1 / 54

Model Checking I I

Model Checking I I. How CTL model checking works. CTL. A E X F G U Model checking problem Determine M, s0 f Or find all s s.t. M, s f. Need only the boolean connectives (  ,  ) and

bess
Télécharger la présentation

Model Checking I I

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking II How CTL model checking works

  2. CTL A E X F G U Model checking problem Determine M, s0 f Or find alls s.t. M, s f

  3. Need only the boolean connectives ( ,  ) and E X F G U define others e.g. AG p   EF p A(p U q)   E( q U  p &  q) &  EG( q) (Could skip EF and define in terms of EU, but hopefully seeing how EF is done aids understanding)

  4. Explicit state model checking Option 1 CES (original paper) Represent state transition graph explicitly Walk around marking states Graph algorithms involving strongly connected components etc. Not covered in this course (cf. SPIN) Used particularly in software model checking

  5. Symbolic MC Option 2 McMillan et al because of STATE EXPLOSION problem State graph exponential in program/circuit size Graph algorithms linear in state graph size INSTEAD Use symbolic representation of both sets of states and of state transtion graph

  6. Symbolic MC Sets of states formulas relations between states (BDDs) Fixed point characerisations of CTL ops NO explicit state graph

  7. A state Vector of boolean variables (v1,v2,v3, …., vn)  {0,1}n

  8. Boolean formulas (x  y)  z ( is exclusive or) (1  0)  0 = 1 assignment [x=1,y=0,z=0] gives answer 1 is a model or satisfying assignment Write as 100 Exercise: Find another model

  9. Boolean formulas (x  y)  z (1  1)  0 = 0 assignment [x=1,y=1,z=0] is not a model

  10. Formula is a tautology if ALL assignments are models and is contradictory if NONE is.

  11. Boolean formulas For us, interesting formulas are somewhere in between: some assignments are models, some not IDEA: A formula can represent a set of states (its models)

  12. {} false {111} x  y  z {101} x  y  z {111,101} x  z . . {000,001, … , 111} true

  13. Example (x  y)  z represents {100,010,001,111} for states of the form xyz Exercise: Find formulas (with var. names x,y,z) for the sets {} {100} {110,100,010,000}

  14. What is needed now? A good data structure for boolean formulas Binary Decision Diagrams (BDDs) Lee (Bell Systems Tech. Journal 59) Akers (IEEE Trans. Comp 78) Bryant (IEEE Trans. Comp. 86, most cited CS paper!) see also Bryant’s document about a Hitachi patent from 93 McMillan saw application to symbolic MC

  15. Binary Decision Diagrams Canonical form (constant time comparison) Polynomial algorithms for ’and’, ’or’, ’not’ etc. Exponential but practically efficient algorithm for boolean quantification (even of sets of variables) Read Hu’s excellent tutorial paper (See Course Literature) (Presentation based on lecture notes by Ken McMillan)

  16. Ordered Decision Tree ab + cd (ab)  (cd) a 0 1 b b 0 1 0 1 c c c c 0 1 0 1 0 1 0 1 d d d d d d d d 0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1

  17. To get OBDD Combine isomorphic subtrees Eliminate redundant nodes (those with identical children) Tree becomes a graph

  18. (O)BDD ab + cd (ab)  (cd) a 1 0 b 0 c 1 d 0 0 1 0 1

  19. Make BDD for (x  y)  z

  20. Combinational equivalence checking For two circuits with single boolean outputs, make BDDs for each circuit and see if they are the same Of course the BDDs are built up by application of BDD construction functions and, or, not etc. NOT by making decision tree and then reducing

  21. BDDs + Many formulas (and circuits) have small representations -Some do not! Multipliers - BDD representation of a function can vary exponentially in size depending on variable ordering; users may need to play with variable orderings (less automatic) + Good algorithms and packages (e.g. CUDD) + EXTREMELY useful in practice - Size limitations a big problem

  22. Represent a set of states Just make the BDD for a corresponding formula!

  23. Represent a transition relation R Remember that R is just a set of pairs of states Use two sets of variables, v and v’ (with the primed variables representing next states) Make a formula involving both v and v’ and from that a BDD bdd(R,(v,v’))

  24. What set of states can we reach from set P in one step? R R R R P Image(P,R) {t  s s  P  s R t}

  25. Forward Image R R R R P Image(P,R) {t  s s  P  s R t} bdd(Image(P,R),v’) =  v bdd(P,v)  bdd(R,(v,v’))

  26. Backward image R R R R Q {s  t t  Q  s R t} bdd(Image-1(Q,R),v) = v’ bdd(Q,v’)  bdd(R,(v,v’)) 

  27. So far BDDs for • sets of states • transition relation • calculating forward or backward image of a set Need one last idea: iteration to a fixed point based on recursive description of CTL ops

  28. Symbolic MC of CTL Compute set of states satisfying a formula recursively (and use BDDs as rep.) consider  ,  , EX, EF, EG, EU define others

  29. CTL formula f H(f) set of states satisfying f a (atomic) L(a) (cf.Lars) p S – H(p) p  qH(p)  H(q) EX p familiar ?

  30. CTL formula f H(f) set of states satisfying f EX p Image-1(H(p),R)

  31. CTL formula f bdd for set of states satisfying f EX p v’bdd(p,v’)  bdd(R,(v,v’))

  32. Remaining operators Recursive characterisation EF p p  EX (EF p)

  33. CTL EF p p  EX (EF p) Start with the empty set of states, , as a first guess, and improve it by applying p  EX (.) to it

  34. Fixed point iteration (formulas) S0 = false S1 = pEX (false)=p S2 = pEX (p) S3 = pEX (pEX (p)) and so on Will eventually terminate. Why?

  35. Now think sets S0 = Ø = empty set of states S1 = H(p)Image-1(Ø,R) =H(p) S2 = H(p)Image-1(H(p),R) Si+1 = H(p)  Image-1(Si,R) Will eventually terminate. Why?

  36. Fixed point iteration P

  37. Fixed point iteration p  EX p P

  38. Fixed point iteration p  EX (p  EX p) P

  39. Fixed point iteration Evetually stops! P . . . .

  40. LEAST fixed point Started with a small set (empty, indeed) and made it larger. All ok because F(B) = H(p)  Image-1(B,R) is monotonic (i.e. if B  B’ then F(B)  F(B’)) Write least y s.t. y = F(y) as y.F(y)

  41. EG EG p p  EX (EG p) This time need to work downwards

  42. Fixed point iteration (formulas) S0 = true S1 = pEX (true) S2 = pEX (pEX (true)) and so on Will eventually terminate. Why?

  43. Now think sets S0 = S = the entire set of states S1 = H(p) Image-1(S,R) S2 = H(p) Image-1(H(p) Image-1(S,R) ,R) Si+1 = H(p) Image-1(Si,R) Will eventually terminate.

  44. Greatest fixed point EG p p  EX (EG p) H(EG p) = y. H(p) Image-1(y,R)

  45. EG EG p  p  EX (EG p) H(EG p) = y. H(p) Image-1(y,R) NB: We can do all of these operations using BDDs to represent the sets

  46. Fixed point interationin the other direction P

  47. Fixed point interationin the other direction p EX p P

  48. Fixed point interationin the other direction p EX (p  EX p) P

  49. Fixed point interationin the other direction p EX (p  EX p) …. p

  50. EU E (p U q) q  (p  EX (E (p U q)) H(E (p U q)) = y. H(q)  (H(p) Image-1(y,R)) This is a generalisation of the EF case. Remember that E (True U q) = EF q Exercise: define H (A(p U q)). See earlier slide

More Related