Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright 2001-2004, Matt Dwyer, John Hatcliff,

Published byWillis McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright 2001-2004, Matt Dwyer, John Hatcliff,"— Presentation transcript:

1 CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright 2001-2004, Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

2 CIS 842: Spec Basics and Observables 2 Objectives To understand Buchi automata and the relationship to LTL To understand how Buchi acceptance search enables a general LTL model checking algorithm

3 CIS 842: Spec Basics and Observables 3 Safety Checking For safety properties we automated the “instrumentation” of checking for acceptance of a regular expression for a violation This involved modifying the DFS algorithm to Calculate states of the property automaton Check to see whether an accept state is reached We will apply the same basic strategy for LTL

4 CIS 842: Spec Basics and Observables 4 Property LTL Model Checking From the semantics An LTL formula defines a set of (accepting) traces We can Check for trace containment System

5 CIS 842: Spec Basics and Observables 5 LTL Model Checking From the semantics An LTL formula defines a set of (accepting) traces We can Check for non-empty language intersection System Negation of Property

6 CIS 842: Spec Basics and Observables 6 Emptiness Check LTL is closed under complement where the language of a formula defines a set of infinite traces A Buchi automaton accepts a set of infinite traces

7 CIS 842: Spec Basics and Observables 7 Buchi Automata A Buchi automaton is a quadruple S is a set of states is a set of initial states is a transition relation F is a set of accepting states Automaton states are labeled with atomic propositions of the formula

8 CIS 842: Spec Basics and Observables 8 Example : Buchi Automaton cruise offtrue

9 CIS 842: Spec Basics and Observables 9 Buchi Automata Semantics An infinite trace is accepted by a Buchi automaton iff

10 CIS 842: Spec Basics and Observables 10 Buchi Trace Containment Assume each system state (S) is labeled ( ) with the complete set of literals (A) either a literal or its negation is present A Buchi automaton accepts a system trace

11 CIS 842: Spec Basics and Observables 11 Example : Buchi Automaton cruise offtrue

12 CIS 842: Spec Basics and Observables 12 LTL and Buchi Automata Every LTL formula has a Buchi automaton that accepts its language (not vice versa) Buchi automata cannot be determinized i.e., there is no canonical deterministic automaton that accepts the same language Buchi automata are closed under the standard set operations

13 CIS 842: Spec Basics and Observables 13 Example : Buchi Automaton cruise offtrue What LTL property does this correspond to?

14 CIS 842: Spec Basics and Observables 14 Example : Buchi Automaton true offtrue What LTL property does this correspond to?

15 CIS 842: Spec Basics and Observables 15 LTL Model Checking Apply same strategy as before Generate Buchi automaton for the negation of the LTL property Compose the automaton with the system Check for emptiness Composition alternates transitions between the system and property Violation are indicated by accepting traces Cycles containing an accept state

16 CIS 842: Spec Basics and Observables 16 Nested DFS Algorithm If you can’t continue the property trace then give up (cannot lead to accept) Multiple start states (search them all) Only initiate a cycle check for accept states (since they are required in an acceptance cycle)

17 CIS 842: Spec Basics and Observables 17 Nested DFS Algorithm Any cycle is an acceptance cycle (since it started with an accept state) If you can’t continue the property trace then give up (cannot lead to accept)

18 CIS 842: Spec Basics and Observables 18 For You To Do Take the dining philosophers example, and the property [](P1.eating && P2.eating) Build a Buchi automaton for that property (using your intuition about automata) Apply the LTL NDFS algorithm You may need to make the program counter explicit to do this since these automata are fundamentally state oriented Do you find an error? Can you think of a way to find errors faster in the NDFS() routine?

19 CIS 842: Spec Basics and Observables 19 Fairness Progress states that the system should eventually do something Often times in real systems threads rely on a schedule to give them a chance to run Abstracting scheduling to non-deterministic choice introduces severe approximation There are many forms of fairness The intuition is that we restrict the systems behaviors to only those on which each process gets a chance to execute

20 CIS 842: Spec Basics and Observables 20 Fairness in LTL LTL is expressive enough to state fairness properties directly []<> (Phil1.eating || Phil2.eating) ([]<>Phil1.eating) && ([]<>Phil2.eating) Fairness formula can be used to filter the behaviors that are checked as follows Fairness -> Property If not Fairness then whole thing is true Property checked only when Fairness holds

Download ppt "CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright 2001-2004, Matt Dwyer, John Hatcliff,"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.

Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
1 Carnegie Mellon UniversitySPINFlavio Lerda 15-398 SPIN An explicit state model checker.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Similar presentations

Ads by Google