Lecture 81 Optimizing CTL Model checking + Model checking TCTL CS 5270 Lecture 9

Lecture 82 A(FG p) not AF( AG p)

Lecture 83 Today… Summary Optimizations for model checking –ROBDDs TCTL- –Syntax –Semantics –Algorithm for MC –Optimizations

Lecture 84 Summary: Model checking CTL

Lecture 85 Optimization The principal one: –Reduce to a problem with Boolean variables/Boolean formulæ Is this reasonable? –Well – most modelling is done like this – even when you do have (non-boolean) variables –+ efficiencies from efficient operations on boolean functions

Lecture 86 States as boolean formulæ Encode states using m boolean variables. –Allows for 2 m states. For example: m=3: –S={s 1,s 2,s 3,s 4,s 5,s 6,s 7,s 8 } Propositional booleans a,b,c: –S={000,001,010,011,100,101,110,111} –S = {  a  b  c,  a  b  c,  a  b  c, … }

Lecture 87 Transitions as boolean formulæ Encode (s,s’) using before and after propositional boolean variables – a,b,c and a’,b’,c’. For example: (s 1,s 4 ): –(s 1,s 4 ) = (  a  b  c)  (  a’  b’  c’)

Lecture 88 Sufficient for modelling? Encode another mutual exclusion protocol Two processes, P 1 and P 2 share booleans –Co-operate for mutual exclusion Third process T 1 monitors and sets a turn variable System is parallel composition: P 1 || P 2 || T 1

Lecture 89 Co-operative mutex: Process P 1 if (idle 1 ) { wait 1 = true; idle 1 = false; } else if (wait 1 & idle 2 ) { active 1 = true; wait 1 = false; } else if (wait 1 & wait 2 & (!turn)) { active 1 = true; wait 1 = false; } if (active 1 ) { CritSect(); idle 1 = true; active 1 = false; }; ( followed by P 1 ) P 1 =

Lecture 810 Co-operative mutex: Process P 2 if (idle 2 ) { wait 2 = true; idle 2 = false; } else if (wait 2 & idle 1 ) { active 2 = true; wait 2 = false; } else if (wait 2 & wait 1 & turn) { active 2 = true; wait 2 = false; } if (active 2 ) { CritSect(); idle 2 = true; active 2 = false; }; ( followed by P 2 ) P 2 =

Lecture 811 Co-operative mutex: Process T 1 if (idle 1 & wait 2 ) { turn = true; } else if (idle 2 & wait 1 ) { Turn = false; }; ( followed by T 1 ) (P 1 || P 2 || T 1 ); System; T 1 = System =

Lecture 812 State transition diagram – whole system

Lecture 813 Transitions as predicates P 1 = (i 1  w 1 ’  i 1 ’)  (w 1  i 2  a 1 ’  w 1 ’)  (w 1  w 2  t  a 1 ’  w 1 ’)  (a 1  i 1 ’  a 1 ’) P 2 = (i 2  w 2 ’  i 2 ’)  (w 2  i 1  a 2 ’  w 2 ’)  (w 2  w 1  t  a 2 ’  w 2 ’)  (a 2  i 2 ’  a 2 ’) T 1 = (i 1  w 2  t’)  (i 2  w 1  t’)

Lecture 814 Ordered Binary Decision Tree

Lecture 815 OBDT example: (i 1  i 2 )  (i 3  i 4 )

Lecture 816  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 817  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 818  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 819  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 820  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 821  ROBDD: (i 1  i 2 )  (i 3  i 4 )

Lecture 822 History… The ROBDD optimization originally by Bryant (86) – paper on boolean graphs The application to model checking by McMillan (Originally in late 80’s – subject of thesis in 1992) smv – Symbolic model verifier – originally by McMillan

Lecture 823 Today… Summary Optimizations for model checking –ROBDDs TCTL- –Syntax –Semantics –Algorithm for MC –Optimizations

Lecture 824 Regional transition system (RTS) Given TA TTS = (s,s 0,Act, ), then the RTS is a quotiented transition system RTS = (Ř,Ř 0, Act,  ), where Ř = {(s,[v] t ) | (s,v)  s  [v] t  REG v}, and Ř 0 = {(s,[v] t ) | (s,v)  s 0  [v] t  REG v}, and finally, (s,[v] t )  (s’,[v’] t ) if and only if there is a transition (s,v) (s’,v’) in TA TTS. a a

Lecture 825 Regional transition system (RTS) Notation: Ř – a set of regions ř – a particular region in the set: (s,[v] t ) r – a particular valuation: (s,v)

Lecture 826 Regional transition system (RTS)

Lecture 827 Kripke structure/model for TCTL Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř,Δ,AP,L) –Ř – finite set of regions from RTS –Δ  Ř  Ř - a total transition relation –AP – a finite set of atomic propositions –L: Ř → 2 AP – A labelling function which labels each region with the propositions true in that region Note that the propositions may include clock constraints…

Lecture 828 TCTL- syntax Given p  AP, x  X (model clock variables), z  Z (property clock variables),  (X  Z) (clock constraints), then p and  are TCTL- formulæ, and if  1 and  2 are TCTL- formulæ then so are:  1  1   2  1   2 z in  1 A(  1 U  2 ) E(  1 U  2 )

Lecture 829 TCTL examples Note: temporal operators can be subscripted: A(  1 U <7  2 ) means  1 holds until (within 7 time units)  2 becomes true. Implemented as: z in A( (  1  z<7) U  2 ) A( alarm U <7 boiler-off ): the alarm is on until (within 7 time units) the boiler-off is signaled. EF <7 ( alarm ) = E( true U <7 alarm ): the alarm will be on within 7 time units.

Lecture 830 Semantics of TCTL Expressed in terms of a model, and the modelling relation ²  which links a model, a composite state r=(s,v) and a formula clock valuation with a property. M,(r,f) ²  P - means that (TCTL) property P holds in (or is satisfied in) state r in the case of a formula valuation f for a given model M

Lecture 831 (Inductive) definition of ²  M,(r,f) ²  P  p  L(ř) M,(r,f) ²    v  f ²  M,(r,f) ²   1   (M,(r,f) ²   1 ) M,(r,f) ²   1   2  M,(r,f) ²   1, and M,(r,f) ²   2 M,(r,f) ²   1   2  M,(r,f) ²   1, or M,(r,f) ²   2

Lecture 832 (Inductive) definition of ²  M,(r,f) ²  z in  1  M,(r,z in f) ²   1 –The notation z in f asserts that z is reset to 0 whenever it appears in the formula f M,(r,f) ²  A(  1 U  2 )  for every path  from r, for some j, M,  (j) ²   2, and  i<j, M,  (i) ²   1   2.

Lecture 833 (Inductive) definition of ²  M,(r,f) ²  E(  1 U  2 )  for one path  from r, for some j, M,  (j) ²   2, and  i<j, M,  (i) ²   1   2. –Note that in both EU and AU, the condition up until  2 is  1   2. and not just  1 !!

Lecture 834 AU:  1   2 until  2

Lecture 835 Model checking TCTL Definition of a labelling algorithm in the notes – not much different from CTL The only problem is this definition uses a least fixpoint iteration over an infinite set… In practice use the region construction…

Lecture 836 Optimization for TCTL MC We have already seen the steps to create a (finite) regional automaton Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion For this reason, limit the size of systems … so far …

Lecture 837 Uppaal – more formally TCTL, but with restrictions that amount to only safety (reachability) formulæ: –Set of clock constraints Z in formula is {} –Syntax just AG(  ) and EF(  ) (outer level) –  ::= a | x op n |  |  1  2 (op  { , , , ,  }) –a is a location in the model Other properties (bounded liveness…) require extended models/automatons: –compare system model with other test model