Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Published byGarrett Gorham Modified over 9 years ago

Similar presentations

Presentation on theme: "Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique."— Presentation transcript:

1 Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique

2 Outline Model Checking Temporal Logic Model Checking Algorithms Symbolic Model Checking Advanced Topics Symmetry Reduction Partial-Order Reduction Infinite Model Checking

3 Principles Increase our confidence in the correctness of the model: The model satisfied enough system properties Study counterexamples, pinpoint the source of the error, correct the model, and try again Model (System Requirements) Specification (System Property) Model Checker Answer: Yes, if the model satisfies the specification Counterexample, otherwise

4 Kripke Model Kripke Structure + Labeling Function Let AP be a non-empty set of atomic propositions. M = (S, s 0, R, L) Kripke Model: M = (S, s 0, R, L) Sfinite set of states s 0  Sinitial state R  S  Stransition relation L: S→2 AP labeling function

5 Temporal Logics Express properties of event orderings in time Linear Time Every moment has a unique successor Infinite sequences (words) Linear Temporal Logic (LTL) Branching Time Every moment has several successors Infinite tree Computation Tree Logic (CTL)

6 Linear Temporal Logic (Path) Formulas p p – atomic proposition  p, p  q, p  q  p, p  q, p  q Op,  p,  p, pUq, pRq Op,  p,  p, pUq, pRq Semantics M,  |= p if p  L(  0 ) M,  |=  p if not M,  |= p M,  |= p  qif M,  |= p and M,  |= q M,  |= p  qif M,  |= p or M,  |= q

7 LTL Semantics M,  |= Op if M,  1 |= p M,  |=  p if  i≥0: M,  i |= p M,  |=  p if  i≥0: M,  i |= p M,  |= pUqif  i≥0: M,  i |= q and  j<i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q M |= pif  (M): M,  |= p

8 LTL  p  p pUq pRq ppppppppppp...pppppppppppppppqqqqqqqqqqq,p

9 LTL Satisfiability The satisfiability problem of LTL is PSPACE-complete. If a LTL formula is satisfiable, then the formula is satisfiable by a finite kripke model. LTL Model Checking: PSAPCE- complete

10 LTL Model Checking ω-Regular Languages ω-Automata Finite states Representing infinite executions Büchi Automata - Kripke Model M |= p iff L(M A )  L(p A ) iff L(M A  p A )= 

11 LTL Model Checking We can build a Büchi automaton which accepts all and only the infinite traces represented by an LTL formula. The Büchi automaton is exponential in the size of the formula. The complexity of model checking is proportional to the size of the automaton.

12 Computation Tree Logic (State) Formulas p p - atomic proposition  p, p  q, p  q  p, p  q, p  q AXp, EXp, AFp, EFp, AGp, EGp AXp, EXp, AFp, EFp, AGp, EGp A(pUq), E(pUq), A(pRq), E(pRq) A(pUq), E(pUq), A(pRq), E(pRq)

13 CTL Semantics M, s |= p if p  L(s) M, s |=  p if not M, s |= p M, s |= p  qif M, s |= p and M, s |= q M, s |= p  qif M, s |= p or M, s |= q M, s |= Ap if  (s): M,  |= p M, s |= Ep if  (s): M,  |= p

14 CTL Semantics M,  |= Xp if M,  1 |= p M,  |= Fp if  i≥0: M,  i |= p M,  |= Gp if  i≥0: M,  i |= p M,  |= pUq if  i≥0: M,  i |= q and  j< i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q M |= pifM, s 0 |= p

15 CTL Satisfiability The satisfiability problem of CTL is EXPTIME-complete. If a CTL formula is satisfiable, then the formula is satisfiable by a finite kripke model. CTL Model Checking: O(|p|·(|S|+|R|))

16 Equivalence EXpEGpE(pUq) --------------------------------------------------- AXp   EX  p AFp   EG  p AGp   EF  p A(pRq)   E(  pU  q) A(pUq)   E(  pR  q) EFp  E(true U p) E(pRq)  E(qU(p  q))  EGq

17 CTL Model Checking Six Cases: p is an atomic proposition p =  q p = q  r p = EXq p = EGq p = E(qUr) Extension of L – L’: S →2 AP  { subformulas of p }

18 CTL Model Checking p is an atomic proposition : L’(s) = L(s) p =  q : L’(s) = L’(s)  { p } if q  L’(s) p = q  r : L’(s) = L’(s)  { p } if q  L’(s) or r  L’(s) p = EX q : L’(s) = L’(s)  { p } if  (s,s’)  R: q  L’(s’)

19 E(qUr) procedure checkEU(q,r) T := { s | r  L(s) }; for (all s  T) do L’(s) := L(s)  { p }; while (T≠  ) do choose s  T; T := T \ {s}; for (all t such that R(t,s)) do if (p  L’(t) and q  L’(t)) then L’(t) := L(t)  { p }; T := T  { t }; r q BFS

20 Example: E(qUr) r qq q q q,r

21 EGq procedure checkEG(q) S’ := { s | q  L(s) }; SCC := { C | C is a non-trivial SCC of S’ }; T := { s | s  some C of SCC }; for (all s  T) do L’(s) := L(s)  { p }; while (T≠  ) do choose s  T; T := T \ {s}; for (all t such that t  S’ and R(t,s)) do if (p  L’(t)) then L’(t) := L(t)  { p }; T := T  { t }; q SCC EG q

22 Example: EGq r qq q q q,r

23 CTL* State Formulas p – atomic proposition  p, p  q, p  q  p, p  q, p  q Ap, Ep Ap, Ep if p is a path formula Path Formulas p p if p is a state formula  p, p  q, p  q  p, p  q, p  q Xp, Fp, Gp, pUq, pRq Xp, Fp, Gp, pUq, pRq

24 CTL* Semantics – State Formulas M, s |= p if p  L(s) M, s |=  p if not M, s |= p M, s |= p  qif M, s |= p and M, s |= p M, s |= p  qif M, s |= p or M, s |= p M, s |= Ap if  (s): M,  |= p M, s |= Ep if  (s): M,  |= p

25 CTL* Semantics – Path Formulas M,  |= p if M,  0 |= p (p is a state formula) M,  |=  p if not M,  |= p M,  |= p  qif M,  |= p and M,  |= q M,  |= p  qif M,  |= p or M,  |= q

26 CTL* Semantics – Path Formulas M,  |= Xp if M,  1 |= p M,  |= Fp if  i≥0: M,  i |= p M,  |= Gp if  i≥0: M,  i |= p M,  |= pUq if  i≥0: M,  i |= q and  j< i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q For a state formula p: M |= p if M, s 0 |= p

27 CTL* Satisfiability The satisfiability problem of CTL* is 2EXPTIME-complete. If a CTL* formula is satisfiable, then the formula is satisfiable by a finite kripke model. CTL* Model Checking: PSAPCE- complete

28 Extended Kripke Model (S, s 0, R, L) Kripke Model: (S, s 0, R, L) Sfinite set of states s 0  Sinitial state R  2 S  S finite set of transition relations L: S→2 AP labeling function Let a  S  S range over transition relations in R s a ={s’ | (s,s’)  a}

29 Modal  -Calculus (State) Formulas p p – atomic proposition  p, p  q, p  q  p, p  q, p  q [a]p,  a  p [a]p,  a  p X X – proposition variable X.p,  X.p X.p,  X.p if all occurrences of X is under an even number of negations Syntactic Monotonicity

30 Alternation Depth  top-level (  )-subformula NOT contained within any other greatest(least) fixpoint subformula Alternation Depth – d p)= d(p)=d(  p)=d(X)=0 All negations are applied to propositions. d(p  q)=d(p  q)=max(d(p),d(q)) d([a]p)=d(  a  p)=d(p) d( X.p)=max(1, d(p), 1+max(…,d(q i ),…)), where q i is a top- level  -subformula d(  X.p)=max(1, d(p), 1+max(…,d(q i ),…)), where q i is a top- level -subformula

31 Modal  -Calculus - Semantics M, s |= V p if p  L(s) M, s |= V  p if not M, s |= V p M, s |= V p  qif M, s |= V p and M, s |= V p M, s |= V p  qif M, s |= V p or M, s |= V p M, s |= V [a]pif  s’  s a : M, s’ |= V p M, s |= V  a  p if  s’  s a : M, s’ |= V p M, s |= V X if s  V (X) M, s |= V X.pif M, s |= V p{ X.p /X}? M, s |= V  X.pif M, s |= V p{  X.p /X}?

32 Global Model Checking Denotation Semantics S V (p) = {s | p  L(s)} S V (  p) = S – S V (p) S V (p  q)= S V (p)  S V (q) S V (p  q)= S V (p)  S V (q) S V ([a]p) = {s |  s’  s a : s’  S V (p)} S V (  a  p) = {s |  s’  s a : s’  S V (p)} S V (X) = V (X) S V ( X.p) =  {W  S |W  S V {X  W} (p)} S V (  X.p) =  {W  S | S V {X  W} (p)  W} Tarski-Knaster Theorem

33 Global Model Checking M, s |= p if s  S V (p) F(W)= S V {X  W} (p) X.p S, F(S), F 2 (S),…, F i (S)=F i+1 (S)  X.p , F(  ), F 2 (  ),…, F i (  )=F i+1 (  ) O(|p|·(|S|+|R|)·|S| k ) k: nesting depth Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|) d )

34 Local Model Checking Extension of Modal  -Calculus X W.p X.p  X .p Let F be a function on 2 S, P  X.F(X) iff P  F( X.(P  F(X))) M, s |= V X W.p if s  W or, if not, M, s |= V p[ X W  {s}.p/X] Tableau System Fixpoint Equation System

35 Modal  -Calculus Satisfiability The satisfiability problem of modal  - calculus is EXPTIME-complete. If a modal  -calculus formula is satisfiable, then the formula is satisfiable by a finite kripke model. Modal  -Calculus Model Checking: O(?)

36 Symbolic Model Checking State Space Explosion Problem Reduce memory requirement by utilizing compact representations of states/transitions Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators

37 Ordered Binary Decision Diagram (OBDD) (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 a2a2 b2b2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b2 b2b2 00110000 0 0 0 0 0 0 0 0 00 0 1 1 1 1 1 1 1 1 11 1 00001001 0 00 01 11 1

38 Reduced OBDD (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 a2a2 b2b2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b2 b2b2 00110000 0 0 0 0 0 0 0 0 00 0 1 1 1 1 1 1 1 1 11 1 00001001 0 00 01 11 1

39 a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b2 00110000 0 0 0 0 0 0 0 00 0 1 1 1 1 1 1 1 11 1 01001 0 0 1 1 Reduced Ordered BDD

40 (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 a2a2 b2b2 b2b2 0011 0 0 0 0 0 0 0 1 1 1 1 1 1 1 01001 0 0 1 1 Reduced Ordered BDD

41 (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 0 0 0 0 1 1 1 1 01001 0 0 1 1 Reduced Ordered BDD

42 (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 0 0 0 1 1 1 01 0 01 1 0 1 Reduced Ordered BDD

43 Representation for States States as Boolean Formulas 2 m states encoded by m proposition variables State - conjunction of proposition or negative proposition Set of States – conjunction of state (encoding) formula Example: m = 2, S={s 1,s 2,s 3,s 4 } Proposition Variables {a, b} S={00, 01, 10, 11}={  a   b,  a  b, a   b, a  b} {s 1,s 2 }={00, 01}=(  a   b)  (  a  b)

44 Representation for Transitions Transitions as Boolean Formulas (s, s’) encoded by two sets of proposition variables Transition – conjunction of s and s’ Set of Transitions – conjunction of transition (encoding) formula Example (s 4,s 3 ) = (11, 10) = a  b  a’  b’

45 Symbolic Model Checking Atomic Propositions ROBDD(p) = {s | p  L(s)} ROBDD(  p) = reversion of ROBDD(p) ROBDD(p  q) = ROBDD (p)  ROBDD(q)  is  or  ROBDD(EXp( v )) =  v’ :[p( v’ )  R( v, v’ )] (E(pUq)) =  Z.[q  (p  EX Z )] (EGp) = Z.[p  EX Z ]

46 Genealogy Logics of Programs Temporal/ Modal Logics CTL Model Checking Symbolic Model Checking  -automata S1S LTL Model Checking ATV Tarski  -Calculus QBFBDD Floyd/Hoare late 60s Aristotle 300’s BCE Kripke 59 Pnueli late 70’s Clarke/Emerson Early 80’s Büchi, 60 Kurshan Vardi/Wolper mid 80’s 50’s Park, 60’s Bryant, mid 80’s late 80’s

47 Anything Else? Model Checking Temporal Logic Model Checking Algorithms Symbolic Model Checking Advanced Topics Symmetry Reduction Partial Order Reduction Infinite Model Checking

48 Symmetry Reduction If state space is symmetric, explore only a symmetric “quotient” of the state space A permutation  is an automorphism of M if for any s 1,s 2  S, R(s 1,s 2 )  R(  (s 1 ),  (s 2 )) G is an automorphism group for M iff every permutation  G is an automorphism of M. An automorphism group G is an invariance group for an atomic proposition p iff for any  G, s  S, p  L(s)  p  L(  (s))

49 Quotient Models G – Automorphism Group Orbit -  (s) = {t |  G:  (s)=t} M G =(S G,  (s 0 ), R G, L G ) S G ={  (s) | s  S} R G ={(  (s 1 ),  (s 2 )) | (s 1, s 2 )  R} L G (  (s))=L(rep(  (s))) – representative If G is an invariance group for all the atomic propositions occurring in a CTL* formula p, then M, s |= p iff M G,  (s) |= p The orbit problem is as hard as the Graph Isomorphism problem, which is in NP.

50 Partial Order Reduction Reduce the number of interleavings of independent concurrent transitions Enabledness + Commutativity r s s2s2 s1s1 a a b b No ReductionsTransitions Reduced States Reduced r s s2s2 s1s1 a b b r s s1s1 a b

51 Stuttering Equivalence Let M and M’ be two stuttering equivalent structures. For every LTL_ X property p, M, s |= p iff M’, s |= p

52 Infinite Model Checking Verification of Infinite Systems Unbounded Data Structures Data Manipulations on Infinite Data Domains, e.g integer counters Asynchronous (Lossy) Channel Systems – unbounded FIFO queues Timed Automata - real-valued clocks Unbounded Control Structures (Recursive) Procedure Call - unbounded stacks (Pushdown Automata) Parameterized Systems – any number of processes Dynamic Creation of Processes, Mobility Abstract Representation Regular Sets, Time Zones, … More techniques involved Constraint Programming, Deductive Verification,… AVIS - International Workshop on Automated Verification of Infinite-State Systems

53 Still More… Abstraction Compositional Verification Software Model Checking VeriSoft, SLAM, JPF Probabilistic Model Checking

Download ppt "Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 

1 Computation Tree Logic (CTL). 2 CTL Syntax P - a set of atomic propositions, every p  P is a CTL formula. f, g, CTL formulae, then so are  f, f 
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.

François Fages MPRI Bio-info 2007 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraint Programming.
LINEAR TEMPORAL LOGIC Fall 2013 Dr. Eric Rozier.

LINEAR TEMPORAL LOGIC Fall 2013 Dr. Eric Rozier.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Temporal Logic and the NuSMV Model Checker CS 680 Formal Methods Jeremy Johnson.

Similar presentations

Ads by Google