symbolic ctl model checking - uio
TRANSCRIPT
Symbolic CTL Model Checking
Crystal Chang Din
Precise Modeling and Analysis group (PMA),University of Oslo
INF9140 - Specification and Verification of Parallel Systems
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 1 / 27
Outline
1 Computation Tree Logic (CTL)
2 CTL Model Checking Algorithm
3 Symbolic CTL Model Checking
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 2 / 27
Recall of LTL
A linear logic over an infinite sequence of states.
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 3 / 27
Transition System and Computation TreeAssume TS is finite, and has no terminal states, we can unfold it at achosen state into an infinite computation tree.
CTL introduces two path quantifiers:∀ : all computations that start in a state (implicitly expressed in LTL)∃ : some computations that start in a state (cannot be expressed in LTL)
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 4 / 27
Some Basic CTL Formulae
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 5 / 27
Syntax of CTL
State formulae:
Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∀ϕ | ∃ϕ
where α ∈ AP (atomic proposition)
Path formulae:ϕ ::=© Φ | Φ1 U Φ2
Four possible ways to turn path formulae into state formulae:
∀© ∀ U ∃© ∃U
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 6 / 27
Examples of CTL formulae
Illegal CTL formulaeI ∃(x = 1 ∧ y > 4)I ∃© (true U (x = 1))
Legal CTL formulaeI ∃© (x = 1 ∧ y > 4)I ∃© ∀(true U (x = 1))
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 7 / 27
Derived Temporal Modalities
eventuallyI ∃♦Φ ≡ ∃(true U Φ) Φ holds potentiallyI ∀♦Φ ≡ ∀(true U Φ) Φ is inevitable
alwaysI ∃�Φ ≡ ¬∀♦¬Φ ( 6= ∃♦¬Φ) potentially always ΦI ∀�Φ ≡ ¬∃♦¬Φ ( 6= ∀♦¬Φ) invariantly Φ
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 8 / 27
Satisfaction Relation for CTL
Let transition system TS = (S,Act,→,I,AP,L), state s ∈ S, α be an atomicproposition, Φ1,Φ2 be CTL state formulae, and ϕ be a CTL path formulae.
The satisfaction relation � is defined for state formulae by
s � α iff α ∈ L(s)s � ¬Φ iff not s � Φs � Φ1 ∧ Φ2 iff (s � Φ1) and (s � Φ2)s � ∃ϕ iff π � ϕ for some π ∈ Path(s)s � ∀ϕ iff π � ϕ for all π ∈ Path(s)
For path π, the satisfaction relation � for path formulae is defined by
π � © Φ iff π[1] � Φ
π � Φ1 U Φ2 iff ∃j≥0. (π[j ] � Φ2 ∧ (∀0 ≤ k < j .π[k] � Φ1))
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 9 / 27
Expressiveness of CTL vs. LTL
Intuitively, the LTL formula ♦�α is equivalent to the CTL formula ∀♦∀�α.However, s0 � ♦�α and s0 6� ∀♦∀�α are shown in the following case.
1 ♦�α:α will eventually forever hold from some state
2 ∀♦∀�α:On any computation, eventually some state, s say,is reached such that s � ∀�α
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 10 / 27
Satisfaction Set
Given a transition system TS , the satisfaction set Sat(Φ) for CTL-stateformula Φ is defined by:
Sat(Φ) = { s ∈ S | s � Φ}
For example:
Sat(∀�a) = {s3}
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 11 / 27
CTL Semantics for Transition System
TS � Φ iff ∀s0 ∈ I . s0 � Φ
in other words, TS � Φ iff I ⊆ Sat(Φ)
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 12 / 27
Outline
1 Computation Tree Logic (CTL)
2 CTL Model Checking Algorithm
3 Symbolic CTL Model Checking
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 13 / 27
CTL in Existential Normal Form (ENF)
Φ ::= true | α | ¬Φ | Φ1 ∧ Φ2 | ∃©Φ | ∃( Φ1 U Φ2) | ∃�Φ
Other CTL formulae can be translated into equivalent ENF formulae:∃♦Φ ≡ ∃(true U Φ)∀© Φ ≡ ¬∃©¬Φ∀(Φ1 U Φ2) ≡ ¬∃(¬Φ2 U (¬Φ1 ∧ ¬Φ2)) ∧ ¬∃�¬Φ2∀♦Φ ≡ ¬∃�¬Φ∀�Φ ≡ ¬∃♦¬Φ = ¬∃(true U ¬Φ)
CTL in ENF has the same expressiveness as CTL
We will use ENF of CTL in the model checking algorithm
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 14 / 27
Overview of the Algorithm
To verify for a given transition system TS and CTL formula Φ whetherTS � Φ, the procedure is:
1 recursive computation of the sets Sat(Ψ) for all subformulae Ψ of Φ
2 checking whether I ⊆ Sat(Φ)
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 15 / 27
Computation of the Satisfaction Sets
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 16 / 27
Sat(∃�Φ)T0 = Sat(Φ) and Ti+1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}until Ti+1 = Ti (reach the greatest fix point)
i.e. Sat(∃�b) = {s0, s2, s4}
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 17 / 27
Sat(∃(Φ1 U Φ2))
T0 = Sat(Φ2) and Ti+1 = Ti ∪ {s ∈ Sat(Φ1)|Post(s) ∩ Ti 6= ∅}until Ti+1 = Ti (reach the smallest fix point)
i.e. Sat(∃(true U (a = c) ∧ (a 6= b))) = {s4, s5, s6, s7}
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 18 / 27
Time Complexity
Let TS be a finite transition system with N states and K transitions. Ψ asubformula of Φ. The time complexity of calculating Sat(Ψ) is
O(N+K)
Also, there are |Φ| subformulae of Φ. The total time complexity ofcalculating Sat(Φ) is therefore
O((N+K) · |Φ|)
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 19 / 27
Outline
1 Computation Tree Logic (CTL)
2 CTL Model Checking Algorithm
3 Symbolic CTL Model Checking
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 20 / 27
Why Symbolic?
Original version of CTL model checkingI single state and single transition at a timeI record all the predecessors and successors in each stateI iterative computation: union and intersection of setsI state explosion problem in large transition systems
Symbolic versionI sets of states and sets of transitions at a timeI binary encoding of statesI one boolean function for each satisfaction setI one boolean function for all the transitionsI iterative computation:conjunction and disjunction of a sequence of bitsI very efficient
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 21 / 27
Encoding States
Binary encoding (enc) of states, as vectors of n bits:
enc : S → {0, 1}n
For example:8 states (s0, s1, ..., s7) can be encoded with 3 bitss0: 000s1: 001...s7: 111
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 22 / 27
Two Boolean Functions (XT and 4)
XT : to encode set of states T ⊆ S (i.e. T=Sat(α)):
XT : {0, 1}n→ {0,1} s.t. XT (s)=1 iff s ∈ T
4: to encode set of transitions → ⊆ S x S :
4 : {0, 1}2n→ {0,1} s.t. 4(s,s’)=1 iff s → s’
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 23 / 27
Sat(∃�b) in Symbolic Version
binary decision tree (BDT)
8 states (s0, s1, ..., s7) can be encoded with 3 bits (z1z2z3)XT (z1, z2, z3) → {0,1},T=Sat(b) i.e. XT (s2) = XT (0,1,0) = 14(z1, z2, z3, z ′1, z
′2, z
′3) → {0,1} i.e. 4(s1, s2) = 4(0,0,1,0,1,0) = 0
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 24 / 27
Symbolic Computation
T0 = Sat(Φ2) and Ti+1 = Ti ∪ {s ∈ Sat(Φ1)|Post(s) ∩ Ti 6= ∅}
T0 = Sat(Φ) and Ti+1 = Ti ∩ {s ∈ Sat(Φ)|Post(s) ∩ Ti 6= ∅}
continue the example from last slide: f0 : 00010111 → f1 : 00010101 → f2 : 00010101
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 25 / 27
From BDT to BDDbinary decision diagram (BDD): a reduced version of BDT
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 26 / 27
Reference
C. Baier and J.-P. Katoen, “Principles of Model Checking”(The MIT Press, 2008).Figures, algorithms and samples taken from Chapter 6 of the book above.
Crystal Chang Din @ UiO Symbolic CTL Model Checking 12.05.2011 27 / 27