Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Published byNathaniel MacLean Modified over 10 years ago

Similar presentations

Presentation on theme: "Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness."— Presentation transcript:

1 Model Checking Lecture 2

2 Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness The three decisions are orthogonal, and they lead to substantially different model-checking problems.

3 If only universal properties are of interest, why not omit the path quantifiers?

4 LTL (Linear Temporal Logic) -safety & liveness -linear time [Pnueli 1977; Lichtenstein & Pnueli 1982]

5 LTL Syntax ::= a | | | | U

6 LTL Model infinite trace t = t 0 t 1 t 2... (sequence of observations)

7 (K,q) |= iff for all t L(K,q), t |= (K,q) |= iff exists t L(K,q), t |= Language of deadlock-free state-transition graph K at state q : L(K,q) = set of infinite traces of K starting at q

8 LTL Semantics t |= aiff a t 0 t |= iff t |= and t |= t |= iff not t |= t |= iff t 1 t 2... |= t |= U iff exists n 0 s.t. 1. for all 0 i < n, t i t i+1... |= 2. t n t n+1... |=

9 X next U U until = true U Feventually = G always W = ( U ) W waiting-for (weak-until) Defined modalities

10 Summary of modalities STL U W CTLall of the above and W U LTL U W

11 Important properties Invariance asafety (pc1=in pc2=in) Sequencing a W b W c W dsafety (pc1=req (pc2 in) W (pc2=in) W (pc2 in) W (pc1=in)) Response (a b)liveness (pc1=req (pc1=in))

12 Composed modalities ainfinitely often a aalmost always a

13 Where did fairness go ?

14 Unlike in CTL, fairness can be expressed in LTL ! So there is no need for fairness in the model. Weak (Buchi) fairness : (enabled taken ) = (enabled taken) Strong (Streett) fairness : ( enabled ) ( taken )

15 Starvation freedom, corrected (pc2=in (pc2=out)) (pc1=req (pc1=in))

16 CTL cannot express fairness a a b b b aa q0q0 q1q1 q2q2

17 LTL cannot express branching Possibility (a b) So, LTL and CTL are incomparable. (There are branching logics that can express fairness, e.g., CTL * = CTL + LTL, but they lose the computational attractiveness of CTL.)

18 -safety (finite runs) vs. liveness (infinite runs) -linear time (traces) vs. branching time (trees) -logic (declarative) vs. automata (operational) System property: 2x2x2 choices

19 Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition relation : S PL(A) where the formulas of PL are ::= a | | for a A

20 Language L(M) of specification automaton M = (S, S 0,, ) : infinite trace t 0, t 1,... L(M) iff there exists a infinite run s 0 s 1... of M such that for all 0 i, t i |= (s i )

21 (K,q) |= L M iff L(K,q) L(M) Linear semantics of specification automata: language containment state-transition graph state of K specification automaton infinite traces

22 finite trace t 0,..., t n L fin (M) iff there exists a finite run s 0 s 1... s n of M such that for all 0 i n, t i |= (s i ) L fin (K,q) = set of finite traces of K starting at q L fin (M) defined as follows:

23 (K,q) |= L M iff L(K,q) L(M) iff L fin (K,q) L fin (M) Proof requires three facts: - K is deadlock-free - every state in K has a transition from it - M is finite-branching: - number of transitions from a state in M is bounded - Konigs lemma - A finite-branching infinite tree has an infinite path

24 (K,q) |= L M iff L fin (K,q) L fin (M) To verify (K,q) |= L M, check finitary trace-containment

25 Invariance specification automaton pc1 in pc2 in

26 One-bounded overtaking specification automaton pc1=out pc1=req pc2 in pc1=req pc2=in pc1=in pc1=req pc2 in

27 Automata are more expressive than logic, because temporal logic cannot count : This cannot be expressed in LTL. (How about a (a a) ?) atrue Let A = { a }

28 aa a aaaa a aaaa

29 aa a aaaa a aa atrue aa

30 aa a aaaa a aa a (a a) aa

31 aa a aaaa a aaaa In fact, no LTL formula with at most two occurrences of can distinguish between the two traces. Proof?

32 Checking language containment between finite automata is PSPACE-complete ! L(K,q) L(M) iff L(K,q) complement( L(M) ) = involves determinization (subset construction)

33 In practice: 1. use monitor automata 2. use simulation as a sufficient condition

34 Monitor Automata Syntax: same as specification automata, except also set E S of error states Semantics: define L(M) s.t. runs must end in error states (K,q) |= C M iff L(K,q) L(M) =

35 Invariance monitor automaton pc1 in pc2 in pc1 = in pc2 = in ERROR

36 One-bounded overtaking monitor automaton pc1=out pc1=req pc2 in pc1=req pc2=in pc1=in pc1=req pc2 in pc1=req pc2=in ERROR

37 Specification automatonMonitor automaton M complement(M) -describe correct traces-describe error traces -check language containment-check emptiness (linear): (exponential) reachability of error states All safety verification is reachability checking.

38 In practice: 1. use monitor automata 2. use simulation as sufficient condition

39 (K,q) |= B M iff there exists a simulation relation R Q S s.t. (q,s) R for some initial state s of M Branching semantics of specification automata: simulation states of K states of M

40 R Q S is a simulation relation iff (q,s) R implies 1.[q] |= (s) 2.for all q s.t. q q, exists s s.t. s s and (q,s) R. [Milner 1974]

41 a a c bc q |= L b true

42 a a c bc q |= B b true

43 (K,q) |= L MM language contains (K,q) : exponential check (K,q) |= B MM simulates (K,q) : quadratic check X involves only traces (hence linear !) involves states (hence branching !)

44 In practice, simulation is usually the right notion. (If there is language containment, but not simulation, this is usually accidental, not by design.)

45 Branching semantics of specification automata, alternative definition: trace-tree containment (K,q) |= B M iff T(K,q) T(M) finite trace trees

46 -safety & liveness (infinite runs !) -specification vs. monitor automata -linear (language containment) vs. branching (simulation) semantics We discuss only the linear specification case. Omega Automata

47 Specification Omega Automata Syntax as for finite automata, in addition an acceptance condition: Buchi:BA S

48 Language L(M) of specification omega-automaton M = (S, S 0,,, BA ) : infinite trace t 0, t 1,... L(M) iff there exists an infinite run s 0 s 1... of M such that 1. s 0 s 1... satisfies BA 2. for all i 0, t i |= (s i )

49 Let Inf(s) = { p | p = s i for infinitely many i }. The infinite run s satisfies the acceptance condition BA iff Buchi:Inf(s) BA

50 (K,q) |= L M iff L(K,q) L(M) Linear semantics of specification omega automata: omega-language containment infinite traces

51 Response specification automaton : (a b) assuming (a b) = false a b b a s1s1 s2s2 s3s3 s0s0 Buchi condition { s 0, s 3 }

52 Response monitor automaton : (a b) assuming (a b) = false a b s1s1 s2s2 Buchi condition { s 2 } s0s0 true

53 a a s0s0 s1s1 Buchi condition { s 0 } a

54 a a s0s0 s1s1 Buchi condition { s 2 } a a s2s2

55 Omega automata are strictly more expressive than LTL. Omega-automata:omega-regular languages LTL: counter-free omega-regular languages

56 atrue ( p) ( p p (p p) (p a)) ( p) ( p(0) p(1) ( t) (p(t) p(t+2)) ( t) (p(t) a(t))) (a; true)

Download ppt "Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 1.

Model Checking Lecture 1.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.

Avoiding Determinization Orna Kupferman Hebrew University Joint work with Moshe Vardi.
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Model Checking and Testing combined

Model Checking and Testing combined
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

Similar presentations

Ads by Google