![Page 1: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/1.jpg)
VCC Case Study: Single-lane Bridge Problem
Summer School on Software Engineering and Verification (SSSEV)July 17-27, Moscow, Russia
Mentors: Stephan TobiesJohn Wickerson
Formal2Normal team: Andrey Dereza * Anatoliy Gorbenko ** Lyubov Reva ** Leanid Vaitsekhovich*** Oleg Illiashenko ** Oleksii Starov**_________________________________________________________
* - Caddiesoft, Ukraine** - National Aerospace University “KhAI”, Ukraine*** - Brest State Technical University, Belarus
![Page 2: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/2.jpg)
Abstract
The project is devoted to VCC case study development.
A system under study: a real-time system that controls traffic on a single-lane bridge
The purpose of the project: to demonstrate feasibility and usefulness of VCC tool to compare different implementations and annotation
techniques Our approach:
to employ a stepwise (refined-based) development and verification
2
![Page 3: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/3.jpg)
Single-lane bridge
© J.-R. Abrial. Modeling in Event-B: System and Software Engineering 3
![Page 4: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/4.jpg)
Single-lane bridge: System requirements FUN-1 The system is controlling cars on a bridge between
the mainland and an island
FUN-2 The number of cars on the bridge and the island is limited
FUN-3 The bridge is a single-line. Cars can move in a one way or the other, not both at the same time
EQP-1 The system has two traffic lights with two colours: green and red
EQP-2 The traffic lights control the entrance to the bridge at both ends of it
EQP-3 Cars are not supposed to pass on a red traffic light, only on a green one
EQP-4 The system is equipped with four car sensors each with two states: on or off
EQP-5 The sensors are used to detect the presence of cars entering or leaving the bridge
4
![Page 5: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/5.jpg)
Abstract model
Invariants n >= 0 n <= d
Events driveOut driveInto
ISLAND
LAND
driveOut
driveInton
MA
X_C
OU
NT
FUN-1 The system is controlling cars on a bridge between the mainland and an island
FUN-2 The number of cars on the bridge and the island is limited
5
![Page 6: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/6.jpg)
Step-wise developmentRequirement Refinement Implementation’s and VCC’s features
Variables Structure Threads
FUN-1 Abstractmodel
√ √ √
FUN-2 Abstractmodel
√ √ O
FUN-3 REF-1 √ √ O
EQP-1 REF-2 - √ O
EQP-2 REF-2 - √ O
EQP-3 REF-2 - √ O
EQP-4 REF-3 - O O
EQP-5 REF-3 - O O
6
![Page 7: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/7.jpg)
VCC implementation using Variables #include <vcc.h>
#include <stdio.h>#include <stdlib.h>#include <assert.h>
#define MAX_COUNT 100
int driveInto(unsigned *pn) _(requires (*pn) >= 0 && (*pn) <= MAX_COUNT) _(writes pn) _(ensures (*pn) >= 0 && (*pn) <= MAX_COUNT){ if ((*pn) < MAX_COUNT) { (*pn)++; return 1; } return 0;}
int driveOut(unsigned *pn) _(requires (*pn) >= 0 && (*pn) <= MAX_COUNT) _(writes pn) _(ensures (*pn) >= 0 && (*pn) <= MAX_COUNT){ if ((*pn) > 0) { (*pn)--; return 1; } return 0;}
7
![Page 8: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/8.jpg)
VCC implementation using Structure #include <vcc.h>#include <stdio.h>#include <stdlib.h>#include <assert.h>
#define MAX_COUNT 100
typedef struct _parkingIsland { // count of cars on the island unsigned n; _(invariant \this->n >= 0 && \this->n <= MAX_COUNT) // can be extended
} ParkingIsland;
void parkingInit(ParkingIsland *p) _(writes \extent(p)) _(ensures \wrapped(p)) { p->n = 0; _(wrap p)}
int driveInto(ParkingIsland *p) _(updates p){ if (p->n < MAX_COUNT) { _(unwrapping p){ p->n++; } return 1; } return 0;}
int driveOut(ParkingIsland *p) _(updates p){ if (p->n > 0) { _(unwrapping p){ p->n--; } return 1; } return 0;}
8
![Page 9: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/9.jpg)
Simulationunsigned n; // counter of cars on the islandint main() _(writes &n){ n = 0; unsigned waitingCars = 0;
// testing int roadIsBusy; for (unsigned i = 0; i < 1000; ++i) _(invariant waitingCars <= i && i <= 1000) _(invariant n >= 0 && n <= MAX_COUNT) { // one car pass for each iteration roadIsBusy = 0;
// in if (rand() & 1) { // normal distribution may be more natural waitingCars++; if (driveInto(&n)) { waitingCars--; roadIsBusy = 1; } } else if (waitingCars) { // do not think about the cars speed if (driveInto(&n)) { waitingCars--; roadIsBusy = 1; } }
// out if (!roadIsBusy && rand() & 1) { driveOut(&n); }
_(assert n >= 0) _(assert n <= MAX_COUNT)
#ifndef VERIFY // runtime check assert(n >= 0); assert(n <= MAX_COUNT);
// output for state printf("%3d >==< %3d\n", n, waitingCars);#endif
}
return 0;}
9
![Page 10: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/10.jpg)
Refinement 1
Invariants a, n, b >= 0 a + n + b <= MAX_COUNT (a = 0) (b = 0)
ISLAND
LAND
m_out
m_innM
AX
_CO
UN
T
i_out
i_in ab
BRIDGE
Events m_out m_in i_in i_out
10
![Page 11: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/11.jpg)
VCC Implementation Using Structure #include <vcc.h>#include <stdio.h>#include <stdlib.h>#include <assert.h>
#define MAX_COUNT 100
typedef struct _parkingIsland { unsigned n; unsigned a; unsigned b; unsigned w; _(invariant n >= 0 && a >= 0 && b >= 0) _(invariant n + a + b <= MAX_COUNT) _(invariant a == 0 || b == 0) } ParkingIsland;
void parkingInit(ParkingIsland *p) _(writes \extent(p)) _(ensures \wrapped(p)){ p->n = p->a = p->b = p->w = 0; _(wrap p)}
int i_in(ParkingIsland *p) _(updates p){ if (p->a > 0) { _(unwrapping p){ p->a--; p->n++; } return 1; } return 0;}int i_out(ParkingIsland *p) _(updates p){ if (p->a == 0 && p->n > 0) { _(unwrapping p){ p->n--; p->b++; } return 1; } return 0;}
int m_in(ParkingIsland *p) _(updates p){ if (p->b > 0) { _(unwrapping p){ p->b--; } return 1; } return 0;}int m_out(ParkingIsland *p) _(updates p){ if (p->b == 0 && p->n+p->a < MAX_COUNT) { _(unwrapping p){ p->a++; } return 1; } else { _(unwrapping p){ _(unchecked)p->w++; }return 0; } }
11
![Page 12: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/12.jpg)
SimulationParkingIsland pIsland; // parking on the island object
void main() _(writes \extent(&pIsland)){ parkingInit(&pIsland); // testing for (unsigned i = 0; i < 1000; ++i) _(writes &pIsland)// FIXME: why?! _(invariant \wrapped(&pIsland)) { if (rand() & 1) i_out(&pIsland); if (rand() & 1) m_out(&pIsland);
// temporary, to have more representative data if (i % 3 == 0) { i_in(&pIsland); m_in(&pIsland); }
_(assert \wrapped(&pIsland)) #ifndef VERIFY // runtime check assert(pIsland.n >= 0); assert(pIsland.a >= 0); assert(pIsland.b >= 0); assert(pIsland.w >= 0); assert(pIsland.n + pIsland.a <= MAX_COUNT); assert(!(pIsland.a && pIsland.b));
// output for state printf("%3d >= ( %3d-> <-%3d ) =< %3d\n", pIsland.n, pIsland.b, pIsland.a, pIsland.w);#endif }}
97 >= ( 0-> <-3 ) =< 236 97 >= ( 0-> <-3 ) =< 237 97 >= ( 0-> <-3 ) =< 237 98 >= ( 0-> <-2 ) =< 238 98 >= ( 0-> <-2 ) =< 239 98 >= ( 0-> <-2 ) =< 240 99 >= ( 0-> <-1 ) =< 240 99 >= ( 0-> <-1 ) =< 241 99 >= ( 0-> <-1 ) =< 241100 >= ( 0-> <-0 ) =< 241 99 >= ( 1-> <-0 ) =< 242 99 >= ( 1-> <-0 ) =< 243 99 >= ( 0-> <-0 ) =< 244 99 >= ( 0-> <-0 ) =< 244 98 >= ( 1-> <-0 ) =< 245 97 >= ( 1-> <-0 ) =< 246 96 >= ( 2-> <-0 ) =< 247 96 >= ( 2-> <-0 ) =< 248
12
![Page 13: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/13.jpg)
Refinement 2
Invariants a, n, b >= 0 a + n + b <= MAX_COUNT (a = 0) (b = 0) il_tl xor ml_tl …
Events ML_out ML_in IN_in IN_out
13
ISLAND
LAND
ML_out
ML_innM
AX
_CO
UN
T
IL_out
IL_in ab
BRIDGE ml_tl
il_tl
![Page 14: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/14.jpg)
VCC implementation elements#include <vcc.h>#include <stdio.h>#include <stdlib.h>#include <assert.h>
#define MAX_COUNT 1000#define LIGHT_DELAY 10#define SPEED_DELAY 10
typedef struct _trafficLight { unsigned light_i; unsigned light_m; unsigned delay;} TrafficLight;
typedef struct _parkingIsland { TrafficLight tl; unsigned n; unsigned a; unsigned b; unsigned w; // main invariants _(invariant n >= 0 && a >= 0 && b >= 0) _(invariant n + a + b <= MAX_COUNT) _(invariant a == 0 || b == 0) // traffic lights _(invariant tl.light_i == 0 || tl.light_i == 1) _(invariant tl.light_m == 0 || tl.light_m == 1) _(invariant (a + n < MAX_COUNT && b == 0 && a != 0) ==> tl.light_i == 1) _(invariant (a == 0 && b != 0) ==> tl.light_m == 1)} ParkingIsland;
void updateLights(ParkingIsland *pi) _(writes pi) _(writes &pi->tl.delay) _(writes &pi->tl.light_i) _(writes &pi->tl.light_m){ if (pi->a == 0 && pi->b == 0) { _(unchecked)pi->tl.delay--; if (pi->tl.delay == 0) { pi->tl.light_i = !pi->tl.light_i; pi->tl.light_m = !pi->tl.light_m; pi->tl.delay = LIGHT_DELAY; } } else { pi->tl.delay = LIGHT_DELAY; if (pi->a) { pi->tl.light_i = 0; pi->tl.light_m = 1; } else { pi->tl.light_i = 1; pi->tl.light_m = 0; } }}
14
![Page 15: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/15.jpg)
VCC implementation (next - atomic)#include <vcc.h>#include <stdio.h>#include <stdlib.h>#include <assert.h>#include "atomic.h"
#define MAX_COUNT 100
typedef struct _parkingIsland { volatile unsigned n; _(invariant n == \old(n) || n == \old(n) + 1 || n == \old(n) - 1) _(invariant \this->n >= 0 && \this->n <= MAX_COUNT)} ParkingIsland;
// todo
int driveInto(ParkingIsland *p){ _(atomic p) { // todo }
// todo}
15
![Page 16: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/16.jpg)
Lessons learned
If assertion involves a variable used in a cycle above, there should be a cycle’s invariant concerns this variable => Could be implemented in VCC
Usage of structures simplifies assertions. But hierarchy of structures sophisticates proof
16
![Page 17: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/17.jpg)
Conclusion
Sometimes VСС requires assertions which are redundant
The complexity of the annotations depends on implementation features
To use VCC in an effective way it is necessary to work out a special coding style
17
![Page 18: VCC Case Study: Single-lane Bridge Problem Summer School on Software Engineering and Verification (SSSEV) July 17-27, Moscow, Russia Mentors: Stephan Tobies](https://reader035.vdocuments.site/reader035/viewer/2022062423/5697bf821a28abf838c85c6f/html5/thumbnails/18.jpg)
Any questions?
18