Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 H. Schlingloff, SS2012: SWV 2 Recap: while-Programs whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL - ) whileProg else whileProg | while (FOL - ) whileProg { 1 ||... || n } await (b) ; Variables are over arbitrary (maybe infinite) domains finite-state systems: all variables are on finite domain (e.g. boolean, short, uint8)
Slide 3 H. Schlingloff, SS2012: SWV 2 Semantics of (parallel) while-Programs A state of the program consists of an assignment of values to variables, and a set of program counters (depending on the number of parallel components), syntactically represented by a parallel program SOS-rules for parallel programs if (U,I,V) ⊨ b and ( , V) * (skip,V’), then (await (b) , V) (skip,V’) if ( 1, V) ( 1 ’,V’), then ({ 1 || 2 }, V) ({ 1 ’ || 2 },V’) if ( 2, V) ( 2 ’,V’), then ({ 1 || 2 }, V) ({ 1 || 2 ’},V’) ({skip || skip}, V) (skip,V)
Slide 4 H. Schlingloff, SS2012: SWV 2 Modeling of Computation Concepts Parallel while-programs are just one specific computation paradigm. Choices include Discrete vs. continuous systems Concurrent vs. distributed Shared memory vs. message passing Asynchronous vs. synchronous execution Asynchronous vs. synchronous communication Mutual “simulation” of concepts is possible
Slide 5 H. Schlingloff, SS2012: SWV 2 Some Concrete Formalisms Labelled transition systems recap SOS: program semantics = set of transitions state = (program counter(s), variable valuation) transition = (state, instruction, state) LTS=( , S, , S 0 ) - is a nonempty finite alphabet - S is a nonempty finite set of states - S S is the transition relation - S 0 S is the set of initial states remark: sometimes a pseudo state s 0 S is used instead of S 0 S; sometimes there is only a single initial state s 0 S an LTS is an “automaton without acceptance”
Slide 6 H. Schlingloff, SS2012: SWV 2 Termination and Nontermination For while-programs, nontermination was considered to be an error For reactive systems (e.g., an operating system), termination may be an error LTS’s may or may not terminate – if they do not terminate they describe an infinite computation Termination = reaching a state with no outgoing transitions Nontermination = endless loop “eager” semantics – if there is an enabled transition it must be taken It can be shown that there are infinite computations which cannot be described by a finite LTS Büchi acceptance condition – theory of automata on infinite words
Slide 7 H. Schlingloff, SS2012: SWV 2 Example An LTS for (a+b)((abb) +ab)
Slide 8 H. Schlingloff, SS2012: SWV 2 LTS’s and while-Programs The semantics of a while-program is an LTS Can LTS’s be “simulated” by a while-program? LTS=( , S, , S 0 ) = { state = some s S 0 ; while ( s (state)) state = some s (state); } Remarks this is a template, not a concrete while-program nondeterminism could be simulated by parallelism existential quantifier to be replaced by finite disjunction In which sense is this construction “correct”?
Slide 9 H. Schlingloff, SS2012: SWV 2 Simple state machines E: set of events, C: set of conditions, A: set of actions a simple state machine is an LTS where =2 E C 2 A ; that is, each label (e, c, a) consists of - a set e of input events: the triggers - a condition c: the guard - a set of actions a: the effect of the transition graphically: S S’ e[c]/a
Slide 10 H. Schlingloff, SS2012: SWV 2 Example A state machine (transducer) for ASCII-conversion
Slide 11 H. Schlingloff, SS2012: SWV 2 Example
Slide 12 H. Schlingloff, SS2012: SWV 2 Parallel transition system / state machine T=(T 1,...,T n ) all state sets must be pairwise disjoint Global TS associated with parallel TS: T=( , S, , S 0 ), where = i S=S 1 ... S n S 0 =S 10 ... S n0 ((s 1,...,s n ), a, (s 1 ’,...,s n ’)) iff for all T i, - if a i, then (s i, a, s i ’) i, and - if a i, then s i ’= s i Complexity (size of this construction)? Correctness???