FAIRNESS FOR INFINITE STATE SYSTEMS

Similar documents
Fairness for Infinite-State Systems

Computation Tree Logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Overview. overview / 357

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Automata-Theoretic Model Checking of Reactive Systems

Finite-State Model Checking

Verification Using Temporal Logic

Model Checking with CTL. Presented by Jason Simas

Model for reactive systems/software

LTL and CTL. Lecture Notes by Dhananjay Raju

Model Checking: An Introduction

An Introduction to Temporal Logics

Computation Tree Logic (CTL)

Model Checking Algorithms

ESE601: Hybrid Systems. Introduction to verification

Chapter 5: Linear Temporal Logic

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Timo Latvala. March 7, 2004

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

The State Explosion Problem

Alan Bundy. Automated Reasoning LTL Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Introduction to Formal Verification Methods Exercise 4

Abstractions and Decision Procedures for Effective Software Model Checking

Safety and Liveness Properties

MODEL CHECKING. Arie Gurfinkel

Modal and Temporal Logics

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

From Liveness to Promptness

Computer-Aided Program Design

Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

Chapter 4: Computation tree logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Lecture 16: Computation Tree Logic (CTL)

Algorithmic verification

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Timo Latvala. February 4, 2004

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

3-Valued Abstraction-Refinement

Formal Verification of Mobile Network Protocols

Axiomatic Semantics. Operational semantics. Good for. Not good for automatic reasoning about programs

IC3 and Beyond: Incremental, Inductive Verification

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Lecture Notes on Software Model Checking

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Predicate Abstraction: A Tutorial

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Methods for Software Verification. Andrea Corradini Gian Luigi Ferrari. Second Semester 6 CFU

Course Runtime Verification

Chapter 3: Linear temporal logic

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

CTL Model Checking. Wishnu Prasetya.

Lecture Notes on Model Checking

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Testing with model checkers: A survey

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Computation Tree Logic

Model Checking Games for a Fair Branching-Time Temporal Epistemic Logic

T Reactive Systems: Temporal Logic LTL

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Safety and Liveness. Thread Synchronization: Too Much Milk. Critical Sections. A Really Cool Theorem

Computation Tree Logic

Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

An Informal introduction to Formal Verification

SFM-11:CONNECT Summer School, Bertinoro, June 2011

1 The decision problem for First order logic

LTL Model Checking. Wishnu Prasetya.

SAT-Based Verification with IC3: Foundations and Demands

Temporal Logic Model Checking

Reasoning about Time and Reliability

Model Checking. Boris Feigin March 9, University College London

Chapter 6: Computation Tree Logic

Linear Temporal Logic and Büchi Automata

Büchi Automata and Linear Temporal Logic

Benefits of Interval Temporal Logic for Specification of Concurrent Systems

QBF Encoding of Temporal Properties and QBF-based Verification

Lecture 2 Automata Theory

Basics of Linear Temporal Proper2es

PSPACE-completeness of LTL/CTL model checking

Linear-time Temporal Logic

CPSC 421: Tutorial #1

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Transcription:

FAIRNESS FOR INFINITE STATE SYSTEMS Heidy Khlaaf University College London 1

FORMAL VERIFICATION Formal verification is the process of establishing whether a system satisfies some requirements (properties), using formal methods of mathematics. 2

FORMAL VERIFICATION Not to be confused with testing! Testing can only show the presence of errors, not their absence. -E. Dijkstra 3

FORMAL VERIFICATION Cambridge University study: Global cost of debugging software up to $312 billion annually. On average, software developers spend 50% of their programming time finding and fixing bugs. 4

lock-brake system. 5 FORMAL VERIFICATION Toyota recalled more than 400,000 hybrid vehicles in 2010. The cars had a software glitch, which would cause a lag in the anti-

FORMAL VERIFICATION In1998, Nasa s Mars Climate Orbiter was lost in space. Engineers failed to make a simple conversion from English units to metric. Estimated cost is $655 million. 6

MODEL CHECKING One approach is model checking, which consists of the exhaustive exploration of a system s mathematical model. Finite-State Systems: Hardware. Infinite-State Systems: Software (Undecidable). 7

MODEL CHECKING Check whether a system s model meets a given specification. Safety: Something bad never happens. Liveness: Something good eventually happens. Fairness: Ensuring if a resource is requested infinitely often, then it is granted infinitely often. 8

TEMPORAL LOGIC Used as a specification language as it encompasses safety, liveness, fairness, etc. Logic reasoning about propositions qualified in terms of time. Most commonly used sub-logics are CTL (computational-tree logic) and LTL (linear-time logic). 9

CTL VS. LTL CTL LTL 10

CTL Reasoning about sets of states. Reasoning about non-deterministic (branching) programs. φ ::= α α φ φ φ φ AXφ AFφ A[φWφ] EXφ EGφ E[φUφ] A φ All: φ has to hold on all paths starting from all initial states. E φ Exists: there exists at least one path starting from all initial states where φ holds. 11

CTL X φ Next: φ has to hold at the next state. G φ Globally: φ has to hold on the all states along a path. F φ Finally: φ eventually has to hold. φ1 U φ2 Until: φ1 has to hold at least until at some position φ2 holds. φ2 must be verified in the future. φ1 W φ2 Weak until: φ1 has to hold until φ2 holds. 12

LTL Reasoning about sets of paths. Reasoning about concurrent programs. ψ ::= α ψ ψ ψ ψ Gψ Fψ [ψwψ] [ψuψ]. Properties expressed in the universal fragment of CTL ( CTL) are easier to prove than LTL properties. 13

FAIRNESS Executions are fair if a system enters a state infinitely often, and takes every possible transition from that state. e.g. If a process requests a resource infinitely often, then it must be granted infinitely often (resource starvation). 14

FAIRNESS LTL Can naturally express fairness: GF p GF q. Path based property not expressible in CTL. But when proving state-based CTL properties, we must often use fairness to model path-based assumptions about the environment. When reasoning about concurrent environments, fairness is used to abstract away the scheduler. 15

EMPLOYING FAIRNESS Introduce the first known tool for symbolically proving fair-ctl properties of infinite-state programs. Solution is based on a reduction to existing techniques for fairness- free CTL model checking. Use prophecy variables in the reduction for the purpose of symbolically partitioning fair from unfair executions. Prophecy variables are nondeterministic variables whose values are defined in terms of current program state and future behavior. 16

FAIR TERMINATION 1 PPBlockInits(); 2 while (i < Pdolen) { 3 DName = PPMakeDeviceName( ); 4 if (!DName) { break; } 5 RtlInitUnicodeString(&deviceName, DName); 6 status = IoCreateDevice( ); 7 if (STATUS_SUCCESS!= status) { 8 Pdo[i] = NULL; 9 if (STATUS_OBJECT_NAME_COLLISION == status) { 10 ExFreePool(DName); 11 num++; 12 continue; 13 } 14 break; 15 } else { 16 i++; 17 } 18 } 19 num = 0; 20 PPUnblockInits(); 17

FAIR TERMINATION 1 2 : m>0 m Õ = m 2 1 : m Æ 0 This transition system (modeling assumptions about the environment) clearly contains a non-terminating execution. However, if we only allow fair executions, then it is fair-terminating given that there exists no infinite fair paths such that if τ 1 occurs infinitely often then so does τ 2. Termination can be expressed in terms of CTL (a branching time logic) as AFAX false, but fairness cannot be expressed in CTL. 18

FAIRNESS A transition system M = (S, S 0, R, L) and a fairness condition Ω = (p,q) where p,q S. An infinite path π is unfair under Ω if states from p occur infinitely often along π but states from q occur finitely often. Otherwise, π is fair. Bridges the gap between trace-based and state-based reasoning, allowing us to prove fair-ctl. 19

FAIR CTL - THE IDEA Fair CTL model checking restricts the checks to only fair paths: 1. M, si = Ω+ Aφ iff φ holds in ALL fair paths. 2. M, si = Ω+ Eφ iff φ holds in one or more fair paths. Idea: Reduce fair CTL to fairness-free CTL via prophecy variables. Use the prophecy to encode a partition of fair from unfair paths. 20

FAIR CTL - THE IDEA Fair((S, S 0,R,L),(p, q)), (S,S 0,R,L ) where S R = S N = {((s, n), (s Õ,n Õ )) (s, s Õ ) œ R} Q a ( p n Õ Æ n) (p n Õ <n) S 0 = S 0 N q L (s, n) =L(s) R b n is decreased whenever a transition imposing p is taken. Since n N, n cannot decrease infinitely often, enforcing the eventual invalidation of the transition p n < n. R Ω would only allow a transition to proceed if q holds or p n n holds. That is, either q occurs infinitely often or p will occur finitely often. 21

TRANSFORMATION R 0 = R [ {(s, s) 8s 0.(s, s 0 ) /2 R} L 0 (s) = ( L(s) [ {t}, L(s), if 8s 0.(s, s 0 ) /2 R otherwise Fair(M,Ω) can include finite paths that are prefixes of unfair infinite paths due to the wrong estimation of the number of p-s until q. We have to ensure that these paths do not interfere with the validity of our model checking procedure. We distinguish between finite paths that occur in M and those introduced by our reduction. Add a self-loop with proposition t to mark all original valid termination states. 22

TRANSFORMATION Term(,t)::= Term(' 1 ^ ' 2,t)::=Term(' 1,t) ^ Term(' 2,t) Term(' 1 _ ' 2,t)::=Term(' 1,t) _ Term(' 2,t) Term(AX',t)::=t _ AX(Term(',t)) Term(AF',t)::=AFTerm(',t) Term(A[' 1 W' 2 ],t)::=a[term(' 1,t) W Term(' 2,t)] Term(EX',t)::= t ^ EX(Term(',t)) Term(EG',t)::=EGTerm(',t) Term(E[' 1 U' 2 ],t)::=e[term(' 1,t) U Term(' 2,t)] Adjust the CTL specification to accommodate for this change. M = Ω+ φ Term(M, t) = Ω+ Term(φ, t) 23

FAIR TERMINATION - REVISITED 1 2 : m>0 r m Õ = m 2 1 : m Æ 0 r 3 : t r (b) r : { ( 1 n Õ Æ n) ( 1 n Õ <n) 2 } n Ø 0 CTL property AF (t AX false). Strong fairness constraint Ω = (τ1, τ2). 24

ECTL s 1 s 0 r, p s 1 p s 2 p s 3 p m 0 m 1 m 2 m 3 M, m 0 = Ω+ EG( p EF r) for Ω = (p,q). From s i there is a unique path that eventually reaches s 0, where it satisfies r, and then continues to s 1, where p does not hold. The paths which satisfy EG( p EF r) are fair. However, system does not hold under Fair(M,Ω). 25

FAIR CTL As long as a new prophecy variable is introduced for each temporal subformula, the reduction can still be applied. Recurse over each sub-formula, and add a non-termination (Eφ) or termination (Aφ) clause, allowing us to ignore finite paths that are prefixes of unfair infinite-paths. Apply our reduction Fair(M, Ω) and run with φ on an existing CTL model checker which returns an assertion a characterizing the states in which φ holds. Eφ n 0. a Aφ n 0. a 26

FAIR CTL 1 let FairCTL(M,, ') : assertion = 2 3 match(') with 4 Q ' 1 OP ' 2 5 ' 1 bool OP ' 2! 6 a '1 = FairCTL(M,, ' 1 ); 7 a '2 = FairCTL(M,, ' 2 ) 8 Q OP ' 1! 9 a '1 = FairCTL(M,, ' 1 ) 10! 11 a '1 = 12 13 match(') with 14 E ' 1 U' 2! 15 ' 0 = E[a '1 U(a '2 ^ term)] 16 E G' 1! 17 ' 0 = EG(a '1 ^ term) 18 E X' 1! 19 ' 0 = EX(a '1 ^ term) 20 A ' 1 W' 2! 21 ' 0 = A[a '1 W(a '2 _ term)] 22 23 A F' 1! 24 ' 0 = AF(a '1 _ term) 25 A X' 1! 26 ' 0 = AX(a '1 _ term) 27 ' 1 bool OP ' 2! 28 ' 0 = a '1 bool OP a '2 29! 30 ' 0 = a '1 31 32 M 0 = Fair(M, ) 33 a = CTL(M 0, ' 0 ) 34 35 match(') with 36 E ' 0! 37 return 9n 0. a 38 A ' 0! 39 return 8n 0. a 40! 41 return a FairCTL(M,Ω,φ) employs an existing CTL model checker and the reduction Fair(M, Ω). An assertion characterizing the states in which φ holds under the fairness constraint Ω is returned. 27

EXPERIMENTS Program LOC Property FC Time(s) Result Windows Device Driver 1 20 AG(PPBlockInits() ) Yes. 14.43 X AFPPUnblockInits()) Windows Device Driver 1 20 AG(PPBlockInits() ) No. 2.16 AFPPUnblockInits()) Windows Device Driver 1 20 AG(PPBlockInits() ) Yes. 10.11 + bug AFPPUnblockInits()) Bakery 37 AG(Noncritical ) No. 16.43 X AFCritical) Bakery 37 AG(Noncritical ) Yes. 2.98 AFCritical) Bakery + bug 37 AG(Noncritical ) No. 12.48 AFCritical) Windows Device Driver 2 374 AG(KeAcquireSpinLock() ) Yes. 18.84 X AFKeReleaseSpinLock()) Windows Device Driver 2 374 AG(KeAcquireSpinLock() ) No. 14.12 AFKeReleaseSpinLock) Windows Device Driver 2 374 AG(KeAcquireSpinLock() ) Yes. 18.94 + bug AFKeRelaseSpinLock()) Windows Device Driver 3 58 AF(KeEnCriticalRegion() ) Yes. 12.58 EGKeExCriticalRegion()) Windows Device Driver 3 58 AF(KeEnCriticalRegion() ) No. 9.62 X EGKeExCriticalRegion) Fig. 11: Windows Device Driver 1 uses the fairness constraint 28

RECAP Introduced the first known method for symbolically proving fair-ctl properties of (infinite-state) integer programs. Solution is based on a reduction which allows the use and integration with any off-the-shelf CTL tool Use prophecy variables in the reduction for the purpose of symbolically partitioning fair from unfair executions. Implemented as an extension to T2, a CTL model checker which returns assertions characterizing the states in which a property holds. 29

QUESTIONS? 30

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback