model checking raise specifications

Click here to load reader

Post on 04-Feb-2022

1 views

Category:

Documents

0 download

Embed Size (px)

TRANSCRIPT

UNU-IIST Report No. 331 T
Model checking RAISE specifications
November 2006
UNU-IIST and UNU-IIST Reports
UNU-IIST (United Nations University International Institute for Software Technology) is a Research and Training Centre of the United Nations University (UNU). It is based in Macao, and was founded in 1991. It started operations in July 1992. UNU-IIST is jointly funded by the government of Macao and the governments of the People’s Republic of China and Portugal through a contribution to the UNU Endowment Fund. As well as providing two-thirds of the endowment fund, the Macao authorities also supply UNU-IIST with its office premises and furniture and subsidise fellow accommodation.
The mission of UNU-IIST is to assist developing countries in the application and development of software tech- nology.
UNU-IIST contributes through its programmatic activities:
1. Advanced development projects, in which software techniques supported by tools are applied,
2. Research projects, in which new techniques for software development are investigated,
3. Curriculum development projects, in which courses of software technology for universities in developing coun- tries are developed,
4. University development projects, which complement the curriculum development projects by aiming to strengthen all aspects of computer science teaching in universities in developing countries,
5. Schools and Courses, which typically teach advanced software development techniques,
6. Events, in which conferences and workshops are organised or supported by UNU-IIST, and
7. Dissemination, in which UNU-IIST regularly distributes to developing countries information on international progress of software technology.
Fellows, who are young scientists and engineers from developing countries, are invited to actively participate in all these projects. By doing the projects they are trained.
At present, the technical focus of UNU-IIST is on formal methods for software development. UNU-IIST is an internationally recognised center in the area of formal methods. However, no software technique is universally applicable. We are prepared to choose complementary techniques for our projects, if necessary.
UNU-IIST produces a report series. Reports are either Research R , Technical T , Compendia C or Adminis-
trative A . They are records of UNU-IIST activities and research and development achievements. Many of the reports are also published in conference proceedings and journals.
Please write to UNU-IIST at P.O. Box 3058, Macao or visit our home page: http://www.iist.unu.edu, if you would like to know more about UNU-IIST and its report series.
G. M. Reed, Director
P.O. Box 3058
Abstract
This report presents the basic foundations for the verification by means of model checking techniques of formal specifications expressed in RAISE.
During this work, third party model checkers are briefly discussed and analysed for suitability under two main criteria: (a) syntactic/semantic restrictions imposed by the model checker’s language and (b) the applied representation technique for the system (i.e. symbolic or explicit).
Then, the selection of Symbolic Analysis Laboratory (SAL) as the model checking tool is justified and all RAISE syntactic constructions are analysed for transformation into SAL. Foundations for the semantic preservation during the translation are provided in the cases where the justification is not a trivial one.
Finally, the design of extensions to RAISE to define transition systems and to support temporal logic formulas is described and the tool that implements the first version of the described translation procedure is also reported.
Juan Ignacio Perna is a member of the Computer Science Department at Universidad Nacional de San Luis, Argentina. He was a Fellow at UNU-IIST from March 2005 to December 2005.
Chris George joined UNU-IIST as a Senior Research Fellow on 1 September 1994, and is currently Associate Director. He is one of the main contributors to RAISE, particularly the RAISE method, and that remains his main research interest. Before coming to UNU-IIST he worked for companies in the UK and Denmark.
Copyright c© 2006 by UNU-IIST
Contents i
1 Introduction 1
2 Deciding the Model Checking approach 5 2.1 Main existing model checkers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1 SPIN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.1.2 SMV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.1.3 SAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 2.1.4 Translating RSL to SAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3 Translation issues 27 3.1 Syntactic issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
3.1.1 Declarations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 3.1.2 Class expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.1.3 Object expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 3.1.4 Type expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3.1.5 Value expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.2 Define before use rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 3.3 Solving the circular dependencies among SAL contexts . . . . . . . . . . . . . . . . . . . . 48 3.4 Bindings in functions’ signature/arguments . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.5 The RSL Maximal-type approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51 3.6 RSL extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.6.1 Transition systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 3.6.2 Temporal logic and temporal properties . . . . . . . . . . . . . . . . . . . . . . . . 54
3.7 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.7.1 Recursion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.7.2 Implicitly defined values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4 Extensions to the tool 64 4.1 Model checking confidence conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 4.2 Detecting confidence condition violations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 4.3 The simple CC version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 4.4 Imperative and concurrent style . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
5 Conclusions 77
A An applicative example of the lift example in SAL 79
B Operator precedence in the translator 89
Report No. 331, November 2006 UNU-IIST, P.O. Box 3058, Macao
Chapter 1
Presentation of the current work
Formal methods can be defined as mathematically based techniques for the specification, development and verification of software and hardware systems. The approach is especially relevant in high-integrity systems, for example where safety or security is important, to help ensure that errors are not introduced into the development process. Formal methods are particularly effective early in development at the requirements and specification levels, but can be used for a completely formal development of an imple- mentation (e.g., a program). In this sense, the Rigorous Approach to Industrial Software Engineering (RAISE) is a “formal specification language that aims at providing a sound notation (with a semantics and a proof system) for capturing requirements and expressing the functionality of software”[18].
Regarding the goal of software components/systems verification, there have been several approaches, mainly differing in the degree of involvement of the user and the completeness and soundness of the assertions that they allow to deduce. In particular, testing, deductive verification and model checking can be mentioned as the main techniques within the field. Briefly speaking, “simulation and testing both involve making experiments before deploying the system in the field...” [13], while deductive verification normally refers to “the use of axioms and proof rules to prove the correctness of critical systems” [13].
Model checking, on the other hand, is a method to algorithmically verify formal systems. This is achieved by verifying if the model, often deriving from a hardware or software design, satisfies a formal specifica- tion. The specification is often written as temporal logic formulas. The model is usually expressed as a transition system, i.e directed graph consisting of nodes (or vertices) and edges. A set of atomic proposi- tions is associated with each node. The nodes represent states of a system, the edges represent possible transitions which may alter the state, while the atomic propositions represent the basic properties that hold at a point of execution. Formally stated, the problem can described as follows: given a desired property, expressed as a temporal logic formula p, and a model M with initial state s, decide if M, s |= p.
In this context, the main advantage of model checking over other approaches is the much higher degree of automation achieved (almost no human interaction is needed in order to verify properties in the system). On the other hand, as the model checking technique is based in the calculation (and some times, also the representation) of all possible reachable states by the system under study, it suffers from the state explosion problem (i.e. the size of the computation increases exponentially with respect to the size of the
1
2 Introduction
original problem).
As the state explosion problem is a major limitation for the applicability of model checking in real problems (due to their complexity and size), several techniques have been developed to cope with this issue. In particular, symbolic model checking [30] and abstraction [16, 12] are the most used ones. Symbolic model checking tries to solve the state explosion problem by avoiding the construction of an explicit representation of the system by using boolean formulas to implicitly represent the system under analysis. Abstraction, on the other hand, is more complex for automation, but is essentially based on system simplification (either manually or, in some cases, automatically) by increasing the level of abstraction used for describing the system.
Regarding RAISE, specifications several tools for its verification are already available such as code gen- erators to several languages in order to run the specification’s code [43, 3]; test cases [8] (including test coverage analysis and mutation testing) and a translator to PVS [9] so important properties or invariants from the specification can be proved correct. There is, however, no support for Model Check- ing, even considering the fact that, in the case of RAISE, software is specified in a step-wise way [19]. In particular, the development process (following the RAISE development method) is carried out as a sequence of steps, starting from the specification of the system at a high level of abstraction and progress- ing by successively adding details towards a more concrete (and thereby closer to the implementation) specification. This way of development (getting closer to the implementation by decreasing the level of abstraction) is particularly suitable for model checking because it allows the verification of properties in early stages in the development process, where an abstract level description is obtained “for free” with the specification (actually, the specification itself is the abstract description of the system under study). Once verified, the RAISE development process warranties the preservation of the properties until the actual implementation of the system.
The main objective of this report is, then, the construction of a semantic framework and a tool that uses it to enable the application of the Model Checking technique to specifications written in the RAISE language (RSL).
State of the art
In the context of formal or rigorous methods for software development, several attempts have been made to incorporate Model Checking techniques given the advantage that software specifications are, essentially, abstractions of the desired system. In particular, there have been several approaches to the incorporation of model checking techniques in order to verify whether a given property is preserved throughout the whole development process or at a certain abstraction stage.
Some well known examples of the incorporation of model checking functionality into formal languages can be found in relation to the CSP [20, 4] process algebra [14]. In particular, a number of tools for analysing and understanding systems described using CSP have been produced over the years. Early tool imple- mentations used a variety of machine-readable syntaxes for CSP, making input files written for different tools incompatible. However, most CSP tools have now standardised on the machine-readable dialect of CSP devised by Bryan Scattergood, sometimes referred to as CSPM [38]. The CSPM dialect of CSP possesses a formally defined operational semantics, which includes an embedded functional programming language.
The most well-known CSP tool is probably Failures/Divergence Refinement 2 (FDR2) [29], which is a
Report No. 331, November 2006 UNU-IIST, P.O. Box 3058, Macao
Introduction 3
commercial product developed by Formal Systems Europe Ltd. FDR2 is often described as a model checker, but is technically a refinement checker, in that it converts two CSP process expressions into labelled transition systems, and then determines whether one of the processes is a refinement of the other within some specified semantic model (traces, failures, or failures/divergence). This refinement-based approach is particularly suitable when trying to verify the stepwise development of systems, but it has, however, obvious disadvantages over other temporal-logic-based approaches, where the specification of temporal properties is done in a more natural way. This issue was covered by Leusche et al in [27] by first (unsuccessfully) exploring the possibility of translating CSP into the SPIN [23] model checker and then, by providing a semantic framework to express temporal properties inside CSP, allowing the encoding of LTL properties behind a specially kind of refinement testing (performed using FDR). For this approach to be effectively applicable, the FDR tool must modified in order to allow it to automatically translate the LTL formulas in the CSP extension into an encoding based on refinement. This approach is incompatible with the goal of this report if the significant syntactic and semantic differences between RAISE applicative language and CSP are taken into account. It is, in particular, not clear how to extract the process-like description from RAISE specifications, making it hard to state the specification in the way required by FDR.
Another important case (because it uses the different approach of translating the specification into a model checking language) is the one developed by Smith and Wildman regarding Model Checking Z [1, 2] specifications [40]. In this work, the authors adopt a blocking semantics for the operations1 and present a whole set of mathematical libraries in order to provide support for sets, relations, functions (encoded as relations and thus, providing support for partial functions), sequences and bags. Under this approach, schemes are translated using SAL’s MODULES and channel interactions among them are modelled using INPUT and OUTPUT variables. As RAISE is much closer to Z than to CSP, this seems to be an important model to follow with the aim of adding model checking functionality to the RAISE language. There are, however, two main disadvantages in this approach:
• Performance. Even though the encoding functions as relations allows a straightforward translation of partial functions, this implementation is extremely inefficient when compared with the perfor- mance of SAL’s regular functions.
• Predicate-based encoding. The approach taken to translate most Z constructions is based on pred- icates, i.e. boolean expressions that take an extra argument and return true if the that argument correspond with the actual result of the application of that function. This approach is totally unsuitable for modelling RAISE applicative constructs.
Regarding Z, there have also been other efforts to translate it into languages such as PVS [41] and Isabelle/HOL [25] but these tools are proof languages, not suitable for temporal logic verification and, thus, not comparable with the present work2. A similar approach has also been used for Z extensions such as CSP-OZ, CSP-Z and Object-Z but using FDR as the target language in the translation. Given the fact that FDR’s input language is quite expressive, this approach allows a straightforward translation of most Z predicates (sequences and sequence operations for example). As mentioned above, FDR is not a temporal logic model checker but a refinement checker. Thus, for a given model M, the temporal logic
1As…