Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

Successfully reported this slideshow.

Like this presentation? Why not share!

993 views

Published on

Published in:
Software

No Downloads

Total views

993

On SlideShare

0

From Embeds

0

Number of Embeds

3

Shares

0

Downloads

35

Comments

0

Likes

1

No embeds

No notes for slide

- 1. Temporal Logic & Model Checking Dr. Jayaraj Poroor
- 2. Formal methods: Why? REAL DEVELOPMENT IDEAL DEVELOPMENT Specification ¯ Design ¯ Coding ¯ Testing ¯ Product …. + DErrors ¯ + DErrors ¯¯ + DBugs ¯¯¯ Limited Coverage ¯ with safety issues
- 3. Formal methods: Where? Life Critical Mission Critical Medical Devices Therac-25 Space Vehicles Ariane-5 Industrial Control Slammer Worm at Davis-Besse Plant • An Investigation of Therac-25 Accidents [Leveson, Turner, 93] • Ariane 5 Flight 501 Failure, Report by Inquiry Board [Lions, 96] • Slammer worm crashed Ohio nuke plant network, News Report [http://www.securityfocus.com/news/6767, 03]
- 4. Sentences (Syntax) and Models (Semantics) “Every PhD student must have an advisor who is a member of faculty” F = "x× phd-student(x) Þ $y × advisor-of(y, x) Ù faculty(y) What does F mean? ◦ Classical Interpretation - A mathematical structure with: ◦ advisor-of mapped to a binary relation on the structure ◦ phd-student, faculty mapped to unary relations ◦ Logical symbols (Ù, Þ) have fixed interpretation ◦ Quantifiers (",$) range over elements of the underlying set Model of F = a satisfying interpretation for F
- 5. Fundamental reasoning tasks M satisfies F ? Model checking problem ? satisfies F Satisfiability problem * satisfies F Validity problem { a : M |= F(a)} Formula (query) evaluation Note: |= denotes satisfies relation
- 6. Modal Logic Modalities: Necessity, knowledge, belief, obligation, tense ◦ Symbolic Logic [Lewis,32] Possible World Semantics ◦ Kripke Structure Temporal Logic ◦ Time and Modality [Prior,57] ◦ Temporal modalities: always (), eventually ()
- 7. Possible Worlds & Kripke Structure for a washing machine idle spinning outlet-open Kripke Structure = (States, ®, washing Accessibility Relation: { } inlet-open outlet-open alarm Ø(spinning Ù washing) Ø(inlet-open Ù outlet-open) L) L : States ® 2AP alarm
- 8. Verification: Sequential Programs ◦ Assigning Meanings to Programs [Floyd,67] ◦ An Axiomatic basis for Computer Programming [Hoare, CACM69] (Hoare Logic) ◦ Guarded commands, non-determinism and formal derivation of programs [Dijstra,75] (GCL)
- 9. Hoare Logic (Assignment Axiom) (Conditional Rule) (Sequencing Rule) ; Proof Tableaux (Pre-strengthening, Post-weakening)
- 10. Hoare Logic Example P = if (x > y) then z := x else z := y Prove that: {true} P {z = max(x,y)} {true} if (x > y) then {x > y} {x = max(x,y)} {z = max(x,y)} z := x else z := y {true} {Ø(x > y)} {z = max(x,y)} {z = max(x,y)} {y = max(x,y)} x > y Þ x = max(x,y) x £ y Þ y = max(x,y)
- 11. Concurrency Simple pre-condition/post-condition assertions insufficient ◦ Deadlocks, Data races, Starvation! ◦ Need a language for expressing concurrency properties Cannot ignore intermediate steps! ◦ P ; Q : Intermediate states of P & Q do not interleave/interact ◦ P || Q : Intermediate states interleave/interact (in exponential number of ways)
- 12. Specifying properties of concurrent systems Language: Temporal Logic The Temporal Logic of Programs [Pnueli,77] (Linear Temporal Logic) Safety ◦ something bad will never happen: ◦ Ø(spinning Ù washing) Liveness ◦ Something good will eventually happen: ◦ alarm Fairness ◦ Always something good will eventually happen ◦ idle
- 13. Why Temporal Logics? Computational System Modal and Temporal Logics Operational Semantics models of Labelled Transition System (Kripke Structure) [Stirling03] http://www.fing.edu.uy/inco/eventos/wssa/
- 14. Producer-Consumer with 1-buffer Producer wtp: while (!isempty); csp: buf = produce(); flp : isempty = false; Consumer wtc: while (isempty); csc: consume(buf); flc : isempty = true;
- 15. State space for 1-buffer system States = control state ´ data state = {wtp,csp,flp} ´ {wtc,csc,flc} ´ {da} ´ {em} wt : wait cs : critical section fl : flag update da : buf has data available em : isempty is true e.g., (wtp, csc, ,em) Î States
- 16. LTS for 1-buffer system wtp, wtc, ,em csp, wtc,da,em flp, wtc,da, wtp, wtc,da, flp, csc, , flp, flc, ,em wtp, csc, , wtp, flc, ,em flp, wtc, ,em csp, flc,da,em flp, flc,da, wtp, flc,da,
- 17. Temporal Properties for 1-buffer system Safety: Ø(csp Ù csc) ◦ Producer and Consumer will never be in the CS at the same time Liveness: (da Ù Ø em) ◦ Eventually data will become available and empty flag reset Fairness: csp ◦ Producer is always given a fair chance to produce
- 18. Model Checking Model checking: M |= F? Design & Synthesis of synchronization skeletons using branching temporal logic [Clarke &Emerson, 81] Specification & Verification of Concurrent Systems in Cesar [Queille & Sifakis, 82] Automatic Verification of Finite-State Concurrent Systems using Temporal Logic Specifications [Clarke, Emerson, Sistla, TOPLAS86]
- 19. Computations of LTS Unfold LTS ® Infinite tree of computations ◦ Interleaved Semantics ◦ Concurrency as non-determinism View of computations: Linear vs Branching ◦ Linear Temporal Logic ◦ Computational Tree Logic
- 20. Computational Tree Logic Path quantifier ◦ A: All paths (inevitably) ◦ E: there Exists a path (possibly) Temporal operator ◦ X: neXt state ◦ F: some Future state (eventually) ◦ G: Globally; all future states ◦ U: Until e.g., AF: for all paths eventually, EG: for some path globally
- 21. CTL semantics s0 s0 M,s0 |= AF p [Clarke, Emerson, Sistla, TOPLAS86] M s0 M,s0 |= AG p M,s0 |= EF p
- 22. CTL examples Logic in Computer Science [Huth, Ryan, 04]
- 23. Computational Tree Logic f ::= T | F | p | Øf | fÙf | fÚf | f®f | AX f | EX f | AF f | EF f | AG f | EG f | A [f U f] | E [f U f] A: inevitably (along all paths) E : possibly (there exists a path) G: globally (always), F: in future (eventually) X: neXt state, U: until
- 24. Model Checking M |= F? SAT(M, f) : 2S ◦ INPUT: CTL model M = (S, ®, L) CTL formula f ◦ OUTPUT: Set of states (Í S)that satisfy f ◦ Complexity: O(f . |S| . (|S| + |®|)) Logic in Computer Science [Huth, Ryan, 04]
- 25. SAT: Conjunction & Inevitability y1, y2,, y1, y2 y1 Ù y2 AFy AFy AFy AFy AFy AFy AFy y y, AFy
- 26. SAT: Possibly Until y1 E[y1Uy2 ] y1, E[y1Uy2 ] E[y1Uy2 ] y2, E[y1Uy2 ] y2
- 27. SAT(f) : 2S begin case(f) T : return S ^ : return Æ Øy : return S – SAT(y) f1Ùf2 : return SAT(f1) Ç SAT(f2) f1Úf2 : return SAT(f1) È SAT(f2) f1Þf2 : return SAT(Øf1Úf2) …
- 28. SAT (case(f) cont.d) AFy : SATAF(y) E[f1Uf2] : SATEU(f1,f2) end case end
- 29. SATAF(f) function f(f,Y) begin if Y = Æ then return SAT(f) else return Y È pre"(Y) end begin Y := Æ; repeat X := Y; Y := f(f,Y); until X = Y end
- 30. Fixpoint characterization Consider, F: 2S ® 2S Formula are identified with their characteristic set ◦ e.g. f denotes set of all states where f is true Subsets of S (Î2S) form complete lattice ◦ Partial order: Í, Join: È, Meet: Ç Knaster-Tarski theorem ◦ “Monotone functions on a complete lattice possess least and greatest fixpoints”: A lattice-theoretical fixpoint theorem and its applications [Tarski,55]
- 31. Fixpoint characterization: Eventually, Until EFf = mZ. f Ú EX Z AFf = mZ. f Ú AX Z E[y1Uy2] = mZ. y2 Ú (y1 Ù EX Z) A[y1Uy2] = mZ. y2 Ú (y1 Ù AX Z)
- 32. Fixpoint characterization: globally AGf = nZ.fÙAX Z EGf = nZ.fÙEX Z
- 33. LTL Model checking The complexity of propositional linear temporal logics [Sistla, Clarke, 85] Checking that finite state concurrent programs satisfy their linear specification, [Lichtenstein, Pnueli, POPL85] An automata-theoretic approach to automatic program verification [Vardi, Wolper, 86] ◦ LTL to Buchi Automata
- 34. State explosion The state explosion problem [Clarke, Grumberg, 87] ◦ Number of concurrent processes ◦ Number of variables Partial-order reduction ◦ An Introduction to Trace Theory [Mazurkiewicz,95] Symbolic Model Checking: 1020 states and beyond [Burch, Clarke, McMillan, Dill, Hwang, 92] ◦ OBDD: Ordered Binary Decision Diagrams [Bryant,86] ◦ m-Calculus: Finiteness is m-ineffable [Park,74] Abstraction Combining theorem-proving & model checking On-the-fly model checking
- 35. Some Tools SPIN/Promela ◦ http://spinroot.com Java Pathfinder ◦ http://javapathfinder.sourceforge.net/ NuSMV ◦ http://nusmv.irst.itc.it/
- 36. Thank You Have a great day!

No public clipboards found for this slide

Be the first to comment