
Software Verification 2
Automated Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Recap: LTS
• LTS = (Σ, S, Δ, S0)
  - Σ is a nonempty finite alphabet
  - S is a nonempty finite set of states
  - Δ ⊆ S × Σ × S is the transition relation
  - S0 ⊆ S is the set of initial states
  remark: sometimes a pseudo state s0 ∈ S is used instead of S0 ⊆ S;
  sometimes there is only a single initial state s0 ∈ S
• state = (program counter(s), variable valuation)
  transition = (state, instruction, state)
• S0 can be written as a predicate on variables and pc's
  - init: (pc==ℓ0 ∧ x==0 ∧ y<=5 ∧ ...)
• Δ can be written as a predicate on current and next variables
  - Δ: ((pc==ℓ1 ∧ x'==x+1) ∨ (pc==ℓ2 ∧ x'==x+2) ∨ ...)
H. Schlingloff, SS2012: SWV 2
12.4.2012
Slide 2
Boolean Equivalences
next(state) := case
  inp=0                : state;
  inp=50 & state=s0    : s50;
  inp=50 & state=s50   : s0;
esac;

(
  (inp==0 → state'==state) ∧
  (inp==50 ∧ state=s0 → state'==s50) ∧
  (inp==50 ∧ state=s50 → state'==s0)
)

(
  (inp==0 → state'==state) ∧
  (inp==50 → (state=s0 → state'==s50) ∧ (state=s50 → state'==s0))
)
• Parallel transition system / state machine
  T = (T1, ..., Tn)
  - all state sets must be pairwise disjoint
• Global TS associated with parallel TS: T = (Σ, S, Δ, S0), where
  - Σ = ∪i Σi
  - S = S1 × ... × Sn
  - S0 = S10 × ... × Sn0
  - ((s1,...,sn), a, (s1',...,sn')) ∈ Δ iff for all Ti,
    - if a ∈ Σi, then (si, a, si') ∈ Δi, and
    - if a ∉ Σi, then si' = si
• Complexity (size of this construction)? Correctness???
Correctness
• T = (T1,...,Tn), T = T1 || ... || Tn
• Intuitively: T accepts/generates exactly those sequences which are accepted/generated by all Ti
  - projection of run onto the alphabet of a transition system:
    σ = σ1σ2σ3...
    σ|Ti = if (σ1 ∈ Σi) then σ1 (σ2σ3...)|Ti else (σ2σ3...)|Ti
  - Show: T acc σ iff ∀i (Ti acc σ|Ti)
  - can also be used as a definition
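Added example for the two slides above (not code from the lecture): an LTS class, the global transition system of T1 || ... || Tn built exactly as defined (synchronise on shared letters, stay put on foreign ones), the projection σ|Ti, and a brute-force check of the correctness claim "T accepts σ iff every Ti accepts σ|Ti" on all words up to a fixed length. The two component systems T1, T2 and the acceptance notion (some run from S0 reads the whole finite word) are assumptions made for the example; `global_size` shows the complexity point, since |S| is the product of the |Si| before any reachability pruning.

```python
from itertools import product

class LTS:
    """Labeled transition system T = (Sigma, S, Delta, S0), all components finite."""

    def __init__(self, alphabet, states, delta, initial):
        self.alphabet = frozenset(alphabet)
        self.states = frozenset(states)
        self.delta = frozenset(delta)      # transition relation: triples (s, a, s')
        self.initial = frozenset(initial)  # S0, a set of initial states

    def successors(self, s, a):
        return {t for (p, b, t) in self.delta if p == s and b == a}

    def accepts(self, word):
        """Assumed acceptance: some run starting in S0 reads the whole (finite) word."""
        current = set(self.initial)
        for a in word:
            current = {t for s in current for t in self.successors(s, a)}
            if not current:
                return False
        return True

def parallel(*ts):
    """Global TS of T1 || ... || Tn as on the slide: Sigma = union of the Sigma_i,
    S = S1 x ... x Sn, S0 = S1_0 x ... x Sn_0, and ((s1..sn), a, (s1'..sn')) is a
    transition iff every Ti with a in Sigma_i moves on a and every other Ti stays."""
    alphabet = set().union(*(t.alphabet for t in ts))
    states = set(product(*(t.states for t in ts)))
    initial = set(product(*(t.initial for t in ts)))
    delta = set()
    for s in states:
        for a in alphabet:
            options = [t.successors(s[i], a) if a in t.alphabet else {s[i]}
                       for i, t in enumerate(ts)]
            for target in product(*options):   # empty if a synchronising Ti is stuck
                delta.add((s, a, target))
    return LTS(alphabet, states, delta, initial)

def project(word, alphabet):
    """sigma|Ti: drop every letter outside Ti's alphabet, keep the order."""
    return tuple(a for a in word if a in alphabet)

# Constructed components (not from the slides): T1 and T2 share the letter c,
# so c is a handshake, while a and b are private steps of T1 and T2.
T1 = LTS({"a", "c"}, {"p0", "p1"}, {("p0", "a", "p1"), ("p1", "c", "p0")}, {"p0"})
T2 = LTS({"b", "c"}, {"q0", "q1"}, {("q0", "b", "q1"), ("q1", "c", "q0")}, {"q0"})
T12 = parallel(T1, T2)

def global_size(ts):
    """(|S|, |Delta|) of the construction; |S| = product of the |Si|."""
    g = parallel(*ts)
    return len(g.states), len(g.delta)

def correctness_holds(ts=(T1, T2), max_len=4):
    """Checks the slide's claim on every word up to max_len:
    T accepts sigma iff every Ti accepts sigma|Ti."""
    g = parallel(*ts)
    for n in range(max_len + 1):
        for word in product(sorted(g.alphabet), repeat=n):
            if g.accepts(word) != all(t.accepts(project(word, t.alphabet)) for t in ts):
                return False
    return True

if __name__ == "__main__":
    print("global size (|S|, |Delta|):", global_size((T1, T2)))
    print("abc accepted:", T12.accepts(("a", "b", "c")), " ac accepted:", T12.accepts(("a", "c")))
    print("T acc sigma iff all Ti acc sigma|Ti, words up to length 4:", correctness_holds())
```

The word "ac" is rejected by the product because T2 has no c-step from q0, so the handshake on c cannot happen until T2 has done its private b; the projection check sees the same thing as "T2 does not accept c".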
Parallel State Machines
• Parallel state machine
  - T = (T1,...,Tn), Σi = 2^E × C × 2^A
• What is the global state machine associated with a parallel state machine? ("flattening")
  - synchronization by common e[c]/a is not an option
  - possible choices: synchronize or compete on common input events (triggers)?
  - what if an effect contains sending of a trigger?
    ("run-to-completion semantics": tedious formalization)
Example (diagram on the slide, not reproduced in the text)
Introducing Data
• Simple state machines
  - E: set of events, C: set of conditions, A: set of actions
  - a simple state machine is an LTS where Σ = 2^E × C × 2^A
• Extended state machine: Assume a first-order signature (D, F, R) with finite domains D and a set V of program variables on these domains. An ESM is a simple state machine where
  - a guard is a quantifier-free first-order formula on (D, F, R) and V
  - an action is an assignment V=T
    - Attention: the effect of a transition is a set of actions! Parallel execution introduces nondeterminism.
Example (diagram on the slide, not reproduced in the text)
Introducing Hierarchies
• In a UML state machine, a state may contain other states
  - powerful abstraction concept
  - semantics can be tedious
Introducing Visibility Scopes
• A state machine can be part of a class or module
  - all variables are visible within the module only
  - modules may be nested
• Classes or modules can be parameterized
  - instances of classes are objects
Introducing Fairness
• LTSs cannot specify that something will eventually happen
  - only maximal sequences are accepted (terminating or infinite)
• want to express that in infinite runs, certain states must occur infinitely often
• Just LTS = (LTS, J), where J = (J1,...,Jm), Ji ⊆ S (justice requirements)
  - for each Ji ∈ J each infinite run must contain infinitely many s ∈ Ji
• Fair LTS = (LTS, F), where F = (F1,...,Fm), Fi = (Pi, Qi), Pi ⊆ S, Qi ⊆ S (compassion requirements)
  - for each Fi ∈ F and each infinite run it holds that if it contains infinitely many s ∈ Pi, then it also contains infinitely many s ∈ Qi
• Cf. automata theory: Büchi- and Rabin-acceptance
Example: Peterson's Mutual Exclusion
{t=0; x=0; y=0;
  {0: while(true){NC1: skip; 1: x=1; 2: t=1;
    3: await(t==0 ∨ y==0); C1: skip;
    4: x=0;}}
  ||
  {0: while(true){NC2: skip; 1: y=1; 2: t=0;
    3: await(t==1 ∨ x==0); C2: skip;
    4: y=0;}}
}
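Added example for this slide and the fairness slide before it (not code from the lecture): the parallel while-program is encoded as a global LTS in the sense of slide 2, a state being (pc1, pc2, t, x, y), and explored explicitly under interleaving semantics. The exploration checks the safety property mutual exclusion (no state with pc1==C1 and pc2==C2) and deadlock freedom, and then decides a justice requirement Ji ⊆ S the way a model checker does: an infinite run visiting Ji only finitely often exists iff the reachable graph with Ji removed contains a cycle. The location names l0..l4 for the numbered labels 0..4, the tuple encoding and the two justice sets queried at the end are assumptions made for the example.

```python
from collections import deque

# Constructed encoding of the slide's program. Per process: (own flag, other
# flag, value written to t, value of t that admits entry, NC label, C label).
PARAMS = {1: ("x", "y", 1, 0, "NC1", "C1"), 2: ("y", "x", 0, 1, "NC2", "C2")}
INIT = ("l0", "l0", 0, 0, 0)   # (pc1, pc2, t, x, y) after the {t=0; x=0; y=0;} prologue

def step(me, pc, v):
    """One instruction of process `me` at location `pc` under valuation v;
    returns (pc', v') or None when the await guard blocks."""
    flag, other, give, mine, nc, cs = PARAMS[me]
    w = dict(v)
    if pc == "l0":                  # while(true): enter the non-critical section
        return nc, w
    if pc == nc:                    # NCi: skip
        return "l1", w
    if pc == "l1":                  # x=1 / y=1: announce interest
        w[flag] = 1
        return "l2", w
    if pc == "l2":                  # t=1 / t=0: offer the turn to the other process
        w["t"] = give
        return "l3", w
    if pc == "l3":                  # await(t==mine or other flag==0): may block
        return (cs, w) if v["t"] == mine or v[other] == 0 else None
    if pc == cs:                    # Ci: skip
        return "l4", w
    if pc == "l4":                  # x=0 / y=0: leave
        w[flag] = 0
        return "l0", w
    raise ValueError(pc)

def successors(state):
    """Interleaving semantics of ||: exactly one process moves per global transition."""
    pc1, pc2, t, x, y = state
    v = {"t": t, "x": x, "y": y}
    out = []
    for me, pc in ((1, pc1), (2, pc2)):
        r = step(me, pc, v)
        if r is not None:
            npc, w = r
            pcs = (npc, pc2) if me == 1 else (pc1, npc)
            out.append(pcs + (w["t"], w["x"], w["y"]))
    return out

def reachable(init=INIT):
    """Explicit-state exploration; returns the adjacency map of the reachable global LTS."""
    edges, queue = {}, deque([init])
    while queue:
        s = queue.popleft()
        if s in edges:
            continue
        edges[s] = successors(s)
        queue.extend(edges[s])
    return edges

def mutual_exclusion(edges):
    """Safety: no reachable state has both processes in their critical section."""
    return not any(s[0] == "C1" and s[1] == "C2" for s in edges)

def deadlock_free(edges):
    """Every reachable state has a successor: the two awaits never block at once."""
    return all(edges[s] for s in edges)

def unjust_run_exists(edges, justice):
    """Justice set J = {s | justice(s)}: is there an infinite run visiting J only
    finitely often? Yes iff the reachable graph minus J contains a cycle (DFS colouring)."""
    allowed = {s for s in edges if not justice(s)}
    colour = {}                     # 1 = on the DFS stack, 2 = finished

    def dfs(u):
        colour[u] = 1
        for w in edges[u]:
            if w in allowed and (colour.get(w) == 1 or (w not in colour and dfs(w))):
                return True
        colour[u] = 2
        return False

    return any(s not in colour and dfs(s) for s in allowed)

if __name__ == "__main__":
    g = reachable()
    print(len(g), "reachable states; mutex:", mutual_exclusion(g),
          "deadlock-free:", deadlock_free(g))
    # Without a fairness assumption process 1 may never be scheduled: C1 is avoidable.
    print("run avoiding C1 exists:", unjust_run_exists(g, lambda s: s[0] == "C1"))
    # Every infinite run lowers a flag infinitely often: the protocol forces progress.
    print("run keeping x==1 and y==1 forever exists:",
          unjust_run_exists(g, lambda s: s[3] == 0 or s[4] == 0))
```

The first justice query shows why the slide needs fairness: the plain LTS accepts the run in which process 2 loops forever while process 1 never moves, so "eventually C1" is not expressible without a justice or compassion constraint. The second query is a justice requirement the protocol does satisfy: once both flags are raised, each process can take at most three steps before it must lower its flag, so no cycle survives in the restricted graph.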
Summary: Finite State Modeling Concepts
• We discussed
  - (parallel) while-programs with finite domains
  - Labeled transition systems
  - Simple state machines
  - Parallel transition systems / state machines
  - UML state machines
  - Object-oriented concepts
  - Fairness constraints (justice, compassion)
• Mutual simulation possible
  - but may be tedious; cross-compiler technology