LTL and CTL Semantics with Model Checking Algorithms, Study Guides, Projects, Research of Computer Science

Download LTL and CTL Semantics with Model Checking Algorithms and more Study Guides, Projects, Research Computer Science in PDF only on Docsity! 1 Model Checking Foundations and Applications Tevfik Bultan Department of Computer Science University of California, Santa Barbara bultan@cs.ucsb.edu http://www.cs.ucsb.edu/~bultan/ Outline • Temporal Logics for Reactive Systems • Automated Verification of Temporal Properties of Finite State Systems • Temporal Properties ≡ Fixpoints • Symbolic Model Checking – SMV • LTL Properties ≡ Büchi automata – SPIN • Infinite State Model Checking • Model Checking Programs – SLAM project – Java Path Finder Temporal Logics for Reactive Systems [Pnueli FOCS 77, TCS 81] Transformational systems get input; compute something; return result; Reactive systems while (true) { receive some input, send some output } • Transformational view follows from the initial use of computers as advanced calculators: A component receives some input, does some calculation and then returns a result. • Nowadays, the reactive system view seems more natural: components which continuously interact with each other and their environment without terminating Transformational vs. Reactive Systems Transformational systems get input; {pre-condition} compute something; {post-condition} return result; Reactive systems while (true) { receive some input, send some output } • Earlier work in verification uses the transformational view: – halting problem – Hoare logic – pre and post-conditions – partial vs. total correctness • For reactive systems: – termination is not the main issue – pre and post-conditions are not enough Reactive Systems: A Very Simple Model • We will use a very simple model for reactive systems • A reactive system generates a set of execution paths • An execution path is a concatenation of the states (configurations) of the system, starting from some initial state • There is a transition relation which specifies the next-state relation, i.e., given a state what are the states that can follow that state • We need an example A Mutual Exclusion Protocol Process 1: while (true) { out: a := true; turn := true; wait: await (b = false or turn = false); cs: a := false; } || Process 2: while (true) { out: b := true; turn := false; wait: await (a = false or turn); cs: b := false; } Two concurrently executing processes are trying to enter a critical section without violating mutual exclusion 2 State Space • The state space of a program can be captured by the valuations of the variables and the program counters – you have to wait until the next lecture for a discussion about the control stack (and recursion) and the heap (and dynamic memory allocation) • For our example, we have – two program counters: pc1, pc2 domains of the program counters: {out, wait, cs} – three boolean variables: turn, a, b boolean domain: {True, False} • Each state of the program is a valuation of all the variables State Space • Each state can be written as a tuple (pc1,pc2,turn,a,b) • Initial states: {(o,o,F,F,F), (o,o,F,F,T), (o,o,F,T,F), (o,o,F,T,T), (o,o,T,F,F), (o,o,T,F,T), (o,o,T,T,F), (o,o,T,T,T)} – initially: pc1=o and pc2=o • How many states total? 3 * 3 * 2 * 2 * 2 = 72 exponential in the number of variables and the number of concurrent components Transition Relation • Transition Relation specifies the next-state relation, i.e., given a state what are the states that can come after that state • For example, given the initial state (o,o,F,F,F) Process 1 can execute: out: a := true; turn := true; or Process 2 can execute: out: b := true; turn := false; • If process 1 executes, the next state is (w,o,T,T,F) • If process 2 executes, the next state is (o,w,F,F,T) • So the state pairs ((o,o,F,F,F),(w,o,T,T,F)) and ((o,o,F,F,F),(o,w,F,F,T)) are included in the transition relation Transition Relation The transition relation is like a graph, edges represent the next-state relation (o,o,F,F,F) (o,w,F,F,T) (w,o,T,T,F) (o,c,F,F,T) (w,w,T,T,T) Transition System • A transition system T = (S, I, R) consists of – a set of states S – a set of initial states I ⊆ S – and a transition relation R ⊆ S × S • A common assumption in model checking – R is total, i.e., for all s ∈ S, there exists s’ such that (s,s’) ∈ R Execution Paths • An execution path is an infinite sequence of states x = s0, s1, s2, ... such that s0 ∈ I and for all i ≥ 0, (si,si+1) ∈ R Notation: For any path x xi denotes the i’th state on the path (i.e., si) xi denotes the i’th suffix of the path (i.e., si, si+1, si+2, ... ) 5 CTL Semantics s0 |= EG p iff there exists a path s0, s1, s2, ... such that for all i, si |= p s0 |= AG p iff for all paths s0, s1, s2, ..., for all i, si |= p s0 |= EF p iff there exists a path s0, s1, s2, ... such that there exists an i such that si |= p s0 |= AF p iff for all paths s0, s1, s2, ..., there exists an i, such that, si |= p s0 |= p EU q iff there exists a path s0, s1, s2, ..., such that, there exists an i such that si |= q and for all j < i, sj |= p s0 |= p AU q iff for all paths s0, s1, s2, ..., there exists an i such that si |= q and for all j < i, sj |= p CTL Equivalences • CTL basis: EX, EU, EG AX p = ¬ EX ¬p AG p = ¬ EF ¬p AF p = ¬ EG ¬p p AU q = ¬( (¬q EU (¬p ∧¬q)) ∨ EG ¬ q) EF p = True EU p • Another CTL basis: EX, EU, AU CTL Properties s2s1 s4s3 Transition System Computation Tree s4 s3 s3 s1 s2 ... . . . s3s4 s1 . . . ... . . . s4 s1 . . . p p p p p p s3 |= p s4 |= p s1 |= ¬ p s2 |= ¬ p s3 |= EX p s3 |= EX ¬ p s3 |= ¬ AX p s3 |= ¬ AX ¬ p s3 |= EG p s3 |= ¬ EG ¬ p s3 |= AF p s3 |= EF ¬ p s3 |= ¬ AF ¬ p p p CTL Model Checking • Given a transition system T= (S, I, R) and a CTL property p T |= p iff for all initial state s ∈ I, s |= p Model checking problem: Given a transition system T and a CTL property p, determine if T is a model for p (i.e., if T |=p) For example: T |=? AG ( ¬ (pc1=c ∧ pc2=c)) T |=? AG(pc1=w ⇒ AF(pc1=c)) ∧ AG(pc2=w ⇒ AF(pc2=c)) • Question: Are CTL and LTL equivalent? CTL vs. LTL • CTL and LTL are not equivalent – There are properties that can be expressed in LTL but cannot be expressed in CTL • For example: FG p – There are properties that can be expressed in CTL but cannot be expressed in LTL • For example: AG(EF p) • Hence, expressive power of CTL and LTL are not comparable CTL* • CTL* is a temporal logic which is strictly more powerful than CTL and LTL • CTL* also uses the temporal operators X, F, G, U and the path quantifiers A and E, but temporal operators can also be used without path quantifiers • The following CTL* property cannot be expressed in CTL or LTL – A(FG p) ∨ AG(EF p) 6 Automated Verification of Finite State Systems [Clarke and Emerson 81], [Queille and Sifakis 82] CTL Model checking problem: Given a transition system T = (S, I, R), and a CTL formula f, does the transition system satisfy the property? CTL model checking problem can be solved in O(|f| × (|S|+|R|)) Note that the complexity is linear in the size of the transition system – Recall that the size of the transition system is exponential in the number of variables and concurrent components (this is called the state space explosion problem) CTL Model Checking Algorithm • Translate the formula to a formula which uses the basis – EX p, EG p, p EU q • Start from the innermost (non-atomic) subformulas and label the states in the transition system with the subformulas that hold in that state – Initially states are labeled with atomic properties • Each (temporal or boolean) operator has to be processed once • Computation of each subformula takes O(|S|+|R|) CTL Model Checking Algorithm • EX p is easy to do in O(|S|+|R|) – All the nodes which have a next state labeled with p should be labeled with EX p • p EU q: Find the states which are the source of a path where p U q holds – Equivalently, find the nodes which reach a node that is labeled with q by a path where each node is labeled with p – Label such nodes with p EU q – It is a reachability problem which can be solved in O(|S|+|R|) CTL Model Checking Algorithm • EG p: Find infinite paths where each node is labeled with p and label nodes in such paths with EG p – First remove all the states which do not satisfy p from the transition graph – Compute the strongly connected components of the remaining graph and then find the nodes which can reach the strongly connected components (both of which can be done in O(|S|+|R|) – Label the nodes in the strongly connected components and that can reach the strongly connected components with EG p Verification vs. Falsification • Verification: – Show: initial states ⊆ truth set of p • Falsification: – Find: a state ∈ initial states ∩ truth set of ¬p – Generate a counter-example starting from that state • CTL model checking algorithm can also generate a counter- example path if the property is not satisfied – without increasing the complexity • The ability to find counter-examples is one of the biggest strengths of the model checkers What About LTL and CTL* Model Checking? • The complexity of the model checking problem for LTL and CTL* are: – (|S|+|R|) × 2O(|f|) • Typically the size of the formula is much smaller than the size of the transition system – So the exponential complexity in the size of the formula is not very significant in practice 7 Temporal Properties ≡ Fixpoints [Emerson and Clarke 80] Here are some interesting CTL equivalences: AG p = p ∧ AX AG p EG p = p ∧ EX EG p AF p = p ∨ AX AF p EF p = p ∨ EX EF p p AU q = q ∨ (p ∧ AX (p AU q)) p EU q = q ∨ (p ∧ EX (p EU q)) Note that we wrote the CTL temporal operators in terms of themselves and EX and AX operators Functionals • Given a transition system T=(S, I, R), we will define functions from sets of states to sets of states – F : 2S → 2S • For example, one such function is the EX operator (which computes the precondition of a set of states) – EX : 2S → 2S which can be defined as: EX(p) = { s | (s,s’) ∈ R and s’ ∈ p } Abuse of notation: I am using p to denote the set of states which satisfy the property p Functionals • Now, we can think of all temporal operators also as functions from sets of states to sets of states • For example: AX p = ¬EX(¬p) or if we use the set notation AX p = (S - EX(S - p)) Abuse of notation: I will use the set and logic notations interchangeably. Logic Set p ∧ q p ∩ q p ∨ q p ∪ q ¬p S – p False ∅ True S Lattice The set of states of the transition system forms a lattice: • lattice 2S • partial order ⊆ • bottom element ∅ • top element S • Least upper bound ∪ (aka join) operator • Greatest lower bound ∩ (aka meet) operator Temporal Properties ≡ Fixpoints Based on the equivalence EF p = p ∨ EX EF p we observe that EF p is a fixpoint of the following function: F y = p ∨ EX y F (EF p) = EF p In fact, EF p is the least fixpoint of F, which is written as: EF p = µ y . p ∨ EX y Based on the equivalence EG p = p ∧ AX EG p we observe that EG p is a fixpoint of the following function: F y = p ∧ EX y F (EG p) = EG p In fact, EG p is the greatest fixpoint of F, which is written as: EG p = ν y . p ∧ EX y Fixpoint Characterizations Fixpoint Characterization Equivalences AG p = ν y . p ∧ AX y AG p = p ∧ AX AG p EG p = ν y . p ∧ EX y EG p = p ∧ EX EG p AF p = µ y . p ∨ AX y AF p = p ∨ AX AF p EF p = µ y . p ∨ EX y EF p = p ∨ EX EF p p AU q = µ y . q ∨ (p ∧ AX (y)) p AU q=q ∨ (p ∧ AX (p AU q)) p EU q = µ y . q ∨ (p ∧ EX (y)) p EU q = q ∨ (p ∧ EX (p EU q)) 10 Symbolic Pre-condition Computation • Remember the function EX : 2S → 2S which is defined as: EX(p) = { s | (s,s’) ∈ R and s’ ∈ p } • We can symbolically compute pre as follows EX(p) ≡ ∃V’ R ∧ p[V’ / V] – V : current-state boolean variables – V’ : next-state boolean variables – p[V’ / V] : rename variables in p by replacing current- state variables with the corresponding next-state variables – ∃V’ f : existentially quantify out all the variables in V’ from f Renaming • Assume that we have two variables x, y. • Then, V = {x, y} and V’={x’, y’} • Renaming example: Given p ≡ x ∧ y : p[V’ / V] ≡ x ∧ y [V’ / V] ≡ x’ ∧ y’ Existential Quantifier Elimination • Given a boolean formula f and a single variable v ∃v f ≡ f[True/v] ∨ f[False/v] i.e., to existentially quantify out a variable, first set it to true then set it to false and then take the disjunction of the two results • Example: f ≡ ¬x ∧ y ∧ x’ ∧ y’ ∃V’ f ≡ ∃x’ ( ∃y’ (¬x ∧ y ∧ x’ ∧ y’) ) ≡ ∃x’ ((¬x ∧ y ∧ x’ ∧ y’ )[T/y’] ∨ (¬x ∧ y ∧ x’ ∧ y’ )[F/y’]) ≡ ∃x’ (¬x ∧ y ∧ x’ ∧T ∨ ¬x ∧ y ∧ x’ ∧ F ) ≡ ∃x’ ¬x ∧ y ∧ x’ ≡ (¬x ∧ y ∧ x’)[T/x’] ∨ (¬x ∧ y ∧ x’)[F/x’]) ≡ ¬x ∧ y ∧ T ∨ ¬x ∧ y ∧ F ≡ ¬x ∧ y An Extremely Simple Example Variables: x, y: boolean Set of states: S = {(F,F), (F,T), (T,F), (T,T)} S ≡ True Initial condition: I ≡ ¬ x ∧ ¬ y Transition relation (negates one variable at a time): R ≡ x’=¬x ∧ y’=y ∨ x’=x ∧ y’=¬y (= means ↔) F,T F,F T,T T,F An Extremely Simple Example Given p ≡ x ∧ y, compute EX(p) EX(p) ≡ ∃V’ R ∧ p[V’ / V] ≡ ∃V’ R ∧ x’ ∧ y’ ≡ ∃V’ (x’=¬x ∧ y’=y ∨ x’=x ∧ y’=¬y ) ∧ x’ ∧ y’ ≡ ∃V’ (x’=¬x ∧ y’=y) ∧ x’ ∧ y’ ∨ (x’=x ∧ y’=¬y) ∧ x’ ∧ y’ ≡ ∃V’ ¬x ∧ y ∧ x’ ∧ y’ ∨ x ∧ ¬y ∧ x’ ∧ y’ ≡ ¬x ∧ y ∨ x ∧ ¬y EX(x ∧ y) ≡ ¬x ∧ y ∨ x ∧ ¬y In other words EX({(T,T)}) ≡ {(F,T), (T,F)} F,T F,F T,T T,F An Extremely Simple Example Let’s compute compute EF(x ∧ y) The fixpoint sequence is False, x∧y , x∧y ∨ EX(x∧y) , x∧y ∨ EX (x∧y ∨ EX(x∧y) ) , ... If we do the EX computations, we get: False, x ∧ y , x ∧ y ∨ ¬x ∧ y ∨ x ∧ ¬y, True EF(x ∧ y) ≡ True In other words EF({(T,T)}) ≡ {(F,F),(F,T), (T,F),(T,T)} F,T F,F T,T T,F 0 1 2 3 1 2 3 11 An Extremely Simple Example • Based on our results, for our extremely simple transition system T=(S,I,R) we have I ⊆ EF(x ∧ y) (⊆ corresponds to implication) hence: T |= EF(x ∧ y) (i.e., there exists a path from each initial state where eventually x and y both become true at the same time) I ⊆ EX(x ∧ y) hence: T |= EX(x ∧ y) (i.e., there does not exist a path from each initial state where in the next state x and y both become true) An Extremely Simple Example • Let’s try one more property AF(x ∧ y) • To check this property we first convert it to a formula which uses only the temporal operators in our basis: AF(x ∧ y) ≡ ¬ EG(¬(x ∧ y)) If we can find an initial state which satisfies EG(¬(x ∧ y)), then we know that the transition system T, does not satisfy the property AF(x ∧ y) An Extremely Simple Example Let’s compute compute EG(¬(x ∧ y)) The fixpoint sequence is True, ¬x ∨ ¬y, (¬x ∨ ¬y) ∧ EX(¬x ∨ ¬y) , … If we do the EX computations, we get: True, ¬x ∨ ¬y, ¬x ∨ ¬y, EG(¬(x ∧ y)) ≡ ¬x ∨ ¬y Since I ∩ EG(¬(x ∧ y)) ≠ ∅ we conclude that T |= AF(x ∧ y) F,T F,F T,T T,F 0 1 2 0 1 Symbolic CTL Model Checking Algorithm • Translate the formula to a formula which uses the basis – EX p, EG p, p EU q • Atomic formulas can be interpreted directly on the state representation • For EX p compute the precondition using existential variable elimination as we discussed • For EG and EU compute the fixpoints iteratively Symbolic Model Checking Algorithm Check(f : CTL formula) : boolean logic formula case: f ∈ AP return f; case: f ≡ ¬p return ¬Check(p); case: f ≡ p ∧q return Check(p) ∧ Check(q); case: f ≡ p ∨ q return Check(p) ∨ Check(q); case: f ≡ EX p return ∃V’ R ∧ Check(p) [V’ / V]; Symbolic Model Checking Algorithm Check(f) … case: f ≡ EG p Y := True; P := Check(p); Y’ := P ∧ Check(EX(Y)); while (Y ≠ Y’) { Y := Y’; Y’ := P ∧ Check(EX(Y)); } return Y; 12 Symbolic Model Checking Algorithm Check(f) … case: f ≡ p EU q Y := False; P := Check(p); Q := Check(q); Y’ := Q ∨ P ∧ Check(EX(Y)); while (Y ≠ Y’) { Y := Y’; Y’ := Q ∨ P ∧ Check(EX(Y)); } return Y; Binary Decision Diagrams (BDDs) • Ordered Binary Decision Diagrams (BDDs) – An efficient data structure for boolean formula manipulation – There are BDD packages available: (for example CUDD from Colorado University) • BDD data structure can be used to implement the symbolic model checking algorithm discussed above • BDDs are a canonical representation for boolean logic formulas – given two boolean logic formulas F and G, if F and G are equivalent their BDD representations will be identical Binary Decision Trees Fix a variable order, in each level of the tree branch on the value of the variable in that level • Examples for boolean formulas on two variables Variable order: x, y F F F T T T x y y T F T T x ∨ y F F F T T F x y y F F T T x ∧ y F F F T T F x y y T F T T x F F F T T F x y y F F T F False BDDs • Repeatedly apply the following transformations to a binary decision tree: – Remove duplicate terminals – Remove duplicate non-terminals – Remove redundant tests • These transformations transform the tree to a directed acyclic graph Binary Decision Trees vs. BDDs F F F T T T x y y T F T T x ∨ y F F F T T F x y y F F T T x ∧ y F F F T T F x y y T F T T x F F F T T F x y y F F T F False F F F T T T x y F F F T T T x y F F T T x F Good News About BDDs • Given BDDs for two boolean logic formulas F and G – The BDDs for F ∧ G and F ∨ G are of size |F| × |G| (and can be computed in that time) – The BDD for ¬F can be computed in and is of size |F| (and can be computed in that time) – F ≡? G can be checked in constant time – Satisfiability of F can be checked in constant time • No, this does not mean that you cane solve SAT in constant time