Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1

2

3

4

PART 1 : The Specification Language CTL 1. Formal Syntax of CTL AP is the set of atomic propositions Symbols :  - AND  - Negation Path quantifiers : A... : holds for all path (starting at the tree’s root) E... : holds for some path Temporal operators : X... : holds next time F... : holds in the future G...: always hold U….: until 5

The Specification Language cont. 2.Semantics of CTL 6

7

8

The Specification Language cont. 1. For M, s 0 |= f, means CTL formula or property f holds at state s 0 in M 2. The relation |= is defined as Atomic proposition p is true in s 0 (s 0 |= f1) and (s 0 |= f2) f1 holds true for every path starting with s 0 f1 holds true for some path starting with s 0 For all paths, f1 holds true until f2 holds There exits a path, f1 holds true until f2 holds Atomic proposition p is true in s 0 (s 0 |= f1) and (s 0 |= f2) f1 holds true for every path starting with s 0 f1 holds true for some path starting with s 0 For all paths, f1 holds true until f2 holds There exits a path, f1 holds true until f2 holds 9

10

11

MODEL CHECKING cont. State Labeling Algorithm : 1. Model checking can be achieved through State Labeling Algorithm 2. The algorithm basically works by iteratively determining the states that satisfy a given formula (i.e. labeling the states) 3. The basic input output of the labelling algorithm : Input : A Model M = (S, R, P) and CTL formula f Output : The set of states that satisfy formula f 12

State Labeling Algorithm State label algorithm handles seven cases 1. Algorithm uses DFS for f = A ( f 1 U f 2 ) 2. The recursive procedure au( f, s, b) performs the search for formula f starting from state s 3. When au terminates, boolean result parameter b will be set to true  s I= f 4. Whether s is currently on stack ST is implemented in the boolean procedure stacked(s) 13

State labeling algorithm cont. 14

15

State labeling algorithm cont. For CTL formula f = E(f 1 U f 2 ) 1. First find all of those states that are labeled with f 2, label it with E(f 1 Uf 2 ) 2. Then work backwards using the converse of the successor relation i.e. Repeat : Label any state with E(f 1 Uf 2 ) if 1. it is labeled with f 1 and 2. at least one of its successor is labeled with E(f 1 Uf 2 ) until there is no change 3. E(f 1 U f 2 ) == f 2 ˅ (f 1  EX E(f 1 U f 2 )) 16

17

Example LIVENESS : Whenever any process wants to enter its critical section it will eventually be permitted to do so AG(T 1 --> AFC 1 ) ==  EF(  T 1 v AFC 1 ) ==  E(T U (  T 1 v AFC 1 )) Split into sub formulas 18 In order to handle an arbitrary CTL formula f, 1. Associate with Each state s an array L[s] of size length(f) 2. Procedure add-label(s, f i ) sets L[s][f i ] to true 3. Procedure labeled(s, f i ) returns the current value of L[s][f i ] 4. Successively apply the State labeling algorithm to the sub-formulas of f 5. Starting with simplest (i.e., highest numbered) and working backwards to f 6. Entire algorithm requires O(length(f) x (card(S) + card(R)))

Part 3 – Introduce fairness to CTL Model Checking with Fairness 1. In the verification of model M, (s |= f ) might fail because the model M may contain unrealistic behavior 2. We need to filter out this behavior 3. Solution is put on some FAIRNESS constraint on M, so it would remove that behavior How to handle fairness? 1. Modify semantics of CTL i.e. the new logic is called CTL F 2. M is now 4-tuple (S, R, P, F) where F  2 S = set of predicates on S 3. A path p is F-fair  For each g that belongs to F, there are infinitely many states on path p that satisfies predicate g 19

20

21 CTL Formula Once we start the oven, eventually it must turn on the heating coil AG(start --> AF heat) Sub formulae heat, AF heat, start, (start -> AF heat) AG(start -> AF heat) CTL Formula Once we start the oven, eventually it must turn on the heating coil AG(start --> AF heat) Sub formulae heat, AF heat, start, (start -> AF heat) AG(start -> AF heat) 1.By applying label algorithm we see (start -> AF heat) is true in {s 4,s 7,s 6,s 3.s 1 } 2.But AG(start -> AF heat) is not true in other states 3.s 2 and s 5 are some sort of unrealistic behavior as Start -> Close the Start -> Close 4.So put some constraint while doing Model checking i.e. Fairness {start, close,  error} i.e. when its start, then close not go to error condition 5.Restrict the graph – remove s 2, s 5 6.Find SCC 7.Now AG(start -> AF heat) is true in {s 1,s 3,s 4,s 6,s 7 } 1.By applying label algorithm we see (start -> AF heat) is true in {s 4,s 7,s 6,s 3.s 1 } 2.But AG(start -> AF heat) is not true in other states 3.s 2 and s 5 are some sort of unrealistic behavior as Start -> Close the Start -> Close 4.So put some constraint while doing Model checking i.e. Fairness {start, close,  error} i.e. when its start, then close not go to error condition 5.Restrict the graph – remove s 2, s 5 6.Find SCC 7.Now AG(start -> AF heat) is true in {s 1,s 3,s 4,s 6,s 7 }

22

Part 4 - Using EMC to verify Alternating Bit Protocol 1. The Alternating Bit Protocol ABP is a protocol for correctly transmitting data on faulty channels that may lose or duplicate data 2. ABP uses two faulty channels between a sender and a receiver 3. In case of a unsuccessful transmission the attempt is repeated 4. To achieve its goal, APB keeps track on this repeated send messages using a control bit which is switched 5. The sender appends its control bit to the data to be send and keeps sending till it receives this control bit back via the acknowledgement channel 23

24

25

26

27

28

29

30