Presentation is loading. Please wait.

Presentation is loading. Please wait.

Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, 2008-05-19 Open Implication.

Published byScott Boone Modified over 8 years ago

Similar presentations

Presentation on theme: "Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, 2008-05-19 Open Implication."— Presentation transcript:

1 Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, 2008-05-19 Open Implication

2 Institute for Applied Information Processing and Communications 2 Karin Greimel Semmering, 2008-05-19 Open Implication Outline Context Introduction –LTL specifications, systems –example Formal Definition, Complexity Algorithms –with optimal complexity –Safraless –GR(1) Experimental Results Summary

3 Institute for Applied Information Processing and Communications 3 Karin Greimel Semmering, 2008-05-19 Open Implication Big Picture What do HW and SW designers do? 1.Write a specification 2.Implement system 3.Check if sys. realizes spec. 4.Debug Our idea of HW/SW design: 1.Write specification 2.Automatically construct 3.Relax

4 Institute for Applied Information Processing and Communications 4 Karin Greimel Semmering, 2008-05-19 Open Implication LTL Specifications Linear Temporal Logic: High level specification language Boolean logic + temporal operators (X, G, F, U) Semantics defined over infinite sequences (= words = traces) Describe behavior of open systems Open system ( = Moore machine = transducer): Interacts with its environment (output and input variables) Examples: controller for elevator, traffic light, arbiter for a bus Definitions: An open system realizes an LTL formula iff all traces of the open system satisfy the formula. Verification: Does a given system realize the specification. Realizability: Is there an open system that realizes a given spec.? Synthesis: Automatically construct an open system realizing the spec..

5 Institute for Applied Information Processing and Communications 5 Karin Greimel Semmering, 2008-05-19 Open Implication LTL Specifications - Example Part of a requirement for an arbiter: a... acknowledgement, output variable r... request, input variable f = GF(r) → G(a→X(¬a)) If there is always a request at some point, then always if there is an ack., there is no ack. in the next step. Open system realizing f, all traces satisfy f:

6 Institute for Applied Information Processing and Communications 6 Karin Greimel Semmering, 2008-05-19 Open Implication Example Equivalence Are f and g equivalent? Consider w = (a,¬r) ω, w satisfies f but not g. Find an open system which realizes f but not g? f = GF(r) → G(a→X(¬a)) g = G(a→X(¬a)) Not equivalent!

7 Institute for Applied Information Processing and Communications 7 Karin Greimel Semmering, 2008-05-19 Open Implication Definitions Motivation: Synthesis of g: find a smaller specification f such that f → o g and synthesise f. Verification of g: find a smaller specification f such that f → o g and f → o g and verify f. Definition: Given two LTL formulas f and g, f open-implies g (f → o g) if all open systems realizing f also realize g. Definition: Given two LTL formulas f and g, f trace-implies g if all traces satisfying f also satisfy g.

8 Institute for Applied Information Processing and Communications 8 Karin Greimel Semmering, 2008-05-19 Open Implication Comparison Definition of equivalence of LTL specifications with respect to open systems and with respect to traces. + Open-implication is weaker: f = GF(r) → G(a→X(¬a)) and g = G(a→X(¬a)) are not trace equivalent but open equivalent. - Open-implication has a very high complexity: same complexity as realizability, consider f → o false, 2EXP.

9 Institute for Applied Information Processing and Communications 9 Karin Greimel Semmering, 2008-05-19 Open Implication Characteristic f = GF(r) → G(a→X(¬a)) g = G(a→X(¬a)) Not trace equivalent (a,¬r) ω but open equivalent. Start with (a,¬r). Can not continue with a. (a,¬r) ω is f-clairvoyant. The difference between f trace-implies g and f open-implies g are f-clairvoyant words.

10 Institute for Applied Information Processing and Communications 10 Karin Greimel Semmering, 2008-05-19 Open Implication Algorithm - Idea Find an open system that realizes f but not g, then ¬(f → o g): –An open system does not realize g iff there exists a trace that satisfies ¬g. Calculate realizability for f and satisfiability for ¬g simultaneously. An open system can be represented by a tree: every trace of the open system corresponds to a path in the tree.

11 Institute for Applied Information Processing and Communications 11 Karin Greimel Semmering, 2008-05-19 Open Implication Algorithm with optimal complexity 1) Realizability (2EXP): –f → Deterministic Parity Tree automaton –f realizable iff language of the DPT is not empty –tree accepted by the DPT ≙ open system realizing f 2) Satisfiability (PSPACE): –¬g → Nondeterministic Büchi Word automaton –¬g satisfiable iff language of NBW is not empty –word accepted by the NBW ≙ word satisfying ¬g

12 Institute for Applied Information Processing and Communications 12 Karin Greimel Semmering, 2008-05-19 Open Implication Algorithm - Safraless Calculate realizability avoiding Safra’s determinization construction (O. Kupferman and M. Y. Vardi. Safraless decision procedures.): f → Universal Co-Büchi Tree automaton tree accepted by the UCT ≙ open system realizing f UCT → Nondeterministic Büchi Tree automaton with bound k tree accepted by the NBT k ≙ open system of size ≤ k realizing f + easier to implement + incremental approach, useful to find counter examples - does not meet the lower bound

13 Institute for Applied Information Processing and Communications 13 Karin Greimel Semmering, 2008-05-19 Open Implication Implementation Consider a subset of LTL: General Reactivity of Rank 1 (GR(1)) (N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs) : g = g e → g s environment assumption → system guaranty Environment assumptions and system guaranties can be represented by deterministic Büchi automata. Example: f = GFr → G(a→X(¬a)) f → o g?: Calculate realizability for f and satisfiability for ¬g simultaneously, by solving a fixpoint formula. Symbolic algorithm in P.

14 Institute for Applied Information Processing and Communications 14 Karin Greimel Semmering, 2008-05-19 Open Implication Results of Arbiter Case Study: new → o old R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer: - Automatic hardware synthesis from specification: A case study - Specify, compile, run: Hardware from PSL Time for synthesis new + open implication << time for old synthesis

15 Institute for Applied Information Processing and Communications 15 Karin Greimel Semmering, 2008-05-19 Open Implication Summary Defined open implication: –Compared to trace-implication Developed 3 algorithms: –Automata theoretic with optimal complexity –Automata theoretic avoiding Safras construction –Fixpoint formula for GR(1) with implementation Case study

16 Institute for Applied Information Processing and Communications 16 Karin Greimel Semmering, 2008-05-19 Open Implication Thank you for your attention References: O. Kupferman and M. Y. Vardi. Safraless decision procedures. In Symposium on Foundations of Computer Science (FOCS’05), pages 531-542, 2005. N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs. In Proc. Verification, Model Checking and Abstract Interpretation, pages 364-380, 2006 R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Automatic hardware synthesis from specifications: A case study. In DATE, 2007. R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Specify, compile, run: Hardware from PSL. In 6 th International Workshop on Compiler Optimization Meets Compiler Verification, pages 3-16, 2007.

Download ppt "Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, 2008-05-19 Open Implication."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.

Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
Synthesis of Reactive systems Orna Kupferman Hebrew University Moshe Vardi Rice University.

Synthesis of Reactive systems Orna Kupferman Hebrew University Moshe Vardi Rice University.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Timed Automata.

Timed Automata.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.

Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Similar presentations

Ads by Google