## PowerPoint Slideshow about ' Optimizing CTL Model checking + Model checking TCTL' - ronat

Presentation Transcript

A(FG p) not AF( AG p)

Lecture 8

Today…

- Summary
- Optimizations for model checking
  - ROBDDs
- TCTL-
  - Syntax
  - Semantics
  - Algorithm for MC
  - Optimizations

Summary: Model checking CTL

Optimization

- The principal one: reduce to a problem with Boolean variables / Boolean formulæ.
- Is this reasonable?
  - Well – most modelling is done like this, even when you do have (non-boolean) variables
  - Plus: efficiencies from efficient operations on boolean functions

States as boolean formulæ

- Encode states using m boolean variables.
  - Allows for 2^m states.
- For example, m=3:
  - S = {s1,s2,s3,s4,s5,s6,s7,s8}
  - Propositional booleans a,b,c:
  - S = {000,001,010,011,100,101,110,111}
  - S = {abc, abc, abc, … }

Transitions as boolean formulæ

- Encode (s,s’) using before and after propositional boolean variables a,b,c and a’,b’,c’.
- For example, (s1,s4):
  - (s1,s4) = (abc) (a’b’c’)

Sufficient for modelling?

- Encode another mutual exclusion protocol
- Two processes, P1 and P2 share booleans
- Co-operate for mutual exclusion
- Third process T1 monitors and sets a turn variable
- System is parallel composition:

P1 || P2 || T1

Co-operative mutex: Process P1

```
P1 =
  if (idle1) {
    wait1 = true;
    idle1 = false;
  } else if (wait1 & idle2) {
    active1 = true;
    wait1 = false;
  } else if (wait1 & wait2 & (!turn)) {
    active1 = true;
    wait1 = false;
  }
  if (active1) {
    CritSect();
    idle1 = true;
    active1 = false;
  }; ( followed by P1 )
```

Co-operative mutex: Process P2

```
P2 =
  if (idle2) {
    wait2 = true;
    idle2 = false;
  } else if (wait2 & idle1) {
    active2 = true;
    wait2 = false;
  } else if (wait2 & wait1 & turn) {
    active2 = true;
    wait2 = false;
  }
  if (active2) {
    CritSect();
    idle2 = true;
    active2 = false;
  }; ( followed by P2 )
```

Co-operative mutex: Process T1

if (idle1 & wait2) {

turn = true;

} else if (idle2 & wait1) {

Turn = false;

}; ( followed by T1 )

(P1 || P2 || T1); System;

T1 =

System =

Transitions as predicates

- P1 = (i1w1’i1’) (w1i2a1’w1’) (w1w2ta1’w1’) (a1i1’a1’)
- P2 = (i2w2’i2’) (w2i1a2’w2’) (w2w1ta2’w2’) (a2i2’a2’)
- T1 = (i1w2t’) (i2w1t’)
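The three processes above and their transition predicates, as an added example (not from the slides): each predicate becomes a guard on the current state plus assignments to primed variables over the seven booleans, the reachable states are computed by least-fixpoint iteration, and AG ¬(active1 ∧ active2) is checked over them. The connectives are read from the process code since the slide's symbols did not survive extraction; the initial state (both idle, turn false) and the `frame` switch are assumptions made here.

```python
from itertools import product

VARS = ("i1", "w1", "a1", "i2", "w2", "a2", "t")   # idle/wait/active per process, turn
INIT = (1, 0, 0, 1, 0, 0, 0)                       # both idle, turn false (assumed initial state)

# (guard on the current state d, assignments to primed variables), read off the slide:
# P1 = (i1 w1' !i1') (w1 i2 a1' !w1') (w1 w2 !t a1' !w1') (a1 i1' !a1'), P2 symmetric, T1 sets t.
STEPS = [
    (lambda d: d["i1"], {"w1": 1, "i1": 0}),
    (lambda d: d["w1"] and d["i2"], {"a1": 1, "w1": 0}),
    (lambda d: d["w1"] and d["w2"] and not d["t"], {"a1": 1, "w1": 0}),
    (lambda d: d["a1"], {"i1": 1, "a1": 0}),
    (lambda d: d["i2"], {"w2": 1, "i2": 0}),
    (lambda d: d["w2"] and d["i1"], {"a2": 1, "w2": 0}),
    (lambda d: d["w2"] and d["w1"] and d["t"], {"a2": 1, "w2": 0}),
    (lambda d: d["a2"], {"i2": 1, "a2": 0}),
    (lambda d: d["i1"] and d["w2"], {"t": 1}),
    (lambda d: d["i2"] and d["w1"], {"t": 0}),
]

def successors(s, frame=True):
    """Every s' for which some transition predicate holds on (s, s').
    frame=True adds the frame condition: variables the predicate does not assign keep their value.
    frame=False reads the predicates literally, so unassigned primed variables are unconstrained."""
    cur, out = dict(zip(VARS, s)), set()
    for guard, assign in STEPS:
        if not guard(cur):
            continue
        for n in product((0, 1), repeat=len(VARS)):
            nxt = dict(zip(VARS, n))
            if all(nxt[v] == b for v, b in assign.items()) and (
                    not frame or all(nxt[v] == cur[v] for v in VARS if v not in assign)):
                out.add(n)
    return out

def reachable(frame=True):
    """Forward least-fixpoint iteration: the set of states reachable from INIT."""
    seen, todo = {INIT}, [INIT]
    while todo:
        for n in successors(todo.pop(), frame):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def mutex_holds(frame=True):
    """AG !(a1 & a2): no reachable state has both processes in CritSect at once."""
    a1, a2 = VARS.index("a1"), VARS.index("a2")
    return all(not (s[a1] and s[a2]) for s in reachable(frame))
```

With the frame condition the protocol reaches 16 states and mutual exclusion holds; taken literally, the predicates say nothing about the variables they do not mention, so the relation over-approximates and the check reports a spurious violation in one step.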

Ordered Binary Decision Tree

OBDT example: (i1i2)(i3i4)

ROBDD: (i1i2)(i3i4)

History…

- The ROBDD optimization originally by Bryant (86) – paper on boolean graphs
- The application to model checking by McMillan (Originally in late 80’s – subject of thesis in 1992)
- smv – Symbolic model verifier – originally by McMillan
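An added example (not from the slides, nor from smv) of the unique-table construction behind the ROBDD slides above: `mk` applies the two reduction rules and `apply` combines diagrams by Shannon expansion on the earliest variable in the order. The slide's formula is read as (i1 ∧ i2) ∨ (i3 ∧ i4), which is an assumption since the connectives did not survive extraction; with the order i1<i2<i3<i4 the ROBDD has 4 non-terminal nodes against the OBDT's 15, while the interleaved order i1<i3<i2<i4 needs 6.

```python
class ROBDD:
    """Minimal reduced ordered BDD: a unique table (hash-consing) plus Shannon-expansion apply."""
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # variable order, root variable first
        self.table = {}                                  # (var, low, high) -> node id
        self.node = {0: None, 1: None}                   # node id -> (var, low, high); 0/1 terminals
    def mk(self, var, low, high):
        if low == high:                  # reduction rule 1: a test whose branches agree is dropped
            return low
        key = (var, low, high)
        if key not in self.table:        # reduction rule 2: identical sub-graphs are shared
            self.table[key] = len(self.node)
            self.node[self.table[key]] = key
        return self.table[key]
    def var(self, v):
        return self.mk(v, 0, 1)
    def apply(self, op, u, w, memo=None):
        """Combine two diagrams with boolean operator op, splitting on the earliest variable."""
        memo = {} if memo is None else memo
        if (u, w) not in memo:
            if u < 2 and w < 2:
                memo[(u, w)] = int(op(u, w))
            else:
                top = min((self.node[x][0] for x in (u, w) if x > 1), key=self.rank.get)
                def cof(x, b):           # cofactor of x under top = b
                    return self.node[x][1 + b] if x > 1 and self.node[x][0] == top else x
                memo[(u, w)] = self.mk(top, self.apply(op, cof(u, 0), cof(w, 0), memo),
                                       self.apply(op, cof(u, 1), cof(w, 1), memo))
        return memo[(u, w)]
    def size(self, u):
        """Non-terminal nodes reachable from u; the full OBDT over 4 variables has 15."""
        seen = set()
        def walk(x):
            if x > 1 and x not in seen:
                seen.add(x); walk(self.node[x][1]); walk(self.node[x][2])
        walk(u)
        return len(seen)

def slide_formula(order):
    """(i1 AND i2) OR (i3 AND i4): the connectives are assumed, the slide only shows (i1i2)(i3i4)."""
    b = ROBDD(order)
    AND, OR = (lambda x, y: x and y), (lambda x, y: x or y)
    return b, b.apply(OR, b.apply(AND, b.var("i1"), b.var("i2")), b.apply(AND, b.var("i3"), b.var("i4")))
def node_count(order):
    b, f = slide_formula(order)
    return b.size(f)
def truth(order, assignment):
    """Follow the path from the root to a terminal under a truth assignment."""
    b, u = slide_formula(order)
    while u > 1:
        var, low, high = b.node[u]
        u = high if assignment[var] else low
    return u
```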

Today…

- Summary
- Optimizations for model checking
  - ROBDDs
- TCTL-
  - Syntax
  - Semantics
  - Algorithm for MC
  - Optimizations

Regional transition system (RTS)

- Given TATTS = (s, s0, Act, ), the RTS is a quotiented transition system RTS = (Ř, Ř0, Act, ), where
  - Ř = {(s,[v]t) | (s,v)s [v]tREGv}, and
  - Ř0 = {(s,[v]t) | (s,v)s0 [v]tREGv}, and
  - finally, (s,[v]t) (s’,[v’]t) if and only if there is a transition (s,v) (s’,v’) in TATTS.

Regional transition system (RTS)

- Notation:
  - Ř – a set of regions
  - ř – a particular region in the set: (s,[v]t)
  - r – a particular valuation: (s,v)

Regional transition system (RTS)

Kripke structure/model for TCTL

- Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř, Δ, AP, L):
  - Ř – finite set of regions from the RTS
  - Δ ŘŘ – a total transition relation
  - AP – a finite set of atomic propositions
  - L: Ř → 2^AP – a labelling function which labels each region with the propositions true in that region

Note that the propositions may include clock constraints…

TCTL- syntax

- Given pAP, xX (model clock variables), zZ (property clock variables), (XZ) (clock constraints), then p and are TCTL- formulæ, and if 1 and 2 are TCTL- formulæ then so are:
  - 1
  - 1 2
  - 1 2
  - z in 1
  - A( 1 U 2 )
  - E( 1 U 2 )

TCTL examples

- Note: temporal operators can be subscripted:
  - A( 1 U<7 2 ) means 1 holds until (within 7 time units) 2 becomes true.
  - Implemented as: z in A( (1z<7) U 2 )
  - A( alarm U<7 boiler-off ): the alarm is on until (within 7 time units) boiler-off is signalled.
  - EF<7( alarm ) = E( true U<7 alarm ): the alarm will be on within 7 time units.

Semantics of TCTL

- Expressed in terms of a model and the modelling relation ⊨, which links a model, a composite state r=(s,v) and a formula clock valuation with a property.
- M,(r,f) ⊨ P means that the (TCTL) property P holds in (is satisfied in) state r under the formula clock valuation f, for a given model M.

(Inductive) definition of ⊨

- M,(r,f) ⊨ p iff p is in L(ř)
- M,(r,f) ⊨ (clock constraint) iff (v, f) ⊨ (clock constraint)
- M,(r,f) ⊨ not 1 iff not (M,(r,f) ⊨ 1)
- M,(r,f) ⊨ 1 2 iff M,(r,f) ⊨ 1, and M,(r,f) ⊨ 2
- M,(r,f) ⊨ 1 2 iff M,(r,f) ⊨ 1, or M,(r,f) ⊨ 2

(Inductive) definition of ⊨

- M,(r,f) ⊨ z in 1 iff M,(r, z in f) ⊨ 1
  - The notation z in f asserts that z is reset to 0 whenever it appears in the formula f
- M,(r,f) ⊨ A( 1 U 2 ) iff for every path p from r, for some j, M,(j) ⊨ 2, and for all i<j, M,(i) ⊨ 1 2.

(Inductive) definition of ⊨

- M,(r,f) ⊨ E( 1 U 2 ) iff for some path p from r, for some j, M,(j) ⊨ 2, and for all i<j, M,(i) ⊨ 1 2.
- Note that in both EU and AU, the condition up until 2 is 1 2, and not just 1!

AU: 1 2 until 2

Model checking TCTL

- Definition of a labelling algorithm in the notes – not much different from CTL
- The only problem is this definition uses a least fixpoint iteration over an infinite set…
- In practice use the region construction…

Optimization for TCTL MC

- We have already seen the steps to create a (finite) regional automaton
- Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion
- For this reason, limit the size of systems
- … so far …

Uppaal – more formally

- TCTL, but with restrictions that amount to only safety (reachability) formulæ:
  - Set of clock constraints Z in formula is {}
  - Syntax just AG() and EF() (outer level)
  - ::= a | x op n | | 12 (op {,,,,})
  - a is a location in the model
- Other properties (bounded liveness…) require extended models/automata:
  - compare the system model with another test model
