04 - Introduction To Formal Methods - 221215

Introduction to Formal Methods Dr-Ing.
Abderahman KRIOUILE
Contents
• Need for Formal Methods
• Formal Methods Definition
• Formal Modeling
• Temporal logics
• Model Checking
• CADP toolbox
linkedin.com/in/akriouile @A_KRIOUILE Dr. Abderahman KRIOUILE - Introduction to Formal Methods - ENSIAS 2015/2016 2
Example: Modeling using LTSs Peterson Algorithm

• Mutual exclusion problem var d0 : bool := false -- redden by P1, written by P0
– We consider 2 processes P0 and P1 sharing a var d1 : bool := false -- redden by P0, written by P1
var t ϵ {0, 1} := 0 -- redden/written by P0 and P1
memory
loop forever -- P0 loop forever – P1
– Can we ensure the mutual exclusion of the access { snc0 } { snc1 }
to the memory ? d0= true d1= true
t := 0 t := 1
• Several solutions “at software level” was wait (d1 = false or t=1) wait (d0 = false or t=0)
{ debutsc0 } { debutsc1 }
proposed to implement the mutual exclusion { finsc0 } { finsc1 }
(Peterson, Dekker, Knuth, etc.) d0=false
end loop
d1=false
end loop
G. L. Peterson. Myths about the mutual exclusion problem.

Information Processing Letters 12(3):115-116, June 13, 1981
Dr. Abderahman KRIOUILE - Introduction to Formal Methods - ENSIAS 2015/2016 3 Dr. Abderahman KRIOUILE - Introduction to Formal Methods - ENSIAS 2015/2016 4
Peterson: P0 and P1 Automata Peterson: d0, d1 and t Automata
P0 automaton: P1 automaton: d0 automaton: d1 automaton:

d0 := false ? d0 := false ?
1 snc0 1 snc1
d0 := false d1 := false
7 2 7 2 false false
finsc0 d0 := true finsc1 d1 := true d0 := false d0 := true d0 := false d0 := true
6 3 6 3 true true
debutsc0 t :=0 debutsc1 t :=1
d1 := false ? d0 := false ?
t automaton: t :=1
5 4 5 4
t :=0 ? 0 1 t :=1 ?
t=1? t=0?
t=0
ENSIAS Systèmes Embarqués et Mobiles 2015/2016 1

Introduction to Formal Methods Dr-Ing. Abderahman KRIOUILE
Peterson: System Architecture Peterson: System Architecture (2)

• There are several ways to express the
d0
d0 := false d0 := false ? architecture as an automate product, depending
snc0
d0 := true
snc1
on the order of assembling automata
debutsc0 t=1 ? t=1 debutsc1
P0 t P1
finsc0 t=0 t=0? finsc1 (P0 ⊗Ø P1) ⊗{d0:=false, (d0 ⊗Ø d1 ⊗Ø t)
d1 := true d0=true,
d1 := false ? d1 := false t := 0 …}
d1
((P0 ⊗Ø P1) ⊗{d0:=false, (d0 ⊗Ø d1)) ⊗{t := 0, t)

• Synchronized actions : “d0 := false”, “d0 := true”, … d0=true, t := 1,
…} …}
• Non-synchronized actions: snc0, debutsc0, …
Construction of the product automate Peterson: Product Automaton

• Adopted Method: exhaustive stat enumeration • S = { F , T } x { F , T } x { 0 , 1 } x { 1..7 } x { 1..7 }
– Construction of the stat space by forward exploring • A = {snc0, snc1, …, “d0=true”, …}
starting by the initial state.
– Transitions are generated from transition od each • s0 = < F, F, 0, 1, 1 > = FF011
automate • T=
FF011
– When a new stat is attained, we verify if this stat snc0 snc1
already known. If it is the case return to the FF021 FF012
d0:=T snc1 snc0 d1:=T
existent state
VF031 FF022 FV013
– Different strategies to explore: breadth-first, depth- t:=0 snc1 d0:=T d1:=T snc0 t:=1
first, guided by a criteria. VF041 VF032 FV023 FF114
Example: Peterson Algorithm in LNT

Remarks
(1/3)
• The Product automaton of the system is fined module Peterson is
process D [R, W : bool] is
|S| ≤ 2 × 2 × 2 × 7 × 7 = 392
var b : bool in
• In general, the set of accessible states from the b := false;
initial state is very small compared to the loop
Cartesian product of the variable values (i.e., select R (b) [] W (?b) end select
forbidden transitions) end loop
end var
• Peterson : ~50 states, ~110 transitions end process
• Automated tools are used to construct the […]
product automaton and to explore the transitions

Example: Peterson Algorithm in LNT Example: Peterson Algorithm in LNT

process P [Wm, Rn: bool, RT, WT: nat, NCS: none, CS: nat] (m: nat) is process Main [NCS : none, CS : nat] is
var dn : bool, t : nat in hide R0, W0, R1, W1 : bool, RT, WT : nat in
loop NCS; Wm (true); WT (m); par R0, W0, R1, W1, RT, WT in
par
loop wait in
P [W0, R1, RT, WT, NCS, CS] (0)
Rn (?dn); || P [W1, R0, RT, WT, NCS, CS] (1)
RT (?t); end par
if not (dn) or (t != m) then ||
CS (m); Wm (false); break wait par
end if T [RT, WT]
|| D [R0, W0]
end loop
|| D [R1, W1]
end loop
end par
end var end par
end process end hide
end process
end module
Verification Different kind of choices

• Once the product automation is generated, • External choice (the environment decides
several properties can be verified automatically which branch will be taken)
• For Peterson algorithm: a b The proposed branch by the environment will be
– No deadlock: each state has at least one successor chosen (if a and b proposed, ND choice)
– Mutual exclusion: for i,j ∈ {0,1} not debutsci to
debutscj unless finsci
• Internal choice (the system decide)
– No starvation (pas de famine): no process can
monopolize the critical section a a if the environment propose a, the system will
choose non-deterministically
– Independent progress: each process can have access
to the critical section if the other processes
LTS Comparison Strong Bisimulation

• Due to ND, make attention when comparing 2 • Two state s1 an s2 are bisimilar (s1 ≈ s2) iff:
LTS – For each s1-l->s1’, there is s2’ with s2-l->s2’ and
a a
• A1= a A2= L(A1)={a.b, a.c} s1’ and s2’ are strong bisimilar
b c b c L(A2)={a.b, a.c} – For each s2-l->s2’, there is s1’ with s1-l->s1’ and
• A1 and A2 have a different behavior in s1’ and s2’ are strong bisimilar
practice. • If one condition: simulation
• The equivalence of language is not sufficient • Remark: a bisimulation is more restrictive than
for parallelism theory: more strong two mutual simulations
equivalence are proposed (bisimulations)

Strong Bisimulation: example Double Simulation: example

• ∀ s-l->s’, (∃ t’) such that t-l->t’ et s’ ≈ t’ • Definition: s simulate t (s ~ t) iff
• ∀ t-l->t’, (∃ s’) such that s-l->s’ et s’ ≈ t’ • ∀ t-l->t’, (∃ s’) such that s-l->s’ et s’ ~ t’
s0 t0 s0 t0
a a a a a a
t1 t1’ t1 t1’
s1 c s1 c
b b c b b c
s2 s3 t2 t3 s2 s3 t2 t3
• We have: s2 ≈ t2 and s3 ≈ t3
• We have: s3~t3, s2~t2, s1~t1, s1~t1’ and s0~t0
• We have not: s1 ≈ t1, s1 ≈ t1’ et s0 ≈ t0 t2~s2 and t3~s3
• We have not: t1~s1, t1’~s1 and t0~s0
Double Simulation: Exercise Strong Bisimulation: Exercise

• Definition: s simulate t (s ~ t) iff • s ≈ t iff
• ∀ t-l->t’, (∃ s’) such that s-l->s’ et s’ ~ t’ – ∀ s-l->s’, (∃ t’) such that t-l->t’ et s’ ≈ t’
s0
– ∀ t-l->t’, (∃ s’) such that s-l->s’ et s’ ≈ t’
t0
a a a s0 t0
t1 t1’
s1 a a a
b c b c c t1 t1’
s1 c
s2 s3 t2 t3 b b c c
s2 s3 t2 t3
• We have: s3~t3, s2~t2, s1~t1, s1~t1’ and s0~t0
t2~s2, t3~s3, t1~s1 and t0~s0 • We have: s1 ≈ t1, s2 ≈ t2 and s3 ≈ t3
• We have not: t1’~s1 • We have not: s1 ≈ t1’ et s0 ≈ t0
What is model checking?

“Model checking is the method by which a
desired behavioral property of a reactive
system is verified over a given system (the
model) through exhaustive enumeration
(explicit or implicit) of all the states reachable
by the system and the behaviors that traverse
MODEL CHECKING through them.”
Amir Pnueli
Foreword to Model Checking
[Clarke-Grumberg-Peled-00]

Basic Model Checking Flow
p TEMPORAL LOGICS
q
A Temporal Logic can express Temporal Logic

• “an event A is always possible” • Formalism for describing evolutions of
• “an event A will eventually happen” program states over (logical) time
– Atomic propositions over states
• “an event A is always possible until an event B – Propositional logic operators (or, and, not …)
happens” – Tense operators (neXt, Until, Previous, Since,
Once, …)
Numerous temporal logics were proposed in the – Interpreted on state spaces
literature. • High-level specification style:
abstraction and modularity
Two principal families Linear time logics

Linear time logics VS Branching time logics • LTL operators are evaluated over sets of paths
Traces Vs Branching • over infinite, linear sequences of states:
“s[0] -> s[1] -> ... -> s[t] -> s[t + 1] -> ...”,
– s[t] expresses the tth state of a sequence

Linear time logics Linear time logics

• LTL temporal operators
– “Finally” (or “future”): “F p” is true in s[t] iff
p is true in some s[t’] with t’ > t
– “Globally” (or “always”): “G p” is true in s[t] iff
p is true in all s[t’] with t’ > t
– “Next”: “X p” is true in s[t] iff p is true in s[t + 1]
– “Until”: “p U q” is true in s[t] iff
q is true in some state s[t’] with t’ > t and
p is true in all states s[t”] with t < t” < t’
Branching time logics Branching time logics

• Considers a tree-like structured model of time
• Future is not determined;
there are different paths in the future
• CTL operators are evaluated over trees
• Every temporal operator (F; G; X; U) is preceded by a
path quantifier (A or E)
• A expresses universal modalities (or necessity) (AF;
AG; AX; AU)
• E expresses existential modalities (or possibility) (EF;
EG; EX; EU)
Linear-time vs branching-time State-based vs action-based

Other Temporal logics Acknowledgements

• Handling “data” or not Some of the material presented in these slides is courtesy of the
following people, listed in alphabetical order:
• Handling “time” or not
• Pham Ngoc Hung
• Handling “probability” or not
• Frédéric Lang
• …
• Radu Mateescu
• Laurence Pierre
• Wendelin Serwe
• David R. Wright

04 - Introduction To Formal Methods - 221215

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

04 - Introduction To Formal Methods - 221215

Uploaded by

Copyright:

Available Formats

Introduction to Formal Methods Dr-Ing.

Example: Modeling using LTSs Peterson Algorithm

G. L. Peterson. Myths about the mutual exclusion problem.

Peterson: P0 and P1 Automata Peterson: d0, d1 and t Automata

P0 automaton: P1 automaton: d0 automaton: d1 automaton:

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 1

Peterson: System Architecture Peterson: System Architecture (2)

((P0 ⊗Ø P1) ⊗{d0:=false, (d0 ⊗Ø d1)) ⊗{t := 0, t)

Construction of the product automate Peterson: Product Automaton

Example: Peterson Algorithm in LNT

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 2

Example: Peterson Algorithm in LNT Example: Peterson Algorithm in LNT

Verification Different kind of choices

LTS Comparison Strong Bisimulation

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 3

Strong Bisimulation: example Double Simulation: example

Double Simulation: Exercise Strong Bisimulation: Exercise

What is model checking?

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 4

Basic Model Checking Flow

A Temporal Logic can express Temporal Logic

Two principal families Linear time logics

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 5

Linear time logics Linear time logics

Branching time logics Branching time logics

Linear-time vs branching-time State-based vs action-based

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 6

Other Temporal logics Acknowledgements

ENSIAS Systèmes Embarqués et Mobiles 2015/2016 7

You might also like