1-modelchecking

7/31/2019 1-ModelChecking

1/53

Tutorial I An Introduction toModel Checking

Peng WU

INRIA FutursLIX, cole Polytechnique


2/53

Outline Model Checking

Temporal Logic Model Checking Algorithms

Symbolic Model Checking

Advanced Topics

Symmetry Reduction Partial-Order Reduction Infinite Model Checking


3/53

Principles

Increase our confidence in the correctness of themodel: The model satisfied enough system properties Study counterexamples, pinpoint the source of the error,

correct the model, and try again

Model(System Requirements)

Specification(System Property)

Model

Checker

Answer:

Yes, if the model satisfies

the specification

Counterexample, otherwise


4/53

Kripke Model Kripke Structure + Labeling Function

Let AP be a non-empty set of atomic propositions.

Kripke Model: M = (S, s0, R, L)

S finite set of statess0S initial stateRS S transition relationL: S2AP labeling function


5/53

Temporal Logics Express properties of event orderings in

time Linear Time

Every moment has a uniquesuccessor

Infinite sequences (words)

Linear Temporal Logic (LTL)

Branching Time Every moment has several

successors

Infinite tree

Computation Tree Logic (CTL)


8/53

LTL p

p

pUq

pRq

p p p p p p p p p p p...

p p p p p p

p p p p p p p p p q

q q q q q q q q q q,p


9/53

LTL Satisfiability The satisfiability problem of LTL is

PSPACE-complete. If a LTL formula is satisfiable, then the

formula is satisfiable by a finite kripkemodel.

LTL Model Checking: PSAPCE-complete


10/53

LTL Model Checking -Regular Languages -Automata

Finite states Representing infinite executions

Bchi Automata - Kripke Model

M |= p iff L(MA) L(pA) iff L(MApA)=


11/53

LTL Model CheckingWe can build a Bchi automaton which

accepts all and only the infinite traces

represented by an LTL formula.The Bchi automaton is exponential in

the size of the formula.

The complexity of model checking isproportional to the size of theautomaton.


12/53

Computation Tree Logic (State) Formulas

p - atomic proposition

p, pq, pq AXp, EXp, AFp, EFp, AGp, EGp A(pUq), E(pUq), A(pRq), E(pRq)


15/53

CTL Satisfiability

The satisfiability problem of CTL isEXPTIME-complete.

If a CTL formula is satisfiable, then theformula is satisfiable by a finite kripkemodel.

CTL Model Checking: O(|p|(|S|+|R|))


16/53

Equivalence

EXp EGp E(pUq)---------------------------------------------------AXp EXpAFp EGpAGp EFpA(pRq) E(pUq)A(pUq) E(pRq)

EFp E(true U p)E(pRq) E(qU(pq))EGq


17/53

CTL Model Checking

Six Cases: p is an atomic proposition

p = q p = qr p = EXq p = EGq p = E(qUr)

Extension of LL: S 2APsubformulas of p


18/53

CTL Model Checking

p is an atomic propositionL(s) = L(s)

p = qL(s) = L(s) { p } if qL(s)

p = qr

L(s) = L(s) { p } if qL(s) orrL(s)p = EX q

L(s) = L(s) { p } if (s,s)R: qL(s)


19/53

E(qUr)

procedure checkEU(q,r)T := { s | r L(s) };

for (all s T) do L(s) := L(s) { p };while (T) dochoose s T;T := T \ {s};

for (all t such that R(t,s)) doif (p L(t) and q L(t)) thenL(t) := L(t) { p };T := T { t };

r

q

BFS


20/53

Example: E(qUr)

r

q q

q

q

q,r


21/53

EGq

procedure checkEG(q)S := { s | q L(s) };SCC := { C | C is a non-trivial SCC of S };

T := { s | s some C of SCC };for (all s T) do L(s) := L(s) { p };while (T) do

choose s T;T := T \ {s};for (all t such that t S and R(t,s)) do

if (p L(t)) thenL(t) := L(t) { p };T := T { t };qSCC

SCCSCC

EG q


22/53

Example: EGq

r

q q

q

q

q,r


23/53

CTL*

State Formulas p atomic proposition p, pq, pq Ap, Ep if p is a path formula

Path Formulas

p if p is a state formula p, pq, pq Xp, Fp, Gp, pUq, pRq


27/53

CTL* Satisfiability

The satisfiability problem of CTL* is2EXPTIME-complete.

If a CTL* formula is satisfiable, then theformula is satisfiable by a finite kripkemodel.

CTL* Model Checking: PSAPCE-complete


28/53

Extended Kripke Model

Kripke Model: (S, s0, R, L)S finite set of states

s0S initial stateR2S S finite set of transition relationsL: S2AP labeling function

Let aSS range over transition relations in R sa={s | (s,s)a}


29/53

Modal -Calculus

(State) Formulas p atomic proposition

p, pq, pq [a]p, ap X proposition variable X.p, X.p if all occurrences of X is under

an even number of negations Syntactic Monotonicity


30/53

Alternation Depth

top-level ()-subformula NOT contained within any other greatest(least) fixpoint

subformula

Alternation Depth d d(p)=d(p)=d(X)=0

All negations are applied to propositions. d(pq)=d(pq)=max(d(p),d(q)) d([a]p)=d(ap)=d(p) d(X.p)=max(1, d(p), 1+max(,d(qi),)), where qi is a top-

level -subformula d(X.p)=max(1, d(p), 1+max(,d(qi),)) , where qi is a top-

level -subformula


31/53

Modal -Calculus - Semantics

M, s |=V

p if pL(s) M, s |=

Vp if not M, s |=

Vp

M, s |=V

pq if M, s |=V

p and M, s |=V

p M, s |=

Vpq if M, s |=

Vp or M, s |=

Vp

M, s |=V

[a]p if ssa: M, s |=Vp M, s |=

Vap if ssa: M, s |=Vp

M, s |=VX if sV(X) M, s |=

VX.p if M, s |=

Vp{X.p /X}?

M, s |=VX.p if M, s |=

Vp{X.p /X}?


32/53

Global Model Checking

Denotation SemanticsS

V(p) = {s | pL(s)}S

V

(p) = SS

V

(p)

SV(pq) = SV(p) SV(q)

SV(pq) = SV(p) SV(q)

SV([a]p) = {s | ssa: sSV(p)}

SV

(ap) = {s | ss

a: sS

V

(p)}

SV(X) =V(X)

SV(X.p) = {WS |WSV{XW}(p)}

SV(X.p) = {WS |SV{XW}(p)W}

Tarski-Knaster Theorem


33/53

Global Model Checking

Global Model Checking M, s |= p if sS

V(p)

F(W)= SV{X

W}(p) X.p

S, F(S), F2(S),, Fi(S)=Fi+1(S) X.p

, F(), F2

(),, Fi

()=Fi+1

() O(|p|(|S|+|R|)|S|k)

k: nesting depth

Emerson-Lei: O(|p|(|S|+|R|)(|p||S|)d)


34/53

Local Model Checking

Extension of Modal -Calculus XW.p X.p X

.p

Let F be a function on 2S,PX.F(X) iff PF(X.(PF(X)))

M, s |=VXW.p if

sW or, if not, M, s |=Vp[XW{s}.p/X] Tableau System Fixpoint Equation System


35/53

Modal -Calculus Satisfiability

The satisfiability problem of modal -calculus is EXPTIME-complete.

If a modal -calculus formula issatisfiable, then the formula issatisfiable by a finite kripke model.

Modal -Calculus Model Checking: O(?)


36/53


State Space Explosion Problem Reduce memory requirement by

utilizing compact representations ofstates/transitions Boolean formulas represent sets and

relations Use fixed point characterizations of CTL

operators


37/53

Ordered Binary DecisionDiagram (OBDD)

(a1 b1) (a2 b2)

a1

b1

b1

a2 a2

b2 b2 b2

a2 a2

b2 b2b2b2 b2

00 110000

0

0

0 0

0

0 0

0 0 0 0

1

1

11

1

11

1 1 1 100 001001

0 0 0 01 1 1 1


38/53

Reduced OBDD

(a1 b1) (a2 b2)

a1

b1

b1

a2 a2

b2 b2 b2

a2 a2

b2 b2b2b2 b2

00 110000

0

0

0 0

0

0 0

0 0 0 0

1

1

11

1

11

1 1 1 100 001001

0 0 0 01 1 1 1


39/53

(a1 b1) (a2 b2)

a1

b1

b1

a2

b2 b2

a2 a2

b2 b2b2 b2

00 110000

0

0

0

0

0 0

0 0 0 0

1

1

11

1

1

1 1 1 101001

0 01 1

Reduced Ordered BDD


40/53

(a1 b1) (a2 b2)

a1

b1

b1

a2

b2 b2

a2

b2 b2

00 11

0

0

0

0

0

0 0

1

1

1

1

1

1 101001

0 01 1

Reduced Ordered BDD


41/53

(a1 b1) (a2 b2)

a1

b1

b1

a2

b2 b2

0

0

0

0

1

11

1

010010 01 1

Reduced Ordered BDD


42/53

(a1 b1) (a2 b2)

a1

b1

b1

a2

b2 b2

0

0

0

1

1

1

010 01 1

01

Reduced Ordered BDD


43/53

Representation for States

States as Boolean Formulas 2m states encoded by m proposition variables State - conjunction of proposition or negative

proposition Set of States conjunction of state (encoding)

formula

Example: m = 2, S={s1,s2,s3,s4} Proposition Variables {a, b} S={00, 01, 10, 11}={ab, ab, ab, ab} {s1,s2}={00, 01}=(ab)(ab)


44/53

Representation for Transitions

Transitions as Boolean Formulas (s, s) encoded by two sets of proposition

variables Transitionconjunction of s and s Set of Transitions conjunction of

transition (encoding) formula

Example(s4,s3) = (11, 10) = abab


45/53


Atomic Propositions ROBDD(p) = {s | pL(s)}

ROBDD(p) = reversion of ROBDD(p) ROBDD(pq) = ROBDD (p)ROBDD(q)

is or

ROBDD(EXp(v)) = v:[p(v)R(

v, v)]

(E(pUq)) = Z.[q(pEX Z)] (EGp) = Z.[pEX Z]


46/53

Genealogy

Logics ofPrograms

Temporal/Modal Logics

CTL Model

Checking

Symbolic

Model Checking

w-automataS1S

LTL ModelChecking

ATV

Tarski

-Calculus

QBF BDD

Floyd/Hoarelate 60s

Aristotle 300s BCEKripke 59

Pnuelilate 70s Clarke/Emerson

Early 80s

Bchi, 60

Kurshan Vardi/Wolpermid 80s

50

Park, 60s

Bryant, mid 80s

late 80s


47/53

Anything Else?

Model Checking Temporal Logic

Model Checking Algorithms Symbolic Model Checking

Advanced Topics Symmetry Reduction Partial Order Reduction Infinite Model Checking


48/53

Symmetry Reduction

If state space is symmetric, explore only asymmetric quotient of the state space

A permutation is an automorphism of M iffor any s1,s2S,

R(s1,s2) R((s1), (s2)) G is an automorphism group for M iff every

permutation G is an automorphism of M. An automorphism group G is an invariancegroup for an atomic proposition p iff for anyG, sS, pL(s) pL((s))


49/53

Quotient Models

G Automorphism Group Orbit - (s) = {t | G: (s)=t}

MG=(SG, (s0), RG, LG) SG={(s) | sS} RG={((s1), (s2)) | (s1, s2)R} LG((s))=L(rep((s))) representative

If G is an invariance group for all the atomicpropositions occurring in a CTL* formula p, then

M, s |= p iff MG, (s) |= p The orbit problem is as hard as the Graph

Isomorphism problem, which is in NP.


50/53

Partial Order Reduction

Reduce the number of interleavings ofindependent concurrent transitions Enabledness + Commutativity

r

s

s2s1

a

ab

b

No Reductions Transitions Reduced States Reduced

r

s

s2s1

a

b

b

r

s

s1

a

b


51/53

Stuttering Equivalence

Let M and M be two stutteringequivalent structures. For every LTL_Xproperty p, M, s |= p iff M, s |= p


52/53

Infinite Model Checking Verification of Infinite Systems

Unbounded Data Structures Data Manipulations on Infinite Data Domains, e.g integer counters Asynchronous (Lossy) Channel Systems unbounded FIFO queues Timed Automata - real-valued clocks

Unbounded Control Structures (Recursive) Procedure Call - unbounded stacks (Pushdown Automata) Parameterized Systems any number of processes Dynamic Creation of Processes, Mobility

Abstract Representation Regular Sets, Time Zones,

More techniques involved Constraint Programming, Deductive Verification,

AVIS - International Workshop on Automated Verification ofInfinite-State Systems


53/53

Still More

Abstraction Compositional Verification Software Model Checking

VeriSoft, SLAM, JPF

Probabilistic Model Checking

1-modelchecking

Documents