types of formal specifications for assertions concurrent
play

Types of Formal Specifications for Assertions Concurrent and - PowerPoint PPT Presentation

Oct 07, 2022 •6 likes •226 views

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

  1. Outline � Formal specifications CISC422/853: Formal Methods � Types of formal specifications: in Software Engineering: • assertions • invariants Computer-Aided Verification • safety and liveness properties � How to express safety properties: Topic 7: Specifying, or How to Describe How the System Should (or Should • FSAs, regular expressions, Never Claims Not) Behave � How to express liveness properties: • progress labels, Buechi Automata, Never Claims, Linear Juergen Dingel Temporal Logic, Computation Tree Logic Feb, 2009 � How to manage the complexity of specifications: Readings: • specification patterns • Spin book: Chapter 4 (Defining Correctness Claims), Chapter 6 (Automata and Logic) CISC422/853, Winter 2009 Specifying • Course notes on CTL 2 (Formal) Specifications Observables � What is a specification? � “Atomic propositions” used in a specification � What is a formal specification? � In BIR • global and local variables (in their scope) � Properties of good formal specifications? • existential (anonymous) thread program counter • As precise and detailed as necessary, and as abstract (i.e., unconstraining) as possible Property.existsThread(t, loc5) � In PROMELA • Consistent • Correct (internally, externally) • global and local variables � Why use formal specifications? • end-states, progress states, and accept states ° needed for expression of liveness (progress) properties • Unambiguous ° E.g., non-progress through reserved boolean variable np_ • Sometimes more succinct (false in s iff at least one process is at a control flow state marked • Amenable to automatic analysis with a progress label) ° more on these later • process ids through reserved variable _pid CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 3 4

  2. Types of Formal Specifications for Assertions Concurrent and Reactive Systems � Assertions � Express a property of observables at particular Example: location � Invariants thread T() { thread T() { � Most basic formal specification; already used by � Safety properties ... ... John von Neumann in 1947 loc loc7: � Liveness properties loc loc7: � In BIR and Promela: assert(b); when b do { when b do { � What kind of correctness claim does an assertion ... make, that is, what does it mean if there is ... assert(x> y); • no assertion violation?: assert(x> y); ... “No matter along which path control has reached the ... location of the assertion, the boolean expression in } } the assertion evaluates to true at that location” ... • an assertion violation?: ... } “There is at least one execution such that the boolean } expression in the assertion does not evaluate to true at that location” CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 5 6 Example 2: Checking Mutual Exclusion Example 1: Simple Race Condition Using Assertions � Does protocol below ensure mutual exclusion and deadlock freedom? � How can we check this using Bogor or Spin? syst em syst em M M uxTr y uxTr y { syst em syst em M M uxTr y uxTr y { bool ean bool ean f l ag1; l ag1; bool ean f l ag1; bool ean l ag1; bool ean f l ag2; bool ean l ag2; bool ean bool ean f l ag2; l ag2; t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: do { f l ag1 : = t r ue; } got o do { f l ag1 : = t r ue; } got o l oc2; l oc2; do { f l ag2 : = t r ue; } got o do { f l ag2 : = t r ue; } got o l oc2; l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o when ( ! f l ag1) do { } got o l oc3; l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o when ( ! f l ag1) do { } got o l oc3; l oc3; l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: do { } got o l oc4; do { } got o l oc4; do { } got o l oc4; do { } got o l oc4; do { } got o do { } got o l oc4; l oc4; do { } got o do { } got o l oc4; l oc4; critical regions critical regions l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: do { f l ag1 : = f al se; } got o do { f l ag1 : = f a l se; } got o l oc0; l oc0; do { f l ag2 : = f al se; } got o do { f l ag2 : = f a l se; } got o l oc0; l oc0; do { f l ag1 : = f al se; } got o do { f l ag1 : = f a l se; } got o l oc0; l oc0; do { f l ag2 : = f al se; } got o do { f l ag2 : = f a l se; } got o l oc0; l oc0; } } } } [Source: spinroot.com] CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 7 8

  3. Example 2: Checking Mutual Exclusion Assertions in Java Using Assertions (Cont’d) To check mutual exclusion, instrument protocol as follows: � Java 1.4 also supports assertions syst em syst em M M uxTr y uxTr y { � What does it mean if a Java assertion is syst em syst em M M uxTr y uxTr y { bool ean bool ean f l ag1; f l ag1; bool ean f l ag1; bool ean f l ag1; bool ean f l ag2; bool ean f l ag2; bool ean f l ag2; bool ean f l ag2; • violated? i nt i nt c; i nt i nt c; • not violated? t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: � What’s the difference between assertions in l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o do { f l ag2 : = t r ue; } got o l oc2; l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; Bogor/Spin and Java? l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: do { do { c : = c+1; asser t ( c==1) ; c : = c+1; asser t ( c==1) ; } } do { do { c : = c+1; asser t ( c==1) ; c : = c+1; asser t ( c==1) ; } } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } got o got o l oc4; l oc4; got o l oc4; got o l oc4; got o got o l oc4; l oc4; got o l oc4; got o l oc4; critical regions critical regions l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: do { c : = c- 1; do { c : = c- 1; f l ag2 : = f al se; } f l ag2 : = f al se; } do { do { c : = c- 1; c : = c- 1; f l ag1 : = f al se; } f l ag1 : = f al se; } do { c : = c- 1; do { c : = c- 1; f l ag2 : = f al se; } f l ag2 : = f al se; } do { c : = c- 1; do { c : = c- 1; f l ag1 : = f al se; } f l ag1 : = f al se; } got o got o l oc0; l oc0; got o got o l oc0; l oc0; got o l oc0; got o l oc0; got o l oc0; got o l oc0; } } } } What about deadlock freedom? CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 9 10 Invariants Multiplication Example � Express property of observables that holds at every Consider a simple program with a loop invariant location � What kind of correctness claim does an invariant // assume parameters m and n // assume parameters m and n make, that is, what does it mean if there is count := m; count := m; output := 0; output := 0; • no invariant violation?: “At all locations along all executions of the system, the property // loop invariant: m * n = = output + (count * n) // loop invariant: m * n = = output + (count * n) holds” while (count > 0) do { while (count > 0) do { • an invariant violation?: output := output + n; output := output + n; count := count – 1; “There is at least one location along an execution such that the count := count – 1; } property does not hold at that location” } � How do invariants compare to • assertions? • “loop invariants” in Hoare Logic? [Source: CIS842 @ KSU] CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 11 12

Recommend

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and debugging Largely based on material from University of Washington CSE 331 Good programs, broken programs? Goal: program works (does not fail) Need:

540 views • 32 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides
Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 4. Formal specifications: LTL, CTL 2018 1 / 37 State (reachability) graph of

1.14k views • 94 slides
Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune

Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune

Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune September 9, 2011 Specifications Presentation outline Monitoring of Critical Quality Attributes (CQAs) Testing Types of testing Types of

468 views • 21 slides
Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based Systems Oscar Carrillo Dpartement dInformatique des Systmes Complexes (DISC), Femto-ST UMR 6174 CNRS Encadrement : Hassan Mountassir et Samir

972 views • 65 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides
On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara, Reino Kurki-Suonio and Tommi Mikkonen Institute of Software Systems Tampere University of Technology Finland Outline 1.

1.03k views • 21 slides
1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

Assertions assertions communicate assumptions about the state of the program, and stop processing if they turn out to be false very often comments are statements about the state Assertions the program should be in but assertions can

61 views • 3 slides
Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi & Nobuko Yoshida VeTSS PhD school / FMATS workshop Microsoft Research Cambridge, 25 September 2018 Problem Introduction Calculus Types

870 views • 57 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

575 views • 35 slides
Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true

625 views • 33 slides
Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and

Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and

Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and Gustavo Petri Goal + Verification Program Specifications Conditions Types Assertions Contracts Pre/Post Loop Invariants Spec Spec

482 views • 33 slides
Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like constraints: Recall: state IN {'IA', 'MN', 'WI', 'MI', 'IL'} But can reference all tables Defined by: CREATE ASSERTION <name>

552 views • 30 slides
Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/

Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/

Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 Open Problems The way to organise software is increasingly based on communications (Cloud

692 views • 53 slides
Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran einnec Xavier Thirioux Universit e de Toulouse, France Institut de Recherche en Informatique de Toulouse { mauran,queinnec,thirioux } @enseeiht.fr

606 views • 19 slides
Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan

Concurrent Datatype Verification 01 Concurrent Datatype Verification Verifying lock free data types using CSP and FDR Jonathan Lawrence jonathan.lawrence@cs.ox.ac.uk Concurrent Datatype Verification 02 Introduction Case study using

618 views • 27 slides
Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta

Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta

Creol as formal model for distributed, concurrent objects Martin Steffen IfI UiO Flacos, Malta 27. November 2008 Structure [0] Creol Distributed Communication in Creol Basic Language Constructs Open semantics and observable interface

615 views • 32 slides
Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert

Comparative Study of Eight Formal Specifications of the Message Authenticator Algorithm Hubert Garavel Lina Marsso Inria Grenoble LIG Universit Grenoble Alpes http://convecs.inria.fr Outline The Message Authenticator Algorithm (MAA)

741 views • 39 slides
A concurrent programming language with refined session types Juliana Franco and Vasco T.

A concurrent programming language with refined session types Juliana Franco and Vasco T.

Introduction Donation Server The SePi language Final remarks and Future work A concurrent programming language with refined session types Juliana Franco and Vasco T. Vasconcelos LaSIGE, University of Lisbon, Portugal September 23, 2013 A

470 views • 23 slides
On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order

On Congruence Property of Scope Equivalence for Concurrent Programs with Higher-Order Communication Masaki Murakami Okayama University JAPAN A Formal Model of Concurrent Systems the model presented here is a translation of asynchronous

847 views • 31 slides
Spark verification features Continued Paul Jackson School of Informatics University of

Spark verification features Continued Paul Jackson School of Informatics University of

Spark verification features Continued Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Executability of assertions Virtually all Spark assertions are executable. Are issues with quantifiers: Each

512 views • 9 slides
Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in

Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in

Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in Software Engineering: Practically : BIR, PROMELA How to express properties Computer-Aided Verification Assertions, invariants

196 views • 9 slides

More recommend