
Formal methods of software development
Academic year 2013/2014
Prof. Anna Labella
Introducing FV

What is formal verification?
– Establishing properties of system designs using
mathematical methods

Why use formal methods?
– Safety Critical Systems
– High Bug Costs

Why Hardware?
– High bug costs
– Greater reliability required by customers
– Feasible (more or less)
Introducing FV
How is it done?
The method works on two inputs: a Model and a Property.
The method's output is either an assurance that the property holds or a counter-example.
[Figure: Model and Property fed into the method; the output is either "P always holds" or a counterexample]
Defining a Model

Definitions
– State - a snapshot of the values of the variables at a particular instant of time.
– Finite state system - a system which has a finite number of different states.
– Transition - the ordered pair <state before, state after>.
– Computation - an infinite sequence of states where each state is obtained from the previous one by a transition.
Defining a Model

Intuition
– A State – (0,1)
– A Finite state system – {(0,0),(0,1),(1,0),(1,1)}
– A Transition – <(0,0),(0,1)>
– A Computation – <(0,0),(0,1),(1,0),(0,0),(0,1),... >
[Figure: two-bit counter (bits 0 and 1) with transitions inc and Reset]
Kripke Structure

Let AP be a set of atomic propositions.
A Kripke structure M over AP is a tuple M = (S, S0, R, L) where
– S is a finite set of states
– S0 ⊆ S is the set of initial states
– R ⊆ S × S is a transition relation that must be total, i.e., for every state s in S there is a state s' in S such that R(s,s').
– L is a function that labels each state with the set of all atomic propositions in AP that are true in that state.

A path in M from s is an infinite sequence of states π = s0 s1 s2 … such that s0 = s and R(si, si+1) holds for all i ≥ 0.
Defining a Model

M = (S, S0, R, L)
S = {s0, s1, s2, s3}
S0 = {(0,0)} (system starts with Reset)
R = {<s0, s1>, <s1, s2>, <s2, s0>, ... }
L = {(s0,(0,0)), (s1,(0,1)), (s2,(1,0)), (s3,(1,1))}
[Figure: state diagram of the counter with states s0, s1, s2, s3 and transitions inc and Reset]
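The Kripke structure of the two-bit counter written out in Python, as an added example that is not part of the lecture slides. It spells out S, S0, R and L for the counter and performs the two checks the definition demands: that R is total, and that a computation really follows R at every step. The exact transitions (inc adds one modulo 4, Reset returns to (0,0) from every state) are my reading of the figure and are an assumption.

```python
# Added example, not from the lecture slides: the two-bit counter of the
# "Defining a Model" slides as a Kripke structure M = (S, S0, R, L), with the
# totality check on R and the path check from the definition.
# Assumption: inc adds one modulo 4, Reset goes to (0,0) from every state.

AP = {"b1", "b0"}                       # atomic propositions: high bit, low bit

S = {(0, 0), (0, 1), (1, 0), (1, 1)}    # states: (high bit, low bit)
S0 = {(0, 0)}                           # the system starts with Reset


def inc(s):
    """The inc transition: add one to the two-bit value, wrapping at 4."""
    b1, b0 = s
    v = (2 * b1 + b0 + 1) % 4
    return (v // 2, v % 2)


def reset(s):
    """The Reset transition: back to (0,0) from any state."""
    return (0, 0)


# R as an explicit set of ordered pairs <state before, state after>
R = {(s, inc(s)) for s in S} | {(s, reset(s)) for s in S}


def L(s):
    """Labelling function: the atomic propositions true in state s."""
    b1, b0 = s
    return ({"b1"} if b1 else set()) | ({"b0"} if b0 else set())


def is_total(states, rel):
    """R must be total: every state needs at least one successor."""
    return all(any(u == s for (u, _) in rel) for s in states)


def is_path(seq, rel):
    """A finite prefix of a path from seq[0]: each consecutive pair is in R."""
    return all((seq[i], seq[i + 1]) in rel for i in range(len(seq) - 1))


def computation(n, schedule=(inc, inc, reset)):
    """First n states of the computation shown on the slides,
    (0,0),(0,1),(1,0),(0,0),(0,1),..., obtained by inc, inc, Reset, repeated."""
    path = [(0, 0)]
    step = 0
    while len(path) < n:
        path.append(schedule[step % len(schedule)](path[-1]))
        step += 1
    return path


if __name__ == "__main__":
    print("R is total:", is_total(S, R))
    prefix = computation(6)
    print("computation prefix:", prefix, "is a path:", is_path(prefix, R))
    print("L(1,0) =", L((1, 0)))
```

Removing every transition out of one state (for instance (1,1)) makes `is_total` fail, which is exactly the situation the definition rules out: a state with no successor has no infinite path through it, so the path-based semantics of CTL would not be defined there.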
Model-based verification
M |= φ
K |= φ
(the model, a Kripke structure K, satisfies the property φ)
CTL
Temporal operators are immediately preceded by a path quantifier.
The following are a complete set:
¬p, p ∧ q, AX p, EX p, A(p U q), E(p U q)
Others can be derived:
– EF p ≡ E(true U p)
– AF p ≡ A(true U p)
– EG p ≡ ¬AF ¬p
– AG p ≡ ¬EF ¬p

Minimal set of CTL Formulas

Full set of operators
– Boolean: ¬, ∧, ∨, →, ↔
– temporal: E, A, X, F, G, U, W

Minimal set sufficient to express any CTL formula
– Boolean: ¬, ∧
– temporal: E, X, U

Examples:
f ∨ g = ¬(¬f ∧ ¬g),
F f = true U f,
G f = ¬F ¬f = ¬(true U ¬f),
A(f) = ¬E(¬f)
Model Checking Example
Traffic light controller (simplified)
C = car sensor
T = timer
[Figure: two roads, Road 1 and Road 2, with a car sensor C and a timer T; state diagram with states G1 R2, Y1 R2, R1 G2, R1 Y2 and transitions labelled C'+T', CT, C'+T, CT'; the other light combinations G1 G2, Y1 Y2, R1 R2 are also listed]
Traffic light controller - Model Checking

Model Checking task: check
– safety condition
– fairness condition

Safety condition: no green lights on both roads at the same time
AG ¬(G1 ∧ G2)

Fairness condition: eventually one road has a green light
EF (G1 ∨ G2)
[Figure: the controller's state diagram with states G1 R2, Y1 R2, R1 G2, R1 Y2 and transitions C'+T', CT, C'+T, CT']
Checking the Safety Condition
AG ¬(G1 ∧ G2) = ¬EF (G1 ∧ G2)

S(G1 ∧ G2) = S(G1) ∩ S(G2) = {1} ∩ {3} = ∅
S(EF (G1 ∧ G2)) = ∅
S(¬EF (G1 ∧ G2)) = ¬∅ = {1, 2, 3, 4}
[Figure: state diagram with states numbered 1 = G1 R2, 2 = Y1 R2, 3 = R1 G2, 4 = R1 Y2]
Each state is included in {1,2,3,4} ⇒ the safety condition is true (for each state)
Checking the Fairness Condition
EF (G1 ∨ G2) = E(true U (G1 ∨ G2))

• S(G1 ∨ G2) = S(G1) ∪ S(G2) = {1} ∪ {3} = {1,3}
• S(EF (G1 ∨ G2)) = {1,2,3,4}
(going backward from {1,3}, find predecessors)
[Figure: backward search tree from states 1 and 3 through their predecessors]
Since {1,2,3,4} contains all states, the condition is true for all the states
Another Check
(EX)² (Y1) = EX (EX (Y1))
(starting at S1 = G1 R2, is there a path such that Y1 is true in 2 steps?)

S(Y1) = {2}
⇒ S(EX (Y1)) = {1} (predecessor of 2)
⇒ S(EX (EX (Y1))) = {1,4} (predecessors of 1)
[Figure: state diagram with states numbered 1 = G1 R2, 2 = Y1 R2, 3 = R1 G2, 4 = R1 Y2]
Property EX² (Y1) is true for states {1,4}, hence true (in the initial state 1)
Explicit Model Checking complexity

CTL model checking is linear in the size of the formula and the size of the structure M
This is not good news:
– what if you have 10^50 states?
– the number of states grows exponentially with the number of variables
– explicit model checking is limited to … 10^9 states

Symbolic model checking can do much better