1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

Slides:



Advertisements
Similar presentations
Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Advertisements

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
1 MODULE name (parameters) “Ontology” “Program” “Properties” The NuSMV language A module can contain modules Top level: parameters less module Lower level.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification
UPPAAL Introduction Chien-Liang Chen.
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Temporal Logics Express reactive properties (order of events in time)
Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.
Witness and Counterexample Li Tan Oct. 15, 2002.
1 CTL Model Checking David L. Dill. 2 CTL syntax: AP -- atomic propositions p  AP is a formula f  g is a formula, if f and g are ¬f is a formula AX.
¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.
Review of the automata-theoretic approach to model-checking.
Embedded Systems Laboratory Department of Computer and Information Science Linköping University Sweden Formal Verification and Model Checking Traian Pop.
ESE601: Hybrid Systems Introduction to verification Spring 2006.
Witness and Counterexample Li Tan Oct. 15, 2002.
Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.
A Simple Model Checker for CTL. The problem n We need efficient algorithms to solve the problems [1]M,s  [2]M,s  where M should have finitely many states,
1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.
Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
Model Checking Lecture 3 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.
10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.
Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.
Daniel Kroening and Ofer Strichman 1 Decision Procedures An Algorithmic Point of View BDDs.
Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.
Four Lectures on Model Checking Tom Henzinger University of California, Berkeley.
CS 267: Automated Verification Lecture 3: Fixpoints and Temporal Properties Instructor: Tevfik Bultan.
卜磊 Transition System. Definitions and notations Reactive System The intuition is that a transition system consists of a set of possible.
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -
Verification & Validation By: Amir Masoud Gharehbaghi
1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.
Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.
6/12/20161 a.a.2015/2016 Prof. Anna Labella Formal Methods in software development.
Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.
29/06/2016Verification Synchronous Languages Verification.
Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,
How CTL model checking works
CTL model checking algorithms
Semantically Equivalent Formulas
CSEP590 – Model Checking and Automated Verification
Automatic Verification of Industrial Designs
Chapter 4: Model Checking of Finite State Systems
Albert M. K. Cheng Real-Time Systems Laboratory University of Houston
Formal Methods in software development
CSCI1600: Embedded and Real Time Software
Computer Security: Art and Science, 2nd Edition
Introduction to verification
Formal Methods in software development
Program correctness Branching-time temporal logics
Model Checking CS 680 Formal Methods Jeremy Johnson.
Program correctness Model-checking CTL
Presentation transcript:

1 Computation Tree Logic (CTL)

2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f  g, EXf, A[fUg], E[fUg] E, A – path quantifiers, X, U, G, F – temporal operators Interpreted over a tree of states: EXf - f holds in some immediate successor A[fUg] - every path has a prefix that satisfies [fUg]

3 CTL Model (Kripke Structure) M = (S, s I, R, L) S is a finite set of states, s I  S is the initial state R  S  S s.t.  u  S.  v  S. (u,v)  R (total) L: S  2 AP Example: AP = {p,q,r}

4 Example: XR Control Program

5 Computation Tree The infinite computation tree spanned by a model M=(S,s I,R,L) root s 0 =s i s  t is an arc in the tree iff (s,t)  R. A path is: s 0,s 1,s 2,…  S  s.t.  i. (s i,s i+1 )  R

6 CTL Semantics w.r.t a given model (S,s I,R,L) and a state s  S: s  p iff p  L(s) s   f iff not s  f s  f  g iff s  f and s  g s  Exf iff  s’. (s,s’)  R and s’  f s  A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  f s  E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  f f is satisfiable iff there exists a model (S,s I,R,L) such that s I  f f is valid iff f is satisfiable by every model (S,s I,R,L)

7 Derived Operators AX(f)   EX  f f holds at all next states AF(f)  A[true U f] f holds in the future of every path EF(f)  E[true U f] f holds in the future of some path AG(f)   EF(  f) every state in every path satisfies f EG(f)   AF(  f) for some path every state satisfies f

8 Example: Explicit semantics of EGf s  EGf  s   AF  f  s   A(trueU  f)   (s  A(trueU  f))   (  (s 0, s 1,…) s.t s 0 =s,  i  0. s i   f   j. 0  j  i  s j  true   (  (s 0, s 1,…) s.t s 0 =s,  i  0. s i   f   (s 0, s 1,…) s.t s 0 =s,  i  0.  (s i  f)   (s 0, s 1,…) s.t s 0 =s,  i  0.(s i  f)

9

10 A note on temporal wff Syntax: EXf, A[fUg], E[fUg] E, A – path quantifiers X, U, G, F – temporal operators Structure of a formula: (path)(temporal)[formula] E, A – path quantifiers X, U, G, F – temporal operators EF(Gu) is not a wff, only EF(EGu) or EF(AGu) A(fUg) cannot be derived from E(fUg) since  E  (fUg) is not wff (since  (fUg) is not wff)

11 Properties Expressed in CTL Every req is followed by ack (not 1-1): AG(req  AF ack) It is possible to get to a state where started holds but ready does not hold. EF(started  ready) From any state it is possible to get to the restart state. AG EF restart Processes P,Q are not in their critical section simultaneously AG(  (PC  QC)) A process that asks to enter the critical section, eventually gets there AG(PE  AF(PC)) Processes strictly alternate in access to the critical section AG(Pc  A(PcU(  Pc  A(  PcUQc))))

12 Expressing Time in CTL Assertions: 50 seconds minimal delay between trains. AG(Tin  AX  Tin  AXAX  Tin  …  AX..AX  Tin ) It takes a train 6 seconds to arrive at the signal AG(Tin  AX(AX(AX(AX(AX(AX(AtSignal))))))) however, we could write AG(Tin  AX 6 (AtSignal) like we did in LTL 50

13 LTL vs. CTL LTL cannot distinguish behaviors that generate same path, therefore cannot express ‘possibility’. CTL is sensitive to the branching structure Thus, “it is always possible to get tea after inserting a coin” is expressible in CTL: AG(coin  EXtea) but not in LTL Different models - A CTL tree defines a subset of models of LTL Expressivity – Define LTL satisfied on Kripke model if satisfied by every path.

14 LTL vs. CTL (II) satisfies  p but not AFAGp. -- no single F state Similarly, –  p   q –  (p  Op) not expressible in CTL

15 LTL vs. CTL (III) AGEFp - not expressible in LTL Suppose A  is equivalent to AGEFp - (a) satisfies AGEFp hence A  - (b)-path(s)  (a)-paths hence (b) satisfies A  - However (b) does not satisfy AGEFp

16 CTL* Allows any LTL formula to be preceded by A or E. Exm. E(p  Xq), A(Fq  Gp) CTL* is more powerful then CTL and LTL but Model checking is PSPACE-complete in size of formula.

17 Model Checking Problem Model Checking problem: Given a program model (S, s 0, R, L) and a CTL formula f, determine if s 0  f. Model-checking  Satisfiability Semantic search: Given (S, s 0, R,L), and f, find the set S’  S of all states in S that satisfy f. Check if s 0  S’.

18 Model Checking by Semantic Search Given (S, s 0, R,L), and f, find the set S’  S of all states in S that satisfy f. Check if s 0  S’. Simple for formulae: { s | s  p } = { s | p  L(s) } -- p atomic { s | s  f  g } = { s | s  f }  { s | s  g } { s | s   f } = S - { s | s  f } { s | s  EXf } = { s |  t  S s.t. (s,t)  R  t  f } The problem arises with A(qUr) and E(qUr).

19 Fix-points Fix-point:  (x)=x Given a set S, a functional  : 2 S  2 S is: - monotonic iff P  Q   [P]  [Q] -  -continuous iff P1  P2  …   [  Pi]=  [Pi] -  -continuous iff P1  P2  …   [  Pi]=  [Pi] Theorem (Tarski) Monotonic  have least and greatest fix-points: lfp(  ) =  {Z :  [Z]=Z}, gfp(  ) =  {Z :  [Z]=Z}, lfp(  ) =  i [  ], i=0,1,… if  is also  -continuous gfp(  ) =  i [S], i=0,1,… if  is also  -continuous

20 Proof Example If  is monotonic and  -continuous then lfp(  [Z]) =  i [  ], i=0,1,… Proof:  i [  ] is non-decreasing:  [  ], and if  i [  ]  i+1 [  ] then  i+1 [  ]  i+2 [  ] since  is monotonic.  i [  ] is a fix-point since  is  -continuous:  (  i [  ])=  (  i [  ]) =    i+1 [  ]=  i [  ] least fix-point: for every i,  i [  ]  lfp(  ); again by induction on i: -  lfp(  ), -  i [  ]  lfp(  )   i+1 [  ]=  (  i [  ])  (lfp(  ))=lfp(  )

21 Fix-points of CTL Operators Given, M=(S,s 0,R,L), every formula is identified with the set of states that satisfy the formula (false , true  S). Lemma: EFf = f  EXEFf (satisfied by same states) Suppose s 0  EFf. Then by definition there is a path s 0,s 1,s 2,… in M s.t. for some k s k  f. If k=0 then s 0  f. Otherwise s 1  EFf and s 0  EXEFf. Thus, EFf  f  EXEFf. Similarly, if s 0  f  EXEFf then s 0  f or s 0  EXEFf. In either case s 0  EFf and f  EXEFf  EFf. Therefore, EFf= f  EXEFf.  EFf is a fix-point of  [Z] = f  EX Z

22 Lemma: The functional f  EX Z is monotonic Assume p  q, we show that EXp  EXq. By def. s  EXp iff there exists t  S s.t. (s,t)  R and t  p. But also t  q (since p  q) hence also s  EXq. Hence, if p  q then: { s | s  f  EXp } = { s | s  f }  { s | s  EXp }  { s | s  f }  { s | s  EXq } = { s | s  f  EXq } f  EX Z is monotonic,  -continuous and  -continuous Lemma: f  EX Z is  -continuous and  -continuous In fact true for every monotonic functional on finite set: P1  P2  …  Pm has a maximum Pm=  Pi. Also,  [Pi]=  [Pm] (monotonic), hence  [Pi]=  [  Pi].)  lfp(f  EXZ) =  (f  EX false) i

23 Lemma: EFf is a least fixpoint of  [Z]=f  EXZ Suppose p is a fixpoint of . Then, p = f  EXp. Hence, { s | s  p } = { s | s  f  EXp } = { s | s  f }  { s | s  EXp } Therefore: f  p and EXp  p Hence, p is closed under R -1 namely p contains all of its predecessors. Therefore, no path beginning in a non p- state can reach a p-state. Since f  p it follows that EFf  p (if s  EFf then s starts a path that reaches f, therefore reaches p, therefore s is a p- state). Therefore, EFf is contained in any fixpoint of .  EFf =  (f  EX false) i

24 Fixpoints of CTL Operators (Clark-Emerson) lfp  [Z] A[fUg] g  (f  AXZ) E[fUg] g  (f  EXZ) AFf f  AXZ EFf f  EXZ  [Z] gfp f  AXZ AGf f  EXZ EGf Recall AX(f)   EX  f

25 CTL Operators Computations EFf =  (f  EX false) i EGf =  (f  EX true) i -- gfp E[fUg] =  (g  (f  EX false)) i A[fUg] =  (g  (f  AX false)) i where i  S  (S is finite)

26 Example: EFp  (false)= p  EX false = p  2 (false)= p  EX p  3 (false)= p  EX(p  EX p)

27 Example: EGy =  (y  EX true) i S0:{x,y,z} S2:{y,z} S3:{x} S4:{y} S5:{x,z} S6:{z}S7:{} S1:{x,y} [EG(y)] = [y]  EX[S] = {s0,s1,s2,s4}=E 0  [y]  EX[E 0 ]= {s0,s1,s2,s4}  {s0,s2,s3,s4,s5,s6}= {s0,s2,s4}= E 1  [y]  EX[E 1 ]= {s0,s1,s2,s4}  {s0,s2,s3,s4,s6}= {s0,s2,s4}= E 1

28 Example: EF(x=z  y  z) =  ((x=z  y  z)  EX false) i S0:{x,y,z} S2:{y,z} S3:{x} S4:{y} S5:{x,z} S6:{z}S7:{} S1:{x,y} [EF(x=z  y  z)] = [(x=z  y  z)]  EX[  ] = {s4,s5}=E 0  [E 0 ]  EX[E 0 ]= {s4,s5}  {s6}= {s4,s5,s6}= E 1  (EX[E 1 ]= {s6,s7})= {s4,s5,s6,s7}= E 2  (EX[E 2 ]= {s6,,s7,s5}) = {s4,s5,s6,s7}

29 Model Checking Algorithm (sketch) 1.Construct A, the set of sub-formulae of f. 2.For i=1,…,|f|, label every state s  S with the sub-formulae of length i that are satisfied by s. 3.Check if s 0 is labeled by f. At stage i the algorithm employs the information gathered in earlier stages (in particular path formulae look at the information of the next states).

30 Model Checking Algorithm Given M=(S, s 0, R, L), and a CTL formula f for j=0 to length(f) for each sub-formula g of f of length j case (-- structure of g) p:nothing (-- S is already labeled with propositions) q  r:  s  S: if q  L(s) and r  L(s) then add q  r to L(s)  q:  s  S: if q  L(s) then add  q to L(s) EXq:  s  S: if  t s.t. (s,t)  R and q  L(t) then add EXq to L(s) A(qUr): AU-check(q, r) E(qUr): EU-check(q, r) if f  L(s 0 ) then output=true, else output=false.

31 AU-check (q, r) for each s  S, if r  L(s) then add A(qUr) to L(s) for j=1 to |S| for each s  S, if q  L(s) and A(qUr)  L(t) for all t s.t. (s,t)  R then add A(qUr) to L(s) EU-check (q, r) for each s  S, if r  L(s) then add E(qUr) to L(s) for j=1 to |S| for each s  S, if q  L(s) and E(qUr) to L(t) for some t s.t. (s,t)  R then add E(qUr) to L(s) Complexity: O(|  |  |S| 2 ) Checking state satisfiability fro A(qUr), E(qUr)

Fairness Assumption Strong fairness: a transition that is enabled i.o. is taken i.o - LTL: (      ) - -   private case,  =True Weak fairness: a transition that is continuously enabled is taken i.o - LTL: (       )  Rule out traces that are unrealistic or provide for unfair service (starvation).   (T_Red &P_Green) &   (P_Red &T_Green) Fairness assumptions are not in CTL

Fair Semantics for CTL Strong Fairness constraint: Sfair =  i (   i    i )   j (    j    j ),  i,  i,  j,  j, CTL formulae. For a model M= (S, s I, R, L) and s  S: FairPaths(s) = {  Paths(s) |   Sfair } Fair semantics w.r.t. Sfair s  F p iff s  p s  F  f iff not s  F f s  F f  g iff s  F f and s  F g s  F Exf iff  s’. (s,s’)  R and s’  f   FairPaths(s), s  F E[pUq] iff exists  =(s 0, s 1,…) s.t s 0 =s,  FairPaths(s),  k  0. s k  q   i. 0  i  k  s i  p s  F A[pUq] iff for every  =(s 0, s 1,…) s.t s 0 =s,  FairPaths(s),  k  0. s k  q   i. 0  i  k  s i  p

Model Checking under Farness Constraints How to check:  FairPaths(s) ? Observation:  FairPaths(s) iff  j  0  j  FairPaths(  j ) Hence, redefine fair semantic: s  F p iff s  p s  F  f iff not s  F f s  F f  g iff s  F f and s  F g s  F Exf iff  s’. (s,s’)  R and s’  f  FairPaths(s’)  s  F A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  f  FairPaths(s k )  s  F E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  f  FairPaths(s k ) 

Computation of FairPaths(s)  Let: Sfair = (      ) where ,  are CTL formulae.   Sfair iff  k  0, n  k, s.t.  = s 0 …s k-1 (s k …s n )  and:  k  i  n. s i  or  k  j  n. s j  Computation of FairPaths(s)  w.r.t. Sfair = (      ) For a model M= (S, s I, R, L):  Let a, b, fair be new fresh variables  Compute Sat(  )={s  S | s  } then  s  Sat(  ). L(s):=L(s)  {a}  Compute Sat(  )={s  S | s  } then  s  Sat(  ). L(s):=L(s)  {b}  Decompose M into a graph of maximal SCCs.  For each SCC, if for all states s  SCC, a  L(s), or otherwise there exists a state s’  SCC s.t. b  L(s’), mark the SCC as fair  For each s  S if there exists a path from s to a fair SCC then L(s)  {fair}

Computation of FairPaths(s)  Hence, redefine fair semantic: s  F p iff s  p s  F  f iff not s  F f s  F f  g iff s  F f and s  F g s  F Exf iff  s’. (s,s’)  R and s’  (f  fair) s  F A[fUg] iff for every path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  (f  fair) s  F E[fUg] iff for some path (s 0, s 1,…) s.t s 0 =s,  k  0. s k  g   i. 0  i  k  s i  (f  fair) Thus, ‘fair’ model checking requires pre-processing of the model that extends the states labeling, then normal model checking algorithm

Complexity For a model with N states and M transitions and a CTL formula f and a CTL fairness constraint, still linear time: O(|f|·(N +M)). In the general case, with k fairness constraints, the labeling must be carried out separately for each constraint and the final labeling is the conjunction of the separate labeling. The complexity is then O(|f|·(N +M)·k)

38 RTCTL A(qU  k r) - at all paths r holds within k t.u. and q holds at all states until then. E(qU  k r) - at some path r holds within k t.u. and q holds at all states until then. Semantics (fixed rate progress approach): s 0  A(qU  k r) iff for every path ( s 0, s 1,…)  i. 0  i  k  s i  r   j. 0  j  i  s j  q s 0  E(qU  k r) iff exists path ( s 0, s 1,…) and  i  0. 0  i  k  s i  r   j. 0  j  i  s j  q

39 Model Checking Algorithm for RTCTL Given M=(S, s 0, R, L), and a CTL formula f for j=0 to length(f) for each sub-formula g of f of length j case (structure of g) p: ….. q  r: …..  q: ….. EXq:….. A(qUr): ….. A(qU  k r): AU-check(min(k,|S|), q, r) E(qUr): ….. E(qU  k r): EU-check(min(k,|S|), q, r) if f  L(s 0 ) then output=true, else output=false.

40 AU-check (max_len, q, r) -- max_len= min(k,|S|) for each s  S, if r  L(s) then add A(qU  0 r) to L(s) for len=1 to max_len for each s  S, if q  L(s) and for every t such that (s,t)  R there is j  len-1 s.t. A(qU  j r)  L(t) then add A(qU  len r) to L(s) for each s  S, if A(qU  j r)  L(s) for some j  max_len then replace by A(qU  max_len r) to L(s) A(qU  k r):

41 EU-check (max_len, q, r) -- max_len= min(k,|S|) for each s  S, if r  L(s) then add E(qU  0 r) to L(s) for len=1 to max_len for each s  S, if q  L(s) and E(qU  len-1 r)  L(t) for some t such that (s,t)  R then add E(qU  len r) to L(s) for each s  S, if E(qU  j r)  L(s) for some j  max_len then replace by E(qU  max_len r) to L(s) E(qU  k r):

42 RTCTL (II) In order to express fixed delays, we need: A(qU k r) - at all paths r holds at k t.u. and q holds at all states until then. E(qU k r) - at some path r holds at k t.u. and q holds at all states until then. Semantics (fixed rate progress approach): s 0  A(qU k r) iff for every path ( s 0, s 1,…) s k  r   j. 0  j  k  s j  q s 0  E(qU k r) iff exists path ( s 0, s 1,…) and s k  r   j. 0  j  k  s j  q Model checking same idea as for  k

43 Railroad Crossing in Real-Time CTL Assertions: 50 seconds minimal delay between trains. AG(Tin   EF  50 Tin) It takes a train 6 seconds to arrive at the signal AG(Tin  AF 6 AtSignal) Train exits XR within 15 to 25 seconds. AG(((Twait  AX(  Twait))  AX(AtSignal   Twait))  AG  16  Tout  AF  26 Tout ) Requirements: Train at the signal is allowed to continue within 10 seconds. AG(AtSignal  AF  5 (  Twait)) The gate is open whenever the crossing is empty for more than 10 seconds. AG(  E(Tcr0U =10  Open))

44 Symbolic Model Checking Symbolic representation with Boolean formulae of: the model (program) CTL formula thus avoiding the state explosion problem.  Model Checking reduces to Boolean formulae manipulation. The idea: Given a model (S,R,L) over P (set of atomic propositions), Represent every state s  S by a Boolean formula over P that is satisfied exactly by L(s) Represents R in terms of the Boolean formulas corresponding to source and destination states.

45 Program Representation - Example I S   p S’  p R  (  p  p’)  (p  p’)  (p   p’)  (  p  p)  p’  (p   p’)  p’  (p   p’)  (p’  p)  (p’   p’)  (p  p’)

46 S0   (v 0  v 1 ), S1  v 0   v 1, S2   v 0  v 1, S3  v 0  v 1 R  (v 0 '   v 0 )  (v 1 ’  (v 0  v 1 )) Program Representation - Example II

47 CTL Symbolic Representation p  P,  f, f  g, are Boolean formulae. We show Boolean representation for: EXf, A[fUg], E[fUg] EXf Let v 1,…,v n  P be the atomic propositions in f, then:  (v 1,…,v n ).f =  (a 1,…,a n )  {0,1} n f(a 1,…,a n ) Then, EXf is represented by the formula  (v 1 ',…,v n ').(R  f’(v 1 ',…,v n ') ) EX  p =  p'. R  f(p‘) =  p'. (p  p')  p' =  p'. (p  p') = (p  false)  (p  true) = p

48 EX(v 0  v 1 ) =  (v 0 ', v 1 '). R  (v 0 '  v 1 ') =  (v 0 ', v 1 '). (  v 0  v 1  v 0 '  v 1 ') =  (v 1 ').(  v 0  v 1  false  v 1 ')  (  v 0  v 1  true  v 1 ') =  (v 1 '). (  v 0  v 1  v 1 ') = (  v 0  v 1  false)  (  v 0  v 1  true) = (  v 0  v 1 )

49 CTL Operators Representation For other CTL operators use their fixed point representation in terms of EX. Example: computation of EFp - recall EFp =  i (false) where  (y)= p  EXy  1 (false) = p  EXfalse = p  2 (false) =  (p) = p  EXp = p  p'.(p  p')  p' = true  3 (false) =  (true) = p  EXtrue = true

50 Computation of EF(v 0  v 1 )  1 (false) = (v 0  v 1 )  EXfalse = (v 0  v 1 )  2 (false) =  (v 0  v 1 ) = (v 0  v 1 )  EX(v 0  v 1 ) = (v 0  v 1 )  (  v 0  v 1 ) = v 1  3 (false) =  (v 1 ) = (v 0  v 1 )  EXv 1 = (v 0  v 1 )  3 (false) =  (v 0  v 1 ) = (v 0  v 1 )  EX(v 0  v 1 ) = true

51 Symbolic Model Checking Algorithm eval(f) { Case (f) p : return p  g: return  eval(g) g  h: return eval(g)  eval(h) EXg: return  v'.(R  p') E(gUh): return evalEU(eval(g),eval(h),false)) EGg: return evalEG(eval(g),true) } evalEU(p,q,y) { y'=q  (p  evalEX(y)) if y'=y then return y else return evalEU(p.q.y') } evalEG(p,y) { y'=(p  evalEX(y)) if y'=y then return y else return evalEG(p.y') |

52 Binary Decision Diagrams (BDD) Graphical representation of Boolean formulae obtained from ordered decision trees. Ordered Decision Tree of a  b  c  d

53 BDD Derivation Apply in bottom-up manner: Combine isomorphic sub-trees into a single tree Eliminate nodes whose left and right children are isomorphic –Linear time –Size of resulting graph depends on variable ordering

54 Example - Step 1: node elimination

55 Example - Step 1: isomorphic trees

56 Example - Step 1: Final BDD

57 Properties of BDDs Canonical representation of formulae, enables simple comparison. Logical operators: , , , EX are computed w.r.t. BDD quadratic time.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.