MODEL CHECKING. Arie Gurfinkel

Similar documents
CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model Checking with CTL. Presented by Jason Simas

Model Checking: An Introduction

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

3-Valued Abstraction-Refinement

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Model for reactive systems/software

Lecture 16: Computation Tree Logic (CTL)

Abstractions and Decision Procedures for Effective Software Model Checking

Model checking the basic modalities of CTL with Description Logic

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Lecture 2: Symbolic Model Checking With SAT

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Computation Tree Logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Overview. overview / 357

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Finite-State Model Checking

Chapter 6: Computation Tree Logic

Temporal Logic Model Checking

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Chapter 4: Computation tree logic

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Alan Bundy. Automated Reasoning LTL Model Checking

Computation Tree Logic

Model Checking. Boris Feigin March 9, University College London

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Linear Temporal Logic and Büchi Automata

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Computation Tree Logic

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

CS357: CTL Model Checking (two lectures worth) David Dill

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Formal Verification of Mobile Network Protocols

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

The State Explosion Problem

Verification Using Temporal Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

A Brief Introduction to Model Checking

Modal and Temporal Logics

Computation Tree Logic (CTL)

FAIRNESS FOR INFINITE STATE SYSTEMS

Computer Aided Verification

Linear-time Temporal Logic

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Automata-Theoretic Model Checking of Reactive Systems

Algorithmic verification

Testing with model checkers: A survey

Topics in Verification AZADEH FARZAN FALL 2017

Computer-Aided Program Design

CTL Model Checking. Wishnu Prasetya.

Linear-Time Logic. Hao Zheng

Timo Latvala. February 4, 2004

Part I. Principles and Techniques

Model Checking & Program Analysis

ESE601: Hybrid Systems. Introduction to verification

An Introduction to Temporal Logics

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Automata-based Verification - III

Lecture Notes on Software Model Checking

Exploiting resolution proofs to speed up LTL vacuity detection for BMC

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

SAT in Formal Hardware Verification

Automata-based Verification - III

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

LTL and CTL. Lecture Notes by Dhananjay Raju

Chapter 5: Linear Temporal Logic

Revising Specifications with CTL Properties using Bounded Model Checking

SAT-Based Explicit LTL Reasoning

T Reactive Systems: Temporal Logic LTL

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Theorem Proving beyond Deduction

Modelling and Analysing Variability in Product Families

State-Space Exploration. Stavros Tripakis University of California, Berkeley

A Symbolic Approach to Safety LTL Synthesis

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Counterexample-Guided Abstraction Refinement

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

Bounded Model Checking

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Description Logics. Deduction in Propositional Logic. franconi. Enrico Franconi

Introduction to Model Checking

Model checking for LTL (= satisfiability over a finite-state program)

Binary Decision Diagrams and Symbolic Model Checking

Model Checking Algorithms

Reasoning about Strategies: From module checking to strategy logic

Course Runtime Verification

Transcription:

1 MODEL CHECKING Arie Gurfinkel

2 Overview Kripke structures as models of computation CTL, LTL and property patterns CTL model-checking and counterexample generation State of the Art Model-Checkers

3 SW/HW Artifact Correct? Correctness properties Model Extraction Translation Abstraction Finite Model Temporal logic Model Checker Yes/No + Counter-example

4 Models: KripkeStructures Conventional state machines K = (V, S, s 0, I, R) V is a (finite) set of atomic propositions Sis a (finite) set of states s 0 Sis a start state I: S 2 V is a labelling function that maps each state to the set of propositional variables that hold in it That is, I(S) is a set of interpretations specifying which propositions are true in each state R S S is a transition relation s 0 s 2 req req, busy busy s 1 s 3

5 Propositional Variables Fixed set of atomic propositions, e.g, {p, q, r} Atomic descriptions of a system Printer is busy There are currently no requested jobs for the printer Conveyer belt is stopped Do not involve time!

6 Modal Logic Extends propositional logicwith modalities to qualify propositions it is raining rain it will rain tomorrow rain it is raining in all possible futures it might rain tomorrow rain it is raining in some possible futures Modal logic formulas are interpreted over a collection of possible worlds connected by an accessibility relation Temporal logic is a modal logic that adds temporal modalities: next, always, eventually, and until

7 Computation Tree Logic (CTL) CTL: Branching-time propositional temporal logic Model -a tree of computation paths S1 S2 S1 S2 S1 S3 S3 S2 S1 S3 S1 S3 S2 S1 S3 Kripke Structure Tree of computation

8 CTL: Computation Tree Logic Propositional temporal logic with explicit quantification over possible futures Syntax: True and False are CTL formulas; propositional variables are CTL formulas; If and ψare CTL formulae, then so are:, ψ, ψ EX : holds in some next state EF : along some path, holds in a future state E[U ψ] : along some path, holds until ψholds EG : along some path, holds in every state Universal quantification: AX, AF, A[U ψ], AG

9 Examples: EX and AX EX (exists next) AX (all next)

10 Examples: EG and AG EG (exists global) AG (all global)

11 Examples: EF and AF EF (exists future) AF (all future)

12 Examples: EU and AU E[U ψ](exists until) A[U ψ](all until)

13 CTL Examples Properties that hold: (AX busy)(s 0 ) (EG busy)(s 3 ) A (requbusy)(s 0 ) s 0 req req, busy s 1 E (requ busy) (s 1 ) AG (req AF busy) (s 0 ) Properties that fail: s 2 busy s 3 (AX(req busy))(s 3 )

14 Some Statements To Express An elevator can remain idle on the third floor with its doors closed EF (state=idle floor=3 doors=closed) When a request occurs, it will eventually be acknowledged AG (request AF acknowledge) A process is enabled infinitely often on every computation path AG AF enabled A process will eventually be permanently deadlocked AF AG deadlock Action sprecedes pafter q A[ qu (q A[ pu s])] Note: hard to do correctly. See later on helpful techniques

15 Semantics of CTL K,s means that formula is true in state s. Kis often omitted since we always talk about the same Kripke structure E.g., s p q π= π 0 π 1 is a path π 0 is the current state (root) π i+1 is a successor state ofπ i. Then, AX = π π 1 AG = π i π i AF = π i π i A[U ψ] = π i π i ψ j0 ji π j E[U ψ] = π i π i ψ j0 ji π j EX = π π 1 EG = π i π i EF = π i π i

16 Relationship Between CTL Operators AX= EX AF= EG EF= AG AF= A[true U ] EF= E[true U ] AG = AX AG EG = EX EG AF = AX AF EF = EX EF A [false U ] = E[false U ] = A[U ψ] = E[ ψu ( ψ)] EG ψ A[U ψ] = ψ ( AX A[U ψ]) E[U ψ] = ψ ( EX E[U ψ]) A[W ψ] = E[ ψu ( ψ)] (weak until) E[U ψ] = A[ ψw ( ψ)]

17 Adequate Sets Def.A set of connectives is adequate if all connectives can be expressed using it. e.g., {, } is adequate for propositional logic: a b= ( a b) Theorem.The set of operators {false,, } together with EX, EG, and EU is adequate for CTL e.g., AF (a AX b) = EG (a AX b) = EG ( a EX b) EU describes reachability EG non-termination (presence of infinite behaviours)

18 Universal and Existential CTL A CTL formula is in ACTL if it uses only universal temporal connectives (AX, AF, AU, AG) with negation applied to the level of atomic propositions Also called universal CTL formulas e.g.,a [pu AX q] ECTL: uses only existential temporal connectives (EX, EF, EU, EG) with negation applied to the level of atomic propositions Also called existential CTL formulas e.g.,e [pu EX q] CTL formulas not in ECTL ACTL are called mixed e.g.,e [pu AX q] and A [pu EX q]

19 Safety and Liveness Safety: Something bad will never happen AG bad e.g., mutual exclusion: no two processes are in their critical section at once Safety = if false then there is a finite counterexample Liveness: Something good will always happen AG AF good e.g., every request is eventually serviced Liveness = if false then there is an infinite counterexample Every universal temporal logic formula can be decomposed into a conjunction of safety and liveness

20 Linear Temporal Logic (LTL) For reasoning about complete traces through the system S1 S2 S1 S1 S2 S1 S2 S1 S2 S1 S2 S3 S3 S1 S2 S3 S3 S3 S1 S2 S3 S1 S2 S1 S2 S3 S3 S1 Allows to make statements about a trace

21 LTL Syntax If is an atomic propositional formula, it is a formula in LTL If and ψare LTL formulas, so are ψ, ψ,, U ψ(until), X (next), F(eventually), G (always) Interpretation: over computations π: ω 2 V which assigns truth values to the elements of Vat each time instant π X π G π F iff π 1 iff i π i iff i π i π U ψiff i π i ψ j0 ji π j Here, π i is the i thstate on a path

22 Properties of LTL X = X F = trueu G = F G = X G F = X F W ψ= G (U ψ) (weak until) A property holds in a model if it holds on every path starting from the initial state

23 Expressing Properties in LTL Good for safety (G ) and liveness (F) properties Express: When a request occurs, it will eventually be acknowledged G (request F acknowledge) Each path contains infinitely many q s G F q At most a finite number of states in each path satisfy q(or property q eventually stabilizes) F G q Action sprecedes pafter q [ qu (q [ pu s])] Note: hard to do correctly. See later on helpful techniques

24 Comparison between LTL and CTL Syntactically: LTL is simpler than CTL Semantically: incomparable! CTL formula AG EF (always can reach) is not expressible in LTL LTL formula F G (eventually always) is not expressible in CTL What about AF AG? Has different interpretation on the following state machine: AF AG is false F G is true The logic CTL* is a super-set of both CTL and LTL LTL and CTL coincide if the model has only one path!

25 Property Patterns: Motivation Temporal properties are not always easy to write or read e.g., G ((q r F r) (p ( r U (s r)) U r) Meaning: ptriggers sbetween q(e.g., end of system initialization) and r(start of system shutdown) Many properties are specifiable in both CTL and LTL e.g., Action qmust respond to action p: CTL: AG (p AF q) LTL: G (p F q) e.g., Action sprecedes pafter q CTL: A[ qu (q A[ pu s])] LTL: [ qu (q [ pu s])]

26 Pattern Hierarchy http://patterns.projects.cis.ksu.edu/ Specifying and reusing property specifications Absence: A condition does not occur within a scope Existence: A condition must occur within a scope Universality: A condition occurs throughout a scope Response: A condition must always be followed by another within a scope Precedence: A condition must always be preceded by another within a scope

27 Pattern Hierarchy: Scopes Scopes of interest over which the condition is evaluated

28 Using the System: Example Property There should be a dequeue()between an enqueue()and an empty() Propositions: deq, enq, em Pattern: existence (of deq) Scope: between (events: enq, em) Look up (Sexists between Qand R) Result CTL: AG (Q R A[ RW (S R)]) LTL: G (Q R ( RW (S R))) CTL: AG (enq em A[ emw (deq em)]) LTL: G (enq em ( emw (deq em)))

29 CTL Model-Checking Inputs: Kripke structure K CTL formula Assumptions: The Kripke structure is finite Finite length of a CTL formula Algorithm: Working outwards towards Label states of Kwith sub-formulas of that are satisfied these states Output states labeled with Example: EX EG (p E[pU q])

30 CTL Model-Checking (EX, EU) EX Label a state EX if any of its successors is labeled with ψ ψ ψ ψ E [Uψ] Label a state E[Uψ] if it is labeled with ψ Until there is no change label a state with E[Uψ] if it is labeled with and has a successor labeled withe[u ψ] ψ ψ ψ ψ

31 CTL Model-Checking (EG) EG Label every node labeled with by EG Until there is no change remove label EG from any state that does not have successors labeled by EG

32 Counterexamples Explain why the property fails to hold to disprove that holds on all elements ofs, produce a single elements S s.t. holds ons. counterexamples are restricted to universally-quantified formulas counterexamples are paths (trees) from initial state illustrating the failure of property AG req s 0 req req, busy s 1 req busy s 0 s 3 AF req AX req s 2 busy s 3 s 0 req req, busy s s 3 1 busy

33 Generating Counterexamples (EX, EG) Negate the prop. and express using EX, EU, EG e.g., AG ( AF ψ) becomes EF( EG ψ) EX : find a successor state labeled with EG : follow successors labeled with EG until a loop is found

34 Generating Counterexamples (EU) E[U ψ]: remove all states that are not labeled with either or ψ.then, find a path to ψ This procedure works only for universal properties AX AG ( AF ψ) etc.

35 State Explosion How fast do Kripkestructures grow? Composing linear number of structures yields exponential growth! How to deal with this problem? Symbolic model checking with efficient data structures (BDDs, SAT). Do not need to represent and manipulate the model explicitly Abstraction Abstract away variables in the model which are not relevant to the formula being checked Partial order reduction (for asynchronous systems) Several interleavingsof component traces may be equivalent as far as satisfaction of the formula to be checked is concerned Composition Break the verification problem down into several simpler verification problems

36 Model-Checking Techniques (Symbolic) BDD Express transition relation by a formula, represented as BDD. Manipulate these to compute logical operations and fixpoints Based on very fast decision diagram packages (e.g., CUDD) SAT Expand transition relation a fixed number of steps (e.g., loop unrolling), resulting in a formula For this unrolling, check whether the property holds Continue increasing the unrolling until error is found, resources are exhausted, or diameter of the problem is reached Based on very fast SAT solvers

37 Model-Checking Techniques (Explicit State) Model checking as partial graph exploration In practice: Compute part of the reachable state-space, with clever techniques for state storage (e.g., Bit-state hashing) and path pruning (partialorder reduction) Checkreachability(X, U) properties on-the-fly, as state-space is being computed Check non-termination(g) properties by finding an accepting cycle in the graph

38 Pros and Cons of Model-Checking Often cannot express full requirements Instead check several smaller properties Few systems can be checked directly Must generally abstract Works better for certain types of problems Very useful for control-centered concurrent systems Avionics software Hardware Communication protocols Not very good at data-centered systems User interfaces, databases

39 Pros and Cons (Cont d) Largely automatic and fast Better suited for debugging rather than assurance Testing vs model-checking Usually, find more problems by exploring allbehaviours of a downscaledsystem than by testing some behaviours of the full system

40 Some State of the Art Model-Checkers SMV, NuSMV, Cadence SMV CTL and LTL model-checkers Based on symbolic decision diagrams or SAT solvers Mostly for hardware and other models Spin LTL model-checker Explicit state exploration Mostly for communication protocols CBMC, SatAbs, CPAChecker, UFO Combine Model Checking and Abstraction Work directly on the source code (mostly C) Control-dependent properties of programs (buffer overflow, API usage, etc.)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback