Four Lectures on Model Checking Tom Henzinger University of California, Berkeley

Four Lectures on Model Checking: Lecture IV 1 Eight model-checking problems: logic vs. automata, linear vs. branching, safety vs. liveness 2 Finite-state systems: six graph algorithms for model checking 3 Infinite-state systems: from graph algorithms to symbolic algorithms

Model-checking problem I |= S system model: state-transition graph system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching

   finite boolean combinations of  and  safety weakly fair strongly fair liveness

Model-checking problem I |= S system model: state-transition graph system property: -safety v. weak v. strong fairness -logic v. spec v. monitor automata -linear v. branching easiest harder hard

Model-Checking Algorithms = Graph Algorithms

1Safety: -solve: STL (  U model checking), finite monitors (  emptiness) -algorithm: reachability (linear) 2Eventuality under weak fairness: -solve: weakly fair CTL (   model checking), Buchi monitors (  emptiness) -algorithm: strongly connected components (linear) 3Liveness: -solve: strongly fair CTL, Streett monitors (  (    ) emptiness) -algorithm: recursively nested SCCs (quadratic)

From specification automata to monitor automata: determinization (exponential) + complementation (easy) From LTL to monitor automata: complementation (easy) + tableau construction (exponential)

B1 Simulation: relation refinement (quadratic) B2 Weakly fair simulation: Buchi game (quadratic) B3 Strongly fair simulation: Streett game (quadratic in structures, exponential in fairness constraints)

Six Algorithms 1Reachability 2Strongly connected components 3Recursively nested SCCs 4Tableau construction 5Relation refinement 6Buchi games 7Streett games 8Streett determinization

Finite Emptiness Given: finite automaton (S, S 0, , , FA) Find: is there a path from a state in S 0 to a state in FA ? Solution: depth-first or breadth-first search

Application 1:STL model checking Application 2:finite monitors

Buchi Emptiness Given: Buchi automaton (S, S 0, , , BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S 0

Application 1:CTL model checking over weakly-fair transition graphs (note: really need multiBuchi) Application 2:Buchi monitors

Streett Emptiness Given: Streett automaton (S, S 0, , , SA) Find: is there an infinite path from a state in S 0 that satisfies all Streett conditions (l,r) in SA ? Solution: check if S 0  RecSCC (S, , SA)  

function RecSCC (S, , SA) : X :=  for each C  SCC (S,  ) do F :=  if  C   then for each (l,r)  SA do if C  r   then F := F  (l,r) else C := C \ l if F = SA then X := X  pre * (C) else X := X  RecSCC (C,  C, F) return X

Complexity n number of states m number of transitions snumber of Streett pairs Reachability:O(n+m) SCC:O(n+m) RecSCC:O((n+m) · s 2 )

Application 1:CTL model checking over strongly-fair transition graphs Application 2:Streett monitors

Tableau Construction Given: LTL formula  Find: Buchi automaton M  such that L(M  ) = L(  ) [Fischer & Ladner 1975; Manna & Wolper 1982] monitors subformulas of 

Fischer-Ladner Closure of a Formula Sub (a)= { a } Sub (  )={  }  Sub (  )  Sub (  ) Sub (  )={  }  Sub (  ) Sub (   )={   }  Sub (  ) Sub (  U  )={  U ,  (  U  ) }  Sub (  )  Sub (  ) | Sub (  ) | = O(|  |)

s  Sub (  ) is consistent iff -if (  )  Sub (  ) then (  )  s iff   s and   s -if (  )  Sub (  ) then (  )  s iff   s -if (  U  )  Sub (  ) then (  U  )  s iff either   s or   s and  (  U  )  s

Tableau M  = (S, S 0, , , BA) S...set of consistent subsets of Sub (  ) s  S 0 iff   s s  t iff for all (   )  Sub (  ), (   )  s iff   t  (s)... conjunction of atomic observations in s and negated atomic observations not in s For each (  U  )  Sub (  ), BA contains { s |   s or (  U  )  s }

Size of M  is O(2 |  | ). CTL model checking:linear / quadratic LTL model checking:PSPACE-complete

Relation Refinement Given: state-transition graph K = (Q, , A, [ ] ), specification automaton M = (S, S 0, ,  ) Find: for each state q  Q, the set sim(q)  S of states that simulate q for each t  Q do sim(t) := { u  S | t |=  (u) } while there are three states s, t, u such that t  s & u  sim(t) & sim(s)  post(u) =  do sim(t) := sim(t) \ {u} {assert if u simulates t, then u  sim(t) }

Complexity of relation refinement: O(mn) [ Bloom & Paige; H, H, Kopke 1995 ] Relation refinement produces a maximal simulation relation R. With fairness, it suffices to check if the specification has a winning strategy G that follows R: - q n |= [G(q 0 …q n )] - for all infinite fair runs q 0 q 1 … of K, G(q 0 ) G(q 0 q 1 ) G(q 0 q 1 q 2 ) …  L(M). Buchi game

Finite Emptiness Given: finite automaton (S, S 0, , , FA) Find: is there a path from a state in S 0 to a state in FA ? Solution: depth-first or breadth-first search O(m+n)

Finite Games Given: finite game (S , S , S 0, , , FA) Find: is there a strategy of the Or player to get from a state in S 0 to a state in FA ? Solution: backward accumulation of winning states O(n+m) And-Or graph And nodes: And player moves Or nodes: Or player moves

Buchi Emptiness Given: Buchi automaton (S, S 0, , , BA) Find: is there an infinite path from a state in S 0 that visits some state in BA infinitely often ? Solution: 1. Compute SCC graph by depth-first search 2. Mark SCC C as fair iff C  BA   3. Check if some fair SCC is reachable from S 0 O(m+n)

Buchi Games Given: Buchi game (S , S , S 0, , , BA) Find: is there a strategy of the Or player to get from a state in S 0 to a state in BA infinitely often ? Solution: 1. Compute the states BA 1  BA from which there is an Or strategy to get to BA 2. Compute the states BA 2  BA 1 from which there is an Or strategy to get to BA 1 3. Etc. 4. Check if there is an Or strategy to get from a state in S 0 to a state in BA  O((m+n)  n)

Model-Checking Algorithms = Graph Algorithms 1Finite/coFinite: reachability 2Buchi/coBuchi: strongly connected components 3Streett/Rabin: recursive s.c.c.s 4Simulation: relation refinement 5Fair simulation: game

Graph Algorithms Given: labeled graph (Q, , A, [ ] ) Cost: each node access and edge access has unit cost Complexity: in terms of |Q| = n...number of nodes |  | = m... number of edges Reachability and s.c.c.s: O(m+n)

The Graph-Algorithmic View is Problematic -The graph is given implicitly (by a program) not explicitly (e.g., by adjacency lists). -Building an explicit graph representation is exponential, but usually unnecessary (“on-the-fly” algorithms). -The explicit graph representation may be so big, that the “unit-cost model” is not realistic. -A class of algorithms, called “symbolic algorithms”, do not operate on nodes and edges at all.

Symbolic Model-Checking Algorithms Given: a “symbolic theory”, that is, an abstract data type called region with the following operations: pre,  pre, post,  post : region  region , , \ : region  region  region , = : region  region  bool, > < : A  region , Q : region

Intended Meaning of Symbolic Theories region...set of states , , \, , =, ...set operations = { q  Q | [q] = a } >a< = { q  Q | [q]  a } pre (R) = { q  Q | (  r  R) q  r }  pre (R) = { q  Q | (  r)( q  r  r  R )} post (R) = { q  Q | (  r  R) r  q }  post (R) = { q  Q | (  r)( r  q  r  R )}

If the state of a system is given by variables of type Vals, and the transitions of the system can be described by operations Ops on Vals, then the first-order theory FO (Vals, Ops) is an adequate symbolic theory: region...formula of FO (Vals, Ops) , , \, , =, , Q... , ,,  validity,  validity, f, t pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) )  pre (R(X)) = (  X’)( Trans(X,X’)  R(X’) ) post (R(X)) = (  X”)( R(X”)  Trans(X”,X) )  post (R(X)) = (  X”)( Trans(X”,X)  R(X’’) )

If FO (Vals, Ops) admits quantifier elimination, then the propositional theory ZO (Vals, Ops) is an adequate symbolic theory: each pre/post operation is a quantifier elimination

Example: Boolean Systems -all system variables X are boolean -region: quantifier-free boolean formula over X -pre, post: boolean quantifier elimination Complexity: PSPACE

Example: Presburger Systems -all system variables X are integers -the transition relation Trans(X,X’) is defined using only  and  -region: quantifier-free formula of (Z, ,  ) -pre, post: quantifier elimination

An iterative language for writing symbolic model-checking algorithms -only data type is region -expressions: pre, post, , , \, , =,, , Q -assignment, sequencing, while-do, if-then-else

Example: Reachability   a S :=  R := while R  S do S := S  R R := pre(R)

A recursive language for writing symbolic model-checking algorithms: The Mu-Calculus   a = (  R) (a  pre(R))   a = ( R) (a   pre(R))

Syntax of the Mu-Calculus  ::= a |  a |    |    | pre(  ) |  pre(  ) | (  R)  | ( R)  | R pre =    pre =   R... region variable

Semantics of the Mu-Calculus [[ a ]] E := [[  a ]] E := >a< [[    ]] E := [[  ]] E  [[  ]] E [[    ]] E := [[  ]] E  [[  ]] E [[ pre(  ) ]] E := pre( [[  ]] E ) [[  pre(  ) ]] E :=  pre( [[  ]] E ) E maps each region variable to a region.

Operational Semantics of the Mu-Calculus [[ (  R)  ]] E := S’ :=  ; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S [[ ( R)  ]] E := S’ := Q; repeat S := S’; S’ := [[  ]] E(R  S) until S’=S; return S

Denotational Semantics of the Mu-Calculus [[ (  R)  ]] E := smallest region S such that S = [[  ]] E(R  S) [[ ( R)  ]] E := largest region S such that S = [[  ]] E(R  S) These regions are unique because all operators on regions ( , , pre,  pre) are monotonic.

  a = (  R) (a  pre(R))   a = ( R) (a  pre(R))   a = (  R) (a   pre(R))   a = ( R) (a   pre(R)) b  U a = (  R) (a  (b  pre(R)))   a = ( R)   (a  pre(R)) = ( R) (  S) ((a  pre(R))  pre(S))

-every  / alternation adds expressiveness -all omega-regular languages in alternation depth 2 -model checking complexity: O( (|  |  (m+n)) d ) for formulas of alternation depth d -most common implementation (SMV, Mocha): use BDDs to represent boolean regions

Binary Decision Diagrams -canonical data structure for representing quantifier- free boolean formulas -equivalence checking in constant time -in practice, model checkers spend more than 90% of their time in “pre-image” or “post-image” computation -almost synonymous with “symbolic” model checking -SAT solvers superior in bounded model checking, which requires no termination (i.e., equivalence) check

Binary Decision Tree -order k boolean variables x 1,..., x k -binary tree of height k+1, each leaf labeled 0 or 1 -leaf of path “left, right, right,...” gives value of boolean formula if x 1 =0, x 2 =1, x 3 =1, etc.

Binary Decision Diagram 1Identify isomorphic subtrees (this gives a dag) 2Eliminate nodes with identical left and right successors (for this, nodes need to be labeled with variable names) For a given boolean formula and variable order, the result is unique. (The choice of variable order may make an exponential difference!)

(x  y)  (x'  y') Variable order: x, y, x', y' x yx' y'

Operations on BDDs ,  : recursive top-down traversal in O(u  v) time if u and v are the number of respective BDD nodes ,  : (  x)  (x) =  (0)   (1) Variable reordering

-symbolic algorithms apply also to infinite-state systems -important new question: termination Model Checking: From Finite-state to Hybrid Systems