Formal Verification
and Linear-time Model Checking
Paul Jackson
University of Edinburgh
Automated Reasoning 21st and 24th October 2013
Why Automated Reasoning?
• Intellectually stimulating and challenging area
• AI
    • Building autonomous agents that can reason and interact with each other
• Formal mathematics & assisting with mathematical reasoning
• Formal verification
Formal Verification
• Create a formal model of some system of interest
    • Hardware
    • Communication protocol
    • Software, esp. concurrent software
• Describe formally a specification which we desire the model to satisfy
• Check the model satisfies the specification
    • Interactive theorem proving
    • Model checking
Formal Verification Examples
• Floating Point Hardware Verification
    • FDIV bug. Cost Intel $500M.
    • Now cost would be several $B.
• Concurrent Software Verification
    • Microsoft’s Static Driver Verifier
Model Checking Introduction - Models
• A model of some system has
    • A set of states
    • A subset of states considered the initial states
    • A transition relation which, given a current state, describes which next states a system
• Good for
    • Software, both sequential and concurrent
    • Digital hardware
    • Communication protocols
• Refinements handle state with continuous components and continuous rather than step-wise state evolution.
    • Good for hybrid and control systems
Model Checking Introduction - Specifications
• Interested in specifying behaviours of systems over time
• Elementary parts of specifications refer to properties of individual states
• Temporal specifications then relate properties at different times
    • At all times, the read and write signals are never simultaneously asserted
    • If a request signal is asserted at some time, a corresponding grant signal will be asserted within 10 time units.
• Two common treatments of time
    • Linear
    • Branching
  Differ in how they incorporate reasoning about non-determinism
Non-determinism
In general, system descriptions are non-deterministic
• A system is non-deterministic when, from some state, there are multiple alternative next states the system could transition to.
• Non-determinism good for
    • Modelling alternate inputs to the system from its environment (External non-determinism)
    • Allowing model to be under-specified, allowing it to capture many possible system implementations. (Internal non-determinism)
Linear vs. Branching Time
• Linear Time
    • Considers paths (sequences of states)
    • If system non-deterministic, many paths for each initial state
    • Questions of form
        • For all paths, does some path property hold?
        • Does there exist a path such that some path property holds?
• Branching Time
    • Considers tree of possible future states from each initial state
    • If system non-deterministic at some state, tree forks
    • Questions more complex. E.g.
        • For all states reachable from an initial state, does there exist an onwards path to a state satisfying some property?
• Most-basic branching-time logic (CTL) is complementary to most-basic linear-time logic (LTL)
• Richer branching-time logic (CTL*) incorporates both CTL and LTL.
LTL Syntax
• LTL = Linear Temporal Logic
• Assume some set $\mathit{Atom}$ of atomic propositions
• Syntax of LTL formulas $\varphi$:
$$\varphi ::= p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \Rightarrow \varphi \mid X\,\varphi \mid F\,\varphi \mid G\,\varphi \mid \varphi\ U\ \varphi \qquad \text{where } p \in \mathit{Atom}$$
• Temporal operators are
    X   NeXt      (also written $\bigcirc$)
    G   Globally  (also written $\Box$)
    F   Future    (also written $\Diamond$)
    U   Until
• Other common temporal operators are W (Weak until) and R (Release)
• Precedence high-to-low: $(X, F, G, \neg)$, $(U, R)$, $(\wedge, \vee)$, $\Rightarrow$
LTL Semantics 1: Transition Systems and Paths
Definition (Transition System)
A transition system $M = \langle S, \to, L \rangle$ consists of
    $S$   a set of states
    ${\to} \subseteq S \times S$   a transition relation such that $\forall s.\ \exists t.\ s \to t$
    $L : S \to \mathcal{P}(\mathit{Atom})$   a labelling function
Definition (Path)
A path in a model $M = \langle S, \to, L \rangle$ is an infinite sequence of states $s_0, s_1, \ldots$ such that $\forall i \ge 0.\ s_i \to s_{i+1}$. We write the path as $s_0 \to s_1 \to \ldots$.
LTL Semantics 2: Satisfaction by Path
Satisfaction relation $\pi \models_i \varphi$ read as
“path $\pi$ at position $i$ satisfies LTL formula $\varphi$”.
$$\begin{array}{lcl}
\pi \models_i \top & & \\
\pi \not\models_i \bot & & \\
\pi \models_i p & \text{iff} & p \in L(s_i) \\
\pi \models_i \neg\varphi & \text{iff} & \pi \not\models_i \varphi \\
\pi \models_i \varphi_1 \wedge \varphi_2 & \text{iff} & \pi \models_i \varphi_1 \text{ and } \pi \models_i \varphi_2 \\
\pi \models_i \varphi_1 \vee \varphi_2 & \text{iff} & \pi \models_i \varphi_1 \text{ or } \pi \models_i \varphi_2 \\
\pi \models_i \varphi_1 \Rightarrow \varphi_2 & \text{iff} & \pi \models_i \varphi_1 \text{ implies } \pi \models_i \varphi_2 \\
\pi \models_i X\,\varphi & \text{iff} & \pi \models_{i+1} \varphi \\
\pi \models_i F\,\varphi & \text{iff} & \exists j \ge i.\ \pi \models_j \varphi \\
\pi \models_i G\,\varphi & \text{iff} & \forall j \ge i.\ \pi \models_j \varphi \\
\pi \models_i \varphi_1\ U\ \varphi_2 & \text{iff} & \exists j \ge i.\ \pi \models_j \varphi_2 \text{ and } \forall k \in \{i..j-1\}.\ \pi \models_k \varphi_1 \\
\pi \models_i \varphi_1\ R\ \varphi_2 & \text{iff} & (\forall j \ge i.\ \pi \models_j \varphi_2) \text{ or } \exists k \ge i.\ \pi \models_k \varphi_1 \text{ and } \forall j \in \{i..k\}.\ \pi \models_j \varphi_2
\end{array}$$
LTL Semantics 3: Alternative Satisfaction by Path
Alternatively, we can define $\pi \models \varphi$ using the notion of the $i$th suffix $\pi^i = s_i \to s_{i+1} \to \ldots$ of a path $\pi = s_0 \to s_1 \to \ldots$.
E.g. write
    $\pi \models G\,\varphi$ iff $\forall j \ge 0.\ \pi^j \models \varphi$
instead of
    $\pi \models_i G\,\varphi$ iff $\forall j \ge i.\ \pi \models_j \varphi$
• $\pi \models_i \varphi$ better for understanding and needed for past-time operators.
• $\pi \models \varphi$ needed for semantics of CTL branching-time temporal logic.
LTL Semantics 4: Satisfaction by Model
We write
    $M, s \models \varphi$
if, for every execution path $\pi$ of model $M$ starting at state $s$, we have
    $\pi \models_0 \varphi$.
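As an added example that is not part of the slides, the following Python represents a transition system $M = \langle S, \to, L \rangle$ as a small data structure, checks the totality condition $\forall s.\ \exists t.\ s \to t$ from the definition, and decides $M, s \models G\,p$ for a state property $p$ by reachability. That is all a safety specification of the form "at all times, read and write are never simultaneously asserted" needs: every path from $s$ stays inside the states reachable from $s$, and, because the relation is total, every reachable state lies on some path from $s$. The bus-arbiter model, its state names and labels, and the helper names are constructed for illustration; liveness formulas such as $F\,\mathit{grant}$ are not handled here, since they depend on whole paths rather than individual states.

```python
from collections import deque


class TransitionSystem:
    """M = <S, ->, L>: a finite set of states, a transition relation and a
    labelling function L : S -> P(Atom), following the slides' definition."""

    def __init__(self, transitions, labels, initial):
        # transitions: iterable of (s, t) pairs meaning s -> t
        self.succ = {}
        for s, t in transitions:
            self.succ.setdefault(s, set()).add(t)
            self.succ.setdefault(t, set())
        self.states = set(self.succ)
        self.labels = {s: frozenset(labels.get(s, ())) for s in self.states}
        self.initial = set(initial)

    def is_total(self):
        """The definition requires forall s. exists t. s -> t, so that every
        finite run can be extended to an infinite path."""
        return all(self.succ[s] for s in self.states)

    def stuck_states(self):
        return sorted(s for s in self.states if not self.succ[s])

    def reachable_from(self, s):
        """States on some finite run s -> ... -> t (breadth-first search)."""
        seen, todo = {s}, deque([s])
        while todo:
            u = todo.popleft()
            for v in self.succ[u]:
                if v not in seen:
                    seen.add(v)
                    todo.append(v)
        return seen


def check_invariant(m, s, holds):
    """Decide M, s |= G p for a state property p given as a predicate on L(t).

    Every path from s stays inside reachable_from(s), and because the relation
    is total every reachable state lies on some path from s, so G p holds on
    all paths from s iff p holds in every reachable state.
    Returns (True, None) or (False, t) with t a reachable violating state."""
    assert m.is_total(), f"relation not total at {m.stuck_states()}"
    for t in sorted(m.reachable_from(s)):
        if not holds(m.labels[t]):
            return False, t
    return True, None


def mutual_exclusion(label):
    """The state property behind G not(read and write)."""
    return not ({"read", "write"} <= label)


def build_arbiter(buggy=False):
    """Constructed bus-arbiter model (hypothetical, not from the slides). From
    'idle' the environment may request a read or a write, an instance of
    external non-determinism: 'idle' has two successor states."""
    transitions = [("idle", "reading"), ("idle", "writing"),
                   ("reading", "idle"), ("writing", "idle")]
    labels = {"reading": {"read"}, "writing": {"write"}}
    if buggy:
        # A write may overlap the next read, reaching a state with both signals.
        transitions += [("writing", "overlap"), ("overlap", "idle")]
        labels["overlap"] = {"read", "write"}
    return TransitionSystem(transitions, labels, initial={"idle"})


if __name__ == "__main__":
    for buggy in (False, True):
        print("buggy " if buggy else "correct",
              check_invariant(build_arbiter(buggy), "idle", mutual_exclusion))
```

The violating state returned for the buggy model is the start of a counterexample: the breadth-first search could equally record predecessors to print the finite run from `idle` to `overlap`, which is the finite prefix of a path on which $G\,\neg(\mathit{read} \wedge \mathit{write})$ fails.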
LTL Formula Examples
1. $G\,\mathit{invar}$
2. $G\,\neg(\mathit{read} \wedge \mathit{write})$
3. $G\,(\mathit{request} \Rightarrow F\,\mathit{grant})$
4. $G\,(\mathit{request} \Rightarrow (\mathit{request}\ U\ \mathit{grant}))$
5. $G\,F\,\mathit{enabled}$
6. $F\,G\,\mathit{stable}$
Understand formulas by using semantics: e.g.
    $\pi \models_0 F\,G\,\mathit{stable} \;\equiv\; \exists i \ge 0.\ \forall j \ge i.\ \mathit{stable} \in L(s_j)$
LTL Equivalences 1
$$\varphi \equiv \psi \;\doteq\; \forall M.\ \forall \pi \in M.\ \pi \models_0 \varphi \leftrightarrow \pi \models_0 \psi$$
Dualities in Propositional Logic
    $\neg(\varphi \wedge \psi) \equiv \neg\varphi \vee \neg\psi$
    $\neg(\varphi \vee \psi) \equiv \neg\varphi \wedge \neg\psi$
Dualities in LTL
    $\neg X\,\varphi \equiv X\,\neg\varphi$
    $\neg G\,\varphi \equiv F\,\neg\varphi$
    $\neg F\,\varphi \equiv G\,\neg\varphi$
    $\neg(\varphi\ U\ \psi) \equiv \neg\varphi\ R\ \neg\psi$
    $\neg(\varphi\ R\ \psi) \equiv \neg\varphi\ U\ \neg\psi$
Distributive laws
    $G\,(\varphi \wedge \psi) \equiv G\,\varphi \wedge G\,\psi$
    $F\,(\varphi \vee \psi) \equiv F\,\varphi \vee F\,\psi$
LTL Equivalences 2
Inter-definitions
    $F\,\varphi \equiv \neg G\,\neg\varphi$
    $G\,\varphi \equiv \neg F\,\neg\varphi$
    $F\,\varphi \equiv \top\ U\ \varphi$
    $G\,\varphi \equiv \bot\ R\ \varphi$
Idempotency
    $F\,F\,\varphi \equiv F\,\varphi$
    $G\,G\,\varphi \equiv G\,\varphi$
Weak and strong Until
    $\varphi\ U\ \psi \equiv \varphi\ W\ \psi \wedge F\,\psi$
    $\varphi\ W\ \psi \equiv \varphi\ U\ \psi \vee G\,\varphi$
Some more surprising equivalences
    $G\,F\,G\,\varphi \equiv F\,G\,\varphi$
    $F\,G\,F\,\varphi \equiv G\,F\,\varphi$
    $G\,(F\,\varphi \vee F\,\psi) \equiv G\,F\,\varphi \vee G\,F\,\psi$
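As an added example that is not part of the slides, the following Python implements the satisfaction relation $\pi \models_i \varphi$ from LTL Semantics 2 for paths stored as a lasso (a finite prefix followed by a loop, which is how an infinite path can be held in finite memory: every suffix from the loop onwards repeats with the loop's period, so quantifiers over $j \ge i$ only need to range over one full period). It evaluates the formulas from the LTL Formula Examples slide on a constructed path and then checks instances of the dualities, inter-definitions, weak/strong until and the "surprising" equivalences from both equivalence slides at every distinct position of that path. W is implemented directly (wherever $\varphi$ fails, $\psi$ must already have held), so the weak/strong-until equivalence is a genuine test of the evaluator rather than a restatement of its code. The path, its labels and the helper names are constructed assumptions.

```python
class LassoPath:
    """A path s0 -> s1 -> ... stored as a finite prefix plus a loop: the state
    after the last one is labels[loop] again, so suffixes are periodic."""

    def __init__(self, labels, loop):
        assert 0 <= loop < len(labels)
        self.labels = [frozenset(l) for l in labels]   # L(s_i) for i < len
        self.loop = loop
        self.period = len(labels) - loop
        self._cache = {}

    def norm(self, i):
        """Representative position with the same suffix as position i."""
        return i if i < len(self.labels) else self.loop + (i - self.loop) % self.period

    def horizon(self, i):
        """[i, horizon(i)) contains every distinct suffix from i onwards, so
        'for all j >= i' and 'exists j >= i' only need to range over it."""
        return max(i, self.loop) + self.period

    def sat(self, phi, i=0):
        """pi |=_i phi, memoised on (phi, norm(i)) since only the suffix matters."""
        i = self.norm(i)
        key = (phi, i)
        if key not in self._cache:
            self._cache[key] = self._eval(phi, i)
        return self._cache[key]

    def _eval(self, phi, i):
        op, args = phi[0], phi[1:]
        js = range(i, self.horizon(i))
        if op == "true":
            return True
        if op == "false":
            return False
        if op == "p":
            return args[0] in self.labels[i]
        if op == "not":
            return not self.sat(args[0], i)
        if op == "and":
            return self.sat(args[0], i) and self.sat(args[1], i)
        if op == "or":
            return self.sat(args[0], i) or self.sat(args[1], i)
        if op == "implies":
            return (not self.sat(args[0], i)) or self.sat(args[1], i)
        if op == "X":
            return self.sat(args[0], i + 1)
        if op == "F":
            return any(self.sat(args[0], j) for j in js)
        if op == "G":
            return all(self.sat(args[0], j) for j in js)
        if op in ("U", "R", "W"):
            a, b = args
        if op == "U":   # exists j >= i: b at j and a at every k in [i, j)
            return any(self.sat(b, j) and all(self.sat(a, k) for k in range(i, j)) for j in js)
        if op == "R":   # b always, or a at some k with b at every j in [i, k]
            return all(self.sat(b, j) for j in js) or any(
                self.sat(a, k) and all(self.sat(b, j) for j in range(i, k + 1)) for k in js)
        if op == "W":   # wherever a fails at j, b has held at some k in [i, j]
            return all(self.sat(a, j) or any(self.sat(b, k) for k in range(i, j + 1)) for j in js)
        raise ValueError(f"unknown operator {op!r}")


# Formula constructors: formulas are nested tuples, so they are hashable.
def p(name): return ("p", name)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g): return ("or", f, g)
def Implies(f, g): return ("implies", f, g)
def X(f): return ("X", f)
def F(f): return ("F", f)
def G(f): return ("G", f)
def U(f, g): return ("U", f, g)
def R(f, g): return ("R", f, g)
def W(f, g): return ("W", f, g)
TRUE, FALSE = ("true",), ("false",)

# Constructed path: s0 -> s1 -> s2 -> s3 -> s4 -> s3 -> s4 -> ... (loops at s3)
PATH = LassoPath([{"request", "read"}, set(), {"grant", "enabled"},
                  {"stable"}, {"stable", "enabled", "write"}], loop=3)
request, grant, enabled, stable, read, write = map(
    p, ("request", "grant", "enabled", "stable", "read", "write"))

EXAMPLES = {
    "G not(read and write)": G(Not(And(read, write))),
    "G (request => F grant)": G(Implies(request, F(grant))),
    "G (request => (request U grant))": G(Implies(request, U(request, grant))),
    "G F enabled": G(F(enabled)),
    "F G stable": F(G(stable)),
    "F G enabled": F(G(enabled)),
}


def evaluate_examples(path=PATH):
    return {name: path.sat(f) for name, f in EXAMPLES.items()}


def equivalent_on(path, f, g):
    """f and g agree at every distinct position, i.e. on every suffix."""
    return all(path.sat(f, i) == path.sat(g, i) for i in range(len(path.labels)))


def check_equivalences(path=PATH, a=enabled, b=grant):
    """Instances of the slides' equivalences; each must hold on every path."""
    laws = [(Not(F(a)), G(Not(a))), (Not(U(a, b)), R(Not(a), Not(b))),
            (F(a), U(TRUE, a)), (G(a), R(FALSE, a)),
            (U(a, b), And(W(a, b), F(b))), (G(F(G(a))), F(G(a))),
            (G(Or(F(a), F(b))), Or(G(F(a)), G(F(b))))]
    return all(equivalent_on(path, f, g) for f, g in laws)


if __name__ == "__main__":
    for name, value in evaluate_examples().items():
        print(f"{name:36} {value}")
    print("equivalences hold on PATH:", check_equivalences())
```

On this path formula 3 holds but formula 4 fails: the request at $s_0$ is eventually granted at $s_2$, but it is not held continuously until the grant ($s_1$ carries no request), which is exactly the distinction between $F\,\mathit{grant}$ and $\mathit{request}\ U\ \mathit{grant}$. Checking an equivalence on one path only refutes it if the two sides differ; the laws here are valid on all paths, so agreement is a sanity check of the evaluator, not a proof of the law.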