Software Verification 2: Automated Verification
Prof. Dr. Holger Schlingloff, Institut für Informatik der Humboldt Universität
and Fraunhofer Institut für Rechnerarchitektur und Softwaretechnik
Slide 2 (H. Schlingloff, SS2012: SWV 2)
CTL model checking
• For each LTS/model there is exactly one computation tree; CTL model checking works directly on the model (no need to extract computation sequences)
• For all subformulas of a formula and all states of a given model, mark whether the state satisfies the subformula: iteration on formulas according to their inductive definition
  if p is an atomic proposition, then p^M = I(p)
  ⊥^M = {}
  (φ → ψ)^M = (M − φ^M) ∪ ψ^M
  (EXφ)^M = {w | ∃w' (wRw' ∧ w' ∈ φ^M)}
  (AXφ)^M = {w | ∀w' (wRw' → w' ∈ φ^M)}
5.7.2012
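The labelling algorithm of the slide above, as an added example in Python that is not part of the lecture material: explicit-state evaluation of the basis {atomic, ⊥, →, EX, AX} exactly as defined, with ¬, ∨ and ∧ as abbreviations, on a constructed four-state login-controller model (the state names, R and I are this example's own). check() reports which initial states violate a property, which is what a practitioner needs to inspect a failing state.

```python
# Added example (not from the slides): explicit-state CTL labelling for the basis
# {atomic, falsum, implication, EX, AX}; negation, or, and are derived abbreviations.

# Constructed model (hypothetical login controller): states, transition relation R,
# and interpretation I mapping each atomic proposition to the states where it holds.
STATES = frozenset({"start", "checking", "granted", "denied"})
R = {("start", "checking"), ("checking", "granted"), ("checking", "denied"),
     ("granted", "start"), ("denied", "start"), ("denied", "denied")}
I = {"authenticated": {"granted"}, "pending": {"checking"}}
MODEL = (STATES, R, I)

# Formula constructors: nested tuples are the abstract syntax.
FALSE = ("false",)
def atom(p): return ("atom", p)
def implies(f, g): return ("implies", f, g)
def EX(f): return ("EX", f)
def AX(f): return ("AX", f)
def neg(f): return implies(f, FALSE)            # not f      == f -> false
def or_(f, g): return implies(neg(f), g)        # f or g     == not f -> g
def and_(f, g): return neg(implies(f, neg(g)))  # f and g    == not (f -> not g)

def successors(w, states, R):
    return {w2 for w2 in states if (w, w2) in R}

def sat(formula, model=MODEL):
    """Return the set of states satisfying formula (phi^M), following the inductive definition."""
    states, R, I = model
    kind = formula[0]
    if kind == "atom":                       # p^M = I(p)
        return set(I.get(formula[1], set()))
    if kind == "false":                      # falsum^M = {}
        return set()
    if kind == "implies":                    # (f -> g)^M = (M - f^M) | g^M
        return (set(states) - sat(formula[1], model)) | sat(formula[2], model)
    if kind == "EX":                         # some successor satisfies f
        f = sat(formula[1], model)
        return {w for w in states if successors(w, states, R) & f}
    if kind == "AX":                         # every successor satisfies f
        f = sat(formula[1], model)
        return {w for w in states if successors(w, states, R) <= f}
    raise ValueError(f"unknown connective {kind!r}")

def check(formula, initial, model=MODEL):
    """Model check: does every initial state satisfy formula? Returns (verdict, failing states)."""
    failing = set(initial) - sat(formula, model)
    return not failing, failing
```

Each subformula is evaluated once per call and its satisfying set reused, so the cost is linear in the formula size times the cost of one set operation; the verdict for "no initial state is one step away from being authenticated" is `check(AX(neg(atom("authenticated"))), {"start"})`.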
Symbolic Representation
• Model checking algorithm deals with sets of states and with relations (sets of pairs of states)
• Need an efficient representation
• BDD of the set {x | x > 12 or even}: x1&x2 | !x4
Calculation of BDDs
The Influence of Variable Ordering
• Heuristics: keep dependent variables close together!
Operations on BDDs
• Negation: easy (exchange T and F)
• Falsum: trivial
• and, or: Shannon expansion
  (φ OP ψ) = x ∧ (φ{x:=T} OP ψ{x:=T}) ∨ ¬x ∧ (φ{x:=F} OP ψ{x:=F})
  (φ → ψ) = (x ∧ (φ{x:=T} → ψ{x:=T})) ∨ (¬x ∧ (φ{x:=F} → ψ{x:=F}))
• BDD realization?
12.4.2012
BDD-implies
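Added example (not the lecturer's code) covering the Symbolic Representation, Calculation of BDDs, Variable Ordering, Operations on BDDs and BDD-implies slides: a minimal reduced ordered BDD package in Python. apply() is the Shannon expansion above, negation exchanges the terminals, and an implication is checked for validity by testing whether its BDD is the terminal T. It reads the slide's x as the 4-bit number x1x2x3x4 with x1 the most significant bit (an assumption), and the ordering demonstration uses the function (a1&b1)|(a2&b2)|(a3&b3), which is this example's choice rather than the slide's; all names (BDD, mk, apply, bdd_of_set, ...) are this example's own.

```python
# Added example, not from the slides. Node 0 is the terminal F, node 1 the terminal T.
def AND(a, b): return a and b
def OR(a, b): return a or b
def IMPLIES(a, b): return (not a) or b
def XOR(a, b): return a != b

class BDD:
    F, T = 0, 1

    def __init__(self, order):
        self.order = list(order)                   # variable ordering, first = topmost
        self.rank = {v: i for i, v in enumerate(self.order)}
        self.table = [None, None]                  # node id -> (var, low, high)
        self.unique = {}                           # (var, low, high) -> node id
        self.cache = {}                            # (op, u, v) -> result of apply

    def mk(self, var, low, high):
        """Find or create a node; a node whose branches agree is redundant and dropped."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.table)
            self.table.append(key)
        return self.unique[key]

    def var(self, name):
        return self.mk(name, self.F, self.T)

    def top(self, u):
        """Rank of u's root variable; terminals rank below every variable."""
        return len(self.order) if u < 2 else self.rank[self.table[u][0]]

    def apply(self, op, u, v):
        """(u OP v) = x & (u{x:=T} OP v{x:=T}) | !x & (u{x:=F} OP v{x:=F}) for the topmost
        variable x of u and v; a node not testing x has itself as both cofactors."""
        if u < 2 and v < 2:
            return self.T if op(bool(u), bool(v)) else self.F
        key = (op, u, v)
        if key not in self.cache:
            r = min(self.top(u), self.top(v))
            u0, u1 = self.table[u][1:] if self.top(u) == r else (u, u)
            v0, v1 = self.table[v][1:] if self.top(v) == r else (v, v)
            self.cache[key] = self.mk(self.order[r], self.apply(op, u0, v0),
                                      self.apply(op, u1, v1))
        return self.cache[key]

    def neg(self, u):                  # negation = exchange the terminals T and F
        return self.apply(XOR, u, self.T)
    def and_(self, u, v): return self.apply(AND, u, v)
    def or_(self, u, v): return self.apply(OR, u, v)
    def implies(self, u, v): return self.apply(IMPLIES, u, v)

    def size(self, u):
        """Number of internal nodes reachable from u (the size of the BDD)."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n >= 2 and n not in seen:
                seen.add(n)
                stack.extend(self.table[n][1:])
        return len(seen)

def bdd_of_set(bdd, names, pred):
    """BDD of the set {x | pred(x)}, x an unsigned integer whose bits are names (MSB first)."""
    n, f = len(names), bdd.F
    for x in range(2 ** n):
        if pred(x):
            minterm = bdd.T                      # conjunction of literals for this x
            for i, name in enumerate(names):
                lit = bdd.var(name) if (x >> (n - 1 - i)) & 1 else bdd.neg(bdd.var(name))
                minterm = bdd.and_(minterm, lit)
            f = bdd.or_(f, minterm)
    return f

def slide_example():
    """The slide's set {x | x > 12 or even} for 4-bit x = x1x2x3x4 (x1 the MSB, assumed)."""
    bdd = BDD(["x1", "x2", "x3", "x4"])
    by_set = bdd_of_set(bdd, bdd.order, lambda x: x > 12 or x % 2 == 0)
    x1, x2, x4 = bdd.var("x1"), bdd.var("x2"), bdd.var("x4")
    by_formula = bdd.or_(bdd.and_(x1, x2), bdd.neg(x4))      # the slide's x1&x2 | !x4
    return {"same_node": by_set == by_formula,                # canonical: same set, same node
            "nodes": bdd.size(by_set),
            "even_implies_set": bdd.implies(bdd.neg(x4), by_set) == bdd.T}  # BDD-implies

def ordering_example():
    """Size of (a1&b1)|(a2&b2)|(a3&b3) under an interleaved vs. a separated ordering."""
    def build(order):
        bdd, f = BDD(order), 0
        for i in (1, 2, 3):
            f = bdd.or_(f, bdd.and_(bdd.var(f"a{i}"), bdd.var(f"b{i}")))
        return bdd.size(f)
    return build(["a1", "b1", "a2", "b2", "a3", "b3"]), build(["a1", "a2", "a3", "b1", "b2", "b3"])
```

Because every node goes through the unique table and redundant tests are dropped, the BDD is canonical for a fixed ordering: two boolean formulas denote the same set of states exactly when they yield the same node id, which is how a symbolic model checker compares state sets in constant time. The ordering example shows the heuristic from the previous slide in numbers: keeping each dependent pair a_i, b_i adjacent gives 6 nodes, separating them gives 14, and the gap grows exponentially with the number of pairs.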
Transitive Closure
• Each finite (transition) relation can be represented as a boolean formula / BDD
• The transitive closure of a relation R is defined recursively by
• Thus, the transitive closure can be calculated by an iteration on BDDs
• Logical operations (negation, and, or) can be directly performed on BDDs
Reachability
• State s is reachable iff s0 R* s, where s0 ∈ S0 is an initial state and R is the transition relation
• Reachability is one of the most important properties in verification: most safety properties can be reduced to it (in a search algorithm: is the goal reachable?)
• Can be arbitrarily hard for infinite state systems (undecidable)
• Can be efficiently calculated with BDDs
• Intuitively, x R* y iff there is a sequence w0 w1 ... wn of nodes connecting x with y
  In a finite model, this sequence must be shorter than the number of states.
  In practice, usually a few dozen steps are sufficient
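Added example (not from the slides) of both iterations described on the Transitive Closure and Reachability slides, in Python over explicit sets of pairs and states; a symbolic model checker runs the same fixpoint iteration with BDDs standing in for the sets. The eight-state session-controller model, its initial state and its "bad" state are constructed for this example; the closure is computed as the least fixpoint X = Id ∪ (X ; R), which is this example's formulation, and the reachability iteration records parents so that the connecting sequence w0 ... wn can be returned as a witness.

```python
# Added example (not from the slides): reachability and reflexive-transitive closure by
# fixpoint iteration on explicit sets. Model, state numbers and the bad state are constructed.
STATES = set(range(8))
R = {(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 4),   # region reachable from state 0
     (5, 7), (7, 6), (6, 5)}                           # a cycle through the "bad" state 7
INITIAL = {0}
BAD = 7

def post(r):
    """Successor map a -> {b | (a, b) in r}."""
    succ = {}
    for a, b in r:
        succ.setdefault(a, set()).add(b)
    return succ

def compose(r, s):
    """Relational composition r ; s = {(a, c) | (a, b) in r and (b, c) in s}."""
    succ = post(s)
    return {(a, c) for a, b in r for c in succ.get(b, ())}

def closure(states, r):
    """R* as the least fixpoint of X = Id | (X ; R); returns (R*, iterations until stable)."""
    x = {(s, s) for s in states}                 # R^0 = identity
    for i in range(1, len(states) + 2):          # a shortest path has fewer than |S| edges
        nxt = x | compose(x, r)
        if nxt == x:
            return x, i
        x = nxt
    raise AssertionError("unreachable: the iteration is bounded by the number of states")

def reachable(initial, r):
    """S_{i+1} = S_i | post(S_i) until stable; returns (reachable set, steps, parent map)."""
    succ = post(r)
    parent = {s: None for s in initial}
    frontier, steps = set(initial), 0
    while frontier:
        steps += 1                               # one image computation per step
        new = set()
        for a in frontier:
            for b in succ.get(a, ()):
                if b not in parent:              # first time b is seen: remember how
                    parent[b] = a
                    new.add(b)
        frontier = new
    return set(parent), steps, parent

def witness(parent, target):
    """Sequence w0 w1 ... wn from an initial state to target, or None if unreachable."""
    if target not in parent:
        return None
    path = [target]
    while parent[path[-1]] is not None:
        path.append(parent[path[-1]])
    return path[::-1]

def check_safety(initial=INITIAL, r=R, bad=BAD):
    """Safety as reachability: is the bad state reachable? Returns (safe, steps, witness)."""
    seen, steps, parent = reachable(initial, r)
    return bad not in seen, steps, witness(parent, bad)
```

The forward iteration stops as soon as no new state is found, which for this model takes 5 image computations although the model has 8 states; the closure iteration is the more expensive of the two, since it tracks every pair, and is only needed when the question is "x R* y" for arbitrary x rather than reachability from S0. When the bad state is reachable, the witness path is the counterexample a reviewer needs to decide whether the model or the design is at fault.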
Reflection
• What has been achieved: preliminary lecture plan
  - Introduction
  - Modelling of systems
  - Temporal logic
  - Model checking
  - Symbolic representation
  - Abstraction
  - Real time
• Where this is relevant
  - HW design (IEEE-1850 PSL)
  - Safety-critical SW design
  - Embedded systems design
Feedback