
Slide 1: Software Verification 2 – Automated Verification
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2: Recap: LTS (H. Schlingloff, SS2012: SWV 2, 12.4.2012)
LTS = (Σ, S, Δ, S0)
- Σ is a nonempty finite alphabet
- S is a nonempty finite set of states
- Δ ⊆ S × Σ × S is the transition relation
- S0 ⊆ S is the set of initial states
Remark: sometimes a pseudo state s0 ∈ S is used instead of S0 ⊆ S; sometimes there is only a single initial state s0 ∈ S.
state = (program counter(s), variable valuation)
transition = (state, instruction, state)
S0 can be written as a predicate on variables and pc's
- init: (pc==  ∧ x==0 ∧ y<=5 ...)
Δ can be written as a predicate on current and next variables
- Δ: ((pc==  ∧ x'==x+1) ∨ (pc==  ∧ x'==x+2) ...)

Slide 3: Boolean Equivalences (12.4.2012)
next(state) :=
  case
    inp=0: state;
    inp=50 & state=s0: s50;
    inp=50 & state=s50: s0;
  esac;
((inp==0  state'==state)  (inp==50  state=s0  state'==s50)  (inp==50  state=s50  state'==s0))
((inp==0  state'==state)  (inp==50  (state=s0  state'==s50)  (state=s50  state'==s0)))

Slide 4: Parallel transition system / state machine (19.4.2012)
- T = (T1, ..., Tn)
- all state sets must be pairwise disjoint
Global TS associated with the parallel TS: T = (Σ, S, Δ, S0), where
- Σ = ∪i Σi
- S = S1 × ... × Sn
- S0 = S10 × ... × Sn0
- ((s1, ..., sn), a, (s1', ..., sn')) ∈ Δ iff for all Ti:
  - if a ∈ Σi, then (si, a, si') ∈ Δi, and
  - if a ∉ Σi, then si' = si
Complexity (size of this construction)? Correctness???

Slide 5: Correctness (12.4.2012)
T = (T1, ..., Tn), T = T1 || ... || Tn
Intuitively: T accepts/generates exactly those sequences which are accepted/generated by all Ti.
- projection of a run onto the alphabet of a transition system: for σ = σ1 σ2 σ3 ...
  σ|Ti = if (σ1 ∈ Σi) then σ1 ((σ2 σ3 ...)|Ti) else (σ2 σ3 ...)|Ti
- Show: T acc σ iff ∀i (Ti acc σ|Ti)
- this can also be used as a definition
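The construction of slides 2, 4 and 5 in executable form, as an added example (not code from the lecture): an LTS class following the tuple definition, the global TS of T1 || ... || Tn built by synchronising on shared letters and letting the other components stay put, the projection σ|Ti, and an exhaustive check of "T acc σ iff ∀i Ti acc σ|Ti" for all words up to a given length. The producer/consumer components and their alphabets are constructed for the example.

```python
from itertools import product


class LTS:
    """Labeled transition system (Sigma, S, Delta, S0) as on slide 2."""

    def __init__(self, alphabet, states, trans, init):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.trans = frozenset(trans)        # Delta, a subset of S x Sigma x S
        self.init = frozenset(init)          # S0, a subset of S
        if not self.init <= self.states:
            raise ValueError("initial states must be states")
        for s, a, s2 in self.trans:
            if s not in self.states or a not in self.alphabet or s2 not in self.states:
                raise ValueError("transition outside S x Sigma x S")

    def accepts(self, word):
        """True iff some run starting in S0 reads the whole finite word."""
        current = set(self.init)
        for a in word:
            current = {s2 for (s, b, s2) in self.trans if s in current and b == a}
            if not current:
                return False
        return True


def parallel(*components):
    """Global TS of T1 || ... || Tn (slide 4): components whose alphabet
    contains the letter take a step together, all others keep their state.
    Global states are tuples, so disjointness of the state sets is automatic."""
    alphabet = frozenset().union(*(T.alphabet for T in components))
    states = set(product(*(T.states for T in components)))
    init = set(product(*(T.init for T in components)))
    trans = set()
    for s in states:
        for a in alphabet:
            choices = []                     # successor options per component
            for T, si in zip(components, s):
                if a in T.alphabet:
                    choices.append([s2 for (x, b, s2) in T.trans if x == si and b == a])
                else:
                    choices.append([si])     # a not in Sigma_i: s_i' = s_i
            for s2 in product(*choices):
                trans.add((s, a, s2))
    return LTS(alphabet, states, trans, init)


def project(word, alphabet):
    """sigma|T_i from slide 5: keep only the letters of T_i's alphabet."""
    return tuple(a for a in word if a in alphabet)


def projection_property_holds(components, max_len):
    """Check 'T acc sigma iff for all i: T_i acc sigma|T_i' for every word
    up to max_len over the joint alphabet."""
    T = parallel(*components)
    for n in range(max_len + 1):
        for word in product(sorted(T.alphabet), repeat=n):
            lhs = T.accepts(word)
            rhs = all(C.accepts(project(word, C.alphabet)) for C in components)
            if lhs != rhs:
                return False
    return True


# Constructed example: a producer and a consumer synchronising on "put".
PRODUCER = LTS({"produce", "put"}, {"p0", "p1"},
               {("p0", "produce", "p1"), ("p1", "put", "p0")}, {"p0"})
CONSUMER = LTS({"put", "consume"}, {"c0", "c1"},
               {("c0", "put", "c1"), ("c1", "consume", "c0")}, {"c0"})
SYSTEM = parallel(PRODUCER, CONSUMER)

if __name__ == "__main__":
    print(len(SYSTEM.states), "global states,", len(SYSTEM.trans), "transitions")
    print(SYSTEM.accepts(("produce", "put", "consume")))
    print(SYSTEM.accepts(("put",)))          # nothing produced yet
    print(projection_property_holds([PRODUCER, CONSUMER], 4))
```

The size question of slide 4 shows up directly: the global state set is the full product (here 2 × 2 = 4 states), of which only part is reachable in general, and the check of the projection property is exponential in the word length, so it is a sanity test for small components rather than a proof.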

Slide 6: Parallel State Machines (19.4.2012)
Parallel state machine
- T = (T1, ..., Tn), Σi = 2^E × C × 2^A
What is the global state machine associated with a parallel state machine? ("flattening")
- synchronization by common e[c]/a is not an option
- possible choices: synchronize or compete on common input events (triggers)?
- what if an effect contains sending of a trigger? ("run-to-completion semantics": tedious formalization)

Slide 7: Example (12.4.2012)

Slide 8: Introducing Data (19.4.2012)
Simple state machines
- E: set of events, C: set of conditions, A: set of actions
- a simple state machine is an LTS where Σ = 2^E × C × 2^A
Extended state machine: assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
- a guard is a quantifier-free first-order formula on (D, F, R) and V
- an action is an assignment V=T
- Attention: the effect of a transition is a set of actions! Parallel execution introduces nondeterminism.
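The warning on slide 8 made concrete, as an added example that is not part of the lecture material: an effect is a set of assignments, and executing them one after another in an unspecified order gives different valuations than executing them simultaneously. The `SWAP_EFFECT` action set and the representation of an action as a (variable, function of the current valuation) pair are assumptions of the example.

```python
from itertools import permutations

# Constructed effect: the two actions x := y and y := x as a set (here a
# tuple, order carries no meaning).  Each right-hand side is a function of
# the current valuation.
SWAP_EFFECT = (("x", lambda v: v["y"]), ("y", lambda v: v["x"]))


def write_conflicts(effect):
    """Variables assigned by more than one action of the effect."""
    targets = [var for var, _ in effect]
    return {var for var in targets if targets.count(var) > 1}


def sequential_outcomes(effect, valuation):
    """Execute the assignments one after another in every possible order.
    Each order yields a valuation; more than one distinct result means the
    transition is nondeterministic under interleaving semantics."""
    outcomes = set()
    for order in permutations(effect):
        v = dict(valuation)
        for var, expr in order:
            v[var] = expr(v)            # later assignments see earlier writes
        outcomes.add(tuple(sorted(v.items())))
    return outcomes


def simultaneous_outcome(effect, valuation):
    """Evaluate every right-hand side in the old valuation, then write all
    targets at once.  Deterministic unless two actions write the same
    variable, which is rejected explicitly."""
    conflicts = write_conflicts(effect)
    if conflicts:
        raise ValueError(f"conflicting writes to {sorted(conflicts)}")
    new = {var: expr(valuation) for var, expr in effect}
    return tuple(sorted({**valuation, **new}.items()))


if __name__ == "__main__":
    start = {"x": 1, "y": 2}
    print(sequential_outcomes(SWAP_EFFECT, start))   # two different results
    print(simultaneous_outcome(SWAP_EFFECT, start))  # a single swap
```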

Slide 9: Example (12.4.2012)

Slide 10: Introducing Hierarchies (19.4.2012)
In a UML state machine, a state may contain other states
- powerful abstraction concept
- semantics can be tedious

Slide 11: Introducing Visibility Scopes (12.4.2012)
A state machine can be part of a class or module
- all variables are visible within the module only
- modules may be nested
Classes or modules can be parameterized
- instances of classes are objects

Slide 12: Introducing Fairness (12.4.2012)
LTSs cannot specify that something will eventually happen
- only maximal sequences are accepted (terminating or infinite)
We want to express that in infinite runs certain states must occur infinitely often.
Just LTS = (LTS, J), where J = (J1, ..., Jm), Ji ⊆ S (justice requirements)
- for each Ji ∈ J, each infinite run must contain infinitely many s ∈ Ji
Fair LTS = (LTS, F), where F = (F1, ..., Fm), Fi = (Pi, Qi), Pi ⊆ S, Qi ⊆ S (compassion requirements)
- for each Fi ∈ F and each infinite run it holds that if the run contains infinitely many s ∈ Pi, then it also contains infinitely many s ∈ Qi
Cf. automata theory: Büchi and Rabin acceptance
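Justice and compassion checked on concrete runs, as an added example that is not from the slides. Infinite runs of a finite-state system are represented as lassos (a finite prefix followed by a cycle repeated forever), so the states occurring infinitely often are exactly the states on the cycle; the scheduler runs and the `req_i`/`run_i` state names are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lasso:
    """Finite representation of an infinite run prefix . cycle^omega."""
    prefix: tuple
    cycle: tuple

    def infinitely_often(self):
        """The states visited infinitely often are exactly the cycle states."""
        return frozenset(self.cycle)


def is_just(run, justice):
    """Justice (slide 12): every J_i is visited infinitely often."""
    inf = run.infinitely_often()
    return all(bool(inf & frozenset(J)) for J in justice)


def is_compassionate(run, compassion):
    """Compassion: if P_i is visited infinitely often, then so is Q_i."""
    inf = run.infinitely_often()
    return all(not (inf & frozenset(P)) or bool(inf & frozenset(Q))
               for P, Q in compassion)


def is_fair(run, justice, compassion):
    return is_just(run, justice) and is_compassionate(run, compassion)


# Constructed scheduler: process i requests in "req_i" and is scheduled in "run_i".
JUSTICE = [{"run_1"}, {"run_2"}]                   # both processes run infinitely often
COMPASSION = [({"req_1"}, {"run_1"}),              # a process that keeps requesting
              ({"req_2"}, {"run_2"})]              # is eventually scheduled again

ROUND_ROBIN = Lasso((), ("req_1", "run_1", "req_2", "run_2"))
STARVE_2 = Lasso((), ("req_1", "run_1", "req_2"))            # 2 keeps asking, never runs
IDLE_2 = Lasso(("req_2", "run_2"), ("req_1", "run_1"))       # 2 served once, then silent

if __name__ == "__main__":
    for name, run in [("round robin", ROUND_ROBIN), ("starve 2", STARVE_2), ("idle 2", IDLE_2)]:
        print(f"{name:12} just={is_just(run, JUSTICE)} "
              f"compassionate={is_compassionate(run, COMPASSION)}")
```

The third run shows why the two notions differ: `IDLE_2` violates justice for process 2 although it violates no compassion requirement, because process 2 stops requesting and the premise of its compassion requirement is never satisfied infinitely often.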

Slide 13: Example: Peterson's Mutual Exclusion (12.4.2012)
{ t=0; x=0; y=0;
  { ℓ0: while(true) { NC1: skip; ℓ1: x=1; ℓ2: t=1; ℓ3: await(t==0 ∨ y==0); C1: skip; ℓ4: x=0; } }
  ||
  { ℓ0: while(true) { NC2: skip; ℓ1: y=1; ℓ2: t=0; ℓ3: await(t==1 ∨ x==0); C2: skip; ℓ4: y=0; } }
}

Slide 14: Summary: Finite State Modeling Concepts (19.4.2012)
We discussed
- (parallel) while-programs with finite domains
- labeled transition systems
- simple state machines
- parallel transition systems / state machines
- UML state machines
- object-oriented concepts
- fairness constraints (justice, compassion)
Mutual simulation possible
- but may be tedious; cross-compiler technology

