Design Verification Model/Property Checking: Computation Tree Logic - PowerPoint PPT Presentation

  1. Design Verification: Model/Property Checking: Computation Tree Logic
Virendra Singh, Associate Professor, Computer Architecture and Dependable Systems Lab, Department of Electrical Engineering, Indian Institute of Technology Bombay
http://www.ee.iitb.ac.in/~viren/ E-mail: viren@ee.iitb.ac.in
EE-709: Testing & Verification of VLSI Circuits, Lecture 32 (07 April 2013)

  2. Linear-Time Temporal Logic
• LTL formulas are evaluated on paths.
• A state of a system satisfies an LTL formula if all the paths starting from that state satisfy it.
• LTL therefore quantifies universally over paths, implicitly.
• Properties that assert the existence of a path cannot be expressed in LTL.
• Negation can partly solve the problem: check whether all paths satisfy the negation of the formula; if that check fails, the counterexample path returned by the checker is a witness for the original existential property.
07 Apr 2013 EE-709@IITB 2

  3. Computation Tree
[Figure: the computation tree obtained by unwinding a three-state model from its initial state $s_0$. The states are labelled $s_0$: {p, q}, $s_1$: {q, r}, $s_2$: {r}; the same labels repeat down every branch of the infinite tree.]

  4. Syntax of CTL (Backus Naur Form)
$\varphi ::= \bot \mid \top \mid p \mid \neg\varphi \mid \varphi \land \varphi \mid \varphi \lor \varphi \mid \varphi \to \varphi \mid AX\,\varphi \mid EX\,\varphi \mid AF\,\varphi \mid EF\,\varphi \mid AG\,\varphi \mid EG\,\varphi \mid A[\varphi\ U\ \varphi] \mid E[\varphi\ U\ \varphi]$
where $p$ ranges over the atomic propositions. Every temporal operator is a path quantifier ($A$: on all paths, $E$: on some path) paired with a linear operator ($X$: next, $F$: eventually, $G$: always, $U$: until).

  5. Semantics of CTL
Let $M = (S, \to, L)$ be a model for CTL, $s \in S$, and $\varphi$ a CTL formula. The relation $M, s \models \varphi$ is defined by structural induction on $\varphi$:
1. $M, s \models \top$
2. $M, s \not\models \bot$
3. $M, s \models p$ iff $p \in L(s)$
4. $M, s \models \neg\varphi$ iff $M, s \not\models \varphi$
5. $M, s \models \varphi_1 \land \varphi_2$ iff $M, s \models \varphi_1$ and $M, s \models \varphi_2$
6. $M, s \models \varphi_1 \lor \varphi_2$ iff $M, s \models \varphi_1$ or $M, s \models \varphi_2$
7. $M, s \models \varphi_1 \to \varphi_2$ iff $M, s \models \varphi_2$ whenever $M, s \models \varphi_1$

  6. Semantics of CTL
8. $M, s \models AX\,\varphi$ iff for all $s_1$ such that $s \to s_1$, $M, s_1 \models \varphi$
9. $M, s \models EX\,\varphi$ iff there exists $s_1$ such that $s \to s_1$ and $M, s_1 \models \varphi$
10. $M, s \models AG\,\varphi$ iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ and for all $s_i$ along the path, $M, s_i \models \varphi$
11. $M, s \models EG\,\varphi$ iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ such that for all $s_i$ along the path, $M, s_i \models \varphi$
12. $M, s \models AF\,\varphi$ iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$, there is some $s_i$ with $M, s_i \models \varphi$
13. $M, s \models EF\,\varphi$ iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ and some $s_i$ along it with $M, s_i \models \varphi$
14. $M, s \models A[\varphi\ U\ \psi]$ iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$, there is some $s_i$ such that $M, s_i \models \psi$ and, for all $j < i$, $M, s_j \models \varphi$
15. $M, s \models E[\varphi\ U\ \psi]$ iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ and some $s_i$ such that $M, s_i \models \psi$ and, for all $j < i$, $M, s_j \models \varphi$

  7. CTL Formula
AX(f): for all paths, f holds at the next state. $M, s \models AX\,f$ iff for all $s_1$ with $s \to s_1$, $M, s_1 \models f$.
EX(f): there is a path such that f holds at the next state. $M, s \models EX\,f$ iff there exists $s_1$ with $s \to s_1$ and $M, s_1 \models f$.

  8. CTL Formula
AG(f): for all paths, f holds at every state of the path. $M, s \models AG\,f$ iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ and all $s_i$ along the path, $M, s_i \models f$.
EG(f): there is a path along which f holds at every state. $M, s \models EG\,f$ iff there is a path $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$ such that for all $s_i$ along it, $M, s_i \models f$.
AF(f): for all paths, f holds eventually. $M, s \models AF\,f$ iff for all paths $s_1 \to s_2 \to s_3 \to \cdots$ with $s_1 = s$, there is some $s_i$ with $M, s_i \models f$.

  9. CTL Formula
EF(f): there is a path along which f holds eventually.
A(fUg): for all paths, f holds until g holds (g must eventually hold on every path).
E(fUg): there is a path along which f holds until g holds.

  10. Examples
1. For any state, if a request occurs, then it will eventually be acknowledged: $AG(\mathit{requested} \to AF\,\mathit{acknowledged})$
2. A process is enabled infinitely often on every computation path: $AG(AF\,\mathit{enabled})$
3. Whatever happens, a certain process will eventually be permanently deadlocked: $AF(AG\,\mathit{deadlock})$
4. From every state it is possible to get to a restart state: $AG(EF\,\mathit{restart})$

  11. Examples
• An upward-travelling elevator at the second floor does not change its direction when it has passengers wishing to go to the fifth floor: $AG(\mathit{floor2} \land \mathit{directionup} \land \mathit{ButtonPressed5} \to A[\mathit{directionup}\ U\ \mathit{floor5}])$
• The elevator can remain idle on the third floor with its door closed: $AG(\mathit{floor3} \land \mathit{idle} \land \mathit{doorclosed} \to EG(\mathit{floor3} \land \mathit{idle} \land \mathit{doorclosed}))$

  12. Mutual Exclusion: Implementation 2
[Figure: state-transition diagram of the second mutual-exclusion model. Each state is labelled with the status of the two processes ($n_i$: non-critical, $t_i$: trying, $c_i$: critical): $s_0$: $n_1 n_2$; $s_1$: $t_1 n_2$; $s_2$: $c_1 n_2$; $s_3$: $t_1 t_2$; $s_4$: $c_1 t_2$; $s_5$: $n_1 t_2$; $s_6$: $n_1 c_2$; $s_7$: $t_1 c_2$; $s_9$: $t_1 t_2$. The labelling $t_1 t_2$ occurs in two distinct states ($s_3$ and $s_9$).]

  13. Mutual Exclusion: Properties
1. Safety: only one process is in its critical section at a time. $AG\,\neg(c_1 \land c_2)$: Pass
2. Liveness: whenever a process requests to enter its critical section, it will eventually be permitted. $AG(t_1 \to AF\,c_1)$: Pass
3. Non-blocking: for every state satisfying $n_1$, there is a successor satisfying $t_1$. $AG(n_1 \to EX\,t_1)$: Pass
4. No strict sequencing: a process can enter its critical section twice without the other process entering in between. $EF(c_1 \land E[c_1\ U\ (\neg c_1 \land E[\neg c_2\ U\ c_1])])$: Pass

  14. Computation Tree Logic - Equivalence
• $\neg(\varphi \land \psi) \equiv (\neg\varphi \lor \neg\psi)$
• $\neg(\varphi \lor \psi) \equiv (\neg\varphi \land \neg\psi)$
• $\neg EF\,\varphi \equiv AG\,\neg\varphi$
• $\neg AF\,\varphi \equiv EG\,\neg\varphi$
• $\neg AX\,\varphi \equiv EX\,\neg\varphi$
• $AF\,\varphi \equiv A[\top\ U\ \varphi]$
• $EF\,\varphi \equiv E[\top\ U\ \varphi]$

  15. Computation Tree Logic - Equivalence
$AX\,\varphi \equiv \neg EX\,\neg\varphi$
$AF\,\varphi \equiv A[\top\ U\ \varphi]$
$EF\,\varphi \equiv E[\top\ U\ \varphi]$
$AG\,\varphi \equiv \neg EF\,\neg\varphi \equiv \neg E[\top\ U\ \neg\varphi]$
$EG\,\varphi \equiv \neg AF\,\neg\varphi \equiv \neg A[\top\ U\ \neg\varphi]$
Essential set: AU, EU, and EX

  16. Adequate Set of CTL Operators
Theorem: A set of temporal connectives in CTL is adequate if, and only if, it contains at least one of {AX, EX}, at least one of {EG, AF, AU}, and EU.

  17. Computation Tree Logic - Equivalence
$A[\varphi\ U\ \psi] \equiv \neg\big(E[\neg\psi\ U\ (\neg\varphi \land \neg\psi)] \lor EG\,\neg\psi\big)$
Proof:
$A[\varphi\ U\ \psi] \equiv \neg E[\neg\psi\ U\ (\neg\varphi \land \neg\psi)] \land AF\,\psi$ (no path lets $\varphi$ fail before $\psi$ holds, and $\psi$ holds eventually on every path)
$\equiv \neg E[\neg\psi\ U\ (\neg\varphi \land \neg\psi)] \land \neg EG\,\neg\psi$ (since $AF\,\psi \equiv \neg EG\,\neg\psi$)
$\equiv \neg\big(E[\neg\psi\ U\ (\neg\varphi \land \neg\psi)] \lor EG\,\neg\psi\big)$ (De Morgan)
This is the equivalence that lets a checker with only EX, EU and EG handle A[U].

  18. Other CTL Equivalence
Here $\varphi\ W\ \psi$ (weak until) is $\varphi\ U\ \psi$ without the requirement that $\psi$ ever holds, and $\varphi\ R\ \psi$ (release) requires $\psi$ to hold up to and including the first state where $\varphi$ holds, or forever if $\varphi$ never holds.
1. $A[\varphi\ R\ \psi] \equiv \neg E[\neg\varphi\ U\ \neg\psi]$
2. $E[\varphi\ R\ \psi] \equiv \neg A[\neg\varphi\ U\ \neg\psi]$
3. $A[\varphi\ W\ \psi] \equiv A[\psi\ R\ (\varphi \lor \psi)] \equiv \neg E[\neg\psi\ U\ \neg(\varphi \lor \psi)] \equiv \neg E[\neg\psi\ U\ (\neg\varphi \land \neg\psi)]$
4. $E[\varphi\ W\ \psi] \equiv E[\psi\ R\ (\varphi \lor \psi)] \equiv \neg A[\neg\psi\ U\ \neg(\varphi \lor \psi)] \equiv \neg A[\neg\psi\ U\ (\neg\varphi \land \neg\psi)]$

  19. Checking CTL Formula
1. Find all states at which the formula holds.
2. Determine whether all initial states are contained in that set.
Kripke structure: the variables labelling a state are true there, and the missing variables are false. Extend this labelling rule to include the formulae or subformulae that evaluate to true at the state.

  20. Checking CTL Formula
• Consider the AND and NOT operators.
• If both operand formulas are true at the state, the resulting AND formula is true at the state and is labelled there.
• If the operand formula is not true (in other words, it is missing at the state), then the resulting NOT formula is true and is labelled there.
• For the temporal operators, only EXf, E(fUg), and EG(f) need to be handled directly; the others are rewritten with the equivalences above.

  21. Checking CTL Formula
• Algorithm for checking AF(Φ)
input: a Kripke structure K and a CTL formula AF(Φ).
output: labelling of the states where AF(Φ) holds
Verify_AF(Φ): // check CTL formula AF(Φ)
  label AF(Φ) at every state already labelled Φ;
  repeat: for each state s of K, add the label AF(Φ) if every successor of s is labelled AF(Φ);
  until no new label is added

  22. Checking CTL Formula: AF
[Figure: a small Kripke structure showing the labelling steps. States labelled Φ receive AF Φ first; then each state all of whose successors already carry AF Φ is labelled AF Φ, until the labelling stabilises.]

  23. Checking CTL Formula
• Algorithm for checking EX(Φ)
input: a Kripke structure K and a CTL formula EX(Φ).
output: labelling of the states where EX(Φ) holds
Verify_EX(Φ): // check CTL formula EX(Φ)
  for each state s of K, add the label EX(Φ) if Φ is labelled at some successor of s

  24. Checking CTL Formula: EX
[Figure: a small Kripke structure in which the states labelled Φ are marked, and every state with at least one Φ-labelled successor is labelled EX Φ. A single pass suffices.]

  25. Checking CTL Formula
Algorithm for checking E(Φ U Ψ)
• Assume the formulas Φ and Ψ have already been verified (their labels are in place).
• E(Φ U Ψ) is true at a state if there is a path from the state to a Ψ-labelled state, and at every state along that partial path before it, Φ is labelled but Ψ is not.
• A state satisfies E(Φ U Ψ) if Ψ is labelled at the state, or Φ (but not Ψ) is labelled at the state and some successor is labelled either Ψ or E(Φ U Ψ). The labels are added repeatedly, working backwards from the Ψ-labelled states, until no new state qualifies.
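The labelling algorithms of slides 19 to 25, together with the equivalences of slides 14 to 17, are enough to build a complete explicit-state CTL checker. The following is an added example (not code from the lecture): it computes, bottom-up, the set of states satisfying each subformula, handles only EX, E[U] and EG directly (the adequate set of slide 16), and derives AX, AF, AG, EF and A[U] by rewriting. It then checks the four mutual-exclusion properties of slide 13 against the nine-state model of slide 12. The states and their labels are those on the slide; the transition relation is an assumption constructed for this example, since the slide residue shows only the labels.

```python
"""Explicit-state CTL model checker built from the labelling algorithm.

Added example (not from the slides): formulas are nested tuples, the
satisfying set of each subformula is computed bottom-up, and only EX,
E[. U .] and EG are computed directly; AX, AF, AG, EF and A[. U .] are
rewritten with the equivalences from the slides and then checked.
"""

# --- Kripke structure M = (S, ->, L) for mutual exclusion -----------------
# States and labels follow the slide; the transition relation is an
# assumption constructed for this example (the slide only shows labels).
STATES = ["s0", "s1", "s2", "s3", "s4", "s5", "s6", "s7", "s9"]
LABELS = {
    "s0": {"n1", "n2"}, "s1": {"t1", "n2"}, "s2": {"c1", "n2"},
    "s3": {"t1", "t2"}, "s4": {"c1", "t2"}, "s5": {"n1", "t2"},
    "s6": {"n1", "c2"}, "s7": {"t1", "c2"}, "s9": {"t1", "t2"},
}
TRANS = {  # assumed; total relation: every state has at least one successor
    "s0": {"s1", "s5"}, "s1": {"s2", "s3"}, "s2": {"s0", "s4"},
    "s3": {"s4"},       "s4": {"s5"},       "s5": {"s6", "s9"},
    "s6": {"s0", "s7"}, "s7": {"s1"},       "s9": {"s7"},
}
MODEL = (STATES, LABELS, TRANS)
INITIAL = {"s0"}

# --- formula constructors (nested tuples) ---------------------------------
def P(a):      return ("p", a)
def Not(f):    return ("not", f)
def And(f, g): return ("and", f, g)
def Or(f, g):  return ("or", f, g)
def Imp(f, g): return ("imp", f, g)
def EX(f):     return ("EX", f)
def EG(f):     return ("EG", f)
def EU(f, g):  return ("EU", f, g)
def AX(f):     return Not(EX(Not(f)))          # AX f  = ~EX ~f
def EF(f):     return EU(("true",), f)         # EF f  = E[T U f]
def AF(f):     return Not(EG(Not(f)))          # AF f  = ~EG ~f
def AG(f):     return Not(EF(Not(f)))          # AG f  = ~EF ~f
def AU(f, g):  # A[f U g] = ~( E[~g U (~f & ~g)] | EG ~g )   (slide 17)
    return Not(Or(EU(Not(g), And(Not(f), Not(g))), EG(Not(g))))

def pre_exists(model, y):
    """States with at least one successor in y (the EX labelling step)."""
    states, _, trans = model
    return {s for s in states if trans[s] & y}

def pre_forall(model, y):
    """States all of whose successors lie in y (the AX/AF labelling step)."""
    states, _, trans = model
    return {s for s in states if trans[s] <= y}

def sat(model, f):
    """Set of states of `model` at which the CTL formula f holds."""
    states, labels, _ = model
    all_states, op = set(states), f[0]
    if op == "true": return all_states
    if op == "p":    return {s for s in states if f[1] in labels[s]}
    if op == "not":  return all_states - sat(model, f[1])
    if op == "and":  return sat(model, f[1]) & sat(model, f[2])
    if op == "or":   return sat(model, f[1]) | sat(model, f[2])
    if op == "imp":  return (all_states - sat(model, f[1])) | sat(model, f[2])
    if op == "EX":   return pre_exists(model, sat(model, f[1]))
    if op == "EU":   # least fixpoint: start at g-states, walk backwards through f-states
        fs, y = sat(model, f[1]), sat(model, f[2])
        while True:
            new = y | (fs & pre_exists(model, y))
            if new == y: return y
            y = new
    if op == "EG":   # greatest fixpoint: keep f-states that can stay inside the set
        y = sat(model, f[1])
        while True:
            new = y & pre_exists(model, y)
            if new == y: return y
            y = new
    raise ValueError(f"unknown operator {op!r}")

def sat_AF_direct(model, f):
    """The slide's direct AF labelling: label s once every successor is labelled."""
    y = sat(model, f)
    while True:
        new = y | pre_forall(model, y)
        if new == y: return y
        y = new

def check(model, initial, f):
    """M |= f iff every initial state lies in the satisfying set of f."""
    return initial <= sat(model, f)

c1, c2, n1, t1 = P("c1"), P("c2"), P("n1"), P("t1")
PROPERTIES = {
    "safety":        AG(Not(And(c1, c2))),
    "liveness":      AG(Imp(t1, AF(c1))),
    "non-blocking":  AG(Imp(n1, EX(t1))),
    "no strict seq": EF(And(c1, EU(c1, And(Not(c1), EU(Not(c2), c1))))),
}

if __name__ == "__main__":
    for name, prop in PROPERTIES.items():
        print(f"{name:14s} {'Pass' if check(MODEL, INITIAL, prop) else 'Fail'}")
    print("AF c1 holds at", sorted(sat(MODEL, AF(c1))))
```

Two things worth checking when running it: the derived `AF(c1)` (via `~EG ~c1`) and the slide's direct `sat_AF_direct` labelling agree on every state, which is the equivalence of slide 15 observed numerically; and `AF c1` on its own fails at $s_0$, because a process that never leaves its non-critical section is never forced into the critical section, which is why the liveness property is guarded by $t_1$.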
