1 / 37

Optimizing CTL Model checking + Model checking TCTL

Optimizing CTL Model checking + Model checking TCTL. CS 5270 Lecture 9. A(FG p) not AF( AG p). Today…. Summary Optimizations for model checking ROBDDs TCTL- Syntax Semantics Algorithm for MC Optimizations. Summary: Model checking CTL. Optimization. The principal one:

ronat
Download Presentation

Optimizing CTL Model checking + Model checking TCTL

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Optimizing CTL Model checking+Model checking TCTL CS 5270Lecture 9 Lecture 8

  2. A(FG p) not AF( AG p) Lecture 8

  3. Today… • Summary • Optimizations for model checking • ROBDDs • TCTL- • Syntax • Semantics • Algorithm for MC • Optimizations Lecture 8

  4. Summary: Model checking CTL Lecture 8

  5. Optimization • The principal one: • Reduce to a problem with Boolean variables/Boolean formulæ • Is this reasonable? • Well – most modelling is done like this – even when you do have (non-boolean) variables • + efficiencies from efficient operations on boolean functions Lecture 8

  6. States as boolean formulæ • Encode states using m boolean variables. • Allows for 2m states. • For example: m=3: • S={s1,s2,s3,s4,s5,s6,s7,s8} • Propositional booleans a,b,c: • S={000,001,010,011,100,101,110,111} • S = {abc, abc, abc , … } Lecture 8

  7. Transitions as boolean formulæ • Encode (s,s’) using before and after propositional boolean variables • a,b,c and a’,b’,c’. • For example: (s1,s4): • (s1,s4) = (abc)  (a’b’c’) Lecture 8

  8. Sufficient for modelling? • Encode another mutual exclusion protocol • Two processes, P1 and P2 share booleans • Co-operate for mutual exclusion • Third process T1 monitors and sets a turn variable • System is parallel composition: P1 || P2 || T1 Lecture 8

  9. Co-operative mutex: Process P1 P1 = if (idle1) { wait1 = true; idle1 = false; } else if (wait1 & idle2) { active1 = true; wait1 = false; } else if (wait1 & wait2 & (!turn)) { active1 = true; wait1 = false; } if (active1) { CritSect(); idle1 = true; active1 = false; }; ( followed by P1 ) Lecture 8

  10. Co-operative mutex: Process P2 P2 = if (idle2) { wait2 = true; idle2 = false; } else if (wait2 & idle1) { active2 = true; wait2 = false; } else if (wait2 & wait1 & turn) { active2 = true; wait2 = false; } if (active2) { CritSect(); idle2 = true; active2 = false; }; ( followed by P2 ) Lecture 8

  11. Co-operative mutex: Process T1 if (idle1 & wait2) { turn = true; } else if (idle2 & wait1) { Turn = false; }; ( followed by T1 ) (P1 || P2 || T1); System; T1 = System = Lecture 8

  12. State transition diagram – whole system Lecture 8

  13. Transitions as predicates • P1 = (i1w1’i1’)  (w1i2a1’w1’)  (w1w2ta1’w1’)  (a1i1’a1’) • P2 = (i2w2’i2’)  (w2i1a2’w2’) • (w2w1ta2’w2’)  (a2i2’a2’) • T1 = (i1w2t’)  (i2w1t’) Lecture 8

  14. Ordered Binary Decision Tree Lecture 8

  15. OBDT example: (i1i2)(i3i4) Lecture 8

  16.  ROBDD: (i1i2)(i3i4) Lecture 8

  17.  ROBDD: (i1i2)(i3i4) Lecture 8

  18.  ROBDD: (i1i2)(i3i4) Lecture 8

  19.  ROBDD: (i1i2)(i3i4) Lecture 8

  20.  ROBDD: (i1i2)(i3i4) Lecture 8

  21.  ROBDD: (i1i2)(i3i4) Lecture 8

  22. History… • The ROBDD optimization originally by Bryant (86) – paper on boolean graphs • The application to model checking by McMillan (Originally in late 80’s – subject of thesis in 1992) • smv – Symbolic model verifier – originally by McMillan Lecture 8

  23. Today… • Summary • Optimizations for model checking • ROBDDs • TCTL- • Syntax • Semantics • Algorithm for MC • Optimizations Lecture 8

  24. Regional transition system (RTS) • Given TATTS = (s,s0,Act, ), then the RTS is a quotiented transition system RTS = (Ř,Ř0, Act,), where Ř= {(s,[v]t) | (s,v)s [v]tREGv}, and Ř0= {(s,[v]t) | (s,v)s0 [v]tREGv}, and • finally, (s,[v]t)  (s’,[v’]t) if and only if there is a transition (s,v) (s’,v’) in TATTS. a a Lecture 8

  25. Regional transition system (RTS) • Notation: Ř – a set of regions ř – a particular region in the set: (s,[v]t) r – a particular valuation: (s,v) Lecture 8

  26. Regional transition system (RTS) Lecture 8

  27. Kripke structure/model for TCTL • Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř,Δ,AP,L) • Ř – finite set of regions from RTS • Δ ŘŘ - a total transition relation • AP – a finite set of atomic propositions • L: Ř→ 2AP – A labelling function which labels each region with the propositions true in that region Note that the propositions may include clock constraints… Lecture 8

  28. TCTL- syntax • Given pAP, xX (model clock variables), zZ (property clock variables), (XZ) (clock constraints), then p and  are TCTL- formulæ, and if 1 and 2 are TCTL- formulæ then so are: • 1 • 1  2 • 1  2 • z in 1 • A( 1U 2 ) • E( 1U 2 ) Lecture 8

  29. TCTL examples • Note: temporal operators can be subscripted: • A( 1U<72 ) means 1 holds until (within 7 time units) 2 becomes true. • Implemented as: z in A( (1z<7) U2 ) • A( alarm U<7boiler-off): the alarm is on until (within 7 time units) the boiler-off is signaled. • EF<7( alarm ) = E( true U<7alarm): the alarm will be on within 7 time units. Lecture 8

  30. Semantics of TCTL • Expressed in terms of a model, and the modelling relation² which links a model, a composite stater=(s,v) and a formula clock valuation with a property. • M,(r,f)²P - means that (TCTL) property P holds in (or is satisfied in) state r in the case of a formula valuation f for a given model M Lecture 8

  31. (Inductive) definition of ² M,(r,f)²P  pL(ř) M,(r,f)²  v  f ² M,(r,f)²1 (M,(r,f)²1 ) M,(r,f)²1  2  M,(r,f)²1, and M,(r,f)²2 M,(r,f)²1  2  M,(r,f)²1, or M,(r,f)²2 Lecture 8

  32. (Inductive) definition of ² • M,(r,f)²z in 1  M,(r,z in f)²1 • The notation z in f asserts that z is reset to 0 whenever it appears in the formula f • M,(r,f)² A( 1 U2 )  for every path p from r, for some j, M,(j)²2, and i<j, M,(i)²1  2. Lecture 8

  33. (Inductive) definition of ² • M,(r,f)² E( 1 U2 )  for one path p from r, for some j, M,(j)²2, and i<j, M,(i)²1  2. • Note that in both EU and AU, the condition up until 2 is 1  2. and not just 1!! Lecture 8

  34. AU: 1  2 until 2 Lecture 8

  35. Model checking TCTL • Definition of a labelling algorithm in the notes – not much different from CTL • The only problem is this definition uses a least fixpoint iteration over an infinite set… • In practice use the region construction… Lecture 8

  36. Optimization for TCTL MC • We have already seen the steps to create a (finite) regional automaton • Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion • For this reason, limit the size of systems • … so far … Lecture 8

  37. Uppaal – more formally • TCTL, but with restrictions that amount to only safety (reachability) formulæ: • Set of clock constraints Z in formula is {} • Syntax just AG() and EF() (outer level) •  ::= a | x op n |  | 12 (op {,,,,}) • a is a location in the model • Other properties (bounded liveness…) require extended models/automatons: • compare system model with other test model Lecture 8

More Related