Loading in 5 sec....

Model Checking Lecture 3PowerPoint Presentation

Model Checking Lecture 3

- 126 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Model Checking Lecture 3' - jocelyn-amadeus

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Lecture 3

- Safety:
- -solve: STL (U model checking), finite monitors ( emptiness)
- -algorithm: reachability (linear)
- Response under weak fairness:
- -solve: weakly fair CTL ( model checking), Buchi monitors ( emptiness)
- -algorithm: strongly connected components (linear)

- Liveness:
- -solve: strongly fair CTL, Streett monitors ( () emptiness)
- -algorithm: recursively nested SCCs (quadratic)

From specification automata to monitor automata:

determinization (exponential) + complementation (easy)

From LTL to monitor automata:

complementation (easy) + tableau construction (exponential)

Simulation automata:

preorder refinement (quadratic)

- Reachability
- Strongly connected components
- Recursively nested SCCs
- Tableau construction
- Preorder refinement
- Streett determinization

Given: finite automaton (S, S0, , , FA)

Find: is there a path from a state in S0 to a state in FA ?

Solution: depth-first or breadth-first search

Application 1: STL model checking

Application 2: finite monitors

Given: Buchi automaton (S, S0, , , BA)

Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?

Solution: 1. Compute SCC graph by depth-first search

2. Mark SCC C as fair iff C BA

3. Check if some fair SCC is reachable from S0

Application 1: CTL model checking over weakly-fair transition graphs

(note: really need multiBuchi)

Application 2: Buchi monitors

Streett Emptiness transition graphs

Given: Streett automaton (S, S0, , , SA)

Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA ?

Solution: check if S0 RecSCC (S, , SA)

function RecSCC (S, transition graphs, SA) :

X := for each C SCC (S, ) do F := if C then for each (l,r) SA do if C r then F := F (l,r) else C := C \ l if F = SA then X := X pre*(C) else X := X RecSCC (C, C, F) return X

Complexity transition graphs

n number of states m number of transitions s number of Streett pairs

Reachability: O(n+m)

SCC: O(n+m)

RecSCC: O((n+m) · s2)

Application 1: CTL model checking over strongly-fair transition graphs

Application 2: Streett monitors

Tableau Construction transition graphs

Given: LTL formula

Find: Buchi automaton M such that L(M) = L()

[Fischer & Ladner 1975; Manna & Wolper 1982]

Fischer-Ladner Closure of a Formula transition graphs

Sub (a) = { a }

Sub () = { } Sub () Sub ()

Sub () = { } Sub ()

Sub () = { } Sub ()

Sub (U) = { U, (U) } Sub () Sub ()

| Sub () | = O(||)

s transition graphs Sub () is consistent

iff

-if () Sub () then () s iff s and s

-if () Sub () then () s iff s

-if (U) Sub () then (U) s iff either s or s and (U) s

Tableau M transition graphs = (S, S0, , , BA)

S ... set of consistent subsets of Sub ()

s S0 iff s

s t iff for all () Sub (), () s iff t

(s) ... conjunction of atomic observations in s and negated atomic observations not in s

For each (U) Sub (), BA contains { s | s or (U) s }

Size of M transition graphs is O(2||).

CTL model checking: linear / quadratic

LTL model checking: PSPACE-complete

Model checking:the idea transition graphs

- Let be an LTL formula and B be a transition system specifying the behavior of a system
- L(A) corresponds to all allowable behavior of the system
- L(B) corresponds to all possible behavior of the system
To check whether a system satisfies a specification we check if

L(B) L(A)

Model checking LTL transition graphs

- Checking language containment is difficult!
- But … L(B) L(A) is equivalent to
L(B) L(A) =

where L(A) is the set-complement of L(A).

Since L(A) = L(A) we have

L(B) L(A) iff L(B) L(A) =

The method transition graphs

- We now have the following model checking method
1. Find an automaton A representing the negation of the desired LTL specification

2. Model a system by a transition system B

3. Construct an automaton Csuch that

L(C) = L(B) L(A)

4. Check if L(C) =

Yes, but how?

Synchronizing automata transition graphs

To construct an automaton Csuch that

L(C) = L(B) L(A)

we synchronize B and A considering only

transitions <s,r> <s’,r’> where

- s s’ in B
- r r’ in A, and
- the valuation u holds in the state s.

t

u

tu

r transition graphs1

Example (1)- Specification: = G(p XFq)
Any occurrence of p must be followed (later) by an occurrence of q

- = F(p XGq)
there exist an occurrence of p after which q will never be encountered again

- A =

p,q

p,q

p,q

p,q

u1:

u2:

r0

p,q

p,q

p,q

p,q

u0:

Example: transition graphs(3)

- The synchronized product C = B A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

u0:

u1:

u2:

Example: transition graphs(4)

There is an execution accepted by B A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

- The language of B A is non-empty, and hence B [with = G(p XFq)]

Complexity transition graphs

- A has size O(2||) in the worst case
- The product B A has size O(|B|x|A|)
- We can determine if the language of BAis empty in O(|B A|) time
- Model checking B,s0 can be done in time
O(|B|x 2||)

Symbolic Model-Checking Algorithms transition graphs

Given: a “symbolic theory”, that is, an abstract data type called region with the following operations

pre, pre, post, post : region region

, , \ : region region region

, = : region region bool

< >, > < : A region

, Q : region

Intended Meaning of Symbolic Theories transition graphs

region ... set of states

, , \, , =, ... set operations

<a> = { q Q | [q] = a }

>a< = { q Q | [q] a }

pre (R) = { q Q | ( r R) q r }

pre (R) = { q Q | ( r)( q r r R )}

post (R) = { q Q | ( r R) r q }

post (R) = { q Q | ( r)( r q r R )}

If the state of a system is given by variables of type transition graphsVals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theoryFO(Vals, Ops) is an adequate symbolic theory:

region ... formula of FO (Vals, Ops)

, , \, , =, , Q ... , , , validity, validity, f, t

pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )

pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )

post (R(X)) = ( X”)( R(X”) Trans(X”,X) )

post (R(X)) = ( X”)( Trans(X”,X) R(X’’) )

If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:

each pre/post operation is a quantifier elimination

Example: Boolean Systems propositional theory

-all system variables X are boolean

-region: quantifier-free boolean formula over X

-pre, post: boolean quantifier elimination

Complexity: PSPACE

Example: Presburger Systems propositional theory

-all system variables X are integers

-the transition relation Trans(X,X’) is defined using only and

-region: quantifier-free formula of (Z, , )

-pre, post: quantifier elimination

An iterative language for writing symbolic model-checking algorithms

-only data type is region

-expressions: pre, post, , , \ , , =, < >, , Q

-assignment, sequencing, while-do, if-then-else

Example: Reachability model-checking algorithmsa

S :=

R := <a>

while R S do

S := S R

R := pre(R)

A recursive language for writing symbolic model-checking algorithms:

The Mu-Calculus

a = ( R) (a pre(R))

a = ( R) (a pre(R))

Syntax of the Mu-Calculus model-checking algorithms:

- ::= a | a |
| |

pre() | pre() |

(R) | (R) |

R

pre =

pre =

R ... region variable

Semantics of the Mu-Calculus model-checking algorithms:

[[ a ]]E := <a>

[[ a ]]E := >a<

[[ ]]E := [[ ]]E [[ ]]E

[[ ]]E := [[ ]]E [[ ]]E

[[ pre() ]]E := pre( [[ ]]E )

[[ pre() ]]E:= pre( [[ ]]E )

E maps each region variable to a region.

Operational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R) ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

[[ (R) ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

Denotational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R) ]]E := smallest region S such that S = [[]]E(RS)

[[ (R) ]]E := largest region S such that S = [[]]E(RS)

These regions are unique because all operators on regions (, , pre, pre) are monotonic.

model-checking algorithms:a = ( R) (a pre(R))

a = ( R) (a pre(R))

a = ( R) (a pre(R))

a = ( R) (a pre(R))

b U a = ( R) (a (b pre(R)))

a = ( R) (a pre( R )) = ( R) (a pre( ( S) (R pre(S)) ))

Temporal Properties model-checking algorithms: Fixpoints

- Note that
- AG p EF( p )

- Other temporal operators can also be represented as fixpoints
- AF p , EG p , p AU q , p EU q

- model-checking algorithms:every / alternation adds expressiveness

-all omega-regular languages in alternation depth 2

-model checking complexity: O( (|| (m+n)) d ) for formulas of alternation depth d

-most common implementation (SMV, Mocha): use BDDs to represent boolean regions

Download Presentation

Connecting to Server..