Hoare Logic and Model Checking. LTL and CTL: a perspective. Learning outcomes. Model Checking Lecture 12: Loose ends

Similar documents
Symbolic CTL Model Checking

Computation Tree Logic vs. Linear Temporal Logic. Slides from Robert Bellarmine Krug University of Texas at Austin

Computational Tree Logic and Model Checking A simple introduction. F. Raimondi

Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

Linear-Time vs. Branching-Time Properties

Lecture 7: Computation Tree Logics

Choice of Temporal Logic Specifications. Narayanan Sundaram EE219C Lecture

MS&E 226: Small Data

Artificial intelligence (and Searle s objection) COS 116: 4/29/2008 Sanjeev Arora

A Constraint-based Approach to Medical Guidelines and Protocols

Speaker Notes: Qualitative Comparative Analysis (QCA) in Implementation Studies

Lecture 2: Foundations of Concept Learning

Intro to Theory of Computation

CMU SCS CMU SCS CMU SCS CMU SCS

Remarks on Bayesian Control Charts

Chapter 2. Knowledge Representation: Reasoning, Issues, and Acquisition. Teaching Notes

The Semantics of Intention Maintenance for Rational Agents

Some Connectivity Concepts in Bipolar Fuzzy Graphs

A Computational Theory of Belief Introspection

Measuring association in contingency tables

Cayley Graphs. Ryan Jensen. March 26, University of Tennessee. Cayley Graphs. Ryan Jensen. Groups. Free Groups. Graphs.

LECTURE 5: REACTIVE AND HYBRID ARCHITECTURES

My experiences with Haskell as a person with Asperger s Syndrome

THE ANALYTICS EDGE. Intelligence, Happiness, and Health x The Analytics Edge

Supplement 2. Use of Directed Acyclic Graphs (DAGs)

INVESTIGATING FIT WITH THE RASCH MODEL. Benjamin Wright and Ronald Mead (1979?) Most disturbances in the measurement process can be considered a form

An Interval-Based Representation of Temporal Knowledge

Representation Theorems for Multiple Belief Changes

Hypothesis-Driven Research

Formal Methods for Biological Systems: Languages, Algorithms, and Applications

What Happened to Bob? Semantic Data Mining of Context Histories

CPSC 121 Some Sample Questions for the Final Exam

Extracting Runtime Monitors from Tests: An Introduction

Selecting a research method

Ways of counting... Review of Basic Counting Principles. Spring Ways of counting... Spring / 11

Connectivity in a Bipolar Fuzzy Graph and its Complement

Comprehensive Mitigation Framework for Concurrent Application of Multiple Clinical Practice Guidelines

Structural Equation Modeling (SEM)

DEVELOPING THE RESEARCH FRAMEWORK Dr. Noly M. Mascariñas

Selection and Combination of Markers for Prediction

Online Identity and the Digital Self

PLC Fundamentals. Module 4: Programming with Ladder Logic. Academic Services Unit PREPARED BY. January 2013

COMP 516 Research Methods in Computer Science. COMP 516 Research Methods in Computer Science. Research Process Models: Sequential (1)

Modeling Agents as Qualitative Decision Makers

ICS 606. Intelligent Autonomous Agents 1. Intelligent Autonomous Agents ICS 606 / EE 606 Fall Reactive Architectures

INFERENCING STRATEGIES

Examples of Feedback Comments: How to use them to improve your report writing. Example 1: Compare and contrast

Answers to Midterm Exam

Reference Dependence In the Brain

ARTIFICIAL INTELLIGENCE

Artificial Intelligence Programming Probability

Goal Recognition through Goal Graph Analysis

A Spreadsheet for Deriving a Confidence Interval, Mechanistic Inference and Clinical Inference from a P Value

Hierarchical FSM s with Multiple Concurrency Models

Announcements. Perceptual Grouping. Quiz: Fourier Transform. What you should know for quiz. What you should know for quiz

Two-sample Categorical data: Measuring association

vanhelsing: A Fast Proof Checker for Debuggable Compiler Verification

Visual Design. Simplicity, Gestalt Principles, Organization/Structure

Automated Conflict Detection Between Medical Care Pathways

High-level Vision. Bernd Neumann Slides for the course in WS 2004/05. Faculty of Informatics Hamburg University Germany

Part I. Boolean modelling exercises

Exploring Experiential Learning: Simulations and Experiential Exercises, Volume 5, 1978 THE USE OF PROGRAM BAYAUD IN THE TEACHING OF AUDIT SAMPLING

The GCD of m Linear Forms in n Variables Ben Klein

Why did the network make this prediction?

CISC453 Winter Probabilistic Reasoning Part B: AIMA3e Ch

Student Performance Q&A:

Enumerative and Analytic Studies. Description versus prediction

Appendix I Teaching outcomes of the degree programme (art. 1.3)

A Unified View of Consequence Relation, Belief Revision and Conditional Logic

TITLE: A LOGICAL APPROACH TO FORMALISING NEGOTIATION IN MULTI-AGENT SYSTEMS

ANA and Antibody Series Changes in ANA and Antibody Levels in Scleroderma

EPSE 594: Meta-Analysis: Quantitative Research Synthesis

Part I - Multiple Choice. 10 points total.

Designing a Web Page Considering the Interaction Characteristics of the Hard-of-Hearing

Progress in Risk Science and Causality

Understanding Minimal Risk. Richard T. Campbell University of Illinois at Chicago

Investigations in Number, Data, and Space, Grade 4, 2nd Edition 2008 Correlated to: Washington Mathematics Standards for Grade 4

Chapter 3 Software Packages to Install How to Set Up Python Eclipse How to Set Up Eclipse... 42

Comparing Proportions between Two Independent Populations. John McGready Johns Hopkins University

Artificial Intelligence For Homeopathic Remedy Selection

A Brief Introduction to Bayesian Statistics

The UML/MARTE Verifier

The Regression-Discontinuity Design

Artificial Intelligence and Human Thinking. Robert Kowalski Imperial College London

Evolutionary Programming

SOCIAL AND CULTURAL ANTHROPOLOGY

Audio: In this lecture we are going to address psychology as a science. Slide #2

Plan Recognition through Goal Graph Analysis

On Test Scores (Part 2) How to Properly Use Test Scores in Secondary Analyses. Structural Equation Modeling Lecture #12 April 29, 2015

STA Module 9 Confidence Intervals for One Population Mean

Logical formalization of social commitments: Application to agent communication languages

Global Harmonization Task Force SG3 Comments and Recommendations ISO/DIS 9001: 2000 and ISO/DIS 9000: 2000 And Revision of ISO and 13488

Agents and Environments


Identification of Tissue Independent Cancer Driver Genes

Pancreatic Cancer Research and HMGB1 Signaling Pathway

On the Effectiveness of Specification-Based Structural Test-Coverage Criteria as Test-Data Generators for Safety-Critical Systems

Bayesian (Belief) Network Models,

IEEE SIGNAL PROCESSING LETTERS, VOL. 13, NO. 3, MARCH A Self-Structured Adaptive Decision Feedback Equalizer

Transcription:

Learning outcomes Hoare Logic and Model Checking Model Checking Lecture 12: Loose ends Dominic Mulligan Based on previous slides by Alan Mycroft and Mike Gordon Programming, Logic, and Semantics Group University of Cambridge By the end of this lecture, you should: Understand the relative expressive power of LTL and CTL Understand the relation between LTL, CTL, and CTL Understand the state-space explosion problem Know a little about some common model-checking optimisations Academic year 2016 2017 1 2 Relative expressivity of LTL and CTL LTL and CTL: a perspective We have seen two widely used temporal logics How do they compare? Both have very different models of time But perhaps there s a clever way of compiling one into the other? 3

Relative expressivity of LTL and CTL Properties expressible in LTL but not CTL Simple answer: LTL and CTL are incomparable LTL is not a superset of CTL, nor is CTL a superset of LTL There exist temporal properties: that can be expressed in LTL but not CTL, that can be expressed in CTL but not LTL, that can be expressed in both, that can be expressed in neither. Consider the LTL formula p q Intuitively: all paths that have a p along them also have a q Property is inexpressible in CTL as all path formulae are guarded Consider the candidate CTL formula: p q Intuitively: if all paths have a p, then all paths have a q We will now examine these four cases 4 5 Properties expressible in CTL but not LTL A common subset of LTL and CTL Consider the CTL formula (p q) Consider the LTL formula (p q) Consider the CTL formula p Intuitively: in all future states, it s always possible to reach p Property is inexpressible in LTL Cannot express existence of states in LTL (generally) These express the same property Intuitively: any p is eventually followed by a q Warning: (p q) obtained from (p q) by dropping, doing this does not always lead to equivalent formulae, Φ in CTL and φ in LTL are not equivalent! 6 7

Properties expressible in neither LTL and CTL Question Consider the formula p Intuitively: there is a path with infinitely many p This is not expressible in CTL or LTL If last formula not expressible in LTL or CTL, what is it expressible in? LTL cannot quantify over paths Complex proof for this not being expressible in CTL 8 9 CTL CTL grammar Define CTL state formulae by: Both LTL and CTL are fragments of another temporal logic: CTL CTL has both path and state formulae like CTL But path formulae can refer to state formulae, and vice versa Φ, Ψ ::= p ::= Φ Ψ Φ Ψ Φ ::= φ ψ Define CTL path formulae by: φ, ψ ::= Φ φ ::= φ ψ φ ψ ::= φ UNTIL ψ φ φ φ Similar to CTL: but Φ embedded in path formulae 10 11

LTL and CTL as fragments of CTL When to use LTL, when to use CTL? LTL formulae are: CTL path formulae φ where all state subformulae are atomic Preceded by a universal quantifier CTL formulae are obtained by restricting CTL path formulae: φ, ψ ::= Φ Φ Φ Φ UNTIL Ψ for Φ, Ψ state formulae CTL and LTL (and CTL ) have different expressive powers So: when to use CTL, when to use LTL? Answer: it depends : Depends on system being modelled Depends on properties we are interested in Our particular biases (debate similar to editor wars) 12 13 CTL advantages LTL advantages More modern model checkers use linear time model Some say model checking CTL is computationally more efficient than LTL Complexity of CTL model checking is linear, versus exponential for LTL CTL model checking has been applied successfully in industry If required to assert existence of states, or similar, use CTL LTL often seen as more intuitive than CTL: We found only simple CTL equations to be comprehensible; nontrivial equations are hard to understand and prone to error Formal verification made easy, 1997 CTL is difficult to use for most users and requires a new way of thinking about hardware On the fly model checking of RCTL formulas, 1998 14 15

Complexity, revisited Note following theorem (Clarke and Draghicescu): Let Φ be a CTL formula and φ an LTL formula obtained from Φ by deleting all path quantifiers. Then Φ φ or there does not exist any LTL formula equivalent to Φ. Equivalent properties are expressed by shorter LTL formulae (if they Abstraction exist) In fact, formulae may be exponentially shorter in LTL than equivalents So direct comparison of running times may be misleading Debate rages on... 16 State space explosion problem Abstraction Suppose we have a huge model can we simplify it somehow? A key problem with model checking is state space explosion problem As systems become larger, size of models can grow exponentially Puts a limit on what systems are feasible to verify with today s computers Motivates many optimisations to reduce size of models One way of doing this is to use abstraction Write M M when: To each step of M there is a corresponding step of M Atomic properties of M correspond to atomic properties of M Intuitively, if M M then M is simpler view of M If M M say M is abstraction of M 17 18

Example Note Suppose M 1 = S 1, S 1 0, 1, L 1 and M 2 = S 2, S 2 0, 2, L 2 where: S 2 S 1 S0 2 = S0 1 s 2 t iff s 1 t for all s, t in S 2 L 1 (s) = L 2 (s) for all s in S 2 and S 2 contains all reachable states in M: for all s S 2, for all t S 1, s 1 t implies t S 2 Note in last example all M 1 paths from initial states are M 2 paths Hence M 2 = φ implies M 1 = φ But now M 2 = φ is a simpler problem, as M 2 is smaller model Can this observation be generalised? Then M 1 M 2 19 20 Simulations between models Simulation preorder on models Fix M 1 = S 1, S 1 0, 1, L 1 and M 2 = S 2, S 2 0, 2, L 2 Assume models are over same set of atomic propositions Call a relation H S 1 S 2 a simulation between M 1 and M 2 when: To each step of 1 there is a corresponding step of 2 Steps lead to H-related states If H s t then s 1 s implies there exists t where t 2 t and H s t Fix M 1 = S 1, S0, 1 1, L 1 and M 2 = S 2, S0, 2 2, L 2 Then M 1 M 2 if: There exists a simulation H between M 1 and M 2 For all s in S0, 1 exists s S0 2 such that H s s L 1 (s) = L 2 (s ) whenever H s s This is a preorder on models (i.e. reflexive and transitive) 21 22

ACTL subset of CTL Counter-example guided abstract refinement Define ACTL as the existential-free subset of CTL Useful fragment of CTL Example: p can reach p from anywhere Theorem: if M 1 M 2 then M 2 = φ implies M 1 = φ Note: if M 2 = φ fails then not necessarily the case M 1 = φ fails May be a spurious counterexample that does not hold in M 1 CEGAR is a technique to automatically develop refinements Suppose we are trying to show M = φ Then: Generate an initial abstraction of M called M Check whether M = φ If so, we are done per the above theorem Otherwise refine the model abstraction, and repeat Microsoft s SLAM device driver verifier uses CEGAR 23 24 Symbolic model checking Recall CTL model checking algorithm Other optimisations Relies on enumerative presentation of transition system System explicitly given by predecessor/successor set of each state When models are huge, this is not efficient How to make this more efficient? 25

Symbolic models Symmetry reduction example Consider a model: Idea: represent states, transition relations, and so on symbolically Recall Ordered Binary Decision Diagrams from Logic and Proof : a Canonical way of representing boolean functions Efficient operations over boolean functions b a b Represent model as a boolean formula, represented as an OBDD Alter CTL model checking algorithm to work with OBDDs Model is now never explicitly enumerated, but represented implicitly a Very common optimisation in modern model checkers Note how model is symmetric vertically... 26 27 Symmetry reduction Other optimisations More generally models may: Have repeated subcomponents Be symmetric Have similar repeated structures If we could detect these, then could reduce size of model Symmetries can be reduced in two ways: Requiring explicit annotations by user to spot symmetries Trying to use insights from group theory to automatically spot symmetries Lots of active work making model checking: Faster Feasible on ever-larger models Check out the Model Checking Competition and the Hardware Model Checking Competition Represent state-of-the-art in model checking Cutting edge optimisations implemented there, first Automatically spotting symmetries very hard, under active research 28 29

Lecture 1: overview Course conclusion You should know: importance of formal methods when to use model checking over other formal methods, the importance of temporal properties in system specification how to model systems as a transition system 30 LTL: overview CTL: overview You should know: the linear model of time, LTL syntax and semantics LTL model checking is a language problem, and basics of automata-based model checking exponential time complexity for LTL model checking You should know: the branching model of time, CTL syntax and semantics, important CTL equivalences, and normal forms, CTL model checking is a reachability problem naïve recursive labelling algorithm for CTL linear time complexity for CTL model checking 31 32

Loose ends: overview You should know: the incomparable expressiveness of LTL and CTL, LTL and CTL s relation to CTL CEGAR, abstraction, and a high-level view of other optimisations in model checking The End! (Good luck with the exam...) 33 34

2024 © healthdocbox.com Privacy Policy | Terms of Service | Feedback