Optimizing CTL Model checking + Model checking TCTL
Transcript of Optimizing CTL Model checking + Model checking TCTL
Lecture 8 3
Today…
• Summary
• Optimizations for model checking
– ROBDDs
• TCTL
– Syntax
– Semantics
– Algorithm for MC
– Optimizations
Optimization
• The principal one:
– Reduce to a problem with Boolean variables/Boolean formulæ
• Is this reasonable?
– Well, most modelling is done like this, even when you do have (non-boolean) variables
– Plus efficiencies from efficient operations on boolean functions
States as boolean formulæ
• Encode states using m boolean variables.
– Allows for 2^m states.
• For example, m=3:
– S = {s1,s2,s3,s4,s5,s6,s7,s8}
• Propositional booleans a,b,c:
– S = {000,001,010,011,100,101,110,111}
– S = {¬a¬b¬c, ¬a¬bc, ¬ab¬c, …} (writing ¬ for the overline: s1 = 000 = ¬a¬b¬c)
Transitions as boolean formulæ
• Encode (s,s’) using before and after propositional boolean variables
– a,b,c and a’,b’,c’.
• For example, (s1,s4) with s1 = 000 and s4 = 011:
– (s1,s4) = (¬a¬b¬c) ∧ (¬a’b’c’)
Sufficient for modelling?
• Encode another mutual exclusion protocol
• Two processes, P1 and P2 share booleans
– Co-operate for mutual exclusion
• Third process T1 monitors and sets a turn variable
• System is the parallel composition: P1 || P2 || T1
Co-operative mutex: Process P1
P1 =
  if (idle1) { wait1 = true; idle1 = false;
  } else if (wait1 & idle2) { active1 = true; wait1 = false;
  } else if (wait1 & wait2 & (!turn)) { active1 = true; wait1 = false;
  }
  if (active1) { CritSect(); idle1 = true; active1 = false;
  }; ( followed by P1 )
Co-operative mutex: Process P2
P2 =
  if (idle2) { wait2 = true; idle2 = false;
  } else if (wait2 & idle1) { active2 = true; wait2 = false;
  } else if (wait2 & wait1 & turn) { active2 = true; wait2 = false;
  }
  if (active2) { CritSect(); idle2 = true; active2 = false;
  }; ( followed by P2 )
Co-operative mutex: Process T1
T1 =
  if (idle1 & wait2) {
    turn = true;
  } else if (idle2 & wait1) {
    turn = false;
  }; ( followed by T1 )

System = (P1 || P2 || T1); System;
Transitions as predicates
• P1 = (i1 ∧ w1’ ∧ ¬i1’) ∨ (w1 ∧ i2 ∧ a1’ ∧ ¬w1’)
       ∨ (w1 ∧ w2 ∧ ¬t ∧ a1’ ∧ ¬w1’) ∨ (a1 ∧ i1’ ∧ ¬a1’)
• P2 = (i2 ∧ w2’ ∧ ¬i2’) ∨ (w2 ∧ i1 ∧ a2’ ∧ ¬w2’)
       ∨ (w2 ∧ w1 ∧ t ∧ a2’ ∧ ¬w2’) ∨ (a2 ∧ i2’ ∧ ¬a2’)
• T1 = (i1 ∧ w2 ∧ t’) ∨ (i2 ∧ w1 ∧ ¬t’)
– i, w, a, t abbreviate idle, wait, active, turn; primed variables are the values after the transition, and ¬ marks the variables the code on the previous slides assigns false
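The encoding on the last few slides, worked through as an added example (my code, not the lecture's): the seven booleans i1,w1,a1,i2,w2,a2,t form the state, each disjunct of P1, P2 and T1 becomes a predicate over before/after variables, and a least-fixpoint reachability computation checks that active1 and active2 are never true together. Assumptions not on the slides: the initial state has both processes idle with turn = false, and a variable that a disjunct does not mention keeps its value.

```python
from itertools import product
VARS = ("i1", "w1", "a1", "i2", "w2", "a2", "t")   # idle/wait/active, turn
ALL = list(product((0, 1), repeat=len(VARS)))      # all 2^7 = 128 encodings

def val(bits):
    return dict(zip(VARS, bits))   # bit tuple -> {name: 0/1}

def lit(s, n, before, after):
    """One disjunct of a transition predicate: `before` is a conjunction of
    literals over the unprimed variables (value 0 = negated literal), `after`
    over the primed ones. Assumption (implicit on the slide): a primed
    variable not mentioned in `after` keeps its unprimed value."""
    return (all(s[v] == b for v, b in before.items())
            and all(n[v] == b for v, b in after.items())
            and all(n[v] == s[v] for v in VARS if v not in after))

def T(b, bn):
    """Transition relation of P1 || P2 || T1: disjunction of the three
    predicates, i.e. interleaving, one process step per transition."""
    s, n = val(b), val(bn)
    return (lit(s, n, {"i1": 1}, {"w1": 1, "i1": 0})                    # P1
            or lit(s, n, {"w1": 1, "i2": 1}, {"a1": 1, "w1": 0})
            or lit(s, n, {"w1": 1, "w2": 1, "t": 0}, {"a1": 1, "w1": 0})
            or lit(s, n, {"a1": 1}, {"i1": 1, "a1": 0})
            or lit(s, n, {"i2": 1}, {"w2": 1, "i2": 0})                 # P2
            or lit(s, n, {"w2": 1, "i1": 1}, {"a2": 1, "w2": 0})
            or lit(s, n, {"w2": 1, "w1": 1, "t": 1}, {"a2": 1, "w2": 0})
            or lit(s, n, {"a2": 1}, {"i2": 1, "a2": 0})
            or lit(s, n, {"i1": 1, "w2": 1}, {"t": 1})                  # T1
            or lit(s, n, {"i2": 1, "w1": 1}, {"t": 0}))

def post(R):
    """Image of a state set: {s' | exists s in R with T(s, s')}."""
    return {bn for bn in ALL if any(T(b, bn) for b in R)}

def reachable(init):
    """Least fixpoint R = {init} | post(R): the reachable states."""
    R = {init}
    while True:
        bigger = R | post(R)
        if bigger == R:
            return R
        R = bigger

INIT = (1, 0, 0, 1, 0, 0, 0)   # assumed initial state: both idle, turn = false

def mutual_exclusion_holds():
    """Safety check: no reachable state has active1 and active2 both true."""
    a1, a2 = VARS.index("a1"), VARS.index("a2")
    return not any(b[a1] and b[a2] for b in reachable(INIT))
```

Only 16 of the 128 encodings are reachable, and none of them has both processes active; an ROBDD-based checker computes the same post-image and fixpoint on the formulæ instead of on the explicit encodings.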
History…
• The ROBDD optimization is originally due to Bryant (1986), in his paper on boolean graphs
• The application to model checking is due to McMillan (originally in the late 80s; the subject of his thesis in 1992)
• SMV, the Symbolic Model Verifier, originally by McMillan
Regional transition system (RTS)
• Given TATTS = (S, S0, Act, →), the RTS is a quotiented transition system RTS = (Ř, Ř0, Act, →), where
– Ř = {(s,[v]t) | (s,v) ∈ S ∧ [v]t ∈ REGv}, and
– Ř0 = {(s,[v]t) | (s,v) ∈ S0 ∧ [v]t ∈ REGv}, and
• finally, (s,[v]t) -a-> (s’,[v’]t) if and only if there is a transition (s,v) -a-> (s’,v’) in TATTS.
Regional transition system (RTS)
• Notation:
– Ř – a set of regions
– ř – a particular region in the set: (s,[v]t)
– r – a particular valuation: (s,v)
Kripke structure/model for TCTL
• Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (Ř, Δ, AP, L)
– Ř – a finite set of regions from the RTS
– Δ ⊆ Ř × Ř – a total transition relation
– AP – a finite set of atomic propositions
– L: Ř → 2^AP – a labelling function which labels each region with the propositions true in that region
• Note that the propositions may include clock constraints…
TCTL syntax
• Given p ∈ AP, x ∈ X (model clock variables), z ∈ Z (property clock variables), and clock constraints over X ∪ Z, then p and each clock constraint are TCTL formulæ, and if φ1 and φ2 are TCTL formulæ then so are:
• ¬φ1
• φ1 ∧ φ2
• φ1 ∨ φ2
• z in φ1
• A( φ1 U φ2 )
• E( φ1 U φ2 )
TCTL examples
• Note: temporal operators can be subscripted:
• A( φ1 U<7 φ2 ) means φ1 holds until (within 7 time units) φ2 becomes true.
• Implemented as: z in A( (φ1 ∧ z<7) U φ2 )
• A( alarm U<7 boiler-off ): the alarm is on until (within 7 time units) boiler-off is signalled.
• EF<7( alarm ) = E( true U<7 alarm ): the alarm will be on within 7 time units.
Semantics of TCTL
• Expressed in terms of a model and the modelling (satisfaction) relation ⊨, which links a model, a composite state r=(s,v) and a formula clock valuation f with a property.
• M,(r,f) ⊨ P means that the (TCTL) property P holds in (is satisfied in) state r under the formula clock valuation f, for the given model M.
(Inductive) definition of ⊨
M,(r,f) ⊨ p ⇔ p ∈ L(ř), where ř is the region containing r
M,(r,f) ⊨ (a clock constraint) ⇔ the combined valuation of the model clocks v and the property clocks f satisfies the constraint
M,(r,f) ⊨ ¬φ1 ⇔ ¬(M,(r,f) ⊨ φ1)
M,(r,f) ⊨ φ1 ∧ φ2 ⇔ M,(r,f) ⊨ φ1 and M,(r,f) ⊨ φ2
M,(r,f) ⊨ φ1 ∨ φ2 ⇔ M,(r,f) ⊨ φ1 or M,(r,f) ⊨ φ2
(Inductive) definition of ⊨
• M,(r,f) ⊨ z in φ1 ⇔ M,(r, z in f) ⊨ φ1
– The notation z in f asserts that z is reset to 0 whenever it appears in the formula f
• M,(r,f) ⊨ A( φ1 U φ2 ) ⇔ for every path π from r, for some j, M,π(j) ⊨ φ2, and for all i<j, M,π(i) ⊨ φ1 ∨ φ2.
(Inductive) definition of ⊨
• M,(r,f) ⊨ E( φ1 U φ2 ) ⇔ for some path π from r, for some j,
M,π(j) ⊨ φ2, and
for all i<j, M,π(i) ⊨ φ1 ∨ φ2.
– Note that in both EU and AU, the condition up until φ2 is φ1 ∨ φ2, and not just φ1!!
Model checking TCTL
• Definition of a labelling algorithm in the notes – not much different from CTL
• The only problem is this definition uses a least fixpoint iteration over an infinite set…
• In practice use the region construction…
Optimization for TCTL MC
• We have already seen the steps to create a (finite) regional automaton
• Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion
• For this reason, limit the size of systems
• … so far …
Uppaal – more formally
• TCTL, but with restrictions that amount to only safety (reachability) formulæ:
– The set Z of property clock variables in a formula is empty ({})
– Syntax is just AG(β) and EF(β) at the outer level, with β ::= a | x op n | ¬β | β1 ∧ β2 (op ∈ {<, ≤, =, ≥, >})
– a is a location in the model
• Other properties (bounded liveness…) require extended models/automata:
– compare the system model with another test model