CMSC 631 – Program Analysis and Understanding
Fall 2003
Model Checking
Slides from Adam Porter

Reactive Systems
• Two kinds of systems:
  ■ Transformational: produce outputs from inputs
  ■ Reactive: an infinite process, responding to its environment
    - Model checking is usually applied to reactive systems
[Figure: a transformational system P mapping Input to Output, beside a reactive system P exchanging Inputs and Outputs with its Environment]

Program State
• The state of a program is the values of its variables at some point in time
• The system state changes according to inputs
  ■ It takes transitions from one state to another

Example: Microwave Oven
[Figure: state transition graph of the oven; its seven states are labeled as follows]
  ¬Start ¬Close ¬Heat ¬Error
  Start ¬Close ¬Heat Error
  ¬Start Close ¬Heat ¬Error
  ¬Start Close Heat ¬Error
  Start Close ¬Heat Error
  Start Close ¬Heat ¬Error
  Start Close Heat ¬Error

Properties
• We would like to verify the following properties (among others):
  ■ The oven doesn’t heat up until the door is closed
  ■ If the oven starts, it will eventually start cooking
  ■ It must be possible to correct errors

Temporal Operators
• Specifications are written in temporal logic
• Includes the standard logical connectives
  ■ ⋀, ⋁, ¬
• Plus path quantifiers and basic temporal operators
  ■ E (there exists a path from here), A (for all paths from here)
  ■ Fp – p holds sometime in the future
  ■ Gp – p holds globally (always) in the future
  ■ Xp – p holds next time
  ■ pUq – p holds until q holds

Properties
• We would like to verify the following properties (among others):
  ■ The oven doesn’t heat up until the door is closed
    - (¬Heat) U Closed
  ■ If the oven starts, it will eventually start cooking
    - AG(Start ⇒ AF Heat)
  ■ It must be possible to correct errors
    - AG(Error ⇒ AF ¬Error)

The Model Checking Problem
• Let M be a state transition graph
  ■ A.k.a. a Kripke structure
• Let f be the specification in temporal logic
• Find all states s of M such that M, s ⊨ f

A Model Checking Algorithm
• Goal: for each state s, compute
  ■ lab(s) = { formulas true in s }
• When the algorithm terminates
  ■ M, s ⊨ f iff f ∈ lab(s)
• Algorithm: iterate over the subformulas of f inside-out, computing lab(s)

Checking Subformulas
• Lemma: any CTL (see paper) formula can be expressed in terms of ¬, ⋁, EX, EU, and EG
• Therefore, six cases:
  ■ Atomic proposition p
    - If p is true in s, then add p to lab(s)
  ■ ¬f – If f ∉ lab(s), add ¬f to lab(s)
  ■ f1 ⋁ f2 – If f1 ∈ lab(s) or f2 ∈ lab(s), add f1 ⋁ f2 to lab(s)
  ■ EX f – If there exists a successor s′ of s such that f ∈ lab(s′), add EX f to lab(s)

Checking Subformulas (cont’d)
• E[f1 U f2]
  ■ Find all states s for which f2 ∈ lab(s)
  ■ Follow paths backward from s, finding all states that can reach s on a path in which every state is labeled with f1
  ■ Label each of these states with E[f1 U f2]

Checking Subformulas (cont’d)
• EG f
  ■ Idea: look for an infinite path on which f holds
  ■ Divide M into nontrivial strongly-connected components
    - A strongly-connected component (SCC) C is a maximal subgraph such that every node in C is reachable from every other node in C on a directed path contained entirely within C
    - C is nontrivial if either it has more than one node or it contains a node with a self loop
  ■ Compute M′ from M by removing all states s in which f ∉ lab(s)
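The labeling algorithm of the "A Model Checking Algorithm" and "Checking Subformulas" slides, run on the microwave oven, as an added example that is not part of the slides. Each function returns sat(f), the set of states whose lab(s) contains f, so nesting calls evaluates subformulas inside-out; the seven states are the slides' own, but the transitions between them are my assumption, since the state graph did not survive extraction.

```python
# Added example, not from the slides: CTL labeling on the microwave oven.
# Each function returns sat(f), the states s with f in lab(s); nested calls
# evaluate subformulas inside-out. The seven states are the slides' own; the
# transitions are an assumption (the slide's state graph was not recoverable).
LABELS = {1: set(), 2: {"Start", "Error"}, 3: {"Close"}, 4: {"Close", "Heat"},
          5: {"Start", "Close", "Error"}, 6: {"Start", "Close"},
          7: {"Start", "Close", "Heat"}}
SUCC = {1: {2, 3}, 2: {5}, 3: {1, 6}, 4: {1, 3, 4}, 5: {2, 3}, 6: {7}, 7: {4}}
STATES = frozenset(LABELS)

def backward(targets, allowed):
    """`targets` plus the `allowed` states that reach them via `allowed` states."""
    found, todo = set(targets), list(targets)
    while todo:
        t = todo.pop()
        for s in allowed - found:
            if t in SUCC[s]:
                found.add(s); todo.append(s)
    return found

def forward(start, allowed):
    """States reachable from `start` while moving only inside `allowed`."""
    seen, todo = set(), list(start)
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s); todo.extend(SUCC[s] & allowed)
    return seen

# The six basic cases (EU is the backward search of the E[f1 U f2] slide).
def atom(p): return {s for s in STATES if p in LABELS[s]}
def NOT(f): return STATES - f
def OR(f, g): return f | g
def EX(f): return {s for s in STATES if SUCC[s] & f}
def EU(f, g): return backward(g, f)
def EG(f):
    # Restrict M to f-states (M'); EG f holds exactly in the f-states that can
    # reach a nontrivial SCC of M', i.e. a state lying on a cycle of M'.
    on_cycle = {s for s in f if s in forward(SUCC[s] & f, f)}
    return backward(on_cycle, f)

# Derived operators, rewritten into the basic cases, for the three properties.
def AND(f, g): return NOT(OR(NOT(f), NOT(g)))
def IMPLIES(f, g): return OR(NOT(f), g)
def AF(f): return NOT(EG(NOT(f)))
def AG(f): return NOT(EU(STATES, NOT(f)))
def AU(f, g): return NOT(OR(EU(NOT(g), AND(NOT(f), NOT(g))), EG(NOT(g))))

def check_properties():
    """The slides' three properties ('Closed' there is the atom Close)."""
    return {"no_heat_until_closed": AU(NOT(atom("Heat")), atom("Close")),
            "start_implies_heat": AG(IMPLIES(atom("Start"), AF(atom("Heat")))),
            "errors_correctable": AG(IMPLIES(atom("Error"), AF(NOT(atom("Error")))))}
```

With the assumed transitions the first property holds in every state, while both AG properties hold in no state: states 2 and 5 (Start and Error, door open then closed) form a cycle on which Heat and ¬Error are never reached, so AF fails there and EF of that failure reaches every state.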