Model Checking

Doron A. Peled University of Warwick Coventry,

UK doron_at_dcs.warwick.ac.uk

Modelling and specification for verification and

validation

- How to specify what the software is supposed to

do? - How to model it in a way that allows us to check

it?

Sequential systems.

- Perform some computational task.
- Have some initial condition, e.g.,?0?i?n Ai

integer. - Have some final assertion, e.g., ?0?i?n-1

Ai?Ai1.(What is the problem with this

spec?) - Are supposed to terminate.

Concurrent Systems

- Involve several computation agents.
- Termination may indicate an abnormal event

(interrupt, strike). - May exploit diverse computational power.
- May involve remote components.
- May interact with users (Reactive).
- May involve hardware components (Embedded).

Problems in modeling systems

- Representing concurrency- Allow one transition

at a time, or- Allow coinciding transitions. - Granularity of transitions.
- Assignments and checks?
- Application of methods?
- Global (all the system) or local (one thread at a

time) states.

Modeling.The states based model.

- Vv0,v1,v2, - set of variables.
- p(v0, v1, , vn) - a parametrized assertion,

e.g., v0v1v2 /\ v3gtv4. - A state is an assignment of values to the program

variables. For example sltv01,v23,v37,,v182gt

- For predicate (first order assertion) p p (s )

is p under the assignment s.Example p is xgty

/\ ygtz. sltx4, y3, z5gt.Then we have 4gt3 /\

3gt5, which is false.

State space

- The state space of a program is the set of all

possible states for it. - For example, if Va, b, c and the variables are

over the naturals, then the state space includes

lta0,b0,c0gt,lta1,b0,c0gt,

lta1,b1,c0gt,lta932,b5609,c6658gt

Atomic Transitions

- Each atomic transition represents a small piece

of code such that no smaller piece of code is

observable. - Is aa1 atomic?
- In some systems, e.g., when a is a register and

the transition is executed using an inc command.

Non atomicity

- Execute the following when x0 in two concurrent

processes - P1aa1
- P2aa1
- Result a2.
- Is this always the case?

- Consider the actual translation
- P1load R1,a
- inc R1
- store R1,a
- P2load R2,a
- inc R2
- store R2,a
- a may be also 1.

Scenario

P2load R2,a inc R2 store

R2,a

- P1load R1,a
- inc R1
- store R1,a

a0 R10 R20 R11 R21 a1 a1

Representing transitions

- Each transition has two parts
- The enabling condition a predicate.
- The transformation a multiple assignment.
- For exampleagtb ? (c,d)(d,c)This transition

can be executed in states where agtb. The result

of executing it isswitching the value of c with

d.

Initial condition

- A predicate I.
- The program can start from states s such that I

(s ) holds. - For exampleI (s )agtb /\ bgtc.

A transition system

- A (finite) set of variables V over some domain.
- A set of states S.
- A (finite) set of transitions T, each transition

e?t has - an enabling condition e, and
- a transformation t.
- An initial condition I.

Example

- Va, b, c, d, e.
- S all assignments of natural numbers for

variables in V. - Tcgt0?(c,e)(c-1,e1),

dgt0?(d,e)(d-1,e1) - I ca /\ db /\ e0
- What does this transition system do?

The interleaving model

- An execution is a finite or infinite sequence of

states s0, s1, s2, - The initial state satisfies the initial

condition, I.e., I (s0). - Moving from one state si to si1 is by executing

a transition e?t - E (si ), I.e., si satisfies e.
- si1 is obtained by applying t to si.

Example

Tcgt0?(c,e)(c-1,e1),

dgt0?(d,e)(d-1,e1) I ca /\ db /\ e0

- s0lta2, b1, c2, d1, e0gt
- s1lta2, b1, c1, d1, e1gt
- s2lta2, b1, c1, d0, e2gt
- s3lta2, b1 ,c0, d0, e3gt

The transitions

- T0PC0L0?PC0NC0
- T1PC0NC0/\Turn0?
- PC0CR0
- T2PC0CR0?
- (PC0,Turn)(L0,1)
- T3PC1L1?PC1NC1
- T4PC1NC1/\Turn1?
- PC1CR1
- T5PC1CR1?
- (PC1,Turn)(L1,0)

- L0While True do
- NC0wait(Turn0)
- CR0Turn1
- endwhile
- L1While True do
- NC1wait(Turn1)
- CR1Turn0
- endwhile

Initially PC0L0/\PC1L1

The state graphSuccessor relation between states.

Some observations

- Executions the set of maximal paths (finite or

terminating in a node where nothing is enabled). - Nondeterministic choice when more than a single

transition is enabled at a given state. We have a

nondeterministic choice when at least one node at

the state graph has more than one successor.

Always (PC0CR0/\PC1CR1)(Mutual exclusion)

Always if Turn0 the at some point Turn1

Always if Turn0 the at some point Turn1

Interleaving semanticsExecute one transition at

a time.

Need to check the property for every possible

interleaving!

Interleaving semantics

Busy waiting

- T0PC0L0?PC0NC0
- T1PC0NC0/\Turn0?PC0CR0
- T1PC0NC0/\Turn1?PC0NC0
- T2PC0CR0?(PC0,Turn)(L0,1)
- T3PC1L1?PC1NC1
- T4PC1NC1/\Turn1?PC1CR1
- T4PC1NC1/\Turn0?PC1N1
- T5PC1CR1?(PC1,Turn)(L1,0)

- L0While True do
- NC0wait(Turn0)
- CR0Turn1
- endwhile
- L1While True do
- NC1wait(Turn1)
- CR1Turn0
- endwhile

Initially PC0L0/\PC1L1

Always when Turn0 then sometimes Turn1

Now it does not hold! (Red subgraph generates a

counterexample execution.)

How can we check the model?

- The model is a graph.
- The specification should refer the the graph

representation. - Apply graph theory algorithms.

What properties can we check?

- Invariants a property that need to hold in each

state. - Deadlock detection can we reach a state where

the program is blocked? - Dead code does the program have parts that are

never executed.

How to perform the checking?

- Apply a search strategy (Depth first search,

Breadth first search). - Check states/transitions during the search.
- If property does not hold, report counter example!

If it is so good, why learn deductive

verification methods?

- Model checking works only for finite state

systems. Would not work with - Unconstrained integers.
- Unbounded message queues.
- General data structures
- queues
- trees
- stacks
- parametric algorithms and systems.

The state space explosion

- Need to represent the state space of a program in

the computer memory. - Each state can be as big as the entire memory!
- Many states
- Each integer variable has 232 possibilities. Two

such variables have 264 possibilities. - In concurrent protocols, the number of states

usually grows exponentially with the number of

processes.

If it is so constrained, is it of any use?

- Many protocols are finite state.
- Many programs or procedure are finite state in

nature. Can use abstraction techniques. - Sometimes it is possible to decompose a program,

and prove part of it by model checking and part

by theorem proving. - Many techniques to reduce the state space

explosion.

Depth First Search

- Procedure dfs(s)
- for each s such that R(s,s) do
- If new(s) then dfs(s)
- end dfs.

- Program DFS
- For each s such that Init(s)
- dfs(s)
- end DFS

How can we check properties with DFS?

- Invariants check that all reachable

statessatisfy the invariant property. If not,

showa path from an initial state to a bad state. - Deadlocks check whether a state where noprocess

can continue is reached. - Dead code as you progress with the DFS, mark all

the transitions that are executed at least once.

(PC0CR0/\PC1CR1) is an invariant!

Want to do more!

- Want to check more properties.
- Want to have a unique algorithm to deal with all

kinds of properties. - This is done by writing specification in more

complicated formalisms. - We will see that in the next lecture.

(Turn0 --gt ltgtTurn1)

(No Transcript)

Turn0 L0,L1

Turn1 L0,L1

Turn1 L0,L1

Turn0 L0,L1

- Add an additional initial node.
- Propositions are attached to incoming nodes.
- All nodes are accepting.

Correctness condition

- We want to find a correctness condition for a

model to satisfy a specification. - Language of a model L(Model)
- Language of a specification L(Spec).
- We need L(Model) ? L(Spec).

Correctness

Sequences satisfying Spec

Program executions

All sequences

How to prove correctness?

- Show that L(Model) ? L(Spec).
- Equivalently ______Show that

L(Model) ? L(Spec) Ø. - Also can obtain L(Spec) by translating from LTL!

What do we need to know?

- How to intersect two automata?
- How to complement an automaton?
- How to translate from LTL to an automaton?

Specification Formalisms

Properties of formalisms

- Formal. Unique interpretation.
- Intuitive. Simple to understand (visual).
- Succinct. Spec. of reasonable size.
- Effective.
- Check that there are no contradictions.
- Check that the spec. is implementable.
- Check that the implementation satisfies spec.
- Expressive.
- May be used to generate initial code.
- Specifying the implementation or its properties?

A transition system

- A (finite) set of variables V.
- A set of states ?.
- A (finite) set of transitions T, each transition

egtt has - an enabling condition e and a transformation t.
- An initial condition I.
- Denote by R(s, s) the fact that s is a

successor of s.

The interleaving model

- An execution is a finite or infinite sequence of

states s0, s1, s2, - The initial state satisfies the initial

condition, I.e., I (s0). - Moving from one state si to si1 is by executing

a transition egtt - e(si), I.e., si satisfies e.
- si1 is obtained by applying t to si.
- Lets assume all sequences are infinite by

extending finite ones by stuttering the last

state.

Temporal logic

- Dynamic, speaks about several worlds and the

relation between them. - Our worlds are the states in an execution.
- There is a linear relation between them, each two

sequences in our execution are ordered. - Interpretation over an execution, later over all

executions.

LTL Syntax

- ? (?) ? ??/\ ? ????\/ ??????U???????????

??????????????????? O ? p - ????????box, always, forever
- ???????diamond, eventually, sometimes
- O ?????nexttime
- ??U??????until
- Propositions p, q, r, Each represents some

state property (xgty1, zt, at-CR, etc.)

Semantics over suffixes of execution

?

?

?

?

?

?

?

- ?????
- ????
- O ?
- ??U??

?

?

?

?

?

?

?

Combinations

- ltgtp p will happen infinitely often
- ltgtp p will happen from some point forever.
- (ltgtp) --gt (ltgtq) If p happens infinitely

often, then q also happens infinitely often.

Some relations

- (a/\b)(a)/\(b)
- But ltgt(a/\b)?(ltgta)/\(ltgtb)
- ltgt(a\/b)(ltgta)\/(ltgtb)
- But (a\/b)?(a)\/(b)

What about

- (ltgtA)/\(ltgtB)ltgt(A/\B)?
- (ltgtA)\/(ltgtB)ltgt(A\/B)?
- (ltgtA)/\(ltgtB)ltgt(A/\B)?
- (ltgtA)\/(ltgtB)ltgt(A\/B)?

No, just lt--

Yes!!!

Yes!!!

No, just --gt

Can discard some operators

- Instead of ltgtp, write true U p.
- Instead of p, we can write ltgtp,or (true U

p).Because pp.p means it is not true

that p holds forever, or at some point p holds

or ltgtp.

Formal semantic definition

- Let ? be a sequence s0 s1 s2
- Let ?i be a suffix of ? si si1 si2 (?0 ? )
- ?i p, where p a proposition, if sip.
- ?i ?/\? if ?i ? and ?i ?.
- ?i ?\/? if ?i ? or ?i ?.
- ?i ltgt? if for some j?i, ?j ?.
- ?i ? if for each j?i, ?j ?.
- ?i ?U ? if for some j?i, ?j?. and

for each i?kltj, ?k ?.

Then we interpret

- sp as in propositional logic.
- ?? is interpreted over a sequence, as in

previous slide. - P? holds if ?? for every sequence ? of P.

Spring Example

release

s1

s3

s2

pull

release

extended

extended

malfunction

r0 s1 s2 s1 s2 s1 s2 s1 r1 s1 s2 s3 s3 s3

s3 s3 r2 s1 s2 s1 s2 s3 s3 s3

LTL satisfaction by a single sequence

r2 s1 s2 s1 s2 s3 s3 s3

malfunction

- r2 extended ??
- r2 O extended ??
- r2 O O extended ??
- r2 ltgt extended ??
- r2 extended ??

r2 ltgt extended ?? r2 ltgt extended

?? r2 (extended) U malfunction ?? r2

(extended-gtO extended) ??

LTL satisfaction by a system

malfunction

- P extended ??
- P O extended ??
- P O O extended ??
- P ltgt extended ??
- P extended ??

P ltgt extended ?? P ltgt extended ?? P

(extended) U malfunction ?? P

(extended-gtO extended) ??

The state space

(PC0CR0/\PC1CR1)(Mutual exclusion)

(Turn0 --gt ltgtTurn1)

Interleaving semanticsExecute one transition at

a time.

Turn0 L0,L1

Turn0 L0,NC1

Turn1 L0,NC1

Turn0 NC0,NC1

Turn1 L0,CR1

Turn0 CR0,NC1

Need to check the property for every possible

interleaving!

More specifications

- (PC0NC0 ? ltgt PC0CR0)
- (PC0NC0 U Turn0)
- Try at home- The processes alternate in

entering their critical sections.- Each process

enters its critical section infinitely often.

Proof system

- ltgtplt--gtp
- (p?q)?(p?q)
- p?(p/\Op)
- Oplt--gtOp
- (p?Op)?(p?p)
- (pUq)lt--gt(q\/(p/\O(pUq)))
- (pUq)?ltgtq

- propositional logic axiomatization.
- axiom p p

Traffic light example

- Green --gt Yellow --gt Red --gt Green
- Always has exactly one light

((gr/\ye)/\(ye/\re)/\(re/\gr)/\(gr\/ye\/re))

Correct change of color

((grUye)\/(yeUre)\/(reUgr))

Another kind of traffic light

- Green--gtYellow--gtRed--gtYellow--gtGreen
- First attempt

(((gr\/re) U ye)\/(ye U (gr\/re)))

Correct specification

( (gr--gt(gr U (ye /\ ( ye U re ))))

/\(re--gt(re U (ye /\ ( ye U gr ))))

/\(ye--gt(ye U (gr \/ re))))

Properties of sequential programs

- init-when the program starts and satisfies the

initial condition. - finish-when the program terminates and nothing is

enabled. - Partial correctness init/\(finish??)
- Termination init/\ltgtfinish
- Total correctness init/\ltgt(finish/\ ?)
- Invariant init/\?

Automata over finite words

- Alt?, S, ?, I, Fgt
- ? (finite) the alphabet, S (finite) the states.
- ? S x ? x S is the transition relation
- I S are the starting states
- F S are the accepting states.

The transition relation

- (S0, a, S0)
- (S0, b, S1)
- (S1, a, S0)
- (S1, b, S1)

A run over a word

- A word over ?, e.g., abaab.
- A sequence of states, e.g. S0 S0 S1 S0 S0 S1.
- Starts with an initial state.
- Accepting if ends at accepting state.

The language of an automaton

- The words that are accepted by the automaton.
- Includes aabbba, abbbba.
- Does not include abab, abbb.
- What is the language?

Nondeterministic automaton

- Transitions (S0,a,S0), (S0,b,S0),

(S0,a,S1),(S1,a,S1). - What is the language of this automaton?

Equivalent deterministic automaton

a

a

S0

S1

b

b

Automata over infinite words

- Similar definition.
- Runs on infinite words over ?.
- Accepts when an accepting state occurs infinitely

often in a run.

Automata over infinite words

- Consider the word a b a b a b a b
- There is a run S0 S0 S1 S0 S1 S0 S1
- This run in accepting, since S0 appears

infinitely many times.

Other runs

- For the word b b b b b the run is S0 S1 S1 S1

S1 and is not accepting. - For the word a a a b b b b b , therun is S0

S0 S0 S0 S1 S1 S1 S1 - What is the run for a b a b b a b b b ?

Nondeterministic automaton

- What is the language of this automaton?
- What is the LTL specification if b -- PC0CR0,

ab?

- Can you find a deterministic automaton with same

language? - Can you prove there is no such deterministic

automaton?

Specification using Automata

- Let each letter correspond to some propositional

property. - Example a -- P0 enters critical section,

b -- P0 does not enter section. - ltgtPC0CR0

Mutual Exclusion

- A -- PC0CR0/\PC1CR1
- B -- (PC0CR0/\PC1CR1)
- C -- TRUE
- (PC0CR0/\PC1CR1)

- T0PC0L0gtPC0NC0
- T1PC0NC0/\Turn0gt
- PC0CR0
- T2PC0CR0gt
- (PC0,Turn)(L0,1)
- T3PC1L1gtPC1NC1
- T4PC1NC1/\Turn1gt
- PC1CR1
- T5PC1CR1gt
- (PC1,Turn)(L1,0)

- L0While True do
- NC0wait(Turn0)
- CR0Turn1
- endwhile
- L1While True do
- NC1wait(Turn1)
- CR1Turn0
- endwhile

Initially PC0L0/\PC1L1

The state space

(PC0CR0/\PC1CR1)

(Turn0 --gt ltgtTurn1)

Correctness condition

- We want to find a correctness condition for a

model to satisfy a specification. - Language of a model L(Model)
- Language of a specification L(Spec).
- We need L(Model) ? L(Spec).

Correctness

Sequences satisfying Spec

Program executions

All sequences

Incorrectness

Counter examples

Sequences satisfying Spec

Program executions

All sequences

Intersecting M1(S1,?,T1,I1,A1) and

M2(S2,?,T2,I2,S2)

- Run the two automata in parallel.
- Each state is a pair of states S1 x S2
- Initial states are pairs of initials I1 x I2
- Acceptance depends on first component A1 x S2
- Conforms with transition relation(x1,y1)-a-gt(x2,

y2) whenx1-a-gtx2 and y1-a-gty2.

Example (all states of second automaton

accepting!)

a

b,c

s0

s1

a

b,c

a

c

t0

t1

b

States (s0,t0), (s0,t1), (s1,t0),

(s1,t1). Accepting (s0,t0), (s0,t1). Initial

(s0,t0).

a

b,c

s0

s1

a

b,c

a

c

t0

t1

b

a

s0,t0

s0,t1

s1,t0

b

a

c

Also state (s0,t1) is unreachable but we will

keep it for thetime being!

s1,t1

b

c

More complicated when A2?S2

a

b,c

s0

s1

a

a

b,c

s0,t0

s0,t1

b

a

a

c

s1,t1

c

t0

t1

b

c

Should we have acceptance when both components

accepting? I.e., (s0,t1)? No, consider (ba)?

It should be accepted, but never passes that

state.

More complicated when A2?S2

a

b,c

s0

s1

a

A

b,c

s0,t0

s0,t1

b

a

a

c

s1,t1

c

t0

t1

c

b

Should we have acceptance when at least one

components is accepting? I.e., (s0,t0),(s0,t1),(s

1,t1)?No, consider b c? It should not be

accepted, but here will loop through (s1,t1)

Intersection - general caseAlso propositions on

nodes

q0

q2

A/\B

A/\B

q0 and q2 give false.

q3

q1

A

A\/B

Version 0 to catch q0Version 1 to catch q2

Version 0

A/\B q0,q3

A/\B q1,q3

A/\B q1,q2

Move when see accepting of left (q0)

Move when see accepting of right (q2)

A/\B q0,q3

A/\B q1,q3

A/\B q1,q2

Version 1

Make an accepting state in one of the version

according to a component accepting state

Version 0

A/\B q0,q3,0

A/\B q1,q3,0

A/\B q1,q2,0

A/\B q0,q3,1

A/\B q1,q3 ,1

A/\B q1,q2 ,1

Version 1

How to check for emptiness?

a

s0,t0

s0,t1

b

a

c

s1,t1

b

c

Emptiness...

- Need to check if there exists an accepting run

(passes through an accepting state infinitely

often).

Finding accepting runs

- If there is an accepting run, then at least one

accepting state repeats on it forever. This

state appears on a cycle. So, find a reachable

accepting state on a cycle.

Equivalently...

- A strongly connected component a set of nodes

where each node is reachable by a path from each

other node. Find a reachable strongly connected

component with an accepting node.

How to complement?

- Complementation is hard!
- Can ask for the negated property (the sequences

that should never occur). - Can translate from LTL formula ? to automaton A,

and complement A. Butcan translate ? into an

automaton directly!

Model Checking under Fairness

- Express the fairness as a property f.To prove a

property ? under fairness,model check f??.

Counter example

Fair (f)

Bad (?)

Program

Model Checking under Fairness

- Specialize model checking. For weak process

fairness search for a reachable strongly

connected component, where for each process P

either - it contains on occurrence of a transition from P,

or - it contains a state where P is disabled.

Dekkers algorithm

boolean c1 initially 1 boolean c2 initially

1 integer (1..2) turn initially 1

P2while true do begin non-critical

section 2 c20 while c10 do

begin if turn1 then

begin c21 wait

until turn2 c20

end end critical section 2

c21 turn1 end.

- P1while true do begin non-critical

section 1 c10 while c20 do

begin if turn2 then

begin c11 wait

until turn1 - c10 end

end critical section 1 c11

turn2 end.

Dekkers algorithm

boolean c1 initially 1 boolean c2 initially

1 integer (1..2) turn initially 1

P2while true do begin non-critical

section 2 c20 while c10 do

begin if turn1 then

begin c21 wait

until turn2 c20

end end critical section 2

c21 turn1 end.

- P1while true do begin non-critical

section 1 c10 while c20 do

begin if turn2 then

begin c11 wait

until turn1 - c10 end

end critical section 1 c11

turn2 end.

c1c20,turn1

Dekkers algorithm

boolean c1 initially 1 boolean c2 initially

1 integer (1..2) turn initially 1

P2while true do begin non-critical

section 2 c20 while c10 do

begin if turn1 then

begin c21 wait

until turn2 c20

end end critical section 2

c21 turn1 end.

- P1while true do begin non-critical

section 1 c10 while c20 do

begin if turn2 then

begin c11 wait

until turn1 - c10 end

end critical section 1 c11

turn2 end.

c1c20,turn1

Dekkers algorithm

P1 waits for P2 to set c2 to 1 again.Since

turn1 (priority for P1), P2 is ready to do that.

But never gets the chance, since P1 is constantly

active checking c2 in its while loop.

P2while true do begin non-critical

section 2 c20 while c10 do

begin if turn1 then

begin c21 wait

until turn2 c20

end end critical section 2

c21 turn1 end.

- P1while true do begin non-critical

section 1 c10 while c20 do

begin if turn2 then

begin c11 wait

until turn1 - c10 end

end critical section 1 c11

turn2 end.

c1c20,turn1

What went wrong?

- The execution is unfair to P2. It is not allowed

a chance to execute. - Such an execution is due to the interleaving

model (just picking an enabled transition. - If it did, it would continue and set c2 to 0,

which would allow P1 to progress. - Fairness excluding some of the executions in

the interleaving model, which do not correspond

to actual behavior of the system.

- while c10 do begin if

turn1 then begin

c21 wait until turn2 - c20 end

end

RecallThe interleaving model

- An execution is a finite or infinite sequence of

states s0, s1, s2, - The initial state satisfies the initial

condition, I.e., I (s0). - Moving from one state si to si1 is by executing

a transition e?t - e(si), I.e., si satisfies e.
- si1 is obtained by applying t to si.

Now consider only fair executions. Fairness

constrains sequences that are considered to be

executions.

Sequences

Fair executions

Executions

Some fairness definitions

- Weak transition fairnessIt cannot happen that a

transition is enabled indefinitely, but is never

executed. - Weak process fairness It cannot happen that a

process is enabled indefinitely, but non of its

transitions is ever executed - Strong transition fairnessIf a transition is

infinitely often enabled, it will get executed. - Strong process fairnessIf at least one

transition of a process is infinitely often

enabled, a transition of this process will be

executed.

How to use fairness constraints?

- Assume in the negative that some property (e.g.,

termination) does not hold, because of some

transitions or processes prevented from

execution. - Show that such executions are impossible, as they

contradict fairness assumption. - We sometimes do not know in reality which

fairness constraint is guaranteed.

Example

Initially x0 y0

- P1x1

- P2 do
- y0 ? if
- true x1 ? y1
- fi od

In order for the loop to terminate we need P1 to

execute the assignment. But P1 may never execute,

since P2 is in a loop executing true.

Consequently, x1 never holds, and y is never

assigned a 1.

pc1l0--gt(pc1,x)(l1,1) / x1

/ pc2r0/\y0--gtpc2r1 / y0/ pc2r1?pc2r0

/ true / pc2r1/\x1?(pc2,y)(r0,1)

/ x1 --gt y1 /

Weak transition fairness

Initially x0 y0

- P2 do
- y0 ? if
- true x1 ? y1
- fi od

- P1x1

Under weak transition fairness, P1 would assign 1

to x, but this does not guarantee that 1 is

assigned to y and thus the P2 loop will

terminates, since the transition for checking

x1 is not continuously enabled (program counter

not always there).

Weak process fairness only guarantees P2 to

execute, but it can still choose to do the true.

Strong process fairness same.

Strong transition fairness

Initially x0 y0

- P1x1

- P2 do
- y0 ? if
- true x1 ? y1
- fi od

Under strong transition fairness, P1 would assign

1 to x. If the execution was infinite, the

transition checking x1 was infinitely often

enabled. Hence it would be eventually selected.

Then assigning y1, the main loop is not enabled

anymore.

Some fairness definitions

- Weak transition fairness/\? ?T (ltgten? ?

ltgtexec?).Equivalently /\a?T ltgt(en?

/\exec?) - Weak process fairness /\Pi (ltgtenPi ?

ltgtexecPi ) - Strong transition fairness /\? ?T (ltgten? ?

ltgtexec? ) - Strong process fairness/\Pi (ltgtenPi ?

ltgtexecPi )

exec? ? is executed. execPi some transition

of Pi is executed. en? ? is enabled. enPi

some transition of process Pi is enabled. enPi

\/? ?T en? execPi \/? ?T exec?

Weaker fairness condition

- A is weaker than B if B?A.
- Consider the executions L(A) and L(B).Then L(B)

? L(A). - An execution is strong process,transition fair

implies that it is also weak process,transition

fair. - There are fewer strong process,transition fair

executions.

Strongtransitionfair execs

Weaktransitionfair execs

Strongprocessfair execs

Weakprocessfair execs

Model Checking under fairness

- Instead of verifying that the program satisfies

?, verify it satisfies fair ?? - Problem may be inefficient. Also fairness

formula may involves special arrangement for

specifying what exec means. - May specialize model checking algorithm instead.

Model Checking under Fairness

- Specialize model checking. For weak process

fairness search for a reachable strongly

connected component, where for each process P

either - it contains on occurrence of a transition from P,

or - it contains a state where P is disabled.
- Weak transition fairness similar.
- Strong fairness much more difficult algorithm.

Abstractions

Problems with software analysis

- Many possible outcomes and interactions.
- Not manageable by an algorithm (undecideable,

complex). - Requires a lot of practice and ingenuity (e.g.,

finding invariants).

More problems

- Testing methods fail to cover potential errors.
- Deductive verification techniques require
- too much time,
- mathematical expertise,
- ingenuity.
- Model checking requires a lot of time/space and

may introduce modeling errors.

How to alleviate the complexity?

- Abstraction
- Compositionality
- Partial Order Reduction
- Symmetry

Abstraction

- Represent the program using a smaller model.
- Pay attention to preserving the checked

properties. - Do not affect the flow of control.

Main idea

- Use smaller data objects.
- x f(m)
- yg(n)
- if xygt0 then
- else
- x, y never used again.

How to abstract?

- Assign values -1, 0, 1 to x and y.
- Based on the following connectionsgn(x) 1 if

xgt0, 0 if x0, and

-1 if xlt0.sgn(x)sgn(y)sgn(xy).

Abstraction mapping

- S - states, I - initial states. L(s) - labeling.
- R(S,S) - transition relation.
- h(s) maps s into its abstract image.Full model

--h--gt Abstract model I(s)

--gt I(h(s)) R(s,

t) --gt R(h(s),h(t))

L(h(s))L(s)

go

Traffic light example

stop

stop

go

go

stop

stop

stop

What do we preserve?

Every execution of the full model can be

simulated by an execution of the reduced

one. Every LTL property that holds in the reduced

model hold in the full one. But there can be

properties holding for the original model but not

the abstract one.

go

go

stop

stop

stop

Preserved (go-gtO stop)

go

Not preserved ltgtgo Counterexamples need to be

checked.

go

stop

stop

stop

Symmetry

- A permutation is a one-one and onto function

pA-gtA.For example, 1-gt3, 2-gt4, 3-gt1, 4-gt5,

5-gt2. - One can combine permutations, e.g.,p1 1-gt3,

2-gt1, 3-gt2p2 1-gt2, 2-gt1, 3-gt3p1_at_p2 1-gt3,

2-gt2, 3-gt1 - A set of permutations with _at_ is called a symmetry

group.

Using symmetry in analysis

- Want to find some symmetry group suchthat for

each permutation p in it,R(s,t) if and only if

R(p(s), p(t))and L(p(s))L(s). - Let K(s) be all the states that can be permuted

to s. This is a set of states such that each one

can be permuted to the other.

(No Transcript)

The quotient model

What is preserved in the following buffer

abstraction? What is not preserved?

e

empty

q

quasi

q

q

full

f

Translating from logic to automataComment the

language of LTL is a proper subset of the

language of Buchi Automata. For example,one

cannot express in LTL the following automaton

Wolper

a

a ,a

Why translating?

- Want to write the specification in some logic.
- Want model-checking tools to be able to check the

specification automatically.

Preprocessing

- Convert into normal form, where negation only

applies to propositional variables. - ? becomes ltgt?.
- ltgt? becomes ?.
- What about (? U ?)?
- Define operator V such that ( ? U ??) (?) R

(?), - ( ? R ??) (?) U (?).

Semantics of pR q(the Release operator, dual to

Until)

p

p

p

p

p

p

p

p

p

q

q

q

q

q

q

q

q

q

p

p

p

p

p

q

q

q

q

q

- Replace T by F, and F by T.
- Replace (? \/ ?) by (?) /\ (?) and

(? /\ ?) by (?) \/ (?)

Eliminate implications, ltgt,

- Replace ? -gt ? by ( ?) \/ ?.
- Replace ltgt? by (T U ?).
- Replace ? by (F R ?).

Example

- Translate ( ltgtP ) ? ( ltgtQ )
- Eliminate implication ( ltgtP ) \/ ( ltgtQ )
- Eliminate , ltgt( F R ( T U P ) ) \/ ( F R ( T

U Q ) ) - Push negation inwards(T U (F R P ) ) \/ ( F R

( T U Q ) )

The data structure

Name

The main idea

- ? U ? ? \/ ( ? /\ O ( ? U ? ) )
- ? R ? ? /\ ( ? \/ O ( ? R ? ) )
- This separates the formulas to two partsone

holds in the current state, and the other in the

next state.

How to translate?

- Take one formula from New and add it to Old.
- According to the formula, either
- Split the current node into two, or
- Evolve the node into a new version.

Splitting

Copy incoming edges, update other field.

Evolving

Copy incoming edges, update other field.

Possible cases

- ? U ? , split
- Add ? to New, add ? U ? to Next.
- Add ? to New.
- Because ? U ? ? \/ ( ? /\ O (? U ? )).
- ? R ? , split
- Add ???? to New.
- Add ? to New, ? R ? to Next.
- Because ? R ? ? /\ ( ? \/ O (? R ? )).

More cases

- ? \/ ?, split
- Add ? to New.
- Add ? to New.
- ? /\ ?, evolve
- Add ???? to New.
- O ?, evolve
- Add ? to Next.

How to start?

init

Incoming

New

Old

aU(bUc)

Next

init

Incoming

aU(bUc)

init

init

init

Incoming

aU(bUc)

bUc

init

init

Incoming

Incoming

aU(bUc)

aU(bUc)

c

b

(bUc)

When to stop splitting?

- When New is empty.
- Then compare against a list of existing nodes

Nodes - If such a with same Old, Next exists,just

add the incoming edges of the new versionto the

old one. - Otherwise, add the node to Nodes. Generate a

successor with New set to Next of father.

init

Incoming

a,aU(bUc)

Creating a successor node.

aU(bUc)

Incoming

aU(bUc)

How to obtain the automaton?

X

- There is an edge from node X to Y labeled with

propositions P (negated or non negated), if X is

in the incoming list of Y, and Y has propositions

P in field Old. - Initial nodes are those marked as init.

a, b, c

Node Y

The resulted nodes.

a, aU(bUc)

b, bUc, aU(bUc)

c, bUc, aU(bUc)

b, bUc

c, bUc

Initial nodes All nodes with incoming edge from

init.

Acceptance conditions

- Use generalized Buchi automata, wherethere are

several acceptance sets F1, F2, , Fn, and each

accepted infinite sequence must include at least

one state from each set infinitely often. - Each set corresponds to a subformula of form ?U

?. Guarantees that it is never the case that ?U ?

holds forever, without ?. - Translate to Buchi acceptance condition (will be

shown later).

Accepting w.r.t. bUc (green)

Acceptance w.r.t. aU(bUc)(blue)

Translating Multiple Buchi into Buchi automata

- For acceptance sets F1, F2, , Fn, generate n

copies of the automaton. - Move from the ith copy to the i1th copy when

passing a state of Fi. - In the first copy, the states of F1 are

accepting. - Same intuition as the unrestricted

intersectionNeed to see each accepting set

infinitely often, and it does not matter that we

miss some of them (there must be an infinite

supply anyway).

Conclusions

- Model checking automatic verification of finite

state systems. - Modeling affects how we can view and check the

systems properties. - Specification formalisms, e.g., LTL or Buchi

automata - Apply graph algorithms (or BDD, or BMD).
- Methods to alleviate state space explosion.
- Translate LTL into Buchi automata.

Algorithmic Testing and Black Box Checking

Why testing?

- Reduce design/programming errors.
- Can be done during development,

beforeproduction/marketing. - Practical, simple to do.
- Check the real thing, not a model.
- Scales up reasonably.
- Being state of the practice for decades.

Part 1 Testing of black box finite state machine

- Wants to know
- In what state we started?
- In what state we are?
- Transition relation
- Conformance
- Satisfaction of a temporal property

- Know
- Transition relation
- Size or bound on size

Finite automata (Mealy machines)

- S - finite set of states. (size n)
- S set of inputs. (size d)
- O set of outputs, for each transition.
- (s0 ? S - initial state).
- ? S ? S ? S - transition relation.
- ? ? S ? S ?O output on edge.

Why deterministic machines?

- Otherwise no amount of experiments would

guarantee anything. - If dependent on some parameter (e.g.,

temperature), we can determinize, by taking

parameter as additional input. - We still can model concurrent system. It means

just that the transitions are deterministic. - All kinds of equivalences are unified into

language equivalence. - Also connected machine (otherwise we may never

get to the completely separate parts).

Determinism

- When the black box is nondeterministic, we might

never test some choices.

Preliminaries separating sequences

b/1

s1

s2

a/0

b/1

b/0

a/0

s3

a/0

Start with one block containing all states s1,

s2, s3.

A separate to blocks of states with different

output.

b/1

s1

s2

a/0

b/1

b/0

a/0

s3

a/0

Two sets, separated using the string b s1, s3,

s2.

Repeat B Separate blocks based on moving to

different blocks.

b/1

s1

s2

a/0

b/1

b/0

a/0

s3

a/0

Separate first block using b to three singleton

blocks.Separating sequences b, bb.Max rounds

n-1, sequences n-1, length n-1.For each pair

of states there is a separating sequence.

Want to know the state of the machine (at end).

Homing sequence.

- Depending on output, would know in what state we

are. - Algorithm Put all the states in one block

(initially we do not know what is the state). - Then repeatedly partitions blocks of states, as

long as they are not singletons, as follows - Take a non singleton block, append a

distinguishing sequence ? that separates at least

two states. - Update all blocks to the states after executing

?. - Max length (n-1)2 (Lower bound

n(n-1)/2.)

Example (homing sequence)

s1, s2, s3

b

0

1

1

s1, s2 s3

b

1

1

0

s1 s2 s3

On input b and output 1, still dont know if was

in s1 or s3, i.e., if currently in s2 or s1.So

separate these cases with another b.

Synchronizing sequence

- One sequence takes the machine to the same final

state, regardless of the initial state or the

outputs. - Not every machine has a synchronizing sequence.
- Can be checked whether exists and can be found in

polynomial time.

State identification

- Want to know in which state the system has

started (was reset). - Can be a preset distinguishing sequence (fixed),

or a tree (adaptive). - May not exist (PSPACE complete to check if preset

exists, polynomial for adaptive). - Best known algorithm exponential length for

preset,polynomial for adaptive LY.

Sometimes cannot identify initial state

Start with ain case of being in s1 or s3 well

move to s1 and cannot distinguish.Start with

bIn case of being in s1 or s2 well move to s2

and cannot distinguish.

The kind of experiment we do affects what we can

distinguish. Much like the Heisenberg principle

in Physics.

Conformance testing

- Unknown deterministic finite state system B.
- Known n states and alphabet ?.
- An abstract model C of B. C satisfies all the

properties we want from B. C has m states. - Check conformance of B and C.
- Another version only a bound n on the number of

states l is known.

?

Check conformance with a given state machine

- Black box machine has no more states than

specification machine (errors are mistakes in

outputs, mistargeted edges). - Specification machine is reduced, connected,

deterministic. - Machine resets reliably to a single initial state

(or use homing sequence).

Conformance testing Ch,V

a/1

?

b/1

a/1

b/1

?

b/1

a/1

Cannot distinguish if reduced or not.

Conformance testing (cont.)

?

b

b

a

a

a

?

a

b

b

a

a

b

Need bound on number of states of B.

PreparationConstruct a spanning tree

How the algorithm works?

Reset or homing

- According to the spanning tree, force a sequence

of inputs to go to each state. - From each state, perform the distinguishing

sequences. - From each state, make a single transition, check

output, and use distinguishing sequences to check

that in correct target state.

Reset or homing

s1

b/1

a/1

s2

s3

Distinguishing sequences

Comments

- Checking the different distinguishing sequences

(m-1 of them) means each time resetting and

returning to the state under experiment. - A reset can be performed to a distinguished state

through a homing sequence. Then we can perform a

sequence that brings us to the distinguished

initial state. - Since there are no more than m states, and

according to the experiment, no less than m

states, there are m states exactly. - Isomorphism between the transition relation is

found, hence from minimality the two automata

recognize the same languages.

Combination lock automaton

- Assume accepting states.
- Accepts only words with a specific suffix (cdab

in the example).

b

d

c

a

s1

s2

s3

s4

s5

Any other input

When only a bound on size of black box is known

- Black box can pretend to behave as a

specification automaton for a long time, then

upon using the right combination, make a mistake.

Pretends to be S1

a/1

b/1

a/1

b/1

s1

s2

b/1

a/1

a/1

s3

Pretends to be S3

b/0

Conformance testing algorithm VC

- The worst that can happen is a combination lock

automaton that behaves differently only in the

last state. The length of it is the difference

between the size n of the black box and the

specification m. - Reach every state on the spanning tree and check

every word of length n-m1 or less. Check that

after the combination we are at the state we are

supposed to be, using the distinguishing

sequences. - No need to check transitions already included in

above check. - Complexity m2 n dn-m1 Probabilistic complexity

Polynomial.

Reset or homing

Reset or homing

s1

b/1

a/1

s2

s3

Words of length ?n-m1

Distinguishing sequences

Model Checking

- Finite state description of a system B.
- LTL formula ?. Translate ?? into an automaton P.
- Check whether L(B) ? L(P)?.
- If so, S satisfies ?. Otherwise, the intersection

includes a counterexample. - Repeat for different properties.

??

?

Buchi automata (w-automata)

- S - finite set of states. (B has l ? n states)
- S0 ? S - initial states. (P has m states)
- S - finite alphabet. (contains p letters)
- d ? S ? S ? S - transition relation.
- F ? S - accepting states.
- Accepting run passes a state in F infinitely

often.

System automata FS, deterministic, one initial

state. Property automaton not necessarily

deterministic.

Example check ?a

a

ltgt?a

?a

?a, a

Example check ltgt?a

?ltgt?a

Example check ? ltgta

?a, a

ltgt??a

?a

?a

Use automatic translation algorithms, e.g.,

Gerth,Peled,Vardi,Wolper 95

System

Every element in the product is a counter example

for the checked property.

a

a

?ltgt?a

s1

s2

q1

?a

c

b

a

?a

s3

q2

a

s1,q1

s2,q1

Acceptance isdetermined byautomaton P.

b

a

s1,q2

s3,q2

c

Model Checking / Testing

- Given Finite state system B.
- Transition relation of B known.
- Property represent by automaton P.
- Check if L(B) ? L(P)?.
- Graph theory or BDD techniques.
- Complexity polynomial.

- Unknown Finite state system B.
- Alphabet and number of states of B or upper bound

known. - Specification given as an abstract system C.
- Check if B ?C.
- Complexity polynomial if number states known.

Exponential otherwise.

Black box checking PVY

- Property represent by automaton P.
- Check if L(B) ? L(P)?.
- Graph theory techniques.

- Unknown Finite state system B.
- Alphabet and Upper bound on Number of states of B

known. - Complexity exponential.

??

?

Experiments

Simpler problem deadlock?

- Nondeterministic algorithmguess a path of

length ? n from the initial state to a deadlock

state.Linear time, logarithmic space. - Deterministic algorithmsystematically try paths

of length ?n, one after the other (and use

reset), until deadlock is reached.Exponential

time, linear space.

Deadlock complexity

- Nondeterministic algorithmLinear time,

logarithmic space. - Deterministic algorithmExponential (p n-1)

time, linear space. - Lower bound Exponential time (usecombination

lock automata). - How does this conform with what we know about

complexity theory?

Modeling black box checking

- Cannot model using Turing machines not all the

information about B is given. Only certain

experiments are allowed. - We learn the model as we make the experiments.
- Can use the model of games of incomplete

information.

Games of incomplete information

- Two players -player, ?-player (here,

deterministic). - Finitely many configurations C.

IncludingInitial Ci , Winning W and W- . - An equivalence relation _at_ on C (the -player

cannot distinguish between equivalent states). - Labels L on moves (try a, reset, success, fail).
- The -player has the moves labeled the same from

configurations that are equivalent. - Deterministic strategy for the -player will

lead to a configuration in W ? W-. Cannot

distinguish between equivalent configurations. - Nondeterministic strategy Can distinguish

between equivalent configurations..

Modeling BBC as games

- Each configuration contains an automaton and its

current state (and more). - Moves of the -player are labeled withtry a,

reset... Moves of the ?-player withsuccess,

fail. - c1 _at_ c2 when the automata in c1 and c2 would

respond in the same way to the experiments so far.

A naive strategy for BBC

- Learn first the structure of the black box.
- Then apply the intersection.
- Enumerate automata with ?n states (without

repeating isomorphic automata). - For a current automata and new automata,

construct a distinguishing sequence. Only one of

them survives. - Complexity O((n1)p (n1)/n!)

On-the-fly strategy

- Systematically (as in the deadlock case), find

two sequences v1 and v2 of length ltm n. - Applying v1 to P brings us to a state t that is

accepting. - Applying v2 to P brings us back to t.
- Apply v1 v2 n to B. If this succeeds,there is a

cycle in the intersection labeled with v2, with t

as the P (accepting) component. - Complexity O(n2p2mnm).

v1

v2

Learning an automaton

- Use Angluins algorithm for learning an

automaton. - The learning algorithm queries whether some

strings are in the automaton B. - It can also conjecture an automaton Mi and asks

for a counterexample. - It then generates an automaton with more states

Mi1 and so forth.

A strategy based on learning

- Start the learning algorithm.
- Queries are just experiments to B.
- For a conjectured automaton Mi , check if Mi ? P

? - If so, we check conformance of Mi with B (VC

algorithm). - If nonempty, it contains some v1 v2w . We test B

with v1 v2n. If this succeeds error, otherwise,

this is a counterexample for Mi .

Complexity

- l - actual size of B.
- n - an upper bound of size of B.
- d - size of alphabet.
- Lower bound reachability is similar to deadlock.
- O(l 3 d l l 2mn) if there is an error.
- O(l 3 d l l 2 n dn-l1 l 2mn) if there is no

error. - If n is not known, check while time allows.
- Probabilistic complexity polynomial.

Some experiments

- Basic system written in SML (by Alex Groce, CMU).
- Experiment with black box using Unix I/O.
- Allows model-free model checking of C code with

inter-process communication. - Compiling tested code in SML with BBC program as

one process.

Conclusions

- Black Box Checking automatic verification of

unspecified system. - A hard problem, exponential in number of states,

but polynomial on average. - Implemented, tested.
- Another use when the model is given, but is not

exact.

The rest is not part of this lecture

Part 2 Software testing

- Testing is not about showing that there are no

errors in the program. - Testing cannot show that the program performs its

intended goal correctly. - So, what is software testing?
- Testing is the process of executing the program

in order to find errors. - A successful test is one that finds an error.

Some software testing stages

- Unit testing the lowest level, testing some

procedures. - Integration testing different pieces of code.
- System testing testing a system as a whole.
- Acceptance testing performed by the customer.
- Regression testing performed after