Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking
ELEC-E8110 Automation Systems Synthesis and Analysis
Igor Buzhinsky, igor.buzhinskii@aalto.fi, 2018
Igor Buzhinsky, Lecture 5, 2018, 1 / 28
Symbolic model checking
Motivation
- State spaces can be very large
- If there are ten 32-bit integer variables, how many states can the system have potentially? 2^320 ≈ 2.1 · 10^96
- This is the so-called "state explosion" problem
- A PC can probably handle (store in memory and process) only about 10^9 states...
- Can we avoid explicit construction of the state graph?
State subsets as Boolean constraints (1)
- Can you specify the set of reachable states as a Boolean formula? p ∨ q
- What about only initial states? p ⊕ q = (p ∧ ¬q) ∨ (¬p ∧ q)
State subsets as Boolean constraints (2)
- What about the transition relation?
- p, q: values on this step; p′, q′: values on the next step
- Quiz: specify the transition relation for the Kripke structure on the left as a Boolean formula
  (p ∧ ¬q → q′ ∧ ¬p′) ∧ (q ∧ ¬p → p′ ∧ q′) ∧ (p ∧ q → p′)
- Alternative way: (p ∧ ¬q ∧ q′ ∧ ¬p′) ∨ (q ∧ ¬p ∧ p′ ∧ q′) ∨ (p ∧ q ∧ p′)
Model checking with Boolean constraints?
- Assume that our Kripke structure has atomic propositions p_1, ..., p_n
- Boolean constraints f_init[p_1, ..., p_n] and f_trans[p_1, ..., p_n, p′_1, ..., p′_n]
- How to model-check g = AG h, where h is a Boolean formula?
- Compute a sequence of formulae f_i: the set of states reachable in at most i steps
  f_0 := f_init;
  f_i := f_{i−1} ∨ remove_primes(∃ p_1, ..., p_n : f_{i−1} ∧ f_trans)
- If f_i ∧ ¬h is satisfiable, then g is false
- If at some point f_i and f_{i−1} become equivalent, we can stop the procedure and conclude that g is true
- How to perform all these symbolic operations efficiently? There are binary decision diagrams (BDDs), a reduced form of decision trees
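As an added worked example (not from the slides), the fixpoint procedure above run in Python over the transition relation from the previous slide: formulas are Python predicates over assignments, ∃ is done by Shannon expansion, remove_primes is a renaming, and the satisfiability and equivalence oracles simply enumerate the 2^n assignments (real tools use BDDs or SAT solvers for that step). The three-state structure is reconstructed from the slide's formulas, since the figure is not on the page.

```python
from itertools import product
# Formulas are Python predicates over an assignment dict {variable: bool}.
# Constructed example: the Kripke structure encoded by the slide's formulas over p, q and next-step p', q'.
VARS = ["p", "q"]
def f_init(a):
    return a["p"] != a["q"]                      # p xor q
def f_trans(a):
    p, q, p1, q1 = a["p"], a["q"], a["p'"], a["q'"]
    return ((not (p and not q) or (q1 and not p1)) and
            (not (q and not p) or (p1 and q1)) and
            (not (p and q) or p1))
def exists(var, f):
    # Existential quantification by Shannon expansion: f[var:=0] or f[var:=1].
    return lambda a: f({**a, var: False}) or f({**a, var: True})
def remove_primes(f):
    # Rename p' -> p so the image is again a constraint over current-step variables.
    return lambda a: f({v + "'": a[v] for v in VARS})
def image(f):
    # remove_primes(exists p_1..p_n : f and f_trans): one-step successors of the set f.
    g = lambda a: f(a) and f_trans(a)
    for v in VARS:
        g = exists(v, g)
    return remove_primes(g)

def assignments():
    for bits in product([False, True], repeat=len(VARS)):
        yield dict(zip(VARS, bits))
def satisfiable(f):
    return any(f(a) for a in assignments())
def equivalent(f, g):
    return all(f(a) == g(a) for a in assignments())
def states(f):
    # Explicit view of a symbolic set (for inspection only).
    return frozenset(tuple(a[v] for v in VARS) for a in assignments() if f(a))

def check_ag(h):
    # Verdict and iteration count for g = AG h, following the slide's fixpoint loop.
    f_prev, i = f_init, 0
    while True:
        if satisfiable(lambda a: f_prev(a) and not h(a)):
            return False, i                      # a reachable state violates h
        f_cur = (lambda fp, im: lambda a: fp(a) or im(a))(f_prev, image(f_prev))
        i += 1
        if equivalent(f_cur, f_prev):
            return True, i                       # fixpoint: every reachable state satisfies h
        f_prev = f_cur
```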
Example of a BDD
- Solid arrows: variable is true; dashed arrows: variable is false
- If in the end we come to 1, then the formula is true for our assignment; if we come to 0, it is false
- Which function is encoded in this BDD?
NuSMV model checker