Document Sample

Linear-Time Properties Lecture #5 of Model Checking Joost-Pieter Katoen Lehrstuhl II: Programmiersprachen u. Softwarevalidierung E-mail: katoen@cs.rwth-aachen.de November 8, 2005 c JPK #5: Linear-time properties Model checking Overview Lecture #5 ⇒ The state-space explosion problem • Paths and traces • Linear-time properties c JPK 1 #5: Linear-time properties Model checking Sequential programs • The # states of a simple program graph is: #program locations · | dom(x) | variable x ⇒ number of states grows exponentially in the number of program variables – N variables with k possible values each yields k N states – this is called the state-space explosion problem • A program with 10 locations, 3 bools, 5 integers (in range 0 . . . 9): 10 · 23 · 105 = 800, 000 states • Adding a single 50-positions bit-array yields 800, 000·250 states c JPK 2 #5: Linear-time properties Model checking Concurrent programs • The # states of P ≡ P1 || . . . || Pn is maximally: #states of P1 × . . . × #states of Pn ⇒ # states grows exponentially with the number of components • The composition of N components of size k each yields k N states • This is called the state-space explosion problem c JPK 3 #5: Linear-time properties Model checking Dijkstra’s mutual exclusion program b[k] :k := i • two bit-arrays of size N b[i] := 0 k = i :c[i] := 1 0 1 2 • global variable k c[i] := 1 ¬ b[k] – with value in 1, . . . , N 5 l = i ∧ ¬ c[l] k = i : c[i] := 0, l := 0 • local variable l b[i] := 1 – with value in 1, . . . , N 4 l=N 3 l = i ∨ c[l] :l++ • 6 program locations per process ⇒ totally 22N · N 2 · 6N states c JPK 4 #5: Linear-time properties Model checking Channel systems • Asynchronous communication of processes via channels – each channel c has a bounded capacity cap(c) – if a channel has capacity 0, we obtain handshaking • # states of system with N components and K channels is: N K #program locations | dom(x)| · |dom(cj )|cap(cj ) i=1 variable x j=1 this is the underlying structure of Promela c JPK 5 #5: Linear-time properties Model checking The alternating bit protocol c! m, 0 d?x snd msg(0) st tmr(0) tmr on wait(0) chk ack(0) lost x=1 x=1: timeout x=0: tmr oﬀ timeout tmr oﬀ x=0 lost ! chk ack(1) wait(1) st tmr(1) snd msg(1) tmr on d?x c! m, 1 channel capacity 10, and datums are bits, yields 2·8·6·4 10 ·210 = 3·235 ≈ 1011 states c JPK 6 #5: Linear-time properties Model checking Summary of Chapter 2 • Transition systems are fundamental for modeling software and hardware • Interleaving = execution of independent concurrent processes by non-determinism • For shared variable communication use composition on program graphs • Handshaking on a set H of actions amounts to – executing action ∈ H autonomously (= interleaving) – those in H simultaneously • Channel systems = program graphs + ﬁrst-in ﬁrst-out communication channels – handshaking for channels of capacity 0 – asynchronous message passing when capacity exceeds 0 • Size of transition systems grows exponentially – in the number of concurrent components and the number of variables c JPK 7 #5: Linear-time properties Model checking State graph • The state graph of TS, notation G(TS), is the digraph (V, E) with vertices V = S and edges E = {(s, s ) ∈ S × S | s ∈ Post(s)} ⇒ omit all state and transition labels in TS and ignore being initial • Post∗(s) is the set of states reachable G(TS) from s Post∗(C) = Post∗(s) for C ⊆ S s∈C • The notations Pre∗(s) and Pre∗(C) have analogous meaning • The set of reachable states: Reach(TS) = Post∗(I) c JPK 8 #5: Linear-time properties Model checking Path fragments • A path fragment is an execution fragment without actions • A ﬁnite path fragment π of TS is a state sequence: s0 s1 . . . s n such that si ∈ Post(si−1 ) for all 0 < i n where n 0 • An inﬁnite path fragment π is an inﬁnite state sequence: s0 s1 s2 . . . such that si ∈ Post(si−1 ) for all i > 0 • Notations for path fragment π = s0 s1 s2 . . .: – ﬁrst(π) = s0 = π[0]; let π[j] = sj denote the j -th state of π – j -th preﬁx π[..j] = s0 s1 . . . sj and j -th sufﬁx π[j..] = sj sj+1 . . . – last(s0 . . . sn) = sn is the last state; and len(s 0 . . . sn) = n is the length c JPK 9 #5: Linear-time properties Model checking Paths • A path of TS is an initial, maximal path fragment – a maximal path fragment is either ﬁnite ending in a terminal state, or inﬁnite – a path fragment is initial if s 0 ∈ I • Paths(s) is the set of maximal path fragments π with ﬁrst(π) = s b π – Pathsﬁn (s) is the set of all ﬁnite path fragments π with ﬁrst(b ) = s c JPK 10 #5: Linear-time properties Model checking A mutual exclusion algorithm n1 , n2 , y=1 w1 , n2 , y=1 n1 , w2 , y=1 c1 , n2 , y=0 w1 , w2 , y=1 n1 , c2 , y=0 c1 , w2 , y=0 w1 , c2 , y=0 c JPK 11 #5: Linear-time properties Model checking Example paths c JPK 12 #5: Linear-time properties Model checking Traces • Actions are mainly used to model the (possibility of) interaction – synchronous or asynchronous communication • Here, focus on the states that are visited during executions – the states themselves are not “observable”, but just their atomic propositions • Consider sequences of the form L(s0) L(s1) L(s2) . . . – just register the (set of) atomic propositions that are valid along the execution α0 α1 − − – instead of execution s0 − → s1 − → s2 . . . ⇒ this is called a trace • For a transition system without terminal states: “ ”ω AP AP – traces are inﬁnite words over the alphabet 2 , i.e., they are in 2 c JPK 13 #5: Linear-time properties Model checking Traces • Let TS = (S, Act, →, I, AP, L) be a transition system without terminal states • The trace of path fragment π = s0 s1 . . . is trace(π) = L(s0) L(s1) . . . b π – the trace of π = s0 s1 . . . sn is trace(b ) = L(s0) L(s1 ) . . . L(sn). • The set of traces of a set Π of paths: trace(Π) = { trace(π) | π ∈ Π } • Traces(s) = trace(Paths(s)) Traces(TS) = s∈I Traces(s) • Tracesﬁn (s) = trace(Pathsﬁn (s)) Tracesﬁn (TS) = s∈I Tracesﬁn (s) c JPK 14 #5: Linear-time properties Model checking Example traces c JPK 15 #5: Linear-time properties Model checking Linear-time properties • Linear-time properties specify the traces that a TS must exhibit – LT-property speciﬁes the admissible behaviour of the system under consideration – later, a logical formalism will be introduced for specifying LT properties AP ω • A linear-time property (LT property) over AP is a subset of 2 – ﬁnite words are not needed, as it is assumed that there are no terminal states • TS (over AP) satisﬁes LT-property P (over AP): TS |= P if and only if Traces(TS) ⊆ P – TS satisﬁes the LT property P if all its “observable” behaviors are admissible – state s ∈ S satisﬁes P , notation s |= P , whenever Traces(s) ⊆ P c JPK 16 #5: Linear-time properties Model checking How to specify mutual exclusion? “Always at most one process is in its critical section” • Let AP = { crit1, crit2 } – other atomic propositions are not of any relevance for this property • Formalization as LT property Pmutex = set of inﬁnite words A0 A1 A2 . . . with { crit1, crit2 } ⊆ Ai for all 0 i • Contained in Pmutex are e.g., the inﬁnite words: { crit1 } { crit2 } { crit1 } { crit2 } { crit1 } { crit2 } . . . and ∅∅∅∅∅∅∅... – this does not apply to words of the form: { crit 1 } ∅ { crit1, crit2 } . . . Does the semaphore-based algorithm satisfy P mutex ? c JPK 17 #5: Linear-time properties Model checking How to specify starvation freedom? “A process that wants to enter the critical section is eventually able to do so‘” • Let AP = { wait1, crit1, wait2, crit2 } • Formalization as LT-property Pnostarve = set of inﬁnite words A0 A1 A2 . . . such that: “∞ ” “∞ ” ∃ j. waiti ∈ Aj ⇒ ∃ j. criti ∈ Aj for each i ∈ { 1, 2 } ∞ ∃ stands for “there are inﬁnitely many”. Does the semaphore-based algorithm satisfy P nostarve ? c JPK 18 #5: Linear-time properties Model checking No. The trace ∅ { wait2 } { wait1, wait2 } { crit1, wait2 } { wait2 } { wait1, wait2 } { crit1, wait2 } . . . is a possible trace of the transition system but not in Pnostarve c JPK 19 #5: Linear-time properties Model checking A mutual exclusion algorithm n1 , n2 , y=1 w1 , n2 , y=1 n1 , w2 , y=1 c1 , n2 , y=0 w1 , w2 , y=1 n1 , c2 , y=0 c1 , w2 , y=0 w1 , c2 , y=0 this algorithm satisﬁes P mutex c JPK 20 #5: Linear-time properties Model checking A mutual exclusion algorithm n1 , n2 , y=1 w1 , n2 , y=1 n1 , w2 , y=1 c1 , n2 , y=0 w1 , w2 , y=1 n1 , c2 , y=0 c1 , w2 , y=0 w1 , c2 , y=0 this variant algorithm with an omitted edge also satisﬁes P mutex c JPK 21 #5: Linear-time properties Model checking Trace equivalence and LT properties For TS and TS be transition systems (over AP) without terminal states: Traces(TS) ⊆ Traces(TS ) if and only if for any LT property P : TS |= P implies TS |= P Traces(TS) = Traces(TS ) if and only if TS and TS satisfy the same LT properties c JPK 22 #5: Linear-time properties Model checking Two beverage vending machines pay pay τ τ sprite τ select τ beer select1 sprite beer select2 AP = { pay , sprite , beer } there is no LT-property that can distinguish between these machines c JPK 23

DOCUMENT INFO

Shared By:

Categories:

Tags:
Linear-Time, perties, Lecture#5, ofModel, Checking

Stats:

views: | 8 |

posted: | 6/1/2010 |

language: | English |

pages: | 24 |

OTHER DOCS BY nml23533

How are you planning on using Docstoc?
BUSINESS
PERSONAL

By registering with docstoc.com you agree to our
privacy policy and
terms of service, and to receive content and offer notifications.

Docstoc is the premier online destination to start and grow small businesses. It hosts the best quality and widest selection of professional documents (over 20 million) and resources including expert videos, articles and productivity tools to make every small business better.

Search or Browse for any specific document or resource you need for your business. Or explore our curated resources for Starting a Business, Growing a Business or for Professional Development.

Feel free to Contact Us with any questions you might have.