You are on page 1of 50

La Vrification Formelle

Basics

Stephane Maag CNRS Samovar


Stephane.Maag@it-sudparis.eu Ecole dt Can Tho 2010

Content
3 Techniques de Verification

Equivalence de modles Preuves Model-checking

CTL Sat / BDD

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Rappel
VERIFICATION
spcifient
abstraction raffinements

TEST

Ides Ides
Conforme

Modle Modle Formel Formel

spcifient Conforme

Modle raffin Modle raffin

Systme Systme

dveloppe

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Techniques de Vrification formelle


3 techniques majeures

Vrification du code
Analyse statique pas de modles formels Reverse engineering BLAST, SLAM : pour les prog. C Bandera: JAVA Verisoft: C++

3 types de Vrification des modles


Equivalences de modles Mthodes dductives (preuve) Model checking

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Equivalence de modles
Equivalence de modles (Equivalence checking)

Comparaison de 2 spcifications : comparaison de modles Prouver que le comportement dun systme est quivalent un comportement donn Vrification complte, mais en pratique non ralisable sur des gros modles

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Techniques de preuve
Mthodes dductives (Theorem proving)

Prouver mathmatiquement quune proprit extraite du cahier des charges est vrifie dans le modle
Exple: timer dans un datagramme TCP respect dans la spcification Outil COQ (INRIA) theorem prover - infrence HOL (Higher Order Logic Austrialian National University) MetaLanguage (ML) Essentiellement pour les proprits qualitatives/fonctionnelles Vrification sur des systmes tats infinis

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Techniques de model-checking
Model checking

Ide: trouver, dans un modle formel, le contre exemple dune proprit dfinie laide dun langage logique. Modles Markoviens ou quantative-bound LTS Beaucoup plus rpandu utilis dans de nombreux domaines De nombreux outils Prop. qualitative/quantitative adapt la QoS Outils: SPIN, PRISM, UPPAAL, etc. Intrt industriel certain car aide la modlisation et rapide obtention des erreurs
Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Principes de base du model-checking


Modle formel
Un Model Checker est un outil qui vrifie si un Modle satisfait une Proprit

Proprit
Compilateur, simulateur

Systme de transitions tiquets

model-checker

Diagnostic (Vrai / Faux + contre exemple)


8 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Modle: un terme plein de bon sens !


Here models as they are used for model-checking are just annotated graphs:

A finite set of states, S Some initial state s0 A transition relation between states, TSS A finite set of atomic propositions, AP A labelling function L : S P(AP)

known as a kripke structure:

Labelled Transition systems, LTS Finite State machines, FSM State charts,
* For a physicist a model is a differential equation; For a biologist, it may be mice or frogs

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

An Example

AP = {empty, full} Some LTL formula that are valid for this model: empty (X empty) full (X full)
Stephane (X is for neXt)Maag / TSP

10

Ecole dt Can Tho, Sept. 2010

What are models good for?


System description and design:

The future system must conform to the model(s) The model(s) may be used as a starting point for (automatic) development

System analysis

Observing the existing system, one extracts a model and studies it

Essential role in V and V and quality assurance


11 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Programs
Everybody knows what it is Here:

A program is a piece of text in a (hopefully) well defined language There is a syntax, some semantics, and compilers

A program is a very detailed solution to a much more abstract problem [Ball2005]


12 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Why are programs useful?


They can be compiled and embedded into some systems.

13

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Interlude

A program text or a specification text is NOT the system !

14

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Systems
A system is a dynamic entity, embedded in the physical world It is observable via some limited interface/procedure It is not always controllable Quite different from a piece of text (formula, program) or a diagram

15

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Systems are the actual objects of interest How to ensure that a system satisfies certain properties?

Properties?

1. 2. 3.
16

Texts in natural languages Formulas in a given specification logic Sets of mandatory or forbidden behaviours
Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Calls to lock and unlock must alternate.

(locked X unlocked) (unlocked X locked)

The classical process

17

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Properties, specification languages


Logic-based specification languages

VDM, Z, CASL, HOL, B, JML, Temporal Logics: LTL, CTL,

Behaviour-based specification languages

Lotos, Promela, CSP, State charts, Petri Nets, Timed automata

Usages

Global requirement on the system as a whole, or of some subsystems Assertions in programs and models: pre-conditions, post-conditions, invariants.
Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

18

Types de proprits fonctionnelles


Atteignabilit Un tat du systme peut tre atteint Le train peut traverser le passage niveau Vivacit Sous certaines conditions, un vnement finira par se produire

Lorsque le train a annonc son arrive, la barrire finira par souvrir Sret Un vnement indsirable ne se produira jamais Il est impossible que la barrire soit ouverte et le train soit au niveau de la barrire. Absence de blocage Le systme ne se trouvera jamais dans une situation o il ne peut plus voluer Lorsque la barrire est ferme, elle peut toujours se rouvrir quit Un vnement se produira infiniment souvent La barrire sera ouverte infiniment souvent
19 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Model-checking problem

|=

System model Satisfaction relation

System property

20

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

The CTL Logic Computation Tree Logic


CTL allows to reason on computation tree Examples

There exists a path with a state in which P holds EF P


21 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

EXAMPLES

On each path there exists a state in which P holds true AF P (= EF P)

There exists an infinite path on which P holds in each state EG P (= E F P)

The temporal operators are of two types: - on an execution ( a path) - on all executions (all paths)

In all reachable states, P holds true AG P (= EF P)


22 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Temporal operators on an execution : X, F, G, U


X : the next state satisfies (neXt) F : there exists a state in the future which satisfies (Future) G : all the states satisfy (Global) G (= F ) U : a state in which holds and up to this state holds true (Until) F true U

23

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Formulas associated to the states of the automaton L(open_i) = {open, level = i}, i=0,1,2 L(close_i) = {open } i=0,1,2

an execution of the automaton

s,0 |= X open s,0 |= F close s,2 |= X open X level = 1 s,i |= G F open i = 0,, 5
24 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Notation: s|= P s,0 |= P

s |= G open

s |= open U level = 1

25

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Temporal operators on all executions : A, E


A : all the executions starting from the current state satisfy E : there exists an execution starting from the current state

E F : we can have , negation of a safety property A F : we will have mandatorily , liveness property
s,3 |= A X open Notation : A |= iff s,0 |= where contains A or E
26 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Example

Asc the controller of the lift :

Asc |= E G open Asc |= AG (open AX open) Asc |= AG (open EX open)

27

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Precise definition of CTL


Syntactical restrictions:

Each temporal operator X, F, G, U have to be on immediate scope of a A or E , the combinations are:


AX,AF, AG, AU, EX, EF, EG, EU

Syntax: atomic propositions are CTL formulas

if f and g are CTL formulas, then


f, f g, AX f, EX f, A(fUg), E(fUg) are also CTL formulas

Extensions :


28

f g = (f g) AF g = A(true U g) EF g = E(true U g) AG f = E(true U f) EG f = A(true U f)

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Semantic of CTL
s |= f (f atomic) s |= f s |= f g s,0 |= AX f s,0 |= EX f s,0 |= A (f U g) iff f L(s) iff s | f iff s|=f and s|=g iff for all s such that s0 = s,0, s,1|= f iff it exists a s such that s0 = s,0 and s,1|= f iff for all s s.t. s0 = s,0, it exists i0 s.t. s,i |= g and for all j<i, s,j |= f s,0 |= E (f U g) iff

it exists a s s.t. s0 = s,0 and it exists i0 s.t. s,i |= g and for all j<i, s,j |= f

29

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Algorithme CTL
Principe:

On dnote A (structure Kripke) et une formule CTL On marque chaque tat q de A et chaque sous formule si q |=
On construit q. partir de q. A |= iff q0. = vrai

Le nombre dtats doit tre fini

30

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Algorithme CTL (1)


procedure marking(phi, A) cas 1 : = f (*atomic*) for all q in A.Q do if f l(q) then q. := true else q. := false cas 2 : =

marking (, A); for all q in A.Q do q. := not(q. ) cas 3 : = 1 2 marking (1, A); marking (2, A); for all q in A.Q do q. := and (q.1, q.2)

31

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Algorithme CTL (2)


cas 4 : = EX marking(, A); for all q in A.Q do q. := false; for all (q, q) in A.T do if q. then q. := true

cas 5: = AX (* as EX *)

32

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Algorithme CTL (3)


cas 6 : = E 1 U 2 marking (1, A); marking (2, A); (*initialisations : *) for all q in A.Q do q. := false; q.dejavu := false; (* at the beginning L = {q | q |= 2} : *) L := { } ; for all q in A.Q do if q. 2 then L := L + {q} ; for all q in L do L := L {q} ; q. := true; for all (q, q) in A.T do if q.dejavu = false then q.dejavu := true; if q. 1 then L := L + {q} ; cas 7 : phi = A 1 U 2 (*+complex, same principle*)

33

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Cons and pro of CTL


Model checking of linear complexity

difficulties or unwillingness to express some kinds of properties (but they are advanced techniques resolving that issue!)

Other temporal logics: CTL*, PLTL (PSPACE complet), FCTL (Fairness), TCTL (Timers), Logiques avec pass: pas de model-checkers.
34 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Problme !!
Le nombre dtats dun systme est exponentiel dans son nombre de variables

Les algorithmes nafs des model-checkers ne


suffisent plus

Comment viter, ou du moins restreindre leffet


ngatif de lexplosion combinatoire?

35

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Model-checking Symbolique: ens. dtats, BDD


Il existe plusieurs autres techniques pour grer un nombre colossal dtats: les explorations on-thefly, abstractions; En combinant toutes ces techniques, nous savons grer de gros automates:

En 1992, 10 tats ont t analyss


A = < Q, T, & >

Notations:
Sat ( ) = ensemble dtats satisfaisant S Q, Pre (S) = ens. des prdcesseurs immdiats de S

36

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Obtention de Sat(), CTL


Sat() = Q\Sat() Sat( ) = Sat() Sat( ) Sat(EX ) = Pre(Sat()) Sat(AX ) = Q\Pre(Q\Sat()) Sat(EF ) = Pre*(Sat()) & Obtention itratives dtats Calcul de Pre*(S)
X := S ; Y := { } ; while Y X do (*computation of the fix point*) Y := X ; X := X + Pre(X) ; (* + is the union*) return(X) ;
37 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

(1)

Obtention de Sat(), CTL

(2)

Cas de A 1 U 2 - dfinition rcursive: 2 ( 1 EX true AX(A 1 U 2) P1 := Sat [1] ; P2 := Sat [2] ; X := P2 ; Y := { } ; while Y X do Y := X ; X := X + (P1 /\ pre(Q) /\ (Q\Pre(Q\X))) return(X) ;
38 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

Ce qui est recherch


Une implmentation efficace

Pour reprsenter lens. Sat(f) avec f atomic, Pour calculer Pre(S) partir de la reprsentation de S, Pour calculer le complmentaire, lunion et lintersection, Pour lgaliter de 2 ensembles.

39

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

BDD - Binary Decision Diagrams


X1, , xn: variables boolennes <b1, , bn>: vecteur de boolens Comment reprsenter lens. de vecteurs tq
(x1,,xn) soit vraie ?

Solution classique: arbre de dcision

40

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

BDD
Exemple: (x1 x3) (x2 x4)

Avantage: Test en n comparaisons Inconvnient: taille exponentielle


41 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

BDD
BDD = arbre de dcision rduit

1. 2.

Les sous arbres tant les mmes sont partags Le choix inutiles sont omis

Ex.: si b1 et b2 sont vrais, b3 est inutile

42

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Oprations sur les BDD


Ensemble vide, seulement une feuille F Comparaison de 2 ens.: mme BDD Complmentaire: on remplace les feuilles T par les feuilles F et rciproquement Union et Intersection: .., non complexit quadratique . stop !
43 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

BDD pour reprsenter un automate


Principe: coder les tats et transitions par des n-tuples de boolens. Ex.: Les tats: 6 tats q0, , q5, une variable boolen open, une variable level qui peut prendre les valeurs 0, 1, 2 et ND. 3 bits pour q, 1 pour open et 2 pour level. FFT T FF en q1, open est vraie et level vaut 0 open level = ND

44

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Les transitions:

Il peut y avoir des ens. de couples dtats

Si les tats sont cods par n bits

Vecteur de n n bits o on priorise le dernier n

45

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

46

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Calcul de Pre(S)
Soit des BDDT ou BDDS

(1)

On construit BDDS o chaque bi des BDDS devient bi (complexit: O(n))

On construit BDDS BDDS

ens. de couples <s,s> de T tq sS (complexit O(n))

47

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Calcul de Pre(S)
On abstrait / bi (complexit O(n))

(2)

(i.e. on loublie)

Nous avons maintenant tous les lments pour implmenter le model-checker symbolique de CTL.

Problme: la complexit en mmoire au pire des cas est exponentielle les performances sont dpendantes de lordre des variables

48

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

Few Model-Checkers
SPIN (Promela, LTL) NuSMV 2 (CTL) combines BDD-based model checking with SAT-based model checking. FDR (CSP, refinements) Timed automata: UPPAAL, KRONOS Stochastic models: PRISM, APMC

For Model-checking
49 Stephane Maag / TSP Ecole dt Can Tho, Sept. 2010

REFERENCES
Deux livres:
A Roadmap for Formal Property Verification, Pallab Dasgupta, Springer-Verlag New York Inc., 2006 Applied Formal Verification, Douglas L. Perry et Harry Foster, McGraw-Hill Professional, 2005

50

Stephane Maag / TSP

Ecole dt Can Tho, Sept. 2010

You might also like