FORMAL METHODS LECTURE V: CTL MODEL CHECKING

Similar documents
Formal Methods Lecture VII Symbolic Model Checking

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

FORMAL METHODS LECTURE III: LINEAR TEMPORAL LOGIC

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Model Checking Algorithms

Gerwin Klein, June Andronick, Ramana Kumar S2/2016

FORMAL METHODS LECTURE VI BINARY DECISION DIAGRAMS (BDD S)

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Model Checking for the -calculus. Paolo Zuliani , Spring 2011

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

A should be R-closed: R(A) A. We would like this to hold because we would like every element that the rules say should be in A to actually be in A.

Computation Tree Logic (CTL)

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

CS357: CTL Model Checking (two lectures worth) David Dill

Chapter 6: Computation Tree Logic

Computation Tree Logic

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Temporal Logic Model Checking

Model Checking with CTL. Presented by Jason Simas

CTL Model Checking. Prof. P.H. Schmitt. Formal Systems II. Institut für Theoretische Informatik Fakultät für Informatik Universität Karlsruhe (TH)

T Reactive Systems: Temporal Logic LTL

NPTEL Phase-II Video course on. Design Verification and Test of. Dr. Santosh Biswas Dr. Jatindra Kumar Deka IIT Guwahati

Semantics and Verification of Software

Timo Latvala. February 4, 2004

Model for reactive systems/software

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

An Introduction to Multi-Valued Model Checking

Fixpoint Extensions of Temporal Description Logics

Linear Temporal Logic and Büchi Automata

Explicit State Model Checking Algorithm for CTL. CSE 814 CTL Explicit-State Model Checking Algorithm

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Lecture 16: Computation Tree Logic (CTL)

Alternating-Time Temporal Logic

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Overview. overview / 357

3-Valued Abstraction-Refinement

Partial model checking via abstract interpretation

CTL Model checking. 1. finite number of processes, each having a finite number of finite-valued variables. Model-Checking

Computation Tree Logic

Applied Logic. Lecture 1 - Propositional logic. Marcin Szczuka. Institute of Informatics, The University of Warsaw

Inductive Definitions and Fixed Points

Double Header. Model Checking. Model Checking. Overarching Plan. Take-Home Message. Spoiler Space. Topic: (Generic) Model Checking

Model checking (III)

On Modal Logics of Partial Recursive Functions

Reading: Chapter 9.3. Carnegie Mellon

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

cse371/mat371 LOGIC Professor Anita Wasilewska Fall 2018

PSPACE-completeness of LTL/CTL model checking

Logic: Propositional Logic (Part I)

Automata-based Verification - III

LTL and CTL. Lecture Notes by Dhananjay Raju

Model Checking: An Introduction

An Introduction to Multi Valued Model Checking

Modal and temporal logic

Model checking the basic modalities of CTL with Description Logic

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Büchi Automata and Linear Temporal Logic

Automata-based Verification - III

Learning to Verify Branching Time Properties

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Lecture Notes on Model Checking

Scuola Estiva di Logica, Gargnano, 31 agosto - 6 settembre 2008 LOGIC AT WORK. Formal Verification of Complex Systems via. Symbolic Model Checking

Axioms for Set Theory

Metatheory of Recursive Types

Resource-bounded alternating-time temporal logic

What does the partial order "mean"?

Automata on Infinite words and LTL Model Checking

Automata-Theoretic Model Checking of Reactive Systems

Logic Model Checking

Model Checking & Program Analysis

KRIPKE S THEORY OF TRUTH 1. INTRODUCTION

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Boolean decision diagrams and SAT-based representations

The Knaster-Tarski Fixed Point Theorem for Complete Partial Orders

Crash course Verification of Finite Automata CTL model-checking

Real Analysis. Joe Patten August 12, 2018

Introduction to Model Checking

Binary Decision Diagrams

Propositional and Predicate Logic - VII

On the Complexity of the Reflected Logic of Proofs

Math Fall 2014 Final Exam Solutions

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Alan Bundy. Automated Reasoning LTL Model Checking

Löwenheim-Skolem Theorems, Countable Approximations, and L ω. David W. Kueker (Lecture Notes, Fall 2007)

The algorithmic analysis of hybrid system

Model-Checking Games: from CTL to ATL

Theoretical Foundations of the UML

Recursion and Intro to Coq

PSL Model Checking and Run-time Verification via Testers

Comp487/587 - Boolean Formulas

Generalized Strong Preservation by Abstract Interpretation

Introduction. Büchi Automata and Model Checking. Outline. Büchi Automata. The simplest computation model for infinite behaviors is the

CS256/Winter 2009 Lecture #1. Zohar Manna. Instructor: Zohar Manna Office hours: by appointment

Guest lecturer: Mark Reynolds, The University of Western Australia. May 7, 2014

Introduction to Artificial Intelligence Propositional Logic & SAT Solving. UIUC CS 440 / ECE 448 Professor: Eyal Amir Spring Semester 2010

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Systems Verification. Alessandro Abate. Day 1 January 25, 2016

Transcription:

FORMAL METHODS LECTURE V: CTL MODEL CHECKING Alessandro Artale Faculty of Computer Science Free University of Bolzano Room 2.03 artale@inf.unibz.it http://www.inf.unibz.it/ artale/ Some material (text, figures) displayed in these slides is courtesy of: M. Benerecetti, A. Cimatti, M. Fisher, F. Giunchiglia, M. Pistore, M. Roveri, R.Sebastiani. Alessandro Artale (FM First Semester 2010/2011) p. 1/33

Alessandro Artale (FM First Semester 2010/2011) p. 2/33 Summary of Lecture V CTL Model Checking: General Ideas. CTL Model Checking: The Labeling Algorithm. Labeling Algorithm in Details. CTL Model Checking: Theoretical Issues.

Alessandro Artale (FM First Semester 2010/2011) p. 3/33 CTL Model Checking CTL Model Checking is a formal verification technique s.t. The system is represented as a Kripke ModelKM: 1 p 4 2 q 3 p The property is expressed as a CTL formula ϕ, e.g.: P (p P q) The algorithm checks whether all the initial states, s 0, of the Kripke model satisfy the formula (KM,s 0 = ϕ).

Alessandro Artale (FM First Semester 2010/2011) p. 4/33 CTL M.C. Algorithm: General Ideas The algorithm proceeds along two macro-steps: 1. Construct the set of states where the formula holds: [[ϕ]] := {s S :KM,s = ϕ} ([[ϕ]] is called the denotation of ϕ); 2. Then compare the denotation with the set of initial states: I [[ϕ]]?

Alessandro Artale (FM First Semester 2010/2011) p. 5/33 CTL M.C. Algorithm: General Ideas (Cont.) To compute [[ϕ]] proceed bottom-up on the structure of the formula, computing [[ϕ i ]] for each subformula ϕ i of ϕ. For example, to compute [[ P compute: (p P q)]] we need to [[q]], [[ P q]], [[p]], [[p P q]], [[ P (p P q)]]

Alessandro Artale (FM First Semester 2010/2011) p. 6/33 CTL M.C. Algorithm: General Ideas (Cont.) To compute each [[ϕ i ]] for generic subformulas: Handle boolean operators by standard set operations; Handle temporal operators P, P by computing pre-images; Handle temporal operators P, P, P, P, P U, P U, by applying fixpoint operators.

Alessandro Artale (FM First Semester 2010/2011) p. 7/33 Summary CTL Model Checking: General Ideas. CTL Model Checking: The Labeling Algorithm. Labeling Algorithm in Details. CTL Model Checking: Theoretical Issues.

Alessandro Artale (FM First Semester 2010/2011) p. 8/33 The Labeling Algorithm: General Idea The Labeling Algorithm: Input: Kripke Model and a CTL formula; Output: set of states satisfying the formula. Main Idea: Label the states of the Kripke Model with the subformulas of ϕ satisfied there.

Alessandro Artale (FM First Semester 2010/2011) p. 9/33 The Labeling Algorithm: An Example 1 p 1 p 4 2 q 4 2 q 3 p 3 p "q" "AF q" P q (q P ( P q)) [[ P q]] can be computed as the union of: [[q]] = {2} [[q P q]] = {2} {1} = {1,2} [[q P (q P q)]] = {2} {1} = {1,2} (fixpoint).

Alessandro Artale (FM First Semester 2010/2011) p. 10/33 The Labeling Algorithm: An Example (Cont.) "p" 1 p 4 3 p 2 q 4 1 p 2 q 4 1 p 2 q 3 p "p > AF q" 3 p "AF q"

Alessandro Artale (FM First Semester 2010/2011) p. 11/33 The Labeling Algorithm: An Example (Cont.) 1 p 1 p 4 2 q 4 2 q 3 p 3 p "p > AF q" "AG(p > AF q)" P ϕ (ϕ P ( P ϕ)) [[ P ϕ]] can be computed as the intersection of: [[ϕ]] = {1,2,4} [[ϕ P ϕ]] = {1,2,4} {1,3} = {1} [[ϕ P (ϕ P ϕ)]] = {1,2,4} {} = {} (fixpoint)

Alessandro Artale (FM First Semester 2010/2011) p. 12/33 The Labeling Algorithm: An Example (Cont.) The set of states where the formula holds is empty, thus: The initial state does not satisfy the property; KM = P (p P q). Counterexample: A lazo-shaped path: 1,2,{3,4} ω (satisfying P (p P q))

Alessandro Artale (FM First Semester 2010/2011) p. 13/33 Summary CTL Model Checking: General Ideas. CTL Model Checking: The Labeling Algorithm. Labeling Algorithm in Details. CTL Model Checking: Theoretical Issues.

Alessandro Artale (FM First Semester 2010/2011) p. 14/33 The Labeling Algorithm: General Schema Assume ϕ written in terms of,, P, U P, P minimal set of CTL operators The Labeling algorithm takes a CTL formula and a Kripke Model as input and returns the set of states satisfying the formula (i.e., the denotation of ϕ): 1. For every ϕ i Sub(ϕ), find [[ϕ i ]]; 2. Compute [[ϕ]] starting from [[ϕ i ]]; 3. Check if I [[ϕ]]. Subformulas Sub(ϕ) of ϕ are checked bottom-up To compute each [[ϕ i ]]: if the main operator of ϕ i is a Boolean Operator: apply standard set operations; Temporal Operator: apply recursive rules until a fixpoint is reached.

Alessandro Artale (FM First Semester 2010/2011) p. 15/33 Denotation of Formulas: The Boolean Case LetKM = S,I,R,L,Σ be a Kripke Model. [[ f alse]] = {} [[true]] = S [[p]] = {s p L(s)} [[ ϕ 1 ]] = S \[[ϕ 1 ]] [[ϕ 1 ϕ 2 ]] = [[ϕ 1 ]] [[ϕ 2 ]]

Alessandro Artale (FM First Semester 2010/2011) p. 16/33 Denotation of Formulas: The P Case [[ P ϕ]] = {s S s. s,s R and s [[ϕ]]} [[ P ϕ]] is said to be the Pre-image of [[ϕ]] (PRE([[ϕ]])). Key step of every CTL M.C. operation. PreImage(P) P

Alessandro Artale (FM First Semester 2010/2011) p. 17/33 Denotation of Formulas: The P Case From the semantics of the ϕ ϕ ( ϕ) Then, the following equivalence holds: P ϕ ϕ ( P P ϕ) temporal operator: To compute [[ P ϕ]] we can apply the following recursive definition: [[ P ϕ]] = [[ϕ]] PRE([[ P ϕ]])

Alessandro Artale (FM First Semester 2010/2011) p. 18/33 Denotation of Formulas: The P Case (Cont We can compute X := [[ P X 1 := [[ϕ]] X 2 := X 1 PRE(X 1 )... X j+1 := X j PRE(X j ) ϕ]] inductively as follows: When X n = X n+1 we reach a fixpoint and we stop. Termination. Since X j+1 X j for every j 0, thus a fixed point always exists (Knaster-Tarski s theorem).

Alessandro Artale (FM First Semester 2010/2011) p. 19/33 Denotation of Formulas: The P U Case From the semantics of theu temporal operator: ϕu ψ ψ (ϕ (ϕu ψ)) Then, the following equivalence holds: P (ϕu ψ) ψ (ϕ P P (ϕu ψ)) To compute [[ (ϕu P ψ)]] we can apply the following recursive definition: [[ (ϕu P ψ)]] = [[ψ]] ([[ϕ]] PRE([[ (ϕu P ψ)]]))

Alessandro Artale (FM First Semester 2010/2011) p. 20/33 Denotation of Formulas: The P U Case (Cont. We can compute X := [[ (ϕu P ψ)]] inductively as follows: X 1 := [[ψ]] X 2 := X 1 ([[ϕ]] PRE(X 1 ))... X j+1 := X j ([[ϕ]] PRE(X j )) When X n = X n+1 we reach a fixpoint and we stop. Termination. Since X j+1 X j for every j 0, thus a fixed point always exists (Knaster-Tarski s theorem).

Alessandro Artale (FM First Semester 2010/2011) p. 21/33 The Pseudo-Code We assume the Kripke Model to be a global variable: FUNCTION Label(ϕ) { case ϕ of true: return S; f alse: return {}; an atom p: return {s S p L(s)}; } ϕ 1 : return S\Label(ϕ 1 ); ϕ 1 ϕ 2 : return Label(ϕ 1 ) Label(ϕ 2 ); P ϕ 1 : return PRE(Label(ϕ 1 )); P (ϕ 1 U ϕ 2 ): return Label_EU(Label(ϕ 1 ),Label(ϕ 2 )); P ϕ 1 : return Label_EG(Label(ϕ 1 )); end case

Alessandro Artale (FM First Semester 2010/2011) p. 22/33 PreImage [[ P ϕ]] = PRE([[ϕ]]) = {s S s. s,s R and s [[ϕ]]} FUNCTION PRE([[ϕ]]){ var X; X := {}; for each s [[ϕ]] do for each s S do if s,s R then X := X {s}; return X }

Alessandro Artale (FM First Semester 2010/2011) p. 23/33 Label_EG [[ P ϕ]] = [[ϕ]] PRE([[ P ϕ]]) FUNCTION LABEL EG([[ϕ]]){ var X, OLD-X; X := [[ϕ]]; OLD-X := /0; while X OLD-X begin OLD-X := X; X := X PRE(X) end return X }

Alessandro Artale (FM First Semester 2010/2011) p. 24/33 Label_EU [[ P (ϕu ψ)]] = [[ψ]] ([[ϕ]] PRE([[ P (ϕu ψ)]])) FUNCTION LABEL EU([[ϕ]],[[ψ]]){ var X, OLD-X; X := [[ψ]]; OLD-X := S; while X OLD-X begin OLD-X := X; X := X ([[ϕ]] PRE(X)) end return X }

Alessandro Artale (FM First Semester 2010/2011) p. 25/33 Summary CTL Model Checking: General Ideas. CTL Model Checking: The Labeling Algorithm. Labeling Algorithm in Details. CTL Model Checking: Theoretical Issues.

Alessandro Artale (FM First Semester 2010/2011) p. 26/33 Correctness and Termination The Labeling algorithm works recursively on the structure ϕ. For most of the logical constructors the algorithm does the correct things according to the semantics of CTL. To prove that the algorithm is Correct and Terminating we need to prove the correctness and termination of both P and P U operators.

Alessandro Artale (FM First Semester 2010/2011) p. 27/33 Monotone Functions and Fixpoints Definition. Let S be a set and F a function, F : 2 S 2 S, then: 1. F is monotone iff X Y then F(X) F(Y); 2. A subset X of S is called a fixpoint of F iff F(X) = X; 3. X is a least fixpoint (LFP) of F, written µx.f(x), iff, for every other fixpoint Y of F, X Y 4. X is a greatest fixpoint (GFP) of F, written νx.f(x), iff, for every other fixpoint Y of F, Y X Example. Let S = {s 0,s 1 } and F(X) = X {s 0 }.

Alessandro Artale (FM First Semester 2010/2011) p. 28/33 Knaster-Tarski Theorem Notation: F i (X) means applying F i-times, i.e., F(F(...F(X)...)). Theorem[Knaster-Tarski]. Let S be a finite set with n+1 elements. If F : 2 S 2 S is a monotone function then: 1. µx.f(x) F n+1 (/0); 2. νx.f(x) F n+1 (S). Proof. (See the textbook Logic in CS pg.241)

Alessandro Artale (FM First Semester 2010/2011) p. 29/33 Correctness and Termination: P Case The function LABEL EG computes: [[ P ϕ]] = [[ϕ]] PRE([[ P ϕ]]) applying the semantic equivalence: P ϕ ϕ ( P P ϕ) Thus, [[ P ϕ]] is the fixpoint of the function: F(X) = [[ϕ]] PRE(X)

Alessandro Artale (FM First Semester 2010/2011) p. 30/33 Correctness and Termination: P Case (Con Theorem. Let F(X) = [[ϕ]] PRE(X), and let S have n+1 elements. Then: 1. F is monotone; 2. [[ P ϕ]] is the greatest fixpoint of F. Proof. (See the textbook Logic in CS pg.242)

Alessandro Artale (FM First Semester 2010/2011) p. 31/33 Correctness and Termination: P U Case The function LABEL EU computes: [[ (ϕu P ψ)]] = [[ψ]] ([[ϕ]] PRE([[ (ϕu P ψ)]])) applying the semantic equivalence: P (ϕu ψ) ψ (ϕ P P (ϕu ψ)) Thus, [[ P (ϕu ψ)]] is the fixpoint of the function: F(X) = [[ψ]] ([[ϕ]] PRE(X))

Alessandro Artale (FM First Semester 2010/2011) p. 32/33 Correctness and Termination: P U Case (Con Theorem. Let F(X) = [[ψ]] ([[ϕ]] PRE(X)), and let S have n+1 elements. Then: 1. F is monotone; 2. [[ P (ϕu ψ)]] is the least fixpoint of F. Proof. (See the textbook Logic in CS pg.243)

Alessandro Artale (FM First Semester 2010/2011) p. 33/33 Summary of Lecture V CTL Model Checking: General Ideas. CTL Model Checking: The Labeling Algorithm. Labeling Algorithm in Details. CTL Model Checking: Theoretical Issues.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback