About ACTL-W and the implementation of a BDD based model checker ISTI, Pisa Robert Meolic Faculty of...
27
About ACTL-W and the About ACTL-W and the implementation of a BDD implementation of a BDD based model checker based model checker ISTI, Pisa Robert Meolic Faculty of EE&CS, Maribor, Slovenia Friday, Februar 13, 2004
-
Upload
veronica-owens -
Category
Documents
-
view
216 -
download
0
Transcript of About ACTL-W and the implementation of a BDD based model checker ISTI, Pisa Robert Meolic Faculty of...
About ACTL-W and the About ACTL-W and the implementation of a BDD based implementation of a BDD based
model checkermodel checker
ISTI, Pisa
Robert MeolicFaculty of EE&CS, Maribor, Slovenia
Friday, Februar 13, 2004
2/27
About our work on this project definition of new action-based temporal logic, fixed point characterisation, global model checking,
witnesses and counterexamples, EST - a free, open source tool incorporating ACTL-W.
About ACTL-W and the About ACTL-W and the implementation of a BDD based implementation of a BDD based
model checkermodel checker
About this presentation an introduction of ACTL-W, ACTL-W versus ACTL proposed in 1990, a short overview of a BDD-based ACTL-W model checker demonstration of EST under Windows.
3/27
Labelled Transition System
States: p0, p1, p2, p3
Actions: a!, b!, c!,
A labelled transition system is a 4-tuple L = (S, A, , s0) where:
• S is a non-empty set of states;
• A is a finite, non-empty set of actions containing visible actions and silent action not visible to an external observer;
• S A S is the transition relation;
• s0 is the initial state.
4/27
A path in the LTS
• st (, 0) is the first state on the path ,
• st (, i ) is a state reached after the i-th transition on (i 1),
• act (, i ) is an action executed during the i-th transition on (i
1).
5/27
Action-based temporal logic
- state - transition (’, ’) - transition
• A state where state formula holds is called -state;
• a transition (p, a, q) where action formula holds for action a is called -transiton;
• a -transition (p, a, q) where state formula holds in state q is called (, )-transition.
6/27
Computation Tree Logic (CTL)
7/27
The idea of Action CTL
E[ {} U {’} ’] A[ {} U {’} ’]
EX {} AX {}
8/27
The idea of Action CTL (cont.)
EX {}
EF {}
EG {}
9/27
Definition of ACTL-W (2003)
U = Until W = Unless (Weak Until)
τAα
ACTL-W = Action CTL with Unless Operator
10/27
ACTL-W operators
11/27
Deadlocked states• In a deadlocked state, formulae E[ {} W {’} ’], A[{} W {’} ’], EG {}, and AG {} hold iff the state is a -state.
• Formulae E[ {} U {’} ’], A[{} U {’} ’], EX {} , AX {} , EF {} , and AF {} , do not hold in a deadlocked state.
• If there exists a finite fullpath starting in state p which is an empty fullpath or consists only of (, ) -transitions, then ACTL formulae E[ {} W {’} ’] and EG {} hold in state p iff p is a -state.
• If there exists a finite fullpath starting in state p which is an empty fullpath or consists only of transitions which are not (’, ’) -transitions, then ACTL formulae A[{} U {’} ’] and AF {’} ’ do not hold in state p.
12/27
Even better definition of ACTL-W
Strict ACTL-W operators allow a more elegant definition of semantics and also more structured model checking algorithms.
E[ {} U {’} ’] = E[ {} U {’} ’]
E[ {} W {’} ’] = E[ {} W {’} ’]
EG {} = EG {}
:== [ {} U {’} ’] | [ {} W {’} ’]
13/27
Useful abbreviations
Equal to CTL !
14/27
Adequate sets of ACTL-W operators
1. By definition: EU, EW, AU, AW
2. An important adequate set: EU, EG, AW, AF
CTL:CTL:Usually used adequate set has 3 elements (EX, EG, EU)Minimal adequate set has 2 elements (EU >, AU >)
ACTL-W:ACTL-W: Minimal adequate set has 4 elements!
we do not have a formal proof, yet
15/27
ACTL-W Model Checking
E[ {} U {’} ’] is valid if there exists the following path:
EG {} is valid if there exists the following path:
16/27
ACTL-W Model Checking (cont.)
A[ {} W {’} ’] is not valid if there exists the following path:
AF {} is not valid if there exists the following path:
17/27
ACTL-W versus ACTL
The converse is not true:There exists a path consisting only of -transitions such that in all states on this path action a can be performed.
EG (EX {a}) {}
we do not have a formal proof, yet
ACTL was introduced by R. De Nicola and F. Vaandrager in 1990;
ACTL-W can render all formulae expressible in ACTL.
18/27
Conclusion of the first part
http://lms.uni-mb.si/EST/
Efficient Symbolic Tools
GNU General Public License, Linux, MS Windows, Solaris
• ACTL-W is a new, enriched variant of Action CTL.• Using ACTL-W, the properties can be expressed with patterns similar to those used with CTL.• ACTL-W model checking and counterexamples generation can be implemented using fixed point calculation.• We have incorporated ACTL-W in a BDD-based tool EST.
19/27
A BDD based model checker
You have: a BDD package with:
Bdd_ITE (f, g, h), Bdd_Cmp (f, g), Bdd_E (f, var), Bdd_A(f, var), Bdd_Rename(f, var1, var2), Bdd_Restrict(f, var, const), Bdd_Compose(f, var, g)
a process algebra package (or LTS package) with: Pa_ReadProcess (FILE), Pa_EncodeProcess (name), Pa_ExtractState (set), Pa_ExtractTransition (set)
transitions encoded as (r, a, s)
You want to implement symbolic model checker.
20/27
BNF for ACTL-W <ACTL> ::= 'FALSE' | 'TRUE'
<ACTL> ::= 'E' '[' <LEFT> 'U' <RIGHT> ']'
<ACTL> ::= 'A' '[' <LEFT> 'U' <RIGHT> ']'
<ACTL> ::= 'E' '[' <LEFT> 'W' <RIGHT> ']'
<ACTL> ::= 'A' '[' <LEFT> 'W' <RIGHT> ']'
<ACTL> ::= 'EX' <RIGHT> | 'AX' <RIGHT>
<ACTL> ::= 'EF' <RIGHT> | 'AF' <RIGHT>
<ACTL> ::= 'EG' <LEFT> | 'AG' <LEFT>
<ACTL> ::= '(' <ACTL> ')' | 'NOT' <ACTL> |
<ACTL> 'AND' <ACTL> | <ACTL> 'OR' <ACTL> |
<ACTL> 'EQV' <ACTL> | <ACTL> 'IMPL' <ACTL>
<LEFT> ::= <ACTL> | <ACTL> '{' <ACTION> '}' | '{' <ACTION> '}'
<RIGHT> ::= <ACTL> | '{' <ACTION> '}' <ACTL> | '{' <ACTION> '}'
<ACTION> ::= 'FALSE' | 'TRUE' | 'TAU' | visible_action
<ACTION> ::= '(' <ACTION> ')' | 'NOT' <ACTION> |
<ACTION> 'AND' <ACTION> | <ACTION> 'OR' <ACTION> |
<ACTION> 'IMPL' <ACTION> | <ACTION> 'EQV' <ACTION>
21/27
Symbolic model checking
operationson
LTSs
operationson
Boolean functions
operationson
BDDs
22/27
Function Mc_CheckEEU: E[ {} U {’} ’]
Bdd_Edge Mc_CheckEEU(Bdd_Edge D, Bdd_Edge s1, Bdd_Edge a1, Bdd_Edge a2, Bdd_Edge s2) { Bdd_Edge last,Z,tmp1,tmp2,tmp3;
/* IF THERE ARE NO TRANSITIONS IN THE PROCESS */ if (Bdd_Cmp(D,bdd_termFalse)) return bdd_termFalse;
/* LEAST FIXED POINT CALCULATION */ last = bdd_termNull; Z = bdd_termFalse; while (!Bdd_Cmp(Z,last)) { last = Z; tmp1 = Bdd_AND(a1,Z); tmp2 = Bdd_AND(a2,s2); tmp3 = Bdd_OR(tmp1,tmp2); tmp3 = Bdd_R2S(tmp3); tmp3 = Bdd_AND_ExAS(D,tmp3); tmp3 = Bdd_AND(s1,tmp3); Z = tm3; } return Z;}
transition relation
’
’
z
’’
EX+(… V …)
S
23/27
Function Mc_CheckEEU - some details
Let L = (S, A, , s0) be a finite-state LTS.We introduce a formula EX+V ’’), which holds in a state p iff there exists either a (, ) -transition or a (, ) -transition from state p.
This new operator help us to express a fixed point formula for EU:
24/27
EST - An example
The crossing consists of two barriers and train traffic lights.
1. The barriers have to be kept down when the train crosses.
2. The train can cross only if the traffic lights are green,
otherwise it has to stop.
A crossing of a road and a railway
25/27
EST - An example (cont.)
26/27
Conclusion
My work during my stay at ISTI: to study ACTL, mu-ACTL and ACTL-W in details; to give an axiomatisation for ACTL-W (based on work of S. Gnesi); to study counterexample and witnesses for ACTL, its subsets and
extensions, especially interested in counterexample and witness automata for CTL, ACTL (based on work of A. Fantechi);
to implement a BDD-based algorithms for counterexample and witness automata and to integrate it into EST and JACK.
27/27
About ACTL-W and the About ACTL-W and the implementation of a BDD based implementation of a BDD based
model checkermodel checker
Thank you!
