Tutorial I - An Introduction To Model Checking: Peng WU

Tutorial I – An Introduction to
Model Checking
Peng WU
INRIA Futurs
LIX, École Polytechnique
Outline
 Model Checking
 Temporal Logic
 Model Checking Algorithms
 Symbolic Model Checking
 Advanced Topics
 Symmetry Reduction
 Partial-Order Reduction
 Infinite Model Checking
Principles
Model
(System Requirements) Answer:
Model Yes, if the model satisfies

Checker the specification
Specification
Counterexample, otherwise
(System Property)
 Increase our confidence in the correctness of the

model:
 The model satisfied enough system properties
 Study counterexamples, pinpoint the source of the error,
correct the model, and try again
Kripke Model
 Kripke Structure + Labeling Function
 Let AP be a non-empty set of atomic propositions.
 Kripke Model: M = (S, s0, R, L)
S finite set of states

s0S initial state
RS  S transition relation
L: S→2AP labeling function
Temporal Logics
 Express properties of event orderings in
time
 Linear Time  Branching Time
 Every moment has a unique  Every moment has several
successor successors
 Infinite sequences (words)  Infinite tree
 Linear Temporal Logic (LTL)  Computation Tree Logic (CTL)
Linear Temporal Logic
 (Path) Formulas
 p – atomic proposition
 p, pq, pq
 Op, p, p, pUq, pRq
 Semantics
 M,  |= p if pL(0)
 M,  |= p if not M,  |= p
 M,  |= pq if M,  |= p and M,  |= q
 M,  |= pq if M,  |= p or M,  |= q
LTL
 Semantics
 M,  |= Op if M, 1 |= p
 M,  |= p if i≥0: M, i |= p
 M,  |= p if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j<i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q
M |= p if (M): M, |= p
LTL
 p
p p p p p p
 p
p p p p p p p p p p p...
 pUq
p p p p p p p p p q
 pRq
q q q q q q q q q q,p
LTL Satisfiability
 The satisfiability problem of LTL is
PSPACE-complete.
 If a LTL formula is satisfiable, then the
formula is satisfiable by a finite kripke
model.
 LTL Model Checking: PSAPCE-
complete
LTL Model Checking
 ω-Regular Languages
 ω-Automata
 Finite states
 Representing infinite executions
 Büchi Automata
 <Σ, S, Δ, I, L, F >
 <AP, S, R , {s0}, L> - Kripke Model
M |= p iff L(MA)  L(pA) iff L(MApA)=

LTL Model Checking
We can build a Büchi automaton which
accepts all and only the infinite traces
represented by an LTL formula.
The Büchi automaton is exponential in
the size of the formula.
The complexity of model checking is
proportional to the size of the
automaton.
Computation Tree Logic
 (State) Formulas
 p - atomic proposition
 p, pq, pq
 AXp, EXp, AFp, EFp, AGp, EGp
 A(pUq), E(pUq), A(pRq), E(pRq)
CTL Semantics
 M, s |= p if pL(s)
 M, s |= p if not M, s |= p
 M, s |= pq if M, s |= p and M, s |= q
 M, s |= pq if M, s |= p or M, s |= q
 M, s |= Ap if (s): M,  |= p
 M, s |= Ep if (s): M,  |= p
CTL Semantics
 M,  |= Xp if M, 1 |= p
 M,  |= Fp if i≥0: M, i |= p
 M,  |= Gp if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j< i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q
M |= p if M, s0 |= p
CTL Satisfiability
 The satisfiability problem of CTL is
EXPTIME-complete.
 If a CTL formula is satisfiable, then the
model.
 CTL Model Checking: O(|p|·(|S|+|R|))
Equivalence
EXp EGp E(pUq)
---------------------------------------------------
AXp  EXp
AFp  EGp
AGp  EFp
A(pRq)  E(pUq)
A(pUq)  E(pRq)
EFp  E(true U p)
E(pRq)  E(qU(pq))EGq
CTL Model Checking
 Six Cases:
 p is an atomic proposition
 p = q
 p = qr
 p = EXq
 p = EGq
 p = E(qUr)
 Extension of L – L’: S →2AP ｛subformulas of p｝
CTL Model Checking
p is an atomic proposition：
L’(s) = L(s)
p = q ：
L’(s) = L’(s)  { p } if qL’(s)
p = qr ：
L’(s) = L’(s)  { p } if qL’(s) or rL’(s)
p = EX q ：
L’(s) = L’(s)  { p } if (s,s’)R: qL’(s’)
E(qUr)
 procedure checkEU(q,r)
T := { s | r  L(s) };
for (all s T) do L’(s) := L(s)  { p };
while (T≠) do
choose s T;
T := T \ {s};
for (all t such that R(t,s)) do
if (p  L’(t) and q  L’(t)) then
q
BFS L’(t) := L(t)  { p };
r
T := T  { t };
Example: E(qUr)
r q
q q q,r
EGq
 procedure checkEG(q)
S’ := { s | q  L(s) };
SCC := { C | C is a non-trivial SCC of S’ };
T := { s | s  some C of SCC };
for (all s T) do L’(s) := L(s)  { p };
while (T≠) do
choose s T;
T := T \ {s};
for (all t such that t  S’ and R(t,s)) do
if (p  L’(t)) then
L’(t) := L(t)  { p };
q
SCC T := T  { t };
EG q
SCC
SCC
Example: EGq
r q
q q q,r
CTL*
 State Formulas
 p, pq, pq
 Ap, Ep if p is a path formula
 Path Formulas
 p if p is a state formula
 p, pq, pq
 Xp, Fp, Gp, pUq, pRq
CTL* Semantics – State
Formulas
 M, s |= p if pL(s)
 M, s |= p if not M, s |= p
 M, s |= pq if M, s |= p and M, s |= p
 M, s |= pq if M, s |= p or M, s |= p
 M, s |= Ap if (s): M,  |= p
 M, s |= Ep if (s): M,  |= p
CTL* Semantics – Path
Formulas
 M,  |= p if M, 0 |= p
(p is a state formula)
 M,  |= p if not M,  |= p
 M,  |= pq if M,  |= p and M,  |= q
 M,  |= pq if M,  |= p or M,  |= q
CTL* Semantics – Path
Formulas
 M,  |= Xp if M, 1 |= p
 M,  |= Fp if i≥0: M, i |= p
 M,  |= Gp if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j< i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q
For a state formula p: M |= p if M, s0 |= p

CTL* Satisfiability
 The satisfiability problem of CTL* is
2EXPTIME-complete.
 If a CTL* formula is satisfiable, then the
model.
 CTL* Model Checking: PSAPCE-
complete
Extended Kripke Model
 Kripke Model: (S, s0, R, L)
S finite set of states
s0S initial state
R2S  S finite set of transition relations
L: S→2AP labeling function
 Let aSS range over transition relations in R
 sa={s’ | (s,s’)a}
Modal -Calculus
 (State) Formulas
 p, pq, pq
 [a]p, ap
 X – proposition variable
 X.p, X.p if all occurrences of X is under
an even number of negations
 Syntactic Monotonicity
Alternation Depth
 top-level ()-subformula
 NOT contained within any other greatest(least) fixpoint
subformula
 Alternation Depth – d
 d(p)=d(p)=d(X)=0
 All negations are applied to propositions.
 d(pq)=d(pq)=max(d(p),d(q))
 d([a]p)=d(ap)=d(p)
 d(X.p)=max(1, d(p), 1+max(…,d(qi),…)), where qi is a top-
level -subformula
 d(X.p)=max(1, d(p), 1+max(…,d(qi),…)) , where qi is a top-
level -subformula
Modal -Calculus - Semantics
 M, s |=V p if pL(s)
 M, s |=V p if not M, s |=V p
 M, s |=V pq if M, s |=V p and M, s |=V p
 M, s |=V pq if M, s |=V p or M, s |=V p
 M, s |=V [a]p if s’sa: M, s’ |=V p
 M, s |=V ap if s’sa: M, s’ |=V p
 M, s |=V X if sV (X)
 M, s |=V X.p if M, s |=V p{X.p /X}?
 M, s |=V X.p if M, s |=V p{X.p /X}?
Global Model Checking
 Denotation Semantics
SV (p) = {s | pL(s)}
SV (p) = S – SV (p)
SV (pq) = SV (p)  SV (q)
SV (pq) = SV (p)  SV (q)
SV ([a]p) = {s | s’sa: s’SV (p)}
SV (ap) = {s | s’sa: s’SV (p)}
SV (X) =V (X)
SV (X.p) = {WS |WSV {XW}(p)}
SV (X.p) = {WS |SV {XW}(p)W}
 Tarski-Knaster Theorem
Global Model Checking
 Global Model Checking
 M, s |= p if sSV (p)
 F(W)= SV {XW}(p)
 X.p
 S, F(S), F (S),…, F (S)=F
2 i i+1(S)
 X.p
 , F(), F (),…, F ()=F
2 i i+1()
 O(|p|·(|S|+|R|)·|S|k)
 k: nesting depth
 Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|)d)
Local Model Checking
 Extension of Modal -Calculus
 XW.p
 X.p  X.p
 Let F be a function on 2S,
PX.F(X) iff PF(X.(PF(X)))
 M, s |=V XW.p if
 sW or, if not, M, s |=V p[XW{s}.p/X]
 Tableau System
 Fixpoint Equation System
Modal -Calculus Satisfiability
 The satisfiability problem of modal -
calculus is EXPTIME-complete.
 If a modal -calculus formula is
satisfiable, then the formula is
satisfiable by a finite kripke model.
 Modal -Calculus Model Checking: O(?)
Symbolic Model Checking
 State Space Explosion Problem
 Reduce memory requirement by
utilizing compact representations of
states/transitions
 Boolean formulas represent sets and
relations
 Use fixed point characterizations of CTL
operators
Ordered Binary Decision
Diagram (OBDD)
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2 a2
0 1 0 1 0 1 0 1
b2 b2 b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced OBDD
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2 a2
0 1 0 1 0 1 0 1
b2 b2 b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2
0 1 0 1 0 1
b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 0 1
a2 a2
0 1 0 1
b2 b2 b2 b2
0 1 0 1 0 1 0 1
1 0 0 1 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 1 0
a2
0 1
b2 b2
0 1 0 1
1 0 0 1 0
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 1
a2 0
0 1
b2 b2
0 11 0
1 0
(a1  b1)  (a2  b2)
Representation for States
 States as Boolean Formulas
 2m states encoded by m proposition variables
 State - conjunction of proposition or negative
proposition
 Set of States – conjunction of state (encoding)
formula
Example: m = 2, S={s1,s2,s3,s4}
 Proposition Variables {a, b}
 S={00, 01, 10, 11}={ab, a b, ab, ab}
 {s1,s2}={00, 01}=(ab)(ab)
Representation for Transitions
 Transitions as Boolean Formulas
 (s, s’) encoded by two sets of proposition
variables
 Transition – conjunction of s and s’
 Set of Transitions – conjunction of
transition (encoding) formula
Example
(s4,s3) = (11, 10) = aba’b’
Symbolic Model Checking
 Atomic Propositions
 ROBDD(p) = {s | pL(s)}
 ROBDD(p) = reversion of ROBDD(p)
 ROBDD(pq) = ROBDD (p)ROBDD(q)
  is  or 
 ROBDD(EXp(v)) = v’:[p(v’)R(v, v’)]
 (E(pUq)) = Z.[q(pEX Z)]
 (EGp) = Z.[pEX Z]
Genealogy
Floyd/Hoare Aristotle 300’s BCE
late 60s Kripke 59
Logics of Temporal/
Programs Modal Logics
Büchi, 60
Tarski 50’s
w-automata Pnueli
late 70’s Clarke/Emerson Park, 60’s
S1S Early 80’s
Kurshan Vardi/Wolper -Calculus
mid 80’s CTL Model
LTL Model Checking
Bryant, mid 80’s
ATV
Checking QBF BDD
Symbolic
Model Checking late 80’s
Anything Else?
 Model Checking
 Temporal Logic
 Model Checking Algorithms
 Symbolic Model Checking
 Advanced Topics
 Symmetry Reduction
 Partial Order Reduction
 Infinite Model Checking
Symmetry Reduction
 If state space is symmetric, explore only a
symmetric “quotient” of the state space
 A permutation  is an automorphism of M if
for any s1,s2S,
R(s1,s2)  R((s1), (s2))
 G is an automorphism group for M iff every
permutation G is an automorphism of M.
 An automorphism group G is an invariance
group for an atomic proposition p iff for any
G, sS, pL(s)  pL((s))
Quotient Models
 G – Automorphism Group
 Orbit - (s) = {t | G: (s)=t}
 MG=(SG, (s0), RG, LG)
 SG={(s) | sS}
 RG={((s1), (s2)) | (s1, s2)R}
 LG((s))=L(rep((s))) – representative
 If G is an invariance group for all the atomic
propositions occurring in a CTL* formula p, then
M, s |= p iff MG, (s) |= p
 The orbit problem is as hard as the Graph
Isomorphism problem, which is in NP.
Partial Order Reduction
 Reduce the number of interleavings of
independent concurrent transitions
 Enabledness + Commutativity
s s s
a b a b a
s1 s2 s1 s2 s1
b a b b
r r r
No Reductions Transitions Reduced States Reduced

Stuttering Equivalence
 Let M and M’ be two stuttering

equivalent structures. For every LTL_X
property p, M, s |= p iff M’, s |= p
Infinite Model Checking
 Verification of Infinite Systems
 Unbounded Data Structures
 Data Manipulations on Infinite Data Domains, e.g integer counters
 Asynchronous (Lossy) Channel Systems – unbounded FIFO queues
 Timed Automata - real-valued clocks
 Unbounded Control Structures
 (Recursive) Procedure Call - unbounded stacks (Pushdown Automata)
 Parameterized Systems – any number of processes
 Dynamic Creation of Processes, Mobility
 Abstract Representation
 Regular Sets, Time Zones, …
 More techniques involved
 Constraint Programming, Deductive Verification,…
 AVIS - International Workshop on Automated Verification of
Infinite-State Systems
Still More…
 Abstraction
 Compositional Verification
 Software Model Checking
 VeriSoft, SLAM, JPF
 Probabilistic Model Checking

Tutorial I - An Introduction To Model Checking: Peng WU

Uploaded by

Copyright:

Available Formats

You might also like

Tutorial I - An Introduction To Model Checking: Peng WU

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Tutorial I - An Introduction To Model Checking: Peng WU

Uploaded by

Copyright:

Available Formats

Tutorial I – An Introduction to

Model Yes, if the model satisfies

 Increase our confidence in the correctness of the

S finite set of states

M |= p iff L(MA)  L(pA) iff L(MApA)=

For a state formula p: M |= p if M, s0 |= p

No Reductions Transitions Reduced States Reduced

 Let M and M’ be two stuttering

You might also like