Formal System Verification

Formal System Verification LTL Model Checking Vered Gafni, TAU

The Verification Problem • Given •  - system requirements specification, •  - system assumptions specification, • D – controller design (a transition system) Verify that: Dsatisfies, assuming. Vered Gafni, TAU

Satisfaction: Traces & Models • Dsatisfies, assuming. • def Every possible run of D is a model of  • Runs (traces) of D are of the form: • 0,1,… where =2Obs2@A , i.e., = , , 2Obs,2@A. • Models of  are traces of the form: • 0,1,… where =2Obs@A • Hence, unify by 1-2-1 mapping 2Obs2@A  2Obs@A • defined by: , Vered Gafni, TAU

Satisfaction Checking Techniques* • Logical approach - D and represented by logical formulae. • Automata-Theoretic approach- D and represented by automata • Semantic approach - Computation of the semantics of  on D. * Henceforth, for the technical treatment assume  represents  Vered Gafni, TAU

Basic Limitation • All methods are based on representation of the design • in form of a finite state machine, hence: • Appropriate to reactive part of systems (may consists of interacting subsystems). • Not suited to data-transformation computations since usually introduce huge (practically infinite) state space. • All verification algorithms, except deductive reasoning, does not provide for generalization. Vered Gafni, TAU

Logical approach • Express design by a logical formula . • Satisfaction checking:  • Either use deductive reasoning to prove -(not automatic) • Or, use decision procedure (fully automatic) • From logic:  iff , • The formula  is valid iff () is not satisfiable. So checksatiafiability of () • Transform  into an operational transition system (program synthesis). Vered Gafni, TAU

Example: XR Crossingdesign expressed in LTL • Upon train entrance and no train leaving trigger gate closing • (Tin Tout)  @Close • Upon gate closing turns the signal to show “go”. • Close!  Go • At startup and upon train exit triggers gate opening and turns the signal to show “stop” • @Open Stop  ((ToutTin)  @Open Stop) Vered Gafni, TAU

 D  yes, no (why ?) D Automata-Theoretic approach • Underlying formalism: Buchi Automata (BA) - infinite words. • Given system design D that is supposed to satisfy property : • Transform  into equivalent BAA • Transform D into equivalent BAAsys • Check containment L(Asys)L(A). Model Checker Vered Gafni, TAU

Transition Labeled Buchi Automata (TL-BA) • A = , S, S0, , F  • S – set of states, S0 S initial states. •  - set of propositions (events) • : S 2S– non deterministictransition function, • FS - subset of final states. A accepts  iff S s.t. • 0S0, • i. i1(i,i) • inf()F • L(A)= { | A accepts  } Vered Gafni, TAU

State Labeled Buchi Automata (SL-BA) • A = , S, S0, , F, l • S – set of states, S0 S initial states. •  - set of propositions (events) • : S  2S– non deterministictransition function • FS - subset of final states • l: S   - states labeling function • A accepts  iff S s.t. • 0S0, • i. i1(i) and l(si)=i • inf()F • L(A)= {| A accepts  } Vered Gafni, TAU

SL-BA to TL-BA • Given SL=, S, S0, , F, I define TL=, S’, S’0, ’, F • S’0 --new states one per each state in S0 • S’ = SS’0 • ’= { (s’0,,s0) | l(s0)= }  { (q,,r) | (q,r)  l(r)= } Vered Gafni, TAU

TL-BA to SL-BA • Given TL=, S, S0, , FdefineSL=, S’, S’0, ’, F’, l • S’ = { q,|r.(q,,r)}, -- puling events back • S’0 = {q,S’ |qS0 } • ’(q,)= { r,’S’ | (q,,r) }, • F’ = { r,’S’ | rF}, • l (q,)=. TL-BA  SL-BA Vered Gafni, TAU

* vs.  • L(A1)=L(A2) does not imply L(A1)=L(A2) L(A1)=L(A2)={ bn+2 | n }, L(A1)=b, L(A2)=  L(A1)=L(A2)  L(A1)=L(A2) if A1,A2 are deterministic • L(A1)=L(A2) does not imply L(A1)=L(A2) L(A1)= { b2n | n }, L(A2)= { b2n+1 | n }, L(A1)= L(A2)= b, Vered Gafni, TAU

* vs.  (cont) • Finite automata: Non-deterministic  deterministic • -automata: Non-deterministic  deterministic Accepts (r+q)*r,not accepted by any deterministic -automata (Exercise) Vered Gafni, TAU

BA Closure Properties • LBA are closed under • union, • intersection (needs special treatment), • projection, • complementation (not trivial). • Non-emptiness is decidable Vered Gafni, TAU

Closure Properties of BA - L(A1A2)= L(A1)  L(A2) A1A2 = , S1S2, S01S02, (s)=?sS1: 1(s), 2(s), F1F2, L(s)=?sS1: L1(s), L2(s) • L(AC) = - L(A) • Unlike deterministic case, complementation is highly not trivial: • - BA is not determinizable • - It is possible to have runs s.t. inf(r)F, and inf(r)(S-F) - L(A1A2)L (A1) L (A2) will be discussed later Vered Gafni, TAU

Other Acceptance Criteria • Buchi FS inf(s)∩F≠F • Co-Buchi FS inf(s)⊆F F • Streett F 2S×2S(l,r)∈F, inf(s)∩l≠ inf(s)∩r≠ • ∧(l ⇒r) • Rabin F 2S×2S (l,r)∈F, inf(s)∩l= inf(s)∩r≠ • ∨(¬l ∧r) • -Buchiand CoBuchi automata cannot be determinized • Streett and Rabin automata can be determinized • Nondeterministic Buchi • = Nondeterministic Streett = Deterministic Streett • = NondeterministicRabin= Nondeterministic Rabin • =-regular [Buchi 1960] Vered Gafni, TAU

Set Labeling of SL-BA select one letter of the set labeling a state • A = , S, S0, , F, l • l: S  2- states labeling function • A accepts  iff S s.t. • 0S0, • i. i1(i) and i l(i) • inf()F • L(A)= {| A accepts  } ((p+q)p(q+)) Vered Gafni, TAU

LTL to SL-BA (I) • Given an LTL formula over AP, • Define = 2AP i.e.  is a set of events, e.g.: { p,q } • So l(s)2 is a set of sets of events, e.g.: {{p},{p,q}} • Assume , true • Example: L (A) = ({q}*({p}+{p,q})) (qUp) Vered Gafni, TAU

LTL to SL-BA (II) L (A) = ({q,r}*[p]) ((qr)Up) L (A) = (([q]+[r])*[p]) ((qr)Up) -- for pAP, [p]=2AP , the elements that contain p e.g., [p] ={ {p}, {p,q}, {p,r}, {p,q,r} } Vered Gafni, TAU

LTL to SL-BA (III) L (A) = ({}*{p}) p L (A) = {p} p -- {}  true (recall true is implicitly associated with every set) multiple representations Vered Gafni, TAU

LTL vs. BA Expressive power • Consider the property: • odd(p)=p is true at the odd positions (and may be true or • false elsewhere). • -regular expression: (p) • SL-BA representation: • LTL attempts: 1 = p (p OOp), 2 = p (pOp) let =ppppp then |=odd(p) but |1. let =p then |=odd(p) but |2. • However, the ETL formula: q.(q ((q Oq)  (qp))) • is correct. Vered Gafni, TAU

LTL to BA Translation • Theorem (Wolper,Vardi, Sisla 83). • For any LTL formula  a Buchi automaton A can be constructed • s.t. L(A) is exactly the set of models that satisfy . • In general, BA are more expressive than LTL: • LTL  monadic first order theory of linear orders •  star-free -regular languages •  • BA  monadic second order theory of linear orders •  -regular languages • ETL (q.LTL)  BA No periodic sub-strings Vered Gafni, TAU

Naive LTL to SL-BA Translation • Induction on the structure of . • =p (proposition), define A={{p}},{1,2},{1},,{2}, l where: • (1)=2, (2)=2, and l (1)={p}, l(2)={{p},{}} • =12 use the union construction • A1A2 = , S1S2, s1s2, (s)=?sS1: 1(s), 2(s), • F1F2, l(s)=?sS1: l1(s), l2(s) Vered Gafni, TAU

Naive LTL to Automata Translation (Cont.) • =O, let A =, S, s0,, F, l and define • A=, S{i},{i},’, F, l’ • where: ’(s)=?(s=i): s0,(s), l’(s)=?(s=i): , l(s) • =, use the complement A=(A)C - difficult • =1U2 - difficult. Complexity: The size of (A)C and A1U2 is exponential in the size of the formula. Thus total complexity: |A| = 22… (exponent raises || times). Vered Gafni, TAU

Towards LTL Automaton • Decidability proof of LTL: • LTL formula  is transformed into a directed graph A, X : • A – generalized atoms (consistent subset of closure formulae), • X A A (next relation) • It is proved that 0,1,2,… is a model of  iff there is afulfilling path =D0,D1,D2,…in A, X  • Our goal is to turn A,X into an automaton that recognizes • exactly the fulfilling paths. Vered Gafni, TAU

LTL Transition System • GivenA, X define the transition system: • A =  S, , , S0, l • S = A, S0 = { AA | A } •  = 2AP where AP={ atomic events in  } • = X , • l(A) = { | pos(A), neg(A) } • where: pos(A)=AAP, • neg(A)={pAP | pA} •  In order to turn into BA, F needs to be defined Vered Gafni, TAU

pq, p, q, p, q, Op, Oq, p, q pq, p, q, p, q, Op, Oq, p, Oq A B pq, p, q, p, q, Op, Oq, Op, q pq, p, q, p, q, Op, Oq, Oq,Op C D Why BA is not sufficient?pq • Every path that goes i.o. through A is a model • Every path that goes i.o. through BandC is a model • Therefore, we need 2 • final sets: • For p: {A,B} • For q: {A,C} Vered Gafni, TAU

Generalized Buchi Automata (G-BA) • , S, S0, , F, l • Buchi automata where F 2S: • – F={F1,…Fk}, k0 -- FiS - subsets of final states, • Run of G-BA: • = s0,s1,s2 ,…S s.t. s0S0 , si+1(si) •  is accepting iff inf()Fi, i=1..k •  accepts =123…iff it is accepting run s.t. iL(si) Vered Gafni, TAU

G-BA Example • If F={{Q,S}} ( |F|=1) then L = a(b(a+))  a(b(a+))*b • If F=={{Q},{S}} ( |F|=2) then L =  • For BA: F=  L=, F=S  L=all runs are accepting • For G-BA: F=  L= all runs are accepting Vered Gafni, TAU

LTL Graph to G-BA • GivenA, X we define the G-BA • A =  S, , , S0, l, {Fi}1..k • S = A, S0 = { A A | A } •  = 2AP where AP={ atomic events in  } • = X, • l(A) = { | pos(A), neg(A) } • where: pos(A)=AAP, neg(A)={pAP | pA} • For each pUqcl():Fi(pUq)={ A | pUqA or qA } Theorem: Aaccepts exactly those runs over (2AP) that satisfy the LTL formula  (Gerth, Peled, Vardi, Wolper, 1995). Vered Gafni, TAU

LTL G-BA Construction Examples (I)  =p, AP={p}, ={,{p}}, F= p p  =Op, AP={p}, ={,{p}}, F= O(p), p Op,p, O(p), p O(p), p Vered Gafni, TAU

LTL G-BA Construction Examples (II)  = p, AP={p}, ={,{p}} p, p p, p p, p  = p, AP={p},  = {,{p}} p, p  p is in the closure therefore F Vered Gafni, TAU

LTL G-BA Construction Examples (III)  = p, AP={p}, ={,{p}}, F={F(p)={3}, F(p)={2,3}} 2: p,p, p 1:p,p, p 3: p,p, p  = p, AP={p},  = {,{p}} , F={F(p)={1,2}, F(p)={2}} 2: p,p, p 1: p,p, p Vered Gafni, TAU

LTL G-BA Construction Examples (IV) • = (pq), AP={p,q}, ={,{p},{q},{p,q}} – add F due to (p q) (all states) and q (Green states) (p q) (p q) p, q, q (p q) (p q) p, q, q (p q) (p q) p, q, q (p q) (p q) p, q, q (p q) (p q) p, q, q Vered Gafni, TAU

LTL G-BA Construction Examples (IV)  = pq, AP={p,q}, ={,{p},{q},{p,q}} pq, p, q, p, q, Op, Oq, p, q pq, p, q, p, q, Op, Oq, p, Oq,q F due to p, q but also p, q (all states) pq, p, q, p, q, Op, Oq, Op, q,p pq, p, q, p,q,p,q Op, Oq, Oq,Op Vered Gafni, TAU

TheoremAaccepts exactly those runs over (2AP) that satisfy . • Proof. We show that D0,D1,… where D0 is a fulfilling path iff it is accepting • run of A. Then, the proof follows from the proof of LTL satisfiability. • By construction, D0 for all runs of A. • If no pUqcl() then every run is fulfilling and F={}, hence all runs are accepting. • In what follows, assume exists pUqcl() •  Assume fulfilling path =D0,D1,… observe 2 cases: • k s.t. for jk pUqDj then D’inf() s.t. pUqD’. Thereforeinf()F(pUq) hence is accepting run of A. • o.w.  i.m. Dj s.t.qDj, (since  is fulfilling). Hence, at least one of them D’inf(), and by def. D’F(pUq) therefore inf()F(pUq) Vered Gafni, TAU

Proof.Aaccepts exactly those runs over (2AP) that satisfy . •  Assume =D0,D1,…accepting run and pUqDj then if qDj we are done. O.w. DjF(pUq). Let k be the least index s.t.: k>j, DkF(pUq) ( i.m. such states since  is accepting). Then if qDk we are done. O.w, pUqDk (by def. of F(pUq)), so observe the seq. =Dj..Dk since pUqDj but qDj then pUqDj+1(next relation) so continuing we must find j<m<k s.t. qDm o.w. we get that pUqDkand qDk contradiction to DkF(pUq). Vered Gafni, TAU

TheoremAaccepts exactly those runs over (2AP) that • satisfy the LTL formula . •   is satisfiable iff L(A). • Complexity results: • Let ||=n then |cl()|=O(n) hence |A|2O(n) • Checking L(A) can be done in |A|2 hence satisfiability can be checked in time (2O(n))2 = 2O(n) Vered Gafni, TAU

From G-BA to BA Lemma: For every G-BA there is an equivalent BA • Transformation principle • Let A be G-BA with Fi, i=1..k, define A’ as: • the BA that consists of k copies of A. • For each state in copy i that belongs to Fi replace its connections to successors in copy i to the corresponding successors in copy i+1. • Define F’=Fi for some i. Vered Gafni, TAU

G-BA  BA (formal) • Let A=, S, S0, , F, I be G-BA with F={F1,…Fk}. k1. • Then define an BA A’=, S’, S0’,’, F’, l’ as follows. • S’ = S{ i | i=1..k }, S0’ = S0{ j } for some 1jk • ’ = { (s,i) (s’,i) iff ss’ and sFi } •  { (s,i)(s’,i+1 mod k) iff ss’ and sFi } • F’ = Fi{h} for some 1hk • l’(s,i) = l(s) • Claim: L (A) = L (A’) Vered Gafni, TAU

Example: G-BA  BA Vered Gafni, TAU

From Design to LBA • Given TS: D =  S, T, sinit,Ainit over E, A • where:sinitS, A init2@A, T: S2Obs2@A S • Define the BA:AD =  SD, , , spre, F, l • SD = {s, | s’. T(s,(,))=s’}  { spre} •  = 2Obs@A, • (s,) = { s’’,’ | T(s,(,))=s’ }, • (spre)= {s, | s=sinit} • F = SD, • l(s, ) = , l(spre)= Ainit Vered Gafni, TAU

Example:TS BA Vered Gafni, TAU

 D  L(AD)  L(A) yes, no (why ?) D LTL model checking I • Model checking: • Given , construct A , the corresponding BA • Construct AD, the BA representing the design • Check whether L(AD)  L(A) • Direct check: L(AD)  L(A) • L(AD)  L(A)  L(AD)  L(AC) =  • The construction of AC is quadratically exponential (if A hasn states then AC has kn2 states). Vered Gafni, TAU

LTL model checking II L(AC) = L(A) • Model checking: • Given , construct A , • Construct AD, • Check whether L(AD)  L(A) =  •  L=L(AD)L(A) then every element in L is a counter-example; furthermore it has the form UV (recall the decidability proof) same ‘price’ as the construction of A Vered Gafni, TAU

Product Automata • GivenA1 = 1, S1, s01, 1, F1, l1, A2 = 2, S2, s02, 2, F2, l2 • A1A2 = 12, S, s0, , F, l • Where: • S = { (s,s’)S1S2 |l1(s)=l2(s’) } • s0 = (s01, s02) if (s01, s02)S •  = {(s1, s2)(s1’, s2’) | s1 s1’1and s2 s2’2 } • F = F1F2 S • l(s,s’) = l1(s) - also l2(s’) L(A1A2)L(A1) L(A2) ? Vered Gafni, TAU

Example: Product Automata FA: L(A1)=a2n+1, L(A2)=a2n and L(A1A2) • In general, for FA:L(A1A2)=L(A1)L(A2) BA: L(A1)=a, L(A2)=a but L(A1A2) In general, for BA:L(A1A2)L(A1)L(A2) Vered Gafni, TAU

Sync. Product Buchi Automata • GivenA1 = 1, S1, s01, 1, F1, l1, A2 = 2, S2, s02, 2, F2, l2 • A1A2 = 12, S, s0, , F, l • Where: • S = { (s, s’)S1S2|l1(s)=l2(s’) }  { 1, 2 } • s0 = (s01, s02,1) if (s01, s02, 1)S •  = if s1 s1’  1and s2 s2’  2 then • if s1F1then (s1, s2,1) (s1’, s2’,2) else (s1, s2,1) (s1’, s2’,1) • if s2F2 then (s1, s2,2) (s1’, s2’,1) else (s1, s2,2) (s1’, s2’,2) • F = (F1S2 {1})S • I((s,s’),i) = l1(s) -- also l2(s’) •  In fact, for G-BA with F={F1,…,FK}: L(F)= L(Fi), i=1..K L(A1A2)=L(A1)  L(A2) Vered Gafni, TAU

Example: Sync. Product Buchi Automata BA: L(A1)=a, L(A2)=a, L(A1A2)=a Vered Gafni, TAU

Formal System Verification

Formal System Verification

Presentation Transcript

Overview of Formal Verification

Formal Verification

Simulation meets formal verification

Formal Verification: An Overview

An Introduction to Formal Verification

Formal Verification

Formal verification in Embedded System design

Coverage Metrics in Formal Verification

The Reveal Turn-Key Formal Verification System

Formal verification in SPIN

Formal Software Verification

Formal verification of software

Formal Verification(1)

Formal Verification

Modernizing Formal Verification Engines

Formal Verification

Formal verification: Property checking

Teaching Functional Formal Verification

Formal verification : SAT

Formal verification : SAT