formal verification by model checking
play

Formal Verification by Model Checking Jonathan Aldrich Carnegie - PDF document

Jan 19, 2024 •49 likes •289 views

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain:

  1. Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 15-413: Introduction to Software Engineering Fall 2005 3 Formal Verification by Model Checking Domain: Continuously operating concurrent systems (e.g. operating systems, hardware controllers and network protocols) • Ongoing, reactive semantics • Non-terminating, infinite computations • Manifest non-determinism Instrument: Temporal logic [Pnueli 77] is a formalism for reasoning about behavior of reactive systems 4 1

  2. Temporal Logic Model Checking [Clarke,Emerson 81][Queille,Sifakis 82] • Systems are modeled by finite state machines • Properties are written in propositional temporal logic • Verification procedure is an exhaustive search of the state space of the design • Diagnostic counterexamples 5 Temporal Logic Model Checking Finite State Machine Preprocessor Property Model Checker True or Counterexample 6 2

  3. What is Model Checking? Does model M satisfy a property P ? (written M |= P) What is “M”? What is “P”? What is “satisfy”? 7 What is “M”? States: valuations to all variables a b Initial states: subset of states Arcs: transitions between states Atomic Propositions: b c c e.g. x = 5, y = true State Transition Graph or Kripke Model 8 3

  4. What is “M”? M = 〈 S , S 0 , R , L 〉 Kripke structure: S – finite set of states S 0 ⊆ S – set of initial states R ⊆ S × S – set of arcs L : S → 2 AP – mapping from states to a set of atomic propositions 9 Model of Computation a b a b b c c a b c c b c c State Transition Graph Infinite Computation Tree Unwind State Graph to obtain Infinite Tree. A trace is an infinite sequence of states. 10 4

  5. Semantics a b a b b c c a b c c b c c State Transition Graph Infinite Computation Tree The semantics of a FSM is a set of traces . Semantics of the composition of FSMs is the intersection of traces of individual FSMs. 11 What is “P”? Different kinds of temporal logics Syntax: What are the formulas in the logic? Semantics: What does it mean for model M to satisfy formula P ? Formulas: - Atomic propositions: properties of states - Temporal Logic Specifications: properties of traces. 12 5

  6. Computation Tree Logics Examples: Safety (mutual exclusion): no two processes can be at a critical section at the same time Liveness (absence of starvation): every request will be eventually granted Temporal logics differ according to how they handle branching in the underlying computation tree. In a linear temporal logic (LTL), operators are provided for describing system behavior along a single computation path. In a branching-time logic (CTL), the temporal operators quantify over the paths that are possible from a given state. 13 Computation Tree Logics Formulas are constructed from path quantifiers and temporal operators: 1. Path Quantifiers: • A – ‘’for every path’’ • E – ‘’there exists a path’’ 2. Temporal Operator: X α α α - α α α α α holds next time • F α α - α α α α α α holds sometime in the future • α - α G α α α α holds globally in the future α α • α U β - α α α α α α α holds until β holds • 14 6

  7. Formulas over States and Paths • State formulas – Describe a property of a state in a model M – If p ∈ AP , then p is a state formula – If f and g are state formulas, then ¬ f , f ∧ g and f ∨ g are state formulas – If f is a path formula, then E f and A f are state formulas • Path formulas – Describe a property of an infinite path through a model M – If f is a state formula, then f is also a path formula – If f and g are path formulas, then ¬ f , f ∧ g , f ∨ g , X f , F f , G f , and f U g are path formulas 15 Notation • A path π in M is an infinite sequence of states s 0 , s 1 ,… such that for every i ≥ 0, ( s i , s i+1 ) ∈ R • π i denotes the suffix of π starting at s i • If f is a state formula, M , s ⊨ f means that f holds at state s in the Kripke structure M • If f is a path formula, M , π ⊨ f means that f holds along path π in the Kripke structure M 16 7

  8. Semantics of Formulas M , s ⊨ p ⇔ p ∈ L ( s ) M , π ⊨ f ⇔ π = s… ∧ M , s ⊨ f M , s ⊨ ¬ f ⇔ M , s ⊭ f M , π ⊨ ¬ g ⇔ M , π ⊭ g M , s ⊨ f 1 ∧ f 2 ⇔ M , s ⊨ f 1 ∧ M , s ⊨ f 2 M , π ⊨ g 1 ∧ g 2 ⇔ M , π ⊨ g 1 ∧ M , π ⊨ g 2 M , s ⊨ f 1 ∨ f 2 ⇔ M , s ⊨ f 1 ∨ M , s ⊨ f 2 M , π ⊨ g 1 ∨ g 2 ⇔ M , π ⊨ g 1 ∨ M , π ⊨ g 2 ⇔ M , π 1 ⊨ g M , s ⊨ E g 1 ⇔ ∃ π = s… | M , π ⊨ g 1 M , π ⊨ X g ⇔ ∃ k ≥ 0 | M , π k ⊨ g M , s ⊨ A g 1 ⇔ ∀ π = s… M , π ⊨ g 1 M , π ⊨ F g ⇔ ∀ k ≥ 0 | M , π k ⊨ g M , π ⊨ G g ⇔ ∃ k ≥ 0 | M , π k ⊨ g 2 M , π ⊨ g 1 U g 2 ∧ ∀ 0 ≤ j<k M , π j ⊨ g 1 17 The Logic LTL Linear Time Logic (LTL) [Pnueli 77]: logic of temporal sequences. Has form A f where f is a path formula which has no path quantifiers ( A or E ) α : α • α α α α α α holds in the current state α α α α α : α • AX α α α α α α holds in the next state α α α α γ : γ • AF γ γ γ γ holds eventually γ γ γ γ γ γ • AG λ λ : λ λ holds from now on λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ λ • A ( α α U β α α β β ) : α β α α holds until β α β holds β β α α α α α α α α β β β β 18 8

  9. The Logic CTL In a branching-time logic (CTL), the temporal operators quantify over the paths that are possible from a given state (s 0 ). Requires each temporal operator ( X , F , G , and U ) to be preceded by a path quantifier ( A or E ). c c c c c c c c c M, s 0 ⊨ AF c M, s 0 ⊨ AG c c c c c M, s 0 ⊨ EF c M, s 0 ⊨ EG c 19 Typical CTL Formulas EF ( Started ∧ ¬ ����� ������������������������������������������ �������� ���������� • ������ �������������� AG � ��� ⇒ AF ��� ������������ ��������� ������������������������������ � ������������� � AG � �����!������ ��� DeviceEnabled always holds on every computation path. • AG ( EF Restart ): from any state it is possible to get to the Restart state. 20 9

  10. Announcements • Please email your Stack.java file to Marwan for Assignment 8 part 4 – This will help with the grading 21 Trivia • AG ( EF p ) cannot be expressed in LTL – Reset property: from every state it is possible to get to p a • But there might be paths where you never get to p – Different from A ( GF p ) • Along each possible path, for each state in the path, there b p is a future state where p holds • Counterexample: ababab… 22 10

  11. Trivia • A ( FG p ) cannot be expressed in CTL – Along all paths, one eventually s 0 reaches a point where p p always holds from then on • But at some points in some paths where p always holds, there might be a diverging s 1 s 2 path where p does not hold b p – Different from AF(AG p ) • Along each possible path there exists a state such that p always holds from then on • Counterexample: the path that stays in s 0 23 LTL Conventions • Often leave the initial A implicit • G is sometimes written ⎕ • F is sometimes written ♢ 24 11

  12. Linear vs. branching-time logics some advantages of LTL some advantages of BT logics • LTL properties are preserved • BT allows expression of some under “abstraction”: i.e., if M useful properties like ‘reset’. “approximates” a more complex • CTL, a limited fragment of the model M ’, by introducing more more complete BT logic CTL*, paths, then can be model checked in time M� � ψ ⇒ M ’ � ψ linear in the formula size (as well as in the transition system). • “counterexamples” for LTL are But formulas are usually far simpler: consisting of single executions (rather than trees). smaller than system models, so this isn’t as important as it may • The automata-theoretic approach first seem. to LTL model checking is simpler Some BT logics, like µ -calculus • (no tree automata involved). and CTL, are well-suited for the • anecdotally, it seems most kind of fixed-point computation properties people are interested in scheme used in symbolic model are linear-time properties. checking. 25 CTL Model Checking Theorem: Any CTL formula can be expressed in terms of ¬ , ∨ , • EX , EU , and EG . – F p = true U p – A [x U y] = ¬ ( EG ¬ y ∨ E [ ¬ y U ¬ (x ∨ y)]) – AX p = ¬ EX ¬ p – AG p = ¬ EF ¬ p • Model checking: determine which states of M satisfy f • Algorithm – Consider all subformulas of f , in order of depth of nesting – Initially, label each state with the atomic subformulas that are true in that state – For each formula, use information about the states where the immediate subformulas are true to label states with the new formula 26 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 Formal Verification by Model Checking Domain:

380 views • 13 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 ,

Formal Verification of P Systems with Active Membranes through Model Checking Florentin Ipate 1 , Raluca Lefticaru 1 , Ignacio Prez-Hurtado 2 , Mario J. Prez-Jimnez 2 , Cristina Tudose 1 1 University of Pitesti 2 University of Sevilla

578 views • 23 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

706 views • 56 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal

CS6480: Model Checking and TLC Robbert van Renesse Cornell University What is formal verification? Does so&amp;ware correctly implement a specifica3on? Does so&amp;ware have desired proper3es (safety, liveness, other)? Is a par3cular

1.25k views • 47 slides
Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal

Spark verification features Paul Jackson School of Informatics University of Edinburgh Formal Verification Spring 2018 Adding specification information to programs Verification concerns checking whether some model (or program) has desired

476 views • 22 slides
Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of

Formal Verification using Parity Games Mathias N. Justesen DTU Compute, Technical University of Denmark (DTU) Overview Background Many problems within formal verification can be reduced to solving parity games Model checking (Stirling,

794 views • 64 slides
Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification

Introduction Modeling Specification Algorithms Conclusions Formal Verification, Model Checking Radek Pel anek Introduction Modeling Specification Algorithms Conclusions Motivation Formal Methods: Motivation examples of what can go

986 views • 74 slides
Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal

Alpine Verification Meeting 2013, FBK, Trento, Italy. Optimization Techniques For Craig Interpolant Compaction In Unbounded Model Checking Danilo Vendraminetto PhD student at Formal Methods Group, Politecnico di Torino, Torino, Italy. Before

880 views • 40 slides
VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking

VTSA10 Summer School, Luxembourg, September 2010 Introduction Probabilistic model checking Model checking Automated formal verification for finite-state models Finite-state model System Result Model checker e.g. SMV, Spin Counter-

776 views • 58 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides
Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of

Probabilistic Model Checking Michaelmas Term 2011 Dr. Dave Parker Department of Computer Science University of Oxford Probabilistic Model Checking Formal verification and analysis of systems that exhibit probabilistic

821 views • 40 slides
Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and

Model Checking Continuous-Time Markov Chains Joost-Pieter Katoen Software Modeling and Verification Group RWTH Aachen University associated to University of Twente, Formal Methods and Tools Lecture at Quantitative Model Checking School, March

672 views • 66 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
Temporal Logic and Model Checking Model mathematical structure extracted from hardware or

Temporal Logic and Model Checking Model mathematical structure extracted from hardware or

Temporal Logic and Model Checking Model mathematical structure extracted from hardware or software Temporal logic provides a language for specifying functional properties Model checking checks whether a given property holds

1.56k views • 131 slides
Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring

Model Checking and Predicate Abstrac5on CSE 501 Spring 15 1 With slides from Emina Torlak (507) Course Outline Sta5c analysis Language design Program

813 views • 52 slides
Lecture 3 Linear Temporal Logic (LTL) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu

Lecture 3 Linear Temporal Logic (LTL) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu

Lecture 3 Linear Temporal Logic (LTL) Richard M. Murray Nok Wongpiromsarn Ufuk Topcu California Institute of Technology AFRL, 24 April 2012 Outline Principles of Model Syntax and semantics of LTL Checking , Specifying properties in

472 views • 21 slides
Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University

Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University

Computation Tree Logic (CTL) Fazle Rabbi University of Oslo, Oslo, Norway Bergen University College, Bergen, Norway fazlr@student.matnat.uio.no, Fazle.Rabbi@hib.no May 30, 2015 Fazle Rabbi et al. (UiO, HiB) Computation Tree Logic May 30,

507 views • 25 slides
NuSMV and Symbolic Model Checking A. Cimatti, M. Pistore, and M. Roveri NuSMV Project Sep 1,

NuSMV and Symbolic Model Checking A. Cimatti, M. Pistore, and M. Roveri NuSMV Project Sep 1,

NuSMV and Symbolic Model Checking A. Cimatti, M. Pistore, and M. Roveri NuSMV and Symbolic Model Checking A. Cimatti, M. Pistore, and M. Roveri NuSMV Project Sep 1, 2002 Trento (Italy) NuSMV Project, Sep 1, 2002, Trento (Italy) 1

1.24k views • 105 slides
3 COMP 1 5 9 3 Algorithmic Verification Timed CTL and TCTL C Dr. Liam OConnor CSE, UNSW

3 COMP 1 5 9 3 Algorithmic Verification Timed CTL and TCTL C Dr. Liam OConnor CSE, UNSW

&lt;latexit

485 views • 30 slides
A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas

A Crash Course on A Crash Course on Temporal Specifications Temporal Specifications [Kansas State] John Hatcliff Work on specification patterns by Matthew Dwyer, Jay Corbett, and George Avrunin http://www.cis.ksu.edu/santos/bandera

303 views • 29 slides

More recommend