Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Similar documents
Finite-State Model Checking

Computation Tree Logic (CTL)

PSPACE-completeness of LTL/CTL model checking

Model Checking: An Introduction

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Computation Tree Logic

An Introduction to Temporal Logics

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Model checking the basic modalities of CTL with Description Logic

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Lecture 16: Computation Tree Logic (CTL)

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

CS357: CTL Model Checking (two lectures worth) David Dill

Model for reactive systems/software

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Formal Verification of Mobile Network Protocols

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Lecture Notes on Model Checking

Model Checking. Boris Feigin March 9, University College London

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Abstractions and Decision Procedures for Effective Software Model Checking

MODEL CHECKING. Arie Gurfinkel

Model Checking with CTL. Presented by Jason Simas

Algorithmic verification

Verification Using Temporal Logic

First-order resolution for CTL

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

A Brief Introduction to Model Checking

Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

ESE601: Hybrid Systems. Introduction to verification

Software Verification using Predicate Abstraction and Iterative Refinement: Part 1

Linear Temporal Logic and Büchi Automata

Automata-based Verification - III

T Reactive Systems: Temporal Logic LTL

Alan Bundy. Automated Reasoning LTL Model Checking

3-Valued Abstraction-Refinement

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Model checking (III)

Reasoning about Strategies: From module checking to strategy logic

Temporal Logic Model Checking

State-Space Exploration. Stavros Tripakis University of California, Berkeley

Models. Lecture 25: Model Checking. Example. Semantics. Meanings with respect to model and path through future...

Relating Counterexamples to Test Cases in CTL Model Checking Specifications

Alternating-Time Temporal Logic

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Automata-based Verification - III

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Automata-Theoretic Model Checking of Reactive Systems

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

3. Temporal Logics and Model Checking

Overview. overview / 357

Chapter 4: Computation tree logic

Chapter 6: Computation Tree Logic

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Timo Latvala. February 4, 2004

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Model Checking Algorithms

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Computation Tree Logic

Computer-Aided Program Design

Learning to Verify Branching Time Properties

Linear Temporal Logic (LTL)

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Lecture 2: Symbolic Model Checking With SAT

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Logic-Based Modeling in Systems Biology

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Synthesis weakness of standard approach. Rational Synthesis

LTL and CTL. Lecture Notes by Dhananjay Raju

Revising Specifications with CTL Properties using Bounded Model Checking

Sanjit A. Seshia EECS, UC Berkeley

Computer Aided Verification

Guest lecturer: Mark Reynolds, The University of Western Australia

Computation Tree Logic

Models for Efficient Timed Verification

Symbolic Model Checking Property Specification Language*

Circular Compositional Reasoning about Liveness

An Informal introduction to Formal Verification

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Formula-Dependent Equivalence for Compositional CTL Model Checking

Testing with model checkers: A survey

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Crash course Verification of Finite Automata CTL model-checking

Reasoning about Time and Reliability

Semi-Automatic Distributed Synthesis

Parameter Synthesis for Timed Kripke Structures

Topics in Verification AZADEH FARZAN FALL 2017

Design of Distributed Systems Melinda Tóth, Zoltán Horváth

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

The State Explosion Problem

Decision Procedures for CTL

An On-the-fly Tableau Construction for a Real-Time Temporal Logic

Transcription:

Sérgio Campos, Edmund Why? Advantages: No proofs Fast Counter-examples No problem with partial specifications can easily express many concurrency properties Main Disadvantage: State Explosion Problem Too many processes Data Paths Much progress has been made on this problem recently Tree Problem 1 / 34 Tree Problem 3 / 34 Specification Language: A propositional temporal logic called CTL. Verification Procedure: Exhaustive search of the state space of the concurrent system to determine if the specification is true or not. E. M. and E. A. Emerson. Synthesis of synchronization skeletons for branching time temporal logic. In Logic of programs: workshop Yorktown Heights NY May 1981, volume 131 of Lecture Notes in Computer Science. Springer-Verlag, 1981. J.P. Quielle and J. Sifakis. Specification and verification of concurrent systems in CESAR. In Proceedings of the Fifth International Symposium in Programming, volume 137 of Lecture Notes in Computer Science. Springer-Verlag, 1981. Finite-state systems are modeled by labeled state-transition graphs, called Kripke Structures. If some state is designated as the initial state, the structure can be unwound into an infinite tree with that state as the root. We will refer to the infinite tree obtained in this manner as the computation tree of the system. Paths in the tree represent possible computations or behaviors of the program. Tree Problem 2 / 34 Tree Problem 4 / 34

Cont.) State Transition Graph or Kripke Model b c c b c c c c Infinite Tree (Unwind State Graph to obtain Infinite Tree) Tree Temporal logics may differ according to how they handle branching in the underlying computation tree. In a linear temporal logic, operators are provided for describing events along a single computation path. In ranching-time logic the temporal operators quantify over the paths that are possible from a given state. Tree Problem 5 / 34 Tree Problem 7 / 34 Cont.) Formally, a Kripke structure is a triple M = S R L, where S is the set of states, R S S is the transition relation, and L : S (AP) gives the set of atomic propositions true in each state. We assume that R is total (i.e., for all states s S there exists a state s S such that (s s ) R). A path in M is an infinite sequence of states, π = s0 s1... such that for i 0, (s s1) R. We write π to denote the suffix of π starting at s. Unless otherwise stated, all of our results apply only to finite Kripke structures. The computation tree logic CTL combines both branching-time and linear-time operators. In this logic a path quantifier can prefix an assertion composed of arbitrary combinations of the usual linear-time operators. 1. Path quantifier: for every path E there exists a path 2. Linear-time operators: Xp p holds next time. Fp p holds sometime in the future Gp p holds globally in the future puq p holds until q holds Tree Problem 6 / 34 Tree Problem 8 / 34

Path Formulas and State Formulas The syntax of state formulas is given by the following rules: If p AP, then p is a state formula. If f and g are state formulas, then f and f g are state formulas. If f is a path formula, then E(f ) is a state formula. Two additional rules are needed to specify the syntax of path formulas: If f is a state formula, then f is also a path formula. If f and g are path formulas, then f, f g, X f, and U fg are path formulas. Path Formulas If f is a path formula, M π = f means that f holds along path π in Kripke structure M. Assume g1 and g2 are path formulas and f is a state formula. The relation M π = f is defined inductively as follows: 1. π = f s is the first state of π and s = f. 2. π = g1 π = g1. 3. π = g1 g2 π = g1 or π = g2. 4. π = X g1 π 1 = g1. 5. π = U g1g2 there exists a k 0 such that π k = g2 and for 0 j < k, π j = g1. Tree Problem 9 / 34 Tree Problem 11 / 34 State Formulas If f is a state formula, the notation M s = f means that f holds at state s in the Kripke structure M. Assume f1 and f2 are state formulas and g is a path formula. The relation M s = f is defined inductively as follows: 1. s = p p L(s). 2. s = f1 s = f1. 3. s = f1 f2 s = f1 or s = f2. 4. s = E(g) there exists a path π starting with s such that π = g. Standard Abbreviations The customary abbreviations will be used for the connectives of propositional logic. In addition, we will use the following abbreviations in writing temporal operators: (f ) E( f ) F f U truef G f F f Tree Problem 10 / 34 Tree Problem 12 / 34

CTL is a restricted subset of CTL that permits only branching-time operators each of the linear-time operators G, F, X, and U must be immediately preceded by a path quantifier. More precisely, CTL is the subset of CTL that is obtained if the following two rules are used to specify the syntax of path formulas. If f and g are state formulas, then X f and U fg are path formulas. If f is a path formula, then so is f. Example: G(EF p) Expressive Power It can be shown that the three logics discussed in this section have different expressive powers. For example, there is no CTL formula that is equivalent to the LTL formula (FG p). Likewise, there is no LTL formula that is equivalent to the CTL formula G(EF p). The disjunction (FG p) G(EF p) is a CTL formula that is not expressible in either CTL or LTL. Tree Problem 13 / 34 Tree Problem 15 / 34 Linear temporal logic (LTL), on the other hand, will consist of formulas that have the form f where f is a path formula in which the only state subformulas permitted are atomic propositions. More precisely, a path formula is either: If p AP, then p is a path formula. If f and g are path formulas, then f, f g, X f, and U fg are path formulas. Example: (FG p) There are eight basic CTL operators: X and EX, G and EG, F and EF, U and EU Each of these can be expressed in terms of EX, EG, and EU: X f = EX( f ) G f = EF( f ) F f = EG( f ) EF f = E[true U f ] [f U g] E[ g U f g] EG g Tree Problem 14 / 34 Tree Problem 16 / 34

Cont.) The four most widely used CTL operators are illustrated below. Each computation tree has the state s0 as its root. M s0 = EF g M s0 = F g M s0 = EG g M s0 = G g True or Counterexample Tree Problem 17 / 34 Tree Problem 19 / 34 The Problem Let M be the state transition graph obtained from the concurrent system. Let f be the specification expressed in temporal logic. Find all states s of M such that M s = f. There exist very efficient model checking algorithms for the logic CTL. E. M., E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Trans. Programming Languages and Systems, 8(2):pages 244 263, 1986. Basic M s0 = EF p? Tree Problem 18 / 34 Tree Problem 20 / 34

Basic M s0 = EF p? U1 = p EX U0 Basic M s0 = EF p? U3 = p EX U2 Tree Problem 21 / 34 Tree Problem 23 / 34 Basic M s0 = EF p? U2 = p EX U1 Basic M s0 = EF p? U4 = p EX U3 Tree Problem 22 / 34 Tree Problem 24 / 34

Basic M s0 = EG a F b? M s0 = F a F b? ~ Basic M s0 = EG a F b? M s0 = F a F b? ~ AF ~a Tree Problem 25 / 34 Tree Problem 27 / 34 Basic M s0 = EG a F b? M s0 = F a F b? ~ AF ~a Basic M s0 = EG a F b? M s0 = F a F b? ~ AF ~a Tree Problem 26 / 34 Tree Problem 28 / 34

Basic M s0 = EG a F b? M s0 = F a F b? ~AF ~a ~ AF ~a ~AF ~a Mutual Exclusion Example ~AF ~a Tree Problem 29 / 34 Tree Problem 31 / 34 Mutual Exclusion Example n t c t c Mutual Exclusion Example t n t n Tree Problem 30 / 34 Tree Problem 32 / 34

Mutual Exclusion Example Tree Problem 33 / 34 The Kyoto University Verifier Vectorized version of EMC algorithm on Fujitsu FACOM VP400E using an explicit representation of the state transition graph. State Machine size: 131,072 states 67,108,864 transitions 512 transitions from each state on the average. CTL formula: 113 different subformulas. Time for model checking: 225 seconds Tree Problem 34 / 34

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback