Introduction to Formal Verification: Is the system correct?
Aniello Murano
Università degli studi di Napoli Federico II, Dipartimento di Scienze Fisiche, Sezione di Informatica
22 May 2006

Design Complexity: Measuring SW Complexity
Source Lines of Code (SLOC) measures how many lines (statements) a program has and is a useful measure of software complexity.
Some SLOC estimates:
NASA Space Shuttle flight control: 420 thousand (shuttle) + 1.4 million (ground)
Sun Solaris (1999-2000): 7-8 million
Microsoft Windows 3.1 (1992): 3 million
Microsoft Windows 95: 15 million
Microsoft Windows 98: 18 million
Microsoft Windows 2000: 20 million
Microsoft Windows XP (2002): 40 million
Red Hat Linux 6.2 (2000): 20 million
Red Hat Linux 7.1 (2001): 30 million
Exponential growth: a doubling of transistors every couple of years.
Sources: D. Wheeler, More Than a Gigabuck: Estimating GNU/Linux's Size, http://www.dwheeler.com/sloc/; Wikipedia (wikipedia.org).
System Failure
What a system failure costs: safety, money, the system release, market reputation.
Notable examples of system failure:
In June 1996 the Ariane 5 rocket exploded 40 seconds after take-off because of a software failure. Cost: $400 million.
Mars Polar Lander, December 3, 1999: crashed due to an uninitialized variable.
Bugs Breakdown
Pentium Bug: the Intel Pentium chip, released in 1994, produced errors in floating point division. Cost: $475 million.
Therac-25 Accident: a software failure caused wrong dosages of X-rays. Cost: human loss.
Systems are unreliable.

Checking System Correctness
Interactive theorem proving: formulate system correctness as a theorem in a suitable logic. Requires manual proofs; may require checking several cases.
Testing: run the system on selected inputs. May require testing a large amount of data; used only at an advanced phase of the project.
Another Approach: Formal Verification
Formal verification maps
the system to a mathematical model M,
the desired behavior to a formal specification ψ,
correctness to a formal technique to check that M meets ψ.
Advantages: it applies to system models, so it can be used at a very early stage of the project, and it is based on robust mathematical theories.
System analysis relies on the solution of some decision problems: reachability; automata emptiness and containment; satisfiability of logic formulas; model checking.

Outline of the talk
Model Checking: discrete system model; temporal logics (LTL, CTL, CTL*); satisfiability of temporal logic formulas; the automata-theoretic approach to solving the model checking and satisfiability problems; automata on infinite objects.
Module Checking: discrete module; temporal logics; module checking and games.

Model Checking
Let S be a finite-state system and P its desired behavior.
S is modelled as a labelled state-transition graph (automaton) M; P is written as a temporal logic formula ψ.
The system has the required behavior iff M satisfies ψ (M ⊨ ψ).
An example: a scheduler should be designed so that jobs of two users are not printed simultaneously, and whenever a user sends a job, the job is printed eventually.
Build a mathematical model of the system: what are the possible behaviors?
Write the correctness requirements in a specification language: what are the desirable behaviors?
Model checking: (automatically) check that the model satisfies the specification.
An Automata-theoretic Approach to System Verification [Vardi and Wolper]
Let A describe the system S. Let ψ describe the specification of S, and let B_ψ accept the computations that violate ψ.
S is correct with respect to ψ iff L(A) ∩ L(B_ψ) = ∅.
What we need: an efficient system specification; efficient automata closed under intersection; an efficiently decidable emptiness problem.

Decision Problems in Formal Verification
The system verifier takes a system model (discrete automata, timed automata, automata on infinite objects) and the requirements (automata, temporal logic, real-time temporal logic), and answers Yes or No by solving a model checking, games, module checking or satisfiability problem. The automata-theoretic approach is the common tool.

Finite Automata on Finite Words
A = <Σ, Q, Q_0, δ, F> with F ⊆ Q.
A run r of A on a finite word σ is a finite sequence of states. A accepts a word σ if there exists a run r of A on σ ending in a final state.
Example (states q1, q2): A accepts the language of the regular expression ε + (· + ·)*.

Finite Automata on Infinite Words
A = <Σ, Q, Q_0, δ, F>, where F may (or may not) be a subset of Q.
A run r on an ω-word σ is an ω-sequence of states. A run r is accepting if the set of states occurring infinitely many times in r, Inf(r), satisfies F.
Büchi condition: F is a set of final states (F ⊆ Q) and a run is accepting if Inf(r) ∩ F ≠ ∅.
Example: as a Büchi automaton, A accepts the ω-language (·*·)^ω.
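The approach on these slides, worked through in code: an added example (not from the original slides) that model-checks the two-user printer scheduler of the Model Checking slide against mutual exclusion and "every job is eventually printed". The scheduler is a labelled state-transition graph, each property is negated and written as a Büchi automaton accepting the violating computations, and the emptiness of the product is decided by a nested depth-first search for a reachable accepting cycle. The two scheduler variants (an unfair one and one with an alternating turn), the proposition names req1/print1/req2/print2 and all function names are assumptions of the example.

```python
"""Automata-theoretic model checking (Vardi-Wolper): the system S is a
Kripke structure, the violations of the specification psi are accepted by a
Buchi automaton B, and S satisfies psi iff the product S x B has no
reachable cycle through an accepting automaton state.  The emptiness test
is the nested DFS of Courcoubetis, Vardi, Wolper and Yannakakis.
Constructed example: the two-user printer scheduler of the slides; the
fair/unfair variants and the proposition names are assumptions."""


def scheduler_successors(state, fair):
    """state = (phase_user1, phase_user2, turn), phases idle/req/print.
    One user moves per step.  A user may print only if the other is not
    printing; with fair=True and both waiting, only the user whose turn
    it is may start printing, and the turn flips after every print."""
    p1, p2, turn = state
    succ = set()
    for u in (0, 1):
        me, other = (p1, p2) if u == 0 else (p2, p1)
        if me == "idle":
            nxt = "req"                                  # a job arrives
        elif me == "req" and other != "print" and (
                not fair or other != "req" or turn == u):
            nxt = "print"
        elif me == "print":
            nxt = "idle"                                 # job finished
        else:
            continue                                     # user is blocked
        new_turn = 1 - u if (fair and nxt == "print") else turn
        succ.add((nxt, p2, new_turn) if u == 0 else (p1, nxt, new_turn))
    return succ


def label(state):
    """Atomic propositions true in a state, e.g. {"req1", "idle2"}."""
    p1, p2, _ = state
    return {p1 + "1", p2 + "2"}


# Buchi automata (initial states, transitions (src, guard, dst), accepting)
# accepting exactly the computations that VIOLATE the specification.
# not G(req1 -> F print1)  ==  F(req1 & G not print1): user 1 starves.
STARVATION = ({0},
              [(0, lambda l: True, 0),
               (0, lambda l: "req1" in l and "print1" not in l, 1),
               (1, lambda l: "print1" not in l, 1)],
              {1})
# not G not(print1 & print2)  ==  F(print1 & print2): both print at once.
COLLISION = ({0},
             [(0, lambda l: True, 0),
              (0, lambda l: {"print1", "print2"} <= l, 1),
              (1, lambda l: True, 1)],
             {1})


def find_accepting_lasso(inits, succ, accepting):
    """Nested DFS: return a path ending in a cycle through an accepting
    state (the counterexample), or None if the language is empty."""
    outer_seen, inner_seen = set(), set()

    def inner(s, seed, path):                 # second DFS: close a cycle?
        for t in succ(s):
            if t == seed:
                return path + [t]
            if t not in inner_seen:
                inner_seen.add(t)
                found = inner(t, seed, path + [t])
                if found:
                    return found
        return None

    def outer(s, path):                       # first DFS, post-order seeds
        outer_seen.add(s)
        for t in succ(s):
            if t not in outer_seen:
                found = outer(t, path + [t])
                if found:
                    return found
        return inner(s, s, path) if accepting(s) else None

    for s0 in inits:
        if s0 not in outer_seen:
            found = outer(s0, [s0])
            if found:
                return found
    return None


def check_scheduler(fair, violation):
    """None if the scheduler satisfies the spec whose violations `violation`
    accepts, else a lasso (prefix + cycle) of product states (k, b)."""
    b_inits, trans, acc = violation
    k0 = ("idle", "idle", 0)

    def product_succ(ps):                     # product built on the fly
        k, b = ps
        lab = label(k)                        # automaton reads label(k)
        return {(k2, b2) for (b1, g, b2) in trans if b1 == b and g(lab)
                for k2 in scheduler_successors(k, fair)}

    return find_accepting_lasso([(k0, b) for b in b_inits], product_succ,
                                lambda ps: ps[1] in acc)


if __name__ == "__main__":
    for fair in (False, True):
        for name, spec in (("no starvation", STARVATION), ("no collision", COLLISION)):
            lasso = check_scheduler(fair, spec)
            print(f"fair={fair}: {name}:", "holds" if lasso is None else f"VIOLATED {lasso}")
```

The unfair scheduler produces a lasso in which user 2 cycles req/print/idle while user 1 stays in req forever, so G(req1 → F print1) fails; the alternating-turn variant satisfies both properties. The product is never materialised: successors are generated on demand, which is what keeps the intersection L(A) ∩ L(B_ψ) affordable in explicit-state checkers.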
Automata on Infinite Trees
An infinite (binary) tree is a function t : {0,1}* → Σ. The elements of {0,1}* are the nodes; the empty word ε is the root, with children 0 and 1 and grandchildren 00, 01, 10, 11.
Tree Automata: A = <Σ, Q, Q_0, δ, F>, where δ is the transition relation on trees and F the acceptance condition.
A run of a tree automaton over a tree is also a tree, labelled with elements of Q in accordance with δ and with the root labelled by an initial state.
Example: δ(q_0, a) = {(q_1, q_3), (q_2, q_4)}, with a ∈ Σ the label of the root of t. In the run r(t) the root is labelled q_0 and its two children are labelled either q_1 and q_3 or q_2 and q_4.
A tree t is accepted by A if there exists a run r(t) of A on t such that all paths π of r(t) satisfy F infinitely often.
L(A): the language accepted by A.

Temporal Logic
The requirements side of the diagram above: the system model (discrete or timed automata) is analysed (model checking, games, module checking, satisfiability) against requirements written as automata, temporal logic or real-time temporal logic.
Temporal Logic
Correctness requirements for open (reactive) systems. Mostly used:
LTL (Linear Temporal Logic) [Pnueli 1977]
CTL (Branching Temporal Logic) [Emerson and Clarke 1982]
CTL* (Full Branching Temporal Logic) [Emerson and Halpern 1986]

Linear Temporal Logic (LTL)
A logical notation that allows one to specify relations in time and to conveniently express finite control properties.
Syntax: φ := p | ¬φ | φ ∧ φ | φ ∨ φ | Xφ | Fφ | Gφ | φ U φ
Temporal operators: Xp (p at the next time), Fp (eventually p), Gp (henceforth p), p U q (p until q).
Semantics along a computation:
G p:   p p p p p ...
X p:   . p . . . ...
p U q: p p p q . ...

Types of temporal properties
Safety (nothing bad happens): G ¬(ack1 ∧ ack2) (mutual exclusion); G (req U ack) (req must hold until ack).
Liveness (something good happens): G (req → F ack) (if req, eventually ack).
Fairness: GF req → GF ack (if req holds infinitely often, ack holds infinitely often).

A branching time temporal logic: CTL [Emerson and Clarke 1982]
Syntax: φ := p | ¬φ | φ ∧ φ | EXφ | AXφ | E(φ U φ) | A(φ U φ), where p is an atomic proposition.
Semantics: with respect to a 2^AP-labelled tree T.
Example: E(p U q).
Some abbreviations: Fp = True U p; Gp = ¬F¬p; EFp = E(True U p); AGp = ¬EF¬p.
Example: traffic light controller
Specifications for an intersection with directions N, S and E:
Safety (guarantee no collisions): G ¬(E_Go ∧ (N_Go ∨ S_Go))
Liveness (guarantee eventual service):
G (¬N_Go ∧ N_Green → F N_Go)
G (¬S_Go ∧ S_Green → F S_Go)
G (¬E_Go ∧ E_Green → F E_Go)

Decision problems in Temporal Logics
Satisfiability: given a CTL formula φ, is there a tree satisfying φ?
Examples: p U q is satisfiable; G(p ∧ ¬p) is not satisfiable.
Given a CTL formula φ, it is possible to build a Büchi tree automaton (BTA) A_φ (a generator for CTL) with O(2^|φ|) states accepting all infinite trees that satisfy φ [Vardi and Wolper 1986].
A CTL formula φ is satisfiable iff L(A_φ) ≠ ∅.
The emptiness problem for BTA is LOGSPACE-complete for PTIME [Vardi and Wolper 1986], so the satisfiability problem can be solved in exponential time.

Decision Problems Using Automata: Model Checking
Given a system S and a specification φ, using a tree t as a model of S, we determine whether t satisfies φ (t ⊨ φ).
Automata-theoretic approach: using an automaton A_S as a model of S and an automaton A_¬φ for the complement of φ (the trees that violate φ), S is correct with respect to φ iff L(A_S) ∩ L(A_¬φ) = ∅.
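The traffic-light specifications, checked mechanically: an added example (not from the original slides) implementing CTL model checking by fixpoint labelling over a small Kripke structure for the controller, in the style of the linear-time algorithm of Clarke, Emerson and Sistla. The controller states, the buggy variant in which the east phase can hold forever, and the simplification that drops the *_Green request propositions (every direction is assumed to always have waiting traffic, so the liveness formula becomes AG(¬N_Go → AF N_Go)) are assumptions of the example; the slide's G and F are read as the CTL AG and AF.

```python
"""CTL model checking by fixpoint labelling: sat(f) computes the set of
states satisfying f bottom-up over the CTL core (ap, not, and, or, EX,
E(f U g), EG); AX, EF, AF, AG are abbreviations.  Constructed example: a
traffic-light controller cycling NS-green -> all-red -> E-green -> all-red.
The state names, labels and the 'stuck east phase' bug are assumptions."""


def ap(name): return ("ap", name)
def neg(f): return ("not", f)
def conj(f, g): return ("and", f, g)
def disj(f, g): return ("or", f, g)
def implies(f, g): return disj(neg(f), g)
def EX(f): return ("EX", f)
def EU(f, g): return ("EU", f, g)
def EG(f): return ("EG", f)
TRUE = ("true",)
def EF(f): return EU(TRUE, f)                 # some path eventually f
def AF(f): return neg(EG(neg(f)))             # every path eventually f
def AG(f): return neg(EF(neg(f)))             # every path always f
def AX(f): return neg(EX(neg(f)))


def pre(K, target):
    """States with at least one successor in `target` (i.e. EX target)."""
    states, succ, _ = K
    return {s for s in states if succ[s] & target}


def sat(K, f):
    """Set of states of K = (states, successors, labels) satisfying f.
    Requires a total transition relation (every state has a successor)."""
    states, succ, labels = K
    kind = f[0]
    if kind == "true":
        return set(states)
    if kind == "ap":
        return {s for s in states if f[1] in labels[s]}
    if kind == "not":
        return set(states) - sat(K, f[1])
    if kind == "and":
        return sat(K, f[1]) & sat(K, f[2])
    if kind == "or":
        return sat(K, f[1]) | sat(K, f[2])
    if kind == "EX":
        return pre(K, sat(K, f[1]))
    if kind == "EU":                          # least fixpoint Z = g | (f & EX Z)
        sf, sg, z = sat(K, f[1]), sat(K, f[2]), set()
        while True:
            new = sg | (sf & pre(K, z))
            if new == z:
                return z
            z = new
    if kind == "EG":                          # greatest fixpoint Z = f & EX Z
        z = sat(K, f[1])
        while True:
            new = z & pre(K, z)
            if new == z:
                return z
            z = new
    raise ValueError(f"unknown operator {kind}")


def holds(K, init, f):
    """Model checking: does the initial state of K satisfy f?"""
    return init in sat(K, f)


# Constructed controller: ns_go -> red_a -> e_go -> red_b -> ns_go -> ...
STATES = ("ns_go", "red_a", "e_go", "red_b")
LABELS = {"ns_go": {"N_Go", "S_Go"}, "red_a": set(),
          "e_go": {"E_Go"}, "red_b": set()}
GOOD = (STATES,
        {"ns_go": {"red_a"}, "red_a": {"e_go"}, "e_go": {"red_b"}, "red_b": {"ns_go"}},
        LABELS)
# Buggy variant: the east phase may hold forever (its timer never expires).
STUCK = (STATES,
         {"ns_go": {"red_a"}, "red_a": {"e_go"}, "e_go": {"red_b", "e_go"}, "red_b": {"ns_go"}},
         LABELS)

# The slide's specifications as CTL (request propositions dropped).
SAFETY = AG(neg(conj(ap("E_Go"), disj(ap("N_Go"), ap("S_Go")))))
LIVENESS_N = AG(implies(neg(ap("N_Go")), AF(ap("N_Go"))))

if __name__ == "__main__":
    for name, K in (("good", GOOD), ("stuck", STUCK)):
        print(name, "safety:", holds(K, "ns_go", SAFETY),
              "liveness:", holds(K, "ns_go", LIVENESS_N),
              "states where AF N_Go fails:",
              sorted(set(STATES) - sat(K, AF(ap("N_Go")))))
```

Both controllers are safe, but on the stuck variant the greatest fixpoint for EG ¬N_Go stabilises at {red_a, e_go}, so AF N_Go fails there and the liveness property is false in the initial state; the set difference printed at the end is the diagnostic a practitioner wants, not just the yes/no answer.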
Complexity Results

                  LTL                   CTL                   CTL*
Model checking    PSPACE-complete [1]   linear time [3]       PSPACE-complete [2]
Satisfiability    PSPACE-complete [1]   EXPTIME-complete      2EXPTIME-complete [4,5]

References:
[1] Sistla and Clarke 1984
[2] Emerson and Lei 1985
[3] Clarke, Emerson, and Sistla 1986
[4] Emerson and Sistla 1984
[5] Emerson and Jutla 1988