
Chapter 6 Model Checking


Description

Chapter 6 Model Checking. Verification is an important way to raise the trustworthiness of software. Model checking is contrasted with program verification based on logical deduction: model checking is a method for verifying that a system satisfies a property (its specification). It operates on the model of the system (its semantics) rather than on the description of the system (its syntax). By traversing the entire state space it can verify finite-state systems automatically, and it automatically constructs a counterexample when the property being verified does not hold.

Applications of model checking: it has long been used for hardware verification and for verifying communication protocols, and is now beginning to be applied to software verification. The model-checking process in outline: start from a model described by the user; decide whether the assertion the user makes about the model is valid; if it is not, produce a counterexample in the form of an execution trace.

Text of Chapter 6 Model Checking


  • Recap: propositional logic. Syntax: φ ::= p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ), where p, q, … are atoms. Natural-deduction rules such as ∧i, ∧e1, ∧e2 derive sequents φ1, φ2, …, φn ⊢ ψ; φ1, φ2, …, φn ⊨ ψ is semantic entailment (every valuation that makes all φi true makes ψ true).

  • Recap: predicate logic. Terms t ::= x | c | f(t, …, t); formulas φ ::= P(t1, t2, …, tn) | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | (∀x φ) | (∃x φ), where P is a predicate symbol.

  • Model checking, narrowly interpreted: decision procedures for checking whether a given Kripke structure is a model of a given formula of a modal logic. Why is this of interest to us? Because the dynamics of a discrete system can be captured by a Kripke structure, and because many dynamic properties of a discrete system can be stated in modal logics. Model checking = system verification.

  • Model checking, generously interpreted: algorithms for system verification which operate on a system model (semantics) rather than a system description (syntax).

    There are many different model-checking problems: for different (classes of) system models and for different (classes of) system properties.

  • Example of a Kripke structure: a set of states S = {s1, s2, s3}, a set of atomic propositions A = {p, q}, a transition relation → ⊆ S × S containing s1 → s2, …, and a labelling function L: S → P(A) with L(s1) = {p}, …

  • Linear-time Temporal Logic (LTL)

  • Syntax of LTL: φ ::= ⊤ | ⊥ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | (X φ) | (F φ) | (G φ) | (φ U φ) | (φ W φ) | (φ R φ), where p, q, r, … are atomic propositions. X is read "next", F "in the future" (eventually), G "globally" (always), U "until", R "release" and W "weak until". Binding precedence: the unary connectives ¬, X, F, G bind most tightly; next come U, R, W; then ∧ and ∨; → binds most loosely.

  • A model (Kripke structure) for LTL is M = (S, s0, →, A, L): S is a finite set of states, s0 ∈ S the initial state, → ⊆ S × S the transition relation, A the set of atomic propositions and L: S → P(A) the labelling function. Every state must have at least one successor: ∀s ∈ S. ∃s' ∈ S. s → s'. A path π = s1 → s2 → … is an infinite sequence of states with si → si+1 for every i; πⁱ = si → si+1 → … denotes the suffix of π starting at si.

  • Satisfaction of an LTL formula by a path π = s1 → s2 → …, written π ⊨ φ, is defined by structural induction:
    π ⊨ ⊤ always, π ⊨ ⊥ never;
    π ⊨ p iff p ∈ L(s1);
    π ⊨ ¬φ iff π ⊭ φ;
    π ⊨ φ1 ∧ φ2 iff π ⊨ φ1 and π ⊨ φ2;
    π ⊨ φ1 ∨ φ2 iff π ⊨ φ1 or π ⊨ φ2;
    π ⊨ φ1 → φ2 iff π ⊨ φ2 whenever π ⊨ φ1;
    π ⊨ X φ iff π² ⊨ φ;
    π ⊨ G φ iff for all i ≥ 1, πⁱ ⊨ φ;
    π ⊨ F φ iff there is some i ≥ 1 with πⁱ ⊨ φ;
    π ⊨ φ U ψ iff there is some i ≥ 1 such that πⁱ ⊨ ψ and for all j = 1, …, i−1, πʲ ⊨ φ.

  • Illustration of until on a path s1 → s2 → … → s10 → …: p U q holds if q first becomes true at some si (in the slide's picture, 3 ≤ i ≤ 9) and p holds at every state before it.

  • Weak until and release:
    π ⊨ φ W ψ iff either there is some i ≥ 1 such that πⁱ ⊨ ψ and for all j = 1, …, i−1, πʲ ⊨ φ; or for all k ≥ 1, πᵏ ⊨ φ.
    π ⊨ φ R ψ iff either there is some i ≥ 1 such that πⁱ ⊨ φ and for all j = 1, …, i, πʲ ⊨ ψ; or for all k ≥ 1, πᵏ ⊨ ψ.

  • Release is the dual of until: φ R ψ ≡ ¬(¬φ U ¬ψ). Pictured on a path s1 → s2 → … → si−1 → si → si+1 → …: for φ U ψ, ψ holds at si and φ holds at s1, …, si−1; for φ R ψ, φ holds at si and ψ holds at s1, …, si (or ψ holds at every state of the path).


  • Satisfaction in a state: M, s ⊨ φ iff for every path π starting at s, π ⊨ φ. Examples on the slide's three-state model with states s0, s1, s2: M, s0 ⊨ p ∧ q; M, s0 ⊨ ¬r; M, s0 ⊨ ⊤; M, s0 ⊨ X r; M, s0 ⊭ X(q ∧ r); M, s0 ⊭ G(p ∧ r); M, s2 ⊨ G r.

  • Further examples: M, s ⊨ F(¬q ∧ r) → F G r holds for every state s. G F p does not hold at s0: the path s0 → s1 → s0 → s1 → … satisfies G F p, but the path s0 → s2 → s2 → … does not, so M, s0 ⊭ G F p. However M, s0 ⊨ G F p → G F r, whereas M, s0 ⊭ G F r → G F p.

  • Typical LTL specifications. G(started → ready): whenever started holds, ready holds too. G(requested → F acknowledged): every request is eventually acknowledged. G F enabled: enabled holds infinitely often. F G deadlock: from some point on the system is permanently deadlocked.

  • G F enabled → G F running: if a process is enabled infinitely often then it runs infinitely often.

    Lift example: G(floor2 ∧ directionup ∧ ButtonPressed5 → (directionup U floor5)): a lift at floor 2 travelling up with the button for floor 5 pressed keeps travelling up until it reaches floor 5.

  • LTL equivalences: ¬G φ ≡ F ¬φ, ¬F φ ≡ G ¬φ, ¬X φ ≡ X ¬φ (G and F are duals, X is self-dual); φ R ψ ≡ ¬(¬φ U ¬ψ) and φ U ψ ≡ ¬(¬φ R ¬ψ) (U and R are duals); F(φ ∨ ψ) ≡ F φ ∨ F ψ and G(φ ∧ ψ) ≡ G φ ∧ G ψ (F distributes over ∨, G over ∧).

  • Adequate sets of connectives for LTL: together with the propositional connectives ¬, ∧, ∨, the temporal connectives {U, X} suffice, since F φ ≡ ⊤ U φ, G φ ≡ ¬F ¬φ, φ R ψ ≡ ¬(¬φ U ¬ψ) and φ W ψ ≡ ψ R (φ ∨ ψ). Likewise {R, X} and {W, X} are adequate.
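The semantics and equivalences above can be exercised mechanically. The following is an added example, not code from the slides or from any tool they mention: it evaluates LTL formulas on an infinite path given as a lasso (a finite prefix followed by a cycle), which is the shape of every path a finite-state model checker can report, implements the satisfaction clauses for X, F, G, U, W and R exactly as defined above, and checks the identities F φ ≡ ⊤ U φ, G φ ≡ ¬F ¬φ, φ W ψ ≡ (φ U ψ) ∨ G φ, φ R ψ ≡ ¬(¬φ U ¬ψ), φ U ψ ≡ φ W ψ ∧ F ψ and φ W ψ ≡ ψ R (φ ∨ ψ) at every position. The class name LassoPath, the tuple encoding of formulas and the sample path in demo() are this example's own constructions.

```python
"""LTL semantics on an infinite path given as a lasso (finite prefix, then a cycle
repeated forever). Added example, not code from the slides. A formula is a nested
tuple: ('p', 'a') for an atom, ('not', f), ('and', f, g), ('or', f, g), ('imp', f, g),
('X', f), ('F', f), ('G', f), ('U', f, g), ('W', f, g), ('R', f, g)."""

TRUE, FALSE = ('true',), ('false',)

def atom(name):
    return ('p', name)

class LassoPath:
    """pi = prefix[0] ... prefix[P-1] (loop[0] ... loop[L-1])^omega; each entry is the
    set of atoms true at that position, i.e. L(s_i) for the state s_i visited there."""

    def __init__(self, prefix, loop):
        assert loop, "the cycle must be non-empty"
        self.prefix = [frozenset(x) for x in prefix]
        self.loop = [frozenset(x) for x in loop]
        self.memo = {}

    def labels(self, i):
        P, L = len(self.prefix), len(self.loop)
        return self.prefix[i] if i < P else self.loop[(i - P) % L]

    def canon(self, i):
        """Smallest position with the same suffix as i (suffixes repeat inside the cycle)."""
        P, L = len(self.prefix), len(self.loop)
        return i if i < P else P + (i - P) % L

    def horizon(self, i):
        """Every suffix pi^k with k >= horizon(i) equals pi^k' for some i <= k' < horizon(i),
        so quantifying k over range(i, horizon(i)) covers the whole infinite tail."""
        return max(i, len(self.prefix)) + len(self.loop)

    def holds(self, f, i=0):
        """pi^i |= f, i.e. the suffix starting at position i satisfies f."""
        i = self.canon(i)
        key = (f, i)
        if key in self.memo:
            return self.memo[key]
        op, at, H = f[0], self.holds, self.horizon(i)
        if op == 'true': r = True
        elif op == 'false': r = False
        elif op == 'p': r = f[1] in self.labels(i)
        elif op == 'not': r = not at(f[1], i)
        elif op == 'and': r = at(f[1], i) and at(f[2], i)
        elif op == 'or': r = at(f[1], i) or at(f[2], i)
        elif op == 'imp': r = (not at(f[1], i)) or at(f[2], i)
        elif op == 'X': r = at(f[1], i + 1)
        elif op == 'F': r = any(at(f[1], k) for k in range(i, H))
        elif op == 'G': r = all(at(f[1], k) for k in range(i, H))
        elif op == 'U':   # some k with psi, and phi at every j in [i, k)
            r = any(at(f[2], k) and all(at(f[1], j) for j in range(i, k)) for k in range(i, H))
        elif op == 'W':   # phi U psi, or phi forever
            r = at(('U', f[1], f[2]), i) or at(('G', f[1]), i)
        elif op == 'R':   # some k with phi and psi at every j in [i, k], or psi forever
            r = (any(at(f[1], k) and all(at(f[2], j) for j in range(i, k + 1)) for k in range(i, H))
                 or at(('G', f[2]), i))
        else:
            raise ValueError(op)
        self.memo[key] = r
        return r

def check_equivalences(path, phi, psi):
    """The slides' identities, compared at every distinct position of the path."""
    pairs = [
        (('F', phi), ('U', TRUE, phi)),                                 # F phi = true U phi
        (('G', phi), ('not', ('F', ('not', phi)))),                     # G phi = not F not phi
        (('W', phi, psi), ('or', ('U', phi, psi), ('G', phi))),         # phi W psi = (phi U psi) or G phi
        (('R', phi, psi), ('not', ('U', ('not', phi), ('not', psi)))),  # phi R psi = not(not phi U not psi)
        (('U', phi, psi), ('and', ('W', phi, psi), ('F', psi))),        # phi U psi = phi W psi and F psi
        (('W', phi, psi), ('R', psi, ('or', phi, psi))),                # phi W psi = psi R (phi or psi)
    ]
    positions = range(len(path.prefix) + len(path.loop))
    return all(path.holds(a, i) == path.holds(b, i) for a, b in pairs for i in positions)

def demo():
    # Constructed sample path (not from the slides): p, p, {p,q}, then (r, {q,r}) forever.
    pi = LassoPath(prefix=[{'p'}, {'p'}, {'p', 'q'}], loop=[{'r'}, {'q', 'r'}])
    p, q, r = atom('p'), atom('q'), atom('r')
    return {
        'p U q': pi.holds(('U', p, q)),              # True: q at position 2, p before it
        'G F q': pi.holds(('G', ('F', q))),          # True: q recurs every other step of the cycle
        'F G r': pi.holds(('F', ('G', r))),          # True: r holds throughout the cycle
        'G p': pi.holds(('G', p)),                   # False: p is dropped once the cycle starts
        'q R p': pi.holds(('R', q, p)),              # True: p holds up to and including the first q
        'X X q at 3': pi.holds(('X', ('X', q)), 3),  # False: position 5 carries only r
        'identities': check_equivalences(pi, p, q),  # True
    }
```

The memo is keyed on the canonical position, so each (subformula, suffix) pair is evaluated once; the horizon bound is what makes the infinite quantifiers in the F, G, U and R clauses finite without changing their meaning, because every suffix beyond it is literally the same infinite word as one before it.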

  • Specifying mutual exclusion: the properties to check are safety, liveness, non-blocking and no strict sequencing.

  • Each process is in one of three states: n (in its non-critical section), t (trying to enter its critical section) and c (in its critical section), cycling n → t → c → n. The atomic propositions for process i are ni, ti and ci; c1 and c2 are the critical-section atoms of the two processes.

  • Safety: only one process is in its critical section at any time: G ¬(c1 ∧ c2), checked at the initial state s0.

  • Liveness: whenever a process requests to enter its critical section it eventually does: G(t1 → F c1), checked at s0.

  • Non-blocking: a process in n1 can always request to enter, i.e. reach t1. This asserts the existence of a successor state with t1, which quantifies existentially over paths and therefore cannot be stated in LTL.

  • No strict sequencing: processes need not take turns entering their critical sections; process 1 may enter (c1), leave, and enter again before process 2 enters (c2). In LTL this is the negation of the strict-sequencing property G(c1 → c1 W (¬c1 ∧ ¬c1 W c2)), which says that after every entry to c1 process 1 stays in c1 until it leaves and then does not re-enter before c2. The model admits non-strict sequencing iff some path violates this formula.

  • Tool: NuSMV, the New Symbolic Model Verifier, checks LTL specifications such as the ones above against a finite-state model.

  • Computation Tree Logic (CTL). Syntax: φ ::= ⊥ | ⊤ | p | (¬φ) | (φ ∧ φ) | (φ ∨ φ) | (φ → φ) | AX φ | EX φ | AF φ | EF φ | AG φ | EG φ | A[φ U φ] | E[φ U φ]. Every temporal operator is preceded by a path quantifier, A ("along all paths") or E ("along some path"). The unary operators bind most tightly, so EF AG p parses as EF(AG p) and EF q ∧ p as (EF q) ∧ p. Example formulas: AG(p → E[p U q]), AG(p → EG q).

  • Semantics of CTL, for a model M and state s:
    M, s ⊨ AX φ iff for every s1 with s → s1, M, s1 ⊨ φ;
    M, s ⊨ EX φ iff for some s1 with s → s1, M, s1 ⊨ φ;
    M, s1 ⊨ AG φ iff for every path s1 → s2 → … from s1 and every si on it, M, si ⊨ φ;
    M, s1 ⊨ EG φ iff for some path s1 → s2 → … from s1 and every si on it, M, si ⊨ φ;
    M, s1 ⊨ AF φ iff for every path s1 → s2 → … from s1 there is some si on it with M, si ⊨ φ;
    M, s1 ⊨ EF φ iff for some path s1 → s2 → … from s1 there is some si on it with M, si ⊨ φ;
    M, s1 ⊨ A[φ1 U φ2] iff every path s1 → s2 → … from s1 satisfies φ1 U φ2;
    M, s1 ⊨ E[φ1 U φ2] iff some path s1 → s2 → … from s1 satisfies φ1 U φ2.

  • Pictures of computation trees illustrating EF φ, EG φ, AG φ and AF φ (figures not reproduced).

  • CTL examples on the three-state model: M, s0 ⊨ EX(q ∧ r); M, s0 ⊭ AX(q ∧ r); M, s0 ⊭ EF(p ∧ r); M, s2 ⊨ EG r; M, s0 ⊨ AF r; M, s0 ⊨ E[(p ∧ q) U r]; M, s0 ⊨ A[p U r]; M, s0 ⊨ AG(p ∨ q ∨ r → EF EG r).

  • CTL counterparts of the LTL specifications. EF(started ∧ ¬ready): it is possible to reach a state where started holds but ready does not; in LTL one checks G(started → ready) and reads the same situation off a counterexample.

    AG(requested → AF acknowledged), in LTL G(requested → F acknowledged).

  • AG(AF enabled): enabled holds infinitely often on every path, in LTL G F enabled.

    AF(AG deadlock): on every path the system is eventually permanently deadlocked, in LTL F G deadlock.

  • AG(floor2 ∧ directionup ∧ ButtonPressed5 → A[directionup U floor5]): the lift at floor 2 travelling up with button 5 pressed keeps going up until floor 5, in LTL G(floor2 ∧ directionup ∧ ButtonPressed5 → (directionup U floor5)).

  • The LTL formula G F enabled → G F running has no CTL counterpart: in CTL each temporal operator must carry its own A or E, and AG AF enabled → AG AF running says something different (it relates all paths to all paths instead of each path to itself).

  • Properties expressible in CTL but not in LTL. AG(EF restart): from any state it is possible to get to a restart state.

    AG(floor3 ∧ idle ∧ DoorClosed → EG(floor3 ∧ idle ∧ DoorClosed)): a lift that is idle at floor 3 with its door closed can remain so.

  • Mutual exclusion in CTL: non-blocking is AG(n1 → EX t1).

    No strict sequencing is EF(c1 ∧ E[c1 U (¬c1 ∧ E[¬c2 U c1])]): process 1 is in its critical section, stays there, leaves, and re-enters before process 2 enters; in LTL this is the negation of G(c1 → c1 W (¬c1 ∧ ¬c1 W c2)).

  • CTL equivalences: ¬AF φ ≡ EG ¬φ, ¬EF φ ≡ AG ¬φ, ¬AX φ ≡ EX ¬φ; AF φ ≡ A[⊤ U φ] and EF φ ≡ E[⊤ U φ].

  • Adequate sets for CTL: a set of temporal connectives is adequate iff it contains at least one of {AX, EX}, at least one of {EG, AF, AU}, and EU.

  • LTL versus CTL: (1) CTL can express properties that LTL cannot, and (2) LTL can express properties that CTL cannot, so neither is more expressive than the other. An LTL formula is implicitly quantified over all paths from the state: F p ∧ F q says that on every path p holds eventually and q holds eventually. In CTL each of F, G, X, U must carry its own path quantifier A or E, as in AF p ∧ AF q or AG(p → AF q).

  • CTL* combines both: the temporal operators X, U, F, G may be nested freely and the quantifiers A, E prefix arbitrary path formulas, e.g. A[(p U r) ∨ (q U r)], A[X p ∨ X X p] and E[G F p] (there is a path on which p holds infinitely often).

  • Syntax of CTL*. State formulas: φ ::= ⊤ | p | (¬φ) | (φ ∧ φ) | A[α] | E[α]. Path formulas: α ::= φ | (¬α) | (α ∧ α) | (α U α) | (G α) | (F α) | (X α).

  • LTL is the fragment of CTL* consisting of formulas A[α] in which α contains no A or E. CTL is the fragment in which every temporal operator is immediately preceded by a path quantifier, i.e. path formulas are restricted to α ::= (φ U φ) | (G φ) | (F φ) | (X φ).

  • Example (1): the CTL formula AG EF p, "from any reachable state it is possible to get back to a p-state", has no LTL equivalent. The slide compares a model M with a model M' obtained from M by removing a transition (figures not reproduced): M, s ⊨ AG EF p, but M', s ⊭ AG EF p, because the removed transition was the only way back to p from some reachable state.

  • Suppose some LTL formula ψ had A[ψ] equivalent to AG EF p. From M, s ⊨ AG EF p we get M, s ⊨ A[ψ]. Every path of M' from s is also a path of M, so M', s ⊨ A[ψ], which would give M', s ⊨ AG EF p, a contradiction.

  • Example (2): the LTL formula A[G F p → F q], "if p holds infinitely often then q holds eventually", has no CTL equivalent. Example (3): the CTL* formula E[G F p] is expressible in neither CTL nor LTL. Example (4): AG(p → AF q) in CTL and G(p → F q) in LTL express the same property, that every p is followed by a q.

  • The LTL formula F G p does not correspond to the CTL formula AF AG p. The slide gives a model (figure not reproduced) in which F G p holds at the initial state, since on every path p holds from some point on, while AF AG p fails, since on some path there is no state from which p holds along all continuations.

  • CTL model checking: given a model M = (S, →, L), an initial state s0 ∈ S and a CTL formula φ, decide whether M, s0 ⊨ φ; the output is yes or no. The algorithm computes the set of all states s with M, s ⊨ φ and then checks whether s0 belongs to it.

  • Labelling algorithm for M = (S, →, L) and φ. Step 1: translate φ into the adequate set {¬, ∧, AF, EU, EX} using the equivalences above. Step 2: process the subformulas of φ bottom-up, labelling each state with every subformula it satisfies. Step 3: answer yes iff s0 is labelled with φ.

  • Labelling rules for a subformula ψ:
    ⊥: no state is labelled;
    p: label s iff p ∈ L(s);
    ψ1 ∧ ψ2: label s iff it is already labelled with both ψ1 and ψ2;
    ¬ψ1: label s iff it is not labelled with ψ1;
    AF ψ1: label every state already labelled with ψ1; then repeatedly label any state all of whose successors are labelled with AF ψ1, until there is no change;
    E[ψ1 U ψ2]: label every state already labelled with ψ2; then repeatedly label any state that is labelled with ψ1 and has a successor labelled with E[ψ1 U ψ2], until there is no change;
    EX ψ1: label s iff some successor of s is labelled with ψ1.

  • Example: labelling E[¬c2 U c1] on the mutual-exclusion model. Pass 1: label the states satisfying c1, here s2 and s4. Pass 2: label the ¬c2 states with a successor already labelled, here s1 and s3. Pass 3: label the ¬c2 states with a successor labelled in pass 2, here s0. The iteration stops once a pass labels no new state.

  • Example: checking AG(t1 → AF c1), "whenever process 1 is trying it eventually enters its critical section", at s0. The property fails; the counterexample is the path s0 → s1 → s3 → s7 → s1 → s3 → s7 → …, on which c1 never holds although process 1 keeps trying.
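The labelling algorithm and the mutual-exclusion checks above, as an added example written for this page (it is not the slides' own code nor a tool's). It translates a CTL formula into the adequate set {¬, ∧, EX, EU, AF}, computes the satisfaction sets as least fixed points, records the passes of the E[ψ1 U ψ2] label propagation, and extracts a lasso-shaped counterexample for a failed AF. The eight-state transition system in LABELS and SUCC is my reconstruction of the two-process model (n/t/c per process, states s0 … s7) and should be read as an assumption rather than as the slides' figure; on it, safety holds, liveness fails with the counterexample s0 → s1 → s3 → s7 → s1 → …, and the E[¬c2 U c1] passes label {s2, s4}, then {s1, s3}, then {s0, s5}.

```python
"""CTL model checking by labelling over the adequate set {not, and, EX, EU, AF}.
Added example; LABELS/SUCC are an assumed reconstruction of the slides' two-process
mutual-exclusion model (n = non-critical, t = trying, c = critical), not its figure."""

LABELS = {'s0': {'n1', 'n2'}, 's1': {'t1', 'n2'}, 's2': {'c1', 'n2'}, 's3': {'t1', 't2'},
          's4': {'c1', 't2'}, 's5': {'n1', 't2'}, 's6': {'n1', 'c2'}, 's7': {'t1', 'c2'}}
SUCC = {'s0': {'s1', 's5'}, 's1': {'s2', 's3'}, 's2': {'s0', 's4'}, 's3': {'s4', 's7'},
        's4': {'s5'}, 's5': {'s3', 's6'}, 's6': {'s0', 's7'}, 's7': {'s1'}}

class Model:
    def __init__(self, labels, succ):
        self.S, self.L, self.succ = set(labels), labels, succ
        assert all(succ[s] for s in self.S), "every state needs a successor"
    def pre_exists(self, Y):  # states with some successor in Y
        return {s for s in self.S if self.succ[s] & Y}
    def pre_all(self, Y):     # states all of whose successors lie in Y
        return {s for s in self.S if self.succ[s] <= Y}

def to_adequate(f):
    """Rewrite f using the slides' equivalences so only not/and/EX/EU/AF remain."""
    op, T = f[0], ('true',)
    if op in ('true', 'false', 'p'): return f
    if op in ('not', 'EX', 'AF'): return (op, to_adequate(f[1]))
    if op in ('and', 'EU'): return (op, to_adequate(f[1]), to_adequate(f[2]))
    a = to_adequate(f[1])
    if op == 'or': return ('not', ('and', ('not', a), ('not', to_adequate(f[2]))))
    if op == 'imp': return ('not', ('and', a, ('not', to_adequate(f[2]))))
    if op == 'AX': return ('not', ('EX', ('not', a)))          # AX f = not EX not f
    if op == 'EF': return ('EU', T, a)                          # EF f = E[true U f]
    if op == 'EG': return ('not', ('AF', ('not', a)))           # EG f = not AF not f
    if op == 'AG': return ('not', ('EU', T, ('not', a)))        # AG f = not EF not f
    raise ValueError(op)

def eu_stages(M, A, B):
    """Labelling passes for E[a U b] given [[a]] = A and [[b]] = B: the set of
    states newly labelled in each pass, the way the slides step through them."""
    Y, stages = set(B), [set(B)]
    while True:
        new = (A & M.pre_exists(Y)) - Y
        if not new:
            return stages
        stages.append(new)
        Y |= new

def sat(M, f):
    """States of M satisfying f, for f in the adequate set (bottom-up labelling)."""
    op = f[0]
    if op == 'true': return set(M.S)
    if op == 'false': return set()
    if op == 'p': return {s for s in M.S if f[1] in M.L[s]}
    if op == 'not': return M.S - sat(M, f[1])
    if op == 'and': return sat(M, f[1]) & sat(M, f[2])
    if op == 'EX': return M.pre_exists(sat(M, f[1]))
    if op == 'EU': return set().union(*eu_stages(M, sat(M, f[1]), sat(M, f[2])))
    if op == 'AF':  # least fixed point: add states all of whose successors are labelled
        Y = sat(M, f[1])
        while True:
            Z = Y | M.pre_all(Y)
            if Z == Y: return Y
            Y = Z
    raise ValueError(op)

def check(M, s0, f):
    """M, s0 |= f ?"""
    return s0 in sat(M, to_adequate(f))

def eg_witness(M, start, Y):
    """A lasso (prefix, cycle) from start that stays inside Y forever: a witness for
    EG over Y and hence a counterexample for AF of Y's complement; None if absent."""
    stack, index, seen = [], {}, {start}
    def dfs(s):
        index[s] = len(stack)
        stack.append(s)
        for t in sorted(M.succ[s] & Y):
            if t in index:                       # closed a cycle inside Y
                return stack[:index[t]], stack[index[t]:]
            if t not in seen:
                seen.add(t)
                found = dfs(t)
                if found:
                    return found
        stack.pop()
        del index[s]
        return None
    return dfs(start) if start in Y else None

def demo():
    M = Model(LABELS, SUCC)
    c1, c2, t1, n1 = ('p', 'c1'), ('p', 'c2'), ('p', 't1'), ('p', 'n1')
    return {
        'safety': check(M, 's0', ('AG', ('not', ('and', c1, c2)))),       # True
        'liveness': check(M, 's0', ('AG', ('imp', t1, ('AF', c1)))),      # False
        'non-blocking': check(M, 's0', ('AG', ('imp', n1, ('EX', t1)))),  # True
        'EU stages': eu_stages(M, sat(M, ('not', c2)), sat(M, c1)),
        'counterexample': eg_witness(M, 's0', sat(M, ('not', c1))),
    }
```

The two fixed-point loops are the rules of the labelling algorithm stated as set operations: AF adds the pre_all image until stable, EU adds the pre_exists image intersected with the left operand until stable. Because the model is finite and both loops only grow the set, they terminate; the counterexample search then only has to find a cycle inside the complement of AF c1, which is exactly the path the slide reports.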

  • Weak fairness: a specified set of transitions cannot be enabled forever without being taken. Strong (Streett) fairness: a specified set of transitions cannot be enabled infinitely often without being taken.

  • Weak fairness is sufficient for asynchronous models (no process waits forever if it can move). Strong fairness is necessary for modelling synchronous interaction (rendezvous).

  • Fairness for the mutual-exclusion model is stated with G F formulas over the critical-section atoms, e.g. G F ¬c2: process 2 leaves its critical section infinitely often, so it cannot starve process 1 by staying in c2 forever.

  • LTL model checking differs from CTL model checking: (1) the CTL algorithm computes the set of states satisfying the formula; (2) for LTL, M, s ⊨ φ holds iff every path from s satisfies φ, so the algorithm must reason about paths rather than individual states.

  • Running example: a model M = (S, →, L) over the atoms {a, b}, a state s, and the formula φ = ¬(a U b) (the model's figure is not reproduced). A path such as s3, s4, s3, s2, s2, … induces a trace, the sequence of label sets of its states, written on the slide as ab, ab, ab, ab, ab, …; LTL formulas are evaluated on traces.

  • Method: to check M, s ⊨ φ, build an automaton A for ¬φ (here A accepts exactly the traces satisfying ¬(a U b)), combine it with M, and search for a path of M from s that A accepts. Such a path is a counterexample to φ; if none exists, M, s ⊨ φ.

  • Step 1: the closure C(φ) of φ consists of the subformulas of φ and their negations, identifying ¬¬ψ with ψ, together with X applied to the until subformulas: C(a U b) = {a, ¬a, b, ¬b, (a U b), ¬(a U b), X(a U b), ¬X(a U b)}.

  • Step 2: the states of A are the maximal consistent subsets q of C(φ): a) for each ψ ∈ C(φ), exactly one of ψ and ¬ψ is in q; b) ψ1 ∧ ψ2 ∈ q iff ψ1 ∈ q and ψ2 ∈ q; c) ψ1 ∨ ψ2 ∈ q iff ψ1 ∈ q or ψ2 ∈ q; d) if ψ1 U ψ2 ∈ q then ψ1 ∈ q or ψ2 ∈ q; e) if ¬(ψ1 U ψ2) ∈ q then ¬ψ2 ∈ q.

  • Step 3: there is a transition q → q' iff the unfolding ψ1 U ψ2 ≡ ψ2 ∨ (ψ1 ∧ X(ψ1 U ψ2)) is respected: a) if ψ1 U ψ2 ∈ q and ψ2 ∉ q then ψ1 U ψ2 ∈ q'; b) if ¬(ψ1 U ψ2) ∈ q and ψ1 ∈ q then ¬(ψ1 U ψ2) ∈ q'; c) and d) restate the same two conditions in terms of X(ψ1 U ψ2) and ¬X(ψ1 U ψ2), since in general X ψ ∈ q iff ψ ∈ q'.

  • Step 4: the initial states of A are those containing ¬φ; here ¬(a U b) ∈ q, so a U b is absent. Acceptance: a run may not postpone an until forever; whenever ψ1 U ψ2 belongs to a state of the run, ψ2 must belong to some later state. For ¬(a U b) the accepted traces are those on which b is never reached while a still holds, e.g. the trace of s3, s3, … when its states satisfy a but not b.

  • Step 5: form the product of M and A, pairing each state s of M with the automaton states q whose atoms agree with L(s), and search the product for an accepting path that starts at (s, q) with q initial.

  • Result: answer yes (M, s ⊨ φ) if no accepting path exists; answer no if one does, and report that path as the counterexample. The slide examines the candidate paths s3, (s4, s3,), s2, s2, … and s3, s4, (s3, s4,), s3, s1, s2, s2, … of its model for the formula a U b.

  • Summary of LTL model checking for M = (S, →, L), state s and formula φ: 1) construct the automaton A for ¬φ; 2) form the product of A with M; 3) search for an accepting path from s, answering yes if there is none and no, with the path as counterexample, otherwise.