CS357: CTL Model Checking (two lectures worth) David Dill

Similar documents
Temporal Logic Model Checking

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Model checking the basic modalities of CTL with Description Logic

Model for reactive systems/software

Model Checking: An Introduction

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Overview. overview / 357

PSPACE-completeness of LTL/CTL model checking

Chapter 6: Computation Tree Logic

Chapter 4: Computation tree logic

3-Valued Abstraction-Refinement

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

Sanjit A. Seshia EECS, UC Berkeley

Computation Tree Logic

Model Checking with CTL. Presented by Jason Simas

Lecture 16: Computation Tree Logic (CTL)

Computation Tree Logic

Finite-State Model Checking

Reduced Ordered Binary Decision Diagrams

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

From Liveness to Promptness

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Models for Efficient Timed Verification

Binary Decision Diagrams and Symbolic Model Checking

3. Temporal Logics and Model Checking

Model Checking & Program Analysis

Computation Tree Logic (CTL)

Section Summary. Section 1.5 9/9/2014

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

MODEL CHECKING. Arie Gurfinkel

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Notes on induction proofs and recursive definitions

Alternating Time Temporal Logics*

CTL Model Checking. Wishnu Prasetya.

Binary Decision Diagrams

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Before we show how languages can be proven not regular, first, how would we show a language is regular?

Lecture 2: Symbolic Model Checking With SAT

Chapter 5: Linear Temporal Logic

CTL satisfability via tableau A C++ implementation

Computation Tree Logic (CTL)

Computation Tree Logic

Formal Methods Lecture VII Symbolic Model Checking

Linear Temporal Logic and Büchi Automata

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

First-order resolution for CTL

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

G52DOA - Derivation of Algorithms Predicate Logic

An Introduction to Temporal Logics

LTL Model Checking. Wishnu Prasetya.

Automata, Logic and Games: Theory and Application

Computational Boolean Algebra. Pingqiang Zhou ShanghaiTech University

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Section Summary. Predicate logic Quantifiers. Negating Quantifiers. Translating English to Logic. Universal Quantifier Existential Quantifier

Automata-based Verification - III

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

Reduced Ordered Binary Decision Diagrams

Comp487/587 - Boolean Formulas

Algorithmic verification

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Computer-Aided Program Design

T Reactive Systems: Temporal Logic LTL

Boolean decision diagrams and SAT-based representations

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Learning to Verify Branching Time Properties

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

1 First-order logic. 1 Syntax of first-order logic. 2 Semantics of first-order logic. 3 First-order logic queries. 2 First-order query evaluation

Mathematical Foundations of Logic and Functional Programming

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Partial model checking via abstract interpretation

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Notes on generating functions in automata theory

Model Checking Algorithms

Theoretical Foundations of the UML

Crash course Verification of Finite Automata CTL model-checking

Automata-based Verification - III

Decision Procedures for CTL

Algorithms for Model Checking (2IW55)

Lecture Notes on Model Checking

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Nondeterministic finite automata

Lecture 24: Randomized Complexity, Course Summary

Foundations of Mathematics MATH 220 FALL 2017 Lecture Notes

Reasoning about Strategies: From module checking to strategy logic

Quantified Boolean Formulas Part 1

Principles of Program Analysis: Control Flow Analysis

Seminaar Abstrakte Wiskunde Seminar in Abstract Mathematics Lecture notes in progress (27 March 2010)

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Formal Verification of Mobile Network Protocols

Abstractions and Decision Procedures for Effective Software Model Checking

Proof Rules for Correctness Triples

Transcription:

CS357: CTL Model Checking (two lectures worth) David Dill 1

CTL CTL = Computation Tree Logic It is a propositional temporal logic temporal logic extended to properties of events over time. CTL is a branching time logic there can be multiple possible next states. Temporal logic is most useful for reasoning about protocols, circuits, and other concurrent systems, which can be very tricky to get right. There are many such logics. CTL was invented by Emerson and Clarke in the early 1980 s. 2

Syntax of CTL Propositional variables: p, q, etc. Propositional connectives:,,, Modal connectives: (f, g are any CTL formulas): EX f f is true in some next state AX f f is true in all next states E[f U g] along some path, f is true until g is true. A[f U g] -- along all paths, f is true until g is true. 3

Semantics of CTL CTL formulas are interpreted on a Kripke structure (a state graph). <AP, S, R, L> AP a finite set of atomic propositions (p, q, etc.) S a set of states. R A relation from (current) states to (next) states. R must have a next state for every state. L a labeling function that maps states to sets of literals (members of AP or their negations). Model checking algorithms work when S and R are finite. 4

Semantics of CTL, cont. Example of a Kripke structure (from Clarke, Emerson, and Sistla, 1986) 5

Semantics of CTL, cont. In CTL, a state of the Kripke structure satisfies a formula: s = f. This is define recursively: s = p if p L(s) s = f g if s = f and s = g (other prop connectives are similar). p r satisfies p, p r, p q does not satisfy p, q, p q 6

Semantics of CTL, cont. s = EX f if t R(s, t) and t = f s = AX f if t R(s, t) and t = f EXp AXp p p p 7

Semantics of CTL, cont. s 0 = A[f U g] if there is some path s 0, s 1,... s n s.t s i = f for all 0 i n and s n = g s 0 = A[f U g] if for all paths s 0, s 1,... s n s.t s i = f for all 0 i n and s n = g p, E[p U q] p, A[p U q] p p q q q 8

Abbreviations EF p = E[True U p] -- p is eventually true on some path. AF p = A[True U p] -- p is eventually true on every path ( inevitably ) EG p = AF p p is always true along some path. AG p = EF p p is true in every reachable state. 9

Fairness constraints Often, we need to assume that certain properties hold infinitely often. E.g., every process gets scheduled infinitely often. We want to rule out unfair paths e.g, if we try to prove that transaction completes, we don t want the model checker to say: Nope here is an example where it didn t complete because a one of the processes never got scheduled. CTL allows a finite set of CTL formulas to be specified. Definitions of A/E[f U g] formulas modified to quantify over all fair paths. 10

BDD Kripke structure AP = Boolean state variables. Each state must be uniquely labeled S (set of states) = all bit vectors. N(x,x ) = Next state relation 11

Model checking Result of checking any formula is BDD of states that satisfy it. EX f(x) = y. N(x, y) f(y) This is Preds(N,P i )(y) AX f(x) = y. N(x, y) f(y) E[f Ug](x) = Q. g(x) (f(x) EX Q) A[f Ug](x) = Q. g(x) (f(x) AX Q) AF f = A[true U f] = Q. f(x) AX Q EF f = E[true U f] = Q. f(x) EX Q 12

Model Checking AG f = EF f = Q. f(x) EX Q = Q. f(x) AX Q EG f = AF f = Q. f(x) EX Q This gives an excuse to use CTL can be expanded into big mu-calculus formulas But, these formulas don t really have nested fixed points (outer fixed point does not bind variables inside inner ones). Best method for solving is still recursive bottomup. 13

Fair CTL Fairness constraints { c k } are BDDs on states Important formula: E C G f there is a fair path where all states satisfy f. Largest set of states Z satisfying All states in Z satisfy f For all c k and all s in Z, there is a path of at least length 1 from s to a state satisfying c k s.t. all states on the path satisfy f. E C G f = Z. (f k EX E[f U(Z c k )]) This is really nested. Z is in scope of least fixed point for EU operator. 14

Fair CTL The i th iteration of the GFP eliminates paths that visit any c k state fewer than i times. E C G f = Z. (f k EX E[f U(Z c k )]) After two iterations, only paths like this remain. f Z 2 f f f f f f f Z c 1 1 Z 1 f c 2 f f f f f f f c 1 Z 0 c 2 Z 0 Z0 f f f f f f c 1 f f f f c 2 Z 0 15

Fair CTL h = E C G true ( there exists a fair path from here ) E C X (f) = EX(f h) E C [f U g] = E[f U (g h)] This gives a model checking algorithm for Fair CTL (just do all the above using BDD operations) 16

Symbolic model checking with fairness constraints We ve talked about symbolic reachability with BDDs, but not specifically about CTL model checking, and especially not with fairness constraints. It helps to understand "fixed points" a little better. Fixed points are fundamental to program semantics, logic, and also automata and algorithms 17

Fixed Points Many problems boil down to solving an equation like X = F(X). Any solution to the equation is a fixed point (input = output). But there may be many solutions or no solution. Frequently, there is a least or greatest solution that is particularly interesting. 18

Lattices and monotonic functions Suppose we have a finite set S is a partial order on the subsets of S. Suppose F is a function that maps a subset of S to another subset of S (F : 2 S 2 S ) F is monotonic if, for all subsets X and Y of S, X Y implies F(X) F(Y). 19

Lattices and monotonic functions If these conditions are met, F always has unique least fixed point and unique greatest fixed point. i.e., there are unique smallest and largest sets satisfying X = F(X). 20

Properties of fixed points Fixed points closed under intersection and union: Least fixed point (LFP) is i { X i S X i = F(X i ) } Greatest fixed point (GFP) is i { X i S X i = F(X i ) } 21

Iterative computation Theorem: If S is a finite set and F : 2 S 2 S is monotonic w.r.t, there exists n such that F n ( ) is least fixed point. Proof: Claim: For all i, F i ( ) F i+1 ( ) Base: F 0 ( ) = F( ) Induction: If F i ( ) F i+1 ( ), then F(F i ( )) F(F i+1 ( )) [monotonicity of F] 22

Iterative computation Since there are only a finite number of sets, there must be some n < m such that F n ( ) = F m ( ) But then, for all i between n and m, F n ( ) = F i ( ) = F m ( ). So F n ( ) is the desired fixed point. Similarly, there exists some n where F n (S) is GFP of F. 23

Iterative computation For least fixed point, start with smallest set and work your way up as necessary. For greatest fixed point, start with largest set and work your way down. This is a simple instance of a beautiful general theory. Same general results hold for lattices, not just 2 S. Things change a bit for infinite lattices. In general, finite iteration only possible when S is finite. 24

-calculus Logic of fixed points R. F(R) is least fixed point of F (least solution of R = F(R)) R. F(R) is greatest fixed point of F R.F(R) = R. F(R) Example: reachable states I(x) -- x is initial state. N(x, y) -- y is successor of x. reachable(y) = R.[I(y) x.r(x) N(x, y)] 25

-calculus -calculus originally from programming language semantics (Dana Scott & Jaco de Bakker) We use it for BDDs, but original model checking was for explicit state graphs. -calculus model checking on explicit state graphs is not known to be in P or to be NP-complete In the middle ground with graph isomorphism and a few other problems, though it is not known to be equivalent to graph isomorphism. As we formalize the problem, everything is PSPACE-complete (I think ) 26

Reachable states (Abbreviate x.r(x) N(x, y)] as N(R)(y). ) R 0 (y) = false [initially, nothing is reachable] R 1 (y) = I(y) [start states are reachable] R 2 (y) = I(y) N(R 1 )(y) = I(y) N(I)(y) R 3 (y) = I(y) N[I(y) N(I)(y)](y) I(y) N(I)(y) N[N(I)](y) [start state and their successors are reachable]... 27

Efficiency As described, what I ve described will almost never work. Transition BDD N(x, y) is huge. Image computation is hard. It can be broken into parts. Lots of other optimizations Dynamic reordering Exploit don t cares Approximate methods With all of these it s sometimes practical. Fairness constraints are harder, though. 28

Relational image - more optimizations Combined ANDEXISTS has smaller intermediate BDDs than AND followed by EXISTS. Make one recursive pass over BDDs 29

Early quantification Reduce maximum size of intermediate BDDs by eliminating variables as soon as possible. Uses distributive laws for quantifiers: x (P(x) Q(x)) = [ x P(x)] [ x Q(x)] x (P(x,y) Q(y)) = [ x P(x,y)] Q(y) Quantification doesn t always reduce BDD size, but this usually works better than not doing it. 30

Disjunctive partitioning Represent N(x,y) = N 1 (x,y) N 2 (x,y) N n (x,y) This makes since for asynchronous models E.g., Proc 1 goes or Proc 2 goes or Proc 3 goes Image: x. R(x) N(x, y) = x. R(x) (N 1 (x,y) N 2 (x,y) N n (x,y)) = x. [R(x) N 1 (x,y)] [R(x) N 2 (x,y)] [R(x) N n (x,y)] (distributive law) = x[r(x) N 1 (x,y)] x [R(x) N 2 (x,y)] x[r(x) N n (x,y)] ( distributes over ) 31

Conjunctive partitioning Represent N(x,y) = N 1 (x,y) N 2 (x,y) N n (x,y) This makes since for synchronous models E.g., Proc 1 goes and Proc 2 goes and Proc 3 goes Limit variables x,y in N i (x,y) to the ones that it really depends on. This works well when R is deterministic: N i (x,y) is y i = F i (x), where y i is a single bit, and F i is some function of a subset of the x bits. 32

Conjunctive partitioning To do early quantification of x s Use x (P(x,y) Q(y)) = [ x P(x,y)] Q(y) Order components so to maximize the number of x bits that appear in early formulas but not later formulas. Loop: AND in next relation in sequence Quantify any variables that do not appear again. Repeat. 33

Ordering for early quantification Define lifetime of variable to be the interval [i,j] i least index relation where it appears j is greatest index of relation where it appears. Goal is to sort relations so that maximum number of live variables at any point is minimized. This is a rough heuristic. There are many variations on this idea (see imgiwls95.c in Berkeley VIS verifier). 34

Using don t cares Idea: don t waste BDD nodes representing parts of functions you don t care about. Suppose you are the middle of reachability computation If R(x) is current reached set, N(x,y) is next state relation We don t care about R(x) part of N(x,y) [because they are eliminated by R(x) N(x,y)] Don t care about R(y) part of N(x,y) [don t care about states we have already reached, just the new ones]. 35

Constrain Uses don t cares to reduce the size of a BDD It s a heuristic, not guaranteed to reduce size. Looks like a hack, but it has many beautiful and magical properties. Constrain(f, c) optimizes the BDD f while keeping the same values for inputs satisfying c (the care set). Constrain is also known as generalized cofactor Allows cofactoring on a function, not just a variable. Constrain(f, x) is just f x We write constrain(f, g) as f g 36

Constrain idea If c is not true for this node. This would always reduce tree size, but may reduce sharing in a DAG. Redirect the edge to its sibling (which then gets eliminated by reduce step). If constrain did not sometimes increase BDD size, we would have P=NP. 37

Constrain algorithm Constrain(f,c): if (c==1 isconst(f)) return f; else if (f.var == c.var) { if (c.t==0) return Constrain(f.e, c.e); else if (c.e==0) return Constrain(f.t, c.t); else return make_bdd(f.var, Constrain(f.t,c.t) Constrain(f.e,c.e),); } etc. 38

Geometric interpretation Let x = [x 1, x 2,..., x n ] If f = constrain(f, c), for every input x, let y be the closest point to x s.t. c(y) = 1. Then f (x) = f(y). Closest = minimum numerical value of x XOR y. [Bits are ordered as in BDD, top var is MSB] e.g. d(111, 101) = 010 = 2. 39

Use of constrain in reachability Use Constrain(Constrain(N i (x,y), R(x)), R(y)) instead of N i (x,y) 40

Find reachable states first CTL model checking fixed points work backwards in state graph EX f(x) = y. N(x, y) f(y) Usually, only forward reachable states matter for property of interest. Backwards reachable state space might have a big BDD. A preliminary forward traversal to limit to reachable states is often helpful. BDD for these states can be used as don t cares for the real model-checking. 41

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback