Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.

Published byStuart Waters Modified over 9 years ago

Similar presentations

Presentation on theme: "Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9."— Presentation transcript:

1 Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9

2 Lecture 82 A(FG p) not AF( AG p)

3 Lecture 83 Today… Summary Optimizations for model checking –ROBDDs TCTL- –Syntax –Semantics –Algorithm for MC –Optimizations

4 Lecture 84 Summary: Model checking CTL

5 Lecture 85 Optimization The principal one: –Reduce to a problem with Boolean variables/Boolean formulæ Is this reasonable? –Well – most modelling is done like this – even when you do have (non-boolean) variables –+ efficiencies from efficient operations on boolean functions

6 Lecture 86 States as boolean formulæ Encode states using m boolean variables. –Allows for 2 m states. For example: m=3: –S={s 1,s 2,s 3,s 4,s 5,s 6,s 7,s 8 } Propositional booleans a,b,c: –S={000,001,010,011,100,101,110,111} –S = {  a  b  c,  a  b  c,  a  b  c, … }

7 Lecture 87 Transitions as boolean formulæ Encode (s,s’) using before and after propositional boolean variables – a,b,c and a’,b’,c’. For example: (s 1,s 4 ): –(s 1,s 4 ) = (  a  b  c)  (  a’  b’  c’)

8 Lecture 88 Sufficient for modelling? Encode another mutual exclusion protocol Two processes, P 1 and P 2 share booleans –Co-operate for mutual exclusion Third process T 1 monitors and sets a turn variable System is parallel composition: P 1 || P 2 || T 1

9 Lecture 89 Co-operative mutex: Process P 1 if (idle 1 ) { wait 1 = true; idle 1 = false; } else if (wait 1 & idle 2 ) { active 1 = true; wait 1 = false; } else if (wait 1 & wait 2 & (!turn)) { active 1 = true; wait 1 = false; } if (active 1 ) { CritSect(); idle 1 = true; active 1 = false; }; ( followed by P 1 ) P 1 =

10 Lecture 810 Co-operative mutex: Process P 2 if (idle 2 ) { wait 2 = true; idle 2 = false; } else if (wait 2 & idle 1 ) { active 2 = true; wait 2 = false; } else if (wait 2 & wait 1 & turn) { active 2 = true; wait 2 = false; } if (active 2 ) { CritSect(); idle 2 = true; active 2 = false; }; ( followed by P 2 ) P 2 =

11 Lecture 811 Co-operative mutex: Process T 1 if (idle 1 & wait 2 ) { turn = true; } else if (idle 2 & wait 1 ) { Turn = false; }; ( followed by T 1 ) (P 1 || P 2 || T 1 ); System; T 1 = System =

12 Lecture 812 State transition diagram – whole system

13 Lecture 813 Transitions as predicates P 1 = (i 1  w 1 ’  i 1 ’)  (w 1  i 2  a 1 ’  w 1 ’)  (w 1  w 2  t  a 1 ’  w 1 ’)  (a 1  i 1 ’  a 1 ’) P 2 = (i 2  w 2 ’  i 2 ’)  (w 2  i 1  a 2 ’  w 2 ’)  (w 2  w 1  t  a 2 ’  w 2 ’)  (a 2  i 2 ’  a 2 ’) T 1 = (i 1  w 2  t’)  (i 2  w 1  t’)

14 Lecture 814 Ordered Binary Decision Tree

15 Lecture 815 OBDT example: (i 1  i 2 )  (i 3  i 4 )

16 Lecture 816  ROBDD: (i 1  i 2 )  (i 3  i 4 )

17 Lecture 817  ROBDD: (i 1  i 2 )  (i 3  i 4 )

18 Lecture 818  ROBDD: (i 1  i 2 )  (i 3  i 4 )

19 Lecture 819  ROBDD: (i 1  i 2 )  (i 3  i 4 )

20 Lecture 820  ROBDD: (i 1  i 2 )  (i 3  i 4 )

21 Lecture 821  ROBDD: (i 1  i 2 )  (i 3  i 4 )

22 Lecture 822 History… The ROBDD optimization originally by Bryant (86) – paper on boolean graphs The application to model checking by McMillan (Originally in late 80’s – subject of thesis in 1992) smv – Symbolic model verifier – originally by McMillan

23 Lecture 823 Today… Summary Optimizations for model checking –ROBDDs TCTL- –Syntax –Semantics –Algorithm for MC –Optimizations

24 Lecture 824 Regional transition system (RTS) Given TA TTS = (s,s 0,Act, ), then the RTS is a quotiented transition system RTS = (Ř,Ř 0, Act,  ), where Ř = {(s,[v] t ) | (s,v)  s  [v] t  REG v}, and Ř 0 = {(s,[v] t ) | (s,v)  s 0  [v] t  REG v}, and finally, (s,[v] t )  (s’,[v’] t ) if and only if there is a transition (s,v) (s’,v’) in TA TTS. a a

25 Lecture 825 Regional transition system (RTS) Notation: Ř – a set of regions ř – a particular region in the set: (s,[v] t ) r – a particular valuation: (s,v)

26 Lecture 826 Regional transition system (RTS)

27 Lecture 827 Kripke structure/model for TCTL Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř,Δ,AP,L) –Ř – finite set of regions from RTS –Δ  Ř  Ř - a total transition relation –AP – a finite set of atomic propositions –L: Ř → 2 AP – A labelling function which labels each region with the propositions true in that region Note that the propositions may include clock constraints…

28 Lecture 828 TCTL- syntax Given p  AP, x  X (model clock variables), z  Z (property clock variables),  (X  Z) (clock constraints), then p and  are TCTL- formulæ, and if  1 and  2 are TCTL- formulæ then so are:  1  1   2  1   2 z in  1 A(  1 U  2 ) E(  1 U  2 )

29 Lecture 829 TCTL examples Note: temporal operators can be subscripted: A(  1 U <7  2 ) means  1 holds until (within 7 time units)  2 becomes true. Implemented as: z in A( (  1  z<7) U  2 ) A( alarm U <7 boiler-off ): the alarm is on until (within 7 time units) the boiler-off is signaled. EF <7 ( alarm ) = E( true U <7 alarm ): the alarm will be on within 7 time units.

30 Lecture 830 Semantics of TCTL Expressed in terms of a model, and the modelling relation ²  which links a model, a composite state r=(s,v) and a formula clock valuation with a property. M,(r,f) ²  P - means that (TCTL) property P holds in (or is satisfied in) state r in the case of a formula valuation f for a given model M

31 Lecture 831 (Inductive) definition of ²  M,(r,f) ²  P  p  L(ř) M,(r,f) ²    v  f ²  M,(r,f) ²   1   (M,(r,f) ²   1 ) M,(r,f) ²   1   2  M,(r,f) ²   1, and M,(r,f) ²   2 M,(r,f) ²   1   2  M,(r,f) ²   1, or M,(r,f) ²   2

32 Lecture 832 (Inductive) definition of ²  M,(r,f) ²  z in  1  M,(r,z in f) ²   1 –The notation z in f asserts that z is reset to 0 whenever it appears in the formula f M,(r,f) ²  A(  1 U  2 )  for every path  from r, for some j, M,  (j) ²   2, and  i<j, M,  (i) ²   1   2.

33 Lecture 833 (Inductive) definition of ²  M,(r,f) ²  E(  1 U  2 )  for one path  from r, for some j, M,  (j) ²   2, and  i<j, M,  (i) ²   1   2. –Note that in both EU and AU, the condition up until  2 is  1   2. and not just  1 !!

34 Lecture 834 AU:  1   2 until  2

35 Lecture 835 Model checking TCTL Definition of a labelling algorithm in the notes – not much different from CTL The only problem is this definition uses a least fixpoint iteration over an infinite set… In practice use the region construction…

36 Lecture 836 Optimization for TCTL MC We have already seen the steps to create a (finite) regional automaton Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion For this reason, limit the size of systems … so far …

37 Lecture 837 Uppaal – more formally TCTL, but with restrictions that amount to only safety (reachability) formulæ: –Set of clock constraints Z in formula is {} –Syntax just AG(  ) and EF(  ) (outer level) –  ::= a | x op n |  |  1  2 (op  { , , , ,  }) –a is a location in the model Other properties (bounded liveness…) require extended models/automatons: –compare system model with other test model

Download ppt "Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9."

Similar presentations

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.
Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.

Compatibility between shared variable valuations in timed automaton network model- checking Zhao Jianhua, Zhou Xiuyi, Li Xuandong, Zheng Guoliang Presented.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Similar presentations

Ads by Google