Software Modeling and Verification

Similar documents
Development of dynamically evolving and self-adaptive software. 1. Background

Formal Verification and Linear-time Model Checking

Algorithmic Software Verification

A Logic Approach for LTL System Modification

Model Checking II Temporal Logic Model Checking

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Model Checking: An Introduction

A Propositional Dynamic Logic for CCS Programs

Formal Verification by Model Checking

Temporal Logics. Computation Tree Logic

Software Verification and Testing. Lecture Notes: Temporal Logics

T Reactive Systems: Introduction and Finite State Automata

Introduction to Software Verification

Fixed-Point Logics and Computation

Testing LTL Formula Translation into Büchi Automata

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

A computational model for MapReduce job flow

From Workflow Design Patterns to Logical Specifications

Automata-based Verification - I

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Formal Verification of Software

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Static Program Transformations for Efficient Software Model Checking

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

HECTOR a software model checker with cooperating analysis plugins. Nathaniel Charlton and Michael Huth Imperial College London

Schedule. Logic (master program) Literature & Online Material. gic. Time and Place. Literature. Exercises & Exam. Online Material

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

CHAPTER 7 GENERAL PROOF SYSTEMS

Foundational Proof Certificates

Validated Templates for Specification of Complex LTL Formulas

A first step towards modeling semistructured data in hybrid multimodal logic

Development of global specification for dynamically adaptive software

Model Checking based Software Verification

Which Semantics for Neighbourhood Semantics?

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

CS510 Software Engineering

MODEL CHECKING CONCURRENT AND REAL-TIME SYSTEMS: THE PAT APPROACH. LIU YANG (B.Sc. (Hons.), NUS)

CS Master Level Courses and Areas COURSE DESCRIPTIONS. CSCI 521 Real-Time Systems. CSCI 522 High Performance Computing

Combining Software and Hardware Verification Techniques

Semantics and Verification of Software

Model Checking LTL Properties over C Programs with Bounded Traces

Plan-Space Search. Searching for a Solution Plan in a Graph of Partial Plans


Lecture 13 of 41. More Propositional and Predicate Logic

Software Engineering using Formal Methods

Fabio Patrizi DIS Sapienza - University of Rome

The Course.

CSE 459/598: Logic for Computer Scientists (Spring 2012)

Goal-Driven Adaptable Software Architecture for UAVs

Algebraic Recognizability of Languages

Language-oriented Software Development and Rewriting Logic

CISC422/853: Formal Methods

Coverability for Parallel Programs

Concurrent Programming

Fundamentals of Software Engineering

Formal verification of contracts for synchronous software components using NuSMV

Optimizing Description Logic Subsumption

A Classification of Model Checking-based Verification Approaches for Software Models

LTL Model Checking with Logic Based Petri Nets

Software Model Checking. Equivalence Hierarchy

Verifying Specifications with Proof Scores in CafeOBJ

Formal Engineering for Industrial Software Development

Software Model Checking: Theory and Practice

Introducing Formal Methods. Software Engineering and Formal Methods

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Path Querying on Graph Databases

Trading Security with Quality of Experience

MetaGame: An Animation Tool for Model-Checking Games

Eastern Washington University Department of Computer Science. Questionnaire for Prospective Masters in Computer Science Students

Summary Last Lecture. Automated Reasoning. Outline of the Lecture. Definition sequent calculus. Theorem (Normalisation and Strong Normalisation)

tutorial: hardware and software model checking

Business Process Verification: The Application of Model Checking and Timed Automata

Formal Specification and Verification

Computational Logic and Cognitive Science: An Overview

TEACHING MODEL CHECKING TO UNDERGRADUATES

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Modular Verification of Dynamically Adaptive Systems

Model-Checking Verification for Reliable Web Service

Formal Verification of Computer Systems - (INFO-F-412)

Universität Stuttgart Fakultät Informatik, Elektrotechnik und Informationstechnik

Quick Start Guide. June 3, 2012

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

Handout #1: Mathematical Reasoning

Software Engineering. How does software fail? Terminology CS / COE 1530

How To Write Intuitionistic Logic

Context-Bounded Model Checking of LTL Properties for ANSI-C Software. Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole

XML Data Integration

A Framework for the Semantics of Behavioral Contracts

Runtime Verification for Real-Time Automotive Embedded Software

2 Temporal Logic Model Checking

Rigorous Software Development CSCI-GA

Professional Organization Checklist for the Computer Science Curriculum Updates. Association of Computing Machinery Computing Curricula 2008

Bisimulation and Logical Preservation for Continuous-Time Markov Decision Processes

Chapter 4: Architecture for Performance Monitoring of Complex Information Technology (IT) Infrastructures using Petri Net

ICECCS 08/Workshop «UML&AADL 2008», April, 2, 2008

Process Modelling from Insurance Event Log

An Approach to Dependable Embedded Software Development

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

Transcription:

Software Modeling and Verification Alessandro Aldini DiSBeF - Sezione STI University of Urbino Carlo Bo Italy 3-4 February 2015

Algorithmic verification Correctness problem Is the software/hardware system correct with respect to the expected requirements? Hard to determine whenever the system is reactive

Hardness: what does it mean? Sequentiality vs. Concurrency A sequential program is like a black box taking some inputs and providing appropriate outputs, deterministically (e.g., sort algorithm) A reactive system: interacts with the environment, nondeterministically does not necessarily terminate may be composed of concurrent, interacting components Interactions cause an exponential explosion of the possible behaviors, concurrency and communication introduce new issues (e.g., deadlock and starvation) Example: operating systems

A formal approach to verification: why? Formal methods With respect to simulation and testing they provide rigorous answers They are supported by automated tools Foundational ingredients: formal (automata or state-transition based) models and (algebraic) languages for describing reactive systems logics for expressing properties of reactive systems behavioral relations for arguing about correctness

State-transition systems State... describes a configuration of the system in a given instant of time... may be labeled with additional information, like a formal statement specifying the conditions that hold in the state Transition... describes a state change due to the execution of a given event... may be labeled with additional information, like the name of the action representing the executed event

Kripke structure Definition Let AP be a set of atomic propositions A Kripke structure is a tuple where S is a finite set of states K = (S, S 0, R, L) S 0 S is the set of initial states R S S is a total transition relation L : S 2 AP is a labeling function that associates each state with the subset of atomic propositions that are true in that state

Modeling reactive systems through Kripke structures First-order logic representation What does AP represent? Let V = {v 1,..., v n } be the set of system variables Let D 1,..., D n be the corresponding (finite) domains An atomic proposition has the form v i = d i, with d i D i, 1 i n A valuation maps each v i to a value in D i, 1 i n Hence, a state s represents a valuation (it can be expressed as a conjunction of atomic propositions) The transition relation R is a mapping from valuations to valuations (it can be expressed as a disjunctive normal form)

Graphical representation Example s 0 s 2 x=0 x=1 s=idle x=0 s=wait s 3 s=ask x=2 s=busy Example of Kripke structure (S, S 0, R, L) s 1 V = {x, s} S 0 = {x = 0 s = i} R is such that: (x = 0 s = i x = 1 s = a) R (x = 1 s = a x = 0 s = w) R (x = 1 s = a x = 2 s = b) R (x = 0 s = w x = 2 s = b) R (x = 2 s = b x = 1 s = b) R (x = 2 s = b x = 2 s = a) R L is such that: L(s 0) = {x = 0 s = i} L(s 1) = {x = 1 s = a} L(s 2) = {x = 0 s = w} L(s 3) = {x = 2 s = b}

Kripke structures and logics Definition For any Kripke structure M = (S, S 0, R, L) and formula ψ of any logic: Sat(ψ) = {s S s = ψ} M = ψ iff S 0 Sat(ψ) Example Note: it could be that M = ψ and M = ψ

Kripke structures and logics Temporal logics Modal operators are added to classical logics for reasoning about time Well-formed formulas specify properties of computations The process of checking the model against the property is called model checking Example Along a computation... a predicate is always true the system will eventually satisfy a predicate the system exhibits a certain behavior until a predicate holds Which properties? Safety (bad things will not happen), Liveness (good things will eventually happen), Security (cheats will not happen), Reliability (faults may happen, but without negative effects)

Computation tree Definition For any Kripke structure M = (S, S 0, R, L) and s S, the computation tree for M starting at s is a tree such that: the root of the tree is s the nodes of the tree are states in S there exists an arc from node s to node s in the tree if and only if (s, s ) R

Graphical representation Example Kripke structure Finite prefix of the computation tree rooted at s 0 s 0 s 0 x=0 x=1 s=idle s=ask s 1 s 1 s 2 x=0 s=wait s 3 x=2 s=busy s 2 s 3 s 3 s 1 s 3..................

Modal operators of temporal logics Temporal operators X (next)... F (eventually)... G (always)... U (until)...

Temporal logics: two flavors Expressiveness Shall the logic abstract from the branching structure of the computation tree? If yes, each computation is considered in isolation...... at each instant of time, only one future is possible (linear time) If not, a branching notion of time is considered... at each instant of time, there may be several different possible futures

Linear Temporal Logic: syntax Definition (LTL grammar) ϕ true p ϕ ϕ ϕ Xϕ Fϕ Gϕ ϕuϕ Note: p is any atomic proposition

Linear Temporal Logic: semantics Definition The satisfaction relation = for computations π = s 0, s 1,..., s i,... of a Kripke structure M = (S, S 0, R, L) is defined by: a 1 π = true always holds 2 π = p iff p L(π[0]) 3 π = ϕ iff π = ϕ 4 π = ϕ 1 ϕ 2 iff π = ϕ 1 or π = ϕ 2 5 π = X ϕ iff π 1 = ϕ 6 π = F ϕ iff k 0. M, π k = ϕ 7 π = G ϕ iff k 0. M, π k = ϕ 8 π = ϕ 1 U ϕ 2 iff there exists k 0 such that π k = ϕ 2 and for all 0 j < k it holds that π j = ϕ 1 Finally, s = ϕ iff π = ϕ for all π such that π[0] = s a Note: π[i] = s i and π i = s i,...

Computation Tree Logic: syntax Definition (CTL grammar) Note: p is any atomic proposition ϕ true p ϕ ϕ ϕ E φ A φ φ Xϕ Fϕ Gϕ ϕuϕ

Computation Tree Logic: semantics Definition 1 s = p iff p L(s) 2 s = φ iff s = φ 3 s = φ 1 φ 2 iff s = φ 1 or s = φ 2 4 s = E φ iff there is a path π starting from s such that π = φ 5 s = A φ iff for every path π starting from s it holds that π = φ 6 π = X φ iff π[1] = φ 7 π = φ 1 U φ 2 iff there exists k 0 such that π[k] = φ 2 and for all 0 j < k it holds that π[j] = φ 1

Temporal Logics: properties of operators Expressiveness Duality F ψ true U ψ G ψ F ψ A ψ E ψ X ψ X ψ F ψ G ψ G ψ F ψ

Temporal Logics: equivalence Definition A CTL formula ϕ is equivalent to a LTL formula ϕ (ϕ ϕ ) if for all Kripke structures M: Results about equivalence M = ϕ iff M = ϕ Given a CTL formula ϕ and the LTL formula ϕ obtained by eliminating any path quantifier from ϕ, we have: 1 either ϕ ϕ 2 or there does not exist any LTL formula equivalent to ϕ CTL and LTL are incomparable: 1 the CTL formula A G (E F p) cannot be expressed in LTL 2 the LTL formula F G p cannot be expressed in CTL

Why LTL cannot express A G (E F p) Proof. Assume, by contradiction, ϕ A G (E F p) such that ϕ is a LTL formula M M p M = A G (E F p), hence M = ϕ Hence, since the computations of M are a subset of those of M, it must hold M = ϕ, which is absurd!

Why CTL cannot express F G p Example M p p M = F G p, but M = A F A G p... why?

Why CTL cannot express F G p Example M p p M = F G p, but M = A F A G p... why? states satisfying p

Why CTL cannot express F G p Example M p p M = F G p, but M = A F A G p... why? states satisfying A G p

Why CTL cannot express F G p Example M p p M = F G p, but M = A F A G p... why? states satisfying A F A G p

Property specification Some formula schema LTL CTL Reachability M = G p M = E F p Unreachability G p A G p (Safety) Conditional reachability q U p A (q U p) Extended reachability No A G E F p Composite reachability F(q X p) No Liveness G(q F p) A G(q A F p) Unconditional fairness G F p A G A F p Strong fairness G F p G F q No Weak fairness F G p G F q No

Model checking Problem Given a Kripke structure M = (S, S 0, R, L) and a temporal logic formula f, compute the set: {s S M, s = f } M satisfies f if S 0 is included in the set above

CTL based model checking Definition (Model checking algorithm) Define labels(s) to be the set of subformulas of f which are true in s Initialization labels(s) = L(s) i = 1 Repeat 1 take each subformula of f with i 1 nested CTL operators 2 add each of these subformulas to labels(s) for each s in which the subformula holds 3 increment i Until all the subformulas of f, including f itself, are processed Then, M, s = f iff f labels(s)

Processing subformulas of f Labeling rules By induction on the structure of the subformulas: 1 atomic proposition p: do not add any label! 2 g 1 : label any state that is not labeled with g 1 3 g 1 g 2 : label any state that is labeled either with g 1 or with g 2 4 E X g 1 : label any state that has some successor labeled with g 1 5 E(g 1 U g 2 ): find all states labeled with g 2 from each of these states, follow backwards the paths along states labeled with g 1 each state that can be reached by such paths is labeled 6 g = E G g 1 (by exercise)

Tool support Some model checker SPIN NuSMV PRISM Some examples toy concurrent systems (dining philosophers, sleeping barber,... ) concurrent programs (semantic mapping from programming languages to Kripke structures) real-world complex systems (real-time automotive software, communication protocols, trust and security systems,... )

References Christel Baier and Joost-Peter Katoen: Principles of Model Checking, The MIT Press, 2008 Michael Huth and Mark Ryan: Logic in Computer Science - Modelling and Reasoning about Systems, Cambridge University Press, 2004

Increasing the abstraction level: process algebra What is an algebra?... is any mathematical structure formed by a set of elements together with a collection of operations on these elements and such that the axioms given for the operators are satisfied Example Three operations: +, ;, Seven axioms (equational laws) expressing basic commutativity, associativity, idempotency, and distributivity: P Q = Q P where {+, } P (Q R) = (P Q) R where {+, ;, } P + P = P (P + Q); R = P; R + Q; R Any mathematical structure with these operations satisfying these laws is an algebra

Increasing the abstraction level: process algebra From algebra to process algebra Define an algebra over a set of elements describing processes A process...... refers to the behavior of a system... is the ordered set of events characterizing the behavior

Calculi for describing processes Actions represent system activities at a certain level of abstraction can be visible and invisible from the viewpoint of the external environment Operators Map operators ( +, ;, ) to primitives for process specification (alternative external/internal choice among actions, sequential composition of actions, parallel composition of processes possibly communicating synchronously/asynchronously)

Semantics: labeled transition systems Interpretation of operators Example Define a formal semantics for operators: P a P P+Q a P a Q Q P+Q a Q If process P can evolve into process P when executing an action a we write: a P P The action relation describes the process as a labeled transition system (LTS) where the states represent processes and the transitions represent the execution of events

Example: a producer-consumer system Example ProdCons 0/2 ProdCons 1/2 ProdCons 2/2 def = deposit. ProdCons 1/2 def = deposit. ProdCons 2/2 + withdraw. ProdCons 0/2 def = withdraw. ProdCons 1/2 ProdCons 0/2 deposit withdraw ProdCons 1/2 deposit withdraw ProdCons 2/2

Formal verification How to verify system specifications LTSs representing the semantics of processes can be model checked Process terms can be compared through behavioral equivalences... why?...... comparison between specifications at different abstraction levels (top-down modeling)... substitutivity

Usability Even more user-friendly Define on top of process algebra an architectural description language (ADL) that is easy-to-use and without (almost any) mathematics Map ADL to process algebra (PA) Three abstraction levels: ADL PA LTS What can be mechanized: mappings and verification

References Alessandro Aldini, Marco Bernardo, Flavio Corradini: A Process Algebraic Approach to Software Architecture Design, Springer, 2010.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information