Trigger Querying. Orna Kupferman, Yoad Lustig.
Motivation
Model exploration • In model exploration, the objective is to explore and understand the model. • Contrast this with model checking, in which the objective is to verify that the model satisfies the specification. • Model exploration was formalized as a problem by Chan (CAV 2000) who introduced query checking.
Query Checking • Query checking is based on CTL. • In CTL model checking we get a Kripke structure M and a formula, say AG[ p ], and ask whether M ⊨ AG[ p ]. • In query checking, a Boolean subformula is replaced by “?”, and one may ask M ⊨ AG[?]. • The solution is the “strongest” Boolean expression that can replace the “?”.
Query Checking - shortcoming • In query checking we search for a Boolean expression (one that can replace the “?”). • A Boolean expression is evaluated at a state, and therefore refers to a single point in time. • No temporal dynamics. • The user is usually interested in scenarios. • Example: which scenarios lead to the function being called?
Triggers semantics • We use the temporal operator triggers (a.k.a. suffix implication) to describe scenarios. • M ⊨ r triggers means: for every computation of M and every index i, if the prefix [1..i] is in L(r), then the suffix from position i is in L().
Triggers semantics - example • In this model [figure: a Kripke structure whose states are labelled p, q, and p,q] • Does M ⊨ p·q triggers next p? • ALL computations inducing p·q must be considered. • Does M ⊨ p·p triggers next q?
Trigger Querying - Definition • In the trigger query M ⊨ ? triggers we ask which words trigger , or: what is { u ∈ * | M ⊨ u triggers }? • The solution is the set of scenarios that trigger . • The solution is guaranteed to be a regular set, and can be represented as a regular expression or a DFA.
Trigger Querying technical characterization • Trigger querying: are all paths that induce a word w followed by ? Formally: does (w) ⊆ []M hold? • []M: the states from which all paths satisfy . • (w): the states a computation inducing w might end in. [figure: a Kripke structure with states q0..q8, highlighting the set (w) and the set []M]
Trigger Querying branching-time view • M ⊨ u triggers iff (u) ⊆ []M. • In other words, the query is about states (rather than infinite words / computations). • M ⊨ w triggers is equivalent to M ⊨ A[ w triggers ] and to M ⊨ A[ w triggers A[ ] ].
Solving Trigger Querying • The problem of identifying the set []M is the well-studied problem of global model checking. • The problem of computing (u) is easily solvable by a type of subset construction on the states of M. • Construct a DFA AM with state space 2^Q such that AM visits state (u) after reading u, and the accepting states of AM are the sets contained in []M.
Complexity of Trigger Querying • Computing both []M and AM can be done in PSPACE. • For []M, the dependency on the formula size || is polyspace, but the dependency on |M| (structure complexity) is only polytime. • For AM, however, the dependency on M is also polyspace. Unfortunately, this is unavoidable.
Complexity of Trigger Querying - lower bound idea • Trigger querying: are all paths that induce a word w followed by , i.e., do they all end in []M? • NFA complementation: do all runs on a word end in some set?
Variants of trigger querying • Partial trigger querying. • Relevant trigger querying. • Constrained trigger querying. • Observable trigger querying. • Search for necessary conditions.
Partial Trigger Querying • Motivation: trying to overcome the high complexity demands. • In partial trigger querying, we search for a subset of the solution to M ⊨ ? triggers that is nonempty unless the solution itself is empty. • Simplest case: find a single word, of length bounded by a unary parameter, that triggers . This case is NP-hard.
Relevant Trigger Querying • M ⊨ r triggers means: ∀ computation ∀ i ≥ 0: if [1..i] ∈ L(r) then i ∈ L(). • Words that are not a prefix of any computation are (vacuous) solutions to M ⊨ r triggers . • In relevant trigger querying we do not accept such vacuous solutions. • Technical solution: remove ∅ from AM’s set of accepting states.
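The construction on the “Solving Trigger Querying” slide, together with the relevant and partial variants, as an added Python example (not code from the authors or the slides). It assumes a constructed four-state Kripke structure in which a letter is the set of signals true in a state, and handles only the slides’ example formula next p: delta(u) is the subset construction, next_states(p) is the global model checking step, trigger_dfa builds the DFA A_M over the reachable subsets, and solutions reads length-bounded solution words off that DFA.

```python
from collections import deque
# Constructed Kripke structure M (not the one on the slides); computations start in INIT.
LABEL = {0: frozenset("p"), 1: frozenset("q"), 2: frozenset("pq"), 3: frozenset("q")}
SUCC = {0: {1, 2}, 1: {2}, 2: {0, 3}, 3: {3}}
INIT = {0}
ALPHABET = frozenset(LABEL.values())  # a letter is the set of signals true in a state

def step(subset, letter):
    """Subset construction step: delta(u.letter) from delta(u); None is A_M's start."""
    candidates = INIT if subset is None else {t for s in subset for t in SUCC[s]}
    return frozenset(s for s in candidates if LABEL[s] == letter)

def delta(word):
    """delta(u): the states a computation inducing u might end in."""
    subset = None
    for letter in word:
        subset = step(subset, letter)
    return frozenset(INIT) if subset is None else subset

def next_states(prop):
    """Global model checking for psi = next prop: states all of whose successors satisfy prop."""
    return frozenset(s for s in LABEL if all(prop in LABEL[t] for t in SUCC[s]))

def triggers(word, prop):
    """M |= word triggers (next prop)  iff  delta(word) is contained in [psi]_M."""
    return delta(word) <= next_states(prop)

def trigger_dfa(prop, relevant=False):
    """A_M: states are the reachable subsets delta(u), accepting iff inside [psi]_M.
    Relevant trigger querying drops the empty set (reached only by vacuous words)."""
    good, trans, accepting, todo, seen = next_states(prop), {}, set(), deque([None]), {None}
    while todo:
        src = todo.popleft()
        ends = frozenset(INIT) if src is None else src
        if ends <= good and not (relevant and not ends):
            accepting.add(src)
        for letter in ALPHABET:
            dst = trans[(src, letter)] = step(src, letter)
            if dst not in seen:
                seen.add(dst); todo.append(dst)
    return trans, accepting

def solutions(prop, max_len, relevant=True):
    """Partial trigger querying: the solution words of length 1..max_len, read off A_M."""
    trans, accepting = trigger_dfa(prop, relevant)
    found, frontier = [], [((), None)]
    for _ in range(max_len):
        frontier = [(w + (a,), trans[(s, a)]) for w, s in frontier for a in ALPHABET]
        found += [w for w, s in frontier if s in accepting]
    return found
```

In this structure the word p·q triggers next p (the only state reachable after it has a single successor labelled p,q), p·(p,q) does not, and p·p is a vacuous solution that the relevant variant rejects.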
Constrained Trigger Querying • Sometimes a user would like to have a dialog with the query-checking tool. • Example: • What are the solutions in which the signal x is initially 0? Solutions in which x is initially 0 but then turns to 1? • In constrained trigger querying the user provides a query as well as a constraint; the solution set is intersected with the constraint.
Observable trigger querying • Sometimes a user would like to see solutions that refer only to a subset of “observable” signals. • Examples: • A user who doesn’t want to hear about internal signals used in the implementation. • A user who wants to know if there is a way to control the input signal x that will force the system to behave in some way.
Necessary conditions • When M ⊨ r triggers , the language of r can be seen as a sufficient reason for . • If a word from L(r) “happens” then will inevitably “happen”. • What about necessary conditions? • Informally: what “event” always precedes ?
Necessary conditions (cont’) • ∀ computation ∀ i ≥ 0: if i ∈ L() then [1..i] ∈ L(r). • No unique solution. In fact, * is always a solution. • A solution r1 is stronger than r2 iff L(r1) ⊆ L(r2). • A unique strongest solution exists.
Necessary conditions - technical • Similar technical details: • Set G = { s | Ms ⊨ ¬ }. • The necessary condition is { u ∈ * | (u) ∩ G ≠ ∅ }. • The complexity is polynomial space in ||, but only nondeterministic logspace in |M|.
Queries? [pictures: a query, a trigger(fish)]