Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Similar documents
Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Finite-State Model Checking

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Lecture 16: Computation Tree Logic (CTL)

Model Checking with CTL. Presented by Jason Simas

Model for reactive systems/software

Model Checking: An Introduction

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

MODEL CHECKING. Arie Gurfinkel

Computation Tree Logic (CTL)

Crash course Verification of Finite Automata CTL model-checking

Computation Tree Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Formal Methods Lecture VII Symbolic Model Checking

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Linear Temporal Logic (LTL)

T Reactive Systems: Temporal Logic LTL

CS357: CTL Model Checking (two lectures worth) David Dill

Alan Bundy. Automated Reasoning LTL Model Checking

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model checking the basic modalities of CTL with Description Logic

Timo Latvala. February 4, 2004

ESE601: Hybrid Systems. Introduction to verification

Verification Using Temporal Logic

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

EXAMINATION in Hardware Description and Verification

Computation Tree Logic

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

CTL Model Checking. Wishnu Prasetya.

PSPACE-completeness of LTL/CTL model checking

FAIRNESS FOR INFINITE STATE SYSTEMS

Model checking (III)

3-Valued Abstraction-Refinement

3. Temporal Logics and Model Checking

LTL and CTL. Lecture Notes by Dhananjay Raju

Model Checking. Boris Feigin March 9, University College London

Overview. overview / 357

Temporal Logic Model Checking

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Linear Temporal Logic (LTL)

Chapter 4: Computation tree logic

Formal Verification of Mobile Network Protocols

Computation Tree Logic (CTL)

Model Checking Algorithms

Temporal Logic and Model Checking

Lecture Notes on Software Model Checking

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Computer Aided Verification

Computation Tree Logic

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Testing with model checkers: A survey

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Topics in Verification AZADEH FARZAN FALL 2017

Temporal Formula Specifications of Asynchronous Control Module in Model Checking

Reasoning about Strategies: From module checking to strategy logic

Guest lecturer: Mark Reynolds, The University of Western Australia. May 7, 2014

An Introduction to Temporal Logics

Comp487/587 - Boolean Formulas

Lecture 2: Symbolic Model Checking With SAT

Theorem Proving beyond Deduction

Automata-based Verification - III

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Chapter 6: Computation Tree Logic

Introduction to Model Checking

Abstractions and Decision Procedures for Effective Software Model Checking

Finite State Model Checking

Automata-based Verification - III

Models for Efficient Timed Verification

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Automata, Logic and Games: Theory and Application

Logic in Automatic Verification

Symbolic Model Checking Property Specification Language*

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Revising Specifications with CTL Properties using Bounded Model Checking

Computation Tree Logic

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Reasoning about Time and Reliability

Linear-Time Logic. Hao Zheng

Automata-Theoretic Model Checking of Reactive Systems

Postprint.

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Final Exam /614 Bug Catching: Automated Program Verification Matt Fredrikson André Platzer. December 17, 2017

Relating Counterexamples to Test Cases in CTL Model Checking Specifications

Algorithmic verification

Chapter 5: Linear Temporal Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Modal and Temporal Logics

Transcription:

Model Checking I What are LTL and CTL? q0 or and dack dreq q0bar and 1

View circuit as a transition system (dreq, q0, dack) (dreq, q0, dack ) q0 = dreq and dack = dreq & (q0 + ( q0 & dack)) q0 or and D dack dreq D and 2

dreq dack q0 q0 dack Idea Transition system + special temporal logic + automatic checking algorithm 3

Exercise (from example circuit) (dreq, q0, dack) (dreq, dreq, dreq & (q0 + ( q0 & dack))) Draw state transition diagram Q: How many states for a start? Hint (partial answer) 000 100 110 111 001 101 010 011 4

Question 000 100 110 111 001 101 010 011 Q: how many arrows should there be out of each state? Why so? Exercise 000 100 110 111 001 101 010 011 Complete the diagram Write down the corresponding binary relation as a set of pairs of states 5

Another view computation tree from a state 111 Unwinding further 111 111 011 111 011 000 100 111 011 000 100 000. 100 010 110.. 6

Possible behaviours from state s s Transition relation R... Relation vs. Function? path = possible run of the system s Transition relation R... 7

Points to note Transition system models circuit behaviour We chose the tick of the transition system to be the same as one clock cycle. Gates have zero delay a very standard choice for synchronous circuits Could have had a finer degree of modelling of time (with delays in gates). Choices here determine what properties can be analysed Model checker starts with transition system. It doesn t matter where it came from Model Checking property G(p -> F q) yes MC algorithm finite-state model q p p q no counterexample (Ken McMillan) 8

Netlist and dack q0 or D 1 dreq D 0 and input to SMV model checker MODULE main VAR w1 : boolean; VAR w2 : boolean; VAR w3 : boolean; VAR w4 : boolean; VAR w5 : boolean; VAR i0 : boolean; VAR w6 : boolean; VAR w7 : boolean; VAR w8 : boolean; VAR w9 : boolean; VAR w10 : boolean; DEFINE w4 := 0; DEFINE w5 := i0; ASSIGN init(w3) := w4; ASSIGN next(w3) := w5; DEFINE w7 :=!(w3); DEFINE w9 := 1; DEFINE w10 := w5 & w6; ASSIGN init(w8) := w9; ASSIGN next(w8) := w10; DEFINE w6 := w7 & w8; DEFINE w2 := w3 w6; MC builds internal representation of transition system 9

Transition system M S R A set of states (finite) binary relation on states assumed total, each state has at least one arrow out set of atomic formulas L function A set of states in which A holds Lars backwards finite Kripke structre Path in M Infinite sequence of states π = s0 s1 s2... st 10

Path in M s0 s1 s2... R (s0,s1) є R (s1,s2) є R etc Properties Express desired behaviour over time using special logic LTL (linear temporal logic) CTL (computation tree logic) CTL* (more expressive logic with both. LTL and CTL as subsets) 11

CTL* path quantifers A for all computation paths E for some computation path can prefix assertions made from Linear operators G globally=always F sometimes X nexttime U until about a path CTL* formulas (syntax) path formulas f ::= s f f1 f2 X f f1 U f2 state formulas (about an individual state) s ::= a s s1 s2 E f atomic formulas 12

Build up from core A f E f F f G f true U f F f G (req -> F ack) Example 13

G (req -> F ack) Example A request will eventually lead to an acknowledgement liveness linear Example (Gordon) It is possible to get to a state where Started holds but Ready does not 14

Example (Gordon) It is possible to get to a state where Started holds but Ready does not E (F (Started & Ready)) Semantics M = (L,A,R,S) M, s f f holds at state s in M (and omit M if it is clear which M we are talking about) M, π g g holds for path π in M 15

Semantics Back to syntax and write down each case s a a in L(s) (atomic) s f not (s f) s f1 f2 s f1 or s f2 s E (g) Exists π. head(π) = s and π g Semantics π f s f and head(π) = s π g not (π g) π g1 g2 π g1 or π g2 16

Semantics π X g tail(π) g π g1 U g2 Exists k 0. drop k π g2 and Forall 0 j < k. drop j π g1 (note: I mean tail in the Haskell sense) CTL Branching time (remember upside-down tree) Restrict path formulas (compare with CTL*) f ::= f s1 s2 X s s1 U s2 state formulas Linear time ops (X,U,F,G) must be wrapped up in a path quantifier (A,E). 17

Back to CTL* formulas (syntax) path formulas f ::= s f f1 f2 X f f1 U f2 state formulas (about an individual state) s ::= a s s1 s2 E f atomic formulas CTL Another view is that we just have the combined operators AU, AX, AF, AG and EU, EX, EF, EG and only need to think about state formulas A operators E operators for necessity for possibility 18

f :: = atomic f All immediate successors AX f Some immediate succesor EX f All paths always AG f Some path always EG f All paths eventually AF f Some path eventually EF f f1 & f2 A (f1 U f2) E (f1 U f2) Examples (Gordon) It is possible to get to a state where Started holds but Ready does not 19

Examples (Gordon) It is possible to get to a state where Started holds but Ready does not EF (Started & Ready) Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack 20

Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack AG (Req => AF Ack) Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged 21

Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged AG (Req => A [Req U Ack]) Exercise Draw computation trees illustrating AX f and EX f 22

Exercise Draw computation trees illustrating AG, EG, AF and EF (See nice pictures from Pistore and Roveri) LTL LTL formula is of form A f where f is a path formula with subformulas that are atomic (and then, as usual, have E f = A f etc) Restrict path formulas (compare with CTL*) f ::= a f f1 f2 X f f1 U f2 23

Back to CTL* formulas (syntax) path formulas f ::= s f f1 f2 X f f1 U f2 state formulas (about an individual state) s ::= a s s1 s2 E f atomic formulas LTL It is the restricted path formulas that we think of as LTL specifications (See P&R again) G (critical1 & critical2) mutex FG initialised eventually stays initialised (CHANGED from earlier version of slides) GF mymove G (req => F ack) mymove will always eventually hold request acknowledge pattern 24

Not possible to express in LTL AG EF start Regardless of what state the program enters, there exists a computation leading back to the start state Exercise Find something that can be expressed in LTL but not CTL 25

Further reading Ed Clarke s course on Bug Catching: Automated Program Verification and Testing complete with moving bug on the home page! Covers model checking relevant to hardware too. http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15414-f06/www/index.html Next lecture How to model check CTL formulas 26

27

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback