Add to collection(s) Add to saved
  1. Science
  2. Physics
  3. Electricity And Magnetism
  4. Magnetism

Model Checking

advertisement

Model Checking

Model Checking

 Used in studying behaviors of reactive systems

 Typically involves three steps:

 Create a finite state model (FSM) of the system design

 Specify critical correctness properties

 Validate the model w/r to the specifications

Create a FSM

 FSM languages

 focus on expressing concurrency, synchronization, and communication

 abstract details of internal computations

 must be precise and unambiguous (formally defined syntax and semantics)

 We will use Promela for giving system descriptions

Specify correctness properties

 Safety properties:

Nothing “bad” ever happens

 Formalized using state invariants

 execution never reaches a “bad” state

 Liveness properties:

Something “good” eventually happens

 Formalized using temporal logic

 special logic for describing sequences

Validate the model

“Execute” the model to test it

 simulate executions of the system

 check satisfaction of safety properties along simulated executions

 Exhaustive analysis

 generate reachability graph to verify safety and liveness properties

 Generate counterexamples to illustrate failures

Home Heating System

Example properties

 Pump is never on unless Burner is also on

 Whenever Sensor calls resp-temp(LOW) , eventually Controller becomes all-on

Reachability Graph

Graph of global states that can be

“reached” during execution global state contains a state for each concurrent “process” transitions show how an event or action transforms the global state

Analyze global state space to verify safety properties

Analyze paths through the RG to verify liveness properties

Promela

 The system description language of SPIN

 Designed for modeling data communication protocols

 System described as a collection of concurrent processes

 Processes communicate and synchronize via message channels and global variables

Promela

 Specify macro definitions

#define signal 0

 Declare symbolic constants mtype = { ON, OFF, LOW, OK }

 Declare a synchronous message channel chan pump_in = [0] of { mtype }

Promela

 Create a process instance active proctype pump ( ) { statements }

 Send a message pump_in!ON

 Receive a message pump_in?ON

Promela version of HHS

Promela version of HHS

Promela version of HHS

SPIN simulation of HHS

SPIN automatically generates sequence diagrams to represent executions

 random guided interactive

Automates tracing between system views

 sequence diagram

Promela description state diagram textual execution traces

Verification of a safety property

 Pump is never on unless Burner is also on

Verification of a liveness property

 Whenever Sensor calls resp-temp(LOW) , eventually

Controller becomes all-on

Verification of a liveness property

Related documents
spin-slides - University of Waterloo
spin-slides - University of Waterloo
Test Review Ch 6 - Alta Physics Wikispace
Test Review Ch 6 - Alta Physics Wikispace
Team 04: Green to Clean Cost Analysis January Trip Distribution Design
Team 04: Green to Clean Cost Analysis January Trip Distribution Design
Download
advertisement