Model Checking with Automata An Overview

Similar documents
T Reactive Systems: Kripke Structures and Automata

Timo Latvala. January 28, 2004

Model checking Timber program. Paweł Pietrzak

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

Formal Methods in Software Engineering. Lecture 07

4/6/2011. Model Checking. Encoding test specifications. Model Checking. Encoding test specifications. Model Checking CS 4271

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

Distributed Systems Programming (F21DS1) Formal Verification

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Formal Methods for Software Development

Network Protocol Design and Evaluation

Sérgio Campos, Edmund Clarke

Linear Temporal Logic. Model Checking and. Based on slides developed by Natasha Sharygina. Carnegie Mellon University.

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

SPIN part 2. Verification with LTL. Jaime Ramos. Departamento de Matemática, Técnico, ULisboa

LTL Reasoning: How It Works

Double Header. Two Lectures. Flying Boxes. Some Key Players: Model Checking Software Model Checking SLAM and BLAST

INF5140: Specification and Verification of Parallel Systems

Model Checking. Automatic Verification Model Checking. Process A Process B. when not possible (not AI).

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

THE MODEL CHECKER SPIN

Model-Checking Concurrent Systems. The Model Checker Spin. The Model Checker Spin. Wolfgang Schreiner

Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking

Verifying C & C++ with ESBMC

Model-Checking Concurrent Systems

Automata-Theoretic LTL Model Checking. Emptiness of Büchi Automata

[module 2.2] MODELING CONCURRENT PROGRAM EXECUTION

Formal Verification by Model Checking

Logic Model Checking

INF672 Protocol Safety and Verification. Karthik Bhargavan Xavier Rival Thomas Clausen

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis II

The SPIN Model Checker

Software Model Checking: Theory and Practice

Formal Specification and Verification

Negations in Refinement Type Systems

The Spin Model Checker : Part I/II

Proving the Correctness of Distributed Algorithms using TLA

CS 510/13. Predicate Abstraction

Design and Analysis of Distributed Interacting Systems

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

Distributed Systems Programming (F21DS1) SPIN: Formal Analysis I

Temporal Refinement Using SMT and Model Checking with an Application to Physical-Layer Protocols

The Maude LTL Model Checker and Its Implementation

Scenario Graphs Applied to Security (Summary Paper)

Parallel Model Checking of ω-automata

Cover Page. The handle holds various files of this Leiden University dissertation

Computer Lab 1: Model Checking and Logic Synthesis using Spin (lab)

Overview of SRI s. Lee Pike. June 3, 2005 Overview of SRI s. Symbolic Analysis Laboratory (SAL) Lee Pike

CS 267: Automated Verification. Lecture 13: Bounded Model Checking. Instructor: Tevfik Bultan

The ComFoRT Reasoning Framework

The UPPAAL Model Checker. Julián Proenza Systems, Robotics and Vision Group. UIB. SPAIN

Model Checking. Dragana Cvijanovic

Finite State Verification. CSCE Lecture 21-03/28/2017

Finite State Verification. CSCE Lecture 14-02/25/2016

Formal Methods in Software Development

On Nested Depth First Search

Patrick Trentin Formal Methods Lab Class, March 03, 2017

Model Checking of Hierarchical State Machines

Having a BLAST with SLAM

Having a BLAST with SLAM

Automated Reasoning. Model Checking with SPIN (II)

More on Verification and Model Checking

Tool demonstration: Spin

Introduction & Formal Methods

State-Based Techniques For Designing, Verifying And Debugging Message Passing Systems

Formal Verification: Practical Exercise Model Checking with NuSMV

Thread Synchronization: Too Much Milk

Discrete Mathematics Lecture 4. Harper Langston New York University

Semaphores. May 10, Mutual exclusion with shared variables is difficult (e.g. Dekker s solution).

Specification and Analysis of Real-Time Systems Using Real-Time Maude

University of Nevada, Las Vegas Computer Science 456/656 Fall 2016

Automatic Software Verification

Ashish Sabharwal Computer Science and Engineering University of Washington, Box Seattle, Washington

Rafael Mota Gregorut. Synthesising formal properties from statechart test cases

Proving liveness. Alexey Gotsman IMDEA Software Institute

Seminar Software Quality and Safety

Building Graphical Promela Models using UPPAAL GUI

Timed Automata: Semantics, Algorithms and Tools

Distributed Memory LTL Model Checking

Formal Verification of Control Software: A Case Study

Leveraging DTrace for runtime verification

Lecture 2. Decidability and Verification

Safety and liveness for critical sections

Verification of Concurrent Programs, Part I: The Temporal Framework

Verifying Temporal Properties via Dynamic Program Execution. Zhenhua Duan Xidian University, China

Lecture 9: Reachability

Property Specifications

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

The SPIN Model Checker

Software Model Checking. From Programs to Kripke Structures

Specification and Analysis of Contracts Tutorial

System Debugging and Verification : A New Challenge. Center for Embedded Computer Systems University of California, Irvine

Formal Methods for Software Development

Linear-Time Model Checking: Automata Theory in Practice

Summary of Course Coverage

AsmL Specification and Verification of Lamport s Bakery Algorithm

Model-Driven Verifying Compilation of Synchronous Distributed Applications

Lecture 2: Symbolic Model Checking With SAT

Part II. Hoare Logic and Program Verification. Why specify programs? Specification and Verification. Code Verification. Why verify programs?

Context-Switch-Directed Verification in DIVINE

Transcription:

Model Checking with Automata An Overview Vanessa D Carson Control and Dynamical Systems, Caltech Doyle Group Presentation, 05/02/2008 VC 1

Contents Motivation Overview Software Verification Techniques Model Checking System Modeling Specification Modeling Verification Next Lecture Doyle Group Presentation, 05/02/2008 VC 2

Motivation Software bugs are hard to find Example: Mars Polar Lander 1999 Study Martian weather, climate, water and C0 2 levels Last telemetry sent prior to atmospheric entry Potential software/hardware error Logic for engine cutoff that engaged when lander legs were deployed ~40 m above ground Some vibration caused sensors to trip engine cut-off Input and its effects on state not considered appropriately Software systems are complex Multiple processes running concurrently sensors, planners, actuators complexity of process interleavings reasoning about distributed systems Interested in systems that do not halt Assure that system behaves as intended Doyle Group Presentation, 05/02/2008 VC 3

Techniques in Software Verification Software Testing Simulation and Testing Formal Verification Deductive Verification Model Checking Inject Inputs Simulation Or Implementation Observe outputs System Model System Model + System Spec Deductive Verification Proof methods Model Checking Algorithmic methods Proof in Logical Calculus YES/NO Proving coverage Rarely possible to check all software interactions Tools: Code coverage tools, parsers, random testing Complex systems => large models DV: Length of proof/expertise MC: physical limitations Tools: Isabelle, HOL, ACL2,PVS (DV), SPIN (MC) Doyle Group Presentation, 05/02/2008 VC 4

Concurrency and Shared Variables Two processes P 0 and P 1 executing on a single core CPU P 0 P 1 P 0 and P 1 are loaded into the processor and executed one at a time according to a schedule Processor Scheduler P 0 OS process P 1 P 0 Determines what process to put into context based on some scheduling algorithm P 0 and P 1 may share some memory and may read and write to it Memory P 0 Var=100 writebuf= xy OSVar= root P 1 Var=50 Shared variable between process P0 and P1 Doyle Group Presentation, 05/02/2008 VC 5

Concurrency Issues P 0 while True do getsciencedata(sciencedata); writetobuffer(writebuff, sciencedata); writetofile(writebuff, sciencefile); clearbuffer(writebuff); end while; P 0 writes science data to sciencefile Science Data Overwritten! P 1 while True do getspacecrafthealthdata(healthdata); writetobuffer( writebuff, healthdata); writetofile(writebuff, healthfile); clearbuffer(writebuff); end while; P 1 writes spacecraft health data to healthfile Doyle Group Presentation, 05/02/2008 VC 6

Model Checking Process System Model Specification Modeling: Convert a design to a formalism accepted by a model checker Verification MODEL CHECKER YES Specification Met NO Counterexample Found Specification: State the properties that the design must satisfy Verification: Verify correctness of specification with respect to the model Verification is performed automatically by an exhaustive search of the state space of the system Doyle Group Presentation, 05/02/2008 VC 7

System Modeling System Model Specification Verification MODEL CHECKER YES Specification Met NO Counterexample Found Doyle Group Presentation, 05/02/2008 VC 8

Modeling with Finite State Automata int x = 13; x = x/2 while (x == 13) { x = x + 2; x = 13 x = x+2 while (x > 0) { s0 s1 s2 s3 x > 0 x = x/2; } } x <= 0 Doyle Group Presentation, 05/02/2008 VC 9

Reasoning about Program Execution The automaton A An execution of A x = x/2 s1 s2 s3 s0 x = 13 x = x+2 s1 s2 s3 x > 0 x <= 0 s0 s3 s2 s2 s3 A run of the automaton r = s0 s1 s2s3 s2s3 s2s3 s2s3 s0 13 15 7 3 1 0 s0 Doyle Group Presentation, 05/02/2008 VC 10

Modeling with Büchi Automata Most concurrent systems do not to halt during normal execution Decide on acceptance of ongoing, potentially infinite executions OS schedulers, control software Require Finite State Automata over infinite words A Büchi automaton is a finite state automaton that accepts infinite runs Doyle Group Presentation, 05/02/2008 VC 11

Büchi Automaton Language a Two state Büchi automaton A s0 s1 Initial and accepting state s 0 Accepts infinite number of symbol a a b b L(A) ={set of w-words over {a,b} with infinitely many a s} L(A) = {(b*a) w } Doyle Group Presentation, 05/02/2008 VC 12

Mutual Exclusion P 0 P 1 Memory P 0 Var=100 writebuf= xy OSVar= root P 1 Var=50 Problem P 0 alters the variable writebuf over some execution steps P 1 gets triggered while P 0 is in the process of overwriting variable writebuf writebuf is in an inconsistent and unpredictable state Solution Avoid simultaneous use of a common resource Divide code into critical sections to protect shared data Mutual exclusion algorithms exist Lamport s Bakery, Peterson s, Doyle Group Presentation, 05/02/2008 VC 13

Mutual Exclusion Example P 0 ::l 0 : while True do NC 0 : wait(turn = 0); CR 0 : turn := 1; end while; l 0 P 1 ::l 1 : while True do NC 1 : wait(turn = 1); CR 1 : turn := 0; end while; l 1 Problem Description Two asynchronous processes P 0 and P 1 P 0 and P 1 share a variable turn P 0 and P 1 can not be in their critical section at the same time P 0 shall eventually enter into its critical region Model variables of interest Shared variable state Location of execution with program counter Doyle Group Presentation, 05/02/2008 VC 14

Program Translation Manna, Pnueli (1995) Program translation formula takes a sequential program and transforms to a first order formula that represents the set of transitions of the program The initial states of each process P I are described by the formula Apply translation procedure C, then for each process P i Doyle Group Presentation, 05/02/2008 VC 15

Mutex Model P 0 has lock P 1 has lock P 0 ::l 0 : while True do NC 0 : wait(turn = 0); CR 0 : turn := 1; end while; l 0 P 1 ::l 1 : while True do NC 1 : wait(turn = 1); CR 1 : turn := 0; end while; l 1 Note: This is a Kripke Model Kripke => Büchi transformation exists Doyle Group Presentation, 05/02/2008 VC 16

Mutex Büchi Model P 0 has lock P 1 has lock s0 s1 r1 r0 s2 r2 s3 s4 r4 r3 s5 s7 r6 r5 s6 r7 Doyle Group Presentation, 05/02/2008 VC 17

Specification System Model Specification Verification MODEL CHECKER YES Specification Met NO Counterexample Found Doyle Group Presentation, 05/02/2008 VC 18

Modeling Specifications Goal: Model desirable properties of a system as correctness claims Proving essential logical correctness properties independent of Execution speeds relative speeds of of processes, instruction execution time Probability of occurrence of events packet loss, failure of external device Two types of correctness claims [Lamport 1983, Pnueli 1995] Safety set of properties the system may not violate State properties: Claims about reachable/unreachable states System invariant: holds in every reachable state Process assertion: holds in specific reachable states Liveness set of properties the system must satisfy Path properties: Claims about feasible/unfeasible executions Several techniques available LTL, Propositional Logic, Büchi Automata Doyle Group Presentation, 05/02/2008 VC 19

LTL Specification Commonly used LTL formulas Safety Liveness Doyle Group Presentation, 05/02/2008 VC 20

Mutual Exclusion Example P 0 ::l 0 : while True do NC 0 : wait(turn = 0); CR 0 : turn := 1; end while; l 0 P 1 ::l 1 : while True do NC 1 : wait(turn = 1); CR 1 : turn := 0; end while; l 1 Problem Description Two asynchronous processes P 0 and P 1 P 0 and P 1 share a variable turn P 0 and P 1 can not be in their critical section at the same time P 0 shall eventually enter into its critical region Model variables of interest Shared variable state Location of execution with program counter Doyle Group Presentation, 05/02/2008 VC 21

Mutex Specification Both processes can not simultaneously be in their critical regions The process P 0 will eventually enter its critical region x0 x1 y0 y1 TRUE TRUE Mutual Exclusion Property Liveness Property For every temporal logic formula there exists a Büchi automaton that accepts precisely those runs that satisfy the formula Doyle Group Presentation, 05/02/2008 VC 22

Properties of Büchi Automata Closed under intersection and complementation There exists an automaton that accepts exactly the intersection of the languages of a set of automata There exists an automaton that recognizes the complement of the language of the given automaton Language emptiness is decidable Whether the set of accepting runs is empty The verification problem is equivalent to an emptiness test for an intersection product of Büchi automata Doyle Group Presentation, 05/02/2008 VC 23

Verification System Model Specification Verification MODEL CHECKER YES Specification Met NO Counterexample Found Doyle Group Presentation, 05/02/2008 VC 24

Verification Condition Goal: Verify that all possible behaviors of the model of the system A satisfy the specification S If I is empty, then A satisfies S If I is not empty, then A can violate S, and I contains at least one complete counterexample that proves it Possible executions Invalid Executions Executions that are possible and invalid Doyle Group Presentation, 05/02/2008 VC 25

Complementing the Specification LTL Specification Büchi Automata Specification x0 x1 TRUE y0 y1 Taking the negation Taking the complement TRUE x0 x1 TRUE y0 y1 Doyle Group Presentation, 05/02/2008 VC 26 TRUE

Union of Complement Specification Goal: Construct an automaton that recognizes the union of languages of both automata x0 x1 i0 TRUE y0 y1 TRUE Doyle Group Presentation, 05/02/2008 VC 27

Intersection Of Automata Goal: Construct an automaton that recognizes the intersection of languages of both automata System Model A Complement of Specification, S i0 x0 y0 x1 y1 TR UE TRUE Doyle Group Presentation, 05/02/2008 VC 28

Partial Representations of Intersection Automaton i0, s0 x0, s1 y0,s1 x1,s0 x0, s2 y0,s2 x1,s1 x0, s3 x0, s4 y0,s3 y0,s5 y0,s4 x1,s2 x0, s5 x0, s6 x1,s3 x1,s4 x0, s7 y1,s6 y1,r2 No initial conditions to sub-automaton Doyle Group Presentation, 05/02/2008 VC 29

Mutex Büchi Model/Spec x0 x1 i0 y0 s s 0 1 TRUE r1 r0 y1 TR UE s 2 r2 s 3 s 4 r4 r3 s 5 s 7 r6 r5 s 6 r7 Doyle Group Presentation, 05/02/2008 VC 30

Verification of Mutual Exclusion x1,s0 x1,s1 x1,s2 Any state of the form (x1,sk) is not reachable from any initial state The transition to x1 implies both critical regions have been entered simultaneously x1,s3 x1,s4 The system satisfies the mutual exclusion property Checking non-emptiness of Büchi automaton B is equivalent to finding a strongly connected component that is reachable from an initial state and contains an accepting state Doyle Group Presentation, 05/02/2008 VC 31

Partial Representations of Intersection Automaton i0, s0 x0, s1 y0,s1 x1,s0 x0, s2 y0,s2 x1,s1 x0, s3 x0, s4 y0,s3 y0,s5 y0,s4 x1,s2 x0, s5 x0, s6 x1,s3 x1,s4 x0, s7 y1,s6 y1,r2 No initial conditions to sub-automaton Doyle Group Presentation, 05/02/2008 VC 32

Verification of Liveness Property i0, s0 x0, s1 y0,s1 Tarjan s DFS algorithm for finding strongly connected components x0, s2 y0,s2 O(num states + num transitions) Double DFS x0, s3 x0, s4 y0,s3 y0,s4 Found accepting run that has an accepting state with cycle back to itself x0, s5 x0, s6 y0,s5 Counterexample found <i0,s0><y0,s1><y0,s2><y0,s3>* x0, s7 y1,s6 The system does not satisfy the absence of starvation property Doyle Group Presentation, 05/02/2008 VC 33

Note on Automaton Unwinding i0, s0 i0, s0 y0,s1 y0,s2 Unwinding operation y0,s3 y0,s1 y0,s2 y0,s3 y0,s4 y0,s4 y0,s5 y0,s3 y0,s3 y0,s5 y0,s5 y1,s6 y1,s6 y0,s3 y0,s5 Automaton Computational Path Doyle Group Presentation, 05/02/2008 VC 34

Next Time State space reduction Abstractions Partial Order Reduction Compositional Reasoning Symbolic Model Checking Doyle Group Presentation, 05/02/2008 VC 35

References Clarke, EM Model Checking, 1999 Holzman, G The SPIN Model Checker, 2003 Sipser, M, Introduction to the Theory of Computation, 2005 Doyle Group Presentation, 05/02/2008 VC 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback