Supervisory Control (4CM30) · 3/31/2017 · mCRL2. Step 4: Verify property in mCRL2 1.apply...
47
Transcript of Supervisory Control (4CM30) · 3/31/2017 · mCRL2. Step 4: Verify property in mCRL2 1.apply...
Supervisory Control (4CM30)Verification in mCRL2
Michel Reniers
2016-2017
Verification in mCRL2
MCIF |= φCIF iff MmCRL2 |= φmCRL2
1. Adapt CIF model
2. Formulate property in modal µ-calculus
3. Translate CIF model into mCRL2
4. Verify property in mCRL2
Example: check supermarket model for property whether it ispossible that queue 1 contains three customers
Example: supermarket
1 controllable q1enter , q1leave , q2enter , q2leave;
23 plant queue1:
4 disc int [0..5] count = 0;
5 location l0:
6 initial;
7 marked;
8 edge q1enter when count < 5 do count := count + 1;
9 edge q1leave when count > 0 do count := count - 1;
10 end
1112 plant queue2:
13 disc int [0..5] count = 0;
14 location l0:
15 initial;
16 marked;
17 edge q2enter when count < 5 do count := count + 1;
18 edge q2leave when count > 0 do count := count - 1;
19 end
2021 plant customer:
22 location l0:
23 initial;
24 marked;
25 edge q1enter when queue1.count <= queue2.count;
26 edge q2enter when queue2.count <= queue1.count;
27 end
2829 requirement invariant queue1.count < 3;
3031 requirement q2enter needs queue2.count < 3;
Step 1: Adapt CIF model
I Explicitly introduce Boolean location variables (usingelim-locs-in-exprs)
I Remove event conditions (using elim-state-evt-excl-inv)
I Remove invariants manually
I Add self-loop location events (if needed for property)
I Add self-loop marked state events (if needed for property)
Example
I Remove event condition1 requirement q2enter needs queue2.count < 3;
is replaced by
1 requirement automaton RequirementStateEvtExcls:
2 location:
3 initial;
4 marked;
5 edge q2enter when queue2.count < 3;
6 end
I Remove invariant manually
1 requirement invariant queue1.count < 3;
is replaced by (adapted copy of involved plant(s))
1 requirement automaton RequirementInvariant:
2 location l0:
3 initial;
4 marked;
5 edge q1enter when queue1.count < 2;
6 edge q1leave when queue1.count < 4;
7 end
Step 2: Formulate property in modal µ-calculus
I use location events and marked state events
I use variable value events to refer to values of variables
I mCRL2 syntax for modal µ-calculus propertieshttp://mcrl2.org/web/user_manual/language_
reference/mucalc.html
I file with extension mcf
Example
I property of interest: is it possible that queue 1 contains threecustomers
〈true∗〉queue1.count=3
I find right event representing the variable: value count
〈true∗〉〈value count(3)〉true
I mCRL2 syntax
1 <true*> <value_count (3)> true
Step 3: Translate CIF model to mCRL2
I translation in CIF tool has irritating mistakes
I use tooldef with name fix mcrl2 output.tooldef2 withname of CIF file to be processed in line 3
1 from "lib:cif3" import *;
2
3 string base_name = "xxx";
4 string cif_file = base_name + ".cif";
5 ...
I results in file with name xxx-fixed.mcrl2 to be used bymCRL2
Step 4: Verify property in mCRL2
1. apply mcrl22lps on the mCRL2 file with the optionno-alpha checked!
2. apply lps2pbes on the lps file and the mcf file with theproperty. The result is a file with extension pbes.
3. apply ps2bool on this pbes file.
Supervisory Control (4CM30)Modal µ-calculus & data
Michel Reniers
2016-2017
Even more expressivity ...
I there are still properties we cannot expressI all behaviour inevitably reaches a state where a formula φ holdsI there is some behaviour where the formula φ holds everywhere
I formulating properties using the modal µ-calculus requiresexperience.
φ ::= true | false | ¬φ | φ ∧ φ | φ ∨ φ | φ→ φ |〈a〉φ | [a]φ | µX.φ | νX.φ | X
I Hennessy-Milner logic is included
I action formulas can be translated (as HML is included)
I regular formulas can be translated (explained later)
Fixed points in mathematics
I in mathematics: x is fixed point of function f if x = f(x)
I example: 3 is fixed point of function f with f(x) = x2 − 2x
I function may have multiple fixed points
I fixed point is solution of an equation withunknow(s)/variable(s): x = x2 − 2x
Fixed points in modal µ-calculus
Given a transition system with state space S, a modal µ-calculusformula φ represents a subset of S for which it holds.
Consider the equation X = 〈a〉true.
I 〈a〉true represents the set of states where it holds
I set of all states from which an a-labelled transition starts isthe solution
I unique solution (independent of X)
aa
b
Fixed points in modal µ-calculus
Given a transition system with state space S, a modal µ-calculusformula φ represents a subset of S for which it holds.
Consider the equation X = 〈a〉true.
I 〈a〉true represents the set of states where it holds
I set of all states from which an a-labelled transition starts isthe solution
I unique solution (independent of X)
aa
b
Fixed points in modal µ-calculus
Given a transition system with state space S, a modal µ-calculusformula φ represents a subset of S for which it holds.
Consider the equation X = 〈a〉true.
I 〈a〉true represents the set of states where it holds
I set of all states from which an a-labelled transition starts isthe solution
I unique solution (independent of X)
aa
b
Fixed points in modal µ-calculus
Given a transition system with state space S, a modal µ-calculusformula φ represents a subset of S for which it holds.
Consider the equation X = 〈a〉true.
I 〈a〉true represents the set of states where it holds
I set of all states from which an a-labelled transition starts isthe solution
I unique solution (independent of X)
aa
b
Consider the equation X = 〈a〉X:
s a
I What is the solution?
I There are only two candidates: X = ∅ or X = S = {s}I What is meaning of 〈a〉X? It is the set of states that can
execute a and end up in the set represented by X
I So 〈a〉∅ = ∅ and 〈a〉S = S
I so both are a solution to the equation
Consider the equation X = 〈a〉X:
s a
I What is the solution?
I There are only two candidates: X = ∅ or X = S = {s}
I What is meaning of 〈a〉X? It is the set of states that canexecute a and end up in the set represented by X
I So 〈a〉∅ = ∅ and 〈a〉S = S
I so both are a solution to the equation
Consider the equation X = 〈a〉X:
s a
I What is the solution?
I There are only two candidates: X = ∅ or X = S = {s}I What is meaning of 〈a〉X? It is the set of states that can
execute a and end up in the set represented by X
I So 〈a〉∅ = ∅ and 〈a〉S = S
I so both are a solution to the equation
Consider the equation X = 〈a〉X:
s a
I What is the solution?
I There are only two candidates: X = ∅ or X = S = {s}I What is meaning of 〈a〉X? It is the set of states that can
execute a and end up in the set represented by X
I So 〈a〉∅ = ∅ and 〈a〉S = S
I so both are a solution to the equation
Consider the equation X = 〈a〉X:
s a
I What is the solution?
I There are only two candidates: X = ∅ or X = S = {s}I What is meaning of 〈a〉X? It is the set of states that can
execute a and end up in the set represented by X
I So 〈a〉∅ = ∅ and 〈a〉S = S
I so both are a solution to the equation
Minimal and maximal solutions
Consider the equation X = 〈a〉X:
s a
I µX.φ denotes the minimal solution for the equation X = φ
I µX.〈a〉X holds for no states since the minimal fixed point ofthe equation X = 〈a〉X is ∅
I νX.φ denotes the maximal solution
I µX.〈a〉X holds for aa states since the maximal fixed point ofthe equation X = 〈a〉X is {s}
Minimal and maximal solutions
Consider the equation X = 〈a〉X:
s a
I µX.φ denotes the minimal solution for the equation X = φ
I µX.〈a〉X holds for no states since the minimal fixed point ofthe equation X = 〈a〉X is ∅
I νX.φ denotes the maximal solution
I µX.〈a〉X holds for aa states since the maximal fixed point ofthe equation X = 〈a〉X is {s}
Minimal and maximal solutions
Consider the equation X = 〈a〉X:
s a
I µX.φ denotes the minimal solution for the equation X = φ
I µX.〈a〉X holds for no states since the minimal fixed point ofthe equation X = 〈a〉X is ∅
I νX.φ denotes the maximal solution
I µX.〈a〉X holds for aa states since the maximal fixed point ofthe equation X = 〈a〉X is {s}
Minimal and maximal solutions
Consider the equation X = 〈a〉X:
s a
I µX.φ denotes the minimal solution for the equation X = φ
I µX.〈a〉X holds for no states since the minimal fixed point ofthe equation X = 〈a〉X is ∅
I νX.φ denotes the maximal solution
I µX.〈a〉X holds for aa states since the maximal fixed point ofthe equation X = 〈a〉X is {s}
Safety properties
I Nothing bad may happen
I Assume that φ characterises good states
I µX.[true]φ expresses safety
I [true∗]φ also expresses safety
Liveness
I Something good can happen
I Assume that phi characterises the good thing
I νX.〈true〉φ expresses liveness
I 〈true∗〉φ also expresses liveness
Regular formulas translate to modal µ-calculus
〈R?〉φ = µX.(〈R〉X ∨ φ)
[R?]φ = νX.([R]X ∧ φ)
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
system
I often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operatorI this formula will also become true for paths ending in a
deadlock, because in such a state [true]X becomes validI avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
systemI often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operatorI this formula will also become true for paths ending in a
deadlock, because in such a state [true]X becomes validI avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
systemI often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operator
I this formula will also become true for paths ending in adeadlock, because in such a state [true]X becomes valid
I avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
systemI often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operatorI this formula will also become true for paths ending in a
deadlock, because in such a state [true]X becomes valid
I avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
systemI often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operatorI this formula will also become true for paths ending in a
deadlock, because in such a state [true]X becomes validI avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
InevitablyI ♦φ only expressesthat φ can become valid in some run of the
systemI often desired: φ will eventually become valid along every path
µX.([true]X ∨ φ)
I not expressible without fixed point operatorI this formula will also become true for paths ending in a
deadlock, because in such a state [true]X becomes validI avoid this by adding absence of a deadlock explicitly:
µX.(([true]X ∧ 〈true〉true) ∨ φ)
Exercise: Formulate the property that an a action must inevitablybe done unless the system deadlocks
µX.([true]X ∨ 〈a〉true) or µX.[a]X
µX.([true]X ∨ 〈a〉true) versus µX.[a]X
b
a
I µX.([true]X ∨ 〈a〉true) is valid in the initial state
I µX.[a]X is not valid in the initial state
I procedure for establishing validity of a formula w.r.t. a giventransition system is slightly more complicated
I only sketched for formulas with only one fixed point symbol
µX.([true]X ∨ 〈a〉true) versus µX.[a]X
b
a
I µX.([true]X ∨ 〈a〉true) is valid in the initial state
I µX.[a]X is not valid in the initial state
I procedure for establishing validity of a formula w.r.t. a giventransition system is slightly more complicated
I only sketched for formulas with only one fixed point symbol
µX.([true]X ∨ 〈a〉true) versus µX.[a]X
b
a
I µX.([true]X ∨ 〈a〉true) is valid in the initial state
I µX.[a]X is not valid in the initial state
I procedure for establishing validity of a formula w.r.t. a giventransition system is slightly more complicated
I only sketched for formulas with only one fixed point symbol
Validity of minimal fixed point formula µX.φ
I label with subformulas of φ, including X
I initially no state is labeled with X
I label with all other strict subformulas from φ
I when a state is labeled with φ, it is also labeled with X
I repeat from third item until nothing has changed w.r.t.previous labeling
I µX.φ holds in a state iff it is labeled with X
Example
Consider the formula µX.(〈a〉X∨〈b〉true) which expresses thatthere is a finite sequence of a actions after which a b is possible
〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
Example
Consider the formula µX.(〈a〉X∨〈b〉true) which expresses thatthere is a finite sequence of a actions after which a b is possible
〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
Example
Consider the formula µX.(〈a〉X∨〈b〉true) which expresses thatthere is a finite sequence of a actions after which a b is possible
〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈a〉X 〈a〉X ∨ 〈b〉true
X, 〈b〉true 〈a〉X ∨ 〈b〉true
a
a
a
b
Validity of maximal fixed point formula νX.φ
I similar, but now all states are initially labeled with X
I X is removed from a state if φ does not hold when thelabeling process stabilizes
I when removing of labels stabilizes again, νX.φ is valid in thestates labeled with X
Example: Check νX.([a]X∧〈a〉true): always one more a can bedone after an arbitrary a-sequence
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X
a
a
〈a〉true
〈a〉true
[a]X
a
a
Validity of maximal fixed point formula νX.φ
I similar, but now all states are initially labeled with X
I X is removed from a state if φ does not hold when thelabeling process stabilizes
I when removing of labels stabilizes again, νX.φ is valid in thestates labeled with X
Example: Check νX.([a]X∧〈a〉true): always one more a can bedone after an arbitrary a-sequence
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X
a
a
〈a〉true
〈a〉true
[a]X
a
a
Validity of maximal fixed point formula νX.φ
I similar, but now all states are initially labeled with X
I X is removed from a state if φ does not hold when thelabeling process stabilizes
I when removing of labels stabilizes again, νX.φ is valid in thestates labeled with X
Example: Check νX.([a]X∧〈a〉true): always one more a can bedone after an arbitrary a-sequence
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X 〈a〉true, [a]X ∧ 〈a〉true
X, [a]X
a
a
〈a〉true
〈a〉true
[a]X
a
a
Nested fixed point operators
Fairness properties: some event must happen provided it isunboundedly often enabled, or because some other action happensonly a bounded number of times
Example: from the states on each infinite b-trail, there are only afinite number of states where a-transitions are possible
µX.νY.((〈a〉true ∧ [b]X) ∨ (¬〈a〉true ∧ [b]Y ))
Modal formulas with data
Modal formulas are extended with data:
I modal variables can have arguments
I actions can carry data arguments
I existential and universal quantification is possible
af ::= t | true | false | a(t1, . . . , tn) |af | af ∩ af | af ∪ af | ∀d : D.af | ∃d : D.af
R ::= ε | af | R·R | R+R | R? | R+
φ ::= true | false | t | ¬φ | φ∧φ | φ∨φ | φ→φ | 〈R〉φ | [R]φ | ∀d : D.φ | ∃d : D.φ |µX(d1 : D1:=t1, . . . , dn : Dn:=tn).φ | νX(d1 : D1:=t1, . . . , dn : Dn:=tn).φ |X(t1, . . . , tn)
Example: whenever an error with some number n is observed, ashutdown is inevitable:
[true?·∃n : IN .error(n)]µX.([shutdown]X ∧ 〈true〉true)
I material from Chapter 6 is tested in written exam
I modal µ-calculus formulas with nested fixed points are nottested
I modal µ-calculus formulas with data are not tested
You may use these for the assignment!
