Automatic Verification Book Chapter 6 What is verification
Automatic Verification Book: Chapter 6
What is verification? n Traditionally, verification means proof of correctness n n n automatic: model checking deductive: theorem proving Practical view: n n automated systematic debugging VERY good at finding errors!
How can we check the model? n n n The model is a graph. The specification should refer to the graph representation. Apply graph theory algorithms.
What properties can we check? n n n Invariants: a property that need to hold in each state. Deadlock detection: can we reach a state where the program is blocked? Dead code: does the program have parts that are never executed.
How to perform the checking? n n n Apply a search strategy (Depth first search, Breadth first search). Check states/transitions during the search. If property does not hold, report counter example!
If it is so good, is this all we need? n Model checking works only for finite state systems. Would not work with n n n Unconstrained integers. Unbounded message queues. General data structures: n n queues trees stacks Parametric algorithms and systems.
The state space explosion n Need to represent the state space of a program in the computer memory. n n Each state can be as big as the entire memory! Many states: n n Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities. In concurrent protocols, the number of states usually grows exponentially with the number of processes.
If it is so constrained, is it of any use? n n Many protocols are finite state. Many programs or procedure are finite state in nature. Can use abstraction techniques. Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving. Many techniques to reduce the state space explosion (BDDs, Partial Order Reduction).
Depth First Search Program DFS For each s such that Init(s) dfs(s) end DFS Procedure dfs(s) for each s’ such that R(s, s’) do If new(s’) then dfs(s’) end dfs.
Start from an initial state Hash table: q 1 Stack: q 1 q 2 q 1 q 3 q 4 q 5
Continue with a successor Hash table: q 1 Stack: q 1 q 2 q 3 q 4 q 5
One successor of q 2. Hash table: q 1 Stack: q 1 q 2 q 4 q 2 q 1 q 2 q 4 q 3 q 4 q 5
Backtrack to q 2 (no new successors for q 4). Hash table: q 1 Stack: q 1 q 2 q 4 q 3 q 4 q 5
Backtracked to q 1 Hash table: q 1 Stack: q 1 q 2 q 4 q 3 q 4 q 5
Second successor to q 1. Hash table: q 1 Stack: q 1 q 3 q 2 q 1 q 2 q 4 q 3 q 4 q 5
Backtrack again to q 1. Hash table: q 1 Stack: q 1 q 2 q 4 q 3 q 4 q 5
How can we check properties with DFS? n n n Invariants: check that all reachable states satisfy the invariant property. If not, show a path from an initial state to a bad state. Deadlocks: check whether a state where no process can continue is reached. Dead code: as you progress with the DFS, mark all the transitions that are executed at least once.
![[]¬)PC 0=CR 0/PC 1=CR 1) is an invariant! Turn=1 L 0, L 1 Turn=0](http://slidetodoc.com/presentation_image_h2/d08559f0157e48780fb5d35342499a64/image-18.jpg "[]¬)PC 0=CR 0/PC 1=CR 1) is an invariant! Turn=1 L 0, L 1 Turn=0")
[]¬)PC 0=CR 0/PC 1=CR 1) is an invariant! Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0 NC 0, L 1 Turn=0 NC 0, NC 1 Turn=0 Turn=1 L 0, NC 1 Turn=0 CR 0, L 1 CR 0, NC 1 Turn=1 L 0, CR 1 Turn=1 NC 0, L 1 NC 0, NC 1 Turn=1 NC 0, CR 1
Want to do more! n n Want to check more properties. Want to have a uniform algorithm to deal with all kinds of properties. This is done by writing specification is temporal logics. Temporal logic specification can be translated into graphs (finite automata).
![)[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0](http://slidetodoc.com/presentation_image_h2/d08559f0157e48780fb5d35342499a64/image-20.jpg ")[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0")
)[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0 NC 0, L 1 Turn=0 NC 0, NC 1 Turn=0 Turn=1 L 0, NC 1 Turn=0 CR 0, L 1 CR 0, NC 1 Turn=1 L 0, CR 1 Turn=1 NC 0, L 1 NC 0, NC 1 Turn=1 NC 0, CR 1
init Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0 NC 0, L 1 Turn=0 NC 0, NC 1 Turn=0 Turn=1 L 0, NC 1 Turn=0 CR 0, L 1 CR 0, NC 1 Turn=1 L 0, CR 1 Turn=1 NC 0, L 1 NC 0, NC 1 Turn=1 NC 0, CR 1
Turn=0 L 0, L 1 init Turn=0 L 0, L 1 Turn=1 L 0, L 1 • Add an additional initial node. • Propositions are attached to incoming nodes. • All nodes are accepting.
Correctness condition n We want to find a correctness condition for a model to satisfy a specification. Language of a model: L(Model) Language of a specification: L(Spec). n We need: L(Model) L(Spec). n n
Correctness Sequences satisfying Spec Program executions All sequences
How to prove correctness? n n n Show that L(Model) L(Spec). Equivalently: ______ Show that L(Model) L(Spec) = Ø. Also: can obtain L(Spec) by translating from LTL!
What do we need to know? n n n How to intersect two automata? How to complement an automaton? How to translate from LTL to an automaton?
Intersecting two automata n n n A 1=< , S 1, , I 1, F 1> and A 2=< , S 2, , I 2, S 2> Each state is a pair (x, y): a state x from S 1 and a state y from S 1. Initial states: x is from I 1 and y is from I 2. Accepting states: x is from F 1. ((x, y) a (x’, y’)) is a transition if (x, a, x’) is in 1, and (y, a, y’) is in 2.
Example A S 0 T 0 A B, C S 1 B, C T 1 C A B States: (S 0, T 0), (S 0, T 1), (S 1, T 0), (S 1, T 1). Accepting: (S 0, T 0), (S 0, T 1). Initial: (S 0, T 0).
A A S 0 B, C S 1 B, C T 1 C A T 0 B A S 0, T 1 C S 0, T 0 B S 1, T 0 A S 1, T 1 C B
How to check for emptiness? A S 0, T 1 C S 0, T 0 B S 1, T 0 A S 1, T 1 C B
Emptiness. . . Need to check if there exists an accepting run (passes through an accepting state infinitely often).
Finding accepting runs If there is an accepting run, then at least one accepting state repeats on it forever. This state appears on a cycle. So, find a reachable accepting state on a cycle.
Equivalently. . . n A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.
How to complement? n n n Complementation is hard! Can ask for the negated property (the sequences that should never occur). Can translate from LTL formula to automaton A, and complement A. But: can translate ¬ into an automaton directly!
From LTL to automata n n Exponential blow-up Formulas are usually small “always eventually p”: []<>p “always p until q”: [](p. Uq) p true p/q p q
Model Checking under Fairness Express the fairness as a property φ. To prove a property ψ under fairness, model check φ ψ. Counter example Fair (φ) Bad (¬ψ) Program
![)[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0](http://slidetodoc.com/presentation_image_h2/d08559f0157e48780fb5d35342499a64/image-37.jpg ")[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0")
)[]Turn=0 --> <>Turn=1) Turn=1 L 0, L 1 Turn=0 L 0, NC 1 Turn=0 NC 0, L 1 Turn=0 NC 0, NC 1 Turn=0 Turn=1 L 0, NC 1 Turn=0 CR 0, L 1 CR 0, NC 1 Turn=1 L 0, CR 1 Turn=1 NC 0, L 1 NC 0, NC 1 Turn=1 NC 0, CR 1
Model Checking under Fairness Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either n it contains on occurrence of a transition from P, or n it contains a state where P is disabled.
- Slides: 38