PSL Model Checking and Run-time Verification via Testers

Transcription

1 PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University

2 Introduction Motivation (Why PSL?) A new property specification language, PSL (also known as IEEE P1850 PSL), has been proposed and accepted by a wide variety of companies. PSL is a language for the specification, verification, and testing of hardware design. PSL combines the power of LTL and regular expressions. expressiveness matches NBA. [ Example: ψ = {aa} b ( c) ] Resulting PSL Model Checking and Run-time Verification via Testers 1

3 Introduction Motivation (Why Testers?) A temporal tester can be viewed as a (non-deterministic) transducer that outputs a boolean value which is 1 iff the corresponding temporal formula holds at the current position. While acceptors, such as Büchi automata, do not compose, testers do. T [ϕ] T [ψ] p q T [p U q] Composition of testers for T [p U q], T [ϕ], and T [ψ] to form T [ϕ U ψ]. PSL Model Checking and Run-time Verification via Testers 2

4 PSL PSL Syntax and Semantics (1/2) The logic PSL is defined with respect to a non-empty set of atomic propositions P and a given set of boolean expressions B over P. Sequential Extended Regular Expressions (SEREs) Every boolean expression b B is an SERE. If r, r 1, and r 2 are SEREs, then the following are SEREs: r 1 ; r 2 concatenation r 1 r 2 or r[ ] consecutive repetition r 1 : r 2 (sequence fusion) r 1 && r 2 (length-matching and ) PSL Model Checking and Run-time Verification via Testers 3

5 PSL PSL Syntax and Semantics (2/2) The semantics of PSL is defined with respect to finite and infinite words over Σ = 2 P {, }. We denote an empty, finite, or infinite word from Σ Σ ω by v. We use v i..j to denote the corresponding sub-word of v and v to represent the word obtained by replacing every with a and vice versa. v ϕ v ϕ v ϕ ψ v ϕ and v ψ v b v = 0 or v 0 = b v X!ϕ v > 1 and v 1.. ϕ v [ϕ U ψ] k < v s.t. v k.. ψ, and j < k, v j.. ϕ v r ϕ j < v s.t. v 0..j r, v j.. ϕ and much more: clocks, abort, branching,... PSL Model Checking and Run-time Verification via Testers 4

6 Our Model Just Discrete Systems (JDS) A JDS D = (V, Θ, R, J, F) consists of: V : A finite set of system variables. A state of the system D provides a typeconsistent interpretation of the system variables V. For a state s and a system variable v V, we denote the value assigned to v by the state s by s[v]. Θ: The initial condition. R(V, V ): The transition relation, which is an assertion that relates the values of the variables in V interpreted by a state s to the values of the variables V in an R-successor state s. J : A set of justice (weak fairness) requirements. For every J J, an infinite computation must include infinitely many states satisfying J. F: The termination condition, which is an assertion specifying the set of final states. PSL Model Checking and Run-time Verification via Testers 5

7 LTL Testers Testers A tester for a formula ϕ is a JDS T ϕ which has a distinguished boolean variable x ϕ such that: For every computation σ : s 0, s 1, s 2,..., of T ϕ and every position i 0, s i [x ϕ ] = 1 iff σ i.. = ϕ For every sequence of σ : s 0, s 1, s 2,...,, there is a corresponding computation σ : s 0, s 1, s 2,..., of T ϕ such that, for each i, s i and s i agree on the interpretation of all ϕ-variables. Intuitively, a tester should be able to correctly interpret x ϕ for any given sequence. Otherwise, the first condition can be trivially satisfied by a JDS that has no computations. PSL Model Checking and Run-time Verification via Testers 6

8 LTL Testers T ( p) = A Tester for V : {p, x ϕ } Θ : 1 R(V, V ) : x ϕ = p J : F : x ϕ p (X!p) It follows almost immediately from the construction that T ( tester for p: p) is indeed a good The soundness of the T ( p) is guaranteed by the transition relation with the exception that we still have a freedom to incorrectly interpret x ϕ at the very last state. This case is handled separately by insisting that every final state must interpret x ϕ as false. The completeness follows from the fact that we do not restrict P variables by the transition relation, and we can always interpret x ϕ properly, by either matching p or setting it to false in the last state. PSL Model Checking and Run-time Verification via Testers 7

9 LTL Testers T (p U q) = A Tester for p U q V : {p, q, x ϕ } Θ : 1 R(V, V ) : x ϕ = ( q (p x ϕ ) ) J : q x ϕ F : x ϕ = q Unlike the previous tester, T (p U q) has a non-empty justice set. A technical reason is that the transition relation allows x ϕ to be continuously set to true without having a single state that actually satisfies q. The situation is ruled out by the justice requirement. PSL Model Checking and Run-time Verification via Testers 8

10 LTL Testers A Tester Recipe Another way to explain the justice requirement is that R ϕ expansion formula for the U (strong until) operator, namely represents an p U q ( q (p [p U q]) ). In general, a good first step when building a tester is to start with an expansion formula. However, the expansion formula alone is usually not sufficient for a proper tester. Indeed, consider the operator W(weak until), defined as p W q (true U p) p U q, which has exactly the same expansion formula, namely p W q ( q (p [p W q]) ). We use justice to differentiate between the two operators. PSL Model Checking and Run-time Verification via Testers 9

11 LTL Testers Building a Tester for an Arbitrary LTL Formula ϕ To build a tester T ϕ : If ϕ is a basic formula ( p or p U q) use the tester construction from the previous slides. Boolean connectives and propositions can be handled in a straightforward way. Otherwise, let ψ be an innermost sub-formula of ϕ. Build a tester T ψ for ψ, with the output variable x ψ. Inductively, build a tester T ϕ[ψ/xψ ] for ϕ[ψ/x ψ ]. T ϕ = T ϕ[ψ/xψ ] T ψ, where denotes synchronous composition. PSL Model Checking and Run-time Verification via Testers 10

12 LTL Testers A tester for ϕ = true U ( [b 1 U b 2 ] b 3 U [b 1 U b 2 ]) We start by identifying ψ = b 1 U b 2 to be the innermost formula and building the corresponding tester T b1 Ub 2. Assume that z is the output variable of the tester T b1 Ub 2. Let α = ϕ[b 1 U b 2 /z]. Note we can perform the substitution twice but there is no need for two testers, which can result in significant savings. After the substitution we obtain α = true U ( z (b 3 U z)). We proceed in similar fashion and build two more testers T z and T b3 Uz with the output variables x and y. After substitutions we obtain a formula β = true U [x y]. Since x y is just a boolean expression, the formula satisfies the condition of the base case and with one more step we finish the construction. The final result can be expressed as: T ϕ = T β T z T b3 Uz T b1 Ub 2, where x ϕ = x β. PSL Model Checking and Run-time Verification via Testers 11

13 LTL Testers Model Checking M for ϕ Construct a tester T ϕ for ϕ. Check if M T ϕ has a (fair) computation, such that s 0 [x ϕ ] = 0. PSL Model Checking and Run-time Verification via Testers 12

14 PSL Testers Building a Tester for ϕ = r ψ v r ψ j < v s.t. v 0..j r, v j.. ψ Our Plan: Build a tester for ψ. Build a grammar for r. Define expansion formula for the operator. Apply double representation approach introduced by Satoru Miyano and Takeshi Hayashi in Alternating Finite Automata on ω-words to define justice requirements. For simplicity, assume that r = {pq}[ ]. The general case is left as an exercise for the reader. PSL Model Checking and Run-time Verification via Testers 13

15 PSL Testers A Tester for ϕ = {pq}[ ] x ψ v {pq}[ ] x ψ j < v s.t. v 0..j {pq}[ ], v j = x ψ The associated right-linear grammar for the SERE {pq}[ ] is given by: V 1 pv 2 V 2 q qv 1 Note that V 1 x ψ p [ V 2 x ψ ] and V 2 x ψ (q x ψ ) (q [ V 1 x ψ ]). V ϕ : {p, q, x ϕ, x ψ, X 1, X 2, Y 1, Y 2 } Θ ϕ : 1 (X 1 = (p X 2)) (X 2 = (q x ψ ) (q X 1)) T ϕ : R ϕ (V, V ) : (Y 1 (p Y 2)) (Y 2 (q x ψ ) (q Y 1)) x ϕ = X 1 J ϕ : { Y 1 Y 2, X 1 = Y 1 X 2 = Y 2 } F ϕ : (X 1 = false) (X 2 = q x ψ ) PSL Model Checking and Run-time Verification via Testers 14

16 Run-time Monitoring with Testers Run-time Monitoring with Testers Assume a reactive system D and a PSL formula ϕ, which formalizes a property that D should satisfy. In order to test the conjecture that D satisfies ϕ, we construct a program M, to which we refer as a monitor, that observes individual behaviors of D. Behaviors of D are fed to the monitor state by state. After observing the finite sequence σ : s 0,..., s k for some k 0, we expect the monitor to be able to answer a subset of the following questions: 1. Does σ satisfy the formula ϕ? 2. Is ϕ negatively determined by σ? That is, is it the case that σ η = ϕ for all finite or infinite completions η. 3. Is ϕ positively determined by σ? That is, is it the case that σ η = ϕ for all finite or infinite completions η? 4. Is ϕ σ monitorable? That is, is it the case that there exists a finite η such that ϕ is positively or negatively determined by σ η. If D is expected to run forever then it is useless to continue monitoring after observing σ such that ϕ is not σ monitorable. PSL Model Checking and Run-time Verification via Testers 15

17 Conclusion Conclusion Our main contribution is extending LTL testers, introduced by Y. Kesten, A. Pnueli, and L. Raviv, to handle full PSL. Our construction is optimal. The size of a tester is exponential in the size of a given formula as long as all grammars are linear for their respective SEREs. The closest work to ours is Automata Construction for PSL by Bustan D., Fisman D. and Havlicek J.. They show how to build a Büchi automaton for a given PSL formula (via alternating Büchi automata). A surprising fact is that we can convert our tester to an automaton that is exactly the same as one produced via alternating automata. We just need to apply a standard conversion from GNBA (Generalized Nondeterministic Büchi Automata) to NBA, and pessimize the resulting automata. It is still advantageous to use testers. For example, a user can manually optimize a tester for a sub-formula and use it everywhere it is needed. PSL Model Checking and Run-time Verification via Testers 16