Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

Published byKathryn Candace Conley Modified over 8 years ago

Similar presentations

Presentation on theme: "Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property."— Presentation transcript:

1 Model Checking Lecture 2 Tom Henzinger

2 Model-Checking Problem I |= S System modelSystem property

3 a a,b b q1 q3q2 System model: State-transition graph StatesQ = { q1, q2, q3 } Atomic observations A = { a, b } Transition relation   Q  Q Observation function[ ] : Q  2 A

4 Run: sequence of states q1, q2 Observation: set of atomic observations Trace: sequence of observations {a}, {a,b}

5 -safety (finite runs) vs. liveness (infinite runs) -linear time (traces) vs. branching time (runs) -logic (declarative) vs. automata (executable) System property: 2x2x2 choices

6 STL (Safe Temporal Logic) -safety (only finite runs) -branching (runs, not traces) -logic

7 Defining a logic 1.Syntax: What are the formulas? 2. Semantics: What are the models? Does model M satisfy formula  ? M |= 

8 Propositional logics: 1. boolean variables (a,b) & boolean operators ( ,  ) 2. model = truth-value assignment for variables Propositional modal (e.g. temporal) logics: 1.... & modal operators ( ,  ) 2. model = set of (e.g. temporally) related prop. models

9 Propositional logics: 1. boolean variables (a,b) & boolean operators ( ,  ) 2. model = truth-value assignment for variables Propositional modal (e.g. temporal) logics: 1.... & modal operators ( ,  ) 2. model = set of (e.g. temporally) related prop. models observations state-transition graph (“Kripke structure”)

10 STL Syntax  ::= a |    |   |    |   U  boolean variable (atomic observation) boolean operators modal operators

11 STL Model ( K, q ) state-transition graphstate of K

12 STL Semantics (K,q) |= aiff a  [q] (K,q) |=    iff (K,q) |=  and (K,q) |=  (K,q) |=  iff not (K,q) |=  (K,q) |=    iff exists q’ s.t. q  q’ and (K,q’) |=  (K,q) |=   U  iff exist q 0,..., q n s.t. 1. q = q 0  q 1 ...  q n 2. for all 0  i < n, (K,q i ) |=  3. (K,q n ) |= 

13   EX exists next    =    AX forall next  U EUexists until    = true  U  EFexists eventually    =     AGforall always  W  =  ( (  )  U (    )) AW forall waiting-for (forall weak-until) Defined modalities

14 Important safety properties Invariance   a Sequencing a  W b  W c  W d = a  W (b  W (c  W d))

15 Important safety properties: mutex protocol Invariance    (in_cs1  in_cs2) Sequencing   ( req_cs1   in_cs2  W in_cs2  W  in_cs2  W in_cs1 )

16 Branching properties Deadlock freedom     true Possibility   (a    b)   (req_cs1    in_cs1)

17 CTL (Computation Tree Logic) -safety & liveness -branching time -logic [Clarke & Emerson; Queille & Sifakis 1981]

18 CTL Syntax  ::= a |    |   |    |   U  |   

19 CTL Model ( K, q ) fair state-transition graphstate of K

20 CTL Semantics (K,q) |=    iff exist q 0, q 1,... s.t. 1. q = q 0  q 1 ... is an infinite fair run 2. for all i  0, (K,q i ) |= 

21   EG exists always    =    AF forall eventually   W  = (   U  )  (    )   U  = (   W  )  (    ) Defined modalities

22 Important liveness property Response   (a    b)   (req_cs1    in_cs1)

23 If only universial properties are of interest, why not omit the path quantifiers?

24 LTL (Linear Temporal Logic) -safety & liveness -linear time -logic [Pnueli 1977; Lichtenstein & Pnueli 1982]

25 LTL Syntax  ::= a |    |   |   |  U 

26 LTL Model infinite trace t = t 0 t 1 t 2...

27 (K,q) |=  iff for all t  L(K,q), t |=  (K,q) |=  iff exists t  L(K,q), t |=  Language of deadlock-free state-transition graph K at state q : L(K,q)... set of infinite traces of K starting at q

28 LTL Semantics t |= aiff a  t 0 t |=    iff t |=  and t |=  t |=  iff not t |=  t |=   iff t 1 t 2... |=  t |=  U  iff exists n  0 s.t. 1. for all 0  i < n, t i t i+1... |=  2. t n t n+1... |= 

29  X next U U until   = true U  Feventually   =    G always  W  = (  U  )    W waiting-for (weak-until) Defined modalities

30 Important properties Invariance  a   (in_cs1  in_cs2) Sequencing a W b W c W d  ( req_cs1   in_cs2 W in_cs2 W  in_cs2 W in_cs1 ) Response  (a   b)  (req_cs1   in_cs1)

31 Composed modalities  ainfinitely often a  aalmost always a

32 Where did fairness go ?

33 Unlike in CTL, fairness can be expressed in LTL ! So there is no need for fairness in the model. Weak (Buchi) fairness :   (enabled   taken )  (enabled  taken) Strong (Streett) fairness : (  enabled )  (  taken )

34 Starvation freedom, corrected  (in_cs2  out_cs2)   (req_cs1   in_cs1)

35 CTL cannot express fairness   a      a   b      b b aa q0q0 q1q1 q2q2

36 LTL cannot express branching Possibility   (a    b) So, LTL and CTL are incomparable. (There are branching logics that can express fairness, e.g. CTL * = CTL + LTL, but they lose the computational attractiveness of CTL.)

37 Finite Automata -safety (no infinite runs) -linear or branching time -automata (not logic)

38 Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0  Sset of initial states   S  S transition relation  : S  PL(A) where the formulas of PL are  ::= a |    |   for a  A

39 Language L(M) of specification automaton M = (S, S 0, ,  ) : finite trace t 0,..., t n  L(M) iff there exists a finite run s 0  s 1 ...  s n of M such that for all 0  i  n, t i |=  (s i )

40 (K,q) |= L M iff L(K,q)  L(M) Linear semantics of specification automata: language containment state-transition graph state of K specification automaton finite traces

41 Invariance specification automaton  in_cs1   in_cs2

42 Starvation freedom specification automaton out_cs1 req_cs1   in_cs2 req_cs1  in_cs2 in_cs1 req_cs1   in_cs2

43 Automata are more expressive than logic, because temporal logic cannot count : This cannot be expressed in LTL. (How about a   (a   a) ?) atrue

44 Checking language containment between finite automata is PSPACE-complete ! L(K,q)  L(M) iff L(K,q)  complement( L(M) ) =  involves determinization (subset construction)

45 In practice: 1. require deterministic specification automata 2. use monitor automata 3. use branching semantics

46 Monitor Automata Syntax: same as specification automata, except also set E  S of error states Semantics: define L(M) s.t. runs must end in error states (K,q) |= C M iff L(K,q)  L(M) = 

47 Invariance monitor automaton  in_cs1   in_cs2 in_cs1  in_cs2

48 Starvation freedom monitor automaton out_cs1 req_cs1   in_cs2 req_cs1  in_cs2 in_cs1 req_cs1   in_cs2 req_cs1  in_cs2

49 Specification automatonMonitor automaton M complement(M) -describe correct traces-describe error traces -check language containment-check emptiness (linear): (exponential) reachability of error states “All safety verification is reachability checking.”

50 Main problem with deterministic specifications and monitor automata: not suitable for stepwise refinement / abstraction S1 |= S2 |= S3 “refines”

51 In practice: 1. require deterministic specification automata 2. use monitor automata 3. use branching semantics

52 (K,q) |= B M iff there exists a simulation relation R  Q  S s.t. (q,s)  R for some initial state s of M Branching semantics of specification automata: simulation states of K states of M

53 R  Q  S is a simulation relation iff (q,s)  R implies 1.[q] |=  (s) 2.for all q’ s.t. q  q’, exists s’ s.t. s  s’ and (q’,s’)  R. [Milner 1974]

54 (K,q) |= L MM language contains (K,q) : exponential check (K,q) |= B MM simulates (K,q) : quadratic check   X involves only traces (hence linear !) involves states (hence branching !)

55 In practice, simulation is usually the “right” notion. (If there is language containment, but not simulation, this is usually accidental, not by design.)

56 Finite Omega-Automata -safety & liveness (infinite runs !) -linear or branching time -automata (not logic)

57 -specification vs. monitor automata -linear (language containment) vs. branching (simulation) semantics We discuss only the linear specification case.

58 Specification Omega-Automata Syntax as for finite automata, in addition one of the following acceptance conditions: Buchi:BA  S coBuchi:CA  S Streett:SA  2 S  2 S Rabin:RA  2 S  2 S

59 Language L(M) of specification omega-automaton M = (S, S 0, , , A ) : infinite trace t 0, t 1,...  L(M) iff there exists an infinite run s 0  s 1 ... of M such that 1. s 0  s 1 ... satisfies A 2. for all i  0, t i |=  (s i )

60 Let Inf(s) = { p | p = s i for infinitely many i }. The infinite run s satisfies the acceptance condition A iff Buchi:Inf(s)  BA   coBuchi:Inf(s)  CA Streett:for all (l,r)  SA, if Inf(s)  l   then Inf(s)  r   Rabin:for some (l,r)  RA, Inf(s)  l =  and Inf(s)  r  

61 Buchi:  BA coBuchi:  CA Streett:  (  l   r) Rabin:  (   l   r)

62 (K,q) |= L M iff L(K,q)  L(M) Linear semantics of specification omega-automata: omega-language containment infinite traces

63 Response specification automaton :  (a   b) assuming (a  b) = false a bb b aa s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

64 a aa s0s0 s1s1 Buchi condition { s 0 } No coBuchi condition  a Streett condition { ({s 0,s 1 }, {s 0 }) } Rabin condition { ( ,{s 0 }) }

65 a aa s0s0 s1s1 No Buchi condition coBuchi condition { s 0 }  a Streett condition { ({s 1 },  ) } Rabin condition { ({s 1 }, {s 0,s 1 }) }

66 a aa s0s0 s1s1 Buchi condition { s 2 }  a a s2s2

67 -Buchi and coBuchi automata cannot be determinized -Streett and Rabin automata can be determinized nondeterministic Buchi = deterministic Streett = deterministic Rabin = nondeterministic Streett = nondeterministic Rabin = omega-regular [Buchi 1960]

68 Omega-automaton determinization is even harder (conceptually, at least) than finite- automaton determinization [Safra 1989]. So monitor automata and simulation are particularly important.

69 Omega-automata are strictly more expressive than LTL Omega-automata:omega-regular languages LTL: counter-free omega-regular languages 

70 Omega-automata:omega-regular languages = second-order theory of monadic predicates & successor = omega-regular expressions LTL: counter-free omega-regular languages = first-order theory of monadic predicates & successor = star-free omega-regular expressions 

71 Structure of the omega-regular languages Streett = Rabin Buchi coBuchi FinitecoFinite

72 Structure of the counter-free omega-regular languages    positive boolean combinations of  and 

73 The location of a linear-time property in the Borel hierarchy indicates how hard (theoretically as well as conceptually) the corresponding model-checking problem is.

74    positive boolean combinations of  and  safety weak fair strong fair response

Download ppt "Model Checking Lecture 2 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property."

Similar presentations

Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.

CSE 555 Protocol Engineering Dr. Mohammed H. Sqalli Computer Engineering Department King Fahd University of Petroleum & Minerals Credits: Dr. Abdul Waheed.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Similar presentations

Ads by Google