Verification Lecture 3 Bernd Finkbeiner
Plan for today: CTL model checking: the basic algorithm, fairness, counterexamples and witnesses.
Review: Computation tree logic
Modal logic over infinite trees [Clarke & Emerson 1981].
Statements over states:
  $a \in AP$: atomic proposition
  $\neg\Phi$ and $\Phi \wedge \Psi$: negation and conjunction
  $E\varphi$: there exists a path fulfilling $\varphi$
  $A\varphi$: all paths fulfill $\varphi$
Statements over paths:
  $X\Phi$: the next state fulfills $\Phi$
  $\Phi\,U\,\Psi$: $\Phi$ holds until a $\Psi$-state is reached
Note that X and U alternate with A and E: $AXX\Phi$ and $AEX\Phi$ are not CTL formulas, but $AXAX\Phi$ and $AXEX\Phi$ are.
Alternative syntax: E, A, X, G, F.
Review: Existential normal form (ENF)
The set of CTL formulas in existential normal form (ENF) is given by:
  $\Phi ::= \mathrm{true} \mid a \mid \Phi_1 \wedge \Phi_2 \mid \neg\Phi \mid EX\,\Phi \mid E(\Phi_1\,U\,\Phi_2) \mid EG\,\Phi$
For each CTL formula there exists an equivalent CTL formula in ENF:
  $AX\,\Phi \equiv \neg EX\,\neg\Phi$
  $A(\Phi\,U\,\Psi) \equiv \neg E(\neg\Psi\,U\,(\neg\Phi \wedge \neg\Psi)) \wedge \neg EG\,\neg\Psi$
Review: Model checking CTL
How to check whether a state graph TS satisfies a CTL formula $\Phi$?
  convert the formula $\Phi$ into the equivalent $\Phi'$ in ENF
  compute recursively the sets $Sat(\varphi) = \{q \in S \mid q \models \varphi\}$
  $TS \models \Phi$ if and only if each initial state of TS belongs to $Sat(\Phi)$
Recursive bottom-up computation of $Sat(\Phi)$:
  consider the parse tree of $\Phi$
  start by computing $Sat(a_i)$ for all leaves in the tree
  then go one level up in the tree and determine $Sat(\cdot)$ for these nodes, e.g. for a node at level $i$ whose children are at level $i+1$: $Sat(\Psi_1 \wedge \Psi_2) = Sat(\Psi_1) \cap Sat(\Psi_2)$
  then go one level up and determine $Sat(\cdot)$ of these nodes
  and so on, until the root is treated, i.e. $Sat(\Phi)$ is computed
Basic algorithm
Require: finite transition system TS with states S and initial states I, and CTL formula $\Phi$ (both over AP)
Ensure: $TS \models \Phi$
  {compute the sets $Sat(\varphi) = \{q \in S \mid q \models \varphi\}$}
  for all $i \leq |\Phi|$ do
    for all $\psi \in Sub(\Phi)$ with $|\psi| = i$ do
      compute $Sat(\psi)$ from $Sat(\psi')$ {for maximal proper $\psi' \in Sub(\psi)$}
    end for
  end for
  return $I \subseteq Sat(\Phi)$
Characterization of Sat (1)
For all CTL formulas $\Phi, \Psi$ over AP it holds, for a given finite transition system without terminal states:
  $Sat(\mathrm{true}) = S$
  $Sat(a) = \{q \in S \mid a \in L(q)\}$, for any $a \in AP$
  $Sat(\Phi \wedge \Psi) = Sat(\Phi) \cap Sat(\Psi)$
  $Sat(\neg\Phi) = S \setminus Sat(\Phi)$
  $Sat(EX\,\Phi) = \{q \in S \mid Post(q) \cap Sat(\Phi) \neq \emptyset\}$
Characterization of Sat (2)
$Sat(E(\Phi\,U\,\Psi))$ is the smallest subset $T$ of $S$ such that:
  (1) $Sat(\Psi) \subseteq T$ and
  (2) $(q \in Sat(\Phi)$ and $Post(q) \cap T \neq \emptyset) \Rightarrow q \in T$
$Sat(EG\,\Phi)$ is the largest subset $T$ of $S$ such that:
  (3) $T \subseteq Sat(\Phi)$ and
  (4) $q \in T$ implies $Post(q) \cap T \neq \emptyset$
Computing Sat(E(Φ U Ψ)) (1)
$Sat(E(\Phi\,U\,\Psi))$ is the smallest set $T \subseteq S$ such that:
  (1) $Sat(\Psi) \subseteq T$ and
  (2) $(q \in Sat(\Phi)$ and $Post(q) \cap T \neq \emptyset) \Rightarrow q \in T$
This suggests computing $Sat(E(\Phi\,U\,\Psi))$ iteratively:
  $T_0 = Sat(\Psi)$ and $T_{i+1} = T_i \cup \{q \in Sat(\Phi) \mid Post(q) \cap T_i \neq \emptyset\}$
$T_i$ = states that can reach a $\Psi$-state in at most $i$ steps via a $\Phi$-path
By induction on $j$ it follows: $T_0 \subseteq T_1 \subseteq \dots \subseteq T_j \subseteq T_{j+1} \subseteq \dots \subseteq Sat(E(\Phi\,U\,\Psi))$
Computing Sat(E(Φ U Ψ)) (2)
TS is finite, so for some $j \geq 0$ we have $T_j = T_{j+1} = T_{j+2} = \dots$
Therefore $T_j = T_j \cup \{q \in Sat(\Phi) \mid Post(q) \cap T_j \neq \emptyset\}$.
Hence $\{q \in Sat(\Phi) \mid Post(q) \cap T_j \neq \emptyset\} \subseteq T_j$, i.e. $T_j$ satisfies (2): $(q \in Sat(\Phi)$ and $Post(q) \cap T_j \neq \emptyset) \Rightarrow q \in T_j$.
Further, $Sat(\Psi) = T_0 \subseteq T_j$, so $T_j$ satisfies (1), i.e. $Sat(\Psi) \subseteq T_j$.
As $Sat(E(\Phi\,U\,\Psi))$ is the smallest set satisfying (1) and (2): $Sat(E(\Phi\,U\,\Psi)) \subseteq T_j$, and thus $Sat(E(\Phi\,U\,\Psi)) = T_j$.
Hence: $T_0 \subseteq T_1 \subseteq T_2 \subseteq \dots \subseteq T_j = T_{j+1} = \dots = Sat(E(\Phi\,U\,\Psi))$
Computing Sat(E(Φ U Ψ)) (3)
Require: finite transition system with states S, and CTL formula $E(\Phi\,U\,\Psi)$
Ensure: $Sat(E(\Phi\,U\,\Psi)) = \{q \in S \mid q \models E(\Phi\,U\,\Psi)\}$
  $V := Sat(\Psi)$; {V administers the states $q$ with $q \models E(\Phi\,U\,\Psi)$ whose predecessors have not been inspected yet}
  $T := V$; {T contains the already visited states $q$ with $q \models E(\Phi\,U\,\Psi)$}
  while $V \neq \emptyset$ do
    let $q' \in V$; $V := V \setminus \{q'\}$;
    for all $q \in Pre(q')$ do
      if $q \in Sat(\Phi) \setminus T$ then $V := V \cup \{q\}$; $T := T \cup \{q\}$; end if
    end for
  end while
  return T
Computing Sat(EG Φ)
  $V := S \setminus Sat(\Phi)$; {V contains the not yet visited states $q'$ with $q' \not\models EG\,\Phi$}
  $T := Sat(\Phi)$; {T contains every $q$ for which $q \models EG\,\Phi$ has not yet been disproven}
  for all $q \in Sat(\Phi)$ do $c[q] := |Post(q)|$; od {initialize array c}
  while $V \neq \emptyset$ do {loop invariant: $c[q] = |Post(q) \cap (T \cup V)|$ for all $q \in T$}
    let $q' \in V$; {$q' \not\models EG\,\Phi$}
    $V := V \setminus \{q'\}$; {$q'$ has been considered}
    for all $q \in Pre(q')$ do
      if $q \in T$ then
        $c[q] := c[q] - 1$; {update counter $c[q]$ for predecessor $q$ of $q'$}
        if $c[q] = 0$ then $T := T \setminus \{q\}$; $V := V \cup \{q\}$; {$q$ does not have any successor in T} end if
      end if
    end for
  end while
  return T
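The Sat computation of the preceding slides, as an added example that is not part of the lecture: a small explicit-state CTL model checker in Python. Formulas are nested tuples, the transition system keeps Post and Pre sets, enf() applies the ENF rewriting rules, and sat() is the bottom-up computation, with sat_eu() as the backward worklist iteration for E(Φ U Ψ) and sat_eg() as the successor-counting algorithm for EG Φ. The four-state transition system EXAMPLE and every name in the block are constructed for this example.

```python
# Added example (not from the lecture): explicit-state CTL model checking by the bottom-up
# computation of Sat() over existential normal form. Formulas are nested tuples:
#   ("true",) ("ap", a) ("not", f) ("and", f, g) ("implies", f, g)
#   ("EX", f) ("AX", f) ("EU", f, g) ("AU", f, g) ("EF", f) ("AF", f) ("EG", f) ("AG", f)


class TransitionSystem:
    """Finite transition system without terminal states (needed for the Sat(EX) characterisation)."""

    def __init__(self, states, initial, edges, labels):
        self.states = frozenset(states)
        self.initial = frozenset(initial)
        self.post = {q: set() for q in self.states}
        self.pre = {q: set() for q in self.states}
        for q, r in edges:
            self.post[q].add(r)
            self.pre[r].add(q)
        assert all(self.post[q] for q in self.states), "terminal state"
        self.labels = {q: frozenset(labels.get(q, ())) for q in self.states}


def enf(f):
    """Rewrite into ENF: only true, a, and, not, EX, E(U), EG remain."""
    op = f[0]
    if op in ("true", "ap"):
        return f
    if op in ("not", "EX", "EG"):
        return (op, enf(f[1]))
    if op in ("and", "EU"):
        return (op, enf(f[1]), enf(f[2]))
    if op == "implies":  # f -> g  ==  not(f and not g)
        return enf(("not", ("and", f[1], ("not", f[2]))))
    if op == "AX":       # AX f  ==  not EX not f
        return enf(("not", ("EX", ("not", f[1]))))
    if op == "EF":       # EF f  ==  E(true U f)
        return enf(("EU", ("true",), f[1]))
    if op == "AG":       # AG f  ==  not EF not f
        return enf(("not", ("EF", ("not", f[1]))))
    if op == "AF":       # AF f  ==  not EG not f
        return enf(("not", ("EG", ("not", f[1]))))
    if op == "AU":       # A(f U g)  ==  not E(not g U (not f and not g))  and  not EG not g
        f1, g = f[1], f[2]
        return enf(("and", ("not", ("EU", ("not", g), ("and", ("not", f1), ("not", g)))),
                           ("not", ("EG", ("not", g)))))
    raise ValueError(f"unknown operator {op!r}")


def sat_eu(ts, phi, psi):
    """Sat(E(phi U psi)): least fixpoint, grown backwards from the psi-states with a worklist."""
    T, V = set(psi), list(psi)
    while V:
        r = V.pop()
        for q in ts.pre[r]:
            if q in phi and q not in T:   # phi-state with a successor already known to be in T
                T.add(q)
                V.append(q)
    return frozenset(T)


def sat_eg(ts, phi):
    """Sat(EG phi): greatest fixpoint; c[q] counts the successors of q not yet shown to violate EG phi."""
    T, V = set(phi), list(ts.states - phi)
    c = {q: len(ts.post[q]) for q in phi}
    while V:
        r = V.pop()                       # r does not satisfy EG phi
        for q in ts.pre[r]:
            if q in T:
                c[q] -= 1
                if c[q] == 0:             # q has no successor left in T
                    T.remove(q)
                    V.append(q)
    return frozenset(T)


def sat(ts, f):
    """Bottom-up Sat(f) for an ENF formula f."""
    op = f[0]
    if op == "true":
        return ts.states
    if op == "ap":
        return frozenset(q for q in ts.states if f[1] in ts.labels[q])
    if op == "not":
        return ts.states - sat(ts, f[1])
    if op == "and":
        return sat(ts, f[1]) & sat(ts, f[2])
    if op == "EX":
        s = sat(ts, f[1])
        return frozenset(q for q in ts.states if ts.post[q] & s)
    if op == "EU":
        return sat_eu(ts, sat(ts, f[1]), sat(ts, f[2]))
    if op == "EG":
        return sat_eg(ts, sat(ts, f[1]))
    raise ValueError(f"not in ENF: {op!r}")


def check(ts, f):
    """TS |= f  iff  every initial state lies in Sat(f)."""
    return ts.initial <= sat(ts, enf(f))


# Constructed example: s0 -> s1 -> s2 (self-loop, labelled b), and a cycle s0 <-> s3 that never reaches b.
EXAMPLE = TransitionSystem(
    states=["s0", "s1", "s2", "s3"], initial=["s0"],
    edges=[("s0", "s1"), ("s0", "s3"), ("s1", "s2"), ("s2", "s2"), ("s3", "s0")],
    labels={"s1": {"a"}, "s2": {"a", "b"}, "s3": {"a"}},
)
```

On EXAMPLE, Sat(EG a) = {s1, s2}: s3 satisfies a, but its only successor s0 does not, so the counter of s3 drops to zero and s3 is removed. AF b fails in the initial state because the cycle s0, s3 never reaches b, while AG EF b holds in every state.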
Alternative algorithm for Sat(EG Φ)
1. Consider a state $q$ only if $q \models \Phi$, otherwise eliminate $q$:
   change the state set to $S' = Sat(\Phi)$, giving the restricted graph $TS[\Phi]$
   all removed states do not satisfy $EG\,\Phi$ and can thus be safely removed
2. Determine all non-trivial strongly connected components in $TS[\Phi]$:
   non-trivial SCC = maximal strongly connected subgraph with at least one edge
   any state in such an SCC satisfies $EG\,\Phi$
3. $q \models EG\,\Phi$ is equivalent to: some non-trivial SCC of $TS[\Phi]$ is reachable from $q$ within $TS[\Phi]$
   this search can be done in a backward manner
Complexity
For a transition system TS with N states and M edges, and a CTL formula $\Phi$, the CTL model-checking problem $TS \models \Phi$ can be solved in time $O(|\Phi| \cdot (N + M))$.
This applies to both algorithms for $EG\,\Phi$.
Fairness
Arbiter discussed yesterday
Verilog model with three clients, three controllers and one arbiter. Type definitions: an enumeration for the arbiter's selection, an enumeration controller_state for the controllers, and the client state
  typedef enum {NO_REQ, REQ, HAVE_TOKEN} client_state;
The top-level module main(clk) declares the clock input and a wire active (assigned from the controllers' token signals) and instantiates controller1..controller3, the arbiter (on clk, the selection and active) and client1..client3, all clocked by clk and wired together through the request, acknowledge, selection and token signals.
Model checking (1)
Mutual exclusion: No two different acks are given at the same time.
  $AG\,\neg\big(((ack_1 \wedge ack_2) \vee (ack_1 \wedge ack_3)) \vee (ack_2 \wedge ack_3)\big)$
Model-checker session: read the Verilog model (arbiter.v), initialise verification, model check the formula file arbiter.ctl. Result: formula passed.
Model checking (2)
Responsiveness: Every request is eventually followed by an ack.
  $AG(req_1 \to AF\,ack_1)$, $AG(req_2 \to AF\,ack_2)$, $AG(req_3 \to AF\,ack_3)$
Same session (read arbiter.v, initialise verification, model check arbiter.ctl): the mutual exclusion formula passes, but all three responsiveness formulas fail, since a client may keep the token forever and the other clients' requests are then never acknowledged.
Client module (Verilog)
  module client: input clk, output req (declared reg req), a state register of type client_state, and a wire for a nondeterministic choice, assigned $ND(0, 1), i.e. a fresh nondeterministic bit in every step.
  initial req = 0; initial state = NO_REQ;
  always @(posedge clk) begin case (state)
    NO_REQ: if the nondeterministic choice is set, begin req = 1; state = REQ; end
    REQ: if the acknowledge from the controller is set, state = HAVE_TOKEN;
    HAVE_TOKEN: if the nondeterministic choice is set, begin req = 0; state = NO_REQ; end
  endcase end
  endmodule
Fairness constraints
Fairness: We are only interested in paths where the clients release the token infinitely often.
arbiter.fair (one constraint per client; each must hold infinitely often along a fair path):
  $\neg(client_1.state = HAVE\_TOKEN)$
  $\neg(client_2.state = HAVE\_TOKEN)$
  $\neg(client_3.state = HAVE\_TOKEN)$
Session: read the fairness file arbiter.fair, then model check arbiter.ctl again. Now all four formulas pass: the mutual exclusion formula and $AG(req_i \to AF\,ack_i)$ for $i = 1, 2, 3$.
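The SCC-based algorithm for EG Φ and the fairness constraints above, as an added example that is not the lecture's code and not a translation of its Verilog model: a Python model of an n-client token arbiter (constructed here: in each step idle clients may request, the holder may release, and a free token goes round-robin to the first requester after the last holder), plus fair_eg(), which computes Sat(E_fair G Φ) by restricting to Φ-states, keeping the non-trivial SCCs that meet every fairness set, and searching backwards. With an empty list of fairness constraints fair_eg() is exactly the alternative EG algorithm. All function, state and signal names are the example's own.

```python
# Added example (not the lecture's code, not a translation of its Verilog): CTL model checking
# under fairness constraints via non-trivial strongly connected components. All names are the
# example's own; the arbiter model is constructed here.
from itertools import product

NO_REQ, REQ, HAVE_TOKEN = "N", "R", "H"   # client states, named as in the lecture's client module

def arbiter_model(n):
    """Constructed n-client arbiter. State = (tuple of client states, index of the last token holder).
    One clock step, all clients at once: NO_REQ may raise req; HAVE_TOKEN may release; a free token is
    granted to the first REQ client in cyclic order after the last holder (the arbiter never delays)."""
    init = (tuple(NO_REQ for _ in range(n)), n - 1)
    states, edges, labels, todo = set(), set(), {}, [init]
    while todo:
        s = todo.pop()
        if s in states:
            continue
        states.add(s)
        clients, last = s
        labels[s] = ({f"req{i}" for i, c in enumerate(clients) if c != NO_REQ}
                     | {f"ack{i}" for i, c in enumerate(clients) if c == HAVE_TOKEN})
        grant = None
        if HAVE_TOKEN not in clients:
            grant = next((i for i in ((last + k) % n for k in range(1, n + 1)) if clients[i] == REQ), None)
        choices = []
        for i, c in enumerate(clients):
            if c == NO_REQ:
                choices.append((NO_REQ, REQ))
            elif c == REQ:
                choices.append((HAVE_TOKEN,) if grant == i else (REQ,))
            else:
                choices.append((HAVE_TOKEN, NO_REQ))
        for nxt in product(*choices):
            t = (nxt, last if grant is None else grant)
            edges.add((s, t))
            todo.append(t)
    post = {q: set() for q in states}
    pre = {q: set() for q in states}
    for q, r in edges:
        post[q].add(r)
        pre[r].add(q)
    return states, {init}, post, pre, labels

def reach(targets, adj, within):
    """States of `within` that reach `targets` along `adj`; with adj = pre this is Sat(E(within U targets))."""
    seen, todo = set(targets), list(targets)
    while todo:
        r = todo.pop()
        for q in adj[r]:
            if q in within and q not in seen:
                seen.add(q)
                todo.append(q)
    return seen

def nontrivial_sccs(nodes, post, pre):
    """Non-trivial SCCs (at least one edge inside) of the subgraph induced by `nodes`, by Kosaraju's algorithm."""
    order, seen = [], set()
    for root in nodes:                       # pass 1: DFS finishing order on the restricted graph
        if root in seen:
            continue
        seen.add(root)
        stack = [(root, iter(post[root]))]
        while stack:
            v, succs = stack[-1]
            for w in succs:
                if w in nodes and w not in seen:
                    seen.add(w)
                    stack.append((w, iter(post[w])))
                    break
            else:
                stack.pop()
                order.append(v)
    comps, assigned = [], set()
    for v in reversed(order):                # pass 2: sweep the transposed graph in reverse finishing order
        if v not in assigned:
            comp = reach([v], pre, nodes - assigned)
            assigned |= comp
            if len(comp) > 1 or v in post[v]:
                comps.append(frozenset(comp))
    return comps

def fair_eg(phi, post, pre, fairness):
    """Sat(E_fair G phi): phi-states that reach, through phi-states, a non-trivial SCC of the phi-subgraph
    meeting every fairness set. fairness == [] gives the lecture's alternative algorithm for Sat(EG phi)."""
    good = set()
    for comp in nontrivial_sccs(phi, post, pre):
        if all(comp & f for f in fairness):
            good |= comp
    return reach(good, pre, phi)

def release_fairness(model):
    """The constraints of arbiter.fair: each client is infinitely often not in HAVE_TOKEN."""
    states, _, _, _, labels = model
    n = len(next(iter(states))[0])
    return [{q for q in states if f"ack{i}" not in labels[q]} for i in range(n)]

def mutual_exclusion(model):
    """AG 'no two acks at once', checked over the reachable states."""
    return all(sum(c == HAVE_TOKEN for c in clients) <= 1 for clients, _ in model[0])

def responsive(model, i, fairness):
    """A_fair G (req_i -> A_fair F ack_i). It fails exactly at the states satisfying
    E_fair F (req_i and E_fair G not ack_i): a reachable req_i-state with a fair path avoiding ack_i forever."""
    states, init, post, pre, labels = model
    req = {q for q in states if f"req{i}" in labels[q]}
    not_ack = {q for q in states if f"ack{i}" not in labels[q]}
    bad = reach(req & fair_eg(not_ack, post, pre, fairness), pre, states)
    return not (init & bad)

if __name__ == "__main__":
    m = arbiter_model(3)
    print("mutual exclusion:", mutual_exclusion(m))
    print("responsive, no fairness:", [responsive(m, i, []) for i in range(3)])
    print("responsive, arbiter.fair:", [responsive(m, i, release_fairness(m)) for i in range(3)])
```

responsive() mirrors the slide's outcome: without constraints every AG(req_i → AF ack_i) fails, because a holder may keep the token forever, which is a self-loop inside the ¬ack_i subgraph; with the release constraints every fair cycle in that subgraph must contain a release, every release is followed by a grant, and round-robin granting cannot skip a pending requester indefinitely, so no fair SCC avoiding ack_i is reachable from a req_i-state.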