
Finite State Automaton Transitions (CISC422/853 lecture slides) - PowerPoint PPT Presentation



  1. CISC422/853: Formal Methods in Software Engineering: Computer-Aided Verification
Topic 2: Modeling, or How to Describe Behaviour of Software Systems?
Juergen Dingel, Jan 2009
Spin Book:
• Appendix A (pages: 553 – 560)
• Chapter 6 (pages: 127 – 133)
CISC422/853, Winter 2009 1

CISC853: Contents
1. A few words about concurrency
2. Modeling: How to describe behaviour of a software system?
   ° finite automata
3. Intro to 2 software model checkers
   ° Bogor (Santos group at Kansas State University)
   ° Spin (G. Holzmann at JPL)
4. Model checking I
   ° algorithms for basic exploration
5. Specifying: How to express properties of a software system?
   ° assertions, invariants, safety and liveness properties
   ° Linear temporal logic (LTL) and Buechi automata
6. Model checking II
   ° algorithms for checking properties
7. Overview of Software Model Checking tools

Two Views On Software
▪ Static
• Describe the structure of a single state (snap shot)
   ° Which objects exist?
   ° How are they related?
• Example: UML class diagrams
   [class diagram: Tree -root-> TreeNode (0..1); TreeNode -children-> TreeNode (0..2); TreeNode -key-> Key; TreeNode -content-> Value; List -head-> ListNode (0..1); ListNode -next-> ListNode (0..1); ListNode -val-> Value]
• They do not describe behaviour

Two Views On Software (Cont'd)
▪ Dynamic
• Describe how the system evolves, that is, which executions it can exhibit
• Could use
   ° activity diagrams, sequence diagrams, collaboration diagrams, but they don't contain enough information for our purposes
   ° Turing machines, but they contain too much information
• Will use finite state automata

  2. Finite State Automaton
A finite state automaton (machine) is a tuple (S, S₀, L, δ, F) where
S is a finite set of states
S₀ is a set of distinguished initial states with S₀ ⊆ S
L is a finite set of labels
δ is a set of transitions with δ ⊆ (S × L × S)
F is a set of final states with F ⊆ S
Example:
[state diagram: states s₀, s₁, s₂, s₃, s₄ with transitions labelled l₀, l₁, l₂]

Transitions
▪ System makes one step from one state to another
▪ Transitions can be enabled ...
• transition (sᵢ, l, sᵢ₊₁) is enabled in state sᵢ iff (sᵢ, l, sᵢ₊₁) ∈ δ
▪ ... or disabled
• transition (sᵢ, l, sᵢ₊₁) is disabled in state sᵢ iff (sᵢ, l, sᵢ₊₁) ∉ δ
▪ Transition labels can contain information about, e.g.,
• which process is carrying out the transition
• how much time the transition is taking (Timed automata)
• how likely it is that the transition is taken (probabilistic automata, Markov processes)
• an instruction (e.g., guard, assignment, input, output)
[state diagram: two states joined by transitions labelled start and stop]

Non-determinism
An FSA (S, S₀, L, δ, F) is deterministic iff
∀ s, s₁, s₂ ∈ S. ∀ l ∈ L. (s, l, s₁) ∈ δ ∧ (s, l, s₂) ∈ δ ⇒ s₁ = s₂
An FSA is non-deterministic iff it's not deterministic.
▪ Non-determinism is useful to
• model concurrent computations
   ° to abstract from particular scheduling policies
• model incompletely specified inputs or environments
   ° to abstract from particular inputs or environments
• write test harnesses

Runs and (Standard) Acceptance
A run (a.k.a., execution, trace) σ of an FSA (S, S₀, L, δ, F) is a possibly infinite sequence of transitions
(s₀, l₀, s₁)(s₁, l₁, s₂)(s₂, l₂, s₃)…
such that ∀ 0 ≤ i < |σ|. (sᵢ, lᵢ, sᵢ₊₁) ∈ δ.
An ω-run is an infinite run.
An accepting run of an FSA (S, S₀, L, δ, F) is a finite run
(s₀, l₀, s₁)(s₁, l₁, s₂)(s₂, l₂, s₃)…(sₙ₋₁, lₙ₋₁, sₙ)
such that s₀ ∈ S₀ and sₙ ∈ F.
"An accepting run is a run that ends in a final state"
At this point, accepting runs are always finite!
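The following is an added example, not code from the slides: it writes the 5-tuple (S, S₀, L, δ, F), the enabled/disabled test, the determinism condition and the run/acceptance definitions above as plain Python over sets of tuples. The automaton A1 is constructed here as a small process life cycle whose language matches the L(A₁) given later in the slides; its state names (s0 new, s1 ready, s2 running, s3 blocked, s4 stopped) are an assumption.

```python
# Added example (not from the lecture slides): an FSA as the 5-tuple
# (S, S0, L, delta, F) and the definitions of enabled transition,
# determinism, run and accepting run, spelled out as code.
from collections import defaultdict

# --- constructed example A1: a process life cycle (state names assumed) -------
S = {"s0", "s1", "s2", "s3", "s4"}   # new, ready, running, blocked, stopped
S0 = {"s0"}
L = {"start", "run", "pre-empt", "block", "unblock", "stop"}
delta = {
    ("s0", "start", "s1"),
    ("s1", "run", "s2"),
    ("s2", "pre-empt", "s1"),
    ("s2", "block", "s3"),
    ("s3", "unblock", "s2"),
    ("s2", "stop", "s4"),
}
F = {"s4"}
A1 = (S, S0, L, delta, F)


def enabled(fsa, s, l, s_next):
    """(s, l, s_next) is enabled in s iff it is an element of delta; otherwise disabled."""
    _, _, _, d, _ = fsa
    return (s, l, s_next) in d


def is_deterministic(fsa):
    """For every (s, l) at most one s' with (s, l, s') in delta, i.e.
    (s,l,s1) in delta and (s,l,s2) in delta implies s1 == s2."""
    _, _, _, d, _ = fsa
    successors = defaultdict(set)
    for s, l, s_next in d:
        successors[(s, l)].add(s_next)
    return all(len(targets) <= 1 for targets in successors.values())


def is_run(fsa, sigma):
    """sigma is a finite run iff every step is in delta and the steps chain:
    the target state of step i is the source state of step i+1."""
    _, _, _, d, _ = fsa
    if not all(step in d for step in sigma):
        return False
    return all(sigma[i][2] == sigma[i + 1][0] for i in range(len(sigma) - 1))


def is_accepting_run(fsa, sigma):
    """A finite run is accepting iff it starts in an initial state and ends
    in a final state. The empty sequence is treated as not accepting here."""
    _, initial, _, _, final = fsa
    return bool(sigma) and is_run(fsa, sigma) \
        and sigma[0][0] in initial and sigma[-1][2] in final


def word_of(sigma):
    """The word of a run is its sequence of labels."""
    return [l for _, l, _ in sigma]


if __name__ == "__main__":
    rho = [("s0", "start", "s1"), ("s1", "run", "s2"), ("s2", "block", "s3"),
           ("s3", "unblock", "s2"), ("s2", "stop", "s4")]
    print("deterministic:", is_deterministic(A1))
    print("accepting:", is_accepting_run(A1, rho), "word:", " ".join(word_of(rho)))
```

Adding a second `run` successor from `s1` (say `("s1", "run", "s3")`) makes `is_deterministic` report False, which is exactly the kind of non-determinism the slide recommends for abstracting from a scheduling policy.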

  3. Reachable States
The reachable states (a.k.a., state space) of an FSA A is the set of all states along every run of A from an initial state.
"All states s to which there is a path from s₀ ∈ S₀ to s"
Example:
The FSA [state diagram: states s₀, s₁, s₂, s₃, s₄ with transitions labelled l₀, l₁, l₂] has reachable states {s₀, s₁, s₂, s₃}

Words and Languages
A word w of an FSA A is the sequence of labels l₀ l₁ l₂ … lₙ₋₁ of an accepting run (s₀, l₀, s₁)(s₁, l₁, s₂)(s₂, l₂, s₃)…(sₙ₋₁, lₙ₋₁, sₙ) of A.
The language L(A) of an FSA A is the set of words of A:
L(A) = { w | w is a word of A }
Example:
L(A₁) = start run ((pre-empt run)* (block unblock)*)* stop
Theorem: FSAs = regular expressions = regular languages

Asynchronous Composition
The asynchronous composition of 2 FSAs A and B is an FSA A||B such that A||B = (S, S₀, L, δ, F) where
S is the Cartesian product A.S × B.S
S₀ is { (a₀, b₀) ∈ S | a₀ ∈ A.S₀ ∧ b₀ ∈ B.S₀ }
L is the union A.L ∪ B.L
δ is {((a₁, b), l, (a₂, b)) ∈ S × L × S | (a₁, l, a₂) ∈ A.δ } ∪ {((a, b₁), l, (a, b₂)) ∈ S × L × S | (b₁, l, b₂) ∈ B.δ }
F is {(s₁, s₂) ∈ S | s₁ ∈ A.F ∨ s₂ ∈ B.F}
where A.S denotes the set of states of FSA A etc.
(Using ∧ instead of ∨ in F would result in a stronger acceptance condition.)

Example: Asynchronous Composition (1)
[state diagrams]
A: s₀ -drink-> s₁, s₁ -eat-> s₀
B: t₀ -sing-> t₁, t₁ -dance-> t₀
A || B: states (s₀,t₀), (s₀,t₁), (s₁,t₀), (s₁,t₁); drink and eat move the A component while the B component stays put, sing and dance move the B component while the A component stays put

  4. Example: Asynchronous Composition (2)
[state diagrams]
A: states s₀, s₁, s₂ with guarded transitions x%2!=0 ∧ x>1? and x%2=0? and assignment transitions x:=3x+1 and x:=x/2
B: states t₀, t₁ with the guard x=1?
A || B: states (s₀,t₀), (s₀,t₁), (s₁,t₀), (s₁,t₁), (s₂,t₀), (s₂,t₁); each product transition carries the label of the component that moves

Asynchronous Composition (Cont'd)
▪ Form of parallel composition that allows each process to move completely independently of other processes
▪ Models our intuition about parallel or distributed processes executing at different speeds
▪ Introduces possibility of unfair executions, that is, executions in which, after some finite amount of time, a process is not executed anymore (e.g., P₁ P₂ P₁ P₂ P₁ P₁ P₁ …)
• Only infinite executions can be unfair (more on fairness later)
▪ Related concepts:
• asynchronous communication:
   ° process can send w/o having to block until a matching receive is executed
     - E.g., communication channel is implemented as a buffer
   ° Examples: Unix sockets, email
• asynchronous circuits

Synchronous Composition
The synchronous composition of 2 FSAs A and B is an FSA A ⊗ B such that A ⊗ B = (S, S₀, L, δ, F) where
S is A.S × B.S
S₀ is { (a₀, b₀) ∈ S | a₀ ∈ A.S₀ ∧ b₀ ∈ B.S₀ }
L is A.L × B.L
δ is { ((s,t), (l₁,l₂), (s′,t′)) ∈ S × L × S | (s, l₁, s′) ∈ A.δ ∧ (t, l₂, t′) ∈ B.δ }
F is {(s₁, s₂) ∈ S | s₁ ∈ A.F ∨ s₂ ∈ B.F}

Example: Synchronous Composition
[state diagrams]
A: a single state s₀ with self-loop transitions labelled drink, x=3x+1 and !(x%2)
B: states t₀, t₁, t₂, t₃ with transitions labelled one, two and viol
A ⊗ B: states (s₀,t₀), (s₀,t₁), (s₀,t₂), (s₀,t₃) with transitions labelled by pairs such as (drink,one), (drink,two) and (drink,viol)
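The following is an added example, not code from the slides, serving three of the definitions above at once: reachable states (Reachable States slide), asynchronous composition A||B (Asynchronous Composition slide) and synchronous composition A ⊗ B (Synchronous Composition slide), all over the same 5-tuple representation (S, S0, L, delta, F). The components A and B are constructed in the spirit of the drink/eat and sing/dance example; their exact transition structure and final states are an assumption. Running both compositions on the same pair shows a point the slides make only implicitly: the interleaving product has every pair of states reachable, whereas the lockstep product reaches only half of them.

```python
# Added example (not from the lecture slides): reachable-state exploration and
# the asynchronous (interleaving) and synchronous (lockstep) compositions,
# computed from the 5-tuple (S, S0, L, delta, F) of each component.
from collections import deque


def reachable(fsa):
    """Breadth-first search from S0 along delta: the states that occur on
    some run of the FSA starting in an initial state."""
    S, S0, _, d, _ = fsa
    succ = {s: set() for s in S}
    for s, _, s_next in d:
        succ[s].add(s_next)
    seen, todo = set(S0), deque(S0)
    while todo:
        s = todo.popleft()
        for s_next in succ[s]:
            if s_next not in seen:
                seen.add(s_next)
                todo.append(s_next)
    return seen


def async_compose(A, B):
    """A || B: each step moves exactly one component while the other stays;
    labels are A.L ∪ B.L; a pair is final if either component is final (∨)."""
    AS, AS0, AL, Ad, AF = A
    BS, BS0, BL, Bd, BF = B
    S = {(a, b) for a in AS for b in BS}
    S0 = {(a, b) for a in AS0 for b in BS0}
    L = AL | BL
    d = {((a1, b), l, (a2, b)) for (a1, l, a2) in Ad for b in BS} \
        | {((a, b1), l, (a, b2)) for (b1, l, b2) in Bd for a in AS}
    F = {(a, b) for (a, b) in S if a in AF or b in BF}
    return (S, S0, L, d, F)


def sync_compose(A, B):
    """A ⊗ B: each step moves both components together; labels are pairs
    from A.L × B.L; final states use the same ∨ condition as A || B."""
    AS, AS0, AL, Ad, AF = A
    BS, BS0, BL, Bd, BF = B
    S = {(a, b) for a in AS for b in BS}
    S0 = {(a, b) for a in AS0 for b in BS0}
    L = {(l1, l2) for l1 in AL for l2 in BL}
    d = {((s, t), (l1, l2), (s2, t2)) for (s, l1, s2) in Ad for (t, l2, t2) in Bd}
    F = {(a, b) for (a, b) in S if a in AF or b in BF}
    return (S, S0, L, d, F)


# --- constructed components (assumed structure, after the slides' example) ---
A = ({"s0", "s1"}, {"s0"}, {"drink", "eat"},
     {("s0", "drink", "s1"), ("s1", "eat", "s0")}, {"s0"})
B = ({"t0", "t1"}, {"t0"}, {"sing", "dance"},
     {("t0", "sing", "t1"), ("t1", "dance", "t0")}, {"t0"})

if __name__ == "__main__":
    par, lock = async_compose(A, B), sync_compose(A, B)
    print("A||B:", len(par[3]), "transitions, reachable:", sorted(reachable(par)))
    print("A⊗B:", len(lock[3]), "transitions, reachable:", sorted(reachable(lock)))
```

For this pair, A||B has 8 transitions and all four product states reachable, while A ⊗ B has 4 transitions and reaches only (s0,t0) and (s1,t1): from (s0,t0) the only lockstep step is (drink,sing) to (s1,t1), and from there only (eat,dance) back. That is why composing a system with a property automaton synchronously keeps the state space tied to the system's own behaviour rather than exploring every interleaving.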
