Modelchecking with LTL and CTL

N/A
N/A
Protected

Academic year: 2022

Aktie "Modelchecking with LTL and CTL"

Copied!
4
0
0

Wird geladen.... (Jetzt Volltext ansehen)

Volltext

(1)

Systeme Hoher Sicherheit und Qualität Universität Bremen WS 2015/2016

Lecture 13 (25.01.2016)

Modelchecking with LTL and CTL

Christoph Lüth Jan Peleska Dieter Hutter

Organisational matters

- Evaluation: on the stud.ip page (under "Lehrevaluation")
- Examinations and oral examinations (Fachgespräche):
  - calendar week 7 (15/16 February), or
  - 2 February (last week of the semester, at the exercise slot).

SSQ, WS 15/16 2 [25]

Where are we?

- 01: Concepts of Quality
- 02: Legal Requirements: Norms and Standards
- 03: The Software Development Process
- 04: Hazard Analysis
- 05: High-Level Design with SysML
- 06: Formal Modelling with SysML and OCL
- 07: Detailed Specification with SysML
- 08: Testing
- 09: Program Analysis
- 10: Foundations of Software Verification
- 11: Verification Condition Generation
- 12: Semantics of Programming Languages
- 13: Model-Checking
- 14: Conclusions and Outlook


Modelchecking in the Development Process

- Model-checking proves properties of abstractions of the system.
- Thus, it also scales to higher levels of the development process.


Introduction

- In the last lectures, we were verifying program properties with the Floyd-Hoare calculus and related approaches. Program verification was reduced to a deductive problem by translating the program into logic (specifically, state change becomes substitution).

- Model-checking takes a different approach: instead of working directly with the program, we work with an abstraction of the system (a model). Because we build abstractions, this approach is also applicable at the higher verification levels.

- But what are the properties we want to express? How do we express them, and how do we prove them?


The Model-Checking Problem

The Basic Question

Given a model M and a property φ, we want to know whether M |= φ.

- What is M? Finite state machines
- What is φ? Temporal logic
- How to prove it? Enumerating states — model checking
- The basic problem: state explosion


Finite State Machines

Finite State Machine (FSM)

A FSM is given by M = ⟨Σ, →⟩ where

- Σ is a finite set of states, and
- → ⊆ Σ × Σ is a transition relation, such that → is left-total:

  ∀s ∈ Σ. ∃s' ∈ Σ. s → s'

- Many variations of this definition exist, e.g. sometimes we have state variables or labelled transitions.
- Note there is no final state, and no input or output (this is the key difference to automata).
- If → is a function, the FSM is deterministic, otherwise it is non-deterministic.


The Railway Crossing

[Figure: photograph of a railway crossing. Source: Wikipedia]


The Railway Crossing — Abstraction

[Figure: the crossing abstracted to three components: Train, Car, Gates]


The Railway Crossing — Model

[Figure: three state machines, one per component.
States of the train: away, appr, xing, lvng; one transition is labelled gate = closd.
States of the car: away, appr, xing, lvng; transitions are labelled gate = open and gate = closed.
States of the gate: closd, open; transitions are labelled train = appr and train = lvng.]


The FSM

- The states here are a map from the variables Car, Train, Gate to the domains

  ΣCar = {appr, xing, lvng, away}
  ΣTrain = {appr, xing, lvng, away}
  ΣGate = {open, clsd}

  or alternatively, a three-tuple S ∈ Σ = ΣCar × ΣTrain × ΣGate.

- The transition relation is given by e.g.

  ⟨away, open, away⟩ → ⟨appr, open, away⟩
  ⟨appr, open, away⟩ → ⟨xing, open, away⟩
  . . .


Railway Crossing — Safety Properties

- Now we want to express safety (or security) properties, such as the following:
  - Cars and trains never cross at the same time.
  - The car can always leave the crossing.
  - Approaching trains may eventually cross.
  - There are cars crossing the tracks.
- We distinguish safety properties from liveness properties:
  - Safety: something bad never happens.
  - Liveness: something good will (eventually) happen.
- To express these properties, we need to talk about sequences of states in an FSM.


Linear Temporal Logic (LTL) and Paths

- LTL allows us to talk about paths in a FSM, where a path is a sequence of states connected by the transition relation.
- We first define the syntax of formulae,
- then what it means for a path to satisfy a formula, and
- from that we derive the notion of a model for an LTL formula.

Paths

Given a FSM M = ⟨Σ, →⟩, a path in M is an (infinite) sequence ⟨s1, s2, s3, . . .⟩ such that si ∈ Σ and si → si+1 for all i.

- For a path p = ⟨s1, s2, s3, . . .⟩, we write p_i for si (selection) and p^i for ⟨si, si+1, . . .⟩ (the suffix starting at i).


Linear Temporal Logic (LTL)

φ ::= ⊤ | ⊥ | p — True, false, atomic
  | ¬φ | φ1 ∧ φ2 | φ1 ∨ φ2 | φ1 −→ φ2 — Propositional formulae
  | Xφ — Next state
  | ♦φ — Some future state
  | □φ — All future states (Globally)
  | φ1 U φ2 — Until

- Operator precedence: unary operators; then U; then ∧, ∨; then −→.
- An atomic formula p above denotes a state predicate. Note that different FSMs have different states, so whether an atomic formula is satisfied depends on the FSM in question. A different (but equivalent) approach is to label states with atomic propositions.
- From these, we can define other operators, such as φ R ψ (release) or φ W ψ (weak until).


Satisfaction and Models of LTL

Given a path p and an LTL formula φ, the satisfaction relation p |= φ is defined inductively as follows:

p |= True
p ⊭ False
p |= p iff p(p_1) (the state predicate p holds of the first state)
p |= ¬φ iff p ⊭ φ
p |= φ ∧ ψ iff p |= φ and p |= ψ
p |= φ ∨ ψ iff p |= φ or p |= ψ
p |= φ −→ ψ iff whenever p |= φ then p |= ψ
p |= Xφ iff p^2 |= φ
p |= □φ iff for all i, we have p^i |= φ
p |= ♦φ iff there is i such that p^i |= φ
p |= φ U ψ iff there is i such that p^i |= ψ and for all j = 1, . . . , i−1, p^j |= φ

Models of LTL formulae

A FSM M satisfies an LTL formula φ, M |= φ, iff every path p in M satisfies φ.


The Railway Crossing

- Cars and trains never cross at the same time:

  □¬(car = xing ∧ train = xing)

- A car can always leave the crossing:

  □(car = xing −→ ♦(car = lvng))

- Approaching trains may eventually cross:

  □(train = appr −→ ♦(train = xing))

- There are cars crossing the tracks:

  ♦(car = xing) means something else!
  - Cannot express this in LTL!
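The inductive definition of p |= φ is directly executable once an infinite path is represented finitely. As an added example (not code from the lecture), the Python below stores a path as a finite prefix plus a loop (an ultimately periodic path, the shape in which model checkers report counterexamples) and evaluates p |= φ by the clauses of the satisfaction relation. The tuple encoding of formulae, the names `LassoPath`, `sat` and `holds_on_all`, and the two sample paths through the railway crossing are all constructed here, not taken from the slides. It shows that ♦(car = xing) holds on a path where a car does cross but fails on a path where no car ever approaches, which is why M |= ♦(car = xing) cannot express "there are cars crossing the tracks".

```python
# Added example (not from the lecture slides): the LTL satisfaction relation
# p |= phi evaluated on ultimately periodic ("lasso") paths of the railway crossing.
# Formulae are nested tuples:
#   ('p', pred)                      atomic state predicate, pred(state) -> bool
#   ('not', f) ('and', f, g) ('or', f, g) ('impl', f, g)
#   ('X', f) ('F', f) ('G', f) ('U', f, g)   -- next, diamond, box, until
# and the Python constants True / False stand for top and bottom.

class LassoPath:
    """Infinite path <s1, s2, ...> stored as a finite prefix plus a loop:
    states[loop-1:] repeats forever. Positions are 1-based like p_i on the slides."""

    def __init__(self, states, loop):
        assert 1 <= loop <= len(states), "loop must start inside the stored states"
        self.states, self.loop = list(states), loop

    def norm(self, i):
        """Map any position i >= 1 to the stored position holding the same state."""
        n = len(self.states)
        if i <= n:
            return i
        return self.loop + (i - self.loop) % (n - self.loop + 1)

    def state(self, i):
        """Selection p_i."""
        return self.states[self.norm(i) - 1]

    def future(self, i):
        """Positions j >= i in visiting order, each distinct suffix p^j exactly once."""
        i, n = self.norm(i), len(self.states)
        order = list(range(i, n + 1))
        if i >= self.loop:                        # already inside the loop: the earlier
            order += list(range(self.loop, i))    # loop positions are visited again
        return order


def sat(p, f, i=1):
    """p^i |= f, following the inductive definition on the slides."""
    if f is True or f is False:
        return f
    op = f[0]
    if op == 'p':
        return bool(f[1](p.state(i)))
    if op == 'not':
        return not sat(p, f[1], i)
    if op == 'and':
        return sat(p, f[1], i) and sat(p, f[2], i)
    if op == 'or':
        return sat(p, f[1], i) or sat(p, f[2], i)
    if op == 'impl':
        return (not sat(p, f[1], i)) or sat(p, f[2], i)
    if op == 'X':                                     # next state: p^(i+1)
        return sat(p, f[1], i + 1)
    if op == 'F':                                     # some future suffix
        return any(sat(p, f[1], j) for j in p.future(i))
    if op == 'G':                                     # all future suffixes
        return all(sat(p, f[1], j) for j in p.future(i))
    if op == 'U':                                     # f1 until f2
        for j in p.future(i):
            if sat(p, f[2], j):
                return True                           # f2 reached, f1 held before it
            if not sat(p, f[1], j):
                return False                          # f1 broke before f2 arrived
        return False                                  # f2 never holds on this path
    raise ValueError(f"unknown operator {op!r}")


def holds_on_all(paths, f):
    """M |= f means every path of M satisfies f; here checked on a given sample of paths."""
    return all(sat(p, f) for p in paths)


# Railway crossing states and the four properties from the slides.
def S(car, train, gate):
    return {"car": car, "train": train, "gate": gate}

def is_(var, val):
    return ('p', lambda s: s[var] == val)

NEVER_BOTH    = ('G', ('not', ('and', is_("car", "xing"), is_("train", "xing"))))
CAR_LEAVES    = ('G', ('impl', is_("car", "xing"), ('F', is_("car", "lvng"))))
TRAIN_CROSSES = ('G', ('impl', is_("train", "appr"), ('F', is_("train", "xing"))))
SOME_CAR_XING = ('F', is_("car", "xing"))

# Constructed sample paths (not from the slides). PATH_A: one car crosses, then the
# train cycles forever (loop starts at position 5). PATH_B: no car ever approaches.
PATH_A = LassoPath([S("away", "away", "open"), S("appr", "away", "open"),
                    S("xing", "away", "open"), S("lvng", "away", "open"),
                    S("away", "appr", "open"), S("away", "appr", "clsd"),
                    S("away", "xing", "clsd"), S("away", "lvng", "clsd"),
                    S("away", "away", "open")], loop=5)
PATH_B = LassoPath([S("away", "away", "open"), S("away", "appr", "open"),
                    S("away", "appr", "clsd"), S("away", "xing", "clsd"),
                    S("away", "lvng", "clsd")], loop=1)

if __name__ == "__main__":
    for name, f in [("never both crossing", NEVER_BOTH), ("car leaves", CAR_LEAVES),
                    ("train crosses", TRAIN_CROSSES), ("some car crosses", SOME_CAR_XING)]:
        print(f"{name:20} PATH_A={sat(PATH_A, f)} PATH_B={sat(PATH_B, f)}")
```

Because a lasso path has only finitely many distinct suffixes, `future(i)` enumerates each of them once, so ♦, □ and U terminate even though the path is infinite; `holds_on_all` only checks the paths it is given, whereas M |= φ quantifies over every path of the FSM, which is what a model checker enumerates.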


Computational Tree Logic (CTL)

- LTL does not allow us to quantify over paths, e.g. to assert the existence of a path satisfying a particular property.
- To a limited degree, we can solve this problem by negation: instead of asserting a property φ, we check whether ¬φ is satisfied; if that is not the case, φ holds. But this does not work for mixtures of universal and existential quantifiers.
- Computational Tree Logic (CTL) is an extension of LTL which allows this by adding universal and existential quantifiers to the modal operators.
- The name comes from considering paths in the computational tree obtained by unwinding the FSM.


CTL Formulae

φ ::= ⊤ | ⊥ | p — True, false, atomic
  | ¬φ | φ1 ∧ φ2 | φ1 ∨ φ2 | φ1 −→ φ2 — Propositional formulae
  | AXφ | EXφ — All or some next state
  | AFφ | EFφ — All or some future states
  | AGφ | EGφ — All or some global future
  | A[φ1 U φ2] | E[φ1 U φ2] — Until, all or some


Satisfaction

- Note that CTL formulae can be considered to be LTL formulae with a 'modality' (A or E) added on top of each temporal operator.
- Generally speaking, the A modality says the temporal operator holds for all paths, and the E modality says the temporal operator holds for at least one path.
- Of course, strictly speaking that is not true, because the arguments of the temporal operators are in turn CTL formulae, so we need recursion.
- This all explains why we do not define satisfaction for a single path p, but satisfaction with respect to a specific state in an FSM.


Satisfaction for CTL

Given an FSM M = ⟨Σ, →⟩, s ∈ Σ and a CTL formula φ, then M, s |= φ is defined inductively as follows:

M, s |= True
M, s ⊭ False
M, s |= p iff p(s)
M, s |= φ ∧ ψ iff M, s |= φ and M, s |= ψ
M, s |= φ ∨ ψ iff M, s |= φ or M, s |= ψ
M, s |= φ −→ ψ iff whenever M, s |= φ then M, s |= ψ
. . .


Satisfaction for CTL (c’ed)

Given an FSM M = ⟨Σ, →⟩, s ∈ Σ and a CTL formula φ, then M, s |= φ is defined inductively as follows:

. . .
M, s |= AXφ iff for all s1 with s → s1, we have M, s1 |= φ
M, s |= EXφ iff for some s1 with s → s1, we have M, s1 |= φ
M, s |= AGφ iff for all paths p with p_1 = s, we have M, p_i |= φ for all i ≥ 2
M, s |= EGφ iff there is a path p with p_1 = s and we have M, p_i |= φ for all i ≥ 2
M, s |= AFφ iff for all paths p with p_1 = s, we have M, p_i |= φ for some i
M, s |= EFφ iff there is a path p with p_1 = s and we have M, p_i |= φ for some i
M, s |= A[φ U ψ] iff for all paths p with p_1 = s, there is i with M, p_i |= ψ and for all j < i, M, p_j |= φ
M, s |= E[φ U ψ] iff there is a path p with p_1 = s and there is i with M, p_i |= ψ and for all j < i, M, p_j |= φ
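The path quantifiers above are not checked by enumerating paths; an explicit-state model checker computes, for each subformula, the set of states satisfying it, with EX computed directly from the transition relation, E[φ U ψ] as a least fixpoint, EGφ as a greatest fixpoint, and the other operators derived from these. As an added example (not code from the lecture or from NuSMV/Spin), the Python below does exactly that for the railway crossing FSM from the earlier slides, built here as the product ΣCar × ΣTrain × ΣGate with the left-totality check the FSM definition demands, and evaluates the four properties from the railway slide plus AF(car = xing) for contrast. Everything the slides leave open about the model is an assumption of this example: the three components are composed synchronously (each takes one step per transition, which is how NuSMV composes modules by default), car and train may stay in away for any number of steps, the guards are read from the diagram as "the car enters xing only if gate = open, the train only if gate = clsd", and the gate closes when train = appr and opens when train = lvng. The fixpoint characterisations use the usual semantics in which AGφ and EGφ also require φ in the start state itself.

```python
# Added example (not from the lecture slides): an explicit-state CTL model checker
# using the standard fixpoint characterisations, run on a hand-built railway crossing.
# Assumptions not stated on the slides: synchronous composition (car, train and gate
# each take one step per transition) and car and train may linger in "away".
from itertools import product

VEHICLE = ("appr", "xing", "lvng", "away")   # Sigma_Car = Sigma_Train
GATES = ("open", "clsd")                      # Sigma_Gate

def next_vehicle(pos, gate, needs):
    """away -> appr -> xing -> lvng -> away; entering xing requires gate == needs."""
    if pos == "away":
        return {"away", "appr"}               # may keep waiting, may start approaching
    if pos == "appr":
        return {"xing"} if gate == needs else {"appr"}
    if pos == "xing":
        return {"lvng"}
    return {"away"}

def next_gate(gate, train):
    """The gate closes when a train approaches and opens once it is leaving."""
    if gate == "open":
        return {"clsd"} if train == "appr" else {"open"}
    return {"open"} if train == "lvng" else {"clsd"}

# Sigma = Sigma_Car x Sigma_Train x Sigma_Gate; a state is the triple (car, train, gate).
STATES = frozenset(product(VEHICLE, VEHICLE, GATES))
SUCC = {(c, t, g): {(c2, t2, g2)
                    for c2 in next_vehicle(c, g, "open")
                    for t2 in next_vehicle(t, g, "clsd")
                    for g2 in next_gate(g, t)}
        for (c, t, g) in STATES}
INIT = ("away", "away", "open")

def is_left_total():
    """The FSM definition demands: for all s there is some s' with s -> s'."""
    return all(SUCC[s] for s in STATES)

def reachable(start=INIT):
    """Forward state enumeration: the states a model checker actually has to visit."""
    seen, todo = {start}, [start]
    while todo:
        for s2 in SUCC[todo.pop()]:
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return seen

# --- CTL: every formula is computed as the set of states satisfying it --------
def atom(var, val):
    idx = {"car": 0, "train": 1, "gate": 2}[var]
    return {s for s in STATES if s[idx] == val}

def NOT(A):     return STATES - A
def AND(A, B):  return A & B
def IMPL(A, B): return NOT(A) | B
def EX(A):      return {s for s in STATES if SUCC[s] & A}
def AX(A):      return NOT(EX(NOT(A)))

def EU(A, B):
    """E[A U B] as the least fixpoint of Z = B | (A & EX Z)."""
    Z = set(B)
    while True:
        Z2 = Z | (A & EX(Z))
        if Z2 == Z:
            return Z
        Z = Z2

def EG(A):
    """EG A as the greatest fixpoint of Z = A & EX Z (relies on left-totality)."""
    Z = set(A)
    while True:
        Z2 = Z & EX(Z)
        if Z2 == Z:
            return Z
        Z = Z2

def EF(A):      return EU(STATES, A)
def AG(A):      return NOT(EF(NOT(A)))
def AF(A):      return NOT(EG(NOT(A)))
def AU(A, B):   return NOT(EU(NOT(B), AND(NOT(A), NOT(B))) | EG(NOT(B)))

def check(formula, s=INIT):
    """M, s |= phi  iff  s lies in the set of states satisfying phi."""
    return s in formula

def railway_properties():
    """The properties from the railway-crossing slide, plus AF car=xing for contrast."""
    car, train = (lambda v: atom("car", v)), (lambda v: atom("train", v))
    return {
        "AG not(car=xing and train=xing)": check(AG(NOT(AND(car("xing"), train("xing"))))),
        "AG(car=xing -> AF car=lvng)":     check(AG(IMPL(car("xing"), AF(car("lvng"))))),
        "AG(train=appr -> AF train=xing)": check(AG(IMPL(train("appr"), AF(train("xing"))))),
        "EF car=xing":                     check(EF(car("xing"))),
        "AF car=xing":                     check(AF(car("xing"))),  # False: the car may never come
    }

if __name__ == "__main__":
    print(f"{len(STATES)} states, {len(reachable())} reachable, left-total: {is_left_total()}")
    for name, result in railway_properties().items():
        print(f"{name:35} {result}")
```

Run stand-alone, it prints the 32-state count, how many of those states are reachable from the initial state, and each property's verdict at the initial state. Under the assumptions above the three properties from the slide hold and EF(car = xing) holds, while AF(car = xing) is false because the car may wait in away forever; that is exactly the E versus A distinction the railway slide makes about ♦(car = xing). Each fixpoint iteration touches every state, which is where state explosion bites: the sets grow with |Σ|, and adding one 32-bit variable would multiply |Σ| by 2^32.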


Patterns of Specification

- Something bad (p) cannot happen: AG ¬p
- p occurs infinitely often: AG(AF p)
- p occurs eventually: AF p
- In the future, p will hold eventually forever: AF AG p
- Whenever p will hold in the future, q will hold eventually: AG(p −→ AF q)
- In all states, p is always possible: AG(EF p)


LTL and CTL

- We have seen that CTL is more expressive than LTL, but (surprisingly), there are properties which we can formalise in LTL but not in CTL!
- Example: all paths which have a p along them also have a q along them.
- LTL: ♦p −→ ♦q
- CTL: not AF p −→ AF q (which would mean: if all paths have p, then all paths have q), nor AG(p −→ AF q) (which means: if there is a p, it will be followed by a q).
- The logic CTL* combines both LTL and CTL (but we will not consider it further here).


State Explosion and Complexity

- The basic problem of model checking is state explosion.
- Even our small railway crossing has

  |Σ| = |ΣCar × ΣTrain × ΣGate| = |ΣCar| · |ΣTrain| · |ΣGate| = 4 · 4 · 2 = 32 states.

  Add one integer variable with 2^32 states, and this gets intractable.
- Theoretically, there is not much hope. The basic problem of deciding whether a particular formula holds is known as the satisfiability problem, and for the temporal logics we have seen, its complexity is as follows:
  - LTL without U is NP-complete.
  - LTL is PSPACE-complete.
  - CTL is EXPTIME-complete.
- The good news is that at least it is decidable. Practically, state abstraction is the key technique. E.g. instead of considering all possible integer values, consider only whether i is zero or larger than zero.


Summary

- Model-checking allows us to show properties of systems by enumerating the system's states, by modelling systems as finite state machines, and expressing properties in temporal logic.
- We considered Linear Temporal Logic (LTL) and Computational Tree Logic (CTL). LTL allows us to express properties of single paths, CTL allows quantification over all possible paths of an FSM.
- The basic problem: the system state can quickly get huge, and the basic complexity of the problem is horrendous. Use of abstraction and state compression techniques makes model-checking bearable.
- Tomorrow: practical experiments with model-checkers (NuSMV and/or Spin)
