Computational Tree Logic and Model Checking A simple introduction. F. Raimondi

Similar documents
Linear-Time vs. Branching-Time Properties

Symbolic CTL Model Checking

Computation Tree Logic vs. Linear Temporal Logic. Slides from Robert Bellarmine Krug University of Texas at Austin

Lecture 7: Computation Tree Logics

Hoare Logic and Model Checking. LTL and CTL: a perspective. Learning outcomes. Model Checking Lecture 12: Loose ends

Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

Choice of Temporal Logic Specifications. Narayanan Sundaram EE219C Lecture

CPSC 121 Some Sample Questions for the Final Exam

A Constraint-based Approach to Medical Guidelines and Protocols

Chapter 2. Knowledge Representation: Reasoning, Issues, and Acquisition. Teaching Notes

Foundations of AI. 10. Knowledge Representation: Modeling with Logic. Concepts, Actions, Time, & All the Rest

15.301/310, Managerial Psychology Prof. Dan Ariely Recitation 8: T test and ANOVA

Chapter 3 Software Packages to Install How to Set Up Python Eclipse How to Set Up Eclipse... 42

Problem Set 2: Computer Psychiatrist

Objectives. Quantifying the quality of hypothesis tests. Type I and II errors. Power of a test. Cautions about significance tests

9. Interpret a Confidence level: "To say that we are 95% confident is shorthand for..

Lecture 2: Foundations of Concept Learning

Programming with Goals (3)

Computer Science 101 Project 2: Predator Prey Model

Cleveland State University Department of Electrical and Computer Engineering Control Systems Laboratory. Experiment #3

A Scientific Model of Consciousness that Explains Spirituality and Enlightened States

Stepwise Knowledge Acquisition in a Fuzzy Knowledge Representation Framework

Introduction to Categorization Theory

Intelligent Agents. CmpE 540 Principles of Artificial Intelligence

Central Algorithmic Techniques. Iterative Algorithms

A Computational Theory of Belief Introspection

University of Cambridge Engineering Part IB Information Engineering Elective

Coherence Theory of Truth as Base for Knowledge Based Systems

More Examples and Applications on AVL Tree

On the Effectiveness of Specification-Based Structural Test-Coverage Criteria as Test-Data Generators for Safety-Critical Systems

Plan Recognition through Goal Graph Analysis

Connexion of Item Response Theory to Decision Making in Chess. Presented by Tamal Biswas Research Advised by Dr. Kenneth Regan

Research Approaches Quantitative Approach. Research Methods vs Research Design

PROCEDURAL APPROACH TO MITIGATING CONCURRENTLY APPLIED CLINICAL PRACTICE GUIDELINES

Chapter 19. Confidence Intervals for Proportions. Copyright 2010, 2007, 2004 Pearson Education, Inc.

Chapter 8: Estimating with Confidence

Review Questions in Introductory Knowledge... 37

A Three Agent Model of Consciousness Explains Spirituality and Multiple Nondual Enlightened States Frank Heile, Ph.D.

MTAT Bayesian Networks. Introductory Lecture. Sven Laur University of Tartu

Speaker Notes: Qualitative Comparative Analysis (QCA) in Implementation Studies

What Happened to Bob? Semantic Data Mining of Context Histories

Pancreatic Cancer Research and HMGB1 Signaling Pathway

Expert Systems. Artificial Intelligence. Lecture 4 Karim Bouzoubaa

Sequential Decision Making

Deaf Support. Level 3 British Sign Language 2017 Handout resources. 2 SIGN GRAMMAR Grammar is phonology + syntax + semantics It is the order of sign.

Formal Analysis of Damasio s Theory on Core Consciousness

Intro to Theory of Computation

Part I - Multiple Choice. 10 points total.

Audio: In this lecture we are going to address psychology as a science. Slide #2

Intro to Cognitive Neuroscience. Working memory

Plan Recognition through Goal Graph Analysis

Automatic Fault Tree Derivation from Little-JIL Process Definitions

MBios 478: Systems Biology and Bayesian Networks, 27 [Dr. Wyrick] Slide #1. Lecture 27: Systems Biology and Bayesian Networks

Applied Statistical Analysis EDUC 6050 Week 4

Agents. This course is about designing intelligent agents Agents and environments. Rationality. The vacuum-cleaner world

Bayes theorem describes the probability of an event, based on prior knowledge of conditions that might be related to the event.

Reading Questions. ChE 436

Copyright 2018 The Guilford Press

Phenomenal content. PHIL April 15, 2012

Internalized Motivation in the Classroom

Bayesian (Belief) Network Models,

Organizational. Architectures of Cognition Lecture 1. What cognitive phenomena will we examine? Goals of this course. Practical Assignments.

A Three Agent Model of Consciousness Explains Spirituality and Multiple Nondual Enlightened States Frank Heile, Ph.D.

Two-Way Independent ANOVA

A Modelling Environment for Mind and Matter Aspects of Intentional Behaviour

ID + MD = OD Towards a Fundamental Algorithm for Consciousness. by Thomas McGrath. June 30, Abstract

1 What is an Agent? CHAPTER 2: INTELLIGENT AGENTS

56:134 Process Engineering

Exploring Experiential Learning: Simulations and Experiential Exercises, Volume 5, 1978 THE USE OF PROGRAM BAYAUD IN THE TEACHING OF AUDIT SAMPLING

Hypertension encoded in GLIF

MITOCW conditional_probability

Resource Access Protocols. LS 12, TU Dortmund

Chapter 12 Conclusions and Outlook

Grade 6 Math Circles Winter February 6/7 Number Theory - Solutions Warm-up! What is special about the following groups of numbers?

Chapter 19. Confidence Intervals for Proportions. Copyright 2010 Pearson Education, Inc.

Living with Newton's Laws

A Taxonomy of Decision Models in Decision Analysis

TRANSLATING RESEARCH INTO PRACTICE

Over the years, philosophers, psychoanalysts, psychologists, psychiatrists,

Hypothesis-Driven Research

Authors Knowing something about the authors can illuminate the topic of the paper. Where does Robert Brooks work, and what does he usually research?

Illusion of control is all about the relationship between the conscious and the sub-conscious mind.

The Logic of Data Analysis Using Statistical Techniques M. E. Swisher, 2016

Supplementary notes for lecture 8: Computational modeling of cognitive development

COMP 516 Research Methods in Computer Science. COMP 516 Research Methods in Computer Science. Research Process Models: Sequential (1)

Chapter 12. The One- Sample

Interviewer: Tell us about the workshops you taught on Self-Determination.

So far. INFOWO Lecture M5 Homogeneity and Reliability. Homogeneity. Homogeneity

Generating Obstacle Conditions for Requirements Completeness

The GCD of m Linear Forms in n Variables Ben Klein

Neural Coding. Computing and the Brain. How Is Information Coded in Networks of Spiking Neurons?

Including Quantification in Defeasible Reasoning for the Description Logic EL

Confidence Intervals. Chapter 10

A23C581 Consumer Behavior. Introductory lecture 19 February 2018

Analysis of in-vivo extracellular recordings. Ryan Morrill Bootcamp 9/10/2014

INTRODUCTION TO MACHINE LEARNING. Decision tree learning

Behaviorism: An essential survival tool for practitioners in autism

15.053x. OpenSolver (

Regulation of Human Heart Rate

Transcription:

Computational Tree Logic and Model Checking A simple introduction F. Raimondi

I am Franco Raimondi, f.raimondi@cs.ucl.ac.uk Slides, coursework, coursework solutions can be found online: http://www.cs.ucl.ac.uk/staff/f.raimondi/ (choose Teaching ). Text book: M. Huth and M. Ryan, Logic in computer science, (the pages mentioned below are for the second edition). Structure of the lectures: Lectures on CTL and NuSMV (2 or 3 hours, 1.20) Lab class on NuSMV (1 or 2 hours, 4.06) Coursework (will be given next Friday, deadline Friday 2 Feb, electronic submission by email) Thanks to Dr. Alessio Lomuscio (now at Imperial College) for various material in these slides. A simple introduction to CTL and model checking Slide 2

Reference material for CTL pp. 207 217 (Section 3.4): Syntax, Semantics, Specification Patterns, Equivalence of Formulas. pp. 221 230 (Section 3.6.1): Model checking algorithms. Reference material for NuSMV Lecture notes based on NuSMV tutorial available online. A simple introduction to CTL and model checking Slide 3

Introduction There is a great advantage in being able to verify the correctness of computer systems, whether they are hardware, software, or a combination. This is most obvious in the case of safety-critical systems, but also applies to those that are commercially critical (such as mass-produced chips), mission critical (think of NASA rovers), etc. In this lecture: verification using model checking. Model checking is an automatic, model-based, property verification approach. A simple introduction to CTL and model checking Slide 4

Model checking: definition Given a model M and a formula ϕ, model checking is the problem of verifying whether or not ϕ is true in M (written M = ϕ: don t worry, it will be much clearer by the end of these slides). A simple introduction to CTL and model checking Slide 5

Model checking: definition Given a model M and a formula ϕ, model checking is the problem of verifying whether or not ϕ is true in M (written M = ϕ: don t worry, it will be much clearer by the end of these slides). Distributed system Required property A simple introduction to CTL and model checking Slide 5

Model checking: definition Given a model M and a formula ϕ, model checking is the problem of verifying whether or not ϕ is true in M (written M = ϕ: don t worry, it will be much clearer by the end of these slides). Distributed system abstract Logical model M Required property represent Logical formula ϕ A simple introduction to CTL and model checking Slide 5

Model checking: definition Given a model M and a formula ϕ, model checking is the problem of verifying whether or not ϕ is true in M (written M = ϕ: don t worry, it will be much clearer by the end of these slides). Distributed system abstract Logical model M Required property represent Logical formula ϕ M = ϕ? A simple introduction to CTL and model checking Slide 5

Model checking and temporal logic Model checking is based on mainly temporal logic. There are various kinds of temporal logic: Linear Temporal Logic (LTL), Computational Tree Logic (CTL), CTL*, µ-calculus, etc. In this lecture we will cover CTL, a logic to reason about sequence of events. For instance, we will write formally statements such as: There exists an execution of the system such that, if the proposition p is true, then in the next computation step q is true (at the end of this lecture: try to encode this in CTL). A simple introduction to CTL and model checking Slide 6

Basic concepts: syntax and semantics Syntax tells how to write formulas: syntax gives the rules to write correct (i.e., well-formed) formulas (wff). Semantics gives a meaning to well-formed formulas. Semantics is used to decide whether or not a given wff is true or false. A simple introduction to CTL and model checking Slide 7

CTL Syntax We start from a set of atomic propositions AP = {p, q,...}. Atomic propositions stand for atomic facts which may hold in a system, e.g. Printer ps706 is busy, Process 1486 is idle, The value of x is 5, etc. The Backus-Naur form form CTL formulae is the following: ϕ ::= p ϕ ϕ ϕ ϕ ϕ ϕ ϕ AXϕ EXϕ AFϕ EFϕ AGϕ EGϕ A[ϕUϕ] E[ϕUϕ] IF YOU DON T KNOW THE MEANING OF THIS EXPRESSION PLEASE RAISE YOUR HAND NOW!!! A simple introduction to CTL and model checking Slide 8

CTL Syntax Each CTL operator is a pair of symbols. The first one is either A ( for All paths ), or E ( there Exists a path ). The second one is one of X ( next state ), F ( in a Future state ), G ( Globally in the future ) or U ( Until ). NOTICE: U is a binary operator, it could be written EU(ϕ, ψ) or AU(ϕ, ψ). Notice that the quantifier is graphically separated (e.g., E[pUq]), but it is in fact a single operator EU, which could be written EU(p, q). Example: AG(p (EFq)) is read as It is Globally the case that, if p is true, then there Exists a path such that at some point in the Future q is true. A simple introduction to CTL and model checking Slide 9

CTL Syntax: parse trees Parse trees are very useful to understand CTL formulas. For instance: (EF(EGp)) E[pUq] A simple introduction to CTL and model checking Slide 10

CTL Syntax: parse trees Parse trees are very useful to understand CTL formulas. For instance: (EF(EGp)) E[pUq] EF EU EG p q p A simple introduction to CTL and model checking Slide 10

CTL Syntax: EXERCISE Build the parse tree of the following formula: A[pU q] (AF( EGr)) A simple introduction to CTL and model checking Slide 11

CTL Syntax: EXERCISE Build the parse tree of the following formula: A[pU q] (AF( EGr)) AU AF p q EG r A simple introduction to CTL and model checking Slide 11

CTL Syntax: EXERCISE Is it a wff? Why? 1. EFGr 2. A G p 3. A[pU(EFr)] 4. F[rUq] 5. EF(rUq) 6. AEFr 7. A[rUA[pUq]] 8. A[(rUq) (pur)] A simple introduction to CTL and model checking Slide 12

CTL Syntax: EXERCISE Answers 1. EFGr NO 2. A G p NO 3. A[pU(EFr)] YES 4. F[rUq] NO 5. EF(rUq) NO 6. AEFr NO 7. A[rU A[pU q]] YES 8. A[(rUq) (pur)] NO A simple introduction to CTL and model checking Slide 13

CTL Semantics You should be able to identify well-formed CTL formulae. Now: how to evaluate formulae, i.e., how to decide whether or not a formula is true. A simple introduction to CTL and model checking Slide 14

CTL Semantics You should be able to identify well-formed CTL formulae. Now: how to evaluate formulae, i.e., how to decide whether or not a formula is true. You should know the meaning of tautology and unsatisfiable formulae: AG(p p) : tautology AG(p p): unsatisfiable A simple introduction to CTL and model checking Slide 14

CTL Semantics You should be able to identify well-formed CTL formulae. Now: how to evaluate formulae, i.e., how to decide whether or not a formula is true. You should know the meaning of tautology and unsatisfiable formulae: AG(p p) : tautology AG(p p): unsatisfiable But what about EFp? it may be true or not, depending on how we evaluate formulae. A simple introduction to CTL and model checking Slide 14

CTL Semantics: transition systems We evaluate formulae in transition systems. A transition system model a system by means of states and transitions between states. Formally: A transition system M = (S, R t, L) is a set of states S with a binary relation R t S S and a labelling function L : S 2 AP (AP is a set of atomic propositions, see above). The relation R t is serial, i.e., for every state s S, there exists a state s s.t. sr t s. A simple introduction to CTL and model checking Slide 15

CTL Semantics: transition systems An example M = (S, R t, L) p,q s 0 s 2 q,r s 1 r Here S = {s 0, s 1, s 2 }, R t = {(s 0, s 1 ), (s 0, s 2 ), (s 1, s 0 ), (s 1, s 2 ), (s 2, s 2 )}, and L(s 0 ) = {p, q}, L(s 1 ) = {q, r}, L(s 2 ) = {r}. A simple introduction to CTL and model checking Slide 16

CTL semantics: from transition systems to computation paths It is useful to visualise all possible computation paths by unwinding the transition system: p,q s 0 s 2 q,r s 1 r p,q s 0 r s 2 r s 2 s 2 s 2 q,r s 1 r rs 2 r A simple introduction to CTL and model checking Slide 17

CTL semantics: computation paths EXERCISE Unwind the following transition systems s 0 p,q s 2 r q,r s 1 q,r s 3 A simple introduction to CTL and model checking Slide 18

CTL semantics: computation paths EXERCISE SOLUTION s 0 p,q q,r s 1 s 2 r p,q s 3 q,r s 0 q,r s 1 s 2 r s 3 q,r p,q 3 s 3 q,rs q,r s 0 A simple introduction to CTL and model checking Slide 19

Short summary You should be able to recognise well-formed CTL formulas. You know what a transition system is (M = (S, R t, L)). You know how to unwind a transition system and obtain computation paths. Next: Given a CTL formula ϕ and a transition system M, establish whether or not ϕ is true at a given state s in M, written as: M, s = ϕ A simple introduction to CTL and model checking Slide 20

CTL semantics (finally!) Let M = (S, R t, L) be a transition system (also called a model for CTL). Let ϕ be a CTL formula and s S. M, s = ϕ is defined inductively on the structure of ϕ, as follows (I m using the first transition system of today as an example on the board): M, s = M, s = M, s = p iff p L(s) M, s = ϕ iff M,s = ϕ M, s = ϕ ψ iff M,s = ϕ and M, s = ϕ M, s = ϕ ψ iff M,s = ϕ or M,s = ϕ A simple introduction to CTL and model checking Slide 21

CTL Semantics (temporal operators) M, s = AXϕ iff s s.t. sr t s, M,s = ϕ M, s = EXϕ iff s s.t. sr t s and M, s = ϕ M, s = AGϕ iff for all paths (s, s 2, s 3, s 4,...) s.t. s i R t s i+1 and for all i, it is the case that M, s i = ϕ M, s = EGϕ iff there is a path (s, s 2, s 3, s 4,...) s.t. s i R t s i+1 and for all i it is the case that M, s i = ϕ M, s = AFϕ iff for all paths (s, s 2, s 3, s 4,...) s.t. s i R t s i+1, there is a state s i s.t. M, s i = ϕ M, s = EFϕ iff there is a path (s, s 2, s 3, s 4,...) s.t. s i R t s i+1, and there is a state s i s.t. M, s i = ϕ A simple introduction to CTL and model checking Slide 22

CTL Semantics (temporal operators) M, s = A[ϕUψ] iff for all paths (s, s 2,s 3, s 4,...) s.t. s i R t s i+1 there is a state s j s.t. M, s j = ψ and M,s i = ψ for all i < j. M, s = E[ϕUψ] iff there exists a path (s, s 2, s 3,s 4,...) s.t. s i R t s i+1 and there is a state s j s.t. M, s j = ψ and M,s i = ψ for all i < j. A simple introduction to CTL and model checking Slide 23

CTL semantics: EXERCISE Consider the following transition system: s 0 p,q s 2 r q,r s 1 q,r s 3 Verify whether or not: (1) M, s 0 = EX( p); (2) M, s 0 = EXEG(r); (3) M, s 1 = AG(q r); (4) M, s 2 = A[rUq]; (5) M, s 1 A[qUAG(r)]; (6) M, s 1 E[qUEG(r)]; (7) M, s 0 = EG(q); (8) M, s 1 = EFAG(q). A simple introduction to CTL and model checking Slide 24

CTL semantics: EXERCISE SOLUTIONS (1) YES; (2) YES; (3) YES ; (4) YES; (5) NO (because AG(r) is never true if you keep looping between s 0 and s 1 ); (6) YES; (7) YES; (8) YES. A simple introduction to CTL and model checking Slide 25

Equivalences between CTL formulas In the syntax of CTL we introduced all the operators AX, EX, AF, EF, AG, EG, AU, and EU. However, some formulas are equivalent: AXϕ EX ϕ AGϕ EF ϕ AF ϕ EG ϕ Moreover, EFϕ E[ Uϕ]. Therefore, only three operators are required to express all the remaining: EX, EG, EU (this is called an adequate set of operators. This is useful when developing algorithms for model checking. A simple introduction to CTL and model checking Slide 26

Specification patterns Temporal logics are useful to express requirements of systems. Typically, requirements have common and recurring patterns. For instance, two example of patterns: Liveness: Something good will eventually happen. For instance: Whenever any process requests to enter its critical section, it will eventually be permitted to do so. In CTL: AG(request AF(critical)) Safety: Nothing bad will happen. For instance, Only one process is in its critical section at any time. In CTL (with 2 processes only): AG( (critical 1 critical 2 )) A simple introduction to CTL and model checking Slide 27

Specification patterns: EXERCISE Write in CTL the following requirements: 1. From any state it is possible to get a reset state 2. Event p precedes s and t on all computation paths (try to encode the negation of this). 3. On all computation paths, after p, q is never true. A simple introduction to CTL and model checking Slide 28

Specification patterns: EXERCISE Write in CTL the following requirements: 1. From any state it is possible to get a reset state 2. Event p precedes s and t on all computation paths (try to encode the negation of this). 3. On all computation paths, after p, q is never true. 1. AGEF(reset) 2. The negation: there exists in the future a state in which p follows s t: EF((s t) EF(p)). Its negation: EF((s t) EF(p)) AG( ((s t) EF(p))) 3. AG(p ( EF(q))) A simple introduction to CTL and model checking Slide 28

Summary You are able to recognise and write well-formed CTL formulas. You are able to unwind a transition system in computation paths. You are able to evaluate whether or not a given CTL formula is true at a given state of a transition system M. You are able to recognise (simple) equivalent CTL formulas. You are able to translate simple requirements from plain English into CTL syntax. A simple introduction to CTL and model checking Slide 29

Model checking algorithms A simple introduction to CTL and model checking Slide 30

Model checking CTL: introduction We have seen very simple example in these slides. However, real systems may be composed of hundred of thousand states. Efficient algorithms are needed to verify M, s = ϕ. We will see example of systems using NuSMV (a model checker) later in the course. How do you verify a formula in a model? What we did: unwind the transition system M. However, a computer cannot check infinite data structures: we need to check finite data structure. Next: an algorithm to compute the set of states of a model M in which ϕ holds, the labelling algorithm. A simple introduction to CTL and model checking Slide 31

The labelling algorithm INPUT: a CTL model M = (S, R t, L) and a CTL formula ϕ. OUTPUT: the set of states of M which satisfy ϕ. Sketch: (1) express ϕ using the adequate set of operators EX, EG, EU; (2) operate recursively on the structure of ϕ, starting from sub-formulas. A simple introduction to CTL and model checking Slide 32

The labelling algorithm, informally Suppose all the subformulas of ϕ have already been labelled. If ϕ is: p: label s with p if p L(s). ϕ 1 ϕ 2 : label s with ϕ 1 ϕ 2 if s is already labelled both with ϕ 1 and ϕ 2. ϕ 1 : label s with ϕ 1 if s is not already labelled with ϕ 1. EXϕ 1 : label s with EXϕ 1 if one of its successor is labelled with ϕ 1. A simple introduction to CTL and model checking Slide 33

The labelling algorithm for EG If ϕ is EGϕ 1 : Label all states with EGϕ 1. If any state s is not labelled with ϕ 1, delete the label EGϕ 1. Repeat: delete the label EGϕ from any state if none of its successors is labelled with EGϕ 1, until there is no change. If ϕ is E[ϕ 1 Uϕ 2 : see book. See the code at page 227 of the book for the procedure SAT(ϕ) (the pages 225 231 are optional). A simple introduction to CTL and model checking Slide 34

Summary You should be able to understand and to solve exercises about: CTL syntax and parse trees. CTL semantics: transition systems, computation paths, establish whether or not a formula is true at a state in a model. Recognise (simple) equivalent formulas. Formalise in CTL temporal requirements expressed in plain English. Basic ideas about model checking algorithms. A simple introduction to CTL and model checking Slide 35

Additional material if you are interested in the subject All chapter 3 of the book is worth reading (it introduces LTL and CTL* and the details of model checking algorithms). M. B. Dwyer and G. S. Avrunin and J. C. Corbett, Property Specification Patterns for Finite-State Verification, Proceedings of FSMP, 1998. E. M. Clarke and O. Grumberg and D. A. Peled, Model Checking, The MIT Press, 1999. F. Raimondi, Model Checking Multi-Agent Systems, PhD thesis 2006. Please feel free to contact me for further information. A simple introduction to CTL and model checking Slide 36

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback