<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Chuyang Chen's Blog</title>
<link>https://blog.cychen.xyz/</link>
<description>Chuyang Chen's Blog</description>
<generator>Hugo -- gohugo.io</generator>
<language>en-us</language>
<lastBuildDate>Sat, 18 Jun 2022 10:37:28 +0800</lastBuildDate>
<atom:link href="https://blog.cychen.xyz/index.xml" rel="self" type="application/rss+xml" />
<item>
<title>Notes on <i>Model Checking</i> 1: Kripke Structure</title>
<link>https://blog.cychen.xyz/posts/notes-on-model-checking-1/</link>
<pubDate>Sat, 18 Jun 2022 10:37:28 +0800</pubDate>
<guid>https://blog.cychen.xyz/posts/notes-on-model-checking-1/</guid>
<description><p>When I picked up Clarke et al.&rsquo;s <em>Model Checking</em>, I&rsquo;d heard the name of model checking for a long time. It appears everywhere in papers concerning software testing as a foundation of other methods. However, I could never figure out what the term stands for. I knew models in <a href="https://en.wikipedia.org/wiki/Model_theory">model theory</a>, but how could they use it to verify a computer program? Do they model a program as a model and write logical assertions on it? We will find that this is indeed what they do.</p>
<h2 id="a-glimpse-at-models-in-model-theory">A Glimpse at Models in Model Theory
</h2><p>Before introducing model checking, let&rsquo;s have a glimpse at models in model theory. Informally, a model is an assignment of meaning to the <em>vocabulary</em> of a logical formula. It stipulates the <em>meaning</em> of these symbols and thus of the whole formula. We can only discuss the truth value of a logical formula with respect to a model. For instance, suppose we have the first-order formula $$\forall v.(\mathrm{even}(v)\vee\mathrm{odd}(v))$$ Without further clarification, we don&rsquo;t know what it means: for example, what can $v$ be? If whoever gives us the formula specifies that $v$ ranges over all natural numbers, then in this model the formula is &ldquo;true&rdquo;; otherwise, if $v$ ranges over the rational numbers, it is not true. If a model $\mathfrak{M}$ makes a formula $f$ true, we denote this as $\mathfrak{M}\models f$, read as &ldquo;$\mathfrak{M}$ satisfies $f$&rdquo; or &ldquo;$\mathfrak{M}$ models $f$.&rdquo;</p>
<h2 id="from-model-theory-to-model-checking">From Model Theory to Model Checking
</h2><p>The relation between model theory and model checking is somewhat like the relation between economics and finance (I&rsquo;m not a professional in business disciplines; let me know if you have any better analogy). We can intuitively explain this analogy by the typical questions researchers in model theory and model checking may ask. A model theory researcher may ask: &ldquo;Does there exist <em>any</em> model satisfying this formula?&rdquo;; a model checking researcher may ask: &ldquo;Does this <em>specific</em> model satisfy this formula?&rdquo;<sup id="fnref:1"><a href="#fn:1" class="footnote-ref" role="doc-noteref">1</a></sup> In this article, we focus on the latter question since the topic is model checking.</p>
<p>But wait! Why do we need to do that? Why do we want to know whether one specific model satisfies a formula? It is because we don&rsquo;t put any constraint on the elements in a model. Although in the above example the elements the model contains are natural numbers or rational numbers, they don&rsquo;t have to be such arithmetic objects. They can be, say, components of a computer program; in turn, the model represents a whole computer program. Also, we don&rsquo;t put any constraints on the logic used to write the formula. It doesn&rsquo;t have to be first-order logic but can be something more expressive, such as a <a href="https://en.wikipedia.org/wiki/Temporal_logic">temporal logic</a>, which can describe time. Now, look at what we have: a model representing a program and a formula describing time-dependent properties. Boom! We have found a way to describe the behavior of a program: the model depicts the program, and the logical formula is the condition it must meet when running (when a program starts to run, its <em>time</em> begins). When a model $\mathfrak{M}$ representing a program $\mathfrak{P}$ satisfies a formula $f$ describing a property $p$, we know that the program $\mathfrak{P}$ has the property $p$.</p>
<h2 id="the-models-used-in-model-checking"><em>The</em> Models Used in Model Checking
</h2><p>Model checking selects Kripke structures<sup id="fnref:2"><a href="#fn:2" class="footnote-ref" role="doc-noteref">2</a></sup> among many choices to represent programs. A Kripke structure is an annotated directed graph that describes a <em>transition system</em>, that is, a system with discrete states and transitions between these states. An example is as follows.</p>
<p><img src="1-1.svg" alt="An example of Kripke structures"></p>
<p>The above Kripke structure has three states, $S_1$, $S_2$, and $S_3$, and four transitions, $S_1\rightarrow S_2$, $S_1\rightarrow S_3$, $S_2\rightarrow S_3$, and $S_3\rightarrow S_3$. $a$, $b$, and $c$ are attributes of the states on which the logical formula may make assertions. A possible execution of the system is $S_1, S_2, S_3, S_3, \ldots$ Some important points about Kripke structures:</p>
<ol>
<li>The number of states and transitions needs to be finite.</li>
<li>There can be multiple outedges from one state, giving Kripke structures the ability to handle <a href="https://en.wikipedia.org/wiki/Nondeterministic_Turing_machine">nondeterminism</a> naturally.</li>
<li>Some states should be marked as <em>initial states</em> (characterized by an inedge without a tail), from which the system&rsquo;s execution begins. In the above example, $S_1$ is the only initial state.</li>
<li>There can be self-loops, where a state has an outedge pointing to itself. In a self-loop, the system may stay in the self-looped state forever.</li>
</ol>
<p>Moreover, model checking imposes an extra constraint on Kripke structures: every state must have at least one outedge. This means that once the system starts executing, it never stops. One can easily convert a Kripke structure with <em>halt states</em> (states with no outedges, in which execution can only halt) to this form by adding a self-loop to every halt state.</p>
<p>These characteristics of Kripke structures restrict what model checking can do: model checking cannot check any program with infinitely many states<sup id="fnref:3"><a href="#fn:3" class="footnote-ref" role="doc-noteref">3</a></sup>, for example, programs dealing with variable-length strings. However, this is a sensible trade-off between expressiveness and computational simplicity: no computer can represent an arbitrary infinite graph, let alone evaluate assertions on it.</p>
<p>Hitherto, we have given a synopsis of the concepts of models in model theory and model checking. In the next post, we will touch on another core concept in model checking—the left-hand side of the notation $\mathfrak{M}\models f$—logical formulas in model checking.</p>
<p>However, before we conclude this post, we should note a slight difference between <em>the</em> models in model checking and models in model theory: the former cannot be strictly subsumed into the latter. As will be detailed in the next post, logical formulas in model checking can only assert properties upon a <em>state</em>. We cannot say $\mathfrak{M}\models f$, but instead $\mathfrak{M},s\models f$, where $\mathfrak{M}$ is a Kripke structure, $f$ is a formula, and $s$ is a state of $\mathfrak{M}$. That means the model-checking counterpart of a model in model theory is a Kripke structure plus one of its states. Still, by convention, researchers of model checking simply refer to Kripke structures as &ldquo;models,&rdquo; and we will follow this convention hereafter. Typically, we only check the initial states of a Kripke structure against a formula $f$, because all states that succeed these initial states can be constrained by this formula through temporal quantifiers, and states unreachable from the initial states do not affect the system&rsquo;s actual behavior. So, you will see many seemingly model-theoretic equations $\mathfrak{M}\models f$ in model checking, even though, according to the preceding paragraph, such a statement is not well-formed in model theory. Remember that in model checking, such an equation is just an abbreviation of $$\bigwedge_{s\in\mathrm{initialStatesOf}(\mathfrak{M})}\mathfrak{M},s\models f$$</p>
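<p>As an added example (not the post's own code), a small Python model of the Kripke structure drawn above: it implements the totality check and the self-loop fix from the section on halt states, reachability from the initial states, a check that a finite run is a valid execution, and the state-indexed satisfaction $\mathfrak{M},s\models f$ with $\mathfrak{M}\models f$ as its abbreviation over the initial states. Which of $a$, $b$, $c$ hold in which state is a constructed assumption, since the figure is not reproduced here.</p>

```python
from collections import deque

class Kripke:
    """Finite Kripke structure: states, transitions, initial states, labels."""
    def __init__(self, states, transitions, initial, labels):
        self.states = set(states)
        self.succ = {s: set() for s in self.states}  # outedges of each state
        for src, dst in transitions:
            self.succ[src].add(dst)
        self.initial = set(initial)
        # Atomic propositions (the a, b, c of the figure) true in each state.
        self.labels = {s: frozenset(labels.get(s, ())) for s in self.states}

    def halt_states(self):
        """States with no outedge; model checking requires there be none."""
        return {s for s in self.states if not self.succ[s]}

    def totalize(self):
        """Give every halt state a self-loop, the fix the post describes."""
        for s in self.halt_states():
            self.succ[s].add(s)
        return self

    def reachable(self):
        """States reachable from the initial states (breadth-first search)."""
        seen, todo = set(self.initial), deque(self.initial)
        while todo:
            for t in self.succ[todo.popleft()]:
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        return seen

    def is_execution_prefix(self, path):
        """Does a finite run start in an initial state and follow transitions?"""
        return (bool(path) and path[0] in self.initial and
                all(b in self.succ[a] for a, b in zip(path, path[1:])))

    def holds_at(self, s, prop):
        """M, s |= prop for an atomic proposition prop."""
        return prop in self.labels[s]

    def holds(self, prop):
        """M |= prop: the abbreviation for the conjunction over initial states."""
        return all(self.holds_at(s, prop) for s in self.initial)

# The post's three-state structure; its labelling is a constructed assumption.
M = Kripke(["S1", "S2", "S3"],
           [("S1", "S2"), ("S1", "S3"), ("S2", "S3"), ("S3", "S3")],
           ["S1"], {"S1": {"a"}, "S2": {"a", "b"}, "S3": {"c"}})
```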
<section class="footnotes" role="doc-endnotes">
<hr>
<ol>
<li id="fn:1" role="doc-endnote">
<p>A joke: A programmer walks into a bar, saying he has proved the twin prime conjecture. All the mathematicians are shocked and ask him how he could have done this. He says: &ldquo;I traversed all integers between 2 and 2,147,483,647.&rdquo;&#160;<a href="#fnref:1" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:2" role="doc-endnote">
<p><a href="https://en.wikipedia.org/wiki/Saul_Kripke">Saul Kripke</a> is a preeminent American philosopher who significantly impacted the fields of analytic philosophy and mathematical logic. I&rsquo;m interested in his works and may choose some to read and write on this blog.&#160;<a href="#fnref:2" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
<li id="fn:3" role="doc-endnote">
<p>Such checks can be achieved by formal methods, which involve a labor-intensive process to <em>prove</em> the correctness of a program, or, if you don&rsquo;t require a 100% guarantee, by a multitude of software testing technologies. I will cover these topics on this blog in the future.&#160;<a href="#fnref:3" class="footnote-backref" role="doc-backlink">&#x21a9;&#xfe0e;</a></p>
</li>
</ol>
</section>
</description>
</item>
<item>
<title>About</title>
<link>https://blog.cychen.xyz/about/</link>
<pubDate>Fri, 10 Jun 2022 06:13:47 +0800</pubDate>
<guid>https://blog.cychen.xyz/about/</guid>
<description><p>I&rsquo;m Chuyang Chen (陈楚阳), born in 1998, and currently an MSc student majoring in computer science at Nanjing University, Jiangsu, China. My main research area is software engineering, which aims to help people painlessly develop robust, secure, and maintainable software. I also have vast academic interests in other related fields in the discipline of computer science, such as theoretical computer science and programming languages. Besides academia, I&rsquo;m a reader of sci-fi, pure literature, and philosophy books. Also, I may call myself a core gamer, though finding it harder and harder to allocate time to games. One of my favorite games nowadays is <em>Disco Elysium</em>.</p>
<p>To contact me, email <a href="mailto:[email protected]">[email protected]</a>. For more information, visit <a href="https://info.cychen.xyz">my homepage</a>.</p>
<p>This blog is to record my reviews, remarks, and other thoughts during research and reading. It will focus on academic topics while possibly touching on other things I&rsquo;m reading or working on. I hope to write mainly in English on technical subjects and in Chinese for other casual content. However, that&rsquo;s not strict. It depends on my mood.</p>
</description>
</item>
</channel>
</rss>