430 likes | 907 Views
Formal Verification and Model Checking. Traian Pop. System Validation. System Validation Techniques Simulation Testing Formal Verification Model Checking. Simulation. Based on executable model of the system permits a quick and shallow evaluation of the design quality
E N D
Formal Verification and Model Checking Traian Pop
System Validation • System Validation Techniques • Simulation • Testing • Formal Verification • Model Checking
Simulation • Based on executable model of the system • permits a quick and shallow evaluation of the design quality • not suitable for finding subtle errors
Testing • based on the real implementation of the system not on a model • it is the only way of (partially) validating a design when: • the construction of a valid and reliable model of the system is difficult (due to complexity) • system parts cannot be formally modelled • the model is proprietary
Formal Verification Formal Verification requires: • A model of the system • A specification method • A set of proof rules
Formal Verification (cont’d) • Verification of sequential programs • pre- and post-conditions: {f} S {y} (Hoare’s triple) • {f} S {y} is partially correct if any terminating computation S that starts in a state satisfying f,terminates in a state satisfying y. • {f} S {y} is totally correct if any computation S that starts in a state satisfying f,terminates and finishes in a state satisfying y.
Formal Verification (cont’d) • Formal verification of parallel systems introduces non-determinsm problems • Tools in formal verification • Proof assistants • Proof checkers • Theorem provers
Model Checking • Automated technique • Verifies whether the required properties hold for a model
Model Checking (cont’d) • Typical algorithm: exhaustive state-space search • Approaches (depending on requirement specificaton) • Heterogeneous (logic based) • Homogeneous (behavior based) • Bisimulation (A and B are bisimilar if A can simulate every step of B and vice-versa) • Two bisimilar models satisfy the same CTL formulas
Computational Tree Logic (CTL) • Specification language for finite–state systems • Each formula describes properties of computation paths (which are infinite sequences of states) • Logical operators: NOT, AND • Operators for temporal relationships: X (next-state), G(global), U(until), F(future) • Path quantifiers: E, A
Computational Tree Logic (cont’d) Descriptions • Xf holds for a path p iff it holds for succ(first(p)) • Gf =>f holds in all states of a computational path • Ff => f will hold sometime in the future • fUg holds for p if there exists a state s on p where g holds while f holds in all states preceding s • AXf holds in a state if f holds in all possible next states
Binary Decision Diagrams (BDD) • Rooted, acyclic graphs representing boolean functions • Capture some of the regularities in the state-space • Total ordering on variables is needed • Support AND, OR, NOT and functional composition
Fairness • Fairness constraint = an arbitrary formula of the logic • A path is fair with respect to a set of fairness constraints if each constraint holds infinitely often along the path • CTLF – enhanced for dealing with fair paths • Ex. • Fair = EG true • EX f EX(f Fair) • EG f with BZ = f EX(E[Z U (Z B)])
Model Checking for RTS • Extend both the state-transition graph and the logical formulas, with quantitative timing information • TCTL (Timed CTL) – expresses desired behavior • Timed graphs – express possible behavior
Timed CTL • Ef U~cg • Af U~cg • ~{, , , , } • Ef U c g – for some computational path p there is an initial prefix of time less than c such that g holds at the last state and f holds in all intermediate states • ! No X operator for time in real domain R, as there is no unique next-state/next-time
Timed graphs • Model finite-state RT systems • Composed of • Finite set of nodes • Finite set of clocks
Model Checking for RTS (cont’d) • The problem consists of deciding whether a finite-state RTS modelled as a timed graph meets its specification given as a TCTL-formula • System model: G = (S, m, s0, E, C, p, t) • TCTL-structure: MG = (S x G(G), m’, f) • For a TCTL-formula f, G satisfies f iff (MG, ,(s0, u0)) satisfies f, where u0(x) = 0, x C
Model Checking - Conclusions • Advantages • General approach • Supports partial verification • Relatively easy to use (as compared to theorem provers) • Can provide a significant increase in the level of confidence of a system • Disadvantages • Appropriate mainly to control intensive applications • Verifies the model, not the system • Only stated requirements are checked • State-space explosion problem -> complexity issues