Model Checking

1
Model Checking
Doron A. Peled University of Warwick Coventry,
UK doron_at_dcs.warwick.ac.uk
2
Modelling and specification for verification and
validation

• How to specify what the software is supposed to
  do?
• How to model it in a way that allows us to check
  it?

3
Sequential systems.

• Perform some computational task.
• Have some initial condition, e.g.,?0?i?n Ai
  integer.
• Have some final assertion, e.g., ?0?i?n-1
  Ai?Ai1.(What is the problem with this
  spec?)
• Are supposed to terminate.

4
Concurrent Systems

• Involve several computation agents.
• Termination may indicate an abnormal event
  (interrupt, strike).
• May exploit diverse computational power.
• May involve remote components.
• May interact with users (Reactive).
• May involve hardware components (Embedded).

5
Problems in modeling systems

• Representing concurrency- Allow one transition
  at a time, or- Allow coinciding transitions.
• Granularity of transitions.
• Assignments and checks?
• Application of methods?
• Global (all the system) or local (one thread at a
  time) states.

6
Modeling.The states based model.

• Vv0,v1,v2, - set of variables.
• p(v0, v1, , vn) - a parametrized assertion,
  e.g., v0v1v2 /\ v3v4.
• A state is an assignment of values to the program
  variables. For example s
  
• For predicate (first order assertion) p p (s )
  is p under the assignment s.Example p is xy
  /\ yz. s.Then we have 43 /\
  35, which is false.

7
State space

• The state space of a program is the set of all
  possible states for it.
• For example, if Va, b, c and the variables are
  over the naturals, then the state space includes
  ,,
  ,

8
Atomic Transitions

• Each atomic transition represents a small piece
  of code such that no smaller piece of code is
  observable.
• Is aa1 atomic?
• In some systems, e.g., when a is a register and
  the transition is executed using an inc command.

9
Non atomicity

• Execute the following when x0 in two concurrent
  processes
• P1aa1
• P2aa1
• Result a2.
• Is this always the case?

• Consider the actual translation
• P1load R1,a
• inc R1
• store R1,a
• P2load R2,a
• inc R2
• store R2,a
• a may be also 1.

10
Scenario
P2load R2,a inc R2 store
R2,a

• P1load R1,a
• inc R1
• store R1,a

a0 R10 R20 R11 R21 a1 a1
11
Representing transitions

• Each transition has two parts
• The enabling condition a predicate.
• The transformation a multiple assignment.
• For exampleab ? (c,d)(d,c)This transition
  can be executed in states where ab. The result
  of executing it isswitching the value of c with
  d.

12
Initial condition

• A predicate I.
• The program can start from states s such that I
  (s ) holds.
• For exampleI (s )ab /\ bc.

13
A transition system

• A (finite) set of variables V over some domain.
• A set of states S.
• A (finite) set of transitions T, each transition
  e?t has
• an enabling condition e, and
• a transformation t.
• An initial condition I.

14
Example

• Va, b, c, d, e.
• S all assignments of natural numbers for
  variables in V.
• Tc0?(c,e)(c-1,e1),
  d0?(d,e)(d-1,e1)
• I ca /\ db /\ e0
• What does this transition system do?

15
The interleaving model

• An execution is a finite or infinite sequence of
  states s0, s1, s2,
• The initial state satisfies the initial
  condition, I.e., I (s0).
• Moving from one state si to si1 is by executing
  a transition e?t
• E (si ), I.e., si satisfies e.
• si1 is obtained by applying t to si.

16
Example
Tc0?(c,e)(c-1,e1),
d0?(d,e)(d-1,e1) I ca /\ db /\ e0

• s0
• s1
• s2
• s3

17
The transitions

• T0PC0L0?PC0NC0
• T1PC0NC0/\Turn0?
• PC0CR0
• T2PC0CR0?
• (PC0,Turn)(L0,1)
• T3PC1L1?PC1NC1
• T4PC1NC1/\Turn1?
• PC1CR1
• T5PC1CR1?
• (PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
18
The state graphSuccessor relation between states.
19
Some observations

• Executions the set of maximal paths (finite or
  terminating in a node where nothing is enabled).
• Nondeterministic choice when more than a single
  transition is enabled at a given state. We have a
  nondeterministic choice when at least one node at
  the state graph has more than one successor.

20
Always (PC0CR0/\PC1CR1)(Mutual exclusion)
21
Always if Turn0 the at some point Turn1
22
Always if Turn0 the at some point Turn1
23
Interleaving semanticsExecute one transition at
a time.
Need to check the property for every possible
interleaving!
24
Interleaving semantics
25
Busy waiting

• T0PC0L0?PC0NC0
• T1PC0NC0/\Turn0?PC0CR0
• T1PC0NC0/\Turn1?PC0NC0
• T2PC0CR0?(PC0,Turn)(L0,1)
• T3PC1L1?PC1NC1
• T4PC1NC1/\Turn1?PC1CR1
• T4PC1NC1/\Turn0?PC1N1
• T5PC1CR1?(PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
26
Always when Turn0 then sometimes Turn1
Now it does not hold! (Red subgraph generates a
counterexample execution.)
27
How can we check the model?

• The model is a graph.
• The specification should refer the the graph
  representation.
• Apply graph theory algorithms.

28
What properties can we check?

• Invariants a property that need to hold in each
  state.
• Deadlock detection can we reach a state where
  the program is blocked?
• Dead code does the program have parts that are
  never executed.

29
How to perform the checking?

• Apply a search strategy (Depth first search,
  Breadth first search).
• Check states/transitions during the search.
• If property does not hold, report counter example!

30
If it is so good, why learn deductive
verification methods?

• Model checking works only for finite state
  systems. Would not work with
• Unconstrained integers.
• Unbounded message queues.
• General data structures
• queues
• trees
• stacks
• parametric algorithms and systems.

31
The state space explosion

• Need to represent the state space of a program in
  the computer memory.
• Each state can be as big as the entire memory!
• Many states
• Each integer variable has 232 possibilities. Two
  such variables have 264 possibilities.
• In concurrent protocols, the number of states
  usually grows exponentially with the number of
  processes.

32
If it is so constrained, is it of any use?

• Many protocols are finite state.
• Many programs or procedure are finite state in
  nature. Can use abstraction techniques.
• Sometimes it is possible to decompose a program,
  and prove part of it by model checking and part
  by theorem proving.
• Many techniques to reduce the state space
  explosion.

33
Depth First Search

• Procedure dfs(s)
• for each s such that R(s,s) do
• If new(s) then dfs(s)
• end dfs.

• Program DFS
• For each s such that Init(s)
• dfs(s)
• end DFS

34
How can we check properties with DFS?

• Invariants check that all reachable
  statessatisfy the invariant property. If not,
  showa path from an initial state to a bad state.
• Deadlocks check whether a state where noprocess
  can continue is reached.
• Dead code as you progress with the DFS, mark all
  the transitions that are executed at least once.

35
(PC0CR0/\PC1CR1) is an invariant!
36
Want to do more!

• Want to check more properties.
• Want to have a unique algorithm to deal with all
  kinds of properties.
• This is done by writing specification in more
  complicated formalisms.
• We will see that in the next lecture.

37
(Turn0 -- Turn1)
38
(No Transcript)
39
Turn0 L0,L1
Turn1 L0,L1
Turn1 L0,L1
Turn0 L0,L1

• Add an additional initial node.
• Propositions are attached to incoming nodes.
• All nodes are accepting.

40
Correctness condition

• We want to find a correctness condition for a
  model to satisfy a specification.
• Language of a model L(Model)
• Language of a specification L(Spec).
• We need L(Model) ? L(Spec).

41
Correctness
Sequences satisfying Spec
Program executions
All sequences
42
How to prove correctness?

• Show that L(Model) ? L(Spec).
• Equivalently ______Show that
  L(Model) ? L(Spec) Ø.
• Also can obtain L(Spec) by translating from LTL!

43
What do we need to know?

• How to intersect two automata?
• How to complement an automaton?
• How to translate from LTL to an automaton?

44
Specification Formalisms
45
Properties of formalisms

• Formal. Unique interpretation.
• Intuitive. Simple to understand (visual).
• Succinct. Spec. of reasonable size.
• Effective.
• Check that there are no contradictions.
• Check that the spec. is implementable.
• Check that the implementation satisfies spec.
• Expressive.
• May be used to generate initial code.
• Specifying the implementation or its properties?

46
A transition system

• A (finite) set of variables V.
• A set of states ?.
• A (finite) set of transitions T, each transition
  et has
• an enabling condition e and a transformation t.
• An initial condition I.
• Denote by R(s, s) the fact that s is a
  successor of s.

47
The interleaving model

• An execution is a finite or infinite sequence of
  states s0, s1, s2,
• The initial state satisfies the initial
  condition, I.e., I (s0).
• Moving from one state si to si1 is by executing
  a transition et
• e(si), I.e., si satisfies e.
• si1 is obtained by applying t to si.
• Lets assume all sequences are infinite by
  extending finite ones by stuttering the last
  state.

48
Temporal logic

• Dynamic, speaks about several worlds and the
  relation between them.
• Our worlds are the states in an execution.
• There is a linear relation between them, each two
  sequences in our execution are ordered.
• Interpretation over an execution, later over all
  executions.

49
LTL Syntax

• ? (?) ? ??/\ ? ????\/ ??????U???????????
  ??????????????????? O ? p
• ????????box, always, forever
• ???????diamond, eventually, sometimes
• O ?????nexttime
• ??U??????until
• Propositions p, q, r, Each represents some
  state property (xy1, zt, at-CR, etc.)

50
Semantics over suffixes of execution
?
?
?
?
?
?
?

• ?????
• ????
• O ?
• ??U??

?
?
?
?
?
?
?
51
Combinations

• p p will happen infinitely often
• p p will happen from some point forever.
• (p) -- (q) If p happens infinitely
  often, then q also happens infinitely often.

52
Some relations

• (a/\b)(a)/\(b)
• But (a/\b)?(a)/\(b)
• (a\/b)(a)\/(b)
• But (a\/b)?(a)\/(b)

53
What about

• (A)/\(B)(A/\B)?
• (A)\/(B)(A\/B)?
• (A)/\(B)(A/\B)?
• (A)\/(B)(A\/B)?

No, just
Yes!!!
Yes!!!
No, just --
54
Can discard some operators

• Instead of p, write true U p.
• Instead of p, we can write p,or (true U
  p).Because pp.p means it is not true
  that p holds forever, or at some point p holds
  or p.

55
Formal semantic definition

• Let ? be a sequence s0 s1 s2
• Let ?i be a suffix of ? si si1 si2 (?0 ? )
• ?i p, where p a proposition, if sip.
• ?i ?/\? if ?i ? and ?i ?.
• ?i ?\/? if ?i ? or ?i ?.
• ?i ? if for some j?i, ?j ?.
• ?i ? if for each j?i, ?j ?.
• ?i ?U ? if for some j?i, ?j?. and
  for each i?k

56
Then we interpret

• sp as in propositional logic.
• ?? is interpreted over a sequence, as in
  previous slide.
• P? holds if ?? for every sequence ? of P.

57
Spring Example
release
s1
s3
s2
pull
release
extended
extended
malfunction
r0 s1 s2 s1 s2 s1 s2 s1 r1 s1 s2 s3 s3 s3
s3 s3 r2 s1 s2 s1 s2 s3 s3 s3
58
LTL satisfaction by a single sequence
r2 s1 s2 s1 s2 s3 s3 s3
malfunction

• r2 extended ??
• r2 O extended ??
• r2 O O extended ??
• r2 extended ??
• r2 extended ??

r2 extended ?? r2 extended
?? r2 (extended) U malfunction ?? r2
(extended-O extended) ??
59
LTL satisfaction by a system
malfunction

• P extended ??
• P O extended ??
• P O O extended ??
• P extended ??
• P extended ??

P extended ?? P extended ?? P
(extended) U malfunction ?? P
(extended-O extended) ??
60
The state space
61
(PC0CR0/\PC1CR1)(Mutual exclusion)
62
(Turn0 -- Turn1)
63
Interleaving semanticsExecute one transition at
a time.
Turn0 L0,L1
Turn0 L0,NC1
Turn1 L0,NC1
Turn0 NC0,NC1
Turn1 L0,CR1
Turn0 CR0,NC1
Need to check the property for every possible
interleaving!
64
More specifications

• (PC0NC0 ? PC0CR0)
• (PC0NC0 U Turn0)
• Try at home- The processes alternate in
  entering their critical sections.- Each process
  enters its critical section infinitely often.

65
Proof system

• pp
• (p?q)?(p?q)
• p?(p/\Op)
• OpOp
• (p?Op)?(p?p)
• (pUq)(q\/(p/\O(pUq)))
• (pUq)?q

• propositional logic axiomatization.
• axiom p p

66
Traffic light example

• Green -- Yellow -- Red -- Green
• Always has exactly one light

((gr/\ye)/\(ye/\re)/\(re/\gr)/\(gr\/ye\/re))
Correct change of color
((grUye)\/(yeUre)\/(reUgr))
67
Another kind of traffic light

• Green--Yellow--Red--Yellow--Green
• First attempt

(((gr\/re) U ye)\/(ye U (gr\/re)))
Correct specification
( (gr--(gr U (ye /\ ( ye U re ))))
/\(re--(re U (ye /\ ( ye U gr ))))
/\(ye--(ye U (gr \/ re))))
68
Properties of sequential programs

• init-when the program starts and satisfies the
  initial condition.
• finish-when the program terminates and nothing is
  enabled.
• Partial correctness init/\(finish??)
• Termination init/\finish
• Total correctness init/\(finish/\ ?)
• Invariant init/\?

69
Automata over finite words

• A
• ? (finite) the alphabet, S (finite) the states.
• ? S x ? x S is the transition relation
• I S are the starting states
• F S are the accepting states.

70
The transition relation

• (S0, a, S0)
• (S0, b, S1)
• (S1, a, S0)
• (S1, b, S1)

71
A run over a word

• A word over ?, e.g., abaab.
• A sequence of states, e.g. S0 S0 S1 S0 S0 S1.
• Starts with an initial state.
• Accepting if ends at accepting state.

72
The language of an automaton

• The words that are accepted by the automaton.
• Includes aabbba, abbbba.
• Does not include abab, abbb.
• What is the language?

73
Nondeterministic automaton

• Transitions (S0,a,S0), (S0,b,S0),
  (S0,a,S1),(S1,a,S1).
• What is the language of this automaton?

74
Equivalent deterministic automaton
a
a
S0
S1
b
b
75
Automata over infinite words

• Similar definition.
• Runs on infinite words over ?.
• Accepts when an accepting state occurs infinitely
  often in a run.

76
Automata over infinite words

• Consider the word a b a b a b a b
• There is a run S0 S0 S1 S0 S1 S0 S1
• This run in accepting, since S0 appears
  infinitely many times.

77
Other runs

• For the word b b b b b the run is S0 S1 S1 S1
  S1 and is not accepting.
• For the word a a a b b b b b , therun is S0
  S0 S0 S0 S1 S1 S1 S1
• What is the run for a b a b b a b b b ?

78
Nondeterministic automaton

• What is the language of this automaton?
• What is the LTL specification if b -- PC0CR0,
  ab?

• Can you find a deterministic automaton with same
  language?
• Can you prove there is no such deterministic
  automaton?

79
Specification using Automata

• Let each letter correspond to some propositional
  property.
• Example a -- P0 enters critical section,
  b -- P0 does not enter section.
• PC0CR0

80
Mutual Exclusion

• A -- PC0CR0/\PC1CR1
• B -- (PC0CR0/\PC1CR1)
• C -- TRUE
• (PC0CR0/\PC1CR1)

81

• T0PC0L0PC0NC0
• T1PC0NC0/\Turn0
• PC0CR0
• T2PC0CR0
• (PC0,Turn)(L0,1)
• T3PC1L1PC1NC1
• T4PC1NC1/\Turn1
• PC1CR1
• T5PC1CR1
• (PC1,Turn)(L1,0)

• L0While True do
• NC0wait(Turn0)
• CR0Turn1
• endwhile
• L1While True do
• NC1wait(Turn1)
• CR1Turn0
• endwhile

Initially PC0L0/\PC1L1
82
The state space
83
(PC0CR0/\PC1CR1)
84
(Turn0 -- Turn1)
85
Correctness condition

• We want to find a correctness condition for a
  model to satisfy a specification.
• Language of a model L(Model)
• Language of a specification L(Spec).
• We need L(Model) ? L(Spec).

86
Correctness
Sequences satisfying Spec
Program executions
All sequences
87
Incorrectness
Counter examples
Sequences satisfying Spec
Program executions
All sequences
88
Intersecting M1(S1,?,T1,I1,A1) and
M2(S2,?,T2,I2,S2)

• Run the two automata in parallel.
• Each state is a pair of states S1 x S2
• Initial states are pairs of initials I1 x I2
• Acceptance depends on first component A1 x S2
• Conforms with transition relation(x1,y1)-a-(x2,
  y2) whenx1-a-x2 and y1-a-y2.

89
Example (all states of second automaton
accepting!)
a
b,c
s0
s1
a
b,c
a
c
t0
t1
b
States (s0,t0), (s0,t1), (s1,t0),
(s1,t1). Accepting (s0,t0), (s0,t1). Initial
(s0,t0).
90
a
b,c
s0
s1
a
b,c
a
c
t0
t1
b
a
s0,t0
s0,t1
s1,t0
b
a
c
Also state (s0,t1) is unreachable but we will
keep it for thetime being!
s1,t1
b
c
91
More complicated when A2?S2
a
b,c
s0
s1
a
a
b,c
s0,t0
s0,t1
b
a
a
c
s1,t1
c
t0
t1
b
c
Should we have acceptance when both components
accepting? I.e., (s0,t1)? No, consider (ba)?
It should be accepted, but never passes that
state.
92
More complicated when A2?S2
a
b,c
s0
s1
a
A
b,c
s0,t0
s0,t1
b
a
a
c
s1,t1
c
t0
t1
c
b
Should we have acceptance when at least one
components is accepting? I.e., (s0,t0),(s0,t1),(s
1,t1)?No, consider b c? It should not be
accepted, but here will loop through (s1,t1)
93
Intersection - general caseAlso propositions on
nodes
q0
q2
A/\B
A/\B
q0 and q2 give false.
q3
q1
A
A\/B
94
Version 0 to catch q0Version 1 to catch q2
Version 0
A/\B q0,q3
A/\B q1,q3
A/\B q1,q2
Move when see accepting of left (q0)
Move when see accepting of right (q2)
A/\B q0,q3
A/\B q1,q3
A/\B q1,q2
Version 1
95
Make an accepting state in one of the version
according to a component accepting state
Version 0
A/\B q0,q3,0
A/\B q1,q3,0
A/\B q1,q2,0
A/\B q0,q3,1
A/\B q1,q3 ,1
A/\B q1,q2 ,1
Version 1
96
How to check for emptiness?
a
s0,t0
s0,t1
b
a
c
s1,t1
b
c
97
Emptiness...

• Need to check if there exists an accepting run
  (passes through an accepting state infinitely
  often).

98
Finding accepting runs

• If there is an accepting run, then at least one
  accepting state repeats on it forever. This
  state appears on a cycle. So, find a reachable
  accepting state on a cycle.

99
Equivalently...

• A strongly connected component a set of nodes
  where each node is reachable by a path from each
  other node. Find a reachable strongly connected
  component with an accepting node.

100
How to complement?

• Complementation is hard!
• Can ask for the negated property (the sequences
  that should never occur).
• Can translate from LTL formula ? to automaton A,
  and complement A. Butcan translate ? into an
  automaton directly!

101
Model Checking under Fairness

• Express the fairness as a property f.To prove a
  property ? under fairness,model check f??.

Counter example
Fair (f)
Bad (?)
Program
102
Model Checking under Fairness

• Specialize model checking. For weak process
  fairness search for a reachable strongly
  connected component, where for each process P
  either
• it contains on occurrence of a transition from P,
  or
• it contains a state where P is disabled.

103
Dekkers algorithm
boolean c1 initially 1 boolean c2 initially
1 integer (1..2) turn initially 1
P2while true do begin non-critical
section 2 c20 while c10 do
begin if turn1 then
begin c21 wait
until turn2 c20
end end critical section 2
c21 turn1 end.

• P1while true do begin non-critical
  section 1 c10 while c20 do
  begin if turn2 then
  begin c11 wait
  until turn1
• c10 end
  end critical section 1 c11
  turn2 end.

104
Dekkers algorithm
boolean c1 initially 1 boolean c2 initially
1 integer (1..2) turn initially 1
P2while true do begin non-critical
section 2 c20 while c10 do
begin if turn1 then
begin c21 wait
until turn2 c20
end end critical section 2
c21 turn1 end.

• P1while true do begin non-critical
  section 1 c10 while c20 do
  begin if turn2 then
  begin c11 wait
  until turn1
• c10 end
  end critical section 1 c11
  turn2 end.

c1c20,turn1
105
Dekkers algorithm
boolean c1 initially 1 boolean c2 initially
1 integer (1..2) turn initially 1
P2while true do begin non-critical
section 2 c20 while c10 do
begin if turn1 then
begin c21 wait
until turn2 c20
end end critical section 2
c21 turn1 end.

• P1while true do begin non-critical
  section 1 c10 while c20 do
  begin if turn2 then
  begin c11 wait
  until turn1
• c10 end
  end critical section 1 c11
  turn2 end.

c1c20,turn1
106
Dekkers algorithm
P1 waits for P2 to set c2 to 1 again.Since
turn1 (priority for P1), P2 is ready to do that.
But never gets the chance, since P1 is constantly
active checking c2 in its while loop.
P2while true do begin non-critical
section 2 c20 while c10 do
begin if turn1 then
begin c21 wait
until turn2 c20
end end critical section 2
c21 turn1 end.

• P1while true do begin non-critical
  section 1 c10 while c20 do
  begin if turn2 then
  begin c11 wait
  until turn1
• c10 end
  end critical section 1 c11
  turn2 end.

c1c20,turn1
107
What went wrong?

• The execution is unfair to P2. It is not allowed
  a chance to execute.
• Such an execution is due to the interleaving
  model (just picking an enabled transition.
• If it did, it would continue and set c2 to 0,
  which would allow P1 to progress.
• Fairness excluding some of the executions in
  the interleaving model, which do not correspond
  to actual behavior of the system.

• while c10 do begin if
  turn1 then begin
  c21 wait until turn2
• c20 end
  end

108
RecallThe interleaving model

• An execution is a finite or infinite sequence of
  states s0, s1, s2,
• The initial state satisfies the initial
  condition, I.e., I (s0).
• Moving from one state si to si1 is by executing
  a transition e?t
• e(si), I.e., si satisfies e.
• si1 is obtained by applying t to si.

Now consider only fair executions. Fairness
constrains sequences that are considered to be
executions.
Sequences
Fair executions
Executions
109
Some fairness definitions

• Weak transition fairnessIt cannot happen that a
  transition is enabled indefinitely, but is never
  executed.
• Weak process fairness It cannot happen that a
  process is enabled indefinitely, but non of its
  transitions is ever executed
• Strong transition fairnessIf a transition is
  infinitely often enabled, it will get executed.
• Strong process fairnessIf at least one
  transition of a process is infinitely often
  enabled, a transition of this process will be
  executed.

110
How to use fairness constraints?

• Assume in the negative that some property (e.g.,
  termination) does not hold, because of some
  transitions or processes prevented from
  execution.
• Show that such executions are impossible, as they
  contradict fairness assumption.
• We sometimes do not know in reality which
  fairness constraint is guaranteed.

111
Example
Initially x0 y0

• P1x1

• P2 do
• y0 ? if
• true x1 ? y1
• fi od

In order for the loop to terminate we need P1 to
execute the assignment. But P1 may never execute,
since P2 is in a loop executing true.
Consequently, x1 never holds, and y is never
assigned a 1.
pc1l0--(pc1,x)(l1,1) / x1
/ pc2r0/\y0--pc2r1 / y0/ pc2r1?pc2r0
/ true / pc2r1/\x1?(pc2,y)(r0,1)
/ x1 -- y1 /
112
Weak transition fairness
Initially x0 y0

• P2 do
• y0 ? if
• true x1 ? y1
• fi od

• P1x1

Under weak transition fairness, P1 would assign 1
to x, but this does not guarantee that 1 is
assigned to y and thus the P2 loop will
terminates, since the transition for checking
x1 is not continuously enabled (program counter
not always there).
Weak process fairness only guarantees P2 to
execute, but it can still choose to do the true.
Strong process fairness same.
113
Strong transition fairness
Initially x0 y0

• P1x1

• P2 do
• y0 ? if
• true x1 ? y1
• fi od

Under strong transition fairness, P1 would assign
1 to x. If the execution was infinite, the
transition checking x1 was infinitely often
enabled. Hence it would be eventually selected.
Then assigning y1, the main loop is not enabled
anymore.
114
Some fairness definitions

• Weak transition fairness/\? ?T (en? ?
  exec?).Equivalently /\a?T (en?
  /\exec?)
• Weak process fairness /\Pi (enPi ?
  execPi )
• Strong transition fairness /\? ?T (en? ?
  exec? )
• Strong process fairness/\Pi (enPi ?
  execPi )

exec? ? is executed. execPi some transition
of Pi is executed. en? ? is enabled. enPi
some transition of process Pi is enabled. enPi
\/? ?T en? execPi \/? ?T exec?
115
Weaker fairness condition

• A is weaker than B if B?A.
• Consider the executions L(A) and L(B).Then L(B)
  ? L(A).
• An execution is strong process,transition fair
  implies that it is also weak process,transition
  fair.
• There are fewer strong process,transition fair
  executions.

Strongtransitionfair execs
Weaktransitionfair execs
Strongprocessfair execs
Weakprocessfair execs
116
Model Checking under fairness

• Instead of verifying that the program satisfies
  ?, verify it satisfies fair ??
• Problem may be inefficient. Also fairness
  formula may involves special arrangement for
  specifying what exec means.
• May specialize model checking algorithm instead.

117
Model Checking under Fairness

• Specialize model checking. For weak process
  fairness search for a reachable strongly
  connected component, where for each process P
  either
• it contains on occurrence of a transition from P,
  or
• it contains a state where P is disabled.
• Weak transition fairness similar.
• Strong fairness much more difficult algorithm.

118
Abstractions
119
Problems with software analysis

• Many possible outcomes and interactions.
• Not manageable by an algorithm (undecideable,
  complex).
• Requires a lot of practice and ingenuity (e.g.,
  finding invariants).

120
More problems

• Testing methods fail to cover potential errors.
• Deductive verification techniques require
• too much time,
• mathematical expertise,
• ingenuity.
• Model checking requires a lot of time/space and
  may introduce modeling errors.

121
How to alleviate the complexity?

• Abstraction
• Compositionality
• Partial Order Reduction
• Symmetry

122
Abstraction

• Represent the program using a smaller model.
• Pay attention to preserving the checked
  properties.
• Do not affect the flow of control.

123
Main idea

• Use smaller data objects.
• x f(m)
• yg(n)
• if xy0 then
• else
• x, y never used again.

124
How to abstract?

• Assign values -1, 0, 1 to x and y.
• Based on the following connectionsgn(x) 1 if
  x0, 0 if x0, and
  -1 if x

125
Abstraction mapping

• S - states, I - initial states. L(s) - labeling.
• R(S,S) - transition relation.
• h(s) maps s into its abstract image.Full model
  --h-- Abstract model I(s)
  -- I(h(s)) R(s,
  t) -- R(h(s),h(t))
  L(h(s))L(s)

126
go
Traffic light example
stop
stop
127
go
go
stop
stop
stop
128
What do we preserve?
Every execution of the full model can be
simulated by an execution of the reduced
one. Every LTL property that holds in the reduced
model hold in the full one. But there can be
properties holding for the original model but not
the abstract one.
go
go
stop
stop
stop
129
Preserved (go-O stop)
go
Not preserved go Counterexamples need to be
checked.
go
stop
stop
stop
130
Symmetry

• A permutation is a one-one and onto function
  pA-A.For example, 1-3, 2-4, 3-1, 4-5,
  5-2.
• One can combine permutations, e.g.,p1 1-3,
  2-1, 3-2p2 1-2, 2-1, 3-3p1_at_p2 1-3,
  2-2, 3-1
• A set of permutations with _at_ is called a symmetry
  group.

131
Using symmetry in analysis

• Want to find some symmetry group suchthat for
  each permutation p in it,R(s,t) if and only if
  R(p(s), p(t))and L(p(s))L(s).
• Let K(s) be all the states that can be permuted
  to s. This is a set of states such that each one
  can be permuted to the other.

132
(No Transcript)
133
The quotient model
134
What is preserved in the following buffer
abstraction? What is not preserved?
e
empty
q
quasi
q
q
full
f
135
Translating from logic to automataComment the
language of LTL is a proper subset of the
language of Buchi Automata. For example,one
cannot express in LTL the following automaton
Wolper
a
a ,a
136
Why translating?

• Want to write the specification in some logic.
• Want model-checking tools to be able to check the
  specification automatically.

137
Preprocessing

• Convert into normal form, where negation only
  applies to propositional variables.
• ? becomes ?.
• ? becomes ?.
• What about (? U ?)?
• Define operator V such that ( ? U ??) (?) R
  (?),
• ( ? R ??) (?) U (?).

138
Semantics of pR q(the Release operator, dual to
Until)
p
p
p
p
p
p
p
p
p
q
q
q
q
q
q
q
q
q
p
p
p
p
p
q
q
q
q
q
139

• Replace T by F, and F by T.
• Replace (? \/ ?) by (?) /\ (?) and
  (? /\ ?) by (?) \/ (?)

140
Eliminate implications, ,

• Replace ? - ? by ( ?) \/ ?.
• Replace ? by (T U ?).
• Replace ? by (F R ?).

141
Example

• Translate ( P ) ? ( Q )
• Eliminate implication ( P ) \/ ( Q )
• Eliminate , ( F R ( T U P ) ) \/ ( F R ( T
  U Q ) )
• Push negation inwards(T U (F R P ) ) \/ ( F R
  ( T U Q ) )

142
The data structure
Name
143
The main idea

• ? U ? ? \/ ( ? /\ O ( ? U ? ) )
• ? R ? ? /\ ( ? \/ O ( ? R ? ) )
• This separates the formulas to two partsone
  holds in the current state, and the other in the
  next state.

144
How to translate?

• Take one formula from New and add it to Old.
• According to the formula, either
• Split the current node into two, or
• Evolve the node into a new version.

145
Splitting
Copy incoming edges, update other field.
146
Evolving
Copy incoming edges, update other field.
147
Possible cases

• ? U ? , split
• Add ? to New, add ? U ? to Next.
• Add ? to New.
• Because ? U ? ? \/ ( ? /\ O (? U ? )).
• ? R ? , split
• Add ???? to New.
• Add ? to New, ? R ? to Next.
• Because ? R ? ? /\ ( ? \/ O (? R ? )).

148
More cases

• ? \/ ?, split
• Add ? to New.
• Add ? to New.
• ? /\ ?, evolve
• Add ???? to New.
• O ?, evolve
• Add ? to Next.

149
How to start?
init
Incoming
New
Old
aU(bUc)
Next
150
init
Incoming
aU(bUc)
init
init
151
init
Incoming
aU(bUc)
bUc
init
init
Incoming
Incoming
aU(bUc)
aU(bUc)
c
b
(bUc)
152
When to stop splitting?

• When New is empty.
• Then compare against a list of existing nodes
  Nodes
• If such a with same Old, Next exists,just
  add the incoming edges of the new versionto the
  old one.
• Otherwise, add the node to Nodes. Generate a
  successor with New set to Next of father.

153
init
Incoming
a,aU(bUc)
Creating a successor node.
aU(bUc)
Incoming
aU(bUc)
154
How to obtain the automaton?
X

• There is an edge from node X to Y labeled with
  propositions P (negated or non negated), if X is
  in the incoming list of Y, and Y has propositions
  P in field Old.
• Initial nodes are those marked as init.

a, b, c
Node Y
155
The resulted nodes.
156

a, aU(bUc)
b, bUc, aU(bUc)
c, bUc, aU(bUc)
b, bUc
c, bUc
Initial nodes All nodes with incoming edge from
init.
157
Acceptance conditions

• Use generalized Buchi automata, wherethere are
  several acceptance sets F1, F2, , Fn, and each
  accepted infinite sequence must include at least
  one state from each set infinitely often.
• Each set corresponds to a subformula of form ?U
  ?. Guarantees that it is never the case that ?U ?
  holds forever, without ?.
• Translate to Buchi acceptance condition (will be
  shown later).

158
Accepting w.r.t. bUc (green)
159
Acceptance w.r.t. aU(bUc)(blue)
160
Translating Multiple Buchi into Buchi automata

• For acceptance sets F1, F2, , Fn, generate n
  copies of the automaton.
• Move from the ith copy to the i1th copy when
  passing a state of Fi.
• In the first copy, the states of F1 are
  accepting.
• Same intuition as the unrestricted
  intersectionNeed to see each accepting set
  infinitely often, and it does not matter that we
  miss some of them (there must be an infinite
  supply anyway).

161
Conclusions

• Model checking automatic verification of finite
  state systems.
• Modeling affects how we can view and check the
  systems properties.
• Specification formalisms, e.g., LTL or Buchi
  automata
• Apply graph algorithms (or BDD, or BMD).
• Methods to alleviate state space explosion.
• Translate LTL into Buchi automata.

162
Algorithmic Testing and Black Box Checking
163
Why testing?

• Reduce design/programming errors.
• Can be done during development,
  beforeproduction/marketing.
• Practical, simple to do.
• Check the real thing, not a model.
• Scales up reasonably.
• Being state of the practice for decades.

164
Part 1 Testing of black box finite state machine

• Wants to know
• In what state we started?
• In what state we are?
• Transition relation
• Conformance
• Satisfaction of a temporal property

• Know
• Transition relation
• Size or bound on size

165
Finite automata (Mealy machines)

• S - finite set of states. (size n)
• S set of inputs. (size d)
• O set of outputs, for each transition.
• (s0 ? S - initial state).
• ? S ? S ? S - transition relation.
• ? ? S ? S ?O output on edge.

166
Why deterministic machines?

• Otherwise no amount of experiments would
  guarantee anything.
• If dependent on some parameter (e.g.,
  temperature), we can determinize, by taking
  parameter as additional input.
• We still can model concurrent system. It means
  just that the transitions are deterministic.
• All kinds of equivalences are unified into
  language equivalence.
• Also connected machine (otherwise we may never
  get to the completely separate parts).

167
Determinism

• When the black box is nondeterministic, we might
  never test some choices.

168
Preliminaries separating sequences
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Start with one block containing all states s1,
s2, s3.
169
A separate to blocks of states with different
output.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Two sets, separated using the string b s1, s3,
s2.
170
Repeat B Separate blocks based on moving to
different blocks.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Separate first block using b to three singleton
blocks.Separating sequences b, bb.Max rounds
n-1, sequences n-1, length n-1.For each pair
of states there is a separating sequence.
171
Want to know the state of the machine (at end).
Homing sequence.

• Depending on output, would know in what state we
  are.
• Algorithm Put all the states in one block
  (initially we do not know what is the state).
• Then repeatedly partitions blocks of states, as
  long as they are not singletons, as follows
• Take a non singleton block, append a
  distinguishing sequence ? that separates at least
  two states.
• Update all blocks to the states after executing
  ?.
• Max length (n-1)2 (Lower bound
  n(n-1)/2.)

172
Example (homing sequence)
s1, s2, s3
b
0
1
1
s1, s2 s3
b
1
1
0
s1 s2 s3
On input b and output 1, still dont know if was
in s1 or s3, i.e., if currently in s2 or s1.So
separate these cases with another b.
173
Synchronizing sequence

• One sequence takes the machine to the same final
  state, regardless of the initial state or the
  outputs.
• Not every machine has a synchronizing sequence.
• Can be checked whether exists and can be found in
  polynomial time.

174
State identification

• Want to know in which state the system has
  started (was reset).
• Can be a preset distinguishing sequence (fixed),
  or a tree (adaptive).
• May not exist (PSPACE complete to check if preset
  exists, polynomial for adaptive).
• Best known algorithm exponential length for
  preset,polynomial for adaptive LY.

175
Sometimes cannot identify initial state
Start with ain case of being in s1 or s3 well
move to s1 and cannot distinguish.Start with
bIn case of being in s1 or s2 well move to s2
and cannot distinguish.
The kind of experiment we do affects what we can
distinguish. Much like the Heisenberg principle
in Physics.
176
Conformance testing

• Unknown deterministic finite state system B.
• Known n states and alphabet ?.
• An abstract model C of B. C satisfies all the
  properties we want from B. C has m states.
• Check conformance of B and C.
• Another version only a bound n on the number of
  states l is known.

?
177
Check conformance with a given state machine

• Black box machine has no more states than
  specification machine (errors are mistakes in
  outputs, mistargeted edges).
• Specification machine is reduced, connected,
  deterministic.
• Machine resets reliably to a single initial state
  (or use homing sequence).

178
Conformance testing Ch,V
a/1
?
b/1
a/1
b/1
?
b/1
a/1
Cannot distinguish if reduced or not.
179
Conformance testing (cont.)
?
b
b
a
a
a
?
a
b
b
a
a
b
Need bound on number of states of B.
180
PreparationConstruct a spanning tree
181
How the algorithm works?
Reset or homing

• According to the spanning tree, force a sequence
  of inputs to go to each state.
• From each state, perform the distinguishing
  sequences.
• From each state, make a single transition, check
  output, and use distinguishing sequences to check
  that in correct target state.

Reset or homing
s1
b/1
a/1
s2
s3
Distinguishing sequences
182
Comments

• Checking the different distinguishing sequences
  (m-1 of them) means each time resetting and
  returning to the state under experiment.
• A reset can be performed to a distinguished state
  through a homing sequence. Then we can perform a
  sequence that brings us to the distinguished
  initial state.
• Since there are no more than m states, and
  according to the experiment, no less than m
  states, there are m states exactly.
• Isomorphism between the transition relation is
  found, hence from minimality the two automata
  recognize the same languages.

183
Combination lock automaton

• Assume accepting states.
• Accepts only words with a specific suffix (cdab
  in the example).

b
d
c
a
s1
s2
s3
s4
s5
Any other input
184
When only a bound on size of black box is known

• Black box can pretend to behave as a
  specification automaton for a long time, then
  upon using the right combination, make a mistake.

Pretends to be S1
a/1
b/1
a/1
b/1
s1
s2
b/1
a/1
a/1
s3
Pretends to be S3
b/0
185
Conformance testing algorithm VC

• The worst that can happen is a combination lock
  automaton that behaves differently only in the
  last state. The length of it is the difference
  between the size n of the black box and the
  specification m.
• Reach every state on the spanning tree and check
  every word of length n-m1 or less. Check that
  after the combination we are at the state we are
  supposed to be, using the distinguishing
  sequences.
• No need to check transitions already included in
  above check.
• Complexity m2 n dn-m1 Probabilistic complexity
  Polynomial.

Reset or homing
Reset or homing
s1
b/1
a/1
s2
s3
Words of length ?n-m1
Distinguishing sequences
186
Model Checking

• Finite state description of a system B.
• LTL formula ?. Translate ?? into an automaton P.
• Check whether L(B) ? L(P)?.
• If so, S satisfies ?. Otherwise, the intersection
  includes a counterexample.
• Repeat for different properties.

??
?
187
Buchi automata (w-automata)

• S - finite set of states. (B has l ? n states)
• S0 ? S - initial states. (P has m states)
• S - finite alphabet. (contains p letters)
• d ? S ? S ? S - transition relation.
• F ? S - accepting states.
• Accepting run passes a state in F infinitely
  often.

System automata FS, deterministic, one initial
state. Property automaton not necessarily
deterministic.
188
Example check ?a
a
?a
?a
?a, a
189
Example check ?a
??a
190
Example check ? a
?a, a
??a
?a
?a
Use automatic translation algorithms, e.g.,
Gerth,Peled,Vardi,Wolper 95
191
System
192
Every element in the product is a counter example
for the checked property.
a
a
??a
s1
s2
q1
?a
c
b
a
?a
s3
q2
a
s1,q1
s2,q1
Acceptance isdetermined byautomaton P.
b
a
s1,q2
s3,q2
c
193
Model Checking / Testing

• Given Finite state system B.
• Transition relation of B known.
• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory or BDD techniques.
• Complexity polynomial.

• Unknown Finite state system B.
• Alphabet and number of states of B or upper bound
  known.
• Specification given as an abstract system C.
• Check if B ?C.
• Complexity polynomial if number states known.
  Exponential otherwise.

194
Black box checking PVY

• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory techniques.

• Unknown Finite state system B.
• Alphabet and Upper bound on Number of states of B
  known.
• Complexity exponential.

??
?
195
Experiments
196
Simpler problem deadlock?

• Nondeterministic algorithmguess a path of
  length ? n from the initial state to a deadlock
  state.Linear time, logarithmic space.
• Deterministic algorithmsystematically try paths
  of length ?n, one after the other (and use
  reset), until deadlock is reached.Exponential
  time, linear space.

197
Deadlock complexity

• Nondeterministic algorithmLinear time,
  logarithmic space.
• Deterministic algorithmExponential (p n-1)
  time, linear space.
• Lower bound Exponential time (usecombination
  lock automata).
• How does this conform with what we know about
  complexity theory?

198
Modeling black box checking

• Cannot model using Turing machines not all the
  information about B is given. Only certain
  experiments are allowed.
• We learn the model as we make the experiments.
• Can use the model of games of incomplete
  information.

199
Games of incomplete information

• Two players -player, ?-player (here,
  deterministic).
• Finitely many configurations C.
  IncludingInitial Ci , Winning W and W- .
• An equivalence relation _at_ on C (the -player
  cannot distinguish between equivalent states).
• Labels L on moves (try a, reset, success, fail).
• The -player has the moves labeled the same from
  configurations that are equivalent.
• Deterministic strategy for the -player will
  lead to a configuration in W ? W-. Cannot
  distinguish between equivalent configurations.
• Nondeterministic strategy Can distinguish
  between equivalent configurations..

200
Modeling BBC as games

• Each configuration contains an automaton and its
  current state (and more).
• Moves of the -player are labeled withtry a,
  reset... Moves of the ?-player withsuccess,
  fail.
• c1 _at_ c2 when the automata in c1 and c2 would
  respond in the same way to the experiments so far.

201
A naive strategy for BBC

• Learn first the structure of the black box.
• Then apply the intersection.
• Enumerate automata with ?n states (without
  repeating isomorphic automata).
• For a current automata and new automata,
  construct a distinguishing sequence. Only one of
  them survives.
• Complexity O((n1)p (n1)/n!)

202
On-the-fly strategy

• Systematically (as in the deadlock case), find
  two sequences v1 and v2 of length
• Applying v1 to P brings us to a state t that is
  accepting.
• Applying v2 to P brings us back to t.
• Apply v1 v2 n to B. If this succeeds,there is a
  cycle in the intersection labeled with v2, with t
  as the P (accepting) component.
• Complexity O(n2p2mnm).

v1
v2
203
Learning an automaton

• Use Angluins algorithm for learning an
  automaton.
• The learning algorithm queries whether some
  strings are in the automaton B.
• It can also conjecture an automaton Mi and asks
  for a counterexample.
• It then generates an automaton with more states
  Mi1 and so forth.

204
A strategy based on learning

• Start the learning algorithm.
• Queries are just experiments to B.
• For a conjectured automaton Mi , check if Mi ? P
  ?
• If so, we check conformance of Mi with B (VC
  algorithm).
• If nonempty, it contains some v1 v2w . We test B
  with v1 v2n. If this succeeds error, otherwise,
  this is a counterexample for Mi .

205
Complexity

• l - actual size of B.
• n - an upper bound of size of B.
• d - size of alphabet.
• Lower bound reachability is similar to deadlock.
• O(l 3 d l l 2mn) if there is an error.
• O(l 3 d l l 2 n dn-l1 l 2mn) if there is no
  error.
• If n is not known, check while time allows.
• Probabilistic complexity polynomial.

206
Some experiments

• Basic system written in SML (by Alex Groce, CMU).
• Experiment with black box using Unix I/O.
• Allows model-free model checking of C code with
  inter-process communication.
• Compiling tested code in SML with BBC program as
  one process.

207
Conclusions

• Black Box Checking automatic verification of
  unspecified system.
• A hard problem, exponential in number of states,
  but polynomial on average.
• Implemented, tested.
• Another use when the model is given, but is not
  exact.

208
The rest is not part of this lecture
209
Part 2 Software testing

• Testing is not about showing that there are no
  errors in the program.
• Testing cannot show that the program performs its
  intended goal correctly.
• So, what is software testing?
• Testing is the process of executing the program
  in order to find errors.
• A successful test is one that finds an error.

210
Some software testing stages

• Unit testing the lowest level, testing some
  procedures.
• Integration testing different pieces of code.
• System testing testing a system as a whole.
• Acceptance testing performed by the customer.
• Regression testing performed after updates.
• Stress testing checking the code under extreme
  conditions.
• Mutation testing testing the quality of the
  test suite.

211
Some drawbacks of testing

• There are never sufficiently many test cases.
• Testing does not find all the errors.
• Testing is not trivial and requires considerable
  time and effort.
• Testing is still a largely informal task.

212
Black-Box (data-driven, input-output) testing

• The testing is not based on the structure of the
  program (which is unknown).
• In order to ensure correctness, every possible
  input needs to be tested - this is impossible!
• The goal to maximize the number of errors found.