Model Checking CS 680 Formal Methods Jeremy Johnson

Outliine Introduction Model checking for CTL Model checking for LTL Labeling Algorithm Example Complexity and “state explosion” Correctness Model checking for LTL Strategy (Automaton for , Combine, Search for path in combined automaton)

Transition System M = (S, , L) S is a set of states  a binary relation on S (transition relation) L : S  𝒫(Atoms) p,q S0 S2 q,r r S1

Tree of Computation Paths p,q S2 q,r r S1 S2 S2 r r S0 p,q S2 r S2 q,r r S1 … … … … … M,s0⊨ GF p  GF r , M,s0⊨ GF r  GF p

Tree of Computation Paths p,q S2 q,r r S1 S2 S2 r r S0 p,q S2 r S2 q,r r S1 … … … … … M,s0⊨ E[(pq)Ur], M,s0⊨ A[pUr]

First Attempt s0 s5 s1 s3 s6 s2 s4 s7 n1n2 s5 s1 t1n2 n1t2 s3 s6 s2 c1n2 t1t2 n1c2 c1t2 t1c2 s4 s7 M,s0⊨ AG[n1  EXt1], M,s0⊨ AG[t1  AFc1]

Second Attempt s0 s5 s1 s3 s9 s6 s2 s4 s7 n1n2 s5 s1 t1n2 n1t2 s3 s9 s6 s2 c1n2 t1t2 t1t2 n1c2 c1t2 t1c2 s4 s7 M,s0⊨ AG[n1  EXt1], M,s0⊨ AG[t1  AFc1]

Properties of CTL Theorem 3.17. A set of temporal connectives in CTL is adequate iff it contains at least one of {AX,EX}, at least one of {EG, AF, AU} and EU. AF     AX AF  EG     EX EG  E[ U ]    (  EX E[ U ])

Labeling Algorithm Determine all states s which satisfy  Label states with subformulas of  starting with the smallest working outwards to  Translate  to use only AF, EU, EX, , ,  : no states are labeled with  p: label s with p if p  L(S) 1  2 : label s with 1  2 if s already labeled with both 1 and 2 : label s with   if s not labeled with 

Labeling Algorithm: AF1 label s with AF1 if any state s is labeled with 1 label s with AF1 Repeat until no change: label any state with AF1 if all successor states are labeled with AF1 AF1 AF1 AF1 AF1 AF1 AF1 AF1

Labeling Algorithm: E[1 U 2] If any state s is labeled with 2 label s with E[1 U 2] Repeat until no change: label any state with E[1 U 2] if it is labeled with 1 and one of its successors is labeled with E[1 U 2] E[1U 2] E[1U 2] E[1U 2] 1 1

Labeling Algorithm: EX1 Label any state s with EX1 if one of its successors is labeled with 1 1 1 EX1

Example: E[c2 U c1] s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 n1t2 c1n2 t1t2 t1t2 n1c2 c1t2 t1c2 s7 s4

Example: E[c2 U c1] * s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 n1t2 c1n2 t1t2 t1t2 n1c2 c1t2 * t1c2 s7 s4

Example: E[c2 U c1] ** s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 t1n2 ** n1t2 c1n2 * t1t2 ** t1t2 n1c2 c1t2 * t1c2 s7 s4

Example: E[c2 U c1] *** s0 s5 s1 s3 s9 s6 s2 s7 s4 n1n2 *** t1n2 ** c1n2 * t1t2 ** t1t2 n1c2 c1t2 * t1c2 s7 s4

Complexity Let f be the number of connectives in  V be the number of states in M E be the number of transitions The computing time for the labeling algorithm is O(fV(E+V))

Labeling Algorithm: EG1 Label all states s with label 1 with EG1 Repeat until no change: delete the label EG1 if none of its successor states are labeled with EG1 EG1 EG1 EG1 EG1 EG1

Efficient Labeling Algorithm It is possible to reduce the complexity to O(f(E+V)) [linear in the size of the model and the size of the formula] Use breadth first search (predecessors) Replace AF by EG and use efficient graph algorithms Restrict graph to states satisfying  Compute strongly connected components (SCC) Use bfs on restricted graph to find any state that can reach an SCC

SAT() function SAT() case  is  : return   is atomic : return {s  S |   L(s) }  is 1 : return S – SAT(1)  is 1  2 : return SAT(1)  SAT(2)  is AF1: return SATAF(1)  is E(1 U 2): return SATEU(1,2)  is EX1: return SATEX(1) end case

SATEX() function SATEX() X := SAT(); Y := pre(X); return Y; pre(X) = {s  S| there is some s’ with s  s’, s’ X} pre(X) = {s  S| for all s’ with s  s’, s’ X}

SATAF() function SATAF() X := S; Y := SAT(); repeat X := Y; Y := Y  pre(X); until X = Y return Y AF𝜑= 𝜑 AX AF 𝜑 AF𝜑 = 𝜑  pre AF𝜑

SATEU(,) function SATEU(,) W := SAT(); X := S; Y := SAT(); repeat X := Y; Y := Y  (W  pre(Y)); until X = Y return Y E[ U ]=  (  EX E[ U ]) E[ U ] =   (   pre E[ U ] )

SATEG() function SATAF() X := ; Y := SAT(); repeat X := Y; Y := Y  pre(Y); until X = Y return Y EG𝜑= 𝜑 EX EG 𝜑 EG𝜑 = 𝜑  pre EG𝜑

Monotone Functions F: P(S)  P(S) F is monotone if X  Y  F(X)  F(Y) X  S is a fixed point if F(X) = X Example S = {s0,s1,s2} F(X) = X  {s0} is monotone Any set containing s0 is a fixed point. {s0} is the least fixed point and S is the greatest fixed point

Correctness of SAT Monotone functions always have a least and greatest fixed point The meaning of EG, AF, and EU can be expressed via monotone functions on P(S) and least and greatest fixed points SATEU and SATAF compute these fixed points and their correctness depends on properties of the fixed points

Knaster-Tarski Theorem Let S = {s0,s1,…,sn} and F: P(S)  P(S) a monotone function, then Fn+1() is the least fixed point and Fn+1(S) is the greatest fixed point. Proof.   F()  F2()  …  Fn+1(). Since S has n+1 points there exists 1  k  n+1 such that Fk+1() = F(Fk()) = Fk(). Now suppose X is a fixed point then   X  F()  F(X) = X. By induction Fi()  F(X) = X, so Fk() = Fn+1() is the least fixed point.

Correctness of SATEG() Theorem 3.25. Let F(X) = 𝜑  pre(X). Then F(X) is monotone and EG𝜑 is the greatest fixed point of F(X). Proof. Show that F(X) is monotone EGφ is a fixed point. Must show that it is the greatest fixed point EGφ = Fn+1(S)

Correctness of SATEG() F(X) = 𝜑  pre(X). Show that if X  Y then F(X)  F(Y). If s0  s1 with s1  X then s1  Y, so pre(X)  pre(Y) and F(X)  F(Y). Show that if F(X) = X then X  EGφ . s0  X  s0  𝜑 and s0  s1 for s1  X By the same argument we have s1  𝜑 and s1  s2 for s2  X. Continuing this way we have an infinite path s0  s1  s2   with si  𝜑 , so s0  EGφ .

Correctness of SATAF() Theorem 3.25. Let F(X) = 𝜑  pre(X). Then F(X) is monotone and AF𝜑 is the least fixed point of F(X). Proof. Exercise.

LTL Model Checking Given M = (S,,L), s  S, and  and LTL formula determine if M,s⊨ , i.e.  satisfied along all paths starting with s. Construct an automaton A that accepts all traces that satisfy  Combine A and M – A transition system whose paths are both paths of the automaton and the system Discover if there is any path from a state corresponding to s. Such a path, if there is one, “is” a path of M which does not satisfy 

Example init(a) := TRUE; init(b) := FALSE; next(a) := case !a : FALSE; b : TRUE; TRUE : {TRUE, FALSE}; esac; next(b) := case a && next(a) : !b; !a : TRUE; LTLSPEC !(a U b) q2 q1 𝑎 𝑏 𝑎 𝑏 a 𝑏 ab q3 q4

A(a U b) q1 q2 𝑎 𝑏  𝑎 𝑏 a 𝑏  ab a 𝑏  q4 q’3 q3

Redrawn M q1 q2 𝑎 𝑏  𝑎 𝑏 a 𝑏  ab a 𝑏  q4 q’3 q3

Combined Automaton q1 q2 𝑎 𝑏 𝑎 𝑏 a 𝑏 ab a 𝑏 q4 q’3 q3