Formal Methods Lecture VII Symbolic Model Checking

Similar documents
FORMAL METHODS LECTURE V: CTL MODEL CHECKING

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

FORMAL METHODS LECTURE VI BINARY DECISION DIAGRAMS (BDD S)

Binary Decision Diagrams and Symbolic Model Checking

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Lecture 2: Symbolic Model Checking With SAT

Reduced Ordered Binary Decision Diagrams

Model checking the basic modalities of CTL with Description Logic

Symbolic Model Checking with ROBDDs

Scuola Estiva di Logica, Gargnano, 31 agosto - 6 settembre 2008 LOGIC AT WORK. Formal Verification of Complex Systems via. Symbolic Model Checking

Boolean decision diagrams and SAT-based representations

CS357: CTL Model Checking (two lectures worth) David Dill

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Reduced Ordered Binary Decision Diagrams

Model Checking: An Introduction

Model Checking with CTL. Presented by Jason Simas

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Symbolic Model Checking Property Specification Language*

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

CTL Model Checking. Wishnu Prasetya.

Logic: Propositional Logic (Part I)

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Lecture 16: Computation Tree Logic (CTL)

MODEL CHECKING. Arie Gurfinkel

T Reactive Systems: Temporal Logic LTL

Algorithmic verification

Finite-State Model Checking

Symbolic Model Checking of Domain Models. for Autonomous Spacecrafts

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Linear Temporal Logic and Büchi Automata

Timo Latvala. February 4, 2004

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Postprint.

Binary Decision Diagrams

3-Valued Abstraction-Refinement

Formal Verification Methods 1: Propositional Logic

Computation Tree Logic

Hardware Equivalence & Property Verification

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Model Checking Security Protocols Using a Logic of Belief

A brief introduction to Logic. (slides from

EECS 144/244: Fundamental Algorithms for System Modeling, Analysis, and Optimization

Natural Deduction. Formal Methods in Verification of Computer Systems Jeremy Johnson

Lecture 2. Logic Compound Statements Conditional Statements Valid & Invalid Arguments Digital Logic Circuits. Reading (Epp s textbook)

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Comp487/587 - Boolean Formulas

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

Sanjit A. Seshia EECS, UC Berkeley

Computation Tree Logic (CTL)

Logic and Discrete Mathematics. Section 3.5 Propositional logical equivalence Negation of propositional formulae

Tecniche di Verifica. Introduction to Propositional Logic

Models for Efficient Timed Verification

Overview. overview / 357

AMTH140 Lecture 8. Symbolic Logic

The algorithmic analysis of hybrid system

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Model for reactive systems/software

Parameterized model-checking problems

Towards an Optimal CNF Encoding of Boolean Cardinality Constraints

Bounded Model Checking Using Satisfiability Solving

Chapter 3 Combinational Logic Design

Undergraduate work. Symbolic Model Checking Using Additive Decomposition by. Himanshu Jain. Joint work with Supratik Chakraborty

Chapter 6: Computation Tree Logic

Unit 8A Computer Organization. Boolean Logic and Gates

Model Checking. Boris Feigin March 9, University College London

Computer Aided Verification

XOR - XNOR Gates. The graphic symbol and truth table of XOR gate is shown in the figure.

PSPACE-completeness of LTL/CTL model checking

Revising Specifications with CTL Properties using Bounded Model Checking

Towards Inference and Learning in Dynamic Bayesian Networks using Generalized Evidence

Motivation Framework Proposed theory Summary

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Crash course Verification of Finite Automata CTL model-checking

Unit 1. Propositional Logic Reading do all quick-checks Propositional Logic: Ch. 2.intro, 2.2, 2.3, 2.4. Review 2.9

Chapter 4: Classical Propositional Semantics

Database Theory VU , SS Complexity of Query Evaluation. Reinhard Pichler

Interpolation. Seminar Slides. Betim Musa. 27 th June Albert-Ludwigs-Universität Freiburg

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Sample Problems for all sections of CMSC250, Midterm 1 Fall 2014

2009 Spring CS211 Digital Systems & Lab CHAPTER 2: INTRODUCTION TO LOGIC CIRCUITS

QBF Encoding of Temporal Properties and QBF-based Verification

Propositional Calculus: Formula Simplification, Essential Laws, Normal Forms

Computer Organization: Boolean Logic

Announcements. CS243: Discrete Structures. Propositional Logic II. Review. Operator Precedence. Operator Precedence, cont. Operator Precedence Example

Logic: First Order Logic

22c:145 Artificial Intelligence

Solvers for the Problem of Boolean Satisfiability (SAT) Will Klieber Aug 31, 2011

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

First-Order Logic. 1 Syntax. Domain of Discourse. FO Vocabulary. Terms

PSL Model Checking and Run-time Verification via Testers

EECS 1028 M: Discrete Mathematics for Engineers

Chapter 3 Deterministic planning

Compressing BMC Encodings with QBF

Solutions to Homework I (1.1)

Transcription:

Formal Methods Lecture VII Symbolic Model Checking Faculty of Computer Science Free University of Bozen-Bolzano artale@inf.unibz.it http://www.inf.unibz.it/ artale/ Academic Year: 2006/07 Some material (text, figures) displayed in these slides is courtesy of: M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R.Sebastiani.

1 2

Main Ideas OBDD s allow systems with a large state space to be verified. The Labeling algorithm takes a CTL formula and returns a set of states manipulating intermediate set of states. The algorithm is changed by storing set of states as OBDD s and then manipulating them. Model checking using OBDD s is called Symbolic Model Checking.

Symbolic Representation of States Example: Three state variables x 1,x 2,x 3 : {000,001,010,011} represented as first bit false : x 1 With five state variables x 1,x 2,x 3,x 4,x 5 : {00000, 00001, 00010, 00011, 00100, 00101, 00110, 00111,...,01111} still represented as first bit false : x 1

Symbolic Representation of States (Cont.) Let M = (S,I,R,L,AP) be a Kripke structure States s S are described by means of a vector V = (v 1,v 2,...,v n ) of boolean values: One for each x i AP. A state, s, is a truth assignment to each variable in AP such that v i = 1 iff x i L(s). Example: 0100 represents the state s where only x 2 L(s).

Symbolic Representation of States (Cont.) Boolean vectors can be represented by boolean formulas Example: 0100 can be represented by the formula ξ(s) = ( x 1 x 2 x 3 x 4 ) We call ξ(s) the formula representing the state s S (Intuition: ξ(s) holds iff the system is in the state s) A set of states, Q S, can be represented by the formula Characteristic Function of Q: ξ(q) = _ ξ(s) s Q Thus, (set of) states can be encoded as OBDD s!

Remark Any propositional formula is a (typically very compact) representation of the set of assignments satisfying it Any formula equivalent to ξ(q) is a representation of Q Typically Q can be encoded by much smaller formulas than W s Q ξ(s)! Example: Q ={00000, 00001, 00010, 00011, 00100, 00101, 00110, 00111,..., 01111} represented as first bit false : x 1 W s Q ξ(s) = ( x 1 x 2 x 3 x 4 x 5 ) ( x 1 x 2 x 3 x 4 x 5 ) ( x 1 x 2 x 3 x 4 x 5 ) 2 4 disjuncts... ( x 1 x 2 x 3 x 4 x 5 )

Symbolic Representation of Transitions The transition relation R is a set of pairs of states: R S S. Then, a single transition is a pair of states (s,s ). A new vector of variables V (the next state vector) represents the value of variables after the transition has occurred. ξ(s,s ) defined as ξ(s) ξ(s ). The transition relation R can be (naively) represented by _ (s,s ) R ξ(s,s ) = _ (s,s ) R ξ(s) ξ(s )

Remark Any formula equivalent to ξ(r) is a representation of R Typically R can be encoded by a much smaller formula than W (s,s ) R ξ(s) ξ(s )! Example: a synchronous sequential circuit v 1 v 0 v 1 v 0 0 0 0 1 0 1 1 0 1 0 1 1 1 1 0 0 ξ(r) = (v 0 v 0) (v 1 v 0 L v1 ) W (s,s ) R ξ(s) ξ(s ) = ( v 0 v 1 v 0 v 1 ) (v 0 v 1 v 0 v 1 ) ( v 0 v 1 v 0 v 1 ) (v 0 v 1 v 0 v 1 )

Summary..

Intro Problem: M = ϕ? Let M = S,I,R,L,AP be a Kripke structure and ϕ be a CTL formula. The Symbolic Model-Checking algorithm is a Labeling algorithm that makes use of OBDD. It is implemented by a recursive procedure Check with: Input: ϕ, the formula to be checked; Output: B ϕ, the OBDD representing the states satisfying ϕ.

Intro (Cont.) To check whether I [[ϕ]]: i.e., (B I B ϕ ) B apply(,b I,B ϕ ) B To compute OBDD s for CTL formulas we need to understand how to compute them in case of the temporal operators: p, p U, p.

PreImage Backward (pre) image of a set: PreImage(P) P Evaluate all transitions ending in the states of the set. Set theoretic view: PreImage(P,R) := {s S s.(s,s ) R and s P} Logical Characterization: ξ(preimage(p,r)) := V.(ξ(P)[V ] ξ(r)[v,v ]) N.B.: quantification over propositional variables

PreImage: An Example Example: A synchronous sequential circuit v 0 v 1 v 1 v 0 v 1 v 0 0 0 0 1 0 1 1 0 1 0 1 1 1 1 0 0 ξ(r) = (v 0 v 0) (v 1 v 0 L v1 ) ξ(p) := (v 0 v 1 ) (i.e., P = {00,11}) Pre Image: ξ(preimage(p,r)) = V.(ξ(P)[V ] ξ(r)[v,v ]) = V.((v 0 v 1 ) (v 0 v 0) (v 1 v 0 L v1 ))

OBDD for PreImages B p ϕ, the OBDD for p ϕ, is computed starting from the OBDD s for both ϕ, B ϕ, and the transition relation, B R. ξ(preimage(ϕ,r)) := V.(ξ(ϕ)[V ] ξ(r)[v,v ]), then: 1 Rename the variable in B ϕ to their primed version, B ϕ 2 Compute B (ϕ R) = apply(,b ϕ,b R ); 3 B p ϕ is a sequence of: apply(,restrict(0,x i,b (ϕ R)),restrict(1,x i,b (ϕ R))) where x i V We call Pre(B ϕ ) the procedure that computes B p ϕ.

The Check Symbolic M.C. Algorithm Check(ϕ) { case ϕ of true: return B ; false: return B ; an atom x i : return B xi ; ϕ 1 : return Invert(Check(ϕ 1 )); ϕ 1 ϕ 2 : return Apply(,Check(ϕ 1 ),Check(ϕ 2 )); p ϕ 1 : return Pre(Check(ϕ 1 )); p (ϕ 1 U ϕ 2 ): return Check EU(Check(ϕ 1 ),Check(ϕ 2 )); p ϕ 1 : return Check EG(Check(ϕ 1 )); }

Check EG [[ p ϕ]] = [[ϕ]] Pre([[ p ϕ]]) Check EG(B ϕ ){ var X,OLD-X ; X := B ϕ ; OLD-X := B ; while X OLD-X begin OLD-X := X ; X := Apply(,X,Pre(X )) end return X }

Check EU [[ p (ϕu ψ)]] = [[ψ]] ([[ϕ]] Pre([[ p (ϕu ψ)]])) Check EU(B ϕ,b ψ ){ var X,OLD-X ; X := B ψ ; OLD-X := B ; while X OLD-X begin OLD-X := X ; X := Apply(,X,Apply(,B ϕ,pre(x ))) end return X }

CTL Symbolic Model Checking Summary Based on fixed point CTL M.C. algorithms Kripke structure encoded as boolean formulas (OBDDs) All operations handled as (quantified) boolean operations Avoids building the state graph explicitly Reduces dramatically the state explosion problem problems of up to 10 120 states handled!!

Partitioned Transition Relations There may be significant efficiency problems: The transition relation may be too large to construct Intermediate OBDDs may be too large to handle. IDEA: Partition conjunctively the transition relation: R(V,V ) ^ R i (V i,v i ) Trade one big quantification for a sequence of smaller quantifications V 1...V n.(r 1 (V 1,V 1 )... R n(v n,v n) Q(V )) by pushing quantifications inward can be reduced to V 1.(R 1(V 1,V 1 )... V n(r n (V n,v n) Q(V ))) which is typically much smaller i

Symbolic Model Checkers Most hardware design companies have their own Symbolic Model Checker(s) Intel, IBM, Motorola, Siemens, ST, Cadence,... very advanced tools proprietary technolgy! On the academic side CMU SMV [McMillan] VIS [Berkeley, Colorado] Bwolen Yang s SMV [CMU] NuSMV [CMU, IRST, UNITN, UNIGE]...

Summary of Lecture VII..

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback