Tutorial I – An Introduction to Model Checking
Peng WU, INRIA Futurs
LIX, École Polytechnique
Outline
- Model Checking
- Temporal Logic
- Model Checking Algorithms
- Symbolic Model Checking
- Advanced Topics: Symmetry Reduction, Partial-Order Reduction, Infinite Model Checking
Principles
Increase our confidence in the correctness of the model:
- The model satisfies enough system properties
- Study counterexamples, pinpoint the source of the error, correct the model, and try again
Inputs to the model checker: Model (System Requirements) and Specification (System Property)
Answer:
- Yes, if the model satisfies the specification
- Counterexample, otherwise
Kripke Model
Kripke Structure + Labeling Function. Let $AP$ be a non-empty set of atomic propositions. Kripke Model: $M = (S, s_0, R, L)$
- $S$: finite set of states
- $s_0 \in S$: initial state
- $R \subseteq S \times S$: transition relation
- $L: S \to 2^{AP}$: labeling function
Temporal Logics
Express properties of event orderings in time
- Linear Time: every moment has a unique successor; infinite sequences (words); Linear Temporal Logic (LTL)
- Branching Time: every moment has several successors; infinite tree; Computation Tree Logic (CTL)
Linear Temporal Logic
(Path) Formulas: $p$ (atomic proposition), $\neg p$, $p \wedge q$, $p \vee q$, $\bigcirc p$, $\Diamond p$, $\Box p$, $p\,U\,q$, $p\,R\,q$
Semantics
- $M, \pi \models p$ if $p \in L(\pi(0))$
- $M, \pi \models \neg p$ if not $M, \pi \models p$
- $M, \pi \models p \wedge q$ if $M, \pi \models p$ and $M, \pi \models q$
- $M, \pi \models p \vee q$ if $M, \pi \models p$ or $M, \pi \models q$
LTL
Semantics (continued; $\pi^i$ is the suffix of $\pi$ starting at position $i$)
- $M, \pi \models \bigcirc p$ if $M, \pi^1 \models p$
- $M, \pi \models \Diamond p$ if $\exists i \ge 0: M, \pi^i \models p$
- $M, \pi \models \Box p$ if $\forall i \ge 0: M, \pi^i \models p$
- $M, \pi \models p\,U\,q$ if $\exists i \ge 0: M, \pi^i \models q$ and $\forall j < i: M, \pi^j \models p$
- $M, \pi \models p\,R\,q$ if $\forall i \ge 0: M, \pi^i \models q$, or $\exists i \ge 0: M, \pi^i \models p$ and $\forall j \le i: M, \pi^j \models q$
- $M \models p$ if $\forall \pi \in \Pi(M): M, \pi \models p$
LTL
[Figure: timelines for $\Diamond p$ (p holds at some position), $\Box p$ (p holds at every position), $p\,U\,q$ (p holds at every position before a position where q holds) and $p\,R\,q$ (q holds at every position up to and including one where both q and p hold)]
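The clauses above quantify over the positions $i \ge 0$ of an infinite path. As an added example (not code from the slides), the Python program below decides every LTL operator listed here on an ultimately periodic word given as a finite prefix plus a finite loop: such a word has only finitely many distinct suffixes, so the $\exists i$ / $\forall i$ clauses become bounded scans. The sample word, the tuple encoding of formulas and the names `LassoWord` and `holds` are this example's own choices.

```python
"""LTL semantics on an ultimately periodic (lasso) word.

An infinite word prefix . loop^omega is kept as two lists of label sets.
Position i >= len(prefix) repeats loop[(i - len(prefix)) % len(loop)], so
from any position only finitely many distinct suffixes exist, and the
"exists i >= 0" / "for all i >= 0" clauses of the slides become bounded scans.
Formulas are nested tuples: ("atom", "p"), ("not", f), ("and", f, g),
("or", f, g), ("X", f), ("F", f), ("G", f), ("U", f, g), ("R", f, g).
"""


class LassoWord:
    def __init__(self, prefix, loop):
        if not loop:
            raise ValueError("loop must be non-empty so the word is infinite")
        self.labels = [frozenset(x) for x in prefix] + [frozenset(x) for x in loop]
        self.plen, self.llen = len(prefix), len(loop)

    def norm(self, i):
        """Fold position i back into the stored prefix+loop array."""
        return i if i < self.plen else self.plen + (i - self.plen) % self.llen

    def at(self, i):
        return self.labels[self.norm(i)]

    def suffixes_from(self, i):
        """Positions j >= i, in time order, covering every distinct suffix once."""
        i = self.norm(i)
        if i < self.plen:
            return list(range(i, self.plen + self.llen))
        return [self.plen + (i - self.plen + k) % self.llen for k in range(self.llen)]


def holds(f, w, i=0):
    """M, pi^i |= f for the suffix of word w that starts at position i."""
    op = f[0]
    if op == "atom":
        return f[1] in w.at(i)
    if op == "not":
        return not holds(f[1], w, i)
    if op == "and":
        return holds(f[1], w, i) and holds(f[2], w, i)
    if op == "or":
        return holds(f[1], w, i) or holds(f[2], w, i)
    if op == "X":                                   # next: pi^{i+1} |= f
        return holds(f[1], w, i + 1)
    if op == "F":                                   # exists j >= i
        return any(holds(f[1], w, j) for j in w.suffixes_from(i))
    if op == "G":                                   # for all j >= i
        return all(holds(f[1], w, j) for j in w.suffixes_from(i))
    if op == "U":                                   # p U q
        for j in w.suffixes_from(i):                # scan forward in time
            if holds(f[2], w, j):                   # q reached, p held at every earlier j
                return True
            if not holds(f[1], w, j):               # p failed before q was reached
                return False
        return False                                # all distinct suffixes seen, q never held
    if op == "R":                                   # p R q: q holds up to and including p
        for j in w.suffixes_from(i):
            if not holds(f[2], w, j):
                return False                        # q failed before p released it
            if holds(f[1], w, j):
                return True                         # p releases q (q held so far, incl. here)
        return True                                 # q held at every distinct suffix: forever
    raise ValueError(f"unknown operator {op!r}")


def release_is_dual_of_until(w, p, q):
    """Check the identity  p R q  ==  not (not p U not q)  on word w."""
    direct = holds(("R", p, q), w)
    via_until = not holds(("U", ("not", p), ("not", q)), w)
    return direct == via_until


# Constructed sample word:  {p} {p} {p,q} ({q})^omega
WORD = LassoWord(prefix=[{"p"}, {"p"}, {"p", "q"}], loop=[{"q"}])
P, Q = ("atom", "p"), ("atom", "q")

if __name__ == "__main__":
    for name, f in [("G p", ("G", P)), ("F q", ("F", Q)), ("p U q", ("U", P, Q)),
                    ("p R q", ("R", P, Q)), ("q R p", ("R", Q, P)),
                    ("G F q", ("G", ("F", Q))), ("F G q", ("F", ("G", Q)))]:
        print(f"{name:6} : {holds(f, WORD)}")
```

The `U` and `R` scans stop as soon as the outcome is decided; when they exhaust `suffixes_from(i)` without deciding, every later position is a repeat of one already inspected, which is what justifies the final `return False` for `U` and `return True` for `R`.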
LTL Satisfiability
The satisfiability problem of LTL is PSPACE-complete.
If an LTL formula is satisfiable, then it is satisfiable by a finite Kripke model.
LTL Model Checking: PSPACE-complete
LTL Model Checking
ω-Regular Languages, ω-Automata: finite states representing infinite executions
Büchi Automata: $\langle \Sigma, S, \Delta, I, L, F \rangle$; a Kripke Model as a Büchi automaton: $\langle AP, S, R, \{s_0\}, L \rangle$
$M \models p$ iff $L(M_A) \subseteq L(p_A)$ iff $L(M_A \times \neg p_A) = \emptyset$
LTL Model Checking
We can build a Büchi automaton which accepts all and only the infinite traces represented by an LTL formula.
The Büchi automaton is exponential in the size of the formula.
The complexity of model checking is proportional to the size of the automaton.
Computation Tree Logic
(State) Formulas: $p$ (atomic proposition), $\neg p$, $p \wedge q$, $p \vee q$, $AXp$, $EXp$, $AFp$, $EFp$, $AGp$, $EGp$, $A(p\,U\,q)$, $E(p\,U\,q)$, $A(p\,R\,q)$, $E(p\,R\,q)$
CTL Semantics
- $M, s \models p$ if $p \in L(s)$
- $M, s \models \neg p$ if not $M, s \models p$
- $M, s \models p \wedge q$ if $M, s \models p$ and $M, s \models q$
- $M, s \models p \vee q$ if $M, s \models p$ or $M, s \models q$
- $M, s \models Ap$ if $\forall \pi \in \Pi(s): M, \pi \models p$
- $M, s \models Ep$ if $\exists \pi \in \Pi(s): M, \pi \models p$
CTL Semantics (continued)
- $M, \pi \models Xp$ if $M, \pi^1 \models p$
- $M, \pi \models Fp$ if $\exists i \ge 0: M, \pi^i \models p$
- $M, \pi \models Gp$ if $\forall i \ge 0: M, \pi^i \models p$
- $M, \pi \models p\,U\,q$ if $\exists i \ge 0: M, \pi^i \models q$ and $\forall j < i: M, \pi^j \models p$
- $M, \pi \models p\,R\,q$ if $\forall i \ge 0: M, \pi^i \models q$, or $\exists i \ge 0: M, \pi^i \models p$ and $\forall j \le i: M, \pi^j \models q$
- $M \models p$ if $M, s_0 \models p$
CTL Satisfiability
The satisfiability problem of CTL is EXPTIME-complete.
If a CTL formula is satisfiable, then it is satisfiable by a finite Kripke model.
CTL Model Checking: $O(|p| \cdot (|S| + |R|))$
Equivalence
Basic operators: $EXp$, $EGp$, $E(p\,U\,q)$. The others are derived:
- $AXp \equiv \neg EX\neg p$
- $AFp \equiv \neg EG\neg p$
- $AGp \equiv \neg EF\neg p$
- $A(p\,R\,q) \equiv \neg E(\neg p\,U\,\neg q)$
- $A(p\,U\,q) \equiv \neg E(\neg p\,R\,\neg q)$
- $EFp \equiv E(\mathit{true}\,U\,p)$
- $E(p\,R\,q) \equiv E(q\,U\,(p \wedge q)) \vee EGq$
CTL Model Checking
Six cases: $p$ is an atomic proposition; $p = \neg q$; $p = q \vee r$; $p = EXq$; $p = EGq$; $p = E(q\,U\,r)$
Extension of $L$ to $L': S \to 2^{AP \cup \{\text{subformulas of } p\}}$
CTL Model Checking
- $p$ is an atomic proposition: $L'(s) = L(s)$
- $p = \neg q$: $L'(s) = L'(s) \cup \{p\}$ if $q \notin L'(s)$
- $p = q \vee r$: $L'(s) = L'(s) \cup \{p\}$ if $q \in L'(s)$ or $r \in L'(s)$
- $p = EXq$: $L'(s) = L'(s) \cup \{p\}$ if $\exists (s, s') \in R: q \in L'(s')$
$p = E(q\,U\,r)$: procedure checkEU(q, r)

    T := { s | r ∈ L'(s) };
    for (all s ∈ T) do L'(s) := L'(s) ∪ { p };
    while (T ≠ ∅) do
        choose s ∈ T; T := T \ { s };
        for (all t such that R(t, s)) do
            if (p ∉ L'(t) and q ∈ L'(t)) then
                L'(t) := L'(t) ∪ { p }; T := T ∪ { t };

The search is a backward breadth-first search (BFS): it starts from the r-states and extends through q-states only.
Example: $E(q\,U\,r)$
[Figure: a six-state graph whose states are labeled r; q; q; q; q; q,r, used to trace checkEU]
$p = EGq$: procedure checkEG(q)

    S' := { s | q ∈ L'(s) };
    SCC := { C | C is a non-trivial SCC of S' };
    T := { s | s ∈ some C of SCC };
    for (all s ∈ T) do L'(s) := L'(s) ∪ { p };
    while (T ≠ ∅) do
        choose s ∈ T; T := T \ { s };
        for (all t such that t ∈ S' and R(t, s)) do
            if (p ∉ L'(t)) then
                L'(t) := L'(t) ∪ { p }; T := T ∪ { t };

A non-trivial SCC of the q-subgraph S' can be traversed forever, so its states and every state that reaches it inside S' satisfy $EGq$.
Example: $EGq$
[Figure: the same six-state graph (labels r; q; q; q; q; q,r), used to trace checkEG]
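The two procedures, as an added worked example in Python that is not the slides' own code: `check_EU` is the backward search of checkEU, `check_EG` seeds that search with the non-trivial SCCs of the q-subgraph (computed with Tarjan's algorithm, which the slides leave unspecified), and `sat` dispatches over the six cases plus the derived operators from the equivalence slide. The six-state model keeps the labels of the example slides; its state names and transitions are constructed for this example.

```python
"""Explicit-state CTL model checking by labeling, following the checkEU and
checkEG procedures of the slides. Each check returns the set of states whose
extended labeling L' receives the formula. Formulas are nested tuples:
("atom", "q"), ("not", f), ("or", f, g), ("EX", f), ("EU", f, g), ("EG", f),
plus ("EF", f), ("AG", f), ("AF", f) derived via the slides' equivalences."""
from collections import defaultdict


class Kripke:
    def __init__(self, states, init, edges, labels):
        self.S, self.s0, self.R = list(states), init, set(edges)
        self.L = {s: frozenset(labels.get(s, ())) for s in states}
        self.succ, self.pred = defaultdict(set), defaultdict(set)
        for s, t in self.R:
            self.succ[s].add(t)
            self.pred[t].add(s)


def check_EU(m, Q, Rs):
    """checkEU: seed with the r-states, then walk predecessors while q holds
    (a backward breadth-first search through q-states)."""
    labeled, work = set(Rs), list(Rs)
    while work:
        s = work.pop()
        for t in m.pred[s]:
            if t in Q and t not in labeled:
                labeled.add(t)
                work.append(t)
    return labeled


def nontrivial_sccs(m, restrict):
    """Tarjan's algorithm on the subgraph induced by `restrict`; an SCC is
    non-trivial if it has several states or one state with a self-loop."""
    index, low, stack, on_stack, out = {}, {}, [], set(), []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in m.succ[v]:
            if w not in restrict:
                continue
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of an SCC: pop it
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or (v, v) in m.R:
                out.append(comp)

    for v in restrict:
        if v not in index:
            visit(v)
    return out


def check_EG(m, Q):
    """checkEG: seed with the states of the non-trivial SCCs of the q-subgraph
    S' = Q, then walk q-predecessors backwards (the same loop as checkEU)."""
    return check_EU(m, Q, set().union(*nontrivial_sccs(m, Q)))


def sat(m, f):
    """Set of states satisfying f, by recursion over subformulas."""
    op, S = f[0], set(m.S)
    if op == "atom":
        return {s for s in m.S if f[1] in m.L[s]}
    if op == "not":
        return S - sat(m, f[1])
    if op == "or":
        return sat(m, f[1]) | sat(m, f[2])
    if op == "EX":
        Q = sat(m, f[1])
        return {s for s in m.S if m.succ[s] & Q}
    if op == "EU":
        return check_EU(m, sat(m, f[1]), sat(m, f[2]))
    if op == "EG":
        return check_EG(m, sat(m, f[1]))
    if op == "EF":                             # EFp = E(true U p)
        return check_EU(m, S, sat(m, f[1]))
    if op == "AG":                             # AGp = not EF not p
        return S - sat(m, ("EF", ("not", f[1])))
    if op == "AF":                             # AFp = not EG not p
        return S - sat(m, ("EG", ("not", f[1])))
    raise ValueError(f"unknown operator {op!r}")


def model_checks(m, f):
    """M |= f iff s0 is labeled with f."""
    return m.s0 in sat(m, f)


# Constructed six-state model: labels as on the example slides (r; q; q; q; q; q,r),
# transitions chosen for this example.
MODEL = Kripke(
    states=["s0", "s1", "s2", "s3", "s4", "s5"], init="s0",
    edges=[("s0", "s1"), ("s0", "s5"), ("s1", "s2"), ("s1", "s3"),
           ("s2", "s5"), ("s3", "s4"), ("s4", "s3"), ("s5", "s5")],
    labels={"s0": {"q"}, "s1": {"q"}, "s2": {"r"}, "s3": {"q"}, "s4": {"q", "r"}},
)
```

On this model `sat(MODEL, ("EU", ("atom", "q"), ("atom", "r")))` labels every state except `s5`, and `sat(MODEL, ("EG", ("atom", "q")))` labels `s0, s1, s3, s4` because the cycle `s3 <-> s4` is the only non-trivial SCC of the q-subgraph; the derived `AG q` holds only in `s3` and `s4`, since every other state can reach the unlabeled `s5` or `s2`.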
CTL*
State Formulas: $p$ (atomic proposition), $\neg p$, $p \wedge q$, $p \vee q$; $Ap$, $Ep$ if $p$ is a path formula
Path Formulas: $p$ if $p$ is a state formula; $\neg p$, $p \wedge q$, $p \vee q$, $Xp$, $Fp$, $Gp$, $p\,U\,q$, $p\,R\,q$
CTL* Semantics – State Formulas
- $M, s \models p$ if $p \in L(s)$
- $M, s \models \neg p$ if not $M, s \models p$
- $M, s \models p \wedge q$ if $M, s \models p$ and $M, s \models q$
- $M, s \models p \vee q$ if $M, s \models p$ or $M, s \models q$
- $M, s \models Ap$ if $\forall \pi \in \Pi(s): M, \pi \models p$
- $M, s \models Ep$ if $\exists \pi \in \Pi(s): M, \pi \models p$
CTL* Semantics – Path Formulas
- $M, \pi \models p$ if $M, \pi(0) \models p$ ($p$ is a state formula)
- $M, \pi \models \neg p$ if not $M, \pi \models p$
- $M, \pi \models p \wedge q$ if $M, \pi \models p$ and $M, \pi \models q$
- $M, \pi \models p \vee q$ if $M, \pi \models p$ or $M, \pi \models q$
CTL* Semantics – Path Formulas (continued)
- $M, \pi \models Xp$ if $M, \pi^1 \models p$
- $M, \pi \models Fp$ if $\exists i \ge 0: M, \pi^i \models p$
- $M, \pi \models Gp$ if $\forall i \ge 0: M, \pi^i \models p$
- $M, \pi \models p\,U\,q$ if $\exists i \ge 0: M, \pi^i \models q$ and $\forall j < i: M, \pi^j \models p$
- $M, \pi \models p\,R\,q$ if $\forall i \ge 0: M, \pi^i \models q$, or $\exists i \ge 0: M, \pi^i \models p$ and $\forall j \le i: M, \pi^j \models q$
For a state formula $p$: $M \models p$ if $M, s_0 \models p$
CTL* Satisfiability
The satisfiability problem of CTL* is 2EXPTIME-complete.
If a CTL* formula is satisfiable, then it is satisfiable by a finite Kripke model.
CTL* Model Checking: PSPACE-complete
Extended Kripke Model
Kripke Model: $(S, s_0, R, L)$
- $S$: finite set of states
- $s_0 \in S$: initial state
- $R \subseteq 2^{S \times S}$: finite set of transition relations
- $L: S \to 2^{AP}$: labeling function
Let $a \subseteq S \times S$ range over the transition relations in $R$; $sa = \{s' \mid (s, s') \in a\}$
Modal μ-Calculus
(State) Formulas: $p$ (atomic proposition), $\neg p$, $p \wedge q$, $p \vee q$, $[a]p$, $\langle a \rangle p$, $X$ (proposition variable), $\mu X.p$, $\nu X.p$ if all occurrences of $X$ in $p$ are under an even number of negations (Syntactic Monotonicity)
Alternation Depth
A top-level $\nu$ ($\mu$)-subformula is one NOT contained within any other greatest (least) fixpoint subformula.
Alternation depth $d$ (all negations are applied to propositions):
- $d(p) = d(\neg p) = d(X) = 0$
- $d(p \wedge q) = d(p \vee q) = \max(d(p), d(q))$
- $d([a]p) = d(\langle a \rangle p) = d(p)$
- $d(\mu X.p) = \max(1, d(p), 1 + \max(\ldots, d(q_i), \ldots))$, where the $q_i$ are the top-level $\nu$-subformulas of $p$
- $d(\nu X.p) = \max(1, d(p), 1 + \max(\ldots, d(q_i), \ldots))$, where the $q_i$ are the top-level $\mu$-subformulas of $p$
Modal μ-Calculus – Semantics
- $M, s \models_V p$ if $p \in L(s)$
- $M, s \models_V \neg p$ if not $M, s \models_V p$
- $M, s \models_V p \wedge q$ if $M, s \models_V p$ and $M, s \models_V q$
- $M, s \models_V p \vee q$ if $M, s \models_V p$ or $M, s \models_V q$
- $M, s \models_V [a]p$ if $\forall s' \in sa: M, s' \models_V p$
- $M, s \models_V \langle a \rangle p$ if $\exists s' \in sa: M, s' \models_V p$
- $M, s \models_V X$ if $s \in V(X)$
- $M, s \models_V \mu X.p$ if $M, s \models_V p\{\mu X.p / X\}$?
- $M, s \models_V \nu X.p$ if $M, s \models_V p\{\nu X.p / X\}$?
Global Model Checking – Denotational Semantics
- $S_V(p) = \{s \mid p \in L(s)\}$
- $S_V(\neg p) = S - S_V(p)$
- $S_V(p \wedge q) = S_V(p) \cap S_V(q)$
- $S_V(p \vee q) = S_V(p) \cup S_V(q)$
- $S_V([a]p) = \{s \mid \forall s' \in sa: s' \in S_V(p)\}$
- $S_V(\langle a \rangle p) = \{s \mid \exists s' \in sa: s' \in S_V(p)\}$
- $S_V(X) = V(X)$
- $S_V(\nu X.p) = \bigcup \{W \subseteq S \mid W \subseteq S_{V\{X \mapsto W\}}(p)\}$
- $S_V(\mu X.p) = \bigcap \{W \subseteq S \mid S_{V\{X \mapsto W\}}(p) \subseteq W\}$ (Tarski-Knaster Theorem)
Global Model Checking
$M, s \models p$ if $s \in S_V(p)$. Let $F(W) = S_{V\{X \mapsto W\}}(p)$:
- $\nu X.p$: iterate $S, F(S), F^2(S), \ldots$ until $F^i(S) = F^{i+1}(S)$
- $\mu X.p$: iterate $\emptyset, F(\emptyset), F^2(\emptyset), \ldots$ until $F^i(\emptyset) = F^{i+1}(\emptyset)$
Complexity: $O(|p| \cdot (|S| + |R|) \cdot |S|^k)$, $k$: nesting depth
Emerson-Lei: $O(|p| \cdot (|S| + |R|) \cdot (|p| \cdot |S|)^d)$, $d$: alternation depth
Local Model Checking – Extension of Modal μ-Calculus
Tagged fixpoint formulas $\nu X_W.p$, $\mu X_W.p$ with $W \subseteq S$ (the untagged $\nu X.p$ has $W = \emptyset$)
Let $F$ be a function on $2^S$: $P \subseteq \nu X.F(X)$ iff $P \subseteq F(\nu X.(P \cup F(X)))$
$M, s \models_V \nu X_W.p$ if $s \in W$ or, if not, $M, s \models_V p[\nu X_{W \cup \{s\}}.p / X]$
Tableau System, Fixpoint Equation System
Modal μ-Calculus Satisfiability
The satisfiability problem of the modal μ-calculus is EXPTIME-complete.
If a modal μ-calculus formula is satisfiable, then it is satisfiable by a finite Kripke model.
Modal μ-Calculus Model Checking: O(?)
Symbolic Model Checking
State Space Explosion Problem: reduce the memory requirement by utilizing compact representations of states/transitions
- Boolean formulas represent sets and relations
- Use fixed point characterizations of CTL operators
Ordered Binary Decision Diagram (OBDD)
[Figure: the full ordered decision tree of $(a_1 \leftrightarrow b_1) \wedge (a_2 \leftrightarrow b_2)$ under the variable order $a_1 < b_1 < a_2 < b_2$: one $a_1$ node, two $b_1$ nodes, four $a_2$ nodes, eight $b_2$ nodes and sixteen 0/1 leaves]
Reduced OBDD
[Figure, five steps: the leaves are merged into the two terminals 0 and 1, isomorphic subgraphs are shared, and nodes whose 0- and 1-branches coincide are removed, until only the Reduced Ordered BDD of the function remains]
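As an added example (not code from the slides), a minimal ROBDD implementation in Python that applies the two reduction rules from the figures, sharing isomorphic subgraphs and dropping tests whose branches coincide, through a unique table, and builds the comparator function above with Bryant's Apply. The formula is assumed to be $(a_1 \leftrightarrow b_1) \wedge (a_2 \leftrightarrow b_2)$, the standard textbook example; the class and function names are this example's own. Building it under two variable orders shows why the order matters.

```python
"""A small reduced ordered BDD (ROBDD) package. Nodes are created through a
unique table, so (1) a test whose two branches coincide is never built and
(2) isomorphic subgraphs are shared. Terminals are the node ids 0 and 1.
Used here for the slides' comparator example, assumed to be
(a1 <-> b1) and (a2 <-> b2), under two different variable orders."""
from itertools import product


class BDD:
    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # variable order
        self.nodes = {}     # id -> (var, low, high); ids 0 and 1 are the terminals
        self.unique = {}    # (var, low, high) -> id, the unique table

    def mk(self, var, low, high):
        """Return the shared node testing var; skip the test if both branches agree."""
        if low == high:
            return low
        key = (var, low, high)
        if key not in self.unique:
            nid = len(self.nodes) + 2
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def var(self, v):
        return self.mk(v, 0, 1)

    def _rank(self, n):
        return len(self.rank) if n in (0, 1) else self.rank[self.nodes[n][0]]

    def _cofactors(self, n, var):
        if n not in (0, 1) and self.nodes[n][0] == var:
            return self.nodes[n][1], self.nodes[n][2]
        return n, n          # n does not test var: both cofactors are n itself

    def apply(self, op, u, v):
        """Bryant's Apply: combine two ROBDDs with the Boolean operator op."""
        memo = {}

        def rec(u, v):
            if u in (0, 1) and v in (0, 1):
                return int(op(bool(u), bool(v)))
            if (u, v) in memo:
                return memo[(u, v)]
            var = self.nodes[u][0] if self._rank(u) <= self._rank(v) else self.nodes[v][0]
            ul, uh = self._cofactors(u, var)
            vl, vh = self._cofactors(v, var)
            memo[(u, v)] = res = self.mk(var, rec(ul, vl), rec(uh, vh))
            return res

        return rec(u, v)

    def size(self, root):
        """Number of internal (non-terminal) nodes reachable from root."""
        seen, stack = set(), [root]
        while stack:
            n = stack.pop()
            if n in (0, 1) or n in seen:
                continue
            seen.add(n)
            stack.extend(self.nodes[n][1:])
        return len(seen)

    def evaluate(self, root, assignment):
        n = root
        while n not in (0, 1):
            var, low, high = self.nodes[n]
            n = high if assignment[var] else low
        return bool(n)


def build_comparator(order):
    """ROBDD of (a1 <-> b1) and (a2 <-> b2) under the given variable order."""
    bdd = BDD(order)
    a1, b1, a2, b2 = (bdd.var(v) for v in ("a1", "b1", "a2", "b2"))
    iff = lambda x, y: x == y
    f = bdd.apply(lambda x, y: x and y, bdd.apply(iff, a1, b1), bdd.apply(iff, a2, b2))
    return bdd, f


def agrees_with_truth_table(bdd, root):
    """Cross-check the diagram against the formula on all 16 assignments."""
    for bits in product((False, True), repeat=4):
        env = dict(zip(("a1", "b1", "a2", "b2"), bits))
        expected = (env["a1"] == env["b1"]) and (env["a2"] == env["b2"])
        if bdd.evaluate(root, env) != expected:
            return False
    return True
```

With the order of the figures, $a_1 < b_1 < a_2 < b_2$, the comparator needs 6 internal nodes; with $a_1 < a_2 < b_1 < b_2$ the same function needs 9, because the diagram must remember both $a_1$ and $a_2$ before it can compare either. Since every node goes through the unique table, two constructions of the same function return the same node id, which is the canonicity property that makes equivalence checking a pointer comparison.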
Representation for States – States as Boolean Formulas
- $2^m$ states encoded by $m$ proposition variables
- State: conjunction of propositions or negated propositions
- Set of States: disjunction of state (encoding) formulas
Example: $m = 2$, $S = \{s_1, s_2, s_3, s_4\}$, proposition variables $\{a, b\}$; $S = \{00, 01, 10, 11\} = \{\neg a \wedge \neg b, \neg a \wedge b, a \wedge \neg b, a \wedge b\}$; $\{s_1, s_2\} = \{00, 01\} = (\neg a \wedge \neg b) \vee (\neg a \wedge b)$
Representation for Transitions – Transitions as Boolean Formulas
- $(s, s')$ encoded by two sets of proposition variables (unprimed for $s$, primed for $s'$)
- Transition: conjunction of the encodings of $s$ and $s'$
- Set of Transitions: disjunction of transition (encoding) formulas
Example: $(s_4, s_3) = (11, 10) = a \wedge b \wedge a' \wedge \neg b'$
Symbolic Model Checking
- Atomic propositions: $ROBDD(p) = \{s \mid p \in L(s)\}$
- $ROBDD(\neg p)$ = complement of $ROBDD(p)$
- $ROBDD(p \circ q) = ROBDD(p) \circ ROBDD(q)$, where $\circ$ is $\wedge$ or $\vee$
- $ROBDD(EXp(v)) = \exists v'.[p(v') \wedge R(v, v')]$
- $ROBDD(E(p\,U\,q)) = \mu Z.[q \vee (p \wedge EX\,Z)]$
- $ROBDD(EGp) = \nu Z.[p \wedge EX\,Z]$
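The fixpoint characterisations above, and the global model-checking iteration of the modal μ-calculus slides earlier, as an added Python example that is not the slides' code: `sem` implements the denotational semantics $S_V$ with explicit Python sets in place of ROBDDs, computes $\mu X.p$ by iterating from $\emptyset$ and $\nu X.p$ from $S$ until $F^i = F^{i+1}$, and the helpers `EU`, `EG`, `EF`, `AG` spell out the CTL operators as μ/ν formulas over $\langle * \rangle$ (which is $EX$) and $[*]$. The four-state model, its action names and the tuple syntax are constructed for this example.

```python
"""Global model checking for the modal mu-calculus by fixpoint iteration, as in
the denotational semantics S_V(p) of the slides: mu X.p is the limit of the chain
{}, F({}), F^2({}), ... and nu X.p the limit of S, F(S), F^2(S), ... (Tarski-Knaster).
Sets of states are plain Python sets, i.e. the explicit-set version of what an
ROBDD-based checker computes on Boolean formulas. Formulas are nested tuples:
("atom", "p"), ("not", f), ("and", f, g), ("or", f, g), ("box", a, f),
("dia", a, f), ("var", "X"), ("mu", "X", f), ("nu", "X", f); the action "*"
stands for the union of all transition relations, so <*> is the CTL EX operator."""


class LabelledKripke:
    """Extended Kripke model: a finite set of transition relations, one per action."""

    def __init__(self, states, init, labels, transitions):
        self.S = frozenset(states)
        self.s0 = init
        self.L = {s: frozenset(labels.get(s, ())) for s in states}
        self.R = {}
        for s, a, t in transitions:
            self.R.setdefault(a, set()).add((s, t))

    def post(self, s, a):
        """sa: the a-successors of s (all successors for a == '*')."""
        rels = self.R.values() if a == "*" else [self.R.get(a, set())]
        return {t for rel in rels for (u, t) in rel if u == s}


def sem(m, f, V=None):
    """S_V(f): the states of m satisfying f under the valuation V of variables."""
    V = V or {}
    op = f[0]
    if op == "atom":
        return frozenset(s for s in m.S if f[1] in m.L[s])
    if op == "not":
        return m.S - sem(m, f[1], V)
    if op == "and":
        return sem(m, f[1], V) & sem(m, f[2], V)
    if op == "or":
        return sem(m, f[1], V) | sem(m, f[2], V)
    if op == "box":                       # [a]f: every a-successor satisfies f
        W = sem(m, f[2], V)
        return frozenset(s for s in m.S if m.post(s, f[1]) <= W)
    if op == "dia":                       # <a>f: some a-successor satisfies f
        W = sem(m, f[2], V)
        return frozenset(s for s in m.S if m.post(s, f[1]) & W)
    if op == "var":
        return V[f[1]]
    if op in ("mu", "nu"):
        X, body = f[1], f[2]
        W = frozenset() if op == "mu" else m.S      # start of the chain
        while True:                                  # F(W) = S_{V{X -> W}}(body)
            nxt = sem(m, body, {**V, X: W})
            if nxt == W:
                return W                             # F^i = F^{i+1}: fixpoint reached
            W = nxt
    raise ValueError(f"unknown operator {op!r}")


def model_checks(m, f):
    """M |= f iff s0 is in S_V(f)."""
    return m.s0 in sem(m, f)


# CTL operators through their fixpoint characterisations from the slides.
def EX(f):
    return ("dia", "*", f)


def EU(p, q):
    return ("mu", "Z", ("or", q, ("and", p, EX(("var", "Z")))))


def EG(p):
    return ("nu", "Z", ("and", p, EX(("var", "Z"))))


def EF(p):
    return ("mu", "Z", ("or", p, EX(("var", "Z"))))


def AG(p):
    return ("nu", "Z", ("and", p, ("box", "*", ("var", "Z"))))


# Constructed four-state model: a process that requests, enters and leaves a
# critical section, but can also fail while waiting and then stay failed.
MODEL = LabelledKripke(
    states=["idle", "wait", "crit", "err"], init="idle",
    labels={"wait": {"w"}, "crit": {"c"}, "err": {"e"}},
    transitions=[("idle", "req", "wait"), ("wait", "enter", "crit"),
                 ("crit", "exit", "idle"), ("wait", "fail", "err"),
                 ("err", "fail", "err")],
)
```

On this model `EF c` is reached after three iterations from $\emptyset$ and excludes only `err`, while `AG not e` iterates down from $S$ to $\emptyset$ because every state can reach `err`; `[exit] e` holds vacuously in the three states that have no `exit` transition, which is the usual box-modality subtlety worth remembering when a safety property seems to pass too easily.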
Genealogy
[Figure: a genealogy of model checking with these nodes and dates: Aristotle (300's BCE), Kripke (59), Pnueli (late 70's) – Temporal/Modal Logics; Floyd/Hoare (late 60's) – Logics of Programs; Clarke/Emerson (early 80's) – CTL Model Checking; Büchi (60) – ω-automata, S1S; Kurshan, Vardi/Wolper (mid 80's) – LTL Model Checking, ATV; Tarski (50's), Park (60's) – μ-Calculus; QBF; Bryant (mid 80's) – BDD; Symbolic Model Checking (late 80's)]
Anything Else?
- Model Checking
- Temporal Logic
- Model Checking Algorithms
- Symbolic Model Checking
- Advanced Topics: Symmetry Reduction, Partial Order Reduction, Infinite Model Checking
Symmetry Reduction
If the state space is symmetric, explore only a symmetric "quotient" of the state space.
A permutation $\sigma$ is an automorphism of $M$ if for any $s_1, s_2 \in S$: $R(s_1, s_2) \Leftrightarrow R(\sigma(s_1), \sigma(s_2))$.
$G$ is an automorphism group for $M$ iff every permutation $\sigma \in G$ is an automorphism of $M$.
An automorphism group $G$ is an invariance group for an atomic proposition $p$ iff for any $\sigma \in G$, $s \in S$: $p \in L(s) \Leftrightarrow p \in L(\sigma(s))$.
Quotient Models ($G$ – Automorphism Group)
Orbit: $\theta(s) = \{t \mid \exists \sigma \in G: \sigma(s) = t\}$
$M_G = (S_G, \theta(s_0), R_G, L_G)$ with $S_G = \{\theta(s) \mid s \in S\}$, $R_G = \{(\theta(s_1), \theta(s_2)) \mid (s_1, s_2) \in R\}$, $L_G(\theta(s)) = L(rep(\theta(s)))$, where $rep$ picks a representative of the orbit
If $G$ is an invariance group for all the atomic propositions occurring in a CTL* formula $p$, then $M, s \models p$ iff $M_G, \theta(s) \models p$.
The orbit problem is as hard as the Graph Isomorphism problem, which is in NP.
Partial Order Reduction
Reduce the number of interleavings of independent concurrent transitions: Enabledness + Commutativity
[Figure: three diagrams over states r, s1, s2, s with transitions a and b: No Reductions (both interleavings, a then b via s1 and b then a via s2, are explored), Transitions Reduced (one of the redundant transitions into s is dropped), States Reduced (only one interleaving is explored, so s2 is dropped)]
Stuttering Equivalence
Let $M$ and $M'$ be two stuttering equivalent structures. For every LTL$_{-X}$ property $p$ (LTL without the next operator): $M, s \models p$ iff $M', s \models p$.
Infinite Model Checking – Verification of Infinite Systems
- Unbounded Data Structures: data manipulations on infinite data domains, e.g., integer counters; asynchronous (lossy) channel systems – unbounded FIFO queues; timed automata – real-valued clocks
- Unbounded Control Structures: (recursive) procedure calls – unbounded stacks (pushdown automata); parameterized systems – any number of processes; dynamic creation of processes, mobility
- Abstract Representation: regular sets, time zones, …
- More techniques involved: constraint programming, deductive verification, …
AVIS – International Workshop on Automated Verification of Infinite-State Systems
Still More…
- Abstraction
- Compositional Verification
- Software Model Checking: VeriSoft, SLAM, JPF
- Probabilistic Model Checking