Lecture 2: Model-Checking Finite-State Systems (untimed systems)
Finite Automata, CTL, LTL and Model Checking

Finite state automata
Finite graphs with labels on edges/nodes:
- a set of nodes (states)
- a set of edges (transitions)
- a set of labels (alphabet)

Complete Systems and Kripke Structures
- From now on, we shall consider only complete systems, that is, automata with labels on nodes.
- There is no essential difference between models with labels on nodes and models with labels on transitions.
- This is the so-called Kripke structure, that is, an automaton whose states are labelled with atomic propositions.

CTL Models = Kripke Structures

Example
[Figure: a four-state Kripke structure with states 1, 2, 3, 4; state 1 is labelled p, state 2 is labelled p,q, state 3 is labelled q and state 4 is labelled p. The same structure is used in all the CTL examples below.]

CTL: Computation Tree Logic
Defined on the computation trees of Kripke structures.
Computation Tree Logic, CTL (Clarke & Emerson 1980)
Syntax: formulas are built from atomic propositions p, boolean connectives, and temporal operators prefixed by a path quantifier (E or A), as listed on the following slides.

Paths
- The set of paths starting in s: s -> s1 -> s2 -> s3 -> ...
[Figure: one path s, s1, s2, s3, ... with some of its states labelled p]

Formal Semantics
[Figure: the satisfaction relation for the CTL operators, given on the slide as a diagram]

CTL, Derived Operators
- EF p ("possible"): some path reaches a state satisfying p. In UPPAAL: E<> p
- AF p ("inevitable"): every path reaches a state satisfying p. In UPPAAL: A<> p
- EG p ("potentially always"): some path stays in states satisfying p forever. In UPPAAL: E[] p
- AG p ("always"): every reachable state satisfies p. In UPPAAL: A[] p
[Figure: computation trees illustrating each of the four operators]

There are too many operators! But we need to remember only the following:
- the path quantifiers E (for some path) and A (for all paths)
- X (neXt time), F (Future, some time), G (Global), U (Until)
- The most useful combinations are EF, AG, EG and AF.
Theorem
All operators are derivable from
- EX f
- EG f
- E[ f U g ]
and boolean connectives. In particular,

  A[ f U g ] ≡ ¬E[ ¬g U (¬f ∧ ¬g) ] ∧ ¬EG ¬g

(Every path satisfies f U g unless some path reaches a state where both f and g are false before g has held, or some path avoids g forever.)

Example: EX p
[Figure: the four-state structure with the states satisfying EX p (those having a successor labelled p) marked]

Example: AX p
[Figure: the four-state structure with the states satisfying AX p (all of whose successors are labelled p) marked]
Note: state 1 does not satisfy AX p.
Example: EG p
[Figure: the four-state structure with the states satisfying EG p marked]

Example: AG p
[Figure: the four-state structure with the states satisfying AG p marked]

Example: A[ p U q ]
[Figure: the four-state structure with the states satisfying A[ p U q ] marked]
Properties of the MUTEX example?
- AG ¬(C1 ∧ C2)   (mutual exclusion: the two processes are never in their critical sections at the same time)
- AG[ T1 ⇒ AF(C1) ]   (no starvation: a process that is trying eventually enters its critical section)
- ¬EG[ C1 ]   (process 1 cannot stay in its critical section forever)
- AG[ C1 ⇒ A[ C1 U (¬C1 ∧ A[ ¬C1 U C2 ]) ] ]   (strict alternation: after process 1 leaves its critical section, process 2 enters before process 1 re-enters)
[Figure: reachable state graph of the two-process mutex example; each state is labelled with the local states I (idle), T (trying) or C (critical) of processes 1 and 2 and the value of the turn variable t = 0 or t = 1]

HOW TO DECIDE IN GENERAL?
CTL Model Checking Algorithms

Labeling Methods [Clarke et al 81]
- Check all sub-formulas of F
- For each sub-formula f of F, label all nodes where f is true
- Check the composed formulas, bottom-up: the label sets of the sub-formulas are combined according to the outermost operator

Algorithm ideas for checking E(f U g)
- Mark all nodes where f is true and all nodes where g is true
- Start from all nodes where g is true (Q = g) and
- perform backwards reachability analysis
- Each step backwards, add to Q all nodes where f is true that have a successor in Q
- Repeat the above step until it converges
- Q contains all nodes satisfying E(f U g)
[Figure: the set Q grows from Q = g by adding f-nodes one backward step at a time]
Algorithm ideas for checking A(f U g)
- Similar to the case for E(f U g)
- But each step backwards, add to Q only those nodes where f (or g) is true all of whose successors already lie in Q, i.e. nodes that cannot lead to a node outside Q:

    Q := Q ∪ ({ s | ∀s'. (s, s') ∈ R ⇒ s' ∈ Q } ∩ Sat(f))

- Repeat the above step until it converges
- Q contains all nodes satisfying A(f U g)
- Note: the condition ∀s'. (s, s') ∈ R ⇒ s' ∈ Q is vacuously true in a node without successors, so the transition relation must be total (every node has a successor) for the result to be meaningful
[Figure: Q grows from Q = g by adding f-nodes whose successors are all inside Q; a node that also leads to a node marked not(f) outside Q is not added]

Fixed points of monotonic functions
- Let τ be a function on sets of states, τ : 2^S → 2^S
- Say τ is monotonic when x ⊆ y implies τ(x) ⊆ τ(y)
- A fixed point of τ is a y such that τ(y) = y
- If τ is monotonic, then it has
  - a least fixed point μy.τ(y)
  - a greatest fixed point νy.τ(y)

Fixpoint Characterizations
- EF p ≡ p ∨ EX EF p
- or: let A be the set of states satisfying EF p; then A ≡ p ∨ EX A
- in fact A is the smallest of the sets satisfying this equation (the least fixpoint)

Iteratively computing fixed points
- Suppose S is finite
- The least fixed point μy.τ(y) is the limit of the increasing series false ⊆ τ(false) ⊆ τ(τ(false)) ⊆ ...
- The greatest fixed point νy.τ(y) is the limit of the decreasing series true ⊇ τ(true) ⊇ τ(τ(true)) ⊇ ...
- Note: since S is finite, both series converge after finitely many steps

Example: EF p
- EF p is characterized by EF p = μy.(p ∨ EX y)
- Thus it is the limit of the increasing series p, p ∨ EX p, p ∨ EX(p ∨ EX p), ...
Example: EG p
- EG p is characterized by EG p = νy.(p ∧ EX y)
- Thus it is the limit of the decreasing series p, p ∧ EX p, p ∧ EX(p ∧ EX p), ...

Example, continued: EF q = μy.(q ∨ EX y) on the four-state structure
- A0 = ∅
- A1 = {2, 3}
- A2 = {1, 2, 3}
- A3 = {1, 2, 3}
A3 = A2, so the iteration has converged: EF q holds in states 1, 2 and 3 and fails in state 4.

Remaining operators
- AF p = μy.(p ∨ AX y)
- AG p = νy.(p ∧ AX y)
- E(p U q) = μy.(q ∨ (p ∧ EX y))
- A(p U q) = μy.(q ∨ (p ∧ AX y))

Complexity
- However, S_sys may be EXPONENTIAL in the number of parallel components!
- Fixpoint computations may be carried out using ROBDDs (Reduced Ordered Binary Decision Diagrams), Bryant 86

Something more about Finite State Automata and Temporal Logics (Continuation of Lecture 2)

Branching time semantics
- The computation tree of an automaton is the unfolding of the automaton
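The labeling method and the fixpoint characterisations above, worked out in code. This is an added example, not code from the lecture: a small CTL checker in which every operator is reduced to the set transformers EX and AX plus a least or greatest fixpoint iterated on the finite lattice of state sets, exactly as the slides describe. The transition relation of the four-state example is an assumption (the figure is not reproduced here), chosen so that the results quoted on the slides come out (state 1 does not satisfy AX p; the EF q iteration is ∅, {2,3}, {1,2,3}, {1,2,3}); the derived-operator check verifies the theorem's identity for A[f U g] on that structure.

```python
"""CTL model checking on a finite Kripke structure by the labeling method:
every operator is reduced to the set transformers EX / AX and to least or
greatest fixpoints iterated on the finite lattice of state sets."""
from typing import Callable, Dict, FrozenSet, Iterable, List, Set, Tuple, Union

State = int
States = FrozenSet[State]
# A formula is an atomic proposition (str) or a tuple (operator, operand, ...),
# e.g. ("AU", "p", "q") for A[ p U q ] and ("AG", ("implies", "p", "q")).
Formula = Union[str, tuple]


class Kripke:
    """States, a total transition relation and a labelling of states with propositions."""

    def __init__(self, states: Iterable[State], trans: Iterable[Tuple[State, State]],
                 labels: Dict[State, Set[str]]):
        self.states: States = frozenset(states)
        self.labels = labels
        self.succ: Dict[State, States] = {s: frozenset() for s in self.states}
        for u, v in trans:
            self.succ[u] = self.succ[u] | {v}
        # The relation must be total: a deadlocked state would make AX y (and hence
        # AG/AF/AU) vacuously true there, which is why Kripke structures are "complete".
        assert all(self.succ[s] for s in self.states), "transition relation must be total"

    def sat(self, p: str) -> States:
        """Sat(p): the states labelled with the proposition p."""
        return frozenset(s for s in self.states if p in self.labels[s])

    def ex(self, y: States) -> States:
        """EX y: states with at least one successor in y."""
        return frozenset(s for s in self.states if self.succ[s] & y)

    def ax(self, y: States) -> States:
        """AX y: states all of whose successors are in y."""
        return frozenset(s for s in self.states if self.succ[s] <= y)

    def lfp(self, tau: Callable[[States], States]) -> List[States]:
        """Least fixpoint of a monotonic tau, as the increasing chain
        A0 = false, A1 = tau(A0), A2 = tau(A1), ... up to the first repetition."""
        chain = [frozenset()]
        while True:
            chain.append(tau(chain[-1]))
            if chain[-1] == chain[-2]:
                return chain

    def gfp(self, tau: Callable[[States], States]) -> List[States]:
        """Greatest fixpoint, as the decreasing chain true, tau(true), tau(tau(true)), ..."""
        chain = [self.states]
        while True:
            chain.append(tau(chain[-1]))
            if chain[-1] == chain[-2]:
                return chain


def check(m: Kripke, f: Formula) -> States:
    """Labeling algorithm: the set of states of m satisfying f, computed bottom-up
    over the sub-formulas with the fixpoint characterisations of the lecture."""
    if isinstance(f, str):
        return m.sat(f)
    op, sub = f[0], [check(m, g) for g in f[1:]]
    if op == "not":     return m.states - sub[0]
    if op == "and":     return sub[0] & sub[1]
    if op == "or":      return sub[0] | sub[1]
    if op == "implies": return (m.states - sub[0]) | sub[1]
    if op == "EX":      return m.ex(sub[0])
    if op == "AX":      return m.ax(sub[0])
    if op == "EF":      return m.lfp(lambda y: sub[0] | m.ex(y))[-1]             # mu y. p or EX y
    if op == "AF":      return m.lfp(lambda y: sub[0] | m.ax(y))[-1]             # mu y. p or AX y
    if op == "EG":      return m.gfp(lambda y: sub[0] & m.ex(y))[-1]             # nu y. p and EX y
    if op == "AG":      return m.gfp(lambda y: sub[0] & m.ax(y))[-1]             # nu y. p and AX y
    if op == "EU":      return m.lfp(lambda y: sub[1] | (sub[0] & m.ex(y)))[-1]  # mu y. q or (p and EX y)
    if op == "AU":      return m.lfp(lambda y: sub[1] | (sub[0] & m.ax(y)))[-1]  # mu y. q or (p and AX y)
    raise ValueError(f"unknown operator {op!r}")


def derived_au(f: Formula, g: Formula) -> Formula:
    """A[f U g] written with the primitive operators only (theorem of the lecture):
    A[f U g] == not E[not g U (not f and not g)] and not EG not g."""
    return ("and",
            ("not", ("EU", ("not", g), ("and", ("not", f), ("not", g)))),
            ("not", ("EG", ("not", g))))


def ef_chain(m: Kripke, p: str) -> List[States]:
    """The iterates A0, A1, ... of EF p = mu y. (p or EX y)."""
    return m.lfp(lambda y: m.sat(p) | m.ex(y))


# The lecture's four-state example: labels 1:{p}, 2:{p,q}, 3:{q}, 4:{p}. The edges are an
# assumption (the figure did not survive), chosen to match the results quoted on the slides.
EXAMPLE = Kripke(
    states=[1, 2, 3, 4],
    trans=[(1, 2), (1, 3), (2, 4), (3, 1), (4, 4)],
    labels={1: {"p"}, 2: {"p", "q"}, 3: {"q"}, 4: {"p"}},
)

if __name__ == "__main__":
    for name, f in [("EX p", ("EX", "p")), ("AX p", ("AX", "p")), ("EG p", ("EG", "p")),
                    ("AG p", ("AG", "p")), ("A[p U q]", ("AU", "p", "q"))]:
        print(f"{name:10} holds in {sorted(check(EXAMPLE, f))}")
    print("EF q iterates:", [sorted(a) for a in ef_chain(EXAMPLE, "q")])
    assert check(EXAMPLE, ("AU", "p", "q")) == check(EXAMPLE, derived_au("p", "q"))
```

The chains returned by `lfp` and `gfp` are the series from the "Iteratively computing fixed points" slide; on a real model checker they would be computed symbolically (ROBDDs), but the termination argument is the same: the lattice of subsets of a finite S has no infinite strictly increasing or decreasing chain.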
Example (Branching Time)
[Figure: an automaton with transitions labelled a and b, and its unfolding into a computation tree]

Linear Time Semantics
- Sequences of transitions (or states)
- The set of possible executions of a system
- Suits closed systems best

Example (Linear Time)
[Figure: the same automaton and the set of its linear executions, i.e. sequences over a and b]

Equivalences and Preorders
- A is equivalent to B if the tree of A is identical to the tree of B (too strong!)
- A is simulated by B if every transition of A is simulated by a transition of B (simulation [Milner78])
- A and B are bisimilar if there is a symmetrical simulation between A's and B's states (bisimulation [Milner80])
- A and B are testing equivalent if they can pass the same set of tests (may and must testing [De Nicola and Hennessy 84])
- A and B are trace-equivalent if they provide the same set of sequences of transitions (trace equivalence [Hoare76])

Models: Infinite Sequences (ω-languages accepted by automata)
- Automata with accepting conditions
- Büchi, Muller automata
- Infinite accepted sequences of transitions as the semantics of automata

LTL: Linear Time Logic
Defined on infinite traces of Kripke structures with accepting conditions.
LTL: Syntax
- P   (atomic proposition)
- not F
- F1 and F2
- O F   (next time)
- F1 U F2   (until)

LTL: Semantics
- Assume an automaton M
- A sequence of M: t = s(0) -> s(1) -> s(2) -> ... -> s(i) -> ...
- The set of sequences of M is Comp(M)
- s(i) sat p          if p is a label of s(i)
- s(i) sat not F      if not (s(i) sat F)
- s(i) sat F1 and F2  if s(i) sat F1 and s(i) sat F2
- s(i) sat O F        if s(i+1) sat F
- s(i) sat F1 U F2    if s(k) sat F2 for some k >= i and s(j) sat F1 for all j such that i <= j < k

LTL: Semantics (cont.)
- t sat F iff s(0) sat F
- M sat F iff t sat F for all sequences t in Comp(M)

Derived Operators
- <>F denotes (true U F)   (eventually)
- []F denotes not (<> not F)   (always)
- F1 W F2 denotes (F1 U F2) or []F1   (weak until: F1 may hold forever without F2 ever occurring)

Model Checking LTL [Wolper et al 1986]
Given an automaton M and a formula F, to check M sat F:
- Construct the formula automaton A(¬F), a Büchi automaton accepting exactly the sequences that violate F
- Construct the product automaton M || A(¬F) (on-the-fly)
- If the language of M || A(¬F) is empty then M sat F; otherwise NO, and any sequence accepted by the product is a counterexample
- Time complexity: |M| · 2^O(|F|)
- The same idea can be used for CTL model checking, using tree automata

Comparing CTL and LTL
- <> p (LTL) is similar to AF p (CTL)
- [] p (LTL) is similar to AG p (CTL)
However,
- LTL cannot express possibility properties such as EF p
- CTL cannot express <>[] p
- CTL* = LTL + CTL
Comparing CTL and LTL (cont.): Why?
[Figure: a computation tree whose branches are labelled p, ¬p, p, ¬p, ... such that every path eventually satisfies p forever, yet there is no subtree in which p is true everywhere]
- The structure satisfies <>[] p, but it does not satisfy AF AG p

END (Finite State Untimed Systems)
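The automata-theoretic check of the Wolper et al. slide, and the <>[] p versus AF AG p example, carried out in code. This is an added example, not from the lecture. The Kripke structure is constructed here to match the description of the figure (every path eventually stays in p-states, but no state satisfies AG p from the start); the Büchi automaton for ¬(<>[] p) = []<>¬p is hand-built for this one formula, since the general formula-to-automaton construction is not shown on the slides. The product M || A(¬F) is explored on the fly by a nested depth-first search for a reachable accepting cycle; an accepting lasso found in a variant structure is then evaluated against the lecture's LTL semantics on ultimately periodic paths to confirm it is a genuine counterexample.

```python
"""LTL model checking of a finite Kripke structure by the automata-theoretic method:
a (hand-built) Buchi automaton for the negated formula, an on-the-fly product and a
nested depth-first search for a reachable accepting cycle."""
from typing import Dict, FrozenSet, List, Optional, Tuple

State = str
Labels = Dict[State, FrozenSet[str]]
Trans = Dict[State, List[State]]

# Constructed Kripke structure (an assumption standing in for the lecture's figure):
# a path may stay in s0 (p) forever or move s0 -> s1 (not p) -> s2 (p) and stay there.
# Every path eventually sees p forever, so M sat <>[]p; yet on the path that stays in
# s0 no state ever satisfies AG p (s1 stays reachable), so M does not satisfy AF AG p.
M_TRANS: Trans = {"s0": ["s0", "s1"], "s1": ["s2"], "s2": ["s2"]}
M_LABELS: Labels = {"s0": frozenset({"p"}), "s1": frozenset(), "s2": frozenset({"p"})}
M_INIT: State = "s0"
# Variant with an extra edge s2 -> s1: now p can fail infinitely often.
M2_TRANS: Trans = {"s0": ["s0", "s1"], "s1": ["s2"], "s2": ["s2", "s1"]}


class BuchiNotEventuallyAlwaysP:
    """Hand-built Buchi automaton A(not F) for F = <>[]p, i.e. for []<>(not p).
    Reading a state labelled without p enters the accepting state "acc"; reading p
    leaves it. A run is accepting iff "acc" is visited infinitely often, i.e. iff
    not-p is read infinitely often, which is exactly a violation of <>[]p."""
    init = "q"
    accepting = frozenset({"acc"})

    @staticmethod
    def step(q: str, letter: FrozenSet[str]) -> str:
        return "acc" if "p" not in letter else "q"


def find_accepting_lasso(trans: Trans, labels: Labels, init: State, aut
                         ) -> Optional[Tuple[List[State], List[State]]]:
    """Nested DFS over the product M || A(not F), built on the fly: the outer search
    visits product states depth-first; when it backtracks from an accepting product
    state, the inner search looks for a cycle back to it. Returns a counterexample
    lasso (prefix, cycle) of Kripke states, or None if the product is empty."""
    def succ(ps):
        s, q = ps
        return [(t, aut.step(q, labels[t])) for t in trans[s]]

    start = (init, aut.step(aut.init, labels[init]))
    seen_outer, seen_inner = set(), set()

    def inner(seed, ps, path):
        for nxt in succ(ps):
            if nxt == seed:
                return path + [nxt]
            if nxt not in seen_inner:
                seen_inner.add(nxt)
                found = inner(seed, nxt, path + [nxt])
                if found:
                    return found
        return None

    def outer(ps, path):
        seen_outer.add(ps)
        for nxt in succ(ps):
            if nxt not in seen_outer:
                found = outer(nxt, path + [nxt])
                if found:
                    return found
        if ps[1] in aut.accepting:                 # post-order: look for an accepting cycle
            cycle = inner(ps, ps, [])
            if cycle is not None:
                return [s for s, _ in path], [s for s, _ in cycle]
        return None

    return outer(start, [start])


def ltl_model_check(trans: Trans, labels: Labels, init: State, aut_of_negation):
    """M sat F iff M || A(not F) accepts nothing; otherwise the accepted lasso is a counterexample."""
    lasso = find_accepting_lasso(trans, labels, init, aut_of_negation)
    return lasso is None, lasso


# --- LTL semantics of the lecture on an ultimately periodic path prefix . cycle^omega ---
def eventually(f):
    return ("U", "true", f)                        # <>F  =  true U F

def always(f):
    return ("not", eventually(("not", f)))         # []F  =  not <> not F


def ltl_holds(f, prefix: List[State], cycle: List[State], labels: Labels) -> bool:
    """s(0) sat f on the infinite path prefix . cycle^omega, by the semantic clauses."""
    n, m = len(prefix), len(cycle)

    def state(k: int) -> State:                    # positions past the prefix wrap around the cycle
        return prefix[k] if k < n else cycle[(k - n) % m]

    def sat(g, k: int) -> bool:
        if g == "true":
            return True
        if isinstance(g, str):
            return g in labels[state(k)]
        op = g[0]
        if op == "not":
            return not sat(g[1], k)
        if op == "and":
            return sat(g[1], k) and sat(g[2], k)
        if op == "O":
            return sat(g[1], k + 1)
        if op == "U":                              # every position reachable from k occurs within n + m steps
            for j in range(k, k + n + m):
                if sat(g[2], j):
                    return True
                if not sat(g[1], j):
                    return False
            return False
        raise ValueError(f"unknown operator {op!r}")

    return sat(f, 0)


if __name__ == "__main__":
    for name, trans in [("M", M_TRANS), ("M2", M2_TRANS)]:
        ok, lasso = ltl_model_check(trans, M_LABELS, M_INIT, BuchiNotEventuallyAlwaysP)
        print(f"{name} sat <>[]p: {ok}", "" if ok else f"counterexample {lasso}")
        if lasso:
            print("  counterexample violates <>[]p:", not ltl_holds(eventually(always("p")), *lasso, M_LABELS))
```

The emptiness check is what makes the method practical: the product is never materialised, only the states the search actually reaches, which is why the slide says "on-the-fly". For the first structure the only accepting product state (s1 paired with "acc") lies on no cycle, so the product is empty and M sat <>[] p; in the variant the search returns the lasso s0 s1 (s2 s1)^ω, on which p fails infinitely often.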