Presentation is loading. Please wait.

Presentation is loading. Please wait.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Published byKenya Lavelle Modified over 9 years ago

Similar presentations

Presentation on theme: "Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson."— Presentation transcript:

1 Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson

2 Formal Verification  Framework for modelling systems  A specification language for describing properties to be verified  A verification method to establish whether the description of the system satisfies its specification

3 Approaches to Verification  Proof based vs model based  Degree of automation  Full vs. property verification  Intended domain of application  Pre vs post development

4 Model Checking  Describe a model for the system  Describe properties using temporal logic  Run the model checker to see if the property is satisfied in the model  Contrast to Alloy

5 Linear-Time Temporal Logic

6 Transition System p,q q,rr S0S0 S1S1 S2S2

7 Tree of Computation Paths p,q S0S0 r S2S2 r S2S2 q,r S1S1 r S2S2 r S2S2 p,q S0S0 r S2S2 q,r S1S1 … … … … …

8 Semantics of LTL

9

10

11

12

13 Examples p,q S0S0 r S2S2 r S2S2 q,r S1S1 r S2S2 r S2S2 p,q S0S0 r S2S2 q,r S1S1 … … … … …

14 Examples

15

16 Practical Examples  It is impossible to get to a state where started holds, but ready does not hold  G  (started  ready)  Negation says it is possible but only interpreted on paths. Does not say for all states there exists a path to get to such a state

17 Practical Examples  For any state, if a request occurs then it will eventually be acknowledged  G(requested  F acknowledged)  A certain process is enabled infinitely often  GF enabled

18 Practical Examples  Whatever happens a certain process will eventually be permantently deadlocked  F G deadlocked  If a process is enabled infinitely often it runs infinitely often  GF enabled  GF running

19 Practical Examples  An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the 5 th floor  G(floor2  up  Button5Pressed  (up U floor5)

20 What can’t you say  From any state it is possible to get to a restart state  An elevator can remain idle on the third floor  LT can not assert the existence of paths.  CTL can

21 Equivalent Formulas  Negation   G   F    F   G    X   X    (  U  )  (   R   )   (  R  )  (   U   )

22 Equivalent Formulas  Distributivity  F(    )  F   F   G(    )  G   G   What about the other way?

23 Equivalent Formulas

24 Mutual Exlcusion  Critical section (c, t, n)  Two processes that can be interleaved  Safety (only one process is in its critical section at a time)  G  (c 1  c 2 )  Liveness (whenever a process requests to enter its critical section it will eventually be permitted to do so)  G(t 1  F c 1 )

25 Mutual Exclusion  Critical section (c, t, n)  Non-blocking (a process can always request to enter its critical section)  Every state satisfying n there is a path satisfying t  No strict sequencing (processes need not enter their critical section in strict sequence)  There is a path with two distinct states satisfying c1 [not expressible in LTL]  Complement (all paths having c1 can not have further c1 until c2 occurs  G(c1  c1W(  c1   c1 W c2))

26 First Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s4s4 s5s5 s6s6 s7s7

27 Second Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s5s5 s6s6 s7s7 s4s4 t1t2t1t2 s9s9

28 Branching-Time Logic  In LTL a state of a system satisfies  iff for all paths from that state  is satisfied  Implicit universal quantifier  Properties which assert the existence of a path can not be expressed (partially solved by considering negation     Branching-time logic solve this problem by allowing quantifiers over paths

29 Computation Tree Logic (CTL)  Branching time logic where model of time is tree-like: there are different paths in the future, any of which might be the actual path

30 Computation Tree Logic (CTL)

31 Examples  There is a reachable state satisfying q  EF q  From all reachable states satisfying p, it is possible to maintain p continuously until reaching a state satisfying q  AG(p  E(p U q))

32 Examples  Whenever a state satisfying p is reached, the system can exhibit q continuously forevermore  AG (p  EG q)  There is a reachable state from which all reachable states satisfy p  EF AG p

33 Mutual Exclusion Revisited  Critical section (c, t, n)  Non-blocking (a process can always request to enter its critical section)  Every state satisfying n there is a path satisfying t  AG( n 1  EX t 1 )  No strict sequencing (processes need not enter their critical section in strict sequence)  There is a path with two distinct states satisfying c1 [not expressible in LTL]  EF(c1  E[c1 U (  c1  E[  c2 U c1])])

34 Second Attempt n1n2n1n2 t1n2t1n2 n1t2n1t2 t1t2t1t2 c1n2c1n2 c1t2c1t2 n1c2n1c2 t1c2t1c2 s0s0 s1s1 s2s2 s3s3 s5s5 s6s6 s7s7 s4s4 t1t2t1t2 s9s9

35 Semantics of CTL

36

37

Download ppt "Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Similar presentations

Ads by Google