Program Synthesis is a Game


1 Program Synthesis is a Game. Barbara Jobstmann, CNRS/Verimag, Grenoble, France

2 Outline. 1. Synthesis using automata-based game theory: motivation, comparison with model checking (MC) and LTL. 2. Basics: terminology, reachability/safety games. 3. Büchi/co-Büchi and generalized reactivity-1 games. 4. The generalized reactivity-1 approach.

3 Analyze, Verify, and Synthesize. [Diagram: the system (how: implementation, algorithm) on one side and its specification (what: properties, model) on the other; verification checks one against the other, synthesis produces the implementation from the specification.] Synthesis translates a high-level system description into an executable implementation. Benefits: an implementation, and a reward for writing specs (no double effort). Techniques vary depending on the specification language and the target implementation.

4 Today. What systems/programs would we like to synthesize? What specifications do we assume? A crash course on how to verify that a program (of this type) satisfies its spec. The idea of program repair/synthesis using games. Basic games.

5 Reactive Systems. Systems (e.g., servers): interact with their environment; infinite duration (non-terminating); finite data (or data abstractions); control-oriented. Specifications: a set of good behaviors (a language); temporal logic (which includes safety and liveness). [Figure: synthesis, verification and analysis placed on a data-versus-time plane.] [Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems, 1992] [N. Halbwachs. Synchronous Programming of Reactive Systems, 1993]

6 Example: Hardware. ARM's AMBA AHB bus: a high-performance on-chip bus (connects multiple devices); sends data from masters to clients; data, address, and control signals; the arbiter is part of the bus (it determines the control signals); up to 16 masters and 16 clients.

7 Examples: AMBA AHB standard. [Figure: excerpt from the AMBA AHB standard.]

8 Example: Linear-Temporal Logic. E.g., when a locked unspecified-length burst starts, a new access does not start until the current master (i) releases the bus by lowering HBUSREQi. Formal specification, e.g., for all masters i:
    always((hmastlock and HBURST=INCR and START and HMASTER=i) implies (not START until not HBUSREQi))
Time progresses with the clock tick.

9 Example: Concurrent Software. (* denotes a non-deterministic choice.)
    unsigned int got_lock = 0;
    while (*) {
      if (*) {
        lock();
        got_lock++;
      }
      if (got_lock != 0) {
        unlock();
      }
      got_lock--;
    }
    lock()   { LOCK := 1; }
    unlock() { LOCK := 0; }
Specifications: P1: do not acquire a lock twice. P2: do not call unlock without holding the lock.

10 Example: Concurrent Software. The same program with line labels; time progresses with each change of line:
    unsigned int got_lock = 0;
    1: while (*) {
    2:   if (*) {
    3:     lock();
    4:     got_lock++;
         }
    5:   if (got_lock != 0) {
    6:     unlock();
         }
    7:   got_lock--;
       }
    lock()   { lock:   LOCK := 1; }
    unlock() { unlock: LOCK := 0; }
Specifications: P1: do not acquire a lock twice. P2: do not call unlock without holding the lock.
    P1: always( line=lock implies next( line!=lock w-until line=unlock ))
    P2: ( line!=unlock w-until line=lock ) and always( line=unlock implies next( line!=unlock w-until line=lock ))

11 How to verify a Reactive System? Core algorithm for linear-time temporal logic: 1. Source code → (automatically/manually) → transition system (FSM). 2. Specification → (automatically/manually) → monitor for violations. 3. Check whether the model has a violating trace: build the product of the transition system and the monitor, and check whether a trace exists in the product (emptiness check).

12 Source Code. The labelled program of slide 10 (lines 1–7 plus the lock and unlock locations).

13 Step 1: Transition System. got_lock is abstracted to int[0,1,2]; line 8 marks the point after the loop:
    int[0,1,2] got_lock = 0;
    1: while (*) {
    2:   if (*) {
    3:     lock();              lock:   { LOCK := 1; }
    4:     got_lock++;
         }
    5:   if (got_lock != 0) {
    6:     unlock();            unlock: { LOCK := 0; }
         }
    7:   got_lock--;
       }
    8: (after the loop)
Transition system variables: line (l) and got_lock (gl). [State graph over (l, gl) not reproduced; it starts at l=1,gl=0, branches at the non-deterministic choices in lines 1 and 2, and follows the program otherwise, e.g. l=1,gl=0 → l=2,gl=0 → l=3,gl=0 → l=lock,gl=0 → l=4,gl=0 → l=5,gl=1.]

14 Specification. P1: do not acquire a lock twice. P2: do not call unlock without holding the lock.
    P1: always( line=lock implies next( line!=lock w-until line=unlock ))
    P2: ( line!=unlock w-until line=lock ) and always( line=unlock implies next( line!=unlock w-until line=lock ))

15 Linear-Time Temporal Logic [Pnueli77]. Syntax: atomic propositions, e.g., line=1, line!=2, got_lock=0; Boolean operators: not, and, or, implies, ...; temporal operators: next(ϕ), meaning ϕ holds in the next step, and ϕ1 until ϕ2, meaning ϕ1 holds until at some point ϕ2 holds. Used in the industrial specification languages PSL/SVA. Can express many interesting properties, e.g., mutual exclusion, deadlock freedom, termination.

16 Linear-Time Temporal Logic. Semantics is defined with respect to infinite traces: in each step an atomic proposition either holds or does not hold. [Figure: an example trace with the atomic propositions that hold in each step (line=…, got_lock, …) marked.] Given a finite set of atomic propositions AP, a trace (or word) w over AP is an infinite sequence of truth assignments to AP, i.e., w ∈ (2^AP)^ω.

17 Linear-Time Temporal Logic. Semantics: next(ϕ): ϕ holds in the next step. ϕ1 until ϕ2: ϕ1 holds until at some point ϕ2 holds. [Figure: timelines illustrating both operators.] A system S satisfies/models ϕ if all its behaviors satisfy ϕ.

18 Linear-Time Temporal Logic. Many useful abbreviations: true = p or not p; false = not true; eventually(ϕ) = true until ϕ; always(ϕ) = not(eventually(not ϕ)); ϕ1 w-until ϕ2 = (ϕ1 until ϕ2) or always(ϕ1); also before, release, ... Other syntax: next: ○, X; until: U; eventually: ◇, F; always: □, G; w-until: W.

19 How to verify a Reactive System? (Recap of slide 11.) 1. Source code → transition system (FSM). 2. Specification → monitor for violations. 3. Check whether the model has a violating trace: product of transition system and monitor, emptiness check.
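Added example (not from the slides): a small evaluator that applies the syntax and abbreviations above to lasso-shaped traces (a finite prefix followed by a loop repeated forever), so that P1 and P2 can be checked on concrete runs of the lock program. The Lasso class, the encoding of a step as the set of propositions that hold in it, and the DEMO trace (my reading of the trace shown in the demo later in the deck) are my assumptions.

```python
# Constructed example: LTL evaluation over ultimately periodic traces.
# A formula is a nested tuple; a trace step is the set of atomic
# propositions that hold in that step.

def ap(name):       return ("ap", name)
def neg(f):         return ("not", f)
def conj(f, g):     return ("and", f, g)
def disj(f, g):     return ("or", f, g)
def nxt(f):         return ("next", f)
def until(f, g):    return ("until", f, g)

# Abbreviations exactly as on the slide.
TRUE = disj(ap("p"), neg(ap("p")))                        # true = p or not p
def implies(f, g):  return disj(neg(f), g)
def eventually(f):  return until(TRUE, f)
def always(f):      return neg(eventually(neg(f)))
def wuntil(f, g):   return disj(until(f, g), always(f))   # weak until

class Lasso:
    """Infinite trace w = prefix . loop^omega (assumed representation)."""
    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty to describe an infinite trace"
        self.steps = list(prefix) + list(loop)
        self.loop_start = len(prefix)

    def succ(self, i):
        """Position reached by one 'next' step; the last position wraps."""
        return i + 1 if i + 1 < len(self.steps) else self.loop_start

    def holds(self, f, i=0):
        """Does formula f hold at position i of the trace?"""
        memo = {}
        def ev(f, i):
            key = (f, i)
            if key in memo:
                return memo[key]
            op = f[0]
            if op == "ap":
                r = f[1] in self.steps[i]
            elif op == "not":
                r = not ev(f[1], i)
            elif op == "and":
                r = ev(f[1], i) and ev(f[2], i)
            elif op == "or":
                r = ev(f[1], i) or ev(f[2], i)
            elif op == "next":
                r = ev(f[1], self.succ(i))
            elif op == "until":
                # Walk forward from i.  The walk is deterministic, so once a
                # position repeats the right operand can never become true.
                r, j, seen = False, i, set()
                while j not in seen:
                    seen.add(j)
                    if ev(f[2], j):
                        r = True
                        break
                    if not ev(f[1], j):
                        break
                    j = self.succ(j)
            else:
                raise ValueError(f"unknown operator {op}")
            memo[key] = r
            return r
        return ev(f, i)

# The two lock properties of the slides.
LOCK, UNLOCK = ap("line=lock"), ap("line=unlock")
P1 = always(implies(LOCK, nxt(wuntil(neg(LOCK), UNLOCK))))
P2 = conj(wuntil(neg(UNLOCK), LOCK),
          always(implies(UNLOCK, nxt(wuntil(neg(UNLOCK), LOCK)))))

def trace(prefix, loop):
    """Build a Lasso from line labels; one proposition 'line=<label>' per step."""
    return Lasso([{f"line={l}"} for l in prefix], [{f"line={l}"} for l in loop])

# Constructed from the demo trace: the first iteration skips the lock,
# got_lock-- wraps around, and the loop then takes the lock twice in a row
# without an unlock in between.
DEMO = trace(prefix=["1", "2", "5", "7"],
             loop=["1", "2", "3", "lock", "4", "5", "7"])
# A run of the repaired program: lock, unlock, lock, unlock, ...
FIXED = trace(prefix=[], loop=["1", "2", "3", "lock", "4", "5", "6", "unlock", "7"])

if __name__ == "__main__":
    for name, t in (("demo", DEMO), ("fixed", FIXED)):
        print(name, "P1:", t.holds(P1), "P2:", t.holds(P2))
```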

20 Step 2: Monitor for Violations. P1: always( line=lock implies next( line!=lock w-until line=unlock )) = not eventually( line=lock and next( line!=unlock until line=lock )). [Three-state Büchi automaton for the negated property with edge labels line!=unlock, line=lock and line=lock; state 1: non-deterministic choice; state 2: no edge with line=unlock; state 3 accepting (blue).] The automaton accepts a trace/behavior if a blue state is visited infinitely often (Büchi acceptance). Why do we track bad and not good behaviors? L(S) ⊆ L(ϕ) iff for all w: w ∈ L(S) implies w ∈ L(ϕ), iff there is no w with w ∈ L(S) and w ∈ L(¬ϕ).

21–24 Step 3: Product. [Product of the transition system over (l, gl) with the three monitor states, built up over four slides; edges labelled line!=unlock and line=lock; not reproduced.] Recall, we want to show a violation: the non-determinism in the transition system and the non-determinism in the monitor pull in the same direction (both can be used to violate the property).

25 Demo.

26 Demo. Trace found: line = 1, 2, 5, 7, 1, 2, 3, lock, 4, 5, 7, 1, 2, 3, lock (the lock is taken twice without an unlock in between).

27 Source Code. The abstracted program of slide 13 shown next to the demo trace line = 1, 2, 5, 7, 1, 2, 3, lock, 4, 5, 7, 1, 2, 3, lock.

28 How to verify a Reactive System? (Recap of slide 11: transition system, monitor for violations, product and emptiness check.) But how to repair it?

29 How to repair a Reactive System? 1. Add freedom (choices for the system, i.e. the allowed ways to modify the system). 2. Source code → (automatically/manually) → transition system (game). 3. Specification → (automatically/manually) → monitor for acceptance. 4. Check whether we can find system choices such that the model is accepted by the monitor: build the product of the transition system and the monitor, and search for a winning strategy in the game.

30 Step 1: Freedom. The assignments at lines 4 and 7 are replaced by a free choice:
    int[0,1,2] got_lock = 0;
    int[0,1,2] freedom;
    1: while (*) {
    2:   if (*) {
    3:     lock();              lock:   { LOCK := 1; }
    4:     got_lock := freedom;
         }
    5:   if (got_lock != 0) {
    6:     unlock();            unlock: { LOCK := 0; }
         }
    7:   got_lock := freedom;
       }
    8: (after the loop)
(We can also extend this to fault localization.)

31–33 Step 2: Game. The program of slide 30 as a transition system over line (l) and got_lock (gl); the edges leaving lines 4 and 7 are labelled with the chosen value f=0, f=1, f=2. [Game graph not reproduced.] Two types of non-determinism! (The * choices of the program, and the choice of freedom.)

34 Step 3: Monitor for Acceptance. P1: always( line=lock implies next( line!=lock w-until line=unlock )). [Automaton with edge labels line!=lock, line=lock, line!=lock & line!=unlock, line=unlock, line=lock.] Since the game has two types of non-determinism, we need to be careful with non-determinism in the monitor.

35 Problem with Nondeterminism. A coffee machine is correct if there is no water, or if the button is pressed the machine serves coffee: eventually always(not water) or always(pressed implies eventually coffee) and always(not water implies not coffee). [Automaton with edge labels w=0; w=1 or c=0; p=1 and (w=1 or c=0); c=0 or w=1; p=0 and w=1 or c=0; c=1 and w=1; the states marked OK are accepting.] (The coffee machine wins if it visits a blue state infinitely often.)

36 Step 3: Deterministic Monitor for Acceptance. P1: always( line=lock implies next( line!=lock w-until line=unlock )). [Deterministic automaton with states 1, 2, 3 and edge labels line!=lock, line=lock, line!=lock & line!=unlock, line=unlock, line=lock.] Classical approach: make the monitor deterministic (a more powerful acceptance condition is required).

37–42 Step 3: Product, and Step 4: Winning States. [Product of the transition system (got_lock in {0,1,2}) with the deterministic automaton (states 1, 2, 3; edge labels l!=lock, l=lock, l!=lock & l!=unlock, l=unlock), followed by the step-by-step marking of the winning states over several slides; not reproduced.]

43 Step 4: Winning Strategy. In general, the strategy is a function of the program state and the monitor state: freedom := f(l, gl, s), with one case per combination of line l, got_lock gl and monitor state s at lines 4 and 7. What we actually do: merge states before picking the strategy.

44–45 Step 4: Winning Strategy. After merging: (line=4): freedom = 1; (line=7): freedom = 0. [Product graph with the chosen edges not reproduced.]

46 Repaired Program.
    unsigned int got_lock = 0;
    1: while (*) {
    2:   if (*) {
    3:     lock();
    4:     got_lock = 1;
         }
    5:   if (got_lock != 0) {
    6:     unlock();
         }
    7:   got_lock = 0;
       }
    lock()   { lock:   LOCK = 1; }
    unlock() { unlock: LOCK = 0; }
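Added example (not the lecture's own tool or code): the repair recipe of slides 29–46 carried out in Python for the lock program, with the verification step 3 of slide 11 for the original program done by the same solver. The abstraction of got_lock to {0,1,2} (2 standing for "large, possibly wrapped around"), the single monitor that tracks P1 and P2 together, the ownership of choices (the * choices belong to the environment, freedom at lines 4 and 7 to the system) and all function names are my assumptions.

```python
# Constructed example: program repair as a safety game on the product of
# the lock program (with freedom) and a deterministic monitor.

SYS_LINES = {4, 7}        # where the system player picks `freedom`
VALUES = (0, 1, 2)        # abstract domain of got_lock and freedom

def abstract_inc(gl):
    """got_lock++ on the abstraction: 2 ('large') may stay large or wrap to 0."""
    return [1] if gl == 0 else [2] if gl == 1 else [0, 2]

def abstract_dec(gl):
    """got_lock-- on the abstraction: 0 wraps around to a large value."""
    return [2] if gl == 0 else [0] if gl == 1 else [1, 2]

def program_moves(line, gl, freedom):
    """Successor (line, got_lock) pairs of one program step.  With freedom the
    assignments at lines 4 and 7 are a free choice, otherwise ++ and --."""
    if line == 1:        return [(2, gl), (8, gl)]          # while(*)
    if line == 2:        return [(3, gl), (5, gl)]          # if(*)
    if line == 3:        return [("lock", gl)]
    if line == "lock":   return [(4, gl)]
    if line == 4:
        return [(5, v) for v in (VALUES if freedom else abstract_inc(gl))]
    if line == 5:        return [(6, gl)] if gl != 0 else [(7, gl)]
    if line == 6:        return [("unlock", gl)]
    if line == "unlock": return [(7, gl)]
    if line == 7:
        return [(1, v) for v in (VALUES if freedom else abstract_dec(gl))]
    if line == 8:        return [(8, gl)]                   # loop left; stutter
    raise ValueError(line)

def monitor_step(m, line):
    """Deterministic monitor for P1 and P2 together: 'free' = lock not held,
    'held' = lock held, 'bad' = lock taken twice or unlock without the lock."""
    if m == "bad":       return "bad"
    if line == "lock":   return "held" if m == "free" else "bad"
    if line == "unlock": return "free" if m == "held" else "bad"
    return m

def build_arena(freedom, init=(1, 0, "free")):
    """Product of program and monitor, explored from init.
    A state is (line, got_lock, monitor_state); the value is its successor list."""
    arena, todo = {}, [init]
    while todo:
        s = todo.pop()
        if s in arena:
            continue
        line, gl, m = s
        arena[s] = [(l2, g2, monitor_step(m, l2))
                    for l2, g2 in program_moves(line, gl, freedom)]
        todo.extend(arena[s])
    return arena

def solve_safety_game(arena, freedom):
    """States from which the system can avoid 'bad' forever.  The losing set is
    the environment's attractor of the bad states: an environment state with
    some losing successor, or a system state all of whose successors are
    losing, iterated to a fixpoint.  Without freedom every state belongs to the
    environment, so this is plain reachability of a violation."""
    losing = {s for s in arena if s[2] == "bad"}
    changed = True
    while changed:
        changed = False
        for s, succ in arena.items():
            if s in losing:
                continue
            is_sys = freedom and s[0] in SYS_LINES
            lose = all(t in losing for t in succ) if is_sys else any(t in losing for t in succ)
            if lose:
                losing.add(s)
                changed = True
    return set(arena) - losing

def winning_strategy(arena, winning):
    """For each winning system state, the freedom values (= got_lock of the
    successor) that keep the play inside the winning region."""
    return {s: {t[1] for t in arena[s] if t in winning}
            for s in winning if s[0] in SYS_LINES}

def verify_original():
    """Verification step 3: is a violation reachable in the buggy program?"""
    arena = build_arena(freedom=False)
    return (1, 0, "free") not in solve_safety_game(arena, freedom=False)

def repair():
    """Repair steps 2-4: build the game, solve it, extract the strategy."""
    arena = build_arena(freedom=True)
    win = solve_safety_game(arena, freedom=True)
    return win, winning_strategy(arena, win)

if __name__ == "__main__":
    print("original program violates P1/P2:", verify_original())
    win, strat = repair()
    for s in sorted(strat, key=str):
        print(s, "-> freedom in", sorted(strat[s]))
```

The printed strategy leaves several choices open; merging the cases by line, as on slides 43–45, gives freedom = 1 at line 4 and freedom = 0 at line 7.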

47 Demo. [Screenshots: monitor and FREEDOM choices.]

48 Demo.

49 Program Repair. [Flow: program → finite-state program → game transition system (program with freedom); specification → monitor → monitor transition system (winning condition); solve the game → (simple) strategy → correct program.] With Bloem, Griesmayer, Staber in CAV 2005 and CHARME 2005 (+ extension to fault localization).

50 Classical Controller Synthesis. [Flow: FSM + freedom + monitor → game (transition system + winning condition) → solve the game → (simple) strategy → correct program.] Initially defined for invariants. Ramadge, Wonham 87; book by Cassandras, Lafortune 99/07.

51 Synthesis from Temporal Logics. [Flow: specification → monitor + interface definition → monitor transition system (winning condition) → game → solve the game → (simple) strategy → correct program.] Church (1962), Büchi/Landweber (1969, games), Rabin (1972, trees), Pnueli/Rosner (1989, LTL).

52 Program Synthesis. [Flow: program → FSM + freedom → game transition system; specification → monitor → monitor transition system (winning condition); solve the game → (simple) strategy → correct program.] Modern controller synthesis: see the overview papers by Walukiewicz et al. and by Rutten & Girault.

53 Issues? Program: how to abstract? FSM + freedom → game transition system: what size? Solve the game: how to solve efficiently? Specification: how to specify? LTL → monitor: how to construct efficiently? Monitor transition system (winning condition): how expressive, what size? (Simple) strategy: how to pick a strategy? Correct program: how to map back? Related research areas: PL, AV, control theory, game and automata theory, quantitative program synthesis.

54 Issues with the Monitor for LTL. Determinization construction (Safra's): 2EXP worst-case complexity, and LTL is very succinct. How to construct the monitor efficiently? How expressive is it, and what is its size?

55 Some Solutions. Concentrate on subsets (different types of games): safety, reachability: Ramadge, Wonham (Proc. IEEE 89); Büchi, co-Büchi: Asarin, Maler, Pnueli, Sifakis (SSC 98); deterministic generators for several subsets: Alur, La Torre (LICS'01); safety+ using SAT, QBF, and BDDs: Alur, Madhusudan, Nam (BMC'03, STTT'05); request-response: Wallmeier, Hütten, Thomas (CIAA'03); work with a non-deterministic automaton: Harding, Ryan, Schobbens (TACAS'05); identified syntactic subset: Jobstmann, Bloem (CAV 05); generalized reactivity-1 (GR-1): Piterman, Pnueli, Sa'ar (VMCAI'06) (the base of our work on synthesizing AMBA). Optimize or avoid the determinization construction: implemented Safra: Althoff, Thomas, Wallmeier (CIAA'05, TCS'06); improved Safra, good-for-games: Piterman, Piterman/Henzinger (CSL'06); bounded synthesis (using co-Büchi): Kupferman, Vardi (FOCS'05), Kupferman, Piterman, Vardi (CAV'06), Schewe, Finkbeiner (ATVA'07), Filiot, Jin, Raskin (CAV'09). Symbolic representation (e.g., using BDDs).

56 Next. Basics of automata-based game theory: terminology; reachability/safety and Büchi/co-Büchi games. Interesting games for LTL synthesis: generalized Büchi and reactivity-1 games; generalized reactivity-1 (GR-1) games. Why is GR-1 good? (back to synthesis)


More information

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Introduction Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification Advanced Topics in Software Engineering 1 Concurrent Programs Characterized by

More information

Digital Design Verification

Digital Design Verification Digital Design Verification Course Instructor: Debdeep Mukhopadhyay Dept of Computer Sc. and Engg. Indian Institute of Technology Madras, Even Semester Course No: CS 676 1 Verification??? What is meant

More information

Testing LTL Formula Translation into Büchi Automata

Testing LTL Formula Translation into Büchi Automata Testing LTL Formula Translation into Büchi Automata Heikki Tauriainen and Keijo Heljanko Helsinki University of Technology, Laboratory for Theoretical Computer Science, P. O. Box 5400, FIN-02015 HUT, Finland

More information

Constructing Automata from Temporal Logic Formulas : A Tutorial

Constructing Automata from Temporal Logic Formulas : A Tutorial Constructing Automata from Temporal Logic Formulas : A Tutorial Pierre Wolper Université de Liège, Institut Montefiore, B28, 4000 Liège, Belgium pw@montefiore.ulg.ac.be, http://www.montefiore.ulg.ac.be/~pw/

More information

Optimization-based Trajectory Generation with Linear Temporal Logic Specifications

Optimization-based Trajectory Generation with Linear Temporal Logic Specifications Optimization-based Trajectory Generation with Linear Temporal Logic Specifications Eric M. Wolff, Ufuk Topcu, and Richard M. Murray Abstract We present a mathematical programming-based method for optimal

More information

Runtime Verification for LTL and TLTL

Runtime Verification for LTL and TLTL Runtime Verification for LTL and TLTL ANDREAS BAUER NICTA and Australian National University MARTIN LEUCKER Technische Universität München and CHRISTIAN SCHALLHART Technische Universität Darmstadt This

More information

Feature Specification and Automated Conflict Detection

Feature Specification and Automated Conflict Detection Feature Specification and Automated Conflict Detection AMY P. FELTY University of Ottawa and KEDAR S. NAMJOSHI Bell Laboratories Large software systems, especially in the telecommunications field, are

More information

INF5140: Specification and Verification of Parallel Systems

INF5140: Specification and Verification of Parallel Systems Motivation INF5140: Specification and Verification of Parallel Systems Lecture 1 Introduction: Formal Methods Gerardo Schneider Department of Informatics University of Oslo INF5140, Spring 2009 Outline

More information

Non-Intrusive Repair of Reactive Programs

Non-Intrusive Repair of Reactive Programs Non-Intrusive Repair of Reactive Programs David Harel, Guy Katz, Assaf Marron Dept. of Computer Science and Applied Mathematics Weizmann Institute of Science Rehovot, Israel Email: firstname.lastname@weizmann.ac.il

More information

The Course. http://www.cse.unsw.edu.au/~cs3153/

The Course. http://www.cse.unsw.edu.au/~cs3153/ The Course http://www.cse.unsw.edu.au/~cs3153/ Lecturers Dr Peter Höfner NICTA L5 building Prof Rob van Glabbeek NICTA L5 building Dr Ralf Huuck NICTA ATP building 2 Plan/Schedule (1) Where and When Tuesday,

More information

Software Reliability: Runtime Verification

Software Reliability: Runtime Verification Software Reliability: Runtime Verification Martin Leucker and the whole ISP team Institute for Software Engineering Universität zu Lübeck Riga, 21.07. 04.08.14 Martin Leucker Basoti, 2014 1/117 Runtime

More information

Model Checking Distributed Software

Model Checking Distributed Software Model Checking Distributed Software Sagar Chaki September 19, 2014 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213 Model Checking and Me 1997 : Ed visits IIT Kharagpur Just

More information

Modular Verification of Dynamically Adaptive Systems

Modular Verification of Dynamically Adaptive Systems Modular Verification of Dynamically Adaptive Systems Ji Zhang, Heather J. Goldsby, and Betty H.C. Cheng Department of Computer Science and Engineering, Michigan State University East Lansing, Michigan,

More information

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection

Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection Runtime Verification - Monitor-oriented Programming - Monitor-based Runtime Reflection Martin Leucker Technische Universität München (joint work with Andreas Bauer, Christian Schallhart et. al) FLACOS

More information

Regular Linear Temporal Logic with Past

Regular Linear Temporal Logic with Past Regular Linear Temporal Logic with Past César Sánchez 1,2 and Martin Leucker 3 1 Madrid Institute for Advanced Studies (IMDEA Software), Spain 2 Spanish Council for Scientific Research (CSIC), Spain 3

More information

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl Model checking test models Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl February 14, 2014 Abstract This thesis is about model checking testing models. These testing

More information

Program Monitoring with LTL in EAGLE

Program Monitoring with LTL in EAGLE Howard Barringer University of Manchester, England Program Monitoring with LTL in EAGLE Allen Goldberg, Klaus Havelund Kestrel Technology, NASA Ames Research Center, USA Koushik Sen University of Illinois,

More information

Combining Software and Hardware Verification Techniques

Combining Software and Hardware Verification Techniques Formal Methods in System Design, 21, 251 280, 2002 c 2002 Kluwer Academic Publishers. Manufactured in The Netherlands. Combining Software and Hardware Verification Techniques ROBERT P. KURSHAN VLADIMIR

More information

Automatic Conversion Software for the Safety Verification of Goal-based Control Programs

Automatic Conversion Software for the Safety Verification of Goal-based Control Programs Automatic Conversion Software for the Safety Verification of Goal-based Control Programs Julia M. B. Braman and Richard M. Murray Abstract Fault tolerance and safety verification of control systems are

More information

LabVIEW Based Embedded Design

LabVIEW Based Embedded Design LabVIEW Based Embedded Design Sadia Malik Ram Rajagopal Department of Electrical and Computer Engineering University of Texas at Austin Austin, TX 78712 malik@ece.utexas.edu ram.rajagopal@ni.com Abstract

More information

Online testing of LTL properties for Java code

Online testing of LTL properties for Java code Online testing of LTL properties for Java code Paolo Arcaini 1, Angelo Gargantini 2, and Elvinia Riccobene 1 1 Dipartimento di Informatica, Università degli Studi di Milano, Italy {paolo.arcaini,elvinia.riccobene}@unimi.it

More information

An Automata-Theoretic Approach to Linear Temporal Logic

An Automata-Theoretic Approach to Linear Temporal Logic An Automata-Theoretic Approach to Linear Temporal Logic Moshe Y. Vardi? Rice University Department of Computer Science P.O. Box 1892 Houston, TX 77251-1892, U.S.A. Email: vardi@cs.rice.edu URL: http://www.cs.rice.edu/

More information

Decentralised diagnosis of discrete-event systems: application to telecommunication network

Decentralised diagnosis of discrete-event systems: application to telecommunication network Decentralised diagnosis of discrete-event systems: application to telecommunication network Yannick Pencolé CSL, Yannick.Pencole@anu.edu.au in collaboration with M.-O. Cordier and L. Rozé CSL Seminar 1

More information

A Modular ROS package for Linear Temporal Logic based Motion Planning. Parth Pandya

A Modular ROS package for Linear Temporal Logic based Motion Planning. Parth Pandya A Modular ROS package for Linear Temporal Logic based Motion Planning by Parth Pandya A Thesis Presented in Partial Fulfillment of the Requirements for the Degree Master of Science Approved February 2013

More information

LARVA Safer Monitoring of Real-Time Java Programs (Tool Paper)

LARVA Safer Monitoring of Real-Time Java Programs (Tool Paper) LARVA Safer Monitoring of Real-Time Java Programs (Tool Paper) Christian Colombo Department of Computer Science University of Malta, Malta Email: christian.colombo@um.edu.mt Gordon J. Pace Department of

More information

Reliability Guarantees in Automata Based Scheduling for Embedded Control Software

Reliability Guarantees in Automata Based Scheduling for Embedded Control Software 1 Reliability Guarantees in Automata Based Scheduling for Embedded Control Software Santhosh Prabhu, Aritra Hazra, Pallab Dasgupta Department of CSE, IIT Kharagpur West Bengal, India - 721302. Email: {santhosh.prabhu,

More information

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm

Introduction to Formal Methods. Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Introduction to Formal Methods Các Phương Pháp Hình Thức Cho Phát Triển Phần Mềm Outline Introduction Formal Specification Formal Verification Model Checking Theorem Proving Introduction Good papers to

More information

Bounded LTL Model Checking with Stable Models

Bounded LTL Model Checking with Stable Models Under consideration for publication in Theory and Practice of Logic Programming 1 Bounded LTL Model Checking with Stable Models KEIJO HELJANKO and ILKKA NIEMELÄ Helsinki University of Technology Department

More information

Modeling and Validation of a Data Process Unit Control for Space Applications

Modeling and Validation of a Data Process Unit Control for Space Applications Modeling and Validation of a Data Process Unit Control for Space Applications Wan Hai, Huang Chongdi, Wang Yuhui, He Fei and Gu Ming Key Lab of ISS of MOE, TNList, School of Software, Tsinghua University,

More information

An Introduction to Hybrid Automata

An Introduction to Hybrid Automata An Introduction to Hybrid Automata Jean-François Raskin, email: jraskin@ulb.ac.be Computer Science Department University of Brussels Belgium 1 Introduction Hybrid systems are digital real-time systems

More information

A Classification of Model Checking-based Verification Approaches for Software Models

A Classification of Model Checking-based Verification Approaches for Software Models A Classification of Model Checking-based Verification Approaches for Software Models Petra Brosch, Sebastian Gabmeyer, Martina Seidl Sebastian Gabmeyer Business Informatics Group Institute of Software

More information

Introduction to Promela and SPIN. LACL, Université Paris 12

Introduction to Promela and SPIN. LACL, Université Paris 12 Introduction to Promela and SPIN LACL, Université Paris 12 Promela = Process Meta Language A specification language! No programming language! Used for system description : Specify an abstraction of the

More information

Enforcing Security Policies. Rahul Gera

Enforcing Security Policies. Rahul Gera Enforcing Security Policies Rahul Gera Brief overview Security policies and Execution Monitoring. Policies that can be enforced using EM. An automata based formalism for specifying those security policies.

More information

An Overview of the Runtime Verification Tool Java PathExplorer

An Overview of the Runtime Verification Tool Java PathExplorer An Overview of the Runtime Verification Tool Java PathExplorer Klaus Havelund Kestrel Technology NASA Ames Research Center California, USA http://ase.arc.nasa.gov/havelund Grigore Roşu Department of Computer

More information

Two-Way Traceability and Conflict Debugging for AspectLTL Programs

Two-Way Traceability and Conflict Debugging for AspectLTL Programs Two-Way Traceability and Conflict Debugging for AspectLTL Programs Shahar Maoz RWTH Aachen University, Germany maoz@se-rwth.de Yaniv Sa ar Weizmann Institute of Science, Israel yaniv.saar@weizmann.ac.il

More information

Software Model Checking of Liveness Properties via Transition Invariants

Software Model Checking of Liveness Properties via Transition Invariants I N F O R M A T I K Software Model Checking of Liveness Properties via Transition Invariants Andreas Podelski Andrey Rybalchenko MPI I 2003 2 004 December 2003 FORSCHUNGSBERICHT RESEARCH REPORT M A X -

More information

Validated Templates for Specification of Complex LTL Formulas

Validated Templates for Specification of Complex LTL Formulas Validated Templates for Specification of Complex LTL Formulas Salamah Salamah Department of Electrical, computer, Software, and Systems Engineering Embry Riddle Aeronautical University 600 S. Clyde Morris

More information

Algorithms for Monitoring Real-time Properties

Algorithms for Monitoring Real-time Properties Algorithms for Monitoring Real-time Properties David Basin, Felix Klaedtke, and Eugen Zălinescu Computer Science Department, ETH Zurich, Switzerland Abstract. We present and analyze monitoring algorithms

More information

Optimal Scheduling. Kim G. Larsen DENMARK

Optimal Scheduling. Kim G. Larsen DENMARK Priced Timed Automata Optimal Scheduling Kim G. Larsen Aalborg University it DENMARK Overview Timed Automata Scheduling Priced Timed Automata Optimal Reachability Optimal Infinite Scheduling Multi Objectives

More information

LTL Model Checking with Logic Based Petri Nets

LTL Model Checking with Logic Based Petri Nets LTL Model Checking with Logic Based Petri Nets Tristan M. Behrens and Jürgen Dix IfI Technical Report Series IfI-07-04 Impressum Publisher: Institut für Informatik, Technische Universität Clausthal Julius-Albert

More information

Informatique Fondamentale IMA S8

Informatique Fondamentale IMA S8 Informatique Fondamentale IMA S8 Cours 1 - Intro + schedule + finite state machines Laure Gonnord http://laure.gonnord.org/pro/teaching/ Laure.Gonnord@polytech-lille.fr Université Lille 1 - Polytech Lille

More information

Applying Run-Time Monitoring to the Deep-Impact Fault Protection Engine

Applying Run-Time Monitoring to the Deep-Impact Fault Protection Engine Applying Run-Time Monitoring to the Deep-Impact Fault Protection Engine Doron Drusinsky Time Rover, Inc. Cupertino, CA, USA www.time-rover.com Garth Watney NASA JPL Pasadena, CA, USA Garth.J.Watney@jpl.nasa.gov

More information

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: ω-automata ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear: in verification, as encodings of non-terminating executions of a program. in arithmetic,

More information

Fair Model Checking with Process Counter Abstraction

Fair Model Checking with Process Counter Abstraction Fair Model Checking with Process Counter Abstraction Jun Sun, Yang Liu, Abhik Roychoudhury, Shanshan Liu and Jin Song Dong School of Computing, National University of Singapore {sunj,liuyang,abhik,liushans,dongjs}@comp.nus.edu.sg

More information

Model Based Testing for Security Checking. Wissam Mallouli and Prof. Ana Cavalli National Institute of Telecommunications, France November 21, 2007

Model Based Testing for Security Checking. Wissam Mallouli and Prof. Ana Cavalli National Institute of Telecommunications, France November 21, 2007 Model Based Testing for Security Checking Wissam Mallouli and Prof. Ana Cavalli National Institute of Telecommunications, France November 21, 2007 Outline Introduction Active/Passive Testing Active Testing

More information

Formal Verification of Computer Systems - (INFO-F-412)

Formal Verification of Computer Systems - (INFO-F-412) Formal Verification of Computer Systems - (INFO-F-412) Thierry Massart Université Libre de Bruxelles Département d Informatique February 2013 Acknowledgment I want to thank Edmund Clarke, Keijo Heljanko,

More information

Test Case Generation for Ultimately Periodic Paths Joint work with Saddek Bensalem Hongyang Qu Stavros Tripakis Lenore Zuck Accepted to HVC 2007 How to find the condition to execute a path? (weakest precondition

More information

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN Acknowledgments Introduction to SPIN Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck Ralf Huuck COMP 4152 1 Ralf Huuck COMP 4152 2 PROMELA/SPIN PROMELA (PROcess MEta

More information

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker IEICE TRANS. INF. & SYST., VOL.E96 D, NO.12 DECEMBER 2013 2555 PAPER Special Section on Parallel and Distributed Computing and Networking Automated Route Planning for Milk-Run Transport Logistics with

More information

Using Strategy Objectives for Network Security Analysis

Using Strategy Objectives for Network Security Analysis Using Strategy Objectives for Network Security Analysis Elie Bursztein 1 and John C. Mitchell 2 {elie mitchell}@cs.stanford.edu 1 Stanford University and LSV, ENS Cachan, INRIA, CNRS 2 Stanford University

More information

From Workflow Design Patterns to Logical Specifications

From Workflow Design Patterns to Logical Specifications AUTOMATYKA/ AUTOMATICS 2013 Vol. 17 No. 1 http://dx.doi.org/10.7494/automat.2013.17.1.59 Rados³aw Klimek* From Workflow Design Patterns to Logical Specifications 1. Introduction Formal methods in software

More information