Presentation is loading. Please wait.

Presentation is loading. Please wait.

Automatic Verification

Published byFrank Short Modified over 5 years ago

Similar presentations

Presentation on theme: "Automatic Verification"— Presentation transcript:

1 Automatic Verification
(Book: Chapter 6)

2 How can we check the model?
The model is a graph. The specification should refer the the graph representation. Apply graph theory algorithms. 9

3 What properties can we check?
Invariant: a property that needs to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed. 10

4 How to perform the checking?
Apply a search strategy (Depth first search, Breadth first search). Check states/transitions during the search. If property does not hold, report counter example! 11

5 If it is so good, why learn deductive verification methods?
Model checking works only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures: queues trees stacks parametric algorithms and systems. 12

6 The state space explosion
Need to represent the state space of a program in the computer memory. Each state can be as big as the entire memory! Many states: Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes. 13

7 If it is so constrained, is it of any use?
Many protocols are finite state. Many programs or procedure are finite state in nature. Can use abstraction techniques. Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving. Many techniques to reduce the state space explosion. 14

8 Depth First Search Procedure dfs(s) Program DFS
for each s’ such that R(s,s’) do If new(s’) then dfs(s’) end dfs. Program DFS For each s such that Init(s) dfs(s) end DFS 15

9 Start from an initial state
Hash table: q1 q1 q2 q3 Stack: q1 q4 q5 16

10 Continue with a successor
Hash table: q1 q1 q2 q2 q3 Stack: q1 q2 q4 q5 17

11 One successor of q2. Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q2 q4 q4
18

12 Backtrack to q2 (no new successors for q4).
Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q2 q4 q5 19

13 Backtracked to q1 Hash table: q1 q1 q2 q4 q2 q3 Stack: q1 q4 q5 20

14 Second successor to q1. Hash table: q1 q1 q2 q4 q3 q2 q3 Stack: q1 q3
21

15 Backtrack again to q1. Hash table: q1 q1 q2 q4 q3 q2 q3 Stack: q1 q4
22

16 How can we check properties with DFS?
Invariants: check that all reachable states satisfy the invariant property. If not, show a path from an initial state to a bad state. Deadlocks: check whether a state where no process can continue is reached. Dead code: as you progress with the DFS, mark all the transitions that are executed at least once. 23

17 The state graph:Successor relation between states.
Turn=0 L0,L1 L0,NC1 NC0,L1 CR0,NC1 NC0,NC1 CR0,L1 Turn=1 L0,CR1 NC0,CR1 18

18 ¬(PC0=CR0/\PC1=CR1) is an invariant!
Turn=0 L0,L1 L0,NC1 NC0,L1 CR0,NC1 NC0,NC1 CR0,L1 Turn=1 L0,CR1 NC0,CR1 19 24

19 Want to do more! Want to check more properties.
Want to have a unique algorithm to deal with all kinds of properties. This is done by writing specification in more complicated formalisms. We will see that in the next lecture. 25

20 [](Turn=0  <>Turn=1)
L0,L1 Turn=1 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=1 L0,NC1 Turn=1 NC0,L1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,NC1 Turn=0 CR0,NC1 Turn=1 NC0,CR1 20 8

21 Convert graph into Buchi automaton New initial state
Turn=0 L0,L1 Turn=1 L0,L1 Turn=0 L0,NC1 Turn=0 NC0,L1 Turn=1 L0,NC1 Turn=1 NC0,L1 Turn=0 NC0,NC1 Turn=0 CR0,L1 Turn=1 L0,CR1 Turn=1 NC0,NC1 Turn=0 CR0,NC1 Turn=1 NC0,CR1

22 Propositions are attached to incoming nodes. All nodes are accepting.
init Turn=0 L0,L1 Turn=1 L0,L1 Turn=0 L0,L1 Turn=1 L0,L1 Propositions are attached to incoming nodes. All nodes are accepting. 19 20

23 Correctness condition
We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). We need: L(Model)  L(Spec). 21

24 Correctness Sequences satisfying Spec Program executions All sequences
22

25 How to prove correctness?
Show that L(Model)  L(Spec). Equivalently: ______ Show that L(Model)  L(Spec) = Ø. Also: can obtain L(Spec) by translating from LTL! 23

26 What do we need to know? How to intersect two automata?
How to complement an automaton? How to translate from LTL to an automaton? 24

27 Intersecting M1=(S1,,T1,I1,A1) and M2=(S2,,T2,I2,S2)
Run the two automata in parallel. Each state is a pair of states: S1 x S2 Initial states are pairs of initials: I1 x I2 Acceptance depends on first component: A1 x S2 Conforms with transition relation: (x1,y1)-a->(x2,y2) when x1-a->x2 and y1-a->y2.

28 Example (all states of second automaton accepting!)
b,c s1 a b,c a t0 c t1 b States: (s0,t0), (s0,t1), (s1,t0), (s1,t1). Accepting: (s0,t0), (s0,t1). Initial: (s0,t0). 26

29 a s0 s1 b,c a b,c a t0 t1 c b a s0,t0 s0,t1 b a s1,t0 c s1,t1 b c 27

30 More complicated when A2S2
b,c s1 a a s0,t0 b,c s0,t1 b a a c s1,t1 t0 c t1 b c Should we have acceptance when both components accepting? I.e., {(s0,t1)}? No, consider (ba) It should be accepted, but never passes that state. 26

31 More complicated when A2S2
b,c s1 a a b,c s0,t0 s0,t1 b a a c s1,t1 t0 c t1 c b Should we have acceptance when at least one components is accepting? I.e., {(s0,t0),(s0,t1),(s1,t1)}? No, consider b c It should not be accepted, but here will loop through (s1,t1) 26

32 Intersection - general case
q0 q2 b a, c a c, b q1 q3 c b c q0,q3 q1,q3 q1,q2 a c

33 Version 0: to catch q0 Version 1: to catch q2
b c q0,q3 q1,q2 q1,q3 a c Move when see accepting of left (q0) Move when see accepting of right (q2) c b q0,q3 q1,q2 q1,q3 a c Version 1

34 Version 0: to catch q0 Version 1: to catch q2
b c q0,q3 q1,q2 q1,q3 a c Move when see accepting of left (q0) Move when see accepting of right (q2) c b q0,q3 q1,q2 q1,q3 a c Version 1

35 Make an accepting state in one of the version according to a component accepting state
q0,q3,0 q1,q2,0 q1,q3,0 a c a b c b q0,q3,1 q1,q2 ,1 q1,q3 ,1 c Version 1

36 How to check for emptiness?
a s0,t0 s0,t1 b a c s1,t1 c 28

37 Emptiness... Need to check if there exists an accepting run (passes through an accepting state infinitely often).

38 Strongly Connected Component (SCC)
A set of states with a path between each pair of them. Can use Tarjan’s DFS algorithm for finding maximal SCC’s.

39 Finding accepting runs
If there is an accepting run, then at least one accepting state repeats on it forever. Look at a suffix of this run where all the states appear infinitely often. These states form a strongly connected component on the automaton graph, including an accepting state. Find a component like that and form an accepting cycle including the accepting state.

40 Equivalently... A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.

41 How to complement? Complementation is hard!
Can ask for the negated property (the sequences that should never occur). Can translate from LTL formula  to automaton A, and complement A. But: can translate ¬ into an automaton directly! 29

42 Model Checking under Fairness
Express the fairness as a property φ. To prove a property ψ under fairness, model check φψ. Counter example Fair (φ) Bad (¬ψ) Program

43 Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either it contains on occurrence of a transition from P, or it contains a state where P is disabled.

Download ppt "Automatic Verification"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Translating from logic to automata Book: Chapter 6.

Translating from logic to automata Book: Chapter 6.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Two algorithms for checking emptiness. How to check for emptiness? Is L (A) = ; ? Need to check if there exists an accepting computation (passes through.

Two algorithms for checking emptiness. How to check for emptiness? Is L (A) = ; ? Need to check if there exists an accepting computation (passes through.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Timed Automata.

Timed Automata.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

Similar presentations

Ads by Google