Finite-State Model Checking

Similar documents
Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Sanjit A. Seshia EECS, UC Berkeley

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Compositional Reasoning

Model Checking: An Introduction

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Model for reactive systems/software

Introduction to Embedded Systems

Lecture 16: Computation Tree Logic (CTL)

Algorithmic verification

Temporal Logic Model Checking

Model Checking with CTL. Presented by Jason Simas

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Equivalence Checking of Sequential Circuits

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

T Reactive Systems: Temporal Logic LTL

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Chapter 4: Computation tree logic

Formal Verification of Mobile Network Protocols

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Abstractions and Decision Procedures for Effective Software Model Checking

Model checking the basic modalities of CTL with Description Logic

Introduction to Embedded Systems

Model Checking. Boris Feigin March 9, University College London

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Automata-Theoretic Model Checking of Reactive Systems

Crash course Verification of Finite Automata CTL model-checking

Timo Latvala. February 4, 2004

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

FAIRNESS FOR INFINITE STATE SYSTEMS

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Verification Using Temporal Logic

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Computer-Aided Program Design

CS357: CTL Model Checking (two lectures worth) David Dill

Alan Bundy. Automated Reasoning LTL Model Checking

MODEL CHECKING. Arie Gurfinkel

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Homework 2: Temporal logic

An Introduction to Temporal Logics

Automata-based Verification - III

3-Valued Abstraction-Refinement

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Integrating Induction and Deduction for Verification and Synthesis

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Models for Efficient Timed Verification

The State Explosion Problem

Lecture Notes on Software Model Checking

From Liveness to Promptness

Computation Tree Logic

Bridging the Gap between Reactive Synthesis and Supervisory Control

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Using Patterns and Composite Propositions to Automate the Generation of LTL Specifications

Chapter 3: Linear temporal logic

Generating Linear Temporal Logic Formulas for Pattern-Based Specifications

Computer Aided Verification

Linear Temporal Logic (LTL)

LTL Model Checking. Wishnu Prasetya.

Automata-based Verification - III

Lecture 2: Symbolic Model Checking With SAT

Equivalence of DFAs and NFAs

Binary Decision Diagrams and Symbolic Model Checking

Logic Model Checking

PSPACE-completeness of LTL/CTL model checking

Timo Latvala. March 7, 2004

Part I. Principles and Techniques

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Computation Tree Logic

ESE601: Hybrid Systems. Introduction to verification

A Context Dependent Equivalence Relation Between Kripke Structures (Extended abstract)

Chapter 6: Computation Tree Logic

Introduction to Formal Verification Methods Exercise 4

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Topics in Verification AZADEH FARZAN FALL 2017

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: NP-Completeness I Date: 11/13/18

Computation Tree Logic

Introduction to Embedded Systems

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Testing with model checkers: A survey

Computation Tree Logic (CTL)

Transition Systems and Linear-Time Properties

EECS 219C: Computer-Aided Verification Boolean Satisfiability Solving III & Binary Decision Diagrams. Sanjit A. Seshia EECS, UC Berkeley

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Logic-Based Modeling in Systems Biology

Distributed Algorithms (CAS 769) Dr. Borzoo Bonakdarpour

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Transcription:

EECS 219C: Computer-Aided Verification Intro. to Model Checking: Models and Properties Sanjit A. Seshia EECS, UC Berkeley Finite-State Model Checking G(p X q) Temporal logic q p FSM Model Checker Yes, property satisfied no p q Model generation System description (RTL, source code, gates, etc.) S. A. Seshia 2 1

Today s Lecture G(p X q) Temporal logic q p FSM Model Checker Yes, property satisfied no p q Model generation System description (RTL, source code, gates, etc.) S. A. Seshia 3 1. Open 2. Closed 2 Kinds of Systems What s the difference between the two? S. A. Seshia 4 2

Verifying Closed Systems Assumes we have models of System Environment (a good enough one) Overall model is the composition of the system with its environment This will be the topic for most of this course S. A. Seshia 5 Questions addressed in this lecture What is a model? How to compose two models together? How to express properties of a model? S. A. Seshia 6 3

Modeling Finite-State Machines Remember, it s a closed system i.e., no inputs Common representation: (S, S 0, R) Why do we need a transition relation and not just a transition function? Representation in practice: (V, S 0, R) S. A. Seshia 7 Kripke Structure Alternative way of representing closed finite-state models (S, S 0, R, L) S set of states S 0 set of initial states R transition relation must be total: for every state s, there exists state s, s.t. R(s,s ) L labeling function labels a state with a set of atomic propositions (think of these as colors ) S. A. Seshia 8 4

Example of Kripke Structure S 0 S 1 S 2 S 3 Why should we use Kripke structures? S. A. Seshia 9 Why Kripke Structures? Representation is independent of stateencoding Captures notion of observability to relate to actual executions an observer might not be able to read all state variables S. A. Seshia 10 5

Composition Typically the overall system is specified as a set of modules, and the environment Assume we have a Kripke structure for each There are two basic ways of constructing the overall Kripke structure Synchronous composition Asynchronous composition S. A. Seshia 11 How to Compose? Synchronous Composition All components in the system change their state variables simultaneously Asynchronous Composition At each time point, one component changes its state Which form of composition exhibits more behaviors? S. A. Seshia 12 6

Synchronous Product Given two Kripke structures M1 = (S1, s1 0, R1, L1) M2 = (S2, s2 0, R2, L2) Sync. Product is M = (S, s 0, R, L) S S1 x S2 s 0 = (s1 0, s2 0 ) R = R1 R2 L(s1, s2) = (L1(s1), L2(s2)) S. A. Seshia 13 Asynchronous Product Given two Kripke structures M1 = (S1, s1 0, R1, L1) M2 = (S2, s2 0, R2, L2) Async. Product is M = (S, s 0, R, L) S S1 x S2 s 0 = (s1 0, s2 0 ) R(s) = ( R1(s1,s1 ) s2 = s2) ( R2(s2,s2 ) s1 = s1) L(s1, s2) = (L1(s1), L2(s2)) S. A. Seshia 14 7

Recap We re verifying closed systems Modeled as Kripke structures (S, S 0, R, L) Represents the product of the system with its environment S. A. Seshia 15 Specifying Properties Ideally, want a complete specification Implementation must be equivalent to the specification w.r.t. observable state In practice, only have partial specifications Specify some good behaviors and some bad behaviors S. A. Seshia 16 8

What s a Behavior? Define in terms of states and transitions A sequence of states, starting with an initial state s 0 s 1 s 2 such that R(s i, s i+1 ) is true Also called run, or (computation) path Trace: sequence of observable parts of states Sequence of state labels S. A. Seshia 17 Safety vs. Liveness Safety property something bad must not happen E.g.: system should not crash finite-length error trace Liveness property something good must happen E.g.: every packet sent must be received at its destination infinite-length error trace S. A. Seshia 18 9

Examples: Safety or Liveness? 1. No more than one processor (in a multi-processor system) should have a cache line in write mode 2. The grant signal must be asserted at some time after the request signal is asserted 3. Every request signal must receive an acknowledge and the request should stay asserted until the acknowledge signal is received S. A. Seshia 19 Temporal Logic A logic for specifying properties over time E.g., Behavior of a finite-state system We will study propositional temporal logic Other temporal logics exist: e.g., real-time temporal logic S. A. Seshia 21 10

Atomic State Property (Label) A Boolean formula over state variables We will denote each unique Boolean formula by a distinct color a name such as p, q, req req &!ack S. A. Seshia 22 Globally (Always) p: G p G p is true for a computation path if p holds at all states (points of time) along the path p = Suppose G p holds along the path below starting at s 0 0 1 2... S. A. Seshia 23 11

Eventually p: F p F p is true for a path if p holds at some state along that path p = Does F p holds for the following examples?... 0 1 2... S. A. Seshia 24 Next p: X p X p is true along a path starting in state s i (suffix of the main path) if p holds in the next state s i+1 p = Suppose X p holds along the path starting at state s 2... 0 1 2 S. A. Seshia 25 12

Nesting of Formulas p need not be just a Boolean formula. It can be a temporal logic formula itself! p = X p holds for all suffixes of a path How do we draw this? How can we write this in temporal logic? Write down formal definitions of Gp, Fp, Xp S. A. Seshia 26 Notation Sometimes you ll see alternative notation in the literature: G F X S. A. Seshia 27 13

Examples: What do they mean? G F p F G p G( p F q ) F( p (X X q) ) S. A. Seshia 28 p Until q: p U q p U q is true along a path starting at s if q is true in some state reachable from s p is true in all states from s until q holds p = q = Suppose p U q holds for the path below... 0 1 2 S. A. Seshia 29 14

Temporal Operators & Relationships G, F, X, U: All express properties along paths Can you express G p purely in terms of F, p, and Boolean operators? How about G and F in terms of U and Boolean operators? What about X in terms of G, F, U, and Boolean operators? S. A. Seshia 30 Examples in Temporal Logic 1. No more than one processor (in a 2-processor system) should have a cache line in write mode wr 1 / wr 2 are respectively true if processor 1 / 2 has the line in write mode 2. The grant signal must be asserted at some time after the request signal is asserted Signals: grant, req 3. Every request signal must receive an acknowledge and the request should stay asserted until the acknowledge signal is received Signals: req, ack S. A. Seshia 31 15

Linear Temporal Logic What we ve seen so far are properties expressed over a single computation path or run LTL S. A. Seshia 33 Temporal Logic Flavors Linear Temporal Logic Computation Tree Logic Properties expressed over a tree of all possible executions Where does this tree come from? S. A. Seshia 34 16

Labelled State Transition Graph p q p q q r r q r r Kripke structure p q r r... Infinite Computation Tree S. A. Seshia 35 Temporal Logic Flavors Linear Temporal Logic (LTL) Computation Tree Logic (CTL, CTL*) Properties expressed over a tree of all possible executions CTL* gives more expressiveness than LTL CTL is a subset of CTL* that is easier to verify than arbitrary CTL* S. A. Seshia 36 17

Computation Tree Logic (CTL*) Introduce two new operators A and E called Path quantifiers Corresponding properties hold in states (not paths) A p : Property p holds along all computation paths starting from the state where A p holds E p : Property p holds along at least one path starting from the state where E p holds Example: The grant signal must always be asserted some time after the request signal is asserted A G (req A F grant) Notation: A sometimes written as, E as S. A. Seshia 37 CTL Every F, G, X, U must be immediately preceded by either an A or a E E.g., Can t write A (FG p) LTL is just like having an A on the outside S. A. Seshia 38 18

Why CTL? Verifying LTL properties turns out to be computationally harder than CTL But LTL is more intuitive to write Complexity of model checking Exponential in the size of the LTL expression linear for CTL For both, model checking is linear in the size of the state graph S. A. Seshia 39 CTL as a way to approximate LTL AG EF p is weaker than G F p Good for finding bugs... p AF AG p is stronger than F G p p p Good for verifying correctness... Why? And what good is this approximation? S. A. Seshia 40 19

More CTL From any state, it is possible to get to the reset state along some path A G ( E F reset ) S. A. Seshia 41 CTL vs. LTL Summary Have different expressive powers Overall: LTL is easier for people to understand, hence more commonly used in property specification languages S. A. Seshia 42 20

Some Remarks on Temporal Logic The vast majority of properties are safety properties Liveness properties are useful abstractions of more complicated safety properties (such as real-time response constraints) S. A. Seshia 43 (Absence of) Deadlock An oft-cited property, especially people building distributed / concurrent systems Can you express it in terms of a property of the state graph (graph of all reachable states)? a CTL property? a LTL property? S. A. Seshia 44 21

Summary What we ve done so far: Modeling with Kripke structures Sync/Async Composition Properties in Temporal Logic, LTL, CTL, CTL* S. A. Seshia 45 22

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback