modelchecking.ppt

Upload: smakareem

Post on 20-Feb-2018


TRANSCRIPT

  • 7/24/2019 ModelChecking.ppt

    1/36

    Lawrence Chung 1

    Model Checking

  • Slide 2/36

    Safety and Liveness

    Safety properties: invariants, deadlocks, reachability, etc. Can be checked on finite traces.
    "Something bad never happens."

    Liveness properties: fairness, response, etc. Infinite traces.
    "Something good will eventually happen."

  • Slide 3/36

    Model Checking Process

    Model (System Requirements) and Specification (System Property) are the inputs of the Model Checker, which returns an Answer:
    Yes, if the model satisfies the specification;
    a Counterexample, otherwise.

    For increasing our confidence in the correctness of the model:
    Verification: the model satisfies important system properties.
    Debugging: study counter-examples, pinpoint the source of the error, correct the model, and try again.

    [Adapted from www.lix.polytechnique.fr/comete/seminar1/ModelChecking.ppt]

  • Slide 4/36

    Mutual Exclusion Example

    The Model (Willem Visser, http://ase.arc.nasa.gov/visser/ASE2002TutSoftwareMC-fonts.ppt)

    Process 1:  N1 -> T1;  T1 with S0 -> C1 with S1;  C1 -> N1 with S0
    ||
    Process 2:  N2 -> T2;  T2 with S0 -> C2 with S1;  C2 -> N2 with S0

    Two process mutual exclusion with shared semaphore. Each process has three states:
    Non-critical (N), Trying (T), Critical (C).
    Semaphore can be available (S0) or taken (S1).
    Initially both processes are in the Non-critical state and the semaphore is available --- N1 N2 S0.

    Model (System Requirements)

  • Slide 5/36

    Mutual Exclusion Example

    The Model (Willem Visser, http://ase.arc.nasa.gov/visser/ASE2002TutSoftwareMC-fonts.ppt)

    Process 1:  N1 -> T1;  T1 with S0 -> C1 with S1;  C1 -> N1 with S0
    ||
    Process 2:  N2 -> T2;  T2 with S0 -> C2 with S1;  C2 -> N2 with S0

    Initially both processes are in the Non-critical state and the semaphore is available --- N1 N2 S0.

    Model (System Requirements): the reachable global states (the state graph on the slide):
    N1 N2 S0
    T1 N2 S0,  N1 T2 S0
    C1 N2 S1,  T1 T2 S0,  N1 C2 S1
    C1 T2 S1,  T1 C2 S1
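The state graph above, built by hand on the slide, is what a model checker constructs: the two processes are composed by interleaving and the reachable states are enumerated. The following is an added example (not the lecture's or Willem Visser's code); the state and proposition names follow the slide, the function names are mine.

```python
from collections import deque

# Constructed example (not the lecture's own code): the two-process mutual
# exclusion model from the slide, composed by interleaving and explored by
# breadth-first search. A global state is (p1, p2, sem) with p in {"N","T","C"}
# and sem 0 = S0 (available) or 1 = S1 (taken).
INITIAL = ("N", "N", 0)

def local_steps(loc, sem):
    """Moves of one process from local state `loc` under semaphore `sem`,
    as (new_loc, new_sem) pairs: N -> T; T with S0 -> C with S1; C -> N with S0."""
    if loc == "N":
        return [("T", sem)]
    if loc == "T":
        return [("C", 1)] if sem == 0 else []   # blocked while the semaphore is taken
    return [("N", 0)]                            # loc == "C": leave and release

def successors(state):
    """Interleaved composition P1 || P2: exactly one process moves per step."""
    p1, p2, sem = state
    return ([(l, p2, s) for l, s in local_steps(p1, sem)] +
            [(p1, l, s) for l, s in local_steps(p2, sem)])

def explore(initial=INITIAL):
    """Breadth-first reachability: the states S and transitions R of the Kripke structure."""
    seen, trans, todo = {initial}, set(), deque([initial])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            trans.add((s, t))
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen, trans

def label(state):
    """Labeling function L: atomic propositions true in a state, e.g. {'T1','N2','S0'}."""
    p1, p2, sem = state
    return {p1 + "1", p2 + "2", "S%d" % sem}

def mutual_exclusion_holds(states):
    """Safety on the finite reachable set: no state has both processes in C."""
    return all(not (s[0] == "C" and s[1] == "C") for s in states)

if __name__ == "__main__":
    states, trans = explore()
    print(len(states), "reachable states,", len(trans), "transitions")
    for s in sorted(states):
        print(" ".join(sorted(label(s))))
    print("mutual exclusion holds:", mutual_exclusion_holds(states))
```

Exploration yields exactly the eight states listed on the slide, and the safety property is decided on that finite set, as slide 2 says safety properties can be.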

  • Slide 6/36

    Mutual Exclusion Example

    Desirable property: "No matter where you are, there is always a way to get to the initial state."

    The Model M is a Kripke structure; the Specification (System Property) is written in CTL (Computation Tree Logic).

    Specification (Desirable Property): $K \models AG\,EF(N_1 \wedge N_2 \wedge S_0)$

  • Slide 7/36

    Mutual Exclusion Example

    Model (System Requirements): the eight-state graph of the mutual exclusion example
    (N1 N2 S0; T1 N2 S0; N1 T2 S0; C1 N2 S1; T1 T2 S0; N1 C2 S1; C1 T2 S1; T1 C2 S1)
    Specification (System Property): $K \models AG\,EF(N_1 \wedge N_2 \wedge S_0)$
    Model Checker M
    Answer: Yes

  • Slide 8/36

    Counterexample

    (Shown on the same eight-state graph of the mutual exclusion example:
    N1 N2 S0; T1 N2 S0; N1 T2 S0; C1 N2 S1; T1 T2 S0; N1 C2 S1; C1 T2 S1; T1 C2 S1)

  • Slide 13/36

    Kripke Structure

    Defining Models: Model (System Requirements)

    $K = \langle S, P, R \rangle$ (or $M = \langle S, P, R, L, \{s_0\} \rangle$, with $s_0 \in S$ the initial state)

    - $S$: the set of possible global states.
    - $P$: a non-empty set of atomic propositions $\{p_1, \ldots, p_k\}$ which express atomic properties of the global states, e.g., being an initial state, being an accepting state, or that a particular variable has a special value.
    - $R \subseteq S \times S$: a transition relation s.t. $R(s, s')$ if $s$ to $s'$ is a possible atomic transition.
    - $L: S \to 2^P$: a labeling function which defines which propositions hold in which states.
    - State explosion problem: the size of $S$ is often exponential in |requirements/design|.

    Model checking problem: a model checker checks whether a system, interpreted as an automaton, is a (Kripke) model of a property expressed as a temporal logic formula: $K \models \varphi$.

  • Slide 14/36

    Defining Models

    For complex real-life control systems: an FSM with a way to
    - modularize the requirements to view them at different levels of detail
    - combine requirements (or design) of components
    - use state variables and facilities in guards on transitions.

    Extended Finite State Machine (EFSM)

  • Slide 15/36

    Defining Specifications: Specification (System Property)

    Temporal Logic: express properties of event orderings in time, e.g. "Always when a packet is sent it will Eventually be received."

    Linear Time: every moment has a unique successor; infinite sequences (words); Linear Time Temporal Logic (LTL).

    Branching Time: every moment has several successors; infinite tree; Computation Tree Logic (CTL).

  • Slide 16/36

    Linear Temporal Logic (LTL)

    LTL Syntax: a set of proposition variables $p_1, p_2, \ldots$, the usual logic connectives, and the following temporal modal operators:
    - $X$ for next
    - $G$ for always (globally)
    - $F$ for eventually (in the future)
    - $U$ for until
    - $R$ for release

    http://en.wikipedia.org/wiki/Linear_temporal_logic

    One can reduce to two of those operators since the following is always satisfied:
    $F\varphi \equiv \top\, U\, \varphi$
    $G\varphi \equiv \bot\, R\, \varphi \equiv \neg F\neg\varphi$
    $\psi\, R\, \varphi \equiv \neg(\neg\psi\, U\, \neg\varphi)$
  • Slide 17/36

    Linear Temporal Logic (LTL): LTL (Informal) Semantics

    Unary operators:
    - $X\varphi$, Next: $\varphi$ has to hold at the next state. ($N$ is used synonymously.)
    - $G\varphi$, Globally: $\varphi$ has to hold on the entire subsequent path.
    - $F\varphi$, Finally: $\varphi$ eventually has to hold (somewhere on the subsequent path).

    Binary operators:
    - $\psi\, U\, \varphi$, Until: $\varphi$ holds at the current or a future position, and $\psi$ has to hold until that position. At that position $\psi$ does not have to hold any more.
    - $\psi\, R\, \varphi$, Release: $\psi$ releases $\varphi$ if $\varphi$ is true until the first position in which $\psi$ is true (or forever if such a position does not exist).

  • Slide 18/36

    Workshop held with ICSE, May 2003.
    Relevant theoretical papers can be found here: http://netlib.bell-labs.com/netlib/spin/whatispin.html
    Ideal for software model checking due to expressiveness of the PROMELA language: close to a real programming language.
    Gerard Holzmann won the ACM software award for SPIN.

    Cf: SCR & the 4-variable model: Requirements should contain nothing but information about the
  • Slide 22/36

    Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Syntax

    A CTL well-formed formula ($p$ is an atomic property/proposition):

    $\varphi ::= \bot \mid \top \mid p \mid \neg\varphi \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi \to \varphi \mid AX\varphi \mid EX\varphi \mid AF\varphi \mid EF\varphi \mid AG\varphi \mid EG\varphi \mid A[\varphi\, U\, \varphi] \mid E[\varphi\, U\, \varphi]$

    (http://www.cs.ucl.ac.uk/staff/[?].Bowen/GS03/w3l1ctlnotes.pdf)

    - $EX\varphi$: true in current state if formula $\varphi$ is true in at least one of the next states.
    - $E[\varphi\, U\, \psi]$: true in current state if formula $\varphi$ is true until $\psi$ becomes true in some path beginning in current state.
    - $EF\varphi$: true in current state if there exists some state in some path beginning in current state that satisfies the formula $\varphi$.
    - $EG\varphi$: true in current state if every state in some path beginning in current state satisfies the formula $\varphi$.
    - $AX\varphi$: true in current state if formula $\varphi$ is true in every one of the next states.
    - $A[\varphi\, U\, \psi]$: true in current state if formula $\varphi$ is true until $\psi$ becomes true in every path beginning in current state.
    - $AF\varphi$: true in current state if there exists some state in every path beginning in current state that satisfies the formula $\varphi$.
    - $AG\varphi$: true in current state if every state in every path beginning in current state satisfies the formula $\varphi$.

  • Slide 23/36

    Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Semantics

    Let $M = (S, R, L)$ be a transition system (or a Kripke structure, also called a model for CTL). Let $\varphi$ be a CTL formula and $s \in S$. Then $M, s \models \varphi$ is defined inductively on the structure of $\varphi$, as follows:

    $M, s \models \top$
    $M, s \not\models \bot$
    $M, s \models p$ iff $p \in L(s)$
    $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$
    $M, s \models \varphi \wedge \psi$ iff $M, s \models \varphi$ and $M, s \models \psi$
    $M, s \models \varphi \vee \psi$ iff $M, s \models \varphi$ or $M, s \models \psi$

  • Slide 24/36

    Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Semantics

    $M, s \models AX\varphi$ iff for all $s'$ s.t. $s R s'$: $M, s' \models \varphi$
    $M, s \models EX\varphi$ iff there exists $s'$ s.t. $s R s'$ and $M, s' \models \varphi$
    $M, s \models AG\varphi$ iff for all paths $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, and for all $i$, it is the case that $M, s_i \models \varphi$
    $M, s \models EG\varphi$ iff there is a path $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, and for all $i$ it is the case that $M, s_i \models \varphi$
    $M, s \models AF\varphi$ iff for all paths $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, there is a state $s_i$ s.t. $M, s_i \models \varphi$
    $M, s \models EF\varphi$ iff there is a path $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, and there is a state $s_i$ s.t. $M, s_i \models \varphi$
    $M, s \models A[\varphi\, U\, \psi]$ iff for all paths $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, there is a state $s_j$ s.t. $M, s_j \models \psi$ and $M, s_i \models \varphi$ for all $i < j$
    $M, s \models E[\varphi\, U\, \psi]$ iff there exists a path $(s = s_1, s_2, s_3, s_4, \ldots)$ s.t. $s_i R s_{i+1}$, and there is a state $s_j$ s.t. $M, s_j \models \psi$ and $M, s_i \models \varphi$ for all $i < j$

    The satisfiability problem of CTL is EXPTIME-complete.
    If a CTL formula is satisfiable, then the formula is satisfiable by a finite Kripke model.

    CTL Model Checking: $O(|\varphi| \cdot (|S| + |R|))$
    $M \models \varphi$ if $M, s_0 \models \varphi$

  • Slide 25/36

    Branching Temporal Logic (BTL): Equivalences between CTL formulas

    $AX\varphi \equiv \neg EX\neg\varphi$
    $AG\varphi \equiv \neg EF\neg\varphi$
    $AF\varphi \equiv \neg EG\neg\varphi$
    $EF\varphi \equiv E[\top\, U\, \varphi]$

    Therefore, only three operators are required to express all the remaining: $EX$, $EG$, $EU$ (this is called an adequate set of operators).

  • Slide 26/36

    Branching Temporal Logic (BTL): Specification patterns

    Two examples of requirements patterns:

    Liveness: "Something good will eventually happen." E.g.: "Whenever any process requests to enter its critical section, it will eventually be permitted to do so." In CTL: $AG(\mathit{request} \to AF(\mathit{critical}))$

    Safety: "Nothing bad will happen." E.g.: "Only one process is in its critical section at any time." In CTL (with 2 processes only): $AG(\neg(\mathit{critical}_1 \wedge \mathit{critical}_2))$

    More examples:
    1. "From any state it is possible to get to a reset state": $AG\,EF(\mathit{reset})$
    2. "Event p precedes s and t on all computation paths" (try to encode the negation of this). The negation: there exists in the future a state in which p follows $s \wedge t$: $EF((s \wedge t) \to EF(p))$. Its negation: $\neg EF((s \wedge t) \to EF(p)) \equiv AG(\neg((s \wedge t) \to EF(p)))$
    3. "On all computation paths, after p, q is never true": $AG(p \to \neg EF(q))$

  • Slide 27/36

    Defining Specifications

    Intuition for CTL formulae which are satisfied at state s (diagram)

  • Slide 28/36

    Now the algorithm can be applied to the formula:

    $S(\mathit{close}) = \{S_2, S_3\}$
    $S(\mathit{start}) = \{S_3, S_4\}$
    $S(\neg\mathit{cooking}) = \{S_1, S_2, S_4\}$
    $S(EG\,\neg\mathit{cooking}) = \{S_1, S_2, S_4\}$
    $S(\mathit{close} \wedge \mathit{start} \wedge EG\,\neg\mathit{cooking}) = \{\}$
    $S(EF(\mathit{close} \wedge \mathit{start} \wedge EG\,\neg\mathit{cooking})) = \{\}$
    $S(\neg EF(\mathit{close} \wedge \mathit{start} \wedge EG\,\neg\mathit{cooking})) = \{S_1, S_2, S_3, S_4\}$

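The labeling computation above, the CTL semantics of slides 23-24 and the adequate set of slide 25 fit in one small explicit-state checker. The following is an added example (not the lecture's code): it computes $S(\varphi)$ bottom-up with $EX$, $EG$ and $EU$ as the primitives, over the slides' mutual exclusion state graph written down as literals; the operator names follow the slides, the Python names are mine.

```python
# Added example (not the lecture's own code): explicit-state CTL model checking by
# the labeling algorithm with the adequate set {EX, EG, EU}. The Kripke structure is
# the reachable part of the slides' two-process mutual exclusion model, written as
# literals; a state is (process1, process2, semaphore) with 0 = S0, 1 = S1.
R = {  # transition relation as state -> successors (constructed from the slide's graph)
    ("N", "N", 0): [("T", "N", 0), ("N", "T", 0)],
    ("T", "N", 0): [("C", "N", 1), ("T", "T", 0)],
    ("N", "T", 0): [("T", "T", 0), ("N", "C", 1)],
    ("C", "N", 1): [("N", "N", 0), ("C", "T", 1)],
    ("T", "T", 0): [("C", "T", 1), ("T", "C", 1)],
    ("N", "C", 1): [("T", "C", 1), ("N", "N", 0)],
    ("C", "T", 1): [("N", "T", 0)],
    ("T", "C", 1): [("T", "N", 0)],
}
S, INIT = set(R), ("N", "N", 0)

def L(s):  # labeling function L: S -> 2^P, e.g. ("C","T",1) -> {"C1","T2","S1"}
    return {s[0] + "1", s[1] + "2", "S%d" % s[2]}

def ex(target):  # states with at least one successor in `target`: the EX step
    return {s for s in S if any(u in target for u in R[s])}

def sat(f):  # S(f): the set of states satisfying f, computed bottom-up over f
    op = f[0]
    if op == "true": return set(S)
    if op == "p":    return {s for s in S if f[1] in L(s)}
    if op == "not":  return S - sat(f[1])
    if op == "and":  return sat(f[1]) & sat(f[2])
    if op == "EX":   return ex(sat(f[1]))
    if op == "EU":   # least fixpoint: g-states, then f-states with a successor in the set
        a, res = sat(f[1]), sat(f[2])
        while not (a & ex(res) <= res): res |= a & ex(res)
        return res
    if op == "EG":   # greatest fixpoint: drop f-states that cannot stay inside the set
        res = sat(f[1])
        while res & ex(res) != res: res &= ex(res)
        return res
    raise ValueError("unknown operator %r" % op)

# Derived operators, following the slides' equivalences (EF, AG, AF from EX, EG, EU).
def p(name): return ("p", name)
def EF(f):   return ("EU", ("true",), f)
def AG(f):   return ("not", EF(("not", f)))
def AF(f):   return ("not", ("EG", ("not", f)))
def IMPLIES(f, g):    return ("not", ("and", f, ("not", g)))
def AND(f, g, *more): return ("and", f, AND(g, *more)) if more else ("and", f, g)

def holds(f, s0=INIT):  # M |= f iff M, s0 |= f: read the answer at the initial state
    return s0 in sat(f)

RESET = AG(EF(AND(p("N1"), p("N2"), p("S0"))))  # the slides' AG EF(N1 N2 S0): holds
MUTEX = AG(("not", AND(p("C1"), p("C2"))))      # safety "never both critical": holds
LIVE1 = AG(IMPLIES(p("T1"), AF(p("C1"))))       # liveness "T1 -> AF C1": does not hold
```

The liveness pattern from slide 26 fails on this model because the interleaving allows the loop T1 N2 S0 -> T1 T2 S0 -> T1 C2 S1 -> T1 N2 S0 in which process 1 never enters; the set `sat(("EG", ("not", p("C1"))))` is that counterexample region, and a fairness assumption would be needed to exclude it.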

  • Slide 36/36

    Genealogy

    (Diagram; recoverable labels only.) Aristotle (300s BCE); Tarski; Kripke (59); Floyd/Hoare (late 60s); Pnueli (late 70s); Clarke/Emerson (Early); Logics of Programs; Temporal/Modal Logics; μ-Calculus; ω-automata, S1S; CTL Model Checking; LTL Model Checking; Symbolic Model Checking.