Presentation on theme: "Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)"— Presentation transcript:
Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B) L(P)=. If so, S satisfies. Otherwise, the intersection includes a counterexample. Repeat for different properties.
Buchi automata ( -automata) S - finite set of states. (B has l n states) S 0 S - initial states. (P has m states) - finite alphabet. (contains p letters) S S - transition relation. F S - accepting states. Accepting run: passes a state in F infinitely often. System automata: F=S, deterministic.
Every element in the product is a counter example for the checked property. b a a a a s2s2 c a s1s1 s3s3 q2q2 q1q1 s 1,q 1 s 1,q 2 s 3,q 2 s 2,q 1 a b c a Acceptance is determined by automaton P.
Testing Unknown deterministic finite state system B. Known: n states and alphabet. An abstract model C of B. C satisfies all the properties we want from B. Check conformance of B and C. Another version: only a bound n on the number of states l is known.
Model Checking / Testing Given Finite state system B. Transition relation of B known. Property represent by automaton P. Check if L(B) L(P)=. Graph theory or BDD techniques. Complexity: polynomial. Unknown Finite state system B. Alphabet and number of states of B or upper bound known. Specification given as an abstract system C. Check if B C. Complexity: polynomial if number states known. Exponential otherwise.
Black box checking Property represent by automaton P. Check if L(B) L(P)=. Graph theory techniques. Unknown Finite state system B. Alphabet and Upper bound on Number of states of B known. Complexity: exponential.
Combination lock automaton Accepts only words with a specific suffix (cdab in the example). s1s1 s2s2 s3s3 s4s4 s5s5 bdca
Conformance testing Cannot distinguish if reduced or not. a b a a b b a b a b
Conformance testing (cont.) When the black box is nondeterministic, we might never test some choices. b a a
Conformance testing (cont.) a bb a a a a b b b a Need: bound on number of states of B. a
Vasilevskii algorithm Known automaton A has l states. Black box automaton has up to n states. Check each transition. Check that there are no "combination lock" errors. Complexity: O(l 2 n p n-l+1 ). When n=l: O(l 3 p).
Experiments aa bb cc reset a a b b c c try b a a b b c c try c fail
Simpler problem: deadlock? Nondeterministic algorithm: guess a path of length n from the initial state to a deadlock state. Linear time, logarithmic space. Deterministic algorithm: systematically try paths of length n, one after the other (and use reset), until deadlock is reached. Exponential time, linear space.
Deadlock complexity Nondeterministic algorithm: Linear time, logarithmic space. Deterministic algorithm: Exponential (p n-1 ) time, linear space. Lower bound: Exponential time (use combination lock automata). How does this conform with what we know about complexity theory?
Modeling black box checking Cannot model using Turing machines: not all the information about B is given. Only certain experiments are allowed. We learn the model as we make the experiments. Can use the model of games of incomplete information.
Games of incomplete information Two players: player, player (here, deterministic). Finitely many configurations C. Including: Initial C i, Winning : W + and W -. An equivalence relation on C (the player cannot distinguish between equivalent states). Labels L on moves (try a, reset, success, fail). The player has the moves labeled the same from configurations that are equivalent. Strategy for the player: will lead to a configuration in W + W -. Cannot distinguish equivalent conf. Nondet. strategy: ends with W +. Can distinguish.
Modeling BBC as games Each configuration contains an automaton and its current state (and more). Moves of the player are labeled with try a, reset... Moves of the -player with success, fail. c 1 c 2 when the automata in c 1 and c 2 would respond in the same way to the experiments so far.
A naive strategy for BBC Learn first the structure of the black box. Then apply the intersection. Enumerate automata with n states (without repeating isomorphic automata). For a current automata and new automata, construct a distinguishing sequence. Only one of them survives. Complexity: O((n+1) p (n+1) /n!)
On-the-fly strategy Systematically (as in the deadlock case), find two sequences v 1 and v 2 of length <=m n. Applying v 1 to P brings us to a state t that is accepting. Applying v 2 to P brings us back to t. Apply v 1 (v 2 ) n+1 to B. If this succeeds, there is a cycle in the intersection labeled with v 2, with t as the P (accepting) component. Complexity: O(n 2 p 2mn m).
Learning an automaton Use Angluins algorithm for learning an automaton. The learning algorithm queries whether some strings are in the automaton B. It can also conjecture an automaton M i and asks for a counterexample. It then generates an automaton with more states M i+1 and so forth.
A strategy based on learning Start the learning algorithm. Queries are just experiments to B. For a conjectured automaton M i, check if M i P = If so, we check conformance of M i with B (Vasilevskii algorithm). If nonempty, it contains some v 1 (v 2 ). We test B with v 1 (v 2 ) n+1. If this succeeds: error, otherwise, this is a counterexample for M i.
Black Box Checking Strategy Incremental learning Comparing counterexample Model Checking Report error No error found black box testing counterexample no counterexample false negative actual error discrepancy conformance established System PathModel
Complexity l - real size of B. n - an upper bound of size of B. p - size of alphabet. Lower bound: reachability is similar to deadlock. O(l 3 p l + l 2 mn) if there is an error. O(l 3 p l + l 2 n p n-l+1 + l 2 mn) if there is no error. If n is not known, check while time allows.
Some experiments Basic system written in SML (by Alex Groce, CMU). Experiment with black box using Unix I/O. Allows model-free model checking of C code with inter-process communication. Compiling tested code in SML with BBC program as one process.
Conclusions Black box checking is a combination of testing and model checking. If a tight bound on size of B is given: learn B first, then do model checking. Tight lower bound on complexity, up to polynomial factor. Use of games of incomplete information to model testing problems.