Presentation is loading. Please wait.

Presentation is loading. Please wait.

VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran.

Published byDorothy Wilcox Modified over 8 years ago

Similar presentations

Presentation on theme: "VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran."— Presentation transcript:

1 VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran

2 Today l Fairness l Linear Temporal Logic (LTL) l Automata-theoretic verification u Design vs. implementation verification u Monitors u Languages, FSM equivalence, language containment u Using automata for model checking: The “tableau” method

3 Why fairness constraints? l Non-determinism is used to hide irrelevant detail. l May introduce behavior that is not part of actual system. Example: Client module l Non-det. model allows No Req, Req, Req, Have_Token, Have_Token... but actual client eventually gives up token. l Want to refine the non-det. description to model the client more closely. l Must remove traces that stay in Have_Token forever. No Req Req Have_Token Have_Token True True

4 Infinite Traces and Fairness Constraints l A trace is a sequence of states. l Infinite traces are useful for reasoning about eventualities and arbitration. Examples: l “If Have_Token then eventually No Req.”..., Have_Token, Have_Token, NoReq, NoReq,... 4..., Have_Token, Have_Token, Have_Token,... 8 l An environment model that randomly generates input patterns A, B, and C. “It is always the case that sometime in the future an A is generated. ” Similarly for B and C. A, B, C, A, B, C, A, B, C,... A, B, C, B, A, B, C, B, A,... both satisfy constraints. A, B, C, A, B, A, B, A, B,... does not.

5 Infinity Sets l Number of states is finite, so an infinite trace visits some states infinitely often. l These states are called the infinity set of a trace: 1. a, b, a, b, a, b,... {a, b} 2. a, b, a, c, c, c, c,... {c} 3. a, b, a, c, a, c, a, c... {a, c} l Fairness constraints are conditions on the infinity set. l F inf {a, b} : “Infinitely often {a,b}” means some state in {a, b} must be in the infinity set. Satisfied by 1 and 3, but not 2. b a d c

6 Fairness Constraints in VIS l VIS allows fairness constraints of the form F inf S 1 & F inf S 2 &... & F inf S n F inf S 1 & F inf S 2 &... & F inf S n l S i : A set of states represented by a CTL formula. l The fairness constraint is satisfied if some state in each S i is visited infinitely often. l Example: Let S 1 be given by !(client_state = Have_Token) S 1 = {NoReq, Req} S 1 = {NoReq, Req} l F inf S 1 means {NoReq, Req} is visited infinitely often, i.e., Have_Token does not remain asserted forever. l Usage: vis> read_fairness file.fair l Restricts attention to traces that satisfy the fairness constraints. l Like listing a set of false paths. No Req Req Have_Token Have_Token True True

7 Common Uses of Fairness Constraints l Modeling an unknown amount of wait: “ Don’t stay in ”a” forever. ” F inf !( state_var = a) l “It is always the case that sometime in the future an “a” is generated. ” Similarly for ”b”, ”c” and ”d”. F inf {a} & F inf {b} & F inf {c} & F inf {d} a b a d c

8 Bad Behaviors and Monitors l Want to see if a design can have bad behavior. l Example of undesired behavior: “Clients B and C are in the BUSY state at the same time.” Mutual exclusion is violated. l A monitor is a module that watches for bad behavior. Example: Mutual exclusion. assign error = (B.state == BUSY) && (C.state == BUSY) Good Good Bad!errorerror true

9 Why write monitors? l Some properties are hard or impossible to express in CTL. Example: Store -Load order. Let X be a memory location. “If load_req X follows store_req X, then the store must be serviced before the load.” l Undesired behavior: store_req X... load_req X... load_service X... l Note: In the initial state, we non-deterministically start checking for the bad sequence. Undesired behavior can be detected anywhere along the trace. s1 s1 Idle Idle s2 s2 else else Bad true true store_req X load_req X load_req X load_service X load_service X true true store_service X store_service X

10 Monitor Example Property: If A requests resource, and resource is free, A gets resource within 3 clock cycles unless another client requests resource in the meantime. Bad Behavior: For more than 3 clock cycles, A is in state REQ and ackA is false, A is in state REQ and ackA is false, B and C are in state NO REQ. B and C are in state NO REQ.Monitor: assign not_served = (A.state = REQ) && !(ackA) && assign not_served = (A.state = REQ) && !(ackA) && (B.state != REQ) && (C.state != REQ) (B.state != REQ) && (C.state != REQ) s3 s3 Bad true truenot_served Fairness Constraint: F inf (Bad) s1 s1 Idle Idle not_served not_served true true s2 s2 not_served not_served

11 Using monitors in VIS l Property holds iff l Procedure: u Write verilog code for the monitor, append to the system description. u Write CTL file specifying fairness constraints for system + monitor. Fairness constraints of monitor should allow bad behavior only. u Use the “lang_empty” command. u If there exists bad behavior, VIS will give a short error trace. the system + monitor combination has no fair traces.

Download ppt "VIS Technology Transfer Course Session 7 Fairness Constraints and Monitors Serdar Tasiran."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
A Survey of Runtime Verification Jonathan Amir 2004.

A Survey of Runtime Verification Jonathan Amir 2004.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 3: Verification of Navigation Models with the Spin Model Checker Instructor: Tevfik Bultan.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.

1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

Similar presentations

Ads by Google