Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Cheng/Dillon-Software Cheng/Dillon-Software Engineering: Formal MethodsEngineering: Formal Methods

Model CheckingModel Checking

Cheng/Dillon-Software Engineering: Model CheckingCheng/Dillon-Software Engineering: Model Checking

Model CheckingModel Checking

Used in studying behaviors of reactive systems

Typically involves three steps: Create a finite state model (FSM) of the

system design Specify critical correctness properties Validate the model w/r to the specifications


Create a FSMCreate a FSM

FSM languages focus on expressing concurrency, synchronization, and

communication

abstract details of internal computations

must be precise and unambiguous (formally defined syntax and

semantics)

We will use Promela for giving system descriptions


Specify correctness propertiesSpecify correctness properties

Safety properties: Nothing “bad” ever happens

Formalized using state invariants execution never reaches a “bad” state

Liveness properties: Something “good” eventually happens

Formalized using temporal logic

special logic for describing sequences


Validate the modelValidate the model

“Execute” the model to test it simulate executions of the system

check satisfaction of safety properties along simulated

executions

Exhaustive analysis

generate reachability graph to verify safety and liveness

properties

Generate counterexamples to illustrate failures


Home Heating SystemHome Heating System


Example propertiesExample properties

Pump is never on unless Burner is also on

Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on


Reachability GraphReachability Graph

Graph of global states that can be “reached” during execution

global state contains a state for each concurrent “process”transitions show how an event or action transforms the global state

Analyze global state space to verify safety propertiesAnalyze paths through the RG to verify liveness properties


PromelaPromela

The system description language of SPIN Designed for modeling data communication

protocols System described as a collection of

concurrent processes Processes communicate and synchronize via

message channels and global variables


PromelaPromela

Specify macro definitions

#define signal 0

Declare symbolic constants mtype = { ON, OFF, LOW, OK }

Declare a synchronous message channel chan pump_in = [0] of { mtype }


PromelaPromela

Create a process instance

active proctype pump ( ) { statements }

Send a message pump_in!ON

Receive a message pump_in?ON


Promela version of HHSPromela version of HHS


SPIN simulation of HHSSPIN simulation of HHS

SPIN automatically generates sequence diagrams to represent executions

random guided interactive

Automates tracing between system views sequence diagram Promela description state diagram textual execution traces


Verification of a safety propertyVerification of a safety property

Pump is never on unless Burner is also on


Verification of a liveness propertyVerification of a liveness property

Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on


Verification of a liveness propertyVerification of a liveness property

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

Documents

Transcript of Cheng/Dillon-Software Engineering: Formal Methods Model Checking.