automatic verification book: chapter 6. how can we check the model? the model is a graph. the...
TRANSCRIPT
![Page 1: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/1.jpg)
Automatic Verification
Book: Chapter 6
![Page 2: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/2.jpg)
How can we check the model?
The model is a graph. The specification should refer the
the graph representation. Apply graph theory algorithms.
![Page 3: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/3.jpg)
What properties can we check?
Invariants: a property that need to hold in each state.
Deadlock detection: can we reach a state where the program is blocked?
Dead code: does the program have parts that are never executed.
![Page 4: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/4.jpg)
How to perform the checking?
Apply a search strategy (Depth first search, Breadth first search).
Check states/transitions during the search.
If property does not hold, report counter example!
![Page 5: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/5.jpg)
If it is so good, why learn deductive verification methods?
Model checking work only for finite state systems. Would not work with Unconstrained integers. Unbounded message queues. General data structures:
queues trees stacks
parametric algorithms and systems.
![Page 6: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/6.jpg)
The state space explosion
Need to represent the state space of a program in the computer memory. Each state can be as big as the entire
memory! Many states:
Each integer variable has 2^32 possibilities. Two such variables have 2^64 possibilities.
In concurrent protocols, the number of states usually grows exponentially with the number of processes.
![Page 7: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/7.jpg)
If it is so constrained, is it of any use?
Many protocols are finite state. Many programs or procedure are finite
state in nature. Can use abstraction techniques.
Sometimes it is possible to decompose a program, and prove part of it by model checking and part by theorem proving.
Many techniques to reduce the state space explosion (BDDs, Partial Order Reduction).
![Page 8: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/8.jpg)
Depth First Search
Program DFSFor each s such that
Init(s) dfs(s)end DFS
Procedure dfs(s)for each s’ such
that R(s,s’) do
If new(s’) then dfs(s’)
end dfs.
![Page 9: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/9.jpg)
Start from an initial state
q3
q4
q2
q1
q5
q1
q1
Stack:
Hash table:
![Page 10: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/10.jpg)
Continue with a successor
q3
q4
q2
q1
q5
q1 q2
q1
q2
Stack:
Hash table:
![Page 11: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/11.jpg)
One successor of q2.
q3
q4
q2
q1
q5
q1 q2 q4
q1
q2
q4
Stack:
Hash table:
![Page 12: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/12.jpg)
Backtrack to q2 (no new successors for q4).
q3
q4
q2
q1
q5
q1 q2 q4
q1
q2
Stack:
Hash table:
![Page 13: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/13.jpg)
Backtracked to q1
q3
q4
q2
q1
q5
q1 q2 q4
q1
Stack:
Hash table:
![Page 14: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/14.jpg)
Second successor to q1.
q3
q4
q2
q1
q5
q1 q2 q4 q3
q1
q3
Stack:
Hash table:
![Page 15: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/15.jpg)
Backtrack again to q1.
q3
q4
q2
q1
q5
q1 q2 q4 q3
q1
Stack:
Hash table:
![Page 16: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/16.jpg)
How can we check properties with DFS?
Invariants: check that all reachable statessatisfy the invariant property. If not, showa path from an initial state to a bad state.
Deadlocks: check whether a state where noprocess can continue is reached.
Dead code: as you progress with the DFS, mark all the transitions that are executed at least once.
![Page 17: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/17.jpg)
[]¬(PC0=CR0/\PC1=CR1) is an invariant!Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 18: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/18.jpg)
Want to do more!
Want to check more properties. Want to have a unique algorithm to
deal with all kinds of properties. This is done by writing specification
is temporal logics. Temporal logic specification can be
translated into graphs (finite automata).
![Page 19: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/19.jpg)
[](Turn=0 --> <>Turn=1)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
![Page 20: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/20.jpg)
Turn=0L0,L1
Turn=0L0,NC1
Turn=0NC0,L1
Turn=0CR0,NC1
Turn=0NC0,NC1
Turn=0CR0,L1
Turn=1L0,CR1
Turn=1NC0,CR1
Turn=1L0,NC1
Turn=1NC0,NC1
Turn=1NC0,L1
Turn=1L0,L1
init
![Page 21: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/21.jpg)
Turn=0L0,L1
Turn=1L0,L1
init
•Add an additional initial node.
•Propositions are attached to incoming nodes.
•All nodes are accepting.
Turn=1L0,L1
Turn=0L0,L1
![Page 22: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/22.jpg)
Correctness condition
We want to find a correctness condition for a model to satisfy a specification.
Language of a model: L(Model) Language of a specification:
L(Spec).
We need: L(Model) L(Spec).
![Page 23: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/23.jpg)
Correctness
All sequences
Sequences satisfying Spec
Program executions
![Page 24: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/24.jpg)
How to prove correctness?
Show that L(Model) L(Spec). Equivalently: ______
Show that L(Model) L(Spec) = Ø. Also: can obtain L(Spec) by
translating from LTL!
![Page 25: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/25.jpg)
What do we need to know?
How to intersect two automata? How to complement an
automaton? How to translate from LTL to an
automaton?
![Page 26: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/26.jpg)
Intersecting two automata
A1=<, S1, , I1, F1> andA2=<, S2, , I2, S2>
Each state is a pair (x,y): a state x from S1 and a state y from S1.
Initial states: x is from I1 and y is from I2.
Accepting states: y is from F1. ((x,y) a (x’,y’)) is a transition if
(x,a,x’) is in 1, and (y,a,y’) is in 2.
![Page 27: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/27.jpg)
Example
A
BCT0 T1
A
A
B,CB,CS0 S1
States: (S0,T0), (S0,T1), (S1,T0), (S1,T1).
Accepting: (S0,T0), (S0,T1). Initial: (S0,T0).
![Page 28: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/28.jpg)
A
BCT0 T1
A
A
B,CB,CS0 S1
S0,T0
S0,T1
S1,T1
S1,T0B
B
A
C
A
C
![Page 29: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/29.jpg)
How to check for emptiness?
S0,T0
S0,T1
S1,T1
S1,T0B
B
A
C
A
C
![Page 30: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/30.jpg)
Emptiness...
Need to check if there exists an accepting run (passes through an accepting state infinitely often).
![Page 31: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/31.jpg)
Finding accepting runs
If there is an accepting run, then at least one accepting state repeats on it forever. This state appears on a cycle. So, find a reachable accepting state on a cycle.
![Page 32: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/32.jpg)
Equivalently...
A strongly connected component: a set of nodes where each node is reachable by a path from each other node. Find a reachable strongly connected component with an accepting node.
![Page 33: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/33.jpg)
How to complement?
Complementation is hard! Can ask for the negated property (the
sequences that should never occur). Can translate from LTL formula to
automaton A, and complement A. But:can translate ¬ into an automaton directly!
![Page 34: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/34.jpg)
Model Checking under Fairness
Express the fairness as a property φ.To prove a property ψ under fairness,model check φψ.
Fair (φ)
Bad (¬ψ) Program
Counter
example
![Page 35: Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation](https://reader035.vdocument.in/reader035/viewer/2022062619/55160d9a550346d46f8b60bf/html5/thumbnails/35.jpg)
Model Checking under Fairness
Specialize model checking. For weak process fairness: search for a reachable strongly connected component, where for each process P either
it contains on occurrence of a transition from P, or
it contains a state where P is disabled.