1 / 119

Lectures on Model Checking

Lectures on Model Checking. Stolen from lectures of Tom Henzinger - EE219C (CS294). A specific model-checking problem is defined by. I |= S. more detailed. more abstract. “implementation” (system model). “specification” (system property).

cathye
Download Presentation

Lectures on Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lectures on Model Checking Stolen from lectures of Tom Henzinger - EE219C (CS294)

  2. A specific model-checking problem is defined by I|=S more detailed more abstract “implementation” (system model) “specification” (system property) “satisfies”, “implements”, “refines” (satisfaction relation)

  3. Model-checking problem I|=S system model system property satisfaction relation

  4. While the choice of system model is important for ease of modeling in a given situation, the only thing that is important for model checking is that the system model can be translated into some form of state-transition graph.

  5. State-transition graph • Q set of states {q1,q2,q3} • A set of atomic observations {a,b,c,d} •  Q  Q transition relation q1  q2 [ ]: Q  2A observation function [q1] = {a, b} set of observations

  6. State-transition graph q1 a a,b b q2 q3

  7. The translation from a system description to a state-transition graph usually involves an exponential blow-up !!! e.g., n boolean variables  2n states “state-explosion problem.” State-transition graphs are not necessarily finite-state, but if not, they are not easy to deal with.

  8. Model-checking problem I|=S system model system property satisfaction relation

  9. Three important decisions when choosing system properties: • operational vs. declarative: automata vs. logic • may vs. must: branching vs. linear time • prohibiting bad vs. desiring good behavior: safety vs. liveness The three decisions are orthogonal, and they lead to substantially different model-checking problems.

  10. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

  11. Safety vs. liveness for state-transition graphs Safety:those properties whose violation always has a finite witness (“if something bad happens on an infinite run, then it happens already on some finite prefix”) Liveness:those properties whose violation never has a finite witness (“no matter what happens along a finite run, something good could still happen later”) We can have an infinite witness by a trace that has a loop

  12. Runs and Traces q1 a a,b b q2 q3 Run: q1 q3  q1  q3  q1  q2  q2  Trace:a  b  a  b  a  a,b  a,b 

  13. State-transition graph S = ( Q, A, , [] ) Finite runs: finRuns(S)  Q* Infinite runs: infRuns(S)  Q Finite traces: finTraces(S)  (2A)* Infinite traces: infTraces(S)  (2A)

  14. This is much easier. Safety: the properties that can be checked on finRuns Liveness: the properties that cannot be checked on finRuns (they need to be checked on infRuns)

  15. Example: Mutual exclusion It cannot happen that both processes are in their critical sections simultaneously. Safety

  16. Example: Bounded overtaking Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter. Safety

  17. Example: Starvation freedom Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually. Liveness

  18. q1 a a,b b q2 q3 infRuns  finRuns

  19. q1 a a,b b q2 q3 infRuns  finRuns * closure *finite branching

  20. For state-transition graphs, all properties are safety properties !

  21. Example: Starvation freedom Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually. Liveness

  22. q1 a a,b b q2 q3 Fairness constraint: the green transition cannot be ignored forever

  23. q1 a a,b b q2 q3 Without fairness: infRuns = q1 (q3 q1)* q2 (q1 q3) With fairness: infRuns = q1 (q3 q1)* q2

  24. Two important types of fairness 1 Weak (Buchi) fairness: a specified set of transitions cannot be enabled forever without being taken 2 Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken

  25. q1 a a,b b q2 q3 Strong fairness

  26. a q1 a,b q2 Weak fairness

  27. Fair state-transition graph S = ( Q, A, , [], WF, SF) WF set of weakly fair actions SF set of strongly fair actions where each action is a subset of 

  28. Weak fairness comes from modeling concurrency || loop x:=0 end loop. loop x:=1 end loop. x=0 x=1 Weakly fair actionWeakly fair action

  29. Strong fairness comes from modeling choice loop m: n: x:=0 | x:=1 end loop. pc=m x=0 pc=m x=1 pc=n x=0 pc=n x=1 Strongly fair actionStrongly fair action

  30. Weak fairness is sufficient for asynchronous models (“no process waits forever if it can move”). Strong fairness is necessary for modeling synchronous interaction (rendezvous). Strong fairness makes model checking more difficult.

  31. Fairness changes only infRuns, not finRuns.  Fairness can be ignored for checking safety properties.

  32. Two remarks The vast majority of properties to be verified are safety. While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness.

  33. Three important decisions when choosing system properties: • operational vs. declarative: automata vs. logic • may vs. must: branching vs. linear time • prohibiting bad vs. desiring good behavior: safety vs. liveness The three decisions are orthogonal, and they lead to substantially different model-checking problems.

  34. Branching vs. linear time Branching time: something may (or may not) happen (e.g., every req may be followed by grant) Linear time: something must (or must not) happen (e.g., every req must be followed by grant)

  35. One is rarely interested in may properties, but certain may properties are easy to model check, and they imply interesting must properties. (This is because unlike must properties, which refer only to observations, may properties can refer to states.)

  36. Fair state-transition graph S = ( Q, A, , [], WF, SF ) Finite runs: finRuns(S)  Q* Infinite runs: infRuns(S)  Q Finite traces: finTraces(S)  (2A)* Infinite traces: infTraces(S)  (2A)

  37. Linear time: the properties that can be checked on infTraces Branching time: the properties that cannot be checked on infTraces

  38. Linear Branching Safety finTraces finRuns Liveness infTraces infRuns

  39. q0 q0 a a q1 q2 q1 a a a q3 q4 q3 q4 b c b c Same traces{aab, aac}{aab, aac} Different runs {q0 q1 q3, q0 q2 q4}, {q0 q1 q3, q0 q1 q4}

  40. Observation a may occur. || It is not the case that a must not occur. Linear

  41. We may reach an a from which we must not reach a b . Branching

  42. q0 q0 a a q1 q2 q1 a a a q3 q4 q3 q4 b c b c Same traces, different runs

  43. Linear time is conceptually simpler than branching time (words vs. trees). Branching time is often computationally more efficient. (Because branching-time algorithms can work with given states, whereas linear-time algorithms often need to “guess” sets of possible states.)

  44. Three important decisions when choosing system properties: • operational vs. declarative: automata vs. logic • may vs. must: branching vs. linear time • prohibiting bad vs. desiring good behavior: safety vs. liveness The three decisions are orthogonal, and they lead to substantially different model-checking problems.

  45. Logics must may Linear Branching Safety STL LivenessLTLCTL finite infinite LTL linear temporal logic STL safe temporal logic CTL computational tree logic

  46. STL (Safe Temporal Logic) -safety (only finite runs) -branching (runs, not traces)

  47. Defining a logic • Syntax: • What are the formulas? • 2. Semantics: • What are the models? • Does model M satisfy formula  ? M |= 

  48. atomic observations Propositional logics (PL): 1. boolean variables (a,b) & boolean operators (,) 2. model = truth-value assignment for variables Propositional modal (e.g., temporal) logics: 1. PL + modal operators (,) 2. model = set of (e.g., temporally) related prop. models observations state-transition graph (“Kripke structure”)

  49. STL Syntax  ::= a |    |   |   |  U  boolean operators boolean variable (atomic observation) modal operators

  50. STL Model ( K, q ) state-transition graph (Kripke structure) state of K

More Related