PSL Model Checking and Run-time Verification via Testers

Similar documents
Chapter 5: Linear Temporal Logic

A Hierarchy for Accellera s Property Specification Language

Linear Temporal Logic and Büchi Automata

Structural Contradictions

From Liveness to Promptness

Timo Latvala. March 7, 2004

Theoretical Foundations of the UML

Symbolic Model Checking Property Specification Language*

The Safety Simple Subset

T Reactive Systems: Temporal Logic LTL

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Timo Latvala. February 4, 2004

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

From Liveness to Promptness

Temporal Logic Made Practical

Alan Bundy. Automated Reasoning LTL Model Checking

Automata theory. An algorithmic approach. Lecture Notes. Javier Esparza

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

ECE473 Lecture 15: Propositional Logic

Chapter 3: Linear temporal logic

Computer-Aided Program Design

Course Runtime Verification

A Sound and Complete Deductive System for CTL* Verification

Chapter 5: Linear Temporal Logic

Synthesis of Designs from Property Specifications

Augmenting a Regular Expression-Based Temporal Logic with Local Variables

On simulations and bisimulations of general flow systems

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Advanced Automata Theory 7 Automatic Functions

Linear-Time Logic. Hao Zheng

Chapter 4: Computation tree logic

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

The State Explosion Problem

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Automata-based Verification - III

On Regular Temporal Logics with Past

Revisiting Synthesis of GR(1) Specifications

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

LTL is Closed Under Topological Closure

Lecture Notes on Emptiness Checking, LTL Büchi Automata

An Introduction to Temporal Logics

Automata Construction for PSL

Temporal Logic and Fair Discrete Systems

Effective Synthesis of Asynchronous Systems from GR(1) Specifications

Automata-Theoretic Model Checking of Reactive Systems

Büchi Automata and Linear Temporal Logic

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

a Hebrew University b Weizmann Institute c Rice University

Automata-based Verification - III

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Automata, Logic and Games: Theory and Application

Lecture Notes on Inductive Definitions

Chapter 6: Computation Tree Logic

Linear-time Temporal Logic

Automata on Infinite words and LTL Model Checking

Synthesis of Reactive(1) Designs

Model Checking of Safety Properties

Lecture Notes on Inductive Definitions

Classes and conversions

Extending temporal logic with!-automata Thesis for the M.Sc. Degree by Nir Piterman Under the Supervision of Prof. Amir Pnueli Department of Computer

Applied Automata Theory

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

On the Succinctness of Nondeterminizm

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

On the Characterization of Until as a Fixed Point Under Clocked Semantics

Chapter 5: Linear Temporal Logic

Sanjit A. Seshia EECS, UC Berkeley

First-order resolution for CTL

Büchi Automata and their closure properties. - Ajith S and Ankit Kumar

Guest lecturer: Mark Reynolds, The University of Western Australia. May 7, 2014

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Canonical Calculi: Invertibility, Axiom expansion and (Non)-determinism

Introduction to Logic in Computer Science: Autumn 2006

Regular Linear Temporal Logic

The algorithmic analysis of hybrid system

Temporal Logic Model Checking

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Automata, Logic and Games: Theory and Application

Foundations of Informatics: a Bridging Course

LTL and CTL. Lecture Notes by Dhananjay Raju

Bridging the Gap Between Fair Simulation and Trace Inclusion

From Monadic Second-Order Definable String Transformations to Transducers

Model Checking Algorithms

Lecture 11 Safety, Liveness, and Regular Expression Logics

The Expressiveness of Metric Temporal Logic II:

DESCRIPTIONAL COMPLEXITY OF NFA OF DIFFERENT AMBIGUITY

Syntax and Semantics of Propositional Linear Temporal Logic

Propositional and Predicate Logic - IV

October 6, Equivalence of Pushdown Automata with Context-Free Gramm

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Lecture 9 Synthesis of Reactive Control Protocols

An Introduction to Modal Logic III

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

Minimization of Tree Automata

Impartial Anticipation in Runtime-Verification

First-Order Logic. Chapter Overview Syntax

Lecture 16: Computation Tree Logic (CTL)

Transcription:

PSL Model Checking and Run-time Verification via Testers Formal Methods 2006 Aleksandr Zaks and Amir Pnueli New York University

Introduction Motivation (Why PSL?) A new property specification language, PSL (also known as IEEE P1850 PSL), has been proposed and accepted by a wide variety of companies. PSL is a language for the specification, verification, and testing of hardware design. PSL combines the power of LTL and regular expressions. expressiveness matches NBA. [ Example: ψ = {aa} b ( c) ] Resulting PSL Model Checking and Run-time Verification via Testers 1

Introduction Motivation (Why Testers?) A temporal tester can be viewed as a (non-deterministic) transducer that outputs a boolean value which is 1 iff the corresponding temporal formula holds at the current position. While acceptors, such as Büchi automata, do not compose, testers do. T [ϕ] T [ψ] p q T [p U q] Composition of testers for T [p U q], T [ϕ], and T [ψ] to form T [ϕ U ψ]. PSL Model Checking and Run-time Verification via Testers 2

PSL PSL Syntax and Semantics (1/2) The logic PSL is defined with respect to a non-empty set of atomic propositions P and a given set of boolean expressions B over P. Sequential Extended Regular Expressions (SEREs) Every boolean expression b B is an SERE. If r, r 1, and r 2 are SEREs, then the following are SEREs: r 1 ; r 2 concatenation r 1 r 2 or r[ ] consecutive repetition r 1 : r 2 (sequence fusion) r 1 && r 2 (length-matching and ) PSL Model Checking and Run-time Verification via Testers 3

PSL PSL Syntax and Semantics (2/2) The semantics of PSL is defined with respect to finite and infinite words over Σ = 2 P {, }. We denote an empty, finite, or infinite word from Σ Σ ω by v. We use v i..j to denote the corresponding sub-word of v and v to represent the word obtained by replacing every with a and vice versa. v ϕ v ϕ v ϕ ψ v ϕ and v ψ v b v = 0 or v 0 = b v X!ϕ v > 1 and v 1.. ϕ v [ϕ U ψ] k < v s.t. v k.. ψ, and j < k, v j.. ϕ v r ϕ j < v s.t. v 0..j r, v j.. ϕ and much more: clocks, abort, branching,... PSL Model Checking and Run-time Verification via Testers 4

Our Model Just Discrete Systems (JDS) A JDS D = (V, Θ, R, J, F) consists of: V : A finite set of system variables. A state of the system D provides a typeconsistent interpretation of the system variables V. For a state s and a system variable v V, we denote the value assigned to v by the state s by s[v]. Θ: The initial condition. R(V, V ): The transition relation, which is an assertion that relates the values of the variables in V interpreted by a state s to the values of the variables V in an R-successor state s. J : A set of justice (weak fairness) requirements. For every J J, an infinite computation must include infinitely many states satisfying J. F: The termination condition, which is an assertion specifying the set of final states. PSL Model Checking and Run-time Verification via Testers 5

LTL Testers Testers A tester for a formula ϕ is a JDS T ϕ which has a distinguished boolean variable x ϕ such that: For every computation σ : s 0, s 1, s 2,..., of T ϕ and every position i 0, s i [x ϕ ] = 1 iff σ i.. = ϕ For every sequence of σ : s 0, s 1, s 2,...,, there is a corresponding computation σ : s 0, s 1, s 2,..., of T ϕ such that, for each i, s i and s i agree on the interpretation of all ϕ-variables. Intuitively, a tester should be able to correctly interpret x ϕ for any given sequence. Otherwise, the first condition can be trivially satisfied by a JDS that has no computations. PSL Model Checking and Run-time Verification via Testers 6

LTL Testers T ( p) = A Tester for V : {p, x ϕ } Θ : 1 R(V, V ) : x ϕ = p J : F : x ϕ p (X!p) It follows almost immediately from the construction that T ( tester for p: p) is indeed a good The soundness of the T ( p) is guaranteed by the transition relation with the exception that we still have a freedom to incorrectly interpret x ϕ at the very last state. This case is handled separately by insisting that every final state must interpret x ϕ as false. The completeness follows from the fact that we do not restrict P variables by the transition relation, and we can always interpret x ϕ properly, by either matching p or setting it to false in the last state. PSL Model Checking and Run-time Verification via Testers 7

LTL Testers T (p U q) = A Tester for p U q V : {p, q, x ϕ } Θ : 1 R(V, V ) : x ϕ = ( q (p x ϕ ) ) J : q x ϕ F : x ϕ = q Unlike the previous tester, T (p U q) has a non-empty justice set. A technical reason is that the transition relation allows x ϕ to be continuously set to true without having a single state that actually satisfies q. The situation is ruled out by the justice requirement. PSL Model Checking and Run-time Verification via Testers 8

LTL Testers A Tester Recipe Another way to explain the justice requirement is that R ϕ expansion formula for the U (strong until) operator, namely represents an p U q ( q (p [p U q]) ). In general, a good first step when building a tester is to start with an expansion formula. However, the expansion formula alone is usually not sufficient for a proper tester. Indeed, consider the operator W(weak until), defined as p W q (true U p) p U q, which has exactly the same expansion formula, namely p W q ( q (p [p W q]) ). We use justice to differentiate between the two operators. PSL Model Checking and Run-time Verification via Testers 9

LTL Testers Building a Tester for an Arbitrary LTL Formula ϕ To build a tester T ϕ : If ϕ is a basic formula ( p or p U q) use the tester construction from the previous slides. Boolean connectives and propositions can be handled in a straightforward way. Otherwise, let ψ be an innermost sub-formula of ϕ. Build a tester T ψ for ψ, with the output variable x ψ. Inductively, build a tester T ϕ[ψ/xψ ] for ϕ[ψ/x ψ ]. T ϕ = T ϕ[ψ/xψ ] T ψ, where denotes synchronous composition. PSL Model Checking and Run-time Verification via Testers 10

LTL Testers A tester for ϕ = true U ( [b 1 U b 2 ] b 3 U [b 1 U b 2 ]) We start by identifying ψ = b 1 U b 2 to be the innermost formula and building the corresponding tester T b1 Ub 2. Assume that z is the output variable of the tester T b1 Ub 2. Let α = ϕ[b 1 U b 2 /z]. Note we can perform the substitution twice but there is no need for two testers, which can result in significant savings. After the substitution we obtain α = true U ( z (b 3 U z)). We proceed in similar fashion and build two more testers T z and T b3 Uz with the output variables x and y. After substitutions we obtain a formula β = true U [x y]. Since x y is just a boolean expression, the formula satisfies the condition of the base case and with one more step we finish the construction. The final result can be expressed as: T ϕ = T β T z T b3 Uz T b1 Ub 2, where x ϕ = x β. PSL Model Checking and Run-time Verification via Testers 11

LTL Testers Model Checking M for ϕ Construct a tester T ϕ for ϕ. Check if M T ϕ has a (fair) computation, such that s 0 [x ϕ ] = 0. PSL Model Checking and Run-time Verification via Testers 12

PSL Testers Building a Tester for ϕ = r ψ v r ψ j < v s.t. v 0..j r, v j.. ψ Our Plan: Build a tester for ψ. Build a grammar for r. Define expansion formula for the operator. Apply double representation approach introduced by Satoru Miyano and Takeshi Hayashi in Alternating Finite Automata on ω-words to define justice requirements. For simplicity, assume that r = {pq}[ ]. The general case is left as an exercise for the reader. PSL Model Checking and Run-time Verification via Testers 13

PSL Testers A Tester for ϕ = {pq}[ ] x ψ v {pq}[ ] x ψ j < v s.t. v 0..j {pq}[ ], v j = x ψ The associated right-linear grammar for the SERE {pq}[ ] is given by: V 1 pv 2 V 2 q qv 1 Note that V 1 x ψ p [ V 2 x ψ ] and V 2 x ψ (q x ψ ) (q [ V 1 x ψ ]). V ϕ : {p, q, x ϕ, x ψ, X 1, X 2, Y 1, Y 2 } Θ ϕ : 1 (X 1 = (p X 2)) (X 2 = (q x ψ ) (q X 1)) T ϕ : R ϕ (V, V ) : (Y 1 (p Y 2)) (Y 2 (q x ψ ) (q Y 1)) x ϕ = X 1 J ϕ : { Y 1 Y 2, X 1 = Y 1 X 2 = Y 2 } F ϕ : (X 1 = false) (X 2 = q x ψ ) PSL Model Checking and Run-time Verification via Testers 14

Run-time Monitoring with Testers Run-time Monitoring with Testers Assume a reactive system D and a PSL formula ϕ, which formalizes a property that D should satisfy. In order to test the conjecture that D satisfies ϕ, we construct a program M, to which we refer as a monitor, that observes individual behaviors of D. Behaviors of D are fed to the monitor state by state. After observing the finite sequence σ : s 0,..., s k for some k 0, we expect the monitor to be able to answer a subset of the following questions: 1. Does σ satisfy the formula ϕ? 2. Is ϕ negatively determined by σ? That is, is it the case that σ η = ϕ for all finite or infinite completions η. 3. Is ϕ positively determined by σ? That is, is it the case that σ η = ϕ for all finite or infinite completions η? 4. Is ϕ σ monitorable? That is, is it the case that there exists a finite η such that ϕ is positively or negatively determined by σ η. If D is expected to run forever then it is useless to continue monitoring after observing σ such that ϕ is not σ monitorable. PSL Model Checking and Run-time Verification via Testers 15

Conclusion Conclusion Our main contribution is extending LTL testers, introduced by Y. Kesten, A. Pnueli, and L. Raviv, to handle full PSL. Our construction is optimal. The size of a tester is exponential in the size of a given formula as long as all grammars are linear for their respective SEREs. The closest work to ours is Automata Construction for PSL by Bustan D., Fisman D. and Havlicek J.. They show how to build a Büchi automaton for a given PSL formula (via alternating Büchi automata). A surprising fact is that we can convert our tester to an automaton that is exactly the same as one produced via alternating automata. We just need to apply a standard conversion from GNBA (Generalized Nondeterministic Büchi Automata) to NBA, and pessimize the resulting automata. It is still advantageous to use testers. For example, a user can manually optimize a tester for a sub-formula and use it everywhere it is needed. PSL Model Checking and Run-time Verification via Testers 16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback