Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Verification: Modeling

Published byWilfrid Dorsey Modified over 6 years ago

Similar presentations

Presentation on theme: "Formal Verification: Modeling"— Presentation transcript:

1 Formal Verification: Modeling
NETW 90X Protocol Engineering Formal Verification: Modeling Dr. Eng. Amr T. Abdel-Hamid Lectures are based on slides by: K. Havelund & Agroce, Reliable Software: Testing and Monitoring, CMU. E. Clarke, Formal Methods, to be updated by course name S. Tahar, E. Cerny and X. Song, “ Formal Verification of Systems”. Winter 2008

2 Testing “for” Coverage
Never seek to improve coverage just for the sake of increasing coverage Coverage is not the goal Finding failures that expose faults is the goal No amount of coverage will prove that the program cannot fail “Program testing can be used to show the presence of bugs, but never to show their absence!” – E. Dijkstra, Notes On Structured Programming

3 Testing (Simulation) Drawbacks
Bottom line: Not feasible to simulate all input sequences to completely verify a design. Example 1: Suppose you want to test a 64-bit floating-point division routine. There are 2128 combinations. At 1 test/ms, it will take 1025 years Example 2: How long does it take to exhaustively simulate a 256 bit RAM? 2256=1080 combinations of initial states and inputs Assume Use all the matter in our galaxy (1017kg) to build computers Each computer is of the size of single electron ( kg) Each computer simulates 1012 per second 1010 years will reach 0.05% of test cases!

4 Formal Verification: Alternative to Testing
Formal Verification is the process of constructing a proof that a target system will behave in accordance with its specification. Use of mathematical reasoning to prove that an implementation satisfies a specification Like a mathematical proof: correctness of a formally verified hardware design holds regardless of input values. Consideration of all cases is implicit in formal verification. Must establish: A formal specification (properties or high-level behavior). A formal description of the implementation (design at higher level of abstraction —model (observationally) equivalent to implementation or implied by implementation).

5 Formal Verification Complete with respect to a given property (!)
Correctness guaranteed mathematically, regardless the input values No need to generate expected output sequences Can generate an error trace if a property fails: better understand, confirm by simulation Formal verification useful to detect and locate errors in designs Consideration of all cases is implicit in formal verification

6 Testing and FV (Example)
Prove that: Simulation:

7 Formal Verification

8 Testing and FV Simulation: complete (real) model, partial verification
Verification: partial (abstract) model, complete verification Simulation still needed to tune specifications; for large complete designs Verification can generate counter-examples (error traces); possibly false negatives! Techniques are complementary — formal verification gives additional confidence, e.g., Apply formal verification of abstract model Obtain error trace if bug found (may be false negative!) Simulate error trace on the real model Common difficulty in all verification methods: lack of “golden” reference what properties to verify .....? “Simulation and formal verification have to play together.” [IEEE Spectrum, January 1996]

9 System Modeling

10 Formal Logic What Does “Formal” mean?
Webster’s dictionary gives the following as one of the definitions of “formal”: “related to, concerned with, or constituting the outward form of something as distinguished from its content” A method is formal if its rules for manipulation are based on form (syntax) and not on content (semantics) Majority of existing formal techniques are based on some flavor of formal (symbolic) logic: Propositional logic, Predicate logic, other logics. Formal logic Every logic comprises a formal language for making statements about objects and reasoning about properties of these objects. Statements in a logic language are constructed according to a predefined set of formation rules (depending on the language) called syntax rules. A logic language can be used in different ways.

11 Formal Logic Propositional logic: traditional Boolean algebra, variables {0,1} First-order logic (Predicate logic): quantifies for all () and there exists () over variables Higher-order logic: adds reasoning about (quantifying over) sets and functions (predicates) Modal/temporal logics: reason about what must or may happen

12 Formal Logic: Proof Theory
A formal logic system consists of: a notation (syntax) a set of axioms (facts) a set of inference (deduction) rules A formal proof is a sequence of statements where every statement follows from a preceding one by a rule of inference Purely syntactic (mechanical) activity; not concerned with the meaning of statements, but with the arrangement of these statements, and whether proofs can be constructed

13 Model Theory The second use of a logic language is for expressing statements that receive a meaning when given an interpretation The language of logic is used here to formalize properties of structures, to determine when a statement is true on a structure This use of a logic language is called model theory Forces a precise and rigorous definition of the concept of truth on a structure

14 Formal Logic Logic = Syntax + Semantics
Syntax and semantics of logic are not independent A logic language has a syntax, and the meaning of statements by an interpretation on a structure The interaction between model theory and proof theory makes logic an interesting and effective tool

15 Proof System Given a logic (syntax and semantics), there can be one or more proof systems, e.g. HOL and PVS are two proof systems based on higher-order logic. Issues of proof systems Consistency (Soundness): all provable formulas (theorems) are logically (semantically) true Completeness: all valid formulas (semantically true) are provable (theorems) Decidability: there is an algorithm for deciding the (semantical) truth of any formula )theorems) A proof system is acceptable only if it is consistent (may not be complete nor decidable)

16 Propositional Logic An atomic proposition is a statement or assertion that must be true or false. Examples of atomic propositions are: “5 is a prime” and “program P Terminates” Example: The truth value of a propositional formula can be calculated from the truth values of the atomic propositions it contains.

17 Well-formed propositional formulas
The well-formed formulas of propositional logic are obtained by using the construction rules below:

18 Truth tables for basic logical connectives
A truth table shows whether a propositional formula is true or false for each possible truth assignment. If we know how the five basic logical connectives work, it is easy (in principle) to construct a truth table. Notice that X  Y is only false if X is true and Y is false. Not a mistake

19 Truth Tables Construct the Truth table of:

20 Implications A  B A is a hypotheses, then B is a conclusion/result.

21 Equivalences Two formulae A, and b are said to be Equivalent iff
A[] = B[] Some Useful Equivalences that can be used to simplify complex formulas:

22 Valid and Invalid Arguments
Which of the following arguments are valid? If I am wealthy, then I am happy. I am happy. Therefore, I am wealthy. If John drinks beer, he is at least 18 years old. John does not drink beer. Therefore, John is not yet 18 years old. If I study, then I will not fail basket weaving 101. If I do not play cards to often, then I will study. I failed basket weaving 101. Therefore, I played cards too often.

23

24 Temporal Logic Temporal logic is a type of modal logic that was originally developed by philosophers to study different modes of “truth” Temporal logic provides a formal system for qualitatively describing and reasoning about how the truth values of assertions change over time It is appropriate for describing the time-varying behavior of systems (or programs) Classification of Temporal Logics The underlying nature of time: Linear: at any time there is only one possible future moment, linear behavioral trace Branching: at any time, there are different possible futures, tree-like trace structure Other considerations: Propositional vs. first-order Point vs. intervals Discrete time vs. continuous time Past vs. future

25 Linear Temporal Logic Time lines
Underlying structure of time is a totally ordered set (S<), isomorphic to (N<): Discrete, an initial moment without predecessors, infinite into the future. Let AP be set of atomic propositions, a linear time structure M=(S, x, L) S: a set of states x: N→S an infinite sequence of states, (x=s0,s1,...) L: S→2AP labeling each state with the set of atomic propositions in AP true at the state.

26 Linear Temporal Logic Example:

27 LTL Formulas Classical propositional logic + temporal operators
Fp (“eventually p”, “sometime p”) Gp (“always p”, “henceforth p”) Xp (“next time p”) pUq (“p until q”)

28 LTL Formulas Semantics of a formula p of PLTL with respect to a linear-time structure M=(S, x, L) (M, x) p means that “in structure M, formula p is true of timeline x.” xi : suffix of x starting at si, xi = si, si+1, ... Duality between linear temporal operators PLTL formula p is satisfiable iff there exists M=(S, x, L) such that (M, x) p

29 LTL Formulas Example: A simple interface protocol,
pulses one clock period wide Safety property — nothing bad will ever happen: Liveness property — something good will eventually happen: Also named as Fairness constraint:

30 Branching Time Temporal Logic (BTTL)
Structure of time: an infinite tree, each instant may have many successor instants Along each path in the tree, the corresponding timeline is isomorphic to N State quantifiers: Xp, Fp, Gp, pUq (like in linear temporal logic) Path quantifiers: for All paths (A) and there Exists a path (E) from a given state A = ∀ E = ∃ In linear time logic, temporal operators are provided for describing events along a single future, however, when a linear formula is used for specification, there is usually an implicit universal quantification over all possible futures (linear traces) In contrast, in branching time logic the operators usually reflect the branching nature of time by allowing explicit quantification over possible futures in any state

31 CTL A: for every path E: there exists a path
Formulas are constructed from path quantifiers and temporal operators: Path quantifier: A: for every path E: there exists a path Temporal Operator: F: holds sometime in the future X: holds next time G: holds globally in the future p U q: p holds until q hold i.e. AF, AG, AX, A( U ), EF, EG, EX, E( U )

32 CTL

33 EXAMPLE Which of the following hold ?
AG p, EF¬q, AX p, AG ¬q, EG ¬q, AX(p Ú q)

34 CTL: Computation Tree Logic

35 CTL Example Structure M <S,R,L>: S = {1,2,3,4,5}, AP = {a,b,c},
A Kripke structure: triple M = <S, R, L> S: set of states R ⊆ S × S: transition relation L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}

36 Example: Specification in CTL:
Two input Muller C-element (assuming finite discrete delays): Specification in CTL: Liveness: If inputs remain equal, then eventually the output will change to this value. AG( A( ( a=0 ∧ b=0 ) U ( out=0 ∨ a=1 ∨ b=1 ) ) ) AG( A( ( a=1 ∧ b=1 ) U ( out=1 ∨ a=0 ∨ b=0 ) ) ) Safety: If all inputs and the output have the same value then the output should not change until all inputs change their values. AG( ( a=0 ∧ b=0 ∧ out=0 ) ⇒ A( out=0 U (a=1 ∧ b=1 ) ) ) AG( ( a=1 ∧ b=1 ∧ out=1 ) ⇒ A( out=1 U (a=0 ∧ b=0 ) ) )

37 Model Checking Problem
Given an FSM M (equivalent Kripke structure) and a temporal logic formula p, does M define a model of p? Determine the truth of a formula with respect to a given (initial) state in M Find all states s of M such that (M, s)  p For any propositional temporal logic, the model checking problem is decidable: exhaustive search of all paths through the finite input structure

38 Model Checking Problem

39 Theoretical Background
Theorem [Wolper, 1986]: The model checking for CTL is in deterministic polynomial time Theorem [Sistla & Clark, 1985]: The model checking problem for PLTL is PSPACE complete Theorem [Emerson & Lei, 1987]: Given any model-checking algorithm for a linear logic LTL, there is a model checking algorithm for the corresponding branching logic BTL, whose basic modalities are defined by the LTL, of the same order of complexity • Theorem [Clark, Emerson & Sistla, 1986]: The model checking problem for CTL* is PSPACE-complete

40 PSPACE-complete

41 Fixpoints Algorithm Model Checking Algorithms
Original algorithm described in terms of labeling the CTL structure (Clark83) Required explicit representation of the whole state space Better algorithm based on fixed point calculations Algorithm amenable to symbolic formulation Symbolic evaluation allows implicit enumeration of states Significant improvement in maximum size of systems that can be verified

42 Symbolic model checking
Symbolic model checking approach Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators Model checking without building complete state graph CTL model checking problem can be solved in O(|f|  (|S|+|R|)) Note that the complexity is linear in the size of the formula and the transition system Recall that the size of the transition system is exponential in the number of variables (this is called the state space explosion problem)

43 CTL Model Checking Algorithm
Translate the formula to a formula which uses the basis EX p, EG p, E(p U q) Start from the innermost subformulas Label the states in the transition system with the subformulas that hold in that state Initially states are labeled with atomic properties Each (temporal or boolean) operator has to be processed once Processing of each operator takes O(|S|+|R|)

44 CTL Model Checking Algorithm
Boolean operators are easy p : Each state which is not labeled with p should be labeled with p p  q : Each state which is labeled with both p and q should be labeled with p  q p  q : Each state which is labeled with p or q should be labeled with p  q

45 CTL Model Checking Algorithm: EX p
EX p is easy to do in O(|S|+|R|) All the nodes which have a next state labeled with p should be labeled with EX p p p s1 s2 s3 s4 p, EX p p, EX p s1 s2 s3 s4 EX p

46 CTL Model Checking Algorithm: E(pUq)
E(pUq): Find the states which are the source of a path where p U q holds Find the nodes that reach a node that is labeled with q by a path where each node is labeled with p Label such nodes with E(pUq) It is a reachability problem which can be solved in O(|S|+|R|) First label the nodes which satisfy q with E(pUq) For each node labeled with E(pUq), label all its previous states that are labeled with p with E(p U q)

47 CTL Model Checking Algorithm: E(pUq)
s1 s2 s3 s4 q p, E(pUq) p, E(pUq) s1 s2 s3 s4 q, E(pUq)

48 CTL Model Checking Algorithm: EG p
EG p: Find infinite paths where each node on the path is labeled with p, and label nodes in such paths with EG p First remove all the states which do not satisfy p from the transition graph Compute the strongly connected components of the remaining graph, and then find the nodes which can reach the strongly connected components (both of which can be done in O(|S|+|R|) Label the nodes in the strongly connected components and the nodes that can reach the strongly connected components with EG p

49 CTL Model Checking Algorithm: EG p
s1 s2 s3 s4 p A strongly connected component p p s2 s3 s4 p p, EG p p, EG p s1 s2 s3 s4 p, EG p

50 Verification vs. Falsification
Show: initial states  truth set of p Falsification: Find: a state  initial states  truth set of p Generate a counter-example starting from that state CTL model checking algorithm can also generate a counter-example path if the property is not satisfied without increasing the complexity The ability to find counter-examples is one of the biggest strengths of the model checkers

51 Temporal Properties  Fixpoints [Emerson and Clarke 80]
Here are some interesting CTL equivalences: AG p = p  AX AG p EG p = p  EX EG p AF p = p  AX AF p EF p = p  EX EF p A(p U q) = q  (p  AX A(p U q)) p EU q = q  (p  EX E(p U q)) Note that we wrote the CTL temporal operators in terms of themselves and EX and AX operators

52 Functionals Given a transition system M=(S, L, R), we will define functions (Properties) from sets of states to sets of states F : 2S  2S For example, one such function is the EX operator (which computes the precondition of a set of states) EX : 2S  2S which can be defined as: EX(p) = { s | (s,s’)  R and s’  p } Image calculation

53 CTL Example Structure M <S,R,L>: S = {1,2,3,4,5}, AP = {a,b,c},
A Kripke structure: triple M = <S, R, L> S: set of states R ⊆ S × S: transition relation L: S → 2AP : (Truth valuation) set of atomic propositions true in each state S = {1,2,3,4,5}, AP = {a,b,c}, R = {(1,2), (2,3), (5,3), (5,5), (5,1), (2,4), (4,2), (1,4), (3,4)} L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c}

54 Fixpoint Characterizations
Fixpoint Characterization Equivalences AG p =  y . p  AX y AG p = p  AX AG p EG p =  y . p  EX y EG p = p  EX EG p AF p =  y . p  AX y AF p = p  AX AF p EF p =  y . p  EX y EF p = p  EX EF p A(p U q) =  y . q  (p  AX (y)) p AU q=q  (p  AX (p AU q)) E(pUq) =  y . q  (p  EX (y)) p EU q = q  (p  EX (p EU q))

55 Functionals Logic Set p  q p  q p  q p  q p S – p False  True S
Now, we can think of all temporal operators also as functions from sets of states to sets of states For example: AX p = EX(p) or if we use the set notation AX p = (S - EX(S - p)) Logic Set p  q p  q p  q p  q p S – p False  True S

56 Lattice The set of states of the transition system forms a lattice:
lattice 2S partial order  bottom element  top element S Least upper bound (lub)  Greatest lower bound (glb) 

57 Lattice (lub): y∈ P is a least upper bound of S in P means y is an upper bound of S and ∀z ∈ P which is an upper bound of S, y ≤ z (glb) y∈ P is a greatest lower bound of S in P means y is a lower bound of S and ∀z ∈ P which is a lower bound of S, z ≤ y

58 Temporal Properties  Fixpoints
Based on the equivalence EF p = p  EX EF p EF p is a fixpoint of function (F): where F => F y = p  EX y F (EF p) = EF p In fact, EF p is the least fixpoint of F, which is written as: EF p =  y . p  EX y ( means least fixpoint)

59 EF Fixpoint Computation
EF(p)  states that can reach p  p  EX(p)  EX(EX(p))  ... p • • • EF(p)

60 Temporal Properties  Fixpoints
Based on the equivalence EG p = p  AX EG p EG p is a fixpoint of function (F): where F => F y = p  EX y F (EG p) = EG p In fact, EG p is the greatest fixpoint of F, which is written as: EG p =  y . p  EX y ( means greatest fixpoint)

61 EG Fixpoint Computation
EG(p)  states that can avoid reaching p  p  EX(p)  EX(EX(p))  ... • • • EG(p)

62 Least Fixpoint Given a monotonic function F, its least fixpoint is the greatest lower bound (glb) of all the reductive elements :  y . F y =  { y | F y  y } The least fixpoint  y . F y is the limit of the following sequence (assuming F is -continuous): , F , F2 , F3 , ... If S is finite, then we can compute the least fixpoint using the above sequence

63 EF Fixpoint Computation
EF p =  y . p  EX y is the limit of the sequence: , pEX , pEX(pEX ) , pEX(pEX(p EX )) , ... which is equivalent to , p, p  EX p , p  EX (p  EX (p) ) , ...

64 EF Fixpoint Computation
s1 s2 s3 s4 p Start 1st iteration pEX  = {s1,s4}  EX()= {s1,s4}   ={s1,s4} 2nd iteration pEX(pEX ) = {s1,s4}  EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4} 3rd iteration pEX(pEX(p EX )) = {s1,s4}  EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4} 4th iteration pEX(pEX(pEX(p EX ))) = {s1,s4}  EX({s1,s2,s3,s4})= {s1,s4}  {s1,s2,s3,s4} = {s1,s2,s3,s4}

65 EF Fixpoint Computation
EF(p)  states that can reach p  p  EX(p)  EX(EX(p))  ... p • • • EF(p)

66 Greatest Fixpoint Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements:  y. F y =  { y | F y  y } The greatest fixpoint  y . F y is the limit of the following sequence (assuming F is -continuous): S, F S, F2 S, F3 S, ... If S is finite, then we can compute the greatest fixpoint using the above sequence

67 EG Fixpoint Computation
Similarly, EG p =  y . p  EX y is the limit of the sequence: S, pEX S, pEX(p  EX S) , pEX(p  EX (p  EX S)) , ... which is equivalent to S, p, p  EX p , p  EX (p  EX (p) ) , ...

68 EG Fixpoint Computation
s1 s2 s3 s4 p Start S = {s1,s2,s3,s4} 1st iteration pEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4} 2nd iteration pEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4} 3rd iteration pEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}

69 EG Fixpoint Computation
EG(p)  states that can avoid reaching p  p  EX(p)  EX(EX(p))  ... • • • EG(p)

70 Example Structure M <S,R,L>: S = {1,2,3,4,5}, AP = {a,b,c},
L(1) = {b}, L(2) = {a}, L(3) = {a,b,c}, L(4) = {b,c}, L(5) = {c} Check if AG(a ∨ c) holds

71 Example (cont.) Remember that: AG p =  y . p  AX y AX p = EX(p)
H(a∨c) = H(a) ∪ H(c) ={2,3} ∪ {3,4,5} = {2,3,4,5} I0  S = {1,2,3,4,5} I1  {2,3,4,5} ∩ S = {2,3,4,5} ∩ {1,2,3,4,5} = {2,3,4,5} I2  {2,3,4,5} ∩ AX(2,3,4,5) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3  {2,3,4,5} ∩ AX(2,3,4) = {2,3,4,5} ∩ {1,2,3,4} = {2,3,4} I3 = I2  H(AG(a∨c)) = {2,3,4} To verify that f holds in state s, check if s∈H(f)

72 Example For the FSM below, formally check the following properties, using Fixpoint Theorm: AG(a ∨c ∨b) AF(ab) If failed show the subset of the design the property holds for as well as the counter example 1 2 3 4 5 6 a,b c b,c a d S = {1,2,3,4,5,6}, AP = {a,b,c,d}, R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)} L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d}

73 Example (cont.) Remember that:
H(a ∪ b) = H(a) ∪ H(b) ∪ H(c) ={1,4} ∪ {2,3,5} ∪ {1,3} = {1,2,3,4,5} AG(a ∨c ∨b) = AG p =  y . p  AX y =  y . p  AX y AX p = EX(p) I0  S = {1,2,3,4,5,6} I1  {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} I2  {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5} This is because that : AX(1,2,3,4,5) =  EX((1,2,3,4,5)) =  EX(6) =  (2) = S- {2 } = {1,3,4,5,6} I3  {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} This is because that : AX(1,3,4,5) =  EX((1,3,4,5)) =  EX(2,6) =  (2,6) = S- {2 ,6} = {1,3,4,5} I3 = I2  H(AG(a∨b ∨ c)) = {1,3,4,5} The property does not hold, except for the above states, and it is clear that states {2,6} can be considered as counter examples. state 6 does not contain neither a,c,b and state 2 does not have a proceeding one on one of its pathes path (2,6)

74 Example (AF(ab)) Remember that:
H(a  b) = H(a)  H(b) ={1,4}  {1,3}= {1} AF(a  b) = AG p =  y . p  AX y =  y . p  AX y AX p = EX(p) I0   I1  {1} ∩ AX() = {1} ∩  =  This is because that : AX() =  EX(()) =  EX(1,2,3,4,5,6) = The property does not hold for any state.

75 Model Checking Tools (non-commercial)
SMV (Symbolic Model Verifier) A tool for checking finite state systems against specifications in the temporal logic CTL. Developed at Carnegie Mellon University by E. Clarke, K. McMillan et. al. Supports a simple input language: SMV For more information: Cadence SMV Updated version of SMV by K. McMillan at Berkeley Cadence Labs Input languages: extended SMV and synchronous Verilog Supports temporal logics CTL and LTL, finite automata, embedded assertions, and refinement specifications. Features compositional reasoning, link with a simple theorem prover, an easy-to-use graphical user interface and source level debugging capabilities For more information:

76 Model Checking Tools (commercial)
FormalCheck Supports the synthesizable subsets of Verilog and VHDL hardware design languages. User supplies FormalCheck with a set of queries (properties and constraints) Each property is defined using semantics of the class of omega automata. Tool provides powerful model reduction options. For more information:

77 Model Checking Automatic verification (or falsification) of finite state systems Explicit State Representation ⇒ State Explosion Problem (about 108 states maximum) Breakthrough: Implicit State Representation using ROBDD (about 1020 states). Use Boolean characteristic functions represented by ROBDDs to encode sets of states and transition relations.

78 We are not alone Theorem proving Model checking Testing

79 Hybrid Verification Model Theorem Checking Proving
Formal Verification using Theorem Proving + Model Checking Theorem Proving Model Checking

80 Scientists Quotes “Teaching to unsuspecting youngsters the effective use of formal methods is one of the joys of life because it is so extremely rewarding” “A formula is worth a thousand pictures”  Edsger Wybe Dijkstra (1930–2002)

Download ppt "Formal Verification: Modeling"

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Symbolic Model Checking Revision Slides Dr. Eng. Amr T. Abdel-Hamid NETW 703 Winter 2012 Network Protocols Slides based on slides of: Jim Kurose, Keith.

Symbolic Model Checking Revision Slides Dr. Eng. Amr T. Abdel-Hamid NETW 703 Winter 2012 Network Protocols Slides based on slides of: Jim Kurose, Keith.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Timed Automata.

Timed Automata.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

Similar presentations

Ads by Google