Model checking, verification of CTL. One must verify or expel... doubts, and convert them into the certainty of YES [Thomas Carlyle]

Similar documents
CTL, the branching-time temporal logic

Principles. Model (System Requirements) Answer: Model Checker. Specification (System Property) Yes, if the model satisfies the specification

p,egp AFp EFp ... p,agp

Computation Tree Logic

Finite-State Verification or Model Checking. Finite State Verification (FSV) or Model Checking

Finite State Model Checking

DRAFT - do not circulate

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Chapter 6: Computation Tree Logic

Game Specification in the Trias Politica

ABSTRACT MODEL REPAIR

Using BDDs to Decide CTL

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

ABSTRACT MODEL REPAIR

Overview. overview / 357

Chapter 4: Computation tree logic

Model for reactive systems/software

RANDOM WALKS AND PERCOLATION: AN ANALYSIS OF CURRENT RESEARCH ON MODELING NATURAL PROCESSES

Finite-State Model Checking

Memoryfull Branching-Time Logic

Model Checking with CTL. Presented by Jason Simas

MODEL CHECKING. Arie Gurfinkel

Approximating min-max k-clustering

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Verification. Arijit Mondal. Dept. of Computer Science & Engineering Indian Institute of Technology Patna

SAT based Abstraction-Refinement using ILP and Machine Learning Techniques

Computation Tree Logic

Model Checking: An Introduction

MATH 2710: NOTES FOR ANALYSIS

Statics and dynamics: some elementary concepts

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

Finding Shortest Hamiltonian Path is in P. Abstract

A Social Welfare Optimal Sequential Allocation Procedure

A Reduction Theorem for the Verification of Round-Based Distributed Algorithms

Distributed Maximality based CTL Model Checking

Feedback-error control

Guest lecturer: Prof. Mark Reynolds, The University of Western Australia

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

MODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL

Introduction to Probability and Statistics

Convex Optimization methods for Computing Channel Capacity

Model Checking I. What are LTL and CTL? dack. and. dreq. and. q0bar

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar

Periodic scheduling 05/06/

Computation Tree Logic

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Chapter 5: Linear Temporal Logic

On Line Parameter Estimation of Electric Systems using the Bacterial Foraging Algorithm

Blame, coercion, and threesomes: Together again for the first time

Sets of Real Numbers

LTL and CTL. Lecture Notes by Dhananjay Raju

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

CMSC 425: Lecture 4 Geometry and Geometric Programming

Abstractions and Decision Procedures for Effective Software Model Checking

Proof Nets and Boolean Circuits

Dialectical Theory for Multi-Agent Assumption-based Planning

Automata-Theoretic Model Checking of Reactive Systems

Lilian Markenzon 1, Nair Maria Maia de Abreu 2* and Luciana Lee 3

CSE 599d - Quantum Computing When Quantum Computers Fall Apart

Lecture 16: Computation Tree Logic (CTL)

Verification Using Temporal Logic

Model Checking. Boris Feigin March 9, University College London

Topic 7: Using identity types

CSE 311 Lecture 02: Logic, Equivalence, and Circuits. Emina Torlak and Kevin Zatloukal

Pretest (Optional) Use as an additional pacing tool to guide instruction. August 21

Temporal Logic Model Checking

On the Chvatál-Complexity of Knapsack Problems

Outline. Markov Chains and Markov Models. Outline. Markov Chains. Markov Chains Definitions Huizhen Yu

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

The Logic of Compound Statements. CSE 2353 Discrete Computational Structures Spring 2018

Universal Finite Memory Coding of Binary Sequences

Combining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)

Chapter 7 Rational and Irrational Numbers

Applying the Mu-Calculus in Planning and Reasoning about Action

Reduced Ordered Binary Decision Diagrams

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

ESE601: Hybrid Systems. Introduction to verification

Linear Temporal Logic and Büchi Automata

Topics in Verification AZADEH FARZAN FALL 2017

Chapter 3: Linear temporal logic

UPPAAL tutorial What s inside UPPAAL The UPPAAL input languages

4. Score normalization technical details We now discuss the technical details of the score normalization method.

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

FAIRNESS FOR INFINITE STATE SYSTEMS

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Lecture 2: Symbolic Model Checking With SAT

Network Configuration Control Via Connectivity Graph Processes

Assignment 1 Solutions Structural Induction and First-Order Logic Due: 11am on Monday 26th August 2013

Node-voltage method using virtual current sources technique for special cases

THEORY OF SYSTEMS MODELING AND ANALYSIS. Henny Sipma Stanford University. Master class Washington University at St Louis November 16, 2006

An introduction to forest-regular languages

Linear-Time Logic. Hao Zheng

SMV the Symbolic Model Verifier. Example: the alternating bit protocol. LTL Linear Time temporal Logic

Distributed Rule-Based Inference in the Presence of Redundant Information

Linear diophantine equations for discrete tomography

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

The State Explosion Problem

Chapter 1: PROBABILITY BASICS

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Transcription:

Chater 5 Model checking, verification of CTL One must verify or exel... doubts, and convert them into the certainty of YES or NO. [Thomas Carlyle] 5. The verification setting Page 66 We introduce linear and branching time, temoral logics and the basic idea of model checking. 5. Theoretical foundations Page 7 Formal resentation of CTL, Krike structures and model checking. 5.3 Model checking CTL Page 77 The analysis for CTL, examle and otimization. Concets introduced: LTL, CTL, linear and branching time, Krike models, control state reachability, liveness analysis, model checking, ROBDDs. THE BEHAVIOUR of a transition system is its set of runs, or its set of comutations. To verify behaviours, we can consider questions like: Does every comutation (run) of the transition system have a desired roerty X? or Is it true that in no comutation, C is immediately followed by on-ac?. 65

66 5. The verification setting Proerties may involve reachability of states. For examle, is there a run leading to deadlock? A deadlocked system can do no more comutation, more formally: Definition 9 The run with is in deadlock if no action is enabled at. We would like to ose more sohisticated questions (other than reachability questions). For examle, we may have qualitative questions like: Every request is eventually served. The sensor signal x is sensed infinitely often. From any stage of the comutation the all clear state can be reached within 3 stes We may also be interested in quantitative questions like: Every request is served within 3 microseconds. The sensor signal x is sensed every milliseconds for ever. From any stage of the comutation the all clear state can be reached within second. An extensional logic is one in which the truth value of a comlex formula can be determined by the truth values of its comonents. By contrast, modal or intensional logics deal with sentences qualified by modal oerators such as could or eventually or must and so on. If the modal oerators refer to time, then we call these logics temoral logics. Consider an assertion like The engine is too hot." The meaning is clear, it does not vary with time, but the truth value of the assertion can vary in time. Sometimes it is true, and sometimes it is false, and it is never true and false simultaneously. Temoral logics are a good mechanism for exressing qualitative temoral roerties of reactive systems. The basic modal oerators are which reresents necessity and its dual which reresents ossibility ( ). The language of modal logic consists of roositional variables, a set of Boolean connectives such as, and the modal oerators.

5. The verification setting 67 (a) Transition system 3 (b) Branching time view Figure 5.: Notions of comutation Consider the transition system in Figure 5.(a). A linear time view of the comutations induced by this system is just the set of all runs: A branching time view of the same system is shown in Figure 5.(b), where the temoral order forms a tree which branches into the future. LTL (Linear Temoral Logic) is a modal linear-time temoral logic, built u from a set of roosition variables, logic connectives and the temoral oerators: indicating that must hold in the next state. (or ) indicating that must hold in all the following states.!" (or #$ ) indicating that eventually (finally) must hold somewhere. %'& indicating that has to hold until & holds at the current or a future osition. ()& The dual of %+* & holds until the first state where holds. In LTL, one can encode formulæ about events along a single comutation ath. By contrast, CTL (Comutation Tree Logic) is a modal branching-time temoral logic. The oerators quantify over all ossible future aths from a given state. CTL and LTL are both subsets of a more general temoral logic CTL*. There are exressions in CTL that cannot be exressed in LTL and vice versa. 3 As an examle, consider,.-/ 3, which is an LTL formula reresenting the idea that: for all aths, eventually holds globally (i.e. from then on).,4/ -5,+63 is a 3

68 CTL formula reresenting the idea that: for all aths, eventually you get to a state where for all aths holds globally (i.e. from then on). This CTL formula does not reresent the same thing as the original LTL formula, even though at first sight it seems to be similar. A counter-examle is given below in Figure 5.. s t Figure 5.: Counter examle It is fairly easy to see that in the LTL linear time view, all runs that start in state have eventually holding globally. In a linear time view, the ossible (infinite) runs from are: u where means an infinite run of state, and means a finite run of. In both state and state, the roerty holds, so in the linear time view, for state,,.-/ 3. However, let us now consider the branching time view, and the CTL formula,4/ -5,+3. Figure 5.3 has the unfolded branching time view.

5. The verification setting 69 Figure 5.3: Unfolded counter examle The CTL formula,4/ -,+63 reresents the idea that: for all aths, eventually you get to a state where for all aths holds globally (i.e. from then on). If you traverse down the left hand sequence in the figure, it does not matter how far you go, you will never get to a state where for all aths holds globally. In other words, this does not reresent the same assertion as the LTL one. CTL formulæ are differentiated from LTL formulæ, because each of the temoral oerators must be receded by a ath quantifier:, (for all aths), and (there exists a ath). Since CTL exressions require every temoral oerator to be receded by a quantifier, and since there are five temoral oerators, and two quantifiers, we have ten base exression tyes.

7 The ten base exression tyes may be exressed in terms of just three exressions: : For one comutation ath, roerty holds in the next state; % : For all comutation aths, roerty holds until holds. % : For one comutation ath, roerty holds until holds. We focus here on CTL secifications. The model-checking verification setting may be visualized as in Figure 5.4, where we extract a (state transition) model from a system. Sense Comuter system Plant Model extraction Actuate Model checker: on heat S5 ok S4 S6 C TS S off heat H S off ac S3 on ac ok Semantics Behaviour of TS S YES! U Figure 5.4: Verification setting Proerty (Temoral logic formula φ) Models of φ The meaning that we attach to is that it correctly reresents the behaviour of the system, exressed as the allowable set of runs (or comutations) of the system. A model-checker checks if this behaviour of the system is a subset of the set of runs (or comutations) induced by an arbitrary roerty, returning YES or NO. NO!

5. The verification setting 7 P P req,ret grt req,ret grt Arbiter (a) Resource arbiter Rsrc S4 Ret S3 S6 S Req Req Ret S5 S Grt Req Req Grt Ret Figure 5.5: Arbiter for an oerating system Ret Req Grt Grt Req S7 (b) Arbiter transition system Consider the following scenario: We have an arbiter in an oerating system, which is controlling access by two rocesses to a single resource, only allowing one at a time to gain access to the resource. Each rocess can request access to the resource, by (erhas) making a req() call. When the resource is free, the arbiter can grant access by signalling the rocess using the grt() signal. When a rocess no longer needs the resource, it signals the arbiter using the ret() signal. In Figure 5.5(a) we see the arbiter, with Figure 5.5(b) showing a transition system for its correct oeration. When modelling this system, it is imortant to identify suitable atomic roositions relevant to the system. Suitable roositions might be: * : Processes and are idle. In the starting state both rocesses are idle. * : Processes and are waiting for the resource. * : Processes and are using the resource. S

7 5. Foundations for CTL model checking The oerator cannot be formalized with an extensional semantics. The Krike semantics is a formal semantics for modal logic systems. - Definition 3 A Krike structure over a set of atomic roositions is a 4- tule, where. is a finite set of states. is a transition relation that must be total 3. is a finite set of atomic roositions 4. is a function which labels each state with the set of atomic roositions true in that state Consider the transition system shown in Figure 5.5(b). The atomic roositions reresent the system s view of the state of the two tasks. They are idle, waiting or using the resource, and we have the following set of atomic roositions: We can convert the transition system into a Krike structure, by writing out $- for each state. The labelling function for each state returns the atomic roositions that are valid in each state. A suitable function is: 5.. The unfolding of " - - - - - - - -! When investigating a Krike structure, it is often easier to visualize the unfolded version # / -$ of the structure.

% 5. Foundations for CTL model checking 73 TS (K if you ignore the actions) off off ch off on on ch UF(K) Figure 5.6: Unfolding of the TV Krike structure In Figure 5.6 the Krike structure reresents a transition system for the irritable TV viewer. The viewer can switch the TV on and off, and also change channels. As soon as the irritable TV viewer switches to a TV channel that is not worth watching, the TV must be switched off. # / -$ is another Krike structure, equivalent in terms of the ath structure of, but much easier to visualize ossible runs, and to see when a run reeats. Definition 3 The unfolding of a Krike structure, from an identified starting state, is # / -$ -, where. - "! $#. 6- - - &% ' () 6- &% ($# *+#(,- 3. "- $- 5.. CTL and CTL- We define a fragment of CTL, called CTL-, which we use to secify the formulæ defining the roerties to be checked against the Krike structure. When used in this context, such a Krike structure is often called a CTL-model (or just a model), and we will refer to such models as.. The CTL- fragment is sufficient to encode any (traditional) CTL formula. % &%.

74 Definition 3 Given a roosition (a finite set of atomic roositions), then is a CTL- formula, and if and are CTL- formulæ, then. is a CTL- formula. is a CTL- formula 3. is a CTL- formula 4..- is a CTL- formula 5., - # is a CTL- formula 6. +- # is a CTL- formula Formulæ with this syntax can be viewed as a tree. For examle, the formula )- )- +- # could be reresented by the tree in Figure 5.7. 5..3 Model checking EX EX Figure 5.7: A CTL- formula shown as a tree Model checking is commonly exressed as a ternary relation - :. The relation is true when the roerty holds in state for a given model.. It is normally defined inductively, with a set of interlocking rules. A labelling algorithm may then be used to establish the set of states satisfying the relation. There are two kinds of roerties that are of interest: EU r

5. Foundations for CTL model checking 75. safety: nothing bad will ever haen. liveness: eventually something good will haen (One is like there exists and the other like for all ). The techniques for assessing safety and liveness are different. For examle, in model checking we use Büchiautomata to exress and check liveness, and state-sace enumeration for safety. Safety is about reachability, but with liveness we must consider infinite non-terminating execution, checking for the reachability of certain (control) states, and so an overall goal is to solve a control state reachability roblem. Let us return to the arbiter examle in Figure 5.5(b), and let. be the resulting CTL-model. We can determine whether or not. for the following examle roerties: EF-, AF- and AG-. Given the Krike structure, it is fairly easy to see that:. * leading to a state in which both and are true. (In fact there is no state in which both and are true).. * EF as there is no ath from AF as every ath from and each of these has either or true. 3. * AG as * 5..4 The definition of and * must lead to one of,, or, The model checking relation (In L A TEX, \models) can be read various ways. In. we might say that holds or is satisfied at state.. A ath from one state is a sequence of states such that and 6- for every. The -th element of is -. The model checking relation is defined for each atomic roosition and each CTL- formula, as:

# # % % 76. $-. iff it is not the case that.. iff. and.. iff. or.. )- iff - and. (i.e. has a successor state at which holds).,.- # iff for every ath from, for some,. -, and. -. +- # iff there is a ath from, where for some,. -, and. - Figure 5.8 shows each of the temoral CTL- oerators in an unfolded Krike structure # / -.. UF(M) (a) s UF(M) q s (b) q q UF(M) s (c)!" Figure 5.8: EX, AU and EU in the unfolded Krike structure The table clearly defines the model checking relation for,, # and # in CTL-, but not for the other CTL oerators,,,+ and so on. The following list shows some of the other oerators that can be derived in terms of the three just given. $#. & & For every next state & holds. It is not the case that there exists a next state at which & does not hold. %#. & '&)(+*-, % & There exists a ath. from such that for every /$ : *3. 4/ &. It is not the case that... q

5.3 Model checking algorithm for CTL 77 5.3 Model checking algorithm for CTL The label field in the Krike structure gives us a mechanism for calculating when a formula satisfies the associated model. in a articular state :.. The model checking rocess has two stes, visualized in Figure 5.9. Sense Comuter system Plant Model extraction Actuate Model checker: on heat S5 ok S4 S6 C TS S off heat H S off ac S3 YES! on ac ok S Ste : Labelled CTL Model Ste : Check state s in Sat( ψ) Figure 5.9: Model checking CTL models Proerty (Temoral logic formula ψ) Firstly, we label each state with the atomic roositions that are true in each state. Secondly, we calculate the sets of states that satisfy the roerty, and if our state is in this set, we can return YES, otherwise NO. We show an algorithm for calculating the satisfaction set for a model, given a formula. This can be calculated using a recursive function (corresonding to a recursive traversal of the structure), which returns the set of states that satisfy a given formula: NO!

< 78 set_of_states sat(proerty ) = if then! else case of true: false: : sat : sat+ sat : sat+ sat EX :!" $#% '&( $#% sat +) A U : lf+*--,! sat % sat3./ /'- # &, E U : lf3 -,! sat 4" sat %/ 5 76 # &, ; where 98 reresents the set of successor states of. The last two lines in the function exress the idea that we can calculate the sets of states for,.- # and +- #, by taking the least fix-oint (and hence the function name lf) of functions : and ; (sometimes exressed as the algorithms and = ). What are the functions : and ;? Some investigation will show.< that,.- # -,.-, - # +#, +- # - )- +- # and it seems aroriate to exress these as fix-oints of the corresonding functions :-?> -,.-?>4 +#, ; -@>4 - )-?>4 We can view this as a labelling rocedure for. where we build u extra labels for each state in the model, rogressively uncovering the subformulas of.

5.3 Model checking algorithm for CTL 79 In Figure 5., we see the labelled arbiter model, and the states that satisfy )-$ and +- #. S4 u i S3 w i u S6 w S i i S5 w w (a) S w S7 w u S u S4 u i S3 w i u S6 w (b)! Figure 5.: Arbiter model checking 5.3. Examle and otimizations S i i S5 w w - The model checking aroach to verification [CGP99] is to abstract out key elements of the software and to verify just these elements. For efficiency, various otimizations can be made if the elements reduce to binary values. Given the underlying reliance on binary abstractions, it is no surrise that model checking is being used in the analysis of digital electronic circuits, but it has also roved effective in the software domain, in the areas of rotocol analysis, the behaviour of reactive systems, and for checking concurrent systems. It is difficult to find examles convincing enough to demonstrate a technique, but which are small enough to fully describe in a short chater. We choose to use as an examle a simle mutual exclusion rotocol in which two rocesses, and share six (boolean) variables, and co-oerate to ensure mutually exclusive access to a critical section of code. A third rocess monitors the variables and changes a turn variable. The entire system is the arallel comosition of these three rocesses, and is continuous (indicated by the trailing recursive call). Each line of code is considered to be atomic, and we use to reresent, to reresent. S w S7 w u S u

+ 8 = if then else if then! " else if then " '&( ; # if then %$ ; = if then else if then ) *" else if then " '&( ; if then %$ ; = if * then ) *" else if then! " &-,(.!! / ; + = ; &-,(.!! / ; The secific rotocol is chosen because it only uses boolean variables, simlifying and shortening this resentation. We can reresent a state of this system as a valuation of the relevant variables. The states for this system are listed in Table 5.. State vars vars 3 vars Next state(s) 46587:9 ;=< 4:> >A4B@9 <@? 465879 ;=< 4:> >A4B@9 <@? (H I J J I J J J $ J I J I J J J *K *L $ I J J J I J J (M L *N K J J I I J J J (H *O (M I J J J J I J (H *P *L J I J J I J J O *N I J J J I J I *Q H *O J J I J I J J $ *P J I J J J I J Q J I J J I J I @ 'H I J J J J I I @ L @ J I J J J I I J I J I J J I *Q K K J J I I J J I 'M L 'M J J I J I J I *N L I J J I J J I *N Table 5.: States for the comlete system We may also characterize this system using a transition diagram as in Figure 5., where the labels on the transitions relate to the line-numbers of the rogram. >DCFEAG

5.3 Model checking algorithm for CTL 8 4 S 3 S S 5 3 S 7 5 S S 5 4 5 9 6 S 6 6 S 4 S S9 8 4 8 S 8 5 8 7 8 S S S3 S4 S5 5 4 Figure 5.: State transition diagram The transition relation may be comactly exressed (using short names for the variables) as the following redicate : 5 Note that the redicate has been ordered to clearly show a correlation with the rogram. The first line corresonds to, the second to and the third to. 5.3. BDD reresentation of transition relation A redicate such as just seen may also be encoded as an ordered binary decision tree (OBDT), in which the levels denote the different variables, and aths through the tree reresent valuations of the transition relation. In Figure 5. we have an OBDT for the exression - -.

8 i3 i i i4 i3 i i T T T T T T T F F F F F F F F F Figure 5.: OBDT for - - Note that if we reorder the variables, we get a different decision tree, but this new tree still reresents the redicate. In other words, it is indeendent of the order of the variables. The OBDT does not scale well, but there are otimizations that may be done. An otimization to exloit reetition on OBDTs leads to reduced ordered binary decision diagrams (ROBDDs). i3 i i i4 i3 i i T T T T T T T F F F F F F F F F i i3 i4 i T T T F F F F F F i 3 T i 4 i T F F F i 3 Figure 5.3: ROBDD reduction for - - ROBDDs rovide a canonical form for the OBDTs, but more significantly, similar sub-trees of a OBDT result in the ROBDD merging the two subtrees. Bryant [Bry86] introduced these data structures, showing how such reresentations of functions may be maniulated efficiently. In the aer, fast algorithms for common boolean oerations are described, with comlexities roortional to the sizes of the grahs. The ROBDD otimization for the urose of model checking was first identified by McMillan [McM93], and resulted in significant imrovements in the number of states that could be model-checked. In roblems which exhibit a attern regularity, T i 4 F i T F i 3 T i 4 F i

5.4 Summary of toics 83 the ROBDD reresentation can be many orders of magnitude smaller than an equivalent (OBDT or enumerated) reresentation. Modern branching time model checkers all use the ROBDD otimization. 5.4 Summary of toics In this section, we introduced the following toics: Verification setting. Basic setting for the verification roblem. Theoretical foundations. Formal foundations for CTL. Model checking algorithms. Algorithms for checking systems. Examle and otimizations. Using BDDs for CTL model checking.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback