CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright 2001-2004, Matt Dwyer, John Hatcliff,

Slides:



Advertisements
Similar presentations
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Advertisements

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Concurrency: safety & liveness properties1 ©Magee/Kramer 2 nd Edition COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 14 Safety and.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Witness and Counterexample Li Tan Oct. 15, 2002.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Review of the automata-theoretic approach to model-checking.
Witness and Counterexample Li Tan Oct. 15, 2002.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
Wishnu Prasetya LTL Model Checking.
Basics of automata theory
Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Basics and Observables Copyright , Matt Dwyer, John Hatcliff,
CS6133 Software Specification and Verification
Reactive systems – general
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Bogor-Simulation: Executing (Simulating) Concurrent Systems in Bogor Copyright.
CIS 842: Specification and Verification of Reactive Systems Lecture 1: Course Overview Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 842: Specification and Verification of Reactive Systems Lecture ADM: Course Administration Copyright , Matt Dwyer, John Hatcliff, Robby. The.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Examples: Simple BIR-Lite Examples Copyright 2004, Matt Dwyer, John Hatcliff,
LTL Model Checking 张文辉
Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
Copyright 2001, Matt Dwyer, John Hatcliff, and Radu Iosif. The syllabus and all lectures for this course are copyrighted materials and may not be used.
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.
About Alternating Automata Daniel Choi Provable Software Laboratory KAIST.
CIS 842: Specification and Verification of Reactive Systems Lecture INTRO-Depth-Bounded: Depth-Bounded Depth-first Search Copyright 2004, Matt Dwyer, John.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
15-820A 1 LTL Model Checking A Flavio Lerda.
Four Lectures on Model Checking Tom Henzinger University of California, Berkeley.
CIS 842: Specification and Verification of Reactive Systems
Automatic Verification
An explicit state model checker
Program Synthesis is a Game
CSE322 CONSTRUCTION OF FINITE AUTOMATA EQUIVALENT TO REGULAR EXPRESSION Lecture #9.
Translating Linear Temporal Logic into Büchi Automata
Presentation transcript:

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff, and Robby. The syllabus and all lectures for this course are copyrighted materials and may not be used in other course settings outside of Kansas State University in their current form or modified form without the express written permission of one of the copyright holders. During this course, students are prohibited from selling notes to or being paid for taking notes by any person or commercial firm without the express written permission of one of the copyright holders.

CIS 842: Spec Basics and Observables 2 Objectives To understand Buchi automata and the relationship to LTL To understand how Buchi acceptance search enables a general LTL model checking algorithm

CIS 842: Spec Basics and Observables 3 Safety Checking For safety properties we automated the “instrumentation” of checking for acceptance of a regular expression for a violation This involved modifying the DFS algorithm to Calculate states of the property automaton Check to see whether an accept state is reached We will apply the same basic strategy for LTL

CIS 842: Spec Basics and Observables 4 Property LTL Model Checking From the semantics An LTL formula defines a set of (accepting) traces We can Check for trace containment System

CIS 842: Spec Basics and Observables 5 LTL Model Checking From the semantics An LTL formula defines a set of (accepting) traces We can Check for non-empty language intersection System Negation of Property

CIS 842: Spec Basics and Observables 6 Emptiness Check LTL is closed under complement where the language of a formula defines a set of infinite traces A Buchi automaton accepts a set of infinite traces

CIS 842: Spec Basics and Observables 7 Buchi Automata A Buchi automaton is a quadruple S is a set of states is a set of initial states is a transition relation F is a set of accepting states Automaton states are labeled with atomic propositions of the formula

CIS 842: Spec Basics and Observables 8 Example : Buchi Automaton cruise offtrue

CIS 842: Spec Basics and Observables 9 Buchi Automata Semantics An infinite trace is accepted by a Buchi automaton iff

CIS 842: Spec Basics and Observables 10 Buchi Trace Containment Assume each system state (S) is labeled ( ) with the complete set of literals (A) either a literal or its negation is present A Buchi automaton accepts a system trace

CIS 842: Spec Basics and Observables 11 Example : Buchi Automaton cruise offtrue

CIS 842: Spec Basics and Observables 12 LTL and Buchi Automata Every LTL formula has a Buchi automaton that accepts its language (not vice versa) Buchi automata cannot be determinized i.e., there is no canonical deterministic automaton that accepts the same language Buchi automata are closed under the standard set operations

CIS 842: Spec Basics and Observables 13 Example : Buchi Automaton cruise offtrue What LTL property does this correspond to?

CIS 842: Spec Basics and Observables 14 Example : Buchi Automaton true offtrue What LTL property does this correspond to?

CIS 842: Spec Basics and Observables 15 LTL Model Checking Apply same strategy as before Generate Buchi automaton for the negation of the LTL property Compose the automaton with the system Check for emptiness Composition alternates transitions between the system and property Violation are indicated by accepting traces Cycles containing an accept state

CIS 842: Spec Basics and Observables 16 Nested DFS Algorithm If you can’t continue the property trace then give up (cannot lead to accept) Multiple start states (search them all) Only initiate a cycle check for accept states (since they are required in an acceptance cycle)

CIS 842: Spec Basics and Observables 17 Nested DFS Algorithm Any cycle is an acceptance cycle (since it started with an accept state) If you can’t continue the property trace then give up (cannot lead to accept)

CIS 842: Spec Basics and Observables 18 For You To Do Take the dining philosophers example, and the property [](P1.eating && P2.eating) Build a Buchi automaton for that property (using your intuition about automata) Apply the LTL NDFS algorithm You may need to make the program counter explicit to do this since these automata are fundamentally state oriented Do you find an error? Can you think of a way to find errors faster in the NDFS() routine?

CIS 842: Spec Basics and Observables 19 Fairness Progress states that the system should eventually do something Often times in real systems threads rely on a schedule to give them a chance to run Abstracting scheduling to non-deterministic choice introduces severe approximation There are many forms of fairness The intuition is that we restrict the systems behaviors to only those on which each process gets a chance to execute

CIS 842: Spec Basics and Observables 20 Fairness in LTL LTL is expressive enough to state fairness properties directly []<> (Phil1.eating || Phil2.eating) ([]<>Phil1.eating) && ([]<>Phil2.eating) Fairness formula can be used to filter the behaviors that are checked as follows Fairness -> Property If not Fairness then whole thing is true Property checked only when Fairness holds

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.