Model checking Raúl Monroy (from Huth & Ryan’s LICS book)
Verification by model checking
• Model checking is based on temporal logic
• A formula is not statically true or false in a model
• The notion of truth is dynamic: the formulae may change their truth values as the system evolves
• Models are transition systems
Verification by model checking
• To verify that a system satisfies a property:
• Model the system using the description language of the model checker, obtaining a model M.
• Code the property using the specification language, resulting in a formula Φ.
• Run the model checker with inputs M and Φ.
Temporal logics
• Linear-time logics
• Branching-time logics
• Useful in modelling non-deterministic computations
• Time: continuous or discrete
• LTL: time is linear and discrete
• CTL: time is branching and discrete
LTL: Syntax
• The syntax of LTL formulae is defined inductively in Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ
where p ranges over atomic formulae
LTL: Syntax
• X, F, G, U, W and R are called temporal connectives
• Convention:
• ¬, X, F, G bind most tightly (unary connectives);
• then U, R and W;
• then ∧ and ∨, and after that →
LTL: Syntax
• F p G q p W r
• F(p G r) ¬q U p
• p W (q W r)
• G F p F(q s)
Now consider:
• U r
• pG q
Definition of a model
• A model, M, is given by (S, →, L)
• S is a set of states
• → is a transition relation, such that every s ∈ S has some s' with s → s'
• L is a labelling function L : S → P(Atoms)
Semantics of LTL
[Figure: model M drawn as a directed graph, with three states labelled p, q; q, r; and r]
A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.
Deadlock treatment
[Figure: states S0, S1, S2, S3, S4, where S4 has no outgoing transition]
• A system with a state S4 that does not have any further transitions.
Deadlock treatment
[Figure: the same states S0 to S4 plus an added state Sd]
• An expanded system with a 'deadlock' state Sd such that no state can deadlock; of course, it is then our understanding that reaching the 'deadlock' state corresponds to deadlock in the original system.
Linear-time temporal logic
• A path in a model M = (S, →, L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i ≥ 1, si → si+1
• We write
• π = s1 → s2 → s3 → …
• πi for the suffix of π starting at si, e.g. π3 = s3 → s4 → s5 → …
Satisfaction relation on paths
• Let M = (S, →, L) be a model and π = s1 → s2 → s3 → … be a path in M. The satisfaction relation, ⊨, is given by:
• π ⊨ ⊤
• π ⊨ p iff p ∈ L(s1)
• π ⊨ ¬Φ iff π ⊭ Φ
• π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
• π ⊨ Φ1 ∨ Φ2 iff π ⊨ Φ1 or π ⊨ Φ2
• π ⊨ X Φ iff π2 ⊨ Φ
• π ⊨ G Φ holds iff, for all i ≥ 1, πi ⊨ Φ
• π ⊨ F Φ holds iff, for some i ≥ 1, πi ⊨ Φ
• π ⊨ Φ U ψ holds iff there is some i ≥ 1 s.t. πi ⊨ ψ and for all j = 1, …, i-1, πj ⊨ Φ
• π ⊨ Φ W ψ holds iff either …; or for all k ≥ 1 we have that πk ⊨ Φ
• π ⊨ Φ R ψ holds iff either there is some i ≥ 1 s.t. πi ⊨ ψ and for all j = 1, …, i, πj ⊨ Φ; or for all k ≥ 1 we have that πk ⊨ ψ
[Figure: a path S0 → S1 → … → S10 annotated with the states where p and q hold]
• Illustration of the meaning of Until in the semantics of LTL.
• Each of the states s3 to s9 satisfies p U q along the path shown
• W is just like U except it does not require that ψ is eventually satisfied along the path in question
• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)
LTL: Semantics
• Suppose M = (S, →, L) is a model, s ∈ S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ
Consider again system M
[Figure: model M as a directed graph, states labelled p, q; q, r; and r]
Unwinding M as an infinite tree of all computation paths beginning in a particular state
[Figure: the computation tree of M from S0: S0 (p, q) branches to S1 (q, r) and S2 (r); S1 branches to S0 and S2; S2 continues to S2]
Example checks for system M
• M, s0 ⊨ p q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ X r
• M, s0 ⊨ ¬X (q r)
• M, s0 ⊨ G ¬(p r)
• M, s2 ⊨ F(¬q r) F G r
• M, s2 ⊨ G F p
• M, s0 ⊨ G F p G F r
• M, s0 ⊨ ¬(G F r G F p)
CTL: Syntax
• CTL formulas are defined inductively via a Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ AX Φ │ EX Φ │ A[Φ U Φ] │ E[Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ
where p ranges over atomic formulas
CTL: Syntax
• AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives
• Each temporal connective is a pair of symbols:
• 1st symbol of the pair: A (along all paths) or E (along at least one path)
• 2nd symbol of the pair: X (neXt state), G (all future states), U (until) and F (some Future step)
• AU and EU are binary
• X, G, U and F cannot occur independently
• ¬, AG, AF, AX bind most tightly; next ∧ and ∨, and after that →, AU
CTL: Syntax
• EG r
• AG (q EG r)
• AG q EG r
• A [r U q]
• EF E [r U q]
• A [p U EF r]
CTL: Syntax
• AG AF r
• A [ p1 U A [ p2 U p3 ]]
• E [ A [ p1 U p2 ] U p3 ]
• AG ( p A [ p U ( ¬p A [ ¬p U q ] ) ] )
CTL: Syntax
• FG r
• A ¬G ¬p
• F [ r U q ]
• EF [ r U q ]
• AEF r
• AF [ (r U q ) (r U q )]
Parse tree of a CTL formula
• A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ's parse tree
[Figure: parse tree of A [AX ¬p U E [EX (p q) U ¬p]], with root AU and children AX and EU]
Semantics of CTL
• Let M = (S, →, L). Given any s in S, whether a CTL formula Φ holds in state s, written M, s ⊨ Φ, is defined by the satisfaction relation below.
Satisfaction relation, ⊨
• M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S
• M, s ⊨ p iff p ∈ L(s)
• M, s ⊨ ¬Φ iff M, s ⊭ Φ
• M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2
• M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2
• M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2
• M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: 'in every next state'
• M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: 'in some next state'.
• M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ
Mnemonically: for All computation paths beginning in s, the property Φ holds Globally
• M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, and for all si along the path we have M, si ⊨ Φ
Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path
• M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ
Mnemonically: for All computation paths beginning in s there will be some Future state where Φ holds
• M, s ⊨ EF Φ holds iff there is a path s1 → s2 → …, where s1 equals s, and for some si along the path we have M, si ⊨ Φ
Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state
• M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si along the path such that M, si ⊨ Φ2 and for each j < i we have M, sj ⊨ Φ1
Mnemonically: All computation paths beginning in s satisfy that Φ1 Until Φ2 holds on them
• M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 → s2 → …, where s1 equals s, and there is some si along the path such that M, si ⊨ Φ2 and for each j < i we have M, sj ⊨ Φ1
Mnemonically: there Exists a computation path beginning in s such that Φ1 Until Φ2 holds on it
Semantics of CTL
[Figure: a system whose starting state satisfies EF Φ, beside a system whose starting state satisfies EG Φ]
Semantics of CTL
[Figure: a system whose starting state satisfies AG Φ, beside a system whose starting state satisfies AF Φ]
Semantics of CTL
[Figure: a path S0 → S1 → … → S10 annotated with the states where p and q hold]
• An illustration of the meaning of Until in the semantics of CTL.
• Each of the states s3 to s9 satisfies p U q along the path shown
Consider again system M
[Figure: model M as a directed graph, states labelled p, q; q, r; and r]
Semantics of CTL
Unwinding M as an infinite tree of all computation paths beginning in a particular state
[Figure: the computation tree of M from S0: S0 (p, q) branches to S1 (q, r) and S2 (r); S1 branches to S0 and S2; S2 continues to S2]
Example checks for system M
• M, s0 ⊨ p q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ EX (q r)
• M, s0 ⊨ ¬AX (q r)
• M, s0 ⊨ ¬EF (p r)
• M, s2 ⊨ EG r
• M, s2 ⊨ AG r
• M, s0 ⊨ AF r
• M, s0 ⊨ E [(p q) U r]
• M, s0 ⊨ A [p U r]
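The CTL satisfaction relation and the example checks above, carried out by the labelling (SAT) algorithm as an added example; this is not code from the slides or from Huth & Ryan. It assumes system M as read off the unwinding above (s0 → s1, s2; s1 → s0, s2; s2 → s2, labelled {p, q}, {q, r}, {r}) and reads the binary connective dropped from the example checks as ∧, so that "p q" is p ∧ q.

```python
# Added example (not from the slides): explicit-state CTL model checking by the
# labelling (SAT) algorithm, run on the three-state system M of the slides.
STATES = {"s0", "s1", "s2"}
TRANS = {"s0": {"s1", "s2"}, "s1": {"s0", "s2"}, "s2": {"s2"}}  # total: no deadlock
LABEL = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}

def pre_exists(y):
    """States with at least one successor in y."""
    return {s for s in STATES if TRANS[s] & y}

def sat(phi):
    """Set of states of M satisfying the CTL formula phi. Atoms are strings,
    True/False are the constants T and bottom, and compound formulas are tuples:
    ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g), ("EX", f), ("AX", f),
    ("EF", f), ("AF", f), ("EG", f), ("AG", f), ("EU", f, g), ("AU", f, g)."""
    if isinstance(phi, bool):
        return set(STATES) if phi else set()
    if isinstance(phi, str):
        return {s for s in STATES if phi in LABEL[s]}
    op, a = phi[0], phi[1:]
    if op == "not": return STATES - sat(a[0])
    if op == "and": return sat(a[0]) & sat(a[1])
    if op == "or":  return sat(a[0]) | sat(a[1])
    if op == "imp": return (STATES - sat(a[0])) | sat(a[1])
    if op == "EX":  return pre_exists(sat(a[0]))
    if op == "AX":  return STATES - pre_exists(STATES - sat(a[0]))  # AX f = not EX not f
    if op == "EU":  # least fixpoint: grow sat(g) backwards through states satisfying f
        f, y = sat(a[0]), sat(a[1])
        while not (f & pre_exists(y)) <= y:
            y = y | (f & pre_exists(y))
        return y
    if op == "EG":  # greatest fixpoint: keep only states with a successor still in y
        y = sat(a[0])
        while y & pre_exists(y) != y:
            y = y & pre_exists(y)
        return y
    # The remaining connectives are reduced through the standard CTL equivalences.
    if op == "EF": return sat(("EU", True, a[0]))
    if op == "AF": return STATES - sat(("EG", ("not", a[0])))
    if op == "AG": return STATES - sat(("EF", ("not", a[0])))
    if op == "AU":  # A[f U g] = not (E[not g U (not f and not g)] or EG not g)
        f, g = a
        return STATES - sat(("or", ("EU", ("not", g), ("and", ("not", f), ("not", g))),
                                   ("EG", ("not", g))))
    raise ValueError(f"unknown connective {op}")

def holds(state, phi):
    """The slides' satisfaction relation M, state |= phi."""
    return state in sat(phi)
```

Every check listed above comes out true, e.g. holds("s0", ("AU", "p", "r")); by contrast holds("s0", ("AG", ("imp", "r", ("EF", "p")))) is False, because from s2 no p-state is reachable.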
Practical patterns of specification
• It is possible to get to a state where started holds, but ready does not hold:
• EF (started ∧ ¬ready)
• For any state, if a request (of some resource) occurs, then it will eventually be acknowledged:
• AG (request → AF acknowledged)
Practical patterns of specification
• A certain process is enabled infinitely often on every computation path:
• AG (AF enabled)
• Whatever happens, a certain process will eventually be permanently deadlocked:
• AF (AG deadlock)
Practical patterns of specification
• From any state it is possible to get to a restart state:
• AG (EF restart)
Practical patterns of specification
• An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor:
• AG (floor=2 ∧ direction=up ∧ ButtonPressed5 → A [direction=up U floor=5])
Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor = 2
Practical patterns of specification
• The elevator can remain idle on the third floor with its doors closed:
• AG (floor=3 ∧ idle ∧ door=closed → EG (floor=3 ∧ idle ∧ door=closed))
Mutual exclusion
• The first modelling attempt
[Figure: transition system over the states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2, t1c2]
Mutual exclusion
• Four properties:
• Safety: Φ1 =def AG ¬(c1 ∧ c2)
• Liveness: Φ2 =def AG (t1 → AF c1)
• Non-blocking: Φ3 =def AG (n1 → EX t1)
• No strict sequencing: Φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])
Mutual exclusion
• The second modelling attempt
[Figure: transition system over the states n1n2, t1n2, n1t2, c1n2, t1t2 (split into two states), n1c2, c1t2, t1c2]