Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Introduction to Model-Checking using Sal
Deepak D’Souza
Department of Computer Science and Automation
Indian Institute of Science, Bangalore.
27 January 2014
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Alloy, Sal and Rodin
Alloy
Model the system state (components/entities, relationship
between them, constraints/invariants)
Can also model operations (preconditions, updates, satisfaction
of invariants)
Displays scenarios, may say “no instance found.”
Sal
Models finite-state system (state and operations)
Can prove (or give counter-example) for properties of dynamic
system behaviours.
Algorithm for checking temporal properties of a finite-state
system.
Rodin
Lets us model state, invariants
Operations, preconditions, udpates
Can prove that operations satisfy certain properties
Support for refinement.
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Methods and tools covered in this course
Tools
Systematic Testing
(Pex)
Functional Correctness
(Rodin, VCC)
Model−Checking
(SAL)
Analysing Requirements
(Alloy)
Requirements
Design
Coding
Software Development Stages
Testing
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Model-checking using Sal: Plan of lectures
Lecture 1 & 2: Intro to model-checking using Sal.
Lecture 3: How LTL model checking works.
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Outline of this lecture
1
Overview
2
Transition Systems
3
Example 1: mod-4 counter
4
Specifying properties in LTL
5
Example 2: Traffic light
Specifying properties in LTL
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Overview of Sal
Sal is model-checking tool, in which we can
Describe transition system models.
Simulate them, explore paths in them.
Describe desirable properties of the system in temporal logic.
Check that the system satisfies these properties.
Proves that property is satisfied
Produces counter-examples (system behaviour that violates
property).
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Transition systems: states
A state (over a set of variables Var with associated types) is a
valuation for the variables in Var .
Thus a state is a map s : Var → Values, that assigns to each
variable x a value s(x) in the domain of the type of x.
Example of a state
Consider Var = {loc, ctr }, with type of loc = {sleep, try, crit},
and type of ctr = N.
Example state s: hloc 7→ sleep, ctr 7→ 2i, depicted as:
loc = sleep
ctr = 2
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Transition systems
A transition system is of the form T = (S, I , →) where
S is a set of states,
I ⊆ S is a set of initial states,
→⊆ S × S is a transition relation.
A run or execution of T is a (finite or infinite) sequence of states
s0 , s1 , s2 , . . . such that
s0 ∈ I , and
for each i, si → si+1 .
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Example transition system: a mod-4 counter
Transition system of a mod-4 counter
Here Var = {count}, with type of count = {0, 1, 2, 3}.
T = (S
I
→
=
=
=
{hcount 7→ 0i, hcount 7→ 1i, hcount 7→ 2i, hcount 7→ 3i, },
{hcount 7→ 0i},
{(hcount 7→ 0i, hcount 7→ 1i),
(hcount 7→ 1i, hcount 7→ 2i),
(hcount 7→ 2i, hcount 7→ 3i),
(hcount 7→ 3i, hcount 7→ 0i)}).
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Example transition system: a mod-4 counter
Diagrammatic representation
count = 1
count = 0
count = 2
count = 3
Example run:
count = 0
count = 1
count = 2
count = 3
count = 0
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Specifying the transition system using predicates
Specify the initial states using a predicate on the state
variables:
count = 0
Specify the transitions using a predicate on the before
(unprimed) and after (primed) state variables:
count’ = (count + 1) MOD 4
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Mod-4 counter in Sal
counter: context =
begin
counter: module =
begin
output count: [0..3]
initialization
count = 0
transition
count’ = (count + 1) MOD 4
end;
end
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Simulating in Sal
$ sal-sim
sal > (import! "counter")
counter
sal > (start-simulation! "counter")
sal > (display-curr-trace)
Step 0:
--- System Variables (assignments) --count = 0
#f
sal > (step!)
sal > (display-curr-trace)
Step 0:
--- System Variables (assignments) --count = 0
-----------------------Step 1:
--- System Variables (assignments) --count = 1
#f
Specifying properties in LTL
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Sal pathfinder
$ sal-path-finder counter.sal counter
Assignment
========================
Path
========================
Step 0:
--- System Variables (assignments)
count = 0
-----------------------Step 1:
--- System Variables (assignments)
count = 1
-----------------------Step 2:
--- System Variables (assignments)
count = 2
-----------------------Step 3:
--- System Variables (assignments)
count = 3
------------------------
---
---
---
---
Specifying properties in LTL
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Example to illustrate composition of modules
composition: context =
begin
Signal: type = {green, amber, red};
clock: module =
begin
output tick: boolean
initialization
tick = true
transition
tick’ = NOT tick
end;
light: module =
begin
input tick: boolean
output light: Signal
% definition light = if (tick) then green else red endif;
end;
clockedlight: module = clock || light;
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Semantics of model
Initial states are those that satisfy the initialization
constraint, with input variables taking on any possible values.
From a given state, we get the next states by first finding
valuations to the non-input variables that satisfy the
transition constraint (variables whose “primed” state is not
defined, carry over their value from the before state). Then
we add all possible valuations for the input variables. Finally,
compute the values of variables using the definition clause
if applicable.
Exercise
Draw the transition systems induced by the modules clock,
light, and clockedlight.
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Property specifications in Temporal Logic
Linear-time Temporal Logic (LTL) proposed by Amir Pnueli in
1978 to specify properties of program executions.
What can we say in LTL? An LTL formula describes a
property of an infinite sequence of “states.”
p: an atomic proposition p (like “count = 2” or “tick =
false”) holds in the current state.
X p (“next p”): property p holds in the tail of the sequence
starting from the next state.
F p (“future p”): property p holds eventually at a future state.
G p (“globally p”): property p holds henceforth (at all future
states).
U(p, q) (“p Until q”): property q holds eventually and p holds
till then.
p
q
¬p
¬q
p
¬q
p
¬q
¬p
q
p
q
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Syntax and semantics of LTL
Syntax:
ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | X ϕ | U(ϕ, ϕ).
Semantics: Given an infinite sequence of states w = s0 s1 · · · , and
a position i ∈ {0, 1, . . .}, we define the relation w , i |= ϕ
inductively as follows:
w, i
w, i
w, i
w, i
w, i
|= p
|= ¬ϕ
|= ϕ ∨ ψ
|= X ϕ
|= U(ϕ, ψ)
iff
iff
iff
iff
iff
p holds true in si .
w , i 6|= ϕ.
w , i |= ϕ or w , i |= ψ.
w , i + 1 |= ϕ.
∃j : i ≤ j, w , j |= ψ, and
∀k : i ≤ k < j, w , k |= ϕ.
F ϕ is shorthand for U(true, ϕ), and G ϕ is shorthand for ¬(F ¬ϕ).
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
When a system model satisfies an LTL property
If T is a transition system and ϕ is an LTL formula with
propositions that refer to values of variables in T , then we say
T |= ϕ (read “T satisfies ϕ”) iff each infinite execution of T
satisfies ϕ in its initial state.
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Example properties for counter model
counterV2: context =
begin
counter: module =
begin
output count: [0..3]
initialization
count = 0
transition
count’ = (count + 1) MOD 4
end;
prop1:
prop2:
prop3:
prop4:
end
theorem
theorem
theorem
theorem
counter
counter
counter
counter
||||-
G(not(count > 3));
G((count = 1) => X(count = 2));
U((count = 0) OR (count = 1),(count = 2));
G(count = 0);
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Caveat for Sal checker
If given system model contains “deadlock” states (i.e. states from
which there are no outgoing transitions) then sal-smc might give
unsound answers.
Use sal-deadlock-checker to check your model for deadlock
states.
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example with inputs: Traffic light model
“Stop” says the red light, “Go” says the green.
“Change” says the amber light, blinking in between.
That’s what they say, and that’s what they mean.
We all must obey them, even the Queen!
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Sal model of traffic light
trafficlight: context =
begin
Signal: type = {green, amber, red};
CState: type = {go, change, stop};
tlight : module =
begin
input tick: boolean
output light: Signal
local status: CState
local ctr: [0..3]
initialization
ctr = 0;
status = go;
definition
light = if (status = go) then green
elsif (status = change) then amber
else red endif;
transition [
((status = go) AND (ctr = 3) AND tick) --> status’ = change; ctr’ = 0
[] ((status = change) AND (ctr = 1) AND tick) --> status’ = stop; ctr’ = 0
[] ((status = stop) AND (ctr = 3) AND tick) --> status’ = change; ctr’ = 0
[] else --> ctr’ = if (tick) then ((ctr + 1) MOD 4) else ctr endif
]
end;
end
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Transition system for traffic light (partial)
tick = true
status = go
light = green
ctr = 1
tick = true
status = go
light = green
ctr = 0
tick = false
status = go
light = green
ctr = 0
tick = false
status = go
light = green
ctr = 1
tick = true
status = go
light = green
ctr = 2
tick = false
status = go
light = green
ctr = 2
Example 2: Traffic light
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Exercise
1
Which of the properties below are true of the traffic light
model?
G((light = red) => F(light = green));
G(U(light = red, U(light = amber,light = green)));
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Exercise
1
Which of the properties below are true of the traffic light
model?
G((light = red) => F(light = green));
G(U(light = red, U(light = amber,light = green)));
2
Give modified properties that the system satisfies.
Overview
Transition Systems
Example 1: mod-4 counter
Specifying properties in LTL
Example 2: Traffic light
Sal resources and other material
Sal webpage: http://sal.csl.sri.com/
Useful documentation:
Sal tutorial:
http://sal.csl.sri.com/doc/salenv tutorial.pdf
Sal language manual:
http://sal.csl.sri.com/doc/language-report.pdf
Material for other topics:
Textbook by Huth and Ryan, Logic in Computer Science:
Specifications, semantics, and model-checking techniques for
LTL (and CTL).