LH Computer-Aided Verification
Solutions: Mock Exam, December 2022

No calculator

Note: Answer ALL questions. Each question will be marked out of 20. The paper will be marked out of 60, which will be rescaled to a mark out of 100.

Question 1: Reactive Modeling

module M
  interface a_0, a_1, a_2 : B
  atom A_0 controls a_0 reads a_0
    init
      [] true → a_0' := false
    update
      [] true → a_0' := ¬a_0
  atom A_1 controls a_1 reads a_0, a_1 awaits a_0
    init
      [] true → a_1' := false
    update
      [] a_0 ∧ ¬a_0' → a_1' := ¬a_1
      [] ¬a_0 ∨ a_0' → a_1' := a_1
  atom A_2 controls a_2 reads a_1, a_2 awaits a_1
    init
      [] true → a_2' := false
    update
      [] a_1 ∧ ¬a_1' → a_2' := ¬a_2
      [] ¬a_1 ∨ a_1' → a_2' := a_2

(a) Draw the transition graph of module M. [6 marks]

(b) Express each of the properties below as an LTL or a CTL model checking problem; if neither LTL nor CTL is appropriate, then use CTL*. For each property, state the logic you are using and provide an appropriate formula in that logic. Specify whether your formula represents the given property positively (just mark it as "Positive") or whether it represents its negation (mark it as "Negative"). Write the formulae in positive normal form, i.e., without using negation ¬ except on atomic propositions. [8 marks]
• There exists an initialised trace that exhibits proposition a at most finitely many times. Formally, there exists a trajectory s_0 s_1 s_2 … such that a ∈ L(s_i) holds for at most finitely many indices i ≥ 0.
• Every reachable state admits a trajectory that eventually exhibits proposition a. Formally, for every initialised trajectory s_0 s_1 s_2 … and for all i ≥ 0 there exists a trajectory t_0 t_1 t_2 … such that s_i = t_0 and a ∈ L(t_j) for some j ≥ 0.
• Consider the reactive module above. Model the property that states that every positive a_0 is always immediately followed by a negative a_0, i.e., formally, for every initialised trajectory s_0 s_1 s_2 …, if s_i(a_0) = true then s_{i+1}(a_0) = false for all i ≥ 0.

(c) Provide a symbolic encoding for the reactive module above.
• Give a set of variables for the representation.
• Give a symbolic encoding, expressed as a first-order logic formula, for the characteristic function of the init.
• Give a symbolic encoding, expressed as a first-order logic formula, for the switching function.
Make sure to give well-formed propositional logic formulae. [6 marks]

Model answer / LOs / Creativity:

(a) The transition graph of M is shown below, where every state represents the values of a_0, a_1, a_2 respectively:
[Figure: transition graph of M over the states 0,0,0; 1,0,0; 0,1,0; 1,1,0; 0,0,1; 1,0,1; 0,1,1; 1,1,1. The edges did not survive extraction; they follow from the module: a_0 toggles every round, a_1 toggles exactly when a_0 changes from true to false, and a_2 toggles exactly when a_1 changes from true to false, so M runs through the eight states in the order listed and then returns to 0,0,0.]

(b) The properties are expressed as follows:

        Logic   Formula              Pos/Neg
  (i)   LTL     □♦a                  Negative
  (ii)  CTL     ∀□∃♦a                Positive
  (iii) LTL     □(a_0 → ©¬a_0)       Positive

(c) It is sufficient to use three Boolean variables, respectively representing the variables a_0, a_1, and a_2. The characteristic function of init is represented by the following formula:

  χ_init(a_0, a_1, a_2) = ¬a_0 ∧ ¬a_1 ∧ ¬a_2

Then, the switching function can be represented as the following formula:

  Δ(a_0, a_1, a_2, a_0', a_1', a_2') =
      (true → (a_0' ↔ ¬a_0))
    ∧ (a_0 ∧ ¬a_0' → (a_1' ↔ ¬a_1))
    ∧ (¬a_0 ∨ a_0' → (a_1' ↔ a_1))
    ∧ (a_1 ∧ ¬a_1' → (a_2' ↔ ¬a_2))
    ∧ (¬a_1 ∨ a_1' → (a_2' ↔ a_2))

Question 2: Linear Temporal Logic

Let Ap = {a, b} be the set of atomic propositions in this question. We will use the shorthands u = ∅, x = {a}, y = {b} and z = {a, b} for the letters of Σ = 2^Ap.

(a) We want to check whether an LTL property φ holds on the Kripke model M. The following Büchi automaton B over alphabet Σ = 2^Ap is such that L(B) = L_M:
[Figure: Büchi automaton B with states s_0, s_1, s_2 and transitions labelled y and z; the edges did not survive extraction.]
The following Büchi automaton C over alphabet Σ = 2^Ap is such that L(C) = L_¬φ:
[Figure: Büchi automaton C with states q_0, q_1, q_2 and transitions labelled x,z; y,z; u,y and Σ; the edges did not survive extraction.]
(i) On the blueprint below, draw the product automaton B ⊗ C such that L(B ⊗ C) = L(B) ∩ L(C).
[6 marks]
Note: We (partially) pruned the set of states of some that would have been unreachable. You do not need to add them.
(ii) Explain how you can use the automaton B ⊗ C to check whether M ⊨ φ. Is M ⊨ φ true or false? Justify briefly. [4 marks]

[Blueprint: product states (s_0,q_0,1), (s_0,q_0,2), (s_1,q_1,1), (s_1,q_1,2), (s_2,q_0,1), (s_2,q_0,2), (s_2,q_1,1), (s_2,q_1,2), (s_1,q_2,1), (s_1,q_2,2); the transitions are to be drawn by the candidate.]

(b) Give an LTL formula equivalent to ¬(♦a → (b U a)) but only using the symbols a, b, true, ¬, ∧, © and U. [4 marks]

(c) Consider a Kripke model N = (S, I, R, Ap, L) with set of states S = {s_0, s_1, s_2, s_3}, set of initial states I = {s_0}, and transition relation R ⊆ S × S and labelling function L : S ↦ 2^Ap given by the following diagram:
[Figure: Kripke model N with L(s_0) = {a}, L(s_1) = {}, L(s_2) = {}, L(s_3) = {a}; the transitions did not survive extraction.]
We can then represent N symbolically, that is, with Boolean formulas χ_init, χ_a, and χ_update to represent the set of initial states, the set of states that satisfy a, and the transition relation in N, respectively.
(i) Give a Boolean formula corresponding to the Bounded Model Checking problem for ©□a with k = 3, that is, a formula that is satisfiable iff there is a counterexample to ©□a of length ≤ 3.
Note: You are not asked to compute χ_init, χ_a, and χ_update; you can use these abbreviations together with the substitution notation [v_1, …, v_n / u_1, …, u_n] (which indicates the replacement of variables v_1, …, v_n by variables u_1, …, u_n).
(ii) Can this help you deduce either N ⊨ ©□a or N ⊭ ©□a? Justify your answer. [6 marks]

Model answer / LOs / Creativity:

(a) (i)
[Figure: the reachable part of B ⊗ C, with states (s_0,q_0,1), (s_1,q_1,2), (s_2,q_0,1), (s_2,q_0,2), (s_2,q_1,2), (s_1,q_2,2) and transitions labelled y and z.]

(ii) M ⊨ φ ⇔ L_M ⊆ L_φ ⇔ L_M ∩ L_φ^c = ∅ ⇔ L_M ∩ L_¬φ = ∅ ⇔ L(B ⊗ C) = ∅.
To decide whether the language of an NBA is non-empty it is enough to check whether at least one of its accept states is (i) reachable from an initial state and (ii) part of a cycle. The accept state (s_2,q_0,1) of B ⊗ C is (i) reachable from the initial state via the word yzzyz and (ii) reachable from itself via the word yzzyz, so L(B ⊗ C) ≠ ∅. This means that M ⊭ φ.

(b) ψ = (true U a) ∧ ¬(b U a)

(c) (i) The bounded model checking encoding for a counterexample to property ©□a of length k = 3 can be expressed as follows. Let us assume the system state is represented by a vector of variables x̄. Then, we replicate these variables over four copies x̄_0, x̄_1, x̄_2, x̄_3, each of which represents the state respectively at the initialisation round and after 1, 2 and 3 update rounds. The encoding is made of two components: an unrolling of the transition relation up to length 3 and a formula representing a counterexample for the property.

  χ_init(x̄_0) ∧ χ_update(x̄_0, x̄_1) ∧ χ_update(x̄_1, x̄_2) ∧ χ_update(x̄_2, x̄_3) ∧ (¬χ_a(x̄_1) ∨ ¬χ_a(x̄_2) ∨ ¬χ_a(x̄_3))

Note that in your bounded model checking lecture you used a different notation, where [[I]] and [[a]] are formulae over variables x̄ that respectively represent the characteristic functions of "init" and "a", and [[R]] is a formula over variables x̄ and x̄' that represents the switching function. Under that notation, you would write the same bounded model checking encoding as

  [[I]][x̄/x̄_0] ∧ [[R]][x̄, x̄'/x̄_0, x̄_1] ∧ [[R]][x̄, x̄'/x̄_1, x̄_2] ∧ [[R]][x̄, x̄'/x̄_2, x̄_3] ∧ (¬[[a]][x̄/x̄_1] ∨ ¬[[a]][x̄/x̄_2] ∨ ¬[[a]][x̄/x̄_3])

(ii) If the formula is satisfiable, then there exists a counterexample of length 3 that violates the specification. Therefore, this BMC encoding can be used to conclude N ⊭ ©□a. However, if this formula is unsatisfiable, then we cannot conclude that N ⊨ ©□a. This is because our encoding may miss counterexamples of length 4, which is the minimum number of steps required to capture all counterexamples for this property over this system.
Note: The "Bounded Model Checking" paper provides elegant solutions to this problem, which involve (1) encoding properties over loops and (2) computing a completeness threshold. We recommend that interested students read that optional paper. However, these additional concepts are not exam material, and we will limit ourselves to the basic encoding shown in class.

Question 3: Computation Tree Logic and Abstraction

Let Ap = {a, b} be the set of atomic propositions for this question.

(a) Illustrate the application of the explicit CTL model checking algorithm to determine whether the Kripke model M below satisfies the CTL formula Φ_1 = ∃© ∀♦(a ∧ b).
(i) Compute Ψ_1, the Existential Normal Form of Φ_1.
(ii) For each state subformula of Ψ_1, give the set of states in M that satisfy it and lay out each intermediate step in the fixpoint iterations.
(iii) In conclusion, does M ⊨ Φ_1? Explain your answer.
[7 marks]
[Figure: Kripke model M with L(s_0) = {a}, L(s_1) = {a, b}, L(s_2) = {b}, L(s_3) = {}; the transitions did not survive extraction.]

(b) Consider the formula Φ_2 = ¬∃(true U ¬b) and assume you have a symbolic representation of the Kripke structure M above which uses two Boolean variables a, b to represent the state space as follows:

  state   a   b
  s_0     1   0
  s_1     1   1
  s_2     0   1
  s_3     0   0

Assume you are given a switching function for the transition relation (so you don't have to give one). Explain how to proceed to check whether or not M ⊨ Φ_2 using OBDDs, using the variable ordering a, b from top to bottom.
(i) For each state subformula of Φ_2, give the characteristic function that represents the set of states satisfying it and lay out each intermediate step in the fixpoint iterations.
(ii) In conclusion, does M ⊨ Φ_2? Give the OBDD that answers the question. [7 marks]

(c) Give two finite Kripke models M_1 and M_2 which satisfy the same LTL formulas but not the same CTL formulas, that is:
• for all LTL φ, M_1 ⊨ φ if and only if M_2 ⊨ φ;
• there exists a CTL formula Ψ such that M_1 ⊨ Ψ and M_2 ⊭ Ψ.
Give a short explanation. [6 marks]

Model answer / LOs / Creativity:

(a) (i) Formula Φ_1 is expressed in ENF as ψ_1 = ∃© ¬∃□ ¬(a ∧ b).

(ii) The explicit-state CTL model checking algorithm proceeds by computing the following satisfying sets:

  Sat(a) = {s_0, s_1}
  Sat(b) = {s_1, s_2}
  Sat(a ∧ b) = {s_1}
  Sat(¬(a ∧ b)) = {s_0, s_2, s_3}
  Sat(∃□ ¬(a ∧ b)) = gfp(λX. {s_0, s_2, s_3} ∩ Pre(X)) = ∅, after the following iterations:
      X_0 = S, X_1 = {s_0, s_2, s_3}, X_2 = {s_0, s_2}, X_3 = {s_0}, X_4 = ∅, X_5 = ∅
  Sat(¬∃□ ¬(a ∧ b)) = S
  Sat(∃© ¬∃□ ¬(a ∧ b)) = S

(iii) The system satisfies Φ_1 because the initial set {s_0} is included in the satisfying set of ψ_1, which is S.

(b) First, we convert ∀□b to existential normal form, that is, ¬∃♦¬b. Then, we construct the representation of proposition b and after that ¬b:
[Figure: OBDDs for b and ¬b over the variable ordering a, b.]
Then, we compute the least fixpoint of λX. χ_¬b(a, b) ∨ ∃a', b'. Δ_update(a, b, a', b') ∧ X(a', b'). We begin with the formula "false" and proceed until the fixpoint, as shown here:
[Figure: the iteration OBDDs for false, ¬b and true.]
Note that the pre of ¬b, i.e., ∃a', b'. Δ_update(a, b, a', b') ∧ ¬b', equals the formula b, and thus the third iteration produces the formula ¬b ∨ b = true, which is obviously the fixpoint. Then, we negate the formula, which results in the formula "false" (shown above). Then, we construct the characteristic function of init, χ_init(a, b) = (a ∧ ¬b). Finally, we construct the OBDD for the formula (a ∧ ¬b) → false, which checks whether all initial states are included in the states that satisfy the CTL specification. This is equivalent to the formula "¬(a ∧ ¬b)". This formula is not valid, i.e., it is not the case that every variable assignment satisfies it. Therefore, we conclude that the property is not satisfied.
[Figure: OBDDs for a ∧ ¬b and (a ∧ ¬b) → false over the variable ordering a, b.]

(c) An example of such models is the following:
[Figure: M_1 with states s_0 labelled {a} and s_1 labelled {}; M_2 with states t_0 labelled {a}, t_1 labelled {} and t_2 labelled {}; the transitions did not survive extraction.]
• These two models are trace equivalent; hence, necessarily, either both satisfy or both violate any given LTL formula. Trace equivalence follows from the fact that M_1 and M_2 simulate each other. In fact, M_1 simulates M_2 thanks to the simulation relation ρ_1 = {(s_0, t_0), (s_1, t_1), (s_0, t_2)}, and M_2 simulates M_1 thanks to the simulation relation ρ_2 = {(t_0, s_0), (t_1, s_1)}.
• However, the two models are not bisimilar, thus there exists at least one CTL formula that distinguishes them. For example, the formula ∀□∃♦a is satisfied by M_1, but not by M_2.
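Worked example for Question 1 (added here; not part of the exam and not its model answer). It executes the reactive module M directly, with the atoms run in the order imposed by their awaits dependencies, enumerates the transition graph of (a), and checks that the symbolic encoding of (c) (χ_init and the switching function Δ, transcribed from the model answer) holds on exactly the initial state and exactly the transitions of the graph. The function names and the tuple representation of states are this example's own choices; the module and formulas are the exam's.

```python
from itertools import product

# A state of M is a tuple (a0, a1, a2) of Booleans.
VALUES = list(product([False, True], repeat=3))

def init_state():
    """The single initial state: every init action is 'true -> a_i' := false'."""
    return (False, False, False)

def update(state):
    """One update round of M.  Atoms execute in dependency order (A_1 awaits a_0,
    A_2 awaits a_1), so an atom may read the primed value of the variable it awaits."""
    a0, a1, a2 = state
    a0n = not a0                                  # A_0: true -> a0' := not a0
    a1n = (not a1) if (a0 and not a0n) else a1    # A_1 toggles when a0 goes true -> false
    a2n = (not a2) if (a1 and not a1n) else a2    # A_2 toggles when a1 goes true -> false
    return (a0n, a1n, a2n)

def transition_graph():
    """The transition graph of (a): the set of (state, successor) pairs over all 8 states."""
    return {(s, update(s)) for s in VALUES}

def chi_init(a0, a1, a2):
    """Characteristic function of init from the model answer of (c)."""
    return (not a0) and (not a1) and (not a2)

def delta(a0, a1, a2, a0n, a1n, a2n):
    """The switching function Delta from the model answer of (c), evaluated as a
    propositional formula over the unprimed and primed variables."""
    def implies(p, q):
        return (not p) or q
    return (implies(True, a0n == (not a0))
            and implies(a0 and not a0n, a1n == (not a1))
            and implies((not a0) or a0n, a1n == a1)
            and implies(a1 and not a1n, a2n == (not a2))
            and implies((not a1) or a1n, a2n == a2))

def encoding_matches_module():
    """True iff chi_init holds exactly on the initial state and Delta holds exactly
    on the pairs of the transition graph, i.e. the symbolic encoding is correct."""
    graph = transition_graph()
    return all(chi_init(*s) == (s == init_state()) for s in VALUES) and \
           all(delta(*s, *t) == ((s, t) in graph) for s in VALUES for t in VALUES)

def trajectory(rounds):
    """The initialised trajectory of M after `rounds` update rounds (M is deterministic)."""
    traj = [init_state()]
    for _ in range(rounds):
        traj.append(update(traj[-1]))
    return traj

def as_counter(state):
    """Read a state as a number with a0 as the least significant bit."""
    a0, a1, a2 = state
    return int(a0) + 2 * int(a1) + 4 * int(a2)

def always_next_not_a0(traj):
    """Check property (b)(iii), □(a_0 → ©¬a_0), along a finite trajectory prefix."""
    return all(not traj[i + 1][0] for i in range(len(traj) - 1) if traj[i][0])

if __name__ == "__main__":
    print("encoding correct:", encoding_matches_module())
    print("trajectory as counter values:", [as_counter(s) for s in trajectory(8)])
```

Reading the states as numbers shows why the model answer's graph lists the states in the order it does: the module is a three-bit counter, and the deterministic switching function admits exactly one successor per state.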
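Worked example for Question 2(a) (added here; not part of the exam). The exam's automata B and C did not survive extraction, so the automata below are constructed for this example and are not the exam's: C accepts L(¬φ) for φ = □♦a, and two model automata B_GOOD and B_BAD stand in for two different Kripke models. The product is the standard two-track construction with indices 1 and 2 as on the exam's blueprint, and the emptiness check is the one stated in the model answer: find an accept state that is reachable from an initial state and lies on a cycle, returning the witnessing lasso. The alphabet shorthands u, x, y, z are the exam's; all class and function names are this example's own.

```python
from collections import deque

# Letters of Σ = 2^{a,b}, using the exam's shorthands.
u, x, y, z = frozenset(), frozenset("a"), frozenset("b"), frozenset("ab")
SIGMA = [u, x, y, z]

class NBA:
    """Non-deterministic Büchi automaton; delta maps (state, letter) to a set of states."""
    def __init__(self, init, edges, accept):
        self.init, self.accept, self.delta, self.states = set(init), set(accept), {}, set()
        for src, letters, dst in edges:              # edges: (source, letters, target)
            self.states |= {src, dst}
            for letter in letters:
                self.delta.setdefault((src, letter), set()).add(dst)

    def succ(self, state, letter):
        return self.delta.get((state, letter), set())

def product(B, C):
    """Two-track product with L(B ⊗ C) = L(B) ∩ L(C): track 1 waits for an accepting
    B-state, track 2 for an accepting C-state, and the accepting product states are the
    track-1 states whose B-component is accepting.  Only reachable states are built."""
    init = {(s, q, 1) for s in B.init for q in C.init}
    edges, seen, work = [], set(), deque(init)
    while work:
        s, q, i = work.popleft()
        if (s, q, i) in seen:
            continue
        seen.add((s, q, i))
        for letter in SIGMA:
            for s2 in B.succ(s, letter):
                for q2 in C.succ(q, letter):
                    j = (2 if s2 in B.accept else 1) if i == 1 else (1 if q2 in C.accept else 2)
                    edges.append(((s, q, i), [letter], (s2, q2, j)))
                    work.append((s2, q2, j))
    accept = {p for p in seen if p[2] == 1 and p[0] in B.accept}
    return NBA(init, edges, accept)

def shortest_words(A, sources):
    """BFS from `sources` (a dict state -> word already read); returns a dict mapping
    every reachable state to a word (tuple of letters) that reaches it."""
    words, work = dict(sources), deque(sources)
    while work:
        p = work.popleft()
        for letter in SIGMA:
            for p2 in A.succ(p, letter):
                if p2 not in words:
                    words[p2] = words[p] + (letter,)
                    work.append(p2)
    return words

def accepting_lasso(A):
    """L(A) ≠ ∅ iff some accept state is reachable from an initial state and lies on a
    cycle.  Returns the witness (prefix word, cycle word), or None when L(A) = ∅."""
    from_init = shortest_words(A, {p: () for p in A.init})
    for f in sorted(A.accept, key=str):
        if f not in from_init:
            continue
        one_step = {}                         # leave f first, so the cycle found is non-empty
        for letter in SIGMA:
            for p2 in A.succ(f, letter):
                one_step.setdefault(p2, (letter,))
        back = shortest_words(A, one_step)
        if f in back:
            return from_init[f], back[f]
    return None

# Constructed automata (not the exam's).  φ = □♦a ("a holds infinitely often"), so
# C accepts L(¬φ) = L(♦□¬a): it guesses a point after which only a-free letters u, y occur.
C = NBA({"q0"}, [("q0", SIGMA, "q0"), ("q0", [u, y], "q1"), ("q1", [u, y], "q1")], {"q1"})
# Model automata: every state is accepting, as for automata obtained from Kripke models.
B_GOOD = NBA({"s0"}, [("s0", [y], "s1"), ("s1", [z], "s0")], {"s0", "s1"})
B_BAD = NBA({"s0"}, [("s0", [y], "s1"), ("s1", [z], "s0"), ("s1", [u], "s2"), ("s2", [u], "s2")],
            {"s0", "s1", "s2"})

def model_satisfies_phi(B):
    """M ⊨ φ  ⇔  L_M ∩ L_¬φ = ∅  ⇔  L(B ⊗ C) = ∅, the chain of equivalences of 2(a)(ii)."""
    return accepting_lasso(product(B, C)) is None
```

For B_BAD the lasso returned is the prefix y u followed by the cycle u u: after reading {b} and then ∅ the model can stay in the a-free state s2 for ever, which is exactly a trace violating □♦a, so the product is non-empty and the model does not satisfy φ. For B_GOOD every trace is (yz)^ω, no accept state of the product lies on a cycle, and the model satisfies φ.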
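Worked example for Question 2(c) (added here; not part of the exam). The exam's Kripke model N did not survive extraction, so a constructed chain model on three Boolean variables is used instead (an assumption, not the exam's N); it is chosen so that the only violation of ©□a is first reachable after four update rounds, which exhibits the incompleteness the model answer describes in (ii). The encoding is the model answer's unrolling, generalised from k = 3 to an arbitrary bound k, and a truth-table enumeration stands in for the SAT solver. All function names are this example's own.

```python
from itertools import product

NUM_VARS = 3   # three Boolean variables (v2, v1, v0) encode up to 8 states

def to_int(x):
    """Decode a state vector (v2, v1, v0) to the state number it encodes."""
    return x[0] * 4 + x[1] * 2 + x[2]

# Constructed model (an assumption, not the exam's N): states 0..4 form the chain
# 0 -> 1 -> 2 -> 3 -> 4 with a self-loop on 4; a holds in states 0..3 and fails in 4.
def chi_init(x):
    """Characteristic function of the initial states."""
    return to_int(x) == 0

def chi_a(x):
    """Characteristic function of the states satisfying a."""
    return to_int(x) <= 3

def chi_update(x, xn):
    """Transition relation: i -> i+1 for i < 4, and 4 -> 4."""
    i, j = to_int(x), to_int(xn)
    return i <= 4 and j == min(i + 1, 4)

def bmc_formula(k):
    """The model answer's encoding, generalised from k = 3 to any k:
         chi_init(x_0) ∧ ⋀_{i<k} chi_update(x_i, x_{i+1}) ∧ ⋁_{1≤i≤k} ¬chi_a(x_i)
    returned as a predicate over a tuple of k+1 state-vector copies x_0 .. x_k."""
    def phi(copies):
        unrolling = chi_init(copies[0]) and \
                    all(chi_update(copies[i], copies[i + 1]) for i in range(k))
        violation = any(not chi_a(copies[i]) for i in range(1, k + 1))
        return unrolling and violation
    return phi

def bmc(k):
    """Stand-in for a SAT solver: enumerate all assignments to the k+1 copies of the
    state variables.  Returns a satisfying assignment as a list of state numbers
    (a counterexample of length ≤ k), or None when the formula is unsatisfiable."""
    phi = bmc_formula(k)
    vectors = list(product((0, 1), repeat=NUM_VARS))
    for copies in product(vectors, repeat=k + 1):
        if phi(copies):
            return [to_int(c) for c in copies]
    return None

def verdict(k):
    """What bound k lets us conclude, as in 2(c)(ii): SAT refutes ©□a, UNSAT proves nothing."""
    return "N ⊭ ©□a" if bmc(k) is not None else "inconclusive at this bound"

if __name__ == "__main__":
    for k in (3, 4):
        print(k, bmc(k), verdict(k))
```

With k = 3 the formula is unsatisfiable, yet the property does not hold: raising the bound to k = 4 produces the counterexample 0 1 2 3 4. Without a completeness threshold an unsatisfiable bounded encoding never establishes N ⊨ ©□a, which is the point of part (ii).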
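Worked example for Question 3(a) and 3(b) (added here; not part of the exam and not its model answer). It implements the explicit-state CTL model checking algorithm over formulas in existential normal form and records every fixpoint iteration, so that the satisfaction sets and the sequence X_0, …, X_5 of the model answer can be reproduced, and it checks Φ_2 = ∀□b with explicit sets in place of the OBDDs used in 3(b). The labels of M are the exam's; the figure with M's transitions did not survive extraction, so the edge set below is an assumption chosen to reproduce the iteration sequences stated in the model answer. The tuple encoding of formulas and all function names are this example's own.

```python
# Kripke model M of Question 3: labels from the exam; the edges are an assumption
# (the figure did not survive extraction) chosen so that the fixpoint iterations
# X_0 .. X_5 of the model answer are reproduced.
STATES = {"s0", "s1", "s2", "s3"}
INIT = {"s0"}
LABEL = {"s0": {"a"}, "s1": {"a", "b"}, "s2": {"b"}, "s3": set()}
EDGES = {("s0", "s1"), ("s0", "s2"), ("s1", "s0"), ("s2", "s3"), ("s3", "s1")}

def pre(X):
    """Pre(X): the states with at least one successor in X."""
    return {s for (s, t) in EDGES if t in X}

def fixpoint(step, start, formula, trace):
    """Iterate `step` from `start` until X_{n+1} = X_n; record the iterations in `trace`."""
    iterations = [start]
    while True:
        nxt = step(iterations[-1])
        iterations.append(nxt)
        if nxt == iterations[-2]:
            break
    if trace is not None:
        trace.append((formula, iterations))
    return iterations[-1]

# ENF formulas as nested tuples:
#   ("true",) | ("ap", p) | ("not", f) | ("and", f, g) | ("EX", f) | ("EU", f, g) | ("EG", f)
def sat(f, trace=None):
    """Sat(f): the set of states of M satisfying the ENF formula f (explicit-state algorithm)."""
    op = f[0]
    if op == "true":
        return set(STATES)
    if op == "ap":
        return {s for s in STATES if f[1] in LABEL[s]}
    if op == "not":
        return STATES - sat(f[1], trace)
    if op == "and":
        return sat(f[1], trace) & sat(f[2], trace)
    if op == "EX":
        return pre(sat(f[1], trace))
    if op == "EU":   # least fixpoint of X ↦ Sat(g) ∪ (Sat(f) ∩ Pre(X)), starting from ∅
        F, G = sat(f[1], trace), sat(f[2], trace)
        return fixpoint(lambda X: G | (F & pre(X)), set(), f, trace)
    if op == "EG":   # greatest fixpoint of X ↦ Sat(f) ∩ Pre(X), starting from S
        F = sat(f[1], trace)
        return fixpoint(lambda X: F & pre(X), set(STATES), f, trace)
    raise ValueError(f"unknown operator {op!r}")

def check(f):
    """M ⊨ f iff every initial state satisfies f."""
    return INIT <= sat(f)

AB = ("and", ("ap", "a"), ("ap", "b"))
PSI1 = ("EX", ("not", ("EG", ("not", AB))))              # ENF of Φ_1 = ∃© ∀♦(a ∧ b)
PHI2 = ("not", ("EU", ("true",), ("not", ("ap", "b"))))  # ENF of Φ_2 = ∀□b

def iterations_of(f):
    """The fixpoint iteration sequences computed while evaluating f, innermost first."""
    trace = []
    sat(f, trace)
    return [its for (_, its) in trace]

if __name__ == "__main__":
    print("M |= Φ1:", check(PSI1), iterations_of(PSI1))
    print("M |= Φ2:", check(PHI2), iterations_of(PHI2))
```

For Φ_1 the greatest fixpoint runs through S, {s0, s2, s3}, {s0, s2}, {s0}, ∅, ∅, so Sat(∃□¬(a ∧ b)) = ∅ and Sat(ψ_1) = S, which contains the initial state. For Φ_2 the least fixpoint runs through ∅, {s0, s3} (the ¬b states) and then S, because the pre-image of the ¬b states is exactly the b states; negating gives ∅, so s0 is not included and the property fails, matching the OBDD argument of the model answer.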