Temporal Logics. & verification. & automated verification. Why formal specifications? automated verification: specification:

Transcription

1 Temoral Logics & Model Checking Farn Wang Det. of Electrical Engineering National Taiwan University Secifications, descritions, & verification secification: The user s reuirement descrition (imlementation): The user s descrition of the systems No strict line between descrition and secification. verification: Does the descrition satisfy the secification? 1 2 Formal secification & automated verification formal secificaton: secification with rigorous mathematical ti notations ti automated verification: verification with suort from comuter tools. Why formal secifications? to make the engineers/users understand the system to design through rigorous mathematical notations. to avoid ambiguity/confusion/misunderstanding in communication/discussion/reading. to secify the system recisely. to generate mathematical models for automated analysis. 3 But according to Goedel s incomleteness theorem, it is imossible to come u with a comlete secification. 4

2 Why automated verification? to somehow be able to verify comlexer & larger systems to liberate human from the labor-intensive verification tasks to set free the creativity of human to avoid the huge cost of fixing early bugs in late cycles. to comete with the core verification technology of the future. Secification & Verification? Secification Comlete & sound. Verfication Reducing bugs in a system. Making sure there are very few bugs. Very difficult! Cometitiveness of high-tech industry! A way to survive for the students! A way to survive for Taiwan! 5 6 2,500,000+1,500,000,,, lines of codes (most in Ada) 7 8

3 Bugs in comlex software Budget aroriation They take effects only with secial event seuences. the number of event seuences is factorial and suer astronomical! It is imossible to check all traces with test/simulation. The rest VERIFICATION 1% % VERIFICATION 40%-60% Design & Coding 99% Design & Coding 10%-20% Training in Taiwan College 9 10 Three technologies in verification Testing g( (real wall for real cars) Exensive Low coverage Late in develoment cycles Simulation(virtual wall for virtual ca Economic Low coverage Don t know what you haven t seen. Formal Verification (virtual car checked) Exensive Functional comleteness 100% coverage Automated! With algorithms and roofs. 11 Sum of the 3 angles = 180? Testing (check all Δs you see) Exensive Low coverage Late in develoment cycles Simulation (check all Δs you draw) Economic Low coverage Don t know what you haven t seen. Formal Verification(we rove it.) Exensive Functional comleteness 100% coverage Automated! With algorithms and roofs. 12

4 Model-checking -a general framework for verification of seuential systems model Model Checker secification Answer Yes if the model is euivalent to the secification No if not. Models & Secifications - formalism Whenever a baby cries, it is hungry. Logics: (crying i hungry) Grahs: crying hungry crying hungry crying hungry Models & Secifications - fairness assumtions Some roerties are almost imossible to verify without assumtions. Examle: (start ( finish) To verify that a rogram halts, we assume CPU does not burn out. OS gives the rogram a fair share of CPU time. All the drivers do not stuck. 15 Model-checking - frameworks in our lecture Model Logics Sec Logics traces Trees Linear Branching F= F F= F F= F F= F traces F= F Trees F= F Linear F= F Branc hing : known; F= F : discussed in the lecture 16

5 History of Temoral Logic Framework Designed by hilosohers to study the way that time is used in natural a language arguments Reviewed by Prior [PR57, PR67] Brought to Comuter Science by Pnueli [PN77] Has roved to be useful for secification of concurrent systems Temoral Logic is a class of Modal Logic Allows ualitatively describing and reasoning about changes of the truth values over time Usually imlicit time reresentation Provides variety of temoral oerators (sometimes,, always) Different views of time (branching vs. linear, discrete vs. continuous, ast vs. future, etc.) Outline Krike structure Linear LPTL (Linear time Proositional Temoral Logics) Branching CTL (Comutation Tree Logics) CTL* (the full branching temoral logics) A = (S, S 0, R, L) S S 0 S a set of all states of the system a set of initial states R S S a transition relation between states L : S 2 P a function that t associates each state t with set of roositions true in that state 19 20

6 Krike Model Examle of Krike Structure Set of states S { 1, 2, 3 } Set of initial states S 0 1 { 1 } Set of atomic roositions AP {a,b} a Suose there is a rogram initially x=1 and y=1; while true do x:=(x+y) mod 2; endwhile a,b 2 b 3 where x and y range over D={0,1} Examle of Krike Structure S=DxD S 0 ={(1,1)} R={((1,1),(0,1)),((0,1),(1,1)),((1,0),(1,0)),((0,0),(0,0))} L((1,1))={x=1,y=1},L((0,1))={x=0,y=1}, L((1,0)) 0))={x=1 1,y=0} 0},L((0,0)) 0))={x=0 0,y=0} 0,0 BNF, syntax definitions Note! Be sure how to read BNF! used for define e syntax of context-free t ee language imortant for the definition of automata redicates and temoral logics Used throughout the lectures! In exam: violate the syntax rules no credit. 1,1 0,1 1,0 A ::= c x (M) A 1 +A 2 A 1 A 2 M::= c x (A) M 1 *M 2 M 1 /M 2 c is an integer x is a variable name

7 BNF, syntax definitions BNF, syntax definitions - derivation trees (from to down) A ::= c x (M) A 1 +A 2 A 1 A 2 A ::= c x (M) A 1 +A 2 A 1 A 2 M ::= c x ( (A) M 1*M 2 M 1 1/ /M 2 c is an integer x is a variable name. M * A ( ) A + A A - A M ::= c x ( (A) M 1*M 2 M 1 1/ /M 2 c is an integer x is a variable name. used in string generation. M * A ( ) A + A A - A M M y 3 M M y 3 3 x (3*x)+y-3 3 x (3*x)+y BNF, syntax definitions - arsing trees (from bottom u) Temoral Logics:Catalog A ::= c x (M) A 1 +A 2 A 1 A 2 M ::= c x ( (A) M 1*M 2 M 1 1/ /M 2 c is an integer x is a variable name. used in comiler. M M * A ( ) M 3 x A + A A - A y 3 (3*x)+y-3 roositional first-order global comositional branching linear-time oints discrete ast intervals continuous future 27 28

8 Temoral Logics Linear LPTL (Linear time Proositional Temoral Logics) LTL, PTL, PLTL Branching CTL (Comutation Tree Logics) CTL* (the full branching temoral logics) Amir Pnueli 1941 Professor, Weizmann Institute Professor, NYU Turing Award, 1996 Presentation of a gift at ATVA /FORTE 2005, Taiei LPTL (PTL, LTL) Linear-Time Proositional Temoral Logic Conventional notation: roositions :,, r, sets : A, B, C, D, states : s state seuences : S formulas : φ,ψ Set of natural number:n = {0, 1, 2, 3, } Set of real number:r LPTL Given P : a set of roositions, a Linear-time structure : state seuence S= s 0 s 1 s 2 s 3 s 4... s k... s k is a function of P where P or s k 2 P examle: P={a,b} {a}{a,b}{a}{a}{b} {true,false} 31 32

9 Syntax definitions Note! Be sure how to read BNF! used for define e syntax of context-free t ee language imortant for the definition of automata redicates and temoral logics Used throughout the lectures! In exam: violate the syntax rules no credit. A ::= (M) A1 + A2 A1 A2 M::= (A) M1 * M2 M1 / M2 LPTL -syntax syntax definition in BNF ψ ::= true ψ ψ ψ 1 ψ 2 ψ ψ 1 Uψ 2 abbreviation false true ψ 1 ψ 2 (( ψ 1 ) ( ψ 2 )) ψ 1 ψ 2 ( ψ 1 ) ψ 2 ψ true Uψ ψ ψ LPTL -syntax Exam. Symbol in CMU LPTL -syntax X is true on next state X istrue on next state U U From now on, is always true until is true F From now on, there will be a state where is eventually (sometimes) true G From now on, is always true????? : don t care 35 36

10 LPTL -syntax U U From now on, is always true until is true,?,? true don t care LPTL -syntax F From now on, there will be a state where is eventually (sometimes) true???? G From now on, is always true?? LPTL -syntax Two oerator for Fairness ; will haen infinitely many times infinitely often ; will be always true after some time in the future almost everywhere LPTL - semantics suffix ath : S= s 0 s 1 s 2 s 3 s 4 s S (0) = s 0 s 1 s 2 s 3 s 4 s S (1) = s 1 s 2 s 3 s 4 s 5 s S (2) = s 2 s 3 s 4 s 5 s 6... S (3) = s 3 s 4 s 5 s 6... S (k) = s k s k+1 s k+2 s k

11 LPTL - semantics Given a state seuence S= s 0 s 1 s 2 s 3 s 4... s k... We define S ψ (S satisfies ψ)inductively as: S true S s 0 ()=true, or euivalently s 0 S ψ S ψ is false S ψ 1 ψ 2 S ψ 1 or S ψ 2 S ψ S (1) ψ S ψ 1 Uψ 2 k 0(S (k) ψ 2 0 j<k(s (j) ψ 1 )) Branching Temoral Logics Basic assumtion of tree-like structure Every node is a function s 0 of P {true,false} Every state may have many successors s 2 s 1 s 3 s 4 s Branching Temoral Logics Branching Temoral Logic Basic assumtion of tree-like structure Every ath is isomorhic as N s 0 Corresond to a state seuence Path : s 0 s 1 s 3 s 0 s 1 s 2 s 1 s 3 s 4 s 5 s 2 s 1 s 3 s 4 s 5 It can accommodate infinite and dense state successors In CTL and CTL*, it can t tell Finite and infinite Is there infinite transitions? Dense and discrete Is there countable(ω)transitions? 44 45

12 Branching Temoral Logic Get by flattening a finite state machine s s 0 s 0 s 1 s 2 s 1 s 2 s 0 s 1 s 1 s 2 s 0 CTL(Comutation Tree Logic) Edmund M. Clarke Professor, CS & ECE Carnegie Mellon University it EAll E. Allen Emerson Professor, CS The University of Texas at Austin Chin-Laung Lei Professor, EE National Taiwan University CTL(Comutation Tree Logic) - syntax φ::= true φ φ φ 1 φ 2 φ φ φ 1 Uφ 2 φ 1 Uφ 2 abbreviation: false true φ 1 φ 2 (( φ 1 ) ( φ 2 )) φ 1 φ 2 ( φ 1 ) φ 2 φ true Uφ φ φ φ true Uφ φ φ 48 CTL - semantics examle symbol in CMU EX there exists a ath where is true on next state U U EU from now on, there is a ath where is always true until is true AX for all ath where is true on next state U AU from now on, for all ath where is always true until is true 49

13 CTL - semantics EX there exists a ath where? is true on next state t CTL - semantics U EU from now on, there is a ath where is always true until is true?????????? CTL - semantics AX for all ath where is true on next state? CTL - semantics U AU from now on, for all ath where is always true until is true??????? 52 53

14 CTL - semantic Assume there are a tree stucture M, one state s in M, and a CTL fomula φ M,sφ means s in M satisfy φ 54 CTL - semantics s 0 s-ath:a ath in M s s 1 which stats from s 11 s 0 -ath: s 0 s 1 s 2 s 3 s 5... s 0 s 1 s 6 s 7 s 8... s 2 s 6 s 12 s 3 s 7 s s 9 s ath: s 1 s 2 s 3 s 5... s 2 -ath: s 2 s 3 s 5... s 5 s 8 s 10 s 14 s 13 -ath: s 13 s s 4 s CTL - semantics M,s true M,s s M,s φ it is false that M,s φ M,s φ 1 φ 2 M,s φ 1 or M,s φ 2 M,s φ s-ath = s 0 s 1 (M,s 1 φ) M,s φ s-ath = s 0 s 1 (M,s 1 φ) Ms M,s φ 1 Uφ 2 s-ath = s 0 s 1, k 0 (M,s k φ 2 0 j<k(m,s j φ 1 ) Ms M,s φ 1 Uφ 2 s-ath = s 0 s 1, k 0 (M,s k φ 2 0 j<k(m,s j φ 1 ) CTL -examles(i) P 0 :( 0 :=0 0 := ) P 1 :( 1 :=0 1 := 0 1 ) P2 :( 2 :=0 2 := 1 2 ) P 2 var: 2 If P 0 is true, it is ossible that P 2 can be true P 0 P 1 after the next two cycles. var: 0 var: 1 ( 0 2 ) 56 57

15 CTL - examles (II) 1. If there are dark clouds, it will rain. (dark-clouds rain) 2. if a buttefly flas its wings, the New York stock could lunder. (buttefly-fla-wings NY-stock-lunder) 3. if I win the lottery, I will be hay forever. (win-lottery hay) 4. In an execution state, if an interrut occurs in the next cycle, the interrut handler will execute at the 2nd next cycle. (exec (intrt (intrt-handler))) CTL - examles (III) In an execution state, if an interrut occurs in the next cycle, cle the interrut handler will execute ec at the 2nd next cycle. (exec (intrt (intrt-handler))) ( ( ( Some ossible mistakes: (exec (( intrt) intrt-handler)) (exec (( intrt) intrt-handler)) CTL - examles (IIIa) Please draw a Krike structure that tells (intrt (intrt-handler)) from and ( intrt) intrt-handler ( intrt) intrt-handler 60 CTL -imortant classes : safety roerties is always true in all comutations ti from now. : reachability yroerties is eventually true in some comutation from now. : inevitabilities is eventually true in all comutations from now. 61

16 CTL* - syntax CTL* fomula ( state-fomula ) φ::= true φ 1 φ 1 φ 2 ψ ψ ath-fomula ψ ::= φ ψψ 1 ψ 1 ψψ 2 ψψ 1 ψ 1 Uψψ 2 CTL* is the set of all state-fomulas! CTL* - examles (1/4) In a fair concurrent environment, jobs will eventually finish. (((execute 1 ) (execute 2 )) finish) or ((( execute 1 ) ( execute 2 )) finish) CTL* - examles (2/4) No matter what, infinitely many comets will hit earth. Difference? comet-hit-earth Why not CTL? comet-hit-earth earth Difference? comet-hit-earth Exercise, lease construct a model that tells the last from the first che 64 CTL* - examles (2/4) No matter what, infinitely many comets will hit earth. comet-hit-eartht th What is the Or comet-hit-earth Why not CTL? comet-hit-earth comet-hit-earth difference? weak true next! 65

17 CTL* - Workout The same according to lemma CTL* - examles (3/4) (1) comet-hit-earth (2) comet-hit-earth (3) comet-hit-earth Please draw Krike structures that tell (1) from (2) and (3) (2) from (1) and (3) (3) from (1) and (2) If you never have a lover, I will marry you. ((you-have-no-lover) marry-you) Why not CTL? ( you-have-no-lover) ) marry-you ( you-have-no-lover) marry-you ( you-have-no-lover) ) marry-you y CTL* - Workout CTL* - examles (4/4) (1) ((you-have-no-lover) marry-you) you) (2) ( you-have-no-lover) marry-you (3) ( you-have-no-lover) marry-you (4) ( you-have-no-lover) marry-youyou Please draw trees that tell (1) from (2) (2) from (3) (3) from (4) (4) from (1) 68 If I buy lottory tickets infinitely many times, eventually I will win the lottery. ((buy-lottery) win-lottery) or (( buy-lottery) y) win-lottery) 69

18 CTL* - semantics s 0 suffix ath : s s 1 11 S= s 0 s 1 s 2 s 3 s 5... S (0) = s 0 s 1 s 2 s 3 s 5... s S (1) = s 2 s 6 s 1 s 2 s 3 s S (2) = s 2 s 3 s 5... S (3) = s 3 s 5... s S (4) = s S= s 0 s 1 s 6 s 7 s 8... s s s s S (2) = s 6 s 7 s 8 S= s 0 s 11 s 12 s 13 s S (3) = s 13 s s 7 s 9 s 13 s 4 s 15 CTL* - semantics state-fomula φ::= true φφ 1 φ 1 φφ 2 ψ ψ M,s true M,s s M,s φ M,s φ 是 false Ms M,s φ 1 φ 2 Ms M,s φ 1 or Ms M,s φ 2 M,s ψ s-ath = S (S ψ) M,s ψ s-ath = S (S ψ) 71 CTL* - semantics ath-fomula ψ ::= φ ψ 1 ψ 1 ψ 2 ψ ψ 1 Uψ 2 If S= s 0 s 1 s 2 s 3 s 4...,S φ M,s 0 φ S ψ 1 S ψ 1 是 false S ψ 1 ψ 2 S ψ 1 or S ψ 1 S ψ S (1) ψ S ψ (k) 0 j<k(s (j) 1 Uψ 2 k 0 (S ψ 2 ψ 1 )) 72 Exressiveness Given a language L, what model sets L can exress? what model sets L cannot? model set: a set of behaviors A formula = a set of models (behaviors) for anyφ L, [φ] {M M φ} A language = a set of formulas. Exressiveness: Given a model set F, F is exressible in L iff φ L([φ]=F) 73

19 Exressiveness Comarison in exressiveness: Given two languages L 1 and L 2 Definition: L 1 is more exressive than L 2 (L 2 <L 1 ) iff φ L 2 ([φ] is exressible in L 1 ) Definition: L 1 and L 2 are exressively euivalent (L 1 L 2 ) iff (L 2 <L 1 ) (L 1 <L 2 ) Definition: L 1 L 2 are exressively incomarable iff ((L 2 <L 1 ) (L 1 <L 2 )) Exressiveness - branching-time logics What to comare with? finite-state automata on infinite trees. 2nd-order logics with monadic rdicate and many successors (SnS) 2nd-order logics with monadic and artial-order Very little known at the moment, the fine difference in semantics of branching-structures Exressiveness -CTL*, examle (I) A tree the distinguishes the following two formulas. ((eat) ) full) ) Negation: ((eat) full) ( eat) ( full) eat Exressiveness -CTL*, examle (II) A tree that distinguishes the following two formulas. ((eat) full) (eat full) ) Negation: (eat full) eat 76 77

20 Exressiveness -CTL* With the abundant semantics in CTL*, we can comare the subclasses of CTL*. With restrictions on the modal oerations after,, we have many CTL * subclasses. Examle: B(,,,U),, : only,,,u,,, after,, B(,,, ): only,,, after, B(,) ) : only,after, Exressiveness -CTL* CTL * subclass exressiveness heirarchy CTL * > B(,,,,U, ) > B(,,U, U ) > B(,,,,U) = B(,,U) > B(,,,) ) > B(,), > B() Exressiveness -CTL* Some theorems : B(,,,,U) B(,,U) is inexressible in B(,,U). Exressiveness -CTL* Comaring PLTL with CTL* assumtion, all φ PLTL are interreted as φ Intuition: PLTL is used to secify all runs of a system. CTL * > > B(,,,,U, ) PLTL > > PLTL(F) 80 81

21 Verification model (system) formula LPTL, validity checking ψ φ instead, check the satisfiability of ψ φ construct a tabelau for ψ φ model-checking Mφ secification formula LPTL: M: a Büchi automata, φ: anlptlformula CTL: M: a finite-state automata, φ: a CTL formula simulation & bisimulation checking M M Satisfiability-checking framework model in logics,,,,,,,u,,, Model Checker secification in logics,,,,,u U Answer Yes if the model is euivalent to the secification No if not LPTL - tableau for satisfiability checking Tableau for φ a finite Krike structure that fully describes the behaviors of φ exonential number of states t An algorithm can exlore a fulfilling ath in the tableau to answer the satisfiability. nondeterministic without construction of the tableau PSPACE. LPTL - tableau for satisfiability checking Tableau construction a rerocessing ste: ush all negations to the literals. l (ψ 1 ψ 2 ) ( ψ 1 ) ( ψ 2 ) (ψ 1 ψ 2 ) ( ψ 1 ) ( ψ 2 ) ψ ψ ψ ψ (ψ 1 Uψ 2 ) ( ψ 2 ) (( ψ 2 )U (( ψ 1 ) ( ψ 2 ))) ψ ψ 84 85

22 LPTL - tableau for satisfiability checking Tableau construction CL(ϕ) )(closure) )is the smallest set of formulas containing i ϕ with the following consistency reuirement. CL(ϕ) iff CL(ϕ) If ψ 1 ψ 2, ψ 1 ψ 2 CL(ϕ), then ψ 1, ψ 2 CL(ϕ) If ψ CL(ϕ), then ψ CL(ϕ) If ψ 1 Uψ 2 CL(ϕ), then ψ 1, ψ 2, (ψ 1 U ψ 2 ) CL(ϕ) If ψ CL(ϕ), then ψ, ψ CL(ϕ) LPTL - tableau for satisfiability checking Tableau (V, E), node consistency condition: A tableau node v V is a set v CL(f) such that v iff v If ψ 1 ψ 2 v, then ψ 1 v or ψ 2 v If ψ 1 ψ 2 v, then ψ 1 v and ψ 2 v if ψψ v, then ψ v and ψ v if ψ v, then ψ v or ψ v if ψ 1 Uψ 2 v, then ψ 2 v or (ψ 1 v and (ψ 1 Uψ 2 ) v)) LPTL - tableau for satisfiability checking Tableau (V, E), arc consisitency condition: Given an arc (v,v ) E, if ψ v, then ψ v A node v in (V,E) is initial iti for ϕ if ϕ v. 88 LPTL - tableau for satisfiability checking CL(U) = {U, U,,,, } Examle: ( U ) tableau (V,E) V: {,, U, U} {,, U} {, } E:? {,, U} {,, U, U} {,, U} {, } {,, U, U} {,, U} {,, U} {,, U} {,} {, } 89

23 LPTL - tableau for satisfiability ψ 2 checking ϕ is satisfiable iff in (V,E), initial there is an infinite ath from an initial node for ϕ such that all until formulas are eventually satisfied; Uψ or ϕ ψ 1 ψ 2 1st there is a strong cycle connected comonent (SCC) node reachable from an initial node for ϕ such that for all until formula ψ 1 Uψ 2 in a node in the SCC, there is also a node in the SCC containing ψ 2 ; or there is a cycle reachable from an initial node for ϕ such that the for all until formulas ψ 1Uψ 2 in the first cycle node, there is also a node in the cycle 90 containing ψ 2. LPTL - tableau for satisfiability checking Please use tableau method to show that U istrue true. 1) Convert to negation: (U) 2) CL((U) ) = {(U), U, U,,,, } Pf: In each ath that is a model of (U), must always be satisfied. Thus, U is never fulfilled in the model. QED LPTL - tableau for satisfiability checking Please use tableau method to show that U isfalse false. 1) Convert to negation: (U) 2) CL((U) ) = {(U), U, U,,,, } (U) U LPTL (U) U U - tableau for satisfiability checking ϕ is satisfiable iff in (V,E), there exists ath+cycle ( CL(ϕ) +2) V CL(ϕ) flags to check the until-formulas from the first cycle node. ϕ nondeterministic PSPACE can solve it. PSPACE-comlete. initial ψ 2 ψ 1 Uψ 2 U 91 1st cycle node 93

24 CTL model-checking framework model Model Checker secification in logics,,,,,,,u Answer Yes if the model is euivalent to the secification No if not. CTL - model-checking Given a finite Krike structure M and a CTL formula φ, is M a model of φ? usually, M is a finite-state automata. PTIME algorithm. When M is generated from a rogram with variables, its size is easily exonential CTL - model-checking algorithm techniues state-sace sace exloration state-saces reresented as finite Krike structure directed grah nodes: states or ossible worlds t t t iti execute finish arcs: state transitions regular behaviors wait Krike structure - Least fixoint in modal logics Dark-night murder, strategy I: A susect will be in the 2nd round iff He/she lied to the olice in the 1st round; or He/she is loyal l to someone in the 2nd round What is the minimal solution to 2nd[]? 2nd[i] Liar[i] j i(2nd[j] Loyal-to[i,j]) Usually the state count is astronomical

25 Krike structure - Least fixoint in modal logics In a dark night, there was a cruel murder. n susects, numbered 0 through n-1. Liar[i] iff susect i has lied to the olice in the 1st round investigation. Loyal-to[i,j] iff susect i is loyal to susect j in the same criminal gang. 2nd[i] iff susect i to be in 2nd round investigation. What is the minimal solution to 2nd[]? 98 Krike structure - Greatest fixoint in modal logics In a dark night, there was a cruel murder. n susects, numbered 0 through n-1. Liar[i] iff the olice cannot rove susect i has lied to the olice in the 1st round investigation. Loyal-to[i,j] iff susect i is loyal to j are in the same criminal gang. 2nd[i] iff susect i to be in 2nd round investigation. What is the maximal solution to 2nd[]? 99 Krike structure - Greatest fixoint in modal logics Dark-night murder, strategy II A susect will not be in the 2nd round iff We cannot rove he/she has lied to the olice; and He/she is loyal to someone not in the 2nd round. What is the maximal solution to 2nd[]? 2nd[i] Liar[i] j i( 2nd[j] Loyal-to[i,j]) In comarison: 2nd[i] Liar[i] j i( 2nd[j] Loyal-to[i,j]) 2nd[i] Liar[i] j i( 2nd[j] 2 Loyal-to[i,j]) 2nd[i] Liar[i] j i(loyal-to[i,j] 2nd[j] ) 100 Safety analysis Given M and (safety redicate), do all states reachable ab e from initial states in M satisfy s? In model-checking: Is M a model of? Or in risk analysis: Is there a state reachable from initial states in M satisfy? true U 101

26 Reachability analysis: Is there a state s reachable from another state s? Encode risk analysis Encode the comlement of safety analysis Most used in real alications Krike structure - safety analysis Reachability algorithm in grah theory Given a Krike structure A = (S, S 0, R, L) a safety redicate, find a ath from a state in S 0 to a state in [ ]. Solutions in grah theory Shortest distance algorithms sanning tree algorithms Krike structure - safety analysis /* Given A = (S, S 0, R, L)*/ safety_analysis() analysis() /* using least fixoint algorithm */ { for all s, if L(s), L(s)=L(s) { }; reeat { for all s, if (s,s )( L(s )), L(s)=L(s) { }; ) } until no more changes to L(s) for any s. if there is an s 0 S 0 with L(s 0 ), return unsafe, else return safe. reeat { A notation ti for the ossibility of } The rocedure terminates since S is finite in the Krike structure. 104 Krike structure - safety analysis Least fixoint in modal logics iterative exansion 105

27 Krike structure - liveness analysis : Given a Krike structure A = (S, S 0, R, L) a liveness redicate, can be true eventually? Examle: Can the comuter be started successfully? Will the alarm sound in case of fire? Krike structure - liveness analysis Strongly connected comonent algorithm in grah theory Given a Krike structure A = (S, S 0, R, L) a liveness redicate, find a cycle such that all states in the cycle are there is a ath from a state in S 0 to the cycle. Solutions in grah theory strongly gyconnected comonents (SCC) Krike structure - liveness analysis Turn=0 L 0,L 1 (Turn=0 Turn=1) Turn=1 L 0,L 1 Turn=0 Turn=0 Turn=1 Turn=1 L 0,NC 1 NC 0,L 1 L 0,NC 1 NC 0,L 1 Turn=0 NC 0,NC 1 Turn=0 CR 0,L 1 Turn=0 CR 0,NC 1 Turn=1 L 0,CR 1 Turn=1 NC 0,CR 1 Turn=1 NC 0,NC 1 Krike structure - liveness analysis liveness() /* using greatest fixoint algorithm */ { for all s, if L(s), L(s)=L(s) { }; reeat { for all s, if L(s) and (s,s)( s )( L(s)), L(s)=L(s) - { }; } until no more changes to L(s) for any s. if there is an s 0 S 0 with L(s 0 ), return liveness not true, else return liveness true. } The rocedure terminates since S is finite in the Krike structure

28 Krike structure - liveness analysis Greatest fixoint in modal logics iterative elimination CTL model-checking The NORMAL form needed in CTL model- checking: 1. only modal oerators φ, ψ 1 Uψ 2, φ 2. No modal oerators φ, ψ 1 Uψ 2, φ, φ, φ 3. No double negation: φ 4. No imlication: ψ 1 ψ CTL - model-checking algorithm (1/6) Given M and φ, 1. Convert φ to NORMAL form. 2. list the elements in Cl (φ) according to their sizes φ 0 φ 1 φ 2 φ n for all 0 i<j n,φφ j is not a subformula ofφ i See 2. for i=0 to n, next label (φ i ) age! 3. for all initial states s 0 of M, if φ L(s 0 ), return `No! 4. return `Yes! CTL - model-checking algorithm (2/6) label(φ ) { case, return; case φ, for all s, if φ L(s), L(s) = L(s) { φ} caseφ ψ, for all s, ifφ L(s) orψ L(s), L(s)=L(s) {φ ψ} ( ) case φ, for all s, if (s,s ) with φ L(s ), L(s)=L(s) { φ} L(s) { φ} case ψ 1 Uψ 2, lf(ψ 1, ψ 2 ); case φ, gf(φ); }

29 CTL - model-checking algorithm (3/6) lf(ψ 1, ψ 2 ) /* least fixoint algorithm */ { } for all s, if ψ 2 L(s), ) L(s)=L(s) { ψ ) 1 Uψ 2 }; reeat { for all s, if ψ 1 L(s) and (s,s )( ψ 1 Uψ 2 L(s )), L(s)=L(s) { ψ ) 1 Uψ 2 }; } until no more changes to L(s) for any s. The rocedure terminates since S is finite in the Krike structure. CTL - model-checking algorithm (4/6) Least fixoint in modal logics iterative exansion ψ 1 ψ 1 ψ 1 ψ 1 ψ 1 ψ CTL - model-checking algorithm (5/6) gf(ψ) /* greatest fixoint algorithm */ { for all s, if ψ L(s), L(s)=L(s) { ψ }; reeat { for all s, if ψ L(s) and (s,s )( ψ L(s )), L(s)=L(s) - { ψ }; } until no more changes to L(s) for any s. } The rocedure terminates since S is finite in the Krike structure. CTL - model-checking algorithm (6/6) Greatest fixoint in modal logics iterative elimination ψ ψ ψ ψ ψ ψ ψ ψ ψ ψ

30 ( U) Labeling funciton: label the subforumulae true in each state. ( U) Evaluating U using least fixoint Iteration 0,, Iteration 0 U U ( U) Evaluating U using least fixoint Iteration 1 U Iteration 1 ( U) Evaluating U using least fixoint Iteration 2 Iteration 2 U Iteration 1 U, U Iteration 0 U, U Iteration 0 U

31 ( U) Evaluating U U U U UU U ( U) Evaluating using greatest fixoint Iteration 0 U U U U U, U U U U, U U Iteration 0 U U ( U) Evaluating using greatest fixoint Iteration 1 U U U Iteration 1 U U ( U) Evaluating using greatest fixoint Result: U U U U U, U U Iteration 0 U U, U U U U

32 ( U) Finally, evaluating g( ( U) Workout: labelling ll ( ) ) U, U U, ( U), U U, ( U), U U U U, CTL - model-checking roblem comlexities The PLTL model-checking roblem is PSPACE- comlete. definition: Is there a run that satisfies the formula? The PLTL without (modal oerator next ) model-checking roblem is NP-comlete. The model-checking groblem of CTL is PTIME- comlete. The model-checking roblem of CTL* is PSPACEcomlete. CTL - symbolic model-checking with BDD System states are described with binary variables. n binary variables 2 n states x 1, x 2,..., x n we can use a BDD to describe legal states. a Boolean function with n binary variables state(x 1, x 2,..., x n )

33 CTL - symbolic model-checking with Proositioal oa logics Examle: x 1 x 2 x CTL - symbolic model-checking with Proositioal oa logics State transition relation as a logic funciton with 2n arameters transition(x 1, x 2,..., x n, y 1, y 2,..., y n ) state(x 1, x 2, x 3) = (x 1 x 2 x 3) ( x 1 x 2 x 3 ) ( x 1 x 2 x 3 ) x 1, x 2,..., x n y 1, y 2,..., y n CTL - symbolic model-checking with Proositioal oa logics CTL - symbolic model-checking with Proositioal logics x 1 x 2 x 3 y 1 y 2 y Path relation also as a logic funciton with 2n arameters reach(x 1, x 2,..., x n, y 1, y 2,..., y n ) transition(x 1, x 2, x 3, y 1, y 2, y 3 ) = (x 1 x 2 x 3 y 1 y 2 y 3 ) ( x 1 x 2 x 3 y 1 y 2 y 3 ) ( xx 1 x 2 x 3 yy 1 yy 2 y 3 ) 132 x 1, x 2,..., x n y 1, y 2,..., y n 133

34 CTL - symbolic model-checking with Proositioal logics x 1 x 2 x 3 y 1 y 2 y reach(x 1, x 2, x 3, y 1, y 2, y 3 ) = (x 1 x 2 x 3 y 1 y 2 y 3 ) (x 1 x 2 x 3 yy 1 yy 2 yy 3 ) ( x 1 x 2 x 3 y 1 y 2 y 3 ) ( x 1 x 2 x 3 y 1 y 2 y 3 ) ( x 1 x 2 x 3 y 1 y 2 y 3 ) ( x 1 x 2 x 3 y 1 y 2 y 3 ) 134 Symbolic safety analysis I : initial condition with arameters x, x 2,..., x n : safe condition with arameters y 1, y 2,..., y n If I reach(x 1, x 2,..., x n, y 1, y 2,..., y n ) is not false, a risk state is reachable. the system is not safe. 135 Symbolic safety analysis (backward) Encode the states with variables x 0,x 1,,x n. 0, 1,, n the state set as a roosition formula: s(x 0,x 1,,x n ) the risk state set as r (x 0,x 1,,x n ) change all umrimed variable in b k-1 to rimed. the initial state set as i(x 0,x 1,,x n ) the transition set as t(x 0,x 1,,x n,x 0,x 1,,x n ) b 0 = r(x 0,x 1,,x n ) s(x 0,x 1,,x n ); k = 1; reeat b k = b k-1 x 0 x 1 x n n( (t(x( 0,x 1,,x, n,x 0 0,,x 1 1,,,x, n n) ) (b k-1 )); k = k +1; a least fixoint rocedure until b k b k-1 ; if (b k i(x 0,x 1,,x n )) false, return safe ; else return risky ; 136 Krike structure -symbolic safety analysis states: s(x,y,z) ( x y z) ( x y z) ( x y z) ( x y z) (x y ) ( z) (x y ) ( z) ) ( x) (x y) initial state: i(x,y,z) x y z risk state: r(x,y,z) x y z 137

35 Krike structure -symbolic safety analysis transitions: T(x,y,z,x,y,z ) ( x y z x y z ) ( x y z x y z ) ) ( ) ( x y z x y z ) ( x y z x y z ) ( x y z x y z ) ( x y z x y z ) Symbolic safety analysis (backward) b 0 =r(x,y,z) x y z b 1 = b 0 x y z (t(x,y,z,x,y,z ) b 0 ) =(x y z) x y z (t(xyzx y z(t(x,y,z,x,y y,z) z ) x y z ) z) = (x y z) x y z ((( x y z) ( x y z)) x y z ) = (x y z) ( x y z) ( x y z) ) ( ) ( ) b 2 = b 1 x y z (t(x,y,z,x,y,z ) b 1 ) = ( x y z) (x y z) ( x y z) ( x y z) fixoint b 3 = b 2 x y z (t(x,y,z,x,y,z ) y ( (,, ) b 2 ) ) = ( x y z) ( x y z) (x y z) ( x y z) ( x y z) b 4 =b 3 x y z (t(xyzx y z(t(x,y,z,x,y y,z) z ) b 3 ) = ( x y z) ( x y z) (x y z) ( x y z) ( x y z) b 4 i(x,y,z) = ( x y z) non-emty intersection with the initial condition risk detected. 139 Symbolic safety analysis (backward) One assumtion for the correctness! Two states cannot be with the same roosition labeling. Otherwise, the collasing of the states may cause roblem. may need a few roositions for the names of the states.,, r, Symbolic safety analysis (forward) Encode the states with variables x 0,x 1,,x n. 0, 1,, n the state set as a roosition formula: s(x 0,x 1,,x n ) the risk state set as r (x 0,x 1,,x n ) change all rimed variable to umrimed. the initial state set as i(x 0,x 1,,x n ) the transition set as t(x 0,x 1,,x n,x 0,x 1,,x n ) f 0 = i(x 0,x 1,,x n ) s(x 0,x 1,,x n ); k = 1; reeat f k = f k-1 ( x( 0 x 1 x n n( (t(x( 0,x 1,,x, n,x 0 0,,x 1 1,,,x, n n) ) f k-1)) )) ; k = k +1; until f k f k-1 ; if (f k r(x 0,x 1,,x n )) false, return safe ; else return risky ;

36 Symbolic safety analysis (forward) f 0 =i(x,y,z) x y y z f 1 = f 0 ( x y z(t(x,y,z,x,y,z ) f 0 )) =( x y z) ( x y z(t(xyzx ( x y z(t(x,y,z,x,y y,z) z ) x y z)) = ( x y z) ( x y z( x y z x y z)) = ( x y z) ( x y z ) ) ( ) = ( x y z) ( x y z) = x y fixoint f 2 = f 1 ( x y z(t(x,y,z,x,y,z ) f 1 ) = ( x y) ( x y z) f 3 = f 2 ( x y z(t(x,y,z,x,y,z ) f 2 ) = ( y) ( x y z) 3 2 ( y ( (,y,,,y, ) 2) ( y) ( y ) f 4 = f 3 ( x y z(t(x,y,z,x,y,z ) f 3 ) = ( y) ( x y z) f 4 r(x,y,z) = (( y) ( x y z)) (x y z) = (x y z) Bounded model-checking non-emty intersection with the risk condition risk detected. f 0 =i(x,y,z) x 0 yy 0 z 0 f 1 = t(x 0,y 0,z 0,x 1,y 1,z 1 ) f 0 = x 0 y 0 z 0 x 1 y 1 z 1 f 2 = t(x 1,y 1,z 1,x 2,y 2,z 2 ) f 1 = x 0 y 0 z 0 x 1 y 1 z 1 (( x 2 y 2 z 2 ) ( x 2 y 2 z 2 )) f 3 = t(x 2,y 2,z 2,x 3,y 3,z 3 ) f 2 = x 0 y 0 z 0 x 1 y 1 z 1 ( ( x 2 y 2 z 2 x 3 y 3 z 3 ) ( x( 2 yy 2 z 2 ((x 3 yy 3 z 3 ) (x 3 yy 3 z 3 ))) ) = xx 0 yy 0 zz 0 xx 1 yy 1 z 1 (( x 2 y 2 z 2 x 3 y 3 z 3 ) ( x 2 y 2 z 2 x 3 y 3 )) f 3 r(x 3,y 3,z 3 ) = (x 3 y 3 z 3 ) Bounded model-checking The value of x n at state k. Encode the states with variables x 0k 0,k,,x 1k 1,k,,x, nk n,k. the state set as a roosition formula: s(x 0,k,x 1,k,,x n,k ) the risk state set as r(x 0,k,x 1,k,,x n,k ) the initial state set as i(x 0,0,x 1,0,,x n,0 ) the transition set as t(x 0,k-1,x 1,k-1,,x n,k-1,x 0,k,x 1,k,,x n,k ) f 0 = i(x 0,0,x 1,0,,x n,0 ) s(x 0,0,x 1,0,,x n,0 ); k = 1; reeat f k = t(x 0,k-1,x 1,k-1,,x n,k-1,x 0,k,x 1,k,,x n,k ) f k-1 ; k=k+1; k until f k r(x 0,k,x 1,k,,x n,k ) false Symbolic liveness analysis Encode the states with variables x0,x1,,xn.,, When to sto? 1. diameter of the state grah 2. exlosion u to tens of stes. the state set as a roosition formula: s(x 0,x 1,,x n ) the non-liveness state set as b(x 0,x 1,,x n ) change all the initial state set as i(x 0,x 1,,x n ) umrimed the transition set as t(x 0,x 1,,x n,x 0,x 1,,x n ) to rimed. b 0 = b(x 0,x 1,,x n ) s(x 0,x 1,,x n ); k = 1; reeat b k = b k-1 x 0 x 1 x n n( (t(x( 0,x 1,,x, n,x 0 0,,x 1 1,,,x, n n) ) b k-1 ); k = k +1; 143 variable in b k-1 until b k b k-1 ; if (b k i(x 0,x 1,,x n )) false, return live ; else return not live ; 145

37 Krike structure -symbolic liveness analysis 101 Krike structure -symbolic liveness analysis states: s(x,y,z) ( x y z) ( x y z) ( x y z) ( x y z) (x y ) ( z) (x y ) ( z) ) ( x) (x y) initial state: i(x,y,z) x y z non-liveness state: b(x,y,z) ( x) (x y z) 146 transitions: T(x,y,z,x,y,z ) ( x y z x y z ) ( x y z x y z ) ) ( ) ( x y z x y z ) ( x y z x y z ) ( x y z x y z ) ( x y z x y z ) 147 Symbolic liveness analysis b0 = b(x,y,z) ( x) (x y ( z) ) b1 = b0 x y z (T(x,y,z,x,y,z ) b0 ) =(( x) (x y z)) x y z (T(x,y,z,x,y,z ) (( x ) (x y z ))) = (( x) (x y ( z)) x y z ( (( x y z) ( x y z) ( x y z)) (( x ) (x y z ))) = ( x y z) ( x y z) ( x y z) b2 = b1 x y z (T(x,y,z,x,y,z ) b1 ) = ( x y z) ( x y z) b3 = b2 x y z (T(x,y,z,x,y,z ) b2 ) = ( x y z) ( x y z) ( x y fixoint non-emty intersection with the initial condition non-liveness detected. 148 CTL - symbolic model-checking algorithm Assume rogram with rules r 1, r 2,, r n label(φ ){ case, return ; case φ, return label(φ); case φ ψ, return label(φ) label(ψ), case φ, return i=n red(r i, label(φ)); case ψ 1 Uψ 2, return lf(l abel(ψ 1 ), label(ψ l( 2 )) ); case φ, return gf(label(φ)); } 149

38 Symbolic model-checking - with real-world rograms Consider guarded commands with modes (GCM) Guard Actions Guard is a roositional formula of state variables. Actions is a command of the following syntax. C ::= ACT {C} C C if (B) C else C while (B) C ACT ::= ; goto name; x = E ; Guarded commands with modes (GCM) 1: w = 0; 2: x = 0; 3: y = z*z; 4: while (x < y) { 5: w=w+x*z; w 6: x = x + 1; 7: } 8: if (w > z*z*z) zz) w = z*z*z; zz; rogram guarded commands (c==1) w = 0; c=2; (c==2) x = 0; ; c=3; (c==3) y = z*z; c=4; (c==4&&x>=y) c=8; (c==4&&x < y) c=5; (c==5) w=w+x*z; w+x c=6; (c==6) x=x+1; c=4; (c==8) if (w>z*z*z) z z) w= z*z*z; zz; A state-transition t t - reresented as a GCM 8 rules in total: (a1) w = 0; goto a2; (a2) x = 0; goto a3; (a3) y = z*z; goto a4; (a4&&x>=y) goto a8; (a4&&x < y) goto a5; (a5) w=w+x*z; goto a6; (a6) x=x+1; x goto a4; (a8) if (w>z*z*z) w= z*z*z; } A state-transition transition - reresented as a GCM (a3)y = z*z; a1 (a1)w = 0; a3 (a2)x = 0; a2 (a6)x= x+1; a4 a5 a6 (a4 x<y); (a4 x>=y); (a5)w = w+x*z; a8 (a8)if(w>z*z*z)w = z*z*z; a

39 Transition relation - from state-transition grahs Given a set of rules r 1, r 2,, r m of the form r k : (τ k ) y k,0 =d 0 ; y k,1 =d 1 ; ; y k,nk =d nk ; t(x 0,x 1,,x n,x 0,x 1,,x n ) k [1,m] ( τ k y k,0 ==d 0 y k,1 ==d 1 y k,nk ==d nk h [1,n] (x h {y k,0, y k,1,, y k,nk }=>x h == x h ) ) Transition relation from GCM rules. Given a set of rules for X={x,y,z} r 1 : (x<y&& y>2) y=x+y; x=3; r 2 : (z>=2) y=x+1; z=0; r 3 : (x<2) x=0; t(x 0,x 1,,x n,x 0,x 1,,x n ) (x<y y>2 y ==x+y y x ==3 z ==z) z) (z>=2 y ==x+1 z ==0 x ==x) (x<2 x ==0 y ==y z ==z) Transition relation - from state-transition grahs In gneral, transition relation is exensive to construct. Can we do the following state-sace construction x 0 x 1 x n (t(x 0,x 1,,x n,x 0,x 1,,x n ) (b k-1 )) directly with the GCM rules? Yes, on-the-fly state sace construction. 156 On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form r k : (τ k ) y k,0 =d 0 ; y k,1 =d 1 ; ; y k,nk =d nk ; x 0 x 1 x n (t(x 0,x 1,,x n,x 0,x 1,,x n ) (b )) k [1,m] (τ k ) y k,0 y k,1 y k,nk (b h [0,nk] y k,h ==d h ) However, GCM rules are more comlex than that. 157

40 On-the-fly recondition calculation with GCM rules. Given a set of rules for X={x,y,z} r 1 : (x<y&& y>2) y=z; x=3; r 2 : (z>=2) y=x+1; z=7; r 3 : (x<2) z=0; x 0 x 1 x n (t(x 0,x 1,,x n,x 0,x 1,,x n ) (x<4 z>5) ) (x<y y>2 y x( x<4 z>5 y==z x==3)) (z>=2 y z( x<4 z>5 y==x+1 z==7)) (x<2 2 z( x<4 z>5 z==0)) (x<y y>2 z>5) (z>=2 x<4) (x<2 z(false)) (x<y y>2 z>5) (z>=2 2 x<4) On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form r k : (τ k ) s k ; B 158 On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form r k : (τ k ) s k ; x 0 x 1 x n (t(x 0,x 1,,x n,x 0,x 1,,x n ) (b )) k [1,m] (τ k re(s k,b ))) recondition rocedure What is re(s,b)? A GCM statement A general roositional formula On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form r k : (τ k ) s k ; 159 What is re(s,b)? new exression obtained from b by relacing every occurrence of x with E. What is re(s,b)? new exression obtained from b by relacing every occurrence of x with E. re( x = E;, b) b[x/e] Ex 1. the recondition to x=x+z; (x==y+2 x<4 z>5) [x/x+z] x+z==y+2 x+z<4 z>5z>5 Ex 2. the recondition to x=5; (x==y+2 x<4 z>5) [x/x+z] 5==y+2 5<4 z>5 Ex 3. the recondition to x=2*x+1; (x==y+2 x<4 z>5) [x/x+z] 2*x+1==y+2 2*x+1<4 z>5 160 re( x = E;, b) b[x/e] Ex. the recondition to x=x+z; (x==y+2 x<4 z>5) [x/x+z] re(s 1 s 2,b) re(s 1, re(s 2,b)) x+z==y+2 x+z<4 z>5 re(if (B) s 1else s 2 2) (B re(s ( 1, b)) ( B re(s ( 2,b)) re(while (B) s, b). 161

41 On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form What is re(s,b)? r k : (τ k ) s k ; re(while (B) s, b) formula L 1 L 2 for L 1 : those states that reach B b with finite stes of s through states in B; and L 2 : those states that never leave B with stes of s. On-the-fly recondition calculation with GCM rules. L 1 : those states that reach B b with finite stes of s through states in B w 0 = B b; k = 1; reeat also a least fixoint rocedure w k = w k-1 (B re(s, w k-1 )); k = k +1; until w k w k-1 ; return w k ; w 0 = B b; k = 1; Precondition to b reeat through while (B) s; k = k +1; Examle: b x==2 y == 3 while ( x < y) x = x+1; L1 comutation. w k = w k-1 (B re(s, w k-1 )); until w k w k-1 ; return w k ; w 0 x>=y x==2 y==3 false ; k = 1; w 1 false (x<y re(x=x+1, ( false)); false (x<y false); false; 164 On-the-fly recondition calculation with GCM rules. Given a set of rules r 1, r 2,, r m of the form re(while (B) s, b) L 2: those states that never leave B with stes of s. w 0 = B; k = 1; reeat a greatest fixoint rocedure w k = w k-1 re(s, (, w k-1); k = k +1; until w k w k-1 ; return eu w k k; 165

42 w 0 = B; k = 1; Precondition to b reeat through while (B) s; k = k +1; Examle: while ( x<y && x>0) x = x+1; L2 comutation. w 0 x<y x>0 ; k = 1; w k = w k-1 re(s, w k-1 ); until w k w k-1 ; return w k ; w 0 = B; k = 1; Precondition to b reeat through while (B) s; k = k +1; Examle: while ( x>y && x>0) x = x+1; L2 comutation. w 0 x>y x>0 ; k = 1; w k = w k-1 re(s, w k-1 ); until w k w k-1 ; return w k ; w 1 x<y x>0 re(x=x+1, x<y x>0) x<y x>0 x+1<y x+1>0 +1>0 x>0 x+1<y w 2 x+1<y x>0 re(x=x+1, x x+1<y x>0) x+1<y x>0 x+2<y x+1>0 x>0 x+2<y non-terminating for algorithms and rotocols! 166 w 1 x>y x>0 re(x=x+1, x>y x>0) x>y x>0 >0 x+1>y x+1>0 +1>0 x>y x>0 terminating for algorithms and rotocols! 167 w 0 = B b; k = 1; Precondition to b reeat through while (B) s; k = k +1; Examle: b x==2 y==3 while ( x>y && x>0) x = x+1; L1 comutation. w k = w k-1 (B re(s, w k-1 )); until w k w k-1 ; return w k ; w 0 (x<=y x<=0) x==2 y==3 x==2 y==3; w 1 (x==2 y==3) (x>y x>0 re(x=x+1,x==2 y==3)); (x==2 y==3) (x>y x>0 x==1 y==3); (x==2 y==3) false x==2 y==3 168 Symbolic weakest recondition Assume rogram with rules x=3 y=6 x:=2; z:=7;? x=3 y=6 x:=2; z:=7; x, y, z are discrete variables with range declarations What is the weakest recondition of for those states before the transitions? 169

43 Symbolic weakest recondition Assume rogram with rules r: x=3 y=6 x:=2; z:=7;? x=3 y=6 x:=2; z:=7; What is the weakest recondition of for those states before the transitions? re(r, (,) x=3 y=6 x z(x=2 z=7 ) Symbolic liveness analysis - with Krike structures as rograms Assume rogram with rules r 1, r 2,, r n What is the charcterization of all states that may not reach? gf (φ) /* for φ */{ I gf( ) Z := false; Z:= φ; while (Z Z ) { Z := Z; Z:= φ i=n red(r i, Z); } return (Z); } Initial condition 170 negative liveness redicate 172 Symbolic safety analysis - with Krike structures as rograms Assume rogram with rules r 1, r 2,, r n What charcterizes all states that can reach? lf (φ, ψ) /* for φuψ*/ { } Z := false; Z:= ψ; while (Z Z ) Z) { Z := Z; Z := Z (φ i=n red(r i, Z)); } return (Z); I lf(true, ) false Initial condition Bisimulation Framework Design imlementation model Model construction Model Checker secification risk redicate 171 Answer Yes if the model is euivalent to the secification No if not. 173

44 Bisimulation-checking Bisimulations K = (S, S 0, R, AP, L) K = K= (S, S 0, R, AP, L) L ) Note K and K use the same set of atomic roositions AP. B S S is a bisimulation relation between K and K iff for every B(s, s ): L(s) = L (s ) (BSIM 1) If R(s, s 1 ), then there exists s 1 such that R (s, s 1 ) and B(s 1, s 1 ). (BISIM 2) If R(s, s 2 ), then there exists s 2 such that R(s, s 2 ) and B(s 2, s 2 ). (BISIM 3) s 1 s s K K Bisimulations Bisimulations s s s s s 1 s 1 K K 1 K K s

45 Bisimulations Examles s s s 2 s 2 K K Examles Examles.. Unwinding reserves bisimulation r s r s r s

46 Examles Examles r s r s r s r s r s r s Examles Examles r s r s r s r s r s r s

47 Examles Examles r s r s r s r s r s r s Bisimulations The Preservation Proerty. K = (S, S 0, R, AP, L) K = (S, S 0, R, AP, L ) K and K are bisimilar (bisimulation euivalent) iff there exists a bisimulation relation B S S between K and K such that: For each s 0 in S 0 there exists s 0 in S 0 such that B(s 0, s 0 ). For each s 0 in S 0 there exists s 0 in S 0 such that B(s 0, s 0 ). K = (S, S 0, R, AP, L) K = (S, S 0, R, AP, L ) B S S, a bisimulation. Suose B(s, s ). FACT: For any CTL formula ψ (over AP), K,sψ iff K,s ψ. If K is smaller than K this is worth something

48 Simulation Framework Simulation-checking Design imlementation model Model construction Model Checker secification Answer Yes if the model satisfies the secification No if not. K = (S, S 0, R, AP, L) K = (S, S 0, R, AP, L ) Note K and K use the same set of atomic roositions AP. B S S is a simulation relation between K and K iff for every B(s, s ): L(s) = L (s ) (BSIM 1) If R(s, s 1 ), then there exists s 1 such that R (s R(s, s 1 ) and B(s 1, s 1 ). (BISIM 2) Simulations Bisimulation Quotients K = (S, S 0, R, AP, L) K = (S, S 0, R, AP, L ) K is simulated by (imlements or refines) K iff there exists a simulation relation B S S between K and K such that for each s 0 in S 0 there exists s 0 in S 0 such that B(s 0, s 0 ). K = (S, S 0, R, AP, L) There is a maximal simulation B S S. Let R be this bisimulation. [s] = {s s R s }. R can be comuted easily.. K = K / R is the bisimulation uotient of K

49 Bisimulation Quotient Examles K = (S, S 0, R, AP, L) [s] = {s s R s }. K = K / R = (S, S 0, R, AP,L ). S = {[s] s 2 S} S 0 = {[s 0 ] s 0 2 S 0 } R = {([s], [s ]) R(s 1, s 1 ), s 1 [s], s 1 [s ]} L ([s]) = L(s). r s r Examles Examles r s r r s

50 Facts About a (Bi)Simulation The emty set is always a (bi)simulation If R, R are (bi)simulations, so is R U R Hence, there always exists a maximal (bi)simulation: Checking if DB 1 =DB 2 : comute the maximal bisimulation R, then test (root(db 1 ),root(db 2 )) in R Krike structure - bisimulation-checking /* Given model A = (S, S 0, R, L), sec. A =(S, S 0, R, L ) */ Bisimulation-checking(A,A ) /* using greatest fixoint algorithm */ { Let B={(s,s ) s S, s S, L(s)=L (s )} ; reeat { B = B - {(s,s ) (s,s ) B, (s,t) R (s,t ) R ((t,t ) B)}; B=B B - {(s,s) s ) (s,s) B, s ) B (s t ) R (s,t) R((t,t) B)}; t ) B)}; } until no more changes to B. if there is an s 0 SS 0 with s 0 S 0 ((s 0,s 0 ) B), return no simulation, if there is an s 0 S 0 with s 0 SS 0 ((s 0,s 0 ) B), return no simulation, else return simulation exists. } Krike structure - simulation-checking /* Given model A = (S, S 0, R, L), sec. A =(S, S 0, R, L ) */ Simulation-checking(A,A ) /* using greatest fixoint algorithm */ { Let B={(s,s ) s S, s S, L(s)=L (s )} ; reeat { B = B - {(s,s ) (s,s ) B, (s,t) R (s,t ) R ((t,t ) B)}; } until no more changes to B. if there is an s 0 S 0 with s 0 S 0 ((s 0,s 0 ) B), return no simulation, else return simulation exists. } The rocedure terminates since B is finite in the Krike structure. t (Bi)Simulation -comlexities Bisimulation: O((m+n)log(m+n)) Simulation: O(m n) In contrast, finding a grah homeomorhism is NP-comlete

51 Symbolic simulation-checking Encode the states with variables x 0,x 1,,x n (for the model) and y 0,y 1,, y m. (for the sec.) Usually there are shared variables between {x 0,x 1,,x n } and {y 0,y 1,, y m }. L(s)=L (s ) means that the shared variables are of the same values. the state sets as roosition formulas: s(x 0,x 1,,x n ) & s(y 0,y 1,,y m ) the initial state set as i(x 0,x 1,,x n ) & i'(y 0,y 1,,y m ) the transition set as R(x 0,x 1,,x n,x 0,x 1,,x n ) & R (y 0,y 1,,y n,y 0,y 1,,y n ) Symbolic simulation-checking B 0 = L(x0,x1,,xn) =L(y0,y1,,ym) s(x 0,x 1,,x n ) s(y 0,y 1,,y m ); for (k = 1, B 1 = false; B k B k-1 ;k=k+1) k B k = B k-1 x 0 x 1 x n ( R(x 0,x 1,,x n, x 0,x 1,,x n ) y 0 y 1 y m ( R (y 0,y 1,,y m, y 0,y 1,,y m ) (B k-1 ) ) ) ; h if (i(x 0,x 1,,x n ) y 0 y 1 y m (B k )), return no simulation ; else return a simulation exists ; change all umrimed variable in B k-1 to rimed Symbolic simulation-checking - an examle sec model {x,y} sec {x,y,z} Symbolic simulation-checking - an examle sec model {x,y} sec {x,y,z} s(x,y) true, s (x,y,z) z ( x y z) i(x,y) x y, i (x (x,y,z) yz) x y z R(x,y,x,y ), R (x,y,z,x,y,z ) R(x,y,x,y ) ( x y x y ) y ( x y x y ) ( y y) ( x y x y ) (x y x y ) (x y x y ) R (x,y,z,x,y,z ) y ( x y z x y ) y ( x y z x y z ) ( x y z x y z ) (x y z x y z ) (x y z x y z )

52 Symbolic simulation-checking - an examle B 0 = s(x,y) s (x,y,z) = z ( x y z) B 1 =( ( z ( x y z)) ( z)) x y ( (( x y x y ) ( x y x y ) ( x y x y ) (x y x x y) y ) (x y x y) y ) ) x y z y z ( ( ( x y z x y ) ( x y z x y z ) y z) ( x y z x y z ) z) (x y z x y z ) (x y z x y z ) ) ( z ( x y z )) z )) = ( z ( x y z)) x y ((( x y z x y ) ( x y x y ) (x y ( y z x y ) y) (x y( y z x y ))) y))) = ( z ( x y z)) (( x y z) ( x y) (x y z) (x y z)) 206 Symbolic simulation-checking - an examle B 1 = ( z ( x y z)) (( x y z) ( x y) (x y z) (x y z)) =( ( z ( x y z)) ( z)) (( x y x y z) ( x y) (x y ( x (x y z) (x y y z)) = ( z ( x y z)) (z ( x y z)) =( ( z ( x y z)) (z) ( x y( z) = ( z ( x y z)) (z) ( x y z) =( x y z) (x y z) (x y z) 207 Symbolic simulation-checking - an examle B 2 = ( ( x y z) (x y z) (x y z) ) x y ( (( x y x y ) x y ) ( x y x y ) ( x y x y ) ( x y x y ) (x y x y ) (x y x y ) ) x y z ( ( ( x y z x y ) y ( x y z x y z ) ( x y z x y z ) (x y z x y y z ) z) (x y z x y z ) y z) ) (( x y z ) (x y z ) (x y z )) )) = (( x y z) (x y z) (x y z)) x y y ( (( x y x y ) (x y z x y ) (x y z x y ))) = (( x y z) (x ( y z) (x y y z)) (( x y) (x y z) (x y z))) ( y ) ( y ))) Symbolic simulation-checking - an examle B 2 =(( (( x y z) (x (x y z) (x y y z)) (( x y) (x y z) (x y z))) x (x y (x y z))) = (x y z) (x y z) Here, the initial stateair has been elimianted