Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods in software development

Published byYanti Irawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Formal Methods in software development"— Presentation transcript:

1 Formal Methods in software development
a.a.2016/2017 Prof.Anna Labella 4/4/2019

2 From automata to reactive systems
They are supposed to go on forever as Communication protocols Operative systems Command and control devices 4/4/2019

3 Non determinism vs determinism Synchronous vs asynchronous
Their features Communication Observability Non determinism vs determinism Synchronous vs asynchronous 4/4/2019

4 Example: a recorder off memory tape play dn up ={up, dn}
S={off, tape, memory, play} ={(off,dn,tape), (tape,up,off), (tape,dn,memory), (memory,up,off), (memory,dn,play), (play,dn,tape), (play,up,off)} S0={off} 4/4/2019

5 Parallel transition systems
Parallel transition system T=(T1,…,Tn) each Ti is a transition system SiSj= interleaving semantics on its private alphabet, each Ti can make an independent move synchronization is via common events example: power switch and camcorder mode 4/4/2019

6 Example T=(switch, camera) {pwr_fail, pwr_res} are private to camera
but_hi but_lo dn up off on dn, pwr_res up, pwr_fail memory tape play switch camera T=(switch, camera) {pwr_fail, pwr_res} are private to camera synchronization alphabet {up,dn} how big is the state space? 4/4/2019

7 The global transition system T associated
with a parallel transition system (T1,…,Tn) is defined as T=(, S, , S0), where = i S= S1 … Sn S0 = S1,0 … Sn,0, and ((s1,…,sn),a,(s1‘,…,sn‘)) iff for all Ti if ai, then ((s i),a,(s i‘))i, and if ai, then s i=s i‘. If a is the result of a synchronisation of ((s i),ai,(s i‘))i and ((sji),aj,(s j‘))j, then then s k=s k‘ for all k≠i,j 4/4/2019

8 Labeled transition systems
TS=(,S, , S0), where  a non empty finite alphabet S a non empty finite set of states  S    S is a transition relation, S0 S is the set of initial states Similar to a nondeterministic finite state automaton, with possibly more than one initial state, but without terminal states Similar to a labeled Kripke model as we have seen in temporal logic 4/4/2019

9 A state is identified through the possibilities it offers to go on
A transition system generates (finite or infinite) words w0w1w2... iff there are states s0s1s2s3... s.t. s0  S0 and (si,wi,si+1)   A state is identified through the possibilities it offers to go on termination and deadlock 4/4/2019

10 Process Equivalences Sameness of behaviour = equivalence of states
Many process equivalences have been proposed For instance: q1 ~ q2 iff q1 and q2 have the same paths, or q1 and q2 may always refuse the same interactions, or q1 and q2 pass the same tests, or q1 and q2 satisfy the same temporal formulas, or q1 and q2 have identical branching structure CCS: Focus on bisimulation equivalence 4/4/2019

11 Finite State Automata Coffee machine A1: Coffee machine A2:
1€ Coffee machine A1: Coffee machine A2: Are the two machines ”the same”? 1€ tea coffee 1€ 1€ 1€ tea coffee 4/4/2019

12 Bisimulation Equivalence
Intuition: q1 ~ q2 iff q1 and q2 have same branching structure Idea: Find relation which will relate two states with the same transition structure, and make sure the relation is preserved Example: q1 q2 a a a c b b c b c 4/4/2019

13 Strong Bisimulation Equivalence
Given: Labelled transition system T = (Q,,R) Looking for a relation S  Q  Q on states S is a strong bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are strongly bisimilar iff q1 S q2 for some strong bisimulation relation S q1  q2: q1 and q2 are strongly bisimilar 4/4/2019

14 Exercise Does q0 ~ p0 hold? q1 p0 a b a a q0 p1 a b b a q2 p2 a a
4/4/2019

15 Exercise Does q0 ~ p0 hold? q0 p0 a a a q1 q2 p1 b c b c q3 q4 p2 p3
4/4/2019

16 Weak Transitions What to do about internal activity?
: Transition label for activity which is not externally visible q  q’ iff q = q0  q1  ...  qn = q’, n  0 q  q’ iff q  q’ q  q’ iff q  q1  q2  q’ (  ) Beware that  =  (non-standard notation) Observational equivalence, v.1.0: Bisimulation equivalence with  in place of  Let q1  q2 iff q1 ~ q2 with  in place of  4/4/2019

17 Observational Equivalence
Let S  Q  Q. The relation S is a weak bisimulation relation if whenever q1 S q2 then: q1  q1’ implies q2  q2’ for some q2’ such that q1’ S q2’ q2  q2’ implies q1  q1’ for some q1’ such that q1’ S q2’ q1 and q2 are observationally equivalent, or weakly bisimulation equivalent, if q1 S q2 for some weak bisimulation relation S q1  q2: q1 and q2 are observationally equivalent/weakly bisimilar 4/4/2019

18 Exercises a a a a a c a b a b a c c 4/4/2019

19 Exercises b b a a b All three are inequivalent a 4/4/2019

20 Bisimulations Strong Weak Branching 4/4/2019

21 Bisimulations Strong If a process/state can do a move,
then the other one can do the same and viceversa. a a a b b c b c b c 4/4/2019

22 Bisimulations weak A process can go through (non equivalent,
non consecutive) states with invisible moves Trying to simulate the other one. a a a c b c b b 4/4/2019

23 Bisimulations branching A process can go through different
(equivalent) states with invisible moves while the other does not move, but has the same possibilities. a a b b a b c b c 4/4/2019

24 Proving Equivalences The bisimulation proof method:
To establish P  Q: Identify a relation S such that P S Q Prove that S is a weak bisimulation relation This is the canonical method There are other methods for process verification: Equational reasoning Temporal logic specification/proof/model checking 4/4/2019

25 Bisimilarity as a maximal fixed point
Let us take Q  Q to start with, then calculate F(Q  Q) ={ (q1,q2) | q1  q1’ implies q2  q2’ and viceversa}. By iterating the procedure, we obtain a decreasing chain …F4(Q  Q)  F3(Q  Q)  F2(Q  Q)  F(Q  Q) We can apply Tarski’s theorem and obtain a maximal fixed point S  Q  Q. The relation S is a strong bisimulation. The same holds for weak bisimulation relation defining F(Q  Q) ={ (q1,q2) | q1  q1’ implies q2  q2’ and viceversa} 4/4/2019

26 4/4/2019

27 4/4/2019

28 4/4/2019

Download ppt "Formal Methods in software development"

Similar presentations

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
4/25/20151 Metodi formali nello sviluppo software a.a.2013/2014 Prof.Anna Labella.

4/25/20151 Metodi formali nello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Behavioral Equivalence Hossein Hojjat Formal Lab University of Tehran.

Behavioral Equivalence Hossein Hojjat Formal Lab University of Tehran.
29.4.2008 Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.
Courtesy Costas Busch - RPI1 Non Deterministic Automata.

Courtesy Costas Busch - RPI1 Non Deterministic Automata.
Conformance Simulation Relation ( ) Let and be two automata over the same alphabet simulates () if there exists a simulation relation such that Note that.

Conformance Simulation Relation ( ) Let and be two automata over the same alphabet simulates () if there exists a simulation relation such that Note that.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.

Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Nondeterminism.

CSC 3130: Automata theory and formal languages Andrej Bogdanov The Chinese University of Hong Kong Nondeterminism.
ESE601: Hybrid Systems Introduction to verification Spring 2006.

ESE601: Hybrid Systems Introduction to verification Spring 2006.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
*Department of Computing Science University of Newcastle upon Tyne **Institut für Informatik, Universität Augsburg Canonical Prefixes of Petri Net Unfoldings.

*Department of Computing Science University of Newcastle upon Tyne **Institut für Informatik, Universität Augsburg Canonical Prefixes of Petri Net Unfoldings.
REGULAR LANGUAGES.

REGULAR LANGUAGES.
SDS Foil no 1 Process Algebra Process Algebra – calculating with behaviours.

SDS Foil no 1 Process Algebra Process Algebra – calculating with behaviours.
Pushdown Automata (PDAs)

Pushdown Automata (PDAs)
Reactive systems – general

Reactive systems – general
2G1516 Formal Methods2005 Mads Dam IMIT, KTH 1 CCS: Operational Semantics And Process Algebra Mads Dam Reading: Peled 8.3, 8.4, 8.6 – rest of ch. 8.

2G1516 Formal Methods2005 Mads Dam IMIT, KTH 1 CCS: Operational Semantics And Process Algebra Mads Dam Reading: Peled 8.3, 8.4, 8.6 – rest of ch. 8.

Similar presentations

Ads by Google