Optimizing CTL Model checking / Model checking TCTL (slide transcript)

1
Optimizing CTL Model checking / Model checking TCTL
  • CS 5270 Lecture 9

2
A(FG p) is not the same as AF(AG p): AF(AG p) implies A(FG p), but not conversely (every path may eventually stay in p without ever reaching a state from which all paths stay in p). FG p under a single A is not expressible in CTL.
3
Today
  • Summary
  • Optimizations for model checking
  • ROBDDs
  • TCTL:
  • Syntax
  • Semantics
  • Algorithm for MC
  • Optimizations

4
Summary Model checking CTL
5
Optimization
  • The principal one:
  • Reduce to a problem over Boolean
    variables/Boolean formulæ
  • Is this reasonable?
  • Well, most modelling is done like this even
    when you do have (non-boolean) variables
  • The efficiency comes from efficient operations
    on boolean functions

6
States as boolean formulæ
  • Encode states using m boolean variables.
  • Allows for 2^m states.
  • For example m = 3:
  • S = {s1, s2, s3, s4, s5, s6, s7, s8}
  • Propositional booleans a, b, c
  • S = {000, 001, 010, 011, 100, 101, 110, 111}
  • S = {¬a∧¬b∧¬c, ¬a∧¬b∧c, ¬a∧b∧¬c, ...}

7
Transitions as boolean formulæ
  • Encode (s, s') using before and after
    propositional boolean variables
  • a, b, c and a', b', c'.
  • For example (s1, s4), with s1 = 000 and s4 = 011:
  • (s1, s4) = (¬a∧¬b∧¬c) ∧ (¬a'∧b'∧c')

8
Sufficient for modelling?
  • Encode another mutual exclusion protocol
  • Two processes, P1 and P2, share booleans
  • They co-operate for mutual exclusion
  • A third process T1 monitors and sets a turn
    variable
  • The system is the parallel composition
  • P1 ∥ P2 ∥ T1

9
Co-operative mutex: Process P1
    if (idle1) {
        wait1 = true; idle1 = false;
    } else if (wait1 && idle2) {
        active1 = true; wait1 = false;
    } else if (wait1 && wait2 && !turn) {
        active1 = true; wait1 = false;
    }
    if (active1) {
        CritSect();
        idle1 = true; active1 = false;
    }
    (followed by P1 again: the process loops)
10
Co-operative mutex: Process P2
    if (idle2) {
        wait2 = true; idle2 = false;
    } else if (wait2 && idle1) {
        active2 = true; wait2 = false;
    } else if (wait2 && wait1 && turn) {
        active2 = true; wait2 = false;
    }
    if (active2) {
        CritSect();
        idle2 = true; active2 = false;
    }
    (followed by P2 again: the process loops)
11
Co-operative mutex: Process T1
    if (idle1 && wait2) {
        turn = true;
    } else if (idle2 && wait1) {
        turn = false;
    }
    (followed by T1 again: the process loops)
  • System = P1 ∥ P2 ∥ T1
12
State transition diagram whole system
13
Transitions as predicates
  • P1:
  • (i1 ∧ w1' ∧ ¬i1') ∨ (w1 ∧ i2 ∧ a1' ∧ ¬w1')
  • ∨ (w1 ∧ w2 ∧ ¬t ∧ a1' ∧ ¬w1') ∨ (a1 ∧ i1' ∧ ¬a1')
  • P2:
  • (i2 ∧ w2' ∧ ¬i2') ∨ (w2 ∧ i1 ∧ a2' ∧ ¬w2')
  • ∨ (w2 ∧ w1 ∧ t ∧ a2' ∧ ¬w2') ∨ (a2 ∧ i2' ∧ ¬a2')
  • T1:
  • (i1 ∧ w2 ∧ t') ∨ (i2 ∧ w1 ∧ ¬t')
  • (each disjunct is one atomic step; a variable the disjunct
    does not mention keeps its value, x' = x)
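The encoding of slides 7 and 13 carried through end to end, as an added example that is not part of the lecture: each disjunct of the P1, P2 and T1 predicates becomes a function over a before-state and an after-state (bit vectors over i1, w1, a1, i2, w2, a2, t), the parallel composition is the disjunction of the three predicates, and reachability, EF and AG are computed as least fixpoints over all 2^7 states. The initial state (both processes idle, turn = false) and the helper names are assumptions of this example.

```python
"""Added example (not from the lecture slides): the co-operative mutex of
slides 9-13 encoded as predicates over before/after boolean variables
(i1,w1,a1,i2,w2,a2,t as on slide 13) and checked by explicit least-fixpoint
iteration over all 2^7 bit-vector states.  The initial state (both processes
idle, turn = false) is an assumption of this example."""
from itertools import product

VARS = ("i1", "w1", "a1", "i2", "w2", "a2", "t")
IDX = {v: n for n, v in enumerate(VARS)}
STATES = list(product((False, True), repeat=len(VARS)))   # all 2^7 bit vectors


def val(s, *names):
    """Conjunction of the named variables in state s."""
    return all(s[IDX[n]] for n in names)


def step(guard, updates):
    """One disjunct of a transition predicate as a function (s, s') -> bool:
    `guard` on the before-state; primed variables listed in `updates` take
    the new value; every other primed variable keeps its old value (x' = x),
    the frame condition the slide leaves implicit."""
    def rel(s, s2):
        return guard(s) and all(
            s2[IDX[v]] == updates.get(v, s[IDX[v]]) for v in VARS)
    return rel


# P1 = (i1 ∧ w1' ∧ ¬i1') ∨ (w1 ∧ i2 ∧ a1' ∧ ¬w1') ∨ (w1 ∧ w2 ∧ ¬t ∧ a1' ∧ ¬w1') ∨ (a1 ∧ i1' ∧ ¬a1')
P1 = [
    step(lambda s: val(s, "i1"), {"w1": True, "i1": False}),
    step(lambda s: val(s, "w1", "i2"), {"a1": True, "w1": False}),
    step(lambda s: val(s, "w1", "w2") and not val(s, "t"), {"a1": True, "w1": False}),
    step(lambda s: val(s, "a1"), {"i1": True, "a1": False}),
]
# P2 = (i2 ∧ w2' ∧ ¬i2') ∨ (w2 ∧ i1 ∧ a2' ∧ ¬w2') ∨ (w2 ∧ w1 ∧ t ∧ a2' ∧ ¬w2') ∨ (a2 ∧ i2' ∧ ¬a2')
P2 = [
    step(lambda s: val(s, "i2"), {"w2": True, "i2": False}),
    step(lambda s: val(s, "w2", "i1"), {"a2": True, "w2": False}),
    step(lambda s: val(s, "w2", "w1", "t"), {"a2": True, "w2": False}),
    step(lambda s: val(s, "a2"), {"i2": True, "a2": False}),
]
# T1 = (i1 ∧ w2 ∧ t') ∨ (i2 ∧ w1 ∧ ¬t')
T1 = [
    step(lambda s: val(s, "i1", "w2"), {"t": True}),
    step(lambda s: val(s, "i2", "w1"), {"t": False}),
]
# Interleaved parallel composition P1 ∥ P2 ∥ T1 = disjunction of the predicates.
TRANS = P1 + P2 + T1

# Successor map, computed once by evaluating the relation on every (s, s') pair.
SUCC = {s: {s2 for s2 in STATES if any(r(s, s2) for r in TRANS)} for s in STATES}


def post(Y):
    return {s2 for s in Y for s2 in SUCC[s]}


def pre(Y):
    return {s for s in STATES if SUCC[s] & Y}


def lfp(f, start):
    """Least fixpoint of Y = start ∪ f(Y); reachability, EF and AG all have this form."""
    Y = set(start)
    while True:
        nxt = Y | f(Y)
        if nxt == Y:
            return Y
        Y = nxt


def reachable(init):
    return lfp(post, init)


def EF(P):
    """States from which some path reaches a state in P."""
    return lfp(pre, P)


def AG(P):
    """AG P = ¬EF ¬P."""
    return set(STATES) - EF(set(STATES) - P)


def state(**true_vars):
    return tuple(bool(true_vars.get(v, False)) for v in VARS)


INIT = state(i1=True, i2=True)   # assumed initial state: both idle, turn = false


def check_mutex():
    """(reachable state count, AG ¬(a1∧a2) at INIT, EF a1 at INIT, EF a2 at INIT)."""
    both_active = {s for s in STATES if val(s, "a1", "a2")}
    return (len(reachable({INIT})),
            INIT in AG(set(STATES) - both_active),
            INIT in EF({s for s in STATES if val(s, "a1")}),
            INIT in EF({s for s in STATES if val(s, "a2")}))


def one_phase_per_process():
    """Every reachable state has exactly one of idle/wait/active per process."""
    return all(sum(s[IDX[v]] for v in ("i1", "w1", "a1")) == 1 and
               sum(s[IDX[v]] for v in ("i2", "w2", "a2")) == 1
               for s in reachable({INIT}))


if __name__ == "__main__":
    print(check_mutex(), one_phase_per_process())
```

Only 16 of the 128 bit vectors are reachable (each process is in exactly one of its three phases, times the two values of turn, minus the two states where both are active), AG ¬(a1 ∧ a2) holds from the initial state, and each process can reach its critical section. The explicit set representation is what an ROBDD replaces: the sets Y and the relation SUCC become boolean functions, and pre/post become operations on them.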

14
Ordered Binary Decision Tree
15
OBDT example: (i1 ∧ i2) ∨ (i3 ∧ ¬i4)
16
→ ROBDD for (i1 ∧ i2) ∨ (i3 ∧ ¬i4)
(slides 16 to 21 repeat this title while the figure steps through the
reduction of the decision tree: merge identical subgraphs, then remove any
node whose two branches lead to the same node)
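The reduction shown on slides 14 to 21, as an added example that is not part of the lecture: the ordered binary decision tree of (i1 ∧ i2) ∨ (i3 ∧ ¬i4) is built by Shannon expansion along the variable order, and the two reduction rules (share identical nodes through a unique table, drop a node whose two branches agree) turn it into the ROBDD on the way back up. The class and function names are this example's own; it also runs a second variable order, which the slides do not, to show that the ROBDD size depends on the order.

```python
"""Added example (not from the lecture slides): build the ROBDD of slides
15-21 by reducing the ordered binary decision tree of
    f = (i1 ∧ i2) ∨ (i3 ∧ ¬i4)
with Bryant's two rules (share identical nodes, drop nodes whose two branches
agree), then compare the tree size with the ROBDD size and count satisfying
assignments.  Class and function names are this example's own."""
from itertools import product

FALSE, TRUE = 0, 1          # ids of the two terminal nodes


class ROBDD:
    def __init__(self, order):
        self.order = list(order)          # fixed variable order (the "O" in ROBDD)
        self.nodes = {}                   # id -> (var, low, high)
        self.unique = {}                  # (var, low, high) -> id: no duplicate nodes
        self.next_id = 2
        self.tree_nodes = 0               # decision nodes of the unreduced OBDT

    def mk(self, var, lo, hi):
        """Return the node testing `var` with children lo/hi, reduced."""
        if lo == hi:                      # redundant test: both branches agree
            return lo
        key = (var, lo, hi)
        if key not in self.unique:        # merge structurally identical nodes
            self.unique[key] = self.next_id
            self.nodes[self.next_id] = key
            self.next_id += 1
        return self.unique[key]

    def build(self, f, env=None, depth=0):
        """Shannon-expand f along the order: this walks the full decision tree
        (2^n leaves) and reduces on the way back up."""
        env = {} if env is None else env
        if depth == len(self.order):
            return TRUE if f(env) else FALSE
        self.tree_nodes += 1
        var = self.order[depth]
        lo = self.build(f, {**env, var: False}, depth + 1)
        hi = self.build(f, {**env, var: True}, depth + 1)
        return self.mk(var, lo, hi)

    def evaluate(self, node, env):
        while node not in (TRUE, FALSE):
            var, lo, hi = self.nodes[node]
            node = hi if env[var] else lo
        return node == TRUE

    def size(self):
        return len(self.nodes)            # non-terminal nodes

    def count_sat(self, root):
        """Number of satisfying assignments in one pass over the DAG; every
        variable skipped between a node and its child contributes a factor 2."""
        n = len(self.order)
        pos = {v: i for i, v in enumerate(self.order)}
        level = lambda nd: n if nd in (TRUE, FALSE) else pos[self.nodes[nd][0]]
        memo = {}

        def cnt(nd):
            if nd == FALSE:
                return 0
            if nd == TRUE:
                return 1
            if nd not in memo:
                _, lo, hi = self.nodes[nd]
                k = level(nd)
                memo[nd] = (cnt(lo) * 2 ** (level(lo) - k - 1)
                            + cnt(hi) * 2 ** (level(hi) - k - 1))
            return memo[nd]
        return cnt(root) * 2 ** level(root)


VARIABLES = ("i1", "i2", "i3", "i4")


def f(e):
    """The slide's function (i1 ∧ i2) ∨ (i3 ∧ ¬i4)."""
    return (e["i1"] and e["i2"]) or (e["i3"] and not e["i4"])


def build_example(order=VARIABLES):
    """Returns (tree decision nodes, ROBDD non-terminal nodes, number of
    satisfying assignments, ROBDD agrees with the truth table)."""
    bdd = ROBDD(order)
    root = bdd.build(f)
    agrees = all(bdd.evaluate(root, dict(zip(VARIABLES, bits)))
                 == f(dict(zip(VARIABLES, bits)))
                 for bits in product((False, True), repeat=4))
    return bdd.tree_nodes, bdd.size(), bdd.count_sat(root), agrees


if __name__ == "__main__":
    print(build_example())                          # order i1,i2,i3,i4
    print(build_example(("i1", "i3", "i2", "i4")))  # a worse order: more nodes
```

With the order i1, i2, i3, i4 the 15 decision nodes of the tree reduce to 4 ROBDD nodes; with the order i1, i3, i2, i4 the same function needs 6. Both encode the same 7 satisfying assignments, and because the construction is canonical for a fixed order, two functions are equal exactly when they reduce to the same node id, which is what makes the fixpoint tests of symbolic model checking cheap.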
22
History
  • The ROBDD optimization is originally due to Bryant (1986),
    in his paper on graph-based algorithms for boolean functions
  • The application to model checking is due to McMillan
    (originally in the late 80s; the subject of his thesis in
    1992)
  • SMV, the Symbolic Model Verifier, was originally written by
    McMillan

23
Today
  • Summary
  • Optimizations for model checking
  • ROBDDs
  • TCTL:
  • Syntax
  • Semantics
  • Algorithm for MC
  • Optimizations

24
Regional transition system (RTS)
  • Given the timed transition system of a timed automaton,
    TTS = (S, s0, Act, →), the RTS is the quotient transition
    system
  • RTS = (R, R0, Act, ⇒), where, writing [v] for the region
    (equivalence class) of clock valuation v and REG for the
    finite set of regions,
  • R = { (s, [v]) | (s, v) ∈ S and [v] ∈ REG }, and
  • R0 = { (s, [v]) | (s, v) ∈ s0 and [v] ∈ REG }, and
  • finally, (s, [v]) ⇒a (s', [v']) if and only if
    there is a transition (s, v) →a (s', v') in
    the TTS.

25
Regional transition system (RTS)
  • Notation
  • R: a set of regions
  • r: a particular region in the set, r = (s, [v])
  • a particular valuation (s, v) in region r is a
    representative of r

26
Regional transition system (RTS)
27
Kripke structure/model for TCTL
  • Def: A TCTL model over a set of atomic
    propositions AP is the 4-tuple (R, →, AP, L)
  • R: finite set of regions from the RTS
  • → ⊆ R × R: a total transition relation
  • AP: a finite set of atomic propositions
  • L: R → 2^AP, a labelling function which labels
    each region with the propositions true in that
    region
  • Note that the propositions may include clock
    constraints

28
TCTL syntax
  • Given p ∈ AP, x ∈ X (model clock variables), z ∈ Z
    (property clock variables), ψ ∈ Ψ(X ∪ Z) (clock
    constraints), then p and ψ are TCTL formulæ, and
    if φ1 and φ2 are TCTL formulæ then so are
  • ¬φ1
  • φ1 ∧ φ2
  • φ1 ∨ φ2
  • z in φ1
  • A( φ1 U φ2 )
  • E( φ1 U φ2 )

29
TCTL examples
  • Note that the temporal operators can be subscripted
    with a time bound
  • A( φ1 U<7 φ2 ) means φ1 holds until, within 7
    time units, φ2 becomes true.
  • Implemented with a fresh property clock as
    z in A( φ1 U (φ2 ∧ z<7) ): the bound constrains the
    point at which φ2 holds, so it goes on φ2, not on φ1
  • A( alarm U<7 boiler-off ): the alarm is on until,
    within 7 time units, boiler-off is signalled.
  • EF<7( alarm ) = E( true U<7 alarm ): the alarm
    will be on within 7 time units.

30
Semantics of TCTL
  • Expressed in terms of a model and the satisfaction
    relation ⊨, which links a model, a composite
    state r = (s, v) and a formula clock valuation f with
    a property.
  • M,(r,f) ⊨ P means that the (TCTL) property P holds
    in (or is satisfied in) state r under the
    formula clock valuation f for the given model M

31
(Inductive) definition of ⊨
  • M,(r,f) ⊨ p iff p ∈ L(r)
  • M,(r,f) ⊨ ψ iff v ∪ f ⊨ ψ (the clock constraint ψ is
    evaluated over the model clocks v together with the
    property clocks f)
  • M,(r,f) ⊨ ¬φ1 iff not (M,(r,f) ⊨ φ1)
  • M,(r,f) ⊨ φ1 ∧ φ2 iff M,(r,f) ⊨ φ1 and
    M,(r,f) ⊨ φ2
  • M,(r,f) ⊨ φ1 ∨ φ2 iff M,(r,f) ⊨ φ1 or
    M,(r,f) ⊨ φ2

32
(Inductive) definition of ⊨
  • M,(r,f) ⊨ z in φ1 iff M,(r, z in f) ⊨ φ1
  • The notation z in f denotes the valuation f with the
    property clock z reset to 0
  • M,(r,f) ⊨ A( φ1 U φ2 ) iff for every path π from
    r, for some j, M,π(j) ⊨ φ2, and for all i<j, M,π(i) ⊨
    φ1 ∨ φ2.

33
(Inductive) definition of ⊨
  • M,(r,f) ⊨ E( φ1 U φ2 ) iff for some path π from r,
    for some j,
  • M,π(j) ⊨ φ2, and
  • for all i<j, M,π(i) ⊨ φ1 ∨ φ2.
  • Note that in both EU and AU, the condition up
    until φ2 is φ1 ∨ φ2, and not just φ1!!

34
AU: φ1 ∨ φ2 until φ2 (figure)
35
Model checking TCTL
  • The definition of a labelling algorithm is in the notes;
    it is not much different from CTL
  • The only problem is that this definition uses a least
    fixpoint iteration over an infinite set (the clock
    valuations)
  • In practice use the region construction, which makes
    the set finite
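The labelling algorithm of slides 32, 33 and 35 applied to the bounded-until example of slide 29, as an added example that is not part of the lecture. The region graph is hand-built for one property clock z with largest constant 7 (regions z=0, 0<z<1, z=1, ..., z=7, z>7) over two assumed locations, "on" (alarm sounding) and "off"; it is not the output of the general region construction, and the invariant that "on" can delay at most max_delay time units is an assumption of the example. Clock constraints such as z<7 are propositions on regions, as slide 27 notes, and "z in" corresponds to starting in the z=0 region.

```python
"""Added example (not from the lecture slides): the bounded-until property
    A(alarm U<7 boiler-off)  =  z in A(alarm U (boiler-off ∧ z<7))
checked with the AU/EU labelling of slides 32-33 over a small hand-built
region graph.  Locations 'on'/'off', the invariant bound `max_delay` and
all names are assumptions of this example."""

MAXC = 7                                    # largest constant compared with z
# Region k: index 2n is the point z=n, index 2n+1 is the open interval
# n<z<n+1, and the last index is z>MAXC.  Region 0 (z=0) is where 'z in' starts.
REGIONS = [f"z={k // 2}" if k % 2 == 0 else f"{k // 2}<z<{k // 2 + 1}"
           for k in range(2 * MAXC + 1)] + [f"z>{MAXC}"]
LAST = len(REGIONS) - 1


def z_lt(k, c):
    """The clock constraint z<c evaluated in region k (for c <= MAXC)."""
    return k < 2 * c


def build_region_graph(max_delay):
    """TCTL model (R, succ, L): regions (location, k), a total successor
    relation and a labelling.  'on' may let time pass only while z <= max_delay
    (assumed invariant); the switch-off edge may fire in any 'on' region."""
    R = [(loc, k) for loc in ("on", "off") for k in range(len(REGIONS))]
    succ = {r: set() for r in R}
    L = {}
    for k in range(len(REGIONS)):
        time_succ = min(k + 1, LAST)            # z>MAXC is its own time successor
        if k < 2 * max_delay:
            succ[("on", k)].add(("on", time_succ))
        succ[("on", k)].add(("off", k))         # discrete edge, clock unchanged
        succ[("off", k)].add(("off", time_succ))
        L[("on", k)] = {"alarm"}
        L[("off", k)] = {"boiler-off"}
    assert all(succ[r] for r in R), "a TCTL model needs a total relation"
    return R, succ, L


def AU(R, succ, phi1, phi2):
    """Regions satisfying A(phi1 U phi2): least fixpoint of
    Y = phi2 ∪ {r | r ⊨ phi1 and every successor of r is in Y}.
    The phi2-regions are in Y from the start, so using phi1 ∨ phi2 as the
    side condition, as the slides' semantics does, gives the same set."""
    Y = {r for r in R if phi2(r)}
    while True:
        new = {r for r in R if r not in Y and phi1(r) and succ[r] <= Y}
        if not new:
            return Y
        Y |= new


def EU(R, succ, phi1, phi2):
    """Regions satisfying E(phi1 U phi2): as AU, but some successor in Y suffices."""
    Y = {r for r in R if phi2(r)}
    while True:
        new = {r for r in R if r not in Y and phi1(r) and succ[r] & Y}
        if not new:
            return Y
        Y |= new


def bounded_response(max_delay, bound=7, universal=True):
    """Does A(alarm U<bound boiler-off) (or E(...) if universal=False) hold in
    the initial region ('on', z=0) of the model with the given invariant?"""
    R, succ, L = build_region_graph(max_delay)
    alarm = lambda r: "alarm" in L[r]
    off_in_time = lambda r: "boiler-off" in L[r] and z_lt(r[1], bound)
    Y = (AU if universal else EU)(R, succ, alarm, off_in_time)
    return ("on", 0) in Y


if __name__ == "__main__":
    for d in (6, 7, 9):
        print(d, bounded_response(d), bounded_response(d, universal=False))
```

With an invariant of 6 time units the universal property holds; with 7 it fails, because a path can delay to the z=7 region before switching off, and z<7 is false there; with 9 it fails also because the "on" location can keep delaying into the z>7 region. The existential version holds in every case, since the switch-off edge is enabled at z=0. The whole check runs over 32 regions, which is the point of slide 35: the fixpoint is finite once valuations are replaced by regions.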

36
Optimization for TCTL MC
  • We have already seen the steps to create a
    (finite) regional automaton
  • Apart from that there is no magic bullet, and
    real-time model checking has an equivalent
    region-space explosion
  • For this reason, the sizes of the systems
    handled so far have been kept small

37
Uppaal more formally
  • TCTL, but with restrictions that amount to only
    safety (reachability) formulæ
  • The set Z of property clocks used in a formula is empty
  • Syntax is just AG(φ) and EF(φ) (at the outer level)
  • φ ::= a | x op n | ¬φ | φ1 ∧ φ2  (op ∈
    {<, ≤, =, ≥, >})
  • a is a location in the model
  • Other properties (bounded liveness) require
    extended models/automata:
  • compare the system model with another test model
    (a test automaton)