tutorial i – an introduction to model checking peng wu inria futurs lix, École polytechnique

Post on 14-Dec-2015


Tutorial I – An Introduction to Model Checking

Peng WU, INRIA Futurs

LIX, École Polytechnique

Outline

Model Checking
Temporal Logic
Model Checking Algorithms
Symbolic Model Checking
Advanced Topics: Symmetry Reduction, Partial-Order Reduction, Infinite Model Checking

Principles

Increase our confidence in the correctness of the model:

The model satisfies enough system properties
Study counterexamples, pinpoint the source of the error, correct the model, and try again

Model (System Requirements)

Specification (System Property)

Model Checker

Answer:

Yes, if the model satisfies the specification

Counterexample, otherwise

Kripke Model

Kripke Structure + Labeling Function
Let AP be a non-empty set of atomic propositions. Kripke Model: M = (S, s0, R, L)

S: finite set of states

s0 ∈ S: initial state

R ⊆ S × S: transition relation

L: S → 2^AP: labeling function

Temporal Logics

Express properties of event orderings in time

Linear Time: every moment has a unique successor; infinite sequences (words); Linear Temporal Logic (LTL)

Branching Time: every moment has several successors; infinite tree; Computation Tree Logic (CTL)

Linear Temporal Logic

(Path) Formulas: p – atomic proposition; ¬p, p∧q, p∨q, p→q; Op, □p, ◇p, pUq, pRq

Semantics (π a path of M, π(i) its i-th state, π^i its suffix from position i):
M, π |= p if p ∈ L(π(0))
M, π |= ¬p if not M, π |= p
M, π |= p∧q if M, π |= p and M, π |= q
M, π |= p∨q if M, π |= p or M, π |= q
M, π |= Op if M, π^1 |= p
M, π |= □p if ∀i≥0: M, π^i |= p
M, π |= ◇p if ∃i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
M |= p if ∀π ∈ Π(M): M, π |= p

LTL [figure: timelines illustrating □p (p at every position), ◇p (p at some position), pUq (p until the first q) and pRq (q up to and including the first position where p holds, or forever)]
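The path semantics above can be executed directly. The following is an added example, not code from the tutorial: it evaluates LTL formulas over one ultimately periodic path π = prefix·loop^ω, implementing each clause (O, □, ◇, U, R) by walking the positions of the suffix π^i in path order. Because the path is a lasso, every suffix has finitely many distinct positions, so the ∀i/∃i quantifiers become finite loops. The tuple-based formula encoding and the sample path are constructed for this example.

```python
# Added example, not from the tutorial: checking LTL formulas against one
# ultimately periodic path pi = prefix . loop^omega, by evaluating the
# definitions of O, box, diamond, U and R position by position.
# Formula encoding and the sample path are constructed for this example.

def ltl_holds(formula, path, i=0):
    """Return True iff M, pi^i |= formula, where path = (prefix, loop) and
    both parts are lists of label sets (the L(pi(j)) of each position)."""
    prefix, loop = path
    labels = prefix + loop
    n = len(labels)

    def succ(j):
        # pi^(j+1): after the last stored position the path re-enters the loop
        return j + 1 if j + 1 < n else len(prefix)

    def positions(j):
        # every position of the suffix pi^j, each once, in path order;
        # because the path is a lasso, a finite walk covers all of them
        seen = []
        while j not in seen:
            seen.append(j)
            j = succ(j)
        return seen

    op = formula[0]
    if op == "ap":                                   # p in L(pi(i))
        return formula[1] in labels[i]
    if op == "not":
        return not ltl_holds(formula[1], path, i)
    if op == "and":
        return ltl_holds(formula[1], path, i) and ltl_holds(formula[2], path, i)
    if op == "or":
        return ltl_holds(formula[1], path, i) or ltl_holds(formula[2], path, i)
    if op == "O":                                    # next: pi^(i+1)
        return ltl_holds(formula[1], path, succ(i))
    if op == "box":                                  # for all k >= i
        return all(ltl_holds(formula[1], path, k) for k in positions(i))
    if op == "dia":                                  # exists k >= i
        return any(ltl_holds(formula[1], path, k) for k in positions(i))
    if op == "U":                                    # p U q
        p, q = formula[1], formula[2]
        for k in positions(i):                       # walk the suffix in order
            if ltl_holds(q, path, k):
                return True                          # q here, p at every earlier position
            if not ltl_holds(p, path, k):
                return False                         # p broke before q was reached
        return False                                 # q never holds on the suffix
    if op == "R":                                    # p R q
        p, q = formula[1], formula[2]
        for k in positions(i):
            if not ltl_holds(q, path, k):
                return False                         # q failed before being released
            if ltl_holds(p, path, k):
                return True                          # released at k, q held up to k
        return True                                  # q holds at every position
    raise ValueError("unknown operator: %r" % (op,))

# Constructed sample path: two 'req' states, then the loop cs -> idle -> cs -> ...
PATH = ([{"req"}, {"req"}], [{"cs"}, {"idle"}])

REQ, CS, IDLE = ("ap", "req"), ("ap", "cs"), ("ap", "idle")
RESPONSE = ("box", ("or", ("not", REQ), ("dia", CS)))   # box(req -> dia cs)
RELEASE = ("R", CS, ("not", IDLE))                      # not idle, until cs releases it
```

Checking a model rather than a single path (M |= p) means running this over every path, which is why the automata-based procedure of the next slides is used instead; on one lasso, though, this is exactly the definition.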

LTL Satisfiability

The satisfiability problem of LTL is PSPACE-complete.

If an LTL formula is satisfiable, then it is satisfiable by a finite Kripke model.

LTL Model Checking: PSPACE-complete

LTL Model Checking

ω-Regular Languages, ω-Automata: finite states representing infinite executions

Büchi Automaton: <Σ, S, Δ, I, L, F>
Kripke Model as an automaton: <AP, S, R, {s0}, L>

M |= p iff L(M_A) ⊆ L(p_A) iff L(M_A × (¬p)_A) = ∅

LTL Model Checking

We can build a Büchi automaton which accepts all and only the infinite traces represented by an LTL formula.

The Büchi automaton is exponential in the size of the formula.

The complexity of model checking is proportional to the size of the automaton.

Computation Tree Logic

(State) Formulas: p – atomic proposition; ¬p, p∧q, p∨q, p→q; AXp, EXp, AFp, EFp, AGp, EGp; A(pUq), E(pUq), A(pRq), E(pRq)

CTL Semantics (s a state, π a path, Π(s) the paths starting at s)
M, s |= p if p ∈ L(s)
M, s |= ¬p if not M, s |= p
M, s |= p∧q if M, s |= p and M, s |= q
M, s |= p∨q if M, s |= p or M, s |= q
M, s |= Ap if ∀π ∈ Π(s): M, π |= p
M, s |= Ep if ∃π ∈ Π(s): M, π |= p
M, π |= Xp if M, π^1 |= p
M, π |= Fp if ∃i≥0: M, π^i |= p
M, π |= Gp if ∀i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
M |= p if M, s0 |= p

CTL Satisfiability

The satisfiability problem of CTL is EXPTIME-complete.

If a CTL formula is satisfiable, then it is satisfiable by a finite Kripke model.

CTL Model Checking: O(|p|·(|S|+|R|))

Equivalence

Basic operators: EXp, EGp, E(pUq); the others are derived:
AXp ≡ ¬EX¬p
AFp ≡ ¬EG¬p
AGp ≡ ¬EF¬p
A(pRq) ≡ ¬E(¬pU¬q)
A(pUq) ≡ ¬E(¬pR¬q)
EFp ≡ E(true U p)
E(pRq) ≡ E(qU(p∧q)) ∨ EGq

CTL Model Checking

Six Cases: p is an atomic proposition; p = ¬q; p = q∨r; p = EXq; p = EGq; p = E(qUr)

Extension of L – L': S → 2^(AP ∪ {subformulas of p}), filled in bottom-up over the subformulas of p

p is an atomic proposition: L'(s) = L(s)

p = ¬q: L'(s) = L'(s) ∪ {p} if q ∉ L'(s)

p = q∨r: L'(s) = L'(s) ∪ {p} if q ∈ L'(s) or r ∈ L'(s)

p = EXq: L'(s) = L'(s) ∪ {p} if ∃(s,s') ∈ R: q ∈ L'(s')

p = E(qUr): procedure checkEU(q, r)
  T := { s | r ∈ L'(s) };
  for all s ∈ T do L'(s) := L'(s) ∪ {p};
  while T ≠ ∅ do
    choose s ∈ T; T := T \ {s};
    for all t such that R(t, s) do
      if p ∉ L'(t) and q ∈ L'(t) then
        L'(t) := L'(t) ∪ {p}; T := T ∪ {t};
(a backward BFS from the r-states through q-states)

Example: E(qUr) [figure: states labelled r, q, q, q, q and q,r; the backward BFS from the r-states through q-states marks the states satisfying E(qUr)]

p = EGq: procedure checkEG(q)
  S' := { s | q ∈ L'(s) };
  SCC := { C | C is a non-trivial SCC of S' };
  T := { s | s ∈ some C of SCC };
  for all s ∈ T do L'(s) := L'(s) ∪ {p};
  while T ≠ ∅ do
    choose s ∈ T; T := T \ {s};
    for all t such that t ∈ S' and R(t, s) do
      if p ∉ L'(t) then
        L'(t) := L'(t) ∪ {p}; T := T ∪ {t};

Example: EGq [figure: the same states labelled r, q, q, q, q and q,r; the non-trivial SCCs of the q-states are marked, and EGq holds on them and on the q-states that reach them through q-states]
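The two procedures above, together with the four simpler cases, give a complete explicit-state CTL checker. The following is an added example and not the tutorial's own code: the set of states satisfying each subformula plays the role of the labelling extension L', E(qUr) is the backward BFS of checkEU, and EGq first collects the non-trivial SCCs of the q-subgraph (Tarjan's algorithm, which the slides do not spell out) and then searches backwards through q-states. The five-state Kripke structure is constructed for the example.

```python
# Added example, not the tutorial's code: an explicit-state CTL model checker
# over the basis {ap, not, or, EX, EG, EU}. E(q U r) uses the backward BFS of
# checkEU and EG q the non-trivial-SCC search of checkEG, with the set of
# satisfying states playing the role of the labelling extension L'.
# The Kripke structure at the bottom is constructed for this example.

from collections import defaultdict

def predecessors(R):
    pred = defaultdict(set)
    for t, s in R:
        pred[s].add(t)
    return pred

def eu_states(S, R, q_set, r_set):
    """States satisfying E(q U r): backward BFS from the r-states over q-states."""
    pred = predecessors(R)
    sat = set(r_set)
    work = list(sat)
    while work:
        s = work.pop()
        for t in pred[s]:
            if t not in sat and t in q_set:
                sat.add(t)
                work.append(t)
    return sat

def nontrivial_sccs(nodes, R):
    """Tarjan's algorithm on the subgraph induced by `nodes`; returns the SCCs
    that contain a cycle (more than one state, or a state with a self-loop)."""
    succ = defaultdict(set)
    for s, t in R:
        if s in nodes and t in nodes:
            succ[s].add(t)
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    counter = [0]

    def strongconnect(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                strongconnect(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                 # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            if len(comp) > 1 or v in succ[v]:  # keep only components with a cycle
                result.append(comp)

    for v in sorted(nodes):
        if v not in index:
            strongconnect(v)
    return result

def eg_states(S, R, q_set):
    """States satisfying EG q: q-states that reach a non-trivial SCC of the
    q-subgraph along q-states (the infinite q-path lives inside that SCC)."""
    sat = set()
    for comp in nontrivial_sccs(q_set, R):
        sat |= comp
    pred = predecessors(R)
    work = list(sat)
    while work:
        s = work.pop()
        for t in pred[s]:
            if t in q_set and t not in sat:
                sat.add(t)
                work.append(t)
    return sat

def check(S, R, L, f):
    """Set of states of M = (S, R, L) satisfying the CTL formula f."""
    op = f[0]
    if op == "true":
        return set(S)
    if op == "ap":
        return {s for s in S if f[1] in L[s]}
    if op == "not":
        return set(S) - check(S, R, L, f[1])
    if op == "or":
        return check(S, R, L, f[1]) | check(S, R, L, f[2])
    if op == "EX":
        target = check(S, R, L, f[1])
        return {s for (s, t) in R if t in target}
    if op == "EG":
        return eg_states(S, R, check(S, R, L, f[1]))
    if op == "EU":
        return eu_states(S, R, check(S, R, L, f[1]), check(S, R, L, f[2]))
    raise ValueError("unknown operator: %r" % (op,))

def AG(f):
    """Derived operator from the equivalence slide: AG f = not E(true U not f)."""
    return ("not", ("EU", ("true",), ("not", f)))

# Constructed Kripke structure: a q-cycle 0 -> 1 -> 2 -> 0, an exit 2 -> 3
# into an r-state, and a q-state 4 that loops on itself.
S = [0, 1, 2, 3, 4]
R = {(0, 1), (1, 2), (2, 0), (2, 3), (3, 4), (4, 4)}
L = {0: {"q"}, 1: {"q"}, 2: {"q"}, 3: {"r"}, 4: {"q"}}
```

Each call to `check` processes the subformulas bottom-up, so the whole run is O(|p|·(|S|+|R|)) as the slide states: one BFS or one SCC pass per temporal subformula.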

CTL*

State Formulas: p – atomic proposition; ¬p, p∧q, p∨q, p→q; Ap, Ep if p is a path formula

Path Formulas: p if p is a state formula; ¬p, p∧q, p∨q, p→q; Xp, Fp, Gp, pUq, pRq

CTL* Semantics – State Formulas
M, s |= p if p ∈ L(s)
M, s |= ¬p if not M, s |= p
M, s |= p∧q if M, s |= p and M, s |= q
M, s |= p∨q if M, s |= p or M, s |= q
M, s |= Ap if ∀π ∈ Π(s): M, π |= p
M, s |= Ep if ∃π ∈ Π(s): M, π |= p

CTL* Semantics – Path Formulas
M, π |= p if M, π(0) |= p (p is a state formula)
M, π |= ¬p if not M, π |= p
M, π |= p∧q if M, π |= p and M, π |= q
M, π |= p∨q if M, π |= p or M, π |= q
M, π |= Xp if M, π^1 |= p
M, π |= Fp if ∃i≥0: M, π^i |= p
M, π |= Gp if ∀i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
For a state formula p: M |= p if M, s0 |= p

CTL* Satisfiability

The satisfiability problem of CTL* is 2EXPTIME-complete.

If a CTL* formula is satisfiable, then it is satisfiable by a finite Kripke model.

CTL* Model Checking: PSPACE-complete

Extended Kripke Model

Kripke Model: (S, s0, R, L)

S: finite set of states

s0 ∈ S: initial state

R ⊆ 2^(S×S): finite set of transition relations

L: S → 2^AP: labeling function
Let a ⊆ S×S range over the transition relations in R; s_a = {s' | (s,s') ∈ a}

Modal μ-Calculus

(State) Formulas: p – atomic proposition; ¬p, p∧q, p∨q, p→q; [a]p, ⟨a⟩p; X – proposition variable; μX.p, νX.p if all occurrences of X in p are under an even number of negations (Syntactic Monotonicity)

Alternation Depth: a top-level ν(μ)-subformula is one NOT contained within any other greatest (least) fixpoint subformula

Alternation Depth – d (all negations are applied to propositions):
d(p) = d(¬p) = d(X) = 0
d(p∧q) = d(p∨q) = max(d(p), d(q))
d([a]p) = d(⟨a⟩p) = d(p)
d(μX.p) = max(1, d(p), 1 + max(…, d(qi), …)), where qi is a top-level ν-subformula of p
d(νX.p) = max(1, d(p), 1 + max(…, d(qi), …)), where qi is a top-level μ-subformula of p

Modal μ-Calculus – Semantics (V a valuation of the proposition variables)
M, s |=V p if p ∈ L(s)
M, s |=V ¬p if not M, s |=V p
M, s |=V p∧q if M, s |=V p and M, s |=V q
M, s |=V p∨q if M, s |=V p or M, s |=V q
M, s |=V [a]p if ∀s' ∈ s_a: M, s' |=V p
M, s |=V ⟨a⟩p if ∃s' ∈ s_a: M, s' |=V p
M, s |=V X if s ∈ V(X)
M, s |=V μX.p if M, s |=V p{μX.p/X}?
M, s |=V νX.p if M, s |=V p{νX.p/X}?

Global Model Checking – Denotation Semantics

S_V(p) = {s | p ∈ L(s)}

S_V(¬p) = S − S_V(p)

S_V(p∧q) = S_V(p) ∩ S_V(q)

S_V(p∨q) = S_V(p) ∪ S_V(q)

S_V([a]p) = {s | ∀s' ∈ s_a: s' ∈ S_V(p)}

S_V(⟨a⟩p) = {s | ∃s' ∈ s_a: s' ∈ S_V(p)}

S_V(X) = V(X)

S_V(νX.p) = ∪{W ⊆ S | W ⊆ S_V{X↦W}(p)}

S_V(μX.p) = ∩{W ⊆ S | S_V{X↦W}(p) ⊆ W}   (Tarski-Knaster Theorem)

Global Model Checking

M, s |= p if s ∈ S_V(p)
F(W) = S_V{X↦W}(p)
νX.p: S, F(S), F²(S), …, F^i(S) = F^(i+1)(S)
μX.p: ∅, F(∅), F²(∅), …, F^i(∅) = F^(i+1)(∅)
O(|p|·(|S|+|R|)·|S|^k), k: nesting depth
Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|)^d), d: alternation depth

Local Model Checking – Extension of the Modal μ-Calculus

νX^W.p: a fixpoint formula tagged with a set W ⊆ S of states (νX.p and μX.p as before)

Let F be a function on 2^S. P ⊆ νX.F(X) iff P ⊆ F(νX.(P ∪ F(X)))

M, s |=V νX^W.p if s ∈ W or, if not, M, s |=V p[νX^(W∪{s}).p / X]

Tableau System, Fixpoint Equation System

Modal -Calculus Satisfiability

The satisfiability problem of the modal μ-calculus is EXPTIME-complete.

If a modal μ-calculus formula is satisfiable, then it is satisfiable by a finite Kripke model.

Modal μ-Calculus Model Checking: O(?)

Symbolic Model Checking

State Space Explosion Problem: reduce the memory requirement by utilizing compact representations of states/transitions
Boolean formulas represent sets and relations
Use fixed point characterizations of CTL operators

Ordered Binary Decision Diagram (OBDD) [figure: the full decision tree for (a1 ↔ b1) ∧ (a2 ↔ b2) over the variable order a1, b1, a2, b2, with 0/1 terminals]

Reduced OBDD [figure: the same diagram reduced step by step, merging duplicate terminals, merging isomorphic subgraphs and removing redundant tests]

Reduced Ordered BDD [figure: the final ROBDD for (a1 ↔ b1) ∧ (a2 ↔ b2)]
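The reduction rules illustrated by the figures above (merge equal terminals, share isomorphic subgraphs, drop nodes whose two children coincide) can be enforced at construction time with a unique table, so that each Boolean function under a fixed variable order has exactly one representation. The following is an added example, not code from the tutorial: a minimal ROBDD package in the style of Bryant, with Shannon-expansion build and a memoised apply, run on the slides' function (a1 ↔ b1) ∧ (a2 ↔ b2) under two variable orders. Node ids, method names and the second order are this example's own choices.

```python
# Added example, not from the tutorial: a minimal ROBDD package (unique
# table, Shannon-expansion build, apply) in the style of Bryant, used on the
# slides' function (a1 <-> b1) ^ (a2 <-> b2). Node ids, the variable orders
# and the helper names are this example's own choices.

class ROBDD:
    def __init__(self, order):
        self.order = list(order)          # variable order; index 0 is tested first
        self.T = {0: None, 1: None}       # node id -> (var_index, low, high); 0/1 are terminals
        self.H = {}                       # unique table: (var_index, low, high) -> node id

    def var_index(self, u):
        # terminals sort after every variable
        return self.T[u][0] if u > 1 else len(self.order)

    def mk(self, i, low, high):
        """Node for 'if x_i then high else low' with both reduction rules applied."""
        if low == high:                   # redundant test: the variable does not matter
            return low
        key = (i, low, high)
        if key not in self.H:             # isomorphic subgraph: share the existing node
            self.H[key] = len(self.T)
            self.T[self.H[key]] = key
        return self.H[key]

    def build(self, f, i=0, env=None):
        """ROBDD of the Boolean predicate f by Shannon expansion along the order."""
        env = dict(env or {})
        if i == len(self.order):
            return 1 if f(env) else 0
        env[self.order[i]] = False
        low = self.build(f, i + 1, env)
        env[self.order[i]] = True
        high = self.build(f, i + 1, env)
        return self.mk(i, low, high)

    def apply(self, op, u, v, memo=None):
        """Combine two ROBDDs with a binary Boolean operator (memoised)."""
        memo = {} if memo is None else memo
        if (u, v) in memo:
            return memo[(u, v)]
        if u <= 1 and v <= 1:
            r = 1 if op(bool(u), bool(v)) else 0
        else:
            iu, iv = self.var_index(u), self.var_index(v)
            i = min(iu, iv)               # expand on the earliest variable of the two
            lu, hu = (self.T[u][1], self.T[u][2]) if iu == i else (u, u)
            lv, hv = (self.T[v][1], self.T[v][2]) if iv == i else (v, v)
            r = self.mk(i, self.apply(op, lu, lv, memo), self.apply(op, hu, hv, memo))
        memo[(u, v)] = r
        return r

    def nodes(self, u):
        """All node ids reachable from u, terminals included."""
        seen, stack = set(), [u]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                if n > 1:
                    stack.extend(self.T[n][1:])
        return seen

    def evaluate(self, u, env):
        while u > 1:
            i, low, high = self.T[u]
            u = high if env[self.order[i]] else low
        return bool(u)

    def satcount(self, u, level=0):
        """Number of satisfying assignments of the function rooted at u."""
        if u == 0:
            return 0
        if u == 1:
            return 2 ** (len(self.order) - level)
        i, low, high = self.T[u]
        return 2 ** (i - level) * (self.satcount(low, i + 1) + self.satcount(high, i + 1))

def equal_pairs(env):
    """The slides' example function (a1 <-> b1) ^ (a2 <-> b2)."""
    return env["a1"] == env["b1"] and env["a2"] == env["b2"]

def robdd_size(order, f=equal_pairs):
    """Node count of f's ROBDD under a given variable order (order matters)."""
    bdd = ROBDD(order)
    return len(bdd.nodes(bdd.build(f)))
```

Canonicity is what makes the representation useful for model checking: building (a1 ↔ b1) and (a2 ↔ b2) separately and conjoining them with `apply` yields the very same node as building the conjunction directly, so equality of state sets (the fixpoint termination test) is a pointer comparison. The order a1, b1, a2, b2 gives 8 nodes; the interleaved order a1, a2, b1, b2 already needs 11 for the same function.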

Representation for States: States as Boolean Formulas
2^m states encoded by m proposition variables
State – conjunction of propositions or negated propositions
Set of States – conjunction of state (encoding) formulas

Example: m = 2, S = {s1, s2, s3, s4}, Proposition Variables {a, b}
S = {00, 01, 10, 11} = {¬a¬b, ¬ab, a¬b, ab}
{s1, s2} = {00, 01} = (¬a¬b) ∨ (¬ab)

Representation for Transitions: Transitions as Boolean Formulas
(s, s') encoded by two sets of proposition variables
Transition – conjunction of s and s'
Set of Transitions – conjunction of transition (encoding) formulas

Example: (s4, s3) = (11, 10) = a b a' ¬b'

Symbolic Model Checking

Atomic Propositions: ROBDD(p) = {s | p ∈ L(s)}
ROBDD(¬p) = reversion (complement) of ROBDD(p)
ROBDD(p ∘ q) = ROBDD(p) ∘ ROBDD(q), where ∘ is ∧ or ∨
ROBDD(EXp(v)) = ∃v': [p(v') ∧ R(v, v')]
ROBDD(E(pUq)) = μZ.[q ∨ (p ∧ EX Z)]
ROBDD(EGp) = νZ.[p ∧ EX Z]
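The fixpoint characterizations just listed, and the μ/ν iteration from the Global Model Checking slides, can be run over any representation of Boolean functions that supports ∧, ∨, complement and existential quantification. The following is an added example, not the tutorial's code: state sets and the transition relation are Boolean functions over the variables (a, b) and (a, b, a', b') stored as sets of satisfying assignments, a stand-in for ROBDDs; EX is computed as the relational product ∃v'.[Z(v') ∧ R(v, v')], E(pUq) as the least fixpoint from ∅ and EGp as the greatest fixpoint from S. The 2-variable state space, R and the labelling are constructed for this example.

```python
# Added example, not the tutorial's code: symbolic CTL model checking over a
# Boolean state encoding. A set of states is a Boolean function over (a, b)
# and the transition relation a function over (a, b, a', b'); here both are
# stored as sets of satisfying assignments, standing in for the ROBDDs the
# slides use. EX is the relational product exists v'.[Z(v') ^ R(v, v')] and
# E(pUq), EGp are the mu/nu fixpoint iterations. States, R and labels are constructed.

from itertools import product

VARS = ("a", "b")                                   # m = 2 proposition variables
ALL = frozenset(product((0, 1), repeat=len(VARS)))  # 2^m = 4 states 00, 01, 10, 11

def as_formula(states):
    """Disjunction of the state encodings, e.g. {00, 01} -> (¬a ∧ ¬b) ∨ (¬a ∧ b)."""
    terms = []
    for s in sorted(states):
        lits = [("" if bit else "¬") + v for v, bit in zip(VARS, s)]
        terms.append("(" + " ∧ ".join(lits) + ")")
    return " ∨ ".join(terms)

# Constructed transition relation R(v, v') as a set of (v, v') pairs.
R = frozenset({((0, 0), (0, 1)), ((0, 1), (1, 1)), ((1, 1), (1, 0)),
               ((1, 0), (0, 0)), ((1, 1), (1, 1))})
# Constructed labelling: p holds exactly where b is true, q only in state 10.
LABELS = {"p": frozenset({(0, 1), (1, 1)}), "q": frozenset({(1, 0)})}

def ex(Z):
    """EX Z = { v | exists v' : Z(v') and R(v, v') }, the pre-image of Z under R."""
    return frozenset(v for (v, v_next) in R if v_next in Z)

def lfp(F):
    """mu Z. F(Z): iterate from the empty set until F(Z) = Z."""
    Z = frozenset()
    while True:
        Z_next = F(Z)
        if Z_next == Z:
            return Z
        Z = Z_next

def gfp(F):
    """nu Z. F(Z): iterate from the full state space until F(Z) = Z."""
    Z = ALL
    while True:
        Z_next = F(Z)
        if Z_next == Z:
            return Z
        Z = Z_next

def eu(p, q):
    return lfp(lambda Z: q | (p & ex(Z)))         # E(p U q) = mu Z.[q v (p ^ EX Z)]

def eg(p):
    return gfp(lambda Z: p & ex(Z))               # EG p = nu Z.[p ^ EX Z]

def check(f):
    """Set of states (as a Boolean function) satisfying the CTL formula f."""
    op = f[0]
    if op == "ap":
        return LABELS[f[1]]
    if op == "not":
        return ALL - check(f[1])                  # complement: S - S(p)
    if op == "and":
        return check(f[1]) & check(f[2])
    if op == "or":
        return check(f[1]) | check(f[2])
    if op == "EX":
        return ex(check(f[1]))
    if op == "EU":
        return eu(check(f[1]), check(f[2]))
    if op == "EG":
        return eg(check(f[1]))
    raise ValueError("unknown operator: %r" % (op,))
```

Both iterations terminate because S is finite and each step is monotone: the μ chain ∅ ⊆ F(∅) ⊆ F²(∅) ⊆ … can only grow, the ν chain S ⊇ F(S) ⊇ … can only shrink. Swapping the set representation for ROBDDs changes only `ex` (a conjunction followed by existential quantification of the primed variables) and the equality test, which becomes a node comparison.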

Genealogy [figure: a chart relating the following lines of work]
Logics of Programs: Floyd/Hoare, late 60s
Temporal/Modal Logics: Aristotle, 300's BCE; Kripke, 59; Pnueli, late 70's
CTL Model Checking: Clarke/Emerson, early 80's
ω-automata, S1S: Büchi, 60
LTL Model Checking, ATV: Kurshan, Vardi/Wolper, mid 80's
Tarski, 50's; μ-Calculus: Park, 60's
QBF, BDD: Bryant, mid 80's
Symbolic Model Checking: late 80's

Anything Else?

Model Checking
Temporal Logic
Model Checking Algorithms
Symbolic Model Checking
Advanced Topics: Symmetry Reduction, Partial Order Reduction, Infinite Model Checking

Symmetry Reduction: if the state space is symmetric, explore only a symmetric "quotient" of the state space
A permutation σ is an automorphism of M if for any s1, s2 ∈ S, R(s1, s2) ⇒ R(σ(s1), σ(s2))

G is an automorphism group for M iff every permutation σ ∈ G is an automorphism of M.

An automorphism group G is an invariance group for an atomic proposition p iff for any σ ∈ G, s ∈ S, p ∈ L(s) ⇔ p ∈ L(σ(s))

Quotient Models (G – Automorphism Group)
Orbit: θ(s) = {t | ∃σ ∈ G: σ(s) = t}
M_G = (S_G, θ(s0), R_G, L_G)
S_G = {θ(s) | s ∈ S}
R_G = {(θ(s1), θ(s2)) | (s1, s2) ∈ R}
L_G(θ(s)) = L(rep(θ(s))) – rep: representative of the orbit

If G is an invariance group for all the atomic propositions occurring in a CTL* formula p, then M, s |= p iff M_G, θ(s) |= p
The orbit problem is as hard as the Graph Isomorphism problem, which is in NP.

Partial Order Reduction

Reduce the number of interleavings of independent concurrent transitions: Enabledness + Commutativity

[figure: from state r, independent transitions a and b commute: r –a→ s1 –b→ s and r –b→ s2 –a→ s; shown with no reductions (the full diamond), with transitions reduced (one edge dropped), and with states reduced (only r –a→ s1 –b→ s kept)]

Stuttering Equivalence

Let M and M’ be two stuttering equivalent structures. For every LTL_X property p, M, s |= p iff M’, s |= p

Infinite Model Checking: Verification of Infinite Systems

Unbounded Data Structures: data manipulations on infinite data domains, e.g. integer counters; Asynchronous (Lossy) Channel Systems – unbounded FIFO queues; Timed Automata – real-valued clocks

Unbounded Control Structures: (recursive) procedure calls – unbounded stacks (Pushdown Automata); Parameterized Systems – any number of processes; dynamic creation of processes, mobility

Abstract Representation: Regular Sets, Time Zones, …

More techniques involved: Constraint Programming, Deductive Verification, …

AVIS – International Workshop on Automated Verification of Infinite-State Systems

Still More…

Abstraction; Compositional Verification; Software Model Checking (VeriSoft, SLAM, JPF); Probabilistic Model Checking
