checking extended ctl properties using guarded quotient
play

Checking Extended CTL Properties Using Guarded Quotient Structure - PowerPoint PPT Presentation

Mar 17, 2023 •30 likes •630 views

Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by: Professor Sistla Outline Part I: Symmetry based method Part II: CCTL logic Part III: Input language Part IV: Model checking algorithm

  1. Checking Extended CTL Properties Using Guarded Quotient Structure Xiaodong Wang advised by: Professor Sistla

  2. Outline ● Part I: Symmetry based method ● Part II: CCTL logic ● Part III: Input language ● Part IV: Model checking algorithm

  3. Part I: Symmetry Based Method ● Part I: Symmetry based method – Overview – QS Method – AQS Method – GQS Method ● Part II: CCTL ● Part II: Input language ● Part IV: Model checking algorithm ● Conclusion

  4. Model Checking Overivew correctness specification model model system model building checking description no, yes, system satisfy counter-example(s): the correctness spec

  5. State Explosion Problem ● State explosion problem – Exponential number of states in the state space – Even infinite state space ● Generally undecidable ● Some model checking methods are optimized for specific types of systems

  6. Symmetric System Client client client client 0 1 2 each module consists of identical processes Server server server 0 1 To model checking such systems, we employ symmetry in the system

  7. Symmetry Based Methods Overview model building property (Temporal Logic formula) symmetries Quotient system Structure model equivalence description checking relation on-the-fly No, Yes, system satisfy output path(s): the property

  8. Example: Mutual Exclusion Protocol with 2 processes state graph Process 2 Process 1 N 1 N 2 Non-critical Non-critical (N) (N) N 1 T 2 T 1 N 2 Trying Trying (T) (T) C 1 N 2 T 1 T 2 N 1 C 2 s y n Critical c Critical h r o n (C) (C) i C 1 T 2 T 1 C 2 z e d

  9. Process Symmetry N 2 N 1 N 1 N 2 N 2 N 1 flip: 1 2 N 2 T 1 N 1 T 2 T 2 N 1 T 1 N 2 N 2 T 1 T 2 N 1 C 2 N 1 C 1 N 2 T 1 T 2 T 2 T 1 N 2 C 1 N 1 C 2 C 2 N 1 T 2 T 1 N 2 C 1 C 2 T 1 T 2 C 1 C 1 T 2 T 1 C 2 C 2 T 1 T 2 C 1

  10. Symmetry Group ● Process symmetries of the system form a group: { f lip, id } ● Process symmetries of some systems may be obtained from system description directly client Server c2 s1 c3 c1 s2 permutations: s2 s1 c3 c2 c1

  11. Equivalence Relation over States N 1 N 2 N 1 T 2 T 1 N 2 C 1 N 2 T 1 T 2 N 1 C 2 C 1 T 2 T 1 C 2 T 1 N 2 flip( ) = T 2 N 1

  12. Quotient Structure N 1 N 2 N 1 T 2 C 1 N 2 T 1 T 2 C 1 T 2 Quotient Structure consisting of representative states

  13. QS Method Overview [1] model building LTL formula symmetric property symmetry automata group Quotient Structure symmetric model checking: (QS) system equivalence explore the product description relation automata no, yes, system satisfies output a trace: the LTL formula

  14. Symmetry Group for QS Method ● System symmetries {flip, id} ● formula symmetries for G (!(C 1 ^ C 2 )) {flip, id} symmetry group ● Symmetry group flip id formula symmetries system symmetries larger symmetry group for symmetric system and symmetric property

  15. Quotient Structure symmetric system: mutual exclusion protocol symmetric property: G( !(C 1 ^ C 2 ) ) N 1 N 2 T 1 N 2 C 1 N 2 T 1 T 2 C 1 T 2

  16. AQS Method Overview [2,3,4] model building LTL symmetric/ asymmetric Annotated system property automata symmetry Quotient Structure symmetric model checking: (AQS) equivalence system partially unwind AQS relation (indirectly by permuting process ids in formula) on-the-fly No, Yes, system satisfies output a trace: the formula

  17. Symmetry Group for AQS Method ● System symmetries {flip, id} ● Formula symmetry for EF (C 2 ) {id} ● Symmetry group symmetry group flip id formula symmetry system symmetries

  18. Annotated Quotient Structure symmetric system : mutual exclusion protocol N 1 N 2 id flip T 1 N 2 id id id T 1 T 2 C 1 N 2 flip id flip id C 1 T 2 does not depend on the formula

  19. Directly Unwind AQS N 1 N 2 N 1 N 2 flip N 1 T 2 N 2 T 1 id T 2 T 1 T 1 T 2 flip T 2 C 1 T 2 C 1 flip T 1 N 2 N 2 T 1 id T 2 T 1 T 1 T 2 id T 2 C 1 T 1 C 2 path in AQS actual path

  20. Indirectly Unwind AQS N 1 N 2 C 2 flip N 2 T 1 C 1 id (flip*id*flip)([T 2 ,C 1 ]) T 2 T 1 C 1 flip satisfies C 2 T 2 C 1 C 2 = flip N 2 T 1 C 1 [T 2 ,C 1 ] satisfies id T 2 T 1 C (flip*id*flip)-1(2) C 1 id T 2 C 1 C 1 atomic proposition C 2 path in AQS

  21. GQS Method Overview [5] model building LTL symmetric/ add edges asymmetric symmetric automata property Guarded system Quotient symmetries symmetric/ Structure model checking: asymmetric (GQS) equivalence partially unwind system relation GQS (check guards, permute process ids AQS in formula and guards) add guards Yes, No, system satisfy output a trace: the property

  22. Partial Symmetric / Asymmetric Systems Process 2 Process 1 Non-critical Non-critical when process 1 and (N) (N) process 2 both in “T”, process 1 has higher Trying Trying priority to enter “C” (T) (T) Critical Critical (C) (C) a partial symmetric system

  23. from Partially Symmetric to Symmetric partially symmetric system symmetric system N 1 N 2 N 1 N 2 add edges to make it more symmetric N 1 T 2 N 1 T 2 T 1 N 2 T 1 N 2 C 1 N 2 T 1 T 2 N 1 C 2 C 1 N 2 T 1 T 2 N 1 C 2 C 1 T 2 T 1 C 2 C 1 T 2 T 1 C 2 This may be done directly with system description, i.e. by ignoring the priorities

  24. Guarded Quotient Structure N 1 N 2 N 1 N 2 add edge flip flip conditions id id T 1 N 2 T 1 N 2 id id flip id id id id C 1 N 2 C 1 N 2 T 1 T 2 T 1 T 2 flip ' id,T 1 ^C 1 id flip id ' flip, T 1 ^C 1 id C 1 T 2 C 1 T 2 GQS AQS

  25. Infeasible Path N 1 N 2 N 1 N 2 flip N 1 T 2 N 2 T 1 id T 2 T 1 T 1 T 2 ' flip,T 1 ^C 1 T 2 C 1 T 2 C 1 flip T 1 N 2 N 2 T 1 id T 2 T 1 T 1 T 2 ' id,T 1 ^C 1 T 2 C 1 T 1 C 2 corresponding actual path in GQS path is infeasible

  26. Summary of the Three Symmetric Based Methods ● QS method – Primary safety properties – Symmetric systems and symmetric properties ● AQS method – Both safety and liveness properties – Symmetric systems ● GQS method – Both safety and liveness properties – Partial symmetric and asymmetric systems

  27. Question ?

  28. Part II : CCTL Logic ● Part I: Symmetry based method ● Part II: CCTL – CCTL syntax – CCTL semantics ● Part II: Input language ● Part IV: Model checking algorithm ● Conclusion

  29. CCTL Syntax <formula> :: <atomic formula> | <count-term> <comp-operator> <count-term> <formula> ^ <formula> | ! <formula> | EX(<formula>) | E fair X(<formula>) | EG(<formula>) | E fair G(<formula>) | E(<formula> U <formula>) | E fair (<formula> U <formula>) <count-term> :: COUNT(i,M,<formula>) | <constant>

  30. CCTL Syntax Cont. N 1 N 2 ● Fairness path quantifier: E fair weak/strong process fairness N 1 T 2 T 1 T 2 ● COUNT term: COUNT(i, M, h(i)) T 2 C 1 – i : free process variable in h N 1 T 2 – M: set of process ids i ranges over T 1 T 2 – h(i) : CCTL formula T 2 C 1 . . – Example: COUNT(i, client, C i ) . . . an “unfair” path .

  31. COUNT Term's Semantics N 2 C 1 S : COUNT(i, client, C i ) S = 1 N 1 N 2 S N 1 T 2 T 1 N 2 C 1 N 2 T 1 T 2 N 1 C 2 C 1 T 2 T 1 C 2 COUNT(i, client, T i ^ EX(C i )) S = 2

  32. Why Introduce the COUNT T erm ● Uniformly express properties such as COUNT(i, {1,2,3,4}, g(i)) = COUNT(i, {1,2,3,4}, h(i) ) f = (g(1)^!g(2)^!g(3)^!g(4) ^ h(1)^!h(2)^!h(3)^!h(4)) v (g(1)^!g(2)^!g(3)^!g(4) ^ !h(1)^h(2)^!h(3)^!h(4)) v ... .... contain 70 sub-formulas ● Efficient evaluate COUNT term

  33. Express Other Temporal Opertor and Process Quantifier ● Other temporal operators: AX(f) = ! EX (! f) AG(f) = ! EF ( ! f) A(f 1 U f 2 ) = ! (EG (! f 2 ) v E(! f 2 U ! f 1 ^ ! f 2 ) ● Process quantifiers: Universal quantifier: COUNT(i, M, h(i)) = COUNT(i, M, True) Existential quantifier: COUNT(i, M, h(i)) > 0

  34. Question ?

  35. Part III: Input Language ● Part I: Symmetry based method ● Part II: CCTL ● Part III: Input language ● Part IV: Model checking algorithm ● Conclusion

  36. Structure of Input Concurrent program initial values module 1 transition templates processes are instantiated ... from modules by instantiating module2 all the transition templates transition templates in that module ... CCTL formula evaluation for the CCTL formula

  37. Concurrent Program ● Program variable: reply[i,j] ● Process variable: i, j ● Transition template: cl of controller {... lc[cl] == 0 & request[cl,k] == 1 & ALL(i: reply [i,k] == 0) reply[ck,k] = 1, buzy[cl] == 1, lc[cl] == 1 (Priority: 0-1;2-5) ...} ● Priority specification (Priority: 0-1;2-5) ● Allow multiple priority specifications in one module

  38. CCTL Formula and Evaluation ● CCTL formula using only free process variables: AG(lk[i] != 2 V lk[j] != 2) ● Evaluation of the free process variables in the formula: i = 1, j = 2

  39. Question ?

  40. Part IV: Model Checking Algorithm ● Part I: Symmetry based method ● Part II: CCTL ● Part II: Input language ● Part IV: Model checking algorithm – Overview – Employing GQS – Evaluate COUNT term – Model checking procedures – Implementation and Experiments ● Conclusion

  41. Overview ● Assume GQS has been fully constructed ● Model Checking the CCTL formula employing GQS – Indirectly unwind GQS – Quantifier elimination – Work inductively over the structure of the CCTL formula

Recommend

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6

Authors Authors Author Defn. Num.* K. Rustan M. Leino MJS 13 Extended Static Checking Extended Static Checking Greg Nelson MJ 6 James B. Saxe MJ 6 Wolfram Schulte S 3 David Detlefs M 2 Raymie Stata J 2 Mike Barnett S 2

239 views • 5 slides
Checking Graph Properties with GP Chris Poskitt (cmp501@cs.york.ac.uk) The University of York

Checking Graph Properties with GP Chris Poskitt (cmp501@cs.york.ac.uk) The University of York

Checking Graph Properties with GP Checking Graph Properties with GP Chris Poskitt (cmp501@cs.york.ac.uk) The University of York PLASMA Seminar: 5th March 2009 Checking Graph Properties with GP Motivation Todays Talk 1. Motivation 2. GP

874 views • 52 slides
Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties

Liveness Checking as Safety Checking to Find Shortest Counterexamples to Linear Time Properties Viktor Schuppan Computer Systems Institute, ETH Z urich http://www.inf.ethz.ch/schuppan/ Defense Thesis ETH 16268 September 28, 2005, Z

382 views • 19 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides
ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of

ESC/Java extended static checking for Java Erik Poll, Joe Kiniry, David Cok University of Nijmegen; Eastman Kodak Company Erik Poll - JML p.1/17 ESC/Java Extended static checker by Rustan Leino et.al. [Compaq]. tries to prove

334 views • 22 slides
Cauchy quotient means and their properties Martin Himmel Department of Mathematics, Computer

Cauchy quotient means and their properties Martin Himmel Department of Mathematics, Computer

Cauchy quotient means and their properties Martin Himmel Department of Mathematics, Computer Science and Econometrics University of Zielona G ora Topics in Complex Dynamics, October 2-6, 2017, Barcelona Topics in Complex Dynamics, October

511 views • 39 slides
Extended Static Checking for Java Lukas Erlacher TU Mnchen - Seminar Verification 14. Juli

Extended Static Checking for Java Lukas Erlacher TU Mnchen - Seminar Verification 14. Juli

Motivation Example Architecture Discussion Extended Static Checking for Java Lukas Erlacher TU Mnchen - Seminar Verification 14. Juli 2011 Erlacher Extended Static Checking for Java Motivation Example Architecture Discussion Outline

662 views • 32 slides
Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for

Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for

Efficient Model Checking of Safety Properties Timo Latvala timo.latvala@hut.fi Laboratory for Theoretical Computer Science Helsinki University of Technology Finland Spin 2003 p.1/16 Introduction Safety properties properties

669 views • 44 slides
Lecture 4: Checking properties in NuSMV B. Srivathsan Chennai Mathematical Institute Model

Lecture 4: Checking properties in NuSMV B. Srivathsan Chennai Mathematical Institute Model

Lecture 4: Checking properties in NuSMV B. Srivathsan Chennai Mathematical Institute Model Checking and Systems Verification January - April 2016 1 / 43 Outline Module 1: Synchronous Vs Asynchronous composition Module 2: More examples

1.11k views • 90 slides
Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen

Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen

Rewrite Semantics for Guarded Recursion in Type Theory Patrick Bahr IT University of Copenhagen joint work with Rasmus Mgelberg and Hans Bugge Grathwohl Overview Guarded Recursive Types Dependent Types Reduction Semantics 2 / 21 Guarded

488 views • 45 slides
Type Checking General properties of type systems Types in programming languages

Type Checking General properties of type systems Types in programming languages

Outline Type Checking General properties of type systems Types in programming languages Notation for type rules Logical rules of inference Common type rules 2 Static Checking Static Checking (Cont.) Refers to

896 views • 10 slides
Extended Static Checking with ESC/Java2 1. Overview Wolfgang Schreiner

Extended Static Checking with ESC/Java2 1. Overview Wolfgang Schreiner

Extended Static Checking with ESC/Java2 1. Overview Wolfgang Schreiner Wolfgang.Schreiner@risc.uni-linz.ac.at 2. Examples Research Institute for Symbolic Computation (RISC) Johannes Kepler University, Linz, Austria

653 views • 12 slides
Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time

Productive Coprogramming with Guarded Recursion Jeroen Slot en Ilse Pool First slide Last time we saw that corecursive functions have to be guarded. But guarded recur- sion does not always work, so we need something else, which we will be

783 views • 5 slides
Scalable Verification of Design with Multiple Properties Rohit Dureja Iowa State University

Scalable Verification of Design with Multiple Properties Rohit Dureja Iowa State University

Scalable Verification of Design with Multiple Properties Rohit Dureja Iowa State University October 23, 2019 Model Checking 2 Model Checking Usually multiple properties to be verified 3 Model Checking Report 4 Model Checking Report

446 views • 9 slides
Verifying Timed Reachability Properties Lecture #17 of Advanced Model Checking Joost-Pieter

Verifying Timed Reachability Properties Lecture #17 of Advanced Model Checking Joost-Pieter

Verifying Timed Reachability Properties Lecture #17 of Advanced Model Checking Joost-Pieter Katoen Lehrstuhl 2: Software Modeling &amp; Verification E-mail: katoen@cs.rwth-aachen.de June 30, 2014 c JPK Advanced model checking Timelock,

720 views • 31 slides
Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming

Industrial Strength Refinement Checking Jesse Bingham, John Erickson, Gaurav Singh, and Flemming Andersen Intel IAG FMCAD 2009 1 Introduction Standard approach to FV of HW protocols Develop high level model (HLM) in guarded-command-

473 views • 25 slides
Quotient Group Dr. R. S. Wadbude Associate Professor Co-sets Normal Sub-Group Quotient

Quotient Group Dr. R. S. Wadbude Associate Professor Co-sets Normal Sub-Group Quotient

Department of Mathematics Quotient Group Dr. R. S. Wadbude Associate Professor Co-sets Normal Sub-Group Quotient Group Lagranges Theorem Coset a Group Sub-Group (H) h 1.Under Addition a) Left Coset : a+H={a+h : h H} b)

899 views • 12 slides
On the Decidability of Model-Checking Information Flow Properties Raghavendra K. R. Joint Work:

On the Decidability of Model-Checking Information Flow Properties Raghavendra K. R. Joint Work:

Introduction Noninteference BSPs Results Conclusion On the Decidability of Model-Checking Information Flow Properties Raghavendra K. R. Joint Work: Deepak DSouza, Janardhan Kulkarni, Barbara Sprick, Raveendra Holla Indian Institute of

717 views • 26 slides
The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded

The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded

The Clocks Are Ticking: No More Delays! Reduction Semantics for Type Theory with Guarded Recursion Patrick Bahr 1 Hans Bugge Grathwohl 2 Rasmus Mgelberg 1 1 IT University of Copenhagen 2 Aarhus University What is guarded recursion?

710 views • 48 slides
Introduction Goal: Use programmers design decisions with automatic checking todetect potential

Introduction Goal: Use programmers design decisions with automatic checking todetect potential

0.5 setgray0 0.5 setgray1 Introduction Goal: Use programmers design decisions with automatic checking todetect potential errors. Extended Static Checking (ESC) tries to prove correctness at compile-time helps finding run-time exceptions

302 views • 11 slides
Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de

Type checking liveness properties of mobile processes Maxime Gamboni 1 Instituto de Telecomunica c oes, Instituto Superior T ecnico October 30, 2008 1 Joint work with Ant onio Ravara Motivation TyPiCal Receptiveness,

983 views • 59 slides
Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2

Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2

Introduction Bounded Properties Unbounded Properties Experiments Efficient Probabilistic Model Checking of Systems with Ranged Probabilities Khalil Ghorbal 1 , 2 Parasara Sridhar Duggirala 1 , 3 c 1 Vineet Kahlon 1 Aarti Gupta 1 Franjo Ivan

400 views • 28 slides
Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product Lines Andreas Classen, Patrick Heymans, Pierre-Yves Schobbens, Axel Legay, Jean-Franois Raskin (2010) Presented by Laura Walsh 1 Overview 1.

401 views • 28 slides
Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF ,

Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF ,

Checking Consistency Properties: Tractable Reductions to Reachability Constantin Enea IRIF , University Paris Diderot Concurrent/Distributed Objects Modern computer software is increasingly concurrent performance improvements often

522 views • 29 slides

More recommend