Symbolic Model CheckingRevision Slides

Dr. Eng. Amr T. Abdel-Hamid

NETW 703

Winter 2012

Netw

ork P

roto

cols

Slides based on slides of:• Jim Kurose, Keith Ross, “Computer Networking: A Top Down Approach Featuring the Internet”, 2nd edition, Addison-Wesley, July 2002.

•Jiangchuan (JC) Liu , Assistant Professor, SFU & others

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Functionals

Now, we can think of all temporal operators also as functions from sets of states to sets of states

For example:

or if we use the set notationAX p = (S - EX(S - p)) Logic Set

p q p qp q p q p S – pFalse True S

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Fixpoint Characterizations

Fixpoint Characterization Equivalences

AG p = y . p AX y AG p = p AX AG p

EG p = y . p EX y EG p = p EX EG p

AF p = y . p AX y AF p = p AX AF p

EF p = y . p EX y EF p = p EX EF p

A(pUq) = y . q A (p X (y)) A(pUq)=q (p AX (p AU q))

E(pUq) = y . q E (p X (y)) E(pUq) = q (p EX (p EU q))

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EF Fixpoint Computation

EF p = y . p EX y is the limit of the sequence:

, pEX , pEX(pEX ) , pEX(pEX(p EX )) , ...

which is equivalent to

, p, p EX p , p EX (p EX (p) ) , ...

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EF Fixpoint Computation

s2s1 s4s3p

p

Start

1st iterationpEX = {s1,s4} EX()= {s1,s4} ={s1,s4}

2nd iterationpEX(pEX ) = {s1,s4} EX({s1,s4})= {s1,s4} {s3}={s1,s3,s4}

3rd iterationpEX(pEX(p EX )) = {s1,s4} EX({s1,s3,s4})= {s1,s4} {s2,s3,s4}={s1,s2,s3,s4}

4th iterationpEX(pEX(pEX(p EX ))) = {s1,s4} EX({s1,s2,s3,s4})= {s1,s4} {s1,s2,s3,s4} = {s1,s2,s3,s4}

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EF Fixpoint Computation

• • •• • •pp

EF(p)EF(p) states that can reach p states that can reach p p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ... ...

EF(p)EF(p)

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Greatest Fixpoint

Given a monotonic function F, its greatest fixpoint is the least upper bound (lub) of all the extensive elements:

y. F y = { y | F y y }

The greatest fixpoint y . F y is the limit of the following sequence (assuming F is -continuous):

S, F S, F2 S, F3 S, ...

If S is finite, then we can compute the greatest fixpoint using the above sequence

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EG Fixpoint Computation

Similarly, EG p = y . p EX y is the limit of the sequence:

S, pEX S, pEX(p EX S) , pEX(p EX (p EX S)) , ...

which is equivalent to

S, p, p EX p , p EX (p EX (p) ) , ...

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EG Fixpoint Computation

s2s1 s4s3

p p

p

StartS = {s1,s2,s3,s4}

1st iterationpEX S = {s1,s3,s4}EX({s1,s2,s3,s4})= {s1,s3,s4}{s1,s2,s3,s4}={s1,s3,s4}

2nd iterationpEX(pEX S) = {s1,s3,s4}EX({s1,s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}

3rd iterationpEX(pEX(pEX S)) = {s1,s3,s4}EX({s3,s4})= {s1,s3,s4}{s2,s3,s4}={s3,s4}

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

EG Fixpoint Computation

• • •• • • EG(p)EG(p)

EG(p) EG(p) states that can avoid reaching states that can avoid reaching pp p p EX(p) EX(p) EX(EX(p)) EX(EX(p)) ......

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Example

11/80

1 2 3 4

56

a,b c b,c a

d c

For the FSM below, formally check the following properties, using Fixpoint Theorm:• AG(a ∨c ∨b)• AF(ab)If failed show the subset of the design the property holds for as well as the counter example

S = {1,2,3,4,5,6}, AP = {a,b,c,d},R = {(1,2), (1,3),(2,3), (3,4), (4,4), (4,5), (5,2), (2,6), (6,1)}L(1) = {a,b}, L(2) = {c}, L(3) = {b,c}, L(4) = {a}, L(5) = {c}, L(6) = {d}

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Example (cont.) Remember that:

H(a ∪ b) = H(a) H(b) H(c) ={1,4} {2,3,5} {1,3} = {1,2,3,4,5}∪ ∪ ∪ ∪ AG(a c b) = AG p = ∨ ∨ y . p AX y = y . p AX y AX p = EX(p)

I0 S = {1,2,3,4,5,6} I1 {1,2,3,4,5} ∩ S = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,2,3,4,5} I2 {1,2,3,4,5} ∩ AX(1,2,3,4,5) = {1,2,3,4,5} ∩ {1,3,4,5,6} = {1,3,4,5}

This is because that : AX(1,2,3,4,5) = EX((1,2,3,4,5)) = EX(6) = (2) = S- {2 } = {1,3,4,5,6}

I3 {1,2,3,4,5} ∩ AX(1,3,4,5) = {1,3,4,5} This is because that : AX(1,3,4,5) = EX((1,3,4,5)) = ****

I3 = I2 H(AG(a b c)) = {1,3,4,5} ∨ ∨ The property does not hold, except for the above states, and it is clear that

states {2,6} can be considered as counter examples. state 6 does not contain neither a,c,b and state 2 does not have a

proceeding one on one of its pathes path (2,6)

12/80

Dr. A

mr

Tala

at

Netw 703

Netw

ork P

roto

cols

Example (AF(ab))

13/80