Temporal Logic Model Checking

Similar documents
Lecture 16: Computation Tree Logic (CTL)

Computer-Aided Program Design

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

T Reactive Systems: Temporal Logic LTL

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Alan Bundy. Automated Reasoning LTL Model Checking

Timo Latvala. February 4, 2004

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Model for reactive systems/software

Lecture Notes on Emptiness Checking, LTL Büchi Automata

From Liveness to Promptness

Model Checking: An Introduction

Finite-State Model Checking

Model checking the basic modalities of CTL with Description Logic

CS357: CTL Model Checking (two lectures worth) David Dill

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Computation Tree Logic

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Automata-based Verification - III

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Overview. overview / 357

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

3. Temporal Logics and Model Checking

Logic Model Checking

Introduction to Model Checking

Automata-based Verification - III

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Alternating Time Temporal Logics*

Lecture 9 Synthesis of Reactive Control Protocols

Model checking (III)

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Thorough Checking Revisited

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Computation Tree Logic (CTL)

Model Checking Algorithms

Linear Temporal Logic and Büchi Automata

The State Explosion Problem

Automata, Logic and Games: Theory and Application

PSPACE-completeness of LTL/CTL model checking

Lecture 2: Symbolic Model Checking With SAT

Chapter 6: Computation Tree Logic

Lecture 7 Synthesis of Reactive Control Protocols

Learning to Verify Branching Time Properties

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Büchi Automata and Linear Temporal Logic

Model Checking of Safety Properties

3-Valued Abstraction-Refinement

From Löwenheim to Pnueli, from Pnueli to PSL and SVA

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Finite State Model Checking

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Computation Tree Logic

Computation Tree Logic

Chapter 4: Computation tree logic

Decision Procedures for CTL

Model Checking with CTL. Presented by Jason Simas

Linear-time Temporal Logic

An Introduction to Temporal Logics

Formal Verification of Mobile Network Protocols

Automata-Theoretic Verification

MODEL CHECKING. Arie Gurfinkel

Chapter 3: Linear temporal logic

Testing with model checkers: A survey

Models for Efficient Timed Verification

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

The Planning Spectrum One, Two, Three, Infinity

Sanjit A. Seshia EECS, UC Berkeley

a Hebrew University b Weizmann Institute c Rice University

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

Synthesis of Designs from Property Specifications

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

Chapter 5: Linear Temporal Logic

A Symbolic Approach to Safety LTL Synthesis

Automata-Theoretic LTL Model-Checking

A Hierarchy for Accellera s Property Specification Language

ESE601: Hybrid Systems. Introduction to verification

Verification Using Temporal Logic

A tableau-based decision procedure for a branching-time interval temporal logic

Scenario Graphs and Attack Graphs

Modal and Temporal Logics

Abstractions and Decision Procedures for Effective Software Model Checking

Topics in Verification AZADEH FARZAN FALL 2017

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

LTL Model Checking. Wishnu Prasetya.

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Lecture Notes on Model Checking

Timo Latvala. March 7, 2004

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

method. In model checking [CES86, LP85, VW86], we check that a system meets a desired requirement by checking that a mathematical model of the system

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Model Checking & Program Analysis

MODEL CHECKING TIMED SAFETY INSTRUMENTED SYSTEMS

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Transcription:

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 1 Temporal Logic Model Checking Thomas Wahl Computing Laboratory, Oxford University

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 2 Outline Temporal Logics LTL Model Checking CTL Model Checking

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 3 Temporal Logics: Purpose Temporal Logic: decidable logic to reason over program behavior along infinite timelines. Is statement x executed infinitely often? Is every request followed by a grant eventually? Is there an execution along which always x 0?

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 4 Temporal Logics: Ingredients All temporal logics have temporal operators, which quantify over states along a program execution path: in all future states in some future state in the next state Some also have branching operators, which quantify over execution paths of a program: for all executions for some execution

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 5 Temporal Logics: Representatives LTL: only temporal operators. cannot distinguish different program executions CTL: temporal + branching operators. can explicitly specify behavior along different paths CTL*: LTL CTL µ-calculus: CTL* [LTL: Pnueli 77, CTL: Emerson/Clarke 82]

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 6 Temporal Logics: Which One to Use? Infinite debate about which logic is best... Criteria: easy of use, expressiveness, efficiency. Allen Emerson: Modalities for Model Checking: Branching Time Logic Strikes Back. (1987) Moshe Vardi: Branching vs. Linear Time: Final Showdown. (2001)

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 7 Outline Temporal Logics LTL Model Checking CTL Model Checking

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 8 Linear Temporal Logic (LTL): Syntax LTL formulas are built out of: atomic propositions: p, q, r Boolean operators:,,... temporal operators: X p: next time p F q: eventually q G r: always r p U q: p until q Again: these apply to a fixed execution path

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 9 Linear Temporal Logic: Semantics LTL formulas evaluated over a path π = π 0 π 1 π 2... Suffix of π starting at the ith state: π i. Validity is defined as follows: π = p iff p L(π 0 ) π = f iff π = f π = g h iff π = g and π = h π = X f iff π 1 = f π = G f iff i : π i = f π = F f iff i : π i = f π = g U h iff i : (π i = h and j < i : π j = g)

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 10 LTL Model Checking Given Kripke structure M := (S, R, L, s 0 ) and LTL formula f : do all paths π through M satisfy f? M = f := π : π 0 = s 0 π path in M : π = f Approach: represent M and f in same data structure should be efficiently manipulatable Solution: finite-state automata

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 11 Finite-State Automata (FSA)... quite similar to a transition system like a Kripke structure: A = (Σ, Q, δ, Q 0, F). Σ, Q finite alphabet, finite state set Transition relation: δ Q Σ Q. Q 0 initial states, F accepting states. Automaton A accepts certain words, which form its language L(A).

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 12 Kripke Structure and FSA Goal: given structure M, define automaton A M such that L(A M ) = {π : π is a path in M}. Pretty straightforward. Technicality: FSAs have edge labels ( inputs ), M has state labels (atomic propositions). But that can be fixed...

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 13 Kripke Structure and FSA M: M A : i {p, q} {p, q} {p, q} s 0 {p} s 1 s 0 s 1 {p} {q} s 2 {q} {p, q} s 2 Every state of M A is accepting.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 14 LTL Formula and FSA Goal: given LTL formula f, define automaton A f such that L(A f ) = {π : π = f }. Achieve this using Büchi acceptance condition: Infinite path is accepted by a FSA if some accepting state is visited infinitely often. Means: path goes through a cycle that contains an accepting state.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 15 LTL Formula and FSA {p} {p} {p} {q}, {p, q} (These FSAs represent which LTL formulas?) Tableau Construction [GPVW 1985-95]

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 16 LTL Model Checking Finally: LTL Model Checking, by Language Containment: M = f iff L(A M ) L(A f ) iff L(A M ) L( A f ) = iff L(A M ) L(A f ) = iff L(A M A f ) =. Terminology in MCer SPIN: f is a never claim Our algorithm looks for violations of f.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 17 LTL Model Checking We had: M = f iff L(A M A f ) =. Intersection of two FSAs: by lock-step execution (standard constructions) Emptiness of a FSA A with Büchi acceptance condition: L(A) iff there is a reachable cycle through A that contains an accepting state.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 18 LTL Model Checking Final remarks. Counter examples: If L(A M A f ), then M = f. The path to and through the accepting cycle is a counter example. Complexity: O( M 2 f ). Exponential complexity in f is not as big a problem in practice as it may seem: Usually, f M

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 19 Outline Temporal Logics LTL Model Checking CTL Model Checking

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 20 Computation Tree Logic (CTL): Syntax Combines branching operators A: for all executions ( futures, paths ) E: for some execution and temporal operators X, F, G, U, but only in specific ways: [ ] X A F E G p U and arbitrarily nested: AG EF reset E(req U ack) EX AX false Not: A E p (makes no sense), A FG p (allowed in CTL*, not CTL)

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 21 AXp p CTL: Intuitive Semantics s 0 p EFp s 0 AFp p "p imminent" "p reachable" p AGp s 0 p s 0 p p p p p p p pp "p inevitable" pppp pppp "p invariant"

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 22 CTL Model Checking Input: M := (S, R, L, s 0 ) and CTL formula f Goal: determine whether M, s 0 = f. We will do this by 1. computing S f = {s S : M, s = f }, and then 2. checking whether s 0 S f, possibly on the fly.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 23 The Tarski-Knaster Theorem View CTL formula as set of states satisfying it. Then observe: EG p = p EX p EX EX p... = p EX(p EX(p...)) = p EX(EG p).

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 24 The Tarski-Knaster Theorem View CTL formula as set of states satisfying it. Then observe: EG p = p EX p EX EX p... = p EX(p EX(p...)) = p EX(EG p). EG p is a fixpoint of the operator τ(z ) = p EX Z : in fact the greatest fixpoint of τ computable by series of overapproximations: Z 0 = S Z 1 = p EX Z 0 Z 2 = p EX Z 1... = νz.p EX Z

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 25 Computing Fixpoints Least fixpoint µz.τ(z ): 1: Z := 2: repeat 3: Z := Z 4: Z := τ(z ) 5: until Z = Z 6: return Z Greatest fixpoint νz.τ(z ): 1: Z := S 2: repeat 3: Z := Z 4: Z := τ(z ) 5: until Z = Z 6: return Z Only difference: initial value of Z

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 26 Fixpoint Characterization of CTL EF h = µz.(h EX Z ) EG h = νz.(h EX Z ) E(g U h) = µz.(h (g EX Z )) AF h = µz.(h AX Z ) AG h = νz.(h AX Z ) A(g U h) = µz.(h (g AX Z )) F, U: least fixpoint µ, uses. Liveness properties G : greatest fixpoint ν, uses. Safety properties

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 27 CTL Model Checking: Complexity Example AG EF p: It is always possible to reach a p-state. AG EF p = AG(EF p) = νz. (µy.p EX Y ) AX Z. Procedure: 1. Y 0 := µy. p EX Y (O( M )) 2. Z 0 := νz.y 0 AX Z (O( M )) 3. return Z 0 cost 2 M.

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 28 CTL Model Checking: Complexity Each fixpoint costs O( M ) steps (and each step only involves EX, AX,, ) number of fixpoint computations = number of EF, EG, AF, AG s that appear in f complexity O( M f ). Compare: LTL model checking: O( M 2 f ).

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 29 CTL Model Checking using BDDs All we need to do is implement the fixpoint routines: Set of states satisfying EF p: 1: Z := 2: repeat 3: Z := Z 4: Z := p EX Z 5: until Z = Z 6: return Z Need: disjunction (pre-)image EX termination Z = Z Termination easy with BDDs: canonicity!

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 30 Symbolic Transition Relations set of states: constraint over the state variables set of transitions: constraint over two copies of the state variables: if x then y := true as a Boolean formula over 4 (not 2) variables: R(x, x, y, y ) = ((x y ) ( x y = y)) x = x

18 Feb, 2009 Thomas Wahl, Oxford University Temporal Logic Model Checking 31 Symbolic Image Operations Pre-image (predecessors) of a set of states Z : Given: EX Z = {s : z Z : R(s, z)}. BDD Z over x 1,..., x k, and BDD R over x 1,..., x k, x 1,..., x k. Wanted: BDD for EX Z over x 1,..., x k. Operation Result over variables 1. Z := Z with x i renamed to x i x 1..x k 2. L := Z R x 1..x k, x 1..x k 3. result := x 1..x k : L x 1..x k

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback