Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Computer Science and Artificial Intelligence Laboratory
MIT Armando Solar-Lezama
Dec 01, 2011
December 01, 2011
Explicit State Model Checking
1
Explicit State Model checking
o The basic Strategy
Temporal Logic Formula
Kripke structure
Buchi Automata
Product Automata Model
checker
OK
Counterexample
trace
System Description
2
Buchi Automata
o A Buchi Automaton is a 5-tuple ÎŁ, đ, đŒ, đż, đč
- ÎŁ is an alphabet
- S is a finite set of states
- đŒ â đ is a set of initial states
- đż â đ Ă ÎŁ Ă đ is a transition relation
- đč â đ is a set of accepting states
o Non-deterministic Buchi Automata are not
equivalent to deterministic ones
3
Buchi Automaton from Kripke Structure
o Given a Kripke structure:
- M = (S, S0, R, L)
o Construct a Buchi Automaton
- (đź , S U {Init}, {Init}, T, S U {Init} )
- T is defined s.t.
âą T(s, đ, sâ) iff R(s, sâ) and đÏ” L(sâ) âą T(Init, đ,s) iff s Ï” S0 and đÏ” L(s)
s1
s4
s3
s2
start
close start cooking
close
open door
close door
close door
start
start finish
cooking
4
Buchi Automaton from Kripke Structure
- (đź , S U {Init}, {Init}, T, S U {Init} )
- T is defined s.t.
âą T(s, đ, sâ) iff R(s, sâ) and đÏ” L(sâ) âą T(Init, đ,s) iff s Ï” S0 and đÏ” L(s)
s1
s4
s3
s2
start
close start cooking
close
Init
s1
s4
s3
s2
start -cooking -close
close start cooking
close -start -cooking
close -start -cooking
close start cooking
close -start -cooking
-start -cooking -close
-start -cooking -close
5
Buchi Automaton from Kripke Structure
o Given a Kripke structure:
- M = (S, S0, R, L)
o Construct a Buchi Automaton
- (đź , S U {Init}, {Init}, T, S U {Init} )
- T is defined s.t.
âą T(s, đ, sâ) iff R(s, sâ) and đÏ” L(sâ) âą T(Init, đ,s) iff s Ï” S0 and đÏ” L(s)
o What about missing transitions? - Need to add a dummy âerror stateâ
s1
s4
s3
s2
start
close start cooking
close
open door
close door
close door
start
start finish
cooking
6
Explicit State Model checking
o The basic Strategy
Temporal Logic Formula
Kripke structure
Buchi Automata
Product Automata Model
checker
OK
Counterexample
trace
System Description
7
Negated Properties
o Given a good property P, you can define a bad property Pâ
- If the system has a trace that satisfies Pâ, then it is buggy.
o Example
- Good property: G( req F ack)
- Bad property: F (req & ( G !ack))
o We are going to ask whether M satisfies Pâ
- If it does, then we found a bug
o Why are we doing the negation?
8
Computing the Product Automata
o Given Buchi automata A and Bâ
- A = (đź , SA, TA, {InitA}, SA)
- Bâ = (đź , SB, TB, {InitB}, Fâ)
- A x Bâ = (đź , SA x SB, T, {(InitA, InitB)}, F)
o Where
- T((s1,s2), đ, (s1â, s2â)) iff TA(s1, đ, s1â) and TB(s2, đ, s2â)
- (s1,s2) Ï” F iff s2 Ï” Fâ
9
Check if a state is visited infinitely often
o Check for a cycle with an accepting state
o Cycle must be reachable from the initial state
o Simple algorithm
- Do DFS to find an accepting state
- Do a DFS from that accepting state to see if it can reach itself
10
Explicit State Model checking
o The basic Strategy
Temporal Logic Formula
Kripke structure
Buchi Automata
Product Automata Model
checker
OK
Counterexample
trace
System Description
DFS on state machine!
11
Example
ok
rec
ack đź-rec
đź-ack
G rec F ack
rec
rec ack
12
Optimizations: Partial Order Reduction
o Example
H
V
while(*){ if(p=0){ p:=1; } if(p=1){ if(g=free){ g:=id; p:=2; } } if(p=2){ p:=3; g:=free } if(p=3){ p:=0; } }
pc=0 pc=1 pc=2 pc=3 pc=4 pc=5 pc=6 pc=7 pc=8 pc=9
0 1 2 3
0
1
3
while(*){ if(p=0){ p:=1; } if(p=1){ if(g=free){ g:=id; p:=2; } } if(p=2){ p:=3; g:=free } if(p=3){ p:=0; } }
H train V train 13
Optimizations: Partial Order Reduction
o Example
H
V
while(*){ if(p=0){ p:=1; } if(p=1){ if(g=free){ g:=id; p:=2; } } if(p=2){ p:=3; g:=free } if(p=3){ p:=0; } }
pc=0 pc=1 pc=2 pc=3 pc=4 pc=5 pc=6 pc=7 pc=8 pc=9
0 1 2 3
0
1
3
while(*){ if(p=0){ p:=1; } if(p=1){ if(g=free){ g:=id; p:=2; } } if(p=2){ p:=3; g:=free } if(p=3){ p:=0; } }
H train V train 14
Partial Order Reduction
o Key idea:
- The order of independent actions on different threads does not
matter
- Note: what is considered independent depends on the property
P
P -P
-P
đčÂŹđ a
b
b
a
P
P
-P
a
b
15
Ample set
o On state s1, the transitions to s2 and s3 are both
enabled.
- enabled(s1)
o We only want to explore a subset of the enabled set
- ample(s1) â enabled(s1)
P
P -P
-P
đčÂŹđ a
b
b
a
P
P
-P
a
b
s1 s1
s2
s4
s3
16
Ample set
o We have 3 goals in computing ample(s)
- Using ample instead of enabled should give us a much smaller
graph
- Using ample instead of enabled should still allow us to find what
we are looking for
- Computing ample should be easy
P
P -P
-P
đčÂŹđ a
b
b
a
P
P
-P
a
b
s1 s1
s2
s4
s3
17
Independence and Invisibility
o Independence:
- Actions a and b are independent iff:
âą a does not disable b and vice-versa
âą Commutativity: a(b(s)) = b(a(s))
o Invisibility:
- a and b should not affect the values of any relevant property
18
Ample is computed heuristically
o Computing it precisely is too hard, but we can find
actions that are definitely not in ample(s) and can
therefore be ignored.
o What we need to consider:
- Actions that share variables with the property
- If two actions share variables, they are dependent
- If two actions appear in the same thread they are dependent
19
MIT OpenCourseWarehttp://ocw.mit.edu
6.820 Fundamentals of Program AnalysisFall 2015
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.