Model Checking for tcc Calculus

Model Checking for tcc Calculus Cali Jaime E. Arias Almeida
Supervisors: Dr. Carlos Olarte Dr. Eugenio Tamura AVISPA Research Group Pontiﬁcia Universidad Javeriana - Cali December, 2012

Motivation Concurrent systems are everywhere: • Engineering: Security protocols, mobile
computing, synchronous systems. • Science: Biological and chemical systems. • Arts: Multimedia interaction. Models of Concurrency Formal models to describe and analyze concurrent systems. They must be: • Simple. • Expressive. • Formal. • Provide reasoning techniques. Some examples: CCS [Mil89], the π calculus [Mil99, SW03], CSP [Hoa85], CCP [Sar93]. 2 / 71

Motivation • Concurrent Constraint Programming (ccp) [Sar93] is a formalism
for concurrency where agents interact with one another by adding (telling) and reading (asking) information represented as constraints in a shared medium (global store). • The type of constraints and the entailment relation is given by a Constraint System (e.g. x > 42 |= x > 0). 3 / 71

Motivation • Temporal Concurrent Constraint Programming (tcc) [SJG94] extends ccp
by adding temporal constructs for modeling timed and reactive systems. • Formal veriﬁcation plays an important role in detecting errors in concurrent systems. The presence of a system failure in air traﬃc control systems, medical instruments, aircrafts or in general, reactives systems could be catastrophic. (a) Therac-25 (b) Ariane-5 Figure: Some disasters 4 / 71

Motivation • Verification of tcc programs is performed using inductive
techniques since the model does not provide automatic formal verification tools. • Problems: ◦ Difficult ◦ Error prone ◦ Experts are required. • Hubert Garavel [Gar08]: “...The research agenda for theoretical concurrency should therefore address the design of efficient algorithms for trans- lating and verifying formal specifications of concurrent systems”. 5 / 71

Motivation • Model checking is an automated technique that, given
a ﬁnite-state model of a system and a formal property, systematically checks whether this property holds for (a given state in) that model [CGP99]. • Advantages ◦ Formal technique. ◦ Fully-automatic. ◦ Experts are not required. ◦ Counterexample. • Drawback: ◦ State-space explosion problem. 6 / 71

Our Goal • We aim at developing a model checking
algorithm for tcc calculus to automatically verify digital systems. 7 / 71

Our Approach Requirements System Formalizing Modeling Property Speciﬁcation System Model
Model Checking Satisﬁed Violated + Counterexample ntcc LTL tcc Structure Classical approach and prototype Our approach: A model checking algorithm based on the work of Falaschi and Villanueva [FV06]. 8 / 71

Our Contributions • A structure for modeling the behavior of
a tcc program. • An algorithm for constructing the model from the tcc speciﬁcation. • A method for reducing the size of a model. • A model checking algorithm for verifying tcc programs. • A prototype of the model checking algorithm. 9 / 71

Outline 1 The tcc Calculus 2 The Model Checking Technique
3 A Model for tcc Programs 4 A Logic for the Speciﬁcation of Properties 5 The Model Checking Algorithm 6 A Prototypical Tool 7 Application 8 Concluding Remarks 10 / 71

The tcc Calculus [SJG94] Intuitive Description and Operational Semantics temperature
= ? ask (temperature < 100) then Q tell (temperature < 70) ask (temperature = 50) then P tell (temperature > 45) 12 / 71

The tcc Calculus [SJG94] Intuitive Description and Operational Semantics temperature
= ? ask (temperature < 100) then Q ask (temperature = 50) then P tell (temperature < 70) tell (temperature > 45) 12 / 71

The tcc Calculus [SJG94] Intuitive Description and Operational Semantics ask
(temperature < 100) then Q ask (temperature = 50) then P 42 < temperature < 70 12 / 71

(temperature = 50) then P 42 < temperature < 70 ask (temperature < 100) then Q 12 / 71

(temperature = 50) then P 42 < temperature < 70 Q Remains Blocked 12 / 71

The tcc Calculus [SJG94] Intuitive Description and Operational Semantics Stimulus
Store Time Unit 1 1. Receives a stimulus (i.e. a constraint) from the environment. 13 / 71

Time Unit 1 ccp Process 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 13 / 71

Time Unit 1 Resting Point Final Store 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 3. Responds with the resulting store. 13 / 71

Time Unit 1 Resting Point Final Store Residual Process Store Time Unit 2 1. Receives a stimulus (i.e. a constraint) from the environment. 2. Computes a ccp process in the current time unit and wait for stability. 3. Responds with the resulting store. 4. Executes the residual process in the next time unit. * Note: Stores are not automatically transferred from a time unit to the next one. 13 / 71

The tcc Calculus [SJG94] Syntax Process Description Action within the
time interval tell (c) telling information add c to the store in the current time interval now c then P asking information executes P if c can be deduced from the current store ∃x (P) hiding executes P with local x P || Q parallelism executes P and Q next P unit-delay executes P in the next time unit now c else P time-out executes P in the next time unit if c cannot be entailed now Syntax SOS 14 / 71

The tcc Calculus [SJG94] Example Example p():: now (in=true) then
next(tell(x=2)) || now (in=true) else tell(x=1) || next(p()) Prototype 15 / 71

The Model Checking Technique Requirements System Formalizing Modeling Property Speciﬁcation
System Model Model Checking Satisﬁed Violated + Counterexample System Model: Models of systems describe the behavior of systems in a formal way. They are mostly expressed using transition systems. 17 / 71

System Model Model Checking Satisﬁed Violated + Counterexample Property Speciﬁcation: Properties should be described in a precise and unambiguous manner. Temporal logic is typically used to express properties. 17 / 71

System Model Model Checking Satisﬁed Violated + Counterexample Model Checking: Algorithm which checks the validity of the property in all states of the system model. 17 / 71

A Model for tcc Programs Program Labeling • The labeling
process consists in assigning a different label to each occur- rence of an agent in the program. • Labels provide an unique identification for agents in order to know the point of execution of the program during the construction of the model. Example {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) Definition 19 / 71

A Model for tcc Programs The tcc Structure • tcc
Structure is a graph structure which allows to model the behavior of a tcc speciﬁcation. • It is a variant of a Kripke Structure. current store internal labels temporal labels (a) tcc state Internal Transition Temporal Transition (b) Transitions Figure: Components of a tcc Structure Deﬁnition 20 / 71

A Model for tcc Programs The tcc Structure Definition (tcc
Structure) Let AP be a set of atomic propositions, we define a tcc Structure M over AP as a seven tuple M = (S, S0, T, R, C, L, LT) where 1. S is a finite set of states. 2. S0 ⊆ S is the set of initial states. 3. T = {i, t} is the set of possible type of transitions. i denotes an internal transition while t denotes a temporal transition. 4. R ⊆ S × S × T is a transition relation. 5. C : S → 2AP is the function that returns the set of atomic propositions in a given state. 6. L : S → 2L is the function that returns the set of internal labels in a given state. 7. LT : S → 2L is the function that returns the set of temporal labels in a given state. 21 / 71

A Model for tcc Programs Construction of the Model •
Transitions are described according to the operational rules of each tcc process. • For each diﬀerent declaration we construct a tcc Structure. • Each state is composed of labels associated with agents that can be executed in a step of the construction process. • Each label can be active or disable. • The labels associated with temporal agents cannot be executed before all the labels associated with normal agents are executed. Algorithm 22 / 71

A Model for tcc Programs Construction of the Model Procedure
Call: p0 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Call: p0 1 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Call: p0 ||1 1 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

A Model for tcc Programs Construction of the Model Parallel:
p0 ||1 1 2 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

p0 ||1 1 2 nowp2, ||5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

nowp2, nown6, next8 3 p0 ||1 1 2 nowp2, ||5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

A Model for tcc Programs Construction of the Model Timed
Positive Ask: nowp2, nown6, next8 3 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Positive Ask: nowp2, nown6, next8 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Positive Ask: nowp2, nown6, next8 in=true 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 next3, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Positive Ask: nowp2, nown6, next8 ~(in=true) in=true 3 4 19 next3, nown6, next8 nowp2, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 5 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 in=true,~(in=true) 33 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 20 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 ~(in=true),in=true 20 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 34 ~(in=true),in=true 20 ~(in=true) {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) nowp2, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Negative Ask: ~(in=true) in=true 4 19 next3, nown6, next8 nowp2, nown6, next8 in=true 5 next3, next8 20 ~(in=true) nowp2, next8 tell7 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

A Model for tcc Programs Construction of the Model Unit
Delay: 5 next3, next8 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Delay: in=true 5 next3, next8 6 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Delay: in=true 5 next3, next8 6 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

Delay: in=true 5 next3, next8 6 tell4, p9 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

A Model for tcc Programs Construction of the Model Passage
to the Next Time: 6 tell4, p9 in=true {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

to the Next Time: 6 tell4, p9 in=true 7 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

to the Next Time: 6 tell4, p9 in=true 7 tell4, p9 {lp0 }p():: {l||1 }({lnowp2 }now (in=true) then {lnext3 }next({ltell4 }tell(x=2)) || {l||5 }({lnown6 }now (in=true) else {ltell7 }tell(x=1) || {lnext8 }next({lp9 }p()))) 23 / 71

A Model for tcc Programs Construction of the Model Equivalent
States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true 14 tell4, p9 24 / 71

States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true 24 / 71

States: 6 tell4, p9 in=true 7 tell4, p9 13 tell4, p9 x=2, in=true • Reduction of states is necessary to decrease the state explosion problem. • The store on the quiescent point is deﬁned as the output of the computation. 24 / 71

A Model for tcc Programs Simpliﬁcation of the Model 1
5 4 1 2 3 4 5 Sequence of internal transitions (a) Reduction of a sequence of internal transitions 2 1 3 4 2 2 1 3 4 (b) Reduction of a branching Figure: Reduction rules 25 / 71

A Logic for the Speciﬁcation of Properties The ntcc Logic
• Linear temporal logic (LTL) named CLTL for reasoning about ntcc processes. • It expresses properties over sequences of constraints. • ntcc is an extension of tcc. Deﬁnition (CLTL Syntax) The formulae F, G, . . . ∈ F are built from constraints c ∈ C in the underlying constraint system by F, G, . . . := c | ˙ true | ˙ false | F ˙ ∧ G | F ˙ ∨ G | ˙ ¬F | ˙ ∃x F | ◦ F | F | ♦F Semantics 27 / 71

The Model Checking Algorithm • Classical tableau algorithm for the
LTL model checking problem [CGP99, MP95, LP85]. • To prove that a property is satisﬁed, it is possible to prove that there is no path in the model checking graph satisfying the negation of the formula. 29 / 71

The Model Checking Algorithm Definition (Strongly Connected Component) Given a
graph G, we define a Strongly Connected Component (SCC) S as a maximal subgraph of G such that for every two distinct nodes A, B ∈ S, there exists a path from A to B that passes through nodes of S. We say that S is transient if it consists of a single node that is not connected to itself. Definition (Self-fulfilling SCC) Given a model-checking graph G, a self-fulfilling strongly connected component C is defined as a non-transient strongly connected component in G which satisfies that for every node n in C and for every ♦φ ∈ Qn there exists a node m in C such that φ ∈ Qm . 30 / 71

The Model Checking Algorithm Algorithm: 1. To construct the model
checking graph using the negation of φ (i.e. ¬φ). Deﬁnition 31 / 71

checking graph using the negation of φ (i.e. ¬φ). Deﬁnition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Deﬁnition 31 / 71

checking graph using the negation of φ (i.e. ¬φ). Definition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Definition 2. To look for a sequence such that starting from an initial node of the graph that satisfies the negation of φ, it reaches a self-fulfilling strongly connected component. 31 / 71

checking graph using the negation of φ (i.e. ¬φ). Definition ◦ First of all, we have to compute the closure CL(¬φ). This closure is reminiscent to the Fisher Ladner’s one [MP95, FL79]. Definition 2. To look for a sequence such that starting from an initial node of the graph that satisfies the negation of φ, it reaches a self-fulfilling strongly connected component. 3. If we find a self-fulfilling SCC in the graph, then the system satisfies the property represented by the negated formula (i.e. the model does not satisfy the property). 31 / 71

A Prototypical Tool Property • We represent a temporal formula
as a binary syntax tree. ♦ ∧ ¬ ◦ x=1 in=true Figure: ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)) >>> phi = Formula ({"<>": {"^":{"":"in=true","~":{"o":"x=1"}}}}) 33 / 71

A Prototypical Tool Model nowp2, ||5 nowp2, nown6, next8 next3,
nown6, next8 in=true ~(in=true) next3, next8 in=true ~(in=true) tell7, p9 tell4, p9 in=true 2 tell4, p9 tell7, p9 7 X=2 p9 X=1 p9 8 X=2 nowp2, ||5 X=2 nowp2, nown6, next8 next3, nown6, next8 X=2, in=true nowp2, nown6, next8 X=2, ~(in=true) next3, next8 tell7, p9 tell4, p9 tell4, p9 tell7, p9 X=2, in=true X=2, ~(in=true) X=2, in=true 3 4 5 6 9 nowp2, next8 ~(in=true) tell7 19 nowp2, nown6, next8 20 21 22 23 10 11 12 13 14 nowp2, next8 X=2, ~(in=true) tell7 15 16 17 18 ||1 1 p0 nowp2 nowp2 (a) tcc Structure p0 ~(in=true) tell7, p9 tell4, p9 in=true tell7, p9 X=2, ~(in=true) X=2, in=true tell4, p9 tell7, p9 X=1, ~(in=true) X=1, in=true tell4, p9 6 (s1) 13 (s2) 17 (s3) 21 (s4) 28 (s5) 32 (s6) nowp2 nowp2 nowp2 (b) Simpliﬁed tcc Structure Figure: Model of the system Results 34 / 71

A Prototypical Tool Model • We assume that a tcc
Structure is a list of tcc nodes. store: (list of Formulas) internal: (list of strings) temporal: (list of strings) edges: (list of integers) initial: (boolean) tcc node Figure: tcc node >>> {"store": [Formula ({"":"in=true"})], "internal": [], "temporal": [" tell4","p9"], "edges": [2,3], "initial": True} 35 / 71

A Prototypical Tool Model Checking Algorithm Closure >>> getClosure(phi ,closure)
{’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}} {’~’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} {’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} ... See Model Checking Nodes >>> atoms = getAllAtoms(closure) >>> model_checking_atoms = getModelCheckingAtoms (tcc_structure ,atoms) tcc State 1 Atom 1 {’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}} {’’: ’in=true ’} ... 36 / 71

A Prototypical Tool Model Checking Algorithm Model Checking Graph >>>
model_checking_graph = getModelCheckingGraph (tcc_structure , model_checking_atoms ) >>> model_checking_graph {1: [], 2: [], 3: [9, 11, 12, 13, 15], 4: [10, 16, 14], 5: [], 6: [], 7: [9, 11, 12, 13, 15], 8: [10, 16, 14], 9: [], 10: [], 11: [9, 11, 12, 13, 15], 12: [10, 16, 14], 13: [25, 27, 28, 29, 31], 14: [26, 32, 30], 15: [], 16: [], 17: [25, 27, 28, 29, 31], 18: [26, 32, 30], 19: [], 20: [], 21: [25, 27, 28, 29, 31], 22: [26, 32, 30], 23: [], 24: [], 25: [], 26: [], 27: [9, 11, 12, 13, 15], 28: [10, 16, 14], 29: [25, 27, 28, 29, 31], 30: [26, 32, 30], 31: [], 32: []} See 37 / 71

A Prototypical Tool Model Checking Algorithm Strongly Connected Components >>>
strongly_connected_components = tarjan( model_checking_graph ) >>> sccGraphs = getModelCheckingSCCSubgraphs ( strongly_connected_components , tcc_structure , model_checking_atoms , model_checking_graph ) >>> sccGraphs [0] [{3: [11, 13], 7: [11, 13], 11: [11, 13], 13: [27, 29], 17: [27, 29], 21: [27, 29], 27: [11, 13], 29: [27, 29]}] See 38 / 71

A Prototypical Tool Model Checking Algorithm Self-fulﬁlling SCC >>> initialNodes
= getInitialNodes (tcc_structure , model_checking_atoms ) >>> initialNodesEntailFormula (sccGraphs [0], initialNodes , model_checking_atoms ,formula) True >>> isSelfFulfilling (sccGraphs [0], initialNodes , model_checking_atoms ) True Model Checking Algorithm >>> result = modelSatisfiesProperty (phi , tcc_structure ) is Self Fulfilling : True Initial Nodes Entail Formula: True >>> print "Model Satisfies Original Formula: ", not result Model Satisfies Formula: False 39 / 71

A Prototypical Tool Results 1. tcc Program: See 2. tcc
Structure: See 3. Property: ◦ φ = ((in = true) ˙ ⇒ ◦ (x = 1)) ◦ ˙ ¬φ = ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)) 4. Model Checking Algorithm1: ◦ Self-fulﬁlling SCC: True ◦ Initial Nodes Entail Formula: True ◦ Model Satisﬁes Formula: True 5. Conclusion: Model does not satisfy the original formula. 1http://escher.puj.edu.co/~jearias/files/tccModelChecking.zip 40 / 71

Application Coffee Vending Machine • Model checking is a principal
technique for verifying finite-state reactive systems, and in particular, digital systems [Kot08a] (e.g. Traffic light controller [BCDM86, Swa97], radar jammer [CEP03], sequence detec- tor [KK09], binary comparator [Kot08b]). • The coffee machine provides the user with a cup of coffee or a cup of hot water (for tea), given that the consumer has inserted the required amount of money. Coffee 10 5 Tea 42 / 71

Application Modeling and Verification of Digital Systems • To describe
the digital system using tcc. • To create the model (tcc Structure) of the system. • To specify the properties to be verified. • Use the model checking algorithm to determine whether the model satisfies the property. 43 / 71

Concluding Remarks Overview • We proposed a model checking algorithm
for tcc, an automated formal verification tool. • Model of the system: ◦ Structure (tcc Structure) to model the behavior of a tcc system. ◦ Algorithm to construct the tcc Structure from the tcc specification. ◦ Method to simplify the model. • Temporal logic to specify properties of tcc systems. • Algorithm to determine whether the model of the system satisfies a formula. • Prototype of the model checking algorithm. 45 / 71

Concluding Remarks Future Work • Local operator in the model
construction algorithm. • Automatic tool for constructing the model of the system. • Symbolic and abstract techniques for reducing the state explosion problem. • ntcc model checking. • Prototype improvement (e.g. compute automatically the negated form of the formulas). 46 / 71

Thank you!

References (1) Michael C. Browne, Edmund M. Clarke, David L.
Dill, and Bud Mishra. Automatic Veriﬁcation of Sequential Circuits Using Temporal Logic. IEEE Transactions on Computers, C-35(12):1035–1044, 1986. Luis Alejandro Cort´ es, Petru Eles, and Zebo Peng. Modeling and Formal Veriﬁcation of Embedded Systems Based On a Petri Net Representation. Journal of Systems Architecture, 49:571–598, 2003. Edmund M. Clarke, Orna Grumberg, and Doron A. Peled. Model Checking. MIT Press, Cambridge, 1999. Michael J. Fischer and Richard E. Ladner. Propositional Dynamic Logic of Regular Programs. Journal of Computer and System Sciences, 18(2):194–211, 1979. 48 / 71

References (2) Moreno Falaschi and Alicia Villanueva. Automatic Veriﬁcation of
Timed Concurrent Constraint Programs. Theory and Practice of Logic Programming, 6(3):265–300, 2006. Hubert Garavel. Reﬂections on the Future of Concurrency Theory in General and Process Calculi in Particular. In Proceedings of LIX Colloquium on Emergent Trends in Concurrency Theory, volume 209 of Electronic Notes in Theoretical Computer Science, pages 149–164. Elsevier, 2008. C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985. 49 / 71

References (3) Daniela Kotmanov´ a and Milan Koles´ ar. Application
of Model Checking to the Verification of Digital Systems. Acta Electrotechnica et Informatica, 9(2):30–37, 2009. Daniela Kotmanov´ a. Temporal Logic in Verification of Digital Circuits. Journal of Electrical Engineering, 59(1):14–22, 2008. Daniela Kotmanov´ a. Temporal Logic in Verification of Digital Circuits. Journal of Electrical Engineering, 59(1):14–22, 2008. 50 / 71

References (4) Orna Lichtenstein and Amir Pnueli. Checking that Finite
State Concurrent Programs Satisfy their Linear Speciﬁcation. In Proceedings of the 12th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pages 97–107, New York, NY, USA, 1985. ACM Press. Robin Milner. Communication and Concurrency. International Series in Computer Science. Prentice Hall, 1989. Robin Milner. Communicating and Mobile Systems: the Pi-Calculus. Cambridge University Press, 1999. 51 / 71

References (5) Zohar Manna and Amir Pnueli. Temporal Veriﬁcation of
Reactive Systems: Safety. Springer-Verlag New York, Inc., 1995. Vijay A. Saraswat. Concurrent Constraint Programming. The MIT Press, 1993. Vijay A. Saraswat, Radha Jagadeesan, and Vineet Gupta. Programming in Timed Concurrent Constraint Languages. In Constraint Programming: Proceedings 1993, NATO Advanced Science Institute Series, pages 361–410, Berlin, 1994. Springer-Verlag. Davide Sangiorgi and David Walker. The Pi-Calculus: A Theory of Mobile Processes. Cambridge University Press, 2003. 52 / 71

References (6) Gitanjali Swamy. Formal Veriﬁcation of Digital Systems. In
Proceedings of the 10th International Conference on VLSI Design, pages 213–217, Washington, 1997. IEEE Computer Society. 53 / 71

The tcc Calculus [SJG94] Formal Syntax (Agents) A ::= c
(Tell) | now c then A (Timed Positive Ask) | now c else A (Timed Negative Ask) | next A (Unit Delay) | abort (Abort) | skip (Skip) | A || A (Parallel Composition) | ∃x(A) (Hiding) | g (Procedure Call) (Procedure Calls) g ::= p(t1, . . . , tn) (Declarations) D ::= g :: A (Deﬁnition) | D.D (Conjunction) (Programs) P ::= D.A Return 54 / 71

The tcc Calculus [SJG94] Formal Operational Semantics Axioms for →.
The binary relation → on conﬁgurations is the least relation satisfying the rules : (?, skip) → ? (?, abort) → abort (?, A || B) → (?, A, B) (?, ∃x(A)) → (?, A[y/x]) (y not free in ?) (?, p(t1, . . . , tn)) → (?, A[x1 → t1, . . . , xn → tn]) σ(?) c (?, now c then A) → (?, A) σ(?) c (?, now c else B) → ? Axioms for . The binary relation is the least relation satisfying the single rule : ∆, {now ci else Ai | i < n} ∆, {now ci else Ai | i < n}, {next Bj | j < m} {Ai | i < n}, {Bj | j < m} Return 55 / 71

A Model for tcc Programs Program Labeling Let P be
a tcc speciﬁcation, the labeled version Pl of P is deﬁned as follows. The subindex k ∈ N corresponds to the number of labels introduced up to a given point. When the labeling process starts, k = 0 and each time that we introduce a new label, k is incremented by one. • If P = tell c then Pl = {ltellk } tell c. • If P = now c then A then Pl = {lnowpk } now c then Al . • If P = now c else A then Pl = {lnownk } now c else Al . • If P = next A then Pl = {lnextk } next Al . • If P = skip then Pl = {lskipk } skip. • If P = A || B then Pl = {l|| k } (Al || Bl ). • If P = p(t1, . . . , tn ) then Pl = {lpk } p(t1, . . . , tn ). Return 56 / 71

A Model for tcc Programs The tcc Structure Definition (tcc
State) Let AP be the atomic propositions in the tcc syntax and L be the set of all labels generated during the labeling process described above. We define the set of states as S ⊆ 2AP × 2L. Definition (Equivalent States) Given two tcc states s and s , we say that two states are equivalent if 1. the set of labels of s and s coincide, and 2. there exists a renaming γ of variables of the constraints in s which makes them syntactically identical to the set of constraints of s . Return 57 / 71

A Model for tcc Programs Construction of the Model Our
procedure consists in locating an active label and perform the actions associated with such agent. The process is performed while there are active labels. When we reach a state where there is no active labels (quiescent point) we have to pass to the next time unit, and then we continue with the procedure. We represent this passage in our graph as follows: 1. Introduce a new node s related with s by a temporal transition. The state s is a state where there is no active labels. 2. We introduce the temporal labels of s in the labels of s . 3. The store and the temporal labels of s are empty. Return 58 / 71

A Model for tcc Programs Construction of the Model Tell
S ≡ {ltellk } tell c. The new information c is added to the store in the current time. We translate this behavior to our graph structure as follows: 1. Add a new node s related with the node s from which the agent is execute. 2. The store of s is deﬁned as the store of s plus the constraint c (i.e. C(s ) = C(s) ∧ c). 3. The internal labels of s are obtained from those of s by removing {ltellk } (i.e. L(s ) = L(s)\{ltellk }). 4. The temporal labels of s are the same as s (i.e. LT(s ) = LT(s)). Return 59 / 71

A Model for tcc Programs Construction of the Model Parallel
S ≡ {l|| k } (Al || Bl ). The agents A and B are executed in parallel. We translate this behavior to our graph structure as follows: 1. Introduce a new node s related with the node s from which the agent is execute. 2. The internal labels of s are obtained from those of s by adding Al and Bl , and removing {l|| k }. Notice that this corresponds to a concurrent semantics rather than an interleaving interpretation of the parallel operator. 3. The store and the temporal labels of s are the same as s. Return 60 / 71

Positive Ask S ≡ {lnowpk } now c then Al . If the current store entails c then the agent A is executed or does nothing otherwise. Next we describe how to translate this agent to our graph. 1. Add two new nodes s1 , s2 related with the node s from which the agent is execute. This branch corresponds to the two possible behaviors. 2. The store of s1 is deﬁned as the union of the store of s and the constraint c. 3. The store of s2 is deﬁned as the store of s plus the absence of the constraint c (i.e. C(s2 ) = C(s) ∧ ∼ c). 4. The internal labels of s1 are obtained from those of s by adding Al and removing {lnowpk }. 5. The internal labels of s2 are the same as s. 6. The temporal labels of s1 and s2 are the same as s. Return 61 / 71

A Model for tcc Programs Construction of the Model Skip
S ≡ {lskipk } skip. This agent does nothing at every time instant. We translate this agent to our graph as follows: 1. Construct a new node s related with the node s from which the agent is executed. 2. The internal labels of s are obtained from those of s by removing {lskipk }. 3. The store and the temporal labels of s are the same as s. Return 62 / 71

Call S ≡ {lpk } p(t1, . . . , tn ). This operator refers to another procedure which have diﬀerent labels and variables. To translate this agent to our graph we create a new node and the label associated to the ﬁrst agent of p is added to the internal labels of the node. Return 63 / 71

Negative Ask S ≡ {lnownk } now c else Al . If on the quiescent point the store does not entail c then the agent A is executed in the next time instant, or does nothing otherwise. We translate this behavior to our graph as follows: 1. Introduce two new nodes s1 , s2 related with the node s from which the agent is execute. This branch corresponds to the two possible behaviors of the agent. 2. The store of s1 is deﬁned as the union of the store of s and the constraint c. 3. The store of s2 is deﬁned as the store of s plus the absence of the constraint c. 4. The internal labels of s1 and s2 are the same as s by removing {lnownk }. 5. The temporal labels of s1 are the same as s. 6. The temporal labels of s2 are obtained from those of s by adding Al . Return 64 / 71

Delay S ≡ {lnextk } next Al . The agent A is executed in the next time instant. We translate this agent to our graph as follows: 1. Construct a new node s related with the node s from which the agent is execute. 2. The internal labels of s are the same as s but removing {lnextk }. 3. The temporal labels of s are obtained from those of s by adding Al . 4. The store of s is the same as s. Return 65 / 71

A Logic for the Specification of Properties The ntcc Logic
Definition (CLTL Semantics) We say that α ∈ Cω satisfies (or that it is a model of) F in CLTL, written α CLTL F, iff α, 1 CLTL F, where: α, i CLTL ˙ true α, i CLTL ˙ false α, i CLTL c iff α(i) c α, i CLTL ˙ ¬F iff α, i CLTL F α, i CLTL F ˙ ∧ G iff α, i CLTL F and α, i CLTL G α, i CLTL F ˙ ∨ G iff α, i CLTL F or α, i CLTL G α, i CLTL ◦F iff α, i + 1 CLTL F α, i CLTL F iff for all j ≥ i α, j CLTL F α, i CLTL ♦F iff there is a j ≥ i s.t. α, j CLTL F α, i CLTL ˙ ∃x F iff there is an x-variant α of α s.t. α , i CLTL F Define F = {α | α CLTL F}. We say that F is CLTL valid iff F = Cω, and that F is CLTL satisfiable iff F = ∅. Return 66 / 71

The Model Checking Algorithm Closure The closure of a formula
ϕ, CL(ϕ), is the smallest set of formulas satisfying the following conditions: 1. ϕ ∈ CL(ϕ), 2. ˙ ¬ϕ1 ∈ CL(ϕ), iﬀ ϕ1 ∈ CL(ϕ), 3. if ϕ1 ˙ ∧ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ), 4. if ϕ1 ˙ ∨ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ), 5. if ˙ ∃x ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ), 6. if ◦ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ), 7. if ˙ ¬ ◦ ϕ1 ∈ CL(ϕ), then ◦ ˙ ¬ϕ1 ∈ CL(ϕ), 8. if ϕ1 ∈ CL(ϕ), then ϕ1, ◦ ϕ1 ∈ CL(ϕ), 9. if ♦ϕ1 ∈ CL(ϕ), then ϕ1, ◦♦ϕ1 ∈ CL(ϕ) Return 67 / 71

The Model Checking Algorithm Model Checking Graph Definition (Model-Checking Graph)
Let ϕ be a formula, CL(ϕ) be the closure of ϕ and Z the tcc Structure. A node n of the model-checking graph is formed by a pair of the form (sn, Qn) where sn is a state of Z and Qn is a subset of CL(ϕ) and the atomic propositions such that the following conditions are satisfied: 1. for every atomic proposition p, p ∈ Qn iff p ∈ C(sn), 2. for every ˙ ∃x ϕ1 ∈ CL(ϕ), ˙ ∃x ϕ1 ∈ Qn iff ˙ ∃x ϕ1 ∈ C(sn), 3. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ˙ ¬ϕ1 / ∈ Qn, 4. for every ϕ1 ˙ ∧ϕ2 ∈ CL(ϕ), ϕ1 ˙ ∧ϕ2 ∈ Qn iff ϕ1 ∈ Qn and ϕ2 ∈ Qn, 5. for every ϕ1 ˙ ∨ϕ2 ∈ CL(ϕ), ϕ1 ˙ ∨ϕ2 ∈ Qn iff ϕ1 ∈ Qn or ϕ2 ∈ Qn, 6. for every ˙ ¬ ◦ ϕ1 ∈ CL(ϕ), ˙ ¬ ◦ ϕ1 ∈ Qn iff ◦ ˙ ¬ϕ1 ∈ Qn, 7. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ϕ1 ∈ Qn and ◦ ϕ1 ∈ Qn, 8. for every ♦ϕ1 ∈ CL(ϕ), ♦ϕ1 ∈ Qn iff ϕ1 ∈ Qn or ◦ ♦ϕ1 ∈ Qn. An edge in the graph is defined as follows: there will be an edge from one node n1 = (s1, Q1) to another node n2 = (s2, Q2) iff there is an arc from the node s1 to the node s2 in Z and for every formula ◦ϕ1 ∈ CL(ϕ), ◦ϕ1 ∈ Q1 iff ϕ1 ∈ Q2. This means that the next state s2 must satisfy φ if s1 satisfies ◦φ. Return 68 / 71

A Prototypical Tool Closure CL(¬ϕ) = {♦((in = true) ˙
∧ ˙ ¬ ◦ (x = 1)), ˙ ¬♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ◦ ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ˙ ¬ ◦ ♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ◦ ˙ ¬♦((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), (in = true) ˙ ∧ ˙ ¬ ◦ (x = 1), ˙ ¬((in = true) ˙ ∧ ˙ ¬ ◦ (x = 1)), ˙ ¬ ◦ (x = 1), ◦ ˙ ¬(x = 1), ◦ (x = 1), (x = 1), ˙ ¬(x = 1), (in = true), ˙ ¬(in = true) } Return 69 / 71

A Prototypical Tool Model Checking Graph s3 State s2 State
s1 State n1 n2 n3 n4 n5 n6 n7 n8 n9 n10 n12 n13 n14 n15 n16 s4 State n17 n18 n19 n20 n21 n22 n23 n24 s5 State n25 n26 n27 n28 s6 State n29 n30 n31 n32 n11 Return 70 / 71

A Prototypical Tool Strongly Connected Components s3 State s2 State
s1 State n3 n7 n13 s4 State n17 n21 s5 State n27 s6 State n29 n11 Self-Fulﬁlling SCC Return 71 / 71

Model Checking for tcc Calculus

Model Checking for tcc Calculus

More Decks by Jaime Arias Almeida

Other Decks in Research

Featured

Transcript