Tutorial I – An Introduction to Model Checking Peng WU INRIA Futurs LIX, École Polytechnique

Outline Model Checking Temporal Logic Model Checking Algorithms Symbolic Model Checking Advanced Topics Symmetry Reduction Partial-Order Reduction Infinite Model Checking

Principles Increase our confidence in the correctness of the model: The model satisfied enough system properties Study counterexamples, pinpoint the source of the error, correct the model, and try again Model (System Requirements) Specification (System Property) Model Checker Answer: Yes, if the model satisfies the specification Counterexample, otherwise

Kripke Model Kripke Structure + Labeling Function Let AP be a non-empty set of atomic propositions. M = (S, s 0, R, L) Kripke Model: M = (S, s 0, R, L) Sfinite set of states s 0  Sinitial state R  S  Stransition relation L: S→2 AP labeling function

Temporal Logics Express properties of event orderings in time Linear Time Every moment has a unique successor Infinite sequences (words) Linear Temporal Logic (LTL) Branching Time Every moment has several successors Infinite tree Computation Tree Logic (CTL)

Linear Temporal Logic (Path) Formulas p p – atomic proposition  p, p  q, p  q  p, p  q, p  q Op,  p,  p, pUq, pRq Op,  p,  p, pUq, pRq Semantics M,  |= p if p  L(  0 ) M,  |=  p if not M,  |= p M,  |= p  qif M,  |= p and M,  |= q M,  |= p  qif M,  |= p or M,  |= q

LTL Semantics M,  |= Op if M,  1 |= p M,  |=  p if  i≥0: M,  i |= p M,  |=  p if  i≥0: M,  i |= p M,  |= pUqif  i≥0: M,  i |= q and  j<i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q M |= pif  (M): M,  |= p

LTL  p  p pUq pRq ppppppppppp...pppppppppppppppqqqqqqqqqqq,p

LTL Satisfiability The satisfiability problem of LTL is PSPACE-complete. If a LTL formula is satisfiable, then the formula is satisfiable by a finite kripke model. LTL Model Checking: PSAPCE- complete

LTL Model Checking ω-Regular Languages ω-Automata Finite states Representing infinite executions Büchi Automata - Kripke Model M |= p iff L(M A )  L(p A ) iff L(M A  p A )= 

LTL Model Checking We can build a Büchi automaton which accepts all and only the infinite traces represented by an LTL formula. The Büchi automaton is exponential in the size of the formula. The complexity of model checking is proportional to the size of the automaton.

Computation Tree Logic (State) Formulas p p - atomic proposition  p, p  q, p  q  p, p  q, p  q AXp, EXp, AFp, EFp, AGp, EGp AXp, EXp, AFp, EFp, AGp, EGp A(pUq), E(pUq), A(pRq), E(pRq) A(pUq), E(pUq), A(pRq), E(pRq)

CTL Semantics M, s |= p if p  L(s) M, s |=  p if not M, s |= p M, s |= p  qif M, s |= p and M, s |= q M, s |= p  qif M, s |= p or M, s |= q M, s |= Ap if  (s): M,  |= p M, s |= Ep if  (s): M,  |= p

CTL Semantics M,  |= Xp if M,  1 |= p M,  |= Fp if  i≥0: M,  i |= p M,  |= Gp if  i≥0: M,  i |= p M,  |= pUq if  i≥0: M,  i |= q and  j< i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q M |= pifM, s 0 |= p

CTL Satisfiability The satisfiability problem of CTL is EXPTIME-complete. If a CTL formula is satisfiable, then the formula is satisfiable by a finite kripke model. CTL Model Checking: O(|p|·(|S|+|R|))

Equivalence EXpEGpE(pUq) AXp   EX  p AFp   EG  p AGp   EF  p A(pRq)   E(  pU  q) A(pUq)   E(  pR  q) EFp  E(true U p) E(pRq)  E(qU(p  q))  EGq

CTL Model Checking Six Cases: p is an atomic proposition p =  q p = q  r p = EXq p = EGq p = E(qUr) Extension of L – L’: S →2 AP  ｛ subformulas of p ｝

CTL Model Checking p is an atomic proposition ： L’(s) = L(s) p =  q ： L’(s) = L’(s)  { p } if q  L’(s) p = q  r ： L’(s) = L’(s)  { p } if q  L’(s) or r  L’(s) p = EX q ： L’(s) = L’(s)  { p } if  (s,s’)  R: q  L’(s’)

E(qUr) procedure checkEU(q,r) T := { s | r  L(s) }; for (all s  T) do L’(s) := L(s)  { p }; while (T≠  ) do choose s  T; T := T \ {s}; for (all t such that R(t,s)) do if (p  L’(t) and q  L’(t)) then L’(t) := L(t)  { p }; T := T  { t }; r q BFS

Example: E(qUr) r qq q q q,r

EGq procedure checkEG(q) S’ := { s | q  L(s) }; SCC := { C | C is a non-trivial SCC of S’ }; T := { s | s  some C of SCC }; for (all s  T) do L’(s) := L(s)  { p }; while (T≠  ) do choose s  T; T := T \ {s}; for (all t such that t  S’ and R(t,s)) do if (p  L’(t)) then L’(t) := L(t)  { p }; T := T  { t }; q SCC EG q

Example: EGq r qq q q q,r

CTL* State Formulas p – atomic proposition  p, p  q, p  q  p, p  q, p  q Ap, Ep Ap, Ep if p is a path formula Path Formulas p p if p is a state formula  p, p  q, p  q  p, p  q, p  q Xp, Fp, Gp, pUq, pRq Xp, Fp, Gp, pUq, pRq

CTL* Semantics – State Formulas M, s |= p if p  L(s) M, s |=  p if not M, s |= p M, s |= p  qif M, s |= p and M, s |= p M, s |= p  qif M, s |= p or M, s |= p M, s |= Ap if  (s): M,  |= p M, s |= Ep if  (s): M,  |= p

CTL* Semantics – Path Formulas M,  |= p if M,  0 |= p (p is a state formula) M,  |=  p if not M,  |= p M,  |= p  qif M,  |= p and M,  |= q M,  |= p  qif M,  |= p or M,  |= q

CTL* Semantics – Path Formulas M,  |= Xp if M,  1 |= p M,  |= Fp if  i≥0: M,  i |= p M,  |= Gp if  i≥0: M,  i |= p M,  |= pUq if  i≥0: M,  i |= q and  j< i: M,  j |= p M,  |= pRq if  i≥0: M,  i |= q or  i≥0: M,  i |= p and  j≤i: M,  j |= q For a state formula p: M |= p if M, s 0 |= p

CTL* Satisfiability The satisfiability problem of CTL* is 2EXPTIME-complete. If a CTL* formula is satisfiable, then the formula is satisfiable by a finite kripke model. CTL* Model Checking: PSAPCE- complete

Extended Kripke Model (S, s 0, R, L) Kripke Model: (S, s 0, R, L) Sfinite set of states s 0  Sinitial state R  2 S  S finite set of transition relations L: S→2 AP labeling function Let a  S  S range over transition relations in R s a ={s’ | (s,s’)  a}

Modal  -Calculus (State) Formulas p p – atomic proposition  p, p  q, p  q  p, p  q, p  q [a]p,  a  p [a]p,  a  p X X – proposition variable X.p,  X.p X.p,  X.p if all occurrences of X is under an even number of negations Syntactic Monotonicity

Alternation Depth  top-level (  )-subformula NOT contained within any other greatest(least) fixpoint subformula Alternation Depth – d p)= d(p)=d(  p)=d(X)=0 All negations are applied to propositions. d(p  q)=d(p  q)=max(d(p),d(q)) d([a]p)=d(  a  p)=d(p) d( X.p)=max(1, d(p), 1+max(…,d(q i ),…)), where q i is a top- level  -subformula d(  X.p)=max(1, d(p), 1+max(…,d(q i ),…)), where q i is a top- level -subformula

Modal  -Calculus - Semantics M, s |= V p if p  L(s) M, s |= V  p if not M, s |= V p M, s |= V p  qif M, s |= V p and M, s |= V p M, s |= V p  qif M, s |= V p or M, s |= V p M, s |= V [a]pif  s’  s a : M, s’ |= V p M, s |= V  a  p if  s’  s a : M, s’ |= V p M, s |= V X if s  V (X) M, s |= V X.pif M, s |= V p{ X.p /X}? M, s |= V  X.pif M, s |= V p{  X.p /X}?

Global Model Checking Denotation Semantics S V (p) = {s | p  L(s)} S V (  p) = S – S V (p) S V (p  q)= S V (p)  S V (q) S V (p  q)= S V (p)  S V (q) S V ([a]p) = {s |  s’  s a : s’  S V (p)} S V (  a  p) = {s |  s’  s a : s’  S V (p)} S V (X) = V (X) S V ( X.p) =  {W  S |W  S V {X  W} (p)} S V (  X.p) =  {W  S | S V {X  W} (p)  W} Tarski-Knaster Theorem

Global Model Checking M, s |= p if s  S V (p) F(W)= S V {X  W} (p) X.p S, F(S), F 2 (S),…, F i (S)=F i+1 (S)  X.p , F(  ), F 2 (  ),…, F i (  )=F i+1 (  ) O(|p|·(|S|+|R|)·|S| k ) k: nesting depth Emerson-Lei: O(|p|·(|S|+|R|)·(|p|·|S|) d )

Local Model Checking Extension of Modal  -Calculus X W.p X.p  X .p Let F be a function on 2 S, P  X.F(X) iff P  F( X.(P  F(X))) M, s |= V X W.p if s  W or, if not, M, s |= V p[ X W  {s}.p/X] Tableau System Fixpoint Equation System

Modal  -Calculus Satisfiability The satisfiability problem of modal  - calculus is EXPTIME-complete. If a modal  -calculus formula is satisfiable, then the formula is satisfiable by a finite kripke model. Modal  -Calculus Model Checking: O(?)

Symbolic Model Checking State Space Explosion Problem Reduce memory requirement by utilizing compact representations of states/transitions Boolean formulas represent sets and relations Use fixed point characterizations of CTL operators

Ordered Binary Decision Diagram (OBDD) (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 a2a2 b2b2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b2 b2b

Reduced OBDD (a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 a2a2 b2b2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b2 b2b

a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 a2a2 a2a2 b2b2 b2b2 b2b2 b2b Reduced Ordered BDD

(a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b2 a2a2 b2b2 b2b Reduced Ordered BDD

(a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b Reduced Ordered BDD

(a 1  b 1 )  (a 2  b 2 ) a1a1 b1b1 b1b1 a2a2 b2b2 b2b Reduced Ordered BDD

Representation for States States as Boolean Formulas 2 m states encoded by m proposition variables State - conjunction of proposition or negative proposition Set of States – conjunction of state (encoding) formula Example: m = 2, S={s 1,s 2,s 3,s 4 } Proposition Variables {a, b} S={00, 01, 10, 11}={  a   b,  a  b, a   b, a  b} {s 1,s 2 }={00, 01}=(  a   b)  (  a  b)

Representation for Transitions Transitions as Boolean Formulas (s, s’) encoded by two sets of proposition variables Transition – conjunction of s and s’ Set of Transitions – conjunction of transition (encoding) formula Example (s 4,s 3 ) = (11, 10) = a  b  a’  b’

Symbolic Model Checking Atomic Propositions ROBDD(p) = {s | p  L(s)} ROBDD(  p) = reversion of ROBDD(p) ROBDD(p  q) = ROBDD (p)  ROBDD(q)  is  or  ROBDD(EXp( v )) =  v’ :[p( v’ )  R( v, v’ )] (E(pUq)) =  Z.[q  (p  EX Z )] (EGp) = Z.[p  EX Z ]

Genealogy Logics of Programs Temporal/ Modal Logics CTL Model Checking Symbolic Model Checking  -automata S1S LTL Model Checking ATV Tarski  -Calculus QBFBDD Floyd/Hoare late 60s Aristotle 300’s BCE Kripke 59 Pnueli late 70’s Clarke/Emerson Early 80’s Büchi, 60 Kurshan Vardi/Wolper mid 80’s 50’s Park, 60’s Bryant, mid 80’s late 80’s

Anything Else? Model Checking Temporal Logic Model Checking Algorithms Symbolic Model Checking Advanced Topics Symmetry Reduction Partial Order Reduction Infinite Model Checking

Symmetry Reduction If state space is symmetric, explore only a symmetric “quotient” of the state space A permutation  is an automorphism of M if for any s 1,s 2  S, R(s 1,s 2 )  R(  (s 1 ),  (s 2 )) G is an automorphism group for M iff every permutation  G is an automorphism of M. An automorphism group G is an invariance group for an atomic proposition p iff for any  G, s  S, p  L(s)  p  L(  (s))

Quotient Models G – Automorphism Group Orbit -  (s) = {t |  G:  (s)=t} M G =(S G,  (s 0 ), R G, L G ) S G ={  (s) | s  S} R G ={(  (s 1 ),  (s 2 )) | (s 1, s 2 )  R} L G (  (s))=L(rep(  (s))) – representative If G is an invariance group for all the atomic propositions occurring in a CTL* formula p, then M, s |= p iff M G,  (s) |= p The orbit problem is as hard as the Graph Isomorphism problem, which is in NP.

Partial Order Reduction Reduce the number of interleavings of independent concurrent transitions Enabledness + Commutativity r s s2s2 s1s1 a a b b No ReductionsTransitions Reduced States Reduced r s s2s2 s1s1 a b b r s s1s1 a b

Stuttering Equivalence Let M and M’ be two stuttering equivalent structures. For every LTL_ X property p, M, s |= p iff M’, s |= p

Infinite Model Checking Verification of Infinite Systems Unbounded Data Structures Data Manipulations on Infinite Data Domains, e.g integer counters Asynchronous (Lossy) Channel Systems – unbounded FIFO queues Timed Automata - real-valued clocks Unbounded Control Structures (Recursive) Procedure Call - unbounded stacks (Pushdown Automata) Parameterized Systems – any number of processes Dynamic Creation of Processes, Mobility Abstract Representation Regular Sets, Time Zones, … More techniques involved Constraint Programming, Deductive Verification,… AVIS - International Workshop on Automated Verification of Infinite-State Systems

Still More… Abstraction Compositional Verification Software Model Checking VeriSoft, SLAM, JPF Probabilistic Model Checking