Model Checking I - PowerPoint PPT Presentation

Slides: 45
Provided by: MarySh75

1
Model Checking I
  • What is CTL?

2
[Circuit diagram of the receiver: signals dreq, q0 and dack, two AND gates and one OR gate]
3
In Higher Order Logic (HOL)
∀dreq dack. RECEIVER(dreq,dack) =
  (∃q0 qbar0 a0 or0 a1.
    DTYPE_BAR(dreq,q0,qbar0) ∧
    AND(qbar0,dack,a0) ∧ OR(q0,a0,or0) ∧
    AND(dreq,or0,a1) ∧
    DTYPE(a1,dack))
simplify ↓
4
Example combinational component: AND(a,b,c) = ∀t. c(t) = a(t) ∧ b(t)
Implicit clock. One step of time = one clock tick.
DTYPE(din,dout) = ∀t. dout(t+1) = din(t)
5
∀dreq dack. RECEIVER(dreq,dack) =
  (∃q0. (∀t. q0(t+1) = dreq t) ∧
        (∀t. dack(t+1) = dreq t ∧ (q0 t ∨ (¬q0 t ∧ dack t))))
6
Explicit time reasoning
  • Can be very awkward, especially for regular
    circuits
  • Sometimes the only option, supported by an
    interactive theorem prover
  • e.g. terms like F(t+17), g(t+13), h(t+11)
  • (see Lava later)
  • Can also be done in first order logic (FOL)

7
Alternative view: circuit as a transition system
  • (dreq, q0, dack) → (dreq', q0', dack')
  • Already figured out
  • q0' = dreq
  • dack' = dreq ∧ (q0 ∨ (¬q0 ∧ dack))

8
Idea
  • Transition system
  • special temporal logic
  • automatic checking algorithm

9
Pnueli: implicit time
[Linear time line: a sequence of states labelled p p p p p p p p p …]
G p
F (¬p)
10
Exercise (from example circuit)
(dreq, q0, dack) → (dreq', dreq, dreq ∧ (q0 ∨ (¬q0 ∧ dack)))
Draw the state transition diagram.
Q: How many states, for a start?
11
Hint (partial answer)
[Partially drawn state transition diagram over the states 000, 100, 110, 111, 001, 101, 010, 011]
12
Question
[State transition diagram over the states 000, 100, 110, 111, 001, 101, 010, 011]
Q: how many arrows should there be out of each state? Why so?
13
Exercise
[State transition diagram over the states 000, 100, 110, 111, 001, 101, 010, 011]
Complete the diagram. Write down the corresponding binary relation as a set of pairs of states.
14
Another view: computation tree from a state
[Computation tree rooted at state 111]
15
Unwinding further
[The computation tree from state 111, unwound further]
16
Possible behaviours from state s
Transition relation R
[Computation tree of the successors of s under R]
Relation vs. Function? Return to example
17
  • (dreq, q0, dack) → (dreq', q0', dack')
  • Already figured out
  • q0' = dreq
  • dack' = dreq ∧ (q0 ∨ (¬q0 ∧ dack))

Why does each state go to two other states?
18
Computation Tree Logic (CTL)
  • Branching time (remember upside-down tree)
  • Efficient Model Checking algorithms
  • CTL formulas are defined with respect to a set of atomic formulas
    (basic properties of individual states)

19
A CTL structure contains
  • S: set of states (finite)
  • R: binary relation on states
  • assumed total, i.e. each state has at least
    one arrow out
  • A: set of atomic formulas
  • L: function A → set of states in
    which the atomic formula holds
  • "Lars" backwards → finite Kripke structure

20
f ::= atomic
    | ¬f
    | AX f
    | EX f
    | AG f
    | EG f
    | AF f
    | EF f
    | f1 ∧ f2
    | A (f1 U f2)
    | E (f1 U f2)
other connectives defined as usual
21
Gulp!
22
f ::= atomic
    | ¬f
    | AX f         All immediate successors
    | EX f         Some immediate successor
    | AG f         All paths, always
    | EG f         Some path, always
    | AF f         All paths, eventually
    | EF f         Some path, eventually
    | f1 ∧ f2
    | A (f1 U f2)
    | E (f1 U f2)
23
Examples (Gordon)
  • It is possible to get to a state where Started
    holds but Ready does not

24
Examples (Gordon)
  • It is possible to get to a state where Started
    holds but Ready does not
  • EF (Started ∧ ¬Ready)

25
Examples (Gordon)
  • If a request Req occurs, then it will eventually
    be acknowledged by Ack

26
Examples (Gordon)
  • If a request Req occurs, then it will eventually
    be acknowledged by Ack
  • AG (Req → AF Ack)

27
Examples (Gordon)
  • If a request Req occurs, then it continues to
    hold, until it is eventually acknowledged

28
Examples (Gordon)
  • If a request Req occurs, then it continues to
    hold, until it is eventually acknowledged
  • AG (Req → A (Req U Ack))

29
Semantics
  • M = (S,R,A,L) (remember
    "Lars")
  • Read M,s ⊨ f as
  • f holds for M at state s
  • often leave M implicit

30
(1) Base case
  • s ⊨ a
  • if and only if
  • s ∈ L(a), i.e. a holds in s

31
(2a) Think of tree rooted at s
  • s ⊨ ¬f
  • iff
  • not (s ⊨ f)

32
  • (2b)
  • s ⊨ AX f
  • iff
  • t ⊨ f for every
    t s.t. s R t

s.t. = such that
33
  • (2c)
  • s ⊨ EX f
  • iff
  • t ⊨ f for some
    t s.t. s R t

s.t. = such that
34
Exercise
  • Draw computation trees illustrating AX f and EX f

35
  • (2d)
  • s ⊨ AG f
  • iff
  • f holds in every state in every s-path (of
    M)

an s-path is a path starting in state s
36
  • (2e)
  • s ⊨ EG f
  • iff
  • f holds in every state in some s-path

an s-path is a path starting in state s
37
  • (2f)
  • s ⊨ AF f
  • iff
  • f holds in some state in every s-path

an s-path is a path starting in state s
38
  • (2g)
  • s ⊨ EF f
  • iff
  • f holds in some state in some s-path

an s-path is a path starting in state s
39
Exercise
  • Draw computation trees illustrating AG, EG, AF
    and EF

40
  • (3a)
  • s ⊨ f ∧ g
  • iff

s ⊨ f and s ⊨ g
41
  • (3b)
  • s0 ⊨ A (f U g)
  • iff
  • for every path s0 s1 s2 s3 … ∃ j ≥ 0 s.t.

si ⊨ f for 0 ≤ i < j
and sj ⊨ g
42
  • (3c)
  • s0 ⊨ E (f U g)
  • iff
  • for some path s0 s1 s2 s3 … ∃ j ≥ 0
    s.t.

si ⊨ f for 0 ≤ i < j
and sj ⊨ g
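As an added example (not from the slides), the receiver circuit as a finite Kripke structure in Python: the transition relation R asked for in the slide 13 exercise, and a direct evaluation of the CTL semantics of slides 29 to 42 over it. The fixpoint iteration used for EG and E(f U g) is an assumption about how to compute the path quantifiers on a finite S, not something these slides define; formulas are plain tuples, and the operator names match the slides.

```python
from itertools import product

# State = (dreq, q0, dack); dreq is an input, so its next value is free.
STATES = list(product([False, True], repeat=3))
ATOMS = {"dreq": 0, "q0": 1, "dack": 2}

def successors(s):
    # Next-state equations from slide 7: q0' = dreq, dack' = dreq & (q0 | (~q0 & dack)).
    dreq, q0, dack = s
    dack_next = dreq and (q0 or (not q0 and dack))
    return {(d, dreq, dack_next) for d in (False, True)}   # two successors: dreq' is free

# The transition relation R as a set of pairs of states (exercise on slide 13).
R = {(s, t) for s in STATES for t in successors(s)}

def fixpoint(step, z):
    # Iterate step until the set stops changing; S is finite, so this terminates.
    while True:
        z2 = step(z)
        if z2 == z:
            return z
        z = z2

def sat(f):
    """States satisfying CTL formula f (slide semantics).  Formulas are tuples
    ("atom", a), ("true",), ("not", f), ("and", f, g), ("EX", f), ("EG", f), ("EU", f, g)."""
    op = f[0]
    if op == "atom":
        return {s for s in STATES if s[ATOMS[f[1]]]}
    if op == "true":
        return set(STATES)
    if op == "not":
        return set(STATES) - sat(f[1])
    if op == "and":
        return sat(f[1]) & sat(f[2])
    if op == "EX":   # some immediate successor satisfies f
        return {s for s in STATES if successors(s) & sat(f[1])}
    if op == "EG":   # greatest fixpoint: keep states that have a successor still in the set
        return fixpoint(lambda z: {s for s in z if successors(s) & z}, sat(f[1]))
    if op == "EU":   # least fixpoint: add f-states that have a successor already in the set
        sf = sat(f[1])
        return fixpoint(lambda z: z | {s for s in sf if successors(s) & z}, sat(f[2]))
    derived = {   # the other connectives, defined as usual
        "implies": lambda p, q: ("not", ("and", p, ("not", q))),
        "AX": lambda p: ("not", ("EX", ("not", p))),
        "EF": lambda p: ("EU", ("true",), p),
        "AG": lambda p: ("not", ("EF", ("not", p))),
        "AF": lambda p: ("not", ("EG", ("not", p))),
    }
    return sat(derived[op](*f[1:]))
```

Checking `sat(("AG", ("implies", ("atom", "dreq"), ("AF", ("atom", "dack")))))` returns the empty set: the Gordon-style request/acknowledge property fails for this circuit because dreq is free to drop before dack ever rises, whereas `AG (dreq → AX q0)` holds in every state.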
43
Further reading
  • Ed Clarke's course on Bug Catching: Automated
    Program Verification and Testing
  • complete with a moving bug on the home page!
  • Covers model checking relevant to hardware too.
  • http://www-2.cs.cmu.edu/emc/15-398/

44
Next lecture
  • How to model check CTL formulas