
Published by Abel Mackrell. Modified over 5 years ago.

1
Algorithmic Software Verification VII. Computation tree logic and bisimulations

2
Motivation
See McMillan's thesis, where he models a synchronous fair bus arbiter circuit (see the table there: number of states, BDD size and time). He wants to check:
- No two acks are asserted simultaneously
- Every persistent request is eventually acknowledged
- Ack is not asserted without a request
These are not really safety/reachability properties, so how do we state and check such specifications? Temporal logics!

3
References
Ken McMillan. Symbolic Model Checking: An Approach to the State Explosion Problem. PhD thesis, 1992.

4
Model: Kripke structures
Finite state machines over boolean variables, with the input alphabet ignored.
FSM = (X, {true, false}^X, Q, Q_in, λ, δ)
- X: finite set of variables/propositions; {true, false}^X is the set of valuations of X
- Q: finite set of states
- Q_in ⊆ Q: set of initial states
- λ: labelling; for each q ∈ Q, λ(q) is a function that maps each x ∈ X to true or false
- δ ⊆ Q × Q: transition relation (we write q → q' for δ(q, q'))

5
CTL: Syntax
Fix X, the set of atomic propositions. CTL(X):
f, g ::= p | ¬f | f ∧ g | f ∨ g | EX f | AX f | E(f U g) | A(f U g)
Intuitively:
- EX f: some successor state satisfies f
- AX f: every successor state satisfies f
- E(f U g): along some path, f holds until g holds
- A(f U g): along every path, f holds until g holds

6
CTL: Syntax
Additional derived operators:
- EF f: there is some reachable state where f holds (reachability). EF f ≡ E(true U f)
- AG f: in every reachable state, f holds (safety). AG f ≡ ¬E(true U ¬f)
- EG f: there is some path along which f always holds. EG f ≡ ¬A(true U ¬f)
- AF f: along every path, f eventually holds. AF f ≡ A(true U f)
Actually EX, EG and EU are sufficient: AX f ≡ ¬EX ¬f, AF f ≡ ¬EG ¬f, and A(f U g) ≡ ¬E(¬g U (¬f ∧ ¬g)) ∧ ¬EG ¬g.

7
CTL: Examples
Express each of the arbiter properties as a CTL formula:
- ack1 and ack2 are never asserted simultaneously
- Every request req is eventually acknowledged by an ack
- ack is not asserted without a request

8
CTL: Examples
- ack1 and ack2 are never asserted simultaneously: AG(¬(ack1 ∧ ack2))
- Every request req is eventually acknowledged by an ack: AG(req → AF ack)
- ack is not asserted without a request: ¬E(¬req U ack), i.e. no path reaches an ack before a req has been seen

9
Semantics
FSM = (X, {true, false}^X, Q, Q_in, λ, δ)
With every f associate the set of states of a Kripke structure M that satisfy f:
- M, s |= p iff λ(s)(p) = true
- M, s |= f ∨ g iff M, s |= f or M, s |= g
- M, s |= ¬f iff M, s ⊭ f
- M, s |= EX f iff there is an s' with δ(s, s') and M, s' |= f
- M, s |= EF f iff there is an s' reachable from s such that M, s' |= f

10
Semantics
- M, s |= E(f U g) iff there is an infinite path s = s1 s2 ... in M and a k ≥ 1 such that M, sk |= g and M, si |= f for every i < k
- M, s |= A(f U g) iff for every infinite path s = s1 s2 ... in M there is a k ≥ 1 such that M, sk |= g and M, si |= f for every i < k

11
Bisimulations
Let M = (X, Q, Q_in, λ, δ) and M' = (X, Q', Q_in', λ', δ') be two Kripke structures over the same propositions X (they may be the same structure). A bisimulation relation is a relation R ⊆ Q × Q' such that:
- For every (q, q') in R, λ(q) = λ'(q')
- If (q, q') is in R and q → q1 in M, then there is a q1' in Q' such that q' → q1' in M' and (q1, q1') is in R
- If (q, q') is in R and q' → q1' in M', then there is a q1 in Q such that q → q1 in M and (q1, q1') is in R
Fact: If R and R' are bisimulation relations, then so is R ∪ R'.

12
Bisimulations
Let R* be the largest bisimulation relation: R* = ∪{R | R is a bisimulation relation}. By the fact above, R* is itself a bisimulation, so it is the largest one.
If q is in Q and q' is in Q', then q and q' are bisimilar iff (q, q') is in R*. Denoted: q ~ q'.
Two models (each with a single initial state) are bisimilar if q_in ~ q_in'.

13
Bisimulations
Let M = (X, Q, q_in, λ, δ) be a model with a single initial state. The unfolding of M, unf(M), is a tree model:
- Nodes: xq where x is in Q* (a node is a finite sequence of states, named by the path that reaches it)
- Edges: xq → xqq' iff q → q' in M
- Initial node: q_in
- λ'(xq) = λ(q)
Claim:
- M and unf(M) are bisimilar
- For each node xq, q ~ xq

14
CTL and bisimilarity
Lemma: Let f be a CTL formula. Let q in Q and q' in Q' be two states such that q ~ q'. Then M, q |= f iff M', q' |= f.
Proof: By induction on the structure of f. The atomic case uses λ(q) = λ'(q'); the EX and EU cases use the two transfer conditions of R* to carry a witnessing successor or path from one model to the other.

15
CTL and bisimilarity
CTL can distinguish between models that exhibit the same sequential behaviours (the same set of label sequences). Hence CTL is a branching-time logic, not a linear-time logic.
What is the right notion of behaviour of a model?
- The set of strings exhibited by it
- The tree unfolding of the model
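The largest bisimulation of slide 12, computed as a greatest fixpoint, on two constructed models that have exactly the same label sequences but are not bisimilar. This is an added example, not code from the lecture; the dict encoding of a Kripke structure and the state names s0..s3 and t0..u3 are assumptions. The separating CTL formula is AX(EX p ∧ EX q): it holds in s0 but not in t0, which by the lemma above is itself a proof that s0 and t0 are not bisimilar.

```python
# Greatest bisimulation R* as a fixpoint, and the traces of a model, on two
# constructed examples (state names and the dict encoding are assumptions).

def kripke(delta, labels, init):
    """delta: state -> successors, labels: state -> set of true propositions,
    init: the single initial state."""
    return {"Q": set(labels), "init": init,
            "delta": {q: set(delta.get(q, ())) for q in labels},
            "label": {q: frozenset(v) for q, v in labels.items()}}

def largest_bisimulation(M, N):
    """R* computed top-down: begin with every label-compatible pair and delete
    pairs that violate one of the two transfer conditions until nothing changes.
    The survivors form a bisimulation, and every bisimulation is contained in it."""
    R = {(q, r) for q in M["Q"] for r in N["Q"] if M["label"][q] == N["label"][r]}
    changed = True
    while changed:
        changed = False
        for (q, r) in sorted(R):
            # every move of q must be matched by a move of r inside R, and vice versa
            fwd = all(any((q1, r1) in R for r1 in N["delta"][r]) for q1 in M["delta"][q])
            bwd = all(any((q1, r1) in R for q1 in M["delta"][q]) for r1 in N["delta"][r])
            if not (fwd and bwd):
                R.discard((q, r))
                changed = True
    return R

def bisimilar(M, N):
    """Two models are bisimilar iff their initial states are related by R*."""
    return (M["init"], N["init"]) in largest_bisimulation(M, N)

def traces(M, n):
    """All label sequences of length n along paths from the initial state."""
    out = set()
    def go(q, acc):
        if len(acc) == n:
            out.add(tuple(acc))
            return
        for q1 in sorted(M["delta"][q]):
            go(q1, acc + [M["label"][q1]])
    go(M["init"], [M["label"][M["init"]]])
    return out

# M1 branches after one step; M2 commits to p or q in its first step.
# Every state has a successor (self-loops on the leaves), so all paths are infinite.
M1 = kripke({"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s2"], "s3": ["s3"]},
            {"s0": [], "s1": [], "s2": ["p"], "s3": ["q"]}, "s0")
M2 = kripke({"t0": ["t1", "u1"], "t1": ["t2"], "u1": ["u3"], "t2": ["t2"], "u3": ["u3"]},
            {"t0": [], "t1": [], "u1": [], "t2": ["p"], "u3": ["q"]}, "t0")

def same_traces_but_not_bisimilar(M, N, depth=6):
    """Trace equality up to the given depth together with non-bisimilarity."""
    return (all(traces(M, n) == traces(N, n) for n in range(1, depth + 1))
            and not bisimilar(M, N))

if __name__ == "__main__":
    print(sorted(largest_bisimulation(M1, M2)))   # [('s2', 't2'), ('s3', 'u3')]
    print(same_traces_but_not_bisimilar(M1, M2))  # True
```

The fixpoint starts from the largest candidate relation and only ever removes pairs, so it terminates after at most |Q|·|Q'| deletions; the pair (s1, t1) dies first because s1 can move to a q-state while t1 cannot, and (s0, t0) dies in the next round because its only move can no longer be matched.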

16
Model-checking CTL
Given M and f, compute the set ║f║ of all states of M that satisfy f, by induction on the structure of f:
- ║p║ = states where p holds
- ║f ∨ g║ = ║f║ ∪ ║g║
- ║¬f║ = Q − ║f║, the complement of ║f║
- ║EX f║ = the set of states s that have a successor s' in ║f║

17
Model-checking CTL
║E(f U g)║: Take the set X = ║g║. Repeat { add to X the states that satisfy f and have a successor in X } until X reaches a fixpoint. This is the least fixpoint, so only states with a genuine finite witness path get added.

18
Model-checking CTL
║EG f║: Let M' be M restricted to the states satisfying f. A state s satisfies EG f iff s is in M' and there is a path in M' from s to a nontrivial SCC of M', i.e. one that contains a cycle (a single state with a self-loop counts). Reaching such an SCC is exactly what gives an infinite path on which f holds throughout.

19
Model-checking CTL
Model-checking CTL can be done in time O(|f| · |M|).
- The number of subformulas of f is O(|f|), and each is processed once, bottom-up.
- ║p║, ║f ∨ g║, ║¬f║ and ║EX f║ are easy (one pass over the states/transitions).
- ║E(f U g)║: start with the set T of states satisfying g and put them in ║E(f U g)║. In each round, take a state out of T and add its predecessors that satisfy f (and are not yet in the result) both to T and to ║E(f U g)║. Each state is processed only once, so this is linear time.

20
Model-checking CTL
║EG f║:
- Construct M'.
- Partition M' into SCCs using Tarjan's algorithm.
- Starting from the states in nontrivial SCCs, work backwards adding predecessors that satisfy f.
- Linear time.
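The bottom-up algorithm of slides 16 to 20 as an added example (not the course's code): an explicit-state checker with the worklist computation of E(f U g) and the SCC-based computation of EG f, run against a constructed two-client arbiter abstraction (not McMillan's circuit) with the three specifications of slide 8, against a faulty variant of it with a spurious acknowledge, and against two constructed trace-equivalent models that a CTL formula tells apart. The tuple encoding of formulas, the state names and the arbiter transitions are assumptions.

```python
from collections import deque

# Formulas are tuples; EX, EU and EG are primitive, the rest derived (slide 6).
TRUE = ("true",)
def P(name): return ("p", name)
def NOT(f): return ("not", f)
def AND(f, g): return ("and", f, g)
def IMPLIES(f, g): return ("or", NOT(f), g)
def EX(f): return ("EX", f)
def EU(f, g): return ("EU", f, g)
def EG(f): return ("EG", f)
def AX(f): return NOT(EX(NOT(f)))
def EF(f): return EU(TRUE, f)
def AG(f): return NOT(EF(NOT(f)))
def AF(f): return NOT(EG(NOT(f)))

class Kripke:
    """delta: state -> successors, labels: state -> propositions true there.
    Predecessors are precomputed so EU/EG can walk transitions backwards."""
    def __init__(self, delta, labels):
        self.Q = set(labels)
        self.delta = {q: set(delta.get(q, ())) for q in self.Q}
        self.label = {q: set(v) for q, v in labels.items()}
        self.pred = {q: set() for q in self.Q}
        for q, succs in self.delta.items():
            for q1 in succs:
                self.pred[q1].add(q)

def sat(M, f):
    """States of M satisfying f, by structural recursion on f (slide 16)."""
    op = f[0]
    if op == "true": return set(M.Q)
    if op == "p": return {q for q in M.Q if f[1] in M.label[q]}
    if op == "not": return M.Q - sat(M, f[1])
    if op == "and": return sat(M, f[1]) & sat(M, f[2])
    if op == "or": return sat(M, f[1]) | sat(M, f[2])
    if op == "EX":
        S = sat(M, f[1])
        return {q for q in M.Q if M.delta[q] & S}
    if op == "EU": return sat_eu(M, sat(M, f[1]), sat(M, f[2]))
    if op == "EG": return sat_eg(M, sat(M, f[1]))
    raise ValueError(f"unknown operator {op}")

def sat_eu(M, F, G):
    """E(f U g): worklist from G adding F-predecessors; every state is
    enqueued at most once, so the pass is linear in |M| (slide 19)."""
    result, work = set(G), deque(G)
    while work:
        s = work.popleft()
        for t in M.pred[s]:
            if t in F and t not in result:
                result.add(t)
                work.append(t)
    return result

def sat_eg(M, F):
    """EG f: restrict M to F, find nontrivial SCCs with Tarjan, then collect
    the F-states that can reach one of them inside F (slides 18 and 20)."""
    index, low, stack, onstack, seeds, counter = {}, {}, [], set(), set(), 0
    def strong(v):
        nonlocal counter
        index[v] = low[v] = counter; counter += 1
        stack.append(v); onstack.add(v)
        for w in M.delta[v] & F:          # transitions of M restricted to F
            if w not in index:
                strong(w); low[v] = min(low[v], low[w])
            elif w in onstack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop(); onstack.discard(w); comp.add(w)
                if w == v: break
            # nontrivial: more than one state, or a single state with a self-loop
            if len(comp) > 1 or any(u in M.delta[u] for u in comp):
                seeds.update(comp)
    for v in sorted(F):
        if v not in index: strong(v)
    return sat_eu(M, F, seeds)

# Constructed round-robin abstraction of a two-client arbiter (not McMillan's):
# a request stays asserted until acknowledged; r12 = both clients requesting.
ARB = {"idle": ["idle", "r1", "r2", "r12"], "r1": ["a1"], "a1": ["idle"],
       "r2": ["a2"], "a2": ["idle"], "r12": ["a1b"], "a1b": ["r2"]}
LAB = {"idle": [], "r1": ["req1"], "a1": ["req1", "ack1"], "r2": ["req2"],
       "a2": ["req2", "ack2"], "r12": ["req1", "req2"], "a1b": ["req1", "req2", "ack1"]}
GOOD = Kripke(ARB, LAB)
# Faulty variant: a spurious acknowledge state reachable with no request pending.
BAD = Kripke({**ARB, "idle": ARB["idle"] + ["spur"], "spur": ["idle"]}, {**LAB, "spur": ["ack1"]})

SPECS = {  # the three properties of slide 8, written for client 1
    "mutex": AG(NOT(AND(P("ack1"), P("ack2")))),
    "live1": AG(IMPLIES(P("req1"), AF(P("ack1")))),
    "nospur1": NOT(EU(NOT(P("req1")), P("ack1"))),
}

def check(M, init="idle"):
    """Does the initial state satisfy each specification?"""
    return {name: init in sat(M, f) for name, f in SPECS.items()}

# Two constructed models with the same label sequences ({} {} then p forever or
# q forever) that AX(EX p ∧ EX q) separates: true in s0, false in t0 (slide 15).
M1 = Kripke({"s0": ["s1"], "s1": ["s2", "s3"], "s2": ["s2"], "s3": ["s3"]},
            {"s0": [], "s1": [], "s2": ["p"], "s3": ["q"]})
M2 = Kripke({"t0": ["t1", "u1"], "t1": ["t2"], "u1": ["u3"], "t2": ["t2"], "u3": ["u3"]},
            {"t0": [], "t1": [], "u1": [], "t2": ["p"], "u3": ["q"]})
SPLIT = AX(AND(EX(P("p")), EX(P("q"))))
```

Running `check(GOOD)` gives all three properties true; `check(BAD)` keeps mutual exclusion and liveness but fails `nospur1`, because idle (where req1 is false) now has the ack1-labelled state as a direct successor, so E(¬req1 U ack1) holds there. `sat` recomputes shared subformulas on each use; to get the O(|f| · |M|) bound of slide 19, memoize the result per subformula so each is labelled once, bottom-up.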
