
Systems Software Verification Summer School
Chapter 4: Proving properties
Manos Kapritsos, University of Michigan
Jon Howell, VMWare Research
Rob Johnson, VMWare Research

SAFETY PROPERTY
Safety property (a.k.a. invariant): a property that always holds
State machine representation of an execution: S0 → S1 → S2 → S3 → S4

EXAMPLE: CRAWLER
Crawler starts at (0, 5)
• It can move 1 step north or 1 step south-east
• Can it ever fall in the manhole? (The manhole is a disc of radius ρ=3 around the origin.)

predicate Init(s: Variables) {
  && s.x == 0
  && s.y == 5
}
predicate MoveNorth(s: Variables, s': Variables) {
  && s'.x == s.x
  && s'.y == s.y + 1
}
predicate MoveSouthEast(s: Variables, s': Variables) {
  && s'.x == s.x + 1
  && s'.y == s.y - 1
}

PROVING INVARIANTS
Proof by induction:
• Prove it holds on the first state
• Prove it is preserved by every transition
Execution: S0 → S1 → S2 → S3 → S4, with P holding at each state
Proof obligations:
  Init(s) ==> P(s)
  && P(s) && Next(s, s') ==> P(s')

PROVING THE CRAWLER
predicate Init(s: Variables) {
  && s.x == 0
  && s.y == 5
}
predicate MoveNorth(s: Variables, s': Variables) {
  && s'.x == s.x
  && s'.y == s.y + 1
}
predicate MoveSouthEast(s: Variables, s': Variables) {
  && s'.x == s.x + 1
  && s'.y == s.y - 1
}
// Next is not written out on the slide; it is the disjunction of the two moves.
predicate Next(s: Variables, s': Variables) {
  MoveNorth(s, s') || MoveSouthEast(s, s')
}
predicate InManhole(s: Variables) {
  s.x*s.x + s.y*s.y <= 3*3
}
Safety property P: !InManhole(s), with manhole radius ρ=3
Proof obligations:
  Init(s) ==> P(s)
  && P(s) && Next(s, s') ==> P(s')

INDUCTIVE INVARIANTS
Safety property (a.k.a. invariant): a property that always holds
Execution: S0 → S1 → S2 → S3 → S4, with P holding at each state
The problem: P may not be inductive! A property that holds on every reachable state need not be preserved by every transition out of every state that satisfies it, so the obligations
  Init(s) ==> P(s)
  && P(s) && Next(s, s') ==> P(s')
can fail for a P that is nevertheless always true.

INVARIANTS VS INDUCTIVE INVARIANTS
[Nested-set diagram, innermost to outermost:]
  Reachable states ⊆ Inductive invariant ⊆ Safe states (property P holds) ⊆ All states

PROVING SAFETY WITH INDUCTIVE INVARIANTS
Execution: S0 → S1 → S2 → S3 → S4, with Inv holding at each state
Find an inductive invariant Inv that is strong enough to imply P:
  IndInv(s) ==> P(s)
and prove Inv itself by induction:
  Init(s) ==> IndInv(s)
  && IndInv(s) && Next(s, s') ==> IndInv(s')

PROVING THE CRAWLER
• Can the crawler ever fall in the manhole? ρ=3
[Figure sequence: the crawler's moves plotted against the manhole of radius ρ=3; then the set of reachable states; then the region covered by the inductive invariant, which contains every reachable state and excludes the manhole.]

EXAMPLE: LOCK SERVER
Client 1 ↔ Server ↔ Client 2
Safety property: both clients cannot hold the lock at the same time

EXAMPLE: LOCK SERVER
[State diagram. Each state is written (S, C1, C2): 1 if the server, client 1 or client 2 holds the lock, 0 otherwise.]
All states (8):
  (0,1,1)  (1,1,0)  (1,1,1)  (1,0,1)  (0,0,1)  (1,0,0)  (0,1,0)  (0,0,0)
Safe states: the six states in which C1 and C2 are not both 1, i.e. all but (0,1,1) and (1,1,1)
Nested regions in the diagram: Reachable states ⊆ Inductive invariant ⊆ Safe states ⊆ All states
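The following is an added, executable illustration of the proof obligations on the "proving invariants" and "proving safety with inductive invariants" slides, applied to both the crawler and the lock server; it is not code from the course. Dafny discharges the obligations for all states symbolically; here they are checked by brute force over a finite window of states, which is enough to show that the safety property P is not itself inductive in either example while a stronger candidate invariant is. The crawler predicates are transcribed from the slides; the candidate invariant x + y >= 5, the lock-server transitions (server grants to a client, a client returns the lock) and the initial lock state are assumptions made for this example.

```python
# Bounded check of  Init(s) ==> Inv(s),  Inv(s) && Next(s,s') ==> Inv(s'),
# and  Inv(s) ==> P(s)  over finite state sets. Added example, not course code.
from collections import deque
from itertools import product

# ---------- Crawler, transcribed from the slides ----------
RHO = 3                                    # manhole radius

def crawler_init(s):
    x, y = s
    return x == 0 and y == 5

def crawler_next(s):
    """All s' with MoveNorth(s, s') or MoveSouthEast(s, s')."""
    x, y = s
    return [(x, y + 1), (x + 1, y - 1)]

def in_manhole(s):
    x, y = s
    return x * x + y * y <= RHO * RHO

def crawler_safe(s):                       # the safety property P
    return not in_manhole(s)

def crawler_inv(s):
    # Candidate inductive invariant (an assumption of this example, not stated
    # on the slides): MoveNorth raises x + y by 1 and MoveSouthEast leaves it
    # unchanged, so x + y never drops below its initial value 5.
    x, y = s
    return x + y >= 5

# The crawler's state space is infinite; the checks look at a finite window.
CRAWLER_STATES = [(x, y) for x in range(-10, 11) for y in range(-10, 11)]

# ---------- Lock server: state is (server, client1, client2) ----------
# Assumed model (the slides give only the safety property): the server may
# grant the lock to either client, and a client may return it to the server.
def lock_init(s):
    return s == (True, False, False)

def lock_next(s):
    srv, c1, c2 = s
    succ = []
    if srv:
        succ += [(False, True, c2), (False, c1, True)]   # grant to client 1 / 2
    if c1:
        succ.append((True, False, c2))                   # client 1 releases
    if c2:
        succ.append((True, c1, False))                   # client 2 releases
    return succ

def lock_safe(s):                          # P: both clients cannot hold the lock
    _, c1, c2 = s
    return not (c1 and c2)

def lock_inv(s):                           # candidate: at most one holder
    return sum(s) <= 1

LOCK_STATES = list(product([False, True], repeat=3))

# ---------- Generic checks of the proof obligations ----------
def check_inductive(states, init, nxt, inv):
    """None if Inv is inductive on `states`; otherwise the failing obligation,
    ("init", s, None) or ("next", s, s') with Inv(s) true and Inv(s') false."""
    for s in states:
        if init(s) and not inv(s):
            return ("init", s, None)
        if inv(s):
            for t in nxt(s):
                if not inv(t):
                    return ("next", s, t)
    return None

def check_implies(states, inv, prop):
    """First state where Inv(s) holds but P(s) does not, or None."""
    for s in states:
        if inv(s) and not prop(s):
            return s
    return None

def reachable(states, init, nxt):
    """Breadth-first search from the initial states, restricted to `states`."""
    window = set(states)
    seen = {s for s in states if init(s)}
    todo = deque(seen)
    while todo:
        s = todo.popleft()
        for t in nxt(s):
            if t in window and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

if __name__ == "__main__":
    for name, S, init, nxt, safe, inv in [
        ("crawler", CRAWLER_STATES, crawler_init, crawler_next, crawler_safe, crawler_inv),
        ("lock server", LOCK_STATES, lock_init, lock_next, lock_safe, lock_inv),
    ]:
        print(name)
        print("  P itself inductive?    ", check_inductive(S, init, nxt, safe))
        print("  Inv inductive?         ", check_inductive(S, init, nxt, inv))
        print("  Inv ==> P violated at  ", check_implies(S, inv, safe))
        print("  all reachable in Inv?  ", all(inv(s) for s in reachable(S, init, nxt)))
```

For the crawler, checking P directly reports a "next" failure from a state that is outside the manhole but steps into it (such a state has x < 0, so it is safe yet unreachable, which is exactly why P is an invariant without being inductive); x + y >= 5 passes all three obligations. For the lock server, P fails on the transition from (server, client 2 both holding) to (both clients holding), a safe but unreachable state, while "at most one holder" is inductive and implies P; the search also recovers the three reachable states drawn on the slide.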