Model Checking with CTL. Presented by Jason Simas

Similar documents
Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Computation Tree Logic (CTL)

Computation Tree Logic

Lecture 16: Computation Tree Logic (CTL)

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model for reactive systems/software

Model Checking Algorithms

Model Checking: An Introduction

MODEL CHECKING. Arie Gurfinkel

Overview. overview / 357

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Model checking the basic modalities of CTL with Description Logic

Finite-State Model Checking

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Chapter 6: Computation Tree Logic

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Chapter 4: Computation tree logic

ESE601: Hybrid Systems. Introduction to verification

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Verification Using Temporal Logic

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

3-Valued Abstraction-Refinement

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Linear-Time Logic. Hao Zheng

A 3 Valued Contraction Model Checking Game: Deciding on the World of Partial Information

Automata-Theoretic Model Checking of Reactive Systems

CS357: CTL Model Checking (two lectures worth) David Dill

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Finite State Model Checking

Computation Tree Logic

Model checking (III)

Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs

How Vacuous is Vacuous?

Temporal Logic Model Checking

FAIRNESS FOR INFINITE STATE SYSTEMS

Model Checking & Program Analysis

Chapter 5: Linear Temporal Logic

Lecture Notes on Emptiness Checking, LTL Büchi Automata

An n! Lower Bound On Formula Size

Linear Temporal Logic and Büchi Automata

Model Checking. Boris Feigin March 9, University College London

Topics in Verification AZADEH FARZAN FALL 2017

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

A Brief Introduction to Model Checking

Computation Tree Logic

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Explicit State Model Checking Algorithm for CTL. CSE 814 CTL Explicit-State Model Checking Algorithm

First-order resolution for CTL

Computation Tree Logic

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Revising Specifications with CTL Properties using Bounded Model Checking

CTL Model Checking. Wishnu Prasetya.

Models for Efficient Timed Verification

Partial model checking via abstract interpretation

Temporal Logic of Actions

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Multi-Valued Symbolic Model-Checking

Computer-Aided Program Design

Theorem Proving beyond Deduction

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

An Introduction to Temporal Logics

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Postprint.

Comp487/587 - Boolean Formulas

On the Expressiveness and Complexity of ATL

Alan Bundy. Automated Reasoning LTL Model Checking

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Chapter 3: Linear temporal logic

Linear Temporal Logic (LTL)

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Modal and Temporal Logics

Abstractions and Decision Procedures for Effective Software Model Checking

Linear Temporal Logic (LTL)

Linear-time Temporal Logic

Reducing CTL-live Model Checking to Semantic Entailment in First-Order Logic (Version 1)

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

Representing Temporal System Properties Specified with CCTL formulas using Finite Automaton

Propositional Logic: Syntax

Alternating-Time Temporal Logic

QBF Encoding of Temporal Properties and QBF-based Verification

Logics for Data and Knowledge Representation

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Formal Methods Lecture VII Symbolic Model Checking

First-Order Predicate Logic. Basics

INTRODUCTION TO PREDICATE LOGIC HUTH AND RYAN 2.1, 2.2, 2.4

09 Modal Logic II. CS 3234: Logic and Formal Systems. October 14, Martin Henz and Aquinas Hobor

Lecture 2: Symbolic Model Checking With SAT

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

LTL and CTL. Lecture Notes by Dhananjay Raju

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

3. Temporal Logics and Model Checking

T Reactive Systems: Temporal Logic LTL

Propositional Logic: Models and Proofs

The Planning Spectrum One, Two, Three, Infinity

Transcription:

Model Checking with CTL Presented by Jason Simas

Model Checking with CTL Based Upon: Logic in Computer Science. Huth and Ryan. 2000. (148-215) Model Checking. Clarke, Grumberg and Peled. 1999. (1-26)

Content Context Model Checking Models CTL Syntax Semantics Checking Algorithm

Model Checking M = ϕ M is the model Requires a description language ϕ is the property to check Requires a specification language = is the satisfaction relation Algorithm to check whether (M, ϕ) ε = Outputs either yes or no (+ trace)

Models Fundamentals Language Definition Example Model

Fundamentals Want to prove properties Model all relevant sub properties Model abstraction level <= properties -> Model how properties change Over time? (sort of) Over property change? (yes) Abstract out time

Modeling Property Change Model = States + Transitions + Labels States Possibilities of which properties can be true together + Possibilities of which properties can follow each other + Transitions Possibilities of which states can follow each other Labels Possibilities of which properties are true for each state States need not be unique wrt labels Use a directed graph

Definition: Model for CTL M = (S,, L) S is a finite set of states {s 0, s 1,, s n } is a set of transitions SxS and for every s ε S there is some s ε S such that s s L is a labeling function L: S Ρ(Atoms) S is the set of states of Μ Ρ (Atoms) is the power set of Atoms Atoms is the set of all propositions

Mutual Exclusion (Interleaved)

Mutual Exclusion (Interleaved) Μ = (S,, L) where S = {s 0, s 1, s 2, s 3, s 4, s 5, s 6, s 7, s 9,} = {(s 0, s 1 ), (s 1, s 2 ), (s 1, s 3 ), (s 2, s 4 ), (s 3, s 4 ), (s 2, s 0 ), (s 4, s 5 ), (s 0, s 5 ), (s 5, s 6 ), (s 5, s 9 ), (s 6, s 7 ), (s 9, s 7 ), (s 6, s 0 ), (s 7, s 1 )} L = {(s 0, {n 1, n 2 }), (s 1, { t 1, n 2 }), (s 2, { c 1, n 2 }), (s 3, { t 1, t 2 }), (s 4, {c 1, t 2 }), (s 5, { n 1, t 2 }), (s 6, { n 1, c 2 }), (s 7, {t 1, c 2 }), (s 9, { t 1, t 2 })} Note: s 3, s 9 are distinct for turns

Properties Remember M = ϕ ϕ specifies properties of states/transitions Need a specification language for ϕ, CTL CTL: Computation Tree Logic Specifying properties of computation trees Logic = Language + Inference Rules Inference Rules = Algorithm for check

Computation Trees A tree such that starting at some state s, There exists edges to each of its children (s s ) Same is true for each child, ad infinitum

Example: Efficiency For each cycle (n i *n i ) some process enters its critical section CTL: AG ((s 1 v s 5 ) AX (A (s 1 v s 5 ) U (c 1 v c 2 )))

CTL Syntax φ := p ( φ) (φ ^ φ) (φ v φ) (φ φ) AX φ EX φ A[φ U φ] E[φ U φ] AG φ EG φ AF φ EF φ Atoms:,, p p is an arbitrary atomic property either true or false Example: c 1 : process 1 is in its critical section Propositional Connectives: ^, v,, Temporal Connectives: EG, AG, EX, AX, EF, AF, EU, AU Note: EU φ 1 φ 2 same as E [φ 1 U φ 2 ] Binding Precedence: Unary Connectives:, AX, EX, AG, EG, AF, EF Binary Connectives:, AU, EU, c 1, c 1 ^ c 2, AX (c 1 ^ c 2 ), A [c 1 U c 1 ], E [ U (AX (c 1 ^ c 2 ))]

CTL Semantics M,s = φ where φ is a CTL formula is φ true for the model M at state s? when s is the initial state: M = φ Irrelevant whether φ is true/false at other states Temporal Connectives: A,E: range over paths from s G,X,F,U: range over states on a path from s

,, p M,s = and not M,s = for all s ε S M,s = p iff p ε L(s)

M,s = φ iff not M,s = φ

^, v M,s = φ 1 ^ φ 2 iff M,s = φ 1 and M,s = φ 2 M,s = φ 1 v φ 2 iff M,s = φ 1 or M,s = φ 2

M,s = φ 1 φ 2 iff not M,s = φ 1 or M,s = φ 2

AX, EX AX EX M,s = AX φ iff for all s such that s s we have M,s = φ For all paths, for the next state, φ is true M,s = EX φ iff for some s such that s s we have M,s = φ For some path, for the next state, φ is true

AG M,s = AG φ iff for all paths s 1 s 2 s 3 where s 1 equals s and for all s i along the path, we have M,s i = φ For all paths, for all states along each path, φ is true

EG M,s = EG φ iff for some path s 1 s 2 s 3 where s 1 equals s and for all s i along the path, we have M,s i = φ For some path, for all states along the path, φ is true

AF M,s = AF φ iff for all paths s 1 s 2 s 3 where s 1 is s and for some s i along each path, we have M,s i = φ For all paths, for some state along each path, φ is true

EF M,s = EF φ iff for some path s 1 s 2 s 3 where s 1 equals s and for some s i along the path, we have M,s i = φ For some path, for some state along each path, φ is true

AU M,s = A [φ 1 U φ 2 ] iff for all paths s 1 s 2 s 3 where s 1 equals s, each path satisfies φ 1 U φ 2 (i.e. there is some s i along the path such that M,s i = φ 2 and for each j < i we have M,s j = φ 1 ) For all paths, for every state in each path φ 1 until φ 2

EU M,s = E [φ 1 U φ 2 ] iff for some path s 1 s 2 s 3 where s 1 equals s, the path satisfies φ 1 U φ 2 (i.e. there is some s i along the path such that M,s i = φ 2 and for each j < i we have M,s j = φ 1 ) For some path, for every state in the path φ 1 until φ 2

Inclusion of s in Condition s is the first state checked For G, F, U But not for X Examples: M = AF (n 1 ^ n 2 ) M = EG (n 1 ^ n 2 ) M = A [ U (n 1 ^ n 2 ) To exclude s, use X ϕ

Mutual Exclusion Properties Safety: Only one process shall be in its critical section at any time AG (c 1 ^ c 2 ) Liveness: Whenever any process wants to enter its critical section, it will eventually be permitted to do so AG (t 1 AF c1) ^ AG (t 2 AF c 2 ) Non-blocking A process can always request to enter its critical section AG (n 1 EX t 1 ) ^ AG (n 2 EX t 2 ) No strict sequencing: Processes need not enter their critical section in strict sequence EF (c 1 ^ E[c 1 U ( c 1 ^ E[ c 2 U c 1 ])]) v EF (c 2 ^ E[c 2 U ( c 2 ^ E[ c 1 U c 2 ])])

Checking Algorithm Minimal Set of Connectives Algorithm Correctness Complexity Implementation

Minimal Set of Connectives Two CTL formulas φ and ψ are semantically equivalent iff any state in any model which satisfies one of them also satisfies the other De Morgan s Law AF φ = EG φ EF φ = AG φ Minimal Set of Connectives: ^,,, AF, EX, EU Translate: AG, EG, EF, AX, AU For AG: AG φ = EF φ For EG: EG φ = AF φ For EF: EF φ = E [ U φ] For AX: AX φ = EX φ For AU: A [ U φ] = AF φ

Algorithm Input: The model M and the CTL formula φ Output: The set of states of M that satisfy φ Steps: Translate φ to φ where φ only has connectives in the minimal set Label the states of M with the sub formulas of φ that are satisfied there, starting with the smallest sub formulas and working outwards towards φ If s 0 is an element of the output, then yes

, : then no states are labeled with : then all states are labeled with

P, p: then label s with p if p ε L(s) ψ 1 : label s with ψ 1 if s is not already labeled with ψ 1

^, v ψ 1 ^ ψ 2 : label s with ψ 1 ^ ψ 2 if s is already labeled with both ψ 1 and ψ 2 ψ 1 v ψ 2 : label s with ψ 1 v ψ 2 if s is already labeled with ψ 1 or ψ 2

EX EX ψ 1 : label any state with EX ψ 1 if one of its successors is labeled with ψ 1

AF AF ψ 1 : If any state s is labeled with ψ 1, label it with AF ψ 1 Repeat: label any state with AF ψ 1 if all successor states are labeled with AF ψ 1, until there is no change

EU E[ψ 1 U ψ 2 ]: If any state s is labeled with ψ 2, label it with E[ψ 1 U ψ 2 ] Repeat: label any state with E[ψ 1 U ψ 2 ] if it is labeled with ψ 1 and at least one of its successors is labeled with E[ψ 1 U ψ 2 ], until there is no change

Correctness: Termination Repeat until no change of AF and EU Required since algorithm may add states and existence of states is part of condition Problem: repeat may not terminate Show that the functions for AF and UE terminate Show that F 0 (F 1 ( F n (S))) = F 0 (F 1 ( F n+1 (S))) for some n

Fixpoints Given: F is a function F: P(S) P(S) Fixpoint Sets A subset X of S is called a fixpoint of F if F(X) = X If we prove repeat has a fixpoint then we ve proved repeat terminates Known Theorem: Every monotone function has a fixpoint Is repeat monotone?

Monotone Functions Monotone Functions: F is monotone iff X Y implies F(X) F(Y) for all subsets X and Y of S F AF is monotone X,Y are the set of states with a label AFϕ F AF only adds states, that is F AF (Z) = Z { } Condition for what is in { } is dependent on Z More states in Z, then more potential for adding states Since X is contained in Y, then Y has all the potential of X (i.e. F AF (X) = F AF (Y)) And if X is smaller than Y, then Y has more potential than X (i.e. F AF (X) F AF (Y)) So if X Y then F AF (X) F AF (Y) F EU is similarly monotone

Complexity This Algorithm: O (f * V * (V + E)) f is the number of connectives in the formula V is the number of states E is the number of transitions linear in the size of the formula and quadratic in the size of the model Better Algorithms: O (f * (V + E)

Complexity: State Explosion Problem is size of model, not algorithm Size of model (V + E) is exponential in the number of variables (or properties on them) Size of model (V+E) is exponential in the number of components that can execute in parallel

Implementations SMV Model Checker Available from CMU Created by K. McMillan NuSMV Reimplementation Cadence SMV Reimplementation + Compositional Focus

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback