Presentation is loading. Please wait.

Presentation is loading. Please wait.

VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies.

Published byRoland Mosley Modified over 9 years ago

Similar presentations

Presentation on theme: "VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies."— Presentation transcript:

1 VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies John Wickerson Formal2Normal team: Andrey Dereza * Anatoliy Gorbenko ** Lyubov Reva ** Leanid Vaitsekhovich*** Oleg Illiashenko ** Oleksii Starov** _________________________________________________________ * - Caddiesoft, Ukraine ** - National Aerospace University “KhAI”, Ukraine *** - Brest State Technical University, Belarus

2 Abstract The project is devoted to VCC case study development. A system under study:  a real-time system that controls traffic on a single-lane bridge The purpose of the project:  to demonstrate feasibility and usefulness of VCC tool  to compare different implementations and annotation techniques Our approach:  to employ a stepwise (refined-based) development and verification 2

3 Single-lane bridge © J.-R. Abrial. Modeling in Event-B: System and Software Engineering 3

4 Single-lane bridge: System requirements FUN-1 The system is controlling cars on a bridge between the mainland and an island FUN-2 The number of cars on the bridge and the island is limited FUN-3 The bridge is a single-line. Cars can move in a one way or the other, not both at the same time EQP-1 The system has two traffic lights with two colours: green and red EQP-2 The traffic lights control the entrance to the bridge at both ends of it EQP-3 Cars are not supposed to pass on a red traffic light, only on a green one EQP-4 The system is equipped with four car sensors each with two states: on or off EQP-5 The sensors are used to detect the presence of cars entering or leaving the bridge 4

5 Abstract model Invariants  n >= 0  n <= d Events  driveOut  driveInto FUN-1 The system is controlling cars on a bridge between the mainland and an island FUN-2 The number of cars on the bridge and the island is limited 5

6 Step-wise development Requirement RefinementImplementation’s and VCC’s features Variables Structure Threads FUN-1 Abstract model √ √ √ FUN-2 Abstract model √ √ O FUN-3 REF-1 √ √ O EQP-1 REF-2 - √ O EQP-2 REF-2 - √ O EQP-3 REF-2 - √ O EQP-4 REF-3 - O O EQP-5 REF-3 - O O 6

7 VCC implementation using Variables #include #define MAX_COUNT 100 int driveInto(unsigned *pn) _(requires (*pn) >= 0 && (*pn) <= MAX_COUNT) _(writes pn) _(ensures (*pn) >= 0 && (*pn) <= MAX_COUNT) { if ((*pn) < MAX_COUNT) { (*pn)++; return 1; } return 0; } int driveOut(unsigned *pn) _(requires (*pn) >= 0 && (*pn) <= MAX_COUNT) _(writes pn) _(ensures (*pn) >= 0 && (*pn) <= MAX_COUNT) { if ((*pn) > 0) { (*pn)--; return 1; } return 0; } 7

8 VCC implementation using Structure #include #define MAX_COUNT 100 typedef struct _parkingIsland { // count of cars on the island unsigned n; _(invariant \this->n >= 0 && \this->n <= MAX_COUNT) // can be extended } ParkingIsland; void parkingInit(ParkingIsland *p) _(writes \extent(p)) _(ensures \wrapped(p)) { p->n = 0; _(wrap p) } int driveInto(ParkingIsland *p) _(updates p) { if (p->n < MAX_COUNT) { _(unwrapping p){ p->n++; } return 1; } return 0; } int driveOut(ParkingIsland *p) _(updates p) { if (p->n > 0) { _(unwrapping p){ p->n--; } return 1; } return 0; } 8

9 Simulation unsigned n; // counter of cars on the island int main() _(writes &n) { n = 0; unsigned waitingCars = 0; // testing int roadIsBusy; for (unsigned i = 0; i < 1000; ++i) _(invariant waitingCars <= i && i <= 1000) _(invariant n >= 0 && n <= MAX_COUNT) { // one car pass for each iteration roadIsBusy = 0; // in if (rand() & 1) { // normal distribution may be more natural waitingCars++; if (driveInto(&n)) { waitingCars--; roadIsBusy = 1; } else if (waitingCars) { // do not think about the cars speed if (driveInto(&n)) { waitingCars--; roadIsBusy = 1; } // out if (!roadIsBusy && rand() & 1) { driveOut(&n); } _(assert n >= 0) _(assert n <= MAX_COUNT) #ifndef VERIFY // runtime check assert(n >= 0); assert(n <= MAX_COUNT); // output for state printf("%3d >==< %3d\n", n, waitingCars); #endif } return 0; } 9

10 Refinement 1 Invariants  a, n, b >= 0  a + n + b <= MAX_COUNT  (a = 0)  (b = 0) Events  m_out  m_in  i_in  i_out 10

11 VCC Implementation Using Structure #include #define MAX_COUNT 100 typedef struct _parkingIsland { unsigned n; unsigned a; unsigned b; unsigned w; _(invariant n >= 0 && a >= 0 && b >= 0) _(invariant n + a + b <= MAX_COUNT) _(invariant a == 0 || b == 0) } ParkingIsland; void parkingInit(ParkingIsland *p) _(writes \extent(p)) _(ensures \wrapped(p)) { p->n = p->a = p->b = p->w = 0; _(wrap p) } int i_in(ParkingIsland *p) _(updates p) { if (p->a > 0) { _(unwrapping p){ p->a--; p->n++; } return 1; } return 0; } int i_out(ParkingIsland *p) _(updates p) { if (p->a == 0 && p->n > 0) { _(unwrapping p){ p->n--; p->b++; } return 1; } return 0; } int m_in(ParkingIsland *p) _(updates p) { if (p->b > 0) { _(unwrapping p){ p->b--; } return 1; } return 0; } int m_out(ParkingIsland *p) _(updates p) { if (p->b == 0 && p->n+p->a < MAX_COUNT) { _(unwrapping p){ p->a++; } return 1; } else { _(unwrapping p){ _(unchecked)p->w++; } return 0; } } 11

12 Simulation ParkingIsland pIsland; // parking on the island object void main() _(writes \extent(&pIsland)) { parkingInit(&pIsland); // testing for (unsigned i = 0; i < 1000; ++i) _(writes &pIsland)// FIXME: why?! _(invariant \wrapped(&pIsland)) { if (rand() & 1) i_out(&pIsland); if (rand() & 1) m_out(&pIsland); // temporary, to have more representative data if (i % 3 == 0) { i_in(&pIsland); m_in(&pIsland); } _(assert \wrapped(&pIsland)) #ifndef VERIFY // runtime check assert(pIsland.n >= 0); assert(pIsland.a >= 0); assert(pIsland.b >= 0); assert(pIsland.w >= 0); assert(pIsland.n + pIsland.a <= MAX_COUNT); assert(!(pIsland.a && pIsland.b)); // output for state printf("%3d >= ( %3d-> <-%3d ) =< %3d\n", pIsland.n, pIsland.b, pIsland.a, pIsland.w); #endif } 97 >= ( 0-> <-3 ) =< 236 97 >= ( 0-> <-3 ) =< 237 98 >= ( 0-> <-2 ) =< 238 98 >= ( 0-> <-2 ) =< 239 98 >= ( 0-> <-2 ) =< 240 99 >= ( 0-> <-1 ) =< 240 99 >= ( 0-> <-1 ) =< 241 100 >= ( 0-> <-0 ) =< 241 99 >= ( 1-> <-0 ) =< 242 99 >= ( 1-> <-0 ) =< 243 99 >= ( 0-> <-0 ) =< 244 98 >= ( 1-> <-0 ) =< 245 97 >= ( 1-> <-0 ) =< 246 96 >= ( 2-> <-0 ) =< 247 96 >= ( 2-> <-0 ) =< 248 12

13 Refinement 2 Invariants  a, n, b >= 0  a + n + b <= MAX_COUNT  (a = 0)  (b = 0)  il_tl xor ml_tl  … Events  ML_out  ML_in  IN_in  IN_out 13

14 VCC implementation elements #include #define MAX_COUNT 1000 #define LIGHT_DELAY 10 #define SPEED_DELAY 10 typedef struct _trafficLight { unsigned light_i; unsigned light_m; unsigned delay; } TrafficLight; typedef struct _parkingIsland { TrafficLight tl; unsigned n; unsigned a; unsigned b; unsigned w; // main invariants _(invariant n >= 0 && a >= 0 && b >= 0) _(invariant n + a + b <= MAX_COUNT) _(invariant a == 0 || b == 0) // traffic lights _(invariant tl.light_i == 0 || tl.light_i == 1) _(invariant tl.light_m == 0 || tl.light_m == 1) _(invariant (a + n tl.light_i == 1) _(invariant (a == 0 && b != 0) ==> tl.light_m == 1) } ParkingIsland; void updateLights(ParkingIsland *pi) _(writes pi) _(writes &pi->tl.delay) _(writes &pi->tl.light_i) _(writes &pi->tl.light_m) { if (pi->a == 0 && pi->b == 0) { _(unchecked)pi->tl.delay--; if (pi->tl.delay == 0) { pi->tl.light_i = !pi->tl.light_i; pi->tl.light_m = !pi->tl.light_m; pi->tl.delay = LIGHT_DELAY; } else { pi->tl.delay = LIGHT_DELAY; if (pi->a) { pi->tl.light_i = 0; pi->tl.light_m = 1; } else { pi->tl.light_i = 1; pi->tl.light_m = 0; } 14

15 VCC implementation (next - atomic) #include #include "atomic.h" #define MAX_COUNT 100 typedef struct _parkingIsland { volatile unsigned n; _(invariant n == \old(n) || n == \old(n) + 1 || n == \old(n) - 1) _(invariant \this->n >= 0 && \this->n <= MAX_COUNT) } ParkingIsland; // todo int driveInto(ParkingIsland *p) { _(atomic p) { // todo } // todo } 15

16 Lessons learned If assertion involves a variable used in a cycle above, there should be a cycle’s invariant concerns this variable => Could be implemented in VCC Usage of structures simplifies assertions. But hierarchy of structures sophisticates proof 16

17 Conclusion Sometimes VСС requires assertions which are redundant The complexity of the annotations depends on implementation features To use VCC in an effective way it is necessary to work out a special coding style 17

18 Any questions? 18

Download ppt "VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies."

Similar presentations

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.

Using SMT solvers for program analysis Shaz Qadeer Research in Software Engineering Microsoft Research.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
C Module System C and Data Structures Baojian Hua

C Module System C and Data Structures Baojian Hua
Ch. 7 Process Synchronization (1/2) 2015-04-17. 7.I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.

Ch. 7 Process Synchronization (1/2) I Background F Producer - Consumer process :  Compiler, Assembler, Loader, · · · · · · F Bounded buffer.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 24 Slide 1 Critical Systems Validation 2.
Introduction to LUSTRE 22c181 Spring 2008. Background Developed in 1980’s at Verimag (Fr) Currently used by Estrel Technologies in Scade development tools.

Introduction to LUSTRE 22c181 Spring Background Developed in 1980’s at Verimag (Fr) Currently used by Estrel Technologies in Scade development tools.
26.8.2004 Model Checking C++ Daniel Kroening. 26.8.2004 Daniel Kroening 2 Warning! No new research in this talk Talk is about doing existing stuff for.

Model Checking C++ Daniel Kroening Daniel Kroening 2 Warning! No new research in this talk Talk is about doing existing stuff for.
Concurrency.

Concurrency.
Cleanroom Engineering and the B-Method: A Comparison Drew Connelly.

Cleanroom Engineering and the B-Method: A Comparison Drew Connelly.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.

K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond, WA part 0 Summer School on Logic and Theorem-Proving in Programming.
Department of Electrical and Computer Engineering Texas A&M University College Station, TX 77843-3128 Abstract 4-Level Elevator Controller Lessons Learned.

Department of Electrical and Computer Engineering Texas A&M University College Station, TX Abstract 4-Level Elevator Controller Lessons Learned.
Lecture 7 Model Development and Model Verification.

Lecture 7 Model Development and Model Verification.
Apr 26th, 2006 Solving Generic Role Assignment Exactly Christian Frank and Kay Römer ETH Zurich, Switzerland.

Apr 26th, 2006 Solving Generic Role Assignment Exactly Christian Frank and Kay Römer ETH Zurich, Switzerland.
Chapter 1 Principles of Programming and Software Engineering.

Chapter 1 Principles of Programming and Software Engineering.
© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.

© 2006 Pearson Addison-Wesley. All rights reserved2-1 Chapter 2 Principles of Programming & Software Engineering.
Pointers Example Use int main() { int *x; int y; int z; y = 10; x = &y; y = 11; *x = 12; z = 15; x = &z; *x = 5; z = 8; printf(“%d %d %d\n”, *x, y, z);

Pointers Example Use int main() { int *x; int y; int z; y = 10; x = &y; y = 11; *x = 12; z = 15; x = &z; *x = 5; z = 8; printf(“%d %d %d\n”, *x, y, z);
Client Server Model and Software Design TCP/IP allows a programmer to establish communication between two application and to pass data back and forth.

Client Server Model and Software Design TCP/IP allows a programmer to establish communication between two application and to pass data back and forth.
Design Synopsys System Verilog API Donations to Accellera João Geada.

Design Synopsys System Verilog API Donations to Accellera João Geada.
Refinement, reusable libraries, instantiable classes K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Joint work.

Refinement, reusable libraries, instantiable classes K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond Joint work.

Similar presentations

Ads by Google