On-the-fly Model Checking from Interval Logic Specifications Manuel I. Capel & Miguel J. Hornos Dept. Lenguajes y Sistemas Informáticos Universidad de Granada (Spain) { mcapel,

Outline of the talk 1. Motivation 2. Context 3. Objectives 4. Specification formalism 5. Algorithm 6. Measurements & conclusions

Motivation + Specification and verification of concurrent systems is difficult + Infinite executions + Large number of different possible executions + Temporal Logics are appropiate formalisms to specify properties of linear behaviour + Difficult to use and understand + Textual representation  Interval logics overcome these difficulties + Intervals facilitate the definition of limited temporal contexts + Graphical representation + Specifications more understandable and intuitive 1. MOTIVATION

Problem context + Finite representation of system’s properties expressed as interval logic formulas + Tableau algorithm that automatically generates the equivalent automaton + No tableau algorithms for model checking on- the-fly (until now…) 2. CONTEXT + Automatic verification of reactive systems  Model checking 1. Build the property automaton A  2. Calculate the system automaton P =  P i 3. Find the product automaton P  A  4. Check non-emptiness of L ( P  A  )  L (A  ) L (P) Counterexamples L (A  )  L (A  ) L (P) L (A  )  Concurrent System P Specification 

Objectives + Classic approach to build a Model Checking tool + Leads to the state explosion problem + Approach to be followed: model checking on-the-fly + Nodes are generated only when are needed by the algorithm + State generation is combined with the search of a counterexample + In many cases, it is not necessary to construct the whole state space + Main objective: Integration of the tableau method with the on- the-fly approach for an interval logic 3. OBJECTIVES

Specification formalism + GIL ( Graphical Interval Logic ) is the specification formalism + Propositional Linear-time Temporal Logic + Interval as the key construct + Types of properties f + Initial property [ ) f + Invariant property [ ) f + Eventuality property [ ) 4. SPECIFICATION FORMALISM

. b1  b2 a1  a c1  c 2. d2 d1 d3 d4 Graphical syntax of GIL + Establishment of specific contexts: intervals + Use of standard operators and nested intervals . a bc d 4. SPECIFICATION FORMALISM

Comparison with LTL a b  c. a aa a d  + Example of a system specification in GIL + Specification of the same behaviour, but in LTL a   ( a U (  a U ((( b   c ) U a ) P a )  d U a )) U ( weak until ), U ( strong until ) and P ( precedes ) defined as f P g =  (  f U g ) + FIL ( Future Interval Logic ) is the formal basis of GIL a   [  a,  a |  a,  a,  a ) (   ( b   c )   d ) 4. SPECIFICATION FORMALISM

Syntax and Semantics of FIL + Restricted Syntax f  p |  f | f 1  f 2 | I f + Default-to-true Semantics + Non-negated interval formula + Either properly satisfied [a|b)c[a|b)c c ab + Negated interval formula + Only can be properly satisfied [a|b)c[a|b)c cc ab + or vacuously satisfied (the null context ocurrs)  The state located by  1 does not precede the state located by  2 + A search fails[a|)F = a[a|)F = a [b|)F =  b[b|)F =  b I  [  1 |  2 ) | [  |  2 ) | [  1 |  )  f |  f,  4. SPECIFICATION FORMALISM

Phase 1: Graph construction + Expansion order: Depth First Search + Analysis of each formula in the field New + The node is updated + The node is divided + The node is discarded + Creation of the transition system from the specification  Input: a FIL specification  + Output: the set Graph_Nodes  Rooted in Gerth et al. ’ s algorithm [8] 5. ALGORITHM

Tableau expansion rules + All the nodes are created from the initial node using expansion rules, such as the following ones: + Expansion rules derived from the reduction relation and the FIL semantics [14], so that:    i (  New  i )  (  New c (  )  X  Next c (  )) 5. ALGORITHM

T {b}{b} {b}{b} N3 N4 N2  M  Incoming ( N )  transition M  N  init  Incoming ( N )  N is an initial node + Label of node N: literals ( Old ( N )) + Output : Graph_Nodes An example of graph construction  Input :   {  [  b |  ) F }  {  b }  5. ALGORITHM

 The graph obtained allows some runs inducing sequences that are not models of the specification  Phase 2: Transforming the graph into the Büchi automaton 5. ALGORITHM + Solution: to impose generalized Büchi acceptance conditions  Acceptance condition (AC) is defined by each set of eventuality formulas that share their last search  AC i {  [  i,1,  i |  ) F,  [  i,2,  i |  ) F, …,  [  i,n,  i |  ) F } + A node satisfies the condition defined by an acceptance set if: + Either if does not promise any of the eventuality formulas in the acceptance set + or it immediately satisfies the eventualities from this set that it promises

Determining the accepting states + Accepting states determination procedure 1. Search all the eventuality formulas in the set Graph 2. Define acceptance conditions 3. A node will satisfy an acceptance condition if it does not contain any of its eventualities in the field Next T {b}{b} {b}{b} N4 N3 N2 AC 0 {  [  b|  ) F } ; N3, N4 sat AC 0  N2  sat AC 0 5. ALGORITHM

Obtaining a single set of accepting states Labelled Generalized Buchi Automaton (S, R, L, I, F), F = {F 1, F 2, …, F k }  S  is accepting iff  F i  F, inf (  )  F i   + Possible scenarios  k = 0, satisfied by formulas of type I F and purely propositional ones + k = 1, the LGBA coincides with an LBA  k > 1, we must obtain a single set of accepting states F  Determination of F  For Büchi automata representing FIL formulas, it always hold that F =  F i 5. ALGORITHM

Measurements of the automaton generation + Quite a bit smaller automata than with global construction ( local automaton + eventuality automaton). + For simple specifications, similar measurements than those obtained with Gerth et al.’s algorithm for LTL.  For complex specifications, FIL formulas are more concise and easier to interpret than LTL ones  less complex automata. 6. MEASUREMENTS & CONCLUSIONS

Conclusions + Algorithm for generating a semantically equivalent automaton from a FIL specification + Improvements on Gerth et al.’s algorithm [8] to obtain smaller automata + Our tableau rules succinctly codify the notion of limited temporal scope + Intended for on-the-fly model checking + Explore the state space in a demand-driven manner + Avoid the whole state space construction + First on-the-fly tableau algorithm for an interval logic 6. MEASUREMENTS & CONCLUSIONS

References + [3] C.Courcoubetis, O.Grumberg and D. Peled “Memory-efficient algorithms for the verification of temporal properties”, Formal Methods in System Design, 1, 1992, pp [8] R.Gerth, P.Peled, M.Y.Vardi, P.Wolper, “Simple On-the-Fly Automatic Verification of Linear Temporal Logic”, Proceedings of the 15 th International Symposium on Protocol Specification, Testing and Verification, Warsaw, Poland, June 1995, pp [9] M.Hornos, M.I. Capel, “Automata Generation for On-the-Fly Automatic Verification Using Formulas of an Interval Logic”, 2 nd International Conference on Application of Concurrency to System Design, Newcastle Upon Tyne, U.K., June 2001, pp [14] Y.S.Ramakrishna, P.M.Melliar-Smith, L.E.Moser and L.K.Dillon and G.Kutty, “Interval Logics and their Decision Procedures. Part I: An Interval Logic”, Theoretical Computer Science, 166, 1996, pp.1-47.

On-the-fly Model Checking from Interval Logic Specifications END OF PRESENTATION Manuel I. Capel & Miguel J. Hornos Dept. Lenguajes y Sistemas Informáticos Universidad de Granada (Spain) { mcapel,