## Temporal Logic - Model Checking

Moonzoo Kim CS Division of EECS Dept. KAIST

moonzoo@cs.kaist.ac.kr http://pswlab.kaist.ac.kr/courses/cs402-07



# **Mutual exclusion example**

- When concurrent processes share a resource, it may be necessary to ensure that they do not have access to the common resource at the same time
  - We need to build a protocol which allows only one process to enter critical section
- Requirement properties
  - Safety:
    - Only one process is in its critical section at anytime
  - Liveness:
    - Whenever any process requests to enter its critical section, it will eventually be permitted to do so
  - Non-blocking:
    - A process can always request to enter its critical section
  - No strict sequencing:
    - processes need not enter their critical section in strict sequence



### 1<sup>st</sup> model

### We model two processes

- each of which is in
  - non-critical state (n) or
  - trying to enter its critical state
     (t) or
  - critical section (c)
- No self edges
- each process executes like  $s_2$  $n \rightarrow t \rightarrow c \rightarrow n \rightarrow ...$ 
  - but the two processes interleave with each other
    - only one of the two processes can make a transition at a time (asynchronous interleaving)



### 1<sup>st</sup> model for mutual exclusion

- Safety:  $s_0 \models G \neg (c_1 \land c_2)$
- Liveness  $s_0 \nvDash G(t_1 \rightarrow F c_1)$ 
  - see  $s_0 \rightarrow s_1 \rightarrow s_3 \rightarrow s_4 \rightarrow s_5 \rightarrow s_3 \dots$
- Non-blocking
  - for every state satisfying n<sub>i</sub>, there is a successor satisfying t<sub>i</sub>
    - s<sub>0</sub> satisfies this property
  - We cannot express this property in LTL but in CTL
    - Note that LTL specifies that  $\phi$  is satisfied for all paths
- No strict ordering
  - there is a path where c<sub>1</sub> and c<sub>2</sub> do not occur in strict order
  - Complement of this is
    - $= \mathsf{G}(\mathsf{c}_1 \to \mathsf{c}_1 \mathsf{W}(\neg \mathsf{c}_1 \land \underline{\neg \mathsf{c}_1} \underline{\mathsf{W}} \underline{\mathsf{c}_2}))$
    - anytime we get into a c<sub>1</sub> state, either that condition persists indefinitely, or it ends with a non-c<sub>1</sub> state and in that case there is <u>no further c<sub>1</sub> state</u> unless and until we obtain a <u>c<sub>2</sub></u> state



### 2nd model for mutual exclusion

### All 4 properties are satisfied

- Safety
- Liveness
- Non-blocking
- No strict sequencing





## NuSMV model checker

- NuSMV programs consist of one or more modules.
  - one of the modules must be called main
- Modules can declare variables and assign to them.
- Assignments usually give the initial value of a variable x (init(x)) and its next value (next(x)) as an expression in terms of the current values of variables.
  - this expression can be non-deterministic
    - denoted by several expressions in braces, or no assignment at all



### Example

MODULE main VAR request: boolean; status: {ready,busy}; ASSIGN init(status) := ready; next(status) := case request : busy; 1: {ready,busy}; esac;

#### LTLSPEC

G(request -> F status=busy)

KAIST Intro. to Logic CS402 Fall 2007

- request is under-specified, i.e., not controlled by the program
  - request is determined (randomly) by external environment
  - thus, whole program works nondeterministically
- Case statement is evaluated top-to-bottom



## **Modules in NuSMV**

- A module is instantiated when a variable having that module name as its type is declared.
- A 3 bit counter increases from 000 to 111 repeatedly
  - Req. property
    - infinitely setting carry-out of most significant bit as 1
- By default, modules in NuSMV are composed synchronously
  - there is a global clock and, each time it ticks, each of the modules executes in parallel
  - By use of the 'process' keyword, it is possible to compose the modules asynchronously

```
MODULE main
VAR
  bit0 : counter_cell(1);
  bit1 : counter_cell(bit0.carry_out);
  bit2 : counter_cell(bit1.carry_out);
SPEC
   G F bit2.carry_out
MODULE counter_cell(carry_in)
VAR
   value : boolean;
ASSIGN
   init(value) := 0;
```

```
init(value) := 0;
next(value) := (value + carry_in) mod 2;
DEFINE
carry_out := value & carry_in;
```

