Model checking Raúl Monroy (from Huth & Ryan’s LICS book)

Upload: jane-mcgee

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Model checking

Model checking

Raúl Monroy

(from Huth & Ryan’s LICS book)

Page 2: Model checking

Verification by model checking

Model checking is based on temporal logic

A formula is not statically true or false in a model

The notion of truth is dynamic: the formulae may change their truth values as the system evolves

Models are transition systems

Page 3: Model checking

Verification by model checking

To verify that a system satisfies a property:

1. Model the system using the description language of the model checker, resulting in M.

2. Code the property using the specification language, resulting in .

3. Run the model checker with inputs M and .

Page 4: Model checking

Temporal logics

Linear-time logics Branching-time logics

Useful in modelling non-deterministic computations

Time: continuous or discrete

LTL: time is linear and discrete

CTL: time is branching and discrete

Page 5: Model checking

Linear-Time Temporal Logic

Page 6: Model checking

LTL: Syntax

Syntax of LTL formulae is defined inductively in Backus Naur form:

Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ Φ) │ (Φ Φ) │ (Φ Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ

where p ranges over atomic formulae

Page 7: Model checking

LTL: Syntax

X, F, G, U, W and R are called temporal connectives

Convention: ¬ and the unary connectives X, F, G bind most tightly; next come U, R and W; then come and ; and after that comes .

Page 8: Model checking

LTL: Syntax

F p G q p W r

F(p G r) ¬q U p

p W (q W r)

G F p F(q s)

Now consider: U r p G q

Page 9: Model checking

Definition of a model

A model, M, is given by (S, , L), where:

S is a set of states;

is a transition relation, such that every s S has some s’ with s s’;

L is a labelling function, L : S P(Atoms).

Page 10: Model checking

Semantics of LTL

[Figure: the model M drawn as a directed graph; its three states are labelled p, q / q, r / r]

A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.

Page 11: Model checking

Deadlock treatment

A system with a state S4 that does not have any further transitions.

[Figure: states S0, S1, S2, S3 and S4 with their transitions; S4 has no outgoing transition]

Page 12: Model checking

Deadlock treatment

An expanded system with a ‘deadlock’ state Sd, such that no state can deadlock; of course, it is then our understanding that reaching the ‘deadlock’ state corresponds to deadlock in the original system.

[Figure: states S0 to S4 together with the added state Sd]

Page 13: Model checking

Linear-time temporal logic

A path in a model M = (S, , L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i 1, si si+1.

We write π = s1 s2 s3 … for the path, and πi for its suffix starting at si; e.g. π3 = s3 s4 s5 …

Page 14: Model checking

Satisfaction relation on paths

Let M = (S, , L) be a model and π = s1 s2 s3 … be a path in M. The satisfaction relation, ⊨, is given by:

1. π ⊨ ⊤

2. π ⊨ p iff p L(s1)

3. π ⊨ ¬Φ iff π ⊭ Φ

4. π ⊨ Φ1 Φ2 iff π ⊨ Φ1 and π ⊨ Φ2

5. π ⊨ Φ1 Φ2 iff π ⊨ Φ1 or π ⊨ Φ2

Page 15: Model checking

6. π ⊨ XΦ iff π2 ⊨ Φ

7. π ⊨ GΦ holds iff, for all i 1, πi ⊨ Φ

8. π ⊨ FΦ holds iff, for some i 1, πi ⊨ Φ

9. π ⊨ Φ U ψ holds iff there is some i 1 s.t. πi ⊨ ψ and for all j = 1, …, i-1, πj ⊨ Φ

10. π ⊨ Φ W ψ holds iff either …; or for all k 1 we have that πk ⊨ Φ

11. π ⊨ Φ R ψ holds iff either there is some i 1 s.t. πi ⊨ Φ and for all j = 1, …, i, πj ⊨ ψ; or for all k 1 we have that πk ⊨ ψ

Page 16: Model checking

[Figure: a path through states S0 to S10, with the states where p and q hold marked]

• Illustration of the meaning of Until in the semantics of LTL.

• Each of the states s3 to s9 satisfies p U q along the path shown

• W is just like U except it does not require that ψ is eventually satisfied along the path in question

• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)
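The path semantics just given can be run mechanically on an ultimately periodic path, a finite prefix followed by a loop repeated forever, which is the form every infinite path of a finite model (and every counterexample a model checker reports) takes. The Python below is an added example written for this transcript, not code from the slides or from Huth & Ryan. It assumes a tuple encoding of formulas, 0-based positions instead of the slides' s1, s2, …, and a constructed sample path whose labels {p, q}, {q, r}, {r}, {r}, … follow the model M of page 10 (that s0 s1 s2 s2 … is a path of M is itself an assumption, since the figure did not survive extraction).

```python
# Added example, not from the slides: evaluating LTL formulas on an
# ultimately periodic path prefix . loop^omega (positions are 0-based here;
# the loop is assumed non-empty).  A formula is an atom name, True/False,
# or a tuple (connective, operand, ...), e.g. ('U', 'q', 'r') for q U r.

def ltl_holds(prefix, loop, phi, i=0):
    """Return True iff the suffix path pi^i satisfies phi (semantics of pages 14-16)."""
    n_pre, n = len(prefix), len(prefix) + len(loop)
    if i >= n_pre:                          # suffixes inside the loop repeat with period len(loop)
        i = n_pre + (i - n_pre) % len(loop)

    def atoms(k):                           # set of atoms true at position k of the path
        return prefix[k] if k < n_pre else loop[(k - n_pre) % len(loop)]

    def sub(k, f):                          # pi^k |= f
        return ltl_holds(prefix, loop, f, k)

    # Because of the periodicity, every distinct suffix pi^k with k >= i occurs
    # among the positions i .. i+n-1, so the quantified connectives scan only those.
    window = range(i, i + n)

    if phi is True or phi is False:
        return phi
    if isinstance(phi, str):                # atom p: p must be in L(s_i)
        return phi in atoms(i)
    op, *a = phi
    if op == 'not': return not sub(i, a[0])
    if op == 'and': return sub(i, a[0]) and sub(i, a[1])
    if op == 'or':  return sub(i, a[0]) or sub(i, a[1])
    if op == 'imp': return (not sub(i, a[0])) or sub(i, a[1])
    if op == 'X':   return sub(i + 1, a[0])                      # item 6
    if op == 'G':   return all(sub(k, a[0]) for k in window)     # item 7
    if op == 'F':   return any(sub(k, a[0]) for k in window)     # item 8
    if op == 'U':   # item 9: some k with psi, and phi at every position before k
        return any(sub(k, a[1]) and all(sub(j, a[0]) for j in range(i, k))
                   for k in window)
    if op == 'W':   # item 10 / page 16: like U, but psi need never happen
        return sub(i, ('U', a[0], a[1])) or sub(i, ('G', a[0]))
    if op == 'R':   # page 16: phi R psi is the dual not(not phi U not psi)
        return not sub(i, ('U', ('not', a[0]), ('not', a[1])))
    raise ValueError(f'unknown connective {op!r}')


# Constructed sample path s0 s1 s2 s2 ... (an assumption about the transitions
# of M): L(s0) = {p, q}, L(s1) = {q, r}, L(s2) = {r}.
PATH_PREFIX = [frozenset({'p', 'q'}), frozenset({'q', 'r'})]
PATH_LOOP = [frozenset({'r'})]

if __name__ == '__main__':
    for f in [('and', 'p', 'q'), ('X', 'r'), ('G', ('not', ('and', 'p', 'r'))),
              ('F', ('G', 'r')), ('U', 'q', 'r'), ('G', ('F', 'p')), ('R', 'q', 'r')]:
        print(f, ltl_holds(PATH_PREFIX, PATH_LOOP, f))
```

Because the suffix πk equals πk+len(loop) once k lies inside the loop, F, G and U only need to inspect a window of len(prefix)+len(loop) positions; W and R are reduced to U and G through the relationships stated on page 16, so the example also shows where W and U differ (on the suffix from s1, r W p holds while r U p does not, since p never occurs again).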

Page 17: Model checking

LTL: Semantics

Suppose M = (S, , L) is a model, s S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ

Page 18: Model checking

Consider again system M

[Figure: M as before; its states are labelled p, q / q, r / r]

Page 19: Model checking

[Figure: the infinite computation tree obtained by unwinding M from state S0; its nodes are copies of S0, S1 and S2 carrying the labels p, q / q, r / r]

Unwinding M as an infinite tree of all computation paths beginning in a particular state

Page 20: Model checking

Example checks for system M

1. M, s0 ⊨ p q

2. M, s0 ⊨ ¬r

3. M, s0 ⊨ ⊤

4. M, s0 ⊨ X r

5. M, s0 ⊨ ¬X (q r)

6. M, s0 ⊨ G¬(p r)

7. M, s2 ⊨ F(¬q r) F G r

8. M, s2 ⊨ G F p

9. M, s0 ⊨ G F p G F r

10. M, s0 ⊨ ¬(G F r G F p)

Page 21: Model checking

Computation Tree Logic

Page 22: Model checking

CTL: Syntax

CTL formulas are defined inductively via a Backus Naur form

Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ Φ) │ (Φ Φ) │ (Φ Φ) │ AX Φ │ EX Φ │ A [Φ U Φ] │ E [Φ U Φ] │ AG Φ │ AF Φ │ EF Φ

where p ranges over atomic formulas

Page 23: Model checking

CTL: Syntax

AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives

Each temporal connective is a pair of symbols:

1st symbol of the pair: A (along all paths) or E (along at least one path)

2nd symbol of the pair: X (neXt state), G (all future states), U (until) and F (some Future step)

AU and EU are binary; X, G, U and F cannot occur independently

¬, AG, AF, AX bind most tightly; next come and ; and after that come and AU

Page 24: Model checking

CTL: Syntax

EG r

AG (q EG r) AG q EG r A [r U q] EF E [r U q]

A [p U EF r]

Page 25: Model checking

CTL: Syntax

AG AF r

A [ p1 U A [ p2 U p3 ]]

E [ A [ p1 U p2 ] U p3 ]

AG ( p A [ p U ( ¬p A [ ¬p U q ] ) ] )

Page 26: Model checking

CTL: Syntax

FG r

A ¬G ¬p

F [ r U q ]

EF [ r U q ]

AEF r

AF [ ( r U q ) (r U q ) ]

Page 27: Model checking

Parse tree of a CTL formula

A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ’s parse tree

[Figure: parse tree of A [AX ¬p U E [EX (p q) U ¬p]]: the root is AU with children AX and EU; AX has the child ¬ over p; EU has the children EX over (p q) and ¬ over p]

A [AX ¬p U E [EX (p q) U ¬p]]

Page 28: Model checking

Semantics of CTL

Let M = (S, , L). Given any s in S, a CTL formula Φ holds in state s, written M, s ⊨ Φ, iff:

Page 29: Model checking

Satisfaction relation, │=

1. M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s S

2. M, s ⊨ p iff p L(s)

3. M, s ⊨ ¬Φ iff M, s ⊭ Φ

4. M, s ⊨ Φ1 Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2

5. M, s ⊨ Φ1 Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2

Page 30: Model checking

6. M, s ⊨ Φ1 Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2

7. M, s ⊨ AX Φ iff for all s1 such that s s1 we have M, s1 ⊨ Φ. Thus, AX says: ‘in every next state’.

8. M, s ⊨ EX Φ iff for some s1 such that s s1 we have M, s1 ⊨ Φ. Thus, EX says: ‘in some next state’.

Page 31: Model checking

9. M, s ⊨ AG Φ holds iff for all paths s1 s2 s3 …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ

Mnemonically: for all computation paths beginning in s the property Φ holds globally

Page 32: Model checking

10. M, s ⊨ EG Φ holds iff there is a path s1 s2 s3 …, where s1 equals s, and for all si along the path, we have M, si ⊨ Φ

Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path

Page 33: Model checking

11. M, s ⊨ AF Φ holds iff for all the paths s1 s2 …, where s1 equals s, there is some si such that M, si ⊨ Φ

Mnemonically: for all computation paths beginning in s there will be some future state where Φ holds

Page 34: Model checking

12. M, s ⊨ EF Φ holds iff there is a path s1 s2 …, where s1 equals s, and for some si along the path, we have M, si ⊨ Φ

Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state

Page 35: Model checking

13. M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 s2 …, where s1 equals s, there is some si along the path such that M, si ⊨ Φ2, and for each j < i, we have M, sj ⊨ Φ1

Mnemonically: All computation paths beginning in s satisfy that Φ1 Until Φ2 holds on it

Page 36: Model checking

14. M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 s2 …, where s1 equals s, and there is some si along the path such that M, si ⊨ Φ2, and for each j < i, we have M, sj ⊨ Φ1

Mnemonically: there Exists a computation path beginning in s such that Φ1 Until Φ2 holds on it

Page 37: Model checking

Semantics of CTL

A system whose starting state satisfies EF Φ, and a system whose starting state satisfies EG Φ

[Figure: the two systems, with the states where Φ holds marked]

Page 38: Model checking

Semantics of CTL

A system whose starting state satisfies AG Φ, and a system whose starting state satisfies AF Φ

[Figure: the two systems, with the states where Φ holds marked]

Page 39: Model checking

Semantics of CTL

[Figure: a path through states S0 to S10, with the states where p and q hold marked]

An illustration of the meaning of Until in the semantics of CTL.

Each of the states s3 to s9 satisfies p U q along the path shown

Page 40: Model checking

Consider again system M

[Figure: M as before; its states are labelled p, q / q, r / r]

Page 41: Model checking

Semantics of CTL

[Figure: the infinite computation tree obtained by unwinding M from state S0; its nodes are copies of S0, S1 and S2 carrying the labels p, q / q, r / r]

Unwinding M as an infinite tree of all computation paths beginning in a particular state

Page 42: Model checking

Example checks for system M

1. M, s0 ⊨ p q

2. M, s0 ⊨ ¬r

3. M, s0 ⊨ ⊤

4. M, s0 ⊨ EX (q r)

5. M, s0 ⊨ ¬AX (q r)

6. M, s0 ⊨ ¬EF (p r)

7. M, s2 ⊨ EG r

8. M, s2 ⊨ AG r

9. M, s0 ⊨ AF r

10. M, s0 ⊨ E [(p q) U r]

11. M, s0 ⊨ A [p U r]

Page 43: Model checking

Practical patterns of specification

It is possible to get to a state where started holds, but ready does not hold: EF ( started ¬ready)

For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: AG ( request AF acknowledged)

Page 44: Model checking

Practical patterns of specification

A certain process is enabled infinitely often on every computation path: AG ( AF enabled)

Whatever happens, a certain process will eventually be permanently deadlocked: AF ( AG deadlock)

Page 45: Model checking

Practical patterns of specification

From any state it is possible to get to a restart state: AG ( EF restart)

Page 46: Model checking

Practical patterns of specification

An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: AG (floor=2 direction=up ButtonPressed5 A [direction=up U floor=5])

Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor = 2

Page 47: Model checking

Practical patterns of specification

The elevator can remain idle in the third floor with its doors closed: AG (floor=3 idle door=closed EG (floor=3 idle door=closed))

Page 48: Model checking

Mutual exclusion

The first modelling attempt

[Figure: the eight states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2 and t1c2 with their transitions]

Page 49: Model checking

Mutual exclusion

Four properties:

1. Safety: 1 =def AG ¬(c1 c2)

2. Liveness: 2 =def AG (t1 AF c1)

3. Non-blocking: 3 =def AG (n1 EX t1)

4. No strict sequencing: 4 =def EF (c1 E[c1 U (¬c1 E[¬c2 U c1])])

Page 50: Model checking

Mutual exclusion

The second modelling attempt

[Figure: the nine states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2, t1c2 and a second copy of t1t2, with their transitions]

Page 51: Model checking

Equivalences in CTL

Two CTL formulas and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by ≡ ψ

Page 52: Model checking

Equivalences in CTL

¬AF ≡ EG ¬

¬EF ≡ AG ¬

¬AX ≡ EX ¬

AF ≡ A [⊤ U ]

EF ≡ E [⊤ U ]

AG ≡ AX AG

EG ≡ EX EG

AF ≡ AX AF

EF ≡ EX EF

A[ U ψ] ≡ ψ ( AX A [ U ψ])

E[ U ψ] ≡ ψ ( EX E [ U ψ])

Page 53: Model checking

Labelling algorithm

INPUT: a CTL model M = (S, , L) and a CTL formula Φ

OUTPUT: the set of states of M which satisfy Φ

Page 54: Model checking

Labelling algorithm

⊥: then no state is labelled with ⊥

p: then label s with p if p L(s)

ψ1 ψ2: label s with ψ1 ψ2 if s is already labelled both with ψ1 and with ψ2

¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1

Page 55: Model checking

Labelling algorithm

AF ψ1:

If any state s is labelled with ψ1, label it with AF ψ1

Repeat: label any state with AF ψ1 if all its successor states are labelled with AF ψ1, until there is no change

Page 56: Model checking

Labelling algorithm

E[ψ1 U ψ2]: If any state s is labelled with ψ2, label it with E[ψ1 U ψ2]

Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least one of its successor states is labelled with E[ψ1 U ψ2], until there is no change

EX ψ1: label any state with EX ψ1 if one of its successors is labelled with ψ1

Page 57: Model checking

Labelling algorithm

The iteration step of the procedure for labelling states with subformulas of the form AF ψ1

[Figure: a state graph in which, at each iteration, further states receive the label AF ψ1]

Repeat… until no change

Page 58: Model checking

Labelling algorithm

The iteration step of the procedure for labelling states with subformulas of the form E [ψ1 U ψ2]

[Figure: a state graph with some states labelled ψ1; at each iteration further states receive the label E [ψ1 U ψ2]]

Repeat… until no change

Page 59: Model checking

Labelling algorithm

Handling EG directly, EG ψ1:

Label all the states that are labelled with ψ1 with EG ψ1

Repeat: delete the label EG ψ1 from any state if none of its successors is labelled with EG ψ1, until there is no change

Page 60: Model checking

Labelling algorithm

A better way of handling EG

[Figure: the graph restricted to the ψ1-states, showing three SCCs and the states marked ⊨ EG ψ1]

Page 61: Model checking

Labelling algorithm

A variant which is more efficient, for the EG ψ case:

Restrict the graph to states satisfying ψ, i.e. delete all other states and their transitions;

Find the maximal strongly connected components (SCCs); these are maximal regions of the state space in which every state is linked with (= has a finite path to) every other one in that region
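An added example, not from the slides, of the SCC-based treatment of EG ψ on a small constructed graph: the graph is restricted to the ψ-states, Kosaraju's algorithm finds the SCCs, and EG ψ is then labelled at every ψ-state from which an SCC containing a cycle is reachable. The last step completes the procedure that the slide leaves at "find the SCCs"; the names succ and psi_states and the sample graph are assumptions of the example.

```python
# Added example, not from the slides: EG psi via strongly connected components
# (pages 60-61).  succ maps each state to its set of successors and psi_states
# is the set of states already labelled psi; both names are assumptions.

def sccs(nodes, succ):
    """Kosaraju's algorithm: the SCCs of the graph (nodes, succ) as a list of sets."""
    order, seen = [], set()

    def visit(u):                      # first pass: record DFS finishing order
        seen.add(u)
        for v in succ[u]:
            if v in nodes and v not in seen:
                visit(v)
        order.append(u)

    for u in nodes:
        if u not in seen:
            visit(u)
    pred = {u: {v for v in nodes if u in succ[v]} for u in nodes}   # transposed graph
    comps, assigned = [], set()
    for u in reversed(order):          # second pass: DFS over the transpose
        if u in assigned:
            continue
        comp, stack = set(), [u]
        while stack:
            x = stack.pop()
            if x in assigned:
                continue
            assigned.add(x)
            comp.add(x)
            stack.extend(pred[x])
        comps.append(comp)
    return comps


def eg_by_scc(succ, psi_states):
    """States satisfying EG psi: those that can reach a cycle inside the psi-states."""
    # Step 1 (page 61): restrict the graph to the states satisfying psi.
    sub = {s: succ[s] & psi_states for s in psi_states}
    # Step 2: find the SCCs; only an SCC that contains a cycle (two or more
    # states, or a self-loop) can sustain an infinite path on which psi holds.
    cyclic = set()
    for comp in sccs(psi_states, sub):
        if len(comp) > 1 or any(s in sub[s] for s in comp):
            cyclic |= comp
    # Step 3: EG psi holds exactly where such an SCC is reachable in the restricted graph.
    result = set(cyclic)
    grew = True
    while grew:
        new = {s for s in psi_states - result if sub[s] & result}
        result |= new
        grew = bool(new)
    return result


# Constructed sample graph (an assumption): psi holds everywhere except in 'f'.
SAMPLE_SUCC = {'a': {'b', 'd'}, 'b': {'c'}, 'c': {'b'}, 'd': {'e'},
               'e': {'f'}, 'f': {'f'}, 'g': {'g', 'a'}}
SAMPLE_PSI = {'a', 'b', 'c', 'd', 'e', 'g'}

if __name__ == '__main__':
    print(sorted(eg_by_scc(SAMPLE_SUCC, SAMPLE_PSI)))
```

In the sample, b and c form a cycle and g has a self-loop, so both qualify; a reaches the b-c cycle and therefore satisfies EG ψ, whereas d and e do not, because the only way onward from e leaves the ψ-states.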

Page 62: Model checking

Labelling algorithm

An example run of the labelling algorithm in our second model of mutual exclusion applied to formula E[ ¬c2 U c1]

Page 63: Model checking

Labelling algorithm

State labels, each prefixed by the iteration at which it was added:

c1n2: 0: c1n2; 1: E [¬c2 U c1]

n1n2: 0: n1n2; 3: E [¬c2 U c1]

t1n2: 0: t1n2; 2: E [¬c2 U c1]

t1t2: 0: t1t2; 2: E [¬c2 U c1]

c1t2: 0: c1t2; 1: E [¬c2 U c1]

n1t2: 0: n1t2

t1c2: 0: t1c2

n1c2: 0: n1c2

t1t2 (second copy): 0: t1t2
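As an added example (not code from the slides or the textbook), the following Python implements the labelling algorithm of pages 53 to 59 and uses it to check the four properties of page 49 on both mutual-exclusion models and to reproduce the run of page 63. Its assumptions: formulas are nested tuples, the transition relations of the two models are taken from the textbook's figures because the diagrams did not survive extraction, and n1n2 is treated as the initial state.

```python
# Added example, not from the slides or the textbook: an explicit-state CTL
# model checker built from the labelling algorithm of pages 53-59 (AF and AU
# by the "all successors" iteration, EU by the "some successor" iteration, EG
# by deleting labels, the other connectives via the equivalences of page 52).
# Formulas are nested tuples such as ('AG', ('imp', 't1', ('AF', 'c1')));
# a model is (states, succ, labels) with succ[s] and labels[s] being sets.
from itertools import count


def label_until(model, psi1, psi2, forall):
    """Iterative labelling for E[psi1 U psi2] (forall=False) or A[psi1 U psi2] (forall=True).

    Returns {state: iteration at which it was labelled}; iteration 1 is the set
    of psi2-states, as in the example run on page 63.  Unlabelled states are absent.
    """
    states, succ, _ = model
    s1, s2 = ctl_label(model, psi1), ctl_label(model, psi2)
    when = {s: 1 for s in s2}
    for it in count(2):
        done = set(when)
        new = {s for s in s1 - done
               if (succ[s] <= done if forall else succ[s] & done)}
        if not new:                      # no change: the fixpoint is reached
            return when
        when.update({s: it for s in new})


def label_eg(model, psi):
    """Direct treatment of EG psi (page 59): start from the psi-states and
    repeatedly drop any state none of whose successors is still labelled."""
    states, succ, _ = model
    sat = set(ctl_label(model, psi))
    while True:
        drop = {s for s in sat if not (succ[s] & sat)}
        if not drop:
            return sat
        sat -= drop


def ctl_label(model, phi):
    """The set of states of the model satisfying the CTL formula phi."""
    states, succ, lab = model
    if phi is True:
        return set(states)
    if phi is False:
        return set()
    if isinstance(phi, str):                      # atom p: p in L(s)
        return {s for s in states if phi in lab[s]}
    op, *a = phi
    if op == 'not': return states - ctl_label(model, a[0])
    if op == 'and': return ctl_label(model, a[0]) & ctl_label(model, a[1])
    if op == 'or':  return ctl_label(model, a[0]) | ctl_label(model, a[1])
    if op == 'imp': return (states - ctl_label(model, a[0])) | ctl_label(model, a[1])
    if op == 'EX':
        sat = ctl_label(model, a[0])
        return {s for s in states if succ[s] & sat}
    if op == 'AX': return ctl_label(model, ('not', ('EX', ('not', a[0]))))   # page 52
    if op == 'EU': return set(label_until(model, a[0], a[1], forall=False))
    if op == 'AU': return set(label_until(model, a[0], a[1], forall=True))
    if op == 'EF': return ctl_label(model, ('EU', True, a[0]))                 # page 52
    if op == 'AF': return ctl_label(model, ('AU', True, a[0]))                 # page 52
    if op == 'EG': return label_eg(model, a[0])
    if op == 'AG': return ctl_label(model, ('not', ('EF', ('not', a[0]))))    # page 52
    raise ValueError(f'unknown connective {op!r}')


def mutex_model(second_attempt):
    """The mutual-exclusion models of pages 48 and 50.  Assumption: the transition
    relation is not legible in the transcript and is taken from the textbook's
    figures.  n = non-critical, t = trying, c = critical, for processes 1 and 2."""
    succ = {'n1n2': {'t1n2', 'n1t2'}, 't1n2': {'c1n2', 't1t2'},
            'n1t2': {'t1t2', 'n1c2'}, 'c1n2': {'c1t2', 'n1n2'},
            'n1c2': {'t1c2', 'n1n2'}, 'c1t2': {'n1t2'}, 't1c2': {'t1n2'},
            't1t2': {'c1t2', 't1c2'}}
    if second_attempt:   # split t1t2 so that each copy remembers who asked first
        succ['t1t2'] = {'c1t2'}
        succ["t1t2'"] = {'t1c2'}
        succ['n1t2'] = {"t1t2'", 'n1c2'}
    states = set(succ)
    labels = {s: {s[:2], s[2:4]} for s in states}     # e.g. "t1t2'" -> {'t1', 't2'}
    return states, succ, labels


# The four properties of page 49.
SAFETY = ('AG', ('not', ('and', 'c1', 'c2')))
LIVENESS = ('AG', ('imp', 't1', ('AF', 'c1')))
NON_BLOCKING = ('AG', ('imp', 'n1', ('EX', 't1')))
NO_STRICT_SEQ = ('EF', ('and', 'c1', ('EU', 'c1', ('and', ('not', 'c1'),
                                                   ('EU', ('not', 'c2'), 'c1')))))


def holds_in_initial_state(model, phi, init='n1n2'):   # init is an assumption
    return init in ctl_label(model, phi)


if __name__ == '__main__':
    for attempt in (False, True):
        m = mutex_model(attempt)
        print('second attempt' if attempt else 'first attempt',
              [holds_in_initial_state(m, f) for f in (SAFETY, LIVENESS, NON_BLOCKING, NO_STRICT_SEQ)])
    print(label_until(mutex_model(True), ('not', 'c2'), 'c1', forall=False))  # the run of page 63
```

Under these assumed transition relations the run labels the second model's states with E[¬c2 U c1] in the same iterations as the slide (c1n2 and c1t2 at 1, t1n2 and t1t2 at 2, n1n2 at 3, the others never), and only the second model satisfies liveness: in the first, the single t1t2 state admits the run t1n2, t1t2, t1c2, t1n2, … on which process 1 never enters its critical section, which is exactly what AG (t1 → AF c1) forbids.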

Page 64: Model checking

The SMV system Input to SMV:

    MODULE main
    VAR
      request : boolean;
      status  : {ready, busy};
    ASSIGN
      init(status) := ready;
      next(status) := case
                        request : busy;
                        1       : {ready, busy};
                      esac;
    SPEC
      AG (request -> AF status = busy)

[Figure: the four states of the model, labelled req, ready / req, busy / ¬req, ready / ¬req, busy]

Page 65: Model checking

Semantics of CTL

A system with four states, and another system with four states

[Figure: two four-state systems whose states are labelled r / p, t, r / q, r / p, q]