teaching transition systems
play

Teaching Transition Systems and Formal Specifications with TLA + - PowerPoint PPT Presentation

Jul 09, 2023 •399 likes •606 views

Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu Philippe Mauran einnec Xavier Thirioux Universit e de Toulouse, France Institut de Recherche en Informatique de Toulouse { mauran,queinnec,thirioux } @enseeiht.fr

  1. Teaching Transition Systems and Formal Specifications with TLA + Philippe Qu´ Philippe Mauran einnec Xavier Thirioux Universit´ e de Toulouse, France Institut de Recherche en Informatique de Toulouse { mauran,queinnec,thirioux } @enseeiht.fr August 27, 2012 .

  2. Context and Objectives Course Contents Feedback Outline 1 Context and Objectives 2 Course Contents Transition Systems Formal Specifications 3 Feedback General Feedback Tools Comparison and Limitations 2 / 19

  3. Context and Objectives Course Contents Feedback Academic Context INPT/ENSEEIHT 2nd and 3rd years of a French engineer school Equivalent to a European master’s degree Somewhat like a American master’s degree Students’ background Rather strict selection of students (selective admission) Correct mathematics bases (functions, set operations, elementary logic) Mandatory courses Two diploma Computer science and applied mathematics (80 students, since 2005) Computer science and networking (15 students, since 2010). 3 / 19

  4. Context and Objectives Course Contents Feedback Research Context All members of the teaching unit belong to IRIT/ACADIE team Focus: methods and tools to verify and certify distributed embedded critical systems. Domain-specific modeling, proven transformation Synchronous and asynchronous modeling and verification Distributed Real-time Embedded systems Tools: Coq, TLA + , Petri nets, AADL. . . 4 / 19

  5. Context and Objectives Course Contents Feedback Objectives Primary objective Introduction to formal methods: formal specification, formal development, formal verification Secondary objectives Make it practicable Experiment We teach formal methods rather than TLA + , just as we teach object oriented design rather than Java, or operating systems rather than Unix. 5 / 19

  6. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback Outline 1 Context and Objectives 2 Course Contents Transition Systems Formal Specifications 3 Feedback General Feedback Tools Comparison and Limitations 6 / 19

  7. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback Transition Systems Contents Specification, modeling, and validation of systems, especially concurrent and distributed systems. State transition systems Temporal logics: LTL, CTL Verification methods: model checking, axiomatic proofs Emphasis on modeling and refinement rather than proofs. 7 / 19

  8. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback Organization 15 lessons of 1h45: 9 lectures with exercises, and 6 assisted labs. 1 Transition systems (1 lecture) 2 TLA + expressions and actions (2 lectures, 2 labs) 3 Fairness (1 lecture) 4 LTL logic, CTL logic, properties (2 lectures, 1 lab) 5 Modeling and verification of concurrent and distributed algorithms (3 lectures, 3 labs) Note: we start purely formal (e.g. TS = � S , R ⊆ S × S � , traces. . . ) before going more concrete (e.g. symbolic representation with variables, executions). 8 / 19

  9. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback Formal Specifications Contents Labeled transition systems with observable and unobservable events Simulation and bisimulation relations Mainly with CCS (Calculus of Communicating Systems) Formal refinement in open systems 9 / 19

  10. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback In-House Framework to Verify Refinement Module-like code with game semantics A client’s action chooses which procedure to invoke and the value of its input parameter. The client must comply with the procedure precondition . Then the module’s action realizes the procedure by changing its internal state and setting the output value. Game semantics: alternation between an arbitrary client’s action and a corresponding module’s action. Win: Finite game: the client has no possible move or infinite game (the module always answers to the client) 10 / 19

  11. Context and Objectives Transition Systems Course Contents Formal Specifications Feedback Refinement verification Refinement Another (more concrete) client/module TLA + implementation which must ensure: The client’s actions are less constraining: the abstract client’s actions simulate the concrete client’s actions; Conversely, the concrete module’s actions simulate the abstract module’s actions. 11 / 19

  12. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Outline 1 Context and Objectives 2 Course Contents Transition Systems Formal Specifications 3 Feedback General Feedback Tools Comparison and Limitations 12 / 19

  13. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations General Feedback (Transition Systems) Fairness is difficult Major stumbling block Easier by introducing trace semantics and temporal logics (LTL, CTL): fairness is a trace filter Fairness on named actions ends being understood, fairness on an arbitrary transition predicate is never understood Non-determinism is difficult x ′ ∈ S : “who chooses the value?”, “how is it chosen?” It helps that TLA + actions are predicates. LTL/CTL LTL is easy and rather intuitive, CTL is not. 13 / 19

  14. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations General Feedback (TLA + approach) Proofs + Axiomatic proofs are manageable with regard to invariants. − Liveness formal proofs are too complex. ⇒ an automatic verifier helps a lot. Checked properties and specification The difference between checked properties (i.e. invariants, leadsto) and module specification (i.e. actions) is not clear: students want the checked properties to behave like constraints on the module (especially the usual TypeInvariant ). The term specification used in TLA + doesn’t help: students are used to a dichotomy specification = expected properties / implementation = realization. 14 / 19

  15. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Tools TLC Historically, only TLC is used. + An essential tool for students to experiment + Its trace is sufficient to deal with the invalidation of a safety property. Giving the shortest invalid trace helps a lot. ∼ ok but less easy for the invalidation of a liveness property. Unfortunately not always the shortest prefix or shortest cycle. ∼ Slow − Initially, students use TLC as a debugger: quickly write something, run TLC, patch, restart, and so on. − Some students are never completely autonomous 15 / 19

  16. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Other Tools Other TLA + tools TLA + Toolbox: experiment is planned for 2012 Better integration between source code, errors and trace TLA + Proof System: not planned Another course teaches checking and assisted proof environments (notably Coq and Why) PlusCal: out of scope Our goal is to teach transition systems and formal specification. A missing tool: a type checker A basic type checker would help with regard to typos or minor errors (extension of tlasany ?): Hasty cut-and-paste with wrong variable name Wrong operator (e.g. ∈ instead of ⊆ ) 16 / 19

  17. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Comparison Other attempts were done with: Unity (Chandy & Misra): description language ok, unfortunately no tools (small in-house tool to check safety properties via weakest precondition computation) Promela: Spin is really fast but Promela is a too low level modeling language (no set or sequence) B method: somewhat complex, Atelier B hard to master, buggy (at the time) Petri nets: highly specialized 17 / 19

  18. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Limitations Only small models and simple algorithms are studied. (e.g. distributed mutual exclusion, Dijkstra’s self-stabilizing algorithm) Small state space models. An experiment with a long lasting homework has failed: students are not autonomous enough to follow a rigorous methodology (each step must be given) + stopping blocks with some TLC errors. Lack of industrial case studies: to our knowledge, none of our graduates has ever used TLA + for his job (excluding academics). However formal specifications and formal approaches are used in critical domains (e.g. avionics, satellites). 18 / 19

  19. Context and Objectives General Feedback Course Contents Tools Feedback Comparison and Limitations Conclusion By first teaching transition systems and transition predicates, TLA + is correctly seen as a specification language, not a programming one. The theory of transition systems offers a pure and simple formal description, while TLA + offers an expressive language to describe these systems. Basic TLA + is simple enough to be quickly understood (actions, sets and functions): its standard mathematical notation helps. Complex notions (e.g. fairness, non-determinism) are expressible and accessible. Tools (TLC) are essential to our success. ⇒ TLA + is a definite help in teaching formal methods. 19 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

JOIN THE TEAM YOUR TRANSITION M L A INTO TEACHING E E T G E E H & T U N N I

JOIN THE TEAM YOUR TRANSITION M L A INTO TEACHING E E T G E E H & T U N N I

R I W E C O L JOIN THE TEAM YOUR TRANSITION M L A INTO TEACHING E E T G E E H & T U N N I O I J V E R S I T Y E R C T E N Whether experienced within teaching or assessing or just starting a new career,

253 views • 6 slides
1 Transition Systems Basic safety problems We can recursively define Given transition system T

1 Transition Systems Basic safety problems We can recursively define Given transition system T

Transition systems, temporal logic, Outline of this mini-course refinement notions Lecture 1 : Monday, June 23 Examples of hybrid systems, modeling formalisms Lecture 2 : Monday, June 23 Transitions systems, temporal logic, refinement notions

192 views • 7 slides
Interview Preparation FOR TEACHING & NON-TEACHING JOBS Career Development Centre 2013

Interview Preparation FOR TEACHING & NON-TEACHING JOBS Career Development Centre 2013

Interview Preparation FOR TEACHING & NON-TEACHING JOBS Career Development Centre 2013 Transition to Teaching Issues, Trends & Tips MARCH 2011 MARCH 2012 A Unique Job Search process This is the (hiring) trend we are seeing with

763 views • 44 slides
Transition: One Student, Many Systems By: Liz Shawl June 16, 2020 What was your first job? How

Transition: One Student, Many Systems By: Liz Shawl June 16, 2020 What was your first job? How

Transition: One Student, Many Systems By: Liz Shawl June 16, 2020 What was your first job? How did you get it? What is Transition? 1. Student-centered services or activities aimed at increasing community inclusion and post-high school

573 views • 36 slides
YEAR 6 TRANSITION WELCOME TO PERINS April 2019 Welcome Steve Jones - Headteacher Transition

YEAR 6 TRANSITION WELCOME TO PERINS April 2019 Welcome Steve Jones - Headteacher Transition

YEAR 6 TRANSITION WELCOME TO PERINS April 2019 Welcome Steve Jones - Headteacher Transition Process Lex Western- Assistant Headteacher Tutor groups Teaching Groups Induction day 26/6 Jackie Harrison - Guidance Manager Uniform Tutors

278 views • 23 slides
Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition

Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition

Quantitative Quantitative Quantitative Quantitative Modal Modal Transition Transition Systems Systems Kim Guldstrand Larsen Aalborg University Aalborg University, DENMARK The Early Days Edinburgh 83-85 Milner Symposium, Kim

661 views • 47 slides
The real story of English language teaching in Syrian high schools and the bumpy transition into

The real story of English language teaching in Syrian high schools and the bumpy transition into

The real story of English language teaching in Syrian high schools and the bumpy transition into the university level BATOUL KHOJA AND DEBASISH MOHAPATRA DEPARTMENT OF ENGLISH AND FOREIGN LANGUAGES TEZPUR UNIVERSITY ASSAM INDIA Part 1

673 views • 38 slides
Med-TSO Mediterranean Transmission System Operators ENERGY TRANSITION & POWER SYSTEMS

Med-TSO Mediterranean Transmission System Operators ENERGY TRANSITION & POWER SYSTEMS

Med-TSO Mediterranean Transmission System Operators ENERGY TRANSITION & POWER SYSTEMS INTEGRATION Angelo Ferrante Secretary General Pathways to regional energy transition in the Mediterranean area - Abu Dhabi, 9 September 2019 Med-TSO

621 views • 13 slides
Teaching old type systems Teaching old type systems new tricks with type providers new tricks

Teaching old type systems Teaching old type systems new tricks with type providers new tricks

Teaching old type systems Teaching old type systems new tricks with type providers new tricks with type providers Tomas Petricek Tomas Petricek University of Kent and The Alan Turing Institute http://tomasp.net tomas@tomasp.net @tomaspetricek

839 views • 38 slides
RESUR GAM What is the Just Energy Transition? Just transition was a set of practices lived by

RESUR GAM What is the Just Energy Transition? Just transition was a set of practices lived by

A dis isruptors view of f th the ju just energy tr transition Presentation to Nedbank/EE Publishing seminar Unlocking the Just Energy Transition 7 May 2019 RESUR GAM What is the Just Energy Transition? Just transition was a set of

445 views • 9 slides
Modelling and Verification Timed Automata: A Formalism for Real-time Systems Labelled transition

Modelling and Verification Timed Automata: A Formalism for Real-time Systems Labelled transition

Timed Transition Systems Timed Automata Networks of Timed Automata Equivalence Checking Problems Regions and Region Graph Modelling and Verification Timed Automata: A Formalism for Real-time Systems Labelled transition systems with time

1.21k views • 62 slides
Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do

Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do

Introduction to labelled transition systems Jos Proena HASLab - INESC TEC Universidade do Minho Braga, Portugal February, 2016 LTS Basic definitions Process algebra Behavioural equivalences Similarity Bisimilarity Reactive systems

1.39k views • 39 slides
Labelled Transition Systems Lu s Soares Barbosa Architecture & Calculi Course Unit

Labelled Transition Systems Lu s Soares Barbosa Architecture & Calculi Course Unit

Labelled Transition Systems Lu s Soares Barbosa Architecture & Calculi Course Unit Universidade do Minho Architecture & Calculi Labelled Transition Systems Behavioural equivalences Composition Introduction to the Architecture

997 views • 36 slides
Further Experience with Teaching Distributed Systems to Undergraduates Gregory M. Kapfhammer

Further Experience with Teaching Distributed Systems to Undergraduates Gregory M. Kapfhammer

Further Experience with Teaching Distributed Systems to Undergraduates Gregory M. Kapfhammer Department of Computer Science Allegheny College http : // cs . allegheny . edu / gkapfham / Further Experience with Teaching Distributed Systems to

165 views • 12 slides
Cultivating Gospel Healthy Systems Christians in Teaching 5-5-18 Think Systems, Watch

Cultivating Gospel Healthy Systems Christians in Teaching 5-5-18 Think Systems, Watch

Cultivating Gospel Healthy Systems Christians in Teaching 5-5-18 Think Systems, Watch Process, Ask Questions All schools/ministries/organizations/families are systems Calm System vs. Anxious System Grace-based Blame-based Process

290 views • 27 slides
Labelled transition systems Labelled transition systems are relations of the form a Q P

Labelled transition systems Labelled transition systems are relations of the form a Q P

Introduction Directed Bigraphs RPO and IPO Algebra Applications Introduction Directed Bigraphs RPO and IPO Algebra Applications Labelled transition systems Labelled transition systems are relations of the form a Q P From

415 views • 9 slides
Sequential Binary Search Manuel Carro manuel.carro@upm.es IMDEA Software Institute &

Sequential Binary Search Manuel Carro manuel.carro@upm.es IMDEA Software Institute &

Sequential Binary Search Manuel Carro manuel.carro@upm.es IMDEA Software Institute & Universidad Polit ecnica de Madrid Rodin and refinement . . . . . . . . . . . . . . . . t. 37 Search specification . . . . . . . . . . . . . . . . . .

1.02k views • 58 slides
Continuous gesture control of audio and visual media Nicolas Rasamimanana, Bruno Zamborlin,

Continuous gesture control of audio and visual media Nicolas Rasamimanana, Bruno Zamborlin,

Continuous gesture control of audio and visual media Nicolas Rasamimanana, Bruno Zamborlin, Frdric Bevilacqua, Norbert Schnell, Fabrice Gudy IRCAM, CNRS - STMS, Real Time Musical Interactions Team 1 Place Igor Stravinsky, 75004 Paris,

292 views • 13 slides
HOW V VIRTUAL BEC ECOMES R REA EAL Find structural form with Karamba. Form-finding with

HOW V VIRTUAL BEC ECOMES R REA EAL Find structural form with Karamba. Form-finding with

HOW V VIRTUAL BEC ECOMES R REA EAL Find structural form with Karamba. Form-finding with Large deformations ( G_01.2) FO FORM-FIND NDING NG identifies the process of designing optimal structural shapes by means of experimental tools

577 views • 15 slides
Vitrification and Vitrous Materials Zafar Iqbal pakistan Vitrifica(on Turning

Vitrification and Vitrous Materials Zafar Iqbal pakistan Vitrifica(on Turning

Vitrification and Vitrous Materials Zafar Iqbal pakistan Vitrifica(on Turning a substance into glass Immobiliza(on of waste by conversion into a glass.

369 views • 34 slides
Prts r r sr

Prts r r sr

Prts r r sr ts r r rrst

394 views • 6 slides
Polarized Rewriting and Tableaux in B Set Theory SETS 2018 Olivier Hermant CRI, MINES ParisTech,

Polarized Rewriting and Tableaux in B Set Theory SETS 2018 Olivier Hermant CRI, MINES ParisTech,

Polarized Rewriting and Tableaux in B Set Theory SETS 2018 Olivier Hermant CRI, MINES ParisTech, PSL Research University June 5, 2018 O. Hermant (MINES ParisTech) Polarized Tableaux Modulo in B June 5, 2018 1 / 17 Introduction Assumes

408 views • 29 slides
LECTURE 3. How well do we understand excited 0 + states in

LECTURE 3. How well do we understand excited 0 + states in

LECTURE 3. How well do we understand excited 0 + states in nuclei? John L. Wood School of Physics Georgia InsQtute of Technology, Atlanta

898 views • 51 slides
From om R Respon onse to P o Prevention on Clean Air Act (CAA) Amendments of 1990 General

From om R Respon onse to P o Prevention on Clean Air Act (CAA) Amendments of 1990 General

From om R Respon onse to P o Prevention on Clean Air Act (CAA) Amendments of 1990 General Duty Clause (Section 112(r)(1)) EPA Risk Management Program (Section 112(r)(7)) OSHA Process Safety Management (PSM) Established Chemical

739 views • 15 slides

More recommend