3. Verification Techniques
Reminder (diagram): ideas are specified into a specification, refined through abstraction / refinement steps, VERIFICATION is applied to the models, the system is developed from them, and TEST checks that the developed system conforms.
Code verification
Static analysis, no formal models. Reverse engineering. BLAST, SLAM: for C programs. Bandera: Java. Verisoft: C++.
Model equivalence (equivalence checking)
Comparison of two specifications, i.e. comparison of models: prove that the behaviour of a system is equivalent to a given behaviour. The verification is complete, but in practice not feasible on large models.
Proof techniques
Deductive methods (theorem proving)
Prove mathematically that a property extracted from the requirements holds in the model.
Example: a timer in a TCP datagram is respected in the specification. Tools: COQ (INRIA) theorem prover, based on inference; HOL (Higher Order Logic, Australian National University), MetaLanguage (ML). Essentially for qualitative/functional properties. Verification on infinite-state systems.
Model-checking techniques
Model checking
Idea: find, in a formal model, a counter-example to a property defined with a logical language. Models: Markovian models or quantitative-bound LTS. Much more widespread, used in many domains, with many tools. Qualitative/quantitative properties, suited to QoS. Tools: SPIN, PRISM, UPPAAL, etc. Definite industrial interest, since it helps modelling and gives errors quickly.
Stephane Maag / TSP, Can Tho Summer School, Sept. 2010
(Diagram: property; compiler, simulator; model-checker.)
A finite set of states, S
Some initial state s0
A transition relation between states, T ⊆ S × S
A finite set of atomic propositions, AP
A labelling function L : S → P(AP)
Labelled Transition Systems, LTS
Finite State Machines, FSM
State charts, ...
* For a physicist a model is a differential equation; for a biologist, it may be mice or frogs.
An Example
AP = {empty, full}. Some LTL formulas that are valid for this model: empty (X empty), full (X full). (X is for neXt.)
The future system must conform to the model(s). The model(s) may be used as a starting point for (automatic) development.
System analysis
Programs
Everybody knows what it is. Here: a program is a piece of text in a (hopefully) well-defined language. There is a syntax, some semantics, and compilers.
Interlude
Systems
A system is a dynamic entity, embedded in the physical world. It is observable via some limited interface/procedure. It is not always controllable. It is quite different from a piece of text (formula, program) or a diagram.
Systems are the actual objects of interest. How to ensure that a system satisfies certain properties?
Properties?
1. Texts in natural languages
2. Formulas in a given specification logic
3. Sets of mandatory or forbidden behaviours
Usages
Global requirement on the system as a whole, or on some subsystems. Assertions in programs and models: pre-conditions, post-conditions, invariants.
When the train has announced its arrival, the barrier will eventually open.
Safety: an undesirable event will never occur. It is impossible for the barrier to be open while the train is at the level of the barrier.
Deadlock freedom: the system will never be in a situation where it can no longer evolve. When the barrier is closed, it can always reopen.
Fairness: an event will occur infinitely often. The barrier will be open infinitely often.
Model-checking problem
System |= property
EXAMPLES
The temporal operators are of two types:
- on one execution (a path)
- on all executions (all paths)
Formulas associated to the states of the automaton: L(open_i) = {open, level = i}, i = 0,1,2; L(close_i) = {open}, i = 0,1,2.
s,0 |= X open
s,0 |= F close
s,2 |= X open X level = 1
s,i |= G F open, i = 0,...,5
s |= G open
s |= open U level = 1
E F: "we can have ...", the negation of a safety property. A F: "we will necessarily have ...", a liveness property.
s,3 |= A X open. Notation: A |= (formula) iff s,0 |= (formula), where the formula contains A or E.
Example
Extensions :
Semantics of CTL
s |= f (f atomic) iff f ∈ L(s)
s |= ¬f iff s |≠ f
s |= f ∧ g iff s |= f and s |= g
s,0 |= AX f iff for all paths s' such that s'0 = s,0, s',1 |= f
s,0 |= EX f iff there exists a path s' such that s'0 = s,0 and s',1 |= f
s,0 |= A (f U g) iff for all paths s' such that s'0 = s,0, there exists i ≥ 0 such that s',i |= g and for all j < i, s',j |= f
s,0 |= E (f U g) iff there exists a path s' such that s'0 = s,0 and there exists i ≥ 0 such that s',i |= g and for all j < i, s',j |= f
CTL algorithm
Principle:
Let A be a Kripke structure and φ a CTL formula. Each state q of A is marked with each subformula ψ (q.ψ) if q |= ψ.
q.φ is built from the q.ψ. A |= φ iff q0.φ = true.
case 2: φ = ¬φ1
  marking(φ1, A);
  for all q in A.Q do q.φ := not(q.φ1)
case 3: φ = φ1 ∧ φ2
  marking(φ1, A); marking(φ2, A);
  for all q in A.Q do q.φ := and(q.φ1, q.φ2)
case 5: φ = AX φ1 (* as EX *)
Difficulties or unwillingness to express some kinds of properties (but there are advanced techniques resolving that issue!).
Other temporal logics: CTL*, PLTL (PSPACE-complete), FCTL (fairness), TCTL (timers), logics with past: no model-checkers.
Problem!
The number of states of a system is exponential in its number of variables.
Notations:
Sat(φ) = set of states satisfying φ. For S ⊆ Q, Pre(S) = set of immediate predecessors of S.
(1)
(2)
Case of A φ1 U φ2 - recursive definition: φ2 ∨ (φ1 ∧ EX true ∧ AX(A φ1 U φ2))
P1 := Sat[φ1]; P2 := Sat[φ2];
X := P2; Y := {};
while Y ≠ X do
  Y := X;
  X := X + (P1 /\ Pre(Q) /\ (Q \ Pre(Q \ X)))
return(X);
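The CTL semantics, the marking algorithm and the fixpoint for A(φ1 U φ2) above, carried through in working code. This is an added example, not code from the slides: an explicit-state checker that computes Sat(f) bottom-up with Pre(S), run on a constructed train/barrier Kripke structure (states, transitions and atomic propositions are assumed here, not taken from the slides).

```python
# Added example: explicit-state CTL model checking on a constructed
# train/barrier Kripke structure; formulas are nested tuples, states are ints.
class Kripke:
    def __init__(self, states, init, trans, label):
        self.Q, self.q0 = frozenset(states), init       # finite states, initial state
        self.T, self.L = frozenset(trans), label        # T subset of Q x Q, L : Q -> P(AP)
    def pre(self, S):
        """Pre(S): states having at least one immediate successor in S."""
        return frozenset(q for (q, r) in self.T if r in S)
    def sat(self, f):
        """Sat(f): states satisfying f, computed bottom-up on subformulas."""
        Q = self.Q
        if f is True:
            return Q
        if isinstance(f, str):                            # atomic proposition: f in L(q)
            return frozenset(q for q in Q if f in self.L[q])
        op, *a = f
        if op == "not":
            return Q - self.sat(a[0])
        if op == "and":
            return self.sat(a[0]) & self.sat(a[1])
        if op == "EX":
            return self.pre(self.sat(a[0]))
        if op == "AX":                                    # some successor, and none violates a[0]
            return self.pre(Q) & (Q - self.pre(Q - self.sat(a[0])))
        P1, P2 = self.sat(a[0]), self.sat(a[1])           # EU / AU: least fixpoint from P2
        X, Y = P2, None
        while Y != X:
            Y = X
            if op == "EU":
                X = X | (P1 & self.pre(X))
            else:  # AU, as on the slide: X := X + (P1 /\ Pre(Q) /\ (Q \ Pre(Q \ X)))
                X = X | (P1 & self.pre(Q) & (Q - self.pre(Q - X)))
        return X
    def holds(self, f):
        """A |= f iff the initial state is marked with f."""
        return self.q0 in self.sat(f)

def EF(f): return ("EU", True, f)
def AF(f): return ("AU", True, f)
def AG(f): return ("not", EF(("not", f)))

# Constructed model: 0 far/open, 1 announced/open, 2 announced/closed, 3 at barrier/closed.
CROSSING = Kripke([0, 1, 2, 3], 0, [(0, 1), (1, 2), (2, 3), (3, 0), (0, 0)],
                  {0: {"open"}, 1: {"open", "announced"}, 2: {"announced"}, 3: {"at_barrier"}})
SAFETY = AG(("not", ("and", "open", "at_barrier")))               # never open with the train at the barrier
LIVENESS = AG(("not", ("and", "announced", ("not", AF("open")))))  # announced => AF open
```

Both properties hold on the constructed model, while AG open fails, since states 2 and 3 are closed.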
To represent the set Sat(f) with f atomic; to compute Pre(S) from the representation of S; to compute the complement, union and intersection; to test equality of two sets.
BDD
Example: (x1 x3) (x2 x4)
BDD = reduced decision tree:
1. Identical subtrees are shared.
2. Useless choices are omitted.
The transitions:
Computing Pre(S)
Let BDD_T or BDD_S be given.
(1)
Computing Pre(S)
We abstract away b_i (complexity O(n))
(2)
(i.e. we forget it)
We now have all the elements needed to implement the symbolic CTL model-checker.
Problem: the worst-case memory complexity is exponential, and performance depends on the variable ordering.
A few model-checkers
SPIN (Promela, LTL). NuSMV 2 (CTL), which combines BDD-based model checking with SAT-based model checking. FDR (CSP, refinements). Timed automata: UPPAAL, KRONOS. Stochastic models: PRISM, APMC.
For Model-checking