Motivation Checking Quality Testing is incomplete, gives no guarantees of correctness. Deductive verification is expensive. Typical reasons for system failure Unexpected or boundary input values. Interaction of system components. Parallelism (difficult to test). Model Checking Automated verification process for ... ... parallel and distributed systems. Section Verification of Parallel and Reactive Programs Parallel Programs Parallel Composition Components concurrently contribute to the transformation of a computation state. The meaning comes from interleaving of actions (transformation steps) of individual components. Meaning Functions Do Not Compose Meaning function of a composition cannot be obtain as composition of meaning functions of participating components. The result depends on particular interleaving. Example of Incomposability Parallel System System: (y=x; y++; x=y) (y=x; y++; x=y) Input-output variable x Meaning function of both processes is λx->x+1. The composition is: (λx->x+1)·(λx->x+1). (λx->x+1)·(λx->x+1) 0 = 2 Two Different System Runs State = (x, y1, y2) (0,-,-) y1=x −→ (0,0,-) y2=x −→ (0,0,0) y1++ −→ x=y1 −→ (1,1,0) y2++ −→ x=y2 −→ (1,1,1) (0,-,-) y1=x −→ (0,0,-) y1++ −→ x=y1 −→ (1,1,-) y2=x −→ (1,1,1) y2++ −→ x=y2 −→ (2,1,2) Properties of Parallel Programs Observation Specific timing of events related to interaction of components is a form of (part of) input. Asynchronous parallel system can be viewed as reactive as there are unknown inputs at the time of execution. Consequence For parallel and reactive systems it is difficult to specify the intended behaviour using pre- and post-conditions. Properties of Parallel/Reactive Programs Examples of Specification Events A and B happens before event C. User is not allowed to enter a new value until the system processes the previous one. Procedure X cannot be executed simultaneously by processes P and Q (mutual exclusion). Every action A is immediately followed by a sequence of actions B,C and D. Turning into Formal Language Use of Modal and Temporal Logics. Amir Pnueli, 1977 Deductive Verification for Modal and Temporal Logic Observation Systems similar to Hoare Logic may be built for modal and temporal logic. Even more demanding on personal. For parallel and reactive systems exhibits similar disadvantages as techniques built on top of pre- and post-conditions. Model checking Alternative way of formal verification of systems. Specification given with formulae of some temporal logic. Based on state-space exploration. Section Model Checking Model Checking – Overview Build a formal model M of the system under verification. Express specification as a formula ϕ of selected temporal logic. Decide, if M |= ϕ. That is, if M is a model of formula ϕ. (Hence the name.) Optionally As a side effect of the decision a counterexample may be produced. The counterexample is a sequence of states witnessing violation (in the case the system is erroneous) of the formula. Model checking (the decision process) can be fully automated for all finite (and some infinite) models of systems. Model Checking – Schema Requirements Specification Property Formalization System System Model Model Checking Simulation Counterexample Invalid Valid ErrorModelling Automated Tools for Model Checking Model Checkers Software tools that can decide validity of a formula over a model of system under verification. SPIN, UppAal, SMV, Prism, DIVINE . . . Modelling Languages Processes described as extended finite state machines. Extension allows to use shared or local variables and guard execution of a transition with a Boolean expression. Optionally, some transitions may be synchronised with transitions of other finite state machines/processes. Section Modelling and Formalisation of Verified Systems Atomic Proposition Reminder System can be viewed as a set of states that are walked along by executing instructions of the program. State = valuation of modelled variables. Atomic Propositions Basic statements describing qualities of individual states, for example: max(x, y) ≥ 3. Validity of atomic proposition for a given state must be decidable with information merely encoded by the state. Amount of observable events and facts depends on amount of abstraction used during the system modelling. Kripke Structure Kripke Structure Let AP be a set of atomic propositions. Kripke structure is a quadruple (S, T, I, s0), where S is a (finite) set of states, T ⊆ S × S is a transition relation, I : S → 2AP is an interpretation of AP. s0 ∈ S is an initial state. Kripke Transition System Let Act be a set of instructions executable by the program. Kripke structure can be extended with transition labelling to form a Kripke Transitions System. Kripke Transition System is a five-tuple (S, T, I, s0, L), where (S, T, I, s0) is Kripke Structure, L : T → Act is labelling function. Kripke Structure – Example Kripke Structure P P,S,B P,S,C Beer Coke Payment Choice AP={P – Paid, S – Served, C – Coke, B – Beer} Kripke Transition System P P,S,B P,S,C Takes Beer Takes Coke Chooses Coke Chooses BeerGives Coin Beer Coke Payment Choice AP={P – Paid, S – Served, C – Coke, B – Beer} System Run Run Maximal path (such that it cannot be extended) in the graph induced by Kripke Structure starting at the initial state. Let M = (S, T, I, s0) be a Kripke structure. Run is a sequence of states π = s0, s1, s2, . . . such that ∀i ∈ N0.(si , si+1) ∈ T. Finite Paths and Runs Some finite path π = s0, s1, s2, . . . , sk cannot be extended if sk+1 ∈ S.(sk, sk+1) ∈ T. Technically, we will turn maximal finite path into infinite by repeating the very last state. Maximal path s0, . . . , sk will be understood as infinite run s0, . . . , sk, sk, sk, . . .. Implicit and Explicit System Description Observation Usually, Kripke structure that captures system behaviour is not given by full enumeration of states and transitions (explicitly), but it is given by the program source code (implicitly). Implicit description tends to be exponentially more succinct. State-Space Generation Computation of explicit representation from the implicit one. Interpretation of implicit representation must be formally precise. Practise Programming languages do not have precise formal semantics. Model checkers often build on top of modelling languages. En Example of Modelling Language – DVE Finite Automaton States (Locations) Initial state Transitions (Accepting states) Transitions Extended with Guards Synchronisation and Value Passing Effect (Assignment) Local Variables integer, byte channel p1 p4 p2 p3 x==b b=0,x=0 sync c?x b=b+1 b=b+1 Process B byte b,x; Example of System Described in DVE Language channel {byte} c[0]; process A { byte a; state q1,q2,q3; init q1; trans q1→q2 { effect a=a+1; }, q2→q3 { effect a=a+1; }, q3→q1 { sync c!a; effect a=0; }; } process B { byte b,x; state p1,p2,p3,p4; init p1; trans p1→p2 { effect b=b+1; }, p2→p3 { effect b=b+1; }, p3→p4 { sync c?x; }, p4→p1 { guard x==b; effect b=0, x=0; }; } system async; Semantics Shown By Interpretation State: []; A:[q1, a:0]; B:[p1, b:0, x:0] 0 0.0 : q1 → q2 { effect a = a+1; } 1 1.0 : p1 → p2 { effect b = b+1; } Command:1 ————————————————————— State: []; A:[q1, a:0]; B:[p2, b:1, x:0] 0 0.0 : q1 → q2 { effect a = a+1; } 1 1.1 : p2 → p3 { effect b = b+1; } Command:1 ————————————————————— State: []; A:[q1, a:0]; B:[p3, b:2, x:0] 0 0.0 : q1 → q2 { effect a = a+1; } Command:0 ————————————————————— State: []; A:[q2, a:1]; B:[p3, b:2, x:0] 0 0.1 : q2 → q3 { effect a = a+1; } Command:0 ————————————————————— State: []; A:[q3, a:2]; B:[p3, b:2, x:0] 0 0.2&1.2 : q3 → q1 { sync c!a; effect a = 0; } p3 → p4 { sync c?x; } Command:0 ————————————————————— State: []; A:[q1, a:0]; B:[p4, b:2, x:2] Section Formalising System Properties Specification as Languages of Infinite Words Problem How to formally describe properties of a single run? How to mechanically check for their satisfaction? Solution Employ finite automaton as a mechanical observer of run. Runs are infinite. Finite automata for infinite words (ω-regular languages). Büchi acceptance condition – automaton accepts a word if it passes through an accepting state infinitely many often. Automata over infinite words Büchi automata Büchi automaton is a tuple A = (Σ, S, s, δ, F), where Σ is a finite set of symbols, S is a finite set f states, s ∈ S is an initial state, δ : S × Σ → 2S is transition relation, and F ⊆ S is a set of accepting states. Language accepted by a Büchi automaton Run ρ of automaton A over infinite word w = a1a2 . . . is a sequence of states ρ = s0, s1, . . . such that s0 ≡ s and ∀i : si ∈ δ(si−1, ai ). inf (ρ) – Set of states that appear infinitely many time in ρ. Run ρ is accepting if and only if inf (ρ) ∩ F = ∅. Language accepted with an automaton A is a set of all words for which an accepting run exists. Denoted as L(A). Shortcuts in Transition Guards Observation Let AP={X,Y,Z}. Transition labelled with {X} denotes that X must hold true upon execution of the transition, while Y and Z are false. If we want to express that X is true, Z is false, and for Y we do not care, we have to create two transitions labelled with {X} and {X, Y }. APs as Boolean Formulae Transitions between the two same states may be combined and labelled with a Boolean formula over atomic propositions. Example Transitions {X}, {Y}, {X,Y}, {X,Z}, {Y,Z} a {X,Y,Z} can be combined into a single one labelled with X ∨ Y . If there are no restrictions upon execution of the transition, it may be labelled with true ≡ X ∨ ¬X. Task: Express with a Büchi automaton System Vending machine as seen before. Σ = 2{P,S,C,B}, Paid = {A ∈ Σ | P ∈ A}, Served = {A ∈ Σ | S ∈ A}, . . . Express the following properties Vending machine serves at least one drink. Vending machine serves at least one coke. Vending machine serves infinitely many drinks. Vending machine serves infinitely many beers. Vending machine does not serve a drink without being paid. After being paid, vending machine always serve a drink. Section Linear Temporal Logic Linear Temporal Logic (LTL) Informally Formula ϕ Is evaluated on top of a single run of Kripke structure. Express validity of APs in the states along the given run. Temporal Operators of LTL F ϕ — ϕ holds true eventually (Future). G ϕ — ϕ holds true all the time (Globally). ϕ U ψ — ϕ holds true until eventually ψ holds true (Until). X ϕ — ϕ is valid after execution of one transition (Next). ϕ R ψ — ψ holds true until ϕ ∧ ψ holds true (Release). ϕ W ψ — until, but ψ may never become true (Weak Until). Graphical Representation of LTL Temporal Operators X ϕ : •−→ ϕ •−→•−→•−→•−→• · · · ϕ U ψ : ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ψ •−→• · · · F ϕ : •−→•−→•−→•−→ ϕ •−→• · · · G ϕ : ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ϕ • · · · ϕ R ψ : ψ •−→ ψ •−→ ψ •−→ ψ •−→ ϕ∧ψ • −→• · · · or ψ •−→ ψ •−→ ψ •−→ ψ •−→ ψ •−→ ψ • · · · ϕ W ψ : ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ψ •−→• · · · or ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ϕ •−→ ϕ • · · · Syntax of LTL Let AP be a set of atomic propositions. If p ∈ AP, then p is an LTL formula. If ϕ is Alternatively ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | X ϕ | ϕ U ϕ IA169 System Verification and Assurance – 05 str. 30/45 Syntactic shortcuts Propositional Logic ϕ ∧ ψ ≡ ¬(¬ϕ ∨ ¬ψ) ϕ ⇒ ψ ≡ ¬ϕ ∨ ψ ϕ ⇔ ψ ≡ (ϕ ⇒ ψ) ∧ (ψ ⇒ ϕ) Temporal operators F ϕ ≡ true U ϕ G ϕ ≡ ¬F ¬ϕ ϕ R ψ ≡ ¬(¬ϕ U ¬ψ) ϕ W ψ ≡ ϕ U ψ ∨ G ϕ Alternative syntax Fϕ ≡ ϕ Gϕ ≡ ϕ Xϕ ≡ ◦ϕ IA169 System Verification and Assurance – 05 str. 31/45 Models of LTL Formulae Model of an LTL formula Let AP be a set of atomic propositions. Model of an LTL formula is a run π of Kripke structure. Notation Let π = s0, s1, s2, . . .. Suffix of run π starting at sk is denoted as πk = sk, sk+1, sk+2, . . .. K-th state of the run, is referred to as π(k) = sk. IA169 System Verification and Assurance – 05 str. 32/45 Semantics of LTL Assumptions Let AP be a set of atomic propositions. Let π be a run of Kripke structure M = (S, T, I, s0). Let ϕ, ψ be syntactically correct LTL formulae. Let p ∈ AP denote atomic proposition. Semantics π |= p iff p ∈ I(π(0)) π |= ¬ϕ iff π |= ϕ π |= ϕ ∨ ψ iff π |= ϕ or π |= ψ π |= X ϕ iff π1 |= ϕ π |= ϕ U ψ iff ∃k.0 ≤ k, πk |= ψ and ∀i.0 ≤ i < k, πi |= ϕ IA169 System Verification and Assurance – 05 str. 33/45 Semantics of Other Temporal Operators π |= F ϕ iff ∃k.k ≥ 0, πk |= ϕ π |= G ϕ iff ∀k.k ≥ 0, πk |= ϕ π |= ϕ R ψ iff (∃k.0 ≤ k, πk |= ϕ ∧ ψ and ∀i.0 ≤ i < k, πi |= ψ) or (∀k.k ≥ 0, πk |= ψ) π |= ϕ W ψ iff (∃k.0 ≤ k, πk |= ψ and ∀i.0 ≤ i < k, πi |= ϕ) or (∀k.k ≥ 0, πk |= ϕ) IA169 System Verification and Assurance – 05 str. 34/45 LTL Model Checking Verification Employing LTL System is viewed as a set of runs. System is satisfies LTL formula if and only if all system runs satisfy the formula. In other words, any run violating the formula is a witness that the system does not satisfy the formula. Lemma If a finite state system does not satisfy an LTL formula then this may be witnessed with a lasso-shaped run. Run π is lasso-shaped if π = π1 · (π2)ω, where π1 = s0, s1, . . . , sk π2 = sk+1, sk+2, . . . , sk+n, where sk ≡ sk+n. Note that πω denotes infinite repetition of π. IA169 System Verification and Assurance – 05 str. 35/45 Section Automata-Based Approach to LTL Model Checking IA169 System Verification and Assurance – 05 str. 36/45 Languages of infinite words Observation One System is a set of (infinite) runs. Also referred to as formal language of infinite words. Observation Two Two different runs are equal with respect to an LTL formula if they agree in the interpretation of atomic propositions (need not agree in the states). Let π = s0, s1, . . ., then I(π) def ⇐⇒ I(s0), I(s1), I(s2), . . .. Observation Three Every run either satisfies an LTL formula, or not. Every LTL formula defines a set of satisfying runs. IA169 System Verification and Assurance – 05 str. 37/45 Reduction to Language Inclusion Problem Formulation Let the system under verification be given as Kripke structure M = (S, T, I, s0) and system specification as LTL formula ϕ. Does system M satisfies specification ϕ? (M ? |= ϕ) Reformulation as Language Problem Let Σ = 2AP be an alphabet. Language Lsys of all runs of system M is defined as follows. Lsys = {I(π) | π is a run in M}. Language Lϕ of runs satisfying ϕ is defined as follows. Lϕ = {I(π) | π |= ϕ}. Observation System M satisfies specification ϕ if and only if Lsys ⊆ Lϕ. IA169 System Verification and Assurance – 05 str. 38/45 Lsys and Lϕ expressed by Büchi automaton Theorem For every LTL formula ϕ there exists (and can be efficiently constructed) Büchi automaton Aϕ such that Lϕ = L(Aϕ). Vardi and Wolper, 1986 Theorem For every Kripke structure M = (S, T, I, s0) we can construct Büchi automaton Asys such that Lsys = L(Asys). Construction of Asys Let AP be a set of atomic propositions. Then Asys = (S, 2AP , s0, δ, S), where q ∈ δ(p, a) if and only if (p, q) ∈ T ∧ I(p) = a. IA169 System Verification and Assurance – 05 str. 39/45 Synchronous Product of Büchi Automata Theorem Let A = (SA, Σ, sA, δA, FA) and B = (SB, Σ, sB, δB, FB) be Büchi automata over the same alphabet Σ. Then we can construct Büchi automaton A × B such that L(A × B) = L(A) ∩ L(B). Construction of A × B A×B = (SA ×SB ×{0, 1}, Σ, (sA, sB, 0), δA×B, FA ×SB ×{0}) (p , q , j) ∈ δA×B((p, q, i), a) for all p ∈ δA(p, a) q ∈ δB(q, a) j = (i + 1) mod 2 if (i = 0 ∧ p ∈ FA) ∨ (i = 1 ∧ q ∈ FB) j = i otherwise IA169 System Verification and Assurance – 05 str. 40/45 Synchronous Product of Büchi Automata – Task Let L1 = {w ∈ {a, b, c}ω | a ∈ inf (w)} L2 = {w ∈ {a, b, c}ω | inf (w) = {b}} L3 = L1 ∩ L2 Find Büchi automata for L1, L2 and L3. IA169 System Verification and Assurance – 05 str. 41/45 Synchronous Product of Büchi Automata – Simplification Observation For the purpose of LTL model checking, we do not need general synchronous product of Büchi automata, since Büchi automaton Asys is constructed in such a way that FA = SA, i.e. it has all states accepting. For such a special case the construction of product automata can be significantly simplified. Construction of A × B when FA = SA A × B = (SA × SB, Σ, (sA, sB), δA×B, SA × FB) (p , q ) ∈ δA×B((p, q), a) for all p ∈ δA(p, a) q ∈ δB(q, a) IA169 System Verification and Assurance – 05 str. 42/45 Reduction to Büchi Emptiness Problem Theorem For every LTL formula ϕ it holds that co−L(Aϕ) = L(A¬ϕ). By co−M we denote complement to the set of all words over the alphabet of M. Reduction of M |= ϕ to the emptiness of L(Asys × A¬ϕ) M |= ϕ ⇐⇒ Lsys ⊆ Lϕ M |= ϕ ⇐⇒ L(Asys) ⊆ L(Aϕ) M |= ϕ ⇐⇒ L(Asys) ∩ co−L(Aϕ) = ∅ M |= ϕ ⇐⇒ L(Asys) ∩ L(A¬ϕ) = ∅ M |= ϕ ⇐⇒ L(Asys × A¬ϕ) = ∅ IA169 System Verification and Assurance – 05 str. 43/45 Reduction to Accepting Cycle Detection Theorem Büchi automaton A = (S, Σ, s0, δ, F) accepts a non-empty language if and only if there is a state s ∈ F and words w1, w2 ∈ Σ∗ such that s ∈ ˆδ(s0, w1) a s ∈ ˆδ(s, w2). That is, the graph of Büchi automaton contains a reachable accepting cycle (cycle through an accepting state). Decision Procedure for M |= ϕ? Build a product automaton (Asys × A¬ϕ). Check the automaton for presence of an accepting cycle. If there is a reachable accepting cycle then M |= ϕ. Otherwise M |= ϕ. IA169 System Verification and Assurance – 05 str. 44/45 Practicals and Homework – 05 Practicals Specifying properties with Büchi Automata. Specify properties using LTL. Model-based verification using DIVINE model checker. Homework Model Peterson’s mutual exclusion protocol in ProMeLa. State expected LTL properties of Peterson’s protocol. Verify them using SPIN model checker. IA169 System Verification and Assurance – 05 str. 45/45