Model Checking Lecture 1


Description: Model Checking Lecture 1. Outline: 1. Specifications: logic vs. automata, linear vs. branching, safety vs. liveness. 2. Graph algorithms for model checking; symbolic algorithms for model checking; pushdown systems. Model checking, narrowly interpreted:
Transcripts
Slide 1

Model Checking Lecture 1

Slide 2

Outline. 1. Specifications: logic versus automata, linear versus branching, safety versus liveness. 2. Graph algorithms for model checking; symbolic algorithms for model checking; pushdown systems.

Slide 3

Model checking, narrowly interpreted: decision procedures for checking whether a given Kripke structure is a model of a given formula of a modal logic.

Slide 4

Why should we care? Because the dynamics of a discrete system can be captured by a Kripke structure. Because some dynamic properties of a discrete system can be expressed in modal logics. Model checking = system verification.

Slide 5

Model checking, liberally interpreted: algorithms, rather than proof calculi, for system verification which operate on a system model (semantics), rather than on a system description (syntax).

Slide 6

There are many different model-checking problems: for different (classes of) system models, and for different (classes of) system properties.

Slide 7

A specific model-checking problem is defined by I |= S, where I is the "implementation" (system model), S is the "specification" (system property), and |= reads "satisfies", "implements" or "refines" (satisfaction relation).

Slide 8

A specific model-checking problem is defined by I |= S, where I, the "implementation" (system model), is the more detailed side and S, the "specification" (system property), is the more abstract side; |= reads "satisfies", "implements" or "refines" (satisfaction relation).

Slide 9

Characteristics of system models which favor model checking over other verification techniques: ongoing input/output behavior (not: single input, single result); concurrency (not: single control flow); control intensive (not: lots of data manipulation).

Slide 10

Examples: control logic of hardware designs; communication protocols; device drivers.

Slide 11

Paradigmatic example: a mutual-exclusion protocol, P1 || P2, where

  P1: loop
        out: x1 := 1; last := 1
        req: await x2 = 0 or last = 2
        in:  x1 := 0
      end loop.

  P2: loop
        out: x2 := 1; last := 2
        req: await x1 = 0 or last = 1
        in:  x2 := 0
      end loop.

Slide 12

Model-checking problem I |= S: system model, system property, satisfaction relation.

Slide 14

Important choices when choosing a system model: state-based versus event-based; interleaving versus true concurrency; synchronous versus asynchronous interaction; and so on.

Slide 15

Particular combinations of these choices yield CSP, Petri nets, I/O automata, Reactive modules, etc.

Slide 16

While the choice of system model is important for ease of modeling in a given situation, the only thing that matters for model checking is that the system model can be translated into some form of state-transition graph.

Slide 17

[Figure: a state-transition graph with states q1, q2, q3 and observations [q1] = {a}, [q2] = {a,b}, [q3] = {b}; its transitions are q1 → q2, q1 → q3, q3 → q1 and q2 → q2, as recovered from the runs shown on slides 31 and 46.]

Slide 18

State-transition graph: Q, the set of states, e.g. {q1, q2, q3}; A, the set of atomic observations, e.g. {a, b}; → ⊆ Q × Q, the transition relation, e.g. q1 → q2; [ ]: Q → 2^A, the observation function, e.g. [q1] = {a}, mapping each state to its set of observations.

Slide 19

Mutual-exclusion protocol, P1 || P2, where

  P1: loop
        out: x1 := 1; last := 1
        req: await x2 = 0 or last = 2
        in:  x1 := 0
      end loop.

  P2: loop
        out: x2 := 1; last := 2
        req: await x1 = 0 or last = 1
        in:  x2 := 0
      end loop.

Slide 20

[Figure: part of the state-transition graph of the protocol. Each state is written as the values of pc1 pc2 x1 x2 last, e.g. oo001, or012, ro101, io101, rr112, ir112.] State variables: pc1: {o,r,i}; pc2: {o,r,i}; x1: {0,1}; x2: {0,1}; last: {1,2}. 3·3·2·2·2 = 72 states.

Slide 21

The translation from a system description to a state-transition graph usually involves an exponential blow-up!!! E.g., n boolean variables → 2^n states. This is called the "state-explosion problem."

Slide 22

Finite state-transition graphs don't handle: recursion (need pushdown models); process creation. State-transition graphs are not necessarily finite-state. We will discuss some of these issues in a later lecture.

Slide 23

Model-checking problem I |= S: system model, system property, satisfaction relation.

Slide 24

Three important choices when choosing system properties: automata versus logic; branching versus linear time; safety versus liveness.

Slide 25

Three important choices when choosing system properties: automata versus logic; branching versus linear time; safety versus liveness. The three choices are orthogonal, and they lead to substantially different model-checking problems.

Slide 27

Safety versus liveness. Safety: something "bad" will never happen. Liveness: something "good" will happen (but we don't know when).

Slide 28

Safety versus liveness for sequential programs. Safety: the program will never produce a wrong result ("partial correctness"). Liveness: the program will produce a result ("termination").

Slide 30

Safety versus liveness for state-transition graphs. Safety: those properties whose violation always has a finite witness ("if something bad happens on an infinite run, then it happens already on some finite prefix"). Liveness: those properties whose violation never has a finite witness ("no matter what happens along a finite run, something good could still happen later").

Slide 31

[Figure: the state-transition graph of slide 17.] Run: q1 → q3 → q1 → q3 → q1 → q2 → q2 → ... Trace: {a} → {b} → {a} → {b} → {a} → {a,b} → {a,b} → ...

Slide 32

State-transition graph S = (Q, A, →, [ ]). Finite runs: finRuns(S) ⊆ Q*. Infinite runs: infRuns(S) ⊆ Q^ω. Finite traces: finTraces(S) ⊆ (2^A)*. Infinite traces: infTraces(S) ⊆ (2^A)^ω.

Slide 33

Safety: the properties that can be checked on finRuns. Liveness: the properties that cannot be checked on finRuns.

Slide 34

This is much easier. Safety: the properties that can be checked on finRuns. Liveness: the properties that cannot be checked on finRuns (they must be checked on infRuns).

Slide 35

Example: Mutual exclusion. It cannot happen that both processes are in their critical sections at the same time.

Slide 36

Example: Mutual exclusion. It cannot happen that both processes are in their critical sections at the same time. Safety.
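As an added example (not part of the lecture slides), the following code builds the state-transition graph of the protocol from slide 11 by breadth-first exploration under interleaving semantics and checks the mutual-exclusion property of slide 36 the way slide 30 describes a safety check: by looking for a finite witness, a finite run ending with both processes in their critical sections. It also goes beyond the slides with a constructed variant in which the out-section is split into two steps in the wrong order (last := me before x_me := 1), for which such a witness exists; the state encoding, the initial state ('o', 'o', 0, 0, 1) and the extra location 'm' are assumptions of this example.

```python
from collections import deque

# Added example (not from the slides): explicit-state exploration of the
# mutual-exclusion protocol of slide 11 under interleaving semantics.
# A state is (pc1, pc2, x1, x2, last) with pc in {'o','r','i'} = out, req, in;
# the extra location 'm' is used only by the constructed split-out variant.

def proc_step(pc, x_own, x_other, last, me, split_out):
    """Successors contributed by one process, as (pc', x_own', last')."""
    other = 3 - me
    if pc == 'o':
        if not split_out:               # slide 11: x_me := 1; last := me (one step)
            return [('r', 1, me)]
        return [('m', x_own, me)]       # constructed buggy variant: last := me ...
    if pc == 'm':
        return [('r', 1, last)]         # ... and only then x_me := 1 (swapped order)
    if pc == 'r':                       # req: await x_other = 0 or last = other
        return [('i', x_own, last)] if x_other == 0 or last == other else []
    return [('o', 0, last)]             # in: x_me := 0, back to out

def successors(s, split_out=False):
    pc1, pc2, x1, x2, last = s
    succ = [(p, pc2, x, x2, l) for p, x, l in proc_step(pc1, x1, x2, last, 1, split_out)]
    succ += [(pc1, p, x1, x, l) for p, x, l in proc_step(pc2, x2, x1, last, 2, split_out)]
    return succ

def explore(split_out=False, init=('o', 'o', 0, 0, 1)):
    """Breadth-first reachability from init; returns a state -> parent map."""
    parent, queue = {init: None}, deque([init])
    while queue:
        s = queue.popleft()
        for t in successors(s, split_out):
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return parent

def mutex_witness(split_out=False):
    """Safety check of slide 36: a violation has a finite witness, a finite run
    ending with both processes in 'i'. Returns that run, or None if mutex holds."""
    parent = explore(split_out)
    for s in parent:
        if s[0] == 'i' and s[1] == 'i':
            run = []
            while s is not None:
                run.append(s)
                s = parent[s]
            return run[::-1]            # from the initial state to the bad state
    return None
```

For the protocol as given, only 10 of the 72 states of slide 20 are reachable and mutex_witness() returns None; for the split-out variant it returns a six-step run that ends with both processes in their critical sections.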

Slide 37

Example: Bounded overtaking. Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.

Slide 38

Example: Bounded overtaking. Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter. Safety.

Slide 39

Example: Starvation freedom. Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.

Slide 40

Example: Starvation freedom. Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually. Liveness.

Slide 41

[Figure: the state-transition graph of slide 17.] infRuns  finRuns

Slide 42

[Figure: the state-transition graph of slide 17.] infRuns  finRuns  (* closure; * finite branching)

Slide 43

For state-transition graphs, all properties are safety properties!

Slide 44

Example: Starvation freedom. Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually. Liveness.

Slide 45

[Figure: the state-transition graph of slide 17 with one transition highlighted in green; from the fair run set on slide 46 this must be the transition q1 → q2.] Fairness constraint: the green transition cannot be ignored forever.

Slide 46

[Figure: the state-transition graph of slide 17.] Without fairness: infRuns = q1 (q3 q1)* q2^ω ∪ (q1 q3)^ω. With fairness: infRuns = q1 (q3 q1)* q2^ω.

Slide 47

Two important kinds of fairness. 1. Weak (Büchi) fairness: a specified set of transitions cannot be enabled forever without being taken. 2. Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken.

Slide 48

[Figure: the state-transition graph of slide 17, with the transition q1 → q2 highlighted.] Strong fairness.

Slide 49

[Figure: a two-state graph with [q1] = {a} and [q2] = {a,b}, with the transition q1 → q2 highlighted.] Weak fairness.
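As an added example (not from the lecture), the code below encodes the graph of slide 17 (edges recovered from the run sets on slide 46) and the two-state graph of slide 49, and checks the liveness property "every infinite run eventually reaches q2" under no fairness, weak fairness and strong fairness, treating the highlighted transition q1 → q2 as the fair action. It goes beyond the slides by implementing the general check for a finite graph: a violating run must eventually stay inside a strongly connected set of states that avoids q2, and that set must not break the fairness constraints. The self-loops on q1 and q2 in the two-state graph are an assumption of this example.

```python
from itertools import combinations

# Added example (not from the slides): the state-transition graphs of slides 17
# and 49, with edges recovered from the run sets on slide 46 for the first and
# assumed (self-loops plus q1 -> q2) for the second, and a check of the liveness
# property "every infinite run eventually reaches q2" under no fairness, weak
# fairness and strong fairness. The fair action is assumed to be q1 -> q2.
G3 = {('q1', 'q2'), ('q1', 'q3'), ('q3', 'q1'), ('q2', 'q2')}   # slide 17
G2 = {('q1', 'q1'), ('q1', 'q2'), ('q2', 'q2')}                 # slide 49 (assumed)
ENTER_Q2 = {('q1', 'q2')}                                         # the fair action

def reachable(edges, init, avoid=None):
    """States reachable from init along paths that never enter `avoid`."""
    seen, stack = {init}, [init]
    while stack:
        u = stack.pop()
        for s, t in edges:
            if s == u and t != avoid and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def can_loop_in(states, edges, weak, strong):
    """Can a fair infinite run visit exactly `states` infinitely often?  The
    induced sub-graph must be strongly connected with at least one edge, and each
    fairness constraint (an action = a set of edges) must be respected on it."""
    sub = {(s, t) for s, t in edges if s in states and t in states}
    if not sub or any(reachable(sub, u) != states for u in states):
        return False
    for act in weak:      # weak: enabled at every state of the loop, never taken
        if all(any(s == u for s, _ in act) for u in states) and not act & sub:
            return False
    for act in strong:    # strong: enabled at some state of the loop, never taken
        if any(s in states for s, _ in act) and not act & sub:
            return False
    return True

def eventually(edges, target, init='q1', weak=(), strong=()):
    """None if every fair infinite run from init reaches target; otherwise the
    set of states in which some fair run that avoids target loops forever."""
    bad = sorted(reachable(edges, init, avoid=target))
    for k in range(1, len(bad) + 1):           # exhaustive: fine for slide-sized graphs
        for states in combinations(bad, k):
            if can_loop_in(set(states), edges, weak, strong):
                return set(states)
    return None
```

On the three-state graph the loop {q1, q3} survives weak fairness, since q1 → q2 is not enabled at q3, and only strong fairness rules it out, leaving exactly the fair run set q1 (q3 q1)* q2^ω of slide 46; on the two-state graph the loop {q1} keeps q1 → q2 enabled forever, so weak fairness already suffices.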

Slide 50

Fair state-transition graph S = (Q, A, →, [ ], WF, SF), where WF is a set of weakly fair actions and SF a set of strongly fair actions, and every action is a subset of →.

Slide 51

Weak fairness arises from modeling concurrency: loop x := 0 end loop || loop x := 1 end loop. [Figure: two states, x = 0 and x = 1; the transitions of each of the two processes form a weakly fair action.]

Slide 52

Strong fairness arises from modeling choice: loop m: n: x := 0 | x := 1 end loop. [Figure: four states, pc = m, x = 0; pc = m, x = 1; pc = n, x = 0; pc = n, x = 1; each of the two branches of the choice is a strongly fair action.]

Slide 53

Weak fairness is sufficient for asynchronous models ("no process waits forever if it can move"). Strong fairness is necessary for modeling resource contention. Strong fairness makes model checking more difficult.

Slide 54

Fairness changes only infRuns, not finRuns. Hence fairness can be ignored when checking safety properties.

Slide 55

Two remarks. 1. The vast majority of properties to be verified are safety properties. 2. While nobody will ever observe the violation of a true liveness property, fairness is a useful abstraction that turns complicated safety into simple liveness.

Slide 56

Three important choices when choosing system properties: automata versus logic; branching versus linear time; safety versus liveness. The three choices are orthogonal, and they lead to substantially different model-checking problems.
