1 / 34

Model Checking Lecture 4 Tom Henzinger

Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem. I |= S. System model. System property. System Model. -state-transition graph -weak or strong fairness constraints. System Properties. Temporal logics -STL (finite runs) :   , U

lylethomas
Download Presentation

Model Checking Lecture 4 Tom Henzinger

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model Checking Lecture 4 Tom Henzinger

  2. Model-Checking Problem I |= S System model System property

  3. System Model -state-transition graph -weak or strong fairness constraints

  4. System Properties Temporal logics -STL (finite runs) : , U -CTL (infinite runs) : , U,  -LTL (infinite traces) : , U Automata -specification automata (trace containment) -monitor automata (trace emptiness) -simulation automata (relation between states)

  5. A Classification of Properties -Finite:  -coFinite:  (safety) -Buchi:  (weak fairness) -coBuchi:  -Streett:  (   ) (strong fairness) -Rabin: (   )

  6. The Omega-Regular Languages (Automata) Streett = Rabin Buchi coFinite Finite coBuchi counter-free omega-regular (LTL)

  7. Model-Checking Algorithms = Graph Algorithms • Finite/coFinite: reachability • Buchi/coBuchi: strongly connected components • Streett/Rabin: recursive s.c.c.s • Simulation: relation refinement

  8. Graph Algorithms Given: labeled graph (Q, , A, [ ] ) Cost: each node access and edge access has unit cost Complexity: in terms of |Q| = n ... number of nodes || = m ... number of edges Reachability and s.c.c.s: O(m+n)

  9. The Graph-Algorithmic View is Problematic -The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists). -Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms). -The explicit graph representation may be so big, that the “unit-cost model” is not realistic. -A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.

  10. Symbolic Model-Checking Algorithms Given: a “symbolic theory”, that is, an abstract data type called region with the following operations pre, pre, post, post : region  region , , \ : region  region region  , = : region  region bool < >, > < : A  region , Q : region

  11. Intended Meaning of Symbolic Theories region ... set of states , , \, , =,  ... set operations <a> = { q  Q | [q] = a } >a< = { q  Q | [q]  a } pre (R) = { q  Q | ( r  R) q  r } pre (R) = { q  Q | ( r)( q  r  r  R )} post (R) = { q  Q | ( r  R) r  q } post (R) = { q  Q | ( r)( r  q  r  R )}

  12. If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theoryFO(Vals, Ops) is an adequate symbolic theory: region ... formula of FO (Vals, Ops) , , \, , =, , Q ... , , ,  validity,  validity, f, t pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) ) pre (R(X)) = ( X’)( Trans(X,X’)  R(X’) ) post (R(X)) = ( X”)( R(X”)  Trans(X”,X) ) post (R(X)) = ( X”)( Trans(X”,X)  R(X’’) )

  13. If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

  14. Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

  15. Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X’) is defined using only  and  -region: quantifier-free formula of (Z, , ) -pre, post: quantifier elimination

  16. An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post, , , \ ,  , =, < >, , Q -assignment, sequencing, while-do, if-then-else

  17. Example: Reachability a S :=  R := <a> while R  S do S := S  R R := pre(R)

  18. A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus a = ( R) (a  pre(R)) a = ( R) (a  pre(R))

  19. Syntax of the Mu-Calculus • ::= a | a |    |    | pre() | pre() | (R)  | (R)  | R pre =  pre =  R ... region variable

  20. Semantics of the Mu-Calculus [[ a ]]E := <a> [[ a ]]E := >a< [[    ]]E := [[  ]]E  [[  ]]E [[    ]]E := [[  ]]E  [[  ]]E [[ pre() ]]E := pre( [[  ]]E ) [[ pre() ]]E:= pre( [[  ]]E ) E maps each region variable to a region.

  21. Operational Semantics of the Mu-Calculus [[ (R)  ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S [[ (R)  ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS) until S’=S; return S

  22. Denotational Semantics of the Mu-Calculus [[ (R)  ]]E := smallest region S such that S = [[]]E(RS) [[ (R)  ]]E := largest region S such that S = [[]]E(RS) These regions are unique because all operators on regions (, , pre, pre) are monotonic.

  23. a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) a = ( R) (a  pre(R)) b U a = ( R) (a  (b  pre(R)))  a = ( R) (a  pre( R )) = ( R) (a  pre( ( S) (R  pre(S)) ))

  24. -every / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (||  (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

  25. Binary Decision Diagrams -canonical data structure for representing quantifier-free boolean formulas -equivalence checking in constant time -in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation -almost synonymous with “symbolic” model checking -SAT solvers competitive in bounded model checking, which requires no termination (i.e., equivalence) check

  26. Binary Decision Tree -order k boolean variables x1, ..., xk -binary tree of height k+1, each leaf labeled 0 or 1 -leaf of path “left, right, right, ...” gives value of boolean formula if x1=0, x2=1, x3=1, etc.

  27. Binary Decision Diagram • Identify isomorphic subtrees (this gives a dag) • Eliminate nodes with identical left and right successors (for this, nodes need to be labeled with variable names) For a given boolean formula and variable order, the result is unique. (The choice of variable order may make an exponential difference!)

  28. Operations on BDDs ,  : recursive top-down traversal in O(u  v) time if u and v are the number of respective BDD nodes ,  : (x) (x) = (0)  (1) Variable reordering

  29. Deciding Simulation

  30. Relation Refinement Given: state-transition graph (Q, , A, [ ] ) Find: for each state q  Q, the set sim(q)  Q of states that simulate q

  31. for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that t  s & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert if u simulates t, then u  sim(t) } Efficient enumerative implementation: O(m  n)

  32. Equivalent Variation for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that sim(s)  post(t)   & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert s  sim(s) } {assert if u simulates t and t  sim(s), then u  sim(t) }

  33. Symbolic Implementation Partition := { <a> | a  A and <a>   } for each R  Partition do sim(R) := R while there are two regions R, S  Partition such that R  pre(sim(S))   & sim(R)\pre(sim(S))   do R’ := R  pre(sim(S)) ; R’’ := R\pre(sim(S)) Partition := (Partition \ {R})  R’ sim(R’) := sim(R)  pre(sim(S)) if R’’   then Partition := Partition  {R’’}; sim(R’’) := sim(R)

  34. -symbolic algorithm applies also to infinite-state systems -it terminates iff there is a finite quotient so that any two equivalent states simulate each other

More Related