Verification via Model Checking

(Formal) verification techniques comprise:
• an approach for system modelling (formal description language)
• a specification language for the properties of interest that are to be verified
• a verification method for checking: Does the system description satisfy the
system specification?
Classification Criteria for Verification Approaches
• proof-based vs. model-based
• degree of automation (fully automatic … user-guided)
• full verification vs. verification of certain (crucial, safety-critical, …) properties
• intended domain of application
• pre- vs. post-development
• ...
Model checking is automatic, model-based, property-based;
intended domain of application: concurrent and reactive systems;
originally: post-development approach
Computation Tree Logic (CTL): Syntax
φ ::= ⊥ | ⊤ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) |
AX φ | EX φ |
A[φ U φ] | E[φ U φ] |
AG φ | EG φ |
AF φ | EF φ
• A: on All paths
• E: on at least one path (there Exists a path)
• X: in the neXt state
• F: in some Future state
• G: in all future states (Globally)
• U: Until
Priorities / binding rules (for syntax):
• highest priority: unary operators;
• then ∧ and ∨;
• then →, AU, EU.
Computation Tree Logic (CTL): Semantics I
Model for CTL: M = (S, →, L) where
• S: a (finite) set of states
• →: transition relation (binary relation on S), s.t. for every s ∈ S there exists an s′ ∈ S with s → s′ (*)
• Labelling function L : S → P(Atoms)
Here:
• P(Atoms): power set over Atoms, the set of atomic propositions.
• The truth value of an atom depends on the current state (in contrast to propositional logic)!
• L(s) contains (exactly) those atoms that are true in state s.
• Requirement (*) means no deadlock and is not a severe restriction (if necessary, let every deadlocked state go to an "error state" that loops on itself).
Computation Tree Logic (CTL): Semantics II
Given: Model M = (S, →, L) for CTL, s ∈ S.
Def. of M, s ⊨ φ (CTL-formula φ holds in s) via structural induction on φ:
1. M, s ⊨ ⊤ and M, s ⊭ ⊥ for all s ∈ S
2. M, s ⊨ p iff p ∈ L(s)
3. M, s ⊨ ¬φ iff M, s ⊭ φ
4. M, s ⊨ φ1 ∧ φ2 iff M, s ⊨ φ1 and M, s ⊨ φ2
5. M, s ⊨ φ1 ∨ φ2 iff M, s ⊨ φ1 or M, s ⊨ φ2
6. M, s ⊨ φ1 → φ2 iff M, s ⊭ φ1 or M, s ⊨ φ2
7. M, s ⊨ AX φ iff for all s1 with s → s1: M, s1 ⊨ φ
8. M, s ⊨ EX φ iff there exists an s1 with s → s1 s.t. M, s1 ⊨ φ
Computation Tree Logic (CTL): Semantics III
9. M, s ⊨ AG φ iff on every path s1 → s2 → … with s1 = s, for every si (on this path): M, si ⊨ φ
10. M, s ⊨ EG φ iff there exists a path s1 → s2 → … with s1 = s such that for every si (on this path): M, si ⊨ φ
11. M, s ⊨ AF φ iff on every path s1 → s2 → … with s1 = s there exists an si (on this path) with M, si ⊨ φ
12. M, s ⊨ EF φ iff there exists a path s1 → s2 → … with s1 = s and some state si (on this path) with M, si ⊨ φ
13. M, s ⊨ A[φ1 U φ2] iff every path s1 → s2 → … with s1 = s satisfies φ1 U φ2, i.e.: there exists a state si on the path with M, si ⊨ φ2, and for all j < i: M, sj ⊨ φ1
14. M, s ⊨ E[φ1 U φ2] iff there exists a path s1 → s2 → … with s1 = s satisfying φ1 U φ2.
Example (Validity of CTL-Formulae in Models)
Model M: four states s0, s1, s2, s3 carrying the labellings {p, q}, {q, r}, {r} and {p, t}; which labelling belongs to which state, and the transition relation →, are given in a figure that is not reproduced here.
M, s0 ⊨ φ for some of the following φ, and M, s0 ⊭ φ for the others (which is which is determined by the transition relation of the figure):
• AF q
• AG(AF q)
• AG(EF(p ∨ r))
• AG(p ∨ q)
• EX(EX r)
• A[q U t]
• E[q U r]
• AF t
Equivalences I
• φ and ψ are said to be semantically equivalent (φ ≡ ψ) ⇐⇒
[ M, s ⊨ φ ⇐⇒ M, s ⊨ ψ, for all M, s ]
• Sufficient for (semantically equivalent) representation of the temporal-logical
operators:
• AU, EU and EX, or
• EG, EU and EX, or
• AG, AU and AX, or
• AF, EU and EX.
• Sufficient for (semantically equivalent) representation of all CTL-formulae:
⊥, ¬, ∧ plus AF, EU, EX.
Equivalences II
¬AF φ ≡ EG ¬φ
¬EF φ ≡ AG ¬φ
¬AX φ ≡ EX ¬φ
AF φ ≡ A[⊤ U φ]
EF φ ≡ E[⊤ U φ]
A[φ U ψ] ≡ ¬(E[¬ψ U (¬φ ∧ ¬ψ)] ∨ EG ¬ψ)
Equivalences III
Fixed-Point Characterization of CTL (via AX, EX)
AG φ ≡ φ ∧ AX AG φ
EG φ ≡ φ ∧ EX EG φ
AF φ ≡ φ ∨ AX AF φ
EF φ ≡ φ ∨ EX EF φ
A[φ U ψ] ≡ ψ ∨ (φ ∧ AX A[φ U ψ])
E[φ U ψ] ≡ ψ ∨ (φ ∧ EX E[φ U ψ])
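The labelling algorithm that a CTL model checker runs on a finite model, written out as an added Python example (it is not code from the slides): sat(φ) is computed by the structural induction of the Semantics II/III slides, directly only for the adequate set ⊥, ¬, ∧, AF, EU, EX named on the Equivalences I slide; the remaining operators are rewritten with the equivalences of Equivalences II, and AF and EU are computed as least fixed points of the characterizations on the Equivalences III slide. It then evaluates the eight formulae of the example slide at s0. The nested-tuple encoding of formulae and the transition relation of the example model are assumptions (the slide's figure is not reproduced), so the verdicts hold for that assumed relation and need not match the slide's two lists. The model constructor rejects a model that violates requirement (*): in a deadlocked state "all successors satisfy φ" holds vacuously, so AX and AG properties would pass there for free.

```python
"""Explicit-state CTL model checking over a finite model M = (S, ->, L).

sat(phi) = { s in S | M, s |= phi } by structural induction: the adequate set
{bot, not, and, AF, EU, EX} is implemented directly, other operators are
rewritten via the slides' equivalences, AF / EU are least fixed points.
"""
from typing import Dict, FrozenSet, Tuple

Formula = tuple  # nested tuples, e.g. ('AG', ('imp', ('atom', 'req'), ('AF', ('atom', 'ack'))))


class Model:
    """M = (S, ->, L).  The constructor enforces requirement (*): -> is total."""

    def __init__(self, states, trans, label):
        self.states: FrozenSet[str] = frozenset(states)
        self.trans: FrozenSet[Tuple[str, str]] = frozenset(trans)
        self.label: Dict[str, FrozenSet[str]] = {s: frozenset(label.get(s, ())) for s in self.states}
        deadlocked = sorted(s for s in self.states if not any(a == s for a, _ in self.trans))
        if deadlocked:
            # Without (*), "all successors satisfy phi" holds vacuously in a deadlocked
            # state, so AX / AG properties would be "verified" there for free.
            raise ValueError(f"states without successor violate (*): {deadlocked}")

    def pre_exists(self, y):
        """{ s | exists s' in y with s -> s' }: the EX step."""
        return frozenset(a for a, b in self.trans if b in y)

    def pre_all(self, y):
        """{ s | every s' with s -> s' lies in y }: the AX step (relies on (*))."""
        return self.states - self.pre_exists(self.states - y)

    @staticmethod
    def _lfp(start, step):
        # Iterate a monotone step from 'start' until the set stops growing.
        cur = start
        while (nxt := step(cur)) != cur:
            cur = nxt
        return cur

    def sat(self, phi: Formula) -> FrozenSet[str]:
        op, args = phi[0], phi[1:]
        if op in ('top', 'bot'):
            return self.states if op == 'top' else frozenset()
        if op == 'atom':
            return frozenset(s for s in self.states if args[0] in self.label[s])
        if op == 'not':
            return self.states - self.sat(args[0])
        if op == 'and':
            return self.sat(args[0]) & self.sat(args[1])
        if op == 'or':   # phi v psi  ==  not(not phi ^ not psi)
            return self.sat(('not', ('and', ('not', args[0]), ('not', args[1]))))
        if op == 'imp':  # phi -> psi  ==  not phi v psi  (semantic clause 6)
            return self.sat(('or', ('not', args[0]), args[1]))
        if op == 'EX':
            return self.pre_exists(self.sat(args[0]))
        if op == 'AX':   # not AX phi  ==  EX not phi
            return self.sat(('not', ('EX', ('not', args[0]))))
        if op == 'EF':   # EF phi  ==  E[top U phi]
            return self.sat(('EU', ('top',), args[0]))
        if op == 'AG':   # not EF phi  ==  AG not phi
            return self.sat(('not', ('EF', ('not', args[0]))))
        if op == 'EG':   # not AF phi  ==  EG not phi
            return self.sat(('not', ('AF', ('not', args[0]))))
        if op == 'AU':   # A[f U g]  ==  not( E[not g U (not f ^ not g)] v EG not g )
            f, g = args
            return self.sat(('not', ('or', ('EU', ('not', g), ('and', ('not', f), ('not', g))),
                                            ('EG', ('not', g)))))
        if op == 'AF':   # least fixed point of  Y = phi v AX Y
            return self._lfp(self.sat(args[0]), lambda y: y | self.pre_all(y))
        if op == 'EU':   # least fixed point of  Y = psi v (phi ^ EX Y)
            f, g = self.sat(args[0]), self.sat(args[1])
            return self._lfp(g, lambda y: y | (f & self.pre_exists(y)))
        raise ValueError(f"unknown operator {op!r}")


def example_model() -> Model:
    """Labellings of the example slide; the transition relation is an ASSUMPTION
    (the figure is not reproduced), so the verdicts below hold for this relation."""
    return Model(
        states={'s0', 's1', 's2', 's3'},
        trans={('s0', 's1'), ('s0', 's2'), ('s1', 's0'), ('s1', 's2'),
               ('s2', 's2'), ('s2', 's3'), ('s3', 's3')},
        label={'s0': {'p', 'q'}, 's1': {'q', 'r'}, 's2': {'r'}, 's3': {'p', 't'}})


P, Q, R, T = ('atom', 'p'), ('atom', 'q'), ('atom', 'r'), ('atom', 't')
EXAMPLE_FORMULAE: Dict[str, Formula] = {
    'AF q': ('AF', Q),                 'AG(AF q)': ('AG', ('AF', Q)),
    'AG(EF(p v r))': ('AG', ('EF', ('or', P, R))),
    'AG(p v q)': ('AG', ('or', P, Q)), 'EX(EX r)': ('EX', ('EX', R)),
    'A[q U t]': ('AU', Q, T),          'E[q U r]': ('EU', Q, R),
    'AF t': ('AF', T),
}


def check_at_s0() -> Dict[str, bool]:
    """Verdict M, s0 |= phi for every formula of the example slide."""
    m = example_model()
    return {name: 's0' in m.sat(phi) for name, phi in EXAMPLE_FORMULAE.items()}
```

`check_at_s0()` returns the verdict for each formula; with the assumed relation, AF q, AG(EF(p ∨ r)), EX(EX r) and E[q U r] hold at s0 and the other four fail. Each fixed-point iteration can only add states, so it terminates after at most |S| rounds; the specification AG(requested → AF acknowledged) from the modelling slide is checked the same way once the system model has been encoded as a Model.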
Exercise (Non-Trivial!)
Prove the CTL equivalence
A[φ U ψ] ≡ ¬(E[¬ψ U (¬φ ∧ ¬ψ)] ∨ EG ¬ψ)
(or at least one direction), by using the semantic definition of validity of
CTL-formulae and by corresponding reasoning!
Modelling in CTL – Examples
Formal modelling in CTL – some examples:
• There is a reachable state where started holds, but not ready:
EF (started ∧ ¬ready)
• Whenever a request occurs, it will eventually be acknowledged:
AG (requested → AF acknowledged)
• No matter what happens, some process will eventually be blocked (deadlock) forever:
AF (AG deadlock)
• From every state a restart is possible:
AG (EF restart)
• The elevator can remain idle on the third floor with closed door (whenever it is in that state, there is a path on which it stays there forever):
AG (floor = 3 ∧ idle ∧ door = closed → EG (floor = 3 ∧ idle ∧ door = closed))
• Whenever there is a q after p (after a finite number of steps), then the system enters
an interval where r does not hold until finally t holds:
??? (Exercise!)