Timing Is Everything - oxon.bcs.org fileAutomated Veriﬁcation “Nobody is going to run into a...

transcript

Timing Is Everything

Joël Ouaknine

Department of Computer ScienceOxford University

BCS Meeting, Oxford

17 May 2012

Automated Verification

theory practice

“In theory, there is no difference between theory andpractice. In practice, there is.”

Jan L.A. van de Snepscheut

Ariane 5 Explosion, French Guyana, 1996

NASA Mars Missions, 1997–2004

• 1997: Mars Rover loses contact• 1999: Mars Climate Orbiter is lost• 1999: Mars Polar Lander is lost• 2004: Mars Rover freezes

Intel Pentium FDIV Bug, 1994

Northeast Blackout, 2003

Chrysler Pacifica SUV, 2006

December 2006: DaimlerChrysler recalls 128,000 Pacificasports utility vehicles because of a problem with the softwaregoverning the fuel pump and power train control. The defectcould cause the engine to stall unexpectedly. [Washington Post]

“A Grand Challenge for computing research.”

Sir Tony Hoare, 2003

Now one of a small handful of areas ‘targetted for growth’ byUK funding council EPSRC.

“A Grand Challenge for computing research.”

Sir Tony Hoare, 2003

Now one of a small handful of areas ‘targetted for growth’ byUK funding council EPSRC.

“Nobody is going to run into a friend’s office with aprogram verification. Nobody is going to sketch averification out on a paper napkin. . . One can feelone’s eyes glaze over at the very thought.”

Rich de Millo, Richard Lipton, Alan Perlis, 1979

“The success of program verification as a generallyapplicable and completely reliable method forguaranteeing program performance is not even atheoretical possibility.”

James H. FetzerProgram Verification: The Very Idea, CACM 31(9), 1988

“Nobody is going to run into a friend’s office with aprogram verification. Nobody is going to sketch averification out on a paper napkin. . . One can feelone’s eyes glaze over at the very thought.”

Rich de Millo, Richard Lipton, Alan Perlis, 1979

“The success of program verification as a generallyapplicable and completely reliable method forguaranteeing program performance is not even atheoretical possibility.”

James H. FetzerProgram Verification: The Very Idea, CACM 31(9), 1988

Automated Verification: A High-Level Overview

G(a ==> Fb)

G(!c && d)

Modelling Specification

Properties:

Verification

system ok

bug found

parameter values

performance indices

TERMINATOR vs. The Ackermann Function

i n t Ack ( i n t m, i n t n ) {i f (m == 0)

return n + 1;else i f ( n == 0)

return Ack (m − 1 , 1 ) ;else

return Ack (m − 1 , Ack (m, n − 1 ) ) ;}

Ack(n, n) : 1, 3, 7, 61, 2222222

− 3, 222···2︸︷︷︸

Ack(5,4)+3

TERMINATOR vs. The Ackermann Function

i n t Ack ( i n t m, i n t n ) {i f (m == 0)

return n + 1;else i f ( n == 0)

return Ack (m − 1 , 1 ) ;else

return Ack (m − 1 , Ack (m, n − 1 ) ) ;}

Ack(n, n) : 1, 3, 7, 61, 2222222

− 3, 222···2︸︷︷︸

Ack(5,4)+3

Timing Is Everything

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

pw_correctSTART VALIDATE

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

<60?x ≥10?

A Login Protocol

x ≥10? pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

BMW Hydrogen 7

�(PEDAL→ ♦ BRAKE)

�(PEDAL→ ♦[25,40] BRAKE)

BMW Hydrogen 7

Timed Automata

Introduced by Rajeev Alur at Stanford during his PhD underDavid Dill:

I Rajeev Alur, David L. Dill: Automata For ModelingReal-Time Systems. ICALP 1990: 322-335

I Rajeev Alur, David L. Dill: A Theory of Timed Automata.TCS 126(2): 183-235, 1994

Timed Automata

x ≥10? pw_wrong

login_name

restart

log_pw_wrong

LOG_ERRORDELAY

connectedx x

<60?:=0

Timed Automata

Time is modelled as the non-negative reals, R≥0.

Theorem (Alur, Courcourbetis, Dill 1990)Reachability is decidable (in fact PSPACE-complete).

Unfortunately:

Theorem (Alur & Dill 1990)Language inclusion is undecidable for timed automata.

Timed Automata

Unfortunately:

Timed Automata

Unfortunately:

Temporal Logic Model Checking

“The paradigmatic idea ofthe automata-theoreticapproach to verification isthat we can compilehigh-level logicalspecifications into anequivalent low-levelfinite-state formalism.”

Moshe Vardi

TheoremAutomata are closed under all Boolean operations. Moreover,the language inclusion problem [ L(A) ⊆ L(B) ?] is decidable.

Temporal Logic Model Checking

“The paradigmatic idea ofthe automata-theoreticapproach to verification isthat we can compilehigh-level logicalspecifications into anequivalent low-levelfinite-state formalism.”

Moshe VardiTheoremAutomata are closed under all Boolean operations. Moreover,the language inclusion problem [ L(A) ⊆ L(B) ?] is decidable.

An Uncomplementable Timed Automaton

A : //ONMLHIJK@GF ECD

��a

x :=0//ONMLHIJK a

x=1?//

@GF ECDa

�� ONMLHIJKGFED@ABC@GF ECD

��

A cannot be complemented:There is no timed automaton B with L(B) = L(A).

��a

x :=0//ONMLHIJK a

x=1?//

@GF ECDa

��

L(A):1

��a

x :=0//ONMLHIJK a

x=1?//

@GF ECDa

��

��a

x :=0//ONMLHIJK a

x=1?//

@GF ECDa

��

��a

x :=0//ONMLHIJK a

x=1?//

@GF ECDa

��

Metric Temporal Logic

�(a→ ♦[0,1] b)

0 1 2 3

Does the timed word satisfy the specification? Yes.

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

Does the timed word satisfy the specification?

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

�(a→ ♦[0,1] b)

0 1 2 3

Real-Time Model Checking

Given a timed automaton A and a Metric Temporal Logicspecification ϕ, does every timed word of A satisfy ϕ?

I For about 15 years (∼ 1990–2005), the real-timemodel-checking problem was widely claimed in theliterature to be undecidable.

I In 2005, James Worrell and I showed decidability throughthe development of the theory of timed alternatingautomata.

�(a→ ♦=1 b)

{a, b}

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s1, )0.6(

s2,( 1.1)

,( 1.4)s0

s1, )0.5(

s2, )( 1.0

,( 1.3)s0,( 0.8)

s1,0( )

s1, )( 0.5

s1,( )0.2

,( 0.5)s0,( )0.3

s1,0( )

s2,( )1.5

s2, )( 1.0s0,0( )s0,0( )

( 1.8)

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s1, )0.6(

s2,( 1.1)

,( 1.4)s0

s1, )0.5(

s2, )( 1.0

,( 1.3)s0,( 0.8)

s1,0( )

s1, )( 0.5

s1,( )0.2

,( 0.5)

s2,( )1.5

s2, )( 1.0s0,( )0.3

s1,0( )

s0,0( )s0,0( )

0.3,a( 1.8)

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s1, )0.6(

s2,( 1.1)

,( 1.4)s0

s1, )0.5(

s2, )( 1.0

,( 1.3)s0,( 0.8)

s1,0( )

s1, )( 0.5

s2,( )1.5

s2, )( 1.0s0

s1,( )0.2

s0,( )0.3

s1,0( )

s0,0( )s0,0( )

0.3, 0.2,ba( 1.8)

,( 0.5),

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s1, )0.6(

s2,( 1.1)

,( 1.4)s0

s1, )0.5(

s2, )( 1.0

,( 1.3)s0,( 0.8)

s1,0( )

s1, )( 0.5 s2,( )1.5

s2, )( 1.0s0

s1,( )0.2

s0,( )0.3

s1,0( )

s0,0( )s0,0( )

0.3, 0.2,b 0.3,aa( 1.8)

,( 0.5),

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s1, )0.6(

s2,( 1.1)

,( 1.4)s0,( 0.8) s

s1,0( )

s1, )( 0.5

s1, )0.5(

s2, )( 1.0 s2,( )1.5

s2, )( 1.0s0

s1,( )0.2

s0,( )0.3

s1,0( )

s0,0( )s0,0( )

0.3, 0.2,b 0.3,a0.5,b

a ,( 1.3) ( 1.8)

,( 0.5),

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s0,( 0.8) s

s1,0( )

s1, )( 0.5

s1, )0.5( s

1, )0.6(

s2, )( 1.0 s

2,( 1.1) s2,( )1.5

s2, )( 1.0s0

s1,( )0.2

s0,( )0.3

s1,0( )

s0,0( )s0,0( )

0.3, 0.2,b 0.3,a0.5,b 0.1,b

a ,( 1.3) ,( 1.4) ( 1.8)

,( 0.5),

�(a→ ♦=1 b)

=1?xs1

<1?x {a, b}

a b a b b b

0.5 0.8 1.31.4 1.80.3

s0,0( )s0,0( )

s0,( )0.3

s1,0( )

s1,( )0.2

,( 0.5)s0,( 0.8) s

s1,0( )

s1, )( 0.5

s1, )0.5( s

1, )0.6(

s2, )( 1.0 s

2,( 1.1)

s2, )( 1.0

s2,( )1.5

0.3, 0.2,b 0.3,a0.5,b 0.1,b 0.4,b

a ,( 1.3) ,( 1.4) ,( 1.8)

Real-Time Model Checking:A High-Level Algorithm

Real-time model checking problem

Alternating timed automaton emptiness problem

Halting problem for Turing machine with insertion errors

Higman’s Lemma

TheoremThe subword order over a finite alphabet is a well-quasi order.

(Graham Higman, Ordering by Divisibility in Abstract Algebras,Proceedings of the London Mathematical Society, vol. 2, 1952.)

“HIGMAN” is a subword of “HIGHMOUNTblackAIblackN”.

Any infinite sequence of words W1, W2, W3, . . . must eventuallyhave two words, Wi and Wi+k , such that the first is a subwordof the second.

aba, abbb, baab, aa, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

“HIGMAN” is a subword of “HIGHMOUNTAIN”.

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

, abbb, baab, aa, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb

, baab, aa, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab

, aa, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa

, ba, bbb, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba

, bbb, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb

, abb, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb

, ab, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb, ab

, a, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb, ab, a

, bb, b

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb, ab, a, bb

Higman’s Lemma

I aba, abbb, baab, aa, ba, bbb, abb, ab, a, bb, b

The Halting Problem for Faulty Turing Machines

, W’)

q0 , <>)(

q(is a subword of

...(q, W)

, W’)

q0 , <>)(

q(is a subword of

...(q, W)

, W’)

q0 , <>)(

q(is a subword of

...(q, W)

, W’)

q0 , <>)(

q(is a subword of

...(q, W)

, W’)

q0 , <>)(

...( , W)q

is a subword of

q0 , <>)(

halt...

, W’)

( , W)q

is a subword ofq(

q0 , <>)(

halt...

q( , W’)

( , W)q

is a subword of

q0 , <>)(

q( , W’)

( , W)q

is a subword of

q0 , <>)(

q( , W’)

( , W)q

is a subword of

q0 , <>)(

halt...

q( , W’)

( , W)q

is a subword of

TheoremThe real-time model-checking problem for Metric TemporalLogic is decidable (under the pointwise semantics).

The complexity is provably non-primitive recursive. In particular,it grows faster than Ackermann’s function in the worst case.

TheoremThe real-time model-checking problem for Metric TemporalLogic is decidable (under the pointwise semantics).

The complexity is provably non-primitive recursive. In particular,it grows faster than Ackermann’s function in the worst case.

From Timed Alternating Automata toEfficient Runtime Monitoring Algorithms

Quantitative Verification:From Model Checking to Model Measuring

quantitativesystems

qualitativesystems

monito

metric

module

quantitativesystems

qualitativesystems

monito

metric

module

quantitativesystems

qualitativesystems

monito

metric

module

quantitativesystems

qualitativesystems

monito

metric

module

Timing Is Everything - oxon.bcs.org fileAutomated Veriﬁcation “Nobody is going to run into a...

Documents