model checking
play

Model Checking Lecture #14: Fairness [Baier & Katoen, Chapter - PowerPoint PPT Presentation

Apr 18, 2023 •1.28k likes •2.33k views

Model Checking Lecture #14: Fairness [Baier & Katoen, Chapter 3.5, 5.1.6, 6.5] Joost-Pieter Katoen Software Modeling and Verification Group Model Checking Course, RWTH Aachen, WiSe 2019/2020 Joost-Pieter Katoen Lecture#14 1/62 Overview

  1. Fairness and Safety Properties Overview The Relevance of Fairness 1 Fairness Assumptions 2 Fairness and Safety Properties 3 LTL Model Checking Under Fairness 4 CTL Fairness Assumptions 5 CTL Model Checking Under Fairness 6 Summary 7 Joost-Pieter Katoen Lecture#14 18/62

  2. Fairness and Safety Properties Realisable Fairness Definition: realisable fairness Fairness assumption fair is realisable for transition system TS if for any reachable state s : FairPaths fair ( s ) ≠ ∅ . A fairness assumption is realisable for TS if every initial finite path fragment of TS can be completed to a fair run. Joost-Pieter Katoen Lecture#14 19/62

  3. Fairness and Safety Properties The Fairness Suffix Property For any (infinite) fair path π , it holds 1. all suffixes of π are fair too. 2. any finite path extended by π is fair. Proof. Rather straightforward. Joost-Pieter Katoen Lecture#14 20/62

  4. Fairness and Safety Properties Realisable Fairness and Safety Safety properties are preserved under realisable fairness For transition system TS and safety property E safe (both over AP ) and fair a realisable fairness assumption for TS : TS ⊧ E safe if and only if TS ⊧ fair E safe . Proof. Joost-Pieter Katoen Lecture#14 21/62

  5. Fairness and Safety Properties Realisable Fairness and Safety Safety properties are preserved under realisable fairness For transition system TS and safety property E safe (both over AP ) and fair a realisable fairness assumption for TS : TS ⊧ E safe if and only if TS ⊧ fair E safe . Proof. Non-realisable fairness may harm safety properties. Shown by example. Joost-Pieter Katoen Lecture#14 21/62

  6. LTL Model Checking Under Fairness Overview The Relevance of Fairness 1 Fairness Assumptions 2 Fairness and Safety Properties 3 LTL Model Checking Under Fairness 4 CTL Fairness Assumptions 5 CTL Model Checking Under Fairness 6 Summary 7 Joost-Pieter Katoen Lecture#14 22/62

  7. LTL Model Checking Under Fairness The Fair LTL Model-Checking Problem Given: 1. a finite transition system TS 2. an LTL formula ϕ , and 3. an LTL fairness assumption fair Question: does TS ⊧ fair ϕ ? Joost-Pieter Katoen Lecture#14 23/62

  8. LTL Model Checking Under Fairness Fair LTL Model Checking For transition system TS , LTL formula ϕ and LTL fairness assumption fair : TS ⊧ ( fair → ϕ ) if and only if TS ⊧ fair ϕ ��������������������������������������������������������������� ����������������������������������������������������������������������������������������������������������� fair LTL model checking LTL model checking Joost-Pieter Katoen Lecture#14 24/62

  9. LTL Model Checking Under Fairness Fair LTL Model Checking For transition system TS , LTL formula ϕ and LTL fairness assumption fair : TS ⊧ ( fair → ϕ ) if and only if TS ⊧ fair ϕ ��������������������������������������������������������������� ����������������������������������������������������������������������������������������������������������� fair LTL model checking LTL model checking The fair LTL model-checking problem for ϕ under fairness assumption fair can be reduced to the LTL model-checking problem for fair → ϕ . Joost-Pieter Katoen Lecture#14 24/62

  10. LTL Model Checking Under Fairness Fair LTL Model Checking For transition system TS , LTL formula ϕ and LTL fairness assumption fair : TS ⊧ ( fair → ϕ ) if and only if TS ⊧ fair ϕ ��������������������������������������������������������������� ����������������������������������������������������������������������������������������������������������� fair LTL model checking LTL model checking The fair LTL model-checking problem for ϕ under fairness assumption fair can be reduced to the LTL model-checking problem for fair → ϕ . This approach is not applicable to CTL (as we will discuss) Joost-Pieter Katoen Lecture#14 24/62

  11. LTL Model Checking Under Fairness Which Fairness Notion? ▶ Fairness constraints aim to rule out “unreasonable” runs Joost-Pieter Katoen Lecture#14 25/62

  12. LTL Model Checking Under Fairness Which Fairness Notion? ▶ Fairness constraints aim to rule out “unreasonable” runs ▶ Too strong? reasonable runs ruled out. Verification result: ⇒ ▶ “false”: error found ▶ “true”: don’t know as some relevant execution may refute it Joost-Pieter Katoen Lecture#14 25/62

  13. LTL Model Checking Under Fairness Which Fairness Notion? ▶ Fairness constraints aim to rule out “unreasonable” runs ▶ Too strong? reasonable runs ruled out. Verification result: ⇒ ▶ “false”: error found ▶ “true”: don’t know as some relevant execution may refute it ▶ Too weak? ⇒ too many runs considered. Verification result: ▶ “true”: formula holds ▶ “false”: don’t know, as refutation maybe due to an unreasonable run Joost-Pieter Katoen Lecture#14 25/62

  14. LTL Model Checking Under Fairness Which Fairness Notion? ▶ Fairness constraints aim to rule out “unreasonable” runs ▶ Too strong? reasonable runs ruled out. Verification result: ⇒ ▶ “false”: error found ▶ “true”: don’t know as some relevant execution may refute it ▶ Too weak? ⇒ too many runs considered. Verification result: ▶ “true”: formula holds ▶ “false”: don’t know, as refutation maybe due to an unreasonable run Rules of thumb: ▶ strong (or unconditional) fairness is useful for solving contentions ▶ weak fairness is useful to resolve unfair scheduling of threads Joost-Pieter Katoen Lecture#14 25/62

  15. CTL Fairness Assumptions Overview The Relevance of Fairness 1 Fairness Assumptions 2 Fairness and Safety Properties 3 LTL Model Checking Under Fairness 4 CTL Fairness Assumptions 5 CTL Model Checking Under Fairness 6 Summary 7 Joost-Pieter Katoen Lecture#14 26/62

  16. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if Joost-Pieter Katoen Lecture#14 27/62

  17. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if ▶ An analogous approach for CTL is not possible Joost-Pieter Katoen Lecture#14 27/62

  18. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if ▶ An analogous approach for CTL is not possible ▶ Formulas form ∀ ( fair → ϕ ) and ∃ ( fair ∧ ϕ ) needed Joost-Pieter Katoen Lecture#14 27/62

  19. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if ▶ An analogous approach for CTL is not possible ▶ Formulas form ∀ ( fair → ϕ ) and ∃ ( fair ∧ ϕ ) needed ▶ But: boolean combinations of path formulae are not allowed in CTL Joost-Pieter Katoen Lecture#14 27/62

  20. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if ▶ An analogous approach for CTL is not possible ▶ Formulas form ∀ ( fair → ϕ ) and ∃ ( fair ∧ ϕ ) needed ▶ But: boolean combinations of path formulae are not allowed in CTL ▶ and: strong fairness constraint □ ◇ b → □ ◇ c , i.e., ◇ □ ¬ b ∨ ◇ □ c cannot be expressed in CTL as persistence properties are not in CTL Joost-Pieter Katoen Lecture#14 27/62

  21. CTL Fairness Assumptions Fairness Constraints in CTL ▶ For LTL it holds: TS ⊧ fair ϕ TS ⊧ ( fair → ϕ ) if and only if ▶ An analogous approach for CTL is not possible ▶ Formulas form ∀ ( fair → ϕ ) and ∃ ( fair ∧ ϕ ) needed ▶ But: boolean combinations of path formulae are not allowed in CTL ▶ and: strong fairness constraint □ ◇ b → □ ◇ c , i.e., ◇ □ ¬ b ∨ ◇ □ c cannot be expressed in CTL as persistence properties are not in CTL ▶ Solution: change the semantics of CTL by ignoring unfair paths Joost-Pieter Katoen Lecture#14 27/62

  22. CTL Fairness Assumptions CTL Fairness Constraints Definition: CTL fairness constraints A strong CTL fairness constraint is a formula of the form: ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTL state-formulas over AP . Joost-Pieter Katoen Lecture#14 28/62

  23. CTL Fairness Assumptions CTL Fairness Constraints Definition: CTL fairness constraints A strong CTL fairness constraint is a formula of the form: ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTL state-formulas over AP . Weak and unconditional CTL fairness constraints are defined similarly, e.g.: ⋀ ⋀ □ ◇ Ψ i ( ◇ □ Φ i → □ ◇ Ψ i ) . and ufair = wfair = 0 < i ≤ k 0 < i ≤ k Joost-Pieter Katoen Lecture#14 28/62

  24. CTL Fairness Assumptions CTL Fairness Constraints Definition: CTL fairness constraints A strong CTL fairness constraint is a formula of the form: ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTL state-formulas over AP . Weak and unconditional CTL fairness constraints are defined similarly, e.g.: ⋀ ⋀ □ ◇ Ψ i ( ◇ □ Φ i → □ ◇ Ψ i ) . and ufair = wfair = 0 < i ≤ k 0 < i ≤ k Definition: CTL fairness assumption A CTL fairness assumption is a conjunction of ufair , sfair and wfair . Joost-Pieter Katoen Lecture#14 28/62

  25. CTL Fairness Assumptions CTL Fairness Constraints Definition: CTL fairness constraints A strong CTL fairness constraint is a formula of the form: ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTL state-formulas over AP . Weak and unconditional CTL fairness constraints are defined similarly, e.g.: ⋀ ⋀ □ ◇ Ψ i ( ◇ □ Φ i → □ ◇ Ψ i ) . and ufair = wfair = 0 < i ≤ k 0 < i ≤ k Definition: CTL fairness assumption A CTL fairness assumption is a conjunction of ufair , sfair and wfair . A CTL fairness constraint is an LTL formula over CTL state formulas. Φ i and Ψ i are interpreted by the standard (unfair) CTL semantics Joost-Pieter Katoen Lecture#14 28/62

  26. CTL Fairness Assumptions Semantics of Fair CTL For CTL fairness assumption fair , relation ⊧ fair is defined by: iff a ∈ L ( s ) s ⊧ fair a ¬ ( s ⊧ fair Φ ) s ⊧ fair ¬ Φ iff iff ( s ⊧ fair Φ ) ∨ ( s ⊧ fair Ψ ) s ⊧ fair Φ ∨ Ψ s ⊧ fair ∃ ϕ iff π ⊧ fair ϕ for some fair path π that starts in s iff π ⊧ fair ϕ for all fair paths π that start in s s ⊧ fair ∀ ϕ iff π [ 1 ] ⊧ fair Φ π ⊧ fair ◯ Φ iff ( ∃ j ≥ 0 . π [ j ] ⊧ fair Ψ and ( ∀ 0 ≤ i < j . π [ i ] ⊧ fair Φ )) π ⊧ fair Φ U Ψ π is a fair path iff π ⊧ LTL fair for CTL fairness assumption fair Joost-Pieter Katoen Lecture#14 29/62

  27. CTL Fairness Assumptions Transition System Semantics ▶ For CTL-state-formula Φ, and fairness assumption fair , the satisfaction set Sat fair ( Φ ) is defined by: Sat fair ( Φ ) = { s ∈ S ∣ s ⊧ fair Φ } ▶ TS satisfies CTL-formula Φ iff Φ holds in all its initial states: TS ⊧ fair Φ if and only if ∀ s 0 ∈ I . s 0 ⊧ fair Φ ▶ This is equivalent to I ⊆ Sat fair ( Φ ) Joost-Pieter Katoen Lecture#14 30/62

  28. CTL Fairness Assumptions Example: An Arbiter for Mutual Exclusion ⊧ ( ∀ □ ∀◇ crit 1 ) ∧ ( ∀ □ ∀◇ crit 2 ) TS 1 ∥ Arbiter ∥ TS 2 / But: TS 1 ∥ Arbiter ∥ TS 2 ⊧ fair ∀ □ ∀◇ crit 1 ∧ ∀ □ ∀◇ crit 2 with fair = □ ◇ head ∧ □ ◇ tail Joost-Pieter Katoen Lecture#14 31/62

  29. CTL Fairness Assumptions Example Joost-Pieter Katoen Lecture#14 32/62

  30. CTL Fairness Assumptions Example Joost-Pieter Katoen Lecture#14 33/62

  31. CTL Model Checking Under Fairness Overview The Relevance of Fairness 1 Fairness Assumptions 2 Fairness and Safety Properties 3 LTL Model Checking Under Fairness 4 CTL Fairness Assumptions 5 CTL Model Checking Under Fairness 6 Summary 7 Joost-Pieter Katoen Lecture#14 34/62

  32. CTL Model Checking Under Fairness The Fair CTL Model-Checking Problem Given: 1. a finite transition system TS 2. an CTL state-formula 1 Φ, and 3. a CTL fairness assumption fair Question: does TS ⊧ fair Φ? 1 Assumed to be in existential normal form. Joost-Pieter Katoen Lecture#14 35/62

  33. CTL Model Checking Under Fairness The Fair CTL Model-Checking Problem Given: 1. a finite transition system TS 2. an CTL state-formula 1 Φ, and 3. a CTL fairness assumption fair Question: does TS ⊧ fair Φ? use recursive descent à la CTL to determine Sat fair ( Φ ) using as much as possible standard CTL model-checking algorithms 1 Assumed to be in existential normal form. Joost-Pieter Katoen Lecture#14 35/62

  34. CTL Model Checking Under Fairness Treating Strong CTL Fairness Constraints ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) ▶ Let strong CTL fairness constraint: sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTLstate-formulas over AP Joost-Pieter Katoen Lecture#14 36/62

  35. CTL Model Checking Under Fairness Treating Strong CTL Fairness Constraints ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) ▶ Let strong CTL fairness constraint: sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTLstate-formulas over AP ▶ Replace the CTL state-formulas in sfair by fresh atomic propositions: ⋀ ( □ ◇ a i → □ ◇ b i ) sfair ∶ = 0 < i ≤ k ▶ where a i ∈ L ( s ) if and only if s ∈ Sat ( Φ i ) (not Sat fair ( Φ i ) ) ▶ . . . b i ∈ L ( s ) if and only if s ∈ Sat ( Ψ i ) (not Sat fair ( Ψ i ) ) Joost-Pieter Katoen Lecture#14 36/62

  36. CTL Model Checking Under Fairness Treating Strong CTL Fairness Constraints ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) ▶ Let strong CTL fairness constraint: sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTLstate-formulas over AP ▶ Replace the CTL state-formulas in sfair by fresh atomic propositions: ⋀ ( □ ◇ a i → □ ◇ b i ) sfair ∶ = 0 < i ≤ k ▶ where a i ∈ L ( s ) if and only if s ∈ Sat ( Φ i ) (not Sat fair ( Φ i ) ) ▶ . . . b i ∈ L ( s ) if and only if s ∈ Sat ( Ψ i ) (not Sat fair ( Ψ i ) ) ▶ For unconditional and weak fairness this goes similarly Joost-Pieter Katoen Lecture#14 36/62

  37. CTL Model Checking Under Fairness Treating Strong CTL Fairness Constraints ⋀ ( □ ◇ Φ i → □ ◇ Ψ i ) ▶ Let strong CTL fairness constraint: sfair = 0 < i ≤ k where Φ i and Ψ i (for 0 < i ≤ k ) are CTLstate-formulas over AP ▶ Replace the CTL state-formulas in sfair by fresh atomic propositions: ⋀ ( □ ◇ a i → □ ◇ b i ) sfair ∶ = 0 < i ≤ k ▶ where a i ∈ L ( s ) if and only if s ∈ Sat ( Φ i ) (not Sat fair ( Φ i ) ) ▶ . . . b i ∈ L ( s ) if and only if s ∈ Sat ( Ψ i ) (not Sat fair ( Ψ i ) ) ▶ For unconditional and weak fairness this goes similarly ▶ Note: π ⊧ fair iff π [ j .. ] ⊧ fair for some j ≥ 0 iff π [ j .. ] ⊧ fair for all j ≥ 0 Joost-Pieter Katoen Lecture#14 36/62

  38. CTL Model Checking Under Fairness Some Useful Results For CTL fairness assumption fair and a , a ′ ∈ AP it holds: 1. s ⊧ fair ∃◯ a iff ∃ s ′ ∈ Post ( s ) with s ′ ⊧ a and FairPaths fair ( s ′ ) / = ∅ 2. s ⊧ fair ∃ ( a U a ′ ) if and only if there exists a finite path fragment s 0 s 1 s 2 . . . s n − 1 s n ∈ Paths ∗ ( s ) with n ≥ 0 such that s i ⊧ a for 0 ≤ i < n , s n ⊧ a ′ , and FairPaths fair ( s n ) / = ∅ . Proof. On the black board. Joost-Pieter Katoen Lecture#14 37/62

  39. CTL Model Checking Under Fairness Example Joost-Pieter Katoen Lecture#14 38/62

  40. CTL Model Checking Under Fairness Fair Path Existence s ⊧ fair ∃ □ true . FairPaths fair ( s ) / if and only if = ∅ Joost-Pieter Katoen Lecture#14 39/62

  41. CTL Model Checking Under Fairness Fair Path Existence s ⊧ fair ∃ □ true . FairPaths fair ( s ) / if and only if = ∅ Example Joost-Pieter Katoen Lecture#14 39/62

  42. CTL Model Checking Under Fairness Basic Model-Checking Algorithm for Fair CTL ▶ Determine Sat fair ( ∃ □ true ) = { s ∈ S ∣ FairPaths fair ( s ) / = ∅ } Joost-Pieter Katoen Lecture#14 40/62

  43. CTL Model Checking Under Fairness Basic Model-Checking Algorithm for Fair CTL ▶ Determine Sat fair ( ∃ □ true ) = { s ∈ S ∣ FairPaths fair ( s ) / = ∅ } ▶ Introduce an atomic proposition a fair and adjust labeling where: s ∈ Sat fair ( ∃ □ true ) ▶ a fair ∈ L ( s ) if and only if Joost-Pieter Katoen Lecture#14 40/62

  44. CTL Model Checking Under Fairness Basic Model-Checking Algorithm for Fair CTL ▶ Determine Sat fair ( ∃ □ true ) = { s ∈ S ∣ FairPaths fair ( s ) / = ∅ } ▶ Introduce an atomic proposition a fair and adjust labeling where: s ∈ Sat fair ( ∃ □ true ) ▶ a fair ∈ L ( s ) if and only if ▶ Compute the sets Sat fair ( Ψ ) for all sub-formulas Ψ of Φ (in ENF) by: Sat fair ( a ) { s ∈ S ∣ a ∈ L ( s ) } = Sat fair ( ¬ a ) S \ Sat fair ( a ) = Sat fair ( a ∧ a ′ ) Sat fair ( a ) ∩ Sat fair ( a ′ ) = Sat fair ( ∃◯ a ) Sat ( ∃◯ ( a ∧ a fair )) = Sat ( ∃ ( a U ( a ′ ∧ a fair ))) Sat fair ( ∃ ( a U a ′ )) = Sat fair ( ∃ □ a ) = . . . . . . Joost-Pieter Katoen Lecture#14 40/62

  45. CTL Model Checking Under Fairness Basic Model-Checking Algorithm for Fair CTL ▶ Determine Sat fair ( ∃ □ true ) = { s ∈ S ∣ FairPaths fair ( s ) / = ∅ } ▶ Introduce an atomic proposition a fair and adjust labeling where: s ∈ Sat fair ( ∃ □ true ) ▶ a fair ∈ L ( s ) if and only if ▶ Compute the sets Sat fair ( Ψ ) for all sub-formulas Ψ of Φ (in ENF) by: Sat fair ( a ) { s ∈ S ∣ a ∈ L ( s ) } = Sat fair ( ¬ a ) S \ Sat fair ( a ) = Sat fair ( a ∧ a ′ ) Sat fair ( a ) ∩ Sat fair ( a ′ ) = Sat fair ( ∃◯ a ) Sat ( ∃◯ ( a ∧ a fair )) = Sat ( ∃ ( a U ( a ′ ∧ a fair ))) Sat fair ( ∃ ( a U a ′ )) = Sat fair ( ∃ □ a ) = . . . . . . ▶ Thus: model checking CTL under fairness constraints is ▶ CTL model checking + algorithm for computing Sat fair ( ∃ □ a ) Joost-Pieter Katoen Lecture#14 40/62

  46. CTL Model Checking Under Fairness Model Checking CTL with Fairness Model checking CTL with fairness can be done by combining ▶ the model-checking algorithm for CTL (without fairness), and ▶ an algorithm for computing Sat fair ( ∃ □ a ) for a ∈ AP . Joost-Pieter Katoen Lecture#14 41/62

  47. CTL Model Checking Under Fairness Model Checking CTL with Fairness Model checking CTL with fairness can be done by combining ▶ the model-checking algorithm for CTL (without fairness), and ▶ an algorithm for computing Sat fair ( ∃ □ a ) for a ∈ AP . As ∃ □ true is a special case of ∃ □ a , an algorithm for Sat fair ( ∃ □ a ) can be used for Sat fair ( ∃ □ true ) Joost-Pieter Katoen Lecture#14 41/62

  48. CTL Model Checking Under Fairness Basic Fair CTL Algorithm Joost-Pieter Katoen Lecture#14 42/62

  49. CTL Model Checking Under Fairness Characterising Sat fair ( ∃□ a ) sfair = ⋀ s ⊧ sfair ∃ □ a ( □ ◇ a i → □ ◇ b i ) where 0 < i ≤ k iff there exists a finite path fragment s 0 . . . s n and a cycle s ′ 0 . . . s ′ r with: s n = s ′ 0 = s ′ 1. s 0 = s and r 2. s i ⊧ a , for any 0 ≤ i ≤ n , and s ′ j ⊧ a , for any 0 ≤ j ≤ r , and 3. Sat ( a i ) ∩ { s ′ 1 , . . . , s ′ r } = ∅ or Sat ( b i ) ∩ { s ′ 1 , . . . , s ′ r } / = ∅ for 0 < i ≤ k Proof. Next slide. Joost-Pieter Katoen Lecture#14 43/62

  50. CTL Model Checking Under Fairness Proof Joost-Pieter Katoen Lecture#14 44/62

  51. CTL Model Checking Under Fairness Computing Sat fair ( ∃□ a ) ▶ Consider only state s if s ⊧ a , otherwise eliminate s ▶ consider TS [ a ] = ( S ′ , Act , → ′ , I ′ , AP , L ′ ) with S ′ = Sat ( a ) , ▶ → ′ = → ∩ ( S ′ × Act × S ′ ) , I ′ = I ∩ S ′ , and L ′ ( s ) = L ( s ) for s ∈ S ′ ⇒ each infinite path fragment in TS [ a ] satisfies □ a 2 This is not necessarily an SCC (a maximal strongly-connected set). Joost-Pieter Katoen Lecture#14 45/62

  52. CTL Model Checking Under Fairness Computing Sat fair ( ∃□ a ) ▶ Consider only state s if s ⊧ a , otherwise eliminate s ▶ consider TS [ a ] = ( S ′ , Act , → ′ , I ′ , AP , L ′ ) with S ′ = Sat ( a ) , ▶ → ′ = → ∩ ( S ′ × Act × S ′ ) , I ′ = I ∩ S ′ , and L ′ ( s ) = L ( s ) for s ∈ S ′ ⇒ each infinite path fragment in TS [ a ] satisfies □ a ⋀ ▶ Let fair = ( □ ◇ a i → □ ◇ b i ) 0 < i ≤ k 2 This is not necessarily an SCC (a maximal strongly-connected set). Joost-Pieter Katoen Lecture#14 45/62

  53. CTL Model Checking Under Fairness Computing Sat fair ( ∃□ a ) ▶ Consider only state s if s ⊧ a , otherwise eliminate s ▶ consider TS [ a ] = ( S ′ , Act , → ′ , I ′ , AP , L ′ ) with S ′ = Sat ( a ) , ▶ → ′ = → ∩ ( S ′ × Act × S ′ ) , I ′ = I ∩ S ′ , and L ′ ( s ) = L ( s ) for s ∈ S ′ ⇒ each infinite path fragment in TS [ a ] satisfies □ a ⋀ ▶ Let fair = ( □ ◇ a i → □ ◇ b i ) 0 < i ≤ k ▶ s ⊧ fair ∃ □ a iff s can reach a strongly connected node-set 2 D in TS [ a ] with: D ∩ Sat ( a i ) = ∅ D ∩ Sat ( b i ) / or = ∅ for 0 < i ≤ k (*) ▶ Sat fair ( ∃ □ a ) = { s ∈ S ∣ Reach TS [ a ] ( s ) ∩ T / = ∅ } ▶ T is the union of all SCCs C that contain D satisfying (*) 2 This is not necessarily an SCC (a maximal strongly-connected set). Joost-Pieter Katoen Lecture#14 45/62

  54. CTL Model Checking Under Fairness Example Computing Sat fair ( ∃ □ a ) by analysing the digraph G a of TS [ a ] Joost-Pieter Katoen Lecture#14 46/62

  55. CTL Model Checking Under Fairness Example Joost-Pieter Katoen Lecture#14 47/62

  56. CTL Model Checking Under Fairness ∃□ a under Unconditional Fairness ⋀ □ ◇ b i Let ufair = 0 < i ≤ k Let T be the set union of all non-trivial SCCs C of TS [ a ] satisfying C ∩ Sat ( b i ) / = ∅ for all 0 < i ≤ k Joost-Pieter Katoen Lecture#14 48/62

  57. CTL Model Checking Under Fairness ∃□ a under Unconditional Fairness ⋀ □ ◇ b i Let ufair = 0 < i ≤ k Let T be the set union of all non-trivial SCCs C of TS [ a ] satisfying C ∩ Sat ( b i ) / = ∅ for all 0 < i ≤ k It now follows: s ⊧ ufair ∃ □ a Reach TS [ a ] ( s ) ∩ T / if and only if = ∅ ⇒ T can be determined by a depth-first search procedure Joost-Pieter Katoen Lecture#14 48/62

  58. CTL Model Checking Under Fairness Example Joost-Pieter Katoen Lecture#14 49/62

  59. CTL Model Checking Under Fairness ∃□ a Under One Strong Fairness Constraint ▶ sfair = □ ◇ a 1 → □ ◇ b 1 , i.e., k = 1 Joost-Pieter Katoen Lecture#14 50/62

  60. CTL Model Checking Under Fairness ∃□ a Under One Strong Fairness Constraint ▶ sfair = □ ◇ a 1 → □ ◇ b 1 , i.e., k = 1 ▶ s ⊧ sfair ∃ □ a iff C is a non-trivial SCC in TS [ a ] reachable from s with: 1. C ∩ Sat ( b 1 ) / = ∅ , or 2. D ∩ Sat ( a 1 ) = ∅ , for some non-trivial SCC D in C Joost-Pieter Katoen Lecture#14 50/62

  61. CTL Model Checking Under Fairness ∃□ a Under One Strong Fairness Constraint ▶ sfair = □ ◇ a 1 → □ ◇ b 1 , i.e., k = 1 ▶ s ⊧ sfair ∃ □ a iff C is a non-trivial SCC in TS [ a ] reachable from s with: 1. C ∩ Sat ( b 1 ) / = ∅ , or 2. D ∩ Sat ( a 1 ) = ∅ , for some non-trivial SCC D in C ▶ D is a non-trivial SCC in the graph that is obtained from C [ ¬ a 1 ] Joost-Pieter Katoen Lecture#14 50/62

  62. CTL Model Checking Under Fairness ∃□ a Under One Strong Fairness Constraint ▶ sfair = □ ◇ a 1 → □ ◇ b 1 , i.e., k = 1 ▶ s ⊧ sfair ∃ □ a iff C is a non-trivial SCC in TS [ a ] reachable from s with: 1. C ∩ Sat ( b 1 ) / = ∅ , or 2. D ∩ Sat ( a 1 ) = ∅ , for some non-trivial SCC D in C ▶ D is a non-trivial SCC in the graph that is obtained from C [ ¬ a 1 ] ▶ For T the union of non-trivial SCCs in satisfying (1) and (2): s ⊧ sfair ∃ □ a Reach TS [ a ] ( s ) ∩ T / if and only if = ∅ Joost-Pieter Katoen Lecture#14 50/62

  63. CTL Model Checking Under Fairness ∃□ a Under One Strong Fairness Constraint ▶ sfair = □ ◇ a 1 → □ ◇ b 1 , i.e., k = 1 ▶ s ⊧ sfair ∃ □ a iff C is a non-trivial SCC in TS [ a ] reachable from s with: 1. C ∩ Sat ( b 1 ) / = ∅ , or 2. D ∩ Sat ( a 1 ) = ∅ , for some non-trivial SCC D in C ▶ D is a non-trivial SCC in the graph that is obtained from C [ ¬ a 1 ] ▶ For T the union of non-trivial SCCs in satisfying (1) and (2): s ⊧ sfair ∃ □ a Reach TS [ a ] ( s ) ∩ T / if and only if = ∅ For several strong fairness constraints ( k > 1), this is applied recursively T is determined by standard graph analysis (DFS) Joost-Pieter Katoen Lecture#14 50/62

  64. CTL Model Checking Under Fairness Example: One Strong Fairness Constraint Joost-Pieter Katoen Lecture#14 51/62

  65. CTL Model Checking Under Fairness Example: One Strong Fairness Constraint Joost-Pieter Katoen Lecture#14 52/62

  66. CTL Model Checking Under Fairness Example: One Strong Fairness Constraint Joost-Pieter Katoen Lecture#14 53/62

  67. CTL Model Checking Under Fairness Example: Two Strong Fairness Constraints Joost-Pieter Katoen Lecture#14 54/62

  68. CTL Model Checking Under Fairness Example: Two Strong Fairness Constraints Joost-Pieter Katoen Lecture#14 55/62

  69. CTL Model Checking Under Fairness Algorithm CheckFair is a recursive procedure over the k strong fairness constraints Basically an SCC analysis per fairness constraint. Time complexity: O (∣ TS ∣ ⋅ ∣ fair ∣) . Joost-Pieter Katoen Lecture#14 56/62

  70. CTL Model Checking Under Fairness CheckFair Algorithm (for completeness) Joost-Pieter Katoen Lecture#14 57/62

  71. CTL Model Checking Under Fairness Time complexity The CTL model-checking problem under fairness assumption fair can be solved in O (∣ Φ ∣ ⋅ ∣ TS ∣ ⋅ ∣ fair ∣) . Proof. Follows from the complexity O (∣ Φ ∣ ⋅ ∣ TS ∣) of CTL model checking Joost-Pieter Katoen Lecture#14 58/62

  72. Summary Overview The Relevance of Fairness 1 Fairness Assumptions 2 Fairness and Safety Properties 3 LTL Model Checking Under Fairness 4 CTL Fairness Assumptions 5 CTL Model Checking Under Fairness 6 Summary 7 Joost-Pieter Katoen Lecture#14 59/62

  73. Summary Model Checking Complexity CTL ∗ CTL LTL model PTIME PSPACE PSPACE checking ∣ TS ∣ ⋅ ∣ Φ ∣ ∣ TS ∣ ⋅ exp (∣ ϕ ∣) ∣ TS ∣ ⋅ exp (∣ Φ ∣) algorithmic complexity ∣ TS ∣ ⋅ ∣ Φ ∣ ⋅ ∣ fair ∣ ∣ TS ∣ ⋅ exp (∣ ϕ ∣ + ∣ fair ∣) ∣ TS ∣ ⋅ exp (∣ Φ ∣ + ∣ fair ∣) with fairness All theoretical complexity indications are complete. Joost-Pieter Katoen Lecture#14 60/62

Recommend

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking

Statistical Statistical Statistical Model Statistical Model Model Checking Model Checking Checking Checking for Timed Automata Timed Automata Coll C l C ll b llabora orators: t ors: Peter Bulychev, Alexandre David Axel Legay, Marius

725 views • 59 slides
Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree

Hoare Logic and Model Checking Model Checking Lecture 11: Model checking for Computation Tree Logic Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge

402 views • 25 slides
Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model

Bounded Model Checking bmc Revision: 1.11 1 [BiereCimattiClarkeZhu99] uses SAT for model checking historically not the first symbolic model checking approach scales better than original BDD based techniques mostly incomplete in

521 views • 28 slides
CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms

CTL Chapter 6 Part 2 Overview Review CTL Model Checking CTL model Checking algorithms for ( U ) Counter Examples and witnesses Symbolic Model Checking (Thursday) Binary Decision Trees

740 views • 40 slides
Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of

Hoare Logic and Model Checking Model Checking But perhaps theres a clever way of compiling one into the other? Both have very different models of time How do they compare? We have seen two widely used temporal logics Relative

510 views • 10 slides
Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL

Hoare Logic and Model Checking 1. You should be able to model simple systems in NuSMV, an LTL Other interesting books: Model Checking by Clarke, Grumberg, and Peled Principles of Model Checking by Baier and Katoen 3 Course

636 views • 11 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

777 views • 31 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

628 views • 34 slides
Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and

Software Model Checking Using Bogor Software Model Checking Using Bogor a Modular and Extensible Model Checking Framework a Modular and Extensible Model Checking Framework 3rd Estonian Summer School in Computer and System Science

301 views • 8 slides
Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is

Modeling and Analyzing Concurrent Systems using Model Checking Robert B. France 1 What is Model Checking? Model checking is an automated technique that, given a finite-state model of a system and a logical property , systematically

484 views • 36 slides
Model Checking: the Interval Way Alberto Molinari ( j.w. with L. Bozzelli, A. Montanari, A. Peron,

Model Checking: the Interval Way Alberto Molinari ( j.w. with L. Bozzelli, A. Montanari, A. Peron,

Model Checking: the Interval Way Alberto Molinari ( j.w. with L. Bozzelli, A. Montanari, A. Peron, P. Sala ) University of Udine Department of Mathematics, Computer Science, and Physics (DMIF) July 27, 2018 MODEL CHECKING Model checking : the

701 views • 38 slides
Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking

Automated Reasoning LTL Model Checking Alan Bundy Automated Reasoning LTL Model Checking Lecture 9, page 1 Introduction So far we have looked at theorem proving Powerful, especially where good sets of rewrite rules or decision procedures

639 views • 26 slides
Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic

Hoare Logic and Model Checking Model Checking Lecture 7: Introduction and background Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group, University of Cambridge Academic year

972 views • 41 slides
Hoare Logic and Model Checking Model Checking See NuSMV homepage to download: http://nusmv.fbk.eu/

Hoare Logic and Model Checking Model Checking See NuSMV homepage to download: http://nusmv.fbk.eu/

Hoare Logic and Model Checking Model Checking See NuSMV homepage to download: http://nusmv.fbk.eu/ Was popular in semiconductor industry via Cadence SMV Could handle large models A re-implementation of the SMV model checker: Good

110 views • 10 slides
Probabilisti tic Model Checking in Practi tice Dave Parker Oxford University

Probabilisti tic Model Checking in Practi tice Dave Parker Oxford University

Probabilisti tic Model Checking in Practi tice Dave Parker Oxford University Computing Laboratory Quantitative Model Checking PhD School, Copenhagen, March 2010 Overview Tool support for probabilistic model checking The PRISM

317 views • 14 slides
Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic

Hoare Logic and Model Checking Model Checking Lecture 10: Computation Tree Logic (CTL) Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge Academic year

1.15k views • 48 slides
Towards efficient model checking for variants of ATL under different semantics Wojciech Penczek

Towards efficient model checking for variants of ATL under different semantics Wojciech Penczek

Specification of Strategic Abilities in ATL* Model checking Multi-Valued ATL* Partial order reductions for sATL* Simpler strategies for Timed ATL Conclusions Towards efficient model checking for variants of ATL under different semantics

1.1k views • 88 slides
Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr

Model Checking in Systems Biology s Brim and Milan ska and David Lubo Ce Safr anek Masaryk University Czech Republic SFM 2013 1/150 Outline Introduction 1 LTL Model Checking 2 Parallel LTL Model Checking 3 Discrete

2.18k views • 199 slides
Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model

Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model

Introduction to Model Checking Radu Mateescu Inria Univ. Grenoble Alpes LIG What is model checking? Model checking is the method by which a desired behavioral property of a reactive system is verified over a given system (the model )

606 views • 32 slides
Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems

Model Checking Finite State Finite State Model Checking Finite State Systems Informationsteknologi System Description A No! Debugging Information TOOL TOOL Yes, Requirement F Prototypes C T L Executable Code Test sequences Tools:

637 views • 34 slides
Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas

Context-Bounded Model Checking of LTL Properties for ANSI-C Software Jeremy Morse, Lucas Cordeiro, Bernd Fischer, Denis Nicole Model Checking C Model checking: normally applied to formal state transition systems checks safety and

439 views • 17 slides
Model checking perhaps the most important part of applied statistical modelling Simon Wood

Model checking perhaps the most important part of applied statistical modelling Simon Wood

Model checking perhaps the most important part of applied statistical modelling Simon Wood Model checking Checking validation! As with detection function, checking is important Want to know the model conforms to assumptions What

524 views • 26 slides
SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl

SMT-based Software Model Checking: Experimental Comparison of Four Algorithms Matthias Dangl Joint work with Dirk Beyer University of Passau, Germany SMT-based Software Model Checking Bounded Model Checking ( Cbmc , CPAchecker , Esbmc ,

496 views • 26 slides
Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker

Concurrency in Go Behavioural type inference Model checking behavioural types Termination checking Summary Static verification framework for Go Overview 2 Model checking Behavioural mCRL2 model checker Types Transform Check safety and

681 views • 67 slides

More recommend