1 / 15

CTL Model Checking

CTL Model Checking. David L. Dill. CTL syntax:. AP -- atomic propositions p  AP is a formula f  g is a formula, if f and g are ¬ f is a formula AX f is a formula EX f is a formula A[ f U g ] ... E[ f U g ]. CTL model checking. CTL formulas (propeties). State graph

clara
Download Presentation

CTL Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CTL Model Checking David L. Dill

  2. CTL syntax: AP -- atomic propositions pAP is a formula fg is a formula, if f and g are ¬f is a formula AX f is a formula EX f is a formula A[f U g] ... E[f U g] ...

  3. CTL model checking CTL formulas (propeties) State graph from implementation (Kripke structure) OK or counter- example Model checker

  4. State graph • Many representations can be translated to state graphs • circuits • concurrent programs • various description languages • SCR, statecharts • Translation is usually to a BDD representation of graph, not explicit graph.

  5. Abbreviations: AFf = A[true U f] "future" EFf = E[true U f] AGf = EFf "globally" EGf = AFf

  6. CTL intuition AX p p EX p p p p p

  7. AGp: p is invariant AFp: p is inevitable EFp: p potentially holds

  8. CTL examples: Mutual exclusion: AG (c1 c2) Fairness: AG (t1AF c1) Resetability: AG (EF "init") (there is always a path back to init)

  9. Request/Acknowledge example A[req U ack]  A[ack U ¬req]  A[¬req U ¬ack]  A[¬ack U ¬req] (Weak Until? A[¬ack u ¬req]) Req Ack

  10. Algorithm for model checking Idea: progressively label states with nonatomic properties. Subformulas are treated like atomic formulas after they have been checked. labels(s) -- set of labels of state s in M. Initially, labels(s) = P(s).

  11. Fixed point algorithm for model checking We then traverse the formula to be checked bottom-up, checking subformulas of f before checking f. • Add ¬f to labels(s) if f not in labels(s) • Add fg to labels(s) if f in labels(s) and g in labels(s) • Add AX f to labels(s) if f in labels(s') for alls':sRs' • Add EX f to labels(s) if f in labels(s') for somes': sRs'

  12. Fixed point algorithm for model checking Until formulas require a fixed-point iteration: Use fact that A[f U g] = gAX A[f U g] Algorithm: 1. Whenever state g in labels(s), add A[f U g] to labels(s). 2. Repeat: Whenever all next states of s have A[f U g] in labels(s), add A [f U g] to labels(s). Similarly for E [f U g] .

  13. Z (“zed”) specifications

  14. Z • Logical specification language • Probably most widely known such • Very general: can describe • data structures • relations and tables • functions • Few tools • syntax checkers • recently, theorem provers

  15. Z has really been used • IBM CICS specification (1992) • Cyclotron specification (Jacky) • Used routinely by Praxis Critical Systems, Ltd (UK)

More Related