Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications
Authors: E.M. Clarke, E.A. Emerson, A.P. Sistla
Presented by Anjana Chatta
Basic Outline of the Paper
Part 1. Discuss the syntax and semantics of Computation Tree Logic (CTL) and illustrate it with an example
Part 2. Describe the basic model checking algorithm and illustrate it with an example
Part 3. Discuss the extension of this model checking algorithm which considers only fair computations, i.e. Extended Model Checking (EMC)
Part 4. Verify the correctness of the 'Alternating Bit Protocol' model through EMC
Part 5. Extensions of CTL to make it more expressive
Basic Definitions
1. Temporal logic: temporal ordering of events and states within a logical framework
2. Computation Tree Logic: propositional, branching-time temporal logic
3. Specification: explicit set of requirements to be satisfied by a system
4. Verification: check whether the system meets the required specification
5. Finite state machine: designed for expressing the behavior of a system
6. Finite state concurrent system: such systems are modeled by labeled state-transition graphs, called Kripke structures
Definitions cont.
7. Model checking: method for formally verifying finite-state concurrent systems
8. Temporal logic model checking:
   Input: the specification, expressed in a propositional temporal logic
   Verification procedure: exhaustive search of the state space of the system to determine whether the specification holds, i.e. find all states of model M that satisfy the formula f
9. Model checking algorithms: traverse the model and check whether the specification holds in the model
PART 1: The Specification Language CTL
1. Formal syntax of CTL
AP is the set of atomic propositions
Symbols: ∧ (AND), ¬ (negation)
Path quantifiers:
A ...: holds for all paths (starting at the tree's root)
E ...: holds for some path
Temporal operators:
X ...: holds next time
F ...: holds in the future
G ...: always holds
U ...: until
The Specification Language cont.
2. Semantics of CTL
AX p: on all paths starting at state s, p holds in the next state
EX p: there exists a path starting at state s on which p holds in the next state
EF p: p is reachable (there exists a path starting at state s on which p holds in some future state)
AF p: p is inevitable (on all paths that start at state s, p holds in some future state)
EG p: there exists a path starting at state s on which p holds globally
AG p: p is invariant (on all paths that start at state s, p holds globally)
E[g U f]: there exists a path starting at state s on which g holds until f eventually holds
A[g U f]: on all paths that start at state s, g holds until f eventually holds
The Specification Language cont.
Formally, a CTL structure is a triple M = (S, R, P): S is a finite set of states, R ⊆ S × S is the (total) transition relation, and P assigns to each state the set of atomic propositions true in that state
The Specification Language cont.
1. For M = (S, R, P) and a state s0 ∈ S there is an infinite computation tree with root labeled s0, obtained by unwinding M from s0
(Figure: an infinite computation tree with root labeled s0)
The Specification Language cont.
1. M, s0 |= f means that the CTL formula (property) f holds at state s0 in M
2. The relation |= is defined inductively:
   an atomic proposition p holds at s0 if p is true in s0
   a conjunction holds at s0 if (s0 |= f1) and (s0 |= f2)
   f1 holds on every path starting at s0
   f1 holds on some path starting at s0
   for all paths starting at s0, f1 holds until f2 holds
   there exists a path starting at s0 on which f1 holds until f2 holds
CTL Model Example: Mutual Exclusion
Two processes, P1 and P2:
P1: N1 -> T1, T1 -> C1, C1 -> N1
P2: N2 -> T2, T2 -> C2, C2 -> N2
PROPERTIES:
SAFETY: Only one process should be in the critical section at any time: AG(¬(C1 ∧ C2))
LIVENESS: Whenever a process wants to enter its critical section, it will eventually be permitted to do so: AG(T1 -> AF(C1))
In this model, AF(C1) is true in state 1 and EF(C1 ∧ C2) is false in state 0
PART 2: MODEL CHECKING
1. What is model checking? Given a finite state system model M = (S, R, P), check whether this model meets a given specification (a formula or set of formulae)
2. But why use model checking?
   1. No proofs! Hand-written temporal logic proof construction using axioms is tedious
   2. Fast
   3. Counter-examples
   4. No problem with partial specifications
3. Problem: model checking suffers from the state explosion problem
MODEL CHECKING cont.
State Labeling Algorithm:
1. Model checking can be achieved through the state labeling algorithm
2. The algorithm works by iteratively determining the states that satisfy a given formula (i.e. labeling the states)
3. Input and output of the labeling algorithm:
   Input: a model M = (S, R, P) and a CTL formula f
   Output: the set of states that satisfy formula f
State Labeling Algorithm
The state labeling algorithm handles seven cases
1. The algorithm uses DFS for f = A(f1 U f2)
2. The recursive procedure au(f, s, b) performs the search for formula f starting from state s
3. When au terminates, the boolean result parameter b will be set to true iff s |= f
4. Whether s is currently on the stack ST is tested by the boolean procedure stacked(s)
State labeling algorithm cont.
1. arg1(f): first argument of a two-argument temporal operator
2. arg2(f): second argument of a two-argument temporal operator
3. If f = A(f1 U f2) then arg1(f) = f1, arg2(f) = f2
4. labeled(s, f) returns true if state s is labeled with formula f
5. add-label(s, f) adds formula f to the current label of state s
6. If f2 is true at s, f is true at s, else …
7. The algorithm requires time O(card(S) + card(R))
State labeling algorithm cont.
1. Is f true in all successor states of s?
2. If there is some successor state s1 at which f is false, then f is false at s too; hence remove s from the stack and return false
3. If f is true for all successor states, then f is true at s; so pop s from the stack, label s with f, and return true
State labeling algorithm cont.
For CTL formula f = E(f1 U f2):
1. First find all states that are labeled with f2 and label them with E(f1 U f2)
2. Then work backwards using the converse of the successor relation, i.e. repeat: label any state with E(f1 U f2) if (1) it is labeled with f1 and (2) at least one of its successors is labeled with E(f1 U f2), until there is no change
3. This uses the fixpoint characterization E(f1 U f2) ≡ f2 ∨ (f1 ∧ EX E(f1 U f2))
State labeling algorithm cont.
CTL formulas with arbitrary nesting of sub-formulas:
1. nf[i] is the i-th sub-formula of f, for i up to length(f)
2. sf[i] is the list of the numbers assigned to the immediate sub-formulas of the i-th formula
3. If f = (AU (NOT X) (OR Y Z)), then nf and sf are given below
Example
LIVENESS: Whenever any process wants to enter its critical section, it will eventually be permitted to do so:
AG(T1 -> AF C1) ≡ ¬EF(¬(T1 -> AF C1)) ≡ ¬EF(T1 ∧ ¬AF C1) ≡ ¬E[true U (T1 ∧ ¬AF C1)]
Split into sub-formulas. In order to handle an arbitrary CTL formula f:
1. Associate with each state s an array L[s] of size length(f)
2. Procedure add-label(s, fi) sets L[s][fi] to true
3. Procedure labeled(s, fi) returns the current value of L[s][fi]
4. Successively apply the state labeling algorithm to the sub-formulas of f
5. Start with the simplest (i.e. highest numbered) sub-formula and work backwards to f
6. The entire algorithm requires O(length(f) x (card(S) + card(R)))
Part 3: Introduce fairness to CTL
Model Checking with Fairness
1. In the verification of model M, (s |= f) might fail because the model M may contain unrealistic behavior
2. We need to filter out this behavior
3. The solution is to put a FAIRNESS constraint on M, which removes that behavior
How to handle fairness?
1. Modify the semantics of CTL; the new logic is called CTL_F
2. M is now a 4-tuple (S, R, P, F) where F ⊆ 2^S is a set of predicates on S
3. A path p is F-fair iff for each g that belongs to F, there are infinitely many states on path p that satisfy predicate g
Model Checking: Labeling algorithm with the new CTL_F
Extended Model Checking algorithm. How do we achieve it?
Introduce an additional proposition Q, which is TRUE at a state s iff there is a fair path starting from s
How can we do it?
1. Obtain the strongly connected components (SCCs) of the graph denoted by the model (an SCC is a maximal set of states each of which is reachable from every other)
2. An SCC is fair if it contains at least one state from each Gi in F = {G1, G2, ..., Gk} ⊆ 2^S (from the lemma: every state in a fair SCC is the start of an infinite fair path)
3. Finally, label a state s with Q if there is a path from s to some state in a fair SCC
4. The algorithm takes O(n x m x p) where n = max(card(S), card(R)), m = length(f), p = card(F)
Example: Microwave Oven (from the Internet)
CTL formula: once we start the oven, eventually it must turn on the heating coil: AG(start -> AF heat)
Sub-formulae: heat, AF heat, start, (start -> AF heat), AG(start -> AF heat)
States: s1, s2, s3, s4, s5, s6, s7 (state graph not reproduced)
By applying the labeling algorithm we see that (start -> AF heat) is true in {s4, s7, s6, s3, s1}, but AG(start -> AF heat) is not true in the other states. States s2 and s5 represent a kind of unrealistic behavior (repeating Start -> Close).
So put a constraint on the model checking, i.e. the fairness constraint {start, close, error}: when the oven is started and closed, it does not go to the error condition.
Restrict the graph: remove s2, s5. Find the SCCs. Now AG(start -> AF heat) is true in {s1, s3, s4, s6, s7}.
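The SCC-based fair-path computation of Part 3, as an added Python example (not code from the slides or the paper). The six-state oven-like model, its propositions and the fairness constraint "start pressed with the door closed and no error, infinitely often" are constructed here and are assumptions of this example; E_F G is computed by restricting the graph to the f-states, keeping the nontrivial SCCs that meet every constraint set, and working backwards, with Q as the special case f = true.

```python
# Added example (not from the slides or the paper): EMC's fair-path computation
# via strongly connected components, on a constructed microwave-oven-like model.
OVEN = {  # state -> (propositions true here, successor states); R is total
    "s1": (set(),                      ["s2", "s3"]),  # idle, door open
    "s2": ({"start", "error"},         ["s2", "s1"]),  # started with door open
    "s3": ({"close"},                  ["s4", "s1"]),  # door closed, idle
    "s4": ({"start", "close"},         ["s5"]),        # started, door closed
    "s5": ({"start", "close", "heat"}, ["s6"]),        # heating
    "s6": ({"close", "heat"},          ["s1"]),        # done, door opened
}
def sccs(nodes, succ):
    """Tarjan's algorithm over the sub-graph induced by `nodes`."""
    index, low, stack, comps = {}, {}, [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in succ(v):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            i = stack.index(v)
            comps.append(frozenset(stack[i:]))
            del stack[i:]
    for v in nodes:
        if v not in index:
            visit(v)
    return comps

def eg_fair(good, fairness):
    """E_F G f for f's state set `good`: some path stays inside `good` and reaches a
    nontrivial SCC of `good` meeting every set in `fairness`; fairness=[] gives plain EG."""
    succ = lambda s: [x for x in OVEN[s][1] if x in good]
    fair = set()
    for comp in sccs(good, succ):
        nontrivial = len(comp) > 1 or any(v in succ(v) for v in comp)
        if nontrivial and all(comp & g for g in fairness):
            fair |= comp
    reach = set(fair)                     # backward reachability inside `good`
    while True:
        new = {s for s in good - reach if any(x in reach for x in succ(s))}
        if not new:
            return reach
        reach |= new

FAIR = [{s for s, (p, _) in OVEN.items() if {"start", "close"} <= p and "error" not in p}]
NO_HEAT = {s for s, (p, _) in OVEN.items() if "heat" not in p}
Q = eg_fair(set(OVEN), FAIR)              # states from which some fair path starts
```

Without the constraint, EG ¬heat holds in s1, s2, s3 (the door-open error loop), so AF heat fails there; under the constraint E_F G ¬heat is empty, so A_F F heat holds in every state and AG(start -> AF heat) is satisfied.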
EMC algorithm
Can EMC handle the three types of fairness properties: impartiality, justice, fairness?
Impartiality: every process should be executed infinitely often
1. Take a concurrent system Pr. Let M = (S, R, P) with labeling function L: R -> Pr (each transition is labeled with the process that executes it)
2. By duplicating each state in S card(Pr) times, design a new concurrent model (S*, R*, P*, F) where each state in S* is reached by at most one process
3. F is a partition of S*: F = {sets of states, each set containing the states reached by one process}
4. card(F) = card(Pr). The fair paths of this model are the impartial execution sequences
Justice: a model is just if every process is either infinitely often disabled or infinitely often executed
Fairness: a computation is fair iff, for each process, if the process is infinitely often enabled then it is infinitely often executed
Part 4: Using EMC to verify the Alternating Bit Protocol
1. The Alternating Bit Protocol (ABP) is a protocol for correctly transmitting data over faulty channels that may lose or duplicate data
2. ABP uses two faulty channels between a sender and a receiver
3. In case of an unsuccessful transmission the attempt is repeated
4. To achieve its goal, ABP keeps track of these repeated sends using a control bit which is toggled
5. The sender appends its control bit to the data to be sent and keeps sending until it receives this control bit back via the acknowledgement channel
Using EMC to verify ABP
1. Use the CSP (Communicating Sequential Processes) programming language (only boolean data types are permitted)
2. The sender and receiver processes of the ABP are in the form of a global state graph
3. The graph for ABP has 251 states
4. EMC can be used to verify the graph
Using EMC to verify ABP
1. Sending a message (SndMsg) strictly alternates with receiving a message (RcvMsg)
2. Smsg: the bit that was sent; Rmsg: the bit that was received. If a 0-message (1-message) is sent, then a 0-message (1-message) is received
3. Fairness constraint: SndMsg, RcvMsg
Part 5: Extended Logic
The computation tree logic CTL* (pronounced "CTL star") combines both branching-time and linear-time operators
Path formulas
1. If f is a path formula, the notation (M, S |= f) means that f holds true for path S in Kripke structure M, where S = s0, s1, s2, ...
2. If f and g are path formulas, then ¬f, f ∨ g, Xf, Ff, Gf, and f U g are path formulas
State formulas
1. If p is an atomic proposition, then p is a state formula
2. If f is a state formula, the notation (M, s |= f) means that f holds at state s in the Kripke structure M
3. If f and g are state formulas, then ¬f and f ∨ g are state formulas
4. If f is a path formula, then E(f) and A(f) are state formulas
5. If f is a state formula, then f is also a path formula (a state formula f is true for a path S = s0, s1, s2, ... if f is true in the initial state s0 of S)
Extended Logic cont.
We can write:
A(f) ≡ ¬E(¬f)
Gf ≡ ¬F¬f
Ff ≡ true U f
So, given any CTL* formula, we can rewrite it without using the operators A, F, or G
Summary
1. Syntax and semantics of Computation Tree Logic (CTL), illustrated with a mutual exclusion example
2. The basic model checking algorithm, illustrated with an example
3. Extension of this model checking algorithm which considers only fair computations, i.e. Extended Model Checking
4. Correctness of the 'Alternating Bit Protocol' model through EMC