
Software Verification 2: Automated Verification




  1. Software Verification 2: Automated Verification. Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

  2. Recap: LTS
  • LTS = $(\Sigma, S, \Delta, S_0)$
  • $\Sigma$ is a nonempty finite alphabet
  • $S$ is a nonempty finite set of states
  • $\Delta \subseteq S \times \Sigma \times S$ is the transition relation
  • $S_0 \subseteq S$ is the set of initial states
    remark: sometimes a pseudo state $s_0 \in S$ is used instead of $S_0 \subseteq S$; sometimes there is only a single initial state $s_0 \in S$
  • state = (program counter(s), variable valuation); transition = (state, instruction, state)
  • $S_0$ can be written as a predicate on variables and pc's: init: $(pc == \_ \wedge x == 0 \wedge y \le 5 \wedge \ldots)$
  • $\Delta$ can be written as a predicate on current and next variables: $\Delta: ((pc == \_ \wedge x' == x+1) \vee (pc == \_ \wedge x' == x+2) \vee \ldots)$

  3. Boolean Equivalences
  The SMV definition
      next(state) := case
          inp = 0 : state;
          inp = 50 & state = s0 : s50;
          inp = 50 & state = s50 : s0;
      esac;
  is the transition predicate
  $((inp == 0 \wedge state' == state) \vee (inp == 50 \wedge state == s0 \wedge state' == s50) \vee (inp == 50 \wedge state == s50 \wedge state' == s0))$
  which by distributivity of $\wedge$ over $\vee$ is equivalent to
  $((inp == 0 \wedge state' == state) \vee (inp == 50 \wedge ((state == s0 \wedge state' == s50) \vee (state == s50 \wedge state' == s0))))$
  Note that SMV evaluates the branches of a case in order and takes the first one whose condition holds; translating it into a plain disjunction is exact here only because the conditions $inp = 0$ and $inp = 50$ are mutually exclusive. Since there is no default branch, the definition leaves next(state) unspecified for any other value of inp.

  4. Parallel transition system / state machine
  • $T = (T_1, \ldots, T_n)$
  • all state sets must be pairwise disjoint
  • Global TS associated with parallel TS: $T = (\Sigma, S, \Delta, S_0)$, where
    • $\Sigma = \bigcup_i \Sigma_i$
    • $S = S_1 \times \ldots \times S_n$
    • $S_0 = S_1^0 \times \ldots \times S_n^0$
    • $((s_1, \ldots, s_n), a, (s_1', \ldots, s_n')) \in \Delta$ iff for all $T_i$,
      • if $a \in \Sigma_i$, then $(s_i, a, s_i') \in \Delta_i$, and
      • if $a \notin \Sigma_i$, then $s_i' = s_i$
  • Complexity (size of this construction)? Correctness???

  5. Correctness
  • $T = (T_1, \ldots, T_n)$, $T = T_1 \parallel \ldots \parallel T_n$
  • Intuitively: $T$ accepts/generates exactly those sequences which are accepted/generated by all $T_i$
  • projection of a run onto the alphabet of a transition system: for $\sigma = a_1 a_2 a_3 \ldots$, $\sigma|_{T_i} =$ if $(a_1 \in \Sigma_i)$ then $a_1 \, ((a_2 a_3 \ldots)|_{T_i})$ else $(a_2 a_3 \ldots)|_{T_i}$
  • Show: $T$ acc $\sigma$ iff $\forall i \, (T_i$ acc $\sigma|_{T_i})$
  • can also be used as a definition
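The product construction of slide 4 and the projection argument of slide 5, as an added worked example (my code, not from the lecture). It builds the global LTS of a parallel system, synchronising components on shared letters and leaving the others in place, and then checks the correctness claim on a handful of words: the product accepts a word exactly when every component accepts the word's projection onto its alphabet. The two component systems T1 and T2 and the function names are my own constructions.

```python
from itertools import product

# A labelled transition system (LTS) as on slide 2: (Sigma, S, Delta, S0) with finite sets.
# Delta is a set of (s, a, s') triples. Names and sample systems below are my own.
def lts(sigma, states, delta, init):
    return {"sigma": frozenset(sigma), "S": frozenset(states),
            "delta": frozenset(delta), "S0": frozenset(init)}

def parallel(*ts):
    """Global LTS of T1 || ... || Tn (slide 4): on letter a every component whose alphabet
    contains a must move along one of its a-transitions; every other component stays put."""
    sigma = frozenset().union(*(t["sigma"] for t in ts))
    states = set(product(*(t["S"] for t in ts)))        # S = S1 x ... x Sn, reachable or not
    init = set(product(*(t["S0"] for t in ts)))
    delta = set()
    for s in states:
        for a in sigma:
            choices = []                                  # per component: allowed successors
            for si, t in zip(s, ts):
                if a in t["sigma"]:
                    choices.append([q for (p, b, q) in t["delta"] if p == si and b == a])
                else:
                    choices.append([si])
            for s_next in product(*choices):              # empty if some component blocks a
                delta.add((s, a, s_next))
    return lts(sigma, states, delta, init)

def accepts(t, word):
    """Finite-word acceptance: some initial state has a path labelled by word. (The slides
    talk about maximal runs; finite prefixes are enough to exercise the product.)"""
    current = set(t["S0"])
    for a in word:
        current = {q for (p, b, q) in t["delta"] if p in current and b == a}
        if not current:
            return False
    return True

def project(word, t):
    """word|T from slide 5: drop every letter outside T's alphabet."""
    return tuple(a for a in word if a in t["sigma"])

def size(t):
    """(|S|, |Delta|): the product has prod |Si| states, the cost asked about on slide 4."""
    return len(t["S"]), len(t["delta"])

def composition_is_correct(ts, words):
    """Slide 5's claim, checked on the given words: T accepts w iff every Ti accepts w|Ti."""
    t = parallel(*ts)
    return all(accepts(t, w) == all(accepts(ti, project(w, ti)) for ti in ts) for w in words)

# Constructed example: T1 does a then c, T2 does b then c; they synchronise on c.
T1 = lts({"a", "c"}, {"p0", "p1"}, {("p0", "a", "p1"), ("p1", "c", "p0")}, {"p0"})
T2 = lts({"b", "c"}, {"q0", "q1"}, {("q0", "b", "q1"), ("q1", "c", "q0")}, {"q0"})

if __name__ == "__main__":
    T = parallel(T1, T2)
    print("global system size (states, transitions):", size(T))
    for w in ("abc", "bac", "cab", "ac"):
        print(w, "accepted by T1 || T2:", accepts(T, w))
```

Running it shows the product with 4 states and 5 transitions: "abc" and "bac" are accepted (a and b interleave freely, c is taken jointly), while "cab" and "ac" are rejected because c is blocked until both components are ready. The check returns True for every word tried, including the empty word, which is the base case of the recursive projection.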

  6. Parallel State Machines
  • Parallel state machine $T = (T_1, \ldots, T_n)$, $\Sigma_i = 2^E \times C \times 2^A$
  • What is the global state machine associated with a parallel state machine? ("flattening")
  • synchronization by common e[c]/a is not an option
  • possible choices: synchronize or compete on common input events (triggers)?
  • what if an effect contains sending of a trigger? ("run-to-completion semantics": tedious formalization)

  7. Example

  8. Introducing Data
  • Simple state machines: $E$ is a set of events, $C$ a set of conditions, $A$ a set of actions; a simple state machine is an LTS where $\Sigma = 2^E \times C \times 2^A$
  • Extended state machine: assume a first-order signature $(D, F, R)$ with finite domains $D$ and a set $V$ of program variables on these domains. An ESM is a simple state machine where
    • a guard is a quantifier-free first-order formula over $(D, F, R)$ and $V$
    • an action is an assignment $v := t$ of a term $t$ to a variable $v \in V$
  • Attention: the effect of a transition is a set of actions! Parallel execution introduces nondeterminism.
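The last bullet in action, as an added example (my code, not part of the slides): the effect of an ESM transition is a set of assignments, and the post-valuation depends on whether the set is executed synchronously (all right-hand sides read the pre-state) or one action after another in some order. The code enumerates every execution order and reports whether the effect is deterministic. Terms are modelled as functions of the current valuation; the action sets SWAP and the test data are my constructions.

```python
from itertools import permutations

# Effect of an ESM transition = a SET of actions v := t (slide 8). This added example shows
# why that is nondeterministic: the order of execution matters unless all actions read the
# pre-state. A term is modelled as a function of the current valuation (a dict).
def run_simultaneous(actions, valuation):
    """Synchronous semantics: all right-hand sides evaluated on the pre-state, then written."""
    new_values = {v: term(valuation) for v, term in actions}
    return {**valuation, **new_values}

def run_sequential(actions, valuation, order):
    """Interleaved semantics: fire the actions in the given order; later ones see earlier writes."""
    val = dict(valuation)
    for idx in order:
        v, term = actions[idx]
        val[v] = term(val)
    return val

def possible_outcomes(actions, valuation):
    """Every post-valuation some execution order of the action set can produce."""
    return {tuple(sorted(run_sequential(actions, valuation, order).items()))
            for order in permutations(range(len(actions)))}

def is_deterministic(actions, valuation):
    """True iff every execution order of the set yields the same post-valuation."""
    return len(possible_outcomes(actions, valuation)) == 1

# Constructed example: the action set {x := y, y := x}, a swap under synchronous semantics.
SWAP = [("x", lambda v: v["y"]), ("y", lambda v: v["x"])]
# Constructed example with disjoint read and write sets: order cannot matter.
INDEPENDENT = [("x", lambda v: v["a"] + 1), ("y", lambda v: v["b"] * 2)]

if __name__ == "__main__":
    start = {"x": 1, "y": 2}
    print("synchronous:", run_simultaneous(SWAP, start))
    print("all interleavings:", possible_outcomes(SWAP, start))
    print("deterministic:", is_deterministic(SWAP, start))
```

For the swap set the synchronous reading gives x = 2, y = 1, whereas sequential execution yields either x = y = 2 or x = y = 1 depending on the order, so the effect is nondeterministic; the second set, whose actions read and write disjoint variables, gives the same result under every order.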

  9. Example

  10. Introducing Hierarchies
  • In a UML state machine, a state may contain other states
  • powerful abstraction concept
  • semantics can be tedious

  11. Introducing Visibility Scopes
  • A state machine can be part of a class or module
    • all variables are visible within the module only
    • modules may be nested
  • Classes or modules can be parameterized
    • instances of classes are objects

  12. Introducing Fairness
  • LTSs cannot specify that something will eventually happen
  • only maximal sequences are accepted (terminating or infinite)
  • want to express that in infinite runs, certain states must occur infinitely often
  • Just LTS = (LTS, $J$), where $J = (J_1, \ldots, J_m)$, $J_i \subseteq S$ (justice requirements)
    • for each $J_i \in J$, each infinite run must contain infinitely many $s \in J_i$
  • Fair LTS = (LTS, $F$), where $F = (F_1, \ldots, F_m)$, $F_i = (P_i, Q_i)$, $P_i \subseteq S$, $Q_i \subseteq S$ (compassion requirements)
    • for each $F_i \in F$ and each infinite run it holds that if the run contains infinitely many $s \in P_i$, then it also contains infinitely many $s \in Q_i$
  • Cf. automata theory: justice is a (generalized) Büchi acceptance condition; compassion is a Streett condition, the dual of Rabin acceptance (Rabin asks for some pair with $P_i$ visited only finitely often and $Q_i$ infinitely often)
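Justice and compassion checked on concrete runs, as an added example (my code, not from the lecture). An infinite run of a finite LTS that a model checker reports is ultimately periodic, a "lasso" (prefix, loop), and the states occurring infinitely often are exactly those on the loop; so both requirements reduce to set intersections with the loop. The code enumerates the lassos of a small system and keeps the fair ones. The arbiter LTS, its requirement sets and all function names are my constructions.

```python
from collections import deque

# Justice and compassion from slide 12, checked on ultimately periodic runs ("lassos").
# A run is (prefix, loop): the states of loop are exactly those occurring infinitely often.
# The arbiter LTS at the bottom is a constructed example, not from the slides.
def infinitely_often(run):
    _prefix, loop = run
    return frozenset(loop)

def is_just(run, J):
    """Justice: each Ji in J is visited infinitely often (a generalized Büchi condition)."""
    inf = infinitely_often(run)
    return all(inf & frozenset(Ji) for Ji in J)

def is_compassionate(run, F):
    """Compassion: for each (Pi, Qi), infinitely often in Pi implies infinitely often in Qi
    (a Streett condition)."""
    inf = infinitely_often(run)
    return all(not (inf & frozenset(Pi)) or bool(inf & frozenset(Qi)) for Pi, Qi in F)

def reachable_paths(delta, init):
    """Shortest path from an initial state to every reachable state (BFS).
    delta maps a state to the list of its successors."""
    paths = {s: [s] for s in init}
    queue = deque(init)
    while queue:
        s = queue.popleft()
        for q in delta.get(s, ()):
            if q not in paths:
                paths[q] = paths[s] + [q]
                queue.append(q)
    return paths

def simple_cycles_through(delta, c, max_len):
    """Simple cycles c -> ... -> c of at most max_len states, each returned as its state list."""
    cycles = []
    def dfs(path):
        if len(path) > max_len:
            return
        for q in delta.get(path[-1], ()):
            if q == c:
                cycles.append(list(path))
            elif q not in path:
                dfs(path + [q])
    dfs([c])
    return cycles

def fair_lassos(delta, init, J, F, max_len=10):
    """All lassos (path to c, simple cycle at c) whose infinite part satisfies J and F."""
    found = []
    for c, path in reachable_paths(delta, init).items():
        for loop in simple_cycles_through(delta, c, max_len):
            run = (path[:-1], loop)          # path ends in c, which is loop[0]
            if is_just(run, J) and is_compassionate(run, F):
                found.append(run)
    return found

# Constructed arbiter: a client idles, requests, may wait, is granted use, returns to idle.
ARBITER = {"idle": ["idle", "req"], "req": ["req", "use"], "use": ["idle"]}
REQUEST_OFTEN = [{"req"}]                      # justice: the client requests infinitely often
EVERY_REQUEST_SERVED = [({"req"}, {"use"})]   # compassion: requesting i.o. implies using i.o.

if __name__ == "__main__":
    for prefix, loop in fair_lassos(ARBITER, {"idle"}, [], []):
        run = (prefix, loop)
        print(prefix, loop, "just:", is_just(run, REQUEST_OFTEN),
              "compassionate:", is_compassionate(run, EVERY_REQUEST_SERVED))
```

The arbiter has five lassos. The run that idles forever violates justice (it never requests), and the run that waits in req forever violates compassion (it requests infinitely often without ever being granted use); the remaining three satisfy both requirements, which is what restricting the LTS to fair runs achieves.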

  13. Example: Peterson's Mutual Exclusion
  { t=0; x=0; y=0;
    { 0: while(true) { NC1: skip; 1: x=1; 2: t=1; 3: await(t==0 ∨ y==0); C1: skip; 4: x=0; } }
    ||
    { 0: while(true) { NC2: skip; 1: y=1; 2: t=0; 3: await(t==1 ∨ x==0); C2: skip; 4: y=0; } }
  }
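The program above as a finite-state model, explored exhaustively, as an added example (my code, not the slide's). A global state is (pc1, pc2, x, y, t), the "(program counters, valuation)" view of slide 2; each process is a table of guard/update pairs per location, and the interleaving semantics fires one enabled transition of one process per step. Breadth-first search over the reachable states checks the mutual-exclusion invariant and looks for deadlocks, and reports a shortest counterexample trace when the invariant fails. The two broken variants (flags without the turn variable, and the test-then-set order that checks the other flag before raising its own, a classic time-of-check/time-of-use race) are my additions for contrast; the names process, explore, mutex_violation and deadlocks are my own.

```python
from collections import deque

# Peterson's algorithm from the slide as two parallel while-programs over finite domains.
# A global state is (pc1, pc2, x, y, t): the program counters plus the variable valuation.
# Each process is a table of (guard, update) per location; the interleaving step fires one
# enabled transition of one process. Helper names and the broken variants are my own.
VARS = ("x", "y", "t")
NC, CS = 0, 4   # location 0 = non-critical section, location 4 = critical section

def process(i, turn=True, set_before_wait=True):
    """Locations 0..5: NC, three entry steps, CS, exit step. turn=False drops the turn
    variable t (flags only); set_before_wait=False waits before raising the flag
    (test-then-set). Both variants are deliberately wrong and added for contrast."""
    me, other = ("x", "y") if i == 1 else ("y", "x")
    t_give, t_wait = (1, 0) if i == 1 else (0, 1)   # P1: t=1, await t==0 or y==0; P2 mirrored
    always = lambda v: True
    set_flag = (always, {me: 1})
    give_turn = (always, {"t": t_give} if turn else {})
    wait = (lambda v: (turn and v["t"] == t_wait) or v[other] == 0, {})
    entry = [set_flag, give_turn, wait] if set_before_wait else [wait, set_flag, give_turn]
    return [(always, {})] + entry + [(always, {}), (always, {me: 0})]

def successors(state, progs):
    """All global successors under interleaving: one process fires its enabled transition."""
    pcs, vals = state[:2], dict(zip(VARS, state[2:]))
    for i, prog in enumerate(progs):
        guard, update = prog[pcs[i]]
        if guard(vals):
            nv = {**vals, **update}
            npc = list(pcs)
            npc[i] = (pcs[i] + 1) % len(prog)
            yield (npc[0], npc[1], nv["x"], nv["y"], nv["t"])

def explore(progs, init=(NC, NC, 0, 0, 0)):
    """Breadth-first reachability from init; returns {state: predecessor} (init -> None)."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        for q in successors(s, progs):
            if q not in parent:
                parent[q] = s
                queue.append(q)
    return parent

def trace_to(parent, s):
    """Shortest interleaving from the initial state to s, read off the BFS tree."""
    trace = []
    while s is not None:
        trace.append(s)
        s = parent[s]
    return trace[::-1]

def mutex_violation(progs):
    """Counterexample trace to a state with both processes in CS, or None if mutex holds."""
    parent = explore(progs)
    for s in parent:
        if s[0] == CS and s[1] == CS:
            return trace_to(parent, s)
    return None

def deadlocks(progs):
    """Reachable states without any successor, i.e. maximal runs that terminate."""
    parent = explore(progs)
    return [s for s in parent if not any(True for _ in successors(s, progs))]

PETERSON = [process(1), process(2)]
FLAGS_ONLY = [process(1, turn=False), process(2, turn=False)]
TEST_THEN_SET = [process(1, turn=False, set_before_wait=False),
                 process(2, turn=False, set_before_wait=False)]

if __name__ == "__main__":
    print("Peterson: reachable states", len(explore(PETERSON)),
          "mutex violation", mutex_violation(PETERSON), "deadlocks", deadlocks(PETERSON))
    print("flags only: deadlocks", deadlocks(FLAGS_ONLY))
    print("test-then-set: counterexample", mutex_violation(TEST_THEN_SET))
```

Peterson's algorithm passes both checks: no reachable state has both processes at location 4, and every reachable state has an enabled transition (when both wait at location 3 with x = y = 1, the value of t enables exactly one of them). Dropping the turn variable keeps mutual exclusion but introduces the deadlock state in which both flags are raised and both processes wait; the test-then-set order has no deadlock but yields a counterexample in which both processes pass their await before either flag is set. The whole state space is bounded by the product 6 · 6 · 2 · 2 · 2 of the location and variable domains, which is what makes the exhaustive check possible.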

  14. Summary: Finite State Modeling Concepts
  • We discussed
    • (parallel) while-programs with finite domains
    • Labeled transition systems
    • Simple state machines
    • Parallel transition systems / state machines
    • UML state machines
    • Object-oriented concepts
    • Fairness constraints (justice, compassion)
  • Mutual simulation possible
    • but may be tedious; cross-compiler technology
