1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of...
-
Upload
michael-arnold -
Category
Documents
-
view
219 -
download
0
Transcript of 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of...
![Page 1: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/1.jpg)
1
Softrare Reliability Methods
Prof. Doron A. PeledBar Ilan University,IsraelAndUniveristy of warwick,UK
Version 2008
![Page 2: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/2.jpg)
2
Some related books:
Also:Mainly:
http://www.dcs.warwick.ac.uk/~doron
![Page 3: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/3.jpg)
3
Goal: software reliability
Use software engineering methodologies to develop the code.
Use formal methods during code development
![Page 4: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/4.jpg)
4
What are formal methods?
Techniques for analyzing systems, based on some mathematics.
This does not mean that the user must be a mathematician.
Some of the work is done in an informal way, due to complexity.
![Page 5: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/5.jpg)
5
Examples for FM
Deductive verification:Using some logical formalism, prove formally that the software satisfies its specification.
Model checking:Use some software to automatically check that the software satisfies its specification.
Testing:Check executions of the software according to some coverage scheme.
![Page 6: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/6.jpg)
6
Typical situation:
Boss: Mark, I want that the new internet marketing software will be flawless. OK?
Mark: Hmmm. Well, ..., Aham, Oh! Ah??? Where do I start?
Bob: I have just the solution for you. It would solve everything.
![Page 7: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/7.jpg)
7
Some concerns
Which technique? Which tool? Which experts? What limitations? What methodology? At which points? How expensive? How many people?
Needed expertise. Kind of training. Size limitations. Exhaustiveness. Reliability. Expressiveness. Support.
![Page 8: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/8.jpg)
8
Badmouth
Formal methods can only be used by mathematicians.
The verification process is itself prone to errors, so why bother?
Using formal methods will slow down the project.
![Page 9: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/9.jpg)
9
Some answers...
Formal methods can only be used by mathematicians.
Wrong. They are based on some math but the user should not care.
The verification process is itself prone to errors, so why bother?
We opt to reduce the errors, not eliminate them.Using formal methods will slow down the
project.Maybe it will speed it up, once errors are found
earlier.
![Page 10: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/10.jpg)
10
Some exaggerations
Automatic verification can always find errors.
Deductive verification can show that the software is completely safe.
Testing is the only industrial practical method.
![Page 11: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/11.jpg)
11
Our approach
Learn several methods (deductive verification, model checking, testing process algebra).
Learn advantages and limitations, in order to choose the right methods and tools.
Learn how to combine existing methods.
![Page 12: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/12.jpg)
12
Emphasis
The process:Selecting the tools, Modeling,Verification, Locating errors.
Use of tools:Hands on. PVS, SPIN
Visual notation:Statecharts, MSCs, UML.
![Page 13: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/13.jpg)
13
Some emphasis
The process of selecting and using formal methods.
The appropriate notation. In particular, visual notation.
Hands-on experience with tools.
![Page 14: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/14.jpg)
14
The unbearable easiness of grading
During class, choose some small project in groups, e.g.,Explore some examples using tools.Implementing a simple algorithm.Dealing with new material.
or covering advanced subject.- Office presentation (1 hour).- Written description (2-3 pages +
computer output or 6-10 pages).- Class presentation (0.5-1.5 hours per
group).
![Page 15: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/15.jpg)
15
Example topics
Project:Verify some example
using some tools.Communication
protocols.Mutual exclusion.
Advanced topics:Abstractions.Reductions.Partitions.Static analysis.Verifying pushdown
automata.Verifying security
protocols.
![Page 16: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/16.jpg)
16
Where do we start?
Boss: Mark, can you verify this for me?
Mark: OK, first I have to ...
![Page 17: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/17.jpg)
17
Things to do
Check the kind ofsoftware to analyze.
Choose methods and tools.
Express system properties.
Model the software.
Apply methods.Obtain verification
results.Analyze results.Identify errors.Suggest correction.
![Page 18: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/18.jpg)
18
Different types of software
Sequential.Concurrent.Distributed.Reactive.Protocols.Abstract algorithms.Finite state.
![Page 19: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/19.jpg)
19
Specification:Informal, textual, visual
The value of x will be between 1 and 5, until some point where it will become 7. In any case it will never be negative.
(1<=x<=5 U (x=7/\ [] x>=0))
1<=x<=5 X=7
X>=0
![Page 20: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/20.jpg)
20
Verification methods
Finite state machines. Apply model checking.
Apply deductive verification (theorem proving).
Program too big, too complicated.Apply testing techniques.
Apply a combination of the above!
![Page 21: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/21.jpg)
21
Modeling
Use the program text.Translate to a programming language
embedded in some proof system.Translate to some notation (transition
system).Translate to finite automata.Use visual notation.Special case: black box system.
![Page 22: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/22.jpg)
22
Modeling Software Systems for Analysis
(Book: Chapter 4)
![Page 23: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/23.jpg)
23
Modelling and specification for verification and validation
How to specify what the software is supposed to do?
Can we use the UML model or parts of it?
How to model it in a way that allows us to check it?
![Page 24: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/24.jpg)
24
Systems of interest Sequential systems. Concurrent systems (multi-threaded).
1. Distributive systems.2. Reactive systems.3. Embedded systems
(software + hardware).
![Page 25: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/25.jpg)
25
Sequential systems.
Perform some computational task. Have some initial condition, e.g.,0in A[i] integer.
Have some final assertion, e.g., 0in-1 A[i]A[i+1].(What is the problem with this spec?)
Are supposed to terminate.
![Page 26: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/26.jpg)
26
Concurrent Systems
Involve several computation agents.Termination may indicate an abnormal
event (interrupt, strike).May exploit diverse computational
power.May involve remote components.May interact with users (Reactive).May involve hardware components
(Embedded).
![Page 27: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/27.jpg)
27
Problems in modeling systems Representing concurrency:
- Allow one transition at a time, or- Allow coinciding transitions.
Granularity of transitions. Assignments and checks? Application of methods?
Global (all the system) or local (one thread at a time) states.
![Page 28: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/28.jpg)
28
Modeling.The states based model.
V={v0,v1,v2, …} - a set of variables, over some domain.
p(v0, v1, …, vn) - a parametrized assertion, e.g.,
v0=v1+v2 /\ v3>v4. A state is an assignment of values to the program
variables. For example: s=<v0=1,v1=3,v3=7,…,v18=2>
For predicate (first order assertion) p:p(s) is p under the assignment s.Example: p is x>y /\ y>z. s=<x=4, y=3, z=5>.Then we have 4>3 /\ 3>5, which is false.
![Page 29: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/29.jpg)
29
State space
The state space of a program is the set of all possible states for it.
For example, if V={a, b, c} and the variables are over the naturals, then the state space includes: <a=0,b=0,c=0>,<a=1,b=0,c=0>, <a=1,b=1,c=0>,<a=932,b=5609,c=6658>…
![Page 30: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/30.jpg)
30
Atomic Transitions
Each atomic transition represents a small piece of code such that no smaller piece of code is observable.
Is a:=a+1 atomic? In some systems, e.g., when a is a
register and the transition is executed using an inc command.
![Page 31: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/31.jpg)
31
Non atomicity
Execute the following when a=0 in two concurrent processes:
P1:a=a+1 P2:a=a+1 Result: a=2. Is this always the
case?
Consider the actual translation:
P1:load R1,a inc R1 store R1,aP2:load R2,a inc R2 store R2,a a may be also 1.
![Page 32: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/32.jpg)
32
Scenario
P1:load R1,a
inc R1
store R1,a
P2:load R2,a inc R2 store R2,a
a=0
R1=0
R2=0
R1=1
R2=1
a=1
a=1
![Page 33: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/33.jpg)
33
Representing transitions
Each transition has two parts: The enabling condition: a predicate. The transformation: a multiple assignment.
For example:a>b (c,d ):=(d,c )This transition can be executed in states where a>b. The result of executing it isswitching the value of c with d.
![Page 34: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/34.jpg)
34
Initial condition
A predicate I. The program can
start from states s such that I (s) holds.
For example:I (s)=a >b /\ b >c.
![Page 35: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/35.jpg)
35
A transition system
A (finite) set of variables V over some domain.
A set of states . A (finite) set of transitions T, each
transition e t has an enabling condition e, and a transformation t.
An initial condition I.
![Page 36: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/36.jpg)
36
Example
V={a, b, c, d, e}. : all assignments of natural
numbers for variables in V. T={c >0(c,e):=(c -1,e +1),
d >0(d,e):=(d -1,e +1)} I: c =a /\ d =b /\ e =0 What does this transition system
do?
![Page 37: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/37.jpg)
37
The interleaving model
An execution is a maximal finite or infinite sequence of states s0, s1, s2, …That is: finite if nothing is enabled from the last state.
The first state s0 satisfies the initial condition, I.e., I (s0).
Moving from one state si to its successor si+1 is by executing a transition et: e (si), i.e., si satisfies e. si+1 is obtained by applying t to si.
![Page 38: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/38.jpg)
38
Example:
s0=<a=2, b=1, c=2, d=1, e=0>
s1=<a=2, b=1, c=1, d=1, e=1>
s2=<a=2, b=1, c=1, d=0, e=2>
s3=<a=2, b=1 ,c=0, d=0, e=3>
T={c>0(c,e):=(c -1,e +1),
d>0(d,e):=(d-1,e+1)}
I: c=a /\ d=b /\ e=0
![Page 39: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/39.jpg)
39
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0PC0:=NC0T1:PC0=NC0/\Turn=0 PC0:=CR0T2:PC0=CR0 (PC0,Turn):=(L0,1)T3:PC1=L1PC1=NC1T4:PC1=NC1/\Turn=1 PC1:=CR1T5:PC1=CR1 (PC1,Turn):=(L1,0) Initially: PC0=L0/\PC1=L1
The transitions
Is this the only reasonable way to model this program?
![Page 40: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/40.jpg)
40
The state graph:Successor relation between reachable states.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1T0 T0T3 T3
T1 T4T3
T0 T3
T0
T0 T4T1 T3
T2
T2
T5
T5
![Page 41: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/41.jpg)
41
Some important points
Reachable states: obtained from an initial state through a sequence of enabled transitions.
Executions: the set of maximal paths (finite or terminating in a node where nothing is enabled).
Nondeterministic choice: when more than a single transition is enabled at a given state. We have a nondeterministic choice when at least one node at the state graph has more than one successor.
![Page 42: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/42.jpg)
42
Always ¬(PC0=CR0/\PC1=CR1)(Mutual exclusion)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 43: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/43.jpg)
43
Always if Turn=0 then at some point Turn=1
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 44: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/44.jpg)
44
Always if Turn=0 then at some point Turn=1
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 45: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/45.jpg)
45
Interleaving semantics:Execute one transition at a time.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Need to check the property
for every possible interleaving!
![Page 46: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/46.jpg)
46
Interleaving semantics
Turn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Turn=0L0,L1
Turn=0L0,NC1
![Page 47: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/47.jpg)
47
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0PC0:=NC0T1:PC0=NC0/\Turn=0PC0:=CR0T1’:PC0=NC0/\Turn=1PC0:=NC0T2:PC0=CR0(PC0,Turn):=(L0,1)
T3:PC1==L1PC1=NC1T4:PC1=NC1/\Turn=1PC1:=CR1T4’:PC1=NC1/\Turn=0PC1:=NC1T5:PC1=CR1(PC1,Turn):=(L1,0)
Initially: PC0=L0/\PC1=L1
Busy waiting
![Page 48: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/48.jpg)
48
Always when Turn=0 then at some point Turn=1
Now it does not hold!(Red subgraph generates a counterexample execution.)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1T4’ T1’
![Page 49: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/49.jpg)
49
Combinatorial explosion
V1:=1
V1:=3
V1:=2
Vn:=1
Vn:=3
Vn:=2…
How many states?
![Page 50: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/50.jpg)
50
Global states
3n states
v1=1,v2=1…vn=1
v1=2,v2=1…vn=1 v1=1,v2=1…vn=2…
v1=3,v2=1…vn=1 …
…
v1=1,v2=1…vn=3
![Page 51: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/51.jpg)
51
Specification Formalisms
(Book: Chapter 5)
![Page 52: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/52.jpg)
52
Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct. Spec. of reasonable size. Effective.
Check that there are no contradictions. Check that the spec. is implementable. Check that the implementation satisfies spec.
Expressive. May be used to generate initial code.Specifying the implementation or its
properties?
![Page 53: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/53.jpg)
53
A transition system
A (finite) set of variables V. A set of states . A (finite) set of transitions T, each transition
et has an enabling condition e and a
transformation t. An initial condition I. Denote by R(s, s’) the fact that s’ is a
successor of s.
![Page 54: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/54.jpg)
54
The interleaving model
An execution is a finite or infinite sequence of states s0, s1, s2, …
The initial state satisfies the initial condition, I.e., I (s0).
Moving from one state si to si+1 is by executing a transition et: e(si), I.e., si satisfies e. si+1 is obtained by applying t to si.
Lets assume all sequences are infinite by extending finite ones by “stuttering” the last state.
![Page 55: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/55.jpg)
55
Temporal logic
Dynamic, speaks about several “worlds” and the relation between them.
Our “worlds” are the states in an execution.
There is a linear relation between them, each two sequences in our execution are ordered.
Interpretation: over an execution, later over all executions.
![Page 56: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/56.jpg)
56
LTL: Syntax
::= () | ¬ | /\ \/ U |O | p
“box”, “always”, “forever”“diamond”, “eventually”,
“sometimes”O “nexttime”U“until”Propositions p, q, r, … Each represents some
state property (x>y+1, z=t, at_CR, etc.)
![Page 57: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/57.jpg)
57
Semantics over suffixes of execution
O
U
![Page 58: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/58.jpg)
58
Can discard some operators
Instead of <>p, write true U p. Instead of []p, we can write
¬(<>¬p),or ¬(true U ¬p).Because []p=¬¬[]p.¬[]p means it is not true that p holds forever, or at some point ¬p holds or <>¬p.
![Page 59: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/59.jpg)
59
Combinations
[]<>p “p will happen infinitely often”
<>[]p “p will happen from some point forever”.
([]<>p) ([]<>q) “If p happens infinitely often, then q also happens infinitely often”.
![Page 60: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/60.jpg)
60
Some relations: [](/\)=([])/\([]) But <>(/\)(<>)/\(<>)
<>(\/)=(<>)\/(<>) But [](\/)([])\/([])
![Page 61: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/61.jpg)
61
What about
([]<>)/\([]<>)=[]<>(/\)?
([]<>)\/([]<>)=[]<>(\/)?
(<>[])/\(<>[])=<>[](/\)?
(<>[])\/(<>[])=<>[](\/)?
No, just
Yes!!!Yes!!!
No, just
![Page 62: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/62.jpg)
62
Formal semantic definition Let be a sequence s0 s1 s2 … Let i be a suffix of : si si+1 si+2 … (0 = ) i |= p, where p a proposition, if si|=p. i |= /\ if i |= and i |= . i |= \/ if i |= or i |= . i |= ¬ if it is not the case that i |= . i |= <> if for some ji, j |= . i |= [] if for each ji, j |= . i |= U if for some ji, j|=
and for each ik<j, k |=.
![Page 63: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/63.jpg)
63
Then we interpret: For a state:
s|=p as in propositional logic. For an execution:|= is interpreted over a sequence, as in previous slide.
For a system/program:P|=holds if |= for every sequence of P.
![Page 64: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/64.jpg)
64
Spring Example
s1 s3s2
pull
release
releaseextended
malfunction
extended
r0 = s1 s2 s1 s2 s1 s2 s1 …
r1 = s1 s2 s3 s3 s3 s3 s3 …
r2 = s1 s2 s1 s2 s3 s3 s3 …
…
![Page 65: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/65.jpg)
65
LTL satisfaction by a single sequence
malfunction
s1 s3s2pull
release
releaseextende
dextended
r2 = s1 s2 s1 s2 s3 s3 s3 …
r2 |= extended ??
r2 |= O extended ??
r2 |= O O extended ??
r2 |= <> extended ??
r2 |= [] extended ??
r2 |= <>[] extended ??
r2 |= ¬ <>[] extended ??
r2 |= (¬extended) U malfunction ??
r2 |= [](¬extended->O extended) ??
![Page 66: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/66.jpg)
66
LTL satisfaction by a system
malfunction
s1 s3s2pull
release
releaseextende
dextended
P |= extended ??
P |= O extended ??
P |= O O extended ??
P |= <> extended ??
P|= [] extended ??
P |= <>[] extended ??
P |= ¬ <>[] extended ??
P |= (¬extended) U malfunction ??
P |= [](¬extended->O extended) ??
![Page 67: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/67.jpg)
67
More specifications
[] (PC0=NC0 <> PC0=CR0) [] (PC0=NC0 U Turn=0) Try at home:
- The processes alternate in entering their critical sections.- Each process enters its critical section infinitely often.
![Page 68: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/68.jpg)
68
Proof system ¬<>p<-->[]¬p [](pq)([]p[]q) []p(p/\O[]p) O¬p<-->¬Op [](pOp)(p[]p) (pUq)<-->(q\/(p/\
O(pUq))) (pUq)<>q
+ propositional logic axiomatization.
+ proof rule: _p_ []p
![Page 69: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/69.jpg)
69
Traffic light example
Green Yellow Red Always has exactly one light:
[](¬(gr/\ye)/\¬(ye/\re)/\¬(re/\gr)/\(gr\/ye\/re))Correct change of color:
[]((grU ye)\/(yeU re)\/(reU gr))
![Page 70: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/70.jpg)
70
Another kind of traffic light
GreenYellowRedYellowFirst attempt:
[](((gr\/re) U ye)\/(ye U (gr\/re)))
Correct specification:[]( (gr(gr U (ye /\ ( ye U re ))))
/\(re(re U (ye /\ ( ye U gr ))))
/\(ye(ye U (gr \/ re))))
Needed only when wecan start with yellow
![Page 71: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/71.jpg)
71
Properties of sequential programs
init-when the program starts and satisfies the initial condition.
finish-when the program terminates and nothing is enabled.
Partial correctness: init/\[](finish) Termination: init/\<>finish Total correctness: init/\<>(finish/\ ) Invariant: init/\[]
![Page 72: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/72.jpg)
72
Automata over finite words A=<, S, , I, F> (finite) - the alphabet. S (finite) - the states. S x x S - the transition relation. I S - the starting states. F S - the accepting states.
a
a
b
bs0 s1
![Page 73: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/73.jpg)
73
The transition relation
(s0, a, s0) (s0, b, s1) (s1, a, s0) (s1, b, s1)
a
a
b
bs0 s1
![Page 74: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/74.jpg)
74
A run over a word A word over , e.g., abaab. A sequence of states, e.g. s0 s0 s1 s0 s0 s1. Starts with an initial state. Follows the transition relation (si, ci , si+1). Accepting if ends at accepting state.
a
a
b
bs0 s1
![Page 75: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/75.jpg)
75
The language of an automaton
The words that are accepted by the automaton.
Includes aabbba, abbbba. Does not include abab, abbb. What is the language?
a
a
b
bs0 s1
![Page 76: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/76.jpg)
76
Nondeterministic automaton
Transitions: (s0,a ,s0), (s0,b ,s0), (s0,a ,s1),(s1,a ,s1).
What is the language of this automaton?
a,b aas0
s1
![Page 77: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/77.jpg)
77
Equivalent deterministic automaton
b
a
as0 s1
b
a,b a as0 s1
![Page 78: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/78.jpg)
78
Automata over infinite words Similar definition. Runs on infinite words over . Accepts when an accepting state
occurs infinitely often in a run.
a
a
b
bs0 s1
![Page 79: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/79.jpg)
79
Automata over infinite words Consider the word abababab… There is a run s0s0s1s0s1s0s1 … This run in accepting, since s0
appears infinitely many times.
a
a
b
bs0 s1
![Page 80: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/80.jpg)
80
Other runs For the word bbbbb… the run is
s0 s1 s1 s1 s1… and is not accepting. For the word aaabbbbb …, the
run is s0 s0 s0 s0 s1 s1 s1 s1 … What is the run for ababbabbb …?
a
a
b
bs0 s1
![Page 81: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/81.jpg)
81
Nondeterministic automaton
What is the language of this automaton? What is the LTL specification if
b -- PC0=CR0, a =¬b?
•Can you find a deterministic automaton with same language?
•Can you prove there is no such deterministic automaton?
a,b a as0 s1
![Page 82: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/82.jpg)
82
No deterministic automaton for (a+b)*aω
In a deterministic automaton there is one run for each word.
After some sequence of a’s, i.e., aaa…a must reach some accepting state.
Now add b, obtaining aaa…ab. After some more a’s, i.e., aaa…abaaa…a must
reach some accepting state. Now add b, obtaining aaa…abaaa…ab. Continuing this way, one obtains a run that
has infinitely many b’s but reaches an accepting state(in a finite automaton, at least one would repeat) infinitely often.
![Page 83: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/83.jpg)
83
Specification using Automata
Let each letter correspond to some propositional property.
Example: a -- P0 enters critical section, b -- P0 does not enter section.
[]<>PC0=CR0
a
a
b
bs0 s1
![Page 84: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/84.jpg)
84
Mutual Exclusion
a -- PC0=CR0/\PC1=CR1 b -- ¬(PC0=CR0/\PC1=CR1) c -- true []¬(PC0=CR0/\PC1=CR1)
b a cs0 s1
![Page 85: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/85.jpg)
85
L0:While True do NC0:wait(Turn=0); CR0:Turn=1endwhile ||L1:While True do NC1:wait(Turn=1); CR1:Turn=0endwhile
T0:PC0=L0PC0=NC0T1:PC0=NC0/\Turn=0 PC0:=CR0T2:PC0=CR0 (PC0,Turn):=(L0,1)T3:PC1==L1PC1=NC1T4:PC1=NC1/\Turn=1 PC1:=CR1T5:PC1=CR1 (PC1,Turn):=(L1,0)
Initially: PC0=L0/\PC1=L1
Apply now to our program:
![Page 86: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/86.jpg)
86
The state space
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 87: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/87.jpg)
87
[]¬(PC0=CR0/\PC1=CR1)(Mutual exclusion)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 88: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/88.jpg)
88
[](Turn=0 <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 89: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/89.jpg)
89
Interleaving semantics:Execute one transition at a time.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=1L0,CR1
Turn=1L0,NC1
Need to check the property
for every possible interleaving!
![Page 90: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/90.jpg)
90
[](Turn=0 <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 91: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/91.jpg)
91
Correctness condition
We want to find a correctness condition for a model to satisfy a specification.
Language of a model: L(Model) Language of a specification:
L(Spec).
We need: L(Model) L(Spec).
![Page 92: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/92.jpg)
92
Correctness
All sequences
Sequences satisfying Spec
Program executions
![Page 93: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/93.jpg)
93
Incorrectness
All sequences
Sequences satisfying Spec
Program executions
Counter
examples
![Page 94: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/94.jpg)
94
Automatic Verification
(Book: Chapter 6)
![Page 95: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/95.jpg)
95
How can we check the model?
The model is a graph. The specification should refer the
the graph representation. Apply graph theory algorithms.
![Page 96: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/96.jpg)
96
What properties can we check?
Invariant: a property that needs to hold in each state.
Deadlock detection: can we reach a state where the program is blocked?
Dead code: does the program have parts that are never executed.
![Page 97: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/97.jpg)
97
How to perform the checking?
Apply a search strategy (Depth first search, Breadth first search).
Check states/transitions during the search.
If property does not hold, report counter example!
![Page 98: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/98.jpg)
98
If it is so good, why learn deductive verification methods?
Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures:
queues trees stacks
parametric algorithms and systems.
![Page 99: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/99.jpg)
99
The state space explosion
Need to represent the state space of a program in the computer memory. Each state can be as big as the entire
memory! Many states:
Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities.
In concurrent protocols, the number of states usually grows exponentially with the number of processes.
![Page 100: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/100.jpg)
100
If it is so constrained, is it of any use?
Many protocols are finite state. Many programs or procedure are finite
state in nature. Can use abstraction techniques.
Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving.
Many techniques to reduce the state space explosion.
![Page 101: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/101.jpg)
101
Depth First Search
Program DFSFor each s such that
Init(s) dfs(s)end DFS
Procedure dfs(s)for each s’ such
that R(s,s’) do
If new(s’) then dfs(s’)
end dfs.
![Page 102: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/102.jpg)
102
Start from an initial state
q3
q4
q2
q1
q5
q1
q1
Stack:
Hash table:
![Page 103: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/103.jpg)
103
Continue with a successor
q3
q4
q2
q1
q5
q1 q2
q1
q2
Stack:
Hash table:
![Page 104: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/104.jpg)
104
One successor of q2.
q3
q4
q2
q1
q5
q1 q2 q4
q1
q2
q4
Stack:
Hash table:
![Page 105: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/105.jpg)
105
Backtrack to q2 (no new successors for q4).
q3
q4
q2
q1
q5
q1 q2 q4
q1
q2
Stack:
Hash table:
![Page 106: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/106.jpg)
106
Backtracked to q1
q3
q4
q2
q1
q5
q1 q2 q4
q1
Stack:
Hash table:
![Page 107: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/107.jpg)
107
Second successor to q1.
q3
q4
q2
q1
q5
q1 q2 q4 q3
q1
q3
Stack:
Hash table:
![Page 108: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/108.jpg)
108
Backtrack again to q1.
q3
q4
q2
q1
q5
q1 q2 q4 q3
q1
Stack:
Hash table:
![Page 109: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/109.jpg)
109
How can we check properties with DFS?
Invariants: check that all reachable statessatisfy the invariant property. If not, showa path from an initial state to a bad state.
Deadlocks: check whether a state where noprocess can continue is reached.
Dead code: as you progress with the DFS, mark all the transitions that are executed at least once.
![Page 110: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/110.jpg)
110
The state graph:Successor relation between states.
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 111: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/111.jpg)
111
¬(PC0=CR0/\PC1=CR1) is an invariant!
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 112: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/112.jpg)
112
Want to do more!
Want to check more properties. Want to have a unique algorithm to
deal with all kinds of properties. This is done by writing specification
in more complicated formalisms. We will see that in the next lecture.
![Page 113: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/113.jpg)
113
[](Turn=0 <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 114: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/114.jpg)
114
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
init
New initial stateConvert graph into Buchi automaton
![Page 115: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/115.jpg)
115
Turn=0L0,L1
Turn=1L0,L1
init
•Propositions are attached to incoming nodes.
•All nodes are accepting.
Turn=1L0,L1
Turn=0L0,L1
![Page 116: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/116.jpg)
116
Correctness condition
We want to find a correctness condition for a model to satisfy a specification.
Language of a model: L(Model) Language of a specification:
L(Spec).
We need: L(Model) L(Spec).
![Page 117: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/117.jpg)
117
Correctness
All sequences
Sequences satisfying Spec
Program executions
![Page 118: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/118.jpg)
118
How to prove correctness?
Show that L(Model) L(Spec). Equivalently: ______
Show that L(Model) L(Spec) = Ø. Also: can obtain Spec by
translating from LTL!
![Page 119: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/119.jpg)
119
What do we need to know?
How to intersect two automata? How to complement an
automaton? How to translate from LTL to an
automaton?
![Page 120: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/120.jpg)
120
Intersecting M1=(S1,,T1,I1,A1) and M2=(S2,,T2,I2,S2)
Run the two automata in parallel. Each state is a pair of states: S1 x S2
Initial states are pairs of initials: I1 x I2
Acceptance depends on first component: A1 x S2
Conforms with transition relation:(x1,y1)-a->(x2,y2) whenx1-a->x2 and y1-a->y2.
![Page 121: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/121.jpg)
121
Example (all states of second automaton accepting!)
a
bct0 t1
a
a
b,c
b,cs0 s1
States: (s0,t0), (s0,t1), (s1,t0), (s1,t1).
Accepting: (s0,t0), (s0,t1). Initial: (s0,t0).
![Page 122: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/122.jpg)
122
a
bct0 t1
a
a
b,c
b,cs0 s1
s0,t0
s0,t1
s1,t1
s1,t0b
b
a
c
a
c
![Page 123: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/123.jpg)
123
More complicated when A2S2
a
b
ct0 t1
a
a
b,cb,cs0 s1
Should we have acceptance when both components accepting? I.e., {(s0,t1)}?
No, consider (ba)
It should be accepted, but never passes that state.
s0,t0
s0,t1
s1,t1
b
a
c
a
c
![Page 124: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/124.jpg)
124
More complicated when A2S2
a
b
ct0 t1
a
a
b,cb,cs0 s1
Should we have acceptance when at least one components is accepting? I.e., {(s0,t0),(s0,t1),(s1,t1)}?No, consider b c
It should not be accepted, but here will loop through (s1,t1)
s0,t0
s0,t1
s1,t1
b
c
a
c
a
![Page 125: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/125.jpg)
125
Intersection - general case
q0 q2
q3q1
q0,q3 q1,q3q1,q2
a a, c
c
c, bb
c
c
b
a
![Page 126: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/126.jpg)
126
Version 0: to catch q0
Version 1: to catch q2
q0,q3 q1,q3q1,q2
q0,q3 q1,q3q1,q2
Move when see accepting of left (q0)
Move when see accepting of right (q2)
Version 0
Version 1
c
c
c
c
b
a
b
a
![Page 127: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/127.jpg)
127
Version 0: to catch q0
Version 1: to catch q2
q0,q3 q1,q3q1,q2
q0,q3 q1,q3q1,q2
Move when see accepting of left (q0)
Move when see accepting of right (q2)
Version 0
Version 1
c
c
c
c
b
a
b
a
![Page 128: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/128.jpg)
128
Make an accepting state in one of the version according to a component accepting state
q0,q3,0 q1,q3,0q1,q2,0
q0,q3,1 q1,q3 ,1q1,q2 ,1
Version 1
Version 0
c
c
c
c
b
ab
a
![Page 129: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/129.jpg)
129
How to check for emptiness?
s0,t0
s0,t1
s1,t1
b
a
c
a
c
![Page 130: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/130.jpg)
130
Emptiness...
Need to check if there exists an accepting run (passes through an accepting state infinitely often).
![Page 131: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/131.jpg)
131
Strongly Connected Component (SCC)
A set of states with a path between each pair of them.
Can use Tarjan’s DFS algorithm for finding maximal SCC’s.
![Page 132: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/132.jpg)
132
Finding accepting runs
If there is an accepting run, then at least one accepting state repeats on it forever.
Look at a suffix of this run where all the states appear infinitely often.
These states form a strongly connected component on the automaton graph, including an accepting state.
Find a component like that and form an accepting cycle including the accepting state.
![Page 133: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/133.jpg)
133
Equivalently...
A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.
![Page 134: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/134.jpg)
134
How to complement?
Complementation is hard! Can ask for the negated property (the
sequences that should never occur). Can translate from LTL formula to
automaton A, and complement A. But:can translate ¬ into an automaton directly!
![Page 135: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/135.jpg)
135
Model Checking under Fairness
Express the fairness as a property φ.To prove a property ψ under fairness,model check φψ.
Fair (φ)
Bad (¬ψ) Program
Counter
example
![Page 136: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/136.jpg)
136
Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a
transition from P, or it contains a state where P is
disabled.
![Page 137: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/137.jpg)
137
Translating from logic to automata
(Book: Chapter 6)
![Page 138: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/138.jpg)
138
Why translating?
Want to write the specification in some logic.
Want model-checking tools to be able to check the specification automatically.
![Page 139: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/139.jpg)
139
Generalized Büchi automata
Acceptance condition F is a setF={f1 , f2 , … , fn } where each fi is a set of states.
To accept, a run needs to pass infinitely often through a state from every set fi .
![Page 140: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/140.jpg)
140
Translating into simple Büchi automaton
q0 q2q1
q0 q2q1
Version 0
Version 1
c
c
c
c
b
a
b
a
![Page 141: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/141.jpg)
141
Translating into simple Büchi automaton
q0 q2q1
q0 q2q1
Version 0
Version 1
c
c
c
c
b
b
a
![Page 142: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/142.jpg)
142
Translating into simple Büchi automaton
q0 q2q1
q0 q2q1
Version 0
Version 1
c
c
c
c
b
a
b
a
![Page 143: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/143.jpg)
143
Preprocessing
Convert into normal form, where negation only applies to propositional variables.
¬[] becomes <>¬. ¬<> becomes [] ¬. What about ¬ ( U )? Define operator R such that
¬ ( U ) = (¬) R (¬), ¬ ( R ) = (¬) U (¬).
![Page 144: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/144.jpg)
144
Semantics of pR q
p
qqq qq qq
q
q qqq
¬p¬p¬p
¬p ¬p ¬p ¬p ¬p ¬p ¬p ¬p¬p
¬p
![Page 145: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/145.jpg)
145
Replace ¬true by false, and ¬false by true.
Replace ¬ ( \/ ) by (¬) /\ (¬) and ¬ ( /\ ) by (¬) \/ (¬)
![Page 146: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/146.jpg)
146
Eliminate implications, <>, []
Replace -> by (¬ ) \/ . Replace <> by (true U ). Replace [] by (false R ).
![Page 147: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/147.jpg)
147
Example
Translate ( []<>P ) ( []<>Q ) Eliminate implication ¬( []<>P ) \/ ( []<>Q ) Eliminate [], <>:
¬( false R ( true U P ) ) \/ ( false R ( true U Q ) )
Push negation inwards:(true U (false R ¬ P ) ) \/ ( false R ( true U Q ) )
![Page 148: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/148.jpg)
148
The data structure
Incoming
New Old
NextName
![Page 149: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/149.jpg)
149
The main idea
U = \/ ( /\ O ( U ) ) R = /\ ( \/ O ( R ) ) This separates the formulas to two
parts:one holds in the current state, and the otherin the next state.
![Page 150: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/150.jpg)
150
How to translate?
Take one formula from “New” and add it to “Old”.
According to the formula, either Split the current node into two, or Evolve the node into a new version.
![Page 151: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/151.jpg)
151
Splitting
Incoming
New Old
Next
Incoming
New Old
Next
Incoming
New Old
Next
Copy incoming edges, update other field.
![Page 152: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/152.jpg)
152
Evolving
Incoming
New Old
Next
Incoming
New Old
Next
Copy incoming edges, update other field.
![Page 153: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/153.jpg)
153
Possible cases:
U , split: Add to New, add U to Next. Add to New.Because U = \/ ( /\ O (U )).
R , split: Add to New. Add to New, R to Next.Because R = /\ ( \/ O ( R )).
![Page 154: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/154.jpg)
154
More cases:
\/ , split: Add to New. Add to New.
/\ , evolve: Add to New.
O , evolve: Add to Next.
![Page 155: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/155.jpg)
155
How to start?
Incoming
New Old
Next
init
aU(bUc)
![Page 156: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/156.jpg)
156
Incoming
init
aU(bUc)
Incoming Incoming
aU(bUc)aU(bUc) bUc
aU(bUc)
a
init init
![Page 157: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/157.jpg)
157
Incoming
aU(bUc)bUc
init initIncoming Incoming
aU(bUc)aU(bUc) c
(bUc)
bbUc bUc
![Page 158: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/158.jpg)
158
When to stop splitting?
When “New” is empty. Then compare against a list of existing
nodes “Nodes”: If such a with same “Old”, “Next” exists,
just add the incoming edges of the new versionto the old one.
Otherwise, add the node to “Nodes”. Generate a successor with “New” set to “Next” of father.
![Page 159: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/159.jpg)
159
Incoming
a,aU(bUc)
aU(bUc)
init
Incoming
aU(bUc)
Creating a successor node.
When we enter to Nodes a new node (with different Old or Next than any other node), we start a new node by copying Next to New, and making an edge to the new successor.
![Page 160: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/160.jpg)
160
How to obtain the automaton?
There is an edge from node X to Y labeled with propositions P (negated or non negated), if X is in the incoming list of Y, and Y has propositions P in field “Old”.
Initial node is init.
Incoming
New Old
Next
X
Node Y
a, b, ¬c
![Page 161: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/161.jpg)
161
The resulted nodes.
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
![Page 162: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/162.jpg)
162
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
All nodes with incoming edge from “init”.
Initial nodes
![Page 163: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/163.jpg)
163
Include only atomic propositions
Init
a
b
c
cb
![Page 164: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/164.jpg)
164
Acceptance conditions
Use “generalized Buchi automata”, wherethere are several acceptance sets f1, f2, …, fn, and each accepted infinite sequence must include at least one state from each set infinitely often.
Each set corresponds to a subformula of form U. Guarantees that it is never the case that U holds forever, without .
![Page 165: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/165.jpg)
165
Accepting w.r.t. bU c
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
All nodes with c, or without bUc.
![Page 166: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/166.jpg)
166
Acceptance w.r.t. aU (bU c)
a, aU(bUc) b, bUc, aU(bUc) c, bUc, aU(bUc)
b, bUc c, bUc
All nodes with bUc or without aU(bUc).
![Page 167: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/167.jpg)
167
The SPIN System
![Page 168: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/168.jpg)
168
What is SPIN?
Model-checker. Based on automata theory. Allows LTL or automata
specification Efficient (on-the-fly model
checking, partial order reduction). Developed in Bell Laboratories.
![Page 169: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/169.jpg)
169
Documentation
Paper: The model checker SPIN,G.J. Holzmann, IEEE Transactions on Software Engineering, Vol 23, 279-295.
Web: http://www.spinroot.com
![Page 170: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/170.jpg)
170
The language of SPIN
The expressions are from C. The communication is from CSP. The constructs are from Guarded
Command.
![Page 171: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/171.jpg)
171
Expressions
Arithmetic: +, -, *, /, % Comparison: >, >=, <, <=, ==,
!= Boolean: &&, ||, ! Assignment: = Increment/decrement: ++, --
![Page 172: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/172.jpg)
172
Declaration
byte name1, name2=4, name3; bit b1,b2,b3; short s1,s2; int arr1[5];
![Page 173: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/173.jpg)
173
Message types and channels
mtype = {OK, READY, ACK} mtype Mvar = ACK
chan Ng=[2] of {byte, byte, mtype}, Next=[0] of {byte}Ng has a buffer of 2, each message consists of two bytes and an enumerable type (mtype).Next is used with handshake message passing.
![Page 174: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/174.jpg)
174
Sending and receiving a message
Channel declaration:
chan qname=[3] of {mtype, byte, byte}
In sender:
qname!tag3(expr1, expr2)or equivalently:qname!tag3, expr1, expr2
In Receiver:
qname?tag3(var1,var2)
![Page 175: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/175.jpg)
175
Defining an array of channels
Channel declaration: chan qname=[3] of {mtype, byte,
byte}defines a channel with buffer size 3.
chan comm[5]=[0] of {byte, byte}defines an array of channels (indexed 0 to 4. Communication is synchronous (handshaking), meaning that the sender waits for the receiver.
![Page 176: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/176.jpg)
176
Condition
if:: x%2==1 -> z=z*y; x--:: x%2==0 -> y=y*y; x=x/2fi
If more than one guard is enabled: a nondeterministic choice.
If no guard is enabled: the process waits (until a guard becomes enabled).
![Page 177: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/177.jpg)
177
Looping
do:: x>y -> x=x-y:: y>x -> y=y-x:: else breakod;
Normal way to terminate a loop: with break. (or goto).
As in condition, we may have a nondeterministic loop or have to wait.
![Page 178: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/178.jpg)
178
Processes
Definition of a process: proctype prname (byte Id; chan Comm){ statements}
Activation of a process:run prname (7, Con[1]);
![Page 179: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/179.jpg)
179
init process is the root of activating all others
init { statements }init {byte I=0; atomic{do ::I<10 -> run prname(I, chan[I]);
I=I+1 ::I=10 -> break; od}}atomic allows performing several actions as
one atomic step.
![Page 180: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/180.jpg)
180
Exmaples of Mutual exclusion
Reference:A. Ben-Ari, Principles of Concurrent
and Distributed Programs, Prentice-Hall 1990.
![Page 181: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/181.jpg)
181
General structure
loop
Non_Critical_Section;
TR:Pre_Protocol; CR:Critical_Section; Post_protocol;end loop;
Propositions:inCRi, inTRi.
![Page 182: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/182.jpg)
182
Properties
loop
Non_Critical_Section;
TR:Pre_Protocol; CR:Critical_Section; Post_protocol;end loop;
Assumption:~<>[]inCRiRequirements:[]~(inCR0/\inCR1)[](inTRi<>inCRi)Not assuming:[]<>inTRi
![Page 183: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/183.jpg)
183
Turn:bit:=1;
task P0 is
begin
loop
Non_Critical_Sec;
Wait Turn=0;
Critical_Sec;
Turn:=1;
end loop
end P0.
task P1 is
begin
loop
Non_Critical_Sec;
Wait Turn=1;
Critical_Sec;
Turn:=0;
end loop
end P1.
![Page 184: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/184.jpg)
184
Translating into SPIN
#define critical (incrit[0] ||incrit[1])
byte turn=0, incrit[2]=0;proctype P (bool id){ do :: 1 -> do :: 1 -> skip :: 1 -> break od;
try:do ::turn==id -> break od; cr:incrit[id]=1; incrit[id]=0; turn=1-turn od}init { atomic{ run P(0); run P(1) } }
![Page 185: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/185.jpg)
185
The leader election algorithm
A directed ring of computers. Each has a unique value. Communication is from left to right.
Find out which value is the greatest.
![Page 186: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/186.jpg)
186
Example
7
2
312
9
4
![Page 187: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/187.jpg)
187
Informal description:
Initially, all the processes are active.
A process that finds out it does not represent a value that can be maximal turns to be passive.
A passive process just transfers values from left to right.
![Page 188: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/188.jpg)
188
More description
The algorithm executes in phases. In each phase, each process first sends
itscurrent value to the right.
Each process, when receiving the first value from its left compares it to its current value. If same: this is the maximum. Tell others. Not same: send current value again to left.
![Page 189: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/189.jpg)
189
Continued
When receiving the second value: compare the three values received. These are values of the process itself. of the left active process. of the second active process on the left.
If the left active process has greatest value among three, then keep this value. Otherwise, become passive.
![Page 190: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/190.jpg)
190
7
2
312
9
4
3
2
9
7
4
12
![Page 191: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/191.jpg)
191
7
2
312
9
4
3, 7
2, 9
9, 4
7, 2
4, 12
12, 3
![Page 192: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/192.jpg)
192
7
2
312
9
4
3, 7
2, 9
9, 4
7, 2
4, 12
12, 3
![Page 193: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/193.jpg)
193
9
7
12
![Page 194: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/194.jpg)
194
9
7
12
12, 7
7, 9
9, 12
![Page 195: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/195.jpg)
195
12
![Page 196: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/196.jpg)
196
send(1, my_number);state:=active;when
received(1,number) do
if state=active then if number!=max then send(2, number); neighbor:=number; else (max is
greatest, send to all processes); end if; else send(1,number); end if;end do;
when received(2,number) do
if state=active then if neighbor>number
and neighbor>max then
max:=neighbor; send(1, neighbor); else state:=passive; end if; else send(2, number); end if;end do;
![Page 197: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/197.jpg)
197
Now, translate into SPIN (Promela) code
![Page 198: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/198.jpg)
198
Running SPIN
Can download and implement (for free) using www.spinroot.com
Available in our system. Graphical interface: xspin
![Page 199: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/199.jpg)
199
Homework: check properties
There is never more than one maximal value found.
A maximal value is eventually found.
From the time a maximal value is found, we continue to have one maximal value.
There is no maximal value until a moment where there is one such value, and from there, there is exactly one value until the end.
The maximal value is always 5.
![Page 200: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/200.jpg)
200
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;
boolean c2 initially 1;
integer (1..2) turn initially 1;
![Page 201: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/201.jpg)
201
Project
Model in Spin Specify properties Do model checking Can this work without fairness? What to do with fairness?
![Page 202: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/202.jpg)
202
Modeling issues
Book: chapters 4.12, 5.4, 8.4, 10.1
![Page 203: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/203.jpg)
203
Fairness
(Book: Chapter 4.12, 8.3, 8.4)
![Page 204: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/204.jpg)
204
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;
boolean c2 initially 1;
integer (1..2) turn initially 1;
![Page 205: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/205.jpg)
205
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;
boolean c2 initially 1;
integer (1..2) turn initially 1;
c1=c2=0,turn=1
![Page 206: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/206.jpg)
206
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
boolean c1 initially 1;
boolean c2 initially 1;
integer (1..2) turn initially 1;
c1=c2=0,turn=1
![Page 207: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/207.jpg)
207
Dekker’s algorithm
P1::while true do begin non-critical section 1 c1:=0; while c2=0 do begin if turn=2 then begin c1:=1; wait until turn=1;
c1:=0; end end critical section 1 c1:=1; turn:=2 end.
P2::while true do begin non-critical section 2 c2:=0; while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end critical section 2 c2:=1; turn:=1 end.
P1 waits for P2 to set c2 to 1 again.Since turn=1 (priority for P1), P2 is ready to do that. But never gets the chance, since P1 is constantly active checking c2 in its while loop.
c1=c2=0,turn=1
![Page 208: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/208.jpg)
208
0:START P10:START P1
11:c1:=111:c1:=1
12:true12:true
13:end13:end2:c1:=02:c1:=0
8:c2=0?8:c2=0?
7:turn=2?7:turn=2?
6:c1:=06:c1:=0
3:c1:=13:c1:=1
11:turn:=211:turn:=2
10:c1:=110:c1:=1
9:critical-19:critical-1
4:no-op4:no-op
5:turn=2?5:turn=2?
nono
nono
nono
nonoyesyes
yesyes
yesyes
yesyes
0:START P20:START P2
11:c2:=111:c2:=1
12:true12:true
13:end13:end2:c2:=02:c2:=0
8:c1=0?8:c1=0?
7:turn=1?7:turn=1?
6:c2:=06:c2:=0
3:c2:=13:c2:=1
11:turn:=111:turn:=1
10:c2:=110:c2:=1
9:critical-29:critical-2
4:no-op4:no-op
5:turn=1?5:turn=1?
nono
nono
nono
nonoyesyes
yesyes
yesyes
yesyes
Initially:
turn=1
![Page 209: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/209.jpg)
209
What went wrong? The execution is unfair to P2.
It is not allowed a chance to execute.
Such an execution is due to the interleaving model (just picking an enabled transition).
If it did, it would continue and set c2 to 0, which would allow P1 to progress.
Fairness = excluding some of the executions in the interleaving model, which do not correspond to actual behavior of the system.
while c1=0 do begin if turn=1 then begin c2:=1; wait until turn=2;
c2:=0; end end
![Page 210: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/210.jpg)
210
Recall:The interleaving model An execution is a finite or infinite sequence of states s0, s1,
s2, … The initial state satisfies the initial condition, I.e., I (s0). Moving from one state si to si+1 is by executing a transition
et: e(si), I.e., si satisfies e. si+1 is obtained by applying t to si.
Now: consider only “fair” executions. Fairness constrains sequences that are considered to be executions.
Fair executions
Sequences Executions
![Page 211: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/211.jpg)
211
Some fairness definitions Weak transition fairness:
It cannot happen that a transition is enabled indefinitely, but is never executed.
Weak process fairness: It cannot happen that a process is enabled indefinitely, but non of its transitions is ever executed
Strong transition fairness:If a transition is infinitely often enabled, it will get executed.
Strong process fairness:If at least one transition of a process is infinitely often enabled, a transition of this process will be executed.
![Page 212: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/212.jpg)
212
How to use fairness constraints? Assume in the negative that some
property (e.g., termination) does not hold, because of some transitions or processes prevented from execution.
Show that such executions are impossible, as they contradict fairness assumption.
We sometimes do not know in reality which fairness constraint is guaranteed.
![Page 213: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/213.jpg)
213
Example
P1::x=1 P2: do :: y==0 ->
if :: true
:: x==1 -> y=1 fi
od
Initially: x=0; y=0;
In order for the loop to terminate (in a deadlock !) we need P1 to execute the assignment. But P1 may never execute, since P2 is in a loop executing true. Consequently, x==1 never holds, and y is never assigned a 1.
pc1=l0(pc1,x):=(l1,1) /* x=1 */
pc2=r0/\y=0pc2=r1 /* y==0*/
pc2=r1pc2=r0 /* true */
pc2=r1/\x=1(pc2,y):=(r0,1) /* x==1 y:=1 */
![Page 214: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/214.jpg)
214
Weak transition fairness
P1::x=1P2: do :: y==0 ->
if :: true
:: x==1 -> y=1
fi od
Initially: x=0; y=0;
Under weak transition fairness, P1 would assign 1 to x, but this does not guarantee that 1 is assigned to y and thus the P2 loop will terminates, since the transition for checking x==1 is not continuously enabled (program counter not always there).
Weak process fairness only guarantees P1 to execute, but P2 can still choose the true guard.Strong process fairness: same.
![Page 215: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/215.jpg)
215
Strong transition fairness
P1::x=1 P2: do :: y==0 ->
if :: true
:: x==1 -> y=1 fi
od
Initially: x=0; y=0;
Under strong transition fairness, P1 would assign 1 to x. If the execution was infinite, the transition checking x==1 was infinitely often enabled. Hence it would be eventually selected. Then assigning y=1, the main loop is not enabled anymore.
![Page 216: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/216.jpg)
216
Specifying fairness conditions
Express properties over an alternating sequence of states and transitions:s0 1 s1 1 s2 …
Use transition predicates exec.
![Page 217: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/217.jpg)
217
Some fairness definitions
Weak transition fairness:
/\ T (<>[]en []<>exec).
Equivalently: /\aT ¬<>[](en /\¬exec)
Weak process fairness:
/\Pi (<>[]enPi []<>execPi ) Strong transition fairness:
/\ T ([]<>en []<>exec )
Strong process fairness:
/\Pi ([]<>enPi []<>execPi )
exec is executed.
execPi some transition of Pi is executed.
en is enabled.
enPi some transition of process Pi is enabled.
enPi = \/ Pi en
execPi = \/ Pi exec
![Page 218: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/218.jpg)
218
“Weaker fairness condition”
A is weaker than B if B A.(Means A has more executions than B.)
Consider the executions L(A) and L(B). Then L(B) L(A).
If an execution is strong {process/transition} fair, then it is also weak {process/transition} fair.
There are fewer strong {process,transition} fair executions.
Strongtransitionfair execs
Weakprocess
fair execs
Weaktransitionfair execs
Strongprocess
fair execs
![Page 219: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/219.jpg)
219
Fairness is an abstraction; no scheduler can guarantee exactly all fair executions!
Initially: x=0, y=0P1::x=1
||P2::do
:: x==0 -> y=y+1 :: x==1 -> break od
x=0,y=0
x=0,y=1x=1,y=0
x=1,y=1x=0,y=2
x=1,y=2Under fairness assumption (any of the four defined),P1 will execute the assignment, and consequently, P2 will terminate. All executions are finite and there are infinitely many of them, and infinitely many states. Thus, an execution tree (the state space) will potentially look like the one on the right, but with infinitely many states, finite branching and only finite sequences. But according to König’s Lemma there is no such tree!
![Page 220: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/220.jpg)
220
Model Checking under fairness
Instead of verifying that the program satisfies , verify it satisfies fair
Problem: may be inefficient. Also fairness formula may involves special arrangement for specifying what exec means.
May specialize model checking algorithm instead.
![Page 221: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/221.jpg)
221
Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a
transition from P, or it contains a state where P is
disabled. Weak transition fairness: similar. Strong fairness: much more difficult
algorithm.
![Page 222: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/222.jpg)
222
Abstractions
(Book: Chapter 10.1)
![Page 223: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/223.jpg)
223
Problems with software analysis
Many possible outcomes and interactions.
Not manageable by an algorithm (undecideable, complex).
Requires a lot of practice and ingenuity (e.g., finding invariants).
![Page 224: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/224.jpg)
224
More problems
Testing methods fail to cover potential errors. Deductive verification techniques require
too much time, mathematical expertise, ingenuity.
Model checking requires a lot of time/space and may introduce modeling errors.
![Page 225: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/225.jpg)
225
How to alleviate the complexity?
Abstraction Compositionality Partial Order Reduction Symmetry
![Page 226: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/226.jpg)
226
Abstraction
Represent the program using a smaller model.
Pay attention to preserving the checked properties.
Do not affect the flow of control.
![Page 227: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/227.jpg)
227
Main idea
Use smaller data objects.
x:= f(m)y:=g(n)if x*y>0 then … else …x, y never used again.
![Page 228: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/228.jpg)
228
How to abstract?
Assign values {-1, 0, 1} to x and y. Based on the following connection:
sgn(x) = 1 if x>0, 0 if x=0, and -1 if x<0.sgn(x)*sgn(y)=sgn(x*y).
![Page 229: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/229.jpg)
229
Abstraction mapping
S - states, I - initial states. L(s) - labeling.
R(S,S) - transition relation. h(s) maps s into its abstract image.
Full model -h Abstract model I(s) I(h(s)) R(s, t) R(h(s),h(t)) L(h(s))=L(s)
![Page 230: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/230.jpg)
230
Traffic light example
go
stop
stop
![Page 231: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/231.jpg)
231
go
stop
stop
go
stop
![Page 232: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/232.jpg)
232
What do we preserve?
go
stop
stop
go
stop
Every execution of the full model can be simulated by an execution of the reduced one.
Every LTL property that holds in the reduced model hold in the full one.
But there can be properties holding for the original model but not the abstract one.
![Page 233: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/233.jpg)
233
Preserved: [](go->O stop)
go
stop
stop
go
stop
Not preserved:
[]<>go
Counterexamples need to be checked.
![Page 234: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/234.jpg)
234
Symmetry
A permutation is a one-one and onto function p:AA.For example, 13, 24, 31, 45, 52.
One can combine permutations, e.g.,p1: 13, 21, 32p2: 12, 21, 33p1@p2: 13, 22, 31
A set of permutations with @ is called a symmetry group.
![Page 235: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/235.jpg)
235
Using symmetry in analysis
Want to find some symmetry group suchthat for each permutation p in it,R(s,t) if and only if R(p(s), p(t))and L(p(s))=L(s).
Let K(s) be all the states that can be permuted to s. This is a set of states such that each one can be permuted to the other.
![Page 236: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/236.jpg)
236
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
init
![Page 237: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/237.jpg)
237
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
init
The quotient model
![Page 238: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/238.jpg)
238
Homework: what is preserved in the following buffer abstraction? What is not preserved?
e
empty
quasi
full
q
q
q
f
![Page 239: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/239.jpg)
239
BDD representation
![Page 240: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/240.jpg)
240
Computation Tree Logic. . .
. . .
. . .
. . .
p p
p
. . .
. . .
. . .
. . .
EG p
p p p p
p
p p
AF p
![Page 241: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/241.jpg)
241
Computation Tree Logic
q q
q
p
. . .
. . .
. . .
. . .
p
q
p
. . .
. . .
. . .
. . .
E pUq
p
A pUq
![Page 242: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/242.jpg)
242
Example formulas
CTL formulas: mutual exclusion: AG ( cs1
cs2) non starvation: AG (request
AF grant) “sanity” check: EF request
![Page 243: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/243.jpg)
243
Model Checking M |= f[Clarke, Emerson, Sistla 83]
The Model Checking algorithm works iterativelyon subformulas of f , from simpler subformulas to more complex ones
When checking subformula g of f we assume that all subformulas of g have already been checked
For subformula g, the algorithm returns the set of states that satisfy g ( Sg ) The algorithm has time complexity: O(|M||f|)
![Page 244: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/244.jpg)
244
Model checking f = EF g
Given a model M= < S, I, R, L >and Sg the sets of states satisfying g in M
procedure CheckEF (Sg )
Q := emptyset; Q’ := Sg ;while Q Q’ do Q := Q’; Q’ := Q { s | s' [ R(s,s’)
Q(s’) ] }end whileSf := Q ; return(Sf )
![Page 245: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/245.jpg)
245
g
g
g
f
f
f
f
f
f
f
Example: f = EF g
![Page 246: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/246.jpg)
246
Model checking f = EG g
CheckEG gets M= < S, I, R, L > and Sg
and returns Sf
procedure CheckEG (Sg)
Q := S ; Q’ := Sg ;
while Q Q’ do Q := Q’; Q’ := Q { s | s' [ R(s,s’) Q(s’) ] }end whileSf := Q ; return(Sf )
![Page 247: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/247.jpg)
247
g
g
g
g
g
g
Example: f = EG g
![Page 248: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/248.jpg)
248
Symbolic model checking[Burch, Clarke, McMillan, Dill 1990]
If the model is given explicitly (e.g. by adjacent
matrix) then only systems with about ten Boolean
variables (~1000 states) can be handledSymbolic model checking uses Binary Decision Diagrams ( BDDs )to represent the model and sets of states. It
can handle systems with hundreds of Boolean variables.
![Page 249: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/249.jpg)
249
Binary decision diagrams (BDDs) [Bryant 86]
Data structure for representing Boolean functions
Often concise in memory Canonical representation Boolean operations on BDDs can
be done in polynomial time in the BDD size
![Page 250: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/250.jpg)
250
Assume that states in model M are encoded by {0,1}n and described by Boolean variables v1...vn
Sf can be represented by a BDD over v1...vn
R (a set of pairs of states (s,s’) ) can be represented by a BDD over v1...vn v1’...vn’
BDDs in model checking
![Page 251: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/251.jpg)
251
BDD definition A tree representation of a Boolean
formula. Each leaf represents 0 (false) or 1 (true). Each internal leaf represents a node. If we follow a path in the tree and go
from a node left (low) on 0 and right (high) on 1, we obtain a leaf that corresponds to the value of the formula under this truth assignment.
![Page 252: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/252.jpg)
252
Examplea
b c
c c b b
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
0 0 0 11 1 0 1
![Page 253: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/253.jpg)
253
OBDD: there is some fixed appearance order between variables, e.g., a<b<c
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
a
b b
c c c c
0 0 0 11 0 1 1
![Page 254: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/254.jpg)
254
In reduced form: combine all leafs with same values, all isomorphic subgraph.
a
b b
c c c c
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
0 0 0 11 0 1 1
In addition, remove nodes with identical children (low(x)=high(x)).
![Page 255: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/255.jpg)
255
In reduced form: combine all leafs with same values, all isomorphic subgraph.
a
b b
c c c c
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
0 1
In addition, remove (shortcut) nodes with identical children (low(x)=high(x)).Apply bottom up until not possible.
![Page 256: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/256.jpg)
256
In reduced form: combine all leafs with same values, all isomorphic subgraph.
a
b b
c c c c
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
0 1
In addition, remove (shortcut) nodes with identical children (low(x)=high(x)).
![Page 257: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/257.jpg)
257
In reduced form: combine all leafs with same values, all isomorphic subgraph.
a
b b
c c
)a/\(b\/¬c)¬)/\(a/\(b/\c)(
0 1
In addition, remove (shortcut) nodes with identical children (low(x)=high(x)).
![Page 258: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/258.jpg)
258
Example, even parity, 3 bits
a
b b
c c c c
1 0 0 01 1 1 0
![Page 259: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/259.jpg)
259
Apply reducea
b b
c c c c
01
![Page 260: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/260.jpg)
260
Apply reducea
b b
c c c c
01
![Page 261: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/261.jpg)
261
Apply reducea
b b
c c c
01
![Page 262: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/262.jpg)
262
Apply reducea
b b
c c c
01
![Page 263: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/263.jpg)
263
Apply reducea
b b
c c
01
![Page 264: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/264.jpg)
264
f[0/x], f[1/x] (“restrict” algorithm)
Obtain the replacement of a variable x by 0 or 1, in formula f, respectively.
For f[0/x], incoming edges to node x are redirected to low(x), and x is removed.
For f[1/x], incoming edges to node x are redirected to high(x), and x is removed.
Then we reduce the OBBD.
![Page 265: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/265.jpg)
265
Calculate x x= [0/x]\/[1/x] Thus, we apply “restrict” twice to
and then “apply” the disjunction.
![Page 266: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/266.jpg)
266
Shannon expansion of Boolean expression f. f=(¬x/\f[0/x])\/(x/\f[1/x]) Thus, f#g, for some logical operator #
is f#g=(¬x/\f#g [0/x])\/(x/\f#g [1/x])= (¬x/\f [0/x]#g [0/x])\/(x/\f [1/x]#g[1/x])
![Page 267: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/267.jpg)
267
Now compute f#g recursively:
Let rf be the root of the OBDD for f, and rg be the root of the OBDD for g.
If rf and rg are terminals, then apply rf#rg and put the result.
If both roots are same node (say x), then create a low edge to low(rf)#low(rg), and a high edge to high(rf)#high(rg).
If rf is x and rg is y, and x<y, there is no x node in g, so g=g[0/x]=g[1/x]. So we create a low edge to low(rf)#g and a high edge to high(rf)#g. The symmetric case is handled similarly.
We reduce.
![Page 268: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/268.jpg)
268
Same subgraphs are not needed to be explored again (use memoising, i.e., dynamic programming, complexity: exponential 2xmultiplications of sizes.
R1,S1
R6,S5
R2,S3 R3,S2
R3,S3 R4,S3
R5,S4
R6,S3
R4,S3
R4,S3
R5,S4 R6,S5
R6,S5
R6,S4
R6,S5
R5,S4 R6,S5
x
z
t
z
y
x
t
0 1 0 1
R1
R3
R2
R5
R6
R4
S1
S3
S2
S4 S5
x
z
z tt
tt
y
![Page 269: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/269.jpg)
269
Same subgraphs are not needed to be explored again (use memoising,
i.e., dynamic programming, complexity: exponential 2xmultiplications of sizes.
R1,S1
R6,S5
R2,S3 R3,S2
R3,S3 R4,S3
R5,S4
R6,S3
R4,S3
R4,S3
R5,S4 R6,S5
R6,S5
R6,S4
R6,S5
R5,S4 R6,S5
x
z
t
z
y
x
y
0 1 0 1
R1
R3
R2
R5
R6
R4
S1
S3
S2
S4 S5
x
z
z tt
tt
y
![Page 270: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/270.jpg)
270
Symbolic Model Checking Characterize CTL formulas using fixpoints. AF= \/AX AF EF= EX EF Z.EX Z AG= /\AX A G EG= EX EG Z.EX Z AU = \/(/\AXU) EU = (EXU) Z.(EXZ) AR = /\(\/AXR) ER = (EXR) Z.(EXZ)
![Page 271: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/271.jpg)
271
Representing the successor relation formula R A relation between the current state and the
next state can be represented as a BDD with prime variables representing the variables at next states.
For example:p/\¬q/\r/\¬p’/\q’/\r’ says that the current state satisfies p/\¬q/\r and the next state satisfies ¬p/\q/\r. (typically, for one transition, represented as a Boolean relation).
If ti represents this relation for transition i, we can
write for the entire code R=\/i ti.
![Page 272: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/272.jpg)
272
Calculating (Z) for (Z)=EX Z Z is a BDD. Rename variables in Z by their primed
version to obtain BDD Z’. Calculate the BDD R/\Z’. Let y1’…yn’ be the primed variables,
Then calculate the BDD T=y1’… yn’ R/\Z’ to remove primed variables.
Calculate the BDD T.
![Page 273: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/273.jpg)
273
Model checking Z (least fixed point)For example, = EX ZFor formulas with main operator .
procedure Check LFP ()Q :=False; Q’ := (Q) ;while Q Q’ do Q := Q’; Q’ := (Q) ;end whilereturn(Q)
![Page 274: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/274.jpg)
274
Model checking Z (Greatest fixed point)For example, = (EX Z)For formulas with main operator .
procedure Check GFP ()Q :=True; Q’ := (Q) ;while Q Q’ do Q := Q’; Q’ := (Q) ;end whilereturn(Q)
![Page 275: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/275.jpg)
275
Program verification: flowchart programs
(Book: chapter 7)
![Page 276: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/276.jpg)
276
History
Verification of flowchart programs: Floyd, 1967 Hoare’s logic: Hoare, 1969 Linear Temporal Logic: Pnueli, Krueger, 1977 Model Checking: Clarke & Emerson, 1981
![Page 277: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/277.jpg)
277
Program Verification
Predicate (first order) logic. Partial correctness, Total correctness Flowchart programs Invariants, annotated programs Well founded ordering (for
termination) Hoare’s logic
![Page 278: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/278.jpg)
278
Predicate (first order logic)
Variables, functions, predicates
Terms
Formulas (assertions)
![Page 279: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/279.jpg)
279
Signature
Variables: v1, x, y18Each variable represents a value of some given
domain (int, real, string, …). Function symbols: f(_,_), g2(_), h(_,_,_).Each function has an arity (number of
paramenters), a domain for each parameter, and a range.
f:int*int->int (e.g., addition), g:real->real (e.g., square root)
A constant is a predicate with arity 0. Relation symbols: R(_,_), Q(_).Each relation has an arity, and a domain for each
parameter.R : real*real (e.g., greater than).Q : int (e.g., is a prime).
![Page 280: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/280.jpg)
280
Terms
Terms are objects that have values. Each variable is a term. Applying a function with arity n to n
terms results in a new term.Examples: v1, 5.0, f(v1,5.0),
g2(f(v1,5.0))
More familiar notation: sqr(v1+5.0)
![Page 281: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/281.jpg)
281
Formulas
Applying predicates to terms results in a formula.
R(v1,5.0), Q(x)More familiar notation: v1>5.0 One can combine formulas with the
boolean operators (and, or, not, implies).
R(v1,5.0)->Q(x)x>1 -> x*x>x One can apply existentail and universal
quantification to formulas.x Q(X) x1 R(x1,5.0) x y R(x,y)
![Page 282: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/282.jpg)
282
A model, A proofs
A model gives a meaning (semantics) to a first order formula: A relation for each relation symbol. A function for each function symbol. A value for each variable.
An important concept in first order logic is that of a proof. We assume the ability to prove that a formula holds for a given model.
Example proof rule (MP) :
![Page 283: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/283.jpg)
283
Flowchart programs
Input variables: X=x1,x2,…,xlProgram variables: Y=y1,y2,…,ymOutput variables: Z=z1,z2,…,zn
start
haltY=f(X)
Z=h(X,Y)
![Page 284: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/284.jpg)
284
Assignments and tests
Y=g(X,Y) t(X,Y)FT
![Page 285: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/285.jpg)
285
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
Initial condition
Initial condition: the values for the input variables for which the program must work.
x1>=0 /\ x2>0
FT
![Page 286: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/286.jpg)
286
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
The input-output claim
The relation between the values of the input and the output variables at termination.
x1=z1*x2+z2 /\ 0<=z2<x2
FT
![Page 287: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/287.jpg)
287
Partial correctness, Termination, Total correctness
Partial correctness: if the initial condition holds and the program terminates then the input-output claim holds.
Termination: if the initial condition holds, the program terminates.
Total correctness: if the initial condition holds, the program terminates and the input-output claim holds.
![Page 288: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/288.jpg)
288
Subtle point:
The program ispartially correct
withrespect tox1>=0/\x2>=0and totally correctwith respect tox1>=0/\x2>0
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
T F
![Page 289: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/289.jpg)
289
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
Annotating a scheme
Assign an assertion for each pair of nodes. The assertion expresses the relation between the variable when the program counter is located between these nodes.
A
B
C D
E
FT
![Page 290: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/290.jpg)
290
Invariants Invariants are assertions that hold at each state
throughout the execution of the program. One can attach an assertion to a particular
location in the code:e.g., at(B) (B).This is also an invariant; in other locations, at(B) does not hold hence the implication holds.
If there is an assertion attached to each location, (A), (B), (C), (D), (E), then their disjunction is also an invariant: (A)\/(B)\/(C)\/(D)\/(E)(since location is always at one of these locations).
![Page 291: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/291.jpg)
291
Annotating a scheme with invariants
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0C): x1=y1*x2+y2 /\
y2>=0 /\ y2>=x2D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2E):x1=z1*x2+z2 /\ 0<=z2<x2Notice: (A) is the initial
condition, Eis the input-output condition.
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
FT
A) Is the precondition of (y1,y2)=(0,x1) and B) is its postcondition
![Page 292: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/292.jpg)
292
Preliminary:Relativizing assertions
(B) : x1= y1 * x2 + y2 /\ y2 >= 0Relativize B) w.r.t. the assignment,
obtaining B) [Y\g(X,Y)]e(B) expressed w.r.t. variables at
A.) (B)A =x1=0 * x2 + x1 /\ x1>=0Think about two sets of variables,
before={x, y, z, …} after={x’,y’,z’…}.
Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after by substitution.
Here: x1’=y1’ * x2’ + y2’ /\ y2’>=0 /\x1’=x1 /\ x2’=x2 /\ y1’=0 /\ y2’=x1now eliminate x1’, x2’, y1’, y2’.
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
![Page 293: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/293.jpg)
293
Preliminary:Relativizing assertions
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
A):
(B)A
(B)
Y=g(X,Y)
Y=g(X,Y)
![Page 294: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/294.jpg)
294
Verification conditions: assignment
A) B)A
where B)A = B)[Y\g(X,Y)]
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0
B)A=x1=0*x2+x1 /\
x1>=0
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
![Page 295: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/295.jpg)
295
(y1,y2)=(y1+1,y2-x2)
Second assignment
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
B): x1=y1*x2+y2 /\ y2>=0
B)C: x1=(y1+1)*x2+y2-x2 /\ y2-x2>=0
C
B
![Page 296: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/296.jpg)
296
(z1,z2)=(y1,y2)
Third assignment
D):x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
E):x1=z1*x2+z2 /\ 0<=z2<x2
E)D:
x1=y1*x2+y2 /\ 0<=y2<x2
E
D
![Page 297: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/297.jpg)
297
Verification conditions: tests
B) /\ t(X,Y) C)B) /\¬t(X,Y) D)
B): x1=y1*x2+y2 /\y2>=0
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2
D):x1=y1*x2+y2 /\ y2>=0 /\ y2<x2
y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
![Page 298: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/298.jpg)
298
Verification conditions: tests
y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
t(X,Y)¬t(X,Y)
B)
C)
![Page 299: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/299.jpg)
299
Partial correctness proof:An induction on length of execution
B)
B)
D)
C)
Initially, states satisfy the initial conditions.
Then, passing from one set of states to another, we preserve the invariants at the appropriate location.
We prove: starting with a state satisfying the initial conditions, if are at a point in the execution, the invariant there holds.
Not a proof of termination!
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
A)
no
no
yes
yes
T F
![Page 300: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/300.jpg)
300
Exercise: prove partial correctness
Initial condition: x>=0
Input-output claim:
z=x!
start
halt
(y1,y2)=(0,1)
y1=x
(y1,y2)=(y1+1,(y1+1)*y2) z=y2
TF
![Page 301: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/301.jpg)
301
What have we achieved?
For each statement S that appears between points X and Y we showed that if the control is in X when (X) holds (the precondition of S) and S is executed, then (Y) (the postcondition of S) holds.
Initially, we know that (A) holds. The above two conditions can be combined into
an induction on the number of statements that were executed: If after n steps we are at point X, then (X)
holds.
![Page 302: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/302.jpg)
302
Another example
(A) : x>=0
(F) : z^2<=x<(z+1)^2
z is the biggest numberthat is not greaterthan sqrt x.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 303: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/303.jpg)
303
Some insight
1+3+5+…+(2n+1)=(n+1)^2
y2 accumulates theabove sum, untilit is bigger than x.
y3 ranges over oddnumbers 1,3,5,…
y1 is n-1.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 304: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/304.jpg)
304
Invariants
It is sufficient to have one invariant for every loop(cycle in the program’sgraph).
We will have(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 305: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/305.jpg)
305
Obtaining (B)
By backwards substitution in (C).
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 306: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/306.jpg)
306
Check assignment condition
(A)=x>=0(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1(B) relativized is 0^2<=x /\ 0+1=(0+1)^2 /\ 1=2*0+1Simplified: x>=0
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 307: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/307.jpg)
307
Obtaining (D)
By backwards substitution in
(B).
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\ y3=2*y1+1
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 308: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/308.jpg)
308
Checking
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(C)/\y2<=x) (D)
(D)=(y1+1)^2<=x /\ y2+y3+2=(y1+2)^2 /\ y3+2=2*(y1+1)+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 309: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/309.jpg)
309
y1^2<=x /\
y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\ y2+y3+2=(y1+2)^2
/\ y3+2=2*(y1+1)+1
y1^2<=x /\
y2=(y1+1)^2 /\
y3=2*y1+1 /\y2<=x (y1+1)^2<=x /\
y2+y3+2=(y1+2)^2 /\
y3+2=2*(y1+1)+1
![Page 310: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/310.jpg)
310
Not finished!
Still needs to:
Calculate (E) bysubstituting backwardsfrom (F).
Check that(C)/\y2>x(E)
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 311: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/311.jpg)
311
Exercise: prove partial correctness. Initially: x1>0/\x2>0. At termination: z1=gcd(x1,x2).
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
![Page 312: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/312.jpg)
312
Annotation of program with invariants
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
z1=gcd(x1,x2)
x1>0 /\ x2>0
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
y1=gcd(x1,x2)
A
B
D
EF
G
H
![Page 313: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/313.jpg)
313
Part 1
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(A)= x1>0 /\ x2>0
(B)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0 A
B
D
EF
G
H
(B)’rel= gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0 (A)
(B)’rel
![Page 314: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/314.jpg)
314
Part 2a
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(D)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2 A
B
D
EF
G
H
(B)/\¬(y1=y2) (D)
![Page 315: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/315.jpg)
315
Part 2b
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(G)= y1=gcd(x1,x2)
A
B
D
EF
G
H
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(B)/\(y1=y2) (G)
![Page 316: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/316.jpg)
316
Part 3
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(D)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1y2
(E)=gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
(F)=(gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
A
B
D
EF
G
H
(D)/\(y1>y2) (F)
(D)/\¬(y1>y2) (E)
![Page 317: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/317.jpg)
317
Part 4
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
x1>0 /\ x2>0
(B)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
(E)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1<y2
(F)= gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0/\y1>y2
A
B
D
EF
G
H
(B)’rel1=gcd(y1,y2-y1)=gcd(x1,x2)/\y1>0/\y2-y1>0(B)’rel2=gcd(y1-y2,y2)=gcd(x1,x2)/\y1-y2>0/\y2>0
(E) (B)’rel1 (F) (B)’rel2
![Page 318: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/318.jpg)
318
Annotation of program with invariants
halthalt
startstart
(y1,y2)=(x1,x2)(y1,y2)=(x1,x2)
z1=y1z1=y1
y1=y2F
T
y1>y2y1>y2
y2=y2-y1y2=y2-y1y1=y1-y2y1=y1-y2
TF
(H)= z1=gcd(x1,x2)
(G)= y1=gcd(x1,x2)
A
B
D
EF
G
H
(H)’rel= y1=gcd(x1,x2)
(G) (H)’rel2
![Page 319: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/319.jpg)
319
Proving termination
![Page 320: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/320.jpg)
320
Well-founded sets
Partially ordered set (W,<): If a<b and b<c then a<c (transitivity). If a<b then not b<a (asymmetry). Not a<a (irreflexivity).
Well-founded set (W,<): Partially ordered. No infinite decreasing chain a1>a2>a3>…
![Page 321: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/321.jpg)
321
Examples for well founded sets Natural numbers with the bigger than
relation. Finite sets with the set inclusion relation. Strings with the substring relation. Tuples with alphabetic order:
(a1,b1)>(a2,b2) iff a1>a2 or [a1=a2 and b1>b2].
(a1,b1,c1)>(a2,b2,c2) iff a1>a2 or [a1=a2 and b1>b2] or [a1=a2 and b1=b2 and c1>c2].
![Page 322: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/322.jpg)
322
Why does the program terminate
y2 starts as x1. Each time the loop is
executed, y2 is decremented.
y2 is natural number The loop cannot be
entered again when y2<x2.
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
![Page 323: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/323.jpg)
323
Proving termination
Choose a well-founded set (W,<). Attach a function u(N) to each
point N. Annotate the flowchart with
invariants, and prove their consistency conditions.
Prove that (N) (u(N) in W).
![Page 324: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/324.jpg)
324
How not to stay in a loop?
Show that u(M)>=u(N)’rel.
At least once in each loop, show that u(M)>u(N).
S
M
N
TN
M
![Page 325: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/325.jpg)
325
How not to stay in a loop?
For stmt: (M)(u(M)>=u(N)’rel)
Relativize since we need to compare values not syntactic expressions.
For test (true side):((M)/\test)(u(M)>=u(N))
For test (false side):((M)/\
¬test)(u(M)>=u(L))
stmt
M
N
test
N
M
true
L
false
![Page 326: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/326.jpg)
326
What did we achieve?
There are finitely many control points. The value of the function u cannot
increase. If we return to the same control point,
the value of u must decrease (its a loop!).
The value of u can decrease only a finite number of times.
![Page 327: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/327.jpg)
327
Why does the program terminate
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2
W: naturals> : greater than
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
![Page 328: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/328.jpg)
328
Recall partial correctness annotation
A): x1>=0 /\ x2>=0B): x1=y1*x2+y2 /\
y2>=0C): x1=y1*x2+y2 /\
y2>=0 /\ y2>=x2D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2E):x1=z1*x2+z2 /\ 0<=z2<x2
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
falsetrue
![Page 329: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/329.jpg)
329
Strengthen for termination
A): x1>=0 /\ x2>0B): x1=y1*x2+y2 /\
y2>=0/\x2>0C): x1=y1*x2+y2 /\
y2>=0/\y2>=x2/\x2>0D):x1=y1*x2+y2 /\
y2>=0 /\ y2<x2/\x2>0E):x1=z1*x2+z2 /\ 0<=z2<x2
start
halt
(y1,y2)=(0,x1)
y2>=x2
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
A
B
C D
E
falsetrue
![Page 330: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/330.jpg)
330
Strengthen for termination
A): x1>=0 /\ x2>0 u(A)>=0B): x1=y1*x2+y2 /\ y2>=0/\
x2>0u(B)>=0C): x1=y1*x2+y2 /\y2>=0
/\y2>=x2/\x2>0u(c)>=0D):x1=y1*x2+y2 /\ y2>=0 /\
y2<x2/\x2>0u(D)>=0E):x1=z1*x2+z2 /\ 0<=z2<x2u(E)>=0This proves that u(M) is natural for
each point M.
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2
![Page 331: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/331.jpg)
331
We shall show:
u(A)=x1u(B)=y2u(C)=y2u(D)=y2u(E)=z2A)u(A)>=u(B)’relB)u(B)>=u(C)C)u(C)>u(B)’relB)u(B)>=u(D)D)u(D)>=u(E)’re
l
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
![Page 332: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/332.jpg)
332
Proving decrement
C): x1=y1*x2+y2 /\ y2>=0 /\ y2>=x2/\x2>0
u(C)=y2u(B)=y2u(B)’rel=y2-x2
C) y2>y2-x2(notice that C) x2>0)
start
halt
(y1,y2)=(y1+1,y2-x2) (z1,z2)=(y1,y2)
(y1,y2)=(0,x1)
A
B
D
E
falsey2>=x2
C
true
![Page 333: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/333.jpg)
333
Integer square prog.
(C)=y1^2<=x /\ y2=(y1+1)^2 /\ y3=2*y1+1
(B)=y1^2<=x /\ y2+y3=(y1+1)^2 /\y3=2*y1+1
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 334: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/334.jpg)
334
u(A)=x+1u(B)=x-y2+1u(C)=max(0,x-y2+1)u(D)=x-y2+1u(E)=u(F)=0u(A)>=u(B)’relu(B)>u(C)’relu(C)>=u(D)u(C)>=u(E)u(D)>=u(B)’relNeed some invariants,i.e., y2<=x/\y3>0at points B and D,and y3>0 at point C.
start
(y1,y2,y3)=(0,0,1)
A
halt
y2>x
(y1,y3)=(y1+1,y3+2) z=y1
B
C
D
F
truefalse
E
y2=y2+y3
![Page 335: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/335.jpg)
335
Program VerificationUsing Hoare’s Logic
Hoare triple is of the form{Precondition} Prog-segment {Postcondition}
It expresses partial correctness: if the segment starts with a state satisfying the precondition and it terminates, the final state satisfies the postscondition.
The idea is that one can decompose the proof of the program into smaller and smaller segments, depending on its structure.
![Page 336: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/336.jpg)
336
While programs
Assignments y:=e Composition S1; S2 If-then-else if t then S1 else S2 fi While while e do S od
![Page 337: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/337.jpg)
337
Greatest common divisor
{x1>0/\x2>0}y1:=x1;y2:=x2;while ¬(y1=y2) do if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fiod{y1=gcd(x1,x2)}
![Page 338: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/338.jpg)
338
Why it works?
Suppose that y1,y2 are both positive integers. If y1>y2 then gcd(y1,y2)=gcd(y1-y2,y2) If y2>y1 then gcd(y1,y2)=gcd(y1,y2-y1) If y1=y2 then gcd(y1,y2)=y1=y2
![Page 339: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/339.jpg)
339
Assignment axiom
{p[e/y] } y:=e {p}
For example:{y+5=10} y:=y+5 {y=10}{y+y<z} x:=y {x+y<z}{2*(y+5)>20} y:=2*(y+5) {y>20}Justification: write p with y’ instead of y,
and add the conjunct y’=e. Next, eliminate y’ by replacing y’ by e.
![Page 340: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/340.jpg)
340
Why axiom works backwards?
{p} y:=t {?}Strategy: write p and the conjunct y=t, where
y’ replaces y in both p and t. Eliminate y’.This y’ represents value of y before the
assignment.{y>5} y:=2*(y+5) {? } {p} y:=t { y’ (p[y’/y] /\ t[y’/y]=y) }y’>5 /\ y=2*(y’+5) y>20
![Page 341: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/341.jpg)
341
Composition rule
{p} S1 {r }, {r} S2 {q }
{p} S1;S2 {q}For example: if the antecedents are1. {x+1=y+2} x:=x+1 {x=y+2}2. {x=y+2} y:=y+2 {x=y}Then the consequent is {x+1=y+2} x:=x+1; y:=y+2 {x=y}
![Page 342: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/342.jpg)
342
More examples
{p} S1 {r}, {r} S2 {q} {p} S1;S2 {q}{x1>0/\x2>0} y1:=x1
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0} y2:=x2
___{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}____
{x1>0/\x2>0} y1:=x1 ; y2:=x2 {gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0}
![Page 343: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/343.jpg)
343
If-then-else rule
{p/\t} S1 {q}, {p/\¬t} S2 {q}
{p} if t then S1 else S2 fi {q}For example: p is gcd(y1,y2)=gcd(x1,x2) /\y1>0/\y2>0/\¬(y1=y2)t is y1>y2S1 is y1:=y1-y2S2 is y2:=y2-y1q is gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0
![Page 344: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/344.jpg)
344
While rule
{p/\t} S {p} {p} while t do S od {p/\¬t}Example:p is {gcd(y1,y2)=gcd(x1,x2)/\y1>0/\y2>0}t is ¬ (y1=y2)S is if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fi
![Page 345: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/345.jpg)
345
Consequence rules
Strengthen a precondition rp, {p } S {q } {r } S {q } Weaken a postcondition {p } S {q }, qr {p } S {r }
![Page 346: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/346.jpg)
346
Use of first consequence rule
Want to prove{x1>0/\x2>0} y1:=x1
{gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}By assignment rule:{gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0}
y1:=x1 {gcd(x1,x2)=gcd(y1,x2)/\y1>0/\x2>0}
x1>0/\x2>0 gcd(x1,x2)=gcd(x1,x2)/\x1>0/\x2>0
![Page 347: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/347.jpg)
347
Combining program
{x1>0 /\ x2>0} y1:=x1; y2:=x1;{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0} while S do if e then S1 else S2 fi od{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}Combine the above using concatenation
rule!
![Page 348: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/348.jpg)
348
Not completely finished
{x1>0/\x2>0} y1:=x1; y2:=x1; while ¬(y1=y2) do if e then S1 else S2 fi od{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}But we wanted to prove:{x1>0/\x1>0} Prog {y1=gcd(x1,x2)}
![Page 349: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/349.jpg)
349
Use of second consequence rule
{x1>0/\x2>0} Prog{gcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\
y1=y2}And the implicationgcd(x1,x2)=gcd(y1,y2)/\y1>0/\y2>0/\y1=y2 y1=gcd(x1,x2)Thus,{x1>0/\x2>0} Prog {y1=gcd(x1,x2)}
![Page 350: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/350.jpg)
350
Annotating a while program
{x1>0/\x2>0}y1:=x1; {gcd(x1,x2)=gcd(y1,x2
) /\y1>0/\x2>0}y2:=x2; {gcd(x1,x2)=gcd(y1,y2
) /\y1>0/\y2>0}
while ¬(y1=y2) do{gcd(x1,x2)=gcd(y1,y2)/\
y1>0/\y2>0/\¬(y1=y2)}
if y1>y2 then y1:=y1-y2 else y2:=y2-y1 fiod{y1=gcd(x1,x2)}
![Page 351: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/351.jpg)
351
While rule
{p/\e} S {p} {p} while e do S od {p/\¬e}
![Page 352: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/352.jpg)
352
Consequence rules
Strengthen a precondition rp, {p} S {q} {r} S {q} Weaken a postcondition {p} S {q}, qr {p} S {r}
![Page 353: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/353.jpg)
353
Soundness
Hoare logic is sound in the sense thateverything that can be proved is correct!
This follows from the fact that each axiomand proof rule preserves soundness.
![Page 354: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/354.jpg)
354
Completeness
A proof system is called complete if every
correct assertion can be proved.
Propositional logic is complete. No deductive system for the
standard arithmetic can be complete (Godel).
![Page 355: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/355.jpg)
355
And for Hoare’s logic?
Let S be a program and p its precondition.
Then {p} S {false} means that S never terminates when started from p. This is undecideable. Thus, Hoare’s logic cannot be complete.
![Page 356: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/356.jpg)
356
Weakest prendition, Strongest postcondition
For an assertion p and code S, let post(p,S) be the strongest assertion such that {p}S{post(p,S) }
That is, if {p}S{q} then post(p,S)q. For an assertion q and code S, let
pre(S,q) be the weakest assertion such that {pre(S,q)}S{q}
That is, if {p}S{q} then ppre(S,q).
![Page 357: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/357.jpg)
357
Relative completeness
Suppose that either post(p,S) exists for each p, S, or pre(S,q) exists for each S, q.
Some oracle decides on pure implications.Then each correct Hoare triple can be proved.What does that mean? The weakness of theproof system stem from the weakness of the
(FO) logic, not of Hoare’s proof system.
![Page 358: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/358.jpg)
358
Extensions
Many extensions for Hoare’s proof rules:
Total correctness Arrays Subroutines Concurrent programs Fairness
![Page 359: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/359.jpg)
359
Proof rule for total correctnessSimilar idea to Floyd’s termination: Well foundedness
{p/\t/\f=z} S {p/\f<z}, p(f>=0) {p} while t do S od {p/\¬t}
wherez - an int. variable, not appearing in
p,t,e,S.f - an int. expression.
![Page 360: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/360.jpg)
360
Verification with Array Variables
Book: Chapter 7.2
![Page 361: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/361.jpg)
361
The problem
Using array variables can lead to complication:
{x[1]=1/\x[2]=3} x[x[1]]:=2
{x[x[1]]=2} No!!!Why?Because the assignment changes x[1] as
well. Now it is also 2, and x[x[1]], which is x[2] is 3 and not 2!
![Page 362: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/362.jpg)
362
What went wrong?
Take the postcondition {x[x[1]]=2} and substitute 2 instead of x[x[1]].
We obtain {2=2} (which is equivalent to {true}).
Now, (x[1]=1/\x[2]=3) 2=2. So we may wrongly conclude that
the above Hoare triple is correct.
![Page 363: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/363.jpg)
363
How to fix this?
`Backward substitution’ should be done with arrays as complete elements.
Define (x; e1: e2) : an array like x, with value at the index e1 changed to e2.
(x; e1: e2)[e3]=e2 if e1=e3 x[e3] otherwise
(x; e1: e2)[e3]=if (e1=e3, e2, x[e3])
![Page 364: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/364.jpg)
364
Solved the problem?
How to deal with if(φ, e1, e2)?Suppose that formula ψ contains this
expression.Replace if(φ, e1, e2) by new variable v
in ψ.The original formula ψ is equivalent to: (φ/\ ψ[e1/v])\/(¬φ/\ ψ[e2/v])
![Page 365: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/365.jpg)
365
Returning to our case
Our postcondition is {x[x[1]]=2}. The assignment x[x[1]]:=2 causes the
substitution in the postcondition ofthe (array) variable x by a new array, which is (x; x[1] : 2), resulting in
{x[x[1]]=2}
(x; x[1] : 2)[(x; x[1] : 2)[1]] = 2
![Page 366: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/366.jpg)
366
Are we done?
Not yet. It remains to Convert the array form into an if form. Get rid of the if form.
Will not be done in class. All we say is that we obtain an
expression that is not implied by the precondition x[1]=1/\x[2]=3.
![Page 367: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/367.jpg)
367
Proof checking with PVSBook: Chapter 3
![Page 368: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/368.jpg)
368
A Theory
Name: THEORY BEGIN Definitions (types,
variables, constants)
Axioms Lemmas
(conjectures, theorems)
END Name
![Page 369: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/369.jpg)
369
Group theory
(*, e), where * is the operator and e the unity element.
Associativity (G1): (x*y)*z=x*(y*z).
Unity (G2): (x*e)=x
Right complement (G3):
x y x*y=e.
Want to prove: x y y*x=e.
![Page 370: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/370.jpg)
370
Informal proof
Choose x arbitrarily.By G3, there exists y
s.t.(1) x*y=e.By G3, we have z s.t.(2) y*z=e.y*x=(y*x)*e (by
G2) =(y*x)*(y*z) (by
(2))
=y*(x*(y*z)) (by G1)
=y*((x*y)*z) (by G1) =y*(e*z) (by (1)) =(y*e)*z (by G1) =y*z (by
(G2)) =e (by (2))
![Page 371: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/371.jpg)
371
Example: groups
Group: THEORY BEGIN element: TYPE unit: element *: [element, element-
> element] < some axioms>
left:CONJECTURE FORALL (x: element): EXISTS (y: element): y*x=unitEND Group
![Page 372: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/372.jpg)
372
Axioms
associativity: AXIOM FORALL (x, y, z:element): (x*y)*z=x*(y*z)
unity: AXIOM FORALL (x:element): x*unit=x
complement: AXIOM FORALL(x:element): EXISTS (y:element): x*y=unity
![Page 373: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/373.jpg)
373
Skolemization
Corresponds to choosing some arbitrary constant and proving “without loss of generality”.
Want to prove (…/\…)(…\/x(x)\/…).
Choose a new constant x’. Prove (…/\…)(…\/(x’)\/…).
![Page 374: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/374.jpg)
374
Skolemization
Corresponds to choosing some unconstrained arbitrary constant when one is known to exist.
Want to prove (…/\x(x)/\…)(…\/…).
Choose a new constant x’. Prove (…/\(x’)/\…)(…\/…).
![Page 375: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/375.jpg)
375
Skolem in PVS
(skolem 2 (“a1” “b2” “c7”)) (skolem -3 (“a1” “_” “c7”)) (skolem! -3)
invents new constants, e.g., for x will invent x!1, x!2, … when applied repeatedly.
![Page 376: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/376.jpg)
376
Instantiation
Corresponds to restricting the generality.
Want to prove (…/\x(x)/\…) (…\/…).
Choose a some term t. Prove (…/\(t)/\…)(…\/…).
![Page 377: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/377.jpg)
377
Instantiation
Corresponds to proving the existence of an element by showing an evidence.
Want to prove (…/\…)(…\/x(x)\/…).
Choose some term t. Prove (…/\…)(…\/(t)\/…).
![Page 378: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/378.jpg)
378
Instantiating in PVS
(inst -1 “x*y” “a” “b+c”) (inst 2 “a” “_” “x”)
![Page 379: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/379.jpg)
379
Other useful rules
(replace -1 (-1 2 3))Formula -1 is of the form le=ri. Replace any occurrence of le by ri in lines -1, 2, 3.
(replace -1 (-1 2 3) RL)Similar, but replace ri by le instead.
(assert), (assert -) (assert +) (assert 7) Apply algebraic simplification.
(lemma “<axiom-name>”) - add axiom as additional antecedent.
![Page 380: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/380.jpg)
380
![Page 381: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/381.jpg)
381
Why testing?
Reduce design/programming errors. Can be done during development,
before production/marketing. Practical, simple to do. Check the real thing, not a model. Scales up reasonably. Being state of the practice for
decades.
![Page 382: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/382.jpg)
382
Part 1: Testing of black box finite state machine
Know:
Transition relation
Size or bound on size
Wants to know:
In what state we started?
In what state we are?
Transition relation
Conformance
Satisfaction of a temporal property
![Page 383: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/383.jpg)
383
Finite automata (Mealy machines)
S - finite set of states. (size n)- set of inputs. (size d)O - set of outputs, for each transition.(s0 S - initial state). δ S S - transition relation (deterministic but
sometimes not defined for each input per each state). S O - output on edges.
Notation: δ(s,a1a2..an)= δ(… (δ(δ(s,a1),a2) … ),an)(s,a1a2..an)= (s,a1)(δ(s,a1),a2)…(δ(… δ(δ(s,a1),a2) … ),an)
![Page 384: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/384.jpg)
384
Finite automata (Mealy machines)
S - finite set of states. (size n)– set of inputs. (size d)O – set of outputs, for each
transition.(s0 S - initial state). δ S S - transition relation. S O – output on edge.
S={s1, s2, s3 }, {a, b }, O={0,1 }.
δ(s1,a)=s3 (also s1=a=>s3),δ(s1,b)=s2,(also s1=b=>s2)…(s1,a)=0 , (s1,b)=1,…δ(s1,ab)=s1, (s1,ab)=01
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
![Page 385: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/385.jpg)
385
Why deterministic machines?
Otherwise no amount of experiments would guarantee anything.
If dependent on some parameter (e.g., temperature), we can determinize, by taking parameter as additional input.
We still can model concurrent system. It means just that the transitions are deterministic.
All kinds of equivalences are unified into language equivalence.
Also: connected machine (otherwise we may never get to the completely separate parts).
![Page 386: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/386.jpg)
386
Determinism
When the black box is nondeterministic, we might never test some choices.
b/1a/1
a/1
![Page 387: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/387.jpg)
387
Preliminaries: separating sequences
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
Start with one block containing all states {s1, s2, s3}.
A set of sequences X such that if we execute them from different states, at least one of them will give a different output sequence.
s≠t µX (s, µ )≠(s, µ )
![Page 388: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/388.jpg)
388
A: separate to blocks of states with different output.
s1
s3
s2
a/0b/1
b/0
b/1
a/0
a/0
The states are separated into {s1, s3}, {s2} using the string b.
But s1 and s3 have the same outputs to same inputs.
![Page 389: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/389.jpg)
389
Repeat B : Separate blocks based on input that cause moving to different blocks.
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
Separate first block using b to three singleton blocks obtaining separation sequence bb.Separating sequences: b, bb.Max rounds: n-1, sequences: n-1, length: n-1.
If string x separated blocks B1, B2, and letter a splits part of block C to move to B1 and part to B2, then ax separates C into C1, C2, accordingly.
![Page 390: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/390.jpg)
390
Want to know the state of the machine (at end): Homing sequence.
After firning homing sequence, we know in what state we are by observing outputs.
Find a sequence µ such thatδ(s, µ )≠δ(t, µ ) (s, µ )≠(s, µ )
So, given an input µ that is executed from state s, we look at a table of outputs and according to a table, know in which state r we are.
![Page 391: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/391.jpg)
391
Homing sequence
Algorithm: Put all the states in one block (initially we do not know what is the current state).
Then repeatedly separate blocks, as long as they are not singletons, as follows:
Take a non singleton block, append a distinguishing sequence µ that separates at least two states in that block.
Update each block to the states after executing µ. (Blocks may not be disjoint, its not a partition!)
Max length of sequence: (n-1)2 (Lower bound: n(n-1)/2.)
![Page 392: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/392.jpg)
392
Example (homing sequence)
s1
s3
s2
a/0b/1 b/0
b/1
a/0
a/0
{s1, s2, s3}
{s1, s2} {s3}
{s1} {s2} {s3}
b
b1 0
011
1
On input b and output 1, we still don’t know if we were in s1 or s3, i.e., if we are currently in s2 or s1. So separate these cases with another b.
![Page 393: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/393.jpg)
393
Synchronizing sequence
One sequence takes the machine to the same final state, regardless of the initial state or the outputs.That is: find a sequence µ such that for each states s, t,
δ(s, µ )=δ(t, µ ) Not every machine has a
synchronizing sequence. Can be checked whether
exists and if so, can be found in polynomial time.
a/1
b/1
a/0b/0b/1
a/0
![Page 394: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/394.jpg)
394
Algorithm for synchronizing sequeneces
s1
s2 s3
a/1
b/1
a/0b/0b/1
a/0
Construct a graph with ordered pairs of nodes (s,t) such that (s,t )=a=>(s’,t’ ) when s=a=>s’, t=a=>t’.(Ignore self loops, e.g., on (s2,s2).)s1,s1
s2,s2
s3,s3
s1,s2
s2,s3 s1,s3
b b
b
b
b
baa
a
![Page 395: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/395.jpg)
395
Algorithm continues (2)There is an input
sequence from both s≠t to some r iff there is a path in this graph from (s,t ) to (r,r ).
There is a synchronization sequence iff some node (r,r ) is reachable from every pair of distinct nodes.
In this case it is (s2,s2 ).
s1,s1
s2,s2
s3,s3
s1,s2
s2,s3 s1,s3
b b
b
b
b
baa
a
![Page 396: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/396.jpg)
396
Algorithm continues (3)Notation:δ(S,x)=
{t |sS,δ(s,x)=t }1. i=1; S1=S
2. Take some nodes s≠tSi, and find a shortest path labeled xi to some (r,r ).
3. i=i+1; Si:=δ(Si-1,x ). If |Si |>1,goto 2., else goto 3.
4. Concatenate x1x2…xk.
s1,s1
s2,s2
s3,s3
s1,s2
s2,s3 s1,s3
b b
b
b
b
baa
a
Number of sequences ≤ n-1.Each of length ≤ n(n-1)/2.Overall O(n(n-1)2/2).
![Page 397: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/397.jpg)
397
Example:
(s2,s3)=a=>(s2,s2)
x1:=a
δ({s1,s2,s3},a)={s1,s2}
(s1,s2)=ba=>(s2,s2)
x2:=ba
δ({s1,s2},ba)={s2}
So x1x2=aba is a synchronization sequence, bringing every state into state s2.
s1,s1
s2,s2
s3,s3
s1,s2
s2,s3 s1,s3
b b
b
b
b
baa
a
![Page 398: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/398.jpg)
398
State identification: Want to know in which state the
system has started (was reset to).
Can be a preset distinguishing sequence (fixed), or a tree (adaptive).
May not exist (PSPACE complete to check if preset exists, polynomial for adaptive).
Best known algorithm: exponential length for preset, polynomial for adaptive [LY].
![Page 399: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/399.jpg)
399
Sometimes cannot identify initial state
b/1a/1 s1
s3
s2
a/1
b/0
b/1
a/1
Start with a:in case of being in s1 or s3 we’ll move to s1 and cannot distinguish.Start with b:In case of being in s1 or s2 we’ll move to s2 and cannot distinguish.The kind of experiment we do affects what we can
distinguish. Much like the Heisenberg principle in Physics.
![Page 400: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/400.jpg)
400
So…
We’ll assume resets from now on!
![Page 401: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/401.jpg)
401
Conformance testing Unknown deterministic finite state system B. Known: n states and alphabet . An abstract model C of B. C satisfies all the
properties we want from B. C has m states. Check conformance of B and C. Another version: only a bound n on the number of
states l is known.
![Page 402: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/402.jpg)
402
Check conformance with a given state machine
Black box machine has no more states than specification machine (errors are mistakes in outputs, mistargeted edges).
Specification machine is reduced, connected, deterministic. Machine resets reliably to a single initial state (or use homing
sequence).
s1
s3
s2
a/1
b/0
b/1
a/1
?=
a/1
b/1
![Page 403: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/403.jpg)
403
Conformance testing [Ch,V]
a/1
b/1
Cannot distinguish if reduced or not.
a/1
b/1
a/1
b/1
a/1
b/1a/1
b/1
![Page 404: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/404.jpg)
404
Conformance testing (cont.)
ab b
a
a
a
a b
b
b
a
Need: bound on number of states of B.
a
![Page 405: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/405.jpg)
405
Preparation: Construct a spanning tree, and separating sequences
b/1a/1 s1
s3
s2
a/1
b/0
b/1
a/1
s1
s2s3
b/1a/1
Given an initial state, we can reach any state of the automaton.
![Page 406: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/406.jpg)
406
How the algorithm works?According to the spanning
tree, force a sequence of inputs to go to each state.
1. From each state, perform the distinguishing sequences.
2. From each state, make a single transition, check output, and use distinguishing sequences to check that in correct target state.
s1
s2s3
b/1a/1
Rese
t
Rese
t
Distinguishing sequences
![Page 407: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/407.jpg)
407
Comments1. Checking the different distinguishing
sequences (m-1 of them) means each time resetting and returning to the state under experiment.
2. A reset can be performed to a distinguished state through a homing sequence. Then we can perform a sequence that brings us to the distinguished initial state.
3. Since there are no more than m states, and according to the experiment, no less than m states, there are m states exactly.
4. Isomorphism between the transition relation is found, hence from minimality the two automata recognize the same languages.
![Page 408: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/408.jpg)
408
Combination lock automaton
Assume accepting states. Accepts only words with a specific suffix
(cdab in the example).
s1 s2 s3 s4 s5
bdc a
Any other input
![Page 409: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/409.jpg)
409
When only a bound on size of black box is known…
Black box can “pretend” to behave as a specification automaton for a long time, then upon using the right combination, make a mistake.
b/1a/1s1
s3
s2
a/1
b/0
b/1
a/1
b/1
Pretends to be s3
Pretends to be s1
a/1
![Page 410: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/410.jpg)
410
Conformance testing algorithm [VC]
The worst that can happen is a combination lock automaton that behaves differently only in the last state. The length of it is the difference between the size n of the black box and the specification m.
Reach every state on the spanning tree and check every word of length n-m+1 or less. Check that after the combination we are at the state we are supposed to be, using the distinguishing sequences.
No need to check transitions: already included in above check.
Complexity: m2 n dn-m+1
Probabilistic complexity: Polynomial.
Distinguishing sequences
s1
s2s3
b/1a/1
Words of length n-m+1
Rese
t
Rese
t
![Page 411: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/411.jpg)
411
Model Checking Finite state description of a system B. LTL formula . Translate into an automaton P. Check whether L(B ) L(P )=. If so, S satisfies . Otherwise, the intersection
includes a counterexample. Repeat for different properties.
![Page 412: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/412.jpg)
412
Buchi automata (-automata)
S - finite set of states. (B has l n states) S0 S - initial states. (P has m states) - finite alphabet. (contains p letters) S S - transition relation. F S - accepting states.Accepting run: passes a state in F infinitely often.
System automata: F=S, deterministic, one initial state.
Property automaton: not necessarily deterministic.
![Page 413: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/413.jpg)
413
Example: check a
a, aa
a<>a
![Page 414: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/414.jpg)
414
Example: check <>a
a
a
a
a
<>a
![Page 415: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/415.jpg)
415
Example: check <>a
Use automatic translation algorithms, e.g., [Gerth,Peled,Vardi,Wolper 95]
a
a
a, a<>a
![Page 416: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/416.jpg)
416
System
c b
a
![Page 417: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/417.jpg)
417
Every element in the product is a counter example for the checked property.
c b
a
a
a
a
a
s1 s2
s3 q2
q1
s1,q1
s1,q2 s3,q2
s2,q1a
b
c
aAcceptance isdetermined byautomaton P.
<>a
![Page 418: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/418.jpg)
418
Model Checking / Testing Given Finite state
system B. Transition relation of B
known. Property represent by
automaton P. Check if L(B ) L(P )=. Graph theory or BDD
techniques. Complexity: polynomial.
Unknown Finite state system B.
Alphabet and number of states of B or upper bound known.
Specification given as an abstract system C.
Check if B C. Complexity: polynomial
if number states known. Exponential otherwise.
![Page 419: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/419.jpg)
419
Black box checking [PVY]
Outputs: {0,1} (for enabled/disabled)
Property represent by automaton P.
Check if L(B ) L(P )=. Graph theory techniques.
Unknown Finite state system B.
Alphabet and Upper bound on Number of states of B known.
Complexity: exponential.
![Page 420: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/420.jpg)
420
Experiments
aa
bb cc
reset
a
a
b
b
c
c
try ba
a
b
b
c
c
try c
(Output 1+ progress)
(Output 0=stay)
![Page 421: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/421.jpg)
421
Simpler problem: deadlock?
Nondeterministic algorithm:guess a path of length n from the initial state to a deadlock state.Linear time, logarithmic space.
Deterministic algorithm:systematically try paths of length n, one after the other (and use reset), until deadlock is reached.Exponential time, linear space.
![Page 422: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/422.jpg)
422
Deadlock complexity
Nondeterministic algorithm:Linear time, logarithmic space.
Deterministic algorithm:Exponential (pn-1) time, linear space.
Lower bound: Exponential time (usecombination lock automata).
How does this conform with what we know about complexity theory?
![Page 423: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/423.jpg)
423
Modeling black box checking
Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed.
We learn the model as we make the experiments.
Can use the model of games of incomplete information.
![Page 424: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/424.jpg)
424
Games of incomplete information
Two players: player, player (here, deterministic). Finitely many configurations C. Including:
Initial Ci , Winning : W+ and W- . An equivalence relation on C (the player cannot
distinguish between equivalent states). Labels L on moves (try a, reset, success, fail). The player has the moves labeled the same from
configurations that are equivalent. Deterministic strategy for the player: will lead to a
configuration in W+ W-. Cannot distinguish between equivalent configurations.
Nondeterministic strategy: Can distinguish between equivalent configurations..
![Page 425: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/425.jpg)
425
Modeling BBC as games
Each configuration contains an automaton and its current state (and more).
Moves of the player are labeled withtry a, reset... Moves of the -player withsuccess, fail.
c1 c2 when the automata in c1 and c2 would respond in the same way to the experiments so far.
![Page 426: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/426.jpg)
426
A naive strategy for BBC Learn first the structure of the black box. Then apply the intersection. Enumerate automata with n states
(without repeating isomorphic automata). For a current automata and new automata,
construct a distinguishing sequence. Only one of them survives.
Complexity: O((n+1)p (n+1)/n!)
![Page 427: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/427.jpg)
427
On-the-fly strategy Systematically (as in the deadlock
case), find two sequences v1 and v2 of length <=m n.
Applying v1 to P brings us to a state t that is accepting.
Applying v2 to P brings us back to t. Apply v1 v2
n to B. If this succeeds,there is a cycle in the intersection labeled with v2, with t as the P (accepting) component.
Complexity: O(n2p2mnm).
v1
v2
![Page 428: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/428.jpg)
428
Learning an automaton
Use Angluin’s algorithm for learning an automaton.
The learning algorithm queries whether some strings are in the automaton B.
It can also conjecture an automaton Mi and asks for a counterexample.
It then generates an automaton with more states Mi+1 and so forth.
![Page 429: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/429.jpg)
429
A strategy based on learning
Start the learning algorithm. Queries are just experiments to B. For a conjectured automaton Mi ,
check if Mi P =
If so, we check conformance of Mi with B ([VC] algorithm).
If nonempty, it contains some v1 v2 .
We test B with v1 v2n. If this succeeds:
error, otherwise, this is a counterexample for Mi .
![Page 430: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/430.jpg)
430
Complexity l - actual size of B. n - an upper bound of size of B. d - size of alphabet. Lower bound: reachability is similar to deadlock. O(l 3 d l + l 2mn) if there is an error. O(l 3 d l + l 2 n d n-l+1+ l 2mn) if there is no error.If n is not known, check while time allows. Probabilistic complexity: polynomial.
![Page 431: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/431.jpg)
431
Some experiments
Basic system written in SML (by Alex Groce, CMU).
Experiment with black box using Unix I/O.
Allows model-free model checking of C code with inter-process communication.
Compiling tested code in SML with BBC program as one process.
![Page 432: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/432.jpg)
432
Part 2: Software testing(Book: chapter 9)
Testing is not about showing that there are no errors in the program.
Testing cannot show that the program performs its intended goal correctly.
So, what is software testing?Testing is the process of executing the
program in order to find errors.A successful test is one that finds an
error.
![Page 433: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/433.jpg)
433
Some software testing stages
Unit testing – the lowest level, testing some procedures.
Integration testing – different pieces of code. System testing – testing a system as a whole. Acceptance testing – performed by the
customer. Regression testing – performed after updates. Stress testing – checking the code under
extreme conditions. Mutation testing – testing the quality of the
test suite.
![Page 434: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/434.jpg)
434
Some drawbacks of testing
There are never sufficiently many test cases.
Testing does not find all the errors. Testing is not trivial and requires
considerable time and effort. Testing is still a largely informal task.
![Page 435: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/435.jpg)
435
Black-Box (data-driven, input-output) testing
The testing is not based on the structure of the program (which is unknown).
In order to ensure correctness, every possible input needs to be tested - this is impossible!
The goal: to maximize the number of errors found.
![Page 436: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/436.jpg)
436
testing
Is based on the internal structure of the program.
There are several alternative criterions for checking “enough” paths in the program.
Even checking all paths (highly impractical) does not guarantee finding all errors (e.g., missing paths!)
![Page 437: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/437.jpg)
437
Some testing principles
A programmer should not test his/her own program. One should test not only that the program does
what it is supposed to do, but that it does not do what it is not supposed to.
The goal of testing is to find errors, not to show that the program is errorless.
No amount of testing can guarantee error-free program.
Parts of programs where a lot of errors have already been found are a good place to look for more errors.
The goal is not to humiliate the programmer!
![Page 438: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/438.jpg)
438
Inspections and Walkthroughs
Manual testing methods. Done by a team of people. Performed at a meeting
(brainstorming). Takes 90-120 minutes. Can find 30%-70% of
errors.
![Page 439: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/439.jpg)
439
Code Inspection
Team of 3-5 people. One is the moderator.
He distributes materials and records the errors.
The programmer explains the program line by line.
Questions are raised. The program is
analyzed w.r.t. a checklist of errors.
![Page 440: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/440.jpg)
440
Checklist for inspections
Data declarationAll variables
declared?Default values
understood?Arrays and strings
initialized?Variables with similar
names?Correct initialization?
Control flowEach loop terminates?DO/END statements
match?
Input/outputOPEN statements
correct?Format specification
correct?End-of-file case
handled?
![Page 441: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/441.jpg)
441
Walkthrough
Team of 3-5 people. Moderator, as
before. Secretary, records
errors. Tester, play the role
of a computer on some test suits on paper and board.
![Page 442: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/442.jpg)
442
Selection of test cases (for white-box testing)
The main problem is to select a good coverage
criterion. Some options are: Cover all paths of the program. Execute every statement at least once. Each decision has a true or false value at
least once. Each condition is taking each truth value at
least once. Check all possible combinations of conditions
in each decision.
![Page 443: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/443.jpg)
443
Cover all the paths of the program
Infeasible.Consider the flow
diagram on the left.It corresponds to a
loop.The loop body has 5
paths.If the loops executes
20times there are 5^20
different paths!May also be
unbounded!
![Page 444: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/444.jpg)
444
How to cover the executions?
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Choose values for A,B,X. Value of X may change, depending on A,B. What do we want to cover? Paths?
Statements? Conditions?
![Page 445: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/445.jpg)
445
Statement coverageExecute every statement at least once
By choosingA=2,B=0,X=3each statement will
be chosen.The case where the
tests fail is not checked!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Now x=1.5
![Page 446: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/446.jpg)
446
Decision coverage (if, while checks)Each decision has a true and false outcome at least once.
Can be achieved using A=3,B=0,X=3 A=2,B=1,X=1
Problem: Does not test individual conditions. E.g., when X>1 is erroneous in second decision.
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 447: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/447.jpg)
447
Decision coverage
A=3,B=0,X=3 IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Now x=1
![Page 448: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/448.jpg)
448
Decision coverage
A=2,B=1,X=1
The case where A1 and the case where x>1 where not checked!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2)|(X>1) THEN X=X+1; END;
![Page 449: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/449.jpg)
449
Condition coverageEach condition has a true and false value at least once.
For example: A=1,B=0,X=3 A=2,B=1,X=0
lets each condition be true and false once.
Problem:covers only the path where the first test fails and the second succeeds.
IF (A>1) (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 450: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/450.jpg)
450
Condition coverage
A=1,B=0,X=3 IF (A>1) (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 451: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/451.jpg)
451
Condition coverage
A=2,B=1,X=0
Did not check the first THEN part at all!!!
Can use condition+decision coverage.
IF (A>1) (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 452: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/452.jpg)
452
Multiple Condition CoverageTest all combinations of all conditions in each test.
A>1,B=0 A>1,B≠0 A1,B=0 A1,B≠0 A=2,X>1 A=2,X1 A≠2,X>1 A≠2,X1
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
![Page 453: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/453.jpg)
453
A smaller number of cases: A=2,B=0,X=4 A=2,B=1,X=1 A=1,B=0,X=2 A=1,B=1,X=1Note the X=4 in the firstcase: it is due to the factthat X changes beforebeing used!
IF (A>1) & (B=0) THEN X=X/A; END;
IF (A=2) | (X>1) THEN X=X+1; END;
Further optimization: not all combinations.For C /\ D, check (C, D), (C, D), (C, D).For C \/ D, check (C, D), (C, D), (C, D).
![Page 454: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/454.jpg)
454
Preliminary:Relativizing assertions(Book: Chapter 7)
(B) : x1= y1 * x2 + y2 /\ y2 >= 0Relativize B) w.r.t. the assignment
becomes B) [Y\g(X,Y)]e(B) expressed w.r.t. variables at
A.) (B)A =x1=0 * x2 + x1 /\ x1>=0
Think about two sets of variables,before={x, y, z, …} after={x’,y’,z’…}.
Rewrite (B) using after, and the assignment as a relation between the set of variables. Then eliminate after.
Here: x1’=y1’ * x2’ + y2’ /\ y2’>=0 /\x1=x1’ /\ x2=x2’ /\ y1’=0 /\ y2’=x1now eliminate x1’, x2’, y1’, y2’.
(y1,y2)=(0,x1)
A
B
A
B
(y1,y2)=(0,x1)
Y=g(X,Y)
![Page 455: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/455.jpg)
455
Verification conditions: tests
C) B)= t(X,Y) /\C)D) B)=t(X,Y) /\D)
B)= D) /\ y2x2y2>=x2
B
C
D
B
C
Dt(X,Y)
FT
FT
![Page 456: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/456.jpg)
456
How to find values for coverage?
•Put true at end of path.
•Propagate path backwards.
•On assignment, relativize expression.
•On “yes” edge of decision, add decision as conjunction.
•On “no” edge, add negation of decision as conjunction.
•Can be more specific when calculating condition with multiple condition coverage.
A>1 & B=0
A=2 | X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
![Page 457: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/457.jpg)
457
How to find values for coverage?
A>1 & B=0
A=2 | X>1
X=X+1
X=X/Ano
no
yes
yes
true
true
A≠2 /\ X>1
(A≠2 /\ X/A>1) /\ (A>1 & B=0)
A≠2 /\ X/A>1Need to find a
satisfying assignment:
A=3, X=6, B=0
Can also calculate path condition forwards.
![Page 458: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/458.jpg)
458
How to cover a flow chart? Cover all nodes, e.g., using search
strategies: DFS, BFS. Cover all paths (usually impractical). Cover each adjacent sequence of N nodes. Probabilistic testing. Using random number
generator simulation. Based on typical use. Chinese Postman: minimize edge traversal
Find minimal number of times time to travel each edge using linear programming or dataflow algorithms.
![Page 459: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/459.jpg)
459
Test cases based on data-flow analysis
Partition the program into pieces of code with a single entry/exit point.
For each piece find which variables are set/used/tested.
Various covering criteria: from each set to
each use/test From each set to
some use/test.
X:=3
z:=z+x
x>y
t>y
![Page 460: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/460.jpg)
460
Test case design for black box testing: how to find a good test suite? Equivalence partition Boundary value
analysis
![Page 461: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/461.jpg)
461
Equivalence partition
Goals: Find a small number of test cases. Cover as much possibilities as you can.
Try to group together inputs for which the program is likely to behave the same.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
![Page 462: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/462.jpg)
462
Example: A legal variable
Begins with A-Z Contains [A-Z0-9] Has 1-6 characters.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
Starting char
Chars
Length
Starts A-Z Starts other
[A-Z0-9] Has others
1-6 chars 0 chars, >6 chars
1 2
3 4
56 7
![Page 463: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/463.jpg)
463
Equivalence partition (cont.)
Add a new test case until all valid equivalence classes have been covered. A test case can cover multiple such classes.
Add a new test case until all invalid equivalence class have been covered. Each test case can cover only one such class.
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
![Page 464: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/464.jpg)
464
Example
AB36P (1,3,5) 1XY12 (2) A17#%X (4)
Specificationcondition
Valid equivalenceclass
Invalid equivalenceclass
Starting char
Chars
Length
Starts A-Z Starts other
[A-Z0-9] Has others
1-6 chars 0 chars, >6 chars
1 2
3 4
56 7
(6) VERYLONG (7)
![Page 465: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/465.jpg)
465
Boundary value analysis
In every element class, select values that are closed to the boundary. If input is within range -1.0 to +1.0,
select values -1.001, -1.0, -0.999, 0.999, 1.0, 1.001.
If needs to read N data elements, check with N-1, N, N+1. Also, check with N=0.
![Page 466: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/466.jpg)
466
For Unit Testing
Write “drivers”, which replaces procedures calling the code.
Write “stubs”, which replaces procedures called by the code.
Tested unit
Driver
StubStubStub
Driver
![Page 467: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/467.jpg)
467
package bucket;import java.util.*;import java.math.*;public class BugBucketSort{ public static void main(String[] args) { Random r = new Random(100); r.nextInt(100); LinkedList<Integer> ls = new LinkedList<Integer>(); for (int j = 0; j < 10; j++) ls.push(r.nextInt(100)); System.out.println(ls); bucketSort(ls); } public static void bucketSort(LinkedList<Integer> ls) { LinkedList<HashMap<Integer,Integer>> la = new LinkedList<HashMap<Integer,Integer>>(); for (int i = 0 ; i<11; i++) la.add(new HashMap<Integer,Integer>()); System.out.println("\nValues in the array: "+la.size()); for (int j = 0; j < ls.size(); j++) { la.get((int)ls.get(j)/10).put((int)ls.get(j)%10, ls.get(j)); } System.out.println("\nThe ordered array is:"); System.out.print("["); for (int i = 0; i < la.size(); i++) for (int k = 1; k < 10; k++) { if(la.get(i).containsKey(k)) System.out.print(la.get(i).get(k)+" "); } System.out.println("]"); }}
Bucket sort:With bugs!!
![Page 468: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/468.jpg)
468
package bucket;import java.util.*;import java.math.*;public class BucketSort{ public static void main(String[] args) { Random r = new Random(100); r.nextInt(100); LinkedList<Integer> ls = new LinkedList<Integer>(); for (int j = 0; j < 10; j++) ls.push(r.nextInt(100)); System.out.println(ls);// System.out.println((int) 17 / 5); bucketSort(ls); } public static void bucketSort(LinkedList<Integer> ls) { LinkedList<HashMap<Integer,Integer>> la = new LinkedList<HashMap<Integer,Integer>>(); for (int i = 0 ; i<10; i++) la.add(new HashMap<Integer,Integer>()); System.out.println("\nValues in the array: "+la.size()); for (int j = 0; j < ls.size(); j++) { la.get((int)ls.get(j)/10).put((int)ls.get(j)%10, ls.get(j)); } System.out.println("\nThe ordered array is:"); System.out.print("["); for (int i = 0; i < la.size(); i++) for (int k = 0; k < 10; k++) { if(la.get(i).containsKey(k)) System.out.print(la.get(i).get(k)+" "); } System.out.println("]"); }}
Bucket sort:Without bugs!!
![Page 469: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/469.jpg)
469
class MergeSortAlgorithm{ public static int [] mergeSort(int array[])
{ int loop;int rightIndex = 0;int [] leftArr = new int[array.length / 2];int [] rightArr = new int[(array.length - array.length) / 2];if (array.length <= 1)
return array;for (loop = 0 ; loop < leftArr.length ; ++loop)
leftArr[loop] = array[loop];for (; rightIndex < rightArr.length ; ++loop)
rightArr[rightIndex++] = array[loop];mergeSort(leftArr);
rightArr = mergeSort(rightArr);array = merge(leftArr,rightArr);return array; }
public static int [] merge(int [] leftArr , int [] rightArr){ int [] newArray = new int[leftArr.length + rightArr.length];
int leftIndex = 0; int rightIndex = 0; int newArrayIndex = 0;while (leftIndex < leftArr.length && rightIndex < rightArr.length){ if (leftArr[leftIndex] < rightArr[rightIndex])
newArray[newArrayIndex] = leftArr[leftIndex++];newArray[newArrayIndex] = rightArr[rightIndex++];}
while (rightIndex < rightArr.length) newArray[newArrayIndex++] = rightArr[rightIndex++];
while (leftIndex < leftArr.length) newArray[newArrayIndex++] = leftArr[leftIndex++];
return newArray;}public static void print(int [] arr , String caller){ int loop;
for (loop = 0 ; loop < arr.length ; ++loop) System.out.println("caller " + caller + " : " + arr[loop]);}public static void main(String [] args){ int []originalArray = {1,5,4,3,7};
print(originalArray,"before"); originalArray = mergeSort(originalArray);print(originalArray,"after"); }}
![Page 470: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/470.jpg)
470
class MergeSortAlgorithm{ public static int [] mergeSort(int array[])
{ int loop;int rightIndex = 0;int [] leftArr = new int[array.length / 2];int [] rightArr = new int[(array.length - array.length) / 2]; // BUGif (array.length <= 1)
return array;for (loop = 0 ; loop < leftArr.length ; ++loop)
leftArr[loop] = array[loop];for (; rightIndex < rightArr.length ; ++loop)
rightArr[rightIndex++] = array[loop];mergeSort(leftArr); // BUGrightArr = mergeSort(rightArr);array = merge(leftArr,rightArr);return array; }
public static int [] merge(int [] leftArr , int [] rightArr){ int [] newArray = new int[leftArr.length + rightArr.length];
int leftIndex = 0; int rightIndex = 0; int newArrayIndex = 0;while (leftIndex < leftArr.length && rightIndex < rightArr.length){ if (leftArr[leftIndex] < rightArr[rightIndex])
newArray[newArrayIndex] = leftArr[leftIndex++];newArray[newArrayIndex] = rightArr[rightIndex++]; //
TWO BUGS}while (rightIndex < rightArr.length) newArray[newArrayIndex++] =
rightArr[rightIndex++];while (leftIndex < leftArr.length) newArray[newArrayIndex++] =
leftArr[leftIndex++];return newArray;}
public static void print(int [] arr , String caller){ int loop;
for (loop = 0 ; loop < arr.length ; ++loop) System.out.println("caller " + caller + " : " + arr[loop]);}public static void main(String [] args){ int []originalArray = {1,5,4,3,7};
print(originalArray,"before"); originalArray = mergeSort(originalArray);print(originalArray,"after"); }}
![Page 471: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/471.jpg)
471
Test case generation based on LTL specification
CompilerModel
CheckerPath condition
calculation
First orderinstantiator
Testmonitoring
Transitions
Path
Flowchart
LTLAut
![Page 472: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/472.jpg)
472
Goals
Verification of software. Compositional verification. Only a unit of code. Parametrized verification. Generating test cases.
A path found with some truth assignment satisfying the path condition. In deterministic code, this assignment guarantees to derive the execution of the path.
In nondeterministic code, this is one of the possibilities.Can transform the code to force replying the path.
![Page 473: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/473.jpg)
473
Divide and Conquer Intersect property automatonproperty automaton with the
flow chartflow chart, regardless of the statements and program variables expressions.
Add assertions from the property automaton to further restrict the path condition.
Calculate path conditions for sequences found in the intersection.
Calculate path conditions on-the-fly. Backtrack when condition is false.Thus, advantage to forward calculation of path conditions (incrementally).
![Page 474: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/474.jpg)
474
Spec:¬at l2U (at l2/\ ¬at l2/\(¬at l2U at l2))
¬at l2
at l2
¬at l2
at l2
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
![Page 475: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/475.jpg)
475
Spec: ¬at l2U (at l2/\ xy /\
(¬at l2/\(¬at l2U at l2 /\ x2y )))
¬at l2
at l2/\xy
¬at l2
at l2/\x2y
l2:x:=x+z
l3:x<t
l1:…
l2:x:=x+z
l3:x<t
l2:x:=x+z
XX==
xy
x2y
![Page 476: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/476.jpg)
476
Example: GCD
l1:x:=a
l5:y:=z
l4:x:=y
l3:z:=x rem y
l2:y:=b
l6:z=0?yesn
o
l0
l7
![Page 477: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/477.jpg)
477
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0?yesn
o
Oops…with an error (l4 and l5 were switched).
l0
l7
![Page 478: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/478.jpg)
478
Why use Temporal specification
Temporal specification for sequential software?
Deadlock? Liveness? – No! Captures the tester’s intuitionintuition about the
location of an error:“I think a problem may occur when the program runs through the main while loop twice, then the if condition holds, while t>17.”
![Page 479: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/479.jpg)
479
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0?yesn
o
l0
l7
a>0/\b>0/\at l0 /\at l7
at l0/\a>0/\b>0
at l7
![Page 480: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/480.jpg)
480
Example: GCD
l1:x:=a
l5:x:=y
l4:y:=z
l3:z:=x rem y
l2:y:=b
l6:z=0?yesn
o
l0
l7
a>0/\b>0/\at l0/\at l7
Path 1: l0l1l2l3l4l5l6l7a>0/\b>0/\a rem b=0
Path 2: l0l1l2l3l4l5l6l3l4l5l6l7 a>0/\b>0/\a rem b0
![Page 481: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/481.jpg)
481
Potential explosion
Bad point: potential explosion
Good point: may be chopped on-the-fly
![Page 482: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/482.jpg)
482
![Page 483: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/483.jpg)
483
![Page 484: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/484.jpg)
484
![Page 485: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/485.jpg)
485
![Page 486: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/486.jpg)
486
![Page 487: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/487.jpg)
487
![Page 488: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/488.jpg)
488
![Page 489: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/489.jpg)
489
![Page 490: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/490.jpg)
490
![Page 491: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/491.jpg)
491
![Page 492: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/492.jpg)
492
![Page 493: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/493.jpg)
493
![Page 494: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/494.jpg)
494
![Page 495: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/495.jpg)
495
![Page 496: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/496.jpg)
496
Drivers and Stubs Driver: represents the
program or procedure that called our checked unit.
Stub: represents a procedure called by our checked unit.
In our approach: replace both of them with a formula representing the effect the missing code has on the program variables.
Integrate the driver and stub specification into the calculation of the path condition.
l1:x:=a
l5:x:=y
l4:y:=z
l3:z’=x rem y/\x’=x/\y’=x
l2:y:=b
l6:z=0?yesn
o
l0
l7
![Page 497: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/497.jpg)
497
Process Algebra
(Book: Chapter 8)
![Page 498: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/498.jpg)
498
The Main Issue
Q: When are two models equivalent?
A: When they satisfy different properties.
Q: Does this mean that the models have different executions?
![Page 499: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/499.jpg)
499
What is process algebra? An abstract description for
nondeterministic and concurrent systems.
Focuses on the transitions observed rather than on the states reached.
Main correctness criterion: conformance between two models.
Uses: system refinement, model checking, testing.
![Page 500: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/500.jpg)
500
Different models may have the same set of executions!
aa a
b b cc
a-insert coin, b-press pepsi, c-press pepsi-light
d-obtain pepsi, e-obtain pepsi-light
dd ee
![Page 501: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/501.jpg)
501
Actions: Act={a,b,c,d}{}.Agents: E, E’, F, F1, F2, G1, G2, …
E
E’
G2G1
F1 F2
F
aa a
b b cc
Agent E may evolve into agent E’.
Agent F may evolve into F1 or F2.
dd ee
![Page 502: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/502.jpg)
502
Events.
E
E’
G2G1
F1 F2
F
aa a
b b cc
E—aE’, F—aF1, F—aF2, F1—aG1,
F2—aG2. G1—F, G1—F.
![Page 503: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/503.jpg)
503
Actions and co-actions
For each action a, except for , there is a co-action a. a and a interact (a input, a output).The coaction of a is a.
G2G1
F1 F2
Fa a
b c
E
E’
a
b c
![Page 504: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/504.jpg)
504
Notation
a.E – execute a, then continue according to E.E+F – execute according to E or to F.E||F – execute E and F in parallel.
E
G H
F
a
b c
a.(b+c)(actually, a.((b.0)+(c.0))
E—aFF—bGF—cH
0 – deadlock/termination.
![Page 505: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/505.jpg)
505
Conventions
“.” has higher priority than “+”. “.0” or “.(0||0||…||0)” is omitted.
![Page 506: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/506.jpg)
506
CCS - calculus of concurrent systems [Milner]. Syntax
a,b,c, … actions, A, B, C - agents. a,b,c, coactions of a,b,c. -silent action. nil - terminate. a.E - execute a, then behave like E. + - nondeterministic choice. || - parallel composition. \L - restriction: cannot use letters of L. [f] - apply mapping function f between
between letters.
![Page 507: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/507.jpg)
507
Semantics (proof rule and axioms).Structural Operational Semantics SOS
a.p –a p p—ap’ |-- p+q –a p’ q—aq’ |-- p+q –a q’ p—ap’ |-- p|q –a p’|q q—aq’ |-- p|q –a p|q’ p—ap’, q—aq’ |-- p|q – p’|q’ p—ap’ , a R |-- p\L –a p’\R p—ap’ |-- p[m]—m(a)p’[m]
![Page 508: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/508.jpg)
508
Action Prefixing
a.E—aE (Axiom)
Thus, a.(b.(c||c)+d)—a(b.(c||c)+d).
![Page 509: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/509.jpg)
509
Choice
E—aE’ F—aF’ (E+F)—aE’ (E+F)—aF’
b.(c||c)—b(c||c).Thus,
(b.(c||c)+e)—b(c||c).
If E—aE’ and F—aF’, then E+F has a nondeterministic choice.
![Page 510: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/510.jpg)
510
Concurrent Composition
E—aE’ F—aF’ E||F—aE’||F E||F—aE||F’
E—aE’, F—aF’ ———————— E||F—E’||F’
c—c0, c—c0, c||c—0||0, c||c—c0||c, c||c—cc||0.
![Page 511: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/511.jpg)
511
Restriction
E—aE’, a, a R —————————
E\R –aE’\RIn this case: allows only
internal interaction of c.c||c—0||0 c||c—c0||c c||c—cc||0(c||c) \ {c}—(0||0) \{c}
![Page 512: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/512.jpg)
512
Relabeling
E—aE’ ———— E[m] –m(a)E’[m]
No axioms/rules for agent 0.
![Page 513: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/513.jpg)
513
Examples
a.E||b.F
a.E||FE||b.F
E||F
b
b
a
a
![Page 514: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/514.jpg)
514
Derivations
(0||0)
a.(b.(c||c)+d)
b.(c||c)+d
(c||c) 0
(0||c) (c||0)
a
b d
c
cc
c
![Page 515: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/515.jpg)
515
Modeling binary variable
C0=is_0? . C0 + set_1 . C1 + set_0 . C0
C1=is_1? . C1 + set_0 . C0 + set_1 . C1
C0 C1
set_1
set_0
set_0
is_0?
set_1
is_1?
![Page 516: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/516.jpg)
516
Equational Definition
E=a.(b..E+c..E) E—aE’, A=EF=a.b..F+a.c..F A—aE’
G2G1
F1 F2
Fa a
b c
E
E’
a
b c
![Page 517: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/517.jpg)
517
Trace equivalence:Systems have same finite sequences.
Same traces
Fa a
b b
E
a
b c c
E=a.(b+c) F=(a.b)+a.(b+c)
![Page 518: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/518.jpg)
518
Failures: comparing also what wecannot do after a finite sequence.
Fa a
b b
E
a
b c c
Failure of agent E: (σ, X), where after executing σ from E, none of the events in X is enabled.Agent F has failure (a, {c}), which is not a failure of E.
![Page 519: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/519.jpg)
519
Simulation equivalence
Relation over set of agents S. RSS. E R F If E’ R F’ and E’—aE’’, then there
exists F’’, F’—aF’’, and E’’ R F’’.
E
c d
b b
aaF
c d
b b
a
![Page 520: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/520.jpg)
520
Simulation equivalence
Relation over set of agents S. RSS. E R F If E’ R F’ and E’—aE’’, then there exists F’’,
F’—aF’’, and E’’ R F’’.
E
c d
b b
aaF
c d
b b
a
![Page 521: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/521.jpg)
521
Here, simulation works only in one direction. No equivalence!
Relation over set of agents S. RSS. E R F If E’ R F’ and E’—aE’’, then there exists F’’,
F’—aF’’, and E’’ R F’’.
E
c d
b b
aaF
c d
b b
a
want to establish
symmetricallynecessarily
problem!!!
![Page 522: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/522.jpg)
522
Simulation equivalentbut not failure equivalent
Left agent a.b+a has a failure (a,{b}).
E
b
aaF
b
a
![Page 523: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/523.jpg)
523
Bisimulation: same relation simulates in both directions
Not in this case: different simulation relations.
E
b
aaF
b
a
![Page 524: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/524.jpg)
524
Hierarchy of equivalences
Bisimulation
Trace
FailureSimulation
![Page 525: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/525.jpg)
525
Example:
A=a.((b.nil)+(c.d.A))
B=(a.(b.nil))+(a.c.d.B)
a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3
![Page 526: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/526.jpg)
526
Bisimulation between G1 and G2
Let N= N1 U N2
A relation R : N1 x N2 is a bisumulation ifIf (m,n) in R then1. If m—am’ then n’:n—an’ and (m’,n’) in R2. If n—an’ then m’:m—am’ and (m’,n’) in R.
Other simulation relations are possible, I.e., m=a=> m’ when m—…—a—m’.
![Page 527: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/527.jpg)
527
Algorithm for bisimulation:
Partition N into blocks B1B2…Bn=N. Initially: one block, containing all of N. Repeat until no change:
Choose a block Bi and a letter a. If some of the transitions of Bi move to some block Bj and some not, partition Bi accordingly.
At the end: Structures bisimilar if initial states of two structures are in same blocks.
![Page 528: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/528.jpg)
528
Correctness of algorithm
Invariant: if (m,n) in R then m and n remain in the same block throughout the algorithm.
Termination: can split only a finite number of times.
![Page 529: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/529.jpg)
529
Example:
a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3{s0,t0},{s1,s2,s3,t1,t2,t3,t4} split on b
{s0,t0},{s1,t1},{s0,s2,s3,t2,t3,t4}
![Page 530: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/530.jpg)
530
Example:a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3
{s0,t0},{s1,t1},{s2,s3,t2,t3,t4} split on c
{s0,t0},{s1},{t1},{s2,s3,t2,t3,t4}
![Page 531: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/531.jpg)
531
Example:
{s0,t0},{s1},{t1},{s2,s3,t2,t3,t4} split on c
{s0,t0},{s1},{t1},{t4},{s2,s3,t2,t3}
a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3
![Page 532: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/532.jpg)
532
Example:
{s0,t0},{s1},{t1},{t4},{s2,s3,t2,t3} split on d
{s0,t0},{s1},{t1},{t4},{s3, t3},{s2,t2}
a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3
![Page 533: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/533.jpg)
533
Example:
{s0,t0},{s1},{t1},{t4},{s2,t2},{s3,t3} split on a
{s0},{t0},{s1},{t1},{t4},{s3, t3},{s2,t2}
a b
c
ds0
s1 s2
s3 a
d
b
ac
t0
t1
t4
t2
t3
![Page 534: 1 Softrare Reliability Methods Prof. Doron A. Peled Bar Ilan University, Israel And Univeristy of warwick, UK Version 2008.](https://reader038.fdocuments.us/reader038/viewer/2022103015/55160d9f55034694308b5192/html5/thumbnails/534.jpg)
534
Example:
{s0},{t0},{s1},{t1},{t4},{s2,s3,t2,t3} split on d
{s0},{t0},{s1},{t1},{t4},{s3},{t3},{s2,t2}
a b
c
d
s0
s1 s2
s3a
d
b
ac
t0
t1
t4
t2
t3