Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods in software development

Published byGitta Koenig Modified over 5 years ago

Similar presentations

Presentation on theme: "Formal Methods in software development"— Presentation transcript:

1 Formal Methods in software development
a.y.2017/2018 Prof. Anna Labella 4/13/2019

2 Exercises 4/13/2019

3 Exercises 4/13/2019

4 Modelling a system and checking it
Temporal logics at work 4/13/2019

5 Example: mutual exclusion
We have two concurrent processes sharing a resource This means that for each of them there is a critical phase A process can stay indefinitely in its non critical phase At any time a process can ask to enter its critical phase The two processes are not supposed to alternate 4/13/2019

6 Example: mutual exclusion
The solution must satisfy: Mutual exclusion: the two processes cannot be in their critical state together Progress: each of them cannot stay in its critical phase forever 4/13/2019

7 Example: mutual exclusion
The evolution of a single process n t c n t c …….. n for “non-critical” t for “trying to access” c for “critical” 4/13/2019

8 The first modeling attempt
4/13/2019

9 Esxpressivity of LTL safety G ( c1 c2) true
liveness G (ti Fci) false s0s1s3s7s1s3s7…. 4/13/2019

10 Expressivity of LTL Non-blocking AG(n1 EX t1)
For every state satisfying n1 there is a successor satisfying t1 4/13/2019

11 Expressivity of LTL no strict sequencing: processes need not enter their critical section in strict sequence G ( c1 ( c1W ( c1(c1W c2) )) false s0s5s3s4s5s3s4…. 4/13/2019

12 The second attempt But we cannot model the fact that a process can stay for a while In its critical section 4/13/2019

13

14

15

16

17

18 Model Checking Example
Traffic light controller (simplified) G2 Y2 R2 G1 Y1 R1 C Timer T sensor Road 2 Road 1 R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+ T ’ C T C T ’ C ’+ T G1 R2 Y1 R2 R1 G2 R1 Y2 C = car sensor T = timer

19 Traffic light controller - Model Checking
Model Checking task: check safety condition fairness conditions Safety condition: no green lights on both roads at the same time A G ¬ (G1  G2 ) Fairness condition: eventually one road has green light E F (G1  G2) R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+T ’ C T C T ’ C ’+T

20 Checking conditions We can associate with each formula the set of states satisfying it

21 Checking the Safety Condition
A G ¬ (G1  G2) = ¬ E F (G1G2) S(G1  G2 ) = S(G1)  S(G2) = {1}{3} =  S(EF (G1  G2 )) =  S(¬ EF (G1  G2 )) = ¬ = {1, 2, 3, 4} 2 R1 G2 Y1 R2 G1 R2 R1 Y2 1 3 4 Each state is included in {1,2,3,4}  the safety condition is true (for each state)

22 Checking the Fairness Condition
E F (G1  G2 ) = E(true U (G1  G2 ) ) S(G1  G2 ) = S(G1)S(G2) = {1}  {3} = {1,3} S(EF (G1  G2 )) = {1,2,3,4} (going backward from {1,3}, find predecessors) 1 3 4 2 3 1 Since {1,2,3,4} contains all states, the condition is true for all the states

23 Another Check R1 G2 Y1 R2 G1 R2 R1 Y2 1 3 4 2 (E X)2 (Y1) = E X (E X (Y1)) (starting at S1=G1R2, is there a path s.t. Y1 is true in 2 steps ?) S (Y1) = {2} S (EX (Y1)) = {1} (predecessor of 2) S (EX (EX(Y1)) = {1,4} (predecessors of 1) Property E X2 (Y1) is true for states {1,4}, hence true

24 Explicit Model Checking - complexity
CTL model checking is linear in the size of the formula and the size of the structure M Not a good news: what if you have 1050 states? Number of states grows exponentially with number of variables Explicit model checking limited to … 109 states Symbolic model checking can do much better

25 Mutual exclusion again (in CTL)
AG(c1c2) safety AG(t1AFc1) liveness

26 Mutual exclusion again (in CTL)
Lack of fairness may result into a violation of liveness The problem is solved by using CTL with fairness i.e. by restricting ourselves to fair paths In LTL GF f or GFy GFf but not in CTL

27

28

29 Exercises 4/13/2019

Download ppt "Formal Methods in software development"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Process Synchronization Continued 7.2 The Critical-Section Problem.

Process Synchronization Continued 7.2 The Critical-Section Problem.
CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.

CH7 discussion-review Mahmoud Alhabbash. Q1 What is a Race Condition? How could we prevent that? – Race condition is the situation where several processes.
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google