Formal Verification and Linear-time Model Checking

Formal Verification

and Linear-time Model Checking

Paul Jackson

University of Edinburgh

Automated Reasoning 21st and 24th October 2013

Why Automated Reasoning?

I Intellectually stimulating and challenging area

I AI

I Building autonomous agents that can reason and interact with each other

I Formal mathematics & assisting with mathematical reasoning

I Formal verification

Formal Verification

I Create a formal model of some system of interest

I Hardware

I Communication protocol

I Software, esp. concurrent software

I Describe formally a specification which we desire the model to satisfy

I Check the model satisfies the specification

I Interactive theorem proving

I Model checking

Formal Verification Examples

I Floating Point Hardware Verification

I FDIV bug. Cost Intel $500M.

I Now cost would be several $B.

I Concurrent Software Verification

I Microsoft’s Static Driver Verifier

Model Checking Introduction - Models

I A model of some system has

I A set ofstates

I A subset of states consider theinitial states

I Atransition relationwhich, given a current state, describes which next states a system

I Good for

I Software, both sequential and concurrent

I Digital hardware

I Communication protocols

I Refinements handle state with continuous components and continuous rather than step-wise state evolution.

I Good for hybrid and control systems

Model Checking Introduction - Specifications

I Interested in specifying behaviours of systems over time

I Elementary parts of specifications refer to properties of individual states

I Temporal specifications then relate properties at different times

I At all times, the read and write signals are never simultaneously asserted

I If a request signal is asserted at some time, a corresponding grant signal will be asserted within 10 time units.

I Two common treatments of time

I Linear

I Branching

Differ in how they incorporate reasoning about non-determinism

Non-determinism

In general system descriptions are non-deterministic

I A system is non-deterministic when, from some state there are multiple alternative next states the system could transition to.

I Non-determinism good for

I Modelling alternate inputs to the system from its environment (External non-determinism)

I Allowing model to be under-specified, allowing it to capture many possible system implementations. (Internal

non-determinism)

Linear vs. Branching Time

I Linear Time

I Considers paths (sequences of states)

I If system non-deterministic, many paths for each initial state

I Questions of form

I For all paths, does some path property hold?

I Does there exist a path such that some path property holds?

I Branching Time

I Considers tree of possible future states from each initial state

I If system non-deterministic at some state, tree forks

I Questions more complex. E.g.

I For all states reachable from an initial state, does there exist an onwards path to a state satisfying some property?

I Most-basic branching-time logic (CTL) is complementary to most-basic linear-time logic (LTL)

I Richer branching-time logic (CTL*) incorporates both CTL and LTL.

LTL Syntax

I LTL = Linear Temporal Logic

I Assume some set Atom of atomic propositions

I Syntax of LTL formulas φ:

φ ::= p | ¬φ | φ ∧ φ | φ ∨ φ | φ ⇒ φ | X φ | F φ | G φ | φ U φ where p ∈ Atom

I Temporal operators are

X NeXt

G Globally 

F Future ♦

U Until

I Other common temporal operators are W (Weak until) and R (Release)

I Precedence high-to-low: (X , F , G , ¬), ( U , R ), (∧, ∨), ⇒

LTL Semantics 1: Transition Systems and Paths

Definition (Transition System)

Atransition system M = hS, →, Li consists of

S set of states

→⊆ S × S transition relation L : S → P(Atom) labelling function such that ∀s. ∃t. s → t.

Definition (Path)

Apathin a model M = hS , →, Li is an infinite sequence of states s₀, s₁, . . . such that ∀i ≥ 0. s_i → s_{i +1}. We write the path as s0→ s₁→ . . ..

LTL Semantics 2: Satisfaction by Path

Satisfactionrelation π |=ⁱ φ read as

“path π at position i satisfies LTL formula φ”.

π |=ⁱ >

π 6|=ⁱ ⊥

π |=ⁱ p iff p ∈ L(s_i) π |=ⁱ ¬φ iff π 6|=ⁱ φ

π |=ⁱ φ₁∧ φ₂ iff π |=ⁱ φ₁ and π |=ⁱ φ₂ π |=ⁱ φ₁∨ φ₂ iff π |=ⁱ φ₁ or π |=ⁱ φ₂ π |=ⁱ φ1 ⇒ φ₂ iff π |=ⁱ φ1 implies π |=ⁱ φ2

π |=ⁱ X φ iff π |=^{i +1} φ π |=ⁱ F φ iff ∃j ≥ i . π |=^j φ π |=ⁱ G φ iff ∀j ≥ i . π |=^j φ

π |=ⁱ φ₁U φ₂ iff ∃j ≥ i . π |=^j φ₂ and ∀k ∈ {i ..j − 1}. π |=^k φ₁ π |=ⁱ φ₁R φ₂ iff (∀j ≥ i . π |=^j φ₂) or

∃k ≥ i . π |=^k φ1 and ∀j ∈ {i ..k}. π |=^k φ2

LTL Semantics 3: Alternative Satisfaction by Path

Alternatively, we can define π |= φ using the notion of i th suffix πⁱ = si → s_{i +1} → . . . of a path π = s₀ → s₁ → . . ..

E.g. write

π |= G φ iff ∀j ≥ 0. π^j |= φ instead of

π |=ⁱ G φ iff ∀j ≥ i . π |=^j φ

I π |=ⁱ φ better for understanding and needed for past time operators.

I π |= φ needed for semantics of CTL branching-time temporal logic.

LTL Semantics 4: Satisfaction by Model

We write

M, s |= φ

if, forevery execution path π of model M starting at state s, we have

π |=⁰ φ .

LTL Formula Examples

1. G invar

2. G ¬(read ∧ write) 3. G (request ⇒ F grant)

4. G (request ⇒ (request U grant)) 5. G F enabled

6. F G stable

Understand formulas by using semantics: e.g.

π |=⁰F G stable ≡ ∃i ≥ 0. ∀j ≥ i . stable ∈ L(s_j)

LTL Equivalences 1

φ ≡ ψ .

= ∀M. ∀π ∈ M. π |=⁰ φ ←→ π |=⁰ψ

Dualities in Propositional Logic

¬(φ ∧ ψ) ≡ ¬φ ∨ ¬ψ ¬(φ ∨ ψ) ≡ ¬φ ∧ ¬ψ Dualities in LTL

¬X φ ≡ X ¬φ ¬G φ ≡ F ¬φ ¬F φ ≡ G ¬φ

¬(φ U ψ) ≡ ¬φ R ¬ψ ¬(φ R ψ) ≡ ¬φ U ¬ψ Distributive laws

G (φ ∧ ψ) ≡ G φ ∧ G ψ F (φ ∨ ψ) ≡ F φ ∨ F ψ

LTL Equivalences 2

Inter-definitions

F φ ≡ ¬G ¬φ G φ ≡ ¬F ¬φ F φ ≡ > U φ G φ ≡ ⊥ R φ Idempotency

F F φ ≡ F φ G G φ ≡ G φ Weak and strong Until

φ U ψ ≡ φ W ψ ∧ F ψ φ W ψ ≡ φ U ψ ∨ G φ Some more suprising equivalences

G F G φ ≡ F G φ F G F φ ≡ G F φ G (F φ ∨ F ψ) ≡ G F φ ∨ G F ψ