Presentation is loading. Please wait.

Presentation is loading. Please wait.

6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.

Published byJohn Townsend Modified over 8 years ago

Similar presentations

Presentation on theme: "6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development."— Presentation transcript:

1 6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development

2 6/12/2016 2 Specification, verification and logics A framework for modelling systems A specification language for describing properties to be verified A verification method to ascertain whether the description of the system satisfies the properties [H-R ch.3]

3 6/12/2016 3 Possibilities Proof-based Degree of automation Full A priori Model based One property A posteriori

4 6/12/2016 4 Model Checking automatic Based on a builded model Verifying satisfiability of properties A posteriori provides a counterexample Concurrent systems Reactive systems Temporal aspects

5 6/12/2016 5 Γ |-- φ Γ |= φ M |= φ We are dealing with

6 6/12/2016 6 Γ |-- φ Γ |= φ M |= φ We are dealing with

7 6/12/2016 7 Γ |-- φ Γ |= φ M |= φ We are dealing with

8 6/12/2016 8 Temporal logic Let us want to express the following properties If a file is requested to be printed, eventually it will be printed After an amount a of time, x will begin to work  x ((file(x)  requested(x))  y (y≥a  print(x,y))  y (y≥a  works(x)) The constant a as well as the variable y, of type “time”

9 6/12/2016 9 One could use typed variables and first order logic making a distinction between temporal and dominion references Or one can use modal operators Temporal logic  x ((file(x)  requested(x))  F print(x)) G works(x)) F means eventually G means always

10 6/12/2016 10 Some hypotheses on temporal structure Discrete/ Continuous Linear / Branching

11 6/12/2016 11 Linear time temporal logic: LTL (syntax)  ::=T |  | p | (  ) | (  ) | (  ) | (  ) | (X  ) | (F  ) | (G  ) | (X  ) | (  U  ) | (  W  ) F “eventually” G “always” X “next step” U “until” W “until possibly”

12 6/12/2016 12 LTL: semantics Operators not connectives

13 6/12/2016 13 LTL: semantics Satisfiability: We are dealing with a path intended as an infinite series of states M, s |=  if the path starting from s satisfys  States or paths? States are starting points of paths suffixes of paths are still paths

14 6/12/2016 14 Semantics  |=   O-----O-----O-----O-----O ,  ’  …

15 6/12/2016 15 Semantics of G and F Semantics of G:  |= G p Semantics of F:  |= F p  O-----O-----O-----O-----O p p p p p  O-----O-----O-----O-----O p

16 6/12/2016 16 Semantics a modal formula can be true or false in a path in this trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … p ∨ ¬q true: is true in the first state of the trace X¬q true, because q is false in the second state XXq false, because q is false in the third state Gp true, because p is true in all states Gq false, because q is not true in all states (it is true only in some states )

17 6/12/2016 17 Semantics in the same trace: O-----O-----O-----O-----O------….. pq p¬q p¬q pq pq … GFq true: for all states of the sequence, there is some future point where q is true pU¬q true: p is true until ¬q becomes true; (in the first state p is true, then ¬q becomes true) X(pU¬q) false: in the next state, q is false but p not (yet) true qUXXq true: in the first state q is true, in the second state XXq is true (because y is true two states later) G(pUXXq) not straightforward to check: all states have to be checked for qUXXq in turn, check XXq in all states

18 6/12/2016 18 Semantics of X and U Semantics of X:  |= X p Semantics of U:  |= p U q  1 |= p1 |= p  j |= p j |= p  i |= q i |= q 

19 LTL: equivalences

20 6/12/2016 20 LTL: what does hold (exercises) G (  )  (G  G  ) G   F  G  X  X  F  G  F  X(  ) ≅ X  X 

21 6/12/2016 21 LTL: reductions (transitivity on paths) G   GG  while GG   G  is always valid

22 6/12/2016 22 LTL An internal induction rule w.r.t. time   X  G(   X  ) (   G  )

23 6/12/2016 23 LTL: definability F  ≅ T U  “eventually” G  ≅  W  “always”  U  ≅ (  W  )  (F  ) “until”  W  ≅ (  U  )  (G  ) “until possibly”

24 6/12/2016 24 LTL “ next ” operator

25 6/12/2016 25 LTL: what is expressible

26 6/12/2016 26 LTL: what is expressible

27 LTL: what is not expressible 6/12/2016 27

28 6/12/2016 28 LTL Characterising linear time ,    G ((  G  )  (G  ))  (G  G  ) Lefthand holds, righthand does not

29 6/12/2016 29 Linear time and Branching time Linear : only one possible future in a moment –Look at individual computations Branching: may split to different courses depending on possible futures –Look at the tree of computations s0 s1 s3 s0 s2 s0 s1... s0s2s3s1... s0 s1s0... s0 s1... s0 s2 s3 s1

30 6/12/2016 30 Semantics: transition systems LTS: Automata without terminal states Kripke structures  S  S Abstract models: states and transitions

31 6/12/2016 31 Computation Trees: labelled TS State transition structure (Kripke Model) Infinite computation tree for initial state s 1 a b a ac s1s1 s3s3 s1s1 s2s2 a b

32 6/12/2016 32 Operators and Quantifiers State operators –G a :a holds globally –F a :a holds eventually –X a :a holds at the next state –a U b:a holds until b holds –a W b:a holds until b possibly holds –Path quantifiers –E: along at least one path (there exists …) –A:along all paths (for all …)

33 6/12/2016 33 CTL Temporal operators must be immediately preceded by a path quantifier

34 6/12/2016 34 Typical CTL Formulas E F ( start  ¬ ready ) –eventually a state is reached where start holds and ready does not hold A G ( req  A F ack ) –any time request occurs, it will be eventually acknowledged A G ( E F restart ) –from any state it is possible to get to the restart state

35 6/12/2016 35 CTL semantics E X (f) –true in state s if f is true in some successor of s (there exists a next state of s for which f holds) A X (f) –true in state s if f is true for all successors of s (for all next states of s f is true) E G (f) – true in s if f holds in every state along some path emanating from s (there exists a path ….) A G (f) –true in s if f holds in every state along all paths emanating from s (for all paths ….globally )

36 6/12/2016 36 Basic CTL Formulas - cont ’d E F (g) –there exists a path which eventually contains a state in which g is true A F (g) –for all paths, eventually there is state in which g holds E F, A F are special case of E [f U g], A [f U g] –E F (g) = E [ true U g ], A F (g) = A [ true U g ] f U g (f until g) –true if there is a state in the path where g holds, and at every previous state f holds

37 6/12/2016 37 CTL Operators - examples s o |= E F g g soso soso g g g s o |= A F g s o |= E G g gsoso g g s o |= A G g soso g g g g gg

38 6/12/2016 38 Minimal set of CTL Formulas Full set of operators –Boolean: ¬, , , ,  –temporal:E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula –Boolean:¬,  –temporal:E, X, U Examples: f  g = ¬(¬f  ¬g), F f = true U f, A (f ) = ¬E(¬f )

Download ppt "6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Similar presentations

Ads by Google