INF5140: Specification and Verification of Parallel Systems
Lecture 11 – The Great Debates
Gerardo Schneider
Department of Informatics, University of Oslo
INF5140, Spring 2011
Gerardo Schneider (Ifi, UiO) INF5140 - Lecture 11: Great Debates 12.05.2011 1 / 33
Outline
1 The Great Debates
  - Branching vs Linear Time
  - Symbolic vs Explicit Verification
  - Breadth-First Search vs Depth-First Search
  - Tarjan’s SCC Algorithms vs Spin’s Nested Depth-First Search
  - Events vs States
  - Real-time vs Timeless Verification
  - Probabilities vs Possibilities
  - Asynchronous vs Synchronous Systems
  - Interleaving Semantics vs True Concurrency
  - Open vs Closed Systems
  - Backward vs Forward Reachability
  - Compositional vs Non-compositional Verification
  - Deductive vs Algorithmic Verification
CTL vs LTL
- Two main types of temporal logic used in model checking
  - CTL (Computational Tree Logic): mainly used in hardware verification
  - LTL (Linear Temporal Logic): almost exclusively used for software verification
- Main debates concern
  - Relative expressiveness
  - Relative complexity
- Their expressiveness is incomparable
  - CTL can express reset properties (LTL cannot)
    - From every state there exists at least one execution that can make the system return to the initial state
  - LTL can express fairness (CTL cannot, although it can be embedded into the verification algorithms)
    - Every cyclic execution must (or may not) traverse specific types of states infinitely often
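The reset property above is the CTL formula AG EF init: from every reachable state there is some path back to init. The Python below is an added example, not part of the lecture, that evaluates it on a small constructed transition system by fixpoint computation: EF init is the least set containing init and closed under predecessors, and AG asks that every reachable state lies in that set. The state names and the two systems (one resettable, one with a sink state) are constructed for the example.

```python
# Added example (not from the lecture): checking the CTL reset property
# AG EF init on constructed transition systems by fixpoint computation.

from collections import deque

# Constructed system: every state can get back to "init".
RESETTABLE = {
    "init":  ["busy"],
    "busy":  ["done", "error"],
    "done":  ["init"],
    "error": ["init"],
}

# Same system, but "error" is a sink: once there, "init" is unreachable.
STUCK = {
    "init":  ["busy"],
    "busy":  ["done", "error"],
    "done":  ["init"],
    "error": ["error"],
}

def reachable(ts, start):
    """Forward reachability: every state reachable from `start`."""
    seen = {start}
    work = deque([start])
    while work:
        s = work.popleft()
        for t in ts[s]:
            if t not in seen:
                seen.add(t)
                work.append(t)
    return seen

def ef(ts, targets):
    """EF targets as a least fixpoint: start from `targets` and keep adding
    states that have a successor already in the set (backward closure)."""
    result = set(targets)
    changed = True
    while changed:
        changed = False
        for s, succs in ts.items():
            if s not in result and any(t in result for t in succs):
                result.add(s)
                changed = True
    return result

def ag_violations(ts, start, good):
    """AG good holds iff no reachable state is outside `good`;
    return the reachable states that violate it."""
    return reachable(ts, start) - good

def check_reset(ts, init="init"):
    """AG EF init: (holds, sorted list of reachable states that cannot reset)."""
    bad = ag_violations(ts, init, ef(ts, {init}))
    return (len(bad) == 0, sorted(bad))

if __name__ == "__main__":
    print("resettable:", check_reset(RESETTABLE))   # (True, [])
    print("stuck:     ", check_reset(STUCK))        # (False, ['error'])
```

The two fixpoints are exactly the nesting of the formula: the inner one (EF) runs backward from init, the outer one (AG) runs forward from init and checks containment. An LTL formula cannot state this, because it quantifies over all paths at once and cannot say "there exists a path" from within a path.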
CTL vs LTL: Complexity
- Worst-case complexity
  - CTL is linear in the size of the formula
  - LTL is exponential in the size of the formula
- In practice there is no big difference in performance!
  - A nice example is given in Holzmann’s book, p. 564
CTL vs LTL: Complexity
- The worst-case behavior of LTL converters is rare
- Practical LTL formulas usually have two or three temporal operators
- What affects complexity is not the number of potentially reachable states but the effectively reachable states
- LTL verification algorithms can more easily be implemented with on-the-fly strategies (no need to build the whole state space)
Symbolic Verification
- Symbolic verification algorithms (BDD-based methods) are very effective in hardware verification
  - Boolean data (bit-vectors) are common in hardware verification and are well represented using BDDs
- In general they perform poorly in software verification problems
- The performance depends critically on the variable ordering chosen for the BDDs
  - Choosing an optimal variable ordering is NP-complete
- The memory used by a BDD-based method is determined by the number of nodes in the BDD structure
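The dependence on variable ordering is easy to see on a small function. The Python below is an added example, not from the lecture, that builds a reduced ordered BDD by Shannon expansion with a unique table (so identical subgraphs are shared and nodes whose two branches coincide are dropped) and counts the internal nodes for f = x1·y1 + x2·y2 + x3·y3 under two orderings. The function, the orderings and the helper names are chosen for the example; the node count is what determines the memory a BDD-based checker uses.

```python
# Added example (not from the lecture): ROBDD size of f = x1y1 + x2y2 + x3y3
# under an interleaved and a separated variable ordering.

def build_robdd(func, order):
    """Shannon-expand `func` over the variables in `order`.
    Returns (root, nodes): terminals are 0 and 1, and `nodes` maps each
    internal node id to (var, low, high)."""
    unique = {}   # (var, low, high) -> node id: hash-consing gives canonicity
    nodes = {}

    def mk(var, low, high):
        if low == high:                 # both branches equal: test is redundant
            return low
        key = (var, low, high)
        if key not in unique:           # reuse an isomorphic subgraph if seen
            nid = len(nodes) + 2        # ids 0 and 1 are the terminals
            unique[key] = nid
            nodes[nid] = key
        return unique[key]

    def build(i, env):
        if i == len(order):
            return 1 if func(env) else 0
        var = order[i]
        low = build(i + 1, {**env, var: 0})
        high = build(i + 1, {**env, var: 1})
        return mk(var, low, high)

    return build(0, {}), nodes

def node_count(func, order):
    """Number of internal nodes of the ROBDD of `func` under `order`."""
    _, nodes = build_robdd(func, order)
    return len(nodes)

def pairwise_and_or(env):
    # f = (x1 & y1) | (x2 & y2) | (x3 & y3), the classic ordering example
    return any(env[f"x{i}"] and env[f"y{i}"] for i in (1, 2, 3))

INTERLEAVED = ["x1", "y1", "x2", "y2", "x3", "y3"]   # pairs kept together
SEPARATED   = ["x1", "x2", "x3", "y1", "y2", "y3"]   # all x before all y

if __name__ == "__main__":
    for name, order in (("interleaved", INTERLEAVED), ("separated", SEPARATED)):
        print(f"{name:11s} {order} -> {node_count(pairwise_and_or, order)} internal nodes")
```

With the pairs interleaved the diagram has 6 internal nodes (two per pair); with all x variables before all y variables it has 14, because after deciding x1..x3 the diagram must remember which of the eight subsets of y variables still matter. The gap grows exponentially with the number of pairs, which is why ordering heuristics matter so much in practice even though finding the optimum is NP-complete.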
Explicit Verification
- In software verification partial order reduction strategies perform very well
  - Complex and highly correlated data structures, common in software verification problems, are not easily exploited with BDDs
- Partial order reduction techniques apply well to asynchronous process execution
  - Synchronous, clocked operations are not well suited to partial order reduction
- Computing the optimal reduction is NP-complete
- The memory used by an explicit state method is determined by the number of states stored
- In terms of memory consumption (number of bytes used), there is no big difference between symbolic and explicit verification methods
Breadth-First Search vs Depth-First Search
- In explicit verification, is it better to use breadth-first (BFS) or depth-first (DFS) as the default search algorithm?
- Spin’s default algorithm is DFS
  - BFS is a user-defined option
- Main advantage of BFS: for safety properties, it finds the shortest counterexample
  - Usually DFS finds a longer path
- Main advantage of DFS: to get counterexamples it suffices to print out the content of the stack
  - With a BFS, more information needs to be stored
- For liveness properties or properties of infinite sequences, both algorithms may be used
  - Tarjan’s classic DFS algorithm and Spin’s nested DFS method are efficient variants of DFS
- In verification of hybrid and real-time systems BFS algorithms are more common
  - In specific applications (e.g. polygonal hybrid systems) DFS algorithms seem more natural
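The trade-off on this slide can be shown on a tiny reachability graph. The Python below is an added example, not from the lecture and not Spin's code, that searches a constructed graph for a safety violation (reaching a state marked bad) both ways: the DFS returns its own stack as the counterexample and stores nothing else, while the BFS keeps a predecessor entry for every stored state and, in return, reproduces the shortest violating path. The graph, state names and successor order are constructed so that DFS takes the long way round.

```python
# Added example (not from the lecture or Spin): DFS stack versus BFS shortest
# counterexample for a safety property on a constructed reachability graph.

from collections import deque

# Constructed graph. Successor order matters for DFS: from s0 the long path
# via s1..s3 is explored before the direct edge to the bad state.
GRAPH = {
    "s0":  ["s1", "bad"],
    "s1":  ["s2"],
    "s2":  ["s3"],
    "s3":  ["bad"],
    "bad": [],
}

def is_bad(state):
    """Safety property: the state named "bad" must never be reached."""
    return state == "bad"

def dfs_counterexample(graph, start):
    """Depth-first search. When a violation is found the counterexample is
    the current search stack, so no per-state trace information is kept."""
    visited = set()
    stack = [start]                 # path from start to the state being explored

    def visit(state):
        if is_bad(state):
            return list(stack)      # print the stack: that is the counterexample
        visited.add(state)
        for succ in graph[state]:
            if succ not in visited:
                stack.append(succ)
                found = visit(succ)
                if found:
                    return found
                stack.pop()
        return None

    return visit(start)

def bfs_counterexample(graph, start):
    """Breadth-first search. Finds the shortest violating path, but must store
    a predecessor for every state it has seen in order to rebuild the trace."""
    parent = {start: None}          # the extra information BFS has to store
    queue = deque([start])
    while queue:
        state = queue.popleft()
        if is_bad(state):
            path = []
            while state is not None:
                path.append(state)
                state = parent[state]
            return path[::-1]
        for succ in graph[state]:
            if succ not in parent:
                parent[succ] = state
                queue.append(succ)
    return None

if __name__ == "__main__":
    print("DFS:", dfs_counterexample(GRAPH, "s0"))   # s0 s1 s2 s3 bad
    print("BFS:", bfs_counterexample(GRAPH, "s0"))   # s0 bad
```

On this input DFS reports a five-state trace and BFS a two-state one; the price BFS pays is the `parent` map, one entry per stored state, where DFS only needs the stack it already has.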
Tarjan Search vs Nested Search
- The classical way to detect the presence of infinite accepting runs in a finite reachability graph is to use Tarjan’s DFS algorithm for constructing all the SCCs of the graph
  - In the worst case, Tarjan’s algorithm visits every reachable state twice
  - Advantage: it detects all accepting runs
- Spin’s nested DFS algorithm does not detect all accepting runs
  - The search is set up s.t. an accepting run corresponds to a counterexample of a correctness claim
  - The worst-case time complexity is the same as Tarjan’s algorithm, but the memory overhead is lower
- Tarjan’s algorithm makes the implementation of strong fairness constraints easy
  - Spin does not support strong fairness
Events vs States
- Existing model checking techniques usually represent finite-state machines as annotated graphs using formalisms which are:
  - State-based, or
  - Event-based
- Both frameworks are interchangeable
  - It is difficult, however, to express actions (events) which are data-dependent
  - Difficult to annotate the program and to specify correctness claims
- Spin is an explicit state model checker
  - The verifier builds a global state reachability graph
  - Correctness properties are also formalized as simple boolean properties of system states
Events vs States
- Some properties are difficult to establish in a state-based setting and others in an event-based one
- For example, for the correctness property:
  “Always within a finite amount of time after the transmission of a message, the message will be received at its destination”
  - If the message is sent to a buffered channel, the state changes as a result of the send and receive events
  - If send and receive are rendezvous handshakes, recording the execution in a way observable to Spin is a bit subtle
- The ideal is to have a combined approach without adding any verification penalty
  - See “State/Event-based Software Model Checking” by Chaki et al. (based on labeled Kripke structures)
Real-time vs Timeless Verification
- Real-time verification techniques need an explicit representation of time (discrete or continuous)
- Typical properties are response times and deadlines
- The computational complexity of real-time analysis is high (undecidable in many cases)
- Spin focuses only on functional and logical correctness:
  - No assumption about the relative speed of execution of asynchronous processes; time is abstracted away
  - Promela only has a rudimentary notion of timeout, which is not timed: it fires when no other statement in the system is executable, not after any amount of time
  - Spin is not meant to be used as a performance analysis tool
Probabilities vs Possibilities
- The standard model checking algorithm may be modified to include probability
- In most cases the inclusion of probabilities increases the verification complexity
- In some cases (e.g., there are examples in real-time verification), adding probability simplifies the analysis
- Promela/Spin has no probabilities and only deals with possible system behaviors
Asynchronous vs Synchronous Systems
- Most hardware model checkers have a synchronous view: all process actions are clock-driven, and every process takes a step at every clock tick
- Asynchronous behavior can be modeled in the synchronous setting
- Distributed systems are essentially asynchronous
- Spin is one of the few asynchronous model checkers
- Advantage of asynchronous model checkers: greater verification efficiency (only with respect to explicit-state verification methods, not compared with symbolic algorithms)
- Main disadvantage of asynchronous model checkers: it is difficult to model synchronous behavior
- That is why Spin is not well suited to hardware verification
Interleaving Semantics vs True Concurrency
- True concurrency semantics allows the simultaneous execution of actions, in addition to the interleaving of actions
- In distributed systems, two asynchronous processes may execute actions at the same time
- In terms of verification, true concurrency implies the addition of more transitions to the verification model
- Is true concurrency really needed?
  1 If the process actions access either distinct data objects or none at all: interleaving gives a correct interpretation, since the simultaneous execution of the actions is indistinguishable from any sequential interleaving of them
  2 If two processes access shared data: by representing the data objects at a suitable level of granularity it is always possible to describe the possible behavior accurately with interleaving semantics (an access that is not atomic on the real machine must be modeled as several steps, otherwise the model hides races the implementation has)
- Interleaving semantics is often preferred (as the simplest sufficient model)
Open vs Closed Systems
- Traditionally, model checking is based on two requirements on the model: finiteness and closedness
- To be closed, a system must include all the possible inputs and possible interactions with the environment
- Open systems are more difficult to analyze since in many cases the environment behavior is not known
- In practice open systems are verified by making worst-case assumptions about the environment, i.e., by closing the model with an environment process that nondeterministically produces every input the system could receive (in a security analysis this environment is the attacker model)
- This is compatible with the assume-guarantee style of reasoning
Backward vs Forward Reachability
- Many verification problems can be reduced to reachability analysis
- Reachability may be done using a forward or a backward analysis
- Forward: verification starts in the initial state and computes the set of successors in the reachability graph; it terminates when the intersection of the reachable states with the intended (bad) states is non-empty, or when no new states are found
- Backward: verification starts in a final state (or a state marked as bad) and computes the set of predecessors in the reachability graph; it terminates when the intersection of the computed states with the initial states is non-empty, or when no new predecessors are found. Backward search may visit states that are not reachable from the initial state at all
- In both cases heuristics may direct the search
- Which one to use depends on the particular application and the kind of properties
- E.g., in real-time verification backward reachability is widely used for safety properties (the timed automaton containing an error state)
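A worked example covering both the granularity point from "Interleaving Semantics vs True Concurrency" and the forward/backward search just described. This is an added example, not code from the lecture or from Spin: two processes each increment one shared counter under interleaving semantics, once as an atomic increment and once as a separate load and store, and the lost-update state is searched for forward from the initial state and backward from the bad states. The step functions, the global-state layout and the bounds of the candidate state space used by the backward search are assumptions made for this example.

```python
"""Interleaving at two granularities, explored forward and backward.

Added example, not code from the lecture or from Spin.  Two processes each
increment a shared counter x.  With an atomic increment, x == 2 holds at the
end of every interleaving; with a separate load and store, the lost update
(x == 1) is reachable.  The same bad-state predicate is then searched for by
forward reachability from the initial state and by backward reachability
from the bad states.
"""
from collections import deque
from itertools import product

# A process is a tuple of steps; a step maps (local, x) -> (local', x').
def inc(local, x):        # one atomic read-modify-write of the shared x
    return local, x + 1

def load(local, x):       # copy the shared x into the process-local register
    return x, x

def store(local, x):      # write local + 1 back; x may have changed meanwhile
    return local, local + 1

ATOMIC = (inc,)
SPLIT = (load, store)

def initial_state(progs, x0=0):
    """Global state = (program counters, local registers, shared x)."""
    return (tuple(0 for _ in progs), tuple(0 for _ in progs), x0)

def successors(state, progs):
    """Interleaving semantics: exactly one process takes exactly one step."""
    pcs, locs, x = state
    out = []
    for i, prog in enumerate(progs):
        if pcs[i] < len(prog):
            nloc, nx = prog[pcs[i]](locs[i], x)
            out.append((pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:],
                        locs[:i] + (nloc,) + locs[i + 1:], nx))
    return out

def lost_update(state, progs):
    """Bad state: every process finished but x is not the number of increments."""
    pcs, _, x = state
    return all(pc == len(p) for pc, p in zip(pcs, progs)) and x != len(progs)

def forward_reach(progs, bad):
    """BFS from the initial state.  Returns a counterexample path, or None
    when the search runs out of new states without meeting a bad one."""
    init = initial_state(progs)
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if bad(s, progs):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in successors(s, progs):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return None

def universe(progs):
    """Finite candidate state space used to invert the transition relation.
    Assumption specific to this model: locals and x never exceed len(progs)."""
    n = len(progs)
    for pcs in product(*[range(len(p) + 1) for p in progs]):
        for locs in product(range(n + 1), repeat=n):
            for x in range(n + 1):
                yield (pcs, locs, x)

def backward_reach(progs, bad):
    """BFS over predecessors from the bad states.  Returns (initial state
    reached?, visited states); the visited set can include states forward
    search never produces, since backward search does not know reachability."""
    pred = {}
    for s in universe(progs):
        for t in successors(s, progs):
            pred.setdefault(t, []).append(s)
    init = initial_state(progs)
    seen = {s for s in universe(progs) if bad(s, progs)}
    queue = deque(seen)
    while queue:
        t = queue.popleft()
        if t == init:
            return True, seen
        for s in pred.get(t, ()):
            if s not in seen:
                seen.add(s)
                queue.append(s)
    return False, seen

if __name__ == "__main__":
    for name, progs in (("atomic", (ATOMIC, ATOMIC)), ("load/store", (SPLIT, SPLIT))):
        path = forward_reach(progs, lost_update)
        hit, seen = backward_reach(progs, lost_update)
        print(name, "| forward:", "lost update" if path else "safe",
              "| backward reaches init:", hit, "| backward visited", len(seen))
        for pcs, locs, x in path or ():
            print("   pcs", pcs, "locals", locs, "x", x)
```

The atomic model is safe under both searches; the load/store model yields a four-step counterexample in which both processes load before either stores. The backward search needs the inverse of the transition relation, which here is obtained by enumerating a bounded candidate space; with the atomic model it visits 36 states, most of them never reachable from the initial state, which is why backward analysis is usually done symbolically (as in the timed-automata tools the lecture mentions) rather than by explicit enumeration.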
Compositional vs Non-compositional Verification
- In fact there is no big debate about this topic, since everybody wants a compositional verification method
- Compositionality is good for:
  - Increasing local reasoning
  - Minimizing the state-space search (using less memory)
  - Parallelizing (distributing) the verification algorithm without repeating computation
- If it is so good, why not write only compositional algorithms? Obtaining compositional algorithms is not easy in general:
  - Many approaches are non-compositional, or are restricted to certain kinds of subsystems and properties
  - In many cases the underlying system is not compositional by nature
  - Sometimes it is only possible to obtain partially compositional algorithms, which still need a global computation but over a reduced state space
Deductive vs Algorithmic Verification
- Verification can be done following a deductive approach (like Manna & Pnueli's formalism) or algorithmically (like Spin)
- Deductive verification:
  - Usually uses theorem provers or proof assistants
  - Difficult to automate
  - Application domain: any kind of system (finite-state and infinite-state)
  - Needs a lot of expertise to use
- Algorithmic verification:
  - Completely automatic in most cases; semi-automatic in some applications
  - Usually restricted to finite-state systems; automatic procedures for infinite-state systems have been developed using special techniques and/or suitable abstractions
  - A push-button procedure: almost everybody can use it
- Some attempts have been made to combine both approaches
Further Reading and Final Remarks
Except for the last three topics, the material was based on Appendix B of Holzmann's book "The Spin Model Checker"