
Formal Methods of Software Development, academic year 2013/2014, Prof. Anna Labella.




3 Introducing FV
What is formal verification?
–Establishing properties of system designs using mathematical methods
Why use formal methods?
–Safety-critical systems
–High bug costs
Why hardware?
–High bug costs
–Greater reliability required by customers
–Feasible (more or less)

4 Introducing FV
How is it done?
The method consists of a Model and a Property. The method's output is either an assurance that the property holds or a counter-example.
[Diagram: model and property p go into the method, which answers "P always holds" or returns a counter-example]

5 Defining a Model
Definitions
–State – snapshot of the values of variables at a particular instant of time.
–Finite state system – a system which has a finite number of different states.
–Transition – the ordered pair
–Computation – an infinite sequence of states where each state is obtained from the previous one by a transition

6 Defining a Model
Intuition
–A State – (0,1)
–A Finite state system – {(0,0),(0,1),(1,0),(1,1)}
–A Transition –
–A Computation
[Diagram: the states (0,0), (0,1), (1,0), (1,1) connected by Reset and inc transitions]

7 Kripke Structure
Let AP be a set of atomic propositions. A Kripke structure M over AP is a tuple M = (S, S_0, R, L) where
–S is a finite set of states
–S_0 ⊆ S is the set of initial states
–R ⊆ S × S is a transition relation that must be total, i.e., for every state s in S there is a state s' in S such that R(s, s').
–L is a function that labels each state with the set of all atomic propositions in AP that are true in that state.
A path in M from s is an infinite sequence of states π = s_0 s_1 s_2 … such that s_0 = s and R(s_i, s_{i+1}) holds for all i ≥ 0.

8 Defining a Model
M = (S, S_0, R, L)
S = {s0, s1, s2, s3}
S_0 = {(0,0)} (system starts with Reset)
R = { , , ... }
L = {(s0,(0,0)), (s1,(0,1)), (s2,(1,0)), (s3,(1,1))}
[Diagram: states s0, s1, s2, s3 connected by Reset and inc transitions]

9 Model-based verification   |   |=   K |=


12 CTL
Temporal operators are immediately preceded by a path quantifier.
The following are a complete set: ¬p, p ∧ q, AX p, EX p, A(p U q), E(p U q)
Others can be derived:
–EF p = E(true U p)
–AF p = A(true U p)
–EG p = ¬AF ¬p
–AG p = ¬EF ¬p

13 Minimal set of CTL Formulas
Full set of operators
–Boolean: ¬, ∧, ∨, →, ↔
–temporal: E, A, X, F, G, U, W
Minimal set sufficient to express any CTL formula
–Boolean: ¬, ∧
–temporal: E, X, U
Examples: f ∨ g = ¬(¬f ∧ ¬g), F f = true U f, A(f) = ¬E(¬f), G f = f U false

14 Minimal set of CTL Formulas


32 Model Checking Example
Traffic light controller (simplified)
[Diagram: Road 1 and Road 2 crossing, with a car sensor C on Road 2 and a timer T. The controller has four states G1 R2, Y1 R2, R1 G2, R1 Y2; the transitions are guarded by C'+T', CT, CT', C'+T. C = car sensor, T = timer]

33 Traffic light controller – Model Checking
Model checking task: check
–safety condition
–fairness condition
Safety condition: no green lights on both roads at the same time
A G ¬(G1 ∧ G2)
Fairness condition: eventually one road has a green light
E F (G1 ∨ G2)
[Diagram: the four controller states G1 R2, Y1 R2, R1 G2, R1 Y2 with guards C'+T', CT, CT', C'+T]

34 Checking the Safety Condition
A G ¬(G1 ∧ G2) = ¬ E F (G1 ∧ G2)
S(G1 ∧ G2) = S(G1) ∩ S(G2) = {1} ∩ {3} = ∅
S(EF (G1 ∧ G2)) = ∅
S(¬EF (G1 ∧ G2)) = ¬∅ = {1, 2, 3, 4}
Each state is included in {1, 2, 3, 4}, so the safety condition is true (for each state)
[Diagram: the four controller states G1 R2, Y1 R2, R1 G2, R1 Y2]

35 Checking the Fairness Condition
E F (G1 ∨ G2) = E(true U (G1 ∨ G2))
S(G1 ∨ G2) = S(G1) ∪ S(G2) = {1} ∪ {3} = {1, 3}
S(EF (G1 ∨ G2)) = {1, 2, 3, 4} (going backward from {1, 3}, find predecessors)
Since {1, 2, 3, 4} contains all states, the condition is true for all the states

36 Another Check
(EX)^2 (Y1) = EX (EX (Y1))
(starting at S_1 = G1 R2, is there a path such that Y1 is true in 2 steps?)
S(Y1) = {2}
S(EX (Y1)) = {1} (predecessor of 2)
S(EX (EX (Y1))) = {1, 4} (predecessors of 1)
[Diagram: the four controller states G1 R2, Y1 R2, R1 G2, R1 Y2]
Property EX^2 (Y1) is true for states {1, 4}, hence true
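The three checks on slides 33–36 computed by hand can be mechanised with the backward set computations the slides use (predecessors for EX, a least fixpoint for E(p U q), and the derived forms EF p = E(true U p), AG p = ¬EF ¬p). The following is an added example and not code from the course; the state numbering follows slides 34–36, while the transition relation R is an assumption reconstructed from the predecessor sets given there (pred(2) = {1}, pred(1) = {1, 4}) and the two self-loops drawn on the diagram.

```python
# Explicit-state CTL model checker over the traffic-light Kripke structure.
# States as numbered on slides 34-36: 1 = G1 R2, 2 = Y1 R2, 3 = R1 G2, 4 = R1 Y2.
STATES = {1, 2, 3, 4}
LABELS = {1: {"G1", "R2"}, 2: {"Y1", "R2"}, 3: {"R1", "G2"}, 4: {"R1", "Y2"}}

# ASSUMED transition relation: (1,2),(2,3),(3,4),(4,1) is the cycle drawn on
# the diagram, (1,1) and (3,3) are the self-loops guarded by C'+T' and C'+T.
# It is total, as slide 7 requires of a Kripke structure.
R = {(1, 1), (1, 2), (2, 3), (3, 3), (3, 4), (4, 1)}


def sat_atom(p):
    """S(p): states whose label contains the atomic proposition p."""
    return {s for s in STATES if p in LABELS[s]}


def sat_not(x): return STATES - x
def sat_and(x, y): return x & y
def sat_or(x, y): return x | y


def sat_EX(x):
    """S(EX f): states with at least one successor in x, i.e. predecessors of x."""
    return {s for (s, t) in R if t in x}


def sat_EU(x, y):
    """S(E(f U g)): least fixpoint, walking backward from g-states through f-states."""
    z = set(y)
    while True:
        new = z | (x & sat_EX(z))
        if new == z:
            return z
        z = new


def sat_EF(x): return sat_EU(STATES, x)            # EF f = E(true U f)   (slide 12)
def sat_AG(x): return sat_not(sat_EF(sat_not(x)))  # AG f = ¬EF ¬f        (slide 12)


def check_safety():    # slide 34: S(AG ¬(G1 ∧ G2))
    return sat_AG(sat_not(sat_and(sat_atom("G1"), sat_atom("G2"))))

def check_fairness():  # slide 35: S(EF (G1 ∨ G2))
    return sat_EF(sat_or(sat_atom("G1"), sat_atom("G2")))

def check_exex_y1():   # slide 36: S(EX EX Y1)
    return sat_EX(sat_EX(sat_atom("Y1")))

def holds_in(sat_set, initial=1):
    """A formula holds for the model when the initial state (1 = G1 R2) is in its set."""
    return initial in sat_set
```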

37 Explicit Model Checking – complexity
CTL model checking is linear in the size of the formula and the size of the structure M.
Not good news:
–what if you have states?
–The number of states grows exponentially with the number of variables
–Explicit model checking is limited to … 10^9 states
Symbolic model checking can do much better
