The Kind 2 Model Checker
Adrien Champion Christoph Sticksel Alain Mebsout Cesare Tinelli
Kind 2 is for safety analysis

Inputs:
  Reactive system model, written in Lustre
  Safety property, written in an extension of Lustre (contracts)
Both are compiled into a state transition system $\langle s, I(s), T(s, s') \rangle$ and a property $P$.

Outputs:
  safe: a proof certificate for $P$
  unsafe: a counterexample trace violating $P$

Architecture: a supervisor runs BMC, k-induction, IC3 and invariant discovery in parallel, each engine backed by its own SMT solver.
Component-level invariant discovery
Assume-guarantee contracts
node max (x: real) returns (m: real);
let
  m = x -> if x > pre x then x else pre x;
tel

node avg (x, y: real) returns (a: real);
(*@contract
  assume x <= y;
  guarantee x <= a and a <= y;
*)
let
  a = (x + y) / 2.0;
tel

node sav (x: real) returns (s: real);
(*@contract
  assume x > 0.0 and x > pre x;
  guarantee s <= max(x);
*)
let
  s = avg(x -> pre s, x);
tel
Compositional verification with assume-guarantee contracts

Bottom-up verification of the contracts of nodes, one node at a time.
Each called component is abstracted to its contract (assume/guarantee); its implementation is substituted back (refinement) only when the proof fails under the abstraction.
[Figure: node hierarchy with components 1 to 4, abstracted to their contracts and refined step by step]
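To make the contract semantics of the Lustre nodes above concrete, the following Python example (added here; it is not Kind 2 code, and Kind 2 proves these obligations symbolically rather than by running them) evaluates max, avg and sav over a finite input stream and checks every assumption and guarantee at each step. It also replaces the body of avg with abstractions that return any value avg's contract permits, which is how a caller (sav) is verified against a callee's contract rather than its implementation. The input streams and the deliberately wrong avg are constructed for the example.

```python
"""
Added example (not Kind 2 code): the three Lustre nodes from the slide (max, avg, sav)
evaluated over a finite input stream with their assume/guarantee contracts checked at
every step. The avg implementation can be swapped for an abstraction that returns any
value allowed by avg's contract, mirroring how a caller is verified against the
callee's contract rather than its body. Input streams below are constructed.
"""
from typing import Callable, List, Optional

Avg = Callable[[float, float], float]


class ContractViolation(Exception):
    pass


def avg_impl(x: float, y: float) -> float:
    """Body of node avg from the slide: a = (x + y) / 2.0"""
    return (x + y) / 2.0


# Abstractions of avg by its contract alone: any output in [x, y] is allowed,
# so the two extremes are the cases a caller's proof must survive.
def avg_upper(x: float, y: float) -> float:
    return y


def avg_lower(x: float, y: float) -> float:
    return x


def lustre_max(x: float, prev_x: Optional[float]) -> float:
    """node max: m = x -> if x > pre x then x else pre x (max of x and its previous value)"""
    return x if prev_x is None or x > prev_x else prev_x


def run_sav(xs: List[float], avg: Avg) -> List[float]:
    """Evaluate node sav step by step, raising ContractViolation at the first broken
    assumption or guarantee and naming the node responsible."""
    outputs: List[float] = []
    prev_x: Optional[float] = None   # pre x
    prev_s: Optional[float] = None   # pre s
    for n, x in enumerate(xs):
        # sav's assumption on its caller: x > 0.0 and x > pre x.
        # pre x has no value at the first step, so that conjunct is only checked from n = 1.
        if not (x > 0.0 and (prev_x is None or x > prev_x)):
            raise ContractViolation(f"step {n}: assumption of sav violated by input x={x}")
        left = x if prev_s is None else prev_s      # x -> pre s
        # Calling avg: the call site must establish avg's assumption x <= y.
        if not left <= x:
            raise ContractViolation(f"step {n}: sav violates assumption of avg ({left} <= {x})")
        s = avg(left, x)
        # avg's guarantee, checked on whatever implementation or abstraction was used.
        if not left <= s <= x:
            raise ContractViolation(f"step {n}: avg violates its guarantee ({left} <= {s} <= {x})")
        # sav's own guarantee: s <= max(x)
        if not s <= lustre_max(x, prev_x):
            raise ContractViolation(f"step {n}: sav violates its guarantee s <= max(x) ({s})")
        outputs.append(s)
        prev_x, prev_s = x, s
    return outputs


def first_violation(xs: List[float], avg: Avg) -> Optional[str]:
    """None if every contract holds along xs, else the message of the first violation."""
    try:
        run_sav(xs, avg)
    except ContractViolation as e:
        return str(e)
    return None


if __name__ == "__main__":
    xs = [1.0, 2.0, 4.0, 8.0]                          # constructed, strictly increasing input
    print(run_sav(xs, avg_impl))                       # [1.0, 1.5, 2.75, 5.375]
    print(run_sav(xs, avg_upper), run_sav(xs, avg_lower))  # sav's guarantee survives both extremes
    print(first_violation([1.0, 1.0], avg_impl))       # the input breaks sav's assumption
    print(first_violation(xs, lambda x, y: y + 1.0))   # a wrong avg is blamed at avg, not at sav
```

Running sav against avg_upper and avg_lower shows why the abstraction is sound for this caller: sav's guarantee s <= max(x) follows from avg's guarantee a <= y alone, so the body of avg never needs to be unfolded. When the wrong avg is plugged in, the violation is reported at avg's guarantee, which is the component a compositional proof would refine.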
Proof certificates

When a property is proved, Kind 2 emits an LFSC script that is independently checkable.
It contains the SMT proofs of the three obligations for a $k$-inductive strengthening $\Phi$ of the property $P$:
  $\Phi \models P$  (the strengthened invariant implies the property)
  $I \wedge T^k \models \Phi$  (base case: $\Phi$ holds on the states reached from $I$ within the first $k$ steps)
  $\Phi_k \wedge T^k \models \Phi'$  (inductive step: if $\Phi$ holds on $k$ consecutive states, it holds on the next one)
Together these yield $\Box\Phi$, and hence $\Box P$.
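The engines in the architecture slide (BMC and k-induction) and the three certificate obligations above are the same checks seen from two sides. The Python example below (added here; not Kind 2 code, which discharges these obligations with an SMT solver rather than by enumeration) implements them by explicit enumeration over a small finite-state system $\langle S, I, T \rangle$: `bmc` is the base case, `inductive_step` is the step case, `k_induction` is the engine that increases k, and `check_certificate` is what an independent checker verifies for a pair (Φ, k). The two-counter system, its properties and the strengthening invariant are constructed for the example; the property is true on every reachable state but is only 8-inductive on its own, while the constructed invariant Φ (the counters stay equal) makes it provable at k = 1.

```python
"""
Added example (not Kind 2 code): BMC, k-induction and certificate checking by explicit
enumeration over a small finite-state transition system <S, I(s), T(s, s')>.
The two-counter system and its properties below are constructed for illustration.
"""
from itertools import product


class TransitionSystem:
    def __init__(self, states, init, trans):
        self.states = list(states)   # S: every state in the (finite) domain
        self.init = init             # I(s): state -> bool
        self.trans = trans           # T(s, s'): state -> iterable of successor states

    def paths(self, k, start=None):
        """All paths s_0 ... s_k (k transitions) from `start`, or from every state if None."""
        stack = [(s,) for s in (self.states if start is None else [start])]
        while stack:
            path = stack.pop()
            if len(path) == k + 1:
                yield path
            else:
                stack.extend(path + (s,) for s in self.trans(path[-1]))


def bmc(ts, prop, depth):
    """Base case / BMC: I and T^i entail prop for every i <= depth.
    Returns a violating trace s_0 ... s_i or None."""
    for i in range(depth + 1):
        for s0 in filter(ts.init, ts.states):
            for path in ts.paths(i, start=s0):
                if not prop(path[-1]):
                    return path
    return None


def inductive_step(ts, phi, k):
    """Step case: phi on k consecutive states (phi_k and T^k) entails phi on the next one.
    Returns a counterexample-to-induction path s_0 ... s_k or None.
    s_0 ranges over ALL states, reachable or not, which is why unreachable
    states can block the proof until k is large enough or phi is strengthened."""
    for path in ts.paths(k):
        if all(phi(s) for s in path[:-1]) and not phi(path[-1]):
            return path
    return None


def k_induction(ts, prop, max_k):
    """Try k = 1 .. max_k. Returns ("unsafe", trace), ("safe", k) or ("unknown", max_k)."""
    for k in range(1, max_k + 1):
        trace = bmc(ts, prop, k - 1)
        if trace is not None:
            return ("unsafe", trace)
        if inductive_step(ts, prop, k) is None:
            return ("safe", k)
    return ("unknown", max_k)


def check_certificate(ts, prop, phi, k):
    """Check a certificate (phi, k) for prop the way an independent checker would:
    phi entails prop; I and T^i entail phi for i < k; phi_k and T^k entail phi'.
    Together these give "always phi", hence "always prop"."""
    implies = all(prop(s) for s in ts.states if phi(s))
    base = bmc(ts, phi, k - 1) is None
    step = inductive_step(ts, phi, k) is None
    return implies and base and step


# Constructed system: two counters modulo N that start together and step in lockstep.
N = 8


def two_counters():
    states = product(range(N), range(N))
    init = lambda s: s == (0, 0)
    trans = lambda s: [((s[0] + 1) % N, (s[1] + 1) % N)]
    return TransitionSystem(states, init, trans)


def safe_prop(s):        # true on every reachable state, but only N-inductive on its own
    return not (s[0] == 0 and s[1] == 4)


def lockstep(s):         # strengthening invariant: 1-inductive and implies safe_prop
    return s[0] == s[1]


def bad_prop(s):         # false: the first counter does reach 5
    return s[0] != 5


if __name__ == "__main__":
    ts = two_counters()
    print(k_induction(ts, safe_prop, N))                  # ('safe', 8)
    print(check_certificate(ts, safe_prop, lockstep, 1))  # True
    print(k_induction(ts, bad_prop, N))                   # ('unsafe', trace ending in (5, 5))
```

Note what the strengthening buys: `safe_prop` alone needs k = N because the unreachable states with unequal counters satisfy the property for up to N-1 steps before violating it, whereas `lockstep` excludes them outright, so the certificate (lockstep, 1) is both smaller and cheaper to check. Invariant discovery in Kind 2 exists to find such a Φ.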
Download or try it out at http://kind.cs.uiowa.edu/

Ongoing and Future Work
[Cactus plot: time in s (log scale, 1 to 10000) against number of benchmarks solved (100 to 800)]
  Kind 2   866 solved
  jKind    863 solved
  NuXmv    842 solved
  PKind    780 solved
  Zustre   845 solved