1 / 45

# Model Checking Lecture 3 - PowerPoint PPT Presentation

Model Checking Lecture 3. Model-Checking Algorithms = Graph Algorithms. Safety: -solve: STL ( U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) Response under weak fairness:

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

Lecture 3

• Safety:

• -solve: STL (U model checking), finite monitors ( emptiness)

• -algorithm: reachability (linear)

• Response under weak fairness:

• -solve: weakly fair CTL ( model checking), Buchi monitors ( emptiness)

• -algorithm: strongly connected components (linear)

• Liveness:

• -solve: strongly fair CTL, Streett monitors (  () emptiness)

• -algorithm: recursively nested SCCs (quadratic)

From specification automata to monitor automata:

determinization (exponential) + complementation (easy)

From LTL to monitor automata:

complementation (easy) + tableau construction (exponential)

Simulation automata:

• Reachability

• Strongly connected components

• Recursively nested SCCs

• Tableau construction

• Preorder refinement

• Streett determinization

Given: finite automaton (S, S0, , , FA)

Find: is there a path from a state in S0 to a state in FA ?

Application 2: finite monitors

Given: Buchi automaton (S, S0, , , BA)

Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?

Solution: 1. Compute SCC graph by depth-first search

2. Mark SCC C as fair iff C  BA  

3. Check if some fair SCC is reachable from S0

Application 1: CTL model checking over weakly-fair transition graphs

(note: really need multiBuchi)

Application 2: Buchi monitors

Streett Emptiness transition graphs

Given: Streett automaton (S, S0, , , SA)

Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA ?

Solution: check if S0 RecSCC (S, , SA)  

function RecSCC (S, transition graphs, SA) :

X :=  for each C  SCC (S, ) do F :=  if C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre*(C) else X := X  RecSCC (C, C, F) return X

Complexity transition graphs

n number of states m number of transitions s number of Streett pairs

Reachability: O(n+m)

SCC: O(n+m)

RecSCC: O((n+m) · s2)

Application 1: CTL model checking over strongly-fair transition graphs

Application 2: Streett monitors

Tableau Construction transition graphs

Given: LTL formula 

Find: Buchi automaton M such that L(M) = L()

[Fischer & Ladner 1975; Manna & Wolper 1982]

Fischer-Ladner Closure of a Formula transition graphs

Sub (a) = { a }

Sub () = {  }  Sub ()  Sub ()

Sub () = {  }  Sub ()

Sub () = {  }  Sub ()

Sub (U) = { U, (U) }  Sub ()  Sub ()

| Sub () | = O(||)

s transition graphs Sub () is consistent

iff

-if ()  Sub () then ()  s iff   s and   s

-if ()  Sub () then ()  s iff   s

-if (U)  Sub () then (U)  s iff either   s or   s and (U)  s

Tableau M transition graphs = (S, S0, , , BA)

S ... set of consistent subsets of Sub ()

s  S0 iff   s

s  t iff for all ()  Sub (), ()  s iff   t

(s) ... conjunction of atomic observations in s and negated atomic observations not in s

For each (U)  Sub (), BA contains { s |   s or (U)  s }

Size of M transition graphs is O(2||).

CTL model checking: linear / quadratic

LTL model checking: PSPACE-complete

Model checking:the idea transition graphs

• Let  be an LTL formula and B be a transition system specifying the behavior of a system

• L(A) corresponds to all allowable behavior of the system

• L(B) corresponds to all possible behavior of the system

To check whether a system satisfies a specification we check if

L(B)  L(A)

Model checking LTL transition graphs

• Checking language containment is difficult!

• But … L(B)  L(A) is equivalent to

L(B)  L(A) = 

where L(A) is the set-complement of L(A).

Since L(A) = L(A) we have

L(B)  L(A) iff L(B)  L(A) = 

The method transition graphs

• We now have the following model checking method

1. Find an automaton A representing the negation of the desired LTL specification 

2. Model a system by a transition system B

3. Construct an automaton Csuch that

L(C) = L(B)  L(A)

4. Check if L(C) = 

Yes, but how?

Synchronizing automata transition graphs

To construct an automaton Csuch that

L(C) = L(B)  L(A)

we synchronize B and A considering only

transitions <s,r>  <s’,r’> where

• s  s’ in B

• r  r’ in A, and

• the valuation u holds in the state s.

t

u

tu

r transition graphs1

Example (1)

• Specification:  = G(p  XFq)

Any occurrence of p must be followed (later) by an occurrence of q

•  = F(p XGq)

there exist an occurrence of p after which q will never be encountered again

• A =

p,q

p,q

p,q

p,q

u1:

u2:

r0

p,q

p,q

p,q

p,q

u0:

Example (2) transition graphs

• The system: B =

p

q

t1

t4

p

q

p

q

t5

t2

t3

p

q

Example: transition graphs(3)

• The synchronized product C = B A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

p,q

u0:

u1:

u2:

Example: transition graphs(4)

There is an execution accepted by B  A

t4u0

p

q

p

q

t1u0

t4u0

t1u2

p

q

p

q

p

q

t5u2

p

q

t5u0

t2u0

t3u0

t2u2

t3u2

p

q

p

q

• The language of B A is non-empty, and hence B  [with  = G(p  XFq)]

Complexity transition graphs

• A has size O(2||) in the worst case

• The product B A has size O(|B|x|A|)

• We can determine if the language of BAis empty in O(|B A|) time

• Model checking B,s0  can be done in time

O(|B|x 2||)

Symbolic Model-Checking Algorithms transition graphs

Given: a “symbolic theory”, that is, an abstract data type called region with the following operations

pre, pre, post, post : region  region

, , \ : region  region region

 , = : region  region bool

< >, > < : A  region

, Q : region

Intended Meaning of Symbolic Theories transition graphs

region ... set of states

, , \, , =,  ... set operations

<a> = { q  Q | [q] = a }

>a< = { q  Q | [q]  a }

pre (R) = { q  Q | ( r  R) q  r }

pre (R) = { q  Q | ( r)( q  r  r  R )}

post (R) = { q  Q | ( r  R) r  q }

post (R) = { q  Q | ( r)( r  q  r  R )}

If the state of a system is given by variables of type transition graphsVals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theoryFO(Vals, Ops) is an adequate symbolic theory:

region ... formula of FO (Vals, Ops)

, , \, , =, , Q ... , , ,  validity,  validity, f, t

pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) )

pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) )

post (R(X)) = ( X”)( R(X”)  Trans(X”,X) )

post (R(X)) = ( X”)( Trans(X”,X)  R(X’’) )

If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:

each pre/post operation is a quantifier elimination

Example: Boolean Systems propositional theory

-all system variables X are boolean

-region: quantifier-free boolean formula over X

-pre, post: boolean quantifier elimination

Complexity: PSPACE

Example: Presburger Systems propositional theory

-all system variables X are integers

-the transition relation Trans(X,X’) is defined using only  and 

-region: quantifier-free formula of (Z, , )

-pre, post: quantifier elimination

An iterative language for writing symbolic model-checking algorithms

-only data type is region

-expressions: pre, post, , , \ ,  , =, < >, , Q

-assignment, sequencing, while-do, if-then-else

Example: Reachability model-checking algorithmsa

S := 

R := <a>

while R  S do

S := S  R

R := pre(R)

A recursive language for writing symbolic model-checking algorithms:

The Mu-Calculus

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

Syntax of the Mu-Calculus model-checking algorithms:

• ::= a | a |

   |    |

pre() | pre() |

(R)  | (R)  |

R

pre = 

pre = 

R ... region variable

Semantics of the Mu-Calculus model-checking algorithms:

[[ a ]]E := <a>

[[ a ]]E := >a<

[[    ]]E := [[  ]]E  [[  ]]E

[[    ]]E := [[  ]]E  [[  ]]E

[[ pre() ]]E := pre( [[  ]]E )

[[ pre() ]]E:= pre( [[  ]]E )

E maps each region variable to a region.

Operational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R)  ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

[[ (R)  ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

Denotational Semantics of the Mu-Calculus model-checking algorithms:

[[ (R)  ]]E := smallest region S such that S = [[]]E(RS)

[[ (R)  ]]E := largest region S such that S = [[]]E(RS)

These regions are unique because all operators on regions (, , pre, pre) are monotonic.

model-checking algorithms:a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

a = ( R) (a  pre(R))

b U a = ( R) (a  (b  pre(R)))

 a = ( R) (a  pre( R )) = ( R) (a  pre( ( S) (R  pre(S)) ))

Temporal Properties model-checking algorithms: Fixpoints

EF p p  (EX p)  EX (EX p)  …

1

2

3

Temporal Properties model-checking algorithms: Fixpoints

• Note that

• AG p   EF( p )

• Other temporal operators can also be represented as fixpoints

• AF p , EG p , p AU q , p EU q

- model-checking algorithms:every / alternation adds expressiveness

-all omega-regular languages in alternation depth 2

-model checking complexity: O( (||  (m+n)) d ) for formulas of alternation depth d

-most common implementation (SMV, Mocha): use BDDs to represent boolean regions