SS 2018 Software Verification Model Checking Prof. Dr. Holger Schlingloff 1,2 Dr. Esteban Pavese 1 (1) Institut für Informatik der Humboldt Universität (2) Fraunhofer Institut für offene Kommunikationssysteme FOKUS

Hallo! Mein Name ist Holger Schlingloff Ich bin Professor am Institut für Informatik Themen: Spezifikation, Verifikation & Testtheory Ich arbeite auch bei der Fraunhofer Gesellschaft Fraunhofer Institut für Offene Kommunikations- Systeme (FOKUS) Mehr finden Sie unter …

Worum geht‘s ... Software für sicherheitskritische Systeme Flugzeuge, Bahnsignalisierung, Airbags, … Methoden der Verifikation „automatisierte Korrektheitsbeweise“ Modellprüfung (Model Checking) Temporale Logik von Programmen

Organisatorisches Ziele: Kenntnisse über den praktischen Einsatz von Methoden und Werkzeugen zur Software-Verifikation Umfang: 4SWS VL, 2SWS Ü VL: Di und Do 9-11 in Rud26, 1307 Ü: Di 11-13, Beginn 24.4.2018 9 ECTS-Leistungspunkte = 270 Stunden = 20 Stunden pro Woche Hausaufgaben: Werkzeugeinsatz & praktische Beispiele eigene Präsentation von Lösungen erforderlich! Klausur oder mündliche Abschlussprüfung Materialien werden nach der VL verfügbar gemacht Moodle, Webseite, ... Sprache „teilweise Englisch“

Welcome to the class! Contents: Automated verification methods for (embedded) software (and hardware) for safety-critical applications temporal logic: expressivity, complexity model checking: theory and practice verification of real-time systems probabilistic verification multi-agent systems software model checking

A First Example (Hardware) gibts vielleicht noch besser (color)

Verification Model of Shift Register

Correctness Properties checked for n=32 in less than a second

Literature E.M. Clarke, H. Schlingloff: Model Checking. Chapter 21 in Alan Robinson and Andrei Voronkov (eds.), Handbook of Automated Reasoning; Elsevier Science Publishers B.V., pp. 1367 - 1522 (2000) E.M. Clarke,O. Grumberg, D. Peled: Model Checking. MIT Press (2000) C. Baier, J.-P. Katoen: Principles of Model Checking. MIT Press (2008) B. Bernard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, P. Schnoebelen: Systems and Software Verification: Model-Checking Techniques and Tools. Springer (2001, 2010)

Plan for the Summer Introduction Modeling of systems Temporal logics Model checking algorithms Symbolic representations Abstraction and refinement Real time model checking Probabilistic model checking Software model checking Parallel program checking Multi-agent systems

Propositional Logic A formal specification method consists of three parts syntax, i.e., what are well-formed specifications semantics, i.e., what is the meaning of a specification calculus, i.e., what are transformations or deductions of a specification Propositional logic: probably the first and most widely used specification method dates back to Aristotle, Chrysippus, Boole, Frege, … base of most modern logics fundamental for computer science

Syntax of Propositional Logic Let Ρ be a finite set {p1,…,pn} of propositions and assume that ,  and (, ) are not in Ρ Syntax PL ::= Ρ |  | (PL  PL) every p is a wff  is a wff („falsum“) if  and  are wffs, then () is a wff nothing else is a wff

Remarks Ρ may be empty Minimalistic approach still a meaningful logic! infix-operator  necessitates parentheses other connectives can be defined as usual ¬ ≙ (  ) (linear blowup!) Τ ≙ ¬ () ≙ (¬) () ≙ ¬(¬¬) ≙ ¬(¬) () ≙ (()()) (exponential blowup!) operator precedence as usual literal = a proposition or a negated proposition

Exercise Write ((pq)  ¬p) unabbreviated Abbreviations ¬ ≙ (  ) also ~ Τ ≙ ¬ () ≙ (¬) also (+), (|), (v) () ≙ ¬(¬¬) ≙ ¬(¬) also (*), (&), (^) () ≙ (()()) also ( <-> ), (<=>) Write ((pq)  ¬p) unabbreviated

Choice of the Signature Te set Ρ={p1,…,pn} of propositions is also called the signature of the logic The choice of Ρ often is the decisive abstraction step for modelling a system it determines which aspects are “accessible” to the specification Wittgenstein: “die Welt ist alles was der Fall ist”; the world consists of all true propositions e.g., sun-is-shining, pot-on-stove, line-busy, button_pressed, window5infocus, motor-on, … names should be chosen with consideration

Semantics of Propositional Logic Propositional Model Truth value universe U: {true, false} Interpretation I: assignment Ρ ↦ U Model M: (U,I) Validation relation ⊨ between model M and formula  M ⊨ p if I(p)=true M ⊭  M ⊨ () if M ⊨  implies M ⊨  M validates or satisfies  iff M ⊨   is valid (⊨) iff every model M validates   is satisfiable (SAT()) iff some model M satisfies 

Puzzle Example: Ivor Spence’s Sudoku SuDoku Puzzle as a Satisfiability Problem http://www.cs.qub.ac.uk/~i.spence/SuDoku/SuDoku.html

How Does He Do It? Propositional modelling (e.g., for the 9*9 grid) 9 propositions per cell: proposition “ijk” indicates that row i, column j contains value k individual cell clauses each cell contains exactly one value (ij1 v ij2 v … v ij9) ^ ~(ij1 ^ ij2) ^ … ^ ~(ij8 ^ ij9) row and column clauses each row i contains each number, exactly once (i11 v … v i91) ^ (i12 v … v i92) ^ … (i19 v … v i99) j1 j2, k=1..9: ~(ij1k ^ ij2k) same for columns block clauses – similar pre-filled cells – easy SAT solving 729 propositions, ca. 3200 clauses  few seconds