
Focus of the Course Overview of the Course Semantics and - PowerPoint PPT Presentation



Semantics and Verification 2005
  Lecture 1, Semantics and Verification 2005 (slide 1 of 28)
  Lecturer: Jiri Srba, B2-203, srba@cs.aau.dk
  Assistant: Bjørn Haagensen, B2-205, bh@cs.aau.dk

Focus of the Course
  - Study of mathematical models for the formal description and analysis of programs.
  - Particular focus on parallel and reactive systems.
  - Verification tools and the implementation techniques underlying them.

Overview of the Course
  - Transition systems and CCS.
  - Strong and weak bisimilarity, bisimulation games.
  - Hennessy-Milner logic and bisimulation.
  - Tarski's fixed-point theorem.
  - Hennessy-Milner logic with recursively defined formulae.
  - Timed automata and their semantics.
  - Binary decision diagrams and their use in verification.
  - Two mini projects.

Mini Projects
  - Verification of a communication protocol in CWB.
  - Verification of an algorithm for mutual exclusion in UPPAAL.
  - Pensum dispensation.

Lectures
  - Two guest lectures (G. Behrmann, K. G. Larsen).
  - Ask questions.
  - Take your own notes.
  - Read the recommended literature as soon as possible after the lecture.

Tutorials
  - Regularly before each lecture.
  - Supervised peer learning.
  - Two classrooms, work in groups of 2 or 3 people.
  - Print out the exercise list, bring literature and your notes.
  - Feedback from the teaching assistant on your request.
  - Star exercises (*) (part of the exam).

Exam
  - Individual and oral.
  - Preparation time (star exercises).
  - Pensum dispensation.

Literature
  - On-line literature.
  - Compendiums (2004 + 2005, 141 kr).
  - Best Reader Competition with award!

Hints
  - Check the course web-page regularly.
  - Anonymous feedback form on the course web-page.
  - Attend and actively participate during tutorials.
  - Take your own notes.

Aims of the Course
  Present a general theory of reactive systems and its applications:
  - Design.
  - Specification.
  - Verification (possibly automatic and compositional).
  1. Give the students practice in modelling parallel systems in a formal framework.
  2. Give the students skills in analyzing behaviours of reactive systems.
  3. Introduce algorithms and tools based on the modelling formalisms.

Classical View
  Characterization of a Classical Program
  - A program transforms an input into an output.
  - Denotational semantics: the meaning of a program is a partial function states ⇀ states.
  - Nontermination is bad!
  - In case of termination, the result is unique.
  Is this all we need?

Reactive Systems
  What about:
  - Operating systems?
  - Communication protocols?
  - Control programs?
  - Mobile phones?
  - Vending machines?

Reactive Systems
  Characterization of a Reactive System
  - A reactive system is a system that computes by reacting to stimuli from its environment.
  - Key issues: communication and interaction; parallelism.
  - Nontermination is good!
  - The result (if any) does not have to be unique.

Analysis of Reactive Systems
  Questions
  - How can we develop (design) a system that "works"?
  - How do we analyze (verify) such a system?
  Fact of Life
  - Even short parallel programs may be hard to analyze.

The Need for a Theory
  Conclusion: we need formal/systematic methods (tools), otherwise ...
  - Intel's Pentium-II bug in the floating-point division unit
  - Ariane-5 crash due to a conversion of a 64-bit real to a 16-bit integer
  - Mars Pathfinder

Classical vs. Reactive Computing
                    Classical         Reactive/Parallel
  interaction       no                yes
  nontermination    undesirable       often desirable
  unique result     yes               no
  semantics         states ⇀ states   ?

How to Model Reactive Systems
  Question: What is the most abstract view of a reactive system (process)?
  Answer: A process performs an action and becomes another process.

Labelled Transition System
  Definition
  A labelled transition system (LTS) is a triple (Proc, Act, {--a--> | a ∈ Act}) where
  - Proc is a set of states (or processes),
  - Act is a set of labels (or actions), and
  - for every a ∈ Act, --a--> ⊆ Proc × Proc is a binary relation on states called the transition relation.
  We will use the infix notation s --a--> s', meaning that (s, s') ∈ --a-->.
  Sometimes we distinguish the initial (or start) state.

Sequencing, Nondeterminism and Parallelism
  An LTS explicitly focuses on interaction. An LTS can also describe:
  - sequencing (a ; b)
  - choice (nondeterminism) (a + b)
  - a limited notion of parallelism, by using interleaving (a || b)

Binary Relations
  Definition
  A binary relation R on a set A is a subset of A × A, i.e. R ⊆ A × A.
  Sometimes we write x R y instead of (x, y) ∈ R.
  Properties
  - R is reflexive if (x, x) ∈ R for all x ∈ A.
  - R is symmetric if (x, y) ∈ R implies (y, x) ∈ R for all x, y ∈ A.
  - R is transitive if (x, y) ∈ R and (y, z) ∈ R imply (x, z) ∈ R for all x, y, z ∈ A.

Closures
  Let R, R' and R'' be binary relations on a set A.
  Reflexive Closure
  R' is the reflexive closure of R if and only if
  1. R ⊆ R',
  2. R' is reflexive, and
  3. R' is the smallest relation that satisfies the two conditions above, i.e., for any relation R'': if R ⊆ R'' and R'' is reflexive, then R' ⊆ R''.

Closures
  Let R, R' and R'' be binary relations on a set A.
  Symmetric Closure
  R' is the symmetric closure of R if and only if
  1. R ⊆ R',
  2. R' is symmetric, and
  3. R' is the smallest relation that satisfies the two conditions above, i.e., for any relation R'': if R ⊆ R'' and R'' is symmetric, then R' ⊆ R''.

Closures
  Let R, R' and R'' be binary relations on a set A.
  Transitive Closure
  R' is the transitive closure of R if and only if
  1. R ⊆ R',
  2. R' is transitive, and
  3. R' is the smallest relation that satisfies the two conditions above, i.e., for any relation R'': if R ⊆ R'' and R'' is transitive, then R' ⊆ R''.

Labelled Transition Systems - Notation
  Let (Proc, Act, {--a--> | a ∈ Act}) be an LTS.
  - We extend --a--> to the elements of Act* (sequences of actions).
  - --> = ∪_{a ∈ Act} --a-->
  - -->* is the reflexive and transitive closure of -->.
  - s --a--> (s can perform a, i.e. s --a--> s' for some s') and s -a/-> (s cannot perform a).
  - Reachable states.
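The closure definitions and the notation for reachability, worked through in code. This is an added example, not part of the slides; the drinks-machine LTS (states, actions and transitions) is constructed for illustration, and `is_transitive` is a helper added to check the closure against its definition.

```python
# Added example (not from the slides): binary relations as sets of pairs, the
# three closures, and reachable states of a constructed LTS.

def reflexive_closure(R, A):
    # Smallest R' with R ⊆ R' that contains (x, x) for every x in A.
    return set(R) | {(x, x) for x in A}

def symmetric_closure(R):
    # Smallest R' with R ⊆ R' that is closed under swapping pairs.
    return set(R) | {(y, x) for (x, y) in R}

def transitive_closure(R):
    # Add (x, z) whenever (x, y) and (y, z) are present until nothing new
    # appears; the result contains R, is transitive and is the least such.
    closure = set(R)
    while True:
        new = {(x, z) for (x, y) in closure for (y2, z) in closure if y == y2}
        if new <= closure:
            return closure
        closure |= new

def is_transitive(R):
    return all((x, z) in R for (x, y) in R for (y2, z) in R if y == y2)

# Constructed LTS (Proc, Act, {-a-> | a in Act}): a drinks machine with an
# extra "broken" state that can reach "idle" but is reached by nothing.
PROC = {"idle", "paid", "busy", "broken"}
ACT = {"coin", "coffee", "tea", "done"}
TRANS = {  # one relation -a-> ⊆ Proc x Proc per action a
    "coin": {("idle", "paid")},
    "coffee": {("paid", "busy")},
    "tea": {("paid", "busy")},
    "done": {("busy", "idle"), ("broken", "idle")},
}

def step_relation(trans):
    # --> is the union over all a in Act of -a->
    return set().union(*trans.values())

def reachable(trans, s, procs):
    # -->* is the reflexive and transitive closure of -->; the states reachable
    # from s are exactly those s' with s -->* s'.
    star = reflexive_closure(transitive_closure(step_relation(trans)), procs)
    return {t for (x, t) in star if x == s}

def can_perform(trans, s, a):
    # s -a-> holds iff some s' exists with s -a-> s'; otherwise s -a/->
    return any(x == s for (x, _) in trans.get(a, set()))
```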

How to Describe LTS?
  - Semantics: unknown entity --> known entity, describing what (denotational) or how (operational) it computes.
  - programming language --> Labelled Transition Systems
  - ??? --> Labelled Transition Systems (CCS)

Calculus of Communicating Systems
  - Process algebra called "Calculus of Communicating Systems".
  - Insight of Robin Milner (1989): concurrent (parallel) processes have an algebraic structure.
  - P1 op P2 ⇒ P1 op P2 (combining two processes with an operator op yields a process again).

Process Algebra
  Basic Principle
  1. Define a few atomic processes (modelling the simplest process behaviour).
  2. Define compositionally new operations (building more complex process behaviour from simple ones).
  Example
  1. atomic instruction: assignment (e.g. x:=2 and x:=x+2)
  2. new operators:
     - sequential composition (P1 ; P2)
     - parallel composition (P1 || P2)
  Now e.g. (x:=1 || x:=2); x:=x+2; (x:=x-1 || x:=x+5) is a process.

CCS Basics (Sequential Fragment)
  - Nil (or 0) process (the only atomic process)
  - action prefixing (a.P)
  - names and recursive definitions (def=)
  - nondeterministic choice (+)
  This is Enough to Describe Sequential Processes
  Any finite LTS can be (up to isomorphism) described by using the operations above.
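The sequential fragment above, turned into an executable definition: terms built from Nil, prefixing, choice and names, the transition rules that give each term its moves, and a small explorer that builds the LTS of a term. This is an added example, not code from the slides; the definition CM def= coin.(coffee.CM + tea.CM) is constructed, and definitions are assumed guarded (each name unfolds to a prefix) so unfolding terminates.

```python
# Added example (not from the slides): sequential CCS (Nil, prefixing, choice,
# recursive definitions), its transition rules, and an explorer building the LTS.
from dataclasses import dataclass

@dataclass(frozen=True)
class Nil:                              # the 0 process
    def __str__(self): return "0"
@dataclass(frozen=True)
class Prefix:                           # a.P
    action: str
    cont: object
    def __str__(self): return f"{self.action}.{self.cont}"
@dataclass(frozen=True)
class Choice:                           # P + Q
    left: object
    right: object
    def __str__(self): return f"({self.left} + {self.right})"
@dataclass(frozen=True)
class Name:                             # K, where K def= P is given in defs
    name: str
    def __str__(self): return self.name

def transitions(term, defs):
    """All (a, P') with term -a-> P'; definitions are assumed guarded."""
    if isinstance(term, Nil):                          # 0 has no transitions
        return set()
    if isinstance(term, Prefix):                       # a.P -a-> P
        return {(term.action, term.cont)}
    if isinstance(term, Choice):                       # P+Q moves as P or as Q
        return transitions(term.left, defs) | transitions(term.right, defs)
    if isinstance(term, Name):                         # K -a-> P' if P -a-> P'
        return transitions(defs[term.name], defs)
    raise TypeError(f"not a CCS term: {term!r}")

def build_lts(start, defs):
    """Explore terms reachable from start; returns (states, {(s, a, s')})."""
    states, edges, todo = set(), set(), [start]
    while todo:
        p = todo.pop()
        if str(p) in states:
            continue
        states.add(str(p))
        for a, q in transitions(p, defs):
            edges.add((str(p), a, str(q)))
            todo.append(q)
    return states, edges

# Constructed definition: CM def= coin.(coffee.CM + tea.CM)
DEFS = {"CM": Prefix("coin", Choice(Prefix("coffee", Name("CM")),
                                    Prefix("tea", Name("CM"))))}
```

Running `build_lts(Name("CM"), DEFS)` yields the two-state LTS of the machine, which is the direction (term to LTS) behind the claim that these operations describe any finite LTS up to isomorphism.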
