Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Published byMarcus Hendley Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems."— Presentation transcript:

1 1 Model checking

2 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems (textutal representation), or, equivalenely, with a Kripke structures (automata representation).

3 3 Kripke structures A convenient model for describing reactive systems Implicitly all states are accepting. M= h S, , I, L i S: States (finite).  µ S x S is the transition relation. I µ S are the Initial states. L: S ) 2 AP (where AP is a set of atomic propositions) Convention: we will only write the positive literals.

4 4 A Kripke structure Note: the alphabet is NOT the set AP. Rather it is 2 AP

5 From a Kripke structure to a Buchi automata Given a Kripke structure M= h S,  , I M, L i......we can build an equivalent Buchi automata B M = h , S, ¢, I, F i where  = 2 Prop S // same states (s, t) 2 ¢ iff (s,t) 2 ¢ M and a = L(s) // transition relation I = I M // same initial state F = S //every state is accepting

6 Example The system: M = p,q p becomes the Buchi automaton (recall: a transition is labelled with an element of 2 AP ) p,q   p p Recall that this is {  p,  q}

7 7 Correctness condition An LTL formula  a set of allowed computations ( ‘ models ’ ). A Kripke structure M = a set of computations. Are the computations of M models of 

8 8 Correctness All sequences Sequences satisfying Spec Program computations

9 9 Incorrectness All sequences Sequences satisfying Spec Program computations Counter examples

10 10 Model-Checking: formally Language of a model M: L (M) Language of a specification  : L (  ). We need: L (M)  L (  ). This is called Model-Checking If yes, we write M ²  

11 11 Model checking – example p q,x p,x p,y M BB M ²  ?  : G (p U q) Let  = s 0,s 1 .  2 L (M) but   L (B  ). Hence L(M) * L (B  ). s0s0 s1s1 s2s2 model spec q

12 12 How to model-check? Show that L(Model)  L(Spec). Equivalently: Show that L(Model)  L(Spec) = Ø. How? Check that A model £ A : Spec is empty. M S M : S M µ S M Å : S  ;

13 13 What do we need to know? 1.How to translate from LTL to an automaton ? 2.How to complement an automaton? 3.How to intersect two automata? 4.How to check for emptiness of an automaton ? L(Model)  L(Spec) = Ø.

14 14 How to complement? Complementation is hard! We know how to translate an LTL formula to a Buchi automaton. So we can: Build an automaton A for , and complement A, or Negate the property, obtaining ¬  (the sequences that should never occur). Build an automaton for ¬ .

15 15 But... reacall... Theoretically, model checking gives us a proof of correctness Practically, it mainly attempts to increase reliability: Automated systematic debugging VERY good at finding errors! Why ? Possible bugs in the model checker Capacity limitations Wrong or missing properties...

16 16 From programs to Kripke structures Supposed that we wish to model-check a program / concurrent program – How can we represent it as a Kripke structure ?

17 17 Kripke structures Kripke structures are suitable for modeling a synchronous system. When we move from state s to state s ’, the values of the atoms in the state are changed synchronously. Is this the case for programs ? How can we describe programs as transition systems?

18 18 Programs as transition systems Programs we know are sequential. What is the result of this computation :... x = y; y = x; We need to model the location in the program We will use a variable called the program counter (PC)

19 19 L 0 :While True do nc 0 :wait (Turn=0); cr 0 :Turn=1 T0: (pc 0 =L 0, pc 0 =nc 0 ) T1: (pc 0 =nc 0 Æ Turn=0, pc 0 =cr 0 ) T2: (pc 0 =cr 0, pc 0 = L 0 Æ Turn=1) T3: (pc 1 =L 1, pc 1 =nc 1 ) T4: (pc 1 =nc 1 Æ Turn=1, pc 1 =cr 1 ) T5: (pc 1 =cr 1, pc 1 = L 1 Æ Turn = 0) Initially: pc 0 =L 0 Æ pc 1 =L 1 L 1 :While True do nc 1 :wait (Turn=1); cr 1 :Turn=0 || Possible transitions: Example: A program that maintains mutual exclusion

20 20 And now as a Kripke structure Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 PC 0 = L 0, PC 1 = L 1

21 21 Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 G : (pc 0 =cr 0 Æ pc 1 =cr 1 ) (a safety property)

22 22 Turn=0 L 0,L 1 Turn=0 L 0,nc 1 Turn=0 nc 0,L 1 Turn=0 cr 0,nc 1 Turn=0 nc 0,nc 1 Turn=0 cr 0,L 1 Turn=1 L 0,cr 1 Turn=1 nc 0,cr 1 Turn=1 L 0,nc 1 Turn=1 nc 0,nc 1 Turn=1 nc 0,L 1 Turn=1 L 0,L 1 G(Turn=0 ! F Turn=1) (a liveness property)

23 23 What properties can we check? Examples: Invariants: a property that has to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed?

24 24 If it is so good, is this all we need? Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures: queues trees stacks Parametric algorithms and systems.

25 25 The state space explosion problem Need to represent the state space of a program in the computer memory. Each state can be as big as the entire memory! Many states: Each integer variable has 2 32 possibilities. Two such variables have 2 64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes.

26 26 If it is so constrained, is it of any use? Many protocols are finite state. Many programs or procedures are finite state in nature. Can use abstraction techniques.

27 27 If it is so constrained, is it of any use? Sometimes it is possible to decompose a program, and prove part of it by model checking and part by other methods. Many techniques to reduce the state space explosion We will NOT learn about such techniques, but let us mention some names: Data structures such as Binary Decision Diagrams, Reductions, such as Partial Order Reduction.

Download ppt "1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 1.

Model Checking Lecture 1.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Similar presentations

Ads by Google