μ-Calculus. Based on: "Model Checking", E. Clarke and O. Grumberg (ch. 6, 7); "Symbolic Model Checking: 10^20 States and Beyond", Burch, Clarke, et al.; "Introduction to Modal Mu-Calculi", J. Bradfield and C. Stirling.

Agenda: Review; Some fixpoint theory; Syntax and semantics of μ-Calculus; Examples; Symbolic Model Checking; Applications.

Reminder: Kripke Structure. M = (S, R, L): S is a finite set of states, R ⊆ S × S the transition relation, L : S → 2^AP the labelling. As in Clarke and Grumberg, R is assumed total (every state has at least one successor), so every state starts an infinite path. The slide's example has four states labelled p, {p, q}, {p, q} and q over AP = {p, q}.

Reminder: CTL* (I). State formulae: every p ∈ AP is a state formula; if f and g are state formulae, so are ¬f, f ∧ g and f ∨ g; if f is a path formula, then Af and Ef are state formulae.

Reminder: CTL* (II). Path formulae: every state formula is also a path formula; if f and g are path formulae, so are ¬f, f ∧ g, f ∨ g, X f (next), G f (globally), F f (finally), f U g (until) and f W g (weak until). The slide illustrates each operator on a sample path: G f has f at every state, F f has f at some state, f U g has f at every state up to one with g, and f W g is f U g or G f.

Fixpoints: definitions (I). The power-set lattice: defined over P(S) for some finite set S, with partial order ⊆. Example, P({1, 2, 3}) drawn as a Hasse diagram: ∅ at the bottom; {1}, {2}, {3} above it; {1, 2}, {1, 3}, {2, 3} above those; {1, 2, 3} at the top.

Fixpoints: definitions (II). A predicate transformer is a function τ : P(S) → P(S). F ∈ P(S) is a fixpoint of τ iff τ(F) = F.

Fixpoints: definitions (III). F ∈ P(S) is a least fixpoint of τ iff F is a fixpoint of τ and, for every fixpoint G of τ, F ⊆ G. Notation: μX. τ(X). F ∈ P(S) is a greatest fixpoint of τ iff F is a fixpoint of τ and, for every fixpoint G of τ, G ⊆ F. Notation: νX. τ(X).

Fixpoint properties (I). Is there always a fixpoint? No. E.g. S = {1}, P(S) = {∅, {1}}, τ(∅) = {1}, τ({1}) = ∅: τ swaps the two elements of the lattice and fixes neither.

Fixpoint properties (II). If there is a fixpoint, is there always a least fixpoint? No. E.g. S = {1, 2} with τ({2}) = {2}, τ({1}) = {1}, τ(∅) = {1}: {1} and {2} are both fixpoints, but neither is contained in the other, so no fixpoint is least. (This τ is not monotonic: ∅ ⊆ {2}, but τ(∅) = {1} ⊄ {2} = τ({2}).)

Monotonic functions. τ is monotonic iff for all F ⊆ G: τ(F) ⊆ τ(G).

Fixpoint properties (IV). Theorem (Knaster–Tarski): if τ is monotonic and S is finite, τ has a unique least fixpoint and a unique greatest fixpoint. Proof: constructive (the iteration on the next slides). The theorem itself holds over any complete lattice; finiteness of S is what makes the iteration terminate.

Computing least fixpoints:
  Q_old := ∅
  Q_new := τ(Q_old)
  while Q_old ≠ Q_new do
    Q_old := Q_new
    Q_new := τ(Q_old)
  end while
  return Q_new
Need to show: termination; the result is a least fixpoint; the result is unique.

Correctness (I). Let Q_i be the value of Q_new in the i-th iteration: Q_0 = ∅, Q_1 = τ(∅), Q_2 = τ²(∅), …, Q_n = τⁿ(∅), Q_{n+1} = τ^{n+1}(∅). The loop stops at the first n with Q_{n+1} = Q_n; call this final value Q_!.

Correctness (II). Lemma: Q_i ⊆ Q_{i+1} for all i. Proof by induction. Base, i = 0: Q_0 = ∅ ⊆ τ(∅) = Q_1.

Correctness (III). Step: by the induction hypothesis Q_{i-1} ⊆ Q_i; since τ is monotonic, τ(Q_{i-1}) ⊆ τ(Q_i), i.e. Q_i ⊆ Q_{i+1}.

Correctness (IV). Termination: by the lemma, ∅ = Q_0 ⊆ Q_1 ⊆ Q_2 ⊆ … is an increasing chain of subsets of the finite set S. Every iteration that does not stop the loop adds at least one state, so the loop stops after at most |S| + 1 evaluations of τ. Shown: termination. Still to show: the result is a least fixpoint; the result is unique.

Correctness (V). Q_! is a least fixpoint. It is a fixpoint, since τ(Q_!) = Q_! is the loop's exit condition. Let G be some fixpoint; we need Q_! ⊆ G, and show Q_i ⊆ G for all i: base, Q_0 = ∅ ⊆ G; step, assume Q_i ⊆ G, then Q_{i+1} = τ(Q_i) ⊆ τ(G) = G by monotonicity. Shown: termination; the result is a least fixpoint. Still to show: uniqueness.

Correctness (VI). The least fixpoint is unique: let F and G both be least fixpoints; then F ⊆ G and G ⊆ F, hence F = G.

The Initial Estimate. We used Q_0 = ∅, but the iteration can start from any "conservative" estimate I ⊆ μX. τ(X). By monotonicity every iterate satisfies τⁱ(∅) ⊆ τⁱ(I) ⊆ τⁱ(μX. τ(X)) = μX. τ(X), so the loop can only stop at a fixpoint below the least one, i.e. at the least fixpoint itself, and it gets there in no more steps than from ∅.

Computing greatest fixpoints: the same loop, started from the top of the lattice.
  Q_old := S
  Q_new := τ(Q_old)
  while Q_old ≠ Q_new do
    Q_old := Q_new
    Q_new := τ(Q_old)
  end while
  return Q_new
The dual argument gives a decreasing chain S = Q_0 ⊇ Q_1 ⊇ … that stops at the greatest fixpoint.
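The fixpoint slides above, as an added worked example that is not part of the lecture: predicate transformers on P(S) are ordinary Python functions on frozensets, the two non-monotonic transformers are the counterexamples from "Fixpoint properties (I)" and "(II)" (the slide does not define τ({1, 2}) for the second one; mapping it to itself is my choice), and the last two transformers are the EF and EG shapes the later slides build on. The 5-state graph is constructed for the example.

```python
# Added illustration of the fixpoint slides (not code from the lecture).
from itertools import combinations


def subsets(S):
    """All elements of the power-set lattice P(S), smallest first."""
    S = sorted(S)
    return [frozenset(c) for k in range(len(S) + 1) for c in combinations(S, k)]


def is_monotonic(tau, S):
    """tau is monotonic iff F <= G implies tau(F) <= tau(G); brute-force over P(S)."""
    subs = subsets(S)
    return all(tau(F) <= tau(G) for F in subs for G in subs if F <= G)


def fixpoints(tau, S):
    """Every F in P(S) with tau(F) == F (may be empty for a non-monotonic tau)."""
    return [F for F in subsets(S) if tau(F) == F]


def iterate(tau, start):
    """Q_{i+1} = tau(Q_i) from 'start'.  Returns (fixpoint, steps) once Q_{i+1} == Q_i,
    or (None, steps) if the orbit cycles without stabilising, which a monotonic tau
    on a finite S can never do."""
    seen, q = [], start
    while q not in seen:
        seen.append(q)
        q = tau(q)
        if q == seen[-1]:
            return q, len(seen)
    return None, len(seen)


def lfp(tau, S, start=frozenset()):
    """mu X. tau(X): iterate from the empty set, or from any estimate below the lfp."""
    assert is_monotonic(tau, S), "fixpoint iteration needs a monotonic tau"
    return iterate(tau, start)[0]


def gfp(tau, S):
    """nu X. tau(X): iterate downwards from S itself."""
    assert is_monotonic(tau, S), "fixpoint iteration needs a monotonic tau"
    return iterate(tau, frozenset(S))[0]


# Slide "Fixpoint properties (I)": S = {1}, tau(empty) = {1}, tau({1}) = empty.
def no_fixpoint(F):
    return frozenset({1}) - F


# Slide "Fixpoint properties (II)": S = {1, 2}; {1} and {2} are fixpoints, neither least.
# tau({1, 2}) is not given on the slide; mapping it to itself is an assumption made here.
def no_least(F):
    table = {frozenset(): {1}, frozenset({1}): {1}, frozenset({2}): {2}, frozenset({1, 2}): {1, 2}}
    return frozenset(table[F])


# Constructed graph: 0 -> 1 -> 2 -> 3, 3 loops on itself, 4 loops on itself.
STATES = frozenset(range(5))
R = {0: {1}, 1: {2}, 2: {3}, 3: {3}, 4: {4}}


def pre(X):
    """States with some successor in X (the <> operator of the later slides)."""
    return frozenset(s for s in STATES if R[s] & X)


def ef_target(X):          # mu Y. target \/ <>Y   with target = {3}  (EF target)
    return frozenset({3}) | pre(X)


def eg_safe(X):            # nu Y. safe /\ <>Y     with safe = {0, 1, 2, 4}  (EG safe)
    return frozenset({0, 1, 2, 4}) & pre(X)
```

Running `iterate(no_least, frozenset())` shows why monotonicity matters for the algorithm and not just for the theorem: the loop terminates on {1}, which is a fixpoint, but {2} is an incomparable fixpoint, so the result is not a least fixpoint and depends on the starting estimate. `lfp(ef_target, STATES, start=frozenset({3}))` illustrates the Initial Estimate slide: starting below the least fixpoint gives the same answer as starting from ∅.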

μ-Calculus (I). Let AP be a set of atomic propositions and VAR = {Y_1, Y_2, …} a set of relational variables. The formulas of the μ-Calculus: p ∈ AP; Y ∈ VAR; if f and g are formulas, so are f ∨ g, f ∧ g and ¬f;

μ-Calculus (II). The formulas of the μ-Calculus (cont'd): if f is a formula, so are □f and ◇f (the modal counterparts of AX and EX); if Y is a relational variable and f is a formula, then μY. f and νY. f are formulas. μ and ν bind Y in f, just as λx. P(x) binds x. A formula is closed if all its fixpoint variables are bound.

μ-Calculus Semantics (I). For Y ∈ VAR, Y is a formula, but what does it mean? An environment e : VAR → 2^S assigns a set of states to every variable. e[Q ← W] denotes e with W substituted for Q: (e[Q ← W])(Q) = W, and (e[Q ← W])(Y) = e(Y) for Y ≠ Q. The environment is not needed for closed formulas.

μ-Calculus Semantics (II). A formula f is interpreted as the set of states in which f is true, written ⟦f⟧_M e:
  ⟦p⟧_M e = {s ∈ S | p ∈ L(s)}
  ⟦Y⟧_M e = e(Y)
  ⟦¬f⟧_M e = S \ ⟦f⟧_M e
  ⟦f ∧ g⟧_M e = ⟦f⟧_M e ∩ ⟦g⟧_M e
  ⟦f ∨ g⟧_M e = ⟦f⟧_M e ∪ ⟦g⟧_M e
M, s ⊨ f iff s ∈ ⟦f⟧_M (for closed f).

μ-Calculus Semantics (III).
  ⟦◇f⟧_M e = {s | ∃t: R(s, t) ∧ t ∈ ⟦f⟧_M e}
  ⟦□f⟧_M e = {s | ∀t: R(s, t) → t ∈ ⟦f⟧_M e}
  ⟦μY. f⟧_M e is the least fixpoint of τ(W) = ⟦f⟧_M e[Y ← W]
  ⟦νY. f⟧_M e is the greatest fixpoint of the same τ

Restrictions on μ-Calculus. Are all formulae monotonic in the fixpoint variable? f ∧ g, f ∨ g, □f and ◇f are; ¬f is not. ⇒ Fixpoint variables must occur under an even number of negations. μY. ¬Y is not allowed: its transformer τ(W) = S \ W has no fixpoint at all (on S = {1} it is τ(∅) = {1}, τ({1}) = ∅, the example from Fixpoint properties (I)). νY. ¬(Y ∨ p) is not allowed either. μY. ¬(¬Y ∨ p) = μY. (¬¬Y ∧ ¬p) = μY. (Y ∧ ¬p) is allowed: Y is under two negations. ¬: the μ-Calculus is closed under negation, since ¬μY. f(Y) ≡ νY. ¬f(¬Y) and dually, so negations can always be pushed down to the atoms.

Why are fixpoints interesting? Recall from Logic I the inductive definition I(A, P): the smallest set W such that A ⊆ W and, if x ∈ W and f ∈ P, then f(x) ∈ W (the closure of A under the operations in P). In fixpoint notation: I(A, P) = μY. A ∨ P(Y).

Intuition for least fixpoints. x ∈ ⟦μY. τ(Y)⟧: "finite iteration", x is added at some finite stage of the chain ∅ ⊆ τ(∅) ⊆ τ²(∅) ⊆ …. Example: EF φ = μY. φ ∨ ◇Y (φ is reachable in finitely many steps).

Intuition for greatest fixpoints. x ∈ ⟦νY. τ(Y)⟧: "invariant", x survives every stage of the chain S ⊇ τ(S) ⊇ τ²(S) ⊇ …. Example: EG φ = νY. φ ∧ ◇Y (there is a path along which φ holds forever).

μ-Calculus aerobics (I). μY. q ∨ (p ∧ □Y) = ? It is A[p U q]: Y_0 = ∅, Y_1 = ⟦q⟧, Y_2 adds the p-states all of whose successors are in Y_1, Y_3 adds the p-states all of whose successors are in Y_2, and so on; every path reaches q after finitely many p-states. νY. q ∨ (p ∧ □Y) = ? It is A[p W q]: the greatest fixpoint additionally keeps the states from which every path stays in p forever.

μ-Calculus aerobics (II). μY. νZ. (p ∧ □Y) ∨ (¬p ∧ □Z) = ? A path can pass through Y only a finite number of times, each time p holds; it can pass through Z infinitely often, each time p does not hold. ⇒ "p is true only finitely often on all paths".

μ-Calculus aerobics (III). μY. νZ. (p ∧ □Y) ∨ (¬p ∧ □Z) = ? Notation: Y_i is the i-th estimate for Y; Z_ij is the i-th estimate for Z computed with the j-th estimate for Y; ! denotes the last iteration. Inner computation 1, with Y_0 = ∅ and Z_00 = S: since p ∧ □∅ is false at every state (R is total, so □∅ holds nowhere), Z_!0 = νZ. ¬p ∧ □Z = AG ¬p, the states from which no path ever reaches p.

μ-Calculus aerobics (IV). Outer iteration 1: Y_1 = (p ∧ □Y_0) ∨ (¬p ∧ □Z_!0) = Z_!0 = AG ¬p.

μ-Calculus aerobics (V). Inner computation 2: Z_!1 = νZ. (p ∧ □Y_1) ∨ (¬p ∧ □Z) = A[¬p W (p ∧ □Y_1)]: on every path ¬p holds until, if ever, a p-state all of whose successors satisfy AG ¬p. The paths from Z_!1 therefore look like ¬p ¬p ¬p … forever, or ¬p … ¬p p followed by AG ¬p.

μ-Calculus aerobics (VI). Outer iteration 2: Y_2 = (p ∧ □Y_1) ∨ (¬p ∧ □Z_!1) = Z_!1. Compared with Y_1 = AG ¬p it adds the p-states all of whose successors satisfy AG ¬p, and the ¬p-states from which every path stays in ¬p until (if ever) such a p-state: paths that see p at most once.

μ-Calculus aerobics (VII). Every inner computation A[¬p W (p ∧ □Y_n)] adds a "layer" of ¬p (including the infinite ¬p behaviours); every outer iteration (p ∧ □Y_n) ∨ (¬p ∧ □Z_m) adds a single p.

μ-Calculus aerobics (VIII). Hence p can appear only a finite number of times on each path: the paths captured look like ¬p … p ¬p … p … with finitely many p's, after which AG ¬p holds.

Symbolic Model Checking. eval(f, e): given a formula f and an environment e, return the set of states of M that satisfy f. In the symbolic setting of Burch et al. the state sets and the relation R are represented as BDDs; the algorithm below is the same, with the set operations carried out on the BDDs.

Model Checking Algorithm (I).
  if f = p: return {s | p ∈ L(s)}
  if f = Q: return e(Q)
  if f = g_1 ∧ g_2: return eval(g_1, e) ∩ eval(g_2, e)
  if f = g_1 ∨ g_2: return eval(g_1, e) ∪ eval(g_2, e)

Model Checking Algorithm (II).
  if f = ◇g: return {s | ∃t [R(s, t) ∧ t ∈ eval(g, e)]}
  if f = □g: return {s | ∀t [R(s, t) → t ∈ eval(g, e)]}

Model Checking Algorithm (III).
  if f = μY. g(Y):
    Q_new := ∅
    repeat
      Q_old := Q_new
      Q_new := eval(g, e[Y ← Q_new])
    until Q_new = Q_old
    return Q_new

Model Checking Algorithm (IV).
  if f = νY. g(Y):
    Q_new := S
    repeat
      Q_old := Q_new
      Q_new := eval(g, e[Y ← Q_new])
    until Q_new = Q_old
    return Q_new

Model Checking Complexity (I). Each of the non-fixpoint cases (p, Q, g_1 ∧ g_2, g_1 ∨ g_2, ◇g, □g) costs O(|M|) on top of the recursive calls, where |M| = |S| + |R|.

Model Checking Complexity (II). A fixpoint case μY. g(Y) (or νY. g(Y)) performs at most O(|S|) iterations, each of which evaluates g. With nested fixpoints the entire computation of the inner eval(g) is repeated in every iteration of the outer one, so the overall complexity is O(|M| · |f| · |S|^k), k = nesting depth.

Improved Model Checking (I). Example: μY. g(Y, μZ. h(Y, Z)). Before: for each outer estimate Y_i the inner fixpoint Z_!i = μZ. h(Y_i, Z) is recomputed from ∅, up to |S| inner iterations for each of up to |S| outer iterations, O(|S|²). Now: Y_0 = ∅ ⊆ Y_1 ⊆ … and h is monotonic, so Z_!0 ⊆ Z_!1 ⊆ …; the inner computation for Y_{i+1} may therefore start from Z_!i instead of ∅, a conservative estimate below the new least fixpoint (the Initial Estimate slide). The inner iterations then form a single increasing chain across all outer iterations: O(|S| + |S|) in total.

Improved Model Checking (II). What about νY. g(Y, μZ. h(Y, Z))? Now Y_0 = S ⊇ Y_1 ⊇ …, so Z_!0 ⊇ Z_!1 ⊇ …: the previous value lies above the new least fixpoint, not below it, and cannot serve as a starting point. The inner μ must restart from ∅ in every outer iteration.

Improved Model Checking (III). Conclusion: restart an inner fixpoint only on alternation, i.e. when the enclosing fixpoint has the opposite sign. The complexity improves from O(|M| · |f| · |S|^k), k = nesting depth, to O(|M| · |f| · |S|^d), d = alternation depth: the number of μ/ν alternations along a chain of nested, mutually dependent fixpoints (μ … ν … μ … has d = 3).

Complexity Considerations (I). μ-Calculus model checking is in NP ∩ co-NP. Let L = {(M, s, f) | M, s ⊨ f}. A nondeterministic polynomial algorithm: given M, s, f, for each greatest fixpoint νY. τ(Y) in f (inside out), guess a value Q, check that Q is a fixpoint, τ(Q) = Q, and replace νY. τ(Y) by Q; then model-check the rest of f, in which all fixpoints are μ, in polynomial time (alternation depth 1, so O(|M| · |f| · |S|) with the improved algorithm).

Complexity Considerations (II). Correctness: if (M, s, f) ∈ L, the correct guesses (the actual greatest fixpoints) lead to "yes". If (M, s, f) ∉ L, let G be the real greatest fixpoint of some νY. τ(Y); any guessed fixpoint Q satisfies Q ⊆ G, since G is the greatest one, and f is monotonic in Y, so the set of states the run computes for f is contained in ⟦f⟧. Since s ∉ ⟦f⟧, every run answers "no". Membership in co-NP follows because the μ-Calculus is closed under negation: run the same algorithm on ¬f.

Agenda: Review; Some fixpoint theory; Syntax and semantics of μ-Calculus; Examples; Symbolic Model Checking; Applications: the power of μ-Calculus, translating CTL to μ-Calculus, adding fairness constraints, checking bisimulation.

The power of μ-Calculus. Expressiveness, as in the slide's diagram: CTL* contains both LTL and CTL, and the μ-Calculus contains CTL*.

CTL* vs. μ-Calculus (I). Cannot be expressed in CTL*: "p is reachable in an even number of steps". In μ-Calculus: μY. p ∨ ◇◇Y. The slide's figure is a path 0, 1, 2, 3, 4 with p at state 4, which is at even distance from states 0 and 2 but not from 1 or 3.

CTL* vs. μ-Calculus (II). Cannot be expressed in CTL*: "p holds in every odd-numbered state on every path" (counting the current state as the first). In μ-Calculus: νY. p ∧ □□Y.

CTL to μ-Calculus.
  AX f = □f
  EX f = ◇f
  EF f = μY. f ∨ ◇Y
  AF f = μY. f ∨ □Y
  EG f = νY. f ∧ ◇Y
  AG f = νY. f ∧ □Y
  E[f U g] = μY. g ∨ (f ∧ ◇Y)
  A[f U g] = μY. g ∨ (f ∧ □Y)
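The eval(f, e) algorithm, the "restart only on alternation" improvement and the CTL translations above, as an added worked example (not code from the lecture): an explicit-state checker over frozensets of states. The Kripke structures CHAIN and FINITE, their labels, and the formula encoding as nested tuples are constructed for this example; the `improved` flag implements the Emerson–Lei strategy from the Improved Model Checking slides (an inner fixpoint resumes from its last value when the enclosing fixpoint has the same sign, and restarts from bottom only across an alternation), which the lecture states but does not spell out as code.

```python
# Added worked example, not code from the lecture: eval(f, e) of the "Model Checking
# Algorithm" slides with the "restart only on alternation" improvement and CTL translations.
from itertools import count

# Formulas are tuples: ("p", a) ("var", Y) ("not", f) ("and", f, g) ("or", f, g)
# ("dia", f) = <>f  ("box", f) = []f  ("mu", Y, f)  ("nu", Y, f).  Negation is only
# applied to atoms or closed formulas here, so every fixpoint body is monotonic.

class Kripke:
    def __init__(self, states, edges, labels):
        self.S = frozenset(states)
        self.R = {s: frozenset(t for u, t in edges if u == s) for s in states}
        self.L = {s: frozenset(labels.get(s, ())) for s in states}

def fixvars(f, sign):
    """Variables bound by a fixpoint of the given sign anywhere inside f."""
    own = {f[1]} if f[0] == sign else set()
    return own.union(*(fixvars(g, sign) for g in f[1:] if isinstance(g, tuple)))

class Checker:
    def __init__(self, M):
        self.M, self.iterations = M, 0

    def check(self, f, improved=False):
        """States satisfying closed f.  improved=True: an inner fixpoint resumes from its
        last value unless the enclosing fixpoint has the opposite sign (Emerson-Lei)."""
        self.iterations = 0
        return self.ev(f, {}, {} if improved else None, None)

    def ev(self, f, e, memo, outer):
        M, op = self.M, f[0]
        sub = lambda g: self.ev(g, e, memo, outer)
        if op == "p":
            return frozenset(s for s in M.S if f[1] in M.L[s])
        if op == "var":
            return e[f[1]]
        if op == "not":
            return M.S - sub(f[1])
        if op == "and":
            return sub(f[1]) & sub(f[2])
        if op == "or":
            return sub(f[1]) | sub(f[2])
        if op in ("dia", "box"):                         # some / every successor in [[g]]
            g = sub(f[1])
            hit = (lambda s: M.R[s] & g) if op == "dia" else (lambda s: M.R[s] <= g)
            return frozenset(s for s in M.S if hit(s))
        _, Y, g = f                                      # mu or nu
        q_new = frozenset() if op == "mu" else M.S       # naive start: bottom of the chain
        if memo is not None:
            if outer == op:                              # same sign: resume from last value
                q_new = memo.get(Y, q_new)
            else:                                        # alternation: inner same-sign vars restart
                for Z in fixvars(g, op):
                    memo.pop(Z, None)
        while True:
            q_old = q_new
            q_new = self.ev(g, {**e, Y: q_old}, memo, op)
            self.iterations += 1
            if q_new == q_old:
                break
        if memo is not None:
            memo[Y] = q_new
        return q_new

_fresh = count()

def fix(op, body):
    """op Y. body(Y) with a fresh variable, so translated operators nest safely."""
    Y = "Y%d" % next(_fresh)
    return (op, Y, body(("var", Y)))

def P(a): return ("p", a)
def NOT(f): return ("not", f)
def EX(f): return ("dia", f)
def EF(f): return fix("mu", lambda Y: ("or", f, ("dia", Y)))
def EG(f): return fix("nu", lambda Y: ("and", f, ("dia", Y)))
def AG(f): return fix("nu", lambda Y: ("and", f, ("box", Y)))
def EU(f, g): return fix("mu", lambda Y: ("or", g, ("and", f, ("dia", Y))))

# Constructed models.  CHAIN: 0 -> 1 -> 2 -> 3 -> 4, p only at the dead end 4, q elsewhere.
CHAIN = Kripke(range(5), [(i, i + 1) for i in range(4)], {4: {"p"}, **{i: {"q"} for i in range(4)}})
# FINITE: s0 -> s1 -> s2 (loops), p at s0 and s1 only; t0 loops with p forever.
FINITE = Kripke(["s0", "s1", "s2", "t0"], [("s0", "s1"), ("s1", "s2"), ("s2", "s2"), ("t0", "t0")],
                {"s0": {"p"}, "s1": {"p"}, "t0": {"p"}})

def demo():
    """The slides' example formulas, plus naive vs. improved iteration counts on a
    mu-inside-mu formula whose inner fixpoint depends on the outer variable."""
    p, q, Y, Z = P("p"), P("q"), ("var", "Y"), ("var", "Z")
    even = ("mu", "Y", ("or", p, ("dia", ("dia", Y))))          # p reachable in an even number of steps
    finitely = ("mu", "Y", ("nu", "Z", ("or", ("and", p, ("box", Y)), ("and", NOT(p), ("box", Z)))))
    nested = ("mu", "Y", ("or", p, ("dia", ("mu", "Z", ("or", Y, ("and", q, ("dia", Z)))))))
    c = Checker(CHAIN)
    r_naive, n_naive = set(c.check(nested)), c.iterations
    r_fast, n_fast = set(c.check(nested, improved=True)), c.iterations
    return {
        "even": set(Checker(CHAIN).check(even)),
        "finitely_often": set(Checker(FINITE).check(finitely)),
        "AG_EF_p": set(Checker(FINITE).check(AG(EF(p)))),
        "nested": (r_naive == r_fast, n_naive, n_fast),
    }
```

On FINITE the aerobics formula μY. νZ. (p ∧ □Y) ∨ (¬p ∧ □Z) yields {s0, s1, s2} and excludes t0, where p holds forever; on CHAIN μY. p ∨ ◇◇Y yields {0, 2, 4}. The "nested" entry shows the improved strategy returning the same set with fewer fixpoint iterations, because the inner μZ continues from its previous value instead of restarting from ∅ for every new estimate of Y.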

Fairness constraints (I). Motivation: processes p_1, p_2, p_3 share a mutex managed by a scheduler; each process requests the lock, is granted it, and later releases it.

Fairness Constraints (II). No starvation: "every process that requests the lock will eventually get it". A possible execution: p_1 takes a step and requests (req_1), p_1 takes a step and is granted (grant_1), p_2 takes a step and requests (req_2), and from then on only p_2 is scheduled: p_2, p_2, p_2, …. p_1 never runs again, so it never releases the lock and p_2 starves, but only because the scheduler is unfair to p_1. Admissible execution: every process takes an infinite number of steps.

Fairness Constraints (III). Fairness constraints: C = (C_1, …, C_k), each C_i ⊆ S. For a path π = s_0 s_1 …: inf(π) = {t | t = s_i for infinitely many i}. A path π is fair iff inf(π) ∩ C_i ≠ ∅ for all i, i.e. every constraint is visited infinitely often.

Fairness Constraints (IV). Fairness cannot be expressed in plain ("unfair") CTL. Fair semantics: s ⊨_F Eφ (notation: s ⊨ E_F φ) iff there exists a fair path π from s such that π ⊨_F φ; s ⊨_F Aφ (notation: s ⊨ A_F φ) iff for all fair paths π from s, π ⊨_F φ.

FCTL to μ-Calculus (I, II). E_F G f = ? νZ. [f ∧ ⋀_{i=1}^{n} EX E[f U (C_i ∧ Z)]]. Reading: a state belongs to Z if f holds there and, for every constraint C_i, some path of at least one step along f-states leads to a C_i-state that is again in Z. Unfolding the greatest fixpoint stitches these segments into an infinite f-path that visits every C_i infinitely often, which is exactly a fair path on which f holds globally. The slide's figure shows the resulting cycle of f-states passing through C_1, C_2 and C_3.
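The fair E_F G f formula above, as an added worked example (not code from the lecture), computed directly as nested fixpoints over sets of states on a constructed model of the mutex scheduler from the motivation slide: p_1 requests and is granted, p_2 requests and may be left spinning forever while p_1 holds the lock, p_1 releases, p_2 is granted. The state names, labels and the two fairness constraints (the states entered by a step of p_1, and by a step of p_2) are assumptions of the example.

```python
# Added worked example (not the lecture's code): E_C G f = nu Z. f /\ AND_i EX E[f U (C_i /\ Z)]
# evaluated with explicit set operations on a constructed scheduler model.

# Constructed scheduler: p1 requests (s0) and is granted (s1); p2 requests (s2) and may
# spin there forever while p1 holds the lock; p1 releases (s3); p2 is granted (s4).
S = frozenset(["s0", "s1", "s2", "s3", "s4"])
R = {"s0": {"s1"}, "s1": {"s2"}, "s2": {"s2", "s3"}, "s3": {"s4"}, "s4": {"s0"}}
GRANT2 = frozenset({"s4"})
# Fairness constraints: the states entered by a step of p1 and of p2 respectively;
# "every process takes infinitely many steps" means each set is visited infinitely often.
STEPS_P1 = frozenset({"s0", "s1", "s3"})
STEPS_P2 = frozenset({"s2", "s4"})


def ex(X):
    """EX X: states with some successor in X."""
    return frozenset(s for s in S if R[s] & X)


def eu(F, G):
    """E[F U G] = mu Y. G \\/ (F /\\ EX Y), by least-fixpoint iteration from the empty set."""
    Y = frozenset()
    while True:
        new = G | (F & ex(Y))
        if new == Y:
            return Y
        Y = new


def eg(F):
    """Plain EG F = nu Y. F /\\ EX Y (no fairness), iterated down from S."""
    Y = S
    while True:
        new = F & ex(Y)
        if new == Y:
            return Y
        Y = new


def fair_eg(F, C):
    """E_C G F = nu Z. F /\\ AND_i EX E[F U (C_i /\\ Z)]: greatest-fixpoint iteration from S."""
    Z = S
    while True:
        new = F
        for Ci in C:
            new &= ex(eu(F, Ci & Z))
        if new == Z:
            return Z
        Z = new


def starvation_report():
    """Can p2 be starved of the lock, with and without the fairness constraints?"""
    not_grant2 = S - GRANT2
    fair = [STEPS_P1, STEPS_P2]
    return {
        "EG_not_grant2": set(eg(not_grant2)),                 # the unfair spin in s2 starves p2
        "fair_EG_not_grant2": set(fair_eg(not_grant2, fair)), # no fair path avoids grant2
        "fair_AF_grant2": set(S - fair_eg(not_grant2, fair)), # = A_F F grant2, true everywhere
    }
```

Without fairness EG ¬grant_2 holds at s0, s1 and s2 through the path that spins in s2 forever; under the two constraints that path is excluded, E_C G ¬grant_2 is empty, and its complement A_C F grant_2 holds in every state, which is the no-starvation property the slide asks for.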

Checking Bisimulation (I). Let M = (S, S_0, R, L) and M' = (S', S_0', R', L') be Kripke structures over the same AP. H ⊆ S × S' is a bisimulation iff for all (s, s') ∈ H: 1. L(s) = L'(s'); 2. if (s, t) ∈ R, then there exists t' ∈ S' such that (s', t') ∈ R' and (t, t') ∈ H; 3. if (s', t') ∈ R', then there exists t ∈ S such that (s, t) ∈ R and (t, t') ∈ H.

Checking Bisimulation (II). M ≡_bis M' if there exists a bisimulation H over M, M' such that for every s_0 ∈ S_0 there exists s_0' ∈ S_0' with (s_0, s_0') ∈ H, and for every s_0' ∈ S_0' there exists s_0 ∈ S_0 with (s_0, s_0') ∈ H.

Checking Bisimulation (III). How can we check whether M ≡_bis M'? Where do we obtain H? Lemma: there is a maximal bisimulation H_max over M, M'. If H_1 and H_2 are bisimulations, so is H_1 ∪ H_2, so take H_max = the union of all bisimulations (it is the empty relation when no pair of states is bisimilar). Our strategy: compute H_max and check whether the initial states are related by it, (s_0, s_0') ∈ H_max.

Checking Bisimulation (IV). H_max = νH. τ(H), where
  τ(H)(s, s') = H(s, s') ∧ ∀t [R(s, t) → ∃t' (R'(s', t') ∧ H(t, t'))] ∧ ∀t' [R'(s', t') → ∃t (R(s, t) ∧ H(t, t'))]
and the labelling condition L(s) = L'(s') is imposed on the initial value (or added as a conjunct). This is not a μ-Calculus formula, since H is a relation over S × S' rather than a set of states of one structure, but τ is monotonic on P(S × S'), so the same greatest-fixpoint iteration applies.

Checking Bisimulation (V). Algorithm (starting from the label-respecting pairs rather than all of S × S', so that condition 1 of the definition holds):
  H_old := {(s, s') ∈ S × S' | L(s) = L'(s')}
  H_new := τ(H_old)
  while H_old ≠ H_new do
    H_old := H_new
    H_new := τ(H_old)
  end while
  if (s_0, s_0') ∈ H_new return true else return false
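The H_max computation above, as an added worked example (not code from the lecture): the relation transformer τ iterated from the label-respecting subset of S × S' until it stabilises, then the initial-state check. The three small structures M, M1 and M2 are constructed for the example; M and M1 differ only in a duplicated state, while M2 has an x-state that never returns, which no state of M can match.

```python
# Added worked example (not the lecture's code): H_max as the greatest fixpoint of the
# relation transformer tau on the "Checking Bisimulation" slides.  A structure is a dict
# with states S, initial states S0, a successor map R and a labelling L.

def make(S0, R, L):
    return {"S": frozenset(R), "S0": frozenset(S0),
            "R": {s: frozenset(t) for s, t in R.items()}, "L": L}


def tau(H, M, M2):
    """One step of tau(H): keep (s, s') only if every move of s is matched by a move of
    s' inside H and vice versa.  The label condition is enforced by the starting set."""
    R, R2 = M["R"], M2["R"]
    return frozenset(
        (s, s2) for (s, s2) in H
        if all(any((t, t2) in H for t2 in R2[s2]) for t in R[s])
        and all(any((t, t2) in H for t in R[s]) for t2 in R2[s2]))


def max_bisimulation(M, M2):
    """nu H. tau(H), iterated downwards from the label-respecting subset of S x S'."""
    H_new = frozenset((s, s2) for s in M["S"] for s2 in M2["S"] if M["L"][s] == M2["L"][s2])
    while True:
        H_old, H_new = H_new, tau(H_new, M, M2)
        if H_old == H_new:
            return H_new


def bisimilar(M, M2):
    """M =bis M' iff every initial state has an H_max-partner among the other's initial states."""
    H = max_bisimulation(M, M2)
    return (all(any((s, s2) in H for s2 in M2["S0"]) for s in M["S0"])
            and all(any((s, s2) in H for s in M["S0"]) for s2 in M2["S0"]))


# Constructed structures.  M: a branches to two identical x-states that both return to a.
M = make(["a"], {"a": ["b", "c"], "b": ["a"], "c": ["a"]},
         {"a": frozenset(), "b": frozenset({"x"}), "c": frozenset({"x"})})
# M1: the same behaviour with the duplicate merged.
M1 = make(["a"], {"a": ["b"], "b": ["a"]}, {"a": frozenset(), "b": frozenset({"x"})})
# M2: one of the x-states (d) never returns to a, which no state of M can match.
M2 = make(["a"], {"a": ["b", "d"], "b": ["a"], "d": ["d"]},
          {"a": frozenset(), "b": frozenset({"x"}), "d": frozenset({"x"})})
```

For M against M2 the iteration first drops (b, d) and (c, d), since b and c return to a while d cannot; then (a, a), since the move a → d is no longer matched; then the remaining pairs, since their a-successors are no longer related, so H_max is empty and the structures are not bisimilar. For M against M1 the label-respecting pairs survive τ unchanged and H_max = {(a, a), (b, b), (c, b)}.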
