Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

Postscript F*G*p cannot be expressed as G*F*φ ¬ (F*G*p  G*F*p) is obvious Show: there is no pure-past LTL-formula φ such that (F*G*p  G*F*φ) Assume the contrary: there is a pure-past LTL-formula φ such that (F*G*p  G*F*φ) Consider the model M0 = p = ppp... Then M0 ⊨ F*G*p, hence by ass. M0 ⊨ G*F*φ hence (M0,0) ⊨ F*φ and there is a point i0 such that (M0, i0) ⊨ φ Consider the model M1 = (pi0) (¬p) (p). Since φ is pure past, (M1, i0) ⊨ φ Furthermore, M1 ⊨ F*G*p, hence by ass. M1 ⊨ G*F*φ, hence (M1, i0+2) ⊨ F*φ and there is a point i1 > i0+1 such that (M1, i1) ⊨ φ Consider the model M2 where p is false only at (i0+1) and (i1+1). Again (M2, i0) ⊨ φ and (M2, i1) ⊨ φ . Furthermore, M2 ⊨ F*G*p and M2 ⊨ G*F*φ, hence (M2, i1+2) ⊨ F*φ and there is i2>i1+1 such that (M2, i2) ⊨ φ and so on. Let M be the model defined by (M, k) ⊨ p iff for all i, (Mi, k) ⊨ p (thanks, Jochen!) In M , p is false infinitely often and φ is true infinitely often. Hence, M ⊭ F*G*p and M ⊨ G*F*φ, which is a contradiction 12.4.2012

Safety and Liveness Properties Proof of decomposition theorem: φs={w0w1... | for every i, w0w1... wi is a prefix of φ} φl= φ{w0w1... | for some i, w0w1... wi is not a prefix of φ} show: φs is safety, φl is liveness, φ = φs  φl 24.5.2012

Examples (p U+ q) = ((p W+ q)  F+ q) G*(p  F*q) = (G*p  G*F*q) G*p  G*q = G*(H*p  H*q) (holds only initially, in the beginning!) Total program correctness = invariance  termination other direction does not hold 24.5.2012

Example: Peterson’s Mutual Exclusion {t=0; x=0; y=0; {0: while(true){NC1: skip; 1: x=1; 2: t=1; 3: await(t==0  y==0); C1: skip; 4: x=0;} || {0: while(true){NC2: skip; 1: y=1; 2: t=0; 3: await(t==1  x==0); C2: skip; 4: y=0;} } We want to show: G*(¬ C1  ¬ C2)  true G*(3  F* C1)  false!! (G*F*  G*F*)  G*(3  F* C1) 12.4.2012

Language inclusion “Safety property” is a semantic notion The language of any (finitary) LTS is a safety property show that if any finite prefix of an infinite model can be extended to an accepted model, then the whole model is accepted If a safety property is given as an LTS, model checking can be done by “parallel execution” Example 12.4.2012

Verification = language containment? An implementation I satisfies a specification S if L(I)  L(S) “the automata-theoretic approach to model-checking” But not always adequate: 12.4.2012

Simulation relation Simulation relation between models 12.4.2012

Preserving CTL properties Converse does not hold: image finiteness needed! 12.4.2012

Simulation Checking If both models are deterministic, use automata inclusion Otherwise, define a sequence of relations the intersection is the largest possible simulation relation partition refinement algorithm (greatest fixed point) 12.4.2012

12.4.2012

Examples 12.4.2012