Model checking
Raúl Monroy

Verification by model checking
- Model checking is based on temporal logic.
- A formula is not statically true or false in a model: the notion of truth is dynamic, and formulae may change their truth values as the system evolves.
- Models are transition systems.
Verification by model checking
- To verify that a system satisfies a property:
  1. Model the system using the description language of the model checker, obtaining a model M.
  2. Code the property using the specification language, resulting in a formula Φ.
  3. Run the model checker with inputs M and Φ.
Temporal logics
- Linear-time logics
- Branching-time logics
  - Useful in modelling non-deterministic computations
- Time: continuous or discrete
- CTL: time is branching and discrete
Syntax
- CTL formulas are defined inductively via a Backus Naur form:
  Φ ::= ⊥ | ⊤ | p | (¬Φ) | (Φ ∧ Φ) | AX Φ | EX Φ | A[Φ U Φ] | E[Φ U Φ] | AG Φ | AF Φ | EF Φ
  where p ranges over atomic formulas.

Syntax
- AX, EX, AG, EG, AU, EU, AF and EF are called temporal connectives.
- Each temporal connective is a pair of symbols:
  - 1st symbol of the pair: A (along All paths) or E (along at least one path, i.e. there Exists a path)
  - 2nd symbol of the pair: X (neXt state), G (all future states, Globally), U (Until) and F (some Future state)
- AU and EU are binary.
- X, G, U and F cannot occur independently.
- ¬, AG, AF, AX (and the other unary temporal connectives) bind most tightly. Next come ∧ and ∨, and after that →, AU and EU.
Syntax
Well-formed CTL formulas:
- EG r
- AG (q → EG r)
- AG q → EG r
- A[r U q]
- EF E[r U q]
- A[p U EF r]

Syntax
- AG AF r
- A[p1 U A[p2 U p3]]
- E[A[p1 U p2] U p3]
- AG (p → A[p U (¬p ∧ A[¬p U q])])

Syntax
Not well-formed CTL formulas:
- FG r
- A ¬G ¬p
- F[r U q]
- EF [r U q]
- AEF r
- AF [(r U q) ∧ (r U q)]
Parse tree of a CTL formula
- A subformula of a CTL formula Φ is any formula ψ whose parse tree is a subtree of Φ's parse tree.
- (Figure: the parse tree of A[AX ¬p U E[EX (p ∧ q) U ¬p]], rooted at AU, with the subtrees AX ¬p and E[EX (p ∧ q) U ¬p].)
Semantics of CTL
- (Figure: a model with three states, labelled p, q; q, r; and r.)
- A concise presentation of a model M as a directed graph, whose nodes are states containing all the propositional atoms which are true in that particular state.
Deadlock treatment
- A model M is given by (S, →, L).
- (Figure: states S0, S1, S2, S3, S4.) A system with a state S4 that does not have any further transitions.

Deadlock treatment
- (Figure: states S0, S1, S2, S3, S4 and Sd.) An expanded system with a 'deadlock' state Sd such that no state can deadlock; of course, it is then our understanding that reaching the 'deadlock' state corresponds to deadlock in the original system.
Satisfaction relation, ⊨
Let M = (S, →, L). Given any s in S, whether a CTL formula Φ holds in state s, written M, s ⊨ Φ, is defined as follows:
1. M, s ⊨ ⊤ and M, s ⊭ ⊥, for every s ∈ S
2. M, s ⊨ p iff p ∈ L(s)
3. M, s ⊨ ¬Φ iff M, s ⊭ Φ
4. M, s ⊨ Φ1 ∧ Φ2 iff M, s ⊨ Φ1 and M, s ⊨ Φ2
5. M, s ⊨ Φ1 ∨ Φ2 iff M, s ⊨ Φ1 or M, s ⊨ Φ2
6. M, s ⊨ Φ1 → Φ2 iff M, s ⊭ Φ1 or M, s ⊨ Φ2
7. M, s ⊨ AX Φ iff for all s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, AX says: 'in every next state'.
8. M, s ⊨ EX Φ iff for some s1 such that s → s1 we have M, s1 ⊨ Φ. Thus, EX says: 'in some next state'.
9. M, s ⊨ AG Φ holds iff for all paths s1 → s2 → s3 → …, where s1 equals s, and all si along the path, we have M, si ⊨ Φ. Mnemonically: for all computation paths beginning in s, the property Φ holds globally.
10. M, s ⊨ EG Φ holds iff there is a path s1 → s2 → s3 → …, where s1 equals s, such that for all si along the path we have M, si ⊨ Φ. Mnemonically: there Exists a path beginning in s such that Φ holds globally along the path.
11. M, s ⊨ AF Φ holds iff for all paths s1 → s2 → …, where s1 equals s, there is some si such that M, si ⊨ Φ. Mnemonically: for all computation paths beginning in s there will be some future state where Φ holds.
Semantics of CTL
- (Figure: the three-state model above, states S0, S1, S2, unwound into a tree.) Unwinding the system of figure 3.2 as an infinite tree of all computation paths beginning in a particular state.

Semantics of CTL
- (Figure) A system whose starting state satisfies EF Φ
- (Figure) A system whose starting state satisfies EG Φ

Semantics of CTL
- (Figure) A system whose starting state satisfies AG Φ
- (Figure) A system whose starting state satisfies AF Φ

Semantics of CTL
- (Figure) A system with four states
- (Figure) Another system with four states
Equivalences in CTL
- Two CTL formulas Φ and ψ are said to be semantically equivalent if any state in any model which satisfies one of them also satisfies the other; we denote this by Φ ≡ ψ.

Equivalences in CTL
- Noteworthy are the following:
  - AG Φ ≡ Φ ∧ AX AG Φ
  - EG Φ ≡ Φ ∧ EX EG Φ
  - AF Φ ≡ Φ ∨ AX AF Φ
  - EF Φ ≡ Φ ∨ EX EF Φ
  - A[Φ U ψ] ≡ ψ ∨ (Φ ∧ AX A[Φ U ψ])
  - E[Φ U ψ] ≡ ψ ∨ (Φ ∧ EX E[Φ U ψ])
Mutual exclusion
- (Figure: states n1 n2, t1 n2, c1 n2, t1 t2, c1 t2, n1 t2, n1 c2, t1 c2; the transitions are not preserved.) The first modelling attempt.
Mutual exclusion
- Four properties:
  1. Safety: Φ1 =def AG ¬(c1 ∧ c2)
  2. Liveness: Φ2 =def AG (t1 → AF c2)
  3. Non-blocking: Φ3 =def AG (n1 → EX t1)
  4. No strict sequencing: Φ4 =def EF (c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])])
Mutual exclusion
- (Figure: states n1 n2, t1 n2, c1 n2, t1 t2, c1 t2, n1 t2, a second t1 t2, n1 c2, t1 c2; the transitions are not preserved.) The second modelling attempt.
Labelling algorithm
- INPUT: a CTL model M = (S, →, L) and a CTL formula Φ
- OUTPUT: the set of states of M which satisfy Φ
Labelling algorithm
- ⊥: then no state is labelled with ⊥
- p: then label s with p if p ∈ L(s)
- ψ1 ∧ ψ2: label s with ψ1 ∧ ψ2 if s is already labelled both with ψ1 and with ψ2
- ¬ψ1: label s with ¬ψ1 if s is not already labelled with ψ1
Labelling algorithm
- AF ψ1:
  - If any state s is labelled with ψ1, label it with AF ψ1
  - Repeat: label any state with AF ψ1 if all its successor states are labelled with AF ψ1, until there is no change

Labelling algorithm
- E[ψ1 U ψ2]:
  - If any state s is labelled with ψ2, label it with E[ψ1 U ψ2]
  - Repeat: label any state with E[ψ1 U ψ2] if it is labelled with ψ1 and at least one of its successor states is labelled with E[ψ1 U ψ2], until there is no change
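The labelling algorithm of the preceding slides, run on the mutual exclusion properties, as an added example that is not part of the lecture slides. It assumes a transition relation for the first modelling attempt (the slide figure does not preserve it), and the tuple encoding of formulas and the property names are this example's own.

```python
# Added example (not from the slides): the labelling algorithm for CTL over
# M = (S, ->, L). Formulas are nested tuples; only bot, p, not, and, EX, AF
# and EU are labelled directly, the rest is rewritten via CTL equivalences.
def sat(M, f):
    """Return the set of states of M labelled with formula f."""
    S, R, L = M
    succ = lambda s: {t for (u, t) in R if u == s}
    op = f[0]
    if op == "bot": return set()                  # no state is labelled bot
    if op == "top": return set(S)
    if op == "p":   return {s for s in S if f[1] in L[s]}
    if op == "not": return set(S) - sat(M, f[1])
    if op == "and": return sat(M, f[1]) & sat(M, f[2])
    if op == "imp": return (set(S) - sat(M, f[1])) | sat(M, f[2])
    if op == "EX":  inner = sat(M, f[1]); return {s for s in S if succ(s) & inner}
    if op == "AF":  # psi1-states, then any state all of whose successors are
        lab = sat(M, f[1])          # labelled (the model has no deadlock states)
        while True:
            new = {s for s in set(S) - lab if succ(s) <= lab}
            if not new: return lab
            lab |= new
    if op == "EU":  # psi2-states, then any psi1-state with a labelled successor
        ok, lab = sat(M, f[1]), sat(M, f[2])
        while True:
            new = {s for s in ok - lab if succ(s) & lab}
            if not new: return lab
            lab |= new
    if op == "AX": return sat(M, ("not", ("EX", ("not", f[1]))))
    if op == "EF": return sat(M, ("EU", ("top",), f[1]))
    if op == "AG": return sat(M, ("not", ("EF", ("not", f[1]))))
    if op == "EG": return sat(M, ("not", ("AF", ("not", f[1]))))
    raise ValueError(f"unknown connective {op}")

# Constructed model: the first mutual-exclusion modelling attempt with the eight
# states named on the slide; the transitions are this example's assumption.
S = {"n1n2", "t1n2", "c1n2", "t1t2", "c1t2", "n1t2", "n1c2", "t1c2"}
R = {("n1n2", "t1n2"), ("n1n2", "n1t2"), ("t1n2", "c1n2"), ("t1n2", "t1t2"),
     ("c1n2", "n1n2"), ("c1n2", "c1t2"), ("t1t2", "c1t2"), ("t1t2", "t1c2"),
     ("c1t2", "n1t2"), ("n1t2", "t1t2"), ("n1t2", "n1c2"), ("n1c2", "n1n2"),
     ("n1c2", "t1c2"), ("t1c2", "t1n2")}
L = {s: {s[:2], s[2:]} for s in S}            # "t1n2" -> {"t1", "n2"}
MUTEX1 = (S, R, L)

def p(a): return ("p", a)
SAFETY = ("AG", ("not", ("and", p("c1"), p("c2"))))                     # phi1
NON_BLOCKING = ("AG", ("imp", p("n1"), ("EX", p("t1"))))                 # phi3
NO_STRICT_SEQ = ("EF", ("and", p("c1"), ("EU", p("c1"), ("and", ("not",  # phi4
    p("c1")), ("EU", ("not", p("c2")), p("c1"))))))

def check(M, f, start="n1n2"):
    """Model check M, start |= f: the start state carries the label f."""
    return start in sat(M, f)
```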
Model checking 3.13
1. π ⊨ ⊤
2. π ⊨ p iff p ∈ L(s1)
3. π ⊨ ¬Φ iff π ⊭ Φ
4. π ⊨ Φ1 ∧ Φ2 iff π ⊨ Φ1 and π ⊨ Φ2
5. π ⊨ X Φ iff π^2 ⊨ Φ
6. π ⊨ G Φ holds iff, for all i ≥ 1, π^i ⊨ Φ
7. π ⊨ F Φ holds iff, for some i ≥ 1, π^i ⊨ Φ
8. π ⊨ Φ U ψ holds iff there is some i ≥ 1 such that π^i ⊨ ψ and for all j = 1, …, i−1 we have π^j ⊨ Φ