1. Software Verification 2 Automated Verification
Prof. Dr. Holger Schlingloff
Institut für Informatik der Humboldt Universität
and
Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik

2. Postscript F*G*p cannot be expressed as G*F*φ
¬ (F*G*p  G*F*p) is obvious
Show: there is no pure-past LTL-formula φ such that (F*G*p  G*F*φ)
Assume the contrary: there is a pure-past LTL-formula φ such that (F*G*p  G*F*φ)
Consider the model M0 = p = ppp... Then M0 ⊨ F*G*p, hence by ass. M0 ⊨ G*F*φ hence (M0,0) ⊨ F*φ and there is a point i0 such that (M0, i0) ⊨ φ
Consider the model M1 = (pi0) (¬p) (p). Since φ is pure past, (M1, i0) ⊨ φ Furthermore, M1 ⊨ F*G*p, hence by ass. M1 ⊨ G*F*φ, hence (M1, i0+2) ⊨ F*φ and there is a point i1 > i0+1 such that (M1, i1) ⊨ φ
Consider the model M2 where p is false only at (i0+1) and (i1+1). Again (M2, i0) ⊨ φ and (M2, i1) ⊨ φ . Furthermore, M2 ⊨ F*G*p and M2 ⊨ G*F*φ, hence (M2, i1+2) ⊨ F*φ and there is i2>i1+1 such that (M2, i2) ⊨ φ
and so on.
Let M be the model defined by (M, k) ⊨ p iff for all i, (Mi, k) ⊨ p (thanks, Jochen!)
In M , p is false infinitely often and φ is true infinitely often. Hence, M ⊭ F*G*p and M ⊨ G*F*φ, which is a contradiction

3. Safety and Liveness Properties
Proof of decomposition theorem:
φs={w0w1... | for every i, w0w1... wi is a prefix of φ}
φl= φ{w0w1... | for some i, w0w1... wi is not a prefix of φ}
show: φs is safety, φl is liveness, φ = φs  φl

4. Examples (p U+ q) = ((p W+ q)  F+ q) G*(p  F*q) = (G*p  G*F*q)
G*p  G*q = G*(H*p  H*q) (holds only initially, in the beginning!)
Total program correctness = invariance  termination
other direction does not hold

5. Example: Peterson’s Mutual Exclusion
{t=0; x=0; y=0; {0: while(true){NC1: skip; 1: x=1; 2: t=1; 3: await(t==0  y==0); C1: skip; 4: x=0;} || {0: while(true){NC2: skip; 1: y=1; 2: t=0; 3: await(t==1  x==0); C2: skip; 4: y=0;} } We want to show: G*(¬ C1  ¬ C2)  true G*(3  F* C1)  false!! (G*F*  G*F*)  G*(3  F* C1)

6. Language inclusion “Safety property” is a semantic notion
The language of any (finitary) LTS is a safety property
show that if any finite prefix of an infinite model can be extended to an accepted model, then the whole model is accepted
If a safety property is given as an LTS, model checking can be done by “parallel execution”
Example

7. Verification = language containment?
An implementation I satisfies a specification S if L(I)  L(S)
“the automata-theoretic approach to model-checking”
But not always adequate:

8. Simulation relation
Simulation relation between models

9. Preserving CTL properties
Converse does not hold:
image finiteness needed!

10. Simulation Checking
If both models are deterministic, use automata inclusion
Otherwise, define a sequence of relations
the intersection is the largest possible simulation relation
partition refinement algorithm (greatest fixed point)

12. Examples