Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella
Introducing FV What is formal verification? –Establishing properties of system designs using mathematical methods Why use formal methods? –Safety Critical Systems –High Bug Costs Why Hardware? –High bug costs –Greater reliability requiered by costumers –Feaseable (more or less)
Introducing FV How is it done? The method consists of a Model and a Property. The Method’s output is an assurance that the property holds or a counter-example p P always holds Counter- example
Defining a Model Definitions –State - snapshot of the values of variables at a particular instant of time. –Finite state system - a system which has a finite number of different states. –Transition – the ordered pair –Computation - is an infinite sequence of states where each state is obtained from the previous by a transition
Defining a Model Intuition –A State – (0,1) –A Finite state system – {(0,0),(0,1),(1,0),(1,1)} –A Transition – –A Computation Reset inc 01
Kripke Structure Let AP be a set of atomic propositions A Kripke structure M over AP is a tuple M=(S,S 0,R,L) where, –S is a finite set of states –S 0 S, the set of initial states –R S x S, is a transition relation that must be total, i.e., for every state s in S there is a state s’ in S such that R(s,s’). –L is a function that labels each state with the set of all atomic proposition in AP that are true in that state. A path in M from s is an infinite sequence of states = s 0 s 1 s 2,… such that s o =s, and R(s i,s i+1 ) holds for all i>=0.
Defining a Model M=(S,S 0,R,L) S ={s0,s1,s2,s3} S 0 = {(0,0)} (system starts with Reset) R = {,,... } L = {(s0,(0,0)),(s1,(0,1)),(s2,(1,0)),(s3,(1,1))} Reset inc 01 s0 s2 s3 s1
Verifica basata sul modello | |= K |=
4/12/ CTL Temporal operators are immediately preceded by a path quantifier The following are a complete set ¬p, p q, AX p, EX p, A( p U q), E( p U q) Others can be derived –EF p E(true U P) –AF p A(true U p) –EG p ¬ AF ¬ p –AG p ¬ EF ¬p
4/12/ Minimal set of CTL Formulas Full set of operators –Boolean: ¬, , , , –temporal:E, A, X, F, G, U, W Minimal set sufficient to express any CTL formula –Boolean:¬, –temporal:E, X, U Examples: f g = ¬(¬f ¬g), F f = true U f, A (f ) = ¬E(¬f ) G f = f Ufalse
4/12/ Minimal set of CTL Formulas
Model Checking Example Traffic light controller (simplified) R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+ T ’ C T C T ’ C ’+ T C = car sensor T = timer G1 R2 Y1 R2 R1 G2 G1 R2 Y1 R2 R1 G2 R1 Y2 R1 G2 G1 R2R1 Y2R1 G2 R1 Y2 G2 Y2 R2 G1 Y1 R1 C C Timer T sensor Road 2 Road 1
Traffic light controller - Model Checking Model Checking task: check – safety condition – fairness conditions Safety condition: no green lights on both roads at the same time A G ¬ (G1 G2 ) Fairness condition: eventually one road has green light E F (G1 G2) R1 G2 Y1 R2 G1 R2 R1 Y2 C ’+T ’ C T C T ’ C ’+T
Checking the Safety Condition A G ¬ (G1 G2) = ¬ E F (G1 G2) S(G1 G2 ) = S(G1) S(G2) = {1} {3} = S(EF (G1 G2 )) = S(¬ EF (G1 G2 )) = ¬ = {1, 2, 3, 4} Each state is included in {1,2,3,4} the safety condition is true (for each state) 2 R1 G2 Y1 R2 G1 R2 R1 Y
Checking the Fairness Condition E F (G1 G2 ) = E(true U (G1 G2 ) ) S(G1 G2 ) = S(G1) S(G2) = {1} {3} = {1,3} S(EF (G1 G2 )) = {1,2,3,4} (going backward from {1,3}, find predecessors) Since {1,2,3,4} contains all states, the condition is true for all the states
Another Check (E X) 2 (Y1) = E X (E X (Y1)) (starting at S 1 =G1R2, is there a path s.t. Y1 is true in 2 steps ?) S (Y1) = {2} S (EX (Y1)) = {1} (predecessor of 2) S (EX (EX(Y1)) = {1,4} (predecessors of 1) R1 G2 Y1 R2 G1 R2 R1 Y Property E X 2 (Y1) is true for states {1,4}, hence true
Explicit Model Checking - complexity CTL model checking is linear in the size of the formula and the size of the structure M Not a good news: –what if you have states? –Number of states grows exponentially with number of variables –Explicit model checking limited to … 10 9 states Symbolic model checking can do much better