# © Imperial College LondonPage 1 Model checking and refinement checking for modal transition systems and their cousins MTS meeting 2007 Adam Antonik & Michael.

## Presentation on theme: "© Imperial College LondonPage 1 Model checking and refinement checking for modal transition systems and their cousins MTS meeting 2007 Adam Antonik & Michael."— Presentation transcript:

© Imperial College LondonPage 1 Model checking and refinement checking for modal transition systems and their cousins MTS meeting 2007 Adam Antonik & Michael Huth imperial.ac.uk/quads

© Imperial College LondonPage 2 PART 1 REPORT ON PUBLISHED WORK ON MODEL CHECKING PARTIAL KRIPKE STRUCTURES

© Imperial College LondonPage 3 Partial Kripke structures Often need aggressive abstraction of model prior to model checking Partial state spaces facilitate this, as Kripke structures with 3-valued labeling [Bruns & Godefroid 1999]

© Imperial College LondonPage 4 Abstraction-based model checking Partial Kripke structures have abstraction & refinement notion System = Kripke structure Abstraction = Partial Kripke structure, refined by System Verification Problem: “Do all Kripke structure refinements of Abstraction satisfy formula of mu-calculus?” - If so, System will satisfy it, too. - If not, we may be no wiser.

© Imperial College LondonPage 5 Complexity, Soundness & Incompleteness Verification Problem: “Do all Kripke structure refinements of Abstraction satisfy formula of mu- calculus?” This is EXPTIME-complete in formula, quadratic in model [Bruns & Godefroid 2000] Approximate version of Verification Problem linear in formula/model [Bruns & Godefroid 1999] If approximate version verifies abstraction, system also verified (soundness) If approximate version doesn’t verify abstraction, system may still satisfy considered formula: under-approximation (incompleteness)

© Imperial College LondonPage 6 Refinement = Abstraction -1

© Imperial College LondonPage 7 Example Pointed Kripke structure (N,t1) refines pointed model (M,s1)

© Imperial College LondonPage 8 Formal Verification Problem (M,s) pointed model: M with initial state s holds iff all pointed Kripke structures that refine (M,s) satisfy  holds iff some pointed Kripke structure refines (M,s) and satisfies 

© Imperial College LondonPage 9 Example Judgment holds

© Imperial College LondonPage 10 Counterexample Doesn’t hold: (N,t1) is counterexample

© Imperial College LondonPage 11 Approximate versions of judgments Use semantics similar to labeling algorithm Compositionally evaluate sub-formulas Do this in pessimistic and in optimistic mode for Pessimistic mode: under-approximates Optimistic mode: over-approximates

© Imperial College LondonPage 12 Optimistic (o) and pessimistic (p) approximative semantics for mu-calculus Partial Kripke structure M = (S,R,L)

© Imperial College LondonPage 13 Formal soundness of approximation For sentence  and for set Soudness as two, co-dependent, implications:

© Imperial College LondonPage 14 Incompleteness of approximation If L(s,q) = 1/2, then the tautology holds at state s, but the pessimistic semantics won’t verify this. But pessimistic semantics is complete for many practically relevant property patterns [Antonik & Huth 2006], e.g. “precedence chain: 2 stimuli, 1 response; globally, q and s precede r” patterns.project.cis.ksu.edu

© Imperial College LondonPage 15 Making imprecise patterns precise All patterns at patterns.project.cis.ksu.edu are either complete (already saw an example) or become complete after trivial adjustments: is incomplete for verification, but its semantically equivalent version is complete for verification

© Imperial College LondonPage 16 Semantic self-minimization Sentence  pessimistically self-minimizing: Iff for all pointed models (M,s) Sentence  optimistically self-minimizing: Iff for all pointed models (M,s)

© Imperial College LondonPage 17 Decision Problems OSM = set of optimistically self-minimizing sentences PSM = set of pessimistically self-minimizing sentences VAL = set of valid sentences UNSAT = set of unsatisfiable sentences Study this for mu-calculus, modal logic, and propositional logic.

© Imperial College LondonPage 18 Partition in a picture Negation maps pairs of sets into each other: OSM and PSM I and II III and IV V and itself VI and itself Also, VAL in OSM and disjoint from PSM. Dually, UNSAT in PSM and disjoint from OSM.

© Imperial College LondonPage 19 Set OSM, hardness result Sentence in OSM iff its negation is in PSM So OSM and PSM have same complexity Deciding OSM at least as hard as deciding validity of logic: where x atomic proposition not occuring in  This is desired reduction to VAL:

© Imperial College LondonPage 20 Set OSM, upper bound for mu-calculus For mu-calculus, OSM in 2EXPTIME From  construct two alternating tree automata - exponential blowup in worst case - and then do language inclusion check for these automata - exponential in size of these automata [Godefroid & Huth 2005]: This language inclusion checks “completeness half” of for all pointed models (M,s)

© Imperial College LondonPage 21 Set OSM, upper bound for modal logic For modal logic, OSM in EXPSPACE From  construct two two alternating tree automata as before, and again check Both automata cannot distinguish trees at depths greater than size of  (so called “shallow model property” of modal logic) So the above check is in PSPACE in the size of the automata

© Imperial College LondonPage 22 Set OSM, exact bound for propositional logic Already showed OSM is coNP-hard Show PL - OSM in NP:

© Imperial College LondonPage 23 Summary of results for mu-calculus

© Imperial College LondonPage 24 Summary of results for modal logic

© Imperial College LondonPage 25 Summary of results for propositional logic

© Imperial College LondonPage 26 PART 2 REPORT ON WORK ON REFINEMENT CHECKING OF MODAL TRANSITION SYSTEMS

© Imperial College LondonPage 27 Common implementations For k > 1 pointed modal transition systems (M i,s i ) there is least-fixed point algorithm on their product state space for deciding whether these k models have a common refinement This algorithm is polynomial for fixed k This problem becomes NP-hard for k=2 already if we can name states uniquely with propositions (i.e. “nominals” in “hybrid logic”) This seems to be EXPTIME-complete in k [UNPUBLISHED] There does not exist a unique “most abstract” common refinement in general.

© Imperial College LondonPage 28 Proof sketch for EXPTIME-hardness [unpublished] Relies on EXPTIME = APSPACE Takes alternating-time Turing machine A that computes some EXPTIME-complete problem There is a polynomial P such that each input s of A has circular tape of length P(|s|) For each input s of A, construct k > 1 modal transition systems where k and size of models are polynomial in |s| Show: these k models have common refinement iff A has an accepting run for input s

© Imperial College LondonPage 29 Extensional refinement checking Let (M 1,s 1 ) and (M 2,s 2 ) be pointed modal transition systems. We write I(M i,s i ) for the class of pointed labeled transition systems that refine (M i,s i ). Deciding whether I(M 1,s 1 ) is contained in I(M 2,s 2 ) appears to be PSPACE-hard in the sum of the sizes of M 1 and M 2. [UNPUBLISHED]

© Imperial College LondonPage 30 Proof sketch for PSPACE-hardness [unpublished] QCNF, closed quantified Boolean formulas whose propositional bodies are in conjunctive normal form, e.g.  x  y  z[ (x&!y) || !z || (!x&z)] Computing truth values of QCNF is PSPACE- complete problem Given  in QCNF, construct two modal transition systems N[  ] and M[  ] such that  is false iff I(N[  ],t  )  I(M[  ],s  ) This reduction works also for strict inclusion I(M 1,s 1 )  I(M 2,s 2 ), seems to work for disjunctive modal transition systems, but may not work for I(M 1,s 1 ) = I(M 2,s 2 )

© Imperial College LondonPage 31 Thank you.