CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Bogor-Simulation: Executing (Simulating) Concurrent Systems in Bogor Copyright.

Slides:

Advertisements

Similar presentations

PLEASE CLICK. Once you have logged in you will be greeted with your Home Page See the Administration Section in the lower left The Course Files tab is.

Advertisements

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Introducing BLAST Software Verification John Gallagher CS4117.

Introduction to Flowcharting

Module 20 Troubleshooting Common SQL Server 2008 R2 Administrative Issues.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

Logic Based LSC Consistency Testing Presenter: Anup Niroula.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

DEBUGGERS For CS302 Data Structures Course Slides prepared by TALHA OZ (most of the text is from

(C)opyright 2003 Scott/Jones Publishers Introduction to Flowcharting A Supplement to Starting Out with C++, 4th Edition by Tony Gaddis Scott/Jones Publishers.

1 CSE 142 Lecture Notes Interactive Programs with Scanner Chapter 4 Suggested reading: Suggested self-checks: Section 4.10 #1-4 These lecture.

Programming For Nuclear Engineers Lecture 12 MATLAB (3) 1.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Software Engineering 2003 Jyrki Nummenmaa 1 CASE Tools CASE = Computer-Aided Software Engineering A set of tools to (optimally) assist in each.

Enrolment Services – Class Scheduling Fall 2014 Course Combinations.

1 VeriSoft A Tool for the Automatic Analysis of Concurrent Reactive Software Represents By Miller Ofer.

Ch 101 Chapter 10 Introduction to Batch Files. Ch 102 Overview A batch file is a text file that contains an ordered series of commands.

Foundations of Software Testing Chapter 5: Test Selection, Minimization, and Prioritization for Regression Testing Last update: September 3, 2007 These.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,

Institute e-Austria in Timisoara 1 Author: prep. eng. Calin Jebelean Verification of Communication Protocols using SDL ( )

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Introduction to Eclipse CSC 216 Lecture 3 Ed Gehringer Using (with permission) slides developed by— Dwight Deugo Nesa Matic

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright , Matt Dwyer, John Hatcliff,

Dynamic Analysis of Multithreaded Java Programs Dr. Abhik Roychoudhury National University of Singapore.

Testing and Debugging Version 1.0. All kinds of things can go wrong when you are developing a program. The compiler discovers syntax errors in your code.

1 Debugging: Catching Bugs ( II ) Ying Wu Electrical Engineering & Computer Science Northwestern University EECS 230 Lectures.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,

Conditions. Objectives  Understanding what altering the flow of control does on programs and being able to apply thee to design code  Look at why indentation.

Finding Feasible Counter-examples when Model Checking Abstracted Java Programs Corina S. Pasareanu, Matthew B. Dwyer (Kansas State University) and Willem.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Looping and Counting Lecture 3 Hartmut Kaiser

CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.

CMP-MX21: Lecture 5 Repetitions Steve Hordley. Overview 1. Repetition using the do-while construct 2. Repetition using the while construct 3. Repetition.

CIS 842: Specification and Verification of Reactive Systems Lecture SPIN-Soldiers: Soldiers Case Study Copyright , Matt Dwyer, John Hatcliff,

1 SEEM3460 Tutorial Compiling and Debugging C programs.

Mobile Programming Lecture 3 Debugging. Lecture 2 Review What widget would you use to allow the user to enter o a yes/no value o a range of values from.

CIS 842: Specification and Verification of Reactive Systems Lecture ADM: Course Administration Copyright , Matt Dwyer, John Hatcliff, Robby. The.

1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Software Construction Lecture 19 Software Testing-2.

T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Craps Game Application Introducing Random-Number Generation and Enum.

Lecture 4 Introduction to Promela. Promela and Spin Promela - process meta language G. Holzmann, Bell Labs (Lucent) C-like language + concurrency dyamic.

 Control Flow statements ◦ Selection statements ◦ Iteration statements ◦ Jump statements.

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

CSE 311 Foundations of Computing I Lecture 28 Computability: Other Undecidable Problems Autumn 2011 CSE 3111.

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

Dayu Zhang 9/10/2014 Lab03. Outline Brief Review of the 4 Steps in Hello.cpp Example Understand endl and \n Understand Comment Programming Exercise -

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John.

Banaras Hindu University. A Course on Software Reuse by Design Patterns and Frameworks.

© 2011 Pearson Education, publishing as Addison-Wesley Chapter 1: Computer Systems Presentation slides for Java Software Solutions for AP* Computer Science.

Copyright 2010 by Pearson Education APCS Building Java Programs Chapter 1 Lecture 1-1: Introduction; Basic Java Programs reading:

Debugging and Testing Hussein Suleman March 2007 UCT Department of Computer Science Computer Science 1015F.

The Joy of Breaking Code Testing Logic and Case Selection

CIS 842: Specification and Verification of Reactive Systems

Eclipse Navigation & Usage.

Controlling execution - iteration

Games with Chance Other Search Algorithms

Testing UW CSE 160 Spring 2018.

How to Run a Java Program

Over-Approximating Boolean Programs with Unbounded Thread Creation

Debugging Taken from notes by Dr. Neil Moore

Debugging Taken from notes by Dr. Neil Moore

CMPE212 – Reminders Assignment 2 due today, 7pm.

The Bogor Model Checking Framework

Presentation transcript:

CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Bogor-Simulation: Executing (Simulating) Concurrent Systems in Bogor Copyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

CIS 842: INTRO: Bogor Simulation 2 Objectives Understand how a model-checker’s random simulation and user-guided simulation mode can be applied to explore paths through a system’s computation tree. Be able to apply Bogor in both random simulation mode and user-guided simulation mode.

CIS 842: INTRO: Bogor Simulation 3 Outline Bogor random simulation mode Bogor user-guided simulation mode

CIS 842: INTRO: Bogor Simulation 4 system SumToN { const PARAM { N = 3 }; typealias byte int wrap (0,255); byte x; byte t1; byte t2; thread Thread1() { loc loc0: when x != 0 do { t1 := x; } goto loc1; loc loc1: do { t2 := x; } goto loc2; loc loc2: do { x := t1 + t2; } goto loc0; } SumToN thread Thread2() { loc loc0: when x != 0 do { t1 := x; } goto loc1; loc loc1: do { t2 := x; } goto loc2; loc loc2: do { x := t1 + t2; } goto loc0; } thread Thread0() { loc loc0: do { x := 1; } goto loc1; loc loc1: do { assert (x != PARAM.N); } return; }

CIS 842: INTRO: Bogor Simulation 5 Assessment Even though this is a very small system, it is already tedious for us to try to find a violating trace. Bogor can act as a simulator to help us find a violating trace. Bogor simulates in two ways: random simulation user-guided simulation Same as many other model-checkers (e.g., Spin).bir Bogor (simulation mode) user interaction

CIS 842: INTRO: Bogor Simulation 6 Random Simulation At choice points, Bogor randomly chooses one of the enabled transitions. In a random simulation, Bogor randomly chooses a branch at a choice point.

CIS 842: INTRO: Bogor Simulation 7 Guided Simulation In a guided simulation, Bogor asks the user which transition to take at a choice point. At choice points, Bogor asks user which transition to take.

CIS 842: INTRO: Bogor Simulation 8 For You To Do… Pause the lecture… The computation tree for the SumToN example depicted on earlier slides is five levels deep. Extend the diagram to six levels. Download the file sumton.bir from the examples page. Run Bogor in random simulation mode. Edit sumton.bir and change the assertion to x != 1. Do you understand Bogor’s output? Was Bogor able to find a violating trace? Why/why-not? Edit sumton.bir and change the assertion to x != 3. Run Bogor in random simulation mode several times. Do you understand Spin’s output? Was Bogor able to find a violating trace each time? Edit sumton.bir and change the assertion to x != 5. Using Bogor in guided simulation mode, construct a trace that leads to an assertion violation. Is this the shortest trace that leads to a violation? How can you be sure? Edit sumton.bir and change the assertion to x != 7. Using Bogor in guided simulation mode, construct a trace that leads to an assertion violation. Is this the shortest trace that leads to a violation? How can you be sure?

CIS 842: INTRO: Bogor Simulation 9 Assessment Bogor in random simulation mode… sometimes it can find an error e.g., when assertion read x != 1 most of the time it won’t find an error e.g., when assertion read x != 3 in this case, Bogor runs forever, and you can notice the overflow error messages associated with the variables of type byte

CIS 842: INTRO: Bogor Simulation 10 Assessment Bogor in guided simulation mode… the user can guide Bogor to the error but this requires that the user already know or at least have a good idea about how the error can occur! tedious and error prone infeasible on all but very short traces cannot be used in practice to obtain an exhaustive search of all possible traces can be useful in practice if the user simply wants to explore the behavior, e.g., of a particularly troublesome section of code

CIS 842: INTRO: Bogor Simulation 11 On To Exhaustive Exploration… Bogor’s randon simulation isn’t that useful for finding bugs only explores one execution trace Bogor’s guided simulation is only useful on short traces where the user already has a good idea of how a property violation might arise only feasible to explore a few execution traces The main strength of Bogor is its automatic exhaustive search capabilities this is why people use model-checkers! this is what this course is all about