Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Similar documents
Computation Tree Logic (CTL) & Basic Model Checking Algorithms

The State Explosion Problem

Finite-State Model Checking

Model Checking: An Introduction

Model for reactive systems/software

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Alan Bundy. Automated Reasoning LTL Model Checking

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Automata-Theoretic Model Checking of Reactive Systems

Algorithmic verification

Chapter 4: Computation tree logic

Chapter 6: Computation Tree Logic

Model Checking. Boris Feigin March 9, University College London

Abstractions and Decision Procedures for Effective Software Model Checking

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

FAIRNESS FOR INFINITE STATE SYSTEMS

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Reasoning about Time and Reliability

An Introduction to Temporal Logics

LTL and CTL. Lecture Notes by Dhananjay Raju

ESE601: Hybrid Systems. Introduction to verification

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Lecture 16: Computation Tree Logic (CTL)

PSL Model Checking and Run-time Verification via Testers

Formal Verification of Mobile Network Protocols

Computational Logic and the Quest for Greater Automation

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications

CS477 Formal Software Dev Methods

Verification Using Temporal Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

On simulations and bisimulations of general flow systems

An Introduction to Hybrid Systems Modeling

Computer Science and Logic A Match Made in Heaven

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Causality in Concurrent Systems

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Computation Tree Logic

Ranking Verification Counterexamples: An Invariant guided approach

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Course Runtime Verification

Computer-Aided Program Design

A Brief Introduction to Model Checking

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Benefits of Interval Temporal Logic for Specification of Concurrent Systems

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Modal and Temporal Logics

Final Exam /614 Bug Catching: Automated Program Verification Matt Fredrikson André Platzer. December 17, 2017

Automata-based Verification - III

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

A Hierarchy for Accellera s Property Specification Language

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Reasoning about Equilibria in Game-like Concurrent Systems

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Topics in Verification AZADEH FARZAN FALL 2017

IC3 and Beyond: Incremental, Inductive Verification

Linear Temporal Logic (LTL)

Reasoning about Strategies: From module checking to strategy logic

Model checking the basic modalities of CTL with Description Logic

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

COMP3151/9151 Foundations of Concurrency Lecture 4

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Timo Latvala. March 7, 2004

Automata-based Verification - III

- Introduction to propositional, predicate and higher order logics

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Peter Wood. Department of Computer Science and Information Systems Birkbeck, University of London Automata and Formal Languages

Automata Theory and Formal Grammars: Lecture 1

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

Software Verification

Logic Model Checking

Slicing Petri Nets. Astrid Rakow. Department für Informatik, Univeristät Oldenburg

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Neighborhood Semantics for Modal Logic Lecture 5

Lecture 4: Proposition, Connectives and Truth Tables

Let s now begin to formalize our analysis of sequential machines Powerful methods for designing machines for System control Pattern recognition Etc.

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL Specifications

Compositional Reasoning

Part I. Principles and Techniques

Chapter 5: Linear Temporal Logic

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Hidden Markov Models, I. Examples. Steven R. Dunbar. Toy Models. Standard Mathematical Models. Realistic Hidden Markov Models.

Towards Inference and Learning in Dynamic Bayesian Networks using Generalized Evidence

Deterministic Finite Automata. Non deterministic finite automata. Non-Deterministic Finite Automata (NFA) Non-Deterministic Finite Automata (NFA)

Valentin Goranko Stockholm University. ESSLLI 2018 August 6-10, of 29

Transcription:

Formal Verification Lecture 1: Introduction to Model Checking and Temporal Logic¹ Jacques Fleuriot jdf@inf.ed.ac.uk ¹Acknowledgement: Adapted from original material by Paul Jackson, including some additions by Bob Atkey.

Formal Verification (in a nutshell) Create a formal model of some system of interest Hardware Communication protocol Software, esp. concurrent software

Formal Verification (in a nutshell) Create a formal model of some system of interest Hardware Communication protocol Software, esp. concurrent software Describe formally a specification that we desire the model to satisfy

Formal Verification (in a nutshell) Create a formal model of some system of interest Hardware Communication protocol Software, esp. concurrent software Describe formally a specification that we desire the model to satisfy Check the model satisfies the specification theorem proving (usually interactive but not necessarily) Model checking

Introduction to Model Checking Specifications as Formulas, Programs as Models Programs are abstracted as Finite State Machines Formulas are in Temporal Logic

Interpretation = Formula The relationship between interpretations M and formulas ϕ: M = ϕ We say M models ϕ. Questions we can ask:

Interpretation = Formula The relationship between interpretations M and formulas ϕ: M = ϕ We say M models ϕ. Questions we can ask: 1. For a fixed ϕ, is M = ϕ true for all M? Validity of ϕ This can be done via proof in a theorem prover e.g. Isabelle.

Interpretation = Formula The relationship between interpretations M and formulas ϕ: M = ϕ We say M models ϕ. Questions we can ask: 1. For a fixed ϕ, is M = ϕ true for all M? Validity of ϕ This can be done via proof in a theorem prover e.g. Isabelle. 2. For a fixed ϕ, is M = ϕ true for some M? Satisfiability

Interpretation = Formula The relationship between interpretations M and formulas ϕ: M = ϕ We say M models ϕ. Questions we can ask: 1. For a fixed ϕ, is M = ϕ true for all M? Validity of ϕ This can be done via proof in a theorem prover e.g. Isabelle. 2. For a fixed ϕ, is M = ϕ true for some M? Satisfiability 3. For a fixed (class of) M, what ϕs make M = ϕ true? Theory discovery / Learning from Data / Generalisation Not in this course

Interpretation = Formula The relationship between interpretations M and formulas ϕ: M = ϕ We say M models ϕ. Questions we can ask: 1. For a fixed ϕ, is M = ϕ true for all M? Validity of ϕ This can be done via proof in a theorem prover e.g. Isabelle. 2. For a fixed ϕ, is M = ϕ true for some M? Satisfiability 3. For a fixed (class of) M, what ϕs make M = ϕ true? Theory discovery / Learning from Data / Generalisation Not in this course 4. For a fixed M and P, is it the case that M = ϕ? Model Checking

Model Checking At a high level, many tasks can be rephrased as model checking. Interpretations M = Formulas ϕ Task sequences of tokens = grammars parsing database tables = SQL queries query execution email texts = spam rules spam detection sequences of letters = dictionary spellchecking audio data = acoustic/lang. model speech recognition finite state machines = temporal logic specification checking Details differ widely, but question of is this data consistent with this statement? (and to what degree?) is extremely common. Historically, Model Checking usually refers to the last one. This is the one we will cover over the next few lectures.

Uses of Model Checking Model Checking has been used to: Check Microsoft Windows device drivers for bugs The Static Driver Verifier tool The SPIN tool (http://spinroot.com): http://spinroot.com/spin/success.html Flood control barrier control software Call processing software at Lucent Parts of Mars Science Laboratory, Deep Space 1, Cassini, the Mars Exploration Rovers, Deep Impact PEPA (Performance Evaluation Process Algebra) http://www.dcs.ed.ac.uk/pepa/ Multiprocessor systems Biological systems

Model Checking Models A model of some system has: A finite set of states A subset of states considered as the initial states A transition relation which, given a state, describes all states that can be reached in one time step. Good for Software, sequential and concurrent Digital hardware Communication protocols Refinements of this setup can handle: Infinite state spaces, Continuous state spaces, Continuous time, Probabilistic Transitions. Good for hybrid (i.e., discrete and continuous) and control systems.

Model Checking Models Models are always abstractions of reality.

Model Checking Models Models are always abstractions of reality. We must choose what to model and what not to model

Model Checking Models Models are always abstractions of reality. We must choose what to model and what not to model There will limitations forced by the formalism e.g., here we are limited to finite state models

Model Checking Models Models are always abstractions of reality. We must choose what to model and what not to model There will limitations forced by the formalism e.g., here we are limited to finite state models There will be things we do not understand sufficiently to model e.g., people

Model Checking Models Models are always abstractions of reality. We must choose what to model and what not to model There will limitations forced by the formalism e.g., here we are limited to finite state models There will be things we do not understand sufficiently to model e.g., people In the words of the The Cure s Pictures of You: I ve been looking so long at these pictures of you That I almost believe that they re real I ve been living so long with my pictures of you That I almost believe that the pictures are All I can feel

Model Checking Models Models are always abstractions of reality. We must choose what to model and what not to model There will limitations forced by the formalism e.g., here we are limited to finite state models There will be things we do not understand sufficiently to model e.g., people In the words of the The Cure s Pictures of You: I ve been looking so long at these pictures of you That I almost believe that they re real I ve been living so long with my pictures of you That I almost believe that the pictures are All I can feel Do not do this: the pictures are not real.

Model Checking Models La trahison des images by René Magritte taken from a University of Alabama site, Approaches to Modernism : http://www.tcf.ua.edu/classes/jbutler/t311/modernism.htm. Licensed under Fair use via Wikipedia - http://en.wikipedia.org/wiki/file: MagrittePipe.jpg#mediaviewer/File:MagrittePipe.jpg

Model Checking Specifications We are interested in specifying behaviours of systems over time. Use Temporal Logic

Model Checking Specifications We are interested in specifying behaviours of systems over time. Use Temporal Logic Specifications are built from: 1. Primitive properties of individual states e.g., is on, is off, is active, is reading ; 2. propositional connectives,,, ; 3. and temporal connectives: e.g., At all times, the system is not simultaneously reading and writing. If a request signal is asserted at some time, a corresponding grant signal will be asserted within 10 time units.

Model Checking Specifications We are interested in specifying behaviours of systems over time. Use Temporal Logic Specifications are built from: 1. Primitive properties of individual states e.g., is on, is off, is active, is reading ; 2. propositional connectives,,, ; 3. and temporal connectives: e.g., At all times, the system is not simultaneously reading and writing. If a request signal is asserted at some time, a corresponding grant signal will be asserted within 10 time units. The exact set of temporal connectives differs across temporal logics. Logics can differ in how they treat time: Linear time vs. Branching time These differ in reasoning about non-determinism.

Non-determinism In general, system descriptions are non-deterministic. A system is non-deterministic when, from some state there are multiple alternative next states to which the system could transition. Non-determinism is good for: Modelling alternative inputs to the system from its environment (External non-determinism) Under-specifying the model, allowing it to capture many possible system implementations (Internal non-determinism)

Linear vs. Branching Time Linear Time Considers paths (sequences of states) If system is non-deterministic, many paths for each initial state Questions of the form: For all paths, does some path property hold? Does there exist a path such that some path property holds?

Linear vs. Branching Time Linear Time Considers paths (sequences of states) If system is non-deterministic, many paths for each initial state Questions of the form: For all paths, does some path property hold? Does there exist a path such that some path property holds? Branching Time Considers tree of possible future states from each initial state If system is non-deterministic from some state, tree forks Questions can become more complex, e.g., For all states reachable from an initial state, does there exist an onwards path to a state satisfying some property? Most-basic branching-time logic (CTL) is complementary to most-basic linear-time logic (LTL) Richer branching-time logic (CTL ) incorporates CTL and LTL.

A Taste of LTL Syntax LTL = Linear(-time) Temporal Logic Assume some set Atom of atomic propositions Syntax of LTL formulas ϕ: ϕ ::= p ϕ ϕ ϕ ϕ ϕ ϕ ϕ Xϕ Fϕ Gϕ ϕuϕ where p Atom. Pronunciation: Xϕ next ϕ Fϕ Future ϕ Gϕ Globally ϕ ϕuψ ϕ Until ψ Other common connectives: W (weak until), R (release). Precedence high-to-low: (X, F, G, ), (U), (, ),

A Taste of LTL Informal Semantics LTL formulas are evaluated at a position i along a path π through the system (a path is a sequence of states connected by transitions) An atomic p holds if p is true for the state at position i. The propositional connectives,,, have their usual meanings. Meaning of LTL connectives: Xϕ holds if ϕ holds at the next position; Fϕ holds if there exists a future position where ϕ holds; Gϕ holds if, for all future positions, ϕ holds; ϕuψ holds if there is a future position where ψ holds, and ϕ holds for all positions prior to that. This will be made more formal in the next lecture.

A Taste of LTL Examples 1. G invariant invariant is true for all future positions

A Taste of LTL Examples 1. G invariant invariant is true for all future positions 2. G (read write) In all future positions, it is not the case that read and write

A Taste of LTL Examples 1. G invariant invariant is true for all future positions 2. G (read write) In all future positions, it is not the case that read and write 3. G(request Fgrant) At every position in the future, a request implies that there exists a future point where grant holds.

A Taste of LTL Examples 1. G invariant invariant is true for all future positions 2. G (read write) In all future positions, it is not the case that read and write 3. G(request Fgrant) At every position in the future, a request implies that there exists a future point where grant holds. 4. G(request (request U grant)) At every position in the future, a request implies that there exists a future point where grant holds, and request holds up until that point.

A Taste of LTL Examples 1. G invariant invariant is true for all future positions 2. G (read write) In all future positions, it is not the case that read and write 3. G(request Fgrant) At every position in the future, a request implies that there exists a future point where grant holds. 4. G(request (request U grant)) At every position in the future, a request implies that there exists a future point where grant holds, and request holds up until that point. 5. G F enabled In all future positions, there is a future position where enabled holds.

A Taste of LTL Examples 1. G invariant invariant is true for all future positions 2. G (read write) In all future positions, it is not the case that read and write 3. G(request Fgrant) At every position in the future, a request implies that there exists a future point where grant holds. 4. G(request (request U grant)) At every position in the future, a request implies that there exists a future point where grant holds, and request holds up until that point. 5. G F enabled In all future positions, there is a future position where enabled holds. 6. F G enabled There is a future position, from which all future positions have enabled holding.

Summary Introduction to Model Checking (H&R 3.1, 3.2) The Model Checking problem Informal introduction to LTL Next time: Formal introduction to LTL.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback