Formal Specification and Verification Formal specification - PowerPoint PPT Presentation

Formal Specification and Verification – Formal specification – Temporal logic 12.06.2012 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1

Formal specification • Specification for program/system • Specification for properties of program/system Verification tasks: Check that the specification of the program/system has the required properties. 2

Formal specification • Specification languages for describing programs/processes/systems Model based specification transition systems, abstract state machines, timed automata last time Axiom-based specification algebraic specification last time Declarative specifications logic based languages (Prolog) functional languages, λ -calculus (Scheme, Haskell, OCaml, ...) rewriting systems (very close to algebraic specification): ELAN, SPIKE, ... • Specification languages for properties of programs/processes/systems Temporal logic 3

More complex specifications and specification languages • Languages for describing various processes • Languages based on Set theory (OZ, B) • Languages for describing durations • Complex languages 4

CSP Communicating Sequential Processes, or CSP, is a language for describing processes and patterns of interaction between them. It is supported by an elegant, mathematical theory, a set of proof tools, and an extensive literature. 5

CSP Communicating Sequential Processes, or CSP, is a language for describing processes and patterns of interaction between them. It is supported by an elegant, mathematical theory, a set of proof tools, and an extensive literature. • Each process: transition system • Operations on processes: sequential, parallel composition efects on states 6

CSP General idea: Given: • Set of event names • Process: behaviour pattern of an object (insofar as it can be described in terms of the limited set of events selected as its alphabet) 7

CSP Example: Events: insert-coin, get-sprite, get-beer 8

CSP Prefix: P = a → Q ( a then Q ) where a is an event and Q a process After event a , process P behaves like process Q 9

CSP: Example A simple vending machine which consumes one coin before breaking ( insert - coin → STOP ) 10

CSP: Example A simple vending machine that successfully serves two customers before breaking ( insert - coint → ( get - sprite → ( insert - coin → ( get - beer → STOP )))) 11

CSP Example: (recursive definitions) Consider the simplest possible everlasting object, a clock which never does anything but tick (the act of winding is deliberately ignored) Events ( CLOCK ) = { tick } Consider next an object that behaves exactly like the clock, except that it first emits a single tick ( tick → CLOCK ) The behaviour of this object is indistinguishable from that of the original clock. This reasoning leads to formulation of the equation CLOCK = ( tick → CLOCK ) This can be regarded as an implicit definition of the behaviour of the clock. 11

Modular Specifications: CSP-OZ-DC (COD) COD [Hoenicke,Olderog’02] allows us to specify in a modular way: • the control flow of a system using Communicating Sequential Processes (CSP) • the state space and its change using Object-Z (OZ) • (dense) real-time constraints over durations of events using the Duration Calculus (DC) 12

Interface } {z Example: Controller for line track (RBC) | } CSP part {z RBC method enter : [ s 1? : Segment ; t 0? : Train ; t 1? : Train ; t 2? : Train ] method leave : [ ls ? : Segment ; lt ? : Train ] (Leave) (Leave) (Enter) (Enter) local chan alloc , req , updPos , updSpd | } (Speed) c c = (( enter → main ) State 2 = (( alloc → State 3) CSP main 2 1 ( leave → main ) ( enter → State 2) ✷ ✷ Data classes ( updSpd → State 1)) ( leave → State 2)) ✷ ✷ c c State 1 = (( enter → State 1) State 3 = (( enter → State 3) {z (Request) (Position) ( leave → State 1) ( leave → State 3) ✷ ✷ ✷ ( req → State 2)) ✷ ( updPos → main )) SegmentData TrainData train : Segment → Train [Train on segment] segm : Train → Segment [Train segment] | 4 3 req : Segment → Z [Requested by train] next : Train → Train [Next train] (Allocation) alloc : Segment → Z [Allocated by train] spd : Train → R [Speed] pos : Train → R [Current position] } (Enter) (Enter) prev : Train → Train [Prev. train] (Leave) (Leave) Init A sd : SegmentData t : Train Γ train ( segm ( t )) = t OZ A td : TrainData t : Train Γ next ( prev ( t )) = t A t : Train Γ prev ( next ( t )) = t A A t : Train Γ tid ( t ) > 0 t : Train Γ0 ≤ pos ( t ) ≤ length ( segm ( t )) State and Init schema A A t 1, t 2 : Train | t 1 � = t 2Γ tid ( t 1) � = tid ( t 2) t : Train Γ0 ≤ spd ( t ) ≤ lmax ( segm ( t )) A A t : Train Γ alloc ( segm ( t )) = tid ( t ) s : Segment Γ prevs ( nexts ( s )) = s A A t : Train Γ alloc ( nexts ( segm ( t ))) = tid ( t ) s : Segment Γ nexts ( prevs ( s )) = s A ∨ length ( segm ( t )) − bd ( spd ( t )) > pos ( t ) s : Segment Γ sid ( s ) > 0 A A s : Segment Γ segm ( train ( s )) = s s : Segment Γ sid ( nexts ( s )) > sid ( s ) {z A s 1, s 2 : Segment | s 1 � = s 2Γ sid ( s 1) � = sid ( s 2) A s : Segment | s � = snil Γ length ( s ) > d + gmax · ∆ t A s : Segment | s � = snil Γ0 < lmax ( s ) ∧ lmax ( s ) ≤ gmax A s : Segment Γ lmax ( s ) ≥ lmax ( prevs ( s )) − decmax · ∆ t A s 1, s 2 : Segment Γ tid ( incoming ( s 1)) � = tid ( train ( s 2)) effect updSpd ∆( spd ) A t : Train | pos ( t ) < length ( segm ( t )) − d ∧ spd ( t ) − decmax · ∆ t > 0 Γmax { 0, spd ( t ) − decmax · ∆ t } ≤ spd ′ ( t ) ≤ lmax ( segm ( t )) A t : Train | pos ( t ) ≥ length ( segm ( t )) − d ∧ alloc ( nexts ( segm ( t ))) = tid ( t ) Γmax { 0, spd ( t ) − decmax · ∆ t } ≤ spd ′ ( t ) ≤ min { lmax ( segm ( t )), lmax ( nexts ( segm ( t ))) } A | t : Train | pos ( t ) ≥ length ( segm ( t )) − d ∧ ¬ alloc ( nexts ( segm ( t ))) = tid ( t ) Γ spd ′ ( t ) = max { 0, spd ( t ) − decmax · ∆ t } } . . . pdate rules 13 {z

Example: Controller for line track (RBC) CSP part: specifies the processes and their interdependency. The RBC system passes repeatedly through four phases, modeled by events: (Leave) (Leave) (Enter) (Enter) (Speed) • updSpd (speed update) 2 1 • req (request update) (Request) (Position) • alloc (allocation update) 4 3 • updPos (position update) (Allocation) (Enter) (Enter) (Leave) (Leave) Between these events, trains may leave or enter the track (at specific segments), modeled by the events leave and enter. 14

Example: Controller for line track (RBC) CSP part: specifies the processes and their interdependency. The RBC system passes repeatedly through four phases, modeled by events with corresponding COD schemata: CSP: − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − method enter : [ s 1? : Segment ; t 0? : Train ; t 1? : Train ; t 2? : Train ] method leave : [ ls ? : Segment ; lt ? : Train ] local chan alloc , req , updPos , updSpd main c State 1 c State 2 c State 3 c =(( updSpd → State 1) =(( req → State 2) =(( alloc → State 3) =(( updPos → main ) ✷ ( leave → main ) ✷ ( leave → State 1) ✷ ( leave → State 2) ✷ ( leave → State 3) ✷ ( enter → main )) ✷ ( enter → State 1)) ✷ ( enter → State 2)) ✷ ( enter → State 3)) − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − − 15

Example: Controller for line track (RBC) OZ part. Consists of data classes, axioms, the Init schema, update rules. 16

Example: Controller for line track (RBC) OZ part. Consists of data classes, axioms, the Init schema, update rules. • 1. Data classes declare function symbols that can change their values during runs of the system Data structures: train: trains • 2-sorted pointers segm: segments SegmentData TrainData train : Segment → Train segm : Train → Segment [Train on segment] [Train segment] req : Segment → Z [Requested by train] next : Train → Train [Next train] alloc : Segment → Z spd : Train → R [Speed] [Allocated by train] pos : Train → R [Current position] prev : Train → Train [Prev. train] 9

Example: Controller for line track (RBC) OZ part. Consists of data classes, axioms, the Init schema, update rules. • 1. Data classes declare function symbols that can change their values during runs of the system, and are used in the OZ part of the specification. • 2. Axioms: define properties of the data structures and system parameters which do not change • gmax : R (the global maximum speed), • decmax : R (the maximum deceleration of trains), • d : R (a safety distance between trains), • Properties of the data structures used to model trains/segments 10