Micromodels of Software Formal Methods in Verification of Computer Systems Jeremy Johnson

Outline Semantic Entailment Model checking Given a set of formulas , is  ⊨  valid  encodes requirements and  as a property that all valid implementations should have Undecidable Model checking Given a formula  and a matching model M determine whether M ⊨l  holds Requirements encoded in model Fixes too many implementation choices

Outline Combination Small scope hypothesis Alloy (alloy.mit.edu) Set of models (bounded size) Negative answer provides counter example Positive answer gives confidence Small scope hypothesis Negative answers tend to occur in small models Alloy (alloy.mit.edu)

Models Let F be a set of functions and P a set of predicates. A model M for (F,P) consists of A non-empty set A [universe] of concrete values For each nullary f  F an element of A = fM For each n-ary f  F a function fM : An  A For each n-ary P  P a subset PM  An

Satisfaction Given a model M for (F,P) and given an environment l : var  A the satisfaction relation M ⊨l  P(t1,…,tn)  (a1,…,an) and M ⊨l  iff (a1,…,an)  RM M ⊨l x  iff M ⊨l [x  a] holds for all a  A M ⊨l x  iff M ⊨l [x  a] holds for some a  A

Satisfaction Given a model M for (F,P) and given an environment l : var  A the satisfaction relation M ⊨l  M ⊨l  iff M ⊨l  does not hold M ⊨l 1  2 iff M ⊨l 1 and M ⊨l 2 holds M ⊨l 1  2 iff M ⊨l 1 or M ⊨l 2 holds M ⊨l 1  2 iff M ⊨l 2 holds whenever M ⊨l 1 holds

Semantic Entailment Let  be a set of formulas (possibly infinite) and  be a formula from predicate calculus  ⊨  holds iff for all models M and lookup tables l, whenever M ⊨l  holds for all  then M ⊨l  holds as well  is satisfiable iff there is some model M and lookup table l such that M ⊨l  holds  is valid iff M ⊨l  holds for all models M and lookup tables l

Example 1 F = {i} and P = {R,F} i a constant function, R binary and F unary predicates Model – A set of states, initial state i, state transitions R, final states F A = {a,b,c} iM = a RM = {(a,a),(a,b),(a,c),(b,c), (c,c)} FM = {b,c}

Example 1 y R(i,y) F(i) x y z (R(x,y)  R(x,z)  y = z ) x y R(x,y)

Software Micromodels Want description M of all compliant implementations Mi of some software system. Given a property  Assertion checking: does  hold in all implementations Mi  M Consistency checking: does  hold in some implementations Mi  M

Alloy (alloy.mit.edu) “Alloy is a language for describing structures and a tool for exploring them. It has been used in a wide range of applications from finding holes in security mechanisms to designing telephone switching networks.” Declarative (language based on logic) Bounded queries Implemented using SAT solver Illustrate by describing concrete models of state machines (example 1) and checking assertion that “final states are not initial states) and consistency there are state machines that contain a non-final state that is deadlocked

Alloy Implementation module AboutStateMachines sig State {} -- simple states sig StateMachine { -- composite state machines A : set State, -- set of states of a state machine i : A, -- initial state of a state machine F : set A, -- set of final states of a state machine R : A -> A -- transition relation of a state machine }

Alloy Implementation -- E.G. assertion checking -- Claim that final states are never initial: false. assert FinalNotInitial { all M : StateMachine | no M.i & M.F } check FinalNotInitial for 3 but 1 StateMachine S0 S1 (F) S2 (I,F) R

Alloy Implementation -- E.G. consistency checking -- Is there a three-state machine with a non-final deadlock? True. pred AGuidedSimulation(M : StateMachine, s : M.A) { no s.(M.R) not s in M.F # M.A = 3 } run AGuidedSimulation for 3 but 1 StateMachine S0 S1 (F) R R S2 (I)

Example 2 F = {alma} and P = {loves} P is a binary predicates, alma constant function Model – A set of states, A = {a,b,c} almaM = a lovesM = {(a,a),(b,a),(c,a)}

Example 2 almaM = a lovesM = {(a,a),(b,a),(c,a)} lovesM’ = {(b,a),(c,b)} Does the model satisfy None of Alma’s lovers’ lovers love her xy (loves(x,alma)  loves(y,x)   loves(y,alma)

Alloy Implementation R module AboutAlma sig Person {} sig SoapOpera { cast : set Person, alma : cast, loves : cast -> cast } assert OfLovers { all S : SoapOpera | all x, y : S.cast | S.alma in x.(S.loves) && x in y.(S.loves) => not S.alma in y.(S.loves) check OfLovers for 2 but 1 SoapOpera Person0 Alma Person1 R

Underspecified System Add the following constaint Fact NoSelfLove { all S : SoapOpera, p : S.cast | not p in p.(S.loves) } No there are no counter examples Increase the number of persons to 3 provides the smallest counter example check OfLovers for 3 but 1 SoapOpera

Exercise Install alloy Go through the tutorial (file system example) Study package dependency example from section 2.7 of the text www.cs.bham.ac.uk/research/projects/lics Look under ancillary materials Note that code is for an older version of alloy and some changes are necessary