Introduction to Model Checking Temporal Logics for Reactive

Document Sample

```					                                                                                     Temporal Logics for Reactive Systems
[Pnueli FOCS 77, TCS 81]

Transformational systems               •! Transformational view follows
from the initial use of computers
get input;                               as advanced calculators: A
compute something;                       component receives some input,
Introduction to Model Checking
return result;                           does some calculation and then
returns a result.

Reactive systems
view seems more natural:
while (true) {                           components which continuously
receive some input,                interact with each other and their
send some output                   environment without terminating
}
These slides are based on those of
Tevfik Bultan for CS 267
University of California, Santa Barbara
http://www.cs.ucsb.edu/~bultan/
http://www.cs.ucsb.edu/~bultan/courses/267/

Transformational vs. Reactive Systems                                                Temporal Logics

Transformational systems                      •! Earlier work in verification uses     Temporal Logics
the transformational view:            •! Invariant p (G p, AG p, p)
get input;
–! halting problem                   •! Eventually p (F p, AF p, p)
{pre-condition}
–! Hoare logic                       •! Next p : (X p, AX p, p)
compute something;
–! pre and post-conditions           •! p Until q : ( p U q, A(p U q) )
{post-condition}
–! partial vs. total correctness
return result;

Branching vs. Linear Time         LTL view          CTL view
Reactive systems                              •! For reactive systems:                                                      G(p) F(p)         AF(p), EG(p)
–! termination is not the main          Transition system:
while (true) {                                                                                                              p    p               p
–! pre and post-conditions are                 p             p              p                  p
send some output
not enough
}                                                                                                    p                      p                  p           p
.   .              .   .       .
.   .              .   .       .
.   .              .   .       .
Automated Verification of Finite State Systems                                     Temporal Properties % Fixpoints
[Clarke and Emerson 81], [Queille and Sifakis 82]                                  [Emerson and Clarke 80]

Transition Systems                        Verification vs. Falsification
•! S : Set of states (finite)
•! I ! S : Set of initial states          Verification:
•! R ! S " S : Transition relation        show: initial states ! truth set of p

Falsification:
Model checking problem: Given a           find: a state # initial states \$ truth
temporal logic property, does the           set of ¬p
transition system satisfy the           generate a counter-example
property?                                   starting from that state
–! Complexity: linear in the size
of the transition system

Symbolic Model Checking                                                            SMV [McMillan 93]
[McMillan et al. LICS 90]

•! Represent sets of states and the transition relation as                         •! BDD-based symbolic model checker
Boolean logic formulas                                                          •! Finite state
•! Temporal logic: CTL
•! Fixpoint computation becomes formula manipulation                               •! Focus: hardware verification
–! pre and post-condition computations: Existential variable                       –! Later applied to software specifications, protocols, etc.
elimination                                                                 •! SMV has its own input specification language
–! conjunction (intersection), disjunction (union) and                             –! concurrency: synchronous, asynchronous
negation (set difference), and equivalence check
–! shared variables
–! boolean and enumerated variables
•! Use an efficient data structure
–! bounded integer variables (binary encoding)
–! Binary Decision Diagrams (BDDs)
•! SMV is not efficient for integers, can be fixed
LTL Properties % Büchi automata                                      SPIN [Holzmann         91, TSE 97]
[Vardi and Wolper LICS 86]

•! Explicit state, finite state                •! Property automaton from the
•! Büchi automata: Finite state                                      •! Temporal logic: LTL                            negated LTL property
true
automata that accept infinite
strings                                      p      ¬p            •! Input language: PROMELA                     •! Product of the property
Gp                                 –! Asynchronous processes                     automaton and the transition
–! Shared variables                           system (on-the-fly)
•! A Büchi automaton accepts a
string when the corresponding                                         –! Message passing through                 •! Show that there is no accepting
true
run visits an accepting state                                            (bounded) communication                    cycle in the product automaton
infinitely often                   Fp       ¬p      p                    channels                                •! Nested depth first search to look
–! Variables: boolean, char,                  for accepting cycles
•! The size of the property                                                 integer (bounded), arrays
(fixed size)                            •! If there is a cycle, it corresponds
automaton can be exponential in                                                                                     to a counterexample behavior
the size of the LTL formula
true      p                                                            that demonstrates the bug
G (F p)
true

Model Checking Research                                              Model Checking Impact

•! These key ideas and tools inspired a lot of research              •! Model checking research had significant impact in other
[Clarke, Grumberg and Peled, 99]                                        areas. Some examples:
–! efficient symbolic representations                            •!   Software Engineering:
–! Chaki et al. "Modular Verification of Software Components in C" ICSE 03,
–! partial order reductions                                               ACM SIGSOFT distinguished paper
–! abstraction                                                         –! Betin Can at al. "Application of Design for Verification with Concurrency
Controllers to Air Traffic Control Software" ASE 05 best paper
–! compositional/modular verification
•!   Systems:
–! model checking infinite state systems (pushdown                     –! Yang et al. “Using Model Checking to Find Serious File System Errors,
automata)                                                              OSDI 04 best paper.
–! Killian et al. “Life, Death, and the Critical Transition: Finding Liveness Bugs
–! model checking real time systems                                       in Systems Code” NSDI 2007 best paper
–! model checking hybrid systems                                 •!   Also conferences in Security and Programming Languages have plenty of
–! model checking programs
–! ...
Other issues                                                      Abstract Interpretation [Cousot and Cousot POPL 77]

•!   Abstraction                                                  •! Abstract interpretation provides a general framework for
•!   Bounded model checking                                          defining abstractions
•!   Dealing with infinite-state transition system                •! The size of the state space of an abstracted system is
•!   Automated synthesis                                             smaller than the original system, which makes static
analysis of the abstract state space feasible
•! Different abstract domains can be combined using the
abstract interpretation framework
•! Abstract interpretation framework also provides
conservative approximation techniques such as widening
for computing approximations of fixpoints

Predicate Abstraction [Graf and Saidi CAV 97]                     Counter-example Guided Abstraction Refinement
[Clarke et al. CAV 00][Ball and Rajamani SPIN 00]
•! An automated abstraction technique that reduces the state      The basic idea in counter-example guided abstraction
space of a program by removing some variables from the            refinement is the following:
program and just keeping information about a set of            •! First look for an error in the abstract program (if there are
predicates about them                                             no errors, we can terminate since we know that the original
•! Given a program and a set of predicates, predicate                program is correct)
abstraction abstracts the program so that only the             •! If there is an error in the abstract program, generate a
information about the given predicates are preserved              counter-example path on the abstract program
•! The abstracted program adds nondeterminism since in            •! Check if the generated counter-example path is feasible
some cases it may not be possible to figure out what the          using a theorem prover.
next value of a predicate will be based on the predicates in   •! If the generated path is infeasible add the predicate from
the given set                                                     the branch condition where an infeasible choice is made to
•! One needs an automated theorem prover to compute the              the predicate set and generate a new abstract program.
abstraction
Bounded Model Checking [Biere et al. TACAS 99]

•! Represent sets of states and the transition relation as
Boolean logic formulas

•! Instead of computing the fixpoints, unroll the transition
relation up to certain fixed bound and search for violations
of the property within that bound

•! Transform this search to a Boolean satisfiability problem
and solve it using a SAT solver

```
DOCUMENT INFO
Shared By:
Categories:
Stats:
 views: 6 posted: 5/30/2009 language: English pages: 5