CS:5810 Formal Methods in Software Engineering

Case Study: Hotel Lock System

Copyright 2007-17 Laurence Pilard and Cesare Tinelli. Produced by Cesare Tinelli from notes originally written by Laurence Pilard at the University of Iowa. These notes are copyrighted materials and may not be used in other course settings outside of the University of Iowa in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.
Acknowledgments

These notes are based on an Alloy example in the following book:

[Jack06] Daniel Jackson. Software Abstractions: Logic, Language, and Analysis. The MIT Press, 2006.

CS:5810 -- Formal Methods in Software Engineering Fall 2017
The Task

• Model in Alloy the disposable card key system used in most hotels for locking and unlocking guest rooms
• The system uses recordable locks, which prevent previous guests from entering a room once it has been re-assigned
• We will model both static and dynamic aspects of the system
Problem Description [Jack06]

“[…] the hotel issues a new key to the next occupant, which recodes the lock, so that previous keys will no longer work. The lock is a simple, stand-alone unit […] with a memory holding the current key combination. A hardware device […] [within the lock] generates a sequence of pseudorandom numbers.”
Problem Description [Jack06]

“The lock is opened either by the current key combination, or by its successor; if a key with the successor is inserted, the successor is made to be the current combination, so that the old combination will no longer be accepted. This scheme requires no communication between the front desk and the door lock.”
Problem Description [Jack06]

“By synchronizing the front desk and the door locks initially, and by using the same pseudorandom generator, the front desk can keep its records of the current combinations in step with the doors themselves.”
Signatures and Fields

Signatures: Time, Key, Room, Guest, FrontDesk

• Key refers to the key combination stored in the magnetic strip of the card
• FrontDesk stores at any time a mapping
  – between each room and its most recent key combination (if any), and
  – between each room and its current guest
Signatures and Fields

• Room refers to the room lock
• Each room (lock) has
  – an associated set of possible keys, and
  – exactly one current key at a time
• Each key belongs to at most one room
• Each guest has zero or more keys at any time
Signatures and Fields

```alloy
module hotel
open util/ordering [Time] as TO
open util/ordering [Key] as KO

sig Key {}
sig Time {}

sig Room {
  keys: set Key,
  currentKey: Key one -> Time
}

sig Guest {
  keys: Key -> Time
}

one sig FrontDesk {
  lastKey: (Room -> lone Key) -> Time,
  occupant: Room -> Guest -> Time
}
```
Room Constraint

• Each key belongs to at most one room

```alloy
fact {
  all k: Key | lone keys.k
}
```
New Key Generation

Given a key k and a set ks of keys, the function nextKey returns the smallest key (in the key ordering) in ks that follows k.

```alloy
fun nextKey [k: Key, ks: set Key]: set Key {
  KO/min [KO/nexts[k] & ks]
}
```
Initial State

The signature declarations above, annotated with the conditions the initial state imposes on their fields:

• No rooms are occupied (FrontDesk.occupant)
• The record of each room's key at the front desk is synchronized with the current combination of the lock itself (FrontDesk.lastKey and Room.currentKey)
• No guests have keys (Guest.keys)
• No constraints on the remaining fields
Hotel Operations: Initial State

```alloy
pred init [t: Time] {
  -- no guests have keys
  no Guest.keys.t
  -- the roster at the front desk shows
  -- no room as occupied
  no FrontDesk.occupant.t
  -- the record of each room's key at the
  -- front desk is synchronized with the
  -- current combination of the lock itself
  all r: Room | r.(FrontDesk.lastKey.t) = r.currentKey.t
}
```
Hotel Operations: Guest Entry

pred entry [g: Guest, r: Room, k: Key, t, t': Time]

• Preconditions:
  – The key used to open the lock is one of the keys the guest is holding
• Pre and post conditions:
  – The key on the card
    • either matches the lock's current key, and the lock remains unchanged (not a new guest), or
    • matches its successor, and the lock is advanced (new guest)
• Frame conditions:
  – no changes to the state of other rooms, or to the set of keys held by guests, or to the records at the front desk
Hotel Operations: Guest Entry

```alloy
pred entry [g: Guest, r: Room, k: Key, t, t': Time] {
  -- the key used to open the lock is one of
  -- the keys the guest is holding
  k in g.keys.t
  -- pre and post conditions
  let ck = r.currentKey |
    -- not a new guest
    (k = ck.t and ck.t' = ck.t) or
    -- new guest
    (k = nextKey[ck.t, r.keys] and ck.t' = k)
  -- frame conditions
  noFrontDeskChange[t, t']
  noRoomChangeExcept[r, t, t']
  noGuestChangeExcept[none, t, t']
}
```
Frame Condition Predicates

```alloy
pred noFrontDeskChange [t, t': Time] {
  FrontDesk.lastKey.t = FrontDesk.lastKey.t'
  FrontDesk.occupant.t = FrontDesk.occupant.t'
}

pred noRoomChangeExcept [rs: set Room, t, t': Time] {
  all r: Room - rs | r.currentKey.t = r.currentKey.t'
}

pred noGuestChangeExcept [gs: set Guest, t, t': Time] {
  all g: Guest - gs | g.keys.t = g.keys.t'
}
```
Hotel Operations: Check-out

pred checkout [g: Guest, t, t': Time]

• Preconditions:
  – the guest occupies one or more rooms
• Postconditions:
  – the guest's rooms become available
• Frame conditions:
  – Nothing changes but the occupant relation
Hotel Operations: Check-out

```alloy
one sig FrontDesk {
  lastKey: (Room -> lone Key) -> Time,
  occupant: Room -> Guest -> Time
}

pred checkout [g: Guest, t, t': Time] {
  let occ = FrontDesk.occupant | {
    -- the guest occupies one or more rooms
    some (occ.t).g
    -- the guest's rooms become available
    occ.t' = occ.t - (Room -> g)
  }
  -- frame conditions
  FrontDesk.lastKey.t = FrontDesk.lastKey.t'
  noRoomChangeExcept[none, t, t']
  noGuestChangeExcept[none, t, t']
}
```
Hotel Operations: Check-in

pred checkin [g: Guest, r: Room, k: Key, t, t': Time]

• Preconditions:
  – the room is available
  – the input key is the successor of the last key in the sequence associated to the room
• Postconditions:
  – the guest holds the input key and becomes the new occupant of the room
  – the input key becomes the room's current key
• Frame conditions:
  – Nothing changes but the occupant relation and the guest's relations
Hotel Operations: Check-in

```alloy
pred checkin [g: Guest, r: Room, k: Key, t, t': Time] {
  let occ = FrontDesk.occupant |
  let lk = FrontDesk.lastKey | {
    -- the room has no current occupant
    no r.occ.t
    -- the input key is the successor of the last key in
    -- the sequence associated to the room
    k = nextKey[r.lk.t, r.keys]
    -- the guest becomes the new occupant of the room
    occ.t' = occ.t + r->g
    -- the guest holds the input key
    g.keys.t' = g.keys.t + k
    -- the input key becomes the room's current key
    lk.t' = lk.t ++ r->k
  }
  noRoomChangeExcept[none, t, t']
  noGuestChangeExcept[g, t, t']
}
```
Trace Generation

• The first time step satisfies the initialization conditions
• Any pair of consecutive time steps are related by
  – an entry operation, or
  – a check-in operation, or
  – a check-out operation
Trace Generation

```alloy
pred trans [t, t': Time] {
  some g: Guest, r: Room, k: Key |
    entry[g, r, k, t, t'] or
    checkin[g, r, k, t, t'] or
    checkout[g, t, t']
}

fact Traces {
  init[TO/first]
  all t: Time - TO/last |
    let t' = TO/next[t] | trans[t, t']
}
```
Analysis

• Let's check if unauthorized entries are possible:
  – If a guest g enters room r at time t, and the front desk records show r as occupied at that time, then g must be a recorded occupant of r.

```alloy
assert noBadEntry {
  all t: Time, r: Room, g: Guest, k: Key |
    let t' = TO/next[t] |
    let o = r.(FrontDesk.occupant.t) |
      (entry[g, r, k, t, t'] and some o) implies g in o
}
```
Analysis

check noBadEntry for 3 but 2 Room, 2 Guest, 5 Time

• It is enough to check for problems already with just 2 guests and 2 rooms
• Time's scope must be at least 5 because at least 4 time steps are needed to execute each operation once.
• There is a counter-example (see file hotel1.als)
T0: Initial State

Initially, the current key of Room is Key0, which is also reflected in the front desk's record.

T1: Checkin Operation

Guest1 checks into Room and receives key Key1; the occupancy roster at the front desk is updated accordingly; Key1 is recorded as the last key assigned to Room.

T2: Checkout Operation

Guest1 checks out, and the occupancy roster is cleared.

T3: Checkin Operation

Guest0 checks into Room and receives key Key2; the occupancy roster at the front desk is updated accordingly; Key2 is recorded as the last key assigned to Room.

T4: Enter Operation

Guest1 presents Key1 to the lock of Room, and is admitted: the lock's current key is still Key0, since nobody entered the room after the two check-ins, so Key1 is its successor and the lock advances to it.
Necessary Restriction

There must be no intervening operation between a guest's check-in and room entry.

```alloy
fact noIntervening {
  all t: Time - TO/last |
    let t' = TO/next [t] |
    let t'' = TO/next [t'] |
      all g: Guest, r: Room, k: Key |
        checkin[g, r, k, t, t'] implies
          (entry[g, r, k, t', t''] or no t'')
}
```
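The model can also be exercised outside Alloy. The following Python program is an added example written for these notes; it is not the course's hotel1.als or hotel2.als, but a re-creation of the slides' operations (init, entry, checkin, checkout), of nextKey, of the "current key or its successor" lock rule from the problem description, and of noBadEntry and noIntervening as runtime checks over one finite trace. Keys are modelled as integers ordered by value, standing in for util/ordering[Key]; the room name "Room", the guests "Guest0" and "Guest1" and the key sequence Key0..Key2 are constructed to match the counter-example trace T0..T4; every class and function name is this example's own.

```python
from dataclasses import dataclass, field


def next_key(k, ks):
    """The slides' nextKey: the smallest key in ks that follows k in the key
    ordering; None where the Alloy function yields the empty set."""
    later = [x for x in ks if x > k]
    return min(later) if later else None


@dataclass
class Room:
    keys: frozenset   # keys that can ever open this lock (Room.keys)
    current_key: int  # combination in the lock's memory (Room.currentKey)


@dataclass
class Hotel:
    rooms: dict                                      # room name -> Room
    last_key: dict = field(default_factory=dict)     # FrontDesk.lastKey
    occupant: dict = field(default_factory=dict)     # FrontDesk.occupant
    guest_keys: dict = field(default_factory=dict)   # Guest.keys
    log: list = field(default_factory=list)          # (op, guest, room, key) per step
    bad_entries: list = field(default_factory=list)  # noBadEntry violations found

    def init(self):
        """init[t]: no guest keys, no occupants, desk records in step with the locks."""
        self.guest_keys, self.occupant = {}, {}
        self.last_key = {r: room.current_key for r, room in self.rooms.items()}

    def entry(self, g, r, k):
        """entry[g, r, k, t, t']: True if the lock opens for key k."""
        if k not in self.guest_keys.get(g, set()):
            raise ValueError("precondition: the guest must hold the key")
        room = self.rooms[r]
        if k != room.current_key:                          # current key: lock unchanged
            if k != next_key(room.current_key, room.keys):
                return False                               # stale or foreign key: rejected
            room.current_key = k                           # successor key: lock advances
        # noBadEntry: entering a room the desk shows as occupied requires being its occupant
        if r in self.occupant and self.occupant[r] != g:
            self.bad_entries.append((g, r, k, self.occupant[r]))
        self.log.append(("entry", g, r, k))
        return True

    def checkin(self, g, r):
        """checkin[g, r, k, t, t'] with k = nextKey[r.lk.t, r.keys]; returns k."""
        if r in self.occupant:
            raise ValueError("precondition: the room must be available")
        k = next_key(self.last_key[r], self.rooms[r].keys)
        if k is None:
            raise ValueError("precondition: the room's key sequence is exhausted")
        self.occupant[r] = g
        self.guest_keys.setdefault(g, set()).add(k)
        self.last_key[r] = k
        self.log.append(("checkin", g, r, k))
        return k

    def checkout(self, g):
        """checkout[g, t, t']: the guest's rooms become available; keys are kept."""
        rooms = [r for r, occ in self.occupant.items() if occ == g]
        if not rooms:
            raise ValueError("precondition: the guest must occupy a room")
        for r in rooms:
            del self.occupant[r]
        self.log.append(("checkout", g, None, None))


def no_intervening(log):
    """The noIntervening fact over a finite trace: each check-in is either the last
    step or immediately followed by that guest entering that room with that key."""
    for i, (op, g, r, k) in enumerate(log):
        if op == "checkin" and i + 1 < len(log) and log[i + 1] != ("entry", g, r, k):
            return False
    return True


def counterexample_trace():
    """T0..T4 from the slides (hotel1.als), on a constructed one-room hotel."""
    h = Hotel(rooms={"Room": Room(keys=frozenset({0, 1, 2}), current_key=0)})
    h.init()                      # T0: lock and desk record both at Key0
    h.checkin("Guest1", "Room")   # T1: Guest1 receives Key1
    h.checkout("Guest1")          # T2: roster cleared; the lock is still at Key0
    h.checkin("Guest0", "Room")   # T3: Guest0 receives Key2
    h.entry("Guest1", "Room", 1)  # T4: Key1 is the lock's successor, so the door opens
    return h


def restricted_trace():
    """The same bookings with no operation between each check-in and room entry."""
    h = Hotel(rooms={"Room": Room(keys=frozenset({0, 1, 2}), current_key=0)})
    h.init()
    h.checkin("Guest1", "Room")
    h.entry("Guest1", "Room", 1)  # lock advances to Key1
    h.checkout("Guest1")
    h.checkin("Guest0", "Room")
    h.entry("Guest0", "Room", 2)  # lock advances to Key2
    h.entry("Guest1", "Room", 1)  # Key1 is now stale: the lock rejects it
    return h
```

Calling counterexample_trace() replays T0..T4: after Guest0's check-in the lock still holds Key0, so Guest1's Key1 is accepted as the successor and the entry is recorded in bad_entries, while no_intervening(h.log) reports that the trace breaks the restriction (the check-in at T1 is followed by a check-out, not an entry). restricted_trace() makes the same bookings with each check-in immediately followed by the guest's entry; the lock then advances at every entry, and Guest1's old Key1 is rejected because it is neither the current key nor its successor. As in the Alloy model, entry only mirrors the lock's behaviour and the noBadEntry check only observes it, which is why the fix is a restriction on admissible traces rather than a change to the lock.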
Analysis

• We check once again: check noBadEntry for 3 but 2 Room, 2 Guest, 5 Time
  – No counter-example (see file hotel2.als)
• For greater confidence, we increase the scope: check noBadEntry for 5 but 3 Room, 3 Guest, 9 Time
  – No counter-examples