Presentation is loading. Please wait.

Presentation is loading. Please wait.

Micromodels of Software

Published bySylvia Tacey Modified over 9 years ago

Similar presentations

Presentation on theme: "Micromodels of Software"— Presentation transcript:

1 Micromodels of Software
Formal Methods in Verification of Computer Systems Jeremy Johnson

2 Outline Semantic Entailment Model checking
Given a set of formulas , is  ⊨  valid  encodes requirements and  as a property that all valid implementations should have Undecidable Model checking Given a formula  and a matching model M determine whether M ⊨l  holds Requirements encoded in model Fixes too many implementation choices

3 Outline Combination Small scope hypothesis Alloy (alloy.mit.edu)
Set of models (bounded size) Negative answer provides counter example Positive answer gives confidence Small scope hypothesis Negative answers tend to occur in small models Alloy (alloy.mit.edu)

4 Models Let F be a set of functions and P a set of predicates. A model M for (F,P) consists of A non-empty set A [universe] of concrete values For each nullary f  F an element of A = fM For each n-ary f  F a function fM : An  A For each n-ary P  P a subset PM  An

5 Satisfaction Given a model M for (F,P) and given an environment l : var  A the satisfaction relation M ⊨l  P(t1,…,tn)  (a1,…,an) and M ⊨l  iff (a1,…,an)  RM M ⊨l x  iff M ⊨l [x  a] holds for all a  A M ⊨l x  iff M ⊨l [x  a] holds for some a  A

6 Satisfaction Given a model M for (F,P) and given an environment l : var  A the satisfaction relation M ⊨l  M ⊨l  iff M ⊨l  does not hold M ⊨l 1  2 iff M ⊨l 1 and M ⊨l 2 holds M ⊨l 1  2 iff M ⊨l 1 or M ⊨l 2 holds M ⊨l 1  2 iff M ⊨l 2 holds whenever M ⊨l 1 holds

7 Semantic Entailment Let  be a set of formulas (possibly infinite) and  be a formula from predicate calculus  ⊨  holds iff for all models M and lookup tables l, whenever M ⊨l  holds for all  then M ⊨l  holds as well  is satisfiable iff there is some model M and lookup table l such that M ⊨l  holds  is valid iff M ⊨l  holds for all models M and lookup tables l

8 Example 1 F = {i} and P = {R,F}
i a constant function, R binary and F unary predicates Model – A set of states, initial state i, state transitions R, final states F A = {a,b,c} iM = a RM = {(a,a),(a,b),(a,c),(b,c), (c,c)} FM = {b,c}

9 Example 1 y R(i,y) F(i) x y z (R(x,y)  R(x,z)  y = z )
x y R(x,y)

10 Software Micromodels Want description M of all compliant implementations Mi of some software system. Given a property  Assertion checking: does  hold in all implementations Mi  M Consistency checking: does  hold in some implementations Mi  M

11 Alloy (alloy.mit.edu) “Alloy is a language for describing structures and a tool for exploring them. It has been used in a wide range of applications from finding holes in security mechanisms to designing telephone switching networks.” Declarative (language based on logic) Bounded queries Implemented using SAT solver Illustrate by describing concrete models of state machines (example 1) and checking assertion that “final states are not initial states) and consistency there are state machines that contain a non-final state that is deadlocked

12 Alloy Implementation module AboutStateMachines sig State {} -- simple states sig StateMachine { -- composite state machines A : set State, -- set of states of a state machine i : A, -- initial state of a state machine F : set A, -- set of final states of a state machine R : A -> A -- transition relation of a state machine }

13 Alloy Implementation -- E.G. assertion checking -- Claim that final states are never initial: false. assert FinalNotInitial { all M : StateMachine | no M.i & M.F } check FinalNotInitial for 3 but 1 StateMachine S0 S1 (F) S2 (I,F) R

14 Alloy Implementation -- E.G. consistency checking -- Is there a three-state machine with a non-final deadlock? True. pred AGuidedSimulation(M : StateMachine, s : M.A) { no s.(M.R) not s in M.F # M.A = 3 } run AGuidedSimulation for 3 but 1 StateMachine S0 S1 (F) R R S2 (I)

15 Example 2 F = {alma} and P = {loves}
P is a binary predicates, alma constant function Model – A set of states, A = {a,b,c} almaM = a lovesM = {(a,a),(b,a),(c,a)}

16 Example 2 almaM = a lovesM = {(a,a),(b,a),(c,a)}
lovesM’ = {(b,a),(c,b)} Does the model satisfy None of Alma’s lovers’ lovers love her xy (loves(x,alma)  loves(y,x)   loves(y,alma)

17 Alloy Implementation R
module AboutAlma sig Person {} sig SoapOpera { cast : set Person, alma : cast, loves : cast -> cast } assert OfLovers { all S : SoapOpera | all x, y : S.cast | S.alma in x.(S.loves) && x in y.(S.loves) => not S.alma in y.(S.loves) check OfLovers for 2 but 1 SoapOpera Person0 Alma Person1 R

18 Underspecified System
Add the following constaint Fact NoSelfLove { all S : SoapOpera, p : S.cast | not p in p.(S.loves) } No there are no counter examples Increase the number of persons to 3 provides the smallest counter example check OfLovers for 3 but 1 SoapOpera

19 Exercise Install alloy Go through the tutorial (file system example)
Study package dependency example from section 2.7 of the text Look under ancillary materials Note that code is for an older version of alloy and some changes are necessary

Download ppt "Micromodels of Software"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 2.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 2.
Verification of DSMLs Using Graph Transformation: A Case Study with Alloy Zekai Demirezen 1, Marjan Mernik 1,2, Jeff Gray 1, Barrett Bryant 1 1 Department.

Verification of DSMLs Using Graph Transformation: A Case Study with Alloy Zekai Demirezen 1, Marjan Mernik 1,2, Jeff Gray 1, Barrett Bryant 1 1 Department.
Example: Binary Adder We want to construct a finite state machine that will add two numbers. The input is two binary numbers, (xn…x1x0)2 and (yn…y1y0)2.

Example: Binary Adder We want to construct a finite state machine that will add two numbers. The input is two binary numbers, (xn…x1x0)2 and (yn…y1y0)2.
Introducing JavaScript

Introducing JavaScript
Global States.

Global States.
– Seminar in Software Engineering Cynthia Disenfeld

– Seminar in Software Engineering Cynthia Disenfeld
Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.

Finding bugs: Analysis Techniques & Tools Symbolic Execution & Constraint Solving CS161 Computer Security Cho, Chia Yuan.
Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.

Alan Shaffer, Mikhail Auguston, Cynthia Irvine, Tim Levin The 7th OOPSLA Workshop on Domain-Specific Modeling October 21-22, 2007 Toward a Security Domain.
One Dimensional Arrays

One Dimensional Arrays
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.

Alloy Vatche Ishakian Boston University- CS511 March/24/2008 Contributors: Andrei Lapets, Michalis Potamias, Mark Reynolds.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.

1 Programming Languages (CS 550) Lecture Summary Functional Programming and Operational Semantics for Scheme Jeremy R. Johnson.
Answer Set Programming Overview Dr. Rogelio Dávila Pérez Profesor-Investigador División de Posgrado Universidad Autónoma de Guadalajara

Answer Set Programming Overview Dr. Rogelio Dávila Pérez Profesor-Investigador División de Posgrado Universidad Autónoma de Guadalajara
So What Does it All Mean? Geospatial Semantics and Ontologies Dr Kristin Stock.

So What Does it All Mean? Geospatial Semantics and Ontologies Dr Kristin Stock.

Similar presentations

Ads by Google