Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.

Published byAnn Porter Modified over 8 years ago

Similar presentations

Presentation on theme: "Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used."— Presentation transcript:

1 Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders. CIS 842: Specification and Verification of Reactive Systems Lecture 4: Temporal Specification Patterns

2 Motivation for Specification Patterns Temporal properties are not always easy to write Clearly many specifications can be captured in both CTL and LTL LTL: [](P -> <>Q) CTL: AG(P -> AF Q) Example: action Q must respond to action P Capture the experience base of expert designers Transfer that experience between practitioners. Classify properties - leverage in implementations (specialize by pattern) - allow informative communication about properties e.g., “this is a response property with after scope” We use specification patterns to:

3 Other Classifications Safety vs Liveness –Independent of a particular formalism Practically, it is important to know the difference because… –It impacts how we design verification algorithms and tools Some tools only check safety properties (e.g., based on reachability algorithms) –It impacts how we run tools Different command line options are used for Spin –It impacts how we form abstractions Liveness properties often require forms of abstraction that differ from those used in safety properties

4 Safety Properties Informally, a safety property states that nothing bad ever happens Examples –Invariants: “x is always less than 10” –Deadlock freedom: “the system never reaches a state where no moves are possible” –Mutual exclusion: “the system never reaches a state where two processes are in the critical section” As soon as you see the “bad thing”, you know the property is false Safety properties can be falsified by a finite-prefix of an execution trace –Practically speaking, a Spin error trace for a safety property is a finite list of states beginning with the initial state

5 Liveness Properties Informally, a liveness property states that something good will eventually happen Examples –Termination: “the system eventually terminates” –Response properties: “if action X occurs then eventually action Y will occur” Need to keep looking for the “good thing” forever Liveness properties can be falsified by an infinite-suffix of an execution trace –Practically speaking, a Spin error trace for a liveness property is a finite list of states beginning with the initial state followed by a cycle showing you a loop that can cause you to get stuck and never reach the “good thing”

6 Assessment Safety vs Liveness is an important distinction However, it is very coarse –Lots of variations within safety and liveness –A finer classification might be more useful

7 Manna & Pnueli Classification Classification based on syntactic structure of formula Reactivity PersistenceResponse SafetyGuaranteeObligation

8 Manna & Pnueli Classification Canonical Forms Safety: [] p Guarantee: <> p Obligation: [] q || <> p Response: [] <> p Persistence: <> [] p Reactivite: []<> p || <>[] q

9 Pattern Hierarchy Property Patterns OccurrenceOrder Absence UniversalityExistence Bounded Existence Precedence Response Chain Precedence Chain Response Classification Occurrence Patterns: require states/events to occur or not to occur Order Patterns constrain the order of states/events

10 Occurrence Patterns Absence: A given state/event does not occur within a scope Existence: A given state/event must occur within a scope Bounded Existence: A given state/event must occur k times within a scope variants: at least k times in scope, at most k times in scope Universality: A given state/event must occur throughout a scope

11 Order Patterns Precedence: A state/event P must always be preceded by a state/event Q within a scope Response: A state/event P must always be followed a state/event Q within a scope Chain Precedence: A sequence of state/events P1, …, Pn must always be preceded by a sequence of states/events Q1, …, Qm within a scope Chain Response: A sequence of state/events P1, …, Pn must always be followed by a sequence of states/events Q1, …, Qm within a scope

12 Pattern Scopes Global Before Q After Q Between Q and R After Q and R State sequence QRQQRQ

13 The Response Pattern To describe cause-effect relationships between a pair of events/states. An occurrence of the first, the cause, must be followed by an occurrence of the second, the effect. Also known as Follows and Leads-to. Intent Mappings: In these mappings, P is the cause and S is the effect [](P -> <>S) <>R -> (P -> (!R U (S & !R))) U R [](Q -> [](P -> <>S)) []((Q & !R & <>R) -> (P -> (!R U (S & !R))) U R) [](Q & !R -> ((P -> (!R U (S & !R))) W R) Globally: Before R: After Q: Between Q and R: After Q until R: LTL:

14 The Response Pattern (continued) Mappings: In these mappings, P is the cause and S is the effect AG(P -> AF(S)) A[((P -> A[!R U (S & !R)]) | AG(!R)) W R] A[!Q W (Q & AG(P -> AF(S))] AG(Q & !R -> A[((P -> A[!R U (S & !R)]) | AG(!R)) W R]) AG(Q & !R -> A[(P -> A[!R U (S & !R)]) W R]) Globally: Before R: After Q: Between Q and R: After Q until R: CTL: Examples and Known Uses: Response properties occur quite commonly in specifications of concurrent systems. Perhaps the most common example is in describing a requirement that a resource must be granted after it is requested. Relationships Note that a Response property is like a converse of a Precedence property. Precedence says that some cause precedes each effect, and...

15 Specify Patterns in Bandera The Bandera Pattern Library is populated by writing pattern macros: pattern { name = “Response” scope = “Globally” parameters = {P, S} format = “{P} leads to {S} globally” ltl = “[]({P} –> <>{S})” ctl = “AG({P} –> AF({S}))” }

16 Evaluation 555 TL specs collected from at least 35 different sources 511 (92%) matched one of the patterns Of the matches... –Response: 245 (48%) –Universality: 119 (23%) –Absence: 85 (17%)

17 Questions Do patterns facilitate the learning of specification formalisms like CTL and LTL? Do patterns allow specifications to be written more quickly? Are the specifications generated from patterns more likely to be correct? Does the use of the pattern system lead people to write more expressive specifications? Based on anecdotal evidence, we believe the answer to each of these questions is “yes”

18 For more information... http://www.cis.ksu.edu/santos/spec-patterns Pattern web pages and papersweb pages

Download ppt "Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 1.

Model Checking Lecture 1.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.

卜磊 Transition System. Part I: Introduction  Chapter 0: Preliminaries  Chapter 1: Language and Computation Part II: Models  Chapter.
Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.

Learning Objectives Explain similarities and differences among algorithms, programs, and heuristic solutions List the five essential properties of an algorithm.
Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.

Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Tele Design of Reactive Systems Summer 2001 Prof. Dr. Stefan Leue Institute for Computer Science Albert-Ludwigs-Universität Freiburg

Tele Design of Reactive Systems Summer 2001 Prof. Dr. Stefan Leue Institute for Computer Science Albert-Ludwigs-Universität Freiburg
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
© Katz, 2007CS236368 Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS236368 Shmuel Katz The Technion.

© Katz, 2007CS Formal SpecificationsLecture - Temporal logic 1 Temporal Logic Formal Specifications CS Shmuel Katz The Technion.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Similar presentations

Ads by Google