Model Checking
Download
1 / 45

Model Checking Lecture 3 - PowerPoint PPT Presentation


  • 126 Views
  • Uploaded on

Model Checking Lecture 3. Model-Checking Algorithms = Graph Algorithms. Safety: -solve: STL ( U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) Response under weak fairness:

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Model Checking Lecture 3' - jocelyn-amadeus


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Model Checking

Lecture 3



  • Safety:

  • -solve: STL (U model checking), finite monitors ( emptiness)

  • -algorithm: reachability (linear)

  • Response under weak fairness:

    • -solve: weakly fair CTL ( model checking), Buchi monitors ( emptiness)

    • -algorithm: strongly connected components (linear)

  • Liveness:

    • -solve: strongly fair CTL, Streett monitors (  () emptiness)

    • -algorithm: recursively nested SCCs (quadratic)


From specification automata to monitor automata:

determinization (exponential) + complementation (easy)

From LTL to monitor automata:

complementation (easy) + tableau construction (exponential)

Simulation automata:

preorder refinement (quadratic)


Five Algorithms

  • Reachability

  • Strongly connected components

  • Recursively nested SCCs

  • Tableau construction

  • Preorder refinement

  • Streett determinization


Finite Emptiness

Given: finite automaton (S, S0, , , FA)

Find: is there a path from a state in S0 to a state in FA ?

Solution: depth-first or breadth-first search


Application 1: STL model checking

Application 2: finite monitors


Buchi Emptiness

Given: Buchi automaton (S, S0, , , BA)

Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?

Solution: 1. Compute SCC graph by depth-first search

2. Mark SCC C as fair iff C  BA  

3. Check if some fair SCC is reachable from S0


Application 1: CTL model checking over weakly-fair transition graphs

(note: really need multiBuchi)

Application 2: Buchi monitors


Streett Emptiness transition graphs

Given: Streett automaton (S, S0, , , SA)

Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA ?

Solution: check if S0 RecSCC (S, , SA)  


function RecSCC (S, transition graphs, SA) :

X :=  for each C  SCC (S, ) do F :=  if C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre*(C) else X := X  RecSCC (C, C, F) return X


Complexity transition graphs

n number of states m number of transitions s number of Streett pairs

Reachability: O(n+m)

SCC: O(n+m)

RecSCC: O((n+m) · s2)


Application 1: CTL model checking over strongly-fair transition graphs

Application 2: Streett monitors


Tableau Construction transition graphs

Given: LTL formula 

Find: Buchi automaton M such that L(M) = L()

[Fischer & Ladner 1975; Manna & Wolper 1982]


Fischer-Ladner Closure of a Formula transition graphs

Sub (a) = { a }

Sub () = {  }  Sub ()  Sub ()

Sub () = {  }  Sub ()

Sub () = {  }  Sub ()

Sub (U) = { U, (U) }  Sub ()  Sub ()

| Sub () | = O(||)


s transition graphs Sub () is consistent

iff

-if ()  Sub () then ()  s iff   s and   s

-if ()  Sub () then ()  s iff   s

-if (U)  Sub () then (U)  s iff either   s or   s and (U)  s


Tableau M transition graphs = (S, S0, , , BA)

S ... set of consistent subsets of Sub ()

s  S0 iff   s

s  t iff for all ()  Sub (), ()  s iff   t

(s) ... conjunction of atomic observations in s and negated atomic observations not in s

For each (U)  Sub (), BA contains { s |   s or (U)  s }


Size of M transition graphs is O(2||).

CTL model checking: linear / quadratic

LTL model checking: PSPACE-complete


Model checking the idea
Model checking:the idea transition graphs

  • Let  be an LTL formula and B be a transition system specifying the behavior of a system

    • L(A) corresponds to all allowable behavior of the system

    • L(B) corresponds to all possible behavior of the system

      To check whether a system satisfies a specification we check if

      L(B)  L(A)


Model checking ltl
Model checking LTL transition graphs

  • Checking language containment is difficult!

  • But … L(B)  L(A) is equivalent to

    L(B)  L(A) = 

    where L(A) is the set-complement of L(A).

    Since L(A) = L(A) we have

    L(B)  L(A) iff L(B)  L(A) = 


The method
The method transition graphs

  • We now have the following model checking method

    1. Find an automaton A representing the negation of the desired LTL specification 

    2. Model a system by a transition system B

    3. Construct an automaton Csuch that

    L(C) = L(B)  L(A)

    4. Check if L(C) = 

Yes, but how?


Synchronizing automata
Synchronizing automata transition graphs

To construct an automaton Csuch that

L(C) = L(B)  L(A)

we synchronize B and A considering only

transitions <s,r>  <s’,r’> where

  • s  s’ in B

  • r  r’ in A, and

  • the valuation u holds in the state s.

t

u

tu


Example 1

r transition graphs1

Example (1)

  • Specification:  = G(p  XFq)

    Any occurrence of p must be followed (later) by an occurrence of q

  •  = F(p XGq)

    there exist an occurrence of p after which q will never be encountered again

  • A =

p,q

p,q

p,q

p,q

u1:

u2:

r0

p,q

p,q

p,q

p,q

u0:


Example 2
Example (2) transition graphs

  • The system: B =

p

q

t1

t4

p

q

p

q

t5

t2

t3

p

q


Example 3
Example: transition graphs(3)

  • The synchronized product C = B A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

u0:

u1:

u2:


Example 4
Example: transition graphs(4)

There is an execution accepted by B  A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

  • The language of B A is non-empty, and hence B  [with  = G(p  XFq)]


Complexity
Complexity transition graphs

  • A has size O(2||) in the worst case

  • The product B A has size O(|B|x|A|)

  • We can determine if the language of BAis empty in O(|B A|) time

  • Model checking B,s0  can be done in time

    O(|B|x 2||)


Symbolic Model-Checking Algorithms transition graphs

Given: a “symbolic theory”, that is, an abstract data type called region with the following operations

pre, pre, post, post : region  region

, , \ : region  region region

 , = : region  region bool

< >, > < : A  region

, Q : region


Intended Meaning of Symbolic Theories transition graphs

region ... set of states

, , \, , =,  ... set operations

<a> = { q  Q | [q] = a }

>a< = { q  Q | [q]  a }

pre (R) = { q  Q | ( r  R) q  r }

pre (R) = { q  Q | ( r)( q  r  r  R )}

post (R) = { q  Q | ( r  R) r  q }

post (R) = { q  Q | ( r)( r  q  r  R )}


If the state of a system is given by variables of type transition graphsVals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theoryFO(Vals, Ops) is an adequate symbolic theory:

region ... formula of FO (Vals, Ops)

, , \, , =, , Q ... , , ,  validity,  validity, f, t

pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) )

pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) )

post (R(X)) = ( X”)( R(X”)  Trans(X”,X) )

post (R(X)) = ( X”)( Trans(X”,X)  R(X’’) )


If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:

each pre/post operation is a quantifier elimination


Example: Boolean Systems propositional theory

-all system variables X are boolean

-region: quantifier-free boolean formula over X

-pre, post: boolean quantifier elimination

Complexity: PSPACE


Example: Presburger Systems propositional theory

-all system variables X are integers

-the transition relation Trans(X,X’) is defined using only  and 

-region: quantifier-free formula of (Z, , )

-pre, post: quantifier elimination


An iterative language for writing symbolic model-checking algorithms

-only data type is region

-expressions: pre, post, , , \ ,  , =, < >, , Q

-assignment, sequencing, while-do, if-then-else


Example: Reachability model-checking algorithmsa

S := 

R := <a>

while R  S do

S := S  R

R := pre(R)


A recursive language for writing symbolic model-checking algorithms:

The Mu-Calculus

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))


Syntax of the Mu-Calculus model-checking algorithms:

  • ::= a | a |

       |    |

    pre() | pre() |

    (R)  | (R)  |

    R

pre = 

pre = 

R ... region variable


Semantics of the Mu-Calculus model-checking algorithms:

[[ a ]]E := <a>

[[ a ]]E := >a<

[[    ]]E := [[  ]]E  [[  ]]E

[[    ]]E := [[  ]]E  [[  ]]E

[[ pre() ]]E := pre( [[  ]]E )

[[ pre() ]]E:= pre( [[  ]]E )

E maps each region variable to a region.


Operational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R)  ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

[[ (R)  ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S


Denotational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R)  ]]E := smallest region S such that S = [[]]E(RS)

[[ (R)  ]]E := largest region S such that S = [[]]E(RS)

These regions are unique because all operators on regions (, , pre, pre) are monotonic.


model-checking algorithms:a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

b U a = ( R) (a  (b  pre(R)))

 a = ( R) (a  pre( R )) = ( R) (a  pre( ( S) (R  pre(S)) ))


Temporal properties fixpoints
Temporal Properties model-checking algorithms: Fixpoints

EF p p  (EX p)  EX (EX p)  …

1

2

3


Temporal properties fixpoints1
Temporal Properties model-checking algorithms: Fixpoints

  • Note that

    • AG p   EF( p )

  • Other temporal operators can also be represented as fixpoints

    • AF p , EG p , p AU q , p EU q


- model-checking algorithms:every / alternation adds expressiveness

-all omega-regular languages in alternation depth 2

-model checking complexity: O( (||  (m+n)) d ) for formulas of alternation depth d

-most common implementation (SMV, Mocha): use BDDs to represent boolean regions


ad