Fundamentals of Software Engineering

Similar documents
Fundamentals of Software Engineering

Software Engineering using Formal Methods

Lecture 9 verifying temporal logic

Quick Start Guide. June 3, 2012

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Formal Verification by Model Checking

Introduction to Promela and SPIN. LACL, Université Paris 12

The Model Checker SPIN

INF5140: Specification and Verification of Parallel Systems

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Algorithmic Software Verification

Formal verification of contracts for synchronous software components using NuSMV

Formal Verification of Software

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Software Quality Exercise 1

Testing LTL Formula Translation into Büchi Automata

Software Model Checking: Theory and Practice

Automata-based Verification - I

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

Introduction to Software Verification

tutorial: hardware and software model checking

Model Checking based Software Verification

CISC422/853: Formal Methods

Stylianos Basagiannis

Formal Verification and Linear-time Model Checking

A Classification of Model Checking-based Verification Approaches for Software Models

T Reactive Systems: Introduction and Finite State Automata

Temporal Logics. Computation Tree Logic

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Software Verification and Testing. Lecture Notes: Temporal Logics

Model Checking: An Introduction

Software Modeling and Verification


Model Checking LTL Properties over C Programs with Bounded Traces

User s Guide. Version 5.0

Development of dynamically evolving and self-adaptive software. 1. Background

Validated Templates for Specification of Complex LTL Formulas

Model Checking of Software

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

TEACHING MODEL CHECKING TO UNDERGRADUATES

introduction to program monitoring

Static Program Transformations for Efficient Software Model Checking

Formal techniques for embedded safety critical systems

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

LTL Model Checking with Logic Based Petri Nets

Software safety - DEF-STAN 00-55

Runtime Verification for Real-Time Automotive Embedded Software

A Logic Approach for LTL System Modification

Overview of Lecture 3. Model Checking with SPIN. First attempt (revisited) Linear Temporal Logic (LTL) CDP #3

Specification and Analysis of Contracts Lecture 1 Introduction

The Model Checker SPIN

Rigorous Software Development CSCI-GA

Unified Static and Runtime Verification of Object-Oriented Software

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Digital Design Verification

The Course.

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Handout #1: Mathematical Reasoning

Program Synthesis is a Game

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

Concepts of Concurrent Computation

SECTION 10-2 Mathematical Induction

INF5140: Specification and Verification of Parallel Systems

Lecture Notes on Linear Search

Automata-Based Verification of Temporal Properties on Running Programs

An Approach to Dependable Embedded Software Development

Applying Model Checking to Destructive Testing and Analysis of Software System

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

An LTL Specification and Verification of a Mobile Teleconferencing System

Fabio Massacci Ida Siahaan

Gates & Boolean Algebra. Boolean Operators. Combinational Logic. Introduction

An Approach to Model Checking Ada Programs

VeriTech - A Framework for Translating among Model Description Notations

Fabio Patrizi DIS Sapienza - University of Rome

Lecture 8: Safety and Liveness Properties

Research Article Towards Support for Software Model Checking: Improving the Efficiency of Formal Specifications

Using the Theory of Reals in. Analyzing Continuous and Hybrid Systems

Verifying Real-Time Embedded Software by Means of Automated State-based Online Testing and the SPIN Model Checker Application to RTEdge Models

Model Checking II Temporal Logic Model Checking

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

SpinRCP The Eclipse Rich Client Platform Integrated Development Environment for the Spin Model Checker

5544 = = = Now we have to find a divisor of 693. We can try 3, and 693 = 3 231,and we keep dividing by 3 to get: 1

MODEL CHECKING CONCURRENT AND REAL-TIME SYSTEMS: THE PAT APPROACH. LIU YANG (B.Sc. (Hons.), NUS)

Munich University of Technology Department of Informatics. Diploma Thesis. in Informatics

Borne inférieure de circuit : une application des expanders

Introduction to formal semantics -

Informatique Fondamentale IMA S8

Constructing Automata from Temporal Logic Formulas : A Tutorial

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Datavetenskapligt Program (kandidat) Computer Science Programme (master)

Formal Specification and Verification

VSE II - Hybrid Automata to Express Realtime Properties

Access Control Based on Dynamic Monitoring for Detecting Software Malicious Behaviours

Service Specification and Validation for the Intelligent Network 1

A Classification of Model Checking-Based Verification Approaches for Software Models

A First Investigation of Sturmian Trees

Fixed-Point Logics and Computation

Transcription:

Fundamentals of Software Engineering Model Checking with Temporal Logic Ina Schaefer Institute for Software Systems Engineering TU Braunschweig, Germany Slides by Wolfgang Ahrendt, Richard Bubel, Reiner Hähnle (Chalmers University of Technology, Gothenburg, Sweden) Ina Schaefer FSE 1

Model Checking with Spin model name.pml correctness properties SPIN -a verifier pan.c C compiler executable verifier pan either or random/ interactive / simulation guided failing run model.trail errors: 0 Ina Schaefer FSE 2

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. Ina Schaefer FSE 3

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. stating properties within model using assertion statements Ina Schaefer FSE 4

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. stating properties within model using assertion statements meta labels end labels accept labels progress labels Ina Schaefer FSE 5

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. stating properties within model using assertion statements meta labels end labels accept labels progress labels stating properties outside model using never claims temporal logic formulas Ina Schaefer FSE 6

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. stating properties within model using assertion statements meta labels end labels accept labels progress labels stating properties outside model using never claims temporal logic formulas (today s main topic) Ina Schaefer FSE 7

Stating Correctness Properties model name.pml correctness properties Correctness properties can be stated within, or outside, the model. stating properties within model using assertion statements meta labels end labels accept labels (briefly) progress labels stating properties outside model using never claims (briefly) temporal logic formulas (today s main topic) Ina Schaefer FSE 8

Preliminaries 1. accept labels in Promela Büchi automata 2. fairness Ina Schaefer FSE 9

Preliminaries 1: Acceptance Cycles Definition (Accept Location) A location marked with an accept label of the form acceptxxx: is called an accept location. Ina Schaefer FSE 10

Preliminaries 1: Acceptance Cycles Definition (Accept Location) A location marked with an accept label of the form acceptxxx: is called an accept location. Accept locations can be used to specify cyclic behavior. Ina Schaefer FSE 11

Preliminaries 1: Acceptance Cycles Definition (Accept Location) A location marked with an accept label of the form acceptxxx: is called an accept location. Accept locations can be used to specify cyclic behavior. Definition (Acceptance Cycle) A run which infinitely often passes through an accept location is called an acceptance cycle. Ina Schaefer FSE 12

Preliminaries 1: Acceptance Cycles Definition (Accept Location) A location marked with an accept label of the form acceptxxx: is called an accept location. Accept locations can be used to specify cyclic behavior. Definition (Acceptance Cycle) A run which infinitely often passes through an accept location is called an acceptance cycle. Acceptance cycles are mainly used in never claims (see below), to define forbidden behavior of infinite kind. Ina Schaefer FSE 13

Preliminaries 2: Fairness Does the following Promela model necessarily terminate? byte n = 0; bool flag = f a l s e ; active proctype P() { do :: flag - > break; :: e l s e -> n = 5 - n; od } active proctype Q() { flag = true } Ina Schaefer FSE 14

Preliminaries 2: Fairness Does the following Promela model necessarily terminate? byte n = 0; bool flag = f a l s e ; active proctype P() { do :: flag - > break; :: e l s e -> n = 5 - n; od } active proctype Q() { flag = true } Termination guaranteed only if scheduling is (weakly) fair! Ina Schaefer FSE 15

Preliminaries 2: Fairness Does the following Promela model necessarily terminate? byte n = 0; bool flag = f a l s e ; active proctype P() { do :: flag - > break; :: e l s e -> n = 5 - n; od } active proctype Q() { flag = true } Termination guaranteed only if scheduling is (weakly) fair! Definition (Weak Fairness) A run is called weakly fair iff the following holds: each continuously executable statement is executed eventually. Ina Schaefer FSE 16

Model Checking of Temporal Properties many correctness properties not expressible by assertions Ina Schaefer FSE 17

Model Checking of Temporal Properties many correctness properties not expressible by assertions today: model checking of properties formulated in temporal logic Ina Schaefer FSE 18

Model Checking of Temporal Properties many correctness properties not expressible by assertions today: model checking of properties formulated in temporal logic Remark: in this course, temporal logic is synonymous to linear temporal logic (LTL) Ina Schaefer FSE 19

Beyond Assertions Assertions only talk about the state at their own location in the code. Ina Schaefer FSE 20

Beyond Assertions Assertions only talk about the state at their own location in the code. Example: mutual exclusion expressed by adding assertion into each critical section. critical ++; assert ( critical <= 1 ); critical - -; Ina Schaefer FSE 21

Beyond Assertions Assertions only talk about the state at their own location in the code. Example: mutual exclusion expressed by adding assertion into each critical section. critical ++; assert ( critical <= 1 ); critical - -; Drawbacks: no separation of concerns (model vs. correctness property) Ina Schaefer FSE 22

Beyond Assertions Assertions only talk about the state at their own location in the code. Example: mutual exclusion expressed by adding assertion into each critical section. critical ++; assert ( critical <= 1 ); critical - -; Drawbacks: no separation of concerns (model vs. correctness property) changing assertions is error prone (easily out of synch) Ina Schaefer FSE 23

Beyond Assertions Assertions only talk about the state at their own location in the code. Example: mutual exclusion expressed by adding assertion into each critical section. critical ++; assert ( critical <= 1 ); critical - -; Drawbacks: no separation of concerns (model vs. correctness property) changing assertions is error prone (easily out of synch) easy to forget assertions: correctness property might be violated at unexpected locations Ina Schaefer FSE 24

Beyond Assertions Assertions only talk about the state at their own location in the code. Example: mutual exclusion expressed by adding assertion into each critical section. critical ++; assert ( critical <= 1 ); critical - -; Drawbacks: no separation of concerns (model vs. correctness property) changing assertions is error prone (easily out of synch) easy to forget assertions: correctness property might be violated at unexpected locations many interesting properties not expressible via assertions Ina Schaefer FSE 25

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Ina Schaefer FSE 26

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Ina Schaefer FSE 27

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run Ina Schaefer FSE 28

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run properties impossible to express via assertions: Ina Schaefer FSE 29

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run properties impossible to express via assertions: Absence of Deadlock If some processes try to enter their critical section, eventually one of them does so. Ina Schaefer FSE 30

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run properties impossible to express via assertions: Absence of Deadlock If some processes try to enter their critical section, eventually one of them does so. Absence of Starvation If one process tries to enter its critical section, eventually that process does so. Ina Schaefer FSE 31

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run properties impossible to express via assertions: Absence of Deadlock If some processes try to enter their critical section, eventually one of them does so. Absence of Starvation If one process tries to enter its critical section, eventually that process does so. all these are temporal properties Ina Schaefer FSE 32

Temporal Correctness Properties properties more conveniently expressed as global properties, rather than assertions: Mutual Exclusion critical <= 1 holds throughout the run Array Index within Bounds (given array a of length len) 0 <= i <= len-1 holds throughout the run properties impossible to express via assertions: Absence of Deadlock If some processes try to enter their critical section, eventually one of them does so. Absence of Starvation If one process tries to enter its critical section, eventually that process does so. all these are temporal properties use temporal logic Ina Schaefer FSE 33

Boolean Temporal Logic talking about numerical variables (like in critical <= 1 or 0 <= i <= len-1) requires variation of propositional temporal logic which we call Boolean temporal logic: Boolean expressions (over Promela variables), rather than propositions, form basic building blocks of the logic Ina Schaefer FSE 34

Boolean Temporal Logic over Promela Set For BTL of Boolean Temporal Formulas (simplified) all global Promela variables and constants of type bool/bit are For BTL Ina Schaefer FSE 35

Boolean Temporal Logic over Promela Set For BTL of Boolean Temporal Formulas (simplified) all global Promela variables and constants of type bool/bit are For BTL if e1 and e2 are numerical Promela expressions, then all of e1==e2, e1!=e2, e1<e2, e1<=e2, e1>e2, e1>=e2 are For BTL Ina Schaefer FSE 36

Boolean Temporal Logic over Promela Set For BTL of Boolean Temporal Formulas (simplified) all global Promela variables and constants of type bool/bit are For BTL if e1 and e2 are numerical Promela expressions, then all of e1==e2, e1!=e2, e1<e2, e1<=e2, e1>e2, e1>=e2 are For BTL if P is a process and l is a label in P, then P@l is For BTL (P@l reads P is at l ) Ina Schaefer FSE 37

Boolean Temporal Logic over Promela Set For BTL of Boolean Temporal Formulas (simplified) all global Promela variables and constants of type bool/bit are For BTL if e1 and e2 are numerical Promela expressions, then all of e1==e2, e1!=e2, e1<e2, e1<=e2, e1>e2, e1>=e2 are For BTL if P is a process and l is a label in P, then P@l is For BTL (P@l reads P is at l ) if φ and ψ are formulas For BTL, then all of are For BTL! φ, φ && ψ, φ ψ, φ > ψ, φ < > ψ [ ]φ, <>φ, φ U ψ Ina Schaefer FSE 38

Semantics of Boolean Temporal Logic A run σ through a Promela model M is a chain of states L 0, I 0 L 1, I 1 L 2, I 2 L 3, I 3 L 4, I 4 L j maps each running process to its current location counter. From L j to L j+1, only one of the location counters has advanced (exception: channel rendezvous). I j maps each variable in M to its current value. Ina Schaefer FSE 39

Semantics of Boolean Temporal Logic A run σ through a Promela model M is a chain of states L 0, I 0 L 1, I 1 L 2, I 2 L 3, I 3 L 4, I 4 L j maps each running process to its current location counter. From L j to L j+1, only one of the location counters has advanced (exception: channel rendezvous). I j maps each variable in M to its current value. Arithmetic and relational expressions are interpreted in states as expected; e.g. L j, I j = x<y iff I j (x) < I j (y) Ina Schaefer FSE 40

Semantics of Boolean Temporal Logic A run σ through a Promela model M is a chain of states L 0, I 0 L 1, I 1 L 2, I 2 L 3, I 3 L 4, I 4 L j maps each running process to its current location counter. From L j to L j+1, only one of the location counters has advanced (exception: channel rendezvous). I j maps each variable in M to its current value. Arithmetic and relational expressions are interpreted in states as expected; e.g. L j, I j = x<y iff I j (x) < I j (y) L j, I j = P@l iff L j (P) is the location labeled with l Ina Schaefer FSE 41

Semantics of Boolean Temporal Logic A run σ through a Promela model M is a chain of states L 0, I 0 L 1, I 1 L 2, I 2 L 3, I 3 L 4, I 4 L j maps each running process to its current location counter. From L j to L j+1, only one of the location counters has advanced (exception: channel rendezvous). I j maps each variable in M to its current value. Arithmetic and relational expressions are interpreted in states as expected; e.g. L j, I j = x<y iff I j (x) < I j (y) L j, I j = P@l iff L j (P) is the location labeled with l Evaluating other formulas For BTL in runs σ: see previous lecture. Ina Schaefer FSE 42

Boolean Temporal Logic Support in Spin Spin supports Boolean temporal logic Ina Schaefer FSE 43

Boolean Temporal Logic Support in Spin Spin supports Boolean temporal logic but Ina Schaefer FSE 44

Boolean Temporal Logic Support in Spin Spin supports Boolean temporal logic but arithmetic operators (+,-,*,/,...), relational operators (==,!=,<,<=,...), label operators (@) cannot appear directly in TL formulas given to Spin Ina Schaefer FSE 45

Boolean Temporal Logic Support in Spin Spin supports Boolean temporal logic but arithmetic operators (+,-,*,/,...), relational operators (==,!=,<,<=,...), label operators (@) cannot appear directly in TL formulas given to Spin instead Boolean expressions must be abbreviated using #define Ina Schaefer FSE 46

Safety Properties formulas of the form [ ]φ are called safety properties Ina Schaefer FSE 47

Safety Properties formulas of the form [ ]φ are called safety properties state that something good, φ, is guaranteed throughout each run Ina Schaefer FSE 48

Safety Properties formulas of the form [ ]φ are called safety properties state that something good, φ, is guaranteed throughout each run special case: [ ] ψ states that something bad, ψ, never happens Ina Schaefer FSE 49

Safety Properties formulas of the form [ ]φ are called safety properties state that something good, φ, is guaranteed throughout each run special case: [ ] ψ states that something bad, ψ, never happens example: [](critical <= 1) Ina Schaefer FSE 50

Safety Properties formulas of the form [ ]φ are called safety properties state that something good, φ, is guaranteed throughout each run special case: [ ] ψ states that something bad, ψ, never happens example: [](critical <= 1) it is guaranteed throughout each run that at most one process visits its critical section Ina Schaefer FSE 51

Safety Properties formulas of the form [ ]φ are called safety properties state that something good, φ, is guaranteed throughout each run special case: [ ] ψ states that something bad, ψ, never happens example: [](critical <= 1) it is guaranteed throughout each run that at most one process visits its critical section or equivalently: more than one process visiting its critical section will never happen Ina Schaefer FSE 52

Applying Temporal Logic to Critical Section Problem We want to verify [](critical<=1) as correctness property of: active proctype P() { do :: /* non - critical activity */ atomic {! incriticalq ; incriticalp = true } critical ++; /* critical activity */ critical - -; incriticalp = f a l s e od } /* similarly for process Q */ Ina Schaefer FSE 53

Model Checking a Safety Property with jspin 1. add #define mutex (critical <= 1) to Promela file 2. open Promela file 3. enter []mutex in LTL text field 4. select Translate to create a never claim, corresponding to the negation of the formula 5. ensure Safety is selected 6. select Verify 7. (if necessary) select Stop to terminate too long verification Ina Schaefer FSE 54

Never Claims a never claim tries to show the user wrong it defines, in terms of Promela, all violations of correctness property it is semantically equivalent to the negation of correctness property jspin adds the negation for you using Spin directly, you have to add the negation yourself accept labels in never claims mark accepting states in the sense of Büchi automata Ina Schaefer FSE 55

Model Checking Promela wrt. Temporal Logic Theory behind Spin: 1. represent the interleaving of all processes as a single automaton (one one process advances in each step), called M Ina Schaefer FSE 56

Model Checking Promela wrt. Temporal Logic Theory behind Spin: 1. represent the interleaving of all processes as a single automaton (one one process advances in each step), called M 2. Construct Büchi automaton (never claim) N C φ for negation of formula φ Ina Schaefer FSE 57

Model Checking Promela wrt. Temporal Logic Theory behind Spin: 1. represent the interleaving of all processes as a single automaton (one one process advances in each step), called M 2. Construct Büchi automaton (never claim) N C φ for negation of formula φ 3. If L ω (M) L ω (N C φ ) = then φ holds in M, otherwise we have a counterexample. Ina Schaefer FSE 58

Model Checking Promela wrt. Temporal Logic Theory behind Spin: 1. represent the interleaving of all processes as a single automaton (one one process advances in each step), called M 2. Construct Büchi automaton (never claim) N C φ for negation of formula φ 3. If L ω (M) L ω (N C φ ) = then φ holds in M, otherwise we have a counterexample. 4. To check L ω (M) L ω (N C φ ) construct intersection automaton (both automata advance in each step) and search for accepting run. Ina Schaefer FSE 59

Model Checking a Safety Property with Spin directly Command Line Execution make sure #define mutex (critical <= 1) is in safety1.pml > spin -a -f!([] mutex ) safety1. pml > gcc -DSAFETY - o pan pan. c >./ pan Ina Schaefer FSE 60

Liveness Properties formulas of the form <>φ are called liveness properties Ina Schaefer FSE 61

Liveness Properties formulas of the form <>φ are called liveness properties state that something good, φ, eventually happens in each run Ina Schaefer FSE 62

Liveness Properties formulas of the form <>φ are called liveness properties state that something good, φ, eventually happens in each run example: <>csp (with csp a variable only true in the critical section of P) Ina Schaefer FSE 63

Liveness Properties formulas of the form <>φ are called liveness properties state that something good, φ, eventually happens in each run example: <>csp (with csp a variable only true in the critical section of P) in each run, process P visits its critical section eventually Ina Schaefer FSE 64

Applying Temporal Logic to Starvation Problem We want to verify <>csp as correctness property of: active proctype P() { do :: /* non - critical activity */ atomic {! incriticalq ; incriticalp = true } csp = true ; /* critical activity */ csp = f a l s e ; incriticalp = f a l s e od } /* similarly for process Q */ /* here using csq */ Ina Schaefer FSE 65

Model Checking a Liveness Property with jspin 1. open Promela file 2. enter <>csp in LTL text field 3. select Translate to create a never claim, corresponding to the negation of the formula 4. ensure that Acceptance is selected (Spin will search for accepting cycles through the never claim) 5. for the moment uncheck Weak Fairness (see discussion below) 6. select Verify Ina Schaefer FSE 66

Verification Fails Verification fails. Why? Ina Schaefer FSE 67

Verification Fails Verification fails. Why? The liveness property on one process had no chance. Not even weak fairness was switched on! Ina Schaefer FSE 68

Model Checking Liveness with Weak Fairness! Always switch Weak Fairness on when checking for liveness! 1. open Promela file 2. enter <>csp in LTL text field 3. select Translate to create a never claim, corresponding to the negation of the formula 4. ensure that Acceptance is selected (Spin will search for accepting cycles through the never claim) 5. ensure Weak Fairness is checked 6. select Verify Ina Schaefer FSE 69

Model Checking Lifeness with Spin directly Command Line Execution > spin -a -f!<>csp liveness1. pml > gcc -o pan pan.c >./ pan -a -f Ina Schaefer FSE 70

Verification Fails Verification fails again. Why? Ina Schaefer FSE 71

Verification Fails Verification fails again. Why? Weak fairness is still too weak. Ina Schaefer FSE 72

Verification Fails Verification fails again. Why? Weak fairness is still too weak. Note that!incriticalq is not continuously executable! Ina Schaefer FSE 73

Temporal MC Without Ghost Variables We want to verify mutual exclusion without using ghost variables #define mutex!(p@cs && Q@cs) bool incriticalp = f a l s e, incriticalq = f a l s e ; active proctype P() { do :: atomic {! incriticalq ; incriticalp = true } cs: /* critical activity */ incriticalp = f a l s e od } /* similarly for process Q */ /* with same label cs: */ Ina Schaefer FSE 74

Temporal MC Without Ghost Variables We want to verify mutual exclusion without using ghost variables #define mutex!(p@cs && Q@cs) bool incriticalp = f a l s e, incriticalq = f a l s e ; active proctype P() { do :: atomic {! incriticalq ; incriticalp = true } cs: /* critical activity */ incriticalp = f a l s e od } /* similarly for process Q */ /* with same label cs: */ Verify []mutex with jspin. Ina Schaefer FSE 75

Liveness again revisit fair.pml try to prove termination Ina Schaefer FSE 76

Literature for this Lecture Ben-Ari Chapter 5 Ina Schaefer FSE 77

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information