1 / 55

Model Checking I

Model Checking I. What are LTL and CTL?. dack. and. or. D. q0. dreq. D. q0bar. and. View circuit as a transition system. ( dreq , q0, dack )  ( dreq ’, q0’, dack ’) q0’ = dreq dack ’ = dreq and (q0 or ( not q0 and dack )). dack. and. or. D. q0. dreq. D.

nibal
Download Presentation

Model Checking I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking I What are LTL and CTL?

  2. dack and or D q0 dreq D q0bar and

  3. View circuit as a transition system (dreq, q0, dack)  (dreq’, q0’, dack’) q0’ = dreq dack’ = dreqand (q0 or (not q0 and dack))

  4. dack and or D q0 dreq D and

  5. dreq dack q0 q0’ dack’

  6. Idea Transition system + special temporal logic + automatic checking algorithm

  7. Exercise(from examplecircuit) (dreq, q0, dack)  (dreq’, dreq, dreq and (q0 or (not q0 and dack))) Draw state transition diagram Q: How many states for a start?

  8. Hint (partial answer) 000 100 110 111 001 101 010 011

  9. Question 000 100 110 111 001 101 010 011 Q: how many arrows should there be out of each state? Why so?

  10. Exercise 000 100 110 111 001 101 010 011 Complete the diagram Write down the corresponding binary relation as a set of pairs of states

  11. Another view computation tree from a state 111

  12. 111 011 111 • 011 000 100 111 011 000 100 000 100 010 110 Unwinding further . . .

  13. s Possible behaviours from state s Transition relation R . . . Relation vs. Function?

  14. s path = possible run of the system Transition relation R . . .

  15. Points to note Transition system models circuit behaviour We chose the tick of the transition system to be the same as one clock cycle. Gates have zero delay – a very standard choice for synchronous circuits Could have had a finer degree of modelling of time (with delays in gates). Choices here determine what properties can be analysed Model checker starts with transition system. It doesn’t matter where it came from

  16. G(p -> F q) yes property MC algorithm no p p q q counterexample finite-statemodel Model Checking (Ken McMillan)

  17. Netlist dack and or D 1 q0 dreq D 0 and

  18. input to SMV model checker MODULE main VAR w1 : boolean; VAR w2 : boolean; VAR w3 : boolean; VAR w4 : boolean; VAR w5 : boolean; VAR i0 : boolean; VAR w6 : boolean; VAR w7 : boolean; VAR w8 : boolean; VAR w9 : boolean; VAR w10 : boolean; DEFINE w4 := 0; DEFINE w5 := i0; ASSIGN init(w3) := w4; ASSIGN next(w3) := w5; DEFINE w7 := !(w3); DEFINE w9 := 1; DEFINE w10 := w5 & w6; ASSIGN init(w8) := w9; ASSIGN next(w8) := w10; DEFINE w6 := w7 & w8; DEFINE w2 := w3 | w6; MC builds internal representation of transition system

  19. Transition system M S set of states (finite) Rbinary relation on states assumed total, eachstate has at leastonearrowout A set of atomicformulas LfunctionS -> set of atomicformulas that holdin that state Lars backwards finite Kripkestructure

  20. Path in M Infinite sequence of states π = s0 s1 s2 ... st

  21. Path in M s0 s1 s2 ... R (s0,s1) є R (s1,s2) є R etc

  22. Properties Express desired behaviour over time using special logic LTL (linear temporal logic) CTL (computation tree logic) CTL* (more expressive logic with both . LTL and CTL as subsets)

  23. CTL* path quantifers A “for all computation paths” E “for some computation path” can prefix assertions made from Linear operators G “globally=always” F “sometimes” X “nexttime” U “until” about a path

  24. CTL* formulas (syntax) path formulas f ::= s | f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a | s | s1  s2 | E f atomic formulas

  25. Build up from core A f = E  f F f= trueU f G f =  F  f

  26. Example G (req -> F ack)

  27. Example G (req -> F ack) A request will eventually lead to an acknowledgement liveness linear

  28. Example (Gordon) It is possible to get to a state where Started holds but Ready does not

  29. Example (Gordon) It is possible to get to a state where Started holds but Ready does not E (F (Started & Ready))

  30. Semantics M = (L,A,R,S) M, s ffholds at state s in M (and omit M if it is clearwhich M we are talkingabout) M, πg gholds for pathπ in M

  31. Semantics Back to syntax and writedowneachcase S a a in L(s) (atomic) s fnot (s f) s f1  f2 s f1 ors f2 s E (g) Existsπ. head(π) = s andπ g

  32. Semantics πf s f andhead(π) = s π g not(π g) πg1  g2 π g1 orπg2

  33. Semantics πX gtail(π) g πg1 U g2 Exists k ≥ 0. drop kπ g2 and Forall 0 ≤ j < k.drop j πg1 (note: I meantail in the Haskellsense)

  34. CTL Branching time (remember upside-down tree) Restrict path formulas (compare with CTL*) f ::= f | s1s2 | X s | s1 U s2 state formulas Linear time ops (X,U,F,G) must be wrapped up in a path quantifier (A,E).

  35. Back to CTL* formulas (syntax) path formulas f ::= s | f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a | s | s1  s2 | E f atomic formulas

  36. CTL Another view is that we just have the combined operators AU, AX, AF, AG and EU, EX, EF, EG and only need to think about state formulas A operators for necessity E operators for possibility

  37. f :: = atomic | f Allimmediatesuccessors| AX f Someimmediatesuccesor| EX f Allpathsalways| AG f Somepathalways| EG f Allpathseventually| AF f Somepatheventually| EF f | f1 & f2 | A (f1 U f2) | E (f1 U f2)

  38. Examples (Gordon) It is possible to get to a state where Started holds but Ready does not

  39. Examples (Gordon) It is possible to get to a state where Started holds but Ready does not EF (Started & Ready)

  40. Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack

  41. Examples (Gordon) If a requestReqoccurs, then it willeventually be acknowledged by Ack AG (Req-> AF Ack)

  42. Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged

  43. Examples (Gordon) If a requestReqoccurs, then it continues to hold, until it is eventuallyacknowledged AG (Req-> A [Req U Ack])

  44. LTL LTL formula is of form A f where f is a pathformula with subformulas that are atomic (The f is whatwewritedown. The A is implicit.) Restrictpathformulas (compare with CTL*) f ::= a | f | f1  f2 | X f | f1 U f2

  45. Back to CTL* formulas (syntax) path formulas f ::= s | f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a | s | s1  s2 | E f atomic formulas

  46. LTL It is the restrictedpathformulas that wethink of as LTL specifications (See P&R again) G(critical1 & critical2) mutex FG initialisedeventuallystaysinitialised GF myMovemyMovewillalwayseventuallyhold G (req-> F ack)requestacknowledgepattern

  47. In CTL but not LTL AG EF start Regardlessof whatstate the program enters, thereexists a computationleading back to the start state AF AG p

  48. In both AG (p → AF q) in CTL G(p → F q) in LTL

More Related