Presentation is loading. Please wait.

Presentation is loading. Please wait.

Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck.

Published byRosalind Preston Modified over 9 years ago

Similar presentations

Presentation on theme: "Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck."— Presentation transcript:

1 Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck

2 Liveness with Counter Abstraction P nueli, X u, Z uck The Parameterized Verification Problem Given a system and a property f, Does S(N) satisfy f for every N ? ? The Problem where

3 Liveness with Counter Abstraction P nueli, X u, Z uck Lesson from Experience … In order to verify a reactive system: If it is finite state – model check it If it is infinite – verify it deductively But abstraction makes it all simpler!

4 Liveness with Counter Abstraction P nueli, X u, Z uck Data Abstraction Verifying that an infinite-state system S satisfies a property f using abstraction: abstract system into a simpler finite-state system that admits more behaviors abstract the property to model check abstract system with respect to abstract property conclude that concrete system satisfies concrete property

5 Liveness with Counter Abstraction P nueli, X u, Z uck Counter Abstraction Assumptions on the concrete system : the control variable of processes ranges over 0, … the shared variables are y1, …,yb there are no local variables counter abstracted The variables of the counter abstracted system are K_0, …,k_L : {0,1,2} Y_1, …,Y_b Where if no process is in control location l if there is exactly one process in control location l if there are at least two processes in control location l

6 Liveness with Counter Abstraction P nueli, X u, Z uck Counter Abstraction Assumptions on the concrete system : the control variable of processes ranges over 0, … the shared variables are y1, …,yb there are no local variables counter abstracted The variables of the counter abstracted system are K_0, …,k_L : {0,1,2} Y_1, …,Y_b Where if no process is in control location l if there is exactly one process in control location l if there are at least two processes in control location l

7 Liveness with Counter Abstraction P nueli, X u, Z uck A Toy Example: Mutex where Fairness requirements: Justice: Compassion:

8 Liveness with Counter Abstraction P nueli, X u, Z uck A Toy Example: Mutex Safety property - mutual exclusion: Liveness property – individual accessibility: (true only with fairness) where

9 Liveness with Counter Abstraction P nueli, X u, Z uck A Toy Example: Mutex

10 Liveness with Counter Abstraction P nueli, X u, Z uck A Toy Example: Mutex Concrete Safety property - mutual exclusion : Abstract Safety property - mutual exclusion :

11 Liveness with Counter Abstraction P nueli, X u, Z uck Safety follows trivially! Mutex after Counter Abstraction (graphical representation)

12 Liveness with Counter Abstraction P nueli, X u, Z uck Justice Abstracting Justice requirement since if process is not in control location 2 it is either in control location 0 or 1. form the concrete justice requirement we can obtain the abstract requirement

13 Liveness with Counter Abstraction P nueli, X u, Z uck abstract justice requirement unfortunately the abstract justice requirement liveness property doesn ’ t discard any states, so any liveness property justice that is not valid for Mutex without justice cannot be proven in this abstract system Liveness verifying Liveness in Mutex

14 Liveness with Counter Abstraction P nueli, X u, Z uck Justice Strengthening Justice Requirements How? We provide 4 guidelines (in two slides … ) Conclusion: fairness requirements we need to derive more/stronger fairness requirements

15 Liveness with Counter Abstraction P nueli, X u, Z uck concretejustice If the concrete system contains the justice safelyabstract justice Then we can safely add the abstract justice Justice Strengthening Justice Requirements Why?

16 Liveness with Counter Abstraction P nueli, X u, Z uck suppose a state satisfies then there exists exactly one process, say I, in location the process I violates its justice requirement to fulfill it, it must exit location l sometime in the future when it exits it, must hold since another process cannot enter location (execute a transition) at the same step concretejustice If the concrete system contains the justice safelyabstract justice Then we can safely add the abstract justice Why? Justice Strengthening Justice Requirements

17 Liveness with Counter Abstraction P nueli, X u, Z uck Justice Strengthening Justice Requirements

18 Liveness with Counter Abstraction P nueli, X u, Z uck Justice Strengthening Justice Requirements is a condition on shared variables leads only to Emerges from

19 Liveness with Counter Abstraction P nueli, X u, Z uck From the concrete justice and the concrete compassion concrete justice we can conclude the concrete justice Justice Strengthening Justice for Mutex

20 Liveness with Counter Abstraction P nueli, X u, Z uck Justice Strengthening Justice for Mutex Automaticall y obtained

21 Liveness with Counter Abstraction P nueli, X u, Z uck Liveness Verifying Liveness using Counter Abstraction which is abstracted to individual individual accessibility Counter abstraction does not allow to observe the behavior of an individual process, thus we cannot verify the liveness property of individual accessibility communal accessibility (livelock freedom) we can, however, verify the liveness property of communal accessibility (livelock freedom)

22 Liveness with Counter Abstraction P nueli, X u, Z uck Liveness Verifying Liveness Model Checking [LP85]

23 Liveness with Counter Abstraction P nueli, X u, Z uck Liveness Verifying Liveness Extract from the state-transition graph the sub- graph of pending states A pending state is any state which is not reachable from a p-state by a q-free path Show that the extracted sub-graph contains no infinite fair path Decompose the sub-graph into maximal SCCs Show that each of them violates some fairness requirement Model Checking [LP85]

24 Liveness with Counter Abstraction P nueli, X u, Z uck Liveness Verifying Liveness Model Checking [LP85] Extract from the state-transition graph the sub- graph of pending states A pending state is any state which is reachable from a p-state by a q-free path Show that the extracted sub-graph contains no infinite fair path Decompose the sub-graph into maximal SCCs Show that each of them violates some fairness requirement

25 Liveness with Counter Abstraction P nueli, X u, Z uck Liveness Verifying Liveness Model Checking [LP85] Extract from the state-transition graph the sub- graph of pending states A pending state is any state which is reachable from a p-state by a q-free path Show that the extracted sub-graph contains no infinite fair path Decompose the sub-graph into maximal SCCs Show that each of them violates some fairness requirement

26 Liveness with Counter Abstraction P nueli, X u, Z uck communal accessibility for Mutex Verifying communal accessibility for Mutex To establish we have to remove all states that are not in a q-free path reachable from a p-state

27 Liveness with Counter Abstraction P nueli, X u, Z uck communal accessibility for Mutex Verifying communal accessibility for Mutex

28 Liveness with Counter Abstraction P nueli, X u, Z uck Each maximal SCC (each node) violates the abstract justice Hence communal accessibility holds! communal accessibility for Mutex Verifying communal accessibility for Mutex

29 Liveness with Counter Abstraction P nueli, X u, Z uck Save One Counter Abstraction Save One To prove individual accessibility Counter abstractexcept one, Counter abstract all the processes except one, Model checkabstract system one concrete process Model check that the abstract system composed with one concrete process satisfies the liveness property for the concrete process

30 Liveness with Counter Abstraction P nueli, X u, Z uck Graphical representation of Mutex under counter abstraction save one Save One Counter Abstraction Save One - Mutex

31 Liveness with Counter Abstraction P nueli, X u, Z uck compassion requirement Considering the compassion requirement and the fact that no state satisfies we can remove all states satisfying Save One Counter Abstraction Save One - Mutex

32 Liveness with Counter Abstraction P nueli, X u, Z uck Save One Counter Abstraction Save One - Mutex

33 Liveness with Counter Abstraction P nueli, X u, Z uck Each maximal SCC (each node) violates the abstract justice Hence individual accessibility holds! Save One Counter Abstraction Save One - Mutex

34 Liveness with Counter Abstraction P nueli, X u, Z uck Compassion Adding Compassion requirements Consider program TERMINATE and the liveness property The abstracted liveness property is The counter abstraction of the program is

35 Liveness with Counter Abstraction P nueli, X u, Z uck Compassion Adding Compassion requirements The abstracted liveness property is The counter abstraction of the program is From the concrete justice We obtain the abstract justice The computation can stay forever in which violates the liveness property !

36 Liveness with Counter Abstraction P nueli, X u, Z uck Compassion Adding Compassion requirements

37 Liveness with Counter Abstraction P nueli, X u, Z uck Augment the system with two auxiliary variables and Compassion Adding Compassion requirements

38 Liveness with Counter Abstraction P nueli, X u, Z uck Augment the system with two auxiliary variables and Compassion Adding Compassion requirements For each transition If set Else set Add to the concrete compassion Counter abstract the augmented system For every justice requirement include the abstract requirement

39 Liveness with Counter Abstraction P nueli, X u, Z uck The transition graph for augmented TERMINATE Liveness Verifying Liveness for TERMINATE Abstract Compassion obtained fromAbstract Justice using Hence the liveness property holds !

40 Liveness with Counter Abstraction P nueli, X u, Z uck Success with Counter Abstraction Szymanski ’ s mutual exclusion algorithm The Bakery Algorithm (shared variables are unbounded) Probabilistic mutual exclusion protocol

41 Liveness with Counter Abstraction P nueli, X u, Z uck

Download ppt "Liveness Counter Abstraction Liveness with Counter Abstraction A mir P nueli, J essie X u and L enore Z uck."

Similar presentations

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.

Exploiting SAT solvers in unbounded model checking K. L. McMillan Cadence Berkeley Labs.
Completeness and Expressiveness

Completeness and Expressiveness
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.

Mutual Exclusion – SW & HW By Oded Regev. Outline: Short review on the Bakery algorithm Short review on the Bakery algorithm Black & White Algorithm Black.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
Linear Programming (LP) (Chap.29)

Linear Programming (LP) (Chap.29)
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.

Mutual Exclusion By Shiran Mizrahi. Critical Section class Counter { private int value = 1; //counter starts at one public Counter(int c) { //constructor.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Chapter 22: Elementary Graph Algorithms IV. 2 About this lecture Review of Strongly Connected Components (SCC) in a directed graph Finding all SCC (i.e.,

1 Chapter 22: Elementary Graph Algorithms IV. 2 About this lecture Review of Strongly Connected Components (SCC) in a directed graph Finding all SCC (i.e.,
Sept 2011 1 COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Sept COMP60611 Fundamentals of Parallel and Distributed Systems Lecture 12 The Critical Section problem John Gurd, Graham Riley Centre for Novel.

Similar presentations

Ads by Google