Li Tan - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
  • Witness and Counterexample
  • Li Tan
  • tanli_at_saul.cis.upenn.edu
  • Oct. 15, 2002

2
Informal Definition
  • What is a witness for M ⊨ f?
  • A witness W should be a subsystem of M.
  • W should be small.
    • M is itself a witness of f, but it is useless.
  • W ⊨ f.
    • Any property held by any system T should also be held by the system T' of which T is a subsystem.
    • To show M ⊨ f, it is enough to show the relation between M and W.
  • Viability.
    • Completeness w.r.t. a logic.
      • Each formula in this logic should have a well-defined witness if it is satisfied by the model.
    • Simple and efficient.
      • A witness should be verified and analyzed efficiently.
    • Effectiveness.
      • There exists an effective algorithm for generating the witness.

3
Informal Definition
  • Counterexample is just the dual of witness.
    • C is a counterexample for M ⊨ φ iff C is a witness of M ⊨ ¬φ.
  • A counterexample always exists if
    • the logic is complete under negation, i.e., φ ∈ L ⇒ ¬φ ∈ L, and
    • the definition of witness is complete in L.
  • The mechanisms for generating witnesses and counterexamples are the same.
  • For historical reasons, many model checkers like SMV and SPIN only use the notion of counterexample.
  • Our reference to witness/counterexample will be chosen depending on the context.

4
Why do we need them?
  • Counterexamples can be used for:
    • Debugging the design.
    • Counterexample-based abstraction refinement.
      • The abstraction is conservative, so it may cause false alarms.
      • A counterexample is generated after checking the abstract system; if it is
        • a real trace, then the model checker terminates with "no";
        • not a real trace, then refine the abstraction (add more predicates etc.) and redo the model checking.
  • Witnesses can be used for:
    • Enabling efficient checking of the correctness.
      • Verifying the result = verifying the property on the witness + proving that the witness is a subsystem of the model.
    • Generating tests.
      • Any system that contains the witness should possess the property.

5
Formal Definition
  • The informal definition is ambiguous:
    • What is the context of the definition? ⇒ Fix a logic.
    • What is a subsystem? ⇒ Define a preordering ≼ on transition systems.
  • Definition (Natural Preorder of a Logic)
    • Let L be a temporal logic. ≼ on transition systems is a natural preordering of L iff, for every f ∈ L, if T ⊨ f and T ≼ T', then T' ⊨ f.
  • Definition (Witness and Counterexample)
    • Let ≼ be a natural preordering for the logic L (¬L). C is a witness (counterexample) for M ⊨ f, f ∈ L, if
      • C ⊨ f (C ⊨ ¬f), and
      • C ≼ M.
  • Our mission: fix L, then find ≼.

6
Kripke Structure and CTL*
  • Definition (Kripke Structure)
    • A transition system will be modeled as a Kripke structure K = <S, s0, →, A, V> where
      • S is the set of states,
      • s0 ∈ S is the starting state,
      • → ⊆ S × S is the transition relation,
      • A is the set of atomic propositions,
      • V: A → 2^S is the evaluation of the atomic propositions.

7
CTL* Syntax
  • Formulae in Computation Tree Logic (CTL*) are syntactically constructed by
    • S ::= a | ¬a | S ∧ S | S ∨ S | A P | E P
    • P ::= S | P ∧ P | P ∨ P | X P | P U P | P R P
  • S is a state formula, and P is a path formula.
  • A (for all paths) and E (there exists a path) are the path quantifiers.
  • U and R are the until and release operators.
  • X is the next-time operator.
  • A CTL* formula is a state formula.
  • Sometimes we write G P (always holds) for false R P, and F P (eventually holds) for true U P.

8
Semantics of path formulae
9
Semantics of state formulae
  • s ⊨_T a if s ∈ V(a)
  • s ⊨_T ¬a if s ∉ V(a)
  • s ⊨ A P if π ⊨ P for every path π from s.
  • s ⊨ E P if there exists a path π from s such that π ⊨ P.

10
LTL, CTL, and ACTL
  • Linear Temporal Logic (LTL) is the sublogic of CTL* which contains no path quantifier.
    • Semantically, the LTL formula f ≡ the CTL* formula A f.
    • Intuitively, LTL checks all the possible paths simultaneously.
  • CTL is the sublogic of CTL* such that each temporal operator (X, U, R) must be immediately preceded by a path quantifier (A, E).
  • ACTL is the sublogic of CTL in which the only path quantifier permitted is A.

11
An example
  • Does T satisfy the LTL formula F(G y)?
  • Does T satisfy the ACTL formula AF(y ∧ AX X)?
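The definitions on slides 6, 7 and 9 and the question on slide 11 can be made concrete with a small explicit-state CTL checker. This is an added example, not code from the slides: the Kripke structure, the tuple encoding of formulas, and the reading of the atom written "X" on the slide as a proposition x are all constructed assumptions.

```python
# Added example (not from the slides): a Kripke structure and an explicit-state
# CTL model checker. All identifiers and the sample structure are constructed.

class Kripke:
    """Kripke structure K = <S, s0, ->, A, V>, stored per state for convenience."""
    def __init__(self, states, s0, transitions, labelling):
        self.S = set(states)
        self.s0 = s0
        self.succ = {s: set() for s in states}
        for a, b in transitions:
            self.succ[a].add(b)
        # labelling[s] = atoms holding in s; the slide's V(a) is {s | a in labelling[s]}
        self.V = {s: frozenset(labelling.get(s, ())) for s in states}

def check(K, f):
    """Return the set of states of K satisfying the CTL formula f.

    Formulas are nested tuples: ('true',), ('atom', 'y'), ('not', f), ('and', f, g),
    ('or', f, g), ('EX', f), ('AX', f), ('EU', f, g), ('EG', f), ('EF', f),
    ('AF', f), ('AG', f).  The transition relation is assumed to be total
    (every state has a successor), which AF = not EG not relies on.
    """
    op = f[0]
    if op == 'true':
        return set(K.S)
    if op == 'atom':
        return {s for s in K.S if f[1] in K.V[s]}
    if op == 'not':
        return K.S - check(K, f[1])
    if op == 'and':
        return check(K, f[1]) & check(K, f[2])
    if op == 'or':
        return check(K, f[1]) | check(K, f[2])
    if op == 'EX':
        p = check(K, f[1])
        return {s for s in K.S if K.succ[s] & p}
    if op == 'AX':
        p = check(K, f[1])
        return {s for s in K.S if K.succ[s] <= p}
    if op == 'EU':   # least fixpoint: E[p U q] = q or (p and EX E[p U q])
        p, q = check(K, f[1]), check(K, f[2])
        z = set(q)
        while True:
            new = z | {s for s in p if K.succ[s] & z}
            if new == z:
                return z
            z = new
    if op == 'EG':   # greatest fixpoint: EG p = p and EX EG p
        z = check(K, f[1])
        while True:
            new = {s for s in z if K.succ[s] & z}
            if new == z:
                return z
            z = new
    if op == 'EF':
        return check(K, ('EU', ('true',), f[1]))
    if op == 'AF':
        return K.S - check(K, ('EG', ('not', f[1])))
    if op == 'AG':
        return K.S - check(K, ('EF', ('not', f[1])))
    raise ValueError(f"unknown operator {op!r}")

def satisfies(K, f):
    """M |= f means the starting state satisfies f."""
    return K.s0 in check(K, f)

def sample():
    # Constructed sample: s0 may stall forever or move to s1; s1 -> s2; s2 loops.
    return Kripke(['s0', 's1', 's2'], 's0',
                  [('s0', 's0'), ('s0', 's1'), ('s1', 's2'), ('s2', 's2')],
                  {'s1': {'y'}, 's2': {'x', 'y'}})

# The ACTL formula of slide 11, with the atom "X" read as proposition x (assumption).
AF_Y_AND_AX_X = ('AF', ('and', ('atom', 'y'), ('AX', ('atom', 'x'))))

if __name__ == '__main__':
    K = sample()
    print(sorted(check(K, AF_Y_AND_AX_X)))   # ['s1', 's2']
    print(satisfies(K, AF_Y_AND_AX_X))       # False: the path s0 s0 s0 ... never reaches y
```

The failing path s0 s0 s0 ... is exactly the kind of object the rest of the talk turns into a counterexample: the subsystem consisting of s0 with its self-loop is a subsystem of the sample and already violates the formula.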

12
Counterexample in LTL
  • Customizing the definition of counterexample:
    • Fix the logic: LTL.
    • Fix the preordering relation ≼: language inclusion (∈), i.e., π ≼ M iff π ∈ L(M).
  • Definition
    • Let f be an LTL formula. A path π is a linear counterexample for the model-checking problem M ⊨ f if π ⊨ ¬f and π ∈ L(M).
  • Is the definition complete?
    • If M ⊭ f, then we can always find a π ∈ L(M) as a counterexample. Why?

13
LTL model checking via Büchi tree automaton
  • A generalized Büchi tree automaton is a tuple <Q, q0, →, l, 𝓕> where
    • Q is the set of states with q0 as the starting state,
    • → ⊆ Q × Q is the transition relation,
    • l: Q → {a, ¬a, ∧, ∨, <>, []} is the labeling,
    • 𝓕 ⊆ 2^Q is the Büchi acceptance condition.

14
An example
15
Acceptance Condition of BTA
  • A run R of B on T is a maximal tree with (s0, q0) as the root such that
    • if (s, q) ∈ R and l(q) = ∧ (∨), then (s, q') is a child of (s, q) in R for every (some) child q' of q;
    • if (s, q) ∈ R, l(q) = [] (<>), and q' is a child of q, then (s', q') is a child of (s, q) in R for every (some) successor s' of s.
  • R is a successful run if
    • each leaf (s, l) is successful (i.e., s ∈ V(l)), and
    • any infinite path in R visits some nodes in F infinitely often, for every F ∈ 𝓕.
  • B accepts T if there is a successful run of B on T.

16
Büchi automaton as the temporal specification
  • G_{T,B} = <S', →', L> is the product graph for B and T if
    • S' = S × Q,
    • if q → q' and
      • l(q) ∈ {∨, ∧}, then <s, q> →' <s, q'>;
      • l(q) = <> ([]), then <s, q> →' <s', q'> for some (all) s → s';
    • L(<s, q>) = ∨ for l(q) ∈ {∨, <>}, and L(<s, q>) = ∧ otherwise.

17
Büchi automaton-based model checking
  • A successful run ⇔ a successful subgraph in G_{T,B}:
    • G is a subgraph of G_{T,B} iff <s, q> keeps some (all) of its children if L(<s, q>) = ∨ (L(<s, q>) = ∧).
    • A subgraph is successful if
      • all the leaves are true, and
      • any (non-trivial) strongly connected component covers some nodes in F, for every F ∈ 𝓕.
  • Searching for a successful subgraph:
    • Mark all the leaves with true/false depending on the labeling, then propagate the values.
    • For the nodes in a strongly connected component (SCC), mark the nodes as true/false depending on the coverage of the SCC on 𝓕, then propagate the values.
    • Eventually, all the nodes will be marked as true/false.

18
An example
19
[Figure: the product graph G_{T,B} for the example, with nodes (s1,q0) ∧, (s0,q0) ∧, (s2,q0) ∧, (s0,q1) ∨, (s1,q1) ∨, (s2,q1) ∨, (s2,q3) ∧, (s2,q4) ∨, (s1,q3) ∧, (s1,q4) ∨, (s0,q3) ∨, (s0,q4) ∧, (s0,q2) ∨, (s1,q2) ∨, (s2,q2) ∨ and the leaves false and true]

20
[Figure: the same product graph as on slide 19]
21
Translate an LTL formula to a never-claim BTA
  • Construct the BTA for ¬f by

22
Translate an LTL formula (cont.)
  • 2. For each φ = P1 U P2, there is an F ∈ 𝓕 such that F = {q | (φ ∉ q ∧ Xφ ∉ q) or P2 ∈ q}.
    • Basically, F won't contain any node of a loop on which P1 U P2 reproduces itself ⇒ P2 will eventually be satisfied.

23
Translate F(G y)
  • ¬A(F(G y)) ≡ E(G(F ¬y))

[Figure: the BTA for E(G(F ¬y)); the nodes read off the slide are]
E(G(F ¬y))
E(XG(F ¬y), F ¬y)
E(G(F ¬y))
E(XG(F ¬y), ¬y)
E(XG(F ¬y))
E(XG(F ¬y), XF ¬y)
24
Step 1: find a successful subgraph

[Figure: the successful subgraph, with nodes (s0,q0) ∧, (s2,q0) ∧, (s0,q1) ∨, (s1,q1) ∨, (s2,q1) ∨, (s2,q4) ∨, (s1,q3) ∧, (s0,q4) ∧, (s1,q2) ∨ and the leaf true]
25
Step 2: Get the skeleton
  • Recursively remove branches (s, q) → (s', q') such that (s', q') is a leaf and l(q) ∉ {<>, []}.

[Figure: the skeleton, with nodes (s0,q0) ∧, (s2,q0) ∧, (s0,q1) ∨, (s1,q1) ∨, (s2,q1) ∨, (s2,q4) ∨, (s1,q3) ∧, (s0,q4) ∧, (s1,q2) ∨]
26
Step 3: Unroll the skeleton and get a path.
  • (s0, q0) (s0, q1) (s0, q4) (s1, q1) (s1, q3) (s1, q2) ((s2, q0) (s2, q1) (s2, q4))^ω
  • s0 s0 s0 s1 s1 s1 (s2 s2 s2)^ω

27
Step 4: Eliminate the redundancy
  • Remove (s', q') from (s, q)(s', q') if l(q) ∉ {<>, []}.
  • (s0, q0) (s0, q1) (s0, q4) (s1, q1) (s1, q3) (s1, q2) ((s2, q0) (s2, q1) (s2, q4))^ω
  • ⇒ (s0, q0) (s1, q1) ((s2, q0))^ω
  • ⇒ s0 s1 (s2)^ω

28
Is there a witness / counterexample for CTL?
  • Any two Kripke structures which are not bisimilar are distinguishable by a CTL formula [Mil71].
    • ⇒ Let ≼ be a natural order for CTL; then T1 ≼ T2 iff T1 bisimulates T2.
    • ⇒ The witness (counterexample) for any T ⊨ f must also bisimulate T.
  • Bisimilarity on Kripke structures is basically isomorphism of graphs.
    • ⇒ The witness and counterexample are trivial in CTL.

29
Counterexample for ACTL
  • The simulation preordering is a natural preordering for ECTL ⇒ witnesses for ECTL and counterexamples for ACTL are well-defined.
  • Most desirable safety and fairness properties can be expressed in ACTL.
  • Definition (Simulation Preordering ≼sim)
    • ≼sim is a simulation preordering on T iff for every s ≼sim s1 and s → s', there exists an s1 → s1' such that s' ≼sim s1'.
    • T1 ≼sim T2 if s10 ≼sim s20, where s10 and s20 are the starting states of T1 and T2.

30
Tree-like Counterexample for ACTL
  • Let f be an ACTL formula and M ⊭ f. Then there exists a tree-like Kripke structure C ≼sim M such that C ⊨ ¬f [CJLV02].
  • C is a tree-like Kripke structure if
    • its (strongly connected) component graph is a tree, and
    • the only strongly connected components permitted in C are cycles.
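Slides 29 and 30 give two checks a practitioner needs on a candidate ACTL counterexample C: that C ≼sim M (the subsystem condition) and that C is tree-like. The following added example (not code from the slides) implements both: the greatest simulation relation by iterative pair removal, and the tree-like test via strongly connected components. Structures are (succ, label, s0) triples constructed here; the example also requires related states to carry equal atomic labels, the usual side condition, which the slide's definition leaves implicit.

```python
# Added example (not from the slides): simulation preorder and tree-likeness checks.
# A structure is (succ, label, s0): successor sets, atoms per state, start state.

def greatest_simulation(C, M):
    """Largest relation R such that (c, m) in R only if every move of c is matched by m."""
    succ_c, lab_c, _ = C
    succ_m, lab_m, _ = M
    R = {(c, m) for c in succ_c for m in succ_m if lab_c[c] == lab_m[m]}
    changed = True
    while changed:          # drop pairs until the simulation condition is stable
        changed = False
        for c, m in list(R):
            matched = all(any((c2, m2) in R for m2 in succ_m[m]) for c2 in succ_c[c])
            if not matched:
                R.discard((c, m))
                changed = True
    return R

def simulated_by(C, M):
    """C <=sim M iff the start states are related by the greatest simulation."""
    return (C[2], M[2]) in greatest_simulation(C, M)

def sccs(succ):
    """Tarjan's algorithm; returns the strongly connected components as frozensets."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a component
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))
    for v in succ:
        if v not in index:
            visit(v)
    return out

def is_tree_like(K):
    """Every SCC is a (possibly trivial) cycle and the component graph is a tree rooted at s0."""
    succ, _, s0 = K
    comps = sccs(succ)
    comp_of = {v: c for c in comps for v in c}
    # cycle condition: at most one successor of each state stays inside its component
    for v in succ:
        if len([w for w in succ[v] if comp_of[w] == comp_of[v]]) > 1:
            return False
    # tree condition: the root component has no incoming edge, every other exactly one
    edges = {(comp_of[v], comp_of[w]) for v in succ for w in succ[v] if comp_of[v] != comp_of[w]}
    indeg = {c: 0 for c in comps}
    for _, dst in edges:
        indeg[dst] += 1
    root = comp_of[s0]
    return indeg[root] == 0 and all(indeg[c] == 1 for c in comps if c != root)

# Constructed model M and candidate counterexamples for AF(y and AX x).
M = ({'s0': {'s0', 's1'}, 's1': {'s2'}, 's2': {'s2'}},
     {'s0': set(), 's1': {'y'}, 's2': {'x', 'y'}}, 's0')
C_GOOD = ({'c0': {'c0'}}, {'c0': set()}, 'c0')                 # (s0)^w: never sees y
C_BAD = ({'d0': {'d1'}, 'd1': {'d1'}},                         # d1 loops with label {y},
         {'d0': set(), 'd1': {'y'}}, 'd0')                     # which M cannot match
C_NOT_TREE = ({'e0': {'e0', 'e1'}, 'e1': {'e0'}},              # SCC {e0, e1} is not a cycle
              {'e0': set(), 'e1': set()}, 'e0')

if __name__ == '__main__':
    print(simulated_by(C_GOOD, M), is_tree_like(C_GOOD))   # True True
    print(simulated_by(C_BAD, M))                          # False
    print(is_tree_like(C_NOT_TREE))                        # False
```

Together with an ACTL check of C ⊨ ¬f (a separate, smaller problem since C is tree-like), these two tests are all that is needed to trust a counterexample without re-running the model checker on M, which is the point slide 4 makes about verifying results.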

31
An example
  • [figure] ⊨ AF(y ∧ AX X)?
  • [figure] ≼sim [figure]
  • [figure] ⊨ AF(y ∧ AX X)?
32
Generating a Tree-like Counterexample for M ⊨ f
  • Similar to generating a linear counterexample for LTL!
    • Construct a BTA B for ¬f.
    • Find a successful subgraph in G_{M,B}.
    • Get the proof skeleton by cutting out any node (s, q) s.t. (s, q) is the only child of its father (s', q') and l(q) ∉ {∧, ∨}.
    • Eliminate the redundancy and project the skeleton onto states.

33
If we've known that
[figure]
is a tree-like counterexample for
  • [figure] ⊨ AF(y ∧ AX X)?

34
and want to prove
  • [figure] ⊨ AF(y ∧ AX X)

35
We only need to show
  • [figure] ≼sim [figure]