applications of formal verification...late fault recovery is expensive [“extra time saves...
TRANSCRIPT
![Page 1: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/1.jpg)
KIT – INSTITUT FUR THEORETISCHE INFORMATIK
Applications of Formal VerificationFormal Software Design: Modelling in Event-B
Bernhard Beckert · Mattias Ulbrich | SS 2019
KIT – University of the State of Baden-Wurttemberg and National Large-scale Research Center of the Helmholtz Association
![Page 2: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/2.jpg)
Literatur
Jean-Raymond Abrial:Modelling in Event-BSystem and SoftwareEnginieeringCambridge University Press,2010
BJean-Raymond Abrial:The B-Book:Assigning programsto meaningsCambridge University Press,1996
Beckert, Ulbrich – Applications of Formal Verification SS 2019 2/96
![Page 3: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/3.jpg)
Abstraction and Refinement –Introduction
Beckert, Ulbrich – Applications of Formal Verification SS 2019 3/96
![Page 4: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/4.jpg)
Late fault recovery is expensive
[“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990]
Goal: Detectfaults here!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 4/96
![Page 5: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/5.jpg)
Late fault recovery is expensive
[“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990]
Goal: Detectfaults here!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 4/96
![Page 6: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/6.jpg)
Reasons for system faults
Systems are inherently complex
Unconsidered situations, corner cases
Ambiguous natural language requirements
Component interplay
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 5/96
![Page 7: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/7.jpg)
Reasons for system faults
Systems are inherently complex
Unconsidered situations, corner cases
Ambiguous natural language requirements
Component interplay
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 5/96
![Page 8: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/8.jpg)
Reasons for system faults
Systems are inherently complex
Unconsidered situations, corner cases
Ambiguous natural language requirements
Component interplay
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 5/96
![Page 9: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/9.jpg)
Reasons for system faults
Systems are inherently complex
Unconsidered situations, corner cases
Ambiguous natural language requirements
Component interplay
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 5/96
![Page 10: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/10.jpg)
Reasons for system faults
Systems are inherently complex
Unconsidered situations, corner cases
Ambiguous natural language requirements
Component interplay
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 5/96
![Page 11: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/11.jpg)
Abstraction
The only tool to master complexity isabstraction.
CLIFF JONES
Beckert, Ulbrich – Applications of Formal Verification SS 2019 6/96
![Page 12: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/12.jpg)
Abstraction and Refinement
AbstractionAbstract
Concrete
Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 7/96
![Page 13: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/13.jpg)
Abstraction and Refinement
Abstraction
Abstract
Concrete
Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 7/96
![Page 14: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/14.jpg)
Abstraction and Refinement
Abstraction
Abstract
Concrete
Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 7/96
![Page 15: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/15.jpg)
Abstraction and Refinement
Abstraction
Abstract
Concrete
Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 7/96
![Page 16: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/16.jpg)
Abstraction and Refinement
AbstractionAbstract
Concrete
Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 7/96
![Page 17: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/17.jpg)
Abstraction
Abstractionreduce system complexitywithout removing important propertiesmake the model susceptible to formal analysis
and the inverse
Refinementenrich abstract model with detailsintroduce a new particular aspectiterative process: add complexity in a stepwise fashion
Beckert, Ulbrich – Applications of Formal Verification SS 2019 8/96
![Page 18: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/18.jpg)
Abstraction in Engineering
Abstraction is an important tool in engineering
Established means of abstractionMechanical engineering: BLUEPRINTS
Electrical engineering: DATASHEETS
CIRCUIT DIAGRAMS
Architecture: FLOOR PLANS
. . .
Abstract descriptions remove unnecessary details,concentrate on one aspect
Beckert, Ulbrich – Applications of Formal Verification SS 2019 9/96
![Page 19: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/19.jpg)
Datasheet – AbstractionExtracts from datasheet for an IC with four NAND gates
Aspect Behaviour
refined to
Aspect Geometry
refined to
Beckert, Ulbrich – Applications of Formal Verification SS 2019 10/96
![Page 20: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/20.jpg)
Datasheet – AbstractionExtracts from datasheet for an IC with four NAND gates
Aspect Behaviour
refined to
Aspect Geometry
refined to
Beckert, Ulbrich – Applications of Formal Verification SS 2019 10/96
![Page 21: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/21.jpg)
Datasheet – AbstractionExtracts from datasheet for an IC with four NAND gates
Aspect Behaviour
refined to
Aspect Geometry
refined to
Beckert, Ulbrich – Applications of Formal Verification SS 2019 10/96
![Page 22: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/22.jpg)
Datasheet – AbstractionExtracts from datasheet for an IC with four NAND gates
Aspect Behaviour
refined to
Aspect Geometry
refined to
Beckert, Ulbrich – Applications of Formal Verification SS 2019 10/96
![Page 23: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/23.jpg)
Schematic Diagram vs. PCB Layout
Aspect“Behaviour”preserved
Beckert, Ulbrich – Applications of Formal Verification SS 2019 11/96
![Page 24: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/24.jpg)
Schematic Diagram vs. PCB Layout
Aspect“Behaviour”preserved
Beckert, Ulbrich – Applications of Formal Verification SS 2019 11/96
![Page 25: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/25.jpg)
Beck diagrams (1931)
Aspect“Route planning”is preserved
Beckert, Ulbrich – Applications of Formal Verification SS 2019 12/96
![Page 26: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/26.jpg)
Beck diagrams (1931)
Aspect“Route planning”is preserved
Beckert, Ulbrich – Applications of Formal Verification SS 2019 12/96
![Page 27: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/27.jpg)
Property preservation
Abstraction with focus on particular aspectSystem properties w.r.t. that aspect must also hold in theabstraction.
Refinement with focus on particular aspectProperties of abstract model w.r.t. that aspect must be inheritedby the refined model.
That’s what we will formally provein the next sections.
Examples:Abstraction: “The shortest tube travel from Liverpool St. toWestminster has 8 stops and 2 changes.”Refinement: Abstract : Input “a = 1” gives output “b = 1”Concrete: High voltage on pin A gives high voltage on pin B
Beckert, Ulbrich – Applications of Formal Verification SS 2019 13/96
![Page 28: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/28.jpg)
Property preservation
Abstraction with focus on particular aspectSystem properties w.r.t. that aspect must also hold in theabstraction.
Refinement with focus on particular aspectProperties of abstract model w.r.t. that aspect must be inheritedby the refined model. That’s what we will formally prove
in the next sections.
Examples:Abstraction: “The shortest tube travel from Liverpool St. toWestminster has 8 stops and 2 changes.”Refinement: Abstract : Input “a = 1” gives output “b = 1”Concrete: High voltage on pin A gives high voltage on pin B
Beckert, Ulbrich – Applications of Formal Verification SS 2019 13/96
![Page 29: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/29.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstraction
reduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 30: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/30.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 31: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/31.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 32: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/32.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 33: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/33.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 34: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/34.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a technique
reduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 35: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/35.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 36: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/36.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 37: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/37.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 38: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/38.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 39: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/39.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 40: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/40.jpg)
“Conceptual” vs “Technical” AbstractionTwo areas of abstraction and refinement in formal methods:
Conceptual abstractionreduce complexity for more comprehensibilityfocus on a particular system aspectprovided by designer/developerrefinement introduces new aspect
Abstraction as a techniquereduce complexity to enhance performance/reach of a toolabstract from given predicates to uninterpreted predicatescomputed automaticallyrefinement driven by failed proofs(Counter-Example Guided Abstraction Refinement, CEGAR)
That’s what we will lookinto in the next sections.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 14/96
![Page 41: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/41.jpg)
Event-B –Introduction
Beckert, Ulbrich – Applications of Formal Verification SS 2019 15/96
![Page 42: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/42.jpg)
Event-B
EventB is a formalism for modelling and reasoning aboutdiscrete systems.
for their structure (how can their state be described) andfor their behaviour (how can the evolution of their state bedescribed)
Models are formulated using set theory
Event-based evolution of the original B Method
Tool-support:RODIN – deductive verification, theorem prover: proofsPro-B – model checking, animator: counterexamples
Beckert, Ulbrich – Applications of Formal Verification SS 2019 16/96
![Page 43: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/43.jpg)
Central Concepts
Variables and EventsVariables model the current state within the state space.Events describe operations to model the system behaviour
Invariantsproperties to be maintained by systemformal proof obligations to show that
RefinementBehaviour of refining model is compatible with abstractmodelformal proof obligation to show thatHence, invariants of abstract model are inherited byconcrete model
Beckert, Ulbrich – Applications of Formal Verification SS 2019 17/96
![Page 44: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/44.jpg)
Central Concepts
Variables and EventsVariables model the current state within the state space.Events describe operations to model the system behaviour
Invariantsproperties to be maintained by systemformal proof obligations to show that
RefinementBehaviour of refining model is compatible with abstractmodelformal proof obligation to show thatHence, invariants of abstract model are inherited byconcrete model
Beckert, Ulbrich – Applications of Formal Verification SS 2019 17/96
![Page 45: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/45.jpg)
Contexts and Machines
Event-B modelssystems state evolution over time, triggered by events
Event-B models consist of contexts and machines:
ContextsStatic, rigid, constant parts that do not change over time.
MachinesDynamic, volatile, evolving parts that do change over time.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 18/96
![Page 46: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/46.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 47: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/47.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 48: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/48.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 49: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/49.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 50: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/50.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 51: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/51.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 52: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/52.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 53: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/53.jpg)
Contexts and MachinesEvent-B models consist of contexts and machines:
ContextsCarrier sets (ground types, universes, “urelements”)Constants (state-independent symbols, rigid symbols)Axioms (formulas valid by stipulation)Theorems (formulas proved valid)
MachinesContext references (which symbols are available)Variables (state-dependent symbols, non-rigid symbols,program variables)Invariants (formulas true in every reachable system state)Events (state transition descriptions)
(Explanations or alternative names in parens)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 19/96
![Page 54: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/54.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 55: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/55.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 56: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/56.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 57: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/57.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 58: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/58.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 59: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/59.jpg)
Introduction by Example
Students and Exams – RequirementsR1 Every student must take a final exam in a subject of their
choice.
R2 They can have attempts without yet failing or passing.
R3 Eventually they can pass or fail, but never both.
Ü Identify the context, the state and the events according tothe requirements R1–R3.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 20/96
![Page 60: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/60.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 61: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/61.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 62: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/62.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 63: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/63.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECT
maths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 64: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/64.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same value
siblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 65: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/65.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type
∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 66: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/66.jpg)
Exam Context
CONTEXT ExamCtxt
SETSSTUDENT // see requirement R1SUBJECT
CONSTANTSmaths physics siblings
AXIOMSmaths ∈ SUBJECT // type of variablesphysics ∈ SUBJECTmaths 6= physics // constants could have same valuesiblings ⊆ STUDENT × STUDENT // function type∀s · s ∈ STUDENT ⇒ (s 7� s) 6∈ siblings // irreflexive// . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 21/96
![Page 67: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/67.jpg)
Exam Machine
MACHINE ExamAbstract
SEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENTpassed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 68: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/68.jpg)
Exam Machine
MACHINE ExamAbstractSEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENTpassed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 69: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/69.jpg)
Exam Machine
MACHINE ExamAbstractSEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENTpassed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 70: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/70.jpg)
Exam Machine
MACHINE ExamAbstractSEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENT
passed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 71: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/71.jpg)
Exam Machine
MACHINE ExamAbstractSEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENTpassed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 72: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/72.jpg)
Exam Machine
MACHINE ExamAbstractSEES ExamCtxt
VARIABLESpassed failed
INVARIANTSpassed ⊆ STUDENT failed ⊆ STUDENTpassed ∩ failed = ∅ //R3
EVENTSINITIALISATION = . . .ATTEMPTEXAM = . . . //R2PASSEXAM = . . . //R3FAILEXAM = . . . //R3
Beckert, Ulbrich – Applications of Formal Verification SS 2019 22/96
![Page 73: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/73.jpg)
Exam Machine (2)
MACHINE ExamAbstractVARIABLES passed failed . . .
EVENTSINITIALISATION =
failed := ∅passed := ∅
PASSEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade ≤ 4THEN passed := passed ∪ {s}
FAILEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade > 4THEN failed := failed ∪ {s}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 23/96
![Page 74: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/74.jpg)
Exam Machine (2)
MACHINE ExamAbstractVARIABLES passed failed . . .
EVENTSINITIALISATION =
failed := ∅passed := ∅
PASSEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade ≤ 4THEN passed := passed ∪ {s}
FAILEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade > 4THEN failed := failed ∪ {s}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 23/96
![Page 75: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/75.jpg)
Exam Machine (2)
MACHINE ExamAbstractVARIABLES passed failed . . .
EVENTSINITIALISATION =
failed := ∅passed := ∅
PASSEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade ≤ 4THEN passed := passed ∪ {s}
FAILEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade > 4THEN failed := failed ∪ {s}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 23/96
![Page 76: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/76.jpg)
Invariant violated
MACHINE ExamAbstractVARIABLES passed failedINVARIANTS passed ∩ failed = ∅ . . .
EVENTSPASSEXAM =
ANY s gradeWHERE s ∈ STUDENT ∧ grade ≤ 4THEN passed := passed ∪ {s}
FAILEXAM =ANY s gradeWHERE s ∈ STUDENT ∧ grade > 4THEN failed := failed ∪ {s}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 24/96
![Page 77: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/77.jpg)
Invariant violated
MACHINE ExamAbstractVARIABLES passed failedINVARIANTS passed ∩ failed = ∅ . . .
EVENTSPASSEXAM =
ANY s gradeWHERE s ∈ STUDENT \ (failed ∪ passed) ∧ grade ≤ 4THEN passed := passed ∪ {s}
FAILEXAM =ANY s gradeWHERE s ∈ STUDENT \ (failed ∪ passed) ∧ grade > 4THEN failed := failed ∪ {s}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 24/96
![Page 78: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/78.jpg)
Underspecified model
EVENTSPASSEXAM =
ANY s grade WHERE grade ≤ 4 ∧ s ∈ . . .THEN passed := passed ∪ {s}
FAILEXAM =ANY s grade WHERE grade > 4 ∧ s ∈ . . .THEN failed := failed ∪ {s}
ATTEMPTEXAM =ANY s grade WHERE grade ∈ N ∧ s ∈ . . .THEN skip
Additional requirementR4 Any student may attempt the exam three times and
ultimately fails if the fourth attempt is unsuccessful.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 25/96
![Page 79: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/79.jpg)
Underspecified model
EVENTSPASSEXAM =
ANY s grade WHERE grade ≤ 4 ∧ s ∈ . . .THEN passed := passed ∪ {s}
FAILEXAM =ANY s grade WHERE grade > 4 ∧ s ∈ . . .THEN failed := failed ∪ {s}
ATTEMPTEXAM =ANY s grade WHERE grade ∈ N ∧ s ∈ . . .THEN skip
Additional requirementR4 Any student may attempt the exam three times and
ultimately fails if the fourth attempt is unsuccessful.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 25/96
![Page 80: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/80.jpg)
Refinement Exams (1)
MACHINE RefinedExams REFINES ExamsAbstract
VARIABLES passed attemptsINVARIANTS
attempts ∈ STUDENT → N // typing for attemptsfailed = {s · attempts(s) = 4} // coupling invariant
EVENTSINITIALISATION = REFINES INITIALISATION
passed := ∅attempts := {s · s ∈ STUDENT | (s 7�0)}
EXAMULTIMATEFAIL = REFINES EXAMFAIL . . .EXAMMISSED = REFINES EXAMATTEMPT . . .EXAMPASSED = REFINES EXAMPASSED . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 26/96
![Page 81: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/81.jpg)
Refinement Exams (1)
MACHINE RefinedExams REFINES ExamsAbstractVARIABLES passed attempts
INVARIANTSattempts ∈ STUDENT → N // typing for attemptsfailed = {s · attempts(s) = 4} // coupling invariant
EVENTSINITIALISATION = REFINES INITIALISATION
passed := ∅attempts := {s · s ∈ STUDENT | (s 7�0)}
EXAMULTIMATEFAIL = REFINES EXAMFAIL . . .EXAMMISSED = REFINES EXAMATTEMPT . . .EXAMPASSED = REFINES EXAMPASSED . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 26/96
![Page 82: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/82.jpg)
Refinement Exams (1)
MACHINE RefinedExams REFINES ExamsAbstractVARIABLES passed attemptsINVARIANTS
attempts ∈ STUDENT → N // typing for attemptsfailed = {s · attempts(s) = 4} // coupling invariant
EVENTSINITIALISATION = REFINES INITIALISATION
passed := ∅attempts := {s · s ∈ STUDENT | (s 7�0)}
EXAMULTIMATEFAIL = REFINES EXAMFAIL . . .EXAMMISSED = REFINES EXAMATTEMPT . . .EXAMPASSED = REFINES EXAMPASSED . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 26/96
![Page 83: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/83.jpg)
Refinement Exams (1)
MACHINE RefinedExams REFINES ExamsAbstractVARIABLES passed attemptsINVARIANTS
attempts ∈ STUDENT → N // typing for attemptsfailed = {s · attempts(s) = 4} // coupling invariant
EVENTSINITIALISATION = REFINES INITIALISATION
passed := ∅attempts := {s · s ∈ STUDENT | (s 7�0)}
EXAMULTIMATEFAIL = REFINES EXAMFAIL . . .EXAMMISSED = REFINES EXAMATTEMPT . . .EXAMPASSED = REFINES EXAMPASSED . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 26/96
![Page 84: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/84.jpg)
Refinement Exams (1)
MACHINE RefinedExams REFINES ExamsAbstractVARIABLES passed attemptsINVARIANTS
attempts ∈ STUDENT → N // typing for attemptsfailed = {s · attempts(s) = 4} // coupling invariant
EVENTSINITIALISATION = REFINES INITIALISATION
passed := ∅attempts := {s · s ∈ STUDENT | (s 7�0)}
EXAMULTIMATEFAIL = REFINES EXAMFAIL . . .EXAMMISSED = REFINES EXAMATTEMPT . . .EXAMPASSED = REFINES EXAMPASSED . . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 26/96
![Page 85: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/85.jpg)
Refinement Exams (2)
. . .EVENTS
EXAMULTIMATEFAIL = REFINES EXAMFAIL
ANY s gradeWHERE ... ∧ grade > 4 ∧ attempts(s) = 3THEN
attempts(s) := attempts(s) + 1
EXAMMISSED = REFINES EXAMATTEMPT
ANY s gradeWHERE ... ∧ grade > 4 ∧ attempts(s) < 3THEN
attempts(s) := attempts(s) + 1. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 27/96
![Page 86: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/86.jpg)
Refinement Exams (3)
This refinment takes now also R4 into account.
Refinement preserves invariants! Every possible event of RefinedExams is a possible event
in ExamsAbstract⇒ Every invariant of ExamsAbstract is also an invariant of
RefinedExams
We will come back to this more formally ...
Beckert, Ulbrich – Applications of Formal Verification SS 2019 28/96
![Page 87: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/87.jpg)
Set Theory –Equipment for formal modelling
Beckert, Ulbrich – Applications of Formal Verification SS 2019 29/96
![Page 88: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/88.jpg)
Set theory – a universal modellinglanguage
Not only used in Event-B.
Set theory also used for modelling in ...ZObject-Z, Z++(classical) BEvent-BAlloy. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 30/96
![Page 89: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/89.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
Every term in Event-B has a unqiue type.
Types are part of the syntax of Event-B and some expressionsare syntactically forbidden:
maths ∈ failed is syntactially invalid.
(remember: math ∈ SUBJECT , failed ⊆ STUDENT )
“You can’t compare apples and oranges.”
Beckert, Ulbrich – Applications of Formal Verification SS 2019 31/96
![Page 90: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/90.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
sets are objects in the logic
first order axioms define the semantics of sets
quantification over sets is allowed
quantification over predicates, functions is not allowed
(Foundation is a typed Zermelo-Fraenkel axiomatisation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 32/96
![Page 91: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/91.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
sets are objects in the logic
first order axioms define the semantics of sets
quantification over sets is allowed
quantification over predicates, functions is not allowed
(Foundation is a typed Zermelo-Fraenkel axiomatisation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 32/96
![Page 92: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/92.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
sets are objects in the logic
first order axioms define the semantics of sets
quantification over sets is allowed
quantification over predicates, functions is not allowed
(Foundation is a typed Zermelo-Fraenkel axiomatisation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 32/96
![Page 93: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/93.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
sets are objects in the logic
first order axioms define the semantics of sets
quantification over sets is allowed
quantification over predicates, functions is not allowed
(Foundation is a typed Zermelo-Fraenkel axiomatisation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 32/96
![Page 94: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/94.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
sets are objects in the logic
first order axioms define the semantics of sets
quantification over sets is allowed
quantification over predicates, functions is not allowed
(Foundation is a typed Zermelo-Fraenkel axiomatisation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 32/96
![Page 95: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/95.jpg)
Set Theory
Formal language in Event-B modelsTyped First Order Set Theory with Additional Theories
There are additional theories with fixed semanticsintegers
more theories (datatypes) can be added by user(an extension to the system)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 33/96
![Page 96: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/96.jpg)
Types
1 BOOL and Z are types
2 Every carrier set declared in a CONTEXT is a type.
3 If T is a type then P(T ) is a type.Semantics: P(T ) is the set of all subsets of T (powerset).
4 If T1,T2 are types then T1 × T2 is a type.Semantics: T1 × T2 is the set of all ordered pairs (a,b) witha ∈ T1 and b ∈ T2 (Cartesian produt).
Every expression E has a unqiue type τ(E).
Beckert, Ulbrich – Applications of Formal Verification SS 2019 34/96
![Page 97: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/97.jpg)
Types
1 BOOL and Z are types
2 Every carrier set declared in a CONTEXT is a type.
3 If T is a type then P(T ) is a type.Semantics: P(T ) is the set of all subsets of T (powerset).
4 If T1,T2 are types then T1 × T2 is a type.Semantics: T1 × T2 is the set of all ordered pairs (a,b) witha ∈ T1 and b ∈ T2 (Cartesian produt).
Every expression E has a unqiue type τ(E).
Beckert, Ulbrich – Applications of Formal Verification SS 2019 34/96
![Page 98: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/98.jpg)
Types
1 BOOL and Z are types
2 Every carrier set declared in a CONTEXT is a type.
3 If T is a type then P(T ) is a type.Semantics: P(T ) is the set of all subsets of T (powerset).
4 If T1,T2 are types then T1 × T2 is a type.Semantics: T1 × T2 is the set of all ordered pairs (a,b) witha ∈ T1 and b ∈ T2 (Cartesian produt).
Every expression E has a unqiue type τ(E).
Beckert, Ulbrich – Applications of Formal Verification SS 2019 34/96
![Page 99: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/99.jpg)
Types
1 BOOL and Z are types
2 Every carrier set declared in a CONTEXT is a type.
3 If T is a type then P(T ) is a type.Semantics: P(T ) is the set of all subsets of T (powerset).
4 If T1,T2 are types then T1 × T2 is a type.Semantics: T1 × T2 is the set of all ordered pairs (a,b) witha ∈ T1 and b ∈ T2 (Cartesian produt).
Every expression E has a unqiue type τ(E).
Beckert, Ulbrich – Applications of Formal Verification SS 2019 34/96
![Page 100: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/100.jpg)
Types
1 BOOL and Z are types
2 Every carrier set declared in a CONTEXT is a type.
3 If T is a type then P(T ) is a type.Semantics: P(T ) is the set of all subsets of T (powerset).
4 If T1,T2 are types then T1 × T2 is a type.Semantics: T1 × T2 is the set of all ordered pairs (a,b) witha ∈ T1 and b ∈ T2 (Cartesian produt).
Every expression E has a unqiue type τ(E).
Beckert, Ulbrich – Applications of Formal Verification SS 2019 34/96
![Page 101: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/101.jpg)
Types (2)
Set theory needs not be typed: Everything can be viewed a set.
Reasons to introduce types:some specification errors may be detected as syntax errors(even before the verification has started)
avoid Russell’s paradox
Russell’s paradoxAssume that the expression {s | φ} for any formula φ denotes aset. Let R := {s | s 6∈ s}.One observes: R ∈ R ⇐⇒ R 6∈ R (This crushed naive set theory in early 1900s.)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 35/96
![Page 102: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/102.jpg)
Types (2)
Set theory needs not be typed: Everything can be viewed a set.
Reasons to introduce types:some specification errors may be detected as syntax errors(even before the verification has started)
avoid Russell’s paradox
Russell’s paradoxAssume that the expression {s | φ} for any formula φ denotes aset. Let R := {s | s 6∈ s}.
One observes: R ∈ R ⇐⇒ R 6∈ R (This crushed naive set theory in early 1900s.)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 35/96
![Page 103: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/103.jpg)
Types (2)
Set theory needs not be typed: Everything can be viewed a set.
Reasons to introduce types:some specification errors may be detected as syntax errors(even before the verification has started)
avoid Russell’s paradox
Russell’s paradoxAssume that the expression {s | φ} for any formula φ denotes aset. Let R := {s | s 6∈ s}.One observes: R ∈ R ⇐⇒ R 6∈ R
(This crushed naive set theory in early 1900s.)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 35/96
![Page 104: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/104.jpg)
Types (2)
Set theory needs not be typed: Everything can be viewed a set.
Reasons to introduce types:some specification errors may be detected as syntax errors(even before the verification has started)
avoid Russell’s paradox
Russell’s paradoxAssume that the expression {s | φ} for any formula φ denotes aset. Let R := {s | s 6∈ s}. Not allowed with types.One observes: R ∈ R ⇐⇒ R 6∈ R (This crushed naive set theory in early 1900s.)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 35/96
![Page 105: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/105.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 106: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/106.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)
carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 107: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/107.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 108: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/108.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)
product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 109: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/109.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)
set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 110: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/110.jpg)
Sets
Constructors for sets:empty set ∅ : P(S)
set extension { . . . } : S∗ → P(S)example: {1,2} : P(Z)carrier sets C : P(C)example: STUDENT : P(STUDENT )
powerset P(·) : P(S)→ P(P(S))example: P({1,2}) = {∅, {1}, {2}, {1,2}} : P(Z)product · × · : P(S)× P(T )→ P(S × T )example: BOOL× {1} = {{true,1}, {false,1}} : P(BOOL× Z)set comprehension {x · ϕ | e}formula ϕ, term e : T , result of type P(T )example: {x · x ≥ 2 | x ∗ x} = {4,9,16, . . .}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 36/96
![Page 111: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/111.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 112: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/112.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 113: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/113.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 114: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/114.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 115: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/115.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 116: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/116.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1
if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2
if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 117: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/117.jpg)
Relations
Relations are sets of pairs (tuples).
All relations: E1↔ E2 := P(E1 × E2)
Pairs (E1 7�E2) : τ(E1)× τ(E2)
Domain of a relation dom(R)dom(R) = {x , y · (x 7� y) ∈ R | x}example: dom(E1 × E2) = E1 if E2 6= ∅
Range of a relation ran(R)ran(R) = {x , y · (x 7� y) ∈ R | y}example: ran(E1 × E2) = E2 if E1 6= ∅
can be nested: (E1↔ E2)↔ E3 for a ternary relation etc.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 37/96
![Page 118: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/118.jpg)
Kinds of relations
All relations E1↔ E2 R
dom ran
All surjections E1↔→ E2 (ran(R) = E2) R
dom ran
All total relations E1←↔ E2 (dom(R) = E1) R
dom ran
All total surjections E1↔↔ E2
Beckert, Ulbrich – Applications of Formal Verification SS 2019 38/96
![Page 119: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/119.jpg)
Kinds of relations
All relations E1↔ E2 R
dom ran
All surjections E1↔→ E2 (ran(R) = E2) R
dom ran
All total relations E1←↔ E2 (dom(R) = E1) R
dom ran
All total surjections E1↔↔ E2
Beckert, Ulbrich – Applications of Formal Verification SS 2019 38/96
![Page 120: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/120.jpg)
Kinds of relations
All relations E1↔ E2 R
dom ran
All surjections E1↔→ E2 (ran(R) = E2) R
dom ran
All total relations E1←↔ E2 (dom(R) = E1) R
dom ran
All total surjections E1↔↔ E2
Beckert, Ulbrich – Applications of Formal Verification SS 2019 38/96
![Page 121: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/121.jpg)
Kinds of relations
All relations E1↔ E2 R
dom ran
All surjections E1↔→ E2 (ran(R) = E2) R
dom ran
All total relations E1←↔ E2 (dom(R) = E1) R
dom ran
All total surjections E1↔↔ E2
Beckert, Ulbrich – Applications of Formal Verification SS 2019 38/96
![Page 122: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/122.jpg)
Functional relationsObservationEvery function f ∈ A→ B can be understood as the relation
{x · x ∈ A | x 7� f (x) } ∈ A↔ B
Partial functions E1 7→ E2 ⊆ E1↔ E2(∀x , y , z · x 7� y ∈ R ∧ x 7� z ∈ R ⇒ y = z) (∗)
R
dom ran
Total functions E1→ E2E1→ E2 = (E1 7→ E2) ∩ (E1←↔ E2)(both partial function and total relation)
R
dom ran
Injections E1 7� E2(∗) ∧ (∀x , y , z · x 7� z ∈ R ∧ y 7� z ∈ R ⇒ x = y )
R
dom ran
Beckert, Ulbrich – Applications of Formal Verification SS 2019 39/96
![Page 123: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/123.jpg)
Functional relationsObservationEvery function f ∈ A→ B can be understood as the relation
{x · x ∈ A | x 7� f (x) } ∈ A↔ B
Partial functions E1 7→ E2 ⊆ E1↔ E2(∀x , y , z · x 7� y ∈ R ∧ x 7� z ∈ R ⇒ y = z) (∗)
R
dom ran
Total functions E1→ E2E1→ E2 = (E1 7→ E2) ∩ (E1←↔ E2)(both partial function and total relation)
R
dom ran
Injections E1 7� E2(∗) ∧ (∀x , y , z · x 7� z ∈ R ∧ y 7� z ∈ R ⇒ x = y )
R
dom ran
Beckert, Ulbrich – Applications of Formal Verification SS 2019 39/96
![Page 124: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/124.jpg)
Functional relationsObservationEvery function f ∈ A→ B can be understood as the relation
{x · x ∈ A | x 7� f (x) } ∈ A↔ B
Partial functions E1 7→ E2 ⊆ E1↔ E2(∀x , y , z · x 7� y ∈ R ∧ x 7� z ∈ R ⇒ y = z) (∗)
R
dom ran
Total functions E1→ E2E1→ E2 = (E1 7→ E2) ∩ (E1←↔ E2)(both partial function and total relation)
R
dom ran
Injections E1 7� E2(∗) ∧ (∀x , y , z · x 7� z ∈ R ∧ y 7� z ∈ R ⇒ x = y )
R
dom ran
Beckert, Ulbrich – Applications of Formal Verification SS 2019 39/96
![Page 125: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/125.jpg)
Functional relations (2)
Intersection of relation classes give new classes:
Total injections E1� E2 = (E1→ E2) ∩ (E1 7� E2)
Partial surjections E1 7� E2 = (E1 7→ E2) ∩ (E1↔→ E2)
Total surjections E1� E2 = (E1→ E2) ∩ (E1 7� E2)
Bijections E1�� E2 = (E1� E2) ∩ (E1� E2)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 40/96
![Page 126: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/126.jpg)
Example: File system
CONTEXT FileSystemCtx
SETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 127: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/127.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECT
CONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 128: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/128.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 129: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/129.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parent
INVARIANTStree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 130: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/130.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)
//most directories (but root) have a parent directory :parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 131: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/131.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs
//more preciseparent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 132: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/132.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,parentINVARIANTS
tree ∈ dirs↔ (files ∪ dirs)//most directories (but root) have a parent directory :
parent ∈ dirs 7→ dirs//more precise
parent ∈ (dirs \ {root})→ dirs
Beckert, Ulbrich – Applications of Formal Verification SS 2019 41/96
![Page 133: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/133.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
R
dom ran
A R[A]
BR[B]=∅
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?Solution: Well-definedness needs to be proved
1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 134: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/134.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
R
dom ran
A R[A]
BR[B]=∅
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?Solution: Well-definedness needs to be proved
1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 135: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/135.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
R
dom ran
A R[A]
BR[B]=∅
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?Solution: Well-definedness needs to be proved
1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 136: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/136.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?Solution: Well-definedness needs to be proved
1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 137: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/137.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?
Solution: Well-definedness needs to be proved1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 138: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/138.jpg)
Relational operations
Relational application ·[·] : P(S × T )× P(S)→ P(T )R[A] = {x , y · x 7� y ∈ R ∧ x ∈ A | y}
Functional application ·(·) : P(S × T )× S → T
x = f (e) ⇐⇒ e 7� x ∈ f{
f (e)}= f[{e}]
Problem: What if f [{e}] is not a one-element set?Solution: Well-definedness needs to be proved
1 f ∈ S 7→ T (not an arbitrary relation in S↔ T )2 e ∈ dom(f )
everytime a functional application is used.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 42/96
![Page 139: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/139.jpg)
RestrictionsConceptLimit the domain or range of a relation to a subset.
AC− R
AC RA
R
dom ran
AC R := {x , y · x 7� y ∈ R ∧ x ∈ A | x 7� y} ⊆ RAC− R := {x , y · x 7� y ∈ R ∧ x 6∈ A | x 7� y} ⊆ R
R B B := {x , y · x 7� y ∈ R ∧ y ∈ B | x 7� y} ⊆ RR B− B := {x , y · x 7� y ∈ R ∧ y 6∈ B | x 7� y} ⊆ R
Relational application: R[A] = ran(AC R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 43/96
![Page 140: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/140.jpg)
RestrictionsConceptLimit the domain or range of a relation to a subset.
AC− R
AC R
AR
dom ran
AC R := {x , y · x 7� y ∈ R ∧ x ∈ A | x 7� y} ⊆ RAC− R := {x , y · x 7� y ∈ R ∧ x 6∈ A | x 7� y} ⊆ R
R B B := {x , y · x 7� y ∈ R ∧ y ∈ B | x 7� y} ⊆ RR B− B := {x , y · x 7� y ∈ R ∧ y 6∈ B | x 7� y} ⊆ R
Relational application: R[A] = ran(AC R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 43/96
![Page 141: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/141.jpg)
RestrictionsConceptLimit the domain or range of a relation to a subset.
AC− R
AC RAR
dom ran
AC R := {x , y · x 7� y ∈ R ∧ x ∈ A | x 7� y} ⊆ RAC− R := {x , y · x 7� y ∈ R ∧ x 6∈ A | x 7� y} ⊆ R
R B B := {x , y · x 7� y ∈ R ∧ y ∈ B | x 7� y} ⊆ RR B− B := {x , y · x 7� y ∈ R ∧ y 6∈ B | x 7� y} ⊆ R
Relational application: R[A] = ran(AC R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 43/96
![Page 142: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/142.jpg)
RestrictionsConceptLimit the domain or range of a relation to a subset.
AC− R
AC RAR
dom ran
AC R := {x , y · x 7� y ∈ R ∧ x ∈ A | x 7� y} ⊆ RAC− R := {x , y · x 7� y ∈ R ∧ x 6∈ A | x 7� y} ⊆ R
R B B := {x , y · x 7� y ∈ R ∧ y ∈ B | x 7� y} ⊆ RR B− B := {x , y · x 7� y ∈ R ∧ y 6∈ B | x 7� y} ⊆ R
Relational application: R[A] = ran(AC R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 43/96
![Page 143: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/143.jpg)
RestrictionsConceptLimit the domain or range of a relation to a subset.
AC− R
AC RAR
dom ran
AC R := {x , y · x 7� y ∈ R ∧ x ∈ A | x 7� y} ⊆ RAC− R := {x , y · x 7� y ∈ R ∧ x 6∈ A | x 7� y} ⊆ R
R B B := {x , y · x 7� y ∈ R ∧ y ∈ B | x 7� y} ⊆ RR B− B := {x , y · x 7� y ∈ R ∧ y 6∈ B | x 7� y} ⊆ R
Relational application: R[A] = ran(AC R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 43/96
![Page 144: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/144.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.
Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ Bf C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbolsSyntax sometimes ⊕ instead of C−Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 145: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/145.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ B
f C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbolsSyntax sometimes ⊕ instead of C−Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 146: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/146.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ Bf C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbolsSyntax sometimes ⊕ instead of C−Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 147: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/147.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ Bf C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbols
Syntax sometimes ⊕ instead of C−Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 148: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/148.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ Bf C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbolsSyntax sometimes ⊕ instead of C−
Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 149: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/149.jpg)
Override
R C− S := ((dom S)C− R) ∪ S
x 7� y ∈ R C− S ⇐⇒
{x 7� y ∈ S if x ∈ dom(S)
x 7� y ∈ R if x 6∈ dom(S)
“Clear” dom(S) in R and “replace” by S.Special case: f ∈ A→ B,g ∈ A 7→B implies f C− g ∈ A→ Bf C− {x 7� y} updates function f in one place x
Caution: C− and C− are different symbolsSyntax sometimes ⊕ instead of C−Compare Updates in Dynamic Logic for KeY.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 44/96
![Page 150: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/150.jpg)
Forward composition
x 7� y ∈ R ; S ⇐⇒ ∃z · x 7� z ∈ R ∧ z 7� y ∈ S
x 7� y is in the composition R ; S if there is a transmittingelement z with both x 7� z ∈ R and z 7� y ∈ S.
xz
y
R ; S
R S
(There is also backward composition R ◦ S = S ; R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 45/96
![Page 151: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/151.jpg)
Forward composition
x 7� y ∈ R ; S ⇐⇒ ∃z · x 7� z ∈ R ∧ z 7� y ∈ S
x 7� y is in the composition R ; S if there is a transmittingelement z with both x 7� z ∈ R and z 7� y ∈ S.
xz
yR ; S
R S
(There is also backward composition R ◦ S = S ; R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 45/96
![Page 152: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/152.jpg)
Forward composition
x 7� y ∈ R ; S ⇐⇒ ∃z · x 7� z ∈ R ∧ z 7� y ∈ S
x 7� y is in the composition R ; S if there is a transmittingelement z with both x 7� z ∈ R and z 7� y ∈ S.
xz
yR ; S
R S
(There is also backward composition R ◦ S = S ; R)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 45/96
![Page 153: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/153.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,depthINVARIANTS
tree ∈ dirs↔ (files ∪ dirs) ∧ depth ∈ dirs → N ∧
∀d ·((depth(d) > 0⇒ depth[tree[{d}]] = {depth(d)− 1})
∧ (depth(d) = 0⇒ {d}C tree B− files = ∅))
Beckert, Ulbrich – Applications of Formal Verification SS 2019 46/96
![Page 154: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/154.jpg)
Example: File system
CONTEXT FileSystemCtxSETS OBJECTCONSTANTS files,dirs, rootAXIOMS files ⊆ OBJECT ,dirs ⊆ OBJECT ,
root ∈ dirs, files ∩ dirs = ∅
MACHINE FileSystem SEES FileSystemCtxVARIABLES tree,depthINVARIANTS
tree ∈ dirs↔ (files ∪ dirs) ∧ depth ∈ dirs → N ∧∀d ·
((depth(d) > 0⇒ depth[tree[{d}]] = {depth(d)− 1})
∧ (depth(d) = 0⇒ {d}C tree B− files = ∅))
Beckert, Ulbrich – Applications of Formal Verification SS 2019 46/96
![Page 155: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/155.jpg)
Event-B –Events
Beckert, Ulbrich – Applications of Formal Verification SS 2019 47/96
![Page 156: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/156.jpg)
Machine (systematic)
MACHINE name
SEES context
VARIABLES vars
INVARIANTS inv(vars)
EVENTS. . .
END
The symbols in context can be used in inv even if notmentioned explicitly.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 48/96
![Page 157: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/157.jpg)
Events
EVENT M
// the following are the parameters,// the input signals, nondeterministic choices
ANY prms
// the preconditions, conditions on the input valuesWHERE guard(vars,prms)
// evolution of the program variables when the event “fires”THEN
actionsEND
There is one more contruct (WITH) that we omit here.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 49/96
![Page 158: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/158.jpg)
Actions (Generalised Substitutions)
Deterministic actions“Assignment” x := tVariable x and term t must have same type (τ(t) = τ(x))After event, x has value of expression t
Example:
THENx := yy := x
END // swaps values of variables x , y .
Unmentioned variable z does not change.
Remember the updates in KeY: {x := y‖y := x} has same effects.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 50/96
![Page 159: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/159.jpg)
Actions (Generalised Substitutions)
Deterministic actions“Assignment” x := tVariable x and term t must have same type (τ(t) = τ(x))After event, x has value of expression t
Example:
THENx := yy := x
END // swaps values of variables x , y .
Unmentioned variable z does not change.
Remember the updates in KeY: {x := y‖y := x} has same effects.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 50/96
![Page 160: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/160.jpg)
Actions (Generalised Substitutions)
Deterministic actions“Assignment” x := tVariable x and term t must have same type (τ(t) = τ(x))After event, x has value of expression t
Example:
THENx := yy := x
END // swaps values of variables x , y .
Unmentioned variable z does not change.
Remember the updates in KeY: {x := y‖y := x} has same effects.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 50/96
![Page 161: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/161.jpg)
Actions (Generalised Substitutions)
Deterministic actions“Assignment” x := tVariable x and term t must have same type (τ(t) = τ(x))After event, x has value of expression t
Example:
THENx := yy := x
END // swaps values of variables x , y .
Unmentioned variable z does not change.
Remember the updates in KeY: {x := y‖y := x} has same effects.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 50/96
![Page 162: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/162.jpg)
Actions (Generalised Substitutions)
Deterministic actions“Assignment” x := tVariable x and term t must have same type (τ(t) = τ(x))After event, x has value of expression t
Example:
THENx := yy := x
END // swaps values of variables x , y .
Unmentioned variable z does not change.
Remember the updates in KeY: {x := y‖y := x} has same effects.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 50/96
![Page 163: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/163.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 164: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/164.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 165: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/165.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 166: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/166.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 167: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/167.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 168: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/168.jpg)
Actions (Generalised Substitutions)
Nondeterministic actionsx :| ϕ means “choose x such that ϕ”
Actions can have more than one resolutionϕ is called the before-after-predicate (BAP)variables without tick: before-statevariables with tick: after-state.
Example:
x , y :| x ′ = y ′ ∧ y ′ > y
After the action x and y are equal and y is strictly greater thanbefore the action.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 51/96
![Page 169: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/169.jpg)
Actions (Generalised Substitutions)
Normal formEvery action can be defined as a before-after-predicate
bap(vars, vars′,prms)
with1 vars the machines variables before the action2 vars′ the machine variables after the action3 prms the parameters of the event
x := t is short for x :| x ′ = tx :∈ S is short for x :| x ′ ∈ S
Beckert, Ulbrich – Applications of Formal Verification SS 2019 52/96
![Page 170: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/170.jpg)
Initialisation
Values of the machine in the beginning?
Initial values defined by the special event INITIALISATION.
before-after-predicate bapinit and guard grdinit must notrefer to vars,there is no “before-state”.
After the first state, only normal events trigger.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 53/96
![Page 171: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/171.jpg)
Initialisation
Values of the machine in the beginning?
Initial values defined by the special event INITIALISATION.
before-after-predicate bapinit and guard grdinit must notrefer to vars,there is no “before-state”.
After the first state, only normal events trigger.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 53/96
![Page 172: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/172.jpg)
Initialisation
Values of the machine in the beginning?
Initial values defined by the special event INITIALISATION.
before-after-predicate bapinit and guard grdinit must notrefer to vars,there is no “before-state”.
After the first state, only normal events trigger.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 53/96
![Page 173: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/173.jpg)
Initialisation
Values of the machine in the beginning?
Initial values defined by the special event INITIALISATION.
before-after-predicate bapinit and guard grdinit must notrefer to vars,there is no “before-state”.
After the first state, only normal events trigger.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 53/96
![Page 174: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/174.jpg)
Machine Semantics
Machine variables vars := v1, ..., vk with types T = T1× ...× Tk .
A state σ ∈ T is a vector, variable assignment.
A trace is a sequence of states σ0, σ1, . . . such that
first state σ0 is result of the initialisation eventevery state σi results from an event which operates on σi−1(for every i > 0).
σ0 σ1 σ2 σ3 σ4
init evt1 evt2 evt3 evt4 evt5. . .
The semantics of a machine M is the set of all traces possiblefor M.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 54/96
![Page 175: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/175.jpg)
Event Parameters
Sources for indeterminismindeterministic choices in bap’s (cf. :∈, :|)event parameters
Event parameter may model:content of messages passed aroundindeterministic user inputunpredictable environment actionsa number, amount of data to operate with. . .
Technically event parameters can be removed and replaced byexistential quantifiers.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 55/96
![Page 176: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/176.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 177: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/177.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ T
with
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 178: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/178.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 179: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/179.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 180: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/180.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 181: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/181.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 182: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/182.jpg)
Semantics (more formally)
State space: T = T1 × . . .× Tk
Trace: t ∈ N→ Twith
∃prmsinit · grdinit(prmsinit) ∧ bapinit(t(0),prmsinit)
For n ∈ N1, there is e ∈ EVENTS such that∃prmse · grde(t(i − 1),prmse) ∧ bape(t(i − 1), t(i),prmse)
Partial, finite trace trace: t ∈ 0..n→ T
Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 56/96
![Page 183: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/183.jpg)
Invariants
SAFETY: Do all states reachable by M satisfy inv?
bad state
All states Tinv
The red trace violates the invariant in two states.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 57/96
![Page 184: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/184.jpg)
Proof Obligation INV
To show that inv(vars) is an invariant for machine M,one proves for every event:
InvariantsGuards of the eventBefore-after-predicate of the thevent
⇒modified invariant
Beckert, Ulbrich – Applications of Formal Verification SS 2019 58/96
![Page 185: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/185.jpg)
Proof Obligation INV
To show that inv(vars) is an invariant for machine M,one proves:
1 ∀prms, vars′·grdinit(prms) ∧ bapinit(vars′,prms)→ inv(vars′)
(Invariant initally valid)
2 ∀prms, vars, vars′·inv(vars) ∧ grde(vars,prms) ∧
bape(vars, vars′,prms)→ inv(vars′)for every event e in M.(Events preserve invariant)
Note: Proof Obligation INV is a sufficient criterion, but notnecessary. Necessary for inductive invariants.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 59/96
![Page 186: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/186.jpg)
Proof Obligation INV
To show that inv(vars) is an invariant for machine M,one proves:
1 ∀prms, vars′·grdinit(prms) ∧ bapinit(vars′,prms)→ inv(vars′)
(Invariant initally valid)
2 ∀prms, vars, vars′·inv(vars) ∧ grde(vars,prms) ∧
bape(vars, vars′,prms)→ inv(vars′)for every event e in M.(Events preserve invariant)
Note: Proof Obligation INV is a sufficient criterion, but notnecessary. Necessary for inductive invariants.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 59/96
![Page 187: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/187.jpg)
Proof Obligation INV
To show that inv(vars) is an invariant for machine M,one proves:
1 ∀prms, vars′·grdinit ∧ bapinit → inv
(Invariant initally valid)
2 ∀prms, vars, vars′·inv ∧ grde ∧
bape → inv ′
for every event e in M.(Events preserve invariant)
Note: Proof Obligation INV is a sufficient criterion, but notnecessary. Necessary for inductive invariants.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 59/96
![Page 188: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/188.jpg)
Proof Obligation INV
To show that inv(vars) is an invariant for machine M,one proves:
1 ∀prms, vars′·grdinit ∧ bapinit → inv
(Invariant initally valid)
2 ∀prms, vars, vars′·inv ∧ grde ∧
bape → inv ′
for every event e in M.(Events preserve invariant)
Note: Proof Obligation INV is a sufficient criterion, but notnecessary. Necessary for inductive invariants.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 59/96
![Page 189: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/189.jpg)
Inductive Invariant
MACHINE IndInvVARIABLES x INVARIANTS x ∈ Z x ≥ 0EVENTS
INITIALISATION =x := 2
STEP =x := 2 ∗ (x − 1)
There is only one trace:
(2,2,2,2, . . .)
invariant is fulfilled.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 60/96
![Page 190: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/190.jpg)
Inductive Invariant – Won’t prove
Proof obligation INV for event STEP
inv(x) ∧ grd(x) ∧ bap(x , x ′) → inv(x ′)
x ≥ 0 ∧ x ′ = 2 ∗ (x − 1) → x ′ ≥ 0 This is not valid! Invariant is not inductive.
Counter-example: x = 0, x ′ = −2
All states Tinv
Reachable states
Beckert, Ulbrich – Applications of Formal Verification SS 2019 61/96
![Page 191: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/191.jpg)
Inductive Invariant – Won’t prove
Proof obligation INV for event STEP
inv(x) ∧ grd(x) ∧ bap(x , x ′) → inv(x ′)x ≥ 0 ∧ x ′ = 2 ∗ (x − 1) → x ′ ≥ 0
This is not valid! Invariant is not inductive. Counter-example: x = 0, x ′ = −2
All states Tinv
Reachable states
Beckert, Ulbrich – Applications of Formal Verification SS 2019 61/96
![Page 192: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/192.jpg)
Inductive Invariant – Won’t prove
Proof obligation INV for event STEP
inv(x) ∧ grd(x) ∧ bap(x , x ′) → inv(x ′)x ≥ 0 ∧ x ′ = 2 ∗ (x − 1) → x ′ ≥ 0
This is not valid! Invariant is not inductive. Counter-example: x = 0, x ′ = −2
All states Tinv
Reachable states
Beckert, Ulbrich – Applications of Formal Verification SS 2019 61/96
![Page 193: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/193.jpg)
Inductive Invariant – Won’t prove
Proof obligation INV for event STEP
inv(x) ∧ grd(x) ∧ bap(x , x ′) → inv(x ′)x ≥ 0 ∧ x ′ = 2 ∗ (x − 1) → x ′ ≥ 0
This is not valid! Invariant is not inductive. Counter-example: x = 0, x ′ = −2
All states Tinv
Reachable states
Beckert, Ulbrich – Applications of Formal Verification SS 2019 61/96
![Page 194: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/194.jpg)
Feasibility Proof Obligation FIS
Show that every action is feasible if the guard is true:
InvariantsGuards of the event
⇒∃v ′ · before-after-predicate
Beckert, Ulbrich – Applications of Formal Verification SS 2019 62/96
![Page 195: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/195.jpg)
Feasibility Proof Obligation FIS
The action of an event is is possible if guard is true.
∀vars,prms · grde(vars,prms)→ ∃vars′ · bap(vars, vars′,prms)
Deterministic action: x := t. . . nothing to show
Indeterministic action: x :∈ S. . . show that S 6= ∅
Indeterministic action: x :| ϕ. . . show satisfiability of ϕ
Thus impossible evolutions like x :| false or x :∈ ∅ are avoided
Beckert, Ulbrich – Applications of Formal Verification SS 2019 63/96
![Page 196: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/196.jpg)
Deadlock Freedom DLKF
Recap:Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Proof ObligationThere is always an event that can trigger:
∀vars · inv(vars)⇒∨
event e∈M
∃prms · grde(vars,prms)
Again, this is sufficient not necessary.(The invariant may be too weak to imply deadlock freedom)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 64/96
![Page 197: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/197.jpg)
Deadlock Freedom DLKF
Recap:Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Proof ObligationThere is always an event that can trigger:
∀vars · inv(vars)⇒∨
event e∈M
∃prms · grde(vars,prms)
Again, this is sufficient not necessary.(The invariant may be too weak to imply deadlock freedom)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 64/96
![Page 198: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/198.jpg)
Deadlock Freedom DLKF
Recap:Deadlock: no event e can be triggered, i.e.∀prmse · ¬grde(t(n),prmse) for all events e.
Proof ObligationThere is always an event that can trigger:
∀vars · inv(vars)⇒∨
event e∈M
∃prms · grde(vars,prms)
Again, this is sufficient not necessary.(The invariant may be too weak to imply deadlock freedom)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 64/96
![Page 199: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/199.jpg)
Event-B –Refinement
Beckert, Ulbrich – Applications of Formal Verification SS 2019 65/96
![Page 200: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/200.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 201: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/201.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 202: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/202.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 203: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/203.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 204: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/204.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 205: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/205.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 206: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/206.jpg)
Refinement in Event-B
MACHINE AbstractVARIABLES xINVARIANTS x ≥ 0
EVENTS INCREASE =x :| x ′ ≥ x
MACHINE RefinedREFINES Abstract
VARIABLES x
EVENTS NEXTVAL =REFINES INCREASE
x := 5 ∗ x2 + 3 ∗ x
Beckert, Ulbrich – Applications of Formal Verification SS 2019 66/96
![Page 207: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/207.jpg)
Refining Machines
MACHINE Abstract
SEES ContextVARIABLES varsAINVARIANTS
invA(varsA)EVENTS
INITIALISATION = . . .EVTA = . . .
END
MACHINE RefinedREFINES Abstract
SEES ContextVARIABLES varsRINVARIANTS
invR(varsA, varsR)EVENTS
INITIALISATION = . . .EVTR =
REFINES EVTA . . .END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 67/96
![Page 208: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/208.jpg)
Machines as Relations
Every machine M defines:a state space SM spanned by the types of varsM
the initialisation IM ⊆ SM
the transition relations EM;evt ∈ SM ↔ SM (for event evt)
DetailsSM = τ(v1)× . . .× τ(vk ) (with varsM = v1, . . . , vk )
IM(p) = {s ∈ SM | grdinit(p) ∧ bapinit(s′,p)}IM =
⋃p
IM(p)
EM;evt(p) = {(s 7� s′) | grdevt(s,p) ∧ bapevt(s, s′,p)}EM;evt =
⋃p
EM;evt(p)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 68/96
![Page 209: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/209.jpg)
Machines as Relations
Every machine M defines:a state space SM spanned by the types of varsM
the initialisation IM ⊆ SM
the transition relations EM;evt ∈ SM ↔ SM (for event evt)
DetailsSM = τ(v1)× . . .× τ(vk ) (with varsM = v1, . . . , vk )
IM(p) = {s ∈ SM | grdinit(p) ∧ bapinit(s′,p)}
IM =⋃p
IM(p)
EM;evt(p) = {(s 7� s′) | grdevt(s,p) ∧ bapevt(s, s′,p)}EM;evt =
⋃p
EM;evt(p)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 68/96
![Page 210: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/210.jpg)
Machines as Relations
Every machine M defines:a state space SM spanned by the types of varsM
the initialisation IM ⊆ SM
the transition relations EM;evt ∈ SM ↔ SM (for event evt)
DetailsSM = τ(v1)× . . .× τ(vk ) (with varsM = v1, . . . , vk )
IM(p) = {s ∈ SM | grdinit(p) ∧ bapinit(s′,p)}IM =
⋃p
IM(p)
EM;evt(p) = {(s 7� s′) | grdevt(s,p) ∧ bapevt(s, s′,p)}EM;evt =
⋃p
EM;evt(p)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 68/96
![Page 211: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/211.jpg)
Machines as Relations
Every machine M defines:a state space SM spanned by the types of varsM
the initialisation IM ⊆ SM
the transition relations EM;evt ∈ SM ↔ SM (for event evt)
DetailsSM = τ(v1)× . . .× τ(vk ) (with varsM = v1, . . . , vk )
IM(p) = {s ∈ SM | grdinit(p) ∧ bapinit(s′,p)}IM =
⋃p
IM(p)
EM;evt(p) = {(s 7� s′) | grdevt(s,p) ∧ bapevt(s, s′,p)}
EM;evt =⋃p
EM;evt(p)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 68/96
![Page 212: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/212.jpg)
Machines as Relations
Every machine M defines:a state space SM spanned by the types of varsM
the initialisation IM ⊆ SM
the transition relations EM;evt ∈ SM ↔ SM (for event evt)
DetailsSM = τ(v1)× . . .× τ(vk ) (with varsM = v1, . . . , vk )
IM(p) = {s ∈ SM | grdinit(p) ∧ bapinit(s′,p)}IM =
⋃p
IM(p)
EM;evt(p) = {(s 7� s′) | grdevt(s,p) ∧ bapevt(s, s′,p)}EM;evt =
⋃p
EM;evt(p)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 68/96
![Page 213: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/213.jpg)
Simple Refinement – Definition
Every trace of the refined machine R isa trace of the abstract machine A.
Definition: Simple RefinementLet R,A be two machines with the same state space S.R is called a refinement of A if
1 IR ⊆ IA and
2 ER;evtR ⊆ EA;evtA for each event
(evtR is the event in R that refines event evtA from A)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 69/96
![Page 214: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/214.jpg)
Simple Refinement – Definition
Every trace of the refined machine R isa trace of the abstract machine A.
Definition: Simple RefinementLet R,A be two machines with the same state space S.R is called a refinement of A if
1 IR ⊆ IA and2 ER;evtR ⊆ EA;evtA for each event
(evtR is the event in R that refines event evtA from A)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 69/96
![Page 215: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/215.jpg)
Simple Refinement – Definition
Every trace of the refined machine R isa trace of the abstract machine A.
Definition: Simple RefinementLet R,A be two machines with the same state space S.R is called a refinement of A if
1 IR ⊆ IA and2 ER;evtR ⊆ EA;evtA for each event
(evtR is the event in R that refines event evtA from A)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 69/96
![Page 216: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/216.jpg)
Loss of behaviour
Why is this problematic?
MACHINE A . . .EVENTemergencyStop =WHERE true THEN heavyMachine := stopEND
refined by
MACHINE R . . .EVENTemergencyStop = REFINES emergencyStopWHERE false THEN heavyMachine := stopEND
ER;evt = ∅ =⇒ R refines A
Beckert, Ulbrich – Applications of Formal Verification SS 2019 70/96
![Page 217: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/217.jpg)
Loss of behaviour
Why is this problematic?
MACHINE A . . .EVENTemergencyStop =WHERE true THEN heavyMachine := stopEND
refined by
MACHINE R . . .EVENTemergencyStop = REFINES emergencyStopWHERE false THEN heavyMachine := stopEND
ER;evt = ∅ =⇒ R refines A
Beckert, Ulbrich – Applications of Formal Verification SS 2019 70/96
![Page 218: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/218.jpg)
Loss of behaviour
Why is this problematic?
MACHINE A . . .EVENTemergencyStop =WHERE true THEN heavyMachine := stopEND
refined by
MACHINE R . . .EVENTemergencyStop = REFINES emergencyStopWHERE false THEN heavyMachine := stopEND
ER;evt = ∅ =⇒ R refines A
Beckert, Ulbrich – Applications of Formal Verification SS 2019 70/96
![Page 219: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/219.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA2 IR 6= ∅3 ER;evtR ⊆ EA;evtA for each event4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 220: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/220.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA2 IR 6= ∅3 ER;evtR ⊆ EA;evtA for each event4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 221: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/221.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA
2 IR 6= ∅3 ER;evtR ⊆ EA;evtA for each event4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 222: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/222.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA2 IR 6= ∅
3 ER;evtR ⊆ EA;evtA for each event4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 223: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/223.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA2 IR 6= ∅3 ER;evtR ⊆ EA;evtA for each event
4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 224: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/224.jpg)
Loss of behaviour
Every trace for A has a refining trace for R.
More preciselyFor every trace in A with triggered events evtA,1,evtA,2, . . .,there is a trace in R with triggered events evtR,1,evtR,2, . . . andevtR;i refines evtA;i .
Definition: Lockfree RefinementLet R,A be two machines with the same state space S.R is called a lockfree refinement of A if
1 IR ⊆ IA2 IR 6= ∅3 ER;evtR ⊆ EA;evtA for each event4 dom(EA;evtA) ⊆ dom(ER;evtR ) for each event
Beckert, Ulbrich – Applications of Formal Verification SS 2019 71/96
![Page 225: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/225.jpg)
Coupling
More general notion of refinementWhat if abstract machine A and refinement R have differentstate spaces SA and SR?
Ü Couple abstract and refined state space.
C ∈ SR ↔ SA Coupling invariant / Gluing invariant
Example
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
C = {r 7�a | a = dom(r)} = {f ,m · (f 7�m) 7�m}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 72/96
![Page 226: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/226.jpg)
Coupling
More general notion of refinementWhat if abstract machine A and refinement R have differentstate spaces SA and SR?
Ü Couple abstract and refined state space.
C ∈ SR ↔ SA Coupling invariant / Gluing invariant
Example
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
C = {r 7�a | a = dom(r)} = {f ,m · (f 7�m) 7�m}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 72/96
![Page 227: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/227.jpg)
Coupling
More general notion of refinementWhat if abstract machine A and refinement R have differentstate spaces SA and SR?
Ü Couple abstract and refined state space.
C ∈ SR ↔ SA Coupling invariant / Gluing invariant
Example
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
C = {r 7�a | a = dom(r)} = {f ,m · (f 7�m) 7�m}
Beckert, Ulbrich – Applications of Formal Verification SS 2019 72/96
![Page 228: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/228.jpg)
Coupling
More general notion of refinementWhat if abstract machine A and refinement R have differentstate spaces SA and SR?
Ü Couple abstract and refined state space.
C ∈ SR ↔ SA Coupling invariant / Gluing invariant
Example
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
C = {r 7�a | a = dom(r)} = {f ,m · (f 7�m) 7�m}Beckert, Ulbrich – Applications of Formal Verification SS 2019 72/96
![Page 229: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/229.jpg)
Refinement – Coupling
Sensible to assume C a total relation:
C ∈ SR ←↔ SA
Often, coupling is a total function:
C ∈ SR → SA
Define one abstraction for any detailed state.BUT sometimes, several possible abstractions perconcrete state sensible.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 73/96
![Page 230: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/230.jpg)
Refinement – Coupled Traces
σ0 σ1 σ2 σ3 σ4initA evtA1 evtA2 evtA3 evtA4 evtA5
. . .
χ0 χ1 χ2 χ3 χ4initR evtR1 evtR2 evtR3 evtR4 evtR5
. . .
Refinement: R refines AFor every concrete trace (χ0, χ1, . . .) of R with events(evtR
1 ,evtR2 , ...) there exists an abstract trace (σ0, σ1, . . .) with
events (evtA1 ,evtA
2 , . . .) such that1 χi 7�σi ∈ C for all i ∈ N2 evtR
i refines event evtAi .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 74/96
![Page 231: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/231.jpg)
Refinement – Coupled Traces
σ0 σ1 σ2 σ3 σ4initA evtA1 evtA2 evtA3 evtA4 evtA5
. . .
χ0 χ1 χ2 χ3 χ4initR evtR1 evtR2 evtR3 evtR4 evtR5
. . .
C C C C C
Refinement: R refines AFor every concrete trace (χ0, χ1, . . .) of R with events(evtR
1 ,evtR2 , ...) there exists an abstract trace (σ0, σ1, . . .) with
events (evtA1 ,evtA
2 , . . .) such that1 χi 7�σi ∈ C for all i ∈ N2 evtR
i refines event evtAi .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 74/96
![Page 232: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/232.jpg)
Refinement – Coupled Traces
σ0 σ1 σ2 σ3 σ4initA evtA1 evtA2 evtA3 evtA4 evtA5
. . .
χ0 χ1 χ2 χ3 χ4initR evtR1 evtR2 evtR3 evtR4 evtR5
. . .
C C C C C
Refinement: R refines AFor every concrete trace (χ0, χ1, . . .) of R with events(evtR
1 ,evtR2 , ...) there exists an abstract trace (σ0, σ1, . . .) with
events (evtA1 ,evtA
2 , . . .) such that
1 χi 7�σi ∈ C for all i ∈ N2 evtR
i refines event evtAi .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 74/96
![Page 233: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/233.jpg)
Refinement – Coupled Traces
σ0 σ1 σ2 σ3 σ4initA evtA1 evtA2 evtA3 evtA4 evtA5
. . .
χ0 χ1 χ2 χ3 χ4initR evtR1 evtR2 evtR3 evtR4 evtR5
. . .
C C C C C
Refinement: R refines AFor every concrete trace (χ0, χ1, . . .) of R with events(evtR
1 ,evtR2 , ...) there exists an abstract trace (σ0, σ1, . . .) with
events (evtA1 ,evtA
2 , . . .) such that1 χi 7�σi ∈ C for all i ∈ N
2 evtRi refines event evtA
i .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 74/96
![Page 234: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/234.jpg)
Refinement – Coupled Traces
σ0 σ1 σ2 σ3 σ4initA evtA1 evtA2 evtA3 evtA4 evtA5
. . .
χ0 χ1 χ2 χ3 χ4initR evtR1 evtR2 evtR3 evtR4 evtR5
. . .
C C C C C
Refinement: R refines AFor every concrete trace (χ0, χ1, . . .) of R with events(evtR
1 ,evtR2 , ...) there exists an abstract trace (σ0, σ1, . . .) with
events (evtA1 ,evtA
2 , . . .) such that1 χi 7�σi ∈ C for all i ∈ N2 evtR
i refines event evtAi .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 74/96
![Page 235: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/235.jpg)
Refinement – Definition
Definition: RefinementLet R,A be two machines with state spaces SR,SA.Let C ∈ SR ↔ RA be the coupling invariant.R is called a refinement of A modulo C if
1 IR ⊆ C−1[IA] and2 ER;evtR ⊆ C ; EA;evtA ; C−1 for each event.
(∀x , y · x 7� y ∈ R−1 ⇔ y 7� x ∈ R, inverse relation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 75/96
![Page 236: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/236.jpg)
Refinement – Definition
Definition: RefinementLet R,A be two machines with state spaces SR,SA.Let C ∈ SR ↔ RA be the coupling invariant.R is called a refinement of A modulo C if
1 IR ⊆ C−1[IA] and
2 ER;evtR ⊆ C ; EA;evtA ; C−1 for each event.
(∀x , y · x 7� y ∈ R−1 ⇔ y 7� x ∈ R, inverse relation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 75/96
![Page 237: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/237.jpg)
Refinement – Definition
Definition: RefinementLet R,A be two machines with state spaces SR,SA.Let C ∈ SR ↔ RA be the coupling invariant.R is called a refinement of A modulo C if
1 IR ⊆ C−1[IA] and2 ER;evtR ⊆ C ; EA;evtA ; C−1 for each event.
(∀x , y · x 7� y ∈ R−1 ⇔ y 7� x ∈ R, inverse relation)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 75/96
![Page 238: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/238.jpg)
Refinement – Path subsumption
σn σn+1evtA
χn χn+1evtR
C C
⊆
ER;evtR ⊆ C ; EA;evtA ; C−1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 76/96
![Page 239: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/239.jpg)
Refinement – Path subsumption
σn σn+1evtA
χn χn+1evtR
C C
⊆
ER;evtR ⊆ C ; EA;evtA ; C−1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 76/96
![Page 240: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/240.jpg)
Refinement – Path subsumption
σn σn+1evtA
χn χn+1evtR
C C
⊆
ER;evtR ⊆ C ; EA;evtA ; C−1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 76/96
![Page 241: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/241.jpg)
Refinement – Path subsumption
σn σn+1evtA
χn χn+1evtR
C C
⊆
ER;evtR ⊆ C ; EA;evtA ; C−1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 76/96
![Page 242: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/242.jpg)
Refinement – Path subsumption
σn σn+1evtA
χn χn+1evtR
C C
⊆
ER;evtR ⊆ C ; EA;evtA ; C−1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 76/96
![Page 243: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/243.jpg)
Specifying Coupling
The coupling invariant is specified aspart of the invariant of the refining machine.
The invariant of a refinement is allowed to refer to variables ofits abstraction.
Example (from slide 72)
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
openFiles =dom(openModes)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 77/96
![Page 244: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/244.jpg)
Specifying Coupling
The coupling invariant is specified aspart of the invariant of the refining machine.
The invariant of a refinement is allowed to refer to variables ofits abstraction.
Example (from slide 72)
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
openFiles =dom(openModes)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 77/96
![Page 245: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/245.jpg)
Specifying Coupling
The coupling invariant is specified aspart of the invariant of the refining machine.
The invariant of a refinement is allowed to refer to variables ofits abstraction.
Example (from slide 72)
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
openFiles =dom(openModes)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 77/96
![Page 246: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/246.jpg)
Specifying Coupling
The coupling invariant is specified aspart of the invariant of the refining machine.
The invariant of a refinement is allowed to refer to variables ofits abstraction.
Example (from slide 72)
MACHINE AbstractFileSysVARIABLES openFilesINVARIANTS
openFiles ⊆ FILES
MACHINE RefinedFileSysVARIABLES openModesINVARIANTS
openModes ⊆FILES ×MODES
openFiles =dom(openModes)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 77/96
![Page 247: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/247.jpg)
Proof Obligation GRD
Proof that event guard in refinement is stronger than inabstract machine.=⇒ Abstraction is enabled when refinement is.
Abstract invariantsConcrete invariantsConcrete event guard
=⇒Abstract event guard
∀varsA, varsR ·
invA(varsA) ∧ invR(varsA, varsR) ∧ grdR(varsR)
⇒ grdA(varsA)
(Version w/o parameters, see literature for full version)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 78/96
![Page 248: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/248.jpg)
Proof Obligation GRD
Proof that event guard in refinement is stronger than inabstract machine.=⇒ Abstraction is enabled when refinement is.
Abstract invariantsConcrete invariantsConcrete event guard
=⇒Abstract event guard
∀varsA, varsR ·
invA(varsA) ∧ invR(varsA, varsR) ∧ grdR(varsR)
⇒ grdA(varsA)
(Version w/o parameters, see literature for full version)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 78/96
![Page 249: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/249.jpg)
Proof Obligation SIM
Show that refined action simulates abstract actions
Abstract invariantsConcrete invariantsConcrete event guardConcrete before-after-predicate
=⇒Abstract before-after-predicate
Rem ER;evtR ⊆ C ; EA;evtA ; C−1
Obs The coupling invariant is only used for the before-state notfor the after-state.
? Why?! Already proven condition INV implies invariant for
after-state.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 79/96
![Page 250: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/250.jpg)
Proof Obligation SIM
Show that refined action simulates abstract actions
Abstract invariantsConcrete invariantsConcrete event guardConcrete before-after-predicate
=⇒Abstract before-after-predicate
Rem ER;evtR ⊆ C ; EA;evtA ; C−1
Obs The coupling invariant is only used for the before-state notfor the after-state.
? Why?! Already proven condition INV implies invariant for
after-state.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 79/96
![Page 251: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/251.jpg)
Proof Obligation SIM
Show that refined action simulates abstract actions
Abstract invariantsConcrete invariantsConcrete event guardConcrete before-after-predicate
=⇒Abstract before-after-predicate
Rem ER;evtR ⊆ C ; EA;evtA ; C−1
Obs The coupling invariant is only used for the before-state notfor the after-state.
? Why?! Already proven condition INV implies invariant for
after-state.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 79/96
![Page 252: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/252.jpg)
Proof Obligation SIM
Show that refined action simulates abstract actions
Abstract invariantsConcrete invariantsConcrete event guardConcrete before-after-predicate
=⇒Abstract before-after-predicate
Rem ER;evtR ⊆ C ; EA;evtA ; C−1
Obs The coupling invariant is only used for the before-state notfor the after-state.
? Why?
! Already proven condition INV implies invariant forafter-state.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 79/96
![Page 253: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/253.jpg)
Proof Obligation SIM
Show that refined action simulates abstract actions
Abstract invariantsConcrete invariantsConcrete event guardConcrete before-after-predicate
=⇒Abstract before-after-predicate
Rem ER;evtR ⊆ C ; EA;evtA ; C−1
Obs The coupling invariant is only used for the before-state notfor the after-state.
? Why?! Already proven condition INV implies invariant for
after-state.Beckert, Ulbrich – Applications of Formal Verification SS 2019 79/96
![Page 254: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/254.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 255: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/255.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 256: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/256.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 257: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/257.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 258: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/258.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 259: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/259.jpg)
Event-B has more ...
Things not covered in these slides:
Witnesses for parameters dropped in refinements
Termination issues (variants)
Extended/Not extended events
Event merging
Sequential refinement
. . .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 80/96
![Page 260: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/260.jpg)
Byzantine Agreement –A case study verified with Event-B
Based on:Roman Krenicky and Mattias Ulbrich. Deductive Verification of a ByzantineAgreement Protocol. Technical report (2010-7). Karlsruhe Institute ofTechnology, Department of Informatics, 2010
Beckert, Ulbrich – Applications of Formal Verification SS 2019 81/96
![Page 261: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/261.jpg)
Byzantine Generals
“When shall we attack?”
agree on atime even in thepresence of traitors
Beckert, Ulbrich – Applications of Formal Verification SS 2019 82/96
![Page 262: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/262.jpg)
Byzantine Generals
“When shall we attack?”
agree on atime even in thepresence of traitors
Beckert, Ulbrich – Applications of Formal Verification SS 2019 82/96
![Page 263: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/263.jpg)
Byzantine Generals
“When shall we attack?”
agree on atime even in thepresence of traitors
messages
Beckert, Ulbrich – Applications of Formal Verification SS 2019 82/96
![Page 264: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/264.jpg)
Byzantine Generals
“When shall we attack?”
agree on atime even in thepresence of traitors
messages
Beckert, Ulbrich – Applications of Formal Verification SS 2019 82/96
![Page 265: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/265.jpg)
Application in Avionics
“Which componentsare operative?”
C2
C1
C2
C3
C4
agree on the setof operative componentseven in the presence offaulty components
Beckert, Ulbrich – Applications of Formal Verification SS 2019 83/96
![Page 266: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/266.jpg)
Application in Avionics
“Which componentsare operative?”
C2
C1
C2
C3
C4
agree on the setof operative componentseven in the presence offaulty components
Beckert, Ulbrich – Applications of Formal Verification SS 2019 83/96
![Page 267: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/267.jpg)
Application in Avionics
“Which componentsare operative?”
C2
C1
C2
C3
C4
agree on the setof operative componentseven in the presence offaulty components
Beckert, Ulbrich – Applications of Formal Verification SS 2019 83/96
![Page 268: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/268.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 269: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/269.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 270: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/270.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 271: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/271.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 272: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/272.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
1
1
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 273: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/273.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 274: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/274.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
1
1
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 275: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/275.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 276: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/276.jpg)
Explanation by Example
C1
C2
C3
C4
1
2
3
1
2
3
1
11
2,1
3,1
22
3
3
1,3,2
2,1,3
3,1,2
CONSENSUS!
Beckert, Ulbrich – Applications of Formal Verification SS 2019 84/96
![Page 277: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/277.jpg)
Example Run 2
C1
C2
C3
C4
1
X
X
Round 0
1
1
X1
Round 11
1
Round 2
1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 85/96
![Page 278: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/278.jpg)
Example Run 2
C1
C2
C3
C4
1
X
X
Round 0
1
1
X1
Round 11
1
Round 2
1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 85/96
![Page 279: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/279.jpg)
Example Run 2
C1
C2
C3
C4
1
X
X
Round 0
1
1
X1
Round 11
1
Round 2
1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 85/96
![Page 280: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/280.jpg)
Example Run 2
C1
C2
C3
C4
1
X
X
Round 0
1
1
X1
Round 1
1
1
Round 2
1
Beckert, Ulbrich – Applications of Formal Verification SS 2019 85/96
![Page 281: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/281.jpg)
Byzantine Agreement Algorithm
Verification Goals:
Validity If the transmitter tt is non-faulty, then all non-faultyreceivers agree on the value sent by tt .
Agreement Any two non-faulty receivers agree on the valueassigned to tt .
Beckert, Ulbrich – Applications of Formal Verification SS 2019 86/96
![Page 282: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/282.jpg)
Byzantine Agreement Algorithm
Round 0: Transmitter sends signed message to all receivers.
Round n: Component receive messages, verify signatures,sign messages and pass them on.
GOAL: Prove that this algorithm has the “validity” and“agreement” properties.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 87/96
![Page 283: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/283.jpg)
Byzantine Agreement Algorithm
Round 0: Transmitter sends signed message to all receivers.
Round n: Component receive messages, verify signatures,sign messages and pass them on.
GOAL: Prove that this algorithm has the “validity” and“agreement” properties.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 87/96
![Page 284: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/284.jpg)
Byzantine Agreement Algorithm
Round 0: Transmitter sends signed message to all receivers.
Round n: Component receive messages, verify signatures,sign messages and pass them on.
GOAL: Prove that this algorithm has the “validity” and“agreement” properties.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 87/96
![Page 285: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/285.jpg)
Verification
QuoteWe know of no area in computer scienceor mathematics in which informal reaso-ning is more likely to lead to errors than inthe study of this type of algorithm.
Taken from: The Byzantine Generals ProblemLeslie Lamport, Robert Shostak, and Marshall PeaseACM Transactions on Programming Languages and SystemsVolume 4, pp. 383–401,1982.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 88/96
![Page 286: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/286.jpg)
Context for Byzantine Agreement
CONTEXT ContextSETS
MODULE
VALUE
CONSTANTS
faulty , transmitter ,V0
AXIOMS
faulty ⊆ MODULE
transmitter ∈ MODULE
V0 ∈ VALUE
finite(faulty)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 89/96
![Page 287: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/287.jpg)
Context for Byzantine Agreement
CONTEXT ContextSETS
MODULE
VALUE
CONSTANTS
faulty , transmitter ,V0
AXIOMS
faulty ⊆ MODULE
transmitter ∈ MODULE
V0 ∈ VALUE
finite(faulty)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 89/96
![Page 288: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/288.jpg)
Context for Byzantine Agreement
CONTEXT ContextSETS
MODULE
VALUE
CONSTANTSfaulty , transmitter ,V0
AXIOMS
faulty ⊆ MODULE
transmitter ∈ MODULE
V0 ∈ VALUE
finite(faulty)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 89/96
![Page 289: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/289.jpg)
Context for Byzantine Agreement
CONTEXT ContextSETS
MODULE
VALUE
CONSTANTSfaulty , transmitter ,V0
AXIOMSfaulty ⊆ MODULE
transmitter ∈ MODULE
V0 ∈ VALUE
finite(faulty)END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 89/96
![Page 290: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/290.jpg)
First machine
MACHINE MessagesSEES Context
VARIABLES
INVARIANTS
ty mess : messages ⊆ MODULE ×MODULE × VALUE
ty round : round ∈ Nty collected : collected ∈ MODULE → P(VALUE)
. . .
messages messages being sent in the current roundround the number of the current round
collected values observed in previous rounds
Beckert, Ulbrich – Applications of Formal Verification SS 2019 90/96
![Page 291: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/291.jpg)
First machine
MACHINE MessagesSEES Context
VARIABLES messages, round , collected
INVARIANTS
ty mess : messages ⊆ MODULE ×MODULE × VALUE
ty round : round ∈ Nty collected : collected ∈ MODULE → P(VALUE)
. . .
messages messages being sent in the current roundround the number of the current round
collected values observed in previous rounds
Beckert, Ulbrich – Applications of Formal Verification SS 2019 90/96
![Page 292: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/292.jpg)
First machine
MACHINE MessagesSEES Context
VARIABLES messages, round , collected
INVARIANTSty mess : messages ⊆ MODULE ×MODULE × VALUE
ty round : round ∈ Nty collected : collected ∈ MODULE → P(VALUE)
. . .
messages messages being sent in the current round
round the number of the current roundcollected values observed in previous rounds
Beckert, Ulbrich – Applications of Formal Verification SS 2019 90/96
![Page 293: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/293.jpg)
First machine
MACHINE MessagesSEES Context
VARIABLES messages, round , collected
INVARIANTSty mess : messages ⊆ MODULE ×MODULE × VALUE
ty round : round ∈ N
ty collected : collected ∈ MODULE → P(VALUE)
. . .
messages messages being sent in the current roundround the number of the current round
collected values observed in previous rounds
Beckert, Ulbrich – Applications of Formal Verification SS 2019 90/96
![Page 294: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/294.jpg)
First machine
MACHINE MessagesSEES Context
VARIABLES messages, round , collected
INVARIANTSty mess : messages ⊆ MODULE ×MODULE × VALUE
ty round : round ∈ Nty collected : collected ∈ MODULE → P(VALUE)
. . .
messages messages being sent in the current roundround the number of the current round
collected values observed in previous rounds
Beckert, Ulbrich – Applications of Formal Verification SS 2019 90/96
![Page 295: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/295.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE
\ {transmitter}
× MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 296: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/296.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE
\ {transmitter}
× MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 297: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/297.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE
\ {transmitter}
× MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 298: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/298.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE
\ {transmitter}
× MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 299: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/299.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 300: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/300.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)act3 : collected := λm · collected(m) ∪
{v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 301: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/301.jpg)
First machine (2)
messages messages being sent in the current round
round the number of the current round
collected values observed in previous rounds
MACHINE Messages SEES Context
VARIABLES messages, round , collected
INVARIANTS...
EVENTS
Initialisation = ...
EVENT ROUND =act1 : round := round + 1act2 : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)act3 : collected := λm · collected(m) ∪ {v | (s,m, v) ∈ messages}
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 91/96
![Page 302: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/302.jpg)
First refinement: signed messages
All messages are signed in a trustworthy manner:No forgery possible =⇒ Consider only relayed messages.
round k : s rv
round k + 1: r nv
Beckert, Ulbrich – Applications of Formal Verification SS 2019 92/96
![Page 303: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/303.jpg)
First refinement: signed messages
All messages are signed in a trustworthy manner:No forgery possible =⇒ Consider only relayed messages.
round k : s rv
round k + 1: r nv
Beckert, Ulbrich – Applications of Formal Verification SS 2019 92/96
![Page 304: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/304.jpg)
First refinement: signed messages
All messages are signed in a trustworthy manner:No forgery possible =⇒ Consider only relayed messages.
round k : s rv
round k + 1: r nv
Beckert, Ulbrich – Applications of Formal Verification SS 2019 92/96
![Page 305: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/305.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})
was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 306: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/306.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})
was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 307: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/307.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 308: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/308.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 309: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/309.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 310: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/310.jpg)
Signed messages (2)
round k : s rv
round k + 1: r nv
MACHINE SignedMessages REFINES Messages
VARIABLES messages, round, collected
INVARIANTSval1:∀s, r , v · (s, r , v) ∈ messages ⇒ v ∈ collected(transmitter)val2: ∀n · collected(n) ⊆ collected(transmitter)
EVENTS
EVENTROUND REFINES ROUND =act1, act3 as aboveact2: messages :∈ P
({(r , n, v) | (s, r , v) ∈ messages
})was : messages :∈ P(MODULE \ {transmitter} × MODULE × VALUE)
END
Beckert, Ulbrich – Applications of Formal Verification SS 2019 93/96
![Page 311: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/311.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 312: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/312.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 313: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/313.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
Changes message representation:msgs ⊆ MODULE×MODULE×P(MODULE)×VALUE
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 314: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/314.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
non-faulty modules behave well:
r 6∈ faulty ∧ (s, r , h, v) ∈ msgs =⇒∀n ·
(n 6∈ h =⇒ (r , n, h ∪ {r}, v) ∈ msgs′
)
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 315: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/315.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
hybrid fault model:
faulty = arbFault ∪ symFaulty
arbFaulty ∩ symFaulty = ∅
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 316: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/316.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
new event structure:
PROCESS EVENT refines SKIP
modifies internal data structures (invisible to abstractmachine) and
ROUND SWITCH refines ROUND
reproduces the effect of a round change from the in-ternal data.
An implementation would refine PROCESS EVENT.
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 317: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/317.jpg)
Refinement Tower
covered so far
sees
sees
sees
sees
def. ext.
def. ext.
def. ext.
MessagesContext
MessagesSigned
History
Guarantees
GuaranteesTechHybridGuaranteesHybridContext
HybridGuaranteesTechRoundless
SM
VotingContext ValueTables
ValueTablesTechZAModuleList
Beckert, Ulbrich – Applications of Formal Verification SS 2019 94/96
![Page 318: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/318.jpg)
Agreement!
In machine Guarantees:
round ≥ card(faulty) + 1 =⇒(∀n,m·n /∈ faulty ∧m /∈ faulty ⇒
collected(n) = collected(m))
In machine HybridGuarantees:
round ≥ card(arbFaulty) + 1 =⇒(∀n,m·n /∈ faulty ∧m /∈ faulty ⇒
collected(n) = collected(m))
Beckert, Ulbrich – Applications of Formal Verification SS 2019 95/96
![Page 319: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/319.jpg)
Agreement!
In machine Guarantees:
round ≥ card(faulty) + 1 =⇒(∀n,m·n /∈ faulty ∧m /∈ faulty ⇒
collected(n) = collected(m))
In machine HybridGuarantees:
round ≥ card(arbFaulty) + 1 =⇒(∀n,m·n /∈ faulty ∧m /∈ faulty ⇒
collected(n) = collected(m))
Beckert, Ulbrich – Applications of Formal Verification SS 2019 95/96
![Page 320: Applications of Formal Verification...Late fault recovery is expensive [“Extra Time Saves Money”, W. Knuffel, Computer Language, 1990] Goal: Detect faults here! Beckert, Ulbrich](https://reader033.vdocuments.net/reader033/viewer/2022041922/5e6c4cd8f537694101544259/html5/thumbnails/320.jpg)
Verification Effort
NumbersSize: 4 contexts, 12 machines, 106 invariantsLabour: approx. 4 person monthsProofs: 322 proof obligationsAutomation: 74/322, 23%
Beckert, Ulbrich – Applications of Formal Verification SS 2019 96/96