model checking lecture 4 tom henzinger. model-checking problem i |= s system modelsystem property
TRANSCRIPT
Model Checking
Lecture 4
Tom Henzinger
Model-Checking Problem
I |= S
System model System property
-state-transition graph
-weak or strong fairness constraints
System Model
Temporal logics
-STL (finite runs) : , U
-CTL (infinite runs) : , U,
-LTL (infinite traces) : , U
Automata
-specification automata (trace containment)
-monitor automata (trace emptiness)
-simulation automata (relation between states)
System Properties
A Classification of Properties
-Finite:
-coFinite: (safety)
-Buchi: (weak fairness)
-coBuchi:
-Streett: ( ) (strong fairness)
-Rabin: ( )
The Omega-Regular Languages (Automata)
Streett = Rabin
Buchi coBuchi
FinitecoFinite
counter-free omega-regular (LTL)
Model-Checking Algorithms = Graph Algorithms
1 Finite/coFinite: reachability
2 Buchi/coBuchi: strongly connected components
3 Streett/Rabin: recursive s.c.c.s
4 Simulation: relation refinement
Graph Algorithms
Given: labeled graph (Q, , A, [ ] )
Cost: each node access and edge access has unit cost
Complexity: in terms of
|Q| = n ... number of nodes
|| = m ... number of edges
Reachability and s.c.c.s: O(m+n)
The Graph-Algorithmic View is Problematic
-The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists).
-Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms).
-The explicit graph representation may be so big, that the “unit-cost model” is not realistic.
-A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.
Symbolic Model-Checking Algorithms
Given: a “symbolic theory”, that is, an abstract data type called region with the following operations
pre, pre, post, post : region region
, , \ : region region region
, = : region region bool
< >, > < : A region
, Q : region
Intended Meaning of Symbolic Theories
region ... set of states
, , \, , =, ... set operations
<a> = { q Q | [q] = a }
>a< = { q Q | [q] a }
pre (R) = { q Q | ( r R) q r }
pre (R) = { q Q | ( r)( q r r R )}
post (R) = { q Q | ( r R) r q }
post (R) = { q Q | ( r)( r q r R )}
If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory:
region ... formula of FO (Vals, Ops)
, , \, , =, , Q... , , , validity, validity, f, t
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
pre (R(X)) = ( X’)( Trans(X,X’) R(X’) )
post (R(X)) = ( X”)( R(X”) Trans(X”,X) )
post (R(X)) = ( X”)( Trans(X”,X) R(X’’) )
If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory:
each pre/post operation is a quantifier elimination
Example: Boolean Systems
-all system variables X are boolean
-region: quantifier-free boolean formula over X
-pre, post: boolean quantifier elimination
Complexity: PSPACE
Example: Presburger Systems
-all system variables X are integers
-the transition relation Trans(X,X’) is defined using only and
-region: quantifier-free formula of (Z, , )
-pre, post: quantifier elimination
An iterative language for writing symbolic model-checking algorithms
-only data type is region
-expressions: pre, post, , , \ , , =, < >, , Q
-assignment, sequencing, while-do, if-then-else
Example: Reachability a
S :=
R := <a>
while R S do
S := S R
R := pre(R)
A recursive language for writing symbolic model-checking algorithms:
The Mu-Calculus
a = ( R) (a pre(R))
a = ( R) (a pre(R))
Syntax of the Mu-Calculus
::= a | a |
| |
pre() | pre() |
(R) | (R) |
R
pre =
pre = R ... region variable
Semantics of the Mu-Calculus
[[ a ]]E := <a>
[[ a ]]E := >a<
[[ ]]E := [[ ]]E [[ ]]E
[[ ]]E := [[ ]]E [[ ]]E
[[ pre() ]]E := pre( [[ ]]E )
[[ pre() ]]E:= pre( [[ ]]E )
E maps each region variable to a region.
Operational Semantics of the Mu-Calculus
[[ (R) ]]E := S’ := ; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
[[ (R) ]]E := S’ := Q; repeat S := S’; S’ := [[]]E(RS)
until S’=S; return S
Denotational Semantics of the Mu-Calculus
[[ (R) ]]E := smallest region S such that S = [[]]E(RS)
[[ (R) ]]E := largest region S such that S = [[]]E(RS)
These regions are unique because all operators on regions (, , pre, pre) are monotonic.
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
a = ( R) (a pre(R))
b U a = ( R) (a (b pre(R)))
a = ( R) (a pre( R )) = ( R) (a pre( ( S) (R pre(S)) ))
-every / alternation adds expressiveness
-all omega-regular languages in alternation depth 2
-model checking complexity: O( (|| (m+n))d ) for formulas of alternation depth d
-most common implementation (SMV, Mocha): use BDDs to represent boolean regions
Binary Decision Diagrams
-canonical data structure for representing quantifier-free boolean formulas
-equivalence checking in constant time
-in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation
-almost synonymous with “symbolic” model checking
-SAT solvers competitive in bounded model checking, which requires no termination (i.e., equivalence) check
Binary Decision Tree
-order k boolean variables x1, ..., xk
-binary tree of height k+1, each leaf labeled 0 or 1
-leaf of path “left, right, right, ...” gives value of boolean formula if x1=0, x2=1, x3=1, etc.
Binary Decision Diagram
1 Identify isomorphic subtrees (this gives a dag)
2 Eliminate nodes with identical left and right successors (for this, nodes need to be labeled with variable names)
For a given boolean formula and variable order, the result is unique.
(The choice of variable order may make an exponential difference!)
Operations on BDDs
, : recursive top-down traversal in O(u v) time if u and v are the number of respective BDD nodes
, : (x) (x) = (0) (1)
Variable reordering
Deciding Simulation
Relation Refinement
Given: state-transition graph (Q, , A, [ ] )
Find: for each state q Q, the set sim(q) Q of states that
simulate q
for each t Q do sim(t) := { u Q | [u] = [t] }
while there are three states s, t, u such thatt s & u sim(t) & sim(s) post(u) =
do
sim(t) := sim(t) \ {u}
{assert if u simulates t, then u sim(t) }
Efficient enumerative implementation: O(m n)
for each t Q do sim(t) := { u Q | [u] = [t] }
while there are three states s, t, u such thatsim(s) post(t) & u sim(t) & sim(s) post(u) =
do
sim(t) := sim(t) \ {u}
{assert s sim(s) }
{assert if u simulates t and t sim(s), then u sim(t) }
Equivalent Variation
Symbolic Implementation
Partition := { <a> | a A and <a> }
for each R Partition do sim(R) := R
while there are two regions R, S Partition such that R pre(sim(S)) &sim(R)\pre(sim(S)) do
R’ := R pre(sim(S)) ; R’’ := R\pre(sim(S))
Partition := (Partition \ {R}) R’
sim(R’) := sim(R) pre(sim(S))
if R’’ then Partition := Partition {R’’}; sim(R’’) := sim(R)
-symbolic algorithm applies also to infinite-state systems
-it terminates iff there is a finite quotient so that any two equivalent states simulate each other