Algorithmic Software Verification

VII. Computation tree logic and bisimulations

MotivationSee McMillan’s thesis where he models a synchronous

fair bus arbiter circuit.

See table: # of states, BDD size and time

Wants to check:

- No two acks are asserted simultaneously

- Every persistent request is eventually ack-ed

- Ack is not asserted without a request.

Not really safety/reachability properties:

so how do we state and check these specs?

Temporal logics!

References

Symbolic model checking

An approach to the state explosion problem

Ken McMillan 1992

Model: Kripke structures

Finite state machines with boolean variables

ignoring .

FSM = (X, {{true, false}} {x X} , Q, Q_in, , δ )

X finite set of variables/propositions Q finite set of states Q_in Q set of initial states

For each q Q, (q) is a function that maps each x in X to true or false δ Q x Q transition relation

CTL: Syntax

Fix X the set of atomic propositions.

CTL(X) f,g ::= p | f | f g | f g |

EX f | EF f | E(f U g) | A(f U g)

Intuitively:

EX f --- some successor state satisfies f

AX f --- every successor state satisfies f

E(f U g) – along some path, f holds until g holds

A(f U g) – along every path, f holds until g holds

CTL: SyntaxAdditional derived operators:

EF f --- there is some reachable state where f holds

(reachability) E(true U f)

AG f --- in every reachable state, f holds

(safety) E (true U f)

EG f --- there is some path along which f always holds.

A(true U f)

AF f --- along every path, f eventually holds

A(true U f)

Actually, EX, EG and EU are sufficient.

CTL: Examples

- ack1 and ack2 are never asserted simultaneously

- Every request req is eventually acknowledged by

an ack.

- ack is not asserted without a request

CTL: Examples

- ack1 and ack2 are never asserted simultaneously

AG( (ack1 ack2) )

- Every request req is eventually acknowledged by

an ack.

AG(req (AF ack))

- ack is not asserted without a request

E( req U ack)

SemanticsFSM = (X, {{true, false}} {x X} , Q, Q_in, , δ )

With every f associate the set of states of a Kripke structure that satisfies f:

M, s |= p iff (s)(p) = true

M, s |= f g iff M,s |= f or M,s |= g

M, s |= f iff M,s | f

M, s |= EX f iff there is an s’ with δ(s,s’) and

s’ |= f

M, s |= EF f iff there is an s’ reachable from s

such that s’ |= f

Semantics

M, s |= E (f U g) iff there is a path s=s1s2… from s

and a k such that s’ |= g and

for each i<k, si |= f

M, s’ |= A(f U g) iff for every path s=s1s2… from s

and a k such that sk |= g and

for every i<k, si |=f

BisimulationsLet M =(X, Q, Q_in, , δ ) and M’ =(X’, Q’, Q_in’, ’, δ’ )

be two Kripke structures (can be same)

A bisimilation relation is a relation R QxQ’ such that:

- For every (q, q’) in R, (q) = ’(q’)

- If (q,q’) is in R, and q q1 then there is a q1’ in Q’

such that q1 q1’ in M’ and (q1,q1’) is in R.

- If (q,q’) is in R, and q’ q1’ then there is a q1 in Q

such that q q1 in M and (q1,q1’) is in R.

Fact: If R and R’ are bisimulation relations, then so is

R R’.

Bisimulations

Let R* be the largest bisimulation relation:

R* = { R | R is a bisimulation relation}

If q is in Q and q’ is in Q’, then

q and q’ are bisimilar iff (q,q’) is in R*.

Denoted: q ~ q’

Two models are bisimilar if q_in ~ q_in’

Bisimulations

Let M =(X, Q, q_in, , δ ) be a model.

The unfolding of M, unf(M), is a tree model:

Nodes: xq where x is in Q*

Edges: xq xqq’ iff q q’

Initial node: q_in

’(xq) = (q)

Claim:

- M and unf(M) are bisimilar

- For each xq, q ~ xq.

CTL and bisimilarity

Lemma: Let f be a CTL formula.

Let q in Q and q’ in Q’ be two states such

that q ~ q’.

Then M,q |= f iff M,q’ |= f

Proof: By induction on structure of formulas.

CTL and bisimilarity

CTL can distinguish between models that exhibit

the same sequential behaviors.

Hence CTL is a branching-time logic and not a linear-time logic.

What is the right notion of behavior of a model?

--- The set of strings exhibited by it

--- The tree unfolding of the model

Model-checking CTL

Given M and f.

Compute the set of all states of M that satisfy f,

by induction on structure of f.

║p║ = states where p holds

║f g║ = ║f║ ║g ║

║ f ║ = complement of ║f ║

║EX f ║ = the set of states s that have a succ s’ in ║f ║

Model-checking CTL

║E f U g ║ :

Take the set X =║g ║.

Repeat{

Add the set of states that satisfy f and have

a successor in X.

} till X reaches a fixpoint.

Model-checking CTL

║EG f║ :

Let M’ be M restricted to states satisfying f.

A state s satisfies EG f iff

s is in M’ and there is a path from s to an

SCC of M’.

Model-checking CTL

Model-checking CTL can be done in time O(|f|. |M|).

Number of subformulas of f is O(|f|)

║p║, ║f g║ , ║ f ║ and ║EX f ║ are easy.

║EX f U g║ -- Start with states T satisfying g; put them in ║EX f U g║ -- In each round, take a state in T, remove it from T,

and add predecessors of this state that satisfy f

and put them in T and ║EX f U g║. -- Each state is processed only once – linear time.

Model-checking CTL

║EG f║

-- Construct M’.

-- Partition M’ into SCCs using Tarjan’s algorithm

-- Starting from states in nontrivial SCCs, work

backwards adding states that satisfy f.

-- Linear time.