1
CSE 522 Model-based Development (2)
Computer Science & Engineering Department, Arizona State University, Tempe, AZ 85287
Dr. Yann-Hang Lee (480)
Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU)
2
Temporal Logic
Temporal logic is any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time: an extension of classical propositional or predicate logic by temporal quantifiers.
"I am always hungry", "I will eventually be hungry", "I will be hungry until I eat something"
A single type of model is considered: a transition system (finite state machine).
Used to express and verify properties of system dynamics:
Safety (invariance): nothing bad will happen
Liveness: something good will happen
3
Invariants
The simplest form of a temporal logic property.
Definition: a property that is true on the system at all times (always).
Examples:
"The program never dereferences a null pointer."
"If a thread A blocks while trying to acquire a mutex lock, then the thread B that holds that lock must not be blocked attempting to acquire a lock held by A."
"Whenever the reset signal is asserted the state machine shall move immediately to the ErrorReset state and remain there until the reset signal is de-asserted."
4
Pedestrian Light with Car Light
System invariant: There is no pedestrian crossing when the traffic light (for the cars) is green
5
Pedestrian Light with Car Light
Combine the states of the car light and the pedestrian light. Is there a way to enter the unsafe states? This is a reachability question about the unsafe states.
6
FSM Behavior
Each port p, for each reaction, takes a value from Vp ∪ {absent}, generating a sequence (or function) sp : ℕ → Vp ∪ {absent}.
Behavior: an assignment of signals to each input port such that an output sequence can be produced.
Observable trace: ((xi, yi))i∈ℕ
Execution trace: ((xi, si, yi))i∈ℕ
The set of all behaviors of an FSM M is called the language of M and is denoted by L(M).
7
Garage Counter: Behavior
sup = (present, absent, present, absent, present, …)
sdown = (present, absent, absent, present, absent, …)
scount = (absent, absent, 1, 0, 1, …)
Execution trace: τ = ((pres, pres), 0, abs) ((abs, abs), 0, abs) ((pres, abs), 1, 1) ...
8
Propositional logic
Concerned with relationships between propositions.
A proposition is a sentence whose truth depends on the current context. In Boolean logic, a proposition can be either true or false (not both).
Atomic propositions: statements about an input, output, or state of a state machine. Examples:
formula / meaning
x: true if x is present
x = 1: true if x is present and has value 1
y = absent: true if y is absent
s: true if the machine is in state s
9
Propositions & Connectives
A compound proposition is formed using propositions and connectives:
¬ : not, or negation
∧ : and, or conjunction
∨ : or, or disjunction (one or the other or both)
→ : implies, or implication
↔ : if and only if, or biconditional
Example: "y is present and the FSM is in state a."
Propositions: p1 := "y is present" := y; p2 := "the FSM is in state a" := a
Symbolic representation: p1 ∧ p2 (read as "p1 and p2")
10
Propositions & Connectives
Example: "If the FSM is in state a, then y is present."
Propositions: p1 := "y is present" := y; p2 := "the FSM is in state a" := a
Symbolic representation: p2 → p1 (read as "if p2, then p1" or "p2 implies p1")
11
Equivalences through truth tables
Two compound propositions are logically equivalent if they have the same truth values for all choices of truth values of the variables p, q, etc. We denote logical equivalence using the symbol ≡.
(Truth table over p1 and p2 comparing two compound propositions column by column; the connectives in the column headers were lost in extraction.)
12
Propositional Logic on Traces
A propositional formula p holds for a trace q0, q1, q2, ... if and only if p is true for q0.
A trace q satisfies (does not satisfy) a formula φ starting at time i: (q, i) ⊨ φ ((q, i) ⊭ φ).
An FSM M satisfies (does not satisfy) φ, written M ⊨ φ (M ⊭ φ), iff for all q in LE(M) we have (q, 0) ⊨ φ, where LE(M) contains all the execution traces of M.
(Note on the slide: revise slide to include traces as functions.)
13
Examples (state machines M1 and M2 are shown on the slide; connectives were lost in extraction): Mi ⊨ b? Mi ⊨ x y? Mi ⊨ y?
14
Kripke Model
A Kripke model ⟨S, I, R, AP, L⟩ consists of:
a set of states S;
a set of initial states I ⊆ S;
a set of transitions R ⊆ S × S;
a set of atomic propositions AP;
a labeling function L : S → 2^AP.
A path in a Kripke model M from a state s0 is an infinite sequence of states s0, s1, s2, ... such that (si, si+1) ∈ R for all i ≥ 0.
15
FSM to Kripke
K = ⟨S × I, S0 × I, R, L⟩, where for any s ∈ S and i ∈ I:
(⟨s, i⟩, ⟨s', i'⟩) ∈ R iff δ(s, i) = s'
L(⟨s, i⟩) = i ∪ s ∪ λ(s, i)
16
Linear Temporal Logic (LTL)
LTL formulas: statements about an execution trace q0, q1, q2, q3, ...; p is a propositional logic formula and φ is either a propositional logic formula or an LTL formula.
Suffix: a suffix of a string x is a string z such that there exists a string y with x = yz.
formula / mnemonic / meaning
p: proposition; p holds in q0
G φ (□): globally; φ holds for every suffix of the trace
F φ (◇): finally, future, eventually; φ holds for some suffix of the trace
X φ (○): next state; φ holds for q1, q2, q3, ...
φ1 U φ2 (⋃): until; φ1 holds for all suffixes of the trace until a suffix for which φ2 holds
17
Linear Temporal Logics: Semantic Intuition
a: a now
G a: always a
F a: eventually a
X a: next state a
a U b: a until b
a B b: a before b
18
Propositional Linear Temporal Logic
LTL operators can apply to LTL formulas as well as to propositional logic formulas. E.g. "Every input x is eventually followed by an output y": G (x → F y)
Globally (at any point in time), if x occurs, it is eventually followed by y.
(Timeline on the slide: the reaction where x holds and a later one where y holds.)
19
Examples (state machines M1 and M2 are shown on the slide; some connectives were lost in extraction):
M2 ⊨ G(x ∧ y)?
M2 ⊨ G(x y)?
M1 ⊨ F b?
M2 ⊨ (G x) (F b)?
M1 ⊨ x X a?
M1 ⊨ G(x X a)?
M2 ⊨ G(b X a)?
M2 ⊨ a U x?
M2 ⊨ G(x) (a U x)?
20
Examples: What do they mean?
G F p: p holds infinitely often
F G p: eventually, p holds henceforth
G(p → F q): every p is eventually followed by a q
G(p → X X q): every p is followed by a q two reactions later
G φ = ¬F ¬φ (G = ¬F¬)
F φ = true U φ
Remember: G p means p holds in all states; F p means p holds eventually; X p means p holds in the next state.
21
Model Checking in LTL
Safety: only one process is in its critical section at a time. "No two processes can be in the critical section at the same time."
always not (CS1 and CS2): mutual exclusion
Liveness: whenever any process requests to enter its critical section it will eventually be permitted to do so. "Every request is eventually granted."
always (Request implies eventually Grant)
"Every continuous request is eventually granted."
always (Request implies (Request until Grant))
"Every repeated request is eventually granted."
always (always eventually Request) implies eventually Grant
22
Examples: Write in Temporal Logic
"Whenever the iRobot is at the ramp-edge (cliff), eventually it moves 5 cm away from the cliff."
p1: iRobot is at the cliff; p2: iRobot is 5 cm away from the cliff
"Whenever the distance between cars is less than 2 m, cruise control is deactivated."
p1: distance between cars is less than 2 m; p2: cruise control is active
1. G (p1 => F p2)
2. G (p1 => X ¬p2)
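Added example (not from the lecture slides): a small Python checker for the LTL operators introduced above, evaluated over a lasso-shaped trace and applied to the mutual exclusion properties of the previous slide. The trace contents (a fair run and a run in which process 1 starves) are constructed; formulas are nested tuples.

```python
# Added example (not the lecture's code): checking LTL formulas over a lasso-shaped
# trace. An infinite execution q0 q1 q2 ... is stored as a finite list plus the
# index `loop` at which the tail repeats forever (q_n = q_loop, q_n+1 = q_loop+1, ...).
# Formulas are nested tuples: ("prop", p), ("not", f), ("and", f, g),
# ("implies", f, g), ("X", f), ("F", f), ("G", f), ("U", f, g).

def make_checker(trace, loop):
    n = len(trace)                                   # trace[i]: propositions true in q_i
    path = lambda i: list(range(i, n)) + list(range(loop, n))  # one lap around the lasso
    nxt = lambda i: i + 1 if i + 1 < n else loop

    def sat(phi, i=0):                               # (trace, i) |= phi
        op, args = phi[0], phi[1:]
        if op == "prop":                             # p holds in q_i
            return args[0] in trace[i]
        if op == "not":
            return not sat(args[0], i)
        if op == "and":
            return sat(args[0], i) and sat(args[1], i)
        if op == "implies":
            return not sat(args[0], i) or sat(args[1], i)
        if op == "X":                                # next: phi holds in q_{i+1}
            return sat(args[0], nxt(i))
        if op == "F":                                # finally: some suffix satisfies phi
            return any(sat(args[0], j) for j in path(i))
        if op == "G":                                # globally: every suffix satisfies phi
            return all(sat(args[0], j) for j in path(i))
        if op == "U":                                # until: f holds until g holds
            for j in path(i):
                if sat(args[1], j):
                    return True
                if not sat(args[0], j):
                    return False
            return False                             # g never occurs: strong until fails
        raise ValueError(f"unknown operator {op}")
    return sat

# Constructed run of the two-process mutual exclusion model from the slides:
# process 1 requests, enters and leaves, then process 2 does, then it all repeats.
MUTEX_RUN = [frozenset(s) for s in ({"N1", "N2"}, {"T1", "N2"}, {"C1", "N2"},
                                     {"N1", "N2"}, {"N1", "T2"}, {"N1", "C2"})]
# Constructed run where process 2 hogs its critical section: process 1 requests forever.
STARVED_RUN = [frozenset(s) for s in ({"T1", "N2"}, {"T1", "T2"}, {"T1", "C2"})]
mutex, starved = make_checker(MUTEX_RUN, 0), make_checker(STARVED_RUN, 0)

MUTEX_SAFE = ("G", ("not", ("and", ("prop", "C1"), ("prop", "C2"))))   # always not (CS1 and CS2)
MUTEX_LIVE = ("G", ("implies", ("prop", "T1"), ("F", ("prop", "C1"))))  # always (Request implies eventually Grant)
```

Both runs satisfy the safety property; only the fair run satisfies the liveness property, which is exactly the kind of violation a single trace cannot show for safety but can for liveness.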
23
Why the linear in LTL?
Properties are expressed over a single computation path or run: satisfiability is checked on the run with no possibility of switching to another run during the checking.
(Figure: machine M with states s0, s1, s2 and transitions labelled a/c, a/b, true/b.) Does M ⊨ G b?
24
Example: Mutual Exclusion (1)
Each process can be in its non-critical state (N), or trying to enter its critical state (T), or in its critical state (C). The variable turn records the first process that went into its trying state.
Reachable states: N1,N2 (turn=0); T1,N2 (turn=1); T1,T2; C1,N2; C1,T2; N1,T2 (turn=2); N1,C2; T1,C2
25
Example: Mutual Exclusion (2)
Safety: M ⊨ G ¬(C1 ∧ C2)? Is there a reachable state in which (C1 ∧ C2) holds?
Liveness: M ⊨ F C1? Is there an infinite cyclic solution in which C1 never holds?
M ⊨ G(T1 → F C1)? or M ⊨ GF T1 → GF C1? Does every path starting from each state where T1 holds pass through a state where C1 holds?
26
Automata-based Model Checking
The behaviors (computations) of a system can be seen as sequences of assignments to propositions over all traces.
Represent the set of computations by a finite automaton: an automaton for the set of all acceptable computations.
Check whether the language of the system automaton is contained in the language accepted by the property automaton.
(Figure: system and property automata over the assignments 00, 01, 11.)
27
Automata-Based LTL Model Checking (2)
Let M be a Kripke model and φ be an LTL formula.
M ⊨ φ (LTL) ⟺ ℒ(M) ⊆ ℒ(φ) ⟺ ℒ(M) ∩ ℒ(¬φ) = {} ⟺ ℒ(AM) ∩ ℒ(A¬φ) = {} ⟺ ℒ(AM × A¬φ) = {}
AM is a Büchi automaton equivalent to M (which represents all and only the executions of M).
A¬φ is a Büchi automaton which represents all and only the paths that satisfy ¬φ (do not satisfy φ).
AM × A¬φ represents all and only the paths appearing in M and not in φ.
28
Automata-Based LTL Model Checking (1)
(Christel Baier and Joost-Pieter Katoen, "Principles of Model Checking”)
29
Büchi Automata
An automaton which accepts infinite traces.
A Büchi automaton is a 4-tuple ⟨S, I, →, F⟩:
S is a finite set of states
I ⊆ S is a set of initial states
→ ⊆ S × S is a transition relation
F ⊆ S is a set of accepting states
An infinite sequence of states is accepted iff it contains accepting states infinitely often.
(Figure: automaton with states S0, S1, S2.)
Sequence 1 = S0 S1 S2 S2 S2 S2 … ACCEPTED
Sequence 2 = S0 S1 S2 S1 S2 S1 … ACCEPTED
Sequence 3 = S0 S1 S2 S1 S1 S1 … REJECTED
30
Büchi Automata
The labels of a Büchi automaton are different from the labels of a Kripke structure. Also graphically, they are interpreted differently: in a Kripke structure, p is true and all other propositions are false; in a Büchi automaton, p is true and all other propositions are irrelevant ("don't care"), i.e. can be either true or false.
(Figure: a Kripke structure and a Büchi automaton over states S0, S1, S2 with labels a, b, c, initial state Sinit and F = {S0, S1, S2}.)
31
LTL and Büchi Automata
LTL formula: represents a set of infinite traces which satisfy the formula.
Büchi automaton: accepts a set of infinite traces.
We can build an automaton which accepts all and only the infinite traces represented by an LTL formula.
(Figure: Büchi automata for G p, F p, p U q and GF p, with edges labelled p, q and T for true.)
32
Product of Transition Systems: Example
(Figure: transition systems with states s0, s1 and t0, t1, t2 over actions a, b, and their product with states s0t0, s1t0, s0t1, s1t1, s0t2, s1t2.)
33
Explicit-State Model Checking
Model checking exhaustively enumerates the states of the system. The state space can be viewed as a graph: explicitly enumerate each state and traverse each edge of the graph.
Example: explicit-state techniques in SPIN. Nested DFS to detect reachable accepting cycles: the first search looks for reachable accepting states; the second (nested) one tries to detect accepting cycles.
Consider the simplest property G p, where p is a system invariant to be satisfied by all states: DFS graph traversal maintaining two data structures, the set of visited states and a stack with the current path from the initial state.
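Added example (not from the lecture, and not SPIN's code): the two searches described above in Python, run on constructed successor lists rather than a real product automaton. nested_dfs follows the classic post-order scheme in which the inner search starts from an accepting state once the outer search has finished it; the automata AUT_A and AUT_B are constructed for the test.

```python
# Added example (not from the lecture): the two searches behind explicit-state checking.
# nested_dfs is the SPIN-style search for a reachable accepting cycle (run on the product
# A_M x A_not_phi, a hit is a counterexample); invariant_violation is the plain DFS for G p.

def nested_dfs(initial, succ, accepting):
    """Return (prefix, cycle) witnessing a reachable accepting cycle, or None."""
    outer_seen, inner_seen = set(), set()
    def inner(seed, s, cycle):
        # second search: can the accepting state `seed` reach itself again?
        for t in succ(s):
            if t == seed:
                return cycle + [t]
            if t not in inner_seen:
                inner_seen.add(t)
                found = inner(seed, t, cycle + [t])
                if found:
                    return found
        return None
    def outer(s, prefix):
        # first search: visit reachable states; nested search starts in post-order
        outer_seen.add(s)
        for t in succ(s):
            if t not in outer_seen:
                found = outer(t, prefix + [t])
                if found:
                    return found
        if s in accepting:
            cycle = inner(s, s, [])
            if cycle:
                return prefix, cycle
        return None
    return outer(initial, [initial])

def invariant_violation(initial, succ, holds):
    """DFS for the invariant G p: the path to the first state where p fails, or None."""
    seen, stack = {initial}, [(initial, [initial])]
    while stack:
        s, path = stack.pop()
        if not holds(s):
            return path                       # the current path is the counterexample
        for t in succ(s):
            if t not in seen:
                seen.add(t)
                stack.append((t, path + [t]))
    return None

# Constructed successor lists: in AUT_A the accepting S2 lies on a self-loop, so an
# accepting run exists; in AUT_B, S2 is reachable but no run revisits it forever.
AUT_A = {"S0": ["S1"], "S1": ["S1", "S2"], "S2": ["S2", "S1"]}
AUT_B = {"S0": ["S1"], "S1": ["S2"], "S2": ["S3"], "S3": ["S3"]}
```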
34
Computational Temporal Logic
In LTL, time is treated as if each moment in time has a unique possible future. LTL formulas are interpreted over linear sequences, which describe the behavior of a single computation of a program.
In branching temporal logics, each moment in time may split into various possible futures: infinite computation trees, each describing the behavior of the possible computations of a nondeterministic program. When reaching an individual state, the choice of transitions remains undecided.
Two path quantifiers: E ("there exists a computation") and A ("for all computations").
Decide whether φ holds in the computation tree of M.
35
Path Quantifiers in CTL
In All Paths (A): the temporal formula is true in all the paths starting in the current state.
There Exists a Path (E): the temporal formula is true in some path starting in the current state.
(Figure: computation trees illustrating finally p, globally p, next p, and p until q under each quantifier.)
36
LTL vs. CTL
AP = {a, b, c, d, e} is the set of atomic propositions.
Sexm: Q = {q1, q2, q3, q4} and I = {q1, q2}; L(q1) = {a}, L(q2) = ∅, L(q3) = {b, e}, and L(q4) = {c}.
(Ph. Schnoebelen: The Complexity of Temporal Logic Model Checking. Advances in Modal Logic 2002)
37
BDD and Symbolic Model Checking
Binary Decision Diagram (BDD): a DAG to represent a Boolean formula.
An example: f = ab + a'c + bc'd
Two different orderings, same function.
ROBDD: reduced and ordered.
Can we process them?
(Figure: two BDDs for f under different variable orderings, with intermediate nodes labelled c+bd, c+d and d+b.)
38
Operations of BDD
Negation: switch 0 and 1.
If f then g else h operator: ite(f, g, h)
f AND g = ite(f, g, 0)
f OR g = ite(f, 1, g)
Compute ite recursively: v is the top-most variable among the three BDDs f, g, h.
Existential quantification (EXISTS and ANDEXIST):
∃v. f(A) = f_v(A) ∨ f_¬v(A) = ( f|v=1 (A) ∨ f|v=0 (A) )
∃v. f(A) ∧ g(B) = (f(A) ∧ g(B))|v=1 ∨ (f(A) ∧ g(B))|v=0
39
Example of ite I = ite (F, G, H)
(Figure: BDDs F, G, H with sub-BDDs B (rooted at b), C (rooted at c), D (rooted at d), and the result I with sub-BDD J.)
I = ite(F, G, H)
= (a, ite(F|a, G|a, H|a), ite(F|¬a, G|¬a, H|¬a))
= (a, ite(1, C, H), ite(B, 0, H))
= (a, C, (b, ite(B|b, 0|b, H|b), ite(B|¬b, 0|¬b, H|¬b)))
= (a, C, (b, ite(1, 0, 1), ite(0, 0, D)))
= (a, C, (b, 0, D))
= (a, C, J)
Check: F = a + b, G = ac, H = b + d
ite(F, G, H) = (a + b)(ac) + ¬a¬b(b + d) = ac + ¬a¬bd
F, G, H, I, J, B, C, D are pointers.
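Added example (not the lecture's code): the recursive ite() of the two slides above, written in Python over BDDs stored as nested (variable, high, low) tuples, and run on the slide's own F, G, H. The tuple encoding and the "merge equal children" reduction are my simplifications of a real BDD package.

```python
# Added example (not the lecture's code): the ite() operator on BDDs stored as nested
# tuples (var, high, low) with terminals 0 and 1 and the fixed ordering a < b < c < d.
# Reduction is limited to merging equal children; tuples compare structurally, so equal
# sub-BDDs already count as the same node without a unique table.

ORDER = {v: i for i, v in enumerate("abcd")}
def top(f):
    """Ordering rank of a node's variable; terminals rank below every variable."""
    return len(ORDER) if f in (0, 1) else ORDER[f[0]]

def mk(v, high, low):
    return high if high == low else (v, high, low)   # drop a redundant test on v

def cofactor(f, v, value):
    """f|v=value: f with v fixed to 1 or 0."""
    if top(f) > ORDER[v]:
        return f                                      # v does not occur in f
    if f[0] == v:
        return f[1] if value else f[2]
    return mk(f[0], cofactor(f[1], v, value), cofactor(f[2], v, value))

def ite(f, g, h):
    """if f then g else h, recursing on the top-most variable of f, g, h."""
    if f == 1:
        return g
    if f == 0:
        return h
    if g == h:
        return g
    if (g, h) == (1, 0):
        return f
    v = min((f, g, h), key=top)[0]
    return mk(v, ite(cofactor(f, v, 1), cofactor(g, v, 1), cofactor(h, v, 1)),
                 ite(cofactor(f, v, 0), cofactor(g, v, 0), cofactor(h, v, 0)))

def bdd_not(f): return ite(f, 0, 1)    # negation: switch 0 and 1
def bdd_and(f, g): return ite(f, g, 0)
def bdd_or(f, g): return ite(f, 1, g)

def evaluate(f, env):
    """Value of f under the assignment env = {var: 0/1}, by following one path."""
    while f not in (0, 1):
        f = f[1] if env[f[0]] else f[2]
    return f

# The slide's example: F = a + b, G = a*c, H = b + d, with sub-BDDs B, C, D and J
B, C, D = ("b", 1, 0), ("c", 1, 0), ("d", 1, 0)
J = ("b", 0, D)
F, G, H = ("a", 1, B), ("a", C, 0), ("b", 1, D)
```

ite(F, G, H) reproduces the slide's result (a, C, J), and evaluating it over all 16 assignments agrees with ac + ¬a¬bd.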
40
Symbolic Model Checking
State representation: a state is encoded as a Boolean formula φ(s), where s ∈ S; sets of states are encoded as their characteristic function. E.g. with three state variables x1, x2, x3, the set {000, 001, 010, 011} is represented as "first bit false": ¬x1.
Representation of transition relations: a transition is a pair of states (s, s') where s' is the next state: φ(s, s') = φ(s) ∧ φ(s')
φ(01, 10) = φ(¬v1 v0, v'1 ¬v'0) = (¬v1 ∧ v0) ∧ (v'1 ∧ ¬v'0)
For the 2-bit counter 00 → 01 → 10 → 11 → 00: φ(R) = (v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1)
41
Pre-Image and Forward Image
PreImage(P, R) := {s | for some s' ∈ P, (s, s') ∈ R}
Image(P, R) := {s' | for some s ∈ P, (s, s') ∈ R}
Compute EX[P] for the 2-bit counter, where φ(P) = (v0 ↔ v1) (i.e. P = {00, 11}):
PreImage(P, R) = ∃s'. φ(P)[s'] ∧ φ(R)[s, s']
= ∃v'0 v'1. (v'0 ↔ v'1) ∧ ((v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1))
(substitute v'0 v'1 with 00, 01, 10, 11)
= (v0 ∧ ¬(v0 ⊕ v1)) ∨ (¬v0 ∧ (v0 ⊕ v1))
= v1 (i.e. P = {01, 11})
42
Reachability using BDD
Reachability(v, Gin(s), R(s,s'), F(s))   [s: states; Gin, R(s,s') and F are BDDs]
G := ∅; G' := Gin;
do {
  G := G';
  G' := G ∨ (∃s. (G(s) ∧ R(s,s')))[s/s'];   -- F[x/y] means that we substitute x for y in F
} while (G ≠ G' and G ∧ F = ∅);   -- stop at a fixpoint, or as soon as G meets F
If (G ∧ F = ∅) report "Unreachable", else report "Reachable";
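Added example (not the lecture's code): the reachability loop above in Python, with frozensets of explicit states standing in for the BDDs G, R and F, applied to a two-process mutual exclusion model in the spirit of the earlier slides. The turn-passing rules and the deliberately broken entry guard are my constructions, not the slide's model.

```python
# Added example (not the lecture's code): the reachability loop of the slide, with
# frozensets of explicit states standing in for the BDDs G, R and F. The image step
# G ∨ (∃s. G(s) ∧ R(s,s'))[s/s'] becomes "G plus the successors of G", and the loop
# ends at a fixpoint (Unreachable) or as soon as G meets the target set F (Reachable).

def reachability(g_in, image, f):
    """g_in: initial states; image(G): successors of the set G; f: states to reach."""
    g_next = frozenset(g_in)                      # G' := Gin
    while True:
        g = g_next                                # G := G'
        g_next = g | image(g)                     # G' := G ∨ Image(G, R)
        if g == g_next or g & f:                  # fixpoint, or G ∧ F ≠ ∅
            break
    return ("Reachable" if g & f else "Unreachable"), g

N, T, C = "N", "T", "C"                           # non-critical, trying, critical

def mutex_image(states, check_other_not_critical=True):
    """Successors of (p1, p2, turn) states in a two-process model like the slides'.
    check_other_not_critical=False constructs a deliberately broken entry guard."""
    out = set()
    for s in states:
        for me in (0, 1):
            other = 1 - me
            p, turn = list(s[:2]), s[2]
            if p[me] == N:                        # request: record who asked first
                p[me] = T
                out.add((p[0], p[1], turn if p[other] == T else me + 1))
            elif p[me] == T:                      # enter if the guard allows it
                blocked = (check_other_not_critical and p[other] == C) or (
                    p[other] == T and turn != me + 1)
                if not blocked:
                    p[me] = C
                    out.add((p[0], p[1], turn))
            else:                                 # leave; hand the turn to a waiter
                p[me] = N
                out.add((p[0], p[1], other + 1 if p[other] == T else 0))
    return frozenset(out)

INIT = {(N, N, 0)}
BAD = frozenset((C, C, t) for t in (0, 1, 2))     # F: both in the critical section
```

With the correct guard the fixpoint contains 11 states covering the 8 location pairs of the slide and never meets F; with the broken guard the loop stops early and reports the unsafe state as reachable.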
43
Timed Automata
A timed automaton is a tuple A = (Q, Σ, C, E, q0) that consists of the following components:
Q is a finite set. The elements of Q are called the states of A.
Σ is a finite set called the alphabet or actions of A.
C is a finite set called the clocks of A.
E ⊆ Q × Σ × B(C) × P(C) × Q is a set of edges, called transitions of A, where B(C) is the set of boolean clock constraints involving clocks from C, and P(C) is the powerset of C.
q0 is an element of Q, called the initial state.
An edge (q, a, g, r, q') from E is a transition from state q to q' with action a, guard g and clock resets r.