1 / 45

Model Checking Lecture 3

Model Checking Lecture 3. Model-Checking Algorithms = Graph Algorithms. Safety: -solve: STL ( U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) Response under weak fairness:

jocelyn-amadeus
Download Presentation

Model Checking Lecture 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking Lecture 3

  2. Model-Checking Algorithms = Graph Algorithms

  3. Safety: • -solve: STL (U model checking), finite monitors ( emptiness) • -algorithm: reachability (linear) • Response under weak fairness: • -solve: weakly fair CTL ( model checking), Buchi monitors ( emptiness) • -algorithm: strongly connected components (linear) • Liveness: • -solve: strongly fair CTL, Streett monitors (  () emptiness) • -algorithm: recursively nested SCCs (quadratic)

  4. From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential) Simulation automata: preorder refinement (quadratic)

  5. Five Algorithms • Reachability • Strongly connected components • Recursively nested SCCs • Tableau construction • Preorder refinement • Streett determinization

  6. Finite Emptiness Given: finite automaton (S, S0, , , FA) Find: is there a path from a state in S0 to a state in FA ? Solution: depth-first or breadth-first search

  7. Application 1: STL model checking Application 2: finite monitors

  8. Buchi Emptiness Given: Buchi automaton (S, S0, , , BA) Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S0

  9. Application 1: CTL model checking over weakly-fair transition graphs (note: really need multiBuchi) Application 2: Buchi monitors

  10. Streett Emptiness Given: Streett automaton (S, S0, , , SA) Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA ? Solution: check if S0 RecSCC (S, , SA)  

  11. function RecSCC (S, , SA) : X :=  for each C  SCC (S, ) do F :=  if C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre*(C) else X := X  RecSCC (C, C, F) return X

  12. Complexity n number of states m number of transitions s number of Streett pairs Reachability: O(n+m) SCC: O(n+m) RecSCC: O((n+m) · s2)

  13. Application 1: CTL model checking over strongly-fair transition graphs Application 2: Streett monitors

  14. Tableau Construction Given: LTL formula  Find: Buchi automaton M such that L(M) = L() [Fischer & Ladner 1975; Manna & Wolper 1982]

  15. Fischer-Ladner Closure of a Formula Sub (a) = { a } Sub () = {  }  Sub ()  Sub () Sub () = {  }  Sub () Sub () = {  }  Sub () Sub (U) = { U, (U) }  Sub ()  Sub () | Sub () | = O(||)

  16. s  Sub () is consistent iff -if ()  Sub () then ()  s iff   s and   s -if ()  Sub () then ()  s iff   s -if (U)  Sub () then (U)  s iff either   s or   s and (U)  s

  17. Tableau M = (S, S0, , , BA) S ... set of consistent subsets of Sub () s  S0 iff   s s  t iff for all ()  Sub (), ()  s iff   t (s) ... conjunction of atomic observations in s and negated atomic observations not in s For each (U)  Sub (), BA contains { s |   s or (U)  s }

  18. Size of M is O(2||). CTL model checking: linear / quadratic LTL model checking: PSPACE-complete

  19. Model checking:the idea • Let  be an LTL formula and B be a transition system specifying the behavior of a system • L(A) corresponds to all allowable behavior of the system • L(B) corresponds to all possible behavior of the system To check whether a system satisfies a specification we check if L(B)  L(A)

  20. Model checking LTL • Checking language containment is difficult! • But … L(B)  L(A) is equivalent to L(B)  L(A) =  where L(A) is the set-complement of L(A). Since L(A) = L(A) we have L(B)  L(A) iff L(B)  L(A) = 

  21. The method • We now have the following model checking method 1. Find an automaton A representing the negation of the desired LTL specification  2. Model a system by a transition system B 3. Construct an automaton Csuch that L(C) = L(B)  L(A) 4. Check if L(C) =  Yes, but how?

  22. Synchronizing automata To construct an automaton Csuch that L(C) = L(B)  L(A) we synchronize B and A considering only transitions <s,r>  <s’,r’> where • s  s’ in B • r  r’ in A, and • the valuation u holds in the state s. t u tu

  23. r1 Example (1) • Specification:  = G(p  XFq) Any occurrence of p must be followed (later) by an occurrence of q •  = F(p XGq) there exist an occurrence of p after which q will never be encountered again • A = p,q p,q p,q p,q u1: u2: r0 p,q p,q p,q p,q u0:

  24. Example (2) • The system: B = p q t1 t4 p q p q t5 t2 t3 p q

  25. Example: (3) • The synchronized product C = B A t4u0 p q p q t1u0 t4u0 t1u2 p q p q p q t5u2 p q t5u0 t2u0 t3u0 t2u2 t3u2 p q p q p,q p,q p,q p,q p,q p,q p,q p,q u0: u1: u2:

  26. Example: (4) There is an execution accepted by B  A t4u0 p q p q t1u0 t4u0 t1u2 p q p q p q t5u2 p q t5u0 t2u0 t3u0 t2u2 t3u2 p q p q • The language of B A is non-empty, and hence B  [with  = G(p  XFq)]

  27. Complexity • A has size O(2||) in the worst case • The product B A has size O(|B|x|A|) • We can determine if the language of BAis empty in O(|B A|) time • Model checking B,s0  can be done in time O(|B|x 2||)

  28. Symbolic Model-Checking Algorithms Given: a “symbolic theory”, that is, an abstract data type called region with the following operations pre, pre, post, post : region  region , , \ : region  region region  , = : region  region bool < >, > < : A  region , Q : region

  29. Intended Meaning of Symbolic Theories region ... set of states , , \, , =,  ... set operations <a> = { q  Q | [q] = a } >a< = { q  Q | [q]  a } pre (R) = { q  Q | ( r  R) q  r } pre (R) = { q  Q | ( r)( q  r  r  R )} post (R) = { q  Q | ( r  R) r  q } post (R) = { q  Q | ( r)( r  q  r  R )}

  30. If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theoryFO(Vals, Ops) is an adequate symbolic theory: region ... formula of FO (Vals, Ops) , , \, , =, , Q ... , , ,  validity,  validity, f, t pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) ) pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) ) post (R(X)) = ( X”)( R(X”)  Trans(X”,X) ) post (R(X)) = ( X”)( Trans(X”,X)  R(X’’) )

  31. If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

  32. Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

  33. Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X’) is defined using only  and  -region: quantifier-free formula of (Z, , ) -pre, post: quantifier elimination

  34. An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post, , , \ ,  , =, < >, , Q -assignment, sequencing, while-do, if-then-else

  35. Example: Reachability a S :=  R := <a> while R  S do S := S  R R := pre(R)

  36. A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus a = ( R) (a  pre(R)) a = ( R) (a  pre(R))

  37. Syntax of the Mu-Calculus • ::= a | a |    |    | pre() | pre() | (R)  | (R)  | R pre =  pre =  R ... region variable

  38. Semantics of the Mu-Calculus [[ a ]]E := <a> [[ a ]]E := >a< [[    ]]E := [[  ]]E  [[  ]]E [[    ]]E := [[  ]]E  [[  ]]E [[ pre() ]]E := pre( [[  ]]E ) [[ pre() ]]E:= pre( [[  ]]E ) E maps each region variable to a region.

  39. Operational Semantics of the Mu-Calculus [[ (R)  ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S [[ (R)  ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

  40. Denotational Semantics of the Mu-Calculus [[ (R)  ]]E := smallest region S such that S = [[]]E(RS) [[ (R)  ]]E := largest region S such that S = [[]]E(RS) These regions are unique because all operators on regions (, , pre, pre) are monotonic.

  41. a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) b U a = ( R) (a  (b  pre(R)))  a = ( R) (a  pre( R )) = ( R) (a  pre( ( S) (R  pre(S)) ))

  42. Temporal Properties  Fixpoints EF p p  (EX p)  EX (EX p)  … 1 2 3

  43. Temporal Properties  Fixpoints • Note that • AG p   EF( p ) • Other temporal operators can also be represented as fixpoints • AF p , EG p , p AU q , p EU q

  44. -every / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (||  (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

More Related