Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright 2001-2004, Matt Dwyer, John Hatcliff,

Published byPamela Farmer Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright 2001-2004, Matt Dwyer, John Hatcliff,"— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright 2001-2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 CIS 842: Spec Basics and Observables 2 Objectives To understand the goals and basic approach to specifying sequencing properties To understand the different classes of sequencing properties and the algorithmic techniques that can be used to check them

3 CIS 842: Spec Basics and Observables 3 Outline What is a sequencing specification? What kinds of sequencing specifications are commonly used? Safety properties Liveness properties In depth on safety properties How to specify them Examples How to check them

4 CIS 842: Spec Basics and Observables 4 What is a Sequencing Specification? We’ve seen specifications that are about individual program states e.g., assertions, invariants Sometimes we want to reason about the relationship between multiple states Must one state always precede another? Does seeing one state preclude the possibility of subsequently seeing another? We need to shift our thinking from states to paths in the state space

5 CIS 842: Spec Basics and Observables 5 Paths (Traces) Recall that the system’s executions can be viewed as a tree. We want to determine the set of paths in that tree that match a given pattern.

6 CIS 842: Spec Basics and Observables 6 Paths (Traces) Consider the pattern: a 1.* is followed by a *.1

7 CIS 842: Spec Basics and Observables 7 Paths (Traces) Here are all the states that immediately follow a 1.*

8 CIS 842: Spec Basics and Observables 8 Paths (Traces) Here are all the states that immediately follow a *.1

9 CIS 842: Spec Basics and Observables 9 Paths (Traces) Here are both 1.* and *.1 successor states (with black indicating both)

10 CIS 842: Spec Basics and Observables 10 Paths (Traces) Do all paths conform to the pattern: a 1.* is followed by a *.1

11 CIS 842: Spec Basics and Observables 11 Paths (Traces) Some paths obviously match the pattern

12 CIS 842: Spec Basics and Observables 12 Paths (Traces) For others it is more interesting can the 1.* follow a *.1? what if the 1.* and *.1 coincide?

13 CIS 842: Spec Basics and Observables 13 Paths (Traces) For still others we can’t tell yet will we ever see a 1.*? if not, then does the property hold?

14 CIS 842: Spec Basics and Observables 14 Paths (Traces) For still others we can’t tell yet will we ever see a subsequent *.1?

15 CIS 842: Spec Basics and Observables 15 We need … A language for describing sequencing patterns There are many such languages with different strengths and weaknesses An algorithm for exhaustively considering whether all paths match the pattern Currently we’ve only seen the exhaustive consideration of individual states

16 CIS 842: Spec Basics and Observables 16 A classic distinction … Safety properties “nothing bad ever happens” are violated by a finite path prefix that ends in a bad thing are fundamentally about the history of a computation up to a point Liveness properties “something good eventually happens” are violated by infinite path suffixes on which the good thing never happens are fundamentally about the future of a computation from a point onward

17 CIS 842: Spec Basics and Observables 17 Examples A use of a variable must be preceded by a definition When a file is opened it must subsequently be closed You cannot shift from drive to reverse without passing through neutral No pair of adjacent dining philosophers can be eating at the same time The program will eventually terminate The program is free of deadlock

18 CIS 842: Spec Basics and Observables 18 Examples A use of a variable must be preceded by a definition -- Safety When a file is opened it must subsequently be closed -- Liveness You cannot shift from drive to reverse without passing through neutral -- Safety No pair of adjacent dining philosophers can be eating at the same time -- Safety The program will eventually terminate -- Liveness The program is free of deadlock -- Safety

19 CIS 842: Spec Basics and Observables 19 For You To Do Think of three more properties Classify them as safety or liveness How many observations are being made in the properties Try to think of at least one positive property i.e., saying what the system can do … and one negative property i.e., saying what the system cannot do Is an invariant a safety or liveness property?

20 CIS 842: Spec Basics and Observables 20 Expressing Safety Properties Let’s simplify things to start with … We can observe the location of a BIR-lite thread, e.g., thread MAIN() { loc open: live {} do { … } goto run; loc run: live {} Name observables as a pair e.g, MAIN:open, MAIN:run Such an observable is true when the named thread enters the named location

21 CIS 842: Spec Basics and Observables 21 Regular Expressions Regular expressions can be used to specify safety properties Symbols are observables – MAIN:open Basic Operators Concatenation – e ; e Disjunction – e | e Closure – e* Grouping – (e)

22 CIS 842: Spec Basics and Observables 22 Regular Expressions Some Useful Derived Operators Option – e? Positive closure – e+ Finite closure – e^k Any symbol –. Symbol sets – [e, f, …] Symbol exclusion – [- e, f, …]

23 CIS 842: Spec Basics and Observables 23 Example thread MAIN() { loc open: live {} do { // open } goto run; loc run: live {} do { // run, call close } goto close; loc close: live {} do { // close } goto open; }

24 CIS 842: Spec Basics and Observables 24 A property Opens and closes happen in matching pairs Positive specification (MAIN:open; MAIN:close)* Negative specification (i.e., violation) MAIN:close;.* |.*; Main:open; Main:open;.* |.*; Main:close; Main:close;.*

25 CIS 842: Spec Basics and Observables 25 Example system TwoDiningPhilosophers { boolean fork1; boolean fork2; thread Philosopher1() { loc pickup1: live {} when !fork1 do { fork1 := true; } goto pickup2; loc pickup2: live {} when !fork2 do { fork2 := true; } goto eating; loc eating: live {} do {} goto drop2; loc drop2: live {} do { fork2 := false; } goto drop1; loc drop1: live {} do { fork1 := false; } goto pickup1; } thread Philosopher2() {…} }

26 CIS 842: Spec Basics and Observables 26 A property Whenever philosopher 1 is eating, philosopher 2 cannot eat, until philosopher 1 drops his first fork Positive specification [- P1:eating]*; (P1:eating; [- P2:eating]*; P1:drop1)* Negative specification (i.e., violation).*; P1:eating; [- P1:drop1]; P2.eating;.*

27 CIS 842: Spec Basics and Observables 27 For You To Do Make up an alphabet and specify the following properties as regular expressions A use of a variable must be preceded by a definition You cannot shift from drive to reverse without passing through neutral Give positive and negative formulations

28 CIS 842: Spec Basics and Observables 28 Checking Safety Properties Think of it as a language problem Program generates a language of strings over observables (each path generates a string) – L(P) Property generates a (regular) language – L(S) Test the languages against each other Language containment – L(P) L(S) Non-empty language intersection -- L(P) L(S) Interchangeable due to complementation of finite- state automata

29 CIS 842: Spec Basics and Observables 29 Checking Safety Properties Two basic approaches Both require a deterministic finite-state automaton for the violation of the property Easy to get via complementation and standard RE->DFA algorithms Instrument the program with property Check reachability in the product of the program and property

30 CIS 842: Spec Basics and Observables 30 Instrumentation Assertions instrument the program They are inserted at specific points They perform tests of program state They render an immediate verdict that is determined completely locally The same approach can be applied for safety properties Instrumentation determines a partial verdict Need a mechanism for communicating between different parts of the instrumentation

31 CIS 842: Spec Basics and Observables 31 Example boolean fork1, fork2; thread Philosopher1() { loc pickup1: live {} when !fork1 do { fork1 := true; } goto pickup2; loc pickup2: live {} when !fork2 do { fork2 := true; } goto eating; loc eating: live {} do {} goto drop2; loc drop2: live {} do { fork2 := false; } goto drop1; loc drop1: live {} do { fork1 := false; } goto pickup1; } Consider the property: a philosopher must pickup a fork before dropping it e.g., [- P1.pickup1]*; P1:drop1;.*

32 CIS 842: Spec Basics and Observables 32 Example boolean fork1, fork2; thread Philosopher1() { loc pickup1: live {} when !fork1 do { // record that a pickup of 1 happened fork1 := true; } goto pickup2; loc pickup2: live {} when !fork2 do { fork2 := true; } goto eating; loc eating: live {} do {} goto drop2; loc drop2: live {} do { fork2 := false; } goto drop1; loc drop1: live {} do { // check that a pickup of 1 happened fork1 := false; } goto pickup1; }

33 CIS 842: Spec Basics and Observables 33 Example boolean fork1, fork2, sawpickup; thread Philosopher1() { loc pickup1: live {} when !fork1 do { sawpickup := true; fork1 := true; } goto pickup2; loc pickup2: live {} when !fork2 do { fork2 := true; } goto eating; loc eating: live {} do {} goto drop2; loc drop2: live {} do { fork2 := false; } goto drop1; loc drop1: live {} do { assert(sawpickup); fork1 := false; } goto pickup1; } Does this capture the correctness property?

34 CIS 842: Spec Basics and Observables 34 Instrumentation Approach Works well when you only want to check conditions at specific points What if you want to exclude some action from a region of program execution? [- P1:eating]*; (P1:eating; [- P2:eating]*; P1:drop1)* Need to use invariants

35 CIS 842: Spec Basics and Observables 35 Example boolean fork1, fork2, p1eating; thread Philosopher1() { loc pickup1: live {} when !fork1 do { fork1 := true; } goto pickup2; loc pickup2: live {} when !fork2 do { fork2 := true; } goto eating; loc eating: live {} do { p1eating := true; } goto drop2; loc drop2: live {} do { fork2 := false; } goto drop1; loc drop1: live {} do { fork1 := false; p1eating := false; } goto pickup1; } Same instrumentation for Philosopher2 Check invariant: p1eating -> !p2eating

36 CIS 842: Spec Basics and Observables 36 Instrumentation Approach No change to the checking algorithm! Safety checking has been compiled to assertion checking Additional property state variables increase cost Instrumenting programs is Laborious – must identify all points that are related to the property (may be conditional on data) Error prone – lack of instrumentation at a state change (false error), lack of instrumentation at a state check (missed error) Property specific – must be done for each property Automate it!!

37 CIS 842: Spec Basics and Observables 37 For You To Do Pick your favorite BIR-lite program Develop two safety properties for it Instrument the program with those properties Check them with Bogor

38 CIS 842: Spec Basics and Observables 38 Product Reachability Next time

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright 2001-2004, Matt Dwyer, John Hatcliff,"

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Model Checking and Testing combined

Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Chapter Three: Closure Properties for Regular Languages

Chapter Three: Closure Properties for Regular Languages
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Copyright 2003-04, Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.

C O N T E X T - F R E E LANGUAGES ( use a grammar to describe a language) 1.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.

Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Safety and Liveness. Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation.

Safety and Liveness. Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation.
Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.

Lecture 2: Reasoning with Distributed Programs Anish Arora CSE 6333.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Similar presentations

Ads by Google