Model Checking for tcc Calculus

Model Checking for tcc Calculus
Cali
Jaime E. Arias Almeida
Supervisors:
Dr. Carlos Olarte
Dr. Eugenio Tamura
AVISPA Research Group
Pontiﬁcia Universidad Javeriana - Cali
December, 2012

View Slide

Motivation
Concurrent systems are everywhere:
• Engineering: Security protocols, mobile computing, synchronous systems.
• Science: Biological and chemical systems.
• Arts: Multimedia interaction.
Models of Concurrency
Formal models to describe and analyze concurrent systems. They must be:
• Simple.
• Expressive.
• Formal.
• Provide reasoning techniques.
Some examples: CCS [Mil89], the π calculus [Mil99, SW03], CSP [Hoa85],
CCP [Sar93].
2 / 71

View Slide

Motivation
• Concurrent Constraint Programming (ccp) [Sar93] is a formalism for con-
currency where agents interact with one another by adding (telling) and
reading (asking) information represented as constraints in a shared medium
(global store).
• The type of constraints and the entailment relation is given by a Constraint
System (e.g. x > 42 |= x > 0).
3 / 71

View Slide

Motivation
• Temporal Concurrent Constraint Programming (tcc) [SJG94] extends ccp
by adding temporal constructs for modeling timed and reactive systems.
• Formal veriﬁcation plays an important role in detecting errors in concurrent
systems. The presence of a system failure in air traﬃc control systems,
medical instruments, aircrafts or in general, reactives systems could be
catastrophic.
(a) Therac-25 (b) Ariane-5
Figure: Some disasters
4 / 71

View Slide

Motivation
• Verification of tcc programs is performed using inductive techniques since
the model does not provide automatic formal verification tools.
• Problems:
◦ Difficult
◦ Error prone
◦ Experts are required.
• Hubert Garavel [Gar08]: “...The research agenda for theoretical concur-
rency should therefore address the design of efficient algorithms for trans-
lating and verifying formal specifications of concurrent systems”.
5 / 71

View Slide

Motivation
• Model checking is an automated technique that, given a ﬁnite-state model
of a system and a formal property, systematically checks whether this
property holds for (a given state in) that model [CGP99].
• Advantages
◦ Formal technique.
◦ Fully-automatic.
◦ Experts are not required.
◦ Counterexample.
• Drawback:
◦ State-space explosion problem.
6 / 71

View Slide

Our Goal
• We aim at developing a model checking algorithm for tcc calculus to
automatically verify digital systems.
7 / 71

View Slide

Our Approach
Requirements System
Formalizing Modeling
Property
Speciﬁcation
System Model
Model Checking
Satisﬁed
Violated +
Counterexample
ntcc LTL tcc Structure
Classical approach and
prototype
Our approach: A model checking algorithm based on the work of Falaschi
and Villanueva [FV06].
8 / 71

View Slide

Our Contributions
• A structure for modeling the behavior of a tcc program.
• An algorithm for constructing the model from the tcc speciﬁcation.
• A method for reducing the size of a model.
• A model checking algorithm for verifying tcc programs.
• A prototype of the model checking algorithm.
9 / 71

View Slide

Outline
1 The tcc Calculus
2 The Model Checking Technique
3 A Model for tcc Programs
4 A Logic for the Speciﬁcation of Properties
5 The Model Checking Algorithm
6 A Prototypical Tool
7 Application
8 Concluding Remarks
10 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
11 / 71

View Slide

The tcc Calculus [SJG94]
Intuitive Description and Operational Semantics
temperature = ?
ask (temperature < 100) then Q
tell (temperature < 70)
ask (temperature = 50) then P
tell (temperature > 45)
12 / 71

View Slide

temperature = ?
tell (temperature < 70)
tell (temperature > 45)
12 / 71

View Slide

42 < temperature < 70
12 / 71

View Slide

12 / 71

View Slide

Q
Remains Blocked
12 / 71

View Slide

Stimulus
Store
Time Unit 1
1. Receives a stimulus (i.e. a constraint) from the environment.
13 / 71

View Slide

Stimulus
Time Unit 1
ccp Process
2. Computes a ccp process in the current time unit and wait for stability.
13 / 71

View Slide

Stimulus
Time Unit 1
Resting Point
Final Store
3. Responds with the resulting store.
13 / 71

View Slide

Stimulus
Time Unit 1
Resting Point
Final Store
Residual Process
Store
Time Unit 2
3. Responds with the resulting store.
4. Executes the residual process in the next time unit.
* Note: Stores are not automatically transferred from a time unit to the next
one.
13 / 71

View Slide

Syntax
Process Description Action within the time interval
tell (c) telling information add c to the store in the current
time interval
now c then P asking information executes P if c can be deduced
from the current store
∃x
(P) hiding executes P with local x
P || Q parallelism executes P and Q
next P unit-delay executes P in the next time unit
now c else P time-out executes P in the next time unit if
c cannot be entailed now
Syntax SOS
14 / 71

View Slide

Example
Example
p()::
now (in=true) then next(tell(x=2)) ||
now (in=true) else tell(x=1) || next(p())
Prototype
15 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
16 / 71

View Slide

The Model Checking Technique
Requirements System
Property
Speciﬁcation
System Model
Model Checking
Satisﬁed
Violated +
Counterexample
System Model: Models of systems describe the behavior of systems in a
formal way. They are mostly expressed using transition systems.
17 / 71

View Slide

Requirements System
Property
Specification
System Model
Model Checking
Satisfied
Violated +
Counterexample
Property Specification: Properties should be described in a precise and
unambiguous manner. Temporal logic is typically used to express properties.
17 / 71

View Slide

Requirements System
Property
Speciﬁcation
System Model
Model Checking
Satisﬁed
Violated +
Counterexample
Model Checking: Algorithm which checks the validity of the property in all
states of the system model.
17 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
18 / 71

View Slide

A Model for tcc Programs
Program Labeling
• The labeling process consists in assigning a different label to each occur-
rence of an agent in the program.
• Labels provide an unique identification for agents in order to know the
point of execution of the program during the construction of the model.
Example
{lp0
}p()::
{l||1
}({lnowp2
}now (in=true) then {lnext3
}next({ltell4
}tell(x=2)) ||
{l||5
}({lnown6
}now (in=true) else {ltell7
}tell(x=1) ||
{lnext8
}next({lp9
}p())))
Definition
19 / 71

View Slide

The tcc Structure
• tcc Structure is a graph structure which allows to model the behavior of
a tcc speciﬁcation.
• It is a variant of a Kripke Structure.
current store
internal labels temporal labels
(a) tcc state
Internal Transition
Temporal Transition
(b) Transitions
Figure: Components of a tcc Structure
Deﬁnition
20 / 71

View Slide

The tcc Structure
Definition (tcc Structure)
Let AP be a set of atomic propositions, we define a tcc Structure M over AP as a
seven tuple M = (S, S0, T, R, C, L, LT) where
1. S is a finite set of states.
2. S0 ⊆ S is the set of initial states.
3. T = {i, t} is the set of possible type of transitions. i denotes an internal
transition while t denotes a temporal transition.
4. R ⊆ S × S × T is a transition relation.
5. C : S → 2AP is the function that returns the set of atomic propositions in a
given state.
6. L : S → 2L is the function that returns the set of internal labels in a given state.
7. LT : S → 2L is the function that returns the set of temporal labels in a given
state.
21 / 71

View Slide

Construction of the Model
• Transitions are described according to the operational rules of each tcc
process.
• For each diﬀerent declaration we construct a tcc Structure.
• Each state is composed of labels associated with agents that can be
executed in a step of the construction process.
• Each label can be active or disable.
• The labels associated with temporal agents cannot be executed before all
the labels associated with normal agents are executed.
Algorithm
22 / 71

View Slide

Procedure Call:
p0
{lp0 }p()::
{l||1
}({lnowp2 }now (in=true) then {lnext3 }next({ltell4
}tell(x=2)) ||
{l||5
}({lnown6 }now (in=true) else {ltell7
}tell(x=1) || {lnext8 }next({lp9 }p())))
23 / 71

View Slide

Procedure Call:
p0
1
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Procedure Call:
p0
||1
1
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Parallel:
p0
||1
1
2
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Parallel:
p0
||1
1
2
nowp2,
||5
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Parallel:
nowp2,
nown6,
next8
3
p0
||1
1
2
nowp2,
||5
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
3
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
3
4 19
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
in=true
3
4 19
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
~(in=true)
in=true
3
4 19
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
~(in=true)
in=true
3
4 19
next3,
nown6,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Positive Ask:
nowp2,
nown6,
next8
~(in=true)
in=true
3
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
5 33
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5 33
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
in=true,~(in=true)
33
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
34 20
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
34
~(in=true),in=true
20
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
34
~(in=true),in=true
20
~(in=true)
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
20
~(in=true)
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
20
~(in=true)
nowp2,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Timed Negative Ask:
~(in=true)
in=true
4 19
next3,
nown6,
next8
nowp2,
nown6,
next8
in=true
5
next3,
next8
20
~(in=true)
nowp2,
next8
tell7
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Unit Delay:
5
next3,
next8
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Unit Delay:
in=true
5
next3,
next8
6
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Unit Delay:
in=true
5
next3,
next8
6
in=true
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Unit Delay:
in=true
5
next3,
next8
6
tell4,
p9
in=true
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Passage to the Next Time:
6
tell4,
p9
in=true
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

6
tell4,
p9
in=true
7
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

6
tell4,
p9
in=true
7
tell4,
p9
{lp0 }p()::
{l||1
}tell(x=2)) ||
{l||5
23 / 71

View Slide

Equivalent States:
6
tell4,
p9
in=true
7
tell4,
p9
13
tell4,
p9
x=2, in=true
14
tell4,
p9
24 / 71

View Slide

Equivalent States:
6
tell4,
p9
in=true
7
tell4,
p9
13
tell4,
p9
x=2, in=true
24 / 71

View Slide

Equivalent States:
6
tell4,
p9
in=true
7
tell4,
p9
13
tell4,
p9
x=2, in=true
• Reduction of states is necessary to decrease the state explosion problem.
• The store on the quiescent point is deﬁned as the output of the
computation.
24 / 71

View Slide

Simpliﬁcation of the Model
1 5
4
1 2 3 4 5
Sequence of internal transitions
(a) Reduction of a sequence of
internal transitions
2
1
3 4
2 2
1
3 4
(b) Reduction of a branching
Figure: Reduction rules
25 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
26 / 71

View Slide

A Logic for the Speciﬁcation of Properties
The ntcc Logic
• Linear temporal logic (LTL) named CLTL for reasoning about ntcc
processes.
• It expresses properties over sequences of constraints.
• ntcc is an extension of tcc.
Deﬁnition (CLTL Syntax)
The formulae F, G, . . . ∈ F are built from constraints c ∈ C in the
underlying constraint system by
F, G, . . . := c | ˙
true | ˙
false | F ˙
∧ G | F ˙
∨ G | ˙
¬F | ˙
∃x
F | ◦ F | F | ♦F
Semantics
27 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
28 / 71

View Slide

The Model Checking Algorithm
• Classical tableau algorithm for the LTL model checking
problem [CGP99, MP95, LP85].
• To prove that a property is satisﬁed, it is possible to prove that there is no
path in the model checking graph satisfying the negation of the formula.
29 / 71

View Slide

Definition (Strongly Connected Component)
Given a graph G, we define a Strongly Connected Component (SCC) S as a
maximal subgraph of G such that for every two distinct nodes A, B ∈ S,
there exists a path from A to B that passes through nodes of S.
We say that S is transient if it consists of a single node that is not
connected to itself.
Definition (Self-fulfilling SCC)
Given a model-checking graph G, a self-fulfilling strongly connected
component C is defined as a non-transient strongly connected component in
G which satisfies that for every node n in C and for every ♦φ ∈ Qn
there
exists a node m in C such that φ ∈ Qm
.
30 / 71

View Slide

Algorithm:
1. To construct the model checking graph using the negation of φ (i.e. ¬φ).
Deﬁnition
31 / 71

View Slide

Algorithm:
Deﬁnition
◦ First of all, we have to compute the closure CL(¬φ). This closure is
reminiscent to the Fisher Ladner’s one [MP95, FL79]. Deﬁnition
31 / 71

View Slide

Algorithm:
Definition
2. To look for a sequence such that starting from an initial node of the
graph that satisfies the negation of φ, it reaches a self-fulfilling strongly
connected component.
31 / 71

View Slide

Algorithm:
Definition
2. To look for a sequence such that starting from an initial node of the
graph that satisfies the negation of φ, it reaches a self-fulfilling strongly
connected component.
3. If we find a self-fulfilling SCC in the graph, then the system satisfies the
property represented by the negated formula (i.e. the model does not
satisfy the property).
31 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
32 / 71

View Slide

A Prototypical Tool
Property
• We represent a temporal formula as a binary syntax tree.
♦
∧
¬
◦
x=1
in=true
Figure: ♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1))
>>> phi = Formula ({"<>": {"^":{"":"in=true","~":{"o":"x=1"}}}})
33 / 71

View Slide

A Prototypical Tool
Model
nowp2,
||5
nowp2,
nown6,
next8
next3,
nown6,
next8
in=true ~(in=true)
next3,
next8
in=true
~(in=true)
tell7,
p9
tell4,
p9
in=true
2
tell4,
p9
tell7,
p9
7
X=2
p9
X=1
p9
8
X=2
nowp2,
||5
X=2
nowp2,
nown6,
next8
next3,
nown6,
next8
X=2, in=true
nowp2,
nown6,
next8
X=2, ~(in=true)
next3,
next8
tell7,
p9
tell4,
p9
tell4,
p9
tell7,
p9
X=2, in=true
X=2, ~(in=true)
X=2, in=true
3
4
5
6
9
nowp2,
next8
~(in=true)
tell7
19
nowp2,
nown6,
next8
20
21
22
23
10
11
12
13
14
nowp2,
next8
X=2, ~(in=true)
tell7
15
16
17
18
||1
1
p0
nowp2 nowp2
(a) tcc Structure
p0
~(in=true)
tell7,
p9
tell4,
p9
in=true
tell7,
p9
X=2, ~(in=true)
X=2, in=true
tell4,
p9
tell7,
p9
X=1, ~(in=true)
X=1, in=true
tell4,
p9
6 (s1)
13 (s2)
17 (s3)
21 (s4)
28 (s5)
32 (s6)
nowp2
nowp2
nowp2
(b) Simpliﬁed tcc Structure
Figure: Model of the system
Results
34 / 71

View Slide

A Prototypical Tool
Model
• We assume that a tcc Structure is a list of tcc nodes.
store: (list of Formulas)
internal: (list of strings)
temporal: (list of strings)
edges: (list of integers)
initial: (boolean)
tcc node
Figure: tcc node
>>> {"store": [Formula ({"":"in=true"})], "internal": [], "temporal": ["
tell4","p9"], "edges": [2,3], "initial": True}
35 / 71

View Slide

A Prototypical Tool
Model Checking Algorithm
Closure
>>> getClosure(phi ,closure)
{’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}
{’~’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}}
{’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}}
...
See
Model Checking Nodes
>>> atoms = getAllAtoms(closure)
>>> model_checking_atoms = getModelCheckingAtoms (tcc_structure ,atoms)
tcc State 1
Atom 1
{’o’: {’<>’: {’^’: {’’: ’in=true ’, ’~’: {’o’: ’x=1’}}}}}
{’’: ’in=true ’}
...
36 / 71

View Slide

A Prototypical Tool
Model Checking Graph
>>> model_checking_graph = getModelCheckingGraph (tcc_structure ,
model_checking_atoms )
>>> model_checking_graph
{1: [], 2: [], 3: [9, 11, 12, 13, 15], 4: [10, 16, 14], 5: [], 6: [],
7: [9, 11, 12, 13, 15], 8: [10, 16, 14], 9: [], 10: [], 11: [9, 11,
12, 13, 15], 12: [10, 16, 14], 13: [25, 27, 28, 29, 31], 14: [26,
32, 30], 15: [], 16: [], 17: [25, 27, 28, 29, 31], 18: [26, 32,
30], 19: [], 20: [], 21: [25, 27, 28, 29, 31], 22: [26, 32, 30],
23: [], 24: [], 25: [], 26: [], 27: [9, 11, 12, 13, 15], 28: [10,
16, 14], 29: [25, 27, 28, 29, 31], 30: [26, 32, 30], 31: [], 32:
[]}
See
37 / 71

View Slide

A Prototypical Tool
Strongly Connected Components
>>> strongly_connected_components = tarjan( model_checking_graph )
>>> sccGraphs = getModelCheckingSCCSubgraphs (
strongly_connected_components , tcc_structure , model_checking_atoms ,
model_checking_graph )
>>> sccGraphs [0]
[{3: [11, 13], 7: [11, 13], 11: [11, 13], 13: [27, 29], 17: [27, 29],
21: [27, 29], 27: [11, 13], 29: [27, 29]}]
See
38 / 71

View Slide

A Prototypical Tool
Self-fulﬁlling SCC
>>> initialNodes = getInitialNodes (tcc_structure , model_checking_atoms )
>>> initialNodesEntailFormula (sccGraphs [0], initialNodes ,
model_checking_atoms ,formula)
True
>>> isSelfFulfilling (sccGraphs [0], initialNodes , model_checking_atoms )
True
>>> result = modelSatisfiesProperty (phi , tcc_structure )
is Self Fulfilling : True
Initial Nodes Entail Formula: True
>>> print "Model Satisfies Original Formula: ", not result
Model Satisfies Formula: False
39 / 71

View Slide

A Prototypical Tool
Results
1. tcc Program: See
2. tcc Structure: See
3. Property:
◦ φ = ((in = true) ˙
⇒ ◦ (x = 1))
◦ ˙
¬φ = ♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1))
4. Model Checking Algorithm1:
◦ Self-fulﬁlling SCC: True
◦ Initial Nodes Entail Formula: True
◦ Model Satisﬁes Formula: True
5. Conclusion: Model does not satisfy the original formula.
1http://escher.puj.edu.co/~jearias/files/tccModelChecking.zip
40 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
41 / 71

View Slide

Application
Coffee Vending Machine
• Model checking is a principal technique for verifying finite-state reactive
systems, and in particular, digital systems [Kot08a] (e.g. Traffic light
controller [BCDM86, Swa97], radar jammer [CEP03], sequence detec-
tor [KK09], binary comparator [Kot08b]).
• The coffee machine provides the user with a cup of coffee or a cup of hot
water (for tea), given that the consumer has inserted the required amount
of money.
Coffee 10
5
Tea
42 / 71

View Slide

Application
Modeling and Verification of Digital Systems
• To describe the digital system using tcc.
• To create the model (tcc Structure) of the system.
• To specify the properties to be verified.
• Use the model checking algorithm to determine whether the model
satisfies the property.
43 / 71

View Slide

Outline
1 The tcc Calculus
7 Application
44 / 71

View Slide

Concluding Remarks
Overview
• We proposed a model checking algorithm for tcc, an automated formal
verification tool.
• Model of the system:
◦ Structure (tcc Structure) to model the behavior of a tcc system.
◦ Algorithm to construct the tcc Structure from the tcc specification.
◦ Method to simplify the model.
• Temporal logic to specify properties of tcc systems.
• Algorithm to determine whether the model of the system satisfies a
formula.
• Prototype of the model checking algorithm.
45 / 71

View Slide

Concluding Remarks
Future Work
• Local operator in the model construction algorithm.
• Automatic tool for constructing the model of the system.
• Symbolic and abstract techniques for reducing the state explosion
problem.
• ntcc model checking.
• Prototype improvement (e.g. compute automatically the negated form of
the formulas).
46 / 71

View Slide

Thank you!

View Slide

References (1)
Michael C. Browne, Edmund M. Clarke, David L. Dill, and Bud Mishra.
Automatic Veriﬁcation of Sequential Circuits Using Temporal Logic.
IEEE Transactions on Computers, C-35(12):1035–1044, 1986.
Luis Alejandro Cort´
es, Petru Eles, and Zebo Peng.
Modeling and Formal Veriﬁcation of Embedded Systems Based On a
Petri Net Representation.
Journal of Systems Architecture, 49:571–598, 2003.
Edmund M. Clarke, Orna Grumberg, and Doron A. Peled.
Model Checking.
MIT Press, Cambridge, 1999.
Michael J. Fischer and Richard E. Ladner.
Propositional Dynamic Logic of Regular Programs.
Journal of Computer and System Sciences, 18(2):194–211, 1979.
48 / 71

View Slide

References (2)
Moreno Falaschi and Alicia Villanueva.
Automatic Veriﬁcation of Timed Concurrent Constraint Programs.
Theory and Practice of Logic Programming, 6(3):265–300, 2006.
Hubert Garavel.
Reﬂections on the Future of Concurrency Theory in General and
Process Calculi in Particular.
In Proceedings of LIX Colloquium on Emergent Trends in Concurrency
Theory, volume 209 of Electronic Notes in Theoretical Computer
Science, pages 149–164. Elsevier, 2008.
C. A. R. Hoare.
Communicating Sequential Processes.
Prentice Hall, 1985.
49 / 71

View Slide

References (3)
Daniela Kotmanov´
a and Milan Koles´
ar.
Application of Model Checking to the Verification of Digital Systems.
Acta Electrotechnica et Informatica, 9(2):30–37, 2009.
Daniela Kotmanov´
a.
Temporal Logic in Verification of Digital Circuits.
Journal of Electrical Engineering, 59(1):14–22, 2008.
Daniela Kotmanov´
a.
Temporal Logic in Verification of Digital Circuits.
Journal of Electrical Engineering, 59(1):14–22, 2008.
50 / 71

View Slide

References (4)
Orna Lichtenstein and Amir Pnueli.
Checking that Finite State Concurrent Programs Satisfy their Linear
Speciﬁcation.
In Proceedings of the 12th ACM SIGACT-SIGPLAN Symposium on
Principles of Programming Languages, pages 97–107, New York, NY,
USA, 1985. ACM Press.
Robin Milner.
Communication and Concurrency.
International Series in Computer Science. Prentice Hall, 1989.
Robin Milner.
Communicating and Mobile Systems: the Pi-Calculus.
Cambridge University Press, 1999.
51 / 71

View Slide

References (5)
Zohar Manna and Amir Pnueli.
Temporal Veriﬁcation of Reactive Systems: Safety.
Springer-Verlag New York, Inc., 1995.
Vijay A. Saraswat.
Concurrent Constraint Programming.
The MIT Press, 1993.
Vijay A. Saraswat, Radha Jagadeesan, and Vineet Gupta.
Programming in Timed Concurrent Constraint Languages.
In Constraint Programming: Proceedings 1993, NATO Advanced
Science Institute Series, pages 361–410, Berlin, 1994. Springer-Verlag.
Davide Sangiorgi and David Walker.
The Pi-Calculus: A Theory of Mobile Processes.
Cambridge University Press, 2003.
52 / 71

View Slide

References (6)
Gitanjali Swamy.
Formal Veriﬁcation of Digital Systems.
In Proceedings of the 10th International Conference on VLSI Design,
pages 213–217, Washington, 1997. IEEE Computer Society.
53 / 71

View Slide

Formal Syntax
(Agents) A ::= c (Tell)
| now c then A (Timed Positive Ask)
| now c else A (Timed Negative Ask)
| next A (Unit Delay)
| abort (Abort)
| skip (Skip)
| A || A (Parallel Composition)
| ∃x(A) (Hiding)
| g (Procedure Call)
(Procedure Calls) g ::= p(t1, . . . , tn)
(Declarations) D ::= g :: A (Deﬁnition)
| D.D (Conjunction)
(Programs) P ::= D.A
Return
54 / 71

View Slide

Formal Operational Semantics
Axioms for →. The binary relation → on conﬁgurations is the least relation satisfying the
rules :
(?, skip) → ?
(?, abort) → abort
(?, A || B) → (?, A, B)
(?, ∃x(A)) → (?, A[y/x]) (y not free in ?)
(?, p(t1, . . . , tn)) → (?, A[x1 → t1, . . . , xn → tn])
σ(?) c
(?, now c then A) → (?, A)
σ(?) c
(?, now c else B) → ?
Axioms for . The binary relation is the least relation satisfying the single rule :
∆, {now ci else Ai | i < n}
∆, {now ci else Ai | i < n}, {next Bj | j < m} {Ai | i < n}, {Bj | j < m}
Return
55 / 71

View Slide

Program Labeling
Let P be a tcc speciﬁcation, the labeled version Pl
of P is deﬁned as follows.
The subindex k ∈ N corresponds to the number of labels introduced up to a
given point. When the labeling process starts, k = 0 and each time that we
introduce a new label, k is incremented by one.
• If P = tell c then Pl
= {ltellk
} tell c.
• If P = now c then A then Pl
= {lnowpk
} now c then Al
.
• If P = now c else A then Pl
= {lnownk
} now c else Al
.
• If P = next A then Pl
= {lnextk
} next Al
.
• If P = skip then Pl
= {lskipk
} skip.
• If P = A || B then Pl
= {l||
k
} (Al || Bl
).
• If P = p(t1, . . . , tn
) then Pl
= {lpk
} p(t1, . . . , tn
).
Return
56 / 71

View Slide

The tcc Structure
Definition (tcc State)
Let AP be the atomic propositions in the tcc syntax and L be the set of all
labels generated during the labeling process described above. We define the
set of states as S ⊆ 2AP × 2L.
Definition (Equivalent States)
Given two tcc states s and s , we say that two states are equivalent if
1. the set of labels of s and s coincide, and
2. there exists a renaming γ of variables of the constraints in s which makes
them syntactically identical to the set of constraints of s .
Return
57 / 71

View Slide

Our procedure consists in locating an active label and perform the actions
associated with such agent. The process is performed while there are active
labels. When we reach a state where there is no active labels (quiescent
point) we have to pass to the next time unit, and then we continue with the
procedure. We represent this passage in our graph as follows:
1. Introduce a new node s related with s by a temporal transition. The
state s is a state where there is no active labels.
2. We introduce the temporal labels of s in the labels of s .
3. The store and the temporal labels of s are empty.
Return
58 / 71

View Slide

Tell S ≡ {ltellk
} tell c. The new information c is added to the
store in the current time. We translate this behavior to our
graph structure as follows:
1. Add a new node s related with the node s from which the
agent is execute.
2. The store of s is deﬁned as the store of s plus the
constraint c (i.e. C(s ) = C(s) ∧ c).
3. The internal labels of s are obtained from those of s by
removing {ltellk
} (i.e. L(s ) = L(s)\{ltellk
}).
4. The temporal labels of s are the same as s (i.e.
LT(s ) = LT(s)).
Return
59 / 71

View Slide

Parallel S ≡ {l||
k
} (Al || Bl
). The agents A and B are executed in
parallel. We translate this behavior to our graph structure as
follows:
1. Introduce a new node s related with the node s from
which the agent is execute.
adding Al
and Bl
, and removing {l||
k
}. Notice that this
corresponds to a concurrent semantics rather than an
interleaving interpretation of the parallel operator.
3. The store and the temporal labels of s are the same as s.
Return
60 / 71

View Slide

Timed Positive Ask S ≡ {lnowpk
} now c then Al
. If the current store entails
c then the agent A is executed or does nothing otherwise.
Next we describe how to translate this agent to our graph.
1. Add two new nodes s1
, s2
related with the node s from
which the agent is execute. This branch corresponds to
the two possible behaviors.
2. The store of s1
is deﬁned as the union of the store of s
and the constraint c.
3. The store of s2
is deﬁned as the store of s plus the
absence of the constraint c (i.e. C(s2
) = C(s) ∧ ∼ c).
4. The internal labels of s1
are obtained from those of s by
adding Al
and removing {lnowpk
}.
are the same as s.
6. The temporal labels of s1
and s2
are the same as s.
Return
61 / 71

View Slide

Skip S ≡ {lskipk
} skip. This agent does nothing at every time
instant. We translate this agent to our graph as follows:
1. Construct a new node s related with the node s from
which the agent is executed.
removing {lskipk
}.
3. The store and the temporal labels of s are the same as s.
Return
62 / 71

View Slide

Procedure Call S ≡ {lpk
} p(t1, . . . , tn
). This operator refers to another
procedure which have diﬀerent labels and variables. To
translate this agent to our graph we create a new node and
the label associated to the ﬁrst agent of p is added to the
internal labels of the node.
Return
63 / 71

View Slide

Timed Negative Ask S ≡ {lnownk
} now c else Al
. If on the quiescent point
the store does not entail c then the agent A is executed in
the next time instant, or does nothing otherwise. We
translate this behavior to our graph as follows:
1. Introduce two new nodes s1
, s2
related with the node s
from which the agent is execute. This branch corresponds
to the two possible behaviors of the agent.
2. The store of s1
is deﬁned as the union of the store of s
and the constraint c.
3. The store of s2
is deﬁned as the store of s plus the
absence of the constraint c.
and s2
are the same as s by
removing {lnownk
}.
are the same as s.
are obtained from those of s by
adding Al
.
Return
64 / 71

View Slide

Unit Delay S ≡ {lnextk
} next Al
. The agent A is executed in the next
time instant. We translate this agent to our graph as follows:
1. Construct a new node s related with the node s from
which the agent is execute.
2. The internal labels of s are the same as s but removing
{lnextk
}.
3. The temporal labels of s are obtained from those of s by
adding Al
.
4. The store of s is the same as s.
Return
65 / 71

View Slide

A Logic for the Specification of Properties
The ntcc Logic
Definition (CLTL Semantics)
We say that α ∈ Cω satisfies (or that it is a model of) F in CLTL, written α CLTL F, iff
α, 1 CLTL F, where:
α, i CLTL
˙
true
α, i CLTL
˙
false
α, i CLTL c iff α(i) c
α, i CLTL ˙
¬F iff α, i CLTL F
α, i CLTL F ˙
∧ G iff α, i CLTL F and α, i CLTL G
α, i CLTL F ˙
∨ G iff α, i CLTL F or α, i CLTL G
α, i CLTL ◦F iff α, i + 1 CLTL F
α, i CLTL F iff for all j ≥ i α, j CLTL F
α, i CLTL ♦F iff there is a j ≥ i s.t. α, j CLTL F
α, i CLTL
˙
∃x F iff there is an x-variant α of α s.t. α , i CLTL F
Define F = {α | α CLTL F}. We say that F is CLTL valid iff F = Cω, and that F is CLTL
satisfiable iff F = ∅.
Return
66 / 71

View Slide

Closure
The closure of a formula ϕ, CL(ϕ), is the smallest set of formulas satisfying the
following conditions:
1. ϕ ∈ CL(ϕ),
2. ˙
¬ϕ1 ∈ CL(ϕ), iﬀ ϕ1 ∈ CL(ϕ),
3. if ϕ1
˙
∧ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ),
4. if ϕ1
˙
∨ϕ2 ∈ CL(ϕ), then ϕ1, ϕ2 ∈ CL(ϕ),
5. if ˙
∃x ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ),
6. if ◦ϕ1 ∈ CL(ϕ), then ϕ1 ∈ CL(ϕ),
7. if ˙
¬ ◦ ϕ1 ∈ CL(ϕ), then ◦ ˙
¬ϕ1 ∈ CL(ϕ),
8. if ϕ1 ∈ CL(ϕ), then ϕ1, ◦ ϕ1 ∈ CL(ϕ),
9. if ♦ϕ1 ∈ CL(ϕ), then ϕ1, ◦♦ϕ1 ∈ CL(ϕ)
Return
67 / 71

View Slide

Definition (Model-Checking Graph)
Let ϕ be a formula, CL(ϕ) be the closure of ϕ and Z the tcc Structure. A node n of the
model-checking graph is formed by a pair of the form (sn, Qn) where sn is a state of Z and Qn is a
subset of CL(ϕ) and the atomic propositions such that the following conditions are satisfied:
1. for every atomic proposition p, p ∈ Qn iff p ∈ C(sn),
2. for every ˙
∃x ϕ1 ∈ CL(ϕ), ˙
∃x ϕ1 ∈ Qn iff ˙
∃x ϕ1 ∈ C(sn),
3. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ˙
¬ϕ1 /
∈ Qn,
4. for every ϕ1
˙
∧ϕ2 ∈ CL(ϕ), ϕ1
˙
∧ϕ2 ∈ Qn iff ϕ1 ∈ Qn and ϕ2 ∈ Qn,
5. for every ϕ1
˙
∨ϕ2 ∈ CL(ϕ), ϕ1
˙
∨ϕ2 ∈ Qn iff ϕ1 ∈ Qn or ϕ2 ∈ Qn,
6. for every ˙
¬ ◦ ϕ1 ∈ CL(ϕ), ˙
¬ ◦ ϕ1 ∈ Qn iff ◦ ˙
¬ϕ1 ∈ Qn,
7. for every ϕ1 ∈ CL(ϕ), ϕ1 ∈ Qn iff ϕ1 ∈ Qn and ◦ ϕ1 ∈ Qn,
8. for every ♦ϕ1 ∈ CL(ϕ), ♦ϕ1 ∈ Qn iff ϕ1 ∈ Qn or ◦ ♦ϕ1 ∈ Qn.
An edge in the graph is defined as follows: there will be an edge from one node n1 = (s1, Q1) to
another node n2 = (s2, Q2) iff there is an arc from the node s1 to the node s2 in Z and for every
formula ◦ϕ1 ∈ CL(ϕ), ◦ϕ1 ∈ Q1 iff ϕ1 ∈ Q2. This means that the next state s2 must satisfy φ if s1
satisfies ◦φ.
Return
68 / 71

View Slide

A Prototypical Tool
Closure
CL(¬ϕ) = {♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
˙
¬♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
◦ ♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
˙
¬ ◦ ♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
◦ ˙
¬♦((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
(in = true) ˙
∧ ˙
¬ ◦ (x = 1),
˙
¬((in = true) ˙
∧ ˙
¬ ◦ (x = 1)),
˙
¬ ◦ (x = 1), ◦ ˙
¬(x = 1),
◦ (x = 1), (x = 1), ˙
¬(x = 1),
(in = true), ˙
¬(in = true)
}
Return
69 / 71

View Slide

A Prototypical Tool
s3 State
s2 State
s1 State
n1
n2
n3
n4
n5
n6
n7
n8
n9
n10
n12
n13
n14
n15
n16
s4 State
n17
n18
n19
n20
n21
n22
n23
n24
s5 State
n25
n26
n27
n28
s6 State
n29
n30
n31
n32
n11
Return
70 / 71

View Slide

A Prototypical Tool
Strongly Connected Components
s3 State
s2 State
s1 State
n3
n7
n13
s4 State
n17
n21
s5 State
n27
s6 State
n29
n11
Self-Fulﬁlling SCC
Return
71 / 71

View Slide

Model Checking for tcc Calculus

Model Checking for tcc Calculus

Jaime Arias Almeida

More Decks by Jaime Arias Almeida

Other Decks in Research

Featured

Transcript