Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur

Published byLilian Simmons Modified over 8 years ago

Similar presentations

Presentation on theme: "CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur"— Presentation transcript:

1 CIS 540 Principles of Embedded Computation Spring 2016 http://www.seas.upenn.edu/~cis540/ Instructor: Rajeev Alur alur@cis.upenn.edu

2 LTL Recap  Syntax: Formulas built from  Base formulas: Boolean-valued expressions over typed variables  Logical connectives: AND, OR, NOT, IMPLIES …  Temporal Operators: Always, Eventually, Next, Until  LTL formula is evaluated w.r.t. a trace  (infinite seq of valuations)  Semantics defined by rules for the satisfaction relation  A system satisfies LTL spec  if every infinite execution satisfies   Derived operators  Repeatedly (Always Eventually); Persistently (Eventually Always)  Sample requirement: Every req is eventually granted Always [ req=1  Eventually ( grant=1) ] CIS 540 Spring 2016; Lecture March 16

3 Temporal Implications and Equivalences  Understanding subtle differences among different variants of LTL formulas can be tricky  Formula  is stronger than the formula  : whenever a trace satisfies , it is guaranteed to satisfy   Every trace satisfies the implication     Formula  is equivalent to the formula  : a trace satisfies  if and only if it satisfies   Two formulas express exactly the same requirement  Knowing some standard equivalences can be useful for simplifying formulas CIS 540 Spring 2016; Lecture March 16

4 Temporal Implications and Equivalences  Always  is stronger than   Repeatedly  is equivalent to ~ Persistently ~   Persistently  is stronger than Repeatedly   Always  is equivalent to [  & Next Always  ]  What’s the relationship between  Always Eventually   Next Always Eventually   Eventually Always Eventually  CIS 540 Spring 2016; Lecture March 16

5 Logical Connectives and Temporal Operators  Are these equivalent? Eventually (  |  ) and Eventually  | Eventually  [Proof in one direction]. Suppose a trace  satisfies Eventually (  |  )  There exists a position j such that ( , j) |=  |   Either ( , j) |=  or ( , j) |=   Suppose ( , j) |=  (the other case is similar)  Then  satisfies Eventually   Hence also satisfies Eventually  | Eventually  [Proof of converse]. Suppose trace  satisfies Eventually  | Eventually   Suppose it satisfies Eventually  (the other case is similar)  There exists a position j such that ( , j) |=   Then, it also is the case that ( , j) |=  |   It follows that  satisfies Eventually (  |  ) CIS 540 Spring 2016; Lecture March 16

6 Logical Connectives and Temporal Operators  Are these equivalent? Eventually (  &  ) and Eventually  & Eventually  [Proof in one direction]. The first is stronger than the second  Suppose a trace  satisfies Eventually (  &  )  There exists a position j such that ( , j) |=  &   It follows that both ( , j) |=  and ( , j) |=   Since ( , j) |=  it also satisfies Eventually   Similarly it also satisfies Eventually   It follows that the trace satisfies Eventually  & Eventually  [Disprove the converse]. But the two are not equivalent!  Consider trace 0,1,0,1,0,1,… over a boolean variable x  It satisfies Eventually(x=0) & Eventually(x=1)  But does not satisfy Eventually (x=0 & x=1) CIS 540 Spring 2016; Lecture March 16

7 Logical Connectives and Temporal Operators  Distributivity rules for logical connectives and temporal operators  Are these equivalent?  Always (  &  ) and Always  & Always   Always (  |  ) and Always  | Always    Repeatedly (  &  ) and Repeatedly  & Repeatedly    Repeatedly (  |  ) and Repeatedly  | Repeatedly  CIS 540 Spring 2016; Lecture March 16

8 Model Checking System Model LTL Requirement yes no/bug Model Checker  Performed using enumerative or symbolic search through the state- space of the program  Success story for transitioning academic research to industrial practice  2007 Turing Award to Ed Clarke, Alan Emerson, and Joseph Sifakis  Used to debug multicore protocols, pipelined processors, device driver code, distributed algorithms in Intel, Microsoft, IBM … CIS 540 Spring 2016; Lecture March 16

9 Buchi Automata  A safety monitor classifies finite executions into good and bad  Verification of safety requirements is done by analyzing reachable states of the system composed with the monitor  Bug: An execution that drives the monitor into an error state  How can a monitor (also called an automaton) classify “infinite” executions into good and bad?  Theoretical model of Buchi automata proposed by Richard Buchi (1960)  Model checking application (1990s) using Buchi automata  Automatically translate LTL formula  to a Buchi monitor M  Consider the composition of system C and monitor M  Reachable cycles in this composite correspond to counter-examples (if no such cycle is found, system satisfies spec)  Implemented in many model checkers including SPIN CIS 540 Spring 2016; Lecture March 16

10 Buchi Automaton: Example 1 a ~e e  Inputs: boolean variable e  Of two states a and b, a is initial and b is accepting  Given a trace  over e (i.e. infinite sequence of 0/1 values to e), there is a corresponding execution of M  The trace  is accepted if accepting state appears repeatedly  Language of M = Set of traces in which e is satisfied repeatedly  M accepts  iff  |= Repeatedly e ~e e b CIS 540 Spring 2016; Lecture March 16

11 Buchi Automaton: Example 2 a  Automaton is nondeterministic: as long as it is in state a, at each step it can either stay in state a, or switch to state b  On a given input trace, many possible executions  An execution is accepting if it visits accepting state repeatedly  M accepts an input trace if there exists some accepting execution on that input  M accepts  iff  |= Persistently e e b CIS 540 Spring 2016; Lecture March 16

12 Buchi Automaton: Example 3  Design a Buchi automaton such that M accepts  iff  |= Always [ e  Eventually f ]  Inputs: Boolean conditions e and f  In an accepting execution, every e must be followed by f b ~ e | f e & ~f f a ~ f CIS 540 Spring 2016; Lecture March 16

13 Buchi Automaton: Example 4 a e c b f Which traces does this accept? Express it in LTL M accepts  iff  |= Repeatedly e & Repeatedly f CIS 540 Spring 2016; Lecture March 16

14 Buchi Automaton M Definition  V: set of Boolean input variables  Finite set Q of states  Set Init of initial states  Set F of accepting states  Set of edges/transitions, where each edge is of the form q –Guard  q’ where Guard is a Boolean-valued condition over input vars V  Given an input trace  = v 1, v 2, v 3, … over V, an accepting run/execution of M over  is an infinite sequence of states q 0, q 1, q 2, … such that 1.State q 0 is initial 2.For each i, there exists an edge q i -Guard  q i+1 such that input v i satisfies Guard 3.There are infinitely many positions i such that state q i is in F  The automaton M accepts the input trace  if there exists an accepting run of M over  CIS 540 Spring 2016; Lecture March 16

15 Buchi Automata: More Examples e Eventually e ~ e e Eventually e CIS 540 Spring 2016; Lecture March 16

16 Buchi Automata Examples a e c b f Eventually [e & Next Eventually f] Eventually e | Eventually f a e c f b CIS 540 Spring 2016; Lecture March 16

Download ppt "CIS 540 Principles of Embedded Computation Spring 2016 Instructor: Rajeev Alur"

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.

Chair of Software Engineering Software Verification Stephan van Staden Lecture 10: Model Checking.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.

CSEP590 – Model Checking and Software Verification University of Washington Department of Computer Science and Engineering Summer 2003.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
Infinite Automata -automata is an automaton that accepts infinite strings A Buchi automaton is similar to a finite automaton: S is a finite set of states,

Infinite Automata -automata is an automaton that accepts infinite strings A Buchi automaton is similar to a finite automaton: S is a finite set of states,

Similar presentations

Ads by Google