formal software design with alloy and electrum overview - - PowerPoint PPT Presentation

▶

Oct 30, 2022 323 likes •656 views

Julien Brunel, David Chemouil, Alcino Cunha, Eunsuk Kang, Nuno Macedo formal software design with alloy and electrum overview Universidade do Minho & INESC TEC ONERA DTIS & Universit fdrale de Toulouse Carnegie Mellon University

SLIDE 1

Julien Brunel, David Chemouil, Alcino Cunha, Eunsuk Kang, Nuno Macedo

formal software design with alloy and electrum

verview

Universidade do Minho & INESC TEC ONERA DTIS & Université fédérale de Toulouse Carnegie Mellon University 3rd World Congress on Formal Methods, Porto, Portugal, October 2019

SLIDE 2

introduction

SLIDE 3

formal software design with alloy and electrum / introduction 3 / 31

formal software design

A sofware design is a high-level abstraction of a desired system A programming language is not adequate for analyzing and exploring designs The language of mathematics, logic, is a much better alternative Leslie Lamport “If you’re not writing a program, don’t use a programming language”

SLIDE 4

formal software design with alloy and electrum / introduction 4 / 31

typical analyses

Elicit requirements or structural constraints over a design Simulate a design to understand it Check consistency of requirements Check that some structural, invariant or temporal properties hold Alloy and Electrum Alloy is great for the structural aspects, but has limitations for behavioral design Electrum extends Alloy to overcome some of these limitations

SLIDE 5

examples

SLIDE 6

formal software design with alloy and electrum / examples 6 / 31

distributed social network

Explore design alternatives What distributed data model and replication strategy to use?

SLIDE 7

formal software design with alloy and electrum / examples 7 / 31

leader election in a ring

Verify the correctness of the protocol: One leader will be elected

SLIDE 8

formal software design with alloy and electrum / examples 8 / 31

hybrid ertms/etcs level 3

Verify the design of a railway traffic management system: Assigned movement authorities are safe

SLIDE 9

formal software design with alloy and electrum / examples 9 / 31

chord distributed hash-table

Explore variants of the protocol and verify correctness: If joins and failures cease, the network will eventually become a ring

SLIDE 10

an overview with the trash example

SLIDE 11

formal software design with alloy and electrum / an overview with the trash example 11 / 31

trash

Design a trash such that: A deleted file can still be restored if the trash is not emptied

SLIDE 12

formal software design with alloy and electrum / an overview with the trash example 12 / 31

tasks

Design the structure and behavior (operations) Validate this design by simulation Elicit and verify expected properties

SLIDE 13

formal software design with alloy and electrum / an overview with the trash example 13 / 31

transition systems

SLIDE 14

formal software design with alloy and electrum / an overview with the trash example 14 / 31

from transition systems to sets of traces

Electrum Linear model of time: sets of infinite traces (a.k.a instances) Intentional specification: formulas

SLIDE 15

formal software design with alloy and electrum / an overview with the trash example 15 / 31

state

A state is an assignment of values to variables In abstract design, it is useful to rely on standard mathematical structures Alloy and Electrum Values are sets and relations Inhabited by (tuples of) uninterpreted atoms

SLIDE 16

formal software design with alloy and electrum / an overview with the trash example 16 / 31

trash state

var sig File {} var sig Trash in File {}

SLIDE 17

formal software design with alloy and electrum / an overview with the trash example 17 / 31

a pattern for behavior formulas

fact init { ... } fact transitions { always (event1 or event2 or ...) }

The specification of every event typically involves:

◮ Guard - a state formula that checks if the event can occur ◮ Effect - a formula with primes specifying how some state variables change ◮ Frame - a formula with primes stating what does not change

SLIDE 18

formal software design with alloy and electrum / an overview with the trash example 18 / 31

trash behavior

fact init { no Trash } fact transitions { always ( // delete file (some f: File | f not in Trash and Trash' = Trash + f and File' = File) or // restore file ... or // empty trash ... ) }

SLIDE 19

formal software design with alloy and electrum / an overview with the trash example 19 / 31

trash behavior refactored

pred delete[f : File] { f not in Trash Trash' = Trash + f File' = File } pred restore[f : File] { ... } pred empty { ... } fact init { no Trash } fact transitions { always ( (some f: File | delete[f] or restore[f]) or empty ) }

SLIDE 20

formal software design with alloy and electrum / an overview with the trash example 20 / 31

simulation

Models include analysis commands A run command asks for an instance (checking the consistency of the facts) Further instances can be obtained by an interactive exploration mode akin to simulation All commands have a scope that bounds the size of the signatures The default is 3, but can be changed with the for keyword

SLIDE 21

formal software design with alloy and electrum / an overview with the trash example 21 / 31

SLIDE 22

formal software design with alloy and electrum / an overview with the trash example 22 / 31

trash behavior fixed

pred delete[f : File] { ... } pred restore[f : File] { ... } pred empty { ... } pred do_nothing { Trash' = Trash File' = File } fact init { no Trash } fact transitions { always ( (some f: File | delete[f] or restore[f]) or empty or do_nothing ) }

SLIDE 23

formal software design with alloy and electrum / an overview with the trash example 23 / 31

assertions

In Electrum, the same first order temporal logic is used for

◮ modeling ◮ specification of expected properties – assertions

The latter can be enclosed in named assert paragraphs

SLIDE 24

formal software design with alloy and electrum / an overview with the trash example 24 / 31

example assertions

assert restoreAfterDelete {

- Every restored file was once deleted

always (all f : File | restore[f] implies once delete[f]) } assert deleteAll {

- If the trash contains all files and is emptied
- then no files will ever exist afterwards

always ((File in Trash and empty) implies always no File) }

SLIDE 25

formal software design with alloy and electrum / an overview with the trash example 25 / 31

verification

check commands are used to verify assertions

The verification is fully automatic, but limited to the specified scope The set of counter-examples can also be explored like instances

SLIDE 26

formal software design with alloy and electrum / an overview with the trash example 26 / 31

SLIDE 27

formal software design with alloy and electrum / an overview with the trash example 27 / 31

fixed assertion

assert deleteAll {

- If the trash contains all files and is emptied
- then no files will ever exist afterwards

always ((File in Trash and empty) implies after (always no File)) }

SLIDE 28

utline

SLIDE 29

formal software design with alloy and electrum / outline 29 / 31

utline of the tutorial

Session Time Topic 1 9:00 Overview 10:00 Coffee break 2 10:30 Relational logic 3 11:30 Analysis 12:30 Lunch 4 14:00 Temporal logic 15:30 Coffee break 5 16:00 Methodology and tips 6 17:00 Alloy4Fun

SLIDE 30

formal software design with alloy and electrum / outline 30 / 31

useful info, download links, exercises

https://haslab.github.io/TRUST/tutorial.html

SLIDE 31

formal software design with alloy and electrum / outline 31 / 31