Supporting material for Model checking Jean Pichon-Pharabod that - PDF document

Supporting material for Model checking Jean Pichon-Pharabod that provides the value. This diagram gives a very static, top-down picture, but it is the feedback checker model expert human in temporal logic temporal model M artefact desired goal Motivation This document contains the nitty-gritty details. 2019/2020 1 specifjcation ψ OK ( M � ψ ) | NO (+maybe a counterexample)

7 transition (it is empty) def The initial temporal model 7.2.1 Corner cases 7.2 with abstraction. Temporal models 7.1.1 left-total state labelling Remarks 2 states initial states 7.1 Defjnition def AP , . . . ∈ Set TModel ∈ Set → Set M , . . . ∈ TModel AP = ( S ∈ Set ) × ( S 0 ∈ S → Prop ) × ( ← T ⇐ ∈ S → S → Prop ) × ( ℓ ∈ S → AP → Prop ) × ( ∀ s ∈ S. ∃ s ′ ∈ S. s T s ′ ) Elements of AP are denoted p, . . . . Elements of S are denoted s, . . . . Some defjnitions require S to be fjnite. Some defjnitions require ℓ to be boolean-valued, and interpret s not being labelled with p as s being labelled with ¬ p . However, this is not compatible ∈ ( AP ∈ Set ) → TModel AP 0 ← � � 0 , s �→ † , s 0 �→ s 1 �→ † , = 0 AP s �→ p �→ † , . . .

7.2.2 def The terminal temporal model Useful notions 7.3.1 Paths (Infjnite) paths def Path AP M 7.3.2 Exercise: It is not unique! (only unique up to bisimulation) — can you Reachable states Because the transition relation is left-total, these infjnite paths are “com- plete”, in that they coincide with reachability: def 7.3.3 Stuttering A temporal model is stuttering when all states loop back to themselves: fjnd another (interestingly difgerent) one? 7.3 3 def { p 2 } { p 1 , p 2 } { p 1 } ∈ ( AP ∈ Set ) → TModel AP ✶ ← � � { p 3 } AP → B , s �→ ⊤ , ∅ s 0 �→ s 1 �→ ⊤ , = ✶ AP { p 1 , p 3 } s �→ p �→ s p, . . . . . . { p 2 , p 3 } { p 1 , p 2 , p 3 } IsPath ∈ ( AP ∈ Set ) → ( M ∈ TModel AP ) → stream ( M � S ) → Prop = ( ∀ n ∈ N . ( π n ) M � T ( π ( n + 1))) IsPath AP M π Path ∈ ( AP ∈ Set ) → TModel AP → Set = ( π ∈ stream M � S ) × IsPath AP M π Reachable ∈ ( AP ∈ Set ) → ( M ∈ TModel AP ) → M � S → Prop Reachable AP M s = ∃ π ∈ stream M � S, n ∈ N . IsPath AP M π ∧ M � S 0 ( π 0) ∧ s = π n

4 Cfg def stuttering AP M If the temporal model is not stuttering, then we can count transitions. This is only sound if they exactly match those of the system being anal- ysed [ ? ]. 7.4 Temporal models from operational semantics AP Interesting atomic properties could be along the lines of def step def stuttering ∈ ( AP ∈ Set ) → TModel AP → Prop = ∀ s ∈ M � S. s M � T s C, . . . ∈ Cmd ::= . . . σ, . . . ∈ Stack = Var → Z Cmd × Stack = ∈ Cfg → Cfg → Prop X, Y, Z, . . . ∈ Var v ∈ Z · = v | ::= X · = Y | X · < Y | X · · X + Y < Z | · · × Y < Z | X . . . We write s � AP p when a stack s satisfjes p . Given an initial stack σ 0 , we can build � � Cfg , s �→ s = � C 0 , σ 0 � , s 0 �→ s 1 �→ step s 0 s 1 , s �→ p �→ s � stack � AP p, . . .

7.5 Assuming the registers are initially both set to 1: set to 0: not xor and or not Temporal models from circuits Other example circuit 7.5.2 5 other example circuit 1 not 7.5.1 Another circuit, with input arity 1. nand xor r 0 r 1 x y { r 0 , r 1 } ∅ { r 1 } { r 0 } r 0 r 2 r 1 y x Assuming registers r 0 and r 2 are initially both set to 1, and r 1 is initially { r 0 , r 1 , r 2 } { r 0 , r 1 } { r 0 } { r 2 , r 0 } { r 2 } ∅

7.5.3 def Statics Well-formedness condition for simple circuits: def 6 We consider a very simple circuit language: G, . . . ∈ Gate ::= id | join | not | and | or | xor | nor | nand | reg | in | out C, . . . ∈ SCircuit ( i, o ∈ N ) = ( N ∈ Set ) × ( I ∈ NoDupList N ) × ( O ∈ NoDupList N ) × ( ℓ ∈ N → Gate ) × ( w ∈ N → N → Prop ) × ( wf N I O ℓ w ) wf N I O ℓ w = disjoint I O ∧ ( ∀ n, n ′ . w n n ′ → w n ′ n ) ∧ w n n ′ ∧      ∀ n, n ′ , n ′′ ∈ N. w n n ′′ ∧  → n ′ = n ′′  ∧  ℓ n = not . . .

7.5.4 def def def RMap def IOs def Types of the dynamics Regs 7 Defjning the dynamic semantics is most straightforwardly done using a tem- IO poral model. def Reg ∈ SCircuit → Set Reg C = ( n ∈ C � N ) × ( C � ℓ n = reg ) ∈ SCircuit → Set IO C = ( n ∈ C � N ) × ( C � ℓ n = in ∨ B C � ℓ n = out ) ∈ SCircuit → Set Regs C = ✶ → Reg C ∈ SCircuit → Set IOs C = ✶ → IO C ∈ SCircuit → Set s, . . . ∈ RMap C = Regs C → B I, . . . ∈ InputValuation C = ( n ∈ C � N ) → ( C � ℓ n = in ) → B

7.5.5 the wire outgoing value agrees with the previous register state def ???internal model Dynamics the wire ingoing value agrees with the new register state and the corresponding conditions for other operators... values the wire outgoing value for an and is the conjunction of the wire ingoing 8 T the wire valuation agrees with the input wire valuation ∈ ( i, o ∈ N ) → ( C ∈ SCircuit i o ) → InputValuation C → RMap C → RMap C → Prop T i o C I s s ′ def = ∃ W ∈ ( n ∈ C � N ) → ( n ′ ∈ C � N ) → ( C � w n n ′ = ⊤ B ) → B . ( ∀ n, n ′ . C � ℓ n = in → W n n ′ = I n ) ∧ ( ∀ n, n ′ . C � ℓ n = reg ∧ C � w i o n n ′ → W n n ′ = s n ) ∧ ( ∀ n 1 n 2 , n 3 , n 4 . C � ℓ n 3 = and → W n 3 n 4 = W n 1 n 3 ∧ B W n 2 n 3 ) ∧ ( ∀ n, n ′ . C � ℓ n ′ = reg ∧ C � w n n ′ → W n n ′ = s ′ n ′ ) model ∈ ( i, o ∈ N ) → SCircuit i o → ( AP ∈ Set ) × TModel AP � � � � RMap C, ( n �→ ⊥ B ) , s �→ s ′ �→ ∃ I. T i o C I s s ′ , Regs C, = model i o C ( s �→ n �→ s n = ⊤ B ) , . . . or we could have IOs C as the labels, giving a ??? view

7.6 Distributed algorithms operational semantics def NetworkState then we can defjne If we have 9 T 1 ms 1 2 ms 2 1 ms 1 0 T 2 ms 1 3 ms 1 4 ms 2 0 ms 0 1 ms 0 2 ms 2 3 ms 2 4 T 0 ms 0 3 ms 3 1 ms 3 2 ms 0 4 ms 4 1 ms 4 2 ms 3 0 T 3 ms 4 0 ms 3 4 ms 4 3 T 4 m, . . . ∈ Msg ∈ Set st , . . . ∈ NodeState ∈ Set i, . . . ∈ NodeId ∈ Set → node ∈ ( NodeState × Id × Msg ) → NodeState × ( NodeId → Msg → Prop ) → Prop = ( NodeId → NodeState ) × ( NodeId → NodeId → Msg → Prop ) ∀ i, i ′ , m. X ′ i i ′ m → X i i ′ m �T , X � → �T , X ′ � � T i, i, m � → node � S ′ , ms � ∀ i ′ , i ′′ , m. X ′ i ′ i ′′ m ↔ ( X i ′ i ′′ m ∨ ( i ′ = i ∧ ms i ′′ m )) �T , X � → �T [ i �→ S ′ ] , X ′ �

7.7 IF X state property IF injs disjunction IF Temporal models from cryptographic protocols conjunction next IF IF existential IF E universal IF IF F atomic predicate IF IF - p IF - s using two auxiliary mutually inductive predicates IF IF - s IF StateProp 8.2 IF until IF IF generally IF G future A 10 false StateProp IF IF true IF IF conjunction IF PathProp Temporal logics injp disjunction [ ? ] IF 8 8.1 Syntax of CTL ∗ IF IF ∈ Set → Set IF ∈ Set → Set ψ IF , . . . ∈ StateProp IF AP ::= φ IF , . . . ∈ PathProp IF AP ::= IF - p φ ⊥ | 1 ∧ 2 | φ IF - p φ ⊤ | φ 1 ∨ 2 | IF - s ψ IF ψ 1 ∧ 2 | | ψ IF - s ψ IF φ 1 ∨ 2 | | ψ IF p IF φ | | IF φ IF φ | | IF φ IF φ φ 1 U 2 Semantics of CTL ∗ IF We defjne whether M satisfjes ψ , ∈ ( AP ∈ Set ) → TModel AP → ⇐ � ← ⇚ IF AP → Prop = ∀ s ∈ M � S. M � S 0 s → s � M � AP ψ AP , M ψ IF def ← , ⇐ ⭅ ∈ ( AP ∈ Set ) → ( M ∈ TModel AP ) → ⇚ � M � S → StateProp IF AP → Prop ← , ⇐ ⭅ ∈ ( AP ∈ Set ) → ( M ∈ TModel AP ) → ⇚ � stream M � S → PathProp IF AP → Prop

8.2.1 IF - p IF - p IF IF - p IF IF - p def IF IF IF - p IF def 8.2.2 IF IF IF - p def IF IF - s IF IF - p def IF IF - s def IF - s IF def IF - s IF - p IF IF - p IF IF - p def IF IF IF - p IF IF - p def IF IF IF - p IF - p def IF IF - p IF IF - p def IF IF - p IF IF - p IF IF IF - s 11 IF - s IF def IF IF IF - s IF - s IF IF - s def IF IF def IF - s IF IF - s IF - s IF IF def Semantics of CTL ∗ IF : state properties AP , M ⊤ = ⊤ s � s � AP , M ⊥ = ⊥ IF - s ψ � � � � s � AP , M ψ 1 ∧ = s � AP , M ψ ∧ s � AP , M ψ 2 1 2 IF - s ψ � � � � 1 ∨ = ∨ s � AP , M ψ s � AP , M ψ s � AP , M ψ 2 1 2 IF p = M � ℓ s p s � AP , M injp � ∀ π ∈ stream M � S. � IF φ s � = AP , M A IsPath AP M π → π 0 = s → π � AP , M φ  ∃ π ∈ stream M � S.  IF φ = IsPath AP M π ∧ π 0 = s ∧ s �   AP , M E π � AP , M φ Semantics of CTL ∗ IF : path properties IF ψ = ( π 0) � π � AP , M ψ AP , M injs � � � � IF - p φ π � AP , M φ 1 ∧ = π � AP , M φ ∧ π � AP , M φ 2 1 2 � � � � IF - p φ 1 ∨ ∨ π � AP , M φ = π � AP , M φ π � AP , M φ 2 1 2 IF φ π � = ( tailn M � S 1 π ) � AP , M φ AP , M X IF φ = ∃ n ∈ N . ( tailn M � S n π ) � π � AP , M φ AP , M F IF φ = ∀ n ∈ N . ( tailn M � S n π ) � π � AP , M φ AP , M G IF φ π � AP , M φ = 1 U 2 �� � � ∀ k ∈ N . 0 ≤ k < n → ( tailn M � S k π ) � ∧ AP , M φ 1 ∃ n ∈ N . ( tailn M � S n π ) � AP , M φ 2