
CSE 522 Model-based Development (2)

CSE 522 Model-based Development (2). Computer Science & Engineering Department, Arizona State University, Tempe, AZ 85287. Dr. Yann-Hang Lee, yhlee@asu.edu, (480) 727-7507. Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU). Temporal Logic.





Presentation Transcript


  1. CSE 522 Model-based Development (2)
     Computer Science & Engineering Department, Arizona State University, Tempe, AZ 85287
     Dr. Yann-Hang Lee, yhlee@asu.edu, (480) 727-7507
     Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU)

  2. Temporal Logic
     Temporal logic is used to describe any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time.
     An extension of a classical propositional or predicate logic by temporal quantifiers:
     • "I am always hungry"
     • "I will eventually be hungry"
     • "I will be hungry until I eat something"
     A single type of model is considered: a transition system (finite state machine).
     To express and verify properties of system dynamics:
     • Safety (invariance): Nothing bad will happen
     • Liveness: Something good will happen

  3. Invariants
     The simplest form of a temporal logic property.
     Definition: A property that is true on the system at all times (always).
     Examples:
     • "The program never dereferences a null pointer"
     • "If a thread A blocks while trying to acquire a mutex lock, then the thread B that holds that lock must not be blocked attempting to acquire a lock held by A."
     • "Whenever the reset signal is asserted the state machine shall move immediately to the ErrorReset state and remain there until the reset signal is de-asserted."

  4. Pedestrian Light with Car Light
     System invariant: There is no pedestrian crossing when the traffic light (for the cars) is green.

  5. Pedestrian Light with Car Light
     Combine the states of the car light and the pedestrian light.
     Is there a way to enter the unsafe states? (Reachability of the unsafe states.)

  6. FSM Behavior
     Each port p, for each reaction, will take a value from Vp ∪ {absent}, generating a sequence (or function) sp : N → Vp ∪ {absent}.
     Behavior: the assignment of signals to each input port such that an output sequence can be produced
     • Observable trace ((xi, yi))i∈N
     • Execution trace ((xi, si, yi))i∈N
     The set of all behaviors of an FSM M is called the language of M and it is denoted by L(M).

  7. Garage Counter: Behavior
     Behavior:
       sup = (present, absent, present, absent, present, …)
       sdown = (present, absent, absent, present, absent, …)
       scount = (absent, absent, 1, 0, 1, …)
     Execution trace: τ = ((pres, pres), 0, abs) ((abs, abs), 0, abs) ((pres, abs), 1, 1) ...

  8. Propositional logic
     Concerned with relationships between propositions.
     A proposition is a sentence whose truth depends on the current context.
     In Boolean logic, a proposition can be either true or false (not both).
     Atomic propositions: Statements about an input, output, or state of a state machine.
     Examples:

  9. Propositions & Connectives
     A compound proposition is formed using propositions and connectives:
     • ¬ : not or negation
     • ∧ : and or conjunction
     • ∨ : or or disjunction (one or the other or both)
     • → : implies or implication
     • ↔ : if and only if or biconditional
     Example: y is present and the FSM is in state a.
     • Propositions: p1 := "y is present" := y; p2 := "the FSM is in state a" := a
     • Symbolic representation: p1 ∧ p2 (read as "p1 and p2")

  10. Propositions & Connectives
     Example: If the FSM is in state a, then y is present.
     • Propositions: p1 := "y is present" := y; p2 := "the FSM is in state a" := a
     • Symbolic representation: p2 → p1 (read as "if p2, then p1" or "p2 implies p1")
     Example: y is present and the FSM is in state a.
     • Symbolic representation: p1 ∧ p2 (read as "p1 and p2")

  11. Equivalences through truth tables
     Two compound propositions are logically equivalent if they have the same truth values for all the choices of truth values of the variables p, q, etc.
     We denote logical equivalence using the symbol ≡, e.g. p1 → p2 ≡ ¬(p1 ∧ ¬p2).

  12. Propositional Logic on Traces
     A propositional formula p holds for a trace q0, q1, q2, ... if and only if p is true for q0.
     A trace q satisfies (does not satisfy) a formula φ starting at time i: we write (q, i) ⊨ φ ((q, i) ⊭ φ).
     An FSM M satisfies (does not satisfy) φ: we write M ⊨ φ (M ⊭ φ); M ⊨ φ iff for all q in LE(M) we have (q, 0) ⊨ φ, where LE(M) contains all the execution traces of M.

  13. Examples (the state machines M1 and M2 are given in the slide figure)
     Mi ⊨ b?  Mi ⊨ x ∧ y?  Mi ⊨ y?

  14. Kripke Model
     A Kripke model ⟨S, I, R, AP, L⟩ consists of
     • a set of states S;
     • a set of initial states I ⊆ S;
     • a set of transitions R ⊆ S × S;
     • a set of atomic propositions AP;
     • a labeling function L : S → 2^AP.
     A path in a Kripke model M from a state s0 is an infinite sequence of states π = s0, s1, s2, ... such that (si, si+1) ∈ R for all i ≥ 0.

  15. FSM to Kripke
     K = ⟨S × I, S0 × I, R, L⟩, where for any s ∈ S and i ∈ I:
     • (⟨s, i⟩, ⟨s', i'⟩) ∈ R iff δ(s, i) = s'
     • L(⟨s, i⟩) = i ∪ s ∪ λ(s, i)

  16. Linear Temporal Logic (LTL)
     LTL formulas: statements about an execution trace q0, q1, q2, q3, ...; in the formula grammar, p is a propositional logic formula and φ is either a propositional logic or an LTL formula.
     Suffix: a suffix of a string x is a string z such that there exists a string y such that x = yz.

  17. Linear Temporal Logics: Semantic Intuition
     • a – a now
     • G a – always a
     • F a – eventually a
     • X a – next state a
     • a U b – a until b
     • a B b – a before b

  18. Propositional Linear Temporal Logic
     LTL operators can apply to LTL formulas as well as to propositional logic formulas.
     E.g. "Every input x is eventually followed by an output y": G (x → F y), i.e. globally (at any point in time), if x occurs it is eventually followed by y.

  19. Examples (the state machines M1 and M2 are given in the slide figure)
     M2 ⊨ G(x ∧ y)?  M2 ⊨ G(x → y)?  M1 ⊨ F b?  M2 ⊨ (G x) → (F b)?  M2 ⊨ G(x → F b)?
     M1 ⊨ x → X a?  M1 ⊨ G(x → X a)?  M2 ⊨ G(b → X a)?  M2 ⊨ a U x?  M2 ⊨ G(x) → (a U x)?

  20. Examples: What do they mean?
     • G F p – p holds infinitely often
     • F G p – eventually, p holds henceforth
     • G(p → F q) – every p is eventually followed by a q
     • G(p → X X q) – every p is followed by a q two reactions later
     • G φ = ¬F ¬φ
     • F φ = true U φ
     Remember: G p – p holds in all states; F p – p holds eventually; X p – p holds in the next state.
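The operators of the last few slides applied to a concrete trace. The following Python is an added example, not code from the lecture: it evaluates LTL formulas over lasso-shaped traces (a finite prefix followed by a cycle that repeats forever, which is how the infinite execution traces of a finite-state machine are represented), using its own nested-tuple formula syntax and a constructed trace. The names Lasso, holds, satisfies and evaluate_all are this example's own.

```python
# LTL over lasso-shaped traces: a finite prefix followed by a cycle repeated forever.
# Added example, not lecture code; the nested-tuple formula syntax is this
# example's own convention.

class Lasso:
    """Trace q0, q1, ...: `prefix` then `cycle` repeated forever. Each position
    is the set of atomic propositions that are true there."""

    def __init__(self, prefix, cycle):
        assert cycle, "the cycle must be non-empty for the trace to be infinite"
        self.prefix = [frozenset(p) for p in prefix]
        self.cycle = [frozenset(p) for p in cycle]

    def at(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.cycle[(i - len(self.prefix)) % len(self.cycle)]

    def horizon(self, i):
        # Past the prefix, the suffixes starting at j and at j + len(cycle) are the
        # same infinite sequence, so positions [i, horizon) cover every distinct
        # suffix from i onwards; F, G and U need only be checked there.
        return max(i, len(self.prefix)) + len(self.cycle)


def holds(trace, i, phi):
    """(trace, i) |= phi.  Formulas are nested tuples:
    ('true',) | ('p', name) | ('not', f) | ('and', f, g) | ('or', f, g) |
    ('implies', f, g) | ('X', f) | ('F', f) | ('G', f) | ('U', f, g)."""
    op = phi[0]
    if op == 'true':
        return True
    if op == 'p':                       # atomic proposition: look at q_i only
        return phi[1] in trace.at(i)
    if op == 'not':
        return not holds(trace, i, phi[1])
    if op == 'and':
        return holds(trace, i, phi[1]) and holds(trace, i, phi[2])
    if op == 'or':
        return holds(trace, i, phi[1]) or holds(trace, i, phi[2])
    if op == 'implies':
        return (not holds(trace, i, phi[1])) or holds(trace, i, phi[2])
    if op == 'X':                       # next state
        return holds(trace, i + 1, phi[1])
    if op == 'F':                       # some suffix from i satisfies f
        return any(holds(trace, j, phi[1]) for j in range(i, trace.horizon(i)))
    if op == 'G':                       # every suffix from i satisfies f
        return all(holds(trace, j, phi[1]) for j in range(i, trace.horizon(i)))
    if op == 'U':                       # f holds until a position where g holds
        for j in range(i, trace.horizon(i)):
            if holds(trace, j, phi[2]):
                return True
            if not holds(trace, j, phi[1]):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def satisfies(trace, phi):
    """trace |= phi, i.e. (trace, 0) |= phi."""
    return holds(trace, 0, phi)


# The formulas of the "What do they mean?" slide, over propositions p and q.
P, Q = ('p', 'p'), ('p', 'q')
FORMULAS = {
    'G F p': ('G', ('F', P)),
    'F G p': ('F', ('G', P)),
    'G(p -> F q)': ('G', ('implies', P, ('F', Q))),
    'G(p -> X X q)': ('G', ('implies', P, ('X', ('X', Q)))),
    'p U q': ('U', P, Q),
}


def evaluate_all(trace, formulas=FORMULAS):
    """Evaluate each named formula on `trace`; returns {name: bool}."""
    return {name: satisfies(trace, f) for name, f in formulas.items()}


if __name__ == "__main__":
    # constructed trace: {p}, then {q}, {} repeated forever
    t = Lasso(prefix=[{'p'}], cycle=[{'q'}, set()])
    for name, value in evaluate_all(t).items():
        print(f"{name:16s} {value}")
```

On the constructed trace {p}, {q}, {}, {q}, {}, ... only G(p → F q) and p U q hold: p occurs once, so G F p and F G p fail, and two reactions after the p the trace is empty, so G(p → X X q) fails as well. The two equivalences on the slide can be checked the same way, by evaluating G φ against ¬F ¬φ and F φ against true U φ on any trace.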

  21. Model Checking in LTL
     Safety: Only one process is in its critical section at a time -- "No two processes can be in the critical section at the same time."
     • always not (CS1 and CS2): mutual exclusion
     Liveness: Whenever any process requests to enter its critical section it will eventually be permitted to do so -- "Every request is eventually granted."
     • always (Request implies eventually Grant)
     "Every continuous request is eventually granted."
     • always (Request implies (Request until Grant))
     "Every repeated request is eventually granted."
     • always (always eventually Request) implies eventually Grant

  22. Examples: Write in Temporal Logic
     • "Whenever the iRobot is at the ramp-edge (cliff), eventually it moves 5 cm away from the cliff."
       p1 – iRobot is at the cliff
       p2 – iRobot is 5 cm away from the cliff
     • "Whenever the distance between cars is less than 2 m, cruise control is deactivated"
       p1 – distance between cars is less than 2 m
       p2 – cruise control is active

  23. Why the linear in LTL?
     (Figure: a machine M with states s0, s1, s2 and transitions labelled a/b, true/b and a/c, unrolled into its computation paths.) Does M ⊨ G b?
     Properties are expressed over a single computation path or run:
     • the satisfiability is checked on the run with no possibility of switching to another run during the checking.

  24. Example: Mutual Exclusion (1)
     Each process can be in its non-critical state (N), or trying to enter its critical state (T), or in its critical state (C). The variable turn records the first process that went into its trying state.
     Reachable states shown in the figure: (N1, N2, turn=0), (T1, N2, turn=1), (N1, T2, turn=2), (C1, N2, turn=1), (T1, T2, turn=1), (T1, T2, turn=2), (N1, C2, turn=2), (C1, T2, turn=1), (T1, C2, turn=2).

  25. Example: Mutual Exclusion (2)
     Safety: M ⊨ G ¬(C1 ∧ C2)? Is there a reachable state in which (C1 ∧ C2) holds?
     Liveness: M ⊨ F C1? Is there an infinite cyclic solution in which C1 never holds?
     Liveness: M ⊨ G(T1 → F C1)? or M ⊨ G F T1 → G F C1? Does every path starting from each state where T1 holds pass through a state where C1 holds?

  26. Automata-based Model Checking
     The behaviors (computations) of a system can be seen as sequences of assignments to propositions over all traces (the figure shows them as sequences of bit vectors such as 00, 01, 11).
     Represent the set of computations by a finite automaton.
     Build an automaton for the set of all acceptable computations.
     Check if the language of the system automaton is contained in the language accepted by the property automaton.

  27. Automata-Based LTL Model Checking (2)
     Let M be a Kripke model and φ be an LTL formula.
       M ⊨ φ (LTL)
       iff L(M) ⊆ L(φ)
       iff L(M) ∩ L(¬φ) = {}
       iff L(A_M) ∩ L(A_¬φ) = {}
       iff L(A_M × A_¬φ) = {}
     • A_M is a Büchi automaton equivalent to M (which represents all and only the executions of M)
     • A_¬φ is a Büchi automaton which represents all and only the paths that satisfy ¬φ (do not satisfy φ)
     • A_M × A_¬φ represents all and only the paths appearing in M and not in φ.

  28. Automata-Based LTL Model Checking (1)
     (Christel Baier and Joost-Pieter Katoen, "Principles of Model Checking")

  29. Büchi Automata
     • Automaton which accepts infinite traces
     • A Büchi automaton is a 4-tuple ⟨S, I, Δ, F⟩
       • S is a finite set of states
       • I ⊆ S is a set of initial states
       • Δ ⊆ S × S is a transition relation
       • F ⊆ S is a set of accepting states
     • An infinite sequence of states is accepted iff it contains accepting states infinitely often
     Example (automaton with states S0, S1, S2 in the figure):
       π1 = S0 S1 S2 S2 S2 S2 …  ACCEPTED
       π2 = S0 S1 S2 S1 S2 S1 …  ACCEPTED
       π3 = S0 S1 S2 S1 S1 S1 …  REJECTED

  30. Büchi Automata
     (Figure: a Kripke structure and a Büchi automaton with states Sinit, S0, S1, S2, labelled with p, a, b, c, and F = {S0, S1, S2}.)
     The labels of a Büchi automaton are different from the labels of a Kripke structure. Also graphically, they are interpreted differently:
     • in a Kripke structure, p is true and all other propositions are false;
     • in a Büchi automaton, p is true and all other propositions are irrelevant ("don't care"), i.e. can be either true or false.

  31. LTL and Büchi Automata
     • LTL formula: represents a set of infinite traces which satisfy such formula
     • Büchi automaton: accepts a set of infinite traces
     • We can build an automaton which accepts all and only the infinite traces represented by an LTL formula
     (Figure: the automata for p U q, F p, G p and G F p, with edges labelled p, q and T (true).)

  32. Product of Transition Systems: Example
     (Figure: a transition system with states s0, s1 and one with states t0, t1, t2, both over actions a and b, and their product with states s0t0, s1t0, s0t1, s1t1, s0t2, s1t2.)

  33. Explicit-State Model Checking
     Model checking exhaustively enumerates the states of the system
     • State space can be viewed as a graph
     • Explicitly enumerates each state and traverses each edge of the graph
     Example: explicit-state techniques in SPIN. Nested DFS to detect reachable accepting cycles:
     • The first search is used to search for reachable accepting states
     • The second one (nested) tries to detect accepting cycles.
     Consider the simplest property G p
     • p is a system invariant to be satisfied by all states
     • DFS graph traversal, maintaining 2 data structures: the set of visited states and a stack with the current path from the initial state
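The mutual-exclusion questions of slides 24 and 25 and the automata-based method of slides 27 to 33, worked through in Python. This is an added example, not lecture code: the transition rules for the N/T/C locations and the turn variable are my reconstruction of the pictured state graph (they reproduce its nine reachable states), and the two Büchi automata for the negated properties are hand-built rather than generated from the formulas. The invariant check is the plain DFS of slide 33; the liveness checks form the product A_M × A_¬φ and run the nested DFS.

```python
# Explicit-state LTL model checking of the two-process mutual exclusion model.
# Added example, not lecture code: the N/T/C/turn transition rules reconstruct
# the pictured state graph and both Büchi automata are hand-built.

N, T, C = 'N', 'T', 'C'
INIT = (N, N, 0)            # (location of P1, location of P2, turn)


def successors(s):
    """Next states of (loc1, loc2, turn) under the assumed protocol: a process in N
    may request (N -> T) and takes `turn` if nobody holds it; it enters (T -> C)
    only when `turn` is its id; on leaving (C -> N) it hands `turn` to the other
    process if that one is trying, otherwise clears it."""
    locs, turn = [s[0], s[1]], s[2]
    for me in (0, 1):
        other, pid = 1 - me, me + 1
        new = list(locs)
        if locs[me] == N:
            new[me] = T
            yield (new[0], new[1], turn or pid)
        elif locs[me] == T and turn == pid:
            new[me] = C
            yield (new[0], new[1], turn)
        elif locs[me] == C:
            new[me] = N
            yield (new[0], new[1], other + 1 if locs[other] == T else 0)


# atomic propositions as predicates on states
def C1(s): return s[0] == C
def C2(s): return s[1] == C
def T1(s): return s[0] == T


def check_invariant(inv, init=INIT):
    """G inv by DFS with a visited set and the current path kept on the stack.
    Returns the path to a violating state, or None if the invariant holds."""
    visited, path = set(), []

    def dfs(s):
        path.append(s)
        if not inv(s):
            return True
        visited.add(s)
        for t in successors(s):
            if t not in visited and dfs(t):
                return True
        path.pop()
        return False

    return list(path) if dfs(init) else None


class Buchi:
    """Büchi automaton reading state labels; edges are (q, guard(state), q')."""
    def __init__(self, init, edges, accepting):
        self.init, self.edges, self.accepting = init, edges, frozenset(accepting)

    def step(self, q, s):
        return [q2 for q1, guard, q2 in self.edges if q1 == q and guard(s)]


# A(not F C1) = A(G not C1): one accepting state that only reads not-C1 states.
NOT_F_C1 = Buchi(0, [(0, lambda s: not C1(s), 0)], {0})
# A(not G(T1 -> F C1)) = A(F(T1 and G not C1)): idle in state 0, jump to the
# accepting state 1 at some T1 state, then stay there only while C1 never holds.
NOT_RESPONSE = Buchi(0, [(0, lambda s: True,  0),
                         (0, lambda s: T1(s) and not C1(s), 1),
                         (1, lambda s: not C1(s), 1)], {1})


def product_succ(aut, st):
    """Successors in A_M x A_notphi: the system moves, the automaton reads the new state."""
    s, q = st
    for t in successors(s):
        for q2 in aut.step(q, t):
            yield (t, q2)


def find_accepting_cycle(aut, init=INIT):
    """Nested DFS: the outer search enumerates reachable product states and, when it
    finishes an accepting one (post-order), the inner search looks for a path back
    to it. The inner visited set is shared across inner searches, which keeps the
    check linear. Returns (stem, cycle) of system states, or None."""
    outer_seen, inner_seen, path = set(), set(), []

    def inner(st, seed):
        for nxt in product_succ(aut, st):
            if nxt == seed:
                return []
            if nxt not in inner_seen:
                inner_seen.add(nxt)
                tail = inner(nxt, seed)
                if tail is not None: return [nxt] + tail
        return None

    def outer(st):
        path.append(st); outer_seen.add(st)
        for nxt in product_succ(aut, st):
            if nxt not in outer_seen:
                found = outer(nxt)
                if found: return found
        if st[1] in aut.accepting:
            tail = inner(st, st)
            if tail is not None:
                return ([s for s, _ in path[:-1]], [st[0]] + [s for s, _ in tail])
        path.pop()
        return None

    for q in aut.step(aut.init, init):      # the automaton reads the initial state too
        found = outer((init, q))
        if found: return found
    return None
```

check_invariant(lambda s: not (C1(s) and C2(s))) returns None, so mutual exclusion holds on all nine reachable states. find_accepting_cycle(NOT_F_C1) returns a stem and a cycle through (N1, C2, turn=2), (N1, N2, turn=0), (N1, T2, turn=2): the counterexample in which process 1 simply never requests, so M ⊭ F C1. find_accepting_cycle(NOT_RESPONSE) returns None: once T1 holds, every path reaches a C1 state, so M ⊨ G(T1 → F C1).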

  34. Computational Temporal Logic
     In LTL, time is treated as if each moment in time has a unique possible future.
     • LTL formulas are interpreted over linear sequences which are used to describe a behavior of a single computation of a program.
     In branching temporal logics, each moment in time may split into various possible futures
     • infinite computation trees, each describing the behavior of the possible computations of a nondeterministic program.
     • When reaching an individual state, the choice of transitions remains undecided.
     • Two path quantifiers: E ("there exists a computation") and A ("for all computations").
     • Decide whether φ holds in the computation tree of M.

  35. Path Quantifiers in CTL
     (Figure: the temporal operators finally p, globally p, next p and p until q under each quantifier.)
     In All Paths (A): the temporal formula is true in all the paths starting in the current state.
     There Exists a Path (E): the temporal formula is true in some path starting in the current state.

  36. LTL vs. CTL
     (Ph. Schnoebelen: The Complexity of Temporal Logic Model Checking. Advances in Modal Logic 2002: 393-436)
     AP = {a, b, c, d, e} is the set of atomic propositions. Sexm: Q = {q1, q2, q3, q4} and I = {q1, q2}; L(q1) = {a}, L(q2) = ∅, L(q3) = {b, e}, and L(q4) = {c}.

  37. BDD and Symbolic Model Checking
     Binary Decision Diagram (BDD): a DAG to represent a Boolean formula.
     An example: f = ab + a'c + bc'd (the figure shows its BDD under two different variable orderings: different diagrams, same function).
     ROBDD – reduced and ordered.
     Can we process them?

  38. Operations of BDD
     Negation: switch the 0 and 1 terminals.
     If-then-else operator: ite(f, g, h) (if f then g else h)
     • f AND g = ite(f, g, 0)
     • f OR g = ite(f, 1, g)
     Compute ite recursively: v is the top-most variable among the three BDDs f, g, h.
     Existential quantification (EXISTS and ANDEXIST)

  39. Example of ite
     I = ite(F, G, H)
       = (a, ite(Fa, Ga, Ha), ite(F¬a, G¬a, H¬a))
       = (a, ite(1, C, H), ite(B, 0, H))
       = (a, C, (b, ite(Bb, 0b, Hb), ite(B¬b, 0¬b, H¬b)))
       = (a, C, (b, ite(1, 0, 1), ite(0, 0, D)))
       = (a, C, (b, 0, D))
       = (a, C, J)
     Check: F = a + b, G = ac, H = b + d
       ite(F, G, H) = (a + b)(ac) + ¬a¬b(b + d) = ac + ¬a¬bd
     (Figure: the BDDs F, G, H, I, J, B, C, D over the variables a, b, c, d; F, G, H, I, J, B, C, D are pointers to BDD nodes.)

  40. Symbolic Model Checking
     State representation:
     • A state is encoded as a Boolean formula φ(s), where s ∈ S
     • sets of states as their characteristic function
     • three state variables x1, x2, x3: {000, 001, 010, 011} represented as "first bit false": ¬x1
     Representation of transition relations:
     • A transition is a pair of states (s, s') where s' is the next state: φ(s, s') = φ(s) ∧ φ(s')
     Example: the 2-bit counter with states 00, 01, 11, 10
       φ(01, 10) = φ(¬v1 ∧ v0, v'1 ∧ ¬v'0) = (¬v1 ∧ v0) ∧ (v'1 ∧ ¬v'0)
       φ(R) = (v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1)

  41. Pre-Image and Forward Image
     PreImage(P, R) := {s | for some s' ∈ P, (s, s') ∈ R}
     Image(P, R) := {s' | for some s ∈ P, (s, s') ∈ R}
     Compute EX[P] for the 2-bit counter, where φ(P) = (v0 ↔ v1) (i.e. P = {00, 11}):
       φ(PreImage(P, R)) = ∃v'0 v'1. φ(P)[s'] ∧ φ(R)[s, s']
         = ∃v'0 v'1. (v'0 ↔ v'1) ∧ ((v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1))
         (substitute v'0 v'1 with 00, 01, 10, 11)
         = (v0 ∧ ¬(v0 ⊕ v1)) ∨ (¬v0 ∧ (v0 ⊕ v1))
         = v1   (i.e. the set {01, 11})

  42. Reachability using BDD
     Reachability(v, Gin(s), R(s,s'), F(s))   [s – states; Gin, R(s,s') and F are BDDs]
       G := ∅; G' := Gin;
       do {
         G := G';
         G' := G ∨ (∃s. (G(s) ∧ R(s,s')))[s/s'];   -- F[x/y] means that we substitute x for y in F
       } while (G ≠ G' and G ∧ F = ∅);   -- iterate until the fixpoint, or stop as soon as a target state is reached
       if (G ∧ F = ∅) report "Unreachable", else report "Reachable";
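The BDD material of slides 37 to 42 in working code: a small reduced ordered BDD (ROBDD) package built around the ite operator, which redoes the ite(F, G, H) computation of slide 39 and then runs the pre-image of slide 41 and the reachability fixpoint of slide 42 on the 2-bit counter. This is an added example, not lecture code or a real BDD library; the variable names, the variable order (current-state bits before next-state bits, so that renaming between them preserves the order) and the helper names are my own.

```python
# A small ROBDD package around ite, applied to the ite example and the 2-bit
# counter of the slides. Added example, not lecture code; names and variable
# order are my own choices.

class BDD:
    """Nodes are (var, low, high) tuples interned in a unique table, so equal
    functions are the same object and `==` decides equivalence. Terminals 0/1."""
    ZERO, ONE = 0, 1

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}   # root variables have the lowest rank
        self.unique, self.memo = {}, {}

    def mk(self, var, low, high):
        if low == high:                   # redundant test: drop the node
            return low
        return self.unique.setdefault((var, low, high), (var, low, high))

    def var(self, v):
        return self.mk(v, BDD.ZERO, BDD.ONE)

    def restrict(self, f, v, val):
        """f with variable v fixed to val (the cofactor f_v or f_¬v)."""
        if not isinstance(f, tuple) or self.rank[f[0]] > self.rank[v]:
            return f                      # v does not occur at or below this node
        if f[0] == v:
            return f[2] if val else f[1]
        return self.mk(f[0], self.restrict(f[1], v, val), self.restrict(f[2], v, val))

    def ite(self, f, g, h):
        """if f then g else h, recursing on the top-most variable of f, g, h."""
        if f == BDD.ONE: return g
        if f == BDD.ZERO: return h
        if g == h: return g
        key = (f, g, h)
        if key not in self.memo:
            v = min((x[0] for x in key if isinstance(x, tuple)), key=self.rank.get)
            low = self.ite(*(self.restrict(x, v, 0) for x in key))
            high = self.ite(*(self.restrict(x, v, 1) for x in key))
            self.memo[key] = self.mk(v, low, high)
        return self.memo[key]

    def neg(self, f): return self.ite(f, BDD.ZERO, BDD.ONE)     # swaps the 0 and 1 leaves
    def and_(self, f, g): return self.ite(f, g, BDD.ZERO)
    def or_(self, f, g): return self.ite(f, BDD.ONE, g)
    def xor(self, f, g): return self.ite(f, self.neg(g), g)
    def iff(self, f, g): return self.ite(f, g, self.neg(g))

    def exists(self, f, variables):
        """∃ variables. f, as the OR of the two cofactors, one variable at a time."""
        for v in variables:
            f = self.or_(self.restrict(f, v, 0), self.restrict(f, v, 1))
        return f

    def rename(self, f, mapping):
        """Substitute variables; `mapping` must preserve the variable order."""
        if not isinstance(f, tuple):
            return f
        return self.mk(mapping.get(f[0], f[0]), self.rename(f[1], mapping), self.rename(f[2], mapping))


def ite_slide_example():
    """ite(F, G, H) with F = a + b, G = ac, H = b + d equals ac + a'b'd."""
    m = BDD(['a', 'b', 'c', 'd'])
    a, b, c, d = (m.var(x) for x in 'abcd')
    F, G, H = m.or_(a, b), m.and_(a, c), m.or_(b, d)
    expected = m.or_(m.and_(a, c), m.and_(m.and_(m.neg(a), m.neg(b)), d))
    return m.ite(F, G, H) == expected


def counter_symbolic(target_bits=(1, 1)):
    """Pre-image of P = {00, 11} and reachability from 00 on the 2-bit counter
    00 -> 01 -> 10 -> 11 -> 00 (v0' = not v0, v1' = v0 xor v1). Returns
    (pre-image equals the BDD for v1, target reachable, every state reached)."""
    m = BDD(['v0', 'v1', "v0'", "v1'"])          # current bits before next-state bits
    v0, v1, n0, n1 = (m.var(x) for x in m.rank)
    to_next = {'v0': "v0'", 'v1': "v1'"}
    to_cur = {"v0'": 'v0', "v1'": 'v1'}
    R = m.and_(m.iff(n0, m.neg(v0)), m.iff(n1, m.xor(v0, v1)))
    P = m.iff(v0, v1)
    pre = m.exists(m.and_(m.rename(P, to_next), R), ["v0'", "v1'"])    # EX P
    lit = lambda x, bit: x if bit else m.neg(x)
    target = m.and_(lit(v0, target_bits[0]), lit(v1, target_bits[1]))
    G, Gn = BDD.ZERO, m.and_(m.neg(v0), m.neg(v1))                        # Gin = {00}
    while G != Gn and m.and_(Gn, target) == BDD.ZERO:                     # loop of the slide
        G = Gn
        image = m.rename(m.exists(m.and_(G, R), ['v0', 'v1']), to_cur)    # Image(G, R)
        Gn = m.or_(G, image)
    return pre == v1, m.and_(Gn, target) != BDD.ZERO, Gn == BDD.ONE
```

Because the unique table makes the representation canonical, ite_slide_example() can compare the result of ite(F, G, H) with the BDD built directly from ac + a'b'd by equality, and counter_symbolic() can compare the computed pre-image with the BDD of v1 the same way. With the default target 11 the fixpoint loop runs three times and stops with all four states reached; with target 01 it stops after the first image, before the fixpoint, exactly as the loop condition intends.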

  43. Timed Automata
     A timed automaton is a tuple A = (Q, Σ, C, E, q0) that consists of the following components:
     • Q is a finite set. The elements of Q are called the states of A.
     • Σ is a finite set called the alphabet or actions of A.
     • C is a finite set called the clocks of A.
     • E ⊆ Q × Σ × B(C) × P(C) × Q is a set of edges, called transitions of A, where
       • B(C) is the set of boolean clock constraints involving clocks from C, and
       • P(C) is the powerset of C.
     • q0 is an element of Q, called the initial state.
     An edge (q, a, g, r, q') from E is a transition from state q to q' with action a, guard g and clock resets r.
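The definition above as a data structure, with a checker that replays a timed word (a sequence of delays and actions) against the guards and resets. This is an added example, not lecture code: the request/acknowledge automaton, the encoding of guards from B(C) as interval constraints per clock, and all names are my own.

```python
# A timed automaton A = (Q, Σ, C, E, q0) with a run checker for timed words.
# Added example, not lecture code; the automaton and the guard encoding are mine.

class TimedAutomaton:
    """Edges are (q, a, g, r, q'): guard g is a dict clock -> (low, high) read as
    low <= clock <= high (a conjunction of clock constraints from B(C)), and the
    reset set r is a subset of C (an element of P(C))."""

    def __init__(self, Q, sigma, C, E, q0):
        self.Q, self.sigma, self.C, self.E, self.q0 = Q, sigma, C, E, q0

    @staticmethod
    def satisfied(guard, clocks):
        return all(lo <= clocks[c] <= hi for c, (lo, hi) in guard.items())

    def run(self, timed_word):
        """Replay (delay, action) pairs: all clocks advance by `delay`, then the
        first edge from the current state with that action and a true guard is
        taken and its clocks reset. Returns the visited (state, clocks) pairs,
        or None if some action is not enabled (deadline missed, wrong order)."""
        q, clocks = self.q0, {c: 0.0 for c in self.C}
        trace = [(q, dict(clocks))]
        for delay, action in timed_word:
            clocks = {c: t + delay for c, t in clocks.items()}
            enabled = [e for e in self.E
                       if e[0] == q and e[1] == action and self.satisfied(e[2], clocks)]
            if not enabled:
                return None
            _, _, _, resets, q = enabled[0]
            clocks = {c: (0.0 if c in resets else t) for c, t in clocks.items()}
            trace.append((q, dict(clocks)))
        return trace


# Constructed automaton: a request resets clock x; the acknowledgement must
# arrive while x <= 5, otherwise no edge is enabled and the run gets stuck.
REQ_ACK = TimedAutomaton(
    Q={'idle', 'waiting'}, sigma={'req', 'ack'}, C={'x'},
    E=[('idle', 'req', {}, {'x'}, 'waiting'),
       ('waiting', 'ack', {'x': (0, 5)}, set(), 'idle')],
    q0='idle')


def accepts(automaton, timed_word):
    """True iff the timed word is a run of the automaton (every action enabled)."""
    return automaton.run(timed_word) is not None
```

accepts(REQ_ACK, [(1.0, 'req'), (4.0, 'ack')]) is True, while an acknowledgement arriving 6 time units after the request, or an acknowledgement with no preceding request, leaves no enabled edge and the run is rejected.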
