Modelling systems, and model extraction from software

Size: px
Start display at page:

Download "Modelling systems, and model extraction from software"

Transcription

1 Modelling systems, and model extraction from software [Automated Reasoning, 2013/2014 1b Lecture 2] Doina Bucur Nov 2013

2 Summary In this lecture... Modelling computing systems Reactive systems Kripke structures. Definition and intuition Modeling hardware, software, and protocols Digital circuits: synchronous and asynchronous Extracting models from software (sequential or concurrent) Communication protocols Modelling with Promela Historical and bibliographical notes Assignment You learn to model various systems (software and hardware) in an automaton-like formalism of states and transitions called transition system, and to extract a model from software. The checking of the model against a state property is then immediate: you simply browse through all the states of the model and check your property. We apply this manual model checking to mutual exclusion algorithms. The assignments then move you towards using Spin to automatize this. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

3 Modelling computing systems Reactive systems Systems may be categorized: In what regards form of system implementation: software, hardware (logic circuits, ASICs, etc.). In what regards system behaviour and its complexity: deterministic or nondeterministic terminating or not terminating synchronous or asynchronous lazy or real-time sequential or concurrent transformational or reactive. Doina Bucur Modelling systems, and model extraction from software Nov / 25

4 Modelling computing systems Reactive systems Reactive systems A transformational computation is not interruptible (below left, represented as an input/output black box). A reactive system interacts with the environment; input events may arrive at all times (right, as a black cactus ). Reactive includes transformational. S S A reactive system may be any combination of (non)terminating, (not) concurrent, (a)synchronous, etc. Examples: concurrent software, device drivers, networked machines, social humans, etc.; i.e., most complex systems. The modelling formalism you see here suits reactive systems. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

5 Modelling computing systems Reactive systems Modelling a reactive system...is by writing: Its internal state at any given time; this state describes the current values stored in all memory (stack, heap, registers), plus the program counter. What this state will transition into, given an incoming event. For this, it is standard to use a variation of finite-state automata called Kripke structures. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

6 Modelling computing systems Kripke structures. Definition and intuition Kripke structures Definition (Kripke structure) A Kripke structure M over a set of atomic propositions AP is a tuple M = (S, S 0, T, L) where S is a finite set of states, or state space; S 0 S is the subset of initial states; T S S is a transition relation. T should be total: s S, s S so that T (s, s ); L : S P(AP) is a function labelling each state with a subset of atomic propositions which are true in that state. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

7 Modelling computing systems Kripke structures. Definition and intuition A simple example: from code to Kripke structure l0 int x = y = 0; l1 while (true) l2 x = (x+1) mod 3, y = x+1; State s S is a valuation of V = {x, y}; note that I left out the program counter to keep the example simple. Call the domain of both variables D. Then, S D D. In s 0, x = 0, y = 0. AP expresses variable valuations. A transition α T encodes an atomic assignment. l2 is atomic here. Match the transitions to statements in the original program! α α 0 1 s 0 s 1 s 2 {x=0,y=0} {x=1,y=2} α 3 α 2 s 3 {x=2,y=3} {x=0,y=1} Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

8 Modelling computing systems Kripke structures. Definition and intuition Some intuition behind this formalism S must be finite. This is not an artificial limitation of the model: in all information systems, D may be large (think 64-bit data types, in which case the size of D is 2 64 ), but is finite. (Digital systems never allow variables to have the full set of values from N, Z, R.) For a correct model, transitions must represent atomic system statements. Deciding on atomicity takes knowledge of the language, compiler, scheduler: Basic assignments in high-level languages may be atomic. However, machine-language translations may have finer grain. atomic {code} constructs, if available, make code atomic. Disabling interrupts in sequential low-level code makes the code atomic. T having to be total is an artificial (but harmless) feature of the model. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

9 Modelling computing systems Kripke structures. Definition and intuition...and some intuition behind model checking s 0 {x=0,y=0} In this simple example: suppose you want to know whether α α 0 1 s 1 {x=1,y=2} α 3 s 3 {x=0,y=1} y eventually becomes equal to 3 x and y can ever be equal to 1 at the same time y is always greater than or equal to x the program terminates s 2 α 2 {x=2,y=3} the program can hit a deadlock the program has an overflow You can answer all these by searching through the model. This is what an automated model checker also does. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

10 Modelling computing systems Kripke structures. Definition and intuition An equivalent logic representation for Kripke structures As per definition, the information is in state labels: α α 0 1 s 0 s 1 s 2 {x=0,y=0} {x=1,y=2} α 3 α 2 s 3 {x=2,y=3} {x=0,y=1} In this equivalent predicate-logic form, the same information is on transitions instead: A state is a conjunctive formula: s 0 (x = 0) (y = 0). Transitions, also: α i (x = (x + 1) mod 3) (y = (x + 1)), i = Primed variables represent next-state variables. Close to the program execution. A next state s 1 is the conjunction of the previous state s 0 and the transition α 0 : s 1 = s 0 α 0. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

11 Modelling computing systems Kripke structures. Definition and intuition Paths in Kripke structures A path π from state s in a Kripke structure is an infinite sequence of states π = s 0 s 1 s 2... so that s 0 = s and (s i, s i+1 ) T, i 0. π i is the suffix of π starting at s i. Clearly, infinite paths exist in finite-state machines. Later, we see temporal properties, e.g., only after x becomes 1, y can become greater than x. For these, we will examine paths. You can now imagine that the complexity of model checking increases with: the number of states in the model how expressive the property is Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

12 Modeling hardware, software, and protocols Digital circuits: synchronous and asynchronous A synchronous circuit These are called sequential circuits: the output depends on current and past inputs. They include memory (flip-flops): Q becomes equal to D only after a clock pulse. This is a fragment of CPU design. Three boolean variables, D = {0, 1}, S = D D D; say all start equal to 0. At each transition, the bits change, e.g., b 0 b 0, synchronously; The single transition is the conjunction of these changes: ( b 0 b 0 ) ( b 1 b 0 b 1 ) ( b 2 (b 0 b 1 ) b 2 ) b2 D Q clk b1 D Q clk b0 D Q clk Modulo-8 counter. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

13 Modeling hardware, software, and protocols Digital circuits: synchronous and asynchronous An asynchronous circuit These are called combinatorial circuits: the output depends solely on the current input (no memory, no notion of time, no means of synchronization). They are constructed with logic gates. Three boolean inputs, V = {b 0, b 1, b 2, }, D = {0, 1}, S D D D; At each transition, the bits change independently by b 0 b 0, etc; these changes may interleave; The transition is a disjunction of these changes: ( b 0 b 0 ) ( b 1 b 0 b 1 ) ( b 2 (b 0 b 1 ) b 2 ) b2 b1 b0 b2 b1 b0 Incrementing circuit. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

14 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent) Sequential software You can automatically translate a program into a transition system. x = y = 0; z = *; /* z is not initialized */ while (true) x = (x+1) mod 3, y = x+1; One method: Generate the control-flow graph (CFG) from program source. Then, start with the initial state, and add a transition (and a new state) for each program statement. 0,0,* 1,2,* (CFG) 2,3,* 0,1,* (Kripke structure) Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

15 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent) Sequential software A formal method: Start by giving the entry point to each basic program statement a label l; the program counter will get these values: l1 l2 l3 /* start with x = y = 0, z uninitialized */ while (true) x = (x+1) mod 3, y = x+1; Then, we define a top-down translation Tr(l 1 P l 3 ) for the program P in predicate-logic form: while loop: Tr(l 1 while(true) {l 2 P 2 } l 3 ) is the disjunction (pc = l 1 ) (pc = l 2 ) same(x, y, z) Tr(l 2 P 2 l 1 ) assignment: Tr(l 2 x = (x+1) mod 3, y = x+1; l 1 ) is the conjunction (pc = l 2 ) (x = (x + 1)mod 3) (y = x + 1) same(z) (pc = l 1 ) Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

16 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent) Generalizing Tr(S) Tr(l x=y; l ) (pc = l) (x = y) (pc = l ) same(v \ {x}) Tr(l if(b) {l 1 P 1 } else {l 2 P 2 } l ) (pc = l) (b) (pc = l 1 ) same(v) (pc = l) ( b) (pc = l 2 ) same(v) Tr(l 1 P 1 l ) Tr(l 2 P 2 l ) Tr(l while(b) {l 1 P 1 } l ) (pc = l) (b) (pc = l 1 ) same(v) (pc = l) ( b) (pc = l ) same(v) Tr(l 1 P 1 l) Tr(l 1 P 1 l 2 P 2 l ) Tr(l 1 P 1 l 2 ) Tr(l 2 P 2 l ) This is what a software model checker will do to acquire a formal model. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

17 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent) Concurrent software Concurrency simply means interleaving the transitions of the sequential programs (as for asynchronous circuits). Processes share variables. Take the concurrent program P l (P 1 P 2... P n ) l, where: The program counters pc i form a set PC. The sets of variables each process can access are V 1, V 2,... V n ; their union is V. Add start/end labels l i and l i for each process P i. Essentially, Tr(l P l ) is: n i=1 ( Tr(li P i l i ) same(v \ V i ) same(pc \ pc i ) ) (excluding a first and last formula starting and ending all processes) Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

18 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent) A mutual exclusion example Have P 0 P 1 symmetric processes, where P 0 : l0 while (true) nc0 wait_until(turn=0); /* busy waiting */ cr0 turn = 1; l0 and symmetric for P 1 (any 0 becomes 1 and vice versa). Consider both initial states. P 0 is represented as predicate logic (below), then as Kripke structure (right). Tr(l 0 P 0 l 0 ) (pc 0 = l 0 ) (pc 0 = nc 0) same(turn) (pc 0 = nc 0 ) (turn = 0) (pc = cr 0 ) same(turn) (pc 0 = nc 0 ) (turn = 0) (pc = nc 0 ) same(turn) (pc 0 = cr 0 ) (turn = 1) (pc 0 = l 0) pc 0 =l 0 turn=0 pc 0 =nc 0 turn=0 pc 0 =cr 0 turn=0 pc 0 =l 0 turn=1 pc 0 =nc 0 turn=1 Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

19 Modeling hardware, software, and protocols Extracting models from software (sequential or concurrent)...then, P 0 P 1 is: pc 0 =l0 pc 1 =l 1 turn=0 pc 0 =l 0 pc 1 =l 1 turn=1 pc 0 =l 0 pc 1 =nc 1 turn=0 pc 0 =nc0 pc 1 =l 1 turn=0 pc 0 =l 0 pc 1 =nc 1 turn=1 pc 0 =nc 0 pc 1 =l 1 turn=1 pc 0 =nc 0 pc 1 =nc 1 pc 0 =cr 0 pc 1 =l 1 turn=0 turn=0 pc 0 =l 0 pc 1 =cr 1 turn=1 pc 0 =nc 0 pc 1 =nc 1 turn=1 pc 0 =cr 0 pc 1 =nc 1 turn=0 pc 0 =nc 0 pc 1 =cr 1 turn=1 Here you see why modelling program counters is useful. Check visually: Does this program ensure mutual exclusion? Can a process be denied forever entrance to its critical region? Why? If you find hard to answer the Why?, try labelling all your graph s transitions, so that you can match transitions to the original code. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

20 Modeling hardware, software, and protocols Communication protocols Communication with channels A communication protocol is nothing but a concurrent program. The model includes: Channels c to send on and receive from; these are modelled like shared variables; Sending constant m on c is c!m; this is like an assignment c = m; Receiving variable x on c is c?x; this is also like an assignment x = c; This send/receive can be synchronous or asynchronous (i.e. buffered). Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

21 Modeling hardware, software, and protocols Modelling with Promela Modelling with Promela High-level language; features from the Communicating Sequential Processes (CSP, C. A. R. Hoare) logic, and C. You have: processes and typed data variables, including inter-process communication channels with sophisticated operations; control-flow similar to that of C; a form of macro called inline (no functions); channels may model either asynchronous or synchronous communication, and may include a buffer; a great way to model busy-waiting on a condition: (a == b) is a statement blocking the process until a equals b;...and many quirky features. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

22 Historical and bibliographical notes Historical notes The term reactive systems has been coined in On the Development of Reactive Systems, David Harel and Amir Pnueli, in NATO Advanced Study Institute (ASI) Series, Vol. F13, Logics and Models of Concurrent Systems, Springer-Verlag The term black cactus, also. Unfolding programs into transition systems has been used for verification of programs since the 70s, e.g. Formal verification of Parallel Programs, R. M. Keller, in Comm. ACM, 19(7), Doina Bucur Modelling systems, and model extraction from software Nov / 25

23 Historical and bibliographical notes Bibliographical notes The content in this lecture covers Ch. 2, Modeling Systems, from Model Checking, E. M. Clarke, O. Grumberg, D. A. Peled. For getting a grip with Spin, go for Ch. 2 Building Verification Models, Ch. 3 An Overview of Promela, Ch. 18 Overview of Spin Options, Ch. 19 Overview of Pan Options, from The Spin Model Checker, G. J. Holzmann. Alternatives: the Spin manual spinroot.com/spin/man/manual.html,../index.html,../roadmap.html. You may also read on the topic from Ch. 2, Modelling Concurrent Systems, from Principles of Model Checking, C. Baier, J.-P. Katoen. Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

24 Assignment Assignment (40%) Do the exercises at from [1.a] to [1.f]. Dig through the manual pages for info. (10%) Go back to the mutual exclusion on slides Answer the Why? question on slide 19. (50%) (a) Model Peterson s mutual exclusion algorithm (with two processes) as a Kripke structure; you find the algorithm on Wikipedia. Compact the algorithm as much as possible before you start, and make the threads loop infinitely. Then, visually check on the model the Wikipedia statements under Mutual exclusion (P0 and P1 can never be in the critical section at the same time) and Bounded waiting. (b) Finally, fire up SPIN, find an implementation of this (peterson.pml in SPIN s sources already contains an assertion for mutual exclusion), and check that with an exhaustive search. Decode the output and compare the size of this state space with the one above. Then, prove whether mutual exclusion is still insured without the second wait condition (on turn), and simulate the error trace to see why it fails. See for some graphical entertainment. Yes, you can model Peterson with two processes in 30 states (even fewer!). Doina Bucur (d.bucur@rug.nl) Modelling systems, and model extraction from software Nov / 25

25 Assignment Assignment administration Handing in: in the lab session or electronically by ; either way, before the end of Wed next week (Nov 27). Grading: this is worth 15% of your Practical grade (and 9% of the final grade). Doina Bucur Modelling systems, and model extraction from software Nov / 25

Formal Verification by Model Checking

Formal Verification by Model Checking Formal Verification by Model Checking Natasha Sharygina Carnegie Mellon University Guest Lectures at the Analysis of Software Artifacts Class, Spring 2005 1 Outline Lecture 1: Overview of Model Checking

More information

Automata-based Verification - I

Automata-based Verification - I CS3172: Advanced Algorithms Automata-based Verification - I Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2006 Supporting and Background Material Copies of key slides (already

More information

Model Checking: An Introduction

Model Checking: An Introduction Announcements Model Checking: An Introduction Meeting 2 Office hours M 1:30pm-2:30pm W 5:30pm-6:30pm (after class) and by appointment ECOT 621 Moodle problems? Fundamentals of Programming Languages CSCI

More information

T-79.186 Reactive Systems: Introduction and Finite State Automata

T-79.186 Reactive Systems: Introduction and Finite State Automata T-79.186 Reactive Systems: Introduction and Finite State Automata Timo Latvala 14.1.2004 Reactive Systems: Introduction and Finite State Automata 1-1 Reactive Systems Reactive systems are a class of software

More information

Temporal Logics. Computation Tree Logic

Temporal Logics. Computation Tree Logic Temporal Logics CTL: definition, relationship between operators, adequate sets, specifying properties, safety/liveness/fairness Modeling: sequential, concurrent systems; maximum parallelism/interleaving

More information

Software Modeling and Verification

Software Modeling and Verification Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015 Algorithmic verification Correctness problem Is the software/hardware system

More information

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary Today s Agenda Quiz 4 Temporal Logic Formal Methods in Software Engineering 1 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 2 1 Buchi Automata

More information

The Model Checker SPIN

The Model Checker SPIN The Model Checker SPIN Author: Gerard J. Holzmann Presented By: Maulik Patel Outline Introduction Structure Foundation Algorithms Memory management Example/Demo SPIN-Introduction Introduction SPIN (Simple(

More information

Model Checking based Software Verification

Model Checking based Software Verification Model Checking based Software Verification 18.5-2006 Keijo Heljanko Keijo.Heljanko@tkk.fi Department of Computer Science and Engineering Helsinki University of Technology http://www.tcs.tkk.fi/~kepa/ 1/24

More information

INF5140: Specification and Verification of Parallel Systems

INF5140: Specification and Verification of Parallel Systems INF5140: Specification and Verification of Parallel Systems Lecture 7 LTL into Automata and Introduction to Promela Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2007 Gerardo

More information

Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

More information

Fundamentals of Software Engineering

Fundamentals of Software Engineering Fundamentals of Software Engineering Model Checking with Temporal Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner

More information

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Introduction Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Advanced Topics in Software Engineering 1 Concurrent Programs Characterized by

More information

Software Engineering using Formal Methods

Software Engineering using Formal Methods Software Engineering using Formal Methods Model Checking with Temporal Logic Wolfgang Ahrendt 24th September 2013 SEFM: Model Checking with Temporal Logic /GU 130924 1 / 33 Model Checking with Spin model

More information

A Logic Approach for LTL System Modification

A Logic Approach for LTL System Modification A Logic Approach for LTL System Modification Yulin Ding and Yan Zhang School of Computing & Information Technology University of Western Sydney Kingswood, N.S.W. 1797, Australia email: {yding,yan}@cit.uws.edu.au

More information

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system? 5. LTL, CTL Last part: Alloy logic language, static/dynamic models SAT solvers Today: Temporal Logic (LTL, CTL) Verified Software Systems 1 Overview How can we model check of a program or system? Modeling

More information

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN Acknowledgments Introduction to SPIN Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck Ralf Huuck COMP 4152 1 Ralf Huuck COMP 4152 2 PROMELA/SPIN PROMELA (PROcess MEta

More information

Lecture 9 verifying temporal logic

Lecture 9 verifying temporal logic Basics of advanced software systems Lecture 9 verifying temporal logic formulae with SPIN 21/01/2013 1 Outline for today 1. Introduction: motivations for formal methods, use in industry 2. Developing models

More information

Algorithmic Software Verification

Algorithmic Software Verification Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal

More information

(Refer Slide Time: 00:01:16 min)

(Refer Slide Time: 00:01:16 min) Digital Computer Organization Prof. P. K. Biswas Department of Electronic & Electrical Communication Engineering Indian Institute of Technology, Kharagpur Lecture No. # 04 CPU Design: Tirning & Control

More information

Lecture 8: Synchronous Digital Systems

Lecture 8: Synchronous Digital Systems Lecture 8: Synchronous Digital Systems The distinguishing feature of a synchronous digital system is that the circuit only changes in response to a system clock. For example, consider the edge triggered

More information

Real Time Programming: Concepts

Real Time Programming: Concepts Real Time Programming: Concepts Radek Pelánek Plan at first we will study basic concepts related to real time programming then we will have a look at specific programming languages and study how they realize

More information

introduction to program monitoring

introduction to program monitoring introduction to program monitoring CS 119 part II beyond assert and print course website http://www.runtime-verification.org/course09 action standing order: sell when price drops more than 2% within 1

More information

tutorial: hardware and software model checking

tutorial: hardware and software model checking tutorial: hardware and software model checking gerard holzmann and anuj puri { gerard anuj } @research.bell-labs.com Bell Labs, USA outline introduction (15 mins) theory and algorithms system modeling

More information

Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Formal Languages and Automata Theory - Regular Expressions and Finite Automata - Formal Languages and Automata Theory - Regular Expressions and Finite Automata - Samarjit Chakraborty Computer Engineering and Networks Laboratory Swiss Federal Institute of Technology (ETH) Zürich March

More information

Informatique Fondamentale IMA S8

Informatique Fondamentale IMA S8 Informatique Fondamentale IMA S8 Cours 1 - Intro + schedule + finite state machines Laure Gonnord http://laure.gonnord.org/pro/teaching/ Laure.Gonnord@polytech-lille.fr Université Lille 1 - Polytech Lille

More information

Formal Verification of Software

Formal Verification of Software Formal Verification of Software Sabine Broda Department of Computer Science/FCUP 12 de Novembro de 2014 Sabine Broda (DCC-FCUP) Formal Verification of Software 12 de Novembro de 2014 1 / 26 Formal Verification

More information

http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86

http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86 Atlantic Electronic http://aejm.ca Journal of Mathematics http://rema.ca Volume 1, Number 1, Summer 2006 pp. 69 86 AUTOMATED RECOGNITION OF STUTTER INVARIANCE OF LTL FORMULAS Jeffrey Dallien 1 and Wendy

More information

A New Paradigm for Synchronous State Machine Design in Verilog

A New Paradigm for Synchronous State Machine Design in Verilog A New Paradigm for Synchronous State Machine Design in Verilog Randy Nuss Copyright 1999 Idea Consulting Introduction Synchronous State Machines are one of the most common building blocks in modern digital

More information

Model Checking II Temporal Logic Model Checking

Model Checking II Temporal Logic Model Checking 1/32 Model Checking II Temporal Logic Model Checking Edmund M Clarke, Jr School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 2/32 Temporal Logic Model Checking Specification Language:

More information

Formal verification of contracts for synchronous software components using NuSMV

Formal verification of contracts for synchronous software components using NuSMV Formal verification of contracts for synchronous software components using NuSMV Tobias Polzer Lehrstuhl für Informatik 8 Bachelorarbeit 13.05.2014 1 / 19 Problem description and goals Problem description

More information

CAs and Turing Machines. The Basis for Universal Computation

CAs and Turing Machines. The Basis for Universal Computation CAs and Turing Machines The Basis for Universal Computation What We Mean By Universal When we claim universal computation we mean that the CA is capable of calculating anything that could possibly be calculated*.

More information

To design digital counter circuits using JK-Flip-Flop. To implement counter using 74LS193 IC.

To design digital counter circuits using JK-Flip-Flop. To implement counter using 74LS193 IC. 8.1 Objectives To design digital counter circuits using JK-Flip-Flop. To implement counter using 74LS193 IC. 8.2 Introduction Circuits for counting events are frequently used in computers and other digital

More information

Combining Software and Hardware Verification Techniques

Combining Software and Hardware Verification Techniques Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

More information

The ProB Animator and Model Checker for B

The ProB Animator and Model Checker for B The ProB Animator and Model Checker for B A Tool Description Michael Leuschel and Michael Butler Department of Electronics and Computer Science University of Southampton Highfield, Southampton, SO17 1BJ,

More information

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl Model checking test models Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl February 14, 2014 Abstract This thesis is about model checking testing models. These testing

More information

The Course. http://www.cse.unsw.edu.au/~cs3153/

The Course. http://www.cse.unsw.edu.au/~cs3153/ The Course http://www.cse.unsw.edu.au/~cs3153/ Lecturers Dr Peter Höfner NICTA L5 building Prof Rob van Glabbeek NICTA L5 building Dr Ralf Huuck NICTA ATP building 2 Plan/Schedule (1) Where and When Tuesday,

More information

6.080/6.089 GITCS Feb 12, 2008. Lecture 3

6.080/6.089 GITCS Feb 12, 2008. Lecture 3 6.8/6.89 GITCS Feb 2, 28 Lecturer: Scott Aaronson Lecture 3 Scribe: Adam Rogal Administrivia. Scribe notes The purpose of scribe notes is to transcribe our lectures. Although I have formal notes of my

More information

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students Eastern Washington University Department of Computer Science Questionnaire for Prospective Masters in Computer Science Students I. Personal Information Name: Last First M.I. Mailing Address: Permanent

More information

Static Analysis. Find the Bug! 15-654: Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Static Analysis. Find the Bug! 15-654: Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled Static Analysis 15-654: Analysis of Software Artifacts Jonathan Aldrich 1 Find the Bug! Source: Engler et al., Checking System Rules Using System-Specific, Programmer-Written Compiler Extensions, OSDI

More information

Formal Verification and Linear-time Model Checking

Formal Verification and Linear-time Model Checking Formal Verification and Linear-time Model Checking Paul Jackson University of Edinburgh Automated Reasoning 21st and 24th October 2013 Why Automated Reasoning? Intellectually stimulating and challenging

More information

Counters and Decoders

Counters and Decoders Physics 3330 Experiment #10 Fall 1999 Purpose Counters and Decoders In this experiment, you will design and construct a 4-bit ripple-through decade counter with a decimal read-out display. Such a counter

More information

Digital Logic Design. Basics Combinational Circuits Sequential Circuits. Pu-Jen Cheng

Digital Logic Design. Basics Combinational Circuits Sequential Circuits. Pu-Jen Cheng Digital Logic Design Basics Combinational Circuits Sequential Circuits Pu-Jen Cheng Adapted from the slides prepared by S. Dandamudi for the book, Fundamentals of Computer Organization and Design. Introduction

More information

Test Case Generation for Ultimately Periodic Paths Joint work with Saddek Bensalem Hongyang Qu Stavros Tripakis Lenore Zuck Accepted to HVC 2007 How to find the condition to execute a path? (weakest precondition

More information

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL University of Texas at El Paso DigitalCommons@UTEP Departmental Technical Reports (CS) Department of Computer Science 8-1-2007 Using Patterns and Composite Propositions to Automate the Generation of Complex

More information

ETEC 2301 Programmable Logic Devices. Chapter 10 Counters. Shawnee State University Department of Industrial and Engineering Technologies

ETEC 2301 Programmable Logic Devices. Chapter 10 Counters. Shawnee State University Department of Industrial and Engineering Technologies ETEC 2301 Programmable Logic Devices Chapter 10 Counters Shawnee State University Department of Industrial and Engineering Technologies Copyright 2007 by Janna B. Gallaher Asynchronous Counter Operation

More information

Asynchronous Counters. Asynchronous Counters

Asynchronous Counters. Asynchronous Counters Counters and State Machine Design November 25 Asynchronous Counters ENGI 25 ELEC 24 Asynchronous Counters The term Asynchronous refers to events that do not occur at the same time With respect to counter

More information

CPU Organisation and Operation

CPU Organisation and Operation CPU Organisation and Operation The Fetch-Execute Cycle The operation of the CPU 1 is usually described in terms of the Fetch-Execute cycle. 2 Fetch-Execute Cycle Fetch the Instruction Increment the Program

More information

Quick Start Guide. June 3, 2012

Quick Start Guide. June 3, 2012 The ERIGONE Model Checker Quick Start Guide Mordechai (Moti) Ben-Ari Department of Science Teaching Weizmann Institute of Science Rehovot 76100 Israel http://stwww.weizmann.ac.il/g-cs/benari/ June 3, 2012

More information

150127-Microprocessor & Assembly Language

150127-Microprocessor & Assembly Language Chapter 3 Z80 Microprocessor Architecture The Z 80 is one of the most talented 8 bit microprocessors, and many microprocessor-based systems are designed around the Z80. The Z80 microprocessor needs an

More information

CS311 Lecture: Sequential Circuits

CS311 Lecture: Sequential Circuits CS311 Lecture: Sequential Circuits Last revised 8/15/2007 Objectives: 1. To introduce asynchronous and synchronous flip-flops (latches and pulsetriggered, plus asynchronous preset/clear) 2. To introduce

More information

CHAPTER 11: Flip Flops

CHAPTER 11: Flip Flops CHAPTER 11: Flip Flops In this chapter, you will be building the part of the circuit that controls the command sequencing. The required circuit must operate the counter and the memory chip. When the teach

More information

LTL Model Checking with Logic Based Petri Nets

LTL Model Checking with Logic Based Petri Nets LTL Model Checking with Logic Based Petri Nets Tristan M. Behrens and Jürgen Dix IfI Technical Report Series IfI-07-04 Impressum Publisher: Institut für Informatik, Technische Universität Clausthal Julius-Albert

More information

A Framework for the Semantics of Behavioral Contracts

A Framework for the Semantics of Behavioral Contracts A Framework for the Semantics of Behavioral Contracts Ashley McNeile Metamaxim Ltd, 48 Brunswick Gardens, London W8 4AN, UK ashley.mcneile@metamaxim.com Abstract. Contracts have proved a powerful concept

More information

Static Program Transformations for Efficient Software Model Checking

Static Program Transformations for Efficient Software Model Checking Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major

More information

Sources: On the Web: Slides will be available on:

Sources: On the Web: Slides will be available on: C programming Introduction The basics of algorithms Structure of a C code, compilation step Constant, variable type, variable scope Expression and operators: assignment, arithmetic operators, comparison,

More information

Let s put together a Manual Processor

Let s put together a Manual Processor Lecture 14 Let s put together a Manual Processor Hardware Lecture 14 Slide 1 The processor Inside every computer there is at least one processor which can take an instruction, some operands and produce

More information

Introduction to Promela and SPIN. LACL, Université Paris 12

Introduction to Promela and SPIN. LACL, Université Paris 12 Introduction to Promela and SPIN LACL, Université Paris 12 Promela = Process Meta Language A specification language! No programming language! Used for system description : Specify an abstraction of the

More information

Take-Home Exercise. z y x. Erik Jonsson School of Engineering and Computer Science. The University of Texas at Dallas

Take-Home Exercise. z y x. Erik Jonsson School of Engineering and Computer Science. The University of Texas at Dallas Take-Home Exercise Assume you want the counter below to count mod-6 backward. That is, it would count 0-5-4-3-2-1-0, etc. Assume it is reset on startup, and design the wiring to make the counter count

More information

Introduction to Software Verification

Introduction to Software Verification Introduction to Software Verification Orna Grumberg Lectures Material winter 2013-14 Lecture 4 5.11.13 Model Checking Automated formal verification: A different approach to formal verification Model Checking

More information

COMP 250 Fall 2012 lecture 2 binary representations Sept. 11, 2012

COMP 250 Fall 2012 lecture 2 binary representations Sept. 11, 2012 Binary numbers The reason humans represent numbers using decimal (the ten digits from 0,1,... 9) is that we have ten fingers. There is no other reason than that. There is nothing special otherwise about

More information

6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008

6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 MIT OpenCourseWare http://ocw.mit.edu 6.080 / 6.089 Great Ideas in Theoretical Computer Science Spring 2008 For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.

More information

Model-Checking Verification for Reliable Web Service

Model-Checking Verification for Reliable Web Service Model-Checking Verification for Reliable Web Service Shin NAKAJIMA Hosei University and PRESTO, JST nkjm@i.hosei.ac.jp Abstract Model-checking is a promising technique for the verification and validation

More information

EE 42/100 Lecture 24: Latches and Flip Flops. Rev B 4/21/2010 (2:04 PM) Prof. Ali M. Niknejad

EE 42/100 Lecture 24: Latches and Flip Flops. Rev B 4/21/2010 (2:04 PM) Prof. Ali M. Niknejad A. M. Niknejad University of California, Berkeley EE 100 / 42 Lecture 24 p. 1/20 EE 42/100 Lecture 24: Latches and Flip Flops ELECTRONICS Rev B 4/21/2010 (2:04 PM) Prof. Ali M. Niknejad University of California,

More information

Reading 13 : Finite State Automata and Regular Expressions

Reading 13 : Finite State Automata and Regular Expressions CS/Math 24: Introduction to Discrete Mathematics Fall 25 Reading 3 : Finite State Automata and Regular Expressions Instructors: Beck Hasti, Gautam Prakriya In this reading we study a mathematical model

More information

Development of dynamically evolving and self-adaptive software. 1. Background

Development of dynamically evolving and self-adaptive software. 1. Background Development of dynamically evolving and self-adaptive software 1. Background LASER 2013 Isola d Elba, September 2013 Carlo Ghezzi Politecnico di Milano Deep-SE Group @ DEIB 1 Requirements Functional requirements

More information

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London HECTOR a software model checker with cooperating analysis plugins Nathaniel Charlton and Michael Huth Imperial College London Introduction HECTOR targets imperative heap-manipulating programs uses abstraction

More information

Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Software Model Checking: Theory and Practice Lecture: Specification Checking - LTL Model Checking Copyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are

More information

Algorithm & Flowchart & Pseudo code. Staff Incharge: S.Sasirekha

Algorithm & Flowchart & Pseudo code. Staff Incharge: S.Sasirekha Algorithm & Flowchart & Pseudo code Staff Incharge: S.Sasirekha Computer Programming and Languages Computers work on a set of instructions called computer program, which clearly specify the ways to carry

More information

Specification and Analysis of Contracts Lecture 1 Introduction

Specification and Analysis of Contracts Lecture 1 Introduction Specification and Analysis of Contracts Lecture 1 Introduction Gerardo Schneider gerardo@ifi.uio.no http://folk.uio.no/gerardo/ Department of Informatics, University of Oslo SEFM School, Oct. 27 - Nov.

More information

Logic in Computer Science: Logic Gates

Logic in Computer Science: Logic Gates Logic in Computer Science: Logic Gates Lila Kari The University of Western Ontario Logic in Computer Science: Logic Gates CS2209, Applied Logic for Computer Science 1 / 49 Logic and bit operations Computers

More information

Concurrent Programming

Concurrent Programming Concurrent Programming Principles and Practice Gregory R. Andrews The University of Arizona Technische Hochschule Darmstadt FACHBEREICH INFCRMATIK BIBLIOTHEK Inventar-Nr.:..ZP.vAh... Sachgebiete:..?r.:..\).

More information

Fabio Patrizi DIS Sapienza - University of Rome

Fabio Patrizi DIS Sapienza - University of Rome Fabio Patrizi DIS Sapienza - University of Rome Overview Introduction to Services The Composition Problem Two frameworks for composition: Non data-aware services Data-aware services Conclusion & Research

More information

Memory Elements. Combinational logic cannot remember

Memory Elements. Combinational logic cannot remember Memory Elements Combinational logic cannot remember Output logic values are function of inputs only Feedback is needed to be able to remember a logic value Memory elements are needed in most digital logic

More information

Understanding Verilog Blocking and Non-blocking Assignments

Understanding Verilog Blocking and Non-blocking Assignments Understanding Verilog Blocking and Non-blocking Assignments International Cadence User Group Conference September 11, 1996 presented by Stuart HDL Consulting About the Presenter Stuart has over 8 years

More information

Registers & Counters

Registers & Counters Objectives This section deals with some simple and useful sequential circuits. Its objectives are to: Introduce registers as multi-bit storage devices. Introduce counters by adding logic to registers implementing

More information

TDT 4260 lecture 11 spring semester 2013. Interconnection network continued

TDT 4260 lecture 11 spring semester 2013. Interconnection network continued 1 TDT 4260 lecture 11 spring semester 2013 Lasse Natvig, The CARD group Dept. of computer & information science NTNU 2 Lecture overview Interconnection network continued Routing Switch microarchitecture

More information

Using reverse circuit execution for efficient parallel simulation of logic circuits

Using reverse circuit execution for efficient parallel simulation of logic circuits Using reverse circuit execution for efficient parallel simulation of logic circuits Kalyan Perumalla *, Richard Fujimoto College of Computing, Georgia Tech, Atlanta, Georgia, USA ABSTRACT A novel technique

More information

Counters & Shift Registers Chapter 8 of R.P Jain

Counters & Shift Registers Chapter 8 of R.P Jain Chapter 3 Counters & Shift Registers Chapter 8 of R.P Jain Counters & Shift Registers Counters, Syllabus Design of Modulo-N ripple counter, Up-Down counter, design of synchronous counters with and without

More information

Regular Expressions and Automata using Haskell

Regular Expressions and Automata using Haskell Regular Expressions and Automata using Haskell Simon Thompson Computing Laboratory University of Kent at Canterbury January 2000 Contents 1 Introduction 2 2 Regular Expressions 2 3 Matching regular expressions

More information

COMPUTER SCIENCE TRIPOS

COMPUTER SCIENCE TRIPOS CST.98.5.1 COMPUTER SCIENCE TRIPOS Part IB Wednesday 3 June 1998 1.30 to 4.30 Paper 5 Answer five questions. No more than two questions from any one section are to be answered. Submit the answers in five

More information

Digital Systems Based on Principles and Applications of Electrical Engineering/Rizzoni (McGraw Hill

Digital Systems Based on Principles and Applications of Electrical Engineering/Rizzoni (McGraw Hill Digital Systems Based on Principles and Applications of Electrical Engineering/Rizzoni (McGraw Hill Objectives: Analyze the operation of sequential logic circuits. Understand the operation of digital counters.

More information

Module 3: Floyd, Digital Fundamental

Module 3: Floyd, Digital Fundamental Module 3: Lecturer : Yongsheng Gao Room : Tech - 3.25 Email : yongsheng.gao@griffith.edu.au Structure : 6 lectures 1 Tutorial Assessment: 1 Laboratory (5%) 1 Test (20%) Textbook : Floyd, Digital Fundamental

More information

Introduction. What is an Operating System?

Introduction. What is an Operating System? Introduction What is an Operating System? 1 What is an Operating System? 2 Why is an Operating System Needed? 3 How Did They Develop? Historical Approach Affect of Architecture 4 Efficient Utilization

More information

A Propositional Dynamic Logic for CCS Programs

A Propositional Dynamic Logic for CCS Programs A Propositional Dynamic Logic for CCS Programs Mario R. F. Benevides and L. Menasché Schechter {mario,luis}@cos.ufrj.br Abstract This work presents a Propositional Dynamic Logic in which the programs are

More information

Digital Design Verification

Digital Design Verification Digital Design Verification Course Instructor: Debdeep Mukhopadhyay Dept of Computer Sc. and Engg. Indian Institute of Technology Madras, Even Semester Course No: CS 676 1 Verification??? What is meant

More information

A Classification of Model Checking-based Verification Approaches for Software Models

A Classification of Model Checking-based Verification Approaches for Software Models A Classification of Model Checking-based Verification Approaches for Software Models Petra Brosch, Sebastian Gabmeyer, Martina Seidl Sebastian Gabmeyer Business Informatics Group Institute of Software

More information

Enforcing Security Policies. Rahul Gera

Enforcing Security Policies. Rahul Gera Enforcing Security Policies Rahul Gera Brief overview Security policies and Execution Monitoring. Policies that can be enforced using EM. An automata based formalism for specifying those security policies.

More information

Chapter 2 Logic Gates and Introduction to Computer Architecture

Chapter 2 Logic Gates and Introduction to Computer Architecture Chapter 2 Logic Gates and Introduction to Computer Architecture 2.1 Introduction The basic components of an Integrated Circuit (IC) is logic gates which made of transistors, in digital system there are

More information

Software safety - DEF-STAN 00-55

Software safety - DEF-STAN 00-55 Software safety - DEF-STAN 00-55 Where safety is dependent on the safety related software (SRS) fully meeting its requirements, demonstrating safety is equivalent to demonstrating correctness with respect

More information

CS101 Lecture 26: Low Level Programming. John Magee 30 July 2013 Some material copyright Jones and Bartlett. Overview/Questions

CS101 Lecture 26: Low Level Programming. John Magee 30 July 2013 Some material copyright Jones and Bartlett. Overview/Questions CS101 Lecture 26: Low Level Programming John Magee 30 July 2013 Some material copyright Jones and Bartlett 1 Overview/Questions What did we do last time? How can we control the computer s circuits? How

More information

Doina Bucur. Temporal Monitors for

Doina Bucur. Temporal Monitors for Doina Bucur / Temporal Monitors for 1 Application area: wireless sensor/actuator systems running TinyOS, a best-effort, asynchronous embedded OS In summary: 2 Application area: wireless sensor/actuator

More information

Turing Machines: An Introduction

Turing Machines: An Introduction CIT 596 Theory of Computation 1 We have seen several abstract models of computing devices: Deterministic Finite Automata, Nondeterministic Finite Automata, Nondeterministic Finite Automata with ɛ-transitions,

More information

Model Checking of Software

Model Checking of Software Model Checking of Software Patrice Godefroid Bell Laboratories, Lucent Technologies SpecNCheck Page 1 August 2001 A Brief History of Model Checking Prehistory: transformational programs and theorem proving

More information

VeriTech - A Framework for Translating among Model Description Notations

VeriTech - A Framework for Translating among Model Description Notations Software Tools for Technology Transfer manuscript No. (will be inserted by the editor) VeriTech - A Framework for Translating among Model Description Notations Orna Grumberg and Shmuel Katz Computer Science

More information

2 Temporal Logic Model Checking

2 Temporal Logic Model Checking Bounded Model Checking Using Satisfiability Solving Edmund Clarke 1, Armin Biere 2, Richard Raimi 3, and Yunshan Zhu 4 1 Computer Science Department, CMU, 5000 Forbes Avenue Pittsburgh, PA 15213, USA,

More information

Model Checking LTL Properties over C Programs with Bounded Traces

Model Checking LTL Properties over C Programs with Bounded Traces Noname manuscript No. (will be inserted by the editor) Model Checking LTL Properties over C Programs with Bounded Traces Jeremy Morse 1, Lucas Cordeiro 2, Denis Nicole 1, Bernd Fischer 1,3 1 Electronics

More information

Division of Mathematical Sciences

Division of Mathematical Sciences Division of Mathematical Sciences Chair: Mohammad Ladan, Ph.D. The Division of Mathematical Sciences at Haigazian University includes Computer Science and Mathematics. The Bachelor of Science (B.S.) degree

More information

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Introduction to Formal Methods Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Outline Introduction Formal Specification Formal Verification Model Checking Theorem Proving Introduction Good papers to

More information

Model Checking Distributed Software

Model Checking Distributed Software Model Checking Distributed Software Sagar Chaki September 19, 2014 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Model Checking and Me 1997 : Ed visits IIT Kharagpur Just

More information