Finite State

(1)

Finite State

Model Checking

(2)

Informationsteknologi

UCb

Finite State Model Checking

TOOL TOOL

System Description A

Requirement F Yes,

Prototypes

Executable Code Test sequences No!

Debugging Information

Tools: visualSTATE, SPIN, Statemate, Verilog, Formalcheck,...

Finite State Systems

CTL

(3)

UCb

From Programs to Networks

P1 :: while True do

T1 : wait(turn=1) C1 : turn:=0

endwhile

||

P2 :: while True do

endwhile

P1 :: while True do

endwhile

||

P2 :: while True do

endwhile

Mutual Exclusion Program

(4)

UCb

From

Network

Models to Kripke Structures

I1 I2 t=0

T1 I2 t=0

T1 T2 t=0

I1 T2 t=0

I1 C2 t=0

T1 C2 t=0

C1 I2

t=1 T1 T2

t=1

C1 T2 t=1

T1 I2 t=1

I1 T2 t=1 I1 I2

t=1

(5)

UCb

CTL Models =

Kripke Structures

(6)

UCb

Computation Tree Logic, CTL

Clarke & Emerson 1980

Syntax

(7)

UCb

Path

p

s s₁

s₂ s₃...

The set of path starting in s

(8)

UCb

Formal Semantics

( )

(9)

UCb

CTL, Derived Operators

. . .

p

p p

AF p

. . .

. . . p

EF p

possible inevitable

(10)

UCb

CTL, Derived Operators

p p

p

. . .

AG p

p p p p

p p

. . .

EG p

p

always

potentially always

(11)

UCb

Theorem

All operators are derivable from

• EX f

• EG f

• E[ f U g ]

and boolean connectives

All operators are derivable from

• EX f

• EG f

• E[ f U g ]

and boolean connectives

[ ^f Û ^g ] ^≡ ^¬ Ê [ ^¬ ^g Û ( ^¬ ^f ^∧ ^¬ ^g ) ] ^∧ ^¬ ÊG ^¬ ^g

A

(12)

UCb

Example

p p

q

p,q

EX p

1 2

3

4

(13)

UCb

Example

p p

q

p,q

AX p

1 2

3

4

(14)

UCb

Properties of MUTEX example ?

I1 I2 t=0

T1 I2 t=0

T1 T2 t=0

I1 T2 t=0

I1 C2 t=0

T1 C2 t=0

C1 I2

t=1 T1 T2

t=1

C1 T2 t=1

T1 I2 t=1

I1 T2 t=1 I1 I2

t=1

[ ]

( )

[ ]

[^C Â ^C Û ^C Â ^C Û ^C ]

AG

C EG

AF(C T

AG[

C (C

AG

2 1

1 1

2 1

¬

∧

¬

⇒

¬

⇒

∧

¬

)]

) HOW toIN GEN DECIDERAL E

(15)

CTL Model Checking

Algorithms

(16)

UCb

Fixpoint Characterizations

p p

p EX EF

EF ≡ ∨

or let A be the set of states satisfying EF p then

A EX

A ≡ p ∨

in fact A is the smallest such set (the least fixpoint)

(17)

UCb

Example

p

q

p,q

EF q

A

∨ EX q

p

1 2

3

4

(18)

UCb

Fixed points of monotonic functions

Let τ be a function 2^S → 2^S

Say τ is monotonic when

Fixed point of τ is y such that

If τ monotonic, then it has

− least fixed point μy. τ(y)

− greatest fixed point νy. τ(y)

) ( )

( implies

x y

y

x ⊆ τ ⊆ τ

y y ) =

τ (

(19)

UCb

Iteratively computing fixed points

Suppose S is finite

− The least fixed point μy. τ(y) is the limit of

− The greatest fixed point νy. τ(y) is the limit of

⊆ L

⊆

⊆ (false) ( (false))

false τ τ τ

⊇ L

⊇

⊇ (true) ( (true))

true τ τ τ

Note, since S is finite, convergence is finite

(20)

UCb

Example: EF p

EF p is characterized by

Thus, it is the limit of the increasing series...

) (

. p EX y

y p

EF = μ ∨

p ∨ ^{EX p} p p ∨

EX(p ∨ ^{EX p)}

. . .

(21)

UCb

Example: EG p

EG p is characterized by

Thus, it is the limit of the decreasing series...

) (

. p EX y

y p

EG = ν ∧

p ∧ ^{EX p} ^p

p ∧

EX(p ∧ ^{EX p)}

...

(22)

UCb

Example, continued

p

q

p,q

EF q

p

1 2

3

4

} 3 , 2 , 1 {

} 3 , 2 {

3 2 1

0

=

A A A

Ø A

) (

. q EX y

y q

EF =

μ

∨

(23)

UCb

Remaining operators

)) (

( . )

(

)) (

( . )

(

) (

.

) (

.

y AX p

q y

q U p A

y EX p

q y

q U p E

y AX p

y p

AG

y AX p

y p

AF

∧

∨

=

∧

∨

=

∧

=

∨

=

μ μ ν

μ

(24)

UCb

I1 I2 t=0

T1 I2 t=0

T1 T2 t=0

I1 T2 t=0

I1 C2 t=0

T1 C2 t=0

C1 I2

t=1 T1 T2

t=1

C1 T2 t=1

T1 I2 t=1

I1 T2 t=1 I1 I2

t=1

)]

1

1 1

AF(C

AF(C T

AG[ ⇒

(25)

UCb

(26)

UCb

(27)

UCb

)) ( }

' )

' , '.(

|

({s ∀s s s ∈R ⇒ s ∈Q ∩ Sat φ

(28)

UCb

p SCC

SCC SCC

EG p

More Efficient Check

(29)

UCb

Example

p q

p

p,q

EG p

q

p

(30)

UCb

Example

p

p,q

EG p

p

Reduced Model

(31)

UCb

Example

p

EG p

p

Non trivial Strongly Connected Component

(32)

UCb

I1 I2 t=0

T1 I2 t=0

T1 T2 t=0

I1 T2 t=0

I1 C2 t=0

T1 C2 t=0

C1 I2

t=1 T1 T2

t=1

C1 T2 t=1

T1 I2 t=1

I1 T2 t=1 I1 I2

t=1

[ ^C₁]

EG ¬

(33)

UCb

I1 I2 t=0

T1 I2 t=0

T1 T2 t=0

I1 T2 t=0

I1 C2 t=0

T1 C2 t=0

T1 T2 t=1 T1 I2

t=1

I1 T2 t=1 I1 I2

t=1

[ ^C₁]

EG ¬

Reduced Model

which are the non-trivial SCC’s?

(34)

UCb

Complexity

However S_sys may be EXPONENTIAL in number of parallel components!

--

FIXPOINT COMPUTATIONS may be carried out using

ROBDD’s

(Reduced Ordered Binary Decision Diagrams) Bryant, 86

However S_sys may be EXPONENTIAL in number of parallel components!

--

FIXPOINT COMPUTATIONS may be carried out using

ROBDD’s

(Reduced Ordered Binary Decision Diagrams) Bryant, 86

Finite State

Finite State

Model Checking

TOOL TOOL

From Programs to Networks

Network

Computation Tree Logic, CTL

Path

( )

CTL, Derived Operators

CTL, Derived Operators

Theorem

[ f U g ] ≡ ¬ E [ ¬ g U ( ¬ f ∧ ¬ g ) ] ∧ ¬ EG ¬ g

A

Example

Example

CTL Model Checking

Algorithms

Fixpoint Characterizations

p p

p EX EF

EF ≡ ∨

A EX

A ≡ p ∨

Example

A

∨ EX q

) ( )

( implies

x y

y

x ⊆ τ ⊆ τ

y y ) =

τ (

Iteratively computing fixed points

Example: EF p

Example: EG p

Example, continued

μ

Remaining operators

)) (

( . )

(

)) (

( . )

(

) (

.

) (

.

y AX p

q y

q U p A

y EX p

q y

q U p E

y AX p

y p

AG

y AX p

y p

AF

∧

∨

=

∧

∨

=

∧

=

∨

=

μ μ ν

μ

Example

Example

Example

Complexity

[ ^f Û ^g ] ^≡ ^¬ Ê [ ^¬ ^g Û ( ^¬ ^f ^∧ ^¬ ^g ) ] ^∧ ^¬ ÊG ^¬ ^g