Model Checking Lecture 4 Tom Henzinger

Model-Checking Problem I |= S System modelSystem property

-state-transition graph -weak or strong fairness constraints System Model

Temporal logics -STL (finite runs) :  ,  U -CTL (infinite runs) :  ,  U,   -LTL (infinite traces) : , U Automata -specification automata (trace containment) -monitor automata (trace emptiness) -simulation automata (relation between states) System Properties

A Classification of Properties -Finite:  -coFinite:  (safety) -Buchi:  (weak fairness) -coBuchi:  -Streett:  (    )(strong fairness) -Rabin:  (    )

The Omega-Regular Languages (Automata) Streett = Rabin BuchicoBuchiFinitecoFinite counter-free omega-regular (LTL)

Model-Checking Algorithms = Graph Algorithms 1Finite/coFinite: reachability 2Buchi/coBuchi: strongly connected components 3Streett/Rabin: recursive s.c.c.s 4Simulation: relation refinement

Graph Algorithms Given: labeled graph (Q, , A, [ ] ) Cost: each node access and edge access has unit cost Complexity: in terms of |Q| = n...number of nodes |  | = m... number of edges Reachability and s.c.c.s: O(m+n)

The Graph-Algorithmic View is Problematic -The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists). -Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms). -The explicit graph representation may be so big, that the “unit-cost model” is not realistic. -A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.

Symbolic Model-Checking Algorithms Given: a “symbolic theory”, that is, an abstract data type called region with the following operations pre,  pre, post,  post : region  region , , \ : region  region  region , = : region  region  bool, > < : A  region , Q : region

Intended Meaning of Symbolic Theories region...set of states , , \, , =, ...set operations = { q  Q | [q] = a } >a< = { q  Q | [q]  a } pre (R) = { q  Q | (  r  R) q  r }  pre (R) = { q  Q | (  r)( q  r  r  R )} post (R) = { q  Q | (  r  R) r  q }  post (R) = { q  Q | (  r)( r  q  r  R )}

If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory: region...formula of FO (Vals, Ops) , , \, , =, , Q... , ,,  validity,  validity, f, t pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) )  pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) ) post (R(X)) = (  X”)( R(X”)  Trans(X”,X) )  post (R(X)) = (  X”)( Trans(X”,X)  R(X’’) )

If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X’) is defined using only  and  -region: quantifier-free formula of (Z, ,  ) -pre, post: quantifier elimination

An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post, , , \, , =,, , Q -assignment, sequencing, while-do, if-then-else

Example: Reachability   a S :=  R := while R  S do S := S  R R := pre(R)

A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus   a = (  R) (a  pre(R))   a = ( R) (a   pre(R))

Syntax of the Mu-Calculus  ::= a |  a |    |    | pre(  ) |  pre(  ) | (  R)  | ( R)  | R pre =    pre =   R... region variable

Semantics of the Mu-Calculus [[ a ]] E := [[  a ]] E := >a< [[    ]] E := [[  ]] E  [[  ]] E [[    ]] E := [[  ]] E  [[  ]] E [[ pre(  ) ]] E := pre( [[  ]] E ) [[  pre(  ) ]] E :=  pre( [[  ]] E ) E maps each region variable to a region.

Operational Semantics of the Mu-Calculus [[ (  R)  ]] E := S’ :=  ; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S [[ ( R)  ]] E := S’ := Q; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S

Denotational Semantics of the Mu-Calculus [[ (  R)  ]] E := smallest region S such that S = [[  ]] E(R  S) [[ ( R)  ]] E := largest region S such that S = [[  ]] E(R  S) These regions are unique because all operators on regions ( , , pre,  pre) are monotonic.

  a = (  R) (a  pre(R))   a = ( R) (a  pre(R))   a = (  R) (a   pre(R))   a = ( R) (a   pre(R)) b  U a = (  R) (a  (b  pre(R)))   a = ( R) (a  pre(   R )) = ( R) (a  pre( (  S) (R  pre(S)) ))

-every  / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (|  |  (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

Binary Decision Diagrams -canonical data structure for representing quantifier- free boolean formulas -equivalence checking in constant time -in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation -almost synonymous with “symbolic” model checking -SAT solvers competitive in bounded model checking, which requires no termination (i.e., equivalence) check

Binary Decision Tree -order k boolean variables x 1,..., x k -binary tree of height k+1, each leaf labeled 0 or 1 -leaf of path “left, right, right,...” gives value of boolean formula if x 1 =0, x 2 =1, x 3 =1, etc.

Binary Decision Diagram 1Identify isomorphic subtrees (this gives a dag) 2Eliminate nodes with identical left and right successors (for this, nodes need to be labeled with variable names) For a given boolean formula and variable order, the result is unique. (The choice of variable order may make an exponential difference!)

Operations on BDDs ,  : recursive top-down traversal in O(u  v) time if u and v are the number of respective BDD nodes ,  : (  x)  (x) =  (0)   (1) Variable reordering

Deciding Simulation

Relation Refinement Given: state-transition graph (Q, , A, [ ] ) Find: for each state q  Q, the set sim(q)  Q of states that simulate q

for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that t  s & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert if u simulates t, then u  sim(t) } Efficient enumerative implementation: O(m  n)

for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that sim(s)  post(t)   & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert s  sim(s) } {assert if u simulates t and t  sim(s), then u  sim(t) } Equivalent Variation

Symbolic Implementation Partition := { | a  A and   } for each R  Partition do sim(R) := R while there are two regions R, S  Partition such that R  pre(sim(S))   & sim(R)\pre(sim(S))   do R’ := R  pre(sim(S)) ; R’’ := R\pre(sim(S)) Partition := (Partition \ {R})  R’ sim(R’) := sim(R)  pre(sim(S)) if R’’   then Partition := Partition  {R’’}; sim(R’’) := sim(R)

-symbolic algorithm applies also to infinite- state systems -it terminates iff there is a finite quotient so that any two equivalent states simulate each other