CTL May Be Ambiguous when Model Checking Moore Machines - Sed

CHARME 2003. From Moore to Kripke. Third translation scheme. Input signals into source state of transitions. 5 a0 a1 b0 b1 c0 c1 d0 d1 e0 e1 f0 f1 g0 g1 ...
Télécharger le PDF
327KB taille 1 téléchargements 366 vues
commentaire
Report
CTL May Be Ambiguous when Model Checking Moore Machines Cédric Roux and Emmanuelle Encrenaz Université Pierre et Marie Curie Laboratoire d’Informatique de Paris 6 Architecture des Systèmes Intégrés et Micro−électronique Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

Modeling versus Verification

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

Modeling versus Verification

Modeling world

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

Modeling versus Verification

Modeling world Moore or Mealy machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

Modeling versus Verification

Verification world

Modeling world Moore or Mealy machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

Modeling versus Verification

Verification world Kripke structures

Modeling world Moore or Mealy machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

Modeling versus Verification

Verification world Kripke structures

Tr

an

sla

tio

n

Modeling world Moore or Mealy machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

1

From Moore to Kripke

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

2

From Moore to Kripke

i

i

i

i

i

i

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

2

From Moore to Kripke First translation scheme

i

i

i

i

i

i

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

3

From Moore to Kripke First translation scheme Remove the input signals

i

i

i

i

i

i

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

3

From Moore to Kripke First translation scheme Remove the input signals

i

i

i

i

i

i

Simple

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

3

From Moore to Kripke First translation scheme Remove the input signals

i

i

i

i

i

i

Simple Impossible to express properties including input signals

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

3

From Moore to Kripke Second translation scheme

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

4

From Moore to Kripke Second translation scheme Input signals into target state of transitions

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

4

From Moore to Kripke Second translation scheme Input signals into target state of transitions

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

Composition of Moore machines lost

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

4

From Moore to Kripke Third translation scheme

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

5

From Moore to Kripke Third translation scheme Input signals into source state of transitions

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

5

From Moore to Kripke Third translation scheme Input signals into source state of transitions

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

We can compose Moore machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

5

From Moore to Kripke Third translation scheme Input signals into source state of transitions

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

We can compose Moore machines This may introduce ambiguities when using CTL

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

5

Possible CTL ambiguities

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p states verifying p

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p states verifying EX p

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p states verifying AX EX p

a i

i

b

c

i

i

i

i

d

e

f

g

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities Checking the property AX EX p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

6

Possible CTL ambiguities Checking the property AX EX p states verifying p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

6

Possible CTL ambiguities Checking the property AX EX p states verifying EX p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

6

Possible CTL ambiguities Checking the property AX EX p states verifying AX EX p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

6

Possible CTL ambiguities Checking the property AX EX p states verifying AX EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

6

Possible CTL ambiguities Checking the property AX EX p states verifying AX EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

«AX EX p does not have the same truth value in both structures»

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

6

Possible CTL ambiguities A first ambiguity

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

7

Possible CTL ambiguities A first ambiguity states verifying EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

7

Possible CTL ambiguities A first ambiguity states verifying EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

States b0 and b1 should verify EX p, as state b does

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

7

Possible CTL ambiguities A first ambiguity states verifying EX p

E

states verifying

i EX p a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

States b0 and b1 should verify EX p, as state b does E

We introduce

i to remove this ambiguity

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

7

Possible CTL ambiguities A second ambiguity

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

8

Possible CTL ambiguities A second ambiguity states verifying AX EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

8

Possible CTL ambiguities A second ambiguity states verifying AX EX p

a0

a i

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

b0 (and b1) should not verify AX EX p, and a0 and a1 should

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

8

Possible CTL ambiguities A second ambiguity states verifying AX EX p

a0

a i

A

states verifying

i AX EX p

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

b0 (and b1) should not verify AX EX p, and a0 and a1 should A

We introduce

i to remove this ambiguity

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

8

Possible CTL ambiguities E

A

Checking the property

i AX i EX p

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

9

Possible CTL ambiguities E

A

Checking the property

i AX i EX p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

9

Possible CTL ambiguities E

A

Checking the property

i AX i EX p

states verifying p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

9

Possible CTL ambiguities A

i AX i EX p

E

states verifying

E

Checking the property

i EX p

a0

b0

d0

d1

a1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

9

Possible CTL ambiguities E

A

i AX i EX p

a0

b0

d0

d1

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

i AX i EX p

a1

b1

e0

A

states verifying

E

Checking the property

f0

c1

f1

CHARME 2003

g0

g1

9

Possible CTL ambiguities Comparison with AX EX p

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

10

Possible CTL ambiguities Comparison with AX EX p

a0

a i

A

states verifying

E

states verifying AX EX p

i AX i EX p

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

c0

e1

f0

c1

f1

CHARME 2003

g0

g1

10

Possible CTL ambiguities Comparison with AX EX p

a0

a i

A

states verifying

E

states verifying AX EX p

i AX i EX p

a1

i

b

c

i

i

i

i

d

e

f

g

b0

d0

d1

b1

e0

c0

e1

f0

c1

f1

g0

g1

The ambiguities have been removed

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

10

iCTL

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL Easily integrable in a symbolic model−checker (univ_abstract, exist_abstract)

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL Easily integrable in a symbolic model−checker (univ_abstract, exist_abstract) Applicable to Mealy machines

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL Easily integrable in a symbolic model−checker (univ_abstract, exist_abstract) Applicable to Mealy machines E

A

i and i are not relevant for LTL

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL Easily integrable in a symbolic model−checker (univ_abstract, exist_abstract) Applicable to Mealy machines E

A

i and i are not relevant for LTL E

A

i AX and

i EX seem similar to [ * ] and < * > of the mu−calculus

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

iCTL A

i and

E

Extends CTL with

i

More expressive than CTL Easily integrable in a symbolic model−checker (univ_abstract, exist_abstract) Applicable to Mealy machines E

A

i and i are not relevant for LTL E

i EX seem similar to [ * ] and < * > of the mu−calculus

but what about

A

A

i AX and

i EX ?

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003

11

Thank you

Cédric Roux and Emmanuelle Encrenaz − UPMC LIP6 ASIM

CHARME 2003