Скачать презентацию Model Checking I What are LTL and CTL Скачать презентацию Model Checking I What are LTL and CTL

d7cfeb38ff728a78f26d0e8b88de4bcd.ppt

  • Количество слайдов: 53

Model Checking I What are LTL and CTL? Model Checking I What are LTL and CTL?

and or q 0 dreq q 0 bar and dack and or q 0 dreq q 0 bar and dack

View circuit as a transition system (dreq, q 0, dack) (dreq’, q 0’, dack’) View circuit as a transition system (dreq, q 0, dack) (dreq’, q 0’, dack’) q 0’ = dreq and dack’ = dreq & (q 0 + ( q 0 & dack))

dack and or q 0 dreq D and D dack and or q 0 dreq D and D

dreq q 0 dack q 0’ dack’ dreq q 0 dack q 0’ dack’

Idea Transition system + special temporal logic + automatic checking algorithm Idea Transition system + special temporal logic + automatic checking algorithm

Exercise (from example circuit) (dreq, q 0, dack) (dreq’, dreq & (q 0 + Exercise (from example circuit) (dreq, q 0, dack) (dreq’, dreq & (q 0 + ( q 0 & dack))) Draw state transition diagram Q: How many states for a start?

Hint (partial answer) 000 110 111 001 101 010 011 Hint (partial answer) 000 110 111 001 101 010 011

Question 000 110 111 001 101 010 011 Q: how many arrows should there Question 000 110 111 001 101 010 011 Q: how many arrows should there be out of each state? Why so?

Exercise 000 110 111 001 101 010 011 Complete the diagram Write down the Exercise 000 110 111 001 101 010 011 Complete the diagram Write down the corresponding binary relation as a set of pairs of states

Another view computation tree from a state 111 Another view computation tree from a state 111

Unwinding further 111 011 111 111 011 000 100 000 . . . 100 Unwinding further 111 011 111 111 011 000 100 000 . . . 100 010 110

Possible behaviours from state s s . . . Transition relation R Relation vs. Possible behaviours from state s s . . . Transition relation R Relation vs. Function?

path = possible run of the system s Transition relation R . . . path = possible run of the system s Transition relation R . . .

Points to note Transition system models circuit behaviour We chose the tick of the Points to note Transition system models circuit behaviour We chose the tick of the transition system to be the same as one clock cycle. Gates have zero delay – a very standard choice for synchronous circuits Could have had a finer degree of modelling of time (with delays in gates). Choices here determine what properties can be analysed Model checker starts with transition system. It doesn’t matter where it came from

Model Checking G(p -> F q) yes property MC no p q finite-state model Model Checking G(p -> F q) yes property MC no p q finite-state model algorithm p q counterexample (Ken Mc. Millan)

Netlist dack and or 1 q 0 dreq D 0 D and Netlist dack and or 1 q 0 dreq D 0 D and

input to SMV model checker MODULE main VAR w 1 : boolean; VAR w input to SMV model checker MODULE main VAR w 1 : boolean; VAR w 2 : boolean; VAR w 3 : boolean; VAR w 4 : boolean; VAR w 5 : boolean; VAR i 0 : boolean; VAR w 6 : boolean; VAR w 7 : boolean; VAR w 8 : boolean; VAR w 9 : boolean; VAR w 10 : boolean; DEFINE w 4 : = 0; DEFINE w 5 : = i 0; ASSIGN init(w 3) : = w 4; ASSIGN next(w 3) : = w 5; DEFINE w 7 : = !(w 3); DEFINE w 9 : = 1; DEFINE w 10 : = w 5 & w 6; ASSIGN init(w 8) : = w 9; ASSIGN next(w 8) : = w 10; DEFINE w 6 : = w 7 & w 8; MC builds internal representation of transition system

Transition system M S set of states (finite) R binary relation on states assumed Transition system M S set of states (finite) R binary relation on states assumed total, each state has at least one arrow out A set of atomic formulas L function A set of states in which A holds Lars backwards finite Kripke structre

Path in M Infinite sequence of states π = s 0 s 1 s Path in M Infinite sequence of states π = s 0 s 1 s 2. . . st

Path in M s 0 s 1 s 2. . . R (s 0, Path in M s 0 s 1 s 2. . . R (s 0, s 1) є R (s 1, s 2) є R etc

Read Another look at LTL model checking Clarke, Grumberg and Hamaguchi See course page Read Another look at LTL model checking Clarke, Grumberg and Hamaguchi See course page

Properties Express desired behaviour over time using special logic LTL CTL*. (linear temporal logic) Properties Express desired behaviour over time using special logic LTL CTL*. (linear temporal logic) (computation tree logic) (more expressive logic with both LTL and CTL as subsets)

CTL* path quantifers A “for all computation paths” E “for some computation path” can CTL* path quantifers A “for all computation paths” E “for some computation path” can prefix assertions made from Linear operators G “globally=always” F “sometimes” X “nexttime” U “until” about a path

CTL* formulas (syntax) path formulas f : : = s | f 1 f CTL* formulas (syntax) path formulas f : : = s | f 1 f 2 | X f | f 1 U f 2 state formulas (about an individual state) s : : = a | s 1 s 2 | E f atomic formulas

Build up from core Af E f F f Gf true U f F Build up from core Af E f F f Gf true U f F f

Example G (req -> F ack) Example G (req -> F ack)

Example G (req -> F ack) A request will eventually lead to an acknowledgement Example G (req -> F ack) A request will eventually lead to an acknowledgement liveness linear

Example (Gordon) It is possible to get to a state where Started holds but Example (Gordon) It is possible to get to a state where Started holds but Ready does not

Example (Gordon) It is possible to get to a state where Started holds but Example (Gordon) It is possible to get to a state where Started holds but Ready does not E (F (Started & Ready))

Semantics M = (L, A, R, S) M, s f f holds at state Semantics M = (L, A, R, S) M, s f f holds at state s in M (and omit M if it is clear which M we are talking about) M, π g g holds for path π in M

Semantics Back to syntax and write down each case s a a in L(s) Semantics Back to syntax and write down each case s a a in L(s) s f not (s s f 1 f 2 s E (g) s (atomic) f) f 1 or s f 2 Exists π. head(π) = s and π g

Semantics π f s π g π g 1 g 2 f and head(π) Semantics π f s π g π g 1 g 2 f and head(π) = s not (π π g) g 1 or π g 2

Semantics π Xg π tail(π) g 1 U g 2 Exists k ≥ 0. Semantics π Xg π tail(π) g 1 U g 2 Exists k ≥ 0. drop k π g g 2 Forall 0 ≤ j < k. drop j π (note: I mean tail in the Haskell sense) and g 1

CTL Branching time (remember upside-down tree) Restrict path formulas (compare with CTL*) f : CTL Branching time (remember upside-down tree) Restrict path formulas (compare with CTL*) f : : = f | s 1 s 2 | X s | s 1 U s 2 state formulas Linear time ops (X, U, F, G) must be wrapped up in a path quantifier (A, E).

Back to CTL* formulas (syntax) path formulas f : : = s | f Back to CTL* formulas (syntax) path formulas f : : = s | f 1 f 2 | X f | f 1 U f 2 state formulas (about an individual state) s : : = a | s 1 s 2 | E f atomic formulas

CTL Another view is that we just have the combined operators AU, AX, AF, CTL Another view is that we just have the combined operators AU, AX, AF, AG and EU, EX, EF, EG and only need to think about state formulas A operators E operators for necessity for possibility

f : : = atomic | f All immediate successors | AX f Some f : : = atomic | f All immediate successors | AX f Some immediate succesor | EX f All paths always | AG f Some path always | EG f All paths eventually | AF f Some path eventually | EF f | f 1 & f 2 | A (f 1 U f 2) | E (f 1 U f 2)

Examples (Gordon) It is possible to get to a state where Started holds but Examples (Gordon) It is possible to get to a state where Started holds but Ready does not

Examples (Gordon) It is possible to get to a state where Started holds but Examples (Gordon) It is possible to get to a state where Started holds but Ready does not EF (Started & Ready)

Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack

Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Examples (Gordon) If a request Req occurs, then it will eventually be acknowledged by Ack AG (Req => AF Ack)

Examples (Gordon) If a request Req occurs, then it continues to hold, until it Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged

Examples (Gordon) If a request Req occurs, then it continues to hold, until it Examples (Gordon) If a request Req occurs, then it continues to hold, until it is eventually acknowledged AG (Req => A [Req U Ack])

Exercise Draw computation trees illustrating AX f and EX f Exercise Draw computation trees illustrating AX f and EX f

Exercise Draw computation trees illustrating AG, EG, AF and EF (See nice pictures from Exercise Draw computation trees illustrating AG, EG, AF and EF (See nice pictures from Pistore and Roveri)

LTL formula is of form A f where f is a path formula with LTL formula is of form A f where f is a path formula with subformulas that are atomic (and then, as usual, have E f = A f etc) Restrict path formulas (compare with CTL*) f : : = a | f 1 f 2 | X f | f 1 U f 2

Back to CTL* formulas (syntax) path formulas f : : = s | f Back to CTL* formulas (syntax) path formulas f : : = s | f 1 f 2 | X f | f 1 U f 2 state formulas (about an individual state) s : : = a | s 1 s 2 | E f atomic formulas

LTL It is the restricted path formulas that we think of as LTL specifications LTL It is the restricted path formulas that we think of as LTL specifications (See P&R again) G (critical 1 & critical 2) FG initialised. GF my. Move G (req => F ack) mutex stays initialised once Initialised my. Move will always eventually hold request acknowledge pattern

Not possible to express in LTL AG EF start Regardless of what state the Not possible to express in LTL AG EF start Regardless of what state the program enters, there exists a computation leading back to the start state

Exercise Find something that can be expressed in LTL but not CTL Exercise Find something that can be expressed in LTL but not CTL

Further reading The ”Another look at LTL model checking paper” Ed Clarke’s course on Further reading The ”Another look at LTL model checking paper” Ed Clarke’s course on Bug Catching: Automated Program Verification and Testing complete with moving bug on the home page! Covers model checking relevant to hardware too. http: //www-2. cs. cmu. edu/~emc/15 -398/

Next lecture How to model check LTL and CTL formulas Next lecture How to model check LTL and CTL formulas