Presentation is loading. Please wait.

Presentation is loading. Please wait.

Instructor: Rajeev Alur

Published byCuthbert Dickerson Modified over 8 years ago

Similar presentations

Presentation on theme: "Instructor: Rajeev Alur"— Presentation transcript:

1 Instructor: Rajeev Alur alur@cis.upenn.edu
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

2 CIS 540 Spring 2015; Lecture Feb 4
Requirements Requirement: Desirable property of the executions of the system Informal: Either implicit, or stated in English in documents Formal: Stated explicitly in a mathematically precise manner High assurance / safety-critical systems: Formal requirements Model/design/system meets the requirements if every execution satisfies all the requirements Clear separation between requirements (what needs to be implemented) and system (how it is implemented) Verification problem: Given a requirement j and a system/model C, prove/disprove that the system C satisfies the requirement j CIS 540 Spring 2015; Lecture Feb 4

3 CIS 540 Spring 2015; Lecture Feb 4
Safety Requirements A safety requirement states that a system always stays within “good’ states (i.e. a nothing bad ever happens) Leader election: it is never the case that two nodes consider them to be leaders Collision avoidance: Distance between two cars is always greater than some minimum threshold Different class of requirements: Liveness System eventually attains its goal Leader election: Each node eventually makes a decision Cruise controller: Actual speed eventually equals desired speed Formalization and analysis techniques for safety and liveness differ significantly, so let us first focus on safety CIS 540 Spring 2015; Lecture Feb 4

4 CIS 540 Spring 2015; Lecture Feb 4
Transition Systems States + Initial states + Transitions between states CIS 540 Spring 2015; Lecture Feb 4

5 Definition of Transition System
Syntax: a transition system T has a set S of (typed) state variables Initialization Init for state variables Transition description Trans given by code to update state vars Semantics: Set QS of states Set [Init] of initial states (this is a subset of QS) Set [Trans] of transitions, subset of QS x QS Synchronous reactive components, programs, and more generally systems, all have an underlying transition system CIS 540 Spring 2015; Lecture Feb 4

6 Switch Transition System
(press=0 & x<10)  x:=x+1 (press=0) ? (press=1) ? State variables: {off, on} mode, int x int x:=0 off on (press=1 | x>=10)  x:=0 Initialization: mode = off; x = 0 (off,0) (on, 56) Transitions: (off,n) -> (off,n); (off,n) -> (on,n); (on,n) -> (on,n+1) if n<10; (on,n) -> (off,0) (on, 2) (on, 0) (on, 3) (off, 17) (on, 17) Input/output variables become local Values for input vars chosen nondeterministically CIS 540 Spring 2015; Lecture Feb 4

7 Euclid’s GCD Algorithm
Classical program to compute greatest common divisor of (non-negative) input numbers m and n (x>0 & y>0)  if (x>y) then x:=x-y else y:=y-x nat x:=m; y:=n loop stop ~ (x>0 & y>0)  if (x=0) then x:=y CIS 540 Spring 2015; Lecture Feb 4

8 CIS 540 Spring 2015; Lecture Feb 4
Reachable States off on int x:=0 (press=0) ? (press=1) ? (press=0 & x<10)  x:=x+1 (press=1 | x>=10)  x:=0 (on, 56) (off,0) (on, 0) (on, 1) (on, 10) (off, 17) (on, 17) CIS 540 Spring 2015; Lecture Feb 4

9 Reachable States of Transition Systems
A state s of a transition system is reachable if there is an execution starting in an initial state and ending in the state s CIS 540 Spring 2015; Lecture Feb 4

10 CIS 540 Spring 2015; Lecture Feb 4
Invariants (on, 56) (off,0) (on, 0) (on, 1) (on, 10) (off, 17) (off, 10) (on, 17) Property of a transition system: Boolean-valued expression j over state variables Property j is an invariant of T if every reachable state satisfies j Examples of invariants: (x <= 10); ( x <= 50); ( mode= off -> x=0 ) Examples of properties that are not invariants: (x < 10); (mode=off) CIS 540 Spring 2015; Lecture Feb 4

11 CIS 540 Spring 2015; Lecture Feb 4
Invariants Express desired safety requirement as property j of state variables If j is an invariant then the system is safe If j is not an invariant, then some state satisfying ~j is reachable (execution leading to such a state is counterexample) Leader election: (rn = N -> idn = max P), P : set of identifiers of all nodes Euclid’s GCD Program: (mode=stop -> x = gcd(m,n)) CIS 540 Spring 2015; Lecture Feb 4

12 CIS 540 Spring 2015; Lecture Feb 4
Formal Verification Model/Program Verifier yes/proof no/bug Requirement Grand challenge: Automate verification as much as possible ! CIS 540 Spring 2015; Lecture Feb 4

13 CIS 540 Spring 2015; Lecture Feb 4
Analysis Techniques Dynamic Analysis (runtime) Execute the system, possibly multiple times with different inputs Check if every execution meets the desired requirement Static Analysis (design time) Analyze the source code or the model for possible bugs Trade-offs Dynamic analysis is incomplete, but accurate (checks real system, and bugs discovered are real bugs Static analysis can catch design bugs early ! Many static analysis techniques are not scalable (solution: analyze approximate versions, can lead to false warnings) CIS 540 Spring 2015; Lecture Feb 4

14 Invariant Verification
Simulation Simulate the model, possibly multiple times with different inputs Easy to implement, scalable, but no correctness guarantees Proof based Construct a proof that system satisfies the invariant Requires manual effort (partial automation possible) State-space analysis (Model checking) Algorithm explores “all” reachable states to check invariants Not scalable, but current tools can analyze many real-world designs (relies on many interesting theoretical advances) CIS 540 Spring 2015; Lecture Feb 4

15 CIS 540 Spring 2015; Lecture Feb 4
Proving Invariants Given a transition system (S, Init, Trans), and a property j, prove that all reachable states of T satisfy j Inductive definition of reachable states All initial states are reachable using 0 transitions If a state s is reachable in k transitions and (s,t) is a transition, then the state t is reachable in (k+1) transitions Reachable = Reachable in n transitions, for some n Prove: for all n, states reachable in n transitions satisfy j Base case: Show that all initial states satisfy j Inductive case: Assume that a state s satisfies j Show that if (s,t) is a transition then t must satisfy j CIS 540 Spring 2015; Lecture Feb 4

16 Recap: Inductive Proofs
To show that a statement P holds for all numbers n, Base case: Prove that P holds for n=0 Assume that P holds for an arbitrary number k Prove (using the assumption) that the statement holds for k+1 Example statement: For all n, ( … + n) = n(n+1)/2 CIS 540 Spring 2015; Lecture Feb 4

17 CIS 540 Spring 2015; Lecture Feb 4
Inductive Invariant A property j is an inductive invariant of transition system T if Every initial state of T satisfies j If a state satisfies j and (s,t) is a transition of T, then t must satisfy j If j is an inductive invariant, then all reachable states of T must satisfy j, and thus, it is an invariant CIS 540 Spring 2015; Lecture Feb 4

18 Proving Inductive Invariant Example (1)
Consider transition system T given by State variable int x, initialized to 0 Transition description given by “if (x < m) then x:=x+1” Is the property j : (0 <= x <= m) an inductive invariant of T ? Base case: Consider initial state (x=0). Check that it satisfies j Inductive case: Consider an arbitrary state s, suppose s(x) = a Assume that s satisfies j, that is, assume 0 <= a <=m Consider the state t obtained by executing a transition from s If a < m then t(x) = a+1, else t(x) = a In either case, 0 <= t(x) <= m So t satisfies the property j, and the proof is complete CIS 540 Spring 2015; Lecture Feb 4

19 Proving Inductive Invariant Example (2)
Consider transition system T given by State variables int x, y; x is initially 0, y is initially m Transition description given by “if (x < m) then {x:=x+1; y:=y-1}” Is the property j : (0 <= y <= m) an inductive invariant of T ? Base case: Consider initial state (x=0,y=m). Check that it satisfies j Inductive case: Consider an arbitrary state s with x=a and y=b Assume that s satisfies j, that is, assume 0 <= b <=m Consider the state t obtained by executing a transition from s If a < m then t(y) = b-1, else t(y) = b Can we conclude that 0 <= t(y) <= m ? No! The proof fails! In fact, j is not an inductive invariant of T! CIS 540 Spring 2015; Lecture Feb 4

20 CIS 540 Spring 2015; Lecture Feb 4
Why did the proof fail? Consider the state s with x=0 and y=0 State s satisfies j: (0<=y <=m) Executing a transition from s leads to state t with x=1 and y=-1 State t does not satisfy j ! The state s in above argument is not reachable! Cause of failure: The property j did not capture corelation between the variables x and y Solution: Inductive Strengthening! Consider property y: (0 <= y <= m) & (x+y = m) The property y implies property j While j is not inductive invariant, y is! It follows that all reachable states must satisfy j CIS 540 Spring 2015; Lecture Feb 4

21 Proving Inductive Invariant Example (3)
Consider transition system T given by State variables int x, y; x is initially 0, y is initially m Transition description given by “if (x < m) then {x:=x+1; y:=y-1}” Property y : (0 <= y <= m) & (x+y = m) Base case: Consider initial state (x=0,y=m). Check that it satisfies y Inductive case: Consider an arbitrary state s with x=a and y=b Assume that s satisfies y, that is, assume 0 <= b <=m and a+b =m Consider the state t obtained by executing a transition from s If a < m then t(x) = a+1 and t(y) = b-1, else t(x)=a and t(y)=b But if a<m, since a+b=m holds, b >0, and thus b-1 >=0 In either case, the condition (0<= t(y) <=m & t(x)+t(y)=m) holds! Conclusion: Property y is an inductive invariant! CIS 540 Spring 2015; Lecture Feb 4

22 Proof Rule for Proving Invariants
To establish that a property j is an invariant of transition system T Find another property y such that y implies j (that is, a state satisfying y must satisfy j) y is an inductive invariant Show that every initial state satisfies y Assume that a state s satisfies y. Consider a state t such that (s,t) is a transition. Show that t must satisfy y This is a sound and complete strategy for establishing invariants Sound means this is a correct proof technique Complete: If j is an invariant, then there must exist some inductive strengthening y satisfying above conditions CIS 540 Spring 2015; Lecture Feb 4

23 CIS 540 Spring 2015; Lecture Feb 4
Inductive Invariants Initial States Property j Reachable States Strengthening y CIS 540 Spring 2015; Lecture Feb 4

24 CIS 540 Spring 2015; Lecture Feb 4
Correctness of GCD (x>0 & y>0)  if (x>y) then x:=x-y else y:=y-x nat x:=m; y:=n loop stop ~ (x>0 & y>0)  if (x=0) then x:=y Property j : gcd(x,y) = gcd (m,n) Verify that this property is indeed an inductive invariant! Captures the core logic of the program: Even though x and y are updated at every step, their gcd stays unchanged When switching to “stop”, if x is 0, then gcd(0,y) is y; if y=0, then gcd(x,0)=x, and thus x=gcd(m,n) upon switching to stop Note that (mode=stop -> y=gcd(m,n)) is invariant, but not inductive CIS 540 Spring 2015; Lecture Feb 4

25 Muddy Childrens Puzzle
There are some kids playing in a muddy pond. Their teacher walks by and says “some of you have mud on your forehead”. Each kid can look around and see which of other kids have muddy foreheads, but cannot see his/her own forehead. The teacher says “raise your hand if you know that you have muddy forehead”. Nobody raises their hands. The teacher repeats the same question, and it continues like that. If k kids have muddy foreheads, then after the teacher has asked the question k times, exactly those kids with muddy foreheads raise their hands. CIS 540 Spring 2015; Lecture Feb 4

26 Muddy Childrens Reasoning
Claim: For all n, if exactly n kids have muddy foreheads, then (1) for first n-1 rounds nobody raises their hands and (2) after n rounds, exactly those kids with muddy foreheads raise their hands. Proof by induction. Base case: Show the claim for n=1 Inductive hypothesis: Assume the claim for n=k Inductive case: Show the claim for n=k+1 Note: We want to prove (2), but it cannot be proved on its own. Proving (1) and (2) together is akin to inductive strengthening CIS 540 Spring 2015; Lecture Feb 4

Download ppt "Instructor: Rajeev Alur"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Chapter Six Algorithms. 2 Algorithms An algorithm is an abstract strategy for solving a problem and is often expressed in English A function is the.

1 Chapter Six Algorithms. 2 Algorithms An algorithm is an abstract strategy for solving a problem and is often expressed in English A function is the.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.

CSE115/ENGR160 Discrete Mathematics 04/12/11 Ming-Hsuan Yang UC Merced 1.
Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:

Induction Sections 41. and 4.2 of Rosen Fall 2008 CSCE 235 Introduction to Discrete Structures Course web-page: cse.unl.edu/~cse235 Questions:
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Induction Sections 4.1 and 4.2 of Rosen Fall 2010

Induction Sections 4.1 and 4.2 of Rosen Fall 2010
Describing Syntax and Semantics

Describing Syntax and Semantics
School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

School of Computer ScienceG53FSP Formal Specification1 Dr. Rong Qu Introduction to Formal Specification

Similar presentations

Ads by Google