1 / 65

Model checking

Model checking. Raúl Monroy (from Huth & Ryan’s LICS book). Verification by model checking. Model checking is based on temporal logic A formula is not statically true or false in a model The notion of truth is dynamic , the formulae may change their truth values as the system evolves

jane-mcgee
Download Presentation

Model checking

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Model checking Raúl Monroy (from Huth & Ryan’s LICS book)

  2. Verification by model checking • Model checking is based on temporal logic • A formula is not statically true or false in a model • The notion of truth is dynamic, the formulae may change their truth values as the system evolves • Models are transition systems

  3. Verification by model checking • To verify that a system satisfies a property: • Model the system using the description language (of the model checker.), M. • Code property using the specification language, resulting in . • Run the model checker with inputs M and .

  4. Temporal logics • Linear-time logics • Branching-time logics • Useful in modelling non-deterministic computations • Time: continuous or discrete • LTL: time is linear and discrete • CTL: time is branching and discrete

  5. Linear-Time Temporal Logic

  6. LTL: Syntax • Syntax of LTL formulae is defined inductively in Backus Naur form: Φ :: = ┴ │ T │p │ (¬Φ) │ (Φ Φ) │ (Φ Φ) │ (Φ Φ) │ XΦ │ FΦ │ GΦ│ ΦU Φ │ Φ W Φ │Φ R Φ where p ranges over atomic formulae

  7. LTL: Syntax • X, F, G, U, W and R are called temporal connectives • Convention: • ¬, X, F, G bind most tightly; (unary connectives) • U, R and W •  and , and after that 

  8. LTL: Syntax • F p  G q  p W r • F(p  G r)  ¬q U p • p W (q W r) • G F p  F(q  s) Now consider: • U r • pG q

  9. Definition of a model • A model, M, is given by (S, , L) • S is a set of states •  is a transition relation, such that every s  S has some s’ with s  s’ • L is a labelling function L : S P(Atoms)

  10. p, q q, r r Semantics of LTL A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.

  11. S0 S1 S2 S3 S4 Deadlock treatment • A system with a state S4 that does not have any further transitions.

  12. S0 S1 S2 S3 S4 Sd Deadlock treatment • An expand system with a ‘deadlock’ state Sd such that no state can deadlock; of course, it is then our understanding that reaching the ‘deadlock’ state corresponds to deadlock in the original system.

  13. Linear-time temporal logic • A path in a model M = (S, , L) is an infinite sequence of states s1,s2,s3 in S such that, for each i1, si  si+1 • We write • π = s1  s2  s3  • π3 = s3  s4  s5 

  14. Satisfaction relation on paths • Let M = (S, , L) be a model and π = s1  s2  s3  be a path in M. The satisfaction relation, │=, is given by: • π│= T • π │= p iff p L(s1) • π│= ¬ Φ iff π│=/= Φ • π│= Φ1Φ2 iff π│=Φ1 and π│=Φ2 • π│= Φ1 Φ2 iff π│=Φ1 or π│=Φ2

  15. π│= X Φ iff π2│=Φ • π│= G Φ holds iff, for all i 1, πi│=Φ • π│= F Φ holds iff, for some i 1, πi│=Φ • π│=Φ U ψ holds iff there is some i1 s.t. πi│=ψ and for all j=1,…,i-1 πj│=Φ • π│=Φ W ψ holds iff either …; or for all k1 w.h.t. πk│=Φ • π│=Φ R ψ holds iff either there is some i  1 s.t. πi│=ψ and for all j=1,…,iπj│=Φ; or for all k1 w.h.t. πk│= ψ

  16. S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 q p • Illustration of the meaning of Until in the semantics of LTL. • Each of the states s3 to s9 satisfies p U q along the path shown • W is just like U except it does not require that ψ is eventually satisfied along the path in question • R is the dual of U: Φ R ψ ¬(¬Φ U ¬ψ)

  17. LTL: Semantics • Suppose M = (S, , L) is a model, sS, and Φ an LTL formula. We write M, s |= Φif, for every execution path π of M starting at s, we have π |= Φ

  18. p, q q, r r Consider again system M

  19. p, q S0 q, r r S1 S2 p, q r S0 S2 r S2 q, r r S1 r S2 S2 Unwinding Mas an infinite tree of all computation paths beginning in a particular state

  20. Example checks for system M • M, s0 │= p q • M, s0 │= ¬r • M, s0 │= ┬ • M, s0 │= X r • M, s0 │= ¬X (q r) • M, s0 │= G¬(p r) • M, s2 │= F(¬q  r)F G r • M, s2 │= G F p • M, s0 │= G F p  G F r • M, s0 │= ¬(G F r  G F p)

  21. Computation Tree Logic

  22. CTL: Syntax • CTL formulas are defined inductively via a Backus Naur form Φ :: = ┴ │ T │p │ (¬Φ) │ (Φ Φ) │ (Φ Φ) │ (Φ Φ) │ AX Φ │ EX Φ │ A [ΦU Φ] │ E [ΦU Φ] │ AG Φ │ AF Φ │ EF Φ where p ranges over atomic formulas

  23. CTL: Syntax • AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives • Each temporal connectives is a pair of symbols: • 1st symbol of pair: A (along all paths) or E (along at least one path) • 2nd symbol of pair: X (neXt state), G (all future states), U (until) and F (some Future step) • AU and EU are binary • X, G, U and F cannot occur independently • ¬, AG, AF, AX bind most tightly. Next  and , and after that , AU

  24. CTL: Syntax • EG r • AG (q  EG r) • AG q  EG r • A [r U q] • EF E [r U q] • A [p U EF r]

  25. CTL: Syntax • AG AF r • A [ p1 U A [ p2 U p3 ]] • E [ A [ p1 U p2 ] U p3 ] • AG ( p  A [ p U ( ¬p  A [ ¬p U q ] ) ] )

  26. CTL: Syntax • FG r • A ¬G ¬p • F [ r U q ] • EF [ r U q ] • AEF r • AF [ (r U q )  (r U q )]

  27. A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ’s parse tree AU AX EU ¬ EX ¬ p  p p q Parse tree of a CTL formula A [AX ¬p U E [EX (p q) U ¬p]]

  28. Semantics of CTL • Let M = (S,,L). Given any s in S, a CTL formula Φ holds in state s M, s │= Φ iff

  29. Satisfaction relation, │= • M, s│= T and M, s│=/= ┴, s  S • M, s│= p iff p L(s) • M, s│= ¬Φ iff M, s|=/= Φ • M, s │= Φ1 Φ2 iff M,s │= Φ1 and M, s │= Φ2 • M, s │= Φ1 Φ2 iff M,s │= Φ1 or M, s │= Φ2

  30. M, s │= Φ1Φ2 iff M,s │=/= Φ1 or M, s │= Φ2 • M, s │= AX Φ iff for all s1 such that s s1 we have M, s1│= Φ. Thus, AX says: ‘in every next state’ • M, s │= EX Φ iff for some s1 such that s s1 we have M, s1│= Φ. Thus, EX says: ‘in some next state’.

  31. M, s │= AG Φ holds iff for all paths s1 s2  s3  …, where s1 equals s, and all si along the path, we have M, si │= Φ Mnemonically: for all computation paths beginning in s the property Φ holds globally

  32. M, s │= EG Φ holds iff there is a path s1 s2  s3  …, where s1 equals s, and for all si along the path, we have M, si │= Φ Mnemonically:there Exists a path that beginning in s such that Φ holds globally along the path

  33. M, s │= AF Φ holds iff for all the paths s1 s2  …, where s1 equals s, there is some si such that M, si │= Φ Mnemonically: for all computation paths beginning in s there will be some future state where Φ holds

  34. M, s │= EF Φ holds iff There is a path s1 s2  …, where s1 equals s, and for some si along the path, We have M, si │= Φ Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state

  35. M, s │= A[Φ1UΦ2] holds iff for all paths s1 s2  …, where s1 equals s, there is some si along the path such that M, si │= Φ2 and for each j<i, we have M, sj │= Φ1 Mnemonically:All computation paths beginning in s satisfy that Φ1Until Φ2holds on it

  36. M, s │= E[Φ1UΦ2] holds iff there is a path s1 s2  …, where s1 equals s, and there is some si along the path such that M, si │= Φ2 and for each j<i, we have M, sj │= Φ1 Mnemonically: there Exists a computation path beginning in s such that Φ1Until Φ2holds on it

  37. A system whose starting state satisfies EF Φ A system whose starting state satisfies EG Φ Φ Φ Φ Φ Semantics of CTL

  38. A system whose starting state satisfies AG Φ A system whose starting state satisfies AF Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Φ Semantics of CTL

  39. Semantics of CTL S0 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 q p An illustration of the meaning of Until in the semantics of CTL. Each of the states s3 to s9 satisfies p U q along the path shown

  40. p, q q, r r Consider again system M

  41. p, q S0 q, r r S1 S2 p, q r S0 S2 r S2 q, r r S1 r S2 S2 Semantics of CTL Unwinding M as an infinite tree of all computation paths beginning in a particular state

  42. Example checks for system M • M, s0 │= p q • M, s0 │= ¬r • M, s0 │= ┬ • M, s0 │= EX (q r) • M, s0 │= ¬AX (q r) • M, s0 │= ¬EF (p r) • M, s2 │= EG r • M, s2 │= AG r • M, s0 │= AF r • M, s0 │= E [(p q) U r] • M, s0 │= A [pU r]

  43. Practical patterns of specification • It is possible to get to a state where started holds, but ready does not hold: • EF ( started  ¬ready) • For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: • AG ( request  AF acknowledged)

  44. Practical patterns of specification • A certain process is enabled infinitely often on every computation path: • AG ( AF enabled) • Whatever happens, a certain process will eventually be permanently dead-locked: • AF ( AG deadlock)

  45. Practical patterns of specification • From any state it is possible to get to restart state: • AG ( EF restart)

  46. Practical patterns of specification • An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: • AG (floor=2  direction=up  ButtonPressed5  A [direction=up U floor=5] Here, our atomic description are boolean expresions built from system variables, e.g. floor = 2

  47. Practical patterns of specification • The elevator can remain idle in the third floor with its doors closed: • AG (floor=3  idle  door=closed  EG (floor=3  idle  door=closed))

  48. n1n2 t1n2 n1t2 c1n2 t1t2 n1c2 c1t2 t1c2 Mutual exclusion • The first modelling attempt

  49. Mutual exclusion • Four properties: • Safety: 1 = AG ¬(c1c2) • Liveness: 2 = AG (t1 AF c1) • Non-blocking: 3 = AG (n1  EX t1) • No strict sequencing: 4 = EF (c1 E[c1 U (¬c1 E[¬c2 U c1])]) def def def def

  50. The second modelling attempt n1n2 t1n2 n1t2 c1n2 t1t2 t1t2 n1c2 c1t2 t1c2 Mutual exclusion

More Related