- 86 Views
- Uploaded on
- Presentation posted in: General

Software Verification 2 Automated Verification

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Software Verification 2Automated Verification

Prof. Dr. Holger Schlingloff

Institut für Informatik der Humboldt Universität

and

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

- LTS=(, S, , S0)
- is a nonempty finite alphabet
- S is a nonempty finite set of states
- S S is the transition relation
- S0 S is the set of initial states
remark: sometimes a pseudo state s0S is used instead of S0S;sometimes there is only a single initial state s0S

- state = (program counter(s), variable valuation)transition = (state, instruction, state)
- S0 can be written as a predicate on variables and pc’s
- init: (pc== x==0 y<=5 ...)

- can be written as a predicate on current and next variables
- : ((pc== x‘==x+1) (pc== x‘==x+2) ...)

next(state):= case

inp=0: state;

inp=50 & state=s0: s50;

inp=50 & state=s50: s0;

esac;

((inp==0 state‘==state)

(inp==50 state=s0 state‘== s50)

(inp==50 state=s50 state‘==s0) )

((inp==0 state‘==state)

(inp==50 (state=s0 state‘== s50 )

(state=s50 state‘== s0 )

)

)

- Parallel transition system / state machine
- T=(T1,...,Tn)
- all state sets must be pairwise disjoint

- Global TS associated with parallel TS: T=(, S, , S0), where
- = i
- S=S1 ... Sn
- S0=S10 ... Sn0
- ((s1,...,sn), a, (s1’,...,sn’)) iff for all Ti,
- if a i, then (si, a, si’) i, and
- if a i, then si’= si

- Complexity (size of this construction)? Correctness???

- T=(T1,...,Tn), T =T1 ... Tn

- projection of run onto the alphabet of a transition system: =123...|Ti =if (1i) then 1 (23...)|Ti else (23...)|Ti
- Show: T acc iffi (Ti acc | Ti )
- can also be used as a definition

- Parallel state machine
- T=(T1,...,Tn), i=2E C 2A

- What is the global state machine associated with a parallel state machine? (“flattening”)
- synchronization by common e[c]/a is not an option
- possible choices: synchronize or compete on common input events (triggers)?
- what if an effect contains sending of a trigger?
(“run-to-completion-semantics”: tedious formalization)

- Simple state machines
- E: set of events, C: set of conditions, A: set of actions
- a simple state machine is an LTS where =2E C 2A

- Extended state machine: Assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
- a guard is a quantifier-free first-order formula on (D, F, R) and V
- an action is an assignment V=T
- Attention: the effect of a transition is a set of actions!Parallel execution introduces nondeterminism.

- In a UML state machine, a state may contain other states
- powerful abstraction concept
- semantics can be tedious

- A state machine can be part of a class or module
- all variables are visible within the module only
- modules may be nested

- Classes or modules can be parameterized
- instances of classes are objects

- LTSs cannot specify that something will eventually happen
- only maximal sequences are accepted (terminating or infinite)

- want to express that in infinite runs, certain states must occur infinitely often
- Just LTS=(LTS,J), where J=(J1,...,Jm), JiS(justice requirements)
- for each JiJ each infinite run must contain infinitely many sJi

- Fair LTS=(LTS,F), where F=(F1,...,Fm), Fi=(Pi,Qi), PiS, QiS(compassion requirements)
- for each FiF and each infinite run it holds that if it contains infinitely many sPi, then it also contains infinitely many sQi

- Cf. automata theory: Büchi- and Rabin-acceptance

{t=0; x=0; y=0;

{0:while(true){NC1: skip; 1:x=1; 2:t=1;

3:await(t==0 y==0); C1: skip;

4:x=0;}

||

{0:while(true){NC2: skip; 1:y=1; 2:t=0;

3:await(t==1 x==0); C2: skip;

4:y=0;}

}

- We discussed
- (parallel) while-Programs with finite domains
- Labeled transition systems
- Simple state machines
- Parallel transition systems / state machines
- UML state machines
- Object-oriented concepts
- Fairness Constraints (justice, compassion)

- Mutual simulation possible
- but may be tedious; cross-compiler technology