 
CTL - Model Checking
Franco Raimondi
Department of Computer Science, School of Science and Technology, Middlesex University
http://www.rmnd.net

Franco Raimondi CTL - Model Checking
CTL: model checking
CTL semantics (quick revision)

Let $M = (S, R_t, I, L)$ be a transition system (also called a model for CTL). Let $\varphi$ be a CTL formula and $s \in S$. $M, s \models \varphi$ is defined inductively on the structure of $\varphi$, as follows (I'm using the first transition system of today as an example on the board):

- $M, s \models \top$
- $M, s \not\models \bot$
- $M, s \models p$ iff $p \in L(s)$
- $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$
- $M, s \models \varphi \wedge \psi$ iff $M, s \models \varphi$ and $M, s \models \psi$
- $M, s \models \varphi \vee \psi$ iff $M, s \models \varphi$ or $M, s \models \psi$
CTL semantics (temporal operators)

- $M, s \models AX\,\varphi$ iff for all $s'$ s.t. $s R_t s'$, $M, s' \models \varphi$
- $M, s \models EX\,\varphi$ iff there exists $s'$ s.t. $s R_t s'$ and $M, s' \models \varphi$
- $M, s \models AG\,\varphi$ iff for all paths $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$ and for all $i$, it is the case that $M, s_i \models \varphi$
- $M, s \models EG\,\varphi$ iff there is a path $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$ and for all $i$ it is the case that $M, s_i \models \varphi$
- $M, s \models AF\,\varphi$ iff for all paths $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$, there is a state $s_i$ s.t. $M, s_i \models \varphi$
- $M, s \models EF\,\varphi$ iff there is a path $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$ and there is a state $s_i$ s.t. $M, s_i \models \varphi$
CTL semantics (temporal operators)

- $M, s \models A[\varphi\, U\, \psi]$ iff for all paths $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$ there is a state $s_j$ s.t. $M, s_j \models \psi$ and $M, s_i \models \varphi$ for all $i < j$.
- $M, s \models E[\varphi\, U\, \psi]$ iff there exists a path $(s, s_2, s_3, s_4, \ldots)$ s.t. $s_i R_t s_{i+1}$ and there is a state $s_j$ s.t. $M, s_j \models \psi$ and $M, s_i \models \varphi$ for all $i < j$.

We write $M \models \varphi$ if a formula is true in all the initial states of a model.
Model checking CTL: introduction

We have seen very simple examples in previous slides. However, real systems may be composed of hundreds of thousands of states. Efficient algorithms are needed to verify $M, s \models \varphi$.

How do you verify a formula in a model? What we did: unwind the transition system $M$. However, a computer cannot check infinite data structures: we need to check a finite data structure.

Next: an algorithm to compute the set of states of a model $M$ in which $\varphi$ holds, the labelling algorithm.
The labelling algorithm

INPUT: a CTL model $M = (S, R_t, L)$ and a CTL formula $\varphi$.
OUTPUT: the set of states of $M$ which satisfy $\varphi$.

Sketch:
(1) express $\varphi$ using the adequate set of operators: $\neg, \wedge, EX, EG, EU$;
(2) operate recursively on the structure of $\varphi$, starting from sub-formulas (do you remember the parse tree?).
The labelling algorithm (core part)

    SAT(ϕ) {
      ϕ is an atomic formula:  return L(ϕ);
      ϕ is ¬ϕ1:                return S \ SAT(ϕ1);
      ϕ is ϕ1 ∧ ϕ2:            return SAT(ϕ1) ∩ SAT(ϕ2);
      ϕ is EX ϕ1:              return SAT_EX(ϕ1);
      ϕ is E(ϕ1 U ϕ2):         return SAT_EU(ϕ1, ϕ2);
      ϕ is EG ϕ1:              return SAT_EG(ϕ1);
    }
The labelling algorithm, informally

The algorithm operates on sets of states. The following is an intuition. Suppose all the subformulas of $\varphi$ have already been labelled. If $\varphi$ is:

- $p$: label $s$ with $p$ if $p \in L(s)$.
- $\varphi_1 \wedge \varphi_2$: label $s$ with $\varphi_1 \wedge \varphi_2$ if $s$ is already labelled with both $\varphi_1$ and $\varphi_2$.
- $\neg\varphi_1$: label $s$ with $\neg\varphi_1$ if $s$ is not already labelled with $\varphi_1$.
- $EX\,\varphi_1$: label $s$ with $EX\,\varphi_1$ if one of its successors is labelled with $\varphi_1$.
The labelling algorithm for EG

If $\varphi$ is $EG\,\varphi_1$:

- Label all states with $EG\,\varphi_1$.
- If any state $s$ is not labelled with $\varphi_1$, delete the label $EG\,\varphi_1$.
- Repeat: delete the label $EG\,\varphi_1$ from any state if none of its successors is labelled with $EG\,\varphi_1$, until there is no change.

If $\varphi$ is $E[\varphi_1\, U\, \varphi_2]$: see below.
The procedure for EG

    SAT_EG(ϕ, M) {
      X = SAT(ϕ, M);
      Y = S;
      Z = ∅;
      while (Z != Y) {
        Z = Y;
        Y = X ∩ { s ∈ S | ∃s'. (s' ∈ Y and s R_t s') }
      }
      return Y;
    }
Fix point characterisation

Notice that $EG\,\varphi \equiv \varphi \wedge EX\,EG\,\varphi$.

Let $[\![\varphi]\!]$ be the set of states of $S$ satisfying the formula $\varphi$. The set of states satisfying $EG\,\varphi$ can be seen as the fix point of the operator $\tau : 2^S \to 2^S$ defined by $\tau(Z) = [\![\varphi]\!] \cap [\![EX\,Z]\!]$, where $[\![EX\,Z]\!]$ is the set of states with at least one successor in $Z$.
Fix point characterisation - monotonicity

It is possible to prove (Tarski, 1955) that a monotonic operator $\tau : Q \to Q$ has a greatest and a least fix-point; these are denoted by $\nu Z.\tau(Z)$ and $\mu Z.\tau(Z)$, respectively.

Let $\tau^i(X)$ be defined by $\tau^0(X) = X$ and $\tau^{i+1}(X) = \tau(\tau^i(X))$. If $Q$ is finite and $\tau$ is monotonic, then there exist integers $n, m$ such that $\nu Z.\tau(Z) = \bigcap_i \tau^i(Q) = \tau^n(Q)$ and $\mu Z.\tau(Z) = \bigcup_i \tau^i(\emptyset) = \tau^m(\emptyset)$.

$\tau$ as above is monotonic, and $S$ is finite (here $Q = 2^S$, the sets of states). It follows that $\tau$ has a (greatest) fix point, and the fix point can be computed by iterating $\tau$ starting from $S$, the set of all states.
Fix point characterisation: EG and EU

$EG\,\varphi \equiv \varphi \wedge EX\,EG\,\varphi$;
$E[\varphi\, U\, \psi] \equiv \psi \vee (\varphi \wedge EX(E[\varphi\, U\, \psi]))$.

    SAT_EU(ϕ1, ϕ2, M) {
      X = SAT(ϕ1, M);
      Y = SAT(ϕ2, M);
      Z = ∅;
      W = S;
      while (Z != W) {
        W = Z;
        Z = Y ∪ (X ∩ pre∃(Z));
      }
      return Z;
    }

where $pre_\exists(Z) = \{ s \in S \mid \exists s'.\ s R_t s' \text{ and } s' \in Z \}$ is the set of states with at least one successor in $Z$ (the same set used inside SAT_EG).
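The labelling algorithm of the last few slides, with SAT_EG as a greatest fix point and SAT_EU as a least fix point, written out as an added Python example; this is not the lecture's code, and the three-state model (its transitions and labels) is constructed for illustration. It also derives EF ϕ as E[⊤ U ϕ], which the slides leave implicit.

```python
# Added example (not the lecture's own code): the labelling algorithm over the
# adequate set {atom, ¬, ∧, EX, EG, EU}, with SAT_EG as a greatest fix point
# and SAT_EU as a least fix point, run on a small constructed model.
# Constructed model M = (S, R_t, L): s0 -> s1, s0 -> s2, s1 -> s0, s2 -> s2.
STATES = {"s0", "s1", "s2"}
TRANS = {("s0", "s1"), ("s0", "s2"), ("s1", "s0"), ("s2", "s2")}
LABEL = {"s0": {"p", "q"}, "s1": {"q", "r"}, "s2": {"r"}}

def pre_exists(z):
    """pre∃(Z): the states with at least one successor in Z."""
    return {s for (s, t) in TRANS if t in z}

def sat(phi):
    """Set of states satisfying phi. Formulas are nested tuples over the
    adequate set: ("true",), ("atom", p), ("not", f), ("and", f, g),
    ("EX", f), ("EG", f), ("EU", f, g). EF f is ("EU", ("true",), f)."""
    op = phi[0]
    if op == "true":
        return set(STATES)
    if op == "atom":
        return {s for s in STATES if phi[1] in LABEL[s]}
    if op == "not":
        return STATES - sat(phi[1])
    if op == "and":
        return sat(phi[1]) & sat(phi[2])
    if op == "EX":
        return pre_exists(sat(phi[1]))
    if op == "EG":
        return sat_eg(phi[1])
    if op == "EU":
        return sat_eu(phi[1], phi[2])
    raise ValueError(f"unknown operator {op!r}")

def sat_eg(phi):
    """Greatest fix point: start from Y = S and shrink with Y = X ∩ pre∃(Y)."""
    x, y = sat(phi), set(STATES)
    while True:
        new = x & pre_exists(y)
        if new == y:
            return y
        y = new

def sat_eu(phi, psi):
    """Least fix point: start from Z = ∅ and grow with Z = Y ∪ (X ∩ pre∃(Z))."""
    x, y, z = sat(phi), sat(psi), set()
    while True:
        new = y | (x & pre_exists(z))
        if new == z:
            return z
        z = new
```

On this model, sat(("EG", ("atom", "q"))) returns {s0, s1}: the loop s0 -> s1 -> s0 is the only path on which q holds forever.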
EXERCISE

[Figure: a transition system with three states s0, s1 and s2; s0 is labelled p,q, the other two states carry the labels q,r and r; the transitions are not recoverable from the extraction.]

Compute the set of states $[\![EX(\neg p \wedge r)]\!]$ and $[\![EG(q)]\!]$.
A note on complexity

It is easy to see that the labelling algorithm is polynomial in the size of the formula and the model (notice: model checking LTL is *not* in P). See the book for the proof (or just check the algorithm).

However, there is a problem here... We will get back to this issue in the next set of slides.
CTL: Boolean encoding
Model checking techniques and the "state explosion problem"

The size of the model is exponential in the number of variables used (see NuSMV later: add a Boolean variable and the size of the model will double!): this is called the state explosion problem.

Solution: reduce the model checking problem to something you know how to solve efficiently (even if exponential).

- Symbolic model checking: states, relations, etc. are represented as Boolean formulae and manipulated using OBDDs (see below).
- Bounded model checking: the model checking problem is reduced to a satisfiability problem for propositional logic.
Boolean formulae? (this is important!)

Sets of states are represented as Boolean formulae. Example: $S = \{s_1, s_2, s_3\}$. How many Boolean variables are needed? $N = \lceil \log_2(|S|) \rceil = 2$.

    State   Boolean vector   Boolean formula
    s1      (1, 1)           x1 ∧ x2
    s2      (1, 0)           x1 ∧ ¬x2
    s3      (0, 1)           ¬x1 ∧ x2

Sets of states are encoded by taking the disjunction of the Boolean formulae encoding the single states. For instance, $\{s_1, s_3\} \subset S$ is encoded by $f = (x_1 \wedge x_2) \vee (\neg x_1 \wedge x_2)$.

Raise your hand if you didn't understand this point!
Encoding the transition relation

Introduce a new set of "primed" variables $x'_i$ to encode the "next" states, for instance $s'_2 = x'_1 \wedge \neg x'_2$.

Model the transition between two states as a conjunction. For instance, if $s_1 R_t s_2$, this is translated as $(x_1 \wedge x_2) \wedge (x'_1 \wedge \neg x'_2)$.

The whole transition relation $R_t$ is encoded by taking the disjunction of all the transitions between two states.
The labelling algorithm to compute a Boolean formula

The labelling algorithm presented above can be used to compute the formula representing the set of states in which a formula holds. Thus, $SAT(\varphi)$ can return a Boolean formula. By comparing this formula with the Boolean formula encoding $M$ we can verify $M \models \varphi$.

Why all this? Because (we will see in a moment) efficient techniques exist to represent and manipulate Boolean formulae using Ordered Binary Decision Diagrams (OBDDs).
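An added Python example (not the lecture's code) of the encoding on the last three slides: states as Boolean vectors, a set of states as the disjunction of its members' formulae, $R_t$ over primed variables, and $EX$ computed on formulae rather than on explicit states. The state codes are the slide's; the transition list is constructed, since the slide only gives $s_1 R_t s_2$.

```python
# Added example (not the lecture's own code): states as Boolean vectors,
# sets of states and R_t as Boolean formulae (here Python predicates over
# bit tuples), and EX computed symbolically as ∃x'. R_t(x, x') ∧ Z(x').
from itertools import product

N = 2  # ⌈log2 |S|⌉ for S = {s1, s2, s3}
# Encoding from the slide's table: s1 = (1,1), s2 = (1,0), s3 = (0,1); (0,0) is unused.
CODE = {"s1": (1, 1), "s2": (1, 0), "s3": (0, 1)}
# Constructed transitions (assumed; the lecture gives only s1 R_t s2).
TRANS = [("s1", "s2"), ("s2", "s3"), ("s3", "s1"), ("s3", "s3")]

def state_formula(bits):
    """Conjunction of literals for one state, e.g. (1,0) is x1 ∧ ¬x2."""
    return lambda x: all(xi == bi for xi, bi in zip(x, bits))

def disj(formulas):
    """Disjunction of formulae that all take the same arguments."""
    return lambda *args: any(f(*args) for f in formulas)

def encode_set(states):
    """A set of states is the disjunction of its members' formulae."""
    return disj([state_formula(CODE[s]) for s in states])

def transition_formula(s, t):
    """s R_t t as code(s) on the current bits x ∧ code(t) on the primed bits x'."""
    return lambda x, xn: state_formula(CODE[s])(x) and state_formula(CODE[t])(xn)

def encode_relation(trans):
    """R_t(x, x') is the disjunction of all single-transition formulae."""
    return disj([transition_formula(s, t) for s, t in trans])

R = encode_relation(TRANS)

def pre_exists(z):
    """EX Z as a formula over x: ∃x'. R_t(x, x') ∧ Z(x'), quantifying x' away
    by enumerating its 2^N valuations."""
    return lambda x: any(R(x, xn) and z(xn) for xn in product((0, 1), repeat=N))

def decode(f):
    """Back to an explicit set of states: which state codes satisfy f?"""
    return {s for s, bits in CODE.items() if f(bits)}
```

The predicates stand in for the OBDDs of the next slides: the operations are the same (disjunction, conjunction, existential quantification over the primed variables), only the representation differs.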
Ordered Binary Decision Diagrams