Add to collection(s) Add to saved
  1. Math
  2. Advanced Math
  3. Logic

micromodel

advertisement 
Micromodels of Software
Formal Methods in Verification of
Computer Systems
Jeremy Johnson
Outline
1. Semantic Entailment
•
•
•
Given a set of formulas , is  ⊨  valid
 encodes requirements and  as a property
that all valid implementations should have
Undecidable
2. Model checking
•
•
•
Given a formula  and a matching model M
determine whether M ⊨l  holds
Requirements encoded in model
Fixes too many implementation choices
Outline
1. Combination
•
•
•
Set of models (bounded size)
Negative answer provides counter example
Positive answer gives confidence
2. Small scope hypothesis
•
Negative answers tend to occur in small
models
3. Alloy (alloy.mit.edu)
Models
• Let F be a set of functions and P a set of
predicates. A model M for (F,P) consists of
• A non-empty set A [universe] of concrete
values
• For each nullary f  F an element of A = fM
• For each n-ary f  F a function fM : An  A
• For each n-ary P  P a subset PM  An
Satisfaction
• Given a model M for (F,P) and given an
environment l : var  A the satisfaction
relation M ⊨l 
• P(t1,…,tn)  (a1,…,an) and M ⊨l  iff (a1,…,an)
 RM
• M ⊨l x  iff M ⊨l [x  a] holds for all a  A
• M ⊨l x  iff M ⊨l [x  a] holds for some a
A
Satisfaction
• Given a model M for (F,P) and given an
environment l : var  A the satisfaction
relation M ⊨l 
•
•
•
•
M ⊨l  iff M ⊨l  does not hold
M ⊨l 1  2 iff M ⊨l 1 and M ⊨l 2 holds
M ⊨l 1  2 iff M ⊨l 1 or M ⊨l 2 holds
M ⊨l 1  2 iff M ⊨l 2 holds whenever M
⊨l 1 holds
Semantic Entailment
• Let  be a set of formulas (possibly
infinite) and  be a formula from
predicate calculus
•  ⊨  holds iff for all models M and lookup
tables l, whenever M ⊨l  holds for all 
then M ⊨l  holds as well
•  is satisfiable iff there is some model M and
lookup table l such that M ⊨l  holds
•  is valid iff M ⊨l  holds for all models M
and lookup tables l
Example 1
• F = {i} and P = {R,F}
• i a constant function, R binary and F unary
predicates
• Model – A set of states, initial state i, state
transitions R, final states F
• A = {a,b,c}
• iM = a
• RM = {(a,a),(a,b),(a,c),(b,c), (c,c)}
• FM = {b,c}
Example 1
• y R(i,y)
• F(i)
• x y z (R(x,y)  R(x,z)  y = z )
• x y R(x,y)
Software Micromodels
• Want description M of all compliant
implementations Mi of some software
system.
• Given a property 
• Assertion checking: does  hold in all
implementations Mi  M
• Consistency checking: does  hold in some
implementations Mi  M
Alloy (alloy.mit.edu)
• “Alloy is a language for describing structures and a tool for
exploring them. It has been used in a wide range of
applications from finding holes in security mechanisms to
designing telephone switching networks.”
• Declarative (language based on logic)
• Bounded queries
• Implemented using SAT solver
• Illustrate by describing concrete models of state machines
(example 1) and checking assertion that “final states are
not initial states) and consistency there are state
machines that contain a non-final state that is deadlocked
Alloy Implementation
module AboutStateMachines
sig State {}
-- simple states
sig StateMachine { -- composite state machines
A : set State, -- set of states of a state machine
i : A,
}
-- initial state of a state machine
F : set A,
-- set of final states of a state machine
R : A -> A
-- transition relation of a state machine
Alloy Implementation
-- E.G. assertion checking
-- Claim that final states are never initial: false.
assert FinalNotInitial {
all M : StateMachine | no M.i & M.F
} check FinalNotInitial for 3 but 1 StateMachine
S0
R
S1
S2
(F)
(I,F)
Alloy Implementation
-- E.G. consistency checking
-- Is there a three-state machine with a non-final deadlock? True.
pred AGuidedSimulation(M : StateMachine, s : M.A) {
no s.(M.R)
not s in M.F
# M.A = 3
} run AGuidedSimulation for 3 but 1 StateMachine
S0
R
S2
(I)
S1
(F)
R
Example 2
• F = {alma} and P = {loves}
• P is a binary predicates, alma constant
function
• Model – A set of states,
• A = {a,b,c}
• almaM = a
• lovesM = {(a,a),(b,a),(c,a)}
Example 2
• almaM = a
• lovesM = {(a,a),(b,a),(c,a)}
• lovesM’ = {(b,a),(c,b)}
• Does the model satisfy
• None of Alma’s lovers’ lovers love her
• xy (loves(x,alma)  loves(y,x) 
 loves(y,alma)
Alloy Implementation
module AboutAlma
sig Person {}
sig SoapOpera {
cast : set Person,
alma : cast,
loves : cast -> cast
Person0
Alma
}
assert OfLovers {
all S : SoapOpera |
all x, y : S.cast |
S.alma in x.(S.loves) && x in y.(S.loves) =>
not S.alma in y.(S.loves)
}
check OfLovers for 2 but 1 SoapOpera
R
Person1
Underspecified System
• Add the following constaint
•
Fact NoSelfLove { all S : SoapOpera, p : S.cast |
not p in p.(S.loves) }
• No there are no counter examples
• Increase the number of persons to 3
provides the smallest counter example
• check OfLovers for 3 but 1 SoapOpera
Exercise
• Install alloy
• Go through the tutorial (file system
example)
• Study package dependency example from
section 2.7 of the text
• www.cs.bham.ac.uk/research/projects/lics
• Look under ancillary materials
• Note that code is for an older version of alloy
and some changes are necessary
Related documents
NiTiNOL Nickel Titanium Naval Ordnance Laboratory
NiTiNOL Nickel Titanium Naval Ordnance Laboratory
This individual must possess strong organizational, interpersonal
This individual must possess strong organizational, interpersonal
Review - mvhs
Review - mvhs
Depth-profile of texture and residual stresses in near
Depth-profile of texture and residual stresses in near
12/4-5/2007 Braze Wetting tests on Molybdenum
12/4-5/2007 Braze Wetting tests on Molybdenum
Comma Splice Worksheet - Wilson
Comma Splice Worksheet - Wilson
Assignment-chap8
Assignment-chap8
Download
advertisement