fachgebiet rechnersysteme 6. model checking · model checking fachgebiet rechnersysteme...

Fachgebiet Rechnersysteme Verification Technology

Technische UniversitätDarmstadt

6. Model-Checking 1

6. Model CheckingFachgebiet RechnerSysteme

Verification Technology

Content

6.1 Temporal logic6.2 CTL6.3 Symbolic model-checking6.4 Specification of temporal properties in CTL 6.5 Non-deterministic systemsy6.6 Fairness conditions 6.7 Property specification by automata6.8 LTL and CTL

6. Model-Checking 2

What is model-checking? Checking of temporal properties of sequential circuits

Examples:p „It is never possible that all traffic lights are green“ „Eventually, each traffic light will become green“

Model

Temporalproperty

Sequentialcircuit

Model-Checker

Y

N

counter example

6. Model-Checking 3

"It is possible that a=1, b=1, c=1 and d=1 at the same time" Note: it is much easier to specify this

a

b b

+5

+5

+5

+5+1

p yproperty and do model-checking, rather than to invent input sequences that may lead to this state

c c

d d

0 1

+ + + +-1 - -

a b c d

represents allreachable states

6. Model-Checking 4

Temporal logic is used to specify temporal properties, in particular

6.1 Temporal Logic

particular Safety-conditions: "bad things (all traffic lights are

green, deadlock, ...) will never happen" Liveness-conditions: "good things will happen"

(a request will always be followed by an acknowledgement, each traffic light will finally become green, ...)



6. Model-Checking 5

Examples: true or false? "All states can be reached from all other states" "State 11 can never be left"

6.1 Temporal logic

"Starting from initial state 00, it is inevitable that r=1 at some time in the future" The answer depends on the given

state diagram

0/0r s

00 10 11

01

1/0

0/0

0/1

1/0

1/00/0

0/0

1/0

6. Model-Checking 6

Temporal logic is a modal logic: There are different types or modes of "truth"

– Example: today: "it is Thursday" holds, tomorrow:

6.1 Temporal logic

p y y ,it does not hold Not temporally independent like 3+7 = 7+3

Fundamental research by A.Pnueli und Z.Manna in the 70's

Temporal logic can be reduced to predicate logic There are however efficient decision procedures like There are, however, efficient decision procedures like

model-checking for some types of temporal logic

6. Model-Checking 7

Several types of temporal logic (TL)– Example: Linear Temporal Logic (LTL)

considers all execution paths in a system

6.1 Temporal logic

6. Model-Checking 8

LTL Operators X "In the next state" G "Globally in all states"

6.1 Temporal logic

G Globally in all states F "Finally in some state" Reasoning about linear execution paths

– Examples:

X(p)

p p

X(p)

G(p)

F(p)



6. Model-Checking 9

Computation Tree Logic (CTL, Clarke/ Emerson 1981) Model-checkers for CTL based on explicit state

6.2 CTL

Model-checkers for CTL based on explicit state representation were developed since '85

Symbolic model-checking (Clarke/ McMillan) since '90 Propositional logic (Boolean expressions) + temporal

operators Branching-time concept

6. Model-Checking 10

CTL temporal operators are combinations of X, G, F, and Path quantifiers E (existential) and A (universal)

6.2 CTL

q ( ) ( )– Examples: EX, AX, EG, AG, EF, AF

The CTL operators can be nested and combined with Boolean expression

– Examples: EX(a + b), p + AX(b·c), AX(AF(b))


AX(p) characterizes all states where p is certain in the next step

EX(p) characterizes all states where p is possible in the t t

6.2 CTL

next step EX(p)

AX(p) p

successor states


s2

– Example: AX(s2) = ?

6.2 CTL

01

0/0

0/11/00/0

1/0

s1s2

AX(s2) = s1

00 10 111/0

0/1

1/0

0/0




EF(p): p is reachable (now or later)

6.2 CTL

. . .


– Example: EF(s1*s2) = ?"Characterize all states from which we can go back to the initial state"

6.2 CTL

01

0/0

0/11/00/0

0/0

1/0

s1s2

EF(s1*s2) = s1 + s2

s1*s2 00 10 111/0 1/0


AF(p): p is inevitable (now or later)

6.2 CTL

. . .


EG(p): p holds globally on at least one (infinite) path (now and later)

6.2 CTL

. . .




– Example: EG(s1) = ?"Characterize all states from which there exists an infinite path where s1 = 0 ?"

6.2 CTL

01

0/0

0/11/00/0

0/0

1/0

s1s2

s1

EG(s1) = s1

00 10 111/0 1/0


AG(p): p holds always (now and later)

6.2 CTL

. . .


A CTL formula p characterizes a set of states Quiz:

Which states are characterized by the following CTL f l

6.2 CTL

0/0 s1s2

CTL-formulas: AX(s2) = AG(s2 + s1) = EG(s1) =

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0


More operators ... AU(q,p): p is unavoidable (now or later) and q holds

until p

6.2 CTL

EU(q,p): there exists at least one path where p is reachable (now or later) and q holds until p

p

q q

. . .p

p

p

p

q

q

q q

q . . .p

p

qq




AW(q,p) (weak until): p is inevitable (now or later) and q holds until p, or q holds globally

6.2 CTL

. . .


EW(q,p) (weak until): p is reachable (now or later) and q holds until p on this path, or there exists some path where q holds globally

6.2 CTL

. . .


Formal definition of the syntax of CTL: A Boolean expression is a CTL formula If f and g are CTL formulas then

6.2 CTL

gf, f*g, f+g, AX(f), EX(f), AF(f), EF(f), AG(f), EG(f),AU(f, g), EU(f, g) are CTL formulas

– Example:

f + AX( AF(f) )

– Counter example:

f + AXF(f)


Formal definition of the semantics of CTL The validity of a CTL formula is relative to a given transition

system

6.2 CTL

A transition system is characterized by its transition relation T,

T = (sr' r(s1, ..., sn, i1, ..., im ))

Let S be the set of states given by the set of all possible values of the vector (s1, ..., sn) of storage elements

r=1

n

1 n

– Example: for two storage elements we have S = {00, 01, 10, 11}

I and S' are defined correspondingly We introduce the notation T(S, I, S') for the transition

relation




A legal path is a sequence of states z0 , ..., zn where for each pair of states (zi, zi+1), 0 i < n, holds

I: T(zi, I, zi+1) = 1 Thi th t th t iti f t

6.2 CTL

This means that the transition from zi to zi+1 is possible ("legal") for the system defined by T for at least one input combination I

A legal path obviously consists of a sequence of legal transitions

If we talk about "paths" we always mean: If we talk about paths we always mean: "legal paths" in the following


A CTL formula generally characterizes a set of states In the case of Boolean expressions, a Boolean expression

p is viewed as a characteristic function as usual

6.2 CTL

– e.g., the Boolean expression s1 characterizes the states 10 and 11 if we have two flipflops s1 and s2

We introduce the notation

T, z |= p

to denote that the CTL formula p characterizes a state z of ato denote that the CTL formula p characterizes a state z of a transition system T

A CTL formula is a "state formula" A CTL operator is a functional which maps

characteristic functions to characteristic functions


A state z0 is characterized by AX(p), T,z0 |= AX(p), iff for all paths z0, z1, ... we have T,z1 |= p

A state z0 is characterized by EX(p), T,z0 |= EX(p),

6.2 CTL

iff for at least one path z0, z1, ... we have T,z1 |= p

EX(p)

z0z

AX(p) pz1


A state z0 is characterized by AF(p), T,z0 |= AF(p), iff for all paths z0, z1, ... there exists some state zn, 0 n, so that T,zn |= p

t

6.2 CTL

etc.

. . .. . .




A CTL formula p holds for a transition systemT |= p

if the initial state is in the set of states characterized by p

6.2 CTL


In many situations, one is interested in whether a property p holds globally for all reachable states or not

One possibility to check this is

6.2 CTL

To calculate AG(p) To check if the initial state is in AG(p)

Then, for all initializable paths, p holds globally, and thus for all reachable states

if p = 1 we do not need to calculate AG(p)


Example: is s2 AX(s2) valid for all reachable states? "If s2 is zero then s2 is certainly 1 in the next state" ? To prove this, build AG(s2 AX(s2))

6.2 CTL

p , ( 2 ( 2))– AX(s2) = s1

– AG(s2 AX(s2)) = AG(s2 + s1) = s1s2

– Since the initial state 00 is not characterized by this formula the formula does not hold for the transition system

0/0

00 10 11

01

1/0

0/0

0/1

1/0

1/00/0

0/0

1/0

s1s2


A CTL formula is universally valid if it is valid for all transition systems

– Examples:

6.2 CTL

)q(EF)p(EF)qp(EF),q(AG)p(AG)qp(AG

),p,1(EU)p(EF),p,1(AU)p(AF,)p(EG)p(AF

,)p(EF)p(AG,)p(EX)p(AX

++•=•

===

==

)q(EF)p(EF)qp(EF +=+




The history of model-checkers First model checker 1985 (Clarke/Emerson)

6.3 Symbolic Model Checking

First model-checker ~ 1985 (Clarke/Emerson)– Representation of states enumeratively– Limited to ~ 5,000 states

Symbolic model-checking ~ 1990 (McMillan/Clarke)– Based on transiton-functions or -relation– Sets of states are represented by means ofSets of states are represented by means of

OBDD's– "1020 states and beyond"– Breadth-first backwards traversal


Computation of AX(p)


AX(p) p

Successor states("new" states)

Predecessor states("old" states)


Computation of AX(p)

Combinational network, transition functions i


s1

s2

is1'

s2'

1

2

Input

s1

s2

Storageelements

Successor states("new" states)p(s1', s2' )

Predecessor states("old" states) + inputSubstitution:p(s1' , s2' )


– Example: s1' * s2'

1 = s1*s2 + s1*i + s1*s2*i1 * 2

Transition functions:


1 s1 s2 s1 i s1 s2 i

2 = s1 + i

0/0s1 s2

1 2

(s1*s2 + s1*i + s1*s2*i) * (s1 + i)

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0




Computation of AX(p) by substitution and universal quantification

s'


s1

s2

is1'

s2'

1

2

s1

s2

i: [ p(s1' 1(s1, s2 , i), s2' 2(s1, s2 , i)) ]

p

i: f(i) = f(0) + f(1)i: f(i) = f(0) * f(1)


AX( )– Example: s1' * s2'

1 = s1*s2 + s1*i + s1*s2*i1 * 2


1 1 2 1 1 2

2 = s1 + i

0/0s1 s2

1 2

(s1*s2 + s1*i + s1*s2*i) * (s1 + i)

= (s1*s2 + s1*0 + s1*s2*0) * (s1 + 0) *(s1*s2 + s1*1 + s1*s2*1) * (s1 + 1)

= s1*s2

i: [ (s1*s2 + s1*i + s1*s2*i) * (s1 + i) ]

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0

i: f(i) = f(0) + f(1)i: f(i) = f(0) * f(1)


We have

)1()0()s(

nn

n


Substitution can be reduced to existential quantification

)s()s(:s n

nn


General computation of AX and EX:


old (s1, ..., sn) =

old (s1, ..., sn) =

i1, ..., im s1', ..., sn ': (sr' r(s1, ..., sn, i1, ..., im ))*new (s1', ..., sn') r=1

n

i1, ..., im s1', ..., sn ': (sr' r(s1, ..., sn, i1, ..., im ))*new (s1', ..., sn') r=1

n




Efficency of symbolic model-checking is based on OBDD's

T l


OBDD

Sequentialcircuit1 2

Model-Checker

Y

Temporalproperty

package+, *, ,, , ...

1, 2 ,...

N

Counter-example


Computation of the other CTL operators: AF(p): p is unavoidable (now or later)

– Fixed-point calculation:


pK0 := pKi+1 := Ki + AX(Ki)

until Ki = Ki+1

– p AF(p)

EF(p): p is reachable (now or later)

. . .

– Fixed-point calculation:K0 := pKi+1 := Ki + EX(Ki)

until Ki = Ki+1

– p EF(p). . .


– Example: AF(s2) = ?

01

0/0

1/00/0

1/0

s1s2


00 10 111/0

0/1

1/0

1/0

0/0

1/0


AG(p): p holds always– Fixed-point calculation:

K0 := p


0Ki+1 := Ki * AX(Ki)

until Ki = Ki+1

– AG(p) p

EG(p): p holds globally on at least one infinite path

. . .

– Fixed-point calculation:K0 := pKi+1 := Ki * EX(Ki)

until Ki = Ki+1

– EG(p) p

. . .




01

0/0

0/11/00/0

1/0

s1s2

– Example: EG(s1) = ?


00 10 111/0

0/1

1/0

0/0


AU(q,p): q holds until p on all paths– Fixed-point calculation:

K0 := pp

pq q


0Ki+1 := Ki + q*AX(Ki)

until Ki = Ki+1

– p AU(q,p) – If p holds, q does not have to hold

EU(q,p): q holds until p on some path

. . .p

p

p

p

q

qq

(q p) q p p– Fixed-point calculation:

K0 := pKi+1 := Ki + q*EX(Ki)

until Ki = Ki+1

– p EU(q,p)

. . .p

p

qq


Examples of specifications:

6.4 Specification of Temporal Properties in CTL

– AG(req AF(ack)): a request signal is always followed by an acknowledgement

– AG(EF(init)): the initial state init is reachable from all states

– AG(AF(p)): p holds on all infinite paths infinitely often


It is often much easier to specifiy a property and let the model-checker do the work than to invent simulation stimuli to check a specific situation

E l i it ibl th t 1 b 1 1 d d 1 t


– Example: is it possible that a=1, b=1, c=1 und d=1 at the same point of time?

– EF(a*b*c*d)

+5

+5

+5

+5+1

-1 - -a b c d




The specification of general properties in terms of CTL formulas is, however, intricate in many cases

Example (typical beginner's error): "If th i i it bl i th f t " i f l t d b


"If p, then p is inevitable in the future" is formulated by

p AF(p)

This is universally valid since p AF(p) ! The model-checker says "yes" and the

designer is happy !designer is happy ! Correct:

p AX(AF(p))


A further problem are CTL expressions which may be trivially valid Example AG(Req AF(Ack)):


– Intention: check if a request signal is always followed by an acknowledgement If the Req signal is never set, i.e., AG(Req)

holds, then the formula is trivially valid! More complex example:

AG(p AX(q AX(r)))– Intention: check if after p follows q and after q

follows r– The formula is trivially valid if q is never set in

the step after p was set, i.e., if AG(p AX(q)) holds


Using property specification patternss. http://www.cis.ksu.edu/santos/spec-patterns/


Source: Dwyer, Avrunin, Corbett


Pattern "absence"P is false :

Globally AG(P)Before R AU[P , R + AG(R)]

not P holds or R is not reachable

After Q AG(Q AG(P))After Q AG(Q AG(P))Between Q and R AG(Q AU[P , R + AG(R)]) After Q until R AG(Q EU[R , P*R])

even if R is not reachable, not P has to hold "after Q" R R R R

P P P -R R R RP P P

...

Typical application:mutual exclusion

R R R RP P P P

P P P - ...

R R R RP P P P ...

...





CTL was originally defined for so-called Kripke-structures Closed systems, no inputs

6.5 Non-Deterministic Systems

y , p Non-deterministic behavior

S0,a, b

S SS1,c

S2,c, b

S3,c


A number of atomic propositions, e.g., a, b, ... hold in each state (the states are labeled by these propositions) Di ti t t t h id ti l

6.5 Non-deterministic systems

Distinct states may have identical labelings

S0,a, b

S SS1,c

S2,c, b

S3,c


Non-determinism is an important modeling-concept in situations where we have incomplete knowledge of the exact behavior of a systemE l


Examples: Qualitative models of physical systems Behaviour of concurrent programs

2nd floor 2nd

1st floor

1st

between




In a deterministic environment, e.g., HDL and simulators, pseudo input variables are used to model non-determinism; inputs are "free"


2nd floor2nd

progress = '1'

; puncontrolled variables

1st floor

1st

between

progress 1

progress = '0'

progress = '1'


– Example: a qualitative model of a (ideal) pendulum

r, s


00 11

01

10

,

00 11

00: left maximum01: right move11: right maximum10: left move

Problem: infinitely long in state 10 ???


How to represent and reason about a non-deterministic system? The transition-relation T(s1, ..., sn, s1', ..., sn') can be

d t i d t iti b i


determined on a per-transition basis

00 10 s s1 2 s s1 2

State at t-1 State at t

2121 ssssT one product pertransition


– Trivial example:

0 1


T = ss' + ss' + ss' = s + s'




How to get the transition relation of


DeterministicSystems

Non-DeterministicSystems

0 1

Systems Systems

State-diagram

00 10 11

01

1/0

0/0

0/1

1/0

1/00/0

0/0

1/0

s1s2

State-diagram Circuit

s3

s4

s5

s2

i s1

T = ss' + ss' + ss' = s + s'

per-transition basisState-table

T = (s1' 1)*(s2' 2)*...

Determinetransition

functions i


How to calculate EX, AX, etc. for a non-deterministic system with transition relation T(s1, ..., sn, s1', ..., sn')? Calculation of EX:

( )


old (s1, ..., sn) =

s1', ..., sn ': T(s1, ..., sn, s1', ..., sn') *new (s1', ..., sn')

Compute AX(p) as EX(p) ! etc.


– Example:

0 1


0 1

T = ss' + ss' + ss' = s + s'

AX(s') =? EX(s'),EX(s') = s': T*s'

= s': (s + s')*s' = s': ss' + s's' = s

AX(s') = s


The concept of Fairness: The speed of the transitions of the individual

6.6 Fairness Conditions

The speed of the transitions of the individual components of a concurrent system is completely undetermined

It would be unfair if, e.g., only one system were allowed to make progress

Concurrency = Non-determinism + Fairness

System A System B




Fairness is important to model arbitrary, but finite delays

6.6 Fairness conditions

2nd floor

2nd

between

1st floor 1st

It is very unfair to letthe elevator in the

between-stateinfinitely long !


An infinite path is fair, if a number of fairness-conditions are satisfied infinitely often.

A state is fair if it belongs to at least one fair path.


1. Example: fairness-condition c, no state is fair

2. Example: fairness-condition c, all states are fair

c c

fair

c c


Computation of fair-CTL expressions Fairness-condition c Computation of EGF (p, c)


p F (p, )

K0 := p,Ki+1 := Ki * EX(EU( Ki , Ki *c ))

(rather than EG(p) :K0 := p,Ki+1 := Ki * EX(Ki ) )

i.e., c has to be reachable within Kii+1 i ( i ) )

The fair states are characterized by EGF (1, c)

i


In order to understand the meaning and calculation of EGF, we consider first the calculation of the ordinary EGin the case of an acyclic state-diagram:


K0 := p,Ki+1 := Ki * EX(Ki )




K = p*EX(p)

K0 := p,Ki+1 := Ki * EX(Ki )

6.6 Fairness conditions EG(p)

K1 = p*EX(p)

EX(p) K0 = p

Building the product of p and EX(p), we observe thatwe loose the "tail" of the state diagram after the first step


K2 = K1*EX(K1)

K0 := p,Ki+1 := Ki * EX(Ki )


K1 EX(K1)

EX(K1) K1

In the next step building K1*EX(K1) again one slice of the tail of the state diagram is cut


K0 := p,Ki+1 := Ki * EX(Ki )


EX(K2) K2

Finally, the intersection of K2 and EX(K2) becomes empty


K *EX( )

EG(p) is non-empty only if there is a cycle in p:

K0 := p,Ki+1 := Ki * EX(Ki )


K1 = p*EX(p)

EX(p) K0 = p

Building the product of p and EX(p), we again loose the "tail" of the state diagram after the first step




K2 = K *EX(K )

K0 := p,Ki+1 := Ki * EX(Ki )


K1 EX(K1)

EX(K1) K1

In the next step building K1*EX(K1), again one slice of the tail of the state diagram is cut


K3 = K *EX(K )

K0 := p,Ki+1 := Ki * EX(Ki )


K2 EX(K2)

EX(K2) K2

However, in the next step we have K3 = K2 due to the cyclic nature of the state diagram


K p*EX(EU(p p*c))

Calculating EGF(p, c) we add some fairness condition c:

K0 := p,Ki+1 := Ki*EX(EU(Ki, Ki*c))


K1 = p*EX(EU(p, p*c))

EX(EU(p, p*c)) K0 = pc

c

Calculating EX(EU(p, p*c)) we loose some states of the "tail" which are not on a fair path

EU(p, p*c)


K0 := p,Ki+1 := Ki*EX(EU(Ki , Ki*c))


EX(EU(K K * ))

K1 c

EX(EU(K1 , K1*c))c

Calculating K2 = K1* EX(EU(K1 , K1*c)) we get EU(K1 , K1*c), loose all unfair states, and a fixed-point is reached

EU(K1 , K1*c)




1. Example: EG cF ( , )1 ),( 00 cKKEU


K 0 1

K 3 0

KK2

c c

0

K pK K EX EU K K ci i i i

0

1

: ,: ( ( , ) )

KK EX EU K K c

1

0 0 0

( ( , ))K EX EU K K c

2

1 1 1 ( ( , ))


2. Example: EG cF ( , )1


K EU c1 1 ( )

c c

K EU cK K EX EU K K c

1

2 1 1 1

1

( , )( ( , ))

K pK K EX EU K K ci i i i

0

1

: ,: ( ( , ) )


3. Example: pendulum

r, s


K0

00 11

01

10

c

00 11

Ki+1 := Ki * EX(EU( Ki , Ki *c ))

K1 := K0 * EX(EU(1, 1*c )) = K0

00: left maximum01: right move11: right maximum10: left move


EX p c EX p EG cEF EF EG

F F( , ) ( ( , ) ),( ) ( ( ) )

11

Computation of the other fair-CTL expressions:


EF p c EF p EG cEU q p c EU q p EG c

AX p c EX p c

AF p c EG p c

AG p c EF p c

F F

F F

F F

F F

F F

( , ) ( ( , ) ),( , , ) ( , ( , ) ),

( , ) ( , ),

( , ) ( , ),

( , ) ( , ),

11

AU q p c EU p q p c EG p cF F

F F F( , , ) ( , , ) ( , )




– Example: calculation of AFF(rs, r), i.e., rs is unavoidable under fairness-condition r(in contrast, AF(rs) = rs)


0/0

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0

r s


AFF(rs, r) = EGF(r + s, r)


K0 := p, Ki+1 := Ki * EX(EU( Ki , Ki *c ))

0/0

r s

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0

r s


AFF(rs, r) = EGF(r + s, r)K0= r + s,K1= (r + s)*EX(EU(r + s, (r + s)*r))

= (r + s)*EX(EU(r + s sr))


0/0

= (r + s) EX(EU(r + s, sr)) = (r + s)*EX(sr) = (r + s)*r = rs,

K2= rs*EX(EU(rs, (rs)*r))= rs*EX(rs) = rs*r = rs,

AFF(rs, r) = rs = r + s K0 := p, Ki+1 := Ki * EX(EU( Ki , Ki *c ))

00 10 11

01

1/0

0/1

1/0

1/00/0

0/0

1/0

r s


Basic idea: Represent a property by an "observer" (or monitor)

6.7 Property Specification by Automata

Represent a property by an observer (or monitor) automaton

The observer checks the behavior of a system and goes into a "bad" state if the property is violated

Build the product-machine of the observer and the system

Show that the "bad" state is unreachable i e Show that the bad state is unreachable, i.e., AG(bad)




Product-machine of observer and system

6.7 Property specification by automata

Observer

observed values(inputs, storage elements)

"bad" state

SystemInput Output


Rationale: Designers are used to state-diagrams, but not to

temporal logic formalisms


Property verification is reduced to proving properties of type AG(bad)

This type of property can also be proven "on-the-fly" by forward reachability analysis (see Chapter 5) Particularly useful in the case of errors


Example observers for property patterns:P is false :

Globally AG(P)P

P-

"bad"


Before R AU[P , R + AG(R)]P*R

R-

-

P*R R

state

R "bad" state


Q -P is false:After Q

AG(Q AG(P))

P*Q

P*Q P"bad"


Pbad state




6.8 LTL and CTL

LTL Operators X "In the next state" G "Globally in all states" F "Finally in some state"

– Examples:

X(p)

G(p)

F(p)


The semantics of LTL formulas is defined as path formulas

CTL formulas are state formulas

6.8 LTL and CTL

We again use the notation z0, z1, ... for a (legal) path We follow the notational convention that i denotes the i-th

suffix zi, zi+1, ... of a path z0, z1, ..., zi-1, zi, zi+1, ... A Boolean expression b characterizes a path = z0, z1, ...,

notation T, |= b, iff the state z0 is characterized by b T, |= X(p) iff the suffix is characterized by p, , | (p) y p,

i.e., T,1 |= p T, |= F(p) iff there exists some suffix i, 0 ≤ i,

so that T,i |= p T, |= G(p) iff for all suffixes i we have T,i |= p


A LTL formula f holds for a transition system T, T |= f, iff f holds for all intialized paths

6.8 LTL and CTL

In LTL, we always talk about "all" paths There is no possibility to reason about

"some" path


– Example:

6.8 LTL and CTL

0/0r s

00 10 11

01

1/0

0/0

0/1

1/0

1/00/0

0/0

1/0




The subtle differences between path-based and state-based formulas is illustrated by the following example

Assume that we want to express the fact that in the f ll i t t di ll th t ti f t t 00

6.8 LTL and CTL

following state-diagram on all paths starting from state 00, s=1 holds after some time forever

– If the system stays in state 01 forever, then the property is satisfied

– If the system leaves state 01 after some time, then it will get to state 11 satisfying the property as wellI f t F(G( )) h ld– In fact, F(G(s)) holds

00 01 10 11

rs


If, however, we try to formalize the property as a CTL formula, e.g., AF(AG(s)), then we observe that Only state 11 is characterized by AG(s) because in

t t 01 h th h t t t t 10 h

6.8 LTL and CTL

state 01 we have the chance to go to state 10 where s=1 does not hold

Hence, only states 10 and 11 are characterized by AF(AG(s))!

00 01 10 11

rsAG(s)


There is a general agreement that LTL formulas more closely represent the intuitive understanding of temporal properties than CTL formulasH d l h ki LTL f l i t ti ll

6.8 LTL and CTL

However, model-checking LTL formulas is computationally much harder than model-checking CTL

Fortunately, it turns out that in many cases the restriction of temporal formulas to a finite number of steps is sufficient Efficient algorithms exist for this subset! Finite time-windows are typical for many engineering

li ti ( th f ti i di )application (see the usage of timing-diagrams) The importance of powerful language constructs for

finite time-windows is reflected by current developments in the area of verification languages

fachgebiet rechnersysteme 6. model checking · model checking fachgebiet rechnersysteme...

Documents