Alexandre Duret-Lutz
23 August 2010
IIT Jodhpur
http://www.lrde.epita.fr/~adl/ens/m/iitj.pdf
[Diagram, built over several slides: a system and its properties can be confronted by tests (not exhaustive!) or by simulation (not exhaustive!). Formal verification instead works on a model of the system and a model of the properties, either by theorem proving or by model checking.]
Theorem proving:
1. Describe the system in a way that allows reasoning.
2. Prove the property by logical reasoning.
This can be entirely manual, or use the help of a theorem prover (e.g. Coq) that is not fully automatic.
Problem: it is hard to produce a counterexample when a theorem is false.
Research work in the area: new proof systems, study of the expressive power of various logics...
Model checking: an automatic approach to formal verification, an exhaustive verification of all behaviors of a model.
The catch: the model has to be abstract enough (i.e. not too detailed) to allow its complete exploration.
Global variables: reqP and reqQ.
Process P (infinite loop):
  1. reqP ← 1
  2. wait(reqQ = 0)
  3. Critical Section
  4. reqP ← 0
Process Q (infinite loop):
  1. reqQ ← 1
  2. wait(reqP = 0)
  3. Critical Section
  4. reqQ ← 0
Initial state: P = 1, Q = 1, reqP = 0, reqQ = 0 (P and Q denote the line each process is about to execute).
Properties to check:
1. At any time, there is at most one process in the Critical Section.
2. Any process requesting entrance to the CS will eventually enter it.
3. The order of entrances to the CS should follow the order of requests.
[Figure: the reachability graph of the model, built step by step; each state is labelled by the values of P, reqP, Q and reqQ, starting from P = 1, reqP = 0, Q = 1, reqQ = 0.]
Property 1: At any time, there is at most one process in CS.
Translation: there is no state with P = 3 and Q = 3. It is true.
To check this property we need to explore the entire state space once.
We only need to know the set of states, not how they are connected.
Property 2: Any process requesting entrance to CS will eventually enter it.
Translation: any execution that visits a state with P = 2 should later visit a state with P = 3; likewise for Q = 2 and Q = 3. It is false.
The state P = 2, reqP = 1, Q = 2, reqQ = 1 has no successor (it is a deadlock).
To check this property, we have to know the entire graph (states alone are not enough).
Property 3: The order of entrances into the CS follows the order of requests.
Translation: any execution path that sees a state with P = 2 ∧ Q = 1 should not visit any state with Q = 3 before visiting a state with P = 3 (+ symmetric property for Q). It is true if we ignore the deadlock.
Same kind of verification as property 2.
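As an added example (not from the slides), the following Python code enumerates the reachable states of the two-process model above and checks properties 1 and 2 directly on the state graph. The encoding (P, reqP, Q, reqQ) follows the slides, with P and Q holding the line each process executes next; the function names are ours.

```python
from collections import deque

# Constructed encoding of the mutual-exclusion model: (P, reqP, Q, reqQ),
# where P and Q are the line (1..4) each process is about to execute.
INITIAL = (1, 0, 1, 0)

def step(pc, my_req, other_req):
    """One step of a process at line `pc`: (new_pc, new_my_req), or None if blocked."""
    if pc == 1:                              # 1. req <- 1
        return 2, 1
    if pc == 2:                              # 2. wait(other req = 0)
        return (3, my_req) if other_req == 0 else None
    if pc == 3:                              # 3. critical section
        return 4, my_req
    return 1, 0                              # 4. req <- 0, back to line 1

def successors(state):
    """Interleaving semantics: either P or Q moves."""
    P, reqP, Q, reqQ = state
    out = []
    moved = step(P, reqP, reqQ)
    if moved is not None:
        out.append((moved[0], moved[1], Q, reqQ))
    moved = step(Q, reqQ, reqP)
    if moved is not None:
        out.append((P, reqP, moved[0], moved[1]))
    return out

def explore(initial=INITIAL):
    """Breadth-first generation of the reachable state graph: {state: [successors]}."""
    graph, todo = {}, deque([initial])
    while todo:
        s = todo.popleft()
        if s in graph:
            continue
        graph[s] = successors(s)
        todo.extend(graph[s])
    return graph

def mutual_exclusion_holds(graph):
    """Property 1 only needs the set of states: none may have P = 3 and Q = 3."""
    return not any(P == 3 and Q == 3 for (P, _, Q, _) in graph)

def deadlocks(graph):
    """Property 2 needs the edges: a reachable state without successor is a deadlock."""
    return [s for s, succ in graph.items() if not succ]
```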
Represent the system using a finite automaton.
Represent the property using a temporal logic formula.
To compare these two objects, convert the temporal logic formula into an automaton.
Some work on the two automata will tell us if they are compatible.
Propositional logic formulas can be used to characterize one instant.
r: red light on
y: yellow light on
g: green light on
r ∧ y ∧ g = (all three lights on), r ∧ ¬y ∧ ¬g = (red only), ¬r ∧ ¬y ∧ g = (green only), ¬r ∧ ¬y ∧ ¬g = (all lights off).
How can we say that one of these configurations precedes another?
How can we say that the system is not always in a given configuration?
⇒ we need to make time apparent in the formula.
Let f and g be two propositional logic formulas:
[Figure: timelines illustrating each operator on an infinite sequence of instants.]
Present: f, f is true at the present instant.
Next: Xf, f is true at the next instant.
Globally: Gf, f is true at all instants.
Finally: Ff, f will be true eventually (now or in the future).
Until: fUg, f stays true until g becomes true.
Releases: fRg.
¬G(r ∧ ¬y ∧ ¬g): the system is not always red.
G((¬r ∧ y ∧ ¬g) → X(r ∧ ¬y ∧ ¬g)): yellow is always immediately followed by red.
GF(¬r ∧ ¬y ∧ g): the system is infinitely often green.
These formulas can be translated into automata.
A Transition-based Generalized Büchi Automaton (TGBA) has:
- a set of states, with a designated initial state,
- a set of transitions between these states, labeled by propositional logic formulas,
- a set of sets of transitions, called acceptance sets.
An infinite path in this automaton is accepted if it visits infinitely often a transition of each acceptance set.
[Figure: a TGBA with states s1 to s5 and transitions labelled p ∧ q, p, ¬q, p ∨ q and q.]
Example of TGBA for G(d → Fr): [Figure: two states, transitions labelled r ∨ ¬d, ⊤, ⊤ and r.]
[Figure: synchronized product (⊗) of two automata, one whose transitions are labelled by the valuations of a and b, the other with transitions labelled a ∨ b and ¬a.]
[Diagram: the verification pipeline. A high-level model M goes through state-space generation to give the state-space automaton A_M. The LTL formula ϕ goes through LTL → Büchi translation to give the negated formula automaton A_¬ϕ. The synchronized product gives the product automaton A_M ⊗ A_¬ϕ, with L(A_M ⊗ A_¬ϕ) = L(A_M) ∩ L(A_¬ϕ). The emptiness check decides whether L(A_M ⊗ A_¬ϕ) = ∅: if so, M ⊨ ϕ; otherwise a counterexample is produced.]
Tableau rules (propositional):
formula set          1st child         2nd child
Γ ∪ {¬⊤}             Γ ∪ {⊥}
Γ ∪ {¬⊥}             Γ ∪ {⊤}
Γ ∪ {¬¬f}            Γ ∪ {f}
Γ ∪ {f ∧ g}          Γ ∪ {f, g}
Γ ∪ {f ∨ g}          Γ ∪ {f}           Γ ∪ {g}
Γ ∪ {¬(f ∧ g)}       Γ ∪ {¬f}          Γ ∪ {¬g}
Γ ∪ {¬(f ∨ g)}       Γ ∪ {¬f, ¬g}
Tableau for ¬ϕ with ϕ = ¬(¬A ∨ B) ∨ (¬(A ∧ C) ∨ (B ∧ C)):
{¬(¬(¬A ∨ B) ∨ (¬(A ∧ C) ∨ (B ∧ C)))}
{¬¬(¬A ∨ B), ¬(¬(A ∧ C) ∨ (B ∧ C))}
{¬A ∨ B, ¬(¬(A ∧ C) ∨ (B ∧ C))}
{¬A ∨ B, ¬¬(A ∧ C), ¬(B ∧ C)}
{¬A ∨ B, A ∧ C, ¬(B ∧ C)}
{¬A ∨ B, A, C, ¬(B ∧ C)}
  branching on ¬A ∨ B:   {¬A, A, C, ¬(B ∧ C)}   |   {B, A, C, ¬(B ∧ C)}
  the right child branches on ¬(B ∧ C):   {B, A, C, ¬B}   |   {B, A, C, ¬C}
Every leaf contains a formula together with its negation (A and ¬A, B and ¬B, or C and ¬C).
[Figure: timelines for Xa (a holds at the next instant) and for aUb (a holds at every instant up to the one where b holds).]
aUb ≡ b ∨ (a ∧ X(aUb))
Tableau rules, extended with temporal operators (the propositional rules above are unchanged):
formula set          1st child         2nd child
Γ ∪ {¬Xf}            Γ ∪ {X¬f}
Γ ∪ {f U g}          Γ ∪ {g}           Γ ∪ {f, X(f U g), Pg}
Γ ∪ {¬(f U g)}       Γ ∪ {¬f, ¬g}      Γ ∪ {¬g, X¬(f U g)}
Pg is a promise that g will be fulfilled.
Tableau for (Xa) ∧ (b U ¬a), built step by step (the slides repeat the rules for ∧, ∨ and U beside each step); once a set contains only literals, X-formulas and promises, the next node is the set of formulas found under X:
{(Xa) ∧ (b U ¬a)}
{Xa, b U ¬a}
  branching on b U ¬a:
  {Xa, ¬a}                     at the next instant: {a}, then ∅
  {Xa, b, X(b U ¬a), P¬a}      at the next instant: {a, b U ¬a}
    branching on b U ¬a:
    {a, ¬a}                    (contains a and ¬a)
    {a, b, X(b U ¬a), P¬a}     at the next instant: {b U ¬a}
      branching on b U ¬a:
      {¬a}
      {b, X(b U ¬a), P¬a}      at the next instant: {b U ¬a} again
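As an added example (not from the slides), here is a small Python implementation of the tableau rules above: a formula set is expanded until it contains only literals, X-formulas and promises. Only the rule application within one instant is implemented; the step to the next instant is left out. The tuple encoding and function names are ours.

```python
# Formulas are tuples: ("ap", name), ("top",), ("bot",), ("not", f), ("and", f, g),
# ("or", f, g), ("X", f), ("U", f, g) and ("P", g) for the promise Pg.
# This encoding and the function names are ours, not the slides'.

def expand(gamma):
    """Apply one tableau rule to the frozenset `gamma`: returns the list of child
    sets (one or two), or None when only literals, X-formulas and promises remain."""
    for phi in gamma:
        rest = gamma - {phi}
        op = phi[0]
        if op == "and":
            return [rest | {phi[1], phi[2]}]
        if op == "or":
            return [rest | {phi[1]}, rest | {phi[2]}]
        if op == "U":                               # f U g
            f, g = phi[1], phi[2]
            return [rest | {g}, rest | {f, ("X", phi), ("P", g)}]
        if op == "not":
            inner, k = phi[1], phi[1][0]
            if k == "top":
                return [rest | {("bot",)}]
            if k == "bot":
                return [rest | {("top",)}]
            if k == "not":
                return [rest | {inner[1]}]
            if k == "and":
                return [rest | {("not", inner[1])}, rest | {("not", inner[2])}]
            if k == "or":
                return [rest | {("not", inner[1]), ("not", inner[2])}]
            if k == "X":
                return [rest | {("X", ("not", inner[1]))}]
            if k == "U":                            # not (f U g)
                f, g = inner[1], inner[2]
                return [rest | {("not", f), ("not", g)},
                        rest | {("not", g), ("X", ("not", inner))}]
    return None

def leaves(gamma):
    """All saturated sets (tableau leaves for one instant) reachable from `gamma`."""
    gamma = frozenset(gamma)
    children = expand(gamma)
    if children is None:
        return [gamma]
    return [leaf for child in children for leaf in leaves(child)]

def is_closed(gamma):
    """A leaf is closed when it holds ⊥ or both a formula and its negation."""
    return ("bot",) in gamma or any(("not", f) in gamma for f in gamma)
```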
Turning (Xa) ∧ (b U ¬a) into a TGBA: [Figure: the tableau above next to the resulting automaton, whose transitions are labelled ¬a, b, a, ⊤, a ∧ b, b and ¬a.]
[Figure: the client/server system. A client C has states 1 and 2, linked by transitions s and r. The server S has states 1, 2 and 3, with transitions r1, s1, r2 and s2. A channel B has states − and ×, linked by transitions a and d.]
Synchronization rules for the system ⟨C, C, S, B, B, B, B⟩:
(1) ⟨s, ., ., ., ., a, .⟩
(2) ⟨., s, ., ., ., ., a⟩
(3) ⟨r, ., ., d, ., ., .⟩
(4) ⟨., r, ., ., d, ., .⟩
(5) ⟨., ., r1, ., ., d, .⟩
(6) ⟨., ., s1, a, ., ., .⟩
(7) ⟨., ., r2, ., ., ., d⟩
(8) ⟨., ., s2, ., a, ., .⟩
If a client sends a request, will he always get an answer?
[Figure: state space of the client/server system, 15 states q0 to q14. Each state is labelled by the local states of the two clients and the server, followed by the contents of the four channels: from the initial state 111 − − − − (q0), through 211 − − × −, 121 − − − ×, 212 − − − −, 221 − − × ×, 123 − − − −, 211 × − − −, 222 − − − ×, 223 − − × −, 121 − × − −, 221 × − − ×, 221 − × × −, 223 × − − −, 222 − × − −, and a last state 221 (q14).]
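As an added example (not from the slides), this Python code generates the state space of the client/server system from the eight synchronization rules above. The direction of the component transitions is our reading of the figure and is an assumption (server r1: 1 → 2, s1: 2 → 1, r2: 1 → 3, s2: 3 → 1; channel a: − → ×, d: × → −); the function names are ours.

```python
from collections import deque

# Local transitions {(state, label): next}; our reading of the figure (an assumption):
# client 1 -s-> 2 -r-> 1; server 1 -r1-> 2 -s1-> 1, 1 -r2-> 3 -s2-> 1; channel '-' -a-> 'x' -d-> '-'.
CLIENT = {(1, "s"): 2, (2, "r"): 1}
SERVER = {(1, "r1"): 2, (2, "s1"): 1, (1, "r2"): 3, (3, "s2"): 1}
CHANNEL = {("-", "a"): "x", ("x", "d"): "-"}

# System vector <C, C, S, B, B, B, B> and rules (1)..(8); "." = not participating.
COMPONENTS = [CLIENT, CLIENT, SERVER, CHANNEL, CHANNEL, CHANNEL, CHANNEL]
RULES = [
    ("s", ".", ".", ".", ".", "a", "."),    # (1)
    (".", "s", ".", ".", ".", ".", "a"),    # (2)
    ("r", ".", ".", "d", ".", ".", "."),    # (3)
    (".", "r", ".", ".", "d", ".", "."),    # (4)
    (".", ".", "r1", ".", ".", "d", "."),   # (5)
    (".", ".", "s1", "a", ".", ".", "."),   # (6)
    (".", ".", "r2", ".", ".", ".", "d"),   # (7)
    (".", ".", "s2", ".", "a", ".", "."),   # (8)
]
INITIAL = (1, 1, 1, "-", "-", "-", "-")   # the slides' state "111 - - - -"

def fire(state, rule):
    """Apply one rule: every participating component must be able to take its
    labelled transition, and they all move together. Returns None if blocked."""
    new = list(state)
    for i, label in enumerate(rule):
        if label == ".":
            continue
        nxt = COMPONENTS[i].get((state[i], label))
        if nxt is None:
            return None
        new[i] = nxt
    return tuple(new)

def state_space(initial=INITIAL, rules=RULES):
    """Reachable global states with successors: {state: [(rule_no, next_state)]}."""
    graph, todo = {}, deque([initial])
    while todo:
        s = todo.popleft()
        if s in graph:
            continue
        graph[s] = []
        for n, rule in enumerate(rules, start=1):
            t = fire(s, rule)
            if t is not None:
                graph[s].append((n, t))
                todo.append(t)
    return graph
```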
We will write properties regarding sending and receiving messages:
Let AP = {a1, a2, r1, r2} with:
a1: an answer is on its way between S and C1
a2: an answer is on its way between S and C2
r1: a request is on its way between C1 and S
r2: a request is on its way between C2 and S
The property "if a client sends a request, he will get an answer" can be rewritten as: ∀i ∈ {1, 2}, an execution that visits a state where ri is true will visit a state where ai is true.
[Figure: the same state space q0 to q14, each state now labelled with the atomic propositions that hold in it (written r1, r2, d1, d2, with a bar over those that are false).]
An execution that visits a state where ri is true will visit a state where ai is true. In LTL: G(ri → Fai). (By symmetry on the model, let's deal only with i = 1.)
We are looking for a counterexample: an execution that visits a state where r1 is true and which will never verify a1 from then on. In LTL:
¬G(r1 → Fa1) = F(r1 ∧ G¬a1)
Such a counterexample can be represented by a (transition-based) Büchi automaton:
[Figure: two states qC and qD; a self-loop labelled ⊤ on qC, a transition labelled r1 ∧ ¬a1 from qC to qD, and a self-loop labelled ¬a1 on qD, which is the accepting transition.]
[Figure: the product automaton; its states are the pairs (q0, qC), (q1, qC), ..., (q14, qC) and (q0, qD), (q1, qD), ..., (q14, qD).]
[Figure: animation of the emptiness check on a five-state automaton s1 to s5. A depth-first search maintains a DFS stack of states and a stack of roots: the DFS stack grows s1 s2 s3 s4, the roots stack 1, 1 2, 1 2 3, 1 2 3 4; a transition closing a cycle back to s3 merges the roots, then the search backtracks to s2, visits s5 and follows a transition back to s1, merging the roots 1, 2 and 5; Found!]
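As an added example (not from the slides), the following Python code covers the synchronized product and the emptiness check: it multiplies a constructed toy state space (not the slides' 15-state client/server space) with the two-state Büchi automaton for F(r1 ∧ G¬a1) above, then looks for a reachable cycle through an accepting transition. The guard is evaluated on the label of the model state being left, a convention we assume; the model and function names are ours.

```python
from collections import deque

# Constructed toy model: successors and the atomic propositions true in each state.
# s3 is a "lost request" state reachable after r1 in which a1 never becomes true.
EDGES = {"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s0"], "s3": ["s3"]}
LABELS = {"s0": set(), "s1": {"r1"}, "s2": {"a1"}, "s3": set()}

# Büchi automaton for ¬G(r1 → F a1) = F(r1 ∧ G¬a1): (src, guard, dst, accepting).
# Guards are predicates over the label set of the model state being left.
BUCHI = [
    ("qC", lambda l: True,                        "qC", False),  # ⊤ self-loop
    ("qC", lambda l: "r1" in l and "a1" not in l, "qD", False),  # r1 ∧ ¬a1
    ("qD", lambda l: "a1" not in l,               "qD", True),   # ¬a1, accepting
]

def product(edges, labels, buchi, init=("s0", "qC")):
    """Reachable part of A_M ⊗ A_¬ϕ: {(s, q): [((s', q'), accepting), ...]}.
    Both automata move in lockstep; the guard is checked on the label of s."""
    graph, todo = {}, deque([init])
    while todo:
        s, q = todo.popleft()
        if (s, q) in graph:
            continue
        graph[(s, q)] = []
        for src, guard, dst, acc in buchi:
            if src != q or not guard(labels[s]):
                continue
            for s2 in edges[s]:
                graph[(s, q)].append(((s2, dst), acc))
                todo.append((s2, dst))
    return graph

def reachable_from(graph, start):
    seen, todo = set(), [start]
    while todo:
        x = todo.pop()
        if x not in seen:
            seen.add(x)
            todo.extend(y for y, _ in graph[x])
    return seen

def accepting_cycle(graph):
    """Emptiness check for one acceptance set: the language is non-empty iff some
    accepting transition u -> v lies on a cycle. Returns it as a witness, or None."""
    for u, succ in graph.items():
        for v, acc in succ:
            if acc and u in reachable_from(graph, v):
                return (u, v)
    return None
```

A non-None result is the accepting transition of a lasso, i.e. a counterexample; None means M ⊨ ϕ for this model.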
Büchi automata can be used to represent sets (finite or infinite) of infinite behaviors. Some operations are easy to perform on these sets: union, intersection, and emptiness check. Some are harder (e.g. complementation, universality check).
By reducing the verification problem to some operations between automata, we actually obtained an efficient verification procedure.
Bottleneck: translating a formula of size n can lead to a TGBA of size 2^O(n). The size of the product of two automata is bounded by the product of the sizes, so it is important to have small automata on both sides. Emptiness check is linear in the size of the product.
For CSE students: the automata seen in ToC are simpler because they recognize finite words. Yet they allow similar operations and