formal verification, model checking
TRANSCRIPT
![Page 1: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/1.jpg)
Introduction Modeling Specification Algorithms Conclusions
Formal Verification, Model Checking
Radek Pelanek
![Page 2: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/2.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Formal Methods: Motivation
examples of what can go wrong – first lecture
non-intuitiveness of concurrency (particularly with sharedresources)
mutual exclusionadding puzzle
![Page 3: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/3.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Formal Methods
Formal Methods
‘Formal Methods’ refers to mathematically rigorous techniquesand tools for
specification
design
verification
of software and hardware systems.
![Page 4: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/4.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Formal Verification
Formal Verification
Formal verification is the act of proving or disproving thecorrectness of a system with respect to a certain formalspecification or property.
![Page 5: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/5.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Formal Verification vs Testing
formal verification testingfinding bugs medium goodproving correctness good -cost high small
![Page 6: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/6.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Types of Bugs
likely rareharmless testing not importantcatastrophic testing, FV FV
![Page 7: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/7.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Formal Verification Techniques
manual human tries to produce a proof of correctness
semi-automatic theorem proving
automatic algorithm takes a model (program) and aproperty; decides whether the model satisfiesthe property
We focus on automatic techniques.
![Page 8: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/8.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Application Domains of FV
generally safety-critical systems: a system whose failurecan cause death, injury, or big financial loses (e.g.,aircraft, nuclear station)
particularly embedded systems
often safety criticalreasonably small and thus amenable to formalverification
![Page 9: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/9.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Well Known Bugs
Ariane 5 explosion on its first flight; caused by reuse ofsome parts of a code from its predecessor withoutproper verification
Therac-25 radiation therapy machine; due to a softwareerror, six people are believed to die because ofoverdoses
Pentium FDIV design error in a floating point division unit;Intel was forced to offer replacement of all flawedprocessors
![Page 10: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/10.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Outlook
this lecture (foundations):
basics of a model checking techniqueoverview of modeling formalisms, logicsbasic algorithms
next lectures (real-time, applications):
theory: timed automataextensions for practical modelingverification tool Uppaalcase studies, realistic examples
![Page 11: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/11.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Goal of the Lecture
goal: to understand the basic principles of modelchecking technique
important for efficient use of a model checking tool
![Page 12: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/12.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Overlap with Other Courses
IV113 Introduction to Validation and Verification
IA159 Formal Verification Methods
IA040 Modal and Temporal Logics for Processes
IA006 Selected topics on automata theory
verification in this course:
foundations only briefly
real-time aspects
![Page 13: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/13.jpg)
Introduction Modeling Specification Algorithms Conclusions
Motivation
Contents
2 ModelingGuarded Command LanguageFinite State MachinesOther Modeling Formalisms
3 SpecificationTypes of PropertiesTemporal LogicsTimed Logics
4 AlgorithmsState Space SearchLogic VerificationState Space Explosion
![Page 14: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/14.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking
Model Checking
automatic verification technique
user produces:
a model of a systema logical formula which describes the desired properties
model checking algorithm:
checks if the model satisfies the formulaif the property is not satisfied, a counterexample isproduced
![Page 15: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/15.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking
Model Checking (cont.)
specification
��
system
��
temporal logic
!)KKKKKKKKKKKKKKKKKK
KKKKKKKKKKKKKKKKKKformalmodel
w� xxxxxxxxxxxxxx
xxxxxxxxxxxxxx
model checking
![Page 16: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/16.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking
State Space
model checking algorithms are based on state spaceexploration, i.e., “brute force”
state space describes all possible behaviours of the model
state space ∼ graph:
nodes = states of the systemedges = transitions of the system
in order to construct state space, the model must beclosed, i.e., we need to model environment of the system
![Page 17: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/17.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking
Example: Model and State Space
![Page 18: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/18.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking
Model Checking: Steps
1 modeling: system → model
2 specification: natural language specification → propertyin formal logic
3 verification: algorithm for checking whether a modelsatisfies a property
![Page 19: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/19.jpg)
Introduction Modeling Specification Algorithms Conclusions
Modeling Formalisms
guarded command language simple low level modelinglanguage
finite state machines usually extended with variables,communication
Petri Nets graphical modeling language
process algebra infinite state systems
timed automata focus of the next lecture
![Page 20: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/20.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Guarded Command Language
the simplest modeling language
not useful for actual modeling
simple to formalize
we discuss formal syntax and semanticsfoundation for later discussion of timed automata
![Page 21: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/21.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Guarded Command Language
integer variables
rules:if condition then update
conditions: boolean expressions over variables
updates: sequences of assignments to variables
![Page 22: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/22.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Example
a : if x = 0 then x := 1b : if y < 2 then y := y + 1c : if x = 1 ∧ y ≥ 1 then x := 0, z := 1
Notes:
this is an artificial example (does not model anythingmeaningful)
a, b, c are names of actions
no control flow
rules executed repeatedly
initial state: x = 0, y = 0, z = 0
![Page 23: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/23.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Syntax
let V be a finite set of integer variables
expressions over V are defined using standard boolean(=, <) and binary (+,−, ·, ...) operations
model is a tuple M = (V ,E )
E = {t1, . . . , tn} is a finite set of transitions, whereti = (gi , ui):
predicate gi (a boolean expression over V )update ui (~x) (a sequence of assignments over V )
![Page 24: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/24.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Semantics
The semantics of model M is a state space (formally calledKripke structure) JMK = (S ,→, s0, L) where
states S are valuations of variables, i.e., V → Zs → s ′ iff there exists (gi , ui) ∈ T such thats ∈ JgiK, s ′ = ui(s)
semantics JgiK of guards and ui (s) is the natural one
s0 is the zero valuation (∀v ∈ V : s0(v) = 0)
![Page 25: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/25.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Example
a : if x = 0 then x := 1b : if y < 2 then y := y + 1c : if x = 1 ∧ y ≥ 1 then x := 0, z := 1
Construct the state space.
![Page 26: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/26.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Example
a : if x = 0 then x := 1b : if y < 2 then y := y + 1c : if x = 1 ∧ y ≥ 1 then x := 0, z := 1
![Page 27: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/27.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Application
simple to formalize, powerful (Turing power)
not suitable for “human” use
some simple protocols can be modeled
control flow – variable pc (program counter)
![Page 28: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/28.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Example: Ticket Protocol
![Page 29: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/29.jpg)
Introduction Modeling Specification Algorithms Conclusions
Guarded Command Language
Example: Ticket Protocol
pc1 := 0; pc2 := 0;
t := 0; s := 0; a1 := 0; a2 := 0;
pc1 = 0 -> pc1 := 1, a1 := t, t := t + 1;
pc1 = 1 && a1 <= s -> pc1 := 2;
pc1 = 2 -> pc1 := 0, s := s + 1;
pc2 = 0 -> pc2 := 1, a2 := t, t := t + 1;
pc2 = 1 && a2 <= s -> pc2 := 2;
pc2 = 2 -> pc2 := 0, s := s + 1;
![Page 30: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/30.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Extended Finite State Machines
each process (thread) is modelled as one finite statemachine (machine state = process program counter)
machines are extended with variables:
local computation: guards, updatesshared memory communication
automata can communicate via channels (with valuepassing):
handshake (rendezvous, synchronous communication)asynchronous communication via buffers
![Page 31: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/31.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Peterson’s Algorithm
flag[0], flag[1] (initialed to false) — meaning Iwant to access CS
turn (initialized to 0) — used to resolve conflicts
Process 0:while (true) {
<noncritical section>;flag[0] := true;turn := 1;while flag[1] and
turn = 1 do { };<critical section>;flag[0] := false;
}
Process 1:while (true) {
<noncritical section>;flag[1] := true;turn := 0;while flag[0] and
turn = 0 do { };<critical section>;flag[1] := false;
}
![Page 32: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/32.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Peterson’s Algorithm
Exercise: create a model of Peterson’s Algorithm usingextended finite state machines, i.e., of the following type:
![Page 33: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/33.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Peterson’s Algorithm
![Page 34: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/34.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Art of Modeling
choosing the right level of abstraction
depends on purpose of the model, assumption about thesystem, ...
example: if x == 0 then x := x + 1
one atomic transitiontwo transitions: test, update (allows interleaving)multiple “assembler level” transitions: if, load, add, store
![Page 35: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/35.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
EFSM: Semantics
formal syntax and semantics defined in similar way as forguarded command language
just more technical, basic idea is the same
note: state space can be used to reason about the model– e.g., to prove mutual exclusion requirements (cf.Assignment 1)
![Page 36: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/36.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Peterson’s Algorithm
![Page 37: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/37.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Communication Protocol
![Page 38: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/38.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Elevator
![Page 39: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/39.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Example: Elevator
![Page 40: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/40.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Application: Verification of Link Layer Protocol
![Page 41: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/41.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Layer Link Protocol of the IEEE-1394
model of the “FireWire” high performance serial bus
n nodes connected by a serial line
protocol consists of three stack layers:
the transaction layerthe link layerthe physical layer
link layer protocol – transmits data packets over anunreliable medium to a specific node or to all nodes(broadcast)
transmission can be performed synchronously orasynchronously
![Page 42: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/42.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
![Page 43: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/43.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
Notes
link layer
main focus of verificationmodeled in high detail
transportation layer, physical layer (bus)
“environment” of link layermodeled only abstractly
![Page 44: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/44.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
![Page 45: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/45.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
![Page 46: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/46.jpg)
Introduction Modeling Specification Algorithms Conclusions
Finite State Machines
![Page 47: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/47.jpg)
Introduction Modeling Specification Algorithms Conclusions
Other Modeling Formalisms
Timed Automata
extension of finite state machines with clocks (continuoustime)
next lecture
![Page 48: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/48.jpg)
Introduction Modeling Specification Algorithms Conclusions
Other Modeling Formalisms
Petri Nets: Small Example
graphical formalism (place, transitions, tokens)
![Page 49: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/49.jpg)
Introduction Modeling Specification Algorithms Conclusions
Other Modeling Formalisms
Petri Nets: Realistic Model
![Page 50: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/50.jpg)
Introduction Modeling Specification Algorithms Conclusions
Other Modeling Formalisms
Process Algebra
Aa−→ XX
Xb−→ A ‖ B
basic process algebra (BPA), basic parallel processes(BPP)
infinite state system modeling (e.g., recursion)
mainly theoretical research
![Page 51: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/51.jpg)
Introduction Modeling Specification Algorithms Conclusions
Specification of Properties
properties the verified system should satisfy
expressed in a formal logic
![Page 52: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/52.jpg)
Introduction Modeling Specification Algorithms Conclusions
Types of Properties
Safety and Liveness
safety liveness“nothing bad ever hap-pens”
“something good eventu-ally happens”
example: error state isnever reached
example: when a requestis issued, eventually a re-sponse is generated
verification = reachabilityproblem, find a run whichviolates the property
verification = cycle detec-tion, find a run in whichthe ‘good thing’ is post-poned indefinitely
![Page 53: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/53.jpg)
Introduction Modeling Specification Algorithms Conclusions
Types of Properties
Examples of Safety Properties
no deadlock
mutual exclusion is satisfied
a corrupted message is never marked as a good one
the wheels are in a ready position during the landing
![Page 54: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/54.jpg)
Introduction Modeling Specification Algorithms Conclusions
Types of Properties
Examples of Liveness Properties
each process can eventually access critical section
each request will be satisfied
a message is eventually transmitted
there will be always another sunrise
![Page 55: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/55.jpg)
Introduction Modeling Specification Algorithms Conclusions
Temporal Logics
Temporal Logic
temporal logic is a formal logic used to reason aboutsequences of events
there are many temporal logics (see the course IA040)
the main classification: linear X branching
![Page 56: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/56.jpg)
Introduction Modeling Specification Algorithms Conclusions
Temporal Logics
Linear Temporal Logic (LTL)
X φ neXt
F φ Future
G φ Globally
ψ U φ Until
![Page 57: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/57.jpg)
Introduction Modeling Specification Algorithms Conclusions
Temporal Logics
LTL: Examples
a message is eventually transmitted F transmiteach request will be satisfied G (request ⇒ F response)there will be always another sunrise G F sunrisethe road will be dry until it rains dry U rainsprocess waits until it access CS wait U CS
![Page 58: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/58.jpg)
Introduction Modeling Specification Algorithms Conclusions
Temporal Logics
LTL: Examples
What is expressed by these formulas? For each formula draw asequence of states such that the formula is a) satisfied, b) notsatisfied.
GFa
FGa
G(a⇒ Fb)
aU(bUc)
(aUb)Uc
![Page 59: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/59.jpg)
Introduction Modeling Specification Algorithms Conclusions
Timed Logics
Timed Logics
classical temporal logics
good for reasoning about sequences of statesmay be insufficient for dealing with real time
real time extensions
![Page 60: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/60.jpg)
Introduction Modeling Specification Algorithms Conclusions
Timed Logics
Metric Interval Temporal Logic (MITL)
extension of LTL
temporal operator can be restricted to certain interval
examples:
G(req ⇒ F≤3serv)any request will be serviced within three time unitsdry U[12,14] rainsafter lunch it will rain, until that the road will be dry
![Page 61: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/61.jpg)
Introduction Modeling Specification Algorithms Conclusions
Timed Logics
Specification in Practice
timed logics – mainly theoretical research
practical specification of properties:
classical temporal logicsoften limited subset or only specific patterns
![Page 62: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/62.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Search
State Space Search
construction of the whole state space
verification of simple safety properties (e.g., mutualexclusion) = basically classical graph traversal(breadth-first or depth-first search)
graph is represented implicitly = constructed on-demandfrom the model (description)
![Page 63: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/63.jpg)
Introduction Modeling Specification Algorithms Conclusions
Logic Verification
Logic Verification
transformation to automata
Buchi automaton: finite automaton over infinite words
a word is accepted if the run of the automaton visits anaccepting state infinitely often (compare with a final statefor finite words)
![Page 64: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/64.jpg)
Introduction Modeling Specification Algorithms Conclusions
Logic Verification
Example
property: G(req ⇒ Fserv)negation: F(req ∧ G¬serv)
![Page 65: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/65.jpg)
Introduction Modeling Specification Algorithms Conclusions
Logic Verification
Product Automaton
property φ → automaton for the negation of the propertyA¬φ
state space of the model S + automaton A¬φ → productautomaton S × A¬φ
product automaton represents erroneous runs
![Page 66: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/66.jpg)
Introduction Modeling Specification Algorithms Conclusions
Logic Verification
Product Automaton: Emptiness Check
model satisfies property ⇔ the language of the productautomaton is empty
verification is reduced to non-emptiness check of productautomaton
Buchi automata: non-emptiness check is performed by(accepting) cycle detection
![Page 67: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/67.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
State Space Explosion
size of the state space grows very quickly (with respect tosize of the model)
the worst case: exponential increase (next slide)
theory: most interesting model checking problems arePSPACE-complete
practice: the worst case does not occur, neverthelessmemory/time requirements are very high
![Page 68: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/68.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
Example
For n processes the number of states is 2n + n · 2n−1.
![Page 69: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/69.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
Dealing with State Space Explosion
abstraction
reduction techniques
efficient implementations
![Page 70: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/70.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
Abstraction
data abstraction (e.g., instead of N use {blue, red})automated abstraction
abstract - model check - refine
![Page 71: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/71.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
Reduction Techniques
symmetry – consider only one of symmetric states
partial order – consider only one of equivalentinterleavings
compositional construction – build the state space in steps
![Page 72: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/72.jpg)
Introduction Modeling Specification Algorithms Conclusions
State Space Explosion
Efficient Implementations
efficient representation of states, sets of states (symbolicmethods — Binary Decision Diagrams)
low level optimizations (e.g. memory management)
distributed algorithms on networks of workstations
randomization, heuristics – guiding toward errors
![Page 73: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/73.jpg)
Introduction Modeling Specification Algorithms Conclusions
Model Checking: History
80’: basic algorithms, automata theory, first simple tools,small examples
early 90’: reduction techniques, efficient versions of firsttools, applications to protocol verification
late 90’: extensions (timed, probabilistic), firstcommercial applications for hardware verification
state of the art: automatic abstraction, combination withother techniques, research tools for software verification,hardware verification widely adopted
![Page 74: Formal Verification, Model Checking](https://reader031.vdocuments.mx/reader031/viewer/2022021500/586774421a28abad638b68d5/html5/thumbnails/74.jpg)
Introduction Modeling Specification Algorithms Conclusions
Summary
formal verification
model checking: modeling, specification, verification
modeling formalisms: guarded command language, finitestate machines, Petri nets, ...
formal property specification: temporal logics
algorithms: state space search, Buchi automata,techniques for reducing state space explosion