Introduction to Software Verification

Similar documents
Model Checking II Temporal Logic Model Checking

Model Checking: An Introduction

logic language, static/dynamic models SAT solvers Verified Software Systems 1 How can we model check of a program or system?

Temporal Logics. Computation Tree Logic

Algorithmic Software Verification

Formal Verification and Linear-time Model Checking

Software Model Checking: Theory and Practice

Formal Verification by Model Checking

Formal Verification of Software

Development of dynamically evolving and self-adaptive software. 1. Background

Journal of Mathematics Volume 1, Number 1, Summer 2006 pp

Software Modeling and Verification

Testing LTL Formula Translation into Büchi Automata

Software Verification and Testing. Lecture Notes: Temporal Logics

Automata-based Verification - I

CISC422/853: Formal Methods

Fundamentals of Software Engineering

Software Engineering using Formal Methods

T Reactive Systems: Introduction and Finite State Automata

A computational model for MapReduce job flow

LTL Model Checking with Logic Based Petri Nets

2 Temporal Logic Model Checking

Schedule. Logic (master program) Literature & Online Material. gic. Time and Place. Literature. Exercises & Exam. Online Material

Automated Route Planning for Milk-Run Transport Logistics with the NuSMV Model Checker

Formal Verification of Computer Systems - (INFO-F-412)

Model checking test models. Author: Kevin de Berk Supervisors: Prof. dr. Wan Fokkink, dr. ir. Machiel van der Bijl

Checking. E. M. Clarke O. Grumberg K. L. McMillan X. Zhao

Counterexample-guided Design of Property-based Dynamic Software Updates

Software safety - DEF-STAN 00-55

Validated Templates for Specification of Complex LTL Formulas

Business Process Verification: The Application of Model Checking and Timed Automata

From Workflow Design Patterns to Logical Specifications

The Model Checker SPIN

Formal Verification Problems in a Bigdata World: Towards a Mighty Synergy

Static Program Transformations for Efficient Software Model Checking

On the Modeling and Verification of Security-Aware and Process-Aware Information Systems

tutorial: hardware and software model checking

Model Checking of Software

Today s Agenda. Automata and Logic. Quiz 4 Temporal Logic. Introduction Buchi Automata Linear Time Logic Summary

Bounded LTL Model Checking with Stable Models

Fixed-Point Logics and Computation

Using Patterns and Composite Propositions to Automate the Generation of Complex LTL

Model Checking LTL Properties over C Programs with Bounded Traces

Feature Specification and Automated Conflict Detection

Program Synthesis is a Game

Path Querying on Graph Databases

Semantics and Verification of Software

Automata-Based Verification of Temporal Properties on Running Programs Dimitra Giannakopoulou Klaus Havelund

Introduction to SPIN. Acknowledgments. Parts of the slides are based on an earlier lecture by Radu Iosif, Verimag. Ralf Huuck. Features PROMELA/SPIN

Fabio Patrizi DIS Sapienza - University of Rome

A Propositional Dynamic Logic for CCS Programs

CHAPTER 7 GENERAL PROOF SYSTEMS

Rigorous Software Development CSCI-GA

TO APPEAR IN: IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING 1. Proactive Detection of Computer Worms Using Model Checking

Formal Verification Coverage: Computing the Coverage Gap between Temporal Specifications

Digital Design Verification

Slides based in part on previous lectures by Mahesh Vishwanathan, and by Gul Agha January 21,

Formal verification of contracts for synchronous software components using NuSMV

(LMCS, p. 317) V.1. First Order Logic. This is the most powerful, most expressive logic that we will examine.

MODEL CHECKING OF SERVICES WORKFLOW RECONFIGURATION: A PERSPECTIVE ON DEPENDABILITY

CS510 Software Engineering

Aachen. Model Checking of Software for Microcontrollers. Department of Computer Science. Technical Report. Bastian Schlich

Software Reliability: Runtime Verification

VeriTech - A Framework for Translating among Model Description Notations

Institut für Parallele und Verteilte Systeme. Abteilung Anwendersoftware. Universität Stuttgart Universitätsstraße 38 D Stuttgart

Decidable Fragments of First-Order and Fixed-Point Logic

Software Model Checking: Theory and Practice

6.080/6.089 GITCS Feb 12, Lecture 3

Software Model Checking. Equivalence Hierarchy

Verification of multiagent systems via ordered binary decision diagrams: an algorithm and its implementation

Verifying Real-Time Embedded Software by Means of Automated State-based Online Testing and the SPIN Model Checker Application to RTEdge Models

Concepts of Concurrent Computation

Predicate Logic Review

Outline. NP-completeness. When is a problem easy? When is a problem hard? Today. Euler Circuits

Transcription:

Introduction to Software Verification Orna Grumberg Lectures Material winter 2013-14

Lecture 4 5.11.13

Model Checking Automated formal verification: A different approach to formal verification

Model Checking [CE81,QS82] An efficient procedure that receives: A finite-state model describing a system A temporal logic formula describing a property It returns yes, if the system has the property no + Counterexample, otherwise 4

Building a model from a program 5

Back to the Mutual Exclusion Example Two processes with a joint Boolean signal sem Each process P i has a variable v i describing its state: v i := N Non critical v i := T Trying v i := C Critical

Mutual Exclusion Example Each process runs the following program: Atomic action P i :: while (true) { } if (v i == N) v i = T; else if (v i == T && sem) { v i = C; sem = 0; } else if (v i == C) {v i = N; sem = 1; } The full program is: P 1 P 2 Initial state: (v 1 =N, v 2 =N, sem) The execution is interleaving

Mutual Exclusion Example v 1 =N, v 2 =N, sem v 1 =T, v 2 =N, sem v 1 =N, v 2 =T, sem v 1 =C, v 2 =N, sem v 1 =T, v 2 =T, sem v 1 =N, v 2 =C, sem v 1 =C, v 2 =T, sem v 1 =T, v 2 =C, sem

v 1 =N, v 2 =N, sem T 1 v 1 =T, v 2 =N, sem v 1 =N, v 2 =T, sem C 1 v 1 =C, v 2 =N, sem v 1 =T, v 2 =T, sem v 1 =N, v 2 =C, sem C 1,T 2 v 1 =C, v 2 =T, sem v 1 =T, v 2 =C, sem We define atomic propositions: AP={C 1,C 2,T 1,T 2 ) A state is marked with T i if v i =T A state is marked with C i if v i =C

T 1 T 2 C 1 T 1,T 2 C 2 C 1,T 2 T 1,C 2 Property 1: AG (C 1 C 2 ) Property 2: AG((T 1 FC 1 ) (T 2 FC 2 ))

Temporal Logic

Kripke Structure M=(S,R,L,S 0 ) Given AP finite set of atomic proposition S (finite) set of states R S S total transition relation For every s S there exists s S such that (s,s ) R. Totality means that every path is infinite L:S 2 AP - labeling function that associates every state with the atomic propositions true in that state S 0 S set of initial states (optional)

= s 0,s 1, is a path in M from a state s if s = s 0 and R(s i,s i+1 ) for every I i the suffix of starting at s i 13

Temporal Logics Express properties of event orderings in time Linear Time Every moment has a unique successor Infinite sequences (words) Linear Time Temporal Logic (LTL) Branching Time Every moment has several successors Infinite tree Computation Tree Logic (CTL) 14

Propositional Temporal Logic AP a set of atomic propositions, p AP Temporal operators: Xp Gp Fp puq Path quantifiers: A for all path E there exists a path 15

State formulas: p AP CTL* g 1, g 1 g 2, g 1 g 2 where g 1,g 2 are state formulas Ef, Af where f is a path formula Path formulas: Every state formula g is a path formula f 1, f 1 f 2, f 1 f 2, Xf 1, Gf 1, Ff 1, f 1 Uf 2 where f 1,f 2 are path formulas CTL* - set of all state formulas 16

Semantics of CTL* The truth value of CTL* formula f is determined with respect to A Kripke structure M = (S, R, L), and A state s S, if f is a state formula A path, if f is a path formula 17

Semantics of CTL* 18

Semantics of CTL* 19

Semantics of CTL* 20

Semantics of CTL* 21

Semantics of CTL* 22

Semantics of CTL* 23

Semantics of CTL* 24

Semantics of Path Formulas If p,q are state formulas then: Xp Gp Fp puq But in the general case, they can be path formulas 25

Semantics of CTL* 26

LTL/CTL/CTL* LTL state formulas of the form A - path formula, contains no path quantifiers interpreted over infinite computation paths CTL state formulas where path quantifiers and temporal operators appear in pairs: AG, AU, AF, AX, EG, EU, EF, EX interpreted over infinite computation trees CTL* - Allows any combination of temporal operators and path quantifiers. Includes both LTL and CTL 27

State formulas: LTL Af where f is a path formula Path formulas: p AP f 1, f 1 f 2, f 1 f 2, Xf 1, Gf 1, Ff 1, f 1 Uf 2 where f 1,f 2 are path formulas LTL - set of all state formulas 28

CTL CTL - set of all state formulas p AP g 1, g 1 g 2, g 1 g 2 AG g 1, A g 1 U g 2, AF g 1, AX g 1, EG g 1, E g 1 U g 2, EF g 1, EX g 1 where g 1,g 2 are state formulas 29

Semantics of CTL Recall: path =s 0,s 1, M,s p p L(s) for p AP M,s 1 2 M,s 1 or M,s 2 M,s EX there is s s.t. R(s,s ) and M,s M,s EG there is a path from s, s.t. for every i 0, M,s i 30

Semantics of CTL M,s E[ 1 U 2 ] there is a path from s and there is k 0 s.t. M,s k 2 and for every k>i 0, M,s i 1 M,s AG for every path from s and for every i 0, M,s i M,s AF for every path from s there exists i 0 s.t. M,s i 31

Examples (LTL) AG (start ready) AG (req F ack) A GF enbled A FG deadlock A (GF enbled GF running) Cannot express existential properties: from any state the system can 32

Examples (CTL) EF (start ready) AG (req AF ack) AG (AF enbled) AF (AG deadlock) AG (EF restart) AG (non_critical EX tryring) AG (try A[try U succeed]) 33

Illustration of CTL Semantics EFp : AFp : exists reachable state s.t. EGp : AGp : all reachable states. 34

Property types Universal Existential Safety AGp EGp Liveness AFp EFp 35

Examples 36

Equivalence 37

Expressiveness,, X, U, E suffice to express all CTL*: Ff true U f Gf F ( f) Af E ( f) EG f E F ( f) E [true U ( f)] In CTL: EX, EG, EU are sufficient A [puq] ( EG q) E[ q U ( p q)] 38

LTL vs. CTL A (FG p) has no equivalent in CTL in all paths, p globally holds from some point on Failed attempts: AFAGP : in every path there is a point from which all reachable states satisfy p. s 0 p s 1 s 2 p - s 0,s 0,s 0, - s 0,s 0, s 0,s 1,s 2,s 2,s 2 All paths satisfy FGp But first one does not sat FAGp 39

LTL vs. CTL A (FG p) has no equivalent in CTL in all paths, p globally holds from some point on What about AFEGP? in every path there is a point from which there is a path where p globally holds s 0 s All paths satisfy FEGp 1 p - since s 1 sat EGp But s 0,s 1,s 0,s 1,s 0,s 1 does not sat FGp 40

LTL vs. CTL AG (EFp) has no equivalent in LTL all reachable states can reach p Failed attempt: AGFp : in all paths, p holds infinitely many times. s 0 s 1 All reachable states (s 0, s 1 ) satisfy EFp p But s 0,s 0,s 0, does not satisfy GFp 41

LTL and CTL vs. CTL* E (GFp) has no equivalent in LTL or CTL 42

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information