Course work CS256/Spring 2008 Lecture #1 Zohar Manna Weekly - PDF document

Course work CS256/Spring 2008 — Lecture #1 Zohar Manna • Weekly homeworks FORMAL METHODS FOR REACTIVE SYSTEMS • Final exam (3:30pm-6:30pm on Friday, June 6) Instructor: Zohar Manna No collaboration on homeworks & exam Email: zm@cs (but welcome otherwise). Office hours: by appointment No late homeworks. TA: Eric W. Smith Email: ewsmith@stanford Office hours: Tues. 3:45-4:45, Thurs. 3:45-4:45 Office: Gates 312 Web page: http://cs256.stanford.edu Course Meetings: TTh 12:50–2:05, Gates B12 1-1 1-2 Textbooks Manna & Pnueli Springer Concurrent Programs Temporal Logic Specifications (Hardware/Software) Vol. I: “The Temporal Logic of Reactive and Mathematical Logic Concurrent Systems: Specification” Automata (CS156 / CS157) Verification Springer 1992 (CS256) Practical Vol II: “Temporal Verification of Reactive Systems: Tools − Pentium Bug − STeP Safety” − Ariane Bug − others: − expected government model checking: Theory Springer 1995 regulation for formal Mur , SMV, VIS, methods in SPIN, UPPAAL, − Model checking signalling systems KRONOS, ... − Deductive verification medical equipment deductive: − Specification methods Vol. III: “Temporal Verification of Reactive Systems: power plants ACL2, PVS, − Combining model checking highway control EVES, HOL, ... and deduction Progress” Chapters 1–3, on Manna’s web site. 1-3 Copies of lecture slides. Papers. 1-4

Textbook Overview Transformational Systems (Volume II) Observable only at the beginning and the end of their execution (“black box”) Chapter 0: Preliminary Concepts [Summary of volume I] input system output − → − → Chapter 1: Invariance: Proof Methods with no interaction with the environment. Chapter 2: Invariance: Applications • specified by Chapter 3: Precedence [Chapter 4: General Safety ] input-output relations ⇓ Chapter 5: Algorithmic Verification state formulas (assertions) First-Order Logic (“Model Checking”) Extra: • typically • ω -automata terminating sequential programs e.g., input x ≥ 0 → output z = √ x • branching time logic CTL; BDDs 1-5 1-6 Interaction with the environment Reactive Systems • specified by Observable throughout their execution (“black cactus”) their on-going behaviors (histories of interactions with their environment) ⇓ sequence formulas ↓ ↑ ↓ ↑ ↓ ↑ Temporal Logic system • Typically ↓ ↑ ↓ ↑ ↓ ↑ – Airline reservation systems environment – Operating systems | − → time – Process control programs – Communication networks 1-7 1-8

The Components Overview of the Verification Process • System Description Language SPL (Simple Programming Language) Pascal-like high-level language with constructs for – concurrency – nondeterminism – synchronous/asynchronous communication • Computational Model FTS (Fair Transition System) Compact first-order representation of all sequences of states that can be generated by a system 1-9 1-10 The Components (cont.) Reactive System Specification • Specification Language SPL Program P TL formula ψ TL (temporal logic) ↓ Fair Transition System (FTS) Φ ↓ models of a TL formula are infinite ↓ sequences of states Verification • Verification Techniques Proof Counterexample Com ( Φ ) ⊆ Mod ( ψ ) computation σ of Φ , i.e., all computations of Φ s.t. σ �∈ Mod ( ψ ) – algorithmic (model checking) are models of ψ search a state-graph for counterexample – deductive (theorem proving) prove first-order verification conditions 1-11 1-12

States • vocabulary V — set of typed variables (type defines the domain over which the values can range) – expression over V x + y – assertion over V x > y • state s — interpretation over V Chapter 0: Example: V = { x, y : integer } Preliminary Concepts s = { x : 2 , y : 3 } (also written as s [ x ] = 2 , s [ y ] = 3) x + y is 5 on s false on s x > y • Σ — set of all states 1-13 1-14 Fair Transition System (FTS) • T — finite set of transitions Φ = � V, Θ , T , J , C� For each τ ∈ T , τ : Σ → 2 Σ (represents a Reactive Program) ( τ is a function from states to sets of states) – s ′ is a τ -successor of s if s ′ ∈ τ ( s ) • V = { u 1 , . . . , u n } ⊆ V — vocabulary – τ is represented by the A finite set of system variables transition relation System variables = data variables + (“next-state” relation) ρ τ ( V, V ′ ) where control variables V – values of variables in the current • Θ — initial condition state V ′ – values of variables in the next state First-order assertion over V that characterizes all initial states Example: Example: ρ τ : x ′ = x + 1 means Θ : x = 5 ∧ 3 ≤ y ≤ 5 s ′ [ x ] = s [ x ] + 1 initial states: { x : 5 , y : 3 } – special idling (stuttering) transition τ I , { x : 5 , y : 4 } ρ τ I : V = V ′ { x : 5 , y : 5 } 1-15 1-16

Enabled/Disabled/Taken Transition • For each τ ∈ T , Example: τ is enabled on s if τ ( s ) � = ∅ τ � x : 5 , y : 3 � − → {� x : 5 , y : 4 � , � x : 5 , y : 5 �} τ is disabled on s if τ ( s ) = ∅ “When in state � x : 5 , y : 3 � τ may increment y by either 1 or 2 , and keep x unchanged.” • For an infinite sequence of states σ : s 0 , s 1 , s 2 , . . . , s k , s k +1 , . . . � x : 5 , y : 4 � and � x : 5 , y : 5 � are τ -successors of � x : 5 , y : 3 � . – τ ∈ T is enabled at position k of σ if τ is enabled on s k • J ⊆ T : set of just (weakly fair) – τ ∈ T is taken at position k of σ transitions if s k +1 is a τ -successor of s k • C ⊆ T : set of compassionate (strongly fair) transitions 1-17 1-18 Computation Example: ρ τ : x = 5 ∧ x ′ = x + 1 ∧ y ′ = y Infinite sequence of states σ : s 0 , s 1 , s 2 , . . . τ is enabled on all states s.t. s [ x ] = 5 and disabled on all other states is a computation of an FTS Φ ( Φ -computation), if it satisfies the following: s k +1 s k � �� � � �� � σ : . . . � x : 5 , y : 3 � , � x : 6 , y : 3 � . . . • Initiality: s 0 is an initial state (satisfies Θ ) τ is enabled at position k τ is taken at position k • Consecution: For each i = 0 , 1 , . . . , s i +1 ∈ τ ( s i ) for some τ ∈ T . 1-19 1-20

• Justice: For each τ ∈ J , it is not the case that τ is continually enabled beyond some position j in σ but not taken beyond j .  � x : 0 � − → � x : 1 � − → � x : 2 � − → � x : 2 � − → Example: σ :  � x : 3 � − → � x : 3 � − → � x : 3 � − →  V : { x : integer } � x : 4 � − → · · · Θ : x = 0 is a computation T : { τ I , τ inc } with ρ τ inc : x ′ = x + 1 J : { τ inc } Question: ρ τ inc : ( x = 0 ∨ x = 1) ∧ x ′ = x + 1 C : ∅ Is τ I τ I τ I � σ : � x : 0 � − → � x : 0 � − → � x : 0 � − → . . . � x : 0 � − → � x : 1 � − → � x : 2 � − → σ : � x : 2 � − → � x : 2 � − → · · · satisfies Initiality and Consecution, but a computation? not Justice. Therefore σ is not a computation. (In any computation of this system, x grows beyond any bound.) 1-21 1-22 • Compassion: For each τ ∈ C , it is not the case that τ is enabled at infinitely many FTS Φ = � V, Θ , T , J , C� positions in σ , but taken at only finitely many positions in σ . Run = Initiality + Consecution Example: Fairness = Justice + Compassion V : { x, y : integer } Θ : x = 0 ∧ y = 0 T : { τ I , τ x , τ y } with Computation = Run + Fairness ρ τ x : x ′ = x + 1 mod 2 ρ τ y : x = 1 ∧ y ′ = y + 1 J : { τ x } τ 1 τ 2 τ 3 Notation: s 0 → s 1 → s 2 → s 3 → . . . C : { τ y } y x τ x τ x τ x σ : � 0 � − → � 1 , 0 � − → � 0 , 0 � − → . . . Note : For every two consecutive states s i , s i +1 , there 0 , may be more than one transition that leads from s i to is not a computation: τ y is infinitely s i +1 . often enabled, but never taken. Therefore, several different transitions can be considered ( Note : If τ y had only been just, as taken at the same time. σ would have been a computation, since τ y is not continually enabled.) 1-23 1-24

Finite-State • For a computation σ of Φ σ : s 0 , s 1 , s 2 , . . . , s i , . . . , state s i is a Φ -accessible state. • Φ is finite-state if the set of Φ -accessible states is finite. Otherwise, it is infinite-state. – If the domain of all variables of Φ is finite, (e.g., booleans, subranges, etc.), then Φ is finite-state. – Even if the domain of some variables of Φ is infi- nite (e.g., integer), Φ may still be finite-state. Example: V : { x : integer } Θ : x = 1 T : { τ I , τ 1 , τ 2 } with ρ τ 1 : x = 1 ∧ x ′ = 2 ρ τ 2 : x = 2 ∧ x ′ = 1 J , C : ∅ has 2 accessible states: � x : 1 � and � x : 2 � 1-25