Lecture 10: Verifying first order properties in PVS

1

• Black Box Checking

Doron Peled, University of Warwick
2
Why testing?

• Reduce design/programming errors.
• Can be done during development,
  beforeproduction/marketing.
• Practical, simple to do.
• Check the real thing, not a model.
• Scales up reasonably.
• Being state of the practice for decades.

3
Part 1 Testing of black box finite state machine

• Wants to know
• In what state we started?
• In what state we are?
• Transition relation
• Conformance
• Satisfaction of a temporal property

• Know
• Transition relation
• Size or bound on size

4
Finite automata (Mealy machines)

• S - finite set of states. (size n)
• S set of inputs. (size d)
• O set of outputs, for each transition.
• (s0 ? S - initial state).
• ? S ? S ? S - transition relation.
• ? ? S ? S ?O output on edge.

5
Why deterministic machines?

• Otherwise no amount of experiments would
  guarantee anything.
• If dependent on some parameter (e.g.,
  temperature), we can determinize, by taking
  parameter as additional input.
• We still can model concurrent system. It means
  just that the transitions are deterministic.
• All kinds of equivalences are unified into
  language equivalence.
• Also connected machine (otherwise we may never
  get to the completely separate parts).

6
Determinism

• When the black box is nondeterministic, we might
  never test some choices.

7
Preliminaries separating sequences
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Start with one block containing all states s1,
s2, s3.
8
A separate to blocks of states with different
output.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Two sets, separated using the string b s1, s3,
s2.
9
Repeat B Separate blocks based on moving to
different blocks.
b/1
s1
s2
a/0
b/1
b/0
a/0
s3
a/0
Separate first block using b to three singleton
blocks.Separating sequences b, bb.Max rounds
n-1, sequences n-1, length n-1.For each pair
of states there is a separating sequence.
10
Want to know the state of the machine (at end).
Homing sequence.

• Depending on output, would know in what state we
  are.
• Algorithm Put all the states in one block
  (initially we do not know what is the state).
• Then repeatedly partitions blocks of states, as
  long as they are not singletons, as follows
• Take a non singleton block, append a
  distinguishing sequence ? that separates at least
  two states.
• Update all blocks to the states after executing
  ?.
• Max length (n-1)2 (Lower bound
  n(n-1)/2.)

11
Example (homing sequence)
s1, s2, s3
b
0
1
1
s1, s2 s3
b
1
1
0
s1 s2 s3
On input b and output 1, still dont know if was
in s1 or s3, i.e., if currently in s2 or s1.So
separate these cases with another b.
12
Synchronizing sequence

• One sequence takes the machine to the same final
  state, regardless of the initial state or the
  outputs.
• Not every machine has a synchronizing sequence.
• Can be checked whether exists and can be found in
  polynomial time.

13
State identification

• Want to know in which state the system has
  started (was reset).
• Can be a preset distinguishing sequence (fixed),
  or a tree (adaptive).
• May not exist (PSPACE complete to check if preset
  exists, polynomial for adaptive).
• Best known algorithm exponential length for
  preset,polynomial for adaptive LY.

14
Sometimes cannot identify initial state
Start with ain case of being in s1 or s3 well
move to s1 and cannot distinguish.Start with
bIn case of being in s1 or s2 well move to s2
and cannot distinguish.
The kind of experiment we do affects what we can
distinguish. Much like the Heisenberg principle
in Physics.
15
Conformance testing

• Unknown deterministic finite state system B.
• Known n states and alphabet ?.
• An abstract model C of B. C satisfies all the
  properties we want from B. C has m states.
• Check conformance of B and C.
• Another version only a bound n on the number of
  states l is known.

?
16
Check conformance with a given state machine

• Black box machine has no more states than
  specification machine (errors are mistakes in
  outputs, mistargeted edges).
• Specification machine is reduced, connected,
  deterministic.
• Machine resets reliably to a single initial state
  (or use homing sequence).

17
Conformance testing Ch,V
a/1
?
b/1
a/1
b/1
?
b/1
a/1
Cannot distinguish if reduced or not.
18
Conformance testing (cont.)
?
b
b
a
a
a
?
a
b
b
a
a
b
Need bound on number of states of B.
19
PreparationConstruct a spanning tree
20
How the algorithm works?
Reset or homing

• According to the spanning tree, force a sequence
  of inputs to go to each state.
• From each state, perform the distinguishing
  sequences.
• From each state, make a single transition, check
  output, and use distinguishing sequences to check
  that in correct target state.

Reset or homing
s1
b/1
a/1
s2
s3
Distinguishing sequences
21
Comments

• Checking the different distinguishing sequences
  (m-1 of them) means each time resetting and
  returning to the state under experiment.
• A reset can be performed to a distinguished state
  through a homing sequence. Then we can perform a
  sequence that brings us to the distinguished
  initial state.
• Since there are no more than m states, and
  according to the experiment, no less than m
  states, there are m states exactly.
• Isomorphism between the transition relation is
  found, hence from minimality the two automata
  recognize the same languages.

22
Combination lock automaton

• Assume accepting states.
• Accepts only words with a specific suffix (cdab
  in the example).

b
d
c
a
s1
s2
s3
s4
s5
Any other input
23
When only a bound on size of black box is known

• Black box can pretend to behave as a
  specification automaton for a long time, then
  upon using the right combination, make a mistake.

Pretends to be S1
a/1
b/1
a/1
b/1
s1
s2
b/1
a/1
a/1
s3
Pretends to be S3
b/0
24
Conformance testing algorithm VC

• The worst that can happen is a combination lock
  automaton that behaves differently only in the
  last state. The length of it is the difference
  between the size n of the black box and the
  specification m.
• Reach every state on the spanning tree and check
  every word of length n-m1 or less. Check that
  after the combination we are at the state we are
  supposed to be, using the distinguishing
  sequences.
• No need to check transitions already included in
  above check.
• Complexity m2 n dn-m1 Probabilistic complexity
  Polynomial.

Reset or homing
Reset or homing
s1
b/1
a/1
s2
s3
Words of length ?n-m1
Distinguishing sequences
25
Model Checking

• Finite state description of a system B.
• LTL formula ?. Translate ?? into an automaton P.
• Check whether L(B) ? L(P)?.
• If so, S satisfies ?. Otherwise, the intersection
  includes a counterexample.
• Repeat for different properties.

??
?
26
Buchi automata (w-automata)

• S - finite set of states. (B has l ? n states)
• S0 ? S - initial states. (P has m states)
• S - finite alphabet. (contains p letters)
• d ? S ? S ? S - transition relation.
• F ? S - accepting states.
• Accepting run passes a state in F infinitely
  often.

System automata FS, deterministic, one initial
state. Property automaton not necessarily
deterministic.
27
Example check ?a
a
ltgt?a
?a
?a, a
28
Example check ltgt?a
?ltgt?a
29
Example check ? ltgta
?a, a
ltgt??a
?a
?a
Use automatic translation algorithms, e.g.,
Gerth,Peled,Vardi,Wolper 95
30
System
31
Every element in the product is a counter example
for the checked property.
a
a
?ltgt?a
s1
s2
q1
?a
c
b
a
?a
s3
q2
a
s1,q1
s2,q1
Acceptance isdetermined byautomaton P.
b
a
s1,q2
s3,q2
c
32
Model Checking / Testing

• Given Finite state system B.
• Transition relation of B known.
• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory or BDD techniques.
• Complexity polynomial.

• Unknown Finite state system B.
• Alphabet and number of states of B or upper bound
  known.
• Specification given as an abstract system C.
• Check if B ?C.
• Complexity polynomial if number states known.
  Exponential otherwise.

33
Black box checking PVY

• Property represent by automaton P.
• Check if L(B) ? L(P)?.
• Graph theory techniques.

• Unknown Finite state system B.
• Alphabet and Upper bound on Number of states of B
  known.
• Complexity exponential.

??
?
34
Experiments
35
Simpler problem deadlock?

• Nondeterministic algorithmguess a path of
  length ? n from the initial state to a deadlock
  state.Linear time, logarithmic space.
• Deterministic algorithmsystematically try paths
  of length ?n, one after the other (and use
  reset), until deadlock is reached.Exponential
  time, linear space.

36
Deadlock complexity

• Nondeterministic algorithmLinear time,
  logarithmic space.
• Deterministic algorithmExponential (p n-1)
  time, linear space.
• Lower bound Exponential time (usecombination
  lock automata).
• How does this conform with what we know about
  complexity theory?

37
Modeling black box checking

• Cannot model using Turing machines not all the
  information about B is given. Only certain
  experiments are allowed.
• We learn the model as we make the experiments.
• Can use the model of games of incomplete
  information.

38
Games of incomplete information

• Two players -player, ?-player (here,
  deterministic).
• Finitely many configurations C.
  IncludingInitial Ci , Winning W and W- .
• An equivalence relation _at_ on C (the -player
  cannot distinguish between equivalent states).
• Labels L on moves (try a, reset, success, fail).
• The -player has the moves labeled the same from
  configurations that are equivalent.
• Deterministic strategy for the -player will
  lead to a configuration in W ? W-. Cannot
  distinguish between equivalent configurations.
• Nondeterministic strategy Can distinguish
  between equivalent configurations..

39
Modeling BBC as games

• Each configuration contains an automaton and its
  current state (and more).
• Moves of the -player are labeled withtry a,
  reset... Moves of the ?-player withsuccess,
  fail.
• c1 _at_ c2 when the automata in c1 and c2 would
  respond in the same way to the experiments so far.

40
A naive strategy for BBC

• Learn first the structure of the black box.
• Then apply the intersection.
• Enumerate automata with ?n states (without
  repeating isomorphic automata).
• For a current automata and new automata,
  construct a distinguishing sequence. Only one of
  them survives.
• Complexity O((n1)p (n1)/n!)

41
On-the-fly strategy

• Systematically (as in the deadlock case), find
  two sequences v1 and v2 of length ltm n.
• Applying v1 to P brings us to a state t that is
  accepting.
• Applying v2 to P brings us back to t.
• Apply v1 v2 n to B. If this succeeds,there is a
  cycle in the intersection labeled with v2, with t
  as the P (accepting) component.
• Complexity O(n2p2mnm).

v1
v2
42
Learning an automaton

• Use Angluins algorithm for learning an
  automaton.
• The learning algorithm queries whether some
  strings are in the automaton B.
• It can also conjecture an automaton Mi and asks
  for a counterexample.
• It then generates an automaton with more states
  Mi1 and so forth.

43
A strategy based on learning

• Start the learning algorithm.
• Queries are just experiments to B.
• For a conjectured automaton Mi , check if Mi ? P
  ?
• If so, we check conformance of Mi with B (VC
  algorithm).
• If nonempty, it contains some v1 v2w . We test B
  with v1 v2n. If this succeeds error, otherwise,
  this is a counterexample for Mi .

44
Complexity

• l - actual size of B.
• n - an upper bound of size of B.
• d - size of alphabet.
• Lower bound reachability is similar to deadlock.
• O(l 3 d l l 2mn) if there is an error.
• O(l 3 d l l 2 n dn-l1 l 2mn) if there is no
  error.
• If n is not known, check while time allows.
• Probabilistic complexity polynomial.

45
Some experiments

• Basic system written in SML (by Alex Groce, CMU).
• Experiment with black box using Unix I/O.
• Allows model-free model checking of C code with
  inter-process communication.
• Compiling tested code in SML with BBC program as
  one process.

46
Conclusions

• Black Box Checking automatic verification of
  unspecified system.
• A hard problem, exponential in number of states,
  but polynomial on average.
• Implemented, tested.
• Another use when the model is given, but is not
  exact.