Software Verification 2 Automated Verification

1 / 14

# Software Verification 2 Automated Verification - PowerPoint PPT Presentation

Software Verification 2 Automated Verification. Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik. Recap: LTS. LTS=( , S, , S 0 )  is a nonempty finite alphabet

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about ' Software Verification 2 Automated Verification' - gerda

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### Software Verification 2Automated Verification

Prof. Dr. Holger Schlingloff

Institut für Informatik der Humboldt Universität

and

Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Recap: LTS
• LTS=(, S, , S0)
•  is a nonempty finite alphabet
• S is a nonempty finite set of states
•   S    S is the transition relation
• S0  S is the set of initial states

remark: sometimes a pseudo state s0S is used instead of S0S;sometimes there is only a single initial state s0S

• state = (program counter(s), variable valuation)transition = (state, instruction, state)
• S0 can be written as a predicate on variables and pc’s
• init: (pc==  x==0  y<=5  ...)
•  can be written as a predicate on current and next variables
• : ((pc==  x‘==x+1)  (pc== x‘==x+2)  ...)
Boolean Equivalences

next(state):= case

inp=0 : state;

inp=50 & state=s0 : s50;

inp=50 & state=s50 : s0;

esac;

( (inp==0  state‘==state) 

(inp==50  state=s0  state‘== s50) 

(inp==50  state=s50  state‘==s0) )

( (inp==0  state‘==state) 

(inp==50  (state=s0  state‘== s50 ) 

(state=s50  state‘== s0 )

)

)

Parallel transition system / state machine

• T=(T1,...,Tn)
• all state sets must be pairwise disjoint
• Global TS associated with parallel TS: T=(, S, , S0), where
• = i
• S=S1 ...  Sn
• S0=S10 ... Sn0
• ((s1,...,sn), a, (s1’,...,sn’))   iff for all Ti,
• if a  i, then (si, a, si’)  i, and
• if a  i, then si’= si
• Complexity (size of this construction)? Correctness???
Correctness
• T=(T1,...,Tn), T =T1 ...  Tn
• Intuitively: T accepts/generates exactly those sequences which are accepted/generated by all Ti
• projection of run onto the alphabet of a transition system: =123...|Ti =if (1i) then 1 (23...)|Ti else (23...)|Ti
• Show: T acc  iffi (Ti acc | Ti )
• can also be used as a definition
Parallel State Machines
• Parallel state machine
• T=(T1,...,Tn), i=2E  C  2A
• What is the global state machine associated with a parallel state machine? (“flattening”)
• synchronization by common e[c]/a is not an option
• possible choices: synchronize or compete on common input events (triggers)?
• what if an effect contains sending of a trigger?

(“run-to-completion-semantics”: tedious formalization)

Introducing Data
• Simple state machines
• E: set of events, C: set of conditions, A: set of actions
• a simple state machine is an LTS where =2E  C  2A
• Extended state machine: Assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
• a guard is a quantifier-free first-order formula on (D, F, R) and V
• an action is an assignment V=T
• Attention: the effect of a transition is a set of actions!Parallel execution introduces nondeterminism.
Introducing Hierarchies
• In a UML state machine, a state may contain other states
• powerful abstraction concept
• semantics can be tedious
Introducing Visibility Scopes
• A state machine can be part of a class or module
• all variables are visible within the module only
• modules may be nested
• Classes or modules can be parameterized
• instances of classes are objects
Introducing Fairness
• LTSs cannot specify that something will eventually happen
• only maximal sequences are accepted (terminating or infinite)
• want to express that in infinite runs, certain states must occur infinitely often
• Just LTS=(LTS,J), where J=(J1,...,Jm), JiS(justice requirements)
• for each JiJ each infinite run must contain infinitely many sJi
• Fair LTS=(LTS,F), where F=(F1,...,Fm), Fi=(Pi,Qi), PiS, QiS(compassion requirements)
• for each FiF and each infinite run it holds that if it contains infinitely many sPi, then it also contains infinitely many sQi
• Cf. automata theory: Büchi- and Rabin-acceptance
Example: Peterson’s Mutual Exclusion

{t=0; x=0; y=0;

{0:while(true){NC1: skip; 1:x=1; 2:t=1;

3:await(t==0  y==0); C1: skip;

4:x=0;}

||

{0:while(true){NC2: skip; 1:y=1; 2:t=0;

3:await(t==1  x==0); C2: skip;

4:y=0;}

}

Summary: Finite State Modeling Concepts
• We discussed
• (parallel) while-Programs with finite domains
• Labeled transition systems
• Simple state machines
• Parallel transition systems / state machines
• UML state machines
• Object-oriented concepts
• Fairness Constraints (justice, compassion)
• Mutual simulation possible
• but may be tedious; cross-compiler technology