Presentation is loading. Please wait.

Presentation is loading. Please wait.

Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property.

Published byTobias West Modified over 8 years ago

Similar presentations

Presentation on theme: "Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property."— Presentation transcript:

1 Model Checking Lecture 4 Tom Henzinger

2 Model-Checking Problem I |= S System modelSystem property

3 -state-transition graph -weak or strong fairness constraints System Model

4 Temporal logics -STL (finite runs) :  ,  U -CTL (infinite runs) :  ,  U,   -LTL (infinite traces) : , U Automata -specification automata (trace containment) -monitor automata (trace emptiness) -simulation automata (relation between states) System Properties

5 A Classification of Properties -Finite:  -coFinite:  (safety) -Buchi:  (weak fairness) -coBuchi:  -Streett:  (    )(strong fairness) -Rabin:  (    )

6 The Omega-Regular Languages (Automata) Streett = Rabin BuchicoBuchiFinitecoFinite counter-free omega-regular (LTL)

7 Model-Checking Algorithms = Graph Algorithms 1Finite/coFinite: reachability 2Buchi/coBuchi: strongly connected components 3Streett/Rabin: recursive s.c.c.s 4Simulation: relation refinement

8 Graph Algorithms Given: labeled graph (Q, , A, [ ] ) Cost: each node access and edge access has unit cost Complexity: in terms of |Q| = n...number of nodes |  | = m... number of edges Reachability and s.c.c.s: O(m+n)

9 The Graph-Algorithmic View is Problematic -The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists). -Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms). -The explicit graph representation may be so big, that the “unit-cost model” is not realistic. -A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.

10 Symbolic Model-Checking Algorithms Given: a “symbolic theory”, that is, an abstract data type called region with the following operations pre,  pre, post,  post : region  region , , \ : region  region  region , = : region  region  bool, > < : A  region , Q : region

11 Intended Meaning of Symbolic Theories region...set of states , , \, , =, ...set operations = { q  Q | [q] = a } >a< = { q  Q | [q]  a } pre (R) = { q  Q | (  r  R) q  r }  pre (R) = { q  Q | (  r)( q  r  r  R )} post (R) = { q  Q | (  r  R) r  q }  post (R) = { q  Q | (  r)( r  q  r  R )}

12 If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory: region...formula of FO (Vals, Ops) , , \, , =, , Q... , ,,  validity,  validity, f, t pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) )  pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) ) post (R(X)) = (  X”)( R(X”)  Trans(X”,X) )  post (R(X)) = (  X”)( Trans(X”,X)  R(X’’) )

13 If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

14 Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

15 Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X’) is defined using only  and  -region: quantifier-free formula of (Z, ,  ) -pre, post: quantifier elimination

16 An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post, , , \, , =,, , Q -assignment, sequencing, while-do, if-then-else

17 Example: Reachability   a S :=  R := while R  S do S := S  R R := pre(R)

18 A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus   a = (  R) (a  pre(R))   a = ( R) (a   pre(R))

19 Syntax of the Mu-Calculus  ::= a |  a |    |    | pre(  ) |  pre(  ) | (  R)  | ( R)  | R pre =    pre =   R... region variable

20 Semantics of the Mu-Calculus [[ a ]] E := [[  a ]] E := >a< [[    ]] E := [[  ]] E  [[  ]] E [[    ]] E := [[  ]] E  [[  ]] E [[ pre(  ) ]] E := pre( [[  ]] E ) [[  pre(  ) ]] E :=  pre( [[  ]] E ) E maps each region variable to a region.

21 Operational Semantics of the Mu-Calculus [[ (  R)  ]] E := S’ :=  ; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S [[ ( R)  ]] E := S’ := Q; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S

22 Denotational Semantics of the Mu-Calculus [[ (  R)  ]] E := smallest region S such that S = [[  ]] E(R  S) [[ ( R)  ]] E := largest region S such that S = [[  ]] E(R  S) These regions are unique because all operators on regions ( , , pre,  pre) are monotonic.

23   a = (  R) (a  pre(R))   a = ( R) (a  pre(R))   a = (  R) (a   pre(R))   a = ( R) (a   pre(R)) b  U a = (  R) (a  (b  pre(R)))   a = ( R) (a  pre(   R )) = ( R) (a  pre( (  S) (R  pre(S)) ))

24 -every  / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (|  |  (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

25 Binary Decision Diagrams -canonical data structure for representing quantifier- free boolean formulas -equivalence checking in constant time -in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation -almost synonymous with “symbolic” model checking -SAT solvers competitive in bounded model checking, which requires no termination (i.e., equivalence) check

26 Binary Decision Tree -order k boolean variables x 1,..., x k -binary tree of height k+1, each leaf labeled 0 or 1 -leaf of path “left, right, right,...” gives value of boolean formula if x 1 =0, x 2 =1, x 3 =1, etc.

27 Binary Decision Diagram 1Identify isomorphic subtrees (this gives a dag) 2Eliminate nodes with identical left and right successors (for this, nodes need to be labeled with variable names) For a given boolean formula and variable order, the result is unique. (The choice of variable order may make an exponential difference!)

28 Operations on BDDs ,  : recursive top-down traversal in O(u  v) time if u and v are the number of respective BDD nodes ,  : (  x)  (x) =  (0)   (1) Variable reordering

29 Deciding Simulation

30 Relation Refinement Given: state-transition graph (Q, , A, [ ] ) Find: for each state q  Q, the set sim(q)  Q of states that simulate q

31 for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that t  s & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert if u simulates t, then u  sim(t) } Efficient enumerative implementation: O(m  n)

32 for each t  Q do sim(t) := { u  Q | [u] = [t] } while there are three states s, t, u such that sim(s)  post(t)   & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert s  sim(s) } {assert if u simulates t and t  sim(s), then u  sim(t) } Equivalent Variation

33 Symbolic Implementation Partition := { | a  A and   } for each R  Partition do sim(R) := R while there are two regions R, S  Partition such that R  pre(sim(S))   & sim(R)\pre(sim(S))   do R’ := R  pre(sim(S)) ; R’’ := R\pre(sim(S)) Partition := (Partition \ {R})  R’ sim(R’) := sim(R)  pre(sim(S)) if R’’   then Partition := Partition  {R’’}; sim(R’’) := sim(R)

34 -symbolic algorithm applies also to infinite- state systems -it terminates iff there is a finite quotient so that any two equivalent states simulate each other

Download ppt "Model Checking Lecture 4 Tom Henzinger. Model-Checking Problem I |= S System modelSystem property."

Similar presentations

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.

Model Checking Lecture 4. Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking.
Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.

Model Checking Lecture 3. Specification Automata Syntax, given a set A of atomic observations: Sfinite set of states S 0 Sset of initial states S S transition.
Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.

Model Checking Lecture 2. Three important decisions when choosing system properties: 1automata vs. logic 2branching vs. linear time 3safety vs. liveness.
Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.

Automatic Verification Book: Chapter 6. How can we check the model? The model is a graph. The specification should refer the the graph representation.
Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.

Representing Boolean Functions for Symbolic Model Checking Supratik Chakraborty IIT Bombay.
M ODEL CHECKING -Vasvi Kakkad University of Sydney.

M ODEL CHECKING -Vasvi Kakkad University of Sydney.
Algorithmic Software Verification VII. Computation tree logic and bisimulations.

Algorithmic Software Verification VII. Computation tree logic and bisimulations.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.

Planning based on Model Checking Dept. of Information Systems and Applied CS Bamberg University Seminar Paper Svetlana Balinova.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.

An Introduction to the Model Verifier verds Wenhui Zhang September 15 th, 2010.
François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.

François Fages MPRI Bio-info 2006 Formal Biology of the Cell Modeling, Computing and Reasoning with Constraints François Fages, Constraints Group, INRIA.
Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.

Game-theoretic approach to the simulation checking problem Peter Bulychev Vladimir Zakharov Lomonosov Moscow State University.
UPPAAL Introduction Chien-Liang Chen.

UPPAAL Introduction Chien-Liang Chen.
Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?

Hybrid Systems Presented by: Arnab De Anand S. An Intuitive Introduction to Hybrid Systems Discrete program with an analog environment. What does it mean?
A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)

A Fixpoint Calculus for Local and Global Program Flows Swarat Chaudhuri, U.Penn (with Rajeev Alur and P. Madhusudan)
SYMBOLIC MODEL CHECKING: 10 20 STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.

SYMBOLIC MODEL CHECKING: STATES AND BEYOND J.R. Burch E.M. Clarke K.L. McMillan D. L. Dill L. J. Hwang Presented by Rehana Begam.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.

Review of topics Final exam : -May 2nd to May 7 th - Projects due on May 7th.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

Similar presentations

Ads by Google