Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI1600: Embedded and Real Time Software

Published by Modified over 5 years ago

Similar presentations

Presentation on theme: "CSCI1600: Embedded and Real Time Software"— Presentation transcript:

1 CSCI1600: Embedded and Real Time Software
Lecture 31: Verification III Steven Reiss, Fall 2017

2 Property Definition Using CTL or LTL temporal logic Recall
As conditions over paths Where the paths are specified by predicates Recall X f (neXt time) F f (eventually, in the Future) G f (always, Globally) f U g (Until) f R g (Release) A (for All paths) E (there Exists a path) Lecture 33: Verification III 2/5/2019

3 Program Definition Finite State Automata Associate labels with states
Extended FSAs: simple variables to determine transitions Unless a transition is explicitly limited, it is possible Assumes non-determinism Associate labels with states Properties that are true in the state Properties are determined from the predicates of interest Automata can be simplified to only reflect these properties Lecture 33: Verification III 2/5/2019

4 Proving Properties Show that for all possible “executions” of the program The property holds If it doesn’t hold Show the counter example Serves to document or understand the problem Can be used to further refine the model program Include other variables or values Checks to avoid false positives Lecture 33: Verification III 2/5/2019

5 How Can We Do Such Proofs?
Map the formula into an FSA and work with 2 FSAs Condition changes during execution trigger changes in the state FSA Track the property FSA states for each program state Work directly on the automata with the formula Track what parts of the formula a true at each point in the program Work by induction Since the program is finite state Can associate all valid subformulas with each state This tells us what is valid at each state Map the program into a formula and work with 2 formulas What works best depends on application and property But all have been tried and used successfully Lecture 33: Verification III 2/5/2019

6 Example: Microwave Oven
Lecture 33: Verification III 2/5/2019

7 Example: Properties AG(start -> AF heat)
For all paths, if we hit start, then we eventually get heat Is this true? Lecture 33: Verification III 2/5/2019

8 Working with formula over FSA
Identify the states of the FSA where the formula holds By using labels on the states Using all subformulas of the formula If we know the value for all subformulas, we can compute the value of the formula How depends on the particular operator that combines the subformulas Example: AND, OR, NOT This can be done inductively over subformula Only need to consider primitives and EU and EG operators All the other CTL operators can be defined in terms of these Lecture 33: Verification III 2/5/2019

9 Showing EU: E(f1 U f2) f1 holds until f2 holds on some path from this state Want to find all states where this is true Given we know the states where f1 and f2 hold (induction) Algorithm: T = { s : f2 is in label(s) } FORALL s in T DO: add E(f1 U f2) to label(s) WHILE (T is non-empty) CHOOSE s in T and remove it from T FORALL t such that t is a predecessor state of s IF E(f1 U f2) is not in label(t) and f1 is in label(t) THEN Add E(f1 U f2) to label(t); Add t to T ENDIF NEXT Lecture 33: Verification III 2/5/2019

10 Showing EG f f always holds on some path Algorithm:
What does this require in terms of the program automata Algorithm: S = { s | f is in label(s) } SCC = { C | C is a nontrivial strongly connected component of S } T = Union of all s in a C in SCC FORALL s in T DO: add (EG f) to label(s) WHILE T is non-empty DO CHOOSE s in T and remove it from T FORALL t such that t is a predecessor of s and t is in S IF (EG f) is not in label(t) THEN ADD (EG f) to label(t) ADD t to T ENDIF NEXT Lecture 33: Verification III 2/5/2019

11 Proving AG(start -> AF heat)
Convert to using these operators AG(start -> AF heat) ~EF(start ˄ EG ~heat) ~E(true U (start ˄ EG ~heat)) Prove: ~E(true U (start ˄ EG ~heat)) Lecture 33: Verification III 2/5/2019

12 Work On: ~E(true U (start ˄ EG ~heat))
S(start) = { 2,5,6,7 } S(~heat) = { 1,2,3,5,6 } S(EG ~heat) Find SCC of ~heat : { 1,2,3,5 } S(EG ~heat) = { 1,2,3,5 } S(start and EG ~heat) = { 2,5 } S(E(true U (start and EG ~heat))) Initially { 2, 5 } Add any predecessor where true is true Yields { 1,2,3,4,5,6,7 } S(~E(true U (start and EG ~heat))) = { } The property does not hold Lecture 33: Verification III 2/5/2019

13 AG(~error AND start -> AF heat)
Convert to use the operators AG(~error ˄ start -> AF heat) ~EF(~error ˄ start ˄ EG ~heat) ~E(true U (~error ˄ start ˄ EG ~heat)) Lecture 33: Verification III 2/5/2019

14 Show: ~E(true U (~error ˄ start ˄ EG ~heat))
Lecture 33: Verification III 2/5/2019

15 Can also work with formulas
Convert program into a logical formula Create a joint formula combining program and condition Verify the joint formula is correct Lecture 33: Verification III 2/5/2019

16 Working with Formula Assume we have a LTL/CTL formula for property
Assume we have a finite state program Objective: Map the program to a Boolean formula Create a combined formula for property + program Prove the combined formula or find counter example Lecture 33: Verification III 2/5/2019

17 Mapping the Program Represent the current state as a set of Boolean variables (s0,s1,s2,…,sn) Each state has a identifying number (s0,s1,…sn) is the bit representation of that number Define a relation R specifying valid transitions R(s,t): there is a transition from s to t R can be stated as a (complex) Boolean formula Can be used to look at both successors and predecessors Lecture 33: Verification III 2/5/2019

18 Merge Program and Formula
For each condition f, create formula F(s’) that is true for all states s’ where f holds (and false for all other states) This is done inductively over the subformula Base case: primitive formulas EF, EG operators Defined iteratively (using fixed points) using current formulas and R to build the current formula Essentially using the algorithms we saw last time This can all be done mechanically Lecture 33: Verification III 2/5/2019

19 Making This Practical The formulas can be generated but
They are going to be very large Need to both generate and use them efficiently We need an efficient representation of a formula Easy to operate on (AND/OR/NOT/IMPLIES) Space efficient Easy to manipulate by computer We need a practical solver Lecture 33: Verification III 2/5/2019

20 Decision Trees A B F T C T F
A formula can be written as a decision tree Each node is labeled with a Boolean variable Each node has a true and a false branch out Leaves are labeled either TRUE or FALSE Example: A and (B or C) Try a AND (b OR (c XOR d)) What is the size of the tree? Does it have to be this size? A T F B F F T T C F T T F Lecture 33: Verification III 2/5/2019

21 Simplifying Decision Trees
Most of the decision trees look the same Extra variables just yield identical subtrees Trees can be simplified Simplify the tree into a DAG There are only two real leaves (merge these) If two nodes have the same children and the same labels, they can be merged If both branches of a node go to the same node, the original node can be eliminated This can be iterated Worst case size is still exponential, actual size is generally much smaller The results is a BDD (Binary Decision Diagram) Lecture 33: Verification III 2/5/2019

22 Ordered BDDs Place an a priori order on the variables as labels
Note that order affects the size Optimum ordering is NP complete Logical operations are easy to do on ordered BDDs Complement: flip TRUE and FALSE leaves AND, OR: Merge the two trees level by level Ordering makes this easy Setting result to be AND/OR or merged result EG and EU Defined as iterative procedures on BDDs Stopping at appropriate fixed points (no changes to BDD on next pass) All computations are O(1) or O(nlogn) or O(n) on the tree Lecture 33: Verification III 2/5/2019

23 Model Checking BDDs Compute the BDD for R(s,t) for the program
Inductively compute F(s) for the formula f F(S) is true iff f is true in the program F(S) is true iff it is the singleton node True Otherwise there is a path that shows false Can use the BDD path to FALSE to find counterexample BDDs have been used to verify programs with 2^80 states Lecture 33: Verification III 2/5/2019

24 Extensions RTCTL : handle incremental real time constraints
G[a,b]f :: f holds from a to b Continuous Real Time Work in terms of timed automata & clock regions Lecture 33: Verification III 2/5/2019

25 Homework Read Chapter 16 Exercise 16.1, 16.2
Lecture 33: Verification III 2/5/2019

26 Solving with only Automata
Map the formula into an automata Annotate the program automata with output events That trigger the formula automata Then annotate the program automata For each state: list the set of states in the formula automata that are reachable This can only grow and must eventually come to a fixed point Determine success/failure from the result Lecture 33: Verification III 2/5/2019

27 Example Once an iterator is allocated, every call to next must be preceded by a call to hasNext Lecture 33: Verification III 2/5/2019

28 Iterator Example Program
for (Iterator it = x.iterator(); it.hasNext(); ) { y = it.next(); } it = x.iterator / ALLOC it.hasNext() / HASNEXT y = it.next() / NEXT Lecture 33: Verification III 2/5/2019

29 Iterator Example A C D E B it = x.iterator / ALLOC
it.hasNext() / HASNEXT y = it.next() / NEXT Lecture 33: Verification III 2/5/2019

Download ppt "CSCI1600: Embedded and Real Time Software"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.

Data-Flow Analysis Framework Domain – What kind of solution is the analysis looking for? Ex. Variables have not yet been defined – Algorithm assigns a.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Determinization of Büchi Automata

Determinization of Büchi Automata
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Similar presentations

Ads by Google