model checking lecture 3
DESCRIPTION
Model Checking Lecture 3. Model-Checking Algorithms = Graph Algorithms. Safety: -solve: STL ( U model checking), finite monitors ( emptiness) -algorithm: reachability (linear) Response under weak fairness: - PowerPoint PPT PresentationTRANSCRIPT
1 Safety:
-solve: STL (U model checking), finite monitors ( emptiness)
-algorithm: reachability (linear)
2 Response under weak fairness:
-solve: weakly fair CTL ( model checking), Buchi monitors ( emptiness)
-algorithm: strongly connected components (linear)
3 Liveness:
-solve: strongly fair CTL, Streett monitors ( ()
emptiness)
-algorithm: recursively nested SCCs (quadratic)
From specification automata to monitor automata:
determinization (exponential) + complementation (easy)
Simulation automata:
preorder refinement (quadratic)
From LTL to monitor automata:
complementation (easy) + tableau construction (exponential)
Five Algorithms
1 Reachability
2 Strongly connected components
3 Recursively nested SCCs
4 Tableau construction
5 Preorder refinement
6 Streett determinization
Finite Emptiness
Given: finite automaton (S, S0, , , FA)
Find: is there a path from a state in S0 to a state in FA ?
Solution: depth-first or breadth-first search
Buchi Emptiness
Given: Buchi automaton (S, S0, , , BA)
Find: is there an infinite path from a state in S0 that visits some state in BA infinitely often ?
Solution: 1. Compute SCC graph by depth-first search
2. Mark SCC C as fair iff C BA
3. Check if some fair SCC is reachable from S0
Application 1: CTL model checking over weakly-fair transition
graphs
(note: really need multiBuchi)
Application 2: Buchi monitors
Streett Emptiness
Given: Streett automaton (S, S0, , , SA)
Find: is there an infinite path from a state in S0 that satisfies all Streett conditions (l,r) in SA ?
Solution: check if S0 RecSCC (S, , SA)
function RecSCC (S, , SA) :
X := for each C SCC (S, ) do
F := if C then
for each (l,r) SA doif C r
then F := F (l,r) else C := C \ l
if F = SA then X := X pre*(C) else X := X RecSCC (C, C, F)
return X
Complexity
n number of states m number of transitions s number of Streett pairs
Reachability: O(n+m)
SCC: O(n+m)
RecSCC: O((n+m) · s2)
Application 1: CTL model checking over strongly-fair transition
graphs
Application 2: Streett monitors
Tableau Construction
Given: LTL formula
Find: Buchi automaton M such that L(M) = L()
[Fischer & Ladner 1975; Manna & Wolper 1982]
Fischer-Ladner Closure of a Formula
Sub (a) = { a }
Sub () = { } Sub () Sub ()
Sub () = { } Sub ()
Sub () = { } Sub ()
Sub (U) = { U, (U) } Sub () Sub ()
| Sub () | = O(||)
s Sub () is consistent
iff
-if () Sub () then () s iff s and s
-if () Sub () then () s iff s
-if (U) Sub () then (U) s iff either s
or s and (U) s
Tableau M = (S, S0, , , BA)
S ... set of consistent subsets of Sub ()
s S0 iff s
s t iff for all () Sub (), () s iff t
(s) ... conjunction of atomic observations in s and negated atomic observations not in s
For each (U) Sub (), BA contains { s | s or (U) s }
Model checking:the idea• Let be an LTL formula and B be a
transition system specifying the behavior of a system
– L(A) corresponds to all allowable behavior of
the system– L(B) corresponds to all possible behavior of
the system
To check whether a system satisfies a specification we check if
L(B) L(A)
• Checking language containment is difficult!
• But … L(B) L(A) is equivalent to
L(B) L(A) =
where L(A) is the set-complement of L(A).
Since L(A) = L(A) we have
L(B) L(A) iff L(B) L(A) =
Model checking LTL
The method
• We now have the following model checking method1. Find an automaton A representing the negation of the desired LTL specification
2. Model a system by a transition system B
3. Construct an automaton C such that
L(C) = L(B) L(A)
4. Check if L(C) = Yes, but how?
Synchronizing automata
To construct an automaton C such that
L(C) = L(B) L(A)
we synchronize B and A considering only
transitions <s,r> <s’,r’> where – s s’ in B
– r r’ in A, and
– the valuation u holds in the state s.
t
tuu
Example (1)• Specification: = G(p XFq)
Any occurrence of p must be followed (later) by an occurrence of q
= F(p XGq)there exist an occurrence of p after which q will never be encountered again
• A =
r0 r1p,q
p,qp,qp,q
p,qp,q p,q
p,qu1:
u0:
u2:
Example: (3)• The synchronized product C = B A
pq
pq
pq
pq
t1u0
t5u0
t2u0 t3u0
t4u0
pq
pq
pq
pq
t1u2
t5u2
t2u2 t3u2
t4u0
p,qp,qp,qp,q
u0:p,q
p,qu1: p,qp,qu2:
• The language of B A is non-empty, and hence B [with = G(p XFq)]
Example: (4)There is an execution accepted by B A
pq
pq
pq
pq
t1u0
t5u0
t2u0 t3u0
t4u0
pq
pq
pq
pq
t1u2
t5u2
t2u2 t3u2
t4u0
Complexity
• A has size O(2||) in the worst case• The product B A has size O(|B|x|
A|)• We can determine if the language of
BA is empty in O(|B A|) time
• Model checking B,s0 can be done in time
O(|B|x 2||)
Symbolic Model-Checking Algorithms
Given: a “symbolic theory”, that is, an abstract data type called region with the following operations
pre, pre, post, post : region region
, , \ : region region region
, = : region region bool
< >, > < : A region
, Q : region
Intended Meaning of Symbolic Theories
region ... set of states
, , \, , =, ... set operations
<a> = { q Q | [q] = a }
>a< = { q Q | [q] a }
pre (R) = { q Q | ( r R) q r }
pre (R) = { q Q | ( r)( q r r R )}
post (R) = { q Q | ( r R) r q }
post (R) = { q Q | ( r)( r q r R )}
If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory:
region ... formula of FO (Vals, Ops)
, , \, , =, , Q... , , , validity, validity, f, t
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
post (R(X)) = ( X”)( R(X”) Trans(X”,X) )
post (R(X)) = ( X”)( Trans(X”,X) R(X’’) )
If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:
each pre/post operation is a quantifier elimination
Example: Boolean Systems
-all system variables X are boolean
-region: quantifier-free boolean formula over X
-pre, post: boolean quantifier elimination
Complexity: PSPACE
Example: Presburger Systems
-all system variables X are integers
-the transition relation Trans(X,X’) is defined using only and
-region: quantifier-free formula of (Z, , )
-pre, post: quantifier elimination
An iterative language for writing symbolic model-checking algorithms
-only data type is region
-expressions: pre, post, , , \ , , =, < >, , Q
-assignment, sequencing, while-do, if-then-else
A recursive language for writing symbolic model-checking algorithms:
The Mu-Calculus
a = ( R) (a pre(R))
a = ( R) (a pre(R))
Syntax of the Mu-Calculus
::= a | a |
| |
pre() | pre() |
(R) | (R) |
R
pre =
pre = R ... region variable
Semantics of the Mu-Calculus
[[ a ]]E := <a>
[[ a ]]E := >a<
[[ ]]E := [[ ]]E [[ ]]E
[[ ]]E := [[ ]]E [[ ]]E
[[ pre() ]]E := pre( [[ ]]E )
[[ pre() ]]E:= pre( [[ ]]E )
E maps each region variable to a region.
Operational Semantics of the Mu-Calculus
[[ (R) ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
[[ (R) ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
Denotational Semantics of the Mu-Calculus
[[ (R) ]]E := smallest region S such that S = [[]]E(RS)
[[ (R) ]]E := largest region S such that S = [[]]E(RS)
These regions are unique because all operators on regions (, , pre, pre) are monotonic.
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
b U a = ( R) (a (b pre(R)))
a = ( R) (a pre( R )) = ( R) (a pre( ( S) (R pre(S)) ))
Temporal Properties Fixpoints
• Note that– AG p EF( p )
• Other temporal operators can also be represented as fixpoints– AF p , EG p , p AU q , p EU q