TUESDAY, Session 2: Temporal logic and model checking, cont.

1 Branching time and CTL model checking

In a branching-time temporal logic, we consider not just a single path through the Kripke model, but all possible paths emanating from a given state [1, 2].

Path quantifiers

A path quantifier indicates whether a given formula applies to all possible paths from a given state or to some possible path:

  M, s ⊨ A p   iff   every path s1 s2 ... starting at s satisfies p
  M, s ⊨ E p   iff   some path s1 s2 ... starting at s satisfies p

Note that A p ≡ ¬E ¬p.

The temporal logic CTL

In the temporal logic CTL, every temporal operator F, G, X or U is immediately preceded by a path quantifier. Some CTL modalities and their interpretations:

  AG p   "globally p"      (p holds at every state of every path)
  AF p   "inevitably p"    (p holds at some state of every path)
  EF p   "possibly p"      (p holds at some state of some path)
  EG p                     (p holds at every state of some path)

Note the following dualities:

  AG p ≡ ¬EF ¬p
  AF p ≡ ¬EG ¬p

Other CTL operators: AX p, EX p, A(p U q), E(p U q).

Example: some specifications for the mutual exclusion protocol

  AG ¬(C1 ∧ C2)       mutual exclusion
  AG (T1 → AF C1)     liveness
  AG (N1 → EX T1)     non-blocking

Note the last can't be stated in PLTL.

1.1 CTL model checking

Suppose we have already labelled the set of states satisfying the proposition p. To label the set of states satisfying AF p:

  1. If any state s is labelled with p, label it with AF p.
  2. Repeat: label any state with AF p if all of its successors are labelled AF p, until no change.
  3. Label all states not labelled AF p with ¬AF p.

(Step 2 relies on every state having at least one successor, as a Kripke model requires; a state with no successors would otherwise be labelled vacuously.)

Now the truth value of AF p in every state is known, so AF p can be treated as an atomic proposition while checking, for example, AG AF p. That is, model checking proceeds from smaller subformulas to larger subformulas. Algorithms for the other operators AG, EF, EG, AX, EX, A(p U q), E(p U q) are similar.

Complexity is O(f · V · (V + E)) where
  f is the number of operators in the formula,
  V is the number of states,
  E is the number of transitions,
since each operator terminates after at most V passes over the state graph.

Example: checking AG(T1 → AF C1) for the mutual exclusion protocol ("always, if [process] 1 is trying then inevitably [process] 1 is critical"):

  1. Label the graph with AF C1.
  2. Label every state with T1 → AF C1 if T1 is false or AF C1 is true.
  3. OK if all states are labelled T1 → AF C1.

Result of labelling the state graph with AF C1 (the number in [] is the pass on which the state was labelled; the three states in which process 1 is in N1 never get the label, since from them process 2 can cycle forever while process 1 never tries):

  N1,N2 turn=0        (not labelled)
  T1,N2 turn=1   [3]
  N1,T2 turn=2        (not labelled)
  C1,N2 turn=1   [1]
  T1,T2 turn=1   [2]
  C1,T2 turn=1   [1]
  T1,T2 turn=2   [5]
  T1,C2 turn=2   [4]
  N1,C2 turn=2        (not labelled)

In every state, if T1 is true then AF C1 is true, hence AG(T1 → AF C1) is true in the initial state.

A more efficient algorithm (Clarke/Emerson/Sistla):
  First note that all formulas can be expressed using only EX, EU and EG, e.g. AG p ≡ ¬EF ¬p, where EF q ≡ E(true U q).
  E(p U q) case: backward breadth-first search from the q-states through p-states.
  EG p case: restrict the graph to states satisfying p; find the maximal strongly connected components; use BFS to find any state that can reach an SCC.
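The labelling algorithm and the mutual-exclusion check above, as an added example in Python (this is not code from the lecture). The nine states are the ones in the lecture's state graph; the transition relation SUCC between them is my reconstruction of that figure and is an assumption. The checker reduces every operator to EX, EU and EG plus boolean connectives, as in the Clarke/Emerson/Sistla reduction, and AF_passes reproduces the naive pass-numbered AF labelling.

```python
"""Explicit-state CTL model checking by labelling, on the mutual-exclusion graph.

Added example, not from the lecture notes.  The nine states are those of the
lecture's state graph; the transition relation SUCC is an assumption
reconstructed from that figure (either process may move, and the turn passes
to the other process when a process leaves its critical section).
"""
from typing import Dict, Set

State = str

# State names are "<proc1><proc2>t<turn>": N = non-critical, T = trying, C = critical.
STATES = ["N1N2t0", "T1N2t1", "N1T2t2", "C1N2t1", "T1T2t1",
          "C1T2t1", "T1T2t2", "T1C2t2", "N1C2t2"]

# Assumed transition relation (one interleaved step of either process).
SUCC: Dict[State, Set[State]] = {
    "N1N2t0": {"T1N2t1", "N1T2t2"},
    "T1N2t1": {"C1N2t1", "T1T2t1"},
    "N1T2t2": {"N1C2t2", "T1T2t2"},
    "C1N2t1": {"N1N2t0", "C1T2t1"},
    "T1T2t1": {"C1T2t1"},
    "C1T2t1": {"N1T2t2"},
    "T1T2t2": {"T1C2t2"},
    "T1C2t2": {"T1N2t1"},
    "N1C2t2": {"N1N2t0", "T1C2t2"},
}

def atom(p: str) -> Set[State]:
    """States where atomic proposition p holds, read off the state name."""
    return {s for s in STATES if p in (s[0:2], s[2:4])}

def neg(x: Set[State]) -> Set[State]:
    return set(STATES) - x

def EX(x: Set[State]) -> Set[State]:
    return {s for s in STATES if SUCC[s] & x}

def EU(x: Set[State], y: Set[State]) -> Set[State]:
    """E(x U y): least fixpoint, backward search from the y-states through x-states."""
    z = set(y)
    while True:
        new = z | (x & EX(z))
        if new == z:
            return z
        z = new

def EG(x: Set[State]) -> Set[State]:
    """EG x: greatest fixpoint, keep x-states that still have a successor in the set."""
    z = set(x)
    while True:
        new = z & EX(z)
        if new == z:
            return z
        z = new

# The remaining operators via the dualities in the notes.
def EF(x): return EU(set(STATES), x)
def AF(x): return neg(EG(neg(x)))
def AG(x): return neg(EF(neg(x)))
def AX(x): return neg(EX(neg(x)))
def implies(x, y): return neg(x) | y

def AF_passes(x: Set[State]) -> Dict[State, int]:
    """The naive AF labelling from the notes: returns, for every state that gets
    the label AF x, the pass on which it was labelled (pass 1 = the x-states).
    A state is labelled on pass n when all its successors were labelled before pass n."""
    passes = {s: 1 for s in x}
    n = 1
    while True:
        n += 1
        labelled = set(passes)
        added = {s for s in STATES if s not in labelled and SUCC[s] <= labelled}
        if not added:
            return passes
        for s in added:
            passes[s] = n

def check_mutex() -> Dict[str, bool]:
    """The three specifications from the notes, evaluated in the initial state."""
    C1, C2, T1, N1 = atom("C1"), atom("C2"), atom("T1"), atom("N1")
    init = "N1N2t0"
    return {
        "mutual exclusion": init in AG(neg(C1 & C2)),
        "liveness":         init in AG(implies(T1, AF(C1))),
        "non-blocking":     init in AG(implies(N1, EX(T1))),
    }
```

AF_passes(atom("C1")) labels C1N2t1 and C1T2t1 on pass 1, T1T2t1 on pass 2, T1N2t1 on pass 3, T1C2t2 on pass 4 and T1T2t2 on pass 5, and leaves the three N1 states unlabelled, matching the figure; the fixpoint AF(atom("C1")) gives the same set, and check_mutex() returns True for all three specifications. Note that EG as written relies on the transition relation being total, the same caveat as for step 2 of the naive algorithm.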

(Figure: the states satisfying p, with the SCCs among them; EG p holds exactly in the p-states that can reach one of these SCCs.)

This algorithm is O(f(V + E)), i.e. linear in both formula size and model size.

1.2 Example: the ABP revisited

(Figure: input I → sender S → lossy channel M → receiver R → output O, with acknowledgements returning from R to S over a second lossy channel A.)

We construct a very abstract model, ignoring message data and considering only sequence numbers.

The sender process:

  S :: in_ctr, ack_ctr : 0..1, initially 0
     [ in_ctr = ack_ctr  → I?data(); in_ctr := in_ctr + 1 mod 2
     □ in_ctr ≠ ack_ctr  → M!msg(in_ctr)
     □ A?ack(ack_ctr)
     ]*

The message channel (the ack channel A is similar):

  M :: ctr : 0..1, initially 0
     [ S?msg(ctr); [ R!msg(ctr) □ skip ] ]*

The receiver process:

  R :: rcv_ctr, out_ctr : 0..1, initially 0
     [ M?msg(rcv_ctr);
       [ out_ctr ≠ rcv_ctr → O!data(); out_ctr := rcv_ctr ];
       A!ack(rcv_ctr)
     ]*

Verifying the model:
  Generate the Kripke model from the program text.
  Express the specifications in CTL.

Note: in the following, atomic propositions like (P msg Q) will be used to denote "P sends msg to Q". These are properly transition labels and not state labels. However, this problem is usually solved by using the "transition graph", where every transition becomes a state.

No duplication of messages (and no buffering):

  in_before_out ≡ ¬(R data O) W (I data S)
  safe ≡ in_before_out ∧ AG((R data O) → AX in_before_out)

(W is the weak until; since these are CTL specifications, the path formula in_before_out is read under an A path quantifier.)

Liveness: every time a message is input, one is eventually output:

  live ≡ AG((I data S) → AF (R data O))

When checking live, the model checker produces a counterexample like the following:

  I → S
  S → M
  (M loses message)

with the last two steps repeating forever. That is, an infinite loop in the state graph where every message is lost by the M channel.

Fairness assumptions

We want to verify the model assuming the channels do not lose messages forever. In PLTL, we could express this assumption as follows:

  M_fair ≡ GF (S msg M) → GF (M msg R)

(A_fair is the corresponding constraint for the ack channel A.)

We could then verify that M_fair ∧ A_fair → live. As we will see, however, model checking for PLTL has exponential complexity in the formula size. Using many fairness constraints in this way would therefore be impractical.

Suppose we try translating M_fair ∧ A_fair → live into CTL. In general, if there is a CTL equivalent of an LTL formula, it is obtained by adding an A path quantifier to every operator. For example, M_fair becomes

  M_fair' ≡ AG AF (S msg M) → AG AF (M msg R)

This, however, is simply false in every state. Therefore M_fair' ∧ A_fair' → live is trivially true. In general, we can't express fairness constraints directly in CTL.

CTL with fairness constraints

A simple fairness constraint is a formula of the form GF p, where p is a state formula. In a model with fairness constraints, path quantifiers apply only to paths satisfying all fairness constraints:

  M, s ⊨ A_f p   iff   every fair path s1 s2 ... starting at s satisfies p
  M, s ⊨ E_f p   iff   some fair path s1 s2 ... starting at s satisfies p

where we use A_f and E_f to indicate the fair interpretation. For example, under the fairness constraint GF p, A_f F q ≡ A(GF p → F q).

Model checking under fairness constraints

Let the fairness constraints be ⋀_{i=1..n} GF p_i.
  A state is fair (is the start of some fair path) iff it satisfies E_f G true.
  E_f (p U q) ≡ E(p U (q ∧ E_f G true))

  Algorithm for E_f G p: restrict the state graph to states satisfying p; find the SCCs; remove an SCC if it does not contain a state satisfying each p_i; use BFS to find any state that can reach a (fair) SCC. (Only non-trivial SCCs count, i.e. those containing a cycle: a single state without a self-loop cannot be visited infinitely often.)

(Figure: the states satisfying p, with the fair SCCs, each containing states satisfying p1, p2 and p3.)

Complexity of this algorithm: O(f(V + E)n), i.e. still linear.

Fairness constraints for ABP
  A simple fairness constraint GF (M msg R) is sufficient to make the "live" specification true, but this is too strong an assumption (i.e., what if the sender stops sending?).
  A Streett fairness constraint GF (S msg M) → GF (M msg R) is a weaker assumption (but perhaps still not justified, in case the receiver infinitely blocks reception of messages). CTL formulas under Streett fairness constraints can be verified in time O(f(V + E)n²).
  A yet weaker set of assumptions might be
    GF EX(M msg R) → GF (M msg R)
    GF EX(R data O) → GF (R data O)
  (the latter is to eliminate the case where the receiver receives a message and then forever blocks further receptions while the M channel infinitely loses messages).
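The state-space generation described under "Verifying the model" in 1.2 and the fair-SCC algorithm for E_f G just above, as one added example in Python (this is not code from the lecture). It builds the ABP transition graph from the guarded-command processes S, M, A and R, with these assumptions of mine: I?data() is always enabled, each channel holds at most one message and accepts none while full, the receiver's bracketed guarded command is an if (a silent step when the guard is false), and the ack channel A behaves like M. Every transition becomes a node, so labels such as "S msg M" are atomic propositions. It then checks live with no fairness constraint (it fails on the lose-forever loop) and under the simple fairness constraint GF (M msg R) (it holds), as the notes describe. The labels I_data_S, S_msg_M, M_msg_R, M_lose, A_ack_S, A_lose, R_data_O, R_tau and R_ack_A are my names.

```python
"""ABP: build the transition graph from the guarded-command processes, then check
`live` without fairness and under the simple fairness constraint GF (M msg R).

Added example, not from the lecture notes.  Assumptions beyond the notes: I?data()
is always enabled; each channel holds at most one message and accepts none while
full; the receiver's "[ out_ctr != rcv_ctr -> ... ]" is an if (silent step R_tau
when the guard is false); the ack channel A behaves like M.  Every transition
becomes a node so that "P msg Q" is an atomic proposition, as the notes suggest.
"""
import sys
from typing import Dict, List, Set, Tuple

sys.setrecursionlimit(20000)   # Tarjan's DFS below is recursive

# Global state (in_ctr, ack_ctr, m, a, r_phase, rcv_ctr, out_ctr): m and a hold the
# sequence number in channel M / A, or None when empty; r_phase 0/1/2 = R is waiting
# for a message / has received one / is about to send the ack.
State = Tuple[int, int, object, object, int, int, int]
INIT: State = (0, 0, None, None, 0, 0, 0)

def steps(s: State) -> List[Tuple[str, State]]:
    """Enabled transitions of S || M || A || R (interleaving), as (label, next state)."""
    i, k, m, a, r, rcv, out = s
    t = []
    if i == k:                  t.append(("I_data_S", (1 - i, k, m, a, r, rcv, out)))
    if i != k and m is None:    t.append(("S_msg_M", (i, k, i, a, r, rcv, out)))
    if a is not None:
        t.append(("A_ack_S", (i, a, m, None, r, rcv, out)))
        t.append(("A_lose", (i, k, m, None, r, rcv, out)))
    if m is not None:
        t.append(("M_lose", (i, k, None, a, r, rcv, out)))
        if r == 0:              t.append(("M_msg_R", (i, k, None, a, 1, m, out)))
    if r == 1:
        t.append(("R_data_O" if out != rcv else "R_tau", (i, k, m, a, 2, rcv, rcv)))
    if r == 2 and a is None:    t.append(("R_ack_A", (i, k, m, rcv, 0, rcv, out)))
    return t

# Transition graph: node = (label of the transition just taken, resulting state).
Node = Tuple[str, State]
ROOT: Node = ("init", INIT)
SUCC: Dict[Node, Set[Node]] = {}
todo = [ROOT]
while todo:
    n = todo.pop()
    if n not in SUCC:
        SUCC[n] = set(steps(n[1]))
        todo.extend(SUCC[n])
NODES: Set[Node] = set(SUCC)

def atom(label: str) -> Set[Node]: return {n for n in NODES if n[0] == label}
def neg(x): return NODES - x
def EX(x): return {n for n in NODES if SUCC[n] & x}
def implies(x, y): return neg(x) | y

def EU(x, y):
    """E(x U y) by backward search from y through x-nodes (least fixpoint)."""
    z = set(y)
    while True:
        new = z | (x & EX(z))
        if new == z:
            return z
        z = new

def sccs(nodes: Set[Node]) -> List[Set[Node]]:
    """Tarjan's algorithm on the subgraph induced by `nodes`."""
    idx, low, on_stack, stack, comps = {}, {}, set(), [], []
    def visit(v):
        idx[v] = low[v] = len(idx)
        stack.append(v); on_stack.add(v)
        for w in SUCC[v] & nodes:
            if w not in idx:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], idx[w])
        if low[v] == idx[v]:
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v:
                    break
            comps.append(comp)
    for v in nodes:
        if v not in idx:
            visit(v)
    return comps

def EfG(x: Set[Node], fair: List[Set[Node]]) -> Set[Node]:
    """E_f G x: nodes that can reach, inside x, an SCC of x that is non-trivial (has a
    cycle) and contains a node from every fairness set.  fair == [] gives plain EG."""
    good = [c for c in sccs(x)
            if (len(c) > 1 or any(SUCC[v] & c for v in c)) and all(c & f for f in fair)]
    return EU(x, set().union(*good))

def AfF(y, fair): return neg(EfG(neg(y), fair))                        # A_f F y
def AfG(x, fair): return neg(EU(NODES, neg(x) & EfG(NODES, fair)))    # not E_f(true U not x)

def live(fair: List[Set[Node]]) -> Set[Node]:
    """AG((I data S) -> AF (R data O)), path quantifiers read as A_f under `fair`."""
    return AfG(implies(atom("I_data_S"), AfF(atom("R_data_O"), fair)), fair)

def live_holds(fair: List[Set[Node]]) -> bool:
    return ROOT in live(fair)
```

live_holds([]) is False: after the first I_data_S node the S_msg_M / M_lose pair forms a cycle in the ¬(R data O) subgraph, which is exactly the counterexample the notes describe. live_holds([atom("M_msg_R")]) is True: once every path must deliver infinitely often, a ¬(R data O) cycle would have to contain an M_msg_R node, and after an input the channel can deliver at most one stale copy of the old sequence number before it carries the new one, whose delivery outputs. The non-trivial-SCC test in EfG matters here: ROOT has no predecessor, so it is a trivial SCC and is fair only because it can reach a fair cycle.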

  A receptiveness property:
    receptive ≡ AG AF EX (I data S)    "the sender must eventually be ready to accept another message"
  This requires a fairness constraint on the A as well as the M channel.

2 Expressiveness issues

2.1 Linear vs branching time

The logic CTL* subsumes PLTL and CTL:
  path formulas: p U q, G p, F p, X p, ¬p, p ∨ q
  state formulas: A p, E p where p is a path formula

An LTL formula like GF p is equivalent to the CTL* state formula A GF p.

Some expressiveness results:
  "Existential" properties like AG EF p are not expressible in LTL. These are very useful for finding deadlocks in protocols.
  "Fairness" properties like A(GF p → GF q) are not expressible in CTL.

Complexity of model checking:
  CTL (with fairness)     O(f (V + E) n²)
  PLTL (with fairness)    O(2^f (V + E) n²)    (PSPACE-complete)
  CTL* (with fairness)    same as PLTL

Note: LTL formulas are often small (when fairness constraints are built into the model). This means it is often practical to check them in spite of the exponential complexity.

Note: CTL* has the same complexity as PLTL because we can treat state formulas as atomic propositions when checking path formulas. Because of this, it is often said that branching time is superior to linear time for model checking, since the complexity is the same or better, and it is strictly more expressive.

2.2 Data independence

To check that ABP delivers correct data, we can add a one-bit data field to the messages and check

  AG((I data(1) S) → AF (R data(1) O))

Question: can we infer from this that the protocol works for any data size?

Suppose we want to allow arbitrary buffering of data (in → unbounded buffer → out), e.g. allow behavior like:

  in(1) in(2) in(3) out(1) out(2) out(3)

This is not expressible in propositional temporal logic.

Data independence (Wolper)

A model is "data independent" [3] if all "data" variables occur only in assignments of the form x := y, or as message parameters, e.g. P!data(x) or Q?data(y).

The unbounded buffer property can be broken into two parts:
  1. no duplication or loss of messages
  2. messages delivered in the order received

Property (1) can be verified on a data-independent model with only two data values (say, 0 and 1):

  exactly_once(x) ≡ ¬x U (x ∧ XG ¬x)

  (1)  exactly_once(in(1)) → exactly_once(out(1))

The reasoning behind this is as follows. Suppose a message is duplicated, e.g.

  in(1) in(2) in(3) out(1) out(2) out(2)

Every out() value must derive from some in() value by some sequence of assignments. So, by changing the duplicated input to 1 and all the others to 0, we get a run like

  in(0) in(1) in(0) out(0) out(1) out(1)

which violates our property (1).

Property (2) can be verified with three data values (say, 0, 1 and 2) as follows:

  before(x, y) ≡ ¬y W (x ∧ ¬y)

  (2)  exactly_once(in(1)) ∧ exactly_once(in(2)) ∧ before(in(1), in(2)) → before(out(1), out(2))

The reasoning is similar to the above.
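The data-independence reduction of 2.2, as an added example in Python (this is not code from the lecture): exactly_once and before evaluated on finite runs, and the renaming argument (the chosen value to 1 and all others to 0, or a chosen pair to 1 and 2) applied to every input value, or every ordered pair of input values, of a run. It goes slightly beyond the text, which renames the one duplicated value by hand, by trying all of them. The runs are constructed for the example; the event encoding ("in", v) / ("out", v) and the function names are mine.

```python
"""Data-independence reduction (Wolper) checked on finite runs.

Added example, not from the lecture notes.  A run is a list of events ("in", v)
or ("out", v); the temporal formulas are evaluated on the finite run, reading
"G not x" on the remaining suffix as "x does not occur again".  Renaming data
values is sound only for a data-independent model, where every out() value is a
copy of some in() value.  Event encoding and function names are my own.
"""
from itertools import permutations
from typing import Dict, List, Tuple

Event = Tuple[str, int]
Run = List[Event]

def exactly_once(run: Run, x: Event) -> bool:
    """not x U (x and X G not x): x occurs at exactly one position of the run."""
    return run.count(x) == 1

def before(run: Run, x: Event, y: Event) -> bool:
    """not y W (x and not y): no y before the first x (weak until: also true if
    neither ever occurs, or x occurs and y never does)."""
    for e in run:
        if e == y:
            return False
        if e == x:
            return True
    return True

def rename(run: Run, mapping: Dict[int, int]) -> Run:
    """Map data values through `mapping`; every unmapped value becomes 0."""
    return [(kind, mapping.get(v, 0)) for kind, v in run]

def input_values(run: Run):
    return {v for kind, v in run if kind == "in"}

def no_duplication_or_loss(run: Run) -> bool:
    """Property (1): for every input value v, with v -> 1 and all others -> 0,
    exactly_once(in(1)) -> exactly_once(out(1))."""
    for v in input_values(run):
        r = rename(run, {v: 1})
        if exactly_once(r, ("in", 1)) and not exactly_once(r, ("out", 1)):
            return False
    return True

def in_order(run: Run) -> bool:
    """Property (2): for every ordered pair of distinct input values (v, w), with
    v -> 1, w -> 2 and all others -> 0,
    exactly_once(in(1)) and exactly_once(in(2)) and before(in(1), in(2))
        -> before(out(1), out(2))."""
    for v, w in permutations(input_values(run), 2):
        r = rename(run, {v: 1, w: 2})
        premise = (exactly_once(r, ("in", 1)) and exactly_once(r, ("in", 2))
                   and before(r, ("in", 1), ("in", 2)))
        if premise and not before(r, ("out", 1), ("out", 2)):
            return False
    return True

# Constructed runs: the notes' duplicating run, a lossy run, a reordering run, and
# a correct FIFO run.
DUPLICATED = [("in", 1), ("in", 2), ("in", 3), ("out", 1), ("out", 2), ("out", 2)]
LOSSY      = [("in", 1), ("in", 2), ("in", 3), ("out", 1), ("out", 3)]
REORDERED  = [("in", 1), ("in", 2), ("in", 3), ("out", 1), ("out", 3), ("out", 2)]
FIFO       = [("in", 1), ("in", 2), ("in", 3), ("out", 1), ("out", 2), ("out", 3)]
```

On DUPLICATED, renaming value 2 gives the run in(0) in(1) in(0) out(0) out(1) out(1) from the notes, on which exactly_once(in(1)) holds but exactly_once(out(1)) does not, so no_duplication_or_loss is False; it is also False on LOSSY and True on FIFO and REORDERED. in_order is False only on REORDERED among the runs where every value is delivered exactly once; it is True on DUPLICATED, which shows why the notes need both properties. Checking single runs like this is a runtime-monitoring view of the reduction; the argument in the notes is that model checking the two- or three-valued model covers all runs at once.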

3 Summary

Reactive systems
  Concurrency ⇒ temporal properties.
  LTL adds temporal operators to propositional logic; the model is an infinite sequence of program states.
  Can express safety, liveness, fairness.
  Proofs are somewhat laborious.

Model checking
  Translate the model (e.g. in CSP) to a finite state graph (Kripke model): interleaving semantics for concurrency; the model must be fairly abstract.
  Model checking algorithm for CTL: naive fixed point algorithm O(n²); SCC-based algorithm linear in formula size and model size.
  Fairness constraints: simple fairness (GF p), Streett fairness (GF p → GF q).

Expressiveness issues
  CTL* subsumes LTL and CTL.
  Tradeoff of expressiveness vs complexity.
  Unbounded buffer properties: cannot be expressed directly in TL; can be verified using data independence arguments.

References

[1] E. M. Clarke and O. Grumberg. Research on automatic verification of finite state systems. Annual Review of Computer Science, 2:269-290, 1987.
[2] E. A. Emerson. Temporal and modal logic. In Handbook of Theoretical Computer Science, vol. B: Formal Methods and Semantics, chapter 16. Elsevier, 1990.
[3] P. Wolper. Expressing interesting properties of programs in propositional temporal logic. In 13th ACM POPL, pages 184-193.