Diagram-based Formalisms for the Verication of. Reactive Systems. Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E.

Similar documents
Verifying Temporal Properties of Reactive Systems: A STeP Tutorial *

7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing-

Our decision procedure has been implemented as part of the Stanford Temporal Prover, STeP [2], a system which supports the computer-aided verication o

{},{a},{a,c} {},{c} {c,d}

for Propositional Temporal Logic with Since and Until Y. S. Ramakrishna, L. E. Moser, L. K. Dillon, P. M. Melliar-Smith, G. Kutty

2 Real-Time Systems Real-time systems will be modeled by timed transition systems [7, 15]. A timed transition system S = hv; ; ; T ; L; Ui consists of

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

The TLA + proof system

Formal Verification of the Ricart-Agrawala Algorithm

Linear Temporal Logic and Büchi Automata

Electronic Notes in Theoretical Computer Science 18 (1998) URL: 8 pages Towards characterizing bisim

Abstractions and Decision Procedures for Effective Software Model Checking

Wojciech Penczek. Polish Academy of Sciences, Warsaw, Poland. and. Institute of Informatics, Siedlce, Poland.

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

2 PLTL Let P be a set of propositional variables. The set of formulae of propositional linear time logic PLTL (over P) is inductively dened as follows

Real-Time Logics: Fictitious Clock as an Abstraction of Dense Time Jean-Francois Raskin and Pierre-Yves Schobbens Computer

of model-checking algorithms for ltl always lagged several years behind their rst introduction for the ctl logic. The rst model-checking algorithms we

Transition Predicate Abstraction and Fair Termination

Model Checking Real-Time Properties. of Symmetric Systems? E. Allen Emerson and Richard J. Treer. Computer Sciences Department and

The Polyranking Principle

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Automata-based Verification - III

In this paper, we take a new approach to explaining Shostak's algorithm. We rst present a subset of the original algorithm, in particular, the subset

of concurrent and reactive systems is now well developed [2] as well as a deductive methodology for proving their properties [3]. Part of the reason f

In a second part, we concentrate on interval models similar to the traditional ITL models presented in [, 5]. By making various assumptions about time

Predicate Abstraction in Protocol Verification


IC3 and Beyond: Incremental, Inductive Verification

Splitting a Default Theory. Hudson Turner. University of Texas at Austin.

State-Space Exploration. Stavros Tripakis University of California, Berkeley

On Controllability and Normality of Discrete Event. Dynamical Systems. Ratnesh Kumar Vijay Garg Steven I. Marcus

SAT-Based Verification with IC3: Foundations and Demands

Automata-based Verification - III

Compositionality in SLD-derivations and their abstractions Marco Comini, Giorgio Levi and Maria Chiara Meo Dipartimento di Informatica, Universita di

Model Checking and Transitive-Closure Logic? Abstract. We give a linear-time algorithm to translate any formula

On Reducing Linearizability to State Reachability 1

Model Checking. Boris Feigin March 9, University College London

Transition Predicate Abstraction and Fair Termination

The State Explosion Problem

Model checking the basic modalities of CTL with Description Logic

1 Introduction Synchronous languages are rapidly gaining popularity as a high-level programming paradigm for a variety of safety-critical and real-tim

Extending Statecharts with Temporal Logic. A. Sowmya and S. Ramesh

From Duration Calculus. (Extended Abstract) zu Kiel, Preuerstr. 1-9, D Kiel, Germany.

Understanding IC3. Aaron R. Bradley. ECEE, CU Boulder & Summit Middle School. Understanding IC3 1/55

Exhaustive Classication of Finite Classical Probability Spaces with Regard to the Notion of Causal Up-to-n-closedness

Boolean Algebra and Propositional Logic

What Good Are Digital Clocks? y. Abstract. Real-time systems operate in \real," continuous time

2 Ralph J. R. Back, Qiwen. Xu systems with respect to total correctness. Reactive renement of action systems was investigated by Back [4] basing on th

Temporal Logic of Actions

Circular Compositional Reasoning about Liveness

IC3: Where Monolithic and Incremental Meet

Model Checking: An Introduction

CS256/Winter 2009 Lecture #6. Zohar Manna

SPN 2003 Preliminary Version. Translating Hybrid Petri Nets into Hybrid. Automata 1. Dipartimento di Informatica. Universita di Torino

1 Introduction. 2 First Order Logic. 3 SPL Syntax. 4 Hoare Logic. 5 Exercises

540 IEEE TRANSACTIONS ON AUTOMATIC CONTROL, VOL. 43, NO. 4, APRIL Algorithmic Analysis of Nonlinear Hybrid Systems

FORMALIZATION AND VERIFICATION OF PROPERTY SPECIFICATION PATTERNS. Dmitriy Bryndin

The Underlying Semantics of Transition Systems

Operational and Logical Semantics. for Polling Real-Time Systems? Vaandrager 1. Abstract. PLC-Automata are a class of real-time automata suitable

02 Propositional Logic

Boolean Algebra and Propositional Logic

Extending temporal logic with!-automata Thesis for the M.Sc. Degree by Nir Piterman Under the Supervision of Prof. Amir Pnueli Department of Computer

HyTech: A Model Checker for Hybrid Systems y. Thomas A. Henzinger Pei-Hsin Ho Howard Wong-Toi

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Scalable and Accurate Verification of Data Flow Systems. Cesare Tinelli The University of Iowa

Ranking Verification Counterexamples: An Invariant guided approach

Formal Verification of Mobile Network Protocols

of acceptance conditions (nite, looping and repeating) for the automata. It turns out,

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Computability and Complexity

Collecting Statistics over Runtime Executions

A Formal Approach to Modeling and Model Transformations in Software Engineering

Mathematik / Informatik

Computer-Aided Program Design

From its very inception, one fundamental theme in automata theory is the quest for understanding the relative power of the various constructs of the t

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Lecture 14 - P v.s. NP 1

and equal to true, encoded by 1, or present and equal to false, encoded by?1. The solutions of a polynomial are composed events. ILTS naturally posses

Synchronizing Multiagent Plans. using. Froduald Kabanza. Universite de Sherbrooke

Collecting Statistics Over Runtime Executions

COMP3151/9151 Foundations of Concurrency Lecture 4

Ranking Abstraction as Companion to Predicate Abstraction

A Preference Semantics. for Ground Nonmonotonic Modal Logics. logics, a family of nonmonotonic modal logics obtained by means of a

T Reactive Systems: Temporal Logic LTL

Verifying Randomized Distributed Algorithms with PRISM

Verification Constraint Problems with Strengthening

Liveness in Timed and Untimed Systems. Abstract. and its timed version have been used successfully, but have focused on safety conditions and

Unbounded, Fully Symbolic Model Checking of Timed Automata using Boolean Methods

a cell is represented by a triple of non-negative integers). The next state of a cell is determined by the present states of the right part of the lef

SAT Solvers: Theory and Practice

Quantum logics with given centres and variable state spaces Mirko Navara 1, Pavel Ptak 2 Abstract We ask which logics with a given centre allow for en

INSTITUT FÜR INFORMATIK

A Proof of Burns N-Process Mutual Exclusion. Algorithm using Abstraction. Cambridge, MA USA.

Tableau Calculus for Local Cubic Modal Logic and it's Implementation MAARTEN MARX, Department of Articial Intelligence, Faculty of Sciences, Vrije Uni

Computability and Complexity

Timo Latvala. February 4, 2004

Lecture 10: Gentzen Systems to Refinement Logic CS 4860 Spring 2009 Thursday, February 19, 2009

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Transcription:

In CADE-1 Workshop on Visual Reasoning, New Brunswick, NJ, July 1996. Diagram-based Formalisms for the Verication of Reactive Systems Anca Browne, Luca de Alfaro, Zohar Manna, Henny B. Sipma and Tomas E. Uribe anca luca manna sipma uribe@cs.stanford.edu Computer Science Department, Stanford University Stanford, CA. 9405 Abstract Graphical formalisms are an increasingly important component of our research on the specication and verication of reactive systems. We briey describe diagram-based verication methods we have developed for verifying temporal properties of innite-state reactive systems, as well as for the incremental analysis and renement of systems and specications. 1 Introduction Reactive systems have an ongoing interaction with their environment. They include distributed and concurrent algorithms, hardware systems, and control programs. Linear-time temporal logic has proved to be a convenient language for expressing safety, progress and response properties of reactive systems [MP91, MP95]. We are interested in the formal verication of temporal properties of reactive systems by deductive and algorithmic means. The classical approach for verifying temporal properties of reactive systems is based on verication rules, which reduce the system validity of a temporal property to the general validity of a set of rst-order verication conditions. While this methodology is complete, relative to the underlying rst-order reasoning, the proofs do not always reect an intuitive understanding of the system and its specication; without this intuition, the proofs can be dicult to construct. We address the need for a more intuitive approach to verication by using diagram-based formalisms. Our diagrams are graphs whose vertices are labeled with rst-order formulas (assertions), representing sets of system states, and whose edges represent possible system transitions. In the following, we give an overview of three diagram-based formalisms for the verication of temporal properties of systems, which correspond to dierent methods of proof construction. Verication diagrams (Section 2) correspond to a completed, direct proof, and oer a compact representation of the necessary verication conditions. Deductive model checking (Section ) uses the diagram representation to conduct an exhaustive search for a counterexample, giving a semi-automatic (but incomplete) proof procedure. Fairness diagrams (Section 4) represent abstractions of the system, used for the gradual construction of a proof by stepwise diagram transformations. Some features shared by these formalisms are: Diagrams (or sequences of diagrams) are formal proof objects, which succinctly represent a set of verication conditions that replaces a combination of textual verication rules. This research was supported in part by the National Science Foundation under grant CCR-92-2226, the Advanced Research Projects Agency under NASA grant NAG2-892, the United States Air Force Oce of Scientic Research under grant F49620-9-1-019, the Department of the Army under grant DAAH04-95-1-017, and a gift from Intel Corporation.

The graphical nature of diagrams makes them easier to construct and understand than textbased proofs and specications. Diagrams can describe and verify innite-state systems using a nite and often compact representation. The construction of a diagram can be incremental, starting from a high-level outline and then lling in details as necessary. The diagrams for a given system can serve as documentation; they can also be re-used when similar proofs are carried out for similar systems, or when a system is rened. The verication conditions are local to the diagram; failed verication conditions point to missing edges or nodes, or possible bugs in the system. The necessary global properties of diagrams can be proved algorithmically. For details on our verication framework, see [MP91, MP95]. denitions and notation used in the following presentation. Appendix A summarizes the 2 Verication Diagrams Verication Diagrams, introduced by Manna and Pnueli [MP94], provide a graphical representation of the direct proof of temporal properties. A verication diagram is a directed graph, where nodes are labeled with assertions and edges are labeled with transitions. A single node can be selected as terminal, and should have not outgoing edges. Edges can be single, double or solid. Each transition can label at most one kind of edge leaving a given node. A set of verication conditions is associated with a diagram as follows: If transition labels a single edge departing a node labeled ', reaching nodes labeled f' 1 ; : : :; ' k g, the verication condition associated with ' and is f'g f' _ ' 1 _ : : : _ ' k g; for double or solid edges, which must be labeled by just and compassionate transitions respectively, the verication condition is f'g f' 1 _ : : : _ ' k g. If does not label an outgoing edge from a node labeled ', the verication condition f'g f'g is generated. If labels a double edge, the verication condition '! enabled() is generated; for solid edges, the verication condition is 0 ('!1 (:' _ enabled())). An invariance diagram is one with no terminal node; if its nodes are labeled by f' 1 ; : : :; ' n g and all of its associated verication conditions are valid, then the property 0 0 1 m_ m_ @( ' j )! 0 ( ' j ) A j=1 is valid over the given system S. Other classes of diagrams can be used to prove general safety or response properties [MP94]. We have implemented verication diagrams as part of the STeP (Stanford Temporal Prover) system [BBC + 96], which includes an X-windows diagram editor. A verication diagram rule in STeP takes a temporal property ' and a diagram, checks that the diagram is well-formed with respect to ', and generates the corresponding set of verication conditions as subgoals. In our experience, diagrams are the most convenient method available in STeP for the deductive verication of complex properties of large systems. For large diagrams, a hierarchical mechanism is provided, where given nodes can be bound to sub-diagrams that are separately specied. j=1 2

at `4 s = 1 `4 ' 8 : at `2 `2 ' 7 : at ` ` ' 6 : at m 4 m 4 ' 5 : at m 5 m 5 ' 4 : at m 6 m 6 ' : at m 0::2 ^ s = 1 m 2? ' 2 : at m ^ s = 1 ' 1 : s = 2 m `4 ' 0 : at `5?? To make diagrams more succinct, we use encapsulation conventions, based on those of Statecharts [Har87]. The assertion labeling a compound node is added, as a conjunct, to its subnodes. Edges leaving (entering) a compound node are interpreted as leaving (entering) all of its subnodes. These graphical abbreviations greatly increase the readability of diagrams, and make them easier to draw. This chain diagram proves that0 (at `2!1 at `5) is valid for the mux-pet program of Figure 1. ' 0 is the terminal node, with no outgoing edges. Double edges are be labeled with helpful transitions, which must be just. The diagram must be acyclic, and every non-terminal node should have a double edge departing from it (m 2 labels a single edge). Transitions that do not label any outgoing edge must (if taken) stay within the given node. The helpful transitions must be taken since they are just and proved to be continuously enabled at the given nodes. (Compassion does not play a role in this example.) Thus, any computation that starts at node ' 8 must progress down the diagram until reaching ' 0. In STeP, this diagram generates 8 verication conditions. All are automatically proven to be valid, given automatically generated local invariants [BBM95]. chain diagrams generalize to rank diagrams, where an unbounded number of steps may be necessary to reach the terminal node. The acyclicity requirement is dropped, and replaced by ranking functions, which dene a well-founded order that is always decreased by the helpful transitions. Verication diagrams can be adapted to parameterized (N-component) designs [MP94], as well as realtime and hybrid systems [MP96]. Generalized and Modular Verication Diagrams: Similarly to verication rules, each class of Verication Diagrams in [MP94] is tailored to a particular class of temporal properties. Generalized Verication Diagrams [BMS95] extend the framework to arbitrary temporal formulas. The validity of an arbitrary temporal formula ' for a given system S can be established by constructing an appropriate generalized verication diagram. A set of rst-order verication conditions associated with the diagram establishes that the set of computations of S, L(S), is a subset of L( ), the computations represented by the diagram. This set is then shown to be a subset of L('), the sequences satisfying the temporal formula '. Generalized verication diagrams oer a complete verication methodology: if an FTS S satises a formula ' then there is always a diagram such that L(S) L( ) L(') [BMS95].

Modular Verication Diagrams [BMS96] allow the combination of several generalized verication diagrams into a single proof. The combined set represents the intersection of the languages described by each diagram. In this way, individual diagrams can be kept small, and diagrams can be re-used more conveniently. Modular verication diagrams can verify a class of properties equivalent to!-automata, a strictly larger class than the properties that can be proved by regular verication diagrams or verication rules. Deductive Model Checking In a direct proof by verication diagram, the nal, complete diagram must be constructed by the user. We have recently developed alternative, complementary verication formalisms where the proof is obtained incrementally through a set of transformations, combining deductive and algorithmic tools. Given a linear-time temporal logic formula ', the formula tableau for ' is a nite directed graph that represents all the models of ' (see e.g. [KMMP9]). Model checking veries a system property ' by checking the emptiness of the product graph between the transition graph of S and the tableau for :'. Since the state-space of the system needs to be generated explicitly, this approach is limited to nite-state systems only. (Symbolic model checking using BDDs [BCM + 92] is similarly restricted to the nite-state case.) We have generalized this classical model checking procedure to operate on an abstraction of the product graph, using rst-order assertions to represent possibly innite sets of states [SUM96]. This results in an interactive model checking procedure, where the user can choose the manner in which an abstraction of the state-space is explored. The resulting graphical representation is quite similar to verication diagrams; nodes are labeled by assertions, and edges are labeled by sets of transitions that can possibly move the system from one abstract state to the next. However, the goal now is to show that the corresponding set of computations is empty. If this is not the case, a counterexample can be produced, provided that appropriate formulas are proved valid. This approach combines some of the advantages of deductive and algorithmic verication: the process is goal-directed and incremental, and can handle innite-state systems. User input can direct the search for a counterexample and help rule out large portions of the search space before they are expanded to the state level, combating the state-space explosion problem common in model checking. The main graphical challenge is to present the abstracted state-space in a way where the user can easily choose what to do next. 4 Fairness Diagrams Fairness diagrams [dam96] are graphical abstractions of system behavior, and can combine the direct and indirect proof approaches above. The diagram represents the possible system states and transitions; the progress and response properties of the system are encoded by fairness constraints, which generalize the usual notions of fairness. Given a system and a temporal specication, a proof begins with an initial fairness diagram that directly corresponds to the system. This diagram is then transformed into one which corresponds directly to the specication, or which can be shown to satisfy it by purely algorithmic methods. The transformations on fairness diagrams represent elementary system analysis steps. A rst class of transformations relies on the construction of simulation relations between diagrams, and enables the study of the system's safety properties. A second class of transformations study progress 4

and response properties, modifying or adding fairness constraints. Each transformation is justied by a set of rst-order verication conditions that relate the two diagrams. The combined set of transformations is complete for proving general temporal properties of reactive systems (again, relative to rst-order reasoning). Diagram transformations allow a exible style of proof construction. The system can be studied incrementally as well as modularly. Dierent system components can be studied separately and then expressed as sub-diagrams that represent their relevant properties. Note that while stepwise transformations facilitate the gradual construction of a proof, the proof itself is a more complex formal object when compared to a verication diagram, since it consists of a sequence of diagram transformations and their associated verication conditions. As in standard deductive verication, all our formalisms can use previously proven properties and automatically generated invariants [BBM95] in the course of a proof. Furthermore, propagation and approximation mechanisms similar to those used in the assertion graphs of [BBM95] can be adapted to our diagrams as well, resulting in more automatic verication tools. References [BBC + 96] [BBM95] [BCM + 92] [BMS95] N. Bjrner, A. Browne, E. Chang, M. Colon, A. Kapur, Z. Manna, H.B. Sipma, and T.E. Uribe. STeP: Deductive-algorithmic verication of reactive and real-time systems. In Proc. 8 th Intl. Conference on Computer Aided Verication. Springer-Verlag, July 1996. N. Bjrner, A. Browne, and Z. Manna. Automatic generation of invariants and intermediate assertions. In 1 st Intl. Conf. on Principles and Practice of Constraint Programming, volume 976 of LNCS, pages 589{62. Springer-Verlag, September 1995. J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill, and J. Hwang. Symbolic model checking: 10 20 states and beyond. Information and Computation, 98(2):142{170, 1992. A. Browne, Z. Manna, and H.B. Sipma. Generalized verication diagrams. In 15th Conference on the Foundations of Software Technology and Theoretical Computer Science, volume 1026 of LNCS, pages 484{498, December 1995. [BMS96] A. Browne, Z. Manna, and H.B. Sipma. Modular verication diagrams. Technical report, Computer Science Department, Stanford University, 1996. [dam96] L. de Alfaro and Z. Manna. Temporal verication by diagram transformations. In Proc. 8 th Intl. Conference on Computer Aided Verication, July 1996. [Har87] D. Harel. Statecharts: A visual formalism for complex systems. Sci. Comp. Prog., 8:21{274, 1987. [KMMP9] Y. Kesten, Z. Manna, H. McGuire, and A. Pnueli. A decision algorithm for full propositional temporal logic. In C. Courcoubetis, editor, Proc. 5 th Intl. Conference on Computer Aided Verication, volume 697 of LNCS, pages 97{109. Springer-Verlag, 199. [MP91] [MP94] [MP95] [MP96] [SUM96] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specication. Springer-Verlag, New York, 1991. Z. Manna and A. Pnueli. Temporal verication diagrams. In Proc. Int. Symp. on Theoretical Aspects of Computer Software, volume 789 of LNCS, pages 726{765. Springer-Verlag, 1994. Z. Manna and A. Pnueli. Temporal Verication of Reactive Systems: Safety. Springer-Verlag, New York, 1995. Z. Manna and A. Pnueli. Clocked transition systems. Technical Report STAN-CS-TR-96-1566, Department of Computer Science, Stanford University, April 1996. H.B. Sipma, T.E. Uribe, and Z. Manna. Deductive model checking. In Proc. 8 th Intl. Conference on Computer Aided Verication. Springer-Verlag, July 1996. 5

A Background: Fair Transition Systems and Deductive Verication Specifying Systems and Properties: We represent reactive systems as fair transition systems. A fair transition system is given by a set of variables V, an initial condition, and a set of transitions T. A nite set of system variables V V determines the possible states of the system. is an assertion over the system variables. Each transition is described by its transition relation (~x; ~x 0 ), an assertion over the system variables ~x and a set of primed variables ~x 0 indicating their next-state values. We dene f'g f g def = ('(~x) ^ (~x; ~x 0 ))! ( x ~ 0 ), and enabled() def = 9~x 0 : (~x; ~x 0 ). A computation of S is an innite sequence of states s 0 ; s 1 ; : : :, where s 0 must satisfy and for every s i there is a transition 2 T such that (s i ; s i+1 ) satisfy (and we say that is taken). The transitions in T can be optionally designated as just or compassionate. Just (or weakly fair) transitions cannot be continuously enabled without ever being taken. Compassionate (or strongly fair) transitions cannot be enabled innitely often without being taken. local y 1 ; y 2 : boolean where y 1 = y 2 = F 2 s : [1::2] 2 `0: 2 while T do m 0 `1: noncritical 2: while T do m 1 : noncritical `2: y 1 := T m 2 : y 2 := T P 1 :: `: s := 1 jj P 2 :: m : s := 2 6 6`4: await :y 2 or s = 2 77 6 6m 4 : await :y 1 or s = 1 77 4 4`5: critical 55 4 4m 5 : critical 55 `6: y 1 := F m 6 : y 2 := F Figure 1: Peterson's algorithm for mutual exclusion (mux-pet) Figure 1 shows program mux-pet, which implements Peterson's mutual exclusion algorithm, in the Simple Programming Language (SPL) of [MP95]. Such programs can be naturally translated into corresponding fair transition systems. 1 To each process corresponds a control variable. For mux-pet, the control variables for P 1 and P 2 range over locations f`0; : : :; `6g and fm 0 ; : : :; m 6 g, Assertions at m i ; at `j indicate that control resides at i; j. All transitions are assumed to be just, except for those associated with the noncritical statements. Specications are expressed as formulas in linear-time temporal logic. Assertions, or stateformulas, are rst-order formulas with no temporal operators, and can include quantiers. Temporal formulas are constructed from assertions, boolean connectives, and the usual future (0 ;1 ;2 ; U ; W ) and past (; ; ; B ; S ) temporal operators. For instance, the formula 0 :(at `5 ^ at m 5 ) expresses mutual exclusion for mux-pet. Deductive Verication: Verication rules reduce the validity of a given temporal property over a given system S to the general validity of a set of rst-order verication conditions. For example, the general invariance rule, which can prove a property of the form 0 p for an assertion p, requires nding a strengthened assertion ' such that the following verication conditions are valid: (1) '! p, (2)! ' (that is, ' holds initially), and () f'g f'g for each transition 2 S (that is, ' is preserved by all transitions). Other verication rules are available for proving dierent classes of temporal properties [MP95]. 1 The STeP system [BBC + 96] parses SPL programs into fair transition systems, or can take transition systems directly as input. 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback