Presentation is loading. Please wait.

Presentation is loading. Please wait.

Monte Carlo Model Checking Scott Smolka SUNY at Stony Brook Joint work with Radu Grosu Main source of support: ARO – David Hislop.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Monte Carlo Model Checking Scott Smolka SUNY at Stony Brook Joint work with Radu Grosu Main source of support: ARO – David Hislop."— Presentation transcript:

1 Monte Carlo Model Checking Scott Smolka SUNY at Stony Brook Joint work with Radu Grosu Main source of support: ARO – David Hislop

2 Model Checking ? Is system S a model of formula φ?

3 Automata-Theoretic Approach [Vardi & Wolper LICS’86] Büchi automaton is an automaton over infinite words. Acceptance condition: a final state must be visited infinitely often. Every LTL formula  can be translated to a Büchi automaton whose language is set of infinite words satisfying . State transition graph of S can also be viewed as a Büchi automaton.

4 LTL Model Checking Take product B S  B  of: –Büchi automaton for S ’s state transition graph, –Büchi automaton for LTL formula  . Check for emptiness: –L ( B S  B  )   iff L ( B S )  L ( B  )

5 Emptiness Checking Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state. Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! s1s1 s2s2 s3s3 sksk s k-2 s k-1 s k+1 s k+2 s k+3 snsn DFS 2 DFS 1

6 Monte Carlo Approximation Problem: Compute the mean value μ Z of a random variable Z distributed in [0,1] when an exact computation of μ Z proves intractable. with error margin  and confidence ratio . Solution: Compute an ( ,  )-approximation of  Z : Has been used to: approximate permanent of 0-1 valued matrices, volume of convex bodies, and, now, probability that S ⊨  !

7 Original Solution [Karp, Luby & Madras: Journal of Algorithms 1989] Compute as the mean value of N independent random variables (samples) identically distributed according to Z : Compute N using the Zero-One estimator theorem: Problems: is unknown and can be large.

8 Optimal Approx Algorithm (OOA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Compute N using generalized Zero-One estimator: Apply sequential analysis (prediction/correction): 1. Assume  2 is small and compute with SRA( ) 2. Compute  using and 3. Use to correct N and. Expected number of samples is optimal to within a constant factor!

9 Monte Carlo Model Checking Input: Büchi automaton B=(Σ,Q,Q 0,δ,F) Sample Space: lasso-like reachable cycles: –Let U be the set of all lassos, –Let G be the set of all accepting lassos. Probability: p = |G|/|U| of an accepting lasso. Random variable Z having: –outcome 0 with probability p –outcome 1 with probability 1-p

10 Monte Carlo Model Checking Use OAA to produce an ( ε,δ )-approximation of μ Z If B = B S  B  then μ Z is expectation that S ⊨  ! Obtain sample by random walk through B, storing indices of states encountered in hash table. Accepting lasso is a counter-example => One-sided error! We call resulting algorithm MC 2.

11 Monte Carlo Model Checking Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, MC 2 computes an ( ε,δ )- approximation of probability that L(B) = Ø. Theorem: For the model-checking problem S ╞ φ, MC 2 runs in expected time O(N∙(| S | + |φ|)) and uses expected space O(| S | + |φ|). Cf. DDFS which runs in O(2 | S |+|φ| ) time and space.

12 Implementation Implemented DDFS and MC 2 in jMocha model checker for synchronous systems specified using Reactive Modules. Performance and scalability of MC 2 compares very favorably to DDFS. Observed in Dining Philosophers that probability of deadlock freedom increases linearly with number of philosophers.

13 Deadlock freedom: G~(pc1 = wait &…& pcn = wait) Experimental Results

14 Conclusions MC 2 is first randomized, Monte Carlo algorithm for the classical problem of temporal-logic model checking. Future Work: Use BDDs to improve run time. Also, take samples in parallel! Open Problem: Branching-Time Temporal Logic (e.g. CTL, modal mu-calculus).

15 Stopping Rule Algorithm (SRA) [Dagum, Karp, Luby & Ross: SIAM J Comput 2000] Innovation: computes correct N without using Theorem: E[ N ] ≤ 4 ln(2/  ) / μ Z  2 ;  = 4 ln(2/  ) /  2 ; for (N=0, S=0; S≤  ; N++) S=S+Z N ; = S/N; return ; Problem: is in most interesting cases too large.

16 Related Work Heimdahl et al.’s Lurch debugger. Mihail & Papidimitriou (and others) use random walks to sample system state space. Herault et al. use bounded model checking to compute an (ε,δ)-approximation for “positive LTL”. Probabilistic Model Checking of Markov Chains: ETMCC, PRISM, PIOAtool, and other.

17 Starvation freedom: G F (pc1 = eat) Experimental Results

Download ppt "Monte Carlo Model Checking Scott Smolka SUNY at Stony Brook Joint work with Radu Grosu Main source of support: ARO – David Hislop."

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Model Checking and Testing combined

Model Checking and Testing combined
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.

Monte Carlo Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Part 3: Safety and liveness

Part 3: Safety and liveness
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
Timed Automata.

Timed Automata.
1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.

1 Partial Order Reduction. 2 Basic idea P1P1 P2P2 P3P3 a1a1 a2a2 a3a3 a1a1 a1a1 a2a2 a2a2 a2a2 a2a2 a3a3 a3a3 a3a3 a3a3 a1a1 a1a1 3 independent processes.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.

1 Temporal Claims A temporal claim is defined in Promela by the syntax: never { … body … } never is a keyword, like proctype. The body is the same as for.
1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.

1 The Monte Carlo method. 2 (0,0) (1,1) (-1,-1) (-1,1) (1,-1) 1 Z= 1 If  X 2 +Y 2  1 0 o/w (X,Y) is a point chosen uniformly at random in a 2  2 square.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Anna Philippou Department of Computer Science University of Cyprus Joint work with Mauricio Toro Department of Comp. Sc. EAFIT University Christina Kassara.

Anna Philippou Department of Computer Science University of Cyprus Joint work with Mauricio Toro Department of Comp. Sc. EAFIT University Christina Kassara.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture # 11.

Similar presentations

Ads by Google