Choice of Temporal Logic Specifications. Narayanan Sundaram EE219C Lecture

Similar documents
Hoare Logic and Model Checking. LTL and CTL: a perspective. Learning outcomes. Model Checking Lecture 12: Loose ends

Linear-Time vs. Branching-Time Properties

Computational Tree Logic and Model Checking A simple introduction. F. Raimondi

A Constraint-based Approach to Medical Guidelines and Protocols

Symbolic CTL Model Checking

Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

LECTURE 5: REACTIVE AND HYBRID ARCHITECTURES

The UML/MARTE Verifier

Lecture 7: Computation Tree Logics

TG100 Implementation Guide - FTA

Supervisory control synthesis

Computation Tree Logic vs. Linear Temporal Logic. Slides from Robert Bellarmine Krug University of Texas at Austin

Tackling Random Blind Spots with Strategy-Driven Stimulus Generation

ICS 606. Intelligent Autonomous Agents 1. Intelligent Autonomous Agents ICS 606 / EE 606 Fall Reactive Architectures

Generating Obstacle Conditions for Requirements Completeness

Formal Methods for Biological Systems: Languages, Algorithms, and Applications

Citation for published version (APA): Geus, A. F. D., & Rotterdam, E. P. (1992). Decision support in aneastehesia s.n.

Extracting Runtime Monitors from Tests: An Introduction

What is Science 2009 What is science?

Structural assessment of heritage buildings

DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING. CP 7026-Software Quality Assurance Unit-I. Part-A

Programming with Goals (3)

Cancer Hallmark Automata (I): Model, Therapy and Complexity

Bayesian (Belief) Network Models,

Stepwise Knowledge Acquisition in a Fuzzy Knowledge Representation Framework

Measurement Invariance (MI): a general overview

It is the theory that decides what we can observe. -- Albert Einstein

Test-Driven Development Exposed Growing Complex Software One Test at a Time

Chapter 02 Developing and Evaluating Theories of Behavior

DATE 2006 Session 5B: Timing and Noise Analysis

Expert System Profile

Invited talk, 12th International Conference on Distributed Computing and Internet Technology (ICDCIT), Bhubaneswar, India, January 2016

A Dependability Case Language for a Radiation Therapy System

Causal Knowledge Modeling for Traditional Chinese Medicine using OWL 2

Supplementary notes for lecture 8: Computational modeling of cognitive development


Actor (and network) models

Leveraging Linux: Code Coverage for Post-Silicon Validation

Hierarchical FSM s with Multiple Concurrency Models

Challenges of a Theoretician / Experimentalist

Outline. Experimental Evaluation in Computer Science: A Quantitative Study. Related Work. Introduction. Select CS Papers.

ERA: Architectures for Inference

Evolutionary Programming

University of Bristol - Explore Bristol Research. Peer reviewed version. Link to publication record in Explore Bristol Research PDF-document

How do Categories Work?

Section 3: Economic evaluation

Position Paper: How Certain is Recommended Trust-Information?

Pancreatic Cancer Research and HMGB1 Signaling Pathway

of subjective evaluations.

Complexity Results in Epistemic Planning

Leadership of Decision-Making & Problem Solving. Level II-15 Session 2

Assurance Cases for Model-based Development of Medical Devices. Anaheed Ayoub, BaekGyu Kim, Insup Lee, Oleg Sokolsky. Outline

Incorporation of Imaging-Based Functional Assessment Procedures into the DICOM Standard Draft version 0.1 7/27/2011

Multivariable Systems. Lawrence Hubert. July 31, 2011

Plan Recognition through Goal Graph Analysis

Chapter 3 Tools for Practical Theorizing: Theoretical Maps and Ecosystem Maps

SOCQ121/BIOQ121. Session 2. Evidence and Research. Department of Social Science. endeavour.edu.au

Remarks on Bayesian Control Charts

PO Box 19015, Arlington, TX {ramirez, 5323 Harry Hines Boulevard, Dallas, TX

CPSC 121 Some Sample Questions for the Final Exam

Sign Language Interpretation Using Pseudo Glove

METABOLIC PETRI NETS. MONIKA HEINER, BTU Cottbus REINHARDT HEINRICH, HU BERLIN SOFTWARE ENGINEERING & PETRI NETS

Consider the following aspects of human intelligence: consciousness, memory, abstract reasoning

On Test Scores (Part 2) How to Properly Use Test Scores in Secondary Analyses. Structural Equation Modeling Lecture #12 April 29, 2015

Response to the ASA s statement on p-values: context, process, and purpose

Representation Theorems for Multiple Belief Changes

DiPRA (Distributed Practical Reasoning Architecture)

Transforming OntoUML into Alloy: Towards conceptual model validation using a lightweight formal method

Between-word regressions as part of rational reading

EIQ16 questionnaire. Joe Smith. Emotional Intelligence Report. Report. myskillsprofile.com around the globe

Artificial Intelligence Lecture 7

DRAFT (Final) Concept Paper On choosing appropriate estimands and defining sensitivity analyses in confirmatory clinical trials

Development of Concept of Transitivity in Pre-Operational Stage Children

Normality and Faults in Logic-Based Diagnosis*

A Virtual Glucose Homeostasis Model for Verification, Simulation and Clinical Trials

1 What is an Agent? CHAPTER 2: INTELLIGENT AGENTS

A Modelling Environment for Mind and Matter Aspects of Intentional Behaviour

Protocol of the discussion during November, 1997 on. I found parts of it dicult to follow since I am not sure what the participants

III. WHAT ANSWERS DO YOU EXPECT?

UNLOCKING VALUE WITH DATA SCIENCE BAYES APPROACH: MAKING DATA WORK HARDER

CS 771 Artificial Intelligence. Intelligent Agents

Support system for breast cancer treatment

A hardware implementation of a network of functional spiking neurons with hebbian learning

An Empirical Test of a Postulate of a Mediating Process between Mind Processes Raimo J Laasonen Project Researcher Vihti Finland

SoundRecover2 the first adaptive frequency compression algorithm More audibility of high frequency sounds

Analysis of complex patterns of evidence in legal cases: Wigmore charts vs. Bayesian networks

Regression Benchmarking with Simple Middleware Benchmarks

EEL-5840 Elements of {Artificial} Machine Intelligence

Lecture 9 Internal Validity

Design Safety Verification of Medical Device Models using Automata Theory

On the Effectiveness of Specification-Based Structural Test-Coverage Criteria as Test-Data Generators for Safety-Critical Systems

The Scientific Method

Reasoning about Partial Goal Satisfaction for Requirements and Design Engineering

Chapter 3 Software Packages to Install How to Set Up Python Eclipse How to Set Up Eclipse... 42

Automatic Fault Tree Derivation from Little-JIL Process Definitions

EPSE 594: Meta-Analysis: Quantitative Research Synthesis

An effort is made to analyse the stresses experienced by the human femur. In order

Hacking the experimental method to avoid Cognitive biases

Outline. What s inside this paper? My expectation. Software Defect Prediction. Traditional Method. What s inside this paper?

Design the Flexibility, Maintain the Stability of Conceptual Schemas

Transcription:

Choice of Temporal Logic Specifications Narayanan Sundaram EE219C Lecture 1

CTL Vs LTL The Final Showdown 2

Why should we choose one over the other? Expressiveness Clarity/Intuitiveness Algorithmic Complexity for Verification Ease of analyzing error reports Compositionality 3

Expressiveness - CTL CTL can express formulae that LTL cannot Try expressing AG(p ((AX q) (AX q)) in LTL (This formula is used in the context of database transactions) How about AF AX p or AF AG p? 4

Expressiveness - LTL LTL can express temporal formulae that CTL cannot! Try expressing F G p in CTL (AF AG p is stronger and AF EG p is weaker) LTL CTL All temporal formulae 5

Expressiveness CTL characterizes bisimulation i.e. two states in a transition system are bisimilar iff they satisfy the same CTL properties Bisimulation is a structural relation We need a way to specify behavioural properties 6

Verdict Property CTL LTL Expressiveness Tie/No Answer Clarity/ Intuitiveness Complexity Debugging Composinality 7

Clarity/Intuitiveness Which is more intuitive - CTL or LTL? Claims made for clarity on both sides Tightly linked with expressiveness Does more expressive mean more or less clear/intuitive? 8

Clarity/Intuitiveness Most properties are very simple like AG p Linear time is more intuitive than branching time for most people F X p and X F p mean the same thing AF AX p and AX AF p do not Do we need expressiveness or clarity? 9

Clarity/Intuitiveness LTL uses language containment ( Buchi automaton approach) CTL uses reachability analysis With LTL, both system and properties are FSMs Does this mean that LTL is more intuitive? 10

Verdict Property CTL LTL Expressiveness Tie/No Answer Clarity/ Intuitiveness Complexity Debugging Composinality 11

Complexity Classes EXPSPACE COMPLETE EXPTIME COMPLETE PSPACE COMPLETE NP COMPLETE Increasing Complexity P 12

Complexity For CTL, model checking algorithms run in O(nm) time ( n is the size of transition system and m is the size of temporal formula) For LTL, model checking algorithms run in n.2 O(m) time Is CTL better? Remember : m << n 13

Complexity Closed/Open systems CTL complexity bound is better than LTL only in closed systems For open systems, we get totally different results For LTL, it is PSPACE Complete For CTL, it is EXPTIME Complete For CTL*, it is 2EXPTIME Complete 14

Complexity Are these comparisons valid? Should we only compare properties that are expressible in both CTL and LTL? The 2 O(m) in the LTL complexity comes from creating the Buchi automaton For LTL formulae that are expressible as CTL, there is a Buchi automaton whose size is linear in the size of the LTL formula 15

Complexity Hierarchical systems Both LTL and CTL model checking are PSPACE Complete LTL : Polynomial in the size of the system CTL : Exponential in the size of the system Size of system >> Size of formula Similar results for pushdown systems 16

Verdict Property CTL LTL Expressiveness Tie/No Answer Clarity/ Intuitiveness Complexity Debugging Composinality 17

Debugging from error traces Error trace analysis is needed for Debugging the design Semi-formal verification Don t CTL and LTL give similar error traces? 18

Error traces CTL is inherently branching time based Consider AF AX p is not satisfied - There is no linear trace that can disprove the property In contrast, all LTL property failures can produce a single linear trace 19

Error traces Closely related to intuitiveness of the specification Semiformal verification involves combining formal verification and simulation Harder to do this with CTL than LTL Current approaches to semiformal verification limit themselves to invariants to get around the problem - Too restrictive for wide usage 20

Verdict Property CTL LTL Expressivenss Tie/No Answer Clarity/ Intuitiveness Complexity Debugging Compositionality 21

Compositionality Compositional or modular verification used to tackle the space-explosion problem inherent in any formal verification method Use Assume-Guarantee paradigm M 1 = ψ 1 M 2 = ψ 2 M 1 M 2 = ψ C(ψ 1, ψ 2, ψ) 22

Compositionality ϕ 1 M 1 ψ 1 true M 1 ϕ 1 true M ϕ 2 M 2 ψ 2 1 M 2 ψ 1 ψ 2 true M 2 ϕ 2 <φ>m<ψ> specifies that whenever M is a part of a system satisfying the formula φ, the system satisfies the formula ψ too. This branching modular model-checking problem for CTL is PSPACE complete 23

Compositionality What is generally done in CTL model checking? People generally use (1) instead of (2) M2 A2 is based on intuition, which may be wrong is the simulation refinement relation } M 2 A 2 M M 1 A 2 = ϕ 1 M 2 = ϕ M 1 A 1 A 1 M 2 A 2 M 1 M 2 = ϕ M 1 A 2 = ϕ (1) (2) 24

Compositionality - LTL Compositionality works easily with LTL! To prove <φ>m<ψ> with LTL, we only need to prove M φ ψ To prove the linear-time properties of the parallel composition M E1 E2... Ek, it suffices to consider the linear-time properties of components M, E1,E2,... Ek Possible because if L(M) L(P) and L(E i) L(P), then L(M) L(Ei) L(P) 25

Verdict Property CTL LTL Expressiveness Tie/No Answer Clarity/ Intuitiveness Complexity Debugging Compositionality 26

Final Verdict Property CTL LTL Expressiveness Clarity/ Intuitiveness Complexity Debugging Compositionality Tie/No Answer LTL declared as winner 27

LTL - Other advantages Abstraction can be mapped to language containment which LTL can handle To verify if design P1 is a refinement of P2, we have to just check L(P1) L(P2) BMC fits naturally within a linear time framework as we only search for a counterexample trace of bounded length 28

Is LTL sufficient? It is proven that LTL cannot express certain ω- regular expressions LTL is inadequate to express all assumptions about the environment in modular verification What is the ultimate temporal property specification language? ETL is an extension of LTL with temporal connectives that correspond to ω-automata 29

More Proposals Use past connectives - not necessary but can be convenient when referring to program locations where some modifications were made rather than just the external behaviour In order to perform compositional specification and verification, it is convenient to use the past operators but necessary to have the full power of ETL - Pnueli 30

Some Libraries & Tools in use Cadence SMV is CTL based (It has a linear time model checker built on top of a CTL model checker) FTL is a linear temporal logic with limited form of past connectives and with the full expressive power of ω-regular expressions Used in ForSpec, Intel s formal verification language 31

Some more Libraries & Tools in use Open Verification Library (OVL) Process Specification Language (PSL) System Verilog Assertions (SVA) 32

Integrating Verification Designers use VHDL/Verilog for hardware designs Programmers use C/C++/Java etc Verification engines use FSMs with temporal property specifications How to make them talk to each other? 33

OVL The OVL library of assertion checkers is intended to be used by design, integration, and verification engineers to check for good/bad behavior in simulation, emulation and formal verification OVL is a Verification methodology, which can find bugs (even in mature designs) OVL is a Library of predefined assertions, currently available in Verilog, SVA and PSL 34

Types of OVL Assertions Combinatorial Single-Cycle 2-Cycles n-cycles Event-bound 1'23/04.'-/45&,%%$-./'0%& assert_proposition, assert_never_unknown_async 6/075$89"95$&,%%$-./'0% assert_always, assert_implication, assert_range, 6$:;$0./45&'<$-&=&9"95$% assert_always_on_edge, assert_decrement, 6$:;$0./45&'<$-&0;2>9?% 9"95$% assert_change, assert_cycle_sequence, assert_next, 6$:;$0./45&3$.@$$0&.@'&$<$0.% assert_win_change, assert_win_unchange, assert_window 35

OVL Assertions- Examples TYPE NAME PORTS DESCRIPTION single cycle assert_always (clk, reset_n, test_expr) test_expr must always hold 2 cycles assert_always_on_edge (clk, reset_n, sampling_event, test_expr) test_expr is true immediately following the specified edge (edge_type: 0=noedge, 1=pos, 2=neg, 3=any) n cycles assert_change (clk, reset_n, start_event, test_expr) test_expr must change within num_cks of start_event (action_on_new_start: 0=ignore, 1=restart, 2=error) 36

OVL OVL Assertions are used for property verification as well as constraint specification(environment modeling) OVL is just a layer for specifying properties The verification tool has to understand these assertions and then translate them into temporal formula of choice 37

OVL Timing Diagram - Example assert_always_on_edge #(severity_level, edge_type, property_type, msg, coverage_level) u1 (clk, reset_n, sampling_event, test_expr) test_expr is true immediately following the edge specified by the edge_type parameter 2-Cycles ASSERT forall t. conditions imply requirements assert_always_on_edge #(0,1) t t + 1 Rising edge ASSERT forall t. conditions imply requirements assert_always_on_edge #(0,2) t t + 1 Falling edge sampling_event sampling_event test_expr test_expr clk clk ASSERT assert_always forall t. _on_edge conditions imply requirements test_expr t edge_type=0 (default is no edge) Identical to assert_always ASSERT forall t. conditions imply requirements sampling_event test_expr assert_always_on_edge #(0,3) t t + 1 *SE!= SE@t Any edge 38

Using CTL/LTL based verification There are a number of issues to be solved before we can directly translate OVL to CTL/ LTL Presence of multiple clocks Presence of positive and negative edge triggered logic Support for BMC (for assertions like assert_change specifying num_cks) 39

A simple case study Methodology to use NuSMV with VHDL/ Verilog designs Restricted to designs with one global clock (logic uses only one edge of the clock) Uses synthesis tools along with verification engines Properties specified in OVL 40

Tool flow VHDL/Verilog design Gates to SMV modules - Mapping table Synthesis Flat netlist Convert to SMV Extract properties OVL to CTL/ LTL NuSMV 41

Conclusion LTL is better than CTL for specifying temporal properties of FSMs Many different libraries in use for specifying properties and constraints Designers can use these with minimal effort 42

References Moshe Y. Vardi, Branching vs Linear time : Final Showdown, Proceedings of the 7th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2001, pp. 1-22 http://www.accellera.org/activities/ovl/

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback