Software Model Checking: Theory and Practice

Software Model Checking: Theory and Practice Lecture: Secification Checking - Temoral Logic Coyright 2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are coyrighted materials and may not be used in other course settings outside of Kansas State University and the University of Nebraska in their current form or modified form without the exress written ermission of one of the coyright holders. During this course, students are rohibited from selling notes to or being aid for taking notes by any erson or commercial firm without the exress written ermission of one Secification of the coyright Checking holders. : Temoral Logic

Objectives Understand why temoral logic can be a useful formalism for secifying roerties of concurrent/reactive systems. Understand the intuition behind Comutation Tree Logic (CTL) the secification logic used e.g., in the well-known SMV model-checker. Be able to confidently aly Linear Temoral Logic (LTL) the secification logic used in e.g., Bogor and SPIN to secify simle roerties of systems. Understand the formal semantics of LTL. Secification Checking : Temoral Logic

Outline CTL by examle LTL by examle LTL formal definition Common roerties to be stated for concurrent systems and how they can be secified using LTL Bogor s suort for LTL Secification Checking : Temoral Logic

To Do Show never claims being generated from LTL formula For you to do s Secification Checking : Temoral Logic

Reasoning about Executions 0.1 0.2 0.3 1.1 0.4 1.1 2.1 0.3 1.2 1.1 2.1 0.4 1.2 2.1 0.4 1.1 2.2 0.4 1.2 2.1 0.4 1.3 2.1 We want to reason about execution trees tree node = sna shot of the rogram s state Reasoning consists of two layers defining redicates on the rogram states (control oints, variable values) exressing temoral relationshis between those redicates Secification Checking : Temoral Logic

Why Use Temoral Logic? Requirements of concurrent, distributed, and reactive systems are often hrased as constraints on sequences of events or states or constraints on execution aths. Temoral logic rovides a formal, exressive, and comact notation for realizing such requirements. The temoral logics we consider are also strongly tied to various comutational frameworks (e.g., automata theory) which rovides a foundation for building verification tools. Secification Checking : Temoral Logic

Comutational Tree Logic (CTL) Syntax Φ ::= P rimitive roositions!φ Φ && Φ Φ Φ Φ -> Φ roositional connectives AG Φ EG Φ AF Φ EF Φ temoral oerators AX Φ EX Φ A[Φ U Φ] E[Φ U Φ] Secification Checking : Temoral Logic

Comutational Tree Logic (CTL) Syntax Φ ::= P rimitive roositions!φ Φ && Φ Φ Φ Φ -> Φ roositional connectives AG Φ EG Φ AF Φ EF Φ temoral oerators AX Φ EX Φ A[Φ U Φ] E[Φ U Φ] Semantic Intuition AG along All aths holds Globally ath quantifier temoral oerator EG AF EF there Exists a ath where holds Globally along All aths holds at some state in the Future there Exists a ath where holds at some state in the Future Secification Checking : Temoral Logic

Comutational Tree Logic (CTL) Syntax Φ ::= P rimitive roositions!φ Φ && Φ Φ Φ Φ -> Φ roositional connectives AG Φ EG Φ AF Φ EF Φ temoral oerators AX Φ EX Φ A[Φ U Φ] E[Φ U Φ] Semantic Intuition AX along All aths, holds in the next state EX there Exists a ath where holds in the next state A[ U q] along All aths, holds Until q holds E[ U q] there Exists a ath where holds Until q holds Secification Checking : Temoral Logic

Comutation Tree Logic AG Secification Checking : Temoral Logic

Comutation Tree Logic EG Secification Checking : Temoral Logic

Comutation Tree Logic AF Secification Checking : Temoral Logic

Comutation Tree Logic EF Secification Checking : Temoral Logic

Comutation Tree Logic AX Secification Checking : Temoral Logic

Comutation Tree Logic EX Secification Checking : Temoral Logic

Comutation Tree Logic A[ U q] q q q q Secification Checking : Temoral Logic

Comutation Tree Logic E[ U q] q q q q q Secification Checking : Temoral Logic

Examle CTL Secifications For any state, a request (e.g., for some resource) will eventually be acknowledged AG(requested -> AF acknowledged) Secification Checking : Temoral Logic

Examle CTL Secifications From any state, it is ossible to get to a restart state AG(EF restart) Secification Checking : Temoral Logic

Examle CTL Secifications An uwards travelling elevator at the second floor does not changes its direction when it has assengers waiting to go to the fifth floor AG((floor=2 && direction=u && button5ressed) -> A[direction=u U floor=5]) Secification Checking : Temoral Logic

Semantics for CTL (excerts) For AP: s = L(s) s = L(s) s = f g s = f and s = g s = f g s = f or s = g s = EXf π=s 0 s 1... from s: s 1 = f s = E(f U g) π=s 0 s 1... from s j 0 [ s j = g and i : 0 i <j [s i = f ] ] s = EGf π=s 0 s 1... from s i 0: s i = f Secification Checking : Temoral Logic Source: Orna Grumberg

CTL Notes Invented by E. Clarke and E. A. Emerson (early 1980 s) Secification language for Symbolic Model Verifier (SMV) model-checker SMV is a symbolic model-checker instead of an exlicit-state model-checker Symbolic model-checking uses Binary Decision Diagrams (BDDs) to reresent boolean functions (both transition system and secification Secification Checking : Temoral Logic

Linear Time Logic Restrict ath quantification to ALL (no EXISTS ) Secification Checking : Temoral Logic

Linear Time Logic Restrict ath quantification to ALL (no EXISTS ) Reason in terms of branching traces instead of branching trees Secification Checking : Temoral Logic

Linear Time Logic (LTL) Syntax Φ ::= P rimitive roositions!φ Φ && Φ Φ Φ Φ -> Φ roositional connectives []Φ <>Φ Φ U Φ X Φ temoral oerators Semantic Intuition []Φ always Φ ΦΦΦΦΦΦΦΦΦΦΦΦΦΦ <>Φ eventually Φ Φ Φ Φ U Γ Φ until Γ ΦΦΦΦΦΦΓ Φ Γ Secification Checking : Temoral Logic

Linear Time Logic []<> Along all aths, it must be the case that globally (I.e., in each state we come to) eventually will hold Exresses a form of fairness must occur infinitely often along the ath To check Φ under the assumtion of fair traces, check []<> -> Φ Secification Checking : Temoral Logic

Linear Time Logic <>[] Along all aths, eventually it is the case that holds at each state) (i.e., eventually ermanently ) Any ath contains only finitely many! states Secification Checking : Temoral Logic

Linear Time Logic W q = [] ( U q) q q q q q q q q q unless q, or waiting for q, or weak-until q Secification Checking : Temoral Logic

Semantics for LTL Semantics of LTL is given with resect to a (usually infinite) ath or trace π = s 1 s 2 s 3 We write π i for the suffix starting at s i, e.g., π 3 = s 3 s 4 s 5 A system satisfies an LTL formula f if each ath through the system satisfies f. Secification Checking : Temoral Logic

Semantics of LTL For AP: π = L(s 1 ) π = L(s 1 ) π = f g π = f and π = g π = f g π = f or π = g π = Xf π 2 = f π = <>f i >= 1. π i = f π = []f i >= 1. π i = f π = (f U g) i >= 1. π i = g and j : 1 j < i-1. π j = f Secification Checking : Temoral Logic

LTL Notes Invented by Prior (1960 s), and first use to reason about concurrent systems by A. Pnueli, Z. Manna, etc. LTL model-checkers are usually exlicitstate checkers due to connection between LTL and automata theory Most oular LTL-based checker is SPIN (G. Holzman) Secification Checking : Temoral Logic

Comaring LTL and CTL CTL* CTL LTL CTL is not strictly more exression than LTL (and vice versa) CTL* invented by Emerson and Halern in 1986 to unify CTL and LTL We believe that almost all roerties that one wants to exress about software lie in intersection of LTL and CTL Secification Checking : Temoral Logic

Bogor Suort As for regular roerties, Bogor defines an extension for LTL roerties Proerty extension is the same LTL extension Imlemented by bogor.module.roerty.ltl.lineartemorallogicmodule Suorts Atomic roositions and literals (e.g., true/false) Proositional connectives (e.g., and, or) Temoral oerators (e.g., always, eventually) Secification Checking : Temoral Logic

LTL extension extension LTL for edu.ksu.cis.rojects.bogor.module.roerty.ltl.lineartemorallogicmodule { tyedef Formula; exdef LTL.Formula ro(string); exdef LTL.Formula literal(boolean); exdef LTL.Formula always(ltl.formula); exdef LTL.Formula eventually(ltl.formula); exdef LTL.Formula negation(ltl.formula); exdef LTL.Formula until(ltl.formula, LTL.Formula); exdef LTL.Formula release(ltl.formula, LTL.Formula); exdef LTL.Formula equivalence(ltl.formula, LTL.Formula); exdef LTL.Formula imlication(ltl.formula, LTL.Formula); exdef LTL.Formula conjunction(ltl.formula, LTL.Formula); exdef LTL.Formula disjunction(ltl.formula, LTL.Formula); } exdef boolean temoralproerty(proerty.observabledictionary, LTL.Formula); Secification Checking : Temoral Logic

An Examle Mutual exclusion in ReadersWriters fun mutualexclusion() returns boolean = LTL.temoralProerty( Proerty.createObservableDictionary( Proerty.createObservableKey( "somereading", activereaders>0), Proerty.createObservableKey( "somewriting", activewriters>0) ), LTL.always( LTL.imlication( LTL.ro("someReading"), LTL.negation(LTL.ro("someWriting")) ) ) ); Secification Checking : Temoral Logic

Bogor Configuration Use the defaults excet for these settings edu.ksu.cis.rojects.bogor.module.istatefactory= edu.ksu.cis.rojects.bogor.module.roerty.fsa.fsastatefactory edu.ksu.cis.rojects.bogor.ast.transform.isystemtransformer= edu.ksu.cis.rojects.bogor.module.roerty.ltl.ltlsystemtransformer edu.ksu.cis.rojects.bogor.module.isearcher= edu.ksu.cis.rojects.bogor.module.roerty.buechi.nestedfsasearcher edu.ksu.cis.rojects.bogor.module.istatemanager.stateaugmenter= edu.ksu.cis.rojects.bogor.module.roerty.fsa.fsastateaugmenter ltlfunid=mutualexclusion Secification Checking : Temoral Logic