Presentation is loading. Please wait.

Presentation is loading. Please wait.

Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology.

Published byBarnard Higgins Modified over 8 years ago

Similar presentations

Presentation on theme: "Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology."— Presentation transcript:

1 Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology

2 IBM HRL 2 Problem Formulation – General Query Checking What is the property? We have the design: This is not as silly as you might think!

3 IBM HRL 3 Problem: Model Understanding work book Is it “always(request -> eventually(grant))” or “always(request -> next(grant))” or “always((request AND not_busy)-> next(grant))” or “always(request -> next(grant AND busy))” Or maybe something else?

4 IBM HRL 4 Current mode of working: Try properties one after another until you find the right ones Usually, we are looking for the strongest properties that hold in the design Very time- consuming and frustrating Wouldn’t it be nice if an automated process could find the right property for us?

5 IBM HRL 5 A formal specification φ Query Checking was defined by W. Chan in 2000 A mathematical model of the system M (an FSM): Does M satisfy φ ? no counter example yes the system is correct! Model Checking: I only have a vague idea about the right property to check …

6 IBM HRL 6 Query Checking was defined by W. Chan in 2000 A mathematical model of the system M (an FSM): A skeleton of a formal specification – basically a formula with placeholders What is the right φ? A strongest φ with a given skeleton that holds in M I found the property! Query Query Checking:

7 IBM HRL 7 Why this particular setting?  A skeleton gives an idea about the kind of property the verification engineer has in mind  Usually, the skeleton is accompanied by the set of signals, which can be used to turn the skeleton into a property – so no uninteresting signals can appear Model learning Model exploration Strongest invariant

8 IBM HRL 8 Related Work  Definition of query checking for CTL; a subset of CTL for which there is a single solution [Chan]  Solving query checking with alternating automata [Bruns and Godefroid]  Solving query checking with lattices [Gurfinkel, Chechik, and Devereux] All these algorithms use some form of repeated model checking

9 IBM HRL 9 Linear Temporal Logic (LTL) In addition to Boolean operators, has temporal operators: always, eventually, next, and until: always(p AND q) – p AND q are true in all states p until q – on each path, p holds until q holds Preliminaries: Buchi Automata Automata on infinite computations: accept if a path visits an accepting state an infinite number of times p&q A accepts all paths on which p AND q are true in all states: Systems as labeled state-transition graphs (FSM) Each state is labeled with atomic propositions (variables) that are true in this state; all states have outgoing transitions; computations are infinite paths on the graph. A system satisfies a property if all its computations satisfy this property.

10 IBM HRL 10 Model Checking: Construct an automaton B for the negation of the property φ Build the product MxB Check whether it is empty: If it is empty, then M ² φ if not, accepting paths are counterexamples Preliminaries: p&q B is an automaton for the negation of “eventually(¬p OR ¬q)” p p,q q M: MxB is empty M satisfies the property

11 IBM HRL 11 Our contribution: LTL Query Checking  Problem formulation: Given an FSM (Kripke structure) M and an LTL query  [?], both over Σ = 2 AP, find a strongest propositional formula f such that M ²  [? Ã f ] A mathematical model of the system M (an FSM): An LTL query  [?] – an LTL formula with placeholders What is the right  ? A strongest propositional f such that M ²  [? Ã f ] I found the property! The set AP’ of atomic propositions to be used to construct f

12 IBM HRL 12 Why propositional f and why over AP’? Usually, the type of the property is defined by its temporal operators; then, query checking finds a propositional f that fits – for example, “always(?)” can be used to find a strongest invariant AP’ is a subset of signals over which f is constructed What is a “strongest”? Option 1: f is stronger than g if models(f) µ models(g) (that is, f  g) Option 2: f is stronger than g if |models(f)| < |models(g)| Option 3: f is stronger than g if φ[f]  φ[g]

13 IBM HRL 13 Our contribution: LTL Query Checking  We present solutions for all definitions of strongest  The most interesting one is to Option 2:  f is stronger than g if |models(f)| < |models(g)| The solution reduces the query checking problem to an optimization problem in Linear Integer Programming over binary variables (0-1-ILP), or, equivalently, a problem for a Pseudo-Boolean Solver (PBS)

14 IBM HRL 14 Intuition: compute f such that the product of M with the automaton for the negation of φ[f] is empty  Let Σ’ = Σ [ ‘?’ [ ‘ : ?’.  Construct P = M £ B :  over Σ’  In this product ‘?’ and ‘ : ?’ are the same as ‘true’, i.e. they synchronize on everything.  Let Π be the set of lasso-shaped accepting paths in P  We will find the strongest f that eliminates all elements of Π. Solution strategy: essentially, we treat ‘?’ as a wild card

15 IBM HRL 15 Bird’s-eye view of the solution – series of reductions Problem 1: find a strongest f such that the product MxB is empty Problem 2: find a minimum cutting set for a Buchi automaton Problem 3: find a minimum cutting set for a finite automaton for a safety query 0-1 ILP To cut all accepting paths

16 IBM HRL 16 From Problem 2 to Problem 3: Problem 2: find a minimum cutting set for a Buchi automaton Problem 3: find a minimum cutting set for a finite automaton Buchi automaton B with the set of accepting states F of size k B0 B1 B2 Bk...... k transitions from the i-th accepting state of B0 to the copy Bi accepting states are here for safety properties, the Buchi automaton is already a finite automaton

17 IBM HRL 17 Reducing the minimum cutting set of a finite automaton to a 0-1-ILP problem  Each edge in the automaton has its labeling  We only leave edges that exist in the automaton regardless of the value of ‘?’ and edges that can exist depending on the value of ‘?’  With each labeling with a positive occurrence of ‘?’ we associate a positive propositional variable  With each labeling with a negative occurrence of ‘?’ we associate a negated propositional variable  With each state we associate a propositional variable  Constraints:  Initial states are reachable: for each s 0 2 S in. e s 0  Accepting states are unreachable: for each f 2 F. : e f  For each transition, we have: e s Æ e l ! e v  Objective: to minimize Σ e l Solution: f = Ç l for which e l = 1

18 IBM HRL 18 Why is this correct?  f can be represented as DNF where each term represents a full assignment  This corresponds to the truth table of f.  For ¼ 2 ¦, let  g( ¼ - ) = { ¿ | 2 ¼ }  g( ¼ + ) = { ¿ | 2 ¼ + }// sets of assignments  f should contradict at least one edge in each path ¼ 2 ¦  For ¿ 2 g( ¼ - ), it is sufficient that f ² ¿.  For ¿ 2 g( ¼ + ), it is sufficient that f 2 ¿.

19 IBM HRL 19 Example  [?] = eventually(always(?)) :  [?] = always(eventually( : ?)) M: w0w0 w1w1 w2w2 p, : q : p, q p, : q B: s0s0 s1s1 :?:? :?:? ? ? s 0,w 0 s 0,w 1 s 0,w 2 s 1,w 1 s 1,w 2 product automaton

20 IBM HRL 20 0-1-ILP formulation for the example Min e : pq + e p : q subject to 1.e : pq Ç e p : q 2.e : pq Ç e p : q Ç : e p : q 3.e p : q Ç e : pq 4.e p : q Ç e : pq Ç : e : pq 5.e : p q Ç : e p : q 6.e p : q Ç : e : pq Optimal solution = e : pq = e p : q = 1, hence f = : pq Ç p : q = p © q  [f] = eventually(always(p © q)) w0w0 w1w1 w2w2 p, : q : p, q p, : q M: accepting path from the previous slide

21 IBM HRL 21 Complexity Size of the product automaton (= of model checking): O(|B|) = O(|M| ¢ 2 |  ) Solving 0-1-ILP is bound by exponent on the number of variables, which is double-exponential in AP’ – a small subset of variables that are taken into consideration when computing f likely to be more efficient in practice size of the finite automaton

22 IBM HRL 22 In the paper but not in the presentation:  Option 1: f is stronger than g if models(f) µ models(g) (in other words, f  g)  Option 3: f is stronger than g if φ[f]  φ[g] solved using lattices  Multiple placeholders – solved similarly using a 0-1-ILP

23 IBM HRL 23 Summary:  Motivation  Definition of query checking  Introducing query checking for LTL  Automata-based algorithm for computing a strongest solution  Complexity Future work:  More efficient algorithms  Query checking with temporal placeholders  Characterization of queries for which exactly one strongest solution exists

24 IBM HRL 24

25 IBM HRL 25 Questions?

26 IBM HRL 26 Is the system correct? Model Checking A mathematical model of the system M (an FSM): A formal specification ψ Does M satisfy ψ? no counter example yes the system is correct!

Download ppt "Variants of LTL Query Checking Hana ChocklerArie Gurfinkel Ofer Strichman IBM Research SEI Technion Technion - Israel Institute of Technology."

Similar presentations

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.

Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique.
Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.

Metodi formali dello sviluppo software a.a.2013/2014 Prof.Anna Labella.
CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.

CS 267: Automated Verification Lecture 2: Linear vs. Branching time. Temporal Logics: CTL, CTL*. CTL model checking algorithm. Counter-example generation.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Partial Order Reduction: Main Idea

Partial Order Reduction: Main Idea
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
ECE 667 - Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.

ECE Synthesis & Verification - L271 ECE 697B (667) Spring 2006 Synthesis and Verification of Digital Systems Model Checking basics.
1 Generalized Buchi automaton. 2 Reminder: Buchi automata A=  Alphabet (finite). S: States (finite).  : S x  x S ) S is the transition relation. I.

1 Generalized Buchi automaton. 2 Reminder: Buchi automata A=  Alphabet (finite). S: States (finite).  : S x  x S ) S is the transition relation. I.
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
Timed Automata.

Timed Automata.

Similar presentations

Ads by Google