Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.

Published byArchibald Skinner Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The."— Presentation transcript:

1

2 CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

3 Software is... …one of the most complex man made artifacts “It’s different [from other engineering disciplines] in that we take on novel tasks every time. The number of times [civil engineers] make mistakes is very small. And at first you think, what’s wrong with us? It’s because it’s like we’re building the first skyscraper every time.” -- Bill Gates (Microsoft, 1992) “I believe the [spreadsheet product] I’m working on now is far more complex than a 747 (jumbo jet airliner)” -- Chris Peters (Microsoft, 1992)

4 Goal: Increase Software Reliability Trends: Size, complexity, concurrency, distributed Cost of software engineer………………………. Cost of CPU cycle……………………………….. Future: Automated Fault Detection

5 Reasoning About Concurrent Systems is Hard class Job extends Thread { Container objref; Object x; public Job incr () { synchronized (objref) { objref.counter = objref.counter + 1; } return this; } public void setref(Container o) { objref = o; } public void run() { for (i=0;i++;i<3) { incr(); } class Container { public int counter; } class Apprentice { public static void main(String[] args) { Container c1 = new Container(); Container c2 = new Container(); Job j1 = new Job(); Job j2 = new Job(); j1.setref(c2); j2.setref(c1); j1.start(); j2.start(); j1.setref(c1); } Does the value of counter ever decrease? Source: J.S. Moore, George Porter “Proving Properties of Java Threads”.

6 The Dream Program Requirement Checker OK Error trace or void add(Object o) { buffer[head] = o; head = (head+1)%size; } Object take() { … tail=(tail+1)%size; return buffer[tail]; } Property 1: … Property 2: … …

7 Model Checking OK Error trace or Finite-state model Temporal logic formula Model Checker  Line 5: … Line 12: … Line 15:… Line 21:… Line 25:… Line 27:… … Line 41:… Line 47:…

8 Spin Example proctype A(chan in, out) { byte mt; /* message data */ bit vr; L1: mt = (mt+1%MAX); out!mt,1; goto L2; L2: in?vr; if :: (vr == 1) goto L1 :: (vr == 0) goto L3 :: printf(“Error”); goto L5 fi; L3: out!mt,1; goto L2; L4: in?vr; if :: goto L1; :: printf(“Error”); goto L5 fi; L5: out!mt,0; goto L4 } L1 L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol

9 Explicit State Model-checking L1L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol [L1, (mt1, vr1), ….] PendingSeen Before Implementation Explored State-Space (computation tree) Conceptual View

10 Explicit State Model-checking L1L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol [L2, (mt2, vr2), ….] Explored State-Space (computation tree) PendingSeen Before Implementation Conceptual View [L1, (mt1, vr1), ….]

11 Explicit State Model-checking L1L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol [L3, (mt3, vr3), ….] Explored State-Space (computation tree) PendingSeen Before Implementation Conceptual View [L1, (mt1, vr1), ….] [L2, (mt2, vr2), ….] [L5, (mt5, vr5), ….] [L1, (mt1’, vr1’),..]

12 Explicit State Model-checking [L3, (mt3, vr3), ….] Explored State-Space (computation tree) PendingSeen Before Implementation Conceptual View [L1, (mt1, vr1), ….] [L2, (mt2, vr2), ….] [L5, (mt5, vr5), ….] [L3, (mt3, vr3), ….] L1L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol [L1, (mt1’, vr1’),..]

13 Explicit State Model-checking [L3, (mt3, vr3), ….] Explored State-Space (computation tree) PendingSeen Before Implementation Conceptual View [L1, (mt1, vr1), ….] [L2, (mt2, vr2), ….] [L3, (mt3, vr3), ….] [L5, (mt5, vr5), ….] L1L4 L2 L3 L5 ?b1 ?err ?b0 ?b1!a1 ?a1 ?b0 ?err !a0 Fragment of Alternating Bit Protocol [L1, (mt1’, vr1’),..]

14 Why Try to Use Model Checking for Software? In contrast to testing, gives complete coverage by exhaustively exploring all paths in system, It’s been used for years with good success in hardware and protocol design Automatically check, e.g., – –invariants, simple safety & liveness properties – –absence of dead-lock and live-lock, – –complex event sequencing properties, “Between the window open and the window close, button X can be pushed at most twice.” This suggests that model-checking can complement existing software quality assurance techniques.

15 In this course... You will study various tools and techniques for debugging and verifying properties of concurrent systems (software, in particular). –Spin: system designed for verifying protocols based on communicating FSA –Bandera: tool set for checking concurrent Java software that compiles Java to Spin, dSpin, etc. –JPF: model-checker that works directly on Java bytecodes

16 In this course... You will learn the basic algorithms and data structures used in a model-checker –You will program several versions of a model- checker for a simple programming language –Small programming assignments using OCAML – a dialect of ML (you will learn OCAML by yourself during the course). –You will study the formal semantics of various abstraction and slicing techniques used for software model-checking

17 In this course... In a project component, you will apply Bandera and other model-checking engines (e.g., Spin, dSpin, JPF) to check properties of medium-size Java systems. –Formalize system requirements in Bandera’s specification language –Identity appropriate code units and test harnesses for to be used in checking –Perform abstractions and other model-reduction techniques required for obtaining a tractable model –Write multiple documents describing each phase of the project

18 Summary Software is becoming pervasive and very complex Model-checking is a promising technique for modeling, debugging, and verifying properties of concurrent systems We will learn the basic principles of explicit state model-checking and methods for applying it effectively to real-world concurrent software Explore current research topics that may impact the future of software model-checking

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.

Formal Methods and Testing Goal: software reliability Use software engineering methodologies to develop the code. Use formal methods during code development.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,

Carnegie Mellon University Java PathFinder and Model Checking of Programs Guillaume Brat, Dimitra Giannakopoulou, Klaus Havelund, Mike Lowry, Phil Oh,
ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.

ESP: A Language for Programmable Devices Sanjeev Kumar, Yitzhak Mandelbaum, Xiang Yu, Kai Li Princeton University.
1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.

1 Concurrency Specification. 2 Outline 4 Issues in concurrent systems 4 Programming language support for concurrency 4 Concurrency analysis - A specification.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.

Automated creation of verification models for C-programs Yury Yusupov Saint-Petersburg State Polytechnic University The Second Spring Young Researchers.
AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.
CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.

CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.
Software Design & Development Year 12. Structure of the Course Development and Impact of Software Solutions Development and Impact of Software Solutions.

Software Design & Development Year 12. Structure of the Course Development and Impact of Software Solutions Development and Impact of Software Solutions.
Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.

Course Summary. © Katz, 2003 Formal Specifications of Complex Systems-- Real-time 2 Topics (1) Families of specification methods, evaluation criteria.
Chapter 1: An Overview of Computers and Programming Languages J ava P rogramming: From Problem Analysis to Program Design, From Problem Analysis to Program.

Chapter 1: An Overview of Computers and Programming Languages J ava P rogramming: From Problem Analysis to Program Design, From Problem Analysis to Program.
SE curriculum in CC2001 made by IEEE and ACM: Overview and Ideas for Our Work Katerina Zdravkova Institute of Informatics

SE curriculum in CC2001 made by IEEE and ACM: Overview and Ideas for Our Work Katerina Zdravkova Institute of Informatics

Similar presentations

Ads by Google