Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Plan for the Winter Introduction Modeling of systems Temporal logics (LTL, CTL, CTL*) Simulations and bisimulations Model checking Symbolic representations (BDDs) Abstraction and refinement (CEGAR) Real time (UPPAAL)

Language inclusion “Safety property” is a semantic notion The language of any (finitary) LTS is a safety property show that if any finite prefix of an infinite model can be extended to an accepted model, then the whole model is accepted If a safety property is given as an LTS, model checking can be done by “parallel execution” Example

Verification = language containment? An implementation I satisfies a specification S if L(I)  L(S) “the automata-theoretic approach to model-checking” But not always adequate:

Simulation relation Simulation relation between models

Preserving CTL properties Converse does not hold: image finiteness needed!

Simulation Checking If both models are deterministic, use automata inclusion Otherwise, define a sequence of relations the intersection is the largest possible simulation relation partition refinement algorithm (greatest fixed point)

Examples

Simulation relation Simulation relation between models

Simulation Checking If both models are deterministic, use automata inclusion Otherwise, define a sequence of relations the intersection is the largest possible simulation relation partition refinement algorithm (greatest fixed point)

Preserving CTL properties Converse does not hold: image finiteness needed!

Bisimulations “symmetric simulation”

Properties of Bisimulations finite models are CTL-equivalent iff they are bisimilar (in general this does not hold for infinite models) efficiency: constructing the smallest model which is bisimilar to a given model Paige-Tarjan algorithm for bisimulation minimization partition refinement, O(m log n), where m=|result|, n=|input|

Plan for the Winter Introduction Modeling of systems Temporal logics (LTL, CTL, CTL*) Simulations and bisimulations Model checking Symbolic representations (BDDs) Abstraction and refinement (CEGAR) Real time (UPPAAL)

Model checking Given a model M and a formula φ, model checking is answering the question whether M ⊨ φ somewhat easier than checking validity or satisfiability of φ usually easier than checking ⊨ φMφ sometimes easier than checking L(M)  L(φ) or ML(φ) Several variants, depending on the logic and the way the model is given e.g., consider PL and a lookup truth table for propositions  linear in |φ| e.g., consider FOL and a „computation engine“ for predicates in general model checking is an undecidable problem Here, LTL and CTL are of interest

Model Checking LTL We want to check whether M ⊨ φ φ is a LTL formula (for simplicity, excluding past) M is a natural model (sequence of proposition interpretations) if M is finite, then the problem is easy M ⊨ φ iff check(M,0,φ) = true check(M,i,p) = true iff pM(i) check(M,i, )=false check(M,i, φψ) = true iff check(M,i,φ) implies check(M,i, ψ) check(M,i, φU+ψ) = true iff for some j>i, check(M,j,ψ) = true and for all i<k<j, check(M,k,φ) = true better: check(M,i, φU+ψ) = i+1<|M| and check(M,i+1, (ψφφU+ψ))

Infinite sequences iterative version of this clause? M=w0w1w2 ... wn(wn+1 ... wn+m)ω check(M,i, φU+ψ) = for some i<j<=n+m, check(M,j,ψ) = true and for all i<k<j, check(M,k,φ) = true or i>n and for all i<k<=n+m, check(M,k,φ) = true and for some n<j<=i, check(M,j,ψ) = true and for all n<k<j, check(M,k,φ) = true iterative version of this clause? check(M,i, φU+ψ) = i<n+m and check(M,i+1, (ψφφU+ψ)) or i=n+m and check‘(M,n+1, (ψφφU+ψ))

Improvements bitstate hashing incomplete hashing partial order techniques

CTL model checking For each LTS/model there is exactly one computation tree CTL model checking works directly on the model (no need to extract computation sequences) For all subformulas of a formula and all states of a given model, mark whether the state satisfies the subformula iteration on formulas according to their inductive definition if p is an atomic proposition, then pM= I(p) M={} (φψ)M = (M-φM +ψ M) (EXφ)M = {w | w‘ (wRw‘ w‘φM )} E(φU+ψ)M = {w | there is a path α from w and a w‘ on α such that (w<w‘ w‘ ψM ) w‘‘ (w<w‘‘<w‘ w‘‘ φM )} A(φU+ψ)M = {w | for all paths α from w there is a w‘ on α such that (w<w‘ w‘ ψM ) w‘‘ (w<w‘‘<w‘ w‘‘ φM )}

Actual Calculation How to calculate (EX ψ)M from ψM? Inverse image construction How to calculate E(φU+ψ)M or A(φU+ψ)M from φM and ψM?

Reflection What has been achieved Where this is relevant Vorläufige Vorlesungsplanung Einführung Modellierung von Systemen Temporale Logik Modellprüfung Symbolische Repräsentation Abstraktion Realzeit Where this is relevant HW design (IEEE‐1850 PSL) Safety-critical SW design Embedded systems design