Lec 1

The document discusses several examples of software failures that caused harm, including radiation overdoses from a cancer treatment device, an AT&T network outage, and a floating point error in Intel Pentium chips. It notes that software errors cost the US economy billions annually and that correct systems are increasingly valuable. The complexity of integrated IT systems and pressure to reduce development time can contribute to errors, while traditional testing methods are insufficient to ensure correctness of concurrent systems. Formal verification techniques provide an alternative means to check system correctness.

Automata Theory

(Applied)

Dr. Falak Sher

Information Technology University, Punjab


Modeling, Verification and Synthesis Group

January 28, 2019

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 1 / 34
Therac-25 radiation overdosing (1985-87)

Device used for radiation therapy of cancer patients.
At least 6 patients were overdosed (about 100 times the intended dose) during 1985-87.
Three cancer patients died because of the overdose.

Cause: Design error in the control software (race conditions).
AT&T telephone network outage (1990)

In Jan. 1990, large parts of the AT&T network were down for 9 hours in the U.S.A. because of a problem in New York City.
Estimated loss was several hundred million US$.

Cause: Software flaw (wrong interpretation of a break statement in a C program).
Pentium floating point division unit (FDIV) bug (1994)

Certain floating point division operations produced incorrect results.
Estimated loss was approx. 500-million US$: all flawed processors were replaced, plus an enormous image loss for Intel Corporation.

Cause: Flawed realization of floating-point division.
Ariane 5 crash (1996)

In Jun. 1996, the European Ariane-5 missile crashed.
Estimated loss was more than 500-million US$.

Cause: Flaw in the control software (disabling of the software handler because of efficiency considerations).
Economic loss due to erroneous software systems

Software errors cost the U.S. economy $59.5 Billion annually.

National Institute of Standards and Technology, US Department of Commerce, June 2002
The quest for software correctness

Speech at the 50-years celebration of CWI Amsterdam:

“It is fair to state that in this digital era correct systems of information processing are more valuable than gold”

Henk Barendregt (Dutch logician)
Factors contributing to erroneous information and communication technology (ICT) systems

The complexity and magnitude of ICT systems grows apace.
ICT systems are rapidly being integrated into different applications: embedded systems, communication protocols, transport systems, etc.
ICT systems are no longer standalone; rather, they are composed of several components, which are distributed/concurrent.
The number of defects caused by concurrency grows exponentially with the number of interacting components.

Developers face huge pressure to reduce time-to-market.
Legacy practice to make (so-called) correct systems

At each level of production, we test systems thoroughly so that no more bugs are left behind before moving on to the next phase.
Software development life-cycle
What is system verification?

Folklore definition
System verification amounts to checking whether a system fulfills the qualitative requirements that have been identified.

Verification ≠ Validation
Validation = check that we are building the right thing.
Verification = check that we are building the thing right.
Legacy verification techniques

Peer reviewing – static technique
Manual requirement/model/code inspection, with no execution.
Between 31-90% of defects are hunted down, with a median of about 60%.

Drawback: Subtle errors (concurrency and algorithm defects) are hard to catch.

Testing and Simulation – dynamic techniques
Code is tested, or a model is simulated, for certain inputs.
About 30-50% of project cost is devoted to testing.

Drawback: Impossible to test all scenarios (which might be infinite), leaving behind undetected bugs.
Legacy verification techniques are insufficient

Legacy techniques can show the presence of errors, but not their absence.
What do we need to make correct (software) systems?

Ideally speaking, we need:

1 specification methods that gather the requirements (the intended behaviour) of systems concisely, precisely and unambiguously.
2 development methods that ensure that the output of each production phase logically follows from that of the previous one, and/or
3 verification methods that can test whether the output of each phase satisfies the system's intended behaviour.

Use of such methods can show the presence as well as the absence of errors.
Formal Methods

Formal methods are the applied mathematics for specification, development and verification of ICT systems.

Specifications: automata theory, mathematical logics, etc. define the intended behaviour of a system.
Development: model-based engineering, etc. is used to produce systems starting with the highest possible abstraction and gradually refining them to actual implementations.
Verification: formal proofs, model-checking, etc. establish that a system meets its specifications/properties.
High-level view of system verification

Diagram: the system specification feeds a design process that yields a product or prototype; a verifier checks the product against properties (e.g. deadlock freedom, termination, etc.) and reports either "no bugs found" or "bug(s) found".
Verification is undecidable in general

Theorem
L = {(M, h) | System M depicts a behaviour h} is undecidable.

That means there does not exist an algorithm that can tell whether a system M depicts a behaviour h.

Example (Halting problem)
For a Turing machine M it is impossible to decide algorithmically whether it will eventually halt starting with a blank input tape.
Verification is decidable for systems with finite configurations

Theorem
L = {(M, h) | System M with finite configurations depicts a behaviour h} is decidable.

That means for systems with finite configurations, there exists an algorithm that can tell whether a system M depicts a behaviour h.

Example
For a linear bounded automaton M, it is possible to decide algorithmically whether it will eventually halt starting with a blank input tape.
Automated verification technique

Model-checking
Model-checking is an automated technique that, given a (finite) model of a system and a formal property, systematically checks whether this property holds for that model.
What are models?

Models are graphs representing all possible configurations of a program along with their relationships.
In fact, they are labelled-transition systems (LTSs).
Peterson’s mutual exclusion algorithm (Example)

Code of Peterson’s mutual exclusion algorithm

    bool b1 = false, b2 = false;
    int x;

    Process1()
    {
        while (true)
        {
            b1 = true;
            x = 2;
            while (b2 && x == 2)
            {
                // busy waiting
            }
            // critical section
            ...
            // end of critical section
            b1 = false;
        }
    }

    Process2()
    {
        while (true)
        {
            b2 = true;
            x = 1;
            while (b1 && x == 1)
            {
                // busy waiting
            }
            // critical section
            ...
            // end of critical section
            b2 = false;
        }
    }
Peterson’s mutual exclusion algorithm (Example)

Transition system of Peterson’s mutual exclusion algorithm

The behaviour of Peterson’s mutual exclusion algorithm is given as a transition system (diagram not reproduced here).
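As an added example (not code from the slides), the Python below builds the labelled transition system of the Peterson code above and runs a breadth-first reachability search over it, which is the core of an explicit-state model checker. It checks two of the properties the lecture names, mutual exclusion and deadlock freedom, and for a constructed variant in which the two assignments `b1 = true; x = 2` execute in the opposite order it returns the shortest counter-example trace. The program-counter encoding, the initial value `x = 0` and the `swap_init` switch are assumptions of this example.

```python
"""Explicit-state model checking of the slide's Peterson algorithm (added example)."""
from collections import deque

# Program-counter locations of one process, one per statement of the slide's
# Process1/Process2 loop body (assumed encoding, not from the slides).
INIT1, INIT2, WAIT, CS, EXIT = range(5)


def step(pid, state, swap_init=False):
    """Execute one statement of process `pid` (1 or 2) in `state`.

    A state is (pc1, pc2, b1, b2, x). Returns (label, next_state), i.e. one
    labelled transition of the LTS. With swap_init=True the two assignments
    `bN = true; x = ...` run in the opposite order; that reordered variant is
    constructed here only to demonstrate a counter-example."""
    pc1, pc2, b1, b2, x = state
    pc = pc1 if pid == 1 else pc2
    my_flag, other_flag = (b1, b2) if pid == 1 else (b2, b1)
    yield_to = 2 if pid == 1 else 1           # Process1 writes x = 2, Process2 x = 1
    set_flag = (f"P{pid}: b{pid} = true", True, x)
    set_turn = (f"P{pid}: x = {yield_to}", my_flag, yield_to)
    if pc == INIT1:
        label, my_flag, x = set_turn if swap_init else set_flag
        pc = INIT2
    elif pc == INIT2:
        label, my_flag, x = set_flag if swap_init else set_turn
        pc = WAIT
    elif pc == WAIT:
        # while (b_other && x == yield_to) { /* busy waiting */ }
        if other_flag and x == yield_to:
            label = f"P{pid}: busy waiting"   # self-loop: no progress
        else:
            label, pc = f"P{pid}: enter critical section", CS
    elif pc == CS:
        label, pc = f"P{pid}: critical section body", EXIT
    else:                                      # EXIT
        label, my_flag, pc = f"P{pid}: b{pid} = false", False, INIT1
    if pid == 1:
        return label, (pc, pc2, my_flag, b2, x)
    return label, (pc1, pc, b1, my_flag, x)


INITIAL = (INIT1, INIT1, False, False, 0)      # `int x;` is uninitialised; 0 assumed


def both_in_cs(state, swap_init=False):
    """Violation of mutual exclusion: both processes inside the critical section."""
    return state[0] == CS and state[1] == CS


def stuck(state, swap_init=False):
    """Deadlock in the lecture's sense: no process can make progress, i.e. every
    enabled transition is a self-loop (both processes busy-wait forever)."""
    return all(step(pid, state, swap_init)[1] == state for pid in (1, 2))


def check(bad, swap_init=False):
    """Breadth-first exploration of the reachable states of the LTS.

    Returns (states_explored, trace): trace is None when no reachable state
    satisfies `bad` (then states_explored is the full reachable state space),
    otherwise the shortest list of transition labels from the initial state to
    a bad state, i.e. the counter-example a model checker would report."""
    parent = {INITIAL: None}                   # state -> (previous state, label)
    queue = deque([INITIAL])
    while queue:
        s = queue.popleft()
        if bad(s, swap_init):
            trace = []
            while parent[s] is not None:
                s, label = parent[s]
                trace.append(label)
            return len(parent), trace[::-1]
        for pid in (1, 2):
            label, nxt = step(pid, s, swap_init)
            if nxt not in parent:
                parent[nxt] = (s, label)
                queue.append(nxt)
    return len(parent), None


if __name__ == "__main__":
    for swap in (False, True):
        name = "reordered variant" if swap else "Peterson's algorithm"
        for prop, fn in (("mutual exclusion", both_in_cs), ("deadlock freedom", stuck)):
            n, trace = check(fn, swap)
            verdict = "holds" if trace is None else "VIOLATED:\n    " + "\n    ".join(trace)
            print(f"{name}: {n} states explored, {prop} {verdict}")
```

The reordered variant is the classic illustration of why the assignment order (and, on real hardware, memory ordering) matters for Peterson's algorithm; the six-step trace the checker returns is the interleaving in which both processes pass the wait loop.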
Expressivity of labelled-transition systems (LTSs)?

Expressivity
Sequential programs are LTSs.
Multi-threaded programs are LTSs.
Communication protocols are LTSs.
Hardware circuits are LTSs.
etc.
What are properties?

Example properties
Can a system reach a deadlock situation?
Can two processes ever be in a critical section at the same time?
On termination, does a program provide the correct output?

Temporal logics formalize properties
Propositional logic.
Predicate logic.
Linear temporal logic (interpreted over state sequences).
Branching temporal logic (interpreted over state trees).
The model-checking process

Modeling Phase
model the system under consideration.
as a first sanity check, perform some simulations.
formalize the property to be checked.
Running Phase
run the model checker to check whether the property holds for the model.
Analysis Phase
property satisfied? → check another property (if any)
property violated?
analyze the generated counter-example by simulation.
refine the design, model or property; and repeat the entire procedure.
out of memory? → try to reduce the model and try again.
The pros of model-checking

widely applicable (hardware, software, protocol systems, ...).
allows for partial verification (only the most relevant properties).
potential ’push-button’ technology.
rapidly increasing industrial interest.
in case of property violation, a counter-example is generated.
sound and interesting mathematical foundations.
not biased to the most probable scenarios (as in testing).
The cons of model-checking

main focus on control-intensive applications (less data-oriented).
model-checking is only as good as the system model.
no guarantee about the completeness of results.
impossible to check generalizations (in general).

Nevertheless,

Model-checking is a very effective technique to expose potential design errors.
Model-checking in practice

Security: Needham-Schroeder encryption protocol; an error that had remained undiscovered for 17 years was revealed.
Transportation systems: a train model containing 10^476 states.
Model checkers for C, Java and C++: used (and developed) by Microsoft, NASA, etc.; a successful application area is device drivers.
Dutch storm surge barrier in the Nieuwe Waterweg.
Software in the current/next generation of space missiles: NASA’s Mars Pathfinder, Deep Space 1, JPL LARS group.
Facebook and Amazon use model-checking.
Explore the SPIN model checker at http://spinroot.com.
Course Contents

What are appropriate models?


labelled transition systems
from programs to transition systems
from circuits to transition systems
multi-threading, communication protocols to . . .
nanoPromela: an example modeling language

What are different types of properties:


safety: “something bad never happens”
liveness: “something good eventually happens”
fairness: “if something may happen frequently, it will happen”

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 30 / 34
Continue...

How to check regular properties?

finite automata and regular safety properties
Büchi automata and ω-regular properties
model checking: nested depth-first search

How to express properties succinctly?

Linear-time Temporal Logic (LTL): syntax and semantics
Computation Tree Logic (CTL): syntax and semantics
What can be expressed in LTL/CTL
LTL/CTL model checking: algorithms, complexity
How to treat fairness in LTL/CTL

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 31 / 34
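The outline above names the ingredients of automata-based model checking: a transition system, a safety property checked as an invariant, a liveness property whose negation is turned into a Büchi automaton, the product construction, nested depth-first search to find an accepting cycle, and fairness. The following Python program is an added example; it is not code from the lecture or from the course text. It assembles those ingredients into a miniature checker on a constructed model: two processes competing for one semaphore, with the propositions, the mutual-exclusion invariant and the liveness property G(wait0 → F crit0) chosen here for illustration. The Büchi automaton accepts the negation F(wait0 ∧ G ¬crit0), so an accepting lasso in the product is a counterexample to the liveness property.

```python
"""Added example: a miniature automata-based model checker.
The semaphore model, the propositions and the property are assumptions
made for illustration; they are not part of the lecture."""
from typing import Callable, FrozenSet, List, Optional, Set, Tuple

# Transition system: (pc0, pc1, y), pc in {"noncrit", "wait", "crit"},
# y is the semaphore (1 = free). Interleaving gives every schedule,
# including unfair ones in which one process is never chosen.
State = Tuple[str, str, int]
INIT: State = ("noncrit", "noncrit", 1)

def step_process(pc: str, y: int) -> List[Tuple[str, int]]:
    """Local moves of one process given the shared semaphore value."""
    if pc == "noncrit":
        return [("wait", y)]
    if pc == "wait":
        return [("crit", 0)] if y == 1 else []   # blocked while y == 0
    return [("noncrit", 1)]                        # leaving crit frees y

def successors(s: State) -> List[State]:
    pc0, pc1, y = s
    out: List[State] = [(pc, pc1, yy) for pc, yy in step_process(pc0, y)]
    out += [(pc0, pc, yy) for pc, yy in step_process(pc1, y)]
    return out

def label(s: State) -> FrozenSet[str]:
    """Atomic propositions true in s, e.g. {"wait0", "crit1"}."""
    return frozenset({s[0] + "0", s[1] + "1"})

# Safety as an invariant: plain DFS over the reachable states.
def check_invariant(inv: Callable[[State], bool]) -> Optional[List[State]]:
    """Path to a violating state, or None if inv holds on every reachable state."""
    stack: List[Tuple[State, List[State]]] = [(INIT, [INIT])]
    seen: Set[State] = {INIT}
    while stack:
        s, path = stack.pop()
        if not inv(s):
            return path
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                stack.append((t, path + [t]))
    return None

def mutex(s: State) -> bool:
    return not (s[0] == "crit" and s[1] == "crit")

# Büchi automaton for F(wait0 & G !crit0), the negation of G(wait0 -> F crit0).
# q0 loops on anything; on wait0 it may also move to the accepting q1,
# which loops as long as crit0 stays false. Accepting = q1 visited infinitely often.
Q0, Q1 = "q0", "q1"
ACCEPT = {Q1}

def nba_step(q: str, props: FrozenSet[str]) -> List[str]:
    if q == Q0:
        return [Q0, Q1] if "wait0" in props else [Q0]
    return [] if "crit0" in props else [Q1]

# Product: (system state, automaton state); the automaton reads the label
# of the state being entered.
Prod = Tuple[State, str]

def prod_init() -> List[Prod]:
    return [(INIT, q) for q in nba_step(Q0, label(INIT))]

def prod_succ(p: Prod) -> List[Prod]:
    s, q = p
    return [(t, q2) for t in successors(s) for q2 in nba_step(q, label(t))]

def nested_dfs() -> Optional[Tuple[List[Prod], List[Prod]]]:
    """Return (prefix, cycle) of an accepting lasso, or None if the product is empty."""
    outer_seen: Set[Prod] = set()
    inner_seen: Set[Prod] = set()    # shared across inner searches (post-order makes this sound)

    def inner(start: Prod) -> Optional[List[Prod]]:
        stack: List[Tuple[Prod, List[Prod]]] = [(start, [])]
        while stack:
            p, cyc = stack.pop()
            for t in prod_succ(p):
                if t == start:
                    return cyc + [t]             # cycle closes at the accepting state
                if t not in inner_seen:
                    inner_seen.add(t)
                    stack.append((t, cyc + [t]))
        return None

    def outer(p: Prod, path: List[Prod]) -> Optional[Tuple[List[Prod], List[Prod]]]:
        outer_seen.add(p)
        for t in prod_succ(p):
            if t not in outer_seen:
                found = outer(t, path + [t])
                if found:
                    return found
        if p[1] in ACCEPT:                       # post-order: inner search from accepting states
            cyc = inner(p)
            if cyc:
                return path, cyc
        return None

    for p0 in prod_init():
        if p0 not in outer_seen:
            found = outer(p0, [p0])
            if found:
                return found
    return None

def is_lasso(prefix: List[Prod], cycle: List[Prod]) -> bool:
    """Independently validate a counterexample before trusting the search."""
    if not prefix or not cycle or prefix[0] not in prod_init() or cycle[-1] != prefix[-1]:
        return False
    if not any(q in ACCEPT for _, q in cycle):
        return False
    walk = prefix + cycle
    return all(walk[i + 1] in prod_succ(walk[i]) for i in range(len(walk) - 1))

if __name__ == "__main__":
    print("mutual exclusion violated by:", check_invariant(mutex))
    print("liveness counterexample:", nested_dfs())
```

The invariant check returns None: the semaphore really does keep both processes out of the critical section at the same time. The nested search, however, returns a lasso in which process 0 sits in `wait` while process 1 cycles through `noncrit`, `wait`, `crit` forever. That run is a genuine behaviour of the interleaving model, so the liveness property fails as stated; it is also an unfair schedule, which is why the fairness item in the outline matters: under a fairness assumption such runs are excluded and the property holds. This is the same pattern SPIN uses with a never claim and nested depth-first search, here reduced to a few dozen lines so the mechanics are visible.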
Continue...

How to make models smaller?

Equivalences and pre-orders on transition systems
Which properties are preserved
Minimization algorithms

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 32 / 34
General Information

Instructor: Dr. Falak Sher
Office: ITU, 4th Floor
Email: [email protected]
Meeting Hours: By appointment
Teaching Assistant: Ahmad Zafar
Email: ahmad.zafar [email protected]
Prerequisite: Discrete mathematics, Data structures and algorithms, Theory of Automata, Computability and Complexity Theory

Grading Policy
Quiz 10%
Assignments 15%
Midterm 30%
Final 45%

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 33 / 34
Continue...

Makeups: In general, missed items cannot be made up.

Text Book: Principles of Model Checking by Christel Baier and Joost-Pieter Katoen

Course Contents: Chapters 1-7 (up to 7.3)

Aim of the course

It is about the theoretical foundations of model checking, not its usage!

Dr. Falak Sher (ITU Punjab) Automata Theory (Applied) January 28, 2019 34 / 34