Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary



Similar documents
Formal Verification by Model Checking

tutorial: hardware and software model checking

Algorithmic Software Verification

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Software Model Checking: Theory and Practice

Software Engineering using Formal Methods

Fundamentals of Software Engineering

The Model Checker SPIN

Lecture 9 verifying temporal logic

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Testing LTL Formula Translation into Büchi Automata

Formal Verification of Software

T Reactive Systems: Introduction and Finite State Automata

Feature Specification and Automated Conflict Detection

Development of dynamically evolving and self-adaptive software. 1. Background

INF5140: Specification and Verification of Parallel Systems

Introduction to Promela and SPIN. LACL, Université Paris 12

Formal Verification and Linear-time Model Checking

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model Checking LTL Properties over C Programs with Bounded Traces

A Classification of Model Checking-based Verification Approaches for Software Models

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

CISC422/853: Formal Methods

Software Modeling and Verification

Combining Software and Hardware Verification Techniques

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Validated Templates for Specification of Complex LTL Formulas

Temporal Logics. Computation Tree Logic

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

Model Checking II Temporal Logic Model Checking

Model Checking: An Introduction

Reading 13 : Finite State Automata and Regular Expressions

Turing Machines: An Introduction

Automata-based Verification - I

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

LTL Model Checking with Logic Based Petri Nets

Deterministic Finite Automata

Model Checking based Software Verification

Software Quality Exercise 1

Software Verification and Testing. Lecture Notes: Temporal Logics

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Formal Languages and Automata Theory - Regular Expressions and Finite Automata -

Automata on Infinite Words and Trees

Software safety - DEF-STAN 00-55

Regular Expressions and Automata using Haskell

Stylianos Basagiannis

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

Formal Verification Toolkit for Requirements and Early Design Stages

Iterated Dynamic Belief Revision. Sonja Smets, University of Groningen. website:

From Workflow Design Patterns to Logical Specifications

The Trip Scheduling Problem

Traditional Software Development. Model Requirements and JAVA Programs. Formal Verification & Validation. What is a state?

Automata and Formal Languages

Specification and Analysis of Contracts Lecture 1 Introduction

Finite Automata. Reading: Chapter 2

Finite Automata. Reading: Chapter 2

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Formal verification of contracts for synchronous software components using NuSMV

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Constructing Automata from Temporal Logic Formulas : A Tutorial

each college c i C has a capacity q i - the maximum number of students it will admit

Program Synthesis is a Game

Workflow Management Models and ConDec

Compiler Construction

Pushdown Automata. place the input head on the leftmost input symbol. while symbol read = b and pile contains discs advance head remove disc from pile

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

The Course.

Software Model Checking: Theory and Practice

CHAPTER 7 GENERAL PROOF SYSTEMS

Introduction to Software Verification

Chapter II. Controlling Cars on a Bridge

Verification of hybrid dynamical systems

Verifying Real-Time Embedded Software by Means of Automated State-based Online Testing and the SPIN Model Checker Application to RTEdge Models

VeriTech - A Framework for Translating among Model Description Notations

Reliability Guarantees in Automata Based Scheduling for Embedded Control Software

Transcription:

Today s Agenda Quiz 4 Temporal Logic Formal Methods in Software Engineering 1 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 2 1

Buchi Automata The SPIN model checker is based on the theory of Buchi automata (or ω-automata). Buchi automata does not only accept finite executions but also infinite executions. SPIN does not only formalize correctness properties as Buchi automata, but also uses it to describe the system behavior. Formal Methods in Software Engineering 3 Temporal Logic Temporal logic allows time-related properties to be formally specified without introducing the explicit notion of time. SPIN uses Linear Temporal Logic (LTL), which allows to specify properties that must be satisfied by all program executions. Question: Why don t we use Buchi automata to specify correctness properties? Formal Methods in Software Engineering 4 2

The Magic The verification of a PROMELA model in SPIN consists of the following steps: Build an automaton to represent the system behavior For each correctness property, build an automaton to represent its negation Compute the intersection of the system automaton and each property automaton Formal Methods in Software Engineering 5 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 6 3

FSA A finite state automaton is a tuple (S, s 0, L, T, F), where S is a finite set of states s 0 is a distinguished initial state, s 0 S L is a finite set of labels T is a set of transitions, T (S L S) F is a set of final states, T Formal Methods in Software Engineering 7 Determinism An FSA is deterministic, if the successor state of each transition is uniquely defined by the source state and the transition label. Many automata we will encounter are nondeterministic, which however can be easily determinized. Formal Methods in Software Engineering 8 4

Run A run of an FSA (S, s 0, L, T, F) is an ordered, possibly infinite, set of transitions { (s 0, l 0, s 1 ), (s 1, l 1, s 2 ), (s 2, l 2, s 3 ),... } such that i, i 0 (s i, l i, s i+1 ) T Note that frequently, we will only refer to the sequence of states or transitions of a run. Formal Methods in Software Engineering 9 Accepting Run A run is accepted by an FSA if and only if it terminates at a final state. Formally, an accepting run of an FSA (S, s 0, L, T, F) is a finite run in which the final transition has the property that s n F. Formal Methods in Software Engineering 10 5

Example idle start ready suspended run execute stop end unblock block waiting { start, run, block, unblock, stop } Formal Methods in Software Engineering 11 Infinite Runs Many systems have infinite runs, i.e., they do not necessarily terminate, such as a thread scheduler, a web server, or a telephone switch. An infinite run is often called an ω-run. A classic FSA only accepts finite runs, not ω-runs. Formal Methods in Software Engineering 12 6

Buchi Acceptance Intuitively, an infinite run is accepted if and only if the run visits some final state infinitely often. Formally, an ω-run σ of FSA (S, s 0, L, T, F) is accepting if s f, s f F s f σ ω, where σ ω is the set of states that appear infinitely often in σ. Formal Methods in Software Engineering 13 Example idle start ready suspended run execute stop end unblock block waiting { start, run, { suspended, run }* } Formal Methods in Software Engineering 14 7

Stutter Extension The stutter extension of finite run σ with final state s n is the ω-run σ, (s n, ε, s n ) ω, i.e., the final state persists forever by repeating the null action ε. This extension allows Buchi acceptance to be applied to finite runs, i.e., a finite run is accepted by a Buchi automaton if and only if its final state is in the set of accepting states. Formal Methods in Software Engineering 15 Decidability Issues Two properties of Büchi automata in particular are of interest and are both decidable: language emptiness: are there any accepting runs? language intersection: are there any runs that are accepted by 2 or more automata? Spin s model checking algorithm is based on these two checks Spin determines if the intersection of the languages of a property automaton and a system automaton is empty Formal Methods in Software Engineering 16 8

Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 17 Temporal Logic Temporal logic allows one to reason about temporal properties of system executions, without introducing the notion of time explicitly. The dominant logic used in software verification is LTL, whose formulas are evaluated over a single execution. Formal Methods in Software Engineering 18 9

LTL A well-formed LTL formula is built from state formula and temporal operators: All state formulas are well-formed LTL formulas. If p and q are well-formed LTL formulas, then p U q, p U q, apple p, p, and X p are also well-formed LTL formulas. Formal Methods in Software Engineering 19 Notations σ = f : LTL formula f holds for ω-run σ σ i : the i-th element of σ σ[i] : the suffix of σ that starts at the i-th element Formal Methods in Software Engineering 20 10

LTL Operators (1) Weak Until - U σ[i] = (p U q) σ i = q (σ i = p σ[i+1] = (p U q)) Strong Until - U σ[i] = (p U q) σ[i] = (p U q) j, j i, σ j = q σ[i] p U q s0 si p si+1 p sj q Formal Methods in Software Engineering 21 LTL Operators (2) always (apple) : σ = apple p σ = (p U false) eventuality ( ) : σ = q σ = (true U q) next (X) : σ = X p σ i+1 = p σ apple p s0 s1 s2 s3 s4 p p p p p σ q s0 s1 s2 sk q σ X p s0 s1 s2 s3 s4 p Formal Methods in Software Engineering 22 11

LTL Example (1) Consider how to express the informal requirement that p implies q. In other words, p causes q. [] ((p -> X (<> q)) <> p) Formal Methods in Software Engineering 23 LTL Example (2) Consider a traffic light. The lights keep changing in the following order: green -> yellow -> red -> green Use a LTL formula to specify that from a state where the light is green the green color continues until it changes to yellow? Formal Methods in Software Engineering 24 12

Frequently Used Formulas invariance : apple p guarantee : p response : p q precedence : p q U r recurrence (progress) : apple p stability (non-progress) : apple p correlation : p q Formal Methods in Software Engineering 25 Valuation Sequence Let P be the set of all state formulas in a given LTL formula. Let V be the set of valuations, i.e., all possible truth assignments, of these formulas. Then, we can associate each run σ with a sequence of valuations V(σ), denoting the truth assignments of all the state formulas at each state. σ p U q s0 s1 s2 s3 s4 p: true true true false false q: false false false false true Formal Methods in Software Engineering 26 13

LTL and ω-automata (1) For every LTL formula, there exists an equivalent Buchi automaton, i.e., one that accepts precisely those runs that satisfy the formula. SPIN provides a separate parser that translates an LTL formula to a never claim. Formal Methods in Software Engineering 27 LTL and ω-automata (2) $ spin f <> [] p never { /* <>[]p */ T0_init: if :: ((p)) -> goto accept_s4 :: (1) -> goto T0_init fi; accept_s4: if :: ((p)) -> goto accept_s4 fi; } true p p s 0 s 1 Formal Methods in Software Engineering 28 14

LTL and ω-automata (3) $ spin f! <> [] p never { /*!<>[]p */ T0_init: if :: (! ((p))) -> goto accept_s9 :: (1) -> goto T0_init fi; accept_s9: if :: (1) -> goto T0_init fi; } true!p s 0 s 1 true Formal Methods in Software Engineering 29 Example (1) int x = 100; active proctype A () { do :: x % 2 -> x = 3 *x + 1 od } active proctype B () { do ::! (x % 2) -> x = x / 2 od } Formal Methods in Software Engineering 30 15

Example (2) Prove that x can never become negative, and also never exceed its initial value. Prove that the value of x always eventually returns to 1. Formal Methods in Software Engineering 31 Automata and Logic Introduction Buchi Automata Linear Time Logic Summary Formal Methods in Software Engineering 32 16

Summary Unlike classic FSA, which only accepts finite runs, ω-automata accepts both finite and infinite runs. LTL can be used to specify properties that must be satisfied by all the system executions. An LTL formula can be translated to an equivalent ω-automata. Formal Methods in Software Engineering 33 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information