Checking Extended CTL Properties Using Guarded Quotient Structure - PowerPoint PPT Presentation


  1. Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by: Professor Sistla

  2. Outline ● Part I: Symmetry based method ● Part II: CCTL logic ● Part III: Input language ● Part IV: Model checking algorithm

  3. Part I: Symmetry Based Method ● Part I: Symmetry based method – Overview – QS Method – AQS Method – GQS Method ● Part II: CCTL ● Part III: Input language ● Part IV: Model checking algorithm ● Conclusion

  4. Model Checking Overview (diagram): the system description goes through model building to produce a model; the model and the correctness specification go into model checking, whose answer is either "yes, the system satisfies the correctness spec" or "no", with counter-example(s).

  5. State Explosion Problem ● The state space can have an exponential number of states, or even be infinite ● For infinite state spaces, model checking is in general undecidable ● Some model checking methods are therefore optimized for specific types of systems

  6. Symmetric System (diagram: a Client module with processes client 0, client 1, client 2 and a Server module with processes server 0, server 1) ● Each module consists of identical processes ● To model check such systems, we exploit the symmetry in the system

  7. Symmetry Based Methods Overview (diagram): the system description goes through model building into a quotient structure; the symmetries define the equivalence relation on states; the property (a temporal logic formula) and the quotient structure go into model checking, performed on-the-fly, whose answer is either "yes, the system satisfies the property" or "no", with output path(s).

  8. Example: Mutual Exclusion Protocol with 2 processes ● Each process cycles through the local states Non-critical (N), Trying (T) and Critical (C); the two processes are synchronized so that only one of them is in C at a time ● State graph with the states N1N2, N1T2, T1N2, C1N2, T1T2, N1C2, C1T2, T1C2 (C1C2 does not occur)

  9. Process Symmetry (diagram): the permutation flip: 1 ↔ 2 maps the state graph onto itself by swapping the process indices, e.g. N1T2 ↦ N2T1 (= T1N2), T1T2 ↦ T2T1 (= T1T2), C1T2 ↦ C2T1 (= T1C2), and likewise for all eight states and their edges.

  10. Symmetry Group ● Process symmetries of the system form a group: {flip, id} ● Process symmetries of some systems may be obtained directly from the system description (diagram: clients c1, c2, c3 and servers s1, s2, with the permutations listed on the slide as s2 s1 c3 c2 c1, i.e. servers are permuted among servers and clients among clients)

  11. Equivalence Relation over States ● Two states are equivalent when some process symmetry maps one onto the other, e.g. flip(T1N2) = T2N1, i.e. N1T2 ● The eight states N1N2, N1T2, T1N2, C1N2, T1T2, N1C2, C1T2, T1C2 fall into the classes {N1N2}, {N1T2, T1N2}, {C1N2, N1C2}, {T1T2}, {C1T2, T1C2}

  12. Quotient Structure ● The quotient structure consists of one representative state per equivalence class: N1N2, N1T2, C1N2, T1T2, C1T2

  13. QS Method Overview [1] (diagram): the system description goes through model building into the quotient structure (QS); the symmetry group, built from the system symmetries and the formula symmetries, defines the equivalence relation; the symmetric property, an LTL formula, is turned into property automata; model checking explores the product of the QS and the automata, answering "yes, the system satisfies the LTL formula" or "no", with an output trace.

  14. Symmetry Group for QS Method ● System symmetries: {flip, id} ● Formula symmetries for G(!(C1 ^ C2)): {flip, id} ● Symmetry group: the symmetries common to the system and the formula, here {flip, id} ● A symmetric system together with a symmetric property gives a larger symmetry group

  15. Quotient Structure ● Symmetric system: mutual exclusion protocol ● Symmetric property: G(!(C1 ^ C2)) ● Representative states: N1N2, T1N2, C1N2, T1T2, C1T2

  16. AQS Method Overview [2,3,4] (diagram): the system description goes through model building into the annotated quotient structure (AQS); the system symmetries define the equivalence relation; the property, symmetric or asymmetric, is an LTL formula turned into property automata; model checking partially unwinds the AQS on-the-fly, indirectly, by permuting the process ids in the formula, answering "yes, the system satisfies the formula" or "no", with an output trace.

  17. Symmetry Group for AQS Method ● System symmetries: {flip, id} ● Formula symmetry for EF(C2): {id} ● Symmetry group: the full group of system symmetries {flip, id}; the symmetries of the formula are not needed

  18. Annotated Quotient Structure ● Symmetric system: mutual exclusion protocol ● Representative states N1N2, T1N2, T1T2, C1N2, C1T2; each edge is annotated with the permutation (id or flip) that maps the concrete successor onto its representative, e.g. N1N2 → T1N2 with id (successor T1N2) and with flip (successor N1T2), and C1T2 → T1N2 with flip (successor N1T2) ● The AQS does not depend on the formula

  19. Directly Unwind AQS (diagram): a path in the AQS is turned into an actual path of the system by composing the annotations of its edges (on the slide: flip, id, flip, flip, id, id) and applying the accumulated permutation to each representative state; the example starts at N1N2, and while the AQS path ends in the representative written T2C1 on the slide, the actual path ends in T1C2.

  20. Indirectly Unwind AQS (diagram): instead of computing the actual states, keep the representatives and apply the inverse of the accumulated permutation to the process ids in the formula: with π = flip*id*flip accumulated along the path, π([T2,C1]) satisfies C2 if and only if [T2,C1] satisfies C_{π^{-1}(2)}. The slide traces the atomic proposition C2 along the AQS path N1N2 →(flip) N2T1 →(id) T2T1 →(flip) T2C1, rewriting it to C1, C1 and back to C2.

  21. GQS Method Overview [5] (diagram): the system description, symmetric or asymmetric, has edges added to make it symmetric, goes through model building and has guards added, yielding the guarded quotient structure (GQS); the symmetries define the equivalence relation; the property, symmetric or asymmetric, is an LTL formula turned into property automata; model checking partially unwinds the GQS (checking the guards and permuting the process ids in the formula and in the guards), answering "yes, the system satisfies the property" or "no", with an output trace.

  22. Partially Symmetric / Asymmetric Systems ● The two-process protocol with the local states Non-critical (N), Trying (T) and Critical (C), except that when process 1 and process 2 are both in T, process 1 has higher priority to enter C ● This is a partially symmetric system

  23. From Partially Symmetric to Symmetric ● Add edges to make the partially symmetric system symmetric: the state graph of the priority version lacks the edge T1T2 → T1C2 of the symmetric graph (states N1N2, N1T2, T1N2, C1N2, T1T2, N1C2, C1T2, T1C2); adding it yields the symmetric system ● This may be done directly on the system description, i.e. by ignoring the priorities

  24. Guarded Quotient Structure (diagram, GQS beside AQS): both have the representatives N1N2, T1N2, C1N2, T1T2, C1T2 with the edge annotations id / flip of the AQS; in the GQS the edges out of T1T2 into C1T2 additionally carry the edge conditions (guards) introduced for the added edges, written on the slide as 'id, T1 ^ C1' and 'flip, T1 ^ C1'.

  25. Infeasible Path (diagram): the same unwound path as on slide 19, now through the GQS, with guards on the two edges into T2C1 ('flip, T1 ^ C1' and 'id, T1 ^ C1'); the corresponding actual path ends in T1C2, but a guard along it does not hold, so the path is infeasible in the original system.

  26. Summary of the Three Symmetry Based Methods ● QS method – Primarily safety properties – Symmetric systems and symmetric properties ● AQS method – Both safety and liveness properties – Symmetric systems ● GQS method – Both safety and liveness properties – Partially symmetric and asymmetric systems

  27. Question ?

  28. Part II : CCTL Logic ● Part I: Symmetry based method ● Part II: CCTL – CCTL syntax – CCTL semantics ● Part III: Input language ● Part IV: Model checking algorithm ● Conclusion

  29. CCTL Syntax
    <formula> ::= <atomic formula> | <count-term> <comp-operator> <count-term> | <formula> ^ <formula> | ! <formula> | EX(<formula>) | E_fair X(<formula>) | EG(<formula>) | E_fair G(<formula>) | E(<formula> U <formula>) | E_fair(<formula> U <formula>)
    <count-term> ::= COUNT(i, M, <formula>) | <constant>

  30. CCTL Syntax Cont. ● Fairness path quantifier E_fair: weak/strong process fairness (diagram: an "unfair" path N1N2 → N1T2 → T1T2 → C1T2 → N1T2 → T1T2 → C1T2 → ... on which process 2 stays in T forever while process 1 repeatedly enters C) ● COUNT term: COUNT(i, M, h(i)) – i: the free process variable in h – M: the set of process ids that i ranges over – h(i): a CCTL formula – Example: COUNT(i, client, C_i)

  31. COUNT Term's Semantics (diagram: the state graph N1N2, N1T2, T1N2, C1N2, T1T2, N1C2, C1T2, T1C2) ● At the state S = C1N2 (written N2C1 on the slide), COUNT(i, client, C_i) = 1, since only process 1 is in C ● COUNT(i, client, T_i ^ EX(C_i)) = 2 at the state T1T2, where both processes are trying and each has a successor in which it is in C

  32. Why Introduce the COUNT Term ● Uniformly express properties such as COUNT(i, {1,2,3,4}, g(i)) = COUNT(i, {1,2,3,4}, h(i)); spelled out in CTL this becomes f = (g(1) ^ !g(2) ^ !g(3) ^ !g(4) ^ h(1) ^ !h(2) ^ !h(3) ^ !h(4)) v (g(1) ^ !g(2) ^ !g(3) ^ !g(4) ^ !h(1) ^ h(2) ^ !h(3) ^ !h(4)) v ..., which contains 70 such disjuncts (one for each pair of equal-size subsets of {1,2,3,4}) ● Efficiently evaluate the COUNT term

  33. Express Other Temporal Operators and Process Quantifiers ● Other temporal operators: AX(f) = !EX(!f); AG(f) = !EF(!f); A(f1 U f2) = !(EG(!f2) v E(!f2 U (!f1 ^ !f2))) ● Process quantifiers: universal quantifier: COUNT(i, M, h(i)) = COUNT(i, M, True); existential quantifier: COUNT(i, M, h(i)) > 0
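The following Python program is an added example and is not code from the slides or from the thesis they summarize. It builds the two-process mutual-exclusion state graph of slide 8, computes the equivalence classes and the quotient structure under {id, flip} with the edge annotations of slides 11, 12 and 18, evaluates the CTL operators of slide 33 by fixpoint iteration, and evaluates the COUNT terms of slide 31 over the explicit graph; it also counts the disjuncts of the expansion on slide 32. The transition rules (a process may enter C only when no other process is in C), the rank-minimal choice of representatives, and all function names are assumptions of this example, not the thesis's own tool.

```python
"""Added example, not part of the slides: the two-process mutual-exclusion
protocol of slide 8, its quotient under the flip symmetry (slides 11-12, 18),
and CTL / CCTL COUNT evaluation over the explicit state graph (slides 31-33)."""
from math import comb

RANK = {"N": 0, "T": 1, "C": 2}   # local states: Non-critical, Trying, Critical

def successors(state):
    """One process moves: N->T, T->C (only if no other process is in C, the
    synchronisation of slide 8), C->N.  Interleaving semantics (assumed)."""
    out = set()
    for i, local_state in enumerate(state):
        other_in_c = any(x == "C" for j, x in enumerate(state) if j != i)
        if local_state == "N":
            nxt = "T"
        elif local_state == "T" and not other_in_c:
            nxt = "C"
        elif local_state == "C":
            nxt = "N"
        else:
            continue
        out.add(state[:i] + (nxt,) + state[i + 1:])
    return out

def build_graph(n_procs):
    """Reachable states and edge map, starting from the all-N state."""
    init = ("N",) * n_procs
    states, todo, edges = {init}, [init], {}
    while todo:
        s = todo.pop()
        edges[s] = successors(s)
        for t in edges[s]:
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, edges

# --- Part I: a process permutation acts on a state by permuting components --
def apply(perm, state):
    """perm[k] is the process whose local state moves to position k."""
    return tuple(state[perm[k]] for k in range(len(state)))

def representative(orbit):
    """Canonical member of an equivalence class: the rank-minimal state."""
    return min(orbit, key=lambda s: tuple(RANK[x] for x in s))

def quotient(states, edges, group):
    """Quotient structure: one representative per orbit; each edge out of a
    representative is labelled with the target's representative and the
    permutation that maps the concrete target onto it (AQS labels, slide 18)."""
    orbit = {s: frozenset(apply(p, s) for p in group) for s in states}
    reps = {representative(o) for o in orbit.values()}
    q_edges = {r: set() for r in reps}
    for r in reps:
        for t in edges[r]:
            rt = representative(orbit[t])
            pi = next(p for p in group if apply(p, t) == rt)
            q_edges[r].add((rt, pi))
    return reps, q_edges

# --- Part II: CTL operators as set computations; COUNT on top of them ------
def EX(states, edges, f):
    return {s for s in states if edges[s] & f}

def fixpoint(start, step):
    x = set(start)
    while True:
        nxt = step(x)
        if nxt == x:
            return x
        x = nxt

def EU(states, edges, f1, f2):   # least fixpoint of X = f2 | (f1 & EX(X))
    return fixpoint(f2, lambda x: x | (f1 & EX(states, edges, x)))

def EG(states, edges, f):        # greatest fixpoint of X = f & EX(X), no fairness
    return fixpoint(f, lambda x: x & EX(states, edges, x))

def AG(states, edges, f):        # AG(f) = !EF(!f), EF(g) = E(True U g)  (slide 33)
    return states - EU(states, edges, states, states - f)

def local(states, i, value):     # atomic proposition "process i is in `value`"
    return {s for s in states if s[i] == value}

def count(state, M, h):
    """COUNT(i, M, h(i)) at a state: number of ids i in M whose instantiated
    formula h(i), given as the set of states satisfying it, holds (slide 31)."""
    return sum(1 for i in M if state in h(i))

def equality_expansion_size(n):
    """Disjuncts needed to spell out COUNT(i,M,g) = COUNT(i,M,h) for |M| = n as
    on slide 32: one per pair of equal-size subsets of M."""
    return sum(comb(n, k) ** 2 for k in range(n + 1))

def demo():
    states, edges = build_graph(2)
    ident, flip = (0, 1), (1, 0)                      # symmetry group {id, flip}
    reps, q_edges = quotient(states, edges, [ident, flip])
    procs = range(2)
    C = lambda i: local(states, i, "C")
    T = lambda i: local(states, i, "T")
    return {
        "n_states": len(states),
        "representatives": reps,
        # representative ('N','T') is reached from the initial state via id and
        # via flip (slide 18 draws the same two edges with T1N2 as representative)
        "edges_from_init": q_edges[("N", "N")],
        # G(!(C1 ^ C2)) of slide 14, checked as AG over the reachable graph
        "mutex_holds": AG(states, edges, states - (C(0) & C(1))) == states,
        # slide 31: COUNT(i, client, C_i) at C1N2, COUNT(i, client, T_i ^ EX(C_i)) at T1T2
        "count_c_at_c1n2": count(("C", "N"), procs, C),
        "count_t_ex_c_at_t1t2": count(("T", "T"), procs,
                                      lambda i: T(i) & EX(states, edges, C(i))),
        # the unfair path of slide 30: without fairness process 2 may stay in T forever
        "unfair_path_exists": ("N", "N") in EG(states, edges, states - C(1)),
    }
```

demo() returns the eight reachable states, the five representatives (C1C2 never appears, so the mutual exclusion property of slide 14 holds everywhere), the COUNT values 1 and 2 of slide 31, and the fact that EG(!C2) holds in the initial state: that is the unfair path of slide 30, the kind of behaviour the E_fair quantifier is introduced to address.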

  34. Question ?

  35. Part III: Input Language ● Part I: Symmetry based method ● Part II: CCTL ● Part III: Input language ● Part IV: Model checking algorithm ● Conclusion

  36. Structure of Input (diagram) ● Concurrent program: initial values; module 1 with its transition templates; module 2 with its transition templates; ... ● Processes are instantiated from modules by instantiating all the transition templates in that module ● CCTL formula ● Evaluation (assignment of process ids) for the free process variables of the CCTL formula

  37. Concurrent Program ● Program variable: reply[i,j] ● Process variable: i, j ● Transition template for process cl of module controller: {... guard: lc[cl] == 0 & request[cl,k] == 1 & ALL(i: reply[i,k] == 0); action: reply[ck,k] = 1, buzy[cl] == 1, lc[cl] == 1 (Priority: 0-1;2-5) ...} ● Priority specification: (Priority: 0-1;2-5) ● Multiple priority specifications are allowed in one module

  38. CCTL Formula and Evaluation ● CCTL formula using only free process variables: AG(lk[i] != 2 V lk[j] != 2) ● Evaluation of the free process variables in the formula: i = 1, j = 2

  39. Question ?

  40. Part IV: Model Checking Algorithm ● Part I: Symmetry based method ● Part II: CCTL ● Part III: Input language ● Part IV: Model checking algorithm – Overview – Employing GQS – Evaluating the COUNT term – Model checking procedures – Implementation and experiments ● Conclusion

  41. Overview ● Assume GQS has been fully constructed ● Model Checking the CCTL formula employing GQS – Indirectly unwind GQS – Quantifier elimination – Work inductively over the structure of the CCTL formula
