
Slide 1: Software Verification 2, Automated Verification. Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität and Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Slide 2: What it is about... (H. Schlingloff, WS2015: SWV 2)
- Software for safety-critical systems: aircraft, railway signalling, airbags, ...
- Verification methods: "automated correctness proofs": static analysis, model checking, temporal logic of programs

Slide 3: Plan for the Winter
- Introduction
- Modeling of systems
- Temporal logics (LTL, CTL, CTL*)
- Simulations and bisimulations
- Model checking
- Symbolic representations (BDDs)
- Abstraction and refinement (CEGAR)
- Real time (UPPAAL)

Slide 5: Recap: while-Programs
whileProg ::= skip | V=T | {whileProg; whileProg} | if (FOL⁻) whileProg else whileProg | while (FOL⁻) whileProg | {whileProg || ... || whileProg} | await (b) whileProg
- Variables range over arbitrary (maybe infinite) domains
- finite-state systems: all variables are on a finite domain (e.g. boolean, short, uint8)

Slide 6: Semantics of (parallel) while-Programs
A state of the program consists of
- an assignment of values to variables, and
- a set of program counters (depending on the number of parallel components), syntactically represented by a parallel program
SOS rules for parallel programs (P, P1, P2 stand for while-programs):
- if (U,I,V) ⊨ b and (P, V) →* (skip, V'), then (await (b) P, V) → (skip, V')
- if (P1, V) → (P1', V'), then ({P1 || P2}, V) → ({P1' || P2}, V')
- if (P2, V) → (P2', V'), then ({P1 || P2}, V) → ({P1 || P2'}, V')
- ({skip || skip}, V) → (skip, V)

Slide 7: Modeling of Computation Concepts
Parallel while-programs are just one specific computation paradigm. Choices include
- Discrete vs. continuous systems
- Concurrent vs. distributed
- Shared memory vs. message passing
- Asynchronous vs. synchronous execution
- Asynchronous vs. synchronous communication
Mutual "simulation" of concepts is possible

Slide 8: Some Concrete Formalisms
Labelled transition systems
- recap SOS: program semantics = set of transitions; state = (program counter(s), variable valuation); transition = (state, instruction, state)
- LTS = (Σ, S, Δ, S0)
  - Σ is a nonempty finite alphabet
  - S is a nonempty finite set of states
  - Δ ⊆ S × Σ × S is the transition relation
  - S0 ⊆ S is the set of initial states
  remark: sometimes a pseudo state s0 ∈ S is used instead of S0 ⊆ S; sometimes there is only a single initial state s0 ∈ S
- an LTS is an "automaton without acceptance"

Slide 9: Termination and Nontermination
- For while-programs, nontermination was considered to be an error
- For reactive systems (e.g., an operating system), termination may be an error
- LTSs may or may not terminate; if they do not terminate they describe an infinite computation
  - Termination = reaching a state with no outgoing transitions
  - Nontermination = endless loop
  - "eager" semantics: if there is an enabled transition it must be taken
- It can be shown that there are infinite computations which cannot be described by a finite LTS
  - Büchi acceptance condition: theory of automata on infinite words

Slide 10: Example
An LTS for (a+b)((abb) +ab)

Slide 11: LTSs and while-Programs
- The semantics of a while-program is an LTS
- Can LTSs be "simulated" by a while-program?
  LTS = (Σ, S, Δ, S0) corresponds to
  { state = some s ∈ S0; while (∃ s' ∈ Δ(state)) state = some s' ∈ Δ(state); }
- Remarks
  - this is a template, not a concrete while-program
  - nondeterminism could be simulated by parallelism
  - the existential quantifier is to be replaced by a finite disjunction
- In which sense is this construction "correct"?

Slide 12: Simple state machines
- E: set of events, C: set of conditions, A: set of actions
- a simple state machine is an LTS where Σ = 2^E × C × 2^A; that is, each label (e, c, a) consists of
  - a set e of input events: the triggers
  - a condition c: the guard
  - a set of actions a: the effect of the transition
- graphically: S --e[c]/a--> S'

Slide 13: Example
A state machine (transducer) for ASCII conversion

Slide 14: Example

Slide 15: Parallel transition system / state machine
- T = (T1, ..., Tn)
- all state sets must be pairwise disjoint
Global TS associated with a parallel TS: T = (Σ, S, Δ, S0), where
- Σ = ∪ Σi
- S = S1 × ... × Sn
- S0 = S10 × ... × Sn0
- ((s1, ..., sn), a, (s1', ..., sn')) ∈ Δ iff for all Ti,
  - if a ∈ Σi, then (si, a, si') ∈ Δi, and
  - if a ∉ Σi, then si' = si
Complexity (size of this construction)? Correctness???

Slide 16: Correctness
T = (T1, ..., Tn), T = T1 × ... × Tn
Intuitively: T accepts/generates exactly those sequences which are accepted/generated by all Ti
- projection of a run onto the alphabet of a transition system: for σ = a1 a2 a3 ...,
  σ|Ti = if (a1 ∈ Σi) then a1 ((a2 a3 ...)|Ti) else (a2 a3 ...)|Ti
- Show: T acc σ iff ∀i (Ti acc σ|Ti)
- can also be used as a definition
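The LTS of slide 8, the parallel composition of slide 15 and the projection-based correctness statement of slide 16, as an added example that is not part of the lecture slides. Transition systems are plain dicts, the global system is built by the rule on slide 15 (a label moves exactly the components whose alphabet contains it and leaves the rest unchanged), and the sender/channel/receiver components and the sample words are constructed data; only the reachable part of the product is generated, and acceptance is checked on finite prefixes.

```python
from itertools import product

# Added example (not from the slides). An LTS (alphabet, S, transitions, S0) is a
# dict; transitions is a set of (s, a, s') triples. Sample data is constructed.

def lts(alphabet, transitions, initial):
    """Build an LTS dict; the state set is implicit in the transitions and initial states."""
    states = {s for (s, _, _) in transitions} | {t for (_, _, t) in transitions} | set(initial)
    return {"alphabet": frozenset(alphabet), "states": states,
            "transitions": set(transitions), "initial": set(initial)}

def parallel_composition(components):
    """Reachable part of the global TS of T = (T1, ..., Tn), as defined on slide 15:
    on label a, every component whose alphabet contains a takes an a-transition
    (all of them must be able to), every other component keeps its local state."""
    alphabet = frozenset().union(*(c["alphabet"] for c in components))
    initial = set(product(*(c["initial"] for c in components)))
    states, transitions, todo = set(initial), set(), list(initial)
    while todo:
        s = todo.pop()
        for a in alphabet:
            options = []  # per component: allowed successor local states
            for si, c in zip(s, components):
                if a in c["alphabet"]:
                    succ = {t for (u, b, t) in c["transitions"] if u == si and b == a}
                    if not succ:
                        break             # a synchronizing component cannot move on a
                    options.append(succ)
                else:
                    options.append({si})  # a is outside this component's alphabet
            else:
                for t in product(*options):
                    transitions.add((s, a, t))
                    if t not in states:
                        states.add(t)
                        todo.append(t)
    return {"alphabet": alphabet, "states": states, "transitions": transitions, "initial": initial}

def accepts(ts, word):
    """Does ts have a run labelled with the finite word from some initial state?"""
    current = set(ts["initial"])
    for a in word:
        current = {t for (u, b, t) in ts["transitions"] if u in current and b == a}
        if not current:
            return False
    return True

def project(word, alphabet):
    """sigma|Ti of slide 16: drop every label outside the component's alphabet."""
    return tuple(a for a in word if a in alphabet)

def projection_property_holds(components, words):
    """Slide 16: T accepts sigma iff every Ti accepts sigma|Ti, checked on the given words."""
    t = parallel_composition(components)
    return all(accepts(t, w) == all(accepts(c, project(w, c["alphabet"])) for c in components)
               for w in words)

# Constructed sample: sender and channel synchronize on send/ack, channel and
# receiver on deliver.
SENDER = lts({"send", "ack"}, {("q0", "send", "q1"), ("q1", "ack", "q0")}, {"q0"})
CHANNEL = lts({"send", "deliver", "ack"},
              {("p0", "send", "p1"), ("p1", "deliver", "p2"), ("p2", "ack", "p0")}, {"p0"})
RECEIVER = lts({"deliver"}, {("r0", "deliver", "r0")}, {"r0"})
COMPONENTS = (SENDER, CHANNEL, RECEIVER)
PRODUCT = parallel_composition(COMPONENTS)

SAMPLE_WORDS = [(), ("send",), ("send", "ack"), ("deliver",),
                ("send", "deliver", "ack", "send"), ("send", "deliver", "deliver")]

if __name__ == "__main__":
    print(len(PRODUCT["states"]), "global states,", len(PRODUCT["transitions"]), "transitions")
    print("projection property holds on samples:",
          projection_property_holds(COMPONENTS, SAMPLE_WORDS))
```

The word (send, ack) is rejected by the product although the sender alone accepts it, because the channel's projection (send, ack) has no run; this is exactly the "accepted by all Ti" reading of the slide. The size question on slide 15 is visible here too: the full product has 2·3·1 = 6 states, of which only 3 are reachable.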

Slide 17: Parallel State Machines
Parallel state machine
- T = (T1, ..., Tn), Σi = 2^E × C × 2^A
- What is the global state machine associated with a parallel state machine? ("flattening")
  - synchronization by common e[c]/a is not an option
  - possible choices: synchronize or compete on common input events (triggers)?
  - what if an effect contains sending of a trigger? ("run-to-completion semantics": tedious formalization)

Slide 18: Example

Slide 19: Introducing Data
Simple state machines
- E: set of events, C: set of conditions, A: set of actions
- a simple state machine is an LTS where Σ = 2^E × C × 2^A
Extended state machine: Assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
- a guard is a quantifier-free first-order formula on (D, F, R) and V
- an action is an assignment V=T
  - Attention: the effect of a transition is a set of actions! Parallel execution introduces nondeterminism.

Slide 20: Example

Slide 21: Introducing Hierarchies
In a UML state machine, a state may contain other states
- powerful abstraction concept
- semantics can be tedious

Slide 22: Introducing Visibility Scopes
A state machine can be part of a class or module
- all variables are visible within the module only
- modules may be nested
Classes or modules can be parameterized
- instances of classes are objects

Slide 23: Introducing Fairness
LTSs cannot specify that something will eventually happen
- only maximal sequences are accepted (terminating or infinite)
- we want to express that in infinite runs, certain states must occur infinitely often
Just LTS = (LTS, J), where J = (J1, ..., Jm), Ji ⊆ S (justice requirements)
- for each Ji ∈ J, each infinite run must contain infinitely many s ∈ Ji
Fair LTS = (LTS, F), where F = (F1, ..., Fm), Fi = (Pi, Qi), Pi ⊆ S, Qi ⊆ S (compassion requirements)
- for each Fi ∈ F and each infinite run it holds that if the run contains infinitely many s ∈ Pi, then it also contains infinitely many s ∈ Qi
Cf. automata theory: Büchi- and Rabin-acceptance

Slide 24: Example: Peterson's Mutual Exclusion
{ t=0; x=0; y=0;
  { ℓ0: while(true) { NC1: skip; ℓ1: x=1; ℓ2: t=1; ℓ3: await(t==0 ∨ y==0); C1: skip; ℓ4: x=0; } }
  ||
  { ℓ0: while(true) { NC2: skip; ℓ1: y=1; ℓ2: t=0; ℓ3: await(t==1 ∨ x==0); C2: skip; ℓ4: y=0; } }
}
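Explicit-state exploration of the Peterson program on this slide, as an added example that is not part of the lecture. A global state is a pair (program counters, valuation) as on slide 6, the two processes are encoded as constructed step lists whose program counter wraps around to model while(true), and the await conditions are read with a disjunction as in Peterson's algorithm (an assumption, since the operator is not legible in the transcript). The check enumerates every reachable state under interleaving and reports mutual exclusion (C1 and C2 never hold together) and deadlock freedom in the sense of slide 9 (every reachable state has an outgoing transition); a constructed faulty variant that tests the other flag before raising its own shows the check detecting a violation.

```python
from collections import deque

# Added example (not from the slides). Each process is a list of
# (label, kind, payload) steps; kind is "skip", "set" (variable, value) or
# "await" (predicate on the valuation). Constructed sample data.

P1 = [("NC1", "skip", None), ("l1", "set", ("x", 1)), ("l2", "set", ("t", 1)),
      ("l3", "await", lambda v: v["t"] == 0 or v["y"] == 0),   # assumption: disjunction
      ("C1", "skip", None), ("l4", "set", ("x", 0))]
P2 = [("NC2", "skip", None), ("l1", "set", ("y", 1)), ("l2", "set", ("t", 0)),
      ("l3", "await", lambda v: v["t"] == 1 or v["x"] == 0),
      ("C2", "skip", None), ("l4", "set", ("y", 0))]
PETERSON = (P1, P2)

# Constructed faulty variant: each process checks the other's flag first, then raises its own.
BROKEN = (
    [("NC1", "skip", None), ("l1", "await", lambda v: v["y"] == 0), ("l2", "set", ("x", 1)),
     ("C1", "skip", None), ("l3", "set", ("x", 0))],
    [("NC2", "skip", None), ("l1", "await", lambda v: v["x"] == 0), ("l2", "set", ("y", 1)),
     ("C2", "skip", None), ("l3", "set", ("y", 0))],
)

# (program counters, valuation): the global state of slide 6
INITIAL = ((0, 0), (("t", 0), ("x", 0), ("y", 0)))

def successors(procs, state):
    """Interleaving semantics: one component takes one step (SOS rules of slide 6).
    A blocked await contributes no transition."""
    pcs, val = state
    v = dict(val)
    for i, proc in enumerate(procs):
        _, kind, payload = proc[pcs[i]]
        if kind == "await" and not payload(v):
            continue                      # guard false: this component is blocked
        nv = dict(v)
        if kind == "set":
            nv[payload[0]] = payload[1]
        npcs = list(pcs)
        npcs[i] = (pcs[i] + 1) % len(proc)   # wrap around: while(true)
        yield (tuple(npcs), tuple(sorted(nv.items())))

def reachable_states(procs):
    """Breadth-first exploration of the finite state space."""
    seen, queue = {INITIAL}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        for t in successors(procs, s):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen

def label(procs, state, i):
    """Label of the instruction component i is about to execute."""
    return procs[i][state[0][i]][0]

def check(procs):
    """Mutual exclusion and absence of terminating (deadlocked) states."""
    states = reachable_states(procs)
    mutex = not any(label(procs, s, 0) == "C1" and label(procs, s, 1) == "C2" for s in states)
    deadlock_free = all(any(True for _ in successors(procs, s)) for s in states)
    return {"states": len(states), "mutex": mutex, "deadlock_free": deadlock_free}

if __name__ == "__main__":
    print("Peterson:", check(PETERSON))
    print("broken  :", check(BROKEN))
```

Mutual exclusion and deadlock freedom are properties of the finite reachable state set, so this exhaustive search settles them. The fairness properties of slide 23 (for instance that a process waiting at ℓ3 eventually reaches C1) concern infinite runs and need justice assumptions on the scheduler; they are not checked by this code.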

Slide 25: Summary: Finite State Modeling Concepts
We discussed
- (parallel) while-programs with finite domains
- Labeled transition systems
- Simple state machines
- Parallel transition systems / state machines
- UML state machines
- Object-oriented concepts
- Fairness constraints (justice, compassion)
Mutual simulation possible
- but may be tedious; cross-compiler technology

Slide 26: Plan for the Winter
- Introduction
- Modeling of systems
- Temporal logics (LTL, CTL, CTL*)
- Simulations and bisimulations
- Model checking
- Symbolic representations (BDDs)
- Abstraction and refinement (CEGAR)
- Real time (UPPAAL)

Slide 27: Temporal Logic
An extension of propositional logic to reason about sequences (executions)
Derived from modal logic
- "linguistic modality: expression of how the world might or should be. This includes expressions of necessity, permissibility and probability, and negations of these" (Wikipedia)
- avoids the use of (logical) variables and quantification: "necessarily p" instead of "under all circumstances x, p holds at x"
Temporal modalities "always" and "sometime"
- "always p" instead of "for all future time points x, p holds at x"
- "sometime p" instead of "for some future time point x, p holds at x"
- always p ⇔ not sometime not p; not always p ⇔ sometime not p
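The "always" and "sometime" modalities of this slide (together with next, until and the weak "unless" of slides 32 and 33) evaluated on an infinite run, as an added example that is not part of the lecture. An infinite execution is represented as a lasso prefix·loop^ω, which is what makes evaluation finite: from any position only len(prefix)+len(loop) suffixes are distinct. Formulas are nested tuples, the atoms p and q and the sample run are constructed, and duality_holds checks the equivalence always p ⇔ not sometime not p stated above.

```python
# Added example (not from the slides): linear-time evaluation of temporal
# formulas on a lasso-shaped run. Atoms and the run below are constructed.

class Lasso:
    """The infinite word prefix · loop · loop · ...; each position carries the
    set of atomic propositions true there."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be nonempty"
        self.prefix = [frozenset(p) for p in prefix]
        self.loop = [frozenset(p) for p in loop]

    def distinct(self):
        """Number of pairwise distinct suffixes (positions that matter)."""
        return len(self.prefix) + len(self.loop)

    def normalize(self, i):
        """Map any position to the equivalent position inside prefix or first loop copy."""
        if i < self.distinct():
            return i
        return len(self.prefix) + (i - len(self.prefix)) % len(self.loop)

    def at(self, i):
        i = self.normalize(i)
        return self.prefix[i] if i < len(self.prefix) else self.loop[i - len(self.prefix)]

def evaluate(run, f, i=0):
    """Truth value of formula f at position i of the run."""
    i, n = run.normalize(i), run.distinct()
    op = f[0]
    if op == "atom":
        return f[1] in run.at(i)
    if op == "not":
        return not evaluate(run, f[1], i)
    if op == "and":
        return evaluate(run, f[1], i) and evaluate(run, f[2], i)
    if op == "next":
        return evaluate(run, f[1], i + 1)
    # every suffix starting at or after i is one of the suffixes at i .. i+n-1
    if op == "always":
        return all(evaluate(run, f[1], j) for j in range(i, i + n))
    if op == "sometime":
        return any(evaluate(run, f[1], j) for j in range(i, i + n))
    if op == "until":          # strong until: f2 occurs, and f1 holds before it
        for j in range(i, i + n):
            if evaluate(run, f[2], j):
                return True
            if not evaluate(run, f[1], j):
                return False
        return False
    if op == "unless":         # weak until: f1 until f2, or f1 forever
        return evaluate(run, ("until", f[1], f[2]), i) or evaluate(run, ("always", f[1]), i)
    raise ValueError("unknown operator " + op)

def duality_holds(run, f):
    """always f  <=>  not sometime not f, checked at position 0 of the run."""
    return evaluate(run, ("always", f)) == evaluate(run, ("not", ("sometime", ("not", f))))

P, Q = ("atom", "p"), ("atom", "q")
# Constructed run: p holds, then nothing holds, then p and q hold forever.
RUN = Lasso(prefix=[{"p"}, set()], loop=[{"p", "q"}])

if __name__ == "__main__":
    for name, f in [("always p", ("always", P)), ("sometime always p", ("sometime", ("always", P))),
                    ("always sometime q", ("always", ("sometime", Q))), ("p until q", ("until", P, Q))]:
        print(f"{name}: {evaluate(RUN, f)}")
    print("duality always/sometime:", duality_holds(RUN, P) and duality_holds(RUN, Q))
```

The bounded ranges in "always", "sometime" and "until" are correct only because the run is a lasso: an arbitrary infinite sequence has infinitely many distinct suffixes, which is the reason model checkers work on finite LTSs (whose infinite runs are ultimately periodic) rather than on runs given extensionally.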

Slide 28: Linear versus Branching Time
Several variants of temporal logic have been proposed
- state-, transition-, or interval-based
- linear or branching time
- modal, star-free, or regular
- propositional or first order
- ...
Standardized notations like IEEE 1850 PSL exist
Linear vs. branching: two ways to consider time in a computation
- the set of executions versus
- the execution tree of a program

Slide 29: Recap: Syntax & Semantics of FOL

Slide 30: Syntax & Semantics of Modal Logic

Slide 31: Special Relations

Slide 32: Until and Unless

Slide 33: Since

Slide 34: LTL
- Expressively equivalent to FOL (<) on linear orders
- Arguably more intuitive to use

Slide 35: CTL

Slide 37:
- Kripke models = LTS
- branching time: possibility properties
- linear time: fairness properties
- CTL* subsumes both CTL and LTL
