Formal Verification Lab 1 - PowerPoint PPT Presentation

Provided by: csHai
1
Formal Verification Lab 1
  • Dan Goldwasser
  • dgoldwas_at_cs.haifa.ac.il

2
Introducing FV
  • What is formal verification?
  • Establishing properties of system designs using
    mathematical methods
  • Why use formal methods?
  • Safety Critical Systems
  • High Bug Costs
  • Why Hardware?
  • High bug costs
  • Greater reliability required by customers
  • Feasible (more or less)

3
Introducing FV
  • How is it done?
  • The method takes a Model and a Property.
  • The method's output is an assurance that the
    property holds or a counter-example

[Figure: the model and the property are fed to the method; its output is either "P always holds" or a counter-example]
4
Defining a Model
  • Definitions
  • State - snapshot of the values of variables at a
    particular instant of time.
  • Finite state system - a system which has a
    finite number of different states.
  • Transition - the ordered pair <state before,
    state after>
  • Computation - an infinite sequence of states
    where each state is obtained from the previous by
    a transition

5
Defining a Model
  • Intuition
  • A State - (0,1)
  • A Finite state system - {(0,0),(0,1),(1,0),(1,1)}
  • A Transition - <(0,0),(0,1)>
  • A Computation - <(0,0),(0,1),(1,0),(0,0),
    (0,1),...>

6
Kripke Structure
  • Let AP be a set of atomic propositions
  • A Kripke structure M over AP is a tuple
    M = (S, S0, R, L) where,
  • S is a finite set of states
  • S0 ⊆ S is the set of initial states
  • R ⊆ S × S is a transition relation that must be
    total, i.e., for every state s in S there is a
    state s' in S such that R(s,s').
  • L is a function that labels each state with the
    set of all atomic propositions in AP that are true
    in that state.
  • A path in M from s is an infinite sequence of
    states π = s0 s1 s2 ..., such that s0 = s and
    R(si, si+1) holds for all i ≥ 0.

7
Defining a Model
  • M = (S, S0, R, L)
  • S = {s0, s1, s2, s3}
  • S0 = {(0,0)} (system starts with Reset)
  • R = {<(0,0),(0,1)>, <(0,1),(1,0)>, <(0,1),(0,0)>, ...}
  • L = {(s0,(0,0)), (s1,(0,1)), (s2,(1,0)), (s3,(1,1))}

[Figure: state diagram of the two-bit counter, with transitions labelled inc and Reset]
8
Temporal Logic
  • Logic with a notion of time included.
    The formulas are interpreted over Kripke
    structures, which can model computation.
  • Intuition
  • Propositional Logic Formula defines a set of
    states
  • Temporal Logic Formula defines a set of
    sequences of sets of states

9
Temporal Operators
  • Eventually p - p will eventually hold (Fp)
  • Globally p - p will always hold (Gp)
  • Next-time p - p will hold at the next step (Xp)
  • p Until q - p holds until q holds (pUq)
  • p, q are temporal logic formulas or
    propositional logic formulas

10
Temporal Operators
  • Eventually p - p will eventually hold (Fp)
    qqqqq..qp...
  • Globally p - p will always hold (Gp)
    pppppppp...pp..
  • Next-time p - p will hold at the next step (Xp)
    qp....
  • p Until q - p holds until q holds (pUq)
    ppppq...

11
Linear time and Branch time
  • Linear - only one possible future at each moment
  • Look at individual computations
  • Branching - may split into different courses
    depending on possible futures
  • Look at the tree of computations

[Figure: computation tree unfolding the states s0, s1, s2, s3]
12
Path Quantifiers
  • Branching time modeled with path quantifiers
  • A f - f holds for all computation paths
  • E f - f holds for some computation path

13
Path Quantifiers
  • Intuition

[Figure: computation trees labelled with p and q, contrasting the temporal operator (evaluated along one path) with the path quantifier (ranging over the branching paths)]
14
LTL and CTL
  • LTL (Linear Temporal Logic) - Reasoning about an
    infinite sequence of states π = s0, s1, s2, ...
  • CTL (Computation Tree Logic) - Reasoning on a
    computation tree.
  • Temporal operators are immediately preceded by a
    path quantifier (e.g. A F p)
  • CTL vs. LTL - different expressive power
  • EFp is not expressible in LTL
  • FGp is not expressible in CTL

15
LTL
  • Linear time operators.
  • The following are a complete set: ¬p, p ∨ q,
    X p, p U q
  • Others can be derived
  • p ∧ q ≡ ¬(¬p ∨ ¬q)
  • p → q ≡ ¬p ∨ q
  • F p ≡ (true U p)
  • G p ≡ ¬F ¬p ≡ ¬(true U ¬p)
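The "Temporal Operators" slides (9 and 10) and the LTL slide above can be tried out on concrete computations. The following is an added example, not part of the lecture slides: a small Python evaluator for LTL formulas over a single computation. Because a computation is an infinite sequence of states, the example represents it as a lasso (a finite prefix followed by a loop that repeats forever); that encoding, the `Lasso` class, the `holds` function and the nested-tuple formula syntax are all assumptions of this example. Only the complete set from the slide (¬, ∨, X, U) is evaluated directly; ∧, →, F and G are rewritten into it using the slide's equivalences.

```python
# Added example (not from the slides): evaluating LTL formulas over one computation.
# A computation is represented as a "lasso": a finite prefix followed by a loop that
# repeats forever (constructed encoding). Each state is the set of atomic
# propositions true in it.
from typing import FrozenSet, List, Tuple

State = FrozenSet[str]
Formula = Tuple  # nested tuples such as ("U", ("ap", "p"), ("ap", "q"))


class Lasso:
    """Ultimately periodic computation: prefix states, then the loop forever."""

    def __init__(self, prefix: List[State], loop: List[State]) -> None:
        if not loop:
            raise ValueError("loop must be non-empty so the computation is infinite")
        self.prefix = list(prefix)
        self.loop = list(loop)

    def state(self, i: int) -> State:
        """State at position i of the infinite sequence."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def horizon(self, i: int) -> range:
        """Positions >= i that cover every distinct suffix of the computation.
        After one full turn of the loop the suffixes repeat, so a future-looking
        operator only needs to inspect these positions."""
        return range(i, max(i, len(self.prefix)) + len(self.loop))


def holds(trace: Lasso, f: Formula, i: int = 0) -> bool:
    """Does formula f hold at position i of trace?"""
    op = f[0]
    if op == "true":
        return True
    if op == "ap":
        return f[1] in trace.state(i)
    if op == "not":
        return not holds(trace, f[1], i)
    if op == "or":
        return holds(trace, f[1], i) or holds(trace, f[2], i)
    if op == "X":                        # next-time: look one step ahead
        return holds(trace, f[1], i + 1)
    if op == "U":                        # strong until: q at some j >= i, p at every i <= k < j
        for j in trace.horizon(i):
            if holds(trace, f[2], j):
                return True
            if not holds(trace, f[1], j):
                return False
        return False                     # q never appears, or p broke before it did
    # Derived operators, rewritten exactly as on the LTL slide.
    if op == "and":                      # p and q == not (not p or not q)
        return holds(trace, ("not", ("or", ("not", f[1]), ("not", f[2]))), i)
    if op == "implies":                  # p -> q == not p or q
        return holds(trace, ("or", ("not", f[1]), f[2]), i)
    if op == "F":                        # F p == true U p
        return holds(trace, ("U", ("true",), f[1]), i)
    if op == "G":                        # G p == not F not p
        return holds(trace, ("not", ("F", ("not", f[1]))), i)
    raise ValueError(f"unknown operator {op!r}")


def ap(name: str) -> Formula:
    return ("ap", name)


# Constructed traces matching the pictures on the "Temporal Operators" slide.
P, Q = frozenset({"p"}), frozenset({"q"})
QQQ_THEN_P = Lasso(prefix=[Q, Q, Q], loop=[P])          # qqqpppp...   F p, q U p hold
P_FOREVER = Lasso(prefix=[], loop=[P])                  # pppp...      G p holds
ALTERNATE = Lasso(prefix=[], loop=[P, Q])               # pqpqpq...    G F p holds, F G p does not
P_THEN_NOTHING = Lasso(prefix=[P], loop=[frozenset()])  # p, then no propositions at all


def evaluate_all(trace: Lasso, formulas: List[Formula]) -> List[bool]:
    return [holds(trace, f) for f in formulas]


if __name__ == "__main__":
    print("qqqp... |= F p  :", holds(QQQ_THEN_P, ("F", ap("p"))))
    print("pqpq... |= G F p:", holds(ALTERNATE, ("G", ("F", ap("p")))))
    print("pqpq... |= F G p:", holds(ALTERNATE, ("F", ("G", ap("p")))))
```

The `horizon` bound is what makes the evaluation terminate: a suffix of a lasso starting inside the loop is identical to the suffix one loop-length later, so F, G and U never need to look past the first complete turn of the loop after the current position.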

16
CTL
  • Temporal operators are immediately preceded by a
    path quantifier
  • The following are a complete set: ¬p, p ∨ q,
    AX p, EX p, A(p U q), E(p U q)
  • Others can be derived
  • EF p ≡ E(true U p)
  • AF p ≡ A(true U p)
  • EG p ≡ ¬AF ¬p
  • AG p ≡ ¬EF ¬p
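To tie the Kripke structure of slides 6 and 7, the path quantifiers of slide 12 and the CTL operators above together, here is an added example that is not part of the lecture slides: an explicit-state CTL model checker run on the two-bit counter. It computes the slide's complete set (¬, ∨, AX, EX, A(p U q), E(p U q)) directly, with the two until operators as least fixpoints, and derives EF, AF, EG, AG, ∧ and → with the equivalences listed on the slide. The full transition relation, the labelling function and the property names (`zero`, `max`, `b0`, `b1`) are assumptions of this example: the slide shows only the first pairs of R, so the counter is assumed to be able to hold its value, advance by one on inc (wrapping from 3 to 0) or return to (0,0) on Reset from every state.

```python
# Added example (not from the slides): explicit-state CTL model checking of the
# two-bit counter Kripke structure. Transitions and labels are constructed here.
from typing import Dict, FrozenSet, List, Set, Tuple

State = Tuple[int, int]   # (b1, b0)
Formula = Tuple           # nested tuples such as ("AG", ("EF", ("ap", "zero")))

STATES: List[State] = [(0, 0), (0, 1), (1, 0), (1, 1)]
INITIAL: Set[State] = {(0, 0)}                    # system starts with Reset


def successors(s: State) -> Set[State]:
    """Assumed transitions: hold the value, inc (wrapping), or Reset to (0,0)."""
    nxt = (2 * s[0] + s[1] + 1) % 4
    return {s, (nxt // 2, nxt % 2), (0, 0)}


R: Set[Tuple[State, State]] = {(s, t) for s in STATES for t in successors(s)}


def labels(s: State) -> FrozenSet[str]:
    """L: the atomic propositions true in s (constructed labelling)."""
    aps = {"b1"} if s[0] else set()
    if s[1]:
        aps.add("b0")
    if s == (0, 0):
        aps.add("zero")
    if s == (1, 1):
        aps.add("max")
    return frozenset(aps)


L: Dict[State, FrozenSet[str]] = {s: labels(s) for s in STATES}
MODEL = (STATES, R, L)


def is_total(states: List[State], rel: Set[Tuple[State, State]]) -> bool:
    """A Kripke structure requires R to be total: every state has a successor."""
    return all(any((s, t) in rel for t in states) for s in states)


def ex(S, R, Z):
    """EX Z: states with at least one successor in Z."""
    return {s for s in S if any((s, t) in R and t in Z for t in S)}


def ax(S, R, Z):
    """AX Z: states all of whose successors lie in Z (never vacuous since R is total)."""
    return {s for s in S if all(t in Z for t in S if (s, t) in R)}


def sat(model, f: Formula) -> Set[State]:
    """The set of states of model satisfying f.
    A(p U q) and E(p U q) are the least fixpoints of Z = q | (p & AX Z) and
    Z = q | (p & EX Z); the remaining operators are the slide's derived forms."""
    S, R, L = model
    op = f[0]
    if op == "true":
        return set(S)
    if op == "ap":
        return {s for s in S if f[1] in L[s]}
    if op == "not":
        return set(S) - sat(model, f[1])
    if op == "or":
        return sat(model, f[1]) | sat(model, f[2])
    if op == "EX":
        return ex(S, R, sat(model, f[1]))
    if op == "AX":
        return ax(S, R, sat(model, f[1]))
    if op in ("EU", "AU"):
        step = ex if op == "EU" else ax
        p, q = sat(model, f[1]), sat(model, f[2])
        z = set(q)
        while True:                      # iterate until the fixpoint is reached
            new = z | (p & step(S, R, z))
            if new == z:
                return z
            z = new
    if op == "and":                      # p and q == not (not p or not q)
        return sat(model, ("not", ("or", ("not", f[1]), ("not", f[2]))))
    if op == "implies":                  # p -> q == not p or q
        return sat(model, ("or", ("not", f[1]), f[2]))
    if op == "EF":                       # EF p == E(true U p)
        return sat(model, ("EU", ("true",), f[1]))
    if op == "AF":                       # AF p == A(true U p)
        return sat(model, ("AU", ("true",), f[1]))
    if op == "EG":                       # EG p == not AF not p
        return sat(model, ("not", ("AF", ("not", f[1]))))
    if op == "AG":                       # AG p == not EF not p
        return sat(model, ("not", ("EF", ("not", f[1]))))
    raise ValueError(f"unknown operator {op!r}")


def check(model, initial: Set[State], f: Formula) -> Tuple[bool, Set[State]]:
    """Does every initial state satisfy f? Returns (holds, violating initial states)."""
    bad = initial - sat(model, f)
    return (not bad, bad)
```

Running `check(MODEL, INITIAL, ("AG", ("EF", ("ap", "zero"))))` reports that the counter can always get back to zero, while `check(MODEL, INITIAL, ("AF", ("ap", "max")))` fails and returns the initial state as the violating one: because the counter may hold its value forever, no path is forced to reach (1,1). The second result is the counter-example side of the slide 3 picture, here given as the set of states rather than a path.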