Today’s Agenda  Quiz 5 (end of the class)  Quick Review  Finish Search Algorithms Formal Methods in Software Engineering1.

Slides:

Advertisements

Similar presentations

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

Advertisements

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

A Survey of Runtime Verification Jonathan Amir 2004.

Data-Flow Analysis II CS 671 March 13, CS 671 – Spring Data-Flow Analysis Gather conservative, approximate information about what a program.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Partial Order Reduction: Main Idea

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

CS252: Systems Programming Ninghui Li Program Interview Questions.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

/ PSWLAB P ROMELA Semantics from “THE SPIN MODEL CHECKER” by G. J. Holzmann Presented by Hong,Shin 5 th Oct :021PROMELA Semantics.

תרגול 9 META LABELS. Basic types of claims State properties.

Theory of Computing Lecture 6 MAS 714 Hartmut Klauck.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Efficient Reachability Analysis for Verification of Asynchronous Systems Nishant Sinha.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Spin Model Checker Samaneh Navabpour Electrical and Computer Engineering Department University of Waterloo SE-464 Summer 2011.

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Weizmann Institute Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Shtrichman Weizmann Institute & IBM (HRL)

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

DAST, Spring © L. Joskowicz 1 Data Structures – LECTURE 1 Introduction Motivation: algorithms and abstract data types Easy problems, hard problems.

1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.

1 Completeness and Complexity of Bounded Model Checking.

Witness and Counterexample Li Tan Oct. 15, 2002.

Hashing General idea: Get a large array

1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.

CS 290C: Formal Models for Web Software Lecture 4: Model Checking Navigation Models with Spin Instructor: Tevfik Bultan.

The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.

Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

272: Software Engineering Fall 2012 Instructor: Tevfik Bultan Lecture 4: SMT-based Bounded Model Checking of Concurrent Software.

1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.

SAT Solver Math Foundations of Computer Science. 2 Boolean Expressions  A Boolean expression is a Boolean function  Any Boolean function can be written.

15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.

Comp 249 Programming Methodology Chapter 15 Linked Data Structure - Part B Dr. Aiman Hanna Department of Computer Science & Software Engineering Concordia.

Wishnu Prasetya Model Checking with SPIN A Bit More about SPIN.

Identifying Reversible Functions From an ROBDD Adam MacDonald.

IKI 10100: Data Structures & Algorithms Ruli Manurung (acknowledgments to Denny & Ade Azurat) 1 Fasilkom UI Ruli Manurung (Fasilkom UI)IKI10100: Lecture8.

Correctness requirements. Basic Types of Claims Basic assertions End-state labels Progress-state labels Accept-state labels Never claims Trace assertions.

Languages of nested trees Swarat Chaudhuri University of Pennsylvania (with Rajeev Alur and P. Madhusudan)

Scientific Computing By: Fatima Hallak To: Dr. Guy Tel-Zur.

Chapter 12 Recursion, Complexity, and Searching and Sorting

Computer Science Department Data Structure & Algorithms Lecture 8 Recursion.

1 Bisimulations as a Technique for State Space Reductions.

Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.

CSC 221: Recursion. Recursion: Definition Function that solves a problem by relying on itself to compute the correct solution for a smaller version of.

Lecture 3: Uninformed Search

1 CSEP590 – Model Checking and Automated Verification Lecture outline for August 6, 2003.

Memory-Efficient Algorithms for the Verification of Temporal Properties C. Courcoubetis Inst. Of Comp. Sci. FORTH, Crete, Greece M. Verdi IBM Almaden P.

Hash Table March COP 3502, UCF 1. Outline Hash Table: – Motivation – Direct Access Table – Hash Table Solutions for Collision Problem: – Open.

/ PSWLAB S PIN Search Optimization from “THE SPIN MODEL CHECKER” by G. Holzmann Presented by Hong,Shin 23 th Nov SPIN Search.

Week 15 – Wednesday.  What did we talk about last time?  Review up to Exam 1.

Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.

Software Testing Reference: Software Engineering, Ian Sommerville, 6 th edition, Chapter 20.

Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.

Complexity Relief Techniques for Model Checking METU, Aug SOFTWARE VERIFICATION WORKSHOP Hüsnü Yenigün Sabanci University Informatics Institute,

15-820A 1 LTL Model Checking A Flavio Lerda.

All-pairs Shortest paths Transitive Closure

Programming Languages Translator

Software Testing and Maintenance 1

Automatic Verification

Over-Approximating Boolean Programs with Unbounded Thread Creation

An explicit state model checker

Producing short counterexamples using “crucial events”

Presentation transcript:

Today’s Agenda  Quiz 5 (end of the class)  Quick Review  Finish Search Algorithms Formal Methods in Software Engineering1

Quick Review  How to check a safety property? Formal Methods in Software Engineering2

Formal Methods in Software Engineering3 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering4 It is all about search! Model checking is basically a process that searches through the global state space. Checking a safety property is to search for a bad state which violates the property. Checking a liveness property is to search for a cycle that does not pass through a progress state.

Formal Methods in Software Engineering5 The challenge The idea of searching is simple, especially many search algorithms have been developed. The main challenge with model checking is dealing with the state explosion problem. The strength of Spin is in its ability to highly optimize the search process.

Formal Methods in Software Engineering6 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering7 Automata Product  consider a system of n process, modeled as n finite state automata, A1, A2,..., An  add property automaton B (derived from an LTL formula)  the model checker computes the product of these automata: S = B   Ai a synchronous productan asynchronous product

Formal Methods in Software Engineering8 Example (1) # define p x >= 4 never { /* ! []<> p */ T0_init: if :: (! ((p))) -> goto accept_S4 :: (1) -> goto T0_init fi; accept_S4: if :: (! ((p))) -> goto accept_S4 fi; } int x = 4; active proctype A () { do :: x % 2 -> x = 3 *x + 1 od } active proctype B () { do :: ! (x % 2) -> x = x / 2 od }

Formal Methods in Software Engineering9 Example (2) s0 s1 (x%2) x=3x+1 A1A1 s0 s1 !(x%2) x=x/2 A2A2 s0 s1 true x<4 B s 0,s 0 s 1,s 0 s 0,s 1 s 1,s 1 (x%2) x=3x+1 (x%2) x=3x+1 x=x/2 !(x%2)  int x 

Formal Methods in Software Engineering10 Example (3) s 0,s 0 s 1,s 0 s 0,s 1 s 1,s 1 (x%2) x=3x+1 (x%2) x=3x+1 x=x/2 !(x%2) s 0,s 0 4 s 0,s 1 4 s 0,s 0 2 s 0,s 1 2 s 1,s 0 1 s 0,s 0 1 !(x%2) x=x/2 !(x%2) x=x/2 (x%2) x=3x+1 “pure” (expanded) finite state asynchronous product automaton for initial value x = 4 (the value of x is made part of the state of the automaton)

Formal Methods in Software Engineering11 Example (4) s0 s1 true x<4 B are there any accepting cycles? if not, then the property <>[](x<4) cannot be satisfied and its negation holds !<>[](x<4) []![](x<4) []<>!(x<4) []<>(x>=4)  s 0,s 0, 4,s 0 s 0,s 1 4,s 0 s 0,s 0 2,s 0 s 0,s 1 2,s 0 s 1,s 0 1,s 0 s 0,s 0 1,s 0 !(x%2) x=x/2 !(x%2) x=x/2 (x%2) x=3x+1 x=x/2 (x%2) s 1,s 0 1,s 1 s 0,s 0 1,s 1 s 0,s 1 2,s 1 s 0,s 0 4,s 1 s 0,s 0 4 s 0,s 1 4 s 0,s 0 2 s 0,s 1 2 s 1,s 0 1 s 0,s 0 1 !(x%2) x=x/2 !(x%2) x=x/2 (x%2) x=3x+1

Formal Methods in Software Engineering12 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering13 Basic DFS (1) Automaton A = { S, s 0, L, T, F } Stack D = {} Statespace V = {} Start() { Add_Statespace(V, A.s 0 ) Push_Stack(D, A.s 0 ) Search() } Search() { s = Top_Stack(D) for each (s,l,s')  A.T if In_Statespace(V, s')== false { Add_Statespace(V, s') Push_Stack(D, s') Search() } Pop_Stack(D) } the DFS is most easily written as a recursive procedure -- but the actual Spin implementation is iterative to increase efficiency a little Fig. 8.1 p. 168 Add_Statespace(V,s) adds s to set V In_Statespace(V,s) true iff s is in V Push_Stack(D,s) adds s to ordered set D In_Stack(D,s) true iff s is in D Top_Stack(D,s) returns top element in D if any Pop_Stack(D) removes top element from D if any

Formal Methods in Software Engineering14 Basic DFS (2) s0s0 s1s1 s2s2 s4s4 s3s3       s0s0 1 s1s1 2 s2s2 3 s3s3 4 s4s4 5

Formal Methods in Software Engineering15 Basic DFS (3) Automaton A = { S, s 0, L, T, F } Stack D = {} Statespace V = {} Start() { Add_Statespace(V, A.s 0 ) Push_Stack(D, A.s 0 ) Search() } Search() { s = Top_Stack(D) if (!Safety(s)) Print_Stack(D) for each (s,l,s')  A.T if In_Statespace(V, s')== false { Add_Statespace(V, s') Push_Stack(D, s') Search() } Pop_Stack(D) } Fig. 8.2, p. 170 prints out the elements of stack D, from bottom to top, giving the complete counter-example / error scenario for the safety violation assertion violations invalid endstates termination of a never claim

Formal Methods in Software Engineering16 Stateless Search (1) Automaton A = { S, s 0, L, T, F } Stack D = {} /* Statespace V = {} */ Start() { Push_Stack(D, A.s 0 ) Search() } Search() { s = Top_Stack(D) for each (s,l,s')  A.T if In_Stack(D, s')== false { Push_Stack(D, s') Search() } Pop_Stack(D) } Fig. 8.5 p. 176 replaced In_Statespace(V,s’) with In_Stack(D,s’) no Statespace V

Formal Methods in Software Engineering17 Stateless Search (2) s0s0 1 if s 3 has a sub-tree of 100,000 states the stateless search would visit that entire subtree at least 2 times... s4s4 s3s3 2 s2s2 3 s1s1 4 5 s1s1 6 s2s2 7 s3s3 8 s4s4 9 this version of the search visits 9 instead of 5 states... (doing redundant work) s 3 is visited 2 times here s0s0 s1s1 s2s2 s4s4 s3s3      

Formal Methods in Software Engineering18 BFS (1) Automaton A = { S, s 0, L, T, F } Queue D = {} Statespace V = {} Start() { Add_Statespace(V, A.s 0, nil) Add_Queue(D, A.s 0 ) Search() } Search() { s = Del_Queue(D) if (!Safety(s)) PrintPath(s) for each (s,l,s')  A.T if In_Statespace(V, s') == s’ {Add_Statespace(V, s’, s) Add_Queue(D, s') Search() } Figure 8.6 (pointer to) predecessor state s to allow constructing a path from the initial system state to error PrintPath(s) { State s’ = In_Statespace(V,s); if (s’ != nil && s’ != s) PrintPath(s’) PrintState(s) } Add_Statespace(V,s,s’) adds state s to set V, together with (a pointer to) a predecessor state s’ In_Statespace(V,s) returns s if s is not yet in V else returns predecessor state s’ if any, or nil if s has no predecessor

Formal Methods in Software Engineering19 BFS (2) 1:nil 2:1 3:1 5:2 6:3 4:2 7:

Formal Methods in Software Engineering20 BFS (3)  BFS detects safety violations at the shortest possible path  Difficult to produce a counter example  full statespace must be stored to guarantee termination  no efficient strategy is known for cycle detection (to check liveness properties)

Formal Methods in Software Engineering21 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering22 Cyclic Paths Basically, to prove liveness properties, it is sufficient to show the existence of cyclic paths in the product automaton that contain at least one accepting state

Formal Methods in Software Engineering23 Nested Search (1) The problem is equivalent to show that there exists at least one accepting state that is reachable from the root of the tree AND that is also reachable from itself. 5 start of 2nd dfs with state 5 as root (the seed state 5’) 3’ start of 1st dfs 4’ 2 1’ 3 2’ 4 6 5’ 1 cycle found!

Formal Methods in Software Engineering24 Nested Search (2) Stack D = {} Statespace V = {} State seed = nil Boolean toggle = false Start() { Add_Statespace(V, A.s 0, toggle) Push_Stack(D, A.s 0, toggle) Search() } Search() { (s, toggle) = Top_Stack (D) for each (s,l,s')  A.T { /* check if seed is reachable from itself */ if (s’ == seed  On_Stack (D, s’, false) { PrintStack (D) PopStack (D) return } if In_Statespace(V, s‘, toggle)== false { Add_Statespace(V, s‘, toggle) Push_Stack(D, s‘, toggle) Search() } if s  A.F && toggle == false { seed = s /* reachable accepting state *./ toggle = true Push_Stack (D, s, toggle) Search () /* start 2 nd search */. Pop_Stack (D) seed = nil toggle = false } Pop_Stack (D) }

Formal Methods in Software Engineering25 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering26 State Explosion Problem The number of reachable states in a system is an exponential function of the number of processes in the system. The main challenge of model checking is dealing with this state explosion problem.

Formal Methods in Software Engineering27 Optimization Techniques There are two types of optimization techniques employed in Spin:  techniques to reduce the number of states that needs to be searched  techniques to efficiently store the states in memory

Formal Methods in Software Engineering28 Example (1) x=1 g=g+2 y=1 g=g*2 T1T2 x,y,g 0,0,0 1,0,0 1,0,2 0,1,0 1,1,0 1,1,2 1,1,0 1,1,4 1,1,2 x=1 y=1 g=g*2 g=g+2 g=g*2 six runs: x=1;g=g+2;y=1;g=g*2 x=1;y=1;g=g+2;g=g*2 x=1;y=1;g=g*2;g=g+2 y=1;g=g*2;x=1;g=g+2 y=1;x=1;g=g*2;g=g+2 y=1;x=1;g=g+2;g=g*2 only two operations share data: g=g+2 and g=g*2 all other combinations of operations are data-independent, e.g. x=1 and g=g+2 local variables: x and y global variable: g

Formal Methods in Software Engineering29 Example (2) x,y,g 0,0,0 1,0,0 1,0,2 0,1,0 0,0,0 1,1,2 1,1,0 1,1,4 1,1,2 x=1 y=1 g=g*2 g=g+2 g=g*2 independent pairs: x=1  y=1 x=1  g=g*2 y=1  g=g+2 2 groups of 3 equivalent runs each: x=1;g=g+2;y=1;g=g*2 x=1;y=1;g=g+2;g=g*2 y=1;x=1;g=g+2;g=g*2 x=1;y=1;g=g*2;g=g+2 y=1;x=1;g=g*2;g=g+2 y=1;g=g*2;x=1;g=g+2 reducing R from 10 to 7 states

Formal Methods in Software Engineering30 Independence  Two transitions t1 and t2 are independent if the following two conditions are met:  Enabledness: The execution of t1 does not disable t2, and vice versa.  Commutativity: The execution of t1 and t2 in any order leads to the same state.  Two transitions t1 and t2 are dependent if they are not independent

Formal Methods in Software Engineering31 Example SS’S1S2 t1 t2 t1

Formal Methods in Software Engineering32 Visibility  A transition is invisible if its execution does not change the value of the property being checked. A transition is visible if it is not invisible.  If t1 and t2 are invisible transitions, then it is safe to ignore state s2.

Formal Methods in Software Engineering33 Effect of POR best case worst case

Formal Methods in Software Engineering34 State Compression - Basic Idea The basic idea is that a small number of local component typically appear in many different global states. A global state is broken down into separate components: (1) global data; (2) local components (one for each active process). Each component is stored separately in a lookup table, and is given a unique index-number; only the index numbers are used to form a global state.

Formal Methods in Software Engineering35 State Expression - Example global data process 1 process 2 p1_1 p2_1 g_1 global data process 1 process 2 p1_2 p2_2 g_2 global data process 1 process 2... p1_5 p2_7 g_10... g_1 p1_2 p2_7 statevector1: g_1 p2_2 p2_7 statevector2:

Formal Methods in Software Engineering36 Hash Table Lookup S3S3 h(s) state hash function lookup table S3S3 S1S1 S 45 S 12  H-1  there are R states to be stored; distinguish two cases: H >> Reach state is likely to be stored in a different slot H << Rhash collision could occur and can be resolved using a linked list

Formal Methods in Software Engineering37 Bithash  In the case where H >> R there is no need to store the states.  the possibility of a hash-collision now becomes remote  trading increased memory use for increased accuracy:  instead of 1 hash-function, use k>1 independent hash- functions  “store” each state k times  a hash-collision now requires k matches

Formal Methods in Software Engineering38 Bitstate Array S h1(s ) state 1 hash functions h2(s ) 1 even better: use a combination of two hash-keys, and set 2 bitflags instead of 1 – a match now requires a match on both positions simultaneously each hash key that is computed now defines the address of a bit in memory – i.e., the key itself need not be stored typically we compute a bit hash key to encode up to 2 32 distinct bit positions

Formal Methods in Software Engineering39 Search Algorithms  Introduction  Computing Automata Product  Checking Safety Properties  Checking Liveness Properties  Search Optimization  Summary

Formal Methods in Software Engineering40 Summary  DFS is usually preferred over BFS for model checking. Why?  Liveness properties are more expensive to check than safety properties. Why?  Partial order reduction conducts a selective search to reduce the number of states to be searched.  State compression does not reduce the number of states, but reduces the amount of memory to store them.  Bitstate hashing further reduces the memory requirement, but is subject to incomplete coverage.