Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson

Formal Verification  Framework for modelling systems  A specification language for describing properties to be verified  A verification method to establish whether the description of the system satisfies its specification

Approaches to Verification  Proof based vs model based  Degree of automation  Full vs. property verification  Intended domain of application  Pre vs post development

Model Checking  Describe a model for the system  Describe properties using temporal logic  Run the model checker to see if the property is satisfied in the model  Contrast to Alloy

Linear-Time Temporal Logic

Transition System p,q q,rr S0S0 S1S1 S2S2

Tree of Computation Paths p,q S0S0 r S2S2 r S2S2 q,r S1S1 r S2S2 r S2S2 p,q S0S0 r S2S2 q,r S1S1 … … … … …

Semantics of LTL

Examples p,q S0S0 r S2S2 r S2S2 q,r S1S1 r S2S2 r S2S2 p,q S0S0 r S2S2 q,r S1S1 … … … … …

Examples

Practical Examples  It is impossible to get to a state where started holds, but ready does not hold  G  (started  ready)  Negation says it is possible but only interpreted on paths. Does not say for all states there exists a path to get to such a state

Practical Examples  For any state, if a request occurs then it will eventually be acknowledged  G(requested  F acknowledged)  A certain process is enabled infinitely often  GF enabled

Practical Examples  Whatever happens a certain process will eventually be permantently deadlocked  F G deadlocked  If a process is enabled infinitely often it runs infinitely often  GF enabled  GF running

Practical Examples  An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the 5 th floor  G(floor2  up  Button5Pressed  (up U floor5)

What can’t you say  From any state it is possible to get to a restart state  An elevator can remain idle on the third floor  LT can not assert the existence of paths.  CTL can

Equivalent Formulas  Negation   G   F    F   G    X   X    (  U  )  (   R   )   (  R  )  (   U   )

Equivalent Formulas  Distributivity  F(    )  F   F   G(    )  G   G   What about the other way?

Equivalent Formulas

Mutual Exlcusion  Critical section (c, t, n)  Two processes that can be interleaved  Safety (only one process is in its critical section at a time)  G  (c 1  c 2 )  Liveness (whenever a process requests to enter its critical section it will eventually be permitted to do so)  G(t 1  F c 1 )

Mutual Exclusion  Critical section (c, t, n)  Non-blocking (a process can always request to enter its critical section)  Every state satisfying n there is a path satisfying t  No strict sequencing (processes need not enter their critical section in strict sequence)  There is a path with two distinct states satisfying c1 [not expressible in LTL]  Complement (all paths having c1 can not have further c1 until c2 occurs  G(c1  c1W(  c1   c1 W c2))

First Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 s7s7

Second Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s5s5 s6s6 s7s7 s4s4 t1t2t1t2 s9s9

Branching-Time Logic  In LTL a state of a system satisfies  iff for all paths from that state  is satisfied  Implicit universal quantifier  Properties which assert the existence of a path can not be expressed (partially solved by considering negation     Branching-time logic solve this problem by allowing quantifiers over paths

Computation Tree Logic (CTL)  Branching time logic where model of time is tree-like: there are different paths in the future, any of which might be the actual path

Computation Tree Logic (CTL)

Examples  There is a reachable state satisfying q  EF q  From all reachable states satisfying p, it is possible to maintain p continuously until reaching a state satisfying q  AG(p  E(p U q))

Examples  Whenever a state satisfying p is reached, the system can exhibit q continuously forevermore  AG (p  EG q)  There is a reachable state from which all reachable states satisfy p  EF AG p

Mutual Exclusion Revisited  Critical section (c, t, n)  Non-blocking (a process can always request to enter its critical section)  Every state satisfying n there is a path satisfying t  AG( n 1  EX t 1 )  No strict sequencing (processes need not enter their critical section in strict sequence)  There is a path with two distinct states satisfying c1 [not expressible in LTL]  EF(c1  E[c1 U (  c1  E[  c2 U c1])])

Second Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s5s5 s6s6 s7s7 s4s4 t1t2t1t2 s9s9

Semantics of CTL