Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Graph Grammars

Published byMari Carlsson Modified over 5 years ago

Similar presentations

Presentation on theme: "Model Checking Graph Grammars"— Presentation transcript:

1 Model Checking Graph Grammars
Kaminski, Seidl et al. Muscholl Estonian Summer School on Computer and Systems Science Lecture 3 Arend Rensink, University of Twente

2 Model Checking Graph Grammars
Seen last time Visual and textual operational semantics With and without parallelism Statements and expressions with data Type graph and instances Graph structure Program graph Frame graph Value graph Operational semantics One or two rules per syntax construct Completely modular ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

3 Model Checking Graph Grammars
Temporal logic So far: state properties Invariants Inconsistencies More difficult: evolutionary properties In the next state … After some time … Never … Again and again … Every time this, eventually that Predicates & temporal nature orthogonal! Today: propositional temporal logic Predicate logic Temporal logic ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

4 Example properties: circular buffer
In every next state, the buffer is nonempty Holds if current buffer size is not 1 “empty” is a proposition The empty buffer is always reachable Correct The buffer is always emptied again Does not hold After every get, eventually there is a put ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

5 Not covered: temporal predicates
Examples: Every value is eventually removed Values are added and removed in FIFO Require quantification outside temporal modalities ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

6 Syntax of the logic (propositional)
State properties  ::= p proposition p holds in this state | 1 Ç 2 disjunction | : negation | A   holds along All paths | E   holds along somE path Path properties  ::=   holds in the first state | 1 Ç 2 disjunction | : negation | X   holds in the neXt state | 1 U 2 1 holds Until 2 holds ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

7 Useful auxiliary operators
Eventually  holds (liveness) Abbreviation: F  (in the Future) Equivalent to true U   holds always (safety) Abbreviation: G  (Globally) Equivalent to :(F :) ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

8 Model Checking Graph Grammars
Example properties In the next state, the buffer is nonempty X :empty or AX :empty The empty buffer is always reachable AG EF empty The buffer is always emptied again AF empty After every get, eventually there is a put AG (get ) F put) Negation: EF (get Æ G :put) ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

9 Semantics of temporal logic
Interpreted over Kripke structures Quadruple <S, T, P, I> with S a set of states T a set of transitions: T µ S £ S P a proposition evaluation: P µ Prop £ S I a start state: I 2 S For graph transition systems Transitions are applications of changing rules LHS and RHS not isomorphic Rule labels disregarded Propositions are applications of testing rules Distinguished start node ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

10 Model Checking Graph Grammars
Auxiliary notions Paths: sequences s0 s1 s2 … such that Transitions everywhere: (si,si+1) 2 T for all i We need infinite paths What about final states? Allow stuttering: (si,si+1) 2 T or si = si+1 s’: (si,s’) 2 T All (infinite) paths considered No notion of fairness or progress Extension: Büchi automata – not covered ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

11 Interpretation of state formulae
Satisfied by Kripke structure + state Satisfaction relation K, s ²  Defined inductively K, s ² p if (p,s) 2 P K, s ² 1Ç 2 if K,s ² 1 or K,s ² 2 K, s ² : if not K,s ²  K, s ² A  if K,s0s1... ²  for all paths with s0=s K, s ² E  if K,s0s1... ²  for some path with s0=s State component omitted if initial K ²  equivalent to K, I ²  ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

12 Model Checking Graph Grammars
Schematically For a tree-like Kripke structure Some path All paths For a cyclic Kripke structure there are infinitely many paths think of the unfolding (which is a tree) ... ... ... ... ... ... ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

13 Interpretation of path formulae
Satisfied by Kripke structure + path Satisfaction relation K,  ²  (with  = s0 s1 s2 ...) Defined inductively K,  ²  if K, s0 ²  K,  ² 1Ç 2 if K,  ² 1 or K,  ² 2 K,  ² : if not K,  ²  K,  ² X  if K, s1s2... ²  K,  ² 1 U 2 if K, sisi+1... ² 2 for some i and K, sjsj+1... ² 1 for all j<i Path component omitted if for all paths Starting from initial state ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

14 Model Checking Graph Grammars
Schematically p,q q p,q p,r q,r ... p X q pÇq U r F pÆr G qÇr ... ... ... ... ... ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

15 Fragments of temporal logic
Linear temporal logic (LTL) No quantification over paths Just X and U (hence F and G) Not included: e.g., AG EF empty Computation tree logic (CTL) Always quantification over paths Just EX, AX, EU and AU (hence EF, AF etc.) Not included: e.g., G (get ) F put) Complete logic (CTL*) quite expressive Model checking complex ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

16 Model Checking Graph Grammars
Can we answer the question K ²  For given (arbitrary) K and  This is called the model checking question For linear temporal logic (LTL): yes Based on nested depth-first search Complexity: linear in |K|, exponential in || Various optimizations: e.g., on-the-fly For computation tree logic (CTL): yes Based on breadth-first search Complexity: linear in |K|, linear in || More amenable to symbolic methods (BDDs) ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

17 Model Checking Graph Grammars
Syntax of CTL State properties only  ::= true always true | p proposition p holds in this state | 1 Ç 2 disjunction | : negation | AX   holds in All neXt states | EX   holds in somE neXt state | A(1 U 2) along All paths, 1 holds Until 2 | E(1 U 2) along somE path, 1 holds Until 2 dual not dual ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

18 Useful auxiliary operators
Eventually  holds (liveness) Abbreviation: AF  & EF  (in the Future) Equivalent to A(true U ) (resp. E)  holds always (safety) Abbreviation: AG  & EG  (Globally) Equivalent to :(EF :) (resp. A) ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

19 Model Checking Graph Grammars
Interpretation of CTL Satisfied by Kripke structure + state Satisfaction relation K, s ²  Defined inductively K, s ² p if (p,s) 2 P K, s ² 1 Ç 2 if K, s ² 1 or K, s ² 2 K, s ² : if not K, s ²  K, s ² AX  if K, s’ ²  for all (s,s’) 2 T K, s ² A(1 U 2) if for all paths  starting in s, there is a position k in  such that K, si ² 1 for all i<k and K, sk ² 2 K, s ² E(1 U 2) if there is a path  starting in s, and a position k in  such that K, si ² 1 for all i<k and K, sk ² 2 ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

20 Model checking question: K,I ² ?
Method: compositional (visitor pattern) Let S = { s j K,s ²  } (set of states satisfying ) Given sets Si for i (i=1,2), compute S for:  = :1  = 1 Ç 2  = AX 1 Problem: Until ( = A(1 U 2)) Due to quantification over paths: Requires “infinite” amount of knowledge Key observation: A(1 U 2) , 2 Ç (1 Æ AXA(1 U 2)) S is solution of X = S2 [ { s 2 S1 | 8(s,s’)2T: s’ 2 X } S is smallest solution of this equation S = S n S1 S = S1 [ S2 S = { s | 8 (s,s’) 2 T: s’ 2 S1} ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

21 Model Checking Graph Grammars
Fixpoint theory Let f be a function mapping sets to sets f is monotonic if X µ Y implies f(X) µ f(Y) X is a fixpoint of f if f(X) = X X is smallest if f(Y) = Y implies X µ Y Notation: f for smallest fixpoint of f Smallest fixpoints through iteration: let X0 = ; first approximant Xi+1 = f(Xi) next approximants Due to monotonicity, Xi µ Xi+1 If Xi = Xi+1 it is the smallest fixpoint of f If universe is finite, this always terminates ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

22 Model Checking Graph Grammars
Until as fixpoint Assume S1 and S2 are predefined sets Characteristic sets of 1 and 2 Let fAU be defined by fAU(X) = S2 [ { s 2 S1 | 8 (s,s’) 2 T: s’ 2 X } Then: fAU = S with  = A(1 U 2) fAU is monotonic and universe is finite So: f can be calculated through iteration What are fEU, fAF, fAG, fEF, fEG? In G cases: largest fixpoint, denoted fAG ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

23 Model Checking Graph Grammars
Example 1 Property: p U q X0 = ; X1 = {2} X2 = {2,3} X3 = {1,2,3} X4 = {1,2,3} Ready after 4th iteration! 2 1 4 p p q q p 3 p,r p,r fAU(X) = Sq [ { s 2 Sp | 8 (s,s’) 2 T: s’ 2 X } with Sp = {1,3,4} Sq = {2} ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

24 Model Checking Graph Grammars
Example Property: EG p X0 = {1,2,3,4} X1 = {1,3,4} X2 = {1,4} X3 = {4} X4 = {4} Ready after 4th iteration! 2 1 4 p p q q p p 3 p,r p,r fEG(X) = Sp Å { s | 9 (s,s’) 2 T: s’ 2 X } with Sp = {1,3,4} SEG p is largest fixpoint fEG! ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

25 Model checking graph transformations
2-phase approach First generate entire state space, then model check Disadvantages: Does not work for infinite state spaces Too much work if error is found early On-the-fly Check during state space generation, stop at error Only works for LTL (depth-first-search) Fails to terminate if wrong branch is chosen and state space is infinite Bounded On-the-fly up to a certain depth Increase depth if no error is found ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

26 Model Checking Graph Grammars
Optimisations Symmetry reduction Automatic due to isomorphism check Partial order reduction Standard solutions rely on parallel processes Do not exist for graph transformation New: optimistic approach (CONCUR 2008) Implementation pending Abstraction Theory of shape analysis (Sagiv et al.) Similar (parts of) graphs are collapsed Partial implementation in GROOVE ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

27 Model Checking Graph Grammars
Seen today Temporal Logic Path and state formulae Semantics Example properties Useful fragments Linear temporal logic (LTL) Computation tree logic (CTL) Model checking CTL ESSCASS Lecture 3, 28 August 2007 Model Checking Graph Grammars

Download ppt "Model Checking Graph Grammars"

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
François Fages MPRI Bio-info 2007 Formal Biology of the Cell Inferring Reaction Rules from Temporal Properties François Fages, Constraint Programming Group,

François Fages MPRI Bio-info 2007 Formal Biology of the Cell Inferring Reaction Rules from Temporal Properties François Fages, Constraint Programming Group,
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

Similar presentations

Ads by Google