Algorithmic Software Verification (LTL Model Checking) Azadeh Farzan
What is Verification Anyway? Proving (in a formal way) that program satisfies a specification written in a logical language. Formal models for programs. Logics for specifications. Algorithms for checking the model against the specification.
First Step: We need a formal model!
Finite State Machines F SM =(Σ, X, {D x } x X, Q, Q 0, λ, δ) Σ X D x Q Q 0 Q λ δ Q Σ Q finite set of actions. finite set of variables. domain of x for all x X. finite set of states. set of initial states. q (x D x ) transition relation.
Extended Finite State Machines EF SM =(Σ, X, {D x } x X, L, L 0, G, δ) Σ X D x L L 0 L G δ finite set of actions. finite set of variables. domain of x for all x X. finite set of control locations. set of initial locations. predicates (guards) over variables. transition relation.
Kripke Structures An FSM where: D x = {true, false}
Kripke Structures An FSM where: D x = {true, false} In short: M =(Q, Q 0, AP, L : Q 2 AP, δ)
Reachability in FSMs Problem: given an FSM, and a target set T, is T reachable from Q 0. Solution?
Reachability in FSMs Problem: given an FSM, and a target set T, is T reachable from Q 0. Solution? Depth First Search, in O(n) time.
Reachability in FSMs Problem: given an FSM, and a target set T, is T reachable from Q 0. Solution? Depth First Search, in O(n) time. DFS(q) Add q to visited_states; for each q such that q -a-> q if q in T print "YES!"; halt; else if q not in visited_states DFS(q )
Model Checking FSMs Given an FSM M for the model and an FSM S for the specification: Question: Is every behavior of M a behavior of S? L(M) L(S) Solvable in PSpace: linear in M and exponential in S.
Exercise I 3 cannibals and 3 missionaries are on the left side of a river. There is 1 boat that can carry two people. (The boat of course needs to be ferried by at least one person). If at any point, there are more cannibals than missionaries on one bank, the cannibals eat the missionaries. Model all the possibilities of movement between the banks using an EFSM. The EFSM should have at least two locations, one for the configurations where the boat is on the left bank, and one for configurations where it is on the right. Also, model it such that checking whether all of them can get safely across to the right side reduces to reachability in the model.
Temporal Logic (A language for writing specifications) Language for describing properties of infinite sequences. Extension of propositional logic (or firstorder logic). Uses temporal operators to describe sequencing properties.
Temporal Logic Interpreted on sequences of states. Each state in the sequence gives a truth value to atomic propositions. Temporal operators indicate in which states the formula should be interpreted.
Temporal Operators (Next) formula is true in the next state. : (eventually) formula is true in some future state. : (Always) formula is true in all future states. U: (Until) binary operator. R: (Release) binary operator.
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Examples p,q p, q p,q p,q p,q p q (p q) (p q) p ( p q)
Temporal Logic (Syntax) true, false,p, or p where p P is an atomic proposition. φ 1 φ 2 or φ 1 φ 2, where φ 1 and φ 2 are LTL formulas. φ 1, φ 1 U φ 2, or φ 1 R φ 2, where φ 1 and φ 2 are LTL formulas.
Temporal Logic (Syntax) true, false,p, or p where p P is an atomic proposition. φ 1 φ 2 or φ 1 φ 2, where φ 1 and φ 2 are LTL formulas. φ 1, φ 1 U φ 2, or φ 1 R φ 2, where φ 1 and φ 2 are LTL formulas. Two useful abbreviations:
Temporal Logic (Syntax) true, false,p, or p where p P is an atomic proposition. φ 1 φ 2 or φ 1 φ 2, where φ 1 and φ 2 are LTL formulas. φ 1, φ 1 U φ 2, or φ 1 R φ 2, where φ 1 and φ 2 are LTL formulas. Two useful abbreviations: φ = true U φ φ = false R φ
Temporal Logic (Semantics) The semantics of LTL is defined with respect to paths. For a path π : N 2 P, let π i represent the suffix of π when the first i states are removed.
Temporal Logic (Semantics) The semantics of LTL is defined with respect to paths. For a path π : N 2 P, let π i represent the suffix of π when the first i states are removed. For all π, we have π = true and π = false.
Temporal Logic (Semantics) The semantics of LTL is defined with respect to paths. For a path π : N 2 P, let π i represent the suffix of π when the first i states are removed. For all π, we have π = true and π = false. π = p iff p π(0).
Temporal Logic (Semantics) The semantics of LTL is defined with respect to paths. For a path π : N 2 P, let π i represent the suffix of π when the first i states are removed. For all π, we have π = true and π = false. π = p iff p π(0). π = p iff p π(0).
Temporal Logic (Semantics) The semantics of LTL is defined with respect to paths. For a path π : N 2 P, let π i represent the suffix of π when the first i states are removed. For all π, we have π = true and π = false. π = p iff p π(0). π = p iff p π(0). π = φ 1 φ 2 iff π = φ 1 and π = φ 2.
Temporal Logic (Semantics)
Temporal Logic (Semantics) π = φ 1 φ 2 iff π = φ 1 or π = φ 2.
Temporal Logic (Semantics) π = φ 1 φ 2 iff π = φ 1 or π = φ 2. π = φ iff π 1 = φ.
Temporal Logic (Semantics) π = φ 1 φ 2 iff π = φ 1 or π = φ 2. π = φ iff π 1 = φ. π = φ 1 U φ 2 iff i 0 such that π i = φ 2 and 0 j < i, we have π j = φ 1.
Temporal Logic (Semantics) π = φ 1 φ 2 iff π = φ 1 or π = φ 2. π = φ iff π 1 = φ. π = φ 1 U φ 2 iff i 0 such that π i = φ 2 and 0 j < i, we have π j = φ 1. π = φ 1 R φ 2 iff i 0 such that π i = φ 2, 0 j < i such that π j = φ 1.
Negation?
Negation? π = φ iff π = ( φ 1 )
Negation? π = φ iff π = ( φ 1 ) π = φ 1 U φ 2 iff π = ( φ 1 ) R( φ 2 )
Negation? π = φ iff π = ( φ 1 ) π = φ 1 U φ 2 iff π = ( φ 1 ) R( φ 2 ) π = φ 1 R φ 2 iff π = ( φ 1 ) U( φ 2 )
But, how do I get an FSM from a formula???
From LTL to Automata Given a LTL formula φ built from a set of atomic propositions construct an automaton on infinite words over the alphabet that accepts exactly the infinite sequences satisfying. φ 2 P P
From LTL to Automata Given a LTL formula φ built from a set of atomic propositions construct an automaton on infinite words over the alphabet that accepts exactly the infinite sequences satisfying. φ 2 P P Example: p
From LTL to Automata Given a LTL formula φ built from a set of atomic propositions construct an automaton on infinite words over the alphabet that accepts exactly the infinite sequences satisfying. φ 2 P P Example: p, {p} {p}
Tutorial on Büchi Automata