Formal Verification -- Deciding the Undecidable Orna Kupferman Hebrew University
Is the system correct? CORRECT_TM = {<T, φ> : T satisfies φ}. Does the system halt? HALT_TM = {<T> : T halts}. Undecidable!
1960+: testing, simulation-based verification. 1980+: formal verification. Still…, is the system correct? Two families of formal methods: proof-based methods and state-exploration methods.
A specification: {x=X, y=Y≥0} P {z=XY}, where
P :: begin z:=0; while y≠0 do (z:=z+x; y:=y-1) end
(as a flowchart: after z:=0, test y=0; if no, do z:=z+x, y:=y-1 and test again; if yes, exit).
Proof-based method:
1. Find cut-points: l0 (entry), l1 (the loop test), lfin (exit).
2. Find invariants: l0: x=X ∧ y=Y≥0; l1: z=X(Y-y); lfin: z=XY.
3. Prove the implications (primes denote values after one pass through the loop body):
   x=X ∧ y=Y≥0 ∧ z=0 → z=X(Y-y)   (entry into l1)
   z=X(Y-y) ∧ y≠0 ∧ z'=z+X ∧ y'=y-1 → z'=X(Y-y')   (around the loop)
   z=X(Y-y) ∧ y=0 → z=XY   (exit)
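The three implications of the proof above, checked in code. This is an added example, not code from the talk: a real proof discharges each implication for all integers with a theorem prover, whereas this bounded exhaustive check only covers small integers (a pass is evidence, not a proof, but any failure it reports is a genuine counterexample to inductiveness). The "wrong" candidate assertion is an assumption added to show what a failing obligation looks like.

```python
import itertools

def inv_slide(X, Y, z, y):
    """Intermediate assertion at cut-point l1 (loop head): z = X(Y-y)."""
    return z == X * (Y - y)

def inv_wrong(X, Y, z, y):
    """A candidate assertion that is NOT inductive (constructed for contrast)."""
    return z == X * y

def check_vcs(inv, bound=6):
    """Return {obligation: first counterexample} for the obligations that fail.

    Obligations, as in the proof (primes denote values after the loop body):
      init:  x=X ∧ y=Y≥0 ∧ z=0                  ⟹ inv(z, y)
      loop:  inv(z, y) ∧ y≠0 ∧ z'=z+X ∧ y'=y-1   ⟹ inv(z', y')
      exit:  inv(z, y) ∧ y=0                     ⟹ z = X·Y
    X, z, y range over -bound..bound and Y over 0..bound (bounded check only).
    """
    rng = range(-bound, bound + 1)
    failures = {}
    for X, Y in itertools.product(rng, range(0, bound + 1)):
        if not inv(X, Y, 0, Y):
            failures.setdefault("init", dict(X=X, Y=Y, z=0, y=Y))
        for z, y in itertools.product(rng, rng):
            if not inv(X, Y, z, y):
                continue                  # hypothesis of loop/exit not met
            if y != 0 and not inv(X, Y, z + X, y - 1):
                failures.setdefault("loop", dict(X=X, Y=Y, z=z, y=y))
            if y == 0 and z != X * Y:
                failures.setdefault("exit", dict(X=X, Y=Y, z=z, y=y))
    return failures

def run_program(x, y):
    """Execute P and check the invariant at every visit to the cut-point l1."""
    X, Y = x, y
    assert Y >= 0                          # precondition
    z = 0
    while y != 0:
        assert inv_slide(X, Y, z, y)       # invariant holds at l1
        z, y = z + x, y - 1
    assert inv_slide(X, Y, z, y) and z == X * Y
    return z

if __name__ == "__main__":
    print(check_vcs(inv_slide))            # {} : all three obligations pass
    print(check_vcs(inv_wrong))            # one counterexample per failing obligation
    print(run_program(7, 5))               # 35
```

Running `check_vcs(inv_wrong)` shows why the manual step is hard: a candidate that looks plausible fails all three obligations, and the counterexample tells you which cut-point annotation to revise.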
Proof-based methods:
• Coming up with intermediate assertions is manual.
• What if we do not succeed?
Model checking (a state-exploration method, aimed at the on-going behaviors of non-terminating systems):
• Fully automatic.
• A counterexample is given when the system does not satisfy the specification.
Traditional view: Turing machines accept or reject an input. Specifications: “z=XY”, “the program sorts the numbers”, ...
1980s: reactive systems (operating systems, communication protocols, elevator controllers, …) interact with an environment and generate on-going behaviors. Specifications: “every request is eventually granted”, “there is no deadlock”, …
Model checking, the idea: the system is modeled by a mathematical model M; the desired behavior is written as a formal specification φ; “the system has the desired behavior” becomes “M satisfies φ”.
Model checking: the mathematical model of the system is a labeled state-transition graph (states labeled with atomic propositions such as req and grant); the formal specification of the desired behavior is written in temporal logic or as an automaton on infinite words, e.g. “every request is followed by a grant”, “only finitely many grants”, …
Temporal logic:
• Atomic propositions: AP = {p, q, …}
• Boolean operators: ¬, ∧, ∨, …
• Temporal operators: G (always), F (eventually), X (next), U (until). Along a path, Gp holds if p holds in every position, Fp if p holds in some position, Xp if p holds in the next position, and pUq if p holds in every position up to some position where q holds.
• Examples: φ1 = G(req → F grant), φ2 = GF grant, φ3 = req U (req ∧ grant)
• Path quantifiers: A: for all paths; E: there exists a path.
What’s the big deal?
• It actually works!
• It involves beautiful theoretical challenges: specification formalisms; efficient algorithms; ways to cope with huge, possibly infinite state spaces; further applications (synthesis, control).
1996, Amir Pnueli: “For seminal work introducing temporal logic into computing science and for outstanding contributions to program and systems verification.”
2007, Edmund M. Clarke, E. Allen Emerson and Joseph Sifakis: “For [their roles] in developing Model-Checking into a highly effective verification technology, widely adopted in the hardware and software industries.”
Specification formalisms: on-going behaviors! Temporal logic: ALWAYS (req → EVENTUALLY grant). Automata on infinite words:
Büchi automata [1962, decidability of monadic S1S]. Example: states q0 (initial) and q1 (accepting), with q0 → q0 on a, q0 → q1 on b, q1 → q1 on b, q1 → q0 on a.
Finite words: the run ends in an accepting state; L(A) = (a+b)*b (all words ending with b).
Infinite words: the run visits an accepting state infinitely often; L(A) = (a*b)^ω (all words with infinitely many b’s).
Complementation? Determinization?? Containment???
Specification formalisms: on-going behaviors! 1977 [Pnueli]: temporal logic, ALWAYS (req → EVENTUALLY grant). 1962 [Büchi], 1986 [Vardi, Wolper]: automata on infinite words over the alphabet Σ = 2^AP, whose letters are sets of propositions such as {}, {req}, {grant}, {req, grant}; the automaton for the specification reads these letters.
Specification formalisms: active research.
• 1980s: CTL, LTL, CTL* (linear vs. branching)
Specification formalisms: linear vs. branching. Consider two vending machines: in the first, idle → coin leads to a single state that offers both tea and coffee; in the second, idle → coin leads along two different branches, one offering only tea and the other only coffee. Linear approach: identical systems (both have exactly the computations idle·coin·tea and idle·coin·coffee). Branching approach: different systems, distinguished by the CTL formula EX(EX coffee ∧ EX tea), which holds only in the first.
Specification formalisms: active research.
• 1980s: CTL, LTL, CTL* (linear vs. branching)
• 1990s: regular expressions, real time
• 2000s: PSL (industry), ATL (multi-agent systems, games)
Is satisfaction really Boolean? Consider ALWAYS(request → EVENTUALLY grant) over six computations. The Boolean setting does not distinguish between the different ways in which a specification is satisfied: all six simply get √. A quantitative setting assigns each computation a value instead (the slide shows 0, 0.6, 0.95, 0.4, 0.5, 0.3).
• 2010s: quantitative properties. Even “more undecidable”.
A weighted finite automaton (WFA):
• Every transition has a cost, e.g. c(q1,a,q3)=2, c(q4,c,q4)=4.
• Every state has a final cost, charged if a run ends in it, e.g. final cost 4 for q3 and 5 for q2.
• Note: there are no accepting states; a state may have final cost ∞ (e.g. q1).
The cost of a word in a DWFA: in a deterministic WFA, the cost of a word w is the cost of the single run of A on w. For w=babc in the DWFA of the figure, cost(A,w) = 1+3+1+4+2 = 11 (the last summand is the final cost of the state in which the run ends).
The cost of a word in a WFA: in a non-deterministic WFA (NWFA), the cost of a word w is the cost of the cheapest run of A on w. For w=bbc, cost(A,w) = min(9,12) = 9; upper path: 4+2+3+0 = 9; lower path: 1+1+4+6 = 12.
A WFA thus defines a weighted regular language L: Σ* → ℝ.
The exciting world of weighted automata. Given two WFAs A and A′, we say that A is cheaper than A′ (A ≤ A′) if for every word w ∈ Σ*, we have cost(A,w) ≤ cost(A′,w). How to check whether A ≤ A′?
Related problem: containment between NFAs. How to check whether A ⊆ A′? A ⊆ A′ iff L(A) ∩ comp(L(A′)) = ∅. How to complement A′? Determinization!
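The containment check just described, carried out in code: complement A′ by determinizing it with the subset construction and search the product for a word accepted by A but not by A′. This is an added example, not code from the talk; the two automata are constructed for it (A is the Büchi automaton from the earlier slide read as an automaton on finite words, so L(A) = (a+b)*b, and B accepts the words containing at least one b).

```python
from collections import deque

class NFA:
    def __init__(self, alphabet, delta, init, final):
        self.alphabet = alphabet       # iterable of letters
        self.delta = delta             # (state, letter) -> set of successor states
        self.init = frozenset(init)    # set of initial states
        self.final = set(final)        # accepting states

    def step(self, S, letter):
        """Subset construction step: successors of the set S on `letter`."""
        return frozenset(t for q in S for t in self.delta.get((q, letter), ()))

def witness_not_contained(A, B):
    """Return a shortest word in L(A) \\ L(B), or None if L(A) ⊆ L(B).

    B is determinized on the fly: a DFA state is a subset of B's states, and
    comp(B) is that DFA with acceptance swapped, i.e. subsets containing no
    B-final state. Breadth-first search over (subset of A, subset of B) finds
    the shortest word reaching "A accepts" and "comp(B) accepts" at once.
    """
    alphabet = sorted(set(A.alphabet) | set(B.alphabet))
    start = (A.init, B.init)
    seen, queue = {start}, deque([(start, "")])
    while queue:
        (SA, SB), word = queue.popleft()
        if SA & A.final and not (SB & B.final):     # w ∈ L(A) ∩ comp(L(B))
            return word
        for a in alphabet:
            nxt = (A.step(SA, a), B.step(SB, a))
            if nxt[0] and nxt not in seen:          # empty A-subset never accepts
                seen.add(nxt)
                queue.append((nxt, word + a))
    return None

def contained(A, B):
    """A ⊆ B iff L(A) ∩ comp(L(B)) = ∅."""
    return witness_not_contained(A, B) is None

# A: words over {a,b} ending in b (deterministic here)
A = NFA("ab", {("q0", "a"): {"q0"}, ("q0", "b"): {"q1"},
               ("q1", "b"): {"q1"}, ("q1", "a"): {"q0"}},
        init={"q0"}, final={"q1"})
# B: words containing at least one b (nondeterministically guesses that b)
B = NFA("ab", {("s0", "a"): {"s0"}, ("s0", "b"): {"s0", "s1"},
               ("s1", "a"): {"s1"}, ("s1", "b"): {"s1"}},
        init={"s0"}, final={"s1"})

if __name__ == "__main__":
    print(contained(A, B))              # True: a word ending in b contains a b
    print(witness_not_contained(B, A))  # "ba": contains a b but does not end in b
```

The subset construction is what makes this exponential in the worst case (there are 2^|Q| subsets); the same construction is exactly what fails for Büchi automata on infinite words, which is why the slide's three question marks escalate.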
Weighted automata: an NWFA A with states q0 (initial), q1, q2, q3 and transitions q0 →(a,1) q1, q1 →(b,2) q1, q1 →(c,1) q3, q0 →(a,1) q2, q2 →(b,1) q2, q2 →(d,1) q3.
cost(abc) = 1+2+1 = 4
cost(abb) = min{1+2+2, 1+1+1} = 3
L(A) = {<ab^i, 1+i>, <ab^i c, 2+2i>, <ab^i d, 2+i>}
There is no equivalent deterministic automaton. Suppose D were an equivalent DWFA. Since D has finitely many states, there are i ≠ j with δ(q0, ab^i) = δ(q0, ab^j) = q. Now cost(ab^i) = i+1 and cost(ab^j) = j+1, while cost(ab^i c) = 2i+2 and cost(ab^j c) = 2j+2. What’s the cost of a c-transition from q? Reading c from q would have to add (2i+2)-(i+1) = i+1 to the cost of ab^i and also (2j+2)-(j+1) = j+1 to the cost of ab^j, which a single deterministic transition cannot do.
Open problem: given a WFA, is there an equivalent DWFA? Undecidable?
Undecidable #1: is there a word w such that L(w) ≥ 1?
Undecidable #2: weighted containment (A ≤ A′).
Interesting connection #1: determinizability ↔ decidability (automata on infinite alphabets…).
Interesting connection #2: competitive ratio of online algorithms ↔ approximation required for determinization.
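The cost of a word in the NWFA above, computed as the slide defines it (the cheapest run), and the non-determinizability argument made concrete. This is an added example, not code from the talk. The transitions are those of the figure; the final costs are not drawn, and taking 0 on q1, q2, q3 and ∞ on q0 is an assumption that reproduces the costs the slide lists.

```python
from math import inf

class WFA:
    def __init__(self, init, trans, final):
        self.init = init      # initial state
        self.trans = trans    # (state, letter) -> list of (next_state, cost)
        self.final = final    # state -> final cost; inf means a run cannot end here

    def cost(self, word):
        """cost(A, w): minimum over all runs of (transition costs + final cost)."""
        frontier = {self.init: 0}             # state -> cheapest cost reaching it
        for letter in word:
            nxt = {}
            for q, c in frontier.items():
                for q2, w in self.trans.get((q, letter), []):
                    if c + w < nxt.get(q2, inf):
                        nxt[q2] = c + w       # keep only the cheapest run to q2
            frontier = nxt
        return min((c + self.final.get(q, inf) for q, c in frontier.items()),
                   default=inf)               # inf: no run reads the whole word

    def is_deterministic(self):
        return all(len(v) <= 1 for v in self.trans.values())

# The automaton of the figure (final costs are an assumption, see above).
A = WFA(
    init="q0",
    trans={("q0", "a"): [("q1", 1), ("q2", 1)],   # the only nondeterministic choice
           ("q1", "b"): [("q1", 2)], ("q1", "c"): [("q3", 1)],
           ("q2", "b"): [("q2", 1)], ("q2", "d"): [("q3", 1)]},
    final={"q0": inf, "q1": 0, "q2": 0, "q3": 0},
)

def c_cost_needed(i):
    """cost(ab^i c) - cost(ab^i): the extra cost a deterministic c-transition
    leaving the state reached by ab^i would have to charge. It grows with i,
    so finitely many states cannot remember it: no equivalent DWFA exists."""
    return A.cost("a" + "b" * i + "c") - A.cost("a" + "b" * i)

if __name__ == "__main__":
    print(A.cost("abc"), A.cost("abb"), A.cost(""))   # 4 3 inf
    print(A.is_deterministic())                       # False
    print([c_cost_needed(i) for i in range(5)])       # [1, 2, 3, 4, 5]
```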
Complementation… Back to the Boolean setting… Model-checking algorithms.
Linear time: the automata-theoretic approach. S satisfies φ iff L(S) ⊆ L(φ) iff L(S) ∩ comp(L(φ)) = ∅.
Branching time: evaluate the formula bottom up, from its subformulas outward (e.g. AGFEXXp, AGFq).
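The automata-theoretic approach for the slide's own property, G(req → F grant), written out. This is an added example, not code from the talk: the negated property ¬φ = F(req ∧ G ¬grant) is given directly as a Büchi automaton over Σ = 2^AP, the system is a labeled state-transition graph, and the product is searched for a reachable cycle through an accepting state, which is the "bad cycle detection" problem the symbolic-methods part of the talk refers to. The two arbiter models are constructed toy systems.

```python
# Büchi automaton for ¬φ = F(req ∧ G ¬grant) over letters ⊆ {req, grant}.
# "wait": nothing violated yet (initial). "viol": a request was read and no
# grant may follow (accepting). Reading a grant in "viol" kills the run.
def buchi_not_phi(state, letter):
    """Successor states of A_¬φ when reading `letter` (a frozenset of props)."""
    if state == "wait":
        succ = ["wait"]
        if "req" in letter and "grant" not in letter:
            succ.append("viol")
        return succ
    return ["viol"] if "grant" not in letter else []

BUCHI_INIT, BUCHI_ACC = "wait", {"viol"}

# System models (constructed): state -> (label, successor states).
S_OK = {
    "idle":  (frozenset(),          ["req"]),
    "req":   (frozenset({"req"}),   ["grant"]),
    "grant": (frozenset({"grant"}), ["idle"]),
}
S_BAD = {  # after a request the arbiter may spin in "busy" forever
    "idle":  (frozenset(),          ["req"]),
    "req":   (frozenset({"req"}),   ["busy"]),
    "busy":  (frozenset(),          ["busy", "grant"]),
    "grant": (frozenset({"grant"}), ["idle"]),
}

def product_successors(system):
    """Successors in S × A_¬φ; the automaton reads the label of the current state."""
    def succ(ps):
        s, q = ps
        label, nexts = system[s]
        return [(s2, q2) for q2 in buchi_not_phi(q, label) for s2 in nexts]
    return succ

def find_accepting_cycle(inits, succ, is_acc):
    """Nested DFS: a lasso (prefix, cycle) through an accepting state, or None
    if the language of the product is empty."""
    seen1, seen2, path = set(), set(), []

    def dfs2(s, seed):                 # inner search: a cycle back to `seed`
        for t in succ(s):
            if t == seed:
                return [t]
            if t not in seen2:
                seen2.add(t)
                rest = dfs2(t, seed)
                if rest is not None:
                    return [t] + rest
        return None

    def dfs1(s):                       # outer search; accepting states in post-order
        seen1.add(s)
        path.append(s)
        for t in succ(s):
            if t not in seen1:
                found = dfs1(t)
                if found is not None:
                    return found
        if is_acc(s):
            cyc = dfs2(s, s)
            if cyc is not None:
                return (list(path), cyc)
        path.pop()
        return None

    for s in inits:
        if s not in seen1:
            found = dfs1(s)
            if found is not None:
                return found
    return None

def model_check(system, init="idle"):
    """None if system ⊨ G(req → F grant); otherwise a counterexample
    (prefix, cycle) projected onto system states."""
    lasso = find_accepting_cycle([(init, BUCHI_INIT)],
                                 product_successors(system),
                                 lambda ps: ps[1] in BUCHI_ACC)
    if lasso is None:
        return None
    prefix, cycle = lasso
    return ([s for s, _ in prefix], [s for s, _ in cycle])

if __name__ == "__main__":
    print(model_check(S_OK))    # None: every request is granted
    print(model_check(S_BAD))   # (['idle', 'req', 'busy'], ['busy'])
```

The returned lasso is exactly the counterexample the talk promises: a finite prefix plus a cycle that, repeated forever, is an infinite computation of the system accepted by A_¬φ.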
The state-explosion problem
• Huge state spaces: n Boolean variables → 2^n configurations; parallelism; hierarchy, modularity; data in the model; software.
The main challenge in bringing formal methods to practice!
Coping with the state-explosion problem: symbolic methods, abstraction, compositionality.
Symbolic methods. Description of the hardware: O(number of variables); state space: exponential in the number of variables. Example in VERILOG, a hardware description language (HDL): input x1, x2; output y1, y2; init(y1)=true; init(y2)=false; next(y1)=(y1x1) y2; next(y2)=(y1 x2) (y2x1). Symbolic methods: work with the description rather than with the state space.
How to work with the description?
1. Use Binary Decision Diagrams (BDDs) to represent sets of states and transitions. A BDD is a compact way to represent a Boolean function.
• f_S: a BDD representing a set S of states (a formula over the variables X = x1, x2, …, xn). Example: S = {01______}, the states with x1=0 and x2=1, is represented by f_S = ¬x1 ∧ x2: a decision node for x1, a decision node for x2, and the terminals F and T.
• f_R: a BDD representing the transition relation (a formula over X and X′).
• pre(S): the set of predecessors of S (a formula over X). The BDD f_pre(S) can be obtained from f_S and f_R.
BDD-based calculation of the states satisfying EFp (reachability of a state satisfying p): p, then p ∪ pre(p), then p ∪ pre(p) ∪ pre(pre(p)), … until a fixed point is reached. All operations are done symbolically!
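The fixed-point computation above, run on explicit sets so the iterates are visible. This is an added example, not code from the talk: a symbolic model checker holds every set below as a BDD and computes pre() from f_R by Boolean operations instead of scanning edges, but the iteration is the same. It goes a little beyond the slide by also computing EG (a greatest fixed point) and deriving AG and AF by duality, which is enough to check the talk's "every request is eventually granted" as the CTL formula AG(req → AF grant). The arbiter models are constructed.

```python
def pre(R, Z):
    """Predecessors of Z: states with at least one successor in Z."""
    return {s for (s, t) in R if t in Z}

def ef_chain(R, P):
    """Iterates P, P ∪ pre(P), P ∪ pre(P) ∪ pre(pre(P)), … up to the fixed point."""
    chain = [set(P)]
    while True:
        Z = chain[-1] | pre(R, chain[-1])
        if Z == chain[-1]:
            return chain
        chain.append(Z)

def ef(R, P):                    # EF P: least fixed point Z = P ∪ pre(Z)
    return ef_chain(R, P)[-1]

def eg(R, P):                    # EG P: greatest fixed point Z = P ∩ pre(Z)
    Z = set(P)
    while True:
        Z2 = P & pre(R, Z)
        if Z2 == Z:
            return Z
        Z = Z2

def ag(states, R, P):            # AG P = ¬EF ¬P
    return states - ef(R, states - P)

def af(states, R, P):            # AF P = ¬EG ¬P
    return states - eg(R, states - P)

def every_request_granted(states, R, req, grant):
    """States satisfying AG(req → AF grant) = AG(¬req ∨ AF grant)."""
    return ag(states, R, (states - req) | af(states, R, grant))

# Constructed models: edges as (source, target) pairs, propositions as state sets.
REQ, GRANT = {"req"}, {"grant"}
STATES_OK = {"idle", "req", "grant"}
R_OK = {("idle", "req"), ("req", "grant"), ("grant", "idle")}
STATES_BAD = {"idle", "req", "busy", "grant"}
R_BAD = {("idle", "req"), ("req", "busy"), ("busy", "busy"),
         ("busy", "grant"), ("grant", "idle")}

if __name__ == "__main__":
    print([sorted(z) for z in ef_chain(R_BAD, GRANT)])   # EF grant, step by step
    print("idle" in every_request_granted(STATES_OK, R_OK, REQ, GRANT))    # True
    print("idle" in every_request_granted(STATES_BAD, R_BAD, REQ, GRANT))  # False
```

Note the asymmetry between the two fixed points: EF starts from the small set and grows, EG starts from all of P and shrinks; both terminate because the state space is finite, which is also why the symbolic version needs a canonical representation (BDDs) to detect that an iterate did not change.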
An example of an interesting problem: bad cycle detection. Input: a graph G given by a symbolic description of the edges, and a set T of states. Output: is there a path that visits T infinitely often? Enumerative algorithms: linear. Symbolic algorithms: quadratic, O(n log n), linear…
How to work with the description?
1. Use Binary Decision Diagrams to represent sets of states and transitions.
2. Reduce model checking to the satisfiability problem and use SAT solvers: the system has a bad behavior iff the propositional formula that describes the values of the variables along a bad behavior is satisfiable.
Related research:
• Symbolic algorithms.
• BDDs: variable ordering, extensions, fixed-point based logics (μ-calculus).
• SAT-based methods: bounding the length of bad behaviors, SAT solvers and their performance on formulas generated in bounded model checking, SMT (satisfiability modulo theories).
Abstraction. The program:
x := 0;
while x < 1000 do
  x := (x mod 800) + 2;
  if x = 353 then x := 1000 BOOM
Concretely the reachable values are x=0, x=2, x=4, …, x=798, x=800 (and then 2 again); is x=353, and with it BOOM, reachable?
Predicate abstraction: replace the concrete value of x by which of the predicates p1: x=0, p2: 0<x≤800, p3: 800<x<1000, p4: x≥1000 it satisfies; the number line is cut at 0, 800 and 1000 into the four regions p1, p2, p3, p4.
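Predicate abstraction of the program above, worked out in code. This is an added example, not code from the talk, and it reads the slide as follows: x starts at 0, each iteration sets x := (x mod 800) + 2, and BOOM is the error reached when x becomes 353 (after which x := 1000 leaves the loop). The predicates p1..p4 are the slide's; the bounded concrete domain used to compute the abstract transitions stands in for the theorem-prover queries a real tool would make, and the parity predicates used at the end to refine the abstraction are an assumption of this example.

```python
def concrete_step(x):
    """One iteration of the loop; returns (next x, boom)."""
    if x >= 1000:
        return x, False              # loop has exited: nothing more happens
    x = (x % 800) + 2
    if x == 353:
        return 1000, True            # BOOM
    return x, False

def concrete_reachable(x0=0):
    """Explicit-state exploration: reachable values of x and whether BOOM fires."""
    seen, todo, boom = set(), [x0], False
    while todo:
        x = todo.pop()
        if x in seen:
            continue
        seen.add(x)
        x2, b = concrete_step(x)
        boom = boom or b
        todo.append(x2)
    return seen, boom

def alpha(preds, x):
    """Abstraction function: the (first) predicate that holds for x."""
    return next((name for name, p in preds.items() if p(x)), None)

def abstract_transitions(preds, domain):
    """Existential abstraction: edge p_i -> p_j iff some x with p_i(x) steps to
    some x' with p_j(x'); p_i is an error state iff some x with p_i(x) can BOOM.
    `domain` bounds the concrete values examined (a real tool asks a prover)."""
    edges, error = set(), set()
    for x in domain:
        a = alpha(preds, x)
        if a is None:
            continue
        x2, b = concrete_step(x)
        a2 = alpha(preds, x2)
        if a2 is not None:
            edges.add((a, a2))
        if b:
            error.add(a)
    return edges, error

def abstract_reachable(preds, init="p1", domain=range(0, 1100)):
    """Reachable abstract states and whether an error state is among them.
    An over-approximation: 'no error' is sound, 'error' may be spurious."""
    edges, error = abstract_transitions(preds, domain)
    reach, todo = set(), [init]
    while todo:
        a = todo.pop()
        if a in reach:
            continue
        reach.add(a)
        todo.extend(b for (s, b) in edges if s == a)
    return reach, bool(reach & error)

PREDS = {                                  # the slide's predicates
    "p1": lambda x: x == 0,
    "p2": lambda x: 0 < x <= 800,
    "p3": lambda x: 800 < x < 1000,
    "p4": lambda x: x >= 1000,
}
PREDS_REFINED = {                          # p2 split by parity (assumption)
    "p1": lambda x: x == 0,
    "p2_even": lambda x: 0 < x <= 800 and x % 2 == 0,
    "p2_odd": lambda x: 0 < x <= 800 and x % 2 == 1,
    "p3": lambda x: 800 < x < 1000,
    "p4": lambda x: x >= 1000,
}

if __name__ == "__main__":
    seen, boom = concrete_reachable()
    print(len(seen), boom)                  # 401 False: x stays even, never 353
    print(abstract_reachable(PREDS))        # p2 is reachable and contains 353: spurious BOOM
    print(abstract_reachable(PREDS_REFINED))  # only p1, p2_even reachable: BOOM ruled out
```

The first abstraction reports BOOM because p2 lumps the even values the program actually visits together with 353; checking that abstract path against the concrete program shows it is spurious, and adding one predicate (parity) is enough to prove the error unreachable with five abstract states instead of 401 concrete ones.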