Validation of Critical Systems Christiano Braga Instituto de - - PowerPoint PPT Presentation
2nd School of Theoretical Computer Science and Formal Methods Validation of Critical Systems Christiano Braga Instituto de Computao with Rewriting Logic in Maude Universidade Federal Fluminense s 0 n 1 n 2 start s 1 s 5 t 1 n 2 n 1 t 2 s 2
2nd School of Theoretical Computer Science and Formal Methods
with Rewriting Logic in Maude
Christiano Braga
Instituto de Computação Universidade Federal Fluminense
2nd School of Theoretical Computer Science and Formal Methods
with Rewriting Logic in Maude
Christiano Braga
Instituto de Computação Universidade Federal Fluminense
n1n2 start s0 t1n2 s1 n1t2 s5 c1n2 s2 t1t2 s3 n1c2 s6 c1t2 s4 t1c2 s7
3
❖ that shared resources should properly managed? ❖ how to convert from English units to the metric system? ❖ that coercing a 64-bit number into a 16-bit one implies loss of information? ❖ that static typing helps in the composition of software components? ❖ that one should be thorough and precise in early stages of the software development? ❖ that commands (in any formal language) should be well-formed? ❖ that security is an essential aspect of networked software components? ❖ that the functions a software implements should remain functions after 100 hours of the system
execution?
❖ that division is a partial function? ❖ that we should specify our algorithms before implementing them? ❖ that we should specify our processes before implementing them?
4
❖ Therac-25 software, overdoses of radiation because of a race condition, several deaths between
1985 and 1987?
❖ Mars Climate Orbiter, crashed, unit conversion error, $125M? ❖ Ariane 5 Flight 501, exploded, coercion error, $8B? ❖ UK's EDS Child Support System, component incompatibility, $1B? ❖ Heathrow Terminal 5 luggage system, system shutdown, over 500 flights canceled? ❖ Mariner 1 Spacecraft, self-destructed, command ill-formed, $18B? ❖ Morris Worm, coding error, crashed thousands of computers, $100M? ❖ U.S. Patriot missile defense system, failed, 28 soldiers killed? ❖ Pentium FDIV bug, cost $475M to Intel? ❖ Knight's stock trading algorithms, erratic trades, $440M in 30 min.? ❖ NOAA-19 Satellite, poor manhandling, $135M?
race condition
5
❖ How to specify a component? ❖ How to specify the properties a component should
❖ How to make sure that a component has the desired
❖ Theory of computation to the
rescue: automata theory!
❖ Example: a mutual exclusion
protocol
6
n1n2 start s0 t1n2 s1 n1t2 s5 c1n2 s2 t1t2 s3 n1c2 s6 c1t2 s4 t1c2 s7
❖ Logic to the rescue: logics of
change!
❖ Example: Temporal logic
7
Safety properties specify that “nothing bad” ever happens. Liveness properties are such that “something good” happens from time to time.
❖ Logic to the rescue: logics of
change!
❖ Example: Temporal logic
8
G means “always” and F denotes “eventually”. Formulae are interpreted on Kripke structures, which are essentially graphs, and so are LTS!
K = (W, R)
Kripke graphs LTS
❖ Logic to the rescue: model checking! ❖ Automatically, by the way!
9
Is formula satisfiable in model M starting at state s0?
ϕ
model checking
❖ If a property does not hold, a counter-example is produced.
10
n1n2 start s0 t1n2 s1 n1t2 s5 c1n2 s2 t1t2 s3 n1c2 s6 c1t2 s4 t1c2 s7
11
Liveness fails…
12
Fixing liveness
n1n2 start s0 t1n2 s1 n1t2 s5 c1n2 s2 t1t2 s3 n1c2 s6 c1t2 s4 t1t2 s8 t1c2 s7
13
❖ The structure (or ``data type'') where theories are
❖ Modal logics, where temporal logics form a subclass. ❖ Substructural logics, where different forms to
❖ Rewriting logic, a computational logic that may
14
❖ A logic to reason on concurrent systems. ❖ The state of a system is denoted by a term in a suitable
❖ Computations are deductions in the given rewrite
❖ Reflexivity
15
t t
❖ Transitivity
t1 t2 t3
❖ Equality
16
u = u0 v = v0
❖ Congruence
17
f t2 t1 t3 t4 f t0
2
t0
1
t0
3
t0
4
Back to MUTEX
❖ Replacement
18
t t2 t1 t3 t4 t0 t0
2
t0
1
t0
3
t0
4
19
❖ A specification language and a system. ❖ Maude is an implementation of Rewriting Logic, such
❖ Deductions in RWL correspond to rewrites in Maude.
20
mod MUTEX is pr NAT . sort Proc Conf System . subsort Proc < Conf .
(…)
Types (or sorts) for process state, configuration (set) of processes and a system of processes. The sort Proc is included in the sort of configuration
21
mod MUTEX is pr NAT . sort Proc Conf System . subsort Proc < Conf .
Processes, configurations of processes and System are declared with (constructor) operators. Configurations are constructed with associative, commutative (juxtaposition) operator, with empty as its identity operation.
22
mod MUTEX is pr NAT . sort Proc Conf System . subsort Proc < Conf .
This operator is necessary to control de congruence rule. More on this when we discuss the rule-based specification of the behavior of the protocol.
23
mod MUTEX is pr NAT . sort Proc Conf System . subsort Proc < Conf .
Predicates inCrit? and dup? are auxiliary
24
var C : Conf . vars N M : Nat . cmb { C } : System if not dup?(C) . eq dup?(idle(N) idle(N) C) = true . eq dup?(idle(N) try(N) C) = true . eq dup?(idle(N) critical(N) C) = true . eq dup?(try(N) critical(N) C) = true . eq dup?(C) = false [owise] . eq inCrit?(critical(N) C) = true . eq inCrit?(C) = false [owise] .
(Conditional) membership equations allow for the specification of partiality. Operator {_} is partial: terms of sort System are only those such that this equation hold.
25
var C : Conf . vars N M : Nat . cmb { C } : System if not dup?(C) . eq dup?(idle(N) idle(N) C) = true . eq dup?(idle(N) try(N) C) = true . eq dup?(idle(N) critical(N) C) = true . eq dup?(try(N) critical(N) C) = true . eq dup?(C) = false [owise] . eq inCrit?(critical(N) C) = true . eq inCrit?(C) = false [owise] .
Predicate dup? checks if a process configuration has (at least) one repeated process id, denoted by a natural number.
26
var C : Conf . vars N M : Nat . cmb { C } : System if not dup?(C) . eq dup?(idle(N) idle(N) C) = true . eq dup?(idle(N) try(N) C) = true . eq dup?(idle(N) critical(N) C) = true . eq dup?(try(N) critical(N) C) = true . eq dup?(C) = false [owise] . eq inCrit?(critical(N) C) = true . eq inCrit?(C) = false [owise] .
Predicate inCrit? checks if there exists a process in the critical session. This predicate is used in the specification
27
(…) rl [try] : idle(N) => try(N) . rl [leaves] : critical(N) => idle(N) . crl [enter] : { try(N) C } => { critical(N) C } if not inCrit?(C) . endm
As opposed to equations, rules may have a non- deterministic and non-terminating behavior.
28
rl [try] : idle(N) => try(N) . rl [leaves] : critical(N) => idle(N) . crl [enter] : { try(N) C } => { critical(N) C } if not inCrit?(C) . endm
Rules try and leaves may be applied anywhere in the process configuration, that is, any process may change from idle to try or from critical to idle simultaneously or one at the time. anywhere
29
rl [try] : idle(N) => try(N) . rl [leaves] : critical(N) => idle(N) . crl [enter] : { try(N) C } => { critical(N) C } if not inCrit?(C) . endm
Rule enter, on the other hand, requires that no process is in the critical session. Therefore, it is defined at system level and not at configuration level. system
30
========================================== rewrite [5] in MODEL-CHECK-MUTEX : {idle(0) idle(1)} . rewrites: 38 in 0ms cpu (0ms real) (535211 rewrites/second} result System: {idle(0) critical(1)}
The rewrite command simplifies a given term, using first the equations and then the rules, n steps, using a depth-first search traverse strategy on the rewrite tree.
31
========================================== search in MODEL-CHECK-MUTEX : {idle(0) idle(1)} =>* {C critical(N)} . Solution 1 (state 3) states: 4 rewrites: 22 in 0ms cpu (12ms real) (78014 rewrites/second) C --> idle(1) N --> 0 Solution 2 (state 5) states: 6 rewrites: 35 in 0ms cpu (12ms real) (83135 rewrites/second) C --> idle(0) N --> 1 Solution 3 (state 6) states: 7 rewrites: 45 in 0ms cpu (12ms real) (84427 rewrites/second) C --> try(1) N --> 0 Solution 4 (state 7) states: 8 rewrites: 66 in 0ms cpu (12ms real) (97345 rewrites/second) C --> try(0) N --> 1 No more solutions.
The search command traverses the rewrite tree using a breadth- first strategy and returns the (terms) which match a given
example, it provides solutions where a process is in the critical session.
32
❖ We need to associate Kripke structures to rewrite
The models in M, s0 | = ϕ.
33
A rewrite theory R, with a distinguished kind (a lattice of sorts) k and a set of state-propositions Π is interpreted as a Kripke structure K. A formula ϕ in temporal logic is then interpreted in K given an initial state denoted by the equivalence class of a term t.
34
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
Module MODEL-CHECKER defines all the elements
35
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
…including a sort State that must be contain the sort for states where the temporal formulae will be interpreted.
36
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
We must specify state-propositions that will used in the temporal formulae specifying the properties to be checked, …
37
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
… such as safety or liveness.
38
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
Equations specify in which states a proposition holds.
39
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
May also specify the properties to be model checked…
40
mod MODEL-CHECK-MUTEX is ex MODEL-CHECKER . pr MUTEX . subsort System < State .
vars N M : Nat . var C : Conf . eq { critical(N) critical(M) C } |= race-condition = true . eq { try(N) C } |= trying(N) = true . eq { critical(N) C } |= inCritical(N) = true . eq safety = [] ~ <> race-condition . eq liveness(N) = [] (trying(N) -> <> inCritical(N)) . eq initial = { idle(0) idle(1) idle(2) } . (…)
… and the initial state.
41
========================================== reduce in MODEL-CHECK-MUTEX : modelCheck(initial, safety) . rewrites: 104 in 0ms cpu (0ms real) (395437 rewrites/second) result Bool: true Safety holds! true
42
========================================== reduce in MODEL-CHECK-MUTEX : modelCheck(initial, liveness(0)) . rewrites: 61 in 0ms cpu (0ms real) (286384 rewrites/second) result ModelCheckResult: counterexample({{idle(0) idle(1)},'try}, {{idle(1) try(0)},'try} {{try(0) try(1)},'enter} {{try(0) critical(1)},'leaves}) Liveness does not, as a cycle is found where the property does not hold:
{idle(1) try(0)} -> {try(0) try(1)} -> {try(0) critical(1)} -> {idle(1) try(0)} …
counterexample
43
(…) rl [leaves] : critical(N) => idle(N) . crl [try-critical] : { idle(N) try(M) C } => { try(N) critical(M) C } if not inCrit?(C) . crl [idle-critical] : { idle(N) try(M) C } => { idle(N) critical(M) C } if not inCrit?(C) . endm
If there is a process trying to enter the critical session, then it must be given preference.
44
========================================== reduce in MODEL-CHECK-MUTEX : modelCheck(initial, liveness(0)) . reduce in MODEL-CHECK-MUTEX-WITH-LIVENESS : modelCheck(initial, liveness(0)) . rewrites: 16 in 0ms cpu (0ms real) (100628 rewrites/second) result Bool: true
Liveness now holds!
true
45
❖ So far we have exploited the state space explicitly, both
❖ In the Rewriting Logic approach to validation of critical
❖ One such theory is narrowing, which allows for the
46
❖ Variables in rewrite rules are universally quantified.
❖ Narrowing rules admit existentially quantified variables.
❖ In rewriting modulo narrowing, we combine universally
47
mod MUTEX is pr NAT . sorts ConfProc Critical System .
var C : ConfProc . vars N M : Nat . var P : Critical . rl [try] : { idle(N) C | P } => { try(N) C | P } [narrowing] . rl [leaves] : { C | critical(N) } => { idle(N) C | none } [narrowing] . rl [enter] : { try(N) C | none } => { C | critical(N) } [narrowing] . endm
The system state now has an “attribute" that specifies which process is in the critical section, if any.
48
mod MUTEX is pr NAT . sorts ConfProc Critical System .
var C : ConfProc . vars N M : Nat . var P : Critical . rl [try] : { idle(N) C | P } => { try(N) C | P } [narrowing] . rl [leaves] : { C | critical(N) } => { idle(N) C | none } [narrowing] . rl [enter] : { try(N) C | none } => { C | critical(N) } [narrowing] . endm
The structure of the new configurations allows us to specify unconditional rules, a requirement to have them labeled as narrowing rules, that is, rules that will be applied in the narrowing process.
49
narrow [3, 1] in MUTEX : {C try(N) | none} =>* {C':TryOrIdle | critical(N)} . Solution 1 rewrites: 2 in 0ms cpu (0ms real) (4938 rewrites/second) state: {%3:TryOrIdle try(%2:Nat) | critical(%1:Nat)} C':TryOrIdle --> %3:TryOrIdle try(%2:Nat) N --> %1:Nat Solution 2 rewrites: 3 in 0ms cpu (0ms real) (6550 rewrites/second) state: {%2:TryOrIdle | critical(%1:Nat)} C':TryOrIdle --> %2:TryOrIdle N --> %1:Nat No more solutions. rewrites: 3 in 0ms cpu (0ms real) (5882 rewrites/second)
The narrowing command queries the state space for a process configuration that has a process trying to enter the critical section and ends in a configuration where the given process is in the critical section.
50
narrow [3, 1] in MUTEX : {C try(N) | none} =>* {C':TryOrIdle | critical(N)} . Solution 1 rewrites: 2 in 0ms cpu (0ms real) (4938 rewrites/second) state: {%3:TryOrIdle try(%2:Nat) | critical(%1:Nat)} C':TryOrIdle --> %3:TryOrIdle try(%2:Nat) N --> %1:Nat Solution 2 rewrites: 3 in 0ms cpu (0ms real) (6550 rewrites/second) state: {%2:TryOrIdle | critical(%1:Nat)} C':TryOrIdle --> %2:TryOrIdle N --> %1:Nat No more solutions. rewrites: 3 in 0ms cpu (0ms real) (5882 rewrites/second)
The first solution denotes a situation where process %1:Nat entered the critical session and there is a process %2:Nat which is trying to enter it.
51
narrow [3, 1] in MUTEX : {C try(N) | none} =>* {C':TryOrIdle | critical(N)} . Solution 1 rewrites: 2 in 0ms cpu (0ms real) (4938 rewrites/second) state: {%3:TryOrIdle try(%2:Nat) | critical(%1:Nat)} C':TryOrIdle --> %3:TryOrIdle try(%2:Nat) N --> %1:Nat Solution 2 rewrites: 3 in 0ms cpu (0ms real) (6550 rewrites/second) state: {%2:TryOrIdle | critical(%1:Nat)} C':TryOrIdle --> %2:TryOrIdle N --> %1:Nat No more solutions. rewrites: 3 in 0ms cpu (0ms real) (5882 rewrites/second)
In the second solution, process %1:Nat entered the critical session and the configuration when it happens in any possible combination of processes trying to enter the critical session or idle processes.
52
❖ Two dimensions of critical systems are concurrency,
❖ Our model of choice is hybrid automata.
53
❖ Hybrid automata (HA) allows us to model both discrete and
continuous behavior.
❖ Discrete behavior is modeled with a finite state-transition system. ❖ Continuous behavior is modeled by means of ordinary differential
equations.
❖ In linear HA, constraints over continuous variables are
affine: where ai is an integer or real constant, xi is a continuous variables and ~ denotes a binary predicate.
a1x1 + a2x2 + . . . anxn ∼ a0
Joint work with André Metelo and Diego Brandão Specification and Validation of Cyber-Physical Systems project
54
x:= x x:= x
Joint work with André Metelo and Diego Brandão Specification and Validation of Cyber-Physical Systems project
55
56
(tmod RESERVOIR is protecting POSRAT-TIME-DOMAIN . sort HosePos .
vars x1 x2 : NNegRat . var R : Time . crl [moveright] : left,x1,x2 => right,x1,x2 if x2 <= r2 . crl [moveleft] : right,x1,x2 => left,x1,x2 if x1 <= r1 . crl [tick-right] : {right, x1, x2} => {right, x1 - (v1 * R), x2 + ((w - v2) * R)} in time R if x1 > r1 [nonexec] . crl [tick-left] : {left, x1, x2} => {left, x1 + ((w - v1) * R), x2 - (v2 * R)} in time R if x2 > r2 [nonexec] . endtm)
Chooses positive rational numbers to represent time.
57
(tmod RESERVOIR is protecting POSRAT-TIME-DOMAIN . sort HosePos .
vars x1 x2 : NNegRat . var R : Time . crl [moveright] : left,x1,x2 => right,x1,x2 if x2 <= r2 . crl [moveleft] : right,x1,x2 => left,x1,x2 if x1 <= r1 . crl [tick-right] : {right, x1, x2} => {right, x1 - (v1 * R), x2 + ((w - v2) * R)} in time R if x1 > r1 [nonexec] . crl [tick-left] : {left, x1, x2} => {left, x1 + ((w - v1) * R), x2 - (v2 * R)} in time R if x2 > r2 [nonexec] . endtm)
Models the system state as a triple whose first component is the hose position, the second component is fluid column height for reservoir #1, and the third component denotes the fluid column height for reservoir #2.
58
(tmod RESERVOIR is protecting POSRAT-TIME-DOMAIN . sort HosePos .
vars x1 x2 : NNegRat . var R : Time . crl [moveright] : left,x1,x2 => right,x1,x2 if x2 <= r2 . crl [moveleft] : right,x1,x2 => left,x1,x2 if x1 <= r1 . crl [tick-right] : {right, x1, x2} => {right, x1 - (v1 * R), x2 + ((w - v2) * R)} in time R if x1 > r1 [nonexec] . crl [tick-left] : {left, x1, x2} => {left, x1 + ((w - v1) * R), x2 - (v2 * R)} in time R if x2 > r2 [nonexec] . endtm)
Models discrete, untimed, behavior.
59
(tmod RESERVOIR is protecting POSRAT-TIME-DOMAIN . sort HosePos .
vars x1 x2 : NNegRat . var R : Time . crl [moveright] : left,x1,x2 => right,x1,x2 if x2 <= r2 . crl [moveleft] : right,x1,x2 => left,x1,x2 if x1 <= r1 . crl [tick-right] : {right, x1, x2} => {right, x1 - (v1 * R), x2 + ((w - v2) * R)} in time R if x1 > r1 [nonexec] . crl [tick-left] : {left, x1, x2} => {left, x1 + ((w - v1) * R), x2 - (v2 * R)} in time R if x2 > r2 [nonexec] . endtm)
Models continuous, timed, behavior.
60
rewrites: 12102 in 15ms cpu (15ms real) (802732 rewrites/second) Timed search in TEST {right,30,30} =>* {S:System} in time <= 4 and with mode default time increase 1 : Solution 1 S:System --> right,30,30 ; TIME_ELAPSED:Time --> 0 Solution 2 S:System --> right,25,35 ; TIME_ELAPSED:Time --> 1 Solution 3 S:System --> right,20,40 ; TIME_ELAPSED:Time --> 2 Solution 4 S:System --> right,15,45 ; TIME_ELAPSED:Time --> 3 Solution 5 S:System --> left,15,45 ; TIME_ELAPSED:Time --> 3 Solution 6 S:System --> left,20,40 ; TIME_ELAPSED:Time --> 4 No more solutions
61
(tmod MODEL-CHECK-RESERVOIR is including TIMED-MODEL-CHECKER . protecting RESERVOIR .
var H : HosePos . vars x1 x2 : NNegRat . ceq {H, x1, x2} |= macondo = true if (x1 <= r1) and (x2 <= r2) . ceq {H, x1, x2} |= one-down = true if (x1 <= r1) or (x2 <= r2) . endtm)
Extends MODEL-CHECKER module with Real-Time Maude sorts, also subsorting State with Real-Time Maude GlobalSystem.
62
(tmod MODEL-CHECK-RESERVOIR is including TIMED-MODEL-CHECKER . protecting RESERVOIR .
var H : HosePos . vars x1 x2 : NNegRat . ceq {H, x1, x2} |= macondo = true if (x1 <= r1) and (x2 <= r2) . ceq {H, x1, x2} |= one-down = true if (x1 <= r1) or (x2 <= r2) . endtm)
Declares two state propositions: macondo states that both reservoirs are below their lower bound while
is down.
63
rewrites: 6039 in 7ms cpu (8ms real) (755158 rewrites/second) Untimed model check {right,30,30} |=u ~[]<> macondo in TEST with mode default time increase 1 Result Bool : true rewrites: 6283 in 6ms cpu (6ms real) (976986 rewrites/second) Untimed model check {right,30,30} |=u ~[]<> one-down in TEST with mode default time increase 1 Result ModelCheckResult : counterexample(nil,{{right,30,30} ,'tick-right}{{right,25,35} ,'tick-right}{{ right,20,40} ,'tick-right}{{right,15,45} ,'moveleft}{{left,15,45} ,'tick-left}{ {left,20,40} ,'tick-left}{{left,25,35} ,'tick-left}{{left,30,30} ,'tick-left}{{ left,35,25} ,'tick-left}{{left,40,20} ,'tick-left}{{left,45,15} ,'moveright}{{ right,45,15} ,'tick-right}{{right,40,20} ,'tick-right}{{right,35,25} , 'tick-right})
It is never the case that both reservoirs are simultaneously below or equal to their lower bounds.
true
64
rewrites: 6039 in 7ms cpu (8ms real) (755158 rewrites/second) Untimed model check {right,30,30} |=u ~[]<> macondo in TEST with mode default time increase 1 Result Bool : true rewrites: 6283 in 6ms cpu (6ms real) (976986 rewrites/second) Untimed model check {right,30,30} |=u ~[]<> one-down in TEST with mode default time increase 1 Result ModelCheckResult : counterexample(nil,{{right,30,30} ,'tick-right}{{right,25,35} ,'tick-right}{{ right,20,40} ,'tick-right}{{right,15,45} ,'moveleft}{{left,15,45} ,'tick-left}{ {left,20,40} ,'tick-left}{{left,25,35} ,'tick-left}{{left,30,30} ,'tick-left}{{ left,35,25} ,'tick-left}{{left,40,20} ,'tick-left}{{left,45,15} ,'moveright}{{ right,45,15} ,'tick-right}{{right,40,20} ,'tick-right}{{right,35,25} , 'tick-right})
One of the reservoirs may be eventually reach its lower bound.
true
65
(tmod RESERVOIR is (…) crl [move-hose] : hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S => hose(W, M) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S if (Xm <= Lm) and (N =/= M) and (Xn >= Ln) . crl [tick] : {hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > S} => {hose(W, N) fill(< N | thr: (Ln, Un), hth: Xn, RAn >, W, T) drain(S, T)} in time T if not refill?(S) and Xn <= Un [nonexec] . endtm)
The reservoirs are now represented as records, identified by a Natural number, with lower and upper thresholds, the fluid column height and flow ratio.
66
(tmod RESERVOIR is (…) crl [move-hose] : hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S => hose(W, M) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S if (Xm <= Lm) and (N =/= M) and (Xn >= Ln) . crl [tick] : {hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > S} => {hose(W, N) fill(< N | thr: (Ln, Un), hth: Xn, RAn >, W, T) drain(S, T)} in time T if not refill?(S) and Xn <= Un [nonexec] . endtm)
And the system configuration is represented as a set of reservoirs and a hose.
67
(tmod RESERVOIR is (…) crl [move-hose] : hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S => hose(W, M) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S if (Xm <= Lm) and (N =/= M) and (Xn >= Ln) . crl [tick] : {hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > S} => {hose(W, N) fill(< N | thr: (Ln, Un), hth: Xn, RAn >, W, T) drain(S, T)} in time T if not refill?(S) and Xn <= Un [nonexec] . ndtm)
This variable represents the system without the hose and reservoirs N and M.
68
(tmod RESERVOIR is (…) crl [move-hose] : hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S => hose(W, M) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S if (Xm <= Lm) and (N =/= M) and (Xn >= Ln) . crl [tick] : {hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > S} => {hose(W, N) fill(< N | thr: (Ln, Un), hth: Xn, RAn >, W, T) drain(S, T)} in time T if not refill?(S) and Xn <= Un [nonexec] . endtm)
There is a single rule that chooses to which reservoir the hose must be moved to. It moves the hose to a reservoir different from the current one, as long as the current one has not reached its lower bound and the target one needs the hose.
69
(tmod RESERVOIR is (…) crl [move-hose] : hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S => hose(W, M) < N | thr: (Ln, Un), hth: Xn, RAn > < M | thr: (Lm, Um), hth: Xm, RAm > S if (Xm <= Lm) and (N =/= M) and (Xn >= Ln) . crl [tick] : {hose(W, N) < N | thr: (Ln, Un), hth: Xn, RAn > S} => {hose(W, N) fill(< N | thr: (Ln, Un), hth: Xn, RAn >, W, T) drain(S, T)} in time T if not refill?(S) and Xn <= Un [nonexec] . endtm)
The timed rule simply specifies that the reservoir that hose is positioned on will continue to be filled and the remaining ones will continue to be drained, all at their own flow rate, as long as there isn’t a reservoir, different from the current one, needing fluid.
70
❖ We have seen that critical systems require rigorous
❖ State-exploration validation techniques, such as search
❖ Rewriting logic and its implementation in the Maude
2nd School of Theoretical Computer Science and Formal Methods
with Rewriting Logic in Maude
Christiano Braga
Instituto de Computação Universidade Federal Fluminense
n1n2 start s0 t1n2 s1 n1t2 s5 c1n2 s2 t1t2 s3 n1c2 s6 c1t2 s4 t1c2 s7
2nd School of Theoretical Computer Science and Formal Methods
with Rewriting Logic in Maude
Christiano Braga
Instituto de Computação Universidade Federal Fluminense