7/24/2019 ModelChecking.ppt
1/36
Lawrence Chung 1
Model Checking
Safety and Liveness
Safety properties: invariants, deadlocks, reachability, etc. Can be checked on finite traces.
"Something bad never happens."
Liveness properties: fairness, response, etc. Require infinite traces.
"Something good will eventually happen."
Model Checking %rocess
Model (System Requirements)
Specification (System Property)
Model Checker
Answer: Yes, if the model satisfies the specification; Counterexample, otherwise
For increasing our confidence in the correctness of the model:
Verification: the model satisfies important system properties.
Debugging: study counter-examples, pinpoint the source of the error, correct the model, and try again.
[Adapted from www.lix.polytechnique.fr/comete/seminar1-ModelChecking.ppt]
Mutual Exclusion Example
Process 1: N1 → T1; T1 S0 → C1 S1; C1 → N1 S0
Process 2: N2 → T2; T2 S0 → C2 S1; C2 → N2 S0
(the two processes run in parallel: ||)
Two-process mutual exclusion with a shared semaphore. Each process has three states:
Non-critical (N)
Trying (T)
Critical (C)
The semaphore can be available (S0) or taken (S1).
Initially both processes are in the Non-critical state and the semaphore is available --- N1 N2 S0
Model (System Requirements)
The Model [Willem Visser, http://ase.arc.nasa.gov/visser/ASE2002-TutSoftwareMC-fonts.ppt]
Mutual Exclusion Example (global state graph)
Initially both processes are in the Non-critical state and the semaphore is available --- N1 N2 S0
The reachable global states, level by level from the initial state:
N1 N2 S0
T1 N2 S0, N1 T2 S0
C1 N2 S1, T1 T2 S0, N1 C2 S1
C1 T2 S1, T1 C2 S1
Model (System Requirements)
The Model [Willem Visser, http://ase.arc.nasa.gov/visser/ASE2002-TutSoftwareMC-fonts.ppt]
Mutual Exclusion Example
No matter where you are, there is always a way to get to the initial state.
Kripke structure K; CTL (Computation Tree Logic)
Specification (System Property): the desirable property
K ⊨ AG EF(N1 N2 S0)
Mutual Exclusion Example
Model (System Requirements): the global state graph N1N2S0, T1N2S0, N1T2S0, C1N2S1, T1T2S0, N1C2S1, C1T2S1, T1C2S1
Specification (System Property): K ⊨ AG EF(N1 N2 S0)
Model Checker → Answer: Yes
Counterexample
(over the same global state graph: N1N2S0, T1N2S0, N1T2S0, C1N2S1, T1T2S0, N1C2S1, C1T2S1, T1C2S1)
Kripke Structure
K = < S, P, R > (M = < S, P, R, L (, {s0}) >) (s0 ∈ S: initial state)
- S: the set of possible global states
- P: a non-empty set of atomic propositions {p1, ..., pk} which express atomic properties of the global states, e.g., being an initial state, being an accepting state, or that a particular variable has a special value.
- R ⊆ S × S: a transition relation s.t. R(s, s') if s to s' is a possible atomic transition
- L: S → 2^P: a labeling function which defines which propositions hold in which states.
- State explosion problem: the size of S is often exponential in |requirements/design|.
Model checking problem: a model checker checks whether a system, interpreted as an automaton, is a (Kripke) model of a property expressed as a temporal logic formula: K ⊨ φ
Defining Models
Model (System Requirements)
Defining Models
For complex real-life control systems: an FSM with a way to
- modularize the requirements to view them at different levels of detail
- combine requirements (or design) of components
- state variables and facilities in guards on transitions.
Extended Finite State Machine (EFSM)
Defining Specifications
Linear Time: every moment has a unique successor; infinite sequences (words); Linear Time Temporal Logic (LTL)
Branching Time: every moment has several successors; infinite tree; Computation Tree Logic (CTL)
Temporal Logic: express properties of event orderings in time, e.g. Always when a packet is sent it will Eventually be received.
Specification (System Property)
[Figure key: ○ = next cycle, (-) = previous cycle]
Linear Temporal Logic (LTL)
LTL Syntax
A set of proposition variables p1, p2, ..., the usual logic connectives, and the following temporal modal operators: X for next, G for always (globally), F for eventually (in the future), U for until, R for release.
http://en.wikipedia.org/wiki/Linear_temporal_logic
One can reduce to two of those operators since the following is always satisfied: F φ ≡ true U φ; G φ ≡ false R φ ≡ ¬F ¬φ; ψ R φ ≡ ¬(¬ψ U ¬φ)
Links: http://en.wikipedia.org/wiki/Proposition_variable, http://en.wikipedia.org/wiki/Temporal, http://en.wikipedia.org/wiki/Modal_operator
Linear Temporal Logic (LTL): LTL (Informal) Semantics
Textual | Symbolic | Explanation | Diagram
Unary operators:
X φ (Next): φ has to hold at the next state. (○ is used synonymously.)
G φ (Globally): φ has to hold on the entire subsequent path.
F φ (Finally): φ eventually has to hold (somewhere on the subsequent path).
Binary operators:
ψ U φ (Until): φ holds at the current or a future position, and ψ has to hold until that position. At that position ψ does not have to hold any more.
ψ R φ (Release): ψ releases φ if φ is true until the first position in which ψ is true (or forever if such a position does not exist).
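The operators of the table above, as an added example that is not code from the slides: a small evaluator for LTL formulas over an ultimately periodic trace (a finite prefix followed by a loop, the lasso shape in which a model checker reports an infinite counterexample). It checks the packet property from the "Defining Specifications" slide, G(sent → F received), and verifies the operator reductions of the LTL syntax slide (F φ ≡ true U φ, G φ ≡ false R φ ≡ ¬F¬φ, ψ R φ ≡ ¬(¬ψ U ¬φ)) at every position of a constructed trace. The Lasso class, the tuple encoding of formulas, the sample trace and the names RESPONSE and IMMEDIATE are assumptions of this example.

```python
"""LTL over an infinite, ultimately periodic trace (a 'lasso': prefix . loop^omega).
Added example, not code from the slides.  Formulas are nested tuples:
('p', name), ('not', f), ('and', f, g), ('or', f, g), ('implies', f, g),
('X', f), ('G', f), ('F', f), ('U', psi, phi), ('R', psi, phi), ('true',), ('false',)."""


class Lasso:
    """Trace u . v^omega: finite prefix u, then the loop v repeated forever.
    Each position is the set of atomic propositions that hold there."""

    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty, otherwise the trace is finite"
        self.word = [frozenset(p) for p in prefix + loop]
        self.loop_start = len(prefix)

    def next_pos(self, i):
        """Successor position: after the last position the trace re-enters the loop."""
        return i + 1 if i + 1 < len(self.word) else self.loop_start

    def future(self, i):
        """Every distinct position at or after i, in trace order.  Truth of a formula
        depends only on the position, so one pass over these decides G, F, U, R."""
        seq = list(range(i, len(self.word)))
        if i >= self.loop_start:
            seq += list(range(self.loop_start, i))
        return seq


def holds(trace, f, i=0):
    """Does formula f hold at position i of the trace (default: the first position)?"""
    op = f[0]
    if op == "true":
        return True
    if op == "false":
        return False
    if op == "p":
        return f[1] in trace.word[i]
    if op == "not":
        return not holds(trace, f[1], i)
    if op == "and":
        return holds(trace, f[1], i) and holds(trace, f[2], i)
    if op == "or":
        return holds(trace, f[1], i) or holds(trace, f[2], i)
    if op == "implies":
        return (not holds(trace, f[1], i)) or holds(trace, f[2], i)
    if op == "X":                       # next: f at the next position
        return holds(trace, f[1], trace.next_pos(i))
    if op == "G":                       # globally: f at every subsequent position
        return all(holds(trace, f[1], j) for j in trace.future(i))
    if op == "F":                       # finally: f at some subsequent position
        return any(holds(trace, f[1], j) for j in trace.future(i))
    if op == "U":                       # psi U phi: phi eventually, psi at every position before
        psi, phi = f[1], f[2]
        for j in trace.future(i):
            if holds(trace, phi, j):
                return True
            if not holds(trace, psi, j):
                return False
        return False
    if op == "R":                       # psi R phi: phi up to and including the first psi
        psi, phi = f[1], f[2]           # position, or forever if psi never holds
        for j in trace.future(i):
            if not holds(trace, phi, j):
                return False
            if holds(trace, psi, j):
                return True
        return True
    raise ValueError(f"unknown operator {op!r}")


def reductions_hold(trace, phi, psi):
    """Check the slide's reductions at every position:  F phi = true U phi;
    G phi = false R phi = not F not phi;  psi R phi = not(not psi U not phi)."""
    pairs = [
        (("F", phi), ("U", ("true",), phi)),
        (("G", phi), ("R", ("false",), phi)),
        (("G", phi), ("not", ("F", ("not", phi)))),
        (("R", psi, phi), ("not", ("U", ("not", psi), ("not", phi)))),
    ]
    return all(holds(trace, a, i) == holds(trace, b, i)
               for i in range(len(trace.word)) for a, b in pairs)


# Constructed sample trace (not from the slides): a channel that delivers the first
# packet one step late, then settles into an idle/send/receive loop forever.
CHANNEL = Lasso(prefix=[{"sent"}, set(), {"received"}],
                loop=[{"idle"}, {"sent"}, {"received"}])

# "Always when a packet is sent it will Eventually be received":  G(sent -> F received)
RESPONSE = ("G", ("implies", ("p", "sent"), ("F", ("p", "received"))))
# The stricter "received in the very next cycle":  G(sent -> X received)
IMMEDIATE = ("G", ("implies", ("p", "sent"), ("X", ("p", "received"))))

if __name__ == "__main__":
    print("G(sent -> F received):", holds(CHANNEL, RESPONSE))    # True
    print("G(sent -> X received):", holds(CHANNEL, IMMEDIATE))   # False: first delivery is late
    print("reductions hold:", reductions_hold(CHANNEL, ("p", "received"), ("p", "sent")))
```

The evaluator is exponential in formula depth and only meant for traces of a few positions; its point is that the semantics of the table can be read off directly from the code, and that the loop makes the "or forever" clause of Release and the "entire subsequent path" of Globally decidable on a finite object.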
Workshop held with ICSE May 2003
Relevant theoretical papers can be found here: http://netlib.bell-labs.com/netlib/spin/whatispin.html
Ideal for software model checking due to the expressiveness of the PROMELA language: close to a real programming language
Gerard Holzmann won the ACM software award for SPIN
Cf: SCR & the 4-variable model. Requirements should contain nothing but information about the
Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Syntax
A CTL wff is (p is an atomic property/proposition):
φ ::= ⊤ | ⊥ | p | ¬φ | φ ∧ φ2 | φ ∨ φ2 | φ → φ2 | AX φ | EX φ | AF φ | EF φ | AG φ | EG φ | A[φ U φ2] | E[φ U φ2]
http://www.cs.ucl.ac.uk/staff/…Bowen/GS03/w3l1ctlnotes.pdf
EX φ: true in the current state if formula φ is true in at least one of the next states
E[φ U ψ]: true in the current state if formula φ is true until ψ becomes true in some path beginning in the current state
EF φ: true in the current state if there exists some state in some path beginning in the current state that satisfies the formula φ
EG φ: true in the current state if every state in some path beginning in the current state satisfies the formula φ
AX φ: true in the current state if formula φ is true in every one of the next states
A[φ U ψ]: true in the current state if formula φ is true until ψ becomes true in every path beginning in the current state
AF φ: true in the current state if there exists some state in every path beginning in the current state that satisfies the formula φ
AG φ: true in the current state if every state in every path beginning in the current state satisfies the formula φ
R (Release)
Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Semantics
Let M = (S, R, L) be a transition system (or a Kripke structure, also called a model for CTL). Let φ be a CTL formula and s ∈ S. Then M, s ⊨ φ is defined inductively on the structure of φ, as follows:
M,s ⊨ ⊤
M,s ⊭ ⊥
M,s ⊨ p iff p ∈ L(s)
M,s ⊨ ¬φ iff M,s ⊭ φ
M,s ⊨ φ ∧ ψ iff M,s ⊨ φ and M,s ⊨ ψ
M,s ⊨ φ ∨ ψ iff M,s ⊨ φ or M,s ⊨ ψ
Branching Temporal Logic (BTL): Computation Tree Logic (CTL) Semantics (continued)
M,s ⊨ AX φ iff for all s' s.t. s R s', M,s' ⊨ φ
M,s ⊨ EX φ iff there exists s' s.t. s R s' and M,s' ⊨ φ
M,s ⊨ AG φ iff for all paths (s, s2, s3, s4, ...) s.t. si R si+1, and for all i, it is the case that M,si ⊨ φ
M,s ⊨ EG φ iff there is a path (s, s2, s3, s4, ...) s.t. si R si+1, and for all i it is the case that M,si ⊨ φ
M,s ⊨ AF φ iff for all paths (s, s2, s3, s4, ...) s.t. si R si+1, there is a state si s.t. M,si ⊨ φ
M,s ⊨ EF φ iff there is a path (s, s2, s3, s4, ...) s.t. si R si+1, and there is a state si s.t. M,si ⊨ φ
M,s ⊨ A[φ U ψ] iff for all paths (s, s2, s3, s4, ...) s.t. si R si+1, there is a state sj s.t. M,sj ⊨ ψ and M,si ⊨ φ for all i < j
M,s ⊨ E[φ U ψ] iff there exists a path (s, s2, s3, s4, ...) s.t. si R si+1, and there is a state sj s.t. M,sj ⊨ ψ and M,si ⊨ φ for all i < j
The satisfiability problem of CTL is EXPTIME-complete.
If a CTL formula is satisfiable, then the formula is satisfiable by a finite Kripke model.
CTL Model Checking: O(|φ| · (|S| + |R|))
M ⊨ φ if M, s0 ⊨ φ
Branching Temporal Logic (BTL): Equivalences between CTL formulas
AX φ ≡ ¬EX ¬φ
AG φ ≡ ¬EF ¬φ
AF φ ≡ ¬EG ¬φ
EF φ ≡ E[⊤ U φ]
Therefore, only three operators are required to express all the remaining: EX, EG, EU (this is called an adequate set of operators).
Branching Temporal Logic (BTL): Specification patterns
Two examples of requirements patterns:
Liveness: "Something good will eventually happen". E.g.: "Whenever any process requests to enter its critical section, it will eventually be permitted to do so". In CTL: AG(request → AF(critical))
Safety: "Nothing bad will happen". E.g.: "Only one process is in its critical section at any time". In CTL (with 2 processes only): AG(¬(critical1 ∧ critical2))
More examples:
1. "From any state it is possible to get to a reset state": AG EF(reset)
2. "Event p precedes s and t on all computation paths" (try to encode the negation of this): the negation: there exists in the future a state in which p follows s ∧ t: EF((s ∧ t) → EF(p)). Its negation: ¬EF((s ∧ t) → EF(p)) ≡ AG(¬((s ∧ t) → EF(p)))
3. "On all computation paths, after p, q is never true": AG(p → ¬EF(q))
Defining Specifications
[Figure: intuition for CTL formulae which are satisfied at state s]
How the algorithm can be applied to the formula ¬EF(close ∧ start ∧ EG ¬cooking), where S(φ) is the set of states satisfying φ:
S(close) = {S2, S3}
S(start) = {S3, S4}
S(¬cooking) = {S1, S2, S4}
S(EG ¬cooking) = {S1, S2, S4}
S(close ∧ start ∧ EG ¬cooking) = {}
S(EF(close ∧ start ∧ EG ¬cooking)) = {}
S(¬EF(close ∧ start ∧ EG ¬cooking)) = {S1, S2, S3, S4}
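The labelling algorithm of the CTL semantics, equivalences and algorithm slides, run on the mutual exclusion model of the earlier slides, as an added worked example that is not code from the slides. It generates the eight global states from the per-process rules (N → T; T with S0 → C with S1; C → N with S0), computes S(φ) bottom-up using EX, E[U] and EG as the adequate set with the other operators rewritten through the equivalences, and checks K ⊨ AG EF(N1 N2 S0), the safety pattern AG ¬(C1 ∧ C2), and the liveness pattern AG(T1 → AF C1). The tuple encoding of formulas and the names Kripke, sat, check and MUTEX are assumptions of this example. The liveness pattern fails in this model: from T1 N2 S0 the second process can take and release the semaphore forever while the first stays in Trying, and the set of violating states returned by check is where the debugging loop of the model checking process would start reading a counterexample.

```python
"""Explicit-state CTL model checking of the two-process mutual exclusion model.
Added example, not code from the slides.  States are generated from the per-process
rules N -> T, (T, S0) -> (C, S1), C -> (N, S0); sat(f) is the labelling algorithm over
the adequate set {EX, EU, EG}, the other operators rewritten via the slide equivalences.
Formulas are nested tuples, e.g. ('AG', ('EF', ('p', 'N1')))."""

MOVES = {"N": lambda sem: ("T", sem),                           # request: Non-critical -> Trying
         "T": lambda sem: ("C", "S1") if sem == "S0" else None,  # enter only if the semaphore is free
         "C": lambda sem: ("N", "S0")}                          # leave: release the semaphore

def successors(state):
    """Atomic transitions of the interleaving (||); a global state is (p1, p2, sem)."""
    out = []
    for who in (0, 1):
        move = MOVES[state[who]](state[2])
        if move:                                   # None: Trying while taken, blocked
            procs = list(state[:2])
            procs[who] = move[0]
            out.append((procs[0], procs[1], move[1]))
    return out

class Kripke:
    """K = <S, P, R, L, s0>: reachable states, relation R, labelling L, initial state."""
    def __init__(self, init, succ_fn):
        self.init, self.succ, todo = init, {}, [init]
        while todo:                                # explore everything reachable from s0
            s = todo.pop()
            if s not in self.succ:
                self.succ[s] = set(succ_fn(s))
                todo.extend(self.succ[s])
        self.states = frozenset(self.succ)
        self.label = {s: frozenset({s[0] + "1", s[1] + "2", s[2]}) for s in self.states}  # L(s)

    def pre_exists(self, targets):
        """{s | some successor of s is in targets}: one EX step backwards."""
        return {s for s in self.states if self.succ[s] & targets}

def sat_eu(M, P, Q):
    """E[P U Q]: least fixpoint of  Y = Q ∪ (P ∩ pre_exists(Y))."""
    Y = set(Q)
    while (new := Y | (P & M.pre_exists(Y))) != Y:
        Y = new
    return Y

def sat_eg(M, P):
    """EG P: greatest fixpoint of  Y = P ∩ pre_exists(Y)  (R must be total)."""
    Y = set(P)
    while (new := Y & M.pre_exists(Y)) != Y:
        Y = new
    return Y

def sat(M, f):
    """The set of states of M satisfying CTL formula f (the labelling algorithm)."""
    op, S = f[0], M.states
    if op == "true":    return set(S)
    if op == "false":   return set()
    if op == "p":       return {s for s in S if f[1] in M.label[s]}
    if op == "not":     return S - sat(M, f[1])
    if op == "and":     return sat(M, f[1]) & sat(M, f[2])
    if op == "or":      return sat(M, f[1]) | sat(M, f[2])
    if op == "implies": return (S - sat(M, f[1])) | sat(M, f[2])
    if op == "EX":      return M.pre_exists(sat(M, f[1]))
    if op == "AX":      return S - M.pre_exists(S - sat(M, f[1]))     # AX f = ¬EX ¬f
    if op == "EU":      return sat_eu(M, sat(M, f[1]), sat(M, f[2]))
    if op == "EF":      return sat_eu(M, S, sat(M, f[1]))              # EF f = E[⊤ U f]
    if op == "AG":      return S - sat_eu(M, S, S - sat(M, f[1]))      # AG f = ¬EF ¬f
    if op == "EG":      return sat_eg(M, sat(M, f[1]))
    if op == "AF":      return S - sat_eg(M, S - sat(M, f[1]))         # AF f = ¬EG ¬f
    if op == "AU":      # A[f U g] = ¬( E[¬g U (¬f ∧ ¬g)] ∨ EG ¬g )
        nf, ng = S - sat(M, f[1]), S - sat(M, f[2])
        return S - (sat_eu(M, ng, nf & ng) | sat_eg(M, ng))
    raise ValueError(f"unknown operator {op!r}")

def check(M, f):
    """The model-checking problem M |= f (f must hold in s0).  Returns (answer,
    states violating f); a violating state is where a counterexample trace starts."""
    good = sat(M, f)
    return M.init in good, M.states - good

MUTEX = Kripke(("N", "N", "S0"), successors)       # the 8 global states of the slides
assert all(MUTEX.succ[s] for s in MUTEX.states)    # R is total, as sat_eg requires

INIT = ("and", ("p", "N1"), ("and", ("p", "N2"), ("p", "S0")))
RESET = ("AG", ("EF", INIT))                                           # K |= AG EF(N1 N2 S0)
MUTUAL_EXCLUSION = ("AG", ("not", ("and", ("p", "C1"), ("p", "C2"))))  # safety pattern
NO_STARVATION = ("AG", ("implies", ("p", "T1"), ("AF", ("p", "C1"))))  # liveness pattern

if __name__ == "__main__":
    for name, f in [("AG EF(N1 N2 S0)", RESET), ("mutual exclusion", MUTUAL_EXCLUSION),
                    ("process 1 never starves", NO_STARVATION)]:
        answer, bad = check(MUTEX, f)
        print(f"{name}: {'Yes' if answer else 'No, violated from ' + str(sorted(bad))}")
```

Each operator case of sat is one line of the algorithm: the fixpoint iterations are the O(|S| + |R|) passes per subformula that give the complexity bound stated on the semantics slide, and the three properties reproduce the Yes answer of the mutual exclusion slides plus a No that the debugging loop would then have to explain.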
Genealogy
[Figure: timeline of model checking. Recoverable nodes: Logics of Programs (Floyd/Hoare, late 60s); Temporal/Modal Logics (Aristotle, 300s BCE; Kripke); Tarski; μ-Calculus; ω-automata, S1S; LTL Model Checking (Pnueli, late 70s); CTL Model Checking (Clarke/Emerson, early 80s); Symbolic Model Checking]