Instructor: Rajeev Alur alur@cis.upenn.edu CIS 540 Principles of Embedded Computation Spring 2015 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur alur@cis.upenn.edu
CIS 540 Spring 2015; Lecture Feb 4 Requirements Requirement: Desirable property of the executions of the system Informal: Either implicit, or stated in English in documents Formal: Stated explicitly in a mathematically precise manner High assurance / safety-critical systems: Formal requirements Model/design/system meets the requirements if every execution satisfies all the requirements Clear separation between requirements (what needs to be implemented) and system (how it is implemented) Verification problem: Given a requirement j and a system/model C, prove/disprove that the system C satisfies the requirement j CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Safety Requirements A safety requirement states that a system always stays within “good’ states (i.e. a nothing bad ever happens) Leader election: it is never the case that two nodes consider them to be leaders Collision avoidance: Distance between two cars is always greater than some minimum threshold Different class of requirements: Liveness System eventually attains its goal Leader election: Each node eventually makes a decision Cruise controller: Actual speed eventually equals desired speed Formalization and analysis techniques for safety and liveness differ significantly, so let us first focus on safety CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Transition Systems States + Initial states + Transitions between states CIS 540 Spring 2015; Lecture Feb 4
Definition of Transition System Syntax: a transition system T has a set S of (typed) state variables Initialization Init for state variables Transition description Trans given by code to update state vars Semantics: Set QS of states Set [Init] of initial states (this is a subset of QS) Set [Trans] of transitions, subset of QS x QS Synchronous reactive components, programs, and more generally systems, all have an underlying transition system CIS 540 Spring 2015; Lecture Feb 4
Switch Transition System (press=0 & x<10) x:=x+1 (press=0) ? (press=1) ? State variables: {off, on} mode, int x int x:=0 off on (press=1 | x>=10) x:=0 Initialization: mode = off; x = 0 (off,0) (on, 56) Transitions: (off,n) -> (off,n); (off,n) -> (on,n); (on,n) -> (on,n+1) if n<10; (on,n) -> (off,0) (on, 2) (on, 0) (on, 3) (off, 17) (on, 17) Input/output variables become local Values for input vars chosen nondeterministically CIS 540 Spring 2015; Lecture Feb 4
Euclid’s GCD Algorithm Classical program to compute greatest common divisor of (non-negative) input numbers m and n (x>0 & y>0) if (x>y) then x:=x-y else y:=y-x nat x:=m; y:=n loop stop ~ (x>0 & y>0) if (x=0) then x:=y CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Reachable States off on int x:=0 (press=0) ? (press=1) ? (press=0 & x<10) x:=x+1 (press=1 | x>=10) x:=0 (on, 56) (off,0) (on, 0) (on, 1) (on, 10) (off, 17) (on, 17) CIS 540 Spring 2015; Lecture Feb 4
Reachable States of Transition Systems A state s of a transition system is reachable if there is an execution starting in an initial state and ending in the state s CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Invariants (on, 56) (off,0) (on, 0) (on, 1) (on, 10) (off, 17) (off, 10) (on, 17) Property of a transition system: Boolean-valued expression j over state variables Property j is an invariant of T if every reachable state satisfies j Examples of invariants: (x <= 10); ( x <= 50); ( mode= off -> x=0 ) Examples of properties that are not invariants: (x < 10); (mode=off) CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Invariants Express desired safety requirement as property j of state variables If j is an invariant then the system is safe If j is not an invariant, then some state satisfying ~j is reachable (execution leading to such a state is counterexample) Leader election: (rn = N -> idn = max P), P : set of identifiers of all nodes Euclid’s GCD Program: (mode=stop -> x = gcd(m,n)) CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Formal Verification Model/Program Verifier yes/proof no/bug Requirement Grand challenge: Automate verification as much as possible ! CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Analysis Techniques Dynamic Analysis (runtime) Execute the system, possibly multiple times with different inputs Check if every execution meets the desired requirement Static Analysis (design time) Analyze the source code or the model for possible bugs Trade-offs Dynamic analysis is incomplete, but accurate (checks real system, and bugs discovered are real bugs Static analysis can catch design bugs early ! Many static analysis techniques are not scalable (solution: analyze approximate versions, can lead to false warnings) CIS 540 Spring 2015; Lecture Feb 4
Invariant Verification Simulation Simulate the model, possibly multiple times with different inputs Easy to implement, scalable, but no correctness guarantees Proof based Construct a proof that system satisfies the invariant Requires manual effort (partial automation possible) State-space analysis (Model checking) Algorithm explores “all” reachable states to check invariants Not scalable, but current tools can analyze many real-world designs (relies on many interesting theoretical advances) CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Proving Invariants Given a transition system (S, Init, Trans), and a property j, prove that all reachable states of T satisfy j Inductive definition of reachable states All initial states are reachable using 0 transitions If a state s is reachable in k transitions and (s,t) is a transition, then the state t is reachable in (k+1) transitions Reachable = Reachable in n transitions, for some n Prove: for all n, states reachable in n transitions satisfy j Base case: Show that all initial states satisfy j Inductive case: Assume that a state s satisfies j Show that if (s,t) is a transition then t must satisfy j CIS 540 Spring 2015; Lecture Feb 4
Recap: Inductive Proofs To show that a statement P holds for all numbers n, Base case: Prove that P holds for n=0 Assume that P holds for an arbitrary number k Prove (using the assumption) that the statement holds for k+1 Example statement: For all n, (0 + 1 + 2 + … + n) = n(n+1)/2 CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Inductive Invariant A property j is an inductive invariant of transition system T if Every initial state of T satisfies j If a state satisfies j and (s,t) is a transition of T, then t must satisfy j If j is an inductive invariant, then all reachable states of T must satisfy j, and thus, it is an invariant CIS 540 Spring 2015; Lecture Feb 4
Proving Inductive Invariant Example (1) Consider transition system T given by State variable int x, initialized to 0 Transition description given by “if (x < m) then x:=x+1” Is the property j : (0 <= x <= m) an inductive invariant of T ? Base case: Consider initial state (x=0). Check that it satisfies j Inductive case: Consider an arbitrary state s, suppose s(x) = a Assume that s satisfies j, that is, assume 0 <= a <=m Consider the state t obtained by executing a transition from s If a < m then t(x) = a+1, else t(x) = a In either case, 0 <= t(x) <= m So t satisfies the property j, and the proof is complete CIS 540 Spring 2015; Lecture Feb 4
Proving Inductive Invariant Example (2) Consider transition system T given by State variables int x, y; x is initially 0, y is initially m Transition description given by “if (x < m) then {x:=x+1; y:=y-1}” Is the property j : (0 <= y <= m) an inductive invariant of T ? Base case: Consider initial state (x=0,y=m). Check that it satisfies j Inductive case: Consider an arbitrary state s with x=a and y=b Assume that s satisfies j, that is, assume 0 <= b <=m Consider the state t obtained by executing a transition from s If a < m then t(y) = b-1, else t(y) = b Can we conclude that 0 <= t(y) <= m ? No! The proof fails! In fact, j is not an inductive invariant of T! CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Why did the proof fail? Consider the state s with x=0 and y=0 State s satisfies j: (0<=y <=m) Executing a transition from s leads to state t with x=1 and y=-1 State t does not satisfy j ! The state s in above argument is not reachable! Cause of failure: The property j did not capture corelation between the variables x and y Solution: Inductive Strengthening! Consider property y: (0 <= y <= m) & (x+y = m) The property y implies property j While j is not inductive invariant, y is! It follows that all reachable states must satisfy j CIS 540 Spring 2015; Lecture Feb 4
Proving Inductive Invariant Example (3) Consider transition system T given by State variables int x, y; x is initially 0, y is initially m Transition description given by “if (x < m) then {x:=x+1; y:=y-1}” Property y : (0 <= y <= m) & (x+y = m) Base case: Consider initial state (x=0,y=m). Check that it satisfies y Inductive case: Consider an arbitrary state s with x=a and y=b Assume that s satisfies y, that is, assume 0 <= b <=m and a+b =m Consider the state t obtained by executing a transition from s If a < m then t(x) = a+1 and t(y) = b-1, else t(x)=a and t(y)=b But if a<m, since a+b=m holds, b >0, and thus b-1 >=0 In either case, the condition (0<= t(y) <=m & t(x)+t(y)=m) holds! Conclusion: Property y is an inductive invariant! CIS 540 Spring 2015; Lecture Feb 4
Proof Rule for Proving Invariants To establish that a property j is an invariant of transition system T Find another property y such that y implies j (that is, a state satisfying y must satisfy j) y is an inductive invariant Show that every initial state satisfies y Assume that a state s satisfies y. Consider a state t such that (s,t) is a transition. Show that t must satisfy y This is a sound and complete strategy for establishing invariants Sound means this is a correct proof technique Complete: If j is an invariant, then there must exist some inductive strengthening y satisfying above conditions CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Inductive Invariants Initial States Property j Reachable States Strengthening y CIS 540 Spring 2015; Lecture Feb 4
CIS 540 Spring 2015; Lecture Feb 4 Correctness of GCD (x>0 & y>0) if (x>y) then x:=x-y else y:=y-x nat x:=m; y:=n loop stop ~ (x>0 & y>0) if (x=0) then x:=y Property j : gcd(x,y) = gcd (m,n) Verify that this property is indeed an inductive invariant! Captures the core logic of the program: Even though x and y are updated at every step, their gcd stays unchanged When switching to “stop”, if x is 0, then gcd(0,y) is y; if y=0, then gcd(x,0)=x, and thus x=gcd(m,n) upon switching to stop Note that (mode=stop -> y=gcd(m,n)) is invariant, but not inductive CIS 540 Spring 2015; Lecture Feb 4
Muddy Childrens Puzzle There are some kids playing in a muddy pond. Their teacher walks by and says “some of you have mud on your forehead”. Each kid can look around and see which of other kids have muddy foreheads, but cannot see his/her own forehead. The teacher says “raise your hand if you know that you have muddy forehead”. Nobody raises their hands. The teacher repeats the same question, and it continues like that. If k kids have muddy foreheads, then after the teacher has asked the question k times, exactly those kids with muddy foreheads raise their hands. CIS 540 Spring 2015; Lecture Feb 4
Muddy Childrens Reasoning Claim: For all n, if exactly n kids have muddy foreheads, then (1) for first n-1 rounds nobody raises their hands and (2) after n rounds, exactly those kids with muddy foreheads raise their hands. Proof by induction. Base case: Show the claim for n=1 Inductive hypothesis: Assume the claim for n=k Inductive case: Show the claim for n=k+1 Note: We want to prove (2), but it cannot be proved on its own. Proving (1) and (2) together is akin to inductive strengthening CIS 540 Spring 2015; Lecture Feb 4