Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking CS 680 Formal Methods Jeremy Johnson.

Published byArnim Böhmer Modified over 5 years ago

Similar presentations

Presentation on theme: "Model Checking CS 680 Formal Methods Jeremy Johnson."— Presentation transcript:

1 Model Checking CS 680 Formal Methods Jeremy Johnson

2 Outliine Introduction Model checking for CTL Model checking for LTL
Labeling Algorithm Example Complexity and “state explosion” Correctness Model checking for LTL Strategy (Automaton for , Combine, Search for path in combined automaton)

3 Transition System M = (S, , L) S is a set of states
 a binary relation on S (transition relation) L : S  𝒫(Atoms) p,q S0 S2 q,r r S1

4 Tree of Computation Paths
p,q S2 q,r r S1 S2 S2 r r S0 p,q S2 r S2 q,r r S1 M,s0⊨ GF p  GF r , M,s0⊨ GF r  GF p

5 Tree of Computation Paths
p,q S2 q,r r S1 S2 S2 r r S0 p,q S2 r S2 q,r r S1 M,s0⊨ E[(pq)Ur], M,s0⊨ A[pUr]

6 First Attempt s0 s5 s1 s3 s6 s2 s4 s7
n1n2 s5 s1 t1n2 n1t2 s3 s6 s2 c1n2 t1t2 n1c2 c1t2 t1c2 s4 s7 M,s0⊨ AG[n1  EXt1], M,s0⊨ AG[t1  AFc1]

7 Second Attempt s0 s5 s1 s3 s9 s6 s2 s4 s7
n1n2 s5 s1 t1n2 n1t2 s3 s9 s6 s2 c1n2 t1t2 t1t2 n1c2 c1t2 t1c2 s4 s7 M,s0⊨ AG[n1  EXt1], M,s0⊨ AG[t1  AFc1]

8 Properties of CTL Theorem A set of temporal connectives in CTL is adequate iff it contains at least one of {AX,EX}, at least one of {EG, AF, AU} and EU. AF     AX AF  EG     EX EG  E[ U ]    (  EX E[ U ])

9 Labeling Algorithm Determine all states s which satisfy 
Label states with subformulas of  starting with the smallest working outwards to  Translate  to use only AF, EU, EX, , ,  : no states are labeled with  p: label s with p if p  L(S) 1  2 : label s with 1  2 if s already labeled with both 1 and 2 : label s with   if s not labeled with 

10 Labeling Algorithm: AF1
label s with AF1 if any state s is labeled with 1 label s with AF1 Repeat until no change: label any state with AF1 if all successor states are labeled with AF1 AF1 AF1 AF1 AF1 AF1 AF1 AF1

11 Labeling Algorithm: E[1 U 2]
If any state s is labeled with 2 label s with E[1 U 2] Repeat until no change: label any state with E[1 U 2] if it is labeled with 1 and one of its successors is labeled with E[1 U 2] E[1U 2] E[1U 2] E[1U 2] 1 1

12 Labeling Algorithm: EX1
Label any state s with EX1 if one of its successors is labeled with 1 1 1 EX1

13 Example: E[c2 U c1] s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 n1t2 c1n2
t1t2 t1t2 n1c2 c1t2 t1c2 s7 s4

14 Example: E[c2 U c1] * s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 n1t2 c1n2
t1t2 t1t2 n1c2 c1t2 * t1c2 s7 s4

15 Example: E[c2 U c1] ** s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 ** n1t2
c1n2 * t1t2 ** t1t2 n1c2 c1t2 * t1c2 s7 s4

16 Example: E[c2 U c1] *** s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 *** t1n2 **
c1n2 * t1t2 ** t1t2 n1c2 c1t2 * t1c2 s7 s4

17 Complexity Let f be the number of connectives in 
V be the number of states in M E be the number of transitions The computing time for the labeling algorithm is O(fV(E+V))

18 Labeling Algorithm: EG1
Label all states s with label 1 with EG1 Repeat until no change: delete the label EG1 if none of its successor states are labeled with EG1 EG1 EG1 EG1 EG1 EG1

19 Efficient Labeling Algorithm
It is possible to reduce the complexity to O(f(E+V)) [linear in the size of the model and the size of the formula] Use breadth first search (predecessors) Replace AF by EG and use efficient graph algorithms Restrict graph to states satisfying  Compute strongly connected components (SCC) Use bfs on restricted graph to find any state that can reach an SCC

20 SAT() function SAT() case  is  : return   is atomic : return {s  S |   L(s) }  is 1 : return S – SAT(1)  is 1  2 : return SAT(1)  SAT(2)  is AF1: return SATAF(1)  is E(1 U 2): return SATEU(1,2)  is EX1: return SATEX(1) end case

21 SATEX() function SATEX() X := SAT(); Y := pre(X); return Y; pre(X) = {s  S| there is some s’ with s  s’, s’ X} pre(X) = {s  S| for all s’ with s  s’, s’ X}

22 SATAF() function SATAF() X := S; Y := SAT(); repeat X := Y; Y := Y  pre(X); until X = Y return Y AF𝜑= 𝜑 AX AF 𝜑 AF𝜑 = 𝜑  pre AF𝜑

23 SATEU(,) function SATEU(,) W := SAT(); X := S; Y := SAT(); repeat X := Y; Y := Y  (W  pre(Y)); until X = Y return Y E[ U ]=  (  EX E[ U ]) E[ U ] =   (   pre E[ U ] )

24 SATEG() function SATAF() X := ; Y := SAT(); repeat X := Y; Y := Y  pre(Y); until X = Y return Y EG𝜑= 𝜑 EX EG 𝜑 EG𝜑 = 𝜑  pre EG𝜑

25 Monotone Functions F: P(S)  P(S) F is monotone if X  Y  F(X)  F(Y)
X  S is a fixed point if F(X) = X Example S = {s0,s1,s2} F(X) = X  {s0} is monotone Any set containing s0 is a fixed point. {s0} is the least fixed point and S is the greatest fixed point

26 Correctness of SAT Monotone functions always have a least and greatest fixed point The meaning of EG, AF, and EU can be expressed via monotone functions on P(S) and least and greatest fixed points SATEU and SATAF compute these fixed points and their correctness depends on properties of the fixed points

27 Knaster-Tarski Theorem
Let S = {s0,s1,…,sn} and F: P(S)  P(S) a monotone function, then Fn+1() is the least fixed point and Fn+1(S) is the greatest fixed point. Proof.   F()  F2()  …  Fn+1(). Since S has n+1 points there exists 1  k  n+1 such that Fk+1() = F(Fk()) = Fk(). Now suppose X is a fixed point then   X  F()  F(X) = X. By induction Fi()  F(X) = X, so Fk() = Fn+1() is the least fixed point.

28 Correctness of SATEG()
Theorem Let F(X) = 𝜑  pre(X). Then F(X) is monotone and EG𝜑 is the greatest fixed point of F(X). Proof. Show that F(X) is monotone EGφ is a fixed point. Must show that it is the greatest fixed point EGφ = Fn+1(S)

29 Correctness of SATEG()
F(X) = 𝜑  pre(X). Show that if X  Y then F(X)  F(Y) If s0  s1 with s1  X then s1  Y, so pre(X)  pre(Y) and F(X)  F(Y). Show that if F(X) = X then X  EGφ . s0  X  s0  𝜑 and s0  s1 for s1  X By the same argument we have s1  𝜑 and s1  s2 for s2  X. Continuing this way we have an infinite path s0  s1  s2   with si  𝜑 , so s0  EGφ .

30 Correctness of SATAF()
Theorem Let F(X) = 𝜑  pre(X). Then F(X) is monotone and AF𝜑 is the least fixed point of F(X). Proof. Exercise.

31 LTL Model Checking Given M = (S,,L), s  S, and  and LTL formula determine if M,s⊨ , i.e.  satisfied along all paths starting with s. Construct an automaton A that accepts all traces that satisfy  Combine A and M – A transition system whose paths are both paths of the automaton and the system Discover if there is any path from a state corresponding to s. Such a path, if there is one, “is” a path of M which does not satisfy 

32 Example init(a) := TRUE; init(b) := FALSE; next(a) := case !a : FALSE; b : TRUE; TRUE : {TRUE, FALSE}; esac; next(b) := case a && next(a) : !b; !a : TRUE; LTLSPEC !(a U b) q2 q1 𝑎 𝑏 𝑎 𝑏 a 𝑏 ab q3 q4

33 A(a U b) q1 q2 𝑎 𝑏  𝑎 𝑏 a 𝑏  ab a 𝑏  q4 q’3 q3

34 Redrawn M q1 q2 𝑎 𝑏  𝑎 𝑏 a 𝑏  ab a 𝑏  q4 q’3 q3

35 Combined Automaton q1 q2 𝑎 𝑏 𝑎 𝑏 a 𝑏 ab a 𝑏 q4 q’3 q3

Download ppt "Model Checking CS 680 Formal Methods Jeremy Johnson."

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.

Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.

¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.
Review of the automata-theoretic approach to model-checking.

Review of the automata-theoretic approach to model-checking.
Witness and Counterexample Li Tan Oct. 15, 2002.

Witness and Counterexample Li Tan Oct. 15, 2002.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

Similar presentations

Ads by Google