CSE 522Model-based Development (2)

Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU)

Computer Science & Engineering DepartmentArizona State University

Tempe, AZ 85287

Dr. Yann-Hang Leeyhlee@asu.edu(480) 727-7507

2

Temporal Logic

Temporal logic is used to describe any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time.

An extension of a classical propositional or predicate logic by temporal quantifiers "I am always hungry", "I will eventually be hungry", "I will be hungry until I eat something“

A single type of model is considered: a transition system (finite state machine)

To express and verify properties of system dynamics Safety (invariance): Nothing bad will happen Liveness: Something good will happen

Invariants

The simplest form of a temporal logic property Definition: A property that is true on the system at all

times (always) Examples:

“The program never dereferences a null pointer” “If a thread A blocks while trying to acquire a mutex lock, then

the thread B that holds that lock must not be blocked attempting to acquire a lock held by A.”

“Whenever the reset signal is asserted the state machine shall move immediately to the ErrorReset state and remain there until the reset signal is de-asserted.”

Pedestrian Light with Car Light

System invariant:

There is no pedestrian crossing when the traffic light (for the cars) is green

unsafe states

Pedestrian Light with Car Light

q Combine the states of car light and pedestrian light

q Is there a way to enter the unsafe states

q Reachability

FSM Behavior

Each port p, for each reaction will take a value from Vp{absent}, generating a sequence (or function)

sp : N Vp {absent}

Behavior: the assignment of signals to each input port such that an output sequence can be produced• Observable trace ((xi,yi))iN

• Execution trace ((xi, si, yi))iN

The set of all behaviors of an FSM M is called the language of M and it is denoted by L(M)

Garage Counter: Behavior

Behavior:

sup = (present, absent, present, absent, present, …)

sdown = (present, absent, absent, present, absent, …)

scount = (absent, absent, 1, 0, 1, …)

Execution trace :

τ = ((pres,pres),0, abs) ((abs, abs),0, abs) ((pres,abs),1, 1) ...

Propositional logic

Concerned with relationships between propositions A proposition is a sentence whose truth depends on the

current context In Boolean logic, a proposition can be either true or false

(not both) Atomic propositions: Statements about an input, output,

or state of a state machine. Examples:

formula meaning

x true if x is present

x = 1 true if x is present and has value 1

y = absent true if y is absent

s true if machine is in state s

Propositions & Connectives

A compound proposition is formed using propositions and connectives: : not or negation : and or conjunction : or or disjunction (one or the other or both) : implies or implication : if and only if or biconditional

y is present and the FSM is in state a. Propositions:

p1 := “y is present” := y

p2 := “the FSM is in state a” := a

Symbolic representation: p1 p2 (read as “p1 and p2”)

Propositions & Connectives

A compound proposition is formed using propositions and connectives: : not or negation : and or conjunction : or or disjunction (one or the other or both) : implies or implication : if and only if or biconditional

y is present and the FSM is in state a.Propositions:

p1 := “y is present” := y

p2 := “the FSM is in state a” := a

Symbolic representation:

p1 p2 (read as “p1 and p2”)

If the FSM is in state a, then y is present.

Propositions:

p1 = “y”

p2 = “the FSM is in state a”

Symbolic representation:

p2 p1 (read as “if p2, then p1” or “p2 implies p1”)

Equivalences through truth tables

p1 p2 p1p2 p1 p2 p1p2 (p1p2)

0 0 0 1 1 1 0

0 1 1 1 0 0 1

1 0 1 0 1 0 1

1 1 1 0 0 0 1

p1p2 (p1p2)

q Two compound propositions are logically equivalent if they have the same truth values for all the choices of truth values of the variables p, q, etc.

q We denote logical equivalence using the symbol

Propositional Logic on Traces

A proposition formula p holds for a trace

q0, q1, q2, . . .

if and only if p is true for q0.

A trace q (does not) satisfies a formula φ starting at time i

an FSM M (does not) satisfies φ and we write

iff for all q in LE(M), we have (q,0) φ where L⊨ E(M) contains all the execution traces of M

(q,i) ⊨ φ ( (q,i) ⊨ φ )

M ⊨ φ ( M ⊨ φ )

Examples

1. Mi ⊨ b?

2. Mi ⊨ x y?

3. Mi ⊨ y?M1 M2

14

Kripke Model

a Kripke model S, I,R,AP,L consists of a set of states S; a set of initial states I ⊆ S; a set of transitions R ⊆ S×S; a set of atomic propositions AP; a labeling function L : S 2AP.

A path in a Kripke model M from a state s0 is an infinite sequence of states

= s0, s1, s2, . . .

such that (si, si+1) R∈ , for all i ≥ 0.

15

FSM to Kripke

K=<S ×I,S0 ×I, R, L>,

for any s S ∈ and i I∈

(< s, i >, < s’, i’>) R ∈i ff δ(s, i) = s’

L(< s, i >) = i s ∪ ∪ λ(s, i)

Linear Temporal Logic (LTL)

LTL formulas: Statements about an execution trace

q0, q1, q2, q3, . . . . . .

p is propositional logic formula and is either a propositional logic or an LTL formula.

Suffix: a suffix of a string x is a string z such that there exists a string y such that x = yz

formula mnemonic meaning

p proposition p holds in q0

G () globally holds for every suffix of trace

F () finally, future, eventually

holds for some suffix of trace

X () next state holds for q1, q2, q3, . . . .

1U2) until 1 holds for all suffix of the trace until a suffix for which 2 holds

Linear Temporal Logics: Semantic Intuition

a – a now

G a - always a

F a – eventually a

X a – next state a

a U b – a until b

a B b – a before b

a a a a aa

* * a * **

a * * * **

a a b * *a

* a * b **

a * * * **

LTL operators can apply to LTL formulas as well as to propositional logic formulas.

E.g. Every input x is eventually followed by an output y

G (x Fy)

Propositional Linear Temporal Logic

Globally

(at any point in time) If x occurs

It is eventually followed by y

x holdsy holds

Examples

1. M2 ⊨ G(x˄y)?

2. M2 ⊨ G(x y)?

3. M1 ⊨ Fb ?

4. M2 ⊨ (Gx) (Fb)?

5. M2 ⊨ G(x Fb)?

6. M1 ⊨ x Xa ?

7. M1 ⊨ G(x Xa) ?

8. M2 ⊨ G(b Xa) ?

9. M2 ⊨ a U x ?

10. M2 ⊨ G(x) (aUx) ?

M1 M2

Examples: What do they mean?

G F p p holds infinitely often

F G p Eventually, p holds henceforth

G( p F q ) Every p is eventually followed by a q

G( p (X X q) ) Every p is followed by a q two reactions later

G = F (G = F ) F = true U

Remember:

Gp p holds in all states

Fp p holds eventually

Xp p holds in the next state

21

Model Checking in LTL

Safety: Only one process is in its critical section at a time. -- “No two processes can be in the critical section at the same time.” always not (CS1 and CS2): mutual exclusion

Liveness: Whenever any process requests to enter its critical section it will eventually be permitted to do so -- “Every request is eventually granted.” always (Request implies eventually Grant)

“Every continuous request is eventually granted.” always (Request implies (Request until Grant))

“Every repeated request is eventually granted.” always (always eventually Request) implies eventually Grant

Examples: Write in Temporal Logic

1. “Whenever the iRobot is at the ramp-edge (cliff), eventually it moves 5 cm away from the cliff.”• p1 – iRobot is at the cliff

• p2 – iRobot is 5 cm away from the cliff

2. “Whenever the distance between cars is less than 2m, cruise control is deactivated”• p1 – distance between cars is less than 2 m

• p2 – cruise control is active

Why the linear in LTL?

Properties expressed over a single computation path or run the satisfiability is checked on the run with no possibility of

switching to another run during the checking.

s0

s1 s2

s0s2s1s2 s1

s0

a/ca/b

a/btrue/b

a/c

Does M ⊨ G b ?

M s0 s1 s2s1 s2

24

Example: Mutual Exclusion (1)

Each process can be in its non-critical state (N), or trying to enter its critical state (T), or in its critical state (C).

The variable turn considers the first process that went into its trying state.

N1,N2turn=0

T1,N2turn=1

T1,T2turn=1

C1,N2turn=1

C1,T2turn=1

N1,T2turn=2

T1,T2turn=2

N1,C2turn=2

T1,C2turn=2

25

Example: Mutual Exclusion (2)

SafetyM |= G (C1 C2) ?

Is there a reachable state in which (C1 C2) holds? Liveness

M |= FC1 ?

Is there an infinite cyclic solution in which C1 never holds? Liveness

M |= G(T1 FC1) ? or M |= GFT1 GFC1 ?

Does every path starting from each state where T1 holds pass

through a state where C1 holds.

26

Automata-based Model Checking

The behaviors (computations) of a system can be seen as sequences of assignments to propositions over all traces.

Represent the set of computation by a finite automaton

An automaton for the set of all acceptable computations

Check if the language of the system automaton is contained in the language accepted by the property automaton.

00

01

00

11

11

11

00

00

01

00

00

11

00

00

00

00

00

00

00

00

11

11

11

11

00

01

00

01

00

11

00 01

11

27

Automata-Based LTL Model Checking (2)

Let M be a Kripke model and be an LTL formula

M ⊨ (LTL)

(M) ( ) (M) ( ) = { }

(AM) (A ) = { }

(AM A ) = { }

AM is a Büchi Automaton equivalent to M (which represents all and only the executions of M)

A is a Büchi Automaton which represents all and only the

paths that satisfy (do not satisfy ) AM A : represents all and only the paths appearing in M and

not in .

28

Automata-Based LTL Model Checking (1)

(Christel Baier and Joost-Pieter Katoen, "Principles of Model Checking”)

Büchi Automata

Automaton which accepts infinite traces A Büchi automaton is 4-tupleS, I,, F

S is a finite set of states I S is a set of initial states S S is a transition relation F S is a set of accepting states

An infinite sequence of states is accepted iff it contains accepting states infinitely often

1=S0S1S2S2S2S2…

2=S0S1S2S1S2S1…

3=S0S1S2S1S1S1…

ACCEPTED

ACCEPTED

REJECTED

S0 S1 S2

30

Büchi Automata

The labels of a Büchi Automaton are different from the labels of a Kripke Structure. Also graphically, they are interpreted differently:

in a Kripke Structure, p is true and all other propositions are false; in a Büchi Automaton, p is true and all other propositions are

irrelevant (“don’t care”), i.e. can be either true or false.

p

a b c

S0 S1 S2 S0 S1 S2

a

b c

Sinit

F={S0, S1,S2}

a

LTL and Büchi Automata

LTL formula Represents a set of infinite traces which satisfy such formula

Büchi Automaton Accepts a set of infinite traces

We can build an automaton which accepts all and only the infinite traces represented by an LTL formula

Gp Fp p U q GFp

pp

T

T

q

p

T

p

T

32

Product of Transition Systems: Example

s1

s0

a

b

a

b

t1

a

a bt2

t0

b

b

a

s0t1

a

a

b

s0t2

s0t0

b

b

a

s1t1

a

ab

s1t2

b

b

a

s1t0

33

Explicit-State Model Checking

Model checking exhaustively enumerates the states of the system State space can be viewed as a graph Explicitly enumerates each state and traverses each edge of the

graph Example: explicit-state techniques in SPIN Nested DFS to detect reachable accepting cycles.

The first search is used to search for reachable accepting states The second one (nested) tries to detect accepting cycles.

Consider the simplest property G p p is a system invariant to be satisfied by all states DFS graph traversal and maintain 2 data structures: set of visited

states and stack with current path from the initial state

34

Computational Temporal Logic

In LTL, time is treated as if each moment in time has a unique possible future. LTL formulas are interpreted over linear sequences which are

used to describe a behavior of a single computation of a program.

In branching temporal logics, each moment in time may split into various possible futures infinite computation trees and each describing the behavior of

the possible computations of a nondeterministic program. When reaching an individual state, the choice of transitions

remains undecided. Two path quantifiers: E (“there exists a computation”) and A (“for

all computations”). Decide whether holds in the computation tree of M.

35

Path Quantifiers in CTL

In All Paths: The temporal formula is true in all the paths starting in the current state.

There Exists a Path: The temporal formula is true in some path starting in the current state.

finally p globally p next p p until q

36

LTL vs. CTL

AP = {a; b; c; d; e} of atomic propositions. Sexm: Q = {q1; q2; q3; q4} and I = {q1; q2} L(q1) = {a}, L(q2) = ;, L(q3) = {b; e},

and L(q4) = {c}.

(Ph. Schnoebelen: The Complexity of Temporal Logic Model Checking. Advances in Modal Logic 2002: 393-436)

BDD and Symbolic Model Checking

Binary Decision Diagram (BDD): a DAG to represent a Boolean formula

An example f = ab+a’c+bc’d Two different orderings, same function. ROBDD – reduced and ordered Can we process them?

37

a

c

d

b

0 1

c+bd

d+b

b

1

0

a

b b

c c

d

0 1

c+bd b

c+dc

d

38

Operations of BDD

Negation: switch 0 and 1 If f then g else h operator: ite(f,g,h)

f AND g = ite (f, g, 0) f OR g = ite (f, 1, g)

Compute ite recursively: v is top-most variable among the three BDDs f, g, h

Existential quantification (EXISTS and ANDEXIST) (

I = ite (F, G, H) = (a, ite (Fa , Ga , Ha ), ite (Fa , Ga , Ha ))= (a, ite (1, C , H ), ite(B, 0, H ))= (a, C, (b , ite (Bb , 0b , Hb ), ite (Bb , 0b , Hb )) = (a, C, (b , ite (1, 0, 1), ite (0, 0, D))) = (a, C, (b , 0, D))= (a, C, J)

Check: F = a + b, G = ac, H = b + dite(F, G, H) = (a + b)(ac) + a b(b + d) = ac + abd

Example of ite

39

F,G,H,I,J,B,C,Dare pointers

b1

1

a

0

1 0

1 0

F

B

1

1

a

0

1 0

0

G

c 0C

1

b

0

1 0

0

H

dD

11

0

a

1 0

0

I

bJ

1

C

D

40

Symbolic Model Checking

State representation: A state is encoded as a Boolean formula (s), where sS sets of states as their characteristic function three state variables x1, x2, x3: { 000, 001, 010, 011 } represented as “first

bit false”: ¬x1

Representation of Transition Relations A transition is a pair of states (s, s’) where s’ is the next state: (s,s’)=(s)

(s’)

00 01

10 11

(01,10) = (¬v1v0, v’1¬v’0) = (¬v1v0) (v’1¬v’0)

(R) = (v’0 ¬v0) (v’1 v0v1)

41

PreImage(P,R) := {s | for some s’P, (s, s’) R}

Image(P,R) := {s’| for some sP, (s, s’)R}

Compute EX[P] for the 2-bit counter,

where (P) = (v0 v1) (i.e. P= { 00, 11})

PreImage(P,R)) = (P)[s’] (R)[s,s’]

= v’0v’1. (v’0 v’1) ((v’0 ¬v0) (v’1 v0v1))

(substitute v’0v’1 with 00, 01, 10, 11)

= (v0 ¬(v0v1)) (¬v0 (v0v1))

= v1 (i.e. P= { 01, 11} )

Pre-Image and Forward Image

42

Reachability using BDD

Reachability( v, Gin(s), R(s,s’), F(s))

[ s – states; Gin , R(s,s’) and F are BDDs ]

G:=; G’=Gin;

do {

G = G’; G’ = G ( s. ( G (s) R(s,s’) ) [s/s’] );

– F[x/y] means that we substitute x for y in F

} while (G ≠ G’ or GF ≠ );

If (GF = ) report “Unreachable”, else report “Reachable”;

43

Timed Automata

A timed automaton is a tuple A = (Q,Σ,C,E,q0) that consists of the following components: Q is a finite set. The elements of Q are called the states of A. Σ is a finite set called the alphabet or actions of A. C is a finite set called the clocks of A. E   ⊆ Q×Σ×B(C)×P(C)×Q is a set of edges, called transitions of A,

where B(C) is the set of boolean clock constraints involving clocks

from C, and P(C) is the powerset of C.

q0 is an element of Q, called the initial state.

An edge (q,a,g,r,q') from E is a transition from state q to q' with action a, guard g and clock resets r.