1 / 56

LTL Model Checking

LTL Model Checking. Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv. Overview. This pack : Abstract model of programs Temporal properties Verification (via model checking) algorithm Concurrency . Finite State Automaton/Machine. Abstraction of a real program Choices

baruch
Download Presentation

LTL Model Checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. LTL Model Checking Wishnu Prasetya wishnu@cs.uu.nl www.cs.uu.nl/docs/vakken/pv

  2. Overview • This pack : • Abstract model of programs • Temporal properties • Verification (via model checking) algorithm • Concurrency

  3. Finite State Automaton/Machine • Abstraction of a real program • Choices • What information do we want to put in the states? • In the arrows? • How to model execution? • A path through the FSA, staring at an initial state. Additionally: • Does it have to be finite? • Do we need a concept of “acceptance” ? • These choices influence what you can express, and how you can verify properties over executions. 0 1

  4. FSA • Described by (S, I, , R) • S : the set of possible states • I S : set of possible initial states •  : set of labels, to decorate the arrows. • They model possible actions. • R : Spow(S), the arrows • R(s,a) is the set of possible next-states of a if executed on s • non-deterministic

  5. Program compositions can be modeled by operations over FSA • M1 ; M2 • connect “terminal states” of M1 to M2’s initial states. • M1 || M2 • Parallel composition • M1M2 • Only do executions that are possible in both

  6. Example c • Actions are atomic; M1 and M2 has no common action. • Their parallel composition is basically the full product over the component automata. • To note: if each component has n number of states, constructing || over k components explode to nkstates. 0 0 a b 1 1

  7. Parallel composition with synchronized actions c • Any action a  1  2 has to be executed together by both automata. 0 0 a a 1 1

  8. Intersection c • Not something you do in real programs • A useful concept for verification  later. (0,0) 0 0  a a a (1,1) 1 1

  9. Kripke Structure • A finite automaton ( S, s0, R, Prop, V ) • S : the set of possible states, with s0 the initial state. • R : Spow(S), the arrows • R(s) is the set of possible next-states from s • non-deterministic • Prop : set of atomic propositions • abstractly modeling state properties. • V : Spow(Prop), labeling function • a  V(s) means a holds in s, else it does not hold. • No concept of accepting states.

  10. Prop • It consists of atomic propositions. • We’ll require them to be non-contradictive. That is, for any subset Q of Prop : (/\Q) /\ (/\{ p | p  Q})is satisfiable. Else you may get inconsistent labeling. • This is the case if they are independent of each other. • Example: • Prop = { x>0 , y>0 } is ok. • Prop = { x>0 , x>1 } is not ok. E.g. the subset { x>1 } is inconsistent.

  11. Example With Prop = { isOdd x, x>0 }V(0) = { isOdd x }V (1) = { isOdd x, x>0 } So, which properties hold in state 0? 0 1

  12. Execution • An execution is a path through your automaton. • Let’s focus on properties of infinite executions • All executions are assumed infinite • Extend each terminal state (states with no successor) in the original Krikpe with a stuttering loop. • This induces an ‘abstract’ execution: Natpow(Prop) • infinite sequence of the set of propositions that hold along that path. • We’ll often use the term execution and abstract execution interchangbly.

  13. Example 0 { isOdd x } { isOdd x, x>0 } 1 Exec. : 0 0 1 1 ... Abs-exec: {isOdd x} , {isOdd x}, {isOdd x, x>0}, {isOdd x, x>0} , ...

  14. Run-time properties • Hoare triple : express what should hold when the program terminates. • Many programs are supposed to work continuously • They should be “safe” • They should not dead lock • No process should starve • Linear Temporal Logic (LTL) • Originally designed by philosophers to study the way that time is used in natural language arguments Based on a number of operators to express relation over time: “next”, “always”, “eventually” • Brought to Computer Science by Pnueli, 1977.

  15. f f f f f g f f f f f f Informal meaning f // always f Xf// next f fUg// f holds until g

  16. Quite expressive • ( p (true Uq )) // whenever p holds, eventually q will hold • pU ( qUr) • true U p// eventually stabilizing to p • true U p// eventually p will hold infinitely many often

  17. Syntax •  ::= p// atomic proposition from Prop |  |  /\  | X |  U  • Derived operators: •  \/  =  (  /\ ) •    =  \/  •  ,  , W , … • Interpreted over abstract executions.

  18. Defining the meaning of temporal formulas • First we’ll define the meaning wrt to a single abstract execution. Let  be such an execution: • ,i |==  •  |==  = ,0 |==  • If P is a Kripke structure,P |==  means that  holds on all abs. executions of P

  19. Meaning • Let  be an (abstract) execution. • ,i |== p = p  (i) // p  Prop • ,i |==  = not (,i |== ) • ,i |== /\ = ,i |==  and ,i |== 

  20. Meaning • ,i |== X = ,i+1 |==  • ,i |==  U  = there is a ji such that ,j |==  and for all h, ih<j, we have ,h |== .

  21. Example 0 { isOdd x } { isOdd x, x>0 } 1 Consider  : {isOdd x} , {isOdd x}, {isOdd x, x>0}, {isOdd x, x>0} , ... • |== isOdd xUx>0 • Is this a valid property of the FSA?

  22. Derived operators • Eventualy  = true U  • Always  =  • Weak until  W  =  \/ ( U ) • Release  R  =  W ( /\ )

  23. f f f f g f f f f f f f f f f f f f f f f g,f Some derived operators <> f// eventually f fWg// weak until gRf// releases

  24. Past operators • Useful, e.g. to say: if P is doing something with x, then it must have asked a permission to do so. • “previous”,i |== Y =  holds in the previous state • “since” ,i |==  S  =  held in the past, and since that to now  holds • Unfortunately, not supported by SPIN.

  25. Ok, so how can I verify M |==  ? • We can’t directly check all executions  infinite (in two dimensions). • Try to prove it directly using the definitions? • We’ll take a look another strategy… • First, let’s view abstract executions as sentences.View M as a sentence-generator. Define: L(M) = {  |  is an abs-exec of M} these are sentences over pow(Prop)

  26. Representing  as an automaton … • Let  be the temporal formula we want to verify. • Suppose we can construct automaton B that ‘accepts’ exactly those infinite sentences over pow(Prop) for which  holds. • So B is such that : L(B) = {  |  |==  }

  27. Re-express as a language problem • Well, M |==  iff • There is no L(M) which will violate . • In other words, there is no L(M) that will be accepted by L(B). • So: M|==  iffL(M)  L(B) = 

  28. Automaton with “acceptance” • So far, all paths are accepted. What if we only want to accept some of them? • Add acceptance states. • Accepted sentence: “aba” and “aa” is accepted “bb” is not accepted. • But this is for finite sentences. For infinite ...? a q1 a b q2 b

  29. Buchi Automaton “abab”  not an infinite “ababab…”  accepted “abbbb…”  not accepted! • Pass an acceptance state infinitely many times. • Examples a q1 a b q2 b

  30. Expressing temporal formulas as Buchi Use pow(Prop) as the alphabet  of arrow-labels. Example: Xp ( = Xp) We’ll take Prop = { p } Indirectly saying that p is false.  {p}  {p}  {p} We can drop this, since we only need to (fully) cover accepted sentences.

  31. To make the drawing less verbose... Xp, using Prop = {p}  * * So we have 4 subsets. Stands for all subsets of Prop that do not contain p; thus implying “p does not hold”. Xp, using Prop = {p,q} p p * * Stands for all subsets of Prop that contain p; thus implying “p holds”. p

  32. Always and Eventually p []p p <>p * * p <>[]p * p

  33. Until pUq : q * p q pUXq : * * p

  34. Not Until Formula:  ( p Uq ) Note first these properties: (pUq) = p /\ qW p /\ q (pWq) = p /\ qU p /\ q(also generally when p,qare LTL formulas) = qW p /\ q = qU p /\ q p,q pq *

  35. Generalized Buchi Automaton []<>p /\ []<>q q p 2 0 1 * * * Sets of accepting states: F = { {1} , {2} }which is different than just F = { 1, 2 } in an ordinary Buchi. Every GBA can be converted to BA.

  36. Difficult cases • How about nested formulas like: (Xp) U q ( pUq ) UrTheir Buchi is not trivial to construct. • Still, any LTL formula can be converted to a Buchi. SPIN implements an automated conversion algorithm; unfortunately it is quite complicated.

  37. Check list • How to construct B ?  Buchi • We still have a mismatch, because M is a Kripke structure! • Fortunately, we can easily convert it to a Buchi. • We still have to construct the intersection. • We still to figure out a way to check emptiness. M|==  iffL(M)  L(B) = 

  38. Label on state or label on arrow... a a b c generate the same sentences b c b c c b d e generate the same sentences d e

  39. Converting Kripke to Buchi 0 { isOdd x } Single accepting set F, containing all states. { isOdd x, x>0 } z 1 { isOdd x } { isOdd x } 0 { isOdd x, x>0 } 1 { isOdd x, x>0 } Generate the same inf. sentences!

  40. Computing intersection The Buchi version of Kripke M  • Rather than directly checking: L(BM)  L(B) = We check:L(BM B) =  We already discuss this! Execution over such an intersection is also called a “lock-step” execution.

  41. Intersection • Two buchi automata A and Bover the same alphabet • The set of states are respectively SA and SB. • starting at respectively s0A and s0B. • Single accepting set, respectively FA and FB. • FA is assumed to be SA • A  B can be thought as defining lock-step execution of both: • The states : SA  SB, starting at (s0A,s0B) • Can make a transition only if A and B can both make the corresponding transition. • A single acceptance set F; (s,t) is accepting if t  FB.

  42. Constructing Intersection, example p : isOdd xq : x>0 AP: { p,q } { p } 0 1 { p } Ap A<>q : A<>q: q a (1,a) (0,a) { p } { p }

  43. Verification • Sufficient to have an algorithm to check if L(C) = , for the intersection-automaton C. • So, it comes down to a cycle finding in a finite graph! Solvable. • The path leading to such a cycle also acts as your counter example! L(C)   iff there is a finite path from C’s initial state to an accepting state f , followed by a cycle back to f .

  44. Approaches • View C = AP A as a directed graph. Approach 1 : • Calculate all strongly connected component (SCCs) of C (e.g. with Tarjan) . • Check if there is an SCC containing an accepting state, reachable from C’s initial state. • Approach 2, based on Depth First Search (DFS); can be made lazy : • the full graph is constructed as-we-go, as you search for a cycle.If M = M1 || M2 || ... , this means that we can lazily construct M.

  45. DFS-approach (SPIN) • DFS is a way to traverse a graph : • This will visit all reachable nodes. You can already use this to check assertions. DFS(u) { if (u visited) return ; visited.add(u) ; for (snext(u)) DFS(s) ; }

  46. Example 0 4 1 2 3

  47. Adding cycle detection DFS(u) {if (u visited) return ; visited.add(u) ; foreach (snext(u)) { if (u  accept) {visited2 =  ;checkCycle (u,s) ;} DFS(s) ; } }

  48. checkCycle is another DFS checkCycle(root,s) { if(s= root) throw CycleFound ; if ( svisited2 ) return ; visited2.add(s) ; foreach(tnext(s)) checkCycle(root, t) ; } Can be extended to keep track of the path leading to the cycle  counter example. See Lecture Notes.

  49. Example 0 1 2 3 checkCycle(1,2) the node currentlybeingprocessed root

  50. Tweak: lazy model checking • Remember that automaton to explore is C = BM B • In particular, BM can huge if M = M1 || M2 || ... • Can we construct C lazily? • Benefit : if a cycle is found (verification fails), effort is not wasted to first construct the full C. • Of course if  turns out to be valid, then C will in the end fully constructed. • Question: don’t we get this for free in e.g. Haskell?

More Related