Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Similar documents
A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

CTL, the branching-time temporal logic

Explicit State Model Checking Algorithm for CTL. CSE 814 CTL Explicit-State Model Checking Algorithm

Computation Tree Logic

Finite State Model Checking

Computation Tree Logic (CTL)

Temporal Logic Model Checking

p,egp AFp EFp ... p,agp

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Overview. overview / 357

Finite-State Verification or Model Checking. Finite State Verification (FSV) or Model Checking

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Using BDDs to Decide CTL

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Linear Temporal Logic and Büchi Automata

DRAFT - do not circulate

CS357: CTL Model Checking (two lectures worth) David Dill

Lecture 16: Computation Tree Logic (CTL)

3-Valued Abstraction-Refinement

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Model Checking: An Introduction

Model for reactive systems/software

Model Checking with CTL. Presented by Jason Simas

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Chapter 6: Computation Tree Logic

Computation Tree Logic

Topics in Verification AZADEH FARZAN FALL 2017

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Memoryfull Branching-Time Logic

ABSTRACT MODEL REPAIR

Model Checking Algorithms

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

ABSTRACT MODEL REPAIR

MODEL CHECKING. Arie Gurfinkel

Finite-State Model Checking

Computation Tree Logic (CTL)

Computation Tree Logic

Timo Latvala. February 4, 2004

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Linear Temporal Logic (LTL)

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Verification Using Temporal Logic

T Reactive Systems: Temporal Logic LTL

Computer-Aided Program Design

From Liveness to Promptness

Alternating Time Temporal Logics*

Sets of Real Numbers

Computation Tree Logic

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Lecture Notes on Model Checking

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Chapter 5: Linear Temporal Logic

A Brief Introduction to Model Checking

Model checking the basic modalities of CTL with Description Logic

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Chapter 4: Computation tree logic

Computer Aided Verification

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Game Specification in the Trias Politica

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

UPPAAL tutorial What s inside UPPAAL The UPPAAL input languages

Automata-based Verification - III

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

Algorithms for Model Checking (2IW55)

Alan Bundy. Automated Reasoning LTL Model Checking

3. Temporal Logics and Model Checking

Learning to Verify Branching Time Properties

Automata-based Verification - III

LTL and CTL. Lecture Notes by Dhananjay Raju

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Guest lecturer: Mark Reynolds, The University of Western Australia

Chapter 3: Linear temporal logic

First-order resolution for CTL

An Introduction to Temporal Logics

Finite state automata

Theorem Proving beyond Deduction

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Crash course Verification of Finite Automata CTL model-checking

PSPACE-completeness of LTL/CTL model checking

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

SFM-11:CONNECT Summer School, Bertinoro, June 2011

The State Explosion Problem

Automata, Logic and Games: Theory and Application

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

IC3 and Beyond: Incremental, Inductive Verification

Efficient Model-Checking of Weighted CTL with Upper-Bound Constraints

From Liveness to Promptness

SAT based Abstraction-Refinement using ILP and Machine Learning Techniques

Abstractions and Decision Procedures for Effective Software Model Checking

ESE601: Hybrid Systems. Introduction to verification

Transcription:

Model Checking

Princiles Model (System Requirements) Secification (System Proerty) Model Checker Answer: Yes, if the model satisfies the secification Counterexamle, otherwise

Krike Model Krike Structure + Labeling Function Let AP be a non-emty set of atomic roositions. Krike Model: M = (S, s 0, R, L) S s 0 S R S S finite set of states initial state transition relation L: S 2 AP labeling function

Secification Often exressed in temoral logic Proositional logic with temoral asect Describes ordering of events without exlicitly using the concet of time Several variants: LTL, CTL, CTL* 4

Why Use Temoral Logic? Requirements of concurrent, distributed, and reactive systems are often hrased as constraints on sequences of events or states or constraints on execution aths. Temoral logic rovides a formal, exressive, and comact notation for realizing such requirements. The temoral logics we consider are also strongly tied to various comutational frameworks (e.g., automata theory) which rovides a foundation for building verification tools.

Temoral Logics Exress roerties of event orderings in time Linear Time Every moment has a unique successor Infinite sequences (words) Linear Temoral Logic (LTL) Branching Time Every moment has several successors Infinite tree Comutation Tree Logic (CTL)

Comutational Tree Logic (CTL) Syntax F ::= P rimitive roositions!f F && F F F F -> F roositional connectives AG F EG F AF F EF F temoral oerators AX F EX F A[F U F] E[F U F] Semantic Intuition AG along All aths holds Globally ath quantifier temoral oerator EG AF EF there Exists a ath where holds Globally along All aths holds at some state in the Future there Exists a ath where holds at some state in the Future

Comutational Tree Logic (CTL) Syntax F ::= P rimitive roositions!f F && F F F F -> F roositional connectives AG F EG F AF F EF F temoral oerators AX F EX F A[F U F] E[F U F] Semantic Intuition AX EX along All aths, holds in the next state there Exists a ath where holds in the next state A[ U q] E[ U q] along All aths, holds Until q holds there Exists a ath where holds Until q holds

Comutation Tree Logic AG

Comutation Tree Logic EG

Comutation Tree Logic AF

Comutation Tree Logic EF

Comutation Tree Logic AX

Comutation Tree Logic EX

Comutation Tree Logic A[ U q] q q q q q

Comutation Tree Logic E[ U q] q q q q q

Examle CTL Secifications For any state, a request (e.g., for some resource) will eventually be acknowledged AG(requested -> AF acknowledged) From any state, it is ossible to get to a restart state AG(EF restart) An uwards travelling elevator at the second floor does not changes its direction when it has assengers waiting to go to the fifth floor AG((floor=2 && direction=u && button5ressed) -> A[direction=u U floor=5])

CTL Examle

CTL Semantics M, s = M, s = M, s = q M, s = q if L(s) if not M, s = if M, s = and M, s = q if M, s = or M, s = q M, s = A M, s = E if (s): M, = if (s): M, =

CTL Semantics M, = X M, = F M, = G M, = Uq if M, 1 = if i 0: M, i = if i 0: M, i = if i 0: M, i = q and j< i: M, j = M = if M, s 0 =

CTL Satisfiability If a CTL formula is satisfiable, then the formula is satisfiable by a finite Krike model. CTL Model Checking: O( ( S + R ))

Examle: traffic light controller S E Guarantee no collisions Guarantee eventual service N

Secifications Safety (no collisions) Liveness AG (E_Go (N_Go S_Go)); AG ( N_Go N_Sense AF N_Go); AG ( S_Go S_Sense AF S_Go); AG ( E_Go E_Sense AF E_Go); Fairness constraints AF (N_Go N_Sense); AF (S_Go S_Sense); AF (E_Go E_Sense);

Equivalence EX EG E(Uq) --------------------------------------------------- AX EX AF EG AG EF A(Uq) E( R q) EF E(true U )

CTL Model Checking Six Cases: is an atomic roosition = q = q r = EXq = EGq = E(qUr)

Examle: Microwave Oven 1 Start Close Heat Error Start Close Heat Error start oven close door Start Close Heat Error oen door oen door 2 3 4 done Start Close Heat Error cook close door oen door reset start oven start cooking Start Close Heat Error 5 6 Start Close Heat Error warmu 7 Start Close Heat Error

CTL Secification We would like the microwave to have the following roerties (among others): No heat while door is oen AG( Heat Close): If oven starts, it will eventually start cooking AG (Start AF Heat) It must be ossible to correct errors AG( Error AF Error): Does it? How do we rove it?

CTL Model Checking Algorithm Iterate over subformulas of f from smallest to largest For each s S, if subformula is true in s, add it to labels(s) When algorithm terminates M,s f iff f labels(s)

Checking Subformulas Any CTL formula can be exressed in terms of:,, EX, EU, and EG, therefore must consider 6 cases: Atomic roosition if a L(s), add to labels(s) f 1 if f 1 labels(s), add f 1 to labels(s) f 1 f 2 if f 1 labels(s) or f 1 labels(s), add f 1 f 2 to labels(s) EX f 1 add EX f 1 to labels(s) if successor of s, s', has f 1 labels(s')

Checking Subformulas E[f 1 U f 2 ] Find all states s for which f 2 labels(s) Follow aths backwards from s finding all states that can reach s on a ath in which every state is labeled with f 1 Label each of these states with E[f 1 U f 2 ]

Checking Subformulas EG f 1 Basic idea look for one infinite ath on which f1 holds. Decomose M into nontrivial strongly connected comonents A strongly connected comonent (SCC) C is a maximal subgrah such that every node in C is reachable by every other node in C on a directed ath that contained entirely within C. C is nontrivial iff either it has more than one node or it contains one node with a self loo Create M' = (S,R,L ) from M by removing all states s S in which f 1 labels(s) and udating S, R, and L accordingly

Checking Subformulas Lemma M,s EG f 1 iff 1. s S' 2. There exists a ath in M' that leads from s to some node t in a nontrivial strongly connected comonent of the grah (S', R', L'). Proof left as exercise, but basic idea is Can t have an infinite ath over finite states without cycles So if we find a ath from s to a cycle and f 1 holds in every state (by construction), then we ve found an infinite ath over which f 1 holds

Checking EG f 1 rocedure CheckEG(f 1 ) S' = {s f 1 labels(s)}; SCC = {C C is a nontrivial SCC of S'}; T = C SCC {s s C}; for all s T do labels(s) = labels(s) {EG f 1 }; while T do choose s T; T = T \ {s}; for all t such that t S' and R(t,s) do if EG f 1 labels(t) then labels(t) = labels(t) {EG f 1 }; T = T {t}; end if; end for all; end while; end rocedure;

Checking a Proerty Checking AG(Start AF Heat) Rewrite as EF(Start EG Heat) Rewrite as E[ true U (Start EG Heat)] Comute labels for smallest subformulas Start, Heat Heat Formulas/States 1 2 3 4 5 6 7 Start x x x x Heat x x Heat x x x x x EG Heat Start EG Heat E[true U(Start EG Heat)] E[true U(Start EG Heat)]

Checking a Proerty Comute labels for EG Heat S = {1,2,3,5,6} SCC = {{1,2,3,5}} T = {1,2,3,5} No other state in S can reach a state in T along a ath in S. Comutation terminates. States 1,2,3, and 5 labelled with EG Heat Formulas/States 1 2 3 4 5 6 7 Start x x x x Heat x x Heat x x x x x EG Heat x x x x Start EG Heat E[true U(Start EG Heat)] E[true U(Start EG Heat)]

Checking a Proerty Comute labels for Start EG Heat Formulas/States 1 2 3 4 5 6 7 Start x x x x Heat x x Heat x x x x x EG Heat x x x x Start EG Heat x x E[true U(Start EG Heat)] E[true U(Start EG Heat)]

Checking a Proerty E[true U(Start EG Heat)] Start with set of states in which Start EG Heat holds i.e., {2,5} Work backwards marking every state in which true holds Formulas/States 1 2 3 4 5 6 7 Start x x x x Heat x x Heat x x x x x EG Heat x x x x Start EG Heat x x E[true U(Start EG Heat)] x x x x x x x E[true U(Start EG Heat)]

Checking a Proerty Check E[true U(Start EG Heat)] Leaves us with the emty set, so this roerty doesn t hold over our microwave oven Formulas/States 1 2 3 4 5 6 7 Start x x x x Heat x x Heat x x x x x EG Heat x x x x Start EG Heat x x E[true U(Start EG Heat)] x x x x x x x E[true U(Start EG Heat)]

Genealogy Floyd/Hoare late 60s Aristotle 300 s BCE Krike 59 Büchi, 60 w-automata S1S Logics of Programs Pnueli late 70 s Clarke/Emerson Early 80 s Temoral/ Modal Logics Tarski Park, 60 s 50 s Kurshan mid 80 s Vardi/Woler m-calculus ATV LTL Model Checking CTL Model Checking Bryant, mid 80 s QBF BDD Symbolic Model Checking late 80 s 39

Turing Awards in Verification 1. Amir Pnueli (1996) Temoral logics for secifying system behavior 2. Edmund Clarke, Allen Emerson, and Joseh Sifakis (2007) Develoment of model checking

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback