Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications
Authors: E.M. Clarke, E.A. Emerson, A. P. Sistla
Presented by Anjana Chatta
Transcript of a PowerPoint presentation (30 slides)

Page 1

Authors: E.M. Clarke, E.A. Emerson, A. P. Sistla

Presented by Anjana Chatta

Automatic Verification of Finite-State Concurrent Systems Using Temporal Logic Specifications

Page 2

Basic Outline of the Paper

Part 1. Discuss the syntax and semantics of Computation Tree Logic (CTL) and illustrate them with an example

Part 2. Describe the basic model checking algorithm and illustrate an example

Part 3. Discuss the extension of this model checking algorithm that considers only fair computations, i.e. Extended Model Checking (EMC)

Part 4. Verify the correctness of the ‘Alternating Bit Protocol’ model through EMC

Part 5. Extensions of the CTL to make it more expressive

Page 3

Basic Definitions

1. Temporal logic: describes the temporal ordering of events and states within a logical framework

2. Computation Tree Logic (CTL): a propositional, branching-time temporal logic

3. Specification: an explicit set of requirements to be satisfied by a system

4. Verification: checking whether the system meets the required specification

5. Finite state machine: a model of the behavior of a system as a finite set of states and transitions between them

6. Finite state concurrent system: such systems are modeled by labeled state-transition graphs, called Kripke structures

Page 4

Definitions cont.

7. Model checking: a method for formally verifying finite-state concurrent systems

8. Temporal logic model checking:

Specification language: the specification is expressed in a propositional temporal logic

Verification procedure: an exhaustive search of the state space of the system to determine whether the specification holds, i.e. compute the set of all states of the model M that satisfy the formula f

9. Model checking algorithms: traverse the model and check whether the specification holds in the model

Page 5

PART 1 : The Specification Language CTL

1. Formal syntax of CTL

AP is the set of atomic propositions

Symbols: ¬ (negation), ∧ (and)

Path quantifiers: A ... : holds for all paths (starting at the tree's root); E ... : holds for some path

Temporal operators: X ... : holds next time; F ... : holds in the future; G ... : always holds; U ... : until

Every atomic proposition in AP is a CTL formula; if f1 and f2 are CTL formulas, so are ¬f1, f1 ∧ f2, AX f1, EX f1, A[f1 U f2] and E[f1 U f2]. The remaining operators are abbreviations: AF f = A[true U f], EF f = E[true U f], AG f = ¬EF ¬f and EG f = ¬AF ¬f.

Page 6

The Specification Language cont.

2. Semantics of CTL (at a state s of the model)

AX p: on all paths starting at state s, p holds in the next state
EX p: there exists a path starting at state s on which p holds in the next state
EF p: p is reachable (there exists a path starting at state s on which p holds in some future state)
AF p: p is inevitable (on all paths that start at state s, p holds in some future state)
EG p: there exists a path starting at state s on which p holds globally
AG p: p is invariant (on all paths that start at state s, p holds globally)
E[g U f]: there exists a path starting at state s on which g holds until f eventually holds
A[g U f]: on all paths that start at state s, g holds until f eventually holds

Page 7

The Specification Language cont.

Formally, a CTL structure is a triple M = (S, R, P), where S is a finite set of states, R ⊆ S × S is a total transition relation (every state has at least one successor) and P assigns to each state the set of atomic propositions that are true in it

Page 8

The Specification Language cont.

1. For M = (S, R, P) and a state s0 ∈ S there is an infinite computation tree with root labeled s0

An infinite computation tree with root labeled at s0

Page 9

The Specification Language cont.

1. M, s0 ⊨ f means that the CTL formula (property) f holds at state s0 in M

2. The relation ⊨ is defined inductively:

s0 ⊨ p iff the atomic proposition p is true in s0, i.e. p ∈ P(s0)

s0 ⊨ f1 ∧ f2 iff (s0 ⊨ f1) and (s0 ⊨ f2)

s0 ⊨ ¬f1 iff not (s0 ⊨ f1)

s0 ⊨ AX f1 iff f1 holds in the second state of every path starting at s0

s0 ⊨ EX f1 iff f1 holds in the second state of some path starting at s0

s0 ⊨ A[f1 U f2] iff on every path starting at s0, f1 holds until f2 holds (f2 holds at some state of the path and f1 holds at every state before it)

s0 ⊨ E[f1 U f2] iff there exists a path starting at s0 on which f1 holds until f2 holds

Page 10

CTL Model Example: Mutual Exclusion

Two processes P1 and P2, each cycling through the local states N (noncritical), T (trying) and C (critical): N1 → T1, T1 → C1, C1 → N1 and N2 → T2, T2 → C2, C2 → N2

PROPERTIES :

SAFETY : only one process may be in its critical section at any time: AG(¬(C1 ∧ C2))

LIVENESS : whenever a process wants to enter its critical section, it will eventually be permitted to do so: AG[T1 → AF(C1)]

In this model, AF(C1) is true in state 1 and EF(C1 ∧ C2) is false in state 0

Page 11

PART 2 : MODEL CHECKING

1. What is model checking? Given a finite state system model M = (S, R, P), check whether this model meets a given specification (a formula or a set of formulas)

2. But why use model checking? 1. No proofs: hand-written temporal logic proof construction from axioms is tedious 2. It is fast 3. It produces counter-examples when the specification fails 4. Partial specifications are no problem: each formula can be checked on its own

3. Problem: model checking suffers from the state explosion problem, since the state space grows exponentially with the number of concurrent components

Page 12

MODEL CHECKING cont.

State Labeling Algorithm :

1. Model checking is achieved through the state labeling algorithm

2. The algorithm works by iteratively determining the states that satisfy a given formula (i.e. labeling the states with it)

3. The basic input and output of the labeling algorithm: Input: a model M = (S, R, P) and a CTL formula f. Output: the set of states that satisfy formula f

Page 13

State Labeling Algorithm

The state labeling algorithm handles seven cases, one per syntactic form (atomic proposition, ¬, ∧, AX, EX, AU, EU)

1. The algorithm uses depth-first search for f = A(f1 U f2)
2. The recursive procedure au(f, s, b) performs the search for formula f starting from state s
3. When au terminates, the boolean result parameter b is set to true iff s ⊨ f
4. Whether s is currently on the stack ST is tested by the boolean procedure stacked(s)

Page 14

State labeling algorithm cont.

1. arg1(f) is the first argument and

2. arg2(f) the second argument of a two-argument temporal operator

3. If f = A(f1 U f2) then arg1(f) = f1 and arg2(f) = f2

4. labeled(s, f) returns true if state s is labeled with formula f

5. add-label(s, f) adds formula f to the current label of state s

6. For f = A(f1 U f2): if f2 is true at s then f is true at s; if f1 is not true at s then f is false at s; if s is already on the stack ST, the search has returned to s along a path on which f2 never held, so f is false at s; otherwise push s onto ST and examine the successors of s (next slide)

7. The algorithm requires time O(card(S) + card(R)) per formula

Page 15

State labeling algorithm cont.

1. Is f true in all successor states of s ?

2. If there is some successor state s1 at which f is false, then f is false at s too; hence remove s from the stack and return false

3. If f is true for all successor states, then f is true at s; so pop s from the stack, label s with f, and return true

Page 16

State labeling algorithm cont.

For the CTL formula f = E(f1 U f2):

1. First find all states that are labeled with f2 and label them with E(f1 U f2)

2. Then work backwards using the converse of the successor relation, i.e. repeat: label any state with E(f1 U f2) if (a) it is labeled with f1 and (b) at least one of its successors is labeled with E(f1 U f2), until there is no change

3. This computes the least fixpoint of E(f1 U f2) ≡ f2 ∨ (f1 ∧ EX E(f1 U f2))

Page 17

State labeling algorithm cont.

CTL formulas with arbitrary nesting of sub-formulas

1. nf[i] is the i-th sub-formula of f, for i from 1 to length(f)

2. sf[i] is the list of the numbers assigned to the immediate sub-formulas of the i-th sub-formula

3. For example, if f = (AU (NOT X) (OR Y Z)), then nf and sf are as tabulated on the slide

Page 18

Example. LIVENESS : whenever any process wants to enter its critical section it will eventually be permitted to do so: AG(T1 → AF C1). Using AG f ≡ ¬EF ¬f, EF f ≡ E[true U f] and a → b ≡ ¬(a ∧ ¬b), this is AG(T1 → AF C1) ≡ ¬E[true U (T1 ∧ ¬AF C1)]. Split it into sub-formulas: C1, AF C1, ¬AF C1, T1, T1 ∧ ¬AF C1, E[true U (T1 ∧ ¬AF C1)] and the negation of the last.

In order to handle an arbitrary CTL formula f:
1. Associate with each state s an array L[s] of size length(f)
2. Procedure add-label(s, fi) sets L[s][fi] to true
3. Procedure labeled(s, fi) returns the current value of L[s][fi]
4. Successively apply the state labeling algorithm to the sub-formulas of f
5. Start with the simplest (i.e. highest numbered) sub-formula and work backwards to f itself
6. The entire algorithm requires O(length(f) × (card(S) + card(R))) time

Page 19

Part 3 – Introducing fairness into CTL

Model checking with fairness
1. In the verification of model M, s ⊨ f might fail because M contains unrealistic behavior (for example, a computation in which one process is never scheduled)
2. We need to filter out this behavior
3. The solution is to put a FAIRNESS constraint on M that removes that behavior

How to handle fairness?
1. Modify the semantics of CTL so that path quantifiers range over fair paths only; the new logic is called CTL_F

2. M is now a 4-tuple (S, R, P, F) where F ⊆ 2^S is a set of predicates on S
3. A path p is F-fair iff for each g ∈ F there are infinitely many states on p that satisfy the predicate g

Page 20

Model checking: the labeling algorithm for the new logic CTL_F

Extended Model Checking algorithm. How do we achieve it? Introduce an additional proposition Q, which is TRUE at a state s iff there is a fair path starting from s

How can we compute Q?
1. Obtain the strongly connected components (SCCs) of the graph (S, R) (an SCC is a maximal set of states each of which is reachable from every other state of the set)

2. An SCC is fair if it is nontrivial (contains a cycle) and contains at least one state from each Gi in F = {G1, G2, ..., Gk} ⊆ 2^S (Lemma: every state in a fair SCC is the start of an infinite fair path)

3. Finally, label a state s with Q if there is a path from s to some state in a fair SCC

4. The algorithm takes O(n × m × p) time, where n = max(card(S), card(R)), m = length(f) and p = card(F)

Page 21

Example: microwave oven (taken from the Internet)

[Figure: state graph of the microwave oven with states s1 to s7, labeled with the propositions start, close, heat and error]

CTL formula. Once we start the oven, eventually it must turn on the heating coil: AG(start → AF heat)

Sub-formulas: heat, AF heat, start, (start → AF heat), AG(start → AF heat)

1. By applying the labeling algorithm we see that (start → AF heat) is true in {s1, s3, s4, s6, s7}
2. But AG(start → AF heat) is not true, because the states s2 and s5, where (start → AF heat) fails, are reachable
3. s2 and s5 represent unrealistic behavior: start → close → start → close ... forever, without the oven ever heating
4. So put a constraint on the model while model checking, i.e. the fairness constraint that start ∧ close ∧ ¬error holds infinitely often: once started and closed, the oven does not stay in the error condition
5. Restrict the graph: remove s2 and s5
6. Find the SCCs
7. Now AG(start → AF heat) is true in {s1, s3, s4, s6, s7}
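The labeling algorithm of Part 2 (Pages 12 to 18) and its fairness extension of Part 3 (Pages 19 to 21), as an added example written for this transcript; it is neither the paper's EMC code nor the presenter's. Formulas are nested tuples over the paper's primitive operators ¬, ∧, EX, E[U] plus EG; AU is reduced by the standard duality A[f U g] ≡ ¬E[¬g U (¬f ∧ ¬g)] ∧ ¬EG ¬g instead of the recursive au procedure of Pages 13 to 15, and EG follows the SCC method of Page 20. Both models, all names (Kripke, check, MUTEX_R, OVEN_R, ...) and the state names are my constructions: the mutual exclusion system records which process asked first, so that the liveness property holds as the slide claims for the paper's figure, and the oven's fairness constraint is my reading of the slide (start ∧ close ∧ ¬error infinitely often). SCCs are computed by forward/backward reachability rather than the linear-time algorithm the paper's complexity bound assumes.

```python
from collections import defaultdict


class Kripke:
    """M = (S, R, P, F): R maps a state to its successor set, P a state to its label set,
    F lists fairness predicates on a label set (a path is F-fair iff every predicate
    in F holds at infinitely many of its states, as on Page 19)."""

    def __init__(self, R, P, F=()):
        self.S, self.R, self.P, self.F = set(R), R, P, list(F)
        self.pred = defaultdict(set)             # converse of R, for backward labelling
        for s in R:
            for t in R[s]:
                self.pred[t].add(s)
        self.memo = {}
        self.Q = self.fair_reach(self.S)         # Page 20: Q(s) iff a fair path starts at s

    def reach(self, start, rel, allowed):
        """States reachable from `start` through `rel`, passing only through `allowed`
        states; with rel = self.pred this is the backward labelling of Page 16."""
        res, work = set(start), list(start)
        while work:
            for v in rel[work.pop()]:
                if v in allowed and v not in res:
                    res.add(v)
                    work.append(v)
        return res

    def sccs(self, states):
        """SCCs of the graph restricted to `states` as forward ∩ backward reachability
        (quadratic; a real checker would use Tarjan's linear-time algorithm)."""
        comps, left = [], set(states)
        while left:
            s = left.pop()
            comps.append(self.reach({s}, self.R, states) & self.reach({s}, self.pred, states))
            left -= comps[-1]
        return comps

    def fair_reach(self, states):
        """States of `states` from which a fair SCC is reachable inside `states`; an SCC
        is fair if it contains a cycle and, for every g in F, a state satisfying g."""
        good = set()
        for comp in self.sccs(states):
            has_cycle = any(v in comp for u in comp for v in self.R[u])
            if has_cycle and all(any(g(self.P[u]) for u in comp) for g in self.F):
                good |= comp
        return self.reach(good, self.pred, states)

    def sat(self, f):
        """Labelling algorithm: the set of states satisfying f, sub-formulas first."""
        if f in self.memo:
            return self.memo[f]
        op = f[0]
        if op == 'true':
            r = set(self.S)
        elif op == 'p':
            r = {s for s in self.S if f[1] in self.P[s]}
        elif op == 'not':
            r = self.S - self.sat(f[1])
        elif op == 'and':
            r = self.sat(f[1]) & self.sat(f[2])
        elif op == 'EX':                         # fair EX f  ==  EX (f and Q)
            t = self.sat(f[1]) & self.Q
            r = {s for s in self.S if self.R[s] & t}
        elif op == 'EU':                         # fair E[f U g]  ==  E[f U (g and Q)]
            r = self.reach(self.sat(f[2]) & self.Q, self.pred, self.sat(f[1]))
        elif op == 'EG':                         # a fair SCC reachable inside the f-states
            r = self.fair_reach(self.sat(f[1]))
        elif op == 'AU':    # A[f U g] == not E[not g U (not f and not g)] and not EG not g
            nf, ng = ('not', f[1]), ('not', f[2])
            r = self.S - self.sat(('EU', ng, ('and', nf, ng))) - self.sat(('EG', ng))
        else:
            raise ValueError(op)
        self.memo[f] = r
        return r


def p(a): return ('p', a)
def AF(f): return ('AU', ('true',), f)           # abbreviations of Page 5/6
def EF(f): return ('EU', ('true',), f)
def AG(f): return ('not', EF(('not', f)))
def implies(f, g): return ('not', ('and', f, ('not', g)))


def check(R, P, f, F=()):
    """States of the model (R, P) satisfying f under the fairness constraints F."""
    return Kripke(R, P, F).sat(f)


# Constructed model 1: the two-process mutual exclusion system of Page 10; when both
# processes are trying, the one that asked first enters (suffix a: P1 first, b: P2 first).
MUTEX_R = {'N1N2': {'T1N2', 'N1T2'}, 'T1N2': {'C1N2', 'T1T2a'}, 'N1T2': {'N1C2', 'T1T2b'},
           'C1N2': {'N1N2', 'C1T2'}, 'N1C2': {'N1N2', 'T1C2'}, 'T1T2a': {'C1T2'},
           'T1T2b': {'T1C2'}, 'C1T2': {'N1T2'}, 'T1C2': {'T1N2'}}
MUTEX_P = {s: {s[0:2], s[2:4]} for s in MUTEX_R}
# Constructed model 2: the microwave oven of Page 21 (s2, s5: started with the door open).
OVEN_R = {'s1': {'s2', 's3'}, 's2': {'s5'}, 's3': {'s1', 's6'}, 's4': {'s1', 's3', 's4'},
          's5': {'s2', 's3'}, 's6': {'s7'}, 's7': {'s4'}}
OVEN_P = {'s1': set(), 's2': {'start', 'error'}, 's3': {'close'}, 's4': {'close', 'heat'},
          's5': {'start', 'close', 'error'}, 's6': {'start', 'close'}, 's7': {'start', 'close', 'heat'}}
OVEN_FAIR = [lambda L: {'start', 'close'} <= L and 'error' not in L]   # holds infinitely often
OVEN_SPEC = AG(implies(p('start'), AF(p('heat'))))
```

check(MUTEX_R, MUTEX_P, AG(implies(p('T1'), AF(p('C1'))))) returns all nine states, and AF(p('C1')) holds at T1N2 but not at N1C2, matching the slide's claim about the paper's figure. For the oven, check(OVEN_R, OVEN_P, OVEN_SPEC) is empty without fairness and is the whole state set with OVEN_FAIR. The conjunction matters: passing three separate predicates (start, close and ¬error, each infinitely often) still leaves the property false, because the loop s1 → s2 → s5 → s3 → s1 satisfies each of them separately while never heating.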

Page 22

EMC algorithm

Can EMC handle the three standard notions of fairness: impartiality, justice and fairness?

Impartiality : every process is executed infinitely often
1. Take a concurrent system with process set Pr, a model M = (S, R, P) and a labeling function L: R → Pr that names the process executing each transition
2. By duplicating each state in S card(Pr) times, design a new model (S*, R*, P*, F) in which each state of S* records the process whose transition reached it (each state in S* is reached by at most one process)
3. F is a partition of S*: for each process, the set of states reached by that process
4. card(F) = card(Pr). The F-fair paths of the new model are exactly the impartial execution sequences of the original

Justice : a computation is just if every process is either infinitely often disabled or infinitely often executed

Fair : a computation is fair if, for each process, whenever the process is infinitely often enabled it is infinitely often executed

Page 23

Part 4 - Using EMC to verify Alternating Bit Protocol

1. The Alternating Bit Protocol (ABP) is a protocol for correctly transmitting data over faulty channels that may lose or duplicate messages

2. ABP uses two faulty channels between a sender and a receiver: one for data and one for acknowledgements

3. If a transmission is unsuccessful, the attempt is repeated

4. To tell repeats apart, ABP tags the messages with a control bit that is flipped after each successful transmission

5. The sender appends its control bit to the data to be sent and keeps sending until it receives that control bit back via the acknowledgement channel
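The exchange described on this slide, as an added example written for this transcript (not code from the paper or the presenter): a sender and a receiver run the alternating bit over two faulty channels, each driven by a constructed fault schedule so that the run is deterministic. The class and function names (Channel, run_abp), the round-based scheduler and the schedule itself are my assumptions; the paper's model is a CSP program compiled to a state graph, not a simulator.

```python
from collections import deque


class Channel:
    """Faulty FIFO channel: each put() consumes the next constructed fault,
    'ok' (deliver once), 'lose' (drop) or 'dup' (deliver twice)."""

    def __init__(self, faults):
        self.frames, self.faults = deque(), deque(faults)

    def put(self, frame):
        fault = self.faults.popleft() if self.faults else 'ok'
        if fault != 'lose':
            self.frames.append(frame)
        if fault == 'dup':
            self.frames.append(frame)

    def get(self):
        return self.frames.popleft() if self.frames else None


def run_abp(messages, data_faults, ack_faults, check_bit=True, max_rounds=100):
    """Drive sender and receiver round by round; return what the receiver delivers.
    check_bit=False makes the receiver accept every frame (plain stop-and-wait),
    which is exactly the duplicate delivery the alternating bit prevents."""
    data, ack = Channel(data_faults), Channel(ack_faults)
    pending, sbit, expected, delivered = list(messages), 0, 0, []
    for _ in range(max_rounds):
        if not pending:
            break
        data.put((sbit, pending[0]))             # sender: (re)send with its control bit
        frame = data.get()
        while frame is not None:                 # receiver: consume everything that arrived
            bit, msg = frame
            if bit == expected or not check_bit:
                delivered.append(msg)            # accept only the bit we are waiting for
                expected ^= 1
            ack.put(bit)                         # acknowledge the bit seen, even for repeats
            frame = data.get()
        a = ack.get()
        while a is not None:                     # sender: advance on an ack carrying its bit
            if a == sbit:
                pending.pop(0)
                sbit ^= 1
                break
            a = ack.get()
    return delivered


# Constructed fault schedule: first frame lost, first ack lost, third frame duplicated.
MESSAGES = ['m1', 'm2', 'm3']
DATA_FAULTS = ['lose', 'ok', 'ok', 'dup']
ACK_FAULTS = ['lose', 'ok']
```

run_abp(MESSAGES, DATA_FAULTS, ACK_FAULTS) delivers m1, m2, m3 exactly once each: the retransmission of m1 after the lost acknowledgement and the duplicated m2 frame both arrive with a bit the receiver is no longer expecting and are acknowledged but not delivered. With check_bit=False the same schedule delivers m1 and m2 twice, which is the failure the control bit exists to rule out. Stale acknowledgements left in the channel carry the previous bit and are skipped by the sender's loop.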

Page 24

Using EMC to verify ABP

1. The protocol is written in a CSP (Communicating Sequential Processes) style language in which only boolean data types are permitted

2. The sender and receiver processes of the ABP are compiled into a global state graph

3. The graph for the ABP has 251 states

4. EMC is then used to verify properties of this graph

Page 25

Using EMC to verify ABP

1. Sending a message (SndMsg) strictly alternates with receiving a message (RcvMsg)

2. Smsg is the bit that was sent and Rmsg the bit that was received: if a 0-message (1-message) is sent, then a 0-message (1-message) is received

3. Fairness constraints: SndMsg and RcvMsg each occur infinitely often

Page 26

Part 5 : Extended Logic. The computation tree logic CTL* (pronounced "CTL star") combines both branching-time and linear-time operators

Path formulas
1. If f is a path formula, the notation (M, π ⊨ f) means that f holds for the path π = s0, s1, s2, ... in the Kripke structure M
2. If f and g are path formulas, then ¬f, f ∨ g, X f, F f, G f and f U g are path formulas

State formulas
1. If p is an atomic proposition, then p is a state formula
2. If f is a state formula, the notation (M, s ⊨ f) means that f holds at state s in the Kripke structure M
3. If f and g are state formulas, then ¬f and f ∨ g are state formulas
4. If f is a path formula, then E(f) and A(f) are state formulas
5. If f is a state formula, then f is also a path formula (a state formula f is true for a path π = s0, s1, s2, ... iff f is true in the initial state s0 of π)

Page 27

Extended Logic cont.

We can write: A(f) ≡ ¬E(¬f), G f ≡ ¬F ¬f, and F f ≡ true U f

So, given any CTL* formula, we can rewrite it without using the operators A, F or G
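The syntax rules of Page 26 and the rewrites of Page 27, as an added example written for this transcript (not from the paper or the presenter): a classifier for CTL* state and path formulas, a check for the CTL fragment of Page 5 (every temporal operator directly under a path quantifier), and the elimination of A, F and G. The tuple encoding and function names are mine; F f ≡ true U f is the standard abbreviation, used because the slide names F among the eliminated operators but gives identities only for A and G.

```python
# Formulas as nested tuples: ('true',) and ('p', name) are atoms; ('not', f), ('or', f, g);
# temporal ('X', f), ('F', f), ('G', f), ('U', f, g); quantified ('E', f), ('A', f).


def is_state_formula(f):
    """Page 26: atoms; ¬ and ∨ of state formulas; E(f) and A(f) for a path formula f."""
    op = f[0]
    if op in ('true', 'p'):
        return True
    if op == 'not':
        return is_state_formula(f[1])
    if op == 'or':
        return is_state_formula(f[1]) and is_state_formula(f[2])
    if op in ('E', 'A'):
        return is_path_formula(f[1])
    return False


def is_path_formula(f):
    """Page 26: every state formula; ¬, ∨, X, F, G, U of path formulas."""
    if is_state_formula(f):
        return True
    op = f[0]
    if op in ('not', 'X', 'F', 'G'):
        return is_path_formula(f[1])
    if op in ('or', 'U'):
        return is_path_formula(f[1]) and is_path_formula(f[2])
    return False


def is_ctl(f):
    """The CTL fragment of Page 5: each X, F, G, U sits directly under E or A and takes
    state formulas as arguments, so no bare path formula appears in the tree."""
    op = f[0]
    if op in ('true', 'p'):
        return True
    if op == 'not':
        return is_ctl(f[1])
    if op == 'or':
        return is_ctl(f[1]) and is_ctl(f[2])
    if op in ('E', 'A'):
        g = f[1]
        if g[0] in ('X', 'F', 'G'):
            return is_ctl(g[1])
        if g[0] == 'U':
            return is_ctl(g[1]) and is_ctl(g[2])
    return False


def neg(f):
    """¬f with a double negation cancelled, so the rewritten formula stays readable."""
    return f[1] if f[0] == 'not' else ('not', f)


def eliminate(f):
    """Page 27 rewrites applied bottom-up: A(f) = ¬E(¬f), G f = ¬F ¬f and F f = true U f,
    leaving a formula over ¬, ∨, X, U and E only."""
    if f[0] in ('true', 'p'):
        return f
    args = tuple(eliminate(g) for g in f[1:])
    if f[0] == 'A':
        return neg(('E', neg(args[0])))
    if f[0] == 'F':
        return ('U', ('true',), args[0])
    if f[0] == 'G':
        return neg(('U', ('true',), neg(args[0])))
    return (f[0],) + args


def operators(f):
    """Set of operator names occurring in f (to confirm that A, F and G are gone)."""
    return {f[0]} | set().union(*(operators(g) for g in f[1:] if isinstance(g, tuple)))
```

eliminate(('A', ('G', ('p', 'q')))) returns ¬E(true U ¬q), which is the CTL identity AG q ≡ ¬EF ¬q from Page 5. E(G F q) ("q holds infinitely often on some path") is a CTL* state formula but fails is_ctl, since the G is not directly under a path quantifier; that is the expressiveness gap Part 5 is about.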

Page 28

Summary

1. Syntax and semantics of Computation Tree Logic (CTL), illustrated on the mutual exclusion example

2. The basic model checking (state labeling) algorithm, illustrated with an example

3. The extension of this algorithm that considers only fair computations, i.e. Extended Model Checking (EMC)

4. Correctness of the Alternating Bit Protocol model, verified with EMC
