Optimizing CTL Model checking + Model checking TCTL

CS 5270 Lecture 9

Lecture 8


A(FG p) not AF(AG p)


Today…

  • Summary

  • Optimizations for model checking

    • ROBDDs

  • TCTL

    • Syntax

    • Semantics

    • Algorithm for MC

    • Optimizations


Summary: Model checking CTL


Optimization

  • The principal one:

    • Reduce to a problem with Boolean variables/Boolean formulæ

  • Is this reasonable?

    • Well – most modelling is done like this – even when you do have (non-boolean) variables

    • + efficiencies from efficient operations on boolean functions


States as boolean formulæ

  • Encode states using m boolean variables.

    • Allows for 2^m states.

  • For example: m=3:

    • S={s1,s2,s3,s4,s5,s6,s7,s8}

  • Propositional booleans a,b,c:

    • S={000,001,010,011,100,101,110,111}

    • S = {abc, abc, abc , … }


Transitions as boolean formulæ

  • Encode (s,s’) using before and after propositional boolean variables

    • a,b,c and a’,b’,c’.

  • For example: (s1,s4):

    • (s1,s4) = (¬a¬b¬c) ∧ (¬a’b’c’)   (s1 = 000, s4 = 011)


Sufficient for modelling?

  • Encode another mutual exclusion protocol

  • Two processes, P1 and P2 share booleans

    • Co-operate for mutual exclusion

  • Third process T1 monitors and sets a turn variable

  • System is parallel composition:

    P1 || P2 || T1


Co-operative mutex: Process P1

P1 =
  if (idle1) {
    wait1 = true;
    idle1 = false;
  } else if (wait1 & idle2) {
    active1 = true;
    wait1 = false;
  } else if (wait1 & wait2 & (!turn)) {
    active1 = true;
    wait1 = false;
  }
  if (active1) {
    CritSect();
    idle1 = true;
    active1 = false;
  }; ( followed by P1 )


Co-operative mutex: Process P2

P2 =
  if (idle2) {
    wait2 = true;
    idle2 = false;
  } else if (wait2 & idle1) {
    active2 = true;
    wait2 = false;
  } else if (wait2 & wait1 & turn) {
    active2 = true;
    wait2 = false;
  }
  if (active2) {
    CritSect();
    idle2 = true;
    active2 = false;
  }; ( followed by P2 )


Co-operative mutex: Process T1

T1 =
  if (idle1 & wait2) {
    turn = true;
  } else if (idle2 & wait1) {
    turn = false;
  }; ( followed by T1 )

System =
  (P1 || P2 || T1); System;


State transition diagram – whole system


Transitions as predicates

  • P1 =
    (i1 ∧ w1’ ∧ ¬i1’) ∨ (w1 ∧ i2 ∧ a1’ ∧ ¬w1’)
    ∨ (w1 ∧ w2 ∧ ¬t ∧ a1’ ∧ ¬w1’) ∨ (a1 ∧ i1’ ∧ ¬a1’)

  • P2 =
    (i2 ∧ w2’ ∧ ¬i2’) ∨ (w2 ∧ i1 ∧ a2’ ∧ ¬w2’)
    ∨ (w2 ∧ w1 ∧ t ∧ a2’ ∧ ¬w2’) ∨ (a2 ∧ i2’ ∧ ¬a2’)

  • T1 =
    (i1 ∧ w2 ∧ t’) ∨ (i2 ∧ w1 ∧ ¬t’)

    (i1, w1, a1, t abbreviate idle1, wait1, active1, turn; primed variables are the after-values.)


    Ordered Binary Decision Tree


    OBDT example: (i1i2)(i3i4)


     ROBDD: (i1i2)(i3i4)

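An added example (not the lecture's code) of building an ROBDD with a unique table (hash-consing), applying Bryant's two reduction rules, to show how the variable order changes the node count. It assumes the slide's formula, whose operators were lost in extraction, reads (i1 ∧ i2) ∨ (i3 ∧ i4), and that the alternative order compared is i1, i3, i2, i4.

```python
# Added example: an ROBDD builder with a unique table (hash-consing), applying Bryant's
# two reduction rules, to compare node counts under two variable orders.
class ROBDD:
    """Node ids: 0 and 1 are the terminals; other ids map to (var, low, high)."""
    def __init__(self, order):
        self.order = list(order)
        self.unique = {}   # (var, low, high) -> id, so equal triples share one node
        self.nodes = {}    # id -> (var, low, high) for non-terminal nodes

    def mk(self, var, low, high):
        if low == high:             # rule 1: a test whose branches agree is redundant
            return low
        key = (var, low, high)
        if key not in self.unique:  # rule 2: isomorphic subgraphs are merged
            self.unique[key] = 2 + len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, f, env=None, depth=0):
        """Shannon expansion along self.order; f maps a full valuation dict to a bool."""
        env = {} if env is None else env
        if depth == len(self.order):
            return int(bool(f(env)))
        v = self.order[depth]
        low = self.build(f, {**env, v: False}, depth + 1)
        high = self.build(f, {**env, v: True}, depth + 1)
        return self.mk(v, low, high)

    def size(self):
        return len(self.nodes)      # non-terminal nodes only

    def evaluate(self, root, env):
        """Follow the valuation env from root down to a terminal."""
        while root not in (0, 1):
            var, low, high = self.nodes[root]
            root = high if env[var] else low
        return bool(root)

def formula(e):
    """Assumed reading of the slide's example: (i1 and i2) or (i3 and i4)."""
    return (e["i1"] and e["i2"]) or (e["i3"] and e["i4"])

def build_example(order):
    """ROBDD of formula under the given variable order; returns (bdd, root id)."""
    bdd = ROBDD(order)
    return bdd, bdd.build(formula)

def holds(order, env):
    """Evaluate the formula's ROBDD built under order at the valuation env."""
    bdd, root = build_example(order)
    return bdd.evaluate(root, env)
```

build_example(order)[0].size() gives the non-terminal node count, which differs between the two orders for the same function.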


    History…

    • The ROBDD optimization originally by Bryant (86) – paper on boolean graphs

    • The application to model checking by McMillan (Originally in late 80’s – subject of thesis in 1992)

    • smv – Symbolic model verifier – originally by McMillan



    Regional transition system (RTS)

    • Given TATTS = (S, S0, Act, →), then the RTS is a quotiented transition system

      RTS = (Ř, Ř0, Act, ⇒), where

      Ř = {(s,[v]t) | (s,v) ∈ S ∧ [v]t ∈ REGv}, and

      Ř0 = {(s,[v]t) | (s,v) ∈ S0 ∧ [v]t ∈ REGv}, and

    • finally, (s,[v]t) ⇒ (s’,[v’]t) on action a if and only if there is a transition (s,v) → (s’,v’) on action a in TATTS.


    Regional transition system (RTS)

    • Notation:

      Ř – a set of regions

      ř – a particular region in the set: (s,[v]t)

      r – a particular valuation: (s,v)



    Kripke structure/model for TCTL

    • Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř,Δ,AP,L)

      • Ř – finite set of regions from RTS

      • Δ ⊆ Ř × Ř – a total transition relation

      • AP – a finite set of atomic propositions

      • L: Ř → 2^AP – a labelling function which labels each region with the propositions true in that region

        Note that the propositions may include clock constraints…


    TCTL syntax

    • Given p ∈ AP, x ∈ X (model clock variables), z ∈ Z (property clock variables), and α a clock constraint over X ∪ Z, then p and α are TCTL formulæ, and if φ1 and φ2 are TCTL formulæ then so are:

      • ¬φ1

      • φ1 ∧ φ2

      • φ1 ∨ φ2

      • z in φ1

      • A( φ1 U φ2 )

      • E( φ1 U φ2 )


    TCTL examples

    • Note: temporal operators can be subscripted:

      • A( 1U<72 ) means 1 holds until (within 7 time units) 2 becomes true.

      • Implemented as: z in A( (1z<7) U2 )

    • A( alarm U<7boiler-off): the alarm is on until (within 7 time units) the boiler-off is signaled.

    • EF<7( alarm ) = E( true U<7alarm): the alarm will be on within 7 time units.


    Semantics of TCTL

    • Expressed in terms of a model, and the modelling relation ⊨ which links a model, a composite state r = (s,v) and a formula clock valuation with a property.

    • M,(r,f) ⊨ P means that (TCTL) property P holds in (or is satisfied in) state r in the case of a formula valuation f for a given model M


    (Inductive) definition of ⊨

    M,(r,f) ⊨ p  ⇔  p ∈ L(ř)

    M,(r,f) ⊨ α  ⇔  v ∪ f ⊨ α

    M,(r,f) ⊨ ¬φ1  ⇔  ¬(M,(r,f) ⊨ φ1)

    M,(r,f) ⊨ φ1 ∧ φ2  ⇔  M,(r,f) ⊨ φ1, and M,(r,f) ⊨ φ2

    M,(r,f) ⊨ φ1 ∨ φ2  ⇔  M,(r,f) ⊨ φ1, or M,(r,f) ⊨ φ2


    (Inductive) definition of ⊨

    • M,(r,f) ⊨ z in φ1  ⇔  M,(r, z in f) ⊨ φ1

      • The notation z in f asserts that z is reset to 0 whenever it appears in the formula f

    • M,(r,f) ⊨ A( φ1 U φ2 )  ⇔  for every path p from r, for some j, M,p(j) ⊨ φ2, and ∀i<j, M,p(i) ⊨ φ1 ∨ φ2.


    (Inductive) definition of ⊨

    • M,(r,f) ⊨ E( φ1 U φ2 )  ⇔  for one path p from r, for some j,

      M,p(j) ⊨ φ2, and

      ∀i<j, M,p(i) ⊨ φ1 ∨ φ2.

      • Note that in both EU and AU, the condition up until φ2 is φ1 ∨ φ2, and not just φ1!!


    AU: φ1 ∨ φ2 until φ2


    Model checking TCTL

    • Definition of a labelling algorithm in the notes – not much different from CTL

    • The only problem is this definition uses a least fixpoint iteration over an infinite set…

    • In practice use the region construction…


    Optimization for TCTL MC

    • We have already seen the steps to create a (finite) regional automaton

    • Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion

    • For this reason, limit the size of systems

    • … so far …


    Uppaal – more formally

    • TCTL, but with restrictions that amount to only safety (reachability) formulæ:

      • Set of clock constraints Z in formula is ∅

      • Syntax just AG(β) and EF(β) (outer level)

      • β ::= a | x op n | ¬β | β1 ∧ β2   (op ∈ {<, ≤, =, ≥, >})

      • a is a location in the model

    • Other properties (bounded liveness…) require extended models/automata:

      • compare system model with other test model
