VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
A Survey of Runtime Verification Jonathan Amir 2004.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.
A university for the world real R © 2009, Chapter 6 Declarative Workflow Maja Pesic Helen Schonenberg Wil van der Aalst.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
1 Carnegie Mellon UniversitySPINFlavio Lerda SPIN An explicit state model checker.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Review of the automata-theoretic approach to model-checking.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Automata and Formal Lanugages Büchi Automata and Model Checking Ralf Möller based on slides by Chang-Beom Choi Provable Software Lab, KAIST.
System Design Research Laboratory Specification-based Testing with Linear Temporal Logic Li Tan Oleg Sokolsky Insup Lee University of Pennsylvania.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
The Model Checker SPIN Written by Gerard J. Holzmann Presented by Chris Jensen.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
1 Temporal Logic-Overview FM Temporal Logic u Classical logic: Good for describing static conditions u Temporal logic: Adds temporal operators Describe.
1 Carnegie Mellon UniversitySPINFlavio Lerda Bug Catching SPIN An explicit state model checker.
15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.
Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: LTL Model Checking Copyright , Matt Dwyer, John Hatcliff,
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Jasper Design Automation© PSL Property Specification Language Jasper Design Automation.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Properties as Processes : FORTE slide Properties as Processes: their Specification and Verification Joel Kelso and George Milne School of Computer.
1 Temporal logic. 2 Prop. logic: model and reason about static situations. Example: Are there truth values that can be assigned to x,y simultaneously.
Model Checking Lecture 1. Model checking, narrowly interpreted: Decision procedures for checking if a given Kripke structure is a model for a given formula.
Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.
From Natural Language to LTL: Difficulties Capturing Natural Language Specification in Formal Languages for Automatic Analysis Elsa L Gunter NJIT.
Today’s Agenda  Quiz 4  Temporal Logic Formal Methods in Software Engineering1.
Model Checking Lecture 1: Specification Tom Henzinger.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.
Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
CIS 842: Specification and Verification of Reactive Systems
SS 2017 Software Verification LTL monitoring
CSEP590 – Model Checking and Automated Verification
Formal Methods in software development
Formal Methods in software development
Finite-Trace Linear Temporal Logic: Coinductive Completeness
Linear Time Properties
Introduction to verification
Formal Methods in software development
Formal Methods in software development
BLAST: A Software Verification Tool for C programs
Presentation transcript:

VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran

Today l Fairness l Linear Temporal Logic (LTL) l Automata-theoretic verification u Design vs. implementation verification u Monitors u Languages, FSM equivalence, language containment u Using automata for model checking: The “tableau” method

Why fairness constraints? l Non-determinism is used to hide irrelevant detail. l May introduce behavior that is not part of actual system. Example: Client module l Non-det. model allows No Req, Req, Req, Have_Token, Have_Token... but actual client eventually gives up token. l Want to refine the non-det. description to model the client more closely. l Must remove traces that stay in Have_Token forever. No Req Req Have_Token Have_Token True True

Infinite Traces and Fairness Constraints l A trace is a sequence of states. l Infinite traces are useful for reasoning about eventualities and arbitration. Examples: l “If Have_Token then eventually No Req.”..., Have_Token, Have_Token, NoReq, NoReq, , Have_Token, Have_Token, Have_Token,... 8 l An environment model that randomly generates input patterns A, B, and C. “It is always the case that sometime in the future an A is generated. ” Similarly for B and C. A, B, C, A, B, C, A, B, C,... A, B, C, B, A, B, C, B, A,... both satisfy constraints. A, B, C, A, B, A, B, A, B,... does not.

Infinity Sets l Number of states is finite, so an infinite trace visits some states infinitely often. l These states are called the infinity set of a trace: 1. a, b, a, b, a, b,... {a, b} 2. a, b, a, c, c, c, c,... {c} 3. a, b, a, c, a, c, a, c... {a, c} l Fairness constraints are conditions on the infinity set. l F inf {a, b} : “Infinitely often {a,b}” means some state in {a, b} must be in the infinity set. Satisfied by 1 and 3, but not 2. b a d c

Fairness Constraints in VIS l VIS allows fairness constraints of the form F inf S 1 & F inf S 2 &... & F inf S n F inf S 1 & F inf S 2 &... & F inf S n l S i : A set of states represented by a CTL formula. l The fairness constraint is satisfied if some state in each S i is visited infinitely often. l Example: Let S 1 be given by !(client_state = Have_Token) S 1 = {NoReq, Req} S 1 = {NoReq, Req} l F inf S 1 means {NoReq, Req} is visited infinitely often, i.e., Have_Token does not remain asserted forever. l Usage: vis> read_fairness file.fair l Restricts attention to traces that satisfy the fairness constraints. l Like listing a set of false paths. No Req Req Have_Token Have_Token True True

Common Uses of Fairness Constraints l Modeling an unknown amount of wait: “ Don’t stay in ”a” forever. ” F inf !( state_var = a) l “It is always the case that sometime in the future an “a” is generated. ” Similarly for ”b”, ”c” and ”d”. F inf {a} & F inf {b} & F inf {c} & F inf {d} a b a d c

Bad Behaviors and Monitors l Want to see if a design can have bad behavior. l Example of undesired behavior: “Clients B and C are in the BUSY state at the same time.” Mutual exclusion is violated. l A monitor is a module that watches for bad behavior. Example: Mutual exclusion. assign error = (B.state == BUSY) && (C.state == BUSY) Good Good Bad!errorerror true

Why write monitors? l Some properties are hard or impossible to express in CTL. Example: Store -Load order. Let X be a memory location. “If load_req X follows store_req X, then the store must be serviced before the load.” l Undesired behavior: store_req X... load_req X... load_service X... l Note: In the initial state, we non-deterministically start checking for the bad sequence. Undesired behavior can be detected anywhere along the trace. s1 s1 Idle Idle s2 s2 else else Bad true true store_req X load_req X load_req X load_service X load_service X true true store_service X store_service X

Monitor Example Property: If A requests resource, and resource is free, A gets resource within 3 clock cycles unless another client requests resource in the meantime. Bad Behavior: For more than 3 clock cycles, A is in state REQ and ackA is false, A is in state REQ and ackA is false, B and C are in state NO REQ. B and C are in state NO REQ.Monitor: assign not_served = (A.state = REQ) && !(ackA) && assign not_served = (A.state = REQ) && !(ackA) && (B.state != REQ) && (C.state != REQ) (B.state != REQ) && (C.state != REQ) s3 s3 Bad true truenot_served Fairness Constraint: F inf (Bad) s1 s1 Idle Idle not_served not_served true true s2 s2 not_served not_served

Using monitors in VIS l Property holds iff l Procedure: u Write verilog code for the monitor, append to the system description. u Write CTL file specifying fairness constraints for system + monitor. Fairness constraints of monitor should allow bad behavior only. u Use the “lang_empty” command. u If there exists bad behavior, VIS will give a short error trace. the system + monitor combination has no fair traces.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.