Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.

Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Slide 2 H. Schlingloff, SS2012: SWV 2 Course evaluation!!! online until ... The password (token) is: apple12ibm

Slide 3 H. Schlingloff, SS2012: SWV 2 Model checking
Given a model M and a formula φ, model checking is answering the question whether M ⊨ φ
- somewhat easier than checking validity or satisfiability of φ
- usually easier than checking ⊨ φ_M → φ
- sometimes easier than checking L(M) ⊆ L(φ) or M ∈ L(φ)
Several variants, depending on the logic and the way the model is given
- e.g., consider PL and a lookup truth table for propositions → linear in |φ|
- e.g., consider FOL and a "computation engine" for predicates → in general model checking is an undecidable problem
Here, LTL and CTL are of interest

Slide 4 H. Schlingloff, SS2012: SWV 2 Model Checking LTL
We want to check whether M ⊨ φ
- φ is an LTL formula (for simplicity, excluding past)
- M is a natural model (sequence of proposition interpretations)
If M is finite, then the problem is easy:
- M ⊨ φ iff check(M,0,φ) = true
- check(M,i,p) = true iff p ∈ M(i)
- check(M,i,⊥) = false
- check(M,i, φ → ψ) = true iff check(M,i,φ) implies check(M,i,ψ)
- check(M,i, φ U⁺ ψ) = true iff for some j>i, check(M,j,ψ) = true and for all i<k<j, check(M,k,φ) = true
Better (unfold U⁺ one step at a time):
- check(M,i, φ U⁺ ψ) = i+1<|M| and check(M,i+1, (ψ ∨ φ ∧ φ U⁺ ψ))

Slide 5 H. Schlingloff, SS2012: SWV 2 Infinite sequences
M = w_0 w_1 w_2 ... w_n (w_{n+1} ... w_{n+m})^ω
check(M,i, φ U⁺ ψ) = for some i<j≤n+m, check(M,j,ψ) = true and for all i<k<j, check(M,k,φ) = true,
  or i>n and for all i<k≤n+m, check(M,k,φ) = true and for some n<j≤i, check(M,j,ψ) = true and for all n<k<j, check(M,k,φ) = true
Iterative version of this clause?
check(M,i, φ U⁺ ψ) = i<n+m and check(M,i+1, (ψ ∨ φ ∧ φ U⁺ ψ)) or i=n+m and check'(M,n+1, (ψ ∨ φ ∧ φ U⁺ ψ))
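The check clauses of slides 4 and 5, carried out in code over a lasso-shaped natural model M = w_0 ... w_n (w_{n+1} ... w_{n+m})^ω. This is an added example, not code from the lecture: the tuple encoding of formulas, the Lasso class and all function names are this example's own assumptions. Strict until is computed as the least fixpoint of the unfolding φ U⁺ ψ = X(ψ ∨ φ ∧ φ U⁺ ψ), which is what the "iterative version" obtains by traversing the loop part a second time (the check' clause).

```python
# Added example: LTL model checking of one lasso-shaped natural model, after the
# check(M, i, phi) clauses of slides 4 and 5.  Not the lecture's code.
#
# Formula encoding (constructed for this example):
#   ("p", name)       atomic proposition        ("false",)     bottom
#   ("imp", f, g)     implication f -> g        ("next", f)    X f
#   ("until", f, g)   strict until f U+ g: some later j satisfies g and every
#                     position strictly between satisfies f
def neg(f):        return ("imp", f, ("false",))
def true():        return ("imp", ("false",), ("false",))
def or_(f, g):     return ("imp", neg(f), g)
def and_(f, g):    return neg(("imp", f, neg(g)))
def eventually(f): return ("until", true(), f)       # F+ f = T U+ f
def always(f):     return neg(eventually(neg(f)))    # G+ f = not(T U+ not f), slide 7


class Lasso:
    """Positions 0..n are the prefix, n+1..n+m the loop that repeats forever."""

    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.w = [frozenset(s) for s in prefix + loop]
        self.n = len(prefix) - 1
        self.m = len(loop)
        self.cache = {}          # formula -> frozenset of positions where it holds

    def succ(self, i):
        """i+1, except that the last loop position wraps back to n+1."""
        return i + 1 if i < self.n + self.m else self.n + 1

    def positions(self):
        return range(len(self.w))


def sat_set(M, f):
    """All positions i of M with check(M, i, f) = true, computed bottom-up."""
    if f in M.cache:
        return M.cache[f]
    kind = f[0]
    if kind == "p":
        s = {i for i in M.positions() if f[1] in M.w[i]}
    elif kind == "false":
        s = set()
    elif kind == "imp":
        a, b = sat_set(M, f[1]), sat_set(M, f[2])
        s = {i for i in M.positions() if i not in a or i in b}
    elif kind == "next":
        a = sat_set(M, f[1])
        s = {i for i in M.positions() if M.succ(i) in a}
    elif kind == "until":
        a, b = sat_set(M, f[1]), sat_set(M, f[2])
        # least fixpoint of  i in s  iff  succ(i) in b  or (succ(i) in a and succ(i) in s).
        # Starting from the empty set guarantees that g is really reached: a loop on
        # which f holds forever but g never does is NOT accepted.
        s, changed = set(), True
        while changed:
            changed = False
            for i in M.positions():
                j = M.succ(i)
                if i not in s and (j in b or (j in a and j in s)):
                    s.add(i)
                    changed = True
    else:
        raise ValueError(f"unknown connective {kind!r}")
    M.cache[f] = frozenset(s)
    return M.cache[f]


def check(M, i, f):
    """check(M, i, f) of slide 4: does the suffix of M from position i satisfy f?"""
    return i in sat_set(M, f)


def model_check(M, f):
    """M |= f  iff  check(M, 0, f) = true (slide 4)."""
    return check(M, 0, f)


if __name__ == "__main__":
    p, q = ("p", "p"), ("p", "q")
    # constructed model: w = {p} {p,q} ({q} {p})^omega, i.e. n = 1, m = 2
    M = Lasso([{"p"}, {"p", "q"}], [{"q"}, {"p"}])
    print(model_check(M, always(or_(p, q))))   # True:  every later position has p or q
    print(model_check(M, always(p)))           # False: position 2 carries only q
    print(check(M, 3, eventually(q)))          # True:  the loop wraps from 3 back to 2
```

The fixpoint loop replaces the two-pass check/check' recursion of the slide: one pass over the prefix plus loop cannot decide an until whose witness lies "behind" the current position in the loop, and the fixpoint simply keeps iterating until no position changes, which on a finite lasso terminates after at most |M| rounds.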

Slide 6 H. Schlingloff, SS2012: SWV 2 Kripke structures
Usually, model M is an LTS, while-program, Kripke structure, or such
M ⊨ φ is read as "for all execution sequences σ of M it holds that σ ⊨ φ"
How to check all execution sequences? → depth-first search!
Given formula φ, define SF(φ) to be the set of all subformulas of φ (for reasons which will become clear later, we say that Xφ, Xψ and X(φ U⁺ ψ) are subformulae of φ U⁺ ψ)
m ⊆ SF(φ) is propositionally consistent if
- not m ⊢ ⊥ (propositionally), e.g., not (ψ ∈ m and ¬ψ ∈ m)
- φ U⁺ ψ ∈ m iff Xψ ∈ m or (Xφ ∈ m and X(φ U⁺ ψ) ∈ m)
atom α = (w,m), w ⊆ P an interpretation, m ⊆ SF(φ) propositionally consistent, p ∈ m iff p ∈ w
define an atom graph as "M × φ"

Slide 7 H. Schlingloff, SS2012: SWV 2 Atom Graph
An initial atom is any α_0 = (w_0, m_0), where w_0 is any initial state of M and m_0 is any propositionally consistent set s.t. φ ∈ m_0
(w,m) → (w',m') if
- (w,w') ∈ Δ
- Xψ ∈ m iff ψ ∈ m'
The atom graph can be constructed depth-first
Example: φ = G⁺(p → q) = ¬(T U⁺ ¬(p → q))
SF(φ) = {
M =

Slide 8 H. Schlingloff, SS2012: SWV 2 Eventualities
If m contains φ U⁺ ψ, some m' containing ψ must be reachable
- "reachable" means "in the same strongly connected component" (SCC)
- self-fulfilling SCC: for any α = (w,m) and φ U⁺ ψ ∈ m there is a reachable α' = (w',m') in the same SCC with ψ ∈ m'
→ we have to decompose the atom graph into SCCs
- Tarjan's algorithm is a clever solution to this
- linear complexity (enumerates SCCs as they are encountered)
- overall complexity: |M| · 2^|φ|
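The construction of slides 6 to 8 end to end: the subformula closure SF(φ), the propositionally consistent sets, the depth-first construction of the atom graph over a Kripke structure, Tarjan's SCC decomposition and the self-fulfilling test. This is an added example and not the lecture's code; it assumes a tuple encoding of formulas (("p", a), ("false",), ("imp", f, g), ("next", f), ("until", f, g) with strict U⁺), and the class and function names (Kripke, atom_graph, exists_run, ...) are this example's own. Because the atom graph searches for one execution satisfying φ while M ⊨ φ quantifies over all executions, the universal check is rendered here as "no execution satisfies ¬φ".

```python
# Added example: atom-graph LTL model checking of a Kripke structure (slides 6-8).
# Not the lecture's code; the formula encoding and every name are this example's own.
# Formulas: ("p", a) ("false",) ("imp", f, g) ("next", f) ("until", f, g) (strict U+).

def neg(f):    return ("imp", f, ("false",))
def true():    return ("imp", ("false",), ("false",))
def or_(f, g): return ("imp", neg(f), g)
def always(f): return neg(("until", true(), neg(f)))   # G+ f = not(T U+ not f), slide 7

class Kripke:
    """States, initial states, transition relation Delta, labelling L(w) = set of propositions."""
    def __init__(self, states, initial, delta, label):
        self.states, self.initial, self.delta, self.label = states, initial, delta, label
    def successors(self, w):
        return [v for (u, v) in self.delta if u == w]

def subformulas(f):
    """SF(f); for f U+ g the formulas X g, X f and X(f U+ g) count as subformulas (slide 6)."""
    sf = {f}
    for sub in f[1:]:
        if isinstance(sub, tuple):
            sf |= subformulas(sub)
    if f[0] == "until":
        sf |= {("next", f[2]), ("next", f[1]), ("next", f)}
    return sf

def size(f):
    return 1 + sum(size(x) for x in f[1:] if isinstance(x, tuple))

def consistent_sets(sf, props):
    """All propositionally consistent m ⊆ sf that agree with the state's propositions.
    Fixing which X-formulas are in m forces every other member (rules of slide 6),
    so only the X-formulas are enumerated: 2^|X-subformulas| candidates per state."""
    nexts = [g for g in sf if g[0] == "next"]
    rest = sorted((g for g in sf if g[0] != "next"), key=size)   # bottom-up order
    for bits in range(1 << len(nexts)):
        m = {g for k, g in enumerate(nexts) if bits >> k & 1}
        for g in rest:
            if g[0] == "p":
                ok = g[1] in props                      # p in m iff p in L(w)
            elif g[0] == "false":
                ok = False
            elif g[0] == "imp":
                ok = g[1] not in m or g[2] in m
            else:  # f U+ g in m iff X g in m or (X f in m and X(f U+ g) in m)
                ok = ("next", g[2]) in m or (("next", g[1]) in m and ("next", g) in m)
            if ok:
                m.add(g)
        yield frozenset(m)

def atom_graph(M, phi):
    """Successor map of the atoms reachable from the initial atoms, built depth-first (slide 7)."""
    sf = subformulas(phi)
    nexts = [g for g in sf if g[0] == "next"]
    atoms_of = {w: [(w, m) for m in consistent_sets(sf, M.label[w])] for w in M.states}
    def edge(a, b):  # (w,m) -> (w',m') iff (w,w') in Delta and (X psi in m iff psi in m')
        return all((g in a[1]) == (g[1] in b[1]) for g in nexts)
    succ, stack = {}, [a for w in M.initial for a in atoms_of[w] if phi in a[1]]
    while stack:
        a = stack.pop()
        if a not in succ:
            succ[a] = [b for v in M.successors(a[0]) for b in atoms_of[v] if edge(a, b)]
            stack.extend(succ[a])
    return succ

def tarjan_sccs(succ):
    """Tarjan's algorithm; each SCC is emitted as soon as its root is finished."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            k = stack.index(v)
            comp, stack[k:] = stack[k:], []
            on_stack.difference_update(comp); sccs.append(comp)
    for v in list(succ):
        if v not in index:
            visit(v)
    return sccs

def self_fulfilling(comp, succ):
    """Slide 8: non-trivial SCC in which every f U+ g of every atom is answered by an atom of the SCC containing g."""
    if len(comp) == 1 and comp[0] not in succ[comp[0]]:
        return False                                    # no cycle, hence no infinite run
    return all(any(g[2] in m2 for (_, m2) in comp)
               for (_, m) in comp for g in m if g[0] == "until")

def exists_run(M, phi):
    """Some execution of M satisfies phi iff a self-fulfilling SCC is reachable."""
    succ = atom_graph(M, phi)
    return any(self_fulfilling(c, succ) for c in tarjan_sccs(succ))

def model_check(M, phi):
    """M |= phi in the 'for all executions' sense of slide 6: no run satisfies not phi."""
    return not exists_run(M, neg(phi))

if __name__ == "__main__":
    p, q = ("p", "p"), ("p", "q")
    M = Kripke([0, 1, 2], [0], [(0, 1), (1, 2), (1, 0), (2, 2)],   # constructed structure
               {0: {"p"}, 1: {"p", "q"}, 2: {"q"}})
    print(model_check(M, always(or_(p, q))), exists_run(M, always(q)), model_check(M, always(q)))
```

Only the X-subformulas are enumerated per state, because the state fixes every proposition and the rules of slide 6 then determine membership of every other subformula; this keeps the per-state work at 2^(number of X-subformulas) rather than 2^|SF(φ)|, which is still within the |M| · 2^|φ| bound of slide 8. A singleton SCC without a self-loop is rejected outright, since no infinite execution can end in it.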

Slide 9 H. Schlingloff, SS2012: SWV 2 LTL Model Checking Algorithm

Slide 10 H. Schlingloff, SS2012: SWV

Slide 11 H. Schlingloff, SS2012: SWV 2 Improvements
- bitstate hashing
- incomplete hashing
- partial order techniques