Algorithmic software verification
This presentation is the property of its rightful owner.
Sponsored Links
1 / 20

Algorithmic Software Verification PowerPoint PPT Presentation


  • 67 Views
  • Uploaded on
  • Presentation posted in: General

Algorithmic Software Verification. VII. Computation tree logic and bisimulations. Motivation. See McMillan’s thesis where he models a synchronous fair bus arbiter circuit. See table: # of states, BDD size and time Wants to check:

Download Presentation

Algorithmic Software Verification

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Algorithmic software verification

Algorithmic Software Verification

VII. Computation tree logic

and bisimulations


Motivation

Motivation

See McMillan’s thesis where he models a synchronous fair bus arbiter circuit.

See table: # of states, BDD size and time

Wants to check:

- No two acks are asserted simultaneously

- Every persistent request is eventually ack-ed

- Ack is not asserted without a request.

Not really safety/reachability properties:

so how do we state and check these specs?

Temporal logics!


References

References

  • Symbolic model checking

    An approach to the state explosion problem

    Ken McMillan 1992


Model kripke structures

Model: Kripke structures

  • Finite state machines with boolean variables

    ignoring .

    FSM = (X, {{true, false}} {x  X} , Q, Q_in, , δ )

    X finite set of variables/propositions

    Q finite set of states

    Q_in  Q set of initial states

     For each q  Q, (q) is a function that maps

    each x in X to true or false

    δ  Q x Q transition relation


Ctl syntax

CTL: Syntax

Fix X the set of atomic propositions.

CTL(X) f,g ::= p |  f | f  g | f  g |

EX f | EF f | E(f U g) | A(f U g)

Intuitively:

EX f --- some successor state satisfies f

AX f --- every successor state satisfies f

E(f U g) – along some path, f holds until g holds

A(f U g) – along every path, f holds until g holds


Ctl syntax1

CTL: Syntax

Additional derived operators:

EF f --- there is some reachable state where f holds

(reachability) E(true U f)

AG f --- in every reachable state, f holds

(safety)  E (true U  f)

EG f --- there is some path along which f always holds.

 A(true U  f)

AF f --- along every path, f eventually holds

A(true U f)

Actually, EX, EG and EU are sufficient.


Ctl examples

CTL: Examples

- ack1 and ack2 are never asserted simultaneously

  • Every request req is eventually acknowledged by

    an ack.

  • ack is not asserted without a request


Ctl examples1

CTL: Examples

- ack1 and ack2 are never asserted simultaneously

AG(  (ack1  ack2) )

  • Every request req is eventually acknowledged by

    an ack.

    AG(req  (AF ack))

  • ack is not asserted without a request

    E( req U ack)


Semantics

Semantics

FSM = (X, {{true, false}} {x  X} , Q, Q_in, , δ )

With every f associate the set of states of a Kripke structure that satisfies f:

M, s |= p iff (s)(p) = true

M, s |= f  g iff M,s |= f or M,s |= g

M, s |= f iff M,s | f

M, s |= EX f iff there is an s’ with δ(s,s’) and

s’ |= f

M, s |= EF f iff there is an s’ reachable from s

such that s’ |= f


Semantics1

Semantics

M, s |= E (f U g) iff there is a path s=s1s2… from s

and a k such that s’ |= g and

for each i<k, si |= f

M, s’ |= A(f U g) iff for every path s=s1s2… from s

and a k such that sk |= g and

for every i<k, si |=f


Bisimulations

Bisimulations

Let M =(X, Q, Q_in, , δ ) and M’ =(X’, Q’, Q_in’, ’, δ’ )

be two Kripke structures (can be same)

A bisimilation relation is a relation R  QxQ’ such that:

- For every (q, q’) in R, (q) = ’(q’)

- If (q,q’) is in R, and q  q1 then there is a q1’ in Q’

such that q1  q1’ in M’ and (q1,q1’) is in R.

- If (q,q’) is in R, and q’  q1’ then there is a q1 in Q

such that q  q1 in M and (q1,q1’) is in R.

Fact: If R and R’ are bisimulation relations, then so is

R  R’.


Bisimulations1

Bisimulations

Let R* be the largest bisimulation relation:

R* = { R | R is a bisimulation relation}

If q is in Q and q’ is in Q’, then

q and q’ are bisimilar iff (q,q’) is in R*.

Denoted: q ~ q’

Two models are bisimilar if q_in ~ q_in’


Bisimulations2

Bisimulations

Let M =(X, Q, q_in, , δ ) be a model.

The unfolding of M, unf(M), is a tree model:

Nodes: xq where x is in Q*

Edges: xq  xqq’ iff q  q’

Initial node: q_in

’(xq) = (q)

Claim:

- M and unf(M) are bisimilar

- For each xq, q ~ xq.


Ctl and bisimilarity

CTL and bisimilarity

Lemma: Let f be a CTL formula.

Let q in Q and q’ in Q’ be two states such

that q ~ q’.

Then M,q |= f iff M,q’ |= f

Proof: By induction on structure of formulas.


Ctl and bisimilarity1

CTL and bisimilarity

CTL can distinguish between models that exhibit

the same sequential behaviors.

Hence CTL is a branching-time logic and not a linear-time logic.

What is the right notion of behavior of a model?

--- The set of strings exhibited by it

--- The tree unfolding of the model


Model checking ctl

Model-checking CTL

Given M and f.

Compute the set of all states of M that satisfy f,

by induction on structure of f.

║p║ = states where p holds

║f  g║ = ║f║ ║g ║

║  f ║ = complement of ║f ║

║EX f ║ = the set of states s that have a succ s’ in ║f ║


Model checking ctl1

Model-checking CTL

║E f U g ║ :

Take the set X =║g ║.

Repeat{

Add the set of states that satisfy f and have

a successor in X.

} till X reaches a fixpoint.


Model checking ctl2

Model-checking CTL

║EG f║ :

Let M’ be M restricted to states satisfying f.

A state s satisfies EG f iff

s is in M’ and there is a path from s to an

SCC of M’.


Model checking ctl3

Model-checking CTL

Model-checking CTL can be done in time O(|f|. |M|).

Number of subformulas of f is O(|f|)

║p║, ║f  g║ , ║  f ║ and ║EX f ║ are easy.

║EX f U g║

-- Start with states T satisfying g; put them in

║EX f U g║

-- In each round, take a state in T, remove it from T, and add predecessors of this state that satisfy f

and put them in T and ║EX f U g║.

-- Each state is processed only once – linear time.


Model checking ctl4

Model-checking CTL

║EG f║

-- Construct M’.

-- Partition M’ into SCCs using Tarjan’s algorithm

-- Starting from states in nontrivial SCCs, work

backwards adding states that satisfy f.

-- Linear time.


  • Login