model checking

Post on 03-Jan-2016


Model checking

Raúl Monroy

(from Huth & Ryan’s LICS book)

Verification by model checking

Model checking is based on temporal logic

A formula is not statically true or false in a model

The notion of truth is dynamic, the formulae may change their truth values as the system evolves

Models are transition systems

Verification by model checking

To verify that a system satisfies a property:

1. Model the system using the description language of the model checker, obtaining a model M.

2. Code the property using the specification language, obtaining a formula Φ.

3. Run the model checker with inputs M and Φ.

Temporal logics

Time: continuous or discrete.

Linear-time logics (LTL): time is linear and discrete.

Branching-time logics (CTL): time is branching and discrete; useful in modelling non-deterministic computations.

Linear-Time Temporal Logic

LTL: Syntax

Syntax of LTL formulae is defined inductively in Backus Naur form:

Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ XΦ │ FΦ │ GΦ │ Φ U Φ │ Φ W Φ │ Φ R Φ

where p ranges over atomic formulae

LTL: Syntax

X, F, G, U, W and R are called temporal connectives

Convention: ¬, X, F, G (the unary connectives) bind most tightly; next come U, R and W; then ∧ and ∨; and after that →.

LTL: Syntax

Examples of LTL formulas: F p G q p W r F(p G r) ¬q U p p W (q W r) G F p F(q s)

Now consider U r and p G q: neither is generated by the grammar above, since U is binary and G is unary.

Definition of a model

A model, M, is given by a triple (S, →, L), where S is a set of states, → ⊆ S × S is a transition relation such that every s ∈ S has some s’ ∈ S with s → s’, and L is a labelling function

L : S → P(Atoms)

Semantics of LTL

[Figure: the model M drawn as a directed graph with three states, labelled p, q; q, r; and r.]

A concise presentation of a model M as a directed graph, whose nodes are states, each containing all the propositional atoms which are true in that particular state.

Deadlock treatment

A system with a state s4 that does not have any further transitions. [Figure: states s0, s1, s2, s3 and s4, with s4 having no outgoing transition.]

Deadlock treatment

An expanded system with a ‘deadlock’ state sd, such that no state can deadlock; of course, it is then our understanding that reaching the ‘deadlock’ state corresponds to deadlock in the original system. [Figure: states s0, s1, s2, s3, s4 and the added state sd.]

Linear-time temporal logic

A path in a model M = (S, →, L) is an infinite sequence of states s1, s2, s3, … in S such that, for each i ≥ 1, si → si+1.

We write π = s1 → s2 → s3 → …; the suffix of π starting at its i-th state is written π^i, e.g. π^3 = s3 → s4 → s5 → …

Satisfaction relation on paths

Let M = (S, →, L) be a model and π = s1 → s2 → s3 → … be a path in M. The satisfaction relation, ⊨, is given by:

1. π ⊨ ⊤

2. π ⊨ p iff p ∈ L(s1)

3. π ⊨ ¬Φ iff π ⊭ Φ

4. π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2

5. π ⊨ Φ1 ∨ Φ2 iff π ⊨ Φ1 or π ⊨ Φ2

6. π ⊨ X Φ iff π^2 ⊨ Φ

7. π ⊨ G Φ holds iff, for all i ≥ 1, π^i ⊨ Φ

8. π ⊨ F Φ holds iff, for some i ≥ 1, π^i ⊨ Φ

9. π ⊨ Φ U ψ holds iff there is some i ≥ 1 such that π^i ⊨ ψ and, for all j = 1, …, i−1, π^j ⊨ Φ

10. π ⊨ Φ W ψ holds iff either …; or, for all k ≥ 1, π^k ⊨ Φ

11. π ⊨ Φ R ψ holds iff either there is some i ≥ 1 such that π^i ⊨ Φ and, for all j = 1, …, i, π^j ⊨ ψ; or, for all k ≥ 1, π^k ⊨ ψ

[Figure: the path s0 → s1 → … → s10, with the atoms p and q marked on its states.]

• Illustration of the meaning of Until in the semantics of LTL.

• Each of the states s3 to s9 satisfies p U q along the path shown.

• W is just like U except it does not require that ψ is eventually satisfied along the path in question.

• R is the dual of U: Φ R ψ ≡ ¬(¬Φ U ¬ψ)
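As an added example (not part of the slides or of Huth & Ryan's text), the eleven clauses above implemented in Python on ultimately periodic paths, i.e. a finite prefix followed by a loop repeated forever, which is how a model checker finitely represents an infinite path such as a counterexample. The state labels are those of the lecture's model M (s0: p, q; s1: q, r; s2: r); the two paths, the tuple encoding of formulas and every function and variable name are assumptions of this example.

```python
# Added example, not code from the slides or from Huth & Ryan: LTL path
# semantics on ultimately periodic paths (prefix + loop). Labels are those of
# the lecture's model M; the paths and the formula encoding are constructed here.

class Path:
    """π = prefix · loop · loop · ...; positions are 0-based indices into prefix + loop."""

    def __init__(self, prefix, loop, labels):
        assert loop, "an LTL path is infinite, so the loop must be non-empty"
        self.states = list(prefix) + list(loop)
        self.loop_start = len(prefix)
        self.labels = labels          # state -> set of atoms true in it, i.e. L(s)

    def nxt(self, i):
        """Position of the state after position i (wraps back to the start of the loop)."""
        return i + 1 if i + 1 < len(self.states) else self.loop_start

    def walk(self, i):
        """Positions of the suffix π^i in order, stopping when a position repeats.
        Truth at a position never depends on how often the loop was traversed, so
        this finite list is enough to decide G, F, U, W and R on the infinite suffix."""
        seen = []
        while i not in seen:
            seen.append(i)
            i = self.nxt(i)
        return seen


def holds(path, f, i=0):
    """Decide π^i ⊨ f following clauses 1-11. Assumed formula encoding: 'true',
    'false', an atom name, or tuples ('not', f), ('and', f, g), ('or', f, g),
    ('imp', f, g), ('X', f), ('F', f), ('G', f), ('U', f, g), ('W', f, g), ('R', f, g)."""
    if f == 'true':
        return True
    if f == 'false':
        return False
    if isinstance(f, str):                                   # clause 2: p ∈ L(s_i)
        return f in path.labels[path.states[i]]
    op = f[0]
    if op == 'not':
        return not holds(path, f[1], i)
    if op == 'and':
        return holds(path, f[1], i) and holds(path, f[2], i)
    if op == 'or':
        return holds(path, f[1], i) or holds(path, f[2], i)
    if op == 'imp':
        return (not holds(path, f[1], i)) or holds(path, f[2], i)
    if op == 'X':                                            # clause 6: look at π^{i+1}
        return holds(path, f[1], path.nxt(i))
    if op == 'G':                                            # clause 7: every suffix
        return all(holds(path, f[1], j) for j in path.walk(i))
    if op == 'F':                                            # clause 8: some suffix
        return any(holds(path, f[1], j) for j in path.walk(i))
    if op in ('U', 'W'):                                     # clauses 9 and 10
        for j in path.walk(i):
            if holds(path, f[2], j):
                return True                                  # ψ reached, φ held before it
            if not holds(path, f[1], j):
                return False                                 # φ broken before ψ
        return op == 'W'                                     # ψ never comes: fine for W only
    if op == 'R':                                            # clause 11: ψ until φ releases it
        for j in path.walk(i):
            if not holds(path, f[2], j):
                return False
            if holds(path, f[1], j):
                return True
        return True                                          # ψ holds forever
    raise ValueError(f"unknown connective in {f!r}")


# Labelling of the lecture's model M; the two paths are constructed examples.
LABELS = {'s0': {'p', 'q'}, 's1': {'q', 'r'}, 's2': {'r'}}
PI_A = Path(['s0'], ['s2'], LABELS)        # s0 s2 s2 s2 ...
PI_B = Path([], ['s0', 's1'], LABELS)      # s0 s1 s0 s1 ...
GFP = ('G', ('F', 'p'))
GFR = ('G', ('F', 'r'))


def example_checks():
    """Some of the slide's formulas on the two paths (description -> truth value)."""
    return {
        'PI_A: X r': holds(PI_A, ('X', 'r')),
        'PI_A: G F p': holds(PI_A, GFP),
        'PI_A: F G r': holds(PI_A, ('F', ('G', 'r'))),
        'PI_B: G F p -> G F r': holds(PI_B, ('imp', GFP, GFR)),
        'PI_B: p U r': holds(PI_B, ('U', 'p', 'r')),
        'PI_B: q U (p and r)': holds(PI_B, ('U', 'q', ('and', 'p', 'r'))),
        'PI_B: q W (p and r)': holds(PI_B, ('W', 'q', ('and', 'p', 'r'))),
        'PI_B: r R q': holds(PI_B, ('R', 'r', 'q')),
    }


if __name__ == '__main__':
    for name, value in example_checks().items():
        print(f"{name}: {value}")
```

The U/W pair shows the one difference between the two connectives: on s0 s1 s0 s1 … the atom q holds everywhere but p ∧ r never does, so q U (p ∧ r) is false while q W (p ∧ r) is true; r R q is true because q holds up to and including the first state where r holds.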

LTL: Semantics

Suppose M = (S, →, L) is a model, s ∈ S, and Φ an LTL formula. We write M, s ⊨ Φ if, for every execution path π of M starting at s, we have π ⊨ Φ.

Consider again system M.

[Figure: the model M with states s0 (labelled p, q), s1 (labelled q, r) and s2 (labelled r), and its unwinding as an infinite tree of all computation paths beginning in a particular state.]

Example checks for system M

1. M, s0 ⊨ p ∧ q

2. M, s0 ⊨ ¬r

3. M, s0 ⊨ ⊤

4. M, s0 ⊨ X r

5. M, s0 ⊨ ¬X (q ∧ r)

6. M, s0 ⊨ G ¬(p ∧ r)

7. M, s2 ⊨ F(¬q ∧ r) → F G r

8. M, s2 ⊨ G F p

9. M, s0 ⊨ G F p → G F r

10. M, s0 ⊨ ¬(G F r → G F p)

Computation Tree Logic

CTL: Syntax

CTL formulas are defined inductively via a Backus Naur form

Φ ::= ⊥ │ ⊤ │ p │ (¬Φ) │ (Φ ∧ Φ) │ (Φ ∨ Φ) │ (Φ → Φ) │ AX Φ │ EX Φ │ A [Φ U Φ] │ E [Φ U Φ] │ AG Φ │ EG Φ │ AF Φ │ EF Φ

where p ranges over atomic formulas

CTL: Syntax

AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives.

Each temporal connective is a pair of symbols. The first symbol of the pair is A (along all paths) or E (along at least one path); the second symbol is X (neXt state), G (all future states, Globally), U (Until) or F (some Future state). AU and EU are binary. X, G, U and F cannot occur on their own, without a path quantifier in front.

¬, AG, AF, AX bind most tightly; next ∧ and ∨; and after that → and AU.

CTL: Syntax

Well-formed CTL formulas:

EG r

AG (q EG r) AG q EG r A [r U q] EF E [r U q]

A [p U EF r]

AG AF r

A [ p1 U A [ p2 U p3 ]]

E [ A [ p1 U p2 ] U p3 ]

AG ( p A [ p U ( ¬p A [ ¬p U q ] ) ] )

The following are not well-formed CTL formulas (a temporal operator appears without its path quantifier, or a path quantifier without an operator):

FG r

A ¬G ¬p

F [ r U q ]

EF [ r U q ]

AEF r

AF [ ( r U q ) (r U q )]

Parse tree of a CTL formula

A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ’s parse tree.

[Figure: the parse tree of A [AX ¬p U E [EX (p ∧ q) U ¬p]]: the root is AU; its left child is AX over ¬ over p; its right child is EU, whose children are EX over ∧ over p and q, and ¬ over p.]

Semantics of CTL

Let M = (S, →, L). Given any s in S, a CTL formula Φ holds in state s, written

M, s ⊨ Φ

iff the following satisfaction relation, ⊨, holds:

1. M, s ⊨ ⊤ and M, s ⊭ ⊥, for all s ∈ S

2. M, s ⊨ p iff p ∈ L(s)

3. M, s ⊨ ¬Φ iff M, s ⊭ Φ

4. M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2

5. M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2

6. M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2

7. M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: ‘in every next state’.

8. M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: ‘in some next state’.

9. M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ. Mnemonically: for all computation paths beginning in s the property Φ holds Globally.

10. M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all si along the path we have M, si ⊨ Φ. Mnemonically: there Exists a path beginning in s such that Φ holds Globally along the path.

11. M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ. Mnemonically: for all computation paths beginning in s there will be some Future state where Φ holds.

12. M, s ⊨ EF Φ holds iff there is a path s1 → s2 → …, where s1 equals s, and for some si along the path we have M, si ⊨ Φ. Mnemonically: there Exists a computation path beginning in s such that Φ holds in some Future state.

13. M, s ⊨ A[Φ1 U Φ2] holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si along the path such that M, si ⊨ Φ2, and for each j < i we have M, sj ⊨ Φ1. Mnemonically: All computation paths beginning in s satisfy Φ1 Until Φ2.

14. M, s ⊨ E[Φ1 U Φ2] holds iff there is a path s1 → s2 → …, where s1 equals s, and there is some si along the path such that M, si ⊨ Φ2, and for each j < i we have M, sj ⊨ Φ1. Mnemonically: there Exists a computation path beginning in s satisfying Φ1 Until Φ2.

Semantics of CTL

A system whose starting state satisfies EF Φ, and a system whose starting state satisfies EG Φ. [Figure: two computation trees; in the first, Φ is marked at one state on some path; in the second, at every state along one path.]

Semantics of CTL

A system whose starting state satisfies AG Φ, and a system whose starting state satisfies AF Φ. [Figure: two computation trees; in the first, Φ is marked at every state of the tree; in the second, at some state on every path.]

Semantics of CTL

[Figure: the path s0 → s1 → … → s10, with the atoms p and q marked on its states.]

An illustration of the meaning of Until in the semantics of CTL. Each of the states s3 to s9 satisfies p U q along the path shown.

Consider again system M.

[Figure: the model M with states s0 (labelled p, q), s1 (labelled q, r) and s2 (labelled r), and its unwinding as an infinite tree of all computation paths beginning in a particular state.]

Example checks for system M

1. M, s0 ⊨ p ∧ q

2. M, s0 ⊨ ¬r

3. M, s0 ⊨ ⊤

4. M, s0 ⊨ EX (q ∧ r)

5. M, s0 ⊨ ¬AX (q ∧ r)

6. M, s0 ⊨ ¬EF (p ∧ r)

7. M, s2 ⊨ EG r

8. M, s2 ⊨ AG r

9. M, s0 ⊨ AF r

10. M, s0 ⊨ E [(p ∧ q) U r]

11. M, s0 ⊨ A [p U r]

Practical patterns of specification

It is possible to get to a state where started holds, but ready does not hold: EF (started ∧ ¬ready)

For any state, if a request (of some resource) occurs, then it will eventually be acknowledged: AG (request → AF acknowledged)

A certain process is enabled infinitely often on every computation path: AG (AF enabled)

Whatever happens, a certain process will eventually be permanently deadlocked: AF (AG deadlock)

From any state it is possible to get to a restart state: AG (EF restart)

An upwards travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: AG (floor=2 ∧ direction=up ∧ ButtonPressed5 → A [direction=up U floor=5])

Here, our atomic descriptions are boolean expressions built from system variables, e.g. floor=2.

The elevator can remain idle on the third floor with its doors closed: AG (floor=3 ∧ idle ∧ door=closed → EG (floor=3 ∧ idle ∧ door=closed))

Mutual exclusion

The first modelling attempt

[Figure: the first modelling attempt, with states n1n2, t1n2, n1t2, c1n2, t1t2, n1c2, c1t2 and t1c2, where ni, ti and ci mean that process i is in its non-critical section, is trying to enter its critical section, or is in its critical section.]

Mutual exclusion

Four properties:

1. Safety: φ1 =def AG ¬(c1 ∧ c2)

2. Liveness: φ2 =def AG (t1 → AF c1)

3. Non-blocking: φ3 =def AG (n1 → EX t1)

4. No strict sequencing: φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])

Mutual exclusion

The second modelling attempt

[Figure: the second modelling attempt, with states n1n2, t1n2, n1t2, c1n2, n1c2, c1t2, t1c2 and two copies of t1t2.]

Equivalences in CTL

Two CTL formulas φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by φ ≡ ψ.

Equivalences in CTL

¬AF φ ≡ EG ¬φ

¬EF φ ≡ AG ¬φ

¬AX φ ≡ EX ¬φ

AF φ ≡ A [⊤ U φ]

EF φ ≡ E [⊤ U φ]

AG φ ≡ φ ∧ AX AG φ

EG φ ≡ φ ∧ EX EG φ

AF φ ≡ φ ∨ AX AF φ

EF φ ≡ φ ∨ EX EF φ

A[φ U ψ] ≡ ψ ∨ (φ ∧ AX A [φ U ψ])

E[φ U ψ] ≡ ψ ∨ (φ ∧ EX E [φ U ψ])

Labelling algorithm

INPUT: a CTL model M = (S, →, L) and a CTL formula Φ

OUTPUT: the set of states of M which satisfy Φ

Labelling algorithm

⊥: no state is labelled with ⊥

p: label s with p if p ∈ L(s)

ψ1 ∧ ψ2: label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1 and with ψ2

¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1

Labelling algorithm

AF ψ1:

If any state s is labelled with ψ1, label it with AF ψ1.

Repeat: label any state with AF ψ1 if all of its successor states are labelled with AF ψ1, until there is no change.

Labelling algorithm

E[ψ1 U ψ2]:

If any state s is labelled with ψ2, label it with E[ψ1 U ψ2].

Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least one of its successor states is labelled with E[ψ1 U ψ2], until there is no change.

EX ψ1: label any state with EX ψ1 if one of its successors is labelled with ψ1.

Labelling algorithm

The iteration step of the procedure for labelling states with subformulas of the form AF ψ1. [Figure: a state all of whose successors carry the label AF ψ1 receives the label AF ψ1; repeat … until no change.]

Labelling algorithm

The iteration step of the procedure for labelling states with subformulas of the form E [ψ1 U ψ2]. [Figure: a state labelled ψ1 with a successor carrying the label E [ψ1 U ψ2] receives the label E [ψ1 U ψ2]; repeat … until no change.]

Labelling algorithm

Handling EG directly. EG ψ1:

Label all the states with EG ψ1.

If any state s is not labelled with ψ1, delete the label EG ψ1.

Repeat: delete the label EG ψ1 from any state if none of its successors is labelled with EG ψ1, until there is no change.

Labelling algorithm

A better way of handling EG. [Figure: the graph restricted to the states satisfying ψ1 contains several SCCs; every state inside one of them satisfies EG ψ1.]

Labelling algorithm

A variant which is more efficient for the EG ψ case:

Restrict the graph to states satisfying ψ, i.e. delete all other states and their transitions;

Find the maximal strongly connected components (SCCs); these are maximal regions of the state space in which every state is linked with (= has a finite path to) every other one in that region.

Labelling algorithm

An example run of the labelling algorithm in our second model of mutual exclusion, applied to the formula E[¬c2 U c1].

[Figure: the second model annotated, for each state, with the round in which it received the label E[¬c2 U c1]: c1n2 and c1t2 in round 1; t1n2 and one of the t1t2 states in round 2; n1n2 in round 3; n1t2, t1c2, n1c2 and the other t1t2 state are never labelled.]
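As an added example (not code from the slides or from Huth & Ryan), the labelling algorithm of the preceding slides and the four mutual-exclusion properties in Python, run on both modelling attempts. The state names, atoms and properties are the lecture's; the transition relations, the tuple encoding of formulas and every function and variable name are assumptions of this example, since the figures did not survive extraction. The example also records the round in which each state receives the label E[¬c2 U c1], so the example run above can be reproduced.

```python
# Added example, not code from the slides or from Huth & Ryan: the labelling
# algorithm applied to the two mutual-exclusion models. State names and atoms
# are the slides' (n = non-critical, t = trying, c = critical section); the
# transition relations below are an assumption, as the figures were lost.
from itertools import count


class Model:
    """M = (S, →, L): labels maps a state to its atoms, succ to its →-successors."""

    def __init__(self, labels, succ):
        self.states, self.labels, self.succ = list(labels), labels, succ
        for s in self.states:           # the definition of a model forbids deadlock
            assert succ[s], f"state {s} has no successor; add a deadlock state first"


def until_rounds(m, phi, psi, all_succ):
    """E[φ U ψ] (all_succ=False) or A[φ U ψ] (all_succ=True): label the ψ-states,
    then repeatedly label φ-states with a labelled successor (E) or with all
    successors labelled (A), until nothing changes. Returns (labelled, state -> round)."""
    labelled, rnd = set(psi), {s: 1 for s in psi}
    for i in count(2):
        new = {s for s in phi - labelled
               if (m.succ[s] <= labelled if all_succ else m.succ[s] & labelled)}
        if not new:
            return labelled, rnd
        labelled |= new
        rnd.update({s: i for s in new})


def eg_states(m, psi):
    """EG ψ handled directly: label all ψ-states, then delete the label from any
    state none of whose successors is labelled, until nothing changes."""
    labelled = set(psi)
    while True:
        drop = {s for s in labelled if not (m.succ[s] & labelled)}
        if not drop:
            return labelled
        labelled -= drop


def sat(m, f):
    """States of m labelled with f. Assumed encoding: 'true', 'false', an atom, or
    ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g), ('AX', f), ('EX', f),
    ('AF', f), ('EG', f), ('AG', f), ('EF', f), ('AU', f, g), ('EU', f, g)."""
    S = set(m.states)
    if f == 'true': return S
    if f == 'false': return set()
    if isinstance(f, str): return {s for s in S if f in m.labels[s]}
    op, a = f[0], [sat(m, g) for g in f[1:]]        # label the subformulas first
    if op == 'not': return S - a[0]
    if op == 'and': return a[0] & a[1]
    if op == 'or': return a[0] | a[1]
    if op == 'imp': return (S - a[0]) | a[1]
    if op == 'EX': return {s for s in S if m.succ[s] & a[0]}
    if op == 'AX': return {s for s in S if m.succ[s] <= a[0]}        # ¬EX¬
    if op == 'EU': return until_rounds(m, a[0], a[1], False)[0]
    if op == 'AU': return until_rounds(m, a[0], a[1], True)[0]
    if op == 'EF': return until_rounds(m, S, a[0], False)[0]          # E[⊤ U ψ]
    if op == 'AF': return until_rounds(m, S, a[0], True)[0]           # A[⊤ U ψ]
    if op == 'EG': return eg_states(m, a[0])
    if op == 'AG': return S - until_rounds(m, S, S - a[0], False)[0]  # ¬EF¬
    raise ValueError(f"unknown connective in {f!r}")


def check(m, s, f):
    """M, s ⊨ f: is s among the states labelled with f?"""
    return s in sat(m, f)


def atoms(name):                                    # 't1t2a' -> {'t1', 't2'}
    return {name[:2], name[2:4]}


# Assumed transition relations (not from the page) for the two modelling attempts;
# the second attempt splits t1t2 into two copies, t1t2a and t1t2b.
FIRST = Model({s: atoms(s) for s in ['n1n2', 't1n2', 'n1t2', 'c1n2', 't1t2', 'n1c2', 'c1t2', 't1c2']},
              {'n1n2': {'t1n2', 'n1t2'}, 't1n2': {'c1n2', 't1t2'}, 'n1t2': {'t1t2', 'n1c2'},
               'c1n2': {'c1t2', 'n1n2'}, 'n1c2': {'t1c2', 'n1n2'}, 't1t2': {'c1t2', 't1c2'},
               'c1t2': {'n1t2'}, 't1c2': {'t1n2'}})
SECOND = Model({s: atoms(s) for s in ['n1n2', 't1n2', 'n1t2', 'c1n2', 't1t2a', 't1t2b', 'n1c2', 'c1t2', 't1c2']},
               {'n1n2': {'t1n2', 'n1t2'}, 't1n2': {'c1n2', 't1t2a'}, 'n1t2': {'t1t2b', 'n1c2'},
                'c1n2': {'c1t2', 'n1n2'}, 't1t2a': {'c1t2'}, 't1t2b': {'t1c2'},
                'n1c2': {'t1c2', 'n1n2'}, 'c1t2': {'n1t2'}, 't1c2': {'t1n2'}})

# The four properties of the slides, in the encoding above.
SAFETY = ('AG', ('not', ('and', 'c1', 'c2')))
LIVENESS = ('AG', ('imp', 't1', ('AF', 'c1')))
NON_BLOCKING = ('AG', ('imp', 'n1', ('EX', 't1')))
NO_STRICT_SEQ = ('EF', ('and', 'c1', ('EU', 'c1', ('and', ('not', 'c1'), ('EU', ('not', 'c2'), 'c1')))))
PROPERTIES = [('safety', SAFETY), ('liveness', LIVENESS),
              ('non-blocking', NON_BLOCKING), ('no strict sequencing', NO_STRICT_SEQ)]


def labelling_rounds():
    """Round in which each state of SECOND receives E[¬c2 U c1] (the slides' example run)."""
    return until_rounds(SECOND, sat(SECOND, ('not', 'c2')), sat(SECOND, 'c1'), False)[1]


if __name__ == '__main__':
    for name, m in [('first', FIRST), ('second', SECOND)]:
        print(name, 'attempt:', {p: check(m, 'n1n2', f) for p, f in PROPERTIES})
    print('rounds for E[¬c2 U c1]:', labelling_rounds())
```

Under the assumed transitions the first attempt satisfies safety, non-blocking and no strict sequencing but fails liveness at n1n2, because from t1t2 the system can cycle t1t2 → t1c2 → t1n2 → t1t2 without c1 ever holding, so t1t2 is never labelled AF c1; the second attempt satisfies all four, and its E[¬c2 U c1] rounds come out as in the figure above.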

The SMV system. Input to SMV:

MODULE main
VAR
  request : boolean;
  status : {ready, busy};
ASSIGN
  init(status) := ready;
  next(status) := case
    request : busy;
    1 : {ready, busy};
  esac;
SPEC
  AG (request -> AF status = busy)

[Figure: the four states of this program, labelled (req, ready), (req, busy), (¬req, ready) and (¬req, busy).]

Semantics of CTL

A system with four states, and another system with four states. [Figure: both systems have states labelled r; p, t, r; q, r; and p, q.]
