Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University."— Presentation transcript:

1 1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University

2 2 Project Goals To Build Reliable and Robust Software Systems by 1) Integrating Systems Engineering with Formal Verification techniques 2) Enabling Model Checking of Realistic Software Systems

3 3 Outline Lecture 1, part 1 Motivation Model Checking Lecture 1, part 2 State/Event-based software model checking Lecture 2 Component Substitutability

4 4 Outline Lecture 1, part 1 Motivation Model Checking Lecture 1, part 2 State/Event-based software model checking Lecture 2 Component Substitutability

5 5 Motivation Goal: Build reliable computer systems - Secure and safe execution - Predictable designs (no unexpected behaviors) Applications: embedded systems in avionics, space, robotics, electro-mechanical engineering, etc.

6 6 Motivation Approach: Integrate Validation and Verification with Systems Engineering –Reasoning about system designs during their construction –Design for verification

7 7 ComFoRT: Component Formal Reasoning Framework SYSTEM ENGINEERING FORMAL VERIFICATION High-level Specification System Design MODEL CHECKER Formal Model Temporal Properties BUG FOUND DESIGN CORRECT OUT OF RESOURCES X

8 8 CCL Modeling Language A CCL system is a parallel composition of individual sequential programs, P = p 1 || … || p n, Sample commands of CCL programs: Assignments: x: = exp | x := any{exp 1, …, exp n } Communication: : Generate e i (ID,exp) - Event generation Receive e i (ID,x) - Event consumption Compounds: if then else, while do od, switch

9 9 Sample CCL state model State Action State State Transition Message Type

10 10 Outline Motivation Model Checking State/Event-based software model checking Component Substitutability

11 11 Temporal Logic Model Checking Systems are modeled by finite state machines. Properties are written in propositional temporal logic. Verification procedure is an exhaustive search of the state space of the design. Diagnostic counterexamples

12 12 What is Model Checking? Does model M satisfy a property P ? (written M |= P) What is “M”? What is “P”? What is “satisfy”?

13 13 What is “M”? States: valuations to all variables Initial states: subset of states Arcs: transitions between states Atomic Propositions: e.g. x = 5, y = true Observation (color): Valuation to all atomic propositions State Transition Graph or Kripke Model abab bcbc c

14 14 Model of Computation Infinite Computation Tree a b bcbc c c abab c abab bcbc c State Transition Graph Unwind State Graph to obtain Infinite Tree. A trace is an infinite sequence of states.

15 15 What is “P”? Syntax: What are the property formulas? Semantics: What does it mean for model M to satisfy formula P? Formulas: - Atomic propositions: properties of states - (Linear) Temporal Logic Specifications: properties of traces.

16 16 Specification (Property) Examples:Safety (mutual exclusion): no two processes can be at the critical section at the same time Liveness (absence of starvation): every request will be eventually granted Linear Time Logic (LTL) [Pnueli 77]: logic of temporal sequences.   next (  ):  holds in the next state eventually(  ):  holds eventually always( ): holds from now on  until  :  holds until  holds 

17 17 NASA Robot Controller System v EEF

18 18 Modeling of the NASA Robot Controller System EndEffector Arm ||

19 19 Examples of the Robot Control Properties Safety Operation: If the EndEffector reaches an undesired position, then the program terminates prior to a new move of the EndEffector AfterAlwaysUntil(undesired_position =1,ee_reference=1,abort_var=1) Configuration Validity Check: If an instance of EndEffector is in the “FollowingDesiredTrajectory” state, then the instance of the corresponding Arm class is in the ‘Valid” state Always((ee_reference=1) ->(arm_status=1) Control Termination: Eventually the robot control terminates EventuallyAlways(abort_var=1)

20 20 What is “satisfy”? M satisfies P if all the reachable states satisfy P Different Algorithms to check if M |= P. - Explicit State Space Exploration For example: Invariant checking Algorithm. 1.Start at the initial states and explore the states of M using DFS or BFS. 2.In any state, if P is violated then print an “error trace”. 3.If all reachable states have been visited then say “yes”.

21 21 State Space Explosion Problem: Size of the state graph can be exponential in size of the program (both in the number of the program variables and the number of program components) M = M 1 || … || M n If each M i has just 2 local states, potentially 2 n global states Research Directions: State space reduction

22 22 State Space Explosion Principal Approaches to State Space Reduction: Abstraction (elimination of details irrelevant to verification of a property) Compositional reasoning (reasoning about parts of the system) Symbolic Verification (BDDs represent state transition diagrams more efficiently) Partial Order Reduction (reduction of number of states that must be enumerated) Other (symmetry, cone of influence reduction, ….)

23 23 Systems engineering and model checking Principal Approach Component-based system design Compositional reasoning (reasoning about parts of the system)

24 24 Components Compositional reasoning reduces reasoning about entire system to reasoning about individual parts -Decompose the model: M = M1 || M2 -Partition global properties into local properties: P= P1  P2 -Show that M1 |= P1 and M2 |= P2 Component-based design - Library of verified components  predictable designs

Download ppt "1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Modeling Software Systems Lecture 2 Book: Chapter 4.

Modeling Software Systems Lecture 2 Book: Chapter 4.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,

Model Checking for an Executable Subset of UML Fei Xie 1, Vladimir Levin 2, and James C. Browne 1 1 Dept. of Computer Sciences, UT at Austin 2 Bell Laboratories,
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification

Similar presentations

Ads by Google