1 / 18

Model Checking

Model Checking. Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design Specify critical correctness properties Validate the model w/r to the specifications. Create a FSM. FSM languages

signa
Download Presentation

Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking

  2. Model Checking • Used in studying behaviors of reactive systems • Typically involves three steps: • Create a finite state model (FSM) of the system design • Specify critical correctness properties • Validate the model w/r to the specifications

  3. Create a FSM • FSM languages • focus on expressing concurrency, synchronization, and communication • abstract details of internal computations • must be precise and unambiguous (formally defined syntax and semantics) • We will use Promela for giving system descriptions

  4. Specify correctness properties • Safety properties: • Nothing “bad” ever happens • Formalized using state invariants • execution never reaches a “bad” state • Liveness properties: • Something “good” eventually happens • Formalized using temporal logic • special logic for describing sequences

  5. Validate the model • “Execute” the model to test it • simulate executions of the system • check satisfaction of safety properties along simulated executions • Exhaustive analysis • generate reachability graph to verify safety and liveness properties • Generate counterexamples to illustrate failures

  6. Home Heating System

  7. Example properties • Pump is never on unless Burner is also on • Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on

  8. Reachability Graph • Graph of global states that can be “reached” during execution • global state contains a state for each concurrent “process” • transitions show how an event or action transforms the global state • Analyze global state space to verify safety properties • Analyze paths through the RG to verify liveness properties

  9. Promela • The system description language of SPIN • Designed for modeling data communication protocols • System described as a collection of concurrent processes • Processes communicate and synchronize via message channels and global variables

  10. Promela • Specify macro definitions #define signal 0 • Declare symbolic constants mtype = { ON, OFF, LOW, OK } • Declare a synchronous message channel chan pump_in = [0] of { mtype }

  11. Promela • Create a process instance active proctype pump ( ) { statements } • Send a message pump_in!ON • Receive a message pump_in?ON

  12. Promela version of HHS

  13. Promela version of HHS

  14. Promela version of HHS

  15. SPIN simulation of HHS • SPIN automatically generates sequence diagrams to represent executions • random • guided • interactive • Automates tracing between system views • sequence diagram • Promela description • state diagram • textual execution traces

  16. Verification of a safety property • Pump is never on unless Burner is also on bool burner_is_on;

  17. Verification of a liveness property Whenever Sensor calls resp-temp(LOW), eventually Controller becomes all-on

  18. Verification of a liveness property

More Related