Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program Synthesis is a Game

Published byAnastasia Harper Modified over 6 years ago

Similar presentations

Presentation on theme: "Program Synthesis is a Game"— Presentation transcript:

1 Program Synthesis is a Game
Presented by: Sumit Nain Slides Credit: Barbara Jobstmann (CNRS/Verimag)

2 Outline Synthesis using automata-based game theory Lecture 2 Lecture 1
High Level Overview Motivate Model Checking, program repair/synthesis by analyzing example code Connection to games Not covered today: formal syntax, details of algorithms Lecture 2 Deeper dive into Automata-based game theory Formal terminology Reachability/safety, Buchi, parity games Algorithms for solving games

3 Analyze, Verify, and Synthesize
Synthesis System Implementation Algorithm “How” Specification Properties Model “What” Verification Here is my picture of what the different techniques try to do Analysis Synthesis translates a high-level system description into an executable implementation Benefits: implementation and reward for writing specs (no double effort) Techniques vary depending on specification language and target implementation.

4 Reactive Systems Synthesis Verification Analysis Specifications
Systems (e.g., servers) Interact with environment Infinite duration (non-terminating) Finite data (or data abstractions) Control-oriented Specifications Set of good behaviors (a language) Temporal logic (which includes safety and liveness) Verification How “good” does a system satisfies its spec Analysis [Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems., 1992] [N. Halbwachs. Synchronous Programming of Reactive Systems. 1993]

5 Verification Model Checking: Synthesis:
Does system satisfy given specification Synthesis: Find a system that “satisfies” given specification

6 Example Specification
Real life example from a specification for a high performance on-chip bus with multiple masters and an arbiter (ARM’s AMBA AHB bus) Specification: “When a locked unspecified length burst starts, a new access does not start until the current master (i) releases the bus by lowering HBUSREQi.”

7

8 Example: Formal Specification using Linear Temporal Logic (LTL)
“When a locked unspecified length burst starts, a new access does not start until the current master (i) releases the bus by lowering HBUSREQi.” Formal specification: for all masters i: always((HMASTLOCK and HBURST=INCRand START and HMASTER=i) ➝ (not START until not HBUSREQi))‏ Time progresses with clock tick

9 Example: Software unsigned int got_lock = 0; ... while(*) { if (*) { lock(); got_lock++; } if (got_lock != 0) { unlock(); got_lock--; lock() {LOCK:=1;} unlock() {LOCK:=0;} Specifications P1: do not acquire a lock twice P2: do not call unlock without holding the lock reactive systems can also describe aspects of a concurrent software

10 Example: Software unsigned int got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); 4: got_lock++; } 5: if (got_lock != 0) { 6: unlock(); 7: got_lock--; lock() lock: {LOCK:=1;} unlock() unlock: {LOCK:=0;} Specifications P1: do not acquire a lock twice P2: do not call unlock without holding the lock P1: always( line=lock implies next( line!=lock wait-until line=unlock )) P2: ( line!=unlock wait-until line=lock )) and always( line=unlock implies next( line!=unlock wait-until line=lock )) Time progresses with change of line

11 How to verify a Reactive System?
Core algorithm for Model Checking linear-time temporal logic: Source code modeled as transition system M (an FSM) Specification modeled as FSM A that accepts violations of the spec. 3. Check if model has a violating trace product of trans. system M and monitor A check for existence of a trace in product (check emptiness of M x A )

12 Source Code unsigned int got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); 4: got_lock++; } 5: if (got_lock != 0) { 6: unlock(); 7: got_lock--; lock() lock: {LOCK:=1;} unlock() unlock: {LOCK:=0;}

13 Step 1: Transition System
Trans. system variables: line (l), got_lock (gl) int[0,1,2] got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock++; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock--; 8: l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2 l=3, gl=0 l=3, gl=2 l=lock,gl=0 l=lock,gl=2 l=4, gl=0 l=4, gl=2 l=5, gl=0 l=5, gl=1 l=5, gl=2 l=6, gl=1 l=6, gl=2 l=unlock,gl=1 l=unlock,gl=2 l=7, gl=0 l=7, gl=1 l=7, gl=2 l=8, gl=0 .... ....

14 Specification P1: always( line=lock implies
P1: do not acquire a lock twice P2: do not call unlock without holding the lock P1: always( line=lock implies next(line!=lock wait-until line=unlock)) P2: ( line!=unlock wait-until line=lock )) and always( line=unlock implies next( line!=unlock wait-until line=lock ))

15 Linear-Time Temporal Logic
[Pnueli77] Syntax: Atomic propositions, e.g., line=1, line!=1, got_lock=0 Boolean operators: not, and, or, implies,... Temporal operators: next (ϕ) ... ϕ holds in the next step ϕ1 until ϕ2 ... ϕ1 holds until at some point ϕ2 holds Used in industrial spec languages PSL/SVA Can express many interesting properties, e.g., mutual exclusion, deadlock freedom, termination

16 Linear-Time Temporal Logic
Semantics defined with respect to infinite traces in each step atomic propositions holds or not E.g., line=1, got_lock≤1 line=1 line=1 got_lock≤1 .....

17 Linear-Time Temporal Logic
Semantics next (ϕ) ... ϕ holds in the next step ϕ1 until ϕ ϕ1 holds until at some point ϕ2 holds System S satisfies/models ϕ, if all its behaviors satisfy ϕ ϕ ..... ϕ1 ϕ1 ϕ1 ϕ1 ϕ2 ..... .....

18 Linear-Time Temporal Logic
Many useful abbreviations true = p or not p false = not true eventually(ϕ) = true until ϕ always(ϕ) = not (eventually(not ϕ)) ϕ1 wait-until ϕ2 = (ϕ1 until ϕ2) or always(ϕ1)

19 How to verify a Reactive System?
Core algorithm for linear-time temporal logic: Source code ➝auto/manual transition system M Specification ➝auto/manual monitor violations A Check if model has a violating trace Compute product of M and A Check product for emptiness

20 Step 2: Monitor for Violations
P1: always( line=lock implies next( line!=lock wait-until line=unlock )) = not eventually( line=lock and next( line!=unlock until line=lock )) line!=unlock line=lock line=lock 1 2 3 s1: non-deterministic choice s2: no edge with line=unlock Automaton accepts trace/behavior is a blue state is visited infinitely often (Büchi )

21 Step 3: Product l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2
l=lock,gl=0 l=lock,gl=2 l=4, gl=0 l=4, gl=2 l=5, gl=0 l=5, gl=1 l=5, gl=2 l=6, gl=1 l=6, gl=2 l=unlock,gl=1 l=unlock,gl=2 l=7, gl=0 l=7, gl=1 l=7, gl=2 line!=unlock line=lock line=lock 1 2 3 l=8, gl=0 .... ....

22 Step 3: Product l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2
l=lock,gl=0 1 l=lock,gl=2 1 l=4, gl=0 l=4, gl=0 2 1 l=4, gl=2 1 l=5, gl=0 1 l=5, gl=1 l=5, gl=1 2 1 l=5, gl=2 1 l=6, gl=1 l=6, gl=1 2 1 l=6, gl=2 1 unlock,1 unlock,1 2 1 l=unlock,gl=2 1 l=7, gl=0 1 l=7, gl=1 1 l=7, gl=2 line!=unlock line=lock line=lock 1 2 3 1 l=8, gl=0 1 .... 1 ....

23 Recall, we want to show a violation:
Step 3: Product 1 l=1, gl=0 1 l=1, gl=1 1 l=1, gl=2 l=1, gl=2 2 1 l=2, gl=0 1 .... 1 l=2, gl=2 l=2, gl=2 2 1 l=3, gl=0 1 l=3, gl=2 l=3, gl=2 2 1 l=lock,gl=0 1 l=lock,gl=2 l=lock,gl=2 2 1 l=4, gl=0 l=4, gl=0 2 1 l=4, gl=2 l=4, gl=2 2 l=4, gl=2 3 1 l=5, gl=0 l=5, gl=0 2 1 l=5, gl=1 l=5, gl=1 2 1 l=5, gl=2 1 l=6, gl=1 l=6, gl=1 2 1 l=6, gl=2 1 unlock,1 unlock,1 2 1 l=unlock,gl=2 1 l=7, gl=0 l=7, gl=0 2 1 l=7, gl=1 1 l=7, gl=2 line!=unlock line=lock line=lock 1 2 3 1 l=8, gl=0 1 .... 1 .... Recall, we want to show a violation:

24 Step 3: Product 1 l=1, gl=0 1 l=1, gl=1 1 l=1, gl=2 l=1, gl=2 2 1 l=2, gl=0 1 .... 1 l=2, gl=2 l=2, gl=2 2 1 l=3, gl=0 1 l=3, gl=2 l=3, gl=2 2 1 l=lock,gl=0 1 l=lock,gl=2 l=lock,gl=2 2 1 l=4, gl=0 l=4, gl=0 2 1 l=4, gl=2 l=4, gl=2 2 l=4, gl=2 3 1 l=5, gl=0 l=5, gl=0 2 1 l=5, gl=1 l=5, gl=1 2 1 l=5, gl=2 1 l=6, gl=1 l=6, gl=1 2 1 l=6, gl=2 1 unlock,1 unlock,1 2 1 l=unlock,gl=2 1 l=7, gl=0 l=7, gl=0 2 1 l=7, gl=1 1 l=7, gl=2 line!=unlock line=lock line=lock 1 2 3 1 l=8, gl=0 1 .... 1 .... Recall, we want to show a violation: non-determinism in transition system and in monitor pull in the same direction (both can be used to violate property)

25 Source Code line = 1 line = 2 line = 5 line = 7 line = 3 line = lock
int[0,1,2] got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock++; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock--; 8:

26 How to verify a Reactive System?
Core algorithm for linear-time temporal logic: Source code ➝auto/manual transition system M Specification ➝auto/manual monitor violations A Check if model has a violating trace Compute product of M and A Check product for emptiness But how to repair it?

27 How to repair a Reactive System?
Add freedom (choice for the system, allowed ways to modify system) Source code ➝a/m transition system (game) Specification ➝a/m monitor acceptance Check if we can find system choices s.t. model is accepted by monitor product of trans. system and monitor search for winning strategy in game

28 Step 1: Freedom (We can also extend to fault localization)
int[0,1,2] got_lock = 0; int[0,1,2] freedom; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock:=freedom; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock:=freedom; 8: (We can also extend to fault localization)

29 Step 2: Game Trans. system variables: line (l), got_lock (gl)
int[0,1,2] got_lock = 0; int[0,1,2] freedom; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock:=freedom; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock:=freedom; 8: Trans. system variables: line (l), got_lock (gl) l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2 l=3, gl=0 l=3, gl=2 l=lock,gl=0 l=lock,gl=2 f=0 f=2 f=1 l=4, gl=0 l=4, gl=2 l=5, gl=0 l=5, gl=1 l=5, gl=2 l=6, gl=1 l=6, gl=2 l=unlock,gl=1 l=unlock,gl=2 l=7, gl=0 l=7, gl=1 l=7, gl=2 l=8, gl=0 .... ....

30 Step 2: Game Trans. system variables: line (l), got_lock (gl)
int[0,1,2] got_lock = 0; int[0,1,2] freedom; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock:=freedom; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock:=freedom; 8: Trans. system variables: line (l), got_lock (gl) l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2 l=3, gl=0 l=3, gl=2 l=lock,gl=0 l=lock,gl=2 f=0 f=2 f=1 l=4, gl=0 l=4, gl=2 l=5, gl=0 l=5, gl=1 l=5, gl=2 l=6, gl=1 l=6, gl=2 l=unlock,gl=1 l=unlock,gl=2 l=7, gl=0 l=7, gl=1 l=7, gl=2 l=8, gl=0 .... .... Two types of non-determinism!

31 Step 2: Game Trans. system variables: line (l), got_lock (gl)
int[0,1,2] got_lock = 0; int[0,1,2] freedom; ... 1: while(*) { 2: if (*) { 3: lock(); lock: {LOCK:=1;} 4: got_lock:=freedom; } 5: if (got_lock != 0) { 6: unlock(); unlock: {LOCK:=0;} 7: got_lock:=freedom; 8: Trans. system variables: line (l), got_lock (gl) l=1, gl=0 l=1, gl=1 l=1, gl=2 l=2, gl=0 .... l=2, gl=2 l=3, gl=0 l=lock, gl=0 l=3, gl=2 l=lock, gl=2 f=0 f=2 f=1 l=4, gl=0 l=4, gl=2 l=5, gl=0 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 l=5, gl=2 l=6, gl=2 l=unlock, gl=2 l=7, gl=0 l=7, gl=1 l=7, gl=2 l=8, gl=0 .... .... Two types of non-determinism!

32 Step 3: Monitor for Acceptance
P1: always( line=lock implies next( line!=lock wait-until line=unlock )) line!=lock & line!=unlock line!=lock line=lock line=unlock line=lock

33 Step 3: Product TS for got_lock in {0,1} Deterministic automaton
l=1, gl=0 l=1, gl=1 l=2, gl=0 l=1, gl=2 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 l!=lock & l!=unlock l!=lock l=lock l=4, gl=0 l=4, gl=0 1 2 3 1 1 l=5, gl=0 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 l=unlock l=lock 1 1 l=7, gl=0 l=7, gl=1 l=8, gl=0 ....

34 Step 3: Product l=1, gl=0 l=1, gl=1 l=1, gl=0 l=1, gl=1 l=2, gl=0
l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 2 l=3, gl=0 l=lock, gl=0 2 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 l=4, gl=.. 3 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=0 2 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=7, gl=0 2 l=7, gl=1 2 l=8, gl=0 1 l=8, gl=1 1 l=8, gl=0 2 l=8, gl=1 2 l!=lock & l!=unlock l!=lock l=lock 1 2 3 l=lock l=unlock

35 Step 4: Winning States l=1, gl=0 l=1, gl=1 l=1, gl=0 l=1, gl=1
2 l=1, gl=1 2 l=2, gl=0 1 l=2, gl=1 1 l=2, gl=0 2 l=2, gl=1 2 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 2 l=3, gl=0 l=lock, gl=0 2 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 l=4, gl=.. 3 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=0 2 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=7, gl=0 2 l=7, gl=1 2 l=8, gl=0 1 l=8, gl=1 1 l=8, gl=0 2 l=8, gl=1 2 l!=lock & l!=unlock l!=lock l=lock 1 2 3 l=lock l=unlock

36 Step 4: Winning States l=1, gl=0 l=1, gl=1 l=1, gl=0 l=1, gl=1
2 l=1, gl=1 2 l=2, gl=0 1 l=2, gl=1 1 l=2, gl=0 2 l=2, gl=1 2 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 2 l=3, gl=0 l=lock, gl=0 2 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 l=4, gl=.. 3 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=0 2 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=7, gl=0 2 l=7, gl=1 2 l=8, gl=0 1 l=8, gl=1 1 l=8, gl=0 2 l=8, gl=1 2 l!=lock & l!=unlock l!=lock l=lock 1 2 3 l=lock l=unlock

37 Step 4: Winning States l=1, gl=0 l=1, gl=1 l=1, gl=0 l=1, gl=1
2 l=1, gl=1 2 l=2, gl=0 1 l=2, gl=1 1 l=2, gl=0 2 l=2, gl=1 2 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 2 l=3, gl=0 l=lock, gl=0 2 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 l=4, gl=.. 3 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=0 2 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=7, gl=0 2 l=7, gl=1 2 l=8, gl=0 1 l=8, gl=1 1 l=8, gl=0 2 l=8, gl=1 2 l!=lock & l!=unlock l!=lock l=lock 1 2 3 l=lock l=unlock

38 Step 4: Winning States l=1, gl=0 l=1, gl=1 l=2, gl=0 l=2, gl=1
l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 1 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=8, gl=0 1 l=8, gl=1 1

39 Step 4: Winning Strategy
In general: strategy is function of program and monitor state l=1, gl=0 1 l=1, gl=1 1 l=2, gl=0 1 l=2, gl=1 1 Strategy to Repair: if (l=4 & gl=0 & s=1) freedom:=0 if (l=4 & gl=1 & s=1) freedom:=1 if (l=4 & gl=0 & s=0) freedom:=1 if (l=7 & gl=0 & s=1) freedom:=0 if (l=7 & gl=1 & s=1) freedom:=0 .. freedom := f(l,gl,s) if (line=4) freedom := (gl=1) | (s=2) if (line=7) freedom := 0 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 1 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 l=7, gl=0 1 l=7, gl=1 1 l=8, gl=0 1 l=8, gl=1 1 What we actually do: merge states before picking the strategy

40 Step 4: Winning Strategy
l=1, gl=0 l=2, gl=0 l=3, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 l=7, gl=1 l=8, gl=0 l=5, gl=0 l=7, gl=0 l=1, gl=1 l=2, gl=1 l=8, gl=1 l=4, gl=1 1 l=1, gl=0 1 l=1, gl=1 1 l=2, gl=0 1 l=2, gl=1 1 l=3, gl=0 l=lock, gl=0 1 l=3, gl=0 l=lock, gl=0 1 l=4, gl=0 1 l=4, gl=1 1 l=4, gl=0 2 l=4, gl=1 2 1 1 1 l=5, gl=0 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 1 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 2 1 l=7, gl=0 1 l=7, gl=1 1 l=8, gl=0 1 l=8, gl=1 1

41 Step 4: Winning Strategy
l=1, gl=0 l=1, gl=1 l=2, gl=0 l=2, gl=1 l=3, gl=0 l=lock, gl=0 l=3, gl=0 l=lock, gl=0 (line=4): freedom= 1 (line=7): freedom= 0 l=4, gl=0 l=4, gl=1 1 1 l=5, gl=0 l=5, gl=1 l=6, gl=1 l=unlock, gl=1 l=7, gl=0 l=7, gl=1 l=8, gl=0 l=8, gl=1

42 Repaired Program unsigned int got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); 4: got_lock = 1; } 5: if (got_lock != 0) { 6: unlock(); 7: got_lock = 0; lock() lock: {LOCK = 1;} unlock() unlock: {LOCK = 0;}

43 Original Program unsigned int got_lock = 0; ... 1: while(*) { 2: if (*) { 3: lock(); 4: got_lock++; } 5: if (got_lock != 0) { 6: unlock(); 7: got_lock--; lock() lock: {LOCK = 1;} unlock() unlock: {LOCK = 0;}

44 Program Repair Program Finite-state program Game TS:
program with freedom Solve game Monitor Monitor TS: Winning condition (Simple) Strategy Specification Correct Program with Bloem, Griesmayer, Staber in CAV 2005, CHARME (+ext to fault localization)

45 Synthesis from Temporal Logics
Game Solve game Monitor + interface definition Monitor TS: Winning condition (Simple) Strategy Specification Correct Program Church (1962), Büchi/Landweber (1969, games), Rabin (1972, trees), Pnueli/Rosner (1989, LTL)

46 Program Synthesis Program FSM + freedom Game TS Solve game
Monitor Monitor TS: Winning condition (Simple) Strategy Specification Correct Program Modern Controller Synthesis, see overview papers by Walukiewicz et al., Rutten & Girault, ...

47 Issues? Program FSM + freedom Game TS Solve game Monitor TS: Winning
How to abstract? Game Size? How to solve efficiently? FSM + freedom Game TS Solve game How to construct efficiently? How expressive?Size? How to pick a strategy? Monitor Monitor TS: Winning condition (Simple) Strategy Quantitative Program Synthesis Specification How to map back? Correct Program How to specify? Related research areas: PL, AV, Control Theory, Game and Automata Theory LTL

48 Next Lecture Basic of automata-based game theory terminology
reachability/safety, Buchi, parity games Algorithms for solving games

Download ppt "Program Synthesis is a Game"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.

Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.

Temporal Logic Model- checking with SPIN COMP6004 Stéphane Lo Presti Part 4: Specifications.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Modeling Software Systems Lecture 2 Book: Chapter 4.

Modeling Software Systems Lecture 2 Book: Chapter 4.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.

Specification Formalisms Book: Chapter 5. Properties of formalisms Formal. Unique interpretation. Intuitive. Simple to understand (visual). Succinct.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.

Similar presentations

Ads by Google