CSCI 1600 Embedded and Real Time Software Lecture
CSCI 1600: Embedded and Real Time Software Lecture 33: Verification III Steven Reiss, Fall 2016
Property Definition Using CTL or LTL temporal logic As conditions over paths Where the paths are specified by predicates Recall 2 Xf (ne. Xt time) Ff (eventually, in the Future) Gf (always, Globally) f. Ug (Until) f. Rg (Release) A (for All paths) E (there Exists a path) Lecture 33: Verification III 9/9/2021
Program Definition Finite State Automata Extended FSAs: simple variables to determine transitions Unless a transition is explicitly limited, it is possible Assumes non-determinism Associate labels with states Properties that are true in the state Properties are determined from the predicates of interest Automata can be simplified to only reflect these properties 3 Lecture 33: Verification III 9/9/2021
Proving Properties Show that for all possible “executions” of the program The property holds If it doesn’t hold Show the counter example Serves to document or understand the problem Can be used to further refine the model program Include other variables or values Checks to avoid false positives 4 Lecture 33: Verification III 9/9/2021
How Can We Do Such Proofs? Map the formula into an FSA and work with 2 FSAs Condition changes during execution trigger changes in the state FSA Track the property FSA states for each program state Work directly on the automata with the formula Track what parts of the formula a true at each point in the program Work by induction Since the program is finite state Can associate all valid subformulas with each state This tells us what is valid at each state Map the program into a formula and work with 2 formulas What works best depends on application and property But all have been tried and used successfully 5 Lecture 33: Verification III 9/9/2021
Example: Microwave Oven 6 Lecture 33: Verification III 9/9/2021
Example: Properties AG(start -> AF heat) For all paths, if we hit start, then we eventually get heat Is this true? 7 Lecture 33: Verification III 9/9/2021
Working with formula over FSA Identify the states of the FSA where the formula holds By using labels on the states Using all subformulas of the formula If we know the value for all subformulas, we can compute the value of the formula How depends on the particular operator that combines the subformulas Example: AND, OR, NOT This can be done inductively over subformula Only need to consider EU and EG operators All the other CTL operators can be defined in terms of these 8 Lecture 33: Verification III 9/9/2021
Showing EU: E(f 1 U f 2) f 1 holds until f 2 holds on some path from this state Want to find all states where this is true Given we know the states where f 1 and f 2 hold (induction) Algorithm: T = { s : f 2 is in label(s) } FORALL s in T DO: add E(f 1 U f 2) to label(s) WHILE (T is non-empty) CHOOSE s in T and remove it from T FORALL t such that t is a predecessor state of s IF E(f 1 U f 2) is not in label(t) and f 1 is in label(t) THEN ENDIF Add E(f 1 U f 2) to label(t); Add t to T NEXT 9 Lecture 33: Verification III 9/9/2021
Showing EG f f always holds on some path What does this require in terms of the program automata Algorithm: S = { s | f is in label(s) } SCC = { C | C is a nontrivial strongly connected component of S } T = Union of all s in a C in SCC FORALL s in T DO: add (EG f) to label(s) WHILE T is non-empty DO CHOOSE s in T and remove it from T FORALL t such that t is a predecessor of s and t is in S IF (EG f) is not in label(t) THEN ENDIF ADD (EG f) to label(t) ADD t to T NEXT 10 Lecture 33: Verification III 9/9/2021
Proving AG(start -> AF heat) Convert to using these operators AG(start -> AF heat) ~EF(start ˄ EG ~heat) ~E(true U (start ˄ EG ~heat)) Prove: ~E(true U (start ˄ EG ~heat)) 11 Lecture 33: Verification III 9/9/2021
Work On: ~E(true U (start ˄ EG ~heat)) S(start) = { 2, 5, 6, 7 } S(~heat) = { 1, 2, 3, 5, 6 } S(EG ~heat) Find SCC of ~heat : { 1, 2, 3, 5 } S(EG ~heat) = { 1, 2, 3, 5 } S(start and EG ~heat) = { 2, 5 } S(E(true U (start and EG ~heat))) Initially { 2, 5 } Add any predecessor where true is true Yields { 1, 2, 3, 4, 5, 6, 7 } S(~E(true U (start and EG ~heat))) = { } The property does not hold 12 Lecture 33: Verification III 9/9/2021
AG(~error AND start -> AF heat) Convert to use the operators AG(~error ˄ start -> AF heat) ~EF(~error ˄ start ˄ EG ~heat) ~E(true U (~error ˄ start ˄ EG ~heat)) 13 Lecture 33: Verification III 9/9/2021
Show: ~E(true U (~error ˄ start ˄ EG ~heat)) 14 Lecture 33: Verification III 9/9/2021
Can also work with formulas Convert program into a logical formula Create a joint formula combining program and condition Verify the joint formula is correct 15 Lecture 33: Verification III 9/9/2021
Working with Formula Assume we have a LTL/CTL formula for property Assume we have a finite state program Objective: Map the program to a Boolean formula Create a combined formula for property + program Prove the combined formula 16 Lecture 33: Verification III 9/9/2021
Mapping the Program Represent the current state as a set of Boolean variables (s 0, s 1, s 2, …, sn) Each state has a identifying number (s 0, s 1, …sn) is the bit representation of that number Define a relation R specifying valid transitions R(s, t): there is a transition from s to t R can be stated as a (complex) Boolean formula Can be used to look at both successors and predecessors 17 Lecture 33: Verification III 9/9/2021
Merge Program and Formula For each condition f, create formula F(s’) that is true for all states s’ where f holds (and false for all other states) This is done inductively over the subformula Base case: primitive formulas EF, EG operators Defined iteratively (using fixed points) using current formulas and R to build the current formula Essentially using the algorithms we saw last time This is all done mechanically 18 Lecture 33: Verification III 9/9/2021
Making This Practical The formulas can be generated but They are going to be very large Need to both generate and use them efficiently We need an efficient representation of a formula Easy to operate on (AND/OR/NOT/IMPLIES) Space efficient Easy to manipulate by computer We need a practical solver 19 Lecture 33: Verification III 9/9/2021
Decision Trees A formula can be written as a decision tree T Each node is labeled with a Boolean variable Each node has a true and a false branch out Leaves are labeled either TRUE or FALSE Example: A and (B or C) Try a AND (b OR (c XOR d)) What is the size of the tree? Does it have to be this size? 20 Lecture 33: Verification III A F B F T C F T T F 9/9/2021
Simplifying Decision Trees Most of the decision trees look the same Extra variables just yield identical subtrees Trees can be simplified Simplify the tree into a DAG There are only two real leaves (merge these) If two nodes have the same children and the same labels, they can be merged If both branches of a node go to the same node, the original node can be eliminated This can be iterated Worst case size is still exponential, actual size is generally much smaller The results is a BDD (Binary Decision Diagram) 21 Lecture 33: Verification III 9/9/2021
Ordered BDDs Place an a priori order on the variables as labels Note that order affects the size Optimum ordering is NP complete Logical operations are easy to do on ordered BDDs Complement: flip TRUE and FALSE leaves AND, OR: Merge the two trees level by level Ordering makes this easy Setting result to be AND/OR or merged result EG and EU Defined as iterative procedures on BDDs Stopping at appropriate fixed points (no changes to BDD on next pass) 22 All computations are O(1) or O(nlogn) on the tree Lecture 33: Verification III 9/9/2021
Model Checking BDDs Compute the BDD for R(s, t) for the program Inductively compute F(s) for the formula f F(S) is true iff f is true in the program F(S) is true iff it is the singleton node True Otherwise there is a path that shows false Can use the BDD path to FALSE to find counterexample BDDs have been used to verify programs with 2^80 states 23 Lecture 33: Verification III 9/9/2021
Extensions RTCTL : handle incremental real time constraints G[a, b]f : : f holds from a to b Continuous Real Time Work in terms of timed automata & clock regions 24 Lecture 33: Verification III 9/9/2021
Homework Read Chapter 16 Exercise 16. 1, 16. 2 25 Lecture 33: Verification III 9/9/2021
Solving with only Automata Map the formula into an automata Annotate the program automata with output events That trigger the formula automata Then annotate the program automata For each state: list the set of states in the formula automata that are reachable This can only grow and must eventually come to a fixed point Determine success/failure from the result 26 Lecture 33: Verification III 9/9/2021
Example Once an iterator is allocated, every call to next must be preceded by a call to has. Next 27 Lecture 33: Verification III 9/9/2021
Iterator Example Program for (Iterator it = x. iterator(); it. has. Next(); ) { y = it. next(); } it = x. iterator / ALLOC it. has. Next() / HASNEXT 28 y = it. next() / NEXT Lecture 33: Verification III 9/9/2021
Iterator Example A it = x. iterator / ALLOC B it. has. Next() / HASNEXT C D 29 y = it. next() / NEXT Lecture 33: Verification III E 9/9/2021
- Slides: 29