CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur


1 CIS 540 Principles of Embedded Computation, Spring 2015
http://www.seas.upenn.edu/~cis540/
Instructor: Rajeev Alur, alur@cis.upenn.edu

2 Example Tableau Construction

φ = Eventually e & Next ~e
Sub(φ) = { e, ~e, N ~e, E e, N E e, E e & N ~e }   (N abbreviates Next, E abbreviates Eventually)

Tableau states:
q0 = { e, N ~e, N E e, E e, E e & N ~e }
q1 = { e, N E e, E e }
q2 = { e, N ~e, E e, E e & N ~e }
q3 = { e, E e }
q4 = { ~e, N ~e, N E e, E e, E e & N ~e }
q5 = { ~e, N E e, E e }
q6 = { ~e, N ~e }
q7 = { ~e }

Transitions from q0:  q0 -e-> q4,  q0 -e-> q5
Transitions from q1:  q1 -e-> q0,  q1 -e-> q1,  q1 -e-> q2,  q1 -e-> q3
Transitions from q6:  q6 -~e-> q6,  q6 -~e-> q7

Initial states = { q0, q2, q4 }
Accepting set F1 = { q0, q1, q2, q3, q6, q7 }

CIS 540 Spring 2015; Lecture March 25

3 Tableau Construction: Acceptance

- For a subformula "Eventually ψ": whenever "Eventually ψ" appears in a state, either ψ or "Next Eventually ψ" (or both) is included.
- If a state includes "Eventually ψ" but not ψ, each successor state is guaranteed to include "Eventually ψ", but we need to ensure that the satisfaction of ψ is not postponed forever.
- Define F to be the set of tableau states that either include ψ or exclude "Eventually ψ".
- Accepting condition: Repeatedly F.
- Similarly, for a subformula "Always ψ", define F' to be the set of states that either include "Always ψ" or exclude ψ; a state in F' is required to appear repeatedly on an accepting run.
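An added example (my own code, not from the lecture slides) that carries out the construction of slides 2 and 3 for φ = Eventually e & Next ~e: it enumerates the locally consistent subsets of Sub(φ), connects s to t exactly when, for every "Next ψ" in Sub(φ), "Next ψ" is in s if and only if ψ is in t (this is the rule that reproduces the transitions listed on slide 2), and builds one accepting set per Eventually subformula. The nested-tuple encoding of formulas is my own choice.

```python
from itertools import product

# Added example, not lecture code. Formulas are nested tuples: the atom 'e',
# ('not', f), ('next', f), ('ev', f) for Eventually f, and ('and', f, g).
E, NOT_E, EV_E = 'e', ('not', 'e'), ('ev', 'e')
N_NOT_E, N_EV_E = ('next', NOT_E), ('next', EV_E)
PHI = ('and', EV_E, N_NOT_E)          # slide 2: phi = Eventually e & Next ~e

def is_atom(f):
    return isinstance(f, str)

def sub(f):
    """Sub(phi): all subformulas, plus Next(Eventually g) for each Eventually g."""
    if is_atom(f):
        return {f, ('not', f)}
    s = {f}
    for g in f[1:]:
        s |= sub(g)
    if f[0] == 'ev':
        s.add(('next', f))            # Eventually g = g | Next Eventually g
    return s

def consistent(state, subs):
    """Local consistency: exactly one of e/~e; & and Eventually agree with their parts."""
    for f in subs:
        if is_atom(f):
            ok = (f in state) != (('not', f) in state)
        elif f[0] == 'and':
            ok = (f in state) == (f[1] in state and f[2] in state)
        elif f[0] == 'ev':
            ok = (f in state) == (f[1] in state or ('next', f) in state)
        else:
            ok = True                 # Next and ~ formulas impose no local constraint
        if not ok:
            return False
    return True

def tableau(phi):
    """Return (states, successor map, initial states, accepting sets) of the tableau."""
    subs = sorted(sub(phi), key=repr)
    states = [frozenset(f for f, bit in zip(subs, bits) if bit)
              for bits in product((0, 1), repeat=len(subs))]
    states = [s for s in states if consistent(s, subs)]
    nexts = [f for f in subs if not is_atom(f) and f[0] == 'next']
    # t follows s iff for every Next g in Sub(phi): Next g in s <=> g in t
    succ = {s: {t for t in states if all((n in s) == (n[1] in t) for n in nexts)}
            for s in states}
    init = [s for s in states if phi in s]
    # one accepting set per Eventually g: states that include g or exclude Eventually g
    accept = [[s for s in states if f[1] in s or f not in s]
              for f in subs if not is_atom(f) and f[0] == 'ev']
    return states, succ, init, accept
```

The input letter on a transition out of s is e if e is in s and ~e otherwise, so the successor map alone carries the labelled transitions of slide 2.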

4 Handling Acceptance

- In general, if there are multiple temporal subformulas, the acceptance condition should ensure that each of them is satisfied.
- Generalized Büchi automaton: a modest syntactic generalization. Automaton M has k accepting sets F1, F2, ..., Fk. An execution is accepting if for each j some state in Fj appears repeatedly: Repeatedly F1 & Repeatedly F2 & ... & Repeatedly Fk.
- It is possible to "compile" a generalized Büchi automaton to a standard Büchi automaton.
- It is also possible to adapt cycle-detection algorithms to handle multiple accepting sets.

5 Tableau Construction: Summary

- Correctness claim: a trace over V satisfies the given LTL formula φ if and only if it is accepted by the generalized Büchi automaton M_φ.
- Complexity: the size of M_φ is 2^l, where l is the size of φ; such a blow-up is unavoidable.
- Practical implementations with a number of optimizations exist.

6 Reachability Problem for Transition Systems

[Diagram: the verifier takes a transition system T and a property φ, asks "Is φ reachable?", and answers either yes (with a counterexample) or no.]

- Is there a (finite) execution from an initial state to a state satisfying φ?
- Checking whether φ is an invariant of T => checking whether ~φ is reachable.
- Verification techniques:
  1. Proof-based: inductive invariants
  2. Enumerative on-the-fly search (not covered, see notes)
  3. Symbolic search based on iterative image computation

7 Repeatable Property for Transition Systems

Transition system = states, initial states, transitions
Property φ: a subset of states
Property φ is repeatable if there exists an infinite execution that satisfies Repeatedly φ.
Equivalently: is there a state s such that
  1. s is reachable,
  2. s satisfies φ, and
  3. there is a cycle containing s?

8 Repeatability Problem for Transition Systems

[Diagram: the verifier takes a transition system T and a property φ, asks "Is φ repeatable?", and answers either yes (with a counterexample) or no.]

- Is there an infinite execution along which states satisfying φ appear repeatedly?
- To check whether a system C satisfies an LTL formula φ, check whether "Mode is Accepting" is repeatable in the composition of C and the Büchi monitor M_~φ.
- Verification techniques:
  1. Proof-based: ranking functions (Sec 5.3, not covered)
  2. Enumerative: nested depth-first search (not covered, see 5.2.3)
  3. Symbolic search

9 Recap: Symbolic Transition Systems

- A region over variables X is a data structure that represents a set of states assigning values to X.
- A transition system T with state variables S is represented by
  - a region φ_I over S for the initial states, and
  - a region φ_T over S ∪ S' for the transitions.
- The symbolic representation can be compiled automatically from the code for updating the variables.

10 Towards Symbolic Algorithm

[Diagram: starting from Init, find the states that are reachable and satisfy the property φ.]

Find the set of reachable states using the symbolic reachability algorithm, and intersect it with φ.

11 Symbolic Image Computation

- Core problem in symbolic search: compute the post-image (i.e. the set of successors) of the states in a given region.
- Given:
  - A of type reg over state variables S
  - Trans of type reg over S ∪ S'
- Post(A, Trans) = Rename(Exists(Conj(A, Trans), S), S', S)
  1. Take the conjunction of A and Trans.
  2. Project out the variables in S using existential quantification.
  3. Rename the primed variables to get a region over S.

12 Symbolic BFS Algorithm

Given region Init over S and region Trans over S ∪ S', compute the region representing all reachable states.

  reg Reach := Empty;   /* states found reachable */
  reg New := Init;      /* states not yet explored for outgoing transitions */
  while IsEmpty(New) = 0 {          /* while there are states to be explored */
    Reach := Disj(Reach, New);      /* add new states to reachable states */
    New := Diff(Post(New, Trans), Reach);
    /* states in the post-image of New that were not previously found reachable, so still to be explored */
  };

The first phase of the symbolic repeatability check involves computing Reach.

13 Symbolic Repeatability Check

Recur0 = Reachable & φ
Find the states s in Recur0 such that from s there is a path with 1 or more transitions to some state in Recur0:
Recur1 = Reachable & φ & Next Eventually φ
Repeat to get Recur2 from Recur1:
Recur2 = Reachable & φ & Next Eventually (φ & Next Eventually φ)
Repeat to get Recur_{i+1} from Recur_i.

14 Symbolic Repeatability Check

- What can we conclude if Recur_{i+1} = Recur_i?
- What can we conclude if Recur_{i+1} is empty?

15 Symbolic Repeatability Check

- Key step: given a region A, find the sub-region { s in A | there exists t in A that is reachable from s in >= 1 transitions }.
- Recall: to compute the states reachable from Init, we repeatedly apply the post-image operator.
- Symmetrically, to find the states from which A is reachable, we can repeatedly apply the pre-image operator.
- To get the desired result, intersect this set with A.

16 Symbolic Pre-Image Computation

- Pre-image of a region A = the set of predecessors of states in A:
  Pre(A, Trans) = { s | there exists a state t in A such that s -> t is a transition }
- Given:
  - A of type reg over state variables S
  - Trans of type reg over S ∪ S'
- Pre(A, Trans) = Exists(Conj(Rename(A, S, S'), Trans), S')
  1. Rename the variables in A to their primed copies to get a region over S'.
  2. Take the conjunction of the result with Trans (this captures the set of transitions whose target states belong to A).
  3. Project out the variables in S' using existential quantification.

17 Symbolic Repeatability Algorithm

Phase 1: compute Reach as shown before.

  reg Recur := Conj(Reach, φ);     /* potential candidate states for a cycle */
  while IsEmpty(Recur) = 0 {       /* while there are potential candidates */
    /* compute the states from which Recur is reachable */
    Reach := Empty;
    New := Pre(Recur, Trans);      /* ensure at least one transition */
    while IsEmpty(New) = 0 {
      Reach := Disj(Reach, New);
      if IsSubset(Recur, Reach) = 1 then return 1;   /* Recur won't change; property repeatable */
      New := Diff(Pre(New, Trans), Reach);
    };
    Recur := Conj(Recur, Reach);   /* subset of Recur from which Recur is reachable */
  };
  return 0;                        /* no execution with the property repeating */
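An added example (my own code, not from the lecture) that runs the post- and pre-image computations of slides 11 and 16, the symbolic BFS of slide 12 and the repeatability algorithm of slide 17 on a small constructed transition system; regions are modelled as explicit sets of states rather than a symbolic data structure, so the region operations become ordinary set operations.

```python
# Added example, not lecture code. Regions are frozensets of states and Trans is a
# set of (source, target) pairs, so Conj/Disj/Diff/IsEmpty/IsSubset become
# &, |, -, bool() and <=, and Post/Pre become the two image functions below.

def post(a, trans):
    """Post-image (slide 11): successors of the states in region a."""
    return frozenset(t for s, t in trans if s in a)

def pre(a, trans):
    """Pre-image (slide 16): predecessors of the states in region a."""
    return frozenset(s for s, t in trans if t in a)

def reach(init, trans):
    """Symbolic BFS (slide 12): all states reachable from init."""
    reached, new = frozenset(), frozenset(init)
    while new:                                   # while there are states to be explored
        reached |= new
        new = post(new, trans) - reached         # newly discovered successors only
    return reached

def repeatable(init, trans, prop):
    """Symbolic repeatability check (slide 17): is some state in prop visited repeatedly?"""
    recur = reach(init, trans) & prop            # reachable candidates satisfying the property
    while recur:
        back, new = frozenset(), pre(recur, trans)   # >= 1 transition back into recur
        while new:
            back |= new
            if recur <= back:                    # every candidate reaches a candidate again,
                return True                      # so a cycle through prop exists
            new = pre(new, trans) - back
        recur &= back                            # drop candidates that cannot return to recur
    return False

# Constructed transition system: A -> B -> C -> D -> E, C -> B (a B/C cycle), F -> A
# (F is not reachable from the initial state A).
INIT = frozenset({'A'})
TRANS = {('A', 'B'), ('B', 'C'), ('C', 'B'), ('C', 'D'), ('D', 'E'), ('F', 'A')}

if __name__ == '__main__':
    print(sorted(reach(INIT, TRANS)))            # ['A', 'B', 'C', 'D', 'E']
    print(repeatable(INIT, TRANS, {'C'}))        # True: the B/C cycle visits C forever
    print(repeatable(INIT, TRANS, {'D', 'E'}))   # False: reachable, but on no cycle
    print(repeatable(INIT, TRANS, {'F'}))        # False: F is not reachable
```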

18 Example

[Figure: worked example on a transition system with states A, B, C, D, E, F and H; the drawing is not recoverable from the transcript.]

19 Analysis of Symbolic Repeatability

- Correctness (1): if there is a reachable state s that satisfies φ, and there is an infinite execution starting in s satisfying Repeatedly φ, then s will always stay in Recur (and thus Recur cannot become empty).
- Correctness (2): if the inner loop finds that from every state in Recur some state in Recur is reachable with >= 1 transitions, then indeed there is an infinite execution satisfying Repeatedly φ.
- The algorithm is sound: it cannot give wrong answers.
- If the transition system has n reachable states of which k satisfy φ, then the algorithm terminates within O(nk) region operations.
- In practice, performance depends on how effective the data structure for regions is.

20 Logistics

- Homework 4: due next Wednesday, April 1. Exercises 5.4, 5.5, 5.9, 5.10, 5.15.
- Recitation on Friday for problems in Chapter 5.
- Next week: dynamical systems.
- The project description will be available next week.
