Presentation is loading. Please wait.

Presentation is loading. Please wait.

Program correctness Model-checking CTL

Published byИнна Ваткеева Modified over 5 years ago

Similar presentations

Presentation on theme: "Program correctness Model-checking CTL"— Presentation transcript:

1 Program correctness Model-checking CTL
Spring 2007 Program correctness Model-checking CTL Marcello Bonsangue

2 Formal Verification Verification techniques comprise
a modelling framework M,  to describe a system a specification language  to describe the properties to be verified a verification method M ,    to establish whether a model satisfies a property Today for CTL Slide 2

3 Model Checking Can we do better?
Question: does a given transition system satisfies a temporal formula? Simple answer: use definition of  ! We cannot implement it as we have to unwind the transition system in a possibly infinite tree Can we do better? and most probably! Slide 3

4 The problem We need efficient algorithms to solve the problems
where M should have finitely many states, and  is a CTL formula. We concentrate to solution of [2], as [1] can be easily derived from it. ? ? Slide 4

5 The solution Input: A CTL model M and CTL formula 
Output: The set of states of M which satisfy  Basic principles: Translate any CTL formula  in terms of the connectives AF, EU,EX, ,, and . Label the states of M with sub-formulas of  that are satisfied there, starting from the smallest sub-formulas and working outwards towards  Output the states labeled by  Slide 5

6 We proceed by case analysis
The labelling An immediate sub-formula of a formula  is any maximal-length formula  other than  itself Let  be a sub-formula of  and assume the states of M have been already labeled by all immediate sub-formulas of . Which states have to be labeled by ? We proceed by case analysis Slide 6

7 The basic labeling  no states are labeled
p label a state s with p if p  l(s) 1  2 label a state s with 1  2 if s is already labeled with 1 and 2  label a state s with  if s is not already labeled with  Slide 7

8 The EX labeling EX Label with EX any state s with one of its successors already labeled with  EX Slide 8

9 The EU labeling E[1U 2]  2  (1  EXE[1U 2 ])
Label with E[1U 2] any state s already labeled with 2 Repeat until no change: label any state s with E[1U 2] if s is labeled with 1 and at least one of its successor is already labeled with E[1U 2] E[1U 2] E[1U 2] repeat 1 E[1U 2] 1 … until no change Slide 9

10 The AF labeling AF    AXAF
Label with AF any state s already labeled with  Repeat until no change: label any state s with AF if all successors of s are already labeled with AF AF repeat AF AF AF AF AF … until no change AF Slide 10

11 The EG labeling (direct)
EG    EXEG  AF Label all the states with EG Delete the label EG from any state s not labeled with  Repeat until no change: delete the label EG from any state s if none of its successors is labeled with EG repeat EG … until no change Slide 11

12 Complexity The complexity of the model checking algorithm is
O(f*V*(V+E)) where f = number of connectives in  V = number of states of M E = number of transitions of M It can be easily improved to an algorithm linear both in the size of the formula and of the model Slide 12

13 Can we reduce state explosion?
The algorithm is linear in the size of the model but the size of the model is exponential in the number of variables, components, etc. Can we reduce state explosion? Abstraction (what is relevant?) Induction (for ‘similar’ components) Composition (divide and conquer) Reduction (prove semantic equivalence) Ordered binary decision diagrams Slide 13

14 Example: Input p q p q  = AF(E[q U p] v EXq) Slide 14

15 Example: EU - step 1 1. Label with E[qUp] all states which satisfy p
Slide 15

16 Example: EU-step 2.1 E[qUp] p E[qUp] q E[qUp] p E[qUp] q 2.1 label with E[qUp] any state that is already labeled with q and with one of its successor already labeled by E[qUp] Slide 16

17 Example: EU-step 2.2 E[qUp] E[qUp] P E[qUp] q E[qUp] P E[qUp] q No! 2.2 label with E[qUp] any state that is already labeled with q and with one of its successor already labeled by E[qUp] Slide 17

18 Example: EX-step 3 E[qUp] q
EXq q EXq p E[qUp] EXq E[qUp] p E[qUp] q 3. Label with EXq any state with one of it successors already labeled by q Slide 18

19 Example: -step 4 E[qUp] EXq E[qUp] EXq E[qUp] p, E[qUp] ,q EXq ,p E[qUp] q 4. Label with  = E[qUp] v EXq any state s already labeled by E[qUp] or EXq Slide 19

20 Example: AF-step 5.1 , E[qUp] , EXq , E[qUp] , EXq , E[qUp] p,, E[qUp] ,,q EXq ,,p E[qUp] q 5.1 Label with  = AF(E[qUp]vEXq) any state already labeled by  = E[qUp]vEXq Slide 20

21 Example: AF-step 5.2 , E[qUp] , EXq , E[qUp] , EXq , E[qUp] p,, E[qUp] ,,q EXq ,,p E[qUp] ,q 5.2 Label with  any state with all successor already labeled by . Slide 21

22 Example: Output All states satisfy AF(E[q U p] v EXq) p q p q
Slide 22

Download ppt "Program correctness Model-checking CTL"

Similar presentations

Completeness and Expressiveness

Completeness and Expressiveness
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.

Translation-Based Compositional Reasoning for Software Systems Fei Xie and James C. Browne Robert P. Kurshan Cadence Design Systems.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
NP-complete and NP-hard problems Transitivity of polynomial-time many-one reductions Concept of Completeness and hardness for a complexity class Definition.

NP-complete and NP-hard problems Transitivity of polynomial-time many-one reductions Concept of Completeness and hardness for a complexity class Definition.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Algorithms Recurrences. Definition – a recurrence is an equation or inequality that describes a function in terms of its value on smaller inputs Example.

Algorithms Recurrences. Definition – a recurrence is an equation or inequality that describes a function in terms of its value on smaller inputs Example.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Similar presentations

Ads by Google