CSE 522 Model-based Development (2) Some of the slides were based on lectures by Lee & Seshia (UC...
CSE 522 Model-based Development (2)
Some of the slides were based on lectures by Lee & Seshia (UC Berkeley) and Fainekos (ASU)
Computer Science & Engineering Department, Arizona State University
Tempe, AZ 85287
Dr. Yann-Hang [email protected] (480) 727-7507
Temporal Logic
Temporal logic is any system of rules and symbolism for representing, and reasoning about, propositions qualified in terms of time.
It extends a classical propositional or predicate logic with temporal quantifiers: "I am always hungry", "I will eventually be hungry", "I will be hungry until I eat something".
A single type of model is considered: a transition system (finite state machine).
It is used to express and verify properties of system dynamics:
• Safety (invariance): nothing bad will happen
• Liveness: something good will happen
Invariants
The simplest form of a temporal logic property.
Definition: a property that is true of the system at all times (always).
Examples:
• "The program never dereferences a null pointer."
• "If a thread A blocks while trying to acquire a mutex lock, then the thread B that holds that lock must not be blocked attempting to acquire a lock held by A."
• "Whenever the reset signal is asserted the state machine shall move immediately to the ErrorReset state and remain there until the reset signal is de-asserted."
Pedestrian Light with Car Light
System invariant:
There is no pedestrian crossing when the traffic light (for the cars) is green
Pedestrian Light with Car Light
(Slide figure: the combined state space of the two lights, with the unsafe states marked.)
• Combine the states of the car light and the pedestrian light
• Is there a way to enter the unsafe states?
• Reachability
FSM Behavior
Each port p, for each reaction, takes a value from V_p ∪ {absent}, generating a sequence (or function)
s_p : N → V_p ∪ {absent}
Behavior: the assignment of signals to each input port such that an output sequence can be produced
• Observable trace ((x_i, y_i))_{i∈N}
• Execution trace ((x_i, s_i, y_i))_{i∈N}
The set of all behaviors of an FSM M is called the language of M and is denoted by L(M).
Garage Counter: Behavior
Behavior:
s_up = (present, absent, present, absent, present, …)
s_down = (present, absent, absent, present, absent, …)
s_count = (absent, absent, 1, 0, 1, …)
Execution trace:
τ = ((pres, pres), 0, abs) ((abs, abs), 0, abs) ((pres, abs), 1, 1) ...
Propositional logic
Concerned with relationships between propositions.
A proposition is a sentence whose truth depends on the current context.
In Boolean logic, a proposition can be either true or false (not both).
Atomic propositions: statements about an input, output, or state of a state machine. Examples:
formula      meaning
x            true if x is present
x = 1        true if x is present and has value 1
y = absent   true if y is absent
s            true if the machine is in state s
Propositions & Connectives
A compound proposition is formed using propositions and connectives:
• ¬ : not, or negation
• ∧ : and, or conjunction
• ∨ : or, or disjunction (one or the other or both)
• → : implies, or implication
• ↔ : if and only if, or biconditional
"y is present and the FSM is in state a." Propositions:
p1 := "y is present" := y
p2 := "the FSM is in state a" := a
Symbolic representation:
p1 ∧ p2 (read as "p1 and p2")
"If the FSM is in state a, then y is present." Propositions:
p1 = "y"
p2 = "the FSM is in state a"
Symbolic representation:
p2 → p1 (read as "if p2, then p1" or "p2 implies p1")
Equivalences through truth tables
p1  p2  p1∨p2  ¬p1  ¬p2  ¬p1∧¬p2  ¬(¬p1∧¬p2)
0   0   0      1    1    1        0
0   1   1      1    0    0        1
1   0   1      0    1    0        1
1   1   1      0    0    0        1
p1 ∨ p2 ≡ ¬(¬p1 ∧ ¬p2)
• Two compound propositions are logically equivalent if they have the same truth values for all the choices of truth values of the variables p, q, etc.
• We denote logical equivalence using the symbol ≡
Propositional Logic on Traces
A propositional formula p holds for a trace
q0, q1, q2, . . .
if and only if p is true for q0.
A trace q satisfies (does not satisfy) a formula φ starting at time i, written (q, i) ⊨ φ ((q, i) ⊭ φ).
An FSM M satisfies (does not satisfy) φ, written M ⊨ φ (M ⊭ φ), iff for all q in L_E(M) we have (q, 0) ⊨ φ, where L_E(M) contains all the execution traces of M.
Examples
(For the state machines M1 and M2 shown on the slide; i = 1, 2.)
1. Mi ⊨ b?
2. Mi ⊨ x y?
3. Mi ⊨ y?
Kripke Model
A Kripke model <S, I, R, AP, L> consists of a set of states S; a set of initial states I ⊆ S; a set of transitions R ⊆ S × S; a set of atomic propositions AP; a labeling function L : S → 2^AP.
A path in a Kripke model M from a state s0 is an infinite sequence of states
s0, s1, s2, . . .
such that (si, si+1) ∈ R for all i ≥ 0.
FSM to Kripke
K = <S × I, S0 × I, R, L>,
for any s ∈ S and i ∈ I:
(<s, i>, <s', i'>) ∈ R iff δ(s, i) = s'
L(<s, i>) = i ∪ s ∪ λ(s, i)
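The construction above, carried out in code. This is an added example, not code from the slides: the two-state FSM (input port x, output port y, transition function DELTA and output function LAMBDA) is constructed for the illustration, and `fsm_to_kripke` builds exactly the Kripke structure K = <S × I, S0 × I, R, L> of the slide, with the pair <s, i> as a Kripke state and the next input i' left free in R.

```python
PRESENT, ABSENT = "present", "absent"

# Constructed example FSM (not from the slides): one input port x, one output
# port y, states a and b.  x present toggles the state; y is emitted when the
# machine leaves a.
FSM_STATES = ["a", "b"]
FSM_INPUTS = [PRESENT, ABSENT]          # the input alphabet I (value of x)
FSM_INITIAL = ["a"]                     # S0
DELTA = {("a", PRESENT): "b", ("a", ABSENT): "a",
         ("b", PRESENT): "a", ("b", ABSENT): "b"}      # δ(s, i) = s'
LAMBDA = {("a", PRESENT): {"y"}, ("a", ABSENT): set(),
          ("b", PRESENT): set(), ("b", ABSENT): set()}  # λ(s, i) = output propositions

def fsm_to_kripke(states, inputs, initial, delta, lam, input_prop="x"):
    """K = <S x I, S0 x I, R, L> as on the slide.  A Kripke state is the pair
    <s, i>; (<s,i>, <s',i'>) is in R iff delta(s, i) = s' (the next input i' is
    unconstrained); L(<s,i>) = {s} | {input_prop if i is present} | lam(s, i)."""
    K_states = [(s, i) for s in states for i in inputs]
    K_initial = [(s, i) for s in initial for i in inputs]
    R = {(p, q) for p in K_states for q in K_states if delta[p] == q[0]}
    L = {}
    for (s, i) in K_states:
        labels = {s} | set(lam[(s, i)])
        if i == PRESENT:
            labels.add(input_prop)
        L[(s, i)] = frozenset(labels)
    return K_states, K_initial, R, L

def paths_of_length(K_initial, R, k):
    """All finite path prefixes s0 ... s(k-1) of the Kripke structure, following R."""
    succ = {}
    for (p, q) in R:
        succ.setdefault(p, []).append(q)
    paths = [[s] for s in K_initial]
    for _ in range(k - 1):
        paths = [path + [q] for path in paths for q in succ.get(path[-1], [])]
    return paths

def output_implies_input(L, out_prop="y", in_prop="x"):
    """Invariant over the labeling: every Kripke state that emits y has x present."""
    return all(in_prop in labels for labels in L.values() if out_prop in labels)

def build_example():
    return fsm_to_kripke(FSM_STATES, FSM_INPUTS, FSM_INITIAL, DELTA, LAMBDA)

if __name__ == "__main__":
    K_states, K_initial, R, L = build_example()
    for s in K_states:
        print(s, sorted(L[s]))
    print(len(R), "transitions;", len(paths_of_length(K_initial, R, 3)), "paths of length 3")
```

Because the input is folded into the Kripke state, every Kripke state has as many successors as there are input values; the labeling makes the input proposition x, the state name and the outputs all available to a temporal formula.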
Linear Temporal Logic (LTL)
LTL formulas: statements about an execution trace
q0, q1, q2, q3, . . .
p is a propositional logic formula and φ is either a propositional logic or an LTL formula.
Suffix: a suffix of a string x is a string z such that there exists a string y such that x = yz.
formula    mnemonic                      meaning
p          proposition                   p holds in q0
G(φ)       globally                      φ holds for every suffix of the trace
F(φ)       finally, future, eventually   φ holds for some suffix of the trace
X(φ)       next state                    φ holds for q1, q2, q3, . . .
φ1 U φ2    until                         φ1 holds for all suffixes of the trace until a suffix for which φ2 holds
Linear Temporal Logics: Semantic Intuition
a – a now
G a – always a
F a – eventually a
X a – next state a
a U b – a until b
a B b – a before b
(Slide figure: for each operator, a sample trace drawn position by position, with the letters a and b marking where the propositions hold and * marking don't-care positions.)
Propositional Linear Temporal Logic
LTL operators can apply to LTL formulas as well as to propositional logic formulas.
E.g. every input x is eventually followed by an output y:
G (x → Fy)
Globally (at any point in time), if x occurs, it is eventually followed by y.
(Slide figure: a trace with the position where x holds and the later position where y holds marked.)
Examples
(For the state machines M1 and M2 shown on the slide.)
1. M2 ⊨ G(x ∧ y)?
2. M2 ⊨ G(x y)?
3. M1 ⊨ Fb?
4. M2 ⊨ (Gx) (Fb)?
5. M2 ⊨ G(x Fb)?
6. M1 ⊨ x Xa?
7. M1 ⊨ G(x Xa)?
8. M2 ⊨ G(b Xa)?
9. M2 ⊨ a U x?
10. M2 ⊨ G(x) (aUx)?
Examples: What do they mean?
G F p              p holds infinitely often
F G p              Eventually, p holds henceforth
G( p → F q )       Every p is eventually followed by a q
G( p → (X X q) )   Every p is followed by a q two reactions later
Gφ = ¬F¬φ   (Fφ = ¬G¬φ)   Fφ = true U φ
Remember:
Gp   p holds in all states
Fp   p holds eventually
Xp   p holds in the next state
Model Checking in LTL
Safety: only one process is in its critical section at a time. "No two processes can be in the critical section at the same time."
  always not (CS1 and CS2): mutual exclusion
Liveness: whenever any process requests to enter its critical section it will eventually be permitted to do so. "Every request is eventually granted."
  always (Request implies eventually Grant)
"Every continuous request is eventually granted."
  always (Request implies (Request until Grant))
"Every repeated request is eventually granted."
  always (always eventually Request) implies eventually Grant
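The LTL semantics of the table above (G, F, X, U over suffixes) and the Request/Grant and mutual-exclusion formulas of this slide, evaluated on concrete traces. This is an added example, not code from the slides. Infinite traces are represented as a finite prefix plus a loop repeated forever (a "lasso"), which is enough because every suffix of such a trace starts at one of finitely many positions; the three Request/Grant traces are constructed, and the last formula of the slide is read as G((GF Request) → F Grant).

```python
class Lasso:
    """An infinite trace given as a finite prefix followed by a loop repeated
    forever; position i carries the set of atomic propositions true there."""

    def __init__(self, prefix, loop):
        assert loop, "the loop must be non-empty"
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        self.n, self.m = len(self.prefix), len(self.loop)

    def norm(self, i):
        """Map any position onto the n + m positions that have distinct suffixes."""
        return i if i < self.n else self.n + (i - self.n) % self.m

    def at(self, i):
        i = self.norm(i)
        return self.prefix[i] if i < self.n else self.loop[i - self.n]

    def future(self, i):
        """Positions i, i+1, ... in order, one representative per distinct suffix."""
        i = self.norm(i)
        ahead = list(range(i, self.n + self.m))
        if i >= self.n:                      # inside the loop: wrap around once
            ahead += list(range(self.n, i))
        return ahead

def holds(f, tr, i=0):
    """(tr, i) |= f for a formula f given as nested tuples:
    "p" | ("not", f) | ("and", f, g) | ("or", f, g) | ("implies", f, g)
        | ("G", f) | ("F", f) | ("X", f) | ("U", f, g)."""
    if isinstance(f, str):
        return f in tr.at(i)
    op = f[0]
    if op == "not":
        return not holds(f[1], tr, i)
    if op == "and":
        return holds(f[1], tr, i) and holds(f[2], tr, i)
    if op == "or":
        return holds(f[1], tr, i) or holds(f[2], tr, i)
    if op == "implies":
        return (not holds(f[1], tr, i)) or holds(f[2], tr, i)
    if op == "X":                            # holds for the suffix starting at q(i+1)
        return holds(f[1], tr, i + 1)
    if op == "G":                            # holds for every suffix
        return all(holds(f[1], tr, j) for j in tr.future(i))
    if op == "F":                            # holds for some suffix
        return any(holds(f[1], tr, j) for j in tr.future(i))
    if op == "U":                            # f1 holds until a suffix where f2 holds
        for j in tr.future(i):
            if holds(f[2], tr, j):
                return True
            if not holds(f[1], tr, j):
                return False
        return False
    raise ValueError("unknown operator %r" % op)

# Formulas from the slide (Request/Grant and mutual exclusion).
EVERY_REQUEST_GRANTED = ("G", ("implies", "Request", ("F", "Grant")))
EVERY_CONTINUOUS_REQUEST_GRANTED = ("G", ("implies", "Request", ("U", "Request", "Grant")))
EVERY_REPEATED_REQUEST_GRANTED = ("G", ("implies", ("G", ("F", "Request")), ("F", "Grant")))
GRANT_TWO_STEPS_LATER = ("G", ("implies", "Request", ("X", ("X", "Grant"))))
MUTUAL_EXCLUSION = ("G", ("not", ("and", "CS1", "CS2")))

# Constructed traces (not from the slides).
TRACES = {
    "fair":    Lasso([], [{"Request"}, {"Grant"}, set()]),    # R G - R G - ...
    "starved": Lasso([{"Request"}], [{"Request"}, set()]),    # R R - R - ... never granted
    "dropped": Lasso([], [{"Request"}, set(), {"Grant"}]),    # R - G R - G ... request lapses first
}

def check_examples():
    formulas = {
        "every request granted": EVERY_REQUEST_GRANTED,
        "every continuous request granted": EVERY_CONTINUOUS_REQUEST_GRANTED,
        "every repeated request granted": EVERY_REPEATED_REQUEST_GRANTED,
        "grant two steps later": GRANT_TWO_STEPS_LATER,
        "GF Grant": ("G", ("F", "Grant")),
        "FG Grant": ("F", ("G", "Grant")),
    }
    return {name: {t: holds(f, tr) for t, tr in TRACES.items()} for name, f in formulas.items()}

def check_mutex(trace):
    return holds(MUTUAL_EXCLUSION, trace)

if __name__ == "__main__":
    for name, verdicts in check_examples().items():
        print("%-35s %s" % (name, verdicts))
```

The "dropped" trace is the one that separates the slide's three liveness formulations: every request is eventually granted, but no request is held continuously until its grant, so Request U Grant fails while F Grant holds.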
Examples: Write in Temporal Logic
1. "Whenever the iRobot is at the ramp-edge (cliff), eventually it moves 5 cm away from the cliff."
• p1 – iRobot is at the cliff
• p2 – iRobot is 5 cm away from the cliff
2. "Whenever the distance between cars is less than 2 m, cruise control is deactivated."
• p1 – distance between cars is less than 2 m
• p2 – cruise control is active
Why the linear in LTL?
Properties are expressed over a single computation path or run: satisfiability is checked on the run with no possibility of switching to another run during the checking.
(Slide figure: an FSM M with states s0, s1, s2 and transitions labeled a/c, a/b, true/b, next to its runs s0 s1 s2 s1 s2 … and s0 s2 s1 s2 s1 … unrolled as linear sequences.)
Does M ⊨ G b ?
Example: Mutual Exclusion (1)
Each process can be in its non-critical state (N), or trying to enter its critical state (T), or in its critical state (C).
The variable turn records the first process that went into its trying state.
(Slide figure: the reachable global states, each labeled with the state of both processes and the value of turn.)
N1,N2 turn=0
T1,N2 turn=1
T1,T2 turn=1
C1,N2 turn=1
C1,T2 turn=1
N1,T2 turn=2
T1,T2 turn=2
N1,C2 turn=2
T1,C2 turn=2
Example: Mutual Exclusion (2)
Safety: M ⊨ G ¬(C1 ∧ C2)?
Is there a reachable state in which (C1 ∧ C2) holds?
Liveness: M ⊨ F C1?
Is there an infinite cyclic solution in which C1 never holds?
Liveness: M ⊨ G(T1 → F C1)? or M ⊨ GF T1 → GF C1?
Does every path starting from each state where T1 holds pass through a state where C1 holds?
Automata-based Model Checking
The behaviors (computations) of a system can be seen as sequences of assignments to propositions over all traces.
Represent the set of computations by a finite automaton.
An automaton for the set of all acceptable computations.
Check if the language of the system automaton is contained in the language accepted by the property automaton.
(Slide figure: the system and property automata, with transitions labeled by two-bit assignments 00, 01, 11 to the propositions.)
Automata-Based LTL Model Checking (2)
Let M be a Kripke model and φ be an LTL formula.
M ⊨ φ (LTL)
iff L(M) ⊆ L(φ)   iff L(M) ∩ L(¬φ) = { }
iff L(AM) ∩ L(A¬φ) = { }
iff L(AM × A¬φ) = { }
AM is a Büchi Automaton equivalent to M (which represents all and only the executions of M).
A¬φ is a Büchi Automaton which represents all and only the paths that satisfy ¬φ (do not satisfy φ).
AM × A¬φ represents all and only the paths appearing in M and not in φ.
Automata-Based LTL Model Checking (1)
(Christel Baier and Joost-Pieter Katoen, "Principles of Model Checking”)
Büchi Automata
Automaton which accepts infinite traces.
A Büchi automaton is a 4-tuple consisting of:
• S, a finite set of states
• I ⊆ S, a set of initial states
• a transition relation ⊆ S × S
• F ⊆ S, a set of accepting states
An infinite sequence of states is accepted iff it contains accepting states infinitely often.
(Slide figure: an automaton with states S0, S1, S2.)
Trace 1: S0 S1 S2 S2 S2 S2 …   ACCEPTED
Trace 2: S0 S1 S2 S1 S2 S1 …   ACCEPTED
Trace 3: S0 S1 S2 S1 S1 S1 …   REJECTED
Büchi Automata
The labels of a Büchi Automaton are different from the labels of a Kripke Structure. Also graphically, they are interpreted differently: in a Kripke Structure, a state labeled p means that p is true and all other propositions are false; in a Büchi Automaton, a label p means that p is true and all other propositions are irrelevant ("don't care"), i.e. can be either true or false.
(Slide figure: a Kripke structure with states S0, S1, S2 labeled a, b, c, and a Büchi automaton with states Sinit, S0, S1, S2, transitions labeled a, b, c, and F = {S0, S1, S2}.)
LTL and Büchi Automata
LTL formula: represents a set of infinite traces which satisfy the formula.
Büchi Automaton: accepts a set of infinite traces.
We can build an automaton which accepts all and only the infinite traces represented by an LTL formula.
(Slide figure: Büchi automata for Gp, Fp, p U q and GFp, with transitions labeled p, q or T (true).)
Product of Transition Systems: Example
(Slide figure: a transition system with states s0, s1 and another with states t0, t1, t2, both over the actions a and b, and their product with states s0t0, s0t1, s0t2, s1t0, s1t1, s1t2.)
Explicit-State Model Checking
Model checking exhaustively enumerates the states of the system.
The state space can be viewed as a graph: explicitly enumerate each state and traverse each edge of the graph.
Example: explicit-state techniques in SPIN. Nested DFS to detect reachable accepting cycles:
• the first search is used to search for reachable accepting states;
• the second one (nested) tries to detect accepting cycles.
Consider the simplest property G p: p is a system invariant to be satisfied by all states. Do a DFS graph traversal and maintain 2 data structures: the set of visited states and a stack with the current path from the initial state.
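The two searches just described, run on the mutual-exclusion model of the earlier "Example: Mutual Exclusion" slides: a plain DFS for the invariant G ¬(C1 ∧ C2) that returns the path to a violating state, and a SPIN-style nested DFS that returns a reachable accepting cycle, which is exactly a Büchi-accepting lasso (an accepting state occurring infinitely often). This is an added example, not code from the slides or from SPIN. The nine global states are those listed on the slide; the transition relation in `successors` is an assumed interleaving semantics (try, enter when you own the turn, exit) and not given on the slides.

```python
# A global state is (p1, p2, turn) with p in {"N", "T", "C"}.
INIT = ("N", "N", 0)

def successors(s):
    """Constructed transition relation (assumption, not from the slides)."""
    p1, p2, turn = s
    out = []
    if p1 == "N":                      # process 1 starts trying; takes the turn if free
        out.append(("T", p2, turn if turn else 1))
    elif p1 == "T" and turn == 1:      # process 1 enters its critical section
        out.append(("C", p2, turn))
    elif p1 == "C":                    # process 1 leaves; a waiting process 2 gets the turn
        out.append(("N", p2, 2 if p2 == "T" else 0))
    if p2 == "N":
        out.append((p1, "T", turn if turn else 2))
    elif p2 == "T" and turn == 2:
        out.append((p1, "C", turn))
    elif p2 == "C":
        out.append((p1, "N", 1 if p1 == "T" else 0))
    return out

def reachable(init, succ):
    seen, todo = set(), [init]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(succ(s))
    return seen

def find_violation(init, succ, invariant):
    """Checking G p: DFS with a visited set and a parent map (the stack holding the
    current path on the slide); returns the path to the first state violating p, or None."""
    parent, stack = {init: None}, [init]
    while stack:
        s = stack.pop()
        if not invariant(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for t in succ(s):
            if t not in parent:
                parent[t] = s
                stack.append(t)
    return None

def nested_dfs(init, succ, accepting):
    """SPIN-style nested DFS.  The outer search visits reachable states in
    post-order; when it backtracks from an accepting state it starts an inner
    search for a path back to that state, i.e. an accepting cycle.  Returns
    (prefix, cycle) with cycle[0] the accepting state, or None."""
    visited, flagged = set(), set()

    def inner(seed, s, path):
        for t in succ(s):
            if t == seed:
                return path + [s]
            if t not in flagged:
                flagged.add(t)
                found = inner(seed, t, path + [s])
                if found:
                    return found
        return None

    def outer(s, path):
        visited.add(s)
        for t in succ(s):
            if t not in visited:
                found = outer(t, path + [s])
                if found:
                    return found
        if accepting(s):
            flagged.add(s)
            cycle = inner(s, s, [])
            if cycle:
                return (path, cycle)
        return None

    return outer(init, [])

def not_c1(s):
    return s[0] != "C"

def check_mutual_exclusion():
    """Safety G not(C1 and C2): a counterexample would be a finite path to a bad state."""
    return find_violation(INIT, successors, lambda s: not (s[0] == "C" and s[1] == "C"))

def check_f_c1():
    """Liveness F C1 fails iff a cycle on which C1 never holds is reachable:
    run nested DFS on the sub-graph of not-C1 states with every state accepting."""
    return nested_dfs(INIT, lambda s: [t for t in successors(s) if not_c1(t)], lambda s: True)

def check_t1_leads_to_c1():
    """G(T1 -> F C1): no reachable T1 state may start a cycle of not-C1 states."""
    for s in reachable(INIT, successors):
        if s[0] == "T" and nested_dfs(s, lambda u: [t for t in successors(u) if not_c1(t)], lambda u: True):
            return False
    return True

if __name__ == "__main__":
    print(len(reachable(INIT, successors)), "reachable states")
    print("mutual exclusion violated by:", check_mutual_exclusion())
    print("F C1 counterexample (prefix, cycle):", check_f_c1())
    print("G(T1 -> F C1) holds:", check_t1_leads_to_c1())
```

With these transitions the safety property holds, F C1 fails (process 2 can cycle through N2, T2, C2 forever while process 1 never tries, which is the "infinite cyclic solution in which C1 never holds" asked about on the slide), and G(T1 → F C1) holds because every T1 state is forced into C1 within a few steps.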
Computational Temporal Logic
In LTL, time is treated as if each moment in time has a unique possible future. LTL formulas are interpreted over linear sequences, which are used to describe a behavior of a single computation of a program.
In branching temporal logics, each moment in time may split into various possible futures: infinite computation trees, each describing the behavior of the possible computations of a nondeterministic program. When reaching an individual state, the choice of transitions remains undecided.
Two path quantifiers: E ("there exists a computation") and A ("for all computations").
Decide whether φ holds in the computation tree of M.
Path Quantifiers in CTL
A (In All Paths): the temporal formula is true in all the paths starting in the current state.
E (There Exists a Path): the temporal formula is true in some path starting in the current state.
(Slide figure: computation trees illustrating finally p, globally p, next p, and p until q.)
LTL vs. CTL
AP = {a, b, c, d, e} is the set of atomic propositions. Example system Sexm: Q = {q1, q2, q3, q4} and I = {q1, q2}; L(q1) = {a}, L(q2) = ∅, L(q3) = {b, e}, and L(q4) = {c}.
(Ph. Schnoebelen: The Complexity of Temporal Logic Model Checking. Advances in Modal Logic 2002: 393-436)
BDD and Symbolic Model Checking
Binary Decision Diagram (BDD): a DAG to represent a Boolean formula.
An example: f = ab + a'c + bc'd. Two different orderings, same function.
ROBDD – reduced and ordered. Can we process them?
(Slide figure: two ROBDDs for f under two different variable orderings, both with terminals 0 and 1, with internal nodes annotated by the sub-functions they represent, such as c+bd, d+b and b.)
Operations of BDD
Negation: switch 0 and 1.
If f then g else h operator: ite(f, g, h)
f AND g = ite(f, g, 0)
f OR g = ite(f, 1, g)
Compute ite recursively: v is the top-most variable among the three BDDs f, g, h.
Existential quantification (EXISTS and ANDEXIST)
Example of ite
I = ite(F, G, H)
  = (a, ite(Fa, Ga, Ha), ite(Fa', Ga', Ha'))
  = (a, ite(1, C, H), ite(B, 0, H))
  = (a, C, (b, ite(Bb, 0b, Hb), ite(Bb', 0b', Hb')))
  = (a, C, (b, ite(1, 0, 1), ite(0, 0, D)))
  = (a, C, (b, 0, D))
  = (a, C, J)
Check: F = a + b, G = ac, H = b + d
ite(F, G, H) = (a + b)(ac) + a'b'(b + d) = ac + a'b'd
(Slide figure: the BDDs for F, G, H and the result I. F, G, H, I, J, B, C, D are pointers to BDD nodes; from the derivation, B = b, C = c, D = d and J = (b, 0, D).)
Symbolic Model Checking
State representation: a state is encoded as a Boolean formula, and a set of states by its characteristic function. With three state variables x1, x2, x3, the set {000, 001, 010, 011} is represented as "first bit false": ¬x1.
Representation of transition relations: a transition is a pair of states (s, s') where s' is the next state; its formula is the conjunction of the formula for s (over the current-state variables) and the formula for s' (over the next-state variables).
(Slide figure: a 2-bit counter cycling through the states 00, 01, 10, 11.)
(01, 10) = (¬v1 ∧ v0, v'1 ∧ ¬v'0) = (¬v1 ∧ v0) ∧ (v'1 ∧ ¬v'0)
R = (v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1)
Pre-Image and Forward Image
PreImage(P, R) := {s | for some s' ∈ P, (s, s') ∈ R}
Image(P, R) := {s' | for some s ∈ P, (s, s') ∈ R}
Compute EX[P] for the 2-bit counter, where P = (v0 ↔ v1) (i.e. P = {00, 11})
PreImage(P, R) = ∃s'. P[s'] ∧ R[s, s']
  = ∃v'0 v'1. (v'0 ↔ v'1) ∧ ((v'0 ↔ ¬v0) ∧ (v'1 ↔ v0 ⊕ v1))
  (substitute v'0 v'1 with 00, 01, 10, 11)
  = (v0 ∧ ¬(v0 ⊕ v1)) ∨ (¬v0 ∧ (v0 ⊕ v1))
  = v1 (i.e. P = {01, 11})
Reachability using BDD
Reachability(v, Gin(s), R(s,s'), F(s))
[ s – state variables; Gin, R(s,s') and F are BDDs ]
G := ∅; G' := Gin;
do {
  G := G';
  G' := G ∨ ( ∃s. ( G(s) ∧ R(s,s') ) )[s/s'];
  – F[x/y] means that we substitute x for y in F
} while (G ≠ G' and G ∧ F = ∅);
if (G ∧ F = ∅) report "Unreachable", else report "Reachable";
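The pre-image, image and reachability computations of the last three slides, carried out on the slide's 2-bit counter. This is an added example, not code from the slides: characteristic functions are represented as Python predicates over a valuation instead of BDDs, and existential quantification over the primed variables is done by substituting all four valuations, which is literally what the slide does in "substitute v'0 v'1 with 00, 01, 10, 11". States are written v1 v0 with the high bit first, as in the slide's transition (01, 10); that bit order, and the second relation `chi_R_even` used to show an unreachable target, are assumptions of this example.

```python
from itertools import product

VARS = ["v1", "v0"]                      # current-state variables s
PRIMED = [v + "'" for v in VARS]         # next-state variables s'

def chi_P(e):                            # P = {00, 11}:  v0 <-> v1
    return e["v0"] == e["v1"]

def chi_R(e):                            # counter:  v0' <-> not v0  and  v1' <-> v0 xor v1
    return e["v0'"] == (not e["v0"]) and e["v1'"] == (e["v0"] != e["v1"])

def chi_R_even(e):                       # constructed second relation: v0 never changes, v1 toggles
    return e["v0'"] == e["v0"] and e["v1'"] == (not e["v1"])

def rename(pred, mapping):
    """pred[x/y] for every (y -> x) in mapping: variable y is read from x."""
    return lambda e: pred({**e, **{y: e[x] for y, x in mapping.items()}})

def exists(pred, qvars):
    """Exists qvars. pred, computed by trying all 2^|qvars| substitutions."""
    def q(e):
        return any(pred({**e, **dict(zip(qvars, bits))})
                   for bits in product([False, True], repeat=len(qvars)))
    return q

def preimage(P, R):
    """PreImage(P, R) = exists s'. P[s'] and R[s, s']"""
    P_next = rename(P, dict(zip(VARS, PRIMED)))              # P over s'
    return exists(lambda e: P_next(e) and R(e), PRIMED)

def image(P, R):
    """Image(P, R) = (exists s. P[s] and R[s, s'])[s/s']"""
    over_primed = exists(lambda e: P(e) and R(e), VARS)      # result over s'
    return rename(over_primed, dict(zip(PRIMED, VARS)))      # rename s' back to s

def states_of(pred):
    """Enumerate the states (bit strings v1v0) satisfying a predicate over s."""
    return {"".join("1" if b else "0" for b in bits)
            for bits in product([False, True], repeat=len(VARS))
            if pred(dict(zip(VARS, bits)))}

def state(bits):
    """Characteristic predicate of a single state given as 'v1v0'."""
    return lambda e: all(e[v] == (b == "1") for v, b in zip(VARS, bits))

def reachability(G_in, R, F):
    """The Reachability routine of the slide: G' := G or Image(G, R) until a
    fixpoint, stopping early once G and F is non-empty.  Returns the verdict
    and the set of states explored."""
    G_next = G_in
    while True:
        G = G_next
        img = image(G, R)
        G_next = (lambda e, G=G, img=img: G(e) or img(e))
        if states_of(G_next) == states_of(G) or states_of(lambda e: G_next(e) and F(e)):
            break
    verdict = "Reachable" if states_of(lambda e: G_next(e) and F(e)) else "Unreachable"
    return verdict, states_of(G_next)

if __name__ == "__main__":
    print("PreImage(P, R) =", sorted(states_of(preimage(chi_P, chi_R))))
    print("Image(P, R)    =", sorted(states_of(image(chi_P, chi_R))))
    print(reachability(state("00"), chi_R, state("11")))
    print(reachability(state("00"), chi_R_even, state("11")))
```

The pre-image comes out as the states with v1 = 1, matching the slide's result "= v1"; the image of {00, 11} is {01, 00}, and the fixpoint loop reaches 11 from 00 under the counter relation but not under the constructed relation that never changes the low bit.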
Timed Automata
A timed automaton is a tuple A = (Q, Σ, C, E, q0) that consists of the following components:
• Q is a finite set. The elements of Q are called the states of A.
• Σ is a finite set called the alphabet or actions of A.
• C is a finite set called the clocks of A.
• E ⊆ Q × Σ × B(C) × P(C) × Q is a set of edges, called transitions of A, where B(C) is the set of boolean clock constraints involving clocks from C, and P(C) is the powerset of C.
• q0 is an element of Q, called the initial state.
An edge (q, a, g, r, q') from E is a transition from state q to q' with action a, guard g and clock resets r.
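The definition above instantiated and executed. This is an added example, not code from the slides: the `TimedAutomaton` class checks that the edges respect E ⊆ Q × Σ × B(C) × P(C) × Q, represents a guard g ∈ B(C) as a predicate over the clock valuation and a reset set r ∈ P(C) as a set of clock names, and runs a timed word. The watchdog automaton (a request must be acknowledged within 5 time units on clock x) and the timing semantics (the delay elapses first, then the action is taken and the clocks in r are reset) are assumptions of this example.

```python
class TimedAutomaton:
    def __init__(self, Q, Sigma, C, E, q0):
        assert q0 in Q
        for (q, a, g, r, q2) in E:             # E ⊆ Q × Σ × B(C) × P(C) × Q
            assert q in Q and a in Sigma and q2 in Q and set(r) <= set(C)
        self.Q, self.Sigma, self.C, self.E, self.q0 = Q, Sigma, C, E, q0

    def run(self, timed_word):
        """Execute [(delay, action), ...]: all clocks advance by `delay`, then
        the first edge (q, action, g, r, q') whose guard g holds is taken and
        the clocks in r are reset to 0.  Returns (final state, clock valuation),
        or None when some action has no enabled edge."""
        q = self.q0
        clocks = {c: 0.0 for c in self.C}
        for delay, action in timed_word:
            clocks = {c: t + delay for c, t in clocks.items()}
            for (src, a, guard, resets, dst) in self.E:
                if src == q and a == action and guard(clocks):
                    q = dst
                    clocks = {c: (0.0 if c in resets else t) for c, t in clocks.items()}
                    break
            else:
                return None
        return q, clocks

# Constructed watchdog automaton (assumption, not from the slides).
WATCHDOG = TimedAutomaton(
    Q={"idle", "waiting", "timeout"},
    Sigma={"req", "ack"},
    C={"x"},
    E=[
        ("idle", "req", lambda v: True, {"x"}, "waiting"),          # start the clock
        ("waiting", "ack", lambda v: v["x"] <= 5, set(), "idle"),    # acknowledged in time
        ("waiting", "ack", lambda v: v["x"] > 5, set(), "timeout"),  # acknowledged too late
    ],
    q0="idle",
)

def final_state(timed_word, automaton=WATCHDOG):
    result = automaton.run(timed_word)
    return None if result is None else result[0]

if __name__ == "__main__":
    print(final_state([(1.0, "req"), (3.0, "ack")]))   # idle
    print(final_state([(1.0, "req"), (7.5, "ack")]))   # timeout
    print(final_state([(2.0, "ack")]))                  # None: no edge for ack in idle
```

The guards on the two "ack" edges partition the clock valuations, so the automaton is deterministic; with overlapping guards `run` would take the first enabled edge, and exploring all choices would be needed to decide language membership.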