Formal Verification and Model Checking
Traian Pop
Embedded Systems Laboratory, Department of Computer and Information Science, Linköping University, Sweden

System Validation

Formal Verification and Model Checking
Traian Pop
-2-
System Validation Techniques
- Simulation
- Testing
- Formal Verification
- Model Checking
2 of 20
11 Oct 2001
Simulation
- Based on an executable model of the system
- Permits a quick and shallow evaluation of the design quality
- Not suitable for finding subtle errors
Testing
- Based on the real implementation of the system, not on a model
- It is the only way of (partially) validating a design when:
  - the construction of a valid and reliable model of the system is difficult (due to complexity)
  - system parts cannot be formally modelled
  - the model is proprietary
Formal Verification
Formal verification requires:
- A model of the system
- A specification method
- A set of proof rules
Formal Verification (cont'd)
- Verification of sequential programs
- Pre- and post-conditions: {φ} S {ψ} (Hoare's triple)
  - {φ} S {ψ} is partially correct if any terminating computation of S that starts in a state satisfying φ terminates in a state satisfying ψ.
  - {φ} S {ψ} is totally correct if any computation of S that starts in a state satisfying φ terminates and finishes in a state satisfying ψ.
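An added example (not from the slides) that makes the partial/total distinction concrete: a Hoare triple is checked by running a small program exhaustively over a finite domain, with a run that exceeds a step bound treated as non-terminating. The countdown program, the domain and the step bound are constructed for illustration.

```python
# Added example, not from the slides: checking {pre} S {post} by exhaustive
# execution over a small finite domain. A run that exceeds STEP_LIMIT steps is
# treated as non-terminating, which separates partial from total correctness.
STEP_LIMIT = 1000  # constructed bound; real non-termination cannot be decided


def countdown(x):
    """S: while x != 0 do x := x - 1. Never terminates when started with x < 0."""
    steps = 0
    while x != 0:
        x -= 1
        steps += 1
        if steps > STEP_LIMIT:
            return None  # signals a (presumed) non-terminating run
    return x


def check_triple(pre, program, post, domain):
    """Return (partially_correct, totally_correct) of {pre} program {post}
    over the given finite domain of initial states."""
    partial = total = True
    for x in domain:
        if not pre(x):
            continue  # the triple says nothing about states outside pre
        result = program(x)
        if result is None:
            total = False  # non-termination breaks total correctness only
            continue
        if not post(result):
            partial = total = False  # a terminating run ending outside post
    return partial, total


def pre_any(x):
    return True


def pre_nonneg(x):
    return x >= 0


def post_zero(x):
    return x == 0


DOMAIN = range(-5, 6)  # constructed set of initial states
```

With precondition true the triple is partially but not totally correct (negative starts never terminate); strengthening the precondition to x >= 0 makes it totally correct.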
Formal Verification (cont'd)
Proof rules and axioms (φ, ψ, χ are assertions, B a boolean condition):
- skip: {φ} skip {φ}
- x = E: {φ[E/x]} x = E {φ}  (φ with E substituted for x)
- S1; S2: from {φ} S1 {χ} and {χ} S2 {ψ} infer {φ} S1; S2 {ψ}
- if B then S1 else S2: from {φ ∧ B} S1 {ψ} and {φ ∧ ¬B} S2 {ψ} infer {φ} if B then S1 else S2 {ψ}
- while B do S: from {φ ∧ B} S {φ} infer {φ} while B do S {φ ∧ ¬B}
- consequence: from φ ⇒ φ', {φ'} S {ψ'} and ψ' ⇒ ψ infer {φ} S {ψ}
Formal Verification (cont'd)
- Formal verification of parallel systems introduces non-determinism problems
- Tools in formal verification:
  - Proof assistants
  - Proof checkers
  - Theorem provers
Model Checking
- Automated technique
- Verifies whether the required properties hold for a model
Model Checking (cont'd)
- Typical algorithm: exhaustive state-space search
- Approaches (depending on the requirement specification):
  - Heterogeneous (logic based)
  - Homogeneous (behavior based)
    - Bisimulation (A and B are bisimilar if A can simulate every step of B and vice versa)
    - Two bisimilar models satisfy the same CTL formulas
Computational Tree Logic (CTL)
- Specification language for finite-state systems
- Each formula describes properties of computation paths (which are infinite sequences of states)
- Logical operators: NOT, AND
- Operators for temporal relationships: X (next state), G (global), U (until), F (future)
- Path quantifiers: E, A
Computational Tree Logic (cont'd)
Descriptions
- Xf holds for a path p iff f holds in succ(first(p)), the second state of p
- Gf: f holds in all states of a computation path
- Ff: f will hold sometime in the future
- fUg holds for p if there exists a state s on p where g holds while f holds in all states preceding s
- AXf holds in a state if f holds in all possible next states
Binary Decision Diagrams (BDD)
- Rooted, acyclic graphs representing boolean functions
- Capture some of the regularities in the state space
- A total ordering on variables is needed
- Support AND, OR, NOT and functional composition
Model Checking with BDDs and CTL
- f ∨ g: BDD(f) ∨ BDD(g)
- ¬f: ¬BDD(f)
- EX f: BDD(EX f, R)(v_i) = ∃v_f [R(v_i, v_f) ∧ BDD(f, R)(v_f)]
- E[f U g]: z = g ∨ [f ∧ EX z]  (least fixpoint)
- EG f: z = f ∧ EX z  (greatest fixpoint)
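An added example, not from the slides, that implements the CTL operator descriptions (EX, AX, EU, EG, EF, AG) and the two fixpoint equations above over a small Kripke structure, using explicit state sets where the slides use BDDs. The login-flow model, its transition relation and its labels are constructed for illustration, and the checked property (no path reaches "admin" before "authenticated") is likewise a constructed specification.

```python
# Added example, not from the slides: explicit-state CTL model checking.
# Sets of states stand in for BDDs; the fixpoints follow the slides:
#   E[f U g] = least fixpoint    z = g or (f and EX z)
#   EG f     = greatest fixpoint z = f and EX z
STATES = {0, 1, 2, 3, 4}  # constructed login-flow model
R = {(0, 0), (0, 1), (1, 2), (1, 4), (2, 3), (3, 3), (4, 0)}  # transitions
LABELS = {0: {"idle"}, 1: {"challenged"}, 2: {"authenticated"},
          3: {"authenticated", "admin"}, 4: {"denied"}}

def atom(p):
    """States labelled with the atomic proposition p."""
    return {s for s in STATES if p in LABELS[s]}

def neg(f):
    return STATES - f

def ex(f):
    """EX f: states with at least one successor in f (pre-image under R)."""
    return {s for (s, t) in R if t in f}

def ax(f):
    """AX f = not EX not f: every successor lies in f."""
    return neg(ex(neg(f)))

def eu(f, g):
    """E[f U g]: iterate z := g or (f and EX z) upward from the empty set."""
    z = set()
    while True:
        nz = g | (f & ex(z))
        if nz == z:
            return z
        z = nz

def eg(f):
    """EG f: iterate z := f and EX z downward from the full state set."""
    z = set(STATES)
    while True:
        nz = f & ex(z)
        if nz == z:
            return z
        z = nz

def ef(f):
    return eu(STATES, f)  # EF f = E[true U f]
def ag(f):
    return neg(ef(neg(f)))  # AG f = not EF not f

def admin_requires_auth():
    """Initial state 0 must not satisfy E[not authenticated U admin]."""
    return 0 not in eu(neg(atom("authenticated")), atom("admin"))
```

A state set returned by `eu` or `eg` is exactly the set of states where the formula holds, so a property is checked by testing membership of the initial state.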
Fairness
- Fairness constraint = an arbitrary formula of the logic
- A path is fair with respect to a set of fairness constraints if each constraint holds infinitely often along the path
- CTL_F: CTL enhanced for dealing with fair paths
- Examples:
  - Fair = EG true
  - EX f ≡ EX(f ∧ Fair)
  - EG f with fairness constraint B: Z = f ∧ EX(E[Z U (Z ∧ B)])
Model Checking for RTS
- Extend both the state-transition graph and the logical formulas with quantitative timing information
- TCTL (Timed CTL) expresses the desired behavior
- Timed graphs express the possible behavior
Timed CTL
- E f U~c g
- A f U~c g
- ~ ∈ {<, ≤, =, ≥, >}
- E f U<c g: for some computation path p there is an initial prefix of time less than c such that g holds at the last state and f holds in all intermediate states
- Note: there is no X operator for time in the real domain R, as there is no unique next state / next time
Timed graphs
- Model finite-state RT systems
- Composed of:
  - a finite set of nodes
  - a finite set of clocks
Model Checking for RTS (cont'd)
- The problem consists of deciding whether a finite-state RTS modelled as a timed graph meets its specification given as a TCTL formula
- System model: G = (S, μ, s0, E, C, π, τ)
- TCTL structure: M_G = (S × Γ(G), μ', f)
- For a TCTL formula φ, G satisfies φ iff (M_G, (s0, u0)) satisfies φ, where u0(x) = 0 for all x ∈ C
Model Checking - Conclusions
Advantages
- General approach
- Supports partial verification
- Relatively easy to use (as compared to theorem provers)
- Can provide a significant increase in the level of confidence in a system
Disadvantages
- Appropriate mainly to control-intensive applications
- Verifies the model, not the system
- Only stated requirements are checked
- State-space explosion problem -> complexity issues