Algorithmic Software Verification II. Modeling using FSA

Finite state machines FSM = ( , X, {D x } {x  X}, Q, Q_in,, δ )  finite set of actions X finite set of variables D x domain of x, for each x in X Q finite set of states Q_in  Q set of initial states For each q  Q, (q) is a function that maps each x in X to an element in D x δ  Q x  x Q transition relation

Extended Finite state machines EFSM = ( , X, {D x } {x  X}, L, L_in, G_in, δ )  finite set of actions X finite set of variables D x domain of x, for each x in X L finite set of control locations L_in  Q set of initial locations; G_in predicate over X  transition relation: l -- a, g(X), A(X)  l’ where a is in . g(X) – guard A(X) – assgn

Kripke structure FSM where D x = { T, F }. Each state is hence of the form (l, v), where v: X  {T, F}

Reachability in FSMs is in O(n) Given FSM M, a target set T, call DFS(q_in) DFS ( q ) Add q to Set_of_Visited_States; for each q’ such that q –a  q’ do if q’ is in T, print “Target found” ; halt. else if q’ is not in Set_of_Visited_States DFS(q’)

Model checking FSMs Given FSM M and specification FSM S, Is every behaviour of M a behaviour of S? L(M)  L(S) Solvable in Pspace / Linear in M and exponential in S.

Product FSMs M 1 = (  1, X 1, {D x } {x  X1}, Q 1, Q_in 1, δ 1 ) M 2 = (  2, X 2, {D x } {x  X2}, Q 2, Q_in 2, δ 2 ) where X 1 and X 2 are disjoint M = M 1 x M 2 (  1   2, X 1  X 2, {D x } {x  X1}  {D x } {x  X2}, Q 1 x Q 2, Q_in 1 x Q_in 2, δ) (q1, q2 ) --a  (q1’, q2’) iff q1 –a  q1’ and q2 –a  q2’ a   1   2 q1 –a  q1’ and q2=q2’ a   1 q2 –a  q2’ and q2=q2’ a   2

Homework I 3 cannibals and 3 missionaries are on the left side of a river. There is 1 boat that can carry two people. (The boat of course needs to be ferried by at least one person). If at any point, there are more cannibals than missionaries on one bank, the cannibals eat the missionaries. 1. Model all the possibilities of movement between the banks using an EFSM. The EFSM should have at least two locations, one for the configurations where the boat is on the left bank, and one for configurations where it is on the right. Also, model it such that checking whether all of them can get safely across to the right side reduces to reachability in the model.

Homework I 2.Model the same situation now using component machines… one for each cannibal, one for each missionary, and one for the boat. Aim for a clean model that is simple and scalable (i.e. easily changeable if one wants more missionaries/cannibals). (Forget solving the puzzle using reachability).