Model Checking Graph Grammars


Model Checking Graph Grammars
Kaminski, Seidl et al. Muscholl
Estonian Summer School on Computer and Systems Science (ESSCASS), Lecture 3
Arend Rensink, University of Twente

Seen last time
- Visual and textual operational semantics
  - With and without parallelism
  - Statements and expressions with data
- Type graph and instances
  - Graph structure
  - Program graph
  - Frame graph
  - Value graph
- Operational semantics
  - One or two rules per syntax construct
  - Completely modular
ESSCASS Lecture 3, 28 August 2007

Temporal logic
- So far: state properties
  - Invariants
  - Inconsistencies
- More difficult: evolutionary properties
  - In the next state ...
  - After some time ...
  - Never ...
  - Again and again ...
  - Every time this, eventually that
- Predicates and temporal nature are orthogonal (two independent dimensions: predicate logic, temporal logic)
- Today: propositional temporal logic

Example properties: circular buffer
- In every next state, the buffer is nonempty
  - Holds if the current buffer size is not 1 (with size 1, a get yields the empty buffer)
  - "empty" is a proposition
- The empty buffer is always reachable
  - Correct
- The buffer is always emptied again
  - Does not hold: since no fairness is assumed, a path that keeps alternating put and get never returns to the empty buffer
- After every get, eventually there is a put

Not covered: temporal predicates
- Examples:
  - Every value is eventually removed
  - Values are added and removed in FIFO order
- These require quantification outside the temporal modalities

Syntax of the logic (propositional)
State properties
  φ ::= p            proposition p holds in this state
      | φ1 ∨ φ2      disjunction
      | ¬φ           negation
      | A ψ          ψ holds along All paths
      | E ψ          ψ holds along somE path
Path properties
  ψ ::= φ            φ holds in the first state
      | ψ1 ∨ ψ2      disjunction
      | ¬ψ           negation
      | X ψ          ψ holds in the neXt state
      | ψ1 U ψ2      ψ1 holds Until ψ2 holds

Useful auxiliary operators
- Eventually φ holds (liveness)
  - Abbreviation: F φ (in the Future)
  - Equivalent to true U φ
- φ holds always (safety)
  - Abbreviation: G φ (Globally)
  - Equivalent to ¬(F ¬φ)

Example properties
- In the next state, the buffer is nonempty: X ¬empty (or, as a state formula, AX ¬empty)
- The empty buffer is always reachable: AG EF empty
- The buffer is always emptied again: AF empty
- After every get, eventually there is a put: AG (get ⇒ F put)
  - Negation: EF (get ∧ G ¬put)

Semantics of temporal logic
- Interpreted over Kripke structures
  - Quadruple ⟨S, T, P, I⟩ with
    - S a set of states
    - T a set of transitions: T ⊆ S × S
    - P a proposition evaluation: P ⊆ Prop × S
    - I a start state: I ∈ S
- For graph transition systems
  - Transitions are applications of changing rules (LHS and RHS not isomorphic); rule labels are disregarded
  - Propositions are applications of testing rules
  - Distinguished start node

Auxiliary notions
- Paths: sequences s_0 s_1 s_2 ... such that
  - Transitions everywhere: (s_i, s_{i+1}) ∈ T for all i
- We need infinite paths
  - What about final states?
  - Allow stuttering: (s_i, s_{i+1}) ∈ T, or s_i = s_{i+1} and there is no s' with (s_i, s') ∈ T
- All (infinite) paths are considered
  - No notion of fairness or progress
  - Extension: Büchi automata (not covered)

Interpretation of state formulae
- Satisfied by Kripke structure + state
  - Satisfaction relation K, s ⊨ φ
- Defined inductively
  - K, s ⊨ p          if (p, s) ∈ P
  - K, s ⊨ φ1 ∨ φ2    if K, s ⊨ φ1 or K, s ⊨ φ2
  - K, s ⊨ ¬φ         if not K, s ⊨ φ
  - K, s ⊨ A ψ        if K, s_0 s_1 ... ⊨ ψ for all paths with s_0 = s
  - K, s ⊨ E ψ        if K, s_0 s_1 ... ⊨ ψ for some path with s_0 = s
- State component omitted if initial
  - K ⊨ φ is equivalent to K, I ⊨ φ

Schematically
- For a tree-like Kripke structure: some path (E) versus all paths (A)
- For a cyclic Kripke structure there are infinitely many paths; think of the unfolding (which is a tree)
[Figures of the tree-like structure and of the unfolding omitted]

Interpretation of path formulae
- Satisfied by Kripke structure + path
  - Satisfaction relation K, π ⊨ ψ (with π = s_0 s_1 s_2 ...)
- Defined inductively
  - K, π ⊨ φ          if K, s_0 ⊨ φ
  - K, π ⊨ ψ1 ∨ ψ2    if K, π ⊨ ψ1 or K, π ⊨ ψ2
  - K, π ⊨ ¬ψ         if not K, π ⊨ ψ
  - K, π ⊨ X ψ        if K, s_1 s_2 ... ⊨ ψ
  - K, π ⊨ ψ1 U ψ2    if K, s_i s_{i+1} ... ⊨ ψ2 for some i, and K, s_j s_{j+1} ... ⊨ ψ1 for all j < i
- Path component omitted if for all paths starting from the initial state

Schematically
- Path formulae illustrated on a path whose states are labelled p,q / q / p,q / p,r / q,r / ...
  - p
  - X q
  - (p ∨ q) U r
  - F (p ∧ r)
  - G (q ∨ r)
[Figure omitted]
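The path semantics above can be executed directly on one infinite path. The following is an added example (not the lecture's own code): an infinite path is represented as a lasso, a finite prefix followed by a cycle repeated forever, so that a finite run ending in a final state is just the lasso whose cycle is that single stuttering state. The sample path is constructed from the labelled path sketched on the slide, assuming the labelling q,r repeats from the fifth state on; the formulas are the five listed there plus G p as a failing one.

```python
"""Evaluating path formulae (X, U; F and G as abbreviations) on a lasso path.

Added example, not the lecture's code. The suffix of a lasso path at position
i >= len(prefix) equals the suffix at i + len(cycle), which bounds the search
that the Until clause has to perform.
"""
from typing import Dict, FrozenSet, List, Tuple

Formula = Tuple  # ("p",) proposition, ("true",), ("not", f), ("or", f, g), ("X", f), ("U", f, g)
Labelling = FrozenSet[str]


class LassoPath:
    def __init__(self, prefix: List[Labelling], cycle: List[Labelling]):
        assert cycle, "the cycle must be nonempty: paths are infinite"
        self.prefix, self.cycle = list(prefix), list(cycle)

    def labels(self, i: int) -> Labelling:
        """Propositions true in state s_i of the path."""
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def horizon(self) -> int:
        """Every suffix of the path equals a suffix starting less than this far ahead."""
        return len(self.prefix) + len(self.cycle)


def F(f: Formula) -> Formula:
    return ("U", ("true",), f)                 # F f == true U f


def G(f: Formula) -> Formula:
    return ("not", F(("not", f)))              # G f == not F not f


def AND(f: Formula, g: Formula) -> Formula:
    return ("not", ("or", ("not", f), ("not", g)))


def holds(path: LassoPath, psi: Formula, i: int = 0) -> bool:
    """K, s_i s_{i+1} ... |= psi, following the inductive definition on the slide."""
    op = psi[0]
    if op == "true":
        return True
    if op == "not":
        return not holds(path, psi[1], i)
    if op == "or":
        return holds(path, psi[1], i) or holds(path, psi[2], i)
    if op == "X":
        return holds(path, psi[1], i + 1)
    if op == "U":
        # psi2 at some k >= i, psi1 at every position from i up to k - 1.
        # Only positions below i + horizon() need inspecting: a later witness k
        # has the same suffix as k - len(cycle), whose psi1 obligation is weaker.
        for k in range(i, i + path.horizon()):
            if holds(path, psi[2], k):
                return True
            if not holds(path, psi[1], k):
                return False
        return False
    return op in path.labels(i)                # a proposition


# Constructed from the slide's picture: p,q / q / p,q / p,r / then q,r forever.
SLIDE_PATH = LassoPath([frozenset("pq"), frozenset("q"), frozenset("pq"), frozenset("pr")],
                       [frozenset("qr")])
SLIDE_FORMULAS: Dict[str, Formula] = {
    "p": ("p",),
    "X q": ("X", ("q",)),
    "(p or q) U r": ("U", ("or", ("p",), ("q",)), ("r",)),
    "F (p and r)": F(AND(("p",), ("r",))),
    "G (q or r)": G(("or", ("q",), ("r",))),
    "G p": G(("p",)),
}


def evaluate_slide_examples() -> Dict[str, bool]:
    """Truth value of each slide formula on the constructed path."""
    return {name: holds(SLIDE_PATH, f) for name, f in SLIDE_FORMULAS.items()}


if __name__ == "__main__":
    for name, value in evaluate_slide_examples().items():
        print(f"{name:14s} {value}")
```

The bound in the Until clause is what makes the check decidable on an infinite object: because the path is ultimately periodic, any witness position beyond one prefix plus one cycle has an earlier equivalent, so the loop never needs to look further.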

Fragments of temporal logic
- Linear temporal logic (LTL)
  - No quantification over paths
  - Just X and U (hence F and G)
  - Not included: e.g., AG EF empty
- Computation tree logic (CTL)
  - Always quantification over paths
  - Just EX, AX, EU and AU (hence EF, AF, etc.)
  - Not included: e.g., G (get ⇒ F put) as written; the CTL form of this property is AG (get ⇒ AF put)
- Complete logic (CTL*)
  - Quite expressive
  - Model checking complex

Can we answer the question K ⊨ φ?
- For given (arbitrary) K and φ
- This is called the model checking question
- For linear temporal logic (LTL): yes
  - Based on nested depth-first search
  - Complexity: linear in |K|, exponential in |φ|
  - Various optimizations, e.g., on-the-fly checking
- For computation tree logic (CTL): yes
  - Based on fixpoint iteration over sets of states (a backward breadth-first search)
  - Complexity: linear in |K|, linear in |φ|
  - More amenable to symbolic methods (BDDs)

Syntax of CTL
State properties only
  φ ::= true          always true
      | p             proposition p holds in this state
      | φ1 ∨ φ2       disjunction
      | ¬φ            negation
      | AX φ          φ holds in All neXt states
      | EX φ          φ holds in somE neXt state
      | A(φ1 U φ2)    along All paths, φ1 holds Until φ2
      | E(φ1 U φ2)    along somE path, φ1 holds Until φ2
AX and EX are dual (AX φ ≡ ¬EX ¬φ); A(φ1 U φ2) and E(φ1 U φ2) are not dual to each other.

Useful auxiliary operators
- Eventually φ holds (liveness)
  - Abbreviations: AF φ and EF φ (in the Future)
  - Equivalent to A(true U φ), resp. E(true U φ)
- φ holds always (safety)
  - Abbreviations: AG φ and EG φ (Globally)
  - Equivalent to ¬(EF ¬φ), resp. ¬(AF ¬φ)

Interpretation of CTL
- Satisfied by Kripke structure + state
  - Satisfaction relation K, s ⊨ φ
- Defined inductively
  - K, s ⊨ p            if (p, s) ∈ P
  - K, s ⊨ φ1 ∨ φ2      if K, s ⊨ φ1 or K, s ⊨ φ2
  - K, s ⊨ ¬φ           if not K, s ⊨ φ
  - K, s ⊨ AX φ         if K, s' ⊨ φ for all (s, s') ∈ T
  - K, s ⊨ EX φ         if K, s' ⊨ φ for some (s, s') ∈ T
  - K, s ⊨ A(φ1 U φ2)   if for all paths π = s_0 s_1 ... starting in s there is a position k in π such that K, s_i ⊨ φ1 for all i < k and K, s_k ⊨ φ2
  - K, s ⊨ E(φ1 U φ2)   if there is a path π = s_0 s_1 ... starting in s and a position k in π such that K, s_i ⊨ φ1 for all i < k and K, s_k ⊨ φ2
- Caveat: the AX/EX clauses look at T only. For a final state (no outgoing transition) the stuttering convention of the path semantics makes s its own successor, so AX φ there amounts to φ holding in s itself rather than being vacuously true; an implementation has to treat final states consistently with whichever convention it uses for paths.

Model checking question: K, I ⊨ φ?
- Method: compositional (visitor pattern)
  - Let S_φ = { s | K, s ⊨ φ } (the set of states satisfying φ)
  - Given the sets S_i for φ_i (i = 1, 2), compute S_φ for:
    - φ = ¬φ1:        S_φ = S \ S_1
    - φ = φ1 ∨ φ2:    S_φ = S_1 ∪ S_2
    - φ = AX φ1:      S_φ = { s | ∀(s, s') ∈ T: s' ∈ S_1 }
- Problem: Until (φ = A(φ1 U φ2))
  - Due to the quantification over paths: requires an "infinite" amount of knowledge
- Key observation: A(φ1 U φ2) ⇔ φ2 ∨ (φ1 ∧ AX A(φ1 U φ2))
  - S_φ is a solution of X = S_2 ∪ { s ∈ S_1 | ∀(s, s') ∈ T: s' ∈ X }
  - S_φ is the smallest solution of this equation

Fixpoint theory
- Let f be a function mapping sets to sets
  - f is monotonic if X ⊆ Y implies f(X) ⊆ f(Y)
  - X is a fixpoint of f if f(X) = X
  - X is the smallest fixpoint if f(Y) = Y implies X ⊆ Y
  - Notation: μf for the smallest fixpoint of f
- Smallest fixpoints through iteration:
  - let X_0 = ∅               first approximant
  -     X_{i+1} = f(X_i)      next approximants
  - Due to monotonicity, X_i ⊆ X_{i+1}
  - If X_i = X_{i+1}, it is the smallest fixpoint of f
  - If the universe is finite, this always terminates

Until as fixpoint
- Assume S_1 and S_2 are predefined sets
  - Characteristic sets of φ1 and φ2
- Let f_AU be defined by
  - f_AU(X) = S_2 ∪ { s ∈ S_1 | ∀(s, s') ∈ T: s' ∈ X }
- Then: μf_AU = S_φ with φ = A(φ1 U φ2)
  - f_AU is monotonic and the universe is finite
  - So: μf_AU can be calculated through iteration
- What are f_EU, f_AF, f_AG, f_EF, f_EG?
  - In the G cases: largest fixpoint, denoted νf_AG

Example 1
- Property: p U q, computed as A(p U q)
- f_AU(X) = S_q ∪ { s ∈ S_p | ∀(s, s') ∈ T: s' ∈ X } with S_p = {1, 3, 4}, S_q = {2}
- X_0 = ∅
- X_1 = {2}
- X_2 = {2, 3}
- X_3 = {1, 2, 3}
- X_4 = {1, 2, 3}
- Ready after the 4th iteration!
[Figure of the four-state Kripke structure omitted; states 1, 3, 4 are labelled p, state 2 is labelled q]

Example 2
- Property: EG p
- f_EG(X) = S_p ∩ { s | ∃(s, s') ∈ T: s' ∈ X } with S_p = {1, 3, 4}
- S_{EG p} is the largest fixpoint νf_EG!
- X_0 = {1, 2, 3, 4}
- X_1 = {1, 3, 4}
- X_2 = {1, 4}
- X_3 = {4}
- X_4 = {4}
- Ready after the 4th iteration!
[Figure of the same four-state Kripke structure omitted]
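The compositional algorithm of the last slides (Boolean cases, AX/EX, Until as least fixpoint, Globally as greatest fixpoint) as a runnable checker. This is an added example, not the lecture's code. The four-state Kripke structure is constructed here, since the slides' figure is not reproduced on this page: its transitions (1→2, 1→3, 2→2, 3→2, 4→1, 4→4, with labels S_p = {1, 3, 4} and S_q = {2}) were chosen so that the iteration reproduces the approximant sequences of Example 1 and Example 2, and the code goes beyond those two by covering every CTL operator on the syntax slide.

```python
"""CTL model checking by fixpoint iteration over an explicit Kripke structure.

Added example, not the lecture's code. Every operator is computed as a set of
states: Boolean cases directly, AX/EX by inspecting successors, Until as a
least fixpoint (from {}) and Globally as a greatest fixpoint (from S).
"""
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

State = int
StateSet = Set[State]
Formula = Tuple  # ("p",), ("true",), ("not", f), ("or", f, g), ("AX", f), ("EX", f),
                 # ("AU", f, g), ("EU", f, g), ("AF", f), ("EF", f), ("AG", f), ("EG", f)

# Constructed K = <S, T, P, I>, chosen to reproduce the two slide examples.
T: Dict[State, StateSet] = {1: {2, 3}, 2: {2}, 3: {2}, 4: {1, 4}}
P: Dict[str, StateSet] = {"p": {1, 3, 4}, "q": {2}}
S: StateSet = set(T)
I: State = 1
Trace = Optional[List[FrozenSet[State]]]


def succ(s: State) -> StateSet:
    """Successors of s; a final state (no outgoing transition) stutters, s -> s."""
    return T[s] or {s}


def ex(x: StateSet) -> StateSet:
    """States with SOME successor in x: the set for EX."""
    return {s for s in S if succ(s) & x}


def ax(x: StateSet) -> StateSet:
    """States ALL of whose successors lie in x: the set for AX."""
    return {s for s in S if succ(s) <= x}


def iterate(f: Callable[[StateSet], StateSet], start: StateSet, trace: Trace = None) -> StateSet:
    """X0 = start, X(i+1) = f(Xi) until Xi = X(i+1). For monotonic f on a finite
    state set this terminates; start = {} yields mu f, start = S yields nu f.
    Every approximant, including the repeated final one, is appended to trace."""
    x = set(start)
    if trace is not None:
        trace.append(frozenset(x))
    while True:
        nxt = f(x)
        if trace is not None:
            trace.append(frozenset(nxt))
        if nxt == x:
            return x
        x = nxt


def sat(phi: Formula, trace: Trace = None) -> StateSet:
    """S_phi = { s | K, s |= phi }; trace records the outermost fixpoint iteration."""
    op = phi[0]
    if op == "true":
        return set(S)
    if op == "not":
        return S - sat(phi[1])
    if op == "or":
        return sat(phi[1]) | sat(phi[2])
    if op == "EX":
        return ex(sat(phi[1]))
    if op == "AX":
        return ax(sat(phi[1]))
    if op == "EF":                      # EF f == E(true U f)
        return sat(("EU", ("true",), phi[1]), trace)
    if op == "AF":                      # AF f == A(true U f)
        return sat(("AU", ("true",), phi[1]), trace)
    if op == "EG":                      # nu X. S1 & EX X   (f_EG of the slides)
        s1 = sat(phi[1])
        return iterate(lambda x: s1 & ex(x), S, trace)
    if op == "AG":                      # nu X. S1 & AX X   (== not EF not f)
        s1 = sat(phi[1])
        return iterate(lambda x: s1 & ax(x), S, trace)
    if op == "EU":                      # mu X. S2 | (S1 & EX X)
        s1, s2 = sat(phi[1]), sat(phi[2])
        return iterate(lambda x: s2 | (s1 & ex(x)), set(), trace)
    if op == "AU":                      # mu X. S2 | (S1 & AX X)   (f_AU of the slides)
        s1, s2 = sat(phi[1]), sat(phi[2])
        return iterate(lambda x: s2 | (s1 & ax(x)), set(), trace)
    return set(P.get(op, set()))        # a proposition


def approximants(phi: Formula) -> List[FrozenSet[State]]:
    """The sequence X0, X1, ... of the outermost fixpoint iteration for phi."""
    trace: List[FrozenSet[State]] = []
    sat(phi, trace)
    return trace


def holds(phi: Formula, s: State = I) -> bool:
    """K, s |= phi; with the state omitted, K |= phi means K, I |= phi."""
    return s in sat(phi)


if __name__ == "__main__":
    for name, phi in [("A(p U q)", ("AU", ("p",), ("q",))), ("EG p", ("EG", ("p",)))]:
        print(name, [sorted(x) for x in approximants(phi)])
    print("K |= AF q:", holds(("AF", ("q",))), " K |= AG EF q:", holds(("AG", ("EF", ("q",)))))
```

Running it prints the two approximant sequences from the slides and shows that AF q holds in the initial state but not in state 4 (whose self-loop never reaches q), while AG EF q holds everywhere because state 4 can still leave the loop via state 1.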

Model checking graph transformations
- 2-phase approach
  - First generate the entire state space, then model check
  - Disadvantages:
    - Does not work for infinite state spaces
    - Too much work if an error is found early
- On-the-fly
  - Check during state space generation, stop at the error
  - Only works for LTL (depth-first search)
  - Fails to terminate if a wrong branch is chosen and the state space is infinite
- Bounded
  - On-the-fly up to a certain depth
  - Increase the depth if no error is found
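The three strategies on this slide differ only in when the property is checked and when generation stops. The following added example (not the lecture's or GROOVE's code) makes that concrete for the simplest LTL property, an invariant G inv, on a buffer whose "grammar" is three rules expressed as Python functions; put rules and a capacity are assumptions of the example. Two-phase generation enumerates everything first; on-the-fly depth-first search checks each state as it is reached and returns the rule-labelled path to the first bad state; a depth bound keeps the search finite on the unbounded (infinite-state) buffer, at the price of a verdict that only covers the explored depth.

```python
"""Two-phase versus on-the-fly versus bounded checking of an invariant.

Added example, not the lecture's code. A rule maps a state to its successor or
to None when it is not applicable; a state is the buffer contents, oldest
element first. capacity=None gives an unbounded buffer, i.e. an infinite state
space, on which only the bounded search is guaranteed to terminate.
"""
from typing import Callable, Dict, List, Optional, Tuple

State = Tuple[int, ...]
Rule = Callable[[State], Optional[State]]
Path = List[Tuple[str, State]]          # (rule name, state reached) steps


def buffer_rules(capacity: Optional[int]) -> Dict[str, Rule]:
    """put0/put1 append a value (only while there is room, if capacity is set);
    get removes the oldest value. Rule order is the exploration order."""
    def put(v: int) -> Rule:
        return lambda s: s + (v,) if capacity is None or len(s) < capacity else None

    def get(s: State) -> Optional[State]:
        return s[1:] if s else None

    return {"put0": put(0), "put1": put(1), "get": get}


def two_phase(initial: State, rules: Dict[str, Rule],
              invariant: Callable[[State], bool]) -> Tuple[str, Optional[State], int]:
    """Phase 1 generates ALL reachable states (never returns if there are infinitely
    many); phase 2 checks the invariant. Returns (verdict, bad state, #states)."""
    states, todo = {initial}, [initial]
    while todo:
        s = todo.pop()
        for rule in rules.values():
            t = rule(s)
            if t is not None and t not in states:
                states.add(t)
                todo.append(t)
    for s in sorted(states):
        if not invariant(s):
            return "error", s, len(states)
    return "ok", None, len(states)


def on_the_fly(initial: State, rules: Dict[str, Rule], invariant: Callable[[State], bool],
               bound: Optional[int] = None) -> Tuple[str, Optional[Path], int]:
    """Depth-first generation that checks every state as soon as it is reached and
    stops at the first violation, returning the path to it. With bound=None this
    is plain on-the-fly checking, which need not terminate on an infinite state
    space when no violation exists; with a bound, only states within that many
    steps are explored and the verdict "bounded" means no error up to the bound,
    not correctness. Returns (verdict, counterexample path, #states generated)."""
    best: Dict[State, int] = {initial: 0}     # shortest depth at which a state was reached
    stack: List[Tuple[State, Path, int]] = [(initial, [], 0)]
    truncated = False
    while stack:
        s, path, depth = stack.pop()
        if not invariant(s):
            return "error", path, len(best)
        if bound is not None and depth >= bound:
            truncated = True
            continue
        for name, rule in rules.items():
            t = rule(s)
            # Re-expand a known state only when reached by a shorter path, so the
            # bound cuts off exactly the states that lie farther away than `bound`.
            if t is None or (t in best and best[t] <= depth + 1):
                continue
            best[t] = depth + 1
            stack.append((t, path + [(name, t)], depth + 1))
    return ("bounded" if truncated else "ok"), None, len(best)


if __name__ == "__main__":
    # Finite state space (capacity 3): both strategies are exhaustive.
    print(two_phase((), buffer_rules(3), lambda s: len(s) <= 3))
    print(on_the_fly((), buffer_rules(3), lambda s: len(s) <= 3))
    # Infinite state space: on-the-fly search finds a violation of "fewer than
    # 4 elements" after generating only 9 states, two-phase would never return.
    print(on_the_fly((), buffer_rules(None), lambda s: len(s) < 4))
    # With a valid invariant the unbounded search would not terminate; a depth
    # bound makes it stop, with a verdict that covers depth 3 only.
    print(on_the_fly((), buffer_rules(None), lambda s: all(v in (0, 1) for v in s), bound=3))
```

The `best` map is the detail that makes bounded depth-first search correct: with a plain visited set, a state first reached near the bound would never be expanded again when a shorter path to it turns up later, and states within the bound could be missed.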

Optimisations
- Symmetry reduction
  - Automatic, due to the isomorphism check
- Partial order reduction
  - Standard solutions rely on parallel processes
  - These do not exist for graph transformation
  - New: optimistic approach (CONCUR 2008); implementation pending
- Abstraction
  - Theory of shape analysis (Sagiv et al.)
  - Similar (parts of) graphs are collapsed
  - Partial implementation in GROOVE

Seen today
- Temporal logic
  - Path and state formulae
  - Semantics
  - Example properties
- Useful fragments
  - Linear temporal logic (LTL)
  - Computation tree logic (CTL)
- Model checking CTL