Symbolic Model Checking of Real-time and Hybrid Systems: Lecture 8, Study notes of Electrical and Electronics Engineering

Lecture 8 of the ECE 598 course on modeling and verification of real-time and hybrid systems. The lecture focuses on symbolic model checking of CTL formulas using OBDDs and dynamic programming. The document also covers the procedures CheckEX, CheckEU and CheckE□, which are based on the fixed-point characterization of CTL formulas.

Uploaded on 03/16/2009

koofers-user-qir-1
Partial preview of the text

ECE 598: Modeling and Verification of Real-time and Hybrid Systems, Fall 2008
Lecture 8 — DATE, 2008: Symbolic Model Checking
Prof. Sayan Mitra. Scribe: Kyoung-Dae Kim

8 Symbolic Model Checking CTL

Here we define a symbolic model checking algorithm $\mathrm{Check}(f, M)$ for a CTL formula $f$ and a finite state automaton $M$. It returns an OBDD that represents the subset of the states of $M$ that satisfy $f$. We define $\mathrm{Check}(f, M)$ inductively:

• if $f = p$ then $\mathrm{Check}(f, M)$ is the OBDD representing the set of states satisfying $p$,
• if $f = \neg f_1$ then $\mathrm{Check}(f, M) = \neg\mathrm{Check}(f_1, M)$,
• if $f = f_1 \wedge f_2$ then $\mathrm{Check}(f, M) = \mathrm{Check}(f_1, M) \wedge \mathrm{Check}(f_2, M)$,
• if $f = EX f_1$ then $\mathrm{Check}(f, M) = \mathrm{CheckEX}(\mathrm{Check}(f_1, M), M)$,
• if $f = E[f_1 U f_2]$ then $\mathrm{Check}(f, M) = \mathrm{CheckEU}(\mathrm{Check}(f_1, M), \mathrm{Check}(f_2, M), M)$,
• if $f = E\Box f_1$ then $\mathrm{Check}(f, M) = \mathrm{CheckE\Box}(\mathrm{Check}(f_1, M))$.

$\mathrm{CheckE\Box}$, $\mathrm{CheckEX}$ and $\mathrm{CheckEU}$ take OBDDs as arguments.

8.1 CheckEX

For simplicity, let us assume that $Q = \mathbb{B}^n$. For $q \in Q$, we refer to the $i$th component, $i \le n$, by $q_i$.

$$\mathrm{CheckEX}(f, M)(q) \iff \exists q' \in \mathbb{B}^n\,[f(q') \wedge q \to q'] \iff \exists q' \in \mathbb{B}^{n-1}\,\big([f(0q') \wedge q \to 0q'] \vee [f(1q') \wedge q \to 1q']\big)$$

Since we have OBDDs for $f$ and for $\to$, this can be computed on the OBDDs by splitting on the first component of $q'$ as the second equivalence shows. However, each subproblem generates two subproblems, so we have to be careful to prevent an exponential blow-up. By using dynamic programming it is possible to keep the algorithm polynomial. The procedures for $EU$ and $E\Box$ are based on the fixed-point characterization of CTL formulas. This is what we study next.

8.2 Fixed-point Representations

Definition 1. A lattice is a partially ordered set in which every pair of elements has a unique supremum (the elements' least upper bound, called their join) and an infimum (greatest lower bound, called their meet).

Given a Kripke structure $M = \langle Q, \to, L \rangle$, let $\mathcal{P}(Q)$ be the power set of $Q$. $(\mathcal{P}(Q), \subseteq)$ is a lattice. What are the joins and the meets of two arbitrary subsets?
The greatest and the least elements of this lattice are $Q$ (or true) and $\emptyset$ (or false), respectively.

A predicate transformer is a function $\tau : \mathcal{P}(Q) \to \mathcal{P}(Q)$. It is said to be monotonic if $Q_1 \subseteq Q_2$ implies $\tau(Q_1) \subseteq \tau(Q_2)$. It is $\cup$-continuous if $Q_1 \subseteq Q_2 \subseteq \cdots$ implies $\tau(\bigcup_i Q_i) = \bigcup_i \tau(Q_i)$, and it is $\cap$-continuous if $Q_1 \supseteq Q_2 \supseteq \cdots$ implies $\tau(\bigcap_i Q_i) = \bigcap_i \tau(Q_i)$. If $Q$ is finite then monotonicity implies both $\cup$- and $\cap$-continuity.

Tarski proved that a monotonic predicate transformer always has (a) a least fixed point (LFP); when $\tau$ is $\cup$-continuous the LFP is $\bigcup_i \tau^i(\mathrm{false})$, and (b) a greatest fixed point (GFP); when $\tau$ is $\cap$-continuous the GFP is $\bigcap_i \tau^i(\mathrm{true})$. How can we compute the LFP and the GFP?

Each CTL formula $f$ corresponds to the predicate $\{q \mid q \models_M f\}$, and hence to a subset of $Q$. Each CTL operator ($AF$, $E\Box$, $A\Box$, etc.) takes one or two CTL formulas and returns a new CTL formula, so these operators are predicate transformers on $\mathcal{P}(Q)$. Thus each CTL operator can be expressed as the LFP or GFP of an appropriate predicate transformer.

Lemma 1. Define $\tau(Z) \triangleq f_1 \wedge EX\,Z$, where $Z \in \mathcal{P}(Q)$. Then $E\Box f_1 = \mathrm{GFP}(\tau)$.

Proof. First, we show that $\tau$ is monotonic. Consider $Q_1 \subseteq Q_2$ and let $q \in \tau(Q_1)$. Then $q \models_M f_1$ and $q \models_M EX\,Q_1$, that is, there exists $q' \in Q$ such that $q \to q'$ and $q' \in Q_1$. As $Q_1 \subseteq Q_2$, also $q \models_M EX\,Q_2$, and therefore $q \in \tau(Q_2)$.

Let $Q^*$ be the limit of the sequence $\mathrm{true} \supseteq \tau(\mathrm{true}) \supseteq \tau(\tau(\mathrm{true})) \supseteq \cdots$. Next we show that if $q \in Q^*$ then $q \models_M (f_1 \wedge EX\,Q^*)$. Fix $q \in Q^*$. By definition of $Q^*$, $Q^*$ is a fixed point of $\tau$ (not necessarily the LFP or the GFP), i.e. $\tau(Q^*) = Q^*$, and hence $q \in \tau(Q^*)$. That is, $q \models_M (f_1 \wedge EX\,Q^*)$, which suffices.

Next we show that $E\Box f_1$ is a fixed point of $\tau$. It suffices to show that $E\Box f_1 = \tau(E\Box f_1) = f_1 \wedge EX\,E\Box f_1$. We show this in two parts. First we show that $E\Box f_1 \subseteq f_1 \wedge EX\,E\Box f_1$. Fix $q_0 \models_M E\Box f_1$. Then there exists an execution $q_0, q_1, \ldots$ of $M$ such that for all $i$, $q_i \models f_1$. This implies that $q_0 \models f_1$ and $q_1 \models E\Box f_1$, that is, $q_0 \models (f_1 \wedge EX\,E\Box f_1)$. The other direction, $E\Box f_1 \supseteq f_1 \wedge EX\,E\Box f_1$, is shown similarly.

Finally we show that $E\Box f_1 = \mathrm{GFP}(\tau)$.
As $\tau$ is monotonic and $Q$ is finite, $\tau$ is also $\cap$-continuous, and from Tarski's theorem we know that $\mathrm{GFP}(\tau) = \bigcap_i \tau^i(\mathrm{true})$. Thus it suffices to show that $\bigcap_i \tau^i(\mathrm{true}) = E\Box f_1$. Again we proceed in two steps.

First we show that $E\Box f_1 \subseteq \bigcap_i \tau^i(\mathrm{true})$, by induction on $i$. Base: clearly $E\Box f_1 \subseteq \mathrm{true}$. Inductive hypothesis: $E\Box f_1 \subseteq \tau^n(\mathrm{true})$. Then $\tau(E\Box f_1) \subseteq \tau^{n+1}(\mathrm{true})$ by monotonicity of $\tau$, and as $E\Box f_1$ is a fixed point of $\tau$, $\tau(E\Box f_1) = E\Box f_1 \subseteq \tau^{n+1}(\mathrm{true})$.

Next we show that $E\Box f_1 \supseteq \bigcap_i \tau^i(\mathrm{true})$. Consider any $q \in \bigcap_i \tau^i(\mathrm{true})$. For any $n$, $q \in \tau^n(\mathrm{true})$; in particular $q \in Q^*$, as $Q$ is finite. Then, by the claim proved in the second paragraph, there exists an infinite execution fragment starting with $q$ all of whose states satisfy $f_1$. Thus $q \models_M E\Box f_1$.

… state formulas are atomic propositions. As $s \models_M A f \equiv s \models_M \neg E \neg f$, it suffices to be able to check formulas of the form $E \neg f$.

Informal description of the algorithm:
1. Construct a Kripke structure $T$ (the tableau) for the path formula $f$ such that $T$ includes every path that satisfies $f$.
2. Composing $M$ and $T$, we find the set of paths that appear in both $M$ and $T$.
3. $s$ satisfies $Ef$ if it is the start of a path in the composition that satisfies $f$. This is checked using CTL model checking.

Construction of the tableau. Let $AP_f$ be the set of atomic propositions in $f$. We need to define a couple of functions before giving the construction of the tableau. The set of elementary sub-formulas of $f$, denoted by $el(f)$, is defined recursively as follows:

$el(p) = \{p\}$ if $p \in AP_f$
$el(\neg g) = el(g)$
$el(h \vee g) = el(g) \cup el(h)$
$el(Xg) = \{Xg\} \cup el(g)$
$el(gUh) = \{X(gUh)\} \cup el(g) \cup el(h)$.

[[Skip the transition relation construction.]] The transition relation is carefully defined in such a way that each elementary formula is in a state if and only if it is true in that state. The set of states of the tableau is going to be $\mathcal{P}(el(f))$. The $sat$ function associates with each subformula of $f$ the set of states that satisfy it.
It is recursively defined as:

$sat(g) = \{q \mid g \in q\}$ if $g \in el(f)$
$sat(\neg g) = \{q \mid q \notin sat(g)\}$
$sat(h \vee g) = sat(g) \cup sat(h)$
$sat(Xg) = \{q \mid Xg \in q\}$
$sat(gUh) = sat(h) \cup (sat(g) \cap sat(X(gUh)))$.

The tableau $T$ associated with $f$ is a Kripke structure $\langle Q_T, \to_T, L_T \rangle$, where (a) $Q_T = \mathcal{P}(el(f))$ and (b) the transition relation $\to_T$ is carefully defined in such a way that each elementary formula is in a state if and only if it is true in that state.

The transition relation of the original Kripke structure $M$ is represented by an OBDD defined over the set of atomic propositions $AP$. To define the transition relation of the tableau $T$ as an OBDD, each elementary formula $g$ is associated with a state variable $v_g$; if $g$ is an atomic proposition, then $v_g$ is $g$ itself. Thus $M$ and $T$ are both defined using:

1. state variables that appear in $AP_f$, say $\bar p$,
2. state variables that appear only in $M$, say $\bar q$, and
3. state variables that appear only in $T$, say $\bar r$.

That is, each state of $M$ is an assignment to $\bar p, \bar q$, while each state of $T$ is an assignment to $\bar p, \bar r$. We use two copies of the variables, $\bar p, \bar p'$, etc., for defining the transition relations. The transition relation of the product of the two is given by

$$R_P(\bar p, \bar q, \bar r, \bar p', \bar q', \bar r') = R_T(\bar p, \bar r, \bar p', \bar r') \wedge R_M(\bar p, \bar q, \bar p', \bar q').$$

Then we use the symbolic model checking algorithm that handles fairness constraints to find the states that satisfy $E\Box\,\mathrm{true}$ with the fairness constraint $\{sat(\neg(gUh) \vee h) \mid gUh \text{ occurs in } f\}$.
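The following is an added example, not part of the lecture notes: an explicit-state Python version of Check, CheckEX, CheckEU and CheckE□ from Sections 8 and 8.2, run on a small constructed Kripke structure. It replaces the OBDDs of the notes with plain sets of states (an assumption made for the example's sake) and also spells out E[f1 U f2] as a least fixed point, which the notes only mention.

```python
# Added example, not from the lecture notes: explicit-state versions of CheckEX,
# CheckEU and CheckE□ that iterate the predicate transformers of Section 8.2 to
# their fixed points. Sets of states stand in for the OBDDs of the notes.
class Kripke:
    def __init__(self, states, trans, labels):
        self.states = frozenset(states)   # Q, which also plays the role of "true"
        self.trans = frozenset(trans)     # pairs (q, q') with q -> q'
        self.labels = labels              # L: state -> set of atomic propositions
        # the relation must be total, so that every execution is infinite
        assert all(any(a == q for a, _ in self.trans) for q in self.states)

    def atom(self, p):
        return frozenset(q for q in self.states if p in self.labels[q])

    def check_ex(self, f):
        # CheckEX: q |= EX f iff some successor q' of q lies in f
        return frozenset(q for q, q2 in self.trans if q2 in f)

    def fixpoint(self, tau, start):
        # iterate Z := tau(Z) from start; Q is finite, so the chain stabilises
        z = start
        while (nz := tau(z)) != z:
            z = nz
        return z

    def check_eu(self, f1, f2):
        # E[f1 U f2] is the LFP of tau(Z) = f2 ∨ (f1 ∧ EX Z): iterate from false
        return self.fixpoint(lambda z: f2 | (f1 & self.check_ex(z)), frozenset())

    def check_eg(self, f1):
        # E□f1 is the GFP of tau(Z) = f1 ∧ EX Z (Lemma 1): iterate from true
        return self.fixpoint(lambda z: f1 & self.check_ex(z), self.states)

def check(f, m):
    # Check(f, M) by induction on f; formulas are nested tuples, e.g. ('EU', g, h)
    op = f[0]
    if op == 'true': return m.states
    if op == 'atom': return m.atom(f[1])
    if op == 'not':  return m.states - check(f[1], m)
    if op == 'and':  return check(f[1], m) & check(f[2], m)
    if op == 'EX':   return m.check_ex(check(f[1], m))
    if op == 'EU':   return m.check_eu(check(f[1], m), check(f[2], m))
    if op == 'EG':   return m.check_eg(check(f[1], m))
    raise ValueError(f"unknown operator {op}")

# Constructed structure: cycle 0 -> 1 -> 2 -> 0, an exit 2 -> 3 and a sink 3 -> 3
M = Kripke(range(4), [(0, 1), (1, 2), (2, 0), (2, 3), (3, 3)],
           {0: {'a'}, 1: {'a'}, 2: {'a', 'b'}, 3: set()})
A, B = ('atom', 'a'), ('atom', 'b')
```

On this structure E□a is the cycle {0, 1, 2}, E□b is empty because state 2 has no b-successor, and A□a (written as ¬E[true U ¬a]) is empty because every state can reach the sink.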