Introduction Modeling Specifications CTL LTL and CTL* SAT Abstraction
Introduction to Model Checking
Fabio Somenzi
Department of Electrical, Computer, and Energy Engineering, University of Colorado at Boulder
July 25, 2009
Outline
1 Introduction
2 Modeling Systems and Properties
3 Specification Mechanisms
4 CTL Model Checking
5 Model Checking LTL and CTL*
6 SAT-Based Model Checking
7 Abstraction
The Sales Pitch
Two thirds of the ASIC budget goes into verification
Dynamic verification has improved, but ...
The verification crisis only got worse over the last decade
Over 60% of IC designs require a second spin
Bugs that go undetected may end up costing hundreds of millions of dollars
The FDIV bug cost Intel over $500M
Security and dependability are increasingly important
Binary-Gray-Binary
[Figure: circuit with three D flip-flops p, q, r and two XOR gates computing z from input i; sample waveform with bit sequences 0101, 1011, 0101, 1110, 1011]
AG(p ↔ z): invariably (AG) p and z have the same value
Verilog Description

```verilog
module gray (clock, i, z);
  input  clock, i;
  output z;
  reg    p, q, r;
  wire   w;
  // Blocking assignments in source order: r takes the old z, q the old p.
  always @ (posedge clock) begin
    r = z;
    q = p;
    p = i;
  end
  assign w = p ^ q, z = w ^ r;
endmodule // gray
```
States and Transitions
State encoding pqr, e.g. 100 : p ∧ ¬q ∧ ¬r
[State graph: the eight states 000, 100, 010, 110, 001, 101, 011, 111, each with two successors (one per value of the input i); z holds in 100, 010, 001, 111 and ¬z in 000, 011, 101, 110]
(p ↔ z) → AG(p ↔ z) holds of all initial states
(q ↔ r) → AG(p ↔ z) holds of all initial states
AG((p ↔ z) ↔ (q ↔ r)) holds of all initial states
Another Property
[State graph: the same eight states as above]
EF(p ↔ z): "p and z may become equal"
does not hold of all initial states
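The eight-state graph above can be generated mechanically from the Verilog. The following Python is an added example, not part of the slides: it treats the input i as a nondeterministic choice, builds the Kripke structure ⟨S, T, S0, A, L⟩ in the form defined later under "Kripke Structures", and checks the AG and EF properties by explicit forward reachability. Taking all eight states as initial (the module has no reset) is an assumption.

```python
from collections import deque
from itertools import product

def z_of(state):
    """Combinational output: assign w = p ^ q, z = w ^ r."""
    p, q, r = state
    return p ^ q ^ r

def next_state(state, i):
    """One posedge of the always block; the blocking assignments run in
    source order, so r takes the *old* z and q the *old* p."""
    p, q, r = state
    r = z_of(state)          # r = z
    q = p                    # q = p
    p = i                    # p = i
    return (p, q, r)

def gray_kripke():
    """Kripke structure <S, T, S0, A, L> of the module; the free input i
    becomes a nondeterministic choice between two successors."""
    S = set(product((0, 1), repeat=3))          # states are (p, q, r)
    T = {(s, next_state(s, i)) for s in S for i in (0, 1)}
    S0 = S                                      # no reset: every state initial (assumption)
    A = ("p", "q", "r", "z")
    def L(s):
        return {a for a, v in zip(A, (*s, z_of(s))) if v}
    return S, T, S0, A, L

def reachable(T, start):
    """Forward breadth-first exploration from start (start included)."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for (u, t) in T:
            if u == s and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def holds_AG(T, s, prop):
    """s |= AG prop  iff  prop holds in every state reachable from s."""
    return all(prop(t) for t in reachable(T, s))

def holds_EF(T, s, prop):
    """s |= EF prop  iff  prop holds in some state reachable from s."""
    return any(prop(t) for t in reachable(T, s))

def p_iff_z(s):
    return s[0] == z_of(s)

def q_iff_r(s):
    return s[1] == s[2]

def check_all():
    """Evaluate the slides' properties over all initial states."""
    S, T, S0, A, L = gray_kripke()
    return {
        "p_iff_z_implies_AG": all(not p_iff_z(s) or holds_AG(T, s, p_iff_z) for s in S0),
        "q_iff_r_implies_AG": all(not q_iff_r(s) or holds_AG(T, s, p_iff_z) for s in S0),
        "AG_equiv": all(holds_AG(T, s, lambda t: p_iff_z(t) == q_iff_r(t)) for s in S0),
        "EF_p_iff_z": all(holds_EF(T, s, p_iff_z) for s in S0),
        "EF_fails_in": sorted(s for s in S0 if not holds_EF(T, s, p_iff_z)),
    }

if __name__ == "__main__":
    for name, value in check_all().items():
        print(name, value)
```

The four initial states in which EF(p ↔ z) fails are exactly those with q ≠ r: since r' = p ⊕ q ⊕ r and q' = p, the value of q ↔ r is preserved by every transition, so a state that starts with q ≠ r never reaches one with p ↔ z.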
The CGW Puzzle
[State graph of the 16 states llll, rlrl, llrl, rrlr, lrlr, rrrr, lrll, rrrl, lllr, rlrr, rlll, lrrr, rrll, lrrl, rllr, llrr, with yellow and cyan states highlighted]
rlrl: boat and goat on right bank; cabbage and wolf on left
E[¬yellow U cyan]
there is a path to a cyan state not going through any yellow states
Solving the Puzzle
Compute μZ. cyan ∨ (¬yellow ∧ EX Z)
[Figure: successive iterates of the fixpoint computation highlighted on the 16-state graph]
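The least fixpoint above, computed by explicit backward iteration, as an added example that is not part of the slides. The state encoding follows the slide (one letter each for boat, cabbage, goat, wolf). The reading of yellow as "goat left with the cabbage or the wolf while the boat is on the other bank" and cyan as rrrr is an assumption; the slide only names the colours.

```python
from itertools import product

def all_states():
    """All 2^4 side assignments, written as 'bcgw' (boat, cabbage, goat, wolf)."""
    return ["".join(s) for s in product("lr", repeat=4)]

def successors(s):
    """The boat crosses alone or with one item that is on its own bank."""
    b = s[0]
    other = "r" if b == "l" else "l"
    out = {other + s[1:]}                       # boat crosses alone
    for idx in (1, 2, 3):                       # cabbage, goat, wolf
        if s[idx] == b:
            t = list(s)
            t[0] = t[idx] = other
            out.add("".join(t))
    return out

def yellow(s):
    """Assumed meaning: goat alone with cabbage or wolf (something gets eaten)."""
    b, c, g, w = s
    return b != g and (g == c or g == w)

def cyan(s):
    """Assumed meaning: everything on the right bank."""
    return s == "rrrr"

def EX(Z, states):
    """Pre-image: states with at least one successor in Z."""
    return {s for s in states if successors(s) & Z}

def least_fixpoint(states):
    """Iterate Z := cyan ∨ (¬yellow ∧ EX Z) from Z = ∅ until it stabilises.
    Returns Z and, per state, the iteration in which it entered Z."""
    Z, rank, k = set(), {}, 0
    while True:
        k += 1
        pre = EX(Z, states)
        new = {s for s in states if cyan(s) or (not yellow(s) and s in pre)}
        if new == Z:
            return Z, rank
        for s in new - Z:
            rank[s] = k
        Z = new

def witness(start, rank):
    """Extract a path: from a state that entered Z at iteration k, some
    successor entered at iteration < k, so ranks strictly decrease to cyan."""
    path = [start]
    while not cyan(path[-1]):
        nxt = min((t for t in successors(path[-1]) if t in rank),
                  key=lambda t: (rank[t], t))
        path.append(nxt)
    return path

def solve():
    """Does llll satisfy E[¬yellow U cyan]? If so, return a witness path."""
    states = all_states()
    Z, rank = least_fixpoint(states)
    return witness("llll", rank) if "llll" in Z else None

if __name__ == "__main__":
    print(" -> ".join(solve()))
```

The iteration entry ranks double as a distance to the goal, which is what makes witness extraction a simple greedy walk; the same trick yields counterexample traces for AG properties, since AG ϕ fails exactly when E[true U ¬ϕ] holds.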
Model Checking
Check whether the given finite-state system is a model for a property
That is, check whether the computations of the system satisfy the property
The check is based on exploring the states of the system
The Cube Puzzle
AG(position = center → ⋁_{0≤i<27} ¬visited_i)
There are 3.46 · 10^7 reachable states out of 4.29 · 10^9
[Photo slide: Glacier Gorge]
[Photo slide: Further Up]
The Starry Sky Above Me...
Galaxies in the (observable) universe: 2.5 · 10^11
Stars in the Milky Way: 4 · 10^11
Stars in the universe: 10^23
Average number of neutrinos per cubic meter: 3.3 · 10^8
Neutrinos in the universe: 10^93 (wild guess)
A small sequential circuit may have more than 10^100 states (10^100 = 1 googol)
Combating State Explosion
Symbolic Model Checking
Represent sets (of states and transitions) by their characteristic functions
{00, 01, 10} → ¬x_1 ∨ ¬x_2
x_1 ∨ x_100 represents 3 · 2^98 elements (out of 2^100 assignments)
BDDs and CNF are popular representations
Do not enumerate the elements of the sets; manipulate the characteristic functions instead
Abstraction
Infer properties of the concrete model from the analysis of a simplified abstract model
Familiar Abstractions
[Figure: RC circuit driven by a source v(t), with a resistor R and a capacitor C]

```cpp
#include <iostream>
int main()
{
  std::cout << "Hello, world!" << std::endl;
  return 0;
}
```
Layered Abstractions
[Scatter plot: Case D time (s) versus Case C time (s), both axes logarithmic from 10^-1 to 10^4]
Peterson Mutex Algorithm

```verilog
// Each clock edge, the process chosen by `select` executes one step.
always @ (posedge clock) begin
  self = select;
  case (pc[self])
    L0: if (!pause) pc[self] = L1;
    L1: begin intr[self] = 1; pc[self] = L2; end
    L2: begin turn = ~self; pc[self] = L3; end
    L3: if (!intr[~self] || turn == self) pc[self] = L4;
    L4: if (!pause) pc[self] = L5; // critical
    L5: begin intr[self] = 0; pc[self] = L0; end
  endcase
end
```
Properties for Mutex Algorithm
Mutual exclusion
AG ¬(pc[0] = L4 ∧ pc[1] = L4)
Absence of starvation
AG(pc[0] = L1 → AF pc[0] = L4)
AG(pc[1] = L1 → AF pc[1] = L4)
Temporal logic operators
AG: invariably, AF: inevitably
Nondeterminism
The same model as above: `select` (which process takes the step) and `pause` (whether a process stalls at L0 or stays in the critical section at L4) are unconstrained inputs, so a state can have several successors.
Fairness Conditions
Fair scheduling
GF self = 1 ∧ GF self = 0
Neither process dwells forever in the critical section
GF pc[0] ≠ L4 ∧ GF pc[1] ≠ L4
Temporal logic operators
GF: infinitely often
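An explicit-state check of the Peterson model, added here as an example and not the slides' own tool. `select` and `pause` are treated as free inputs, so the reachable graph is the interleaving product of the two processes. The code verifies mutual exclusion over the reachable states and then shows why the fairness conditions are needed: without them AG(pc[0] = L1 → AF pc[0] = L4) fails, and the counterexample lasso, found through the greatest fixpoint for EG, is one in which process 1 is never scheduled. The initial state (both processes at L0, intr cleared, turn either value) is an assumption; the slide shows no reset.

```python
from collections import deque

L0, L1, L2, L3, L4, L5 = range(6)

def step(state, select, pause):
    """One clock edge of the always block, executed by process `select`.
    state = (pc0, pc1, intr0, intr1, turn)."""
    pc, intr, turn = list(state[:2]), list(state[2:4]), state[4]
    me, other = select, 1 - select
    if pc[me] == L0:
        if not pause: pc[me] = L1
    elif pc[me] == L1:
        intr[me] = 1; pc[me] = L2
    elif pc[me] == L2:
        turn = other; pc[me] = L3                # turn = ~self
    elif pc[me] == L3:
        if not intr[other] or turn == me: pc[me] = L4
    elif pc[me] == L4:                           # critical section
        if not pause: pc[me] = L5
    elif pc[me] == L5:
        intr[me] = 0; pc[me] = L0
    return (pc[0], pc[1], intr[0], intr[1], turn)

INITIAL = {(L0, L0, 0, 0, t) for t in (0, 1)}   # assumed reset state

def explore():
    """Reachable states with labelled edges: state -> [(select, pause, next)]."""
    trans, todo = {}, deque(INITIAL)
    while todo:
        s = todo.popleft()
        if s in trans:
            continue
        trans[s] = [(sel, pz, step(s, sel, pz)) for sel in (0, 1) for pz in (0, 1)]
        todo.extend(t for _, _, t in trans[s])
    return trans

def mutual_exclusion(trans):
    """AG ¬(pc[0] = L4 ∧ pc[1] = L4) over the reachable states."""
    return all(not (s[0] == L4 and s[1] == L4) for s in trans)

def EG(trans, prop):
    """Greatest fixpoint νZ. prop ∧ EX Z, restricted to reachable states."""
    Z = {s for s in trans if prop(s)}
    while True:
        Z2 = {s for s in Z if any(t in Z for _, _, t in trans[s])}
        if Z2 == Z:
            return Z
        Z = Z2

def starvation_witness(trans, proc):
    """AF pc[proc] = L4 fails at s iff s |= EG(pc[proc] ≠ L4). Return the
    smallest reachable such s with pc[proc] = L1, a lasso from it that stays
    inside the EG set, and whether that lasso's loop meets the fairness
    conditions; None if the AF property holds."""
    W = EG(trans, lambda s: s[proc] != L4)
    starts = sorted(s for s in W if s[proc] == L1)
    if not starts:
        return None
    s, path, seen = starts[0], [], {}
    while s not in seen:
        seen[s] = len(path)
        sel, pz, t = min(e for e in trans[s] if e[2] in W)
        path.append((s, sel, pz))
        s = t
    loop = path[seen[s]:]
    return {
        "state": starts[0],
        "loop": loop,
        "fair_scheduling": {sel for _, sel, _ in loop} == {0, 1},
        "leaves_critical": all(any(st[p] != L4 for st, _, _ in loop) for p in (0, 1)),
    }

if __name__ == "__main__":
    trans = explore()
    print("reachable states:", len(trans), "mutual exclusion:", mutual_exclusion(trans))
    print(starvation_witness(trans, 0))
```

The lasso found is process 0 blocked at L3 (intr[1] = 1, turn = 1) while `select` stays 0 forever: process 1, sitting at L2, never gets to execute `turn = ~self`. That run violates GF self = 1, so it is excluded once the fair-scheduling constraint is imposed, which is exactly why the slide pairs the AF properties with the fairness conditions.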
Section 2: Modeling Systems and Properties
Kripke Structures
Finite transition systems without inputs
⟨S, T, S0, A, L⟩
S: finite set of states
T ⊆ S × S: transition relation
S0 ⊆ S: set of initial states
A: set of atomic propositions
L: S → 2^A: labeling function
Kripke Structure Example
[Figure: state a, labelled p, with a self-loop and an edge to b; b, unlabelled, with an edge to c; c, labelled p, q, with a self-loop]
K = ⟨S, T, S0, A, L⟩
S = {a, b, c}
T = {(a, a), (a, b), (b, c), (c, c)}
S0 = {a}
A = {p, q}
L: {a, b, c} → {{}, {p}, {q}, {p, q}}
L(a) = {p}, L(b) = {}, L(c) = {p, q}
Composition
Complex systems are composed of several modules
Each module is described as a finite state machine (FSM)
The overall Kripke structure is obtained as the product of the FSMs
State explosion!
The product can be either synchronous or asynchronous (interleaving)
Specifications
Properties are sets of behaviors
Various specification mechanisms are in use: temporal logics and automata are popular
The examples we have seen are formulae of the temporal logic CTL
Syntactic sugar is often useful (e.g., PSL/Sugar)
Temporal Logics
Temporal logics add temporal operators and path quantifiers to standard (e.g., propositional) logics
Temporal operators allow one to conveniently describe the order of occurrence of events and other statements involving time without explicitly mentioning time
Expressiveness of propositional temporal logic is in between those of propositional logic and predicate logic
Operators and Quantifiers
Gϕ: ϕ holds globally (□ϕ)
Fϕ: ϕ holds eventually (◇ϕ)
ψ Uϕ: ψ holds until ϕ holds
ψ Rϕ: ψ releases ϕ
Xϕ: ϕ holds at the next state (○ϕ)
E: along at least one path
A: along all paths
In CTL all temporal operators are immediately preceded by a path quantifier
Branching Time
Branching time logics reason about computation trees
[Figure: a Kripke structure with states 1 to 5 and the computation tree obtained by unrolling it]
Linear Time
Linear time logics reason about sets of computation paths
[Figure: a Kripke structure with states 1 to 5 and a set of its computation paths, each shown as a sequence of states]
Linear vs. Branching Time: Syntax
A linear-time temporal logic formula can contain only one path quantifier, at the beginning
A F G p
A(F p → F q)
E G F p (existential linear-time formula)
A branching-time formula may have multiple quantifiers
AF AG p
AG EF p
EG EF p
Linear vs. Branching Time
[Figure: a three-state structure with states a, b, c; ϕ holds in a and c but not in b]
AFGϕ holds in this structure
Infinite paths eventually dwell in either a or c, where ϕ holds
AFAGϕ does not hold in this structure
As long as a run dwells in a, it can always go to a state where ϕ does not hold
No CTL formula exists that is equivalent to AFGϕ
Linear vs. Branching Time
[Figure: two vending machines that accept a 25¢ coin and dispense tea or coffee; they differ in whether the tea/coffee choice is made when the coin is inserted or afterwards]
Linear-time properties cannot distinguish these two
Trace Equivalence vs. Bisimilarity
Linear time properties cannot distinguish two structures if they are trace (language) equivalent
Branching time properties cannot distinguish two structures if they are bisimilar
Bisimilarity is stronger than trace equivalence (see previous example)
Bisimilar States
[Figure: states p and p′ with L(p) = L′(p′); each successor of p is bisimilar to some successor of p′, and vice versa]
p and p′ are bisimilar
Bisimulation Relation
A relation B among the states of two Kripke structures K and K′ with A = A′ is a bisimulation relation if (p, p′) ∈ B implies
L(p) = L′(p′)
(p, q) ∈ T → ∃q′ . (p′, q′) ∈ T′ ∧ (q, q′) ∈ B
(p′, q′) ∈ T′ → ∃q . (p, q) ∈ T ∧ (q, q′) ∈ B
Bisimilar Structures
Two Kripke structures K and K′ are bisimulation equivalent (K ≡ K′) if there is a bisimulation relation between their states such that every initial state of one structure is bisimilar to some initial state of the other structure
Two structures are bisimulation equivalent iff they satisfy the same branching-time properties
CTL properties suffice (Browne et al. [1988])
Similar States
[Figure: states p and p′ with L(p) = L′(p′) over A; each successor of p is simulated by some successor of p′]
p is simulated by p′
Simulation Relation
A relation Σ among the states of two Kripke structures K and K′ with A ⊆ A′ is a simulation relation if (p, p′) ∈ Σ implies
L(p) = L′(p′) ∩ A
(p, q) ∈ T → ∃q′ . (p′, q′) ∈ T′ ∧ (q, q′) ∈ Σ
We say that p is simulated by p′
Example of Simulation
[Figure: the two 25¢ tea/coffee vending machines from the earlier slide, used to illustrate simulation]
Similar and Simulation-Equivalent Structures
Kripke structure K′ simulates structure K (written K ≼ K′) if there exists a simulation relation Σ ⊆ S × S′ such that for every initial state s of K there is an initial state s′ of K′ such that (s, s′) ∈ Σ
If K ≼ K′ and ϕ is a universal branching-time formula over A, then K′ |= ϕ implies K |= ϕ.
Two Kripke structures K and K′ are simulation equivalent (K ∼ K′) iff K ≼ K′ and K′ ≼ K
Two structures are simulation equivalent iff they satisfy the same branching-time universal properties
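The simulation and bisimulation relations defined on the preceding slides, computed on the two vending machines by refining the slides' conditions to a fixpoint. This is an added example, not code from the slides: the two machines, their state labels and the edges returning to idle are constructed assumptions, and the trace comparison is a bounded check of finite prefixes.

```python
"""Greatest simulation and bisimulation relations between two Kripke
structures, computed by refining the conditions from the slides until a
fixpoint is reached. Added example, not code from the slides; the two
vending machines are constructed to match the slide's description."""


class Kripke:
    """States labelled with sets of atomic propositions (L), a transition
    relation T and a set of initial states."""

    def __init__(self, states, init, trans, label):
        self.states, self.init, self.label = list(states), set(init), label
        self.succ = {s: set() for s in states}
        for p, q in trans:
            self.succ[p].add(q)


def greatest_simulation(k1, k2):
    """Largest Sigma such that (p, p') in Sigma implies L(p) = L'(p') ∩ A
    and every successor q of p has a successor q' of p' with (q, q') in
    Sigma.  Start from all label-compatible pairs and drop pairs that
    violate the step condition until nothing changes (greatest fixpoint)."""
    atoms = set().union(*k1.label.values())          # A (A ⊆ A' assumed)
    rel = {(p, q) for p in k1.states for q in k2.states
           if k1.label[p] == (k2.label[q] & atoms)}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            for p2 in k1.succ[p]:
                if not any((p2, q2) in rel for q2 in k2.succ[q]):
                    rel.discard((p, q))
                    changed = True
                    break
    return rel


def simulates(k1, k2):
    """K ≼ K': every initial state of k1 is simulated by an initial state of k2."""
    sigma = greatest_simulation(k1, k2)
    return all(any((s, t) in sigma for t in k2.init) for s in k1.init)


def greatest_bisimulation(k1, k2):
    """Same refinement, but the step condition must hold in both directions."""
    rel = {(p, q) for p in k1.states for q in k2.states
           if k1.label[p] == k2.label[q]}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            fwd = all(any((p2, q2) in rel for q2 in k2.succ[q]) for p2 in k1.succ[p])
            bwd = all(any((p2, q2) in rel for p2 in k1.succ[p]) for q2 in k2.succ[q])
            if not (fwd and bwd):
                rel.discard((p, q))
                changed = True
    return rel


def bisimilar(k1, k2):
    """K ≡ K': each initial state of either structure is bisimilar to an
    initial state of the other."""
    b = greatest_bisimulation(k1, k2)
    return (all(any((s, t) in b for t in k2.init) for s in k1.init) and
            all(any((s, t) in b for s in k1.init) for t in k2.init))


def traces(k, n):
    """All label sequences of length n from the initial states: the finite
    prefixes that a linear-time property can observe."""
    frontier = {(s, (frozenset(k.label[s]),)) for s in k.init}
    for _ in range(n - 1):
        frontier = {(q, w + (frozenset(k.label[q]),))
                    for s, w in frontier for q in k.succ[s]}
    return {w for _, w in frontier}


# Constructed vending machines (tea and coffee both return to idle so that
# every state has a successor).  CHOICE_AT_COIN commits to tea or coffee
# when the 25¢ coin is inserted; CHOICE_AFTER_COIN accepts the coin first.
CHOICE_AT_COIN = Kripke(
    ["idle", "paid_t", "paid_c", "tea", "coffee"], ["idle"],
    [("idle", "paid_t"), ("idle", "paid_c"), ("paid_t", "tea"),
     ("paid_c", "coffee"), ("tea", "idle"), ("coffee", "idle")],
    {"idle": set(), "paid_t": {"25c"}, "paid_c": {"25c"},
     "tea": {"tea"}, "coffee": {"coffee"}})

CHOICE_AFTER_COIN = Kripke(
    ["idle", "paid", "tea", "coffee"], ["idle"],
    [("idle", "paid"), ("paid", "tea"), ("paid", "coffee"),
     ("tea", "idle"), ("coffee", "idle")],
    {"idle": set(), "paid": {"25c"}, "tea": {"tea"}, "coffee": {"coffee"}})

if __name__ == "__main__":
    print("same 4-step traces :", traces(CHOICE_AT_COIN, 4) == traces(CHOICE_AFTER_COIN, 4))
    print("at-coin ≼ after-coin:", simulates(CHOICE_AT_COIN, CHOICE_AFTER_COIN))
    print("after-coin ≼ at-coin:", simulates(CHOICE_AFTER_COIN, CHOICE_AT_COIN))
    print("bisimilar           :", bisimilar(CHOICE_AT_COIN, CHOICE_AFTER_COIN))
```

The two machines agree on every finite trace, one simulates the other but not conversely, and they are not bisimilar, which is exactly why a linear-time property cannot tell them apart while a branching-time one can.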
Linear vs. Branching Time: Summary
Branching time is more powerful, but also trickier
Two vending machine models
A F Gϕ vs. AF AGϕ
Linear time is more suitable for compositional verification and Bounded Model Checking
Counterexample generation simpler for linear time
Safety
A safety property describes something bad that should not happen
AG¬(grant0 ∧ grant1): requestors 0 and 1 should not be granted access to the shared resource simultaneously
AG¬(door = open ∧ engine = running)
Liveness
A liveness property describes something good that should happen
AG(req → F ack): requests should be acknowledged
Safety or Liveness?
The definitions given so far may be confusing
AG(command = stop → X state = halt)
AG(command = stop → F state = halt)
AG(req → F ack)
Safety in Linear Time
A linear-time property is a set of (linear) traces or infinite sequences over the atomic propositions
A property ϕ is a safety property if every trace not in ϕ has a prefix that cannot be extended to a trace in ϕ
Intuitively, the prefix includes the bad event that causes the property to fail
AG(p → X q) is a safety property
A counterexample includes a state where p holds followed by a state where ¬q holds
The prefix that includes these two states cannot be extended to an infinite path satisfying the property
Liveness in Linear Time
A linear-time property ϕ is a liveness property if every finite sequence over the atomic propositions can be extended to an infinite sequence in ϕ
Intuitively, finite prefixes do not affect the fulfillment of the eventualities that characterize liveness properties
AG(p → F q) is a liveness property
One can add a state where q holds to any finite prefix
Neither Safe Nor Live
A(p U q) is neither a safety property nor a liveness property
A trace satisfying G(p ∧ ¬q) is a counterexample with no prefix that cannot be extended
A trace satisfying ¬q U(¬p ∧ ¬q) is a counterexample with a finite prefix that cannot be extended
Every property can be written as the intersection of a safety property and a liveness property
A(p U q) = A((q R(p ∨ q)) ∧ F q)
Classification of Properties
Time structure: branching, linear
Bisimilarity, trace equivalence
Safety, liveness
Existential, universal
Tense: future, past
X versus Y (neXt vs. Yesterday); see Laroussinie and Schnoebelen [2000]
Outline
1 Introduction
2 Modeling Systems and Properties
3 Specification Mechanisms
4 CTL Model Checking
5 Model Checking LTL and CTL*
6 SAT-Based Model Checking
7 Abstraction
CTL*
CTL* is a powerful branching-time temporal logic
We use a subset of the operators (X and U) and the E quantifier to define the syntax
The remaining operators are defined as abbreviations
We need both state formulae and path formulae to recursively define the logic
The state formulae give CTL*
Path formulae can only appear as subformulae
CTL* Syntax
An atomic proposition is a state formula
A state formula is also a path formula
If ϕ and ψ are state formulae, so are ¬ϕ and ϕ ∧ ψ
If ϕ is a path formula, Eϕ is a state formula
If ϕ and ψ are path formulae, so are ¬ϕ and ϕ ∧ ψ
If ϕ and ψ are path formulae, so are Xϕ and ψUϕ
CTL* Abbreviations
ϕ ∨ ψ = ¬(¬ϕ ∧ ¬ψ)
true = ϕ ∨ ¬ϕ
false = ϕ ∧ ¬ϕ
ψ Rϕ = ¬(¬ψU¬ϕ)
Fϕ = trueUϕ
Gϕ = false Rϕ
Aϕ = ¬E¬ϕ
“Pushing Down” Negations
¬AGFϕ = EFG¬ϕ
Negations can be pushed “down” toward the atomic propositions
The basic rules are (besides De Morgan)
ψ Rϕ = ¬(¬ψ U¬ϕ)
Aϕ = ¬E¬ϕ
From the first we get Gϕ = ¬F¬ϕ
CTL* Semantics
The semantics of CTL* formulae are defined with respect to a Kripke structure K
If formula ϕ holds of state s (path π) of K, we write K, s |= ϕ (K, π |= ϕ)
The double turnstile is read “models”
K is omitted when no ambiguity arises
πi is π without the first i states
CTL* Semantics
s |= p, p ∈ A iff p ∈ L(s)
s |= ¬ϕ iff s ⊭ ϕ
s |= ϕ ∧ ψ iff s |= ϕ and s |= ψ
s |= Eϕ iff ∃π from s such that π |= ϕ
π |= ¬ϕ iff π ⊭ ϕ
π |= ϕ ∧ ψ iff π |= ϕ and π |= ψ
π |= Xϕ iff π1 |= ϕ
π |= ψ Uϕ iff ∃i ≥ 0 . πi |= ϕ and 0 ≤ j < i → πj |= ψ
Semantics of X and U
[Figure: two paths starting at s0. For ψ U ϕ the states along the path are labelled ψ, ψ, ψ, ϕ in sequence; for Xϕ the state immediately after s0 is labelled ϕ]
CTL
Computational Tree Logic is a branching-time fragment of CTL*
In CTL every temporal operator must be immediately preceded by a path quantifier
AF AGϕ is a CTL formula
A F Gϕ is not a CTL formula
Model checking is easy relative to CTL*
LTL
Linear Temporal Logic is a linear-time fragment of CTL*
In LTL there can be only one quantifier, at the beginning of the formula
The quantifier is usually A, in which case it is usually omitted
F Gϕ means A F Gϕ
Omega-Automata
Properties can be described by automata that take the computation of the system as input and either accept it or reject it
For computations that finish, regular automata suffice
For non-terminating computations we need ω-automata
Introduction Modeling Specifications CTL LTL and CTL* SAT Abstraction
Automaton for Safety Property
AG(ϕ→ X¬ψ) is negated to get the formula EF(ϕ ∧ Xψ)
ψϕ
Why Omega Automata?
For safety properties we can “stretch” regular automata because it suffices to find the non-extensible prefixes of the counterexamples
For liveness properties we need to address the fact that the computations we consider do not terminate
Büchi Automata
Büchi automata are similar to (nondeterministic) regular automata except for the acceptance condition
A Büchi automaton accepts an infinite sequence if there is a run of it that goes through an accepting state infinitely often
Büchi Automaton to Model Check AFGϕ
We negate the property to get EGF¬ϕ
[Figure: Büchi automaton for GF¬ϕ, with a transition labelled ¬ϕ]
A computation accepted by the automaton is a counterexample to AFGϕ
Omega-Automata
Omega-automata describe linear-time properties
They are more expressive than LTL
[Figure: ω-automaton with transitions labelled p and q, illustrating a property that LTL cannot express]
Fairness
Fairness constraints are used to
Model features of the environment
Mitigate the effects of simplifications of the model
They instruct the model checker to disregard certain (unfair) computations
Modeling the Environment
Property: The combination lock will open unless we keep making mistakes
Fairness constraint: provided we never give up
This constraint implies that the knob is turned infinitely often
Mitigating Abstraction
Property: All requests are eventually acknowledged
Fairness constraints: provided all grantees eventually relinquish the shared resource
These constraints imply that each requestor is infinitely often not using the shared resource
Büchi Fairness Constraints
A Büchi fairness constraint is a set of states that a fair run must intersect infinitely often
LTL can express fairness constraints
A(GFψ → ϕ) says that ϕ must hold only along paths where ψ holds infinitely often
CTL cannot express fairness constraints
They must be specified separately
CTL Model Checking
Given a Kripke structure K and a CTL formula ϕ, we want to determine whether K |= ϕ
We find [[ϕ]]_K, the set of all states s such that K, s |= ϕ
We then check whether S0 ⊆ [[ϕ]]_K
When no confusion arises we write simply ϕ for [[ϕ]]_K
Computing Satisfying Sets
Work bottom-up on the parse graph of the CTL formula
Annotate every node with the satisfying set of the subformula rooted at the node
The computation at each node of the parse graph depends on its label
Satisfying Sets for EG Eψ Uϕ
[Figure: the parse graph EG → EU → (ψ, ϕ) next to a four-state Kripke structure with states 1, 2, 3, 4, where states 1 and 3 are labelled ϕ and state 2 is labelled ψ. The annotations computed bottom-up are [[ψ]] = {2}, [[ϕ]] = {1, 3}, [[Eψ Uϕ]] = {1, 2, 3} and [[EG Eψ Uϕ]] = {1, 2}]
Action for Each Label
Atomic proposition p: return the set of states with p in their labels
¬ϕ: return the complement of [[ϕ]]_K
ϕ ∧ ψ: return [[ϕ]]_K ∩ [[ψ]]_K
EXϕ: return the set of predecessors in K of the states in [[ϕ]]_K
Eψ Uϕ: return the set of states with paths to states in [[ϕ]]_K that are entirely contained in [[ψ]]_K (except possibly for the last state of each path)
EGϕ: return the set of states on infinite paths entirely contained in [[ϕ]]_K
Explicit Model Checking
To fix ideas, suppose Kripke structures are represented by adjacency lists and sets by bit vectors
Boolean operations on sets can be performed in linear time
Computing EU amounts to reachability in a graph
Computing EG amounts to finding the strongly connected components (SCCs) of a subgraph of K
Both reachability and SCC computation are based on depth-first search and take time linear in the size of the Kripke structure
In practice sets are often represented by hash tables
Complexity of Explicit CTL MC
Considering fairness constraints does not change the complexity of the algorithm
It suffices to discard SCCs that do not intersect all fair sets
CTL model checking is linear in the size of the formula and the size of the structure
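As an added illustration (not code from the slides), a small explicit-state CTL checker in Python that follows the label actions and the explicit algorithm above: EU as backward reachability, EG as SCC detection followed by reachability, and Büchi fairness as the SCC filter from the complexity slide. It runs on the four-state structure of the satisfying-sets example; the labels match the slide annotations ([[ψ]] = {2}, [[ϕ]] = {1, 3}), while the edges are my assumption because the figure's arrows are not in the transcript.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set

# CTL formulas as nested tuples, in the base set the slides use:
# ('ap', p) | ('not', f) | ('and', f, g) | ('EX', f) | ('EU', f, g) | ('EG', f)

@dataclass
class Kripke:
    """Explicit Kripke structure: adjacency lists plus a labelling L(s)."""
    states: Set[int]
    init: Set[int]
    succ: Dict[int, Set[int]]
    labels: Dict[int, Set[str]]

    def pred(self, targets: Set[int]) -> Set[int]:
        """States with at least one successor in `targets` (the EX step)."""
        return {s for s in self.states if self.succ[s] & targets}

    def sccs(self, allowed: Set[int]) -> List[Set[int]]:
        """Tarjan's SCC algorithm on the subgraph induced by `allowed`."""
        index: Dict[int, int] = {}
        low: Dict[int, int] = {}
        stack: List[int] = []
        comps: List[Set[int]] = []

        def visit(v: int) -> None:
            index[v] = low[v] = len(index)
            stack.append(v)
            for w in self.succ[v] & allowed:
                if w not in index:
                    visit(w)
                    low[v] = min(low[v], low[w])
                elif w in stack:                 # w is still on the DFS stack
                    low[v] = min(low[v], index[w])
            if low[v] == index[v]:               # v is the root of an SCC
                i = stack.index(v)
                comps.append(set(stack[i:]))
                del stack[i:]

        for v in sorted(allowed):
            if v not in index:
                visit(v)
        return comps

def sat_eu(k: Kripke, psi: Set[int], phi: Set[int]) -> Set[int]:
    """E psi U phi: backward reachability from phi through psi-states."""
    result, work = set(phi), list(phi)
    while work:
        for s in k.pred({work.pop()}) & psi:
            if s not in result:
                result.add(s)
                work.append(s)
    return result

def sat_eg(k: Kripke, phi: Set[int], fair: Sequence[Set[int]] = ()) -> Set[int]:
    """EG phi: states with an infinite path inside phi.  Such a path ends in a
    non-trivial SCC of the phi-subgraph; under Büchi fairness constraints that
    SCC must intersect every fair set, so the other SCCs are discarded."""
    seeds: Set[int] = set()
    for comp in k.sccs(phi):
        nontrivial = len(comp) > 1 or any(v in k.succ[v] for v in comp)
        if nontrivial and all(comp & f for f in fair):
            seeds |= comp
    return sat_eu(k, phi, seeds)      # phi-states that can reach a fair cycle

def sat(k: Kripke, f: tuple, fair: Sequence[Set[int]] = ()) -> Set[int]:
    """[[f]]_K, computed bottom-up over the parse tree.  `fair` is applied to
    EG only; full fair CTL also restricts EX and EU to states that have a fair
    continuation, which is left out here."""
    op, args = f[0], [sat(k, g, fair) for g in f[1:] if isinstance(g, tuple)]
    if op == 'ap':
        return {s for s in k.states if f[1] in k.labels[s]}
    if op == 'not':
        return k.states - args[0]
    if op == 'and':
        return args[0] & args[1]
    if op == 'EX':
        return k.pred(args[0])
    if op == 'EU':
        return sat_eu(k, args[0], args[1])
    if op == 'EG':
        return sat_eg(k, args[0], fair)
    raise ValueError(f"unknown operator {op!r}")

def holds(k: Kripke, f: tuple, fair: Sequence[Set[int]] = ()) -> bool:
    """K |= f iff S0 is a subset of [[f]]_K."""
    return k.init <= sat(k, f, fair)

def slide_example() -> Kripke:
    """Constructed four-state structure with the slides' leaf annotations
    ([[psi]] = {2}, [[phi]] = {1, 3}); the edges are an assumption, since the
    figure's arrows did not survive in the transcript."""
    return Kripke(states={1, 2, 3, 4}, init={1},
                  succ={1: {2}, 2: {1}, 3: {4}, 4: {4}},
                  labels={1: {'phi'}, 2: {'psi'}, 3: {'phi'}, 4: set()})
```

With `fair=[{3}]` the EG result collapses to the empty set, because the only non-trivial SCC inside [[Eψ Uϕ]] is {1, 2} and it never visits state 3.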
Symbolic Model Checking
Linear time complexity is great unless your system has 10^50 states
Number of states grows exponentially with number of state variables
Explicit model checking limited to a few billion states
Symbolic model checking can do much more (though not uniformly)
Characteristic Functions
States are encoded as binary strings of length n (the number of binary state variables)
A set of states V is represented by a characteristic function χ_V : B^n → B that returns 1 for all elements of the set and 0 for all other states
We often drop the “χ” from χ_V when there is no ambiguity
Symbolic Representation
[Figure: three-state Kripke structure with states 00, 01 and 10; 00 is the initial state, 10 is labelled p and 01 is labelled q]
T(x1, x0, y1, y0) = (¬x1 ∧ ¬x0 ∧ ¬y1 ∧ y0) ∨ (¬x1 ∧ x0 ∧ ¬y0) ∨ (x1 ∧ ¬x0 ∧ ¬y0)
S0(x1, x0) = ¬x1 ∧ ¬x0
p(x1, x0) = x1 ∧ ¬x0
q(x1, x0) = ¬x1 ∧ x0
Characteristic Functions
Let V contain all states with either the first or the last bit set to 1
χ_V = x_1 ∨ x_n
Set V has 3 · 2^(n−2) elements
Great, but let us not get carried away, because it is not possible to find a representation that is compact for most functions
Implicit Enumeration
Symbolic model checking enumerates states implicitly
No explicit loop on the states or the transitions is used
The cost of implicit enumeration is more affected by the size of the representation than by the cardinality of the set

Computing Predecessors
Let x (y) be the vector of current (next) state variables
The set of predecessors of the states in V is given by
∃y . T(x, y) ∧ V(y)
No loops over states and transitions

Symbolic Model Checking
Boolean connectives give no difficulties
Complementation turns into negation
Union becomes disjunction and intersection becomes conjunction
We have seen how to deal with EX ϕ
For EU and EG we use a fixpoint characterization
A fixpoint x of f is such that f(x) = x

Fixpoint Characterization
The satisfying sets of EU and EG computations are fixpoints of monotonic functions over 2^S
E ψ U ϕ = ϕ ∨ [ψ ∧ EX E ψ U ϕ]
EG ϕ = ϕ ∧ EX EG ϕ
Specifically, E ψ U ϕ is the least fixpoint and EG ϕ is the greatest fixpoint. This is written
E ψ U ϕ = μZ . ϕ ∨ [ψ ∧ EX Z]
EG ϕ = νZ . ϕ ∧ EX Z
(μ-calculus notation)

Tarski's Theorem
A function f is monotonic if
x ≤ y → f(x) ≤ f(y)
A monotonic function over a finite lattice has a least fixpoint that can be computed as the limit of the sequence
0, f(0), f(f(0)), f(f(f(0))), . . .
For greatest fixpoints
1, f(1), f(f(1)), f(f(f(1))), . . .
(0 and 1 are the bottom and top elements of the lattice; for 2^S they are ∅ and S)
This is the kitty version of the theorem for finite lattices

Computing E ψ U ϕ and E ψ R ϕ
E ψ U ϕ (least fixpoint, iterate from ∅):
Z = ∅; ζ = S;
while (Z ≠ ζ) { ζ = Z; Z = ϕ ∨ (ψ ∧ EX Z); }
E ψ R ϕ (greatest fixpoint, iterate from S):
Z = S; ζ = ∅;
while (Z ≠ ζ) { ζ = Z; Z = ϕ ∧ (ψ ∨ EX Z); }

Computing E ψ U ϕ
[Figure, shown over several animation steps: a Kripke structure with states labelled ψ and ϕ; the satisfying set grows from the ϕ-states backwards through the ψ-states.]

Computing EG ϕ
[Figure, shown over several animation steps: a Kripke structure with states labelled ϕ; the candidate set shrinks until only ϕ-states with a successor in the set remain.]

Backward vs. Forward Search
The algorithm we have presented is based on backward search in the Kripke structure (EX computes predecessors)
Part of CTL can be model checked using forward search (using EY, which computes successors)
Forward search is popular for invariants (AG p)
Forward search is also used to find states reachable from initial states and prune backward search

On-the-Fly Model Checking
In checking K |= EF p we can stop the computation of the least fixpoint as soon as all initial states have been acquired
This is an instance of on-the-fly model checking
In general, on-the-fly model checking stops as soon as the answer is known

ECTL and ACTL
ECTL is a fragment of CTL that consists of existential properties
Negation can only occur in front of atomic propositions
The path quantifier A cannot be used
ACTL consists of the negations of ECTL formulae (universal properties)

ECTL and ACTL Examples
EF(ϕ ∧ EG ¬ψ)   ECTL
AG(ϕ → AF ψ)   ACTL (the negation of the previous formula)
AG(AF ϕ → AF ψ)   mixed
EF(EG ϕ ∨ EG ψ)   ECTL

Counterexamples and Witnesses
If a property fails it is useful to show an execution of the system that is a counterexample
For a property that holds, it may be useful to show an execution of the system that is a witness
A witness to K, s |= ϕ is a counterexample to K, s |= ¬ϕ and vice versa

Witness Example
Witness for the ECTL property
EF(ϕ ∧ EG ¬ψ)
[Figure: a witness path whose states are labelled ¬ψ, then ϕ,¬ψ, then ¬ψ: a finite prefix reaches the state satisfying ϕ, and from there a cycle of ¬ψ states witnesses EG ¬ψ.]

A Witness May Not Suffice
One witness computation does not suffice to show that AG ϕ holds in a structure with multiple paths
One counterexample computation does not suffice to show that EF ¬ϕ fails
Complete witnesses can be found for ECTL formulae and complete counterexamples for ACTL formulae

Branching Witnesses
Consider a witness for the ECTL formula
EF(EG ϕ ∧ EG ψ)
[Figure: from a state labelled ϕ,ψ the witness branches into a cycle of ϕ-states and a separate cycle of ψ-states; in this structure no single path witnesses both conjuncts.]

Adding Fairness Constraints
Fairness constraints are given as sets of states that must be traversed infinitely often (Büchi fairness)
In CTL the fair sets are the satisfying sets of CTL formulae (distinct from the formulae for the properties to be verified)
Quantifiers are restricted to fair paths
Paths that intersect all the fair sets infinitely often

Computing the Fair States
The fair states are those along fair paths
They are computed by the μ-calculus formula
νZ . EX[E Z U (Z ∧ c)]
in the case of one fairness constraint c

MC for CTL with Fairness
Let Φ = νZ . ∧_i EX[E Z U (Z ∧ c_i)]
be the set of fair states for the fairness constraints C = {c_i}
E_C G ϕ = νZ . ϕ ∧ ∧_i EX[E Z U (Z ∧ c_i)]
E_C X ϕ = EX(ϕ ∧ Φ)
E_C ψ U ϕ = E ψ U (ϕ ∧ Φ)
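The predecessor operation EX, the least- and greatest-fixpoint iterations of Tarski's theorem, the E ψ U ϕ / E ψ R ϕ loops of the earlier slide and the fair-CTL operators of this slide, worked together as an added example in Python. This is not code from the slides or from any tool they describe: the five-state Kripke structure, its labels and the fairness constraint are constructed for the example, and sets of states are explicit Python frozensets rather than BDDs, so `pre` is a loop over the transition relation instead of the symbolic ∃y . T(x, y) ∧ V(y). The fixpoint iterations and the operator definitions follow the slides.

```python
from typing import Callable, FrozenSet, Iterable, Tuple

State = int
StateSet = FrozenSet[State]

# Constructed example (not from the slides): five states, transition relation T
# as (current, next) pairs, atomic propositions p and q, fairness constraint c.
STATES: StateSet = frozenset(range(5))
T: FrozenSet[Tuple[State, State]] = frozenset(
    {(0, 1), (1, 2), (1, 3), (2, 2), (3, 4), (4, 3)}
)
P: StateSet = frozenset({0, 1, 3, 4})
Q: StateSet = frozenset({2})
C_FAIR = [frozenset({3})]  # Büchi fairness: state 3 must recur infinitely often


def pre(v: StateSet) -> StateSet:
    """EX V = {x | ∃y. T(x, y) ∧ V(y)}.

    A symbolic checker does this with one operation on the characteristic
    functions of T and V; here the sets are explicit, but every fixpoint
    below is structured exactly as in the symbolic algorithm.
    """
    return frozenset(x for (x, y) in T if y in v)


def lfp(f: Callable[[StateSet], StateSet]) -> StateSet:
    """Least fixpoint of monotonic f over 2^S: iterate from the bottom element ∅."""
    z: StateSet = frozenset()
    prev = None
    while z != prev:
        prev, z = z, f(z)
    return z


def gfp(f: Callable[[StateSet], StateSet]) -> StateSet:
    """Greatest fixpoint: iterate from the top element S."""
    z: StateSet = STATES
    prev = None
    while z != prev:
        prev, z = z, f(z)
    return z


def eu(psi: StateSet, phi: StateSet) -> StateSet:
    """E ψ U ϕ = μZ. ϕ ∨ (ψ ∧ EX Z)"""
    return lfp(lambda z: phi | (psi & pre(z)))


def eg(phi: StateSet) -> StateSet:
    """EG ϕ = νZ. ϕ ∧ EX Z"""
    return gfp(lambda z: phi & pre(z))


def er(psi: StateSet, phi: StateSet) -> StateSet:
    """E ψ R ϕ = νZ. ϕ ∧ (ψ ∨ EX Z)"""
    return gfp(lambda z: phi & (psi | pre(z)))


def ef(phi: StateSet) -> StateSet:
    """EF ϕ = E true U ϕ"""
    return eu(STATES, phi)


def ag(phi: StateSet) -> StateSet:
    """AG ϕ = ¬EF ¬ϕ: complementation is set difference against S."""
    return STATES - ef(STATES - phi)


def fair_step(z: StateSet, constraints: Iterable[StateSet]) -> StateSet:
    """∧_i EX[E Z U (Z ∧ c_i)]: for every i, states with a successor in Z from
    which a c_i-state of Z can be reached while staying inside Z."""
    out = STATES
    for c in constraints:
        out &= pre(eu(z, z & c))
    return out


def fair_states(constraints: Iterable[StateSet]) -> StateSet:
    """Φ = νZ. ∧_i EX[E Z U (Z ∧ c_i)]"""
    cs = list(constraints)
    return gfp(lambda z: fair_step(z, cs))


def eg_fair(phi: StateSet, constraints: Iterable[StateSet]) -> StateSet:
    """E_C G ϕ = νZ. ϕ ∧ ∧_i EX[E Z U (Z ∧ c_i)]"""
    cs = list(constraints)
    return gfp(lambda z: phi & fair_step(z, cs))


def eu_fair(psi: StateSet, phi: StateSet, constraints: Iterable[StateSet]) -> StateSet:
    """E_C ψ U ϕ = E ψ U (ϕ ∧ Φ)"""
    return eu(psi, phi & fair_states(constraints))


if __name__ == "__main__":
    print("E p U q =", sorted(eu(P, Q)))            # [0, 1, 2]
    print("EG p    =", sorted(eg(P)))               # [0, 1, 3, 4]
    print("AG p    =", sorted(ag(P)))               # [3, 4]
    print("E_C G q =", sorted(eg_fair(Q, C_FAIR)))  # []  (the q-loop on state 2 never visits 3)
```

Each operator is a one-line instance of its μ-calculus definition. Replacing the frozensets by BDDs leaves `lfp`, `gfp` and the operator bodies unchanged; only `pre` changes, which is the point of the "implicit enumeration" slides: the cost then depends on the size of the representation rather than on the number of states.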

Fair Witnesses
For EX and EU, we append a witness to EG true (a fair cycle) to the finite witness
For EG ϕ, while tracing a loop in a fair SCC we need to ensure that all fair sets are visited
Finding a shortest witness is hard, but heuristics work reasonably well
Outline
1 Introduction
2 Modeling Systems and Properties
3 Specification Mechanisms
4 CTL Model Checking
5 Model Checking LTL and CTL*
6 SAT-Based Model Checking
7 Abstraction

LTL Model Checking
LTL operators can be characterized in terms of fixpoints like their CTL counterparts
ψ U ϕ = ϕ ∨ [ψ ∧ X(ψ U ϕ)]
ψ R ϕ = ϕ ∧ [ψ ∨ X(ψ R ϕ)]
The problem is that we have sets of paths instead of sets of states
We take a different approach

Model Checking LTL
Negate the given formula ϕ to get ¬ϕ
Build a Büchi automaton A_¬ϕ that accepts exactly the computations that model ¬ϕ
Compose A_¬ϕ with the system to be verified
Check whether there is a fair path in the composition: such a path is a computation of the system that satisfies ¬ϕ, i.e., a counterexample to ϕ

From Formula to Automaton
ψ U ϕ = ϕ ∨ [ψ ∧ X(ψ U ϕ)]
[Figure: the two-state automaton for ψ U ϕ; the initial state loops on ψ and moves on ϕ to an accepting state that loops on true.]

Model Checking AG(p → F q)
A counterexample to AG(p → F q) is an execution in which p happens, but q does not follow it
Compose the automaton for all counterexamples with the model and check for an accepting path
[Figure: Kripke structure K with states b0 and b1 (b1 labelled {p}); automaton A with states a0 and a1 and transitions a0 →(true) a0, a0 →(p ∧ ¬q) a1, a1 →(¬q) a1; and the product K ‖ A.]
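The procedure of the last three slides (negate, build A_¬ϕ, compose with K, look for a fair path), worked as an added example in Python for the property G(p → F q). This is not code from the slides or from any checker they mention: the Büchi automaton is the one drawn on the slide, while the Kripke structures and their labels are constructed for the example. The fair-path check is a plain reachability test per accepting product state; a production checker would use nested DFS or SCC decomposition, which find the same lassos.

```python
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Props = FrozenSet[str]
ProductState = Tuple[int, str]  # (Kripke state, automaton state)


class Kripke:
    """Constructed Kripke structure: initial states, successor lists, and the
    set of atomic propositions true in each state."""

    def __init__(self, init: List[int], trans: Dict[int, List[int]],
                 label: Dict[int, set]):
        self.init = list(init)
        self.trans = {s: list(ts) for s, ts in trans.items()}
        self.label = {s: frozenset(props) for s, props in label.items()}


# Büchi automaton A for ¬G(p → F q) ≡ F(p ∧ G ¬q), as drawn on the slide:
#   a0 --true--> a0,   a0 --p ∧ ¬q--> a1,   a1 --¬q--> a1,   a1 accepting.
# Each guard is a predicate on the label of the Kripke state being entered.
AUT_INIT = "a0"
AUT_ACCEPT = {"a1"}
AUT_TRANS: Dict[str, List[Tuple[str, Callable[[Props], bool]]]] = {
    "a0": [("a0", lambda lab: True),
           ("a1", lambda lab: "p" in lab and "q" not in lab)],
    "a1": [("a1", lambda lab: "q" not in lab)],
}


def product_initial(k: Kripke) -> List[ProductState]:
    """K ‖ A starts in (s, a) for each initial s and each a that a0 reaches on label(s)."""
    return [(s, a) for s in k.init
            for a, guard in AUT_TRANS[AUT_INIT] if guard(k.label[s])]


def product_successors(k: Kripke, x: ProductState) -> List[ProductState]:
    """Synchronous step: K moves s -> s2 while A takes a transition whose guard holds on label(s2)."""
    s, a = x
    return [(s2, a2) for s2 in k.trans.get(s, [])
            for a2, guard in AUT_TRANS[a] if guard(k.label[s2])]


def bfs_path(k: Kripke, sources: List[ProductState],
             target: ProductState) -> Optional[List[ProductState]]:
    """Shortest path in K ‖ A from any of `sources` to `target`, or None."""
    parent: Dict[ProductState, Optional[ProductState]] = {src: None for src in sources}
    queue = deque(sources)
    while queue:
        x = queue.popleft()
        if x == target:
            path = [x]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            return path[::-1]
        for y in product_successors(k, x):
            if y not in parent:
                parent[y] = x
                queue.append(y)
    return None


def find_counterexample(k: Kripke) -> Optional[Tuple[List[int], List[int]]]:
    """A fair path in K ‖ A is a lasso through an accepting product state.

    Returns (prefix, loop) as lists of Kripke states: prefix ends at the
    accepting product state x, loop runs from a successor of x back to x.
    Returns None when no accepting cycle is reachable, i.e. K |= G(p -> F q)."""
    init = product_initial(k)
    order, seen, queue = [], set(init), deque(init)
    while queue:  # all reachable product states, in BFS order
        x = queue.popleft()
        order.append(x)
        for y in product_successors(k, x):
            if y not in seen:
                seen.add(y)
                queue.append(y)
    for x in order:
        if x[1] in AUT_ACCEPT:
            loop = bfs_path(k, product_successors(k, x), x)
            if loop is not None:
                prefix = bfs_path(k, init, x)
                return [s for s, _ in prefix], [s for s, _ in loop]
    return None


# Constructed models. K_VIOLATES: p holds in state 1 and q never afterwards.
# K_SATISFIES: every visit to the p-state 1 is followed by the q-state 2.
K_VIOLATES = Kripke([0], {0: [1], 1: [2], 2: [2]}, {0: set(), 1: {"p"}, 2: set()})
K_SATISFIES = Kripke([0], {0: [1], 1: [2], 2: [0]}, {0: set(), 1: {"p"}, 2: {"q"}})

if __name__ == "__main__":
    print(find_counterexample(K_VIOLATES))   # ([0, 1, 2], [2])
    print(find_counterexample(K_SATISFIES))  # None
```

The returned lasso is exactly the "fair witness" of the earlier slide: a finite prefix followed by a cycle through an accepting automaton state. Because A is nondeterministic (a0 may stay or move on p ∧ ¬q), the product carries both choices and the search decides which one closes a cycle.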

CTL* Model Checking
If the formula is propositional, compute its satisfying set directly; otherwise
there is a subformula Eψ with ψ an LTL formula: find its satisfying set with the LTL model checking algorithm and use it as a new atomic proposition
Repeat until the satisfying set of the root of the parse tree is found
Outline
1 Introduction
2 Modeling Systems and Properties
3 Specification Mechanisms
4 CTL Model Checking
5 Model Checking LTL and CTL*
6 SAT-Based Model Checking
7 Abstraction

Bounded Model Checking
Checks for a counterexample to a property of a model
We assume finite state and LTL
Encodes the property checking problem as propositional satisfiability (SAT)
Constructs a propositional formula that is satisfiable iff there exists a length-k counterexample, e.g., for the invariant AG p
I(s_0) ∧ ∧_{0≤i<k} T(s_i, s_{i+1}) ∧ ¬p(s_k)
If no counterexample is found, BMC increases k until
a counterexample is found, the search becomes intractable, or k reaches a certain bound
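The unrolling on this slide, worked as an added example in Python for a two-bit counter (constructed for the example; this is not code from the slides or from any BMC tool). I, T and ¬p are built as propositional formulas over the bit variables of s_0 .. s_k exactly as in the formula above, and `satisfiable` is an exhaustive assignment search standing in for a SAT solver; a real BMC run would hand the same formula, converted to CNF, to a solver. The second transition relation never reaches the bad state, so BMC reports no counterexample up to the bound, which on its own is not a proof of the property.

```python
import itertools
from typing import Dict, List, Optional, Tuple

# Minimal propositional formulas as nested tuples:
#   ("var", name) | ("not", f) | ("and", f, g, ...) | ("or", f, g, ...) | ("iff", f, g)
Formula = tuple
Assignment = Dict[str, bool]


def var(name: str) -> Formula: return ("var", name)
def neg(f: Formula) -> Formula: return ("not", f)
def conj(*fs: Formula) -> Formula: return ("and", *fs)
def disj(*fs: Formula) -> Formula: return ("or", *fs)
def iff(f: Formula, g: Formula) -> Formula: return ("iff", f, g)


def evaluate(f: Formula, env: Assignment) -> bool:
    tag = f[0]
    if tag == "var":
        return env[f[1]]
    if tag == "not":
        return not evaluate(f[1], env)
    if tag == "and":
        return all(evaluate(g, env) for g in f[1:])
    if tag == "or":
        return any(evaluate(g, env) for g in f[1:])
    if tag == "iff":
        return evaluate(f[1], env) == evaluate(f[2], env)
    raise ValueError(f"unknown connective {tag}")


def variables(f: Formula) -> set:
    if f[0] == "var":
        return {f[1]}
    return set().union(*(variables(g) for g in f[1:]))


def satisfiable(f: Formula) -> Optional[Assignment]:
    """Exhaustive assignment search, a stand-in for a SAT solver that is fine
    for a few dozen variables. Returns a satisfying assignment or None."""
    names = sorted(variables(f))
    for bits in itertools.product((False, True), repeat=len(names)):
        env = dict(zip(names, bits))
        if evaluate(f, env):
            return env
    return None


# The model: a 2-bit counter. State s_i is the variable pair (s<i>_b1, s<i>_b0).
def state_vars(i: int) -> Tuple[Formula, Formula]:
    return var(f"s{i}_b1"), var(f"s{i}_b0")


def I(s):                 # initial states: counter at 0
    b1, b0 = s
    return conj(neg(b1), neg(b0))


def T_mod4(x, y):         # counts 0,1,2,3,0,...: y0 = ¬x0, y1 = x1 xor x0
    (x1, x0), (y1, y0) = x, y
    return conj(iff(y0, neg(x0)), iff(y1, neg(iff(x1, x0))))


def T_sat(x, y):          # counts 0,1,2 and stays at 2: y1 = x1 ∨ x0, y0 = x1 ↔ x0
    (x1, x0), (y1, y0) = x, y
    return conj(iff(y1, disj(x1, x0)), iff(y0, iff(x1, x0)))


def p_not_three(s):       # invariant to check: AG (counter ≠ 3)
    b1, b0 = s
    return neg(conj(b1, b0))


def bmc(T, p, kmax: int) -> Optional[Tuple[int, List[int]]]:
    """For k = 0..kmax check satisfiability of
         I(s_0) ∧ ∧_{0≤i<k} T(s_i, s_{i+1}) ∧ ¬p(s_k)
    and return (k, counterexample trace) at the first satisfiable k.
    None means no counterexample of length ≤ kmax, which is not a proof of AG p."""
    for k in range(kmax + 1):
        s = [state_vars(i) for i in range(k + 1)]
        unrolled = conj(I(s[0]), *[T(s[i], s[i + 1]) for i in range(k)], neg(p(s[k])))
        model = satisfiable(unrolled)
        if model is not None:
            trace = [2 * int(model[f"s{i}_b1"]) + int(model[f"s{i}_b0"]) for i in range(k + 1)]
            return k, trace
    return None


if __name__ == "__main__":
    print(bmc(T_mod4, p_not_three, 5))  # (3, [0, 1, 2, 3])
    print(bmc(T_sat, p_not_three, 5))   # None
```

Every bound k builds a fresh formula with k + 1 copies of the state variables, which is why the cost grows with the counterexample length: the satisfying assignment found at k = 3 is read back bit by bit into the trace 0, 1, 2, 3.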

Falsification vs. Verification
Sometimes, proving the absence of an error is more useful than finding one
When checking an abstract model for a universal property
Finding an error in the abstract model does not imply its existence in the original model
However, proving that the property passes in the abstract model guarantees the absence of errors in the original model
BMC efficiency decreases as the length of the counterexample increases
It may be more efficient to prove the property and stop early than to keep searching for a counterexample

Proving Properties with BMC
The original BMC algorithm (Biere et al. [1999]), although complete in theory, is limited in practice to falsification of LTL properties
BMC can prove that an LTL property ψ passes on a model M only if a bound κ is known such that:
if no counterexample of length up to κ is found, then M |= Aψ
Several methods exist to compute a suitable κ
The optimum value of κ, however, is usually very expensive to obtain
Finding it is at least as hard as checking whether M |= Aψ (Clarke et al. [2004])
![Page 208: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/208.jpg)
Interpolation
Suppose I(s0) ∧ T(s0, s1) ∧ T(s1, s2) ∧ · · · ∧ T(sk−1, sk) ∧ ¬p(sk) is unsatisfiable
Let F1 = I(s0) ∧ T(s0, s1) and F2 = T(s1, s2) ∧ · · · ∧ T(sk−1, sk) ∧ ¬p(sk)
Then F1(s0, s1) ∧ F2(s1, . . . , sk) is unsatisfiable
Interpolant I1(s1) (McMillan [2003]) is such that
F1(s0, s1) → I1(s1)
I1(s1) ∧ F2(s1, . . . , sk) is unsatisfiable
I1(s1) can be computed in linear time from a resolution proof that F1(s0, s1) ∧ F2(s1, . . . , sk) is unsatisfiable
∃s0 . I(s0) ∧ T(s0, s1) is the strongest interpolant: the set of states reachable from I(s0) in one step
![Page 214: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/214.jpg)
Interpolation
I1(s1) is a superset of the states reachable in one step such that no member state has a path of length k − 1 to a bad state
Replace I(s0) with I(s0) ∨ I1(s0) and repeat
If the formula is still unsatisfiable, interpolant I2(s1) is a superset of the states reachable in one or two steps such that no member state has a path of length k − 1 to a bad state
A converging sequence of interpolants means that no states satisfying ¬p (bad states) are reachable
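The loop on the two Interpolation slides, written out as an added example (this is not code from the slides or from McMillan's implementation). Two simplifications are mine: the SAT query on the unrolled formula is replaced by an explicit enumeration of paths of at most k steps, and the interpolant is the strongest one the slide mentions, ∃s0 . R(s0) ∧ T(s0, s1), computed as the post-image of the current set R. A real implementation extracts a usually weaker interpolant from the solver's resolution proof, which is why the loop keeps the "deepen k and restart" branch even though the exact image never produces a spurious path. The models (a 4-bit counter with two constructed step functions) are constructed for the example.

```python
"""Interpolation-based model checking of AG p on a tiny explicit-state model.
Added example: the SAT query is replaced by path enumeration and the
interpolant by the exact post-image (the strongest interpolant)."""
from collections import deque


def bmc(start, succ, bad, k):
    """Stand-in for the SAT call on R(s0) ∧ T(s0,s1) ∧ ... ∧ T(s_{j-1},s_j) ∧ ¬p(s_j),
    j <= k: return a path from `start` of at most k steps that ends in a bad
    state, or None when every such formula is unsatisfiable."""
    queue = deque((s, (s,)) for s in sorted(start))
    while queue:
        s, path = queue.popleft()
        if bad(s):
            return list(path)
        if len(path) <= k:                      # path has len(path)-1 steps so far
            for t in sorted(succ(s)):
                queue.append((t, path + (t,)))
    return None


def image(states, succ):
    """∃s0. R(s0) ∧ T(s0, s1): the states reachable from R in one step.
    This is the strongest interpolant for the cut after the first transition."""
    return {t for s in states for t in succ(s)}


def interpolation_mc(init, succ, bad, k=1, max_k=32):
    """Return ("proved", invariant), ("counterexample", path) or ("unknown", None).

    R starts as I.  While R ∧ T^k ∧ ¬p is unsatisfiable, replace R by R ∨ I1 and
    repeat; when I1 adds nothing, R is closed under T and contains no bad state,
    i.e. it is an inductive invariant proving AG p, and no bound κ was needed.
    If the query becomes satisfiable after R has been widened, the path may start
    in a state that is not really reachable (a weaker interpolant over-approximates),
    so k is increased and the search restarts from I.  With the exact post-image
    used here that branch is never taken, but the general structure is kept."""
    init = set(init)
    while k <= max_k:
        reached = set(init)
        from_init = True
        while True:
            cex = bmc(reached, succ, bad, k)
            if cex is not None:
                if from_init:               # path starts in I: a real counterexample
                    return "counterexample", cex
                k += 1                      # possibly spurious: deepen and restart
                break
            itp = image(reached, succ)
            if itp <= reached:              # fixpoint: R is an inductive invariant
                return "proved", reached
            reached |= itp
            from_init = False
    return "unknown", None


# Constructed models over the 4-bit counter 0..15; p = "the counter is even".
def step2(x):
    return {(x + 2) % 16}      # stays even from 0: AG p holds


def step3(x):
    return {(x + 3) % 16}      # reaches 3 in one step: AG p fails


def is_odd(x):
    return x % 2 == 1


if __name__ == "__main__":
    print(interpolation_mc({0}, step2, is_odd))   # proved; invariant = the 8 even states
    print(interpolation_mc({0}, step3, is_odd))   # counterexample [0, 3]
```

The invariant returned in the "proved" case is the certificate: it contains I, is closed under T and excludes every bad state, so it can be checked independently of the search that produced it. The third behaviour worth trying is a bug that is only reachable deep in the model (for instance a counter stepping by 1 with the bad state 10): the widened R hits it first, the loop deepens k until the path is found from I itself, and the reported counterexample is then a genuine 10-step trace.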
![Page 217: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/217.jpg)
Outline
1 Introduction
2 Modeling Systems and Properties
3 Specification Mechanisms
4 CTL Model Checking
5 Model Checking LTL and CTL*
6 SAT-Based Model Checking
7 Abstraction
![Page 218: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/218.jpg)
Informal Abstraction
In use since the early days of simulation
What if we write to a memory when the address contains Xs?
Still indispensable, but
May be laborious
Comes with no implied warranty
[Figure: bus and arbiter, with requesters labelled High and Low]
![Page 220: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/220.jpg)
Informal Abstraction
Given concrete model C and property ϕ
Derive somehow an abstract model A from C
Abstraction should preserve detail relevant to ϕ
Check whether A |= ϕ
If A |= ϕ, confidence in correctness of C is increased
If A ⊭ ϕ, check counterexample
Is failure due to a real bug or an artifact of abstraction?
Either fix bug or refine abstraction
![Page 221: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/221.jpg)
Formal Abstraction
Comes with warranty
Simulation Relations
[Figure: Kripke structures K (states s0, s1, s2, labelled p and q) and K′ (states s′0, s′1, labelled p and q) related by a simulation]
bisimilarity preserves all of µ-calculus
simulation equivalence preserves linear-time properties
simulation preserves passing universal properties
![Page 223: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/223.jpg)
Simulation Relations
Computing simulation relations is expensive
Avoid direct computation
Cone of Influence (COI) reduction and slicing yield a bisimilar model
The symmetry quotient induced by an invariance group is bisimilar to the original model
Predicate abstraction leads to bisimulation or simulation
Freeing some components leads to simulation
Simulation is sufficient for language containment
![Page 224: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/224.jpg)
Property Driven Abstraction
Rule of thumb: The more you want to preserve, the less you can abstract
Bisimulation does not allow much abstraction
Property driven abstraction
Focus on preserving only the property of interest
Start with a coarse abstraction
Let the property guide the initial abstraction and the refinement
![Page 225: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/225.jpg)
Abstraction Refinement
What is not in the abstract model is ignored
Refinement brings in something that was previously ignored
[Figure: abstract model and its refinement relative to property ϕ]
![Page 228: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/228.jpg)
Abstraction Refinement
For universal properties:
    choose initial abstract model
    while the property fails on the abstract model:
        if the concrete model also fails, report failure
        refine the abstraction
    report success
For mixed properties, use two abstractions
If the property fails on the abstract model, an abstract counterexample is produced
![Page 229: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/229.jpg)
Back to the Cube
A cube is divided into 27 equal smaller cubes (blocks hereafter). Is it possible to trace a path from any point on the surface to the center that always travels parallel to some side of the cube and visits each block exactly once?
If we number the smaller cubes consecutively, top-down, front to back, and left to right, we find that there are 14 odd-numbered blocks and 13 even-numbered blocks
Since all adjacent blocks have different parity, we cannot find a path of length 27 ending with an even-numbered block.
Since the center block is numbered 14, the answer is “no”
The same argument applies whenever the side of the cube is divided into an odd number of parts, so that the number of blocks is (2n + 1)^3 for some n > 0
![Page 234: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/234.jpg)
Model Checking the Cube
We encode the problem with two state variables:
posn ∈ {1, . . . , 27} and visited ⊆ {1, . . . , 27}
S = {1, . . . , 27} × 2^{1,...,27}
S0 = {(p, {p}) | p ∈ {1, . . . , 27} \ {14}}
Let adj(p) return the set of positions adjacent to block p
T = {((p, v), (p′, v′)) | (p, v) ∈ S ∧ p′ ∈ adj(p) \ v ∧ v′ = v ∪ {p′}}
Finally, the property:
ϕ = AG(posn = 14 → visited ≠ {1, . . . , 27})
In Verilog, we need 32 binary variables. Out of the 2^32 states, 3.46426 · 10^7 are reachable and ϕ is proved in about one minute
![Page 237: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/237.jpg)
Augmenting the Transition Relation
We can do significantly better by keeping the same state encoding, initial states and property, but augmenting the transition relation
Let opp(p) return the set of positions in the cube that have parity opposite to block p. The transition relation can then be defined as before, but with opp(p) replacing adj(p)
The new relation has many more transitions. For instance, it is now possible to go from Block 1 to Block 6
The number of reachable states correspondingly increases to 5.41574 · 10^8, but the model checking time decreases to less than a second
Since ϕ is universal, the fact that it passes on the model with the augmented transition relation guarantees that it passes also on the original model
![Page 242: Introduction to Model Checking - Robert Dickziyang.eecs.umich.edu/~dickrp/dass09/slides/somenzi...Introduction to Model Checking Fabio Somenzi Department of Electrical, Computer, and](https://reader034.vdocument.in/reader034/viewer/2022042811/5fa60f61a738bb07300662fb/html5/thumbnails/242.jpg)
Changing State Space
The proof that there is no path refers to the parity of the block numbers and the total number of blocks of each parity.
parity ∈ {0, 1}, visitedO ∈ {1, . . . , 14}, visitedE ∈ {1, . . . , 13}
S = {0, 1} × {1, . . . , 14} × {1, . . . , 13}
S0 = {(0, 0, 1), (1, 1, 0)}
The transition relation is
{((0, vO, vE), (1, vO, v′E)) | (0, vO, vE) ∈ S ∧ vE < 13 ∧ v′E = vE + 1} ∪
{((1, vO, vE), (0, v′O, vE)) | (1, vO, vE) ∈ S ∧ vO < 14 ∧ v′O = vO + 1}
Transitions are possible to states of opposite parity with one of the two counters incremented (if it has not saturated).
Changing the State Space
The property needs to be changed
ϕ1 = AG(parity = 0 → (visitedO ≠ 14 ∨ visitedE ≠ 13))
Since parity = 0 corresponds to posn ∈ {2, 4, . . . , 26}, our new property actually corresponds to
ϕ2 = AG(posn ∈ {2, 4, . . . , 26} → visited ≠ {1, . . . , 27})
If ϕ2 is satisfied on the original model, ϕ is satisfied as well. The number of binary variables has been reduced from 32 (5 for posn and 27 for visited) to 9 (one for parity and four for each counter), there are only 53 reachable states, and verification takes negligible time. Interestingly, the following stronger property also holds:
ϕ′1 = AG(parity = 0 → visitedO ≠ 14)
Another Twist
In the reachable states of our model, the values of visitedO and visitedE never differ by more than one in absolute value. If we let
diff = visitedE − visitedO
then we can choose the following encoding:
parity ∈ {0, 1} and diff ∈ {−1, 0, +1}
Each state is a pair consisting of parity and difference:
S = {0, 1} × {−1, 0, +1}
S0 = {(0, +1), (1, −1)}
The transition relation is
{((0, d), (1, d − 1)) | d ∈ {0, +1}} ∪ {((1, d), (0, d + 1)) | d ∈ {−1, 0}}
A move from an even block visits an odd block and decrements diff; a move from an odd block visits an even block and increments it. The saturation guards on the counters are dropped, so this model admits more behaviours than the 9-bit one; for a universal property that is harmless.
Another Twist
Once again, we need to rewrite the property to be checked because the state encoding has changed:
ϕ3 = AG(parity = 0 → diff ≠ −1)
Since diff ≠ −1 implies visitedO ≠ 14 ∨ visitedE ≠ 13 (visitedO = 14 together with visitedE = 13 gives diff = −1), we have further strengthened our property. Since ϕ3 holds in our new model, as long as satisfaction of ϕ3 in the new, 3-bit model implies satisfaction of ϕ3 (with diff read as visitedE − visitedO) in the previous, 9-bit model, we can conclude that ϕ holds in the original model. There are four reachable states in the 3-bit model, and ϕ3 is proved in almost no time.
State Encoding
If we use the following encoding:
diff = −1 → diff1 = 0 ∧ diff0 = 0
diff = 0 → diff1 = 0 ∧ diff0 = 1
diff = +1 → diff1 = 1 ∧ diff0 = 0
then, over all four reachable states (0, +1), (1, 0), (0, 0) and (1, −1), we have
diff1 ↔ (parity = 0 ∧ diff0 = 0)
We can replace one state bit with a combinational function of the other two. In the resulting model, diff ≠ −1 reads diff1 = 1 ∨ diff0 = 1, so ϕ3 becomes
AG(parity = 0 → (parity = 0 ∨ diff0 = 1))
which simplifies to AG true; this property trivially holds.
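The following is an added example, not part of the lecture slides, covering the three preceding steps ("Changing the State Space", "Another Twist" and "State Encoding"). It builds the 9-bit model (parity, visitedO, visitedE) and the 3-bit model (parity, diff) as defined above, enumerates their reachable states by explicit breadth-first search, checks ϕ1, ϕ′1, ϕ3 and the encoding invariant diff1 ↔ (parity = 0 ∧ diff0 = 0), and verifies the fact the argument rests on: the map from a 9-bit state to (parity, visitedE − visitedO) is a simulation, so every initial state and transition of the finer model has a counterpart in the coarser one. All function and variable names (reachable, succ9, succ3, alpha, run, ...) are this example's own.

```python
"""Explicit-state check of the parity abstractions of the cube puzzle (added example)."""
from collections import deque

N_ODD, N_EVEN = 14, 13   # odd blocks 1, 3, ..., 27 and even blocks 2, 4, ..., 26

def reachable(initial, successors):
    """Breadth-first closure of `initial`; returns (states, transitions explored)."""
    seen = set(initial)
    queue = deque(initial)
    edges = []
    while queue:
        s = queue.popleft()
        for t in successors(s):
            edges.append((s, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen, edges

def ag(states, pred):
    """AG pred, decided by evaluating pred on every reachable state."""
    return all(pred(s) for s in states)

# 9-bit model: (parity of current block, odd blocks visited, even blocks visited).
INIT9 = [(0, 0, 1), (1, 1, 0)]

def succ9(s):
    parity, vo, ve = s
    if parity == 0:   # leaving an even block: the next block is odd
        return [(1, vo + 1, ve)] if vo < N_ODD else []
    return [(0, vo, ve + 1)] if ve < N_EVEN else []   # leaving an odd block

def phi1(s):        # AG(parity = 0 -> (visitedO != 14 or visitedE != 13))
    return not (s[0] == 0 and s[1] == N_ODD and s[2] == N_EVEN)

def phi1_prime(s):  # AG(parity = 0 -> visitedO != 14)
    return not (s[0] == 0 and s[1] == N_ODD)

# 3-bit model: (parity, diff) with diff = visitedE - visitedO in {-1, 0, +1}.
INIT3 = [(0, +1), (1, -1)]

def succ3(s):
    parity, d = s
    if parity == 0:
        return [(1, d - 1)] if d in (0, +1) else []
    return [(0, d + 1)] if d in (-1, 0) else []

def phi3(s):        # AG(parity = 0 -> diff != -1)
    return not (s[0] == 0 and s[1] == -1)

def alpha(s):
    """Abstraction map from a 9-bit state to a 3-bit state."""
    parity, vo, ve = s
    return (parity, ve - vo)

def is_simulation(init9, edges9):
    """alpha is a simulation iff it maps initial states to initial states and
    every concrete transition to an abstract transition."""
    abstract_init = set(INIT3)
    if any(alpha(s) not in abstract_init for s in init9):
        return False
    return all(alpha(t) in succ3(alpha(s)) for s, t in edges9)

# Two-bit encoding of diff from the "State Encoding" step: diff -> (diff1, diff0).
ENC = {-1: (0, 0), 0: (0, 1), +1: (1, 0)}

def encoding_invariant(states3):
    """diff1 <-> (parity = 0 and diff0 = 0) over the given 3-bit states."""
    for parity, d in states3:
        diff1, diff0 = ENC[d]
        if (diff1 == 1) != (parity == 0 and diff0 == 0):
            return False
    return True

def run():
    r9, e9 = reachable(INIT9, succ9)
    r3, _ = reachable(INIT3, succ3)
    return {
        "reachable9": len(r9),                      # 53 states, as on the slide
        "reachable3": len(r3),                      # 4 states
        "phi1": ag(r9, phi1),
        "phi1_prime": ag(r9, phi1_prime),
        "phi3_on_9bit": ag(r9, lambda s: phi3(alpha(s))),
        "phi3": ag(r3, phi3),
        "simulation": is_simulation(INIT9, e9),
        "encoding": encoding_invariant(r3),
    }

if __name__ == "__main__":
    for name, value in run().items():
        print(f"{name}: {value}")
```

The simulation check is the part worth keeping around: the 3-bit model drops the saturation guards, so it has strictly more behaviour than the 9-bit model (the dead-end state (1, 13, 13) maps to (1, 0), which does have a successor), yet every 9-bit transition still has an abstract image. That is exactly why an AG property proved on four states transfers to 53, while an existential claim such as "some path reaches a given state" proved on the abstract model would not transfer back.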