02d LTL ModelChecking-print

Applications of Formal Verification
Model Checking with Temporal Logic
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov | SS 2010
KIT – I NSTITUT F ÜR T HEORETISCHE I NFORMATIK
KIT – University of the State of Baden-Württemberg and National Large-scale Research Center of the Helmholtz Association
Model Checking with S PIN
model correctness
name.pml properties
executable
-a verifier C
SPIN verifier
pan.c compiler
pan
e r
th
ei
or
failing
random/ interactive / guided run “errors: 0”
simulation name.pml.trail
Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov – Applications of Formal Verification SS 2010 2/25
Stating Correctness Properties
model correctness
name.pml properties
Correctness properties can be stated syntactically within or outside

the model.
stating properties within model using
assertion statements
meta labels
end labels
accept labels
progress labels
stating properties outside model using
never claims
temporal logic formulas (today’s main topic)
Model Checking of Temporal
Properties
many correctness properties not expressible by assertions
today:
model checking of properties formulated in temporal logic
Remark:
in this course, “temporal logic” is synonymous to “linear temporal logic” (LTL)
Beyond Assertions
Assertions only talk about the state ‘at their own location’ in the code.
Example: mutual exclusion expressed by adding assertion into each
critical section.
critical++;
assert( critical <= 1 );
critical--;
Drawbacks:
no separation of concerns (model vs. correctness property)
changing assertions is error prone (easily out of synch)
easy to forget assertions:
correctness property might be violated at unexpected locations
many interesting properties not expressible via assertions
Temporal Correctness Properties
properties more conveniently expressed as global properties,
rather than assertions:
Mutual Exclusion
“critical <= 1 holds throughout the run”
Array Index within Bounds (given array a of length len)
“0 <= i <= len-1 holds throughout the run”
properties impossible to express via assertions:

Absence of Deadlock
“If some processes try to enter their critical section,
eventually one of them does so.”
Absence of Starvation
“If one process tries to enter its critical section,
eventually that process does so.”
all these are temporal properties ⇒ use temporal logic
Boolean Temporal Logic
talking about numerical variables (like in critical <= 1 or

0 <= i <= len-1) requires variation of propositional temporal logic
which we call Boolean temporal logic:
Boolean expressions (over P ROMELA variables),
rather than propositions,
form basic building blocks of the logic
Boolean Temporal Logic over
P ROMELA
Set ForBTL of Boolean Temporal Formulas (simplified)

all P ROMELA variables and constants of type bool/bit are
∈ ForBTL
if e1 and e2 are numerical P ROMELA expressions, then all of
e1==e2, e1!=e2, e1<e2, e1<=e2, e1>e2, e1>=e2 are ∈ ForBTL
if P is a process and l is a label in P, then P@l is ∈ ForBTL
(P@l reads “P is at l”)
if φ and ψ are formulas ∈ ForBTL , then all of
! φ, φ && ψ, φ || ψ, φ −> ψ, φ <−> ψ
[ ]φ, < >φ, φ U ψ
are ∈ ForBTL
Semantics of Boolean Temporal
Logic
A run σ through a P ROMELA model M is a chain of states
L 0 , I0 L1 , I1 L2 , I2 L3 , I3 L4 , I4 ···
Lj maps each running process to its current location counter.

From Lj to Lj+1 , only one of the location counters has advanced
(exception: channel rendezvous).
Ij maps each variable in M to its current value.
Arithmetic and relational expressions are interpreted in states as

expected; e.g. Lj , Ij |= x<y iff Ij (x) < Ij (y)
Lj , Ij |= P@l iff Lj (P) is the location labeled with l
Evaluating other formulas ∈ ForBTL in runs σ: see lecture 2.

Boolean Temporal Logic Support in
S PIN
S PIN supports Boolean temporal logic

but
arithmetic operators (+,-,*,/, ...),
relational operators (==,!=,<,<=, ...),
label operators (@)
cannot appear directly in TL formulas given to S PIN
instead
Boolean expressions must be abbreviated using #define
Safety Properties
formulas of the form [ ]φ are called safety properties

state that something good, φ, is guaranteed throughout each run
special case:
[ ]¬ψ states that something bad, ψ, never happens
example: ‘[](critical <= 1)’

“it is guaranteed throughout each run that at most one process visits
its critical section”
or equivalently:
“more than one process visiting its critical section will never happen”
Applying Temporal Logic to Critical
Section Problem
We want to verify ‘[](critical<=1)’ as correctness property of:
active proctype P() {

do :: /* non-critical activity */
atomic {
!inCriticalQ;
inCriticalP = true
}
critical++;
/* critical activity */
critical--;
inCriticalP = false
od
}
/* similarly for process Q */
Model Checking a Safety Property
with J S PIN
1 add ‘#define mutex (critical <= 1)’ to P ROMELA file

2 open P ROMELA file
3 enter []mutex in LTL text field
4 select Translate to create a ‘never claim’, corresponding to the
negation of the formula
5 ensure Safety is selected
6 select Verify
7 (if necessary) select Stop to terminate too long verification
Never Claims
you may ignore them, but if you are interested:

a never claim tries to show the user wrong
it defines, in terms of P ROMELA, all violations of a wanted
correctness property
it is semantically equivalent to the negation of the wanted
correctness property
J S PIN adds the negation for you
using S PIN directly, you have to add the negation yourself
Model Checking a Safety Property
with S PIN directly
Command Line Execution

make sure ‘#define mutex (critical <= 1)’ is in
safety1.pml
> spin -a -f "!([] mutex)" safety1.pml
> gcc -DSAFETY -o pan pan.c
> ./pan
Temporal MC Without Ghost
Variables
We want to verify mutual exclusion without using ghost variables
#define mutex !(P@cs && Q@cs)

bool inCriticalP = false, inCriticalQ = false;

do :: atomic {
!inCriticalQ;
inCriticalP = true
}
cs: /* critical activity */
inCriticalP = false
od
}
/* with same label cs: */
Verify ‘[]mutex’ with J S PIN.
Liveness Properties
formulas of the form <>φ are called liveness properties

state that something good, φ, eventually happens in each run
example: ‘<>csp’
(with csp a variable only true in the critical section of P)
“in each run, process P visits its critical section eventually”
Applying Temporal Logic to
Starvation Problem
We want to verify ‘<>csp’ as correctness property of:

do :: /* non-critical activity */
atomic {
!inCriticalQ;
inCriticalP = true
}
csp = true;
/* critical activity */
csp = false;
inCriticalP = false
od
}

/* here using csq */
Model Checking a Liveness Property
with J S PIN

2 enter <>csp in LTL text field
4 ensure that Acceptance is selected
(S PIN will search for accepting cycles through the never claim)
5 for the moment uncheck Weak Fairness (see discussion
below)
6 select Verify
Verification Fails
Verification fails.
Why?
The liveness property on one process ‘had no chance’.

Not even weak fairness was switched on!
Fairness
Does the following P ROMELA model necessarily terminate?
byte n = 0;
bool flag = false;

do :: flag -> break;
:: else -> n = 5 - n;
od
}
active proctype Q() {
flag = true
}
Termination guaranteed only if scheduling is (weakly) fair!
Definition (Weak Fairness)

A run is called weakly fair iff the following holds:
each continuously executable statement is executed eventually.
Model Checking Liveness with Weak
Fairness!
Always switch Weak Fairness on when checking for liveness!

2 enter <>csp in LTL text field
4 ensure that Acceptance is selected
(S PIN will search for accepting cycles through the never claim)
5 ensure Weak Fairness is checked
6 select Verify
Model Checking Liveness with S PIN
directly
Command Line Execution

> spin -a -f "!csp" liveness1.pml
> gcc -o pan pan.c
> ./pan -a -f
Verification Fails
Verification fails again.

Why?
Weak fairness is still too weak.
Note that !inCriticalQ is not continuously executable!
Designing a fair mutual exclusion algorithm is complicated.
Literature for this Lecture
Ben-Ari Chapter 5

02d LTL ModelChecking-print

Uploaded by

Copyright:

Available Formats

02d LTL ModelChecking-print

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

02d LTL ModelChecking-print

Uploaded by

Copyright:

Available Formats

Applications of Formal Verification

Model Checking with Temporal Logic

Prof. Dr. Bernhard Beckert · Dr. Vladimir Klebanov | SS 2010

KIT – I NSTITUT F ÜR T HEORETISCHE I NFORMATIK

Correctness properties can be stated syntactically within or outside

many correctness properties not expressible by assertions

properties impossible to express via assertions:

all these are temporal properties ⇒ use temporal logic

talking about numerical variables (like in critical <= 1 or

Set ForBTL of Boolean Temporal Formulas (simplified)

Lj maps each running process to its current location counter.

Arithmetic and relational expressions are interpreted in states as

Lj , Ij |= P@l iff Lj (P) is the location labeled with l

Evaluating other formulas ∈ ForBTL in runs σ: see lecture 2.

S PIN supports Boolean temporal logic

formulas of the form [ ]φ are called safety properties

example: ‘[](critical <= 1)’

active proctype P() {

/* similarly for process Q */

1 add ‘#define mutex (critical <= 1)’ to P ROMELA file

you may ignore them, but if you are interested:

Command Line Execution

#define mutex !(P@cs && Q@cs)

active proctype P() {

formulas of the form <>φ are called liveness properties

“in each run, process P visits its critical section eventually”

active proctype P() {

/* similarly for process Q */

1 open P ROMELA file

The liveness property on one process ‘had no chance’.

active proctype P() {

Definition (Weak Fairness)

Always switch Weak Fairness on when checking for liveness!

Command Line Execution

Verification fails again.

Weak fairness is still too weak.

Note that !inCriticalQ is not continuously executable!

Designing a fair mutual exclusion algorithm is complicated.

You might also like