Reasoning about Real-time Systems: Temporal Logics, Model Checking and Timed Automata
Huang-Ming Huang
Department of Computer Science and Engineering, Washington University in St. Louis
Outline: Mu-calculus and Model Checking; The Model Checker SPIN; Timed Automata: Semantics, Algorithms and Tools
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 1 / 35
Introduction
Theme of the talk : verify the correctness of computer systems, especially long-running systems, and extend this to real-time systems.
System verification methods : test based, proof based, model checking.
Context of model checking : concurrent and reactive systems.
Constituents of model checking : a framework for modeling systems, property specification languages, verification algorithms.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 2 / 35
Papers to discuss
Em97 : Model Checking and the Mu-calculus, by E. A. Emerson. Syntax and semantics of temporal logics; taxonomy and complexity of different model checking approaches.
Ho97 : The Model Checker SPIN, by G. J. Holzmann. The verification algorithm adopted by SPIN; optimizations used by the SPIN model checker.
BY04 : Timed Automata: Semantics, Algorithms and Tools, by J. Bengtsson and W. Yi. Model checking with time; algorithms and optimizations used by the Uppaal model checker.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 3 / 35
Model Checking and the Mu-calculus
System Models
A state transition system is a quadruple (S, S0, T, L), where
  S : set of states
  S0 : set of initial states
  T : set of transitions such that for each α ∈ T, α ⊆ S × S
  L : S → 2^AP
A Kripke structure is a state transition system with a single transition relation R such that ∀s ∈ S ∃s′ (R(s, s′)).
Example (figure omitted) : the microwave oven Kripke structure, with states labeled by the atomic propositions Start, Close, Heat and Error; adapted from “Model Checking” by Clarke, Grumberg and Peled.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 5 / 35
Temporal Logics
Property Specification Languages : Temporal Logics
(Propositional) Linear Temporal Logic (LTL, PTL, PLTL)
Branching Time Logic : CTL (Computation Tree Logic), CTL*, µ-calculus
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 6 / 35
Temporal Operators Describe the Properties of Paths Through Transition Systems
(figure omitted : paths illustrating the operators)
Xp : Next p (p holds in the next state of the path)
Fp : Eventually p (p holds in some state along the path)
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 7 / 35
Path Quantifiers Specify the Properties of All or Some of the Paths Starting from a State
(figure omitted : a computation tree illustrating EF p, where some path from the root reaches a state satisfying p)
Syntax of Temporal Logics
LTL : propositional logic with temporal operators
  φ ::= true | false | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | (Xφ) | (Fφ) | (Gφ) | (φ U φ)
CTL : propositional logic with temporal operators prefixed with path quantifiers
  φ ::= true | false | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | AX φ | EX φ | AF φ | EF φ | AG φ | EG φ | A[φ U φ] | E[φ U φ]
CTL* : a temporal operator can be prefixed by another temporal operator, e.g. EGF p
  φ ::= true | false | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | A[α] | E[α]
  α ::= φ | (¬α) | (α ∧ α) | (α U α) | (Gα) | (Fα) | (Xα)
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 9 / 35
Fixpoints
Given a domain D and a function τ : D → D, v ∈ D is a fixpoint of τ iff τ(v) = v.
Least fixpoint µZ · τ(Z) : obtained by iterating τ starting from false.
Greatest fixpoint νZ · τ(Z) : obtained by iterating τ starting from true.
(figure omitted : the chain false, τ(false), τ(τ(false)), … rising to the least fixpoint, and the chain true, τ(true), … descending to the greatest fixpoint)
µ-Calculus Syntax and Its Expressibility
µ-calculus syntax : propositional logic with fixpoint operators
  φ ::= true | false | p | ¬φ | φ ∧ φ | φ ∨ φ | φ → φ | Z | µZ · φ | νZ · φ | EX φ | AX φ
µ-calculus and CTL
  EF p ≡ µZ · p ∨ EX Z
  AG p ≡ νZ · p ∧ AX Z
  AF p ≡ µZ · p ∨ AX Z
  EG p ≡ νZ · p ∧ EX Z
  A[p U q] ≡ µZ · q ∨ (p ∧ AX Z)
  E[p U q] ≡ µZ · q ∨ (p ∧ EX Z)
Iteration for EF p with τ(Z) = p ∨ EX Z : start from false, compute τ(false) = p ∨ EX false, and keep applying τ until the set of states stops changing.
(figure omitted : the iteration on the example structure)
Expressibility of Temporal Logics
LTL : only able to assert properties that hold for all runs of a transition system.
CTL : unable to assert properties with fairness constraints.
CTL* : (LTL ∪ CTL) ⊂ CTL*.
µ-calculus : less human readable than LTL, CTL and CTL*, but its inductive definability is a useful basis for model checking algorithms.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 13 / 35
Model Checking Algorithms
Taxonomy of Model Checking Algorithms
Explicit State vs Symbolic State
Global Calculation vs Local Search
Monolithic Structures vs Incremental (On-the-fly) Algorithms
(figures omitted : the microwave oven example, with states labeled ¬Start ¬Close ¬Heat ¬Error, checked against AG (Start → AF Heat); a monolithic structure compared with an incremental, on-the-fly algorithm, shown as an animation)
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 14 / 35
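The µ-calculus equivalences above and the AG (Start → AF Heat) check on the microwave example are what a global, explicit-state, monolithic checker computes. The following is an added example, not code from the slides or from Emerson's paper: the Kripke structure is constructed here (loosely modelled on the microwave oven, with the propositions Start, Close, Heat and Error; it is not the figure's structure), sets of states play the role of the domain D, and each CTL operator is computed by iterating its τ from false (least fixpoint) or from true (greatest fixpoint) until the set stops changing.

```python
"""Explicit-state, global CTL model checking via mu-calculus fixpoints.

Added example (not the slides' code).  The Kripke structure is constructed here,
loosely modelled on the microwave oven example with the atomic propositions
Start, Close, Heat and Error; it is not the figure from the slides.  The domain
D is the set of state sets; mu iterates tau from false (the empty set) and nu
iterates tau from true (all states) until the set stops changing."""

from typing import Callable, Dict, FrozenSet, Set

States = FrozenSet[int]

# Constructed transition relation; every state has a successor (Kripke structure).
R: Dict[int, Set[int]] = {
    1: {2, 4},      # door open: press Start (2) or close the door (4)
    2: {3},         # Start with the door open leads to an error
    3: {1},         # reset clears the error
    4: {1, 5},      # door closed: open it again or press Start
    5: {6},         # Start with the door closed: heating begins
    6: {6, 1},      # keep heating, or stop and open the door
}
L: Dict[int, Set[str]] = {
    1: set(), 2: {"Start"}, 3: {"Start", "Error"},
    4: {"Close"}, 5: {"Start", "Close"}, 6: {"Start", "Close", "Heat"},
}
ALL: States = frozenset(R)

def atom(p: str) -> States:
    return frozenset(s for s in ALL if p in L[s])

def neg(z: States) -> States:
    return ALL - z

def implies(a: States, b: States) -> States:
    return neg(a) | b

def ex(z: States) -> States:
    """EX Z: states with at least one successor in Z."""
    return frozenset(s for s in ALL if R[s] & z)

def ax(z: States) -> States:
    """AX Z: states all of whose successors are in Z."""
    return frozenset(s for s in ALL if R[s] <= z)

def lfp(tau: Callable[[States], States]) -> States:
    """mu Z . tau(Z): iterate from false until tau(Z) = Z."""
    z: States = frozenset()
    while tau(z) != z:
        z = tau(z)
    return z

def gfp(tau: Callable[[States], States]) -> States:
    """nu Z . tau(Z): iterate from true until tau(Z) = Z."""
    z = ALL
    while tau(z) != z:
        z = tau(z)
    return z

# The CTL operators written exactly as the slide gives them in the mu-calculus.
def EF(p: States) -> States: return lfp(lambda z: p | ex(z))
def AG(p: States) -> States: return gfp(lambda z: p & ax(z))
def AF(p: States) -> States: return lfp(lambda z: p | ax(z))
def EG(p: States) -> States: return gfp(lambda z: p & ex(z))
def AU(p: States, q: States) -> States: return lfp(lambda z: q | (p & ax(z)))
def EU(p: States, q: States) -> States: return lfp(lambda z: q | (p & ex(z)))

def verdicts(initial: int = 1) -> Dict[str, bool]:
    """Evaluate a few formulas and report whether the initial state satisfies each."""
    start, heat, close, error = atom("Start"), atom("Heat"), atom("Close"), atom("Error")
    sat = {
        "AG (Start -> AF Heat)": AG(implies(start, AF(heat))),   # fails: open-door error loop
        "EF Heat": EF(heat),
        "AG (Heat -> Close)": AG(implies(heat, close)),
        "E[!Heat U Error]": EU(neg(heat), error),
    }
    return {name: initial in states for name, states in sat.items()}

if __name__ == "__main__":
    for name, holds in verdicts().items():
        print(f"{name:24s} {holds}")
```

AG (Start → AF Heat) fails in this constructed structure for the same reason as in the textbook oven: Start can be pressed with the door open, the error can be reset, and that loop never heats. Because the computation is global, every operator is evaluated over all states before the initial state is looked up, which is exactly the cost the on-the-fly algorithms on the next slides avoid.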
Complexities of Model Checking Algorithms
Explicit state
  CTL : O(|M| · |f|)
  LTL, CTL* : PSPACE complete, O(|M| · e^|f|)
  General µ-calculus : NP ∩ co-NP
Symbolic
  Theoretically PSPACE complete
  In practice : good performance when M can be represented by a small Ordered Binary Decision Diagram (OBDD)
  Useful for hardware circuit design and debugging
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 15 / 35
State Explosion Problem
Given a system composed of n processes running asynchronously, each modeled by a transition system M1, M2, · · · , Mn,
the model of the entire system is M = M1 ∪ M2 ∪ · · · ∪ Mn.
The number of global states grows exponentially in n.
Some optimization techniques are introduced in the next section.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 16 / 35
The Model Checker SPIN
SPIN Introduction
Developed from 1991 by Gerard Holzmann.
System model : the PROMELA language, converted to Büchi automata by the model checker.
Property specification : LTL.
Model checking algorithm : explicit state, local search, on-the-fly.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 18 / 35
Büchi Automata and LTL Model Checking
Büchi Automata
A Büchi automaton A = (Σ, Q, , Q0, F) is a finite automaton on infinite words.
A run is an infinite path in the graph of the automaton, e.g. ι s1 s2 s0 s1 s2 s0 · · ·
A run ρ is accepted by the automaton A iff at least one state in F appears infinitely often in ρ.
Büchi automata are closed under intersection and complementation.
(figure omitted : an example automaton with states ι, s0, s1, s2 and edges labeled with p, q)
LTL Model Checking
Use nested depth-first search to find if M ∩M′ 6= ∅
First DFS : looking for an accepting state Second DFS : looking for a cycle through the accepting state
On-the-fly algorithm : states of M ∩M′ generated as needed
p, q
p q
Kripke Structure
ι s0
s1 s2
p, q
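The nested depth-first search described above, as an added example that is not SPIN's code and not the slides' figure. M is a constructed Kripke structure over Start, Close, Heat and Error, in a buggy and a fixed variant; M′ is a Büchi automaton constructed here for the negation of G (Start → F Heat), i.e. F (Start ∧ G ¬Heat); guards are evaluated on the label of the state being left, which is an assumption about how the product is formed. Product states are created only when the search reaches them, and an accepting cycle is returned as a lasso (prefix, cycle).

```python
"""Nested depth-first search for LTL model checking, on the fly, as in SPIN.

Added example, not SPIN's code.  M is a constructed Kripke structure over the
propositions Start, Close, Heat, Error (two variants: a buggy oven and a fixed
one); M' is a Buechi automaton constructed here for the negation of
G (Start -> F Heat), i.e. F (Start & G !Heat).  Product states (s, q) are
created only when the search reaches them, so unreachable parts of M are never
built.  An accepting cycle in the product is an infinite run of M that violates
the property; the search returns it as a lasso (prefix, cycle)."""

from typing import Callable, Dict, List, Optional, Set, Tuple

PState = Tuple[int, str]
Guard = Callable[[Set[str]], bool]

LABELS: Dict[int, Set[str]] = {
    1: set(), 2: {"Start"}, 3: {"Start", "Error"},
    4: {"Close"}, 5: {"Start", "Close"}, 6: {"Start", "Close", "Heat"},
}
# Buggy oven: Start can be pressed with the door open (1 -> 2), giving an error
# loop 1 -> 2 -> 3 -> 1 that never heats.  Fixed oven: Start only after Close;
# states 2 and 3 still exist but are unreachable, so on-the-fly search never builds them.
BUGGY: Dict[int, List[int]] = {1: [2, 4], 2: [3], 3: [1], 4: [1, 5], 5: [6], 6: [6, 1]}
FIXED: Dict[int, List[int]] = {1: [4], 2: [3], 3: [1], 4: [1, 5], 5: [6], 6: [6, 1]}

# Buechi automaton for F (Start & G !Heat): q0 waits, q1 (accepting) must see
# !Heat forever.  A guard is evaluated on the label of the state being left (assumption).
BUCHI: Dict[str, List[Tuple[str, Guard]]] = {
    "q0": [("q0", lambda l: True),
           ("q1", lambda l: "Start" in l and "Heat" not in l)],
    "q1": [("q1", lambda l: "Heat" not in l)],
}
INIT_Q, ACCEPTING = "q0", {"q1"}

def find_counterexample(R: Dict[int, List[int]], s0: int = 1
                        ) -> Optional[Tuple[List[PState], List[PState]]]:
    visited1: Set[PState] = set()   # states seen by the first DFS
    visited2: Set[PState] = set()   # states seen by any second DFS (shared between them)
    path: List[PState] = []

    def successors(ps: PState):
        s, q = ps
        for s2 in R[s]:                      # step of M
            for q2, guard in BUCHI[q]:       # matching step of M'
                if guard(LABELS[s]):
                    yield (s2, q2)

    def dfs2(ps: PState, seed: PState, cycle: List[PState]) -> bool:
        """Second DFS: is there a cycle from seed back to seed?"""
        visited2.add(ps)
        cycle.append(ps)
        for nxt in successors(ps):
            if nxt == seed:
                cycle.append(seed)
                return True
            if nxt not in visited2 and dfs2(nxt, seed, cycle):
                return True
        cycle.pop()
        return False

    def dfs1(ps: PState):
        """First DFS: in post-order, start a second DFS from every accepting state."""
        visited1.add(ps)
        path.append(ps)
        for nxt in successors(ps):
            if nxt not in visited1:
                found = dfs1(nxt)
                if found:
                    return found
        if ps[1] in ACCEPTING:
            cycle: List[PState] = []
            if dfs2(ps, ps, cycle):
                return list(path), cycle
        path.pop()
        return None

    return dfs1((s0, INIT_Q))

if __name__ == "__main__":
    for name, model in (("buggy", BUGGY), ("fixed", FIXED)):
        result = find_counterexample(model)
        if result is None:
            print(f"{name}: G (Start -> F Heat) holds")
        else:
            prefix, cycle = result
            print(f"{name}: violated; prefix {[s for s, _ in prefix]} then cycle {[s for s, _ in cycle]}")
```

On the buggy model the second search, started in post-order from the first accepting product state it completes, closes the cycle 3 → 1 → 2 → 3 in which Heat never holds; on the fixed model every accepting product state is a dead end and the search returns nothing. The single shared `visited2` set is what keeps the whole procedure linear in the size of the product.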
SPIN optimization techniques
Partial Order Reduction : reduce the number of reachable states.
(figure omitted : two processes, T1 with the statements y := 1; g := g ∗ 2, and a second process whose statements x := 1 and g := g + 2 appear as edge labels, together with the global states (x, y, g) reached from (0, 0, 0) by interleaving their statements, e.g. (0,0,0) → (1,0,0) → (1,0,2) → (1,1,2) → (1,1,4) and (0,0,0) → (0,1,0) → (1,1,0) → (1,1,2))
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 21 / 35
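The reduction on the two-process program from the figure, as an added example that is not SPIN's implementation. T1's statements come from the figure; the second process's statements x := 1 and g := g + 2 are taken from the figure's edge labels, and the assumption that T2 runs them in that order is mine. The reduced search uses one simplified ample-set rule: when a process's next statement only writes its own local variable, explore that statement alone. It is sound for this program because such a statement is independent of every statement of the other process, invisible to any property over g, and the program is acyclic.

```python
"""Partial order reduction on the two-process program from the slide.

Added example, not SPIN's implementation.  T1 runs y := 1; g := g * 2 (from the
figure).  The second process's statements x := 1 and g := g + 2 are taken from
the figure's edge labels; that T2 runs them in this order is an assumption.
g is shared, y is local to T1 and x is local to T2.  The full search interleaves
every enabled statement.  The reduced search applies one simplified ample-set
rule: if some process's next statement only writes its own local variable,
explore that statement alone.  This is sound here because such a statement is
independent of every statement of the other process, is invisible to any
property over g, and the program is acyclic (no cycle condition to worry about).
Both searches reach exactly the same final values of g."""

from typing import Callable, FrozenSet, List, Set, Tuple

State = Tuple[int, int, int, int, int]          # (pc1, pc2, x, y, g)
Stmt = Tuple[str, Callable[[State], State]]     # ("local" | "global", effect)

T1: List[Stmt] = [
    ("local",  lambda s: (s[0] + 1, s[1], s[2], 1, s[4])),         # y := 1
    ("global", lambda s: (s[0] + 1, s[1], s[2], s[3], s[4] * 2)),  # g := g * 2
]
T2: List[Stmt] = [
    ("local",  lambda s: (s[0], s[1] + 1, 1, s[3], s[4])),         # x := 1
    ("global", lambda s: (s[0], s[1] + 1, s[2], s[3], s[4] + 2)),  # g := g + 2
]
INIT: State = (0, 0, 0, 0, 0)

def enabled(s: State) -> List[Stmt]:
    """Statements runnable in s: the next one of each unfinished process."""
    out: List[Stmt] = []
    if s[0] < len(T1):
        out.append(T1[s[0]])
    if s[1] < len(T2):
        out.append(T2[s[1]])
    return out

def ample(s: State, reduce: bool) -> List[Stmt]:
    """Subset of the enabled statements that the search expands from s."""
    en = enabled(s)
    if reduce:
        for st in en:
            if st[0] == "local":
                return [st]     # a single local step is a valid ample set here
    return en

def explore(reduce: bool) -> Set[State]:
    """Depth-first reachability; returns the set of explored global states."""
    seen: Set[State] = {INIT}
    stack: List[State] = [INIT]
    while stack:
        s = stack.pop()
        for _, effect in ample(s, reduce):
            n = effect(s)
            if n not in seen:
                seen.add(n)
                stack.append(n)
    return seen

def final_g(states: Set[State]) -> FrozenSet[int]:
    """Values of g in states where both processes have finished."""
    return frozenset(s[4] for s in states if s[0] == len(T1) and s[1] == len(T2))

if __name__ == "__main__":
    full, reduced = explore(False), explore(True)
    print("standard search:", len(full), "states, final g in", sorted(final_g(full)))
    print("reduced search: ", len(reduced), "states, final g in", sorted(final_g(reduced)))
```

The standard search builds ten global states, the reduced search seven, and both find that g can end as 2 or 4 (the two shared updates do not commute, so both of their orders are kept). A real ample-set implementation must also check the visibility and cycle conditions dynamically; here they hold by construction.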
Effect of Partial Order Reduction
(chart omitted : number of states, from 10^1 to 10^6 on a logarithmic axis, against problem size (number of processes), for the standard search and the reduced search)
State Compression : reduce the space needed for a state.
(figure omitted : a state vector split into descriptors for Process 1, the global variables, Channel 1 and Process 2)
Effect of State Compression : compression of 24535220 states
(chart omitted : axis ticks 50, 100, 150)
Bit-State Hashing
Used in DFS to identify whether a state has already been visited.
Lossy : a hash collision can make an unvisited state look visited.
(chart omitted : coverage from 0% to 100%, shown in stages)
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 25 / 35
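Bit-state hashing as a visited set, as an added example that is not SPIN's code. The state space is constructed here (the integers 0..N−1 with successors (s + 1) mod N and 2s mod N, so an exact search reaches all N states); the hash functions are keyed BLAKE2b digests, an implementation choice of mine. The point of the example is the lossy part: with a small table, states collide and the search believes it has seen states it never explored, so coverage drops below 100%.

```python
"""Bit-state hashing: a lossy visited set for depth-first search.

Added example, not SPIN's code.  Instead of storing every visited state, the
search keeps a table of bits and sets the k positions chosen by k hash
functions; a state whose k bits are already set is treated as visited and
pruned.  Two different states can hash to the same bits, so a state can be
dropped without ever being explored: coverage may fall below 100%.  The state
space is constructed here: the integers 0..N-1 with successors (s + 1) mod N
and (2 s) mod N, so an exact search reaches all N states."""

import hashlib
from typing import Iterator, Tuple

def successors(s: int, n: int) -> Tuple[int, int]:
    return ((s + 1) % n, (2 * s) % n)

def explore_exact(n: int) -> int:
    """DFS with an exact visited set; returns the number of states reached."""
    seen = {0}
    stack = [0]
    while stack:
        s = stack.pop()
        for t in successors(s, n):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return len(seen)

class BitState:
    """A table of nbits bits addressed by k independent hash functions."""

    def __init__(self, nbits: int, k: int) -> None:
        self.nbits, self.k = nbits, k
        self.table = bytearray((nbits + 7) // 8)

    def _positions(self, state: int) -> Iterator[int]:
        data = state.to_bytes(8, "big")
        for i in range(self.k):    # a differently salted hash per function
            h = hashlib.blake2b(data, digest_size=8, salt=bytes([i])).digest()
            yield int.from_bytes(h, "big") % self.nbits

    def test_and_set(self, state: int) -> bool:
        """Return True if the state looks visited; otherwise mark it and return False."""
        fresh = False
        for pos in self._positions(state):
            byte, bit = divmod(pos, 8)
            if not self.table[byte] & (1 << bit):
                self.table[byte] |= 1 << bit
                fresh = True
        return not fresh

def explore_bitstate(n: int, nbits: int, k: int = 2) -> int:
    """DFS with a bit-state table; returns how many states it believed were new."""
    visited = BitState(nbits, k)
    visited.test_and_set(0)
    stack = [0]
    count = 1
    while stack:
        s = stack.pop()
        for t in successors(s, n):
            if not visited.test_and_set(t):
                count += 1
                stack.append(t)
    return count

def coverage(n: int, nbits: int, k: int = 2) -> float:
    """Fraction of the real state space the lossy search explored."""
    return explore_bitstate(n, nbits, k) / explore_exact(n)

if __name__ == "__main__":
    for nbits in (256, 4096, 1 << 20):
        print(f"{nbits:>8d} bits: coverage {coverage(1000, nbits):.1%}")
```

Every state the lossy search accepts as new sets at least one fresh bit, so a table of 256 bits can never admit more than 256 states out of the 1000; a table of 2^20 bits loses almost nothing. Because a collision silently prunes a state, a run that reports no violation under bit-state hashing is evidence, not proof, which is why the coverage estimate matters.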
Timed Automata: Semantics, Algorithm and Tools
Uppaal
Model checking with timed automata.
Developed by Uppsala University and Aalborg University, first released in 1995.
System model : GUI to draw timed automata.
Property specification : TCTL, i.e. CTL with clock constraints.
Model checking algorithm : explicit state, global search.
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 27 / 35
Timed Automata
A timed automaton A = (S, S0, X, I, T), where
  S : a finite set of locations
  S0 ⊆ S : a set of starting locations
  X : a set of clocks
  I : S → C(X) : location invariants
  T ⊆ S × C(X) × 2^X × S : a set of transitions (source location, guard, clocks to reset, target location)
(figure omitted : an example automaton with locations start, loop and end)
Transforming a Timed Automaton into Finite Automata
(figures omitted : an example with locations off, dim and bright and the synchronisation press?, transformed step by step)
Difference Bound Matrices (DBM)
Representing the zone
  x1 ≥ 3 ∧ x3 ≤ 5 ∧ x3 − x1 ≤ 2 ∧ x2 − x3 < 2 ∧ x2 − x1 < 10 ∧ x1 − x2 < −4
rewritten with the reference clock 0 as
  0 − x1 ≤ −3 ∧ x3 − 0 ≤ 5 ∧ x3 − x1 ≤ 2 ∧ x2 − x3 < 2 ∧ x2 − x1 < 10 ∧ x1 − x2 < −4
The entry in row xi and column xj bounds xj − xi; unconstrained entries are left empty (∞) and the diagonal is (≤, 0):

          0        x1        x2        x3
  0    (≤, 0)       ∞         ∞     (≤, 5)
  x1   (≤, −3)   (≤, 0)   (<, 10)   (≤, 2)
  x2      ∞     (<, −4)   (≤, 0)       ∞
  x3      ∞         ∞      (<, 2)   (≤, 0)

Canonical DBM : computed with the all-pairs shortest path (Floyd-Warshall) algorithm, O(n³).
0
Difference Bound Matrices (DBM)
Representing
0− x1 ≤ −3 ∧ x3 − 0 ≤ 5 ∧ x3 − x1 ≤ 2 ∧ x2 − x3 < 2 ∧ x2 − x1 < 10 ∧ x1 − x2 < −4
0 x1 x2 x3 0 (≤, 0) (≤,∞) (≤,∞) (≤, 5) x1 (≤,−3) (≤, 0) (<, 10) (≤, 2) x2 (≤,∞) (<,−4) (≤, 0) (≤,∞) x3 (≤,∞) (≤,∞) (<, 2) (≤, 0)
Canonical DBM : using all pair shortest path (Floyd-Washall) algorithm. O(n3)
0
Difference Bound Matrices (DBM)
Representing
0− x1 ≤ −3 ∧ x3 − 0 ≤ 5 ∧ x3 − x1 ≤ 2 ∧ x2 − x3 < 2 ∧ x2 − x1 < 10 ∧ x1 − x2 < −4
0 x1 x2 x3 0 (≤, 0) (≤,∞) (≤,∞) (≤, 5) x1 (≤,−3) (≤, 0) (<, 10) (≤, 2) x2 (≤,∞) (<,−4) (≤, 0) (≤,∞) x3 (≤,∞) (≤,∞) (<, 2) (≤, 0)
Canonical DBM : using all pair shortest path (Floyd-Washall) algorithm. O(n3)
0
DBM Operations
D1 = [matrix not recovered from the slide]
Reset: x2 := 0
Delay: D ⇒ D⇑
D  = [ 0   x1,0   x2,0   x3,0 ]   (the row of bounds between the clocks and the reference clock 0)
D⇑ = [ 0   ∞      ∞      ∞    ]   (delay removes the upper bounds on all clocks)
Computing zone successor
The current zone, e.g. {x = 0 ∧ y = 0}
Given a transition e = (s, ψ, λ, s′) of a timed automaton, where ψ is the guard and λ the set of clocks reset
I(s) is the invariant of state s
succ(s, ) = (( ∧ I(s))⇑ ∧ I(s) ∧ ψ)[λ := 0]
[Figure: transition e from location s to location s′]
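The DBM representation and canonical form, the delay and reset operations, and the zone successor formula above, as one added Python example (not code from the slides, from [BY04] or from Uppaal). It follows the slides' matrix layout (the entry in row xi, column xj bounds xj − xi, clock 0 is the reference clock), stores each entry as (bound, strict), and runs the slides' constraint system through Floyd-Warshall. Canonicalization doubles as the emptiness check: for the six constraints on the slide, x3 ≤ 5 and x2 − x3 < 2 give x2 < 7, x1 − x2 < −4 then gives x1 < 3, which contradicts x1 ≥ 3, so the closure tightens a diagonal entry below (≤, 0) and the zone is reported empty; without the last constraint the zone is non-empty and the derived bound x2 − x1 < 4 is tighter than the stated x2 − x1 < 10. The lamp step used for the successor (invariant x ≤ 5, guard x ≥ 2, reset of x) is a constructed assumption, not taken from the slides.

```python
"""Difference Bound Matrices for timed-automata zones (added example).

Layout follows the slides: entry m[i][j] bounds x_j - x_i, clock 0 is the
constant reference clock (x_0 = 0), so row 0 holds upper bounds x_j - 0 and
column 0 holds lower bounds 0 - x_i. An entry is (bound, strict):
strict=False encodes '<=', strict=True encodes '<'; bound may be INF.
"""
from itertools import product
import math

INF = math.inf
ZERO = (0, False)   # (<=, 0): the diagonal, and "x_j - x_i <= 0"
TOP = (INF, True)   # unconstrained


def add(a, b):
    """Compose two bounds along a path; one strict step makes the sum strict."""
    if a[0] == INF or b[0] == INF:
        return TOP
    return (a[0] + b[0], a[1] or b[1])


def less(a, b):
    """True if bound a is strictly tighter than bound b."""
    return a[0] < b[0] or (a[0] == b[0] and a[1] and not b[1])


class DBM:
    def __init__(self, n_clocks):
        self.n = n_clocks + 1
        self.m = [[ZERO if i == j else TOP for j in range(self.n)]
                  for i in range(self.n)]

    def copy(self):
        c = DBM(self.n - 1)
        c.m = [row[:] for row in self.m]
        return c

    def constrain(self, xj, xi, bound, strict=False):
        """Add x_j - x_i <= bound (or < bound if strict)."""
        if less((bound, strict), self.m[xi][xj]):
            self.m[xi][xj] = (bound, strict)
        return self

    def canonicalize(self):
        """Floyd-Warshall, O(n^3): each entry becomes the tightest implied bound."""
        for k, i, j in product(range(self.n), repeat=3):
            via = add(self.m[i][k], self.m[k][j])
            if less(via, self.m[i][j]):
                self.m[i][j] = via
        return self

    def is_empty(self):
        """After closure, a diagonal entry tighter than (<=, 0) is an unsatisfiable cycle."""
        return any(less(self.m[i][i], ZERO) for i in range(self.n))

    def up(self):
        """Delay (D⇑): let all clocks grow, i.e. drop the upper bounds x_j - 0."""
        for j in range(1, self.n):
            self.m[0][j] = TOP
        return self

    def reset(self, x):
        """x := 0: x takes the reference clock's relation to every other clock."""
        for i in range(self.n):
            self.m[i][x] = self.m[i][0]   # x - x_i becomes 0 - x_i
        for j in range(self.n):
            self.m[x][j] = self.m[0][j]   # x_j - x becomes x_j - 0
        return self

    def intersect(self, other):
        """Conjunction: entry-wise tighter bound, then re-canonicalize."""
        for i, j in product(range(self.n), repeat=2):
            if less(other.m[i][j], self.m[i][j]):
                self.m[i][j] = other.m[i][j]
        return self.canonicalize()

    def bounds(self, x):
        """(lower, upper) bound of clock x, ignoring strictness."""
        return (-self.m[x][0][0], self.m[0][x][0])


def successor(zone, inv_s, guard, resets):
    """succ = ((Z ∧ I(s))⇑ ∧ I(s) ∧ ψ)[λ := 0], the formula on the slide."""
    z = zone.copy().intersect(inv_s).up().intersect(inv_s).intersect(guard)
    for x in resets:
        z.reset(x)
    return z.canonicalize()


def slide_system(with_last=True):
    """The slides' constraint system over x1, x2, x3 (clock indices 1..3)."""
    d = DBM(3)
    d.constrain(0, 1, -3)            # 0 - x1 <= -3   (x1 >= 3)
    d.constrain(3, 0, 5)             # x3 - 0 <= 5
    d.constrain(3, 1, 2)             # x3 - x1 <= 2
    d.constrain(2, 3, 2, True)       # x2 - x3 < 2
    d.constrain(2, 1, 10, True)      # x2 - x1 < 10
    if with_last:
        d.constrain(1, 2, -4, True)  # x1 - x2 < -4
    return d.canonicalize()


def lamp_successor():
    """Constructed step (assumption, not from the slides): Z = {x = 0 ∧ y = 0},
    invariant x <= 5, guard x >= 2, reset {x}. Result: x = 0 and 2 <= y <= 5."""
    x, y = 1, 2
    zone = (DBM(2).constrain(x, 0, 0).constrain(0, x, 0)
                  .constrain(y, 0, 0).constrain(0, y, 0).canonicalize())
    inv = DBM(2).constrain(x, 0, 5)       # x - 0 <= 5
    guard = DBM(2).constrain(0, x, -2)    # 0 - x <= -2  (x >= 2)
    return successor(zone, inv, guard, resets=[x])
```

`slide_system().is_empty()` is `True`, `slide_system(with_last=False).m[1][2]` is `(4, True)`, and `lamp_successor().bounds(2)` is `(2, 5)`. Re-canonicalizing after every intersection is what keeps the emptiness test and the zone inclusion test sound; `up` and `reset` preserve canonical form on their own, so a tool can skip the O(n^3) closure after those two.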
Conclusion
Summary
System Model: Kripke Structures [Em97], Transition Systems, Timed Automata [BY04]
Specify Properties: Temporal Logics: LTL [Em97,Ho97], CTL, CTL*, µ-calculus [Em97]; Timed Temporal Logics: TCTL [BY04], TLTL
Algorithms: Symbolic [Em97] vs Explicit States [Em97,Ho97]; Global searching [Em97] vs On-the-fly [Em97,Ho97]; From timed to untimed: DBM [BY04]
Tools: Untimed: SPIN [Ho97], Bogor, ...; Timed: Uppaal [BY04], IF, ...
Huang-Ming Huang (WUSTL) Reasoning about Real-time Systems 34 / 35
Introduction
Temporal Logics
SPIN optimization techniques
Uppaal