
About ACTL-W and the implementation of a BDD based model checker

ISTI, Pisa. Friday, February 13, 2004. Robert Meolic, Faculty of EE&CS, Maribor, Slovenia.





Presentation Transcript


  1. ISTI, Pisa. About ACTL-W and the implementation of a BDD based model checker. Friday, February 13, 2004. Robert Meolic, Faculty of EE&CS, Maribor, Slovenia

  2. About ACTL-W and the implementation of a BDD based model checker
     About our work on this project:
     • definition of a new action-based temporal logic,
     • fixed point characterisation, global model checking, witnesses and counterexamples,
     • EST - a free, open source tool incorporating ACTL-W.
     About this presentation:
     • an introduction to ACTL-W,
     • ACTL-W versus the ACTL proposed in 1990,
     • a short overview of a BDD-based ACTL-W model checker,
     • demonstration of EST under Windows.

  3. Labelled Transition System
     A labelled transition system is a 4-tuple L = (S, At, δ, s0) where:
     • S is a non-empty set of states;
     • At is a finite, non-empty set of actions containing visible actions and the silent action τ, not visible to an external observer;
     • δ ⊆ S × At × S is the transition relation;
     • s0 is the initial state.
     Example LTS in the slide figure: states p0, p1, p2, p3; actions a!, b!, c!, τ.

  4. A path π in the LTS
     • st(π, 0) is the first state on the path π,
     • st(π, i) is the state reached after the i-th transition on π (i ≥ 1),
     • act(π, i) is the action executed during the i-th transition on π (i ≥ 1).

  5. Action-based temporal logic
     • A state where state formula holds is called a -state;
     • a transition (p, a, q) where action formula holds for action a is called a -transition;
     • a -transition (p, a, q) where state formula holds in state q is called a (, )-transition.

  6. Computation Tree Logic (CTL)

  7. The idea of Action CTL EX {}  AX {}  E[ {} U{’} ’] A[ {} U{’} ’]

  8. The idea of Action CTL (cont.) EX {}  EF {}  EG  {}

  9. Definition of ACTL-W (2003) U = Until W = Unless (Weak Until) ACTL-W = Action CTL with Unless Operator

  10. ACTL-W operators

  11. Deadlocked states
      • In a deadlocked state, formulae E[ {} W{’} ’], A[ {} W{’} ’], EG {}, and AG {} hold iff the state is a -state.
      • Formulae E[ {} U{’} ’], A[ {} U{’} ’], EX {}, AX {}, EF {}, and AF {} do not hold in a deadlocked state.
      • If there exists a finite fullpath starting in state p which is an empty fullpath or consists only of (, )-transitions, then ACTL formulae E[ {} W{’} ’] and EG {} hold in state p iff p is a -state.
      • If there exists a finite fullpath starting in state p which is an empty fullpath or consists only of transitions which are not (’, ’)-transitions, then ACTL formulae A[ {} U{’} ’] and AF {’} ’ do not hold in state p.

  12. Even better definition of ACTL-W
      γ ::= [ {} U{’} ’] | [ {} W{’} ’]
      Strict ACTL-W operators allow a more elegant definition of semantics and also more structured model checking algorithms.
      E[ {} U{’} ’] =  E[ {} U{’} ’]
      E[ {} W{’} ’] =  E[ {} W{’} ’]
      EG {} =  EG {}

  13. Useful abbreviations (equal to CTL!)

  14. Adequate sets of ACTL-W operators
      1. By definition: EU, EW, AU, AW
      2. An important adequate set: EU, EG, AW, AF
      CTL: the usually used adequate set has 3 elements (EX, EG, EU); the minimal adequate set has 2 elements (EU >, AU >).
      ACTL-W: the minimal adequate set has 4 elements! (We do not have a formal proof yet.)

  15. ACTL-W Model Checking
      E[ {} U{’} ’] is valid if there exists a path of the shape shown in the slide figure.
      EG {} is valid if there exists a path of the shape shown in the slide figure.

  16. ACTL-W Model Checking (cont.)
      A[ {} W{’} ’] is not valid if there exists a path of the shape shown in the slide figure.
      AF {} is not valid if there exists a path of the shape shown in the slide figure.

  17. ACTL-W versus ACTL
      • ACTL was introduced by R. De Nicola and F. Vaandrager in 1990;
      • ACTL-W can render all formulae expressible in ACTL. The converse is not true: "There exists a path consisting only of -transitions such that in all states on this path action a can be performed" is expressed in ACTL-W as EG (EX {a}) {} (we do not have a formal proof yet).

  18. Conclusion of the first part
      • ACTL-W is a new, enriched variant of Action CTL.
      • Using ACTL-W, properties can be expressed with patterns similar to those used with CTL.
      • ACTL-W model checking and counterexample generation can be implemented using fixed point calculation.
      • We have incorporated ACTL-W in the BDD-based tool EST (Efficient Symbolic Tools): GNU General Public License; Linux, MS Windows, Solaris; http://lms.uni-mb.si/EST/

  19. A BDD based model checker
      You have:
      • a BDD package with: Bdd_ITE(f, g, h), Bdd_Cmp(f, g), Bdd_E(f, var), Bdd_A(f, var), Bdd_Rename(f, var1, var2), Bdd_Restrict(f, var, const), Bdd_Compose(f, var, g)
      • a process algebra package (or LTS package) with: Pa_ReadProcess(FILE), Pa_EncodeProcess(name), Pa_ExtractState(set), Pa_ExtractTransition(set)
      • transitions encoded as (r, a, s)
      You want to implement a symbolic model checker.

  20. BNF for ACTL-W
      <ACTL>   ::= 'FALSE' | 'TRUE'
      <ACTL>   ::= 'E' '[' <LEFT> 'U' <RIGHT> ']'
      <ACTL>   ::= 'A' '[' <LEFT> 'U' <RIGHT> ']'
      <ACTL>   ::= 'E' '[' <LEFT> 'W' <RIGHT> ']'
      <ACTL>   ::= 'A' '[' <LEFT> 'W' <RIGHT> ']'
      <ACTL>   ::= 'EX' <RIGHT> | 'AX' <RIGHT>
      <ACTL>   ::= 'EF' <RIGHT> | 'AF' <RIGHT>
      <ACTL>   ::= 'EG' <LEFT> | 'AG' <LEFT>
      <ACTL>   ::= '(' <ACTL> ')' | 'NOT' <ACTL> | <ACTL> 'AND' <ACTL> | <ACTL> 'OR' <ACTL> | <ACTL> 'EQV' <ACTL> | <ACTL> 'IMPL' <ACTL>
      <LEFT>   ::= <ACTL> | <ACTL> '{' <ACTION> '}' | '{' <ACTION> '}'
      <RIGHT>  ::= <ACTL> | '{' <ACTION> '}' <ACTL> | '{' <ACTION> '}'
      <ACTION> ::= 'FALSE' | 'TRUE' | 'TAU' | visible_action
      <ACTION> ::= '(' <ACTION> ')' | 'NOT' <ACTION> | <ACTION> 'AND' <ACTION> | <ACTION> 'OR' <ACTION> | <ACTION> 'IMPL' <ACTION> | <ACTION> 'EQV' <ACTION>
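The grammar on slide 20 is small enough to be recognised by a hand-written recursive-descent parser. The following C code is an added example written for this page; it is not part of EST. It accepts exactly the productions listed above, treats AND, OR, IMPL and EQV as left-associative operators of equal precedence (the slide states no precedence), and assumes that a visible_action is a letter followed by letters, digits, '_', '!' or '?' (a lexical convention chosen here so that names like down! parse; the slide does not define visible_action).

```c
#include <ctype.h>
#include <string.h>

/* Cursor into the formula text; kw() and sym() only advance on success. */
static const char *src;

static void skip_ws(void) { while (isspace((unsigned char)*src)) src++; }

/* Consume keyword w if it is the next whole word. */
static int kw(const char *w) {
    size_t n = strlen(w);
    skip_ws();
    if (strncmp(src, w, n) == 0 && !isalnum((unsigned char)src[n]) && src[n] != '_') {
        src += n;
        return 1;
    }
    return 0;
}

/* Consume one punctuation character if it is next. */
static int sym(char c) {
    skip_ws();
    if (*src == c) { src++; return 1; }
    return 0;
}

static int action(void);
static int actl(void);

/* <ACTION> without binary operators: FALSE | TRUE | TAU | visible_action | '(' <ACTION> ')' | NOT <ACTION> */
static int action_atom(void) {
    if (kw("FALSE") || kw("TRUE") || kw("TAU")) return 1;
    if (kw("NOT")) return action_atom();
    if (sym('(')) return action() && sym(')');
    skip_ws();
    if (isalpha((unsigned char)*src)) {            /* visible action, e.g. down! (assumed lexical form) */
        while (*src && (isalnum((unsigned char)*src) || strchr("_!?", *src))) src++;
        return 1;
    }
    return 0;
}

/* <ACTION> with AND / OR / IMPL / EQV, left-associative, equal precedence. */
static int action(void) {
    if (!action_atom()) return 0;
    while (kw("AND") || kw("OR") || kw("IMPL") || kw("EQV"))
        if (!action_atom()) return 0;
    return 1;
}

/* <LEFT> ::= <ACTL> | <ACTL> '{' <ACTION> '}' | '{' <ACTION> '}' */
static int left(void) {
    if (sym('{')) return action() && sym('}');
    if (!actl()) return 0;
    if (sym('{')) return action() && sym('}');
    return 1;
}

/* <RIGHT> ::= <ACTL> | '{' <ACTION> '}' <ACTL> | '{' <ACTION> '}' */
static int right(void) {
    if (sym('{')) {
        const char *save;
        if (!(action() && sym('}'))) return 0;
        save = src;
        if (!actl()) src = save;                 /* state formula after the action set is optional */
        return 1;
    }
    return actl();
}

/* <ACTL> without binary operators; E/A '[' ... ']' covers the U and W forms. */
static int actl_atom(void) {
    if (kw("FALSE") || kw("TRUE")) return 1;
    if (kw("NOT")) return actl_atom();
    if (sym('(')) return actl() && sym(')');
    if (kw("E") || kw("A"))
        return sym('[') && left() && (kw("U") || kw("W")) && right() && sym(']');
    if (kw("EX") || kw("AX") || kw("EF") || kw("AF")) return right();
    if (kw("EG") || kw("AG")) return left();
    return 0;
}

/* <ACTL> with AND / OR / EQV / IMPL, left-associative, equal precedence. */
static int actl(void) {
    if (!actl_atom()) return 0;
    while (kw("AND") || kw("OR") || kw("EQV") || kw("IMPL"))
        if (!actl_atom()) return 0;
    return 1;
}

/* Returns 1 iff the whole string s is a well-formed ACTL-W formula. */
int actlw_parse(const char *s) {
    src = s;
    if (!actl()) return 0;
    skip_ws();
    return *src == '\0';
}
```

Keywords are matched as whole words, so an identifier such as NOTE is read as a visible action rather than as NOT followed by E. The recogniser only reports well-formedness; a model checker would build a tree of the same shape in the same functions and hand each node to a routine like Mc_CheckEEU.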

  21. Symbolic model checking: operations on LTSs, operations on BDDs, operations on Boolean functions

  22. Function Mc_CheckEEU: E[ {} U{’} ’]

      Bdd_Edge Mc_CheckEEU (Bdd_Edge D, Bdd_Edge s1, Bdd_Edge a1,
                            Bdd_Edge a2, Bdd_Edge s2)
      {
        Bdd_Edge last, Z, tmp1, tmp2, tmp3;

        /* IF THERE ARE NO TRANSITIONS IN THE PROCESS */
        if (Bdd_Cmp(D, bdd_termFalse)) return bdd_termFalse;

        /* LEAST FIXED POINT CALCULATION */
        last = bdd_termNull;
        Z = bdd_termFalse;
        while (!Bdd_Cmp(Z, last)) {
          last = Z;
          tmp1 = Bdd_AND(a1, Z);         /* transitions satisfying a1 leading into Z */
          tmp2 = Bdd_AND(a2, s2);        /* transitions satisfying a2 leading into s2 */
          tmp3 = Bdd_OR(tmp1, tmp2);
          tmp3 = Bdd_R2S(tmp3);
          tmp3 = Bdd_AND_ExAS(D, tmp3);  /* conjoin with D, abstract action and target (EX+) */
          tmp3 = Bdd_AND(s1, tmp3);      /* keep only source states satisfying s1 */
          Z = tmp3;
        }
        return Z;
      }

      [slide diagram: transition relation; {χ}, {χ’}; EX+(… ∨ …); S]

  23. Function Mc_CheckEEU - some details
      Let L = (S, At, δ, s0) be a finite-state LTS. We introduce a formula EX+({χ} ∨ {χ’}’), which holds in a state p iff there exists either a (, )-transition or a (’, ’)-transition from state p. This new operator helps us to express a fixed point formula for EU.
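The loop in Mc_CheckEEU is easier to follow with sets of states than with BDDs. The following C code is an added example written for this page, not EST code: it runs the same least fixed point iteration (Z = φ ∧ EX+({χ}Z ∨ {χ'}φ')) and, using the deadlock rule from slide 11, the greatest fixed point for EG, over an explicit-state LTS. State sets and action formulas are bitmasks (so at most 31 states), and the railway-crossing LTS (states, action names and transitions) is constructed here for illustration; it is not the model from the EST example slides.

```c
#include <stdint.h>
#include <stdio.h>

/* State sets are bitmasks over at most 31 states (bit i = state i). */
typedef uint32_t Set;
/* Action formulas are bitmasks over action indices (bit k set = action k satisfies it). */
typedef uint32_t ActSet;
#define ACT(k) (1u << (k))

typedef struct { int src; int act; int dst; } Trans;
typedef struct { int nstates; int ntrans; const Trans *t; } Lts;

/* Constructed example LTS: a crude road/railway crossing. State 4 is deadlocked. */
enum { TAU, DOWN, GREEN, CROSS, UP };
static const Trans railway_trans[] = {
    {0, DOWN, 1}, {1, GREEN, 2}, {2, CROSS, 3}, {3, UP, 0}, {0, TAU, 4}
};
const Lts railway = { 5, 5, railway_trans };

static Set all_states(const Lts *l) { return (1u << l->nstates) - 1u; }

/* Explicit-state EX+: states with some outgoing transition whose action
   satisfies chi and whose target lies in target. */
static Set ex_plus(const Lts *l, ActSet chi, Set target) {
    Set r = 0;
    for (int i = 0; i < l->ntrans; i++) {
        const Trans *tr = &l->t[i];
        if ((chi & ACT(tr->act)) && (target & (1u << tr->dst)))
            r |= 1u << tr->src;
    }
    return r;
}

/* States without any outgoing transition. */
static Set deadlocked(const Lts *l) {
    Set has_succ = 0;
    for (int i = 0; i < l->ntrans; i++) has_succ |= 1u << l->t[i].src;
    return all_states(l) & ~has_succ;
}

/* E[phi {chi} U {chi2} phi2] (strict form): least fixed point of
   Z = phi AND EX+({chi} Z OR {chi2} phi2), the iteration Mc_CheckEEU runs on BDDs. */
Set check_EU(const Lts *l, Set phi, ActSet chi, ActSet chi2, Set phi2) {
    Set z = 0, last;
    do {
        last = z;
        z = phi & (ex_plus(l, chi, z) | ex_plus(l, chi2, phi2));
    } while (z != last);
    return z;
}

/* EG phi {chi} (strict form): greatest fixed point of
   Z = phi AND (deadlocked OR EX+({chi} Z)); a deadlocked phi-state satisfies it. */
Set check_EG(const Lts *l, Set phi, ActSet chi) {
    Set z = all_states(l), last;
    do {
        last = z;
        z = phi & (deadlocked(l) | ex_plus(l, chi, z));
    } while (z != last);
    return z;
}

int main(void) {
    Set all = all_states(&railway);
    /* From which states can the train cross without the barriers going down first?
       E[TRUE {NOT down!} U {cross!} TRUE] */
    Set bad = check_EU(&railway, all, ACT(TAU) | ACT(GREEN) | ACT(CROSS) | ACT(UP), ACT(CROSS), all);
    printf("E[TRUE {NOT down!} U {cross!} TRUE] holds in states %#x\n", bad);
    printf("holds in initial state 0: %s\n", (bad & 1u) ? "yes" : "no");
    printf("EG TRUE {tau} holds in states %#x\n", check_EG(&railway, all, ACT(TAU)));
    return 0;
}
```

For the constructed LTS the bad-crossing formula holds only in states 1 and 2, where the barriers are already down, and not in the initial state, which is the check one would want for requirement 1 of the crossing example. EG TRUE {tau} holds in state 0 (the tau step leads to the deadlocked state 4) and in state 4 itself, exactly as the deadlock rule on slide 11 prescribes.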

  24. EST - An example
      A crossing of a road and a railway. The crossing consists of two barriers and train traffic lights.
      1. The barriers have to be kept down when the train crosses.
      2. The train can cross only if the traffic lights are green, otherwise it has to stop.

  25. EST - An example (cont.)

  26. Conclusion
      My work during my stay at ISTI:
      • to study ACTL, mu-ACTL and ACTL-W in detail;
      • to give an axiomatisation for ACTL-W (based on work of S. Gnesi);
      • to study counterexamples and witnesses for ACTL, its subsets and extensions, especially interested in counterexample and witness automata for CTL, ACTL (based on work of A. Fantechi);
      • to implement BDD-based algorithms for counterexample and witness automata and to integrate them into EST and JACK.

  27. About ACTL-W and the implementation of a BDD based model checker Thank you!
