12 Model checking is a popular technique for the verification of finite |
12 Model checking is a popular technique for the verification of finite |
13 state systems (implementations) with respect to temporal logic formulae |
13 state systems (implementations) with respect to temporal logic formulae |
14 (specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic |
14 (specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic |
15 and this section will explore them in HOL\@. This is done in two steps. First |
15 and this section will explore them in HOL\@. This is done in two steps. First |
16 we consider a simple modal logic called propositional dynamic |
16 we consider a simple modal logic called propositional dynamic |
17 logic (PDL), which we then extend to the temporal logic CTL, which is |
17 logic (PDL)\@. We then proceed to the temporal logic CTL, which is |
18 used in many real |
18 used in many real |
19 model checkers. In each case we give both a traditional semantics (\isa{{\isasymTurnstile}}) and a |
19 model checkers. In each case we give both a traditional semantics (\isa{{\isasymTurnstile}}) and a |
20 recursive function \isa{mc} that maps a formula into the set of all states of |
20 recursive function \isa{mc} that maps a formula into the set of all states of |
21 the system where the formula is valid. If the system has a finite number of |
21 the system where the formula is valid. If the system has a finite number of |
22 states, \isa{mc} is directly executable: it is a model checker, albeit an |
22 states, \isa{mc} is directly executable: it is a model checker, albeit an |
23 inefficient one. The main proof obligation is to show that the semantics |
23 inefficient one. The main proof obligation is to show that the semantics |
24 and the model checker agree. |
24 and the model checker agree. |
25 |
25 |
26 \underscoreon |
26 \underscoreon |
27 |
27 |
28 Our models are \emph{transition systems}, i.e.\ sets of \emph{states} with |
28 Our models are \emph{transition systems}:\index{transition systems} |
29 transitions between them, as shown in this simple example: |
29 sets of \emph{states} with |
|
30 transitions between them. Here is a simple example: |
30 \begin{center} |
31 \begin{center} |
31 \unitlength.5mm |
32 \unitlength.5mm |
32 \thicklines |
33 \thicklines |
33 \begin{picture}(100,60) |
34 \begin{picture}(100,60) |
34 \put(50,50){\circle{20}} |
35 \put(50,50){\circle{20}} |
47 \put(108, 5){\line(0,1){10}} |
48 \put(108, 5){\line(0,1){10}} |
48 \put(108,15){\vector(-1,0){10}} |
49 \put(108,15){\vector(-1,0){10}} |
49 \put(91,21){\makebox(0,0)[bl]{$s_2$}} |
50 \put(91,21){\makebox(0,0)[bl]{$s_2$}} |
50 \end{picture} |
51 \end{picture} |
51 \end{center} |
52 \end{center} |
52 Each state has a unique name or number ($s_0,s_1,s_2$), and in each |
53 Each state has a unique name or number ($s_0,s_1,s_2$), and in each state |
53 state certain \emph{atomic propositions} ($p,q,r$) are true. |
54 certain \emph{atomic propositions} ($p,q,r$) hold. The aim of temporal logic |
54 The aim of temporal logic is to formalize statements such as ``there is no |
55 is to formalize statements such as ``there is no path starting from $s_2$ |
55 path starting from $s_2$ leading to a state where $p$ or $q$ |
56 leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths |
56 are true'', which is true, and ``on all paths starting from $s_0$ $q$ is always true'', |
57 starting from $s_0$, $q$ always holds,'' which is false. |
57 which is false. |
|
58 |
58 |
59 Abstracting from this concrete example, we assume there is some type of |
59 Abstracting from this concrete example, we assume there is a type of |
60 states:% |
60 states:% |
61 \end{isamarkuptext}% |
61 \end{isamarkuptext}% |
62 \isacommand{typedecl}\ state% |
62 \isacommand{typedecl}\ state% |
63 \begin{isamarkuptext}% |
63 \begin{isamarkuptext}% |
64 \noindent |
64 \noindent |
65 Command \isacommand{typedecl} merely declares a new type but without |
65 Command \commdx{typedecl} merely declares a new type but without |
66 defining it (see \S\ref{sec:typedecl}). Thus we know nothing |
66 defining it (see \S\ref{sec:typedecl}). Thus we know nothing |
67 about the type other than its existence. That is exactly what we need |
67 about the type other than its existence. That is exactly what we need |
68 because \isa{state} really is an implicit parameter of our model. Of |
68 because \isa{state} really is an implicit parameter of our model. Of |
69 course it would have been more generic to make \isa{state} a type |
69 course it would have been more generic to make \isa{state} a type |
70 parameter of everything but declaring \isa{state} globally as above |
70 parameter of everything but declaring \isa{state} globally as above |