Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM CHARME 2003
CTL May Be Ambiguous when Model Checking Moore Machines
Cédric Roux and Emmanuelle Encrenaz
Université Pierre et Marie Curie, Laboratoire d'Informatique de Paris 6, Architecture des Systèmes Intégrés et Microélectronique

Modeling versus Verification
Modeling world: Moore or Mealy machines
Verification world: Kripke structures
Translation

From Moore to Kripke
First translation scheme
[Figure: Moore machine diagram, labels i]
Remove the input signals
Simple
Impossible to express properties including input signals

From Moore to Kripke
Second translation scheme
[Figure: structure with states a, b, c, d, e, f, g and labels i; structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1]
Input signals into target state of transitions
Composition of Moore machines lost

From Moore to Kripke
Third translation scheme
[Figure: structure with states a, b, c, d, e, f, g and labels i; structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1]
Input signals into source state of transitions
We can compose Moore machines
This may introduce ambiguities when using CTL

Possible CTL ambiguities
Checking the property AX EX p
[Figure: the structure with states a, b, c, d, e, f, g (labels i) and the structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1; captions in turn: states verifying p, states verifying EX p, states verifying AX EX p]
«AX EX p does not have the same truth value in both structures»

Possible CTL ambiguities
A first ambiguity
[Figure: both structures; captions: states verifying EX p, states verifying E_i EX p]
States b0 and b1 should verify EX p, as state b does
We introduce E_i to remove this ambiguity

Possible CTL ambiguities
A second ambiguity
[Figure: both structures; captions: states verifying AX EX p, states verifying A_i AX E_i EX p]
b0 (and b1) should not verify AX EX p, and a0 and a1 should
We introduce A_i to remove this ambiguity

Possible CTL ambiguities
Checking the property A_i AX E_i EX p
[Figure: the structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1; captions in turn: states verifying p, states verifying E_i EX p, states verifying A_i AX E_i EX p]

Possible CTL ambiguities
Comparison with AX EX p
[Figure: both structures side by side; captions: states verifying A_i AX E_i EX p, states verifying AX EX p]
The ambiguities have been removed

iCTL
Extends CTL with A_i and E_i
More expressive than CTL
Easily integrable in a symbolic model-checker (univ_abstract, exist_abstract)
Applicable to Mealy machines
A_i and E_i are not relevant for LTL
A_i AX and E_i EX seem similar to [ ] and < > of the mu-calculus
but what about A_i EX?
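
The ambiguity and its iCTL fix, worked through on a small machine as an added example (not taken from the slides or from the authors' tool): it builds the first and third translation schemes, evaluates AX EX p on both, then evaluates A_i AX E_i EX p on the third. The four-state machine is constructed for illustration, and reading A_i and E_i as universal and existential abstraction of the input component of a state is an assumption based on the univ_abstract/exist_abstract remark.

```python
from itertools import product

# Constructed Moore machine for illustration (not the one drawn on the slides).
INPUTS = (0, 1)
DELTA = {("a", 0): "b", ("a", 1): "b", ("b", 0): "d", ("b", 1): "c",
         ("c", 0): "c", ("c", 1): "a", ("d", 0): "d", ("d", 1): "d"}
STATES = sorted({s for s, _ in DELTA})
P_STATES = {"d"}  # Moore states whose output satisfies p

def kripke_no_inputs():
    """First scheme: drop the inputs, keep s -> delta(s, i) for every i."""
    succ = {s: {DELTA[s, i] for i in INPUTS} for s in STATES}
    return succ, set(P_STATES)

def kripke_input_in_source():
    """Third scheme: Kripke state (s, i) means 'in s, reading input i'."""
    succ = {(s, i): {(DELTA[s, i], j) for j in INPUTS}
            for s, i in product(STATES, INPUTS)}
    return succ, {(s, i) for s in P_STATES for i in INPUTS}

def EX(succ, target):
    return {q for q, nxt in succ.items() if nxt & target}

def AX(succ, target):
    return {q for q, nxt in succ.items() if nxt <= target}

def E_i(target):
    """Assumed semantics: (s, i) holds if some input j puts (s, j) in target."""
    return {(s, i) for s, i in product(STATES, INPUTS)
            if any((s, j) in target for j in INPUTS)}

def A_i(target):
    """Assumed semantics: (s, i) holds if every input j puts (s, j) in target."""
    return {(s, i) for s, i in product(STATES, INPUTS)
            if all((s, j) in target for j in INPUTS)}

def compare():
    """Return (AX EX p on scheme 1, AX EX p on scheme 3, iCTL on scheme 3)."""
    k1, p1 = kripke_no_inputs()
    k3, p3 = kripke_input_in_source()
    return (AX(k1, EX(k1, p1)),
            AX(k3, EX(k3, p3)),
            A_i(AX(k3, E_i(EX(k3, p3)))))

if __name__ == "__main__":
    labels = ("AX EX p, inputs removed", "AX EX p, input in source state",
              "A_i AX E_i EX p, input in source state")
    for label, result in zip(labels, compare()):
        print(f"{label}: {sorted(result)}")
```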