compositional verification of plc software using horn
play

Compositional Verification of PLC Software using Horn Clauses and - PowerPoint PPT Presentation

Nov 05, 2022 •550 likes •1.75k views

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri Bohlender | Stefan Kowalewski WODES 2018, June 1, 2018 Introduction CHC-based Verification Conclusion Outline Introduction CHC-based Verification

  1. Introduction CHC-based Verification Conclusion Motivation Mode Spaces in Model-Checking 0 “Idle” req && !m !(req && !m) DiagCode =0x0000 1 4 h.data:=in ReqHandler( 2 ReqHandler( h.data, h.data, h.DiagCode, “Processing” DiagCode h.DiagCode, h.res =0x8000 h.res ) ) 3 5 out:=h.res out:=h.res 6 “Error” DiagCode m:=req =0xC001 7 Figure: Main CFA of example Figure: Mode space of ReqHandler ◮ Requests are processed in ≤ two execution cycles? ⇒ On request, “Processing” mode is reached in a single cycle Compositional Verification of PLC Software using CHCs and Mode Abstraction 4 / 15 D. Bohlender | S. Kowalewski

  2. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  3. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  4. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  5. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  6. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  7. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  8. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  9. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  10. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  11. Introduction CHC-based Verification Conclusion Motivation Requirements Towards Formalism & Model Checker ◮ Compositional reasoning ◮ Integrates with abstraction (no cloning or inlining) of calls (call summaries) Example Example ◮ Let f1:FB; f2:FB; ◮ Consider abs( x ) = y ◮ Reason about FB( . . . ) ◮ Use summary ◮ Avoid f1( . . . ) , f2( . . . ) and y ≥ 0 instruction cloning ◮ Until details needed ◮ Constrained Horn Clauses (CHCs) meet these ◮ Uniform formalism for symbolic model checking of software Compositional Verification of PLC Software using CHCs and Mode Abstraction 5 / 15 D. Bohlender | S. Kowalewski

  12. Introduction CHC-based Verification Conclusion Constrained Horn Clauses Constrained Horn Clauses ◮ Special case of Satisfiability Modulo Theories (SMT) Definition Given sets of variables V , function symbols F , and predicates P , a Constrained Horn Clause (CHC) is a formula ∀V p 1 ( � X 1 ) ∧ · · · ∧ p k ( � → h ( � X k ) ∧ ϕ X ) , k ≥ 0 , � �� � � �� � body head where ◮ � X i , � X ⊆ V are possibly empty vectors of variables ◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of p i exists Compositional Verification of PLC Software using CHCs and Mode Abstraction 6 / 15 D. Bohlender | S. Kowalewski

  13. Introduction CHC-based Verification Conclusion Constrained Horn Clauses Constrained Horn Clauses ◮ Special case of Satisfiability Modulo Theories (SMT) Definition Given sets of variables V , function symbols F , and predicates P , a Constrained Horn Clause (CHC) is a formula ∀V p 1 ( � X 1 ) ∧ · · · ∧ p k ( � → h ( � X k ) ∧ ϕ X ) , k ≥ 0 , � �� � � �� � body head where ◮ � X i , � X ⊆ V are possibly empty vectors of variables ◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of p i exists Compositional Verification of PLC Software using CHCs and Mode Abstraction 6 / 15 D. Bohlender | S. Kowalewski

  14. Introduction CHC-based Verification Conclusion Constrained Horn Clauses Constrained Horn Clauses ◮ Special case of Satisfiability Modulo Theories (SMT) Definition Given sets of variables V , function symbols F , and predicates P , a Constrained Horn Clause (CHC) is a formula ∀V p 1 ( � X 1 ) ∧ · · · ∧ p k ( � → h ( � X k ) ∧ ϕ X ) , k ≥ 0 , � �� � � �� � body head where ◮ � X i , � X ⊆ V are possibly empty vectors of variables ◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of p i exists Compositional Verification of PLC Software using CHCs and Mode Abstraction 6 / 15 D. Bohlender | S. Kowalewski

  15. Introduction CHC-based Verification Conclusion Constrained Horn Clauses Constrained Horn Clauses ◮ Special case of Satisfiability Modulo Theories (SMT) Definition Given sets of variables V , function symbols F , and predicates P , a Constrained Horn Clause (CHC) is a formula ∀V p 1 ( � X 1 ) ∧ · · · ∧ p k ( � → h ( � X k ) ∧ ϕ X ) , k ≥ 0 , � �� � � �� � body head where ◮ � X i , � X ⊆ V are possibly empty vectors of variables ◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of p i exists Compositional Verification of PLC Software using CHCs and Mode Abstraction 6 / 15 D. Bohlender | S. Kowalewski

  16. Introduction CHC-based Verification Conclusion Constrained Horn Clauses Constrained Horn Clauses ◮ Special case of Satisfiability Modulo Theories (SMT) Definition Given sets of variables V , function symbols F , and predicates P , a Constrained Horn Clause (CHC) is a formula ∀V p 1 ( � X 1 ) ∧ · · · ∧ p k ( � → h ( � X k ) ∧ ϕ X ) , k ≥ 0 , � �� � � �� � body head where ◮ � X i , � X ⊆ V are possibly empty vectors of variables ◮ ϕ is a constraint over F and V ◮ CHCs satisfiable if satisfying interpretation of p i exists Compositional Verification of PLC Software using CHCs and Mode Abstraction 6 / 15 D. Bohlender | S. Kowalewski

  17. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Concept For each block type A with signature VarTypes , add a predicate p A : Loc × VarTypes × Loc × VarTypes → B � �� � � �� � source target ◮ Will define transitive reachability within A ⇒ Observable semantics of procedure captured by , � , � X ′ ) p A ( l entry X, l exit ���� � �� � const const ◮ Solving CHC � finding over-approximating summary of A Compositional Verification of PLC Software using CHCs and Mode Abstraction 7 / 15 D. Bohlender | S. Kowalewski

  18. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Concept For each block type A with signature VarTypes , add a predicate p A : Loc × VarTypes × Loc × VarTypes → B � �� � � �� � source target ◮ Will define transitive reachability within A ⇒ Observable semantics of procedure captured by , � , � X ′ ) p A ( l entry X, l exit ���� � �� � const const ◮ Solving CHC � finding over-approximating summary of A Compositional Verification of PLC Software using CHCs and Mode Abstraction 7 / 15 D. Bohlender | S. Kowalewski

  19. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Concept For each block type A with signature VarTypes , add a predicate p A : Loc × VarTypes × Loc × VarTypes → B � �� � � �� � source target ◮ Will define transitive reachability within A ⇒ Observable semantics of procedure captured by , � , � X ′ ) p A ( l entry X, l exit ���� � �� � const const ◮ Solving CHC � finding over-approximating summary of A Compositional Verification of PLC Software using CHCs and Mode Abstraction 7 / 15 D. Bohlender | S. Kowalewski

  20. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Concept For each block type A with signature VarTypes , add a predicate p A : Loc × VarTypes × Loc × VarTypes → B � �� � � �� � source target ◮ Will define transitive reachability within A ⇒ Observable semantics of procedure captured by , � , � X ′ ) p A ( l entry X, l exit ���� � �� � const const ◮ Solving CHC � finding over-approximating summary of A Compositional Verification of PLC Software using CHCs and Mode Abstraction 7 / 15 D. Bohlender | S. Kowalewski

  21. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  22. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  23. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  24. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  25. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  26. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Transition Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � 0 req && !m !(req && !m) 1 4 Transitive Reachability: h.data:=in ReqHandler( p Main ( l, � X, 1 , � 2 X ′ ) ReqHandler( h.data, h.data, h.DiagCode, ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � ) h.DiagCode, h.res h.res ) → p Main ( l, � X, 2 , � X ′′ ) ) 3 5 out:=h.res out:=h.res 6 m:=req 7 Compositional Verification of PLC Software using CHCs and Mode Abstraction 8 / 15 D. Bohlender | S. Kowalewski

  27. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  28. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  29. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  30. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  31. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  32. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Encoding a Call Variables instances: � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � �� � � X h . . . Transitive Reachability (& call summary): p Main ( l, � X, 2 , � X ′ ) 2 ReqHandler( X ′ \ � h.data, ∧ p ReqHandler (0 , � h , 42 , � h ) ∧ id ( � X ′ X ′′ X ′ h ) h.DiagCode, ∧ S ReqHandler ( � h , � X ′ X ′′ h.res h ) ) 3 → p Main ( l, � X, 3 , � X ′′ ) . . . Compositional Verification of PLC Software using CHCs and Mode Abstraction 9 / 15 D. Bohlender | S. Kowalewski

  33. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Checking Safety Specifications 0 req && !m !(req && !m) ◮ Does safety property safe ( � X ) 1 4 h.data:=in hold at the end of every cycle? ReqHandler( 2 ReqHandler( h.data, ⇒ Yes, if adding h.data, h.DiagCode, h.DiagCode, h.res p Main (0 , � X, 7 , � X ′ ) → safe ( � X ′ ) h.res ) ) 3 5 keeps CHCs satisfiable out:=h.res out:=h.res 6 ◮ Violated, if unsatisfiable m:=req 7 10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  34. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Checking Safety Specifications 0 req && !m !(req && !m) ◮ Does safety property safe ( � X ) 1 4 h.data:=in hold at the end of every cycle? ReqHandler( 2 ReqHandler( h.data, ⇒ Yes, if adding h.data, h.DiagCode, h.DiagCode, h.res p Main (0 , � X, 7 , � X ′ ) → safe ( � X ′ ) h.res ) ) 3 5 keeps CHCs satisfiable out:=h.res out:=h.res 6 ◮ Violated, if unsatisfiable m:=req 7 10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  35. Introduction CHC-based Verification Conclusion Modelling of PLC Software with CHCs Checking Safety Specifications 0 req && !m !(req && !m) ◮ Does safety property safe ( � X ) 1 4 h.data:=in hold at the end of every cycle? ReqHandler( 2 ReqHandler( h.data, ⇒ Yes, if adding h.data, h.DiagCode, h.DiagCode, h.res p Main (0 , � X, 7 , � X ′ ) → safe ( � X ′ ) h.res ) ) 3 5 keeps CHCs satisfiable out:=h.res out:=h.res 6 ◮ Violated, if unsatisfiable m:=req 7 10 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  36. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  37. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  38. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  39. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  40. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  41. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  42. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  43. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Approximating the Mode-Space Idea: ◮ Procedure’s complexity needs to be low w.r.t. CHC-solving ⇒ Adapt value-set analysis (VSA) to determine mode-transitions Procedure: 1. Use global VSA to approximate all variables’ values 2. For each function block type, e.g. ReqHandler 2.1 For each computed mode-value, e.g. { 0 , 0x8000 , 0xC001 } • Keep global VSA values but fix mode, e.g. set DiagCode=0 • Compute block’s single-cycle VSA • Interpret resulting mode-values as targets, e.g. { 0 , 0x8000 } 11 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  44. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  45. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  46. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  47. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  48. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  49. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  50. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  51. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  52. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  53. Introduction CHC-based Verification Conclusion Mode-Space as Call Summary Mode-Space as Call Summary ◮ Mode-space constrains possible transitions “Idle” ⇒ Yields call summary S ReqHandler ( � X h , � DiagCode X ′ h ) : =0x0000 ( h . DiagCode = 0 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0x8000 ) “Processing” ∧ ( h . DiagCode = 0x8000 → h . DiagCode ′ = 0 DiagCode =0x8000 ∨ h . DiagCode ′ = 0xC001 ) ∧ ( h . DiagCode = 0xC001 → h . DiagCode ′ = 0 ∨ h . DiagCode ′ = 0xC001 ) “Error” DiagCode =0xC001 ◮ Add to encoding of each call of ReqHandler 12 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  54. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  55. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  56. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  57. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  58. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  59. Introduction CHC-based Verification Conclusion Experiments Benchmarks ◮ Two groups of PLC programs from PLCopen Safety library • elementary modules implementing safety concepts (23 specs) • user examples composed of elementary ones (17 specs) ◮ Elementary modules exhibit mode-semantics via DiagCode ◮ We check invariants taken or derived from PLCopen ◮ CHC-solving via Z3’s Property Directed Reachability (PDR) 13 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  60. Introduction CHC-based Verification Conclusion Experiments Results 10 3 PDR + Mode Abstraction 10 2 10 1 10 0 10 0 10 1 10 2 10 3 PDR Figure: Time [s] spent on verification of each task 14 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  61. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  62. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  63. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  64. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  65. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  66. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  67. Introduction CHC-based Verification Conclusion Concluding Remarks Summary ◮ Logic control applications exhibit mode-semantics ◮ Mode-space contains global information ◮ Approximate mode-abstraction possible via VSA ◮ CHCs enable • compositional characterisation and reasoning • uniform characterisation of program, spec & abstraction ◮ Experiments suggest that • mode-abstraction may help significantly • overall, mode-abstraction overhead is negligble 15 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  68. Appendix References Related Work Related Tools & Techniques Mode-Abstraction: ◮ Predicate abstraction [GS97] ◮ Abstract-domain selection based on variable usage [Ape+13] Recent years: ◮ Decoupling Language Details from Verifier Implementations ◮ Modular structure & off-the-shelf components Intermediate Verification Language: ◮ B OOGIE [Lei08] • used by SMACK [RE14] • checked by C ORRAL [LQL12] ◮ Constrained Horn Clauses (CHCs) [Bjø+15] • used by S EA H ORN [Gur+15] • checked by S PACER [KGC14] or Z3 [MB08] 16 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  69. Appendix References Typical Logic Control Applications PLCopen Safety Application SF_Equivalent SF_EmergencyStop InputDevice1_active Activate Ready Activate Ready S1_S_EStopIn_1 S_ChannelA S_EquivalentOut S_EStopIn S_EStopOut S_EStopOut Error_EStop1 S1_S_EStopIn_2 S_ChannelB Error Error_Equiv1 FALSE S_StartReset Error S_DiscrepancyTime DiagCode Diag_Equiv1 DiagCode Diag_EStop1 T#10ms FALSE S_AutoReset S0_Reset Reset SF_ESPE AND InputDevice2_active Activate Ready S2_S_ESPE_In S_ESPE_In S_ESPE_Out FALSE S_StartReset Error Error_ESPE1 DiagCode Diag_ESPE1 FALSE S_AutoReset S0_Reset Reset SF_SafeStop1 Ready Activate AND S_StopIn S_Stopped S_Stopped S_EStopOut AxisID_1 AxisID Error Error_SafeStop1 T#100ms MonitoringTime DiagCode Diag_SafeStop1 S3_Drive_Reset Reset Single Cycle 17 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  70. Appendix References Typical Logic Control Applications Typical Block Specification !Activate Idle 0 DiagCode=0 1 Ready=FALSE Activate Ready=TRUE !S_ChannelNC 1 & S_ChannelNO !S_ChannelNC Init Error 3 1 DiagCode=0x8001 DiagCode=0xC003 S_ChannelNC & S_ChannelNO !S_ChannelNC 3 !S_ChannelNC & S_ChannelNO & S_ChannelNO e 2 m S_ChannelNO i T y d c e s n !S_ChannelNO a p p a e l & !S_ChannelNC r e c s 1 i 2 D 2 2 1 O C N & N O l l Error 1/2 C N e From Active l e N n Wait for NO Wait for NC e n l n DiagCode=0xC001 n n Wait e a n a DiagCode=0x8004 DiagCode=0x8014 n h a h | DiagCode=0xC002 n C DiagCode=0x8005 h C _ a _ C S h S _ C ! 1 1 _ S & S ! 3 3 DiscrepancyTime DiscrepancyTime S_ChannelNC elapsed elapsed S_AntivalentOut=FALSE S_AntivalentOut=TRUE 2 !S_ChannelNC | S_ChannelNO Safety Output !S_ChannelNO Enabled 1 DiagCode=0x8000 18 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  71. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  72. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  73. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  74. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  75. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  76. Appendix References Encoding Details Intuition for Logical Characterisation ◮ Reason about program semantics by leveraging Satisfiability Modulo Theories (SMT) solving ⇒ Characterise semantics via first order logic formulae Condition Formula over the program’s variables � x > y + 1 � = x > y + 1 Statement Formula over pre- & post variables instances � x ′ = y + 1 � � y ′ = y � � x := y + 1 � = ∧ Procedure Predicate over pre- & post variables instances � � � x ≥ 0 → x ′ = x � � x < 0 → x ′ = − x � abs( x, x ′ ) = ∨ Unclear Characterisation of procedures with loops 19 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  77. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  78. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  79. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  80. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  81. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  82. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

  83. Appendix References Encoding Details Encoding the Running Example Variables instances: ◮ � X = ( req , in , m, h . data , h . DiagCode , h . res , out ) � req ′ , in ′ , m ′ , h . data ′ , h . DiagCode ′ , h . res ′ , out ′ � X ′ = ◮ � Reachability facts & rules: 0 req && !m !(req && !m) ◮ Initial configuration reachable 1 4 init ( � X ) → p Main (0 , � X, 0 , � X ) h.data:=in ReqHandler( 2 ReqHandler( h.data, ◮ Transitive reachability h.data, h.DiagCode, h.DiagCode, h.res p Main ( l, � X, 1 , � X ′ ) h.res ) ) ∧ h . data ′′ = in ′ ∧ id ( X ′ \ � h . data ′ � 5 3 ) out:=h.res out:=h.res 6 → p Main ( l, � X, 2 , � X ′′ ) m:=req 7 20 / 15 Compositional Verification of PLC Software using CHCs and Mode Abstraction D. Bohlender | S. Kowalewski

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification

Viktor Vafeiadis Software Analysis &amp; Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Deduction at Scale 2011 Schlo

662 views • 26 slides
Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification

Horn Binary Serialization Analysis HCVS 2016 3rd Workshop on Horn Clauses for Verification and Synthesis Gabriele Paganelli https://gapag.noblogs.org/ gapag@distruzione.org Length Type Data CRC 0 3 4 7 8 N N+1 N+4 Type

502 views • 33 slides
Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory

Compositional Software Model Checking Dan R. Ghica Oxford University Computing Laboratory October 18, 2002 Outline of talk program verification issues the semantic challenge programming languages the logical challenge

854 views • 38 slides
COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction) Mykola (Nikolaj) S. Nikitchenko Taras Shevchenko National University of Kyiv Linz, JKU, November 08-19, 2012 1 Contents Introduction

783 views • 40 slides
About the Course Software Testing &amp; Verification Course Software Testing &amp; Verification

About the Course Software Testing &amp; Verification Course Software Testing &amp; Verification

About the Course Software Testing &amp; Verification Course Software Testing &amp; Verification 2019/20 Wishnu Prasetya &amp; Gabriele Keller Why do we care? 1. Because we want to deliver quality products! 2. Because poor quality, including

493 views • 16 slides
Theoretical Foundations of the UML Lecture 5+6: Compositional Message Sequence Graphs

Theoretical Foundations of the UML Lecture 5+6: Compositional Message Sequence Graphs

Theoretical Foundations of the UML Lecture 5+6: Compositional Message Sequence Graphs Joost-Pieter Katoen Lehrstuhl fr Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ss-20/fuml/ May 4, 2020 Joost-Pieter

1.24k views • 59 slides
0 Lecture 5+6: Compositional Message Sequence Graphs Joost-Pieter Katoen Lehrstuhl fr

0 Lecture 5+6: Compositional Message Sequence Graphs Joost-Pieter Katoen Lehrstuhl fr

Theoretical Foundations of the UML 0 Lecture 5+6: Compositional Message Sequence Graphs Joost-Pieter Katoen Lehrstuhl fr Informatik 2 Software Modeling and Verification Group moves.rwth-aachen.de/teaching/ss-20/fuml/ May 4, 2020 Be BEE

901 views • 52 slides
Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) Local State Space Construction for Compositional

1.12k views • 50 slides
Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Formal Methods for Components and Objects

270 views • 25 slides
Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem Penninckx, Bart Jacobs, Frank Piessens Department of Computer Science, KU Leuven, Belgium DRADS 2014 Table of Contents Introduction Requirements

660 views • 45 slides
Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann , Oliver Schwarz , Mads Dam KTH Royal Institute of Technology, Stockholm, Sweden RISE.SICS, Kista, Sweden cbaumann@kth.se

903 views • 65 slides
Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Overview Definitions Algorithm References Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017 Karsten Fix Learning minimal separating DFA for Compositional Verification Overview Definitions

525 views • 35 slides
Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion - Israel Institute of Technology March 21, 2011 Standard Aspect Model Pointcuts determine the places where aspects should be woven. Aspect

464 views • 20 slides
Removing Unnecessary Variables from Horn Clause Verification Conditions E. De Angelis (1), F.

Removing Unnecessary Variables from Horn Clause Verification Conditions E. De Angelis (1), F.

Removing Unnecessary Variables from Horn Clause Verification Conditions E. De Angelis (1), F. Fioravanti (1) A. Pettorossi (2), M. Proietti (3) (1) DEC, University G. dAnnunzio of Chieti-Pescara, Italy (2) DICII, University of Rome

591 views • 21 slides
Constrained Horn Clauses as a Basis of Automatic Program Verification: The Higher-order Case

Constrained Horn Clauses as a Basis of Automatic Program Verification: The Higher-order Case

Constrained Horn Clauses as a Basis of Automatic Program Verification: The Higher-order Case Luke Ong (Joint with Toby Cathcart Burn and Steven Ramsay) University of Oxford IFIP WG2.2 Meeting, 18-20 September 2017, Bordeaux Luke Ong

1.08k views • 41 slides
Prt s r st

Prt s r st

Prt s r st s t t r r r sttt r rt

442 views • 41 slides
when fourier siirvs: fourier-based testing for families of distributions Clment Canonne 1 ,

when fourier siirvs: fourier-based testing for families of distributions Clment Canonne 1 ,

when fourier siirvs: fourier-based testing for families of distributions Clment Canonne 1 , Ilias Diakonikolas, 2 and Alistair Stewart 2 March 19, 2018 Stanford University 1 and University of Southern California 2 background, context, and

1.24k views • 102 slides
Ad hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport Holger Karl

Ad hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport Holger Karl

Ad hoc and Sensor Networks Chapter 13a: Protocols for dependable data transport Holger Karl Computer Networks Group Universitt Paderborn Overview Dependability requirements Delivering single packets Delivering blocks of packets

816 views • 44 slides
1 &amp; 2 Samuel Series Lesson #081 January 24, 2017 Dean Bible Ministries

1 &amp; 2 Samuel Series Lesson #081 January 24, 2017 Dean Bible Ministries

1 &amp; 2 Samuel Series Lesson #081 January 24, 2017 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. F AITH C ONQUERS F EAR 1 Samuel 21:1015; Psalm 56:513 Psa. 56:4, In God (I will praise His word), in God I

513 views • 26 slides
Tolerance induc-on combining T-cell deple-on and pos4ransplant

Tolerance induc-on combining T-cell deple-on and pos4ransplant

Tolerance induc-on combining T-cell deple-on and pos4ransplant cyclophosphamide in non-abla-ve haploiden-cal HSCT Franco Aversa University of Parma 1st CUNEO

365 views • 20 slides
The Session Initiation Protocol (SIP) Common Log Format (CLF) n Joint work with ... Tricha

The Session Initiation Protocol (SIP) Common Log Format (CLF) n Joint work with ... Tricha

Vijay K. Gurbani &lt;vkg@bell-labs.com&gt; Computer Systems and Security Research Bell Laboratories/Alcatel-Lucent Oct. 03, 2010 The Session Initiation Protocol (SIP) Common Log Format (CLF) n Joint work with ... Tricha Anjali

684 views • 25 slides
The Session Initiation Protocol (SIP) Stack: A look under the hood of VoIP Vijay K. Gurbani,

The Session Initiation Protocol (SIP) Stack: A look under the hood of VoIP Vijay K. Gurbani,

This is a placeholder image only. Please select an image to reflect the content of your PPT presentation. Visit our approved corporate photography collection on the MarCom Store at: https://all.alcatel-lucent.com/marcomstore/ UAC Transaction

629 views • 28 slides
GUT &amp; leptogenesis a predictive class of models Michele Frigerio (IFAE, UAB, Barcelona)

GUT &amp; leptogenesis a predictive class of models Michele Frigerio (IFAE, UAB, Barcelona)

GUT &amp; leptogenesis a predictive class of models Michele Frigerio (IFAE, UAB, Barcelona) MF, P.Hosteins, S.Lavignac and A.Romanino, NPB 806 (2009) 84 L.Calibbi, MF, S.Lavignac and A.Romanino, JHEP 0912 (2009) 057 Galileo Galilei

985 views • 64 slides

More recommend