Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Transcription

1 Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear and branching time, temoral logics and the basic idea of model checking. 5. Theoretical foundations Page 7 Formal resentation of CTL, Krike structures and model checking. 5.3 Model checking CTL Page 77 The analysis for CTL, examle and otimization. Concets introduced: LTL, CTL, linear and branching time, Krike models, control state reachability, liveness analysis, model checking, ROBDDs. THE BEHAVIOUR of a transition system is its set of runs, or its set of comutations. To verify behaviours, we can consider questions like: Does every comutation (run) of the transition system have a desired roerty X? or Is it true that in no comutation, C is immediately followed by on-ac?. 65

2 66 5. The verification setting Proerties may involve reachability of states. For examle, is there a run leading to deadlock? A deadlocked system can do no more comutation, more formally: Definition 9 The run with is in deadlock if no action is enabled at. We would like to ose more sohisticated questions (other than reachability questions). For examle, we may have qualitative questions like: Every request is eventually served. The sensor signal x is sensed infinitely often. From any stage of the comutation the all clear state can be reached within 3 stes We may also be interested in quantitative questions like: Every request is served within 3 microseconds. The sensor signal x is sensed every milliseconds for ever. From any stage of the comutation the all clear state can be reached within second. An extensional logic is one in which the truth value of a comlex formula can be determined by the truth values of its comonents. By contrast, modal or intensional logics deal with sentences qualified by modal oerators such as could or eventually or must and so on. If the modal oerators refer to time, then we call these logics temoral logics. Consider an assertion like The engine is too hot." The meaning is clear, it does not vary with time, but the truth value of the assertion can vary in time. Sometimes it is true, and sometimes it is false, and it is never true and false simultaneously. Temoral logics are a good mechanism for exressing qualitative temoral roerties of reactive systems. The basic modal oerators are which reresents necessity and its dual which reresents ossibility ( ). The language of modal logic consists of roositional variables, a set of Boolean connectives such as, and the modal oerators.

3 5. The verification setting 67 (a) Transition system 3 (b) Branching time view Figure 5.: Notions of comutation Consider the transition system in Figure 5.(a). A linear time view of the comutations induced by this system is just the set of all runs: A branching time view of the same system is shown in Figure 5.(b), where the temoral order forms a tree which branches into the future. LTL (Linear Temoral Logic) is a modal linear-time temoral logic, built u from a set of roosition variables, logic connectives and the temoral oerators: indicating that must hold in the next state. (or ) indicating that must hold in all the following states.!" (or #$ ) indicating that eventually (finally) must hold somewhere. %'& indicating that has to hold until & holds at the current or a future osition. ()& The dual of %+* & holds until the first state where holds. In LTL, one can encode formulæ about events along a single comutation ath. By contrast, CTL (Comutation Tree Logic) is a modal branching-time temoral logic. The oerators quantify over all ossible future aths from a given state. CTL and LTL are both subsets of a more general temoral logic CTL*. There are exressions in CTL that cannot be exressed in LTL and vice versa. 3 As an examle, consider,.-/ 3, which is an LTL formula reresenting the idea that: for all aths, eventually holds globally (i.e. from then on).,4/ -5,+63 is a 3

4 68 CTL formula reresenting the idea that: for all aths, eventually you get to a state where for all aths holds globally (i.e. from then on). This CTL formula does not reresent the same thing as the original LTL formula, even though at first sight it seems to be similar. A counter-examle is given below in Figure 5.. s t Figure 5.: Counter examle It is fairly easy to see that in the LTL linear time view, all runs that start in state have eventually holding globally. In a linear time view, the ossible (infinite) runs from are: u where means an infinite run of state, and means a finite run of. In both state and state, the roerty holds, so in the linear time view, for state,,.-/ 3. However, let us now consider the branching time view, and the CTL formula,4/ -5,+3. Figure 5.3 has the unfolded branching time view.

5 5. The verification setting 69 Figure 5.3: Unfolded counter examle The CTL formula,4/ -,+63 reresents the idea that: for all aths, eventually you get to a state where for all aths holds globally (i.e. from then on). If you traverse down the left hand sequence in the figure, it does not matter how far you go, you will never get to a state where for all aths holds globally. In other words, this does not reresent the same assertion as the LTL one. CTL formulæ are differentiated from LTL formulæ, because each of the temoral oerators must be receded by a ath quantifier:, (for all aths), and (there exists a ath). Since CTL exressions require every temoral oerator to be receded by a quantifier, and since there are five temoral oerators, and two quantifiers, we have ten base exression tyes.

6 7 The ten base exression tyes may be exressed in terms of just three exressions: : For one comutation ath, roerty holds in the next state; % : For all comutation aths, roerty holds until holds. % : For one comutation ath, roerty holds until holds. We focus here on CTL secifications. The model-checking verification setting may be visualized as in Figure 5.4, where we extract a (state transition) model from a system. Sense Comuter system Plant Model extraction Actuate Model checker: on heat S5 ok S4 S6 C TS S off heat H S off ac S3 on ac ok Semantics Behaviour of TS S YES! U Figure 5.4: Verification setting Proerty (Temoral logic formula φ) Models of φ The meaning that we attach to is that it correctly reresents the behaviour of the system, exressed as the allowable set of runs (or comutations) of the system. A model-checker checks if this behaviour of the system is a subset of the set of runs (or comutations) induced by an arbitrary roerty, returning YES or NO. NO!

7 5. The verification setting 7 P P req,ret grt req,ret grt Arbiter (a) Resource arbiter Rsrc S4 Ret S3 S6 S Req Req Ret S5 S Grt Req Req Grt Ret Figure 5.5: Arbiter for an oerating system Ret Req Grt Grt Req S7 (b) Arbiter transition system Consider the following scenario: We have an arbiter in an oerating system, which is controlling access by two rocesses to a single resource, only allowing one at a time to gain access to the resource. Each rocess can request access to the resource, by (erhas) making a req() call. When the resource is free, the arbiter can grant access by signalling the rocess using the grt() signal. When a rocess no longer needs the resource, it signals the arbiter using the ret() signal. In Figure 5.5(a) we see the arbiter, with Figure 5.5(b) showing a transition system for its correct oeration. When modelling this system, it is imortant to identify suitable atomic roositions relevant to the system. Suitable roositions might be: * : Processes and are idle. In the starting state both rocesses are idle. * : Processes and are waiting for the resource. * : Processes and are using the resource. S

8 7 5. Foundations for CTL model checking The oerator cannot be formalized with an extensional semantics. The Krike semantics is a formal semantics for modal logic systems. - Definition 3 A Krike structure over a set of atomic roositions is a 4- tule, where. is a finite set of states. is a transition relation that must be total 3. is a finite set of atomic roositions 4. is a function which labels each state with the set of atomic roositions true in that state Consider the transition system shown in Figure 5.5(b). The atomic roositions reresent the system s view of the state of the two tasks. They are idle, waiting or using the resource, and we have the following set of atomic roositions: We can convert the transition system into a Krike structure, by writing out $- for each state. The labelling function for each state returns the atomic roositions that are valid in each state. A suitable function is: 5.. The unfolding of " ! When investigating a Krike structure, it is often easier to visualize the unfolded version # / -$ of the structure.

9 % 5. Foundations for CTL model checking 73 TS (K if you ignore the actions) off off ch off on on ch UF(K) Figure 5.6: Unfolding of the TV Krike structure In Figure 5.6 the Krike structure reresents a transition system for the irritable TV viewer. The viewer can switch the TV on and off, and also change channels. As soon as the irritable TV viewer switches to a TV channel that is not worth watching, the TV must be switched off. # / -$ is another Krike structure, equivalent in terms of the ath structure of, but much easier to visualize ossible runs, and to see when a run reeats. Definition 3 The unfolding of a Krike structure, from an identified starting state, is # / -$ -, where. - "! $# &% ' () 6- &% ($# *+#(,- 3. "- $- 5.. CTL and CTL- We define a fragment of CTL, called CTL-, which we use to secify the formulæ defining the roerties to be checked against the Krike structure. When used in this context, such a Krike structure is often called a CTL-model (or just a model), and we will refer to such models as.. The CTL- fragment is sufficient to encode any (traditional) CTL formula. % &%.

10 74 Definition 3 Given a roosition (a finite set of atomic roositions), then is a CTL- formula, and if and are CTL- formulæ, then. is a CTL- formula. is a CTL- formula 3. is a CTL- formula 4..- is a CTL- formula 5., - # is a CTL- formula # is a CTL- formula Formulæ with this syntax can be viewed as a tree. For examle, the formula )- )- +- # could be reresented by the tree in Figure Model checking EX EX Figure 5.7: A CTL- formula shown as a tree Model checking is commonly exressed as a ternary relation - :. The relation is true when the roerty holds in state for a given model.. It is normally defined inductively, with a set of interlocking rules. A labelling algorithm may then be used to establish the set of states satisfying the relation. There are two kinds of roerties that are of interest: EU r

11 5. Foundations for CTL model checking 75. safety: nothing bad will ever haen. liveness: eventually something good will haen (One is like there exists and the other like for all ). The techniques for assessing safety and liveness are different. For examle, in model checking we use Büchiautomata to exress and check liveness, and state-sace enumeration for safety. Safety is about reachability, but with liveness we must consider infinite non-terminating execution, checking for the reachability of certain (control) states, and so an overall goal is to solve a control state reachability roblem. Let us return to the arbiter examle in Figure 5.5(b), and let. be the resulting CTL-model. We can determine whether or not. for the following examle roerties: EF-, AF- and AG-. Given the Krike structure, it is fairly easy to see that:. * leading to a state in which both and are true. (In fact there is no state in which both and are true).. * EF as there is no ath from AF as every ath from and each of these has either or true. 3. * AG as * 5..4 The definition of and * must lead to one of,, or, The model checking relation (In L A TEX, \models) can be read various ways. In. we might say that holds or is satisfied at state.. A ath from one state is a sequence of states such that and 6- for every. The -th element of is -. The model checking relation is defined for each atomic roosition and each CTL- formula, as:

12 # # % % 76. $-. iff it is not the case that.. iff. and.. iff. or.. )- iff - and. (i.e. has a successor state at which holds).,.- # iff for every ath from, for some,. -, and # iff there is a ath from, where for some,. -, and. - Figure 5.8 shows each of the temoral CTL- oerators in an unfolded Krike structure # / -.. UF(M) (a) s UF(M) q s (b) q q UF(M) s (c)!" Figure 5.8: EX, AU and EU in the unfolded Krike structure The table clearly defines the model checking relation for,, # and # in CTL-, but not for the other CTL oerators,,,+ and so on. The following list shows some of the other oerators that can be derived in terms of the three just given. $#. & & For every next state & holds. It is not the case that there exists a next state at which & does not hold. %#. & '&)(+*-, % & There exists a ath. from such that for every /$ : *3. 4/ &. It is not the case that... q

13 5.3 Model checking algorithm for CTL Model checking algorithm for CTL The label field in the Krike structure gives us a mechanism for calculating when a formula satisfies the associated model. in a articular state :.. The model checking rocess has two stes, visualized in Figure 5.9. Sense Comuter system Plant Model extraction Actuate Model checker: on heat S5 ok S4 S6 C TS S off heat H S off ac S3 YES! on ac ok S Ste : Labelled CTL Model Ste : Check state s in Sat( ψ) Figure 5.9: Model checking CTL models Proerty (Temoral logic formula ψ) Firstly, we label each state with the atomic roositions that are true in each state. Secondly, we calculate the sets of states that satisfy the roerty, and if our state is in this set, we can return YES, otherwise NO. We show an algorithm for calculating the satisfaction set for a model, given a formula. This can be calculated using a recursive function (corresonding to a recursive traversal of the structure), which returns the set of states that satisfy a given formula: NO!

14 < 78 set_of_states sat(proerty ) = if then! else case of true: false: : sat : sat+ sat : sat+ sat EX :!" $#% '&( $#% sat +) A U : lf+*--,! sat % sat3./ /'- # &, E U : lf3 -,! sat 4" sat %/ 5 76 # &, ; where 98 reresents the set of successor states of. The last two lines in the function exress the idea that we can calculate the sets of states for,.- # and +- #, by taking the least fix-oint (and hence the function name lf) of functions : and ; (sometimes exressed as the algorithms and = ). What are the functions : and ;? Some investigation will show.< that,.- # -,.-, - # +#, +- # - )- +- # and it seems aroriate to exress these as fix-oints of the corresonding functions :-?> -,.-?>4 +#, ; -@>4 - )-?>4 We can view this as a labelling rocedure for. where we build u extra labels for each state in the model, rogressively uncovering the subformulas of.

15 5.3 Model checking algorithm for CTL 79 In Figure 5., we see the labelled arbiter model, and the states that satisfy )-$ and +- #. S4 u i S3 w i u S6 w S i i S5 w w (a) S w S7 w u S u S4 u i S3 w i u S6 w (b)! Figure 5.: Arbiter model checking 5.3. Examle and otimizations S i i S5 w w - The model checking aroach to verification [CGP99] is to abstract out key elements of the software and to verify just these elements. For efficiency, various otimizations can be made if the elements reduce to binary values. Given the underlying reliance on binary abstractions, it is no surrise that model checking is being used in the analysis of digital electronic circuits, but it has also roved effective in the software domain, in the areas of rotocol analysis, the behaviour of reactive systems, and for checking concurrent systems. It is difficult to find examles convincing enough to demonstrate a technique, but which are small enough to fully describe in a short chater. We choose to use as an examle a simle mutual exclusion rotocol in which two rocesses, and share six (boolean) variables, and co-oerate to ensure mutually exclusive access to a critical section of code. A third rocess monitors the variables and changes a turn variable. The entire system is the arallel comosition of these three rocesses, and is continuous (indicated by the trailing recursive call). Each line of code is considered to be atomic, and we use to reresent, to reresent. S w S7 w u S u

16 + 8 = if then else if then! " else if then " '&( ; # if then %$ ; = if then else if then ) *" else if then " '&( ; if then %$ ; = if * then ) *" else if then! " &-,(.!! / ; + = ; &-,(.!! / ; The secific rotocol is chosen because it only uses boolean variables, simlifying and shortening this resentation. We can reresent a state of this system as a valuation of the relevant variables. The states for this system are listed in Table 5.. State vars vars 3 vars Next state(s) 46587:9 ;=< 4:> >A4B@9 <@? ;=< 4:> >A4B@9 <@? (H I J J I J J J $ J I J I J J J *K *L $ I J J J I J J (M L *N K J J I I J J J (H *O (M I J J J J I J (H *P *L J I J J I J J O *N I J J J I J I *Q H *O J J I J I J J $ *P J I J J J I J Q J I J J I J 'H I J J J J I J I J J J I I J I J I J J I *Q K K J J I I J J I 'M L 'M J J I J I J I *N L I J J I J J I *N Table 5.: States for the comlete system We may also characterize this system using a transition diagram as in Figure 5., where the labels on the transitions relate to the line-numbers of the rogram. >DCFEAG

17 5.3 Model checking algorithm for CTL 8 4 S 3 S S 5 3 S 7 5 S S S 6 6 S 4 S S S S S S3 S4 S5 5 4 Figure 5.: State transition diagram The transition relation may be comactly exressed (using short names for the variables) as the following redicate : 5 Note that the redicate has been ordered to clearly show a correlation with the rogram. The first line corresonds to, the second to and the third to BDD reresentation of transition relation A redicate such as just seen may also be encoded as an ordered binary decision tree (OBDT), in which the levels denote the different variables, and aths through the tree reresent valuations of the transition relation. In Figure 5. we have an OBDT for the exression - -.

18 8 i3 i i i4 i3 i i T T T T T T T F F F F F F F F F Figure 5.: OBDT for - - Note that if we reorder the variables, we get a different decision tree, but this new tree still reresents the redicate. In other words, it is indeendent of the order of the variables. The OBDT does not scale well, but there are otimizations that may be done. An otimization to exloit reetition on OBDTs leads to reduced ordered binary decision diagrams (ROBDDs). i3 i i i4 i3 i i T T T T T T T F F F F F F F F F i i3 i4 i T T T F F F F F F i 3 T i 4 i T F F F i 3 Figure 5.3: ROBDD reduction for - - ROBDDs rovide a canonical form for the OBDTs, but more significantly, similar sub-trees of a OBDT result in the ROBDD merging the two subtrees. Bryant [Bry86] introduced these data structures, showing how such reresentations of functions may be maniulated efficiently. In the aer, fast algorithms for common boolean oerations are described, with comlexities roortional to the sizes of the grahs. The ROBDD otimization for the urose of model checking was first identified by McMillan [McM93], and resulted in significant imrovements in the number of states that could be model-checked. In roblems which exhibit a attern regularity, T i 4 F i T F i 3 T i 4 F i

19 5.4 Summary of toics 83 the ROBDD reresentation can be many orders of magnitude smaller than an equivalent (OBDT or enumerated) reresentation. Modern branching time model checkers all use the ROBDD otimization. 5.4 Summary of toics In this section, we introduced the following toics: Verification setting. Basic setting for the verification roblem. Theoretical foundations. Formal foundations for CTL. Model checking algorithms. Algorithms for checking systems. Examle and otimizations. Using BDDs for CTL model checking.