Introduction to Models and Properties
Computer Science and Artificial Intelligence Laboratory, MIT
Armand Solar-Lezama
November 23, 2015
Recap: Properties

                                  Flexible   Push-button
Properties of variables           No         Yes
Properties at program points      Yes        No
Properties at program points      No         Yes
Properties of execution traces    Yes        Yes
Model Checking Today
Hardware Model Checking
- part of the standard toolkit for hardware design
  Intel has used it for production chips since the Pentium 4
  For the Intel Core i7, most pre-silicon validation was done through formal methods (i.e. Model Checking + Theorem Proving)
- many commercial products: IBM RuleBase, Synopsys Magellan, ...
Software Model Checking
- Static Driver Verifier is now a commercial Microsoft product
- Java PathFinder was used to verify code for a Mars rover
This doesn't mean Model Checking is a solved problem
- Far from it
Model Checking Genesis
The paper that started it all
- Clarke and Emerson, "Design and Synthesis of Synchronization Skeletons using Branching Time Temporal Logic"
"Proof construction is unnecessary in the case of finite state concurrent systems and can be replaced by a model-theoretic approach which will mechanically determine if the system meets a specification expressed in propositional temporal logic"
Intellectual Roots
Two important developments preceded this paper
- Verification through exhaustive exploration of finite state models
  G. V. Bochmann and J. Gecsei, "A unified method for the specification and verification of protocols", Proc. IFIP Congress 1977
- Development of Linear Temporal Logic and its application to specifying system properties
  A. Pnueli, "The temporal semantics of concurrent programs", 1977
Model Checking
The model checking approach (as characterized by Emerson)
- Start with a program that defines a finite state graph M
- Search M for patterns that tell you whether a specification f holds
- Pattern specification is flexible
- The method is efficient in the size of M and hopefully also of f
- The method is algorithmic
So what exactly is a model?
Remember our friend?
- What does this mean? x y x
The statement above can be established through logical deduction
- Axiomatic semantics and type theory are deductive
- The program, together with the desired properties, makes a theorem
- We use deduction to prove the theorem
- What about this; is it true? x + y == 5
  We cannot really establish this through deduction
  We can only say whether it's true or false under a given model:
  [x=3, y=2] ⊨ x + y == 5
  You have seen this symbol too
- In operational semantics, the variable assignments were the model
- The program behavior was the theorem we were trying to prove under a given model
Basic Notions of Model Theory
Consider the following sentence:
- S := "The class today was awesome"
Is this sentence true or false?
- that depends: What class is "the class"? What day is "today"?
We can give this sentence an interpretation
- I := The class is 6.820, today is Tuesday Nov 22
When an interpretation I makes S true we say that
- I satisfies S
- I is a model of S
- I ⊨ S
The model checking problem
We are interested in deciding whether I ⊨ S for the special case where
- I is a Kripke structure
- S is a temporal logic formula
Today you get to learn what each of these things is
But the high-level idea is:
- Unlike axiomatic semantics, where the program was part of the theorem,
- The program will now be the model
  Well, not the program directly, but rather a Kripke structure representing the program
Kripke Structures as Models
A Kripke structure is an FSM with labels
Kripke structure = (S, S0, R, L)
- S = finite set of states
- S0 ⊆ S = set of initial states
- R ⊆ S × S = transition relation
- L : S → 2^AP = labels each state with a set of atomic propositions
Microwave Example
- S = {s1, s2, s3, s4}
- S0 = {s1}
- R = {(s1,s2), (s2,s1), (s1,s4), (s4,s2), (s2,s3), (s3,s2), (s3,s3)}
- L(s1) = {¬close, ¬start, ¬cooking}
- L(s2) = {close, ¬start, ¬cooking}
- L(s3) = {close, start, cooking}
- L(s4) = {¬close, start, ¬cooking}
[Figure: state diagram of the microwave; transitions labeled close door (s1→s2), open door (s2→s1), start (s1→s4), close door (s4→s2), start (s2→s3), finish (s3→s2), cooking (s3→s3)]
Can the microwave cook with the door open?
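As an added example (not code from the slides), the microwave Kripke structure encoded as (S, S0, R, L) and an exhaustive search of its reachable states that answers the slide's question; the search also returns a counterexample path when an invariant fails, shown on a constructed mis-wired variant with an extra state s5 that is not part of the slide's model.

```python
from collections import deque

# The microwave Kripke structure (S, S0, R, L) exactly as the slide gives it.
S = {"s1", "s2", "s3", "s4"}
S0 = {"s1"}
R = {("s1", "s2"), ("s2", "s1"), ("s1", "s4"), ("s4", "s2"),
     ("s2", "s3"), ("s3", "s2"), ("s3", "s3")}
# L lists the atomic propositions true in a state; a proposition missing from
# the label is false there (the slide writes that as -close, -start, -cooking).
L = {"s1": set(), "s2": {"close"}, "s3": {"close", "start", "cooking"}, "s4": {"start"}}

def explore(S0, R):
    """Breadth-first search of R from S0. Returns a parent map whose keys are
    exactly the reachable states (initial states map to None)."""
    parent = {s: None for s in S0}
    work = deque(sorted(S0))
    while work:
        s = work.popleft()
        for t in sorted(b for (a, b) in R if a == s):
            if t not in parent:
                parent[t] = s
                work.append(t)
    return parent

def path_to(parent, s):
    path = []  # rebuild the finite path from an initial state to s
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]

def check_invariant(state_formula, S0=S0, R=R, L=L):
    """Check that a state formula (a predicate on a label set, as on the
    'Properties over states' slide) holds in every reachable state.
    Returns (True, None), or (False, path) ending in the first violating state."""
    parent = explore(S0, R)
    for s in sorted(parent):
        if not state_formula(L[s]):
            return False, path_to(parent, s)
    return True, None

def safe(ap):
    return not ("close" not in ap and "cooking" in ap)  # negation of (not close and cooking)

if __name__ == "__main__":
    print(check_invariant(safe))  # (True, None): it never cooks with the door open
    # Constructed mis-wired variant: start with the door open (s4) can reach s5, which cooks.
    R_bad = R | {("s4", "s5")}
    L_bad = {**L, "s5": {"start", "cooking"}}
    print(check_invariant(safe, R=R_bad, L=L_bad))  # (False, ['s1', 's4', 's5'])
```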
Kripke structures describe computations
A Kripke structure can describe an infinite process
- We can interpret it as an infinite tree
[Figure: the microwave Kripke structure unrolled into its computation tree from s1: s1 → {s2, s4}, s2 → {s1, s3}, s4 → {s2}, s3 → {s2, s3}, and so on forever]
- We need a language to describe properties of paths down the computation tree
Linear Temporal Logic
Let π be a sequence of states in a path down the tree
- π := s0, s1, s2, ...
- Let π^i be the subsequence (suffix) starting at i
We are going to define a logic to describe properties over paths
Properties over states
State formulas
- Can be established as true or false on a given state
- If p ∈ AP then p is a state formula
- If f and g are state formulas, so are (f and g), (not f), (f or g)
- Ex. (not closed and cooking)
For paths
Path formulas
- a state formula p is also a path formula: p(π^i) := p(s_i)
- boolean operations on path formulas are path formulas: (f and g)(π^i) := f(π^i) and g(π^i)
- path quantifiers:
  G f (π^i) := globally f (π^i) = forall k ≥ i. f(π^k)  (may abbreviate as □ f)
  F f (π^i) := eventually f (π^i) = exists k ≥ i. f(π^k)  (may abbreviate as ◇ f)
  X f (π^i) := next f (π^i) = f(π^(i+1))  (may abbreviate as ○ f)
  f U g (π^i) := f until g = exists k ≥ i s.t. g(π^k) and f(π^j) for i ≤ j < k
Given a formula f and a path π,
- if f(π) is true, we say that π ⊨ f
Examples
If you submit your homework (submit) you eventually get a grade back (grade)
- G (submit ⇒ F grade)
You should get your grade before you submit the next homework
- G (submit ⇒ X (¬submit U grade))
What's wrong with G (submit ⇒ (¬submit U grade))?
If assignment i was submitted before the drop date, you should get your grade before the drop date
- G submit_i F dropdate ( G grade_i F dropdate )
- and G (submit ⇒ F grade)
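As an added example (not code from the slides), the path-formula definitions from the "For paths" slide implemented on eventually periodic paths (a finite prefix plus a loop, which is how paths of a finite Kripke structure are usually represented), then evaluated on the homework formulas above, including the flawed variant the slide asks about; the tuple encoding of formulas and the three traces are constructed here.

```python
# A path is an infinite sequence of states; each state is the set of atomic
# propositions true in it, so pi.state(i) plays the role of s_i on the slide.
class Lasso:
    """Infinite path s_0 s_1 ... given as a finite prefix followed by a loop that repeats forever."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty for the path to be infinite"
        self.prefix, self.loop = list(prefix), list(loop)
    def state(self, i):
        n = len(self.prefix)
        return self.prefix[i] if i < n else self.loop[(i - n) % len(self.loop)]
    def horizon(self, i):
        # Positions past the prefix repeat with period len(loop), so every suffix
        # pi^k with k >= i coincides with one whose k lies below this bound.
        return max(i, len(self.prefix)) + len(self.loop)

# Formulas are nested tuples: ("ap", p), ("not", f), ("and", f, g), ("or", f, g),
# ("implies", f, g), ("G", f), ("F", f), ("X", f), ("U", f, g).
def holds(f, pi, i=0):
    """Evaluate path formula f on the suffix pi^i using the slide's definitions."""
    op = f[0]
    if op == "ap":      return f[1] in pi.state(i)              # p(pi^i) := p(s_i)
    if op == "not":     return not holds(f[1], pi, i)
    if op == "and":     return holds(f[1], pi, i) and holds(f[2], pi, i)
    if op == "or":      return holds(f[1], pi, i) or holds(f[2], pi, i)
    if op == "implies": return (not holds(f[1], pi, i)) or holds(f[2], pi, i)
    if op == "X":       return holds(f[1], pi, i + 1)           # f(pi^(i+1))
    ks = range(i, pi.horizon(i))                                # all k >= i that matter
    if op == "G":       return all(holds(f[1], pi, k) for k in ks)
    if op == "F":       return any(holds(f[1], pi, k) for k in ks)
    if op == "U":       # exists k >= i: g(pi^k) and f(pi^j) for all i <= j < k
        return any(holds(f[2], pi, k) and all(holds(f[1], pi, j) for j in range(i, k))
                   for k in ks)
    raise ValueError(f"unknown operator {op!r}")

SUBMIT, GRADE = ("ap", "submit"), ("ap", "grade")
# G (submit => F grade)
EVENTUALLY_GRADED = ("G", ("implies", SUBMIT, ("F", GRADE)))
# G (submit => X (not submit U grade))
GRADE_BEFORE_NEXT = ("G", ("implies", SUBMIT, ("X", ("U", ("not", SUBMIT), GRADE))))
# G (submit => (not submit U grade)), the variant the slide asks about
FLAWED = ("G", ("implies", SUBMIT, ("U", ("not", SUBMIT), GRADE)))

# Constructed traces: submit, wait, graded, submit, graded, then idle forever ...
GOOD = Lasso([{"submit"}, set(), {"grade"}, {"submit"}, {"grade"}], [set()])
# ... two submissions before any grade ...
HASTY = Lasso([{"submit"}, {"submit"}, {"grade"}], [set()])
# ... and a grade handed back in the very state the work is submitted.
INSTANT = Lasso([{"submit", "grade"}], [set()])
```

Running `holds(FLAWED, GOOD)` gives False while `holds(FLAWED, INSTANT)` gives True: because submit holds in the state where the until starts, ¬submit U grade can only be satisfied with k = i, i.e. the flawed formula demands the grade in the same state as the submission.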
MIT OpenCourseWare
http://ocw.mit.edu
6.820 Fundamentals of Program Analysis, Fall 2015
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.