Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D.

Published byAsher Douglas Modified over 9 years ago

Similar presentations

Presentation on theme: "Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D."— Presentation transcript:

1 Model Checking I What are LTL and CTL?

2 and or dreq q0 dack q0bar D D

3 View circuit as a transition system (dreq, q0, dack)  (dreq’, q0’, dack’) q0’ = dreq dack’ = dreq and (q0 or (not q0 and dack))

4 and or dreq q0 dack D D

5 dreq q0 dack dack’ q0’

6 Idea Transition system + special temporal logic + automatic checking algorithm

7 Exercise (from example circuit) (dreq, q0, dack)  (dreq’, dreq, dreq and (q0 or (not q0 and dack))) Draw state transition diagram Q: How many states for a start?

8 Hint (partial answer) 000 100 110 111 001 101 010 011

9 Question 000 100 110 111 001 101 010 011 Q: how many arrows should there be out of each state? Why so?

10 Exercise 000 100 110 111 001 101 010 011 Complete the diagram Write down the corresponding binary relation as a set of pairs of states

11 Another view computation tree from a state 111

12 Unwinding further 111 011 111 011 000 100 111 011 000 100 000 100 010 110......

13 Possible behaviours from state s s...... Transition relation R Relation vs. Function?

14 path = possible run of the system s...... Transition relation R

15 Points to note Transition system models circuit behaviour We chose the tick of the transition system to be the same as one clock cycle. Gates have zero delay – a very standard choice for synchronous circuits Could have had a finer degree of modelling of time (with delays in gates). Choices here determine what properties can be analysed Model checker starts with transition system. It doesn’t matter where it came from

16 Model Checking MC G(p -> F q) yes no p q p q property finite-state model algorithm counterexample (Ken McMillan)

17 and or dreq q0 dack D D 0 1 Netlist

18 input to SMV model checker MODULE main VAR w1 : boolean; VAR w2 : boolean; VAR w3 : boolean; VAR w4 : boolean; VAR w5 : boolean; VAR i0 : boolean; VAR w6 : boolean; VAR w7 : boolean; VAR w8 : boolean; VAR w9 : boolean; VAR w10 : boolean; DEFINE w4 := 0; DEFINE w5 := i0; ASSIGN init(w3) := w4; ASSIGN next(w3) := w5; DEFINE w7 := !(w3); DEFINE w9 := 1; DEFINE w10 := w5 & w6; ASSIGN init(w8) := w9; ASSIGN next(w8) := w10; DEFINE w6 := w7 & w8; DEFINE w2 := w3 | w6; MC builds internal representation of transition system

19 Transition system M S set of states (finite) R binary relation on states assumed total, each state has at least one arrow out A set of atomic formulas L function S -> set of atomic formulas that hold in that state Lars backwards finite Kripke structure

20 Path in M Infinite sequence of states π = s0 s1 s2... st

21 Path in M s0 s1 s2... R(s0,s1) є R (s1,s2) є R etc

22 Properties Express desired behaviour over time using special logic LTL (linear temporal logic) CTL (computation tree logic) CTL* (more expressive logic with both. LTL and CTL as subsets)

23 CTL* path quantifers A “for all computation paths” E “for some computation path” can prefix assertions made from Linear operators G “globally=always” F “sometimes” X “nexttime” U “until” about a path

24 CTL* formulas (syntax) path formulas f ::= s |  f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a |  s | s1  s2 | E f atomic formulas

25 Build up from core A f =  E  f F f = true U f G f =  F  f

26 Example G (req -> F ack)

27 Example G (req -> F ack) A request will eventually lead to an acknowledgement liveness linear

28 Example (Gordon) It is possible to get to a state where Started holds but Ready does not

29 Example (Gordon) It is possible to get to a state where Started holds but Ready does not E (F (Started &  Ready))

30 Semantics M = (L,A,R,S) M, s f f holds at state s in M (and omit M if it is clear which M we are talking about) M, π g g holds for path π in M

31 Semantics Back to syntax and write down each case S a a in L(s) (atomic) s  f not (s f) s f1  f2 s f1 or s f2 s E (g) Exists π. head(π) = s and π g

32 Semantics π f s f and head(π) = s π  g not (π g) π g1  g2 π g1 or π g2

33 Semantics π X g tail(π) g π g1 U g2 Exists k ≥ 0. drop k π g2 and Forall 0 ≤ j < k. drop j π g1 (note: I mean tail in the Haskell sense)

34 CTL Branching time (remember upside-down tree) Restrict path formulas (compare with CTL*) f ::=  f | s1  s2 | X s | s1 U s2 state formulas Linear time ops (X,U,F,G) must be wrapped up in a path quantifier (A,E).

35 Back to CTL* formulas (syntax) path formulas f ::= s |  f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a |  s | s1  s2 | E f atomic formulas

36 CTL Another view is that we just have the combined operators AU, AX, AF, AG and EU, EX, EF, EG and only need to think about state formulas A operators for necessity E operators for possibility

37 f :: = atomic |  f All immediate successors | AX f Some immediate succesor | EX f All paths always | AG f Some path always | EG f All paths eventually | AF f Some path eventually | EF f | f1 & f2 | A (f1 U f2) | E (f1 U f2)

38

39 Examples (Gordon) It is possible to get to a state where Started holds but Ready does not

40 Examples (Gordon) It is possible to get to a state where Started holds but Ready does not EF (Started &  Ready )

41 Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack

42 Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack AG (Req -> AF Ack)

43 Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged

44 Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged AG (Req -> A [Req U Ack])

45 LTL LTL formula is of form A f where f is a path formula with subformulas that are atomic (The f is what we write down. The A is implicit.) Restrict path formulas (compare with CTL*) f ::= a |  f | f1  f2 | X f | f1 U f2

46 Back to CTL* formulas (syntax) path formulas f ::= s |  f | f1  f2 | X f | f1 U f2 state formulas (about an individual state) s ::= a |  s | s1  s2 | E f atomic formulas

47

48 LTL It is the restricted path formulas that we think of as LTL specifications (See P&R again) G  (critical1 & critical2) mutex FG initialised eventually stays initialised GF myMove myMove will always eventually hold G (req -> F ack) request acknowledge pattern

49 In CTL but not LTL AG EF start Regardless of what state the program enters, there exists a computation leading back to the start state AF AG p

50 In both AG (p → AF q) in CTL G(p → F q) in LTL

51 In LTL but not CTL [ G F p → F q] if there are infinitely many p along the path, then there is an occurrence of q F G p

52 In CTL* but not in LTL or CTL E [G F p] there is a path with infinitely many p

53 Further reading Ed Clarke’s course on Bug Catching: Automated Program Verification and Testing complete with moving bug on the home page! Covers model checking relevant to hardware too. http://www.cs.cmu.edu/afs/cs.cmu.edu/academic/class/15414- f06/www/index.html For some history (by the inventors themselves) see this workshop celebrating 25 years of MC http://www.easychair.org/FLoC-06/25MC-day227.html

54 Example revisited A sequence beginning with the assertion of signal strt, and containing two not necessarily consecutive assertions of signal get, during which signal kill is not asserted, must be followed by a sequence containing two assertions of signal put before signal end can be asserted AG~(strt & EX E[~get & ~kill U get & ~kill & EX E[~get & ~kill U get & ~kill & E[~put U end] or E[~put & ~end U (put & ~end & EX E[~put U end])]]])

55 Next lecture How to model check CTL formulas

Download ppt "Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar D D."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 1.

Model Checking Lecture 1.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.
Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.

Model Checking I What are LTL and CTL?. and or dreq q0 dack q0bar.
CS6133 Software Specification and Verification

CS6133 Software Specification and Verification
Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.

Model Checking Inputs: A design (in some HDL) and a property (in some temporal logic) Outputs: Decision about whether or not the property always holds.
CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.

CS 267: Automated Verification Lecture 7: SMV Symbolic Model Checker, Partitioned Transition Systems, Counter-example Generation in Symbolic Model Checking.
Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.

Digitaalsüsteemide verifitseerimise kursus1 Formal verification: Property checking Property checking.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.

1 Temporal Logic u Classical logic:  Good for describing static conditions u Temporal logic:  Adds temporal operators  Describe how static conditions.
Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Lecture 4&5: Model Checking: A quick introduction Professor Aditya Ghose Director, Decision Systems Lab School of IT and Computer Science University of.

Similar presentations

Ads by Google