Trigger Querying

Orna Kupferman

Yoad Lustig

Motivation

Model exploration

In model exploration, the objective is to explore and understand the model.

Contrast this with model checking, in which the objective is to verify that the model satisfies the specification.

Model exploration was formalized as a problem by Chan (CAV 2000) who introduced query checking.

Query Checking

Query checking is based on CTL. In CTL model checking we get a Kripke

structure M and a formula, say AG[ p ], and ask whether M ² AG[ p ].

In query checking, a Boolean subformula is replaced by “?”, and one may ask M ²AG[?].

The solution is the “strongest” Boolean expression that can replace the “?”.

Query Checking - shortcoming

In query checking we search for a Boolean expression (that can replace the “?”).

A Boolean expression is evaluated at a state, and therefore refers to one point in time.

No temporal dynamics. The user is usually interested in scenarios. Example: what scenarios lead to the calling

of the function.

Triggers semantics

We use the temporal operator triggers (a.k.a. suffix implication) to describe scenarios.

M ² r triggers means:for every computation of M and index i,If [1..i]2 L(r) then i2 L().

1..i] i

i

Triggers semantics - example

In this model – Does M ² p¢q triggers next p– ALL computations inducing p¢q must be considered.

– Does M ² p¢p triggers next q

p q

p

q

q

p

p,q

?

?

Trigger Querying - Definition

In the trigger query M ² ? triggers we ask which words trigger orwhat is { u2* | M ² u triggers

The solution is the set of scenarios that trigger

The solution is guaranteed to be a regular set, and can be represented as a regular expression or a DFA.

Trigger querying: do all paths that induce a word

Trigger Querying technical characterization

are followed by ? does (w) µ []M?

w

[]M

q1

q8

q5

q4

q2

q7q0

q7 q5

q4

q2

q1 q3

q7

q8

q1

[]M : states from which all paths satisfy .

(w) : states a computation inducing w might end in.

(w)

Trigger Querying branching-time view

M ² u triggers iff (u) µ [M. In other words, the query is about states

(rather than infinite words / computations).

M ² w triggers is equivalent to M ² A[ w triggers and to M ² A[ w triggers A[

Solving Trigger Querying

The problem of identifying the set [M is the well studied problem of global model checking.

The problem of computing (u) is easily solvable by a type of subset construction on the states of M.

Construct a DFA AM, with state space 2Q, such that AM visits state (u) after reading u, and the accepting states of AM are sets contained in [M.

Complexity of Trigger Querying

Computing both [M and AM can be done in PSPACE.

For [M, the dependency on || is polyspace, but the dependency on |M| (structure complexity) is only polytime.

For AM, however, the dependency on M is also polyspace. Unfortunately, this is unavoidable.

Trigger querying: do all paths that induce a word

NFA complementation: do all runs on a word end in some set?

Complexity of Trigger Querying- lower bound idea.

are followed by ?end in some set?

w

[]M

Variants of trigger querying

Partial trigger querying. Relevant trigger querying. Constrained trigger querying. Observable trigger querying. Search for necessary conditions.

Partial Trigger Querying

Motivation: trying to overcome high complexity demands.

In partial trigger querying, we search for a subset of the solution to M ² ? triggers that is not empty unless so is the solution.

Simplest case: find a single word, of length bounded by a unary parameter, that trigger . This case is NP hard.

Relevant Trigger Querying

M ² r triggers means: 8 computation 8 i≥0 If [1..i]2 L(r) then i2 L().

Words that are not a prefix of any computation are solutions to M ² r triggers .

In relevant trigger querying we do not accept such vacuous solutions.

Technical solution: remove ; from AM’s set of accepting states.

1..i] i

Constrained Trigger Querying

Sometimes a user would like to have a dialog with the query-checking tool.

Example:– What are the solutions in which the signal x

is initially 0? Solutions in which x is initially 0 but then turns to 1?

In constrained trigger querying the user provides a query as well as a constraint; the solution set is intersected with the constraint.

Observable trigger querying

Sometimes a user would like to see solutions that refer only to a subset of “observable” signals.

Examples: – A user that doesn’t want to hear about internal

signals used in the implementation.– A user that want to know if there is a way to

control input signal x that will force the system to behave in some way.

When M ² r triggers , the language of r can be seen as a sufficient reason for

If a word from L(r) “happens” then will inevitably “happen”.

What about necessary conditions? Informally: what “event” always precedes ?

Necessary conditions

Necessary conditions (cont’)

8 computation 8 i≥0 If i2 L() then [1..i]2 L(r) .

No unique solution. In fact, * is always a solution.

A solution r1 is stronger than r2 iff L(r1)µ L(r2). A unique stronger solution exists.

1..i] i

Necessary conditions - technical

Similar technical details:– Set G = { s | Ms ² : }.– Necessary condition is { u2* | (u)Å G ; }.

The complexity is polynomial space in ||, but only nondeterministic logspace in |M|.

Queries?

A query A trigger(fish)