Model checking
Raúl Monroy
(from Huth & Ryan’s LICS book)
Verification by model checking
Model checking is based on temporal logic
A formula is not statically true or false in a model
The notion of truth is dynamic: a formula may change its truth value as the system evolves
Models are transition systems
Verification by model checking
To verify that a system satisfies a property:
1. Model the system using the description language of the model checker, obtaining a model M.
2. Code the property using the specification language, obtaining a formula φ.
3. Run the model checker with inputs M and φ.
Temporal logics
Linear-time logics and branching-time logics
Useful in modelling non-deterministic computations
Time: continuous or discrete
LTL: time is linear and discrete
CTL: time is branching and discrete
Linear-Time Temporal Logic
LTL: Syntax
Syntax of LTL formulae is defined inductively in Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ
where p ranges over atomic formulae
LTL: Syntax
X, F, G, U, W and R are called temporal connectives
Convention: ¬, X, F, G (the unary connectives) bind most tightly; next come U, R and W; then ∧ and ∨; and after that →
LTL: Syntax
F p ∧ G q → p W r
F(p → G r) ∨ ¬q U p
p W (q W r)
G F p → F(q ∨ s)
Now consider: U r p G q (not well formed: U is binary, so it cannot begin a formula)
Definition of a model
A model, M, is given by (S, →, L):
S is a set of states
→ is a transition relation, such that every s ∈ S has some s’ with s → s’
L is a labelling function, L : S → P(Atoms)
Semantics of LTL
Figure: model M drawn as a directed graph with states s0 (labelled p, q), s1 (labelled q, r) and s2 (labelled r)
A concise presentation of a model M as a directed graph whose nodes are states, each containing all the propositional atoms that are true in that particular state.
Deadlock treatment
A system with a state S4 that does not have any further transitions.
Figure: states S0, S1, S2, S3 and S4, where S4 has no outgoing transition
Deadlock treatment
An expanded system with a ‘deadlock’ state Sd such that no state can deadlock; of course, it is then our understanding that reaching the ‘deadlock’ state corresponds to deadlock in the original system.
Figure: states S0 to S4 together with the added state Sd
Linear-time temporal logic
A path in a model M = (S, →, L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i ≥ 1, si → si+1
We write π = s1 → s2 → s3 → …; πi denotes the suffix of π starting at si, e.g. π3 = s3 → s4 → s5 → …
Satisfaction relation on paths
Let M = (S, →, L) be a model and π = s1 → s2 → s3 → … be a path in M. The satisfaction relation, ⊨, is given by:
1. π ⊨ ⊤
2. π ⊨ p iff p ∈ L(s1)
3. π ⊨ ¬Φ iff π ⊭ Φ
4. π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
5. π ⊨ Φ1 ∨ Φ2 iff π ⊨ Φ1 or π ⊨ Φ2
6. π ⊨ X Φ iff π2 ⊨ Φ
7. π ⊨ G Φ holds iff, for all i ≥ 1, πi ⊨ Φ
8. π ⊨ F Φ holds iff, for some i ≥ 1, πi ⊨ Φ
9. π ⊨ Φ U ψ holds iff there is some i ≥ 1 s.t. πi ⊨ ψ and for all j = 1, …, i-1, πj ⊨ Φ
10. π ⊨ Φ W ψ holds iff either … (the condition of clause 9); or for all k ≥ 1 we have that πk ⊨ Φ
11. π ⊨ Φ R ψ holds iff either there is some i ≥ 1 s.t. πi ⊨ Φ and for all j = 1, …, i, πj ⊨ ψ; or for all k ≥ 1 we have that πk ⊨ ψ
Figure: a path s0 → s1 → … → s10, annotated with the states where p and q hold
• Illustration of the meaning of Until in the semantics of LTL.
• Each of the states s3 to s9 satisfies p U q along the path shown
• W is just like U except it does not require that ψ is eventually satisfied along the path in question
• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)
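The path clauses above can be run mechanically. The following Python is an added illustration written for this page (it is not code from the slides or from Huth & Ryan’s book): it takes the labelling of the three-state model M used throughout (s0: p, q; s1: q, r; s2: r) and evaluates an LTL formula on a path given as a finite prefix plus a loop, which is the shape of every path a finite model can produce. The tuple encoding of formulas, the names Lasso, horizon and release_is_dual_of_until, and the two sample paths are this example’s own choices, not notation from the slides.

```python
from typing import Dict, Set, Tuple

# Constructed labelling, taken from the three-state model M on the slides:
# s0 is labelled {p, q}, s1 is labelled {q, r} and s2 is labelled {r}.
L: Dict[str, Set[str]] = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}

# LTL formulas are nested tuples (this encoding is the example's own choice):
# ("true",), ("false",), ("atom", p), ("not", f), ("and", f, g), ("or", f, g),
# ("imp", f, g), ("X", f), ("F", f), ("G", f), ("U", f, g), ("W", f, g), ("R", f, g).
Formula = Tuple


class Lasso:
    """An infinite path written as a finite prefix followed by a loop that repeats
    forever.  Every path of a finite model that a model checker exhibits has this
    ultimately periodic shape, which is what makes the check below finite."""

    def __init__(self, prefix, loop, labels=L):
        assert loop, "paths are infinite, so the loop must be non-empty"
        self.prefix, self.loop, self.labels = list(prefix), list(loop), labels

    def state(self, i: int) -> str:
        """The state s_i of the path; positions are numbered from 1 as on the slides."""
        k = i - 1
        if k < len(self.prefix):
            return self.prefix[k]
        return self.loop[(k - len(self.prefix)) % len(self.loop)]

    def horizon(self, i: int) -> int:
        """Last position that needs inspecting from position i: past the prefix the
        truth of any formula at position j depends only on j modulo the loop length,
        so one full turn of the loop after max(i, first loop position) decides every
        F, G, U, W and R (a witness further out has a copy inside that window)."""
        return max(i, len(self.prefix) + 1) + len(self.loop) - 1

    def sat(self, f: Formula, i: int = 1) -> bool:
        """pi^i |= f, following the satisfaction clauses on paths."""
        op = f[0]
        if op == "true":
            return True
        if op == "false":
            return False
        if op == "atom":                      # p in L(s_i)
            return f[1] in self.labels[self.state(i)]
        if op == "not":
            return not self.sat(f[1], i)
        if op == "and":
            return self.sat(f[1], i) and self.sat(f[2], i)
        if op == "or":
            return self.sat(f[1], i) or self.sat(f[2], i)
        if op == "imp":
            return (not self.sat(f[1], i)) or self.sat(f[2], i)
        if op == "X":                         # pi^(i+1) |= f1
            return self.sat(f[1], i + 1)
        positions = range(i, self.horizon(i) + 1)
        if op == "G":                         # f1 at every position from i on
            return all(self.sat(f[1], j) for j in positions)
        if op == "F":                         # f1 at some position from i on
            return any(self.sat(f[1], j) for j in positions)
        if op == "U":                         # psi at some k, phi at every j < k
            return any(self.sat(f[2], k) and all(self.sat(f[1], j) for j in range(i, k))
                       for k in positions)
        if op == "W":                         # U, or phi forever
            return self.sat(("U", f[1], f[2]), i) or self.sat(("G", f[1]), i)
        if op == "R":                         # psi up to and including the first phi, or psi forever
            return any(self.sat(f[1], k) and all(self.sat(f[2], j) for j in range(i, k + 1))
                       for k in positions) or self.sat(("G", f[2]), i)
        raise ValueError(f"unknown connective {op!r}")


p, q, r = ("atom", "p"), ("atom", "q"), ("atom", "r")
PATH_A = Lasso([], ["s0", "s1"])      # s0 s1 s0 s1 ... (constructed sample path)
PATH_B = Lasso(["s0"], ["s2"])        # s0 s2 s2 s2 ... (constructed sample path)


def release_is_dual_of_until(path: Lasso, phi: Formula, psi: Formula) -> bool:
    """Checks phi R psi against its characterisation as the dual of U on one path."""
    direct = path.sat(("R", phi, psi))
    via_until = path.sat(("not", ("U", ("not", phi), ("not", psi))))
    return direct == via_until


if __name__ == "__main__":
    for name, path in [("s0 s1 s0 s1 ...", PATH_A), ("s0 s2 s2 s2 ...", PATH_B)]:
        print(name, "X r:", path.sat(("X", r)), "G F p:", path.sat(("G", ("F", p))),
              "q W false:", path.sat(("W", q, ("false",))),
              "q U false:", path.sat(("U", q, ("false",))))
```

On the two sample paths the difference between W and U in clause 10 shows directly: q holds at every state of s0 s1 s0 s1 …, so q W ⊥ is true there while q U ⊥ is false, because U insists that ⊥ is eventually reached.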
LTL: Semantics
Suppose M = (S, →, L) is a model, s ∈ S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ
Consider again system M (states s0 with p, q; s1 with q, r; s2 with r)
Figure: unwinding M as an infinite tree of all computation paths beginning in a particular state, here s0; the tree nodes are labelled s0, s1 and s2 together with their atoms
Example checks for system M
1. M, s0 ⊨ p ∧ q
2. M, s0 ⊨ ¬r
3. M, s0 ⊨ ⊤
4. M, s0 ⊨ X r
5. M, s0 ⊨ ¬X (q ∧ r)
6. M, s0 ⊨ G ¬(p ∧ r)
7. M, s2 ⊨ F(¬q ∧ r) → F G r
8. M, s2 ⊨ G F p
9. M, s0 ⊨ G F p → G F r
10. M, s0 ⊨ ¬(G F r → G F p)
Computation Tree Logic
CTL: Syntax
CTL formulas are defined inductively via a Backus Naur form
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ AX Φ │ EX Φ │ A [Φ U Φ] │ E [Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ
where p ranges over atomic formulas
CTL: Syntax
AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives
Each temporal connective is a pair of symbols:
1st symbol of the pair: A (along All paths) or E (along at least one path, i.e. there Exists a path)
2nd symbol of the pair: X (neXt state), G (all future states, Globally), U (Until) or F (some Future state)
AU and EU are binary; X, G, U and F cannot occur on their own
Convention: the unary connectives ¬, AX, EX, AG, EG, AF, EF bind most tightly. Next come ∧ and ∨, and after that →, AU and EU
CTL: Syntax
EG r
AG (q → EG r)
AG q → EG r
A [r U q]
EF E [r U q]
A [p U EF r]
CTL: Syntax
AG AF r
A [p1 U A [p2 U p3]]
E [A [p1 U p2] U p3]
AG (p → A [p U (¬p ∧ A [¬p U q])])
CTL: Syntax
The following are not well-formed CTL formulas:
FG r
A ¬G ¬p
F [r U q]
EF [r U q]
AEF r
AF [(r U q) ∧ (r U q)]
Parse tree of a CTL formula
A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ’s parse tree
Figure: parse tree of A [AX ¬p U E [EX (p ∧ q) U ¬p]]; the root is AU, its left subtree is AX over ¬ over p, and its right subtree is EU with EX over ∧ over p and q on the left and ¬ over p on the right
Semantics of CTL
Let M = (S, →, L). Given any s in S, a CTL formula Φ holds in state s, written M, s ⊨ Φ, iff the following hold (satisfaction relation ⊨):
1. M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S
2. M, s ⊨ p iff p ∈ L(s)
3. M, s ⊨ ¬Φ iff M, s ⊭ Φ
4. M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2
5. M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2
6. M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2
7. M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: ‘in every next state’
8. M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: ‘in some next state’
9. M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ. Mnemonically: for All computation paths beginning in s the property Φ holds Globally
10. M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all si along the path we have M, si ⊨ Φ. Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path
11. M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ. Mnemonically: for All computation paths beginning in s there will be some Future state where Φ holds
12. M, s ⊨ EF Φ holds iff there is a path s1 → s2 → …, where s1 equals s, and some si along the path such that M, si ⊨ Φ. Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state
13. M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si along the path such that M, si ⊨ Φ2, and for each j < i we have M, sj ⊨ Φ1. Mnemonically: All computation paths beginning in s satisfy Φ1 Until Φ2
14. M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 → s2 → …, where s1 equals s, and some si along the path such that M, si ⊨ Φ2, and for each j < i we have M, sj ⊨ Φ1. Mnemonically: there Exists a computation path beginning in s that satisfies Φ1 Until Φ2
Semantics of CTL
Figure: a system whose starting state satisfies EF Φ, and a system whose starting state satisfies EG Φ (the states where Φ holds are marked Φ)
Semantics of CTL
Figure: a system whose starting state satisfies AG Φ, and a system whose starting state satisfies AF Φ (the states where Φ holds are marked Φ)
Semantics of CTL
Figure: a path s0 → s1 → … → s10, annotated with the states where p and q hold
An illustration of the meaning of Until in the semantics of CTL.
Each of the states s3 to s9 satisfies p U q along the path shown
Consider again system M (states s0 with p, q; s1 with q, r; s2 with r)
Figure: unwinding M as an infinite tree of all computation paths beginning in a particular state, here s0; the tree nodes are labelled s0, s1 and s2 together with their atoms
Example checks for system M
1. M, s0 ⊨ p ∧ q
2. M, s0 ⊨ ¬r
3. M, s0 ⊨ ⊤
4. M, s0 ⊨ EX (q ∧ r)
5. M, s0 ⊨ ¬AX (q ∧ r)
6. M, s0 ⊨ ¬EF (p ∧ r)
7. M, s2 ⊨ EG r
8. M, s2 ⊨ AG r
9. M, s0 ⊨ AF r
10. M, s0 ⊨ E [(p ∧ q) U r]
11. M, s0 ⊨ A [p U r]
Practical patterns of specification
It is possible to get to a state where started holds, but ready does not hold: EF (started ∧ ¬ready)
For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: AG (request → AF acknowledged)
Practical patterns of specification
A certain process is enabled infinitely often on every computation path: AG ( AF enabled)
Whatever happens, a certain process will eventually be permanently dead-locked: AF ( AG deadlock)
Practical patterns of specification
From any state it is possible to get to the restart state: AG (EF restart)
Practical patterns of specification
An upwards-travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: AG (floor=2 ∧ direction=up ∧ ButtonPressed5 → A [direction=up U floor=5])
Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor=2
Practical patterns of specification
The elevator can remain idle on the third floor with its doors closed: AG (floor=3 ∧ idle ∧ door=closed → EG (floor=3 ∧ idle ∧ door=closed))
Mutual exclusion
The first modelling attempt
Figure: the eight states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2 and t1c2 of the first model, with their transitions
Mutual exclusion
Four properties:
1. Safety: φ1 =def AG ¬(c1 ∧ c2)
2. Liveness: φ2 =def AG (t1 → AF c1)
3. Non-blocking: φ3 =def AG (n1 → EX t1)
4. No strict sequencing: φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])
Mutual exclusion
The second modelling attempt
Figure: the nine states of the second model, n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2, t1c2 and a second t1t2, with their transitions
Equivalences in CTL
Two CTL formulas φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by φ ≡ ψ
Equivalences in CTL
¬AF φ ≡ EG ¬φ
¬EF φ ≡ AG ¬φ
¬AX φ ≡ EX ¬φ
AF φ ≡ A [⊤ U φ]
EF φ ≡ E [⊤ U φ]
AG φ ≡ φ ∧ AX AG φ
EG φ ≡ φ ∧ EX EG φ
AF φ ≡ φ ∨ AX AF φ
EF φ ≡ φ ∨ EX EF φ
A[φ U ψ] ≡ ψ ∨ (φ ∧ AX A[φ U ψ])
E[φ U ψ] ≡ ψ ∨ (φ ∧ EX E[φ U ψ])
Labelling algorithm
INPUT: a CTL model M = (S, →, L) and a CTL formula Φ
OUTPUT: the set of states of M which satisfy Φ
Labelling algorithm
⊥: no state is labelled with ⊥
p: label s with p if p ∈ L(s)
ψ1 ∧ ψ2: label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1 and with ψ2
¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1
Labelling algorithm
AF ψ1:
If any state s is labelled with ψ1, label it with AF ψ1
Repeat: label any state with AF ψ1 if all its successor states are labelled with AF ψ1, until there is no change
Labelling algorithm
E[ψ1 U ψ2]:
If any state s is labelled with ψ2, label it with E[ψ1 U ψ2]
Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least one of its successor states is labelled with E[ψ1 U ψ2], until there is no change
EX ψ1: label any state with EX ψ1 if one of its successors is labelled with ψ1
Labelling algorithm
The iteration step of the procedure for labelling states with subformulas of the form AF ψ1
Figure: a state all of whose successors already carry the label AF ψ1 receives the label; repeat … until no change
Labelling algorithm
The iteration step of the procedure for labelling states with subformulas of the form E [ψ1 U ψ2]
Figure: a state labelled ψ1 with a successor already carrying the label E [ψ1 U ψ2] receives the label; repeat … until no change
Labelling algorithm
Handling EG directly. EG ψ1:
Label all the states with EG ψ1
If any state s is not labelled with ψ1, delete the label EG ψ1 from it
Repeat: delete the label EG ψ1 from any state if none of its successors is labelled with EG ψ1; until there is no change
Labelling algorithm
A better way of handling EG
Figure: the graph restricted to the states satisfying ψ1, with its strongly connected components marked SCC, and a state marked ⊨ EG ψ1
Labelling algorithm
A variant which is more efficient, for the EG ψ case:
Restrict the graph to states satisfying ψ, i.e. delete all other states and their transitions;
Find the maximal strongly connected components (SCCs); these are maximal regions of the state space in which every state is linked with (= has a finite path to) every other one in that region
Labelling algorithm
An example run of the labelling algorithm on our second model of mutual exclusion, applied to the formula E[¬c2 U c1]
Labelling algorithm
Iteration in which each state receives the label E[¬c2 U c1]:
c1n2: iteration 1
c1t2: iteration 1
t1n2: iteration 2
t1t2 (one of the two copies): iteration 2
n1n2: iteration 3
n1t2, t1c2, n1c2 and the other t1t2: never labelled
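The labelling algorithm, the four mutual exclusion properties, the CTL equivalences and the example run above can all be exercised with one small implementation. The Python below is an added example written for this page, not code from the slides or from Huth & Ryan’s book. It labels the states of the second mutual exclusion model with subformulas bottom-up as the slides describe: AF, E[· U ·], EX and EG are handled directly (EG by the delete-labels iteration, not the SCC variant), A[· U ·] by the same all-successors iteration as AF, and EF, AG and AX through the equivalences listed earlier. The state names are the slides’; the transition relation is an assumption of this example (the slides show only the state names; these transitions follow the book’s second attempt, with the two t1t2 states told apart by a suffix), as are the tuple encoding of formulas and the names eu_rounds, sat and holds.

```python
from typing import Dict, Set, Tuple

# Second modelling attempt of mutual exclusion.  States are named after their
# labels (n = non-critical, t = trying, c = critical, for processes 1 and 2).
# The transition relation is an assumption of this example, following the
# book's second attempt; the slide itself lists only the state names.
STATES: Dict[str, Set[str]] = {
    "n1n2": {"n1", "n2"},  "t1n2": {"t1", "n2"},  "c1n2": {"c1", "n2"},
    "t1t2a": {"t1", "t2"}, "c1t2": {"c1", "t2"},  "n1t2": {"n1", "t2"},
    "n1c2": {"n1", "c2"},  "t1c2": {"t1", "c2"},  "t1t2b": {"t1", "t2"},
}
TRANS: Dict[str, Set[str]] = {
    "n1n2": {"t1n2", "n1t2"}, "t1n2": {"c1n2", "t1t2a"}, "c1n2": {"n1n2", "c1t2"},
    "t1t2a": {"c1t2"},        "c1t2": {"n1t2"},          "n1t2": {"n1c2", "t1t2b"},
    "n1c2": {"n1n2", "t1c2"}, "t1t2b": {"t1c2"},         "t1c2": {"t1n2"},
}

# CTL formulas as nested tuples (the example's own encoding): ("true",),
# ("atom", p), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g), ("EX", f),
# ("AX", f), ("AF", f), ("EG", f), ("EF", f), ("AG", f), ("EU", f, g), ("AU", f, g).
Formula = Tuple


def eu_rounds(phi: Formula, psi: Formula, states=STATES, trans=TRANS) -> Dict[str, int]:
    """Labelling for E[phi U psi].  Returns, for each state that gets the label, the
    iteration in which it got it: 1 for the states labelled with psi, then one more
    per repeat step, which adds the phi-states with an already labelled successor,
    until there is no change."""
    labelled = {s: 1 for s in sat(psi, states, trans)}
    phi_states = sat(phi, states, trans)
    iteration = 1
    while True:
        iteration += 1
        new = {s for s in phi_states if s not in labelled and trans[s] & set(labelled)}
        if not new:
            return labelled
        for s in new:
            labelled[s] = iteration


def sat(f: Formula, states=STATES, trans=TRANS) -> Set[str]:
    """The set of states the labelling algorithm labels with f."""
    op = f[0]

    def sub(g: Formula) -> Set[str]:          # label the subformula first
        return sat(g, states, trans)

    if op == "true":
        return set(states)
    if op == "atom":                           # p in L(s)
        return {s for s in states if f[1] in states[s]}
    if op == "not":
        return set(states) - sub(f[1])
    if op == "and":
        return sub(f[1]) & sub(f[2])
    if op == "or":
        return sub(f[1]) | sub(f[2])
    if op == "imp":
        return sub(("or", ("not", f[1]), f[2]))
    if op == "EX":                             # some successor labelled
        s1 = sub(f[1])
        return {s for s in states if trans[s] & s1}
    if op == "AX":                             # every successor labelled
        s1 = sub(f[1])
        return {s for s in states if trans[s] <= s1}
    if op == "EU":
        return set(eu_rounds(f[1], f[2], states, trans))
    if op in ("AF", "AU"):
        # Seed with the states satisfying the last argument, then repeatedly add a
        # state all of whose successors are labelled (for AU it must also satisfy
        # the first argument); AF psi is the special case A[true U psi].
        guard = set(states) if op == "AF" else sub(f[1])
        labelled = sub(f[-1])
        while True:
            new = {s for s in guard if s not in labelled and trans[s] <= labelled}
            if not new:
                return labelled
            labelled |= new
    if op == "EG":
        # Start from every state satisfying the argument and delete the label from
        # any state none of whose successors still carries it, until no change.
        labelled = sub(f[1])
        while True:
            kept = {s for s in labelled if trans[s] & labelled}
            if kept == labelled:
                return labelled
            labelled = kept
    if op == "EF":                             # EF phi = E[true U phi]
        return sub(("EU", ("true",), f[1]))
    if op == "AG":                             # AG phi = not EF not phi
        return sub(("not", ("EF", ("not", f[1]))))
    raise ValueError(f"unknown connective {op!r}")


def holds(f: Formula, state: str = "n1n2") -> bool:
    """M, state |= f, for the initial state n1n2 by default."""
    return state in sat(f)


# The four properties from the mutual exclusion slides.
c1, c2, t1, n1 = ("atom", "c1"), ("atom", "c2"), ("atom", "t1"), ("atom", "n1")
SAFETY = ("AG", ("not", ("and", c1, c2)))
LIVENESS = ("AG", ("imp", t1, ("AF", c1)))
NON_BLOCKING = ("AG", ("imp", n1, ("EX", t1)))
NO_STRICT_SEQUENCING = ("EF", ("and", c1, ("EU", c1, ("and", ("not", c1), ("EU", ("not", c2), c1)))))

if __name__ == "__main__":
    for name, f in [("safety", SAFETY), ("liveness", LIVENESS),
                    ("non-blocking", NON_BLOCKING), ("no strict sequencing", NO_STRICT_SEQUENCING)]:
        print(f"{name}: {holds(f)}")
    print("E[not c2 U c1], iteration per state:", eu_rounds(("not", c2), c1))
```

With these transitions all four properties hold in n1n2, and eu_rounds reproduces the example run above: c1n2 and c1t2 are labelled in iteration 1, t1n2 and one t1t2 in iteration 2, n1n2 in iteration 3, and the remaining four states never. The equivalences can be checked the same way by comparing label sets, for instance sat(EF c1) against sat(c1 ∨ EX EF c1).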
The SMV system
Input to SMV:
MODULE main
VAR
  request : boolean;
  status : {ready, busy};
ASSIGN
  init(status) := ready;
  next(status) := case
    request : busy;
    1 : {ready, busy};
  esac;
SPEC
  AG (request -> AF status = busy)
Figure: the four states of this model, labelled req/ready, req/busy, ¬req/ready and ¬req/busy
Semantics of CTL
Figure: a system with four states, labelled r; p, t, r; q, r; and p, q, and another system with the same four state labels but different transitions