Model Checking Lecture 4

Outline 1 Specifications: logic vs. automata, linear vs. branching, safety vs. liveness 2 Graph algorithms for model checking 3Symbolic algorithms for model checking 4Pushdown systems

Model-checking problem I |= S system model: state-transition graph system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching

Model-Checking Algorithms = Graph Algorithms

Graph Algorithms Given: labeled graph (Q,, A, [ ] ) Cost: each node access and edge access has unit cost Complexity: in terms of |Q| = n...number of nodes | | = m... number of edges Reachability and s.c.c.s: O(m+n)

The Graph-Algorithmic View is Problematic -The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists). -Building an explicit graph representation is exponential, but usually unnecessary (on-the-fly algorithms). -The explicit graph representation may be so big, that the unit-cost model is not realistic. -A class of algorithms, called symbolic algorithms, do not operate on nodes and edges at all.

Symbolic Model-Checking Algorithms Given: a symbolic theory, that is, an abstract data type called region with the following operations: pre, pre, post, post : region region,, \ : region region region, = : region region bool, > < : A region, Q : region

Intended Meaning of Symbolic Theories region...set of states,, \,, =,...set operations = { q Q | [q] = a } >a< = { q Q | [q] a } pre (R) = { q Q | ( r R) q r } pre (R) = { q Q | ( r)( q r r R )} post (R) = { q Q | ( r R) r q } post (R) = { q Q | ( r)( r q r R )}

If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory: region...formula of FO (Vals, Ops),, \,, =,, Q...,,,,, f, t pre (R(X)) = ( X)( Trans(X,X) R(X) ) post (R(X)) = ( X)( R(X) Trans(X,X) ) post (R(X)) = ( X)( Trans(X,X) R(X) )

If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X) is defined using only and -region: quantifier-free formula of (Z,, ) -pre, post: quantifier elimination

An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post,,, \,, =,,, Q -assignment, sequencing, while-do, if-then-else

Example: Reachability a S := R := while R S do S := S R R := pre(R)

A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus a = ( R) (a pre(R))

Syntax of the Mu-Calculus ::= a | a | | | pre( ) | pre( ) | ( R) | ( R) | R pre = R... region variable

Semantics of the Mu-Calculus [[ a ]] E := [[ a ]] E := >a< [[ ]] E := [[ ]] E [[ ]] E [[ pre( ) ]] E := pre( [[ ]] E ) E maps each region variable to a region.

Operational Semantics of the Mu-Calculus [[ ( R) ]] E := S := ; repeat S := S; S := [[ ]] E(R S) until S=S; return S [[ ( R) ]] E := S := Q; repeat S := S; S := [[ ]] E(R S) until S=S; return S

Denotational Semantics of the Mu-Calculus [[ ( R) ]] E := smallest region S such that S = [[ ]] E(R S) [[ ( R) ]] E := largest region S such that S = [[ ]] E(R S) These regions are unique because all operators on regions (,, pre, pre) are monotonic.

a = ( R) (a pre(R)) b U a = ( R) (a (b pre(R))) a = ( R) (a pre(R)) = ( R) ( S) ((a pre(R)) pre(S))

-every / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (| | (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

Binary Decision Diagrams -canonical data structure for representing quantifier- free boolean formulas -equivalence checking in constant time -in practice, model checkers spend more than 90% of their time in pre-image or post-image computation -almost synonymous with symbolic model checking -SAT solvers superior in bounded model checking, which requires no termination (i.e., equivalence) check

Binary Decision Tree -order k boolean variables x 1,..., x k -binary tree of height k+1, each leaf labeled 0 or 1 -leaf of path left, right, right,... gives value of boolean formula if x 1 =0, x 2 =1, x 3 =1, etc.

Truth TableDecision Tree –Vertex represents decision –Follow green (dashed) line for value 0 –Follow red (solid) line for value 1 –Function value determined by leaf value –Along each path, variables occur in the variable order –Along each path, a variable occurs exactly once

(Reduced Ordered) Binary Decision Diagram 1Identify isomorphic subtrees (this gives a dag) 2Eliminate nodes with identical left and right successors 3Eliminate redundant tests For a given boolean formula and variable order, the result is unique. (The choice of variable order may make an exponential difference!)

Merge equivalent leaves aa a Reduction rule #1

y x z x Merge isomorphic nodes y x z x y x z x Reduction rule #2

Eliminate redundant tests y x y Reduction rule #3

Initial graphReduced graph Canonical representation of Boolean function For given variable ordering, two functions equivalent if and only if their graphs are isomorphic Test in linear time (x 1 x 2 ) x 3

Constants Unique unsatisfiable function Unique tautology Variable Treat variable as function Odd parity Linear representation Typical function (x 1 x 2 ) x 4 No vertex labeled x 3 independent of x 3 Many subgraphs shared Examples

Good orderingBad ordering Linear growthExponential growth Effect of variable ordering (a 1 b 1 ) (a 2 b 2 ) (a 3 b 3 )

Bit-serial computer analogy Operation –Read inputs in sequence; produce 0 or 1 as function value. –Store information about previous inputs to correctly deduce function value from remaining inputs. Relation to BDD Size –Processor requires K bits of memory at step i. –BDD has ~2 K branches crossing level i.

K = 2K = n (a 1 b 1 ) (a 2 b 2 ) (a 3 b 3 ) Good orderingBad ordering

Dynamic variable reordering Invented by Richard Rudell, Synopsys Periodically attempt to improve ordering for all BDDs –Part of garbage collection –Move each variable through ordering to find its best location Has proved very successful

Lower bound for multiplication (Bryant 1991) Integer multiplier circuit –n-bit input words A and B –2n-bit output word P Boolean function –Middle bit (n-1) of product Complexity –Exponential BDD for all possible variable orderings Mult n a0a0 a n-1 b0b0 b n-1 p0p0 p n-1 pnpn p 2n-1 Actual Numbers 40,563,945 BDD nodes to represent all outputs of 16-bit multiplier Grows 2.86x per bit of word size Intractable Function

BDD operations,,,, x n ab n.var = x n.false = a n.true = b BDD node - BDD manager maintains a directed acyclic graph of BDD nodes - ite(x,a,b) returns a node with variable x, left child a, and right child b.

if (a = false b = false) return false if (a = true) return b if (b = true) return a if (a = b) return a if (a.var < b.var) return ite(a.var, and(a.false,b), and(a.true,b)) if (b.var < a.var) return ite(b.var, and(a,b.false), and(a,b.true)) // a.var = b.var return ite(a.var, and(a.false,b.false), and(a.true,b.true)) and(a,b) Complexity: O(|a| |b|)

not(a) if (a = true) return false if (a = false) return true return ite(a.var, not(a.false), not(a.true)) Complexity: O(|a|)

cofactor(a,x,p) if (x < a.var) return a if (x > a.var) return ite(a.var, cofactor(a.false,x,p), cofactor(a.true,x,p)) // x = a.var if (p) return a.true else return a.false Complexity: O(|a|)

Operations returning BDD: or(a,b) not(and(not(a),not(b))) exists(a,x) or(cofactor(a,x,false), cofactor(a,x,true)) forall(a,x) and(cofactor(a,x,false), cofactor(a,x,true)) Derived operations Operations returning boolean: implies(a,b) (or(not(a),b) = true) iff(a,b) (a = b)

substitute(a,x,y) Assumptions - a is independent of y - x and y are adjacent in variable order if (a = true a = false) return a if (a.var > x) return a if (a.var < x) return ite(a.var, substitute(a.false,x,y), substitute(a.true,x,y)) if (a.var = x) return ite(y,a.false,a.true)

Symbolic reachability analysis with BDDs Vector of state variables: X = (x 1,…,x n ) Init predicate: I[X] Transition relation: T[X,X] Error predicate: E[X] R[X] = I[X] do { S[X] = R[X] R[X] = exists(and(S[X],T[X,X]), X) R[X] = substitute(R[X],X,X) R[X] = or(R[X],S[X]) } while (R S) Invariant: For each i, x i and x i are adjacent in variable order