Title: Optimizing CTL Model checking / Model checking TCTL
Optimizing CTL Model checking / Model checking TCTL
A(FG p), not AF(AG p)
Today
- Summary
- Optimizations for model checking
  - ROBDDs
- TCTL-
  - Syntax
  - Semantics
  - Algorithm for MC
  - Optimizations
Summary: Model checking CTL
Optimization
- The principal one: reduce to a problem with Boolean variables/Boolean formulæ
- Is this reasonable? Well, most modelling is done like this even when you do have (non-boolean) variables
- Efficiencies come from efficient operations on boolean functions
States as boolean formulæ
- Encode states using m boolean variables.
- Allows for 2^m states.
- For example m = 3
  - S = {s1, s2, s3, s4, s5, s6, s7, s8}
  - Propositional booleans a, b, c
  - S = {000, 001, 010, 011, 100, 101, 110, 111}
  - S = {¬a∧¬b∧¬c, ¬a∧¬b∧c, ¬a∧b∧¬c, ...}
Transitions as boolean formulæ
- Encode (s, s') using before and after propositional boolean variables: a, b, c and a', b', c'.
- For example (s1, s4)
  - (s1, s4) ↦ (¬a∧¬b∧¬c) ∧ (¬a'∧b'∧c')
Sufficient for modelling?
- Encode another mutual exclusion protocol
- Two processes, P1 and P2, share booleans
- Co-operate for mutual exclusion
- Third process T1 monitors and sets a turn variable
- System is the parallel composition P1 || P2 || T1
Co-operative mutex: Process P1
  if (idle1)
    wait1 := true
    idle1 := false
  else if (wait1 ∧ idle2)
    active1 := true
    wait1 := false
  else if (wait1 ∧ wait2 ∧ ¬turn)
    active1 := true
    wait1 := false
  ;
  if (active1)
    CritSect()
    idle1 := true
    active1 := false
  (followed by P1 again)
Co-operative mutex: Process P2
  if (idle2)
    wait2 := true
    idle2 := false
  else if (wait2 ∧ idle1)
    active2 := true
    wait2 := false
  else if (wait2 ∧ wait1 ∧ turn)
    active2 := true
    wait2 := false
  ;
  if (active2)
    CritSect()
    idle2 := true
    active2 := false
  (followed by P2 again)
Co-operative mutex: Process T1
  if (idle1 ∧ wait2)
    turn := true
  else if (idle2 ∧ wait1)
    turn := false
  (followed by T1 again)
- (P1 || P2 || T1) = System
State transition diagram: whole system
Transitions as predicates
- P1: (i1 ∧ w1' ∧ ¬i1') ∨ (w1 ∧ i2 ∧ a1' ∧ ¬w1') ∨ (w1 ∧ w2 ∧ ¬t ∧ a1' ∧ ¬w1') ∨ (a1 ∧ i1' ∧ ¬a1')
- P2: (i2 ∧ w2' ∧ ¬i2') ∨ (w2 ∧ i1 ∧ a2' ∧ ¬w2') ∨ (w2 ∧ w1 ∧ t ∧ a2' ∧ ¬w2') ∨ (a2 ∧ i2' ∧ ¬a2')
- T1: (i1 ∧ w2 ∧ t') ∨ (i2 ∧ w1 ∧ ¬t')
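The protocol above, encoded as a small explicit-state Kripke structure and checked with the CTL labelling algorithm summarised at the start of the lecture (EX, EU and AF as fixpoints; EF and AG derived). This is an added example, not code from the lecture notes. The order of the seven booleans in the state tuple, interleaving semantics for P1 || P2 || T1, the initial state (both processes idle, turn false) and the stutter self-loop that keeps the relation total are assumptions made here; the guards and updates are the ten disjuncts of the transition predicates.

```python
"""Explicit-state model of the co-operative mutex (P1 || P2 || T1) with a
small CTL checker.  Added example; assumptions are marked as such."""
from collections import deque

# State vector order (assumption): i1, w1, a1, i2, w2, a2, t  (t = turn)
VARS = ("i1", "w1", "a1", "i2", "w2", "a2", "t")
IDX = {v: k for k, v in enumerate(VARS)}

def upd(s, **assign):
    """Copy of s with the named variables overwritten.  Everything not named
    is unchanged: the frame condition the slide predicates leave implicit."""
    s = list(s)
    for v, val in assign.items():
        s[IDX[v]] = val
    return tuple(s)

def successors(s):
    """One interleaving step: every enabled guarded command of P1, P2 or T1
    (the 4 + 4 + 2 disjuncts of the transition predicates)."""
    i1, w1, a1, i2, w2, a2, t = s
    out = set()
    if i1:                  out.add(upd(s, i1=False, w1=True))   # i1 ∧ w1' ∧ ¬i1'
    if w1 and i2:           out.add(upd(s, w1=False, a1=True))   # w1 ∧ i2 ∧ a1' ∧ ¬w1'
    if w1 and w2 and not t: out.add(upd(s, w1=False, a1=True))   # w1 ∧ w2 ∧ ¬t ∧ a1' ∧ ¬w1'
    if a1:                  out.add(upd(s, a1=False, i1=True))   # a1 ∧ i1' ∧ ¬a1'
    if i2:                  out.add(upd(s, i2=False, w2=True))   # P2, symmetric
    if w2 and i1:           out.add(upd(s, w2=False, a2=True))
    if w2 and w1 and t:     out.add(upd(s, w2=False, a2=True))
    if a2:                  out.add(upd(s, a2=False, i2=True))
    if i1 and w2:           out.add(upd(s, t=True))              # T1: i1 ∧ w2 ∧ t'
    if i2 and w1:           out.add(upd(s, t=False))             # T1: i2 ∧ w1 ∧ ¬t'
    if not out:             # assumption: stutter so the relation stays total
        out.add(s)
    return out

def build_model(init):
    """Reachable state space S and the transition relation R as a dict."""
    S, queue = {init}, deque([init])
    while queue:
        for n in successors(queue.popleft()):
            if n not in S:
                S.add(n)
                queue.append(n)
    return S, {s: successors(s) for s in S}

# CTL labelling: each SAT function returns the set of states satisfying the formula.
def sat_ex(S, R, phi):
    return {s for s in S if R[s] & phi}

def sat_eu(S, R, phi1, phi2):
    """E(phi1 U phi2): least fixpoint of X = phi2 ∪ (phi1 ∩ EX X)."""
    X = set(phi2)
    while True:
        new = X | {s for s in phi1 if R[s] & X}
        if new == X:
            return X
        X = new

def sat_af(S, R, phi):
    """AF phi: least fixpoint of X = phi ∪ AX X (all successors already in X)."""
    X = set(phi)
    while True:
        new = X | {s for s in S if R[s] <= X}
        if new == X:
            return X
        X = new

def sat_ef(S, R, phi):
    return sat_eu(S, R, S, phi)

def sat_ag(S, R, phi):
    return S - sat_ef(S, R, S - phi)

def atom(S, name):
    return {s for s in S if s[IDX[name]]}

def check_mutex(turn0=False):
    """Check three properties from the initial state (assumption: both idle)."""
    init = (True, False, False, True, False, False, turn0)
    S, R = build_model(init)
    a1, a2, w1, w2 = (atom(S, v) for v in ("a1", "a2", "w1", "w2"))
    return {
        "states": len(S),
        # safety: never both processes in the critical section
        "AG !(a1 & a2)": init in sat_ag(S, R, S - (a1 & a2)),
        # both can be waiting at once, which is when turn decides
        "EF (w1 & w2)": init in sat_ef(S, R, w1 & w2),
        # liveness without fairness fails: P2 and T1 can cycle while P1 waits
        "AG (w1 -> AF a1)": init in sat_ag(S, R, (S - w1) | sat_af(S, R, a1)),
    }

if __name__ == "__main__":
    for prop, val in check_mutex().items():
        print(f"{prop}: {val}")
```

Of the 2·3·3 = 18 combinations of turn and the two one-hot process states, 16 are reachable; the two with both processes active are not, which is exactly what AG ¬(a1 ∧ a2) asserts. The liveness check fails because, as the lecture's CTL semantics quantifies over all paths with no fairness assumption, a path on which P1 is never scheduled while it waits is a legitimate counterexample.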
Ordered Binary Decision Tree
OBDT example: (i1∧i2)∨(i3∧¬i4)
→ ROBDD: (i1∧i2)∨(i3∧¬i4) (the reduction is shown step by step over six diagrams)
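The reduction the six diagrams walk through, in code, as an added example (not code from the lecture): the two reduction rules (drop a node whose branches coincide, share isomorphic subgraphs) live in `mk`, Bryant's `apply` builds the ROBDD of a formula from the ROBDDs of its subformulas, and the example formula (i1∧i2)∨(i3∧¬i4) is built twice, directly and via De Morgan, to show canonicity: equivalent formulas yield the very same node. The variable order i1 < i2 < i3 < i4 and the node numbering are assumptions made here.

```python
"""Reduced Ordered BDDs by hash-consing.  Added example, not lecture code.
Node ids 0 and 1 are the terminals; variables are numbered 0..n-1 in the
fixed order i1 < i2 < i3 < i4 (an assumption made here)."""
from itertools import product

# Boolean operations on terminal node ids (0/1)
OPS = {"and": lambda a, b: a & b, "or": lambda a, b: a | b, "xor": lambda a, b: a ^ b}

class ROBDD:
    def __init__(self, nvars):
        self.nvars = nvars
        self.nodes = {}    # id -> (var, low, high)
        self.unique = {}   # (var, low, high) -> id: one node per distinct triple
        self.cache = {}    # memo table for apply

    def mk(self, var, low, high):
        """Create (or find) the node testing `var`.  The two checks are the
        two reduction rules: drop a redundant test, share isomorphic subgraphs."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, i):
        return self.mk(i, 0, 1)

    def _top(self, u):
        # terminals sort after every variable
        return self.nodes[u][0] if u > 1 else self.nvars

    def apply(self, op, u1, u2):
        """Bryant's apply: recurse on the smaller top variable, memoised."""
        key = (op, u1, u2)
        if key in self.cache:
            return self.cache[key]
        if u1 <= 1 and u2 <= 1:
            res = OPS[op](u1, u2)
        else:
            v1, v2 = self._top(u1), self._top(u2)
            v = min(v1, v2)
            l1, h1 = self.nodes[u1][1:] if v1 == v else (u1, u1)
            l2, h2 = self.nodes[u2][1:] if v2 == v else (u2, u2)
            res = self.mk(v, self.apply(op, l1, l2), self.apply(op, h1, h2))
        self.cache[key] = res
        return res

    def neg(self, u):
        return self.apply("xor", u, 1)

    def size(self, u):
        """Number of non-terminal nodes reachable from u."""
        seen, stack = set(), [u]
        while stack:
            x = stack.pop()
            if x > 1 and x not in seen:
                seen.add(x)
                stack.extend(self.nodes[x][1:])
        return len(seen)

    def evaluate(self, u, assignment):
        """Follow the decision path for a tuple of 0/1 values."""
        while u > 1:
            var, low, high = self.nodes[u]
            u = high if assignment[var] else low
        return u

def build_example():
    """(i1 ∧ i2) ∨ (i3 ∧ ¬i4), built directly (f) and via De Morgan (g)."""
    b = ROBDD(4)
    i1, i2, i3, i4 = (b.var(k) for k in range(4))
    f = b.apply("or", b.apply("and", i1, i2), b.apply("and", i3, b.neg(i4)))
    g = b.neg(b.apply("and", b.neg(b.apply("and", i1, i2)),
                             b.neg(b.apply("and", i3, b.neg(i4)))))
    return b, f, g

def truth_table_matches(b, f):
    """Cross-check the ROBDD against the formula on all 16 assignments."""
    return all(b.evaluate(f, a) == int((a[0] and a[1]) or (a[2] and not a[3]))
               for a in product((0, 1), repeat=4))

if __name__ == "__main__":
    b, f, g = build_example()
    print("same node for f and g:", f == g)
    print("non-terminal nodes:", b.size(f))
```

The full decision tree on four variables has 15 internal nodes; the ROBDD of this function has 4. Because the representation is canonical for a fixed variable order, checking that two formulas are equivalent is a comparison of two node ids, which is what makes ROBDDs attractive for the fixpoint iterations of model checking.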
History
- The ROBDD optimization originally by Bryant (86), paper on boolean graphs
- The application to model checking by McMillan (originally in the late 80s, the subject of his thesis in 1992)
- SMV (Symbolic Model Verifier) originally by McMillan
Today
- Summary
- Optimizations for model checking
  - ROBDDs
- TCTL-
  - Syntax
  - Semantics
  - Algorithm for MC
  - Optimizations
Regional transition system (RTS)
- Given a TA TTS (S, S0, Act, →), the RTS is a quotiented transition system RTS = (R, R0, Act, ⇒), where
  - R = {(s, [v]) | (s, v) ∈ S ∧ [v] ∈ REG}, and
  - R0 = {(s, [v]) | (s, v) ∈ S0 ∧ [v] ∈ REG}, and
  - finally, (s, [v]) ⇒^a (s', [v']) if and only if there is a transition (s, v) →^a (s', v') in the TA TTS.
Regional transition system (RTS)
- Notation
  - R: a set of regions
  - r: a particular region (s, [v]) in the set
  - (s, v): a particular valuation
Regional transition system (RTS)
Kripke structure/model for TCTL
- Def: A TCTL model over a set of atomic propositions AP is the 4-tuple (R, ⇒, AP, L)
  - R: finite set of regions from the RTS
  - ⇒ ⊆ R × R: a total transition relation
  - AP: a finite set of atomic propositions
  - L: R → 2^AP, a labelling function which labels each region with the propositions true in that region
- Note that the propositions may include clock constraints
TCTL- syntax
- Given p ∈ AP, x ∈ X (model clock variables), z ∈ Z (property clock variables), ψ ∈ Ψ(X ∪ Z) (clock constraints), then p and ψ are TCTL- formulæ, and if φ1 and φ2 are TCTL- formulæ then so are
  - ¬φ1
  - φ1 ∧ φ2
  - φ1 ∨ φ2
  - z in φ1
  - A(φ1 U φ2)
  - E(φ1 U φ2)
TCTL examples
- Note that temporal operators can be subscripted
- A(φ1 U<7 φ2) means φ1 holds until (within 7 time units) φ2 becomes true.
  - Implemented as z in A((φ1 ∧ z<7) U φ2)
- A(alarm U<7 boiler-off): the alarm is on until (within 7 time units) boiler-off is signaled.
- EF<7(alarm) = E(true U<7 alarm): the alarm will be on within 7 time units.
Semantics of TCTL
- Expressed in terms of a model and the modelling relation ⊨, which links a model, a composite state r = (s, v) and a formula clock valuation with a property.
- M, (r, f) ⊨ P means that (TCTL) property P holds in (is satisfied in) state r in the case of formula valuation f for a given model M
(Inductive) definition of ⊨
- M, (r, f) ⊨ p  iff  p ∈ L(r)
- M, (r, f) ⊨ ψ  iff  v ∪ f ⊨ ψ
- M, (r, f) ⊨ ¬φ1  iff  not (M, (r, f) ⊨ φ1)
- M, (r, f) ⊨ φ1 ∧ φ2  iff  M, (r, f) ⊨ φ1 and M, (r, f) ⊨ φ2
- M, (r, f) ⊨ φ1 ∨ φ2  iff  M, (r, f) ⊨ φ1 or M, (r, f) ⊨ φ2
(Inductive) definition of ⊨
- M, (r, f) ⊨ z in φ1  iff  M, (r, z in f) ⊨ φ1
  - The notation z in f asserts that z is reset to 0 whenever it appears in the formula f
- M, (r, f) ⊨ A(φ1 U φ2)  iff  for every path π from r, for some j, M, π(j) ⊨ φ2, and for all i < j, M, π(i) ⊨ φ1 ∨ φ2.
- M, (r, f) ⊨ E(φ1 U φ2)  iff  for some path π from r, for some j, M, π(j) ⊨ φ2, and for all i < j, M, π(i) ⊨ φ1 ∨ φ2.
- Note that in both EU and AU, the condition up until φ2 is φ1 ∨ φ2, and not just φ1!!
AU: φ1 ∨ φ2 until φ2
Model checking TCTL
- Definition of a labelling algorithm in the notes, not much different from CTL
- The only problem is that this definition uses a least fixpoint iteration over an infinite set
- In practice, use the region construction
Optimization for TCTL MC
- We have already seen the steps to create a (finite) regional automaton
- Apart from that there is no magic bullet, and real-time model checking has an equivalent region-space explosion
- For this reason, limit the size of systems (so far)
Uppaal more formally
- TCTL, but with restrictions that amount to only safety (reachability) formulæ
- The set of property clock variables Z in the formula is empty
- Syntax: just AG(φ) and EF(φ) (outer level)
  - φ ::= a | x op n | ¬φ | φ1 ∧ φ2   (op ∈ {<, ≤, =, ≥, >})
  - a is a location in the model
- Other properties (bounded liveness) require extended models/automata: compare the system model with another test model