CTL May Be Ambiguous when Model Checking Moore Machines
Cédric Roux and Emmanuelle Encrenaz
Université Pierre et Marie Curie, Laboratoire d’Informatique de Paris 6, Architecture des Systèmes Intégrés et Micro-électronique (UPMC LIP6 ASIM)
CHARME 2003

Modeling versus Verification
Verification world: Kripke structures
Translation
Modeling world: Moore or Mealy machines

From Moore to Kripke
[Figure: state diagram with six transitions, each labelled with the input signal i]

From Moore to Kripke
First translation scheme
Remove the input signals
Simple
Impossible to express properties including input signals

From Moore to Kripke
Second translation scheme
Input signals into target state of transitions
[Figure: Moore machine with states a, b, c, d, e, f, g and transitions labelled i, and the Kripke structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1]
Composition of Moore machines lost

From Moore to Kripke
Third translation scheme
Input signals into source state of transitions
[Figure: Moore machine with states a, b, c, d, e, f, g and transitions labelled i, and the Kripke structure with states a0, a1, b0, b1, c0, c1, d0, d1, e0, e1, f0, f1, g0, g1]
We can compose Moore machines
This may introduce ambiguities when using CTL

Possible CTL ambiguities
Checking the property AX EX p
[Figure: the Moore machine (states a to g) and the Kripke structure (states a0 to g1), with legends "states verifying p", "states verifying EX p" and "states verifying AX EX p"]
«AX EX p does not have the same truth value in both structures»

Possible CTL ambiguities
A first ambiguity
[Figure: the Moore machine (states a to g) and the Kripke structure (states a0 to g1), with legends "states verifying EX p" and "states verifying E_i EX p"]
States b0 and b1 should verify EX p, as state b does
We introduce E_i to remove this ambiguity

Possible CTL ambiguities
A second ambiguity
[Figure: the Moore machine (states a to g) and the Kripke structure (states a0 to g1), with legends "states verifying AX EX p" and "states verifying A_i AX EX p"]
b0 (and b1) should not verify AX EX p, and a0 and a1 should
We introduce A_i to remove this ambiguity

Possible CTL ambiguities
Checking the property A_i AX E_i EX p
[Figure: the Kripke structure (states a0 to g1), with legends "states verifying p", "states verifying E_i EX p" and "states verifying A_i AX E_i EX p"]

Possible CTL ambiguities
Comparison with AX EX p
[Figure: the Moore machine (states a to g) and the Kripke structure (states a0 to g1), with legends "states verifying AX EX p" and "states verifying A_i AX E_i EX p"]
The ambiguities have been removed
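
The two ambiguities and their repair, replayed on a small machine as an added example that is not taken from the slides or the authors' tool. Assumptions: the seven-state tree with self-looping leaves, the choice of p, and the reading of E_i and A_i as existential and universal abstraction over the input stored in the Kripke state.

```python
# Added example: constructed Moore machine, not the one drawn on the slides.
INPUTS = (0, 1)
# delta[state][input]; the leaves d..g self-loop (assumption).
DELTA = {"a": ("b", "c"), "b": ("d", "e"), "c": ("f", "g"),
         **{s: (s, s) for s in "defg"}}
P = {"d", "g"}  # constructed: Moore states whose output satisfies p

# --- CTL read directly on the Moore machine ---
def moore_ex(sat):
    return {s for s in DELTA if any(DELTA[s][i] in sat for i in INPUTS)}

def moore_ax(sat):
    return {s for s in DELTA if all(DELTA[s][i] in sat for i in INPUTS)}

# --- Third translation scheme: the input is stored in the source state ---
K_STATES = {(s, i) for s in DELTA for i in INPUTS}

def succ(k):
    s, i = k
    return {(DELTA[s][i], j) for j in INPUTS}

def ex(sat):
    return {k for k in K_STATES if succ(k) & sat}

def ax(sat):
    return {k for k in K_STATES if succ(k) <= sat}

# --- Input quantifiers (assumed semantics: abstraction over the input) ---
def e_i(sat):  # existential abstraction of the input component
    return {(s, i) for (s, i) in K_STATES if any((s, j) in sat for j in INPUTS)}

def a_i(sat):  # universal abstraction of the input component
    return {(s, i) for (s, i) in K_STATES if all((s, j) in sat for j in INPUTS)}

def lift(moore_sat):
    """Kripke states whose Moore component lies in moore_sat."""
    return {(s, i) for (s, i) in K_STATES if s in moore_sat}

def names(sat):
    return sorted(f"{s}{i}" for s, i in sat)

if __name__ == "__main__":
    kp = lift(P)
    print("Moore  EX p            :", sorted(moore_ex(P)))
    print("Kripke EX p            :", names(ex(kp)))       # b1 is missing
    print("Kripke E_i EX p        :", names(e_i(ex(kp))))
    print("Moore  AX EX p         :", sorted(moore_ax(moore_ex(P))))
    print("Kripke AX EX p         :", names(ax(ex(kp))))    # b0 in, a0/a1 out
    print("Kripke A_i AX E_i EX p :", names(a_i(ax(e_i(ex(kp))))))
```

On this machine plain EX p holds in b0 but not b1, and plain AX EX p holds in b0 but not in a0 or a1; the quantified formula selects exactly the Kripke copies of the Moore states that verify AX EX p.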

iCTL
Extends CTL with A_i and E_i
More expressive than CTL
Easily integrable in a symbolic model-checker (univ_abstract, exist_abstract)
Applicable to Mealy machines
A_i and E_i are not relevant for LTL
A_i AX and E_i EX seem similar to [ * ] and < * > of the mu-calculus
but what about A_i EX ?

Thank you