Chapter 1 -- Introduction

CSE 522
Model-based Development (2)
Computer Science & Engineering Department
Arizona State University
Tempe, AZ 85287
Dr. Yann-Hang Lee
[email protected]
(480) 727-7507
Some of the slides were based on lectures by
Lee & Seshia (UC Berkeley) and Fainekos (ASU)
Temporal Logic
• Temporal logic is used to describe any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time.
• An extension of a classical propositional or predicate logic by temporal quantifiers
  – "I am always hungry"
  – "I will eventually be hungry"
  – "I will be hungry until I eat something"
• A single type of model is considered: a transition system (finite state machine)
• To express and verify properties of system dynamics
  – Safety (invariance): nothing bad will happen
  – Liveness: something good will happen
Invariants
• The simplest form of a temporal logic property
• Definition: a property that is true on the system at all times (always)
• Examples:
  – "The program never dereferences a null pointer"
  – "If a thread A blocks while trying to acquire a mutex lock, then the thread B that holds that lock must not be blocked attempting to acquire a lock held by A."
  – "Whenever the reset signal is asserted the state machine shall move immediately to the ErrorReset state and remain there until the reset signal is de-asserted."
Pedestrian Light with Car Light
System invariant: there is no pedestrian crossing when the traffic light (for the cars) is green.
[Figure: car-light and pedestrian-light state machines; not reproduced]

Pedestrian Light with Car Light
• Combine the states of car light and pedestrian light
• Is there a way to enter the unsafe states?
• Reachability
[Figure: combined state machine with the unsafe states marked; not reproduced]
FSM Behavior
• Each port p, for each reaction, takes a value from Vp ∪ {absent}, generating a sequence (or function)
  sp : N → Vp ∪ {absent}
• Behavior: the assignment of signals to each input port such that an output sequence can be produced
  • Observable trace ((xi, yi))i∈N
  • Execution trace ((xi, si, yi))i∈N
• The set of all behaviors of an FSM M is called the language of M and is denoted by L(M)
Garage Counter: Behavior
Behavior:
  s_up    = (present, absent, present, absent, present, …)
  s_down  = (present, absent, absent, present, absent, …)
  s_count = (absent, absent, 1, 0, 1, …)
Execution trace:
  τ = ((pres, pres), 0, abs) ((abs, abs), 0, abs) ((pres, abs), 1, 1) ...
Propositional logic
• Concerned with relationships between propositions
• A proposition is a sentence whose truth depends on the current context
• In Boolean logic, a proposition can be either true or false (not both)
• Atomic propositions: statements about an input, output, or state of a state machine. Examples:

  formula      meaning
  x            true if x is present
  x = 1        true if x is present and has value 1
  y = absent   true if y is absent
  s            true if the machine is in state s
Propositions & Connectives
• A compound proposition is formed using propositions and connectives:
  ¬ : not (negation)
  ∧ : and (conjunction)
  ∨ : or (disjunction: one or the other or both)
  → : implies (implication)
  ↔ : if and only if (biconditional)
• Example: y is present and the FSM is in state a.
  – Propositions: p1 := "y is present" := y ; p2 := "the FSM is in state a" := a
  – Symbolic representation: p1 ∧ p2 (read as "p1 and p2")
• Example: if the FSM is in state a, then y is present.
  – Propositions: p1 = "y" ; p2 = "the FSM is in state a"
  – Symbolic representation: p2 → p1 (read as "if p2, then p1" or "p2 implies p1")
Equivalences through truth tables
• Two compound propositions are logically equivalent if they have the same truth values for all choices of truth values of the variables p, q, etc.
• We denote logical equivalence using the symbol ≡
  p1 ∨ p2 ≡ ¬(¬p1 ∧ ¬p2)

  p1  p2   p1∨p2   ¬p1  ¬p2   ¬p1∧¬p2   ¬(¬p1∧¬p2)
  0   0      0      1    1       1          0
  0   1      1      1    0       0          1
  1   0      1      0    1       0          1
  1   1      1      0    0       0          1
Propositional Logic on Traces
• A propositional formula p holds for a trace q0, q1, q2, ... if and only if p is true for q0.
• A trace q satisfies (does not satisfy) a formula φ starting at time i, written
  (q, i) ⊨ φ   ( (q, i) ⊭ φ )
• An FSM M satisfies (does not satisfy) φ, written
  M ⊨ φ   ( M ⊭ φ )
  iff for all q in L_E(M) we have (q, 0) ⊨ φ, where L_E(M) contains all the execution traces of M
Examples
1. Mi ⊨ b?
2. Mi ⊨ x  y?
3. Mi ⊨ y?
[Figures M1 and M2: the state machines used in these examples; not reproduced]
Kripke Model
• A Kripke model ⟨S, I, R, AP, L⟩ consists of
  – a set of states S;
  – a set of initial states I ⊆ S;
  – a set of transitions R ⊆ S × S;
  – a set of atomic propositions AP;
  – a labeling function L : S → 2^AP.
• A path in a Kripke model M from a state s0 is an infinite sequence of states
  π = s0, s1, s2, ...
  such that (si, si+1) ∈ R for all i ≥ 0.
FSM to Kripke
• K = ⟨S × I, S0 × I, R, L⟩, where for any s ∈ S and i ∈ I
  (⟨s, i⟩, ⟨s', i'⟩) ∈ R  iff  δ(s, i) = s'
  L(⟨s, i⟩) = i ∪ s ∪ λ(s, i)
Linear Temporal Logic (LTL)
• LTL formulas: statements about an execution trace q0, q1, q2, q3, ...

  formula     mnemonic                      meaning
  p           proposition                   p holds in q0
  G(φ)        globally                      φ holds for every suffix of the trace
  F(φ)        finally, future, eventually   φ holds for some suffix of the trace
  X(φ)        next state                    φ holds for q1, q2, q3, ...
  φ1 U φ2     until                         φ1 holds for all suffixes of the trace until a suffix for which φ2 holds

• p is a propositional logic formula and φ is either a propositional logic or an LTL formula.
• Suffix: a suffix of a string x is a string z such that there exists a string y such that x = yz
Linear Temporal Logics: Semantic Intuition
Each row is a trace read left to right; * stands for any state.

  a     – a now:          a  *  *  *  *  *
  G a   – always a:       a  a  a  a  a  a
  F a   – eventually a:   *  *  *  a  *  *
  X a   – next state a:   *  a  *  *  *  *
  a U b – a until b:      a  a  a  b  *  *
  a B b – a before b:     *  *  a  *  b  *
Propositional Linear Temporal Logic
• LTL operators can apply to LTL formulas as well as to propositional logic formulas.
• E.g. "Every input x is eventually followed by an output y":
  G (x → F y)
  Globally (at any point in time), if x occurs, it is eventually followed by y.
  [Figure: a trace annotated with the point where x holds and the later point where y holds; not reproduced]
Examples
1. M2 ⊨ G(x˄y)?
2. M2 ⊨ G(x  y)?
3. M1 ⊨ Fb ?
4. M2 ⊨ (Gx)  (Fb)?
5. M2 ⊨ G(x  Fb)?
[Figures M1 and M2: the state machines used in these examples; not reproduced]
6. M1 ⊨ x  Xa ?
7. M1 ⊨ G(x  Xa) ?
8. M2 ⊨ G(b  Xa) ?
9. M2 ⊨ a U x ?
10. M2 ⊨ G(x)  (aUx) ?
Examples: What do they mean?
• GFp: p holds infinitely often
• FGp: eventually, p holds henceforth
  Remember: Gp – p holds in all states; Fp – p holds eventually; Xp – p holds in the next state
• G(p → F q): every p is eventually followed by a q
• G(p → X X q): every p is followed by a q two reactions later
• G φ = ¬F ¬φ   (¬G φ = F ¬φ)
• F φ = true U φ
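The LTL table above and the formulas just listed (GFp, FGp, G(p → Fq), G(p → XXq) and the identities Gφ = ¬F¬φ, Fφ = true U φ) can be checked mechanically. The Python evaluator below is an added example, not code from the slides or from the lectures they draw on; the tuple encoding of formulas, the constructed trace and the names `LassoTrace`, `holds` and `identities_hold` are my assumptions. An infinite trace is represented as a finite prefix plus a loop (the lasso form in which model checkers report counterexamples), so G, F and U are decided exactly rather than approximated on a truncated finite trace.

```python
# Added example (not part of the slides): evaluating LTL formulas over a
# lasso-shaped trace, i.e. an infinite trace given as a finite prefix plus a
# loop. Formulas are nested tuples: ('ap','x'), ('not',f), ('and',f,g),
# ('or',f,g), ('imp',f,g), ('X',f), ('G',f), ('F',f), ('U',f,g), ('true',).

class LassoTrace:
    """Trace q0, q1, ... where each position carries the set of atomic
    propositions that hold there; position n-1 continues at loop_start."""
    def __init__(self, states, loop_start):
        assert 0 <= loop_start < len(states)
        self.states = [frozenset(s) for s in states]
        self.loop_start = loop_start
        self.n = len(states)

    def next(self, i):
        return i + 1 if i + 1 < self.n else self.loop_start

    def path(self, i):
        """The first n positions visited from i. Every position reachable
        from i occurs among them, so suffix checks can stop there."""
        for _ in range(self.n):
            yield i
            i = self.next(i)


def holds(trace, phi, i=0):
    """(trace, i) |= phi, following the semantics of the LTL table above."""
    op = phi[0]
    if op == 'true':
        return True
    if op == 'ap':                      # proposition: holds in q_i
        return phi[1] in trace.states[i]
    if op == 'not':
        return not holds(trace, phi[1], i)
    if op == 'and':
        return holds(trace, phi[1], i) and holds(trace, phi[2], i)
    if op == 'or':
        return holds(trace, phi[1], i) or holds(trace, phi[2], i)
    if op == 'imp':
        return (not holds(trace, phi[1], i)) or holds(trace, phi[2], i)
    if op == 'X':                       # next: holds in the following state
        return holds(trace, phi[1], trace.next(i))
    if op == 'G':                       # globally: holds for every suffix
        return all(holds(trace, phi[1], j) for j in trace.path(i))
    if op == 'F':                       # finally: holds for some suffix
        return any(holds(trace, phi[1], j) for j in trace.path(i))
    if op == 'U':                       # until: f holds up to the first g
        for j in trace.path(i):
            if holds(trace, phi[2], j):
                return True
            if not holds(trace, phi[1], j):
                return False
        return False
    raise ValueError("unknown operator %r" % op)


def identities_hold(trace, f):
    """Check G f = not F not f and F f = true U f on one trace."""
    g_via_f = holds(trace, ('not', ('F', ('not', f))))
    f_via_u = holds(trace, ('U', ('true',), f))
    return holds(trace, ('G', f)) == g_via_f and holds(trace, ('F', f)) == f_via_u


# Constructed trace: x at 0, y at 2, then the loop {x} {x,y} {x} {x,y} ...
TRACE = LassoTrace([{'x'}, set(), {'y'}, {'x'}, {'x', 'y'}], loop_start=3)
X, Y = ('ap', 'x'), ('ap', 'y')
RESPONSE = ('G', ('imp', X, ('F', Y)))     # every x is eventually followed by y

if __name__ == '__main__':
    print("G(x -> F y):", holds(TRACE, RESPONSE))       # True
    print("GF y:", holds(TRACE, ('G', ('F', Y))))         # True
    print("FG x:", holds(TRACE, ('F', ('G', X))))         # True
    print("x U y:", holds(TRACE, ('U', X, Y)))            # False
```

On the constructed trace G(x → F y) holds because every x (positions 0, 3, 4) is followed by a y, while x U y fails at position 0 because position 1 has neither x nor y. Because `path` enumerates every position reachable from i, a formula that is true only on an infinite suffix (GF y, FG x) is decided exactly.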
Model Checking in LTL
• Safety: only one process is in its critical section at a time. "No two processes can be in the critical section at the same time."
  – always not (CS1 and CS2): mutual exclusion
• Liveness: whenever any process requests to enter its critical section it will eventually be permitted to do so. "Every request is eventually granted."
  – always (Request implies eventually Grant)
• "Every continuous request is eventually granted."
  – always (Request implies (Request until Grant))
• "Every repeated request is eventually granted."
  – always (always eventually Request) implies eventually Grant
Examples: Write in Temporal Logic
1. "Whenever the iRobot is at the ramp-edge (cliff), eventually it moves 5 cm away from the cliff."
   • p1 – iRobot is at the cliff
   • p2 – iRobot is 5 cm away from the cliff
2. "Whenever the distance between cars is less than 2 m, cruise control is deactivated"
   • p1 – distance between cars is less than 2 m
   • p2 – cruise control is active
Why the linear in LTL?
• Properties are expressed over a single computation path or run
  – satisfiability is checked on the run with no possibility of switching to another run during the checking.
[Figure: machine M with states s0, s1, s2 and transitions labelled a/b, a/c, true/b, unrolled into its runs s0 s1 s2 ...; not reproduced]
Does M ⊨ G b ?
Example: Mutual Exclusion (1)
• Each process can be in its non-critical state (N), trying to enter its critical state (T), or in its critical state (C).
• The variable turn records the first process that went into its trying state.
[Figure: state graph with the nine states (N1,N2 turn=0), (T1,N2 turn=1), (C1,N2 turn=1), (N1,T2 turn=2), (T1,T2 turn=1), (C1,T2 turn=1), (T1,T2 turn=2), (N1,C2 turn=2), (T1,C2 turn=2); transitions not reproduced]
Example: Mutual Exclusion (2)
• Safety: M ⊨ G ¬(C1 ∧ C2) ?
  Is there a reachable state in which (C1 ∧ C2) holds?
• Liveness: M ⊨ F C1 ?
  Is there an infinite cyclic solution in which C1 never holds?
• Liveness: M ⊨ G(T1 → F C1) ?  or  M ⊨ GF T1 → GF C1 ?
  Does every path starting from each state where T1 holds pass through a state where C1 holds?
Automata-based Model Checking
• The behaviors (computations) of a system can be seen as sequences of assignments to propositions over all traces.
• Represent the set of computations by a finite automaton
• An automaton for the set of all acceptable computations
• Check if the language of the system automaton is contained in the language accepted by the property automaton.
[Figure: computation tree whose nodes are labelled with two-bit assignments (00, 01, 11); not reproduced]
Automata-Based LTL Model Checking (2)
• Let M be a Kripke model and φ be an LTL formula
  M ⊨ φ (LTL)
  ⟺ ℒ(M) ⊆ ℒ(φ)
  ⟺ ℒ(M) ∩ ℒ(¬φ) = { }
  ⟺ ℒ(A_M) ∩ ℒ(A_¬φ) = { }
  ⟺ ℒ(A_M × A_¬φ) = { }
• A_M is a Büchi automaton equivalent to M (which represents all and only the executions of M)
• A_¬φ is a Büchi automaton which represents all and only the paths that satisfy ¬φ (do not satisfy φ)
• A_M × A_¬φ represents all and only the paths appearing in M and not in φ.
Automata-Based LTL Model Checking (1)
(Christel Baier and Joost-Pieter Katoen, "Principles of Model Checking”)
Büchi Automata
• Automaton which accepts infinite traces
• A Büchi automaton is a 4-tuple ⟨S, I, δ, F⟩
  – S is a finite set of states
  – I ⊆ S is a set of initial states
  – δ ⊆ S × S is a transition relation
  – F ⊆ S is a set of accepting states
• An infinite sequence of states is accepted iff it contains accepting states infinitely often
  [Figure: automaton with states S0, S1, S2; not reproduced]
  σ1 = S0 S1 S2 S2 S2 S2 …   ACCEPTED
  σ2 = S0 S1 S2 S1 S2 S1 …   ACCEPTED
  σ3 = S0 S1 S2 S1 S1 S1 …   REJECTED
Büchi Automata
• The labels of a Büchi automaton are different from the labels of a Kripke structure. Also graphically, they are interpreted differently. For a state labelled p:
  – in a Kripke structure, p is true and all other propositions are false;
  – in a Büchi automaton, p is true and all other propositions are irrelevant ("don't care"), i.e. can be either true or false.
[Figure: a Kripke structure with states S0, S1, S2 labelled a, b, c, and the corresponding Büchi automaton with an additional state Sinit, edges labelled a, b, c and F = {S0, S1, S2}; not reproduced]
LTL and Büchi Automata
• LTL formula: represents a set of infinite traces which satisfy the formula
• Büchi automaton: accepts a set of infinite traces
• We can build an automaton which accepts all and only the infinite traces represented by an LTL formula
[Figure: Büchi automata for Fp, Gp, pUq and GFp, with edges labelled p, q and T; not reproduced]
Product of Transition Systems: Example
[Figure: two transition systems, one with states s0, s1 and one with states t0, t1, t2, over the labels a and b, and their product with states s0t0, s0t1, s0t2, s1t0, s1t1, s1t2; not reproduced]
Explicit-State Model Checking
• Model checking exhaustively enumerates the states of the system
  – The state space can be viewed as a graph
  – Explicitly enumerate each state and traverse each edge of the graph
• Example: explicit-state techniques in SPIN
  – Nested DFS to detect reachable accepting cycles.
  – The first search looks for reachable accepting states
  – The second (nested) one tries to detect accepting cycles.
• Consider the simplest property G p
  – p is a system invariant to be satisfied by all states
  – DFS graph traversal, maintaining 2 data structures: the set of visited states and a stack with the current path from the initial state
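The explicit-state search just described can be tried on the two-process mutual-exclusion model of the earlier slides (states N/T/C per process plus the turn variable, and the three questions G ¬(C1 ∧ C2), F C1 and G(T1 → F C1)). The Python below is an added example and not code from the slides: the `successors` rule is a constructed reading of "turn records the first process that entered its trying state" (it regenerates exactly the nine states the slide lists), and the function names are my assumptions. The invariant is checked by DFS with a visited set and the current path as a stack; each liveness question is answered by searching for a reachable cycle that avoids C1, which is exactly the "infinite cyclic solution in which C1 never holds" the slide asks about.

```python
# Added example (not from the slides): an explicit-state checker for the
# two-process mutual-exclusion model. A state is (process 1, process 2, turn).
from collections import deque

INIT = ('N', 'N', 0)

def successors(state):
    """Interleaved moves of the two processes (constructed transition rule)."""
    p1, p2, turn = state
    out = set()
    for me, other, idx in ((p1, p2, 1), (p2, p1, 2)):
        if me == 'N':                                   # start trying
            nxt, nturn = 'T', (turn or idx)             # take the turn if it is free
        elif me == 'T' and turn == idx:                 # enter the critical section
            nxt, nturn = 'C', turn
        elif me == 'C':                                 # leave; hand the turn over
            nxt, nturn = 'N', (3 - idx if other == 'T' else 0)
        else:                                           # trying, but not our turn
            continue
        out.add((nxt, p2, nturn) if idx == 1 else (p1, nxt, nturn))
    return out

def reachable(init):
    """Explicit enumeration of the state space (breadth-first)."""
    seen, todo = {init}, deque([init])
    while todo:
        s = todo.popleft()
        for t in successors(s):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def check_invariant(init, inv):
    """G inv by depth-first search with a visited set and the current path.
    Returns None if inv holds everywhere, else the path to a violating state."""
    visited, stack = set(), [(init, (init,))]
    while stack:
        s, path = stack.pop()
        if s in visited:
            continue
        visited.add(s)
        if not inv(s):
            return list(path)                           # counterexample trace
        stack.extend((t, path + (t,)) for t in successors(s) if t not in visited)
    return None

def lasso_avoiding(start, bad):
    """Find an infinite run from start that never enters a bad state, i.e. a
    reachable cycle inside the non-bad states. Returns (prefix, cycle) or None."""
    visited, path = set(), []
    def dfs(s):
        visited.add(s)
        path.append(s)
        for t in successors(s):
            if bad(t):
                continue
            if t in path:                               # back edge closes a cycle
                k = path.index(t)
                return path[:k], path[k:]
            if t not in visited:
                found = dfs(t)
                if found:
                    return found
        path.pop()
        return None
    return None if bad(start) else dfs(start)

def check_mutex():
    """Answer the three questions of the mutual-exclusion slide by search."""
    c1 = lambda s: s[0] == 'C'
    safe = check_invariant(INIT, lambda s: not (s[0] == 'C' and s[1] == 'C'))
    starved = lasso_avoiding(INIT, c1)                  # witness against F C1
    after_request = None                                # witness against G(T1 -> F C1)
    for s in sorted(reachable(INIT)):
        if s[0] == 'T':
            after_request = lasso_avoiding(s, c1)
            if after_request:
                break
    return {'G not(C1 and C2)': safe is None,
            'F C1': starved is None,
            'G(T1 -> F C1)': after_request is None,
            'F C1 counterexample': starved}

if __name__ == '__main__':
    for k, v in check_mutex().items():
        print(k, v)
```

Safety holds and G(T1 → F C1) holds, but F C1 fails: the search returns a cycle such as (N1,N2,0) → (N1,T2,2) → (N1,C2,2) → (N1,N2,0) in which process 1 simply never tries, which is the cyclic solution the slide's question is about.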
Computational Temporal Logic
• In LTL, time is treated as if each moment in time has a unique possible future.
  – LTL formulas are interpreted over linear sequences which are used to describe a behavior of a single computation of a program.
• In branching temporal logics, each moment in time may split into various possible futures
  – infinite computation trees, each describing the behavior of the possible computations of a nondeterministic program.
  – When reaching an individual state, the choice of transitions remains undecided.
  – Two path quantifiers: E ("there exists a computation") and A ("for all computations").
  – Decide whether φ holds in the computation tree of M.
Path Quantifiers in CTL
• In All Paths (A): the temporal formula is true in all the paths starting in the current state.
• There Exists a Path (E): the temporal formula is true in some path starting in the current state.
[Figure: computation trees illustrating finally p, globally p, next p and p until q under the path quantifiers; not reproduced]
LTL vs. CTL
• AP = {a, b, c, d, e} is the set of atomic propositions.
• S_exm: Q = {q1, q2, q3, q4} and I = {q1, q2}
• L(q1) = {a}, L(q2) = ∅, L(q3) = {b, e}, and L(q4) = {c}.
(Ph. Schnoebelen: The Complexity of Temporal Logic Model Checking. Advances in Modal Logic 2002: 393-436)
BDD and Symbolic Model Checking
• Binary Decision Diagram (BDD): a DAG to represent a Boolean formula
  – An example: f = ab + a'c + bc'd
  – Two different orderings, same function.
  – ROBDD – reduced and ordered
  – Can we process them?
[Figure: two ROBDDs for f under different variable orderings, internal nodes labelled with their residual functions (c+bd, c+d, d+b, ...) and terminals 0, 1; not reproduced]
Operations of BDD
• Negation: switch 0 and 1
• If f then g else h operator: ite(f, g, h)
  – f AND g = ite(f, g, 0)
  – f OR g = ite(f, 1, g)
  – Compute ite recursively: v is the top-most variable among the three BDDs f, g, h
• Existential quantification (EXISTS and ANDEXIST)
  – ∃v. f(A) = f_v(A) ∨ f_¬v(A)   (f|v=1(A) ∨ f|v=0(A))
  – ∃v. f(A) ∧ g(B) = (f(A) ∧ g(B))|v=1 ∨ (f(A) ∧ g(B))|v=0
Example of ite
[Figure: BDDs F, G, H over the variables a, b, c, d and the intermediate BDDs B, C, D, I, J; not reproduced. F, G, H, I, J, B, C, D are pointers to BDD nodes.]

I = ite(F, G, H)
  = (a, ite(F_a, G_a, H_a), ite(F_¬a, G_¬a, H_¬a))
  = (a, ite(1, C, H), ite(B, 0, H))
  = (a, C, (b, ite(B_b, 0_b, H_b), ite(B_¬b, 0_¬b, H_¬b)))
  = (a, C, (b, ite(1, 0, 1), ite(0, 0, D)))
  = (a, C, (b, 0, D))
  = (a, C, J)

Check: F = a + b, G = ac, H = b + d
ite(F, G, H) = (a + b)(ac) + ¬a¬b(b + d) = ac + ¬a¬b d
Symbolic Model Checking
• State representation:
  – A state is encoded as a Boolean formula φ(s), where s ∈ S
  – Sets of states as their characteristic function
  – Three state variables x1, x2, x3: {000, 001, 010, 011} is represented as "first bit false": ¬x1
• Representation of transition relations:
  – A transition is a pair of states (s, s') where s' is the next state: φ(s, s') = φ(s) ∧ φ(s')
    φ(01, 10) = φ(¬v1 v0, v'1 ¬v'0) = (¬v1 ∧ v0) ∧ (v'1 ∧ ¬v'0)
  – 2-bit counter 00 → 01 → 10 → 11 → 00:
    φ(R) = (v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1)
Pre-Image and Forward Image
PreImage(P, R) := {s | for some s' ∈ P, (s, s') ∈ R}
Image(P, R)    := {s' | for some s ∈ P, (s, s') ∈ R}

Compute EX[P] for the 2-bit counter, where φ(P) = (v0 ↔ v1) (i.e. P = {00, 11})
  PreImage(P, R) = ∃s'. φ(P)[s'] ∧ φ(R)[s, s']
    = ∃v'0 v'1. (v'0 ↔ v'1) ∧ ((v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1))
    (substitute v'0 v'1 with 00, 01, 10, 11)
    = (v0 ∧ ¬(v0 ⊕ v1)) ∨ (¬v0 ∧ (v0 ⊕ v1))
    = v1 (i.e. P = {01, 11})
Reachability using BDD
Reachability(v, Gin(s), R(s,s'), F(s))
  [ s – states; Gin, R(s,s') and F are BDDs ]
  G := ∅; G' := Gin;
  do {
    G := G';
    G' := G ∨ (∃s. (G(s) ∧ R(s,s')))[s/s'];   – F[x/y] means that we substitute x for y in F
  } while (G ≠ G' and G ∧ F = ∅);             – stop at the fixpoint, or as soon as a state of F is reached
  if (G ∧ F = ∅) report "Unreachable", else report "Reachable";
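The ite operation and its worked example, the symbolic encoding of the 2-bit counter, the PreImage computation and the reachability fixpoint above can all be exercised end-to-end with a small ROBDD implementation. The Python below is an added example, not code from the slides or any BDD library's API; the class and function names and the interleaved variable ordering v0 < v0' < v1 < v1' (chosen so that renaming between s and s' keeps the ordering) are my assumptions. It reproduces ite(F, G, H) = ac + ¬a¬b d for F = a + b, G = ac, H = b + d, the pre-image v1 of P = {00, 11} under the counter, and the fixpoint loop with its early exit.

```python
# Added example (not from the slides): a minimal ROBDD with ite, existential
# quantification, pre-image and the reachability fixpoint, applied to the ite
# and 2-bit counter examples above. Nodes 0 and 1 are the terminals; any
# other node is a triple (variable index, low child, high child).

class BDD:
    def __init__(self, order):
        self.order = list(order)                     # fixed variable ordering
        self.idx = {v: i for i, v in enumerate(self.order)}
        self.nodes = [None, None]                    # slots of terminals 0 and 1
        self.unique, self.cache = {}, {}             # unique table, ite cache

    def mk(self, v, low, high):                      # canonical node (v, low, high)
        if low == high: return low                   # a test with equal branches is dropped
        key = (v, low, high)
        if key not in self.unique:
            self.unique[key] = len(self.nodes); self.nodes.append(key)
        return self.unique[key]

    def var(self, name): return self.mk(self.idx[name], 0, 1)

    def top(self, f):                                # index of f's top-most variable
        return len(self.order) if f in (0, 1) else self.nodes[f][0]

    def cof(self, f, v, val):                        # cofactor by top variable v
        if f in (0, 1) or self.nodes[f][0] != v: return f
        return self.nodes[f][2] if val else self.nodes[f][1]

    def ite(self, f, g, h):
        """if f then g else h, computed recursively on the top-most variable."""
        if f == 1: return g
        if f == 0: return h
        if g == h: return g
        if (g, h) == (1, 0): return f
        key = (f, g, h)
        if key not in self.cache:
            v = min(self.top(f), self.top(g), self.top(h))
            lo = self.ite(self.cof(f, v, 0), self.cof(g, v, 0), self.cof(h, v, 0))
            hi = self.ite(self.cof(f, v, 1), self.cof(g, v, 1), self.cof(h, v, 1))
            self.cache[key] = self.mk(v, lo, hi)
        return self.cache[key]

    def NOT(self, f): return self.ite(f, 0, 1)        # negation: swap 0 and 1
    def AND(self, f, g): return self.ite(f, g, 0)
    def OR(self, f, g): return self.ite(f, 1, g)
    def XOR(self, f, g): return self.ite(f, self.NOT(g), g)
    def IFF(self, f, g): return self.ite(f, g, self.NOT(g))

    def restrict(self, f, name, val):                # f|name=val at any depth
        v = self.idx[name]
        if f in (0, 1) or self.nodes[f][0] > v: return f
        fv, lo, hi = self.nodes[f]
        if fv == v: return hi if val else lo
        return self.mk(fv, self.restrict(lo, name, val), self.restrict(hi, name, val))

    def exists(self, f, names):                      # exists v. f = f|v=1 or f|v=0
        for n in names:
            f = self.OR(self.restrict(f, n, 1), self.restrict(f, n, 0))
        return f

    def rename(self, f, mapping):                    # mapping must keep the ordering
        if f in (0, 1): return f
        v, lo, hi = self.nodes[f]
        name = mapping.get(self.order[v], self.order[v])
        return self.mk(self.idx[name], self.rename(lo, mapping), self.rename(hi, mapping))


def ite_example():
    """ite(F, G, H) with F = a+b, G = ac, H = b+d equals ac + a'b'd; by
    canonicity the two constructions yield the very same node."""
    b = BDD('abcd')
    a, bb, c, d = (b.var(x) for x in 'abcd')
    i = b.ite(b.OR(a, bb), b.AND(a, c), b.OR(bb, d))
    return i == b.OR(b.AND(a, c), b.AND(b.AND(b.NOT(a), b.NOT(bb)), d))


# 2-bit counter: current and next-state variables are interleaved
# (v0 < v0' < v1 < v1') so that renaming s <-> s' preserves the ordering.
CUR, NXT = ['v0', 'v1'], ["v0'", "v1'"]
TO_NXT, TO_CUR = dict(zip(CUR, NXT)), dict(zip(NXT, CUR))

def counter():
    """Returns (bdd, R) with R = (v0' <-> not v0) and (v1' <-> v0 xor v1)."""
    b = BDD(['v0', "v0'", 'v1', "v1'"])
    v0, n0, v1, n1 = (b.var(x) for x in b.order)
    return b, b.AND(b.IFF(n0, b.NOT(v0)), b.IFF(n1, b.XOR(v0, v1)))

def pre_image(b, P, R):                              # exists s'. P[s'] and R(s, s')
    return b.exists(b.AND(b.rename(P, TO_NXT), R), NXT)

def image(b, P, R):                                  # (exists s. P(s) and R(s, s'))[s/s']
    return b.rename(b.exists(b.AND(P, R), CUR), TO_CUR)

def reachability(b, g_in, R, F):
    """Fixpoint iteration of the Reachability procedure above, stopping as soon
    as a state of F is reached. Returns (BDD of explored states, F reached?)."""
    g, g_next = 0, g_in
    while True:
        g = g_next
        g_next = b.OR(g, image(b, g, R))
        if g == g_next or b.AND(g, F) != 0: break
    return g, b.AND(g, F) != 0
```

Because the diagrams are reduced and ordered, two functions are equal exactly when they are the same node, so `ite_example` compares node identities rather than enumerating assignments. Starting the counter from 00 and asking for 11 takes three image steps before the early exit fires; restricting R so that v1' can never become true leaves the explored set at ¬v1 and reports the target unreachable.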
Timed Automata
• A timed automaton is a tuple A = (Q, Σ, C, E, q0) that consists of the following components:
  – Q is a finite set. The elements of Q are called the states of A.
  – Σ is a finite set called the alphabet or actions of A.
  – C is a finite set called the clocks of A.
  – E ⊆ Q × Σ × B(C) × P(C) × Q is a set of edges, called transitions of A, where
    • B(C) is the set of boolean clock constraints involving clocks from C, and
    • P(C) is the powerset of C.
  – q0 is an element of Q, called the initial state.
• An edge (q, a, g, r, q') from E is a transition from state q to q' with action a, guard g and clock resets r.