Model checking CTL. CS 5270, Lecture 8.
Today…
• Summary, operations on zones
• Preliminaries to MC
  • Automata and TS, Büchi Automaton
  • Extensional and Intensional logics
  • Kripke structure
• CTL-
  • Syntax
  • Semantics
  • Algorithm for MC
The Reductions…
• TA → TTS (semantics): both the set of states and the set of actions are infinite.
• TTS → TS (time abstraction): finite set of actions but infinite set of states.
• TS → QTS/RTS (quotient via a bisimulation of finite index, i.e. regions): both states and actions are finite sets.
QTS – encodings
• RTS – regional transition system (figure)
• Zones / DBMs (difference bound matrices) – the efficient encoding (figure)
Operations on zones (figures)
• Intersection of two zones…
• Time elapsed zone…
• Reset operation on y…
• Past operation?…
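The four zone operations above, as an added example that is not code from the lecture, using the DBM encoding: a zone over clocks x1..xn is an (n+1)×(n+1) matrix D where D[i][j] is the upper bound on xi − xj and x0 is the constant 0. Bounds are taken as non-strict (≤ only), which is a simplification of real DBMs. Intersection is the elementwise minimum, time elapse drops the upper bound on every clock (column 0), reset copies the zero clock's row and column into the reset clock, and past (the "down" operation) lowers each clock's lower bound to 0 unless a difference constraint forbids it. Every result is re-canonicalised with Floyd-Warshall, which is also how an empty zone is detected. The sample zones and the function names are constructed for this example.

```python
import math
from itertools import product

INF = math.inf  # "no bound" entry of a DBM


def canonical(D):
    """Tighten every bound of D with Floyd-Warshall; return None if the zone is empty."""
    n = len(D)
    C = [row[:] for row in D]
    for k, i, j in product(range(n), repeat=3):  # k is the outermost loop
        if C[i][k] + C[k][j] < C[i][j]:
            C[i][j] = C[i][k] + C[k][j]
    if any(C[i][i] < 0 for i in range(n)):  # negative cycle: no valuation satisfies D
        return None
    return C


def zone(n, *constraints):
    """DBM over clocks 1..n (index 0 is the constant 0) from constraints x_i - x_j <= c."""
    D = [[INF] * (n + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        D[i][i] = 0
        D[0][i] = 0  # clocks are non-negative: x_0 - x_i <= 0
    for i, j, c in constraints:
        D[i][j] = min(D[i][j], c)
    return canonical(D)


def intersect(A, B):
    """Conjunction of two zones: the tighter bound wins entry by entry."""
    return canonical([[min(a, b) for a, b in zip(ra, rb)] for ra, rb in zip(A, B)])


def up(D):
    """Time elapse: every clock may grow, so drop the upper bounds x_i <= c (column 0)."""
    C = [row[:] for row in D]
    for i in range(1, len(C)):
        C[i][0] = INF
    return canonical(C)


def reset(D, x):
    """Reset clock x to 0: x now behaves exactly like the zero clock x_0."""
    C = [row[:] for row in D]
    for j in range(len(C)):
        C[x][j] = C[0][j]
        C[j][x] = C[j][0]
    C[x][x] = 0
    return canonical(C)


def down(D):
    """Past: valuations from which some delay leads into D. Lower bounds drop to 0
    unless a difference constraint x_j - x_i <= c with c < 0 keeps x_i >= -c."""
    C = [row[:] for row in D]
    n = len(C)
    for i in range(1, n):
        C[0][i] = min([0] + [C[j][i] for j in range(1, n)])
    return canonical(C)


def contains(D, *v):
    """Does the clock valuation v (x_1, ..., x_n) satisfy every constraint of D?"""
    vals = (0,) + v
    n = len(D)
    return all(vals[i] - vals[j] <= D[i][j] for i in range(n) for j in range(n))


# Constructed sample: two clocks x (index 1) and y (index 2).
BOX = zone(2, (1, 0, 2), (2, 0, 2))        # x <= 2, y <= 2
X_GE_1 = zone(2, (0, 1, -1))               # 0 - x <= -1, i.e. x >= 1
Z = intersect(BOX, X_GE_1)                 # 1 <= x <= 2, 0 <= y <= 2
Z_UP = up(Z)                               # x >= 1, and the diagonal bounds x-y <= 2, y-x <= 1
Z_RESET_Y = reset(Z_UP, 2)                 # y = 0, x >= 1, no upper bound on x
Z_DOWN = down(Z)                           # x <= 2, y <= 2, x-y <= 2, y-x <= 1

if __name__ == "__main__":
    print("(1.5, 0) in Z:", contains(Z, 1.5, 0))          # True
    print("(10, 9) in up(Z):", contains(Z_UP, 10, 9))     # True
    print("(10, 0) in up(Z):", contains(Z_UP, 10, 0))     # False, x - y <= 2 is kept
    print("(5, 1) in reset_y(up(Z)):", contains(Z_RESET_Y, 5, 1))  # False, y == 0
    print("(0, 1.5) in down(Z):", contains(Z_DOWN, 0, 1.5))        # False, y - x <= 1
    print("x<=1 and x>=2 empty:", intersect(zone(2, (1, 0, 1)), zone(2, (0, 1, -2))) is None)
```

The diagonal entries D[i][j] (i, j ≥ 1) are what make time elapse and past non-trivial: after canonicalisation the box 1 ≤ x ≤ 2, 0 ≤ y ≤ 2 carries x − y ≤ 2 and y − x ≤ 1, and those survive `up` and `down` even though the bounds against the zero clock change, which is exactly why a zone is closed under delay but a plain box is not.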
Automaton = TS + accepting states
• Finite automaton: (Q, Σ, Δ, q0, F)
• Q – a finite set of states
• Σ – the alphabet (corresponds to the actions)
• Δ: Q × Σ → Q – the transition function
• q0 – the start state
• F ⊆ Q – the set of accepting states
• The language accepted by such an automaton can be related to reachability questions: "Does a run lead to a desired accepting state?"
Büchi Automaton
• Finite automaton: (Q, Σ, Δ, q0, F)
• But … interpret F differently, so that the automaton accepts an input sequence if an infinite run visits states in F infinitely many times.
• Use this for liveness in non-terminating systems, e.g. "there is a measurement not followed by a recording".
Extensional and intensional logic
• Please answer YES or NO: Will the next answer you give me be NO?
• You are either going to die in a bomb raid or you are not…
• Extensional logic means that you can determine the truth of a formula from the truth values of its parts.
• Intensional/modal logic refers to QUALIFIED truth (words like could, eventually, possibly and so on).
Modal logic
• Operators:
  • □ – necessity
  • ◊ – possibility
• With propositional variables, and the connectives (¬, ∧, ∨)
• TEMPORAL logic is a particular modal logic, with operators related to TIME, so that (for example) □p means that the propositional variable p must hold in all the following (later) states.
Propositional variables?
• The resource arbiter: each process is idle, waiting, or using the resource, giving the propositions i1, i2, w1, w2, u1, u2
Propositional variables?
• Label each state with the properties true in that state (figure)
Temporal logics
• Common to use letter notation:
  • Xφ – φ holds in the next state
  • Gφ – φ holds in all following states
  • Fφ – φ eventually holds somewhere
  • φ U ψ – φ holds until ψ holds
  • φ R ψ – ψ holds up to and including the point where φ holds (if φ ever holds)
• Path quantification
  • A – for all paths
  • E – there exists a path
Linear vs branching time
• Linear time: the set of all runs, e.g. { 010101010…, 010232323…, … }
• Branching time: the transition system (computation tree)
LTL versus CTL
• LTL and CTL are both subsets of CTL*
• LTL – Linear Temporal Logic
  • A modal, linear-time temporal logic (spin)
• CTL – Computation Tree Logic
  • A modal, branching-time temporal logic (smv)
  • All temporal operators are preceded by a path quantifier (A or E)
Example CTL
• EX p – for (at least) one path, p holds in the next state
• A(p U q) – for all paths, p holds until q holds
• E(p U q) – for (at least) one path, p holds until q holds
CTL and CTL-
• CTL has two path quantifiers (A, E) and five temporal operators (X, G, F, U, R), giving a total of 10 CTL temporal formula types.
• However, all ten can be written (using ¬, ∧, ∨) in terms of the three just given: EX, AU and EU.
• For simplicity we only consider this subset, called here CTL-.
Example CTL: EX(w1) (figure)
Example CTL: E(i2 U w2) (figure)
Kripke structure
• Intensional semantics for modal systems
• Def: A Kripke structure over a set of atomic propositions AP is the 4-tuple (S, Δ, AP, L)
  • S – a finite set of states
  • Δ ⊆ S × S – a total transition relation (every state has at least one successor)
  • AP – a finite set of atomic propositions
  • L: S → 2^AP – a labelling function which labels each state with the atomic propositions true in that state
Kripke structure
• In model checking, called a CTL model, or just a model (figure)
Unfolded Kripke structure (figure)
CTL- syntax
• Given p ∈ AP, p is a CTL- formula, and if φ1 and φ2 are CTL- formulæ then each of the following is also a CTL- formula:
  • ¬φ1
  • φ1 ∧ φ2
  • φ1 ∨ φ2
  • EX(φ1)
  • A(φ1 U φ2)
  • E(φ1 U φ2)
Semantics of CTL
• Expressed in terms of a model, and the satisfaction relation ⊨ which links a model, a state and a property.
• M,s ⊨ P means that (CTL) property P holds in (or is satisfied in) state s for a given model M.
Semantics of CTL
Example model (figure) with AP = {B, G, R} and states s0 (off), s1 (on), s2 (on):
• M,s0 ⊨ EX(R) ?
• M,s1 ⊨ EX(R) ?
• M,s2 ⊨ EX(G) ?
Note that the actions are not needed…
M,s2 ⊨ E(u2 U w1) ??? (figure)
M,s2 ⊨ A(u2 U w1) ??? (figure)
M,s2 ⊨ A(u2 U i2) ??? (figure)
(Inductive) definition of ⊨
• M,s ⊨ p ⇔ p ∈ L(s)
• M,s ⊨ ¬φ1 ⇔ not (M,s ⊨ φ1)
• M,s ⊨ φ1 ∧ φ2 ⇔ M,s ⊨ φ1 and M,s ⊨ φ2
• M,s ⊨ φ1 ∨ φ2 ⇔ M,s ⊨ φ1 or M,s ⊨ φ2
• M,s ⊨ EX(φ1) ⇔ there is an s' with Δ(s,s') and M,s' ⊨ φ1 (i.e. s has a successor at which φ1 holds)
M,s ⊨ EX(p) (figure)
(Inductive) definition of ⊨
• A path π from s is a state sequence s0 s1 s2 … with s0 = s such that si → si+1 (i.e. Δ(si, si+1)) for every i; π(i) denotes si, the ith element of π.
• M,s ⊨ A(φ1 U φ2) ⇔ for every path π from s there is some j such that M,π(j) ⊨ φ2 and M,π(i) ⊨ φ1 for all i < j.
• M,s ⊨ E(φ1 U φ2) ⇔ for some path π from s there is some j such that M,π(j) ⊨ φ2 and M,π(i) ⊨ φ1 for all i < j.
M,s ⊨ A(p U q) (figure)
M,s ⊨ E(p U q) (figure)
Model checking CTL
The sat algorithm for CTL
• Traverses a CTL model, and …
• returns the set of states that …
• satisfy a property expressed in CTL.
• We then check whether our state s is in this set.
Assuming AP is the set of atomic propositions, and S the set of states, then…
The sat algorithm for CTL
set_of_states sat(φ) =
  if φ ∈ AP then {s | φ ∈ L(s)}
  else case φ of
    true     : S
    false    : {}
    ¬φ1      : S – sat(φ1)
    φ1 ∧ φ2  : sat(φ1) ∩ sat(φ2)
    φ1 ∨ φ2  : sat(φ1) ∪ sat(φ2)
    EX(φ1)   : {s ∈ S | ∃s' ∈ succ(s). s' ∈ sat(φ1)}
    …
(Note that succ(s) is the set of successors of s.)
The sat algorithm for CTL
• To find EU and AU, we use an algorithm which can be expressed as the least fixed point of a function.
• In general, a fixed point of a function g is any z such that z = g(z).
• If g is a continuous function over a CPO, it has a least fixed point.
Now consider this:
A(φ1 U φ2) = φ2 ∨ (φ1 ∧ AX(A(φ1 U φ2)))
Z = φ2 ∨ (φ1 ∧ AX(Z))   (i.e. a fixed-point equation)
and likewise for EU:
E(φ1 U φ2) = φ2 ∨ (φ1 ∧ EX(E(φ1 U φ2)))
The sat algorithm for CTL
• The lfp algorithms for EU and AU iterate over the model, labelling those states which satisfy EU (and AU).
• Not detailed here, but you may want to investigate the algorithms in more detail.
M,s2 ⊨ E(i2 U (u1 ∧ w2)) ???
Compute sat(E(i2 U (u1 ∧ w2))) by iterating the fixed-point equation Z = φ2 ∨ (φ1 ∧ EX(Z)) with φ1 = i2 and φ2 = u1 ∧ w2: each round (figures) labels the states satisfying φ2 ∨ (φ1 ∧ EX(E(φ1 U φ2))) given the previous round's labelling, until the labelled set stops changing.
M,s2 ⊨ E(i2 U (u1 ∧ w2)) ??? Fixed point…
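The sat algorithm for CTL- (the three base operators EX, EU, AU plus ¬, ∧, ∨), with the EU and AU cases computed as the least fixed points just described, as an added example that is not code from the lecture. The Kripke structure is a constructed two-process resource arbiter whose atomic propositions follow the slides' naming (i1, i2, w1, w2, u1, u2); its state space and transition relation are this example's assumption, not the figure on the slides, so the query results are for this model only. The derived operators EF, AF, AG and AX at the end show how the other CTL operators are written in terms of the three CTL- ones.

```python
# Added example, not from the lecture slides: sat() for CTL- over an explicit
# Kripke structure (S, delta, L).  Formulae are nested tuples, e.g.
# ("EU", ("p", "i2"), ("and", ("p", "u1"), ("p", "w2")))  for  E(i2 U (u1 ∧ w2)).
from itertools import product

STATUS = ("i", "w", "u")  # each process is idle, waiting, or using the resource


def arbiter():
    """Constructed two-process arbiter: states are (status of P1, status of P2)."""
    # Assumption: the arbiter never grants the resource to both, so (u, u) is not a state.
    S = {s for s in product(STATUS, STATUS) if s != ("u", "u")}
    step = {"i": "w", "w": "u", "u": "i"}  # idle -> waiting -> using -> idle
    delta = set()
    for a, b in S:
        for t in ((step[a], b), (a, step[b])):  # interleaving: one process moves at a time
            if t in S:
                delta.add(((a, b), t))
    L = {(a, b): {a + "1", b + "2"} for (a, b) in S}  # e.g. ("w","i") -> {"w1","i2"}
    return S, delta, L


def succ(delta, s):
    return {t for (x, t) in delta if x == s}


def sat(model, phi):
    """Set of states of model satisfying the CTL- formula phi."""
    S, delta, L = model
    kind = phi[0]
    if kind == "true":
        return set(S)
    if kind == "false":
        return set()
    if kind == "p":
        return {s for s in S if phi[1] in L[s]}
    if kind == "not":
        return S - sat(model, phi[1])
    if kind == "and":
        return sat(model, phi[1]) & sat(model, phi[2])
    if kind == "or":
        return sat(model, phi[1]) | sat(model, phi[2])
    if kind == "EX":
        T = sat(model, phi[1])
        return {s for s in S if succ(delta, s) & T}
    if kind in ("EU", "AU"):
        F, G = sat(model, phi[1]), sat(model, phi[2])
        # Least fixed point of Z = G ∪ (F ∩ EX Z) (EU) or Z = G ∪ (F ∩ AX Z) (AU):
        # start from Z = ∅ and add states until one round labels nothing new.
        Z = set()
        while True:
            if kind == "EU":
                new = G | {s for s in F if succ(delta, s) & Z}
            else:
                # succ(s) must be non-empty: the relation is total here, and the guard
                # stops a deadlocked state from satisfying AX vacuously in other models.
                new = G | {s for s in F if succ(delta, s) and succ(delta, s) <= Z}
            if new == Z:
                return Z
            Z = new
    raise ValueError(f"unknown formula {phi!r}")


def holds(model, s, phi):
    """M, s ⊨ phi"""
    return s in sat(model, phi)


# The remaining CTL operators, expressed with the three CTL- ones.
def p(name):
    return ("p", name)

def EF(f):
    return ("EU", ("true",), f)            # E(true U f)

def AF(f):
    return ("AU", ("true",), f)            # A(true U f)

def AG(f):
    return ("not", EF(("not", f)))         # ¬EF¬f

def AX(f):
    return ("not", ("EX", ("not", f)))     # ¬EX¬f


MODEL = arbiter()
MUTEX = AG(("not", ("and", p("u1"), p("u2"))))  # never both using the resource
BOTH = ("and", p("u1"), p("w2"))                 # u1 ∧ w2, the φ2 of the slides' query

if __name__ == "__main__":
    s = ("i", "i")
    print("EX(w1) at (i,i):", holds(MODEL, s, ("EX", p("w1"))))               # True
    print("E(i2 U (u1 & w2)) at (i,i):", holds(MODEL, s, ("EU", p("i2"), BOTH)))  # True
    print("A(i2 U (u1 & w2)) at (i,i):", holds(MODEL, s, ("AU", p("i2"), BOTH)))  # False
    print("mutual exclusion holds in every state:", sat(MODEL, MUTEX) == MODEL[0])  # True
    print("AF(u1) at (w,i), i.e. no starvation of P1:", holds(MODEL, ("w", "i"), AF(p("u1"))))  # False
```

The last query is the kind of result model checking is for: E(i2 U (u1 ∧ w2)) is satisfied because one interleaving reaches (u, w) with process 2 idle throughout, but A(i2 U (u1 ∧ w2)) fails because the path through (i, w) breaks i2 first, and AF(u1) fails at (w, i) because the cycle (w,i) → (w,w) → (w,u) → (w,i) lets process 2 be served forever while process 1 waits. Mutual exclusion, on the other hand, holds in every state, which sat(AG ¬(u1 ∧ u2)) reports as the full state set.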
Summary: Model checking CTL