
# Model checking

Model checking. Raúl Monroy (from Huth & Ryan’s LICS book). Verification by model checking: model checking is based on temporal logic; a formula is not statically true or false in a model; the notion of truth is dynamic, so formulae may change their truth values as the system evolves.


### Presentation Transcript

1. Model checking Raúl Monroy (from Huth & Ryan’s LICS book)

2. Verification by model checking
• Model checking is based on temporal logic
• A formula is not statically true or false in a model
• The notion of truth is dynamic: the formulae may change their truth values as the system evolves
• Models are transition systems

3. Verification by model checking
• To verify that a system satisfies a property:
• Model the system using the description language of the model checker, giving a model M.
• Code the property using the specification language, giving a formula Φ.
• Run the model checker with inputs M and Φ.

4. Temporal logics
• Linear-time logics
• Branching-time logics
• Useful in modelling non-deterministic computations
• Time: continuous or discrete
• LTL: time is linear and discrete
• CTL: time is branching and discrete

5. Linear-Time Temporal Logic

6. LTL: Syntax
• The syntax of LTL formulae is defined inductively in Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ
where p ranges over atomic formulae

7. LTL: Syntax
• X, F, G, U, W and R are called temporal connectives
• Convention (binding priorities):
• ¬, X, F, G bind most tightly (unary connectives)
• then U, R and W
• then ∧ and ∨, and after that →

8. LTL: Syntax
• F p ∧ G q → p W r
• F(p → G r) ∨ ¬q U p
• p W (q W r)
• G F p → F(q ∨ s)
Now consider (these are not well-formed LTL formulae):
• U r
• p G q

9. Definition of a model
• A model, M, is given by a triple (S, →, L)
• S is a set of states
• → is a transition relation, such that every s ∈ S has some s’ with s → s’
• L is a labelling function L : S → P(Atoms)

10. Semantics of LTL
[Figure: model M drawn as a directed graph with three states, labelled {p, q}, {q, r} and {r}]
• A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.

11. Deadlock treatment
[Figure: states S0 to S4, where S4 has no outgoing transition]
• A system with a state S4 that does not have any further transitions.

12. Deadlock treatment
[Figure: the same states S0 to S4 plus an extra state Sd]
• An expanded system with a ‘deadlock’ state Sd such that no state can deadlock; of course, it is then our understanding that reaching the ‘deadlock’ state corresponds to deadlock in the original system.

13. Linear-time temporal logic
• A path in a model M = (S, →, L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i ≥ 1, si → si+1
• We write π = s1 → s2 → s3 → … for the path, and πi for its suffix starting at si; for example π3 = s3 → s4 → s5 → …

14. Satisfaction relation on paths
• Let M = (S, →, L) be a model and π = s1 → s2 → s3 → … be a path in M. The satisfaction relation, ⊨, is given by:
• π ⊨ ⊤
• π ⊨ p iff p ∈ L(s1)
• π ⊨ ¬Φ iff π ⊭ Φ
• π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
• π ⊨ Φ1 ∨ Φ2 iff π ⊨ Φ1 or π ⊨ Φ2

15. Satisfaction relation on paths (continued)
• π ⊨ X Φ iff π2 ⊨ Φ
• π ⊨ G Φ holds iff, for all i ≥ 1, πi ⊨ Φ
• π ⊨ F Φ holds iff, for some i ≥ 1, πi ⊨ Φ
• π ⊨ Φ U ψ holds iff there is some i ≥ 1 such that πi ⊨ ψ and, for all j = 1, …, i−1, πj ⊨ Φ
• π ⊨ Φ W ψ holds iff either …; or, for all k ≥ 1, we have that πk ⊨ Φ
• π ⊨ Φ R ψ holds iff either there is some i ≥ 1 such that πi ⊨ Φ and, for all j = 1, …, i, πj ⊨ ψ; or, for all k ≥ 1, we have that πk ⊨ ψ

16.
[Figure: a path S0 → S1 → … → S10, annotated with the states where p and q hold]
• Illustration of the meaning of Until in the semantics of LTL.
• Each of the states s3 to s9 satisfies p U q along the path shown
• W is just like U except it does not require that ψ is eventually satisfied along the path in question
• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)

17. LTL: Semantics
• Suppose M = (S, →, L) is a model, s ∈ S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ

18. Consider again system M
[Figure: model M as a directed graph with states labelled {p, q}, {q, r} and {r}]

19. Unwinding M as an infinite tree of all computation paths beginning in a particular state
[Figure: the tree rooted at S0 (p, q); its children are S1 (q, r) and S2 (r); S1 in turn has children S0 (p, q) and S2 (r), while S2 has the single child S2 (r), and so on]

20. Example checks for system M
• M, s0 ⊨ p ∧ q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ X r
• M, s0 ⊨ ¬X (q ∧ r)
• M, s0 ⊨ G ¬(p ∧ r)
• M, s2 ⊨ F(¬q ∧ r) → F G r
• M, s2 ⊨ G F p
• M, s0 ⊨ G F p → G F r
• M, s0 ⊨ ¬(G F r → G F p)

21. Computation Tree Logic

22. CTL: Syntax
• CTL formulas are defined inductively via a Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ AX Φ │ EX Φ │ A[Φ U Φ] │ E[Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ
where p ranges over atomic formulas

23. CTL: Syntax
• AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives
• Each temporal connective is a pair of symbols:
• 1st symbol of the pair: A (along All paths) or E (along at least one path, i.e. there Exists a path)
• 2nd symbol of the pair: X (neXt state), G (all future states, Globally), U (Until) and F (some Future state)
• AU and EU are binary
• X, G, U and F cannot occur independently: they must be paired with A or E
• Binding priorities: ¬, AG, AF, AX bind most tightly; next ∧ and ∨, and after that →, AU

24. CTL: Syntax
• EG r
• AG (q → EG r)
• AG q → EG r
• A[r U q]
• EF E[r U q]
• A[p U EF r]

25. CTL: Syntax
• AG AF r
• A[p1 U A[p2 U p3]]
• E[A[p1 U p2] U p3]
• AG (p → A[p U (¬p ∧ A[¬p U q])])

26. CTL: Syntax
The following are not well-formed CTL formulas (every X, F, G or U must be paired with A or E):
• FG r
• A ¬G ¬p
• F[r U q]
• EF[r U q]
• AEF r
• AF[(r U q)  (r U q)]

27.
• A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ’s parse tree
[Figure: parse tree of the CTL formula A[AX ¬p U E[EX (p ∧ q) U ¬p]]: the root AU has children AX (over ¬ over p) and EU (over EX (over ∧ over p and q) and ¬ over p)]

28. Semantics of CTL
• Let M = (S, →, L). Given any s in S, whether a CTL formula Φ holds in state s, written M, s ⊨ Φ, is defined by the following clauses.

29. Satisfaction relation, ⊨
• M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S
• M, s ⊨ p iff p ∈ L(s)
• M, s ⊨ ¬Φ iff M, s ⊭ Φ
• M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2
• M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2

30. Satisfaction relation, ⊨ (continued)
• M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2
• M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: ‘in every next state’
• M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: ‘in some next state’.

31. Satisfaction relation, ⊨ (continued)
• M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ
• Mnemonically: for All computation paths beginning in s the property Φ holds Globally

32. Satisfaction relation, ⊨ (continued)
• M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all si along the path we have M, si ⊨ Φ
• Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path

33. Satisfaction relation, ⊨ (continued)
• M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ
• Mnemonically: for All computation paths beginning in s there will be some Future state where Φ holds

34. Satisfaction relation, ⊨ (continued)
• M, s ⊨ EF Φ holds iff there is a path s1 → s2 → …, where s1 equals s, such that for some si along the path we have M, si ⊨ Φ
• Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state

35. Satisfaction relation, ⊨ (continued)
• M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si along the path such that M, si ⊨ Φ2 and, for each j < i, we have M, sj ⊨ Φ1
• Mnemonically: All computation paths beginning in s satisfy Φ1 Until Φ2

36. Satisfaction relation, ⊨ (continued)
• M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 → s2 → …, where s1 equals s, and some si along the path such that M, si ⊨ Φ2 and, for each j < i, we have M, sj ⊨ Φ1
• Mnemonically: there Exists a computation path beginning in s that satisfies Φ1 Until Φ2

37. Semantics of CTL
[Figure: a system whose starting state satisfies EF Φ, and a system whose starting state satisfies EG Φ, with the states satisfying Φ marked]

38. Semantics of CTL
[Figure: a system whose starting state satisfies AG Φ, and a system whose starting state satisfies AF Φ, with the states satisfying Φ marked]

39. Semantics of CTL
[Figure: a path S0 → S1 → … → S10, annotated with the states where p and q hold]
• An illustration of the meaning of Until in the semantics of CTL.
• Each of the states s3 to s9 satisfies p U q along the path shown

40. Consider again system M
[Figure: model M as a directed graph with states labelled {p, q}, {q, r} and {r}]

41. Semantics of CTL
• Unwinding M as an infinite tree of all computation paths beginning in a particular state
[Figure: the tree rooted at S0 (p, q); its children are S1 (q, r) and S2 (r); S1 in turn has children S0 (p, q) and S2 (r), while S2 has the single child S2 (r), and so on]

42. Example checks for system M
• M, s0 ⊨ p ∧ q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ EX (q ∧ r)
• M, s0 ⊨ ¬AX (q ∧ r)
• M, s0 ⊨ ¬EF (p ∧ r)
• M, s2 ⊨ EG r
• M, s2 ⊨ AG r
• M, s0 ⊨ AF r
• M, s0 ⊨ E[(p ∧ q) U r]
• M, s0 ⊨ A[p U r]
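As an added example (not part of the original slides), the following Python implements the CTL satisfaction relation of slides 29 to 36 by the standard labelling algorithm: EX, E[U] and AF are computed directly (the last two as least fixpoints) and the remaining connectives are rewritten into them. The nested-tuple formula syntax is this example's own, and the transition relation of model M (s0→s1, s0→s2, s1→s0, s1→s2, s2→s2) is read off the unwinding tree of slide 41, so the checks of slide 42 can be run mechanically.

```python
# Explicit-state CTL model checking by the labelling (fixpoint) algorithm.
# A model is a triple (S, R, L): finite state set, successor map of the (total)
# transition relation, and labelling of each state with the atoms true there.
# Formulas are nested tuples (example syntax only): ("p",), ("not", f), ("and", f, g),
# ("or", f, g), ("imp", f, g), ("EX"/"AX"/"EF"/"AG"/"EG"/"AF", f), ("EU"/"AU", f, g).

def lfp(step):
    """Least fixpoint of a monotone set transformer, iterated from the empty set."""
    y = set()
    while True:
        y2 = step(y)
        if y2 == y:
            return y
        y = y2

def sat(m, f):
    """Return the set of states of model m = (S, R, L) satisfying CTL formula f."""
    S, R, L = m
    ex = lambda t: {s for s in S if R[s] & t}   # states with SOME successor in t
    ax = lambda t: {s for s in S if R[s] <= t}  # states with ALL successors in t
    op, a = f[0], f[1:]
    if op == "true":  return set(S)
    if op == "not":   return S - sat(m, a[0])
    if op == "and":   return sat(m, a[0]) & sat(m, a[1])
    if op == "or":    return sat(m, a[0]) | sat(m, a[1])
    if op == "imp":   return (S - sat(m, a[0])) | sat(m, a[1])
    if op == "EX":    return ex(sat(m, a[0]))
    if op == "AX":    return ax(sat(m, a[0]))
    if op == "EU":    # E[f U g] is the least Y with Y = g ∪ (f ∩ EX Y)
        F, G = sat(m, a[0]), sat(m, a[1])
        return lfp(lambda y: G | (F & ex(y)))
    if op == "AF":    # AF f is the least Y with Y = f ∪ AX Y
        F = sat(m, a[0])
        return lfp(lambda y: F | ax(y))
    if op == "EF":    return sat(m, ("EU", ("true",), a[0]))
    if op == "AG":    return S - sat(m, ("EF", ("not", a[0])))
    if op == "EG":    return S - sat(m, ("AF", ("not", a[0])))
    if op == "AU":    # A[f U g] = not( E[not g U (not f and not g)] or EG not g )
        ng = ("not", a[1])
        return S - (sat(m, ("EU", ng, ("and", ("not", a[0]), ng))) | sat(m, ("EG", ng)))
    return {s for s in S if op in L[s]}          # atomic proposition

def holds(m, s, f): return s in sat(m, f)       # M, s |= f

# The model M of the slides: s0 labelled {p,q}, s1 {q,r}, s2 {r}; the arrows
# s0->s1, s0->s2, s1->s0, s1->s2, s2->s2 are the ones shown by the unwinding tree.
M = ({"s0", "s1", "s2"},
     {"s0": {"s1", "s2"}, "s1": {"s0", "s2"}, "s2": {"s2"}},
     {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}})
```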

43. Practical patterns of specification
• It is possible to get to a state where started holds, but ready does not hold:
EF (started ∧ ¬ready)
• For any state, if a request (of some resource) occurs, then it will eventually be acknowledged:
AG (request → AF acknowledged)

44. Practical patterns of specification
• A certain process is enabled infinitely often on every computation path:
AG (AF enabled)
• Whatever happens, a certain process will eventually be permanently deadlocked:
AF (AG deadlock)

45. Practical patterns of specification
• From any state it is possible to get to the restart state:
AG (EF restart)

46. Practical patterns of specification
• An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor:
AG (floor=2 ∧ direction=up ∧ ButtonPressed5 → A[direction=up U floor=5])
Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor = 2

47. Practical patterns of specification
• The elevator can remain idle on the third floor with its doors closed:
AG (floor=3 ∧ idle ∧ door=closed → EG (floor=3 ∧ idle ∧ door=closed))

48. Mutual exclusion
• The first modelling attempt
[Figure: transition system with states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2, t1c2 (n = non-critical, t = trying, c = critical section, for processes 1 and 2)]

49. Mutual exclusion
• Four properties:
• Safety: φ1 =def AG ¬(c1 ∧ c2)
• Liveness: φ2 =def AG (t1 → AF c1)
• Non-blocking: φ3 =def AG (n1 → EX t1)
• No strict sequencing: φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])

50. Mutual exclusion
• The second modelling attempt
[Figure: transition system with states n1n2, t1n2, n1t2, c1n2, two copies of t1t2, n1c2, c1t2, t1c2]
