CTL Model Checking


CMSC 630, March 13, 2007

1. CTL Model Checking

Goal: a method for proving M sat σ, where M is a Kripke structure and σ is a CTL formula.
Approach: model checking!
Mathematically, M is a model of σ if $s_I \models_M \sigma$. So determining whether M sat σ amounts to checking whether M is a model of σ.

2. Recall the CTL Fragment of CTL*

In CTL every path modality (i.e. F, G, U) must be preceded by a path quantifier A or E. The syntax can also be given directly as follows:
$\sigma ::= a \mid \neg\sigma \mid \sigma \wedge \sigma \mid EX\sigma \mid E(\sigma\,U\,\sigma) \mid E(\sigma\,R\,\sigma)$
Other operators (AX, AU, AR, EF, AF, EG, AG, etc.) can be defined in terms of these.

3. So What's the Big Deal About CTL?

Minus: formulas are like those in LTL, but more complex.
Plus: the model-checking problem is easier to solve in CTL.

4. Properties in CTL

The expressiveness of CTL and LTL is incomparable. One can reasonably argue that LTL is easier to understand. However, one can turn LTL system specs into CTL formulas that are at least as strong, provided the LTL formulas are in positive normal form (PNF), i.e. negations are applied only to atomic propositions. E.g. GF executed is in PNF; the same formula with a negation in front of GF is not.

5. LTL, CTL and PNF

Any LTL formula can be put in PNF provided the logic is extended with the necessary duals (i.e., R):
$\neg(\varphi_1 \wedge \varphi_2) \equiv (\neg\varphi_1) \vee (\neg\varphi_2)$
$\neg(X\varphi) \equiv X(\neg\varphi)$
$\neg(\varphi_1\,U\,\varphi_2) \equiv (\neg\varphi_1)\,R\,(\neg\varphi_2)$

6. Generating CTL Approximations to LTL

So how do we generate CTL formulas at least as strong as LTL system specs?
1. Put the LTL formula in PNF.
2. Insert the A path quantifier in front of each path modality.
LTL: G(send $\rightarrow$ F receive), GF enabled, GF executed
CTL: AG(send $\rightarrow$ AF receive), AFAG enabled, AGAF executed

7. PNF CTL

$\sigma ::= a \mid \neg a \mid \sigma \wedge \sigma \mid \sigma \vee \sigma \mid EX\sigma \mid AX\sigma \mid E(\sigma\,U\,\sigma) \mid A(\sigma\,U\,\sigma) \mid E(\sigma\,R\,\sigma) \mid A(\sigma\,R\,\sigma)$

8. The CTL Model-Checking Problem

Given: a Kripke structure $M = \langle S, A, R, l, s_I \rangle$ and a CTL formula (in PNF) σ.
Determine: does $s_I \models_M \sigma$?
One approach:
1. Define proof rules for CTL correctness assertions $s \models_M \sigma$.
2. Use the rules to develop proofs.

9. Sample Proof Rules

Recall $M = \langle S, A, R, l, s_I \rangle$.
Rule A: from $a \in l(s)$ infer $s \models_M a$.
Rule A$\neg$: from $a \notin l(s)$ infer $s \models_M \neg a$.
Rule $\vee_1$: from $s \models_M \sigma_1$ infer $s \models_M \sigma_1 \vee \sigma_2$.
Rule $\vee_2$: from $s \models_M \sigma_2$ infer $s \models_M \sigma_1 \vee \sigma_2$.
Rule $\wedge$: from $s \models_M \sigma_1$ and $s \models_M \sigma_2$ infer $s \models_M \sigma_1 \wedge \sigma_2$.
Are these rules sound? Complete?

10. Proof Rules for CTL Next-Step Modalities

How can we prove assertions of the form $s \models_M EX\sigma$? $s \models_M AX\sigma$? M contains information about transitions from states; the proof rules should use this information.
Rule EX: from $s' \models_M \sigma$ and $\langle s, s' \rangle \in R$ infer $s \models_M EX\sigma$.
Rule AX: from $s_1 \models_M \sigma, \ldots, s_n \models_M \sigma$, where $\{s_1, \ldots, s_n\} = \{ s' \mid \langle s, s' \rangle \in R \}$, infer $s \models_M AX\sigma$.

11. Proof Rules for U, R Modalities

Idea: use recursive characterizations of the modalities.
Notation: $\sigma_1 \equiv \sigma_2$ means: for all M and s, $s \models_M \sigma_1$ iff $s \models_M \sigma_2$.
Then: $AF\sigma \equiv \sigma \vee AX(AF\sigma)$.
[Figure: $AF\sigma$ unfolded over a computation tree: either σ holds at the root, or $AF\sigma$ holds at every successor.]

12. Other Recursive Characterizations

$EF\sigma$, $AG\sigma$, $E(\sigma_1\,U\,\sigma_2)$, $E(\sigma_1\,R\,\sigma_2)$.

13. Turning Recursion into Proof Rules: U

Rule EU$_1$: from $s \models_M \sigma_2$ infer $s \models_M E(\sigma_1\,U\,\sigma_2)$.
Rule AU$_1$: from $s \models_M \sigma_2$ infer $s \models_M A(\sigma_1\,U\,\sigma_2)$.
Rule EU$_2$: from $s \models_M \sigma_1$, $s' \models_M E(\sigma_1\,U\,\sigma_2)$ and $\langle s, s' \rangle \in R$ infer $s \models_M E(\sigma_1\,U\,\sigma_2)$.
Rule AU$_2$: from $s \models_M \sigma_1$ and $s_1 \models_M A(\sigma_1\,U\,\sigma_2), \ldots, s_n \models_M A(\sigma_1\,U\,\sigma_2)$, where $\{s_1, \ldots, s_n\} = \{ s' \mid \langle s, s' \rangle \in R \}$, infer $s \models_M A(\sigma_1\,U\,\sigma_2)$.

14. Turning Recursion into Proof Rules: R

Rule ER$_1$: from $s \models_M \sigma_1$ and $s \models_M \sigma_2$ infer $s \models_M E(\sigma_1\,R\,\sigma_2)$.
Rule AR$_1$: from $s \models_M \sigma_1$ and $s \models_M \sigma_2$ infer $s \models_M A(\sigma_1\,R\,\sigma_2)$.
Rule ER$_2$: from $s \models_M \sigma_2$, $s' \models_M E(\sigma_1\,R\,\sigma_2)$ and $\langle s, s' \rangle \in R$ infer $s \models_M E(\sigma_1\,R\,\sigma_2)$.
Rule AR$_2$: from $s \models_M \sigma_2$ and $s_1 \models_M A(\sigma_1\,R\,\sigma_2), \ldots, s_n \models_M A(\sigma_1\,R\,\sigma_2)$, where $\{s_1, \ldots, s_n\} = \{ s' \mid \langle s, s' \rangle \in R \}$, infer $s \models_M A(\sigma_1\,R\,\sigma_2)$.

15. But What About Circular Proofs?

Consider a proof of E(a U b) for the Kripke structure below.
[Figure: two states, $s_0 : \{a, c\}$ and $s_1 : \{a\}$, with a transition from $s_0$ to $s_1$ and one from $s_1$ back to $s_0$.]
Proof attempt: $s_0 \models_M E(a\,U\,b)$ by EU$_2$ from $s_0 \models_M a$ (rule A, since $a \in l(s_0)$) and $s_1 \models_M E(a\,U\,b)$; the latter by EU$_2$ from $s_1 \models_M a$ ($a \in l(s_1)$) and $s_0 \models_M E(a\,U\,b)$, which is the original goal.
Circularity is bad!

16. But What About Circular Proofs (cont.)?

Consider a proof of EG a for the Kripke structure below.
[Figure: the same two states, $s_0 : \{a, c\}$ and $s_1 : \{a\}$, with transitions $s_0 \to s_1$ and $s_1 \to s_0$.]
Proof attempt: $s_0 \models_M EGa$ from $s_0 \models_M a$ ($a \in l(s_0)$) and $s_1 \models_M EGa$; the latter from $s_1 \models_M a$ ($a \in l(s_1)$) and $s_0 \models_M EGa$, which is the original goal.
Circularity is good!

17. Is Circularity Bad or Good?

It depends on the modality... but how? And why? Precise answers depend on understanding fixpoint characterizations of the CTL operators. These characterizations will also lead to model-checking algorithms for finite-state Kripke structures.

18. CTL Formulas and Fixpoints

Recall: $AF\sigma \equiv \sigma \vee AX(AF\sigma)$. Equivalently, $AF\sigma$ may be seen as:
a solution to the equation $w \equiv \sigma \vee AX\,w$;
a fixpoint of the function $f(w) = \sigma \vee AX\,w$.
Is the solution to the above equation unique? No! Consider the formula tt: $tt \equiv \sigma \vee AX\,tt$ (why?).

19. So What?

$AF\sigma$ is a solution to an equation, but not a unique solution. How does this help us with circularity?
Answer: Tarski! Polish émigré mathematician, active in the early to mid 1900s, well known for work in logic, algebra and lattice theory. In the 1950s, Tarski and Knaster proved:
Theorem (Tarski–Knaster Fixpoint Theorem). Every monotonic function over a complete lattice has a complete lattice of fixpoints.

20. Complete Lattice?

A complete lattice consists of:
a set E of elements;
a partial ordering $\sqsubseteq\ \subseteq E \times E$ ("less than or equal to");
a least-upper-bound operator $\bigsqcup : 2^E \to E$;
a greatest-lower-bound operator $\bigsqcap : 2^E \to E$.
Example: let S be a set. Then take $E = 2^S$, $\sqsubseteq\ =\ \subseteq$, $\bigsqcup = \bigcup$, $\bigsqcap = \bigcap$. This is a complete lattice!

21. Facts about Lattices

Theorem. Let $\langle E, \sqsubseteq, \bigsqcup, \bigsqcap \rangle$ be a complete lattice. Then:
1. E has a greatest element $\top = \bigsqcup E$.
2. E has a least element $\bot = \bigsqcap E$.
3. (Tarski–Knaster) Let $f : E \to E$ be monotonic, i.e. if $e_1 \sqsubseteq e_2$ then $f(e_1) \sqsubseteq f(e_2)$. Then the structure $\langle \{ e \mid e = f(e) \}, \sqsubseteq, \bigsqcup, \bigsqcap \rangle$ is also a complete lattice (the "complete lattice of fixpoints").

22. How Can This Possibly Help?

All the equations describing CTL operators have unique least and greatest solutions!
Let $M = \langle S, A, l, R, s_I \rangle$ be a Kripke structure. $\langle 2^S, \subseteq, \bigcup, \bigcap \rangle$ forms a complete lattice.
Each equation has the equivalent form $w = f(w)$, where f maps sets of states (meanings of formulas) to sets of states.
Each such f turns out to be monotonic over the lattice.
Any complete lattice has a unique greatest and least element.

23. Example

$AF\sigma$ is the unique least solution to $w \equiv f(w)$, where $f(w) \equiv \sigma \vee AX\,w$. (More precisely, the set of states satisfying $AF\sigma$ is the smallest set satisfying the equation.) That is, any other solution is implied by $AF\sigma$. What is the largest?

24. Another Example

Consider $f(w) = \sigma \vee EX\,w$. What is the least fixpoint? The greatest fixpoint?

25. One More Example

Consider $f(w) = \sigma_1 \vee (\sigma_2 \wedge AX\,w)$. What is the least fixpoint? The greatest fixpoint?

26. Recall Motivation: Circular Reasoning

Least-fixpoint CTL operator: circularity bad!
Greatest-fixpoint CTL operator: circularity good!

27. Circularity Example #1

[Figure: two states, $s_0 : \{a, c\}$ and $s_1 : \{a\}$, with transitions $s_0 \to s_1$ and $s_1 \to s_0$.]
Proof attempt: $s_0 \models_M E(a\,U\,b)$ from $s_0 \models_M a$ ($a \in l(s_0)$) and $s_1 \models_M E(a\,U\,b)$; the latter from $s_1 \models_M a$ ($a \in l(s_1)$) and $s_0 \models_M E(a\,U\,b)$.
The circularity involves a least-fixpoint operator (EU). This proof is therefore invalid.

28. Circularity Example #2

[Figure: the same two states, $s_0 : \{a, c\}$ and $s_1 : \{a\}$, with transitions $s_0 \to s_1$ and $s_1 \to s_0$.]
Proof attempt: $s_0 \models_M EGa$ from $s_0 \models_M a$ ($a \in l(s_0)$) and $s_1 \models_M EGa$; the latter from $s_1 \models_M a$ ($a \in l(s_1)$) and $s_0 \models_M EGa$.
The circularity involves a greatest-fixpoint operator (EG). This proof is therefore valid.

29. Constructing Proofs for $s \models_M \sigma$

Use the proof rules A, A$\neg$, $\vee_1$, $\vee_2$, $\wedge$, EX, AX, EU$_1$, EU$_2$, AU$_1$, AU$_2$, ER$_1$, ER$_2$, AR$_1$, AR$_2$.
Proofs are valid if they end in leaves, or if their circularities only involve maximum-fixpoint formulas.

30. Example (Invalid) Proof: AFAGa

[Figure: Kripke structure with $s_0 : \{a\}$, $s_1 : \{\}$, $s_2 : \{a\}$, ...]
Proof attempt: $s_0 \models_M AFAGa$ derived from $s_0 \models_M AFAGa$ and $s_1 \models_M AFAGa$. The circularity runs through the least-fixpoint operator AF, so the proof is invalid.

31. Soundness and Completeness

Proof construction is sound. Proof construction is complete for finite-state Kripke structures. The rules can be modified to be complete for arbitrary Kripke structures (sets of states rather than single states on the left of $\models_M$).

32. Algorithmic Model Checking

We have talked about model checking in terms of proof. For certain kinds of Kripke structures (i.e. finite-state ones), model checking can be performed automatically. Model-checking algorithms may be seen as conducting proof search.

33. The Finite-State Model-Checking Problem for CTL

Given: a Kripke structure $M = \langle S, A, R, l, s_I \rangle$ with $|S| < \infty$, and a CTL formula σ.
Compute: does $s_I \models_M \sigma$?

34. Traditional CTL Model-Checking Algorithms

Compute all states in S satisfying σ, then see if $s_I$ is in this set. Why is the calculation of these sets of states possible? Because of Kleene and the recursive characterizations of the operators!

35. Continuous Functions on Lattices

Definition. Let $\langle E, \sqsubseteq, \bigsqcup, \bigsqcap \rangle$ be a lattice. Then $f : E \to E$ is continuous if for every chain $e_0 \sqsubseteq e_1 \sqsubseteq \cdots$,
$f\left(\bigsqcup_{i=0}^{\infty} e_i\right) = \bigsqcup_{i=0}^{\infty} f(e_i)$.
Lemma.
1. Every continuous function is monotonic.
2. If $|E| < \infty$ then every monotonic function is continuous.

36. Kleene's Fixpoint Theorem

Let $\langle E, \sqsubseteq, \bigsqcup, \bigsqcap \rangle$ be a complete lattice, and let $f : E \to E$ be continuous. Then $\mu f \in E$ and $\nu f \in E$, the least and greatest fixpoints of f respectively, can be given as follows:
$\mu f = \bigsqcup_{i=0}^{\infty} f^i$, where $f^0 = \bot$ and $f^{i+1} = f(f^i)$;
$\nu f = \bigsqcap_{i=0}^{\infty} \hat f^i$, where $\hat f^0 = \top$ and $\hat f^{i+1} = f(\hat f^i)$.

37. How Does This Help?

For a finite-state Kripke structure $\langle S, A, R, l, s_I \rangle$, the complete lattice $\langle 2^S, \subseteq, \bigcup, \bigcap \rangle$ is finite. CTL operators are least / greatest fixpoints of functions f(w) over this lattice. All functions for PNF CTL are monotonic, hence continuous over this lattice.

38. Calculating the Least Solution to an Equation

Assume the equation is $x \equiv f(x)$. Set $x = \emptyset$ (i.e. ff). Compute f(x). If x = f(x) we're done; otherwise set x to f(x) and repeat.
E.g. $x \equiv a \vee AX\,x$ (in other words, which states satisfy AF a?):
x | f(x)
∅ | {1} = a ∨ AX ∅
{1} | {1, 2} = a ∨ AX {1}
{1, 2} | {1, 2} = a ∨ AX {1, 2}
[Figure: Kripke structure with states 0, 1, 2, 3; state 1 is labelled a.]

39. Another Example: E(a U b)

We need to calculate the least solution to $x \equiv b \vee (a \wedge EX\,x)$.
Table: x | f(x)
[Figure: Kripke structure with states 0, 1, 2, 3 labelled with a and b.]

40. Calculating the Largest Solution to an Equation

Set x = S (i.e. tt). Compute f(x). If x = f(x), we're done; otherwise set x to f(x) and repeat.
E.g. $x \equiv a \wedge EX\,x$ (in other words, which states satisfy EGa?):
x | f(x)
{0, 1} | {0} = a ∧ EX {0, 1}
{0} | {0} = a ∧ EX {0}
[Figure: Kripke structure with states 0 and 1; state 0 is labelled a.]

41. Least vs. Greatest: An Example

Consider the equation $x \equiv b \vee (a \wedge AX\,x)$.
Least solution: table x | f(x).
Greatest solution: table x | f(x).
[Figure: Kripke structure with states 0, 1, 2, 3 labelled with a and b.]

42. Classical CTL Model Checking

Recall that traditional CTL model checkers calculate all states that satisfy a given formula, then ask if the start state is in this set. So how is the set of states calculated? By processing the formula from the inside out!

43. Example: AFAGa

First: for AG a, calculate the largest solution to $x = a \wedge AX\,x$ (table x | f(x)).
Second: for AF x, compute the least solution to $y = x \vee AX\,y$ (table y | g(y)).
[Figure: Kripke structure with states 0, 1, 2; states 0 and 2 are labelled a.]
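The inside-out, fixpoint-based computation of slides 38 through 43 in working code. This is an added example, not code from the lecture: it represents a Kripke structure with Python sets, computes the set of states satisfying each PNF CTL subformula, and obtains least fixpoints by Kleene iteration from ∅ and greatest fixpoints by iteration from S. The recursive characterizations used for EF, AG, EU, ER and their A-variants are the standard ones (an assumption here, since slide 12 lists them without giving them), and the transition relation R is assumed total, so AX never holds vacuously at a deadlocked state. The four-state structure at the bottom is constructed for the example.

```python
"""Set-based CTL model checking by fixpoint iteration (added example, not lecture code).

A Kripke structure M = (S, A, R, l, s_I) is represented with Python sets; CTL
formulas in positive normal form are nested tuples such as
("AF", ("AG", ("atom", "a"))).  The transition relation is assumed total.
"""


class Kripke:
    def __init__(self, states, transitions, labels, initial):
        self.S = frozenset(states)
        self.R = frozenset(transitions)                       # pairs (s, s')
        self.l = {s: frozenset(labels.get(s, ())) for s in self.S}
        self.s_I = initial
        self.succ = {s: frozenset(t for (u, t) in self.R if u == s) for s in self.S}

    def ex(self, T):
        """EX T: states with at least one successor in T."""
        return frozenset(s for s in self.S if self.succ[s] & T)

    def ax(self, T):
        """AX T: states all of whose successors lie in T."""
        return frozenset(s for s in self.S if self.succ[s] <= T)


def iterate(f, start):
    """Kleene iteration: x_0 = start, x_{i+1} = f(x_i), until x_{i+1} = x_i.
    Started from the empty set this is the least fixpoint (mu f); started from
    S it is the greatest fixpoint (nu f); the lattice 2^S is finite, so it stops."""
    x = start
    while True:
        y = f(x)
        if y == x:
            return x
        x = y


def sat(M, phi):
    """Set of states of M satisfying the PNF formula phi, computed inside-out."""
    op, *args = phi
    if op == "atom":
        return frozenset(s for s in M.S if args[0] in M.l[s])
    if op == "not":                                    # PNF: negation only on atoms
        return M.S - sat(M, ("atom", args[0]))
    if op == "and":
        return sat(M, args[0]) & sat(M, args[1])
    if op == "or":
        return sat(M, args[0]) | sat(M, args[1])
    if op == "EX":
        return M.ex(sat(M, args[0]))
    if op == "AX":
        return M.ax(sat(M, args[0]))
    # Every remaining operator is a fixpoint of a function built from one
    # next-step modality: E-operators use EX, A-operators use AX.
    nxt = M.ex if op[0] == "E" else M.ax
    bottom, top = frozenset(), M.S
    if op in ("EF", "AF"):                             # lfp w. sigma or X w
        s1 = sat(M, args[0])
        return iterate(lambda w: s1 | nxt(w), bottom)
    if op in ("EG", "AG"):                             # gfp w. sigma and X w
        s1 = sat(M, args[0])
        return iterate(lambda w: s1 & nxt(w), top)
    s1, s2 = sat(M, args[0]), sat(M, args[1])
    if op in ("EU", "AU"):                             # lfp w. sigma2 or (sigma1 and X w)
        return iterate(lambda w: s2 | (s1 & nxt(w)), bottom)
    if op in ("ER", "AR"):                             # gfp w. sigma2 and (sigma1 or X w)
        return iterate(lambda w: s2 & (s1 | nxt(w)), top)
    raise ValueError(f"unknown operator {op!r}")


def model_checks(M, phi):
    """M sat phi  iff  s_I is in the set of states satisfying phi."""
    return M.s_I in sat(M, phi)


# Constructed example structure (not from the lecture): 0 -> 1 -> 3 -> 3 and 0 -> 2 -> 2,
# with a true at 0, 1, 3 and b true only at 3.
EXAMPLE = Kripke(
    states={0, 1, 2, 3},
    transitions={(0, 1), (0, 2), (1, 3), (2, 2), (3, 3)},
    labels={0: {"a"}, 1: {"a"}, 2: set(), 3: {"a", "b"}},
    initial=0,
)

if __name__ == "__main__":
    a, b = ("atom", "a"), ("atom", "b")
    for name, phi in [("AF b", ("AF", b)), ("EG a", ("EG", a)),
                      ("A(a U b)", ("AU", a, b)), ("AF AG a", ("AF", ("AG", a)))]:
        print(f"{name:10s} {sorted(sat(EXAMPLE, phi))}  M sat? {model_checks(EXAMPLE, phi)}")
```

On the constructed structure the start state 0 satisfies EG a (via 0, 1, 3, 3, ...) but not AF AG a, because the path 0, 2, 2, ... never reaches a state where a holds forever; the same iteration from ∅ versus from S is what separates the least-fixpoint operators (AF, EF, EU, AU) from the greatest-fixpoint ones (AG, EG, ER, AR).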

44. Pragmatics I: Solving Equations Efficiently

Let $M = \langle S, A, R, l, s_I \rangle$ be a Kripke structure. Define $|M| = |S| + |R|$.
Claim: the equations defining CTL operators can be solved in $|M|$ time. How? Counters.

45. Huh?

E.g. to get the least solution to $x = \sigma \vee AX\,x$ (assuming σ is already known):
Associate a counter with each state. The counter reflects the number of transitions leading to states not in the current approximation to the solution. When a state moves into the solution, the counters of the states with transitions leading to that state must be updated.

46. Example: AF a

Must calculate the smallest solution to $x = a \vee AX\,x$, starting from $x = \{\}$.
[Figure: Kripke structure with states 0 through 4; states 1 and 4 are labelled a, and each state carries a counter.]
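The counter scheme of slides 44 through 46, as an added example that is not code from the lecture. Each state keeps the number of its transitions that still lead outside the current approximation; when a state enters the solution, only the counters of its predecessors are touched, and a predecessor whose counter reaches zero enters in turn. Every state is enqueued at most once and every transition decremented at most once, which is where the $|S| + |R|$ bound comes from. The equation solved is the general $x = \sigma_2 \vee (\sigma_1 \wedge AX\,x)$ (the standard characterization of A(σ1 U σ2), assumed here), with AF σ as the case σ1 = tt; the EU variant is included to show why the existential equation needs no counters at all. The state sets are constructed for the example.

```python
"""Counter-based solution of x = sigma2 or (sigma1 and AX x) in O(|S| + |R|).

Added example, not lecture code.  Instead of recomputing AX over the whole
state set on every round, each state keeps a count of its transitions that
still lead outside the current approximation; a state joins the solution the
moment that count drops to zero.
"""
from collections import deque


def au_counters(states, transitions, sat1, sat2):
    """Least solution of x = sat2 | (sat1 & AX x), i.e. the states satisfying
    A(sigma1 U sigma2); sat1 and sat2 are the (already computed) state sets."""
    pred = {s: [] for s in states}
    counter = {s: 0 for s in states}        # transitions from s not yet into the solution
    for (u, v) in transitions:
        pred[v].append(u)
        counter[u] += 1
    solution = set(sat2)                     # sigma2-states belong to every solution
    work = deque(solution)
    while work:
        s = work.popleft()                   # s has just entered the solution ...
        for p in pred[s]:                    # ... so each transition p -> s now leads inside
            counter[p] -= 1
            if counter[p] == 0 and p in sat1 and p not in solution:
                solution.add(p)              # all successors of p are in: AX x holds at p
                work.append(p)
    return frozenset(solution)


def af_counters(states, transitions, sat_sigma):
    """AF sigma = A(tt U sigma): the least solution of x = sigma or AX x."""
    return au_counters(states, transitions, states, sat_sigma)


def eu_reach(states, transitions, sat1, sat2):
    """Least solution of x = sat2 | (sat1 & EX x), i.e. E(sigma1 U sigma2).
    One successor inside the solution already suffices, so no counters are
    needed: this is plain backward reachability through sigma1-states."""
    pred = {s: [] for s in states}
    for (u, v) in transitions:
        pred[v].append(u)
    solution = set(sat2)
    work = deque(solution)
    while work:
        s = work.popleft()
        for p in pred[s]:
            if p in sat1 and p not in solution:
                solution.add(p)
                work.append(p)
    return frozenset(solution)


# Constructed example (not from the lecture): 0 -> 1 -> 3 -> 3 and 0 -> 2 -> 2,
# with a true at 0, 1, 3 and b true only at 3.
STATES = {0, 1, 2, 3}
TRANSITIONS = {(0, 1), (0, 2), (1, 3), (2, 2), (3, 3)}
SAT_A = {0, 1, 3}
SAT_B = {3}

if __name__ == "__main__":
    print("AF b     =", sorted(af_counters(STATES, TRANSITIONS, SAT_B)))
    print("A(a U b) =", sorted(au_counters(STATES, TRANSITIONS, SAT_A, SAT_B)))
    print("E(a U b) =", sorted(eu_reach(STATES, TRANSITIONS, SAT_A, SAT_B)))
```

State 0 never enters AF b: its counter starts at 2 (successors 1 and 2) and only the transition to 1 is ever discharged, because 2 sits on a self-loop outside the solution. The same state does enter E(a U b), since one successor in the solution is enough there.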

47. Complexity

The best classical algorithms process each state/transition once per subformula. How many subformulas are there in a formula σ? $|\sigma|$! ($|\sigma|$ is the number of operators in σ.) So for a Kripke structure M and CTL formula σ, model checking takes $O(|M| \cdot |\sigma|)$ time.

48. Pragmatics II: Short-circuiting

... stop the computation once the status of the start state is known. E.g. if a least solution is being calculated and the start state is added to an intermediate approximation, we can stop.
... does not affect complexity, but can improve practical performance.

49. Pragmatics III: On-the-fly Model Checking

... short-circuiting taken to the extreme.
... takes a top-down view ("what is the minimal information I need to compute to check whether $s_I \models_M \sigma$?").
Approaches can be formulated in terms of proof search involving proof rules like the ones we have studied. Subtlety: circularity.

50. Pragmatics IV: Efficient Data Structures

Classical algorithms require manipulations of sets of states: unions and intersections, equality checking, and transitions from/to sets of states. The right data structure can yield dramatic time/space improvements!

51. Example: (Ordered) Binary Decision Diagrams

In some applications states are fixed-width bit vectors (e.g. Murϕ with only boolean variables). OBDDs are data structures for representing sets of bit vectors compactly; union, intersection and equality are all supported efficiently. In the hardware community, the most successful model checkers use OBDDs.

52. OBDDs and Sets of Fixed-Width Bit Vectors

An OBDD is a directed acyclic graph with a leaf labelled 0 and a leaf labelled 1, each internal node labelled by a variable, and each internal node having two outgoing edges, one labelled 0 and one labelled 1. In addition, OBDDs satisfy:
1. no isomorphic subgraphs;
2. no "don't cares".

53. Example

An OBDD for the set {000, 001, 011} with ordering $v_1 < v_2 < v_3$.
[Figure: OBDD with one node each for $v_1$, $v_2$ and $v_3$, plus the leaves 0 and 1.]

54. Example

An OBDD for the set {000, 001, 011} with ordering $v_3 < v_1 < v_2$.
[Figure: OBDD with a $v_3$ root, two $v_1$ nodes and one $v_2$ node, plus the leaves 0 and 1.]

55. Facts about OBDDs

1. The variable ordering influences the size of an OBDD.
2. Given a fixed variable ordering, the set representation is canonical (equal sets have isomorphic OBDDs).
3. Efficient implementations exist for union, intersection, complementation, projection, ...

56. How Are OBDDs Used in Model Checking?

... to represent Kripke structures: states are represented as bit vectors of length n, transitions as bit vectors of length 2n.
... to represent approximate solutions during equation solving: if x = f(x) is an equation, the process of applying f to get new approximations can be given as a function on OBDDs!
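A small reduced OBDD implementation for sets of fixed-width bit vectors, added here as an example of slides 52 through 56 and not code from the lecture. The two reduction rules are enforced at node creation: a node whose 0- and 1-branches coincide is never built (no "don't cares"), and a unique table hands back the existing node for a repeated (variable, low, high) triple (no isomorphic subgraphs). Because of this hash-consing, equal sets under the same ordering end up as the same node, so equality is a single comparison, and union/intersection are the usual recursive apply over both diagrams. The set {000, 001, 011} from slides 53 and 54 is used with both orderings; variable $v_k$ is bit index k−1 of each tuple.

```python
"""Reduced ordered BDDs for sets of fixed-width bit vectors (added example, not
lecture code).  Terminals are the ids 0 and 1; an internal node id maps to a
(var, low, high) triple.  mk() enforces both reduction rules, so for a fixed
variable ordering equal sets are represented by the very same node id."""


class OBDD:
    def __init__(self, order):
        self.order = list(order)        # variable indices, first-decided variable first
        self.level = {v: i for i, v in enumerate(self.order)}
        self.unique = {}                # (var, low, high) -> node id
        self.nodes = {}                 # node id -> (var, low, high)
        self.next_id = 2

    def mk(self, var, low, high):
        if low == high:                           # reduction 2: both branches agree
            return low
        key = (var, low, high)
        if key not in self.unique:                # reduction 1: reuse an identical node
            self.unique[key] = self.next_id
            self.nodes[self.next_id] = key
            self.next_id += 1
        return self.unique[key]

    def from_set(self, vectors, depth=0):
        """Node for a set of bit tuples, splitting on the variables in order."""
        if depth == len(self.order):              # every bit decided: at most one vector left
            return 1 if vectors else 0
        var = self.order[depth]
        low = self.from_set({v for v in vectors if v[var] == 0}, depth + 1)
        high = self.from_set({v for v in vectors if v[var] == 1}, depth + 1)
        return self.mk(var, low, high)

    def contains(self, node, vector):
        """Membership: follow the vector's bits down to a terminal."""
        while node not in (0, 1):
            var, low, high = self.nodes[node]
            node = high if vector[var] == 1 else low
        return node == 1

    def _level(self, node):
        return len(self.order) if node in (0, 1) else self.level[self.nodes[node][0]]

    def apply(self, op, u, v, memo=None):
        """Combine two diagrams with a boolean op on terminals (union a|b, intersection a&b)."""
        memo = {} if memo is None else memo
        if (u, v) in memo:
            return memo[(u, v)]
        if u in (0, 1) and v in (0, 1):
            result = op(u, v)
        else:
            lu, lv = self._level(u), self._level(v)
            var = self.order[min(lu, lv)]         # split on whichever variable comes first
            u0, u1 = self.nodes[u][1:] if lu <= lv else (u, u)
            v0, v1 = self.nodes[v][1:] if lv <= lu else (v, v)
            result = self.mk(var, self.apply(op, u0, v0, memo), self.apply(op, u1, v1, memo))
        memo[(u, v)] = result
        return result

    def size(self, node):
        """Number of internal nodes reachable from node."""
        seen, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n in (0, 1) or n in seen:
                continue
            seen.add(n)
            stack.extend(self.nodes[n][1:])
        return len(seen)


# The slides' set {000, 001, 011}: bit k of each tuple is v_{k+1}.
SET = {(0, 0, 0), (0, 0, 1), (0, 1, 1)}


def example_sizes():
    """Internal-node counts for the orderings v1 < v2 < v3 and v3 < v1 < v2."""
    d123, d312 = OBDD([0, 1, 2]), OBDD([2, 0, 1])
    return d123.size(d123.from_set(SET)), d312.size(d312.from_set(SET))


def canonicity_check():
    """The set built directly and as a union of two parts yields the same node id."""
    d = OBDD([0, 1, 2])
    direct = d.from_set(SET)
    union = d.apply(lambda a, b: a | b, d.from_set({(0, 0, 0), (0, 0, 1)}), d.from_set({(0, 1, 1)}))
    return direct == union and d.contains(union, (0, 1, 1)) and not d.contains(union, (0, 1, 0))


if __name__ == "__main__":
    print("sizes (v1<v2<v3, v3<v1<v2):", example_sizes())   # 3 and 4 internal nodes
    print("canonical:", canonicity_check())
```

The node counts 3 and 4 match the two figures on slides 53 and 54, which is fact 1 of slide 55 in miniature; the union test is fact 2, and the same apply routine with `a & b` gives intersection, which is what an equation solver needs when it applies f to an OBDD-represented approximation.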