Temporal Logic and Model Checking. Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the.

Slides:

Advertisements

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Advertisements

5. Model Checking Modellbasierte Softwareentwicklung

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

1 Verification of Parameterized Systems Reducing Model Checking of the Few to the One. E. Allen Emerson, Richard J. Trefler and Thomas Wahl Junaid Surve.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

CS6133 Software Specification and Verification

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

 Dr. Vered Gafni 1 LTL Decidability Enables consistency check, but also base for verification.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Witness and Counterexample Li Tan Oct. 15, 2002.

1 CTL Model Checking David L. Dill. 2 CTL syntax: AP -- atomic propositions p  AP is a formula f  g is a formula, if f and g are ¬f is a formula AX.

¹ -Calculus Based on: “Model Checking”, E. Clarke and O. Grumberg (ch. 6, 7) “Symbolic Model Checking: 10^20 States and Beyond”, Burch, Clark, et al “Introduction.

Review of the automata-theoretic approach to model-checking.

Witness and Counterexample Li Tan Oct. 15, 2002.

Flavio Lerda 1 LTL Model Checking Flavio Lerda. 2 LTL Model Checking LTL –Subset of CTL* of the form: A f where f is a path formula LTL model checking.

A Simple Model Checker for CTL. The problem n We need efficient algorithms to solve the problems [1]M,s  [2]M,s  where M should have finitely many states,

Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.

15-820A 1 LTL to Büchi Automata Flavio Lerda A 2 LTL to Büchi Automata LTL Formulas Subset of CTL* –Distinct from CTL AFG p  LTL  f  CTL. f.

1 Introduction to SMV and Model Checking Mostly by: Ken McMillan Cadence Berkeley Labs Small parts by: Brandon Eames ISIS/Vanderbilt.

10/19/2015COSC , Lecture 171 Real-Time Systems, COSC , Lecture 17 Stefan Andrei.

Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications 1.

On Reducing the Global State Graph for Verification of Distributed Computations Vijay K. Garg, Arindam Chakraborty Parallel and Distributed Systems Laboratory.

CTL Model Checking 张文辉

Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9.

CS 267: Automated Verification Lecture 3: Fixpoints and Temporal Properties Instructor: Tevfik Bultan.

1 Parallel Model Checking Game for CTL Lecture 6 – Lecturer: Orna Grumberg.

Introduction to Model Checking

CTL Model-checking for Systems with Unspecified Components Summer-1384 Hajar Niamehr Neda Noroozi.

- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Validation - Formal verification -

1 Symmetry Symmetry Chapter 14 from “Model Checking” by Edmund M. Clarke Jr., Orna Grumberg, and Doron A. Peled presented by Anastasia Braginsky March.

1 CSEP590 – Model Checking and Automated Verification Lecture outline for July 9, 2003.

Bounded Model Checking A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic Model Checking without BDDs, TACAS’99 Presented by Daniel Choi Provable Software.

Software Verification 2 Automated Verification Prof. Dr. Holger Schlingloff Institut für Informatik der Humboldt Universität and Fraunhofer Institut für.

Model Checking Lecture 2. Model-Checking Problem I |= S System modelSystem property.

Complexity of Compositional Model Checking of Computation Tree Logic on Simple Structures Krishnendu Chatterjee Pallab Dasgupta P.P. Chakrabarti IWDC 2004,

15-820A 1 LTL Model Checking A Flavio Lerda.

Basic concepts of Model Checking

Model Checking Formal Methods Workshop August 18, 2017 Amrita

Semantically Equivalent Formulas

Automatic Verification

CSCI1600: Embedded and Real Time Software

CSEP590 – Model Checking and Automated Verification

Automatic Verification of Industrial Designs

Albert M. K. Cheng Real-Time Systems Laboratory University of Houston

Formal Methods in software development

CSCI1600: Embedded and Real Time Software

Computer Security: Art and Science, 2nd Edition

CSCI1600: Embedded and Real Time Software

Linear Time Properties

Formal Methods in software development

Program correctness Branching-time temporal logics

Midterm COM3220 Open book/open notes Tuesday, April 28, 6pm pm

Model Checking CS 680 Formal Methods Jeremy Johnson.

Program correctness Model-checking CTL

Presentation transcript:

Temporal Logic and Model Checking

Reactive Systems We often classify systems into two types: Transformational: functions from inputs available at the start of the computation to outputs provided on termination Reactive: behaviour is in general infinite: a process in a reactive system is usually non terminating continuously responding to stimuli from its environment Implication – these different systems need different techniques for reasoning about system correctness

Reasoning about Correctness A system state is a snapshot of the system’s variables at some point in time System changes state in response to stimuli A pair of states, one before action, one after is called a transition The computation of a reactive system is a possibly infinite sequence of states, each obtained from the previous state via a transition Clarke slides

Example: Microwave Oven  Start  Close  Heat  Error  Start Close  Heat  Error Start  Close  Heat Error  Start Close Heat  Error Start Close  Heat Error Start Close  Heat  Error Start Close Heat  Error start ovenclose dooropen door done open doorclose doorstart ovenreset start cooking warmup cook

CTL Specification We would like the microwave to have the following properties (among others): No heat while door is open AG( Heat → Close): If oven starts, it will eventually start cooking AG (Start → AF Heat) It must be possible to correct errors AG( Error → AF ¬ Error): Does it? How do we prove it?

Model Checking Problem Given a Kripke structure M = (S,R,L) that represents a finite- state transition graph and a temporal logic formula f Find all states in S that satisfy f: {s  S | M,s ╞ f } and check that initial states are among these.

CTL Model Checking Algorithm Iterate over subformulas of f from smallest to largest For each s  S, if subformula is true in s, add it to labels(s) When algorithm terminates M,s ╞ f iff f  labels(s)

Checking Subformulas Any CTL formula can be expressed in terms of: ¬, , EX, EU, and EG, Therefore must consider 6 cases: Atomic proposition if ap  L(s), add to labels(s) ¬f 1 if f 1  labels(s), add ¬f 1 to labels(s) f 1  f 2 if f 1  labels(s) or f 1  labels(s), add f 1  f 2 to labels(s) EX f 1 add EX f 1 to labels(s) if successor of s, s', has f 1  labels(s')

Checking Subformulas E[f 1 U f 2 ] Find all states s for which f 2  labels(s) Follow paths backwards from s finding all states that can reach s on a path in which every state is labeled with f 1 Label each of these states with E[f 1 U f 2 ]

Checking Subformulas EG f 1 Basic idea – look for one infinite path on which f1 holds. Decompose M into nontrivial strongly connected components A strongly connected component (SCC) C is a maximal subgraph such that every node in C is reachable by every other node in C on a directed path that contained entirely within C. C is nontrivial iff either it has more than one node or it contains one node with a self loop Create M' = (S’,R’,L’) from M by removing all states s  S in which f 1  labels(s) and updating S, R, and L accordingly

Checking Subformulas Lemma M,s ╞ EG f 1 iff 1. s  S' 2. There exists a path in M' that leads from s to some node t in a nontrivial strongly connected component of the graph (S', R'). Proof left as exercise, but basic idea is Can’t have an infinite path over finite states without cycles So if we find a path from s to a cycle and f 1 holds in every state (by construction) Then we’ve found an infinite path over which f 1 holds

Checking EF f 1 procedure CheckEG(f 1 ) S' = {s | f 1  labels(s)}; SCC = {C | C is a nontrivial SCC of S'}; T =  C  SCC {s | s  C}; for all s  T do labels(s) = labels(s)  {EG f 1 }; while T ≠  do choose s  T; T = T \ {s}; for all t such that t  S' and R(t,s) do if EG f 1  labels(t) then labels(t) = labels(t)  {EG f 1 }; T = T  {t}; end if; end for all; end while; end procedure;

Checking a Property Checking AG(Start → AF Heat) Rewrite as ¬EF(Start  EG ¬Heat) Rewrite as ¬ E[ true U (Start  EG ¬Heat)] Compute labels for smallest subformulas Start, Heat ¬ Heat Formulas/States Start xxxx Heat xx ¬ Heat xxxxx EG ¬Heat Start  EG ¬Heat E[true U(Start  EG ¬Heat)] ¬ E[true U(Start  EG ¬Heat)]

Checking a Property Compute labels for EG ¬Heat S’ = {1,2,3,5,6} SCC = {{1,2,3,5}} T = {1,2,3,5} No other state in S’ can reach a state in T along a path in S’. Computation terminates. States 1,2,3, and 5 labelled with EG ¬Heat Formulas/States Start xxxx Heat xx ¬ Heat xxxxx EG ¬Heat xxxx Start  EG ¬Heat E[true U(Start  EG ¬Heat)] ¬ E[true U(Start  EG ¬Heat)]

Checking a Property Compute labels for Start  EG ¬Heat Formulas/States Start xxxx Heat xx ¬ Heat xxxxx EG ¬Heat xxxx Start  EG ¬Heat xx E[true U(Start  EG ¬Heat)] ¬ E[true U(Start  EG ¬Heat)]

Checking a Property E[true U(Start  EG ¬Heat)] Start with set of states in which Start  EG ¬Heat holds i.e., {2,5} Work backwards marking every state in which true holds Formulas/States Start xxxx Heat xx ¬ Heat xxxxx EG ¬Heat xxxx Start  EG ¬Heat xx E[true U(Start  EG ¬Heat)] xxxxxxx ¬ E[true U(Start  EG ¬Heat)]

Checking a Property Check ¬ E[true U(Start  EG ¬Heat)] Leaves us with the empty set, so safety property doesn’t hold over microwave oven Formulas/States Start xxxx Heat xx ¬ Heat xxxxx EG ¬Heat xxxx Start  EG ¬Heat xx E[true U(Start  EG ¬Heat)] xxxxxxx ¬ E[true U(Start  EG ¬Heat)]