Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.

Similar presentations


Presentation on theme: "1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008."— Presentation transcript:

1 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008

2 2 Some related books: Also:Mainly:

3 3 Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development

4 4 What are formal methods? Techniques for analyzing systems, based on some mathematics. This does not mean that the user must be a mathematician. Some of the work is done in an informal way, due to complexity.

5 5 Examples for FM Deductive verification: Using some logical formalism, prove formally that the software satisfies its specification. Model checking: Use some software to automatically check that the software satisfies its specification. Testing: Check executions of the software according to some coverage scheme.

6 6 Typical situation: Boss: Mark, I want that the new internet marketing software will be flawless. OK? Mark: Hmmm. Well,..., Aham, Oh! Ah??? Where do I start? Bob: I have just the solution for you. It would solve everything.

7 7 Some concerns Which technique? Which tool? Which experts? What limitations? What methodology? At which points? How expensive? How many people? Needed expertise. Kind of training. Size limitations. Exhaustiveness. Reliability. Expressiveness. Support.

8 8 Badmouth Formal methods can only be used by mathematicians. The verification process is itself prone to errors, so why bother? Using formal methods will slow down the project.

9 9 Some answers... Formal methods can only be used by mathematicians. Wrong. They are based on some math but the user should not care. The verification process is itself prone to errors, so why bother? We opt to reduce the errors, not eliminate them. Using formal methods will slow down the project. Maybe it will speed it up, once errors are found earlier.

10 10 Some exaggerations Automatic verification can always find errors. Deductive verification can show that the software is completely safe. Testing is the only industrial practical method.

11 11 Our approach Learn several methods (deductive verification, model checking, testing process algebra). Learn advantages and limitations, in order to choose the right methods and tools. Learn how to combine existing methods.

12 12 Emphasis The process: Selecting the tools, Modeling, Verification, Locating errors. Use of tools: Hands on. PVS, SPIN Visual notation: Statecharts, MSCs, UML.

13 13 Some emphasis The process of selecting and using formal methods. The appropriate notation. In particular, visual notation. Hands-on experience with tools.

14 14 The unbearable easiness of grading During class, choose some small project in groups, e.g., Explore some examples using tools. Implementing a simple algorithm. Dealing with new material. or covering advanced subject. - Office presentation (1 hour). - Written description (2-3 pages + computer output or 6-10 pages). - Class presentation ( hours per group).

15 15 Example topics Project: Verify some example using some tools. Communication protocols. Mutual exclusion. Advanced topics: Abstractions. Reductions. Partitions. Static analysis. Verifying pushdown automata. Verifying security protocols.

16 16 Where do we start? Boss: Mark, can you verify this for me? Mark: OK, first I have to...

17 17 Things to do Check the kind of software to analyze. Choose methods and tools. Express system properties. Model the software. Apply methods. Obtain verification results. Analyze results. Identify errors. Suggest correction.

18 18 Different types of software Sequential. Concurrent. Distributed. Reactive. Protocols. Abstract algorithms. Finite state.

19 19 Specification: Informal, textual, visual The value of x will be between 1 and 5, until some point where it will become 7. In any case it will never be negative. (1 =0)) 1<=x<=5 X=7 X>=0

20 20 Verification methods Finite state machines. Apply model checking. Apply deductive verification (theorem proving). Program too big, too complicated. Apply testing techniques. Apply a combination of the above!

21 21 Modeling Use the program text. Translate to a programming language embedded in some proof system. Translate to some notation (transition system). Translate to finite automata. Use visual notation. Special case: black box system.

22 22 Modeling Software Systems for Analysis (Book: Chapter 4)

23 23 Modelling and specification for verification and validation How to specify what the software is supposed to do? Can we use the UML model or parts of it? How to model it in a way that allows us to check it?

24 24 Systems of interest Sequential systems. Concurrent systems (multi-threaded). 1. Distributive systems. 2. Reactive systems. 3. Embedded systems (software + hardware).

25 25 Sequential systems. Perform some computational task. Have some initial condition, e.g., 0 i n A[i] integer. Have some final assertion, e.g., 0 i n-1 A[i] A[i+1]. (What is the problem with this spec?) Are supposed to terminate.

26 26 Concurrent Systems Involve several computation agents. Termination may indicate an abnormal event (interrupt, strike). May exploit diverse computational power. May involve remote components. May interact with users (Reactive). May involve hardware components (Embedded).

27 27 Problems in modeling systems Representing concurrency: - Allow one transition at a time, or - Allow coinciding transitions. Granularity of transitions. Assignments and checks? Application of methods? Global (all the system) or local (one thread at a time) states.

28 28 Modeling. The states based model. V={v 0,v 1,v 2, …} - a set of variables, over some domain. p(v 0, v 1, …, v n ) - a parametrized assertion, e.g., v 0 =v 1 +v 2 /\ v 3 >v 4. A state is an assignment of values to the program variables. For example: s= For predicate (first order assertion) p: p(s) is p under the assignment s. Example: p is x>y /\ y>z. s=. Then we have 4>3 /\ 3>5, which is false.

29 29 State space The state space of a program is the set of all possible states for it. For example, if V={a, b, c} and the variables are over the naturals, then the state space includes:,,, …

30 30 Atomic Transitions Each atomic transition represents a small piece of code such that no smaller piece of code is observable. Is a:=a+1 atomic? In some systems, e.g., when a is a register and the transition is executed using an inc command.

31 31 Non atomicity Execute the following when a=0 in two concurrent processes: P 1 :a=a+1 P 2 :a=a+1 Result: a=2. Is this always the case? Consider the actual translation: P 1 :load R1,a inc R1 store R1,a P 2 :load R2,a inc R2 store R2,a a may be also 1.

32 32 Scenario P 1 :load R1,a inc R1 store R1,a P 2 :load R2,a inc R2 store R2,a a=0 R1=0 R2=0 R1=1 R2=1 a=1

33 33 Representing transitions Each transition has two parts: The enabling condition: a predicate. The transformation: a multiple assignment. For example: a>b (c,d ):=(d,c ) This transition can be executed in states where a>b. The result of executing it is switching the value of c with d.

34 34 Initial condition A predicate I. The program can start from states s such that I (s) holds. For example: I (s)=a >b /\ b >c.

35 35 A transition system A (finite) set of variables V over some domain. A set of states. A (finite) set of transitions T, each transition e t has an enabling condition e, and a transformation t. An initial condition I.

36 36 Example V={a, b, c, d, e}. : all assignments of natural numbers for variables in V. T={c >0 (c,e):=(c -1,e +1), d >0 (d,e):=(d -1,e +1)} I: c =a /\ d =b /\ e =0 What does this transition system do?

37 37 The interleaving model An execution is a maximal finite or infinite sequence of states s 0, s 1, s 2, … That is: finite if nothing is enabled from the last state. The first state s 0 satisfies the initial condition, I.e., I (s 0 ). Moving from one state s i to its successor s i+1 is by executing a transition e t: e (s i ), i.e., s i satisfies e. s i+1 is obtained by applying t to s i.

38 38 Example: s0= s1= s2= s3= T={c>0 (c,e):=(c -1,e +1), d>0 (d,e):=(d-1,e+1)} I: c=a /\ d=b /\ e=0

39 39 L0:While True do NC0:wait(Turn=0); CR0:Turn=1 endwhile || L1:While True do NC1:wait(Turn=1); CR1:Turn=0 endwhile T0:PC0=L0 PC0:=NC0 T1:PC0=NC0/\Turn=0 PC0:=CR0 T2:PC0=CR0 (PC0,Turn):=(L0,1) T3:PC1=L1 PC1=NC1 T4:PC1=NC1/\Turn=1 PC1:=CR1 T5:PC1=CR1 (PC1,Turn):=(L1,0) Initially: PC0=L0/\PC1=L1 The transitions Is this the only reasonable way to model this program?

40 40 The state graph:Successor relation between reachable states. Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1 T0 T3 T1 T4 T3 T0T3 T0 T4 T1T3 T2 T5

41 41 Some important points Reachable states: obtained from an initial state through a sequence of enabled transitions. Executions: the set of maximal paths (finite or terminating in a node where nothing is enabled). Nondeterministic choice: when more than a single transition is enabled at a given state. We have a nondeterministic choice when at least one node at the state graph has more than one successor.

42 42 Always ¬(PC0=CR0/\PC1=CR1) (Mutual exclusion) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

43 43 Always if Turn=0 then at some point Turn=1 Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

44 44 Always if Turn=0 then at some point Turn=1 Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

45 45 Interleaving semantics: Execute one transition at a time. Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=1 L0,CR1 Turn=1 L0,NC1 Need to check the property for every possible interleaving!

46 46 Interleaving semantics Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=1 L0,CR1 Turn=1 L0,NC1 Turn=0 L0,L1 Turn=0 L0,NC1

47 47 L0:While True do NC0:wait(Turn=0); CR0:Turn=1 endwhile || L1:While True do NC1:wait(Turn=1); CR1:Turn=0 endwhile T0:PC0=L0 PC0:=NC0 T1:PC0=NC0/\Turn=0 PC0:=CR0 T1:PC0=NC0/\Turn=1 PC0:=NC0 T2:PC0=CR0 (PC0,Turn):=(L0,1) T3:PC1==L1 PC1=NC1 T4:PC1=NC1/\Turn=1 PC1:=CR1 T4:PC1=NC1/\Turn=0 PC1:=NC1 T5:PC1=CR1 (PC1,Turn):=(L1,0) Initially: PC0=L0/\PC1=L1 Busy waiting

48 48 Always when Turn=0 then at some point Turn=1 Now it does not hold! (Red subgraph generates a counterexample execution.) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1 T4 T1

49 49 Combinatorial explosion V 1 :=1 V 1 :=3 V 1 :=2 V n :=1 V n :=3 V n :=2 … How many states?

50 50 Global states 3 n states v 1 =1,v 2 =1…v n =1 v 1 =2,v 2 =1…v n =1v 1 =1,v 2 =1…v n =2 … v 1 =3,v 2 =1…v n =1 … … v 1 =1,v 2 =1…v n =3

51 51 Specification Formalisms (Book: Chapter 5)

52 52 Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct. Spec. of reasonable size. Effective. Check that there are no contradictions. Check that the spec. is implementable. Check that the implementation satisfies spec. Expressive. May be used to generate initial code. Specifying the implementation or its properties?

53 53 A transition system A (finite) set of variables V. A set of states. A (finite) set of transitions T, each transition e t has an enabling condition e and a transformation t. An initial condition I. Denote by R(s, s) the fact that s is a successor of s.

54 54 The interleaving model An execution is a finite or infinite sequence of states s 0, s 1, s 2, … The initial state satisfies the initial condition, I.e., I (s 0 ). Moving from one state s i to s i+1 is by executing a transition e t: e(s i ), I.e., s i satisfies e. s i+1 is obtained by applying t to s i. Lets assume all sequences are infinite by extending finite ones by stuttering the last state.

55 55 Temporal logic Dynamic, speaks about several worlds and the relation between them. Our worlds are the states in an execution. There is a linear relation between them, each two sequences in our execution are ordered. Interpretation: over an execution, later over all executions.

56 56 LTL: Syntax ::= ( ) | ¬ | /\ \/ U |O | p box, always, forever diamond, eventually, sometimes O nexttime U until Propositions p, q, r, … Each represents some state property (x>y+1, z=t, at_CR, etc.)

57 57 Semantics over suffixes of execution O U

58 58 Can discard some operators Instead of <>p, write true U p. Instead of []p, we can write ¬(<>¬p), or ¬(true U ¬p). Because []p=¬¬[]p. ¬[]p means it is not true that p holds forever, or at some point ¬p holds or <>¬p.

59 59 Combinations []<>p p will happen infinitely often <>[]p p will happen from some point forever. ([]<>p) ([]<>q) If p happens infinitely often, then q also happens infinitely often.

60 60 Some relations: []( /\ )=([] )/\([] ) But <>( /\ ) (<> )/\(<> ) <>( \/ )=(<> )\/(<> ) But []( \/ ) ([] )\/([] )

61 61 What about ([]<> )/\([]<> )=[]<>( /\ )? ([]<> )\/([]<> )=[]<>( \/ )? (<>[] )/\(<>[] )=<>[]( /\ )? (<>[] )\/(<>[] )=<>[]( \/ )? No, just Yes!!! No, just

62 62 Formal semantic definition Let be a sequence s 0 s 1 s 2 … Let i be a suffix of : s i s i+1 s i+2 … ( 0 = ) i |= p, where p a proposition, if s i |=p. i |= /\ if i |= and i |=. i |= \/ if i |= or i |=. i |= ¬ if it is not the case that i |=. i |= <> if for some j i, j |=. i |= [] if for each j i, j |=. i |= U if for some j i, j |= and for each i k

63 63 Then we interpret: For a state: s|=p as in propositional logic. For an execution: |= is interpreted over a sequence, as in previous slide. For a system/program: P|= holds if |= for every sequence of P.

64 64 Spring Example s1s1 s3s3 s2s2 pull release extended malfunction extended r 0 = s 1 s 2 s 1 s 2 s 1 s 2 s 1 … r 1 = s 1 s 2 s 3 s 3 s 3 s 3 s 3 … r 2 = s 1 s 2 s 1 s 2 s 3 s 3 s 3 … …

65 65 LTL satisfaction by a single sequence malfunction s1s1 s3s3 s2s2 pull release extended r 2 = s 1 s 2 s 1 s 2 s 3 s 3 s 3 … r 2 |= extended ?? r 2 |= O extended ?? r 2 |= O O extended ?? r 2 |= <> extended ?? r 2 |= [] extended ?? r 2 |= <>[] extended ?? r 2 |= ¬ <>[] extended ?? r 2 |= (¬extended) U malfunction ?? r 2 |= [](¬extended->O extended) ??

66 66 LTL satisfaction by a system malfunction s1s1 s3s3 s2s2 pull release extended P |= extended ?? P |= O extended ?? P |= O O extended ?? P |= <> extended ?? P|= [] extended ?? P |= <>[] extended ?? P |= ¬ <>[] extended ?? P |= (¬extended) U malfunction ?? P |= [](¬extended->O extended) ??

67 67 More specifications [] (PC0=NC0 <> PC0=CR0) [] (PC0=NC0 U Turn=0) Try at home: - The processes alternate in entering their critical sections. - Each process enters its critical section infinitely often.

68 68 Proof system ¬<>p []¬p [](p q) ([]p []q) []p (p/\O[]p) O¬p ¬Op [](p Op) (p []p) (pUq) (q\/(p/\O(pUq))) (pUq) <>q + propositional logic axiomatization. + proof rule: _p_ []p

69 69 Traffic light example Green Yellow Red Always has exactly one light: [](¬(gr/\ye)/\¬(ye/\re)/\¬(re/\gr)/\(gr\/ye\/re)) Correct change of color: []((grU ye)\/(yeU re)\/(reU gr))

70 70 Another kind of traffic light Green Yellow Red Yellow First attempt: [](((gr\/re) U ye)\/(ye U (gr\/re))) Correct specification: []( (gr (gr U (ye /\ ( ye U re )))) /\(re (re U (ye /\ ( ye U gr )))) /\(ye (ye U (gr \/ re)))) Needed only when we can start with yellow

71 71 Properties of sequential programs init-when the program starts and satisfies the initial condition. finish-when the program terminates and nothing is enabled. Partial correctness: init/\[](finish ) Termination: init/\<>finish Total correctness: init/\<>(finish/\ ) Invariant: init/\[]

72 72 Automata over finite words A= (finite) - the alphabet. S (finite) - the states. S x x S - the transition relation. I S - the starting states. F S - the accepting states. a a b bs0s0 s1s1

73 73 The transition relation (s 0, a, s 0 ) (s 0, b, s 1 ) (s 1, a, s 0 ) (s 1, b, s 1 ) a a b bs0s0 s1s1

74 74 A run over a word A word over, e.g., abaab. A sequence of states, e.g. s 0 s 0 s 1 s 0 s 0 s 1. Starts with an initial state. Follows the transition relation (s i, c i, s i+1 ). Accepting if ends at accepting state. a a b bs0s0 s1s1

75 75 The language of an automaton The words that are accepted by the automaton. Includes aabbba, abbbba. Does not include abab, abbb. What is the language? a a b bs0s0 s1s1

76 76 Nondeterministic automaton Transitions: (s 0,a,s 0 ), (s 0,b,s 0 ), (s 0,a,s 1 ),(s 1,a,s 1 ). What is the language of this automaton? a,b a as0s0 s1s1

77 77 Equivalent deterministic automaton b a as0s0 s1s1 b a,b a a s0s0 s1s1

78 78 Automata over infinite words Similar definition. Runs on infinite words over. Accepts when an accepting state occurs infinitely often in a run. a a b bs0s0 s1s1

79 79 Automata over infinite words Consider the word abababab… There is a run s 0 s 0 s 1 s 0 s 1 s 0 s 1 … This run in accepting, since s 0 appears infinitely many times. a a b bs0s0 s1s1

80 80 Other runs For the word bbbbb… the run is s 0 s 1 s 1 s 1 s 1 … and is not accepting. For the word aaabbbbb …, the run is s 0 s 0 s 0 s 0 s 1 s 1 s 1 s 1 … What is the run for ababbabbb …? a a b bs0s0 s1s1

81 81 Nondeterministic automaton What is the language of this automaton? What is the LTL specification if b -- PC0=CR0, a =¬b? Can you find a deterministic automaton with same language? Can you prove there is no such deterministic automaton? a,b a a s0s0 s1s1

82 82 No deterministic automaton for (a+b)*a ω In a deterministic automaton there is one run for each word. After some sequence of as, i.e., aaa…a must reach some accepting state. Now add b, obtaining aaa…ab. After some more as, i.e., aaa…abaaa…a must reach some accepting state. Now add b, obtaining aaa…abaaa…ab. Continuing this way, one obtains a run that has infinitely many bs but reaches an accepting state (in a finite automaton, at least one would repeat) infinitely often.

83 83 Specification using Automata Let each letter correspond to some propositional property. Example: a -- P0 enters critical section, b -- P0 does not enter section. []<>PC0=CR0 a a b bs0s0 s1s1

84 84 Mutual Exclusion a -- PC0=CR0/\PC1=CR1 b -- ¬(PC0=CR0/\PC1=CR1) c -- true []¬(PC0=CR0/\PC1=CR1) b a c s0s0 s1s1

85 85 L0:While True do NC0:wait(Turn=0); CR0:Turn=1 endwhile || L1:While True do NC1:wait(Turn=1); CR1:Turn=0 endwhile T0:PC0=L0 PC0=NC0 T1:PC0=NC0/\Turn=0 PC0:=CR0 T2:PC0=CR0 (PC0,Turn):=(L0,1) T3:PC1==L1 PC1=NC1 T4:PC1=NC1/\Turn=1 PC1:=CR1 T5:PC1=CR1 (PC1,Turn):=(L1,0) Initially: PC0=L0/\PC1=L1 Apply now to our program:

86 86 The state space Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

87 87 []¬(PC0=CR0/\PC1=CR1) (Mutual exclusion) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

88 88 [](Turn=0 <>Turn=1) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

89 89 Interleaving semantics: Execute one transition at a time. Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=1 L0,CR1 Turn=1 L0,NC1 Need to check the property for every possible interleaving!

90 90 [](Turn=0 <>Turn=1) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

91 91 Correctness condition We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model) L(Spec).

92 92 Correctness All sequences Sequences satisfying Spec Program executions

93 93 Incorrectness All sequences Sequences satisfying Spec Program executions Counter examples

94 94 Automatic Verification (Book: Chapter 6)

95 95 How can we check the model? The model is a graph. The specification should refer the the graph representation. Apply graph theory algorithms.

96 96 What properties can we check? Invariant: a property that needs to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed.

97 97 How to perform the checking? Apply a search strategy (Depth first search, Breadth first search). Check states/transitions during the search. If property does not hold, report counter example!

98 98 If it is so good, why learn deductive verification methods? Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures: queues trees stacks parametric algorithms and systems.

99 99 The state space explosion Need to represent the state space of a program in the computer memory. Each state can be as big as the entire memory! Many states: Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes.

100 100 If it is so constrained, is it of any use? Many protocols are finite state. Many programs or procedure are finite state in nature. Can use abstraction techniques. Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving. Many techniques to reduce the state space explosion.

101 101 Depth First Search Program DFS For each s such that Init(s) dfs(s) end DFS Procedure dfs(s) for each s such that R(s,s) do If new(s) then dfs(s) end dfs.

102 102 Start from an initial state q3q3 q4q4 q2q2 q1q1 q5q5 q1q1 q1q1 Stack: Hash table:

103 103 Continue with a successor q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q1q2q1q2 Stack: Hash table:

104 104 One successor of q 2. q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q 4 q1q2q4q1q2q4 Stack: Hash table:

105 105 Backtrack to q 2 (no new successors for q 4 ). q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q 4 q1q2q1q2 Stack: Hash table:

106 106 Backtracked to q 1 q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q 4 q1q1 Stack: Hash table:

107 107 Second successor to q 1. q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q 4 q 3 q1q3q1q3 Stack: Hash table:

108 108 Backtrack again to q 1. q3q3 q4q4 q2q2 q1q1 q5q5 q 1 q 2 q 4 q 3 q1q1 Stack: Hash table:

109 109 How can we check properties with DFS? Invariants: check that all reachable states satisfy the invariant property. If not, show a path from an initial state to a bad state. Deadlocks: check whether a state where no process can continue is reached. Dead code: as you progress with the DFS, mark all the transitions that are executed at least once.

110 110 The state graph:Successor relation between states. Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

111 111 ¬ (PC0=CR0/\PC1=CR1) is an invariant! Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

112 112 Want to do more! Want to check more properties. Want to have a unique algorithm to deal with all kinds of properties. This is done by writing specification in more complicated formalisms. We will see that in the next lecture.

113 113 [](Turn=0 <>Turn=1) Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1

114 114 Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1 init New initial state Convert graph into Buchi automaton

115 115 Turn=0 L0,L1 Turn=1 L0,L1 init Propositions are attached to incoming nodes. All nodes are accepting. Turn=1 L0,L1 Turn=0 L0,L1

116 116 Correctness condition We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model) L(Spec).

117 117 Correctness All sequences Sequences satisfying Spec Program executions

118 118 How to prove correctness? Show that L(Model) L(Spec). Equivalently: ______ Show that L(Model) L(Spec) = Ø. Also: can obtain Spec by translating from LTL!

119 119 What do we need to know? How to intersect two automata? How to complement an automaton? How to translate from LTL to an automaton?

120 120 Intersecting M 1 =(S 1,,T 1,I 1,A 1 ) and M 2 =(S 2,,T 2,I 2,S 2 ) Run the two automata in parallel. Each state is a pair of states: S 1 x S 2 Initial states are pairs of initials: I 1 x I 2 Acceptance depends on first component: A 1 x S 2 Conforms with transition relation: (x 1,y 1 )-a->(x 2,y 2 ) when x 1 -a->x 2 and y 1 -a->y 2.

121 121 Example (all states of second automaton accepting!) a b ct0t0 t1t1 a a b,c s0s0 s1s1 States: (s 0,t 0 ), (s 0,t 1 ), (s 1,t 0 ), (s 1,t 1 ). Accepting: (s 0,t 0 ), (s 0,t 1 ). Initial: (s 0,t 0 ).

122 122 a b c t0t0 t1t1 a a b,c s0s0 s1s1 s 0,t 0 s 0,t 1 s 1,t 1 s 1,t 0 b b a c a c

123 123 More complicated when A 2 S 2 a b ct0t0 t1t1 a a b,c s0s0 s1s1 Should we have acceptance when both components accepting? I.e., {(s 0,t 1 )}? No, consider (ba) It should be accepted, but never passes that state. s 0,t 0 s 0,t 1 s 1,t 1 b a c a c

124 124 More complicated when A 2 S 2 a b ct0t0 t1t1 a a b,c s0s0 s1s1 Should we have acceptance when at least one components is accepting? I.e., {(s 0,t 0 ),(s 0,t 1 ),(s 1,t 1 )}? No, consider b c It should not be accepted, but here will loop through (s 1,t 1 ) s 0,t 0 s 0,t 1 s 1,t 1 b c a c a

125 125 Intersection - general case q0q0 q2q2 q3q3 q1q1 q 0,q3q 1,q 3 q1,q2q1,q2 a a, c c c, b b c c b a

126 126 Version 0: to catch q 0 Version 1: to catch q 2 q 0,q 3 q 1,q 3 q1,q2q1,q2 q 0,q 3 q 1,q 3 q 1,q 2 Move when see accepting of left (q 0 )Move when see accepting of right (q 2 ) Version 0 Version 1 c c c c b a b a

127 127 Version 0: to catch q 0 Version 1: to catch q 2 q 0,q 3 q 1,q 3 q1,q2q1,q2 q 0,q 3 q 1,q 3 q 1,q 2 Move when see accepting of left (q 0 )Move when see accepting of right (q 2 ) Version 0 Version 1 c c c c b a b a

128 128 Make an accepting state in one of the version according to a component accepting state q 0,q 3,0 q 1,q 3,0q 1,q 2,0 q 0,q 3,1q 1,q 3,1 q 1,q 2,1 Version 1 Version 0 c c c c b a b a

129 129 How to check for emptiness? s 0,t 0 s 0,t 1 s 1,t 1 b a c a c

130 130 Emptiness... Need to check if there exists an accepting run (passes through an accepting state infinitely often).

131 131 Strongly Connected Component (SCC) A set of states with a path between each pair of them. Can use Tarjans DFS algorithm for finding maximal SCCs.

132 132 Finding accepting runs If there is an accepting run, then at least one accepting state repeats on it forever. Look at a suffix of this run where all the states appear infinitely often. These states form a strongly connected component on the automaton graph, including an accepting state. Find a component like that and form an accepting cycle including the accepting state.

133 133 Equivalently... A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.

134 134 How to complement? Complementation is hard! Can ask for the negated property (the sequences that should never occur). Can translate from LTL formula to automaton A, and complement A. But: can translate ¬ into an automaton directly!

135 135 Model Checking under Fairness Express the fairness as a property φ. To prove a property ψ under fairness, model check φ ψ. Fair (φ) Bad (¬ψ)Program Counter example

136 136 Model Checking under Fairness Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a transition from P, or it contains a state where P is disabled.

137 137 Translating from logic to automata (Book: Chapter 6)

138 138 Why translating? Want to write the specification in some logic. Want model-checking tools to be able to check the specification automatically.

139 139 Generalized Büchi automata Acceptance condition F is a set F={f 1, f 2, …, f n } where each f i is a set of states. To accept, a run needs to pass infinitely often through a state from every set f i.

140 140 Translating into simple Büchi automaton q0q0 q2q2 q1q1 q0q0 q2q2 q1q1 Version 0 Version 1 c c c c b a b a

141 141 Translating into simple Büchi automaton q0q0 q2q2 q1q1 q0q0 q2q2 q1q1 Version 0 Version 1 c c c c b b a

142 142 Translating into simple Büchi automaton q0q0 q2q2 q1q1 q0q0 q2q2 q1q1 Version 0 Version 1 c c c c b a b a

143 143 Preprocessing Convert into normal form, where negation only applies to propositional variables. ¬[] becomes <>¬. ¬<> becomes [] ¬. What about ¬ ( U )? Define operator R such that ¬ ( U ) = (¬ ) R (¬ ), ¬ ( R ) = (¬ ) U (¬ ).

144 144 Semantics of pR q p qqqqqqq q qq qqqq ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p ¬p¬p

145 145 Replace ¬ true by false, and ¬ false by true. Replace ¬ ( \/ ) by ( ¬ ) /\ ( ¬ ) and ¬ ( /\ ) by ( ¬ ) \/ ( ¬ )

146 146 Eliminate implications, <>, [] Replace -> by ( ¬ ) \/. Replace <> by (true U ). Replace [] by (false R ).

147 147 Example Translate ( []<>P ) ( []<>Q ) Eliminate implication ¬( []<>P ) \/ ( []<>Q ) Eliminate [], <>: ¬( false R ( true U P ) ) \/ ( false R ( true U Q ) ) Push negation inwards: (true U (false R ¬ P ) ) \/ ( false R ( true U Q ) )

148 148 The data structure Incoming NewOld Next Name

149 149 The main idea U = \/ ( /\ O ( U ) ) R = /\ ( \/ O ( R ) ) This separates the formulas to two parts: one holds in the current state, and the other in the next state.

150 150 How to translate? Take one formula from New and add it to Old. According to the formula, either Split the current node into two, or Evolve the node into a new version.

151 151 Splitting Incoming New Old Next Incoming New Old Next Incoming New Old Next Copy incoming edges, update other field.

152 152 Evolving Incoming New Old Next Incoming New Old Next Copy incoming edges, update other field.

153 153 Possible cases: U, split: Add to New, add U to Next. Add to New. Because U = \/ ( /\ O ( U )). R, split: Add to New. Add to New, R to Next. Because R = /\ ( \/ O ( R )).

154 154 More cases: \/, split: Add to New. /\, evolve: Add to New. O, evolve: Add to Next.

155 155 How to start? Incoming NewOld Next init aU(bUc)

156 156 Incoming init aU(bUc) Incoming aU(bUc) bUcbUc a init

157 157 Incoming aU(bUc)bUcbUc init Incoming aU(bUc) c (bUc) b bUcbUcbUcbUc

158 158 When to stop splitting? When New is empty. Then compare against a list of existing nodes Nodes: If such a with same Old, Next exists, just add the incoming edges of the new version to the old one. Otherwise, add the node to Nodes. Generate a successor with New set to Next of father.

159 159 Incoming a,aU(bUc) aU(bUc) init Incoming aU(bUc) Creating a successor node. When we enter to Nodes a new node (with different Old or Next than any other node), we start a new node by copying Next to New, and making an edge to the new successor.

160 160 How to obtain the automaton? There is an edge from node X to Y labeled with propositions P (negated or non negated), if X is in the incoming list of Y, and Y has propositions P in field Old. Initial node is init. Incoming NewOld Next X Node Y a, b, ¬c

161 161 The resulted nodes. a, aU(bUc) b, bUc, aU(bUc)c, bUc, aU(bUc) b, bUcc, bUc

162 162 a, aU(bUc) b, bUc, aU(bUc)c, bUc, aU(bUc) b, bUcc, bUc All nodes with incoming edge from init. Initial nodes

163 163 Include only atomic propositions Init a b c cb

164 164 Acceptance conditions Use generalized Buchi automata, where there are several acceptance sets f 1, f 2, …, f n, and each accepted infinite sequence must include at least one state from each set infinitely often. Each set corresponds to a subformula of form U. Guarantees that it is never the case that U holds forever, without.

165 165 Accepting w.r.t. bU c a, aU(bUc) b, bUc, aU(bUc)c, bUc, aU(bUc) b, bUcc, bUc All nodes with c, or without bUc.

166 166 Acceptance w.r.t. aU (bU c) a, aU(bUc) b, bUc, aU(bUc)c, bUc, aU(bUc) b, bUcc, bUc All nodes with bUc or without aU(bUc).

167 167 The SPIN System

168 168 What is SPIN? Model-checker. Based on automata theory. Allows LTL or automata specification Efficient (on-the-fly model checking, partial order reduction). Developed in Bell Laboratories.

169 169 Documentation Paper: The model checker SPIN, G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, Web:

170 170 The language of SPIN The expressions are from C. The communication is from CSP. The constructs are from Guarded Command.

171 171 Expressions Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==, != Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --

172 172 Declaration byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];

173 173 Message types and channels mtype = {OK, READY, ACK} mtype Mvar = ACK chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte} Ng has a buffer of 2, each message consists of two bytes and an enumerable type (mtype). Next is used with handshake message passing.

174 174 Sending and receiving a message Channel declaration: chan qname=[3] of {mtype, byte, byte} In sender: qname!tag3(expr1, expr2) or equivalently: qname!tag3, expr1, expr2 In Receiver: qname?tag3(var1,var2)

175 175 Defining an array of channels Channel declaration: chan qname=[3] of {mtype, byte, byte} defines a channel with buffer size 3. chan comm[5]=[0] of {byte, byte} defines an array of channels (indexed 0 to 4. Communication is synchronous (handshaking), meaning that the sender waits for the receiver.

176 176 Condition if :: x%2==1 -> z=z*y; x-- :: x%2==0 -> y=y*y; x=x/2 fi If more than one guard is enabled: a nondeterministic choice. If no guard is enabled: the process waits (until a guard becomes enabled).

177 177 Looping do :: x>y -> x=x-y :: y>x -> y=y-x :: else break od; Normal way to terminate a loop: with break. (or goto). As in condition, we may have a nondeterministic loop or have to wait.

178 178 Processes Definition of a process: proctype prname (byte Id; chan Comm) { statements } Activation of a process: run prname (7, Con[1]);

179 179 init process is the root of activating all others init { statements } init {byte I=0; atomic{do ::I run prname(I, chan[I]); I=I+1 ::I=10 -> break; od}} atomic allows performing several actions as one atomic step.

180 180 Exmaples of Mutual exclusion Reference: A. Ben-Ari, Principles of Concurrent and Distributed Programs, Prentice-Hall 1990.

181 181 General structure loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Propositions: inCRi, inTRi.

182 182 Properties loop Non_Critical_Section ; TR:Pre_Protocol; CR:Critical_Section; Post_protocol; end loop; Assumption: ~<>[]inCRi Requirements: []~(inCR0/\inCR1) [](inTRi <>inCRi) Not assuming: []<>inTRi

183 183 Turn:bit:=1; task P0 is begin loop Non_Critical_Sec; Wait Turn=0; Critical_Sec; Turn:=1; end loop end P0. task P1 is begin loop Non_Critical_Sec; Wait Turn=1; Critical_Sec; Turn:=0; end loop end P1.

184 184 Translating into SPIN #define critical (incrit[0] ||incrit[1]) byte turn=0, incrit[2]=0; proctype P (bool id) { do :: 1 -> do :: 1 -> skip :: 1 -> break od; try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od} init { atomic{ run P(0); run P(1) } }

185 185 The leader election algorithm A directed ring of computers. Each has a unique value. Communication is from left to right. Find out which value is the greatest.

186 186 Example

187 187 Informal description: Initially, all the processes are active. A process that finds out it does not represent a value that can be maximal turns to be passive. A passive process just transfers values from left to right.

188 188 More description The algorithm executes in phases. In each phase, each process first sends its current value to the right. Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.

189 189 Continued When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left. If the left active process has greatest value among three, then keep this value. Otherwise, become passive.

190

191 , 7 2, 9 9, 4 7, 2 4, 12 12, 3

192 , 7 2, 9 9, 4 7, 2 4, 12 12, 3

193

194 , 7 7, 9 9, 12

195 195 12

196 196 send(1, my_number); state:=active; when received(1,number) do if state=active then if number!=max then send(2, number); neighbor:=number; else (max is greatest, send to all processes); end if; else send(1,number); end if; end do; when received(2,number) do if state=active then if neighbor>number and neighbor>max then max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if; end do;

197 197 Now, translate into SPIN (Promela) code

198 198 Running SPIN Can download and implement (for free) using Available in our system. Graphical interface: xspin

199 199 Homework: check properties There is never more than one maximal value found. A maximal value is eventually found. From the time a maximal value is found, we continue to have one maximal value. There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end. The maximal value is always 5.

200 200 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; end end critical section 2 c2:=1; turn:=1 end. boolean c1 initially 1; boolean c2 initially 1; integer (1..2) turn initially 1;

201 201 Project Model in Spin Specify properties Do model checking Can this work without fairness? What to do with fairness?

202 202 Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1

203 203 Fairness (Book: Chapter 4.12, 8.3, 8.4)

204 204 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; c1:=0; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; c2:=0; end end critical section 2 c2:=1; turn:=1 end. boolean c1 initially 1; boolean c2 initially 1; integer (1..2) turn initially 1;

205 205 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; c1:=0; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; c2:=0; end end critical section 2 c2:=1; turn:=1 end. boolean c1 initially 1; boolean c2 initially 1; integer (1..2) turn initially 1; c1=c2=0, turn=1

206 206 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; c1:=0; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; c2:=0; end end critical section 2 c2:=1; turn:=1 end. boolean c1 initially 1; boolean c2 initially 1; integer (1..2) turn initially 1; c1=c2=0, turn=1

207 207 Dekkers algorithm P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; c1:=0; end end critical section 1 c1:=1; turn:=2 end. P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; c2:=0; end end critical section 2 c2:=1; turn:=1 end. P1 waits for P2 to set c2 to 1 again. Since turn=1 (priority for P1), P2 is ready to do that. But never gets the chance, since P1 is constantly active checking c2 in its while loop. c1=c2=0, turn=1

208 208 0:START P1 11:c1:=1 12:true 13:end 2:c1:=0 8:c2=0? 7:turn=2? 6:c1:=0 3:c1:=1 11:turn:=2 10:c1:=1 9:critical-1 4:no-op 5:turn=2? no no no noyes yes yes yes 0:START P2 11:c2:=1 12:true 13:end 2:c2:=0 8:c1=0? 7:turn=1? 6:c2:=0 3:c2:=1 11:turn:=1 10:c2:=1 9:critical-2 4:no-op 5:turn=1? no no no noyes yes yes yes Initially: turn=1

209 209 What went wrong? The execution is unfair to P2. It is not allowed a chance to execute. Such an execution is due to the interleaving model (just picking an enabled transition). If it did, it would continue and set c2 to 0, which would allow P1 to progress. Fairness = excluding some of the executions in the interleaving model, which do not correspond to actual behavior of the system. while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; c2:=0; end end

210 210 Recall: The interleaving model An execution is a finite or infinite sequence of states s 0, s 1, s 2, … The initial state satisfies the initial condition, I.e., I (s 0 ). Moving from one state s i to s i+1 is by executing a transition e t: e(s i ), I.e., s i satisfies e. s i+1 is obtained by applying t to s i. Now: consider only fair executions. Fairness constrains sequences that are considered to be executions. Fair executions Sequences Executions

211 211 Some fairness definitions Weak transition fairness: It cannot happen that a transition is enabled indefinitely, but is never executed. Weak process fairness: It cannot happen that a process is enabled indefinitely, but non of its transitions is ever executed Strong transition fairness: If a transition is infinitely often enabled, it will get executed. Strong process fairness: If at least one transition of a process is infinitely often enabled, a transition of this process will be executed.

212 212 How to use fairness constraints? Assume in the negative that some property (e.g., termination) does not hold, because of some transitions or processes prevented from execution. Show that such executions are impossible, as they contradict fairness assumption. We sometimes do not know in reality which fairness constraint is guaranteed.

213 213 Example P1::x=1 P2: do :: y==0 -> if :: true :: x==1 -> y=1 fi od Initially: x=0; y=0; In order for the loop to terminate (in a deadlock !) we need P1 to execute the assignment. But P1 may never execute, since P2 is in a loop executing true. Consequently, x==1 never holds, and y is never assigned a 1. pc1=l0 (pc1,x):=(l1,1) /* x=1 */ pc2=r0/\y=0 pc2=r1 /* y==0*/ pc2=r1 pc2=r0 /* true */ pc2=r1/\x=1 (pc2,y):=(r0,1) /* x==1 y:=1 */

214 214 Weak transition fairness P1::x=1 P2: do :: y==0 -> if :: true :: x==1 -> y=1 fi od Initially: x=0; y=0; Under weak transition fairness, P1 would assign 1 to x, but this does not guarantee that 1 is assigned to y and thus the P2 loop will terminates, since the transition for checking x==1 is not continuously enabled (program counter not always there). Weak process fairness only guarantees P1 to execute, but P2 can still choose the true guard. Strong process fairness: same.

215 215 Strong transition fairness P1::x=1P2: do :: y==0 -> if :: true :: x==1 -> y=1 fi od Initially: x=0; y=0; Under strong transition fairness, P1 would assign 1 to x. If the execution was infinite, the transition checking x==1 was infinitely often enabled. Hence it would be eventually selected. Then assigning y=1, the main loop is not enabled anymore.

216 216 Specifying fairness conditions Express properties over an alternating sequence of states and transitions: s 0 1 s 1 1 s 2 … Use transition predicates exec.

217 217 Some fairness definitions Weak transition fairness: /\ T (<>[]en []<>exec ). Equivalently: /\ a T ¬<>[](en /\¬exec ) Weak process fairness: /\ Pi (<>[]en Pi []<>exec Pi ) Strong transition fairness: /\ T ([]<>en []<>exec ) Strong process fairness: /\ Pi ([]<>en Pi []<>exec Pi ) exec is executed. exec Pi some transition of Pi is executed. en is enabled. en Pi some transition of process Pi is enabled. en Pi = \/ Pi en exec Pi = \/ Pi exec

218 218 Weaker fairness condition A is weaker than B if B A. (Means A has more executions than B.) Consider the executions L(A) and L(B). Then L(B) L(A). If an execution is strong {process/transition} fair, then it is also weak {process/transition} fair. There are fewer strong {process,transition} fair executions. Strong transition fair execs Weak process fair execs Weak transition fair execs Strong process fair execs

219 219 Fairness is an abstraction; no scheduler can guarantee exactly all fair executions! Initially: x=0, y=0 P1::x=1 || P2::do :: x==0 -> y=y+1 :: x==1 -> break od x=0,y=0 x=0,y=1 x=1,y=0 x=1,y=1 x=0,y=2 x=1,y=2 Under fairness assumption (any of the four defined), P1 will execute the assignment, and consequently, P2 will terminate. All executions are finite and there are infinitely many of them, and infinitely many states. Thus, an execution tree (the state space) will potentially look like the one on the right, but with infinitely many states, finite branching and only finite sequences. But according to Königs Lemma there is no such tree!

220 220 Model Checking under fairness Instead of verifying that the program satisfies, verify it satisfies fair Problem: may be inefficient. Also fairness formula may involves special arrangement for specifying what exec means. May specialize model checking algorithm instead.

221 221 Model Checking under Fairness Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a transition from P, or it contains a state where P is disabled. Weak transition fairness: similar. Strong fairness: much more difficult algorithm.

222 222 Abstractions (Book: Chapter 10.1)

223 223 Problems with software analysis Many possible outcomes and interactions. Not manageable by an algorithm (undecideable, complex). Requires a lot of practice and ingenuity (e.g., finding invariants).

224 224 More problems Testing methods fail to cover potential errors. Deductive verification techniques require too much time, mathematical expertise, ingenuity. Model checking requires a lot of time/space and may introduce modeling errors.

225 225 How to alleviate the complexity? Abstraction Compositionality Partial Order Reduction Symmetry

226 226 Abstraction Represent the program using a smaller model. Pay attention to preserving the checked properties. Do not affect the flow of control.

227 227 Main idea Use smaller data objects. x:= f(m) y:=g(n) if x*y>0 then … else … x, y never used again.

228 228 How to abstract? Assign values {-1, 0, 1} to x and y. Based on the following connection: sgn(x) = 1 if x>0, 0 if x=0, and -1 if x<0. sgn(x)*sgn(y)=sgn(x*y).

229 229 Abstraction mapping S - states, I - initial states. L(s) - labeling. R(S,S) - transition relation. h(s) maps s into its abstract image. Full model -h Abstract model I(s) I(h(s)) R(s, t) R(h(s),h(t)) L(h(s))=L(s)

230 230 Traffic light example go stop

231 231 go stop go stop

232 232 What do we preserve? go stop go stop Every execution of the full model can be simulated by an execution of the reduced one. Every LTL property that holds in the reduced model hold in the full one. But there can be properties holding for the original model but not the abstract one.

233 233 Preserved: [](go->O stop) go stop go stop Not preserved: []<>go Counterexamples need to be checked.

234 234 Symmetry A permutation is a one-one and onto function p:A A. For example, 1 3, 2 4, 3 1, 4 5, 5 2. One can combine permutations, e.g., p1: 1 3, 2 1, 3 2 p2: 1 2, 2 1, , 2 2, 3 1 A set of permutations is called a symmetry group.

235 235 Using symmetry in analysis Want to find some symmetry group such that for each permutation p in it, R(s,t) if and only if R(p(s), p(t)) and L(p(s))=L(s). Let K(s) be all the states that can be permuted to s. This is a set of states such that each one can be permuted to the other.

236 236 Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,CR1 Turn=1 L0,NC1 Turn=1 NC0,NC1 Turn=1 NC0,L1 Turn=1 L0,L1 init

237 237 Turn=0 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=0 CR0,NC1 Turn=0 NC0,NC1 Turn=0 CR0,L1 init The quotient model

238 238 Homework: what is preserved in the following buffer abstraction? What is not preserved? e empty quasi full q q q f

239 239 BDD representation

240 240 Computation Tree Logic... pp p EG p pppp p pp AF p

241 241 Computation Tree Logic qq q p... p q p E pUq p A pUq

242 242 Example formulas CTL formulas: mutual exclusion: AG ( cs 1 cs 2 ) non starvation: AG (request AF grant) sanity check: EF request

243 243 Model Checking M |= f [Clarke, Emerson, Sistla 83] The Model Checking algorithm works iteratively on subformulas of f, from simpler subformulas to more complex ones When checking subformula g of f we assume that all subformulas of g have already been checked For subformula g, the algorithm returns the set of states that satisfy g ( S g ) The algorithm has time complexity: O(|M| |f|)

244 244 Model checking f = EF g Given a model M= and S g the sets of states satisfying g in M procedure CheckEF (S g ) Q := emptyset; Q := S g ; while Q Q do Q := Q; Q := Q { s | s' [ R(s,s) Q(s) ] } end while S f := Q ; return(S f )

245 245 g g g f f f f f f f Example: f = EF g

246 246 Model checking f = EG g CheckEG gets M= and S g and returns S f procedure CheckEG (S g ) Q := S ; Q := S g ; while Q Q do Q := Q; Q := Q { s | s' [ R(s,s) Q(s) ] } end while S f := Q ; return(S f )

247 247 g g g g g g Example: f = EG g

248 248 Symbolic model checking [Burch, Clarke, McMillan, Dill 1990] If the model is given explicitly (e.g. by adjacent matrix) then only systems with about ten Boolean variables (~1000 states) can be handled Symbolic model checking uses Binary Decision Diagrams ( BDDs ) to represent the model and sets of states. It can handle systems with hundreds of Boolean variables.

249 249 Binary decision diagrams (BDDs) [Bryant 86] Data structure for representing Boolean functions Often concise in memory Canonical representation Boolean operations on BDDs can be done in polynomial time in the BDD size

250 250 Assume that states in model M are encoded by {0,1} n and described by Boolean variables v 1...v n S f can be represented by a BDD over v 1...v n R (a set of pairs of states (s,s) ) can be represented by a BDD over v 1...v n v 1...v n BDDs in model checking

251 251 BDD definition A tree representation of a Boolean formula. Each leaf represents 0 (false) or 1 (true). Each internal leaf represents a node. If we follow a path in the tree and go from a node left (low) on 0 and right (high) on 1, we obtain a leaf that corresponds to the value of the formula under this truth assignment.

252 252 Example a bc ccbb (a/\(b\/ ¬ c))\/(¬a/\(b/\c))

253 253 OBDD: there is some fixed appearance order between variables, e.g., a

254 254 In reduced form: combine all leafs with same values, all isomorphic subgraph. a bb cccc (a/\(b\/ ¬ c))\/(¬a/\(b/\c)) In addition, remove nodes with identical children (low(x)=high(x)).

255 255 In reduced form: combine all leafs with same values, all isomorphic subgraph. a bb cccc (a/\(b\/ ¬ c))\/(¬a/\(b/\c)) 0 1 In addition, remove (shortcut) nodes with identical children (low(x)=high(x)). Apply bottom up until not possible.

256 256 In reduced form: combine all leafs with same values, all isomorphic subgraph. a bb cccc (a/\(b\/ ¬ c))\/(¬a/\(b/\c)) 0 1 In addition, remove (shortcut) nodes with identical children (low(x)=high(x)).

257 257 In reduced form: combine all leafs with same values, all isomorphic subgraph. a bb cc (a/\(b\/ ¬ c))\/(¬a/\(b/\c)) 0 1 In addition, remove (shortcut) nodes with identical children (low(x)=high(x)).

258 258 Example, even parity, 3 bits a bb cccc

259 259 Apply reduce a bb cccc 01

260 260 Apply reduce a bb c cc c 01

261 261 Apply reduce a bb ccc 01

262 262 Apply reduce a bb c c c 01

263 263 Apply reduce a bb c c 01

264 264 f[0/x], f[1/x] (restrict algorithm) Obtain the replacement of a variable x by 0 or 1, in formula f, respectively. For f[0/x], incoming edges to node x are redirected to low(x), and x is removed. For f[1/x], incoming edges to node x are redirected to high(x), and x is removed. Then we reduce the OBBD.

265 265 Calculate x x = [0/x]\/ [1/x] Thus, we apply restrict twice to and then apply the disjunction.

266 266 Shannon expansion of Boolean expression f. f=( ¬x/\f[0/x])\/(x/\f[1/x]) Thus, f#g, for some logical operator # is f #g =( ¬x/\f#g [0/x])\/(x/\f#g [1/x])= ( ¬x/\f [0/x]#g [0/x])\/(x/\f [1/x]#g[1/x])

267 267 Now compute f#g recursively: Let r f be the root of the OBDD for f, and r g be the root of the OBDD for g. If r f and r g are terminals, then apply r f #r g and put the result. If both roots are same node (say x), then create a low edge to low(r f )#low(r g ), and a high edge to high(r f )#high(r g ). If r f is x and r g is y, and x

268 268 Same subgraphs are not needed to be explored again (use memoising, i.e., dynamic programming, complexity: exponential 2xmultiplications of sizes. R 1,S 1 R 6,S 5 R 2,S 3 R 3,S 2 R 3,S 3 R 4,S 3 R 5,S 4 R 6,S 3 R 4,S 3 R 5,S 4 R 6,S 5 R 6,S 4 R 6,S 5 R 5,S 4 R 6,S 5 x z t z y x t R1R1 R3R3 R2R2 R5R5 R6R6 R4R4 S1S1 S3S3 S2S2 S4S4 S5S5 x z z t t t t y

269 269 Same subgraphs are not needed to be explored again (use memoising, i.e., dynamic programming, complexity: exponential 2xmultiplications of sizes. R 1,S 1 R 6,S 5 R 2,S 3 R 3,S 2 R 3,S 3 R 4,S 3 R 5,S 4 R 6,S 3 R 4,S 3 R 5,S 4 R 6,S 5 R 6,S 4 R 6,S 5 R 5,S 4 R 6,S 5 x z t z y x y R1R1 R3R3 R2R2 R5R5 R6R6 R4R4 S1S1 S3S3 S2S2 S4S4 S5S5 x z z t t t t y

270 270 Symbolic Model Checking Characterize CTL formulas using fixpoints. AF = \/AX AF EF = EX EF Z. EX Z AG = /\AX A G EG = EX EG Z. EX Z A U = \/( /\AX U ) E U = ( EX U ) Z. ( EXZ) A R = /\( \/AX R ) E R = ( EX R ) Z. ( EXZ)

271 271 Representing the successor relation formula R A relation between the current state and the next state can be represented as a BDD with prime variables representing the variables at next states. For example: p/\¬q/\r/\¬p/\q/\r says that the current state satisfies p/\¬q/\r and the next state satisfies ¬p/\q/\r. (typically, for one transition, represented as a Boolean relation). If t i represents this relation for transition i, we can write for the entire code R= \/ i t i.

272 272 Calculating (Z) for (Z)= EX Z Z is a BDD. Rename variables in Z by their primed version to obtain BDD Z. Calculate the BDD R/\Z. Let y 1 …y n be the primed variables, Then calculate the BDD T= y 1 … y n R/\Z to remove primed variables. Calculate the BDD T.

273 273 Model checking Z (least fixed point) For example, = EX Z For formulas with main operator. procedure Check LFP ( ) Q :=False; Q := (Q) ; while Q Q do Q := Q; Q := (Q) ; end while return(Q)

274 274 Model checking Z (Greatest fixed point) For example, = ( EX Z) For formulas with main operator. procedure Check GFP ( ) Q :=True; Q := (Q) ; while Q Q do Q := Q; Q := (Q) ; end while return(Q)

275 275 Program verification: flowchart programs (Book: chapter 7)

276 276 History Verification of flowchart programs: Floyd, 1967 Hoares logic: Hoare, 1969 Linear Temporal Logic: Pnueli, Krueger, 1977 Model Checking: Clarke & Emerson, 1981

277 277 Program Verification Predicate (first order) logic. Partial correctness, Total correctness Flowchart programs Invariants, annotated programs Well founded ordering (for termination) Hoares logic

278 278 Predicate (first order logic) Variables, functions, predicates Terms Formulas (assertions)

279 279 Signature Variables: v1, x, y18 Each variable represents a value of some given domain (int, real, string, …). Function symbols: f(_,_), g2(_), h(_,_,_). Each function has an arity (number of paramenters), a domain for each parameter, and a range. f:int*int->int (e.g., addition), g:real->real (e.g., square root) A constant is a predicate with arity 0. Relation symbols: R(_,_), Q(_). Each relation has an arity, and a domain for each parameter. R : real*real (e.g., greater than). Q : int (e.g., is a prime).

280 280 Terms Terms are objects that have values. Each variable is a term. Applying a function with arity n to n terms results in a new term. Examples: v1, 5.0, f(v1,5.0), g2(f(v1,5.0)) More familiar notation: sqr(v1+5.0)

281 281 Formulas Applying predicates to terms results in a formula. R(v1,5.0), Q(x) More familiar notation: v1>5.0 One can combine formulas with the boolean operators (and, or, not, implies). R(v1,5.0)->Q(x) x>1 -> x*x>x One can apply existentail and universal quantification to formulas. x Q(X) x1 R(x1,5.0) x y R(x,y)

282 282 A model, A proofs A model gives a meaning (semantics) to a first order formula: A relation for each relation symbol. A function for each function symbol. A value for each variable. An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model. Example proof rule (MP) :

283 283 Flowchart programs Input variables: X=x1,x2,…,xl Program variables: Y=y1,y2,…,ym Output variables: Z=z1,z2,…,zn start halt Y=f(X) Z=h(X,Y)

284 284 Assignments and tests Y=g(X,Y)t(X,Y) FT

285 285 start halt (y1,y2)=(0,x1) y2>=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) Initial condition Initial condition: the values for the input variables for which the program must work. x1>=0 /\ x2>0 F T

286 286 start halt (y1,y2)=(0,x1) y2>=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) The input-output claim The relation between the values of the input and the output variables at termination. x1=z1*x2+z2 /\ 0<=z2

287 287 Partial correctness, Termination, Total correctness Partial correctness: if the initial condition holds and the program terminates then the input-output claim holds. Termination: if the initial condition holds, the program terminates. Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.

288 288 Subtle point: The program is partially correct with respect to x1>=0/\x2>=0 and totally correct with respect to x1>=0/\x2>0 start halt (y1,y2)=(0,x1) y2>=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) T F

289 289 start halt (y1,y2)=(0,x1) y2>=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) Annotating a scheme Assign an assertion for each pair of nodes. The assertion expresses the relation between the variable when the program counter is located between these nodes. A B CD E FT

290 290 Invariants Invariants are assertions that hold at each state throughout the execution of the program. One can attach an assertion to a particular location in the code: e.g., at(B) (B). This is also an invariant; in other locations, at(B) does not hold hence the implication holds. If there is an assertion attached to each location, (A), (B), (C), (D), (E), then their disjunction is also an invariant: (A)\/ (B)\/ (C)\/ (D)\/ (E) (since location is always at one of these locations).

291 291 Annotating a scheme with invariants A): x1>=0 /\ x2>=0 B): x1=y1*x2+y2 /\ y2>=0 C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 D):x1=y1*x2+y2 /\ y2>=0 /\ y2=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) A B CD E F T A) Is the precondition of (y1,y2)=(0,x1) and B) is its postcondition

292 292 Preliminary: Relativizing assertions (B) : x1= y1 * x2 + y2 /\ y2 >= 0 Relativize B) w.r.t. the assignment, obtaining B) [Y\g(X,Y)] e (B) expressed w.r.t. variables at A.) (B) A = x1=0 * x2 + x1 /\ x1>=0 Think about two sets of variables, before={x, y, z, …} after={x,y,z…}. Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after by substitution. Here: x1=y1 * x2 + y2 /\ y2>=0 /\ x1=x1 /\ x2=x2 /\ y1=0 /\ y2=x1 now eliminate x1, x2, y1, y2. (y1,y2)=(0,x1) A B A B Y=g(X,Y)

293 293 Preliminary: Relativizing assertions (y1,y2)=(0,x1) A B A B A): (B) A (B) Y=g(X,Y)

294 294 Verification conditions: assignment A) B) A where B) A = B)[Y\g(X,Y)] A): x1>=0 /\ x2>=0 B): x1=y1*x2+y2 /\ y2>=0 B) A = x1=0*x2+x1 /\ x1>=0 (y1,y2)=(0,x1) A B A B Y=g(X,Y)

295 295 (y1,y2)=(y1+1,y2-x2) Second assignment C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 B): x1=y1*x2+y2 /\ y2>=0 B) C : x1=(y1+1)*x2+y2- x2 /\ y2-x2>=0 C B

296 296 (z1,z2)=(y1,y2) Third assignment D):x1=y1*x2+y2 /\ y2>=0 /\ y2

297 297 Verification conditions: tests B) /\ t(X,Y) C) B) /\¬t(X,Y) D) B): x1=y1*x2+y2 /\y2>=0 C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 D):x1=y1*x2+y2 /\ y2>=0 /\ y2=x2 B C D B C D t(X,Y) F T FT

298 298 Verification conditions: tests y2>=x2 B C D B C D t(X,Y) F T FT ¬t(X,Y) B) C)

299 299 Partial correctness proof: An induction on length of execution B) D) C) Initially, states satisfy the initial conditions. Then, passing from one set of states to another, we preserve the invariants at the appropriate location. We prove: starting with a state satisfying the initial conditions, if are at a point in the execution, the invariant there holds. Not a proof of termination! start halt (y1,y2)=(0,x1) y2>=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) A B CD E A) no yes TF

300 300 Exercise: prove partial correctness Initial condition: x>=0 Input-output claim: z=x! start halt (y1,y2)=(0,1) y1=x (y1,y2)=(y1+1,(y1+1)*y2)z=y2 TF

301 301 What have we achieved? For each statement S that appears between points X and Y we showed that if the control is in X when (X) holds (the precondition of S) and S is executed, then (Y) (the postcondition of S) holds. Initially, we know that (A) holds. The above two conditions can be combined into an induction on the number of statements that were executed: If after n steps we are at point X, then (X) holds.

302 302 Another example (A) : x>=0 (F) : z^2<=x<(z+1)^2 z is the biggest number that is not greater than sqrt x. start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

303 303 Some insight …+(2n+1)=(n+1)^2 y2 accumulates the above sum, until it is bigger than x. y3 ranges over odd numbers 1,3,5,… y1 is n-1. start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

304 304 Invariants It is sufficient to have one invariant for every loop (cycle in the programs graph). We will have (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

305 305 Obtaining (B) By backwards substitution in (C). (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

306 306 Check assignment condition (A)=x>=0 (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1 (B) relativized is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1 Simplified: x>=0 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

307 307 Obtaining (D) By backwards substitution in (B). (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1 (D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

308 308 Checking (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 (C)/\y2<=x) (D) (D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

309 309 y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1 y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1 y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1

310 310 Not finished! Still needs to: Calculate (E) by substituting backwards from (F). Check that (C)/\y2>x (E) start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2)z=y1 B C D F truefalse E y2=y2+y3

311 311 Exercise: prove partial correctness. Initially: x1>0/\x2>0. At termination: z1=gcd(x1,x2). halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 FT y1>y2 y2=y2-y1 y1=y1-y2 TF

312 312 Annotation of program with invariants halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF z1=gcd(x1,x2) x1>0 /\ x2>0 gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0 gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\y1 y2 gcd(y1,y2)=gcd(x1,x2)/\ y1>0/\y2>0/\y10/\y2>0/\y1>y2 y1=gcd(x1,x2) A B D E F G H

313 313 Part 1 halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF (A)= x1>0 /\ x2>0 (B)=gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0 A B D E F G H (B)rel= gcd(x1,x2)=gcd(x1,x2)/\ x1>0/\x2>0 (A) (B)rel

314 314 Part 2a halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF (B)= gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0 (D)=gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\y1 y2 A B D E F G H (B)/\ ¬(y1=y2) (D)

315 315 Part 2b halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF (G)= y1=gcd(x1,x2) A B D E F G H (B)= gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0 (B)/\ (y1=y2) (G)

316 316 Part 3 halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF (D)= gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\y1 y2 (E)=gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\y10/\y2>0/\y1>y2 A B D E F G H (D)/\ (y1>y2) (F) (D)/\ ¬(y1>y2) (E)

317 317 Part 4 halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF x1>0 /\ x2>0 (B)= gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0 (E)= gcd(y1,y2)=gcd(x1,x2)/\ y1>0/\y2>0/\y10/\y2>0/\y1>y2 A B D E F G H (B)rel1= gcd(y1,y2-y1)=gcd(x1,x2) /\y1>0/\y2-y1>0 (B)rel2= gcd(y1-y2,y2)=gcd(x1,x2) /\y1-y2>0/\y2>0 (E) (B)rel1 (F) (B)rel2

318 318 Annotation of program with invariants halt start (y1,y2)=(x1,x2) z1=y1 y1=y2 F T y1>y2 y2=y2-y1 y1=y1-y2 TF (H)= z1=gcd(x1,x2) (G)= y1=gcd(x1,x2) A B D E F G H (H)rel= y1=gcd(x1,x2) (G) (H)rel2

319 319 Proving termination

320 320 Well-founded sets Partially ordered set (W,<): If aa2>a3>…

321 321 Examples for well founded sets Natural numbers with the bigger than relation. Finite sets with the set inclusion relation. Strings with the substring relation. Tuples with alphabetic order: (a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2]. (a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].

322 322 Why does the program terminate y2 starts as x1. Each time the loop is executed, y2 is decremented. y2 is natural number The loop cannot be entered again when y2=x2 C true

323 323 Proving termination Choose a well-founded set (W,<). Attach a function u(N) to each point N. Annotate the flowchart with invariants, and prove their consistency conditions. Prove that (N) (u(N) in W).

324 324 How not to stay in a loop? Show that u(M)>=u(N)rel. At least once in each loop, show that u(M)>u(N). S M N T N M

325 325 How not to stay in a loop? For stmt: (M) (u(M)>=u(N)rel) Relativize since we need to compare values not syntactic expressions. For test (true side): ( (M)/\test) (u(M)>=u(N)) For test (false side): ( (M)/\¬test) (u(M)>=u(L)) stmt M N test N M true L false

326 326 What did we achieve? There are finitely many control points. The value of the function u cannot increase. If we return to the same control point, the value of u must decrease (its a loop!). The value of u can decrease only a finite number of times.

327 327 Why does the program terminate u(A)=x1 u(B)=y2 u(C)=y2 u(D)=y2 u(E)=z2 W: naturals > : greater than start halt (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) (y1,y2)=(0,x1) A B D E false y2>=x2 C true

328 328 Recall partial correctness annotation A): x1>=0 /\ x2>=0 B): x1=y1*x2+y2 /\ y2>=0 C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2 D):x1=y1*x2+y2 /\ y2>=0 /\ y2=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) A B CD E false true

329 329 Strengthen for termination A): x1>=0 /\ x2>0 B): x1=y1*x2+y2 /\ y2>=0/\x2>0 C): x1=y1*x2+y2 /\ y2>=0/\y2>=x2/\x2>0 D):x1=y1*x2+y2 /\ y2>=0 /\ y2 0 E):x1=z1*x2+z2 /\ 0<=z2=x2 (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) A B CD E falsetrue

330 330 Strengthen for termination A): x1>=0 /\ x2>0 u(A)>=0 B): x1=y1*x2+y2 /\ y2>=0/\x2>0 u(B)>=0 C): x1=y1*x2+y2 /\y2>=0 /\y2>=x2/\x2>0 u(c)>=0 D):x1=y1*x2+y2 /\ y2>=0 /\ y2 0 u(D)>=0 E):x1=z1*x2+z2 /\ 0 =0 This proves that u(M) is natural for each point M. u(A)=x1 u(B)=y2 u(C)=y2 u(D)=y2 u(E)=z2

331 331 We shall show: u(A)=x1 u(B)=y2 u(C)=y2 u(D)=y2 u(E)=z2 A) u(A)>=u(B)rel B) u(B)>=u(C) C) u(C)>u(B)rel B) u(B)>=u(D) D) u(D)>=u(E)rel start halt (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) (y1,y2)=(0,x1) A B D E false y2>=x2 C true

332 332 Proving decrement C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2/\x2>0 u(C)=y2 u(B)=y2 u(B)rel=y2-x2 C) y2>y2-x2 (notice that C) x2>0) start halt (y1,y2)=(y1+1,y2-x2)(z1,z2)=(y1,y2) (y1,y2)=(0,x1) A B D E false y2>=x2 C true

333 333 Integer square prog. (C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 (B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\y3=2*y1+1 start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2) z=y1 B C D F truefalse E y2=y2+y3

334 334 u(A)=x+1 u(B)=x-y2+1 u(C)=max(0,x-y2+1) u(D)=x-y2+1 u(E)=u(F)=0 u(A)>=u(B)rel u(B)>u(C)rel u(C)>=u(D) u(C)>=u(E) u(D)>=u(B)rel Need some invariants, i.e., y2 0 at points B and D, and y3>0 at point C. start (y1,y2,y3)=(0,0,1) A halt y2>x (y1,y3)=(y1+1,y3+2) z=y1 B C D F truefalse E y2=y2+y3

335 335 Program Verification Using Hoares Logic Hoare triple is of the form {Precondition} Prog-segment {Postcondition} It expresses partial correctness: if the segment starts with a state satisfying the precondition and it terminates, the final state satisfies the postscondition. The idea is that one can decompose the proof of the program into smaller and smaller segments, depending on its structure.

336 336 While programs Assignments y:=e Composition S1; S2 If-then-else if t then S1 else S2 fi While while e do S od

337 337 Greatest common divisor {x1>0/\x2>0} y1:=x1; y2:=x2; while ¬(y1=y2) do if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi od {y1=gcd(x1,x2)}

338 338 Why it works? Suppose that y1,y2 are both positive integers. If y1>y2 then gcd(y1,y2)=gcd(y1-y2,y2) If y2>y1 then gcd(y1,y2)=gcd(y1,y2-y1) If y1=y2 then gcd(y1,y2)=y1=y2

339 339 Assignment axiom {p[e/y] } y:=e {p} For example: {y+5=10} y:=y+5 {y=10} {y+y20} y:=2*(y+5) {y>20} Justification: write p with y instead of y, and add the conjunct y=e. Next, eliminate y by replacing y by e.

340 340 Why axiom works backwards? {p} y:=t {?} Strategy: write p and the conjunct y=t, where y replaces y in both p and t. Eliminate y. This y represents value of y before the assignment. {y>5} y:=2*(y+5) {? } {p} y:=t { y (p[y/y] /\ t[y/y]=y) } y>5 /\ y=2*(y+5) y>20

341 341 Composition rule {p} S1 {r }, {r} S2 {q } {p} S1;S2 {q} For example: if the antecedents are 1. {x+1=y+2} x:=x+1 {x=y+2} 2. {x=y+2} y:=y+2 {x=y} Then the consequent is {x+1=y+2} x:=x+1; y:=y+2 {x=y}

342 342 More examples {p} S1 {r}, {r} S2 {q} {p} S1;S2 {q} {x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} y2:=x2 ___{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}____ {x1>0/\x2>0} y1:=x1 ; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}

343 343 If-then-else rule {p/\t} S1 {q}, {p/\¬t} S2 {q} {p} if t then S1 else S2 fi {q} For example: p is gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\¬(y1=y2) t is y1>y2 S1 is y1:=y1-y2 S2 is y2:=y2-y1 q is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0

344 344 While rule {p/\t} S {p} {p} while t do S od {p/\¬t} Example: p is {gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0} t is ¬ (y1=y2) S is if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi

345 345 Consequence rules Strengthen a precondition r p, {p } S {q } {r } S {q } Weaken a postcondition {p } S {q }, q r {p } S {r }

346 346 Use of first consequence rule Want to prove {x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} By assignment rule: {gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0} y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} x1>0/\x2>0 gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0

347 347 Combining program {x1>0 /\ x2>0} y1:=x1; y2:=x1; {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0} while S do if e then S1 else S2 fi od {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2} Combine the above using concatenation rule!

348 348 Not completely finished {x1>0/\x2>0} y1:=x1; y2:=x1; while ¬(y1=y2) do if e then S1 else S2 fi od {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2} But we wanted to prove: {x1>0/\x1>0} Prog {y1=gcd(x1,x2)}

349 349 Use of second consequence rule {x1>0/\x2>0} Prog {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2} And the implication gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2 y1=gcd(x1,x2) Thus, {x1>0/\x2>0} Prog {y1=gcd(x1,x2)}

350 350 Annotating a while program {x1>0/\x2>0} y1:=x1; {gcd(x1,x2)=gcd(y1,x2) /\y1>0/\x2>0} y2:=x2; {gcd(x1,x2)=gcd(y1,y2) /\y1>0/\y2>0} while ¬(y1=y2) do {gcd(x1,x2)=gcd(y1,y2)/\ y1>0/\y2>0/\¬(y1=y2)} if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi od {y1=gcd(x1,x2)}

351 351 While rule {p/\e} S {p} {p} while e do S od {p/\¬e}

352 352 Consequence rules Strengthen a precondition r p, {p} S {q} {r} S {q} Weaken a postcondition {p} S {q}, q r {p} S {r}

353 353 Soundness Hoare logic is sound in the sense that everything that can be proved is correct! This follows from the fact that each axiom and proof rule preserves soundness.

354 354 Completeness A proof system is called complete if every correct assertion can be proved. Propositional logic is complete. No deductive system for the standard arithmetic can be complete (Godel).

355 355 And for Hoares logic? Let S be a program and p its precondition. Then {p} S {false} means that S never terminates when started from p. This is undecideable. Thus, Hoares logic cannot be complete.

356 356 Weakest prendition, Strongest postcondition For an assertion p and code S, let post(p,S) be the strongest assertion such that {p}S{post(p,S) } That is, if {p}S{q} then post(p,S) q. For an assertion q and code S, let pre(S,q) be the weakest assertion such that {pre(S,q)}S{q} That is, if {p}S{q} then p pre(S,q).

357 357 Relative completeness Suppose that either post(p,S) exists for each p, S, or pre(S,q) exists for each S, q. Some oracle decides on pure implications. Then each correct Hoare triple can be proved. What does that mean? The weakness of the proof system stem from the weakness of the (FO) logic, not of Hoares proof system.

358 358 Extensions Many extensions for Hoares proof rules: Total correctness Arrays Subroutines Concurrent programs Fairness

359 359 Proof rule for total correctness Similar idea to Floyds termination: Well foundedness {p/\t/\f=z} S {p/\f =0) {p} while t do S od {p/\¬t} where z - an int. variable, not appearing in p,t,e,S. f - an int. expression.

360 360 Verification with Array Variables Book: Chapter 7.2

361 361 The problem Using array variables can lead to complication: {x[1]=1/\x[2]=3} x[x[1]]:=2 {x[x[1]]=2} No!!! Why? Because the assignment changes x[1] as well. Now it is also 2, and x[x[1]], which is x[2] is 3 and not 2!

362 362 What went wrong? Take the postcondition {x[x[1]]=2} and substitute 2 instead of x[x[1]]. We obtain {2=2} (which is equivalent to {true}). Now, (x[1]=1/\x[2]=3) 2=2. So we may wrongly conclude that the above Hoare triple is correct.

363 363 How to fix this? `Backward substitution should be done with arrays as complete elements. Define (x; e1: e2) : an array like x, with value at the index e1 changed to e2. (x; e1: e2)[e3]=e2 if e1=e3 x[e3] otherwise (x; e1: e2)[e3]=if (e1=e3, e2, x[e3])

364 364 Solved the problem? How to deal with if(φ, e1, e2)? Suppose that formula ψ contains this expression. Replace if(φ, e1, e2) by new variable v in ψ. The original formula ψ is equivalent to: (φ/\ ψ[e1/v])\/(¬φ/\ ψ[e2/v])

365 365 Returning to our case Our postcondition is {x[x[1]]=2}. The assignment x[x[1]]:=2 causes the substitution in the postcondition of the (array) variable x by a new array, which is (x; x[1] : 2), resulting in {x[x[1]]=2} (x; x[1] : 2)[(x; x[1] : 2)[1]] = 2

366 366 Are we done? Not yet. It remains to Convert the array form into an if form. Get rid of the if form. Will not be done in class. All we say is that we obtain an expression that is not implied by the precondition x[1]=1/\x[2]=3.

367 367 Proof checking with PVS Book: Chapter 3

368 368 A Theory Name: THEORY BEGIN Definitions (types, variables, constants) Axioms Lemmas (conjectures, theorems) END Name

369 369 Group theory (*, e), where * is the operator and e the unity element. Associativity (G1): (x*y)*z=x*(y*z). Unity (G2): (x*e)=x Right complement (G3): x y x*y=e. Want to prove: x y y*x=e.

370 370 Informal proof Choose x arbitrarily. By G3, there exists y s.t. (1) x*y=e. By G3, we have z s.t. (2) y*z=e. y*x=(y*x)*e (by G2) =(y*x)*(y*z) (by (2)) =y*(x*(y*z)) (by G1) =y*((x*y)*z) (by G1) =y*(e*z) (by (1)) =(y*e)*z (by G1) =y*z (by (G2)) =e (by (2))

371 371 Example: groups Group: THEORY BEGIN element: TYPE unit: element *: [element, element-> element] left:CONJECTURE FORALL (x: element): EXISTS (y: element): y*x=unit END Group

372 372 Axioms associativity: AXIOM FORALL (x, y, z:element): (x*y)*z=x*(y*z) unity: AXIOM FORALL (x:element): x*unit=x complement: AXIOM FORALL(x:element): EXISTS (y:element): x*y=unity

373 373 Skolemization Corresponds to choosing some arbitrary constant and proving without loss of generality. Want to prove (…/\…) (…\/ x (x)\/…). Choose a new constant x. Prove (…/\…) (…\/ (x)\/…).

374 374 Skolemization Corresponds to choosing some unconstrained arbitrary constant when one is known to exist. Want to prove (…/\ x (x)/\…) (…\/…). Choose a new constant x. Prove (…/\ (x)/\…) (…\/…).

375 375 Skolem in PVS (skolem 2 (a1 b2 c7)) (skolem -3 (a1 _ c7)) (skolem! -3) invents new constants, e.g., for x will invent x!1, x!2, … when applied repeatedly.

376 376 Instantiation Corresponds to restricting the generality. Want to prove (…/\ x (x)/\…) (…\/…). Choose a some term t. Prove (…/\ (t)/\…) (…\/…).

377 377 Instantiation Corresponds to proving the existence of an element by showing an evidence. Want to prove (…/\…) (…\/ x (x)\/…). Choose some term t. Prove (…/\…) (…\/ (t)\/…).

378 378 Instantiating in PVS (inst -1 x*y a b+c) (inst 2 a _ x)

379 379 Other useful rules (replace -1 (-1 2 3)) Formula -1 is of the form le=ri. Replace any occurrence of le by ri in lines -1, 2, 3. (replace -1 (-1 2 3) RL) Similar, but replace ri by le instead. (assert), (assert -) (assert +) (assert 7) Apply algebraic simplification. (lemma ) - add axiom as additional antecedent.

380 380

381 381 Why testing? Reduce design/programming errors. Can be done during development, before production/marketing. Practical, simple to do. Check the real thing, not a model. Scales up reasonably. Being state of the practice for decades.

382 382 Part 1: Testing of black box finite state machine Know: Transition relation Size or bound on size Wants to know: In what state we started? In what state we are? Transition relation Conformance Satisfaction of a temporal property

383 383 Finite automata (Mealy machines) S - finite set of states. (size n) - set of inputs. (size d) O - set of outputs, for each transition. (s 0 S - initial state). δ S S - transition relation (deterministic but sometimes not defined for each input per each state). S O - output on edges. Notation: δ(s,a 1 a 2..a n )= δ(… (δ(δ(s,a 1 ),a 2 ) … ),a n ) (s,a 1 a 2..a n )= (s,a 1 ) (δ(s,a 1 ),a 2 )… (δ(… δ(δ(s,a 1 ),a 2 ) … ),a n )

384 384 Finite automata (Mealy machines) S - finite set of states. (size n) – set of inputs. (size d) O – set of outputs, for each transition. (s 0 S - initial state). δ S S - transition relation. S O – output on edge. S={s 1, s 2, s 3 }, {a, b }, O={0,1 }. δ(s 1,a)=s 3 (also s 1 =a=>s 3 ), δ(s 1,b)=s 2,(also s 1 =b=>s 2 )… (s 1,a)=0, (s 1,b)=1,… δ(s 1,ab)=s 1, (s 1,ab)=01 s1s1 s3s3 s2s2 a/0 b/1 b/0 b/1 a/0

385 385 Why deterministic machines? Otherwise no amount of experiments would guarantee anything. If dependent on some parameter (e.g., temperature), we can determinize, by taking parameter as additional input. We still can model concurrent system. It means just that the transitions are deterministic. All kinds of equivalences are unified into language equivalence. Also: connected machine (otherwise we may never get to the completely separate parts).

386 386 Determinism When the black box is nondeterministic, we might never test some choices. b/1 a/1

387 387 Preliminaries: separating sequences s1s1 s3s3 s2s2 a/0 b/1 b/0 b/1 a/0 Start with one block containing all states {s 1, s 2, s 3 }. A set of sequences X such that if we execute them from different states, at least one of them will give a different output sequence. st µ X (s, µ ) (s, µ )

388 388 A: separate to blocks of states with different output. s1s1 s3s3 s2s2 a/0 b/1 b/0 b/1 a/0 The states are separated into {s 1, s 3 }, {s 2 } using the string b. But s 1 and s 3 have the same outputs to same inputs.

389 389 Repeat B : Separate blocks based on input that cause moving to different blocks. s1s1 s3s3 s2s2 a/0 b/1 b/0 b/1 a/0 Separate first block using b to three singleton blocks obtaining separation sequence bb. Separating sequences: b, bb. Max rounds: n-1, sequences: n-1, length: n-1. If string x separated blocks B 1, B 2, and letter a splits part of block C to move to B 1 and part to B 2, then ax separates C into C 1, C 2, accordingly.

390 390 Want to know the state of the machine (at end): Homing sequence. After firning homing sequence, we know in what state we are by observing outputs. Find a sequence µ such that δ(s, µ )δ(t, µ ) (s, µ ) (s, µ ) So, given an input µ that is executed from state s, we look at a table of outputs and according to a table, know in which state r we are.

391 391 Homing sequence Algorithm: Put all the states in one block (initially we do not know what is the current state). Then repeatedly separate blocks, as long as they are not singletons, as follows: Take a non singleton block, append a distinguishing sequence µ that separates at least two states in that block. Update each block to the states after executing µ. (Blocks may not be disjoint, its not a partition!) Max length of sequence: (n-1) 2 (Lower bound: n(n-1)/2.)

392 392 Example (homing sequence) s1s1 s3s3 s2s2 a/0 b/1 b/0 b/1 a/0 {s 1, s 2, s 3 } {s 1, s 2 } {s 3 } {s 1 } {s 2 } {s 3 } b b On input b and output 1, we still dont know if we were in s 1 or s 3, i.e., if we are currently in s 2 or s 1. So separate these cases with another b.

393 393 Synchronizing sequence One sequence takes the machine to the same final state, regardless of the initial state or the outputs. That is: find a sequence µ such that for each states s, t, δ(s, µ )=δ(t, µ ) Not every machine has a synchronizing sequence. Can be checked whether exists and if so, can be found in polynomial time. a/1 b/1 a/0 b/0b/1 a/0

394 394 Algorithm for synchronizing sequeneces s1s1 s2s2 s3s3 a/1 b/1 a/0 b/0b/1 a/0 Construct a graph with ordered pairs of nodes (s,t) such that (s,t )=a=>(s,t ) when s=a=>s, t=a=>t. (Ignore self loops, e.g., on (s 2,s 2 ).) s 1,s 1 s 2,s 2 s 3,s 3 s 1,s 2 s 2,s 3 s 1,s 3 bb b b b b a a a

395 395 Algorithm continues (2) There is an input sequence from both st to some r iff there is a path in this graph from (s,t ) to (r,r ). There is a synchronization sequence iff some node (r,r ) is reachable from every pair of distinct nodes. In this case it is (s 2,s 2 ). s 1,s 1 s 2,s 2 s 3,s 3 s 1,s 2 s 2,s 3 s 1,s 3 b b b b b b a a a

396 396 Algorithm continues (3) Notation:δ(S,x)= {t | s S,δ(s,x)=t } 1. i=1; S 1 =S 2. Take some nodes st S i, and find a shortest path labeled x i to some (r,r ). 3. i=i+1; S i :=δ(S i-1,x ). If |S i |>1,goto 2., else goto Concatenate x 1 x 2 …x k. s 1,s 1 s 2,s 2 s 3,s 3 s 1,s 2 s 2,s 3 s 1,s 3 b b b b b b a a a Number of sequences n-1. Each of length n(n-1)/2. Overall O(n(n-1) 2 /2).

397 397 Example: (s 2,s 3 )=a=>(s 2,s 2 ) x 1 :=a δ({s 1,s 2,s 3 },a)={s 1,s 2 } (s 1,s 2 )=ba=>(s 2,s 2 ) x 2 :=ba δ({s 1,s 2 },ba)={s 2 } So x 1 x 2 =aba is a synchronization sequence, bringing every state into state s 2. s 1,s 1 s 2,s 2 s 3,s 3 s 1,s 2 s 2,s 3 s 1,s 3 b b b b b b a a a

398 398 State identification: Want to know in which state the system has started (was reset to). Can be a preset distinguishing sequence (fixed), or a tree (adaptive). May not exist (PSPACE complete to check if preset exists, polynomial for adaptive). Best known algorithm: exponential length for preset, polynomial for adaptive [LY].

399 399 Sometimes cannot identify initial state b/1 a/1 s1s1 s3s3 s2s2 b/0 b/1 a/1 Start with a: in case of being in s 1 or s 3 well move to s 1 and cannot distinguish. Start with b: In case of being in s 1 or s 2 well move to s 2 and cannot distinguish. The kind of experiment we do affects what we can distinguish. Much like the Heisenberg principle in Physics.

400 400 So… Well assume resets from now on!

401 401 Conformance testing Unknown deterministic finite state system B. Known: n states and alphabet. An abstract model C of B. C satisfies all the properties we want from B. C has m states. Check conformance of B and C. Another version: only a bound n on the number of states l is known.

402 402 Check conformance with a given state machine Black box machine has no more states than specification machine (errors are mistakes in outputs, mistargeted edges). Specification machine is reduced, connected, deterministic. Machine resets reliably to a single initial state (or use homing sequence). s1s1 s3s3 s2s2 a/1 b/0 b/1 a/1 ?=?= b/1

403 403 Conformance testing [Ch,V] a/1 b/1 Cannot distinguish if reduced or not. a/1 b/1 a/1 b/1 a/1 b/1 a/1 b/1

404 404 Conformance testing (cont.) a bb a a a a b b b a Need: bound on number of states of B. a

405 405 Preparation: Construct a spanning tree, and separating sequences b/1 a/1 s1s1 s3s3 s2s2 b/0 b/1 a/1 s1s1 s2s2 s3s3 b/1a/1 Given an initial state, we can reach any state of the automaton.

406 406 How the algorithm works? According to the spanning tree, force a sequence of inputs to go to each state. 1. From each state, perform the distinguishing sequences. 2. From each state, make a single transition, check output, and use distinguishing sequences to check that in correct target state. s1s1 s2s2 s3s3 b/1a/1 Reset Distinguishing sequences

407 407 Comments 1. Checking the different distinguishing sequences (m-1 of them) means each time resetting and returning to the state under experiment. 2. A reset can be performed to a distinguished state through a homing sequence. Then we can perform a sequence that brings us to the distinguished initial state. 3. Since there are no more than m states, and according to the experiment, no less than m states, there are m states exactly. 4. Isomorphism between the transition relation is found, hence from minimality the two automata recognize the same languages.

408 408 Combination lock automaton Assume accepting states. Accepts only words with a specific suffix (cdab in the example). s1s1 s2s2 s3s3 s4s4 s5s5 bdca Any other input

409 409 When only a bound on size of black box is known… Black box can pretend to behave as a specification automaton for a long time, then upon using the right combination, make a mistake. b/1 a/1 s1s1 s3s3 s2s2 b/0 b/1 a/1 b/1 Pretends to be s 3 Pretends to be s 1 a/1

410 410 Conformance testing algorithm [VC] The worst that can happen is a combination lock automaton that behaves differently only in the last state. The length of it is the difference between the size n of the black box and the specification m. Reach every state on the spanning tree and check every word of length n-m+1 or less. Check that after the combination we are at the state we are supposed to be, using the distinguishing sequences. No need to check transitions: already included in above check. Complexity: m 2 n d n-m+1 Probabilistic complexity: Polynomial. Distinguishing sequences s1s1 s2s2 s3s3 b/1a/1 Words of length n-m+1 Reset

411 411 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B ) L(P )=. If so, S satisfies. Otherwise, the intersection includes a counterexample. Repeat for different properties.

412 412 Buchi automata ( -automata) S - finite set of states. (B has l n states) S 0 S - initial states. (P has m states) - finite alphabet. (contains p letters) S S - transition relation. F S - accepting states. Accepting run: passes a state in F infinitely often. System automata: F=S, deterministic, one initial state. Property automaton: not necessarily deterministic.

413 413 Example: check a a, a a a <> a

414 414 Example: check <> a a a a a <> a

415 415 Example: check <>a Use automatic translation algorithms, e.g., [Gerth,Peled,Vardi,Wolper 95] a a a, a <> a

416 416 System cb a

417 417 Every element in the product is a counter example for the checked property. cb a a a a a s1s1 s2s2 s3s3 q2q2 q1q1 s 1,q 1 s 1,q 2 s 3,q 2 s 2,q 1 a b c a Acceptance is determined by automaton P. <> a

418 418 Model Checking / Testing Given Finite state system B. Transition relation of B known. Property represent by automaton P. Check if L(B ) L(P )=. Graph theory or BDD techniques. Complexity: polynomial. Unknown Finite state system B. Alphabet and number of states of B or upper bound known. Specification given as an abstract system C. Check if B C. Complexity: polynomial if number states known. Exponential otherwise.

419 419 Black box checking [PVY] Outputs: {0,1} (for enabled/disabled) Property represent by automaton P. Check if L(B ) L(P )=. Graph theory techniques. Unknown Finite state system B. Alphabet and Upper bound on Number of states of B known. Complexity: exponential.

420 420 Experiments aa bb cc reset a a b b c c try b a a b b c c try c (Output 1+ progress) (Output 0 =stay)

421 421 Simpler problem: deadlock? Nondeterministic algorithm: guess a path of length n from the initial state to a deadlock state. Linear time, logarithmic space. Deterministic algorithm: systematically try paths of length n, one after the other (and use reset), until deadlock is reached. Exponential time, linear space.

422 422 Deadlock complexity Nondeterministic algorithm: Linear time, logarithmic space. Deterministic algorithm: Exponential (p n-1 ) time, linear space. Lower bound: Exponential time (use combination lock automata). How does this conform with what we know about complexity theory?

423 423 Modeling black box checking Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed. We learn the model as we make the experiments. Can use the model of games of incomplete information.

424 424 Games of incomplete information Two players: player, player (here, deterministic). Finitely many configurations C. Including: Initial C i, Winning : W + and W -. An equivalence relation on C (the player cannot distinguish between equivalent states). Labels L on moves (try a, reset, success, fail). The player has the moves labeled the same from configurations that are equivalent. Deterministic strategy for the player: will lead to a configuration in W + W -. Cannot distinguish between equivalent configurations. Nondeterministic strategy: Can distinguish between equivalent configurations..

425 425 Modeling BBC as games Each configuration contains an automaton and its current state (and more). Moves of the player are labeled with try a, reset... Moves of the -player with success, fail. c 1 c 2 when the automata in c 1 and c 2 would respond in the same way to the experiments so far.

426 426 A naive strategy for BBC Learn first the structure of the black box. Then apply the intersection. Enumerate automata with n states (without repeating isomorphic automata). For a current automata and new automata, construct a distinguishing sequence. Only one of them survives. Complexity: O((n+1) p (n+1) /n!)

427 427 On-the-fly strategy Systematically (as in the deadlock case), find two sequences v 1 and v 2 of length <=m n. Applying v 1 to P brings us to a state t that is accepting. Applying v 2 to P brings us back to t. Apply v 1 v 2 n to B. If this succeeds, there is a cycle in the intersection labeled with v 2, with t as the P (accepting) component. Complexity: O(n 2 p 2mn m). v1v1 v2v2

428 428 Learning an automaton Use Angluins algorithm for learning an automaton. The learning algorithm queries whether some strings are in the automaton B. It can also conjecture an automaton M i and asks for a counterexample. It then generates an automaton with more states M i+1 and so forth.

429 429 A strategy based on learning Start the learning algorithm. Queries are just experiments to B. For a conjectured automaton M i, check if M i P = If so, we check conformance of M i with B ([VC] algorithm). If nonempty, it contains some v 1 v 2. We test B with v 1 v 2 n. If this succeeds: error, otherwise, this is a counterexample for M i.

430 430 Complexity l - actual size of B. n - an upper bound of size of B. d - size of alphabet. Lower bound: reachability is similar to deadlock. O(l 3 d l + l 2 mn) if there is an error. O(l 3 d l + l 2 n d n-l+1 + l 2 mn) if there is no error. If n is not known, check while time allows. Probabilistic complexity: polynomial.

431 431 Some experiments Basic system written in SML (by Alex Groce, CMU). Experiment with black box using Unix I/O. Allows model-free model checking of C code with inter-process communication. Compiling tested code in SML with BBC program as one process.

432 432 Part 2: Software testing (Book: chapter 9) Testing is not about showing that there are no errors in the program. Testing cannot show that the program performs its intended goal correctly. So, what is software testing? Testing is the process of executing the program in order to find errors. A successful test is one that finds an error.

433 433 Some software testing stages Unit testing – the lowest level, testing some procedures. Integration testing – different pieces of code. System testing – testing a system as a whole. Acceptance testing – performed by the customer. Regression testing – performed after updates. Stress testing – checking the code under extreme conditions. Mutation testing – testing the quality of the test suite.

434 434 Some drawbacks of testing There are never sufficiently many test cases. Testing does not find all the errors. Testing is not trivial and requires considerable time and effort. Testing is still a largely informal task.

435 435 Black-Box (data-driven, input-output) testing The testing is not based on the structure of the program (which is unknown). In order to ensure correctness, every possible input needs to be tested - this is impossible! The goal: to maximize the number of errors found.

436 436 testing Is based on the internal structure of the program. There are several alternative criterions for checking enough paths in the program. Even checking all paths (highly impractical) does not guarantee finding all errors (e.g., missing paths!)

437 437 Some testing principles A programmer should not test his/her own program. One should test not only that the program does what it is supposed to do, but that it does not do what it is not supposed to. The goal of testing is to find errors, not to show that the program is errorless. No amount of testing can guarantee error-free program. Parts of programs where a lot of errors have already been found are a good place to look for more errors. The goal is not to humiliate the programmer!

438 438 Inspections and Walkthroughs Manual testing methods. Done by a team of people. Performed at a meeting (brainstorming). Takes minutes. Can find 30%-70% of errors.

439 439 Code Inspection Team of 3-5 people. One is the moderator. He distributes materials and records the errors. The programmer explains the program line by line. Questions are raised. The program is analyzed w.r.t. a checklist of errors.

440 440 Checklist for inspections Data declaration All variables declared? Default values understood? Arrays and strings initialized? Variables with similar names? Correct initialization? Control flow Each loop terminates? DO/END statements match? Input/output OPEN statements correct? Format specification correct? End-of-file case handled?

441 441 Walkthrough Team of 3-5 people. Moderator, as before. Secretary, records errors. Tester, play the role of a computer on some test suits on paper and board.

442 442 Selection of test cases (for white-box testing) The main problem is to select a good coverage criterion. Some options are: Cover all paths of the program. Execute every statement at least once. Each decision has a true or false value at least once. Each condition is taking each truth value at least once. Check all possible combinations of conditions in each decision.

443 443 Cover all the paths of the program Infeasible. Consider the flow diagram on the left. It corresponds to a loop. The loop body has 5 paths. If the loops executes 20 times there are 5^20 different paths! May also be unbounded!

444 444 How to cover the executions? IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END; Choose values for A,B,X. Value of X may change, depending on A,B. What do we want to cover? Paths? Statements? Conditions?

445 445 Statement coverage Execute every statement at least once By choosing A=2,B=0,X=3 each statement will be chosen. The case where the tests fail is not checked! IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END; Now x=1.5

446 446 Decision coverage (if, while checks) Each decision has a true and false outcome at least once. Can be achieved using A=3,B=0,X=3 A=2,B=1,X=1 Problem: Does not test individual conditions. E.g., when X>1 is erroneous in second decision. IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END;

447 447 Decision coverage A=3,B=0,X=3 IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END; Now x=1

448 448 Decision coverage A=2,B=1,X=1 The case where A 1 and the case where x>1 where not checked! IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2)|(X>1) THEN X=X+1; END;

449 449 Condition coverage Each condition has a true and false value at least once. For example: A=1,B=0,X=3 A=2,B=1,X=0 lets each condition be true and false once. Problem:covers only the path where the first test fails and the second succeeds. (A>1) IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END;

450 450 Condition coverage A=1,B=0,X=3 (A>1) IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END;

451 451 Condition coverage A=2,B=1,X=0 Did not check the first THEN part at all!!! Can use condition+decision coverage. (A>1) IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END;

452 452 Multiple Condition Coverage Test all combinations of all conditions in each test. A>1,B=0 A>1,B0 A 1,B=0 A 1,B0 A=2,X>1 A=2,X 1 A2,X>1 A2,X 1 IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END;

453 453 A smaller number of cases: A=2,B=0,X=4 A=2,B=1,X=1 A=1,B=0,X=2 A=1,B=1,X=1 Note the X=4 in the first case: it is due to the fact that X changes before being used! IF (A>1) & (B=0) THEN X=X/A; END; IF (A=2) | (X>1) THEN X=X+1; END; Further optimization: not all combinations. For C /\ D, check (C, D), ( C, D), (C, D). For C \/ D, check ( C, D), ( C, D), (C, D).

454 454 Preliminary:Relativizing assertions (Book: Chapter 7) (B) : x1= y1 * x2 + y2 /\ y2 >= 0 Relativize B) w.r.t. the assignment becomes B) [Y\g(X,Y)] e ( B) expressed w.r.t. variables at A.) (B) A = x1=0 * x2 + x1 /\ x1>=0 Think about two sets of variables, before={x, y, z, …} after={x,y,z…}. Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after. Here: x1=y1 * x2 + y2 /\ y2>=0 /\ x1=x1 /\ x2=x2 /\ y1=0 /\ y2=x1 now eliminate x1, x2, y1, y2. (y1,y2)=(0,x1) A B A B Y=g(X,Y)

455 455 Verification conditions: tests C) B)= t(X,Y) /\ C) D) B)= t(X,Y) /\ D) B)= D) /\ y2 x2 y2>=x2 B C D B C D t(X,Y) F T FT

456 456 How to find values for coverage? Put true at end of path. Propagate path backwards. On assignment, relativize expression. On yes edge of decision, add decision as conjunction. On no edge, add negation of decision as conjunction. Can be more specific when calculating condition with multiple condition coverage. A>1 & B=0 A=2 | X>1 X=X+1 X=X/A no yes true

457 457 How to find values for coverage? A>1 & B=0 A=2 | X>1 X=X+1 X=X/A no yes true A2 /\ X>1 (A2 /\ X/A>1) /\ (A>1 & B=0) A2 /\ X/A>1 Need to find a satisfying assignment: A=3, X=6, B=0 Can also calculate path condition forwards.

458 458 How to cover a flow chart? Cover all nodes, e.g., using search strategies: DFS, BFS. Cover all paths (usually impractical). Cover each adjacent sequence of N nodes. Probabilistic testing. Using random number generator simulation. Based on typical use. Chinese Postman: minimize edge traversal Find minimal number of times time to travel each edge using linear programming or dataflow algorithms.

459 459 Test cases based on data-flow analysis Partition the program into pieces of code with a single entry/exit point. For each piece find which variables are set/used/tested. Various covering criteria: from each set to each use/test From each set to some use/test. X:=3 z:=z+x x>y t>y

460 460 Test case design for black box testing: how to find a good test suite? Equivalence partition Boundary value analysis

461 461 Equivalence partition Goals: Find a small number of test cases. Cover as much possibilities as you can. Try to group together inputs for which the program is likely to behave the same. Specification condition Valid equivalence class Invalid equivalence class

462 462 Example: A legal variable Begins with A-Z Contains [A-Z0-9] Has 1-6 characters. Specification condition Valid equivalence class Invalid equivalence class Starting char Chars Length Starts A-ZStarts other [A-Z0-9]Has others 1-6 chars0 chars, >6 chars

463 463 Equivalence partition (cont.) Add a new test case until all valid equivalence classes have been covered. A test case can cover multiple such classes. Add a new test case until all invalid equivalence class have been covered. Each test case can cover only one such class. Specification condition Valid equivalence class Invalid equivalence class

464 464 Example AB36P (1,3,5) 1XY12 (2) A17#%X (4) Specification condition Valid equivalence class Invalid equivalence class Starting char Chars Length Starts A-ZStarts other [A-Z0-9]Has others 1-6 chars0 chars, >6 chars (6) VERYLONG (7)

465 465 Boundary value analysis In every element class, select values that are closed to the boundary. If input is within range -1.0 to +1.0, select values , -1.0, , 0.999, 1.0, If needs to read N data elements, check with N-1, N, N+1. Also, check with N=0.

466 466 For Unit Testing Write drivers, which replaces procedures calling the code. Write stubs, which replaces procedures called by the code. Tested unit Driver Stub Driver

467 467 package bucket; import java.util.*; import java.math.*; public class BugBucketSort { public static void main(String[] args) { Random r = new Random(100); r.nextInt(100); LinkedList ls = new LinkedList (); for (int j = 0; j < 10; j++) ls.push(r.nextInt(100)); System.out.println(ls); bucketSort(ls); } public static void bucketSort(LinkedList ls) { LinkedList > la = new LinkedList >(); for (int i = 0 ; i<11; i++) la.add(new HashMap ()); System.out.println("\nValues in the array: "+la.size()); for (int j = 0; j < ls.size(); j++) { la.get((int)ls.get(j)/10).put((int)ls.get(j)%10, ls.get(j)); } System.out.println("\nThe ordered array is:"); System.out.print("["); for (int i = 0; i < la.size(); i++) for (int k = 1; k < 10; k++) { if(la.get(i).containsKey(k)) System.out.print(la.get(i).get(k)+" "); } System.out.println("]"); } Bucket sort: With bugs!!

468 468 package bucket; import java.util.*; import java.math.*; public class BucketSort { public static void main(String[] args) { Random r = new Random(100); r.nextInt(100); LinkedList ls = new LinkedList (); for (int j = 0; j < 10; j++) ls.push(r.nextInt(100)); System.out.println(ls); // System.out.println((int) 17 / 5); bucketSort(ls); } public static void bucketSort(LinkedList ls) { LinkedList > la = new LinkedList >(); for (int i = 0 ; i<10; i++) la.add(new HashMap ()); System.out.println("\nValues in the array: "+la.size()); for (int j = 0; j < ls.size(); j++) { la.get((int)ls.get(j)/10).put((int)ls.get(j)%10, ls.get(j)); } System.out.println("\nThe ordered array is:"); System.out.print("["); for (int i = 0; i < la.size(); i++) for (int k = 0; k < 10; k++) { if(la.get(i).containsKey(k)) System.out.print(la.get(i).get(k)+" "); } System.out.println("]"); }} Bucket sort: Without bugs!!

469 469 class MergeSortAlgorithm { public static int [] mergeSort(int array[]) { int loop; int rightIndex = 0; int [] leftArr = new int[array.length / 2]; int [] rightArr = new int[(array.length - array.length) / 2]; if (array.length <= 1) return array; for (loop = 0 ; loop < leftArr.length ; ++loop) leftArr[loop] = array[loop]; for (; rightIndex < rightArr.length ; ++loop) rightArr[rightIndex++] = array[loop]; mergeSort(leftArr); rightArr = mergeSort(rightArr); array = merge(leftArr,rightArr); return array; } public static int [] merge(int [] leftArr, int [] rightArr) { int [] newArray = new int[leftArr.length + rightArr.length]; int leftIndex = 0; int rightIndex = 0; int newArrayIndex = 0; while (leftIndex < leftArr.length && rightIndex < rightArr.length) { if (leftArr[leftIndex] < rightArr[rightIndex]) newArray[newArrayIndex] = leftArr[leftIndex++]; newArray[newArrayIndex] = rightArr[rightIndex++];} while (rightIndex < rightArr.length) newArray[newArrayIndex++] = rightArr[rightIndex++]; while (leftIndex < leftArr.length) newArray[newArrayIndex++] = leftArr[leftIndex++]; return newArray;} public static void print(int [] arr, String caller) { int loop; for (loop = 0 ; loop < arr.length ; ++loop) System.out.println("caller " + caller + " : " + arr[loop]);} public static void main(String [] args) { int []originalArray = {1,5,4,3,7}; print(originalArray,"before"); originalArray = mergeSort(originalArray); print(originalArray,"after"); }}

470 470 class MergeSortAlgorithm { public static int [] mergeSort(int array[]) { int loop; int rightIndex = 0; int [] leftArr = new int[array.length / 2]; int [] rightArr = new int[(array.length - array.length) / 2]; // BUG if (array.length <= 1) return array; for (loop = 0 ; loop < leftArr.length ; ++loop) leftArr[loop] = array[loop]; for (; rightIndex < rightArr.length ; ++loop) rightArr[rightIndex++] = array[loop]; mergeSort(leftArr); // BUG rightArr = mergeSort(rightArr); array = merge(leftArr,rightArr); return array; } public static int [] merge(int [] leftArr, int [] rightArr) { int [] newArray = new int[leftArr.length + rightArr.length]; int leftIndex = 0; int rightIndex = 0; int newArrayIndex = 0; while (leftIndex < leftArr.length && rightIndex < rightArr.length) { if (leftArr[leftIndex] < rightArr[rightIndex]) newArray[newArrayIndex] = leftArr[leftIndex++]; newArray[newArrayIndex] = rightArr[rightIndex++]; // TWO BUGS} while (rightIndex < rightArr.length) newArray[newArrayIndex++] = rightArr[rightIndex++]; while (leftIndex < leftArr.length) newArray[newArrayIndex++] = leftArr[leftIndex++]; return newArray;} public static void print(int [] arr, String caller) { int loop; for (loop = 0 ; loop < arr.length ; ++loop) System.out.println("caller " + caller + " : " + arr[loop]);} public static void main(String [] args) { int []originalArray = {1,5,4,3,7}; print(originalArray,"before"); originalArray = mergeSort(originalArray); print(originalArray,"after"); }}

471 471 Test case generation based on LTL specification Compiler Model Checker Path condition calculation First order instantiator Test monitoring Transitions Path Flow chart LTL Aut

472 472 Goals Verification of software. Compositional verification. Only a unit of code. Parametrized verification. Generating test cases. A path found with some truth assignment satisfying the path condition. In deterministic code, this assignment guarantees to derive the execution of the path. In nondeterministic code, this is one of the possibilities. Can transform the code to force replying the path.

473 473 Divide and Conquer property automaton flow chart Intersect property automaton with the flow chart, regardless of the statements and program variables expressions. Add assertions from the property automaton to further restrict the path condition. Calculate path conditions for sequences found in the intersection. Calculate path conditions on-the-fly. Backtrack when condition is false. Thus, advantage to forward calculation of path conditions (incrementally).

474 474 Spec: ¬at l 2 U (at l 2 /\ ¬at l 2 /\(¬at l 2 U at l 2 )) ¬ at l 2 at l 2 ¬ at l 2 at l 2 l 2 :x:=x+z l 3 :x

475 475 Spec: ¬at l 2 U (at l 2 /\ x y /\ (¬at l 2 /\(¬at l 2 U at l 2 /\ x 2 y ))) ¬ at l 2 at l 2 /\ x y ¬ at l 2 at l 2 /\ x 2 y l 2 :x:=x+z l 3 :x

476 476 Example: GCD l 1 :x:=a l 5 :y:=z l 4 :x:=y l 3 :z:=x rem y l 2 :y:=b l 6 :z=0? yesno l0l0 l7l7

477 477 Example: GCD l 1 :x:=a l 5 :x:=y l 4 :y:=z l 3 :z:=x rem y l 2 :y:=b l 6 :z=0? yesno Oops … with an error (l4 and l5 were switched). l0l0 l7l7

478 478 Why use Temporal specification Temporal specification for sequential software? Deadlock? Liveness? – No! intuition Captures the testers intuition about the location of an error: I think a problem may occur when the program runs through the main while loop twice, then the if condition holds, while t>17.

479 479 Example: GCD l 1 :x:=a l 5 :x:=y l 4 :y:=z l 3 :z:=x rem y l 2 :y:=b l 6 :z=0? yesno l0l0 l7l7 a>0/\b>0/\at l 0 /\ at l 7 at l 0 /\ a>0/\ b>0 at l 7

480 480 Example: GCD l 1 :x:=a l 5 :x:=y l 4 :y:=z l 3 :z:=x rem y l 2 :y:=b l 6 :z=0? yesno l0l0 l7l7 a>0/\b>0/\at l 0 /\ at l 7 Path 1: l 0 l 1 l 2 l 3 l 4 l 5 l 6 l 7 a>0/\b>0/\a rem b=0 Path 2: l 0 l 1 l 2 l 3 l 4 l 5 l 6 l 3 l 4 l 5 l 6 l 7 a>0/\b>0/\a rem b 0

481 481 Potential explosion Bad point: potential explosion Good point: may be chopped on-the-fly

482 482

483 483

484 484

485 485

486 486

487 487

488 488

489 489

490 490

491 491

492 492

493 493

494 494

495 495

496 496 Drivers and Stubs Driver: represents the program or procedure that called our checked unit. Stub: represents a procedure called by our checked unit. In our approach: replace both of them with a formula representing the effect the missing code has on the program variables. Integrate the driver and stub specification into the calculation of the path condition. l 1 :x:=a l 5 :x:=y l 4 :y:=z l 3 :z =x rem y /\x =x/\y =x l 2 :y:=b l 6 :z=0? yesno l0l0 l7l7

497 497 Process Algebra (Book: Chapter 8)

498 498 The Main Issue Q: When are two models equivalent? A: When they satisfy different properties. Q: Does this mean that the models have different executions?

499 499 What is process algebra? An abstract description for nondeterministic and concurrent systems. Focuses on the transitions observed rather than on the states reached. Main correctness criterion: conformance between two models. Uses: system refinement, model checking, testing.

500 500 Different models may have the same set of executions! a aa b bc c a-insert coin, b-press pepsi, c-press pepsi-light d-obtain pepsi, e-obtain pepsi-light d d ee

501 501 Actions: Act={a,b,c,d} { }. Agents: E, E, F, F1, F2, G1, G2, … E E G2G2 G1G1 F1F1 F2F2 F a aa b bc c Agent E may evolve into agent E. Agent F may evolve into F 1 or F 2. d d ee

502 502 Events. E E G2G2 G1G1 F1F1 F2F2 F a aa b bc c Ea E, Fa F 1, Fa F 2, F1a G 1, F 2a G 2. G 1 F, G 1 F.

503 503 Actions and co-actions For each action a, except for, there is a co- action a. a and a interact (a input, a output). The coaction of a is a. G2G2 G1G1 F1F1 F2F2 F aa bc E E a bc

504 504 Notation a.E – execute a, then continue according to E. E+F – execute according to E or to F. E||F – execute E and F in parallel. E GH F a bc a.(b+c) (actually, a.((b.0)+(c.0)) Ea F Fb G Fc H 0 – deadlock/termination.

505 505 Conventions. has higher priority than +..0 or.(0||0||…||0) is omitted.

506 506 CCS - calculus of concurrent systems [Milner]. Syntax a,b,c, … actions, A, B, C - agents. a,b,c, coactions of a,b,c. -silent action. nil - terminate. a.E - execute a, then behave like E. + - nondeterministic choice. || - parallel composition. \L - restriction: cannot use letters of L. [f] - apply mapping function f between between letters.

507 507 Semantics (proof rule and axioms). Structural Operational Semantics SOS a.p –a p pa p |-- p+q –a p qa q |-- p+q –a q pa p |-- p|q –a p|q qa q |-- p|q –a p|q pa p, qa q |-- p|q – p|q pa p, a R |-- p\L –a p\R pa p |-- p[m]m(a) p[m]

508 508 Action Prefixing a.Ea E (Axiom) Thus, a.(b.(c||c)+d)a (b.(c||c)+d).

509 509 Choice Ea E Fa F (E+F)a E (E+F)a F b.(c||c)b (c||c). Thus, (b.(c||c)+e)b (c||c). If Ea E and Fa F, then E+F has a nondeterministic choice.

510 510 Concurrent Composition Ea E Fa F E||Fa E||F Ea E, Fa F E||F E||F cc 0, cc 0, c||c 0||0, c||cc 0||c, c||cc c||0.

511 511 Restriction Ea E, a, a R E\R –a E\R In this case: allows only internal interaction of c. c||c 0||0 c||cc 0||c c||cc c||0 (c||c) \ {c} (0||0) \{c}

512