TRANSCRIPT
Tutorial I – An Introduction to Model Checking
Peng Wu
INRIA Futurs
LIX, École Polytechnique
Outline
Model Checking
Temporal Logic
Model Checking Algorithms
Symbolic Model Checking
Advanced Topics: Symmetry Reduction, Partial-Order Reduction, Infinite Model Checking
Principles
Increase our confidence in the correctness of the model:
The model satisfies enough system properties.
Study counterexamples, pinpoint the source of the error, correct the model, and try again.
Inputs to the Model Checker: the Model (System Requirements) and the Specification (System Property).
Answer:
Yes, if the model satisfies the specification
Counterexample, otherwise
Kripke Model
Kripke Structure + Labeling Function. Let AP be a non-empty set of atomic propositions.
Kripke Model: M = (S, s0, R, L)
S: finite set of states
s0 ∈ S: initial state
R ⊆ S × S: transition relation
L: S → 2^AP: labeling function
Temporal Logics
Express properties of event orderings in time.
Linear Time: every moment has a unique successor; infinite sequences (words); Linear Temporal Logic (LTL)
Branching Time: every moment has several successors; infinite tree; Computation Tree Logic (CTL)
Linear Temporal Logic
(Path) Formulas: p (atomic proposition), ¬p, p∧q, p∨q, p→q, Op, ◇p, □p, pUq, pRq
Semantics
M, π |= p if p ∈ L(π(0))
M, π |= ¬p if not M, π |= p
M, π |= p∧q if M, π |= p and M, π |= q
M, π |= p∨q if M, π |= p or M, π |= q
LTL
Semantics (continued)
M, π |= Op if M, π^1 |= p
M, π |= ◇p if ∃i≥0: M, π^i |= p
M, π |= □p if ∀i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q, or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
M |= p if ∀π ∈ Π(M): M, π |= p
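The path semantics above, implemented as an added example (not part of the tutorial) on an ultimately periodic path prefix·loop^ω, which is how a finite Kripke model presents an infinite path; the sample path, the tuple encoding of formulas and the function name `holds` are constructed for the example:

```python
# Added example (not from the tutorial): the LTL semantics above, evaluated on an
# ultimately periodic path pi = prefix . loop^omega (a lasso), which is how a finite
# Kripke model presents its infinite paths. Formulas are nested tuples:
#   ("ap", p) | ("not", f) | ("and", f, g) | ("or", f, g) | ("X", f) | ("F", f)
#   ("G", f) | ("U", f, g) | ("R", f, g)    (X = O, F = eventually, G = always)
# Constructed sample path: {p}, {p}, ({p,q}, {q})^omega
PREFIX = [{"p"}, {"p"}]
LOOP = [{"p", "q"}, {"q"}]

def holds(f, prefix, loop, k=0):
    """M, pi^k |= f.  Positions i >= len(prefix) repeat every len(loop) steps, so a
    quantifier over i >= k only needs one full period beyond k: a witness for F/U
    (or a counter-example to G/R) further out can be shifted back by one period."""
    n, m = len(prefix), len(loop)
    assert m > 0, "the loop must be non-empty"
    if k >= n:
        k = n + (k - n) % m                       # normalise into the first period
    bound = n + m if k < n else k + m             # one position past the window
    at = lambda i: holds(f[1], prefix, loop, i)   # sub-formula f[1] at position i
    op = f[0]
    if op == "ap":
        return f[1] in (prefix[k] if k < n else loop[k - n])
    if op == "not":
        return not at(k)
    if op == "and":
        return at(k) and holds(f[2], prefix, loop, k)
    if op == "or":
        return at(k) or holds(f[2], prefix, loop, k)
    if op == "X":                                 # M, pi^k |= Xp if M, pi^(k+1) |= p
        return at(k + 1)
    if op == "F":                                 # exists i >= k: pi^i |= p
        return any(at(i) for i in range(k, bound))
    if op == "G":                                 # forall i >= k: pi^i |= p
        return all(at(i) for i in range(k, bound))
    q_at = lambda i: holds(f[2], prefix, loop, i)
    if op == "U":                                 # exists i: q at i and p at all j < i
        return any(q_at(i) and all(at(j) for j in range(k, i))
                   for i in range(k, bound))
    if op == "R":                                 # q always, or p at some i with q on [k, i]
        return (all(q_at(i) for i in range(k, bound)) or
                any(at(i) and all(q_at(j) for j in range(k, i + 1))
                    for i in range(k, bound)))
    raise ValueError(f"unknown operator {op!r}")
```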
LTL
(figure: timelines illustrating ◇p, □p, pUq and pRq on an infinite sequence of states)
LTL Satisfiability
The satisfiability problem of LTL is PSPACE-complete.
If an LTL formula is satisfiable, then it is satisfiable by a finite Kripke model.
LTL Model Checking: PSPACE-complete
LTL Model Checking
ω-Regular Languages, ω-Automata: finite states representing infinite executions
Büchi Automata: <Σ, S, Δ, I, L, F>; compare the Kripke Model <AP, S, R, {s0}, L>
M |= p iff L(M_A) ⊆ L(p_A) iff L(M_A × (¬p)_A) = ∅
LTL Model Checking
We can build a Büchi automaton which accepts all and only the infinite traces represented by an LTL formula.
The Büchi automaton is exponential in the size of the formula.
The complexity of model checking is proportional to the size of the automaton.
Computation Tree Logic
(State) Formulas: p (atomic proposition), ¬p, p∧q, p∨q, p→q, AXp, EXp, AFp, EFp, AGp, EGp, A(pUq), E(pUq), A(pRq), E(pRq)
CTL Semantics
M, s |= p if p ∈ L(s)
M, s |= ¬p if not M, s |= p
M, s |= p∧q if M, s |= p and M, s |= q
M, s |= p∨q if M, s |= p or M, s |= q
M, s |= Ap if ∀π ∈ Π(s): M, π |= p
M, s |= Ep if ∃π ∈ Π(s): M, π |= p
CTL Semantics (path formulas under A or E)
M, π |= Xp if M, π^1 |= p
M, π |= Fp if ∃i≥0: M, π^i |= p
M, π |= Gp if ∀i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q, or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
M |= p if M, s0 |= p
CTL Satisfiability
The satisfiability problem of CTL is EXPTIME-complete.
If a CTL formula is satisfiable, then it is satisfiable by a finite Kripke model.
CTL Model Checking: O(|p|·(|S|+|R|))
Equivalence
EXp, EGp and E(pUq) suffice to express the other operators:
AXp ≡ ¬EX¬p
AFp ≡ ¬EG¬p
AGp ≡ ¬EF¬p
A(pRq) ≡ ¬E(¬pU¬q)
A(pUq) ≡ ¬E(¬pR¬q)
EFp ≡ E(true U p)
E(pRq) ≡ E(qU(p∧q)) ∨ EGq
CTL Model Checking
Six cases: p is an atomic proposition; p = ¬q; p = q∨r; p = EXq; p = EGq; p = E(qUr)
Extension of L to L': S → 2^(AP ∪ {subformulas of p})
CTL Model Checking
p is an atomic proposition: L'(s) = L(s)
p = ¬q: L'(s) = L'(s) ∪ {p} if q ∉ L'(s)
p = q∨r: L'(s) = L'(s) ∪ {p} if q ∈ L'(s) or r ∈ L'(s)
p = EXq: L'(s) = L'(s) ∪ {p} if ∃(s, s') ∈ R: q ∈ L'(s')
p = E(qUr): procedure checkEU(q, r)
  T := {s | r ∈ L'(s)};
  for (all s ∈ T) do L'(s) := L'(s) ∪ {p};
  while (T ≠ ∅) do
    choose s ∈ T; T := T \ {s};
    for (all t such that R(t, s)) do
      if (p ∉ L'(t) and q ∈ L'(t)) then
        L'(t) := L'(t) ∪ {p}; T := T ∪ {t};
Example: E(qUr)
(figure: a small Kripke model with states labelled q and r; the BFS proceeds backwards from the r-states through q-states)
p = EGq: procedure checkEG(q)
  S' := {s | q ∈ L'(s)};
  SCC := {C | C is a non-trivial SCC of S'};
  T := {s | s ∈ some C of SCC};
  for (all s ∈ T) do L'(s) := L'(s) ∪ {p};
  while (T ≠ ∅) do
    choose s ∈ T; T := T \ {s};
    for (all t such that t ∈ S' and R(t, s)) do
      if (p ∉ L'(t)) then
        L'(t) := L'(t) ∪ {p}; T := T ∪ {t};
Example: EGq
(figure: the q-states of the model form the sub-model S'; its non-trivial SCCs seed the backward search)
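The two labelling procedures above, as an added example (not code from the tutorial) in Python on a constructed five-state Kripke model; the model, the set-based representation and the function names `check_eu`, `check_eg`, `cyclic_states` are assumptions of the example:

```python
# Added example (not from the tutorial): the checkEU and checkEG procedures above, run on a
# constructed Kripke model (0->1->2->3->1 is a cycle, 3->4, 4->4; L gives each state's APs).
S = {0, 1, 2, 3, 4}
R = {(0, 1), (1, 2), (2, 3), (3, 1), (3, 4), (4, 4)}
L = {0: {"q"}, 1: {"q"}, 2: {"q"}, 3: {"q", "r"}, 4: {"p"}}

def sat(ap):
    return {s for s in S if ap in L[s]}          # base case: ap in L(s)
def pred(s):
    return {t for (t, u) in R if u == s}          # all t with R(t, s)

def backward_closure(seed, allowed):
    """The 'while T != {}' loop of both procedures: label predecessors lying in `allowed`."""
    labelled, todo = set(seed), list(seed)
    while todo:
        s = todo.pop()
        for t in pred(s):
            if t in allowed and t not in labelled:
                labelled.add(t); todo.append(t)
    return labelled

def check_eu(q, r):
    """E(qUr): backward BFS from the r-states through q-states."""
    return backward_closure(r, q)

def cyclic_states(nodes):
    """States of `nodes` lying in a non-trivial SCC of the induced subgraph (Tarjan)."""
    succ = lambda v: {u for (t, u) in R if t == v and u in nodes}
    index, low, stack, on_stack, result = {}, {}, [], set(), set()
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in succ(v):
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:                  # v is the root of an SCC: pop it
            comp = []
            while not comp or comp[-1] != v:
                w = stack.pop(); on_stack.discard(w); comp.append(w)
            if len(comp) > 1 or v in succ(v):   # non-trivial: the SCC contains a cycle
                result.update(comp)
    for v in nodes:
        if v not in index: visit(v)
    return result

def check_eg(q):
    """EGq: S' = q-states; seed with the non-trivial SCCs of S', then search backwards in S'."""
    return backward_closure(cyclic_states(q), q)
```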
CTL*
State Formulas: p (atomic proposition), ¬p, p∧q, p∨q, p→q; Ap, Ep if p is a path formula
Path Formulas: p if p is a state formula; ¬p, p∧q, p∨q, p→q; Xp, Fp, Gp, pUq, pRq
CTL* Semantics – State Formulas
M, s |= p if p ∈ L(s)
M, s |= ¬p if not M, s |= p
M, s |= p∧q if M, s |= p and M, s |= q
M, s |= p∨q if M, s |= p or M, s |= q
M, s |= Ap if ∀π ∈ Π(s): M, π |= p
M, s |= Ep if ∃π ∈ Π(s): M, π |= p
CTL* Semantics – Path Formulas
M, π |= p if M, π(0) |= p (p is a state formula)
M, π |= ¬p if not M, π |= p
M, π |= p∧q if M, π |= p and M, π |= q
M, π |= p∨q if M, π |= p or M, π |= q
M, π |= Xp if M, π^1 |= p
M, π |= Fp if ∃i≥0: M, π^i |= p
M, π |= Gp if ∀i≥0: M, π^i |= p
M, π |= pUq if ∃i≥0: M, π^i |= q and ∀j<i: M, π^j |= p
M, π |= pRq if ∀i≥0: M, π^i |= q, or ∃i≥0: M, π^i |= p and ∀j≤i: M, π^j |= q
For a state formula p: M |= p if M, s0 |= p
CTL* Satisfiability
The satisfiability problem of CTL* is 2EXPTIME-complete.
If a CTL* formula is satisfiable, then it is satisfiable by a finite Kripke model.
CTL* Model Checking: PSPACE-complete
Extended Kripke Model
Kripke Model: (S, s0, R, L)
S: finite set of states
s0 ∈ S: initial state
R ⊆ 2^(S×S): finite set of transition relations
L: S → 2^AP: labeling function
Let a ⊆ S×S range over the transition relations in R; s_a = {s' | (s, s') ∈ a}
Modal μ-Calculus
(State) Formulas: p (atomic proposition), ¬p, p∧q, p∨q, p→q, [a]p, ⟨a⟩p, X (proposition variable), μX.p, νX.p if all occurrences of X in p are under an even number of negations (syntactic monotonicity)
Alternation Depth: a top-level ν(μ)-subformula is one NOT contained within any other greatest (least) fixpoint subformula
Alternation Depth d (all negations are applied to propositions):
d(p) = d(¬p) = d(X) = 0
d(p∧q) = d(p∨q) = max(d(p), d(q))
d([a]p) = d(⟨a⟩p) = d(p)
d(μX.p) = max(1, d(p), 1 + max(…, d(qi), …)), where qi ranges over the top-level ν-subformulas of p
d(νX.p) = max(1, d(p), 1 + max(…, d(qi), …)), where qi ranges over the top-level μ-subformulas of p
Modal μ-Calculus – Semantics
M, s |=V p if p ∈ L(s)
M, s |=V ¬p if not M, s |=V p
M, s |=V p∧q if M, s |=V p and M, s |=V q
M, s |=V p∨q if M, s |=V p or M, s |=V q
M, s |=V [a]p if ∀s' ∈ s_a: M, s' |=V p
M, s |=V ⟨a⟩p if ∃s' ∈ s_a: M, s' |=V p
M, s |=V X if s ∈ V(X)
M, s |=V μX.p if M, s |=V p{μX.p/X} ?
M, s |=V νX.p if M, s |=V p{νX.p/X} ?
Global Model Checking: Denotational Semantics
S_V(p) = {s | p ∈ L(s)}
S_V(¬p) = S − S_V(p)
S_V(p∧q) = S_V(p) ∩ S_V(q)
S_V(p∨q) = S_V(p) ∪ S_V(q)
S_V([a]p) = {s | ∀s' ∈ s_a: s' ∈ S_V(p)}
S_V(⟨a⟩p) = {s | ∃s' ∈ s_a: s' ∈ S_V(p)}
S_V(X) = V(X)
S_V(νX.p) = ∪{W ⊆ S | W ⊆ S_{V[X↦W]}(p)}
S_V(μX.p) = ∩{W ⊆ S | S_{V[X↦W]}(p) ⊆ W}  (Tarski-Knaster Theorem)
Global Model Checking
M, s |= p if s ∈ S_V(p)
F(W) = S_{V[X↦W]}(p)
νX.p: S, F(S), F²(S), …, until F^i(S) = F^{i+1}(S)
μX.p: ∅, F(∅), F²(∅), …, until F^i(∅) = F^{i+1}(∅)
Complexity: O(|p|·(|S|+|R|)·|S|^k), k: nesting depth
Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|)^d), d: alternation depth
Local Model Checking: Extension of the Modal μ-Calculus
Tagged fixpoint νX_W.p; νX.p corresponds to the empty tag set, νX_∅.p
Let F be a function on 2^S. P ⊆ νX.F(X) iff P ⊆ F(νX.(P ∪ F(X)))
M, s |=V νX_W.p if s ∈ W or, if not, M, s |=V p[νX_{W∪{s}}.p/X]
Tableau System; Fixpoint Equation System
Modal μ-Calculus Satisfiability
The satisfiability problem of the modal μ-calculus is EXPTIME-complete.
If a modal μ-calculus formula is satisfiable, then it is satisfiable by a finite Kripke model.
Modal μ-Calculus Model Checking: O(?)
Symbolic Model Checking
State Space Explosion Problem: reduce the memory requirement by utilizing compact representations of states/transitions
Boolean formulas represent sets and relations
Use fixed point characterizations of CTL operators
Ordered Binary Decision Diagram (OBDD)
(figure: the decision tree of the formula (a1 b1) (a2 b2) under the variable ordering a1, b1, a2, b2, with 0/1 leaves)
Reduced OBDD / Reduced Ordered BDD
(figure: the same diagram reduced step by step, merging isomorphic subgraphs and removing nodes whose two branches coincide, down to the final ROBDD)
Representation for States
States as Boolean Formulas: 2^m states encoded by m proposition variables
State: conjunction of propositions or negated propositions
Set of States: disjunction of the state (encoding) formulas
Example: m = 2, S = {s1, s2, s3, s4}, proposition variables {a, b}
S = {00, 01, 10, 11} = {¬a∧¬b, ¬a∧b, a∧¬b, a∧b}
{s1, s2} = {00, 01} = (¬a∧¬b) ∨ (¬a∧b)
Representation for Transitions
Transitions as Boolean Formulas: (s, s') encoded by two sets of proposition variables
Transition: conjunction of the encodings of s and s'
Set of Transitions: disjunction of the transition (encoding) formulas
Example: (s4, s3) = (11, 10) = a∧b∧a'∧¬b'
Symbolic Model Checking
Atomic Propositions: ROBDD(p) = {s | p ∈ L(s)}
ROBDD(¬p) = negation of ROBDD(p)
ROBDD(p ⊗ q) = ROBDD(p) ⊗ ROBDD(q), where ⊗ is ∧ or ∨
ROBDD(EXp(v)) = ∃v': [p(v') ∧ R(v, v')]
E(pUq) = μZ.[q ∨ (p ∧ EX Z)]
EGp = νZ.[p ∧ EX Z]
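The fixpoint characterizations just given, iterated exactly as the global model checking scheme (S, F(S), F²(S), … for ν; ∅, F(∅), … for μ) prescribes, as an added example that is not the tutorial's code; plain sets of states stand in for ROBDDs, and the model and the names `ex`, `mu`, `nu`, `eu`, `eg` are constructed for the example:

```python
# Added example (not from the tutorial): the fixpoint characterisations of EX, E(pUq) and EGp
# above, computed by the global iteration S, F(S), F^2(S), ... (nu) and {}, F({}), ... (mu).
# Sets of states stand in for the ROBDDs a symbolic checker would use; the model is constructed.
S = frozenset({0, 1, 2, 3, 4})
R = {(0, 1), (1, 2), (2, 3), (3, 1), (3, 4), (4, 4)}
L = {0: {"q"}, 1: {"q"}, 2: {"q"}, 3: {"q", "r"}, 4: {"p"}}

def atom(ap):
    """ROBDD(ap) = {s | ap in L(s)}, here as a set."""
    return frozenset(s for s in S if ap in L[s])

def ex(z):
    """EX Z = {v | exists v': R(v, v') and v' in Z}: the pre-image of Z under R."""
    return frozenset(v for (v, v2) in R if v2 in z)

def iterate(f, start):
    """Apply F until F^i(start) = F^(i+1)(start); returns the whole chain of iterates."""
    chain = [start]
    while True:
        nxt = f(chain[-1])
        if nxt == chain[-1]:
            return chain
        chain.append(nxt)

def mu(f):
    """Least fixpoint: iterate from the empty set."""
    return iterate(f, frozenset())

def nu(f):
    """Greatest fixpoint: iterate from S."""
    return iterate(f, S)

def eu(p, q):
    """E(pUq) = mu Z.[q or (p and EX Z)]"""
    return mu(lambda z: q | (p & ex(z)))[-1]

def eg(p):
    """EGp = nu Z.[p and EX Z]"""
    return nu(lambda z: p & ex(z))[-1]
```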
Genealogy
(figure: a timeline relating Logics of Programs, Temporal/Modal Logics, CTL Model Checking, Symbolic Model Checking, ω-automata/S1S, LTL Model Checking/ATV, Tarski, the μ-Calculus, QBF and BDDs, with the entries Aristotle 300's BCE, Kripke 59, Büchi 60, Park 60's, Floyd/Hoare late 60's, Pnueli late 70's, Clarke/Emerson early 80's, Kurshan and Vardi/Wolper mid 80's, Bryant mid 80's, 50's, late 80's)
Anything Else?
Model Checking
Temporal Logic
Model Checking Algorithms
Symbolic Model Checking
Advanced Topics: Symmetry Reduction, Partial-Order Reduction, Infinite Model Checking
Symmetry Reduction
If the state space is symmetric, explore only a symmetric "quotient" of the state space.
A permutation σ is an automorphism of M if for any s1, s2 ∈ S, R(s1, s2) iff R(σ(s1), σ(s2)).
G is an automorphism group for M iff every permutation σ ∈ G is an automorphism of M.
An automorphism group G is an invariance group for an atomic proposition p iff for any σ ∈ G, s ∈ S, p ∈ L(s) iff p ∈ L(σ(s)).
Quotient Models (G: automorphism group)
Orbit: θ(s) = {t | ∃σ ∈ G: σ(s) = t}
M_G = (S_G, θ(s0), R_G, L_G)
S_G = {θ(s) | s ∈ S}
R_G = {(θ(s1), θ(s2)) | (s1, s2) ∈ R}
L_G(θ(s)) = L(rep(θ(s))), where rep picks a representative of the orbit
If G is an invariance group for all the atomic propositions occurring in a CTL* formula p, then M, s |= p iff M_G, θ(s) |= p.
The orbit problem is as hard as the Graph Isomorphism problem, which is in NP.
Partial Order Reduction
Reduce the number of interleavings of independent concurrent transitions: Enabledness + Commutativity
(figure: the diamond r → s1 → s and r → s2 → s formed by the independent transitions a and b, shown with no reductions, with transitions reduced, and with states reduced)
Stuttering Equivalence
Let M and M' be two stuttering equivalent structures. For every LTL_X property p (LTL without the next operator), M, s |= p iff M', s |= p.
Infinite Model Checking: Verification of Infinite Systems
Unbounded Data Structures: data manipulations on infinite data domains, e.g. integer counters; asynchronous (lossy) channel systems with unbounded FIFO queues; timed automata with real-valued clocks
Unbounded Control Structures: (recursive) procedure calls with unbounded stacks (pushdown automata); parameterized systems with any number of processes; dynamic creation of processes, mobility
Abstract Representation: regular sets, time zones, …
More techniques involved: constraint programming, deductive verification, …
AVIS - International Workshop on Automated Verification of Infinite-State Systems
Still More…
Abstraction; Compositional Verification; Software Model Checking (VeriSoft, SLAM, JPF); Probabilistic Model Checking