Verification by Model Checking - Institute of Information Science

Verification by Model Checking
Bow-Yaw Wang
Institute of Information Science
Academia Sinica, Taiwan
November 30, 2016
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
1 / 154
Motivation I
Computers are commonly used in modern society.
▸
aircrafts, high-speed trains, cars, nuclear plants, banks, hospitals,
governments, etc.
What if computer programs go wrong?
▸
Therac-25, Ariane 5, Pentium FDIV, high-speed rail, etc.
A prominent application of logic in computer science is to verify
critical computer systems.
With logic, we are able to state and prove properties about computer
systems formally.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
2 / 154
Motivation II
Engineering techniques are also used to build critical systems.
▸
testing, metrics, documentation, good programming practices, etc.
Such techniques cannot guarantee correctness.
Since mid-1990’s, formal logic has been deployed in computer
industry.
Many organizations are asking manufacturers to apply formal
methods in development cycles.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
3 / 154
Classification of Verification Techniques
Proof- versus model-based. Is the technique syntactic or semantic?
Degree of automation. Does the technique need human guidance?
How much?
Full- versus property-verification. Does the technique verify all or
some requirements?
Intended domain. What types of systems (hardware/software,
interactive/reactive etc) the technique is designed for?
Pre- versus post-development. Is the technique applied before or after
system development?
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
4 / 154
Model Checking
Model checking is a model-based, automatic, property-oriented
verification technique for concurrent and reactive systems.
We construct a model M of a system and specify a property φ in
some logic.
The model M describes system behaviors (variable values, messages
sent or received, etc).
M has a designated state s.
The property φ is specified in temporal logics.
Informally, M, s ⊧ φ holds if M satisfies φ at s.
Model checking verifies whether M, s ⊧ φ holds.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
5 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
6 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
7 / 154
Linear-time Temporal Logic (LTL)
Linear-time temporal logic (LTL) models time as an infinite sequence
of states.
▸
Such an infinite sequence of states is called a computation path or
simply path.
LTL allows us to describe temporal properties about computation
paths.
▸
For instance, event P eventually happens, or event P happens until
event Q does, etc.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
8 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
9 / 154
Syntax of LTL
Consider a fixed set Atoms of atomic formulae p, q, r , . . ..
Definition
Linear-time temporal logic has the following syntax:
φ ∶∶= ⊺ ∣ ∣ p ∣ (¬φ) ∣ (φ ∧ φ) ∣ (φ ∨ φ) ∣ (φ Ô⇒ φ) ∣
(Xφ) ∣ (Fφ) ∣ (Gφ) ∣ (φ U φ) ∣ (φ W φ) ∣ (φ R φ)
where p ∈ Atoms is an atomic formula.
The connectives X, F, G, U, R, and W are temporal connectives.
Informally, X means “neXt state,” F means “some Future state,” G
means “all future states (Globally),” U means “Until,” R means
“Release,” and W means “Weak-until.”
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
10 / 154
Convention and Examples
By convention, binding powers of LTL connectives are:
strongest
¬, X, F, G
→
U, R, W
∧, ∨
weakest
Ô⇒
Examples:
Fp ∧ Gq Ô⇒ p W r
p W (q W r )
F(p Ô⇒ Gr ) ∨ ¬q U p
GFp Ô⇒ F(q ∨ s)
Non-examples:
Ur
pGq
A subformula of an LTL formula φ is a formula ψ whose parse tree is
a subtree of φ’s parse tree.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
11 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
12 / 154
Semantics of LTL I
Recall that LTL allows us to describe properties about computation
paths.
We will formalize computation paths by transition systems.
Definition
A transition system M = (S, →, L) consists of a set S of states, a total
transition relation →⊆ S × S, and a labelling function L ∶ S → 2Atoms .
Instead of (s, s ′ ) ∈→, we will write s → s ′ .
A transition relation →⊆ S × S is total if for every s ∈ S there is an
s ′ ∈ S such that s → s ′ .
For any s ∈ S, L(s) contains the set of atomic formulae which are
true in s.
A transition system is also called a model.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
13 / 154
Semantics of LTL II
p, q s0
s2
s1 q, r
r
Let M = (S, →, L) with S = {s0 , s1 , s2 },
→= {(s0 , s1 ), (s0 , s2 ), (s1 , s0 ), (s1 , s2 ), (s2 , s2 )}, and L(s0 ) = {p, q},
L(s1 ) = {q, r }, and L(s2 ) = {r }.
We can represent the transition system M as a directed graph.
Note that transition relations must be total.
▸
▸
If the self loop at s2 were removed, M would not be a transition
system.
In order to model a state s without any outgoing transition, we add a
new state sd with a self loop and s → sd .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
14 / 154
Computation Path and Suffix
Definition
A path in a model M = (S, →, L) is an infinite sequence of states
s0 , s1 , . . . , sn , . . . such that si → si+1 for every i ≥ 0. We also write
s0 → s1 → ⋯ for the path s0 , s1 , . . . , sn , . . ..
For instance, s1 → s0 → s1 → s2 → s2 → ⋯ is a path in the example.
Definition
Let π = s0 → s1 → ⋯ be a path in a model M = (S, →, L). The i-suffix π i
is the suffix si → si+1 → ⋯ of π.
Let π = s1 → s0 → s1 → s2 → s2 → ⋯. We have
△
π 0 = π;
△
π 1 = s0 → s1 → s2 → s2 → ⋯;
△
π 2 = s1 → s2 → s2 → ⋯;
3 △
π = s2 → s2 → ⋯; etc.
△
▸
▸
▸
▸
Suffixes of a path are paths.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
15 / 154
π⊧φ I
Definition
Let M = (S, →, L) be a model, π = s0 → s1 → ⋯ a path in M, and φ an LTL formula.
Define the satisfaction relation π ⊧ φ as follows.
1
π ⊧ ⊺; π ⊧
/ ; and π ⊧ p if p ∈ L(s0 );
2
π ⊧ ¬φ if π ⊧
/ φ; π ⊧ φ ∧ ψ if π ⊧ φ and π ⊧ ψ; π ⊧ φ ∨ ψ if π ⊧ φ or π ⊧ ψ;
3
π ⊧ φ Ô⇒ ψ if π ⊧ ψ whenever π ⊧ φ;
4
π ⊧ Xφ if π 1 ⊧ φ;
5
π ⊧ Gφ if π i ⊧ φ for every i ≥ 0;
6
π ⊧ Fφ if π i ⊧ φ for some i ≥ 0;
7
π ⊧ φ U ψ if there is some i ≥ 0 such that π i ⊧ ψ and for every 0 ≤ j < i, π j ⊧ φ;
8
9
π ⊧ φ W ψ if either there is some i ≥ 0 such that π i ⊧ ψ and for every 0 ≤ j < i we
have π j ⊧ φ; or for every k ≥ 0 we have π k ⊧ φ;
π ⊧ φ R ψ if either there is some i ≥ 0 such that π i ⊧ φ and for every 0 ≤ j ≤ i we
have π j ⊧ ψ; or for every k ≥ 0 we have π k ⊧ ψ.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
16 / 154
π ⊧ φ II
1
⊺ is always true; is always false; and π ⊧ p if p is true at the start of π;
2
¬φ, φ ∧ ψ, φ ∨ ψ, and φ Ô⇒ ψ have the usual semantics;
3
Xφ is true if φ is true at the 1-suffix of π;
4
Gφ is true if φ is always true in the future;
▸
Note that “present” is a part of “future.”
5
Fφ is true if φ is true for some future;
6
φ U ψ is true if φ is true until exclusively ψ is true;
▸
7
φ W ψ is true if φ U ψ or φ is always true;
▸
8
Note that ψ must be true in the future.
Note that φ W ψ does not require ψ to be true in the future.
φ R ψ is true if ψ is true until inclusively φ releases ψ, or ψ is always true.
▸
Note that φ R ψ does not require φ to be true in the future.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
17 / 154
M, s ⊧ φ
Definition
Let M = (S, →, L) be a model, s ∈ S, and φ an LTL formula. M, s ⊧ φ if
for every path π of M starting at s, we have π ⊧ φ.
Think of the model M as the description of a program and s a state
of the program.
M, s ⊧ φ holds if for every possible computation path satisfies the
LTL formula φ.
Particularly, consider programs that depends on user inputs and the
initial state si of such a program.
M, si ⊧ φ holds if all executions of the program satisfy φ no matter
what user inputs are.
This is a very strong statement.
▸
▸
Much stronger than testing programs.
Testing can only falsify properties; it cannot prove properties.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
18 / 154
Examples I
p, q s0
s2
s1 q, r
r
M, s0 ⊧ p ∧ q;
M, s0 ⊧ ¬r ;
M, s0 ⊧ ⊺;
M, s0 ⊧ Xr ;
M, s0 ⊧
/ X(q ∧ r );
M, s0 ⊧ G¬(p ∧ r );
M, s0 ⊧ GFr ;
M, s0 ⊧ GFp Ô⇒ GFr ;
M, s0 ⊧
/ GFr Ô⇒ GFp.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
19 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
20 / 154
Patterns of Specifications
It is impossible to go to a state where started holds but ready does
not: G¬(started ∧ ¬ready)
For any state, if request holds then it will be acknowledged
eventually: G(request Ô⇒ Facknowledged)
enabled occurs infinitely often: GFenabled
stable will eventually occurs permanently: FGstable
If a process is enabled infinitely often, it is running infinitely often:
GFenabled Ô⇒ GFrunning
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
21 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
22 / 154
Semantically Equivalence I
Definition
Let φ and ψ be LTL formulae. φ and ψ are semantically equivalent
(written φ ≡ ψ) if for all paths π, π ⊧ φ iff π ⊧ ψ.
Semantically equivalent propositional formulae are still equivalent, for
example:
¬(φ ∧ ψ) ≡ ¬φ ∨ ¬ψ
¬(φ ∨ ψ) ≡ ¬φ ∧ ¬ψ.
F and G are dual; X is dual to itself:
¬Gφ ≡ F¬φ
¬Fφ ≡ G¬φ
¬Xφ ≡ X¬φ.
U and R are dual (why?):
¬(φ U ψ) ≡ ¬φ R ¬ψ
Bow-Yaw Wang (Academia Sinica)
¬(φ R ψ) ≡ ¬φ U ¬ψ.
Verification by Model Checking
November 30, 2016
23 / 154
Semantically Equivalence II
F distributes over ∨ and G over ∧ (why?):
F(φ ∨ ψ) ≡ Fφ ∨ Fψ
▸
G(φ ∧ ψ) ≡ Gφ ∧ Gψ.
What about F over ∧ and G over ∨?
F(φ ∧ ψ) ≡ Fφ ∧ Fψ
?
G(φ ∨ ψ) ≡ Gφ ∨ Gψ.
?
F and G in U and R:
Fφ ≡ ⊺ U φ
Gφ ≡ R φ.
U is equivalent to W and F:
φ U ψ ≡ φ W ψ ∧ Fψ.
W and R are closely related:
φ W ψ ≡ ψ R (φ ∨ ψ)
Bow-Yaw Wang (Academia Sinica)
φ R ψ ≡ ψ W (φ ∧ ψ)
Verification by Model Checking
November 30, 2016
24 / 154
Semantically Equivalence III
Theorem
φ U ψ ≡ ¬(¬ψ U (¬φ ∧ ¬ψ)) ∧ Fψ.
Proof.
Consider any path π = s0 → s1 → ⋯.
Suppose π ⊧ φ U ψ. Let n be the smallest number that π n ⊧ ψ. We have
π ⊧ Fψ. It remains to show π ⊧ ¬(¬ψ U (¬φ ∧ ¬ψ)). By the definition of
n, π i ⊧ ¬ψ for 0 ≤ i < n. Moreover, π n ⊧ ψ and hence π n ⊧
/ ¬φ ∧ ¬ψ. That
is, π ⊧
/ ¬ψ U (¬φ ∧ ¬ψ).
Conversely, suppose π ⊧ ¬(¬ψ U (¬φ ∧ ¬ψ)) ∧ Fψ. Let n be the smallest
number that π n ⊧ ψ (by π ⊧ Fψ). Assume π i ⊧ ¬φ for some 0 ≤ i < n.
Then π i ⊧ ¬ψ by the minimality of n. Hence π i ⊧ ¬φ ∧ ¬ψ. There is an
0 ≤ j < i < n such that π j ⊧ ψ since π ⊧ ¬(¬ψ U (¬φ ∧ ¬ψ)). A
contradiction to the minimality of n.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
25 / 154
Outline
1
Linear-time temporal logic
Syntax of LTL
Semantics of LTL
Practical patterns of specifications
Important equivalences between LTL formulae
Adequate sets of connectives for LTL
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
26 / 154
Adequate Sets of LTL Connectives I
An adequate set of connectives in a logic can express any connective
in the same logic.
▸
For instance, {, ∧, ¬} is an adequate set of connectives in
propositional logic.
By semantical equivalences in LTL, we have the following adequate
sets:
▸
▸
▸
{U, X}. Recall φ R ψ ≡ ¬(¬φ U ¬ψ) and φ W ψ ≡ ψ R (φ ∨ ψ).
{R, X}. Recall that φ U ψ ≡ ¬(¬φ R ¬ψ) and φ W ψ ≡ ψ R (φ ∨ ψ).
{W, X}. Recall that φ R ψ ≡ ψ W (φ ∧ ψ) and φ U ψ ≡ ¬(¬φ R ¬ψ).
Note that X is independent of other connectives.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
27 / 154
Adequate Sets of LTL Connectives II
Consider the fragment of LTL without negation and X.
We have the following adequate sets:
▸
▸
▸
▸
▸
{U, R} since φ W ψ ≡ ψ R (φ ∨ ψ), Fφ ≡ ⊺ U φ, and Gφ ≡ R φ.
{U, W} since φ R ψ ≡ ψ W (φ ∧ ψ), Fφ ≡ ⊺ U φ, and Gφ ≡ R φ.
{U, G} since φ W ψ ≡ φ U ψ ∨ Gφ, φ R ψ ≡ ψ W (φ ∧ ψ), and Fφ ≡ ⊺ U φ.
{R, F} since φ W ψ ≡ ψ R (φ ∨ ψ), φ U ψ ≡ φ W ψ ∧ Fψ, and Gφ ≡ R φ.
{W, F} since φU ≡ φ W ψ ∧ Fφ, φ R ψ ≡ ψ W (φ ∧ ψ), and Gφ ≡ R φ.
Note that {R, G}, {W, G}, and {U, F} are not adequate.
▸
▸
F cannot be defined by {R, G} nor {W, G}.
G cannot be defined by {U, F}.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
28 / 154
Outline
1
Linear-time temporal logic
2
Model checking
Example: mutual exclusion
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
29 / 154
Outline
1
Linear-time temporal logic
2
Model checking
Example: mutual exclusion
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
30 / 154
Mutual Exclusion I
When two concurrent processes share a resource (printer, disk, etc),
they sometimes need to access the resource exclusively.
Critical sections are portions of process codes that have exclusive
access to a shared resource.
For efficiency, critical sections should be as small as possible.
Moreover, at most one process can enter its critical section at any
time.
We will design a simple protocol to ensure mutually exclusive access
to critical sections and verify our solution.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
31 / 154
Mutual Exclusion II
Let us first try to specify our requirements informally.
A protocol solving the mutual exclusion problem must ensure the
following property:
Safety: at most one process can enter its critical section at any time.
Moreover, a protocol should not prevent any process from entering
critical sections permanently:
Liveness: When a process requests to enter its critical section, it will
eventually be permitted to do so.
Non-blocking: A process can always request to enter its critical
section.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
32 / 154
Mutual Exclusion: First Attempt I
s0
n1 n2
s1 t1 n2
s2 c1 n2
n1 t2 s5
n1 c2 s6
t1 t2
s3
s4 c1 t2
t1 c2 s7
Consider two processes P1 and P2 .
P1 has three states: non-critical state (n1 ), trying state (t1 ), and
critical state (c1 ). Similarly, P2 has states n2 , t2 , and c2 .
▸
Local states are modeled as atomic formulae.
Each process has transitions n → t → c → n → t → c → ⋯.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
33 / 154
Mutual Exclusion: First Attempt II
s0
n1 n2
s1 t1 n2
s2 c1 n2
n1 t2 s5
n1 c2 s6
t1 t2
s3
s4 c1 t2
t1 c2 s7
The system starts with both processes at non-critical states (s0 ).
Exactly one process makes a transition at any time.
▸
This is called an asynchronous interleaving model.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
34 / 154
Mutual Exclusion: First Attempt III
s0
n1 n2
s1 t1 n2
s2 c1 n2
n1 t2 s5
n1 c2 s6
t1 t2
s3
s4 c1 t2
t1 c2 s7
Safety. The property is expressed by G¬(c1 ∧ c2 ) in LTL. It holds.
Liveness. This is expressed by G(t1 Ô⇒ Fc1 ) in LTL. The property
is not satisfied due to the path s0 → s1 → s3 → s7 → s1 → s3 → s7 ⋯.
Non-blocking. We would like to express: when a process at n, there is
a successor at t. This is not expressible in LTL.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
35 / 154
Mutual Exclusion: Second Attempt
s0
n1 n2
s1 t1 n2
s2 c1 n2
n1 t2 s5
t1 t2
s3
n1 c2 s6
t1 t2
s8
s4 c1 t2
t1 c2 s7
Liveness does not hold because the state s3 does not record which
process enters the trying state first.
In our second design, we use two states to record which process
enters the trying state first.
▸
s3 remembers P1 enters t1 first; s8 remembers P2 enters t2 first.
One can verify all three properties are satisfied.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
36 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
Mutual exclusion revisited
The ferryman
The alternating bit protocol
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
37 / 154
The NuSMV Model Checker
NuSMV is an open-sourced model checker.
We specify a transition system M = (S, →, L) with an initial state
s0 ∈ S, and a linear temporal logic formula φ.
NuSMV checks whether M, s0 ⊧ φ holds.
We will learn how to specify a transition system in NuSMV.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
38 / 154
NuSMV Modules I
A NuSMV model consists of several modules.
A module can be instantiated several times with different names.
There is exactly one main module.
An LTL formula uses the following symbols:
NuSMV
!
&
G
X
Bow-Yaw Wang (Academia Sinica)
for
LTL NuSMV
¬
−>
∧
∣
F
G
X
U
Verification by Model Checking
for
LTL
Ô⇒
∨
F
U
November 30, 2016
39 / 154
NuSMV Modules II
Here is a NuSMV model with an LTL formula
G(request Ô⇒ F(status = busy)):
MODULE main
VAR
request : boolean ;
status : { ready , busy };
ASSIGN
init ( status ) := ready ;
next ( status ) := case
request : busy ;
TRUE : { ready , busy };
esac ;
LTLSPEC
G ( request -> F status = busy );
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
40 / 154
NuSMV Modules III
The NuSMV model specifies the following transition system:
Bow-Yaw Wang (Academia Sinica)
req
ready
req
busy
¬req
ready
¬req
busy
Verification by Model Checking
November 30, 2016
41 / 154
One-bit Adder
MODULE adder ( i0 , i1 )
VAR o : boolean ; c : boolean ;
ASSIGN
o := i0 xor i1 ;
c := i0 & i1 ;
MODULE main
VAR
b0 : boolean ; b1 : boolean ;
a : adder ( b0 , b1 );
LTLSPEC G (! b0 & ! b1 -> ! a . c & ! a . o );
LTLSPEC G ( b0 & ! b1 -> ! a . c & a . o );
LTLSPEC G (! b0 & b1 -> ! a . c & a . o );
LTLSPEC G ( b0 & b1 -> a . c & ! a . o );
Here is a possible trace:
(b0, b1, a.o, a.c)
Bow-Yaw Wang (Academia Sinica)
0
(F F F F)
1
(F T T F)
2
(F F F F)
Verification by Model Checking
3
(T T F T)
⋯
⋯
November 30, 2016
42 / 154
Two-bit Adder
MODULE adder ( b0 , b1 , ic )
VAR o : word [1]; c : word [1];
ASSIGN
o := word1 ( bool ( b0 ) xor bool ( b1 ) xor bool ( ic ));
c := word1 (( bool ( b0 ) & bool ( b1 )) | ( bool ( b0 ) & bool ( ic )) |
( bool ( b1 ) & bool ( ic )));
MODULE main
VAR
i : word [2]; j : word [2];
a0 : adder ( i [0:0] , j [0:0] , 0 b1_0 );
a1 : adder ( i [1:1] , j [1:1] , a0 . c );
DEFINE
o := a1 . o :: a0 . o ; c := a1 . c ;
LTLSPEC G ( i = 0 b2_10 & j = 0 b2_10 -> c = 0 b1_1 & o = 0 b2_00 );
LTLSPEC G ( i = 0 b2_10 & j = 0 b2_11 -> c = 0 b1_1 & o = 0 b2_01 );
id [high :low ] selects bits in words
0b4 1010 = 0o2 12 = 0d2 10 = 0h1 a
DEFINE defines a macro
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
43 / 154
A Two-bit Counter
MODULE counter
VAR b : array 0..1 of boolean ;
ASSIGN
init ( b [0]) := FALSE ; init ( b [1]) := FALSE ;
next ( b [0]) := ! b [0];
next ( b [1]) := case
! b [0] : b [1];
b [0] : ! b [1];
esac ;
MODULE main
VAR c : counter ;
Use array of to declare arrays
Use init to refer the initial value of a variable
The following shows how c.b changes
(c.b[1], c.b[0])
Bow-Yaw Wang (Academia Sinica)
0
(F F)
1
(F T)
2
(T F)
3
(T T)
Verification by Model Checking
4
(F F)
⋯
⋯
November 30, 2016
44 / 154
More about case
var := case
bexp0 : exp0 ;
bexp1 : exp1 ;
...
bexpn : expn ;
esac ;
In a case expression, bexp’s are evaluated consecutively
The result of a case expression is expi if bexp0 to bexpi-1 all
evaluate to false but bexpi evaluates to true
NuSMV requires bexp0 ∨ bexp1 ∨⋯∨ bexpn is valid
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
45 / 154
Define by Constraints
MODULE delayed - inverter - constraint ( b )
VAR o : boolean ;
TRANS next ( o ) = ! b ;
MODULE main
VAR
b : boolean ;
i : delayed - inverter - constraint ( b );
INIT b = FALSE ;
INVAR b = ! i . o ;
LTLSPEC G ! b
INIT bexp specifies a condition to be fulfilled at an initial state
INVAR bexp specifies a condition to be fulfilled at any state
TRANS next-bexp specifies a condition to be fulfilled at each
transition
(b, i.o)
0
(F T)
Bow-Yaw Wang (Academia Sinica)
1
(F T)
2
(F T)
⋯
⋯
Verification by Model Checking
November 30, 2016
46 / 154
Synchronous and Asynchronous Composition
NuSMV composes modules synchronously by default.
▸
That is, every module make a transition at the same time.
We may want to specify asynchronous modules sometimes.
▸
That is, exactly one module makes a transition at any time.
To specify asynchronous modules, we use the keyword process to
instantiate a module.
An asynchronous module has an implicit Boolean variable running.
The variable running is true when the module takes a transition.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
47 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
Mutual exclusion revisited
The ferryman
The alternating bit protocol
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
48 / 154
Mutual Exclusion Revisited I
MODULE prc ( other - st , turn , myturn )
VAR st : { n , t , c };
ASSIGN
init ( st ) := n ;
next ( st ) := case
st = n
st = t & other - st = n
st = t & other - st = t & turn = myturn
st = c
TRUE
esac ;
next ( turn ) := case
turn = myturn & st = c
TRUE
esac ;
FAIRNESS running ;
FAIRNESS !( st = c );
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
:
:
:
:
:
{ t , n };
c;
c;
{ c , n };
st ;
: ! turn ;
: turn ;
November 30, 2016
49 / 154
Mutual Exclusion Revisited II
MODULE main
VAR
turn : boolean ;
pr1 : process prc ( pr2 . st , turn , FALSE );
pr2 : process prc ( pr1 . st , turn , TRUE );
ASSIGN
init ( turn ) := FALSE ;
-- safety
LTLSPEC G !(( pr1 . st = c ) & ( pr2 . st = c ))
-- liveness
LTLSPEC G (( pr1 . st = t ) -> F ( pr1 . st = c ))
LTLSPEC G (( pr2 . st = t ) -> F ( pr2 . st = c ))
FAIRNESS bexp ; is a fairness constraint.
NuSMV only considers paths where bexp is true infinitely often if
fairness constraints present.
▸
What happens if we remove fairness constraints?
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
50 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
Mutual exclusion revisited
The ferryman
The alternating bit protocol
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
51 / 154
The Ferryman Puzzle I
Consider the following puzzle: a ferryman, goat, cabbage, and a wolf
are on one side of a river. The ferryman can cross the river with at
most one passenger in his boat. However
▸
▸
the goat eats the cabbage; and
the wolf eats the goat.
The ferryman must be on the same side of the river to prevent
conflicts. Can the ferryman transport all goods to the other side
safely?
Let us use NuSMV to check if the ferryman is solvable.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
52 / 154
The Ferryman Puzzle II
MODULE main
VAR
ferryman : boolean ;
goat : boolean ;
cabbage : boolean ;
wolf : boolean ;
carry : { g , c , w , n };
ASSIGN
init ( ferryman ) := FALSE ;
init ( goat )
:= FALSE ;
init ( cabbage ) := FALSE ;
init ( wolf )
:= FALSE ;
init ( carry )
:= n ;
next ( ferryman ) := { FALSE , TRUE };
next ( goat ) := case
ferryman = goat & next ( carry ) = g : next ( ferryman );
TRUE
: goat ;
esac ;
next ( cabbage ) := case
ferryman = cabbage & next ( carry ) = c : next ( ferryman );
TRUE
: cabbage ;
esac ;
next ( wolf ) := case
ferryman = wolf & next ( carry ) = w : next ( ferryman );
TRUE
: wolf ;
esac ;
TRANS
( next ( carry ) = n ) |
( ferryman = goat
& next ( carry ) = g ) |
( ferryman = cabbage & next ( carry ) = c ) |
( ferryman = wolf
& next ( carry ) = w );
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
53 / 154
The Ferryman Puzzle III
Boolean variables ferryman, goat, cabbage, wolf denote the
location of the ferryman, goat, cabbage, wolf.
Initially, all are on the same side (FALSE).
The variable carry denotes the good carried by the ferryman: g
(goat), c (cabbage), w (wolf), or n (none).
At any time, the ferryman moves to either side.
At any time, we have
▸
▸
▸
▸
the
the
the
the
ferryman
ferryman
ferryman
ferryman
Bow-Yaw Wang (Academia Sinica)
does not carry anything;
carries the goat;
carries the cabbage; or
carries the wolf.
Verification by Model Checking
November 30, 2016
54 / 154
The Ferryman Puzzle IV
We verify if it is impossible that no conflict occurs until all are on the
other side.
LTLSPEC
!((
( goat = cabbage | goat = wolf ) -> goat = ferryman )
U ( cabbage & goat & wolf & ferryman ))
That is, any “bug” gives a solution to the ferryman puzzle.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
55 / 154
The Ferryman Puzzle V
Here is a solution found by NuSMV:
-> State : 1.1 <ferryman = FALSE
goat = FALSE
cabbage = FALSE
wolf = FALSE
carry = n
-> State : 1.2 <ferryman = TRUE
goat = TRUE
carry = g
-> State : 1.3 <ferryman = FALSE
carry = n
-> State : 1.4 <ferryman = TRUE
wolf = TRUE
carry = w
-> State : 1.5 <ferryman = FALSE
goat = FALSE
carry = g
-> State : 1.6 <ferryman = TRUE
cabbage = TRUE
carry = c
-> State : 1.7 <-
Bow-Yaw Wang (Academia Sinica)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ferryman = FALSE
carry = n
-> State : 1.8 <ferryman = TRUE
goat = TRUE
carry = g
-> State : 1.9 <ferryman = FALSE
wolf = FALSE
carry = w
-> State : 1.10 <ferryman = TRUE
carry = n
-> State : 1.11 <ferryman = FALSE
cabbage = FALSE
carry = c
-> State : 1.12 <ferryman = TRUE
carry = n
-> State : 1.13 <ferryman = FALSE
goat = FALSE
carry = g
-> State : 1.14 <carry = n
Verification by Model Checking
November 30, 2016
56 / 154
The Ferryman Puzzle VI
Side A
ferryman, cabbage, goat, wolf
cabbage, wolf
ferryman, cabbage, wolf
cabbage
ferryman, cabbage, goat
goat
ferryman, goat
ferryman, wolf
wolf
ferryman, cabbage, wolf
cabbage, wolf
ferryman, cabbage, goat, wolf
Bow-Yaw Wang (Academia Sinica)
Side B
ferryman, goat
goat
ferryman, wolf, goat
wolf
ferryman, cabbage, wolf
cabbage, wolf
ferryman, cabbage, goat, wolf
cabbage, goat
ferryman, cabbage, goat
goat
ferryman, goat
Verification by Model Checking
November 30, 2016
57 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
Mutual exclusion revisited
The ferryman
The alternating bit protocol
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
58 / 154
The Alternating Bit Protocol I
The alternating bit protocol (ABP) is a network protocol for
transmitting messages over a lossy line.
▸
That is, messages may be lost during transmission.
Here is an infomal description of ABP:
▸
▸
▸
▸
▸
▸
▸
Consider a sender, a receiver, a data channel, and an acknowledgment
channel.
Every packet is associated with a control bit.
The sender sends a packet with the control bit 0 over the data channel.
When the receiver receives a packet with the control bit 0, he sends 0
over the acknowledgment channel.
When the sender receives 0 from the acknowledgment channel, she
sends another packet with the control bit 1.
When the receiver receives a packet with the control bit 1, he sends 1
over the acknowledgment channel.
If anyone did not get expected messages, she or he resends the last
message.
The control bit makes sure that packets cannot be lost or duplicated.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
59 / 154
The Alternating Bit Protocol II
MODULE sender ( ack )
VAR
st : { sending , sent };
message : boolean ; control : boolean ;
ASSIGN
init ( st ) := sending ;
next ( st ) := case
ack = control & !( st = sent ) : sent ;
TRUE
: sending ;
esac ;
next ( message ) := case
st = sent
: { FALSE , TRUE };
TRUE
: message ;
esac ;
next ( control ) := case
st = sent
: ! control ;
TRUE
: control ;
esac ;
FAIRNESS running
LTLSPEC G F ( st = sent )
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
60 / 154
The Alternating Bit Protocol III
The variable st denotes that a message is sent or sending.
The variable message represents a 1-bit packet.
The variable control is the current control bit.
The variable ack is the current acknowledgment.
The sender module is sending a message most of the time.
A message is sent when the acknowledgment bit is equal to the
control bit.
The 1-bit packet selects an arbitrary value when a message is sent.
The control bit is inverted when a message is sent.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
61 / 154
The Alternating Bit Protocol IV
MODULE receiver ( message , control )
VAR
st : { receiving , received };
ack : boolean ; expected : boolean ;
ASSIGN
init ( st ) := receiving ;
next ( st ) := case
control = expected & !( st = received )
TRUE
esac ;
next ( ack ) := case
st = received
TRUE
esac ;
next ( expected ) := case
st = received
TRUE
esac ;
FAIRNESS running
LTLSPEC G F ( st = received )
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
: received ;
: receiving ;
: control ;
: ack ;
: ! expected ;
: expected ;
November 30, 2016
62 / 154
The Alternating Bit Protocol V
The variable st denotes that a message is received or receiving.
The variable message represents a 1-bit packet.
The variable control is the current control bit.
The variable ack is the current acknowledgment.
The variable expected is the expected control bit.
The receiver module is receiving a message most of the time.
A message is received when the control bit is equal to the expected
control bit.
The acknowledgment bit changes when a message is received.
The expected acknowledgment bit is inverted when a message is
received.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
63 / 154
The Alternating Bit Protocol VI
MODULE one - bit - channel ( input )
VAR
forget : boolean ; output : boolean ;
ASSIGN
next ( output ) :=
case
forget
: output ;
TRUE
: input ;
esac ;
FAIRNESS running
FAIRNESS input & ! forget
FARINESS ! input & ! forget
MODULE two - bit - channel ( input1 , input2 )
VAR
forget : boolean ;
output1 : boolean ; output2 : boolean ;
ASSIGN
next ( output1 ) :=
case
forget
: output1 ;
TRUE
: input1 ;
esac ;
next ( output2 ) :=
case
forget
: output2 ;
TRUE
: input2 ;
esac ;
FAIRNESS running
FAIRNESS input1 & ! forget
FARINESS ! input1 & ! forget
FAIRNESS input2 & ! forget
FARINESS ! input2 & ! forget
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
64 / 154
The Alternating Bit Protocol VII
The variable input denotes an input bit.
The variable output denotes the output of a lossy channel.
A lossy channel sends the old output when it forget; otherwise, it
sends the input.
It is important that a lossy channel does not always forget.
▸
▸
In fact, it cannot always forget the same input.
What if all FALSE (or TRUE) are lost?
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
65 / 154
The Alternating Bit Protocol VIII
MODULE main
VAR
s : process sender ( ack_chan . output );
r : process receiver ( data_chan . output1 , data_chan . output2 );
data_chan : process two - bit - channel ( s . message , s . control );
ack_chan : process one - bit - channel ( r . ack );
ASSIGN
init ( s . control ) := FALSE ;
init ( r . expected ) := FALSE ;
init ( r . ack )
:= TRUE ;
init ( data_chan . output2 ) := TRUE ;
init ( ack_chan . output ) := TRUE ;
LTLSPEC
G ( s . st = sent & s . message -> data_chan . output1 )
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
66 / 154
The Alternating Bit Protocol IX
Our system has a sender, a receiver, a two-bit lossy data channel, and
a one-bit acknowledgment channel.
The initial control bit is FALSE.
The initial expected control bit is FALSE.
The initial acknowledgment bit is TRUE.
THe initial control bit from the data channel is TRUE.
THe initial acknowledgment bit from the acknowledgment channel is
TRUE.
Three properties are checked:
▸
▸
▸
Messages are sent by the sender infinitely often.
Messages are received by the receiver infinitely often.
When TRUE is sent, the packet in data channel is TRUE.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
67 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
68 / 154
Branching-time Logic I
In LTL, we specify properties about paths.
A model satisfies an LTL formula if all its paths from the initial state
satisfy the formula.
Sometimes, we may wish to consider properties about states.
▸
Recall that non-blocking asks if a process can always enter the trying
state when it is at the non-critical state.
Branching-time logic allows us to specify such properties.
We can ask if
▸
▸
all paths from a state satisfy certain properties; and
a path from a state satisfies certain properties.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
69 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
70 / 154
Computation Tree Logic (CTL)
Computation Tree Logic (CTL) is a branching-time logic.
As usual, we fix a set Atoms of atomic formulae p, q, . . ..
Definition
Computation Tree Logic (CTL) has the following syntax:
φ ∶∶= ∣ ⊺ ∣ p ∣ (¬φ) ∣ (φ ∧ φ) ∣ (φ ∨ φ) ∣ (φ Ô⇒ φ) ∣ AXφ ∣ EXφ ∣
AFφ ∣ EFφ ∣ AG ∣ EG ∣ A[φ U φ] ∣ E[φ U φ]
where p ∈ Atoms is an atomic formula.
Observe that CTL temporal connectives are either A (for all paths) or
E (there exists) followed by an LTL temporal connectives X, F, G, U.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
71 / 154
Convention and Examples
By convention, binding powers of CTL connectives are:
strongest
¬, AX, EX, AF, EF, AG, EG
∧, ∨
→
weakest
Ô⇒ , AU, EU
Examples:
AG(q Ô⇒ EGr ) EFE[r U q]
A[p U EFr ]
EFEGp Ô⇒ AFr A[p1 U A[p2 U p3 ]] E[A[p1 U p2 ] U p3 ]
AG(p Ô⇒ A[p U (¬p ∧ A[¬p U q])])
Non-examples:
q]
U
EFGr
A¬G¬p
F[r
((
((
q) ((p
(∧
EF(r
AEFr
A[(r
U
q)
U
r )]
(
U
(
(
(
A subformula of a CTL formula φ is any formula ψ whose parse tree
is a subtree of φ’s parse tree.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
72 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
73 / 154
M, s ⊧ φ
Definition
Let M = (S, →, L) be a transition system, s ∈ S, and φ a CTL formula. M, s ⊧ φ is
defined as follows.
1
M, s ⊧ ⊺; M, s ⊧
/ ; M, s ⊧ p if p ∈ L(s); M, s ⊧ ¬φ if M, s ⊧
/ φ;
2
M, s ⊧ φ ∧ ψ if M, s ⊧ φ and M, s ⊧ ψ; M, s ⊧ φ ∨ ψ if M, s ⊧ φ or M, s ⊧ ψ;
3
M, s ⊧ φ Ô⇒ ψ if M, s ⊧ ψ whenever M, s ⊧ φ;
4
M, s ⊧ AXφ if for all s ′ that s → s ′ we have M, s ′ ⊧ φ;
5
M, s ⊧ EXφ if for some s ′ that s → s ′ we have M, s ′ ⊧ φ;
6
M, s ⊧ AGφ if for all paths s0 (= s) → s1 → ⋯ we have M, si ⊧ φ for every i ≥ 0;
7
M, s ⊧ EGφ if for some path s0 (= s) → s1 → ⋯ we have M, si ⊧ φ for every i ≥ 0;
8
M, s ⊧ AFφ if for all paths s0 (= s) → s1 → ⋯ we have M, si ⊧ φ for some i ≥ 0;
9
M, s ⊧ EFφ if for some path s0 (= s) → s1 → ⋯ we have M, si ⊧ φ for some i ≥ 0;
10
11
M, s ⊧ A[φ U ψ] if for all paths s0 (= s) → s1 → ⋯ there is i ≥ 0 that M, si ⊧ ψ and
for every 0 ≤ j < i we have M, sj ⊧ φ;
M, s ⊧ E[φ U ψ] if for some path s0 (= s) → s1 → ⋯ there is i ≥ 0 that M, si ⊧ ψ
and for every 0 ≤ j < i we have M, sj ⊧ φ.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
74 / 154
Visualization – M, s ⊧ p
p
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
75 / 154
Visualization – M, s ⊧ AXp
p
Bow-Yaw Wang (Academia Sinica)
p
Verification by Model Checking
November 30, 2016
76 / 154
Visualization – M, s ⊧ EXp
p
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
77 / 154
Visualization – M, s ⊧ AGp
p
p
p
p
p
p
p
p
Bow-Yaw Wang (Academia Sinica)
p
p
p
Verification by Model Checking
p
p
p
November 30, 2016
p
78 / 154
Visualization – M, s ⊧ EGp
p
p
p
p
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
79 / 154
Visualization – M, s ⊧ AFp
p
p
p
Bow-Yaw Wang (Academia Sinica)
p
Verification by Model Checking
November 30, 2016
80 / 154
Visualization – M, s ⊧ EFp
p
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
81 / 154
Visualization – M, s ⊧ A[p U q]
p
q
p
p
q
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
q
q
November 30, 2016
82 / 154
Visualization – M, s ⊧ E[p U q]
p
p
p
q
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
83 / 154
Example I
p, q s0
s2
s1 q, r
r
Recall the transition system M above.
We will give examples of M, s ⊧ φ.
To do so, we first “unroll” M from its initial state s0 .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
84 / 154
Example II
q, r
s1
p, q
s0
q, r
r
s1
s2
p, q s0
r
s2
r
r
s2
s2
r
s2
r
s2
M, s0 ⊧ p ∧ q; M, s0 ⊧ ¬r ; M, s0 ⊧ ⊺;
M, s0 ⊧ EX(q ∧ r ); M, s0 ⊧ ¬AX(q ∧ r );
M, s0 ⊧ ¬EF(p ∧ r ) since a state with p, r is not reachable from s0 ;
M, s2 ⊧ EGr since s2 → s2 → ⋯;
M, s0 ⊧ AFr since r is always reachable from s0 ;
M, s0 ⊧ E[(p ∧ q) U r ] since s0 → s2 → s2 → ⋯;
M, s0 ⊧ A[p U r ] since s0 → s1 → ⋯ and s0 → s2 → ⋯;
M, s0 ⊧ AG(p ∨ q ∨ r Ô⇒ EFEGr ).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
85 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
86 / 154
Patterns of Specifications
It is possible to get to a state where started holds but ready doesn’t:
EF(started ∧ ¬ready);
For any state, if a requested occurs, it will be acknowledged
eventually: AG(requested Ô⇒ AFacknowledged);
A process is enabled infinitely often on all paths: AG(AFenabled);
A process will eventually be stable permanently: AF(AGstable);
From any state it is possible to get to a restart state: AG(EFrestart);
Process P1 can always request to enter its critical section:
AG(n1 Ô⇒ EXt1 ).
▸
Recall that non-blocking is not expressible in LTL.
Consider the following property: “if a process is enabled infinitely
often, it is running infinitely often. This is not expressed by
AGAFenabled Ô⇒ AGAFrunning.
▸
▸
In fact, this property is not expressible in CTL.
We can express the property by GFenabled Ô⇒ GFrunning in LTL.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
87 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
88 / 154
Semantic Equivalences
Definition
Let φ and ψ be CTL formulae. φ and ψ are semantically equivalent
(written φ ≡ ψ) if for all models M and all state s in M, M, s ⊧ φ iff
M, s ⊧ ψ.
Since A is a universal quantifier and E an existential quantifier, it is
not hard to see the following semantically equivalent formulae:
¬AFφ ≡ EG¬φ
¬EFφ ≡ AG¬φ
¬AXφ ≡ EX¬φ.
Moreover, by similar arguments in LTL, we have
AFφ ≡ A[⊺ U φ]
EFφ ≡ E[⊺ U φ].
Finally, we have
AGφ ≡ φ ∧ AXAGφ
EGφ ≡ φ ∧ EXEGφ
AFφ ≡ φ ∨ AXAFφ
EFφ ≡ φ ∨ EXEFφ
A[φ U ψ] ≡ ψ ∨ (φ ∧ AXA[φ U ψ])
E[φ U ψ] ≡ ψ ∨ (φ ∧ EXE[φ U ψ]).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
89 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
Syntax of CTL
Semantics of computation tree logic
Practical patterns of specifications
Important equivalences between CTL formulae
Adequate sets of CTL connectives
5
CTL∗ and the expressive powers of LTL and CTL
Wang (Academia Sinica)
Verification by Model Checking
6Bow-Yaw
Model-checking
algorithms
November 30, 2016
90 / 154
Adequate Sets of CTL Connectives I
{AU, EU, AX} is an adequate set of CTL connectives.
▸
Observe that
AGφ
AFφ
AXφ ≡ ¬EX¬φ
≡ ¬EF¬φ
EGφ
≡ A[⊺ U φ]
EFφ
≡ ¬AF¬φ
≡ E[⊺ U φ].
{EG, EU, EX} is an adequate set of CTL connectives.
▸
▸
Recall φ U ψ ≡ ¬(¬ψ U (¬φ ∧ ¬ψ)) ∧ Fψ in LTL.
Observe that A[φ U ψ] ≡ ¬(E[¬ψ U (¬φ ∧ ¬ψ)] ∨ EG¬ψ).
A[φ U ψ] ≡
≡
≡
≡
▸
A[¬(¬ψ U (¬φ ∧ ¬ψ)) ∧ Fψ]
¬E¬[¬(¬ψ U (¬φ ∧ ¬ψ)) ∧ Fψ]
¬E[(¬ψ U (¬φ ∧ ¬ψ)) ∨ G¬ψ]
¬(E[¬ψ U (¬φ ∧ ¬ψ)] ∨ EG¬ψ).
Strictly speaking, we need CTL∗ for the proof.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
91 / 154
Adequate Sets of CTL Connectives II
More generally, we have
Theorem
A set of CTL temporal connectives is adequate iff it contains at least one
of {AX, EX}, at least one of {EG, AF, AU}, and EU.
We can also define AR, ER, AW, and EW by EU:
A[φ R ψ] = ¬E[¬φ U ¬ψ]
△
A[φ W ψ] = A[ψ R (φ ∨ ψ)]
△
Bow-Yaw Wang (Academia Sinica)
E[φ R ψ] = ¬A[¬φ U ¬ψ]
△
E[φ W ψ] = E[ψ R (φ ∨ ψ)]
Verification by Model Checking
△
November 30, 2016
92 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
93 / 154
LTL and CTL
In LTL, we have temporal connectives X, F, G, U.
In CTL, we have temporal connectives
AX, EX, AF, EF, AG, EG, AU, EU.
Observe that CTL temporal connectives are LTL connectives prefixed
by path quantifiers A or E.
Consider the property: for some path, if p occurs eventually, then q
occurs eventually.
Using LTL, one would write Fp Ô⇒ Fq.
▸
But LTL considers all paths from a specified state.
Using CTL, one would write EFp Ô⇒ EFq.
▸
But this is not what we want either.
How about E(Fp Ô⇒ Fq)?
▸
But this is not in LTL nor CTL!
We need a more expressive logic.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
94 / 154
The Syntax of CTL∗
Definition
CTL∗ has the following syntax:
state formulae
φ ∶∶= ⊺ ∣ p ∣ (¬φ) ∣ (φ ∧ φ) ∣ A[α] ∣ E[α]
where p ∈ Atoms is an atomic formula
path formulae
α ∶∶= φ ∣ (¬α) ∣ (α ∧ α) ∣ (α U α) ∣ (Gα) ∣ (Fα) ∣ (Xα)
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
95 / 154
LTL, CTL, and CTL∗
An LTL formula is in fact a CTL∗ path formula.
Since we consider all paths in LTL, an LTL formula α is in fact the
CTL∗ state formula A[α].
We obtain CTL by restricting path formulae to
α ∶∶= (φ U φ) ∣ (Gφ) ∣ (Fφ) ∣ (Xφ)
Hence both LTL and CTL are subclasses of CTL∗ .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
96 / 154
Expressive Powers of LTL, CTL, and CTL∗
CTL∗
CTL
ψ1
LTL
ψ2
ψ3
ψ4
ψ1 = AGEFp.
¬p
s
¬p
p
s
ψ2 = AG(p Ô⇒ AFq)(CTL) = G(p Ô⇒ Fq)(LTL).
ψ3 = GFp Ô⇒ Fq.
ψ4 = E[GFp].
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
97 / 154
More Examples
FGp and AFAGp are not equivalent.
p
¬p
p
XFp ≡ FXp (LTL) and AXAFp (CTL) are equivalent. But
AFAXp ≡/ AXAFp.
So, between LTL and CTL, which one is better?
▸
▸
▸
In 1980’s, many debates (and papers) were fought for the question.
Now, people generally believe they are just different: one is not better
than the other.
Try to compare LTL and CTL.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
98 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
The CTL model-checking algorithm
CTL model checking with fairness
The LTL model-checking algorithm
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
99 / 154
The Model Checking Problem
Let M = (S, →, L) be a model, s ∈ S a state, and φ a temporal logic
formula.
The model checking problem is to decide whether M, s ⊧ φ holds.
We will discuss two model checking algorithms: one for LTL, the
other for CTL.
These algorithms help us understand basic principles of various
verification tools (such as NuSMV).
▸
▸
NuSMV does not implement the algorithms we discuss here.
Yet the basic ideas are not very different.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
100 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
The CTL model-checking algorithm
CTL model checking with fairness
The LTL model-checking algorithm
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
101 / 154
The CTL Model Checking Algorithm I
Let us first consider deciding whether M, s0 ⊧ φ where M is a finite
transition system and φ a CTL formula.
▸
▸
That is, M = (S, →, L) with S a finite set of states.
There are algorithms that solve the model checking problem for certain
infinite transition systems.
Our algorithm in fact computes all states that satisfy the top CTL
formula.
▸
That is, it computes the set {s ∈ S ∶ M, s ⊧ φ}.
After computing all states satisfying the given CTL formula, the
model checking problem is solved easily.
▸
We simply check if s0 ∈ {s ∈ S ∶ M, s ⊧ φ}.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
102 / 154
The CTL Model Checking Algorithm II
In our algorithm, we only consider temporal connectives
{EX, AF, EU}.
▸
{EX, AF, EU} is adequate.
For each state, we label it with subformulae of the given CTL
formula.
▸
A state satisfies all subformulae in its label.
Start from smallest subformulae; the algorithm works on each
subformula until the given CTL formula.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
103 / 154
The CTL Model Checking Algorithm III
Input: M = (S, →, L) : a mode; φ : a CTL formula
Output: {s ∈ S ∶ M, s ⊧ φ}
foreach subformula ψ of φ do
switch ψ do
case : do continue;
case p: do label all s with p if p ∈ L(s);
case ψ1 ∧ ψ2 : do label all s with ψ if it is lablled with ψ1 , ψ2 ;
case ¬ψ1 : do label all s with ψ if it is not labelled with ψ1 ;
case EXψ1 : do label all s with ψ if one of its successors is
labelled with ψ1 ;
case AFψ1 : do label all s with ψ if it is labelled with ψ1 , or all
successors of s are labeleed with ψ until no change ;
case E[ψ1 U ψ2 ]: do label all s with ψ if it is labelled with ψ2 , or
s is labelled with ψ1 and one of its successors is labelled with ψ
until no change ;
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
104 / 154
The CTL Model Checking Algorithm IV
Let ∣φ∣ be the number of connectives in φ.
Let M = (S, →, L) be a transition system.
The complexity of the algorithm is O(∣φ∣ ⋅ ∣S∣ ⋅ (∣S∣ + ∣ → ∣)).
▸
▸
There are O(∣φ∣) subformulae.
For AFψ1 and E[ψ1 U ψ2 ], each iteration takes O(∣S∣ + ∣ → ∣) steps;
there are at most O(∣S∣) iterations.
We now present the pseudo algorithm SAT(M, φ).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
105 / 154
SAT(M, φ)
switch φ do
case ⊺: do return S ;
case : do return ∅ ;
case p: do return {s ∈ S ∶ φ ∈ L(s)} ;
case ¬φ1 : do return S ∖ SAT(M, φ1 ) ;
case φ1 ∧ φ2 : do return SAT(M, φ1 ) ∩ SAT(M, φ2 ) ;
case EXφ1 : do return SATEX (M, φ1 ) ;
case E[φ1 U φ2 ]: do return SATEU (M, φ1 , φ2 ) ;
case AFφ1 : do return SATAF (M, φ1 ) ;
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
106 / 154
pre∃ (M, Y ) and pre∀ (M, Y )
In order to give the pseudo algorithm for SATEX (M, φ),
SATEU (M, φ, ψ), and SATAF (M, φ), we need two functions:
pre∃ (M, Y ) = {s ∈ S ∶ there exists s ′ (s → s ′ and s ′ ∈ Y )}
△
pre∀ (M, Y ) = {s ∈ S ∶ for all s ′ (s → s ′ implies s ′ ∈ Y )}
△
pre∃ (M, Y ) consists of states whose successors intersect Y is not
empty.
pre∀ (M, Y ) consists of states whose successors are contained in Y .
Observe that
pre∀ (M, Y ) = S ∖ pre∃ (M, S ∖ Y )
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
107 / 154
SATEX (M, φ)
X ← SAT(M, φ);
Y ← pre∃ (M, X );
return Y ;
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
108 / 154
SATAF (M, φ)
X ← S;
Y ← SAT(M, φ);
repeat
X ← Y;
Y ← Y ∪ pre∀ (M, Y );
until X = Y ;
return Y ;
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
109 / 154
SATEU (M, φ, ψ)
W ← SAT(M, φ);
Y ← SAT(M, ψ);
repeat
X ← Y;
Y ← Y ∪ (W ∩ pre∃ (M, Y ));
until X = Y ;
return Y ;
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
110 / 154
A More Efficient Model Checking Algorithm
Using backward breadth-first search, we can in fact do better.
We use the adequate set {EX, EG, EU} instead.
Observe that EXψ1 and E[ψ1 U ψ2 ] can be labelled in time
O(∣S∣ + ∣ → ∣) if we perform backward breadth-first search.
For the case EGψ1 ,
▸
▸
▸
Consider the subgraph with states satisfying ψ1 ;
Find maximal strongly connected components (SCC’s) in the subgraph;
Use backward breadth-first search on the subgraph to find states that
can reach an SCC.
The new algorithm takes time O(∣φ∣ ⋅ (∣S∣ + ∣ → ∣)).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
111 / 154
The State Explosion Problem
Although the complexity of CTL model checking algorithm is linear in
the number of states, the number of states can be exponential in the
number of variables and the number of components of the system.
▸
Adding a Boolean variable can double the number of states.
This is called the state explosion problem.
Lots of researches try to overcome the state explosion problem.
▸
▸
▸
▸
▸
Efficient data structures.
Abstraction.
Partial order reduction.
Induction.
Compositional reasoning.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
112 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
The CTL model-checking algorithm
CTL model checking with fairness
The LTL model-checking algorithm
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
113 / 154
Fairness I
We often simplify the system when we build a model for it.
▸
This is called abstraction.
Abstraction sometimes introduces unrealistic model behaviors.
▸
For instance, a process may stay in its critical section forever.
Such unrealistic behaviors may disprove intended properties.
▸
For instance, it is possible that the other process won’t get to its
critical section forever.
In order to consider realistic model behaviors, we impose fairness
constraints.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
114 / 154
Fairness II
We consider only fair computation paths specified by fair constraints.
Instead of standard path quantifiers A (for all) and E (for some), we
use their variants AC (for all fair paths) and EC (for some fair paths).
As an example, we can ask
“a process will eventually be permitted to enter its critical section if it
requests so along all fair paths.”
Clearly, we have to slightly modify the CTL model checking algorithm.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
115 / 154
Fair Computation Paths
Definition
Let C = {ψ1 , ψ2 , . . . , ψn } be fairness constraints. A computation path
s0 → s1 → ⋯ is fair with respect to C if for every i there are infinitely sj ’s
such that sj ⊧ ψi . We write AC and EC for the path quantifers A and E
restricted to fair paths.
For example, M, s0 ⊧ AC Gφ if φ holds in every state along all fair
paths.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
116 / 154
CTL Model Checking Algorithm with Fairness Constraints
Let C = {ψ1 , ψ2 , . . . , ψn } be a set of fairness constraints.
We consider the adequate set {EC U, EC G, EC X}.
Observe that
EC [φ U ψ] ≡ E[φ U (ψ ∧ EC G⊺)]
EC Xφ ≡ EX(φ ∧ EC G⊺).
▸
▸
Note that a computation path is fair iff all its suffixes are fair.
M, s ⊧ EC G⊺ ensures that s is on a fair path.
Since EC U and EC X can be reduced to EC G, it remains to compute
{s ∈ S ∶ M, s ⊧ EC Gφ}.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
117 / 154
Computing {s ∈ S ∶ M, s ⊧ EC Gφ}
It turns out that the algorithm for computing EC G is similar for
computing EG.
Let C = {ψ1 , ψ2 , . . . , ψn } be a set of fairness constraints.
To compute {s ∈ S ∶ M, s ⊧ EC Gφ}, do the following:
▸
▸
▸
▸
Consider the subgraph with states satisfying φ;
Find maximal strongly connected components (SCC’s) in the subgraph;
Remove an SCC if it does not contain a state satisfying ψi for some i.
The remaining SCC’s are fair SCC’s;
Use backward breadth-first search on the subgraph to find states that
can reach a fair SCC.
The complexity of the algorithm with fairness constraints is
O(∣C ∣ ⋅ ∣φ∣ ⋅ (∣S∣ + ∣ → ∣)).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
118 / 154
Fairness in NuSMV
In NuSMV two different types of fair paths can be specified.
Justice
▸
▸
▸
Let C = {p1 , p2 , . . . , pn } be a set of atomic formulae.
A path s0 → s1 → ⋯ satisfies the justice constraint C if for every i,
there are infinitely sj ’s such that sj ⊧ pi .
NuSMV uses the keywords FAIRNESS or JUSTICE.
Compassion
▸
▸
▸
Let C = {(p1 , q1 ), (p2 , q2 ), . . . , (pn , qn )} be a set of pairs of atomic
formulae.
A path s0 → s1 → ⋯ satisfies the compassion constraint C if for every i,
there are infinitely sj ’s such that sj ⊧ pi then there are infinitely sj ’s
such that sj ⊧ qi .
NuSMV uses the keyword COMPASSION.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
119 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
The CTL model-checking algorithm
CTL model checking with fairness
The LTL model-checking algorithm
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
120 / 154
LTL Model Checking Algorithm
The CTL model checking algorithm is rather straightforward.
▸
▸
It labels each state by satisfied subformulae.
It works because CTL formulae specify state properties.
LTL formulae, on the other hand, specify path properties.
▸
Labelling states no longer work.
We need a formal model for paths.
Automata theory is required!
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
121 / 154
Paths and Traces
Let M = (S, →, L) be a model.
Recall that a path s0 → s1 → ⋯ is a sequence of states such that
si → si+1 for every i ≥ 0.
A trace is a sequence of valuations of propositional atoms.
The trace of a path s0 → s1 → ⋯ is L(s0 )L(s1 )⋯.
▸
▸
▸
Recall that L ∶ S → 2Atoms .
L(si ) is the set of propositional atoms that hold in si .
L(si ) hence is a valuation of propositional atoms.
Note that different paths may have the same trace.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
122 / 154
Basic Ideas
Let M = (S, →, L) be a model, s ∈ S, and φ an LTL formula.
We check whether M, s ⊧ φ holds as follows.
1
2
Construct an automaton A¬φ . A¬φ accepts the traces satisfying ¬φ;
Construct the combination of the automaton A¬φ and M.
☀
3
Each path of the combination is a path of A¬φ and also a path of M.
Check if there is an accepting path starting from a combined state
including s.
☀
☀
Such a path is a path of M from s.
Moreover its trace satisfying ¬φ.
If an accepting path is found, we report “M, s ⊧
/ φ”; Otherwise,
“M, s ⊧ φ.”
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
123 / 154
Illustration I
init (a) := 1;
init (b) := 0;
next (a) := case
!a : 0;
b : 1;
1 : { 0, 1 };
esac;
next (b) := case
a & next (a) :
!a : 1;
1 : { 0, 1 };
esac;
s1
!b;
s2
ab
ab
ab
ab
s3
s4
M = (S, →, L) with Atoms = {a, b} and φ = ¬(a U b)
Does M, s3 ⊧ φ hold?
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
124 / 154
Illustration II
q1
q2
abψ
abψ
A trace t is accepting if
there is a path π whose
trace is t such that an
accepting state occurs
infinitely often.
abψ
abψ
q3′
abψ
q4
{a}{a}{a, b}{a}{a}⋯ is
accepting.
{a}{a}⋯ is not.
q3
φ = ¬(a U b), ψ = (a U b) and Aψ
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
125 / 154
Illustration III
(s1 , q1 )
(s2 , q2 )
abψ
abψ
(s3 , q3 )(s2 , q2 )⋯ is
accepting.
abψ
abψ
(s3 , q3′ )
abψ
(s4 , q4 )
Hence M, s3 ⊧
/ ¬(a U b)
because of the path
s3 s2 ⋯.
In fact, s3 s4 s3 s4 ⋯ is
another counterexample.
(s3 , q3 )
Combination of M and Aψ
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
126 / 154
Construct Aφ I
Let φ be an LTL formula.
We want to construct an automaton Aφ such that Aφ accepts
precisely traces on which φ holds.
We assume φ contains only the temporal connectives U and X.
▸
Recall that {U, X} is adequate.
Define the closure C(φ) of an LTL formula φ by
C(φ) = {ψ, ¬ψ ∶ ψ is a subformula of φ}
△
where we identify ¬¬ψ and ψ.
Example:
▸
C(a U b) = {a, b, ¬a, ¬b, a U b, ¬(a U b)}.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
127 / 154
Construct Aφ II
Let φ be an LTL formula.
A maximal subset q of C(φ) satisfies the following:
▸
▸
▸
▸
▸
for all (non-negated) ψ ∈ C(φ), either ψ ∈ q or ¬ψ ∈ q;
ψ1 ∨ ψ2 ∈ q iff ψ1 ∈ q or ψ2 ∈ q;
Conditions for other Boolean connectives are similar;
If ψ1 U ψ2 ∈ q, then ψ2 ∈ q or ψ1 ∈ q; and
If ¬(ψ1 U ψ2 ) ∈ q, then ¬ψ2 ∈ q.
The states of Aφ are the maximal subsets of C(φ). That is,
{q ⊆ C(φ) ∶ q is maximal}.
▸
Informally, ψ ∈ q means ψ ∈ C is true at state q.
The initial states of Aφ are those containing φ. Formally,
{q ⊆ C(φ) ∶ q is maximal and φ ∈ q}.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
128 / 154
Construct Aφ III
The transition relation δ of Aφ is defined as follows. (q, q ′ ) ∈ δ if
▸
▸
▸
▸
Xψ ∈ q implies ψ ∈ q ′ ;
¬Xψ ∈ q implies ¬ψ ∈ q ′ ;
ψ1 U ψ2 ∈ q and ψ2 ∈/ q imply ψ1 U ψ2 ∈ q ′ ; and
¬(ψ1 U ψ2 ) ∈ q and ψ1 ∈ q imply ¬(ψ1 U ψ2 ) ∈ q ′ .
Informally, ψ ∈ q enforces certain ψ ′ ∈ q ′ .
▸
▸
Recall the definition of maximal subsets of C(φ).
Observe that
ψ1 U ψ2
¬(ψ1 U ψ2 )
≡ ψ2 ∨ (ψ1 ∧ X(ψ1 U ψ2 )
≡ ¬ψ2 ∧ (¬ψ1 ∨ X¬(ψ1 U ψ2 )).
Consider C(a U b) = {a, ¬a, b, ¬b, a U b, ¬(a U b)}.
Let q = {a, ¬b, a U b} be a maximal subset of C(a U b).
We have (q, q) ∈ δ, the transition relation of AaUb .
Informally, a U b ∈ q means a U b holds at all traces from q.
▸
Apparently, qq⋯ does not satisfy a U b.
We define acceptance conditions to disallow such traces.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
129 / 154
Construct Aφ IV
Let χ1 U ψ1 , . . . , χk U ψk be all formulae of this form in C(φ).
The acceptance condition of Aφ is as follows.
A state q of Aφ is i-accepting if {¬(χi U ψi ), ψi } ∩ q ≠ ∅.
A path π is accepted if for every 1 ≤ i ≤ k, π has infinitely many
i-accepting states.
▸
A state can be i-accepting for every 1 ≤ i ≤ k.
To see why it works, consider a path π = q0 → q1 → ⋯ with only
finitely many i-accepting states. Hence for some h, we have
π h = qh → qh+1 → ⋯ with qj ∩ {¬(χi U ψi ), ψi } = ∅ for every j ≥ h. By
the maximality of qj , we have {χi U ψi , ¬ψi } ⊆ qj for every j ≥ h. The
path π is precisely what we wan to eliminate.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
130 / 154
Construct Aφ V
q1
q2
abψ
abψ
C(a U b) =
{a, ¬a, b, ¬b, aUb, ¬(aUb)}.
Maximal subsets of C(a U b):
q1
q2
q3
q3′
q4
abψ
abψ
q3′
abψ
q3
=
=
=
=
=
{¬a, ¬b, ¬(a U b)}
{¬a, b, a U b}
{a, ¬b, a U b}
{a, ¬b, ¬(a U b)}
{a, b, a U b}
q4
Accepting states are
{qi ∶ ¬(a U b) ∈ qi or b ∈ qi }.
ψ = a U b and Aψ
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
131 / 154
Construct Aφ VI
q1
q2
¬(a U b),
¬(¬a U b),
¬a, ¬b, ¬ψ
a U b,
¬(¬a U b),
a, ¬b, ψ
For a U b, the accepting
states are {q1 , q3 , q4 , q5 , q6 }.
q5
a U b,
¬a U b,
¬a, b, ψ
a U b,
¬a U b,
a, b, ψ
¬(a U b),
¬(¬a U b),
a, ¬b, ¬ψ
q3
q6
For ¬a U b, the accepting
states are {q1 , q2 , q3 , q5 , q6 }.
¬(a U b),
¬a U b,
¬a, ¬b, ψ
q4
ψ = (a U b) ∨ (¬a U b) and Aψ
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
132 / 154
LTL Model Checking with Fairness Constraints
Our CTL model checking algorithm is slightly modified to check CTL
properties with fairness constraints.
However, it is not necessary for LTL model checking.
Consider, for example, checking an LTL formula φ with a justice
constraint ψ.
▸
Recall that a justice constraint ψ considers only paths that ψ occurs
infinitely often.
We would like to check if φ holds on all fair paths.
This is equivalent to checking GFψ Ô⇒ φ.
▸
because LTL can specify justice constraints.
Hence the LTL model checking algorithm works even if there are
fairness constraints.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
133 / 154
NuSMV LTL Model Checking Algorithm
We can in fact implement the LTL model checking algorithm by the
CTL model checking algorithm with justice constraints.
Let M be a NuSMV model and φ an LTL formula.
Here is how it works:
▸
▸
▸
Construct A¬φ as a NuSMV model.
Construct M × A¬φ .
Check EG⊺ with justice constraint ¬(χ U ψ) ∨ ψ for each χ U ψ in φ.
The NuSMV LTL model checking algorithm uses justice constraints
to search paths accepted by M × A¬φ .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
134 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Monotone functions
The correctness of SATEG
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
135 / 154
The CTL Model Checking Algorithm Revisited I
We have presented a CTL model checking algorithm.
Let M = (S, →, L) be a transition system.
The algorithm computes the set [ φ]] for any CTL formula φ, where
[ φ]] = {s ∈ S ∶ M, s ⊧ φ}.
We use the following equations:
[ p]]
[ ]]
[ ¬φ]]
[ φ ∧ ψ]]
[ EXφ]]
[ AFφ]]
[ E[φ U ψ]]]
=
=
=
=
=
=
=
{s ∈ S ∶ p ∈ L(s)}
∅
S ∖ [ φ]]
[ φ]] ∩ [ ψ]]
pre∃ (M, [ φ]])
[ φ]] ∪ pre∀ (M, [ AFφ]])
[ ψ]] ∪ ([[φ]] ∩ pre∃ (M, [ E[φ U ψ]]]))
The last two recursive equations are puzzling.
▸
Circular definitions are always problematic!
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
136 / 154
The CTL Model Checking Algorithm Revisited II
To simplify our presentation, we will use a different adequate set of
temporal connectives {EX, EG, EU}.
▸
To get rid of pre∀ (●, ●).
Hence we use the following puzzling equations:
[ EGφ]] = [ φ]] ∩ pre∃ (M, [ EGφ]])
[ E[φ U ψ]]] = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, [ E[φ U ψ]]]))
We will explain them by fixed-point theory.
The theory will also establish the correctness of the algorithm.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
137 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Monotone functions
The correctness of SATEG
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
138 / 154
Monotone Functions
Definition
Let S be a set of states and F ∶ 2S → 2S .
1
2
F is monotone if X ⊆ Y implies F (X ) ⊆ F (Y ) for every X , Y ⊆ S;
X ⊆ S is a fixed point of F if F (X ) = X .
Examples: let S = {s0 , s1 }.
△
F (Y ) = Y ∪ {s0 }. F (Y ) is monotone. {s0 } and {s0 , s1 } are fixed
points of F (Y ).
{s } if Y = {s0 }
△
G (Y ) = { 1
. G (Y ) is not monotone. G (Y ) has no
{s0 } otherwise
fixed points.
△
▸
▸
Let F ∶ 2S → 2S . We write F i (X ) for the expression
³¹¹ ¹ ¹ ¹ ¹ · ¹ ¹ ¹ ¹ ¹ ¹µ
F (F ⋯F (X )⋯).
i
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
139 / 154
Fixpoint Theorem I
Theorem
Let S be a set with ∣S∣ = n. If F ∶ 2S → 2S is a monotone function, F n (∅)
is the least fixed point of F and F n (S) is the greatest fixed point of F (by
set inclusion order).
Proof.
Since ∅ ⊆ F (∅) and F is monotone, F (∅) ⊆ F 2 (∅). More generally,
F (∅) ⊆ F 2 (∅) ⊆ ⋯ ⊆ F n (∅) ⊆ F n+1 (∅).
Since ∣S∣ = n and F is monotone, there is 1 ≤ k ≤ n that F k (∅) = F k+1 (∅).
Thus F n (∅) is a fixed point of F .
Suppose H = F (H) is a fixed point of F . Since ∅ ⊆ H, F (∅) ⊆ F (H) = H.
F 2 (∅) ⊆ F (H) = H. Hence F i (∅) ⊆ H for every i. Particularly, F n (∅) ⊆ H.
The case for the greatest fixed point is similar.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
140 / 154
Fixpoint Theorem II
Knaster-Tarski theorem in fact shows the least and greatest fixed
points exist for any (not necessarily finite) set.
Our fixpoint theorem is a special case of Knaster-Tarski theorem.
The fixpoint theorem shows how to compute least and greatest fixed
points for monotone functions over finite sets.
We will show [ EGφ]] and [ E[φ U ψ]]] are in fact greatest and least
fixed points of certain monotone functions respectively.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
141 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Monotone functions
The correctness of SATEG
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
142 / 154
Computing [ EGφ]]
Recall that EGφ ≡ φ ∧ EXEGφ.
Hence [ EGφ]] = [ φ]] ∩ pre∃ (M, [ EGφ]]).
[ EGφ]] is a fixed point of
F (X ) = [ φ]] ∩ pre∃ (M, X ).
△
We will show that [ EGφ]] is in fact a greatest fixed point of F .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
143 / 154
[ EGφ]] as a Greatest Fixed Point
Theorem
Let M = (S, →, L) be a model with ∣S∣ = n and F (X ) = [ φ]] ∩ pre∃ (M, X ).
Then F is monotone, [ EGφ]] is the greatest fixed point of F , and
[ EGφ]] = F n (S).
△
Proof.
Let X , Y ⊆ S and X ⊆ Y , and s ∈ F (X ). Then s ∈ [ φ]] and there is an s ′
such that s → s ′ and s ′ ∈ X ⊆ Y . That is, s ′ ∈ F (Y ) and hence
F (X ) ⊆ F (Y ). F is monotone.
Since [ EGφ]] = F ([[EGφ]]), [ EGφ]] is a fixed point of F . It remains to
show that [ EGφ]] is the greatest fixed point of F . Consider any X ⊆ S
with X = F (X ). Let s0 ∈ X . Then s0 ∈ F (X ) = [ φ]] ∩ pre∃ (M, X ). s0 ∈ [ φ]]
and there is an s1 with s0 → s1 such that s1 ∈ X . By induction, we have a
path s0 → s1 → ⋯ such that si ∈ [ φ]] for s ≥ 0. Hence s0 ∈ [ EGφ]].
Therefore X ⊆ [ EGφ]] for every fixed point X of F .
The greatest fixed point of F is F n (S).
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
144 / 154
SATEG (M, φ) I
Y ← SAT(φ);
X ← ∅;
repeat
X ← Y;
Y ← Y ∩ pre∃ (M, Y );
until X = Y ;
return (Y );
Note that SATEG (M, φ) does not apply the previous theorem exactly.
Recall that
F (X ) = [ φ]] ∩ pre∃ (M, X ).
△
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
145 / 154
SATEG (M, φ) II
By the theorem, we would have
= F 0 (S) = S
= F (Y 0 ) = [ φ]] ∩ pre∃ (M, Y 0 )
= [ φ]]
Y 2 = F (Y 1 ) = Y 1 ∩ pre∃ (M, Y 1 )
Y 3 = F (Y 2 ) = Y 1 ∩ pre∃ (M, Y 2 )
where Y 0 ⊇ Y 1 ⊇ Y 2 ⊇ ⋯
Y0
Y1
SATEG (M, φ) on the other hand computes
Y0
Y1
Y2
Y3
Bow-Yaw Wang (Academia Sinica)
=
=
=
=
=
=
=
=
=
[ φ]] = Y 1
Y0 ∩ pre∃ (M, Y0 )
Y 1 ∩ pre∃ (M, Y 1 ) = Y 2
Y1 ∩ pre∃ (M, Y1 )
Y 1 ∩ pre∃ (M, Y 1 ) ∩ pre∃ (M, Y 2 )
Y 1 ∩ pre∃ (M, Y 2 ) = Y 3
Y2 ∩ pre∃ (M, Y2 )
Y 1 ∩ pre∃ (M, Y 2 ) ∩ pre∃ (M, Y 3 )
Y 1 ∩ pre∃ (M, Y 3 ) = Y 4
Verification by Model Checking
November 30, 2016
146 / 154
Outline
1
Linear-time temporal logic
2
Model checking
3
The NuSMV model checker
4
Branching-time logic
5
CTL∗ and the expressive powers of LTL and CTL
6
Model-checking algorithms
7
The fixed-point characterisation of CTL
Monotone functions
The correctness of SATEG
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
147 / 154
Computing [ E[φ U ψ]]]
Recall that E[φ U ψ] ≡ ψ ∨ (φ ∧ EXE[φ U ψ]).
Hence [ E[φ U ψ]]] = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, [ E[φ U ψ]]])).
[ E[φ U ψ]]] is a fixed point of
G (X ) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, X )).
△
We will show that [ E[φ U ψ]]] is in fact a least fixed point of G .
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
148 / 154
[ E[φ U ψ]]] as a Least Fixed Point
Theorem
Let M = (S, →, L) be a model with ∣S∣ = n and G (X ) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, X )).
Then G is monotone, [ E[φ U ψ]]] is the least fixed point of G , and [ E[φ U ψ]]] = G n (∅).
△
Proof.
Since pre∃ (M, X ) is monotone, G is monotone.
Since G n (∅) is the least fixed point of G , it remains to show that [ E[φ U ψ]]] = G n (∅).
Recall M, s ⊧ E[φ U ψ] if for some path s0 (= s) → s1 → ⋯ there is i ≥ 0 that M, si ⊧ ψ
and for every 0 ≤ j < i we have M, sj ⊧ φ.
Observe that G 1 (∅) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, ∅)) = [ ψ]]. s ∈ G 1 (∅) iff M, s ⊧ E[φ U ψ]
by taking i = 0. Similarly, G 2 (∅) = G (G 1 (∅)) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, G 1 (∅))). That
is, s ∈ G 2 (∅) iff M, s ⊧ E[φ U ψ] by taking i = 0, 1. By induction, one can show
s ∈ G k (∅) iff M, s ⊧ E[φ U ψ] by taking i = 0, . . . , k − 1. Hence [ E[φ U ψ]]] = ⋃ G i (∅).
i∈N
Now recall that G 0 (∅) ⊆ G 1 (∅) ⊆ G 2 (∅) ⊆ ⋯ and G n (∅) is a fixed point. We have
i
n
n
⋃ G (∅) = G (∅). That is, [ E[φ U ψ]]] = G (∅).
i∈N
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
149 / 154
SATEU (M, φ, ψ) Revisited I
W ← SAT(M, φ);
X ← S;
Y ← SAT(M, ψ);
repeat
X ← Y;
Y ← Y ∪ (W ∩ pre∃ (M, Y ));
until X = Y ;
return Y ;
Note again that SATEU (M, φ, ψ) does not exactly follow the theorem.
Recall
G (X ) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, X )).
△
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
150 / 154
SATEU (M, φ, ψ) Revisited II
By the theorem, we would have
= G 0 (∅) = ∅
= G (Y 0 ) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, Y 0 )) = [ ψ]]
= G (Y 1 ) = [ ψ]] ∪ ([[φ]] ∩ pre∃ (M, Y 1 ))
= Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 1 ))
Y 3 = G (Y 2 ) = Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 2 ))
where Y 0 ⊆ Y 1 ⊆ Y 2 ⊆ ⋯
Y0
Y1
Y2
SATEU (M, φ, ψ) on the other hand computes
Y0
Y1
Y2
Y3
=
=
=
=
=
=
=
=
=
Bow-Yaw Wang (Academia Sinica)
[ ψ]] = Y 1
Y0 ∪ ([[φ]] ∩ pre∃ (M, Y0 ))
Y1 ∪ ([[φ]] ∩ pre∃ (M, Y 1 )) = Y 2
Y1 ∪ ([[φ]] ∩ pre∃ (M, Y1 ))
Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 1 )) ∪ ([[φ]] ∩ pre∃ (M, Y 2 ))
Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 2 )) = Y 3
Y2 ∪ ([[φ]] ∩ pre∃ (M, Y2 ))
Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 2 )) ∪ ([[φ]] ∩ pre∃ (M, Y 3 ))
Y 1 ∪ ([[φ]] ∩ pre∃ (M, Y 3 )) = Y 4
Verification by Model Checking
November 30, 2016
151 / 154
Example I
s0 q
s2
s1
p
s3
s4 q
Compute [ EFp]].
Since [ EFp]] = [ E[⊺ U p]]], consider G (X ) = [ p]] ∪ ([[⊺]] ∩ pre∃ (M, X ))
= {s3 } ∪ pre∃ (M, X ). G 1 (∅) = {s3 }, G 2 (∅) = G ({s3 }) = {s3 , s1 },
G 3 (∅) = G ({s1 , s3 }) = {s3 , s0 , s2 , s1 }, G 4 (∅) = G ({s0 , s1 , s2 , s3 }) =
{s3 , s0 , s2 , s1 } = G 3 (∅). Hence [ EFp]] = {s0 , s1 , s2 , s3 }.
△
▸
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
152 / 154
Example II
s0 q
s2
s1
p
s3
s4 q
Compute [ EGq]].
Consider F (X ) = [ q]] ∩ pre∃ (M, X ) = {s0 , s4 } ∩ pre∃ (M, X ).
F 1 (S) = {s0 , s4 }. F 2 (S) = F ({s0 , s4 }) = {s0 , s4 } ∩ {s3 , s0 , s2 , s4 } =
{s0 , s4 } = F 1 (S). Hence [ EGq]] = {s0 , s4 }.
△
▸
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
153 / 154
Where to go?
Model checking has been applied in industry.
▸
IC design, Windows device drivers, NASA Curiosity, Amazon, etc.
We only discuss the most elementary backgrounds.
Lots of techniques are needed to make it practical.
▸
▸
▸
▸
▸
implicit algorithms;
counterexample guided abstraction refinement;
partial order reduction;
compositional reasoning;
and many more.
There are also model checking algorithms for infinite state systems.
Contact me if you are interested in research opportunities.
Bow-Yaw Wang (Academia Sinica)
Verification by Model Checking
November 30, 2016
154 / 154

Download Report

Verification by Model Checking - Institute of Information Science

Paperzz.com

Your Paperzz