model checking of action based concurrent systems
play

Model Checking of Action-Based Concurrent Systems Radu Mateescu - PowerPoint PPT Presentation

Dec 22, 2023 •216 likes •1.7k views

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Action-based temporal logics Introduction Modal logics Branching-time logics Regular logics Fixed point logics VTSA'08

  1. ACTL logic (semantics – potentiality operators) ). Interpretation [[ ϕ ]] ⊆ Let M = ( S , A , T , s 0 S : [[ E [ ϕ 1 α U ϕ 2 ] ∈ | ∃ s(=s 0 ) → a 0 s 1 → a 1 s 2 → … . ]] = { s S ∃ k ≥ 0. ∀ 0 ≤ i < ∈ [[ ϕ 1 ]] ∧ ∈ [[ α ∨ τ ]]) ∧ k. ( s i a i ∈ [[ ϕ 2 s k ]] } α ∨ τ α ∨ τ α ∨ τ α ∨ τ α ∨ τ . . . ϕ 1 ϕ 2 ϕ 1 ϕ 1 ϕ 1 [[ E [ ϕ 1 α 1 ϕ 2 ] ∈ | ∀ s (=s 0 ) → a 0 s 1 → a 1 s 2 → … . U α 2 ]] = { s S ∃ k ≥ 0. ∀ 0 ≤ i < ∈ [[ ϕ 1 ]] ∧ ∈ [[ α 1 ∨ τ ]] ∧ k. ( s i a i ∈ [[ ϕ 1 ]] ∧ ∈ [[ α 2 ]] ∧ ∈ [[ ϕ 2 s k a k s k+1 ]] } α 1 ∨ τ α 1 ∨ τ α 2 α 1 ∨ τ α 1 ∨ τ α 1 ∨ τ . . . ϕ 2 ϕ 1 ϕ 1 ϕ 1 ϕ 1 ϕ 1 VTSA'08 - Max Planck Institute, Saarbrücken 25

  2. ACTL logic (semantics – inevitability operators) [[ A [ ϕ 1 α U ϕ 2 ] ]]: α ∨ τ α ∨ τ α ∨ τ α ∨ τ α ∨ τ . . . ϕ 1 ϕ 2 ϕ 1 ϕ 1 . . . ϕ 1 α ∨ τ α ∨ τ α ∨ τ α ∨ τ . . . ϕ 1 ϕ 2 ϕ 1 ϕ 1 [[ A [ ϕ 1 α 1 ϕ 2 ] U α 2 ]]: α 1 ∨ τ α 1 ∨ τ α 2 α 1 ∨ τ α 1 ∨ τ α 1 ∨ τ . . . ϕ 2 ϕ 1 ϕ 1 ϕ 1 ϕ 1 ϕ 1 α 1 ∨ τ α 1 ∨ τ α 2 α 1 ∨ τ α 1 ∨ τ . . . ϕ 2 ϕ 1 ϕ 1 ϕ 1 ϕ 1 VTSA'08 - Max Planck Institute, Saarbrücken 26

  3. Example (1/4) 〈 〉 Potential reachability: EF ¬ CS 0 tt REL1 REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 27

  4. Example (2/4) 〈 ∨ 〉 Inevitable reachability: AF ¬ CS 0 CS 1 tt (REL0 ∨ REL1) REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 28

  5. Example (3/4) 〈 ∨ 〉 Invariance: AG ¬ NCS 0 NCS 1 tt (NCS0 ∨ NCS1) REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 29

  6. Example (4/4) Trajectory: EG ¬ [ CS 0 ] ff CS0 REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 30

  7. Remark about inevitability Inevitable reachability : all sequences going out of a state lead to states where an action a is executable 〈 〉 AF tt a tt Inevitable execution : all sequences going out of a state contain the action a Inevitable execution ⇒ inevitable reachability but the converse does not hold: b a 〈 〉 s |= AF tt a tt s b Inevitable execution must be expressed using the inevitability operators of ACTL: s |= A [ tt tt U a tt ] VTSA'08 - Max Planck Institute, Saarbrücken 31

  8. Safety properties Informally, safety properties specify that “something bad never happens” during the execution of the system One way of expressing safety properties: forbid undesirable execution sequences – Mutual exclusion: CS 0 CS 1 ¬ 〈 CS 0 〉 〈 〉 EF ¬ REL0 CS 1 tt . . . = [ CS 0 ] AG ¬ REL0 [ CS 1 ] ff ¬ REL 0 In ACTL, forbidding a sequence is expressed by combining the [ α ] ϕ and AG α ϕ operators VTSA'08 - Max Planck Institute, Saarbrücken 32

  9. Liveness properties Informally liveness properties specify that “something good eventually happens” during the execution of the system One way of expressing liveness properties: require desirable execution sequences / trees – Potential release of the critical section: 〈 〉 〈 〉 〈 〉 NCS 0 EF tt REQ 0 EF tt REL 0 tt – Inevitable access to the critical section: A [ tt tt U CS0 tt ] In ACTL, the existence of a sequence is expressed by combining the 〈 α 〉 ϕ and EF α ϕ operators VTSA'08 - Max Planck Institute, Saarbrücken 33

  10. Branching-time logics (summary) The temporal operators of ACTL: strictly more powerful than the HML modalities 〈 α 〉 ϕ and [ α ] ϕ They allow to express branching-time properties on an unbounded depth in an LTS But: – They do not allow to express the unbounded repetition of a subsequence Example: the property “from a state s , there exists a sequence a . b . a . b ... a . b leading to a state s ’ where an action c is executable” cannot be expressed in ACTL VTSA'08 - Max Planck Institute, Saarbrücken 34

  11. Regular logics They allow to reason about the regular execution sequences of an LTS Basic operators: – Regular formulas two states are linked by a sequence whose concatenated actions form a word of a regular language – Modalities on sequences from a state, some (all) outgoing regular transition sequences lead to certain states Propositional Dynamic Logic (PDL) [Fischer-Ladner-79] VTSA'08 - Max Planck Institute, Saarbrücken 35

  12. Regular formulas (syntax) β α ::= one-step sequence | nil empty sequence β 1 . β 2 | concatenation β 1 | β 2 | choice β 1 | * iteration ( ≥ 0 times) β 1 | + iteration ( ≥ 1 times) Some identities: β + = β . β * nil = ff * VTSA'08 - Max Planck Institute, Saarbrücken 36

  13. Regular formulas (semantics) ). Interpretation [[ β ]] ⊆ × Let M = ( S , A , T , s 0 S S : [[ α ]] = { ( s , s ’) | ∃ a ∈ [[ α ]] . ( s , a , s ’) ∈ T } ∈ [[ nil ]] = { ( s , s ) | s S } (identity) [[ β 1 . β 2 ]] = [[ β 1 [[ β 2 ]] о ]] (composition) [[ β 1 | β 2 ]] = [[ β 1 ]] ∪ [[ β 2 ]] (union) [[ β 1 * ]] = [[ β 1 ]] * (transitive refl. closure) [[ β 1 + ]] + ]] = [[ β 1 (transitive closure) VTSA'08 - Max Planck Institute, Saarbrücken 37

  14. Example (1/3) One-step sequences: NCS 0 ∨ CS 0 REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 38

  15. Example (2/3) Alternative sequences: (REQ 0 . CS 0 ) | (REQ 1 . CS 1 ) REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 39

  16. Example (3/3) . ( ¬ NCS 1 Sequences with repetition: NCS 0 )* . CS 0 REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 40

  17. PDL logic (syntax) ϕ ::= tt | ff boolean constants ϕ 1 ∨ ϕ 2 | disjunction ϕ 1 ∧ ϕ 2 | conjunction ¬ϕ 1 | negation β 〈 〉 ϕ 1 | possibility β [ ] ϕ 1 | necessity β ] ϕ = ¬ 〈 β [ 〉 ¬ϕ Duality: VTSA'08 - Max Planck Institute, Saarbrücken 41

  18. PDL logic (semantics) ). Interpretation [[ ϕ ]] ⊆ Let M = ( S , A , T , s 0 S : [[ tt ]] = S [[ ff ]] = ∅ [[ ϕ 1 ∨ ϕ 2 ]] = [[ ϕ 1 ]] ∪ [[ ϕ 2 ]] [[ ϕ 1 ∧ ϕ 2 ]] = [[ ϕ 1 ]] ∩ [[ ϕ 2 ]] [[ ¬ϕ 1 ]] = S \ [[ ϕ 1 ]] [[ 〈 β 〉 ϕ 1 ∈ | ∃ ∈ ]] = { s S s ’ S . ( s , s’ ) ∈ [[ β ]] ∧ ∈ [[ ϕ 1 s’ ]] } [[ [ β ] ϕ 1 ∈ | ∀ ∈ ]] = { s S s ’ S . ( s , s’ ) ∈ [[ β ]] ⇒ ∈ [[ ϕ 1 s’ ]] } VTSA'08 - Max Planck Institute, Saarbrücken 42

  19. Example (1/2) of critical section: 〈 〉 Potential reachability NCS 0 . tt * . CS 0 tt REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 43

  20. Example (2/2) . ( ¬ REL 0 Mutual exclusion: [ CS 0 )* . CS 1 ] ff REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 44

  21. Some identities of regular operators over 〈 〉 and [ ]: Distributivity 〈 β 1 . β 2 〉 ϕ = 〈 β 1 〉 〈 β 2 〉 ϕ – 〈 β 1 | β 2 〉 ϕ = 〈 β 1 〉 ϕ ∨ 〈 β 2 〉 ϕ – 〈 β * 〉 ϕ = ϕ ∨ 〈 β 〉 〈 β * 〉 ϕ – [ β 1 . β 2 ] ϕ = [ β 1 ] [ β 2 ] ϕ – [ β 1 | β 2 ] ϕ = [ β 1 ] ϕ ∧ [ β 2 ] ϕ – [ β * ] ϕ = ϕ ∧ [ β ] [ β * ] ϕ – Potentiality and invariance operators of ACTL: ϕ = 〈 α * 〉 ϕ – EF α ϕ = [ α * ] ϕ – AG α VTSA'08 - Max Planck Institute, Saarbrücken 45

  22. Fairness properties Problem: from the initial state of the LTS, there is ⇒ process P 1 no inevitable execution of action CS 0 can enter its critical section indefinitely often b s |= A [ tt tt U a tt ] b b b a s Fair execution of an action a : from a state, all transition sequences that do not cycle indefinitely contain action a Action-based counterpart of the fair reachability of predicates [Queille-Sifakis-82] VTSA'08 - Max Planck Institute, Saarbrücken 46

  23. Fair execution Fair execution of an action a expressed in PDL: fair ( a ) = [ ( ¬ a )* ] 〈 〉 tt*. a tt b b b b a Equivalent formulation in ACTL: 〈 〉 fair ( a ) = AG ¬ a EF tt a tt VTSA'08 - Max Planck Institute, Saarbrücken 47

  24. Example Fair execution of critical section: [ ( ¬ CS 0 )* ] 〈 〉 tt*. CS 0 tt REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 48

  25. Regular logics (summary) They allow a direct and natural description of regular execution sequences in LTSs More intuitive description of safety properties: – Mutual exclusion: [ CS 0 ] AG ¬ REL0 [ CS 1 ] ff = (in ACTL) . ( ¬ REL 0 [ CS 0 )* . CS 1 ] ff (in PDL) But: – Not sufficiently powerful to express inevitability operators (expressiveness uncomparable with branching-time logics) VTSA'08 - Max Planck Institute, Saarbrücken 49

  26. Fixed point logics Very expressive logics (“temporal logic assembly languages”) allowing to characterize finite or infinite tree-like patterns in LTSs Basic temporal operators: ( μ ) – Minimal fixed point “recursive function” defined over the LTS: finite execution trees going out of a state ( ν ) – Maximal fixed point dual of the minimal fixed point operator: infinite execution trees going out of a state Modal mu-calculus [Kozen-83,Stirling-01] VTSA'08 - Max Planck Institute, Saarbrücken 50

  27. Modal mu-calculus (syntax) ϕ ::= tt | ff boolean constants ϕ 1 ∨ ϕ 2 | ¬ϕ 1 | connectors 〈 α 〉 ϕ 1 | possibility [ α ] ϕ 1 | necessity | X propositional variable μ X . ϕ 1 | minimal fixed point ν X . ϕ 1 | maximal fixed point ν X . ϕ = ¬ μ X . ¬ ϕ [ ¬ Duality: X / X ] VTSA'08 - Max Planck Institute, Saarbrücken 51

  28. Syntactic restrictions Syntactic monotonicity [Kozen-83] – Necessary to ensure the existence of fixed points In every formula σ X . ϕ ( X ), where σ ∈ { μ , ν – }, every free in ϕ occurrence of X falls in the scope of an even number of negations μ X . 〈 〉 ∨ ¬ 〈 b 〉 a X X Alternation depth 1 [Emerson-Lei-86] – Necessary for efficient (linear-time) verification In every formula μ X . ϕ – ( X ), every maximal subformula ν Y . ϕ ’ ( Y ) of ϕ is closed μ X . 〈 〉 ν Y ∧ a . ([ b ] Y [ c ] X ) VASY 52 VTSA'08 - Max Planck Institute, Saarbrücken 52

  29. Modal mu-calculus (semantics) ) and ρ → Let M = ( S , A , T , s 0 : X 2 S a context mapping propositional variables to state sets. Interpretation [[ ϕ ]] ⊆ S : ]] ρ = ρ [[ X ( X ) = ∪ k ≥ 0 [[ μ X . ϕ ]] ρ Φ ρ k ( ∅ ) = ∩ k ≥ 0 [[ ν X . ϕ ]] ρ Φ ρ k ( S ) Φ ρ → where : 2 S 2 S , ( U ) = [[ ϕ Φ ρ ]] ρ [ U / X ] VTSA'08 - Max Planck Institute, Saarbrücken 53

  30. Minimal fixed point Potential reachability of an action a (existence of a sequence leading to a transition labeled by a ): μ X . 〈 〉 ∨ 〈 tt 〉 a tt X Associated functional: Φ ( U ) = [[ 〈 〉 ∨ 〈 tt 〉 a tt X ]] [ U / X ] Evaluation on an LTS: b b b a c Φ ( ∅ ) Φ 2 ( ∅ ) Φ 3 ( ∅ ) Φ 4 ( ∅ ) VTSA'08 - Max Planck Institute, Saarbrücken 54

  31. Example . 〈 〉 ∨ 〈 ¬ (REL 1 ∨ ) 〉 Potential reachability: µ X CS 0 tt REL 0 X REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 55

  32. Maximal fixed point Infinite repetition of an action a (existence of a cycle containing only transitions labeled by a ): ν X . 〈 〉 a X Associated functional: Φ ( U ) = [[ 〈 〉 a X ]] [ U / X ] Evaluation on an LTS: a b b a a Φ 2 a ( S ) Φ ( S ) VTSA'08 - Max Planck Institute, Saarbrücken 56

  33. Example Infinite repetition: ν X . 〈 ∨ ∨ ∨ 〉 NCS 1 REQ 1 CS 1 REL 1 X REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 57

  34. Exercise . 〈 〉 ∨ ([ NCS 0 ] ff ∧ 〈 tt 〉 Evaluate the formula: µ X CS 0 tt X ) REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 58

  35. Some identities Description of (some) ACTL operators: E [ ϕ 1 α 1 ϕ 2 ] = μ X . ϕ 1 ∧ ( 〈 α 2 〉 ϕ 2 ∨ 〈 α 1 〉 – U α 2 X ) A [ ϕ 1 α 1 ϕ 2 ] = μ X . ϕ 1 ∧ 〈 tt 〉 ∧ [ ¬ ( α 1 ∨ α 2 – U α 2 tt ) ] ff ∧ [ ¬α 1 ∧ α 2 ] ϕ 2 ∧ [ ¬α 2 ∧ [ α 1 ∧ α 2 ] ( ϕ 2 ∨ ] X X ) ϕ = μ X . ϕ ∨ 〈 α 〉 X – EF α ϕ = μ X . ϕ ∨ ( 〈 〉 ∧ [ ¬α ] ff ∧ [ α – AF α tt tt ] X ) Description of the PDL operators: 〈 β * 〉 ϕ = μ X . ϕ ∨ 〈 β 〉 X – [ β * ] ϕ = ν X . ϕ ∧ [ β ] X – VTSA'08 - Max Planck Institute, Saarbrücken 59

  36. Inevitable reachability Inevitable reachability of an action a : 〈 〉 access ( a ) = AF tt a tt = μ X . 〈 〉 ∨ ( 〈 〉 ∧ a tt tt tt [ tt ] X ) Associated functional: Φ ( U ) = [[ 〈 〉 ∨ ( 〈 〉 ∧ a tt tt tt [ tt ] X ) ]] [ U / X ] Evaluation on an LTS: b c b b a Φ ( ∅ ) Φ 2 ( ∅ ) a VTSA'08 - Max Planck Institute, Saarbrücken 60

  37. Inevitable execution Inevitable execution of an action a : ( a ) = μ X . 〈 〉 ∧ [ ¬ a inev tt tt ] X Associated functional: Φ ( U ) = [[ 〈 〉 ∧ [ ¬ a tt tt ] X ]] [ U / X ] Evaluation on an LTS: b c b b a Φ ( ∅ ) a VTSA'08 - Max Planck Institute, Saarbrücken 61

  38. Example . 〈 〉 ∧ [ ¬ CS 0 Inevitable execution: µ X tt tt ] X REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 62

  39. Fair execution Fair execution of an action a : fair ( a ) = [ ( ¬ a )* ] 〈 〉 tt*. a tt = ν X . 〈 〉 ∧ [ ¬ a ] X tt*. a tt Associated functional: Φ ( U ) = [[ 〈 〉 ∧ [ ¬ a ] X ]] [ U tt*. a tt / X ] Evaluation on an LTS: b b b b a Φ ( S ) a VTSA'08 - Max Planck Institute, Saarbrücken 63

  40. Example Fair execution: [ ( ¬ CS 0 )* ] 〈 〉 tt*. CS 0 tt REL0 REL1 NCS1 NCS0 CS0 CS1 NCS1 NCS0 CS0 REQ0 REQ1 CS1 NCS1 NCS0 REQ0 REQ1 NCS0 NCS1 REL0 REL1 VTSA'08 - Max Planck Institute, Saarbrücken 64

  41. Fixed point logics (summary) They allow to encode virtually all TL proposed in the literature Expressive power obtained by nesting the fixed point operators: 〈 〉 ( a . b *)* . c tt = μ X . 〈 〉 ∨ 〈 a 〉 μ Y ∨ 〈 b 〉 c tt . ( X Y ) Alternation depth of a formula: degree of mutual recursion between μ and ν fixed points Example of alternation depth 2 formula: ν X . 〈 〉 = ν X . μ Y . 〈 〉 ∨ 〈 a 〉 a *. b X b X Y VTSA'08 - Max Planck Institute, Saarbrücken 65

  42. Some verification tools (for action-based logics) CWB (Edinburgh) and Concurrency Factory (State University of New York) Modal μ -calculus (fixed point operators) – JACK (University of Pisa, Italy) μ -ACTL (modal μ -calculus combined with ACTL) – CADP / Evaluator 3.x (INRIA Rhône-Alpes / VASY) Regular alternation-free μ -calculus (PDL modalities and – fixed point operators) VTSA'08 - Max Planck Institute, Saarbrücken 66

  43. Extensions of µ-calculus with data Temporal logics (ACTL, PDL, ...) and µ-calculi – No data manipulation (basic LOTOS, pure CCS, ...) – Too low-level operators (complex formulas) � Extended temporal logics are needed in practice Several μ -calculus extensions with data: – For polyadic pi-calculus [Dam-94] – For symbolic transition systems [Rathke-Hennessy-96] For μ CRL [Groote-Mateescu-99] – – For full LOTOS [Mateescu-Thivolle-08] VASY 67 VTSA'08 - Max Planck Institute, Saarbrücken 67

  44. Why to handle data? Some properties are cumbersome to express without data (e.g., action counting): b b b a 〈 〉 〈 b 〉 〈 b 〉 〈 a 〉 〈 〉 b tt or b {3} . a tt ? LTSs produced from value-passing process algebraic languages (full CCS, LOTOS, ...) contain values on transition labels RECV 1 ACK 1 RECV 2 ACK 2 value extraction and propagation VTSA'08 - Max Planck Institute, Saarbrücken 68

  45. M odel C hecking L anguage Based on EVALUATOR 3.5 input language standard µ-calculus • • regular operators Data-handling mechanisms data extraction from LTS labels • regular operators with counters • variable declaration • • parameterized fixed point operators expressions • Constructs inspired from programming languages VTSA'08 - Max Planck Institute, Saarbrücken 69

  46. Parameterized modalities SEND 1 RECV 1 Possibility: < {SEND ?msg:Nat} > < {RECV !msg} > true value extraction and propagation Necessity: RECV 5 [ {RECV ?msg:Nat} ] (msg < 6) value extraction and propagation VTSA'08 - Max Planck Institute, Saarbrücken 70

  47. Parameterized fixed points (basic) syntax: mu X (y:T := E) . P parameter initial value formula body – P contains « calls » X (E’) – Allows to perform computations and store intermediate results while exploring the PLTS VTSA'08 - Max Planck Institute, Saarbrücken 71

  48. Example Counting of actions (e.g., clock ticks): LEVEL 11 ALARM . . . ALARM . . . max. 15 transitions before the alarm [ {LEVEL ?l:Nat where l > 10} ] nu X (c:Nat := 15) . [ not ALARM ] (c > 0 and X (c - 1)) VTSA'08 - Max Planck Institute, Saarbrücken 72

  49. Quantifiers Existential quantifier: exists x:T among { E 1 ... E 2 } . P limits of the subdomain of T Universal quantifier: forall x:T among { E 1 ... E 2 } . P � shorthands for large disjunctions and conjunctions VTSA'08 - Max Planck Institute, Saarbrücken 73

  50. Example Broadcast of messages: i SEND 1 . . . SEND 2 . . . . . . SEND 10 . . . forall msg:Nat among { 1 ... 10 } . mu X . (< {SEND !msg} > true or < true > X) VTSA'08 - Max Planck Institute, Saarbrücken 74

  51. Counting operators (regular formulas) R { E } repetition E times R { E 1 ... } repetition at least E 1 times R { E 1 ... E 2 } repetition between E 1 and E 2 times Some identities: nil = false * R + = R . R* R * = R { 0 ... } R ? = R { 0 ... 1 } R + = R { 1 ... } R { E } = R { E ... E } VTSA'08 - Max Planck Institute, Saarbrücken 75

  52. Example (action counting revisited) LEVEL 11 ALARM . . . ALARM . . . max. 15 transitions before the alarm Formulation using counting operators: [ {LEVEL ?l:Nat where l > 10} . (not ALARM) { 16 } ] false VTSA'08 - Max Planck Institute, Saarbrücken 76

  53. Example (safety of a n-place buffer) Formulation using extended regular operators: [ true* . ((not OUTPUT)* . INPUT) { n + 1 } ] false INPUT i INPUT i INPUT . . . . . . n+1 INPUTs without OUTPUTs Formulation using parameterized fixed points: nu X . (nu Y (c:Nat:=0) . ( [not OUTPUT] Y (c) and if c = n+1 then [INPUT] false else [INPUT] Y (c+1) end if) and [ true ] X) VTSA'08 - Max Planck Institute, Saarbrücken 77

  54. Looping operator (from PDL-delta) Δ R operator added to PDL to specify infinite behaviours [Streett-82] R+ R* MCL syntax: < R > @ . . . . . . cycle containing one or more repetitions of R Examples: – process overtaking [ REQ 0 ] < (not GET 0 )* . REQ 1 . (not GET 0 )* . GET 1 > @ – Büchi acceptance condition < true* . if P accepting then true end if > @ � allows to encode LTL model checking VTSA'08 - Max Planck Institute, Saarbrücken 78

  55. Expressiveness (summary) PDL- Δ Δ Lµ 2 HML Lµ 1 ACTL PDL CTL* ⊆ PDL- Δ ⊆ MCL MCL [Wolper-82] VTSA'08 - Max Planck Institute, Saarbrücken 79

  56. Adequacy with equivalence relations A temporal logic L is adequate with an equivalence relation ≈ iff for all LTSs M 1 and M 2 ≈ ∀ϕ ∈ |= ϕ ⇔ |= ϕ ) M 1 M 2 iff L . ( M 1 M 2 HML: – Adequate with strong bisimulation – HMLU (HML with Until): weak bisimulation ACTL-X (fragment presented here): – Adequate with branching bisimulation PDL and modal mu-calculus: 〈〈 〉〉 ϕ = 〈 τ * 〉 ϕ – Adequate with strong bisimulation 〈〈 〉〉 ϕ = 〈 τ *. a . τ * 〉 ϕ a – Weak mu-calculus: weak bisimulation VTSA'08 - Max Planck Institute, Saarbrücken 80

  57. On-the-fly verification Principles Alternation-free boolean equation systems Local resolution algorithms Applications: – Equivalence checking – Model checking – Tau-confluence reduction Implementation and use VTSA'08 - Max Planck Institute, Saarbrücken 81

  58. Principle of explicit-state verification desired program properties compiler model verification (state space) tool Language Model true / false technology technology + diagnostic VTSA'08 - Max Planck Institute, Saarbrücken 82

  59. On-the-fly verification Incremental construction of the state space – Way of fighting against state explosion – Detection of errors in complex systems “Traditional” methods: – Equivalence checking – Model checking Solution adopted: – Translation of the verification problem into the resolution of a boolean equation system (BES) – Generation of diagnostics (fragments of the state space) explaining the result of verification VTSA'08 - Max Planck Institute, Saarbrücken 83

  60. Boolean equation systems (syntax) A BES is a tuple B = ( x , M 1 , …, M n ), where ∈ x X : main boolean variable = σ i M i = { x j op j X j } j ∈ [1, mi] : equation blocks σ i ∈ { μ , ν – } : fixed point sign of block i ∈ { ∨ , ∧ – op j } : operator of equation j ⊆ – X j X : variables in the right-hand side of equation j F = ∨∅ (empty disjunction), T = ∧∅ – (empty conjunction) ∈ – x j depends upon x k iff x k X j – M i depends upon M l iff a x j of M i depends upon a x k of M l – Closed block: does not depend upon other blocks Alternation-free BES: M i depends upon M i+1 … M n VTSA'08 - Max Planck Institute, Saarbrücken 84

  61. Example ∨ ∧ x 1 = μ x 2 x 3 x 7 = ν x 8 x 9 ∨ x 2 = μ x 3 x 4 x 8 = ν T ∧ x 3 = μ x 2 x 7 x 9 = ν F M 3 M 1 ∨ x 4 = μ x 5 x 6 ∨ x 5 = μ x 8 x 9 x 6 = μ F M 2 VTSA'08 - Max Planck Institute, Saarbrücken 85

  62. Particular blocks Acyclic block: – No cyclic dependencies between variables of the block = ∨ = ∧ ) Var. x i disjunctive (conjunctive): op i ( op i Disjunctive block: – contains disjunctive variables – and conjunctive variables � with a single non constant successor in the block (the last one in the right-hand side of the equation) � all other successors are constants or free variables (defined in other blocks) Conjunctive block: dual definition VTSA'08 - Max Planck Institute, Saarbrücken 86

  63. Boolean equation systems (semantics) Context: partial function δ : X � Bool Semantics of a boolean formula: } ]] δ ( δ ), …, δ – [[ op { x 1 , …, x p = op ( x 1 ( x p )) Semantics of a block: = σ ]] δ = σΦ δ – [[ { x j op j X j } j ∈ [1, m] : Bool m � Bool m Φ δ – Φ δ ]] ( δ ⊕ [b 1 – (b 1 , …, b m ) = ([[ op j X j /x 1 , …, b m /x m ])) j ∈ [1, m] Semantics of a BES: ) ]] = δ 1 – [[ ( x , M 1 , …, M n ( x ) δ n – = [[ M n ]] [] ( M n closed) δ i ]] δ i+1 ) ⊕ δ i+1 – = ([[ M i ( M i depends upon M i+1 … M n ) VTSA'08 - Max Planck Institute, Saarbrücken 87

  64. Local resolution Alternation-free BES B = ( x , M 1 , …, M n ) Primitive: compute a variable of a block – A resolution routine R i associated to M i – R i ( x j ) computes the value of x j in M i – Evaluation of the rhs of equations + substitution – Call stack R 1 ( x ) � … � R n ( x k ) bounded by the depth of the dependency graph between blocks – “Coroutine-like” style: each R i must keep its context Advantages: – Simple resolution routines (a single type of fixed point) – Easy to optimize for particular kinds of blocks VTSA'08 - Max Planck Institute, Saarbrücken 88

  65. Example ∨ ∧ x 1 = μ x 2 x 3 x 7 = ν x 8 x 9 ∨ x 2 = μ x 3 x 4 x 8 = ν T ∧ x 3 = μ x 2 x 7 x 9 = ν F M 3 M 1 ∨ x 4 = μ x 5 x 6 ∨ x 5 = μ x 8 x 9 x 6 = μ F M 2 VTSA'08 - Max Planck Institute, Saarbrücken 89

  66. Local resolution algorithms Representation of blocks as boolean graphs [Andersen-94] To a block M = { x j = μ op j X j } j in [1, m] we associate the = ( V , E , L, μ ), where: boolean graph G – V = { x 1 , …, x m }: set of vertices (variables) ∈ – E = { ( x i , x j ) | x j X i }: set of edges (dependencies) : V � { ∨ , ∧ }, L ( x j ) = op j : vertex labeling – L Principle of the algorithms: ∈ – Forward exploration of G starting at x V – Backward propagation of stable (computed) variables – Termination: x is stable or G is completely explored VTSA'08 - Max Planck Institute, Saarbrücken 90

  67. Example BES ( μ -block) boolean graph ∨ x 1 = μ x 2 x 3 1 x 2 = μ F ∨ x 3 = μ x 4 x 5 2 3 x 4 = μ T x 5 = μ x 1 5 4 : ∨ -variables : ∧ -variables VTSA'08 - Max Planck Institute, Saarbrücken 91

  68. Three effectiveness criteria [Mateescu-06] For each resolution routine R : A. The worst-case complexity of a call R ( x ) must be O (| V |+| E |) � linear-time complexity for the overall BES resolution B. While executing R ( x ), every variable explored must be « linked » to x via unstable variables � graph exploration limited to “useful” variables C. After termination of R ( x ), all variables explored must be stable � keep resolution results between subsequent calls of R VTSA'08 - Max Planck Institute, Saarbrücken 92

  69. Algorithm A0 (general) DFS of the boolean graph Satisfies A, B, C 1 Memory complexity O (| V |+| E |) Optimized version of 2 5 [Andersen-94] Developed for model checking regular 3 4 alternation-free μ -calculus [Mateescu-Sighireanu-00,03] VTSA'08 - Max Planck Institute, Saarbrücken 93

  70. Algorithm A1 (general) BFS of the boolean graph 1 Satisfies A, C (risk of computing useless variables) 2 3 Slightly slower than A0 Memory complexity O (| V |+| E |) 4 5 6 7 Low-depth diagnostics 8 9 10 VTSA'08 - Max Planck Institute, Saarbrücken 94

  71. Algorithm A2 (acyclic) DFS of the boolean graph Back-propagation of stable 1 variables on the DFS stack only Satisfies A, B, C 2 4 Avoids storing edges Memory complexity 3 5 6 O (| V |) Developed for trace-based verification [Mateescu-02] VTSA'08 - Max Planck Institute, Saarbrücken 95

  72. Algorithm A3 / A4 (disjunctive / conjunctive) DFS of the boolean graph Detection and 1 stabilization of SCCs Satisfies A, B, C 2 4 Avoids storing edges Memory complexity O (| V |) 3 5 6 Developed for model checking CTL, ACTL, SCC of false SCC of true variables variables and PDL VTSA'08 - Max Planck Institute, Saarbrücken 96

  73. Resolution algorithms (summary) A0 (DFS, general) – Satisfies A, B, C – Memory complexity O (| V |+| E |) A1 (BFS, general) – Satisfies A, C + « small » diagnostics – Memory complexity O (| V |+| E |) Time A2 (DFS, acyclic) complexity – Satisfies A, B, C O (| V |+| E |) – Memory complexity O (| V |) A3/A4 (DFS, disjunctive/conjunctive) – Satisfies A, B, C – Memory complexity O (| V |) VTSA'08 - Max Planck Institute, Saarbrücken 97

  74. Caesar_Solve library of CADP [Mateescu-03,06] (successor function) (successor function) implicit graph implicit graph diagnostic BES CAESAR_SOLVE (boolean (boolean library graph) A4 & (A0 – diagnostic) subgraph) variable value 15 000 lines of C OPEN/CAESAR Integrated into libraries CADP in Dec. 2004 Diagnostic generation features [Mateescu-00] Used as verification back-end for Bisimulator, Evaluator 3.5 and 4.0, Reductor 5.0 VTSA'08 - Max Planck Institute, Saarbrücken 98

  75. Equivalence checking (principle) description description of system of service compiler compiler LTS LTS equivalence checker 1 2 true / false + diagnostic VTSA'08 - Max Planck Institute, Saarbrücken 99

  76. Strong equivalence M 1 = ( Q 1 , A , T 1 , q 01 ), M 2 = ( Q 2 , A , T 2 , q 02 ) ≈ ⊆ Q 1 × ≈ Q 2 is the maximal relation s.t. p q iff ∀ a ∈ A . ∀ p → a p ’ ∈ T 1 . ∃ q → a q ’ ∈ T 2 ≈ . p ’ q ’ and ∀ a ∈ A . ∀ q → a q ’ ∈ T 2 . ∃ p → a p ’ ∈ T 1 ≈ . p ’ q ’ ≈ ≈ M 1 M 2 iff q 01 q 02 VTSA'08 - Max Planck Institute, Saarbrücken 100

Recommend

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY

Model Checking of Action-Based Concurrent Systems Radu Mateescu INRIA Rhne-Alpes / VASY http://www.inrialpes.fr/vasy Why formal verification? Therac-25 radiotherapy Ariane-5 launch Mars climate orbiter accidents (1985-1987) failure

1.16k views • 115 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara

Model Checking Concurrent Systems with Unboundedly Many Processes Using Data Logics Ahmet Kara MOVEP 2012, Marseille Interaction of Unboundedly Many Processes n m o 1 2 3 p 4 Ahmet Kara Model Checking Concurrent Systems with

852 views • 59 slides
Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course

Week-1: Introduction to model checking B. Srivathsan Chennai Mathematical Institute NPTEL-course July - November 2015 1 / 30 Module 4: Modeling concurrent systems 2 / 30 Concurrent systems Independent Shared variables Shared actions 3 / 30

844 views • 67 slides
Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com

Introduction Transactions Dynamic Experiments Conclusion Dynamic Reductions for Model Checking Concurrent Software Alfons Laarman alfons@laarman.com Henning G unther , Ana Sokolova and Georg Weissenbacher Formal Methods in Systems

905 views • 51 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

637 views • 11 slides
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr anek Masaryk University Czech Republic SFM 2013 1/150 Outline Introduction 1 LTL Model Checking 2 Parallel LTL Model Checking 3 Discrete

2.18k views • 199 slides
Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems Informationsteknologi System Description A No! Debugging Information TOOL TOOL Yes, Requirement F Prototypes C T L Executable Code Test sequences Tools:

637 views • 34 slides
Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de

Framework for Model Checking Concurrent Programs in Maude Gorka Surez-Garca Departamento de Sistemas Informticos y Computacin Universidad Complutense de Madrid gorka.suarez@ucm.es Table of Contents 1. Introduction 2. The Maude

512 views • 22 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled? How are concurrent systems analyzed? What tools are available for modeling and

1.13k views • 85 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model

Directed Model Checking (not only) for Timed Automata Sebastian Kupferschmid March, 2010 Model Checking Motivation Embedded Systems Omnipresent Safety relevant systems Pentium bug Ariane 5 Errors can be extremely harmful Correct

837 views • 67 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science

Automatic Verification of Finite State Concurrent Systems Edmund M. Clarke, Jr. Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213 1 Temporal Logic Model Checking Specification Language: A propositional temporal

710 views • 41 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides
Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1

Modeling and Analyzing Concurrent Systems Robert B. France 1 Overview Why model and analyze concurrent systems? How are concurrent systems modeled?

1.39k views • 83 slides
Tractable Refinement Checking for Concurrent Objects Constantin Enea LIAFA, CNRS &amp;

Tractable Refinement Checking for Concurrent Objects Constantin Enea LIAFA, CNRS &amp;

Tractable Refinement Checking for Concurrent Objects Constantin Enea LIAFA, CNRS &amp; University Paris Diderot - Paris 7 joint work with Ahmed Bouajjani, Michael Emmi, Jad Hamza Concurrent objects Concurrent Object call (push, pop, )

442 views • 25 slides
Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on

Formal Verification by Model Checking Jonathan Aldrich Carnegie Mellon University Based on slides developed by Natasha Sharygina 17-654/17-754: Analysis of Software Artifacts Spring 2006 1 CTL Model Checking AG (Start AF Heat)

307 views • 20 slides
Statistical Model Checking for Biological Systems Paolo Zuliani Department of Computer Science

Statistical Model Checking for Biological Systems Paolo Zuliani Department of Computer Science

Statistical Model Checking for Biological Systems Paolo Zuliani Department of Computer Science Carnegie Mellon University Joint work with Edmund Clarke, James Faeder, Haijun Gong, Qinsi Wang Verification of Rule-based Models Temporal

462 views • 33 slides
Bounded Model Checking for Finite-State Systems Copenhagen, 2 March 2010 Quantitative Model

Bounded Model Checking for Finite-State Systems Copenhagen, 2 March 2010 Quantitative Model

Bounded Model Checking for Finite-State Systems Copenhagen, 2 March 2010 Quantitative Model Checking PhD School Keijo Heljanko Aalto University Keijo.Heljanko@tkk.fi Bounded Model Checking Tutorial, Part II, Keijo Heljanko 1/49 Co-Author

588 views • 55 slides

More recommend