types of formal specifications for assertions concurrent
play

Types of Formal Specifications for Assertions Concurrent and - PowerPoint PPT Presentation

Oct 07, 2022 •6 likes •226 views

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

  1. Outline � Formal specifications CISC422/853: Formal Methods � Types of formal specifications: in Software Engineering: • assertions • invariants Computer-Aided Verification • safety and liveness properties � How to express safety properties: Topic 7: Specifying, or How to Describe How the System Should (or Should • FSAs, regular expressions, Never Claims Not) Behave � How to express liveness properties: • progress labels, Buechi Automata, Never Claims, Linear Juergen Dingel Temporal Logic, Computation Tree Logic Feb, 2009 � How to manage the complexity of specifications: Readings: • specification patterns • Spin book: Chapter 4 (Defining Correctness Claims), Chapter 6 (Automata and Logic) CISC422/853, Winter 2009 Specifying • Course notes on CTL 2 (Formal) Specifications Observables � What is a specification? � “Atomic propositions” used in a specification � What is a formal specification? � In BIR • global and local variables (in their scope) � Properties of good formal specifications? • existential (anonymous) thread program counter • As precise and detailed as necessary, and as abstract (i.e., unconstraining) as possible Property.existsThread(t, loc5) � In PROMELA • Consistent • Correct (internally, externally) • global and local variables � Why use formal specifications? • end-states, progress states, and accept states ° needed for expression of liveness (progress) properties • Unambiguous ° E.g., non-progress through reserved boolean variable np_ • Sometimes more succinct (false in s iff at least one process is at a control flow state marked • Amenable to automatic analysis with a progress label) ° more on these later • process ids through reserved variable _pid CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 3 4

  2. Types of Formal Specifications for Assertions Concurrent and Reactive Systems � Assertions � Express a property of observables at particular Example: location � Invariants thread T() { thread T() { � Most basic formal specification; already used by � Safety properties ... ... John von Neumann in 1947 loc loc7: � Liveness properties loc loc7: � In BIR and Promela: assert(b); when b do { when b do { � What kind of correctness claim does an assertion ... make, that is, what does it mean if there is ... assert(x> y); • no assertion violation?: assert(x> y); ... “No matter along which path control has reached the ... location of the assertion, the boolean expression in } } the assertion evaluates to true at that location” ... • an assertion violation?: ... } “There is at least one execution such that the boolean } expression in the assertion does not evaluate to true at that location” CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 5 6 Example 2: Checking Mutual Exclusion Example 1: Simple Race Condition Using Assertions � Does protocol below ensure mutual exclusion and deadlock freedom? � How can we check this using Bogor or Spin? syst em syst em M M uxTr y uxTr y { syst em syst em M M uxTr y uxTr y { bool ean bool ean f l ag1; l ag1; bool ean f l ag1; bool ean l ag1; bool ean f l ag2; bool ean l ag2; bool ean bool ean f l ag2; l ag2; t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: do { f l ag1 : = t r ue; } got o do { f l ag1 : = t r ue; } got o l oc2; l oc2; do { f l ag2 : = t r ue; } got o do { f l ag2 : = t r ue; } got o l oc2; l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o when ( ! f l ag1) do { } got o l oc3; l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o when ( ! f l ag1) do { } got o l oc3; l oc3; l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: do { } got o l oc4; do { } got o l oc4; do { } got o l oc4; do { } got o l oc4; do { } got o do { } got o l oc4; l oc4; do { } got o do { } got o l oc4; l oc4; critical regions critical regions l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: do { f l ag1 : = f al se; } got o do { f l ag1 : = f a l se; } got o l oc0; l oc0; do { f l ag2 : = f al se; } got o do { f l ag2 : = f a l se; } got o l oc0; l oc0; do { f l ag1 : = f al se; } got o do { f l ag1 : = f a l se; } got o l oc0; l oc0; do { f l ag2 : = f al se; } got o do { f l ag2 : = f a l se; } got o l oc0; l oc0; } } } } [Source: spinroot.com] CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 7 8

  3. Example 2: Checking Mutual Exclusion Assertions in Java Using Assertions (Cont’d) To check mutual exclusion, instrument protocol as follows: � Java 1.4 also supports assertions syst em syst em M M uxTr y uxTr y { � What does it mean if a Java assertion is syst em syst em M M uxTr y uxTr y { bool ean bool ean f l ag1; f l ag1; bool ean f l ag1; bool ean f l ag1; bool ean f l ag2; bool ean f l ag2; bool ean f l ag2; bool ean f l ag2; • violated? i nt i nt c; i nt i nt c; • not violated? t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { t hr ead T2 ( ) { t hr ead T2 ( ) { t hr ead T1 ( ) { t hr ead T1 ( ) { l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: � What’s the difference between assertions in l oc l oc0: l oc l oc0: l oc l oc0: l oc l oc0: do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o do { f l ag2 : = t r ue; } got o l oc2; l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag1 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; do { f l ag2 : = t r ue; } got o l oc2; Bogor/Spin and Java? l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: l oc l oc2: when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag1) do { } got o l oc3; when ( ! f l ag2) do { } got o when ( ! f l ag2) do { } got o l oc3; l oc3; l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: l oc l oc3: do { do { c : = c+1; asser t ( c==1) ; c : = c+1; asser t ( c==1) ; } } do { do { c : = c+1; asser t ( c==1) ; c : = c+1; asser t ( c==1) ; } } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } do { c : = c+1; asser t ( c==1) ; } got o got o l oc4; l oc4; got o l oc4; got o l oc4; got o got o l oc4; l oc4; got o l oc4; got o l oc4; critical regions critical regions l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: l oc l oc4: do { c : = c- 1; do { c : = c- 1; f l ag2 : = f al se; } f l ag2 : = f al se; } do { do { c : = c- 1; c : = c- 1; f l ag1 : = f al se; } f l ag1 : = f al se; } do { c : = c- 1; do { c : = c- 1; f l ag2 : = f al se; } f l ag2 : = f al se; } do { c : = c- 1; do { c : = c- 1; f l ag1 : = f al se; } f l ag1 : = f al se; } got o got o l oc0; l oc0; got o got o l oc0; l oc0; got o l oc0; got o l oc0; got o l oc0; got o l oc0; } } } } What about deadlock freedom? CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 9 10 Invariants Multiplication Example � Express property of observables that holds at every Consider a simple program with a loop invariant location � What kind of correctness claim does an invariant // assume parameters m and n // assume parameters m and n make, that is, what does it mean if there is count := m; count := m; output := 0; output := 0; • no invariant violation?: “At all locations along all executions of the system, the property // loop invariant: m * n = = output + (count * n) // loop invariant: m * n = = output + (count * n) holds” while (count > 0) do { while (count > 0) do { • an invariant violation?: output := output + n; output := output + n; count := count – 1; “There is at least one location along an execution such that the count := count – 1; } property does not hold at that location” } � How do invariants compare to • assertions? • “loop invariants” in Hoare Logic? [Source: CIS842 @ KSU] CISC422/853, Winter 2009 Specifying CISC422/853, Winter 2009 Specifying 11 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and

Reasoning about Programs (and bugs) A brief interlude on specifications, assertions, and debugging Largely based on material from University of Washington CSE 331 Good programs, broken programs? Goal: program works (does not fail) Need:

540 views • 32 slides
Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For

Specifications and formal program development in-the-large What are specifications for? For the system user: specification captures the properties of the system the user can rely on. For the system developer: specification captures all the

297 views • 26 slides
Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis

Lecture 4. Formal specifications: LTL, CTL ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 4. Formal specifications: LTL, CTL 2018 1 / 37 State (reachability) graph of

1.14k views • 94 slides
Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune

Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune

Setting Specifications How and Where to Control Karin Sewerin on behalf of EBE MedImmune September 9, 2011 Specifications Presentation outline Monitoring of Critical Quality Attributes (CQAs) Testing Types of testing Types of

468 views • 21 slides
Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based

Formal and Incremental Verification of SysML Specifications for the Design of Component-Based Systems Oscar Carrillo Dpartement dInformatique des Systmes Complexes (DISC), Femto-ST UMR 6174 CNRS Encadrement : Hassan Mountassir et Samir

972 views • 65 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa

Type Reconstruction for General Refinement Types Kenn Knowles University of California, Santa Cruz joint work with: Cormac Flanagan (University of California, Santa Cruz) March 25, 2007 Assertions / Refinement Types The role of assertions in

386 views • 37 slides
On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive

On the Horizontal Dimension of Software Architecture in Formal Specifications of Reactive Systems Mika Katara, Reino Kurki-Suonio and Tommi Mikkonen Institute of Software Systems Tampere University of Technology Finland Outline 1.

1.03k views • 21 slides
1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

1 Java assert statement Java assert (cont.) an assert statement can be placed anywhere you

Assertions assertions communicate assumptions about the state of the program, and stop processing if they turn out to be false very often comments are statements about the state Assertions the program should be in but assertions can

61 views • 3 slides
Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi

Effpi concurrent programming with dependent behavioural types Alceste Scalas with Elias Benussi & Nobuko Yoshida VeTSS PhD school / FMATS workshop Microsoft Research Cambridge, 25 September 2018 Problem Introduction Calculus Types

870 views • 57 slides
Lessons learned Techniques Limitations of formal specifications Cost of technical staff

Lessons learned Techniques Limitations of formal specifications Cost of technical staff

CRIM Lessons learned Techniques Limitations of formal specifications Cost of technical staff training Ease of communication between different system stakeholders by using object- oriented modeling techniques and OMT as notational

302 views • 9 slides
Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien

Context Generation from Formal Specifications for C Analysis Tools Michele Alberti 1 Julien Signoles 2 1 TrustInSoft 2 CEA LIST, Software Reliability and Security Laboratory LOPSTR 2017, Namur, Belgium 1 Code Analysis Tools Effective enough

575 views • 35 slides
Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a

Assertions, pre/post- conditions Assertions: Section 4.2 in Savitch (p. 239) Programming as a contract n Specifying what each method does q Specify it in a comment before method's header n Precondition q What is assumed to be true

625 views • 33 slides
Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and

Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and

Learning to Specify soundly Suresh Jagannathan Joint work with He Zhu, Stephen Magill, and Gustavo Petri Goal + Verification Program Specifications Conditions Types Assertions Contracts Pre/Post Loop Invariants Spec Spec

482 views • 33 slides
Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like

Assertions and Triggers Rose-Hulman Institute of Technology Curt Clifton Assertions Like constraints: Recall: state IN {'IA', 'MN', 'WI', 'MI', 'IL'} But can reference all tables Defined by: CREATE ASSERTION <name>

552 views • 30 slides
Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/

Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/

Concurrent Types as Engineering Principles for Large Distributed Systems http://mrg.doc.ic.ac.uk/ Nobuko Yoshida Imperial College London 1 Open Problems The way to organise software is increasingly based on communications (Cloud

692 views • 53 slides
Complexity, periodicity, and expansiveness Van Cyr Northwestern University June 4, 2013

Complexity, periodicity, and expansiveness Van Cyr Northwestern University June 4, 2013

Complexity, periodicity, and expansiveness Van Cyr Northwestern University June 4, 2013 University of Crete Van Cyr Complexity, periodicity, and expansiveness Introduction A =finite set, X = A Z d . For , X , d ( , ) = 2 min

918 views • 63 slides
Cop and Robber Game and Hyperbolicity J. Chalopin 1 V. Chepoi 1 . Papasoglu 2 T. Pecatte 3 P 1 LIF

Cop and Robber Game and Hyperbolicity J. Chalopin 1 V. Chepoi 1 . Papasoglu 2 T. Pecatte 3 P 1 LIF

Cop and Robber Game and Hyperbolicity J. Chalopin 1 V. Chepoi 1 . Papasoglu 2 T. Pecatte 3 P 1 LIF , CNRS & Aix-Marseille Universit 2 Mathematical Institute, University of Oxford 3 NS de Lyon Sminaire GAC 23 fvrier 2017

726 views • 55 slides
Side conditions and revisionism David Asper o University of East Anglia 4th Arctic Set Theory

Side conditions and revisionism David Asper o University of East Anglia 4th Arctic Set Theory

Side conditions and revisionism David Asper o University of East Anglia 4th Arctic Set Theory Workshop Kilpisj arvi, January 2019 Apologies if you have heard this before. Special apologies to Vincenzo. Apologies if you have heard this

851 views • 49 slides
The variety of nuclear implicative semilattices is locally finite Guram Bezhanishvili, Nick

The variety of nuclear implicative semilattices is locally finite Guram Bezhanishvili, Nick

The variety of nuclear implicative semilattices is locally finite Guram Bezhanishvili, Nick Bezhanishvili, David Gabelaia, Silvio Ghilardi, Mamuka Jibladze Wednesday, June 28 TACL2017, Prague 1 / 29 , ,

1.08k views • 70 slides
Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and

Polynomial-Time Algorithms for the Subset Feedback Vertex Set Problem on Interval Graphs and Permutation Graphs Charis Papadopoulos Spyridon Tzimas 21st International Symposium on Fundamentals of Computation Theory - FCT 2017 Bordeaux, France,

1.5k views • 103 slides
Efficient Flooding in Ad Hoc Networks Seminar: Pervasive Computing (SS 2004) Frank Radmacher

Efficient Flooding in Ad Hoc Networks Seminar: Pervasive Computing (SS 2004) Frank Radmacher

Efficient Flooding in Ad Hoc Networks Seminar: Pervasive Computing (SS 2004) Frank Radmacher Frank Radmacher, July 15, 2004 Betreuer: Stefan Penz Efficient Flooding in Ad Hoc Networks - p. 1/27 References [1] Sze-Yao Ni, Yu-Chee Tseng, Yuh

666 views • 52 slides
Computer Graphics (CS 543) Lecture 12b: Rasterization: Line Drawing Prof Emmanuel Agu Computer

Computer Graphics (CS 543) Lecture 12b: Rasterization: Line Drawing Prof Emmanuel Agu Computer

Computer Graphics (CS 543) Lecture 12b: Rasterization: Line Drawing Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Rasterization Rasterization generates set of fragments Implemented by graphics hardware

527 views • 23 slides
An Algorithm to Design Prescribed Length Codes for Single-Tracked Shaft Encoders IEEE

An Algorithm to Design Prescribed Length Codes for Single-Tracked Shaft Encoders IEEE

Problem Solution Comments An Algorithm to Design Prescribed Length Codes for Single-Tracked Shaft Encoders IEEE International Conference on Mechatronics 2009 B. Balle , E. Ventura, J. M. Fuertes Universitat Politcnica de Catalunya April 17,

410 views • 16 slides

More recommend