Verification Using Temporal Logic

Similar documents
Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model for reactive systems/software

An Introduction to Temporal Logics

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Linear Temporal Logic and Büchi Automata

Automata-Theoretic Model Checking of Reactive Systems

Lecture 16: Computation Tree Logic (CTL)

ESE601: Hybrid Systems. Introduction to verification

Computation Tree Logic

Overview. overview / 357

Model Checking with CTL. Presented by Jason Simas

Computation Tree Logic (CTL)

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Chapter 4: Computation tree logic

Modal and Temporal Logics

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Timo Latvala. February 4, 2004

Finite-State Model Checking

FAIRNESS FOR INFINITE STATE SYSTEMS

T Reactive Systems: Temporal Logic LTL

Formal Verification of Mobile Network Protocols

Computation Tree Logic

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Model Checking: An Introduction

Computation Tree Logic

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Chapter 6: Computation Tree Logic

Linear-Time Logic. Hao Zheng

CIS 842: Specification and Verification of Reactive Systems. Lecture Specifications: Specification Patterns

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

Temporal Logic Model Checking

PSPACE-completeness of LTL/CTL model checking

Model Checking. Boris Feigin March 9, University College London

LTL and CTL. Lecture Notes by Dhananjay Raju

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Linear Temporal Logic (LTL)

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

MODEL CHECKING. Arie Gurfinkel

Revising Specifications with CTL Properties using Bounded Model Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Computer-Aided Program Design

Alternating Time Temporal Logics*

Chapter 3: Linear temporal logic

Linear Temporal Logic (LTL)

Topics in Verification AZADEH FARZAN FALL 2017

QBF Encoding of Temporal Properties and QBF-based Verification

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Alan Bundy. Automated Reasoning LTL Model Checking

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Introduction. Pedro Cabalar. Department of Computer Science University of Corunna, SPAIN 2013/2014

Methods for Software Verification. Andrea Corradini Gian Luigi Ferrari. Second Semester 6 CFU

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Goal specification using temporal logic in presence of non-deterministic actions

Model checking (III)

Abstractions and Decision Procedures for Effective Software Model Checking

CTL, the branching-time temporal logic

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Transition Systems and Linear-Time Properties

Model checking the basic modalities of CTL with Description Logic

Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Model Checking Algorithms

3-Valued Abstraction-Refinement

Chapter 5: Linear Temporal Logic

A Brief Introduction to Model Checking

Monodic fragments of first-order temporal logics

Revising UNITY Programs: Possibilities and Limitations 1

Lecture Notes on Model Checking

Testing with model checkers: A survey

An n! Lower Bound On Formula Size

Characterizing Fault-Tolerant Systems by Means of Simulation Relations

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

The State Explosion Problem

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Decision Procedures for CTL

Symbolic Model Checking Property Specification Language*

Partial model checking via abstract interpretation

Finite State Model Checking

CS357: CTL Model Checking (two lectures worth) David Dill

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

First-order resolution for CTL

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

A logical framework to deal with variability

Another Glance at the Alpern-Schneider. Characterization of Safety andliveness in. Concurrent Executions. Abstract

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Towards Algorithmic Synthesis of Synchronization for Shared-Memory Concurrent Programs

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Model-Checking Games: from CTL to ATL

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Transcription:

CMSC 630 February 25, 2015 1 Verification Using Temporal Logic Sources: E.M. Clarke, O. Grumberg and D. Peled. Model Checking. MIT Press, Cambridge, 2000. E.A. Emerson. Temporal and Modal Logic. Chapter 16 in Volume B of J. van Leeuwen, editor, Handbook of Theoretical Computer Science. MIT Press, Cambridge, 1990. D. Peled. Software Reliability Methods. Springer-Verlag, Berlin, 2001. C. Baier and J.-P. Katoen. Principles of Model Checking. MIT Press, Cambridge, 2008.

CMSC 630 February 25, 2015 2 Temporal Logic...... a language for describing time-varying properties of systems.... originally developed as a branch of philosophical logic.... is a modal logic (logic of possibility and necessity).... brought to attention of computer scientists by A. Pnueli in 1977.

CMSC 630 February 25, 2015 3 Temporal Logic Verification Framework How is the verification question S sat R formulated in the temporal-logic setting? Temporal logic used to define requirements Spec. Sys? sat?

CMSC 630 February 25, 2015 4 Kripke Structures Kripke structures used as system models in temporal logic. {} { incs1} { incs2}

CMSC 630 February 25, 2015 5 Defining Kripke Structures Mathematically, a Kripke structure has form S,A,R,l,s I, where: S is a set of states; A is a set of atomic propositions; R S S is the transition relation; l : S 2 A is the labeling; and s I S is the initial state.

CMSC 630 February 25, 2015 6 Another Kripke Structure Example

CMSC 630 February 25, 2015 7 Where Do Kripke Structures Come From? Kripke structures are usually not specified directly by users; they are compiled from higher-level specifications using (small-step) operational semantics of programming / modeling notation. States: assignments of variables to values Labeling function given as relation on states / atomic propositions Transitions: execution steps defined by semantics

CMSC 630 February 25, 2015 8 Example: UNITY A modeling notation for concurrent systems See K.M. Chandy and J. Misra, Parallel Program Design, Addison Wesley, Reading MA, 1988 Emblematic of notations used by model-checking tools

CMSC 630 February 25, 2015 9 Example UNITY Model program mutex declare in: array [0..1] of int lock: int initially in[0] = in[1] = lock = 0 assign end P0enter: lock = 0 lock, in[0] = 1, 1 P1enter: lock = 0 lock, in[1] = 1, 1 P0exit: in[0] = 1 lock, in[0] = 0,0 P1exit: in[1] = 1 lock, in[0] = 0,0 lock = 0,in[0] = 0,in[1] = 0 lock = 1,in[0] = 1,in[1] = 0 lock = 1,in[0] = 0,in[1] = 1

CMSC 630 February 25, 2015 10 UNITY in Detail Programs consist of declare, initially, assign sections (among others) declare section defines variables initially section initializes variables assign section contains guarded commands Guarded command has formg S G is boolean condition,s is Hoare program Intended semantics: at each step, command with true guard is selected, executed atomically. Program terminates when all guards are false.

CMSC 630 February 25, 2015 11 Defining Temporal Logic Now that we know what systems (Sys) are, what about requirements (Spec)? Idea Formulas of temporal logic constitute Spec. but there are a number of variants of temporal logic. An important categorization: linear time vs. branching time. The difference: how time is modeled! (More on this later.) We ll start with linear-time.

CMSC 630 February 25, 2015 12 Linear-Time Temporal Logic (LTL) Used to specify properties of sequences. Given: set(a, b )A of atomic propositions. Formulas generated as follows. φ ::= a φ φ φ Xφ next φ U φ until Φ LTL is the set of all LTL formulas.

CMSC 630 February 25, 2015 13 LTL Semantics Formal semantics given as = (2 A ) ω Φ LTL. A: set of atomic propositions 2 A : set of all subsets ofa. (2 A ) ω : set of infinite sequences of2 A. That is, formulas interpreted with respect to sequences of sets of atomic propositions. π = φ: sequenceπhas propertyφ

CMSC 630 February 25, 2015 14 Notation Ifπ = A 0 A 1... (2 A ) ω then π[i] = A i 2 A π[i..] = A i A i+1... (2 A ) ω

CMSC 630 February 25, 2015 15 LTL Semantics (cont.) π = a ifa π[0]. π = φ ifπ = φ. π = φ 1 φ 2 ifπ = φ 1 orπ = φ 2. π = Xφ ifπ[1..] = φ. π = φ 1 U φ 2 if i 0. π[i..] = φ 2 and j < i. π[j..] = φ 1

CMSC 630 February 25, 2015 16 Derived Operators tt ff = a a true = tt false φ 1 φ 2 = (( φ1 ) ( φ 2 )) conjunction φ 1 φ 2 = ( φ1 ) φ 2 implication

CMSC 630 February 25, 2015 17 More Derived Operators Eventually Fφ tt U φ Always Gφ F φ

CMSC 630 February 25, 2015 18 Still More Derived Operators Release φ 1 R φ 2 (( φ 1 ) U ( φ 2 )) Weak Until φ 1 W φ 2 φ 2 R (φ 1 φ 2 ) What does (( φ 2 ) U ( φ 1 φ 2 )) mean?

CMSC 630 February 25, 2015 19 Writing Requirements in LTL LTL can be used to specify different properties of execution sequences. Safety Nothing bad ever happens. G bad Liveness Something good eventually happens. F good

CMSC 630 February 25, 2015 20 More Kinds of Properties Responsiveness Every request is eventually serviced. G(req F serviced) Reactivity (GF enabled) (GF executed) Partition φ 1 U (φ 2 U φ 3 )

CMSC 630 February 25, 2015 21 Example: Specifying Mutual Exclusion A = {in i, out i, trying i },i = 1,2. Mutual Exclusion G (in 1 in 2 ) Starvation-Freedom for Process 1 G(trying 1 F in 1 ) 1-Bounded Overtaking for Process 1 G(trying 1 (trying 2 U in 2 U in 1 ))

CMSC 630 February 25, 2015 22 But What About System Properties? So far we have used LTL to define properties of executions. How do we use it to define properties/requirements of systems? Idea Define a system to satisfy a formula if all its executions do. How to make this precise?

CMSC 630 February 25, 2015 23 Formalizing sat LetM = S,A,R,l,s I be a Kripke structure. π = s 0 s 1... S ω is an execution ofm if: s 0 = s I For alli 0, s i,s i+1 R or for alls S, s i,s R ands i+1 = s i. E(M): set of all executions ofm. l(s 0 s 1...) = l(s 0 )l(s 1 )... M satφ if for allπ E(M),l(π) = φ.

CMSC 630 February 25, 2015 24 What We Have...... a verification framework based on LTL! Systems: Requirements: sat: Kripke structures LTL formulas sat What s next? 1. Other temporal logics. 2. How to showm satφ.

CMSC 630 February 25, 2015 25 Branching-Time Temporal Logic Recall: Two kinds of temporal logic: linear-time and branching-time Linear-time: models are sequences Branching-time: models are trees (alternatively, states in Kripke structures) How do we define a branching-time temporal logic?

CMSC 630 February 25, 2015 26 CTL = LTL+Path Quantifiers The CTL approach: add path quantifiers to LTL! Eφ: satisfied by a state if there exists a path from the state and satisfyingφ. E is a path quantifier.

CMSC 630 February 25, 2015 27 Syntax of CTL Defines state formulas... σ ::= a σ σ σ Eφ Σ CTL : set of all CTL (state) formulas.

CMSC 630 February 25, 2015 28 Syntax of CTL (cont.)... and path formulas. φ ::= σ φ φ φ Xφ φ U φ Φ CTL : set of all CTL path formulas.

CMSC 630 February 25, 2015 29 Defining Semantics of CTL... given with respect to Kripke structurem = S,A,R,l,s I as relation = M (S Σ CTL ) (S ω Φ CTL )... i.e. states related to state formulas and paths to path formulas. FixM in what follows. Notation E(M,s) S ω : execution paths emanating froms. π E(M,s) if: π[0] = s For alli 0, π[i],π[i+1] R or for alls S, π[i],s R andπ[i+1] = π[i].

CMSC 630 February 25, 2015 30 Semantics of State Formulas s = M a ifa l(s). s = M σ ifs = M σ. s = M σ 1 σ 2 ifs = M σ 1 ors = M σ 2. s = M Eφ if there existsπ E(M,s) such thatπ = M φ.

CMSC 630 February 25, 2015 31 Semantics of Path Formulas π = M σ ifπ[0] = M σ. π = M φ ifπ = M φ. π = M φ 1 φ 2 ifπ = M φ 1 orπ = M φ 2. π = M Xφ ifπ[1..] = M φ. π = M φ 1 Uφ 2 if i 0. σ[i..] = M φ 2 and j < i. σ[j..] = M φ 1 Note:,, X, U as in LTL! Derived operators: usual LTL derived operators, A E.

CMSC 630 February 25, 2015 32 CTL Verification Framework Sys: Kripke structuresm = S,A,R,l,s I Spec: CTL state formulasσ Σ CTL sat: M satσ ifs I = M σ.

CMSC 630 February 25, 2015 33 Expressing Properties in CTL Possibility Any message can be lost. AG(sent EF lost) LTL Any LTL system specificationφcan be rendered as a CTL state formula Aφ. So CTL is at least as expressive a system specification notation as LTL. In fact, it is more so (LTL can t express E).

CMSC 630 February 25, 2015 34 CTL...... a sublogic of CTL... development preceded that of CTL... stands for Computation Tree Logic... first temporal logic used in model checking CTL formulas: state formulas in CTL in which every path modality (U, X, G, etc.) is immediately preceded by a path quantifier. CTL AG(sent AF received) Not CTL AG(sent F received)

CMSC 630 February 25, 2015 35 Formal CTL Syntax Note All CTL formulas are state formulas. σ ::= a σ σ σ EXσ E(σ Uσ) E(σ Rσ) Σ CTL : set of all CTL formulas. Recall that R is dual of U. Derived operators: AX, AU, AR, EG, EF, AG, AF, etc.

CMSC 630 February 25, 2015 36 Expressiveness of CTL System Specifications No more expressive than CTL, sinceσ CTL Σ CTL. Incomparable to LTL: CTL can express possibility properties. LTL can express fairness properties. AFGa expressible in LTL, not in CTL. Consequently, strictly less expressive than CTL! (Why?)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback