## Model checking
**Model checking**
Raúl Monroy (from Huth & Ryan's LICS book)

**Verification by model checking**
• Model checking is based on temporal logic
• A formula is not statically true or false in a model
• The notion of truth is dynamic: the formulae may change their truth values as the system evolves
• Models are transition systems

**Verification by model checking**
• To verify that a system satisfies a property:
• Model the system using the description language (of the model checker), M.
• Code the property using the specification language, resulting in Φ.
• Run the model checker with inputs M and Φ.

**Temporal logics**
• Linear-time logics
• Branching-time logics
• Useful in modelling non-deterministic computations
• Time: continuous or discrete
• LTL: time is linear and discrete
• CTL: time is branching and discrete

**LTL: Syntax**
• The syntax of LTL formulae is defined inductively in Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ
where p ranges over atomic formulae

**LTL: Syntax**
• X, F, G, U, W and R are called temporal connectives
• Convention (binding priorities):
• ¬, X, F, G bind most tightly (unary connectives);
• then U, R and W;
• then ∧ and ∨, and after that →

**LTL: Syntax**
Well-formed LTL formulae:
• F p ∧ G q → p W r
• F (p → G r) ∨ ¬q U p
• p W (q W r)
• G F p → F (q ∨ s)
Now consider (these are not well-formed):
• U r
• p G q

**Definition of a model**
• A model, M, is given by (S, →, L)
• S is a set of states
• → is a transition relation, such that every s ∈ S has some s' with s → s'
• L is a labelling function L : S → P(Atoms)

**Semantics of LTL**
[Figure: the model M drawn as a directed graph; its states are labelled {p, q}, {q, r} and {r}.]
A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.

**Deadlock treatment**
[Figure: states S0, S1, S2, S3, S4.]
• A system with a state S4 that does not have any further transitions.

**Deadlock treatment**
[Figure: states S0, S1, S2, S3, S4 and Sd.]
• An expanded system with a 'deadlock' state Sd such that no state can deadlock; of course, it is then our understanding that reaching the 'deadlock' state corresponds to deadlock in the original system.

**Linear-time temporal logic**
• A path in a model M = (S, →, L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i ≥ 1, s_i → s_{i+1}
• We write
• π = s1 → s2 → s3 → …
• π^3 = s3 → s4 → s5 → … (in general, π^i is the suffix of π starting at s_i)

**Satisfaction relation on paths**
• Let M = (S, →, L) be a model and π = s1 → s2 → s3 → … be a path in M. The satisfaction relation, ⊨, is given by:
• π ⊨ ⊤
• π ⊨ p iff p ∈ L(s1)
• π ⊨ ¬Φ iff π ⊭ Φ
• π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
• π ⊨ Φ1 ∨ Φ2 iff π ⊨ Φ1 or π ⊨ Φ2
• π ⊨ X Φ iff π^2 ⊨ Φ
• π ⊨ G Φ holds iff, for all i ≥ 1, π^i ⊨ Φ
• π ⊨ F Φ holds iff, for some i ≥ 1, π^i ⊨ Φ
• π ⊨ Φ U ψ holds iff there is some i ≥ 1 s.t. π^i ⊨ ψ and for all j = 1, …, i−1, π^j ⊨ Φ
• π ⊨ Φ W ψ holds iff either …; or for all k ≥ 1 we have that π^k ⊨ Φ
• π ⊨ Φ R ψ holds iff either there is some i ≥ 1 s.t. π^i ⊨ Φ and for all j = 1, …, i, π^j ⊨ ψ; or for all k ≥ 1 we have that π^k ⊨ ψ

**Semantics of LTL**
[Figure: a path S0 → S1 → … → S10 annotated with where p and q hold.]
• Illustration of the meaning of Until in the semantics of LTL.
• Each of the states s3 to s9 satisfies p U q along the path shown
• W is just like U except it does not require that ψ is eventually satisfied along the path in question
• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)

**LTL: Semantics**
• Suppose M = (S, →, L) is a model, s ∈ S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ

**Consider again system M**
[Figure: the model M with states S0 labelled {p, q}, S1 labelled {q, r} and S2 labelled {r}.]

**Unwinding M as an infinite tree of all computation paths beginning in a particular state**
[Figure: the computation tree from S0. S0 {p, q} branches to S1 {q, r} and S2 {r}; S1 branches to S0 and S2; S2 has only the transition back to itself; the tree continues in the same way below each node.]

**Example checks for system M**
• M, s0 ⊨ p ∧ q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ X r
• M, s0 ⊨ ¬X (q ∧ r)
• M, s0 ⊨ G ¬(p ∧ r)
• M, s2 ⊨ F (¬q ∧ r) → F G r
• M, s2 ⊨ G F p
• M, s0 ⊨ G F p → G F r
• M, s0 ⊨ ¬(G F r → G F p)

**CTL: Syntax**
• CTL formulas are defined inductively via a Backus Naur form:
Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ AX Φ │ EX Φ │ A[Φ U Φ] │ E[Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ
where p ranges over atomic formulas

**CTL: Syntax**
• AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives
• Each temporal connective is a pair of symbols:
• 1st symbol of the pair: A (along All paths) or E (along at least one path, i.e. there Exists a path)
• 2nd symbol of the pair: X (neXt state), G (all future states, Globally), U (Until) and F (some Future state)
• AU and EU are binary
• X, G, U and F cannot occur independently
• Binding priorities: ¬, AG, AF, AX (and the other unary temporal connectives) bind most tightly. Next come ∧ and ∨, and after that → and AU

**CTL: Syntax**
Well-formed CTL formulae:
• EG r
• AG (q → EG r)
• AG q → EG r
• A [r U q]
• EF E [r U q]
• A [p U EF r]

**CTL: Syntax**
• AG AF r
• A [p1 U A [p2 U p3]]
• E [A [p1 U p2] U p3]
• AG (p → A [p U (¬p ∧ A [¬p U q])])

**CTL: Syntax**
Not well-formed CTL formulae:
• FG r
• A ¬G ¬p
• F [r U q]
• EF [r U q]
• AEF r
• AF [(r U q) ∧ (r U q)]

**Subformulas**
• A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ's parse tree
[Figure: parse tree of the CTL formula A [AX ¬p U E [EX (p ∧ q) U ¬p]]; the root is AU, with subtrees rooted at AX and EU.]

**Semantics of CTL**
• Let M = (S, →, L). Given any s in S, a CTL formula Φ holds in state s, written M, s ⊨ Φ, iff:

**Satisfaction relation, ⊨**
• M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S
• M, s ⊨ p iff p ∈ L(s)
• M, s ⊨ ¬Φ iff M, s ⊭ Φ
• M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2
• M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2
• M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2
• M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: 'in every next state'
• M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: 'in some next state'
• M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all s_i along the path, we have M, s_i ⊨ Φ. Mnemonically: for All computation paths beginning in s the property Φ holds Globally
• M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all s_i along the path we have M, s_i ⊨ Φ. Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path
• M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some s_i such that M, s_i ⊨ Φ. Mnemonically: for All computation paths beginning in s there will be some Future state where Φ holds
• M, s ⊨ EF Φ holds iff there is a path s1 → s2 → …, where s1 equals s, and for some s_i along the path we have M, s_i ⊨ Φ. Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state
• M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 → s2 → …, where s1 equals s, there is some s_i along the path such that M, s_i ⊨ Φ2 and for each j < i we have M, s_j ⊨ Φ1. Mnemonically: All computation paths beginning in s satisfy Φ1 Until Φ2
• M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 → s2 → …, where s1 equals s, and there is some s_i along the path such that M, s_i ⊨ Φ2 and for each j < i we have M, s_j ⊨ Φ1. Mnemonically: there Exists a computation path beginning in s such that Φ1 Until Φ2 holds on it

**Semantics of CTL**
[Figure: a system whose starting state satisfies EF Φ, and a system whose starting state satisfies EG Φ; the states satisfying Φ are marked.]
[Figure: a system whose starting state satisfies AG Φ, and a system whose starting state satisfies AF Φ; the states satisfying Φ are marked.]

**Semantics of CTL**
[Figure: a path S0 → S1 → … → S10 annotated with where p and q hold.]
An illustration of the meaning of Until in the semantics of CTL. Each of the states s3 to s9 satisfies p U q along the path shown

**Consider again system M**
[Figure: the model M and its unwinding as an infinite tree of all computation paths beginning in a particular state, as shown earlier.]

**Example checks for system M**
• M, s0 ⊨ p ∧ q
• M, s0 ⊨ ¬r
• M, s0 ⊨ ⊤
• M, s0 ⊨ EX (q ∧ r)
• M, s0 ⊨ ¬AX (q ∧ r)
• M, s0 ⊨ ¬EF (p ∧ r)
• M, s2 ⊨ EG r
• M, s2 ⊨ AG r
• M, s0 ⊨ AF r
• M, s0 ⊨ E [(p ∧ q) U r]
• M, s0 ⊨ A [p U r]

**Practical patterns of specification**
• It is possible to get to a state where started holds, but ready does not hold:
• EF (started ∧ ¬ready)
• For any state, if a request (of some resource) occurs, then it will eventually be acknowledged:
• AG (request → AF acknowledged)

**Practical patterns of specification**
• A certain process is enabled infinitely often on every computation path:
• AG (AF enabled)
• Whatever happens, a certain process will eventually be permanently deadlocked:
• AF (AG deadlock)

**Practical patterns of specification**
• From any state it is possible to get to a restart state:
• AG (EF restart)

**Practical patterns of specification**
• An upwards-travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor:
• AG (floor=2 ∧ direction=up ∧ ButtonPressed5 → A [direction=up U floor=5])
• Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor = 2

**Practical patterns of specification**
• The elevator can remain idle on the third floor with its doors closed:
• AG (floor=3 ∧ idle ∧ door=closed → EG (floor=3 ∧ idle ∧ door=closed))

**Mutual exclusion**
[Figure: the first modelling attempt, a transition system with states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2 and t1c2.]
• The first modelling attempt

**Mutual exclusion**
• Four properties:
• Safety: Φ1 =def AG ¬(c1 ∧ c2)
• Liveness: Φ2 =def AG (t1 → AF c1)
• Non-blocking: Φ3 =def AG (n1 → EX t1)
• No strict sequencing: Φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])

**Mutual exclusion**
[Figure: the second modelling attempt, with states n1n2, t1n2, n1t2, c1n2, two copies of t1t2, n1c2, c1t2 and t1c2.]
• The second modelling attempt
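Added example, not code from the slides or from Huth & Ryan: a small evaluator for the LTL path semantics on the "Satisfaction relation on paths" slides, run on two paths of the model M above. The state labels and path shapes are read from the unwinding figure; the lasso representation (finite prefix plus a loop that repeats forever) and the nested-tuple formula encoding are assumptions of this example, and `release_is_dual_of_until` checks the Φ R ψ ≡ ¬(¬Φ U ¬ψ) duality stated on the slides.

```python
# Added example (not from the slides): evaluating LTL formulae on an infinite path by
# the path semantics above. A path is a lasso (prefix, loop): the loop repeats forever,
# and each position is the set of atoms true there. Formulas are nested tuples such as
# ('U', 'q', 'r') for q U r; positions are 0-based, so position 0 is the slide's s1.

def holds(f, path, i=0):
    """Does the suffix of path starting at canonical position i satisfy f?"""
    prefix, loop = path
    n, m = len(prefix), len(loop)
    atoms = lambda k: prefix[k] if k < n else loop[(k - n) % m]
    nxt = n if i + 1 == n + m else i + 1     # successor position, wrapping into the loop
    # positions i, i+1, ... up to the end plus one full loop: enough to decide any
    # operator, because the path is periodic after the prefix
    seq = list(range(i, n + m)) + list(range(n, n + m))
    if f == 'true': return True
    if isinstance(f, str): return f in atoms(i)
    op, *a = f
    if op == 'not': return not holds(a[0], path, i)
    if op == 'and': return holds(a[0], path, i) and holds(a[1], path, i)
    if op == 'or': return holds(a[0], path, i) or holds(a[1], path, i)
    if op == 'imp': return not holds(a[0], path, i) or holds(a[1], path, i)
    if op == 'X': return holds(a[0], path, nxt)
    if op == 'G': return all(holds(a[0], path, k) for k in seq)
    if op == 'F': return any(holds(a[0], path, k) for k in seq)
    if op == 'U':   # some position satisfies psi and every position before it satisfies phi
        return any(holds(a[1], path, seq[j]) and all(holds(a[0], path, k) for k in seq[:j])
                   for j in range(len(seq)))
    if op == 'W':   # weak until: U, or phi holds forever
        return holds(('U', a[0], a[1]), path, i) or holds(('G', a[0]), path, i)
    if op == 'R':   # release: psi holds up to and including the first phi, or forever
        return any(holds(a[0], path, seq[j]) and all(holds(a[1], path, k) for k in seq[:j + 1])
                   for j in range(len(seq))) or holds(('G', a[1]), path, i)
    raise ValueError(op)

# Two paths of the model M above, read from the unwinding figure (constructed sample input):
# s0 -> s1 -> s0 -> s1 -> ...   and   s0 -> s2 -> s2 -> ...
S0, S1, S2 = {'p', 'q'}, {'q', 'r'}, {'r'}
PATH_S0S1 = ([], [S0, S1])
PATH_S0S2 = ([S0], [S2])

def release_is_dual_of_until(path):
    """Check the slide's duality phi R psi == not(not phi U not psi) on a few pairs."""
    pairs = [('p', 'q'), ('r', 'p'), ('q', 'r'), (('not', 'r'), 'q')]
    return all(holds(('R', f, g), path) == (not holds(('U', ('not', f), ('not', g)), path))
               for f, g in pairs)
```

On the first path G F p holds but F G r does not; on the second it is the other way round, which is why a model-level claim such as M, s0 ⊨ G F p → G F r must be checked on every path from s0.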

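Added example, not code from the slides: a CTL checker in the labelling style (`sat` computes the set of states where a formula holds, using fixpoints for EU and EG and the usual dualities for the other connectives), used to decide the four mutual-exclusion properties on the first modelling attempt. The transition relation is my reconstruction of the first-attempt figure following Huth & Ryan, the atoms n1, t1, c1 (and n2, t2, c2) are read as process 1 (2) being non-critical, trying, or in its critical section, and the nested-tuple formula encoding is an assumption of this example.

```python
# Added example (not from the slides): an explicit-state CTL checker in the style of the
# labelling algorithm, where sat(m, f) returns the set of states of m = (S, R, L) that
# satisfy f. Formulas are nested tuples, e.g. ('AG', ('imp', 't1', ('AF', 'c1'))).

def pre_e(R, Y):                         # states with at least one successor in Y
    return {s for s, t in R if t in Y}

def fix(Y, step):                        # iterate step until the state set is stable
    while (new := step(Y)) != Y:
        Y = new
    return Y

def sat(m, f):
    S, R, L = m
    if f == 'true': return set(S)
    if isinstance(f, str): return {s for s in S if f in L[s]}
    op, *a = f
    if op == 'not': return S - sat(m, a[0])
    if op == 'and': return sat(m, a[0]) & sat(m, a[1])
    if op == 'or': return sat(m, a[0]) | sat(m, a[1])
    if op == 'imp': return (S - sat(m, a[0])) | sat(m, a[1])
    if op == 'EX': return pre_e(R, sat(m, a[0]))
    if op == 'EU':                       # least fixpoint from sat(g), stepping back through sat(f)
        sf = sat(m, a[0])
        return fix(sat(m, a[1]), lambda Y: Y | (sf & pre_e(R, Y)))
    if op == 'EG':                       # greatest fixpoint: f-states that keep a successor inside
        return fix(sat(m, a[0]), lambda Y: Y & pre_e(R, Y))
    if op == 'EF': return sat(m, ('EU', 'true', a[0]))          # EF f = E[true U f]
    if op == 'AX': return sat(m, ('not', ('EX', ('not', a[0]))))
    if op == 'AF': return sat(m, ('not', ('EG', ('not', a[0]))))
    if op == 'AG': return sat(m, ('not', ('EF', ('not', a[0]))))
    if op == 'AU':                       # A[f U g] = not (E[not g U (not f and not g)] or EG not g)
        nf, ng = ('not', a[0]), ('not', a[1])
        return sat(m, ('not', ('or', ('EU', ng, ('and', nf, ng)), ('EG', ng))))
    raise ValueError(op)

# First mutual-exclusion model (constructed from the figure); a state's name lists its two atoms.
STATES = ['n1n2', 't1n2', 'n1t2', 'c1n2', 't1t2', 'n1c2', 'c1t2', 't1c2']
EDGES = {('n1n2', 't1n2'), ('n1n2', 'n1t2'), ('t1n2', 'c1n2'), ('t1n2', 't1t2'),
         ('n1t2', 't1t2'), ('n1t2', 'n1c2'), ('c1n2', 'n1n2'), ('c1n2', 'c1t2'),
         ('t1t2', 'c1t2'), ('t1t2', 't1c2'), ('n1c2', 'n1n2'), ('n1c2', 't1c2'),
         ('c1t2', 't1t2'), ('t1c2', 't1t2')}
MUTEX1 = (set(STATES), EDGES, {s: {s[:2], s[2:]} for s in STATES})

PROPS = {                                # the four properties from the slides
    'safety': ('AG', ('not', ('and', 'c1', 'c2'))),
    'liveness': ('AG', ('imp', 't1', ('AF', 'c1'))),
    'non_blocking': ('AG', ('imp', 'n1', ('EX', 't1'))),
    'no_strict_sequencing': ('EF', ('and', 'c1', ('EU', 'c1', ('and', ('not', 'c1'), ('EU', ('not', 'c2'), 'c1'))))),
}

def check_all(m=MUTEX1, init='n1n2'):   # which properties hold in the initial state?
    return {name: init in sat(m, f) for name, f in PROPS.items()}
```

Liveness fails on this first model because of the path that cycles through t1t2 and t1c2 while process 1 stays in t1 forever, which is what the second modelling attempt with two copies of t1t2 is meant to rule out.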