Software Verification 2: Automated Verification
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 (H. Schlingloff, SS2012: SWV 2)
Recap: LTS
• LTS = (, S, , S0), where
  - the first component is a nonempty finite alphabet
  - S is a nonempty finite set of states
  - the third component is the transition relation, a set of triples (state, symbol, state) over S, the alphabet and S
  - S0, a subset of S, is the set of initial states
  remark: sometimes a pseudo state s0 (an element of S) is used instead of the set S0 (a subset of S); sometimes there is only a single initial state s0 in S
• state = (program counter(s), variable valuation)
  transition = (state, instruction, state)
• S0 can be written as a predicate on variables and pc's, e.g. init: (pc== x==0 y<=5 ...)
• The transition relation can be written as a predicate on current and next variables: ((pc== x'==x+1) (pc== x'==x+2) ...)
12.4.2012
Slide 3
Boolean Equivalences
next(state) := case
  inp=0 : state;
  inp=50 & state=s0 : s50;
  inp=50 & state=s50 : s0;
esac;

( (inp==0 state'==state) (inp==50 state=s0 state'==s50) (inp==50 state=s50 state'==s0) )

( (inp==0 state'==state)
  (inp==50 (state=s0 state'==s50)
           (state=s50 state'==s0))
)
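As an added example (my own code, not from the slides), the case statement and the two hand-written transition predicates above can be compared mechanically by enumerating every valuation of (inp, state, state'), which is also how the "predicate on current and next variables" view of a transition relation from slide 2 is checked in practice. Assumptions: inp ranges over {0, 50} and state over {s0, s50} (the only values the case statement mentions), and the connectives lost in the extracted formulas are read as conjunction, disjunction and implication. A third predicate with a deliberately dropped frame condition shows what the check catches.

```python
# Added example, not from the slides: exhaustive comparison of a NuSMV-style
# `next(state) := case ... esac` assignment with transition predicates over
# (inp, state, state').  Domains are an assumption: inp in {0, 50},
# state in {"s0", "s50"}.
from itertools import product

INPUTS = (0, 50)
STATES = ("s0", "s50")


def next_state(inp, state):
    """Functional reading of the case statement: the first matching branch wins."""
    if inp == 0:
        return state
    if inp == 50 and state == "s0":
        return "s50"
    if inp == 50 and state == "s50":
        return "s0"
    raise ValueError("case statement is not exhaustive for this valuation")


def implies(p, q):
    return (not p) or q


def relation_flat(inp, state, nxt):
    """First formula: a conjunction of three implications."""
    return (implies(inp == 0, nxt == state)
            and implies(inp == 50 and state == "s0", nxt == "s50")
            and implies(inp == 50 and state == "s50", nxt == "s0"))


def relation_factored(inp, state, nxt):
    """Second formula: the inp == 50 case factored into a disjunction of conjunctions."""
    return (implies(inp == 0, nxt == state)
            and implies(inp == 50,
                        (state == "s0" and nxt == "s50")
                        or (state == "s50" and nxt == "s0")))


def relation_missing_frame(inp, state, nxt):
    """Constructed buggy variant: the inp == 0 branch forgot to constrain state'."""
    return (implies(inp == 50 and state == "s0", nxt == "s50")
            and implies(inp == 50 and state == "s50", nxt == "s0"))


def valuations():
    """All assignments to (inp, state, state')."""
    return product(INPUTS, STATES, STATES)


def formulas_equivalent():
    """True iff the flat and the factored predicate agree on every valuation."""
    return all(relation_flat(*v) == relation_factored(*v) for v in valuations())


def predicate_matches_case(relation):
    """True iff the predicate holds exactly when state' is the case-statement result."""
    return all(relation(i, s, n) == (n == next_state(i, s)) for i, s, n in valuations())


def counterexample(rel_a, rel_b):
    """First valuation (in enumeration order) on which two predicates disagree, or None."""
    for v in valuations():
        if rel_a(*v) != rel_b(*v):
            return v
    return None


if __name__ == "__main__":
    print("flat == factored:", formulas_equivalent())
    print("flat matches case:", predicate_matches_case(relation_flat))
    print("missing frame differs at:", counterexample(relation_flat, relation_missing_frame))
```

The missing-frame variant is the classic mistake when a case statement is translated by hand: without `inp==0 → state'==state` the next state is unconstrained in the inp==0 case, and the enumeration reports the first valuation where the two relations differ.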
Slide 4
• Parallel transition system / state machine T=(T1,...,Tn); all state sets must be pairwise disjoint
• Global TS associated with the parallel TS: T=(, S, , S0), where
  - the alphabet of T is the union of the alphabets of the Ti
  - S = S1 ... Sn (the product of the component state sets)
  - S0 = S10 ... Sn0
  - ((s1,...,sn), a, (s1',...,sn')) is a transition of T iff for all Ti:
    - if a is in the alphabet of Ti, then (si, a, si') is a transition of Ti, and
    - if a is not in the alphabet of Ti, then si' = si
• Complexity (size of this construction)? Correctness???
19.4.2012
Slide 5
Correctness
• T=(T1,...,Tn), T = T1 ... Tn
• Intuitively: T accepts/generates exactly those sequences which are accepted/generated by all Ti
  - projection of a run a1 a2 a3 ... onto the alphabet of a transition system Ti, written (a1 a2 a3 ...)|Ti: if a1 is in the alphabet of Ti, then a1 followed by (a2 a3 ...)|Ti, else (a2 a3 ...)|Ti
  - Show: T accepts a run iff for all i, Ti accepts the run's projection onto the alphabet of Ti (this can also be used as a definition)
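The global transition system of slide 4 and the projection-based correctness statement of slide 5, as an added example (my own code, not from the slides): a small LTS class, the product construction with synchronisation on common letters, and a brute-force check that T accepts a word exactly when every component accepts the word's projection. The names `LTS`, `compose`, `project`, `correctness_holds` and the constructed client/server pair are my own choices; acceptance means that some run from an initial state reads the whole word.

```python
# Added example, not from the slides: LTS, global TS of a parallel TS, and
# the projection correctness check, all by explicit enumeration.
from itertools import product


class LTS:
    """LTS = (alphabet, states, transitions, initial); transitions are (s, a, s') triples."""

    def __init__(self, alphabet, states, transitions, initial):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.transitions = frozenset(transitions)
        self.initial = frozenset(initial)

    def accepts(self, word):
        """True iff some run from an initial state reads the whole word."""
        current = set(self.initial)
        for a in word:
            if a not in self.alphabet:
                return False
            current = {t for (s, b, t) in self.transitions if s in current and b == a}
            if not current:
                return False
        return True


def compose(components):
    """Global TS of slide 4: alphabet = union, states and initial states = product;
    on letter a every component whose alphabet contains a moves, the others stay put."""
    alphabet = frozenset().union(*(c.alphabet for c in components))
    states = set(product(*(c.states for c in components)))          # |S1| * ... * |Sn| states
    initial = set(product(*(c.initial for c in components)))
    transitions = set()
    for s in states:
        for a in alphabet:
            options = []
            for c, si in zip(components, s):
                if a in c.alphabet:
                    options.append([t for (p, b, t) in c.transitions if p == si and b == a])
                else:
                    options.append([si])      # a not in the alphabet of Ti: si' = si
            for s2 in product(*options):
                transitions.add((s, a, s2))
    return LTS(alphabet, states, transitions, initial)


def project(word, alphabet):
    """Projection of a run onto an alphabet: drop every letter outside it."""
    return tuple(a for a in word if a in alphabet)


def correctness_holds(components, max_len):
    """Slide 5: T accepts w iff every Ti accepts w|Ti, checked for all words
    over the global alphabet up to length max_len."""
    t = compose(components)
    for n in range(max_len + 1):
        for w in product(sorted(t.alphabet), repeat=n):
            if t.accepts(w) != all(c.accepts(project(w, c.alphabet)) for c in components):
                return False
    return True


# Constructed sample: a client and a server synchronising on req / ack.
CLIENT = LTS({"think", "req", "ack"}, {"p0", "p1", "p2"},
             {("p0", "think", "p1"), ("p1", "req", "p2"), ("p2", "ack", "p0")}, {"p0"})
SERVER = LTS({"req", "work", "ack"}, {"q0", "q1", "q2"},
             {("q0", "req", "q1"), ("q1", "work", "q2"), ("q2", "ack", "q0")}, {"q0"})
SYSTEM = compose([CLIENT, SERVER])

if __name__ == "__main__":
    print("global states:", len(SYSTEM.states), "transitions:", len(SYSTEM.transitions))
    print("think req work ack accepted:", SYSTEM.accepts(("think", "req", "work", "ack")))
    print("correctness up to length 4:", correctness_holds([CLIENT, SERVER], 4))
```

`len(SYSTEM.states)` is 9 for two three-state components, which is the complexity point of slide 4: the construction enumerates the full product even though only part of it is reachable, and the state count multiplies with every added component.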
Slide 6
Parallel State Machines
• Parallel state machine T=(T1,...,Tn), each Ti with alphabet i = 2E C 2A
• What is the global state machine associated with a parallel state machine? ("flattening")
  - synchronization by common e[c]/a is not an option
  - possible choices: synchronize or compete on common input events (triggers)?
  - what if an effect contains sending of a trigger? ("run-to-completion semantics": tedious formalization)
Slide 7
Example
Slide 8
Introducing Data
• Simple state machines: E: set of events, C: set of conditions, A: set of actions; a simple state machine is an LTS whose alphabet is 2E C 2A
• Extended state machine: assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
  - a guard is a quantifier-free first-order formula on (D, F, R) and V
  - an action is an assignment V=T
  - Attention: the effect of a transition is a set of actions! Parallel execution introduces nondeterminism.
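The last point deserves a concrete case. The following added example (my own code, not from the slides) fires one extended-state-machine transition whose effect is the set of assignments {x := y, y := x} under two semantics: all right-hand sides evaluated on the pre-state at once, and the assignments executed one after another in every possible order. The variable names, the guard and the swap effect are constructed for illustration.

```python
# Added example, not from the slides: one ESM transition with a guard and a
# set of actions, evaluated simultaneously and as sequential interleavings.
from itertools import permutations


def guard_x_ne_y(v):
    """Constructed guard: x != y."""
    return v["x"] != v["y"]


# Constructed effect: the set of actions {x := y, y := x}, each term a function
# of the valuation it is evaluated on.
EFFECT_SWAP = {"x": lambda v: v["y"], "y": lambda v: v["x"]}


def fire_simultaneous(valuation, guard, effect):
    """Every term reads the pre-state; returns the single successor, or None if disabled."""
    if not guard(valuation):
        return None
    updates = {var: term(valuation) for var, term in effect.items()}
    return {**valuation, **updates}


def fire_interleaved(valuation, guard, effect):
    """Actions executed one after another in any order: the set of all successors."""
    if not guard(valuation):
        return set()
    results = set()
    for order in permutations(effect):
        v = dict(valuation)
        for var in order:
            v[var] = effect[var](v)          # later actions see earlier updates
        results.add(tuple(sorted(v.items())))
    return results


def is_deterministic(valuation, guard, effect):
    """True iff the order of the actions does not matter from this valuation."""
    return len(fire_interleaved(valuation, guard, effect)) <= 1


if __name__ == "__main__":
    start = {"x": 1, "y": 2}
    print("simultaneous:", fire_simultaneous(start, guard_x_ne_y, EFFECT_SWAP))
    print("interleaved: ", fire_interleaved(start, guard_x_ne_y, EFFECT_SWAP))
```

From x=1, y=2 the simultaneous semantics yields the swap x=2, y=1, while the sequential orders yield either x=2, y=2 or x=1, y=1; a flattening that serialises the action set therefore has to either fix an order or accept the extra nondeterminism.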
Slide 9
Example
Slide 10
Introducing Hierarchies
• In a UML state machine, a state may contain other states
  - powerful abstraction concept
  - semantics can be tedious
Slide 11
Introducing Visibility Scopes
• A state machine can be part of a class or module
  - all variables are visible within the module
  - only modules may be nested
• Classes or modules can be parameterized; instances of classes are objects
Slide 12
Introducing Fairness
• LTSs cannot specify that something will eventually happen; only maximal sequences are accepted (terminating or infinite)
• want to express that in infinite runs, certain states must occur infinitely often
• Just LTS = (LTS, J), where J=(J1,...,Jm), each Ji a subset of S (justice requirements): for each Ji in J, each infinite run must contain infinitely many s in Ji
• Fair LTS = (LTS, F), where F=(F1,...,Fm), Fi=(Pi,Qi), Pi and Qi subsets of S (compassion requirements): for each Fi in F and each infinite run it holds that if the run contains infinitely many s in Pi, then it also contains infinitely many s in Qi
• Cf. automata theory: Büchi- and Rabin-acceptance
Slide 13
Example: Peterson’s Mutual Exclusion
{ t=0; x=0; y=0;
  { 0: while(true) { NC1: skip; 1: x=1; 2: t=1; 3: await(t==0 y==0); C1: skip; 4: x=0; } }
  ||
  { 0: while(true) { NC2: skip; 1: y=1; 2: t=0; 3: await(t==1 x==0); C2: skip; 4: y=0; } }
}
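The program above and the fairness notions of slide 12 together, as an added example (my own code, not from the slides): an explicit-state exploration of the Peterson program that checks mutual exclusion and deadlock freedom over all reachable states, plus justice and compassion checks on lasso-shaped runs (a prefix followed by a cycle repeated forever), where "infinitely many states in Ji" becomes "the cycle meets Ji". Assumptions: the connective missing from the await conditions in the extracted text is a disjunction (the standard Peterson condition), exactly one process moves per step, and a state is the tuple (pc1, pc2, t, x, y) using the labels of the program text.

```python
# Added example, not from the slides: explicit-state exploration of the
# Peterson program and fairness checks on lasso runs.  State = (pc1, pc2, t, x, y).

def step1(s):
    """Successor of s when process 1 moves; empty list if process 1 is blocked."""
    pc1, pc2, t, x, y = s
    if pc1 == "3":                                   # await(t == 0 or y == 0), read as disjunction
        return [("C1", pc2, t, x, y)] if (t == 0 or y == 0) else []
    table = {"0": ("NC1", t, x, y), "NC1": ("1", t, x, y),
             "1": ("2", t, 1, y),                    # x = 1
             "2": ("3", 1, x, y),                    # t = 1
             "C1": ("4", t, x, y),
             "4": ("0", t, 0, y)}                    # x = 0
    npc, nt, nx, ny = table[pc1]
    return [(npc, pc2, nt, nx, ny)]


def step2(s):
    """Successor of s when process 2 moves; empty list if process 2 is blocked."""
    pc1, pc2, t, x, y = s
    if pc2 == "3":                                   # await(t == 1 or x == 0), read as disjunction
        return [(pc1, "C2", t, x, y)] if (t == 1 or x == 0) else []
    table = {"0": ("NC2", t, x, y), "NC2": ("1", t, x, y),
             "1": ("2", t, x, 1),                    # y = 1
             "2": ("3", 0, x, y),                    # t = 0
             "C2": ("4", t, x, y),
             "4": ("0", t, x, 0)}                    # y = 0
    npc, nt, nx, ny = table[pc2]
    return [(pc1, npc, nt, nx, ny)]


INIT = ("0", "0", 0, 0, 0)                           # t = 0; x = 0; y = 0; both at label 0


def reachable(init=INIT):
    """Depth-first exploration of the global state space: {state: [successor, ...]}."""
    graph, stack = {}, [init]
    while stack:
        s = stack.pop()
        if s in graph:
            continue
        graph[s] = step1(s) + step2(s)
        stack.extend(graph[s])
    return graph


def mutual_exclusion(graph):
    """Safety: no reachable state has both processes in their critical sections."""
    return not any(s[0] == "C1" and s[1] == "C2" for s in graph)


def deadlock_free(graph):
    """Every reachable state has at least one enabled process."""
    return all(graph[s] for s in graph)


def follow(start, choices):
    """Run obtained by scheduling the listed process (1 or 2) at each step."""
    run = [start]
    for c in choices:
        nxt = step1(run[-1]) if c == 1 else step2(run[-1])
        if not nxt:
            raise ValueError(f"process {c} is blocked in {run[-1]}")
        run.append(nxt[0])
    return run


def cycle_of(run):
    """The states repeated forever in a lasso run (run[-1] must occur earlier)."""
    return run[run.index(run[-1]):-1]


def justice_holds(cycle, in_J):
    """Justice requirement J: the infinite run visits J infinitely often."""
    return any(in_J(s) for s in cycle)


def compassion_holds(cycle, in_P, in_Q):
    """Compassion (P, Q): infinitely many visits to P imply infinitely many to Q."""
    return (not any(in_P(s) for s in cycle)) or any(in_Q(s) for s in cycle)


def in_c1(s):        # process 1 in its critical section
    return s[0] == "C1"


def waiting1(s):     # process 1 at its await
    return s[0] == "3"


if __name__ == "__main__":
    g = reachable()
    print("reachable states:", len(g), "mutex:", mutual_exclusion(g), "no deadlock:", deadlock_free(g))
    starved = cycle_of(follow(INIT, [2] * 7))        # process 2 loops, process 1 never scheduled
    print("justice 'C1 infinitely often' on the starving run:", justice_holds(starved, in_c1))
```

The run in which only process 2 is ever scheduled returns to the initial state after seven steps and never visits C1, so the justice requirement "process 1 is in C1 infinitely often" rules it out; alternating both processes produces a cycle that satisfies it. Mutual exclusion and deadlock freedom, by contrast, hold on every reachable state without any fairness assumption.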
Slide 14
Summary: Finite State Modeling Concepts
• We discussed:
  - (parallel) while-programs with finite domains
  - labeled transition systems
  - simple state machines
  - parallel transition systems / state machines
  - UML state machines
  - object-oriented concepts
  - fairness constraints (justice, compassion)
• Mutual simulation possible but may be tedious; cross-compiler technology