1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching15-398 SPIN An explicit state model checker.

Slides:



Advertisements
Similar presentations
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Advertisements

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea
Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
PSWLAB S PIN Search Algorithm from “THE SPIN MODEL CHECKER” by G Holzmann Presented by Hong,Shin 9 th Nov SPIN Search Algorithm.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
Model Checking Lawrence Chung.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Infinite Automata -automata is an automaton that accepts infinite strings A Buchi automaton is similar to a finite automaton: S is a finite set of states,
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
On-the-fly Model Checking from Interval Logic Specifications Manuel I. Capel & Miguel J. Hornos Dept. Lenguajes y Sistemas Informáticos Universidad de.
Witness and Counterexample Li Tan Oct. 15, 2002.
Review of the automata-theoretic approach to model-checking.
1 Completeness and Complexity of Bounded Model Checking.
Witness and Counterexample Li Tan Oct. 15, 2002.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.
LTL – model checking Jonas Kongslund Peter Mechlenborg Christian Plesner Kristian Støvring Sørensen.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Temporal Logic-Overview FM Temporal Logic u Classical logic: Good for describing static conditions u Temporal logic: Adds temporal operators Describe.
Model Checking and Related Techniques
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
Wishnu Prasetya LTL Model Checking.
Basics of automata theory
Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Yang Liu, Jun Sun and Jin Song Dong School of Computing National University of Singapore.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,
Copyright , Doron Peled and Cesare Tinelli. These notes are based on a set of lecture notes originally developed by Doron Peled at the University.
Four Lectures on Model Checking Tom Henzinger University of California, Berkeley.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.
Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
15-820A 1 LTL Model Checking A Flavio Lerda.
Automatic Verification
Formal Methods in software development
An explicit state model checker
Producing short counterexamples using “crucial events”
Translating Linear Temporal Logic into Büchi Automata
Formal Methods in software development
Program correctness Branching-time temporal logics
Presentation transcript:

1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker

2 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Properties Safety properties –Something bad never happens –Properties of states Liveness properties –Something good eventually happens –Properties of paths Reachability is sufficient We need something more complex to check liveness properties

3 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Liveness properties are expressed in LTL –Subset of CTL* of the form: A f where f is a path formula which does not contain any quantifiers The quantifier A is usually omitted. G is substituted by   (always) F is substituted by  (eventually) X is (sometimes) substituted by  (next)

4 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Formulae Always eventually p:   p AGFp in CTL* AG(p  Fq) in CTL* Fairness: (   p )   AG(p  AFq) in CTL AG AF p in CTL A((GF p)   ) in CTL* Can’t express it in CTL Always after p there is eventually q:  ( p  (  q ) )

5 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Semantics The semantics is the one defined by CTL* Given an infinite execution trace  = s 0 s 1 …

6 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking An LTL formula defines a set of traces Check trace containment –Traces of the program must be a subset of the traces defined by the LTL formula –If a trace of the program is not in such set It violates the property It is a counterexample –LTL formulas are universally quantified

7 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Trace containment can be turned into emptiness checking –Negate the formula corresponds to complement the defined set: –Subset corresponds to empty intersection:

8 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata An LTL formula defines a set of infinite traces Define an automaton which accepts those traces Buchi automata are automata which accept sets of infinite traces

9 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata A Buchi automaton is 4-tuple : –S is a set of states –I  S is a set of initial states –  : S  2 S is a transition relation –F  S is a set of accepting states We can define a labeling of the states: – : S  2 P is a labeling function where P is the set of propositions.

10 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata s0s0 s1s1 s2s2 S = { s 0, s 1, s 2 } I = { s 0 }  = { (s 0, {s 0, s 1 }), (s 1, {s 2 }), (s 2, {s 2 }) } F = { s 2 } = { (s 0, {a}), (s 1, {b}), (s 2, {}) } abtrue

11 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata An infinite trace  = s 0 s 1 … is accepted by a Buchi automaton iff: –s 0   I –  i ≥ 0: s i+1   (s i ) –  i ≥ 0:  j > i: s j  F

12 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Let’s assume each state is labeled with a complete set of literals –Each proposition or its negation is present –Labeling function  A Buchi automaton accepts a trace  = S 0 S 1 … –  s o  I:  (S 0 )  (s o ) –  i ≥ 0:  s i+1   (s i ).  (S i+1 )  (s i+1 ) –  i ≥ 0:  j > i: s j  F

13 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata s0s0 s1s1 s2s2 ba true  = a a a a a b b b a c c c c …  = a a a c a b b b a b a b b …

14 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata Some properties: –Not all non-deterministic Buchi automata have an equivalent deterministic Buchi automata –Not all Buchi automata correspond to an LTL formula –Every LTL formula corresponds to a Buchi automaton –Set of Buchi automata closed until complement, union, intersection, and composition

15 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching Buchi Automata ba true s0s0 s1s1 s2s2 a U b What LTL formula does this Buchi automaton corresponds to (if any)?

16 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Generate a Buchi automaton for the negation of the LTL formula to check Compose the Buchi automaton with the automaton corresponding to the system Check emptiness

17 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Composition: –At each step alternate transitions from the system and the Buchi automaton Emptiness: –To have an accepted trace: There must be a cycle The cycle must contain an accepting state

18 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking Cycle detection –Nested DFS Start a second DFS Match the start state in the second DFS –Cycle! Second DFS needs to be started at each state? –Accepting states only will suffice Each second DFS is independent –If started in post-order states need to be visited at most once in the second DFS searches

19 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking procedure DFS(s) visited = visited  {s} for each successor s’ of s if s’  visited then DFS(s’) if s’ is accepting then DFS2(s’, s’) end if end for end procedure

20 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching LTL Model Checking procedure DFS2(s, seed) visited2 = visited2  {s} for each successor s’ of s if s’ = seed then return “Cycle Detect”; end if if s’  visited2 then DFS2(s’, seed) end if end for end procedure

21 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching References Design and Validation of Computer Protocols by Gerard Holzmann The Spin Model Checker by Gerard Holzmann An automata-theoretic approach to automatic program verification, by Moshe Y. Vardi, and Pierre Wolper An analysis of bitstate hashing, by G.J. Holzmann An Improvement in Formal Verification, by G.J. Holzmann and D. Peled Simple on-the-fly automatic verification of linear temporal logic, by Rob Gerth, Doron Peled, Moshe Vardi, and Pierre Wolper A Minimized automaton representation of reachable states, by A. Puri and G.J. Holzmann

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.