Design and Analysis of Distributed Interacting Systems

Size: px

Start display at page:

Download "Design and Analysis of Distributed Interacting Systems"

Bruno Cannon
6 years ago
Views:

1 Design nd Anlysis of Distriuted Intercting Systems Lecture 6 LTL Model Checking Prof. Dr. Joel Greenyer My 16, 2013

2 Some Book References (1) C. Bier, J.-P. Ktoen: Principles of Model Checking. The MIT Press, E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

John Wiley & Sons, 2nd Edition, 2006. B. Bérrd, M. Bidoit, A. Finkel, F.

3 Some Book References (2) J. Mgee, J. Krmer: Concurrency: Stte Models nd Jv Progrms. John Wiley & Sons, 2nd Edition, B. Bérrd, M. Bidoit, A. Finkel, F. Lroussinie, A. Petit, L. Petrucci, Ph. Schnoeelen, P. McKenzie: Systems nd Softwre Verifiction Model-Checking Techniques. Springer-Verlg,

Simultion. Vieweg+Teuner Verlg, 2009. G.J.

4 Some Book References (3) Stephn Kleuker: Formle Modelle der Softwreentwicklung: Model- Checking, Verifiktion, Anlyse und Simultion. Vieweg+Teuner Verlg, G.J. Holzmnn: The SPIN model checker - Primer nd Reference Mnul. Addison Wesley,

Axel vn Lmsweerde: Requirements Engineering: From System

5 Some Book References (4) Klus Pohl: Requirements Engineering. dpunkt.verlg GmH, 2nd edition, Axel vn Lmsweerde: Requirements Engineering: From System Gols to UML Models to Softwre Specifictions. John Wiley & Sons,

6 Lst Time: Promel nd Spin mtype = {press, hold}; chn c = [0] of { mtype }; ctive proctype switch(){ RELEASED: if :: c!press; goto PRESSED fi; PRESSED: if :: c!hold; goto PRESSED :: goto RELEASED fi; } (this is possile pttern to model stte mchines in Promel) ctive proctype light(){ OFF: if :: c?press; goto LOW fi; LOW: if :: c?press; goto OFF :: c?hold; goto HIGH fi; HIGH: if :: c?press; goto OFF :: c?hold; goto LOW fi; } 6

7 Spin Verifiction more Techniclly... 1 yte x, y; 2 ctive proctype mini(){ 3 do 4 :: (x < 2) -> 5 x++ 6 :: (y < 2) -> 7 y++ 8 :: else -> 9 rek 10 od 11 } Promel model C progrm Output -4:-4:-4 1:1:17 2:1:23 3:0:0 4:1:17 5:0:4 6:1:21 7:1:23 Spin settings Error Trce 7

8 Spin Models nd Kripke Structures A Spin model cn e trnslted to Kripke Structure dt types, chnnels, mx. no. of processes is finite Spin cn do n exhustive nlysis of the corresponding KS Spin constructs KS on-the-fly, i.e., sometimes it finds results without constructing the complete KS 1 yte x, y; 2 ctive proctype mini(){ 3 do 4 :: (x < 2) -> 5 x++ 6 :: (y < 2) -> 7 y++ 8 :: else -> 9 rek 10 od 11 } (_, 3, 0, 0) x<2 y<2 (0, 5, 0, 0) (0, 7, 0, 0) x++ y++ (0, 3, 1, 0) (0, 3, 0, 1)... x<2 y<2 (0, 5, 0, 1)... (0, 7, 0, 1)... 8

9 ... #define trinoncrossing 3 #define croncrossing 2... Assertions ctive proctype trin(){ yte stte;... } ctive proctype cr(){ yte stte;... } during the exhustive stte spce explortion during model checking, ll possile interlevings of the other processes nd executing this ssertion will e checked when is this ssertion executed? ctive proctype Inv(){ ssert(!(trin:stte == trinoncrossing && cr:stte == croncrossing)) } 9

10 Verify LTL Properties mtype = {press, hold}; chn c = [0] of { mtype }; ctive proctype switch(){ RELEASED: if :: c!press; goto PRESSED fi; PRESSED: if :: c!hold; goto PRESSED :: goto RELEASED fi; } [] stnds for G (lwys), <> stnds for F (eventully),! is ctive proctype light(){ OFF: if :: c?press; goto LOW fi; LOW: if :: c?press; goto OFF :: c?hold; goto HIGH fi; HIGH: if :: c?press; goto OFF :: c?hold; goto LOW fi; } ltl p0 {[]<> light@low} ltl p1 {[]<> light@high} 10

11 Never-Clim Sequence of Boolen expressions over vriles in the model tht must never hppen Simple exmple: yte x = 3; ctive proctype P(){ x = 1; } never{ x == 3; x == 1 } The never-clim reches its end nd the verifiction will thus report violtion. 11

12 Never-Clim... ctive proctype light(){ OFF: if :: c?press; goto LOW fi; LOW: if :: c?press; goto OFF :: c?hold; goto HIGH fi; HIGH: if :: c?press; goto OFF :: c?hold; goto LOW fi; } never { true; light@low; true; light@high; } I didn't explin this thoroughly. 12

13 Never-Clims Why should I other? If I know how to specify interesting properties in LTL, why should I other progrmming never-clims? Spin checks LTL properties y first converting them to neverclims understnding never-clims helps understnding how Spin checks LTL properties Never-clims re more verose thn LTL formule, ut they re lso more powerful e.g., you cn count (up to finite numers) in never-clims 13

14 The Never Clim Checking Process Initilizing glol vriles Initilize init nd ctive processes [never-clim terminted] counter-exmple found Initilize locl process vriles [never-clim not terminted] [model cnnot mke step] [never-clim cn mke step] never-clim mkes step [never-clim cnnot mke step] no counter-exmple model mkes step [model cn mke step] [no cceptcycle found] [ccept-cycle found] counter-exmple found dopted from: Stephn Kleuker: Formle Modelle der Softwreentwicklung: Model-Checking, Verifiktion, Anlyse und Simultion. Vieweg+Teuner Verlg,

15 model mkes step ctive proctype light(){ OFF: if :: c?press; goto LOW fi; LOW: if :: c?press; goto OFF :: c?hold; goto HIGH fi; HIGH: if :: c?press; goto OFF :: c?hold; goto LOW fi; } Never-Clim never { true; light@low; true; light@high; } 4. model mkes step (switch@released, not shown here) 6. model mkes step (light@high) 1. true cn lwys mke step (light@off) 3. Cn now mke this step 5. Mkes step 7. Mkes step nd termintes, never clim violted. 15

16 Another Never-Clim Exmple Lels of the form ccept[-za-z0-9_]* mrk cceptnce cycles it must not e possile to visit these lels infinitely often Wht is specified here? Non-determinisit choice rememer: ll possiilities will e explored during verifiction run. T0_init: if :: (! light@low) -> goto ccept_s4 :: true -> goto T0_init fi; ccept_s4: if :: (! light@low) -> goto ccept_s4 fi; } 16

17 Design nd Anlysis of Distriuted Intercting Systems Lecture 6 LTL Model Checking Prof. Dr. Joel Greenyer My 16, 2013

18 Model-Checking modify Model (Kripke structure) flse + counter exmple (how the specifiction cn e violted) Model Checking true Specifiction (LTL) 18

19 Automt-sed LTL Model Checking There re different techniques for checking LTL properties i.e. checking whether M φ One is sed on Büchi Automt (BA) utomt tht ccept infinite words Approch: (Be M Kripke structure over AP) iff iff iff iff M φ L(M) L(φ) L(M) ((2 AP ) ω \ L(φ)) = L(M) L( φ) = L(B M B φ ) = Wht we need: 1. Checking emptyness of the lnguge ccepted y BA 2. Product construction for BAs 3. Represent KS s BA 4. Represent LTL formul s BA 19

20 Agend 1. Introduce Büchi Automt 2. Checking emptyness of the lnguge ccepted y BA 3. Product construction for BAs 4. Represent KS s BA 5. Represent LTL formul s BA 20

21 Büchi Automt A Büchi utomton is tuple BA = (Q, Σ, T, I, F) in which Q is finite, non-empty set of sttes Σ is finite lphet T Q Σ Q is trnsition reltion I Q is set of initil stte F Q is set of finl sttes (lso clled ccepting sttes) (Syntcticlly the sme s finite-stte utomton) An infinite word π Σ ω is ccepted y BA iff the BA hs corresponding run ( pth strting from n initil stte), tht infinitely often visits finl sttes. Such run is lso clled n ccepting run Exmple: Infinitely often, Σ = {, } 21

22 Büchi Automt There re other kinds of utomt for infinite words Rin utomt Muller utomt Street utomt they ll ccept the clss of ω-regulr lnguges Note: Not ll lnguges ccepted y non-deterministic Büchi utomton re ccepted y deterministic one exmple: words with finitely mny s cnnot e represented y deterministic BA, 22

23 Agend 1. Introduce Büchi Automt ( ) 2. Checking emptyness of the lnguge ccepted y BA 3. Product construction for BAs 4. Represent KS s BA 5. Represent LTL formul s BA 23

24 Checking Emptyness An ccepting run must visit t lest one ccepting stte infinitely often How do we determine the existence of n ccepting run? An ccepting stte must thus pper in cycle rechle from strt stte. 24

25 Find Accepting Runs SCC-Bsed Approch Compute ll strongly connected components (SCCs) Check whether non-trivil SCC contins n ccepting stte nd whether it is rechle from strt stte Def.: Sttes C Q form strongly connected component iff for ll q, q' C: q is rechle from q' There is no C' C for which this is true (C is mximl) An SCC is trivil iff C = 1 nd for q C: (q, σ, q) T, σ Σ non-trivil SCCs? Trjn's lgorithm, liner in the size of the grph, rechiliy s well, thus overll: Ο( Q + T ) 25

26 Find Accepting Runs Another Ide: DFS Strt depth first serch from n initil stte of the BA rememer DFS: uses stck for cktrcking when from stte q n edge is found to stte q' tht is currently on the stck, cycle is found the cycle is long the sttes on the stck from of q' to q If one of these sttes is ccepting, there is n ccepting run long the stte on the stck, nd then repeting in the cycle An edge to stte on the stck is clled ckwrd edge If DFS finds no ckwrd edges, then the BA is cyclic Prolem: When we find cycle, we must lwys check if it contins n ccepting stte this is expensive, we re not nymore liner in the size of the utomton. 26

27 Find Accepting Runs Nested DFS Ide: Two DFSs, clled lue (outer) nd red (inner) DFS ech DFS visits stte t most once, coloring it lue/red Strt lue DFS from strt stte if lue DFS finds n ccepting stte q, strt red DFS from q if red DFS finds non-empty pth from q to q, report cycle, n ccepting run is found: current stck of lue DFS + cycle otherwise continue lue DFS (from q) 27

28 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 28

29 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 29

30 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 30

31 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 31

32 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 32

33 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 33

34 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 34

35 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 35

36 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; 36

37 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 37

38 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 38

39 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 39

40 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 40

41 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 41

42 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 42

43 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 43

44 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 44

45 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 45

46 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 46

47 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 47

48 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 48

49 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 49

50 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; seed 50

51 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; report cycle! q' = seed 51

52 Find Accepting Runs Nested DFS procedure nested_dfs(ba ) forll q 0 I cll dfs_lue(q 0 ); procedure dfs_lue (Stte q) q.lue := true; if q'.lue then cll dfs_lue(q'); if q F then seed := q; cll dfs_red(q); seed procedure dfs_red (Stte q) q.red := true; if q'.red then cll dfs_red(q'); else if q' = seed then report cycle; lterntive: report cycle erlier, when dfs_red() encounters stte tht is on dfs_lue() stck requires extr dt structure for tht stck. 52

53 SCC-sed- vs. Nested DFS Approch SCC-sed pproch: finds shorter ccepting runs why is this good? Good ecuse these re the counter-exmples tht help us understnd how property is violted Nested DFS pproch: etter suited for on-the-fly emptyness checks BA is constructed while exploring it ccepting runs my e found efore whole BA is explored/constructed Spin uses modified version of the Nested DFS lgorithm see: G. J. Holzmnn, D. A. Peled, nd M. Ynnkkis. On nested depth first serch. In Proc. 2nd SPIN Workshop, pges 23 32, Further work on efficient emptyness checking see: A. Giser, S. Schwoon: Comprison of Algorithms for Checking Emptiness on Büchi Automt. Proc. of Workshop on Mthemticl nd Engineering Methods in Computer Science, MEMICS

54 Agend 1. Introduce Büchi Automt ( ) 2. Checking emptyness of the lnguge ccepted y BA ( ) 3. Product construction for BAs 4. Represent KS s BA 5. Represent LTL formul s BA 54

55 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y visited ccepting stte of first BA visiting lso ccepting stte of second BA reset counter keep vlue of counter from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

56 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1 off r 2 q 1 off q 2 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

57 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,? r 1 off r 2 q 1 off q 2 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

58 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 1 off r 2 q 1 off q 2 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

59 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 1 off r 2 q 1 off q 2 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

60 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 1 off r 2 q 1 off q 2 r 2,q 1,2,? from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

61 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 1 off r 2 q 1 off q 2 r 2,q 1,2 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

62 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 1 off r 2 q 1 off q 2 ll sttes with 2 s the third r 2,q 1,2 component re ccepting from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

63 Product Construction for BA Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) Building n utomton B 1 B 2 tht ccepts L(B 1 ) L(B 2 ): B 1 B 2 = (Q 1 Q 2 {0, 1, 2}, Σ, T, I 1 I 2 {0}, Q 1 Q 2 {2}) we hve ((r i, q j, x), σ, (r m, q n, y)) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 x = 0 nd r m F 1, then y = 1 r 1,q 1,0 x = 1 nd q n F 2, then y = 2 x = 2 then y = 0 otherwise x = y r 1,q 2,1 r 2,q 1,0 r 1 off r 2 q 1 off q 2 r 2,q 1,2 r 1,q 2,0 from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

64 Agend 1. Introduce Büchi Automt ( ) 2. Checking emptyness of the lnguge ccepted y BA ( ) 3. Product construction for BAs ( ) 4. Represent KS s BA 5. Represent LTL formul s BA 64

65 Represent Kripke Structure s Büchi Automton This is quite simple n exmple: {p, q} {p} {p, q} off {p} {p} {p,q} {q} {q} {p,q} from E. Clrke, O. Grumerg, D. Peled: Model Checking. MIT Press,

66 Specil Cse for BA Product Construction Product construction cn e simplified if ll sttes of one utomton re ccepting In the cse ll sttes of the utomton of the modeled system re ccepting Given two BA B 1 = (Q 1, Σ, T 1, I 1, F 1 ) nd B 2 = (Q 2, Σ, T 2, I 2, F 2 ) if F 1 = Q 1, then B 1 B 2 is defined s follows: B 1 B 2 = (Q 1 Q 2, Σ, T, I 1 I 2, Q 1 F 2 ) we hve ((r i, q j ), σ, (r m, q n )) T iff (r i, σ, r j ) T 1 nd (q m, σ, q n ) T 2 ccepting where second utomton is ccepting oth utomt gree on trnsition, s usul 66

67 Agend 1. Introduce Büchi Automt ( ) 2. Checking emptyness of the lnguge ccepted y BA ( ) 3. Product construction for BAs ( ) 4. Represent KS s BA ( ) 5. Represent LTL formul s BA next time (in two weeks) 67

68 ICSE nd SEAMS

69 Our Pper t SEAMS chnge in requirements or environment ssumptions Specifiction S is implemented y (ssumption or requirement MSDs dded or removed) updtle sttes Specifiction S' utomted synthesis dded updte trnsitions current controller (c) removed trnsitions remins of the current controller ( c-prt ) dded controller for implementing S' ( c'-prt ) dynmiclly updting controller see 69

Formal Methods in Software Engineering

Formal Methods in Software Engineering Forml Methods in Softwre Engineering Lecture 09 orgniztionl issues Prof. Dr. Joel Greenyer Decemer 9, 2014 Written Exm The written exm will tke plce on Mrch 4 th, 2015 The exm will tke 60 minutes nd strt