Fachgebiet Rechnersysteme, Technische Universität Darmstadt: Verification Technology

6. Model-Checking 1: 6. Model Checking
Content
6.1 Temporal logic
6.2 CTL
6.3 Symbolic model-checking
6.4 Specification of temporal properties in CTL
6.5 Non-deterministic systems
6.6 Fairness conditions
6.7 Property specification by automata
6.8 LTL and CTL

6. Model-Checking 2: 6.1 Temporal Logic
What is model-checking?
Checking of temporal properties of sequential circuits
Examples:
  "It is never possible that all traffic lights are green"
  "Eventually, each traffic light will become green"
[Figure: the temporal property and the sequential circuit are the inputs of the model-checker; its output is Y (property holds) or N together with a counter example]

6. Model-Checking 3: 6. Model Checking
"It is possible that a=1, b=1, c=1 and d=1 at the same time"
Note: it is much easier to specify this property and do model-checking, rather than to invent input sequences that may lead to this state
[Figure: counter circuit with storage elements a, b, c, d (+1 / -1 logic) and a diagram that represents all reachable states]

6. Model-Checking 4: 6.1 Temporal Logic
Temporal logic is used to specify temporal properties, in particular
  Safety-conditions: "bad things (all traffic lights are green, deadlock, ...) will never happen"
  Liveness-conditions: "good things will happen" (a request will always be followed by an acknowledgement, each traffic light will finally become green, ...)
6. Model-Checking 5: 6.1 Temporal logic
Examples: true or false?
  "All states can be reached from all other states"
  "State 11 can never be left"
  "Starting from initial state 00, it is inevitable that r=1 at some time in the future"
The answer depends on the given state diagram
[Figure: state diagram with signals r and s, states 00, 01, 10, 11 and transitions labelled input/output (0/0, 1/0, 0/1)]

6. Model-Checking 6: 6.1 Temporal logic
Temporal logic is a modal logic: there are different types or modes of "truth"
  – Example: today "it is Thursday" holds, tomorrow it does not hold
Not temporally independent like 3+7 = 7+3
Fundamental research by A. Pnueli and Z. Manna in the 70's
Temporal logic can be reduced to predicate logic
There are, however, efficient decision procedures like model-checking for some types of temporal logic

6. Model-Checking 7: 6.1 Temporal logic
Several types of temporal logic (TL)
  – Example: Linear Temporal Logic (LTL) considers all execution paths in a system

6. Model-Checking 8: 6.1 Temporal logic
LTL Operators
  X "In the next state"
  G "Globally in all states"
  F "Finally in some state"
Reasoning about linear execution paths
  – Examples: X(p), G(p), F(p)
[Figure: linear paths illustrating X(p), G(p) and F(p)]
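The following is an added example and not code from the lecture: it evaluates the LTL operators X, G and F on a single linear execution path. An infinite path is represented as a "lasso" (a finite prefix followed by a loop that repeats forever), so every position maps to a stored state and G and F only have to inspect finitely many positions. The path, its atomic propositions (traffic-light colours) and all helper names are constructed for this example.

```python
# Added example (not from the lecture): evaluating the LTL operators X, G and F
# on one linear execution path.  An infinite path is given as a "lasso", a
# finite prefix followed by a loop repeated forever, so every index maps to a
# stored state and G/F only need to inspect finitely many positions.  The path
# and its atomic propositions (traffic-light colours) are constructed.

from typing import Callable, FrozenSet, List

State = FrozenSet[str]          # the atomic propositions true in a state


class Lasso:
    """Infinite path prefix . loop^omega, e.g. [z0 z1] . [z2 z3]^omega."""

    def __init__(self, prefix: List[State], loop: List[State]):
        assert loop, "loop must be non-empty, otherwise the path is finite"
        self.prefix, self.loop = prefix, loop

    def state(self, i: int) -> State:
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def suffix_positions(self, i: int) -> range:
        # Positions i, i+1, ... that can still differ: after the prefix the path
        # repeats with the loop's period, so this finite range covers the suffix.
        return range(i, max(i + len(self.loop), len(self.prefix) + len(self.loop)))


Formula = Callable[[Lasso, int], bool]   # "does the suffix starting at i satisfy ...?"


def atom(p: str) -> Formula:
    return lambda path, i: p in path.state(i)


def neg(f: Formula) -> Formula:
    return lambda path, i: not f(path, i)


def both(f: Formula, g: Formula) -> Formula:
    return lambda path, i: f(path, i) and g(path, i)


def X(f: Formula) -> Formula:   # "in the next state"
    return lambda path, i: f(path, i + 1)


def G(f: Formula) -> Formula:   # "globally in all states" of the suffix
    return lambda path, i: all(f(path, j) for j in path.suffix_positions(i))


def F(f: Formula) -> Formula:   # "finally in some state" of the suffix
    return lambda path, i: any(f(path, j) for j in path.suffix_positions(i))


def holds(f: Formula, path: Lasso) -> bool:
    return f(path, 0)


# Constructed path: two red states, then green -> yellow -> red forever.
def S(*props: str) -> State:
    return frozenset(props)


LIGHT = Lasso(prefix=[S("red"), S("red")], loop=[S("green"), S("yellow"), S("red")])


def evaluate_examples(path: Lasso = LIGHT) -> dict:
    """Nested X/G/F formulas on the constructed path, as a name -> truth value map."""
    red, green = atom("red"), atom("green")
    return {
        "X red":          holds(X(red), path),                   # next state is red
        "G red":          holds(G(red), path),                   # red forever?  no
        "F green":        holds(F(green), path),                 # green eventually
        "G F green":      holds(G(F(green)), path),              # green infinitely often
        "F G red":        holds(F(G(red)), path),                # red from some point on?  no
        "G !(green&red)": holds(G(neg(both(green, red))), path),  # never both colours
    }
```

The nested forms G(F(green)) and F(G(red)) are where the lasso representation pays off: both quantify over every suffix of an infinite path, which the finite `suffix_positions` range makes decidable.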
6. Model-Checking 9: 6.2 CTL
Computation Tree Logic (CTL, Clarke/Emerson 1981)
Model-checkers for CTL based on explicit state representation were developed since '85
Symbolic model-checking (Clarke/McMillan) since '90
Propositional logic (Boolean expressions) + temporal operators
Branching-time concept

6. Model-Checking 10: 6.2 CTL
CTL temporal operators are combinations of
  X, G, F, and
  path quantifiers E (existential) and A (universal)
  – Examples: EX, AX, EG, AG, EF, AF
The CTL operators can be nested and combined with Boolean expressions
  – Examples: EX(a + b), p + AX(b·c), AX(AF(b))

6. Model-Checking 11: 6.2 CTL
AX(p) characterizes all states where p is certain in the next step
EX(p) characterizes all states where p is possible in the next step
[Figure: a state and its successor states; EX(p) holds if some successor satisfies p, AX(p) if all successors satisfy p]

6. Model-Checking 12: 6.2 CTL
  – Example: AX(s_2) = ?
[Figure: state diagram over the state variables s_1 s_2 with states 00, 01, 10, 11 and transitions labelled input/output (0/0, 1/0, 0/1)]
AX(s_2) = s_1
6. Model-Checking 13: 6.2 CTL
EF(p): p is reachable (now or later)
[Figure: computation tree with p on some path]

6. Model-Checking 14: 6.2 CTL
EG(p): p holds globally on at least one (infinite) path (now and later)
[Figure: computation tree with p along one infinite path]

6. Model-Checking 15: 6.2 CTL
AF(p): p is inevitable (now or later)
[Figure: computation tree with p on every path]

6. Model-Checking 16: 6.2 CTL
  – Example: EF(s_1*s_2) = ? "Characterize all states from which we can go back to the initial state"
[Figure: state diagram with states 00, 01, 10, 11 and transitions labelled input/output (0/0, 1/0, 0/1)]
EF(s_1*s_2) = s_1 + s_2
6. Model-Checking 17: 6.2 CTL
A CTL formula p characterizes a set of states
Quiz: Which states are characterized by the following CTL-formulas:
  AX(s_2) =
  AG(s_2 + s_1) =
  EG(s_1) =
[Figure: state diagram with states 00, 01, 10, 11 and transitions labelled input/output (0/0, 1/0, 0/1)]

6. Model-Checking 18: 6.2 CTL
AG(p): p holds always (now and later)
[Figure: computation tree with p in every state]

6. Model-Checking 19: 6.2 CTL
  – Example: EG(s_1) = ? "Characterize all states from which there exists an infinite path where s_1 = 0"
[Figure: state diagram with states 00, 01, 10, 11 and transitions labelled input/output (0/0, 1/0, 0/1)]
EG(s_1) = s_1

6. Model-Checking 20: 6.2 CTL
More operators ...
AU(q,p): p is unavoidable (now or later) and q holds until p
EU(q,p): there exists at least one path where p is reachable (now or later) and q holds until p
[Figure: computation trees annotated with q on the path prefixes and p where the until condition is met]
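As an added example (not code from the lecture), the following explicit-state evaluator implements the CTL operators of slides 11 to 20 in the way the slides describe them: each operator maps a set of states to a set of states, with EX/AX computed directly from the successor relation and EF, AF, EG, AG, EU and AU as fixpoints of EX/AX. The 4-state successor relation below is constructed for this example and is not the diagram from the slides (it is chosen so that AX(s_2) comes out as the set characterized by s_1, as in slide 12). The names `SUCC`, `atom`, `check_all` and the "!" notation for negation are assumptions of this example.

```python
# Added example (not from the lecture): explicit-state CTL operators as
# functions from state sets to state sets over a constructed transition system.

from typing import Dict, FrozenSet, Set

State = str   # "s1s2" as a bit string, e.g. "10" means s_1 = 1, s_2 = 0

# Constructed successor relation; a successor is listed if some input leads
# there.  This is NOT the state diagram of the slides.
SUCC: Dict[State, Set[State]] = {
    "00": {"00", "01"},
    "01": {"10"},
    "10": {"01", "11"},
    "11": {"11"},
}
STATES: FrozenSet[State] = frozenset(SUCC)


def atom(var_index: int, value: str = "1") -> FrozenSet[State]:
    """Characteristic set of a state variable: s_1 is index 0, s_2 is index 1."""
    return frozenset(z for z in STATES if z[var_index] == value)


def neg(p: FrozenSet[State]) -> FrozenSet[State]:
    return STATES - p


def EX(p: FrozenSet[State]) -> FrozenSet[State]:
    """States with at least one successor in p (p is possible in the next step)."""
    return frozenset(z for z in STATES if SUCC[z] & p)


def AX(p: FrozenSet[State]) -> FrozenSet[State]:
    """States whose successors all lie in p (p is certain in the next step)."""
    return frozenset(z for z in STATES if SUCC[z] <= p)


def _least_fixpoint(start, step):
    """Iterate Z := step(Z) from start until nothing changes (finite state space)."""
    z = frozenset(start)
    while True:
        nxt = step(z)
        if nxt == z:
            return z
        z = nxt


def EU(q, p):
    # p reachable on some path with q holding until then: Z = p ∪ (q ∩ EX Z)
    return _least_fixpoint(p, lambda z: z | (q & EX(z)))


def AU(q, p):
    # p unavoidable with q holding until then: Z = p ∪ (q ∩ AX Z)
    return _least_fixpoint(p, lambda z: z | (q & AX(z)))


def EF(p):
    return EU(STATES, p)          # "q holds until p" with q = true


def AF(p):
    return AU(STATES, p)


def EG(p):
    # greatest fixpoint: Z = p ∩ EX Z (an infinite path staying inside p)
    return _least_fixpoint(p, lambda z: z & EX(z))


def AG(p):
    # greatest fixpoint: Z = p ∩ AX Z (p on every state of every path)
    return _least_fixpoint(p, lambda z: z & AX(z))


def check_all() -> Dict[str, list]:
    """Evaluate the operators on the constructed system; sets returned as sorted lists."""
    s1, s2 = atom(0), atom(1)
    return {
        "AX(s2)":         sorted(AX(s2)),
        "EX(s2)":         sorted(EX(s2)),
        "EF(!s1*!s2)":    sorted(EF(neg(s1) & neg(s2))),   # can we get back to 00?
        "AF(s1)":         sorted(AF(s1)),
        "EG(!s1)":        sorted(EG(neg(s1))),             # infinite path with s_1 = 0
        "AG(s1+s2)":      sorted(AG(s1 | s2)),
        "EU(!s2, s1*s2)": sorted(EU(neg(s2), s1 & s2)),
        "AU(!s2, s1*s2)": sorted(AU(neg(s2), s1 & s2)),
    }
```

Because every operator returns a set, nesting works exactly as in the slides' examples: `AX(AF(s1))` or `neg(s1) | AX(s2)` are just function compositions and set operations on the results.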
6. Model-Checking 21: 6.2 CTL
Formal definition of the syntax of CTL:
A Boolean expression is a CTL formula
If f and g are CTL formulas then the negation of f, f*g, f+g, AX(f), EX(f), AF(f), EF(f), AG(f), EG(f), AU(f, g), EU(f, g) are CTL formulas
  – Example: f + AX( AF(f) )
  – Counter example: f + AXF(f)

6. Model-Checking 22: 6.2 CTL
Formal definition of the semantics of CTL
The validity of a CTL formula is relative to a given transition system
A transition system is characterized by its transition relation T,
  T = ∏_{r=1}^{n} ( s_r' ≡ δ_r(s_1, ..., s_n, i_1, ..., i_m) )
  with δ_r the next-state function of storage element s_r
Let S be the set of states given by the set of all possible values of the vector (s_1, ..., s_n) of storage elements
  – Example: for two storage elements we have S = {00, 01, 10, 11}
I and S' are defined correspondingly
We introduce the notation T(S, I, S') for the transition relation

6. Model-Checking 23: 6.2 CTL
AW(q,p) (weak until): p is inevitable (now or later) and q holds until p, or q holds globally
[Figure: computation tree for AW(q,p)]

6. Model-Checking 24: 6.2 CTL
EW(q,p) (weak until): p is reachable (now or later) and q holds until p on this path, or there exists some path where q holds globally
[Figure: computation tree for EW(q,p)]
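The syntax definition of slide 21 can be checked mechanically. The following recursive-descent recogniser is an added example and not code from the lecture: it accepts Boolean expressions over identifiers with + (or) and * or · (and), a prefix "!" assumed here as the notation for negation, the unary operators AX, EX, AF, EF, AG, EG and the binary operators AU, EU and, from slides 23 and 24, AW, EW. It returns a nested tuple for a well-formed formula and raises SyntaxError otherwise, so the slide's example f + AX( AF(f) ) is accepted and the counter example f + AXF(f) is rejected. All function and class names are assumptions of this example.

```python
# Added example (not from the lecture): a recursive-descent recogniser for the
# CTL grammar of the slides.  "!" is assumed as the written form of negation.

import re
from typing import List, Tuple, Union

UNARY = {"AX", "EX", "AF", "EF", "AG", "EG"}
BINARY = {"AU", "EU", "AW", "EW"}
IDENT = re.compile(r"[A-Za-z_]\w*")
TOKEN = re.compile(r"\s*(?:([A-Za-z_]\w*)|([+*·!(),]))")

Node = Union[str, Tuple]   # identifier, or (operator, operand...) tuple


def tokenize(text: str) -> List[str]:
    """Split into identifiers and single-character symbols; reject anything else."""
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected character at {pos}: {text[pos]!r}")
        tokens.append(m.group(1) or m.group(2))
        pos = m.end()
    return tokens


class Parser:
    def __init__(self, text: str):
        self.toks, self.pos = tokenize(text), 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self, expected: str = None) -> str:
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r}")
        self.pos += 1
        return tok

    def formula(self) -> Node:          # formula := term ('+' term)*
        node = self.term()
        while self.peek() == "+":
            self.take()
            node = ("+", node, self.term())
        return node

    def term(self) -> Node:             # term := factor (('*' | '·') factor)*
        node = self.factor()
        while self.peek() in ("*", "·"):
            self.take()
            node = ("*", node, self.factor())
        return node

    def factor(self) -> Node:
        tok = self.take()
        if tok == "!":                                  # negation of a CTL formula
            return ("!", self.factor())
        if tok == "(":                                  # parenthesised formula
            node = self.formula()
            self.take(")")
            return node
        if tok in UNARY:                                # AX(f), EF(f), ...
            self.take("(")
            node = self.formula()
            self.take(")")
            return (tok, node)
        if tok in BINARY:                               # AU(f, g), EU(f, g), ...
            self.take("(")
            f = self.formula()
            self.take(",")
            g = self.formula()
            self.take(")")
            return (tok, f, g)
        if IDENT.fullmatch(tok):                        # Boolean variable
            return tok
        raise SyntaxError(f"unexpected token {tok!r}")


def parse(text: str) -> Node:
    p = Parser(text)
    node = p.formula()
    if p.peek() is not None:          # e.g. "AXF(f)": AXF is a variable, "(" cannot follow it
        raise SyntaxError(f"trailing input {p.peek()!r}")
    return node


def is_ctl(text: str) -> bool:
    try:
        parse(text)
        return True
    except SyntaxError:
        return False
```

The counter example fails for the right reason: AXF is not an operator, so the tokenizer reads it as an ordinary Boolean variable, after which the opening parenthesis is unexpected.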
6. Model-Checking 25: 6.2 CTL
A legal path is a sequence of states z_0, ..., z_n where for each pair of states (z_i, z_{i+1}), 0 ≤ i < n, holds
  ∃I: T(z_i, I, z_{i+1}) = 1
This means that the transition from z_i to z_{i+1} is possible ("legal") for the system defined by T for at least one input combination I
A legal path obviously consists of a sequence of legal transitions
If we talk about "paths" we always mean "legal paths" in the following

6. Model-Checking 26: 6.2 CTL
A CTL formula generally characterizes a set of states
In the case of Boolean expressions, a Boolean expression p is viewed as a characteristic function as usual
  – e.g., the Boolean expression s_1 characterizes the states 10 and 11 if we have two flipflops s_1 and s_2
We introduce the notation T, z |= p to denote that the CTL formula p characterizes a state z of a transition system T
A CTL formula is a "state formula"
A CTL operator is a functional which maps characteristic functions to characteristic functions

6. Model-Checking 27: 6.2 CTL
A state z_0 is characterized by AX(p), T,z_0 |= AX(p), iff for all paths z_0, z_1, ... we have T,z_1 |= p
A state z_0 is characterized by EX(p), T,z_0 |= EX(p), iff for at least one path z_0, z_1, ... we have T,z_1 |= p
[Figure: z_0 with its successor states z_1, illustrating EX(p) and AX(p)]

6. Model-Checking 28: 6.2 CTL
A state z_0 is characterized by AF(p), T,z_0 |= AF(p), iff for all paths z_0, z_1, ... there exists some state z_n, 0 ≤ n, so that T,z_n |= p
etc.
[Figure: computation tree for AF(p)]
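The transition relation of slide 22 and the legal-path definition of slide 25 can be built concretely. The following is an added example, not code from the lecture: it tabulates T(S, I, S') as the product of s_r' ≡ δ_r(S, I) over all storage elements of a small constructed circuit (two flipflops s_1, s_2 and one input i_1 with made-up next-state functions), derives the legal transitions with "∃I: T(z, I, z') = 1", checks candidate paths, and views a Boolean expression as a characteristic function as on slide 26. The circuit, its next-state functions and all function names are assumptions of this example.

```python
# Added example (not from the lecture): building T(S, I, S') from next-state
# functions and deciding legal transitions and paths.  The circuit is constructed.

from itertools import product
from typing import Callable, Dict, List, Set, Tuple

Bits = Tuple[int, ...]

N_STATE_BITS, N_INPUT_BITS = 2, 1

# Constructed next-state functions δ_r(s_1, s_2, i_1): s_1' = s_2, s_2' = s_1 XOR i_1
DELTA: List[Callable[[Bits, Bits], int]] = [
    lambda s, i: s[1],
    lambda s, i: s[0] ^ i[0],
]


def all_vectors(n: int) -> List[Bits]:
    """All 2^n value vectors, e.g. S = {00, 01, 10, 11} for n = 2."""
    return list(product((0, 1), repeat=n))


def bits_to_str(v: Bits) -> str:
    return "".join(map(str, v))


def transition_relation(delta=DELTA) -> Dict[Tuple[Bits, Bits, Bits], int]:
    """T(S, I, S') = ∏_r (s_r' ≡ δ_r(S, I)), tabulated over every (S, I, S') triple."""
    T = {}
    for s, i, s_next in product(all_vectors(N_STATE_BITS),
                                all_vectors(N_INPUT_BITS),
                                all_vectors(N_STATE_BITS)):
        # the product of equivalences is 1 iff every storage element agrees
        T[(s, i, s_next)] = int(all(s_next[r] == delta[r](s, i)
                                    for r in range(N_STATE_BITS)))
    return T


def legal_successors(T) -> Dict[str, Set[str]]:
    """z -> z' is legal iff there exists an input I with T(z, I, z') = 1."""
    succ: Dict[str, Set[str]] = {bits_to_str(s): set() for s in all_vectors(N_STATE_BITS)}
    for (s, i, s_next), value in T.items():
        if value:                                   # ∃I: T(z, I, z') = 1
            succ[bits_to_str(s)].add(bits_to_str(s_next))
    return succ


def is_legal_path(T, path: List[str]) -> bool:
    """A path z_0, ..., z_n is legal iff every consecutive pair is a legal transition."""
    succ = legal_successors(T)
    return all(b in succ[a] for a, b in zip(path, path[1:]))


def characterized_states(expr: Callable[[Bits], bool]) -> Set[str]:
    """A Boolean expression as characteristic function: the states where it is 1."""
    return {bits_to_str(s) for s in all_vectors(N_STATE_BITS) if expr(s)}


def summary() -> dict:
    T = transition_relation()
    return {
        "transitions": sum(T.values()),           # one s' per (s, i): 4 states * 2 inputs
        "successors": legal_successors(T),
        "s1 states": characterized_states(lambda s: s[0] == 1),   # slide 26: {10, 11}
    }
```

Note that T contains exactly one 1-entry per (S, I) pair because the circuit is deterministic; non-determinism would appear as several S' for the same (S, I), and the legal-successor relation would still be obtained by the same existential quantification over I.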