Model Checking Lecture 2 .

Model Checking Lecture 2

Three imperative choices while picking framework properties: automata versus rationale stretching versus straight time wellbeing versus liveness The three choices are orthogonal, and they prompt considerably distinctive model-checking issues.

If just widespread properties are of interest, why not exclude the way quantifiers?

LTL (Linear Temporal Logic) - security & liveness - straight time [Pnueli 1977; Lichtenstein & Pnueli 1982]

LTL Syntax  ::= a |    |   |   |  U 

LTL Model interminable follow t = t 0 t 1 t 2 ... (succession of perceptions)

Language of halt free state-move diagram K at state q : L(K,q) = set of unending hints of K beginning at q (K, q) |=   iff for all t  L(K,q), t |=  (K, q) |=   iff exists t  L(K,q), t |= 

LTL Semantics t |= a iff a  t 0 t |=    iff t |=  and t |=  t |=  iff not t |=  t |=   iff t 1 t 2 ... |=  t |=  U  iff exists n  0 s.t. 1. for each of the 0  i < n, t i t i+1 ... |=  2. t n t n+1 ... |= 

Defined modalities  X next U until   = genuine U  F eventually   =    G dependably W = ( U )    W sitting tight for (frail until)

Summary of modalities STL         U W CTL the majority of the above and     W U LTL    U W

Important properties Invariance  a wellbeing   (pc1=in  pc2=in) Sequencing a W b W c W d security  (pc1=req  (pc2 in) W (pc2=in) W (pc2 in) W (pc1=in)) Response  (a   b) liveness  (pc1=req   (pc1=in))

Composed modalities  a infinitely frequently a  a almost dependably a

Where did decency go ?

Unlike in CTL, reasonableness can be communicated in LTL ! So there is no requirement for reasonableness in the model. Feeble (Buchi) reasonableness :   (empowered   taken ) =  (empowered  taken) Strong (Streett) decency : (  empowered )  (  taken )

Starvation opportunity, amended  (pc2=in   ( pc2=out))   (pc1=req   (pc1=in))

CTL can\'t express decency   a      a   b      b q 1 q 0 q 2 an a b

LTL can\'t express fanning Possibility   (a    b) So, LTL and CTL are exceptional. (There are fanning rationales that can express reasonableness, e.g., CTL * = CTL + LTL, however they lose the computational allure of CTL.)

System property: 2x2x2 decisions - wellbeing (limited runs) versus liveness (limitless runs) - direct time (follows) versus spreading time (trees) - rationale (decisive) versus automata (operational)

Specification Automata Syntax, given a set An of nuclear perceptions: S finite set of states S 0  S set of starting states  S  S transition connection : S  PL(A) where the equations of PL are  ::= a |    |   for a  A

Language L(M) of detail machine M = (S, S 0 , ,  ) : boundless follow t 0 , t 1 , ...  L(M) iff there exists a limitless run s 0  s 1  ... of M with the end goal that for every one of the 0  i, t i |= (s i )

Linear semantics of determination automata: dialect regulation (K, q) |= L M iff L(K,q)  L(M) state-move diagram condition of K particular robot unending follows

L blade (K,q) = set of limited hints of K beginning at q L balance (M) characterized as takes after: limited follow t 0 , ..., t n  L balance (M) iff there exists a limited run s 0  s 1  ...  s n of M with the end goal that for each of the 0  i  n, t i |= (s i )

(K, q) |= L M iff L(K,q)  L(M) iff L balance (K,q)  L balance (M) Proof requires three realities: K is without stop each state in K has a move from it M is limited expanding: number of moves from a state in M is limited Konig\'s lemma A limited fanning interminable tree has an unbounded way

(K, q) |= L M iff L balance (K,q)  L balance (M) To confirm (K, q) |= L M, check finitary follow regulation

Invariance particular machine pc1  in  pc2  in

One-limited overwhelming determination robot pc1=req  pc2 in pc1=req  pc2=in pc1=out pc1=in pc1=req  pc2 in

Automata are more expressive than rationale, since worldly rationale can\'t tally : Let A = { a } a genuine This can\'t be communicated in LTL. (What about a   (a   a) ?)

 a  an a

 a  an a genuine

 a  an a   (a   a)

 a  an a truth be told, no LTL recipe with at most two events of  can recognize the two follows. Evidence?

Checking dialect control between limited automata is PSPACE-finished ! L(K,q)  L(M) iff L(K,q)  supplement( L(M) ) =  includes determinization (subset development)

practically speaking: 1. use screen automata 2. use reenactment as an adequate condition

Monitor Automata Syntax: same as determination automata, except additionally set E  S of mistake states Semantics: characterize L(M) s.t. runs must end in blunder states (K, q) |= C M iff L(K,q)  L(M) = 

Invariance screen machine pc1  in  pc2  in pc1 = in  pc2 = in ERROR

One-limited surpassing screen robot pc1=req  pc2in pc1=req  pc2=in pc1=out ERROR pc1=req  pc2=in pc1=req  pc2in pc1=in

Specification automaton Monitor robot M complement(M) - portray right traces -depict mistake follows - check dialect control -check void (straight): (exponential) reachability of mistake expresses "All security confirmation is reachability checking."

by and by: 1. use screen automata 2. use reenactment as adequate condition

Branching semantics of particular automata: recreation conditions of (K, q) |= B M iff there exists a reproduction connection R  Q  S s.t. (q,s)  R for some underlying state s of M conditions of M

R  Q  S is a recreation connection iff (q,s)  R infers [q] |= (s) for all q\' s.t. q  q\' , exists s\' s.t. s  s\' and (q\',s\')  R. [Milner 1974]

q |= L a genuine a b c  c  b

q |= B a genuine a b c  c  b

includes just follows (henceforth direct !) (K, q) |= L M M dialect contains (K,q) : exponential check (K, q) |= B M M recreates (K,q) : quadratic check X   includes states (thus fanning !)

by and by, reproduction is typically the "right" idea. (On the off chance that there is dialect control, however not reenactment, this is typically inadvertent, not by configuration.)

Branching semantics of particular automata, elective definition: follow tree regulation (K, q) |= B M iff T(K,q)  T(M) limited follow trees

Omega Automata - security & liveness (unbounded runs !) - detail versus screen automata - direct (dialect regulation) versus spreading (reenactment) semantics We talk about just the direct detail case.

Specification Omega Automata Syntax concerning limited automata, what\'s more an acknowledgment condition: Buchi: BA  S

Language L(M) of particular omega-robot M = (S, S 0 , , , BA ) : interminable follow t 0 , t 1 , ...  L(M) iff there exists an interminable run s 0  s 1  ... of M to such an extent that 1. s 0  s 1  ... fulfills BA 2. for all i  0, t i |= (s i )

Let Inf(s) = { p | p = s i for limitlessly numerous i }. The boundless run s fulfills the acknowledgment condition BA iff Buchi: Inf(s)  BA  

Linear semantics of particular omega automata: omega-dialect control (K, q) |= L M iff L(K,q)  L(M) interminable follows

Response determination machine :  (a  b) expecting (a  b) = false s 1 a b s 2 s 0 b a s 3 Buchi condition { s 0 , s 3 }

Response screen robot :  (a  b) accepting (a  b) = false genuine a b s 0 s 1 s 2 Buchi condition { s 2 }

 an a a s 1 s 0 Buchi condition { s 0 }

 an a a s 1 s 0 a s 2 Buchi condition { s 2 }

Omega automata are entirely more expressive than LTL. Omega-automata: omega-consistent dialects LTL: sans counter omega-standard dialects 

a genuine (p) ( p   p  (p  p)  (p  a)) (p) ( p(0)  p(1)  (t) (p(t)  p(t+2))  (t) (p(t)  a(t))) (a; genuine) 