CSCI1600: Embedded and Real Time Software Lecture 31: Verification III Steven Reiss, Fall 2017

Property Definition Using CTL or LTL temporal logic Recall As conditions over paths Where the paths are specified by predicates Recall X f (neXt time) F f (eventually, in the Future) G f (always, Globally) f U g (Until) f R g (Release) A (for All paths) E (there Exists a path) Lecture 33: Verification III 2/5/2019

Program Definition Finite State Automata Associate labels with states Extended FSAs: simple variables to determine transitions Unless a transition is explicitly limited, it is possible Assumes non-determinism Associate labels with states Properties that are true in the state Properties are determined from the predicates of interest Automata can be simplified to only reflect these properties Lecture 33: Verification III 2/5/2019

Proving Properties Show that for all possible “executions” of the program The property holds If it doesn’t hold Show the counter example Serves to document or understand the problem Can be used to further refine the model program Include other variables or values Checks to avoid false positives Lecture 33: Verification III 2/5/2019

How Can We Do Such Proofs? Map the formula into an FSA and work with 2 FSAs Condition changes during execution trigger changes in the state FSA Track the property FSA states for each program state Work directly on the automata with the formula Track what parts of the formula a true at each point in the program Work by induction Since the program is finite state Can associate all valid subformulas with each state This tells us what is valid at each state Map the program into a formula and work with 2 formulas What works best depends on application and property But all have been tried and used successfully Lecture 33: Verification III 2/5/2019

Example: Microwave Oven Lecture 33: Verification III 2/5/2019

Example: Properties AG(start -> AF heat) For all paths, if we hit start, then we eventually get heat Is this true? Lecture 33: Verification III 2/5/2019

Working with formula over FSA Identify the states of the FSA where the formula holds By using labels on the states Using all subformulas of the formula If we know the value for all subformulas, we can compute the value of the formula How depends on the particular operator that combines the subformulas Example: AND, OR, NOT This can be done inductively over subformula Only need to consider primitives and EU and EG operators All the other CTL operators can be defined in terms of these Lecture 33: Verification III 2/5/2019

Showing EU: E(f1 U f2) f1 holds until f2 holds on some path from this state Want to find all states where this is true Given we know the states where f1 and f2 hold (induction) Algorithm: T = { s : f2 is in label(s) } FORALL s in T DO: add E(f1 U f2) to label(s) WHILE (T is non-empty) CHOOSE s in T and remove it from T FORALL t such that t is a predecessor state of s IF E(f1 U f2) is not in label(t) and f1 is in label(t) THEN Add E(f1 U f2) to label(t); Add t to T ENDIF NEXT Lecture 33: Verification III 2/5/2019

Showing EG f f always holds on some path Algorithm: What does this require in terms of the program automata Algorithm: S = { s | f is in label(s) } SCC = { C | C is a nontrivial strongly connected component of S } T = Union of all s in a C in SCC FORALL s in T DO: add (EG f) to label(s) WHILE T is non-empty DO CHOOSE s in T and remove it from T FORALL t such that t is a predecessor of s and t is in S IF (EG f) is not in label(t) THEN ADD (EG f) to label(t) ADD t to T ENDIF NEXT Lecture 33: Verification III 2/5/2019

Proving AG(start -> AF heat) Convert to using these operators AG(start -> AF heat) ~EF(start ˄ EG ~heat) ~E(true U (start ˄ EG ~heat)) Prove: ~E(true U (start ˄ EG ~heat)) Lecture 33: Verification III 2/5/2019

Work On: ~E(true U (start ˄ EG ~heat)) S(start) = { 2,5,6,7 } S(~heat) = { 1,2,3,5,6 } S(EG ~heat) Find SCC of ~heat : { 1,2,3,5 } S(EG ~heat) = { 1,2,3,5 } S(start and EG ~heat) = { 2,5 } S(E(true U (start and EG ~heat))) Initially { 2, 5 } Add any predecessor where true is true Yields { 1,2,3,4,5,6,7 } S(~E(true U (start and EG ~heat))) = { } The property does not hold Lecture 33: Verification III 2/5/2019

AG(~error AND start -> AF heat) Convert to use the operators AG(~error ˄ start -> AF heat) ~EF(~error ˄ start ˄ EG ~heat) ~E(true U (~error ˄ start ˄ EG ~heat)) Lecture 33: Verification III 2/5/2019

Show: ~E(true U (~error ˄ start ˄ EG ~heat)) Lecture 33: Verification III 2/5/2019

Can also work with formulas Convert program into a logical formula Create a joint formula combining program and condition Verify the joint formula is correct Lecture 33: Verification III 2/5/2019

Working with Formula Assume we have a LTL/CTL formula for property Assume we have a finite state program Objective: Map the program to a Boolean formula Create a combined formula for property + program Prove the combined formula or find counter example Lecture 33: Verification III 2/5/2019

Mapping the Program Represent the current state as a set of Boolean variables (s0,s1,s2,…,sn) Each state has a identifying number (s0,s1,…sn) is the bit representation of that number Define a relation R specifying valid transitions R(s,t): there is a transition from s to t R can be stated as a (complex) Boolean formula Can be used to look at both successors and predecessors Lecture 33: Verification III 2/5/2019

Merge Program and Formula For each condition f, create formula F(s’) that is true for all states s’ where f holds (and false for all other states) This is done inductively over the subformula Base case: primitive formulas EF, EG operators Defined iteratively (using fixed points) using current formulas and R to build the current formula Essentially using the algorithms we saw last time This can all be done mechanically Lecture 33: Verification III 2/5/2019

Making This Practical The formulas can be generated but They are going to be very large Need to both generate and use them efficiently We need an efficient representation of a formula Easy to operate on (AND/OR/NOT/IMPLIES) Space efficient Easy to manipulate by computer We need a practical solver Lecture 33: Verification III 2/5/2019

Decision Trees A B F T C T F A formula can be written as a decision tree Each node is labeled with a Boolean variable Each node has a true and a false branch out Leaves are labeled either TRUE or FALSE Example: A and (B or C) Try a AND (b OR (c XOR d)) What is the size of the tree? Does it have to be this size? A T F B F F T T C F T T F Lecture 33: Verification III 2/5/2019

Simplifying Decision Trees Most of the decision trees look the same Extra variables just yield identical subtrees Trees can be simplified Simplify the tree into a DAG There are only two real leaves (merge these) If two nodes have the same children and the same labels, they can be merged If both branches of a node go to the same node, the original node can be eliminated This can be iterated Worst case size is still exponential, actual size is generally much smaller The results is a BDD (Binary Decision Diagram) Lecture 33: Verification III 2/5/2019

Ordered BDDs Place an a priori order on the variables as labels Note that order affects the size Optimum ordering is NP complete Logical operations are easy to do on ordered BDDs Complement: flip TRUE and FALSE leaves AND, OR: Merge the two trees level by level Ordering makes this easy Setting result to be AND/OR or merged result EG and EU Defined as iterative procedures on BDDs Stopping at appropriate fixed points (no changes to BDD on next pass) All computations are O(1) or O(nlogn) or O(n) on the tree Lecture 33: Verification III 2/5/2019

Model Checking BDDs Compute the BDD for R(s,t) for the program Inductively compute F(s) for the formula f F(S) is true iff f is true in the program F(S) is true iff it is the singleton node True Otherwise there is a path that shows false Can use the BDD path to FALSE to find counterexample BDDs have been used to verify programs with 2^80 states Lecture 33: Verification III 2/5/2019

Extensions RTCTL : handle incremental real time constraints G[a,b]f :: f holds from a to b Continuous Real Time Work in terms of timed automata & clock regions Lecture 33: Verification III 2/5/2019

Homework Read Chapter 16 Exercise 16.1, 16.2 Lecture 33: Verification III 2/5/2019

Solving with only Automata Map the formula into an automata Annotate the program automata with output events That trigger the formula automata Then annotate the program automata For each state: list the set of states in the formula automata that are reachable This can only grow and must eventually come to a fixed point Determine success/failure from the result Lecture 33: Verification III 2/5/2019

Example Once an iterator is allocated, every call to next must be preceded by a call to hasNext Lecture 33: Verification III 2/5/2019

Iterator Example Program for (Iterator it = x.iterator(); it.hasNext(); ) { y = it.next(); } it = x.iterator / ALLOC it.hasNext() / HASNEXT y = it.next() / NEXT Lecture 33: Verification III 2/5/2019

Iterator Example A C D E B it = x.iterator / ALLOC it.hasNext() / HASNEXT y = it.next() / NEXT Lecture 33: Verification III 2/5/2019