
Metodi formali dello sviluppo software (Formal Methods of Software Development)

Academic year 2013/2014

Prof. Anna Labella

Introducing FV

What is formal verification?
– Establishing properties of system designs using mathematical methods

Why use formal methods?
– Safety-critical systems
– High bug costs

Why hardware?
– High bug costs
– Greater reliability required by customers
– Feasible (more or less)

Introducing FV

How is it done?

The method takes a Model and a Property p as input.

The method's output is either an assurance that p always holds, or a counter-example: a computation of the model on which p fails.

[Figure: Model and Property p enter the verifier; the verifier answers "P always holds" or returns a counter-example]

Defining a Model

Definitions
– State: snapshot of the values of the variables at a particular instant of time.
– Finite state system: a system which has a finite number of different states.
– Transition: the ordered pair <state before, state after>.
– Computation: an infinite sequence of states where each state is obtained from the previous one by a transition.

Defining a Model

Intuition (two-bit counter)
– A State: (0,1)
– A Finite state system: {(0,0), (0,1), (1,0), (1,1)}
– A Transition: <(0,0), (0,1)>
– A Computation: <(0,0), (0,1), (1,0), (0,0), (0,1), ...>

[Figure: two-bit counter with inputs Reset and inc, states labelled by the bit pair]

Kripke Structure

Let AP be a set of atomic propositions. A Kripke structure M over AP is a tuple M = (S, S0, R, L) where
– S is a finite set of states;
– S0 ⊆ S is the set of initial states;
– R ⊆ S × S is a transition relation that must be total, i.e., for every state s in S there is a state s' in S such that R(s, s');
– L is a function that labels each state with the set of all atomic propositions in AP that are true in that state.

A path in M from s is an infinite sequence of states π = s0 s1 s2 ... such that s0 = s and R(si, si+1) holds for all i ≥ 0.

Defining a Model

M = (S, S0, R, L)

S = {s0, s1, s2, s3}

S0 = {s0}, with s0 = (0,0) (the system starts with Reset)

R = {<s0, s1>, <s1, s2>, <s2, s0>, ...}

L = {(s0, (0,0)), (s1, (0,1)), (s2, (1,0)), (s3, (1,1))}

[Figure: the counter's state graph, s0 = (0,0), s1 = (0,1), s2 = (1,0), s3 = (1,1), with inc and Reset transitions]
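As an added example (not from the slides), here is the counter's Kripke structure built mechanically by exploring the state space from the initial state, the way an explicit-state model checker does. The slides list R only partially ("..."), so the transition rules are an assumption: on every step the inputs inc and Reset are chosen freely, Reset returns to (0,0), inc advances the count modulo 2^n, and with neither input the counter keeps its value. The builder is parameterized by the bit width n, which also makes visible the exponential growth in the number of states that the complexity slide at the end warns about.

```python
"""Build the Kripke structure of an n-bit counter with inputs Reset and inc.

Added example, not part of the course slides. The transition rules are an
assumption (the slides elide R with '...'): inc advances the count modulo 2**n,
Reset returns to zero from any state, and the two inputs are chosen
nondeterministically at every step.
"""
from itertools import product


def step(state, inc, reset):
    """One clock tick of the counter. `state` is a tuple of bits, MSB first."""
    n = len(state)
    value = int("".join(map(str, state)), 2)
    if reset:
        value = 0
    elif inc:
        value = (value + 1) % 2 ** n
    return tuple((value >> (n - 1 - i)) & 1 for i in range(n))


def build_kripke(n):
    """Explore from the all-zero state and return (S, S0, R, L).

    R is a set of ordered pairs <before, after>; L maps each state to the set of
    atomic propositions bit_i ("bit i of the counter is 1", bit0 = LSB) true in it.
    """
    s0 = (0,) * n
    S0 = {s0}
    S, R = set(), set()
    frontier = [s0]
    while frontier:                       # depth-first reachability
        s = frontier.pop()
        if s in S:
            continue
        S.add(s)
        for inc, reset in product((0, 1), repeat=2):   # every input combination
            t = step(s, inc, reset)
            R.add((s, t))
            if t not in S:
                frontier.append(t)
    L = {s: {f"bit{n - 1 - i}" for i, bit in enumerate(s) if bit} for s in S}
    return S, S0, R, L


def is_total(S, R):
    """A Kripke structure requires every state to have at least one successor."""
    sources = {a for a, _ in R}
    return S <= sources


def is_path(R, states):
    """Check that consecutive states are related by R, i.e. a finite prefix of a computation."""
    return all((a, b) in R for a, b in zip(states, states[1:]))


if __name__ == "__main__":
    S, S0, R, L = build_kripke(2)
    print("S =", sorted(S))
    print("R total:", is_total(S, R))
    print("slide computation is a path:", is_path(R, [(0, 0), (0, 1), (1, 0), (0, 0), (0, 1)]))
    for n in (2, 4, 8, 16):
        print(f"{n} bits -> {len(build_kripke(n)[0])} states")
```

The computation shown on the previous slide, (0,0), (0,1), (1,0), (0,0), (0,1), ..., is checked as a path prefix with is_path; the totality check is what guarantees that every such finite prefix can be extended to an infinite computation. Doubling the number of state variables squares the number of states, which is the state explosion that limits explicit-state checking.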

Model-based verification

K |=

(the question put to the checker: does the Kripke structure K satisfy the property?)

04/18/23 11

CTL

Temporal operators are immediately preceded by a path quantifier.

The following are a complete set: ¬p, p ∧ q, AX p, EX p, A(p U q), E(p U q). Others can be derived:
– EF p ≡ E(true U p)
– AF p ≡ A(true U p)
– EG p ≡ ¬AF ¬p
– AG p ≡ ¬EF ¬p


Minimal set of CTL formulas

Full set of operators
– Boolean: ¬, ∧, ∨, →, ↔
– temporal: E, A, X, F, G, U, W

Minimal set sufficient to express any CTL formula
– Boolean: ¬, ∧
– temporal: E, X, U

Examples: f ∨ g = ¬(¬f ∧ ¬g), F f = true U f, A(f) = ¬E(¬f), G f = ¬F ¬f = ¬(true U ¬f)

(Caveat: these identities treat F, G and U as path formulas, as in CTL*. In CTL, where every temporal operator carries its own path quantifier, ¬E(true U ¬f) is AG f, not EG f, so EG (or equivalently AF) cannot be derived from EX and EU and must be kept as a primitive: the usual minimal set is ¬, ∧, EX, EU, EG.)


Model Checking Example: traffic light controller (simplified)

Two roads, Road 1 and Road 2, cross; each has a light (G = green, Y = yellow, R = red, the index is the road). A car sensor C and a timer T provide the controller's inputs.

States (light on Road 1, light on Road 2): G1 R2, Y1 R2, R1 G2, R1 Y2

Transition conditions on the inputs (C = car sensor, T = timer; ' is negation, + is or, juxtaposition is and): C'+T', C T, C T', C'+T

[Figure: state graph of the controller. G1 R2 loops to itself and moves to Y1 R2; Y1 R2 moves to R1 G2; R1 G2 loops to itself and moves to R1 Y2; R1 Y2 returns to G1 R2. A self-loop is taken while the condition for switching is false.]

Traffic light controller - Model Checking

Model Checking task: check
– a safety condition
– a fairness condition

Safety condition: no green lights on both roads at the same time
AG ¬(G1 ∧ G2)

Fairness condition: eventually one road has a green light
EF (G1 ∨ G2)

(EF is existential: some path reaches a state with a green light. The stronger requirement that every path does so is AF (G1 ∨ G2).)


Checking the Safety Condition

State numbering used in the checks: 1 = G1 R2, 2 = Y1 R2, 3 = R1 G2, 4 = R1 Y2.

AG ¬(G1 ∧ G2) = ¬EF (G1 ∧ G2)

S(G1 ∧ G2) = S(G1) ∩ S(G2) = {1} ∩ {3} = ∅

S(EF (G1 ∧ G2)) = ∅

S(¬EF (G1 ∧ G2)) = ¬∅ = {1, 2, 3, 4}

Each state is included in {1, 2, 3, 4}, so the safety condition is true (in each state).

Checking the Fairness Condition

EF (G1 ∨ G2) = E(true U (G1 ∨ G2))
• S(G1 ∨ G2) = S(G1) ∪ S(G2) = {1} ∪ {3} = {1, 3}
• S(EF (G1 ∨ G2)) = {1, 2, 3, 4}

(going backward from {1, 3}, find predecessors: the predecessors of 1 are 1 and 4, the predecessors of 3 are 2 and 3, so one step back already yields {1, 2, 3, 4})

Since {1, 2, 3, 4} contains all states, the condition is true for all the states.

Another check: (EX)² (Y1) = EX (EX (Y1))

(starting at s1 = G1 R2, is there a path such that Y1 is true in 2 steps?)

S(Y1) = {2}

S(EX (Y1)) = {1} (the predecessor of 2)

S(EX (EX (Y1))) = {1, 4} (the predecessors of 1)

Property (EX)² (Y1) is true for states {1, 4}; since the initial state 1 = G1 R2 is among them, the property holds.
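The three checks above (safety, fairness, (EX)² Y1) and the derived operators of the "Minimal set of CTL formulas" slide, as an added Python example that is not code from the course. It performs the backward predecessor computation the slides do by hand, as a least fixed point for EU and a greatest fixed point for EG, on a Kripke structure reconstructed from the slides. Everything the slides do not state explicitly is an assumption: the numbering 1 = G1 R2, 2 = Y1 R2, 3 = R1 G2, 4 = R1 Y2, the transitions 1→1, 1→2, 2→3, 3→4, 4→1 required by the predecessor sets of the checks, the self-loop 3→3 of the figure, and the initial state S0 = {1}. The nested-tuple formula encoding and the extra liveness check AF G2 are the example's own.

```python
"""Explicit-state CTL model checker run on the traffic-light controller.

Added example, not code from the course slides. The Kripke structure is
reconstructed from the slides (state numbering, transitions used by the
predecessor computations, the 3->3 self-loop of the figure, S0 = {1}); these
are assumptions where the slides are silent. Formulas are nested tuples such
as ("EF", ("or", "G1", "G2")). Primitives: atoms, "true", "not", "and", "EX",
"EU", "EG"; every other operator is derived as on the slides.
"""

S = {1, 2, 3, 4}                                          # 1=G1R2 2=Y1R2 3=R1G2 4=R1Y2
S0 = {1}                                                  # start in G1 R2 (assumed)
R = {(1, 1), (1, 2), (2, 3), (3, 3), (3, 4), (4, 1)}     # total transition relation
L = {1: {"G1", "R2"}, 2: {"Y1", "R2"}, 3: {"R1", "G2"}, 4: {"R1", "Y2"}}


def pre(X):
    """States with at least one R-successor in X, i.e. S(EX X)."""
    return {s for (s, t) in R if t in X}


def sat(f):
    """Return the set of states of M in which the CTL formula f holds (bottom-up)."""
    if f == "true":
        return set(S)
    if isinstance(f, str):                                # atomic proposition
        return {s for s in S if f in L[s]}
    op, *args = f
    if op == "not":
        return S - sat(args[0])
    if op == "and":
        return sat(args[0]) & sat(args[1])
    if op == "EX":
        return pre(sat(args[0]))
    if op == "EU":                                        # lfp of Z = q ∪ (p ∩ pre(Z))
        p, q = sat(args[0]), sat(args[1])
        Z = set(q)
        while True:
            new = Z | (p & pre(Z))
            if new == Z:
                return Z
            Z = new
    if op == "EG":                                        # gfp of Z = p ∩ pre(Z)
        p = sat(args[0])
        Z = set(p)
        while True:
            new = p & pre(Z)
            if new == Z:
                return Z
            Z = new
    # derived operators (slide "Minimal set of CTL formulas")
    p = args[0]
    q = args[1] if len(args) > 1 else None
    if op == "or":                                        # p ∨ q = ¬(¬p ∧ ¬q)
        return sat(("not", ("and", ("not", p), ("not", q))))
    if op == "EF":                                        # EF p = E(true U p)
        return sat(("EU", "true", p))
    if op == "AX":                                        # AX p = ¬EX ¬p
        return sat(("not", ("EX", ("not", p))))
    if op == "AG":                                        # AG p = ¬EF ¬p
        return sat(("not", ("EF", ("not", p))))
    if op == "AF":                                        # AF p = ¬EG ¬p
        return sat(("not", ("EG", ("not", p))))
    if op == "AU":                                        # A(p U q) = ¬E(¬q U (¬p ∧ ¬q)) ∧ ¬EG ¬q
        return sat(("and",
                    ("not", ("EU", ("not", q), ("and", ("not", p), ("not", q)))),
                    ("not", ("EG", ("not", q)))))
    raise ValueError(f"unknown operator {op!r}")


def holds(f):
    """M |= f: f must hold in every initial state."""
    return S0 <= sat(f)


if __name__ == "__main__":
    checks = [
        ("AG not(G1 and G2)", ("AG", ("not", ("and", "G1", "G2")))),   # safety
        ("EF (G1 or G2)", ("EF", ("or", "G1", "G2"))),                 # fairness (slide)
        ("EX EX Y1", ("EX", ("EX", "Y1"))),                            # two-step check
        ("AF G2", ("AF", "G2")),                                       # stronger liveness
    ]
    for name, f in checks:
        print(f"{name:20} sat = {sorted(sat(f))}  holds in S0: {holds(f)}")
```

Running it reproduces the slide results: S(AG ¬(G1 ∧ G2)) = {1, 2, 3, 4}, S(EF (G1 ∨ G2)) = {1, 2, 3, 4}, S(EX EX Y1) = {1, 4}. The extra check AF G2 comes out false in the initial state: the self-loop on G1 R2, taken as long as no car arrives and the timer has not expired, is an infinite computation on which road 2 never turns green. That loop is the counter-example a checker would report, and it is exactly the kind of path a fairness assumption on the inputs is introduced to rule out.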

Explicit Model Checking - complexity

CTL model checking is linear in the size of the formula and in the size of the structure M: O(|f| · (|S| + |R|)).

Not good news:
– what if you have 10^50 states?
– the number of states grows exponentially with the number of variables
– explicit model checking is limited to roughly 10^9 states

Symbolic model checking can do much better.