About ACTLW and the implementation of a BDD based model checker - PowerPoint PPT Presentation
1
About ACTL-W and the implementation of a BDD
based model checker
ISTI, Pisa
Friday, February 13, 2004
Robert Meolic Faculty of EECS, Maribor, Slovenia
2
About ACTL-W and the implementation of a BDD
based model checker
  • About our work on this project
  • definition of new action-based temporal logic,
  • fixed point characterisation, global model
    checking, witnesses and counterexamples,
  • EST - a free, open source tool incorporating
    ACTL-W.
  • About this presentation
  • an introduction of ACTL-W,
  • ACTL-W versus ACTL proposed in 1990,
  • a short overview of a BDD-based ACTL-W model
    checker
  • demonstration of EST under Windows.

3
Labelled Transition System
  • A labelled transition system is a 4-tuple L (S,
    At, d, s0) where
  • S is a non-empty set of states
  • At is a finite, non-empty set of actions
    containing visible actions and silent action t
    not visible to an external observer
  • d ? S ? At ? S is the transition relation
  • s0 is the initial state.

States: p0, p1, p2, p3. Actions: a!, b!, c!, ?
4
A path ? in the LTS
  • st (p, 0) is the first state on the path p,
  • st (p, i ) is a state reached after the i-th
    transition on p (i ? 1),
  • act (p, i ) is an action executed during the
    i-th transition on p (i ? 1).

5
Action-based temporal logic
  • A state where state formula ? holds is called ?
    -state
  • a transition (p, a, q) where action formula ?
    holds for action a is called ?-transition
  • a ?-transition (p, a, q) where state formula ?
    holds in state q is called (?, ?)-transition.

? - state
? - transition
(?, ?) - transition
6
Computation Tree Logic (CTL)
7
The idea of Action CTL
EX ? ?
AX ? ?
E? ? U ? ?
A? ? U ? ?
8
The idea of Action CTL (cont.)
EX ? ?
EF ? ?
EG ? ?
9
Definition of ACTL-W (2003)
U Until
W Unless (Weak Until)
ACTL-W Action CTL with Unless Operator
10
ACTL-W operators
11
Deadlocked states
  • In a deadlocked state, formulae E? ? W ?
    ?, A?? W ? ?, EG ? ?, and AG ? ?
    hold iff the state is a ? -state.
  • Formulae E? ? U ? ?, A?? U ? ?,
    EX ? ?, AX ? ?, EF ? ?, and AF ? ?, do
    not hold in a deadlocked state.
  • If there exists a finite fullpath starting in
    state p which is an empty fullpath or consists
    only of (?, ?) -transitions, then ACTL formulae
    E? ? W ? ? and EG ?? hold in state p
    iff p is a ? -state.
  • If there exists a finite fullpath starting in
    state p which is an empty fullpath or consists
    only of transitions which are not (?, ?)
    -transitions, then ACTL formulae A?? U ?
    ? and AF ? ? do not hold in state p.

12
Even better definition of ACTL-W
g ? ? U ? ? ? ? W ? ?
Strict ACTL-W operators allow a more elegant
definition of the semantics and also more structured
model checking algorithms.
E? ? U ? ? ? ? E ? ? U ? ?
E? ? W ? ? ? ? E ? ? W ? ?
EG ? ? ? ? EG ? ?
13
Useful abbreviations
Equal to CTL !
14
Adequate sets of ACTL-W operators
1. By definition: EU, EW, AU, AW
2. An important adequate set: EU, EG, AW, AF
CTL: the usually used adequate set has 3 elements
(EX, EG, EU); the minimal adequate set has 2 elements
(EU>, AU>).
ACTL-W: the minimal adequate set has 4 elements!
we do not have a formal proof, yet
15
ACTL-W Model Checking
E? ? U ? ? is valid if there exists the
following path
EG ? ? is valid if there exists the following
path
16
ACTL-W Model Checking (cont.)
A? ? W ? ? is not valid if there exists
the following path
AF ? ? is not valid if there exists the
following path
17
ACTL-W versus ACTL
  • ACTL was introduced by R. De Nicola and F.
    Vaandrager in 1990
  • ACTL-W can render all formulae expressible in
    ACTL.

The converse is not true. There exists a path
consisting only of ?-transitions such that in all
states on this path action a can be
performed. EG (EX a) ?
we do not have a formal proof, yet
18
Conclusion of the first part
  • ACTL-W is a new, enriched variant of Action
    CTL.
  • Using ACTL-W, the properties can be expressed
    with patterns similar to those used with CTL.
  • ACTL-W model checking and counterexamples
    generation can be implemented using fixed point
    calculation.
  • We have incorporated ACTL-W in a BDD-based tool
    EST.

Efficient Symbolic Tools
GNU General Public License, Linux, MS Windows,
Solaris
http://lms.uni-mb.si/EST/
19
A BDD based model checker
  • You have
  • a BDD package with Bdd_ITE (f, g, h),
    Bdd_Cmp (f, g), Bdd_E (f, var), Bdd_A(f,
    var), Bdd_Rename(f, var1, var2),
    Bdd_Restrict(f, var, const), Bdd_Compose(f, var,
    g)
  • a process algebra package (or LTS package) with
    Pa_ReadProcess (FILE), Pa_EncodeProcess
    (name), Pa_ExtractState (set),
    Pa_ExtractTransition (set)
  • transitions encoded as (r, a, s)

You want to implement a symbolic model checker.
20
BNF for ACTL-W
  • <ACTL> 'FALSE' 'TRUE'
  • <ACTL> 'E' '' <LEFT> 'U' <RIGHT> ''
  • <ACTL> 'A' '' <LEFT> 'U' <RIGHT> ''
  • <ACTL> 'E' '' <LEFT> 'W' <RIGHT> ''
  • <ACTL> 'A' '' <LEFT> 'W' <RIGHT> ''
  • <ACTL> 'EX' <RIGHT> 'AX' <RIGHT>
  • <ACTL> 'EF' <RIGHT> 'AF' <RIGHT>
  • <ACTL> 'EG' <LEFT> 'AG' <LEFT>
  • <ACTL> '(' <ACTL> ')' 'NOT' <ACTL>
  • <ACTL> 'AND' <ACTL> <ACTL> 'OR' <ACTL>
  • <ACTL> 'EQV' <ACTL> <ACTL> 'IMPL' <ACTL>
  • <LEFT> <ACTL> <ACTL> '' <ACTION> '' '' <ACTION> ''
  • <RIGHT> <ACTL> '' <ACTION> '' <ACTL> '' <ACTION> ''
  • <ACTION> 'FALSE' 'TRUE' 'TAU' visible_action
  • <ACTION> '(' <ACTION> ')' 'NOT' <ACTION>
  • <ACTION> 'AND' <ACTION> <ACTION> 'OR' <ACTION>
  • <ACTION> 'IMPL' <ACTION> <ACTION> 'EQV' <ACTION>

21
Symbolic model checking
operations on LTSs
operations on BDDs
operations on Boolean functions
22
Function Mc_CheckEEU E? ? U ? ?
  Bdd_Edge Mc_CheckEEU
    (Bdd_Edge D, Bdd_Edge s1, Bdd_Edge a1, Bdd_Edge a2, Bdd_Edge s2)
  {
    Bdd_Edge last, Z, tmp1, tmp2, tmp3;

    /* IF THERE ARE NO TRANSITIONS IN THE PROCESS */
    if (Bdd_Cmp(D, bdd_termFalse)) return bdd_termFalse;

    /* LEAST FIXED POINT CALCULATION */
    last = bdd_termNull;
    Z = bdd_termFalse;
    while (!Bdd_Cmp(Z, last)) {
      last = Z;
      tmp1 = Bdd_AND(a1, Z);          /* chi-transitions leading into Z */
      tmp2 = Bdd_AND(a2, s2);         /* chi'-transitions leading into phi'-states */
      tmp3 = Bdd_OR(tmp1, tmp2);
      tmp3 = Bdd_R2S(tmp3);           /* move the state part to the target position s of (r, a, s) */
      tmp3 = Bdd_AND_ExAS(D, tmp3);   /* conjoin with D and quantify away a and s: the EX step */
      tmp3 = Bdd_AND(s1, tmp3);       /* the source state must be a phi-state */
      Z = tmp3;                       /* the slide ends here; this assignment and the return are assumed */
    }
    return Z;
  }

(Figure: annotations of the code above, relating it to the transition relation and the EX( V ) operator.)
23
Function Mc_CheckEEU - some details
Let L (S, At, d, s0) be a finite-state LTS. We
introduce a formula EX(c?V c?), which
holds in a state p iff there exists either a (?,
?)-transition or a (?, ?)-transition from state
p.
This new operator helps us to express a fixed
point formula for EU.
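An added example (not code from the slides or from EST) of the EU least fixed point computed by Mc_CheckEEU together with the EW greatest fixed point covering the deadlocked-state rule of slide 11, written in explicit-state Python with sets of states in place of BDDs; the LTS, its action names and all function names are constructed for the example.

```python
from typing import Callable, FrozenSet, Set, Tuple

Transition = Tuple[str, str, str]       # (source state, action, target state)
ActionForm = Callable[[str], bool]      # action formula chi as a predicate on action names
StateSet = FrozenSet[str]               # state formula phi as the set of states where it holds

# Constructed LTS (not the one on the slides): p3 is a deadlocked state.
TRANS: Set[Transition] = {
    ("p0", "a!", "p1"), ("p1", "tau", "p2"), ("p2", "b!", "p0"), ("p1", "c!", "p3"),
}
STATES: StateSet = frozenset({"p0", "p1", "p2", "p3"})
TRUE_A: ActionForm = lambda a: True
FALSE_A: ActionForm = lambda a: False

def ex_or(trans: Set[Transition], chi: ActionForm, Z: StateSet,
          chi2: ActionForm, S2: StateSet) -> StateSet:
    """EX(chi Z v chi' S2) of slide 23: states with a (chi, Z)- or a (chi', S2)-transition."""
    return frozenset(p for (p, a, q) in trans if (chi(a) and q in Z) or (chi2(a) and q in S2))

def deadlocked(trans: Set[Transition], states: StateSet) -> StateSet:
    """States with no outgoing transition."""
    return states - frozenset(p for (p, _, _) in trans)

def check_eeu(trans, s1: StateSet, a1: ActionForm, a2: ActionForm, s2: StateSet) -> StateSet:
    """E[phi{chi}U{chi'}phi'] as the least fixed point Z = s1 AND EX(a1 Z v a2 s2), the set
    version of Mc_CheckEEU. A witness needs at least one transition, so EU never holds
    in a deadlocked state (slide 11)."""
    Z, last = frozenset(), None
    while Z != last:
        last = Z
        Z = s1 & ex_or(trans, a1, Z, a2, s2)
    return Z

def check_eew(trans, states, s1: StateSet, a1: ActionForm, a2: ActionForm, s2: StateSet) -> StateSet:
    """E[phi{chi}W{chi'}phi'] as a greatest fixed point. A fullpath of (chi, phi)-transitions
    may be finite and end in a deadlocked state, so a deadlocked state satisfies EW
    iff it is a phi-state (slide 11)."""
    Z, last = states, None
    while Z != last:
        last = Z
        Z = s1 & (ex_or(trans, a1, Z, a2, s2) | deadlocked(trans, states))
    return Z

def check_eg(trans, states, a1: ActionForm, s1: StateSet) -> StateSet:
    """EG[chi]phi = E[phi{chi}W{false}false]."""
    return check_eew(trans, states, s1, a1, FALSE_A, frozenset())
```

The contrast between check_eeu and check_eew on the deadlocked state p3 is exactly the first two bullets of slide 11: with phi = {p3}, EW holds in p3 and EU does not.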
24
EST - An example
A crossing of a road and a railway
The crossing consists of two barriers and train
traffic lights.
1. The barriers have to be kept down when the train
   crosses.
2. The train can cross only if the traffic lights are
   green, otherwise it has to stop.
25
EST - An example (cont.)
26
Conclusion
  • My work during my stay at ISTI
  • to study ACTL, mu-ACTL and ACTL-W in detail
  • to give an axiomatisation for ACTL-W (based on
    the work of S. Gnesi)
  • to study counterexamples and witnesses for ACTL,
    its subsets and extensions, with special interest
    in counterexample and witness automata for CTL and
    ACTL (based on the work of A. Fantechi)
  • to implement BDD-based algorithms for
    counterexample and witness automata and to
    integrate them into EST and JACK.

27
About ACTL-W and the implementation of a BDD
based model checker
Thank you!