CTL Model Checking. Wishnu Prasetya.

Transcription

1 CTL Model Checking Wishnu Prasetya

2 Background Example: verification of web applications à e.g. to prove existence of a path from page A to page B. Use of CTL is popular à another variant of temporal logic à different way of model checking. Model checker for verifying CTL: SMV. Also uses a technique called symbolic model checking. In contrast, SPIN model checking is called explicit state. 2 We ll show you how this symbolic MC works, but first we ll take a look at CTL, and the web application case study.

3 Overview CTL CTL Model checking Symbolic model checking BDD Definition Reducing BDD Operations on BDD Acknowledgement: some slides are taken and adapted from various presentations by Randal Bryant (CMU), Marsha Chechik (Toronto) 3

4 CTL Stands for Computation Tree Logic Consider this Kripke structure (labeling omitted) : M : 0 In LTL, properties are defined over executions, which are sequences : In CTL properties are defined in terms of your computation tree:

5 CTL Informally, CTL is interpreted over computation trees. M ϕ = M s computation trees satisfies ϕ We have path quantifiers : A... : holds for all path (starting at the tree s root) E... : holds for some path 5 Temporal operators : X... : holds next time F... : holds in the future G... : always hold U : until

6 Intuition of CTL operators EX (exists next) ϕ AX (all next) ϕ ϕ ϕ ϕ EG ϕ ϕ AG ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ ϕ 6

7 Intuition of CTL operators EF ϕ AF ϕ ϕ ϕ ϕ ϕ ϕ E[ ψ U ϕ ] A[ ψ U ϕ ] ψ ψ ψ ϕ ψ ϕ ψ ϕ ϕ 7

8 Syntax ϕ ::= p // atomic (state) proposition ϕ ϕ 1 ϕ 2 EX ϕ AX ϕ E[ϕ 1 U ϕ 2 ] A[ϕ 1 U ϕ 2 ] 8

9 Semantics R : S {S} : transition relation V : S {Prop} : observations Let M = ( S, {s 0 }, R, V ) be a Kripke structure J M,t ϕ ϕ holds on the comp. tree t M ϕ is defined as M, tree(s 0 ) ϕ M,t p = p V(root(t)) M,t ϕ = not ( M,t ϕ ) 9 M,t ϕ ψ = M,t ϕ and M,t ψ

10 Semantic of X M,t EXϕ = ( v R(root(t)) :: M,tree(v) ϕ ) M,t AXϕ = ( v R(root(t)) :: M,tree(v) ϕ ) This definition of the A-quantifier is a bit problematic if you have a terminal state t (state with no successor), because then you get t AX ϕ for free, for any ϕ (the above - quantification would quantify over an empty domain). This can be patched; but we ll just assume that your M contains no terminal state (all executions are infinite). 10

11 Semantic of U M,t E[ ψ U ϕ ] = There is a path σ in M, starting in root(t) such that: For some i 0, M,tree(σ i ) ϕ For all previous j, 0 j<i, M,tree(σ j ) ψ M,s A[ ψ U ϕ ] = For all path σ in M, starting in root(t), these hold: 11

12 Derived operators ψ ϕ = ( ϕ ψ) ψ ϕ = ψ ϕ EF ϕ = E[ true U ϕ ] AF ϕ = A[ true U ϕ ] EG ϕ = AF ϕ AG ϕ = EF ϕ 12

13 LTL vs CTL They are not the same. Some properties can be expressed in both: AG (x=0) = (x=0) AF (x=0) = (x=0) A[x=0 U y=0] = x=0 U y=0 Some CTL properties can t be expressed in LTL, e.g: EF (x = 0) {x=0} Prop = { x= 0 } 13

14 LTL vs CTL Some LTL properties cannot be expressed in CTL, e.g. <>[] p {p} {p}... Prop = { p }... E.g. AF AG p does not express the property; the above Kripke does not satisfy it. 14

15 LTL vs CTL Another example, fairness restriction: ([]<> p <>q) <>q = []<>p \/ <>q {p} {q} e.g. AGAF p \/ AF q hold on the tree. does not 15

16 CTL* CTL formulas are also CTL* formulas. LTL formulas can also be expressed in CTL*. Syntax: (State formula) ϕ :: p // p is atomic proposition ϕ ϕ 1 ϕ 2 E f A f // f is a path formula (Path formula) f :: ϕ f f g Xf Ff Gf f 1 U f 2 An example of CTL* formulas that is not CTL: EFG(x=0). 16

17 CTL* The meaning of state formulas: t p = p holds at root(t) t ϕ = not t ϕ t ϕ 1 \/ ϕ 2 = t ϕ 1 or t ϕ 2 t E f = for some path σ starting in root(t), σ,0 f Af can be defines as Ef. The meaning of path formulas: σ,i ϕ σ,i f σ,i Xf = tree(σ i ) ϕ = not σ,i f = σ,i+1 f the defs. of other opereators as in LTL. 17

18 Model checking CTL formulas Kripke M = ( S, {s 0 }, R, V ) We want to verify M == ϕ Assume ϕ is expressed in CTL s (chosen) basic operators. The verification algorithm works by systematically labeling M s states with subformulas of ϕ; bottom up. For a sub-formula f ; we inspect every state s: { p } 0 2 { p,q } { p } 1 3 If tree(s) = f, we label s with f (and otherwise we don t label it) Eventually, when we are done with the labeling of the root formula ϕ : 18 M = ϕ iff s 0 is labeled with ϕ

19 Example, checking EX(p q) Prop = {p,q} Initial state is not labeled with the target formula; so the formula is not valid. 0 { p } 1 { p } EX(p q) 2 { p,q } p q 3 EX(p q) 19

20 Example, checking: E[ p U (p q) ] E[ p U p/\q] { p } { p } E[ p U p q] 0 1 Initial state is labeled with the target formula; so M satisfies the formula. 2 3 { p,q } p q E[ p U p q] 20

21 Example, checking A[ p U (p q) ] At the end, initial state is not labeled with the target formula; so the formula is not valid 0 { p } 1 { p } A[ p U p q] 2 3 { p,q } p q A[ p U p q] A[ p U p q] 21

22 Can we apply this to LTL? Consider p Prop = { p } Applying labeling : {p} we can t label this with p; thus also not with p p {p} p p 22

23 Checking CTL* Notice that M φ is the same as checking tree(s 0 ) φ, where s 0 is M s initial state (assuming it only has one). Let M/s be the same Kripke structure as M, but s as the initial state. Examples: t AGF q à by checking M/root(t) q in LTL t EGF q à by checking M/root(t) q in LTL, if this is not valid, then for some path σ starting in root(t), σ q does not hold. In other words, σ q holds. In other words, t EGF q is valid. t AGF(EFq) 1. First recurcively label the states of M with EFq. A state s is labelled with EFq iff tree(s) EFq 2. Pretend EFq is a new state-predicate r, added to he labelling of M. 3. Now check t AGF r, for which we can proceed as above 23

24 Symbolic representation You need the full statespace to do the labeling! Idea: Use formulas to encode sets of states (e.g. to express the set of states labeled by something) A small formula can express a large set of states à suggest a potential of space reduction. 24

25 Example 0 { p } 1 { p } E.g. the set of states where q holds is encoded by the formula: x y 2 { p,q } 3 4 states, can be encoded by 2 boolean variables x and y. St-0 St-1 St-2 St-3 x y xy x y xy Similarly, the set of states where p holds : {0,1,2}, can be encoded by formula: (xy) More generally, a boolean formula f represents the set of states, formed by value-combinations that satisfies f. 25

26 Example { p } { p } We can also describe this more program-like: 0 x y x y 2 { p,q } 1 3 xy xy if state {0,2} goto {0,1} [] state {1,3} goto 2 [] state=3 goto {2,3} fi which can be encoded with this boolean formula: N.D. States encoding: St-0 x y St-1 xy St-2 x y St-3 xy y x \/ yx y \/ xyx 26

27 Example byte x ; // unspecified initial value if x 255 x=0 ; The automaton has 256 states, with 256 arrows. Bit matrix : 8.3 Kbyte List of arrows: 512 bytes With boolean formula: (x 0..x 7 ) /\ x 0... x 7 \/ x 0...x 7 /\ x 0... x 7 27

28 Model checking When we label states with a formula f, we are basically calculating the set of states (of M) that satisfy f. Introduce this notation: W f = the set of states (whose comp. trees) satisfy f = { s s S, M, tree(s) == f } We now encode W f as as a boolean formula M = f if and only if W f evaluated on s 0 returns true 28

29 Labeling If p is an atomic formula: W p = boolean formula representing the set of states where p holds. For conjunction: Negation: W f/\g = W f /\ W g W f = W f For EX: W EXf = x,y :: R /\ W f [x,y /x,y] (The relation R is assumed to be defined in terms of x,y and x,y ) 29 AX f = EX f So: W AXf = W EX f

30 Restricting the arrows over the destinations States encoding: St-0 x y St-1 xy St-2 x y St-3 xy Suppose we have these arrows, R = y x y \/ xyy {1,3} {2} {3} {1,3} The set of all states that has at least one outgoing arrow to one of {0,1} { s ( t:: t R(s) /\ t {0,1} ) } Encoding in Boolean formula: ( x,y :: ( y x y \/ xyy ) /\ x ) 30

31 Restricting the arrows over the destinations The set of all states whose all outgoing arrows go to one of {0,1} : { s ( t:: t R(s) t {0,1} ) } Encoding in Boolean formula : ( x,y :: R(x,y,x,y ) x ) Note: Some state-encoding may be invalid (e.g. what if state 0 does not exist?) Some care need to be taken, not to quantify over invalid states. In the example, all terminal states in M will automatically be included in the set weird, but we discussed this before. We assumed M does not contain terminals. 31

32 Example, EXp 0 { p } 1 { p } xy W p q = x W EXp q = x,y :: R /\ x x y x y 2 { p,q } 3 xy = x,y :: ( y x \/ yx y \/ xyx ) /\ x States encoding: St-0 St-1 St-2 St-3 x y xy x y xy 32

33 Labeling E.g. the states satisfying E[f U g] can be computed by: Let Z 1 = W g Iteratively compute Z i Z i+2 = Z i+1 \/ (W f /\ ( x,y :: R /\ Z i+1 [x,y /x,y] )) Stop when Z i+1 = Z i ; then W E[p U q] = Z i 33

34 Example, E[ p U q ] 0 { p } 1 { p } xy Z 1 = W q = x y x y x y 2 { p,q } States encoding: 3 xy Z 2 = Z 1 \/ (W p /\ ( x,y :: R /\ Z 1 [x,y /x,y])) x y \/ ( (xy) /\ ( x,y ::... /\ x y )) St-0 St-1 St-2 St-3 x y xy x y xy Z 3 = Till fix point. 34

35 But how to check fix point? To make this works, we need a way to efficiently check the equivalence of two boolean formulas: f g So, we can decide when to we have reached a fixpoint In general this is an NP-hard problem. Use a SAT-solver to check if (f g) is unsatisfiable. We ll discusss BDD approach 35

36 Canonical representation = simplest/standard form. Here, a canonical representation C f of a formula f is a representation such that: f g iff C f = C g Gives us a way to check equivalence. 36 Only useful if the cost of constructing C f, C g + checking C f = C g is cheaper than directly checking f g. Some possibilities: Truth table à exponentially large. DNF/CNF à can also be exponentially large.

37 BDD Binary Decision Diagram; a compact, and canonical representation of a boolean formula. Can be constructed and combined efficiently. Invented by Bryant: "Graph-Based Algorithms for Boolean Function Manipulation". Bryant, in IEEE Transactions on Computers, C-35(8),

38 Decision Tree x 1 x 2 x 3 \/ x 1 x 2 x 3 \/ x 1 x 2 x 3 with truth table : x 1 x 2 x TT is canonical if we fix the order of the columns. f Or representing the table with a (binary decision) tree : x 1 x 2 x 2 x 3 x 3 x 3 x Each node x i represents a decision: Blue out-edge from x i à assigning 1 to x i 38 Red out-edge from x i à assigning 0 to x i Function value is determined by leaf value.

39 But we can compact the tree E.g. by merging the duplicate leaves: x 1 x 1 x 2 x 2 x 2 x 2 x 3 x 3 x 3 x 3 x 3 x 3 x 3 x We can compact this further by merging duplicate subgraphs 39

40 Results Note: this is from Bryant s paper in They use their version of MC at that time, running it on an DEC VAX 11/780, with about 1 MIP speed J 40

41 Boolean formula A boolean formula (proposition logic formula) e.g. x. y \/ z can be seen as a function : f(x,y,z) = x.y \/ z In Bryant s paper this is called a : boolean function. E.g. composing functions as in f(x, y, g(x,y,z)) is the same as the corresponding substitution. 41

42 Binary Decision Diagram A BDD is a directed acyclic graph, with a single root two leaves à 0/1 non-leaf node labeled with varname has 2 children suppose we call this node: v v.low Along every path, no var appears more than 1x y x z v.var v.high We ll keep the arrow-heads implicit always from top to bottom 0 w: 1 w.val 42

43 func(g) x = var(v) func(v) = x. func(v.low) \/ x. f(v.high) func(g) = func(root) x xz \/ x. y.z y.z y z z 0 1 func(0) = 0, func(1) = 1 43

44 Ordered BDD OBDD à fix an ordering on the variables let index(v) à the order of v in this ordering J index(v) < index(v.low) same with v.high y z z x satisfies ordering [y,z,x] but not [y,x,z]

45 Reduced BDD 45 Two BDDS F ang G are isomorphic if you can obtain G from F by renaming F s nodes, vice versa. But you are not allowed to rename v.var nor v.val! A BDD G is reduced if: then: func(f) = func(g) for any non-leaf node v, v.low v.high. for any distinct nodes u and v, the sub-bdds rooted at them are not isomorphic. otherwise G can be reduced!

46 Reduced OBDD Reduced OBDD is canonical: If we fix the variable ordering, every boolean function is uniquely represented by a reduced OBDD (up to isomorphism). Same idea as in truth tables: canonical if you fix the order of the columns. However, the chosen ordering may influence the size of the OBDD. 46

47 Effect of ordering Consider: xyz \/ yz x y y z z z 0 1 x 0 1 Order: x,y,z Order: y,z,x 47

48 The difference can be huge consider: a 1 b 1 \/ a 2 b 2 \/ a 3 b 3 a 1 a 1 b 1 a 2 a 2 a 2 a 3 a 3 a 3 a 3 b 2 b 1 b 1 b 1 b 1 a 3 b 2 b 2 48 b Linear Growth b Exponential Growth Here: red for value 1, green for 0.

49 Reducing BDD x x y y y y z z z z z z z z By sharing leaves 49

50 Reducing BDD y x y y x y z z z z z z x y z

51 The reduction algorithm Introduce a class Node to represent the nodes in a BDD. If v is an instance of Node and it has these fields v.var (non-leaf) v.low, v.high : Node (non-leaf) v.value (leaf) A BDD can be represented by a single instance of Node, which is to be the root of the BDD. 51

52 The reduction algorithm Introduce id, mapping/function Node Node Use it to keep track which nodes actually represent the same formula. Iterate/recurse and maintain this invariant: func(u) = func(id(u)) Initially, id(u) = u, for all u. So, we can remove u from the graph, and re-route arrows to it, to go to id(u) instead. Work bottom up, and such that a node decorated with x is processed after all nodes whose decorations come later in the var-ordering are processed first. 52

53 The reduction algorithm We ll work recursively, bottom-up. Keep track of V = set of visited/processed nodes. Now suppose we are at a node v labeled with y, index(y)=i. Note that this implies that we must have done the work for all nonleaves labeled with z with index(z)>i. Case-1, id(v.low) = id(v.high) ; suppose v.var = y y z x v y func(v) = y. func(v.low) \/ y. func(v.high) = y. func(id(v.low)) \/ y. func(id(v.high)) = y. func(id(v.low)) \/ y. func(id(v.low)) = func(id(v.low)) update: id(v) := id(v.low)

54 The reduction algorithm Case-2: there is another non-leaf u V (u has been processed) such that: 1. u.var = v.var ; suppose this is y 2. id(u.low) = id(v.low) 3. id(u.high) = id(v.high) id u y y v id func(v) = y. func(u.low) \/ y. func(v.high) = y. func(u.low) \/ y. func(u.high) // by inv = func(u) = func(id(u)) update: id(v) := id(u) 54

55 The reduction algorithm Case 3 : otherwise we can t reduce v, if v is not a leaf, update : v.high := id(v.high) v.low := id(v.low) We are done if we have processed the root Node; return id(root) as the new graph. Orphan nodes can be garabage-collected. 55

56 Building a BDD So far: we can reduce a BDD. Recall in CTL model checking, e.g. to the set of states satisfying EX p is calculated by constructing this formula: x,y :: R /\ W p [x,y /x,y] Since formulas are now represented as BDDs, this implies the need to combine BDDs. The combinators should be efficient! 56

57 Basic operations to combine BDDs Apply f 1 <op> f 2 Restrict f x=b // b is constant Compose f 1 x=f2 // f2 is another function Satisfy-one Return a single combination of the variables of f that would make it true, else return nothing. 57

58 Quantification With restriction we can encodes boolean quantifications : ( y:: f(x,y) ) = f(x,y) y=0 \/ f(x,y) y=1 ( y:: f(x,y) ) = ( y:: f(x,y)) (Recall that we need this in the MC algorithm). 58

59 Restriction f(x,y,z) y=c how to construct the BDD of the new function?? f(x,y,z) y=0 f(x,y,z) y=1 à replace all y nodes by low-sub-tree à replace all y nodes by high-sub-tree Example: x x f (x,y.z) = xz \/ x yz y z So, f(x,y,z) y=0 = z z z Reduced version. 59 After replacing y

60 Apply Apply, denoted by f <op> g, means the boolean function obtained by applying op to f and g. E.g. assuming they take x,y as parameters, f <and> g means the function that maps x,y to f(x,y) /\ g(x,y). A single algorithm to implement /\, \/, xor We can even implement f, namely as f <xor> 1 60

61 Apply So, given the BDDs of f and g, how to construct the BDD of f <op> g? There is this Shannon expansion : f <op> g = x. (f x=0 <op> g x=0 ) \/ x. ( f x=1 <op> g x=1 ) This tells us how to implement apply recursively! 61 Detail, see LN.

62 Example u2 y x u1 y v1 z u3 z v2 We ll do this by hand. u4 0 1 u5 v3 0 1 v4 We name the nodes, just so that we can refer to them. f <and> g = x. (f x=0 <and> g x=0 ) \/ x. ( f x=1 <and> g x=1 ) 62

63 Example u2 y x u1 y v1 apply(u1,v1) apply(u2,v1) apply(u3,v1) z u4 0 1 u3 u5 z v3 0 1 v2 v4 apply(u3,v3) apply(u4,v3) apply(u3,v2) apply(u3,v2) apply(u5,v4) Repeated call in recursion! To avoid this, maintain a table to keep track of already computed results. apply(u4,v3) apply(u5,v4) apply(u4,v3) 63

64 Satisfy and Compose Compose, constructed through : f 1 x=f2 = f 2. f 1 x=1 \/ f 2. f 1 x=0 In a reduced graph of a satisfiable formula, every non-terminal node must have both leaf-0 and leaf-1 as decendants. It follows that satisfy-one can be implemented in O(n) time (e.g. run a DFS from root to find a path leading to 1) 64

65 And substitution Recall in CTL model checking, e.g. to the set of states satisfying EX p is calculated by constructing this formula: x,y :: R /\ W p [x,y /x,y] So, how to we construct the BDD representing e.g. f[x,y /x,y]? 65 Just replace x,y in the BDD with x,y, assuming this does not violate the BDD s ordering constraint (e.g. if x<y but x >y ). Else use compose.

66 The cost of various operations Reduce f O( G log G ) where G is the graph of f s BDD. Apply f 1 <op> f 2 O( G1 G2 ) Restrict f x=b O( G log G ) Compose f 1 x=f2 O( G1 2 G2 ) Satisfy-one O( G ) 66