CTL - Model Checking Franco Raimondi Department of Computer Science - - PowerPoint PPT Presentation




CTL - Model Checking

Franco Raimondi

Department of Computer Science School of Science and Technology Middlesex University http://www.rmnd.net

Franco Raimondi CTL - Model Checking


CTL: model checking


CTL semantics (quick revision)

Let M = (S, Rt, I, L) be a transition system (also called a model for CTL). Let ϕ be a CTL formula and s ∈ S. M, s ⊨ ϕ is defined inductively on the structure of ϕ, as follows (I’m using the first transition system of today as an example on the board):

M, s ⊨ ⊤
M, s ⊭ ⊥
M, s ⊨ p iff p ∈ L(s)
M, s ⊨ ¬ϕ iff M, s ⊭ ϕ
M, s ⊨ ϕ ∧ ψ iff M, s ⊨ ϕ and M, s ⊨ ψ
M, s ⊨ ϕ ∨ ψ iff M, s ⊨ ϕ or M, s ⊨ ψ


CTL Semantics (temporal operators)

M, s ⊨ AXϕ iff ∀s′ s.t. s Rt s′, M, s′ ⊨ ϕ
M, s ⊨ EXϕ iff ∃s′ s.t. s Rt s′ and M, s′ ⊨ ϕ
M, s ⊨ AGϕ iff for all paths (s, s2, s3, s4, . . . ) s.t. si Rt si+1, for all i it is the case that M, si ⊨ ϕ
M, s ⊨ EGϕ iff there is a path (s, s2, s3, s4, . . . ) s.t. si Rt si+1 and for all i it is the case that M, si ⊨ ϕ
M, s ⊨ AFϕ iff for all paths (s, s2, s3, s4, . . . ) s.t. si Rt si+1, there is a state si s.t. M, si ⊨ ϕ
M, s ⊨ EFϕ iff there is a path (s, s2, s3, s4, . . . ) s.t. si Rt si+1 and there is a state si s.t. M, si ⊨ ϕ


CTL Semantics (temporal operators)

M, s ⊨ A[ϕUψ] iff for all paths (s, s2, s3, s4, . . . ) s.t. si Rt si+1 there is a state sj s.t. M, sj ⊨ ψ and M, si ⊨ ϕ for all i < j.
M, s ⊨ E[ϕUψ] iff there exists a path (s, s2, s3, s4, . . . ) s.t. si Rt si+1 and there is a state sj s.t. M, sj ⊨ ψ and M, si ⊨ ϕ for all i < j.
We write M ⊨ ϕ if a formula is true in all the initial states of a model.


Model checking CTL: introduction

We have seen very simple examples in previous slides. However, real systems may be composed of hundreds of thousands of states. Efficient algorithms are needed to verify M, s ⊨ ϕ. How do you verify a formula in a model? What we did: unwind the transition system M. However, a computer cannot check infinite data structures: we need to check finite data structures. Next: an algorithm to compute the set of states of a model M in which ϕ holds, the labelling algorithm.


The labelling algorithm

INPUT: a CTL model M = (S, Rt, L) and a CTL formula ϕ. OUTPUT: the set of states of M which satisfy ϕ. Sketch: (1) express ϕ using the adequate set of operators: ¬, ∧, EX, EG, EU; (2) operate recursively on the structure of ϕ, starting from sub-formulas (do you remember the parse tree?).


The labelling algorithm (core part)

SAT(ϕ) {
  ϕ is an atomic formula: return L(ϕ), i.e. {s ∈ S | ϕ ∈ L(s)};
  ϕ is ¬ϕ1: return S \ SAT(ϕ1);
  ϕ is ϕ1 ∧ ϕ2: return SAT(ϕ1) ∩ SAT(ϕ2);
  ϕ is EXϕ1: return SATEX(ϕ1);
  ϕ is E(ϕ1Uϕ2): return SATEU(ϕ1, ϕ2);
  ϕ is EGϕ1: return SATEG(ϕ1);
}


The labelling algorithm, informally

The algorithm operates on sets of states. The following is an intuition. Suppose all the subformulas of ϕ have already been labelled. If ϕ is:

p: label s with p if p ∈ L(s).
ϕ1 ∧ ϕ2: label s with ϕ1 ∧ ϕ2 if s is already labelled with both ϕ1 and ϕ2.
¬ϕ1: label s with ¬ϕ1 if s is not already labelled with ϕ1.
EXϕ1: label s with EXϕ1 if one of its successors is labelled with ϕ1.


The labelling algorithm for EG

If ϕ is EGϕ1

Label all states with EGϕ1. If any state s is not labelled with ϕ1, delete the label EGϕ1. Repeat: delete the label EGϕ1 from any state if none of its successors is labelled with EGϕ1, until there is no change.

If ϕ is E[ϕ1Uϕ2]: see below


The procedure for EG

SATEG(ϕ, M) {
  X = SAT(ϕ, M);
  Y = S;
  Z = ∅;
  while (Z != Y) {
    Z = Y;
    Y = X ∩ {s ∈ S | ∃s′. (s′ ∈ Y and s Rt s′)};   // i.e. X ∩ pre∃(Y): keep the ϕ-states with a successor still in Y
  }
  return Y;
}


Fix point characterisation

Notice that EGϕ ≡ ϕ ∧ EX EGϕ. Let [[ϕ]] be the set of states of S satisfying the formula ϕ. The set of states satisfying EGϕ can be seen as the fix point of the operator τ on sets of states (τ : 2^S → 2^S) defined by

τ(Z) = [[ϕ]] ∩ [[EX Z]]

where [[EX Z]] = pre∃(Z) = {s ∈ S | ∃s′ ∈ Z. s Rt s′} is the set of states with a successor in Z.


Fix point characterisation - monotonicity

It is possible to prove (Tarski, 1955) that a monotonic operator τ : Q → Q has a greatest and a least fix-point; these are denoted by νZ.τ(Z) and µZ.τ(Z), respectively. Let τ^i(X) be defined by τ^0(X) = X and τ^(i+1)(X) = τ(τ^i(X)). If Q is finite and τ is monotonic, then there exist integers n, m such that νZ.τ(Z) = ∩_i τ^i(Q) = τ^n(Q) and µZ.τ(Z) = ∪_i τ^i(∅) = τ^m(∅). The operator τ defined above is monotonic, and S is finite. It follows that τ has a (greatest) fix point, and that fix point can be computed by iterating τ starting from the whole state set S, which is what SATEG does.


Fix point characterisation: EG and EU

EGϕ ≡ ϕ ∧ EX EGϕ;   E[ϕUψ] ≡ ψ ∨ (ϕ ∧ EX E[ϕUψ]).

SATEU(ϕ1, ϕ2, M) {
  X = SAT(ϕ1, M);
  Y = SAT(ϕ2, M);
  Z = ∅;
  W = S;
  while (Z != W) {
    W = Z;
    Z = Y ∪ (X ∩ pre∃(Z));
  }
  return Z;
}
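The procedures above (SAT, SATEX, SATEG and SATEU) put together in Python, as an added example that is not code from the slides. The four-state model, its labelling and the formulas evaluated are all constructed here; derived operators (∨, AX, EF, AG, AF) are first rewritten into the adequate set ¬, ∧, EX, EG, EU, as in step (1) of the algorithm, and SATEG and SATEU are the two fix-point iterations, from S and from ∅ respectively.

```python
# Added example: the labelling algorithm over an explicit-state model.
# Not code from the slides; the model below is constructed for illustration.
from typing import Dict, Iterable, Set, Tuple

State = str
Formula = tuple  # ('true',) | ('atom', p) | ('not', f) | ('and', f, g) | ('or', f, g)
                 # | ('EX', f) | ('AX', f) | ('EG', f) | ('EF', f) | ('AG', f) | ('AF', f)
                 # | ('EU', f, g)

class Model:
    """M = (S, Rt, I, L): states, transition relation, initial states, labelling."""
    def __init__(self, states: Iterable[State], trans: Iterable[Tuple[State, State]],
                 init: Iterable[State], labels: Dict[State, Iterable[str]]):
        self.S = frozenset(states)
        self.Rt = frozenset(trans)
        self.I = frozenset(init)
        self.L = {s: frozenset(labels.get(s, ())) for s in self.S}

    def pre_exists(self, Y: Set[State]) -> Set[State]:
        """pre∃(Y) = {s ∈ S | ∃s'. s Rt s' and s' ∈ Y}: the states with a successor in Y."""
        return {s for (s, t) in self.Rt if t in Y}

def to_adequate(f: Formula) -> Formula:
    """Step (1): rewrite f over the adequate set {¬, ∧, EX, EG, EU}."""
    op = f[0]
    if op in ('true', 'atom'):
        return f
    if op in ('not', 'EX', 'EG'):
        return (op, to_adequate(f[1]))
    if op in ('and', 'EU'):
        return (op, to_adequate(f[1]), to_adequate(f[2]))
    if op == 'or':   # ϕ ∨ ψ ≡ ¬(¬ϕ ∧ ¬ψ)
        return ('not', ('and', ('not', to_adequate(f[1])), ('not', to_adequate(f[2]))))
    if op == 'AX':   # AXϕ ≡ ¬EX¬ϕ
        return ('not', ('EX', ('not', to_adequate(f[1]))))
    if op == 'EF':   # EFϕ ≡ E[⊤ U ϕ]
        return ('EU', ('true',), to_adequate(f[1]))
    if op == 'AG':   # AGϕ ≡ ¬EF¬ϕ
        return ('not', to_adequate(('EF', ('not', f[1]))))
    if op == 'AF':   # AFϕ ≡ ¬EG¬ϕ
        return ('not', ('EG', ('not', to_adequate(f[1]))))
    raise ValueError(f"unknown operator {op!r}")

def sat(m: Model, f: Formula) -> Set[State]:
    """Step (2): SAT, recursive on the structure of an adequate-set formula."""
    op = f[0]
    if op == 'true':
        return set(m.S)
    if op == 'atom':
        return {s for s in m.S if f[1] in m.L[s]}
    if op == 'not':
        return set(m.S) - sat(m, f[1])
    if op == 'and':
        return sat(m, f[1]) & sat(m, f[2])
    if op == 'EX':
        return m.pre_exists(sat(m, f[1]))          # SATEX
    if op == 'EG':
        return sat_eg(m, f[1])
    if op == 'EU':
        return sat_eu(m, f[1], f[2])
    raise ValueError(f"not in the adequate set: {op!r}")

def sat_eg(m: Model, phi: Formula) -> Set[State]:
    """SATEG: greatest fix point of Y ↦ [[ϕ]] ∩ pre∃(Y), iterated from Y = S."""
    X = sat(m, phi)
    Y, Z = set(m.S), None
    while Z != Y:
        Z = set(Y)
        Y = X & m.pre_exists(Y)
    return Y

def sat_eu(m: Model, phi: Formula, psi: Formula) -> Set[State]:
    """SATEU: least fix point of Z ↦ [[ψ]] ∪ ([[ϕ]] ∩ pre∃(Z)), iterated from Z = ∅."""
    X, Y = sat(m, phi), sat(m, psi)
    Z, W = set(), None
    while Z != W:
        W = set(Z)
        Z = Y | (X & m.pre_exists(Z))
    return Z

def check(m: Model, f: Formula) -> Set[State]:
    """[[f]]: the set of states of m satisfying f (any CTL operator accepted)."""
    return sat(m, to_adequate(f))

def holds(m: Model, f: Formula) -> bool:
    """M ⊨ f iff f is true in every initial state."""
    return m.I <= check(m, f)

# Constructed four-state model (not the one on the slides):
#   s0 {p,q} -> s1 {q,r} -> s2 {r} -> s2 (self-loop);   s0 -> s3 {q} -> s0
M = Model(
    states=['s0', 's1', 's2', 's3'],
    trans=[('s0', 's1'), ('s0', 's3'), ('s1', 's2'), ('s2', 's2'), ('s3', 's0')],
    init=['s0'],
    labels={'s0': ['p', 'q'], 's1': ['q', 'r'], 's2': ['r'], 's3': ['q']},
)
p, q, r = ('atom', 'p'), ('atom', 'q'), ('atom', 'r')

if __name__ == '__main__':
    for name, f in [('EX(¬p ∧ r)', ('EX', ('and', ('not', p), r))), ('EG q', ('EG', q)),
                    ('E[q U r]', ('EU', q, r)), ('AF r', ('AF', r)), ('EF r', ('EF', r))]:
        print(f"{name:12} [[·]] = {sorted(check(M, f))}   M ⊨ · : {holds(M, f)}")
```

The two fix-point loops terminate because S is finite and each iteration only shrinks Y (for EG) or only grows Z (for EU). In this model s0 can cycle through s3 forever without ever reaching an r-state, so AF r fails in the initial state while EF r holds.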


EXERCISE

[Figure: a transition system with three states s0, s1, s2, carrying the labels p,q; q,r; and r (the transitions are not recoverable from the slide text).]

Compute the sets of states [[EX(¬p ∧ r)]] and [[EG(q)]].


A note on complexity

It is easy to see that the labelling algorithm is polynomial in the size of the formula and the model (notice: model checking LTL is *not* in P). See the book for the proof (or just check the algorithm). However, there is a problem here... We will get back to this issue in the next set of slides.


CTL: Boolean encoding


Model checking techniques and the “state explosion problem”

The size of the model is exponential in the number of variables used (see NuSMV later: add a Boolean variable and the size of the model will double!): this is called the state explosion problem. Solution: reduce the model checking problem to something you know how to solve efficiently (even if exponential).

Symbolic model checking: states, relations, etc. are represented as Boolean formulae and manipulated using OBDDs (see below).

Bounded model checking: the model checking problem is reduced to a satisfiability problem for propositional logic.


Boolean formulae?

(this is important!)

Sets of states are represented as Boolean formulae. Example: S = {s1, s2, s3}. How many Boolean variables are needed? N = ⌈log2(|S|)⌉ = 2.

State   Boolean vector   Boolean formula
s1      (1, 1)           x1 ∧ x2
s2      (1, 0)           x1 ∧ ¬x2
s3      (0, 1)           ¬x1 ∧ x2

Sets of states are encoded by taking the disjunction of the Boolean formulae encoding the single states. For instance, {s1, s3} ⊂ S is encoded by f = (x1 ∧ x2) ∨ (¬x1 ∧ x2). Raise your hand if you didn’t understand this point!


Encoding the transition relation

Introduce a new set of “primed” variables x′i to encode the “next” states, for instance s′2 = x′1 ∧ ¬x′2.

Model the transition between two states as a conjunction. For instance, if s1 Rt s2: this is translated as (x1 ∧ x2) ∧ (x′1 ∧ ¬x′2).

The whole transition relation Rt is encoded by taking the disjunction of all the transitions between two states.


The labelling algorithm to compute a Boolean formula

The labelling algorithm presented above can be used to compute the formula representing the set of states in which a formula holds. Thus, SAT(ϕ) can return a Boolean formula. By comparing this formula with the Boolean formula encoding M we can verify M ⊨ ϕ. Why all this? Because (we will see in a moment) efficient techniques exist to represent and manipulate Boolean formulae using Ordered Binary Decision Diagrams (OBDDs).
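The Boolean encoding of the last three slides carried through in Python, as an added example that is not code from the slides: states are the Boolean vectors over x1, x2 from the table, the transition relation is the disjunction of conjunctions over x1, x2, x1′, x2′, and pre∃(Z) is computed symbolically as ∃x′.(Rt ∧ Z[x′/x]), so that SATEG can be run on formulae rather than on sets of states. The transitions and the labelling of q are constructed here. A truth table (set of satisfying assignments) stands in for the OBDD a real model checker would use: the operations are the same, but nothing is shared, so storage is exponential.

```python
# Added example: states, sets of states and Rt as Boolean formulae; pre∃ and SAT_EG
# computed on formulae. Not code from the slides; transitions and labelling constructed.
from itertools import product

STATE_VARS = ('x1', 'x2')                           # N = ⌈log2 3⌉ = 2 variables
PRIMED_VARS = tuple(v + "'" for v in STATE_VARS)    # x1', x2' encode the "next" state
ORDER = STATE_VARS + PRIMED_VARS
IDX = {v: i for i, v in enumerate(ORDER)}
ALL = frozenset(product((0, 1), repeat=len(ORDER)))  # every assignment to x1,x2,x1',x2'

class BoolFn:
    """A Boolean formula over ORDER, stored as its set of satisfying assignments."""
    def __init__(self, sat):
        self.sat = frozenset(sat)
    @classmethod
    def where(cls, pred):
        return cls(a for a in ALL if pred(dict(zip(ORDER, a))))
    def __and__(self, o): return BoolFn(self.sat & o.sat)      # conjunction
    def __or__(self, o):  return BoolFn(self.sat | o.sat)      # disjunction
    def __invert__(self): return BoolFn(ALL - self.sat)        # negation
    def __eq__(self, o):  return isinstance(o, BoolFn) and self.sat == o.sat
    def __hash__(self):   return hash(self.sat)
    def exists(self, vars):
        """∃vars. f: keep an assignment iff some choice of vars extends it into f."""
        keep = [i for i, v in enumerate(ORDER) if v not in vars]
        proj = {tuple(b[i] for i in keep) for b in self.sat}
        return BoolFn(a for a in ALL if tuple(a[i] for i in keep) in proj)
    def primed(self):
        """f[x'/x]: the same constraint, stated on the next-state variables."""
        cur = [IDX[v] for v in STATE_VARS]
        nxt = [IDX[v] for v in PRIMED_VARS]
        proj = {tuple(b[i] for i in cur) for b in self.sat}
        return BoolFn(a for a in ALL if tuple(a[i] for i in nxt) in proj)

# The slides' encoding: s1 = (1,1), s2 = (1,0), s3 = (0,1); (0,0) encodes no state.
STATES = {'s1': (1, 1), 's2': (1, 0), 's3': (0, 1)}

def encode(state):
    """One state as a conjunction of literals over x1, x2 (x1', x2' unconstrained)."""
    vec = STATES[state]
    return BoolFn.where(lambda e: tuple(e[v] for v in STATE_VARS) == vec)

def encode_set(states):
    """A set of states as the disjunction of the formulae of its members."""
    f = BoolFn(())
    for s in states:
        f = f | encode(s)
    return f

def encode_relation(trans):
    """Rt as the disjunction, over all transitions s Rt t, of encode(s) ∧ encode(t)[x'/x]."""
    rt = BoolFn(())
    for s, t in trans:
        rt = rt | (encode(s) & encode(t).primed())
    return rt

def pre_exists(rt, z):
    """pre∃(Z) = ∃x'. (Rt ∧ Z[x'/x]): the states with some successor in Z."""
    return (rt & z.primed()).exists(PRIMED_VARS)

def sat_eg(rt, phi):
    """SATEG on formulae: greatest fix point of Y ↦ ϕ ∧ pre∃(Y), starting from ⊤."""
    y, z = BoolFn(ALL), None
    while z != y:
        z = y
        y = phi & pre_exists(rt, y)
    return y

def to_formula(f):
    """Render f (independent of x1', x2') as a DNF over x1, x2, as on the slide."""
    cur = [IDX[v] for v in STATE_VARS]
    minterms = sorted({tuple(b[i] for i in cur) for b in f.sat}, reverse=True)
    terms = [" ∧ ".join(v if bit else "¬" + v for v, bit in zip(STATE_VARS, a))
             for a in minterms]
    return " ∨ ".join(f"({t})" for t in terms) if terms else "⊥"

def states_of(f):
    """Decode a formula over x1, x2 back to state names (to read off results)."""
    vecs = {tuple(a[IDX[v]] for v in STATE_VARS) for a in f.sat}
    return {s for s, vec in STATES.items() if vec in vecs}

# Constructed transitions: s1 -> s2 -> s3 -> s1, plus a self-loop on s3; q holds in s1, s3.
TRANS = [('s1', 's2'), ('s2', 's3'), ('s3', 's1'), ('s3', 's3')]
RT = encode_relation(TRANS)
Q = encode_set(['s1', 's3'])

if __name__ == '__main__':
    print("[[q]]        =", to_formula(Q))                 # (x1 ∧ x2) ∨ (¬x1 ∧ x2)
    print("pre∃([[q]])  =", to_formula(pre_exists(RT, Q)))
    print("[[EG q]]     =", to_formula(sat_eg(RT, Q)), states_of(sat_eg(RT, Q)))
```

Only s3 satisfies EG q here: s1 is a q-state but its only successor s2 is not, so it drops out at the second iteration, exactly as the set-based SATEG would remove it. Note that negation (~) also admits the unused vector (0,0); a symbolic checker conjoins results with the encoding of the reachable state space, which is why `states_of` only decodes the three named states.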


Ordered Binary Decision Diagrams


OBDDs

It is possible to associate a rooted, directed graph G to every Boolean function f(x1, . . . , xn) by imposing an ordering on the variables x1, . . . , xn, and by reducing the graph. Example for f = x1 ∧ (x2 ∨ x3) (assumption: left is choice 0, right is 1).

[Figure: (a) the full binary decision tree for f over x1, x2, x3, with 1-terminals at the bottom; (b) the reduced OBDD, with a single node for each of x1, x2, x3 and a single 1-terminal.]


Key concepts

(from Bryant’s paper) This is a heuristic approach: in the worst case the size of the graph is exponential. But, on average, “it works well”. For any Boolean function, the reduced OBDD is canonical, i.e.: given an ordering of the variables, the reduced OBDD of a function is unique (Theorem 5 in the paper). Different orderings may give very different graphs! Efficient algorithms exist to reduce and combine OBDDs.


Reduction procedure

A graph is reduced if (i) it contains no vertex s.t. the right child is equal to the left child, and (ii) there are no distinct vertices v, v′ s.t. the subgraphs rooted at v and v′ are isomorphic. (Definition 5 in the paper). Remove duplicate terminals (at the bottom of the tree). Remove duplicate non-terminals. Remove redundant tests. See R. Bryant, Graph-Based Algorithms for Boolean Function Manipulation, 1986


EXERCISE

Compute the OBDD for f = x1 ∧ (x2 ∨ x3) by using the ordering x2, x3, x1 and minimize it.


The importance of variables ordering

(Fig. 2 in the paper)
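The reduction rules, the canonicity claim and the effect of variable ordering, as an added Python example (not code from the slides or from Bryant's paper): an OBDD is built by Shannon expansion along the chosen ordering, and the two reduction rules (no redundant test, no two isomorphic subgraphs) are enforced on the fly through a unique table, which is exactly what makes the result canonical. The functions used are the slide's f = x1 ∧ (x2 ∨ x3), under both the original ordering and the exercise's x2, x3, x1, and the six-variable function (x1 ∧ x2) ∨ (x3 ∧ x4) ∨ (x5 ∧ x6) with which Bryant illustrates ordering dependence; sizes reported are counts of non-terminal nodes.

```python
# Added example: reduced OBDDs via Shannon expansion plus a unique table.
# Not code from the slides or from Bryant's paper.
from itertools import product

class OBDDManager:
    """Builds reduced OBDDs over one fixed variable ordering.
    Node ids 0 and 1 are the terminals; every other node is (var, lo, hi),
    lo being the child for var = 0 and hi the child for var = 1."""
    def __init__(self, order):
        self.order = tuple(order)
        self.nodes = {0: None, 1: None}     # id -> (var, lo, hi); terminals have None
        self.unique = {}                    # (var, lo, hi) -> id

    def mk(self, var, lo, hi):
        if lo == hi:                        # rule (i): a test whose children coincide is redundant
            return lo
        key = (var, lo, hi)
        if key not in self.unique:          # rule (ii): never create an isomorphic duplicate
            nid = len(self.nodes)
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def build(self, fn):
        """Shannon-expand fn (a predicate over {var: 0/1}) along self.order; returns the root id."""
        def rec(level, env):
            if level == len(self.order):
                return 1 if fn(env) else 0
            var = self.order[level]
            lo = rec(level + 1, {**env, var: 0})
            hi = rec(level + 1, {**env, var: 1})
            return self.mk(var, lo, hi)
        return rec(0, {})

    def evaluate(self, node, env):
        """Follow the graph from node under the assignment env; returns 0 or 1."""
        while node not in (0, 1):
            var, lo, hi = self.nodes[node]
            node = hi if env[var] else lo
        return node

    def size(self):
        """Number of non-terminal nodes created so far."""
        return len(self.unique)

def f_slide(e):   # f = x1 ∧ (x2 ∨ x3), the function on the slides
    return e['x1'] and (e['x2'] or e['x3'])

def f_slide_alt(e):   # the same function written differently: (x1 ∧ x2) ∨ (x1 ∧ x3)
    return (e['x1'] and e['x2']) or (e['x1'] and e['x3'])

def f_pairs(e):   # (x1 ∧ x2) ∨ (x3 ∧ x4) ∨ (x5 ∧ x6), Bryant's ordering-dependence example
    return (e['x1'] and e['x2']) or (e['x3'] and e['x4']) or (e['x5'] and e['x6'])

def obdd_size(fn, order):
    """Non-terminal node count of the reduced OBDD of fn under the given ordering."""
    m = OBDDManager(order)
    m.build(fn)
    return m.size()

def same_node(fn1, fn2, order):
    """Canonicity: two expressions of one function share the manager's unique table,
    so they must come back as the very same root node."""
    m = OBDDManager(order)
    return m.build(fn1) == m.build(fn2)

def agrees(fn, order):
    """Soundness check: the graph computes fn on every assignment."""
    m = OBDDManager(order)
    root = m.build(fn)
    return all(m.evaluate(root, dict(zip(order, a))) == (1 if fn(dict(zip(order, a))) else 0)
               for a in product((0, 1), repeat=len(order)))

if __name__ == '__main__':
    for order in [('x1', 'x2', 'x3'), ('x2', 'x3', 'x1')]:
        m = OBDDManager(order)
        root = m.build(f_slide)
        print(f"f under {order}: root {root}, {m.size()} non-terminals:",
              {i: n for i, n in m.nodes.items() if n})
    good = ('x1', 'x2', 'x3', 'x4', 'x5', 'x6')
    bad = ('x1', 'x3', 'x5', 'x2', 'x4', 'x6')
    print("pairs, good ordering:", obdd_size(f_pairs, good))   # 6
    print("pairs, bad ordering: ", obdd_size(f_pairs, bad))    # 14
```

Under the ordering x2, x3, x1 the x1 node reached from the x2 = 1 branch and from the x3 = 1 branch is one shared node, which is rule (ii) at work; the graph has three non-terminals either way for this f. For the six-variable function the gap is 6 nodes against 14, and it grows exponentially with the number of pairs under the interleaved ordering, which is the sense in which OBDDs are a heuristic: canonical and often small, but not small for every ordering.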


OBDDs - part 2

Boolean functions can be composed (negation, conjunction, etc.), and these operations can be performed on the corresponding OBDDs.

Complexity: some operations on OBDDs, such as reduction to canonical form and composition, require time linear in the size of the OBDDs; Boolean quantification, instead, may require exponential time (see section 4 of the paper).


Implementation: CUDD, a C/C++ library for OBDDs

http://vlsi.colorado.edu/~fabio/CUDD/cuddIntro.html This is a C/C++ library for the manipulation of OBDDs. It implements all the operations on OBDDs, it can perform variable reordering to optimise OBDD size, etc. From the programmer’s point of view: simply include and use. Using C++: operators for disjunction, conjunction, equality, assignment, etc. are overloaded (using +, *, ==, =, etc.). See next slide.


#include <iostream>
#include "cuddObj.hh"   // CUDD C++ interface: the Cudd manager and the BDD class

using namespace std;

int main(int argc, char* argv[]) {
    Cudd bddmgr(0, 0);            // the manager
    BDD x = bddmgr.bddVar();      // two fresh BDD variables
    BDD y = bddmgr.bddVar();
    BDD f = x + y;                // f = x ∨ y   (+ is disjunction)
    BDD g = !y * !x;              // g = ¬y ∧ ¬x (* is conjunction), i.e. g = ¬f
    if (f == g)                   // == compares the canonical OBDDs
        cout << "f is equal to g" << endl;
    else
        cout << "f is NOT equal to g" << endl;
    return 0;
}
