p,egp AFp EFp ... p,agp

Transcription

1 TUESDAY, Session 2 Temoral logic and model checking, cont 1 Branching time and CTL model checking In a branching time temoral logics, we consider not just a single ath through the Krike model, but all ossible aths emanating from agiven state [1, 2] Path quantiers A ath quantier indicates whether a given formula alies to all all ossible aths from a given state or to some ossible ath: Note that A :E: M s i j= A i for all aths = s1 s2 :::: j= M s i j= E i for some aths = s1 s2 :::: j= The temoral logic CTL In the temoral logc CTL, every temoral oerator F, G, X, or U receded by a ath quantier Some CTL modalities and their interretations: is immediately AG AF EF EG \globally " \inevitably " \ossibly " \?",AG AF EF,EG Note the following dualities: AG :EF: AF :EG: 1

2 Other CTL oerators: AX EX A( Uq) E( U q) Examle: some secications for the mutual exclusion rotocol AG:(C1 ^ C2) AG(T1 ) AF C1) AG(N1 ) EX T1) mutual exclusion liveness non-blocking Note the last can't be stated in PLTL 11 CTL model checking Suose we have already labeled the set of states satisfying the roosition To label the set of states satisfying AF : 1 If any state s is labelled with, label it with AF ==>, AF 2 Reeat label any state AF if all successors labeled AF AF AF AF ==> AF AF AF AF until no change 3 Label all states with :AF if not labeled AF Now the truth value of AF in every state is known So AF can be treated as an atomic roosition while checking, for examle AG AF That is, model checking rocedes from smaller subformulas to larger subformulas Algorithms for the other oerators AG EF EG AX EX A( U q) E( U q) are similar 2

3 Comlexity is O(fV(V + E)) where { f is the number of oerators in the formula { V is the number of states { E is the number of transitions since each oerator terminates after at most V asses over the state grah Examle: checking AG(T1 ) AF C1) for the mutual exclusion rotocol \always, if [1] trying then inevitably [1] critical" 1 label grah with AF C1 2 label every state T1 ) AF C1 if T1 is false or C1 is true 3 OK, if all states labeled T1 ) AF C1 Result of labeling state grah with AF C1 (numbers in [] indicate on which ass the state was labeled) N1,N2 turn=0 [3] T1,N2 turn=1 N1,T2 turn=2 C1,N2 T1,T2 turn=1 turn=1 [1] [2] C1,T2 turn=1 [1] T1,T2 turn=2 [5] T1,C2 turn=2 [4] N1,C2 turn=2 In every state, if T1 is true, then AG C1 is true, hence AG AF C1 is true in the initial state A more ecient algorithm (Clarke/Emerson/Sistla) { First note, all formulas can be exressed using only EX, EU, EG eg AG :EF: { E( U ) case: backward breadth-rst search { EG case: restrict grah to states satisfying nd maximal strongly connected comonents use BFS to nd any state that can reach an SCC 3

4 states satisfying =EG SCC SCC SCC This algorithm is O(f(V + E)) (ie linear in both formula size and model size) 12 Examle: the ABP revisited M lossy chan inut I sender S lossy chan A recvr R outut O We construct a very abstract model, ignoring message data and considering only sequence numbers The sender rocess S :: in ctr, ack ctr : 01, initially 0 [ in ctr = ack ctr ) I?data() in ctr := in ctr + 1mod2 2 in ctr 6= ack ctr ) M!msg(in ctr) 2 A?ack(ack ctr) ]* the message channel (note, ack channel is similar) M :: ctr : 01, initially 0 [ S?msg(ctr) [ R!msg(ctr) 2 ski] ]* the receiver rocess 4

5 R:: rcv ctr, out ctr : 01, initially 0 [ M?msg(rcv ctr) [ out ctr 6= rcvctr ) O!data() out ctr := rcv ctr] A!ack(rcv ctr) ]* Verifying the model Generate Krike model from rogram text Exress secications in CTL Note: in the following, atomic rositions like (PmsgQ) will be used to denote \P sends msg to Q" These are roerly transition labels and not state labels However, this roblem is usually solved by using the \transition grah", where every transition becomes a state { No dulicaiton of messages (and no buering) in before out (:(R data O) W (I data S)) safe in before out ^ AG((R data O) ) AXin before out) { liveness { every time a message is inut one is eventually outut live AG((I data S) ) AF (R data O)) When checking live, the model checker roduces a counterexamle like the following: I-->S S-->M (M loses message) That is, an innite loo in the state grah, where every message is lost by the M channel Fairness assumtions We want to verify the model assuming the channels do not lose messages forever In PLTL, we could exress this assumtion as follows: M fair (GF (SmsgM) ) GF (MmsgR)) 5

6 We could then verify that M fair ^ A fair ) live As we will see, however, model checking for PLTL has exonential comlexity in the formula size Using many fairness constraints in this way would therefore be imractical Suose we try translating M fair ^ A fair ) live into CTL In general if there is a CTL equivalent of an LTL formula it is obtained by adding A ath quantier to every oerator For examle, M fair becomes M fair 0 (AGAF S msg M) ) (AGAF M msg R) This, however, is simly false in every state Therefore is trivially true M fair ^ A fair ) live In general, we can't exress fairness constraints directly in CTL CTL with fairness constraints A simle fairness constraint is a formula of the form GF, where is a state formula In a model with fairness constraints, ath quantiers aly only to aths satisfying all fairness constraints: M s i j= A f i for all fair aths = s1 s2 :::: j= M s i j= E f i for some fair aths = s1 s2 :::: j= where we us A f and E f to indicate the fair interretation For examle, under the fairness constraint AG, A f F q A(GF ) Fq) Model checking under fairness constraints ^ni=1 n { A state is fair (is the start of some fair ath) i it satises E f G true { E f (U q) E( U (q ^ E f G true)) 6

7 { Algorithm for E f G: restrict the state grah to states satisfying nd the SCC's remove an SCC if it does not contain astatesatisfying each i use BFS to nd any state that can reach a (fair) SCC states satisfying =EG o3 SCC o1 o2 Comlexity of this algorithm: O(f(V + E)n) (ie, still linear) Fairness constraints for ABP { A simle fairness constraint: GF ((MmsgR)) is sucient to make the \live" secication true, but this is too strong an assumtion (ie, what if the sender stos sending?) { A Streett fairness constraint GF (SmsgM) ) GF (MmsgR) is a weaker assumtion (but erhas still not justied, in case the reciever in- nitely blocks recetion of messages) CTL formulas under Streett fairness constraints can be veried in time O(f(V + E)n 2 ) A yet weaker set of assumtions might be GF EX(MmsgR) ) GF (MmsgR) GF EX(R data O) ) GF (R data O) (the latter is to eliminate the case where the recvr receives a msg and then forever blocks further recetions while the M channel innitely loses messages) 7

8 { A recetiveness roerty recetive AG AF EX((I data S)) \sender must eventually be ready to accet another message" This requires a fairness constraint on the A as well as the M channel 2 Exressiveness Issues 21 Linear vs branching time The logic CTL* subsumes PLTL and CTL { ath formulas: U q G F X : _ q { state formulas A E where is a ath formula An LTL formula like GF is equivalent to the CTL* state formula AGF Some exressiveness results { \Existential" roerties like AG EF not exressible in LTL, These are very useful for nding deadlocks in rotocols { \fairness" roerties, like A(GF ) GF ) not exressible in CTL Comlexity of model checking CTL (with fairness) O(f(V + E)n 2 ) PLTL (with fairness) O(2 f (V + E)n 2 ) (PSPACE comlete) CTL* (with fairness) same as PLTL Note: LTL formulas are often small (when fairness constraints are built into the model) This means it is often ractical to check them in site of the exonential comlexity Note: CTL* has same comlexity as PLTL because we can treat state formulas as atomic roositions when checking ath formulas Because of this, it is often said that branching time is suerior to linear time for model checking, since the comlexity is the same or better, and it is strictly more exressive 8

9 22 Data indeendence To check that ABP delivers correct data, we can add a one-bit data eld to the messages and check AG((I data(1) S) ) AF (R data(1) O)) Question: Can we infer from this that rotocol works for any data size? Suose we want to allow arbitrary buering of data? in out unbounded buffer eg allow behavior like: in(0) in(1) in(2) out(1) out(2) out(3) This is not exressible in roositional temoral logic Data indeendence (Woler) A model is \data indeendent" [3] if all \data" variables occur only in assignments of the form: x := y or as message arameters, eg P!data(x) or Q?data(y) The bounded buer roerty can be broken into two arts: 1 no dulication or loss of messages 2 messages delivered in order received Proerty (1) can be veried on a data-indeendent model with only two data values (say, 0 and 1): exactly once(x) (:x U (x ^ XG:x)) (1) exactly once(in(1)) ) exactly once(out(1)) The reasoning behind this is as follows: suose a message is dulicated, eg in(1) in(2) in(3) out(1) out(2) out(2) Every out() value must derive from some in() value by some sequence of assignments So, by changing the dulicated inut to 1, and all the others to 1, we a run like: which violates our roerty (1) in(0) in(1) in(0) out(0) out(1) out(1) 9

10 Proerty (2) can be veried with three data values (say, 0, 1and2) as follows: before(x y) :y W (x ^:y) (2) exactly once(in(1)) ^ exactly once(in(2)) ^ before(in(1) in(2)) ) before(out(1) out(2)) The reasoning is similar to the above 10

11 3 Summary Reactive systems { Concurrency! temoral roerties { LTL adds temoral oerators to roositonal logic model is an innite sequence of rogram states { Can exress safety, liveness, fairness { Proofs are somewhat laborious Model checking { Translate model (eg in CSP) to nite state grah (Krike model) interleaving semantics for concurrency model must be fairly abstract { Model checking algorithm for CTL Naive xed oint algorithm O(n 2 ) SCC based algorithm linear in formula size and model size { Fairness constraints Simle fairness (GF ) Streett fairness (GF ) GF q) Exressiveness issues { CTL* subsumes LTL and CTL { Tradeo of exressivenes vs comlexity { Unbounded buer roerties Cannot exress directly in TL Can verify using data indeendence arguments References [1] E M Clarke and O Grumberg Research on automatic verication of nite state systems Ann Rev Comut Sci, 2:269{90, 1987 [2] E A Emerson Temoral and modal logic In Handbook of Theoretical Com Sci, vol B: Formal Methods and Semantics, chater 16 Elsevier, 1990 [3] P Woler Exressing interesting roerties of rograms in roositional temoral logic In 13th ACM POPL, ages 184{193 11