Symbolic CTL Model Checking Crystal Chang Din
advertisement
Symbolic CTL Model Checking
Crystal Chang Din
Precise Modeling and Analysis group (PMA),
University of Oslo
INF9140 - Specification and Verification of Parallel Systems
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
1 / 27
Outline
1
Computation Tree Logic (CTL)
2
CTL Model Checking Algorithm
3
Symbolic CTL Model Checking
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
2 / 27
Recall of LTL
A linear logic over an infinite sequence of states.
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
3 / 27
Transition System and Computation Tree
Assume TS is finite, and has no terminal states, we can unfold it at a
chosen state into an infinite computation tree.
CTL introduces two path quantifiers:
∀ : all computations that start in a state (implicitly expressed in LTL)
∃ : some computations that start in a state (cannot be expressed in LTL)
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
4 / 27
Some Basic CTL Formulae
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
5 / 27
Syntax of CTL
State formulae:
Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∀ϕ | ∃ϕ
where α ∈ AP (atomic proposition)
Path formulae:
ϕ ::= Φ | Φ1 U Φ2
Four possible ways to turn path formulae into state formulae:
∀
Crystal Chang Din @ UiO
∀U
∃
∃U
Symbolic CTL Model Checking
12.05.2011
6 / 27
Examples of CTL formulae
Illegal CTL formulae
I
I
∃(x = 1 ∧ y > 4)
∃ (true U (x = 1))
Legal CTL formulae
I
I
∃ (x = 1 ∧ y > 4)
∃ ∀(true U (x = 1))
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
7 / 27
Derived Temporal Modalities
eventually
I
I
∃♦Φ ≡ ∃(true U Φ)
∀♦Φ ≡ ∀(true U Φ)
Φ holds potentially
Φ is inevitable
always
I
I
∃Φ ≡ ¬∀♦¬Φ
∀Φ ≡ ¬∃♦¬Φ
Crystal Chang Din @ UiO
(6= ∃♦¬Φ)
(6= ∀♦¬Φ)
potentially always Φ
invariantly Φ
Symbolic CTL Model Checking
12.05.2011
8 / 27
Satisfaction Relation for CTL
Let transition system TS = (S,Act,→,I,AP,L), state s ∈ S, α be an atomic
proposition, Φ1 , Φ2 be CTL state formulae, and ϕ be a CTL path formulae.
The satisfaction relation is defined for state formulae by
s
s
s
s
s
α
iff
¬Φ
iff
Φ1 ∧ Φ2 iff
∃ϕ
iff
∀ϕ
iff
α ∈ L(s)
not s Φ
(s Φ1 ) and (s Φ2 )
π ϕ for some π ∈ Path(s)
π ϕ for all π ∈ Path(s)
For path π, the satisfaction relation for path formulae is defined by
πΦ
π Φ1 U Φ2
iff
iff
Crystal Chang Din @ UiO
π[1] Φ
∃j≥0. (π[j] Φ2 ∧ (∀0 ≤ k < j.π[k] Φ1 ))
Symbolic CTL Model Checking
12.05.2011
9 / 27
Expressiveness of CTL vs. LTL
Intuitively, the LTL formula ♦α is equivalent to the CTL formula ∀♦∀α.
However, s0 ♦α and s0 6 ∀♦∀α are shown in the following case.
1
♦α:
α will eventually forever hold from some state
2
∀♦∀α:
On any computation, eventually some state, s say,
is reached such that s ∀α
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
10 / 27
Satisfaction Set
Given a transition system TS, the satisfaction set Sat(Φ) for CTL-state
formula Φ is defined by:
Sat(Φ) = { s ∈ S | s Φ}
For example:
Sat(∀a) = {s3 }
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
11 / 27
CTL Semantics for Transition System
in other words,
Crystal Chang Din @ UiO
TS Φ
iff
∀s0 ∈ I . s0 Φ
TS Φ
iff
I ⊆ Sat(Φ)
Symbolic CTL Model Checking
12.05.2011
12 / 27
Outline
1
Computation Tree Logic (CTL)
2
CTL Model Checking Algorithm
3
Symbolic CTL Model Checking
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
13 / 27
CTL in Existential Normal Form (ENF)
Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∃ Φ | ∃( Φ1 U Φ2 ) | ∃ Φ
Other CTL formulae can be translated into equivalent ENF formulae:
∃♦Φ
≡ ∃(true U Φ)
∀Φ
≡ ¬∃ ¬Φ
∀(Φ1 U Φ2 ) ≡ ¬∃(¬Φ2 U (¬Φ1 ∧ ¬Φ2 )) ∧ ¬∃¬Φ2
∀♦Φ
≡ ¬∃¬Φ
∀Φ
≡ ¬∃♦¬Φ = ¬∃(true U ¬Φ)
CTL in ENF has the same expressiveness as CTL
We will use ENF of CTL in the model checking algorithm
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
14 / 27
Overview of the Algorithm
To verify for a given transition system TS and CTL formula Φ whether
TS Φ, the procedure is:
1
recursive computation of the sets Sat(Ψ) for all subformulae Ψ of Φ
2
checking whether I ⊆ Sat(Φ)
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
15 / 27
Computation of the Satisfaction Sets
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
16 / 27
Sat(∃Φ)
T0 = Sat(Φ) and Ti+1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}
until Ti+1 = Ti (reach the greatest fix point)
i.e. Sat(∃b) = {s0 , s2 , s4 }
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
17 / 27
Sat(∃(Φ1 U Φ2 ))
T0 = Sat(Φ2 ) and Ti+1 = Ti ∪ {s ∈ Sat(Φ1 )|Post(s) ∩ Ti 6= ∅}
until Ti+1 = Ti (reach the smallest fix point)
i.e. Sat(∃(true U (a = c) ∧ (a 6= b))) = {s4 , s5 , s6 , s7 }
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
18 / 27
Time Complexity
Let TS be a finite transition system with N states and K transitions. Ψ a
subformula of Φ. The time complexity of calculating Sat(Ψ) is
O(N+K)
Also, there are |Φ| subformulae of Φ. The total time complexity of
calculating Sat(Φ) is therefore
O((N+K) · |Φ|)
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
19 / 27
Outline
1
Computation Tree Logic (CTL)
2
CTL Model Checking Algorithm
3
Symbolic CTL Model Checking
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
20 / 27
Why Symbolic?
Original version of CTL model checking
I
I
I
I
single state and single transition at a time
record all the predecessors and successors in each state
iterative computation: union and intersection of sets
state explosion problem in large transition systems
Symbolic version
I
I
I
I
I
I
sets of states and sets of transitions at a time
binary encoding of states
one boolean function for each satisfaction set
one boolean function for all the transitions
iterative computation:conjunction and disjunction of a sequence of bits
very efficient
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
21 / 27
Encoding States
Binary encoding (enc) of states, as vectors of n bits:
enc : S → {0, 1}n
For example:
8 states (s0 , s1 , ..., s7 ) can be encoded with 3 bits
s0 : 000
s1 : 001
...
s7 : 111
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
22 / 27
Two Boolean Functions (XT and 4)
XT : to encode set of states T ⊆ S (i.e. T=Sat(α)):
XT : {0, 1}n → {0,1}
s.t.
XT (s)=1
iff
s∈T
4: to encode set of transitions → ⊆ S x S:
4 : {0, 1}2n → {0,1}
Crystal Chang Din @ UiO
s.t.
4(s,s’)=1
Symbolic CTL Model Checking
iff s → s’
12.05.2011
23 / 27
Sat(∃b) in Symbolic Version
binary decision tree (BDT)
8 states (s0 , s1 , ..., s7 ) can be encoded with 3 bits (z1 z2 z3 )
XT (z1 , z2 , z3 ) → {0,1},T=Sat(b)
i.e. XT (s2 ) = XT (0,1,0) = 1
4(z1 , z2 , z3 , z10 , z20 , z30 ) → {0,1}
i.e. 4(s1 , s2 ) = 4(0,0,1,0,1,0) = 0
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
24 / 27
Symbolic Computation
T0 = Sat(Φ2 ) and Ti +1 = Ti ∪ {s ∈ Sat(Φ1 )|Post(s) ∩ Ti 6= ∅}
T0 = Sat(Φ) and Ti +1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}
continue the example from last slide: f0 : 00010111 → f1 : 00010101 → f2 : 00010101
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
25 / 27
From BDT to BDD
binary decision diagram (BDD): a reduced version of BDT
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
26 / 27
Reference
C. Baier and J.-P. Katoen, “Principles of Model Checking”(The MIT Press, 2008).
Figures, algorithms and samples taken from Chapter 6 of the book above.
Crystal Chang Din @ UiO
Symbolic CTL Model Checking
12.05.2011
27 / 27
