Review of the automata-theoretic approach to model-checking

Overview* Kripke structures Temporal logics: LTL, CTL, CTL* From LTL to Buchi automata Model checking *Thanks for borrowed slides: Orna Grumberg, Ken McMillan

Program verification Given a program and a specification, does the program satisfy the specification? Not decidable! We restrict the problem to a decidable one: Finite-state abstractions Propositional temporal logics

Model Checking MC G(p -> F q) yes no p q p q temporal formula finite-state model algorithm counterexample Model must now represent all behaviors

Finite state systems Hardware designs Communication protocols High level description of non finite state systems Web service abstractions

Properties in temporal logic mutual exclusion: always  ( cs 1  cs 2 ) non starvation: always (request  eventually grant) communication protocols: (  get-message) until send-message

Kripke structures A Kripke structure (S,AP,R,L) consists of –set of states S, atomic propositions AP –set of transitions R  S  S –labeling L  S  AP Example: Kripke model of a program pp p repeat p := true; p := false; end

Kripke structure / transition system a,ba a b,c c a,c a,b b

 =s 0 s 1 s 2... is a run in M from s iff s = s 0 and for every i  0: (s i,s i+1 )  R How to specify properties of runs: temporal logics!

Linear temporal logic: LTL AP – a set of atomic propositions LTL: propositional logic + temporal operators Gp Fp Xp pUq

Examples of LTL properties x=a  y=b  XXXX z=a+b pay B deliver B: “before” liveness: “if input, then eventually output” G (input  F output) strong fairness: “infinitely sent implies infinitely received” GF send  GF receive

Branching time logics: CTL, CTL* Model of time is a tree, not a sequence Path quantifiers A: “for every path” E: “there exists a path” AF p p p p

Computation Tree Logic: CTL Every operator F, G, X, U preceded by A or E Universal modalities: pp p... AG p pppp p pp AF p

CTL, cont... Existential modalities: p p... EG p p p EF p

CTL, cont Other modalities AX p, EX p, A(p U q), E(p U q) Examples: mutual exclusion specs... AG  (C 1  C 2 ) mutual exclusion AG (request  AF grant) non-starvation AG (N 1  EX T 1 ) non-blocking

CTL* Contains both CTL and LTL –path formulas p U q, G p, Fp, Xp,  p, p  q –state formulas A p, E p Note: p in LTL  A p in CTL* CTL* is more powerful than CTL Example: Fairness assumptions A (GF p  GF q)

Model checking complexities CTL LTL O(2 f (V+E)) CTL O(f (V+E)) * = Note: all are linear in model size PSPACE COMPLETE

LTL vs. Buchi automata Buchi automaton: finite-state automaton accepting infinite words by going forever through some accepting state a 1 a 2 a 3 ……………………………… s 0 s 1 s 2 s 3 ………. f ….. f ….. f ….. f….. Languages accepted by Buchi automata: ω-regular

Let φ be an LTL formula with propositions AP. There exists a Buchi automaton B(φ) over alphabet 2 AP accepting exactly the infinite words satisfying φ. Naïve construction: simple recursion on the structure of φ Examples: if φ = X p then B(φ) is if φ = p U q then B(φ) is but: each negation leads to exponential blowup! p q accept p

Smarter way: one-step construction exponential number of states given a state of B(φ) and an input, a next state of B(φ) can be computed in PSPACE with respect to φ

Example: p U q States: consistent sets of subformulas (or their negations) (  ) subformulas p U q,  (p U q), p,  p, q,  q p, q p U q p,  q, p U q p,  q,  (p U q)  p, q, p U q  p  q,  (p U q) States (consistent sets): Intuition: a state contains the formulas satisfied by all accepted infinite runs starting in that state

p,  q, p U q p, q, p U q  p,  q,  (p U q)  p, q, p U q p,  q,  (p U q) all Initial states: all containing p U q Transitions: on assignment in source state

Model checking Input: Kripke structure K LTL formula φ 1.Construct B(  φ) 2.Search for runs of K accepted by B(  φ) 3.If none found, output “yes” otherwise, output counter-example run

Can be done in NPSPACE, so in PSPACE: Non-deterministically generate runs of K  B(  φ) Accept when looping in where S is a state in K and f is an accepting state of B(  φ) Run of K States of B(  φ) s 0 s 1 s 2 … f …. f … Deterministic algorithm: depth-first search + some efficient bookkeeping O(2 |φ| |K|) S

Some other complexities Model checking for CTL: O( | φ| |K|) Satisfiability for CTL: EXPTIME-complete Model checking for CTL*: PSPACE-complete Satisfiability for CTL*: 2-EXPTIME-complete