Model Checking I I

Model Checking II

How CTL model checking works

CTL

A E X F G U

Model checking problemDetermine M, s0 f

Or find all s s.t. M, s f

Need only E X F G Udefine otherse.g.AG p EF pAF p EG p

Explicit state model checking

Option 1 CES (original paper)

Represent state transition graph explicitlyWalk around marking states

Graph algorithms involving strongly connected components etc.

Not covered in this course (cf. SPIN)Used particularly in software model checking

Symbolic MC

Option 2 McMillan et al

because ofSTATE EXPLOSION problem

State graph exponential in program/circuit sizeGraph algorithms linear in state graph size

INSTEADUse symbolic representation of both sets of

statesand of state transtion graph

Symbolic MC

Sets of states formulas

relations between states (BDDs)

Fixed point characerisations of CTL ops

NO explicit state graph

A state

Vector of boolean variables

(v1,v2,v3, …., vn) {0,1}n

Boolean formulas

(x y) z ( is exclusive or)

(1 0) 0 = 1assignment [x=1,y=0,z=0] gives answer 1is a model or satisfying assignment

Write as 101

Exercise: Find another model

Boolean formulas

(x y) z ( is exclusive or)

(1 1) 0 = 0

assignment [x=1,y=1,z=0] is not a model

Formula is a tautology if ALL assignments are models and is contradictory if NONE is.

Boolean formulas

For us, interesting formulas are somewhere in between: some assignments are models, some not

IDEA: A formula can represent a set of states (its models)

{} false {111} x y z {101} x y z {111,101} x z

. . {000,001, … , 111} true

Example

(x y) z represents {100,010,110,111}(x y) z is in form ({100,010,110,111},xyz)

Exercise: Find formulas (with var. names x,y,z) for the sets

{}{100}{110,100,010,000}

Exercise

Find an element ofform({001,010,100},abc)

Will slarva and write form(P,vs) to stand

for a formula representing P and using variables vs

What is needed now?

A good data structure for boolean formulas

Binary Decision Diagrams (BDDs)Akers (IEEE Trans. Comp 78)Bryant (IEEE Trans. Comp. 86, most cited CS

paper!)see also Bryant’s document about a Hitachi patent from

93

McMillan saw application to symbolic MC

Binary Decision Diagrams

Canonical form (constant time comparison)

Polynomial algorithms for ’and’, ’or’, ’not’ etc.

Exponential but practically efficient algorithm for boolean quantification

(Presentation based on lecture notes by Ken McMillan)

Ordered Decision Tree

a

c

d d d d d d d d

c c c

b b

0 0 0 1 0 0 0 1 0 0 0 1 1 1 1 1

ab + cd(ab) (cd)

0 1

0 1 0 1

0 1 0 1 0 1 0 1

To get OBDD

Combine isomorphic subtrees

Eliminate redundant nodes (those with identical children)

Tree becomes a graph

(O)BDDab + cd(ab) (cd)

a

b

c

d

0 1

0

1

0

1

0

0 1

Make BDD for

(x y) z

Combining BDDs

apply algorithm (for building and of two BDDs, or of two BDDs etc.)

v is top variable in either f or gSolve recursively for v=0 and v=1 to get 0 and 1

branches of result nodeDo not create new result node if both brances

equal (return that result) or if equivalent node already exists in reduce table. (The apply function is also memoized.)

Terminates when both f and g constants (1 or 0)

Quantification

b. f is f | b=0 f | b=1

get by replacing each b node by its 0 branch

also have efficient algorithm for quantifying over a set of variables

BDDs

+ Many formulas (and circuits) have small representations

-Some do not! Multipliers- BDD representation of a function can vary

exponentially in size depending on variable ordering; users may need to play with variable orderings (less automatic)

+ Good algorithms and packages (e.g. CUDD)+ EXTREMELY useful in practice- Size limitations a big problem

Exercise revisited

Find a BDD for your

form({001,010,100},abc)

Lattice

{000,001, …. , 110, 111}

.

.

{000,001} {000,010} {110,111}

{000} {001} {010} . . . . {110} {111}

{}

form({},v) false

form(PQ,v) form(P,v) form(Q,v)

form(PQ,v) form(P,v) form(Q,v)

R set of pairs of states

p Image(P,R)

{t s s P s R t}

R

R

RR

Forward image

p {t s s P s R t}

form(Image(P,R),v’) = v form(P,v) form(R,(v,v’))

R

R

RR

Image(P,R)

Backward image

{s t t Q s R t}

form(Image-1(Q,R),v) = v form(Q,v’) form(R,(v,v’))

R

R

RR

Q

Symbolic MC of CTL

Compute set of states satisfying a formula recursively (and use BDDs as rep.)

consider E cases define others

e.g.AX p EX pA (p U q) ?

CTL formula f H(f) set of states satisfying f

a (atomic) L(a) (cf. Lars)

p S – H(p)p q H(p) H(q)

P q ?

EX p familiar ?

CTL formula f H(f) set of

states

satisfying f

P q H(p) H(q)

EX p Image-

1(H(p),R)

Remaining operators

Fixed point characterisation

EF p p EX (EF p)

least fixed point

Fixed points

f : set of S -> set of S

Monotonic x y => f(x) f(y)

Fixed point y s.t. f(y) = y

Fixed points

monotonic f has

Least fixed point y. f(y) [lfp y. f(y)]

Greatest fixed point y. F(y) [gfp y. F(y)]

Lattice again

{000,001, …. , 110, 111}

.

.

{000,001} {000,010} {110,111}

{000} {001} {010} . . . . {110} {111}

{}

Lattice (S finite)

S

.

.

{}

Fixed points

{} f({}) f(f({})) f(f(f({}))) ….Limit is the least fixed point y. f(y)

S f(S) f(f(S) f(f(f(S))) ….Limit is greatest fixed point y. f(y)

CTL

EF p p EX (EF p)

H(EF p)

= y. H(p) H( EX y)

= y. H(p) Image-1(y,R)

Fixed point iteration

S0 = H(p)

Si+1 = H(p) Image-1(Si,R)


P


p EX (p EX p)

P


Evetually stops!

P. . . .

Concrete example

000 100 110 111

001 101 010 011

Concrete example

000 100 110 111

001 101 010 011

0

1

2

3

4 6 7

5

EF p p = dreq q0 dack

and

and

or

dreq

q0

dack

EG

EG p p EX (EG p)

H(EG p)


EG

EG p p EX (EG p)

H(EG p)


NB: We can do all of these operations using BDDs to represent the sets

Fixed point interationin the other direction

P


P

p EX p


P

p EX (p EX p)


p

p EX (p EX p)

….

Concrete example

000 100 110 111

001 101 010 011

0

1

2

3

4 6 7

5

EG p p = (dreq q0 ) dack

EU

E (p U g) q (p EX (E (p U g) )

H(E (p U g) )

= y. H(q) (H(p) Image-1(y,R))

Exercise: define H (A(p U q))

All done with BDDS!

Glad påsk

Documents

Model Checking I I