Design and implementation of
embedded formal verification assistants in the .NET framework
Ondrej RysavyBrno University of Technology, CZ
Rotor RFP II Capstone Workshop September 19-21, 2005 @ Redmond, US
2
Overview
Motivations Goals and the Scope Container-Concept-Algorithms approach Design principles Implementation issues Example Progress and future work
3
Introduction
Using formal methods is the acceptable approach for ensuring the development of more reliable systems. (http://www.fmeurope.org)
Why not used more extensively? Many reasons:
They’re expensive. Need to adapt the methods for particular kind of
applications. Need an easy way to specialize the tools. Tools are not only efficient algorithms, but also editors,
wizards, proof assistants, and other support tools.
4
The Goal
An experimental implementation of class library for .NET that would have the following properties: To collect well-known algorithms for MC and logical
reasoning in a class library designed in a uniform style To support the development of specialized tools by using
generic algorithms To exploit the advantages of .NET architecture To be extensible, efficient, manageable, and easy to use
library
5
What algorithms ?
Existing tools use various specialized versions of the common algorithms
Model Checking algorithms: Explicit state search – direct labeling procedure Automata theoretic – product operation, emptiness checking,
on-the-fly modifications, partial reductions Symbolic based on BDD library …
Logics: Sat solver for PL Simplification procedures Syntactic rules, rewriting …
6
.NET
First implementations had been done in .NET version 1.x. Redesigned and implemented for .NET 2.x, mainly
because we wanted to use generics. We mainly use C#, C++ and F# as implementation
languages. We wanted to follow as much as possible the rules of
Design guidelines for Cass Library Developers and the
spirit of .NET class libraries naming conventions, interface design, enumerators,
common design patterns, etc.
7
Library model
Algorithm-oriented library Efficient generic algorithms Container-Concept-Algorithm model
Container is an implementation of a concrete
data structure used as an input, output or
internal data in an algorithm Concept is a definition of properties of a
container needed by an algorithm
8
Algorithm oriented library
AlgorithmProblem Solution
Configuration
Concept
Container Reference
Procedure
9
Algorithm oriented library
AlgorithmProblem Solution
Configuration
Concept
Container Reference
Procedure
10
Algorithm oriented library
AlgorithmProblem Solution
Configuration
Concept
Container Reference
Procedure
11
Mapping CCA to .NET
The mapping is quite straightforward for object-oriented implementation languages:
CCA Model .NET
Algorithm Class
Concept Interface
Container Class
Procedure Method
Reference Class or Value type
Solution Interface/Class
Problem Interface/Class
Configuration Interface/Class
12
Container –Concept – Algorithm model
The purpose of CCA model is to allow us to write efficient
algorithms An algorithm defines a collection of concepts that each
container has to necessary meet A concept is a collection of properties or operations Container is in general a user defined object, but we have
also some predefined ones An algorithm works in an environment that supports all
other stuffs needed – internal concepts, provided through
problem definition and/or configuration set.
13
An efficiency note 1
Algorithms often create and use some auxiliary data For the efficiency reason one must also to provide
implementations for these internal data User provided all these implementations can arbitrary
customize and optimized them as needed We represent an internal data in the same way as input
data, through the concept notion. Sometimes it is not clearly separated what is the problem
specification and what is the internal concept.
14
The use of internal concepts
A trivial example:
ArrayList<term> sat;
ArrayList<term> sat0;
sat = new ArrayList();
sat0 = GetAllTerms();
while(!sat0.Equals(sat))
{
sat0 = new ArrayList(sat);
foreach(term t in sat0)
{
if(Satisfied(t))
sat.Add(t);
}
}
ISet<term> sat;
ISet<term> sat0;
sat = termSet.Empty();
sat0 = GetAllTerms();
while(!sat0.Equals(sat))
{
sat0 = sat.Copy();
foreach(term t in sat0)
{
if(Satisfied(t))
sat.Add(t);
}
}
15
The internal concepts
Configuration
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
Input-conceptsOutput-concepts
Internal-concepts
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
16
The internal concepts
Configuration
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
Input-conceptsOutput-concepts
Internal-concepts
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
17
The internal concepts
Configuration
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
Input-conceptsOutput-concepts
Internal-concepts
Problem
AlgorithmInput-concepts Output-concepts
Internal-concepts
18
Containers
As the name suggests a container usually models a
containment structure. Contrary to STL, we consider container in a slightly broader
sense: Generic Set, State machine, Expressions, Formula,
Path, Trace, Inference Tree, ... Containers provide concepts, it is convenient that they
provides only the concepts they are able to implement
efficiently. A library provides some predefined basic containers or
special broader usable containers.
19
An efficiency note 2
Containers consists of items and we often need to work with these items.
How to represents these items ? As concepts – too weight in many situation, it can raise
to significant overhead and loss of performance As unspecified types – no restriction on the concrete
implementation (or possibly very general ones)
interface IState<LABEL>
{
bool InitState { get; }
ISet<IState> AdjancentStates { get; }
LABEL Label { get; }
}
interface IStateMachine<LABEL, STATE>
{
STATE InitState();
ISet<STATE> GetAdjancentStates(STATE s);
LABEL GetLabel(STATE s);
}
A
C
B
D
4 states vs.
4.106 states
class StateMachine :
IStateMachine<int, int>
{
int GetLabel(int s) {
return states[s].label; }
}
class State : IState<int, int>
{
private:
int stateId;
StateMachine *machine;
}
20
References and iterators are of “unknown types”
The concepts are parameterized with
these types. It brings also the flexibility besides the
mentioned efficiency.
+GetAtomValue(in term : Term) : Atom+GetLeftSubterm(in term : Term) : Term+GetRightSubterm(in term : Term) : Term+GetSubterm(in term : Term) : Term+GetTermType() : LtlTermType
ILtlFormula
Term, Atom
+Atom+Not+Or+And+Imply+Equiv+X+G+F+U+R+W
«enumeration»LtlTermType
// F# implementation of Termtype 'a Term = | True | False | Atom of 'a | Not of 'a Term | And of 'a Term * 'a Term | Or of 'a Term * 'a Term | Imply of 'a Term * 'a Term | Equiv of 'a Term * 'a Term | X of 'a Term | F of 'a Term | G of 'a Term | U of 'a Term * 'a Term | W of 'a Term * 'a Term | R of 'a Term * 'a Termwith ...end
// C# implementation of Termclass Term<T> { private LtlTermType typ; private Term<T> subterms[2]; private T atom; ... }
21
SolutionProblem
Architecture example
Labelling algorithmC#StateMachine
C++, STL
CtlFormulaF#
Custom AllocatorC++
State CollectionC++, STL
Labelling algorithm
Formula
Automaton Set of States
Formula
.NET GC
22
SolutionProblem
Architecture example
Labelling algorithmC#StateMachine
C++, STL
CtlFormulaF#
Custom AllocatorC++
State CollectionC++, STL
Labelling algorithm
Formula
Automaton Set of States
Formula
.NET GC
23
GC Internal Tables
An efficiency note 3
Creating each item in a container as GC object may be very expensive. The present model allows the programmer implementing the container to
take more optimal approach, e.g. array of values. As C++ can work with memory in the “classical style” it is still possible to
write containers with custom memory management model.
ObjectHeader
TypeHandle
ObjectFields
4B
4B
+
24
Example: The Labeling algorithm [1]
Formula CTL is defined by the abstract syntax:
f ::= p | f * f | f + f | !f | f -> f | f <-> f
| AG f | AF f | AX f | EG f | EF f | EX f | f AU g | f EU g
Automaton A = (S, T, L)
S –set of states
T ⊆ S × S – transition relation
L: S → 2AP - labeling of states with a set of atomic
propositions (AP) satisfied in the
state
Labeling algorithm is a function
Fun : A × F → 2S
Container
Concepts
Container
Concepts
Algorithm
25
Example: The Labeling algorithm [2]
Labeling Algorithm
Automaton
Ctl Formula
State Set
State
Term
Atom
State Set Factory
State Labeling
Algorithm Reference Concept
26
Example: The Labeling algorithm [2]
Labeling Algorithm
Automaton
Ctl Formula
State Set
State
Term
Atom
State Set Factory
State Labeling
Algorithm Reference Concept
27
Example: The Labeling algorithm [2]
Labeling Algorithm
Automaton
Ctl Formula
State Set
State
Term
Atom
State Set Factory
State Labeling
Algorithm Reference Concept
28
Example: The Labeling algorithm [3]public interface ILabellingProblem<State, Term, Atom> : IProblem{ ICtlFormula<Term, Atom> Formula { get; } IAutomatonStateBackward<State> Automaton { get; } ILabeledStates<State, Atom> StateLabelling { get; }}
public class LabellingAlgorithm<State, Term, Atom> : IAlgorithm{ public static LabellingAlgorithm<State, Term, Atom> Create(ILabellingConfiguration configuration); public ILabellingSolution<State, Term, Atom> Solve(ILabellingProblem problem); ...}
public interface ILabellingConfiguration<State, Term, Atom> : IConfiguration{ ISetFactory<State> StateSetFactory { get; } bool ComputeAllOperators{ get; }}
public interface ILabellingSolution<State, Term, Atom> : ISolution{ ICtlFormula<Term, Atom> Formula { get; } ISet<State> States { get; }}
29
Example: The Labeling algorithm [3]public interface ILabellingProblem<State, Term, Atom> : IProblem{ ICtlFormula<Term, Atom> Formula { get; } IAutomatonStateBackward<State> Automaton { get; } ILabeledStates<State, Atom> StateLabelling { get; }}
public class LabellingAlgorithm<State, Term, Atom> : IAlgorithm{ public static LabellingAlgorithm<State, Term, Atom> Create(ILabellingConfiguration configuration); public ILabellingSolution<State, Term, Atom> Solve(ILabellingProblem problem); ...}
public interface ILabellingConfiguration<State, Term, Atom> : IConfiguration{ ISetFactory<State> StateSetFactory { get; } bool ComputeAllOperators{ get; }}
public interface ILabellingSolution<State, Term, Atom> : ISolution{ ICtlFormula<Term, Atom> Formula { get; } ISet<State> States { get; }}
30
Example: The Labeling algorithm [3]public interface ILabellingProblem<State, Term, Atom> : IProblem{ ICtlFormula<Term, Atom> Formula { get; } IAutomatonStateBackward<State> Automaton { get; } ILabeledStates<State, Atom> StateLabelling { get; }}
public class LabellingAlgorithm<State, Term, Atom> : IAlgorithm{ public static LabellingAlgorithm<State, Term, Atom> Create(ILabellingConfiguration configuration); public ILabellingSolution<State, Term, Atom> Solve(ILabellingProblem problem); ...}
public interface ILabellingConfiguration<State, Term, Atom> : IConfiguration{ ISetFactory<State> StateSetFactory { get; } bool ComputeAllOperators{ get; }}
public interface ILabellingSolution<State, Term, Atom> : ISolution{ ICtlFormula<Term, Atom> Formula { get; } ISet<State> States { get; }}
31
Example: The Labeling algorithm [3]public interface ILabellingProblem<State, Term, Atom> : IProblem{ ICtlFormula<Term, Atom> Formula { get; } IAutomatonStateBackward<State> Automaton { get; } ILabeledStates<State, Label> StateLabelling { get; }}
public class LabellingAlgorithm<State, Term, Atom> : IAlgorithm{ public static LabellingAlgorithm<State, Term, Atom> Create(ILabellingConfiguration configuration); public ILabellingSolution<State, Term, Atom> Solve(ILabellingProblem problem); ...}
public interface ILabellingConfiguration<State, Term, Atom> : IConfiguration{ ISetFactory<State> StateSetFactory { get; } bool ComputeAllOperators{ get; }}
public interface ILabellingSolution<State, Term, Atom> : ISolution{ ICtlFormula<Term, Atom> Formula { get; } ISet<State> States { get; }}
32
Project progress and future work
Design the model and the basic architecture, Develop an infrastructure for the project Implementation of the foundations Implementation of several selected algorithms, and basic
containers Polish the implementation and make it available online Complete the documentation throughout the library Evaluation and comparison of the efficiency of the
implementation of algorithms Intensive testing Further development of the library
Future Present Past
33
Links
The official project website: http://vutbrmsr.sourceforge.net/ Other (related) projects:
Orbital library (JAVA)http://www.functologic.com/orbital/
BOOST C++ librarieshttp://www.boost.org/
Carnegie Mellon Univ. Model-Checking toolshttp://www.cs.cmu.edu/~modelcheck/code.htm
Common Framework Initiative for algebraic specification and development http://www.brics.dk/Projects/CoFI/
Community Z Toolshttp://czt.sourceforge.net/
Formal Methods Projects page at FM Libraryhttp://vl.fmnet.info/projects/
Math.NEThttp://nmath.sourceforge.net
JavaDD library http://javaddlib.sourceforge.net/
Top Related