Scribd
Upload
48 views53 pages

Tutorial I - An Introduction To Model Checking: Peng WU

- Model checking is a technique for verifying that a model of a system meets given specifications. It involves building a model of the system and using an algorithm to check the model against temporal logic properties. - Temporal logics like LTL and CTL are used to express properties of event orderings over time. Model checking algorithms evaluate if a model satisfies a temporal logic formula. - The document outlines key concepts in model checking including Kripke structures, temporal logics, satisfiability problems, and model checking algorithms for LTL and CTL. Advanced topics like symmetry reduction are also mentioned.

Uploaded by

Houria Ing
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
48 views53 pages

Tutorial I - An Introduction To Model Checking: Peng WU

- Model checking is a technique for verifying that a model of a system meets given specifications. It involves building a model of the system and using an algorithm to check the model against temporal logic properties. - Temporal logics like LTL and CTL are used to express properties of event orderings over time. Model checking algorithms evaluate if a model satisfies a temporal logic formula. - The document outlines key concepts in model checking including Kripke structures, temporal logics, satisfiability problems, and model checking algorithms for LTL and CTL. Advanced topics like symmetry reduction are also mentioned.

Uploaded by

Houria Ing
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 53

Tutorial I – An Introduction to

Model Checking

Peng WU
INRIA Futurs
LIX, École Polytechnique
Outline
 Model Checking
 Temporal Logic
 Model Checking Algorithms
 Symbolic Model Checking
 Advanced Topics
 Symmetry Reduction
 Partial-Order Reduction
 Infinite Model Checking
Principles
Model
(System Requirements) Answer:

Model Yes, if the model satisfies


Checker the specification
Specification
Counterexample, otherwise
(System Property)

 Increase our confidence in the correctness of the


model:
 The model satisfied enough system properties
 Study counterexamples, pinpoint the source of the error,
correct the model, and try again
Kripke Model
 Kripke Structure + Labeling Function
 Let AP be a non-empty set of atomic propositions.
 Kripke Model: M = (S, s0, R, L)

S finite set of states


s0S initial state
RS  S transition relation
L: S→2AP labeling function
Temporal Logics
 Express properties of event orderings in
time
 Linear Time  Branching Time
 Every moment has a unique  Every moment has several
successor successors
 Infinite sequences (words)  Infinite tree
 Linear Temporal Logic (LTL)  Computation Tree Logic (CTL)
Linear Temporal Logic
 (Path) Formulas
 p – atomic proposition
 p, pq, pq
 Op, p, p, pUq, pRq
 Semantics
 M,  |= p if pL(0)
 M,  |= p if not M,  |= p
 M,  |= pq if M,  |= p and M,  |= q
 M,  |= pq if M,  |= p or M,  |= q
LTL
 Semantics
 M,  |= Op if M, 1 |= p
 M,  |= p if i≥0: M, i |= p
 M,  |= p if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j<i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q

M |= p if (M): M, |= p
LTL
 p
p p p p p p

 p
p p p p p p p p p p p...

 pUq
p p p p p p p p p q

 pRq
q q q q q q q q q q,p
LTL Satisfiability
 The satisfiability problem of LTL is
PSPACE-complete.
 If a LTL formula is satisfiable, then the
formula is satisfiable by a finite kripke
model.
 LTL Model Checking: PSAPCE-
complete
LTL Model Checking
 ω-Regular Languages
 ω-Automata
 Finite states
 Representing infinite executions
 Büchi Automata
 <Σ, S, Δ, I, L, F >
 <AP, S, R , {s0}, L> - Kripke Model

M |= p iff L(MA)  L(pA) iff L(MApA)=


LTL Model Checking
We can build a Büchi automaton which
accepts all and only the infinite traces
represented by an LTL formula.
The Büchi automaton is exponential in
the size of the formula.
The complexity of model checking is
proportional to the size of the
automaton.
Computation Tree Logic
 (State) Formulas
 p - atomic proposition
 p, pq, pq
 AXp, EXp, AFp, EFp, AGp, EGp
 A(pUq), E(pUq), A(pRq), E(pRq)
CTL Semantics
 M, s |= p if pL(s)
 M, s |= p if not M, s |= p
 M, s |= pq if M, s |= p and M, s |= q
 M, s |= pq if M, s |= p or M, s |= q

 M, s |= Ap if (s): M,  |= p
 M, s |= Ep if (s): M,  |= p
CTL Semantics
 M,  |= Xp if M, 1 |= p
 M,  |= Fp if i≥0: M, i |= p
 M,  |= Gp if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j< i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q

M |= p if M, s0 |= p
CTL Satisfiability
 The satisfiability problem of CTL is
EXPTIME-complete.
 If a CTL formula is satisfiable, then the
formula is satisfiable by a finite kripke
model.
 CTL Model Checking: O(|p|·(|S|+|R|))
Equivalence
EXp EGp E(pUq)
---------------------------------------------------
AXp  EXp
AFp  EGp
AGp  EFp
A(pRq)  E(pUq)
A(pUq)  E(pRq)

EFp  E(true U p)
E(pRq)  E(qU(pq))EGq
CTL Model Checking
 Six Cases:
 p is an atomic proposition
 p = q
 p = qr
 p = EXq
 p = EGq
 p = E(qUr)
 Extension of L – L’: S →2AP {subformulas of p}
CTL Model Checking
p is an atomic proposition:
L’(s) = L(s)
p = q :
L’(s) = L’(s)  { p } if qL’(s)
p = qr :
L’(s) = L’(s)  { p } if qL’(s) or rL’(s)
p = EX q :
L’(s) = L’(s)  { p } if (s,s’)R: qL’(s’)
E(qUr)
 procedure checkEU(q,r)
T := { s | r  L(s) };
for (all s T) do L’(s) := L(s)  { p };
while (T≠) do
choose s T;
T := T \ {s};
for (all t such that R(t,s)) do
if (p  L’(t) and q  L’(t)) then
q
BFS L’(t) := L(t)  { p };
r
T := T  { t };
Example: E(qUr)

r q

q q q,r
EGq
 procedure checkEG(q)
S’ := { s | q  L(s) };
SCC := { C | C is a non-trivial SCC of S’ };
T := { s | s  some C of SCC };
for (all s T) do L’(s) := L(s)  { p };
while (T≠) do
choose s T;
T := T \ {s};
for (all t such that t  S’ and R(t,s)) do
if (p  L’(t)) then
L’(t) := L(t)  { p };
q
SCC T := T  { t };
EG q
SCC
SCC
Example: EGq

r q

q q q,r
CTL*
 State Formulas
 p – atomic proposition
 p, pq, pq
 Ap, Ep if p is a path formula
 Path Formulas
 p if p is a state formula
 p, pq, pq
 Xp, Fp, Gp, pUq, pRq
CTL* Semantics – State
Formulas
 M, s |= p if pL(s)
 M, s |= p if not M, s |= p
 M, s |= pq if M, s |= p and M, s |= p
 M, s |= pq if M, s |= p or M, s |= p

 M, s |= Ap if (s): M,  |= p
 M, s |= Ep if (s): M,  |= p
CTL* Semantics – Path
Formulas
 M,  |= p if M, 0 |= p
(p is a state formula)
 M,  |= p if not M,  |= p
 M,  |= pq if M,  |= p and M,  |= q
 M,  |= pq if M,  |= p or M,  |= q
CTL* Semantics – Path
Formulas
 M,  |= Xp if M, 1 |= p
 M,  |= Fp if i≥0: M, i |= p
 M,  |= Gp if i≥0: M, i |= p
 M,  |= pUq if i≥0: M, i |= q and
j< i: M, j |= p
 M,  |= pRq if i≥0: M, i |= q or
i≥0: M, i |= p and
j≤i: M, j |= q

For a state formula p: M |= p if M, s0 |= p


CTL* Satisfiability
 The satisfiability problem of CTL* is
2EXPTIME-complete.
 If a CTL* formula is satisfiable, then the
formula is satisfiable by a finite kripke
model.
 CTL* Model Checking: PSAPCE-
complete
Extended Kripke Model
 Kripke Model: (S, s0, R, L)
S finite set of states
s0S initial state
R2S  S finite set of transition relations
L: S→2AP labeling function
 Let aSS range over transition relations in R
 sa={s’ | (s,s’)a}
Modal -Calculus
 (State) Formulas
 p – atomic proposition
 p, pq, pq
 [a]p, ap
 X – proposition variable
 X.p, X.p if all occurrences of X is under
an even number of negations
 Syntactic Monotonicity
Alternation Depth
 top-level ()-subformula
 NOT contained within any other greatest(least) fixpoint
subformula
 Alternation Depth – d
 d(p)=d(p)=d(X)=0
 All negations are applied to propositions.
 d(pq)=d(pq)=max(d(p),d(q))
 d([a]p)=d(ap)=d(p)
 d(X.p)=max(1, d(p), 1+max(…,d(qi),…)), where qi is a top-
level -subformula
 d(X.p)=max(1, d(p), 1+max(…,d(qi),…)) , where qi is a top-
level -subformula
Modal -Calculus - Semantics
 M, s |=V p if pL(s)
 M, s |=V p if not M, s |=V p
 M, s |=V pq if M, s |=V p and M, s |=V p
 M, s |=V pq if M, s |=V p or M, s |=V p
 M, s |=V [a]p if s’sa: M, s’ |=V p
 M, s |=V ap if s’sa: M, s’ |=V p
 M, s |=V X if sV (X)
 M, s |=V X.p if M, s |=V p{X.p /X}?
 M, s |=V X.p if M, s |=V p{X.p /X}?
Global Model Checking
 Denotation Semantics
SV (p) = {s | pL(s)}
SV (p) = S – SV (p)
SV (pq) = SV (p)  SV (q)
SV (pq) = SV (p)  SV (q)
SV ([a]p) = {s | s’sa: s’SV (p)}
SV (ap) = {s | s’sa: s’SV (p)}
SV (X) =V (X)
SV (X.p) = {WS |WSV {XW}(p)}
SV (X.p) = {WS |SV {XW}(p)W}
 Tarski-Knaster Theorem
Global Model Checking
 Global Model Checking
 M, s |= p if sSV (p)
 F(W)= SV {XW}(p)
 X.p
 S, F(S), F (S),…, F (S)=F
2 i i+1(S)

 X.p
 , F(), F (),…, F ()=F
2 i i+1()

 O(|p|·(|S|+|R|)·|S|k)
 k: nesting depth

 Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|)d)
Local Model Checking
 Extension of Modal -Calculus
 XW.p
 X.p  X.p
 Let F be a function on 2S,
PX.F(X) iff PF(X.(PF(X)))
 M, s |=V XW.p if
 sW or, if not, M, s |=V p[XW{s}.p/X]
 Tableau System
 Fixpoint Equation System
Modal -Calculus Satisfiability
 The satisfiability problem of modal -
calculus is EXPTIME-complete.
 If a modal -calculus formula is
satisfiable, then the formula is
satisfiable by a finite kripke model.
 Modal -Calculus Model Checking: O(?)
Symbolic Model Checking
 State Space Explosion Problem
 Reduce memory requirement by
utilizing compact representations of
states/transitions
 Boolean formulas represent sets and
relations
 Use fixed point characterizations of CTL
operators
Ordered Binary Decision
Diagram (OBDD)
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2 a2
0 1 0 1 0 1 0 1
b2 b2 b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced OBDD
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2 a2
0 1 0 1 0 1 0 1
b2 b2 b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 0 1
a2 a2 a2
0 1 0 1 0 1
b2 b2 b2 b2 b2 b2
0 1 0 1 0 1 0 1 0 1 0 1
1 0 0 1 0 0 0 0 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 0 1
a2 a2
0 1 0 1
b2 b2 b2 b2
0 1 0 1 0 1 0 1
1 0 0 1 0 1 0 0 1
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 1 0
a2
0 1
b2 b2
0 1 0 1
1 0 0 1 0
(a1  b1)  (a2  b2)
Reduced Ordered BDD
a1
0 1
b1 b1
0 1 1
a2 0
0 1
b2 b2
0 11 0
1 0
(a1  b1)  (a2  b2)
Representation for States
 States as Boolean Formulas
 2m states encoded by m proposition variables
 State - conjunction of proposition or negative
proposition
 Set of States – conjunction of state (encoding)
formula
Example: m = 2, S={s1,s2,s3,s4}
 Proposition Variables {a, b}
 S={00, 01, 10, 11}={ab, a b, ab, ab}
 {s1,s2}={00, 01}=(ab)(ab)
Representation for Transitions
 Transitions as Boolean Formulas
 (s, s’) encoded by two sets of proposition
variables
 Transition – conjunction of s and s’
 Set of Transitions – conjunction of
transition (encoding) formula
Example
(s4,s3) = (11, 10) = aba’b’
Symbolic Model Checking
 Atomic Propositions
 ROBDD(p) = {s | pL(s)}
 ROBDD(p) = reversion of ROBDD(p)
 ROBDD(pq) = ROBDD (p)ROBDD(q)
  is  or 
 ROBDD(EXp(v)) = v’:[p(v’)R(v, v’)]
 (E(pUq)) = Z.[q(pEX Z)]
 (EGp) = Z.[pEX Z]
Genealogy
Floyd/Hoare Aristotle 300’s BCE
late 60s Kripke 59
Logics of Temporal/
Programs Modal Logics
Büchi, 60
Tarski 50’s
w-automata Pnueli
late 70’s Clarke/Emerson Park, 60’s
S1S Early 80’s
Kurshan Vardi/Wolper -Calculus
mid 80’s CTL Model
LTL Model Checking
Bryant, mid 80’s
ATV
Checking QBF BDD

Symbolic
Model Checking late 80’s
Anything Else?
 Model Checking
 Temporal Logic
 Model Checking Algorithms
 Symbolic Model Checking
 Advanced Topics
 Symmetry Reduction
 Partial Order Reduction
 Infinite Model Checking
Symmetry Reduction
 If state space is symmetric, explore only a
symmetric “quotient” of the state space
 A permutation  is an automorphism of M if
for any s1,s2S,
R(s1,s2)  R((s1), (s2))
 G is an automorphism group for M iff every
permutation G is an automorphism of M.
 An automorphism group G is an invariance
group for an atomic proposition p iff for any
G, sS, pL(s)  pL((s))
Quotient Models
 G – Automorphism Group
 Orbit - (s) = {t | G: (s)=t}
 MG=(SG, (s0), RG, LG)
 SG={(s) | sS}
 RG={((s1), (s2)) | (s1, s2)R}
 LG((s))=L(rep((s))) – representative
 If G is an invariance group for all the atomic
propositions occurring in a CTL* formula p, then
M, s |= p iff MG, (s) |= p
 The orbit problem is as hard as the Graph
Isomorphism problem, which is in NP.
Partial Order Reduction
 Reduce the number of interleavings of
independent concurrent transitions
 Enabledness + Commutativity

s s s
a b a b a

s1 s2 s1 s2 s1

b a b b
r r r

No Reductions Transitions Reduced States Reduced


Stuttering Equivalence

 Let M and M’ be two stuttering


equivalent structures. For every LTL_X
property p, M, s |= p iff M’, s |= p
Infinite Model Checking
 Verification of Infinite Systems
 Unbounded Data Structures
 Data Manipulations on Infinite Data Domains, e.g integer counters
 Asynchronous (Lossy) Channel Systems – unbounded FIFO queues
 Timed Automata - real-valued clocks
 Unbounded Control Structures
 (Recursive) Procedure Call - unbounded stacks (Pushdown Automata)
 Parameterized Systems – any number of processes
 Dynamic Creation of Processes, Mobility
 Abstract Representation
 Regular Sets, Time Zones, …
 More techniques involved
 Constraint Programming, Deductive Verification,…
 AVIS - International Workshop on Automated Verification of
Infinite-State Systems
Still More…
 Abstraction
 Compositional Verification
 Software Model Checking
 VeriSoft, SLAM, JPF
 Probabilistic Model Checking

You might also like