
(1)

Formal Specification and Verification

Stefan Ratschan

Department of Digital Design, Faculty of Information Technology, Czech Technical University in Prague (Katedra číslicového návrhu, Fakulta informačních technologií, České vysoké učení technické v Praze)

2. 5. 2011

(2)

History of System Design

build

(3)

History of System Design

build model

test model

implement model

Example of what testing alone can miss: Intel Pentium FDIV bug (1994)

(4)

History of System Design

build model

implement model

prove correctness

(5)

Example

Modulo-8 counter. State space: S = 𝔹³, a state being a bit triple (v0, v1, v2) with v0 the least significant bit. Next-state equations:

v0' = ¬v0

v1' = v0 ⊕ v1

v2' = (v0 ∧ v1) ⊕ v2

(6)

Example: Digital Circuit

Transition relation T ⊆ S × S:

T := { ((v0, v1, v2), (v0', v1', v2')) | (v0' ⇔ ¬v0) ∧ (v1' ⇔ v0 ⊕ v1) ∧ (v2' ⇔ (v0 ∧ v1) ⊕ v2) }

Because T is a relation (not necessarily a function), the same formalism also captures non-determinism.

(7)

Formal Specification

Transition System:

- Set of states S

- Set I ⊆ S of initial states

- Transition relation R ⊆ S × S

For example:

- S = 𝔹ⁿ; I, R given by formulas in propositional logic

- S is the set of program states (program counter + value ranges of the variables); I, R given by a computer program

- S = {1, ..., n} × ℝⁿ, R given by clock checks and resets: timed systems/automata

- S = ℝⁿ, I given by (in)equalities, R given by ordinary differential equations (models of physical systems)

- S = {1, ..., n}, I, R given by (in)equalities, ordinary differential equations, and discrete rules: hybrid (dynamical) systems (models of embedded systems)

(8)

Formal Specification

How do we specify whether a given system behaves correctly?

First we have to specify properties of single states: state properties.

Example:

- error(s): state s is an error state

- zero(s): state s represents zero

Now we can extend this to one behavior of the system. A path in a transition system (S, I, R) is an infinite sequence of states s0 s1 s2 ... such that

- s0 ∈ I,

- for all i ∈ {0, 1, ...}, (si, si+1) ∈ R.

(9)

Properties on Paths π

Notation: π(k) is the k-th state of π, and π^k is the suffix of π starting at position k (so π^0 = π).

State property g holds on the first element of the path: π |= g :⇔ g(π(0))

State property holds on the next element of the path: π |= Xg :⇔ π^1 |= g (X: "next")

Train eventually reaches full speed: π |= Fg :⇔ there is k ≥ 0 s.t. π^k |= g (F: "in the future")

Number of motor rotations always stays in the safe area: π |= Gg :⇔ for all k ≥ 0, π^k |= g (G: "globally")

The train eventually stops and until then the doors remain closed: π |= g U h :⇔ there is i s.t. π^i |= h and for all j < i, π^j |= g (U: "until")

As long as the plane has not reached full height the fasten seat belts sign is on: π |= g R h :⇔ for all j ≥ 0, if for all i < j, not π^i |= g, then π^j |= h (R: "release")

(10)

Combining Operators

If the elevator is called, it will eventually show up: g → Fh. The train will never move with open doors: G¬(g ∧ h). So we also need Boolean combinations (∧, ∨, ¬).

Combining temporal operators. For example:

- FGg: eventually g will hold forever.

- GFg: always eventually g will hold (g holds infinitely often).

Result: Linear Temporal Logic (LTL)

Syntax:

- every state property is an LTL formula

- if g and h are LTL formulas, then Xg, Fg, Gg, g U h, g R h, ¬g, g ∨ h, and g ∧ h are LTL formulas as well.

(11)

Semantics

For a path π and LTL formulas g, h:

- π |= g iff g is a state property and g(π(0))

- π |= Xg iff π^1 |= g

- π |= Fg iff there is k ≥ 0 s.t. π^k |= g

- π |= Gg iff for all k ≥ 0, π^k |= g

- π |= g U h iff there is i s.t. π^i |= h and for all j < i, π^j |= g

- π |= g R h iff for all j ≥ 0, if for all i < j, not π^i |= g, then π^j |= h

- π |= ¬g iff not π |= g

- π |= g ∧ h iff π |= g and π |= h

- π |= g ∨ h iff π |= g or π |= h
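The semantics above can be executed directly on a path that is ultimately periodic (a prefix followed by a loop repeated forever), because every suffix π^k of such a path equals one of finitely many suffixes, so each unbounded quantifier only has to range over finitely many positions. This is an added example, not slide material; it checks formulas on the modulo-8 counter from slide 5 started in state 000, and the tuple encoding of formulas and the state property seven are assumptions of the example.

```python
# LTL semantics executed on one ultimately periodic path (added example, not from
# the slides). A path is a lasso (prefix, loop): prefix states, then the loop forever.
# Formulas are nested tuples: ('p', name), ('not', g), ('and', g, h), ('or', g, h),
# ('X', g), ('F', g), ('G', g), ('U', g, h), ('R', g, h).

def state_at(path, k):
    """pi(k): the k-th state of the lasso path."""
    prefix, loop = path
    return prefix[k] if k < len(prefix) else loop[(k - len(prefix)) % len(loop)]

def horizon(path, k):
    """Every suffix pi^m with m >= k equals some pi^m' with k <= m' < horizon."""
    prefix, loop = path
    return max(len(prefix), k) + len(loop)

def sat(path, props, f, k=0):
    """pi^k |= f, transcribing the semantics slide clause by clause."""
    op, h = f[0], horizon(path, k)
    if op == 'p':
        return props[f[1]](state_at(path, k))
    if op == 'not':
        return not sat(path, props, f[1], k)
    if op == 'and':
        return sat(path, props, f[1], k) and sat(path, props, f[2], k)
    if op == 'or':
        return sat(path, props, f[1], k) or sat(path, props, f[2], k)
    if op == 'X':
        return sat(path, props, f[1], k + 1)
    if op == 'F':
        return any(sat(path, props, f[1], m) for m in range(k, h))
    if op == 'G':
        return all(sat(path, props, f[1], m) for m in range(k, h))
    if op == 'U':   # some i satisfies h, and g holds at every position before it
        return any(sat(path, props, f[2], i)
                   and all(sat(path, props, f[1], j) for j in range(k, i))
                   for i in range(k, h))
    if op == 'R':   # h holds at every j unless g held at some earlier i (releasing it)
        return all(sat(path, props, f[2], j)
                   or any(sat(path, props, f[1], i) for i in range(k, j))
                   for j in range(k, h))
    raise ValueError(f"unknown operator {op!r}")

def counter_path():
    """Modulo-8 counter from the slides started in 000: a lasso with empty prefix."""
    states, s = [], (0, 0, 0)
    for _ in range(8):
        states.append(s)
        v0, v1, v2 = s
        s = (1 - v0, v0 ^ v1, (v0 & v1) ^ v2)   # v0' = ¬v0, v1' = v0⊕v1, v2' = (v0∧v1)⊕v2
    return ([], states)

# Assumed state properties: zero(s) as on slide 8, plus seven(s) for the last count.
PROPS = {'zero': lambda s: s == (0, 0, 0), 'seven': lambda s: s == (1, 1, 1)}
```

On the counter's path, GF zero holds (the counter returns to 000 forever), FG zero does not, and ¬seven U seven holds because 111 is reached after exactly seven steps.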

(12)

Specification of System

We can already specify the correctness of one path. Correctness of the whole system: the system satisfies g (written |= g) iff for all paths π of the system, π |= g.

Industrial usage: PSL (Property Specification Language) ≈ LTL + regular expressions

(13)

Formal Verification

Problem: even finite transition systems may have paths of infinite length! Checking G ok:

Check the prefixes of paths of length 1, 2, ...: bounded model checking, BMC(n)

In the Boolean case, the individual checks can be done efficiently by SAT (in practice, not in theory)

Especially: bugs can often be found fast

Bounded model checking algorithms for other types of systems:

- Software: CBMC [Clarke et al., 2004]

- Hybrid systems: iSAT [Fränzle and Herde, 2007, Fränzle et al., 2007]

- ...

(14)

Full LTL? Unbounded Case?

Full LTL [Biere et al., 2003]: for every LTL formula φ and for all n,

|= φ implies BMC(φ, n). Opposite direction?

Observation: |= Gs iff BMC(Gs, |S|). If the system does not fulfill Gs,

then it has an error path of length at most |S| (a shortest path to a violating state never visits a state twice).

Theorem

For all finite transition systems and all LTL formulas φ

there is a bound n s.t.

for all n' ≥ n, BMC(φ, n') iff |= φ. But: the bound may be huge!

(15)

Unbounded Model Checking

If we want to prove correctness over unbounded time, or we search for a bug that shows up only after a long time.

Reach set computation:

- let R be the set of initial states

- add the states reachable from R until no new reachable states appear (a fixpoint, which a finite state space always reaches)

If for all x ∈ R, ok(x), then |= G ok. For full LTL (and other temporal logics) it is

more complicated [Clarke et al., 1999].
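Both procedures on the modulo-8 counter of slide 5, as an added example rather than the slides' own code: BMC(G ok, n) from slides 13 and 14, and the reach-set fixpoint of this slide. The property ok (the counter never shows 111), the initial state 000 and the function names are assumptions of the example. With n = |S| = 8 the bounded check is exact, while n = 7 misses the error path.

```python
# Bounded and unbounded model checking of G ok on the modulo-8 counter
# (added example, not from the slides). States are bit triples (v0, v1, v2).

def step(s):
    """Next state: v0' = ¬v0, v1' = v0⊕v1, v2' = (v0∧v1)⊕v2 (counter slide)."""
    v0, v1, v2 = s
    return (1 - v0, v0 ^ v1, (v0 & v1) ^ v2)

def successors(s):
    """Transition relation R as a set of successors; a relation may yield several."""
    return {step(s)}

def bmc(initial, ok, n):
    """BMC(G ok, n): check every path prefix of length <= n starting in an initial
    state. Returns a violating prefix (the error path) or None if none exists."""
    frontier = [[s] for s in initial]
    while frontier:
        path = frontier.pop()
        if not ok(path[-1]):
            return path
        if len(path) < n:
            frontier.extend(path + [t] for t in successors(path[-1]))
    return None

def reach(initial):
    """Reach set: start with the initial states and add successors until no new
    state appears (least fixpoint); terminates for any finite state space."""
    reached, todo = set(initial), list(initial)
    while todo:
        for t in successors(todo.pop()):
            if t not in reached:
                reached.add(t)
                todo.append(t)
    return reached

def holds_globally(initial, ok):
    """Unbounded check of |= G ok: ok must hold on every reachable state."""
    return all(ok(s) for s in reach(initial))

if __name__ == "__main__":
    init = {(0, 0, 0)}
    ok = lambda s: s != (1, 1, 1)          # assumed property: counter never shows 111
    print(bmc(init, ok, 7))                 # None: no error path of length <= 7
    print(bmc(init, ok, 8))                 # error path 000 ... 111 (8 states = |S|)
    print(sorted(reach(init)), holds_globally(init, ok))
```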

(16)

Unbounded Model Checking for Specific System Types

In the Boolean case, sets of states can be represented by

(reduced ordered) binary decision diagrams (BDDs). BDDs provide a unique (canonical, for a fixed variable ordering) representation of Boolean formulas, hence they can also be used for equivalence checking

(i.e., the specification is another circuit). Other systems:

- Software: huge field of software model checking [Jhala and Majumdar, 2009]

- Timed automata: Uppaal (http://www.uppaal.org)

- Hybrid systems:

  - HyTech [Henzinger et al., 1997]

  - PHAVer [Frehse, 2008]

(17)

Literature I

Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Ofer Strichman, and Yunshan Zhu. Bounded model checking. Volume 58 of Advances in Computers, pages 117–148. Elsevier, 2003. doi: 10.1016/S0065-2458(03)58003-2.

Edmund Clarke, Daniel Kroening, and Flavio Lerda. A tool for checking ANSI-C programs. In Kurt Jensen and Andreas Podelski, editors, Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2004), volume 2988 of Lecture Notes in Computer Science, pages 168–176. Springer, 2004. ISBN 3-540-21299-X.

Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, 1999.

(18)

Literature II

M. Fränzle, C. Herde, S. Ratschan, T. Schubert, and T. Teige. Efficient solving of large non-linear arithmetic constraint systems with complex Boolean structure. JSAT, Journal on Satisfiability, Boolean Modeling and Computation, Special Issue on SAT/CP Integration, 1:209–236, 2007.

Martin Fränzle and Christian Herde. HySAT: An efficient proof engine for bounded model checking of hybrid systems. Formal Methods in System Design, 30(3):179–198, 2007.

Goran Frehse. PHAVer: algorithmic verification of hybrid systems past HyTech. International Journal on Software Tools for Technology Transfer (STTT), 10(3):263–279, 2008. doi: 10.1007/s10009-007-0062-x.

Thomas A. Henzinger, Pei-Hsin Ho, and Howard Wong-Toi. HyTech: a model checker for hybrid systems. International Journal on Software Tools for Technology Transfer (STTT), 1:110–122, 1997.

(19)

Literature III

Ranjit Jhala and Rupak Majumdar. Software model checking. ACM Comput. Surv., 41(4):1–54, 2009. ISSN 0360-0300. doi: 10.1145/1592434.1592438 (http://doi.acm.org/10.1145/1592434.1592438).

Stefan Ratschan and Zhikun She. Safety verification of hybrid systems by constraint propagation based abstraction refinement. ACM Transactions on Embedded Computing Systems, 6(1), 2007.

