DOCSLIB.ORG

Temporal Verification of Reactive Systems Springer New York Berlin Heidelberg Barcelona Budapest Hong Kong London Milan Paris Tokyo Zohar Manna Amir Pnueli

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Temporal Verification of Reactive Systems Springer New York Berlin Heidelberg Barcelona Budapest Hong Kong London Milan Paris Tokyo Zohar Manna Amir Pnueli Temporal Verification of Reactive Systems Springer New York Berlin Heidelberg Barcelona Budapest Hong Kong London Milan Paris Tokyo Zohar Manna Amir Pnueli Temporal Verification of Reactive Systems Safety With 181 Illustrations , Springer Zohar Manna Amir Pnueli Department of Computer Science Computer Science Department Stanford University Weizmann Institute of Science Stanford, CA 94305 USA Rehovot, 76100 Israel Library of Congress Cataloging-in-Publication Data Manna, Zohar. Temporal verification of reactive systems:safety / Zohar Manna and Amir Pnueli. p. cm. Includes bibliographical references and index. ISBN-13:978-1-4612-8701-8 e-ISBN -13:978-1-4612-4222-2 D0I.10.100/978-1-4612-4222-2 1. Computer software-Verification. 2. Parallel processing (Electronic computers) I. Pnueli, A. II. Title. 005.2-dc20 95-5442 Printed on acid-free paper. @ 1995 Springer-Verlag New York, Inc. Softcover reprint of the hardcover 1st edition 1995 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer-Verlag New York, Inc., 175 Fifth Avenue, New York, NY 10010, USA) except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use of general descriptive names, trade names, trademarks, etc., in this publication, even if the former are not especially identified, is not to be taken as a sign that such names, as understood by the Trade Marks and Merchandise Marks Act, may accordingly be used freely by anyone. Production managed by Hal Henglein; manufacturing supervised by Joe Quatela. Photocomposed copy prepared from the authors' '!EX file. 987654321 ISBN-13:978-1-4612-8701-8 Springer-Verlag New York Berlin Heidelberg To our families: Nitza Ariela Yonit Shira Hagit Ishay Irit Noga Amit Preface This book is about the verification of reactive systems. A reactive system is a system that maintains an ongoing interaction with its environment, as opposed to computing some final value on termination. The family of reactive systems includes many classes of programs whose correct and reliable construction is con­ sidered to be particularly challenging, including concurrent programs, embedded and process control programs, and operating systems. Typical examples of such systems are an air traffic control system, programs controlling mechanical devices such as a train, or perpetually ongoing processes such as a nuclear reactor. With the expanding use of computers in safety-critical areas, where failure is potentially disastrous, correctness is crucial. This has led to the introduction of formal verification techniques, which give both users and designers of software and hardware systems greater confidence that the systems they build meet the desired specifications. Framework The approach promoted in this book is based on the use of temporal logic for specifying properties of reactive systems, and develops an extensive verification methodology for proving that a system meets its temporal specification. Reactive programs must be specified in terms of their ongoing behavior, and temporal logic provides an expressive and natural language for specifying this behavior. Our framework for specifying and verifying temporal properties of reactive systems is based on the following four components: 1. A computational model to describe the behavior of reactive systems. The model adopted in this book is that of a Fair Transition System (FTS). 2. A system description language to express proposed implementations. Here we use a Simple Programming Language (SPL) for this purpose. 3. A specification language to express properties that should be satisfied by any proposed implementation. The language of choice in this text is Temporal Logic (TL). viii Preface 4. Verification techniques to prove that the proposed implementation meets its prescribed specification. We consider two types of verification techniques. The first is a deductive approach, which provides a set of verification rules that reduce the task of proving a temporal property to checking the validity of first­ order formulas. The second is an algorithmic approach ("model checking") which presents algorithms for automatic verification of temporal properties. Figure A illustrates how the four parts of the framework interact. System Description Specification Language Language TL SPL Computational Model FTS Verification Techniques Fig. A. The four parts of the framework. Temporal properties of systems can be classified according to the form of the formulas expressing them. A safety property is a property that can be specified by a safety formula of the form 0 p (using the temporal operator 0 meaning always) . This formula states that the property p holds throughout the computa­ tion. Consider, for example, a system that controls the gates to a railroad cross­ ing. The requirement "whenever the train is passing, the gates should be down" Preface ix is a property expressible by a formula 0 p where p characterizes all states except those in which the train is passing while the gate is up. Typically, safety prop­ erties specify that nothing "bad" ever happens, such as allowing a train in the intersection while the gate is up. However, there are additional properties that cannot be specified by such safety formulas. For example, one such property expresses the requirement "if the intersection has been clear of trains for a sufficiently long time, then eventually a train will arrive or the gate will be raised." Properties that cannot be speci­ fied by a safety formula 0 p are called progress properties. Typically, progress properties specify that something "good" eventually happens, such as the gate eventually being raised after a long absence of trains. Progress properties are further classified into several distinct classes according to the formulas expressing them. Our verification methodology partitions the verification rules according to this classification, presenting rules for each class that are specific and effective for proving properties belonging to this class. The Three Volumes This book is the second in a sequence of three volumes (published by Springer­ Verlag) organized as follows: • Volume I (appeared in 1991): "The Temporal Logic of Reactive and Con­ current Systems: Specification." This volume studies in great detail the computational model, the system description language, the language of tem­ porallogic and its use for specifying system properties. We refer to Volume I as the SPEC book. • Volume II (This volume): "Temporal Verification of Reactive Systems: Safety." This volume presents verification techniques for proving safety prop­ erties. We refer to this volume as the SAFETY book. • Volume III: "Temporal Verification of Reactive Systems: Progress." This volume presents verification techniques for proving progress properties. We refer to Volume III as the PROGRESS book. Even though this is the second volume in the sequence, it is largely self-contained and can be studied or taught independently of the first volume. In particular, Chapter 0 includes all the material from the first volume that is relevant to tem­ poral verification. Naturally, most of the discussions and examples have been omitted, and we encourage the more inquisitive reader to consult the SPEC book whenever a more detailed explanation or motivation is needed. Verification Techniques As previously explained, this volume is devoted to the verification of safety prop­ erties. While all safety properties are specifiable by a formula of the form 0 p, it x Preface is possible to distinguish several subclasses of the safety class according to more specialized formulas expressing them. The main approach to verification studied in this volume (Chapters 1-4) is that of deductive verification: program properties are verified using formal deduction based on a set of inference rules. Such rules are presented first for some of the simpler subclasses, followed by rules for the entire safety class. A convenient and visual representation of the structure of a proof is provided by verification diagrams. Each set of rules, corresponding to a subclass or to the entire safety class, is shown to be complete for proving properties belonging to that class. This ensures that Every correct property of a system can be formally proven, using the deductive techniques presented in this book. In our presentation, we attempt to emphasize the feasibility, practicality, and universality of the deductive approach. In addition to the deductive approach, we also consider a second verification technique: algorithmic verification (often referred to as "model checking"). This technique is based on algorithms that, without any user guidance or ingenuity, check automatically whether a given system satisfies its temporal specification. The obvious advantages of this approach are offset by the fact that it usually can only be applied to finite-state systems, i.e., systems restricted to having only finitely many distinct states. In this volume we present several algorithms for checking that a given temporal formula is valid over a given finite-state system. In some cases these algorithms are also applicable to systems with infinitely many states. The presentation of algorithmic verification is also organized by subclasses of safety properties; we provide an algorithm for each
Load more

Recommended publications
  • —Daniel 12:3 ZOHAR MANNA (B
    ÖÛÜ Ü Ü ÑÐÝÒ —Daniel 12:3 ZOHAR MANNA (b. 1939) Preface Zohar Manna, founding father of the study and application of formal methods for software and hardware verification, turned 64 early this (Gregorian) year, a date of numerological significance to cognoscenti in the realm of binary computers.1 To honor this event, many of Zohar’s graduate students, research collaborators, and computer-science colleagues gathered in Sicily for a symposium on subjects related to Zohar’s manifold contributions in the field. Their breadth and depth were a tribute to Zohar’s lasting impact on the field. The symposium was held in Taormina, Sicily, Italy between June 29 and July 4, 2003. Local arrangements were coordinated by Alfredo Ferro of Catania University. The help of Ugo Montanari was instrumental in the success of the event and is most gratefully acknowledged. Thanks are also due Domenico Can- tone, Rajeev Alur, the late Armando Haeberer, Tom Henzinger, Paola Schettino, and Henny Sipma. The meeting received generous support from the following institutions: – Dipartimento di Informatica of the University of Pisa; – School of Computer Science of Tel Aviv University; – Lipari International School for Computer Science Researchers; and – Dipartimento di Matematica e Informatica of Catania University. The event comprised the following lectures: 1. Amir Pnueli: “TLPVS: a PVS-Based LTL Verification System” (with Tama- rah Arons) 2. Bernd Finkbeiner: “Runtime Verification with Alternating Automata” (with Sriram Sankaranarayanan and Henny Sipma) 3. Rajeev Alur: “Formal Analysis of Hierarchical State Machines” 4. Luca de Alfaro: “Games and Mu-Calculus” 5. Manfred Broy: “A Functional Calculus for Specification and Verification of Nondeterministic Interactive Systems” 6.
    [Show full text]
  • BEATCS No 119
    ISSN 0252–9742 Bulletin of the European Association for Theoretical Computer Science EATCS E A T C S Number 119 June 2016 Council of the European Association for Theoretical Computer Science President:Luca Aceto Iceland Vice Presidents:Paul Spirakis United Kingdom and Greece Antonin Kucera Czech Republic Giuseppe Persiano Italy Treasurer:Dirk Janssens Belgium Bulletin Editor:Kazuo Iwama Kyoto,Japan Lars Arge Denmark Anca Muscholl France Jos Baeten The Netherlands Luke Ong UK Lars Birkedal Denmark Catuscia Palamidessi France Mikolaj Bojanczyk Poland Giuseppe Persiano Italy Fedor Fomin Norway Alberto Policriti Italy Pierre Fraigniaud France Alberto Marchetti Spaccamela Italy Leslie Ann Goldberg UK Vladimiro Sassone UK Magnus Halldorsson Iceland Thomas Schwentick Germany Monika Henzinger Austria Jukka Suomela Finland Christos Kaklamanis Greece Thomas Wilke Germany Elvira Mayordomo Spain Peter Widmayer Switzerland Michael Mitzenmacher USA Gerhard Woeginger¨ The Netherlands Past Presidents: Maurice Nivat (1972–1977)Mike Paterson (1977–1979) Arto Salomaa (1979–1985)Grzegorz Rozenberg (1985–1994) Wilfred Brauer (1994–1997)Josep D´iaz (1997–2002) Mogens Nielsen (2002–2006)Giorgio Ausiello (2006–2009) Burkhard Monien (2009–2012) Secretary Office:Ioannis Chatzigiannakis Italy Efi Chita Greece EATCS Council Members email addresses Luca Aceto ..................................... [email protected] Lars Arge .............................. [email protected] Jos Baeten ............................... [email protected] Lars Birkedal ............................ [email protected] Mikolaj Bojanczyk .......................... [email protected] Fedor Fomin ................................ [email protected] Pierre Fraigniaud .. [email protected] Leslie Ann Goldberg ................ [email protected] Magnus Halldorsson ........................ [email protected] Monika Henzinger ................ [email protected] Kazuo Iwama ........................ [email protected] Dirk Janssens ........................
    [Show full text]
  • Pæan to Zohar Manna
    Pæan to Zohar Manna Nachum Dershowitz School of Computer Science Tel Aviv University Ramat Aviv, Tel Aviv 69978, Israel email: [email protected] .xdf ‘l‘ epipia did ‘le [And what we shared was zohar.] —Leah Goldberg Zohar’s Origins Zohar, whose name in Hebrew means “illumination,” was born in early 1939 c.e. and grew up in Haifa, Israel. This volume is offered in tribute to Zohar – and in celebration of his 64th birthday. Two academic symposia were held to mark this event: a one-day symposium, held in Tel Aviv, Israel on May 16, 2003, and a week-long symposium, held in Taormina, Sicily, from June 29 to July 4, which gave rise to this volume. Zohar received his bachelor’s and master’s degrees, in Mathematics, from the Technion in Haifa (in 1962 and 1965, respectively). He also served as a scientific programmer in the Israel Defense Forces from 1962 to 1964. He continued his graduate studies in Computer Science at Carnegie-Mellon University in Pitts- burgh, Pennsylvania, under the guidance of Robert W Floyd and Alan J. Perlis, where he obtained his Ph.D. in 1968. Going backwards, we find that his advisor, Alan J. Perlis, was a student of Philip Franklin, who was a student of Oswald Veblen, who was a student of Eliakim Hastings Moore, who was a student of Hubert Anson Newton, who was a student of Michel Chasles, who was a student of Simeon Denis Poisson, who was a student of Joseph Louis Lagrange, who was an unofficial student of Leonhard Euler, who was a student of Johann Bernoulli, who was a student of his brother, Jacob Bernoulli, who was an autodidact.
    [Show full text]
  • Curriculum Vitae1 Rajeev Alur
    Curriculum Vitae1 Rajeev Alur Address Department of Computer and Information Science 3330 Walnut Street, Levine Hall University of Pennsylvania Philadelphia, PA 19104 Tel: (215) 573-7483 Fax: (215) 898-0587 Email: alur @ cis.upenn.edu URL: http://www.cis.upenn.edu/~alur/ Personal Information Date of birth: March 5, 1966. Citizen of the United States. Married with two children. Research Interests Formal methods: computer-aided verification, software analysis, and system synthesis; Cyber-physical systems: hybrid dynamical system, model-based design, and safe learning; Theoretical computer science: automata, logics, concurrency, and models of computation. Education Ph.D. in Computer Science (August 1991) Stanford University, Stanford. Thesis: Techniques for automatic verification of real-time systems Advisors: Professor David Dill and Professor Zohar Manna. Bachelor of Technology in Computer Science (May 1987) Indian Institute of Technology, Kanpur, India. Employment • July 2003 onwards: Zisman Family Professor of Computer and Information Science, University of Pennsylvania. • July 2001 onwards: Professor, Department of Computer and Information Science, University of Pennsylvania. • July 1999{June 2001: Associate Professor with tenure, Department of Computer and Infor- mation Science, University of Pennsylvania. • July 1997{June 1999: Associate Professor without tenure, Department of Computer and Information Science, University of Pennsylvania. • September 1991{June 1997: Member of Technical Staff, Computing Sciences Research Center, Bell Laboratories, Murray Hill. 1Updated May 2021 1 Visiting Positions • February { April 2018: Visiting Scientist, Simons Institute for Theoretical Computer Science, University of California at Berkeley. • July 2006 { May 2009: Consulting Scientist, NEC Labs America, Princeton, NJ. • July 1997{August 2001: Part-time Member of Technical Staff, Computing Sciences Research Center, Bell Laboratories, Murray Hill.
    [Show full text]
  • Amir Pnueli a Gentle Giant: Lord of the ??S and the ??S
    Amir Pnueli A Gentle Giant: Lord of the ??s and the ??s Formal Aspects of Computing Applicable Formal Methods ISSN 0934-5043 Volume 22 Number 6 Form Asp Comp (2010) 22:663-665 DOI 10.1007/ s00165-010-0165-0 1 23 Your article is protected by copyright and all rights are held exclusively by British Computer Society. This e-offprint is for personal use only and shall not be self-archived in electronic repositories. If you wish to self-archive your work, please use the accepted author’s version for posting to your own website or your institution’s repository. You may further deposit the accepted author’s version on a funder’s repository at a funder’s request, provided it is not made publicly available until 12 months after publication. 1 23 Author's personal copy DOI 10.1007/s00165-010-0165-0 BCS © 2010 Formal Aspects Formal Aspects of Computing (2010) 22: 663–665 of Computing Amir Pnueli A Gentle Giant: Lord of the ϕ’s and the ψ’s David Harel Most of this piece focuses on Amir’s personality, since FACS readers are unlikely to need too much introduction to his scientific contributions. Amir completed his PhD in applied mathematics, the tile of his thesis being Calculation of Tides in the Ocean, under Chaim Pekeris, who was the founder of our department at the Weizmann Institute. He then switched to computer sci- ence during a brief stint at Stanford and at IBM Yorktown Heights. He was then at the Weizmann Institute until 1973, with two other young, brilliant computer scientists: Shimon Even and Zohar Manna.
    [Show full text]
  • Zohar Manna (1939–2018)
    Under consideration for publication in Formal Aspects of Computing Zohar Manna (1939–2018) Nachum Dershowitz and Richard Waldinger ולא היה בינינו אלא זהר [And what we shared was solely zohar.] —Leah Goldberg (1944) Zohar Manna, founding father of the study and application of formal methods for software and hardware verification, died peacefully at his home in Netanya, Israel, a year ago, on August 30, 2018, after a long and marvelously productive career. He passed away surrounded by his extended family. He was 79. Zohar, whose name in Hebrew means “illumination,” was born in early 1939 and grew up in Haifa, Israel. He met his future wife, Nitza Kletchevsky, at a folk-dancing class in Haifa in 1959. The couple married in 1963. Zohar is survived by Nitza and their children—daughters, Yonit, a software engineer, Hagit, a psychiatrist, Irit, an operations manager, and son Amit, a product manager—all of whom were at his bedside when he passed away. He also left five grandchildren, three boys and two girls. Photo courtesy Manna family. 2 Nachum Dershowitz and Richard Waldinger 1. Zohar’s Academic Life Zohar received his bachelor’s and master’s degrees in mathematics from the Technion in Haifa in 1961 and 1965, respectively, serving as a scientific programmer, with the rank of First Lieutenant, in the Israel Defense Forces from 1962 to 1964. Afterwards, he attended Carnegie Mellon University in Pittsburgh (together with one of us, Richard), where he earned his Ph.D. in computer science in the spring of 1968 under the guidance of Robert W Floyd and Alan J.
    [Show full text]
  • ABCD Key Textbooks
    ABCD springer.com Key Textbooks Spring 2012 springer.com Biomedicine 2 Biomedicine challenges that have been written by the authors for use in their own biotransport courses. Chapter summaries, review questions and over 230 problems are included at the end of chapters. More on www.springer.com/978-1-4419-8118-9 Free Shipping. Online orders shipping within 2-3 days. 2011. XXVII, 650 p. Hardcover 978-1-4419-8118-9 ▶$99.00 R.J. Roselli, Vanderbilt University, Nashville, TX, USA; K.R. Diller, The University of Texas, Austin, TX, USA Y. Okada, National Institute for Physiological Sciences, Biotransport: Principles and Chemistry Okazaki, Japan (Ed.) Applications Patch Clamp Techniques Biotransport: Principles and Applications is From Beginning to Advanced Protocols written primarily for biomedical engineering and Channels and transporters are multi-functional bioengineering students at the introductory level, proteins that mediate substrate transport and signal but should prove useful for anyone interested transmission and simultaneously act as regulators in quantitative analysis of transport in living for other proteins and biosensors for environmental systems. It is important that bioengineering materials. Patch clamping is an epoch-making students be exposed to the principles and subtleties technique that allows researchers to perform real-time of transport phenomena within the context of measurements of electrogenic channel/transporter problems that arise in living systems. These tend functions at the single/multiple molecular level. to have constitutive properties, compositions, This book describes not only the conventional patch and geometries that are quite distinct from those clamp techniques but also their newly developed of typical inanimate systems. The book derives H.-D.
    [Show full text]
  • Download Chapter 296KB
    Memorial Tributes: Volume 16 Copyright National Academy of Sciences. All rights reserved. Memorial Tributes: Volume 16 AMIR PNUELI 1941–2009 Elected in 1999 “For the invention of temporal logic and other tools for designing and verifying software and systems.” BY DAVID HAREL AND MOSHE VARDI AMIR PNUELI, a pioneer in the fields of specification, verification, and analysis of computer systems, and a Turing Award winner, died after suffering a brain hemorrhage on November 2, 2009. His sudden death shocked the international computing community. A brilliant man who was shy, modest, and graceful, Pnueli, or simply Amir as he was called by anyone who knew him, was born in Nahalal, in what is now Israel, on April 22, 1941. He spent the bulk of his career at Tel Aviv University and at the Weizmann Institute of Science in Israel and in recent years also at New York University. Amir did his doctoral work at Weizmann in applied mathematics under the late Chaim L. Pekeris, writing a thesis in 1967 on the calculation of ocean tides. Immediately thereafter he made a transition to computer science, working as a postdoctoral fellow at Stanford University and at IBM’s research center in Yorktown Heights, New York, for two years. He returned to Israel in 1968 as a faculty member in the Department of Applied Mathematics at the Weizmann Institute and in 1973 moved to Tel Aviv University, where he founded the Department of Computer Science and was its first chair. In 1980, Pnueli returned to the Weizmann Institute as a professor, together with three younger computer scientists— 239 Copyright National Academy of Sciences.
    [Show full text]