model checking n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Model checking PowerPoint Presentation
Download Presentation
Model checking

Loading in 2 Seconds...

play fullscreen
1 / 27

Model checking - PowerPoint PPT Presentation


  • 145 Views
  • Uploaded on

Model checking. And now... the system. How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems (textutal representation), or, equivalenely, with a Kripke structures (automata representation). . Kripke structures.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Model checking' - hao


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
and now the system
And now... the system
  • How do we model a reactive system with an automaton ?
  • It is convenient to model systems with
    • Transition systems (textutal representation), or, equivalenely, with a
    • Kripke structures (automata representation).
kripke structures
Kripke structures
  • A convenient model for describing reactive systems
  • Implicitly all states areaccepting.
  • M=hS, , I, Li
    • S: States (finite).
    •  µ S x S is the transition relation.
    • I µ S are the Initial states.
    • L: S ) 2AP(where AP is a set of atomic propositions)

Convention: we will only write the positive literals.

a kripke structure
A Kripke structure
  • Note: the alphabet is NOT the set AP.
  • Rather it is 2AP
from a kripke structure to a buchi automata
From a Kripke structure to a Buchi automata
  • Given a Kripke structure M=hS, M, IM, Li...

...we can build an equivalent

Buchi automata BM = h, S, ¢, I, Fi where

    •  = 2Prop
    • S // same states
    • (s, t) 2¢ iff (s,t) 2¢M and a = L(s) // transition relation
    • I = IM // same initial state
    • F = S //every state is accepting
example
Example

Recall that this is {p,q}

  • The system: M =

p,q

p

becomes the Buchi automaton

(recall: a transition is labelled with

an element of 2AP)

p,q

p

p

correctness condition
Correctness condition
  • An LTL formula  = a set of allowed computations (‘models’).
  • A Kripke structure M = a set of computations.
  • Are the computations of M models of  ?
correctness
Correctness

Sequencessatisfying Spec

Program computations

All sequences

incorrectness
Incorrectness

Counter

examples

Sequencessatisfying Spec

Program computations

All sequences

model checking formally
Model-Checking: formally
  • Language of a model M: L(M)
  • Language of a specification : L().
  • We need: L(M) L().

This is called Model-Checking

  • If yes, we write M ².
model checking example

q

Model checking – example

: G (p U q)

p,y

p,x

s0

s1

p

s2

q,x

model

M

spec

B

M ² ?

  • Let = s0,s1.
  • 2L(M) but   L(B).

Hence L(M) *L(B).

how to model check

S

M

M

: S

M µ S

M Å: S ¹;

How to model-check?
  • Show that L(Model)  L(Spec).
  • Equivalently: Show that L(Model)  L(Spec) = Ø.
  • How? Check that Amodel £A:Specis empty.
what do we need to know
What do we need to know?
  • How to translate from LTL to an automaton ?
  • How to complement an automaton?
  • How to intersect two automata?
  • How to check for emptiness of an automaton ?

L(Model)  L(Spec) = Ø.

how to complement
How to complement?
  • Complementation is hard!
  • We know how to translate an LTL formula to a Buchi automaton. So we can:
    • Build an automaton A for , and complement A, or
    • Negate the property, obtaining ¬ (the sequences that should never occur). Build an automaton for ¬ .
but reacall
But... reacall...
  • Theoretically, model checking gives us a proof of correctness
  • Practically, it mainly attempts to increase reliability:
    • Automated systematic debugging
    • VERY good at finding errors!
  • Why ?
    • Possible bugs in the model checker
    • Capacity limitations
    • Wrong or missing properties
    • ...
from programs to kripke structures
From programs to Kripke structures
  • Supposed that we wish to model-check a program / concurrent program –
    • How can we represent it as a Kripke structure ?
kripke structures1
Kripke structures
  • Kripke structures are suitable for modeling a synchronous system.
  • When we move from state s to state s’, the values of the atoms in the state are changed synchronously.
  • Is this the case for programs ?
  • How can we describe programs as transition systems?
programs as transition systems
Programs as transition systems
  • Programs we know are sequential.
  • What is the result of this computation :

...

x = y;

y = x;

  • We need to model the location in the program
  • We will use a variable called the program counter (PC)
slide19
L0:While True do

nc0:wait (Turn=0);

cr0:Turn=1

T0:(pc0=L0, pc0=nc0)

T1: (pc0=nc0Æ Turn=0, pc0=cr0)

T2: (pc0=cr0, pc0 =L0 Æ Turn=1)

T3: (pc1=L1, pc1=nc1)

T4: (pc1=nc1 Æ Turn=1, pc1=cr1)

T5: (pc1=cr1, pc1 = L1 ÆTurn = 0)

Example: A program that maintains mutual exclusion

Initially: pc0=L0Æ pc1=L1

L1:While True do

nc1:wait (Turn=1);

cr1:Turn=0

||

Possible transitions:

and now as a kripke structure

Turn=0

L0,L1

Turn=1

L0,L1

Turn=0

L0,nc1

Turn=0

nc0,L1

Turn=1

L0,nc1

Turn=1

nc0,L1

Turn=0

nc0,nc1

Turn=0

cr0,L1

Turn=1

L0,cr1

Turn=1

nc0,nc1

Turn=0

cr0,nc1

Turn=1

nc0,cr1

And now as a Kripke structure

PC0 = L0, PC1 = L1

g pc 0 cr 0 pc 1 cr 1 a safety property

Turn=0

L0,L1

Turn=1

L0,L1

Turn=0

L0,nc1

Turn=0

nc0,L1

Turn=1

L0,nc1

Turn=1

nc0,L1

Turn=0

nc0,nc1

Turn=0

cr0,L1

Turn=1

L0,cr1

Turn=1

nc0,nc1

Turn=0

cr0,nc1

Turn=1

nc0,cr1

G:(pc0=cr0Æ pc1=cr1) (a safety property)
g turn 0 f turn 1 a liveness property

Turn=0

L0,L1

Turn=1

L0,L1

Turn=0

L0,nc1

Turn=0

nc0,L1

Turn=1

L0,nc1

Turn=1

nc0,L1

Turn=0

nc0,nc1

Turn=0

cr0,L1

Turn=1

L0,cr1

Turn=1

nc0,nc1

Turn=0

cr0,nc1

Turn=1

nc0,cr1

G(Turn=0 !FTurn=1) (a liveness property)
what properties can we check
What properties can we check?
  • Examples:
    • Invariants: a property that has to hold in each state.
    • Deadlock detection: can we reach a state where the program is blocked?
    • Dead code: does the program have parts that are never executed?
if it is so good is this all we need
If it is so good, is this all we need?
  • Model checking works only for finite state systems. Would not work with
    • Unconstrained integers.
    • Unbounded message queues.
    • General data structures:
      • queues
      • trees
      • stacks
    • Parametric algorithms and systems.
the state space explosion problem
The state space explosion problem
  • Need to represent the state space of a program in the computer memory.
    • Each state can be as big as the entire memory!
  • Many states:
    • Each integer variable has 232 possibilities. Two such variables have 264 possibilities.
    • In concurrent protocols, the number of states usually grows exponentially with the number of processes.
if it is so constrained is it of any use
If it is so constrained, is it of any use?
  • Many protocols are finite state.
  • Many programs or procedures are finite state in nature. Can use abstraction techniques.
if it is so constrained is it of any use1
If it is so constrained, is it of any use?
  • Sometimes it is possible to decompose a program, and prove part of it by model checking and part by other methods.
  • Many techniques to reduce the state space explosion
  • We will NOT learn about such techniques, but let us mention some names:
    • Data structures such as Binary Decision Diagrams,
    • Reductions, such as Partial Order Reduction.