Parallel Model Checking Game for CTL. Lecture 6 – 14.5.02. Lecturer: Orna Grumberg.

2 Based on:
- Parallel Model Checking for the Alternation Free μ-Calculus, by Benedict Bollig, Martin Leucker and Michel Weber. Appeared in the conference: TACAS’01
- A book on: Modal and Temporal Properties of Processes, by Colin Stirling

3 Intuitive explanation
The model checking algorithm is based on a two-person game:
- one player, ∃loise, tries to verify the formula on the model
- the other player, ∀belard, tries to falsify it
We first handle only formulas with AX, EX, ∧, and ∨.

4 The players traverse the model starting from a state s.
- If the formula is φ1 ∧ φ2 or φ1 ∨ φ2 and the player is on state t, then the player should decide whether he/she wants to falsify/verify φ1 or φ2 on t.
- If the formula is EX φ or AX φ, then the player should choose the successor of t from which the play will proceed with φ.
- ∀belard plays on AX φ and φ1 ∧ φ2.
- ∃loise plays on EX φ and φ1 ∨ φ2.

5 Example

6 Complexity consideration
- NC is the class of problems that can be solved in polylogarithmic time with polynomially many processes.
- NC is contained in P.
- If we believe that NC ≠ P then P-complete problems cannot be in NC.
- P-complete problems are inherently sequential.

7 Complexity consideration (cont.)
Lemma: The program complexity of alternation free μ-Calculus is P-hard.
- Theoretically we cannot expect a good parallel algorithm for alternation free μ-Calculus.
- In practice, the algorithm suggested in the paper has been implemented and showed good results on many practical problems.
Open question: Does the same result hold for CTL?

8 Remark: DFS is also P-complete and therefore (theoretically) good on-the-fly parallel algorithms should not be expected.

9 CTL in negation normal form
- true, false
- p, ¬p, where p ∈ AP
- φ1 ∧ φ2, φ1 ∨ φ2
- EX φ, AX φ, A(φ1 U φ2), E(φ1 U φ2), A(φ1 V φ2), E(φ1 V φ2)
A(φ1 V φ2) ≡ ¬E(¬φ1 U ¬φ2)
E(φ1 V φ2) ≡ ¬A(¬φ1 U ¬φ2)

10 M, s |= E(φ1 V φ2) iff there is a path s_0 s_1 … with s_0 = s such that for all j ≥ 0, if for every i < j M, s_i ⊭ φ1 then M, s_j |= φ2.
EG φ ≡ E(false V φ)
EF φ ≡ E(true U φ)

11 Model checking game to check M, s |= φ
- A play G for (s, φ) is a sequence C_0 →p0 C_1 →p1 C_2 →p2 … of configurations, where C_0 = (s, φ) and, for all i, C_i ∈ S × Sub(φ) and p_i denotes the player that took the step (∃loise, the Verifier, or ∀belard, the Refuter).
- G(s, φ) is the set of all possible plays.

12 The players do not move alternately.
- The player is determined by the formula in the configuration.
- The player chooses the next move.
- Configurations with no choice can be played by either.

13 Defining the next move
If C_i = (s, true), C_i = (s, false), C_i = (s, a), or C_i = (s, ¬a) for a ∈ AP then the play terminates.
For terminating configurations:
- C_i is an ∃-configuration if C_i = (s, true), or if C_i = (s, a) and a ∈ L(s), or if C_i = (s, ¬a) and a ∉ L(s).
- C_i is a ∀-configuration otherwise.

14 Defining the next move (cont.)
- If C_i = (s, φ1 ∧ φ2) then C_{i+1} = (s, φ1) or C_{i+1} = (s, φ2)
- If C_i = (s, AX φ) then C_{i+1} = (t, φ) for some t s.t. (s, t) ∈ R
- If C_i = (s, φ1 ∨ φ2) then C_{i+1} = (s, φ1) or C_{i+1} = (s, φ2)
- If C_i = (s, EX φ) then C_{i+1} = (t, φ) for some t s.t. (s, t) ∈ R
(s, φ1 ∧ φ2), (s, AX φ) are ∀-configurations.
(s, φ1 ∨ φ2), (s, EX φ) are ∃-configurations.

15 Defining the next move (cont.)
- If C_i = (s, E(φ1 U φ2)) then C_{i+1} = (s, φ2 ∨ (φ1 ∧ EX E(φ1 U φ2)))
- If C_i = (s, A(φ1 U φ2)) then C_{i+1} = (s, φ2 ∨ (φ1 ∧ AX A(φ1 U φ2)))
- If C_i = (s, E(φ1 V φ2)) then C_{i+1} = (s, φ2 ∧ (φ1 ∨ EX E(φ1 V φ2)))
- If C_i = (s, A(φ1 V φ2)) then C_{i+1} = (s, φ2 ∧ (φ1 ∨ AX A(φ1 V φ2)))

16 ∀belard (the Refuter) wins a play if
- The play terminates with (s, a) and a ∉ L(s)
- The play terminates with (s, ¬a) and a ∈ L(s)
- The play sequence is infinite and a formula of the form E(φ1 U φ2) or A(φ1 U φ2) appears in infinitely many configurations

17 ∃loise (the Verifier) wins a play if
- The play terminates with (s, a) and a ∈ L(s)
- The play terminates with (s, ¬a) and a ∉ L(s)
- The play sequence is infinite and a formula of the form E(φ1 V φ2) or A(φ1 V φ2) appears in infinitely many configurations

18 Example
φ = AX ( b  EX a), M=…
- In some of the plays ∃loise wins, in some other plays ∀belard wins.
- ∀belard has a winning strategy: when it is his turn he can choose moves that guarantee his winning, no matter what ∃loise does.

19 Judgements and witnesses
- A ∃/∀-configuration C is a ∃/∀-judgment if no move is possible from it.
- C = (s, φ) is an ∃-witness if φ is of the form E(φ1 V φ2) or A(φ1 V φ2).
- C = (s, φ) is a ∀-witness if φ is of the form E(φ1 U φ2) or A(φ1 U φ2).

20 A strategy
- A strategy for a player p is a set of rules telling the player how to move in a given configuration.
- A winning strategy for p is a strategy that guarantees the winning of p whenever p obeys its rules.

21 Winning strategy and model checking
- If M, s |= φ then ∃loise has a winning strategy starting at (s, φ).
- If M, s ⊭ φ then ∀belard has a winning strategy starting at (s, φ).
Since a formula is either true or false at s, the model checking game is determined, i.e., for every game either ∃loise or ∀belard has a winning strategy.

22 Game graph
The game graph for M, s and φ captures all possible plays for M, s and φ.
- Nodes: all possible configurations
- Edges: all possible moves of the players
- It is an and-or graph where the or-nodes (denoted ∨) are the ∃-configurations and the and-nodes (denoted ∧) are the ∀-configurations
- A play corresponds to a path in the graph and vice versa

23 Theorem: Let (Q, E) be the game graph for M, s and φ. Then there are Q_1,…,Q_m that satisfy:
- Q = ∪ i=1,…,m Q_i and ∀i,j, i ≠ j, Q_i ∩ Q_j = ∅
- The subgraph induced by Q_i is exactly one of:
  (a) a non-trivial maximal strongly connected component (type I).
  (b) a singleton which is a judgment (type II).
  (c) a maximal directed acyclic graph with no judgments (type III).

24
- Every Q_i of type I either contains at least one ∃-witness and no ∀-witness, or contains at least one ∀-witness and no ∃-witness.
- There is a partial order ≤ on the Q_i’s such that for every q ∈ Q_i and q’ ∈ Q_j with an edge from q to q’, Q_j ≤ Q_i.
Thus, moves from a configuration in Q_i lead to configurations in either the same Q_i or a lower Q_j.

25 Proposition: Every strongly connected component of a game graph with more than one element contains at least one witness.

26 Sequential algorithm
- Decides which player has a winning strategy
- Labels configurations in the game graph by
  - green, if ∃loise has a winning strategy from this configuration
  - red, if ∀belard has.

27 Sequential algorithm (cont.)
- It is based on the partial order on the Q_i’s.
- It is also based on the fact that every infinite play gets trapped within a single Q_i (that either contains an ∃-witness or a ∀-witness).

28 The algorithm
Extend the partial order on the Q_i’s to a total order. For the minimal Q_i:
- if it is an ∃-judgment of type II, or it is of type I and contains an ∃-witness, color all nodes with green.
- if it is a ∀-judgment of type II, or it is of type I and contains a ∀-witness, color all nodes with red.

29 The algorithm (cont.)
Once some configuration is colored, the coloring proceeds:
- A ∧-node is colored red if one of its successors is red; it is colored green if all its successors are green.
- A ∨-node is colored green if one of its successors is green; it is colored red if all its successors are red.

30 The algorithm (cont.)
Let Q_j be non-colored, while all Q_i < Q_j are already colored. Then Q_j must be of type I. All its nodes will be colored green if it contains an ∃-witness and red otherwise.

31 Example 1: AX(b  EX a)
Example 2: A(a U b)
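
The sequential coloring algorithm of slides 26–30, as an added Python example that is not part of the lecture. The tuple encoding of formulas, the names `moves`, `judge`, `colour` and `verifier_wins`, and the sample model are assumptions; instead of computing the components Q_i explicitly, the sketch orders uncolored witnesses by formula size, which respects the partial order because moves only lead to subformulas or unfoldings.

```python
# Added example, not from the lecture. NNF formulas are tuples, e.g. ('AU', f, g).
AND_NODES = {'and', 'AX'}        # ∀belard chooses; every other node is an or-node
LEAVES = {'true', 'false', 'ap', 'nap'}

def moves(R, s, f):              # R maps each state to its list of successors
    if f[0] in ('and', 'or'):
        return [(s, f[1]), (s, f[2])]
    if f[0] in ('EX', 'AX'):
        return [(t, f[1]) for t in R[s]]
    if f[0][1:] in ('U', 'V'):   # unfold: U to φ2 ∨ (φ1 ∧ QX ψ), V to φ2 ∧ (φ1 ∨ QX ψ)
        outer, inner = ('or', 'and') if f[0][1] == 'U' else ('and', 'or')
        return [(s, (outer, f[2], (inner, f[1], (f[0][0] + 'X', f))))]
    return []                    # leaf: the play terminates

def judge(L, s, f):              # colour of a leaf; L maps each state to its labels
    sat = f[0] == 'true' or (f[0] != 'false' and (f[1] in L[s]) == (f[0] == 'ap'))
    return 'green' if sat else 'red'

def size(f):
    return 1 + sum(size(g) for g in f[1:] if isinstance(g, tuple))

def colour(R, L, s, phi):        # returns {configuration: 'green' or 'red'}
    graph, todo = {}, [(s, phi)]
    while todo:                  # build the reachable game graph
        c = todo.pop()
        if c not in graph:
            graph[c] = moves(R, *c)
            todo.extend(graph[c])
    col = {c: judge(L, *c) for c in graph if c[1][0] in LEAVES}
    while len(col) < len(graph):
        before = len(col)
        for c in (c for c in graph if c not in col):   # propagate from successors
            quick, slow = ('red', 'green') if c[1][0] in AND_NODES else ('green', 'red')
            seen = [col.get(x) for x in graph[c]]
            new = quick if quick in seen else slow if all(x == slow for x in seen) else None
            if new:
                col[c] = new
        if len(col) == before:   # stuck: smallest uncoloured witnesses, V green, U red
            rest = [c for c in graph if c not in col and c[1][0][1:] in ('U', 'V')]
            k = min((size(c[1]) for c in rest), default=0)
            col.update({c: 'green' if c[1][0][1] == 'V' else 'red' for c in rest if size(c[1]) == k})
    return col

def verifier_wins(R, L, s, phi):
    return colour(R, L, s, phi)[(s, phi)] == 'green'

# Constructed sample model: 0 -> 1, 0 -> 2, 1 -> 1, 2 -> 2.
R = {0: [1, 2], 1: [1], 2: [2]}
L = {0: {'a'}, 1: {'b'}, 2: {'a'}}
```

On this model `verifier_wins(R, L, 0, ('AU', ('ap', 'a'), ('ap', 'b')))` is false, because ∀belard can steer the play into state 2, where the U-witness repeats forever.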

