Verification of Parameterized Hierarchical State Machines Using Action Language Verifier Tuba Yavuz-Kahveci Tevfik Bultan University of Florida, Gainesville University of California, Santa Barbara download Action Language Verifier at: //www.cs.ucsb.edu/~bultan/composite/
41
Embed
Verification of Parameterized Hierarchical State Machines Using Action Language Verifier Tuba Yavuz-Kahveci Tevfik Bultan University of Florida, Gainesville.
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Verification of Parameterized Hierarchical State Machines Using Action Language Verifier
Tuba Yavuz-Kahveci Tevfik Bultan
University of Florida, Gainesville University of California, Santa Barbara
download Action Language Verifier at: //www.cs.ucsb.edu/~bultan/composite/
Outline
• An Example: Airport Ground Traffic Control• Hierarchical State Machines• Action Language Verifier• Composite Symbolic Library• Infinite State Verification• Parameterized Verification• Experimental Results• Related work
Example: Airport Ground Traffic Control
Runway r1 Runway r2
Taxiway t1 Taxiway t2
Gate g
Control Logic
• An arriving airplane lands using runway r1, navigates to taxiway t1, crosses runway r2, navigates to taxiway t2 and parks at gate g
• A departing airplane starts at gate g, navigates to taxiway t2, and takes off using runway r2
• Only one airplane can use a runway at any given time • Only one airplane can use a taxiway at any given time• An airplane taxiing on taxiway t1 can cross runway r2 only
if no airplane is taking off at the moment
Hierarchical State Machines
In a Hierarchical State Machine (HSM) [Harel 87]• States can be combined to form superstates• OR decomposition of a superstate
– The system can be in only one of the substates at any given time
• AND decomposition of a superstate – The system has to be in all of the substates at the same
• We use “*” to denote arbitrary number of instantiations of a state– These instantiations are asynchronously composed
using interleaving semantics• We used Action Language Verifier to verify CTL properties
parameterized hierarchical state machines• In order to verify a specification for arbitrary instances of a
module we used counting abstraction technique
Action Language [Bultan, ICSE 00], [Bultan, Yavuz-Kahveci, ASE 01]
• A state based language– Actions correspond to state changes
• States correspond to valuations of variables– boolean– enumerated– integer (possibly unbounded)– there is an extension to heap variables (i.e., pointers) but
this is not included in the current version• Parameterized constants
– specifications are verified for every possible value of the constant
Action Language
• Transition relation is defined using actions– Atomic actions: Predicates on current and next state
variables– Action composition:
• asynchronous (|) or synchronous (&)• Modular
– Modules can have submodules– A modules is defined as asynchronous and/or
synchronous compositions of its actions and submodules
Readers Writers Example
module main()integer nr;boolean busy;restrict: nr>=0;initial: nr=0 and !busy;
module Reader()boolean reading;initial: !reading;rEnter: !reading and !busy and nr’=nr+1 and reading’;rExit: reading and !reading’ and nr’=nr-1;Reader: rEnter | rExit;
S S :: Cartesian product ofCartesian product of variable domains defines variable domains defines the set of statesthe set of states
I I : Predicates defining : Predicates defining the initial statesthe initial states
RR : Atomic actions of the : Atomic actions of the ReaderReader
RR : Transition relation of : Transition relation of Reader defined as Reader defined as asynchronous composition asynchronous composition of its atomic actionsof its atomic actions
RR : Transition relation of main defined as asynchronous : Transition relation of main defined as asynchronous composition of two Reader and two Writer processescomposition of two Reader and two Writer processes
Translating HSMs to Action Language
• Transitions (arcs) correspond to actions• OR states correspond to enumerated variables and they
define the state space• Transitions (actions) of OR states are combined using
asynchronous composition• Transitions (actions) of AND states are combined using
• Uses a common interface for each symbolic representation• Easy to extend with new symbolic representations• Enables polymorphic verification• Multiple symbolic representations:
– As a BDD library we use Colorado University Decision Diagram Package (CUDD) [Somenzi et al]
– For integers we use two representations• Polyhedral representation provided by the Omega
Library [Pugh et al]
• An automata representation we developed using the automata package of MONA [Klarlund et al]
Composite Symbolic Library Class Diagram
OMEGA Library
Symbolic+union()
+isSatisfiable()+isSubset()+forwardImage()
CompSym
–representation: list of comAtom
+ union() • • •
compAtom
–atom: *Symbolic
IntSymAuto
–representation: automaton
+union() • • •
IntSym
–representation: list of Polyhedra
+union() • • •
CUDD Library
BoolSym
–representation: BDD
+union() • • •
MONA
IntBoolSymAuto
–representation: automaton
+union() • • •
Pre and Post-condition Computation
Variables:x: integer, y: boolean
Transition relation:R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
Set of states: s: x=2 and !y or x=0 and !y
Compute post(s,R)
Pre and Post-condition Distribute
R: x>0 and x´x-1 and y´ or x<=0 and x´x and y´y
s: x=2 and !y or x=0 and y
post(s,R) = post(x=2 , x>0 and x´x-1) post(!y , y´) x=1 y
post(x=2 , x<=0 and x´x) post (!y , y´y) false !y
post(x=0 , x>0 and x´x-1) post(y , y´) false y
post (x=0 , x<=0 and x´x) post (y, y´y ) x=0 y
= x=1 and y or x=0 and y
Polymorphic Verifier
Symbolic TranSys::check(Node f) {
•
•
•
Symbolic s = check(f.child);
switch f.op {
case EX:
s.pre(transRelation);
case EF:
do
sold = s;
s.pre(transRelation);
s.union(sold);
while not sold.isEqual(s) •
•
•
}
}
Action Language Verifier is Action Language Verifier is polymorphicpolymorphic
It becomes a BDD based model It becomes a BDD based model checker when there or no integer checker when there or no integer variablesvariables
Undecidability Conservative Approximations
• Compute a lower ( p ) or an upper ( p+ ) approximation to the truth set of the property ( p ) using truncated fixpoints and widening
• Action Language Verifier can give three answers:
II pppp
1) “The property is satisfied”
II pp
3) “I don’t know”
2) “The property is false and here is a counter-example”
II pp ppstates whichstates whichviolate the violate the propertyproperty
pp++
pp
Arbitrary Number of Instances of a Module
• We use counting abstraction to verify asynchronous composition of arbitrary number of instances of a module
• Counting abstraction– Creates an integer variable for each local state of a
module– Each variable counts the number of instances in a
particular state– Parameterized constants are used to denote the number
of instances of each module • Local variables of the module have to be finite domain
– Shared variables can be unbounded• Counting abstraction is automated
Readers-Writers After Counting Abstraction
module main()integer nr;boolean busy;
parameterized integer numReader, numWriter;restrict: nr>=0 and numReader>=0 and numWriter>=0;initial: nr=0 and !busy;module Reader()
integer readingF, readingT;initial: readingF=numReader and readingT=0;rEnter: readingF>0 and !busy and nr’=nr+1 and readingF’=readingF-1 and
readingT’=readingT+1;rExit: readingT>0 and nr’=nr-1 readingT’=readingT-1