)f Fm(j)-6 b Fn(=)11 b Fl(f)g Fm(_)c Fl(g)82 b Fn(i\013)49 b Fl(s)10 b Fm(j)-6 b Fn(=)10 b Fl(f)16 b Fn(or)11 b Fl(s)f Fm(j)-6 b Fn(=)10 b Fl(g)p 1999 164 V 1049 166 951 2 v 1048 205 2 40 v 1074 194 a(s)1090 199 y Fk(0)1118 194 y Fm(j)-6 b Fn(=)10 b Fm(8)c(\015)i Fl(f)54 b Fn(i\013)49 b(for)11 b(all)g(maximal)e(paths) h(\()p Fl(s)1753 199 y Fk(0)1771 194 y Fl(;)5 b(s)1802 199 y Fk(1)1820 194 y Fl(;)h(s)1852 199 y Fk(2)1869 194 y Fl(;)g(:)g(:)f(:)p Fn(\),)p 1999 205 V 1048 245 V 1380 233 a(with)11 b(length)f Fm(\025)h Fn(2,)g Fl(s)1661 238 y Fk(1)1688 233 y Fm(j)-6 b Fn(=)10 b Fl(f)p 1999 245 V 1049 247 951 2 v 1048 286 2 40 v 1074 274 a(s)1090 279 y Fk(0)1118 274 y Fm(j)-6 b Fn(=)10 b Fm(9)d(\015)h Fl(f)54 b Fn(i\013)49 b(for)11 b(some)f(maximal)g(path)g(\()p Fl(s)1779 279 y Fk(0)1796 274 y Fl(;)c(s)1828 279 y Fk(1)1845 274 y Fl(;)g(s)1877 279 y Fk(2)1895 274 y Fl(;)f(:)h(:)g(:)p Fn(\),)p 1999 286 V 1048 325 V 1380 314 a(with)11 b(length)f Fm(\025)h Fn(2,)g Fl(s)1661 319 y Fk(1)1688 314 y Fm(j)-6 b Fn(=)10 b Fl(f)p 1999 325 V 1049 327 951 2 v 1048 367 2 40 v 1074 355 a(s)1090 360 y Fk(0)1118 355 y Fm(j)-6 b Fn(=)10 b Fm(8)p Fe(3)p Fl(f)76 b Fn(i\013)49 b(for)11 b(all)g(maximal)e(paths)h(\()p Fl(s)1753 360 y Fk(0)1771 355 y Fl(;)5 b(s)1802 360 y Fk(1)1820 355 y Fl(;)h(s)1852 360 y Fk(2)1869 355 y Fl(;)g(:)g(:)f(:)p Fn(\),)p 1999 367 V 1048 406 V 1380 394 a(there)10 b(exists)h(an)g Fl(i)p Fn(,)g Fl(s)1666 399 y Fi(i)1690 394 y Fm(j)-6 b Fn(=)10 b Fl(f)p 1999 406 V 1049 408 951 2 v 1048 447 2 40 v 1074 435 a(s)1090 440 y Fk(0)1118 435 y Fm(j)-6 b Fn(=)10 b Fm(9)p Fe(3)p Fl(f)77 b Fn(i\013)49 b(for)11 b(some)f(maximal)g(path)g(\()p Fl(s)1779 440 y Fk(0)1796 435 y Fl(;)c(s)1828 440 y Fk(1)1845 435 y Fl(;)g(s)1877 440 y Fk(2)1895 435 y Fl(;)f(:)h(:)g(:)p Fn(\),)p 1999 447 V 1048 487 V 1380 475 a(there)k(exists)h(an)g Fl(i)p Fn(,)g Fl(s)1666 480 y Fi(i)1690 475 y Fm(j)-6 b Fn(=)10 b Fl(f)p 1999 487 V 1049 488 951 2 v Black 1106 601 a Fj(T)l(able)k(1:)20 b(Seman)o(tics)14 b(of)h(T)l(emp)q(oral)f(Op)q (erators.)p Black Black Black Black Black 1031 667 988 2 v 1030 707 2 40 v 1056 695 a Fd(Symbolic)f(Opera)n(tions)p 2018 707 V 1031 708 988 2 v 1030 1068 2 360 v Black Black 1056 777 a Fl(F)g Fm(^)7 b Fl(G)24 b Fn(conjunction)9 b(of)i(Presburger/BDD/)o(Composit)o(e)e(form)o(ulas)1056 817 y Fl(F)k Fm(_)7 b Fl(G)24 b Fn(disjunction)9 b(of)i (Presburger/BDD/Com)o(p)q(o)o(site)d(form)o(ulas)1056 856 y Fm(:)p Fl(F)71 b Fn(negation)10 b(of)h(Presburger/BDD/)o (Composit)o(e)e(form)o(ulas)1056 896 y Fl(F)1083 884 y Fq(\000)p Fk(1)1173 896 y Fn(in)o(v)o(erse)h(of)i(Presburger/BD)o (D/Composi)o(te)d(relation)g(F)1056 935 y Fl(F)c Fn([)p Fl(G)p Fn(])43 b(restrict)10 b(domain)g(of)h(Presburger/BDD/)o(Comp)q (o)o(site)1173 975 y(relation)f Fl(F)17 b Fn(to)11 b (Presburger/BDD/Com)o(p)q(o)o(site)d(form)o(ula)1173 1014 y Fl(G)13 b Fn(and)d(return)g(the)h(range)f(of)h(the)g(result)p 2018 1068 V 1031 1069 988 2 v 1025 1184 a Fj(Figure)27 b(3:)46 b(Sym)o(b)q(olic)26 b(Presburger/BDD/Comp)q(osite)1025 1226 y(Op)q(erations.)p Black 1025 1365 a Fu(whic)o(h)12 b(basically)j(state)d(that)g(the)h(follo)o(wing)h(are)e(in)o(v)n(arian) o(ts)i(of)e(the)1025 1406 y(system:)p Black Black 1101 1496 a(1:)17 b(\()p Fh(Reset)11 b Fu(=)i Fh(On)f Fs(^)g Fh(Pressure)e Fs(6)p Fu(=)i Fh(High)g Fu(\))1232 1537 y Fs(!)h(:)g Fh(Overridde)o(n)1101 1579 y Fu(2:)k(\()p Fh(Reset)11 b Fu(=)i Fh(On)f Fs(^)g Fh(Pressure)e Fu(=)i Fh(TooLow)f Fu(\))1232 1620 y Fs(!)i Fh(Inject)e Fu(=)i Fh(On)1025 1737 y Fv(4)56 b(Sym)n(b)r(olic)16 b(Represen)n(tations)1025 1822 y Fu(Comp)q(osite)e(form)o(ulas)g({)f(and)h(their)g(corresp)q (onding)i(set-theoretic)1025 1863 y(in)o(terpretations)i({)f(giv)o(e)g (us)g(a)f(con)o(v)o(enien)o(t)i(w)o(a)o(y)f(to)f(sym)o(b)q(olicall)q(y) 1025 1905 y(enco)q(de)e(sets)h(of)e(program)i(states.)20 b(W)m(e)14 b(can)h(also)g(use)f(this)h(enco)q(d-)1025 1946 y(ing)10 b(to)f(represen)o(t)h(the)f(program's)h(underlying)i (transition)f(relation.)1025 1988 y(If)16 b(w)o(e)h(assume)g(that)h (all)g(ev)o(en)o(ts)g(are)f(represen)o(table)i(as)e(comp)q(os-)1025 2029 y(ite)d(form)o(ulas)h(\(whic)o(h)g(prev)o(en)o(ts)g(us,)f(for)g (example,)h(from)f(de\014ning)1025 2071 y(m)o(ultiplicati)q(on)f (within)e(a)f(single)i(ev)o(en)o(t\),)f(then)f Ft(X)1758 2075 y Fi(e)1785 2071 y Fu(\(the)g(transition)1025 2112 y(relation)k(of)f(ev)o(en)o(t)g Ft(e)p Fu(\))f(is)i(represen)o(table)g (as)f(a)g(comp)q(osite)h(form)o(ula.)1025 2154 y(This)d(results)h(in)f Fs(j)p Ft(E)r Fs(j)f Fu(form)o(ulas,)i(whic)o(h)g(together)f(sym)o(b)q (olicall)q(y)j(en-)1025 2195 y(co)q(de)f(the)g(transition)i(relation)g Ft(X)s Fu(.)1025 2261 y(Recall)c(that)e(comp)q(osite)i(state-sets)f (and)g(transition)i(relations)f(usu-)1025 2302 y(ally)f(p)q(osses)g(b)q (oth)f(Bo)q(olean)i(and)f(in)o(teger)f(parts)h({)f(whic)o(h)g(w)o(e)g (enco)q(de)1025 2344 y(separately)m(,)15 b(and)f(whose)h(set-theoretic) g(and)f(Bo)q(olean)i(op)q(erations)1025 2385 y(are)h(carried)i(out)g (in)f(a)g(t)o(yp)q(e-sp)q(eci\014c)i(manner.)32 b(Hence,)19 b(w)o(e)e(use)1025 2427 y(sp)q(ecialized)g(pro)q(cedures)e(to)f(\(1\))g (decomp)q(ose)i(sets)e(of)g(states)g(\(and)1025 2468 y(transitions\);)19 b(\(2\))d(pro)q(cess)g(them)g(b)o(y)g(their)h(resp) q(ectiv)o(e)h(libraries;)1025 2510 y(and)13 b(to)g(\(3\))g(assem)o(ble) h(the)f(results,)h(and)g(giv)o(e)g(the)f(righ)o(t)h(seman)o(tic)1025 2551 y(in)o(terpretation)h(to)e(them.)1025 2617 y(In)18 b(carrying)j(out)e(these)g(op)q(erations,)j(the)d(comp)q(osite-mo)q (del)j(li-)1025 2658 y(brary)13 b(in)o(teracts)h(with)f(t)o(w)o(o)f (underlying)k(libraries,)f(whose)e(k)o(ey)g(ex-)1025 2700 y(p)q(orted)k(op)q(erations)h(are)e(de\014ned)i(in)f(Figure)g(3.) 27 b(W)m(e)16 b(refer)g(in)o(ter-)p Black Black eop %%Page: 7 7 7 6 bop Black Black -75 42 a Fu(ested)17 b(readers)g(to)g([19])f(for)h (relev)n(an)o(t)h(bac)o(kground)g(on)f(the)g(Pres-)-75 83 y(burger)c(solv)o(er,)g(and)g(to)f([9,)f(20])h(for)g(details)i(on)e (ho)o(w)g(general)i(BDD)-75 125 y(form)o(ulas)g(are)e(manipulated)k (\(ho)o(w)o(ev)o(er)c(the)h(BDD)g(library)i(w)o(e)d(use)-75 166 y(is)j(our)g(o)o(wn\).)21 b(The)14 b(comp)q(osite)i(library)h(exp)q (orts)e(the)g(same)f(func-)-75 208 y(tions)e(for)f(comp)q(osite)i(form) o(ulas,)f(and)g(these,)g(in)g(turn,)g(are)f(used)h(b)o(y)-75 249 y(the)h(mo)q(del)h(c)o(hec)o(k)o(er's)g(algorithms.)-75 357 y Fv(4.1)56 b(Comp)r(osite)16 b(State)i(Represen)n(tations)-75 434 y Fu(Giv)o(en)e(a)f(system)g Ft(C)i Fu(=)d(\()p Ft(V)r(;)7 b(I)s(;)e(E)r Fu(\),)16 b(w)o(e)e(partition)j(the)e(set)g(of)g(v)n (ari-)-75 480 y(ables)g Ft(V)23 b Fu(in)o(to)15 b(t)o(w)o(o)e(classes)j Ft(V)21 b Fu(=)12 b Ft(V)459 464 y Fi(I)486 480 y Fs([)d Ft(V)552 464 y Fi(B)578 480 y Fu(,)14 b(with)g Ft(V)722 464 y Fi(I)749 480 y Fs(\\)9 b Ft(V)815 464 y Fi(B)853 480 y Fu(=)k Fs(;)p Fu(,)-75 522 y(where)j Ft(V)70 506 y Fi(I)104 522 y Fu(is)g(the)g(set)g(of)g(in)o(teger)h(v)n(ariables)i (and)d Ft(V)725 506 y Fi(B)767 522 y Fu(is)h(the)f(set)-75 563 y(of)f(Bo)q(olean)j(v)n(ariables.)27 b(Constrain)o(ts)17 b(strictly)g(o)o(v)o(er)f(v)n(ariables)i(in)-75 605 y Ft(V)-44 589 y Fi(I)-10 605 y Fu(are)e(enco)q(ded)i(using)g(Presburger) f(form)o(ulas)h({)e(whereas)h(con-)-75 646 y(strain)o(ts)12 b(formed)g(exclusiv)o(ely)i(o)o(v)o(er)d(v)n(ariables)j(in)e Ft(V)690 630 y Fi(B)728 646 y Fu(are)f(enco)q(ded)-75 688 y(using)j(BDDs.)j(\(Curren)o(tly)c(w)o(e)f(treat)g(ordered)h(en)o (umerated)h(t)o(yp)q(es)-75 729 y(as)c(in)o(tegers,)h(and)f(unordered)h (en)o(umerated)g(t)o(yp)q(es)f(as)g(Bo)q(olean)h(v)o(ec-)-75 771 y(tors.\))-75 841 y(Let)h(the)g(Bo)q(olean)h(v)n(ariables)h Ft(V)393 825 y Fi(B)430 841 y Fu(=)d Fs(f)p Ft(v)510 825 y Fi(B)509 848 y Fk(1)536 841 y Ft(;)6 b(:)g(:)g(:)h(;)f(v)642 825 y Fi(B)641 848 y(m)670 841 y Fs(g)p Fu(,)11 b(and)i(the)f(in)o(te-) -75 888 y(ger)j(v)n(ariables)i Ft(V)183 872 y Fi(I)214 888 y Fu(=)d Fs(f)p Ft(v)297 872 y Fi(I)296 894 y Fk(1)315 888 y Ft(;)6 b(:)g(:)g(:)g(;)g(v)420 872 y Fi(I)419 894 y(n)440 888 y Fs(g)p Fu(.)22 b(Consider)16 b(the)f(state)g Ft(s)f Fs(2)f Ft(S)r Fu(,)-75 929 y(suc)o(h)h(that)131 1028 y Ft(s)d Fu(=)f(\()228 982 y Fi(m)220 993 y Fg(^)215 1072 y Fi(j)q Fk(=1)274 1028 y Ft(v)294 1010 y Fi(B)293 1035 y(j)331 1028 y Fu(=)h Ft(s)390 1010 y Fi(B)390 1035 y(j)416 1028 y Fu(\))450 993 y Fg(^)506 1028 y Fu(\()538 982 y Fi(n)526 993 y Fg(^)521 1072 y Fi(j)q Fk(=1)580 1028 y Ft(v)600 1010 y Fi(I)599 1035 y(j)628 1028 y Fu(=)g Ft(s)687 1010 y Fi(I)687 1035 y(j)704 1028 y Fu(\))-75 1151 y(where)16 b(all)h(the)f Ft(s)182 1135 y Fi(B)182 1158 y(j)208 1151 y Fu('s)f(are)h(Bo)q(olean)i(constan)o(ts,)f(and)f (the)g Ft(s)815 1135 y Fi(I)815 1158 y(j)833 1151 y Fu('s)f(are)-75 1200 y(in)o(teger)f(constan)o(ts.)19 b(W)m(e)13 b(use)h(the)f(notation) i Ft(s)p Fs(j)612 1191 y Fc(n)631 1200 y Ft(V)662 1184 y Fi(B)701 1200 y Fu(to)e(denote)h(the)-75 1246 y(restriction)j(of)f Ft(s)f Fu(to)g(the)h(v)n(ariables)i(in)e Ft(V)549 1230 y Fi(B)576 1246 y Fu(;)g(similarly)m(,)j Ft(s)p Fs(j)792 1237 y Fc(n)810 1246 y Ft(V)841 1230 y Fi(I)874 1246 y Fu(de-)-75 1293 y(notes)13 b(the)h(restriction)g(of)f Ft(s)g Fu(to)g Ft(V)428 1277 y Fi(I)445 1293 y Fu(:)32 1392 y Ft(s)p Fs(j)53 1381 y Fc(n)71 1392 y Ft(V)102 1374 y Fi(B)139 1392 y Fu(=)193 1345 y Fi(m)185 1356 y Fg(^)180 1435 y Fi(j)q Fk(=1)239 1392 y Ft(v)259 1374 y Fi(B)258 1398 y(j)296 1392 y Fu(=)d Ft(s)354 1374 y Fi(B)354 1398 y(j)496 1392 y Ft(s)p Fs(j)517 1381 y Fc(n)536 1392 y Ft(V)567 1374 y Fi(I)595 1392 y Fu(=)652 1345 y Fi(n)640 1356 y Fg(^)635 1435 y Fi(j)q Fk(=1)694 1392 y Ft(v)714 1374 y Fi(I)713 1398 y(j)743 1392 y Fu(=)g Ft(s)801 1374 y Fi(I)801 1398 y(j)-75 1514 y Fu(Note)17 b(that)h Ft(s)p Fs(j)131 1505 y Fc(n)150 1514 y Ft(V)181 1499 y Fi(B)224 1514 y Fu(and)h Ft(s)p Fs(j)325 1505 y Fc(n)343 1514 y Ft(V)374 1499 y Fi(I)409 1514 y Fu(implicitl)q(y)i (de\014ne)d(sets)g(of)f(states)-75 1556 y({)j(since)h(the)g(v)n (ariables)h(remo)o(v)o(ed)f(are)f(no)o(w)h(considered)h(\\don't)-75 1598 y(cares.")-75 1663 y(F)m(or)12 b(example,)h(t)o(w)o(o)f(states)g (for)g(the)g(safet)o(y)g(injection)i(system)f(from)-75 1705 y(Figure)h(2)f(are:)-34 1791 y Fl(s)-18 1796 y Fk(1)42 1791 y Fn(=)42 b Fl(w)q(p)p Fn(1)9 b(=)h(950)19 b Fm(^)g Fl(w)q(p)p Fn(2)9 b(=)h(930)19 b Fm(^)7 b Fl(w)q(p)p Fn(3)j(=)g(890)h Fm(^)111 1830 y(:)p Fl(B)r(lock)19 b Fm(^)h(:)p Fl(Reset)f Fm(^)g(:)p Fl(I)s(nj)r(ect)h Fm(^)f(:)p Fl(D)q(amp)11 b Fm(^)111 1870 y(:)p Fl(O)q(v)q(er)d Fm(^)g(:)p Fl(T)d(Low)19 b Fm(^)h Fl(Low)g Fm(^)g(:)p Fl(H)s(ig)q(h)f Fm(^)g(:)p Fl(T)5 b(H)s(ig)q(h)-34 1951 y(s)-18 1956 y Fk(2)42 1951 y Fn(=)42 b Fl(w)q(p)p Fn(1)9 b(=)h(910)19 b Fm(^)g Fl(w)q(p)p Fn(2)9 b(=)h(850)19 b Fm(^)g Fl(w)q(p)p Fn(3)10 b(=)g(930)h Fm(^)111 1990 y Fl(B)r(lock)20 b Fm(^)f(:)p Fl(Reset)h Fm(^)f(:)p Fl(I)s(nj)r(ect)h Fm(^)f(:)p Fl(D)q(amp)11 b Fm(^)111 2030 y(:)p Fl(O)q(v)q(er)20 b Fm(^)f(:)p Fl(T)5 b(Low)20 b Fm(^)f Fl(Low)i Fm(^)e(:)p Fl(H)s(ig)q(h)g Fm(^)g(:)p Fl(T)5 b(H)s(ig)q(h)-75 2134 y Fu(where)17 b(as)h(usual,)h Fs(:)p Ft(v)f Fu(denotes)g Ft(v)h Fu(=)f Ft(f)t(al)q(se)p Fu(,)g(and)g Ft(v)g Fu(means)g Ft(v)h Fu(=)-75 2176 y Ft(tr)q(ue)p Fu(.)d(W)m(e)9 b(partition)j(the)d (set)h(of)f(v)n(ariables)i(for)e(the)h(safet)o(y)f(injection)-75 2217 y(system)k(as)h(follo)o(ws:)-16 2295 y Ft(V)15 2279 y Fi(I)83 2295 y Fu(=)41 b Fs(f)p Ft(w)q(p)p Fu(1)p Ft(;)7 b(w)q(p)p Fu(2)p Ft(;)f(w)q(p)p Fu(3)p Fs(g)-16 2340 y Ft(V)15 2324 y Fi(B)83 2340 y Fu(=)41 b Fs(f)p Ft(B)r(l)q(ock)q(;)6 b(Reset;)g(I)s(nj)r(ect;)f(D)q(amp;)h(O)q(v)q(er)o(;)h(T)e(Low)q(;)154 2382 y(Low)q(;)h(H)s(ig)q(h;)g(T)f(H)s(ig)q(h)p Fs(g)-75 2458 y Fu(where)13 b(t)o(w)o(o)g(example)h(restricted)g(states)f(are:) -2 2521 y Fl(s)14 2526 y Fk(1)31 2521 y Fm(j)33 2512 y Fc(n)52 2521 y Fl(V)81 2509 y Fi(I)148 2521 y Fn(=)42 b Fl(s)233 2526 y Fk(1)251 2521 y Fm(j)253 2512 y Fc(n)272 2521 y Fm(f)p Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)p Fl(;)g(w)q(p)p Fn(3)p Fm(g)148 2560 y Fn(=)42 b Fl(w)q(p)p Fn(1)10 b(=)g(950)j Fm(^)g Fl(w)q(p)p Fn(2)c(=)i(930)h Fm(^)h Fl(w)q(p)p Fn(3)d(=)g(890)-2 2630 y Fl(s)14 2635 y Fk(2)31 2630 y Fm(j)33 2621 y Fc(n)52 2630 y Fl(V)81 2618 y Fi(B)148 2630 y Fn(=)42 b Fl(B)r(lock)15 b Fm(^)e(:)p Fl(Reset)h Fm(^)f(:)p Fl(I)s(nj)r(ect)h Fm(^)f(:)p Fl(D)q(amp)6 b Fm(^)217 2669 y(:)p Fl(O)q(v)q(er)15 b Fm(^)e(:)p Fl(T)5 b(Low)14 b Fm(^)f Fl(Low)i Fm(^)f(:)p Fl(H)s(ig)q(h)5 b Fm(^)217 2709 y(:)p Fl(T)g(H)s(ig)q(h:)1025 107 y Fu(W)m(e)12 b(extend)h(v)n(ariable)i(restriction)f(o)o(v)o(er)f(\(sym)o(b)q(olic\)) h(sets)e(of)h(states)1025 149 y(and)h(relations)i(as)f(follo)o(ws.)21 b(Let)14 b Ft(Q)g Fu(b)q(e)g(a)h(set)f(of)f(states)i(in)g Ft(S)r Fu(,)f(and)1025 190 y(let)f Ft(R)g Fu(b)q(e)g(an)o(y)h(relation) h(o)o(v)o(er)e Ft(S)e Fs(\002)e Ft(S)r Fu(.)17 b(Then)1210 273 y Ft(Q)p Fs(j)1243 262 y Fc(n)1262 273 y Ft(V)1293 255 y Fi(B)1361 252 y Fk(def)1367 273 y Fu(=)1453 238 y Fg(_)1444 317 y Fi(s)p Fq(2)p Fi(Q)1510 273 y Ft(s)p Fs(j)1531 262 y Fc(n)1550 273 y Ft(V)1581 255 y Fi(B)1211 414 y Ft(R)p Fs(j)1243 403 y Fc(n)1262 414 y Ft(V)1293 396 y Fi(B)1361 393 y Fk(def)1367 414 y Fu(=)1482 379 y Fg(_)1444 460 y Fk(\()p Fi(s;s)1495 453 y Fc(0)1506 460 y Fk(\))p Fq(2)p Fi(R)1562 414 y Fu(\()p Ft(s)p Fs(j)1598 403 y Fc(n)1617 414 y Ft(V)1647 396 y Fi(B)1682 414 y Fs(^)8 b Ft(s)1734 396 y Fq(0)1746 414 y Fs(j)1749 403 y Fc(n)1767 414 y Ft(V)1798 396 y Fi(B)1825 414 y Fu(\))1025 536 y(The)k(in)o(teger)h(restrictions,)i Ft(Q)p Fs(j)1472 527 y Fc(n)1491 536 y Ft(V)1522 520 y Fi(I)1552 536 y Fu(and)e Ft(R)p Fs(j)1658 527 y Fc(n)1677 536 y Ft(V)1708 520 y Fi(I)1725 536 y Fu(,)f(are)h(de\014ned)h(simi-)1025 577 y(larly)m(.)1025 643 y(W)m(e)i(use)h(restriction)i(to)d(manipulate) k(comp)q(osite)e(form)o(ulas)f(with)1025 685 y(their)c(suitable)h(t)o (yp)q(e-sp)q(eci\014c)g(functions,)g(as)e(de\014ned)i(in)f(Figure)g(3.) 1025 726 y(T)m(o)f(accomplish)j(this,)f(w)o(e)e(con)o(v)o(ert)h(all)i (comp)q(osite)f(state)f(form)o(ulas)1025 768 y Ft(Q)d Fs(\022)h Ft(S)k Fu(to)e(a)g(t)o(yp)q(e-sp)q(eci\014c)i(disjunctiv)o(e) h(form,)c(as)h(follo)o(ws:)1382 876 y Ft(Q)e Fu(=)1467 823 y Fi(n)1486 829 y Fb(Q)1467 840 y Fg(_)1464 919 y Fi(i)p Fk(=1)1514 876 y Fu(\()p Ft(q)1547 858 y Fi(I)1546 882 y(i)1573 876 y Fs(^)d Ft(q)1625 858 y Fi(B)1624 882 y(i)1652 876 y Fu(\))1025 982 y(where)13 b Ft(n)1159 986 y Fi(Q)1198 982 y Fu(denotes)h(the)f(n)o(um)o(b)q(er)h(of)f (disjuncts)i(needed.)j(By)13 b(de\014-)1025 1023 y(nition,)h(w)o(e)f (ha)o(v)o(e)1177 1096 y Ft(q)1195 1081 y Fi(I)1194 1103 y(i)1213 1096 y Fs(j)1216 1087 y Fc(n)1234 1096 y Ft(V)1265 1081 y Fi(I)1325 1096 y Fu(=)41 b Ft(q)1414 1081 y Fi(I)1413 1103 y(i)1168 1142 y Ft(q)1186 1126 y Fi(I)1185 1149 y(i)1204 1142 y Fs(j)1207 1133 y Fc(n)1226 1142 y Ft(V)1257 1126 y Fi(B)1325 1142 y Fu(=)g Ft(tr)q(ue)1573 1096 y(q)1591 1081 y Fi(B)1590 1103 y(i)1618 1096 y Fs(j)1621 1087 y Fc(n)1639 1096 y Ft(V)1670 1081 y Fi(B)1738 1096 y Fu(=)g Ft(q)1827 1081 y Fi(B)1826 1103 y(i)1581 1142 y Ft(q)1599 1126 y Fi(B)1598 1149 y(i)1626 1142 y Fs(j)1629 1133 y Fc(n)1648 1142 y Ft(V)1679 1126 y Fi(I)1738 1142 y Fu(=)g Ft(tr)q(ue)1365 1205 y(q)1383 1189 y Fi(I)1382 1212 y(i)1410 1205 y Fs(^)8 b Ft(q)1462 1189 y Fi(B)1461 1212 y(i)1505 1205 y Fu(=)17 b(\()p Ft(q)1585 1189 y Fi(I)1584 1212 y(i)1603 1205 y Fs(j)1606 1196 y Fc(n)1625 1205 y Ft(V)1656 1189 y Fi(I)1673 1205 y Fu(\))9 b Fs(^)f Fu(\()p Ft(q)1764 1189 y Fi(B)1763 1212 y(i)1791 1205 y Fs(j)1794 1196 y Fc(n)1813 1205 y Ft(V)1843 1189 y Fi(B)1870 1205 y Fu(\))1025 1276 y(Hence,)k(w)o(e)h(get)1288 1349 y Ft(s)e Fs(2)f Ft(q)1371 1333 y Fi(I)1370 1356 y(i)1450 1349 y Fs(\()-6 b(\))53 b Ft(s)p Fs(j)1594 1340 y Fc(n)1612 1349 y Ft(V)1643 1333 y Fi(I)1672 1349 y Fs(2)10 b Ft(q)1726 1333 y Fi(I)1725 1356 y(i)1288 1394 y Ft(s)h Fs(2)f Ft(q)1371 1378 y Fi(B)1370 1401 y(i)1450 1394 y Fs(\()-6 b(\))53 b Ft(s)p Fs(j)1594 1385 y Fc(n)1612 1394 y Ft(V)1643 1378 y Fi(B)1680 1394 y Fs(2)10 b Ft(q)1734 1378 y Fi(B)1733 1401 y(i)p Black 1976 1371 a Fu(\(1\))p Black 1025 1472 a(These)i(prop)q(erties)h(are)f(satis\014ed)i(b)o(y)e (ha)o(ving)i(the)e Ft(q)1782 1457 y Fi(B)1781 1479 y(i)1809 1472 y Fu('s)g(formed)g(ex-)1025 1514 y(clusiv)o(ely)h(o)o(v)o(er)f(Bo) q(olean)h(v)n(ariables)g(and)f(logical)h(connectiv)o(es,)g(and)1025 1555 y(the)18 b Ft(q)1114 1540 y Fi(I)1113 1562 y(i)1132 1555 y Fu('s)g(con)o(taining)j(in)o(teger)e(v)n(ariables)h(and)f (constan)o(ts,)h(arith-)1025 1597 y(metic)13 b(op)q(erators)h(and)g (inequalitie)q(s)i({)d(as)g(w)o(ell)h(as)f(logical)i(connec-)1025 1638 y(tiv)o(es.)1025 1704 y(Recall)d(that)f(our)g(logic)h(do)q(es)g Fr(not)d Fu(allo)o(w)j(functions)h(\(or)d(predicates\))1025 1746 y(with)g Fr(b)n(oth)f Fu(Bo)q(olean)j(and)f(in)o(teger)g(argumen)o (ts.)17 b(Hence,)11 b(suc)o(h)g(a)f(dis-)1025 1787 y(junctiv)o(e)k (form)g(can)g(b)q(e)g(obtained)i(for)d(an)o(y)h(comp)q(osite)i(term,)d (and)1025 1829 y(in)i(fact)g(there)g(ma)o(y)f(b)q(e)h(man)o(y)h(w)o(a)o (ys)f(of)f(decomp)q(osing)j(a)e(form)o(ula)1025 1870 y Ft(Q)d Fu(in)o(to)i(the)f(v)n(arious)h(disjuncts.)19 b(W)m(e)12 b(are)h(curren)o(tly)i(in)o(v)o(estigating)1025 1912 y(metho)q(ds)e(to)g(\014nd)h(the)f(most)g(e\016cien)o(t)h (represen)o(tation.)1025 2019 y Fv(4.2)55 b(Logical)18 b(Op)r(erations)g(on)g(Comp)r(osite)1152 2077 y(Represen)n(tations)1025 2154 y Fu(Assume)e(that)h(w)o(e)f(ha)o(v)o(e)i(t)o(w)o(o)e(state)h (sets)f Ft(P)22 b Fu(and)17 b Ft(Q)g Fu(represen)o(ted)1025 2195 y(sym)o(b)q(olically)f(as)1194 2303 y Ft(P)f Fu(=)1278 2255 y Fi(n)1297 2261 y Fb(P)1278 2268 y Fg(_)1275 2347 y Fi(i)p Fk(=1)1331 2303 y Ft(p)1350 2286 y Fi(I)1350 2310 y(i)1376 2303 y Fs(^)8 b Ft(p)1429 2286 y Fi(B)1429 2310 y(i)1494 2303 y Fu(and)40 b Ft(Q)11 b Fu(=)1679 2250 y Fi(n)1698 2256 y Fb(Q)1680 2268 y Fg(_)1676 2347 y Fi(i)p Fk(=1)1732 2303 y Ft(q)1750 2286 y Fi(I)1749 2310 y(i)1777 2303 y Fs(^)d Ft(q)1829 2286 y Fi(B)1828 2310 y(i)1025 2417 y Fu(where)i(eac)o(h)h Ft(p)1236 2401 y Fi(B)1236 2424 y(i)1272 2417 y Fu(and)g Ft(q)1362 2401 y Fi(B)1361 2424 y(i)1399 2417 y Fu(is)g(represen)o(ted)h(in)f(a)f(BDD) h(format,)g(while)1025 2458 y(eac)o(h)k Ft(p)1132 2442 y Fi(I)1132 2465 y(i)1164 2458 y Fu(and)h Ft(q)1259 2442 y Fi(I)1258 2465 y(i)1291 2458 y Fu(is)g(represen)o(ted)g(in)f (Presburger)h(form.)22 b(No)o(w)14 b(w)o(e)1025 2500 y(explain)h(ho)o(w)e(to)g(com)o(bine)h Ft(P)k Fu(and)13 b Ft(Q)h Fu(using)g(logical)h(connectiv)o(es.)1025 2565 y(The)d(simplest)j(comp)q(osite)g(op)q(eration)g(is)e(disjunction:)1210 2673 y Ft(P)g Fs(_)8 b Ft(Q)j Fu(=)g(\()1382 2624 y Fi(n)1401 2630 y Fb(P)1382 2638 y Fg(_)1379 2717 y Fi(i)p Fk(=1)1435 2673 y Ft(p)1454 2655 y Fi(I)1454 2680 y(i)1480 2673 y Fs(^)d Ft(p)1533 2655 y Fi(B)1533 2680 y(i)1560 2673 y Fu(\))21 b Fs(_)8 b Fu(\()1648 2620 y Fi(n)1667 2626 y Fb(Q)1649 2638 y Fg(_)1645 2717 y Fi(i)p Fk(=1)1701 2673 y Ft(q)1719 2655 y Fi(I)1718 2680 y(i)1746 2673 y Fs(^)g Ft(q)1798 2655 y Fi(B)1797 2680 y(i)1825 2673 y Fu(\))p Black Black eop %%Page: 8 8 8 7 bop Black Black -75 42 a Fu(Note)14 b(that)g(righ)o(t)h(hand)g (side)g(is)f(in)h(the)f(sym)o(b)q(olic)i(form)e(w)o(e)g(w)o(an)o(t,)-75 83 y(so)e(w)o(e)g(do)h(not)f(ha)o(v)o(e)h(to)f(do)g(an)o(y)h(pro)q (cessing,)h(i.e.,)e(w)o(e)g(just)g(app)q(end)-75 125 y(the)i(t)o(w)o(o)e(disjunction)k(represen)o(tations,)g(whic)o(h)e(is)g (our)g(comp)q(osite)-75 166 y(sym)o(b)q(olic)h(form.)-75 232 y(Conjunction)g(is)e(computationall)q(y)j(more)d(exp)q(ensiv)o(e:) 117 342 y Ft(P)g Fs(^)8 b Ft(Q)j Fu(=)279 289 y Fi(n)298 295 y Fb(P)322 289 y Fi(;n)350 295 y Fb(Q)305 307 y Fg(_)271 386 y Fi(i)p Fk(=1)p Fi(;j)q Fk(=1)383 342 y Fu(\()p Ft(p)417 325 y Fi(I)417 349 y(i)443 342 y Fs(^)d Ft(q)495 325 y Fi(I)494 349 y(j)513 342 y Fu(\))h Fs(^)f Fu(\()p Ft(p)605 325 y Fi(B)605 349 y(i)640 342 y Fs(^)g Ft(q)692 325 y Fi(B)691 349 y(j)719 342 y Fu(\))-75 456 y(Using)13 b(the)e(distributi)q(v)o(e)j(prop)q(erties)g(of)d(Bo)q(olean)j (algebra,)f(w)o(e)e(can)-75 498 y(compute)f(all)h(the)e(p)q(ertinen)o (t)i(disjuncts)g({)e(y)o(et)g(w)o(e)g(ma)o(y)g(end)h(up)g(with)-75 539 y Ft(n)-52 543 y Fi(P)-19 539 y Fs(\002)e Ft(n)42 543 y Fi(Q)80 539 y Fu(disjuncts,)14 b(whic)o(h)f(w)o(e)f(ha)o(v)o(e)h (to)g(compute)g(b)o(y)g(tra)o(v)o(ersing)-75 581 y(the)g(disjunctiv)o (e)i(represen)o(tations)h(of)c Ft(P)18 b Fu(and)c Ft(Q)p Fu(.)-75 647 y(Finally)m(,)h(complemen)o(t)g(is)e(the)g(most)g(exp)q (ensiv)o(e)i(op)q(eration)52 757 y Fs(:)p Ft(Q)c Fu(=)159 722 y Fg(_)213 704 y Fi(n)232 710 y Fb(Q)213 722 y Fg(^)208 801 y Fi(j)q Fk(=1)267 757 y Fs(:)p Ft(q)310 761 y Fi(j)365 757 y Fu(where)25 b Ft(q)505 761 y Fi(j)533 757 y Fu(=)10 b Ft(q)591 739 y Fi(I)590 764 y(j)622 757 y Fu(or)j Ft(q)686 761 y Fi(j)713 757 y Fu(=)e Ft(q)772 739 y Fi(B)771 764 y(j)-75 871 y Fu(Note)k(that)g(w)o(e)f(can)i(arrange)g(the)f(terms)g (in)g(the)g(righ)o(t)h(hand)g(side)-75 913 y(so)11 b(that)h(the)f (result)h(will)h(b)q(e)e(in)h(our)g(sym)o(b)q(olic)h(form.)j (Complemen-)-75 954 y(tation)i(of)e(a)g(set)h Ft(Q)f Fu(with)h Ft(n)348 958 y Fi(Q)391 954 y Fu(disjuncts)h(ma)o(y)m(,)f(in) g(fact,)g(create)f(a)-75 996 y(set)c(with)h(2)90 980 y Fi(n)109 986 y Fb(Q)148 996 y Fu(disjuncts)g(in)g(the)g(w)o(orst)f (case)g({)g(ho)o(w)o(ev)o(er)h(it)f(is)h(v)o(ery)-75 1037 y(lik)o(ely)h(that)f(most)f(of)g(these)g(will)i(b)q(e)e(empt)o(y)m (.)17 b(Hence,)12 b(w)o(e)f(build)k Fs(:)p Ft(Q)-75 1079 y Fu(in)j(an)f(incremen)o(tal)j(manner)d(so)h(that)f(w)o(e)g(try)g(to)g (minimize)i(the)-75 1120 y(n)o(um)o(b)q(er)f(of)f(disjuncts)i (generated.)30 b(W)m(e)17 b(do)h(this)g(b)o(y)f(testing)i(for)-75 1162 y(emptiness)e(on)f(the)f(\015y)m(,)h(while)h(w)o(e)e(are)h (computing)h(the)f(conjunc-)-75 1203 y(tions.)-75 1269 y(During)g(mo)q(del)e(c)o(hec)o(king)i(op)q(erations,)g(the)e(n)o(um)o (b)q(er)g(of)g(disjuncts)-75 1310 y(in)j(a)f(comp)q(osite)h(form)o(ula) g(can)f(easily)i(increase.)28 b(As)15 b(w)o(e)h(sho)o(w)o(ed)-75 1352 y(ab)q(o)o(v)o(e,)c(applying)i(the)d(disjunction)j(op)q(eration)f (is)f(relativ)o(ely)i(c)o(heap)-75 1393 y({)k(y)o(et)h(it)g(can)g (still)h(linearly)h(increase)f(a)e(form)o(ula's)i(complexit)o(y)m(.)-75 1435 y(And)h(this)h(problem)g(gets)f(w)o(orse)g(when)g(applying)i (conjunction)-75 1476 y(\(with)c(quadratic)i(gro)o(wth\))e(and)g(ev)o (en)g(more)g(so)g(with)h(negation)-75 1518 y(\(and)14 b(its)f(w)o(orst-case)g(exp)q(onen)o(tial)j(gro)o(wth\).)h(W)m(e)c (note,)g(ho)o(w)o(ev)o(er,)-75 1560 y(that)18 b(eac)o(h)g(of)g(the)g (constituen)o(t)i(datat)o(yp)q(e)f(libraries)h({)e(b)q(oth)h(for)-75 1601 y(BDDs)f(and)g(for)f(Presburger)h(arithmetic)h({)f(are)f(quite)h (adept)g(at)-75 1643 y(simplifying)h(constrain)o(ts)e(in)f(their)g(o)o (wn)g(formats.)24 b(\(W)m(e)15 b(use)h(sev-)-75 1684 y(eral)e(kno)o(wn)g(algorithms)i(for)e(reducing)h(in)o(teger)g (constrain)o(ts,)g(and)-75 1726 y(for)d(minimizing)j(the)d(complexit)o (y)i(of)d(BDD)i(represen)o(tations\).)18 b(So,)-75 1767 y(for)13 b(comp)q(osite)i(mo)q(dels)g(the)e(c)o(hallenge)j(lies)e(in)h (merging)f(as)g(man)o(y)-75 1809 y(terms)f(as)h(p)q(ossible)h(in)o(to)g (a)e(single-t)o(yp)q(e)i(format,)e(and)h(still)h(retain-)-75 1850 y(ing)f(the)f(seman)o(tics)h(of)e(the)h(original)i(form)o(ula.)j (T)m(o)12 b(do)h(this)h(w)o(e)e(use)-75 1892 y(some)h(simple)i (reduction)g(rules.)j(Giv)o(en)c(a)f(comp)q(osite)h(form)o(ula)210 1969 y Ft(Q)d Fu(=)f(\()p Ft(q)324 1952 y Fi(I)323 1976 y Fk(1)351 1969 y Fs(^)e Ft(q)403 1952 y Fi(B)402 1976 y Fk(1)430 1969 y Fu(\))g Fs(_)g Fu(\()p Ft(q)520 1952 y Fi(I)519 1976 y Fk(2)547 1969 y Fs(^)g Ft(q)599 1952 y Fi(B)598 1976 y Fk(2)626 1969 y Fu(\))-75 2042 y(w)o(e)13 b(ha)o(v)o(e)g(the)g(follo)o(wing)i(prop)q(erties:)260 2118 y Ft(q)278 2102 y Fi(I)277 2125 y Fk(1)307 2118 y Fu(=)10 b Ft(q)365 2102 y Fi(I)364 2125 y Fk(2)425 2118 y Fs(!)42 b Ft(Q)11 b Fu(=)f Ft(q)604 2102 y Fi(I)603 2125 y Fk(1)631 2118 y Fs(^)e Fu(\()p Ft(q)698 2102 y Fi(B)697 2125 y Fk(1)733 2118 y Fs(_)g Ft(q)785 2102 y Fi(B)784 2125 y Fk(2)812 2118 y Fu(\))242 2176 y Ft(q)260 2160 y Fi(B)259 2183 y Fk(1)298 2176 y Fu(=)i Ft(q)356 2160 y Fi(B)355 2183 y Fk(2)425 2176 y Fs(!)42 b Ft(Q)11 b Fu(=)f(\()p Ft(q)619 2160 y Fi(I)618 2183 y Fk(1)646 2176 y Fs(_)e Ft(q)698 2160 y Fi(I)697 2183 y Fk(2)716 2176 y Fu(\))h Fs(^)f Ft(q)792 2160 y Fi(B)791 2183 y Fk(1)23 2234 y Ft(q)41 2218 y Fi(I)40 2240 y Fk(1)70 2234 y Fs(\022)j Ft(q)129 2218 y Fi(I)128 2240 y Fk(2)172 2234 y Fu(and)27 b Ft(q)278 2218 y Fi(I)277 2240 y Fk(1)307 2234 y Fs(\022)10 b Ft(q)365 2218 y Fi(I)364 2240 y Fk(2)425 2234 y Fs(!)42 b Ft(Q)11 b Fu(=)f Ft(q)604 2218 y Fi(I)603 2240 y Fk(2)631 2234 y Fs(^)e Ft(q)683 2218 y Fi(B)682 2240 y Fk(2)-75 2308 y Fu(Note)13 b(that)g(in)g(all)h(three)f(cases)h (w)o(e)e(can)h(reduce)h(the)f(form)o(ula)h(from)-75 2349 y(t)o(w)o(o)g(disjuncts)i(to)e(one.)21 b(Hence,)15 b(to)f(simplify)j(a) d(general)i(comp)q(os-)-75 2391 y(ite)i(form)o(ula)g(w)o(e)e(\(1\))h(c) o(hec)o(k)h(all)g(pairs)g(for)f(the)g(three)h(conditions)-75 2432 y(listed)d(ab)q(o)o(v)o(e,)g(and)f(\(2\))g(merge)g(the)g (appropriate)i(disjuncts)f(when)-75 2474 y(a)e(condition)j(is)d (satis\014ed.)-75 2582 y Fv(4.3)56 b(Comp)r(osite)16 b(T)-5 b(ransitions)-75 2658 y Fu(The)12 b(syn)o(tax)h(of)g(a)f (program's)h(ev)o(en)o(ts)g(can)f(b)q(e)h(written)g(in)g(an)f(arbi-)-75 2700 y(trary)e(w)o(a)o(y)f({)g(as)h(long)h(as)e(it)h(adheres)g(to)g (the)f(rules)i(of)e(our)h(comp)q(osite)1025 42 y(logic.)18 b(Ho)o(w)o(ev)o(er)13 b(when)g(our)g(pre-pro)q(cessor)h(compiles)h(a)d (program,)1025 83 y(its)f(ev)o(en)o(ts)g(get)g(decomp)q(osed)i(in)o(to) f(a)f(disjunctiv)o(e)i(form)e({)f(i.e.,)h(they)1025 125 y(are)g(represen)o(ted)i(exactly)f(lik)o(e)h(comp)q(osite)g(state)f (represen)o(tations.)1025 190 y(In)f(the)g(sequel)h(w)o(e)f(assume)h (that)f(all)h(ev)o(en)o(ts)g(are)f Fr(syntactic)n(al)q(ly)d Fu(rep-)1025 232 y(resen)o(ted)13 b(in)h(disjunctiv)o(e)i(form,)c (since)j(they)e(are)g(ev)o(en)o(tually)j(com-)1025 273 y(piled)h(in)o(to)g(that)f(form.)25 b(Hence,)17 b(for)e(ev)o(ery)i(ev)o (en)o(t)f Ft(e)p Fu(,)g(w)o(e)f(assume)1025 315 y(that)d(w)o(e)g(can)h (write)f Ft(X)1362 319 y Fi(e)1391 315 y Fu(as)h Ft(X)1470 319 y Fi(e)1497 315 y Fu(=)d Ft(X)1572 299 y Fi(I)1569 321 y(e)1597 315 y Fs(\\)d Ft(X)1665 299 y Fi(B)1662 321 y(e)1691 315 y Fu(,)12 b(where)g Ft(X)1859 299 y Fi(I)1856 321 y(e)1889 315 y Fu(is)h(repre-)1025 356 y(sen)o(table)f(as)e(a)h(Presburger)h(form)o(ula)f(on)g(v)n(ariables)i Ft(V)1815 340 y Fi(I)1833 356 y Fu(,)d(and)i(where)1025 398 y Ft(X)1060 382 y Fi(B)1057 404 y(e)1104 398 y Fu(is)20 b(represen)o(table)h(as)e(a)h(BDD)f(form)o(ula)h(on)g(v)n(ariables)h Ft(V)1988 382 y Fi(B)2014 398 y Fu(.)1025 439 y(Then)14 b(w)o(e)g(can)g(sym)o(b)q(olicall)q(y)j(enco)q(de)f(the)e(transition)i (relation)g Ft(X)1025 481 y Fu(as:)1271 526 y Ft(X)e Fu(=)1365 491 y Fg(_)1357 570 y Fi(e)p Fq(2)p Fi(E)1423 526 y Ft(X)1455 530 y Fi(e)1482 526 y Fu(=)1531 491 y Fg(_)1522 570 y Fi(e)p Fq(2)p Fi(E)1582 526 y Fu(\()p Ft(X)1632 508 y Fi(I)1629 533 y(e)1657 526 y Fs(^)9 b Ft(X)1727 508 y Fi(B)1724 533 y(e)1752 526 y Fu(\))p Ft(:)1025 627 y Fu(where,)j(similar)j(to)e(comp)q(osite)i(state)e (represen)o(tations)i(w)o(e)e(ha)o(v)o(e)1160 713 y Ft(X)1195 697 y Fi(I)1192 720 y(e)1213 713 y Fs(j)1216 704 y Fc(n)1234 713 y Ft(V)1265 697 y Fi(I)1325 713 y Fu(=)41 b Ft(X)1431 697 y Fi(I)1428 720 y(e)1152 758 y Ft(X)1187 743 y Fi(I)1184 765 y(e)1204 758 y Fs(j)1207 749 y Fc(n)1226 758 y Ft(V)1257 743 y Fi(B)1325 758 y Fu(=)g Ft(tr)q(ue)1573 713 y(X)1608 697 y Fi(B)1605 720 y(e)1634 713 y Fs(j)1637 704 y Fc(n)1655 713 y Ft(V)1686 697 y Fi(B)1754 713 y Fu(=)h Ft(X)1861 697 y Fi(B)1858 720 y(e)1581 758 y Ft(X)1616 743 y Fi(B)1613 765 y(e)1642 758 y Fs(j)1645 749 y Fc(n)1664 758 y Ft(V)1695 743 y Fi(I)1754 758 y Fu(=)g Ft(tr)q(ue)1333 822 y(X)1368 806 y Fi(I)1365 828 y(e)1394 822 y Fs(^)8 b Ft(X)1463 806 y Fi(B)1460 828 y(e)1505 822 y Fu(=)17 b Ft(X)1587 806 y Fi(I)1584 828 y(e)1604 822 y Fs(j)1607 813 y Fc(n)1626 822 y Ft(V)1657 806 y Fi(I)1683 822 y Fs(^)8 b Ft(X)1752 806 y Fi(B)1749 828 y(e)1778 822 y Fs(j)1781 813 y Fc(n)1800 822 y Ft(V)1831 806 y Fi(B)1857 822 y Ft(:)1025 908 y Fu(This)i(means)h(that)f(similar)j(to)d(the)g(prop)q(ert)o(y)h(\(1\))f (for)g(the)h(state)f(rep-)1025 949 y(resen)o(tations,)15 b(for)e(all)i(states)e Ft(s)h Fu(and)g Ft(s)1596 933 y Fq(0)1607 949 y Fu(,)f(and)h(transition)i(relations)1025 991 y Ft(X)1057 995 y Fi(e)1086 991 y Fu(w)o(e)c(ha)o(v)o(e:)1127 1073 y(\()p Ft(s)p Fs(j)1163 1064 y Fc(n)1182 1073 y Ft(V)1213 1058 y Fi(I)1230 1073 y Ft(;)6 b(s)1265 1058 y Fq(0)1277 1073 y Fs(j)1280 1064 y Fc(n)1298 1073 y Ft(V)1329 1058 y Fi(I)1347 1073 y Fu(\))11 b Fs(2)f Ft(X)1444 1058 y Fi(I)1441 1080 y(e)1461 1073 y Fs(j)1464 1064 y Fc(n)1483 1073 y Ft(V)1514 1058 y Fi(I)1584 1073 y Fs(\()-6 b(\))52 b Fu(\()p Ft(s;)6 b(s)1774 1058 y Fq(0)1785 1073 y Fu(\))11 b Fs(2)f Ft(X)1882 1058 y Fi(I)1879 1080 y(e)1092 1119 y Fu(\()p Ft(s)p Fs(j)1128 1110 y Fc(n)1147 1119 y Ft(V)1178 1103 y Fi(B)1204 1119 y Ft(;)c(s)1239 1103 y Fq(0)1250 1119 y Fs(j)1253 1110 y Fc(n)1272 1119 y Ft(V)1303 1103 y Fi(B)1330 1119 y Fu(\))k Fs(2)g Ft(X)1426 1103 y Fi(B)1423 1125 y(e)1452 1119 y Fs(j)1455 1110 y Fc(n)1474 1119 y Ft(V)1505 1103 y Fi(B)1584 1119 y Fs(\()-6 b(\))52 b Fu(\()p Ft(s;)6 b(s)1774 1103 y Fq(0)1785 1119 y Fu(\))11 b Fs(2)f Ft(X)1882 1103 y Fi(B)1879 1125 y(e)p Black 1976 1095 a Fu(\(2\))p Black 1025 1227 a(No)o(w)17 b(w)o(e)g(state)g(the)h(fundamen)o(tal)h(prop)q(ert)o(y)g(whic)o(h)f (enables)i(us)1025 1268 y(to)15 b(manipulate)j(in)o(teger)f(and)g(Bo)q (olean)g(parts)f(separately)i(in)e(our)1025 1310 y(mo)q(del)e(c)o(hec)o (k)o(er:)1219 1393 y(\()p Ft(X)1269 1375 y Fi(B)1266 1399 y(e)1303 1393 y Fs(^)9 b Ft(X)1373 1375 y Fi(I)1370 1399 y(e)1390 1393 y Fu(\)[)p Ft(q)1434 1375 y Fi(B)1469 1393 y Fs(^)f Ft(q)1521 1375 y Fi(I)1539 1393 y Fu(])1219 1458 y(=)1340 1423 y Fg(_)1260 1506 y Fi(s)1275 1499 y Fb(B)1299 1506 y Fq(^)p Fi(s)1335 1499 y Fb(I)1351 1506 y Fq(2)p Fi(q)1387 1499 y Fb(B)1411 1506 y Fq(^)p Fi(q)1447 1499 y Fb(I)1464 1458 y Fu(\()p Ft(X)1514 1440 y Fi(B)1511 1465 y(e)1548 1458 y Fs(^)g Ft(X)1617 1440 y Fi(I)1614 1465 y(e)1635 1458 y Fu(\)[)p Ft(s)1679 1440 y Fi(B)1713 1458 y Fs(^)g Ft(s)1765 1440 y Fi(I)1783 1458 y Fu(])p Black 182 w(\(3\))p Black 1219 1571 a(=)1340 1536 y Fg(_)1260 1619 y Fi(s)1275 1612 y Fb(B)1299 1619 y Fq(^)p Fi(s)1335 1612 y Fb(I)1351 1619 y Fq(2)p Fi(q)1387 1612 y Fb(B)1411 1619 y Fq(^)p Fi(q)1447 1612 y Fb(I)1470 1571 y Ft(X)1505 1553 y Fi(B)1502 1578 y(e)1531 1571 y Fu([)p Ft(s)1560 1553 y Fi(B)1594 1571 y Fs(^)h Ft(s)1647 1553 y Fi(I)1664 1571 y Fu(])f Fs(^)g Ft(X)1752 1553 y Fi(I)1749 1578 y(e)1770 1571 y Fu([)p Ft(s)1799 1553 y Fi(B)1833 1571 y Fs(^)g Ft(s)1885 1553 y Fi(I)1903 1571 y Fu(])p Black 62 w(\(4\))p Black 1219 1684 a(=)1340 1648 y Fg(_)1260 1732 y Fi(s)1275 1725 y Fb(B)1299 1732 y Fq(^)p Fi(s)1335 1725 y Fb(I)1351 1732 y Fq(2)p Fi(q)1387 1725 y Fb(B)1411 1732 y Fq(^)p Fi(q)1447 1725 y Fb(I)1470 1684 y Ft(X)1505 1666 y Fi(B)1502 1691 y(e)1531 1684 y Fu([)p Ft(s)1560 1666 y Fi(B)1586 1684 y Fu(])g Fs(^)g Ft(X)1674 1666 y Fi(I)1671 1691 y(e)1692 1684 y Fu([)p Ft(s)1721 1666 y Fi(I)1738 1684 y Fu(])p Black 227 w(\(5\))p Black 1219 1797 a(=)1340 1761 y Fg(_)1260 1845 y Fi(s)1275 1838 y Fb(B)1299 1845 y Fq(2)p Fi(q)1335 1838 y Fb(B)1359 1845 y Fq(^)p Fi(s)1395 1838 y Fb(I)1411 1845 y Fq(2)p Fi(q)1447 1838 y Fb(I)1470 1797 y Ft(X)1505 1779 y Fi(B)1502 1803 y(e)1531 1797 y Fu([)p Ft(s)1560 1779 y Fi(B)1586 1797 y Fu(])g Fs(^)g Ft(X)1674 1779 y Fi(I)1671 1803 y(e)1692 1797 y Fu([)p Ft(s)1721 1779 y Fi(I)1738 1797 y Fu(])p Black 227 w(\(6\))p Black 1219 1910 a(=)1288 1874 y Fg(_)1260 1958 y Fi(s)1275 1951 y Fb(B)1299 1958 y Fq(2)p Fi(q)1335 1951 y Fb(B)1359 1910 y Fu(\()1395 1874 y Fg(_)1374 1958 y Fi(s)1389 1951 y Fb(I)1405 1958 y Fq(2)p Fi(q)1441 1951 y Fb(I)1464 1910 y Ft(X)1499 1892 y Fi(B)1496 1916 y(e)1525 1910 y Fu([)p Ft(s)1554 1892 y Fi(B)1580 1910 y Fu(])g Fs(^)g Ft(X)1668 1892 y Fi(I)1665 1916 y(e)1686 1910 y Fu([)p Ft(s)1715 1892 y Fi(I)1732 1910 y Fu(]\))p Black 218 w(\(7\))p Black 1219 2023 a(=)j(\()1303 1987 y Fg(_)1275 2071 y Fi(s)1290 2064 y Fb(B)1314 2071 y Fq(2)p Fi(q)1350 2064 y Fb(B)1380 2023 y Ft(X)1415 2005 y Fi(B)1412 2029 y(e)1441 2023 y Fu([)p Ft(s)1470 2005 y Fi(B)1496 2023 y Fu(]\))d Fs(^)h Fu(\()1600 1987 y Fg(_)1580 2071 y Fi(s)1595 2064 y Fb(I)1611 2071 y Fq(2)p Fi(q)1647 2064 y Fb(I)1670 2023 y Ft(X)1705 2005 y Fi(I)1702 2029 y(e)1722 2023 y Fu([)p Ft(s)1751 2005 y Fi(I)1768 2023 y Fu(]\))p Black 182 w(\(8\))p Black 1219 2131 a(=)i Ft(X)1295 2113 y Fi(B)1292 2138 y(e)1321 2131 y Fu([)p Ft(q)1350 2113 y Fi(B)1376 2131 y Fu(])d Fs(^)g Ft(X)1464 2113 y Fi(I)1461 2138 y(e)1482 2131 y Fu([)p Ft(q)1511 2113 y Fi(I)1528 2131 y Fu(])p Black 437 w(\(9\))p Black 1025 2214 a(Step)j(\(3\))f(follo)o(ws)i(from) e(the)h(de\014nition)j(of)c(relational)k(function)e(ap-)1025 2261 y(plication.)19 b(Step)11 b(\(4\))g(holds)i(b)q(ecause)f(of)f(the) h(fact)e(that)i Ft(s)1861 2245 y Fi(B)1892 2261 y Fs(^)5 b Ft(s)1941 2245 y Fi(I)1969 2261 y Fu(is)12 b(a)1025 2302 y(single)g(state;)f(hence)g(this)g(is)g(just)f(conjuncting)i(t)o (w)o(o)e(functions)i(on)f(a)1025 2344 y(single)k(elemen)o(t.)k(Steps)14 b(\(5\))f(and)h(\(6\))f(follo)o(w)i(from)e(prop)q(erties)i(\(2\))1025 2385 y(and)e(\(1\),)g(resp)q(ectiv)o(ely)m(.)20 b(Step)14 b(\(8\))f(basically)k(pushes)d(through)h(the)1025 2427 y(existen)o(tial)f(quan)o(ti\014cation)i(for)c(b)q(oth)h(the)f(Bo)q (olean)i(and)f(the)f(in)o(te-)1025 2468 y(ger)f(parts.)16 b(This)c(is)g(sound)g(since)h(w)o(e)d(kno)o(w)i(that)f Ft(X)1793 2452 y Fi(B)1790 2475 y(e)1830 2468 y Fu(is)h(a)f(form)o(ula) 1025 2510 y(constructed)18 b(only)h(on)f(Bo)q(olean)h(v)n(ariables,)i (and)d(the)g(analogous)1025 2551 y(prop)q(ert)o(y)13 b(holds)i(for)e Ft(X)1376 2535 y Fi(I)1373 2558 y(e)1393 2551 y Fu(.)1025 2617 y(This)j(prop)q(ert)o(y)g(basically)j(states)d (that)g(the)f(image)i(computation)1025 2658 y(for)11 b(the)i(in)o(teger)g(and)g(Bo)q(olean)g(parts)g(are)f(orthogonal,)i (and)f(hence)1025 2700 y(they)g(can)g(b)q(e)h(computed)g(separately)m (.)p Black Black eop %%Page: 9 9 9 8 bop Black Black Black Black Black 4 2 844 2 v 3 43 2 42 v 54 31 a Ft(f)15 b Fs(2)10 b Ft(S)r(F)101 b Fu(:)8 b Fa(Return)p Fu(\()p Ft(f)t Fu(\))p 846 43 V 3 85 V 54 72 a Ft(f)15 b Fu(=)10 b Fs(:)p Ft(f)173 76 y Fk(1)275 72 y Fu(:)e Fa(Return)p Fu(\()p Fs(:)p Ft(f)495 76 y Fk(1)511 72 y Fu(\))p 846 85 V 3 126 V 54 114 a Ft(f)15 b Fu(=)10 b Ft(f)147 118 y Fk(1)173 114 y Fs(^)e Ft(f)226 118 y Fk(2)275 114 y Fu(:)g Fa(Return)p Fu(\()p Ft(f)469 118 y Fk(1)494 114 y Fs(^)g Ft(f)547 118 y Fk(2)564 114 y Fu(\))p 846 126 V 3 168 V 54 155 a Ft(f)15 b Fu(=)10 b Ft(f)147 159 y Fk(1)173 155 y Fs(_)e Ft(f)226 159 y Fk(2)275 155 y Fu(:)g Fa(Return)p Fu(\()p Ft(f)469 159 y Fk(1)494 155 y Fs(_)g Ft(f)547 159 y Fk(2)564 155 y Fu(\))p 846 168 V 3 209 V 54 197 a Ft(f)15 b Fu(=)10 b Fs(9)f(\015)g Ft(f)224 201 y Fk(1)275 197 y Fu(:)f Fa(Return)p Fu(\()p Fj(pre)p Fu(\()p Ft(f)547 201 y Fk(1)564 197 y Fu(\)\))p 846 209 V 3 251 V 54 238 a Ft(f)15 b Fu(=)10 b Fs(8)f(\015)g Ft(f)224 242 y Fk(1)275 238 y Fu(:)f Fa(Return)p Fu(\()p Fs(:)p Fj(pre)o Fu(\()p Fs(:)p Ft(f)598 242 y Fk(1)615 238 y Fu(\)\))p 846 251 V 3 292 V 54 280 a Ft(f)15 b Fu(=)10 b Fs(9)p Ff(3)p Ft(f)199 284 y Fk(1)275 280 y Fu(:)e Ft(Q)324 284 y Fk(0)352 280 y Fu(=)i Ft(f)411 284 y Fk(1)p 846 292 V 3 334 V 294 321 a Ft(Q)324 325 y Fi(i)p Fk(+1)386 321 y Fu(=)h Ft(Q)457 325 y Fi(i)479 321 y Fs(_)d Fj(pre)p Fu(\()p Ft(Q)621 325 y Fi(i)634 321 y Fu(\))p 846 334 V 3 375 V 294 363 a Fa(Return)p Fu(\()p Ft(Q)480 367 y Fi(n)501 363 y Fu(\))13 b(when)g Ft(Q)659 367 y Fi(n)691 363 y Fu(=)e Ft(Q)762 367 y Fi(n)p Fk(+1)p 846 375 V 3 417 V 54 404 a Ft(f)k Fu(=)10 b Fs(8)p Ff(3)p Ft(f)199 408 y Fk(1)275 404 y Fu(:)e Ft(Q)324 408 y Fk(0)352 404 y Fu(=)i Ft(f)411 408 y Fk(1)p 846 417 V 3 458 V 144 446 a Ft(Q)174 450 y Fi(i)p Fk(+1)236 446 y Fu(=)28 b Ft(Q)324 450 y Fi(i)346 446 y Fs(_)8 b Fu(\()p Fj(pre)p Fu(\()p Ft(Q)503 450 y Fi(i)516 446 y Fu(\))h Fs(^)f Fu(\()p Fs(:)p Fj(pre)o Fu(\()p Fs(:)p Ft(Q)748 450 y Fi(i)761 446 y Fu(\)\)\))p 846 458 V 3 500 V 294 487 a Fa(Return)p Fu(\()p Ft(Q)480 491 y Fi(n)501 487 y Fu(\))13 b(when)g Ft(Q)659 491 y Fi(n)691 487 y Fu(=)e Ft(Q)762 491 y Fi(n)p Fk(+1)p 846 500 V 4 501 844 2 v Black 65 615 a Fj(Figure)j(4:)20 b(Comp)q(osite)15 b(Mo)q(del)f(Chec)o(k)o(er.)p Black Black -75 750 a Fv(5)56 b(Comp)r(osite)17 b(Mo)r(del)g(Chec)n(k)n(er) -75 834 y Fu(T)m(o)c(sym)o(b)q(olicall)q(y)j(compute)f(the)e(temp)q (oral)i(op)q(erators,)f(w)o(e)f(de\014ne)-75 875 y(a)h(function)i Fj(pre)d Fu(:)g(2)229 859 y Fi(S)264 875 y Fs(!)g Fu(2)334 859 y Fi(S)357 875 y Fu(,)h(called)i(the)e Fr(pr)n(e)n(c)n(ondition)e (function)p Fu(,)-75 917 y(whic)o(h,)k(giv)o(en)g(a)f(set)g(of)g (states,)g(returns)g(all)i(the)e(states)g(that)g(can)-75 958 y(reac)o(h)j(this)g(set)f(in)h(one)f(step)h(\(i.e.)29 b(after)17 b(execution)i(of)e(a)g(single)-75 1000 y(ev)o(en)o(t\):)72 1096 y Fj(pre)p Fu(\()p Ft(Q)p Fu(\))218 1075 y Fk(def)224 1096 y Fu(=)30 b Fs(f)p Ft(s)11 b Fu(:)f Fs(9)p Ft(s)392 1078 y Fq(0)403 1096 y Fu([)p Ft(s)432 1078 y Fq(0)454 1096 y Fs(2)g Ft(Q)f Fs(^)f Fu(\()p Ft(s;)e(s)631 1078 y Fq(0)642 1096 y Fu(\))k Fs(2)h Ft(X)s Fu(])p Fs(g)p Ft(:)-75 1178 y Fu(Using)g(the)f(sym)o(b)q(olic)i(op)q(erations)g(in)f (Figure)g(3)g(w)o(e)e(ha)o(v)o(e)i Fj(pre)p Fu(\()p Ft(Q)p Fu(\))g(=)-75 1219 y Ft(X)-40 1203 y Fq(\000)p Fk(1)1 1219 y Fu([)p Ft(Q)p Fu(],)16 b(assuming)j(that)d(w)o(e)g(ha)o(v)o(e)h (a)g(sym)o(b)q(olic)h(represen)o(tation)-75 1261 y(for)11 b(the)h(o)o(v)o(erall)h(transition)h(relation)f Ft(X)s Fu(.)j(Moreo)o(v)o(er,)c(w)o(e)f(can)h(sym-)-75 1302 y(b)q(olicall)q(y)j(compute)e Fj(pre)f Fu(with)g(resp)q(ect)h(to)f(our) g(ev)o(en)o(t)h(decomp)q(osi-)-75 1344 y(tion)f(and)f(the)f(sym)o(b)q (olic)j(represen)o(tation)g(of)d Ft(Q)h Fu(=)666 1316 y Fg(W)698 1321 y Fi(n)717 1327 y Fb(Q)698 1354 y Fi(i)p Fk(=1)756 1344 y Ft(q)774 1328 y Fi(I)773 1351 y(i)796 1344 y Fs(^)t Ft(q)844 1328 y Fi(B)843 1351 y(i)870 1344 y Fu(,)f(as)-75 1385 y(follo)o(ws.)20 b(These)14 b(inferences)i(mak)o (e)e(use)g(of)f(the)h(results)h(dev)o(elop)q(ed)-75 1427 y(in)f(the)f(previous)i(section.)7 1546 y Fj(pre)p Fu(\()p Ft(Q)p Fu(\))42 b(=)252 1511 y Fg(_)244 1590 y Fi(e)p Fq(2)p Fi(E)309 1546 y Ft(X)344 1528 y Fq(\000)p Fk(1)341 1553 y Fi(e)385 1546 y Fu([)p Ft(Q)p Fu(])10 b(=)509 1511 y Fg(_)501 1590 y Fi(e)p Fq(2)p Fi(E)566 1546 y Ft(X)601 1528 y Fq(\000)p Fk(1)598 1553 y Fi(e)642 1546 y Fu([)656 1493 y Fi(n)675 1499 y Fb(Q)656 1511 y Fg(_)653 1590 y Fi(i)p Fk(=1)709 1546 y Ft(q)727 1528 y Fi(I)726 1553 y(i)753 1546 y Fs(^)f Ft(q)806 1528 y Fi(B)805 1553 y(i)832 1546 y Fu(])172 1681 y(=)252 1645 y Fg(_)244 1725 y Fi(e)p Fq(2)p Fi(E)312 1628 y(n)331 1634 y Fb(Q)313 1645 y Fg(_)309 1724 y Fi(i)p Fk(=1)365 1681 y Ft(X)400 1663 y Fq(\000)p Fk(1)397 1688 y Fi(e)441 1681 y Fu([)p Ft(q)470 1663 y Fi(I)469 1688 y(i)496 1681 y Fs(^)f Ft(q)548 1663 y Fi(B)547 1688 y(i)575 1681 y Fu(])172 1816 y(=)252 1780 y Fg(_)244 1859 y Fi(e)p Fq(2)p Fi(E)312 1763 y(n)331 1769 y Fb(Q)313 1780 y Fg(_)309 1859 y Fi(i)p Fk(=1)359 1816 y Fu(\(\()p Ft(X)424 1798 y Fi(I)421 1822 y(e)441 1816 y Fu(\))456 1798 y Fq(\000)p Fk(1)506 1816 y Fs(^)g Fu(\()p Ft(X)590 1798 y Fi(B)587 1822 y(e)616 1816 y Fu(\))631 1798 y Fq(\000)p Fk(1)672 1816 y Fu(\)[)p Ft(q)716 1798 y Fi(I)715 1822 y(i)742 1816 y Fs(^)g Ft(q)794 1798 y Fi(B)793 1822 y(i)821 1816 y Fu(])172 1950 y(=)252 1915 y Fg(_)244 1994 y Fi(e)p Fq(2)p Fi(E)312 1897 y(n)331 1903 y Fb(Q)313 1915 y Fg(_)309 1993 y Fi(i)p Fk(=1)359 1950 y Fu(\()p Ft(X)409 1932 y Fi(I)406 1957 y(e)426 1950 y Fu(\))441 1932 y Fq(\000)p Fk(1)482 1950 y Fu([)p Ft(q)511 1932 y Fi(I)510 1957 y(i)529 1950 y Fu(])g Fs(^)g Fu(\()p Ft(X)632 1932 y Fi(B)629 1957 y(e)658 1950 y Fu(\))673 1932 y Fq(\000)p Fk(1)714 1950 y Fu([)p Ft(q)743 1932 y Fi(B)742 1957 y(i)770 1950 y Fu(])-75 2095 y(No)o(w,)14 b(using)i(the)f(function)g Fj(pre)g Fu(and)g(sym)o(b)q(olic)i(op)q (erations)f Fs(^)p Fu(,)e Fs(_)-75 2136 y Fu(and)20 b Fs(:)p Fu(,)g(w)o(e)f(construct)h(a)f(mo)q(del)h(c)o(hec)o(king)h(pro)q (cedure)g(for)e(our)-75 2178 y(temp)q(oral)14 b(logic,)h(as)e(sho)o(wn) h(in)g(Figure)g(4.)j(Giv)o(en)e(a)e(program)h(and)-75 2219 y(a)i(temp)q(oral)i(logic)g(form)o(ula,)g(the)e(mo)q(del)h(c)o (hec)o(k)o(er)g(will)h(\(attempt)-75 2261 y(to\))11 b(sym)o(b)q (olicall)q(y)j(compute)e(the)g(set)f(of)g(program)h(states)g(that)f (sat-)-75 2302 y(isfy)20 b(the)f(input)i(form)o(ula)f({)g(and)g(the)f (pro)q(cedure)i(will)g(yield)g(an)-75 2344 y(exact)15 b(answ)o(er)h(if)f(it)g(con)o(v)o(erges.)24 b(Note)15 b(that)g(this)h(pro)q(cedure)h(is)e(a)-75 2385 y(partial-function,)h (i.e.,)c(it)h(is)g(not)g(guaran)o(teed)h(to)f(terminate.)k(The)-75 2427 y(con)o(v)o(ergence)h(dep)q(ends)g(on)f(the)g(structure)h(of)e (the)h(program)h(and)-75 2468 y(the)e(form)o(ula)h({)e(whic)o(h)i(w)o (as)e(fortunately)j(the)e(case)g(for)f(our)h(SCR)-75 2510 y(requiremen)o(ts)f(sp)q(eci\014cation.)-75 2575 y(Ho)o(w)o(ev)o(er,)k(w)o(e)f(ha)o(v)o(e)h(also)h(dev)o(elop)q(ed)g (some)f(conserv)n(ativ)o(e)h(tec)o(h-)-75 2617 y(niques)f(whic)o(h)e (often)g(w)o(ork)g(when)g(exact)g(results)h(are)f(unobtain-)-75 2658 y(able.)h(F)m(or)11 b(lac)o(k)i(of)e(space)h(w)o(e)g(do)g(not)g (presen)o(t)g(them)g(here;)g(instead)-75 2700 y(the)h(reader)h(is)f (referred)g(to)g([11].)1025 42 y Fv(6)56 b(Exp)r(erim)o(en)n(tal)16 b(Results)1025 125 y Fu(Tw)o(o)d(prop)q(erties)j(of)d(the)i(safet)o(y)f (injection)i(system)e(v)o(eri\014ed)i(in)e([7])1025 166 y(are:)1200 200 y(\(P1\))39 b Fs(8)p Ff(2)p Fu(\(\()p Ft(Reset)8 b Fs(^)g(:)p Ft(H)s(ig)q(h)p Fu(\))j Fs(!)g(:)p Ft(O)q(v)q(er)q Fu(\))1200 241 y(\(P2\))39 b Fs(8)p Ff(2)p Fu(\(\()p Ft(Reset)8 b Fs(^)g Ft(T)d(Low)q Fu(\))11 b Fs(!)g Ft(I)s(nj)r(ect)p Fu(\))1025 298 y(W)m(e)i(v)o(eri\014ed)h (these)g(prop)q(erties)g(on)g(the)f(system)h(mo)q(del)g(presen)o(ted) 1025 340 y(in)k(Figures)h(1)f(and)g(2.)32 b(\(P1\))17 b(and)i(\(P2\))f(required)h(2.71)f(seconds)1025 381 y(and)13 b(2.58)h(seconds,)g(resp)q(ectiv)o(ely)m(,)h(as)e(run)h(on)f(a)g(Sun)h (Ultra.)k(Note)1025 423 y(that,)9 b(our)h(safet)o(y)g(injection)h (system)f(is)g(signi\014can)o(tly)j(more)c(compli-)1025 464 y(cated)h(than)h(that)f(in)h([7];)f(in)i(fact,)e(it)g(mo)q(dels)i (the)e(three-w)o(a)o(y)g(v)o(oting)1025 506 y(sc)o(heme)15 b(as)f(originall)q(y)k(sp)q(eci\014ed)e(in)g([16].)21 b(This)16 b(complicates)h(the)1025 547 y(transition)h(system)e (considerably)n(,)j(since)e(the)f(actions)i(are)e(tak)o(en)1025 589 y(b)o(y)f(a)g(ma)r(jorit)o(y)h(v)o(ote)f(on)h(three)f(di\013eren)o (t)i(readings)f({)f(whic)o(h)h(can)1025 630 y(range)h(o)o(v)o(er)g(the) g(en)o(tire)h(space)g(of)f(in)o(tegers.)30 b(Indeed,)18 b(note)g(that)1025 672 y(the)f(system)h(w)o(e)f(c)o(hec)o(k)g(\(Figure) i(2\))e(is)h(un)o(b)q(ounded)i(in)e(most)f(di-)1025 713 y(mensions,)12 b(since)f(the)g(limit)h(constan)o(ts)g Fs(f)p Ft(min;)6 b(l)q(ow)q(;)f(hig)q(h;)i(toohig)q(h;)1025 755 y(max)p Fs(g)14 b Fu(remain)h(unsp)q(eci\014ed.)23 b(Hence,)14 b(an)o(y)h(prop)q(ert)o(y)g(w)o(e)f(c)o(hec)o(k)g(is)1025 796 y(pro)o(v)o(ed)e(for)g Fr(any)e Fu(concrete)j(v)n(alues,)g(pro)o (vided)h(they)e(satisfy)h(the)f(or-)1025 838 y(dering)k Ft(min)f(<)g(l)q(ow)g(<)g(hig)q(h)h(<)f(toohig)q(h)f(<)h(max)p Fu(.)24 b(One)16 b(cannot)1025 879 y(c)o(hec)o(k)h(suc)o(h)g(a)g (system)g(with)g(a)f(\014nite-state)i(mo)q(del)g(c)o(hec)o(k)o(er)f (lik)o(e)1025 921 y(SMV)c(or)g(SPIN,)f(without)i(using)h(some)e (abstraction)i(tec)o(hniques.)1025 987 y(W)m(e)37 b(also)h(w)o(an)o (ted)g(to)f(determine)i(whether)f(mo)q(de)g(class)1025 1028 y Fh(Pressure)7 b Fu(is)k(a)g(correct)g(abstraction)i(of)d(the)h (w)o(ater)g(pressure)h(read-)1025 1070 y(ings.)17 b(This)10 b(can)h(b)q(e)f(sho)o(wn)h(b)o(y)g(c)o(hec)o(king)g(the)g(follo)o(wing) h(four)e(prop-)1025 1111 y(erties:)1239 1144 y(\(P3\))39 b Fs(8)p Ff(2)p Fu(\()p Ft(C)s(T)5 b(Low)23 b Fs(\()-6 b(\))21 b Ft(T)5 b(Low)q Fu(\))1239 1186 y(\(P4\))39 b Fs(8)p Ff(2)p Fu(\()p Ft(C)s(Low)22 b Fs(\()-6 b(\))22 b Ft(Low)q Fu(\))1239 1227 y(\(P5\))39 b Fs(8)p Ff(2)p Fu(\()p Ft(C)s(H)s(ig)q(h)22 b Fs(\()-6 b(\))22 b Ft(H)s(ig)q(h)p Fu(\))1239 1269 y(\(P6\))39 b Fs(8)p Ff(2)p Fu(\()p Ft(C)s(T)5 b(H)s(ig)q(h)23 b Fs(\()-6 b(\))22 b Ft(T)5 b(H)s(ig)q(h)p Fu(\))1025 1326 y(where)19 b(the)i(v)o(oting)g(tec)o(hnique)h(in)o(tro) q(duces)f(the)g(follo)o(wing)h(con-)1025 1368 y(strain)o(ts:)1048 1457 y Fl(C)r(T)5 b(Low)1225 1438 y Fk(def)1232 1457 y Fn(=)49 b Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)10 b Fl(<)g(low)21 b Fm(_)7 b Fl(w)q(p)p Fn(1)p Fl(;)f(w)q(p)p Fn(3)j Fl(<)h(low)j Fm(_)1308 1497 y Fl(w)q(p)p Fn(2)p Fl(;)5 b(w)q(p)p Fn(3)10 b Fl(<)g(low)1048 1549 y(C)r(Low)1225 1530 y Fk(def)1232 1549 y Fn(=)49 b Fl(low)11 b Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(2)j Fl(<)h(hig)q(h)j Fm(_)1308 1589 y Fl(low)e Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)c(w)q(p)p Fn(3)j Fl(<)h(hig)q(h)j Fm(_)1308 1628 y Fl(low)e Fm(\024)f Fl(w)q(p)p Fn(2)p Fl(;)c(w)q(p)p Fn(3)j Fl(<)h(hig)q(h)1048 1681 y(C)r(H)s(ig)q(h)1225 1661 y Fk(def)1232 1681 y Fn(=)49 b Fl(hig)q(h)11 b Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)10 b Fl(<)g(toohig)q(h)i Fm(_)1308 1720 y Fl(hig)q(h)f Fm(\024)f Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(3)10 b Fl(<)g(toohig)q(h)i Fm(_)1308 1759 y Fl(hig)q(h)f Fm(\024)f Fl(w)q(p)p Fn(2)p Fl(;)5 b(w)q(p)p Fn(3)10 b Fl(<)g(toohig)q(h)1048 1812 y(C)r(T)5 b(H)s(ig)q(h)1225 1793 y Fk(def)1232 1812 y Fn(=)49 b Fl(toohig)q(h)10 b Fm(\024)h Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(2)19 b Fm(_)8 b Fl(toohig)q(h)i Fm(\024)g Fl(w)q(p)p Fn(1)p Fl(;)5 b(w)q(p)p Fn(3)12 b Fm(_)1308 1851 y Fl(toohig)q(h)e Fm(\024)h Fl(w)q(p)p Fn(2)p Fl(;)5 b(w)q(p)p Fn(3)1025 1954 y Fu(The)14 b(mo)q(del)h(c)o(hec)o(k)o(er)g(v) o(eri\014ed)h(these)e(\(P3\)-\(P6\))g(in)h(16.22,)g(35.54,)1025 1995 y(35.39)10 b(and)h(15.94)g(seconds,)g(resp)q(ectiv)o(ely)m(.)19 b(Some)10 b(other)h(prop)q(erties)1025 2037 y(w)o(e)h(tried)i(w)o(ere) 1287 2102 y(\(P7\))38 b Fs(8)p Ff(2)p Fu(\()p Ft(I)s(nj)r(ect)10 b Fs(!)h Ft(T)5 b(Low)q Fu(\))1287 2143 y(\(P8\))38 b Fs(8)p Ff(2)p Fu(\()p Ft(D)q(amp)11 b Fs(!)h Ft(T)5 b(H)s(ig)q(h)p Fu(\))1025 2217 y(whic)o(h)19 b(w)o(ere)f(successfully)j(v)o(eri\014ed) f(in)f(1.52)f(and)i(1.60)e(seconds,)1025 2258 y(resp)q(ectiv)o(ely)m(.) 1025 2368 y Fv(7)56 b(Conclusions)1025 2451 y Fu(W)m(e)9 b(presen)o(ted)i(a)e(comp)q(osite)i(mo)q(del)g(c)o(hec)o(k)o(er)f(whic) o(h)h(com)o(bines)g(the)1025 2492 y(relativ)o(e)k(strengths)g(of)f(t)o (w)o(o)f(di\013eren)o(t)j(sym)o(b)q(olic)g(represen)o(tations:)1025 2534 y(BDDs)e(and)h(Presburger)h(form)o(ulas.)21 b(W)m(e)14 b(applied)j(this)e(tec)o(hnique)1025 2575 y(to)e(a)h(non-trivial)i(SCR) e(requiremen)o(ts)h(sp)q(eci\014cation,)h(whic)o(h)f(con-)1025 2617 y(tains)k(man)o(y)g(b)q(o)q(olean)i(and)e(en)o(umerated)h(v)n (ariables,)i(as)d(w)o(ell)h(as)1025 2658 y(m)o(ultiple)f(un)o(b)q (ounded)h(in)o(tegers.)30 b(In)17 b(situations)j(lik)o(e)e(these,)h (the)1025 2700 y(extra)9 b(o)o(v)o(erhead)i(in)o(v)o(olv)o(ed)h(in)f (pro)q(cessing)g(the)f(comp)q(osite)h(mo)q(del)g(is)p Black Black eop %%Page: 10 10 10 9 bop Black Black -75 42 a Fu(w)o(ell)13 b(w)o(orth)g(the)g(time)g (sp)q(en)o(t.)k(In)c(fact,)f(our)h(\014rst)g(in)o(teger-orien)o(ted)-75 83 y(to)q(ol)j(\(exclusiv)o(ely)i(limited)g(to)d(Presburger)h (constrain)o(ts\))h(quic)o(kly)-75 125 y(ran)d(out)g(of)f(memory)h (when)g(sub)r(jected)h(to)f(this)g(same)g(SCR)g(sp)q(ec-)-75 166 y(i\014cation)20 b({)f(when)f(all)i(the)e(b)q(o)q(oleans)j(w)o(ere) d(mapp)q(ed)h(to)f(in)o(teger)-75 208 y(v)n(ariables.)37 b(On)18 b(the)h(other)g(hand,)i(it)f(w)o(ould)f(b)q(e)g(imp)q(ossibl)q (e)i(to)-75 249 y(v)n(alidate)e(our)e(system)g(mo)q(del)h(in)g(a)f (\014nite-state)h(mo)q(del)g(c)o(hec)o(k)o(er,)-75 291 y(without)h(either)f(b)q(ounding)j(the)d(pressure-reading)i(domains,)g (or)-75 332 y(using)14 b(some)g(other)f(abstraction.)-75 398 y(The)j(SCR)h(example)g(w)o(e)f(selected)i(w)o(as)e(an)g(extended)i (v)o(ersion)g(of)-75 439 y(those)13 b(rep)q(orted)f(in)h([7,)f(16])g (and)g([18],)g(and)g(w)o(e)g(w)o(ere)g(able)h(to)f(c)o(hec)o(k)-75 481 y(v)n(arious)18 b(prop)q(erties)g(of)e(the)h(sp)q(eci\014cation.)30 b(W)m(e)16 b(v)o(eri\014ed)i(sev)o(eral)-75 522 y(of)d(system's)h(in)o (trinsic)i(in)o(v)n(arian)o(ts)g(\(whic)o(h)e(had)g(b)q(een)h (previously)-75 564 y(c)o(hec)o(k)o(ed)e(on)f(abstractions)i(of)e(the)g (mo)q(del\);)h(and)g(w)o(e)f(v)o(eri\014ed)h(sev-)-75 605 y(eral)k(new)g(prop)q(erties)h(as)e(w)o(ell,)j(ha)o(ving)f(to)e(do) h(with)g(additional)-75 647 y(features)c(w)o(e)f(added.)22 b(Ho)o(w)o(ev)o(er,)14 b(w)o(e)g(b)q(eliev)o(e)i(what)f(distinguishes) -75 688 y(our)20 b(results)h(is)f(not)g(necessarily)i(the)e(prop)q (erties)h(themselv)o(es)g({)-75 730 y(but)e(rather,)i(that)e(they)h(w)o (ere)e(pro)o(v)o(ed)i(for)f(un)o(b)q(ounded)i(in)o(teger)-75 771 y(v)n(ariables,)d(o)o(v)o(er)e(an)h(un)o(b)q(ounded)h(state)e (space.)26 b(In)15 b(other)h(w)o(ords,)-75 813 y(the)c(in)o(v)n(arian)o (ts)j(w)o(ere)d(pro)o(v)o(ed)h(as)f Fr(the)n(or)n(ems)f Fu(in)o(trinsic)k(to)d(the)g(basic)-75 854 y(SCR)d(mo)q(del)i(itself,)f (without)g(b)q(eing)h(constrained)g(b)o(y)f(abstractions.)-75 896 y(This)h(is)g(unlik)o(e)h(most)e(previous)i(e\013orts)f(in)o(v)o (olving)i(mo)q(del)f(c)o(hec)o(king)-75 937 y(of)h(requiremen)o(ts)h (sp)q(eci\014cations)q(.)-75 1003 y(W)m(e)g(are)g(extending)i(this)f(w) o(ork)f(in)h(v)n(arious)g(directions.)22 b(First,)15 b(w)o(e)-75 1045 y(plan)j(to)e(include)j(other)e(sym)o(b)q(olic)i (represen)o(tations)g(as)e(w)o(ell,)h(in-)-75 1086 y(cluding)f(real)d (v)n(ariables,)j(queues,)e(and)g(the)f(lik)o(e.)22 b(W)m(e)14 b(b)q(eliev)o(e)i(the)-75 1128 y(decomp)q(osition)g(metho)q(ds)e(w)o(e) e(describ)q(ed)j(here)e(will)h(generalize)h(to)-75 1169 y(these)e(other)h(datat)o(yp)q(es.)-75 1235 y(Also,)25 b(note)e(that)g(the)g(mo)q(del)h(c)o(hec)o(k)o(er)f(presen)o(ted)h(is)f (a)g(semi-)-75 1276 y(decision)13 b(pro)q(cedure,)e(and)g(is)g(not)g (guaran)o(teed)h(to)e(con)o(v)o(erge.)17 b(Ho)o(w-)-75 1318 y(ev)o(er,)11 b(for)f(systems)h(ranging)h(o)o(v)o(er)e(pure)h(in)o (teger)h(domains,)g(w)o(e)e(ha)o(v)o(e)-75 1359 y(already)j(dev)o(elop) q(ed)g(tec)o(hniques)h(whic)o(h)e(mak)o(e)f(automatic)i(conser-)-75 1401 y(v)n(ativ)o(e)g(appro)o(ximations)q(,)h(and)f(are)f(guaran)o (teed)i(to)e(con)o(v)o(erge)h(\(but)-75 1442 y(ma)o(y)d(rep)q(ort)f (false)i(negativ)o(es\).)17 b(W)m(e)9 b(are)h(no)o(w)f(applying)k (these)c(tec)o(h-)-75 1484 y(niques)15 b(to)e(the)g(comp)q(osite)h(mo)q (dels)g(as)g(w)o(ell.)-75 1549 y(Finally)m(,)19 b(w)o(e)c(w)o(ould)i (lik)o(e)h(to)e(test)g(the)g(mo)q(del)h(c)o(hec)o(k)o(er)f(presen)o (ted)-75 1591 y(in)d(this)f(pap)q(er)h(on)f(larger)g(systems,)h(and)f (determine)h(its)f(feasibilit)o(y)-75 1632 y(for)h(c)o(hec)o(king)j (\\industrial-stren)q(gth")h(examples.)j(W)m(e)14 b(think)h(that)-75 1674 y(using)i(v)n(arious)h(abstraction)f(tec)o(hniques)h({)e(in)h (conjunction)h(with)-75 1715 y(some)9 b(h)o(uman-guided)j(in)o (teraction)f({)f(w)o(e)e(should)j(b)q(e)f(able)g(to)f(attac)o(k)-75 1757 y(these)k(signi\014can)o(tl)q(y)j(larger)e(systems.)-75 1877 y Fv(References)p Black -56 1953 a Fu([1])p Black 20 w(R.)j(Alur,)i(C.)d(Courcoub)q(etis,)k(N.)d(Halb)o(w)o(ac)o(hs,)i (T.)d(A.)g(Hen-)5 1994 y(zinger,)g(P)m(.)e(H.)g(Ho,)g(X.)g(Nicollin,)j (A.)d(Oliv)o(ero,)i(J.)d(Sifakis,)k(S.)5 2036 y(Y)m(o)o(vine.)36 b(The)19 b(algorithmic)i(analysis)h(of)d(h)o(ybrid)h(systems.)5 2077 y Fr(The)n(or)n(etic)n(al)12 b(Computer)h(Scienc)n(e)p Fu(,)d(138\(1\):3{34,)j(1995.)p Black -56 2146 a([2])p Black 20 w(R.)h(Alur,)g(T.)f(A.)f(Henzinger,)j(and)f(P)m(.)f(Ho.)19 b(Automatic)14 b(sym-)5 2188 y(b)q(olic)19 b(v)o(eri\014cation)g(of)e (em)o(b)q(edded)h(systems.)29 b Fr(IEEE)17 b(T)m(r)n(ans-)5 2229 y(actions)10 b(on)h(Softwar)n(e)g(Engine)n(ering)p Fu(,)c(22\(3\):181{201,)13 b(Marc)o(h)5 2271 y(1996.)p Black -56 2340 a([3])p Black 20 w(R.)e(J.)f(Anderson,)h(P)m(.)f(Beame,) h(S.)g(Burns,)g(W.)g(Chan,)g(F.)f(Mo)q(d-)5 2382 y(ugno,)i(D.)e (Notkin,)i(and)f(J.)f(D.)h(Reese.)i(Mo)q(del)f(c)o(hec)o(king)g(large)5 2423 y(soft)o(w)o(are)19 b(sp)q(eci\014cations)q(.)38 b(In)19 b Fr(Pr)n(o)n(c)n(e)n(e)n(dings)e(of)h(the)h(F)m(ourth)5 2465 y(A)o(CM)11 b(SIGSOFT)f(symp)n(osium)f(on)g(the)h(F)m(oundation)o (s)d(of)j(Soft-)5 2506 y(war)n(e)k(Engine)n(ering)p Fu(,)c(pages)j (156{166,)h(Octob)q(er)g(1996.)p Black -56 2575 a([4])p Black 20 w(J.)f(M.)g(A)o(tlee,)g(and)h(M.)e(A.)h(Buc)o(kley)m(.)18 b(A)13 b(logic-mo)q(del)j(seman-)5 2617 y(tics)h(for)e(SCR)g(soft)o(w)o (are)h(requiremen)o(ts.)26 b(In)15 b Fr(Pr)n(o)n(c)n(e)n(e)n(dings)e (of)5 2658 y(the)g(1996)e(International)f(Symp)n(osium)h(on)h(Softwar)n (e)g(T)m(esting)5 2700 y(and)h(A)o(nalysis)e(\(ISST)m(A)h('96\))g Fu(pages)h(280-292.)p Black 1044 42 a([5])p Black 20 w(J.)24 b(M.)h(A)o(tlee,)j(and)e(J.)e(Gannon.)54 b(State-Based)26 b(Mo)q(del)1105 83 y(Chec)o(king)13 b(of)e(Ev)o(en)o(t-Driv)o(en)i (System)f(Requiremen)o(ts.)k Fr(IEEE)1105 125 y(T)m(r)n(ansactions)23 b(on)i(Softwar)n(e)g(Engine)n(ering)p Fu(,)h(19\(1\):24{40,)1105 166 y(Jan)o(uary)14 b(1993.)p Black 1044 230 a([6])p Black 20 w(A.)9 b(Arnold.)14 b(Finite)d(transition)i(systems:)j(seman)o (tics)11 b(of)f(com-)1105 272 y(m)o(unicating)15 b(Systems.)j(New)12 b(Jersey)m(,)h(1994,)g(Pren)o(tice)h(Hall.)p Black 1044 336 a([7])p Black 20 w(R.)j(Bharadw)o(a)r(j,)h(and)g(C.)e(Heitmey)o (er.)30 b(V)m(erifying)18 b(SCR)f(re-)1105 377 y(quiremen)o(ts)k(sp)q (eci\014cations)h(using)f(state)e(exploration.)38 b(In)1105 419 y Fr(Pr)n(o)n(c)n(e)n(e)n(dings)9 b(of)j(First)f(A)o(CM)i(SIGPLAN)d (Workshop)g(on)h(A)o(u-)1105 460 y(tomatic)h(A)o(nalysis)f(of)i (Softwar)n(e)p Fu(,)e(Jan)i(1997.)p Black 1044 524 a([8])p Black 20 w(B.)18 b(Boigelot,)j(and)d(P)m(.)g(Go)q(defroid.)33 b(Sym)o(b)q(olic)20 b(v)o(eri\014cation)1105 566 y(of)d(comm)o (unication)j(proto)q(cols)f(with)f(in\014nite)i(state)d(spaces)1105 607 y(using)i(QDDs.)32 b(In)18 b Fr(Pr)n(o)n(c)n(e)n(e)n(dings)d(of)j (the)f(8th)g(Internationa)o(l)1105 649 y(Confer)n(enc)n(e)9 b(on)h(Computer)h(A)o(ide)n(d)e(V)m(eri\014c)n(ation)f(\(CA)l(V)j ('96\))p Fu(.)p Black 1044 713 a([9])p Black 20 w(R.)e(E.)g(Bry)o(an)o (t.)j(Graph-based)f(algorithms)g(for)e(b)q(o)q(olean)j(func-)1105 754 y(tion)k(manipulation.)25 b Fr(IEEE)15 b(T)m(r)n(ansactions)d(on)i (Computers)p Fu(,)1105 796 y(35\(8\):677-691.)p Black 1025 860 a([10])p Black 20 w(R.)f(E.)g(Bry)o(an)o(t)h(,)f(and)g(Y.)g (Chen.)18 b(V)m(eri\014cation)d(of)e(arithmetic)1105 901 y(functions)19 b(with)e(binary)i(momen)o(t)e(diagrams.)31 b(In)17 b Fr(Pr)n(o)n(c)n(e)n(e)n(d-)1105 943 y(ings)c(of)g(the)g(32nd) f(A)o(CM/IEEE)i(Design)e(A)o(utomation)f(Con-)1105 984 y(fer)n(enc)n(e)p Fu(.)g(IEEE)i(Computer)g(So)q(ciet)o(y)h(Press,)f (June)h(1995.)p Black 1025 1048 a([11])p Black 20 w(T.)g(Bultan,)i(R.)f (Gerb)q(er,)g(and)h(W.)e(Pugh.)24 b(Sym)o(b)q(olic)17 b(mo)q(del)1105 1090 y(c)o(hec)o(king)27 b(of)d(in\014nite)k(state)d (systems)g(using)i(Presburger)1105 1131 y(arithmetic.)47 b(In)22 b Fr(Pr)n(o)n(c)n(e)n(e)n(dings)e(of)i(the)f(9th)h (Internationa)o(l)1105 1173 y(Confer)n(enc)n(e)9 b(on)h(Computer)h(A)o (ide)n(d)e(V)m(eri\014c)n(ation)f(\(CA)l(V)j('97\))p Fu(,)1105 1214 y(LNCS)i(1254,)g(pages)h(400{411.)p Black 1025 1278 a([12])p Black 20 w(J.)e(R.)i(Burc)o(h,)f(E.)g(M.)g(Clark)o (e,)h(K.)f(L.)f(McMillan,)k(D.)d(L.)g(Dill,)1105 1320 y(and)d(L.)g(H.)f(Hw)o(ang.)i(Sym)o(b)q(olic)h(mo)q(del)f(c)o(hec)o (king:)17 b(10)1886 1304 y Fk(20)1929 1320 y Fu(states)1105 1361 y(and)h(b)q(ey)o(ond.)32 b(In)17 b Fr(Pr)n(o)n(c.)h(of)f(the)g (5th)g(A)o(nnual)e(IEEE)j(Sym-)1105 1403 y(p)n(osium)c(on)g(L)n(o)n (gic)g(in)h(Computer)f(Scienc)n(e)p Fu(,)e(pages)k(428{439,)1105 1444 y(1990.)p Black 1025 1508 a([13])p Black 20 w(W.)9 b(Chan,)h(R.)f(Anderson,)h(P)m(.)f(Beame,)h(and)g(D.)f(Notkin.)i(Com-) 1105 1550 y(bining)16 b(Constrain)o(t)f(Solving)h(and)e(Sym)o(b)q(olic) i(Mo)q(del)f(Chec)o(k-)1105 1591 y(ing)e(for)f(a)g(Class)g(of)g (Systems)h(with)f(Non-linear)i(Constrain)o(ts.)1105 1633 y(In)i Fr(Pr)n(o)n(c)n(e)n(e)n(dings)e(of)i(the)f(9th)h(Internationa)o (l)e(Confer)n(enc)n(e)g(on)1105 1674 y(Computer)j(A)o(ide)n(d)e(V)m (eri\014c)n(ation)f(\(CA)l(V)j('97\))p Fu(,)f(LNCS)h(1254,)1105 1716 y(pages)d(316{327.)p Black 1025 1780 a([14])p Black 20 w(E.)j(M.)g(Clark)o(e,)h(E.)f(A.)f(Emerson,)j(and)f(A.)e(P)m(.)h (Sistla.)31 b(Au-)1105 1821 y(tomatic)19 b(v)o(eri\014cation)h(of)d (\014nite-state)i(concurren)o(t)g(systems)1105 1863 y(using)c(temp)q (oral)f(logic)h(sp)q(eci\014cations.)20 b Fr(A)o(CM)14 b(T)m(r)n(ansactions)1105 1904 y(on)c(Pr)n(o)n(gr)n(amming)g(L)n (anguages)f(and)h(Systems)p Fu(,)e(8\(2\):244{263,)1105 1946 y(April)14 b(1986.)p Black 1025 2010 a([15])p Black 20 w(E.)f(Clark)o(e,)h(X.)f(Zhao.)20 b(W)m(ord)14 b(lev)o(el)h(sym)o(b) q(olic)h(mo)q(del)f(c)o(hec)o(k-)1105 2051 y(ing:)23 b(A)15 b(new)h(approac)o(h)g(for)g(v)o(erifying)h(arithmetic)g (circuits.)1105 2093 y(T)m(ec)o(hnical)12 b(Rep)q(ort)f(CMU-CS-95-161,) f(Sc)o(ho)q(ol)i(of)e(Computer)1105 2134 y(Science,)k(Carnegie)g (Mellon)h(Univ)o(ersit)o(y)m(,)f(Ma)o(y)g(1995.)p Black 1025 2198 a([16])p Black 20 w(P)m(.)i(J.)h(Courtois)h(and)f(D.)g(L.)g (P)o(arnas.)30 b(Do)q(cumen)o(tation)19 b(for)1105 2240 y(safet)o(y)c(critical)i(soft)o(w)o(are.)23 b(In)15 b Fr(Pr)n(o)n(c)n(e)n(e)n(dings)d(of)j(the)g(15th)f(In-)1105 2281 y(ternational)c(Confer)n(enc)n(e)i(on)g(Softwar)n(e)h(Engine)n (ering)p Fu(,)c(pages)1105 2323 y(315{323,)14 b(Ma)o(y)f(1993.)p Black 1025 2387 a([17])p Black 20 w(P)m(.)f(Go)q(defroid,)i(and)f(D.)f (Long.)17 b(Sym)o(b)q(olic)e(proto)q(col)f(v)o(eri\014ca-)1105 2428 y(tion)e(with)g(queue)g(BDDs.)i(In)e Fr(Pr)n(o)n(c)n(e)n(e)n (dings)d(of)i(the)g(11th)g(Sym-)1105 2470 y(p)n(osium)16 b(on)h(L)n(o)n(gic)g(in)g(Computer)g(Scienc)n(e)p Fu(,)f(198{206,)j (July)1105 2511 y(1996.)p Black 1025 2575 a([18])p Black 20 w(C.)11 b(L.)g(Heitmey)o(er,)i(R.)e(D.)h(Je\013ords,)g(and)h(B.)e (G.)h(Laba)o(w.)j(Au-)1105 2617 y(tomated)f(Consistency)h(Chec)o(king)g (of)e(Requiremen)o(ts)j(Sp)q(eci-)1105 2658 y(\014cations.)24 b Fr(A)o(CM)16 b(T)m(r)n(ansactions)c(on)j(Softwar)n(e)f(Engine)n (ering)1105 2700 y(and)e(Metho)n(dolo)n(gy)p Fu(,)e(5\(3\):231{261,)k (July)f(1996.)p Black Black eop %%Page: 11 11 11 10 bop Black Black Black -75 42 a Fu([19])p Black 20 w(W.)31 b(Kelly)m(,)36 b(V.)30 b(Maslo)o(v,)36 b(W.)30 b(Pugh,)36 b(E.)30 b(Rosser,)35 b(T.)5 83 y(Shp)q(eisman)d(and)e(D.)g (W)m(onnacott.)67 b(The)29 b(Omega)h(Li-)5 125 y(brary)d(\(v)o(ersion)f (1.00\))g(in)o(terface)g(guide.)55 b(Av)n(ailable)28 b(at)5 166 y Ft(<)p Fu(h)o(ttp://www.cs.umd.edu/pro)r(jects/omega)p Ft(>)p Fu(.)p Black -75 224 a([20])p Black 20 w(K.)23 b(L.)f(McMillan.)50 b(Sym)o(b)q(olic)25 b(mo)q(del)g(c)o(hec)o(king.)48 b(Mas-)5 266 y(sac)o(h)o(usetts,)14 b(1993,)f(Klu)o(w)o(er)h(Academic)g (Publishers.)p Black -75 324 a([21])p Black 20 w(W.)k(Pugh.)33 b(The)18 b(Omega)g(test:)26 b(a)18 b(fast)g(and)h(practical)h(in-)5 365 y(teger)15 b(programming)h(algorithm)g(for)d(dep)q(endence)j (analysis.)5 407 y Fr(Communic)n(ations)11 b(of)h(the)g(A)o(CM)p Fu(,)g(8:102{104,)h(August)g(1992.)p Black -75 465 a([22])p Black 20 w(A.)g(Uda)o(y)o(a)g(Shank)n(ar.)19 b(An)13 b(in)o(tro)q(duction)j(to)d(assertional)i(rea-)5 506 y(soning)j(for)e(concurren)o(t)g(systems.)26 b Fr(A)o(CM)17 b(Computing)d(Sur-)5 548 y(veys)p Fu(,)e(25\(3\):225{262,)i(Septem)o(b) q(er)g(1993.)p Black Black eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF