ESE601: Hybrid Systems. Introduction to verification

Similar documents
Verification of hybrid systems. Thanks to

Discrete abstractions of hybrid systems for verification

Model Checking with CTL. Presented by Jason Simas

T Reactive Systems: Temporal Logic LTL

Verification Using Temporal Logic

Computation Tree Logic

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Model Checking: An Introduction

Automata-Theoretic Model Checking of Reactive Systems

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

Alan Bundy. Automated Reasoning LTL Model Checking

Model for reactive systems/software

Timo Latvala. February 4, 2004

Chapter 4: Computation tree logic

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

A Brief Introduction to Model Checking

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Chapter 6: Computation Tree Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Computer-Aided Program Design

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Overview. overview / 357

PSPACE-completeness of LTL/CTL model checking

Formal Verification of Mobile Network Protocols

Safety and Liveness Properties

Model Checking. Boris Feigin March 9, University College London

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

Abstractions and Decision Procedures for Effective Software Model Checking

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Temporal Logic Model Checking

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

The State Explosion Problem

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Linear Time Logic Control of Discrete-Time Linear Systems

Linear Temporal Logic and Büchi Automata

CS156: The Calculus of Computation

FAIRNESS FOR INFINITE STATE SYSTEMS

Problem 1: Suppose A, B, C and D are finite sets such that A B = C D and C = D. Prove or disprove: A = B.

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Modal and Temporal Logics

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Model checking (III)

Computation Tree Logic

Finite-State Model Checking

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

Model checking the basic modalities of CTL with Description Logic

Syntax and Semantics of Propositional Linear Temporal Logic

Models for Efficient Timed Verification

CS 267: Automated Verification. Lecture 1: Brief Introduction. Transition Systems. Temporal Logic LTL. Instructor: Tevfik Bultan

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Topics in Verification AZADEH FARZAN FALL 2017

CS156: The Calculus of Computation Zohar Manna Autumn 2008

Lecture Notes on Emptiness Checking, LTL Büchi Automata

MODEL CHECKING. Arie Gurfinkel

Propositional Logic. Testing, Quality Assurance, and Maintenance Winter Prof. Arie Gurfinkel

Logic. Propositional Logic: Syntax

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

An Introduction to Temporal Logics

3-Valued Abstraction-Refinement

Axiomatic Semantics: Verification Conditions. Review of Soundness of Axiomatic Semantics. Questions? Announcements

Abstraction for Falsification

On simulations and bisimulations of general flow systems

Reasoning About Bounds In Weighted Transition Systems

Course Runtime Verification

Trace Diagnostics using Temporal Implicants

Dynamic Semantics. Dynamic Semantics. Operational Semantics Axiomatic Semantics Denotational Semantic. Operational Semantics

Alternating-Time Temporal Logic

arxiv:math/ v1 [math.lo] 5 Mar 2007

CTL, the branching-time temporal logic

Chapter 5: Linear Temporal Logic

Guest lecturer: Mark Reynolds, The University of Western Australia. May 7, 2014

Lecture 2: Symbolic Model Checking With SAT

The Calculus of Computation: Decision Procedures with Applications to Verification. Part I: FOUNDATIONS. by Aaron Bradley Zohar Manna

CSE507. Course Introduction. Computer-Aided Reasoning for Software. Emina Torlak

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Propositional Logic: Syntax

Axiomatic Semantics: Verification Conditions. Review of Soundness and Completeness of Axiomatic Semantics. Announcements

22c:145 Artificial Intelligence

Predicate Abstraction: A Tutorial

Linear Temporal Logic (LTL)

Discrete Mathematics

Reasoning about Time and Reliability

Lecture 16: Computation Tree Logic (CTL)

Chapter 3: Linear temporal logic

02 Propositional Logic

Lecture Notes: Axiomatic Semantics and Hoare-style Verification

PSL Model Checking and Run-time Verification via Testers

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Lecture Notes on Software Model Checking

Computation Tree Logic (CTL)

A Context Dependent Equivalence Relation Between Kripke Structures (Extended abstract)

Basic Algebraic Logic

Alternating Time Temporal Logics*

Automated Program Verification and Testing 15414/15614 Fall 2016 Lecture 2: Propositional Logic

Natural Deduction for Propositional Logic

Transcription:

ESE601: Hybrid Systems Introduction to verification Spring 2006

Suggested reading material Papers (R14) - (R16) on the website. The book Model checking by Clarke, Grumberg and Peled.

What is verification? We need to make sure that the engineering systems we build are safe, functioning correctly, etc. Systems can mean software, hardware, protocols, etc. Thus, not restricted to hybrid systems. In fact, verification originates in computer science, i.e. for discrete event systems. How is verification done? The system is represented as transition system, the properties to be verified are represented as temporal logic formulas, whose truth values are to be determined/verified.

Transition Systems A transition system consists of T = ( Q, Σ,, O, ) A set of states Q A set of events Σ A set of observations O The transition relation q The observation map q = 1 q2 1 o 0 o 0 o 0 q 0 q1 o 0 q2 Initial may be incorporated The sets Q,, and O may be infinite Σ Language of T is all sequences of observations o1 q3 o2 q4

The parking meter A painful example 5p 5p 5p 0 1 2 3 4 5 60 exp act act act act tick tick tick tick tick tick tick tick 5p States Q ={0,1,2,,60} Events {tick,5p} Observations {exp,act} A possible string of observations (exp,act,act,act,act,act,exp, ) act act

Temporal logic (informal) Temporal logic involves logical propositions whose truth values depend on time. Tomorrow is Thursday The time is related to the execution steps of the transition system. The asserted property is related to the observation of the transition system. At the next state, the meter expires

The basic verification problem Given transition system T, and temporal logic formula ϕ Basic verification problem T =ϕ The transition system satisfies the formula if: -All executions satisfy the formula (linear time) -The initial states satisfy the formula (branching time)

Another verification problem Given transition system T, and specification system S Another verification problem L(T) ò L(S) Language inclusion problems. Recall supervisory control problem.

Linear temporal logic syntax Linear temporal logic The LTL formulas are defined inductively as follows Atomic propositions All observation symbols p are formulas Boolean operators If ϕ 1 and ϕ 2 are formulas then ϕ 1 ϕ 2 ϕ 1 Temporal operators If and are formulas then ϕ 1 ϕ 2 ϕ 1 U ϕ 2 í ϕ 1

Linear temporal logic LTL formulas are evaluated over (infinite) sequences of execution, which are called words. Ex: w=(exp,act,act,act,act,act,exp, ) (w, 0) =exp, (w, 1) =act, (w, 1) = exp, ááá A word w satisfies a formula iff (w,0) satisfies it. w = þ : (w, 0) = þ w = í þ : (w, 1) = þ w = ò U þ : (w, i) = ò, (w, N) = þ, 0 ô i<n.

Linear temporal logic Express temporal specifications along sequences Informally Syntax Semantics Eventually p p ããããããããp Always p p pppppppppppppp If p then next q p í q ãããããããpq p until q puq ppppppppppq ããã

Linear temporal logic Syntactic boolean abbreviations Conjunction Implication Equivalence ϕ 1 ϕ 2 = ( ϕ 1 ϕ 2 ) ϕ 1 ϕ 2 = ϕ 1 ϕ 2 ϕ 1 ϕ 2 =(ϕ 1 ϕ 2 ) (ϕ 2 ϕ 1 ) Syntactic temporal abbreviations Eventually Always In 3 steps ϕ = > U ϕ ϕ = ϕ í 3 ϕ = íííϕ

Linear temporal logic semantics The LTL formulas are interpreted over infinite (omega) words (w, i) =p iff p i = p w = p 0 p 1 p 2 p 3 p 4... (w, i) =ϕ 1 ϕ 2 iff (w, i) =ϕ 1 or (w, i) =ϕ 2 (w, i) = ϕ 1 iff (w, i) 6 =ϕ 1 (w, i) = í ϕ 1 iff (w, i +1) =ϕ 1 (w, i) =ϕ 1 U ϕ 2 j õ i (w, j) =ϕ 2 and i ô k ô j (w, k) =ϕ 2 w =ϕ iff (w, 0) = ϕ T =ϕ iff w L(T) w = ϕ

LTL examples Two processors want to access a critical section. Each processor can has three observable states p1={incs, outcs, reqcs} p2={incs, outcs, reqcs} Mutual exclusion Both processors are not in the critical section at the same time. (p 1 = incs p 2 = incs) Starvation freedom If process 1 requests entry, then it eventually enters the critical section. p 1 = reqcs p 1 = incs

LTL Model Checking Given transition system and LTL formula we have LTL model checking Determine if T =ϕ System verified Counterexample The transition system satisfies the formula if all executions satisfy it. LTL model checking is decidable for finite T Complexity : O(n + m)2 O(k) states transitions formula length

Computational tree logic (CTL) CTL is based on branching time. Its formulas are evaluated over the tree of trajectories generated from a given state of the transition system.

Computation tree logic CTL syntax The CTL formulas are defined inductively as follows Atomic propositions All observation symbols p are formulas Boolean operators If ϕ 1 and ϕ 2 are formulas then Temporal operators If and are formulas then ϕ 1 ϕ 2 ϕ 1 ϕ 2 ϕ 1 ϕ 1 U ϕ 2 í ϕ 1

Computation tree logic (informally) Express specifications in computation trees (branching time) Informally Syntax Semantics Inevitably next p í p p p p Possibly always p p q p q p

CTL Model Checking Given transition system and CTL formula we have CTL model checking Determine if T =ϕ System verified Counterexample The transition system satisfies the formula if all initial states satisfy it. CTL model checking is decidable for finite T Complexity : O((n + m)k) states transitions formula length

Comparing logics CTL LTL CTL*

Dealing with complexity Bisimulation Simulation Language Inclusion

Language Equivalence Consider two transition systems and over same and O T 1 T 2 Σ T 1 o0 q0 o0 p0 T 2 o 0 q1 o 0 q2 p 1 o 0 o1 q3 o2 q4 o1 p3 o2 p4 Languanges are equivalent L( )=L( ) T 1 T 2

LTL equivalence Consider two transition systems and and an LTL formula T 1 T 2 Language equivalence If L(T 1 )=L(T 2 ) then T 1 =ϕ T 2 =ϕ Language inclusion If L(T 1 ) ò L(T 2 ) then T 2 =ϕ T 1 =ϕ Language equivalence and inclusion are difficult to check

Language Equivalence CTL equivalence T 1 o0 q0 o0 p0 T 2 o 0 q1 o 0 q2 p 1 o 0 o1 q3 o2 q4 o1 p3 o2 p4 false true

Simulation Relations Consider two transition systems T1 = ( Q 1, Σ, 1, O, 1 = ( Q, Σ,, O, T2 2 2 2 over the same set of labels and observations. A relation is called a simulation relation (of T 1 by T 2 ) if it 1. Respects observations if (q,p) S then q = 1 p 2 ) ) S Q 1 Q 2 2. Respects transitions if (q,p) S and q q', then p p' for some (q',p') S If a simulation relation exists, then T1 T 2

Game theoretic semantics Simulation is a matching game between the systems T 1 o0 q0 o0 p0 T 2 o 0 q1 o 0 q2 p 1 o 0 o1 q3 o2 q4 o1 p3 o2 p4 T1 T 2 T2 T1 Check that but it is not true that

The parking meter The parking example 5p 5p 5p 0 1 2 3 4 5 60 exp act act act act tick tick tick tick tick tick tick tick 5p act act A coarser model tick 0 exp 5p tick many 5p act tick S = {(0,0),(1,many),..., (60,many)}

Simulation relations Consider two transition systems and T 1 T 2 Simulation implies language inclusion If T 1 ô T 2 then L(T 1 ) ò L(T 2 ) Complexity of L(T 1 ) ò L(T 2 ) O((n 1 + m 1 )2 n 2 ) Complexity of T 1 ô T 2 O((n 1 + m 1 )(n 2 + m 2 ))

Two important cases Abstraction Refinement T 2 T 1 T1 T 2 T1 T 2 T 1 T 2

Bisimulation Relations Consider two transition systems T1 = ( Q 1, Σ, 1, O, 1 = ( Q, Σ,, O, T2 2 2 2 over the same set of labels and observations. A relation is called a bisimulation relation if it 1. Respects observations if (q,p) S then q = 1 p 2 ) ) S Q 1 Q 2 2. Respects transitions if (q,p) S and if (q,p) S and q q', p p', then p p' then q q' for some (q',p') S for some (q',p') S If a simulation relation exists, then T1 T 2

Bisimulation Consider two transition systems and T 1 T 2 Bisimulation T 1 ñ T 2 if T 1 ô T 2 T 2 ô T 1 Bisimulation is a symmetric simulation Strong notion of equivalence for transition systems CTL* (and LTL) equivalence If T 1 ñ T 2 then T 1 =ϕ T 2 =ϕ If T 1 ñ T 2 then L(T 1 )=L(T 2 )

Special quotients Abstraction T / T T / T When is the quotient language equivalent or bisimilar to T?

Quotient Transition Systems Given a transition system and an observation preserving partition, define naturally using 1. Observation Map T = ( Q, Σ,, O, ) Q Q T/ = ( Q/, Σ,, O, ) P = o iff there exists p P with p = o 2. Transition Relation P P' iff there exists p P, p' P' with p p'

Bisimulation Algorithm T / Quotient system always simulates the original system T When does original system T simulate the quotient system T /? o 2 o 1

Bisimulation Algorithm T / Quotient system always simulates the original system T When does original system T simulate the quotient system T /? o 2 o 1

Transition Systems A region is a subset of states P Q We define the following operators Pre (P) = {q Q p P Pre(P) = {q Q Σ q p} p P q p} Post (P) = {q Q p P Post(P) = {q Q Σ p q} p P p q}

Bisimulation algorithm Bisimulation Algorithm initialize Q/ ø = {p ø q iff <q>=< p>} while P, P 0 Q/ ø such that P 1 := P Pre(P 0 ) P 2 := P \ Pre(P 0 ) Q/ ø := (Q/ ø \{P}) {P 1,P 2 } end while = ò P Pre(P 0 )= ò P If T is finite, then algorithm computes coarsest quotient. If T is infinite, there is no guarantee of termination

Relationships Bisimulation Strongest, more properties, easiest to check Simulation Weaker, less properties, easy to check Language Inclusion Weakest, less properties, difficult to check

Complexity comparisons Bisimulation O(m á log(n)) Simulation O(m á n) Language Equivalence O(m á 2 n )

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback